Author Topic: universal dumper - one more idea  (Read 20169 times)

Offline RyeBrye

  • Jr. Member
  • **
  • Posts: 73
  • SD-870
Re: universal dumper - one more idea
« Reply #45 on: 03 / February / 2008, 08:13:44 »
  • Here's the code I'm using. When it runs, I have it flash through my LEDs so I know it is working - and I have it flash them all 3 times if it finds the signature at the address my dump predicts it to be.

    When it runs, it flashes three times. Then, it turns on the write LED, and does nothing more.

    Of course... the part that sucks is that Nothing gets written to the card :(

    Code:
    #define FW_ADDRESS      0xFF810000
    #define FW_SIZE         0x400000
    #define START_SECTOR    256

    // maximum number of hex digits this will be outputting
    // (there is a fudge factor of 10 additional digits built in
    //  to help avoid overrun...)
    #define HEX_LENGTH 8
    #define LED_PR 0xC02200CC
    #define LED_GR 0xC0220136
    #define LED_OR 0xC0220133
    #define LED_AF 0xC0223030

    #define DOT_DURATION          0.05
    #define DOT_PAUSE             0.05
    #define DASH_DURATION         0.2
    #define DASH_PAUSE            0.2
    #define BETWEEN_NUMBER_PAUSE  0.3

    #define DEL 50000

    // side note...
    // wouldn't it be ironic if we inlined the function
    // that is supposed to kill time?
    void delay(float i){
        int j;
        j = i * 30 * DEL;
        while(--j) {
            asm("nop\n");
            asm("nop\n");
            asm("nop\n");
            asm("nop\n");
        }
    }

    // LEDs are memory-mapped: writing 0x46 turns one on, 0x44 turns it off
    inline void led_on(long led_addr) {
        volatile long *p;
        p=(void*)led_addr;
        *p=0x46;
    }

    inline void led_off(long led_addr) {
        volatile long *p;
        p=(void*)led_addr;
        *p=0x44;
    }

    // output a dot on the given LED address
    // (a 'dot' is a quick blip of the LED)
    void output_dot(long led_addr) {
        delay(DOT_PAUSE);
        led_on(led_addr);
        delay(DOT_DURATION);
        led_off(led_addr);
    }

    // output a dash on the given LED address
    // (dash is longer than a dot)
    void output_dash(long led_addr) {
        delay(DASH_PAUSE);
        led_on(led_addr);
        delay(DASH_DURATION);
        led_off(led_addr);
    }

    typedef int (*f_w)(int, int, int, int); // drive(?), start sector, number of sectors, address

    int main() {
        int i, j;
        int tw, tr;

        int *p;

        f_w wr;
        output_dot(LED_OR); output_dot(LED_GR); output_dot(LED_OR);
        output_dot(LED_PR); output_dot(LED_AF);

        // scan RAM for the record that holds the SD write function pointer at +0x50
        for (i=0x1900;i<0xF0000;i+=4)
            if ((*(unsigned int*)(i+0x34)==0) &&
                (*(unsigned int*)(i+0x38)==0) &&
                (*(unsigned int*)(i+0x3C)==3) &&
                (*(unsigned int*)(i+0x4C)>FW_ADDRESS) &&
                (*(unsigned int*)(i+0x50)>FW_ADDRESS) ) {
                output_dot(LED_OR);
                output_dot(LED_OR);
                output_dot(LED_OR);
                delay(0.5);

                wr=(f_w)*(unsigned int*)(i+0x50);
                // blink three times if its at the right address
                // (note - on my camera, it blinks 3 times with this function...)
                if ((unsigned int)wr == (unsigned int)(0xFF9182FC)) {
                    int p;
                    for (p=0;p<3;p++) {
                        led_on(LED_AF);
                        led_on(LED_GR);
                        led_on(LED_PR);
                        delay(0.1);
                        led_off(LED_AF);
                        led_off(LED_GR);
                        led_off(LED_PR);
                        delay(0.1);
                    }
                }
                else {
                    // if none of the above addresses match - display error
                    led_on(LED_OR);
                    delay(0.1);
                    led_off(LED_OR);
                    delay(0.1);
                    led_on(LED_OR);
                    delay(0.1);
                    led_off(LED_OR);
                }
                // fill some memory with zeroes; "simulate" large diskboot
                // WARNING: the starting address is a guess
                for (j = 0x2e20; j<0x27100; j+=4) {
                    p = (int *) j;
                    *p = 0;
                }

                // delay to allow time to unlock the memory card
                // if I'm trying to do that...
                int q = 0;
                for (q=0; q<50; q++) {
                    led_on(LED_GR);
                    delay(0.01);
                    led_off(LED_GR);
                    delay(0.01);
                }
                delay(0.1);

                led_on(LED_OR);
                wr(0,START_SECTOR,FW_SIZE/512,FW_ADDRESS);
                led_off(LED_OR);

            }

        // would blink 5 times if wr() would return (which it doesn't, but still works)
        for (j=5; j>0; j--) {
            output_dot(LED_OR);
        }

        while(1);
        return 0;
    }

    I don't see anything I'm doing wrong... I changed the sector to sector 256 because that one is full of zeroes on my SD card and it's easier to check quickly to see if it wrote anything.

    Offline GrAnd

    • Developers
    • Hero Member
    • ****
    • Posts: 916
    • [A610, S3IS]
      • CHDK
    Re: universal dumper - one more idea
    « Reply #46 on: 03 / February / 2008, 12:41:03 »
  • How does the RAM map on these? What would be the largest value that I should write 0's to? 0xF000000?

    0x02000000. The memory size is 32MB. The addresses 0x0 - 0x1900  are reserved.
    CHDK Developer.

    Offline ewavr

    • Developers
    • Hero Member
    • ****
    • Posts: 1057
    • A710IS
    Re: universal dumper - one more idea
    « Reply #47 on: 03 / February / 2008, 13:52:27 »
  • I don't see anything I'm doing wrong...

    All is correct, but...
    WriteSDCard() is a complex function, it uses different memory locations, semaphores etc - I was surprised that it could work after OS death.

    Offline whim

    • Guru Member
    • ******
    • Posts: 1977
    • A620/A630/A590-101b/i70-101b/i870-101a/i300
    Re: universal dumper - one more idea
    « Reply #48 on: 21 / February / 2008, 18:25:00 »
  • @Jeff666
    You wrote in reply #35 - 26/Jan/2008:
    Quote
    I already considered running the whole firmware in a virtual machine that is started via diskboot :)

    Hi!
    I was about to post a question if anybody has experience with / ever tried to boot a Canon primary and/or
    CHDK on an ARM emulator, did a search for virtual machine, and found this thread.
    So, about the quote above, have you ever tried this ?
    So far I found this sympathetic-looking open source project:
     
    Wiki Manual
    Source and binaries

    but you, or other posters here might know others/better ones.

    oh, and sorry to butt in on this thread with something only
    remotely related to the subject.

    wim
    « Last Edit: 21 / February / 2008, 20:40:35 by whim »

    Offline quietschi

    • Full Member
    • ***
    • Posts: 116
    • Ixus70 102a
    Re: universal dumper - one more idea
    « Reply #49 on: 13 / March / 2008, 04:58:28 »
  • Hi

    Only for information. I tried the udumper.zip on my Ixus70_sd1000 and get a correct dump on my first try.
    Really nice, much easier than the blinker version

    quietschi

    Offline mrblack51

    • Rookie
    • *
    • Posts: 27
    Re: universal dumper - one more idea
    « Reply #50 on: 21 / March / 2008, 11:25:19 »
  • Where can I find the udumper.zip? I have an SD1100 IS for a short time and would like to at least get a clean dump if possible.

    Thanks

    Offline quietschi

    • Full Member
    • ***
    • Posts: 116
    • Ixus70 102a
    Re: universal dumper - one more idea
    « Reply #51 on: 21 / March / 2008, 12:26:51 »

  • Offline mrblack51

    • Rookie
    • *
    • Posts: 27
    Re: universal dumper - one more idea
    « Reply #52 on: 24 / March / 2008, 11:32:21 »
  • Interesting - I used udumper to dump my SD800IS and it worked fine, so I know the card is bootable. However, when I try the same card in the SD1100IS it boots up like normal and shows "card is locked"...hmm. anyone have ideas?

    Offline mx3

    • Developers
    • Sr. Member
    • ****
    • Posts: 372
    Re: universal dumper - one more idea
    « Reply #53 on: 24 / March / 2008, 11:47:01 »

  • hm. let's see

    1) people had some problems with turning their cameras in play mode (because there was no switch). I think they held down some button on powerup.
    I can't recall what these camera models are.

    2) Canon changed firmware so it ignores bootable card or name of the file on it.
    what card do you use? can you use the small memory card supplied with the camera?


    you can try to
    1) hold some buttons while powering up (there were some instructions floating about G7 or G9). I think somebody will give you more precise instructions.

    2) add ps.fi2 file on card and see if update menu appears

    skype: max_dtc. ICQ: 125985663, email: win.drivers(at)gmail, eVB decompiler


    Offline mrblack51

    • Rookie
    • *
    • Posts: 27
    Re: universal dumper - one more idea
    « Reply #54 on: 24 / March / 2008, 19:09:10 »

  • Quote
    hm. let's see

    1) people had some problems with turning their cameras in play mode (because there was no switch). I think they held down some button on powerup.
    I can't recall what these camera models are.

    2) Canon changed firmware so it ignores bootable card or name of the file on it.
    what card do you use? can you use the small memory card supplied with the camera?


    you can try to
    1) hold some buttons while powering up (there were some instructions floating about G7 or G9). I think somebody will give you more precise instructions.

    2) add ps.fi2 file on card and see if update menu appears



    Adding a ps.fi2 yielded the "Firm Update..." option in the menu, but selecting it yielded "Update File Error!!!". Not surprising since the contents of ps.fi2 was just a copy of diskboot.bin renamed to be ps.fi2.

    So it looks like there might be some potential for the flasher or perhaps a firmware based dumper rather than a diskboot.bin based one.


    Offline chr

    • Full Member
    • ***
    • Posts: 138
    • IXUS 82 IS
    Re: universal dumper - one more idea
    « Reply #55 on: 15 / July / 2008, 01:58:07 »
  • I just successfully dumped the SD40 - CHDK Wiki
    [DOWNLOAD LINKS] Firmware dumps available

    with this code:

    Code:
    #define MIN_ADDRESS     0xFF810000
    #define FW_SIZE         0x400000

    #define START_SECTOR    2048

    #define LED_AF 0xc0223030

    void led_on()
    {
        volatile long *p=(void*)LED_AF;
        *p=0x46;
    }

    void led_off()
    {
        volatile long *p=(void*)LED_AF;
        *p=0x44;
    }

    void idle()
    {
        int i;

        for(i=0;i<0x78800;i++){
            asm ("nop\n");
            asm ("nop\n");
            asm ("nop\n");
            asm ("nop\n");
        }
    }


    typedef int (*f_w)(int, int, int, int); // drive(?), start sector, number of sectors, address

    int main() {
        int i;
        unsigned long sa;
        f_w wr;

        led_on();
        idle();
        led_off();
        idle();
        led_on();

        for (i=0x1900;i<0xF0000;i+=4)
            if ((*(unsigned int*)(i+0x34)==0) &&
                (*(unsigned int*)(i+0x38)==0) &&
                (*(unsigned int*)(i+0x3C)==3) &&
                (*(unsigned int*)(i+0x4C)>MIN_ADDRESS) &&
                (*(unsigned int*)(i+0x50)>MIN_ADDRESS) ) {

                wr=(f_w)*(unsigned int*)(i+0x50);
                sa=(unsigned long)wr>0xFFC00000 ? 0xFFC00000 : 0xFF810000;

                wr(0, START_SECTOR, FW_SIZE/512, sa);
                break;
            }
        led_off();
        while(1);
        return 0;
    }

    the led address is an accident but it turned out to be the backlight display of the cam and it blinked as intended ;)

    Also I did not pad the diskboot.bin

    « Last Edit: 15 / July / 2008, 03:34:35 by chr »
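
Added example (not part of any post in this thread): a host-side C version of the record scan that both dumpers above run on the camera, here applied to a saved RAM image and bounded by the image length, followed by the base-address choice from the SD40 dumper. The image contents, the decoy record and the helper names (`rd32`, `wr32`, `find_record`, `dump_base`, `demo`) are constructed for illustration; the offsets and constants are the ones in the posted code.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MIN_ADDRESS 0xFF810000u /* from the thread */
#define HIGH_BASE   0xFFC00000u /* from the thread */

/* Little-endian 32-bit read/write on a byte buffer, safe at any alignment. */
static uint32_t rd32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Same field test as the dumpers' loop, but never reads past the image.
   Returns the record offset and stores the word at +0x50, or -1 if absent. */
long find_record(const uint8_t *img, size_t len, size_t start, uint32_t *wr) {
    for (size_t i = start; i + 0x54 <= len; i += 4) {
        if (rd32(img + i + 0x34) == 0 && rd32(img + i + 0x38) == 0 &&
            rd32(img + i + 0x3C) == 3 &&
            rd32(img + i + 0x4C) > MIN_ADDRESS &&
            rd32(img + i + 0x50) > MIN_ADDRESS) {
            *wr = rd32(img + i + 0x50);
            return (long)i;
        }
    }
    return -1;
}

/* Base-address choice from the SD40 dumper in the thread. */
uint32_t dump_base(uint32_t wr) { return wr > HIGH_BASE ? HIGH_BASE : MIN_ADDRESS; }

/* Constructed 1 KiB image: a decoy at 0x40 (bad +0x50) and a record at 0x100. */
long demo(uint32_t *wr) {
    static uint8_t img[0x400];
    wr32(img + 0x40 + 0x3C, 3);
    wr32(img + 0x40 + 0x4C, 0xFF900000u);  /* constructed */
    wr32(img + 0x40 + 0x50, 0x00001234u);  /* constructed, fails the > MIN_ADDRESS test */
    wr32(img + 0x100 + 0x3C, 3);
    wr32(img + 0x100 + 0x4C, 0xFF918000u); /* constructed */
    wr32(img + 0x100 + 0x50, 0xFF9182FCu); /* address quoted in reply #45 */
    return find_record(img, sizeof img, 0, wr);
}

int main(void) {
    uint32_t wr = 0;
    long off = demo(&wr);
    printf("record at 0x%lx, write ptr 0x%08x, dump base 0x%08x\n",
           (unsigned long)off, (unsigned)wr, (unsigned)dump_base(wr));
    return 0;
}
```
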

    Offline chr

    • Full Member
    • ***
    • Posts: 138
    • IXUS 82 IS
    udumper 2008
    « Reply #56 on: 31 / July / 2008, 03:44:53 »
  • Hi!

    I made a udumper for the latest cameras that refuse to boot unencoded diskboot files. At least it worked with my sd1100. I had to pad the file to 16K.

    In dryos_2008 is a 15x decoded diskboot.bin

    This build blinks the LED on 0xc0223030 before and after the dump is done.

    Hope, this will work on other cams, too.

    ps: tried it several times, sometimes it just bricks. Stroke the camera and try again ;)
    Also I noticed it works while the battery cover is still open!

    psps:
    - remove battery before (it may boot better) and after (cam is not "off" and drains battery)
    - use only the playback mode: the lens shall not track
    « Last Edit: 10 / August / 2008, 22:39:05 by chr »

    Offline whim

    • Guru Member
    • ******
    • Posts: 1977
    • A620/A630/A590-101b/i70-101b/i870-101a/i300
    Re: universal dumper - one more idea
    « Reply #57 on: 04 / October / 2008, 19:22:50 »
  • Hi,

    following discussions here Ixus 870 IS it turns out that

    a) udump08 WORKS on (at least 1) Digic IV cam !
    b) it would be preferable to have udumper always dump the entire firmware ( = up to 0xFFFF FFFF)

    fortunately brake came up with encode.c (here: First boot: a failure!)

    which enabled me to put together udumpfull

    • universal sourcecode for vxworks, dryos & newdryos
    • dumps complete firmwares (0xFFC00000-0xFFFFFFFF or 0xFF81 0000-0xFFFFFFFF)
    • see attachment for binaries and source code
    • bins/sources also integrated in CardTricks139.exe - 0.40MB

    thanks again to brake (and to ma_jk for testing newdryos udumpfull on A590IS) 

    enjoy,

    wim

    Offline brake

    • Rookie
    • *
    • Posts: 23
    • IXUS90IS / SD790IS
    Re: universal dumper - one more idea
    « Reply #58 on: 04 / October / 2008, 19:33:52 »
  • Just a quick question, what are the errors that appear from the Borland C++ compiler? I only compile with gcc, and that emits no warnings.

    Offline whim

    • Guru Member
    • ******
    • Posts: 1977
    • A620/A630/A590-101b/i70-101b/i870-101a/i300
    Re: universal dumper - one more idea
    « Reply #59 on: 04 / October / 2008, 19:45:50 »
  • Nothing serious AFAIK:

    Quote
    decode.c:
    Warning W8065 decode.c 79: Call to function 'resetkey' with no prototype in function encodefile
    Warning W8060 decode.c 100: Possibly incorrect assignment in function encodefile
    Warning W8065 decode.c 110: Call to function 'xencode' with no prototype in function encodefile
    Warning W8065 decode.c 114: Call to function 'resetkey' with no prototype in function encodefile
    Warning W8065 decode.c 114: Call to function 'rotatekey' with no prototype in function encodefile
    Turbo Incremental Link 5.00 Copyright (c) 1997, 2000 Borland

    the 'Possibly incorrect assignment in function encodefile' refers to

    Quote
    while (read = fread(data, 1, 8, f)) {

    ... which I guess is Borland's way to warn that you're assigning within the while clause;
        perfectly legal C, but it wants to make sure you didn't actually mean

    Quote
    while (read == fread(data, 1, 8, f)) {

    the prototype warnings are typical for C++ AFAIK

    wim
    « Last Edit: 04 / October / 2008, 19:59:00 by whim »

     

