I just tested your first dumper on my A720. I removed the signature, assigned the address to WriteSDCard directly and it actually wrote the firmware to the card.
Can you also test the first or second dumper with signatures (generated by tools/gensig(.exe))? If it works, we can try to dump the A650 in ten seconds.
I made the signature and it seems to work (main.c attached). One thing is strange, though. wr() doesn't seem to return. At least the debug-led isn't turned off, but the data is written anyway.
How would I go about finding that function so I can get this to work on the SD870?
I tried the signature-based main.c in my SD870 and it didn't work... I have the dump for my SD870 loaded into IDA, and I don't see that the WriteSDCard is labeled after running through the DryOS CHDK.idc script...
Quote from: RyeBrye
I tried the signature-based main.c in my SD870 and it didn't work... I have the dump for my SD870 loaded into IDA, and I don't see that the WriteSDCard is labeled after running through the DryOS CHDK.idc script...

WriteSDCard isn't part of the signature-file, you have to locate it yourself. Take a firmware in which you know the address, trace the path to the function and walk the same path on your own firmware.

To make sure the dumper is really not working ...
* note that it does not write a file. It starts writing at sector 1024 on the sd (not the partition)
* make sure that the code runs. My code didn't do anything at all using ewavr's makefile. Use the one you compiled your blinker with. Check this by enabling an led right after the start.

Also make sure to change the offset of your firmware or you might get unpredicted behaviour.

Cheers.
I modified the code to blink once when it started, and then to blink when it was writing... I see it blink when it loads, so I know it is running - but I don't see any other blinks. I checked the card with hexedit, and I just see a bunch of 00's around block 1024.
ROM:FFC3EC9C sub_FFC3EC9C                ; CODE XREF: sub_FFC3F0CC+Cp
ROM:FFC3EC9C     LDR     R1, =0x2BA0
ROM:FFC3ECA0     LDR     R1, [R1,#0xC]
ROM:FFC3ECA4     CMP     R1, #0
ROM:FFC3ECA8     CMPEQ   R0, #0
ROM:FFC3ECAC     BXNE    LR
ROM:FFC3ECB0     MOV     R1, #0
ROM:FFC3ECB4     LDR     R0, =0x11800
ROM:FFC3ECB8     STR     R1, [R0,#0x34]
ROM:FFC3ECBC     STR     R1, [R0,#0x38]
ROM:FFC3ECC0     MOV     R1, #3
ROM:FFC3ECC4     STR     R1, [R0,#0x3C]
ROM:FFC3ECC8     LDR     R1, =ReadSDCard
ROM:FFC3ECCC     STR     R1, [R0,#0x4C]
ROM:FFC3ECD0     LDR     R1, =WriteSDCard
ROM:FFC3ECD4     STR     R1, [R0,#0x50]
ROM:FFC3ECD8     BX      LR
edit: from your dumped firmware: WriteSDCard=0xFF9182FC
#define FW_ADDRESS   0xFFC00000   /* ROM base of the firmware */
#define FW_SIZE      0x3F0000     /* number of bytes to dump */
#define START_SECTOR 1024         /* raw SD sector where the dump starts (not a file) */
#define LED_PR       0xC0220084   /* LED GPIO register */

static inline void debug_led(int state)
{
    volatile long *p = (void *)LED_PR;
    if (state)
        p[0] = 0x46;
    else
        p[0] = 0x44;
}

/* WriteSDCard: drive(?), start sector, number of sectors, source address */
typedef int (*f_w)(int, int, int, int);

int main()
{
    int i;
    f_w wr;

    /* Scan RAM for the SD driver descriptor: words at +0x34 and +0x38 are 0,
       +0x3C is 3, and +0x4C / +0x50 hold the ReadSDCard / WriteSDCard pointers. */
    for (i = 0x1900; i < 0xF0000; i += 4)
        if ((*(unsigned int *)(i + 0x34) == 0) &&
            (*(unsigned int *)(i + 0x38) == 0) &&
            (*(unsigned int *)(i + 0x3C) == 3) &&
            (*(unsigned int *)(i + 0x4C) > FW_ADDRESS) &&
            (*(unsigned int *)(i + 0x50) > FW_ADDRESS)) {
            wr = (f_w) * (int *)(i + 0x50);
            debug_led(1);
            wr(0, START_SECTOR, FW_SIZE / 512, FW_ADDRESS);
            debug_led(0);
        }

    while (1)
        ;
    return 0;
}
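A host-side version of the same RAM search, added here as an example (not code from the thread): it scans a saved RAM image for the descriptor pattern the dumper looks for and reports the ReadSDCard/WriteSDCard pointers. The sample image, its pointer values and the decoy entry are constructed.

```python
import struct

# Constants from the posted main.c: ROM base and the size the dumper writes
FW_ADDRESS = 0xFFC00000
FW_SIZE = 0x3F0000

def find_sd_driver_struct(ram, ram_base=0, fw_base=FW_ADDRESS, fw_size=FW_SIZE):
    """Scan a RAM image for the SD driver descriptor filled in by sub_FFC3EC9C.

    Same pattern as the dumper: at a 4-byte-aligned offset the words at +0x34 and
    +0x38 are 0, +0x3C is 3, and +0x4C / +0x50 hold ReadSDCard / WriteSDCard.
    Both pointers must fall inside [fw_base, fw_base + fw_size), stricter than
    the dumper's "> FW_ADDRESS" test, which would also accept 0xFFFFFFFF.
    Returns a list of (struct_address, read_ptr, write_ptr) candidates.
    """
    u32 = struct.Struct("<I")  # DryOS on ARM: little-endian 32-bit words
    lo, hi = fw_base, fw_base + fw_size
    hits = []
    for off in range(0, len(ram) - 0x53, 4):  # last word read is at off+0x50
        if u32.unpack_from(ram, off + 0x34)[0] != 0:
            continue
        if u32.unpack_from(ram, off + 0x38)[0] != 0:
            continue
        if u32.unpack_from(ram, off + 0x3C)[0] != 3:
            continue
        rd = u32.unpack_from(ram, off + 0x4C)[0]
        wr = u32.unpack_from(ram, off + 0x50)[0]
        if lo <= rd < hi and lo <= wr < hi:
            hits.append((ram_base + off, rd, wr))
    return hits

def build_sample_ram(ram_base=0x11000, size=0x1000):
    """Constructed RAM image, not a real dump: filler words, one descriptor at
    0x11800 (the address the disassembly loads into R0) with made-up ROM
    pointers, and one decoy whose pointers are 0xFFFFFFFF."""
    ram = bytearray(b"\x11\x22\x33\x44" * (size // 4))
    u32 = struct.Struct("<I")

    def place(addr, rd, wr):
        off = addr - ram_base
        u32.pack_into(ram, off + 0x34, 0)
        u32.pack_into(ram, off + 0x38, 0)
        u32.pack_into(ram, off + 0x3C, 3)
        u32.pack_into(ram, off + 0x4C, rd)
        u32.pack_into(ram, off + 0x50, wr)

    place(0x11800, 0xFFC12340, 0xFFC12380)  # genuine; pointer values constructed
    place(0x11C00, 0xFFFFFFFF, 0xFFFFFFFF)  # decoy: passes "> FW_ADDRESS", fails range
    return bytes(ram)
```

Point a real dump at it with the RAM base the image was taken from and the ROM base of that camera's firmware; the decoy shows why the range check matters when the search runs over tables full of unprogrammed 0xFFFFFFFF words.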
How about RAM search? It works on my A710....
Maybe diskboot.bin is very long, or the OS reads the whole cluster (up to 64k) with this file into RAM?
diskboot is the usual 100k