hacking Canon EOS 1000D

[virility]

@raptorx30 : GREAT!!!! Gratiz has posted few information about the 1000d. the firmware is very similar to the one of the 450d. maybe you can "just" rewrite the 450d fw.

[Bobsancho]

I have some knowledge in C, i'll do my best to support this camera

Wow that's great news, give me some hope for CHDK on our DSLRs one day!

[virility]

@raptorx30 .... anything new about your project?

[gio91ber]

hello. i might have found something new: http://www.woodmann.com/forum/archive/index.php/t-7663.html

On this page people is talking about how to disassemble a firmware coming from a vxworks router, one of them writes:

I tried once to crack some vxwoks firmware. Inside the original file was another zlib compressed file that needed to be extracted. I used simple python script to extract data and continue analysis. Could find script if interested.
Did you set correct processor for your binary?

another userwho is struggling to get the same result asks:

if you could share that script, please send it across . it will be useful in few cases if you are reversing Linux kernel binary also. please share that !!

and the creator of the first message sent him this script:

Code: [Select]


from sys import *

from struct import *

from zlib import *



def main():

    print "\nextract and decompress zlib"

    if len(argv) is not 3:

        print """

Usage:

  <argv1> source file

  <argv2> dest file

    """

        exit()

    else:

        print """

Using:

  Source: %s

  Dest: %s

     """ % (argv[1],argv[2])

    try:

        in_fd=open(argv[1],"rb"

    except:

        print "[-]Could't open file %s" % argv[1]

        exit()



    try:

        out_fd=open(argv[2],"wb"

    except:

        print "[-]Could't open file %s" % argv[2]

        exit()



    buff=in_fd.read()

    print 'Length', hex(len(buff))



    for i in range(len(buff)):

        try:

            decomS = decompress(buff[i:])

        except:

#            print '.'

            continue



    print "Got it ", i, hex(i)

    out_fd.write(decomS)

    print "[+]Done writing to '%s'" % argv[2]



if __name__=="__main__":

    main()

the zilb compression library (http://www.zlib.net/) could have compressed our firmware... what do you think about this?

during the following days i'm going to try another idea: formatting an sd card, putting on it the firmware with other files then deleting them all and formatting then trying to find the files that was saved there with a file recovery software: do you think this would help splitting the original firmware from the empty bits???

[ragustin]

I have been a user of CHDK for S3. I finally upgraded to 1000D(FW v1.0.6). I am a programmer with c/c++ knowledge, and I am willing to get my hands deep on enabling spot metering and ISO3200 on my DSLR. I may have time implementing the features, but please don't rush me.

Could someone tell me how should I get started?

[engelmarkus]

I added some LED addresses to the wiki page http://chdk.wikia.com/wiki/1000D#LED_addresses, just in case you want to blink out a firmware dump yourself. I'm currently working on a new dump, but it's quite difficult to make it work.
The 1000D I bought last week has firmware version "1.0.7"... It seems this version has not been released on Canon's website yet.
I wrote a PM to Gratiz, but I think he's still busy with his studies.

[engelmarkus]

I just finished creating a firmware dump of 1.0.7: http://www.MegaShare.com/2260320
Now the next thing would be to make "EnableBootDisk" work, I think it's located at "ROM:FFD21248" and referenced from "ROM:FFD211DC". Then we can take a look at the beta source code of the 400D port...

[bastisk8]

Wow, great work, thanks for your efforts.

Please keep the project going.

Something like Magic Lantern, "DSLR-CHDK" or enabling the features of the 450d + high ISO and 5x bracketing would be awesome.

[nadivar]

Wow that's great news, give me some hope for CHDK on our DSLRs one day!

[virility]

@engelmarkus : sounds german, right?

really great work!

spot methering and 3fps in raw would be some awesome.....you are my hope!

[darkbrain]

Hey Markus!

Keep working please! Very great that someone is working on it! If i can help in any case, tell me!
btw: Komme auch aus good old Germany ;-) Ich biete einen Kasten Bier als Belohnung *gg*

[virility]

[nakata101]

Any update for EOS1000D

[muzsielod]

not yet

[acoder]

Hi guys,

just stumbled across chdk and modding canon firmwares yesterday. How to get started with the 1000D? From what I have read in the 400D thread I expected booting from SD card would be step one

http://chdk.setepontos.com/index.php/topic,3290.msg35329.html#msg35329

But my Kingston 2GB SD card made bootable with Cardtricks (formatted FAT32 and made read-only) just yields me an "read only card inserted" screen on my 1000D...

Someone else having success with a bootable SD card? Or does booting from SD require some firmware hack (as I infer from engelmarkus's post here http://chdk.setepontos.com/index.php/topic,2310.msg52099.html#msg52099)?

Does someone have more information?

If decrypting and patching an official Canon firmware is the way to go (in case the 1000D won't boot from SD in original state), then how to decrypt the FWs? Can gratiz or engelmarkus post some additional information here?


Cheers
A