Author Topic: hacking Canon EOS 1000D  (Read 42187 times)

Offline acoder

  • Newbie
  • *
  • Posts: 4
Re: hacking Canon EOS 1000D
« Reply #75 on: 21 / July / 2010, 17:12:45 »
If decrypting and patching an official Canon firmware is the way to go (in case the 1000D won't boot from SD in original state), then how to decrypt the FWs?


After tinkering around with some tools it looks like FIRLoad http://pel.hu/down/FIRload.exe can decrypt the flasher part of the FIR (there are sensible strings like "Copyright 1999-2001 ARM Limited.Copyright 1999-2001 Wind River Systems" in the decrypted file) but not the firmware itself (at least I am not able to identify any strings; it still looks pretty much encrypted, though I did not make any distribution analysis. EDIT: According to HxD's statistics all symbols are about evenly distributed, which implies the firmware is still encrypted with a reasonable algorithm).

Updated the http://chdk.wikia.com/wiki/1000D#Firmware_info, anyway.

Any further information?
« Last Edit: 21 / July / 2010, 17:37:01 by acoder »
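The "all symbols are about evenly distributed" check from the post above is a byte-entropy test, and the strings check is what `strings` does. The following is an added example, not code from this thread or from CHDK: it scans an image in fixed blocks, labels each block by its Shannon entropy, and lists printable runs. The sample image is constructed inline (a plaintext region carrying the vendor strings quoted above, zero padding, and a seeded pseudo-random region standing in for the encrypted firmware); the entropy thresholds are a working heuristic, not a standard.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant data, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_block(entropy: float) -> str:
    # Heuristic thresholds (assumption, not a standard): zero padding sits near 0,
    # ARM code and text usually score roughly 4-6.5 bits/byte, and ciphertext or
    # well-compressed data sits close to 8.
    if entropy < 1.0:
        return "padding"
    if entropy < 7.0:
        return "plain"
    return "encrypted-or-compressed"


def scan_blocks(data: bytes, block_size: int = 4096) -> list[tuple[int, float, str]]:
    """Walk the image in fixed blocks and label each by its byte-distribution entropy."""
    result = []
    for off in range(0, len(data), block_size):
        h = shannon_entropy(data[off:off + block_size])
        result.append((off, round(h, 3), classify_block(h)))
    return result


def find_strings(data: bytes, min_len: int = 8) -> list[str]:
    """Return runs of printable ASCII at least min_len long, as `strings` would."""
    out, run = [], bytearray()
    for b in data:
        if 0x20 <= b < 0x7F:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        out.append(run.decode("ascii"))
    return out


def build_sample_image() -> bytes:
    """Constructed stand-in for a partly decrypted FIR: a plaintext region with
    vendor strings, a zero-padded region, then a pseudo-random region that plays
    the role of the still-encrypted firmware body."""
    rng = random.Random(1000)  # fixed seed so the sample is reproducible
    text = (b"Copyright 1999-2001 ARM Limited.Copyright 1999-2001 Wind River Systems\x00"
            b"FIRMWARE UPDATE FLASHER (constructed sample)\x00") * 60
    text = text[:4096].ljust(4096, b"\x00")
    padding = bytes(4096)
    ciphertext = bytes(rng.getrandbits(8) for _ in range(8192))
    return text + padding + ciphertext


if __name__ == "__main__":
    image = build_sample_image()
    for off, h, label in scan_blocks(image):
        print(f"0x{off:06x}  {h:5.3f} bits/byte  {label}")
    print("first strings:", find_strings(image)[:2])
```

Run it against a real file by replacing `build_sample_image()` with `open(path, "rb").read()`; a region that the flasher decryption exposed will drop from the "encrypted-or-compressed" band into the "plain" band and start yielding readable strings, while a region that stays flat near 8 bits/byte is still encrypted or compressed.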

Offline virility

  • Rookie
  • *
  • Posts: 14
Re: hacking Canon EOS 1000D
« Reply #76 on: 22 / July / 2010, 18:54:21 »

Offline acoder

  • Newbie
  • *
  • Posts: 4
Re: hacking Canon EOS 1000D
« Reply #77 on: 24 / July / 2010, 04:28:37 »

Offline engelmarkus

  • Rookie
  • *
  • Posts: 6
Re: hacking Canon EOS 1000D
« Reply #78 on: 25 / July / 2010, 21:22:37 »
I'm sorry, but the whole process isn't easy.
First of all, you'll need an original fir file from the canon website.
Then you'll have to compile "dissect_fw3_2.c" from the attachment and run it on the fir file. This will split it into pieces.

Now you can write some code you want to run on your camera, for example
Code:
/* Memory-mapped GPIO register for the blue LED and the value that switches it on
   (addresses as given in this post, for the 1000D). */
#define LED_BLUE 0xC02200E8
#define LED_ON    0x46

int main(void) {
  /* volatile: the write must reach the hardware register, not be optimised away */
  *((volatile long*)LED_BLUE) = LED_ON;
  /* never return: this replaces the flasher, so there is nothing to return to */
  while (1) ;
}

Compile it and link it.
Now build a new fir file. Open assemble_fw and change $header_file, $flasher_file and $camera_id to match your camera. Run assemble_fw. You will get a file "output.fir". Copy this file to your sd card and do a firmware update. The blue led should turn on. To make your camera work again you'll have to take out its battery...

You will have to blink out at least a part of a new firmware version through an led in order to find out some function addresses you need for creating a complete dump. For that I used the blue led, a photo diode and some cd audio cable. Just look at the pictures in the attachment.
Now disassemble your dump and find all of the functions listed in entry_subs.S. Replace the addresses there with the ones you found out.
You are able to reboot your camera and create a new process now, which will write a complete dump to an sd card.

Decryption of the flasher part of fir files is possible, but I think it is of no use...

Offline acoder

  • Newbie
  • *
  • Posts: 4
Re: hacking Canon EOS 1000D
« Reply #79 on: 26 / July / 2010, 22:41:15 »

Run assemble_fw. You will get a file "output.fir". Copy this file to your sd card and do a firmware update. The blue led should turn on. To make your camera work again you'll have to take out its battery...


What I am uncertain about wrt this step is: does this blow my camera's brains out or not? As it is a firmware update it should (firmware should now contain only turning blue led on and an infinite loop). But given that you later extracted the complete fw there seems to be a safety catch preserving the original firmware.

Background: the latest downloadable firmware is 1.06, while both yours and my camera are already at 1.07.

Furthermore: can you extract the respective portions from the 1.07 fw dump and integrate them back into a fir file (taking the flasher from either the 1.07 dump or the 1.06 fw download)?

In the meantime I had some trouble setting up a Ubuntu 10.4 dev VM. I seem unable to get cross gcc 4.3.3 running. Thus, I am now back on Windows using the CHDK Shell v273.

Anyhow, is IDA 4.9 sufficient for working with the dumps or is 5.x required?

Cheers
A

Offline engelmarkus

  • Rookie
  • *
  • Posts: 6
Re: hacking Canon EOS 1000D
« Reply #80 on: 01 / August / 2010, 21:55:01 »
No, it does not overwrite your firmware.
A fir file consists of 3 parts: A header, the flasher and the actual firmware (encrypted). The complete fir file is loaded at 0x800000 (RAM). Then the camera checks its header, whether it is the right file. After that it jumps to 0x800120. There the flasher code begins. The flasher itself is responsible for overwriting the flash. assemble_fw will exchange the flasher with our own code and it will zero out the rest of the file. So there is no chance of "blowing its brains out" :D .
The problem is that many of the addresses and data are hardcoded into the firmware. As the fir file is partly encrypted, you cannot easily make changes there. You'd have to reencrypt it. But I don't know how :( .
IDA 4.9 is probably ok, although I'm using 5.5.

Offline virility

  • Rookie
  • *
  • Posts: 14
Re: hacking Canon EOS 1000D
« Reply #81 on: 04 / August / 2010, 01:18:23 »
How far are you with your firmware? Have you seen any features in the code that can be enabled?

Offline engelmarkus

  • Rookie
  • *
  • Posts: 6
Re: hacking Canon EOS 1000D
« Reply #82 on: 05 / August / 2010, 00:26:59 »
Well, you could do a lot of things, but you'll always have to make permanent changes to the firmware.
The next thing is probably to find out how to hook buttons, so we can make the camera do something...

Offline nakata101

  • Newbie
  • *
  • Posts: 2
Re: hacking Canon EOS 1000D
« Reply #83 on: 08 / August / 2010, 14:04:18 »
Well, you could do a lot of things, but you'll always have to make permanent changes to the firmware.
The next thing is probably to find out how to hook buttons, so we can make the camera do something...
Wow!! Cant wait for it!!!


Offline virility

  • Rookie
  • *
  • Posts: 14
Re: hacking Canon EOS 1000D
« Reply #84 on: 13 / August / 2010, 20:50:41 »
I think the most important changes were mentioned in this thread.

3fps in raw, ISO 3200, spot metering


Offline Bobsancho

  • Rookie
  • *
  • Posts: 17
Re: hacking Canon EOS 1000D
« Reply #85 on: 17 / August / 2010, 04:17:14 »
not to mention video record :)

Offline virility

  • Rookie
  • *
  • Posts: 14
Re: hacking Canon EOS 1000D
« Reply #86 on: 20 / August / 2010, 14:47:15 »

Offline sensitiveeyes

  • Newbie
  • *
  • Posts: 1
Re: hacking Canon EOS 1000D
« Reply #87 on: 25 / August / 2010, 16:22:43 »
Quick ?

The firmware "bin" that is linked to on the Camera's page, how do I go about installing it, and does anyone know of the exact changes accompanying that update?

Offline bastisk8

  • Newbie
  • *
  • Posts: 4
Re: hacking Canon EOS 1000D
« Reply #88 on: 25 / August / 2010, 18:40:50 »
Just read in the German CHDK Forums that Canon's own script language has been discovered; could this be any helpful?


Link for the German folks:
http://www.wirklemms.de/chdk/forum/viewtopic.php?t=2013

Offline acoder

  • Newbie
  • *
  • Posts: 4
Re: hacking Canon EOS 1000D
« Reply #89 on: 11 / September / 2010, 23:31:24 »
Just read in the German CHDK Forums that Canon's own script language has been discovered; could this be any helpful?

According to a quick check with my 1000D (fw 1.07) and a look at the firmware strings, at least my camera does not seem to support the recently discovered scripting language. Hopefully, I do stand corrected wrt this claim ;)

Booting from card and autoexec.bin are in the strings and thus very likely supported (though apparently disabled by default).
