Development for the 5D mk II

ewavr

1057
A710IS

Re: Development for the 5D mk II

« Reply #10 on: 05 / March / 2009, 18:05:36 »

Advertisements

Some information from russian forum - Memset succesfully dumped 5D mk II and 50D using own toolkit - http://www.zshare.net/download/56526976b795c07f/ (all instructions inside).

Logged

PhyrePhoX

2254
make RAW not WAR

Re: Development for the 5D mk II

« Reply #11 on: 05 / March / 2009, 19:47:48 »

too bad google still cant translate this forum. nice move, kudos to memset.
this will push the chdk-dslr development farther, and i seriously have to reconsider my "Coders Humiliate DSLR Kiddies" slogan soon

Logged

Flickr*
www.PhyreWorX.de
CHDK News @ Twitter

ewavr

1057
A710IS

Re: Development for the 5D mk II

« Reply #12 on: 06 / March / 2009, 05:59:17 »

... and dumps from 5D Mk II:
http://narod.ru/disk/6359802000/ROM0.bin.html
http://narod.ru/disk/6359665000/ROM1.bin.html

(enter captcha and press green button).

Logged

Ailurus fulgens

38

Re: Development for the 5D mk II

« Reply #13 on: 06 / March / 2009, 06:03:09 »

is it dryos (or better: CryOS

) ? can they be loaded into IDA using the usual way? i guess not, at least applying the signatures and the like does not work, eh? afaik in the other dslrs dumps there were no functionnames, if i remember correctly.

Logged

freegun

2

Re: Development for the 5D mk II

« Reply #14 on: 11 / March / 2009, 17:05:28 »

could anyone post link to russian forum where 5d dumping toolkit was anounced ?

Logged

ewavr

1057
A710IS

Re: Development for the 5D mk II

« Reply #15 on: 11 / March / 2009, 17:30:08 »

Quote from: freegun on 11 / March / 2009, 17:05:28

could anyone post link to russian forum where 5d dumping toolkit was anounced ?

http://forum.ixbt.com/topic.cgi?id=20:22191 , pages 132-133

Link to toolkit was posted to me and other forum members via PM.

« Last Edit: 11 / March / 2009, 17:31:46 by ewavr »

Logged

freegun

2

Re: Development for the 5D mk II

« Reply #16 on: 14 / March / 2009, 08:51:26 »

Hi, does anybody look into 5dmk2 dumps ?

I've looaded it into Ida pro.
rom entry point looks like: ROM:F8010000 LDR PC, =0xFF81000C

then at F801000C it looks like initialisation, but this "LDR PC" jump to some wrong place. Does anybody have clue if it IDa's wrong interpretation, or its dump with errors, or somthing else ? this LDR PC's instructions are also used in other places of code.

does 50d dumps are also available ?

Thanks.

ROM:F801000C ; ---------------------------------------------------------------------------
ROM:F801000C
ROM:F801000C boot_entry
ROM:F801000C MOV R1, #0xC0000000
ROM:F8010010 LDR R2, =0xD9C5D9C5
ROM:F8010014 STR R2, [R1,#0x10]
ROM:F8010018 LDR R2, =0xC0200000
ROM:F801001C MOV R1, #1
ROM:F8010020 STR R1, [R2,#0x10C]
ROM:F8010024 MOV R1, #0xFF
ROM:F8010028 STR R1, [R2,#0xC]
ROM:F801002C STR R1, [R2,#0x1C]
ROM:F8010030 STR R1, [R2,#0x2C]
ROM:F8010034 STR R1, [R2,#0x3C]
ROM:F8010038 STR R1, [R2,#0x4C]
ROM:F801003C STR R1, [R2,#0x5C]
ROM:F8010040 STR R1, [R2,#0x6C]
ROM:F8010044 STR R1, [R2,#0x7C]
ROM:F8010048 STR R1, [R2,#0x8C]
ROM:F801004C STR R1, [R2,#0x9C]
ROM:F8010050 STR R1, [R2,#0xAC]
ROM:F8010054 STR R1, [R2,#0xBC]
ROM:F8010058 STR R1, [R2,#0xCC]
ROM:F801005C STR R1, [R2,#0xDC]
ROM:F8010060 STR R1, [R2,#0xEC]
ROM:F8010064 STR R1, [R2,#0xFC]
ROM:F8010068 LDR R1, =0xC0400008
ROM:F801006C LDR R2, =0x430005

Logged

ewavr

1057
A710IS

Re: Development for the 5D mk II

« Reply #17 on: 14 / March / 2009, 09:03:16 »

Quote from: freegun on 14 / March / 2009, 08:51:26

Does anybody have clue if it IDa's wrong interpretation, or its dump with errors, or somthing else ? this LDR PC's instructions are also used in other places of code.

Maybe something else - at camera startup code is copied from ROM (0xF8010000) to RAM (0xFF810000) for faster execution.
But this is only my assumption.

upd: Memset's comments on this dump:

Quote

Digic IV EOS ROM map

0xF8000000 - ROM0 (64Mb)
0xF0000000 - ROM1 (32Mb)

0xF8000000 - 0xF0010000 - Flags & config area
0xF8010000 - 0xF874FFFF - User area
0xF8760000 - 0xF87BFFFF - FPGA config
0xF87C0000 - 0xF7DFFFFF - Bind resource
0xF87E0000 - 0xF87EFFFF - Bootrom cipher extension
0xF87F0000 - 0xF87FFFFF - Bootloader (bootrom)

FPGA config area: byte-by-byte interleaved bitstreams:
bitstream 0: Xilinx Spartan-3E XC3S250E
bitstream 1: Xilinx Spartan-3E XC3S100E

« Last Edit: 14 / March / 2009, 09:08:38 by ewavr »

Logged

Marvin

4

Re: Development for the 5D mk II

« Reply #18 on: 15 / March / 2009, 17:04:36 »

I'm new at camera tweaking so please bear with me.

I'm close to 1000 named functions in IDA, though this is less than 10% of all functions in ROM0. It's long and dull but straightforward. I'll post a map file people can apply to their IDA projects when I've done the obvious stuff. Otherwise we repeat a lot of work.

I was under the impression that the ROM on these systems was at the end of memory so when I found some hardcoded references that didn't work I gave up on 0xF8000000 and reloaded ROM0 at 0xFF800000. I did a hunt for the ARM reset vector at 0xFFFF0000 (alternative to 0x0) and there is a plausable jump leading to configuration code in an area that claims to be the bootloader at the end of ROM0.

Logged

Marvin

4

Re: Development for the 5D mk II

« Reply #19 on: 04 / April / 2009, 12:31:14 »

As promised,

http://www.mediafire.com/download.php?mwmwjyjhmq5

About five thousand functions named.

Logged