Dryos Basic scripting

[aortega]

Hi all!

We reversed the basic language interpreter that comes with most Powershot cameras. This is not the same as uBasic and doesn't need CHDK installed.

It could be useful to dump the firmware from some models, it's very easy to do this with a simple script that you save in the SD card.

We did a talk about this in the Defcon security conference and we published documentation and videos in this URL:

http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=Exploiting_Digital_Cameras

You can download the (incomplete) documentation of the language from this link:

http://corelabs.coresecurity.com/index.php?module=Wiki&action=attachment&type=publication&page=Exploiting_Digital_Cameras&file=Exploiting_Digital_Cameras_IOBasic_-_BONUS.pdf

Hope it's useful.

Oren and Alfred

[reyalp]

Very nicely done

[dvip]

Nice aortega, some useful functions there.
Would be nice to have some of them in lua.

I like these   

InitializeSoundRec( )
FreeBufferForSoundRec( )
StartSoundRecord( 3 )
TerminateSoundRec( )

[reyalp]

Nice aortega, some useful functions there.
Would be nice to have some of them in lua.

I like these   

InitializeSoundRec( )
FreeBufferForSoundRec( )
StartSoundRecord( 3 )
TerminateSoundRec( )

Divp, you should be able to call any of these using the eventproc interface. http://chdk.wikia.com/wiki/LUA/LUA_Reference/Native_Function_Calls

[ewavr]

@reyalp, multiply(*) is working in your D10?
It seems that a=2*2 crashes my a710, but a=2+2 works

Code: Visual Basic

1. dim f,a
2.  
3. private sub Initialize()
4.   a=2*2
5.   SystemEventInit()
6.   f=Fopen_Fut("A/dump.bin","w")
7.   Fwrite_Fut(&a, 4,1,f)
8.   Fclose_Fut(f)
9. end sub
10.  

In old VxWorks cameras, LCDMsg_**** functions are absent...

[reyalp]

That script crashes my d10

edit:

Code: [Select]

ASSERT!! Script.c Line 461
Occured Time  2010:08:13 22:19:39
Task ID: 12582936
Task name: CtrlSrv

edit:
and also a540 with an assert in Script.c


edit:
BTW, I started a wiki page to document this http://chdk.wikia.com/wiki/Canon_Basic

edit:
A fairly comprehensive list of eventprocs on a540 may be found at http://chdk.wikia.com/wiki/User:ReyalP/EventProcNotes

edit:
Vxworks has PT_SetMessage and PT_UndispMessage but I'm not sure how they work.

[aortega]

@ewavr I believe the problem with that script is on the operator & that doesn't behave like in C.
The equivalent in Canon basic may be the weird operators %%MEMORY_L, %%MEMORY_S and %%MEMORY_M, but we didn't test them.

Something like this should work (tested on my G10):

private sub Initialize()
   System.Create()
   a=strlen("Aaaaaaaa\n")
   sprintf(b,"Aa%caaaaaaa\n",0)
   a=Fopen_Fut("A/test.txt","w")
   Fwrite_Fut("AAAA",1,4,a)
   Fwrite_Fut(b,1,6,a)
   Fclose_Fut(a)
end sub

Note that you don't really need to DIM variables. And sorry but Latex screwed with the characters on the documentation and copy-paste of scripts won't work.

You guys crafted a functional firmware dumper in less than an hour? that's awesome.


EDIT: oops, didn't see that 2+2 works. Then probably it's the multiplication, we didn't test all operators.

[reyalp]

@aortega
Would you mind if I reproduce the "Executing Scripts" and "Language constructs" sections in our wiki ?

[aortega]

@reyalp, no problem at all.

BTW, there are many interesting event procedures such as AdditionAgentRAM(), looking at the firmware it seems to accept a file, load it into memory, check if starts with "gaonisoy", creates a task and runs it. Maybe it's a easier way to execute ARM code.

Great to know that it works on VxWorks, we missed that one.

[Microfunguy]

Any 2010 cameras that the firmware dumping script can be tried on ?

[ewavr]

It seems that Canon use asterisk(*) as dereference operator only:

  a=1
  b=&a
  *b=2
(a is now equal to 2)

Maybe Canon use another character (or set of characters, like trigraphs in C) for multiply operation (and something else for binary AND instead of '&').

[dvip]

@reyalp, thanks for the info regarding eventproc to call those native functions.

[emlyn]

This looks very interesting, but unfortunately I have been unable to get it working on an IXUS 130 (SD 1400IS). The camera just behaves as if nothing is different, pressing 'set' just brings up the usual menu on the left of the screen.
It's possible that I did something wrong, but I suspect that this is yet another thing that Canon has tightened up on the 2010 cameras...

[Microfunguy]

Do you have a pre-2010 camera you can try your procedure on ?

If Canon have disabled it, that is very mean, I do not understand their 'problem'.

[emlyn]

Do you have a pre-2010 camera you can try your procedure on ?

Unfortunately not at the moment (I may eventually get an old one to play around with CHDK if there is no progress on the recent ones).

If Canon have disabled it, that is very mean, I do not understand their 'problem'.

Yes, it is disappointing... hopefully something will be found eventually for these cameras.