Problems dumping the SD1100IS/IXUS80IS

[chr]

I looked for two functions in your firmware:
  WriteSDCard: 0xFF91F0C8
  ReadSDCard: 0xFF91EF70

WriteSDCard is used by udumper to write the firmware to the SD. I wrote some notes on how to use it. See this and the following posts.

Cheers.

kewl. I'm going to build an udumper. Might work in other latest cams too.

Wait: these symbols were not in the file   !

And finally here's the diskboot.bin porno: Emulating Digicam with QEMU

Question: can IDA "run" the code like that?

Mh, we close this thread and open "porting SD1100" 

[jeff666]

kewl. I'm going to build an udumper. Might work in other latest cams too.
Wait: these symbols were not in the file   !

Those functions aren't part of the signature-file, thus they weren't in the file I posted earlier. I found the functions because I know how they are referred.

Also note that the addresses only work for your firmware. Function locations differ in every firmware-build. The udumper locates WriteSDCard due to some hints and guesswork - it doesn't always succeed, though. See this and the subsequent posts for details.

Question: can IDA "run" the code like that?

No, it's just a disassembler, not a debugger (at least the ARM-part).

Mh, we close this thread and open "porting SD1100" 

Go on. Read the G9-porting-thread if you haven't, yet.

Cheers.

[mx3]

SD1100IS/IXUS80IS dump

it is great.
please share diskboot.bin project sources and crypter sources so other people could do the same with theirs similar camera models.

[chr]

it is great.
please share diskboot.bin project sources and crypter sources so other people could do the same with theirs similar camera models.

Mh, I documented everything ... is something missing?
Also I don't like to talk about encryption. I know nothing about that. It may be illegal to look at. What I found so far is hardly encryption, isn't it? U read my post about decoding? Emulating Digicam with QEMU

Also note that the addresses only work for your firmware. Function locations differ in every firmware-build. The udumper locates WriteSDCard due to some hints and guesswork - it doesn't always succeed, though. See this and the subsequent posts for details.

Argh! U Bastard! Why didn't u post this earlier???

Ok, quick try. udumper with fixed SDWrite adress works! And the md5sum of the dump ... *drumroll* the same as the led dump.

But udumper with searching for the address did not work. However, running in gdb it's Bingo:

Code: [Select]


WriteSDCard: 0xff91f0c8
ReadSDCard:  0xff91ef70

ff84e81c:   e3a01000    mov r1, #0  ; 0x0
ff84e820:   e59f00b4    ldr r0, [pc, #180]  ; ff84e8dc <_binary_dump_bin_start+0x3e8dc>
ff84e824:   e5801034    str r1, [r0, #52]
ff84e828:   e5801038    str r1, [r0, #56]
ff84e82c:   e3a01003    mov r1, #3  ; 0x3
ff84e830:   e580103c    str r1, [r0, #60]
ff84e834:   e59f10c0    ldr r1, [pc, #192]  ; ff84e8fc <_binary_dump_bin_start+0x3e8fc>
ff84e838:   e580104c    str r1, [r0, #76]
ff84e83c:   e59f10bc    ldr r1, [pc, #188]  ; ff84e900 <_binary_dump_bin_start+0x3e900>
ff84e840:   e5801050    str r1, [r0, #80]
ff84e844:   e12fff1e    bx  lr

(gdb) j *0xff84e81c
Continuing at 0xff84e81c.

Breakpoint 3, 0xff84e844 in _binary_dump_bin_start ()
(gdb) x/32x $r0
0x11544:        0x00000000      0x00000000      0x00000000      0x00000000
0x11554:        0x00000000      0x00000000      0x00000000      0x00000000
0x11564:        0x00000000      0x00000000      0x00000000      0x00000000
0x11574:        0x00000000      0x00000000      0x00000000      0x00000003
0x11584:        0x00000000      0x00000000      0x00000000      0xff91ef70
0x11594:        0xff91f0c8      0x00000000      0x00000000      0x00000000
0x115a4:        0x00000000      0x00000000      0x00000000      0x00000000
0x115b4:        0x00000000      0x00000000      0x00000000      0x00000000


in qemu the udumper works. I guess, the image is too large! I'll check


Question:

#if defined (DRYOS)
// #warning DRYOS
// jeff666: fill some memory with zeroes; "simulate" large diskboot
// WARNING: the starting address is a guess

for (i = 0x1c00; i<0x30000; i+=4)  *(int*)i=0;

[jeff666]

Argh! U Bastard! Why didn't u post this earlier???

Because it would have been to easy and no challenge at all

Question:

#if defined (DRYOS)
// #warning DRYOS
// jeff666: fill some memory with zeroes; "simulate" large diskboot
// WARNING: the starting address is a guess

for (i = 0x1c00; i<0x30000; i+=4)  *(int*)i=0;

Hmm... it's been a while. I think it's like that:
* Originally our diskboot-files were zero-padded to 100k.
* Some memory after 0x1900 needs to be zeroed out for WriteSDCard to work.
* Around this area are pointers to WriteSDCard and ReadSDCard which were overwritten by our large diskboot-file. WriteSDCard does work with hard-coded pointers, though.
* We reduce diskboot-size, thus locate the pointers but WriteSDCard stops working.
* To compensate we blank out memory after we found the pointer to WriteSDCard.

Cheers.

[chr]

Argh! U Bastard! Why didn't u post this earlier???

Because it would have been to easy and no challenge at all

Too easy. Meanwhile I played with the older SD40 - CHDK Wiki it boots well the stuff I compile:
[DOWNLOAD LINKS] Firmware dumps available

But the SD1100 is still a beast. Wants about 4k padding but sometimes refuses to do anything ... 100K was simply too much !!!!! 

[arvacon]

Hi.I have an Ixus 85is (sd 770). Is there any hope to build a CHDK version for this camera?
Will it be possible to run the same version for what you are making now for the Ixus 80 (sd1100) in my camera?
Please guys,keep trying,don't stop now!

Ps: My firmware version is GM 1.00a
 

[baccoba]

hi I am an Italian boy and I have just bought an IXUS80, I hope to succeed in installing soon your CHDK. When you think can you/he/she be ready?
thanks and good job!

[arvacon]

Bad news.

Yesterday my cam got a E18 "Lens error, restart camera" without any reason!

I did not drop the cam nor did I play with DISKBOOT. It simply refused to work. Looking closly I noticed, the Lens is not correct mounted: The outer "Gummidichtung" (english?!) is not well fitting and maybe caused the blocking.

Today it operates as nothing happened, but vers.req show an "E18" with timestamp in the log.

So tomorrow I'm going to return the cam.

Can CHDK hurt the camera like this problem?

[MrSpoon]

Hi, so I have the A470 and tried the encoded blinker diskboots and it gets the LCD blinking...
The led_on_off.bin.cr.5 does get the AF LED on...

I could probably work out writing a blinker and getting the LED address, but the encoding stage sounds a little beyond me...

[chr]

Hi, so I have the A470 and tried the encoded blinker diskboots and it gets the LCD blinking...
The led_on_off.bin.cr.5 does get the AF LED on...

Thats a good start. With that u can already calculate the led adress

I could probably work out writing a blinker and getting the LED address, but the encoding stage sounds a little beyond me...

I started working on an udumper, but still it refuses to do the work.

[Yoshiofthewire]

I wanted to thank you for your hard work and ask if there is anyway I can help.  I have a SD1100IS (Brown).

[MrSpoon]

Hey, I have qemu running and am able to decode and re-encode your earlier examples, so I have that working at least oO

When I try to encode my own diskboot.bin files though they just 'brick' the camera =/ I've never done any chdk compiling before so I get the feeling Im just doing something silly...would you mind giving a brief runthrough to see what I've missed?

I've tried making grand's blinker code and even with your earlier led code as well...

many thanks!

EDIT: Nevermind! I got the blinker working(ish), made a new thread for my problems after that though hehe

[Phoool]

so i'm just wondering if we are actually any closer to getting CHDK on ixus80is? i cant really understand all this talk of LED blinkers and whatnot ( :-[my bad - just not that technically minded) and was just wondering what all this means for the average pleb who just bought a shiny new ixus80is?

i got addicted to CHDK with my ixus70 which i lost recently hence the ixus80is...

thanks for all the hard work from everyone who understands what they are doing here...

hope we get CHDK on ixus80is soon

i'll just sit here patiently till then...

[pricead]

so i'm just wondering if we are actually any closer to getting CHDK on ixus80is? i cant really understand all this talk of LED blinkers and whatnot ( :-[my bad - just not that technically minded) and was just wondering what all this means for the average pleb who just bought a shiny new ixus80is?

i got addicted to CHDK with my ixus70 which i lost recently hence the ixus80is...

thanks for all the hard work from everyone who understands what they are doing here...

hope we get CHDK on ixus80is soon

i'll just sit here patiently till then...

Seems like someone was successful in dumping the firmware, which is the first step to getting CHDK to work on our camera. I too anxiously await the SD1100IS/IXUS80 CHDK!