How to Dump Firmware ?
« on: 27 / November / 2007, 19:49:17 »
Obtaining a firmware dump
http://chdk.wikia.com/wiki/Obtaining_a_firmware_dump


Canon Basic/Scripts/Dumper
http://chdk.wikia.com/wiki/Canon_Basic/Scripts/Dumper

[admin edited]

hi ;) ... i have the 650is and am interested in how to dump the firmware ...
what tools are needed and what tasks have to be done to achieve this ? ....

chris
« Last Edit: 01 / August / 2017, 11:24:24 by acseven »

jeff666
Re: how to dump firmware ?
« Reply #1 on: 28 / November / 2007, 07:36:58 »
The current state-of-the-art (and also only) method to get the firmware is to "blink" it using a phototransistor and a dumper program that blinks the firmware out through one of the LEDs (preferably the AF LED).

See:
General information:
http://chdk.wikia.com/wiki/Porting_the_CHDK

Run own code on a Cam without "Firm Update"-menu entry:
http://forums.dpreview.com/forums/read.asp?forum=1010&message=25202367

Find the address of the LEDs:
http://forums.dpreview.com/forums/read.asp?forum=1010&message=24988142

You will also need to (partly) modify and compile the dumper code, which needs an ARM compiler as well as some (at least basic) C programming knowledge.

see:
http://chdk.wikia.com/wiki/Compiling_CHDK_under_Windows or
http://chdk.wikia.com/wiki/Compiling_CHDK_under_Linux


There are thoughts going on about a universal dumper. In case this approach is successful the effort for dumping the firmware may be as little as copying a file to the card and putting it into the cam. But there's nothing usable, yet.

Cheers.
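jeff666's reply describes the only dumping method of the time: a dumper program blinks the firmware out through an LED and a phototransistor on the host records the light. The thread does not describe the bit encoding, so the script below is an added example with an assumed UART-like framing (one start bit with the LED on, 8 data bits LSB first, one stop bit with the LED off), not the encoding of any CHDK dumper and not code from this thread or the CHDK project. It encodes a blob, simulates a noisy phototransistor capture, recalibrates the on/off threshold from the capture itself, decodes the frames, and uses a CRC-32 trailer so a clean optical dump can be told apart from a corrupted one. All function names and the sample firmware bytes are constructed for the example.

```python
import random
import zlib

# Assumed framing for this example (the thread does not describe the real one):
# each byte = 1 start bit (LED on), 8 data bits LSB first, 1 stop bit (LED off).
# The LED idles off between frames.
IDLE_BITS = 8


def pack_dump(firmware: bytes) -> bytes:
    """Append a CRC-32 trailer so the host can check the dump after decoding."""
    return firmware + zlib.crc32(firmware).to_bytes(4, "little")


def verify_dump(blob: bytes) -> tuple:
    """Split a decoded blob into (firmware, crc_ok)."""
    if len(blob) < 4:
        return b"", False
    body, trailer = blob[:-4], blob[-4:]
    return body, zlib.crc32(body).to_bytes(4, "little") == trailer


def encode_frames(data: bytes) -> list:
    """Turn bytes into the LED on/off bit sequence the camera side would emit."""
    bits = [0] * IDLE_BITS
    for byte in data:
        bits.append(1)                                   # start bit
        bits.extend((byte >> i) & 1 for i in range(8))   # data bits, LSB first
        bits.append(0)                                   # stop bit
    bits.extend([0] * IDLE_BITS)
    return bits


def simulate_capture(bits: list, on: int = 200, off: int = 20,
                     noise: int = 30, seed: int = 0) -> list:
    """Constructed stand-in for the phototransistor: one noisy 8-bit brightness
    sample per bit period (deterministic noise so the result is repeatable)."""
    rng = random.Random(seed)
    samples = []
    for b in bits:
        level = (on if b else off) + rng.randint(-noise, noise)
        samples.append(max(0, min(255, level)))
    return samples


def decode_frames(samples: list) -> bytes:
    """Threshold the capture and walk the frames; raise on a framing error."""
    # Calibrate the on/off threshold from the capture instead of a fixed value.
    threshold = (min(samples) + max(samples)) // 2
    bits = [1 if s > threshold else 0 for s in samples]
    out = bytearray()
    i = 0
    while i < len(bits):
        if bits[i] == 0:        # idle period, keep looking for a start bit
            i += 1
            continue
        if i + 9 >= len(bits):
            raise ValueError("truncated frame at sample %d" % i)
        value = 0
        for k in range(8):
            value |= bits[i + 1 + k] << k
        if bits[i + 9] != 0:
            raise ValueError("framing error at sample %d (no stop bit)" % i)
        out.append(value)
        i += 10
    return bytes(out)


if __name__ == "__main__":
    fw = bytes(range(256)) * 4            # constructed stand-in for a firmware region
    samples = simulate_capture(encode_frames(pack_dump(fw)), seed=1)
    recovered, ok = verify_dump(decode_frames(samples))
    print(len(samples), "samples ->", len(recovered), "bytes, crc ok:", ok)
```

The threshold recalibration is the part worth copying into any real capture tool: LED brightness and sensor gain differ between cameras and rigs, and a fixed cut-off is the usual cause of a dump that decodes without errors but fails its checksum.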

Re: how to dump firmware ?
« Reply #2 on: 02 / December / 2007, 14:53:36 »
Winno made an interesting edit on the A650IS CHDK Wiki. Apparently the addresses of the LEDs are known on this camera.
http://chdk.wikia.com/wiki/A650IS#LED_Memory_Addresses

I'm intrigued as to how this was obtained. I guess the SD card was made bootable as described at:
http://forums.dpreview.com/forums/read.asp?forum=1010&message=25202367

I too have an A650IS. I borrowed an A640 and was impressed by CHDK.
Surely, if the LED addresses are known and we can load executable code, then I've just got to have a go at dumping.
« Last Edit: 02 / December / 2007, 14:56:01 by Trackieman »

Winno

Re: how to dump firmware ?
« Reply #3 on: 03 / December / 2007, 02:11:31 »
Hi everyone. I thought I'd chime in on how I got those LED addresses. I started without any CHDK experience, but I gathered a lot of information and ideas from the CHDK wikia and the DPReview forum, particularly the "CHDK for S5" http://forums.dpreview.com/forums/readflat.asp?forum=1010&thread=24983823&page=1 and the "CHDK firmware hack discussion" threads. For my work, I used the supplied 32 MB SD card, card readers and a Linux environment.

After identifying the firmware version using ver.req, I tried loading the G7-1.00g build onto the camera. It didn't load, and there was no "Firmware Update" prompt in the menu.

So the next task was to make the card bootable. Unfortunately there wasn't much info on doing that outside a CHDK-enabled camera. Eventually, I found some info on DPReview, especially the "CHDK for S5" thread. I had to locate the first partition's boot sector and add the BOOTDISK string to it so it looks like the G7 sector, followed by locking the SD card. Originally I thought that the boot sector meant the master boot record, or the first sector, but that was wrong: it won't work, and it forced me to format the card in the camera. So finally, after reformatting the card, remodifying the boot sector (now at offset 0x6600), adding the "preblinker" files and locking the card, the camera responded - by locking up completely when the power button is pressed. The same happened when the G7 files were booted - nothing happens.

Now that the camera had responded to some code, it was time to find the LED addresses. I went through various camera models on the wikia to get an idea of where the LEDs exist within the 32-bit address space. All models had them in the range of about 0xC022 0080 to 0xC022 00E0. I then modified the G7 blinker and tried turning everything >=80 to <FF on/off. Initially every LED turned on, so I progressively halved the range until I got single LEDs turning on. As I've found, LEDs only needed to be turned on and not blinked. Incidentally, the addresses were the same as the A720IS.

With the LED addresses and the process of making an SD card bootable now known, a firmware blinker could be modified to blink out the firmware, provided the correct firmware starting address is coded in.

======
As a side note, I bought the A650 not long ago, as my first digital camera.  No, I didn't buy it purposely to hack, but to take photos with its nice features and likeness to the G9.  I tossed up between buying the A650 or S5, both of which I wanted to hack (and use).  I leaned towards the A650 because it was smaller and no one was hacking it until about now.


Anyone up for writing a "CHDK Utilities"?
« Reply #4 on: 03 / December / 2007, 05:26:53 »
Deleted
« Last Edit: 22 / April / 2008, 07:32:43 by Barney Fife »
[acseven/admin commented out: please refrain from more direct offensive language to any user. FW complaints to me] I felt it imperative to withdraw my TOTAL participation. Nobody has my permission, nor the right, to reinstate MY posts. Make-do with my quoted text in others' replies only. Bye

mx3
Re: Anyone up for writing a "CHDK Utilities"?
« Reply #5 on: 03 / December / 2007, 06:55:31 »
re: Make card bootable. Could someone make a small Windows or DOS (or other) utility that could be used just for the purpose of writing that string to a card?

Why would anyone without enough computer science knowledge want to make a card bootable?
- for those, a menu option has been made in already running CHDK

Those who know what to do and how to modify the sector can do it without a specialized tool.

Anyway, there is a utility "Changing volume's serial number" on CodeProject
http://www.codeproject.com/system/change_drive_sn.asp
Its code can easily be used/modified to write the "BOOTDISK" mark onto an SD card using a card reader.

Copying of files can easily be done using some .bat file without using any other program.

The easy way for developers is to make "hdd_directwrite.exe" and a batch file to invoke it and the other copy operations.

But it still requires the person to enter the right disk letter to execute this batch file in the right way;
such a tool used on the wrong disk letter can lead to computer system damage (I can be wrong).

Anyway, it seems the tool you are asking for must be able to recognize removable media disks to be used safely,
and it seems you would like it to have some Windows interface too :-)

Do you really think that such a tool is required?

skype: max_dtc. ICQ: 125985663, email: win.drivers(at)gmail, eVB decompiler
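Winno's post above describes the step later posters got stuck on: the BOOTDISK string goes into the first partition's volume boot record (at 0x6600 on his card), not into the master boot record, and mx3's post raises the risk of a marker-writing tool aimed at the wrong disk. The script below is an added example, not code from this thread, from the CodeProject utility, or from the CHDK project. It works on a card image file rather than a raw device, parses the MBR partition table to find the volume boot record instead of assuming an offset, checks the 0x55AA signatures and a FAT partition type before touching anything, picks the marker offset CHDK documents for FAT12/16 (0x40) and FAT32 (0x1E0) from the BPB cluster count, and defaults to a dry run. The function names, the partition-type list and the sample image are this example's own assumptions; exFAT is deliberately not handled.

```python
import struct

SECTOR = 512
MARKER = b"BOOTDISK"
# Marker offsets inside the volume boot record as documented by CHDK
# (FAT12/FAT16 vs FAT32). exFAT is not handled by this example.
MARKER_OFFSET_FAT16 = 0x40
MARKER_OFFSET_FAT32 = 0x1E0
# Standard MBR partition-type IDs for FAT volumes; anything else is refused
# so the tool cannot be pointed at a system disk by mistake (mx3's concern).
FAT_PARTITION_TYPES = {0x01, 0x04, 0x06, 0x0B, 0x0C, 0x0E}


def first_partition_offset(mbr: bytes) -> int:
    """Byte offset of partition 1's volume boot record, read from the MBR."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("sector 0 is not an MBR (no 0x55AA signature)")
    entry = mbr[446:462]                       # first of four 16-byte entries
    ptype = entry[4]
    lba_start = struct.unpack_from("<I", entry, 8)[0]
    if ptype == 0 or lba_start == 0:
        raise ValueError("partition entry 1 is empty")
    if ptype not in FAT_PARTITION_TYPES:
        raise ValueError("partition 1 type 0x%02X is not FAT; refusing" % ptype)
    return lba_start * SECTOR


def marker_offset_for(vbr: bytes) -> int:
    """Decide FAT12/16 vs FAT32 from the BPB cluster count; return marker offset."""
    if len(vbr) < SECTOR or vbr[510:512] != b"\x55\xaa":
        raise ValueError("volume boot record lacks 0x55AA signature")
    bytes_per_sector = struct.unpack_from("<H", vbr, 11)[0]
    sectors_per_cluster = vbr[13]
    reserved = struct.unpack_from("<H", vbr, 14)[0]
    num_fats = vbr[16]
    root_entries = struct.unpack_from("<H", vbr, 17)[0]
    total16 = struct.unpack_from("<H", vbr, 19)[0]
    fat16 = struct.unpack_from("<H", vbr, 22)[0]
    total32 = struct.unpack_from("<I", vbr, 32)[0]
    fat32 = struct.unpack_from("<I", vbr, 36)[0]
    if bytes_per_sector == 0 or sectors_per_cluster == 0:
        raise ValueError("BPB does not look like a FAT boot sector")
    root_sectors = (root_entries * 32 + bytes_per_sector - 1) // bytes_per_sector
    fat_sectors = fat16 if fat16 else fat32
    total = total16 if total16 else total32
    data_sectors = total - (reserved + num_fats * fat_sectors + root_sectors)
    clusters = data_sectors // sectors_per_cluster
    return MARKER_OFFSET_FAT32 if clusters >= 65525 else MARKER_OFFSET_FAT16


def mark_bootdisk(image: bytearray, write: bool = False) -> dict:
    """Locate (and with write=True, set) the BOOTDISK marker in a card image."""
    vbr_off = first_partition_offset(bytes(image[:SECTOR]))
    vbr = bytes(image[vbr_off:vbr_off + SECTOR])
    pos = vbr_off + marker_offset_for(vbr)
    already = bytes(image[pos:pos + len(MARKER)]) == MARKER
    if write and not already:
        image[pos:pos + len(MARKER)] = MARKER
    return {"vbr_offset": vbr_off, "marker_offset": pos,
            "already_marked": already, "written": write and not already}


def build_sample_card(fat32: bool = False) -> bytearray:
    """Constructed card image: partition 1 at LBA 51, i.e. byte 0x6600 as in Winno's post."""
    img = bytearray(64 * SECTOR)
    # MBR entry 1: bootable flag, CHS fields zeroed, type 0x06 (FAT16) or 0x0C (FAT32), LBA, count
    ptype = 0x0C if fat32 else 0x06
    struct.pack_into("<BBBBBBBBII", img, 446, 0x80, 0, 0, 0, ptype, 0, 0, 0, 51, 8)
    img[510:512] = b"\x55\xaa"
    vbr = 0x6600
    img[vbr:vbr + 3] = b"\xEB\x3C\x90"          # jump + NOP, as in a real FAT VBR
    # BPB: bytes/sector, sectors/cluster, reserved, FATs, root entries, total16, media, fat16 size
    struct.pack_into("<HBHBHHBH", img, vbr + 11, 512, 1, 1, 2,
                     0 if fat32 else 512, 0 if fat32 else 65000, 0xF8, 0 if fat32 else 250)
    if fat32:
        struct.pack_into("<II", img, vbr + 32, 2_000_000, 2000)   # total32, fat32 size
    img[vbr + 510:vbr + 512] = b"\x55\xaa"
    return img


if __name__ == "__main__":
    card = build_sample_card()
    print("dry run:", mark_bootdisk(card))
    print("written:", mark_bootdisk(card, write=True))
```

To use it on a real card the image would be read from the card reader into a file first and written back afterwards; keeping the raw-device access outside the script is what makes the partition-type and signature checks a meaningful guard rather than a formality.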

digit
Re: how to dump firmware ?
« Reply #6 on: 04 / December / 2007, 19:58:53 »
I've just tried a few of the steps in this thread to try and get CHDK on my G9. I've retrieved the firmware version using the ver.req method. I also made my SD card bootable and copied the three pre_blinker .bin files.

My question is about these three files. After inserting the card into my camera, nothing happens; the camera boots up normally. But when I lock this same card and try to boot the camera, it does not start: the screen is blank and any buttons are non-responsive. Is this what is considered as "The camera Hangs"? Or should it be doing something else when the pre_blinker files are in? What should I be looking for?

Winno

Re: how to dump firmware ?
« Reply #7 on: 04 / December / 2007, 23:17:15 »
My question is about these three files. After inserting the card into my camera, nothing happens; the camera boots up normally. But when I lock this same card and try to boot the camera, it does not start: the screen is blank and any buttons are non-responsive. Is this what is considered as "The camera Hangs"? Or should it be doing something else when the pre_blinker files are in? What should I be looking for?

You're spot on.  When the camera "hangs" it does nothing when you try turning it on.  No lights, nothing on LCD, no LCD backlight, no lens movement, no response.  It is exactly what the preblinker is meant to do, and shows that your camera is running that code.  Don't worry about it damaging your camera - just pop open the battery door and unlock the SD card and you should be fine.


digit
Re: how to dump firmware ?
« Reply #8 on: 04 / December / 2007, 23:44:38 »
That's great to hear! I will keep on following the steps indicated in the forums and post any results (if any...). CHDK would be a great addition to the G9.


Thanks again

digit
Re: how to dump firmware ?
« Reply #9 on: 10 / December / 2007, 09:56:38 »
Playing with the G7 blinker code last night, I got my G9's green LED to light up.

The blink_G7 file from this post seems to be doing something: http://forums.dpreview.com/forums/read.asp?forum=1010&message=25071034&q=blink%5Fg7&qf=m.

I didn't have to modify the code at all; I just recompiled the "for camera" files using the included batch file, placed the diskboot.bin and PS.FIR on the bootable SD card, and locked the card. After pressing power on the camera, the green LED turns on.

Does anyone know if it's supposed to blink, or should it stay solid?

For the G7 blinker code to light up the G9's LED, these two cameras can't be that different.
