How to Dump Firmware ? - page 6 - Firmware Dumping - CHDK Forum

How to Dump Firmware ?

  • 78 Replies
  • 148141 Views

Offline fe50

  • IXUS50 & 860, SX10 Star WARs-Star RAWs
Re: How to Dump Firmware ?
« Reply #50 on: 17 / August / 2009, 06:50:12 »
@siatitel

The P-ID for the A480 is 31BF, not 3117 (that's the P-ID of A700); a fw file with the wrong P-ID will be rejected by the camera.

The A480 won't run a PS.FIR file, that's the "old" style; new DryOS cameras need encrypted PS.FI2 files.

Attached you'll find the files I used for the SX10 LED addresses...
You have to replace the address you want to test, then run make.bat (you need the gcc dev environment set up correctly; the easiest way is to call a cmd window from within CHDK-Shell & change to your working directory).

The SX10 runs fine with the autoboot method (with diskboot.bin), but the A480 probably doesn't start with such a diskboot.bin (don't forget to make the card bootable & lock it!), like some of the newer models such as the SX200.

Those cameras need PS.FI2 files loaded with the firmware update method; the PS.FI2 files are encrypted diskboot files, you'll find all the information about this here: fi2 encoder/decoder.

You should also have a look at the SX200 porting thread here in the forum...

Re: How to Dump Firmware ?
« Reply #51 on: 17 / August / 2009, 20:44:27 »


Offline whoever

  • IXUS950
Re: How to Dump Firmware ?
« Reply #52 on: 18 / August / 2009, 02:15:29 »
Quote
Quote
Attached you'll find the files I used for the SX10 LED addresses...
fe50
thanks for your advice, your instructions are very clear but I still get the "Update File Error!!!".
Don't the newer cams need "gaonisoy" signature? I.e.,
_start:
    B    main
_signature:
    .ascii "gaonisoy"
in entry.s


Offline reyalp
Re: How to Dump Firmware ?
« Reply #53 on: 18 / August / 2009, 02:23:30 »
Don't forget what the H stands for.



Offline fe50
Re: How to Dump Firmware ?
« Reply #54 on: 18 / August / 2009, 02:52:57 »
Quote
Don't the newer cams need "gaonisoy" signature? I.e.,
_start:
    B    main
_signature:
    .ascii "gaonisoy"
in entry.s

Yes, "gaonisoy" is the sig on all DryOS cams, but until now that sig wasn't necessary for the blinker; I'm not sure, but I guess OldGit's blinker for the SX200 used the same entry.S without that sig, so it should work without this!?

They are compressed.
The uncompressed image needs to be a certain minimum size before the camera will accept it.

@siatitel:
Have a look at the Make.bat file, line 11 does this...


Offline whoever
Re: How to Dump Firmware ?
« Reply #55 on: 18 / August / 2009, 04:33:06 »
Quote
Yes, "gaonisoy" is the sig on all DryOS cams, but until now that sig wasn't necessary for the blinker; I'm not sure, but I guess OldGit's blinker for the SX200 used the same entry.S without that sig, so it should work without this!?
You're right, it seems. I do remember though that Chris described it as necessary, when he discovered the encoding mechanism and made the first "new DryOS" udumper...


Offline fe50
Re: How to Dump Firmware ?
« Reply #56 on: 18 / August / 2009, 05:48:30 »
Quote
I do remember though that Chris described it as necessary, when he discovered the encoding mechanism and made the first "new DryOS" udumper...
Yes, first Chris & TPC thought it is necessary...Link...lol, a journey back to the roots of CHDK TNG  :D

@siatitel:
Forgot to say this... in my attachment in reply #50 there's the file "encode.exe".
It's the compiled binary of brake's fw encoder (in the trunk, chr's "dancingbits" is used, the result is the same); the sources are included in the Cardtricks package (in the file "helper_sources.zip" in \CardTricks\SRC).

Just to make things clear:

1) The fw encoder (encode or dancingbits) encodes the diskboot.bin (with a simple encoding algorithm) to feed newer DryOS cameras
2) The FI2 encoding encodes (and also prepares) the diskboot.bin with an AES encryption to make a valid PS.Fi2 file for the fw update method.


Offline OldGit
Re: How to Dump Firmware ?
« Reply #57 on: 18 / August / 2009, 16:29:15 »
Hi guys,
fe50 asked me to take a look at this thread as I did the SX200 dump.

If it's any help...
I used CHDK Shell to do the compile, it takes care of the encoding, you need the correct PID and the FI2KEY / FI2IV keys.  Other threads here give details of these keys and how to find them.

The main problem I had with blinking the SX200 was speed, the original blinker times for "on" / "off" were much too short.
I think the DIGIC IV processor is running at a much faster clock speed, so 1 NOP on the SX200 takes much less time than on some older cams.

Try slowing down (increasing the delay of) the on and off times, you may be blinking the LED so fast it has no time to "energise" and light up.
As regards the "gaonisoy" sig, I didn't use it for the SX200, wasn't needed.

Good Luck and keep trying, just keep telling yourself "I WILL get it to work"
SX200 IS-100C


Re: How to Dump Firmware ?
« Reply #58 on: 26 / March / 2010, 00:58:13 »
I'm trying very hard to find a way to get udumper working for the SD780 (mostly for the alternate FWs 1.00b)  What I am finding is that despite there existing an area of low memory that eventually has the correct form:

   for (i=0x1900; i<0xF0000; i+=4)
       if ((*(unsigned int*)(i+0x34)==0) &&
           (*(unsigned int*)(i+0x38)==0) &&
           (*(unsigned int*)(i+0x3C)==3) &&
           (*(unsigned int*)(i+0x4C)>MIN_ADDRESS) &&
           (*(unsigned int*)(i+0x50)>MIN_ADDRESS))

It does not seem to have it during the early stages when udumper is running.  Question #1 is this.  Is there a sign issue with this code trying to use MIN_ADDRESS?  I cast to (unsigned int) but no difference.  Can someone with more knowledge just confirm that there is likely no need to add additional casting to the match string.  Specifically from a sign point of view?


   
ROM:0001096B                 DCB    0
ROM:0001096C                 DCD 0
ROM:00010970                 DCD 0
ROM:00010974                 DCD 3
ROM:00010978                 DCD 7
ROM:0001097C                 DCD unk_2000
ROM:00010980                 DCD 0x77E000
ROM:00010984                 DCD 0xFF903950
ROM:00010988                 DCD 0xFF903B38  (and this is the WriteSD as found in the blinked firmware)

RealRom:FF903B38 loc_FF903B38                            ; DATA XREF: RealRom:off_FF851ABCo
RealRom:FF903B38                 STMFD   SP!, {R0-R11,LR}
RealRom:FF903B3C                 LDR     R0, =0x5634
RealRom:FF903B40                 SUB     SP, SP, #0xC
RealRom:FF903B44                 LDR     R1, [SP,#0xC]
RealRom:FF903B48                 LDR     R0, [R0,#8]
RealRom:FF903B4C                 MOV     R11, R2
RealRom:FF903B50                 CMP     R1, R0
RealRom:FF903B54                 MOV     R10, #0
RealRom:FF903B58                 MOV     R5, #2
RealRom:FF903B5C                 BEQ     loc_FF903B90
RealRom:FF903B60                 MOV     R0, #0x80
RealRom:FF903B64                 BL      sub_FF86399C
RealRom:FF903B68                 LDR     R0, [SP,#0xC]
RealRom:FF903B6C                 BL      sub_FF9032D4
RealRom:FF903B70                 MOV     R4, R0
RealRom:FF903B74                 MOV     R0, #0x80
RealRom:FF903B78                 BL      sub_FF8639C0
RealRom:FF903B7C                 CMP     R4, #0
RealRom:FF903B80                 BEQ     loc_FF903BCC
RealRom:FF903B84                 LDR     R0, =0x5634
RealRom:FF903B88                 LDR     R1, [SP,#0xC]
RealRom:FF903B8C                 STR     R1, [R0,#8]

The second question would be (and a bit of a big one): does the firmware piece above have anything the original udumper doesn't expect?  typedef int (*f_w)(int, int, int, int); // drive(?), start sector, number of sectors, address  I feel silly asking a question as open-ended as this.  I'm not a great reader of the firmwares.

Anyway, if there is anyone who can see something that might help I would be grateful.

Harpo
Canon Models - SD300, SD780, & SX210
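The post above asks whether the `> MIN_ADDRESS` test in the signature search could be tripped up by signedness. In the snippet as quoted, both operands are unsigned (the loaded word is read through `unsigned int*`, and a hex literal such as 0xFF810000 that does not fit in `int` has type `unsigned int`), so the comparison is unsigned. The block below is an added, host-side model written for this page, not udumper source or Harpo's code: it runs the same five-word signature over a constructed RAM image that carries the words from the ROM:0001096C.. listing at the offsets the search expects, and it shows side by side what a signed and an unsigned compare would accept. It assumes `MIN_ADDRESS` is 0xFF810000 (the value ERR99's G11 dumper below uses; Harpo's snippet does not show its definition); the filler byte and the buffer mapping at 0x1900 are choices made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed: same constant as ERR99's G11 udumper; not shown in Harpo's snippet. */
#define MIN_ADDRESS 0xFF810000u

/* Little-endian 32-bit read/write at a byte offset (DIGIC ARM cores are LE). */
static uint32_t rd32(const uint8_t *b, size_t off)
{
    return (uint32_t)b[off] | ((uint32_t)b[off + 1] << 8)
         | ((uint32_t)b[off + 2] << 16) | ((uint32_t)b[off + 3] << 24);
}

static void wr32(uint8_t *b, size_t off, uint32_t v)
{
    b[off]     = (uint8_t)v;         b[off + 1] = (uint8_t)(v >> 8);
    b[off + 2] = (uint8_t)(v >> 16); b[off + 3] = (uint8_t)(v >> 24);
}

/* The signature from the post: at a word-aligned base, +0x34 and +0x38 are 0,
 * +0x3C is 3, and +0x4C/+0x50 hold ROM-range pointers. Returns the word at
 * +0x50 (the WriteSD slot in the listing above) or 0 if nothing matched;
 * *found_base receives the base in camera address space. */
uint32_t find_writesd_sig(const uint8_t *ram, size_t len, uint32_t ram_base,
                          uint32_t *found_base)
{
    size_t i;
    for (i = 0; i + 0x54 <= len; i += 4) {
        if (rd32(ram, i + 0x34) == 0 &&
            rd32(ram, i + 0x38) == 0 &&
            rd32(ram, i + 0x3C) == 3 &&
            rd32(ram, i + 0x4C) > MIN_ADDRESS &&   /* unsigned compares */
            rd32(ram, i + 0x50) > MIN_ADDRESS) {
            if (found_base) *found_base = ram_base + (uint32_t)i;
            return rd32(ram, i + 0x50);
        }
    }
    return 0;
}

/* The sign question: 0xFF810000 as a signed 32-bit int is negative, so a
 * signed compare accepts every small positive word (RAM pointers, counters);
 * the unsigned compare only accepts addresses above the ROM window. */
int passes_unsigned(uint32_t v) { return v > MIN_ADDRESS; }
int passes_signed(uint32_t v)   { return (int32_t)v > (int32_t)MIN_ADDRESS; }

/* Constructed RAM image (not a real dump): filler plus the eight words from the
 * ROM:0001096C.. listing, placed so that +0x34 lands at 0x1096C when the buffer
 * is mapped at 0x1900, i.e. base 0x10938 = buffer offset 0xF038. */
#define SAMPLE_RAM_BASE 0x1900u
#define SAMPLE_SIG_OFF  0xF038u

static uint8_t sample_ram[0x20000];

static void build_sample_ram(void)
{
    memset(sample_ram, 0xAA, sizeof sample_ram);   /* 0xAAAAAAAA is never 0, 3 or > MIN_ADDRESS */
    wr32(sample_ram, SAMPLE_SIG_OFF + 0x34, 0);
    wr32(sample_ram, SAMPLE_SIG_OFF + 0x38, 0);
    wr32(sample_ram, SAMPLE_SIG_OFF + 0x3C, 3);
    wr32(sample_ram, SAMPLE_SIG_OFF + 0x40, 7);
    wr32(sample_ram, SAMPLE_SIG_OFF + 0x44, 0x2000);      /* unk_2000 */
    wr32(sample_ram, SAMPLE_SIG_OFF + 0x48, 0x77E000);
    wr32(sample_ram, SAMPLE_SIG_OFF + 0x4C, 0xFF903950);
    wr32(sample_ram, SAMPLE_SIG_OFF + 0x50, 0xFF903B38);  /* WriteSD in the listing */
}

/* Run the scan over the sample; returns the WriteSD word, base via pointer. */
uint32_t sample_scan(uint32_t *base_out)
{
    build_sample_ram();
    return find_writesd_sig(sample_ram, sizeof sample_ram, SAMPLE_RAM_BASE, base_out);
}

uint32_t sample_sig_base(void)
{
    uint32_t base = 0;
    (void)sample_scan(&base);
    return base;
}

int main(void)
{
    uint32_t base = 0, wr = sample_scan(&base);
    printf("signature base 0x%08X, WriteSD 0x%08X\n", base, wr);
    printf("0x00001000: signed %d, unsigned %d\n",
           passes_signed(0x1000u), passes_unsigned(0x1000u));
    printf("0xFF903B38: signed %d, unsigned %d\n",
           passes_signed(0xFF903B38u), passes_unsigned(0xFF903B38u));
    return wr == 0xFF903B38u ? 0 : 1;
}
```

Against the sample the scan reports base 0x10938 and WriteSD 0xFF903B38, matching the listing; `passes_signed(0x1000)` is true while `passes_unsigned(0x1000)` is false, which is the only way the two readings differ. Extra casts therefore change nothing as long as neither operand is converted to a signed type; the more likely reason for no match is simply that the structure is not yet populated at the point where udumper runs, as the post itself observes.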


Offline ERR99
Re: How to Dump Firmware ?
« Reply #59 on: 26 / March / 2010, 04:33:29 »
Hello HarpoMa, maybe you can give this solution a try:

On the G11, the normal udumper was also not working. The signature search in RAM (0x1900...0xF0000) was not successful.
So I changed the search algorithm; I am now searching directly in the FLASH area for the SD-card write function.
After analysing some dumps of other cameras, I found out that almost always a pointer to the SD-card write function is below the "BOOTDISK" string in flash. In most cases it is the second flash address (in one dump I checked, it was the first one, but for the G11 it was always the second).

The second difference from the "standard" udumper was that the write function on the G11 only writes something to the card if I add additional int parameters to the function prototype and function call. I don't know what the parameters are for, so I simply pass "0" as the value, but somehow they are necessary for the G11...


So, here is the source of my modified G11 udumper:
Code:
/* Eight int arguments: the G11 write function only did anything with the
   four extra parameters present (passed as 0). */
typedef int (*f_w)(int, int, int, int, int, int, int, int);
#define MIN_ADDRESS     0xFF810000
#define FW_SIZE         0x400000
#define START_SECTOR    2048

int main()
{
    unsigned int i, j;
    unsigned long sa;
    f_w wr = 0;

    /* Scan the flash for the NUL-terminated "BOOTDISK" string. */
    for (i = 0xFF810000; i < 0xFFFF0000; i += 4)
    {
        if (   (*(char*)i     == 'B')
            && (*(char*)(i+1) == 'O')
            && (*(char*)(i+2) == 'O')
            && (*(char*)(i+3) == 'T')
            && (*(char*)(i+4) == 'D')
            && (*(char*)(i+5) == 'I')
            && (*(char*)(i+6) == 'S')
            && (*(char*)(i+7) == 'K')
            && (*(char*)(i+8) == 0))
        {
            /* After the string, take the first pair of consecutive words that
               both point into the ROM window; the second one is the SD-card
               write function on the G11. */
            for (j = i + 8; j < 0xFFFF0000; j += 4)
            {
                if (   (*(unsigned int*)(j)   > MIN_ADDRESS)
                    && (*(unsigned int*)(j+4) > MIN_ADDRESS))
                {
                    wr = (f_w)*(unsigned int*)(j+4);
                    /* Clear low RAM before calling into the firmware. */
                    for (i = 0x1c00; i < 0x30000; i += 4) *(int*)i = 0;
                    sa = (unsigned long)0xFF810000;
                    /* drive 0, from sector 2048, ROM from sa to the top of the
                       address space in 512-byte sectors, extra args 0 */
                    wr(0, START_SECTOR, (0xFFFFFFFF - sa + 1) / 512, sa, 0, 0, 0, 0);
                    break;
                }
            }
            break;
        }
    }

    while (1);
    return 0;
}
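The post above describes its search in prose and then gives the camera-side code, which can only be checked by blinking or dumping on the camera. The block below is an added host-side model of that search, written for this page and not part of ERR99's dumper or CHDK: it runs the "BOOTDISK" anchor scan and the first-ROM-pointer-pair rule over a constructed flash image, exposes which word of the pair to take (the post notes that one dump had the function in the first slot, the G11 always in the second), and computes the sector count the `wr()` call hands to the firmware. The tag offset and all pointer values in the sample are made up; `MIN_ADDRESS` is the post's own constant.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MIN_ADDRESS  0xFF810000u   /* same constant as the post */
#define SECTOR_SIZE  512u

/* Little-endian 32-bit read/write at a byte offset. */
static uint32_t rd32(const uint8_t *b, size_t off)
{
    return (uint32_t)b[off] | ((uint32_t)b[off + 1] << 8)
         | ((uint32_t)b[off + 2] << 16) | ((uint32_t)b[off + 3] << 24);
}

static void wr32(uint8_t *b, size_t off, uint32_t v)
{
    b[off]     = (uint8_t)v;         b[off + 1] = (uint8_t)(v >> 8);
    b[off + 2] = (uint8_t)(v >> 16); b[off + 3] = (uint8_t)(v >> 24);
}

/* The post's search over a buffer that models flash: find "BOOTDISK" followed
 * by a NUL, then the first pair of consecutive words after it that are both
 * above min_addr. 'which' picks the first (0) or second (1) word of the pair.
 * Returns 0 if the tag or the pair is not found. Stepping by 4 assumes the
 * string is word-aligned, as the post's loop does. */
uint32_t find_bootdisk_ptr(const uint8_t *flash, size_t len,
                           uint32_t min_addr, int which)
{
    static const char tag[9] = "BOOTDISK";          /* 8 letters + NUL */
    size_t i, j;
    for (i = 0; i + sizeof tag <= len; i += 4) {
        if (memcmp(flash + i, tag, sizeof tag) != 0)
            continue;
        for (j = i + 8; j + 8 <= len; j += 4) {
            if (rd32(flash, j) > min_addr && rd32(flash, j + 4) > min_addr)
                return rd32(flash, j + (which ? 4 : 0));
        }
        return 0;   /* tag present but no pointer pair after it */
    }
    return 0;
}

/* Sector count handed to wr() in the post: from 'start' up to the top of the
 * 32-bit address space, in 512-byte sectors. */
uint32_t rom_sector_count(uint32_t start)
{
    return (0xFFFFFFFFu - start + 1u) / SECTOR_SIZE;
}

/* Constructed flash image (not a real dump). Zero filler so stray words never
 * pass the > min_addr test; after the tag come a lone ROM-range word (its
 * neighbour is 0, so not a pair) and then the pair the search should pick.
 * Every pointer value here is invented. */
#define SAMPLE_LEN 0x10000
#define TAG_OFF    0x1000

static uint8_t sample_flash[SAMPLE_LEN];

static void build_sample_flash(int with_tag)
{
    memset(sample_flash, 0, sizeof sample_flash);
    if (with_tag)
        memcpy(sample_flash + TAG_OFF, "BOOTDISK", 9);   /* copies the NUL too */
    wr32(sample_flash, TAG_OFF + 0x0C, 0x00000001);      /* low word: rejected */
    wr32(sample_flash, TAG_OFF + 0x10, 0xFF8B0000);      /* ROM word, but +4 is 0 */
    wr32(sample_flash, TAG_OFF + 0x18, 0xFF8C1234);      /* first of the pair */
    wr32(sample_flash, TAG_OFF + 0x1C, 0xFF8D5678);      /* second of the pair */
}

uint32_t sample_bootdisk_ptr(int which, int with_tag)
{
    build_sample_flash(with_tag);
    return find_bootdisk_ptr(sample_flash, sizeof sample_flash, MIN_ADDRESS, which);
}

int main(void)
{
    printf("second word after BOOTDISK: 0x%08X\n", sample_bootdisk_ptr(1, 1));
    printf("first word after BOOTDISK:  0x%08X\n", sample_bootdisk_ptr(0, 1));
    printf("no tag present:             0x%08X\n", sample_bootdisk_ptr(1, 0));
    printf("sectors from 0xFF810000:    %u (0x%X bytes)\n",
           rom_sector_count(MIN_ADDRESS),
           rom_sector_count(MIN_ADDRESS) * SECTOR_SIZE);
    return 0;
}
```

Two things worth noticing from the arithmetic: with `sa = 0xFF810000` the call asks for 0x3F80 sectors, i.e. 0x7F0000 bytes up to the end of the address space, so `FW_SIZE` (0x400000) in the post is defined but never used to bound the dump; and the lone ROM-range word right after the tag is skipped only because its neighbour fails the test, which is why the pair rule matters more than the "first address above MIN_ADDRESS" it might look like at first glance.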

 
