universal dumper - one more idea - page 6 - Firmware Dumping

mrblack51

Re: universal dumper - one more idea

« Reply #50 on: 21 / March / 2008, 02:25:19 »

Advertisements

Where can I find the udumper.zip? I have an SD1100 IS for a short time and would like to at least get a clean dump if possible.

Thanks

Logged

quietschi

116
Ixus70 102a

Publish

Re: universal dumper - one more idea

« Reply #51 on: 21 / March / 2008, 03:26:51 »

here
TX1 Firmware dumping

Logged

mrblack51

Publish

Re: universal dumper - one more idea

« Reply #52 on: 24 / March / 2008, 02:32:21 »

Interesting - I used udumper to dump my SD800IS and it worked fine, so I know the card is bootable. However, when I try the same card in the SD1100IS it boots up like normal and shows "card is locked"...hmm. anyone have ideas?

Logged

mx3

Publish

Re: universal dumper - one more idea

« Reply #53 on: 24 / March / 2008, 02:47:01 »

hm. lets see

1) people had some problems with turning theirs cameras in play mode (because there were no switch). I think they held down some button on powerup.
I can't recall what these camera models are.

2) canon changed firmware so it ignores bootable card or name of the file on it.
what card do you use? can you use small memory card supplied with camera?

you can try to
1) hold some buttons while powering up ( there were some instructions floating about G7 or G9). i think somebody will give you more precise instructions.

2) add ps.fi2 file on card and see if update menu appears

Logged

skype: max_dtc. ICQ: 125985663, email: win.drivers(at)gmail, eVB decompiler

mrblack51

Publish

Re: universal dumper - one more idea

« Reply #54 on: 24 / March / 2008, 10:09:10 »

Quote from: mx3 on 24 / March / 2008, 02:47:01

hm. lets see

1) people had some problems with turning theirs cameras in play mode (because there were no switch). I think they held down some button on powerup.
I can't recall what these camera models are.

2) canon changed firmware so it ignores bootable card or name of the file on it.
what card do you use? can you use small memory card supplied with camera?

you can try to
1) hold some buttons while powering up ( there were some instructions floating about G7 or G9). i think somebody will give you more precise instructions.

2) add ps.fi2 file on card and see if update menu appears

Adding a ps.fi2 yielded the "Firm Update..." option in the menu, but selecting it yielded "Update File Error!!!". Not suprising since the contents of ps.fi2 was just a copy of diskboot.bin renamed to be ps.fi2.

So it looks like there might be some potential for the flasher or perhaps a firmware based dumper rather than a diskboot.bin based one.

Logged

chr

138
IXUS 82 IS

Publish

Re: universal dumper - one more idea

« Reply #55 on: 14 / July / 2008, 16:58:07 »

I just successfully dumped the SD40 - CHDK Wiki
[DOWNLOAD LINKS] Firmware dumps available

with this code:

Code: [Select]

#define MIN_ADDRESS     0xFF810000
#define FW_SIZE         0x400000

#define START_SECTOR    2048

#define LED_AF 0xc0223030

void led_on()
{
    volatile long *p=(void*)LED_AF;
    *p=0x46;
}

void led_off()
{
    volatile long *p=(void*)LED_AF;
    *p=0x44;
}

void idle()
{
    int i;

    for(i=0;i<0x78800;i++){
    asm ("nop\n");
    asm ("nop\n");
    asm ("nop\n");
    asm ("nop\n");
    }
}


typedef int (*f_w)(int, int, int, int); // drive(?), start sector, number of sectors, address
 
int main() {
 int i;
 unsigned long sa;
        f_w wr;
 
 led_on();
 idle();
 led_off();
 idle();
 led_on();

   for (i=0x1900;i<0xF0000;i+=4)
    if ((*(unsigned int*)(i+0x34)==0) &&
        (*(unsigned int*)(i+0x38)==0) &&
        (*(unsigned int*)(i+0x3C)==3) &&
        (*(unsigned int*)(i+0x4C)>MIN_ADDRESS) &&
        (*(unsigned int*)(i+0x50)>MIN_ADDRESS) ) {

  wr=(f_w)*(unsigned int*)(i+0x50);
  sa=(unsigned long)wr>0xFFC00000 ? 0xFFC00000 : 0xFF810000;

  wr(0, START_SECTOR, FW_SIZE/512, sa);
  break;
 }
 led_off();
 while(1);
 return 0;
}

the led address is an accident but it turned out to be the backlight display of the cam and it blinked as intended

Also I did not pad the diskboot.bin

« Last Edit: 14 / July / 2008, 18:34:35 by chr »

Logged

chr

138
IXUS 82 IS

Publish

udumper 2008

« Reply #56 on: 30 / July / 2008, 18:44:53 »

Hi!

I made a udumper for the latest cameras who refuses to boot unencoded diskboot files. At least it worked with my sd1100. I had to pad the file to 16K.

In dryos_2008 is a 15x decoded diskboot.bin

This build blinks the LED on 0xc0223030 before and after the dump is done.

Hope, this will work on other cams, too.

ps: tried it several times, sometimes it just bricks. Stroke the camera and try again

Also I noticed it works while the battery cover is still open!

psps:
- remove battery before (it may boot better) and after (cam is not "off" and drains battery)
- use only the playback mode: the lens shall not track

udumper_2008.tar.bz2 (79.03 kB - downloaded 337 times.)

« Last Edit: 10 / August / 2008, 13:39:05 by chr »

Logged

whim

2013
A495/590/620/630 ixus70/115/220/230/300/870 S95

Publish

Re: universal dumper - one more idea

« Reply #57 on: 04 / October / 2008, 10:22:50 »

Hi,

following discussions here Ixus 870 IS it turns out that

a) udump08 WORKS on (at least 1) Digic IV cam !
b) it would be preferable to have udumper always dump the entire firmware ( = up to 0xFFFF FFFF)

fortunately brake came up with encode.c (here: First boot: a failure!)

which enabled me to put together udumpfull

universal sourcecode for vxworks, dryos & newdryos
dumps complete firmwares (0xFFC00000-0xFFFFFFFF or 0xFF81 0000-0xFFFFFFFF)
see attachment for binaries and source code
bins/sources also integrated in CardTricks139.exe - 0.40MB

thanks again to brake (and to ma_jk for testing newdryos udumpfull on A590IS)

enjoy,

wim

udumpfull.zip (30.36 kB - downloaded 217 times.)

Logged

*Wikia FAQ *GCC Compiler Shell for Windows

brake

23
IXUS90IS / SD790IS

Publish

Re: universal dumper - one more idea

« Reply #58 on: 04 / October / 2008, 10:33:52 »

Just a quick question, what are the errors that appear from the Borland C++ compiler? I only compile with gcc, and that emits no warnings.

Logged

whim

2013
A495/590/620/630 ixus70/115/220/230/300/870 S95

Publish

Re: universal dumper - one more idea

« Reply #59 on: 04 / October / 2008, 10:45:50 »

Nothing serious AFAIK:

Quote

decode.c:
Warning W8065 decode.c 79: Call to function 'resetkey' with no prototype in function encodefile
Warning W8060 decode.c 100: Possibly incorrect assignment in function encodefile
Warning W8065 decode.c 110: Call to function 'xencode' with no prototype in function encodefile
Warning W8065 decode.c 114: Call to function 'resetkey' with no prototype in function encodefile
Warning W8065 decode.c 114: Call to function 'rotatekey' with no prototype in function encodefile
Turbo Incremental Link 5.00 Copyright (c) 1997, 2000 Borland

the 'Possibly incorrect assignment in function encodefile' refers to

Quote

while (read = fread(data, 1, 8, f)) {

... which i guess is Borlands way to warn that you're assigning within the while clause;
perfectly legal c, but it wants to make sure you didn't actually mean

Quote

while (read == fread(data, 1, 8, f)) {

the prototype warnings are typical for C++ AFAIK

wim

« Last Edit: 04 / October / 2008, 10:59:00 by whim »

Logged

*Wikia FAQ *GCC Compiler Shell for Windows