universal dumper - one more idea - page 6 - Firmware Dumping - CHDK Forum  
« previous next »
Pages: 1 2 3 4 5 [6] 7   Go Down

universal dumper - one more idea

  • 63 Replies
  • 43449 Views
*

Offline mrblack51

  • *
  • 27
Re: universal dumper - one more idea
« Reply #50 on: 21 / March / 2008, 02:25:19 »
Advertisements
Where can I find the udumper.zip? I have an SD1100 IS for a short time and would like to at least get a clean dump if possible.

Thanks
Logged
*

Offline quietschi

  • ***
  • 116
  • Ixus70 102a
Re: universal dumper - one more idea
« Reply #51 on: 21 / March / 2008, 03:26:51 »
Logged
*

Offline mrblack51

  • *
  • 27
Re: universal dumper - one more idea
« Reply #52 on: 24 / March / 2008, 02:32:21 »
Interesting - I used udumper to dump my SD800IS and it worked fine, so I know the card is bootable. However, when I try the same card in the SD1100IS it boots up like normal and shows "card is locked"...hmm. anyone have ideas?
Logged
*

Offline mx3

  • ****
  • 372
Re: universal dumper - one more idea
« Reply #53 on: 24 / March / 2008, 02:47:01 »

hm. lets see

1) people had some problems with turning theirs cameras in play mode (because there were no switch). I think they held down some button on powerup.
I can't recall what these camera models are.

2) canon changed firmware so it ignores bootable card or name of the file on it.
what card do you use? can you use small memory card supplied with camera?


you can try to
1) hold some buttons while powering up ( there were some instructions floating about G7 or G9). i think somebody will give you more precise instructions.

2) add ps.fi2 file on card and see if update menu appears

Logged
skype: max_dtc. ICQ: 125985663, email: win.drivers(at)gmail, eVB decompiler
*

Offline mrblack51

  • *
  • 27
Re: universal dumper - one more idea
« Reply #54 on: 24 / March / 2008, 10:09:10 »
Quote from: mx3 on 24 / March / 2008, 02:47:01

hm. lets see

1) people had some problems with turning theirs cameras in play mode (because there were no switch). I think they held down some button on powerup.
I can't recall what these camera models are.

2) canon changed firmware so it ignores bootable card or name of the file on it.
what card do you use? can you use small memory card supplied with camera?


you can try to
1) hold some buttons while powering up ( there were some instructions floating about G7 or G9). i think somebody will give you more precise instructions.

2) add ps.fi2 file on card and see if update menu appears



Adding a ps.fi2 yielded the "Firm Update..." option in the menu, but selecting it yielded "Update File Error!!!". Not suprising since the contents of ps.fi2 was just a copy of diskboot.bin renamed to be ps.fi2.

So it looks like there might be some potential for the flasher or perhaps a firmware based dumper rather than a diskboot.bin based one.

Logged
*

Offline chr

  • ***
  • 138
  • IXUS 82 IS
Re: universal dumper - one more idea
« Reply #55 on: 14 / July / 2008, 16:58:07 »
I just successfully dumped the SD40 - CHDK Wiki
[DOWNLOAD LINKS] Firmware dumps available

with this code:

Code: [Select]
#define MIN_ADDRESS     0xFF810000
#define FW_SIZE         0x400000

#define START_SECTOR    2048

#define LED_AF 0xc0223030

void led_on()
{
    volatile long *p=(void*)LED_AF;
    *p=0x46;
}

void led_off()
{
    volatile long *p=(void*)LED_AF;
    *p=0x44;
}

void idle()
{
    int i;

    for(i=0;i<0x78800;i++){
    asm ("nop\n");
    asm ("nop\n");
    asm ("nop\n");
    asm ("nop\n");
    }
}


typedef int (*f_w)(int, int, int, int); // drive(?), start sector, number of sectors, address
 
int main() {
int i;
unsigned long sa;
        f_w wr;

led_on();
idle();
led_off();
idle();
led_on();

  for (i=0x1900;i<0xF0000;i+=4)
   if ((*(unsigned int*)(i+0x34)==0) &&
       (*(unsigned int*)(i+0x38)==0) &&
       (*(unsigned int*)(i+0x3C)==3) &&
       (*(unsigned int*)(i+0x4C)>MIN_ADDRESS) &&
       (*(unsigned int*)(i+0x50)>MIN_ADDRESS) ) {

wr=(f_w)*(unsigned int*)(i+0x50);
sa=(unsigned long)wr>0xFFC00000 ? 0xFFC00000 : 0xFF810000;

wr(0, START_SECTOR, FW_SIZE/512, sa);
break;
}
led_off();
while(1);
return 0;
}

the led address is an accident but it turned out to be the backlight display of the cam and it blinked as intended ;)

Also I did not pad the diskboot.bin

« Last Edit: 14 / July / 2008, 18:34:35 by chr »
Logged
*

Offline chr

  • ***
  • 138
  • IXUS 82 IS
udumper 2008
« Reply #56 on: 30 / July / 2008, 18:44:53 »
Hi!

I made a udumper for the latest cameras who refuses to boot unencoded diskboot files. At least it worked with my sd1100. I had to pad the file to 16K.

In dryos_2008 is a 15x decoded diskboot.bin

This build blinks the LED on 0xc0223030 before and after the dump is done.

Hope, this will work on other cams, too.

ps: tried it several times, sometimes it just bricks. Stroke the camera and try again ;)
Also I noticed it works while the battery cover is still open!

psps:
- remove battery before (it may boot better) and after (cam is not "off" and drains battery)
- use only the playback mode: the lens shall not track
« Last Edit: 10 / August / 2008, 13:39:05 by chr »
Logged
*

Offline whim

  • ******
  • 2040
  • A495/590/620/630 ixus70/115/220/230/300/870 S95
Re: universal dumper - one more idea
« Reply #57 on: 04 / October / 2008, 10:22:50 »
Hi,

following discussions here Ixus 870 IS it turns out that

a) udump08 WORKS on (at least 1) Digic IV cam !
b) it would be preferable to have udumper always dump the entire firmware ( = up to 0xFFFF FFFF)

fortunately brake came up with encode.c (here: First boot: a failure!)

which enabled me to put together udumpfull

  • universal sourcecode for vxworks, dryos & newdryos
  • dumps complete firmwares (0xFFC00000-0xFFFFFFFF or 0xFF81 0000-0xFFFFFFFF)
  • see attachment for binaries and source code
  • bins/sources also integrated in CardTricks139.exe - 0.40MB

thanks again to brake (and to ma_jk for testing newdryos udumpfull on A590IS) 

enjoy,

wim
Logged
*

Offline brake

  • *
  • 23
  • IXUS90IS / SD790IS
Re: universal dumper - one more idea
« Reply #58 on: 04 / October / 2008, 10:33:52 »
Just a quick question, what are the errors that appear from the Borland C++ compiler? I only compile with gcc, and that emits no warnings.
Logged
*

Offline whim

  • ******
  • 2040
  • A495/590/620/630 ixus70/115/220/230/300/870 S95
Re: universal dumper - one more idea
« Reply #59 on: 04 / October / 2008, 10:45:50 »
Nothing serious AFAIK:

Quote
decode.c:
Warning W8065 decode.c 79: Call to function 'resetkey' with no prototype in function encodefile
Warning W8060 decode.c 100: Possibly incorrect assignment in function encodefile
Warning W8065 decode.c 110: Call to function 'xencode' with no prototype in function encodefile
Warning W8065 decode.c 114: Call to function 'resetkey' with no prototype in function encodefile
Warning W8065 decode.c 114: Call to function 'rotatekey' with no prototype in function encodefile
Turbo Incremental Link 5.00 Copyright (c) 1997, 2000 Borland

the 'Possibly incorrect assignment in function encodefile' refers to

Quote
while (read = fread(data, 1, 8, f)) {

... which i guess is Borlands way to warn that you're assigning within the while clause;
    perfectly legal c, but it wants to make sure you didn't actually mean

Quote
while (read == fread(data, 1, 8, f)) {

the prototype warnings are typical for C++ AFAIK

wim
« Last Edit: 04 / October / 2008, 10:59:00 by whim »
Logged
Pages: 1 2 3 4 5 [6] 7   Go Up
« previous next »
 

Related Topics