universal dumper - one more idea - page 4 - Firmware Dumping - CHDK Forum

universal dumper - one more idea

  • 63 Replies
  • 58433 Views
*

Offline jeff666

  • ****
  • 181
  • A720IS
Re: universal dumper - one more idea
« Reply #30 on: 25 / January / 2008, 17:45:50 »
Quote from: ewavr
My diskboot.bin is only 236 bytes long.

My cam won't load diskboot if the file isn't at least 20k. It just hangs then (confirmed by debug-led which blinks on start).

update: with a shorter diskboot, an address is actually found, but no data is written. I'll check if the found address is ok.
« Last Edit: 25 / January / 2008, 17:53:59 by jeff666 »

*

Offline ewavr

  • ****
  • 1057
  • A710IS
Re: universal dumper - one more idea
« Reply #31 on: 25 / January / 2008, 17:54:40 »
My cam won't load diskboot if the file isn't at least 20k. It just hangs then (confirmed by debug-led which blinks on start).

Yes, this also sometimes happens with a710, but not in this case. I tried 16M, 1G & 2G cards - all works.
And 20k+0x1900<0x11800.

*

Offline ewavr

  • ****
  • 1057
  • A710IS
Re: universal dumper - one more idea
« Reply #32 on: 25 / January / 2008, 18:02:38 »
update: with a shorter diskboot, an address is actually found, but no data is written. I'll check if the found address is ok.

Firmware can blink this address (if it is correct) to user in Morse code  :D
Or can fill 100k memory with zeroes and then call WriteSDCard()
« Last Edit: 25 / January / 2008, 18:04:29 by ewavr »

*

Offline jeff666

  • ****
  • 181
  • A720IS
Re: universal dumper - one more idea
« Reply #33 on: 25 / January / 2008, 18:16:54 »
Quote from: ewavr
Firmware can blink this address (if it is correct) to user in Morse code  :D

I'd rather go with a good old "if (wr == 0xMYADDR) blink_long else blink_short" :D

Quote
Or can fill 100k memory with zeroes and then call WriteSDCard()

This actually seems necessary. If diskboot is short, not even a manual assignment of the correct offset writes data. If I blow it up to 100k, it works again.

I'll try to figure out what needs to be cleared.


*

Offline RyeBrye

  • **
  • 73
  • SD-870
Re: universal dumper - one more idea
« Reply #34 on: 25 / January / 2008, 18:23:59 »
Once I can test and verify it works on my SD870 - I'll race over to the local camera store and see if I can dump the 650 ;)

Also - if you want to blink stuff out I wrote some code when I was searching for the AF-LED that will blink out numbers... could easily make it blink out hex if someone cared...

Chances are, however, this dumper will be used by people even before they know any LED addresses - so you might want to write some signature checking to find the LED to blink on first :)

*

Offline jeff666

  • ****
  • 181
  • A720IS
Re: universal dumper - one more idea
« Reply #35 on: 25 / January / 2008, 18:38:32 »
Quote from: RyeBrye
Once I can test and verify it works on my SD870 - I'll race over to the local camera store and see if I can dump the 650 ;)

Well, here you are: http://www.zshare.net/download/68797117f280ae/ :D
The 650 has the same LED addresses as the 720

Quote
Chances are, however, this dumper will be used by people even before they know any LED addresses - so you might want to write some signature checking to find the LED to blink on first :)

I already considered running the whole firmware in a virtual machine that is started via diskboot :)


Here's the code:
Code:
#define FW_ADDRESS      0xFFC00000
#define FW_SIZE         0x400000

#define START_SECTOR    1024
//#define LED_PR 0xC0220084
#define LED_PR 0xC02200c4

#define DEL 50000

// crude busy-wait; the scale factor was tuned by eye, not calibrated
void delay(float i)
{
    int j;
    j = i * 30 * DEL;
    while (--j) {
        asm("nop\n");
        asm("nop\n");
        asm("nop\n");
        asm("nop\n");
    }
}

// drive the debug LED through its GPIO register
inline void debug_led(int state)
{
    volatile long *p = (void *)LED_PR;
    if (state)
        p[0] = 0x46;
    else
        p[0] = 0x44;
}

typedef int (*f_w)(int, int, int, int); // drive(?), start sector, number of sectors, address

int main()
{
    int i, j;
    int *p;
    f_w wr;

    debug_led(1); delay(2); debug_led(0); delay(2);

    // scan RAM for the table that holds the pointer to the SD write routine
    for (i = 0x1900; i < 0xF0000; i += 4)
        if ((*(unsigned int *)(i + 0x34) == 0) &&
            (*(unsigned int *)(i + 0x38) == 0) &&
            (*(unsigned int *)(i + 0x3C) == 3) &&
            (*(unsigned int *)(i + 0x4C) > FW_ADDRESS) &&
            (*(unsigned int *)(i + 0x50) > FW_ADDRESS)) {

            wr = (f_w)*(unsigned int *)(i + 0x50);

            // check if found address was expected and blink state (8:good, 3:bad)
            /*
            if ((void *)wr == (void *)0xffcf51b0) {
                j = 8;
            } else {
                j = 3;
            }

            for (; j > 0; j--) {
                debug_led(1); delay(0.5);
                debug_led(0); delay(0.5);
            }
            */

            // fill some memory with zeroes; "simulate" large diskboot
            // WARNING: the starting address is a guess
            for (j = 0x1c00; j < 0x30000; j += 4) {
                p = (int *)j;
                *p = 0;
            }

            debug_led(1);
            wr(0, START_SECTOR, FW_SIZE / 512, FW_ADDRESS);
            debug_led(0);
        }

    // would blink 5 times if wr() would return (which it doesn't, but still works)
    for (j = 5; j > 0; j--) {
        debug_led(1); delay(0.3);
        debug_led(0); delay(0.3);
    }

    while (1);
    return 0;
}

Remember to keep the diskboot short. I got strange effects with the 20k diskboot. Several tries may be necessary.

Needless to say that I wouldn't post the code if it didn't work, right? :D

Cheers.
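The signature test in jeff666's dumper above (two zero words at +0x34/+0x38, a 3 at +0x3C, and two firmware-range pointers at +0x4C/+0x50) can be exercised on a PC before it is ever run on a camera. The following is an added example of my own, not code from the thread: it runs the same scan over a constructed little-endian memory window, with a decoy table whose pointers are not in the firmware range so the FW_ADDRESS guard is seen to reject it, and with the candidate read at +0x50 bounds-checked, which the on-camera loop is not (it reads up to 0x50 bytes past its own 0xF0000 limit). The 0xFFCF51B0 value is the A720 address mentioned in the thread, reused here only as sample data; the layout of the window is invented.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define FW_ADDRESS 0xFFC00000u   /* same constant as the posted dumper */

/* Little-endian 32-bit accessors, so the host buffer is laid out exactly
 * as the ARM core in the camera sees its RAM. */
static uint32_t rd32(const uint8_t *ram, size_t off)
{
    return (uint32_t)ram[off] | ((uint32_t)ram[off + 1] << 8) |
           ((uint32_t)ram[off + 2] << 16) | ((uint32_t)ram[off + 3] << 24);
}

static void wr32(uint8_t *ram, size_t off, uint32_t v)
{
    ram[off]     = (uint8_t)v;
    ram[off + 1] = (uint8_t)(v >> 8);
    ram[off + 2] = (uint8_t)(v >> 16);
    ram[off + 3] = (uint8_t)(v >> 24);
}

/* The posted heuristic: step through the window 4 bytes at a time and look
 * for a table with 0 at +0x34 and +0x38, 3 at +0x3C, and pointers above
 * FW_ADDRESS at +0x4C and +0x50.  Returns the word at +0x50 (the candidate
 * write routine) and stores the table offset in *match_off; returns 0 when
 * nothing matches.  The loop bound keeps every read inside the window. */
uint32_t find_write_func(const uint8_t *ram, size_t len, size_t *match_off)
{
    for (size_t i = 0; i + 0x54 <= len; i += 4) {
        if (rd32(ram, i + 0x34) == 0 &&
            rd32(ram, i + 0x38) == 0 &&
            rd32(ram, i + 0x3C) == 3 &&
            rd32(ram, i + 0x4C) > FW_ADDRESS &&
            rd32(ram, i + 0x50) > FW_ADDRESS) {
            if (match_off)
                *match_off = i;
            return rd32(ram, i + 0x50);
        }
    }
    return 0;
}

/* Constructed sample window (not a real camera dump).  The decoy table at
 * 0x40 has the zeros and the 3 but RAM-range pointers, so the FW_ADDRESS
 * test must reject it; the table at 0x100 carries firmware-range pointers. */
void build_sample(uint8_t *ram, size_t len)
{
    memset(ram, 0xAA, len);                       /* filler that never matches */
    wr32(ram, 0x40 + 0x34, 0); wr32(ram, 0x40 + 0x38, 0); wr32(ram, 0x40 + 0x3C, 3);
    wr32(ram, 0x40 + 0x4C, 0x00001234u); wr32(ram, 0x40 + 0x50, 0x00005678u);
    wr32(ram, 0x100 + 0x34, 0); wr32(ram, 0x100 + 0x38, 0); wr32(ram, 0x100 + 0x3C, 3);
    wr32(ram, 0x100 + 0x4C, 0xFFCF0000u); wr32(ram, 0x100 + 0x50, 0xFFCF51B0u);
}

uint32_t demo_found_address(void)
{
    uint8_t ram[0x200];
    build_sample(ram, sizeof ram);
    return find_write_func(ram, sizeof ram, NULL);
}

size_t demo_found_offset(void)
{
    uint8_t ram[0x200];
    size_t off = 0;
    build_sample(ram, sizeof ram);
    find_write_func(ram, sizeof ram, &off);
    return off;
}

uint32_t demo_empty_window(void)
{
    uint8_t ram[0x200];
    memset(ram, 0, sizeof ram);                   /* +0x3C is never 3: no match */
    return find_write_func(ram, sizeof ram, NULL);
}

int main(void)
{
    printf("candidate 0x%08X at window offset 0x%zX\n",
           (unsigned)demo_found_address(), demo_found_offset());
    printf("empty window -> 0x%08X\n", (unsigned)demo_empty_window());
    return 0;
}
```

Feeding a real RAM dump into find_write_func() (with the window's base address added to the returned offset) is the quickest way to see whether a new model's signature matches before touching the camera, which is the kind of mismatch RyeBrye reports for the SD870 below.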

*

Offline RyeBrye

  • **
  • 73
  • SD-870
Re: universal dumper - one more idea
« Reply #36 on: 31 / January / 2008, 02:08:48 »
I tested out some things... the SD870 doesn't work with that signature... :(

I hardcoded in the address 0xFF9182FC to see if that would work, but no go... 

I also tried 0xFF9181A4 to see if that would work, and it didn't work either.

I am using a 32 meg bootable SD card, and the 100k diskboot image. I'm scanning the entire card each dump attempt to search for the firmware, but not finding it :(

Oh well... I'll try some more things later and see how it goes.

*

Offline ewavr

  • ****
  • 1057
  • A710IS
Re: universal dumper - one more idea
« Reply #37 on: 31 / January / 2008, 10:55:14 »
jeff's latest dumper works on the A650 - one guy from the Russian forum got the dump. After verification I'll post this dump in the corresponding topic.
"The triumph of mind over sarsaparilla"


*

Offline mx3

  • ****
  • 372
Re: universal dumper - one more idea
« Reply #38 on: 31 / January / 2008, 12:05:10 »
Latest jeff's dumper works on A650 - one guy from russian forum got the dump.
I like it
skype: max_dtc. ICQ: 125985663, email: win.drivers(at)gmail, eVB decompiler

*

Offline RyeBrye

  • **
  • 73
  • SD-870
Re: universal dumper - one more idea
« Reply #39 on: 31 / January / 2008, 16:44:21 »
Here's a helper function that will blink out the hexadecimal value of an unsigned int - one digit at a time in a very easy-to-use format....

Usage:
1. Define LEDs you will use
  • If you know multiple LEDs, you are in luck - because you can ping-pong between them to make it easy to identify when one digit ends and the next digit begins
2. Call function output_hex_address(unsigned int value)

It's pretty straightforward. Should be helpful for debugging any signature-searching functions...

 
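An added example of the scheme RyeBrye describes, written for this page and not his helper: the value is sent one hex digit at a time, and when two LEDs are known the digits ping-pong between them so the boundary between digits is visible. The pulse encoding (digit d sent as d+1 pulses so that a zero is not silent) and the function name output_hex_value are this example's own choices. The LED is abstracted behind a callback; on the camera that callback would pulse the GPIO register the way debug_led() and delay() in jeff666's dumper do, while here a host-side recorder stands in for it so the encoding can be checked on a PC.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* LED "driver" callback: (which LED, how many pulses, caller context). */
typedef void (*pulse_fn)(int led, int pulses, void *ctx);

/* Blink all eight hex digits of `value`, most significant first.
 * Encoding (this example's assumption, not RyeBrye's format): digit d is
 * sent as d+1 pulses, so 0 is one pulse and F is sixteen.  Successive digits
 * alternate across the available LEDs, so with two LEDs the watcher never has
 * to rely on a timing gap to tell where one digit ends. */
void output_hex_value(uint32_t value, int num_leds, pulse_fn pulse, void *ctx)
{
    if (num_leds < 1)
        num_leds = 1;
    for (int digit = 0; digit < 8; digit++) {
        int nibble = (value >> ((7 - digit) * 4)) & 0xF;
        pulse(digit % num_leds, nibble + 1, ctx);
    }
}

/* Host-side recorder standing in for the camera's LEDs. */
typedef struct {
    int led[8];
    int pulses[8];
    int n;
} blink_log;

static void record_pulses(int led, int pulses, void *ctx)
{
    blink_log *log = ctx;
    if (log->n < 8) {
        log->led[log->n] = led;
        log->pulses[log->n] = pulses;
    }
    log->n++;
}

/* Inverse of the encoding: what someone watching the LEDs would write down. */
uint32_t decode_blink_log(const blink_log *log)
{
    uint32_t v = 0;
    for (int i = 0; i < log->n && i < 8; i++)
        v = (v << 4) | (uint32_t)(log->pulses[i] - 1);
    return v;
}

static blink_log demo_blink(uint32_t value)
{
    blink_log log = { {0}, {0}, 0 };
    output_hex_value(value, 2, record_pulses, &log);   /* two LEDs known */
    return log;
}

/* Small accessors so the behaviour can be checked from outside. */
int demo_pulses(uint32_t value, int digit) { return demo_blink(value).pulses[digit]; }
int demo_led(uint32_t value, int digit)    { return demo_blink(value).led[digit]; }
uint32_t demo_roundtrip(uint32_t value)
{
    blink_log log = demo_blink(value);
    return decode_blink_log(&log);
}

int main(void)
{
    uint32_t value = 0xFFCF51B0u;   /* the A720 address mentioned in the thread, as sample data */
    blink_log log = demo_blink(value);
    for (int i = 0; i < log.n; i++)
        printf("digit %d: LED %d, %2d pulses\n", i, log.led[i], log.pulses[i]);
    printf("decoded back: 0x%08X\n", (unsigned)decode_blink_log(&log));
    return 0;
}
```

Because the recorder and decode_blink_log() round-trip the value, a wrong reading on the camera can be blamed on the eye rather than the encoder, which matters when the value being read out is the candidate address from a signature search that has not yet been confirmed.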
