SD870IS Firmware dumping - page 6 - Firmware Dumping - CHDK Forum  

SD870IS Firmware dumping


Offline RyeBrye

  • SD-870
Re: SD870IS Firmware dumping
« Reply #50 on: 24 / January / 2008, 15:57:59 »
Well... here it is - it SHOULD be complete - since the blocks that were in error did not overlap at all - so... here is the sd870 dump:

 http://ryebrye.com/files/sd870_dump.dat.zip

MD5 (sd870_dump.dat.zip) = a25d18f948114a8fbffff21bce328a99

and when it is uncompressed:
MD5 (sd870_dump.dat) = 19e597052878177a3339a4b420f4d6f7

Now... how can I help get this thing ported over? :)
« Last Edit: 24 / January / 2008, 16:09:25 by RyeBrye »


Offline RyeBrye

  • SD-870
Re: SD870IS Firmware dumping
« Reply #51 on: 24 / January / 2008, 20:51:55 »
I'm loading it into IDA now and using the signature and idc files... Somebody has definitely spent a LOT of work already on the DryOS porting! :)

I think I might try to lend a hand over in the "universal dumping" forum and find the WriteSD address and make an SD-card dumper for this camera to get another dump - and to make it really easy for others to get dumps...

Of course, since I have no idea how to go about doing that - it might take me a while :)
« Last Edit: 24 / January / 2008, 22:39:02 by RyeBrye »

Re: SD870IS Firmware dumping
« Reply #52 on: 24 / January / 2008, 23:27:13 »
Great work RyeBrye!

I downloaded the firmware some hours ago but I had some trouble loading the file in IDA. What ROM start address value did you use?!? Also, I noticed this firmware dump starts 10000 too "early" (you can compare with the 720 dump). Did you enter a File Offset in IDA? I'm not very experienced with this kind of stuff but I think the absolute address value is critical for the porting.

Thanks for your dump!

EDIT: Here is the exact error message: The loading address should belong to RAM or ROM.
I used the value 0xFF810000 for the ROM Start address
« Last Edit: 24 / January / 2008, 23:31:35 by mlaprise »


Offline RyeBrye

  • SD-870
Re: SD870IS Firmware dumping
« Reply #53 on: 24 / January / 2008, 23:44:38 »
Rom start address: 0xFF80000

I just used the guide here: http://chdk.wikia.com/wiki/DryOS_Porting#Load_into_IDA_and_Disassemble_code
and here: http://chdk.wikia.com/wiki/Loading_dump_to_IDA#Preparing

If we can find the WriteSD function - we can put the address into the universal dumper being worked on in the other thread and dump it out again.

The function in the SD870 doesn't appear to match the one in the A720 - I used the signature-based main.c to try to dump it out, but it didn't work.

I noticed tonight that something in my camera is faulty...  ::) for some reason... the flash isn't working...  :-[ No idea how that could have happened  ::) I guess my flash unit must have been faulty... since I've only had the camera for a week...  ::)

« Last Edit: 25 / January / 2008, 00:05:26 by RyeBrye »



Offline GrAnd

  • [A610, S3IS]
    • CHDK
Re: SD870IS Firmware dumping
« Reply #54 on: 25 / January / 2008, 07:39:04 »
It seems that the dump is still incorrect.
1) It's too long.
2) Some blocks are "flying" in the file.

Looks like dec.exe did incorrect seeks to positions before writing. But it should work (it works well on my machine). What OS did you use? Did you use the correct base address in dec.c?

The output file should not contain more data than the dumped range. You can clearly see this from the very simple source of dec.c:
Code:
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

static unsigned char *data;
static int len;
static unsigned long base = 0xFFC00000;   // Should be adjusted for camera model.

#include "crc16.c"

// Return the offset of the next block marker (0a 55 aa 50) at or after sp, or -1.
int findsig(int sp)
{
    int i;

    for (i = 0; i < (len - sp - 4); i++) {
        if ((data[sp+i+0] == 0x0a) &&
            (data[sp+i+1] == 0x55) &&
            (data[sp+i+2] == 0xaa) &&
            (data[sp+i+3] == 0x50))
            return sp + i;
    }
    return -1;
}

int main()
{
    FILE *f, *fo;
    int r, t;
    unsigned short crc, crc1, crc2;
    unsigned long addr, blk = base;

    f = fopen("dump", "rb");
    if (!f) {
        perror("Can't open input file");
        exit(1);
    }
    // Open the output for update so a later run adds to what an earlier run
    // wrote: FAIL blocks are never written, so a good block is never clobbered.
    fo = fopen("dump.dat", "r+b");
    if (!fo) {
        fo = fopen("dump.dat", "w+b");
        if (!fo) {
            perror("Can't open output file");
            exit(1);
        }
    }

    fseek(f, 0, SEEK_END);
    len = ftell(f);
    data = malloc(len);
    if (!data) {
        perror("malloc");
        exit(1);
    }
    fseek(f, 0, SEEK_SET);
    r = fread(data, 1, len, f);
    printf("read %d bytes... \n", r);

    t = findsig(0);
    while (t >= 0) {
        // Marker, 4-byte address, 1024 data bytes, CRC stored twice: stop if
        // the file ends before a complete block.
        if (t + 8 + 1024 + 4 > len)
            break;

        // The block address is stored little-endian; read it byte by byte
        // instead of casting to long, which is 8 bytes on 64-bit hosts.
        addr = (unsigned long)data[t+4] | ((unsigned long)data[t+5] << 8) |
               ((unsigned long)data[t+6] << 16) | ((unsigned long)data[t+7] << 24);

        while (blk < addr) {
            printf("MISSED block: %08lx\n", blk);
            blk += 1024;
        }

        printf("found SIG at %7d... Base: %08lx CRC...", t, addr);
        crc = crc16(0, data+t+8, 1024);
        printf("%04x...", crc);

        crc1 = data[t+8+1024] | (data[t+8+1024+1] << 8);
        crc2 = data[t+8+1024+2] | (data[t+8+1024+3] << 8);
        if ((crc1 == crc) && (crc2 == crc)) {
            printf("OK!\n");
            if (addr < base) {
                // With a wrong base this seek would go negative and the block
                // would land somewhere arbitrary in the output ("flying" blocks).
                printf("block %08lx is below base %08lx - check base!\n", addr, base);
            } else {
                fseek(fo, addr-base, SEEK_SET);  // Go to the actual block location
                fwrite(data+t+8, 1, 1024, fo);   // Write the data
            }
        } else {
            printf("FAIL\n");
        }

        t = findsig(t+8);
        blk += 1024;
    }

    fclose(f);
    fclose(fo);
    return 0;
}

« Last Edit: 25 / January / 2008, 07:49:59 by GrAnd »
CHDK Developer.


Offline RyeBrye

  • SD-870
Re: SD870IS Firmware dumping
« Reply #55 on: 25 / January / 2008, 10:20:01 »
It seems that the dump is still incorrect.
1) It's too long.
2) Some blocks are "flying" in the file.

Looks like dec.exe did incorrect seeks to positions before writing. But it should work (it works well on my machine). What OS did you use? Did you use the correct base address in dec.c?

I used OS X... perhaps it's related to an endianness issue? adc was run on my ppc machine which has tons of hard disk space, and dec was run on my intel machine...

Perhaps the best approach now would be for me to delete the dump.bat file and run dec with the one dump that only had a small number of crc issues - load that dump into IDA - and then look for the WriteSDCard method to use with the universal dumper to dump the thing out to an SD card?

Or - another approach is I can zip up the 790 meg raw audio file and someone who enjoys self-mutilation can try to tweak their adc settings to get the dump out of it :) (attached is an image of the waveform - it's consistent the whole way through - although in this image the sync signal isn't there - it's about three times longer than the space signal)

Looks like dec.exe did incorrect seeks to positions before writing. But it should work (it works well on my machine). What OS did you use? Did you use the correct base address in dec.c?

Woops... that was the problem :)

Now the dec behaves MUCH more logically - as in:


$ cp dump2 dump
$ ./bin/chdk_dec  | grep FAIL > dump.bad
$ md5 dump.dat
$ cp dump_older dump
$ ./bin/chdk_dec  | grep FAIL > dump.bad.2
$ md5 dump.dat
MD5 (dump.dat) = d68ae00c34777b8166b68621369aef44
$ cp dump2 dump
$ ./bin/chdk_dec  > /dev/null
$ md5 dump.dat
MD5 (dump.dat) = d68ae00c34777b8166b68621369aef44

This behavior is what you would expect based on the not-overwriting-functional-blocks behavior you mentioned before... but before, the md5's wouldn't match...

I will have to re-run adc on the first dump I had because that one has missing blocks that don't overlap. I'll do that today sometime and post the new (correct) decoded dump :)
« Last Edit: 25 / January / 2008, 11:10:02 by RyeBrye »


Offline RyeBrye

  • SD-870
Re: SD870IS Firmware dumping
« Reply #56 on: 25 / January / 2008, 12:39:43 »
Ok. NOW I have a working dump. My apologies about the other one.

Here are the two dumps I combined to make this one:


dump 1 -
found SIG at  110505... Base: ff819c00 CRC...26df...FAIL
found SIG at 1100920... Base: ff908c00 CRC...0944...FAIL
found SIG at 1683144... Base: ff995400 CRC...9d1a...FAIL
found SIG at 1685215... Base: ff995c00 CRC...e3c1...FAIL
found SIG at 2459106... Base: ffa50800 CRC...aca7...FAIL
found SIG at 2562705... Base: ffa69800 CRC...fbd7...FAIL
found SIG at 3203988... Base: ffb04400 CRC...d401...FAIL
found SIG at 3682619... Base: ffb77c00 CRC...d401...FAIL
found SIG at 4160214... Base: ffbeb000 CRC...d401...FAIL

dump 2 -
found SIG at    3900... Base: ff800000 CRC...c6cf...FAIL
found SIG at   48448... Base: ff80ac00 CRC...c441...FAIL
found SIG at 2025132... Base: ff9e7c00 CRC...cf54...FAIL
found SIG at 2429170... Base: ffa49400 CRC...8326...FAIL
found SIG at 2441600... Base: ffa4c400 CRC...9629...FAIL
found SIG at 2512047... Base: ffa5d400 CRC...6a6d...FAIL


None of those overlap, and I can repeatedly change which one I use and the md5 of the combined dump file stays the same.

MD5 (dump.dat) = ea9412416420bde5036f38579f2f972e

It's posted here:
http://ryebrye.com/files/sd870.dat.zip

Dump start address is 0xFF80000
« Last Edit: 25 / January / 2008, 12:41:59 by RyeBrye »
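An added example written for this page, not CHDK's code, covering two things from the posts above: the block framing that GrAnd's dec.c decodes (marker, address, 1024 data bytes, CRC twice) and the two-capture merge RyeBrye describes. It builds a constructed four-block ROM, frames two partial captures of it (one with a damaged block, one with a damaged block and a missing block), decodes the first with dec.c's default base of 0xFFC00000 and then both with the correct base into one output. The names crc16_ccitt, put_frame, decode, run_demo and dec_stats are this example's own; the CRC-16 (CCITT, polynomial 0x1021) is an assumption standing in for crc16.c, whose polynomial the thread does not give, and the little-endian address in the frame is assumed from how dec.c reads it on an x86 host. The out_of_range count is an addition: dec.c as posted has no such check and hands fseek the negative addr-base instead.

```c
/* Added example, not CHDK's dec.c.  CRC and frame byte order are assumptions;
 * all input below is constructed in memory. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLK   1024              /* one dumped block */
#define FRAME (8 + BLK + 4)     /* marker(4) + addr(4) + data + crc stored twice */
#define BASE  0xFF800000u       /* ROM start of the constructed camera */
#define NBLK  4

typedef struct { int written, failed, missed, out_of_range; } dec_stats;

/* CRC-16/CCITT, MSB first.  Assumption: stands in for CHDK's crc16(). */
static uint16_t crc16_ccitt(uint16_t crc, const uint8_t *buf, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        crc ^= (uint16_t)(buf[i] << 8);
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ 0x1021) : (uint16_t)(crc << 1);
    }
    return crc;
}

/* Emit one frame in the layout dec.c scans for: marker 0a 55 aa 50, little-endian
 * 32-bit ROM address, 1024 data bytes, then the CRC written twice.  `corrupt`
 * flips one data byte after the CRC is computed, simulating a bad transfer. */
static void put_frame(uint8_t *dst, uint32_t addr, const uint8_t *data, int corrupt)
{
    const uint8_t sig[4] = {0x0a, 0x55, 0xaa, 0x50};
    uint16_t crc = crc16_ccitt(0, data, BLK);
    memcpy(dst, sig, 4);
    for (int i = 0; i < 4; i++) dst[4 + i] = (uint8_t)(addr >> (8 * i));
    memcpy(dst + 8, data, BLK);
    if (corrupt) dst[8 + 100] ^= 0xff;
    dst[8 + BLK] = dst[8 + BLK + 2] = (uint8_t)crc;
    dst[8 + BLK + 1] = dst[8 + BLK + 3] = (uint8_t)(crc >> 8);
}

/* Decode a raw capture into `out`, which represents ROM [base, base+out_len).
 * Same steps as dec.c (find marker, verify CRC, place block at addr-base), plus
 * one addition: a block whose address falls outside the output is counted and
 * skipped instead of being written at a negative offset. */
static dec_stats decode(const uint8_t *raw, size_t raw_len, uint32_t base,
                        uint8_t *out, size_t out_len)
{
    dec_stats st = {0, 0, 0, 0};
    uint32_t next = base;       /* next address expected, for MISSED accounting */
    size_t t = 0;
    while (t + FRAME <= raw_len) {
        if (!(raw[t] == 0x0a && raw[t+1] == 0x55 && raw[t+2] == 0xaa && raw[t+3] == 0x50)) {
            t++;                /* findsig(): slide until the marker appears */
            continue;
        }
        uint32_t addr = 0;
        for (int i = 3; i >= 0; i--) addr = (addr << 8) | raw[t + 4 + i];
        while (next < addr && (size_t)(next - base) < out_len) { st.missed++; next += BLK; }
        uint16_t crc = crc16_ccitt(0, raw + t + 8, BLK);
        uint16_t c1 = (uint16_t)(raw[t+8+BLK]   | raw[t+8+BLK+1] << 8);
        uint16_t c2 = (uint16_t)(raw[t+8+BLK+2] | raw[t+8+BLK+3] << 8);
        if (c1 != crc || c2 != crc)
            st.failed++;
        else if (addr < base || (uint64_t)(addr - base) + BLK > out_len)
            st.out_of_range++;  /* where dec.c would fseek to addr-base < 0 */
        else {
            memcpy(out + (addr - base), raw + t + 8, BLK);
            st.written++;
        }
        next += BLK;
        t += 8;                 /* dec.c resumes the scan 8 bytes past the marker */
    }
    return st;
}

/* Build a 4-block ROM and two partial captures of it, decode capture 1 with
 * dec.c's default base (wrong for this ROM), then both captures with the right
 * base into one output.  Returns 1 if the merged image equals the original. */
int run_demo(dec_stats *wrong_base, dec_stats *cap_a, dec_stats *cap_b)
{
    static uint8_t rom[NBLK * BLK], out[NBLK * BLK];
    static uint8_t cap1[16 + NBLK * FRAME], cap2[NBLK * FRAME];
    for (size_t i = 0; i < sizeof rom; i++) rom[i] = (uint8_t)(i * 7 + (i >> 10));
    memset(cap1, 0, sizeof cap1);            /* 16 bytes of leading line noise */
    for (int k = 0; k < NBLK; k++)           /* capture 1: every block, block 1 damaged */
        put_frame(cap1 + 16 + k * FRAME, BASE + k * BLK, rom + k * BLK, k == 1);
    size_t len2 = 0;                          /* capture 2: block 0 missing, block 2 damaged */
    for (int k = 1; k < NBLK; k++, len2 += FRAME)
        put_frame(cap2 + len2, BASE + k * BLK, rom + k * BLK, k == 2);
    memset(out, 0, sizeof out);
    *wrong_base = decode(cap1, sizeof cap1, 0xFFC00000u, out, sizeof out);
    *cap_a = decode(cap1, sizeof cap1, BASE, out, sizeof out);
    *cap_b = decode(cap2, len2, BASE, out, sizeof out);
    return memcmp(out, rom, sizeof rom) == 0;
}

int main(void)
{
    dec_stats w, a, b;
    int ok = run_demo(&w, &a, &b);
    printf("wrong base : written %d, out of range %d, crc fail %d\n", w.written, w.out_of_range, w.failed);
    printf("capture 1  : written %d, missed %d, crc fail %d\n", a.written, a.missed, a.failed);
    printf("capture 2  : written %d, missed %d, crc fail %d\n", b.written, b.missed, b.failed);
    printf("merged image %s the original\n", ok ? "matches" : "differs from");
    return ok ? 0 : 1;
}
```

With the wrong base every CRC-good block is rejected here; dec.c has no such check and seeks to the negative addr-base, which is how a file longer than the dumped range with blocks in the wrong places comes about. With the right base, decoding both captures into the same output yields the same image in either order, because only CRC-verified blocks are ever written, which matches the stable md5 RyeBrye sees when swapping the two dumps.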


Offline dodgersp

  • Ixus 860is - SD 870is
Re: SD870IS Firmware dumping
« Reply #57 on: 14 / March / 2008, 08:10:53 »
Great work!!! Any improvement over this month so far?



Offline RyeBrye

  • SD-870
Re: SD870IS Firmware dumping
« Reply #58 on: 14 / March / 2008, 11:10:40 »
Unfortunately, no... I've been really busy with paying work projects and haven't had any time for any of my hobbies :(

I probably won't be able to touch this for another few months - so if anyone else is worried about duplicating effort on this - don't be!


Offline dodgersp

  • Ixus 860is - SD 870is
Re: SD870IS Firmware dumping
« Reply #59 on: 16 / March / 2008, 06:34:22 »

 
