Ave,
I would like to inform you that I managed to dump the firmware from the SX120IS. The current udumper does not work on this camera, so I had to modify it a bit.
A few facts:
* executing DISKBOOT.BIN is possible after encoding it with 'dancingbits' and specifying option '3'
* contrary to what the wiki says about the SX line, the ROM starts at 0xFFC00000 [1]
* led addresses:
0xC0220008 FLASH_LAMP
0xC022000C LED_AF
0xC0220010 LED_ORANGE
0xC0220014 LED_GREEN
* link to firmware:
http://w472.wrzuta.pl/plik/3BjnPIMyelk/sx120is.100b

At first I found the LED addresses using a self-created PS.FI2 file. A few days later the dancingbits program was updated with a new encoding method. Executing DISKBOOT.BIN became possible - hurray!
Thinking that blinking would be inevitable, I started playing around with IDA and analyzing the CanonIxus95IS_SD1200IS firmware. (I was too lazy to go to the shop to buy a photodiode ;P ).
It took me a bit of time to find the real WriteSDCard function... Instead of searching for the 'write' string in the binary I should have looked for ',#0x38]' near an STR instruction first. These two posts gave me a really good hint on how to get the bastard.
http://chdk.setepontos.com/index.php/topic,3347.msg31914.html#msg31914
http://chdk.setepontos.com/index.php/topic,3347.msg35952.html#msg35952

Here's the code:
ROM:FFC3EE28 uSetPointers ; CODE XREF: sub_FFC3F454+34p
ROM:FFC3EE28 ; sub_FFC3F5B4+2CFp
ROM:FFC3EE28 STMFD SP!, {R4-R6,LR}
ROM:FFC3EE2C MOV R6, R0
ROM:FFC3EE30 LDR R0, =0xE2FC ;Somewhere near pointers are stored
ROM:FFC3EE34 MOV R5, R1
ROM:FFC3EE38 ADD R4, R0, R6,LSL#7
[snip]
ROM:FFC3EE64 ADRNE R0, aMounter_c ; "Mounter.c"
ROM:FFC3EE68 BNE DebugAssert
ROM:FFC3EE6C LDR R0, [R4,#0x70]
ROM:FFC3EE70 TST R0, #1
ROM:FFC3EE74 LDMNEFD SP!, {R4-R6,PC}
ROM:FFC3EE78 MOV R0, #3
ROM:FFC3EE7C LDR R1, =sub_FFCE4118
ROM:FFC3EE80 STR R0, [R4,#0x3C]
ROM:FFC3EE84 STR R1, [R4,#0x4C]
ROM:FFC3EE88 LDR R1, =ThisIsIT
ROM:FFC3EE8C MOV R0, #0
ROM:FFC3EE90 STR R1, [R4,#0x50]
ROM:FFC3EE94 LDR R1, =sub_FFCE4064
ROM:FFC3EE98 STR R0, [R4,#0x38]
ROM:FFC3EE9C STR R1, [R4,#0x5C]
ROM:FFC3EEA0 STR R0, [R4,#0x60]
ROM:FFC3EEA4 LDR R0, =sub_FFCE46D4
ROM:FFC3EEA8 STR R0, [R4,#0x64]
ROM:FFC3EEAC LDR R0, =sub_FFCE4744
ROM:FFC3EEB0 STR R0, [R4,#0x68]
ROM:FFC3EEB4 LDMFD SP!, {R4-R6,PC}
ROM:FFC3EEB4 ; End of function uSetPointers
Unfortunately, the changed udumper code did not work - the address could not be found:
for (i = 0x1900; i < 0xF0000; i += 4)
    /* look for the block uSetPointers fills in: [+0x38] = 0, [+0x3C] = 3,
       [+0x4C] and [+0x50] = function pointers, [+0x60] = 0 */
    if ((*(unsigned int*)(i+0x60) == 0) &&
        (*(unsigned int*)(i+0x38) == 0) &&
        (*(unsigned int*)(i+0x3C) == 3) &&
        (*(unsigned int*)(i+0x4C) > MIN_ADDRESS) &&
        (*(unsigned int*)(i+0x50) > MIN_ADDRESS)) {
        wr = (f_w)*(unsigned int*)(i+0x50);   /* write function stored at +0x50 */
        break;
    }
But...
if you look a bit harder into the firmware code you will find:
ROM:FFC3EEDC dword_FFC3EEDC DCD 0x53A ; DATA XREF: uSetPointers+34r
ROM:FFC3EEE0 aMounter_c DCB "Mounter.c",0 ; DATA XREF: uSetPointers+3Co
ROM:FFC3EEE0 ; sub_FFC3EF84+154oo ...
ROM:FFC3EEEA DCB 0
ROM:FFC3EEEB DCB 0
ROM:FFC3EEEC off_FFC3EEEC DCD sub_FFCE4118 ; DATA XREF: uSetPointers+54r
ROM:FFC3EEF0 off_FFC3EEF0 DCD ThisIsIT ; DATA XREF: uSetPointers+60r
[gajownik@zuzia tmp]$ grep Mounter CanonIxus95IS_SD1200IS.bin.strings
ffc3eee0 Mounter.c
[gajownik@zuzia tmp]$
Mounter.c is unique, and 0x10 bytes later we have a pointer to our function!

I compiled the attached code at 1 AM, inserted the SD card into the camera with trembling hands, and a minute later there was a big smile on my face :]
If someone would like to test it on his/her camera, the binary can be found in the attachment (it dumps from 0xFFC00000 though).
And now for something completely different. On systems with /bin/sh set to ksh, ./chdk/tools/gensigs.sh does not work:
gajownik@hydra:~/chdk/chdk/tools$ make
pakwif.c -> pakwif.o
pakwif.o -> pakwif
gensig.c -> gensig.o
gensig.o -> gensig
-> signatures_vxworks.h
./gensigs.sh[9]: syntax error: `(' unexpected
make: *** [signatures_vxworks.h] Błąd 1
gajownik@hydra:~/chdk/chdk/tools$
Here's a fix:
gajownik@hydra:~/chdk/chdk/tools$ LC_ALL=C svn diff gensigs.sh
Index: gensigs.sh
===================================================================
--- gensigs.sh (revision 803)
+++ gensigs.sh (working copy)
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
VERSIONS=$3
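Review bot: the hunk header `@@ -1,4 +1,4 @@` announces four lines but only three are pasted (the two shebang lines and `VERSIONS=$3`), so the diff as shown is truncated and will not apply cleanly; include the full hunk. Switching the shebang to `#!/bin/bash` also only sidesteps the error the build log flags on line 9 (`syntax error: '(' unexpected`) rather than fixing the non-POSIX construct there; either rewrite that line in portable sh or document that the script requires bash, since `/bin/bash` is not guaranteed to exist at that path on every system.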
gajownik@hydra:~/chdk/chdk/tools$
Hope that helps.
Oh, BTW, is the processor really little endian?
[1] I discovered it by blinking out the first 3 bytes of the "gaonisoyP" string at a fantastic speed of 1 bit per 5 seconds.
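The string-anchored lookup described in the post (a unique "Mounter.c" with the function pointer 0x10 bytes after it), written out as an added Python example; this is not code from the post or from udumper. It assumes a little-endian ROM image starting at 0xFFC00000; the sample dump and the target address 0xFFCE4000 are constructed stand-ins, not values from a real camera.

```python
import struct

ROM_BASE = 0xFFC00000  # ROM start address reported in the post


def find_mounter_pointer(dump: bytes, rom_base: int = ROM_BASE) -> tuple:
    """Find the unique "Mounter.c" string in a ROM dump and return
    (ROM address of the string, pointer stored 0x10 bytes after it)."""
    needle = b"Mounter.c\x00"
    off = dump.find(needle)
    if off < 0:
        raise ValueError("Mounter.c not present in dump")
    if dump.find(needle, off + 1) >= 0:
        # The heuristic is only safe because the string occurs exactly once.
        raise ValueError("Mounter.c is not unique in this dump")
    ptr_off = off + 0x10  # 10-byte string + 2 pad bytes + one pointer slot
    if ptr_off + 4 > len(dump):
        raise ValueError("dump ends before the pointer slot")
    # Assumption: little-endian words, as udumper's unsigned int loads imply.
    (ptr,) = struct.unpack_from("<I", dump, ptr_off)
    if not rom_base <= ptr < rom_base + len(dump):
        raise ValueError(f"pointer {ptr:#x} does not point into the ROM image")
    return rom_base + off, ptr


def build_sample_dump() -> bytes:
    """Constructed 1 MiB stand-in for a ROM dump: the data layout from the
    post's listing placed at file offset 0x3EEDC (ROM 0xFFC3EEDC), with the
    placeholder address 0xFFCE4000 standing in for the write function."""
    region = struct.pack("<I", 0x53A)            # dword_FFC3EEDC
    region += b"Mounter.c\x00" + b"\x00\x00"     # aMounter_c plus 2 pad bytes
    region += struct.pack("<I", 0xFFCE4118)      # off_FFC3EEEC
    region += struct.pack("<I", 0xFFCE4000)      # off_FFC3EEF0 (placeholder)
    img = bytearray(0x100000)
    img[0x3EEDC:0x3EEDC + len(region)] = region
    return bytes(img)


if __name__ == "__main__":
    addr, ptr = find_mounter_pointer(build_sample_dump())
    print(f"Mounter.c at {addr:#010x}, write function pointer -> {ptr:#010x}")
```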
