
Dryos Basic scripting

    « on: 13 / August / 2010, 20:33:47 »
    Hi all!

    We reversed the BASIC language interpreter that comes with most PowerShot cameras. It is not the same as uBasic and doesn't need CHDK installed.

    It could be useful for dumping the firmware from some models; it's very easy to do this with a simple script that you save on the SD card.

    We gave a talk about this at the Defcon security conference and published documentation and videos at this URL:

    http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=Exploiting_Digital_Cameras

    You can download the (incomplete) documentation of the language from this link:

    http://corelabs.coresecurity.com/index.php?module=Wiki&action=attachment&type=publication&page=Exploiting_Digital_Cameras&file=Exploiting_Digital_Cameras_IOBasic_-_BONUS.pdf

    Hope it's useful.

    Oren and Alfred

    « Last Edit: 13 / August / 2010, 20:38:08 by aortega »

    reyalp
    Re: Dryos Basic scripting
    « Reply #1 on: 13 / August / 2010, 23:08:14 »
    Very nicely done :)
    Don't forget what the H stands for.

    dvip
    Re: Dryos Basic scripting
    « Reply #2 on: 14 / August / 2010, 01:02:45 »
    Nice, aortega, some useful functions there.
    Would be nice to have some of them in Lua.

    I like these   :)

    InitializeSoundRec( )
    FreeBufferForSoundRec( )
    StartSoundRecord( 3 )
    TerminateSoundRec( )




    reyalp
    Re: Dryos Basic scripting
    « Reply #3 on: 14 / August / 2010, 01:10:14 »
    Nice, aortega, some useful functions there.
    Would be nice to have some of them in Lua.

    I like these   :)

    InitializeSoundRec( )
    FreeBufferForSoundRec( )
    StartSoundRecord( 3 )
    TerminateSoundRec( )
    dvip, you should be able to call any of these using the eventproc interface: http://chdk.wikia.com/wiki/LUA/LUA_Reference/Native_Function_Calls
    Don't forget what the H stands for.


    ewavr
    Re: Dryos Basic scripting
    « Reply #4 on: 14 / August / 2010, 02:03:01 »
    @reyalp, is multiply (*) working on your D10?
    It seems that a=2*2 crashes my A710, but a=2+2 works.
    Code: (vb)
    dim f,a

    private sub Initialize()
      a=2*2
      SystemEventInit()
      f=Fopen_Fut("A/dump.bin","w")
      Fwrite_Fut(&a, 4,1,f)
      Fclose_Fut(f)
    end sub
    In old VxWorks cameras, LCDMsg_**** functions are absent...

    reyalp
    Re: Dryos Basic scripting
    « Reply #5 on: 14 / August / 2010, 02:15:28 »
    That script crashes my D10.

    edit:
    Code:
    ASSERT!! Script.c Line 461
    Occured Time  2010:08:13 22:19:39
    Task ID: 12582936
    Task name: CtrlSrv

    edit:
    and also an A540, with an assert in Script.c


    edit:
    BTW, I started a wiki page to document this: http://chdk.wikia.com/wiki/Canon_Basic

    edit:
    A fairly comprehensive list of eventprocs on a540 may be found at http://chdk.wikia.com/wiki/User:ReyalP/EventProcNotes

    edit:
    VxWorks has PT_SetMessage and PT_UndispMessage, but I'm not sure how they work.
    « Last Edit: 14 / August / 2010, 02:39:03 by reyalp »
    Don't forget what the H stands for.
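Crash logs like the one quoted above accumulate quickly when the same script is tried on several cameras. The following Python parser is an added example, not code from the thread or from CHDK; it reads the camera's ASSERT log format exactly as shown in the post and groups entries by assertion site. The sample text is constructed from the quoted entry (the second entry is made up to show grouping).

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the format of the camera's ASSERT log quoted in the
# thread. The first entry is the one from the post; the second is invented so
# that grouping has something to group. The camera's own spelling "Occured"
# is kept verbatim because that is what the log really contains.
SAMPLE_LOG = """\
ASSERT!! Script.c Line 461
Occured Time  2010:08:13 22:19:39
Task ID: 12582936
Task name: CtrlSrv

ASSERT!! Script.c Line 461
Occured Time  2010:08:14 09:02:11
Task ID: 12582936
Task name: CtrlSrv
"""

# One entry is four consecutive lines: source file and line, timestamp,
# task id and task name. Whitespace between fields is not fixed-width.
ENTRY_RE = re.compile(
    r"ASSERT!!\s+(?P<file>\S+)\s+Line\s+(?P<line>\d+)\s*\n"
    r"Occured Time\s+(?P<time>\d{4}:\d{2}:\d{2} \d{2}:\d{2}:\d{2})\s*\n"
    r"Task ID:\s+(?P<task_id>\d+)\s*\n"
    r"Task name:\s+(?P<task>\S+)"
)


def parse_assert_log(text):
    """Return a list of dicts, one per ASSERT entry, with typed fields."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        entries.append({
            "file": m.group("file"),
            "line": int(m.group("line")),
            # Canon writes dates with ':' separators; normalise to datetime.
            "time": datetime.strptime(m.group("time"), "%Y:%m:%d %H:%M:%S"),
            "task_id": int(m.group("task_id")),
            "task": m.group("task"),
        })
    return entries


def assert_sites(entries):
    """Count how often each (file, line) assertion fired."""
    return Counter((e["file"], e["line"]) for e in entries)


if __name__ == "__main__":
    for site, n in assert_sites(parse_assert_log(SAMPLE_LOG)).most_common():
        print(f"{site[0]}:{site[1]} fired {n} time(s)")
```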

    Re: Dryos Basic scripting
    « Reply #6 on: 14 / August / 2010, 03:03:37 »
    @ewavr, I believe the problem with that script is the & operator, which doesn't behave like in C.
    The equivalent in Canon Basic may be the weird operators %%MEMORY_L, %%MEMORY_S and %%MEMORY_M, but we didn't test them.

    Something like this should work (tested on my G10):

    private sub Initialize()
       System.Create()
       a=strlen("Aaaaaaaa\n")
       sprintf(b,"Aa%caaaaaaa\n",0)
       a=Fopen_Fut("A/test.txt","w")
       Fwrite_Fut("AAAA",1,4,a)
       Fwrite_Fut(b,1,6,a)
       Fclose_Fut(a)
    end sub

    Note that you don't really need to DIM variables. And sorry, but LaTeX screwed up the characters in the documentation, so copy-pasting scripts from it won't work.

    You guys crafted a functional firmware dumper in less than an hour? That's awesome.


    EDIT: oops, I didn't see that 2+2 works. Then it's probably the multiplication; we didn't test all operators.
    « Last Edit: 14 / August / 2010, 03:09:02 by aortega »

    reyalp
    Re: Dryos Basic scripting
    « Reply #7 on: 14 / August / 2010, 03:56:27 »
    @aortega
    Would you mind if I reproduce the "Executing Scripts" and "Language constructs" sections in our wiki?
    Don't forget what the H stands for.


    Re: Dryos Basic scripting
    « Reply #8 on: 14 / August / 2010, 04:16:53 »
    @reyalp, no problem at all.

    BTW, there are many interesting event procedures, such as AdditionAgentRAM(): looking at the firmware, it seems to accept a file, load it into memory, check if it starts with "gaonisoy", create a task and run it. Maybe it's an easier way to execute ARM code.

    Great to know that it works on VxWorks, we missed that one.

    Re: Dryos Basic scripting
    « Reply #9 on: 14 / August / 2010, 06:18:14 »
    Any 2010 cameras that the firmware dumping script can be tried on?
    « Last Edit: 14 / August / 2010, 07:26:47 by Microfunguy »

     
