Dryos Basic scripting - DryOS Development - CHDK Forum

Dryos Basic scripting
« on: 13 / August / 2010, 20:33:47 »
Hi all!

We reversed the Basic language interpreter that comes with most PowerShot cameras. This is not the same as uBasic and doesn't need CHDK installed.

It could be useful to dump the firmware from some models; it's very easy to do this with a simple script that you save on the SD card.

We did a talk about this at the Defcon security conference and we published documentation and videos at this URL:

http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=Exploiting_Digital_Cameras

You can download the (incomplete) documentation of the language from this link:

http://corelabs.coresecurity.com/index.php?module=Wiki&action=attachment&type=publication&page=Exploiting_Digital_Cameras&file=Exploiting_Digital_Cameras_IOBasic_-_BONUS.pdf

Hope it's useful.

Oren and Alfred

« Last Edit: 13 / August / 2010, 20:38:08 by aortega »

*

Offline reyalp

Re: Dryos Basic scripting
« Reply #1 on: 13 / August / 2010, 23:08:14 »
Very nicely done :)
Don't forget what the H stands for.

*

Offline dvip

Re: Dryos Basic scripting
« Reply #2 on: 14 / August / 2010, 01:02:45 »
Nice aortega, some useful functions there.
Would be nice to have some of them in Lua.

I like these :)

InitializeSoundRec( )
FreeBufferForSoundRec( )
StartSoundRecord( 3 )
TerminateSoundRec( )




*

Offline reyalp

Re: Dryos Basic scripting
« Reply #3 on: 14 / August / 2010, 01:10:14 »
> Nice aortega, some useful functions there.
> Would be nice to have some of them in Lua.
>
> I like these :)
>
> InitializeSoundRec( )
> FreeBufferForSoundRec( )
> StartSoundRecord( 3 )
> TerminateSoundRec( )

dvip, you should be able to call any of these using the eventproc interface. http://chdk.wikia.com/wiki/LUA/LUA_Reference/Native_Function_Calls

*

Offline ewavr

Re: Dryos Basic scripting
« Reply #4 on: 14 / August / 2010, 02:03:01 »
@reyalp, is multiply (*) working on your D10?
It seems that a=2*2 crashes my a710, but a=2+2 works.
Code: (vb)
dim f,a

private sub Initialize()
  a=2*2
  SystemEventInit()
  f=Fopen_Fut("A/dump.bin","w")
  Fwrite_Fut(&a, 4,1,f)
  Fclose_Fut(f)
end sub
In old VxWorks cameras, LCDMsg_**** functions are absent...

*

Offline reyalp

Re: Dryos Basic scripting
« Reply #5 on: 14 / August / 2010, 02:15:28 »
That script crashes my d10

edit:
Code:
ASSERT!! Script.c Line 461
Occured Time  2010:08:13 22:19:39
Task ID: 12582936
Task name: CtrlSrv

edit:
and also a540 with an assert in Script.c


edit:
BTW, I started a wiki page to document this http://chdk.wikia.com/wiki/Canon_Basic

edit:
A fairly comprehensive list of eventprocs on a540 may be found at http://chdk.wikia.com/wiki/User:ReyalP/EventProcNotes

edit:
VxWorks has PT_SetMessage and PT_UndispMessage but I'm not sure how they work.
« Last Edit: 14 / August / 2010, 02:39:03 by reyalp »

Re: Dryos Basic scripting
« Reply #6 on: 14 / August / 2010, 03:03:37 »
@ewavr I believe the problem with that script is the & operator, which doesn't behave like in C.
The equivalent in Canon Basic may be the weird operators %%MEMORY_L, %%MEMORY_S and %%MEMORY_M, but we didn't test them.

Something like this should work (tested on my G10):

private sub Initialize()
   System.Create()
   a=strlen("Aaaaaaaa\n")
   sprintf(b,"Aa%caaaaaaa\n",0)
   a=Fopen_Fut("A/test.txt","w")
   Fwrite_Fut("AAAA",1,4,a)
   Fwrite_Fut(b,1,6,a)
   Fclose_Fut(a)
end sub

Note that you don't really need to DIM variables. And sorry, but LaTeX screwed with the characters in the documentation and copy-paste of scripts won't work.

You guys crafted a functional firmware dumper in less than an hour? That's awesome.


EDIT: oops, didn't see that 2+2 works. Then probably it's the multiplication, we didn't test all operators.
« Last Edit: 14 / August / 2010, 03:09:02 by aortega »

*

Offline reyalp

Re: Dryos Basic scripting
« Reply #7 on: 14 / August / 2010, 03:56:27 »
@aortega
Would you mind if I reproduce the "Executing Scripts" and "Language constructs" sections in our wiki?

Re: Dryos Basic scripting
« Reply #8 on: 14 / August / 2010, 04:16:53 »
@reyalp, no problem at all.

BTW, there are many interesting event procedures such as AdditionAgentRAM(); looking at the firmware, it seems to accept a file, load it into memory, check if it starts with "gaonisoy", create a task and run it. Maybe it's an easier way to execute ARM code.

Great to know that it works on VxWorks, we missed that one.

Re: Dryos Basic scripting
« Reply #9 on: 14 / August / 2010, 06:18:14 »
Any 2010 cameras that the firmware dumping script can be tried on?
« Last Edit: 14 / August / 2010, 07:26:47 by Microfunguy »

 
