Problems dumping the SD1100IS/IXUS80IS

chr

138
IXUS 82 IS

Re: Problems dumping the SD1100IS/IXUS80IS

« Reply #50 on: 05 / July / 2008, 17:14:01 »

Advertisements

Hello ppl!

I'm going to document everything! Be patient. I'm actually not at $HOME but I am currently in a hack lab. Had some trouble to setup a working PC from junk.

Sure, I tried a udumper in the cam, no success.

I need GrAnd's advice:
I'm using the A610 - SLOW (2500) [96KHz] timing. The FAST timing doesn't give me a good amplitude.
There is a noticeably gap every 5 seconds. I can see it with my eyes while dumping.
Smells like if irqs are not dead?

Heres a dump 8bit raw:
dump.raw.bz2

Code: [Select]

I used 
./adc2 -d 60 207   1 70   6 23 ~/ixdump2/dump.raw dump 
60 140 9 80 1 17
... (more or less sync err)

./dec.o
read 6740 bytes...
found SIG at    3302... Base: 7f800000 CRC...a8a9...FAIL
found SIG at    4333... Base: 7f800400 CRC...c49f...FAIL
found SIG at    5364... Base: 7f800800 CRC...9449...FAIL
found SIG at    6396... Base: ff7f8000 CRC...1188...FAIL



first hexdump looks like this

00000408   37 38 39 0D  0A 30 31 32  33 34 35 36  37 38 39 0D  0A 30 31 32  33 34 35 36  789..0123456789..0123456
00000420   37 38 39 0D  0A 30 31 32  33 34 35 36  37 38 39 0D  0A 30 31 32  33 34 35 36  789..0123456789..0123456
00000438   37 38 39 0D  0A 30 31 32  33 34 35 36  37 38 39 0D  0A 30 31 32  33 34 35 36  789..0123456789..0123456
00000450   37 38 39 0D  0A 30 31 32  33 34 35 36  37 38 39 0D  0A 30 31 32  33 34 35 36  789..0123456789..0123456
00000468   37 38 39 0D  0A 30 31 32  33 34 35 36  37 38 39 0D  0A 30 31 32  33 34 35 36  789..0123456789..0123456
00000480   37 38 39 0D  0A 30 31 32  33 34 35 36  37 38 39 0D  0A 30 31 32  37 38 39 0D  789..0123456789..012789.
00000498   0A 30 31 32  33 34 35 36  37 38 39 0D  0A 30 31 32  33 34 35 36  37 38 39 0D  .0123456789..0123456789.
000004B0   0A 30 31 32  33 34 35 36  37 38 39 0D  0A 30 31 32  33 34 35 36  37 38 39 0D  .0123456789..0123456789.
000004C8   0A 30 31 32  33 34 35 36  37 38 39 0D  0A 30 31 32  33 34 35 36  37 38 39 0D  .0123456789..0123456789.
000004E0   38 39 0D 0A  30 31 32 33  34 35 36 37  38 39 0D 0A  30 31 32 33  34 35 36 37  89..0123456789..01234567
000004F8   38 39 0D 0A  30 31 32 33  34 35 36 37  38 39 0D 0A  30 31 32 33  34 35 36 37  89..0123456789..01234567
00000510   38 39 0D 0A  30 31 32 33  34 35 36 37  38 39 0D 0A  30 31 32 33  34 35 36 37  89..0123456789..01234567
00000528   38 39 0D 0A  30 31 32 33  34 35 36 37  38 39 0D 0A  30 31 32 33  34 35 36 37  89..0123456789..01234567
00000540   38 39 0D 0A  30 31 32 33  34 35 36 37  38 39 0D 0A  30 31 32 33  34 35 36 37  89..0123456789..01234567

lab.jpg (118.32 kB, 800x600 - viewed 155 times.)
Model:Canon DIGITAL IXUS i7 zoom Exposure Time:1/60 seconds F Number:F/3.2 Date Taken:2008:07:05 22:50:01 Metering Mode:Pattern Flash Mode:Flash fired; auto mode; red-eye reduction mode Focal Length:6.3 mm Color Space:sRGB

« Last Edit: 05 / July / 2008, 17:43:59 by chr »

Logged

chr

138
IXUS 82 IS

Re: Problems dumping the SD1100IS/IXUS80IS

« Reply #51 on: 05 / July / 2008, 17:59:55 »

LED - Dumper images, encoded.

Use as diskboot.bin on a sd-bootable sd card

blinker1.cr.bin - 0.10MB
blinker2.cr.bin - 0.10MB

(actually I'm not sure who is who

)

A610 - FAST (9230) [96KHz]
A610 - SLOW (2500) [96KHz]
(from speeds.txt)

AF LED should light and start 0123456789\a\d dump, rom at 0xff800000

led_on_off.bin.cr.5 - 0.10MB
switch led on and off - loop. Also try to hold down the powerbutton ~10sec.

Code: [Select]

#define led_start 0xc0220000
#define led_end   0xc022f000
//AF  0xc0223030
#define delay 0x1000

void sleep(int d) {
    for ( ; d>0; d--) {
        asm("nop");
        asm("nop");
    }
}

int main(){
    while (1) {
        long* led;

        led=(long*)led_start;
        while (led < led_end) {
            *led = 0x46;
            led++;
            sleep(delay);
        }
sleep(0x100000);
        led=(long*)led_end;
        while (led > led_start) {
            *led = 0x44;
            led--;
            sleep(delay);
        }

sleep(0x100000);
    }
    return 0;
}

« Last Edit: 05 / July / 2008, 20:29:34 by chr »

Logged

dlw

22

Re: Problems dumping the SD1100IS/IXUS80IS

« Reply #52 on: 05 / July / 2008, 18:48:58 »

(quote) "My interpretation of this is that having "noag" and "yosi" in the right spots on the card causes the camera to boot as normal." (close quote)

I think you're right. I have the same code in LoadBootFile in my G9 firmware. You may have not yet seen the beginning of the firmware: it's a branch around the constant, "gaonisoy". This could well be a validity test.

I haven't been able to boot CHDK on my G9, so I'm grasping at straws.

Thanks for your work.

Logged

side78

3

Re: Problems dumping the SD1100IS/IXUS80IS

« Reply #53 on: 06 / July / 2008, 00:52:56 »

Quote from: chr on 05 / July / 2008, 17:59:55

LED - Dumper images, encoded.

Very nice work, it appears to be working. I'm off to buy a photo resister

Any thoughts on extending this to dump to SD?

Logged

chr

138
IXUS 82 IS

Re: Problems dumping the SD1100IS/IXUS80IS

« Reply #54 on: 13 / July / 2008, 12:06:34 »

Here we go:

[DOWNLOAD LINKS] Firmware dumps available

100%, no crc errors!

Found the gap problem: comes from delay while calculating crc for one block. This made my capture circuit crazy.
I put on/off around crc call, shifted it before sending anything.
Also I added sending four 0x00 before each SIG, so my homebrewn circuit can proper swing up at each block.

Also started some documentation in the wiki:

GPL Tools - CHDK Wiki

« Last Edit: 13 / July / 2008, 12:21:11 by chr »

Logged

jeff666

181
A720IS

Re: Problems dumping the SD1100IS/IXUS80IS

« Reply #55 on: 13 / July / 2008, 13:44:25 »

Quote from: chr on 13 / July / 2008, 12:06:34

Firmware dumps available

Loads into IDA, DryOS-Signatures apply. Good work.

I had a quick look into the Diskboot-loader (LoadDiskbootFile). In your cam its return-value is checked and a new error message ("not executable") is written to stdout on failure. If the return-value of LoadDiskbootFile doesn't indicate an error, the same code as in existing cameras is executed. Also the load-function itself looks nearly identical, thus the decoding mechanism should have been needed before, but existing firmwares just didn't check for successful decoding.

It seems we have been exploiting a bug in the firmware to boot CHDK, until now.

Addresses:
StartDiskboot: 0xFF82A0B0
LoadDiskbootFile: 0xFF8666BC

Cheers.

« Last Edit: 13 / July / 2008, 14:03:42 by jeff666 »

Logged

chr

138
IXUS 82 IS

Re: Problems dumping the SD1100IS/IXUS80IS

« Reply #56 on: 13 / July / 2008, 14:02:55 »

Quote from: jeff666 on 13 / July / 2008, 13:44:25

Quote from: chr on 13 / July / 2008, 12:06:34
Firmware dumps available
Loads into IDA, DryOS-Signatures apply. Good work.
Cheers.

kewl!

Can we exchange symbol files? I'm thinking about hacking gdb to make it reading at least a plain ascii symbol file:

Gpl Qemu - CHDK Wiki

or ... can IDA save it in elf format w/symbols?

« Last Edit: 13 / July / 2008, 14:04:46 by chr »

Logged

jeff666

181
A720IS

Re: Problems dumping the SD1100IS/IXUS80IS

« Reply #57 on: 13 / July / 2008, 14:28:11 »

Quote from: chr on 13 / July / 2008, 14:02:55

Can we exchange symbol files? I'm thinking about hacking gdb to make it reading at least a plain ascii symbol file:

Well, IDA has a function called "export map file". Have a look:
zSHARE - ixus1100.0xff81000-0xffb1ffff_led.map.bz2

Quote

or ... can IDA save it in elf format w/symbols?

Negative.

Running the firmware in qemu seems like a lot of work but might be very useful.
Is it simple enough to rebuild the canon-hardware in qemu?
How do you handle unknown MMIO access?
Can you access the memory from outside qemu so it's possible to rebuild a GUI (display + LED output, kbd input)?

Cheers.

Logged

chr

138
IXUS 82 IS

Re: Problems dumping the SD1100IS/IXUS80IS

« Reply #58 on: 13 / July / 2008, 14:46:43 »

Quote from: jeff666 on 13 / July / 2008, 14:28:11

Well, IDA has a function called "export map file". Have a look:
zSHARE - ixus1100.0xff81000-0xffb1ffff_led.map.bz2

Wrong offset. Mh, let's see if my renumber.pl works

Quote

Running the firmware in qemu seems like a lot of work but might be very useful.
Is it simple enough to rebuild the canon-hardware in qemu?
How do you handle unknown MMIO access?
Can you access the memory from outside qemu so it's possible to rebuild a GUI (display + LED output, kbd input)?

Cheers.

I posted the patch here:
Emulating Digicam with QEMU

in qemu's hw/ directory u find a lot of complete hardware setup from a full x86 IBM PC to simple ARM evaluation boards.
I just took an ARM, some RAM and a loader for the ROM. For I/O there are callbacks. So far I only printf but I found something like stdout. There's a SD cardreader implementation but someone must look with chdk into the cam to find out which chipset the cams use.

Logged

jeff666

181
A720IS

Re: Problems dumping the SD1100IS/IXUS80IS

« Reply #59 on: 13 / July / 2008, 16:05:54 »

Quote from: chr on 13 / July / 2008, 14:46:43

Wrong offset. Mh, let's see if my renumber.pl works

A simple string-replace should be sufficient.

I looked for two functions in your firmware:
WriteSDCard: 0xFF91F0C8
ReadSDCard: 0xFF91EF70

WriteSDCard is used by udumper to write the firmware to the SD. I wrote some notes on how to use it. See this and the following posts.

Cheers.

Logged