Firmware dumps available
Loads into IDA, DryOS signatures apply. Good work.
I had a quick look into the Diskboot loader (LoadDiskbootFile). In your cam its return value is checked and a new error message ("not executable") is written to stdout on failure. If the return value of LoadDiskbootFile doesn't indicate an error, the same code as in existing cameras is executed. Also the load function itself looks nearly identical, thus the decoding mechanism should have been needed before, but existing firmwares just didn't check for successful decoding.
It seems we have been exploiting a bug in the firmware to boot CHDK, until now.
Addresses:
StartDiskboot: 0xFF82A0B0
LoadDiskbootFile: 0xFF8666BC
Cheers.
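To make the point of the post concrete (an unchecked decode result lets a file that failed to decode run anyway, and adding the check closes that hole), here is an added illustration in C. It is not Canon firmware code and not CHDK code; the decode step is a constructed stand-in (XOR with an assumed key plus a trailing "CHDK" marker), because the real DryOS mechanism is not described in the post. Only the control-flow difference between the old and the new loader is the point.

```c
/* Added example: models the "return value checked vs. ignored" difference
 * described above. The decode routine is a constructed placeholder, NOT
 * the real LoadDiskbootFile mechanism. Function names are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define XOR_KEY 0x5A          /* assumed key for the stand-in transform */
#define MARKER  "CHDK"        /* constructed trailer that a valid image must decode to */
#define MARKER_LEN 4

/* Build an "encoded" image from a payload: payload + marker, both XORed.
 * Returns the total image length written to out. */
size_t make_image(uint8_t *out, const uint8_t *payload, size_t n) {
    for (size_t i = 0; i < n; i++)
        out[i] = payload[i] ^ XOR_KEY;
    for (size_t i = 0; i < MARKER_LEN; i++)
        out[n + i] = (uint8_t)MARKER[i] ^ XOR_KEY;
    return n + MARKER_LEN;
}

/* Stand-in for the decode step inside the loader.
 * Returns 0 when the decoded image ends in the expected marker, -1 otherwise.
 * Decoded bytes are written to out in either case (like a loader that
 * transforms the buffer in place before validating it). */
static int decode_diskboot(const uint8_t *in, size_t len, uint8_t *out) {
    if (len < MARKER_LEN)
        return -1;
    for (size_t i = 0; i < len; i++)
        out[i] = in[i] ^ XOR_KEY;
    return memcmp(out + len - MARKER_LEN, MARKER, MARKER_LEN) == 0 ? 0 : -1;
}

/* Old-camera behaviour as described in the post: the decode result is
 * discarded and the buffer is handed to execution regardless.
 * Returns 1 if the image would be executed. */
int old_start_diskboot(const uint8_t *img, size_t len, uint8_t *out) {
    (void)decode_diskboot(img, len, out);   /* result never checked */
    return 1;                               /* "execute" whatever is in out */
}

/* New-camera behaviour: the return value is checked and a failed decode
 * is reported as "not executable" instead of being run.
 * Returns 1 if executed, 0 if refused. */
int new_start_diskboot(const uint8_t *img, size_t len, uint8_t *out) {
    if (decode_diskboot(img, len, out) != 0) {
        puts("not executable");
        return 0;
    }
    return 1;
}

int main(void) {
    uint8_t good[16], raw[16], out[16];
    const uint8_t payload[3] = { 'a', 'b', 'c' };

    /* Constructed valid image: correctly encoded payload + marker. */
    size_t n = make_image(good, payload, sizeof payload);

    /* Constructed bad image: same bytes but never encoded, so the decode
     * step turns it into garbage and the marker check fails. */
    memcpy(raw, payload, sizeof payload);
    memcpy(raw + sizeof payload, MARKER, MARKER_LEN);

    printf("valid image : old=%d new=%d\n",
           old_start_diskboot(good, n, out), new_start_diskboot(good, n, out));
    printf("bad image   : old=%d new=%d\n",
           old_start_diskboot(raw, n, out), new_start_diskboot(raw, n, out));
    return 0;
}
```

The old path boots both images, which is exactly the behaviour the post says CHDK has been relying on; the new path boots only the one that decodes to the expected marker.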