Dumping IXUS 120 IS. Almost, but not quite! Need some assistance. - Firmware Dumping - CHDK Forum

Dumping IXUS 120 IS. Almost, but not quite! Need some assistance.


Offline zebra
All,

So, I've been fiddling around with the IXUS 120 IS, attempting (with the use of the current CardTricks and the newest bootdisk.bin I could find) to drop it into a hang state and manage a dump.

So far, without much effort, I've managed to get the camera to hang. I've then left it for about 2 mins, but, after running a unix "strings" on the empty.dum file, unfortunately, the dump process is not working.

I had a look here:

http://chdk.setepontos.com/index.php/topic,4255.0.html

It looks like somebody managed a dump on the SX120, but this is a different camera.

I've done all the simple stuff already, to help "fill in the blanks" for you guys:

http://chdk.wikia.com/wiki/SD940IS#Firmware_info

Any suggestions as to how I might tweak the bootdisk.bin et al, so that I can invoke the dump routines required? Very interested in extracting it so that we can get started on making it CHDK capable...

I'm very new to CHDK, but I'm not new to firmware in general, having had...history...with these things, so not afraid to get hands dirty/pull apart source, have some fun with IDA, compile to achieve if needed...

z
« Last Edit: 06 / October / 2009, 05:36:19 by zebra »


Offline reyalp
Re: Dumping IXUS 120 IS. Almost, but not quite! Need some assistance.
« Reply #1 on: 04 / October / 2009, 03:54:57 »
I'd suggest finding an LED address as a next step. Even if you don't intend to blink out the firmware, it will help you figure out what is wrong with udumper. This thread: http://chdk.setepontos.com/index.php/topic,4188.0.html has some information.

You will probably want to get the CHDK source and get it building. That will give you a known working build environment and also the tools needed to encode both FI2 files and DISKBOOT.BIN files.

To find an LED, you can either try each of the 3 known diskboot encodings, or you can build an FI2 file.

For the FI2 file, you need some keys which are not included in the CHDK source (you also have to guess which keys your camera uses, but all new cameras so far use the "d4" set). This thread http://chdk.setepontos.com/index.php/topic,2995.0.html describes FI2 stuff.

The links in this post http://chdk.setepontos.com/index.php/topic,4213.msg39818.html#msg39818 should help you understand how udumper is supposed to work.
Don't forget what the H stands for.

Re: Dumping IXUS 120 IS. Almost, but not quite! Need some assistance.
« Reply #2 on: 04 / October / 2009, 11:22:28 »
Quote
I had a look here:

http://chdk.setepontos.com/index.php/topic,4255.0.html

It looks like somebody managed a dump on the SX120, but this is a different camera.
Hi!

ROM on SX120IS starts at 0xFFC0000, so that version of udumper will not work for you. Would you be so kind as to test the attached files? Rename each file to diskboot.bin and test it as usual. I would suggest starting with the files encoded with dancingbits option 3.

HTH
"Trying is the first step towards failure." (Homer Simpson)


Offline zebra
Re: Dumping IXUS 120 IS. Almost, but not quite! Need some assistance.
« Reply #3 on: 05 / October / 2009, 04:48:28 »
Hi there.

OK. Bad news thus far, but I'm sure we're in early days/something simple going wrong. Procedure I used was as follows:

1. Took 4GB SDHC card and threw it through CardTricks 1.44. Formatted as FAT16, 16k sectors.

2. Pressed "NewDryOS" button on the menu options to dump the relevant files onto the card for automated firmware dump procedure.

3. Put file on card, renamed to bootdisk.bin, locked/READ ONLY, pressed "play".

4. Camera would "hang" and I'd see no power on or activity.

5. Waited 40 to 50 seconds.

6. After time had elapsed, I'd eject battery, then SD card.

7. I'd load into CardTricks, and inspect for strings. (used unix strings on my Mac box, just because I'm a unix guy and will never say die, to prove it to myself).

8. Systematically used these files, renaming them as "bootdisk.bin" every time:
Code:
offset-0x8.dance3.bin <-- failed to dump data/strings are not present
offset-0x4.dance3.bin <-- failed to dump data/strings are not present
offset+0xC.dance3.bin <-- failed to dump data/strings are not present
offset+0x10.dance3.bin <-- broke format of card entirely. Needed to reformat to "see" mounted in windows.
offset-0x8.dance2.bin <-- failed to dump data/strings are not present
offset-0x4.dance2.bin <-- failed to dump data/strings are not present
offset+0xC.dance2.bin <-- failed to dump data/strings are not present
offset+0x10.dance2.bin <-- failed to dump data/strings are not present

So, as it stands, I *think* I'm doing this correctly, or, at least, thought I was!

Could the offset+0x10 with dancing bits 3 be a clue, as it seems to "damage" the card format, which suggests something is actually being written, at least (albeit smashing over the top of the file allocation table, and thus we can't mount the volume?).

Where to from here?

Thanks guys.

z
« Last Edit: 05 / October / 2009, 04:54:33 by zebra »



Offline RaduP
Re: Dumping IXUS 120 IS. Almost, but not quite! Need some assistance.
« Reply #4 on: 05 / October / 2009, 05:53:34 »
Your camera is probably from the same family as mine, the SD980.
Follow the thread reyalp pointed out, http://chdk.setepontos.com/index.php/topic,4188.0.html
You should be able to get it to blink the firmware. If you have some beginner expertise with electronics (soldering and stuff) you should be able to get the firmware via the LED blinking method. The LED address should probably be similar to mine, at 0xc0223030


Offline whim
Re: Dumping IXUS 120 IS. Almost, but not quite! Need some assistance.
« Reply #5 on: 05 / October / 2009, 05:54:58 »
Quote
6. Systematically used these files, renaming them as "bootdisk.bin" every time:

no, no ! diskboot.bin ! (i know it's confusing: the flag in the bootsector is BOOTDISK )

also, but not relevant here:
Quote
1. Took 4GB SDHC card and threw it through CardTricks 1.44. Formatted as FAT16, 16k sectors

if formatted like that it will produce 64k sectors

HTH,

wim

Re: Dumping IXUS 120 IS. Almost, but not quite! Need some assistance.
« Reply #6 on: 05 / October / 2009, 06:00:39 »
Thanks for testing. Could you run in console:
Code:
strings /dev/DEVICE | grep gaonisoy
where DEVICE is the filename of your SD card (not a partition on that card)? You can also dump the first 1kB of your SD card:
Code:
dd if=/dev/DEVICE of=dump.bin bs=1k count=1
and post it here.
"Trying is the first step towards failure." (Homer Simpson)
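The two checks the thread keeps coming back to, whim's BOOTDISK flag in the boot sector and the `strings | grep gaonisoy` test in this reply, carried out on a card image rather than a live device, as an added shell example (not code from the thread or from CHDK). It assumes the image is a plain file such as dd's output; the offsets 64 (0x40, FAT12/16) and 480 (0x1E0, FAT32) are where CHDK's card-preparation tools write the flag, and the sample image is constructed inline.

```shell
# Added example, not code from the thread: check a raw SD-card image for the
# two markers the thread relies on. Assumes the image is a plain file (e.g. the
# output of dd); 64 (0x40, FAT12/16) and 480 (0x1E0, FAT32) are the offsets at
# which CHDK's card tools write the BOOTDISK flag.

check_bootdisk_flag() {
    # $1 = image path. Prints the offset at which "BOOTDISK" was found,
    # or "none" (and returns 1) if neither location carries the flag.
    for off in 64 480; do
        tag=$(dd if="$1" bs=1 skip="$off" count=8 2>/dev/null | tr -d '\0')
        if [ "$tag" = "BOOTDISK" ]; then
            echo "$off"
            return 0
        fi
    done
    echo "none"
    return 1
}

count_dump_signature() {
    # $1 = image path. Counts lines containing udumper's "gaonisoy" marker,
    # the same check as the thread's `strings /dev/DEVICE | grep gaonisoy`,
    # but without depending on binutils' strings being installed.
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" | grep -c gaonisoy || true
}

make_prepared_image() {
    # Constructed sample: a 4 KiB zero-filled image with the BOOTDISK flag at
    # the FAT16 offset and one "gaonisoy" marker at an arbitrary later offset
    # (standing in for data a working udumper would have written).
    dd if=/dev/zero of="$1" bs=1024 count=4 2>/dev/null
    printf 'BOOTDISK' | dd of="$1" bs=1 seek=64 conv=notrunc 2>/dev/null
    printf 'gaonisoy' | dd of="$1" bs=1 seek=2048 conv=notrunc 2>/dev/null
}

# Demo on the constructed image (a temp file, never a real card device)
demo_dir=$(mktemp -d)
make_prepared_image "$demo_dir/card.img"
echo "BOOTDISK flag at offset: $(check_bootdisk_flag "$demo_dir/card.img")"
echo "gaonisoy markers found:  $(count_dump_signature "$demo_dir/card.img")"
```

On a real card you would point both functions at a dd image of the whole device, not the partition, since the flag lives in the very first sector.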


Offline zebra
Re: Dumping IXUS 120 IS. Almost, but not quite! Need some assistance.
« Reply #7 on: 05 / October / 2009, 07:08:14 »
@whim: Was just typo on my behalf in the write up. Is actually diskboot.bin in real life ;). Well spotted though!

OK. Here is where we are at...

Code:
zbox:Volumes zebra$ diskutil list
/dev/disk0
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *232.9 Gi   disk0
   1:                        EFI                         200.0 Mi   disk0s1
   2:                  Apple_HFS Mac OS X                232.6 Gi   disk0s2
/dev/disk2
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:     FDisk_partition_scheme                        *3.7 Gi     disk2
   1:                 DOS_FAT_16                         3.7 Gi     disk2s1

So, on this basis:

Code:
zbox:Volumes zebra$ strings /dev/disk2 | grep -i gaonisoy
zbox:Volumes zebra$ strings /dev/disk2s1 | grep -i gaonisoy
zbox:Volumes zebra$ strings /dev/disk2s0 | grep -i gaonisoy
strings: can't open file: /dev/disk2s0 (No such file or directory)

No love there, so let's try a dd:

Code:
zbox:Volumes zebra$ dd if=/dev/disk2s1 of=/Users/Shared/dump.bin bs=1k count=1
1+0 records in
1+0 records out
1024 bytes transferred in 0.001321 secs (775125 bytes/sec)

Well, it's something, but maybe nothing useful. Posted here, attached. At 1K, I'm wondering what it contains. Strings is a no go here.

Hex dump of the bin that I stripped using dd:

Hope this is somehow useful!

z
« Last Edit: 05 / October / 2009, 07:10:45 by zebra »



Offline RaduP
Re: Dumping IXUS 120 IS. Almost, but not quite! Need some assistance.
« Reply #8 on: 05 / October / 2009, 13:52:22 »
Let me know if this works for you:
Put it on the card, and do a firmware update. Tell me if the LED blinks.


Offline zebra
Re: Dumping IXUS 120 IS. Almost, but not quite! Need some assistance.
« Reply #9 on: 05 / October / 2009, 17:02:50 »
Quote
Let me know if this works for you:
Put it on the card, and do a firmware update. Tell me if the LED blinks.

Hi!

Reformatted card, put ps.fi2 file on root of card, went to menu then "Firm update...".

Selected it and it simply said "Update file error".

No LED blinks, unfortunately...

z

 
