PowerShot SX210 IS - Porting Thread - page 3 - General Discussion and Assistance - CHDK Forum
« previous next »
Pages: 1 2 [3] 4 5 6 7 8 ... 59   Go Down

PowerShot SX210 IS - Porting Thread

  • 589 Replies
  • 301645 Views
*

Offline dh

  • *
  • 6
Re: PowerShot SX210 IS - Porting Thread
« Reply #20 on: 11 / May / 2010, 14:31:01 »
Advertisements
Did anyone try *.FI3? (maybe not likely, but don't think I saw it mentioned in thread...)

[edit] Also, do these cameras still deal only with the 'small' partition SD cards, or do they also work with larger partitions and  the 'bootable' indicator may have (been) moved?  (I'm still relatively ignorant, so don't even know to what extent the older cameras deal with larger partition SD cards, except that CHDK can 'swap' partitions for them somehow.)
« Last Edit: 11 / May / 2010, 14:47:01 by dh »
Logged
*

Offline reyalp

  • ******
  • 14082
Re: PowerShot SX210 IS - Porting Thread
« Reply #21 on: 12 / May / 2010, 01:41:31 »
Quote from: dh on 11 / May / 2010, 14:31:01
Did anyone try *.FI3? (maybe not likely, but don't think I saw it mentioned in thread...)
Given that the camera recognizes FI2 as an update, this is unlikely. Far more likely they just changed the encoding.
Quote
[edit] Also, do these cameras still deal only with the 'small' partition SD cards, or do they also work with larger partitions and  the 'bootable' indicator may have (been) moved?
No, my understanding is that the camera crashes with an encoded diskboot on a card set up bootable in the normal way. This is exactly what older cameras do with an incorrectly encoded diskboot. Again, changing the encoding is far more likely.

Edit:
Of course, this is just guesswork, we won't know for sure until someone manages run something or gets a firmware update for one of these.
« Last Edit: 12 / May / 2010, 01:43:16 by reyalp »
Logged
Don't forget what the H stands for.
*

Offline cppasm

  • **
  • 92
Re: PowerShot SX210 IS - Porting Thread
« Reply #22 on: 21 / May / 2010, 06:27:18 »
Quote from: reyalp on 12 / May / 2010, 01:41:31
we won't know for sure until someone manages run something or gets a firmware update for one of these.
Maybe I've missed something...
How will firmware upgrade help with running code in camera?
It will be encrypted with still unknown key - you will not be able even analize it.

I found that camera loads A/BootFAEXE.bin - some factory module.
And it is not encoded even on those cameras where diskboot.bin and upgrader.bin are.
BootFAEXE.bin can be uploaded and run via USB or from SD card.
We just need to investigate prerequisite conditions for camera to run it.
I don't have camera - so can't test all this stuff.
Logged
*

Offline HarpoMa

  • ***
  • 218
Re: PowerShot SX210 IS - Porting Thread
« Reply #23 on: 21 / May / 2010, 14:25:45 »
my my.  This is good news.  I will look at this tonight.

Harpo
Logged
Canon Models - SD300, SD780, & SX210
*

Offline reyalp

  • ******
  • 14082
Re: PowerShot SX210 IS - Porting Thread
« Reply #24 on: 22 / May / 2010, 01:29:54 »
Quote from: cppasm on 21 / May / 2010, 06:27:18
Quote from: reyalp on 12 / May / 2010, 01:41:31
we won't know for sure until someone manages run something or gets a firmware update for one of these.
Maybe I've missed something...
How will firmware upgrade help with running code in camera?

It will be encrypted with still unknown key - you will not be able even analize it.
Much easier to brute force. You can throw many ghz at it instead of trying swapping SD cards for every attempt.
Quote
I found that camera loads A/BootFAEXE.bin - some factory module.
And it is not encoded even on those cameras where diskboot.bin and upgrader.bin are.
BootFAEXE.bin can be uploaded and run via USB or from SD card.
We just need to investigate prerequisite conditions for camera to run it.
I don't have camera - so can't test all this stuff.
My impression was that this will only be loaded in factory mode, and you can't get into factory mode without running code on the camera. But I could be wrong.

Some observations of factory mode:
http://chdk.setepontos.com/index.php/topic,4417.msg45029.html#msg45029
Logged
Don't forget what the H stands for.
*

Offline cppasm

  • **
  • 92
Re: PowerShot SX210 IS - Porting Thread
« Reply #25 on: 22 / May / 2010, 06:38:33 »
Quote from: reyalp on 22 / May / 2010, 01:29:54
Much easier to brute force. You can throw many ghz at it instead of trying swapping SD cards for every attempt.
FI2 is encoded using AES, no chances to bruteforce key...

Quote from: reyalp on 22 / May / 2010, 01:29:54
My impression was that this will only be loaded in factory mode, and you can't get into factory mode without running code on the camera. But I could be wrong.
Factory mode could be entered using USB command, but it's needs investigation.
First problem - we don't know USB command and needs to find it out, and second - we will need to exit factory mode somehow...

For now it looks like the most possible solution is to disassemble some camera and get ROM content using JTAG.
Logged
*

Offline reyalp

  • ******
  • 14082
Re: PowerShot SX210 IS - Porting Thread
« Reply #26 on: 22 / May / 2010, 17:49:01 »
Quote from: cppasm on 22 / May / 2010, 06:38:33
FI2 is encoded using AES, no chances to bruteforce key...
Assuming they didn't mess up in some way. It is certainly possible that a firmware update will be no help. It is also possible that it will give a useful clue. (yes, that wouldn't be strictly bruit force, but being able to apply more computer power to the problem can help)
Quote
Factory mode could be entered using USB command, but it's needs investigation.
Do you know this, or is it speculation. My observation is that factory mode switches the USB to a different configuration.
Quote
First problem - we don't know USB command and needs to find it out, and second - we will need to exit factory mode somehow...
If such a USB command exists in non-factory mode, you should be able to find it by disassembling ROM from existing cameras.

Exiting factory mode shouldn't be a problem once you have code running, there's an eventproc for that (ClearFactoryMode worked on my a540, and exists in recent dryos cameras), and failing, with a ROM dump you can find the correct location in ROM to write to clear it off.

There is also the SCRIPT disk system for canons builtin scripting which might be worth investigating. It is encoded AFAIK, but it's possible that they neglected to update it. Canon script should be able to execute event procs, which would be enough to get a ROM dump. If that fails, it's a good candidate for buffer overflows. See the LoadScript eventproc and references to  A/autotest.m
Logged
Don't forget what the H stands for.
*

Offline cppasm

  • **
  • 92
Re: PowerShot SX210 IS - Porting Thread
« Reply #27 on: 24 / May / 2010, 06:24:36 »
Quote from: reyalp on 22 / May / 2010, 17:49:01
Do you know this, or is it speculation. My observation is that factory mode switches the USB to a different configuration.
Just a speculation...
Yes, factory mode switches USB from PTP (picture transfer protocol) to DCP (device configuration protocol).
Logged
*

Offline whoever

  • ****
  • 280
  • IXUS950
Re: PowerShot SX210 IS - Porting Thread
« Reply #28 on: 24 / May / 2010, 12:04:17 »
Quote from: HarpoMa on 07 / May / 2010, 17:25:02
As for the brute force there are several issues (at least).  #1 is the simple fact that you don't know if it's running or crashed.
I believe there is a conceptually simple way to see if the code is running or crashed -- by monitoring the energy consumption. This idea had floated up a couple of years ago, again when trying to obtain a dump from a stubborn camera (the dump was eventually obtained by other means). Say, you run a loop, when half of the time you do NOP's, and the other half some number-crunching code. The energy consumption of MPU will then be different over the period, so if you hook up an oscilloscope to the battery pins, you will see a waveform. And no waveform if it's just crashed. That holds unless they've managed to reduce the MPU energy consumption to zero. Which would defy the laws of physics, but you cannot be sure these days.
Logged
*

Offline reyalp

  • ******
  • 14082
Re: PowerShot SX210 IS - Porting Thread
« Reply #29 on: 24 / May / 2010, 22:55:28 »
Quote from: whoever on 24 / May / 2010, 12:04:17
Quote from: HarpoMa on 07 / May / 2010, 17:25:02
As for the brute force there are several issues (at least).  #1 is the simple fact that you don't know if it's running or crashed.
I believe there is a conceptually simple way to see if the code is running or crashed -- by monitoring the energy consumption. This idea had floated up a couple of years ago, again when trying to obtain a dump from a stubborn camera (the dump was eventually obtained by other means). Say, you run a loop, when half of the time you do NOP's, and the other half some number-crunching code. The energy consumption of MPU will then be different over the period, so if you hook up an oscilloscope to the battery pins, you will see a waveform. And no waveform if it's just crashed. That holds unless they've managed to reduce the MPU energy consumption to zero. Which would defy the laws of physics, but you cannot be sure these days.
you should be able to test this theory with an already hacked camera. If it works on another digic 4 camera, chances are high it will work on the current ones.
Logged
Don't forget what the H stands for.
Pages: 1 2 [3] 4 5 6 7 8 ... 59   Go Up
« previous next »
 

Related Topics