PowerShot SX210 IS - Porting Thread - page 6 - General Discussion and Assistance - CHDK Forum  

PowerShot SX210 IS - Porting Thread


Offline reyalp

Re: PowerShot SX210 IS - Porting Thread
« Reply #50 on: 01 / July / 2010, 02:29:01 »
Actually what I wanted to reduce is the number of tries required to find the byte swap pattern.
That's an interesting idea, but I don't think it will be practical.  :(
Quote
I'm not sure how the camera starts to execute the code in DISKBOOT.bin (is it an unconditional jump or routine call, which should be able to return, right?).
I'm not sure (search for StartDiskboot and you can find the function that does the deed. It's sub_FF82905C in d10, but it goes through a pointer stored in data TCM whose value I don't know), but the diskboot is loaded on top of the OS data, so there won't be a functioning OS if it managed to return. If you could run a 4 byte diskboot it might be OK (since only 4 bytes of OS data would be trashed), but as I mentioned before there appears to be a minimum size for diskboot to run at all. Also the canon code clearly doesn't expect diskboot to return, so there's no reason to expect the OS to work correctly if it did.

I just tried the following diskboot:
Code:
        .section .entry
    LDR     R3, =0xC0220130     @ LED control register on the D10 (memory-mapped I/O)
    MOV     R2, #0x46           @ value that switches the red LED on
    STR     R2, [R3]            @ write it to the register
    BX      LR                  @ return to whatever called the diskboot
This should turn on the red LED on my D10 and then return to whatever called it.

If the diskboot is padded to 10kb, it does: the camera hangs with the red LED on, requiring the battery to be removed to turn it off. This means the code has run, but the return hasn't had the desired effect of continuing to run the OS (possibly because 10k of the OS data was trashed, or possibly because there aren't valid conditions to return).

With only 1k bytes of padding, it doesn't turn on the LED. The camera is still crashed, since I have to take the battery out to get it to start again, even without the card, but the LED not getting turned on indicates the code didn't run at all.
Don't forget what the H stands for.
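For anyone wanting to reproduce the test above, here is an added helper (not code from reyalp or from CHDK) that hand-assembles the four-instruction LED stub into little-endian ARM machine words, with the literal pool placed right after BX LR as the assembler would lay it out, and pads the image to a chosen size so the 10k vs 1k comparison is easy to rerun. The register address and value are the ones from the post; the padding sizes are assumptions of the caller.

```python
import struct

LED_MMIO = 0xC0220130   # LED register address quoted in the post (D10)
LED_ON_VALUE = 0x46     # value the post writes to switch the red LED on


def encode_ldr_pc_literal(rd, insn_off, lit_off):
    """Encode LDR rd, [PC, #imm] (ARM state, condition AL).

    In ARM state PC reads as the instruction address + 8, so the
    immediate is the distance from insn_off + 8 to the literal.
    """
    delta = lit_off - (insn_off + 8)
    assert 0 <= delta < 4096 and delta % 4 == 0, "literal out of LDR reach"
    return 0xE59F0000 | (rd << 12) | delta


def build_led_stub():
    """The stub from the post as raw machine code (little-endian words)."""
    words = [
        encode_ldr_pc_literal(3, 0, 16),  # LDR R3, =0xC0220130  (0xE59F3008)
        0xE3A02000 | LED_ON_VALUE,        # MOV R2, #0x46
        0xE5832000,                       # STR R2, [R3]
        0xE12FFF1E,                       # BX  LR
        LED_MMIO,                         # literal pool: the address LDR fetches
    ]
    return b"".join(struct.pack("<I", w) for w in words)


def build_diskboot(pad_to):
    """Stub followed by zero padding up to pad_to bytes (e.g. 10*1024 or 1024)."""
    stub = build_led_stub()
    assert pad_to >= len(stub), "image smaller than the stub itself"
    return stub + b"\0" * (pad_to - len(stub))


if __name__ == "__main__":
    # Constructed sample run: write the two images compared in the post.
    for size in (10 * 1024, 1024):
        with open("DISKBOOT_%d.BIN" % size, "wb") as f:
            f.write(build_diskboot(size))
```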


Offline RaduP

Re: PowerShot SX210 IS - Porting Thread
« Reply #51 on: 01 / July / 2010, 05:17:49 »
How about the "Let's ask Canon nicely" method? :D
We can't lose anything, and since many people use CHDK, Canon might at the very least consider giving us the info we need. Assuming that they didn't change the firmware purposefully so that we can't get to it.


Offline reyalp

Re: PowerShot SX210 IS - Porting Thread
« Reply #52 on: 01 / July / 2010, 12:35:58 »
How about the "Let's ask Canon nicely" method? :D
We can't lose anything
Absolutely wrong. We could lose a whole lot if Canon decided that CHDK is a problem. I strongly suggest not bothering them. Canon has thus far ignored CHDK, and that's the best outcome we can reasonably expect. If they are ever forced to take an official position, it will almost certainly not be favorable to the continued development of CHDK.
Quote
Assuming that they didn't change the firmware purposefully so that we can't get to it.
What other possible purpose would encoding firmware updates and diskboots have? It's not necessarily aimed at CHDK specifically, but making a method to bypass it public would defeat the entire purpose. If they wanted to do that, they could just go back to unencoded diskboots.
Don't forget what the H stands for.


Offline RaduP

Re: PowerShot SX210 IS - Porting Thread
« Reply #53 on: 01 / July / 2010, 17:30:03 »
Quote
Absolutely wrong. We could lose a whole lot if Canon decided that CHDK is a problem. I strongly suggest not bothering them.

Well, if all the newer cameras are not going to be supported due to the encryption changes, then in a year or two CHDK will be dead anyway, since the older cameras will be harder to find, and obsolete as well.

Quote
If they are ever forced to take an official position, it will almost certainly not be favorable to the continued development of CHDK.

I don't think a letter to them would actually force them into anything. Most likely they would ignore it. It's not like they are not aware of CHDK's existence. But since they never complained about it, I don't think they have a hostile attitude towards it.

I don't have any of the new cameras, but if there will be no further developments in getting the firmware, I guess the only method would be the hardware one (unsolder the flash, read it in some external reader).



Offline reyalp

Re: PowerShot SX210 IS - Porting Thread
« Reply #54 on: 01 / July / 2010, 19:22:10 »
Well, if all the newer cameras are not going to be supported due to the encryption changes, then in a year or two CHDK will be dead anyway, since the older cameras will be harder to find, and obsolete as well.
Finding an exploitable bug is much more likely to bring positive results than mailing Canon, IMO.
Quote
I don't think a letter to them would actually force them into anything. Most likely they would ignore it.
Most likely. Clearly some people within Canon are aware of CHDK and have chosen not to actively do anything about it (thanks guys :D), but that doesn't mean that the next PHB who finds out will react the same way.
Quote
I guess the only method would be the hardware one (unsolder the flash, read it in some external reader).
The flash is part of the Digic IC. Good luck with that :)
Don't forget what the H stands for.

Re: PowerShot SX210 IS - Porting Thread
« Reply #55 on: 01 / July / 2010, 20:05:12 »
Quote
Finding an exploitable bug is a much more likely to bring positive results than mailing canon, IMO.

I have a question. If you find such a bug, do you still need to find out the address of the function you want to call?


Offline reyalp

Re: PowerShot SX210 IS - Porting Thread
« Reply #56 on: 01 / July / 2010, 21:31:25 »
I have a question. If you find such a bug, do you still need to find out the address of the function you want to call?
If you manage to run code, you should be able to find an LED and blink out the ROM. You can also use an LED for further diagnostics.

Depending on the exact nature of the exploit, there might be easier options. If the OS isn't trashed (as it is with udumper), you could just find Fwrite_Fut by looking for the string and call it to dump out the whole ROM.
Don't forget what the H stands for.


Offline RaduP

Re: PowerShot SX210 IS - Porting Thread
« Reply #57 on: 01 / July / 2010, 23:21:03 »
How can a bug be found, without having the firmware, OR the possibility to even run any code whatsoever in the camera? Am I missing something here?


Re: PowerShot SX210 IS - Porting Thread
« Reply #58 on: 02 / July / 2010, 00:22:09 »
How can a bug be found, without having the firmware, OR the possibility to even run any code whatsoever in the camera? Am I missing something here?

reyalp said this in a previous post
Quote
- Get firmware dumps from one or more cameras assumed to be similar to the one you are trying to hack.
- Find the code that deals with different files, like reading the exif for playback mode information, movie metadata, direct print stuff etc.
- Find bugs in that code that allow you to overwrite a function pointer or return address.


Offline RaduP

Re: PowerShot SX210 IS - Porting Thread
« Reply #59 on: 02 / July / 2010, 01:37:57 »
Well, even if such a bug was found, you'd have to hope that the same binary equivalent function is present in the new camera. Same compiler, same compiler options, etc.
Overwriting function pointers, well, you'd still have to know the address of the functions, which is pretty much guaranteed not to be in the same place as on a different camera.
