Any developers interested in working on CHDK firmware for DSLRs ?

Re: Any developers interested in working on CHDK firmware for DSLRs ?
« Reply #120 on: 29 / April / 2008, 21:24:16 »
One other interesting possibility is focus and aperture control in the software intervalometer.

Although I haven't done much with intervalometering, I can see how this would be useful to a lot of wildlife/nature professionals on a budget. Your mentioning missing zoom control reminds me how DSLR hardware limitations in turn limit the usefulness of a CHDK port.

I'm just so curious about the possibility of raising the mirror to read from the sensor "live." It *seems* to me that this would be a very significant doorway to really creative functionality. Being able to do some kind of "exposure preview" would rock on the XX0D models. I'd love to hear from any developer about this (im)possibility (though I know I'm getting ahead of myself and them... and "off topic" to boot). Anyway, I'm just dreaming of possibilities - not "feature nagging!" :P

mx3
Re: Any developers interested in working on CHDK firmware for DSLRs ?
« Reply #121 on: 30 / April / 2008, 01:39:13 »

Unfortunately it seems that the 40D will need its firmware patched and flashed into ROM in order to run CHDK, like you were talking about earlier.


IMHO:
firmware file contains flasher and data as in 30D and 400D
these parts are just encrypted with different keys
it seems hash tables depend on header

skype: max_dtc. ICQ: 125985663, email: win.drivers(at)gmail, eVB decompiler

Re: Any developers interested in working on CHDK firmware for DSLRs ?
« Reply #122 on: 02 / May / 2008, 09:51:38 »
Any progress these days?


kwf
Re: Any developers interested in working on CHDK firmware for DSLRs ?
« Reply #123 on: 02 / May / 2008, 16:38:13 »
Nice to see quite some people working on DSLR porting. I didn't have much time lately. But today I looked a bit at the code again.

I still could not find the location of the checksum for the 350D. It does not seem to have the starting 32 bytes as later cameras. I suspected the last bytes of the first part (the "flasher") to be a checksum, but it is the same for two different firmware versions.

But I found the s19 encoded part of the firmware mentioned by nn (which he found in 20D firmware). Don't know how I could miss that ... And it seems to be different for the two different firmware versions. I don't know what Motorola (compatible) processor (which are usually encoded in s19) is used. Don't know what it does either. Maybe it is even involved in the firmware upgrade process.

Is there a s19 encoded part in other firmwares (other than 20D and 350D) as well?
« Last Edit: 02 / May / 2008, 16:41:57 by kwf »


Re: Any developers interested in working on CHDK firmware for DSLRs ?
« Reply #124 on: 02 / May / 2008, 17:18:27 »
Currently I am trying to analyze the 350D Firmware (1.0.3) with IDA - quite a large project...
Camera and vxWorks-System Functions may be identified quite easily.

Do I understand the previous discussion right: Main Problem right now is to find an easy way to get code executed without changing the firmware.

Notes
  • The Firmware contains a huge amount of "debug" information. Has anyone already identified the contact pads in the camera's battery compartment? (16 pads) Perhaps some of those pads contain a serial IO for this debugging info. (or a JTAG Port?)
  • If there is no "nice" way to get code executed, why not use some kind of buffer/stack overflow. The strcpy-Function is really used often so that I would be very surprised if there is no bug in file handling that cannot be exploited

ASalina

Re: Any developers interested in working on CHDK firmware for DSLRs ?
« Reply #125 on: 03 / May / 2008, 03:32:28 »
Is there a s19 encoded part in other firmwares (other than 20D and 350D) as well?

I just did a search through the 40D's 1.0.5 FW using
http://www.x-ways.net/winhex/kb/ff/Motorola-S3.txt
as a guide. I have not found any s19 records yet.
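The kind of search described in the post above can be automated. This is an added example, not code from the thread or from any of the tools it mentions: it scans a binary blob for ASCII Motorola S-records and keeps only candidates whose checksum verifies. The function names and the `SAMPLE` blob are constructed for illustration.

```python
import binascii
import re

# Address width in bytes for each record type (S4 is reserved, so absent).
ADDR_LEN = {0: 2, 1: 2, 2: 3, 3: 4, 5: 2, 6: 3, 7: 4, 8: 3, 9: 2}
CANDIDATE = re.compile(rb"S([0-9])([0-9A-Fa-f]{2})")

def parse_at(blob, pos):
    """Return (type, address, data) for a checksum-valid record at pos, else None."""
    m = CANDIDATE.match(blob, pos)
    if not m:
        return None
    rtype, count = int(m.group(1)), int(m.group(2), 16)
    alen = ADDR_LEN.get(rtype)
    if alen is None or count < alen + 1:
        return None
    try:
        body = binascii.unhexlify(blob[pos + 4 : pos + 4 + 2 * count])
    except ValueError:          # non-hex characters or odd length
        return None
    if len(body) != count:      # record runs past the end of the blob
        return None
    # Checksum = ones' complement of the low byte of sum(count, address, data).
    if ~(count + sum(body[:-1])) & 0xFF != body[-1]:
        return None
    return rtype, int.from_bytes(body[:alen], "big"), body[alen:-1]

def scan(blob):
    """Yield (offset, type, address, data) for every valid record in blob."""
    pos = 0
    while (m := CANDIDATE.search(blob, pos)):
        rec = parse_at(blob, m.start())
        if rec:
            yield (m.start(), *rec)
            pos = m.start() + 4 + 2 * int(m.group(2), 16)
        else:
            pos = m.start() + 1

def make_record(rtype, address, data):
    """Build one S-record line; used here only to construct the sample input."""
    body = address.to_bytes(ADDR_LEN[rtype], "big") + data
    csum = ~(len(body) + 1 + sum(body)) & 0xFF
    return b"S%d%02X%s%02X" % (rtype, len(body) + 1, body.hex().upper().encode(), csum)

# Constructed sample: binary noise, three valid records, one with a bad checksum.
SAMPLE = (b"\x00\xffS1junk\x13" + make_record(0, 0, b"HDR") + b"\r\n"
          + make_record(1, 0x7AF0, bytes(range(16))) + b"\r\n"
          + b"S1057AF0FFFF00\r\n" + make_record(9, 0, b"") + b"\r\n\x00\x00")

if __name__ == "__main__":
    for offset, rtype, address, data in scan(SAMPLE):
        print(f"0x{offset:06x} S{rtype} addr=0x{address:04x} len={len(data)}")
```

Checksum validation is what separates real records from the many accidental `S` plus hex-digit sequences in a large binary. A scan like this only finds records in regions that are plaintext.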

mx3
Re: Any developers interested in working on CHDK firmware for DSLRs ?
« Reply #126 on: 03 / May / 2008, 04:31:30 »
I just did a search through the 40D's 1.0.5 FW

through flasher only...

I have not found any **********yet

because data segment of 1.0.5 is not decrypted properly
I think different hash tables are used for flasher segment and data segment and they are generated on the fly using data from file header

It would explain why 40D decryptor does not work properly even on 1.0.5
 - because it ignores segmented structure of file
 - because it tries to use static hash tables

see attached file

Seklth
Re: Any developers interested in working on CHDK firmware for DSLRs ?
« Reply #127 on: 03 / May / 2008, 08:16:03 »
Is there a s19 encoded part in other firmwares (other than 20D and 350D) as well?

It is "EEP" section.



mx3
Re: Any developers interested in working on CHDK firmware for DSLRs ?
« Reply #128 on: 03 / May / 2008, 10:35:48 »
that's my packer:

It searches for files "loader", "firm" (firmware) and so. And pack it all.
You'll find everything in the code. It can be easily modified.

Code:
[...skipped...]

I tested a firmware without the attached file pack - and it didn't work, but my tests could be wrong (other thing might have been wrong in the file).

I tried to pack file and it seems packer works fine

what exactly did not work? does camera not accept file?
can you explain in more detail what went wrong?

have you encrypted packed file before placing it into camera?

also there are flags(types) of sections.
they are zero in new file packed by your packer.
type(flags) for MAIN_FIRMWARE  must be 3
type(flags) for FirmwareVersion must be 4

also maybe required section is ModelID
have you seen eos_tools_v10.rar ?

ASalina

Re: Any developers interested in working on CHDK firmware for DSLRs ?
« Reply #129 on: 03 / May / 2008, 11:54:16 »
I just did a search through the 40D's 1.0.5 FW

through flasher only...

I have not found any **********yet

because data segment of 1.0.5 is not decrypted properly


Okay, I see.

Quote
I think different hash tables are used for flasher segment and data segment and they are generated on the fly using data from file header

It would explain why 40D decryptor does not work properly even on 1.0.5
 - because it ignores segmented structure of file
 - because it tries to use static hash tables

So the decrypter needs to pull hash tables at 0x68 and 0x88, and data segment offset at 0x30 from the FW file? I can try to modify the decrypter to experiment with this.

What do you mean by "generated on the fly"? Do you think the hash tables in the file header have yet another level of encryption, or do you mean that they are just taken from the file and each FW version has different hash tables?

 
