Any developers interested in working on CHDK firmware for DSLRs ? - page 16 - DSLR Hack development - CHDK Forum


Offline Seklth

Re: Any developers interested in working on CHDK firmware for DSLRs ?
« Reply #150 on: 09 / May / 2008, 16:15:18 »
400D v1.1.1

I tried jumping to this function in the fir file:
FW:FFB2E980                         eventproc_SelfReset
and it restarts and starts the firmware loader (which loads the .fir file from CF; the main firmware (FF810000) does not have code that loads the fir file to RAM).


« Last Edit: 13 / May / 2008, 09:55:52 by Seklth »

Re: Any developers interested in working on CHDK firmware for DSLRs ?
« Reply #151 on: 09 / May / 2008, 19:04:07 »
Hi all. I started looking at the 40D firmware yesterday for the first time using the original 105 decrypter and after trying to decrypt 108 I came to the same conclusion as you have that something in the firmware header must be used to generate the XOR tables. I've now discovered this message board so am currently playing catchup on all the hard work you guys have achieved so far.

The size of the flasher is the same in the 1.0.5 and 1.0.8 FW files.
Assuming the 108 flasher is identical to the 105 one, I XOR-ed the decrypted 105 flasher with the encrypted 108 one.
The result of the XOR is the cipher stream used to encrypt the file.
Using the recreate_tables tool on such a stream will recreate the tables.
I can verify that this worked. The decrypted 108 flasher looks good to me.

I began encryption analysis in the hope of determining how the tables depend on the fw file header.

You see, there is a small problem...
There can exist 256 combinations of tables that generate the same cipher stream.
The recreate_tables tool can generate any of them (optional second parameter).
Well, I'm not sure we need to worry about solving this problem just yet. After all, we have a decrypted version of the latest firmware, and until/unless Canon changes the flasher we can just use the same trick each time?

Also, it may be possible to patch the flasher to make a ROM dump to the SD card.
In such a way we could know exactly how to make the decryptor instead of guessing.
Please check the following:
- use dissect_fw3 on the fir file
- use the decrypt_40D10X_Flasher tool to decrypt the flasher
- change some bytes in the binary file (I advise you to change some strings which are displayed during the flashing progress. Example: "Update Firmware?")

I did this test for you (altered some text in the flasher, re-encrypted, reassembled the .fir, applied a new checksum and tried it in my 40D). The great news is that yes it works just as you'd hoped. There doesn't appear to be any additional checksum on the flasher code itself and I didn't have to actually install the firmware to get this working.

Here's a photo of this in action, running with the 108 firmware:

http://redyeti.net/40d_test.jpg

I guess the next thing to do is figure out how to dump the ROM. I've worked with x86 assembly a lot in the past including reverse-engineering but firmware hacking is new to me. Would dumping the ROM mean learning how to write to CF cards (or perhaps writing it out over USB)?

If I get time I'll try to improve on the existing programs for dissecting/decrypting/checksumming the firmware so we have a nice all-in-one solution that can do a lot of the manual stuff for us. (ie give us a flasher binary to patch as we like, then automatically reassemble the patched .fir including a checksum).
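The known-plaintext trick discussed in this post, as an added example that is not code from the thread or from any of the tools it names: XOR a decrypted flasher with the encrypted one to recover the cipher stream, reuse it on another file, and see what happens at offsets where the "identical flasher" assumption is wrong. The flasher bytes, the `sample_stream` generator and the `Update Firmware?` plausibility marker are constructed stand-ins; the generator is not Canon's XOR-table scheme.

```python
import hashlib

def recover_cipher_stream(known_plain: bytes, cipher: bytes) -> bytes:
    """XOR a known plaintext with its ciphertext to obtain the stream that was XORed in."""
    if len(known_plain) != len(cipher):
        raise ValueError("known plaintext and ciphertext must be the same size")
    return bytes(p ^ c for p, c in zip(known_plain, cipher))

def apply_stream(data: bytes, stream: bytes) -> bytes:
    """XOR data with a stream (decrypts ciphertext, or re-encrypts a patched plaintext)."""
    if len(stream) < len(data):
        raise ValueError("stream shorter than data")
    return bytes(d ^ s for d, s in zip(data, stream))

def looks_decrypted(data: bytes, markers=(b"Update Firmware?",)) -> bool:
    """Plausibility check: strings the flasher is known to display should be visible."""
    return all(m in data for m in markers)

def sample_stream(length: int, seed: bytes = b"constructed-seed") -> bytes:
    """Stand-in key stream for the demo (a hash counter, NOT Canon's XOR-table scheme)."""
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(out[:length])

# Constructed sample "flashers": the 1.0.8 one differs from 1.0.5 in a single byte.
FLASHER_105 = b"FLASHER v1.0.5  Update Firmware?  Rewriting...  Complete".ljust(64, b"\x00")
FLASHER_108 = FLASHER_105.replace(b"1.0.5", b"1.0.8")
STREAM = sample_stream(len(FLASHER_105))
ENC_105 = apply_stream(FLASHER_105, STREAM)
ENC_108 = apply_stream(FLASHER_108, STREAM)

def demo():
    """Returns (offsets where the 'identical flasher' assumption breaks,
    whether the guessed stream still yields plausible output,
    whether a stream from a true known-plaintext pair matches exactly)."""
    # The thread's trick: decrypted 1.0.5 flasher XOR encrypted 1.0.8 flasher.
    guessed = recover_cipher_stream(FLASHER_105, ENC_108)
    wrong = [i for i in range(len(STREAM)) if guessed[i] != STREAM[i]]
    # Decrypting 1.0.8 with the guessed stream reproduces the 1.0.5 bytes, so the
    # marker check passes even though the stream is wrong at those offsets.
    plausible = looks_decrypted(apply_stream(ENC_108, guessed))
    exact = recover_cipher_stream(FLASHER_105, ENC_105) == STREAM
    return wrong, plausible, exact
```

The point of `demo` is the caveat: a stream guessed from two versions assumed identical is silently wrong wherever they differ, and a string-based plausibility check will not catch it.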


Offline _MAG_

Re: Any developers interested in working on CHDK firmware for DSLRs ?
« Reply #152 on: 11 / May / 2008, 09:59:49 »
fantastic!
« Last Edit: 11 / May / 2008, 10:30:43 by _MAG_ »

Re: Any developers interested in working on CHDK firmware for DSLRs ?
« Reply #153 on: 12 / May / 2008, 17:47:16 »
Hi,

Please start new threads to discuss the matters in this thread.

A new subforum has been created to deal with DSLR cameras CHDK development and you should channel your discussion in threads created there.

Thank you

Re: Any developers interested in working on CHDK firmware for DSLRs ?
« Reply #154 on: 12 / May / 2008, 20:25:00 »
awesome ... I can start seeing a 450D with video capabilities in the not-so-distant future ... yoohoo ....:D

thanks guys for being so kind, generous with your time, and being geniuses ... I have a feeling Canon is not going to be very happy with this :D ... we do not need a better dSLR from Canon after this lol :D

Re: Any developers interested in working on CHDK firmware for DSLRs ?
« Reply #155 on: 12 / May / 2008, 23:21:02 »
Keep in mind - porting is a very slow process. And we're just seeing the beginnings of the effort. AFAIK there's not even a dumped ROM yet. We could be many many months away from anything like a functional port. Still, I greatly applaud the efforts of the ever-so-smart hackers here. I'm thrilled and grateful to benefit from your passion. I'm just saying - patience is a virtue.


Offline mx3

Re: Any developers interested in working on CHDK firmware for DSLRs ?
« Reply #156 on: 13 / May / 2008, 02:22:53 »

I did this test for you (altered some text in the flasher, re-encrypted, reassembled the .fir, applied a new checksum and tried it in my 40D). The great news is that yes it works just as you'd hoped. There doesn't appear to be any additional checksum on the flasher code itself and I didn't have to actually install the firmware to get this working.

Here's a photo of this in action, running with the 108 firmware:

http://redyeti.net/40d_test.jpg

hm. It seems it is a list of fir files.
Please place the 105 firmware file along with the 108 one on the card,
launch the update again,
and see whether you get only 108.fir in the list or 105.fir also.

If you see both files, it means that the FLASHER ITSELF KNOWS HOW TO DECRYPT the data section.....
It means we do not have to make a ROM dump....


I guess the next thing to do is figure out how to dump the ROM.

maybe not :-)
skype: max_dtc. ICQ: 125985663, email: win.drivers(at)gmail, eVB decompiler


ASalina

Re: Any developers interested in working on CHDK firmware for DSLRs ?
« Reply #157 on: 13 / May / 2008, 03:48:57 »

hm. It seems it is a list of fir files.
Please place the 105 firmware file along with the 108 one on the card,
launch the update again,
and see whether you get only 108.fir in the list or 105.fir also.

If you see both files, it means that the FLASHER ITSELF KNOWS HOW TO DECRYPT the data section.....
It means we do not have to make a ROM dump....

Ok, I did this and both FWs showed up in the list. I could not select between them (it was ready to install the latest version), but I don't think that matters for this test.

Looks like the flasher can decrypt any FW file. :-)


ASalina

Re: Any developers interested in working on CHDK firmware for DSLRs ?
« Reply #158 on: 13 / May / 2008, 04:19:44 »

If you see both files, it means that the FLASHER ITSELF KNOWS HOW TO DECRYPT the data section.....

Is the data section you're talking about located around FF9AB604? That's about where my disassembly stops in the 108FW and the rest is some sort of data. It even has the string "start of data" at FF9AB604. :-)



Offline mx3

Re: Any developers interested in working on CHDK firmware for DSLRs ?
« Reply #159 on: 13 / May / 2008, 05:13:46 »

If you see both files, it means that the FLASHER ITSELF KNOWS HOW TO DECRYPT the data section.....

Is the data section you're talking about located around FF9AB604? That's about where my disassembly stops in the 108FW and the rest is some sort of data. It even has the string "start of data" at FF9AB604. :-)


The flasher is to be loaded at 800000 (800120).
Where did you get this (FF9AB604) address?

And let's start a separate thread for the 40D.
It will be useful to keep the first message in such a thread updated, so it would be useful for one of you two (ASalina, gone_boarding) to start such a topic.
« Last Edit: 13 / May / 2008, 05:24:34 by mx3 »
skype: max_dtc. ICQ: 125985663, email: win.drivers(at)gmail, eVB decompiler
