supplierdeeply

Experiments with WriteToRom

  • 2 Replies
  • 145 Views
*

Offline srsa_4c

  • ******
  • 3689
Experiments with WriteToRom
« on: 24 / June / 2018, 12:39:11 »
Advertisements
First, a warning: altering the camera's flash ROM can render the camera inoperable (aka brick). If you're not absolutely sure what this is about then do not even think about trying it on real hardware.

The firmware routine exists in all PowerShot firmwares. It is also exported as an event procedure.
Its prototype is
int WriteToRom(char *addr, char *buf, int length)
addr    is the destination address in ROM
buf    points to a buffer with the bytes to write
length is the number of bytes to be written

The flash in our cameras is NOR flash. It can be written, but the camera normally does not permit writing into flash - that's what this function is for. The smallest unit that can be written is one byte.

When the flash is erased, the erased region will consist of 0xff bytes (all bits set to '1'). Writing can change bits that are '1', but zero bits can't be changed. Erasing the flash can only be done in larger units (sectors) - these are multiples on kbytes, starting on sector boundary. I did not attempt doing this as erasing into the code area of flash does not sound safe at all.

I used WriteToRom to do the following:
- I fixed corrupted bytes in the flash. One or more bits of those bytes was faded into '1'. I did this using chdkptp.
 - On a DryOS camera, calling WriteToRom by its address succeeded immediately and the corrupted byte got fixed (I compared ROM dumps afterwards).
 - On a VxWorks camera, calling WriteToRom by its address froze the PTP connection and the camera. Fortunately, the camera could be turned on afterwards and the byte I targeted was no longer corrupted.

- After the success on the DryOS camera, I decided to disable the bootdisk signature check - I turned a conditional branch instruction into a harmless andeq (that's a zero word on ARM). That camera now boots from any file system, without requiring the BOOTDISK signature on card. This change, however, can't be undone easily.


Re: Experiments with WriteToRom
« Reply #1 on: 24 / June / 2018, 23:35:54 »
After the success on the DryOS camera, I decided to disable the bootdisk signature check - I turned a conditional branch instruction into a harmless andeq (that's a zero word on ARM). That camera now boots from any file system, without requiring the BOOTDISK signature on card. This change, however, can't be undone easily.
First of all, really nice work.  Talk about playing right out on the bleeding edge.

One question immediately occurs to me - could you tweak the SD card lock check so that if there is a BOOTDISK.BIN file on the SD card, it uses that regardless of the position of the switch?


Ported :   A1200    SD940   G10    Powershot N    G16

*

Offline srsa_4c

  • ******
  • 3689
Re: Experiments with WriteToRom
« Reply #2 on: 25 / June / 2018, 12:44:38 »
One question immediately occurs to me - could you tweak the SD card lock check so that if there is a BOOTDISK.BIN file on the SD card, it uses that regardless of the position of the switch?
There is a function call we always disable when doing a port's boot.c. It's the one that starts the diskboot from the "startup" task. Comments in boot.c usually indicate which one is that. The checks are inside that function.
Here's an excerpt (these routines look almost alike in all cameras)
Code: [Select]
loc_FFC2AC7C: <StartDiskboot> 2 refs 
    FFC2AC7C 08 00 4F E2   adr       r0, 0xFFC2AC7C ; <StartDiskboot>
    FFC2AC80 FF 04 10 E3   tst       r0, #0xFF000000
    FFC2AC84 10 40 2D E9   push      {r4, lr}
    FFC2AC88 0A 00 00 0A   beq       0xffc2acb8 ; `running from RAM, exit`
    FFC2AC8C 00 00 A0 E3   mov       r0, #0
    FFC2AC90 62 62 00 EB   bl        0xffc43620 ; `check for SD card presence`
    FFC2AC94 01 00 10 E3   tst       r0, #1
    FFC2AC98 06 00 00 1A   bne       0xffc2acb8
    FFC2AC9C 8D 9A 00 EB   bl        0xffc516d8 ; `start the SD1stInit task`
    FFC2ACA0 01 00 A0 E3   mov       r0, #1
    FFC2ACA4 5D 62 00 EB   bl        0xffc43620 ; `check for SD lock switch`
    FFC2ACA8 01 00 10 E3   tst       r0, #1
    FFC2ACAC 01 00 00 0A   beq       0xffc2acb8 ; `card not locked, exit`
    FFC2ACB0 59 62 00 EB   bl        0xffc4361c
    FFC2ACB4 01 00 00 EB   bl        0xffc2acc0 ; `-> diskboot handling`
loc_FFC2ACB8: 3 refs ▲
    FFC2ACB8 10 40 BD E8   pop       {r4, lr}
    FFC2ACBC 56 62 00 EA   b         0xffc4361c
loc_FFC2ACC0: 1 refs ▲
    FFC2ACC0 F8 40 2D E9   push      {r3, r4, r5, r6, r7, lr}
    FFC2ACC4 00 00 A0 E3   mov       r0, #0
    FFC2ACC8 EB 98 00 EB   bl        0xffc5107c
    FFC2ACCC 00 00 A0 E3   mov       r0, #0
    FFC2ACD0 FA 98 00 EB   bl        0xffc510c0 ; `is bootable?`
    FFC2ACD4 00 00 50 E3   cmp       r0, #0
    FFC2ACD8 25 00 00 0A   beq       0xffc2ad74 ; `card not bootable, exit`
    FFC2ACDC 94 00 8F E2   adr       r0, 0xFFC2AD78 ; *"\nStartDiskboot\n"
    FFC2ACE0 A6 5A FF EB   bl        0xffc01780
As you can see there are several beq/bne instructions that can be altered. What you're looking for is the instruction with the "card not locked, exit" comment. What I changed was the one with "card not bootable, exit" comment.

 

Related Topics