code you HAVE RUN on your dslr - page 2 - DSLR Hack development - CHDK Forum  
« previous next »
Pages: 1 [2] 3 4 5 6 7 ... 15   Go Down

code you HAVE RUN on your dslr

  • 141 Replies
  • 75396 Views
*

Offline jeff666

  • ****
  • 181
  • A720IS
Re: code you HAVE RUN on your dslr
« Reply #10 on: 15 / May / 2008, 06:16:22 »
Advertisements
Quote from: Seklth on 15 / May / 2008, 00:14:48
Nothing.

Bummer.

Digic2 and Digic3 all use identical reset-code which looks like this:

    asm volatile(
        "MRS     R1, CPSR\n"
        "BIC     R1, R1, #0x3F\n"
        "ORR     R1, R1, #0xD3\n"
        "MSR     CPSR_cf, R1\n"

        "LDR     R2, =0xC0200000\n"  These two lines...
        "MOV     R1, #0xFFFFFFFF\n"   ...are characteristic
        "STR     R1, [R2,#0x10C]\n"
        "STR     R1, [R2,#0xC]\n"
        "STR     R1, [R2,#0x1C]\n"
        "STR     R1, [R2,#0x2C]\n"
        "STR     R1, [R2,#0x3C]\n"
        "STR     R1, [R2,#0x4C]\n"
        "STR     R1, [R2,#0x5C]\n"
        "STR     R1, [R2,#0x6C]\n"
        "STR     R1, [R2,#0x7C]\n"
        "STR     R1, [R2,#0x8C]\n"
        "STR     R1, [R2,#0x9C]\n"
        "STR     R1, [R2,#0xAC]\n"
        "STR     R1, [R2,#0xBC]\n"
        "STR     R1, [R2,#0xCC]\n"
        "STR     R1, [R2,#0xDC]\n"
        "STR     R1, [R2,#0xEC]\n"
        "STR     R1, [R2,#0xFC]\n"

        "MOV     R1, #0x78\n"
        "MCR     p15, 0, R1,c1,c0\n"
        "MOV     R1, #0\n"
        "MCR     p15, 0, R1,c7,c10, 4\n"
        "MCR     p15, 0, R1,c7,c5\n"
        "MCR     p15, 0, R1,c7,c6\n"
        "MOV     R2, #0x40000000\n"
        "ORR     R1, R2, #6\n"
        "MCR     p15, 0, R1,c9,c1\n"
        "ORR     R1, R1, #6\n"
        "MCR     p15, 0, R1,c9,c1, 1\n"
        "MRC     p15, 0, R1,c1,c0\n"
        "ORR     R1, R1, #0x50000\n"
        "MCR     p15, 0, R1,c1,c0\n"

        "MOV     R3, #0xFF0\n"
        "LDR     R1, =0x12345678\n"         LDR Rx, =0x12345678 shouldn't occur to often, as well.
        "ADD     R3, R3, #0x4000000C\n"
        "STR     R1, [R3]\n"

        "MOV     SP, #0x1900\n"
        "MOV     LR, PC\n"
        "MOV     PC, %0\n"
    : : "r"(dst_void) : "memory","r1","r2","r3");


Something you might look for in IDA are these commands:
        "LDR     R2, =0xC0200000\n"
        "MOV     R1, #0xFFFFFFFF\n"

They should be characteristically enough to start a search for, although the registers may be different. I've seen "LDR R2.../MOV R1..." as well as "LDR R1.../MOV R0...".

You may also look for LDR Rx, =0x12345678 to identify the reset-function.

Check for matches, and if you find some, check if the surroundings match the remaining reset-code.

Cheers.
Logged
*

ASalina

Re: code you HAVE RUN on your dslr
« Reply #11 on: 15 / May / 2008, 13:42:19 »
Quote from: jeff666 on 15 / May / 2008, 06:16:22
Quote from: Seklth on 15 / May / 2008, 00:14:48
Nothing.

Bummer.

Digic2 and Digic3 all use identical reset-code which looks like this:

    asm volatile(
        "MRS     R1, CPSR\n"
        "BIC     R1, R1, #0x3F\n"
        "ORR     R1, R1, #0xD3\n"
        "MSR     CPSR_cf, R1\n"

        "LDR     R2, =0xC0200000\n"  These two lines...
        "MOV     R1, #0xFFFFFFFF\n"   ...are characteristic
 <snip>
Check for matches, and if you find some, check if the surroundings match the remaining reset-code.

Cheers.

In the 40D's 1.0.8 FW, the chunk of code you refer to is located at 0x0080035C.
The whole function starts at 0x00800328 where there are more coprocessor instructions.

Logged
*

Offline Seklth

  • **
  • 54
  • 400D
Re: code you HAVE RUN on your dslr
« Reply #12 on: 15 / May / 2008, 13:52:36 »
@jeff666
Thanks, i find identical code by "0xC0200000" value.

FW:FF810190 Restart

http://volohova.zelnet.ru/400D_Restart.txt

added:
i see powershot firmware - it is function sysInit, not Restart

maybe run code, that jeff666 posted?
« Last Edit: 15 / May / 2008, 15:01:31 by Seklth »
Logged
*

ASalina

Re: code you HAVE RUN on your dslr
« Reply #13 on: 15 / May / 2008, 14:21:42 »
Quote from: Seklth on 15 / May / 2008, 13:52:36
@jeff666
Thanks, i find identical code by "0xC0200000" value.

FW:FF810190 Restart

http://volohova.zelnet.ru/400D_Restart.txt

Same here on 40D. Because I have my FW loaded at 0x00800000 it looks like 0x0080035C, but if loaded at 0xFF810000 it would be located at 0xFF81035C.

I'm still confused about where to load what into IDA. :-)

Logged
*

Offline Seklth

  • **
  • 54
  • 400D
Re: code you HAVE RUN on your dslr
« Reply #14 on: 15 / May / 2008, 14:29:34 »
Decrypted FIR file with header loaded by 0x00800000
MAIN_FIRMWARE section (from data packs) loaded by 0xFF810000.

You can check address, if see start code, example
FWLDR:008000B0 LDR     PC, =loc_8000D0 ; Indirect Jump
FW:FF810080 LDR     PC, =sub_FF8100A0 ; Indirect Jump
Logged
*

Offline jeff666

  • ****
  • 181
  • A720IS
Re: code you HAVE RUN on your dslr
« Reply #15 on: 15 / May / 2008, 16:19:00 »
Quote from: Seklth on 15 / May / 2008, 13:52:36
@jeff666
Thanks, i find identical code by "0xC0200000" value.

FW:FF810190 Restart

This looks great. A jump to this function should restart the cam.

If this works, the next step would be to duplicate the original restart-code from IDA into your own function and change the location it branches to.

Note that the code you posted seems incomplete. It ends with
  ADR     SP, Restart
  MOV     R11, #0
  MOV     R0, #2
  B       sub_FF810B7C

Restart points (probably) to 0xFF810000 or something near there. But this code doesn't jump there. Instead it continues execution at 0xFF810B7C.

At 0xFF810B7C you will probably find something like "BX SP" or "LDR PC, SP" or just "RET" (or something totally different that I can't think of right now).

Please post that code as well. I'd like to see it.

Cheers.
Logged
*

Offline Seklth

  • **
  • 54
  • 400D
Re: code you HAVE RUN on your dslr
« Reply #16 on: 15 / May / 2008, 16:25:40 »
@jeff666
This code - function sysInit, not Restart (i see it later). All addresses - indentical, as sysInit in sd750.
Maybe run code, that you posted - from powershot?
« Last Edit: 15 / May / 2008, 16:27:35 by Seklth »
Logged
*

Offline owerlord

  • ***
  • 115
Re: code you HAVE RUN on your dslr
« Reply #17 on: 15 / May / 2008, 17:03:58 »
Anybody runned this code?
I runed the FF810190 and nothing happened :\
Logged
*

Offline owerlord

  • ***
  • 115
Re: code you HAVE RUN on your dslr
« Reply #18 on: 16 / May / 2008, 11:17:41 »
Found the vxWorks reboot and sysToMonitor procedures.
Runned the sysToMonitor - same efect as eventproc_SelfReboot :

Loading ... | black | Loading ... | blank | Loading ... | ...

It's wierd - becose main feature of the sysToMonitor is to jump to Rom start. But jumping to rom start didn't do anything.

Note: Even the orginal canon loader don't reboot the system. It writes to unload the batteries :\
« Last Edit: 16 / May / 2008, 11:32:16 by owerlord »
Logged
*

Offline Seklth

  • **
  • 54
  • 400D
Re: code you HAVE RUN on your dslr
« Reply #19 on: 16 / May / 2008, 11:43:02 »
Quote from: owerlord on 16 / May / 2008, 11:17:41
Found the vxWorks reboot and sysToMonitor procedures.
Please post addresses, that you found ;)
Logged
Pages: 1 [2] 3 4 5 6 7 ... 15   Go Up
« previous next »
 

Related Topics