
code you HAVE RUN on your dslr


jeff666 (A720IS)
Re: code you HAVE RUN on your dslr
« Reply #10 on: 15 / May / 2008, 06:16:22 »
Nothing.

Bummer.

Digic2 and Digic3 all use identical reset-code which looks like this:

    /* Reset stub as posted: go to SVC mode with IRQ/FIQ masked, write
       all-ones to the peripheral register block at 0xC0200000, turn the
       MMU and caches off, set up the TCMs and jump to dst_void on a
       fresh stack.  Never returns. */
    void reset_to(void *dst_void)
    {
        asm volatile(
            "MRS     R1, CPSR\n"
            "BIC     R1, R1, #0x3F\n"          /* clear mode bits and T          */
            "ORR     R1, R1, #0xD3\n"          /* SVC mode, IRQ and FIQ disabled */
            "MSR     CPSR_cf, R1\n"

            "LDR     R2, =0xC0200000\n"        /* These two lines...             */
            "MOV     R1, #0xFFFFFFFF\n"        /* ...are characteristic          */
            "STR     R1, [R2,#0x10C]\n"
            "STR     R1, [R2,#0xC]\n"
            "STR     R1, [R2,#0x1C]\n"
            "STR     R1, [R2,#0x2C]\n"
            "STR     R1, [R2,#0x3C]\n"
            "STR     R1, [R2,#0x4C]\n"
            "STR     R1, [R2,#0x5C]\n"
            "STR     R1, [R2,#0x6C]\n"
            "STR     R1, [R2,#0x7C]\n"
            "STR     R1, [R2,#0x8C]\n"
            "STR     R1, [R2,#0x9C]\n"
            "STR     R1, [R2,#0xAC]\n"
            "STR     R1, [R2,#0xBC]\n"
            "STR     R1, [R2,#0xCC]\n"
            "STR     R1, [R2,#0xDC]\n"
            "STR     R1, [R2,#0xEC]\n"
            "STR     R1, [R2,#0xFC]\n"

            "MOV     R1, #0x78\n"
            "MCR     p15, 0, R1,c1,c0\n"       /* cp15 control: MMU and caches off */
            "MOV     R1, #0\n"
            "MCR     p15, 0, R1,c7,c10, 4\n"   /* drain write buffer             */
            "MCR     p15, 0, R1,c7,c5\n"       /* invalidate I-cache             */
            "MCR     p15, 0, R1,c7,c6\n"       /* invalidate D-cache             */
            "MOV     R2, #0x40000000\n"
            "ORR     R1, R2, #6\n"
            "MCR     p15, 0, R1,c9,c1\n"       /* data TCM region at 0x40000000 (ARM946-style) */
            "ORR     R1, R1, #6\n"
            "MCR     p15, 0, R1,c9,c1, 1\n"    /* instruction TCM region         */
            "MRC     p15, 0, R1,c1,c0\n"
            "ORR     R1, R1, #0x50000\n"       /* enable both TCMs in cp15 control */
            "MCR     p15, 0, R1,c1,c0\n"

            "MOV     R3, #0xFF0\n"
            "LDR     R1, =0x12345678\n"        /* LDR Rx, =0x12345678 shouldn't occur too often, either */
            "ADD     R3, R3, #0x4000000C\n"
            "STR     R1, [R3]\n"               /* magic value to 0x40000FFC      */

            "MOV     SP, #0x1900\n"            /* fresh stack                    */
            "MOV     LR, PC\n"
            "MOV     PC, %0\n"                 /* jump to dst_void               */
        : : "r"(dst_void) : "memory","r1","r2","r3");
    }


Something you might look for in IDA are these commands:
        "LDR     R2, =0xC0200000\n"
        "MOV     R1, #0xFFFFFFFF\n"

They should be characteristic enough to start a search for, although the registers may be different. I've seen "LDR R2.../MOV R1..." as well as "LDR R1.../MOV R0...".

You may also look for LDR Rx, =0x12345678 to identify the reset-function.

Check for matches, and if you find some, check if the surroundings match the remaining reset-code.

Cheers.


ASalina

Re: code you HAVE RUN on your dslr
« Reply #11 on: 15 / May / 2008, 13:42:19 »
Quote from: jeff666 on 15 / May / 2008, 06:16:22
Nothing.

Bummer.

Digic2 and Digic3 all use identical reset-code which looks like this:
<snip>
Check for matches, and if you find some, check if the surroundings match the remaining reset-code.

Cheers.

In the 40D's 1.0.8 FW, the chunk of code you refer to is located at 0x0080035C.
The whole function starts at 0x00800328 where there are more coprocessor instructions.



Seklth (400D)
Re: code you HAVE RUN on your dslr
« Reply #12 on: 15 / May / 2008, 13:52:36 »
@jeff666
Thanks, I found identical code by searching for the "0xC0200000" value.

FW:FF810190 Restart

http://volohova.zelnet.ru/400D_Restart.txt

Added:
Looking at the PowerShot firmware, this function is sysInit, not Restart.

Maybe run the code that jeff666 posted?
« Last Edit: 15 / May / 2008, 15:01:31 by Seklth »


ASalina

Re: code you HAVE RUN on your dslr
« Reply #13 on: 15 / May / 2008, 14:21:42 »
Quote from: Seklth on 15 / May / 2008, 13:52:36
@jeff666
Thanks, I found identical code by searching for the "0xC0200000" value.

FW:FF810190 Restart

http://volohova.zelnet.ru/400D_Restart.txt

Same here on 40D. Because I have my FW loaded at 0x00800000 it looks like 0x0080035C, but if loaded at 0xFF810000 it would be located at 0xFF81035C.

I'm still confused about where to load what into IDA. :-)




Seklth (400D)
Re: code you HAVE RUN on your dslr
« Reply #14 on: 15 / May / 2008, 14:29:34 »
Decrypted FIR file with header loaded at 0x00800000.
MAIN_FIRMWARE section (from the data packs) loaded at 0xFF810000.

You can check the address by looking at the start code, for example:
FWLDR:008000B0 LDR     PC, =loc_8000D0 ; Indirect Jump
FW:FF810080 LDR     PC, =sub_FF8100A0 ; Indirect Jump

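The three checks the thread has been doing by hand in IDA (jeff666's signature search in Reply #10, ASalina's rebasing between 0x00800000 and 0xFF810000 in Reply #13, and Seklth's start-code check for the load address in Reply #14) can be scripted against a raw dump. The script below is an added example written for this thread; it is not CHDK code and not anything from the Canon firmware. It decodes the `LDR Rd, [PC, #imm]` form that IDA displays as `LDR Rd, =literal`, looks for `LDR Rx, =0xC0200000` immediately followed by `MOV Ry, #0xFFFFFFFF` with any registers (the assembler encodes that MOV as `MVN Ry, #0`, so that is the word it matches), reports `LDR Rx, =0x12345678` loads, and counts how many of the early `LDR PC, =target` indirect jumps resolve inside the image at a given base. The dump it runs on is a constructed stand-in of hand-encoded words placed at offsets borrowed from the thread, not real Canon code, and the `check_load_base` heuristic and all helper names are my own assumptions.

```python
"""Triage helpers for a raw little-endian ARM firmware dump (Digic2/3 style).
Added example for this thread: not CHDK code and not Canon code."""
import struct

def word_at(blob, off):
    return struct.unpack_from("<I", blob, off)[0]

def decode_ldr_pc_rel(word):
    """LDR Rd, [PC, #+imm12] (IDA: 'LDR Rd, =literal'), cond=AL. Returns (rd, imm) or None."""
    if word & 0xFFFF0000 != 0xE59F0000:
        return None
    return (word >> 12) & 0xF, word & 0xFFF

def is_mvn_zero(word):
    """MVN Rd, #0 for any Rd: what 'MOV Rd, #0xFFFFFFFF' assembles to."""
    return word & 0xFFFF0FFF == 0xE3E00000

def find_literal(blob, value):
    """Word-aligned offsets holding the 32-bit literal."""
    pat = struct.pack("<I", value)
    return [i for i in range(0, len(blob) - 3, 4) if blob[i:i + 4] == pat]

def literal_refs(blob, lit_off):
    """(insn_off, rd) for every LDR Rd,[PC,#imm] whose pool slot is lit_off (PC = insn + 8)."""
    hits = []
    for off in range(0, len(blob) - 3, 4):
        d = decode_ldr_pc_rel(word_at(blob, off))
        if d and off + 8 + d[1] == lit_off:
            hits.append((off, d[0]))
    return hits

def find_reset_candidates(blob, base):
    """jeff666's signature: LDR Rx, =0xC0200000 then MOV Ry, #0xFFFFFFFF, any Rx/Ry.
    A bare 0xC0200000 word that no LDR refers to is not a hit."""
    found = []
    for lit in find_literal(blob, 0xC0200000):
        for off, rx in literal_refs(blob, lit):
            nxt = word_at(blob, off + 4)
            if is_mvn_zero(nxt):
                found.append({"addr": base + off, "ldr_reg": rx,
                              "mov_reg": (nxt >> 12) & 0xF})
    return found

def magic_refs(blob, base):
    """Addresses of LDR Rx, =0x12345678, the secondary hint from the thread."""
    return [base + off for lit in find_literal(blob, 0x12345678)
            for off, _ in literal_refs(blob, lit)]

def rebase(addr, old_base, new_base):
    """0x0080035C with the dump at 0x00800000 is 0xFF81035C at 0xFF810000."""
    return addr - old_base + new_base

def check_load_base(blob, base, n_words=64):
    """Heuristic (my assumption) for Seklth's check: the start code is a run of
    'LDR PC, =target' jumps; count targets inside the image at this base."""
    ok = bad = 0
    for off in range(0, min(n_words * 4, len(blob) - 3), 4):
        d = decode_ldr_pc_rel(word_at(blob, off))
        if not d or d[0] != 15:            # only LDR PC, ...
            continue
        lit_off = off + 8 + d[1]
        target = word_at(blob, lit_off) if lit_off + 4 <= len(blob) else None
        if target is not None and base <= target < base + len(blob):
            ok += 1
        else:
            bad += 1
    return ok, bad

SAMPLE_BASE = 0xFF810000

def build_sample():
    """Constructed stand-in for a dump, NOT real Canon code (offsets borrowed from the thread)."""
    img = bytearray(0x400)
    put = lambda off, w: struct.pack_into("<I", img, off, w)
    put(0x080, 0xE59FF018)             # LDR PC, [PC,#0x18]  -> pool slot at 0xA0
    put(0x0A0, SAMPLE_BASE + 0x190)    # = 0xFF810190, inside the image at the right base
    put(0x040, 0xC0200000)             # decoy literal that nothing loads
    put(0x190, 0xE59F2010)             # LDR R2, [PC,#0x10]  -> pool slot at 0x1A8
    put(0x194, 0xE3E01000)             # MVN R1, #0  (MOV R1, #0xFFFFFFFF)
    put(0x198, 0xE582110C)             # STR R1, [R2,#0x10C]
    put(0x19C, 0xE582100C)             # STR R1, [R2,#0xC]
    put(0x1A8, 0xC0200000)             # = 0xC0200000
    put(0x1C0, 0xE59F1004)             # LDR R1, [PC,#4]     -> pool slot at 0x1CC
    put(0x1CC, 0x12345678)             # = 0x12345678
    return bytes(img)

if __name__ == "__main__":
    img = build_sample()
    for base in (0x00800000, SAMPLE_BASE):
        print("base %08X: start jumps resolved/unresolved = %s" % (base, check_load_base(img, base)))
    for c in find_reset_candidates(img, SAMPLE_BASE):
        print("reset signature at %08X (LDR R%d / MOV R%d)" % (c["addr"], c["ldr_reg"], c["mov_reg"]))
    print("0x12345678 loaded at", [hex(a) for a in magic_refs(img, SAMPLE_BASE)])
```

On a real dump, replace `build_sample()` with `open("dump.bin", "rb").read()` and run `check_load_base` once per candidate base before trusting any address the other helpers print; the decoy at 0x40 is there to show why matching the literal alone, without the LDR that loads it and the MVN after it, gives false hits.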

jeff666 (A720IS)
Re: code you HAVE RUN on your dslr
« Reply #15 on: 15 / May / 2008, 16:19:00 »
Quote from: Seklth on 15 / May / 2008, 13:52:36
@jeff666
Thanks, I found identical code by searching for the "0xC0200000" value.

FW:FF810190 Restart

This looks great. A jump to this function should restart the cam.

If this works, the next step would be to duplicate the original restart-code from IDA into your own function and change the location it branches to.

Note that the code you posted seems incomplete. It ends with
  ADR     SP, Restart
  MOV     R11, #0
  MOV     R0, #2
  B       sub_FF810B7C

Restart points (probably) to 0xFF810000 or something near there. But this code doesn't jump there. Instead it continues execution at 0xFF810B7C.

At 0xFF810B7C you will probably find something like "BX SP" or "LDR PC, SP" or just "RET" (or something totally different that I can't think of right now).

Please post that code as well. I'd like to see it.

Cheers.


Seklth (400D)
Re: code you HAVE RUN on your dslr
« Reply #16 on: 15 / May / 2008, 16:25:40 »
@jeff666
This code is the function sysInit, not Restart (I saw it later). All addresses are identical to sysInit in the SD750.
Maybe run the code that you posted, from the PowerShot?
« Last Edit: 15 / May / 2008, 16:27:35 by Seklth »

Re: code you HAVE RUN on your dslr
« Reply #17 on: 15 / May / 2008, 17:03:58 »
Has anybody run this code?
I ran FF810190 and nothing happened :\


Re: code you HAVE RUN on your dslr
« Reply #18 on: 16 / May / 2008, 11:17:41 »
Found the vxWorks reboot and sysToMonitor procedures.
Ran sysToMonitor, same effect as eventproc_SelfReboot:

Loading ... | black | Loading ... | blank | Loading ... | ...

It's weird, because the main feature of sysToMonitor is to jump to the ROM start. But jumping to the ROM start didn't do anything.

Note: Even the original Canon loader doesn't reboot the system. It displays a message to remove the batteries :\
« Last Edit: 16 / May / 2008, 11:32:16 by owerlord »


Seklth (400D)
Re: code you HAVE RUN on your dslr
« Reply #19 on: 16 / May / 2008, 11:43:02 »
Quote from: owerlord on 16 / May / 2008, 11:17:41
Found the vxWorks reboot and sysToMonitor procedures.

Please post the addresses that you found ;)
