code you HAVE RUN on your dslr

  • 141 Replies
  • 37567 Views
    Re: code you HAVE RUN on your dslr
    « Reply #120 on: 08 / June / 2008, 05:00:28 »
    Are the "SaveXxxxToFile" names from strings in the code, or are they guessed?

    ASalina
    Re: code you HAVE RUN on your dslr
    « Reply #121 on: 08 / June / 2008, 06:06:42 »

    > I suggest substituting the tUpdMgr task with code which saves a dump;
    > see attached files. I'm absolutely sure it will work.


    Thanks, mx3. I don't have tUpdMgr labeled in my disassembly. I do have "updater_807214", and I think they are the same. A pointer to updater_807214 is passed in R3 to CreateTask_95BEF8 from UM_MainInitialize_80697C. Is that what you have for tUpdMgr?

    FW 1.0.8
    ROM:00806A18                  LDR     R0, =aTupdmgr
    ROM:00806A1C                  LDR     R1, [R11,#var_14]
    ROM:00806A20                  MOV     R2, #0
    ROM:00806A24                  LDR     R3, =updater_807214
    ROM:00806A28                  BL      CreateTask_95BEF8
    BTW: I've been wondering what Rasen and Ring are...
    Have a chocolate: Rasen - Wikipedia, the free encyclopedia :-)


    UPDATE: Ok, I just answered this question by looking in inject/dumper1/Make.bat
    The -Ttext,00807214 in the linker command matches with "updater_807214" so everything should line up.

    I'll give it a try as soon as I can.
    « Last Edit: 08 / June / 2008, 06:25:07 by ASalina »

    Re: code you HAVE RUN on your dslr
    « Reply #122 on: 08 / June / 2008, 06:21:08 »
    ;-) Some Ring lovers in Canon?

    mx3
    Re: code you HAVE RUN on your dslr
    « Reply #123 on: 08 / June / 2008, 06:22:13 »
    > Are the "SaveXxxxToFile" names from strings in the code, or are they guessed?
    From the code.
    There are arrays of type
        struct {
            char *function_name;
            void *entry_point;
        };

    > I do have "updater_807214", and I think they are the same.
    > Is that what you have for tUpdMgr?
    Yes, it is.

    See the bat files: -Wl,-N,-Ttext,00807214
    skype: max_dtc. ICQ: 125985663, email: win.drivers(at)gmail, eVB decompiler


    Re: code you HAVE RUN on your dslr
    « Reply #124 on: 08 / June / 2008, 08:33:20 »
    I found many locations with addresses pointing to functions and data.
    I still need to make an IDC script to also dump these entries.

    ROM:0099BA58                 DCD aUmpostmessage      ; "umPostMessage"
    ROM:0099BA5C                 DCD loc_807AB4
    ROM:0099BA60                 DCD aUmmenu             ; "umMenu"
    ROM:0099BA64                 DCD loc_807AF0
    ROM:0099BA68                 DCD aUmset              ; "umSet"
    ROM:0099BA6C                 DCD loc_807B18
    ROM:0099BA70                 DCD aUmdl               ; "umDL"
    ROM:0099BA74                 DCD loc_807B40
    ROM:0099BA78                 DCD aUmdr               ; "umDR"
    ROM:0099BA7C                 DCD loc_807B68
    ROM:0099BA80                 DCD aUmfirmvalid        ; "umfirmvalid"
    ROM:0099BA84                 DCD loc_807B90
    ROM:0099BA88                 DCD aUmfirminvalid      ; "umfirminvalid"
    ROM:0099BA8C                 DCD loc_807BB0
    ROM:0099BA90                 DCD aUmvraminf          ; "umVramInf"
    ROM:0099BA94                 DCD loc_806898
    ROM:0099BA98                 DCD aUmmemdumpf         ; "ummemdumpf"
    ROM:0099BA9C                 DCD loc_8080F0
    ROM:0099BAA0                 DCD aUpd_savetuneto     ; "UPD_SaveTuneToFile"
    ROM:0099BAA4                 DCD loc_808184
    ROM:0099BAA8                 DCD aUpd_saveringto     ; "UPD_SaveRingToFile"
    ROM:0099BAAC                 DCD loc_8081C4
    ROM:0099BAB0                 DCD aUpd_savefixtofile  ; "UPD_SaveFixToFile"
    ROM:0099BAB4                 DCD loc_808200
    ROM:0099BAB8                 DCD aUpd_saverasentofile ; "UPD_SaveRasenToFile"
    ROM:0099BABC                 DCD loc_808240
    ROM:0099BAC0                 DCD aUmsendstate        ; "umSendState"
    ROM:0099BAC4                 DCD loc_808274
    ROM:0099BAC8                 DCD aUp_0               ; "up"
    ROM:0099BACC                 DCD loc_8082E8


    ASalina
    Re: code you HAVE RUN on your dslr
    « Reply #125 on: 08 / June / 2008, 09:15:04 »

    > I suggest substituting the tUpdMgr task with code which saves a dump;
    > see attached files. I'm absolutely sure it will work.
    >
    > After patching the flasher, encrypt it and pack it into a fir file.


    I have one more annoying question about this because I'm a bit nervous...

    My packer-encrypter-checksummer program, mkfir, creates a small dummy firmware payload (2k RET instructions). mkfir works fine with the led dumpers I've tried.

    Is there any chance that this modified flasher could try to write my dummy payload to ROM?

    If so I'll use the real payload just to be safe (how could I explain to Canon how 2000 RETs got into my ROM? Lightning? My dog? :-))

    I guess because tUpdMgr has been replaced it won't be possible for the flasher to write to the ROM, but I don't know the code as well as you seem to.

    Thanks for easing my mind.

    mx3
    Re: code you HAVE RUN on your dslr
    « Reply #126 on: 08 / June / 2008, 09:30:25 »
    > See attached files. I'm absolutely sure it will work.
    >
    > I have one more annoying question about this because I'm a bit nervous...
    >
    > My packer-encrypter-checksummer program, mkfir, creates a small dummy firmware payload (2k RET instructions). mkfir works fine with the led dumpers I've tried.
    >
    > Is there any chance that this modified flasher could try to write my dummy payload to ROM?
    >
    > If so I'll use the real payload just to be safe
    I suggested using my method of packing with the real payload.

    > I guess because tUpdMgr has been replaced it won't be possible for the flasher to write to the ROM, but I don't know the code as well as you seem to.

    I think the updater will not show you the dialog with the question "Do you want to upgrade? blah blah bla".
    If you see this dialog, I suggest you find a more suitable place for the patch.

    The payload will not be applied until you select the "upgrade" button.
    If you don't see the dialog, the payload will never be applied.


    EDIT:
    I think you will see a dark screen and will be able to switch the camera off with the power button.

    « Last Edit: 08 / June / 2008, 09:34:35 by mx3 »

    ASalina
    Re: code you HAVE RUN on your dslr
    « Reply #127 on: 08 / June / 2008, 09:36:59 »

    > I suggested using my method of packing with the real payload.


    Ok, I'll use your method with a full payload.
    I hope to be back with a dump in a few minutes.


    Re: code you HAVE RUN on your dslr
    « Reply #128 on: 08 / June / 2008, 09:52:53 »
    Here is my IDC to dump all my names. I included all my names, 52,277 :o in total.

    I still don't know how to extract the references to functions/data like the table from address 0099B6A to 0099B8B, which contains a list of subroutine addresses. See this subsection:

    ROM:0099B83C                 DCD sub_98F0C8
    ROM:0099B840                 DCD sub_98EF64
    ROM:0099B844                 DCD strcpy_98EF40
    ROM:0099B848                 DCD sub_98EED8
    ROM:0099B84C                 DCD sub_98EEB0
    ROM:0099B850                 DCD sub_98E138
    ROM:0099B854                 DCD strlen_98ED90
    ROM:0099B858                 DCD sub_98ED40
    « Last Edit: 08 / June / 2008, 09:58:35 by emklap »

    mx3
    Re: code you HAVE RUN on your dslr
    « Reply #129 on: 08 / June / 2008, 09:56:01 »
    > I still don't know how to extract the references to functions/data like the table from address 0099B6A to 0099B8B, which contains a list of subroutine addresses. See this subsection
    See scan-events.idc from the vxworks IDC scripts.

    You need to find the function which uses such arrays,
    name it properly,
    and run the script.

    EDIT:
    I meant such arrays as the one at 0099BA58.
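As an added example (not code from this thread, from CHDK, or from any poster's IDC scripts), the following Python script parses the name/entry-point table mx3 describes at 0099BA58 (using a constructed fragment of the listing quoted above) and emits the IDC MakeName calls that would label each entry point from the string the firmware itself pairs with it. It assumes the classic IDA IDC API `MakeName(ea, name)` and a listing in the `ROM:ADDR DCD operand ; "string"` layout shown in the thread.

```python
import re

# Constructed sample: a fragment of the name/entry-point table at 0099BA58,
# copied in the IDA listing layout quoted in the thread.
LISTING = """\
ROM:0099BA58                 DCD aUmpostmessage      ; "umPostMessage"
ROM:0099BA5C                 DCD loc_807AB4
ROM:0099BA60                 DCD aUmmenu             ; "umMenu"
ROM:0099BA64                 DCD loc_807AF0
ROM:0099BAA0                 DCD aUpd_savetuneto     ; "UPD_SaveTuneToFile"
ROM:0099BAA4                 DCD loc_808184
ROM:0099BAC8                 DCD aUp_0               ; "up"
ROM:0099BACC                 DCD loc_8082E8
"""

# One DCD line: address, operand, and an optional quoted string comment.
DCD_RE = re.compile(
    r'^ROM:([0-9A-Fa-f]{8})\s+DCD\s+(\S+)(?:\s*;\s*"([^"]*)")?\s*$')
# Entry-point operands such as loc_807AB4 / sub_98F0C8 end in the address.
ENTRY_RE = re.compile(r'_([0-9A-Fa-f]{6,8})$')

def parse_name_table(listing):
    """Walk the listing as (string pointer, entry point) pairs, i.e. the
    { char *function_name; void *entry_point; } array from the thread.
    Returns (table_slot, entry_point, name) tuples."""
    rows = []
    for line in listing.splitlines():
        m = DCD_RE.match(line.strip())
        if m:
            rows.append((int(m.group(1), 16), m.group(2), m.group(3)))
    entries = []
    for (slot, _, name), (_, operand, _) in zip(rows[0::2], rows[1::2]):
        e = ENTRY_RE.search(operand)
        if name is None or e is None:   # pairing drifted: refuse to guess
            raise ValueError("table pairing broken at %08X" % slot)
        entries.append((slot, int(e.group(1), 16), name))
    return entries

def to_idc(entries):
    """Emit an IDC script that renames each entry point after its string."""
    lines = ['#include <idc.idc>', 'static main() {']
    for _, ep, name in entries:
        lines.append('  MakeName(0x%08X, "%s");' % (ep, name))
    lines.append('}')
    return '\n'.join(lines)

if __name__ == "__main__":
    print(to_idc(parse_name_table(LISTING)))
```

The same pairing walk applies to any other string/pointer array found by the table-using function mx3 mentions; a plain address-only table like the one at 0099B83C has no string slot and is rejected by the pairing check rather than mislabelled.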
