VerifyAndDecryptFirmware() Found! Maybe... - page 2 - DSLR Hack development - CHDK Forum

VerifyAndDecryptFirmware() Found! Maybe...


ASalina

Re: VerifyAndDecryptFirmware() Found! Maybe...
« Reply #10 on: 21 / May / 2008, 21:37:14 »
What amount of control do you have over the camera? Is there any way to make a memory dump or display memory contents on the LCD?

I have no control as yet. I just today installed arm-elf-gcc and friends and have not tried to re-write any code.

My camera currently has FW105 in ROM from the factory. I have not upgraded to FW108 yet because I wanted to wait and see if anyone had complaints about the upgrade. I need to check if the camera will let me install the same version that is already in ROM. If both FW's are on the CF card the camera will display them both in a list, but I don't know if it will reject older versions when actually proceeding with the update. If it does allow that then I will feel more confident about running a modded flasher (this camera is only a few months old!).


I also know that the USB port is up and running when upgrading because the FW can be installed via USB and the EOSUtility program, from what I've read. Maybe debugging output from the Debug Manager can be sent to the USB port. Hey, wait... I wonder if the EOSUtility program can decrypt the firmware?


ASalina

Re: VerifyAndDecryptFirmware() Found! Maybe...
« Reply #11 on: 21 / May / 2008, 21:47:23 »
I need to check if the camera will let me install the same version that is already in ROM.

Ok, it does accept the same version and flashes it. I'll work on a mod of the FW108 flasher and see if the camera crashes.


mx3
Re: VerifyAndDecryptFirmware() Found! Maybe...
« Reply #12 on: 22 / May / 2008, 01:16:08 »
I can just rebase the entire program to 0x800120. I highly doubt the header would contain valid ARM code anyway and this will keep my comments.

I suggest you add the header.
It does not contain code but data.
Code can reference it, so it would be useful to have it in IDA.



Here is my join bat file
Code:
REM add the GCC toolchain and tool directories to PATH
set path=f:\_dev\chdk_gcc\;f:\_dev\chdk_gcc\bin;f:\_tools;f:\_dev\tools
REM write the header first, then append the decrypted flasher, giving one image to load in IDA
cat -B 40d00105.fir_0_header.bin >105.bin
cat -B 40d00105.fir_1_flasher.dec >>105.bin

Edit:
Nice work :-)

Also I'm absolutely sure that the header contains data to generate XOR tables.
I think the flasher's decryptor does not use (reference) the header at 0x800000. It loads the file again using mem allocs, so there are no hardcoded addresses.
« Last Edit: 22 / May / 2008, 01:22:59 by mx3 »
skype: max_dtc. ICQ: 125985663, email: win.drivers(at)gmail, eVB decompiler

Re: VerifyAndDecryptFirmware() Found! Maybe...
« Reply #13 on: 22 / May / 2008, 16:30:55 »
Applying the CanonFW_VxWorks_A-Series.sig makes sense. I don't see any incorrect locations of subs or functions.
I think I'll keep it for a while.

I still have the code including the header loaded on 0x800000

I don't know why, but 50% of the time the signature will not apply at all. It remains in the status "planned" for a very long time (until I cancel it). Any idea why?



DataGhost
Re: VerifyAndDecryptFirmware() Found! Maybe...
« Reply #14 on: 22 / May / 2008, 16:40:44 »
Yeah, as far as I know, signatures only identify function names and don't assign any code themselves... so the result of tracing through the code will yield the signature-labels (including a different color) instead of sub_xxxx.
Anyway, do you have a RAM dump or anything else loaded? While the signature is being applied, you should see the triangular cursor move in the memory representation (that bar with the lots of colors after identifying code) and you should also see the progress in the status bar (memory address). Are you sure it hangs or does it just take a long time to complete on something?


ASalina

Re: VerifyAndDecryptFirmware() Found! Maybe...
« Reply #15 on: 22 / May / 2008, 18:23:45 »
I'm working on generating a list of the function names I've found so far (and a few that I have had to invent myself). I'm far from having named all of the functions that call TryPostEvent, but I've got quite a few so far (almost 300 of them right now). I downloaded a free plugin for IDA called IDB2SIG which will extract non-auto generated labels (e.g. "sub_ABCDE" etc.) and output them to a text file along with a lot of other info (garbage for my purposes). I used the Unix "cut" command to get the function names from this output file, and intend to write an IDC script to read in and rename the functions in the disassembly. This way I can share my findings in an automated way.

I chose to name the functions with the entry point address appended, such as "WaitTimerCallBack_93F4E8" to make it easier for me to reference their entry points. I can write a Unix shell script to remove the '_address' part if desired.

What do you all think about my naming conventions? Would anyone like me to post the file as it is right now? I haven't written the IDC script yet.

P.S. I really don't want to download the FLAIR tools in order to generate signature files. I'm running Linux with IDA under Wine and it's kind of flaky as it is.
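Added example (not code from this post, from the IDB2SIG plugin or from CHDK): a small Python script covering the two steps described above, splitting labels of the "WaitTimerCallBack_93F4E8" form into a name and an entry address (or stripping the suffix), and emitting an IDC script that applies the names. The sample list, the names and addresses in it, and the use of MakeName() as the IDC rename call are assumptions made for the example.

```python
import re
from typing import List, Tuple

# Constructed sample of the kind of list the post describes: one label per
# line, each with the function's entry-point address appended in hex.
# Names and addresses here are made up for the example.
SAMPLE_LIST = """\
WaitTimerCallBack_93F4E8
EventProcTask_FF810C40
sub_93F500
SomeHandler_noaddr
"""

# A label is "<name>_<hex address>".  The name group is matched lazily so a
# name that itself contains underscores still leaves the trailing hex group
# as the address.  4..8 hex digits covers RAM (0x8xxxxx) and ROM (0xFF8xxxxx).
LABEL_RE = re.compile(r"^(?P<name>[A-Za-z_][A-Za-z0-9_]*?)_(?P<addr>[0-9A-Fa-f]{4,8})$")


def split_label(label: str) -> Tuple[str, int]:
    """Return (name, address) for a suffixed label, or (label, -1) if no suffix."""
    m = LABEL_RE.match(label.strip())
    if not m:
        return label.strip(), -1
    return m.group("name"), int(m.group("addr"), 16)


def strip_suffix(label: str) -> str:
    """Drop the '_address' part (the shell-script step the post mentions)."""
    return split_label(label)[0]


def parse_function_list(text: str) -> List[Tuple[int, str]]:
    """Turn the list into (address, name) pairs.  IDA auto-names (sub_...)
    and lines without an address are skipped: they cannot be renamed."""
    entries: List[Tuple[int, str]] = []
    for line in text.splitlines():
        label = line.strip()
        if not label or label.startswith("sub_"):
            continue
        name, addr = split_label(label)
        if addr < 0:
            continue
        entries.append((addr, name))
    return entries


def make_idc_script(entries: List[Tuple[int, str]]) -> str:
    """Emit an IDC script applying the names.  MakeName(ea, name) is the
    classic IDC rename call; that it exists in the IDA used is an assumption."""
    lines = ["#include <idc.idc>", "", "static main()", "{"]
    for addr, name in entries:
        lines.append(f'    MakeName(0x{addr:X}, "{name}");')
    lines.append("}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(make_idc_script(parse_function_list(SAMPLE_LIST)))
```

One caveat the regex cannot resolve: a name whose last underscore-separated part happens to be four to eight hex characters (for example "Handler_DEAD") will be read as carrying an address, so a list produced this way is worth a quick eyeball before it is applied.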

Re: VerifyAndDecryptFirmware() Found! Maybe...
« Reply #16 on: 22 / May / 2008, 18:32:05 »
Seklth published IDC scripts to export and import function lists in the other thread.

http://volohova.zelnet.ru/FuncListSave.rar
IDC to save and load a list of functions, and my current list for 400D v1.1.1
See the path in the IDC files - #define FILELIST "c:/funclist.txt"

I tested them - they're good. You only have to edit the path.
I see you all don't read the "code runned" thread, so:
We're successfully running code on 400D, and much of the structure is reversed.
For you I have a useful thing:

0xC0220000 - PTP led.
0xC02200A0 - CF led.

Maybe they will be the same in 40D.


ASalina

Re: VerifyAndDecryptFirmware() Found! Maybe...
« Reply #17 on: 22 / May / 2008, 19:14:14 »
Seklth published IDC scripts to export and import function lists in the other thread.

http://volohova.zelnet.ru/FuncListSave.rar
IDC to save and load a list of functions, and my current list for 400D v1.1.1
See the path in the IDC files - #define FILELIST "c:/funclist.txt"

I tested them - they're good. You only have to edit the path.
Ahh, thank you! See below for 40DFLIST.zip!

Quote
I see you all don't read the "code runned" thread, so:
We're successfully running code on 400D, and much of the structure is reversed.
Congratulations! I do read that thread, but I forgot about Seklth's scripts!
Quote
For you I have a useful thing:

0xC0220000 - PTP led.
0xC02200A0 - CF led.

Maybe they will be the same in 40D.

I'll look!

Thanks again!



_MAG_
Re: VerifyAndDecryptFirmware() Found! Maybe...
« Reply #18 on: 23 / May / 2008, 03:44:05 »
So we need a ROM dumper. When that is finished we need to do:
Dump mem without lens
Dump mem with 50 1,4 in manual focus mode. Then find the difference. Then make a program that writes this difference into mem without lens. I hope this enables AF confirmation with old lenses.
Also need to do a dump with another 1,4 lens in manual focus mode to add proper work with flash.
« Last Edit: 23 / May / 2008, 05:50:08 by _MAG_ »
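Added example, not part of _MAG_'s post or of any CHDK code: a Python diff of two same-sized memory dumps that lists the differing byte runs and re-applies them only while the target dump still holds the bytes the diff was taken against, which is the check a "write the difference back" tool needs so it does not patch a dump taken in a different camera state. The dump contents and the load address are constructed for the example.

```python
from typing import List, Tuple

# A patch is (address, bytes in the base dump, bytes in the other dump).
Patch = Tuple[int, bytes, bytes]

# Constructed sample dumps standing in for "without lens" / "with lens"
# memory images; the contents are made up for the example.
DUMP_BASE = bytes(16) + bytes(range(16))
_tmp = bytearray(DUMP_BASE)
_tmp[4:6] = b"\x01\x02"
_tmp[20] = 0xFF
DUMP_OTHER = bytes(_tmp)
LOAD_ADDR = 0x1000  # assumed address the dumps start at


def diff_dumps(base: bytes, other: bytes, base_addr: int = 0) -> List[Patch]:
    """Return the differing byte runs between two equal-sized dumps as
    (address, old, new) triples, merging adjacent differing bytes into one run."""
    if len(base) != len(other):
        raise ValueError("dumps differ in length; take them over the same range")
    patches: List[Patch] = []
    i, n = 0, len(base)
    while i < n:
        if base[i] == other[i]:
            i += 1
            continue
        j = i
        while j < n and base[j] != other[j]:
            j += 1
        patches.append((base_addr + i, base[i:j], other[i:j]))
        i = j
    return patches


def apply_patches(base: bytes, patches: List[Patch], base_addr: int = 0) -> bytes:
    """Write the 'new' bytes of each patch into a copy of base, refusing if the
    bytes currently there are not the 'old' bytes the diff was taken against."""
    out = bytearray(base)
    for addr, old, new in patches:
        off = addr - base_addr
        if off < 0 or off + len(old) > len(out):
            raise ValueError(f"patch at 0x{addr:X} lies outside the dump")
        if bytes(out[off:off + len(old)]) != old:
            raise ValueError(f"unexpected bytes at 0x{addr:X}; dump does not match diff base")
        out[off:off + len(old)] = new
    return bytes(out)


def format_report(patches: List[Patch]) -> str:
    """Human-readable listing, one differing run per line."""
    return "\n".join(f"0x{addr:08X}: {old.hex()} -> {new.hex()}" for addr, old, new in patches)


if __name__ == "__main__":
    found = diff_dumps(DUMP_BASE, DUMP_OTHER, LOAD_ADDR)
    print(format_report(found))
    assert apply_patches(DUMP_BASE, found, LOAD_ADDR) == DUMP_OTHER
```

On real dumps most of the differences will be timers, counters and stack contents rather than lens state, so the practical workflow is to take several dumps in each state and keep only the runs that differ consistently between the two states.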


ASalina

Re: VerifyAndDecryptFirmware() Found! Maybe...
« Reply #19 on: 23 / May / 2008, 14:58:24 »
Below is an updated 40FLIST.zip with 469 function names. This exhausts the list of functions that use TryPostEvent to log their names.
« Last Edit: 23 / May / 2008, 15:01:55 by ASalina »
