Problems dumping the SD1100IS/IXUS80IS

jeff666

181
A720IS

Re: Problems dumping the SD1100IS/IXUS80IS

« Reply #10 on: 06 / June / 2008, 14:17:07 »

Advertisements

Quote from: chr on 06 / June / 2008, 14:03:31

ps: I'm linux user ....

Me too (well, both linux and win32, actually). I used the win32-toolchain because it's faster to "install" for the first tests. Now I have the linux-toolchain and use that.

Quote

mh, arm assembler looks cute ...

Yes, very nice ASM dialect. After reading ARM ASM for a while, I load a x86-binary into IDA and find it ugly and chaotic. One day I will throw my PC hardware into the garbage and get ARM-devices

Cheers.

Logged

rlyon

Re: Problems dumping the SD1100IS/IXUS80IS

« Reply #11 on: 07 / June / 2008, 00:28:00 »

Quote from: chr on 06 / June / 2008, 10:52:09

I looked through 960is.dump to get some insperation. The string "A/uartr.req" made me curious because there seems to be a shell inside the dump. Mh, how might that work? Another usb-endpoint? No. The presence of that file did nothing special on usb, but .... try this:

Where did you get a dump of IXUS960IS? No one has reported dumping this camera.

diskboot.bin does not work with the IXUS960IS.

The IXUS960IS firmware will be close to the IXUS80IS.

Logged

chr

138
IXUS 82 IS

Re: Problems dumping the SD1100IS/IXUS80IS

« Reply #12 on: 07 / June / 2008, 09:05:52 »

Quote from: rlyon on 07 / June / 2008, 00:28:00

Where did you get a dump of IXUS960IS? No one has reported dumping this camera.
diskboot.bin does not work with the IXUS960IS.
The IXUS960IS firmware will be close to the IXUS80IS.

here: IXUS960IS - CHDK Wiki
I'm still wondering how he did it.

@jeff:
2 questions
1. I got now gcc-arm ready. I can compile udumper and ledblink but make in chdk.trunk gives me:

Code: [Select]

[chris@hirnlego ~/ixus/chdk.trunk]$ LC_ALL=c make
>> Entering to tools
pakwif.c -> pakwif.o
as: unrecognized option `-Qy'
make[1]: *** [pakwif.o] Error 1
make: *** [all-recursive] Error 1

2. how to disassemble a firmware dump? which (linux/gnu) tool to use?

Logged

jeff666

181
A720IS

Re: Problems dumping the SD1100IS/IXUS80IS

« Reply #13 on: 07 / June / 2008, 09:51:27 »

Quote from: chr on 07 / June / 2008, 09:05:52

>> Entering to tools
pakwif.c -> pakwif.o
as: unrecognized option `-Qy'
make[1]: *** [pakwif.o] Error 1

Your local c-compiler is damaged. The programs in tools/ are built using your local c-compiler (usually gcc) since they're supposed to run on your host.

Quote

2. how to disassemble a firmware dump? which (linux/gnu) tool to use?

Our reference disassembler is IDA pro. See here and here.

Quote from: chr on 06 / June / 2008, 14:03:31

No success. I tried up to 512k.

Did you rebuild the source I posted or just added padding?
If you compiled the source yourself, post the binary so I can make sure your compiler worked (=run it on my cam).
Did you only try larger file sizes or smaller ones as well?

Cheers.

Logged

chr

138
IXUS 82 IS

Re: Problems dumping the SD1100IS/IXUS80IS

« Reply #14 on: 07 / June / 2008, 11:57:13 »

Quote from: jeff666 on 07 / June / 2008, 09:51:27

Quote from: chr on 07 / June / 2008, 09:05:52
>> Entering to tools
pakwif.c -> pakwif.o
as: unrecognized option `-Qy'
make[1]: *** [pakwif.o] Error 1

Your local c-compiler is damaged. The programs in tools/ are built using your local c-compiler (usually gcc) since they're supposed to run on your host.

Ah, it used the arm gcc ... hehe, ok it compiles now.

Quote

Quote from: chr on 06 / June / 2008, 14:03:31
No success. I tried up to 512k.
Did you rebuild the source I posted or just added padding?

Both. Also padded udumper up to 512k

Quote

If you compiled the source yourself, post the binary so I can make sure your compiler worked (=run it on my cam).

ok, attached

Quote

Did you only try larger file sizes or smaller ones as well?

Smaller not yet. Damn SD cards: my poor fingernails ... I saw the upload stuff libptp2, want to use that! But actually any diskboot.bin on SD + USB cable the cam switches off. I guess can't upload anything.

led.tbz2 (2.88 kB - downloaded 72 times.)

Logged

jeff666

181
A720IS

Re: Problems dumping the SD1100IS/IXUS80IS

« Reply #15 on: 07 / June / 2008, 12:40:41 »

Quote from: chr on 07 / June / 2008, 11:57:13

Quote from: jeff666 on 07 / June / 2008, 09:51:27
Did you rebuild the source I posted or just added padding?
Both. Also padded udumper up to 512k

Don't go for udumper for now. Keep it as simple as possible. This reduces the possibilities for errors. We first want to light up an LED.

Quote

ok, attached

Seems ok, at least it works here (after some padding).

Quote

Damn SD cards: my poor fingernails ... I saw the upload stuff libptp2, want to use that!

Use a card reader (and maybe one which doesn't require breaking your fingers to insert/remove the card).

Cheers.

Logged

chr

138
IXUS 82 IS

Re: Problems dumping the SD1100IS/IXUS80IS

« Reply #16 on: 07 / June / 2008, 16:35:24 »

so far not much progress.

The arm in the cam really runs in little endian, normal mode?!

if diskboot.bin is 0 size -> cam brick
if diskboot is any size, first byte 0x00 -> cam brick

if diskboot is any size, first byte != 0x00 -> cam "normal" (but usb plug powers off)

mh, we need some magic at beginning???

Logged

rlyon

Re: Problems dumping the SD1100IS/IXUS80IS

« Reply #17 on: 08 / June / 2008, 22:18:26 »

Quote from: chr on 07 / June / 2008, 09:05:52

here: IXUS960IS - CHDK Wiki
I'm still wondering how he did it.

I don't believe this is the IXUS960IS. There is some confusion on IXUS model numbering. The IXUS960IS operates in a similar manner to the IXUS80IS. The same dumping techniques will be applicable.

Logged

chr

138
IXUS 82 IS

Re: Problems dumping the SD1100IS/IXUS80IS

« Reply #18 on: 09 / June / 2008, 13:13:09 »

So, I looked into the ARM reference and into ixus860is_dump ... which might be close to sd1100 or not.
(only have arm-objdump ... stuff like IDA only exists in proptary windows world

)

1. it looks for DISKBOOT.BIN and then Upgrader.bin. confirmed.

Code: [Select]

r0 -> *file (?!)
ff8650cc:   e5d02000    ldrb    r2, [r0]
ff8650d0:   e3520000    cmp r2, #0  ; 0x0
ff8650d4:   112fff1e    bxne    lr
ff8650d8:   e5902010    ldr r2, [r0, #16]
ff8650dc:   e59f303c    ldr r3, [pc, #60]   ; ff865120 <_binary_ixus860is_dump_start+0x55120>
-> "gaon"isoy

ff8650e0:   e1520003    cmp r2, r3
ff8650e4:   05902020    ldreq   r2, [r0, #32]
ff8650e8:   059f3034    ldreq   r3, [pc, #52]   ; ff865124 <_binary_ixus860is_dump_start+0x55124>
-> gaon"isoy"

ff8650ec:   01520003    cmpeq   r2, r3
ff8650f0:   012fff1e    bxeq    lr
...
don't understand the rest, yet.

2. it looks first byte if 0x00, and then checks "gaonisoy" ...

confirmed.
0x00 => brick
0x00 and "gaon" at #16 and "isoy" at #32 => no brick, (but still hates usb)

I googled for that string. Found "yosinoag", which is a litte japanese assurance company.

Code: [Select]

ff82bbd8:   e59d1000    ldr r1, [sp]
ff82bbdc:   e1a00004    mov r0, r4
ff82bbe0:   eb00e539    bl  ff8650cc <_binary_ixus860is_dump_start+0x550cc>
ff82bbe4:   e3a00101    mov r0, #1073741824 ; 0x40000000
ff82bbe8:   e5906000    ldr r6, [r0]
ff82bbec:   e59d5000    ldr r5, [sp]
ff82bbf0:   ebffbf31    bl  ff81b8bc <_binary_ixus860is_dump_start+0xb8bc> IRQ off?!
ff82bbf4:   e3a03c19    mov r3, #6400   ; 0x1900
ff82bbf8:   e1a02005    mov r2, r5
ff82bbfc:   e1a01004    mov r1, r4
ff82bc00:   e3a00c19    mov r0, #6400   ; 0x1900
ff82bc04:   e12fff36    blx r6
ff82bc08:   e8bd40f8    ldmia   sp!, {r3, r4, r5, r6, r7, lr}
ff82bc0c:   ea006226    b   ff8444ac <_binary_ixus860is_dump_start+0x344ac>

So, it gets the jump address from 0x40000000 ...

Questions:
Has canon implemented exception handling?
What happens on other cams, if there is a undefined instruction or a breakpoint (freeze/brick/reboot/poweroff)?
In which mode does the ARM cpu run (LE, User Mode, whatever)? Do we have a MMU?

Logged

user1

Re: Problems dumping the SD1100IS/IXUS80IS

« Reply #19 on: 09 / June / 2008, 13:22:07 »

Quote from: chr on 09 / June / 2008, 13:13:09

.. stuff like IDA only exists in proptary windows world

Really?

Logged