Problems dumping the SD1100IS/IXUS80IS - page 7 - Firmware Dumping - CHDK Forum

*

Offline chr

  • ***
  • 138
  • IXUS 82 IS
Re: Problems dumping the SD1100IS/IXUS80IS
« Reply #60 on: 13 / July / 2008, 16:41:50 »
Quote
I looked for two functions in your firmware:
  WriteSDCard: 0xFF91F0C8
  ReadSDCard: 0xFF91EF70

WriteSDCard is used by udumper to write the firmware to the SD. I wrote some notes on how to use it. See this and the following posts.

Cheers.

kewl. I'm going to build an udumper. Might work in other latest cams too.

Wait: these symbols were not in the file ???  !

And finally here's the diskboot.bin porno: Emulating Digicam with QEMU

Question: can IDA "run" the code like that?

Mh, we close this thread and open "porting SD1100"  ::)

*

Offline jeff666

  • ****
  • 181
  • A720IS
Re: Problems dumping the SD1100IS/IXUS80IS
« Reply #61 on: 13 / July / 2008, 19:27:44 »
Quote
kewl. I'm going to build an udumper. Might work in other latest cams too.
Wait: these symbols were not in the file ???  !

Those functions aren't part of the signature-file, thus they weren't in the file I posted earlier. I found the functions because I know how they are referred.

Also note that the addresses only work for your firmware. Function locations differ in every firmware-build. The udumper locates WriteSDCard due to some hints and guesswork - it doesn't always succeed, though. See this and the subsequent posts for details.

Quote
Question: can IDA "run" the code like that?

No, it's just a disassembler, not a debugger (at least the ARM-part).

Quote
Mh, we close this thread and open "porting SD1100"  ::)

Go on. Read the G9-porting-thread if you haven't, yet.

Cheers.

*

Offline mx3

  • ****
  • 372
Re: Problems dumping the SD1100IS/IXUS80IS
« Reply #62 on: 14 / July / 2008, 00:42:39 »
SD1100IS/IXUS80IS dump

it is great.
please share diskboot.bin project sources and crypter sources so other people could do the same with their similar camera models.
skype: max_dtc. ICQ: 125985663, email: win.drivers(at)gmail, eVB decompiler

*

Offline chr

  • ***
  • 138
  • IXUS 82 IS
Re: Problems dumping the SD1100IS/IXUS80IS
« Reply #63 on: 14 / July / 2008, 14:27:04 »
Quote
it is great.
please share diskboot.bin project sources and crypter sources so other people could do the same with their similar camera models.

Mh, I documented everything ... is something missing?
Also I don't like to talk about encryption. I know nothing about that. It may be illegal to look at. What I found so far is hardly encryption, isn't it? U read my post about decoding? Emulating Digicam with QEMU

Quote
Also note that the addresses only work for your firmware. Function locations differ in every firmware-build. The udumper locates WriteSDCard due to some hints and guesswork - it doesn't always succeed, though. See this and the subsequent posts for details.

Argh! U Bastard! Why didn't u post this earlier???

Ok, quick try. udumper with fixed SDWrite address works! And the md5sum of the dump ... *drumroll* the same as the led dump.

But udumper with searching for the address did not work. However, running in gdb it's Bingo:

Code:

WriteSDCard: 0xff91f0c8
ReadSDCard:  0xff91ef70

ff84e81c:   e3a01000    mov r1, #0  ; 0x0
ff84e820:   e59f00b4    ldr r0, [pc, #180]  ; ff84e8dc <_binary_dump_bin_start+0x3e8dc>
ff84e824:   e5801034    str r1, [r0, #52]
ff84e828:   e5801038    str r1, [r0, #56]
ff84e82c:   e3a01003    mov r1, #3  ; 0x3
ff84e830:   e580103c    str r1, [r0, #60]
ff84e834:   e59f10c0    ldr r1, [pc, #192]  ; ff84e8fc <_binary_dump_bin_start+0x3e8fc>
ff84e838:   e580104c    str r1, [r0, #76]
ff84e83c:   e59f10bc    ldr r1, [pc, #188]  ; ff84e900 <_binary_dump_bin_start+0x3e900>
ff84e840:   e5801050    str r1, [r0, #80]
ff84e844:   e12fff1e    bx  lr

(gdb) j *0xff84e81c
Continuing at 0xff84e81c.

Breakpoint 3, 0xff84e844 in _binary_dump_bin_start ()
(gdb) x/32x $r0
0x11544:        0x00000000      0x00000000      0x00000000      0x00000000
0x11554:        0x00000000      0x00000000      0x00000000      0x00000000
0x11564:        0x00000000      0x00000000      0x00000000      0x00000000
0x11574:        0x00000000      0x00000000      0x00000000      0x00000003
0x11584:        0x00000000      0x00000000      0x00000000      0xff91ef70
0x11594:        0xff91f0c8      0x00000000      0x00000000      0x00000000
0x115a4:        0x00000000      0x00000000      0x00000000      0x00000000
0x115b4:        0x00000000      0x00000000      0x00000000      0x00000000


in qemu the udumper works. I guess, the image is too large! I'll check


Question:


#if defined (DRYOS)
// #warning DRYOS
// jeff666: fill some memory with zeroes; "simulate" large diskboot
// WARNING: the starting address is a guess

for (i = 0x1c00; i<0x30000; i+=4)  *(int*)i=0;

???
« Last Edit: 14 / July / 2008, 14:32:01 by chr »
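
Added example, not part of the original post and not udumper's own search code: a small C scanner that matches the store sequence shown in the gdb listing above and resolves the two PC-relative literals to the ReadSDCard and WriteSDCard addresses. The image array is constructed from the listed instruction words and the values seen in the memory dump; the names find_sd_pointers and r1_literal are hypothetical, and the structure offsets 76 and 80 are assumed to hold only for this firmware build.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BASE 0xff84e81cu /* address of the first listed instruction */
#define NWORDS 58        /* covers 0xff84e81c .. 0xff84e900 */

/* Constructed image: the 11 instruction words from the listing plus the
 * three literal-pool words they load. The gap is zero here; in the real
 * firmware it holds other code. */
static const uint32_t img[NWORDS] = {
    0xe3a01000, 0xe59f00b4, 0xe5801034, 0xe5801038, 0xe3a01003, 0xe580103c,
    0xe59f10c0, 0xe580104c, 0xe59f10bc, 0xe5801050, 0xe12fff1e,
    [48] = 0x00011544, /* 0xff84e8dc: structure base, r0 in the gdb session */
    [56] = 0xff91ef70, /* 0xff84e8fc: ReadSDCard */
    [57] = 0xff91f0c8, /* 0xff84e900: WriteSDCard */
};

/* Resolve "ldr r1, [pc, #imm]" at word index i. ARM reads pc as the
 * instruction address + 8, i.e. two words ahead. */
static int r1_literal(const uint32_t *m, size_t n, size_t i, uint32_t *out)
{
    if ((m[i] & 0xfffff003u) != 0xe59f1000u) return 0; /* other insn/unaligned */
    size_t lit = i + 2 + (m[i] & 0xfffu) / 4;
    if (lit >= n) return 0;                            /* pool outside image */
    *out = m[lit];
    return 1;
}

/* Match ldr r1,[pc,#a]; str r1,[r0,#76]; ldr r1,[pc,#b]; str r1,[r0,#80].
 * Offsets 76/80 come from this listing; assumed only for this build. */
int find_sd_pointers(const uint32_t *m, size_t n, uint32_t *rd, uint32_t *wr)
{
    for (size_t i = 0; i + 3 < n; i++)
        if (m[i + 1] == 0xe580104cu && m[i + 3] == 0xe5801050u &&
            r1_literal(m, n, i, rd) && r1_literal(m, n, i + 2, wr))
            return (int)i;
    return -1;
}

int main(void)
{
    uint32_t rd, wr;
    int i = find_sd_pointers(img, NWORDS, &rd, &wr);
    if (i < 0) { puts("pattern not found"); return 1; }
    printf("0x%08x: ReadSDCard=0x%08x WriteSDCard=0x%08x\n",
           BASE + 4u * (unsigned)i, (unsigned)rd, (unsigned)wr);
    return 0;
}
```

The scan fails cleanly when the literal pool lies outside the supplied image, which is what happens if only the first few words of the function are passed in.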


*

Offline jeff666

  • ****
  • 181
  • A720IS
Re: Problems dumping the SD1100IS/IXUS80IS
« Reply #64 on: 14 / July / 2008, 15:47:24 »
Quote
Argh! U Bastard! Why didn't u post this earlier???

Because it would have been too easy and no challenge at all :D

Quote
Question:

#if defined (DRYOS)
// #warning DRYOS
// jeff666: fill some memory with zeroes; "simulate" large diskboot
// WARNING: the starting address is a guess

for (i = 0x1c00; i<0x30000; i+=4)  *(int*)i=0;

???

Hmm... it's been a while. I think it's like that:
* Originally our diskboot-files were zero-padded to 100k.
* Some memory after 0x1900 needs to be zeroed out for WriteSDCard to work.
* Around this area are pointers to WriteSDCard and ReadSDCard which were overwritten by our large diskboot-file. WriteSDCard does work with hard-coded pointers, though.
* We reduce diskboot-size, thus locate the pointers but WriteSDCard stops working.
* To compensate we blank out memory after we found the pointer to WriteSDCard.

Cheers.

*

Offline chr

  • ***
  • 138
  • IXUS 82 IS
Re: Problems dumping the SD1100IS/IXUS80IS
« Reply #65 on: 14 / July / 2008, 17:05:45 »
Quote
Argh! U Bastard! Why didn't u post this earlier???
Because it would have been too easy and no challenge at all :D

Too easy. Meanwhile I played with the older SD40 - CHDK Wiki it boots well the stuff I compile:
[DOWNLOAD LINKS] Firmware dumps available

But the SD1100 is still a beast. Wants about 4k padding but sometimes refuses to do anything ... 100K was simply too much !!!!!  >:(

*

Offline arvacon

  • *
  • 5
  • Ixus 85is
Re: Problems dumping the SD1100IS/IXUS80IS
« Reply #66 on: 18 / July / 2008, 02:35:41 »
Hi. I have an Ixus 85is (sd 770). Is there any hope to build a CHDK version for this camera?
Will it be possible to run the same version for what you are making now for the Ixus 80 (sd1100) in my camera?
Please guys, keep trying, don't stop now!

Ps: My firmware version is GM 1.00a
 
Detail makes the difference...

Re: Problems dumping the SD1100IS/IXUS80IS
« Reply #67 on: 18 / July / 2008, 03:48:42 »
Hi, I am an Italian boy and I have just bought an IXUS80. I hope to succeed in installing your CHDK soon. When do you think it can be ready?
Thanks and good job!


*

Offline arvacon

  • *
  • 5
  • Ixus 85is
Re: Problems dumping the SD1100IS/IXUS80IS
« Reply #68 on: 18 / July / 2008, 07:47:45 »
Bad news.

Yesterday my cam got a E18 "Lens error, restart camera" without any reason! :blink:

I did not drop the cam nor did I play with DISKBOOT. It simply refused to work. Looking closely I noticed the lens is not correctly mounted: The outer "Gummidichtung" (english?!) is not well fitting and maybe caused the blocking.

Today it operates as if nothing happened, but vers.req shows an "E18" with timestamp in the log.

So tomorrow I'm going to return the cam.



Can CHDK hurt the camera like this problem?
Detail makes the difference...

*

MrSpoon

Re: Problems dumping the SD1100IS/IXUS80IS
« Reply #69 on: 21 / July / 2008, 13:26:47 »
Hi, so I have the A470 and tried the encoded blinker diskboots and it gets the LCD blinking...
The led_on_off.bin.cr.5 does get the AF LED on...

I could probably work out writing a blinker and getting the LED address, but the encoding stage sounds a little beyond me... :(

 
