It is great.
Please share the diskboot.bin project sources and crypter sources so other people could do the same with their similar camera models.
Mh, I documented everything ... is something missing?
Also, I don't like to talk about encryption. I know nothing about that. It may be illegal to look at. What I found so far is hardly encryption, is it? Did you read my post about decoding?
Emulating Digicam with QEMU
Also note that the addresses only work for your firmware. Function locations differ in every firmware build. The udumper locates WriteSDCard using some hints and guesswork; it doesn't always succeed, though. See this and the subsequent posts for details.
Argh! You bastard! Why didn't you post this earlier???
OK, quick try. udumper with the fixed SDWrite address works! And the md5sum of the dump ... *drumroll* ... is the same as the LED dump.
But udumper searching for the address did not work. However, running it in gdb, it's bingo:
WriteSDCard: 0xff91f0c8
ReadSDCard: 0xff91ef70
ff84e81c: e3a01000 mov r1, #0 ; 0x0
ff84e820: e59f00b4 ldr r0, [pc, #180] ; ff84e8dc <_binary_dump_bin_start+0x3e8dc>
ff84e824: e5801034 str r1, [r0, #52]
ff84e828: e5801038 str r1, [r0, #56]
ff84e82c: e3a01003 mov r1, #3 ; 0x3
ff84e830: e580103c str r1, [r0, #60]
ff84e834: e59f10c0 ldr r1, [pc, #192] ; ff84e8fc <_binary_dump_bin_start+0x3e8fc>
ff84e838: e580104c str r1, [r0, #76]
ff84e83c: e59f10bc ldr r1, [pc, #188] ; ff84e900 <_binary_dump_bin_start+0x3e900>
ff84e840: e5801050 str r1, [r0, #80]
ff84e844: e12fff1e bx lr
(gdb) j *0xff84e81c
Continuing at 0xff84e81c.
Breakpoint 3, 0xff84e844 in _binary_dump_bin_start ()
(gdb) x/32x $r0
0x11544: 0x00000000 0x00000000 0x00000000 0x00000000
0x11554: 0x00000000 0x00000000 0x00000000 0x00000000
0x11564: 0x00000000 0x00000000 0x00000000 0x00000000
0x11574: 0x00000000 0x00000000 0x00000000 0x00000003
0x11584: 0x00000000 0x00000000 0x00000000 0xff91ef70
0x11594: 0xff91f0c8 0x00000000 0x00000000 0x00000000
0x115a4: 0x00000000 0x00000000 0x00000000 0x00000000
0x115b4: 0x00000000 0x00000000 0x00000000 0x00000000
In QEMU the udumper works. I guess the image is too large! I'll check.
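The disassembly above shows why a fixed address works while the search can fail: the function at 0xff84e81c loads a descriptor base into r0 (0x11544), then stores two literal-pool values into it at offsets 76 and 80, and the gdb dump confirms those slots hold ReadSDCard (0xff91ef70) and WriteSDCard (0xff91f0c8). The following program is an added example, not udumper's code or anything posted in this thread: it scans a little-endian ARM dump for exactly that instruction pattern (ldr r1,[pc,#imm] / str r1,[r0,#76] / ldr r1,[pc,#imm] / str r1,[r0,#80]), resolves the pc-relative literals, and walks back a few words for the ldr r0,[pc,#imm] that loads the descriptor base. The heuristic itself is my assumption of how such a search could be written; udumper's real hints are not shown on this page. The sample image is constructed inline from the 11 instructions and three literal-pool words quoted above, placed at the offsets the disassembly implies.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result of a successful scan. 'match' is the address of the first ldr of the pattern. */
struct sd_hooks {
    uint32_t match;  /* address of the matched ldr r1,[pc,#imm] */
    uint32_t desc;   /* descriptor base loaded into r0 (0 if not found) */
    uint32_t read;   /* value stored at desc+76 (ReadSDCard) */
    uint32_t write;  /* value stored at desc+80 (WriteSDCard) */
};

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = v >> 24;
}

/* ldr rd,[pc,#imm12] with cond=AL, U=1: encoding 0xe59f0000 | rd<<12 | imm12.
 * In ARM state PC reads as the instruction address + 8. */
static int ldr_pc_target(uint32_t w, int rd, uint32_t insn_addr, uint32_t *target) {
    if ((w & 0xfffff000u) != (0xe59f0000u | ((uint32_t)rd << 12))) return 0;
    *target = insn_addr + 8 + (w & 0xfffu);
    return 1;
}

/* Read a literal-pool word at absolute address 'addr' if it lies inside the image. */
static int read_literal(const uint8_t *img, size_t len, uint32_t base, uint32_t addr, uint32_t *out) {
    if (addr < base || (size_t)(addr - base) + 4 > len) return 0;
    *out = rd32(img + (addr - base));
    return 1;
}

/* Scan a dump loaded at 'base' for the hook-registration pattern. Returns 1 on success. */
int find_sd_hooks(const uint8_t *img, size_t len, uint32_t base, struct sd_hooks *out) {
    for (size_t off = 0; off + 16 <= len; off += 4) {
        uint32_t w0 = rd32(img + off), w1 = rd32(img + off + 4);
        uint32_t w2 = rd32(img + off + 8), w3 = rd32(img + off + 12);
        uint32_t lit_read, lit_write;
        if (w1 != 0xe580104cu || w3 != 0xe5801050u) continue; /* str r1,[r0,#76]; str r1,[r0,#80] */
        if (!ldr_pc_target(w0, 1, base + (uint32_t)off, &lit_read)) continue;
        if (!ldr_pc_target(w2, 1, base + (uint32_t)off + 8, &lit_write)) continue;
        if (!read_literal(img, len, base, lit_read, &out->read)) continue;
        if (!read_literal(img, len, base, lit_write, &out->write)) continue;
        out->match = base + (uint32_t)off;
        out->desc = 0;
        /* Look back up to 8 words for the ldr r0,[pc,#imm] that set the descriptor base. */
        for (size_t back = 4; back <= 32 && back <= off; back += 4) {
            uint32_t t;
            if (ldr_pc_target(rd32(img + off - back), 0, base + (uint32_t)(off - back), &t) &&
                read_literal(img, len, base, t, &out->desc))
                break;
        }
        return 1;
    }
    return 0;
}

/* Constructed sample: the 11 instructions from 0xff84e81c plus the three literals
 * at 0xff84e8dc, 0xff84e8fc and 0xff84e900, laid out relative to base 0xff84e81c. */
const uint8_t *sample_image(size_t *len) {
    static uint8_t img[0xe8];
    static const uint32_t code[] = {
        0xe3a01000, 0xe59f00b4, 0xe5801034, 0xe5801038, 0xe3a01003, 0xe580103c,
        0xe59f10c0, 0xe580104c, 0xe59f10bc, 0xe5801050, 0xe12fff1e };
    memset(img, 0, sizeof img);
    for (size_t i = 0; i < sizeof code / sizeof code[0]; i++) wr32(img + 4 * i, code[i]);
    wr32(img + 0xc0, 0x00011544);  /* descriptor base, r0 in the gdb session */
    wr32(img + 0xe0, 0xff91ef70);  /* ReadSDCard */
    wr32(img + 0xe4, 0xff91f0c8);  /* WriteSDCard */
    *len = sizeof img;
    return img;
}

int main(void) {
    size_t n; struct sd_hooks h;
    const uint8_t *img = sample_image(&n);
    if (!find_sd_hooks(img, n, 0xff84e81cu, &h)) { puts("pattern not found"); return 1; }
    printf("match 0x%08x desc 0x%08x ReadSDCard 0x%08x WriteSDCard 0x%08x\n",
           h.match, h.desc, h.read, h.write);
    return 0;
}
```

Run it against a real dump by replacing sample_image with the file contents and the base with the address the firmware is mapped at (0xff810000-style bases vary per model). A search like this fails silently when the compiler picked different registers or offsets in another build, which is exactly the "hints and guesswork" failure mode mentioned above; the fixed-address path has no such dependency.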
Question:
#if defined (DRYOS)
// #warning DRYOS
// jeff666: fill some memory with zeroes; "simulate" large diskboot
// WARNING: the starting address is a guess
for (i = 0x1c00; i < 0x30000; i += 4) *(int *)i = 0;