Anyone interested in a SONY DSLR firmware dump? - DSLR Hack development - CHDK Forum


Anyone interested in a SONY DSLR firmware dump?
« on: 04 / June / 2008, 07:40:17 »
Hi all,
I'm not sure I can post such a topic because this forum seems to be only about Canon firmware.
But I will try posting a new topic about the SONY DSLR-A100 and DSLR-A700 firmware. I hope someone is interested in it.
The SONY DSLR-A100 CPU is an M30620FCPGP; the DSP is a MIPS MA07169 (core LX4180, R3000 series).
They are not encrypted, but I cannot get any info after loading them into IDA, not even function names.
Can anyone help me?
 
DSLR-A100 firmware:
Sony eSupport - DSLR-A100 - Software Updates & Drivers

DSLR-A700 firmware: 
http://support.d-imaging.sony.co.jp/download/DSLR/DSCA700v03.exe?fm=us


ASalina

Re: Anyone interested in a SONY DSLR firmware dump?
« Reply #1 on: 04 / June / 2008, 07:49:18 »
> Hi all,
> I'm not sure I can post such a topic because this forum seems to be only about Canon firmware.
> But I will try posting a new topic about the SONY DSLR-A100 and DSLR-A700 firmware. I hope someone is interested in it.
> The SONY DSLR-A100 CPU is an M30620FCPGP; the DSP is a MIPS MA07169 (core LX4180, R3000 series).
> They are not encrypted, but I cannot get any info after loading them into IDA, not even function names.
> Can anyone help me?


IDA won't give you function names by itself. You will need to figure out the function names yourself. A good thing to do is to look for ASCII strings in the firmware that might have references to function names in them, like:

"ERROR: DoSomething() received NULL parameter!\n"

The function that references that string is probably called DoSomething().


Good luck!

Re: Anyone interested in a SONY DSLR firmware dump?
« Reply #2 on: 04 / June / 2008, 08:26:07 »
Thank you. Can you tell me how to find the function address after getting the function name from a string?
I have found a lot of debug print strings containing function names, like:

 SetBossCameraSendDataOfCaptureSettings-No Converter:%d
 SetBossCameraSendDataOfSettings-No Converter:%d
    RelLock 0x%x,rem %d,buf %d,0x%x->0x%x
  SetCameraStatusForCamera() -ERROR-
 bossCameraCommSettingOfManualFireLevel-illegal:%d


ASalina

Re: Anyone interested in a SONY DSLR firmware dump?
« Reply #3 on: 04 / June / 2008, 08:32:48 »
> Thank you. Can you tell me how to find the function address after getting the function name from a string?
> I have found a lot of debug print strings containing function names, like:
>
>  SetBossCameraSendDataOfCaptureSettings-No Converter:%d
>  SetBossCameraSendDataOfSettings-No Converter:%d
>     RelLock 0x%x,rem %d,buf %d,0x%x->0x%x
>   SetCameraStatusForCamera() -ERROR-
>  bossCameraCommSettingOfManualFireLevel-illegal:%d


You will need to figure out how functions are coded. They usually start by pushing registers onto the stack. I don't know your CPU's mnemonics, so I can't give an example. Sometimes IDA can find functions; it just can't name them properly. Look for "sub_XXXX" (where XXXX is the hex memory offset of the label) in the disassembly listing.
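As an added example (not code from this thread, from Sony, or from CHDK), here is what the two hints above look like when written down for a MIPS R3000-class core. On MIPS nothing is "pushed": a function prologue is `addiu $sp,$sp,-N` followed shortly by `sw $ra,off($sp)`, and a string address is built with a `lui rt,hi` / `addiu rt,rt,lo` pair because R3000 has no PC-relative addressing. The script finds prologues, finds NUL-terminated strings, resolves `lui`/`addiu` pairs that point at a string, and names the enclosing function from the string (so "SetCameraStatusForCamera() -ERROR-" names the function that references it). It runs on a small constructed big-endian image at an assumed load base of 0x80000000; the real A100 image's endianness and load address are assumptions that would have to be confirmed from its reset vector and exception handlers first.

```python
import re
import struct
from typing import Dict, List, Tuple

SP, RA = 29, 31                      # MIPS register numbers for $sp and $ra
OP_ADDIU, OP_LUI, OP_SW = 0x09, 0x0F, 0x2B

def sign_ext16(v: int) -> int:
    return v - 0x10000 if v & 0x8000 else v

def split_hi_lo(addr: int) -> Tuple[int, int]:
    """Immediates for `lui rt,hi` / `addiu rt,rt,lo` that rebuild addr (lo is sign-extended)."""
    lo = addr & 0xFFFF
    return ((addr - sign_ext16(lo)) >> 16) & 0xFFFF, lo

def decode(word: int) -> Tuple[int, int, int, int]:
    """I-type split: opcode, rs, rt, 16-bit immediate."""
    return word >> 26, (word >> 21) & 31, (word >> 16) & 31, word & 0xFFFF

def words(image: bytes, endian: str) -> List[int]:
    fmt = ">I" if endian == "big" else "<I"
    return [struct.unpack_from(fmt, image, i)[0] for i in range(0, len(image) - 3, 4)]

def find_functions(image: bytes, base: int, endian: str, window: int = 4) -> List[int]:
    """Prologue heuristic: `addiu $sp,$sp,-N` with `sw $ra,off($sp)` within `window` words."""
    ws = words(image, endian)
    starts = []
    for i, w in enumerate(ws):
        op, rs, rt, imm = decode(w)
        if op != OP_ADDIU or rs != SP or rt != SP or not imm & 0x8000:
            continue
        if -sign_ext16(imm) > 4096:              # implausibly large frame: probably data
            continue
        for j in range(i + 1, min(i + 1 + window, len(ws))):
            op2, rs2, rt2, _ = decode(ws[j])
            if op2 == OP_SW and rs2 == SP and rt2 == RA:
                starts.append(base + i * 4)
                break
    return starts

def find_strings(image: bytes, base: int, min_len: int = 6) -> Dict[int, str]:
    """NUL-terminated printable ASCII runs, keyed by their address in the loaded image."""
    pat = rb"[\x20-\x7e]{%d,}\x00" % min_len
    return {base + m.start(): m.group()[:-1].decode("ascii") for m in re.finditer(pat, image)}

def find_string_refs(image, base, endian, strings, window=4) -> List[Tuple[int, int]]:
    """(instruction address, string address) for every lui/addiu pair that computes a string address."""
    ws = words(image, endian)
    refs = []
    for i, w in enumerate(ws):
        op, _, rt, hi = decode(w)
        if op != OP_LUI:
            continue
        for j in range(i + 1, min(i + 1 + window, len(ws))):
            op2, rs2, rt2, lo = decode(ws[j])
            if op2 == OP_ADDIU and rs2 == rt and rt2 == rt:   # addiu on the lui'd register
                target = ((hi << 16) + sign_ext16(lo)) & 0xFFFFFFFF
                if target in strings:
                    refs.append((base + i * 4, target))
                break
    return refs

def guess_name(s: str):
    """Prefer `Name()`; else a leading identifier followed by '-' or ':' (second, so 'ERROR: Foo()' gives Foo)."""
    m = re.search(r"\b([A-Za-z_]\w{3,})\(\)", s) or re.match(r"\s*([A-Za-z_]\w{3,})\s*[-:]", s)
    return m.group(1) if m else None

def name_functions(image: bytes, base: int, endian: str):
    """Return (sorted function starts, {function start: name guessed from a referenced string})."""
    funcs = sorted(find_functions(image, base, endian))
    strings = find_strings(image, base)
    names = {}
    for ref_addr, str_addr in find_string_refs(image, base, endian, strings):
        owner = max((f for f in funcs if f <= ref_addr), default=None)   # nearest prologue above
        name = guess_name(strings[str_addr])
        if owner is not None and name and owner not in names:
            names[owner] = name
    return funcs, names

def build_sample(base: int = 0x80000000) -> bytes:
    """Constructed big-endian image (not Sony code): two tiny functions and two debug strings."""
    s1 = b"SetCameraStatusForCamera() -ERROR-\x00"
    s2 = b"SetBossCameraSendDataOfSettings-No Converter:%d\x00"
    off1, off2 = 0x100, 0x140
    hi1, lo1 = split_hi_lo(base + off1)
    hi2, lo2 = split_hi_lo(base + off2)
    f1 = [0x27BDFFE0, 0xAFBF001C, 0x3C040000 | hi1, 0x24840000 | lo1, 0x03E00008, 0]  # addiu/sw/lui/addiu/jr/nop
    f2 = [0x27BDFFD0, 0, 0xAFBF002C, 0x3C040000 | hi2, 0x24840000 | lo2, 0x03E00008, 0]
    img = bytearray(0x200)
    code = b"".join(struct.pack(">I", w) for w in f1 + f2)
    img[:len(code)] = code
    img[off1:off1 + len(s1)], img[off2:off2 + len(s2)] = s1, s2
    return bytes(img)

if __name__ == "__main__":
    funcs, names = name_functions(build_sample(), 0x80000000, "big")
    for f in funcs:
        print(f"sub_{f:08X} -> {names.get(f, '(no string hint)')}")
```

The same three passes are what an IDAPython script would do over a loaded database, using IDA's own string list and cross-references instead of the hand-rolled scans; the heuristic here is deliberately loose (leaf functions that never save `$ra` are missed, and a string referenced from several functions is attributed to the first one that claims it), which is exactly the sort of "usually but not necessarily" caveat raised later in this thread.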



DataGhost

Re: Anyone interested in a SONY DSLR firmware dump?
« Reply #4 on: 04 / June / 2008, 08:40:38 »
Functions don't have to have readable names. The ones you're seeing are purely strings for debugging purposes and they *usually* have something to do with the function they're in but not necessarily. Also, the A700 firmware does seem to be encrypted/compressed somehow, though a graphical representation indicates that it's possibly weak, but I don't know how to decode it.

Re: Anyone interested in a SONY DSLR firmware dump?
« Reply #5 on: 04 / June / 2008, 19:24:01 »
I don't have a sony - but one question:

Is it also on ARM?


ewavr

Re: Anyone interested in a SONY DSLR firmware dump?
« Reply #6 on: 04 / June / 2008, 19:47:03 »
> Is it also on ARM?

No. As the first message says, the core has a MIPS architecture.

Re: Anyone interested in a SONY DSLR firmware dump?
« Reply #7 on: 04 / June / 2008, 21:08:09 »
Thanks, all. Can anyone give me an example of how to find out the function names when processing the Canon 40D firmware?

The SONY DSLR is MIPS architecture (LX4180, R3000 series).

ASalina, I cannot find any "sub_XXXX" in the disassembly listing; there is nothing in the IDA result. Can you download the A100 or A700 firmware and try it?

DataGhost, why do you think the A700 firmware is encrypted/compressed? There is a lot of debug info in it. I also found the MIPS crash dump format:

******************** CRASH ********************
    0x%08x :   R0/ZERO=00000000 R1/AT  =%08x R2/V0  =%08x R3/V1  =%08x
    R4/A0  =%08x R5/A1  =%08x R6/A2  =%08x R7/A3  =%08x
    R8/T0  =%08x R9/T1  =%08x R10/T2 =%08x R11/T3 =%08x
    R12/T4 =%08x R13/T5 =%08x R14/T6 =%08x R15/T7 =%08x
    R16/S0 =%08x R17/S1 =%08x R18/S2 =%08x R19/S3 =%08x
    R20/S4 =%08x R21/S5 =%08x R22/S6 =%08x R23/S7 =%08x
    R24/T8 =%08x R25/T9 =%08x
  R28/GP =%08x R29/SP =%08x R30/FP =%08x R31/RA =%08x
    pc   : 0x%08x      sr  : 0x%08x
    cause: 0x%08x                 
     Stack Dump : %08x
  %d:%08x:%08x:%08x:%08x



DataGhost

Re: Anyone interested in a SONY DSLR firmware dump?
« Reply #8 on: 05 / June / 2008, 03:14:11 »
I only see that dump in the A100 firmware. The A700 firmware doesn't have it, it doesn't have anything readable, actually. When I convert it into an image, it looks like nicely colored random noise which does not look like code at all. Also, the A100 firmware looks a lot less 'dense' in a hex viewer (it's just a feeling I get) and it *does* convert into sensible code. I also loaded the A700 dump in IDA just to prove my theory and I got zero logical code from it.

Maybe my download is broken somehow? Can you post the md5sum and filename for your A700 dump?
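The "convert it into an image and look for noise" test and the md5sum request above can both be made mechanical. The following is an added example, not code from the thread or from CHDK: it computes Shannon entropy per fixed-size block, flags a file whose blocks are all near 8 bits/byte as compressed or encrypted (plain MIPS code has repeated opcode bytes and long runs of zero and never gets close), and prints the hashes two people would compare to rule out a broken download. The two inputs are constructed stand-ins (a repeated prologue/epilogue pattern with debug strings, and seeded pseudo-random bytes); the 7.5 bits/byte threshold and the "90 % of blocks" rule are assumptions that work for these inputs and may need tuning on real images, where a packed section inside otherwise plain firmware shows up as a run of high-entropy blocks rather than a uniform profile.

```python
import hashlib
import math
import random
import struct
from collections import Counter
from typing import Dict, List

def shannon_entropy(chunk: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant data, 8.0 for a uniform byte distribution."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum((c / n) * math.log2(c / n) for c in Counter(chunk).values())

def entropy_profile(data: bytes, block: int = 4096) -> List[float]:
    """Entropy of each fixed-size block in file order: the numeric form of the 'firmware as image' view."""
    return [shannon_entropy(data[i:i + block]) for i in range(0, len(data), block)]

def classify(data: bytes, block: int = 4096, threshold: float = 7.5) -> Dict[str, object]:
    """Call the file opaque when nearly every block sits near maximal entropy.

    Compressed or encrypted data is close to 8 bits/byte throughout; plain code and tables are
    well below that.  Threshold and the 0.9 fraction are assumptions chosen for the samples below.
    """
    prof = entropy_profile(data, block)
    fraction = (sum(1 for e in prof if e >= threshold) / len(prof)) if prof else 0.0
    return {
        "blocks": len(prof),
        "mean_entropy": (sum(prof) / len(prof)) if prof else 0.0,
        "high_entropy_fraction": fraction,
        "verdict": "compressed/encrypted" if fraction > 0.9 else "plain code/data",
    }

def fingerprint(data: bytes) -> Dict[str, str]:
    """Digests to compare two downloads of what should be the same file."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}

def build_code_like(size: int = 65536) -> bytes:
    """Constructed stand-in for plain MIPS firmware: repeated prologue/epilogue words plus debug strings."""
    words = [0x27BDFFE0, 0xAFBF001C, 0x3C040000, 0x24840100, 0x0C000000, 0x00000000,
             0x8FBF001C, 0x27BD0020, 0x03E00008, 0x00000000]
    body = b"".join(struct.pack(">I", w) for w in words)
    text = b"SetCameraStatusForCamera() -ERROR-\x00RelLock 0x%x,rem %d\x00"
    out = bytearray()
    i = 0
    while len(out) < size:
        out += body if i % 8 else text        # one string every eight "functions"
        i += 1
    return bytes(out[:size])

def build_opaque(size: int = 65536, seed: int = 1) -> bytes:
    """Constructed stand-in for compressed/encrypted data: seeded pseudo-random bytes (reproducible)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))

if __name__ == "__main__":
    for label, blob in (("code-like", build_code_like()), ("opaque", build_opaque())):
        info = classify(blob)
        print(f"{label:9s} md5={fingerprint(blob)['md5']} mean={info['mean_entropy']:.2f} "
              f"high={info['high_entropy_fraction']:.2f} -> {info['verdict']}")
```

Run it on the actual download to get both a verdict and the md5 to post; if the entropy profile is flat near 8 bits/byte from the first block, no loader setting in IDA will produce code from it, and the file has to be unpacked (or, as it turns out later in this thread, the other release package obtained) first.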

Re: Anyone interested in a SONY DSLR firmware dump?
« Reply #9 on: 05 / June / 2008, 04:12:04 »
Dear DataGhost,
I am sorry for giving you the "encrypted" A700 firmware. In fact, SONY releases the A700 firmware in two different packages: one form is compressed as a whole file, the other form is separate files. This forum cannot post attachment files? So I PMed you for your email address.
The file name in the separate-files package is "E1_2_0.APP".
I think it is like the A100 firmware.
I used another tool, "LDA", to analyze the A100, but I'm not sure the result is very convincing.
I will also send all of them to you when I get your email.

 
