HF10 & HV30 (Digic DV II) decrypted!

  • 213 Replies
  • 74704 Views
cail
Re: HF10 (Digic DV II) decrypted!
« Reply #40 on: 29 / July / 2008, 00:47:56 »
Ok so does that mean that we have to find a way to inject code into the firmware that reads out the bootloader and ram, upload it to the cam by the firmware upgrade mechanism, and then search the bootloader for an autoload mechanism?
Yes, this is also an option, although quite risky. The preferable way, I think, is to avoid f/w changes (this keeps the warranty) or at least minimize the changes (low risk).

Re: HF10 (Digic DV II) decrypted!
« Reply #41 on: 29 / July / 2008, 08:28:53 »
Could you give me an overview of what you're thinking of? I need some starting point, and more detailed information on what we need to find. I've never done that before, so I have no idea where to start, but I'm a fast learner with code-related things...

Btw, are you working on finding some way to execute code?

cail
Re: HF10 (Digic DV II) decrypted!
« Reply #42 on: 29 / July / 2008, 14:27:01 »
General work that anyone, even without a cam, can do is to analyze the f/w.

I've already done some work on this with the HF100 f/w, but have to restart it with the HV30 ;)

Basic and general things are to be discovered: stdlib, file i/o functions, OS-related calls (tasks, queues, semaphores, etc.), and ultimately the usb driver logic.
The analysis is quite dumb and is based on searching for text string references and interpreting them.

However, right now I think I have to improve IDA's FR disassembler module, since it is _very_ plain and misses many features.

BTW, which camera do you use? I have an HV10.

And, of course, some risky guy can directly try to change the F/W and see what happens.
Even this way we still need to find the file i/o functions to be able to dump memory content onto the flash card.
The best way for this is to have some half-broken HV30 unit. We can place a request for this somewhere...

Re: HF10 (Digic DV II) decrypted!
« Reply #43 on: 29 / July / 2008, 15:41:48 »
Yes, getting a half-broken unit would be great, and then concentrating on that target until we have some ideas on how that stuff works. On eBay there's nothing, probably both models are still too new, but we could post requests at some sites like hv20.com or dvinfo.net, don't know where else?

I'm using an HF10... had an HV30 before but exchanged it for this one...

A little problem with changing the FW and testing with it is (besides the big risk of bricking the cam) that you can only upgrade the FW if the version number is higher than the current one. At 0x10000 there are four bytes 0x01000100 (== FW 1.0.1.0 in our case) which the camera reads out to decide whether to permit the upgrade or not. All in all there are 153 appearances of that pattern in the HF10 FW, 83 in the HV30's. Two cases might follow from that:
1) The pattern at 0x10000 is the only real FW version info -> no possibility to ever reset the FW version, and Canon might get suspicious if you'd send them a cam with FW 1.0.3.183 for repair
2) It's not the only one, and we have to find the second one inside the real FW data to be able to reset the FW version

Btw, I guess we can assume that those FW upgrades are just parts of the whole FW/OS/system; at least they are universal (PAL & NTSC) and not limited to any specific region... those firminfo.txt files delivered with the upgrades don't mention anything related either. I was searching for system-related data like shutter speeds but couldn't find a single value, so the actual configuration is probably stored somewhere inside the cam... maybe the ROM, but at least on the HF10 it could be a second partition on the internal flash memory as well. Interpreting the file paths that I posted before, this might be the case... the HF10 has 3 drive letters (A, B, D), with D probably being the SD card, since the HV30 only contains references to D. Forget that theory, I just remembered that the HF100 doesn't have the internal flash storage.
« Last Edit: 29 / July / 2008, 16:11:54 by Wiesel »
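The version stamp discussed in Reply #43 can be located and decoded with a small script. What follows is an added example written for this thread, not code from the forum posts or from CHDK: it assumes the stamp is the four bytes at offset 0x10000 in the byte order the post writes them (01 00 01 00 meaning 1.0.1.0), searches the whole image for repeats of that pattern, and models the "only accept a higher version" rule the post describes. The image it runs on is constructed in the script so it works offline; the offsets and counts in a real update file will differ.

```python
"""Locate and decode the firmware version stamp described in the thread.

Added example, not code from the thread or from CHDK. Assumptions: the stamp
is at VERSION_OFFSET, is 4 bytes, and its bytes read left to right as the
dotted version (01 00 01 00 -> 1.0.1.0). The sample image is constructed here.
"""
import struct

VERSION_OFFSET = 0x10000   # offset reported in the thread
VERSION_LEN = 4


def decode_version(raw: bytes) -> str:
    """Turn the 4 stamp bytes into dotted form, e.g. b'\\x01\\x00\\x01\\x00' -> '1.0.1.0'."""
    if len(raw) != VERSION_LEN:
        raise ValueError("version stamp must be exactly %d bytes" % VERSION_LEN)
    return ".".join(str(b) for b in struct.unpack("4B", raw))


def version_tuple(dotted: str) -> tuple:
    """'1.0.3.183' -> (1, 0, 3, 183) so versions compare numerically, not as text."""
    return tuple(int(part) for part in dotted.split("."))


def read_version(image: bytes, offset: int = VERSION_OFFSET) -> str:
    """Decode the stamp stored at `offset` in an update image."""
    if len(image) < offset + VERSION_LEN:
        raise ValueError("image too short for a version stamp at 0x%x" % offset)
    return decode_version(image[offset:offset + VERSION_LEN])


def find_pattern(image: bytes, pattern: bytes) -> list:
    """Every offset at which `pattern` occurs (overlapping matches included)."""
    hits, start = [], 0
    while True:
        i = image.find(pattern, start)
        if i < 0:
            return hits
        hits.append(i)
        start = i + 1


def upgrade_permitted(current: str, candidate: str) -> bool:
    """Rule stated in the thread: the camera only accepts a strictly higher version."""
    return version_tuple(candidate) > version_tuple(current)


def build_sample_image() -> bytes:
    """Constructed stand-in for an update file (not real Canon firmware)."""
    stamp = bytes.fromhex("01000100")
    img = bytearray(0x12000)
    img[VERSION_OFFSET:VERSION_OFFSET + VERSION_LEN] = stamp
    # a few extra copies, standing in for the repeated appearances the post counts
    for off in (0x00040, 0x08010, 0x11FF0):
        img[off:off + VERSION_LEN] = stamp
    return bytes(img)


def report(image: bytes) -> dict:
    """Version at the known offset plus every place the same stamp recurs."""
    stamp = image[VERSION_OFFSET:VERSION_OFFSET + VERSION_LEN]
    return {"version": read_version(image), "offsets": find_pattern(image, stamp)}


if __name__ == "__main__":
    result = report(build_sample_image())
    print("version at 0x%x: %s" % (VERSION_OFFSET, result["version"]))
    for off in result["offsets"]:
        print("  stamp found at 0x%06x" % off)
    print("1.0.1.0 -> 1.0.3.183 accepted:", upgrade_permitted("1.0.1.0", "1.0.3.183"))
```

To run it against a real update file, replace `build_sample_image()` with the bytes read from disk; the list of offsets is the starting point for deciding which of the repeated copies, if any, is the one the camera actually compares.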


Re: HF10 (Digic DV II) decrypted!
« Reply #44 on: 29 / July / 2008, 16:22:23 »
Some other observations regarding the HF10/100 which might be helpful:

On the FW analysis wiki page HF10/100 Firmware Analysis - CHDK Wiki it says "The exact processor and peripheral models are unknown, however the code shows that the CR5 (EIT Vector Base) register is used - and this register seems to be present only in M32R2 processors."
However, I found an interesting paper, "Porting Linux to the M32R processor", where they mention the CR5 register without ever mentioning M32R2/M32R-II.
http://www.linux-m32r.org/cmn/m32r/ols2003.pdf

There's an M32R Windows GUI emulator available on the Renesas website... but I haven't figured out yet if it is possible to emulate pure bytecode. It seems it only emulates debug code written by the M32R compiler (which is available on Renesas' website as well).

The GNU debugger seems to support M32R code execution simulation as well.

cail
Re: HF10 (Digic DV II) decrypted!
« Reply #45 on: 30 / July / 2008, 05:53:24 »
I've also tried the Renesas simulator; it seems to be working, but camera-specific h/w simulation is required as well. GDB could be a better choice for this.
A simulator could normally be used to understand parts of the logic. A potential problem here is that both m32r and fr71 are very unpopular processors - the support could be buggy...
Moreover, gdb doesn't have an FR-xx simulator at all ;(

Re: HF10 (Digic DV II) decrypted!
« Reply #46 on: 30 / July / 2008, 06:15:32 »
Yes, unfortunately...
But I thought the Renesas sim could become quite handy to test some custom code (which doesn't use camera-specific hardware) if it turns out that there's an autoloader.

I guess the GDB m32r support should be pretty decent, since they used it to port the Linux kernel to this processor.

kmaage (HV20, Norway, Newborn, Software Developer)
Re: HF10 (Digic DV II) decrypted!
« Reply #47 on: 31 / July / 2008, 10:55:25 »
I've also tried renesas simulator, it seems to be working...
Cail, where do you get the simulator, and are you somehow feeding it the firmware code? What do you mean by "working"?

...the renesas sim could become quite handy to test some custom code (which doesn't use camera specific hardware) if it turns out that there's an autoloader.
What might an autoloader look like in the firmware? What should we be looking for? There have to be libraries for reading and writing to the SD card... Do we just go through each instance of calling the read/write libraries and look for something that doesn't seem to be just dealing with jpegs?


Re: HF10 (Digic DV II) decrypted!
« Reply #48 on: 31 / July / 2008, 11:26:54 »
A quick googling for "m32r simulator" and the first link would take you where you want ;) But since I'm a nice guy and currently bored, here's the link (ignore the title): Resource Error Page
With "working" he probably meant that it executes the FW code (file > download > binary)!?

I don't know what it would look like, but basically it would load a file and execute it. Yes, there has to be a library, or at least the functions, and if we knew them then yes, that would be an option, but we don't know them yet. The problem might be that the interesting parts that we need to know aren't part of those firmware upgrades.

kmaage (HV20, Norway, Newborn, Software Developer)
Re: HF10 (Digic DV II) decrypted!
« Reply #49 on: 01 / August / 2008, 03:09:35 »
Thanks for the link to the simulator. I had looked on Renesas' website but had trouble recognizing downloadable software and which applied to what, or maybe I had seen it and skipped it because it didn't seem to apply. I'm not as familiar with debugging as you and cail...

The problem might be that the interesting parts that we need to know aren't part of those firmware upgrades.

Really? I thought a firmware update was a completely new firmware that fully overwrites the previous one. Strange.

In your opinion, what's the most important thing to look for in our firmware analysis?
