40D Disk Dumping. More Trials - page 2 - DSLR Hack development - CHDK Forum

40D Disk Dumping. More Trials


ASalina

Re: 40D Disk Dumping. More Trials
« Reply #10 on: 10 / June / 2008, 19:35:17 »
Also, I advise you to load the file 40d00105.fir_1_flasher.dat into IDA in a new segment at address 1900.

bin_extract 40d00105.fir_1_flasher.dec 19B4E0 2464 40d00105.fir_1_flasher.dat

I'll need dx_lib.h to compile bin_extract.

mx3
Re: 40D Disk Dumping. More Trials
« Reply #11 on: 10 / June / 2008, 23:31:56 »
Also, I advise you to load the file 40d00105.fir_1_flasher.dat into IDA in a new segment at address 1900.

bin_extract 40d00105.fir_1_flasher.dec 19B4E0 2464 40d00105.fir_1_flasher.dat

I'll need dx_lib.h to compile bin_extract.

See the attached file.
skype: max_dtc. ICQ: 125985663, email: win.drivers(at)gmail, eVB decompiler


ASalina

Re: 40D Disk Dumping. More Trials
« Reply #12 on: 11 / June / 2008, 00:07:53 »
Thanks.

If all bin_extract does is to copy a section of the flasher.bin file to a new file (19B4E0 to 19D944) then I went ahead and did that with a binary file editor.

I'm having a hard time loading it into IDA in the right place. I don't know IDA well enough. I'm still working on that. (Any hints would be helpful)

It looks like that section of the flasher is loaded into 1900 on start up in order to initialize it?
« Last Edit: 11 / June / 2008, 00:10:28 by ASalina »
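The bin_extract step quoted above just copies a byte range (offset 19B4E0, length 2464, so the range ends at 19D944) out of the decoded flasher into a new file, which is what ASalina did by hand with a hex editor. Below is an added C implementation of that copy with bounds checking; it is not mx3's bin_extract and needs no dx_lib.h. The file names and hex arguments in the usage line are taken from the thread, the function names are my own.

```c
/* Added example, not mx3's bin_extract: copy LEN bytes starting at OFFSET
 * from one file into another, refusing ranges that fall outside the input.
 * Usage mirrors the command quoted in the thread:
 *   region_extract 40d00105.fir_1_flasher.dec 19B4E0 2464 40d00105.fir_1_flasher.dat
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy `len` bytes at `offset` out of an in-memory buffer.
 * Returns the number of bytes copied, or -1 if the range is out of bounds.
 * The check is written so that offset + len cannot overflow. */
long extract_region(const unsigned char *src, size_t src_len,
                    size_t offset, size_t len, unsigned char *dst)
{
    if (offset > src_len || len > src_len - offset)
        return -1;
    memcpy(dst, src + offset, len);
    return (long)len;
}

/* End offset of a region, as the thread states it: 19B4E0 + 2464 = 19D944. */
unsigned long region_end(unsigned long offset, unsigned long len)
{
    return offset + len;
}

/* Read a whole file into a malloc'd buffer; returns NULL on any failure. */
static unsigned char *read_file(const char *path, size_t *out_len)
{
    FILE *fp = fopen(path, "rb");
    if (!fp) return NULL;
    if (fseek(fp, 0, SEEK_END) != 0) { fclose(fp); return NULL; }
    long sz = ftell(fp);
    if (sz < 0) { fclose(fp); return NULL; }
    rewind(fp);
    unsigned char *buf = malloc(sz > 0 ? (size_t)sz : 1);
    if (!buf) { fclose(fp); return NULL; }
    if (fread(buf, 1, (size_t)sz, fp) != (size_t)sz) { free(buf); fclose(fp); return NULL; }
    fclose(fp);
    *out_len = (size_t)sz;
    return buf;
}

/* File-level wrapper: 0 on success, a nonzero code on failure. */
int extract_region_file(const char *in_path, unsigned long offset,
                        unsigned long len, const char *out_path)
{
    size_t src_len;
    unsigned char *src = read_file(in_path, &src_len);
    if (!src) return 1;                       /* could not read input */
    unsigned char *dst = malloc(len ? len : 1);
    if (!dst) { free(src); return 2; }
    long n = extract_region(src, src_len, offset, len, dst);
    free(src);
    if (n < 0) { free(dst); return 3; }       /* range outside the input file */
    FILE *out = fopen(out_path, "wb");
    if (!out) { free(dst); return 4; }
    int rc = fwrite(dst, 1, (size_t)n, out) == (size_t)n ? 0 : 5;
    fclose(out);
    free(dst);
    return rc;
}

int main(int argc, char **argv)
{
    if (argc != 5) {
        fprintf(stderr, "usage: %s in.bin HEX_OFFSET HEX_LEN out.bin\n", argv[0]);
        return 1;
    }
    unsigned long off = strtoul(argv[2], NULL, 16);   /* arguments are hex, as in the thread */
    unsigned long len = strtoul(argv[3], NULL, 16);
    int rc = extract_region_file(argv[1], off, len, argv[4]);
    if (rc)
        fprintf(stderr, "extract failed (code %d)\n", rc);
    else
        printf("wrote %lx bytes [%lx..%lx) to %s\n", len, off, region_end(off, len), argv[4]);
    return rc;
}
```

The bounds check is the part worth keeping: a hex editor will happily let you select past the end of the file, and a silently short extract is exactly the kind of thing that later shows up as "IDA disassembles garbage" with no obvious cause.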

mx3
Re: 40D Disk Dumping. More Trials
« Reply #13 on: 11 / June / 2008, 00:22:53 »
I'm having a hard time loading it into IDA in the right place. I don't know IDA well enough. I'm still working on that. (Any hints would be helpful)
Create a new segment 0x0 - 0x100000 and load the file. See the screenshots attached.

It looks like that section of the flasher is loaded into 1900 on start up in order to initialize it?
Yes.


mx3
Re: 40D Disk Dumping. More Trials
« Reply #14 on: 11 / June / 2008, 05:01:48 »
Plan B
/* Firmware region to dump: 0x800000 bytes (8 MiB) mapped at 0xFF800000 */
#define FW_ADDRESS      0xFF800000
#define FW_SIZE         0x800000

/* open() flag values as used by the camera OS, not the host libc */
#define O_WRONLY        1
#define O_CREAT         0x200

/* Prototypes of the camera's own file routines; they are called through
 * function pointers set to fixed addresses in the firmware */
typedef int (*ft_open)(const char *name, int flags, int mode);
typedef int (*ft_close)(int fd);
typedef int (*ft_write)(int fd, void *buffer, long nbytes);

int main(){
    ft_open  open;
    ft_write write;
    ft_close close;
    int f;

    /* Addresses of open/write/close inside the 40D firmware */
    open  = (ft_open)  0x00989A34;
    write = (ft_write) 0x00989534;
    close = (ft_close) 0x009896A0;

    /* Create DUMP.DMP on the CF card and write the whole firmware region to it */
    f = open("A:/DUMP.DMP", O_WRONLY|O_CREAT, 0777);
    if (f >= 0){
        write(f, (void*)FW_ADDRESS, FW_SIZE);
        close(f);
    }

    /* Never return to the flasher: spin here once the dump is done */
    while(1){
        ;
    }

    return 0;
}

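Plan B above writes the region starting at FW_ADDRESS straight to A:/DUMP.DMP, so the file is a linear image of that memory: byte N of the file is address FW_ADDRESS + N. The following host-side C program is an added example (not code from the thread or from CHDK) for checking a DUMP.DMP before loading it into IDA: it confirms the file is exactly FW_SIZE bytes, rejects a file that is one repeated byte (which is what an unmapped or failed read tends to produce; that interpretation is my assumption), and converts a firmware address to its file offset. FW_ADDRESS and FW_SIZE are taken from the post; everything else is mine.

```c
/* Added example: sanity-check a DUMP.DMP written by the Plan B code and map
 * firmware addresses to offsets in it. Not part of the thread's toolkit. */
#include <stdio.h>
#include <stdlib.h>

#define FW_ADDRESS 0xFF800000UL   /* from the post */
#define FW_SIZE    0x800000UL     /* from the post: 8 MiB */

enum dump_status { DUMP_OK = 0, DUMP_WRONG_SIZE, DUMP_UNIFORM };

/* DUMP_OK when the buffer has the expected size and contains more than one
 * distinct byte value; DUMP_UNIFORM (e.g. all 0xFF or all 0x00) is treated
 * as a sign the write did not capture real firmware (assumption). */
enum dump_status check_dump(const unsigned char *buf, size_t len, size_t expected)
{
    if (len != expected)
        return DUMP_WRONG_SIZE;
    for (size_t i = 1; i < len; i++)
        if (buf[i] != buf[0])
            return DUMP_OK;
    return DUMP_UNIFORM;
}

/* File offset of a firmware address inside a linear dump, or -1 if the
 * address lies outside [FW_ADDRESS, FW_ADDRESS + FW_SIZE). */
long fw_addr_to_offset(unsigned long addr)
{
    if (addr < FW_ADDRESS || addr - FW_ADDRESS >= FW_SIZE)
        return -1;
    return (long)(addr - FW_ADDRESS);
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s DUMP.DMP\n", argv[0]);
        return 1;
    }
    FILE *fp = fopen(argv[1], "rb");
    if (!fp) { perror("fopen"); return 1; }

    /* Read one byte more than expected so an oversize file is detected too */
    unsigned char *buf = malloc(FW_SIZE + 1);
    if (!buf) { fclose(fp); return 1; }
    size_t n = fread(buf, 1, FW_SIZE + 1, fp);
    fclose(fp);

    enum dump_status st = check_dump(buf, n, FW_SIZE);
    unsigned char first = n ? buf[0] : 0;
    free(buf);

    switch (st) {
    case DUMP_OK:
        printf("ok: %lu bytes; load in IDA at 0x%08lX\n", (unsigned long)n, FW_ADDRESS);
        return 0;
    case DUMP_WRONG_SIZE:
        printf("size mismatch: expected %lu bytes, got %lu%s\n", FW_SIZE,
               (unsigned long)n, n > FW_SIZE ? "+" : "");
        return 2;
    default:
        printf("dump is a single repeated byte (0x%02X); the read likely failed\n", first);
        return 3;
    }
}
```

The address-to-offset helper is the one to keep next to IDA: when the thread talks about code at 0x99B450 or routines at 0x00989A34, those are RAM addresses of the running firmware, not offsets into this ROM dump, and the helper returns -1 for them rather than a misleading number.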

Re: 40D Disk Dumping. More Trials
« Reply #15 on: 11 / June / 2008, 05:33:06 »
Hi MX3,

Why load the flasher of the 105 FW? The flasher in the 108 is already there (@ 0x99B450) and is exactly the same code as in the 105 FW. Am I missing something, or did anyone make changes to the flasher?

mx3
Re: 40D Disk Dumping. More Trials
« Reply #16 on: 11 / June / 2008, 05:38:18 »
Hi MX3,

Why load the flasher of the 105 FW? The flasher in the 108 is already there (@ 0x99B450) and is exactly the same code as in the 105 FW. Am I missing something, or did anyone make changes to the flasher?

I'm not sure what you are talking about.

We are trying to dump the firmware to the CF card from a patched flasher.

See the attached "toolkit" here
and the instructions here.


The 105 flasher is identical to the 108.

Re: 40D Disk Dumping. More Trials
« Reply #17 on: 11 / June / 2008, 05:45:25 »
OK, a patched flasher, I get it.



ASalina

Re: 40D Disk Dumping. More Trials
« Reply #18 on: 11 / June / 2008, 05:55:21 »
@mx3

Man, you are fast! :-)

Ok, open() is returning a negative number.
I added "else{ LED_ON; }" and the LED came on.
« Last Edit: 11 / June / 2008, 05:58:34 by ASalina »

mx3
Re: 40D Disk Dumping. More Trials
« Reply #19 on: 11 / June / 2008, 05:57:42 »
Ok, open() is returning a negative number.

Create an empty file.
Also, it is possible to add the function create.