40D 1.0.8 Dump Available - DSLR Hack development - CHDK Forum

40D 1.0.8 Dump Available


ASalina

40D 1.0.8 Dump Available
« on: 11 / June / 2008, 11:59:49 »
RapidShare: Easy Filehosting

Re: 40D 1.0.8 Dump Available
« Reply #1 on: 12 / June / 2008, 03:12:53 »
Got it, thanks, it loads beautifully in IDA.
« Last Edit: 12 / June / 2008, 09:32:50 by emklap »

Re: 40D 1.0.8 Dump Available
« Reply #2 on: 12 / June / 2008, 06:34:19 »
Good work!!
You can now open the IDA of the 400D and the 40D and see many of the functions; it's a fast method.

There are written names for most of the kernel init functions from vxWorks, and others. If they have similar names, it will work better.

http://azorek.org/travel/other/400D_1.1.1_ow.idb

The best way to start is to go down from romStart and look at the shape of the functions.


ASalina

Re: 40D 1.0.8 Dump Available
« Reply #3 on: 12 / June / 2008, 11:01:14 »
Right now, the thing I want to figure out is how to get the camera to run AUTOEXEC.BIN properly, so I looked at your AUTOEXEC.BIN file from the "Rescue" thread. I see that you are setting flags in R0 to #5 and then branching to 0xFFFF0CC8, which I guess is the bootloader in ROM. So I opened 400D_1.1.1_ow.idb to look at that function, but it is not there (it ends at 0xFFB602EF). Am I doing something wrong, or can you post that part?

Thanks!


Re: 40D 1.0.8 Dump Available
« Reply #4 on: 12 / June / 2008, 11:43:21 »
The rescue disk writes bootflags and uses the bootloader (FFFF0000 segment) function. You don't have to run anything to run an autoexec.bin.

Write a blinking code, compile it and copy it as AUTOEXEC.BIN. If it runs, good. If not, the mechanism is probably different, and maybe you need your FFFF0000 segment dumped and checked (what label and things have to be set on the CF card).

Remember what I wrote in the other thread: the cardtricks program from this forum won't write the label properly !


mx3
Re: 40D 1.0.8 Dump Available
« Reply #5 on: 12 / June / 2008, 11:58:20 »
Quote
Right now, the thing I want to figure out is how to get the camera to run AUTOEXEC.BIN properly

hoa.
stop the music.
was there some successful experiment with autoexec.bin?

I suggest you use the old firmware update option until the autoexec.bin thing is clear

skype: max_dtc. ICQ: 125985663, email: win.drivers(at)gmail, eVB decompiler


mx3
Re: 40D 1.0.8 Dump Available
« Reply #6 on: 12 / June / 2008, 12:12:08 »
how can I export my functions to you?

IDA 5.2.0

update
Code:

CreateBinarySemaphore                     ROM FFD439AC 000000DC R . . . . . .
CreateEventFlag                           ROM FFD41E20 000000D0 R . . . . . .
CreateMessageQueue                        ROM FFD4286C 00000110 R . . . . . .
CreateTask                                ROM FFD44660 000001CC R . . . . . .
DeleteSemaphore                           ROM FFD43BA0 00000144 R . . . . . .
FIO_CreateFile_maybe                      ROM FFD1690C 000000BC R . . . . . .
FIO_Open                                  ROM FFD16840 000000C4 R . . . . . .
FIO_ReadFile                              ROM FFD16A94 000000B0 R . . . . . .
FSUmkdir                                  ROM FFD0F564 00000118 R . . . . . .
OpenLogFile                               ROM FFD4E518 000000C8 R . . . . . .
UPD_DecryptoFir_maybe                     ROM FFBC4A5C 00000070 R . . . . . .
__sflags                                  ROM FFD80C14 00000114 R . . . . . .
__sseek                                   ROM FFD7F240 0000003C R . . . . . .
assert                                    ROM FFD4C200 000000CC R . . . . . .
checksum                                  ROM FFD57890 00000018 R . . . . . .
close                                     ROM FFD77C58 00000060 R . . . . . .
create                                    ROM FFD77FFC 00000014 R . . . . . .
create_2                                  ROM FFD1D368 0000000C R . . . . . .
d                                         ROM FFD57728 000000A8 R . . . . . .
dump                                      ROM FFD4CCC8 00000074 R . . . . . .
dumpentire                                ROM FFD4D0DC 00000058 R . . . . . .
errnoSet                                  ROM FFD7A924 00000010 R . . . . . .
filewrite                                 ROM FFD5734C 00000130 R . . . . . .
fopen                                     ROM FFD80B80 00000090 R . . . . . .
free                                      ROM FFD7509C 00000014 R . . . . . .
gang                                      ROM FFD577E4 0000009C R . . . . . .
gpioread                                  ROM FFD578D0 0000001C R . . . . . .
grep                                      ROM FFD4CED4 00000064 R . . . . . .
harbint                                   ROM FFD57A18 00000010 R . . . . . .
i                                         ROM FFD59484 000000F8 R . . . . . .
ioCreateOrOpen                            ROM FFD77DA4 00000238 R . . . . . .
ioFullFileNameGet                         ROM FFD77884 00000078 R . . . . . .
ioctl                                     ROM FFD77AE0 0000000C R . . . . . .
ioctl_2                                   ROM FFD1D3B0 0000000C R . . . . . .
iosClose                                  ROM FFD76B98 000000BC R . . . . . .
iosCreate_maybe                           ROM FFD76C60 00000034 R . . . . . .
iosDelete                                 ROM FFD76C98 00000034 R . . . . . .
iosDevFind                                ROM FFD7713C 00000058 R . . . . . .
iosDevMatch                               ROM FFD770CC 0000006C R . . . . . .
iosFdFree                                 ROM FFD76EE4 000000D0 R . . . . . .
iosFdNew                                  ROM FFD76D04 00000124 R . . . . . .
iosFdSet                                  ROM FFD76E34 000000AC R . . . . . .
iosOpen_maybe                             ROM FFD76CD0 00000030 R . . . . . .
iosWrite                                  ROM FFD769F0 000000C8 R . . . . . .
log1                                      ROM FFD5A028 0000004C R . . . . . .
log3                                      ROM FFD7A610 00000028 R . . . . . .
lseek                                     ROM FFD77A20 000000BC R . . . . . .
memShow                                   ROM FFD578F0 000000A0 R . . . . . .
mem_fn                                    ROM FFD56D40 0000001C R . . . . . .
mem_fn_0                                  ROM FFD5B3FC 00000034 R . . . . . .
mem_fn_1                                  ROM FFD5B43C 00000018 R . . . . . .
mem_fn_2                                  ROM FFD56CFC 00000044 R . . . . . .
olddump                                   ROM FFD4CD4C 00000074 R . . . . . .
open                                      ROM FFD77FEC 00000010 R . . . . . .
open_2                                    ROM FFD1D35C 0000000C R . . . . . .
read_mb_r0_to_0x21020                     ROM FFD1D440 0000000C R . . . . . .
stdioFpCreate                             ROM FFD7F114 00000084 R . . . . . .
stdioFpDestroy                            ROM FFD7F0F0 00000020 R . . . . . .
strcmp                                    ROM FFD7D680 0000003C R . . . . . .
strcpy                                    ROM FFD7D4F8 00000024 R . . . . . .
strlen                                    ROM FFD7D348 0000002C R . . . . . .
strncpy                                   ROM FFD7D24C 00000060 R . . . . . .
taskShow                                  ROM FFD578A8 00000014 R . . . . . .
task_1stCapture                           ROM FF8149DC 00000370 . . . . . . .
task_CSMgrTask                            ROM FFD17E7C 0000023C R . . . . . .
task_CapPower                             ROM FF815394 00000054 . . . . . . .
task_CmdShell                             ROM FFD4ED0C 00000084 R . . . . . .
task_Develop                              ROM FF817A48 00000418 . . . . . . .
task_DpsReceiveTask                       ROM FFAEB368 00000808 R . . . . . .
task_GuiLockTask                          ROM FF859EBC 00000220 R . . . . . .
task_GuiMainTask                          ROM FF85B84C 00000338 R . . . . . .
task_HotPlug                              ROM FF812CB0 0000048C R . . . . . .
task_MainCtrl                             ROM FF8134A4 00000120 R . . . . . .
task_Marker                               ROM FF8127F4 0000003C . . . . . . .
task_PostCapture                          ROM FF814D8C 000000D4 . . . . . . .
task_PowerMgr                             ROM FFD5A4A4 000000B4 . . . . . . .
task_RelSchemer                           ROM FF853F00 000002B8 R . . . . . .
task_TaskMain                             ROM FF811720 00000558 R . . . . . .
task_TaskTuneData                         ROM FF812758 00000070 R . . . . . .
task_Terminate                            ROM FF818DBC 000002FC R . . . . . .
taskcreate_CSMgrTask                      ROM FFD177A0 000001F0 R . . . . . .
taskcreate_CapPower                       ROM FF81454C 0000010C R . . . . . .
taskcreate_CmdShell                       ROM FFD4EC80 00000044 R . . . . . .
taskcreate_Develop                        ROM FF8182A0 00000098 R . . . . . .
taskcreate_EvntExec.c___Error_Line____d__ ROM FFC70700 000000BC R . . . . . .
taskcreate_GuiLockTask                    ROM FF85A19C 00000120 R . . . . . .
taskcreate_GuiMainTask                    ROM FF85BBCC 000000C8 R . . . . . .
taskcreate_HotPlug                        ROM FF8128B0 00000240 R . . . . . .
taskcreate_MainCtrl                       ROM FF81382C 00000094 R . . . . . .
taskcreate_Marker                         ROM FF8126E4 00000030 R . . . . . .
taskcreate_PowerMgr                       ROM FFD5A39C 00000040 R . . . . . .
taskcreate_RelSchemer                     ROM FF853C24 0000017C R . . . . . .
taskcreate_TaskMain                       ROM FF81131C 00000164 R . . . . . .
taskcreate_Terminate                      ROM FF8189DC 0000034C R . . . . . .
vfprintf                                  ROM FFD79564 00000C6C R . . . . . .
write                                     ROM FFD77AEC 00000070 R . . . . . .
write_2                                   ROM FFD1D398 0000000C R . . . . . .

« Last Edit: 12 / June / 2008, 12:24:35 by mx3 »


ASalina

Re: 40D 1.0.8 Dump Available
« Reply #7 on: 12 / June / 2008, 12:35:44 »
Quote
hoa.
stop the music.
was there some successful experiment with autoexec.bin?

On the 400D, yes. On the 40D, no. Not yet.

Quote
I suggest you use the old firmware update option until the autoexec.bin thing is clear

I'd like to get an image of memory with the OS running and do other things like owerlord is doing. Do you see danger in trying to get AUTOEXEC.BIN going?


Note: I just tried an AUTOEXEC.BIN. A simple LED flasher. No joy. There is something more to be done than just making the card bootable. I think some flag needs to be set (probably by AUTOEXEC.BIN itself).



DataGhost
Re: 40D 1.0.8 Dump Available
« Reply #8 on: 12 / June / 2008, 13:01:03 »
How did you make it bootable? What filesystem are you using? I don't exactly know what triggers it yet, but the structure of the code looks very similar to the code on the 400D, so if there is anything special that needs to be done with AUTOEXEC.BIN, owerlord already did it for his 400D and it's probably the same for the 40D.
Oh and what is the exact code you tried to execute, how did you compile it? What exactly is 'No joy', camera didn't turn on or did something else happen?

The other thing I noticed is that it could also start at 0x10800000 but I'm not exactly sure when that happens. I also see some reference to a checksum so it may need one.
« Last Edit: 12 / June / 2008, 13:07:11 by DataGhost »


ASalina

Re: 40D 1.0.8 Dump Available
« Reply #9 on: 12 / June / 2008, 13:23:14 »
Quote
How did you make it bootable?

I edited the raw disk with a binary editor.

Quote
What filesystem are you using?

FAT16 on an old Sandisk 128meg CF card.

Quote
I don't exactly know what triggers it yet, but the structure of the code looks very similar to the code on the 400D, so if there is anything special that needs to be done with AUTOEXEC.BIN, owerlord already did it for his 400D and it's probably the same for the 40D.

I haven't had a chance to trace it all out yet, but there seems to be other tests taking place in the function that looks for "EOS_DEVELOP" and "BOOTDISK". In fact, it looks for those strings several times, doing other tests each time.

Quote
Oh and what is the exact code you tried to execute,
Code:
/* LED register addresses and on/off values are as posted; the pointers are
   volatile so the compiler never caches a read or drops a write to them. */
#define RED_LED  ((volatile int *)0xC02200E0)
#define BLUE_LED ((volatile int *)0xC02200E8)
#define LONG_PAUSE 350000
#define SHORT_PAUSE 150000
#define ON 0x46
#define OFF 0x48

/* Busy-wait loop; volatile keeps the NOPs from being optimised away. */
void delay(int i)
{
        while(--i)
        {
                asm volatile("nop");
                asm volatile("nop");
                asm volatile("nop");
                asm volatile("nop");
        }
}

void blueled(int onoff)
{
        *BLUE_LED = onoff;
}

void redled(int onoff)
{
        *RED_LED = onoff;
}

/* Flash red, then blue, restoring whatever value each LED register held. */
void scan(void)
{
        int j, red_val, blue_val;

        blue_val = *BLUE_LED;
        red_val = *RED_LED;

        for(j = 0; j < 100000; j++){
                delay(SHORT_PAUSE);
                redled(ON);
                delay(SHORT_PAUSE);
                redled(red_val);
                delay(SHORT_PAUSE);
                blueled(ON);
                delay(SHORT_PAUSE);
                blueled(blue_val);
        }
}

Quote
how did you compile it?

Code:
arm-elf-gcc -fno-builtin -Ilib -nostdinc -c entry.s
arm-elf-gcc -fno-builtin -Ilib -mcpu=arm9 -c autoexec.c
arm-elf-gcc -fno-builtin -nostdlib -Wl,-N,-Ttext,800000 -o autoexec.exec entry.o autoexec.o
arm-elf-objcopy -O binary autoexec.exec autoexec.bin

Quote
What exactly is 'No joy', camera didn't turn on or did something else happen?

The camera booted up normally just as if I had put a freshly formatted CF card in.

Quote
The other thing I noticed is that it could also start at 0x10800000 but I'm not exactly sure when that happens. I also see some reference to a checksum so it may need one.

Hmmm... I'll try re-linking with a load address of 0x10800000.
And I'll look into the checksum.

Thanks
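
To check a card the way this exchange describes (the boot code looking for "EOS_DEVELOP" and "BOOTDISK" in the FAT16 boot sector, and cardtricks not writing the label properly), here is an added Python example that is not from the thread or from any of its posters: it parses a 512-byte FAT16 boot sector, reports the BPB fields a raw-disk edit must leave intact, and flags a missing or mis-written marker. The offsets are assumptions: 0x2B is the standard FAT12/16 BPB volume-label field, 0x40 for "BOOTDISK" is assumed rather than stated in the thread, and the sample sector is constructed.

```python
import struct

VOLUME_LABEL_OFF = 0x2B  # BPB volume-label field, 11 bytes, space padded (FAT12/16)
BOOTDISK_OFF = 0x40      # assumed FAT16 position of the "BOOTDISK" marker
FSTYPE_OFF = 0x36        # BPB file-system type string, 8 bytes

def _text(sector, off, n):
    return sector[off:off + n].decode("ascii", "replace")

def parse_bpb(sector):
    """Pull the BPB fields a hand edit must leave intact, plus both markers."""
    if len(sector) != 512:
        raise ValueError("boot sector must be exactly 512 bytes")
    bps, spc, reserved, fats, root_entries = struct.unpack_from("<HBHBH", sector, 0x0B)
    return {
        "bytes_per_sector": bps, "sectors_per_cluster": spc,
        "reserved_sectors": reserved, "fat_count": fats, "root_entries": root_entries,
        "fs_type": _text(sector, FSTYPE_OFF, 8),
        "volume_label": _text(sector, VOLUME_LABEL_OFF, 11),
        "bootdisk": _text(sector, BOOTDISK_OFF, 8),
        "signature_ok": sector[510:512] == b"\x55\xAA",
    }

def check_boot_markers(sector):
    """Return a list of problems; an empty list means both markers look right."""
    info = parse_bpb(sector)
    problems = []
    if not info["signature_ok"]:
        problems.append("missing 0x55AA boot signature")
    if not info["fs_type"].startswith("FAT16"):
        problems.append("fs type is %r, expected FAT16" % info["fs_type"])
    if info["volume_label"] != "EOS_DEVELOP":
        problems.append("volume label is %r, expected 'EOS_DEVELOP'" % info["volume_label"])
    if info["bootdisk"] != "BOOTDISK":
        problems.append("no 'BOOTDISK' marker at offset 0x%02X" % BOOTDISK_OFF)
    return problems

def make_sample_sector(label=b"EOS_DEVELOP", marker=b"BOOTDISK"):
    """Constructed FAT16 boot sector (not a real card dump) with 128 MB geometry."""
    s = bytearray(512)
    s[0:3], s[3:11] = b"\xEB\x3C\x90", b"MSWIN4.1"               # jump + OEM name
    struct.pack_into("<HBHBHHB", s, 0x0B, 512, 4, 1, 2, 512, 0, 0xF8)  # BPB, total16=0
    struct.pack_into("<HHHII", s, 0x16, 256, 63, 255, 0, 262144)  # FAT size .. total32
    s[0x26] = 0x29                                                # extended boot sig
    s[VOLUME_LABEL_OFF:VOLUME_LABEL_OFF + 11] = label.ljust(11)[:11]
    s[FSTYPE_OFF:FSTYPE_OFF + 8] = b"FAT16   "
    s[BOOTDISK_OFF:BOOTDISK_OFF + 8] = marker.ljust(8)[:8]
    s[510:512] = b"\x55\xAA"
    return bytes(s)
```

Feed check_boot_markers() the first 512 bytes read from a card image; an empty list means the label and marker are where this check expects them.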
