40D 1.0.8 Dump Available - page 2 - DSLR Hack development - CHDK Forum

*

ASalina

Re: 40D 1.0.8 Dump Available
« Reply #10 on: 12 / June / 2008, 13:35:01 »
Addendum: entry.s calls scan().

Re: 40D 1.0.8 Dump Available
« Reply #11 on: 12 / June / 2008, 14:17:45 »
Can you check if the "EOS_DEVELOP" is in the right place, in a raw editor? If it is, you'll probably have to dump FFFF0000 to see what is checked.

"... "BOOTDISK" at 0x40, and "EOS_DEVELOP" at 0x2B ..."

*

DataGhost
Re: 40D 1.0.8 Dump Available
« Reply #12 on: 12 / June / 2008, 15:01:46 »
Yes, it seems to be the same code as in the 400D.

ASalina: did you edit the disk (MBR) or the partition header? It should say "FAT16" somewhere in that section you edited and you're probably overwriting a value "EOS_DIGITAL" (or some other readable thing.. or nothing) with "EOS_DEVELOP". If you edited the disk header (MBR) instead of the partition header, it's likely not to work :)
Also, can you attach AUTOEXEC.BIN somewhere or are you 100% positive that it should work (correct order of binary parts)?

I haven't had a chance to trace it all out yet, but there seem to be other tests taking place in the function that looks for "EOS_DEVELOP" and "BOOTDISK". In fact, it looks for those strings several times, doing other tests each time.
There are two sets of 'checks', each containing two references to both EOS_DEVELOP and BOOTDISK. If I read and recall it correctly, one of those sets is to write those values to the CF and the other set checks for their presence (executing AUTOEXEC.BIN afterwards). The fact that there are two references to those strings in each set is because one tests/writes those strings for FAT12/16, the other for FAT32.
« Last Edit: 12 / June / 2008, 15:07:09 by DataGhost »

*

ASalina

Re: 40D 1.0.8 Dump Available
« Reply #13 on: 12 / June / 2008, 15:29:57 »
Can you check if the "EOS_DEVELOP" is in the right place, in a raw editor? If it is, you'll probably have to dump FFFF0000 to see what is checked.

"... "BOOTDISK" at 0x40, and "EOS_DEVELOP" at 0x2B ..."


Yes, that is what I have on my CF card, exactly.
Looking at the code, it seems like 0xF8000000 is being checked for -1. If it does not contain -1 then the sub that executes the AUTOEXEC.BIN file is called. There are other conditions that have to be met as well. Quite a gauntlet of checks, it seems.

A feature that confuses things is that .BIN and .FIR files can be executed interactively from Canon's Magic Console, if present.
That makes the code harder to follow.

Still digging.

@DataGhost

Here is output from the command "bvi /dev/sda1" (bvi is a binary file editor). (/dev/sda1 is the cf card reader with the cf card in it)

Code:
00000000  EB 3C 90 43 61 6E 6F 6E 45 4F 53 00 02 04 01 00 02 00 02 00 .<.CanonEOS.........
00000014  00 F8 F5 00 20 00 08 00 20 00 00 00 E0 D2 03 00 80 00 29 00 .... ... .........).
00000028  00 00 00 45 4F 53 5F 44 45 56 45 4C 4F 50 46 41 54 31 36 20 ...EOS_DEVELOPFAT16
0000003C  20 20 00 00 42 4F 4F 54 44 49 53 4B 00 00 00 00 00 00 00 00   ..BOOTDISK........

Here is AUTOEXEC.BIN (linked for 0x10800000)



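To make the dump above concrete, here is an added example (not code from this thread or from CHDK) that parses the FAT16 boot sector transcribed from the bvi output, reports the BPB fields, and checks for the "EOS_DEVELOP" label at 0x2B and "BOOTDISK" at 0x40 that DataGhost's two check sets look for; it also reads the first partition's start LBA from an MBR so the check is applied to the partition header rather than the disk header. The FAT32 branch uses the standard 0x47 label offset; that the firmware reads the label there on FAT32 is an assumption.

```python
import struct

# Boot sector transcribed from the bvi dump of /dev/sda1 posted above (offsets
# 0x00-0x47), zero-padded to a full 512-byte sector for this example.
BOOT_SECTOR = bytes.fromhex(
    "EB3C90" "43616E6F6E454F53"            # 0x00 jump, 0x03 OEM name "CanonEOS"
    "0002" "04" "0100" "02" "0002" "0000"  # 0x0B 512 B/sector, 4 sec/cluster, 1 reserved, 2 FATs, 512 root entries, tot16=0
    "F8" "F500" "2000" "0800" "20000000"   # 0x15 media, 245 sectors/FAT, sectors/track, heads, 32 hidden sectors
    "E0D20300" "80" "00" "29" "00000000"   # 0x20 total sectors, drive no., reserved, ext. boot sig 0x29, volume id
    "454F535F444556454C4F50"               # 0x2B volume label "EOS_DEVELOP"
    "4641543136202020" "0000"              # 0x36 FS type "FAT16   ", 0x3E two padding bytes
    "424F4F544449534B"                     # 0x40 "BOOTDISK"
).ljust(512, b"\x00")

BPB = struct.Struct("<3s8sHBHBHHBHHHII")  # jump .. total_sectors_32, little-endian, packed

def parse_boot_sector(sector: bytes) -> dict:
    """Decode the BIOS Parameter Block and locate the two boot-flag strings."""
    (_jmp, oem, bps, _spc, _rsvd, _nfats, root_ents, tot16, _media, spf16,
     _spt, _heads, hidden, tot32) = BPB.unpack_from(sector, 0)
    # FAT32 has no 16-bit root-entry count or sectors-per-FAT; its longer BPB
    # moves the volume label from 0x2B to 0x47 (and the FS type string to 0x52).
    is_fat32 = root_ents == 0 and spf16 == 0
    label_off = 0x47 if is_fat32 else 0x2B
    return {
        "oem": oem.decode("ascii", "replace"),
        "fat_type": "FAT32" if is_fat32 else "FAT12/16",
        "fs_type_field": sector[label_off + 11:label_off + 19].decode("ascii", "replace"),
        "bytes_per_sector": bps,
        "total_sectors": tot32 if tot16 == 0 else tot16,
        "hidden_sectors": hidden,
        "volume_label": sector[label_off:label_off + 11].decode("ascii", "replace"),
        "bootdisk_at_0x40": sector[0x40:0x48] == b"BOOTDISK",
    }

def has_boot_flags(sector: bytes) -> bool:
    """True when the label field holds "EOS_DEVELOP" and "BOOTDISK" sits at 0x40."""
    info = parse_boot_sector(sector)
    return info["volume_label"] == "EOS_DEVELOP" and info["bootdisk_at_0x40"]

def first_partition_lba(mbr: bytes) -> int:
    """Start LBA of partition 1 from the MBR: the sector to run has_boot_flags() on,
    rather than the MBR itself (it carries no BPB, only a partition table)."""
    if mbr[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("no 0x55AA signature at 0x1FE: not an MBR")
    return struct.unpack_from("<I", mbr, 0x1BE + 8)[0]
```

On a single-partition card the BPB's hidden-sector count (32 in this dump) should match the start LBA that the MBR's first partition entry gives, which is where the partition header lives.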
*

DataGhost
Re: 40D 1.0.8 Dump Available
« Reply #14 on: 12 / June / 2008, 15:41:11 »
Code looks ok, though it could use -O2 (it looks horrible but appears to do the trick). You're correct that it wants a value to be -1, indeed. Specifically at 0xF8000004, not 0xF8000000. At least, that's on the 105 firmware, I haven't loaded 108 into IDA yet. I'm now dumping a list file to find references to 0xF8000000 and see where it sets 0xF.....4.

Edit: As far as I can deduce from the code, it's the 'TORNADO' area... it's being checked for -1 and overwritten 'chip erase' somewhere for some reason, probably called from the terminal :) Anyway, I have just one theory about it: maybe the CF (MBR) or partition header is memory-mapped into 0xF8000000.. you could try overwriting byte 4 of the MBR and partition header with 0xFFFFFFFF (of course, backup first) and see if that helps.
« Last Edit: 12 / June / 2008, 15:52:08 by DataGhost »

*

ASalina

Re: 40D 1.0.8 Dump Available
« Reply #15 on: 12 / June / 2008, 15:46:28 »
You're correct that it wants a value to be -1, indeed. Specifically at 0xF8000004, not 0xF8000000. At least, that's on the 105 firmware, I haven't loaded 108 into IDA yet.

0xF800000C is the correct location in 1.0.8.

*

ASalina

Re: 40D 1.0.8 Dump Available
« Reply #16 on: 12 / June / 2008, 15:54:21 »
You're correct that it wants a value to be -1, indeed.

Just to keep the record straight. It wants the value to not be -1.

CMN R0, #1             ; equivalent to saying "CMP R0, #-1"
BNE loc_......

Re: 40D 1.0.8 Dump Available
« Reply #17 on: 12 / June / 2008, 15:58:03 »
FF800000 (=F8000000) is the bootflag place. I wrote about it in the other thread.


*

DataGhost
Re: 40D 1.0.8 Dump Available
« Reply #18 on: 12 / June / 2008, 16:03:12 »
You're correct that it wants a value to be -1, indeed.

Just to keep the record straight. It wants the value to not be -1.

CMN R0, #1             ; equivalent to saying "CMP R0, #-1"
BNE loc_......

True, yes. 0xF800000C and 0xF8000004 have to be not -1 for AUTOEXEC.BIN to be executed... and it also checks for not 1 (bitwise &1) at 0xC0220080.

owerlord: I didn't know that. Time to read your thread again, then :)

Edit: removed, see below
« Last Edit: 12 / June / 2008, 16:10:37 by DataGhost »

*

ASalina

Re: 40D 1.0.8 Dump Available
« Reply #19 on: 12 / June / 2008, 16:04:28 »
you could try overwriting byte 4 of the MBR and partition header with 0xFFFFFFFF (of course, backup first) and see if that helps.

I'd have to do some reading to figure out where the partition header is located because I'm not that familiar with FAT filesystems. Is it a simple location?

In the meantime I have put 0xFFFFFFFF in bytes 0x4-0x8 of the MBR and will try that.
