40D 1.0.8 Dump Available - page 3 - DSLR Hack development - CHDK Forum

40D 1.0.8 Dump Available


ASalina

Re: 40D 1.0.8 Dump Available
« Reply #20 on: 12 / June / 2008, 16:09:16 »
FF800000 (=F8000000) is the bootflag place. I wrote about it in the other thread.

That's what I thought I'd read. Now to figure out how to set those flags...


DataGhost
Re: 40D 1.0.8 Dump Available
« Reply #21 on: 12 / June / 2008, 16:12:19 »
Hm, so you have to execute EnableBootDisk (which looks like it should store (NOT 0) into 0xF800004) before AUTOEXEC.BIN will be considered? That's not really useful IMO.. so it still requires at least one 'firmware update' step? Ah well, I guess it's usable.

On FW 105, EnableBootDisk is at loc_FFD5CA5C... search for the string EnableBootDisk; it should be loaded into R0 somewhere, then 0 into R1, and the address of the function itself should be loaded into R2. It'll then call a function to register it, with a structure similar to the functions being registered around it. It doesn't want arguments, so maybe owerlord can confirm that this function indeed does enable loading a bootdisk and whether or not it's persistent.
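The search DataGhost describes (find the name string, find the literal-pool word holding its address, find the `LDR R0, [PC, #imm]` that loads it, then the `MOV R1, #0` and `LDR R2, [PC, #imm]` that pass the handler to the registration call) can be done on a raw dump without IDA. The script below is an added example, not code from this thread or from CHDK. It assumes the ROM loads at 0xFF800000 and that the code is 32-bit little-endian ARM (not Thumb); the image it scans is constructed in `build_sample_rom()` and contains one made-up registration sequence, so the addresses it prints are not real 40D addresses.

```python
import struct

# Assumed from the thread: the 40D's main ROM is loaded at 0xFF800000 and the
# code is 32-bit ARM, little-endian. The image below is constructed, not a real dump.
ROM_BASE = 0xFF800000


def find_all(buf, needle):
    """Yield every offset at which `needle` occurs in `buf`."""
    i = buf.find(needle)
    while i != -1:
        yield i
        i = buf.find(needle, i + 1)


def ldr_pc_target(word, insn_addr):
    """Decode an always-executed ARM 'LDR Rd, [PC, #+/-imm12]'.

    Returns (rd, literal_address) or None. In ARM state PC reads as the
    instruction address + 8, so the literal sits at insn + 8 +/- imm12.
    """
    if (word >> 28) != 0xE or (word & 0x0F7F0000) != 0x051F0000:
        return None
    rd = (word >> 12) & 0xF
    imm = word & 0xFFF
    target = insn_addr + 8 + (imm if (word >> 23) & 1 else -imm)
    return rd, target


def find_string_refs(rom, base, needle):
    """Find `needle`, every literal-pool word holding its address, and every
    PC-relative LDR that loads that word. Returns a list of dicts."""
    refs = []
    for soff in find_all(rom, needle):
        saddr = base + soff
        for poff in find_all(rom, struct.pack('<I', saddr)):
            if poff % 4:
                continue                      # literal pools are word-aligned
            paddr = base + poff
            lo = max(0, poff - 8 - 0xFFF)            # furthest LDR with a positive offset
            hi = min(len(rom) - 4, poff - 8 + 0xFFF)  # furthest LDR with a negative offset
            for ioff in range(lo - lo % 4, hi + 1, 4):
                word = struct.unpack_from('<I', rom, ioff)[0]
                r = ldr_pc_target(word, base + ioff)
                if r and r[1] == paddr:
                    refs.append({'string': saddr, 'pool': paddr,
                                 'insn': base + ioff, 'reg': r[0]})
    return refs


def decode_registration(rom, base, insn_addr, lookahead=4):
    """Given the LDR that puts the name in R0, look a few instructions ahead for
    'MOV R1, #0' and 'LDR R2, [PC, #imm]' (the pattern described in the post)
    and resolve R2's literal, i.e. the handler address. None if not matched."""
    off = insn_addr - base
    saw_mov_r1, handler = False, None
    for ioff in range(off + 4, off + 4 + 4 * lookahead, 4):
        if ioff + 4 > len(rom):
            break
        word = struct.unpack_from('<I', rom, ioff)[0]
        if word == 0xE3A01000:                # MOV R1, #0
            saw_mov_r1 = True
        r = ldr_pc_target(word, base + ioff)
        if r and r[0] == 2 and 0 <= r[1] - base <= len(rom) - 4:
            handler = struct.unpack_from('<I', rom, r[1] - base)[0]
    return handler if saw_mov_r1 else None


def build_sample_rom():
    """Constructed 0x300-byte image with one registration sequence and its literals."""
    rom = bytearray(0x300)
    struct.pack_into('<I', rom, 0x100, 0xE59F0010)        # LDR R0, [PC, #0x10]  -> 0x118
    struct.pack_into('<I', rom, 0x104, 0xE3A01000)        # MOV R1, #0
    struct.pack_into('<I', rom, 0x108, 0xE59F200C)        # LDR R2, [PC, #0xC]   -> 0x11C
    struct.pack_into('<I', rom, 0x118, ROM_BASE + 0x200)  # literal: name string
    struct.pack_into('<I', rom, 0x11C, ROM_BASE + 0x250)  # literal: handler (made up)
    rom[0x200:0x20F] = b'EnableBootDisk\0'
    return bytes(rom)


if __name__ == '__main__':
    rom = build_sample_rom()
    for ref in find_string_refs(rom, ROM_BASE, b'EnableBootDisk\0'):
        handler = decode_registration(rom, ROM_BASE, ref['insn'])
        print(f"name @{ref['string']:#x} via pool @{ref['pool']:#x}, "
              f"LDR R{ref['reg']} @{ref['insn']:#x}, handler={handler:#x}")
```

To run it against a real dump, replace `build_sample_rom()` with the file contents and keep `ROM_BASE` equal to the loading offset used in IDA; matches in the literal pool that are not preceded by an `LDR` within 4 KiB are data coincidences and are dropped by the window check.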

Re: 40D 1.0.8 Dump Available
« Reply #22 on: 12 / June / 2008, 17:41:11 »
If you had a FFFF0000 dump, it would be very easy to make a flag-changer (as I did in the rescue disk).

I'm leaving for a couple of days, so I can't help you, but:
The FFFF0000 is structured like this:

First there are a couple of IRQs. The first is the main entry point.
In this procedure, the system checks the bootflags and
a) runs the loader program
b) runs the specified place in memory (800000 or F8010000)
c) runs the menu

a) means: there is a small function that takes one argument ("code"), copies the loader program to RAM (attached at the end of the bootloader) and runs the loader with the argument. It is copied so it can change ROM without problem.

The loader takes the argument and does one of a switch like "load .fir file", "check and run AUTOEXEC.BIN" and so on. One of the switch cases is a menu, and some of the options in the menu change the boot-flags.

If everything is like in the 400D you can run the code in the rescue disk and it will change the boot-flags as they are in my camera (which runs AUTOEXEC.BIN :D)
But I wouldn't experiment; I would dump the FFFF0000 in your place :-)
« Last Edit: 12 / June / 2008, 17:42:53 by owerlord »


ASalina

Re: 40D 1.0.8 Dump Available
« Reply #23 on: 12 / June / 2008, 22:14:57 »
I'm having a persistent problem loading dumps into IDA.
I keep getting a warning saying "Loading address should belong to RAM or ROM" but as far as I can see, the loading address does belong to ROM. The ROM Size and Loading Size fields are filled out by IDA automatically.

Does anyone know what I'm doing wrong? In the screenshot below I'm trying to load a dump of 0xFFFF0000 but I get the same error when trying to load the Firmware dump too.

Thanks

Screenshot:



mx3
Re: 40D 1.0.8 Dump Available
« Reply #24 on: 13 / June / 2008, 00:53:44 »
ROM size must be 0x10000 (not 0x100000)

use 0xFFF0 in both "ROM size" and "loading size"


ASalina

Re: 40D 1.0.8 Dump Available
« Reply #25 on: 13 / June / 2008, 01:35:56 »
ROM size must be 0x10000 (not 0x100000)

use 0xFFF0 in both "ROM size" and "loading size"

Thanks. That doesn't line up either, but your response did make me realize that I was using the 32bit version of IDA, not the 64bit one. Now I can load with the values I first mentioned. :-)

Re: 40D 1.0.8 Dump Available
« Reply #26 on: 13 / June / 2008, 04:31:48 »
Hi,

I loaded it in IDA 5.2 64-bit
Loading segment 0x0
Loading offset 0xFF800000
File offset 0x0
nr of bytes = 0 (0 means maximum)

Now I have both the ROM .fir file 0x800000-0x99DC98 and the ROM 0xFF800000-FFFFFFFF loaded in the same IDA file.

To analyze the ROM part I use the attached scripts 40DROM.rar

I applied the signature of the VxWorks A720 and have limited matches.
MX3, can you explain how you got your functions as mentioned in this thread yesterday? I do not find any of them by applying the signature I have.

I also attached my output of the script FuncListSave.idc
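Replies #24 to #26 turn on segment arithmetic: the 0xFFFF0000 dump is 0x10000 bytes, so as a segment its end address is 0x100000000, which needs 33 bits, while mx3's 0xFFF0 size ends at 0xFFFFFFF0; and a full 0xFF800000-0xFFFFFFFF ROM segment already covers the 0xFFFF0000 region, so loading both into one database overlaps. The thread does not say why the 32-bit IDA build rejected the load, so treat that as an open question; what follows is an added helper (not code from the thread or from IDA) for checking these ranges before loading. It takes 0x99DC98 to be the end (one past the last byte) of the .fir image, which is an assumption, and uses the loc_FFD5CA5C address quoted earlier only to show the address-to-file-offset mapping.

```python
from dataclasses import dataclass

# Assumption: the 40D is a 32-bit ARM target, so an end address should fit in 32 bits.
ADDR_BITS = 32


@dataclass(frozen=True)
class Segment:
    name: str
    base: int   # "loading offset" given to IDA
    size: int   # "nr of bytes" actually loaded

    @property
    def end(self):
        """One past the last byte, i.e. what an end-address field has to hold."""
        return self.base + self.size

    @property
    def last(self):
        return self.base + self.size - 1

    def end_fits_in(self, bits=ADDR_BITS):
        """True when both base and end are representable as `bits`-bit addresses."""
        return 0 <= self.base and self.end <= (1 << bits) - 1

    def contains(self, addr):
        return self.base <= addr <= self.last

    def overlaps(self, other):
        return self.base <= other.last and other.base <= self.last

    def addr_to_file_offset(self, addr, file_offset=0):
        """Map a virtual address back into the dump file, given the file offset
        the segment was loaded from."""
        if not self.contains(addr):
            raise ValueError(f'{addr:#x} is outside {self.name}')
        return addr - self.base + file_offset


def plan(segments, bits=ADDR_BITS):
    """Per-segment range report plus the list of overlapping pairs."""
    report = {s.name: {'first': s.base, 'last': s.last, 'end': s.end,
                       'end_fits': s.end_fits_in(bits)} for s in segments}
    clashes = [(a.name, b.name)
               for i, a in enumerate(segments) for b in segments[i + 1:]
               if a.overlaps(b)]
    return report, clashes


# Ranges quoted in the thread. 0x99DC98 is taken as the end of the .fir image (assumption).
FIR = Segment('fir', 0x800000, 0x99DC98 - 0x800000)
ROM = Segment('rom', 0xFF800000, 0x800000)               # 0xFF800000-0xFFFFFFFF
BOOT_FULL = Segment('bootrom', 0xFFFF0000, 0x10000)      # the full 64 KiB dump
BOOT_TRIM = Segment('bootrom_fff0', 0xFFFF0000, 0xFFF0)  # mx3's suggested size

if __name__ == '__main__':
    report, clashes = plan([FIR, ROM, BOOT_FULL, BOOT_TRIM])
    for name, r in report.items():
        print(f"{name:13} {r['first']:#010x}-{r['last']:#010x} end={r['end']:#x} "
              f"end fits in 32 bits: {r['end_fits']}")
    print('overlapping:', clashes)
    # Where in the ROM dump file does FW 1.0.5's loc_FFD5CA5C live?
    print(f"loc_FFD5CA5C -> file offset {ROM.addr_to_file_offset(0xFFD5CA5C):#x}")
```

The `overlaps` check is the one to run before adding the boot ROM dump to a database that already holds the full ROM: the two ranges coincide, so the second load would overwrite the bytes of the first rather than sit beside them.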


mx3
Re: 40D 1.0.8 Dump Available
« Reply #27 on: 13 / June / 2008, 07:24:33 »
MX3, can you explain how you got your functions as mentioned in this thread yesterday? I do not find any of them by applying the signature I have.
I have the source code of VxWorks 5.5

ASalina

Re: 40D 1.0.8 Dump Available
« Reply #28 on: 14 / June / 2008, 11:32:49 »
How can I export my functions to you?

IDA 5.2.0

Sorry, I completely missed this request.

Try the IDC script by Seklth called FuncListSave here:
code you HAVE RUN on your dslr


ASalina

Re: 40D 1.0.8 Dump Available
« Reply #29 on: 14 / June / 2008, 14:35:12 »
Part 1 of Function List exported from 40D 1.0.8 dump. I've got a long long way to go before I've gotten all of the func names that are sent to TryPostEvent(). This is the first 208 of them. Expect more than 2000 of them eventually, but even this preliminary list is very enlightening and helps to make sense of the code.

Notes about the function names: As usual, I've left the function addresses on the end of the function names for easier reference. These addresses can be stripped off in an official release in the future. They shouldn't do any harm if left in place (I actually think they prevent namespace clashes in the event of accidental misnaming). Some functions that call TryPostEvent do not provide a function name string, or are at best ambiguous. I've opted not to make up my own names for these functions because I haven't had time to analyze them in order to give them meaningful names.

I'll be posting updates (in additional parts) as time permits.

Use FuncListLoad.idc from code you HAVE RUN on your dslr to import these function names into your 1.0.8 dump listing.
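The naming convention in reply #29 (the function address kept as a suffix on each recovered name, to be stripped later, with the suffix doubling as protection against two routines ending up with the same name) is easy to check mechanically. Below is an added example, not code from the thread or from the FuncListSave/FuncListLoad scripts, whose output format is not shown here; it works on (address, name) pairs that are constructed for the example, and the names in `SAMPLE` are not real 40D functions. It flags suffixes that disagree with the real address, strips the suffix for a release listing, and keeps it wherever stripping would make two functions collide.

```python
import re
from collections import defaultdict

# Constructed (address, name) pairs in the style the post describes: each recovered
# name carries its function address as a trailing hex suffix. Not real 40D data.
SAMPLE = [
    (0xFF81A234, 'TryPostEvent_FF81A234'),
    (0xFF820010, 'StartShoot_FF820010'),
    (0xFF82A000, 'StartShoot_FF82A000'),   # same label string used by a second routine
    (0xFF830100, 'StopShoot_FF830200'),    # suffix disagrees with where it actually sits
    (0xFF840000, 'sub_FF840000'),          # IDA default name: not one of ours
]

SUFFIX = re.compile(r'^(?P<base>.+?)_(?P<addr>[0-9A-Fa-f]{6,8})$')
IDA_DEFAULT = re.compile(r'^(sub|loc|unk)_[0-9A-Fa-f]+$')


def split_suffix(name):
    """Return (base_name, suffix_address), or (name, None) when there is no suffix
    or the name is one of IDA's automatic sub_/loc_/unk_ names."""
    m = SUFFIX.match(name)
    if not m or IDA_DEFAULT.match(name):
        return name, None
    return m.group('base'), int(m.group('addr'), 16)


def check_suffixes(entries):
    """Names whose trailing address does not match the function's real address."""
    return [(addr, name) for addr, name in entries
            if split_suffix(name)[1] not in (None, addr)]


def strip_suffixes(entries):
    """Drop the address suffix for a release listing.

    Returns (renamed, clashes). A base name that several functions would share
    once stripped is exactly the namespace clash the suffix guards against;
    those entries keep their suffixed name and are reported in `clashes`.
    """
    by_base = defaultdict(list)
    for addr, name in entries:
        base, suf = split_suffix(name)
        if suf is not None:
            by_base[base].append(addr)
    renamed = []
    for addr, name in entries:
        base, suf = split_suffix(name)
        keep_short = suf is not None and len(by_base[base]) == 1
        renamed.append((addr, base if keep_short else name))
    clashes = {b: a for b, a in by_base.items() if len(a) > 1}
    return renamed, clashes


if __name__ == '__main__':
    for addr, name in check_suffixes(SAMPLE):
        print(f'suffix mismatch: {name} is actually at {addr:#x}')
    renamed, clashes = strip_suffixes(SAMPLE)
    for addr, name in renamed:
        print(f'{addr:#010x} {name}')
    print('kept suffix because of clashes:',
          {b: [f'{a:#x}' for a in al] for b, al in clashes.items()})
```

Running `check_suffixes` after every import round catches the accidental misnaming the post mentions before it spreads: a name whose suffix points somewhere else was almost certainly pasted onto the wrong function.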
