How to Dump Firmware ? - page 6 - Firmware Dumping - CHDK Forum

How to Dump Firmware ?

  • 78 Replies
  • 152370 Views
*

Offline fe50

  • ******
  • 3152
  • IXUS50 & 860, SX10 Star WARs-Star RAWs
    • fe50
Re: How to Dump Firmware ?
« Reply #50 on: 17 / August / 2009, 06:50:12 »
Advertisements
@siatitel

The P-ID for the A480 is 31BF, not 3117 (that's the P-ID of A700); a fw file with the wrong P-ID will be rejected by the camera.

The A480 won't run a PS.FIR file, that's the "old" style; new DryOS cameras need encrypted PS.FI2 files.

Attached you'll find the files i used for the SX10 LED adresses...
You have to replace the address you want to test, then run make.bat (you need the gcc dev environment set up correctly; the easiest way is to call a cmd window from within CHDK-Shell & change to you working directory).

The SX10 runs fine with the autoboot method (with diskboot bin), but the A480 probably dont start with such a diskboot bin (don't forget to make the card bootable & lock it !), as some of the newer models like the SX200.

Those cameras need PS.FI2 files loaded with the firmware update method; the PS.FI2 files are encrypted diskboot files, you'll find all informations about this here: fi2 encoder/decoder.

You should also have a look to the SX200 porting thread here in the forum...

Re: How to Dump Firmware ?
« Reply #51 on: 17 / August / 2009, 20:44:27 »

*

Offline whoever

  • ****
  • 280
  • IXUS950
Re: How to Dump Firmware ?
« Reply #52 on: 18 / August / 2009, 02:15:29 »
Quote
Attached you'll find the files i used for the SX10 LED adresses...
Quote
fe50
tanks for your advise, your instructions are very clear but i still get the "Update File Error!!!".
Don't the newer cams need "gaonisoy" signature? I.e.,
_start:
    B    main
_signature:
    .ascii "gaonisoy"
in entry.s

*

Offline reyalp

  • ******
  • 14125
Re: How to Dump Firmware ?
« Reply #53 on: 18 / August / 2009, 02:23:30 »
Don't forget what the H stands for.

*

Offline fe50

  • ******
  • 3152
  • IXUS50 & 860, SX10 Star WARs-Star RAWs
    • fe50
Re: How to Dump Firmware ?
« Reply #54 on: 18 / August / 2009, 02:52:57 »
Don't the newer cams need "gaonisoy" signature? I.e.,
_start:
    B    main
_signature:
    .ascii "gaonisoy"
in entry.s

Yes, "gaonisoy" is the sig on all DryOS cams, but until now that sig wasn't necessary for the blinker; i'm not sure, but i guess OldGit's blinker for the SX200 used the same entry.S without that sig, so it should work without this !?

They are compressed.
The uncompressed image needs to be a certain minimum size before the camera will accept it.

@siatitel:
Have a look to the Make.bat file, line 11 does this...

*

Offline whoever

  • ****
  • 280
  • IXUS950
Re: How to Dump Firmware ?
« Reply #55 on: 18 / August / 2009, 04:33:06 »
Quote
Yes, "gaonisoy" is the sig on all DryOS cams, but until now that sig wasn't necessary for the blinker; i'm not sure, but i guess OldGit's blinker for the SX200 used the same entry.S without that sig, so it should work without this !?
You're right, it seems. I do remember though that Chris described it as necessary, when he discovered the encoding mechanism and made the first "new DryOS" udumper...

*

Offline fe50

  • ******
  • 3152
  • IXUS50 & 860, SX10 Star WARs-Star RAWs
    • fe50
Re: How to Dump Firmware ?
« Reply #56 on: 18 / August / 2009, 05:48:30 »
I do remember though that Chris described it as necessary, when he discovered the encoding mechanism and made the first "new DryOS" udumper...
Yes, first Chris & TPC thought it is necessary...Link...lol, a journey back to the roots of CHDK TNG  :D

@siatitel:
Forgot to say this... in my attachement in reply #50 there's the file "encode.exe".
It's the compiled binary of brake's fw encoder (in the trunk, chr's "dancingbits" is used, the result is the same); the sources are included in the Cardtricks package (in the file "helper_sources.zip" in \CardTricks\SRC).

Just to make things clear:

1) The fw encoder (encode oder dancingbits) encodes the diskboot.bin (with a simple encoding algorithm) to feed newer DryOS cameras
2) The FI2 encoding encodes (and also prepares) the diskboot.bin with an AES encryption to make a valid PS.Fi2 file for the fw update method.

*

Offline OldGit

  • ****
  • 303
Re: How to Dump Firmware ?
« Reply #57 on: 18 / August / 2009, 16:29:15 »
Hi guys,
fe50 asked me to take a look at this thread as I did the SX200 dump.

If its any help.....
I used CHDK Shell to do the compile, it takes care of the encoding, you need the correct PID and the FI2KEY / FI2IV keys.  Other threads here give details of these keys and how to find them.

Main problem I had with blinking SX200 was speed, the original blinker times for "on" / "off" were much too short.
I think the DICIC IV processor is running at much faster clock speed, so 1 NOP on the SX200 takes much less time than on some older cams.

Try slowing down (increase delay) of time on and off, you may be blinking the LED so fast it has no time to "energise" and light up.
As regards the "gaonisoy" sig, I didn't use it for the SX200, wasn't needed.

Good Luck and keep trying, just keep telling yourself "I WILL get it to work"
SX200 IS-100C

Re: How to Dump Firmware ?
« Reply #58 on: 26 / March / 2010, 00:58:13 »
I'm trying very hard to find a way to get udumper working for the SD780 (mostly for the alternate FWs 1.00b)  What I am finding is that despite there existing an area of low memory that eventually has the correct form:

   for (i=0x1900;i<0xF0000;i+=4)
   if ((*(unsigned int*)(i+0x34)==0) &&
   (*(unsigned int*)(i+0x38)==0)  &&
   (*(unsigned int*)(i+0x3C)==3) ) &&
   (*(unsigned int*)(i+0x4C)>MIN_ADDRESS) &&
   (*(unsigned int*)(i+0x50)>MIN_ADDRESS) )

It does not seem to have it during the early stages when udumper is running.  Question #1 is this.  Is there a sign issue with this code trying to use MIN_ADDRESS?  I cast to (unsigned int) but no difference.  Can someone with more knowledge just confirm that there is likely no need to add additional casting to the match string.  Specifically from a sign point of view?


   
ROM:0001096B                 DCB    0
ROM:0001096C                 DCD 0
ROM:00010970                 DCD 0
ROM:00010974                 DCD 3
ROM:00010978                 DCD 7
ROM:0001097C                 DCD unk_2000
ROM:00010980                 DCD 0x77E000
ROM:00010984                 DCD 0xFF903950
ROM:00010988                 DCD 0xFF903B38  (and this is the WriteSD as found in the blinked firmware)

RealRom:FF903B38 loc_FF903B38                            ; DATA XREF: RealRom:off_FF851ABCo
RealRom:FF903B38                 STMFD   SP!, {R0-R11,LR}
RealRom:FF903B3C                 LDR     R0, =0x5634
RealRom:FF903B40                 SUB     SP, SP, #0xC
RealRom:FF903B44                 LDR     R1, [SP,#0xC]
RealRom:FF903B48                 LDR     R0, [R0,#8]
RealRom:FF903B4C                 MOV     R11, R2
RealRom:FF903B50                 CMP     R1, R0
RealRom:FF903B54                 MOV     R10, #0
RealRom:FF903B58                 MOV     R5, #2
RealRom:FF903B5C                 BEQ     loc_FF903B90
RealRom:FF903B60                 MOV     R0, #0x80
RealRom:FF903B64                 BL      sub_FF86399C
RealRom:FF903B68                 LDR     R0, [SP,#0xC]
RealRom:FF903B6C                 BL      sub_FF9032D4
RealRom:FF903B70                 MOV     R4, R0
RealRom:FF903B74                 MOV     R0, #0x80
RealRom:FF903B78                 BL      sub_FF8639C0
RealRom:FF903B7C                 CMP     R4, #0
RealRom:FF903B80                 BEQ     loc_FF903BCC
RealRom:FF903B84                 LDR     R0, =0x5634
RealRom:FF903B88                 LDR     R1, [SP,#0xC]
RealRom:FF903B8C                 STR     R1, [R0,#8]

Second question would be (and a bit of a big one).  Does the firmware piece above having anything the original udumper doesn't expect?  typedef int (*f_w)(int, int, int, int); // drive(?), start sector, number of sectors, address  I feel silly asking such a question as open ended as it is.  I'm not a great reader of the firmwares.

Anyways if there is anyone that can see something that might help I would be greatful.

Harpo
Canon Models - SD300, SD780, & SX210

*

Offline ERR99

  • ****
  • 339
Re: How to Dump Firmware ?
« Reply #59 on: 26 / March / 2010, 04:33:29 »
Hello HarpoMa, maybe you can give this solution a try:

On the G11, the normal udumper was also not working. The signature search in RAM (0x1900...0xF0000) was not sucessfull.
So i changed the search algorithm, i am searching now directly in the FLASH area for the SD-Card write function.
After i analysing some dumps of other cameras, i find out that allmost allways a pointer to the SD-CARD write function is below of the "BOOTDISK" string in flash. In most cases it is the second flash address (in one dump i checked, it was the first one, but for the G11 it was allways the second).

Second difference to the "standard" udumper was, that the write function on the G11 only writes something on the card if i add additional int parameter to the function prototype and function call. I dont know what the parameters are for, so i pass simply a "0" as value, but somehow there are necessary for the G11...


So, here is the source of my modified G11 udumper:
Code: [Select]
typedef int (*f_w)(int, int, int, int, int, int, int,int);
#define MIN_ADDRESS     0xFF810000
#define FW_SIZE         0x400000
#define START_SECTOR    2048

int main()
{
unsigned int i,j;
unsigned long sa;
f_w wr = 0;
for (i=0xFF810000; i < 0xFFFF0000; i+=4)
{
if (        (*(char*)i == 'B')
&&  (*(char*)(i+1) == 'O')
        &&  (*(char*)(i+2) == 'O')
        &&  (*(char*)(i+3) =='T')
        &&  (*(char*)(i+4)== 'D')
        &&  (*(char*)(i+5) == 'I')
        &&  (*(char*)(i+6) == 'S')
        &&  (*(char*)(i+7) == 'K')
        &&  (*(char*)(i+8) == 0)
)
{
for (j=i+8; j<0xFFFF0000;j+=4)
{
  if (      (*(unsigned int*)(j)>MIN_ADDRESS)
        &&(*(unsigned int*)(j+4)>MIN_ADDRESS)
     )
  {
    wr=(f_w)*(unsigned int*)(j+4);
  for (i = 0x1c00; i<0x30000; i+=4)  *(int*)i=0;
sa=(unsigned long)0xFF810000;
wr(0, START_SECTOR, (0xFFFFFFFF - sa + 1)/512, sa,0,0,0,0);
  break;
  }
}

break;
}
}

while(1);
return 0;
}

 

Related Topics


SimplePortal © 2008-2014, SimplePortal