universal dumper - one more idea - page 2 - Firmware Dumping - CHDK Forum  

universal dumper - one more idea

*

Offline GrAnd

  • [A610, S3IS]
Re: universal dumper - one more idea
« Reply #10 on: 24 / January / 2008, 16:20:28 »
Quote from: ewavr
How about this? It works on my A710, but doesn't work on G7 (signature search failed, but if I assign the correct function address, all works).
The longer the signature, the less chance to match it for other models. Did you try to cut the signature a bit and to match a shorter version for G7?
CHDK Developer.

*

Offline ewavr

  • A710IS
Re: universal dumper - one more idea
« Reply #11 on: 24 / January / 2008, 16:35:23 »
Quote from: GrAnd
The longer the signature, the less chance to match it for other models. Did you try to cut the signature a bit and to match a shorter version for G7?

The difficulty is that the functions ReadSDCard (0xFF88BCD0 G7 all f/w) and WriteSDCard (0xFF88BE6C G7 all f/w) are really very similar  :(

edit: OK, I reduced the signature size to 20 instructions. But each camera still works only with its own signatures  :(
« Last Edit: 24 / January / 2008, 17:49:39 by ewavr »

*

Offline RyeBrye

  • SD-870
Re: Universal dumper becomes a reality?
« Reply #12 on: 24 / January / 2008, 16:39:35 »
Quote from: ewavr
How about this? It works on my A710, but doesn't work on G7 (signature search failed, but if I assign the correct function address, all works). Of course, it has its drawbacks: the dumper uses absolute sector writing instead of the filesystem.
This is a reference project only; a signature for DryOS cams should be added and the signature search algorithm changed.

Having just spent a long, long time getting to dump my firmware, I can say that efforts on this front would be a very good use of time.

At the very least, I wouldn't mind helping with this so that I can get a dump that I fully trust...

Since I'm new to this project, I doubt I'll be much help for a while though :)


*

Offline ewavr

  • A710IS
Re: universal dumper - one more idea
« Reply #13 on: 24 / January / 2008, 18:48:58 »
Second variant - works on G7 and A710 too. It calls both ReadSDCard() and WriteSDCard()  ;). Can anybody verify it on other VxWorks cameras?


*

Offline jeff666

  • A720IS
Re: universal dumper - one more idea
« Reply #14 on: 24 / January / 2008, 19:29:24 »
@ewavr:
I just tested your first dumper on my A720.  I removed the signature, assigned the address to WriteSDCard directly and it actually wrote the firmware to the card.

The locations (A720) are:
* FFCF5058 ReadSDCard
* FFCF51B0 WriteSDCard

Parameters are identical. The starting point to locate the functions manually is task_InitFileModules (on both VxWorks and DryOS).

Edit:
I just had a look at the WriteSDCard-functions of the A720 (1.00C), the S5 (1.01B) and the G9 (1.00d) and it seems that A and G are (mostly) equal while the S has at least one additional command quite at the beginning (see attached file).

Another way to find the location of WriteSDCard could be the function that actually refers to ReadSDCard and WriteSDCard. It looks identical on each firmware - maybe even OS-independent (didn't check this).

I'm referring to sub_FFC3EC9C (A720). Could the signature-finder locate this function and we read the actual location(s) from there?

Cheers.
« Last Edit: 24 / January / 2008, 19:53:59 by jeff666 »
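An added illustration (not code from this thread, from CHDK or from its gensig tool) of the two ideas discussed above: a masked word-signature search over a constructed toy ARM ROM image, showing why two near-identical functions like ReadSDCard/WriteSDCard both match a short signature, and how locating the one function that calls both and decoding its BL targets resolves the real addresses. The base address, instruction words and function layout are constructed assumptions, not values from any real firmware.

```python
import struct

BASE = 0xFF810000   # constructed toy ROM base, not any real Canon firmware

def build_image():
    """Two near-identical SD-card stubs sharing a 4-word prologue, plus their caller."""
    bl = lambda at, tgt: 0xEB000000 | (((tgt - (at + 8)) >> 2) & 0xFFFFFF)  # ARM32 BL
    img = bytearray(0x100)
    common = [0xE92D4010, 0xE1A04000, 0xE3A01000, 0xE1A02001]  # STMFD sp!,{r4,lr}; MOVs
    read   = common + [0xE3A03001, 0xE8BD8010]                  # MOV r3,#1; LDMFD {r4,pc}
    write  = common + [0xE3A03002, 0xE8BD8010]                  # MOV r3,#2; LDMFD {r4,pc}
    caller = [0xE92D4010, bl(BASE + 0x84, BASE + 0x00),
              bl(BASE + 0x88, BASE + 0x40), 0xE8BD8010]
    for off, words in ((0x00, read), (0x40, write), (0x80, caller)):
        struct.pack_into("<%dI" % len(words), img, off, *words)
    return bytes(img)

def find_signature(fw, sig, base=BASE):
    """ROM addresses of every 4-byte-aligned spot where all (pattern, mask) words match."""
    hits = []
    for off in range(0, len(fw) - 4 * len(sig) + 1, 4):
        words = struct.unpack_from("<%dI" % len(sig), fw, off)
        if all((w & m) == (p & m) for w, (p, m) in zip(words, sig)):
            hits.append(base + off)
    return hits

def bl_targets(fw, func, base=BASE, limit=64):
    """Walk one function from `func` to its return and decode every BL destination."""
    out = []
    for i in range(limit):
        at = func + 4 * i
        w = struct.unpack_from("<I", fw, at - base)[0]
        if (w & 0xFF000000) == 0xEB000000:                      # BL, condition AL
            imm = (w & 0xFFFFFF) - (0x1000000 if w & 0x800000 else 0)  # sign-extend
            out.append(at + 8 + (imm << 2))
        if w in (0xE8BD8010, 0xE12FFF1E):                        # LDMFD {..,pc} / BX LR
            break
    return out

def demo():
    fw = build_image()
    short_sig = [(w, 0xFFFFFFFF) for w in (0xE92D4010, 0xE1A04000, 0xE3A01000, 0xE1A02001)]
    long_sig = short_sig + [(0xE3A03001, 0xFFFFFFFF)]
    caller_sig = [(0xE92D4010, 0xFFFFFFFF), (0xEB000000, 0xFF000000),
                  (0xEB000000, 0xFF000000), (0xE8BD8010, 0xFFFFFFFF)]  # BL offsets masked
    ambiguous = find_signature(fw, short_sig)   # both stubs match the short signature
    unique = find_signature(fw, long_sig)       # one extra word disambiguates
    caller = find_signature(fw, caller_sig)[0]  # locate the referrer, read its callees
    return ambiguous, unique, caller, bl_targets(fw, caller)
```

Masking the BL offset bytes is what lets the caller signature survive between firmware versions even when the callees move; a dumper built this way should refuse to write anything when a signature returns zero or more than one hit.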

*

Offline ewavr

  • A710IS
Re: universal dumper - one more idea
« Reply #15 on: 24 / January / 2008, 19:54:30 »
Quote from: jeff666
I just tested your first dumper on my A720.  I removed the signature, assigned the address to WriteSDCard directly and it actually wrote the firmware to the card.
Good!
Can you also test the first or second dumper with signatures (generated by tools/gensig(.exe))? If it works, we can try to dump the A650 in ten seconds :)
« Last Edit: 24 / January / 2008, 20:01:16 by ewavr »

*

Offline jeff666

  • A720IS
Re: universal dumper - one more idea
« Reply #16 on: 24 / January / 2008, 20:30:44 »
Quote from: ewavr
Can you also test first or second dumper with signatures (generated by tools/gensig(.exe)) ? If it works, we can try to dump A650 in ten seconds :)

I made the signature and it seems to work (main.c attached). One thing is strange, though: wr() doesn't seem to return. At least the debug LED isn't turned off, but the data is written anyway.

Good luck to the A650-owners :)

Cheers.

*

Offline RyeBrye

  • SD-870
Re: universal dumper - one more idea
« Reply #17 on: 24 / January / 2008, 21:52:33 »
Quote from: jeff666
I made the signature and it seems to work (main.c attached). One thing is strange, though: wr() doesn't seem to return. At least the debug LED isn't turned off, but the data is written anyway.

I tried the signature-based main.c in my SD870 and it didn't work... I have the dump for my SD870 loaded into IDA, and I don't see that WriteSDCard is labeled after running through the DryOS CHDK.idc script...

How would I go about finding that function so I can get this to work on the SD870?

Quote from: ewavr
Can you also test first or second dumper with signatures (generated by tools/gensig(.exe)) ? If it works, we can try to dump A650 in ten seconds :)

Real men dump by blinking!  ;)
« Last Edit: 24 / January / 2008, 21:59:14 by RyeBrye »


Re: universal dumper - one more idea
« Reply #18 on: 25 / January / 2008, 00:41:01 »
Deleted
« Last Edit: 22 / April / 2008, 10:07:34 by Barney Fife »
[acseven/admin commented out: please refrain from more direct offensive language to any user. FW complaints to me] I felt it imperative to withdraw my TOTAL participation. Nobody has my permission, nor the right, to reinstate MY posts. Make-do with my quoted text in others' replies only. Bye

*

Offline ewavr

  • A710IS
Re: universal dumper - one more idea
« Reply #19 on: 25 / January / 2008, 02:49:57 »
Quote from: RyeBrye
How would I go about finding that function so I can get this to work on the SD870?
I also cannot find this function - it seems that the dump is broken (a piece of code is absent).
For example:
ROM:FF81019C                 B       aExporttoeven_0+8
Jump into string? Not real...
« Last Edit: 25 / January / 2008, 03:49:29 by ewavr »
