hacking Canon EOS 1000D - page 8 - DSLR Hack development - CHDK Forum  

hacking Canon EOS 1000D

  • 101 Replies
  • 126468 Views
Re: hacking Canon EOS 1000D
« Reply #70 on: 11 / July / 2010, 14:51:37 »
Hey Markus!

Keep working please! It's great that someone is working on it! If I can help in any way, tell me!
btw: I'm also from good old Germany ;-) I'm offering a case of beer as a reward *gg*


Re: hacking Canon EOS 1000D
« Reply #71 on: 12 / July / 2010, 04:51:49 »

Re: hacking Canon EOS 1000D
« Reply #72 on: 15 / July / 2010, 00:16:04 »
Any update for EOS1000D ???

Re: hacking Canon EOS 1000D
« Reply #73 on: 15 / July / 2010, 17:36:17 »
not yet :(


Re: hacking Canon EOS 1000D
« Reply #74 on: 21 / July / 2010, 07:02:11 »
Hi guys,

just stumbled across CHDK and modding Canon firmwares yesterday. How do I get started with the 1000D? From what I have read in the 400D thread, I expected booting from an SD card would be step one:

http://chdk.setepontos.com/index.php/topic,3290.msg35329.html#msg35329

But my Kingston 2GB SD card, made bootable with Cardtricks (formatted FAT32 and made read-only), just yields a "read only card inserted" screen on my 1000D...

Has someone else had success with a bootable SD card? Or does booting from SD require some firmware hack (as I infer from engelmarkus's post here http://chdk.setepontos.com/index.php/topic,2310.msg52099.html#msg52099)?

Does someone have more information?

If decrypting and patching an official Canon firmware is the way to go (in case the 1000D won't boot from SD in its original state), then how do I decrypt the FWs? Can gratiz or engelmarkus post some additional information here?


Cheers
A

Re: hacking Canon EOS 1000D
« Reply #75 on: 21 / July / 2010, 08:12:45 »
If decrypting and patching an official Canon firmware is the way to go (in case the 1000D won't boot from SD in its original state), then how do I decrypt the FWs?

After tinkering around with some tools, it looks like FIRLoad http://pel.hu/down/FIRload.exe can decrypt the flasher part of the FIR (there are sensible strings like "Copyright 1999-2001 ARM Limited.Copyright 1999-2001 Wind River Systems" in the decrypted file), but not the firmware itself (at least I am not able to identify any strings; it still looks pretty much encrypted, though I did not do any distribution analysis. EDIT: According to HxD's statistics, all symbols are about evenly distributed, which implies the firmware is still encrypted with a reasonable algorithm).

Updated the http://chdk.wikia.com/wiki/1000D#Firmware_info, anyway.

Any further information?
« Last Edit: 21 / July / 2010, 08:37:01 by acoder »
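The "all symbols about evenly distributed" check above, done in code rather than by eye in HxD. This is an added example, not code from the thread or from the CHDK project: it computes the byte histogram's Shannon entropy and its chi-square distance from uniform, which separates plain ARM code and string tables (skewed histogram) from ciphertext (near-uniform). The thresholds (7.9 bits/byte, chi-square below twice the 255 degrees of freedom), the xorshift32 PRNG standing in for encrypted bytes and the repeated copyright string standing in for a decrypted flasher are all constructed assumptions. One caveat the forum post does not mention: compressed data is also near-uniform, so a flat histogram only says "encrypted or compressed", not "encrypted".

```c
/* Added example (not from the thread): byte-distribution test for a
 * firmware region, to tell plaintext code from still-encrypted bytes.
 * Thresholds and sample data are assumptions, see comments. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SAMPLE_LEN 8192   /* block size the thresholds were chosen for */

/* log2 without libm: scale x into [1,2), then ln(x) via the atanh series. */
double log2_approx(double x) {
    int e = 0;
    while (x >= 2.0) { x *= 0.5; e++; }
    while (x < 1.0)  { x *= 2.0; e--; }
    double y = (x - 1.0) / (x + 1.0), y2 = y * y, term = y, sum = 0.0;
    for (int k = 1; k < 40; k += 2) { sum += term / k; term *= y2; }
    return e + 2.0 * sum / 0.69314718055994531;   /* ln(x) / ln(2) */
}

/* Shannon entropy of the byte histogram, 0.0 .. 8.0 bits per byte. */
double byte_entropy(const uint8_t *buf, size_t len) {
    size_t hist[256] = {0};
    double h = 0.0;
    if (len == 0) return 0.0;
    for (size_t i = 0; i < len; i++) hist[buf[i]]++;
    for (int b = 0; b < 256; b++) {
        if (!hist[b]) continue;
        double p = (double)hist[b] / (double)len;
        h -= p * log2_approx(p);
    }
    return h;
}

/* Chi-square of the histogram against a uniform distribution. Random
 * bytes sit near 255 (degrees of freedom); code and text are far higher. */
double byte_chi_square(const uint8_t *buf, size_t len) {
    size_t hist[256] = {0};
    double expect = (double)len / 256.0, chi = 0.0;
    if (len == 0) return 0.0;
    for (size_t i = 0; i < len; i++) hist[buf[i]]++;
    for (int b = 0; b < 256; b++) {
        double d = (double)hist[b] - expect;
        chi += d * d / expect;
    }
    return chi;
}

/* Assumed thresholds: > 7.9 bits/byte and chi-square < 2 * 255. */
int looks_encrypted_or_compressed(const uint8_t *buf, size_t len) {
    return byte_entropy(buf, len) > 7.9 && byte_chi_square(buf, len) < 510.0;
}

/* Constructed sample 1: a "decrypted flasher" made of the copyright strings
 * quoted in the thread, repeated (NUL-terminated like a string table). */
size_t build_text_sample(uint8_t *out, size_t cap) {
    static const char s[] = "Copyright 1999-2001 ARM Limited."
                            "Copyright 1999-2001 Wind River Systems";
    size_t n = 0;
    while (n + sizeof s <= cap) { memcpy(out + n, s, sizeof s); n += sizeof s; }
    return n;
}

/* Constructed sample 2: xorshift32 output standing in for encrypted bytes
 * (it is not a cipher; only its flat histogram matters here). */
size_t build_random_sample(uint8_t *out, size_t cap, uint32_t seed) {
    uint32_t x = seed ? seed : 1;
    for (size_t i = 0; i < cap; i++) {
        x ^= x << 13; x ^= x >> 17; x ^= x << 5;
        out[i] = (uint8_t)(x >> 8);
    }
    return cap;
}

/* One-call verdicts over the two constructed samples. */
int text_sample_verdict(void) {
    uint8_t buf[SAMPLE_LEN];
    return looks_encrypted_or_compressed(buf, build_text_sample(buf, sizeof buf));
}
int random_sample_verdict(void) {
    uint8_t buf[SAMPLE_LEN];
    return looks_encrypted_or_compressed(buf, build_random_sample(buf, sizeof buf, 0x1000D));
}

int main(void) {
    uint8_t buf[SAMPLE_LEN];
    size_t n = build_text_sample(buf, sizeof buf);
    printf("text  : H=%.3f chi2=%.0f -> %s\n", byte_entropy(buf, n), byte_chi_square(buf, n),
           text_sample_verdict() ? "encrypted/compressed" : "plaintext");
    n = build_random_sample(buf, sizeof buf, 0x1000D);
    printf("random: H=%.3f chi2=%.0f -> %s\n", byte_entropy(buf, n), byte_chi_square(buf, n),
           random_sample_verdict() ? "encrypted/compressed" : "plaintext");
    return 0;
}
```

To use it on a real FIR, replace the constructed samples with `fread` of the region FIRLoad left undecrypted and run the two measures over a few KiB at a time; a region that drops below the thresholds while its neighbours stay flat is where a decryptor started producing plaintext.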

Re: hacking Canon EOS 1000D
« Reply #76 on: 22 / July / 2010, 09:54:21 »

Re: hacking Canon EOS 1000D
« Reply #77 on: 23 / July / 2010, 19:28:37 »


Re: hacking Canon EOS 1000D
« Reply #78 on: 25 / July / 2010, 12:22:37 »
I'm sorry, but the whole process isn't easy.
First of all, you'll need an original fir file from the Canon website.
Then you'll have to compile "dissect_fw3_2.c" from the attachment and run it on the fir file. This will split it into its pieces.

Now you can write some code you want to run on your camera, for example:
Code:
#define LED_BLUE 0xC02200E8   /* memory-mapped register for the blue LED */
#define LED_ON   0x46         /* value that switches it on */

int main(void) {
  *((volatile long*)LED_BLUE) = LED_ON;  /* volatile: force the store to hardware */
  while (1) ;                            /* hang here; pull the battery to get out */
}

Compile it and link it.
Now build a new fir file. Open assemble_fw and change $header_file, $flasher_file and $camera_id to match your camera. Run assemble_fw. You will get a file "output.fir". Copy this file to your SD card and do a firmware update. The blue LED should turn on. To make your camera work again you'll have to take out its battery...

You will have to blink out at least a part of a new firmware version through an LED in order to find out some function addresses you need for creating a complete dump. For that I used the blue LED, a photo diode and some CD audio cable. Just look at the pictures in the attachment.
Now disassemble your dump and find all of the functions listed in entry_subs.S. Replace the addresses there with the ones you found out.
You are now able to reboot your camera and create a new process, which will write a complete dump to an SD card.

Decryption of the flasher part of fir files is possible, but I think it is of no use...
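The "blink out" step in the post above, modelled in software. This is an added example, not engelmarkus's code or anything from the CHDK project: the camera side serialises bytes as an async serial stream on the LED (start bit ON, eight data bits LSB first, stop bit OFF, one time slot per bit), and the PC side samples the photodiode through the sound card and recovers bytes from the rising edge of each start bit. The record layout (address, length, XOR checksum), the oversampling factor, the 16 sample bytes and the address they are "read" from are all constructed assumptions; the real off value for the LED register is not given in the thread, so the camera-side write is left as a comment and the level sink records into a buffer instead.

```c
/* Added example (not from the thread): software model of the LED blink-out
 * link.  Camera side: byte -> LED levels.  PC side: photodiode samples ->
 * bytes -> checked record.  Framing and checksum are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OVS 4   /* photodiode samples per bit slot (assumed oversampling) */

/* On the camera the sink would write LED_ON / the off value to 0xC02200E8
 * and busy-wait one slot per call; here it records the level instead. */
typedef void (*level_sink)(void *ctx, int on);
struct level_buf { uint8_t *lv; size_t n, cap; };

void buf_sink(void *ctx, int on) {
    struct level_buf *b = ctx;
    if (b->n < b->cap) b->lv[b->n++] = (uint8_t)on;
}

/* One byte = start(1), d0..d7, stop(0), plus one idle slot so the next
 * start edge is unambiguous: 11 slots per byte. */
void blink_byte(uint8_t v, level_sink sink, void *ctx) {
    sink(ctx, 1);
    for (int i = 0; i < 8; i++) sink(ctx, (v >> i) & 1);
    sink(ctx, 0);
    sink(ctx, 0);
}

/* Record: 4-byte little-endian address, length, data, XOR of all prior bytes. */
void blink_record(uint32_t addr, const uint8_t *data, uint8_t len,
                  level_sink sink, void *ctx) {
    uint8_t x = 0, b;
    for (int i = 0; i < 4; i++) { b = (uint8_t)(addr >> (8 * i)); blink_byte(b, sink, ctx); x ^= b; }
    blink_byte(len, sink, ctx); x ^= len;
    for (uint8_t i = 0; i < len; i++) { blink_byte(data[i], sink, ctx); x ^= data[i]; }
    blink_byte(x, sink, ctx);
}

/* Stand-in for photodiode + sound card: OVS samples per slot. */
size_t sample_link(const uint8_t *lv, size_t n, uint8_t *s, size_t cap) {
    size_t k = 0;
    for (size_t i = 0; i < n; i++)
        for (int j = 0; j < OVS && k < cap; j++) s[k++] = lv[i];
    return k;
}

/* PC side: on each rising start edge read the eight data bits at slot
 * centres measured from that edge; a frame whose stop bit is ON is dropped. */
size_t decode_samples(const uint8_t *s, size_t n, uint8_t *out, size_t cap) {
    size_t i = 0, k = 0;
    while (k < cap) {
        while (i < n && s[i] == 0) i++;          /* idle: wait for a start bit */
        if (i + 10 * OVS > n) break;             /* no complete frame left */
        size_t mid = i + OVS / 2;
        uint8_t v = 0;
        for (int b = 0; b < 8; b++) v |= (uint8_t)(s[mid + (b + 1) * OVS] << b);
        if (s[mid + 9 * OVS] == 0) out[k++] = v;
        i += 10 * OVS;
    }
    return k;
}

/* Returns the data length, or -1 if the record is short or the checksum fails. */
int parse_record(const uint8_t *buf, size_t n, uint32_t *addr, uint8_t *data, size_t cap) {
    if (n < 6) return -1;
    uint8_t len = buf[4], x = 0;
    if (n != (size_t)len + 6 || len > cap) return -1;
    for (size_t i = 0; i + 1 < n; i++) x ^= buf[i];
    if (x != buf[n - 1]) return -1;
    *addr = buf[0] | (uint32_t)buf[1] << 8 | (uint32_t)buf[2] << 16 | (uint32_t)buf[3] << 24;
    memcpy(data, buf + 5, len);
    return len;
}

/* Round trip of 16 constructed bytes (not real 1000D firmware) from an
 * arbitrary example address.  Returns 1 if the dump matches, 0 if the
 * checksum rejected it.  corrupt != 0 flips one sample in the first data byte. */
int demo_link(int corrupt) {
    static const uint8_t fw[16] = { 0x18, 0xF0, 0x9F, 0xE5, 0x04, 0x00, 0x00, 0xEA,
                                    'C', 'o', 'p', 'y', 'r', 'i', 'g', 'h' };
    uint8_t levels[512], samples[2048], bytes[64], data[32];
    struct level_buf lb = { levels, 0, sizeof levels };
    uint32_t addr = 0;
    blink_record(0xFF810000u, fw, sizeof fw, buf_sink, &lb);
    size_t ns = sample_link(levels, lb.n, samples, sizeof samples);
    if (corrupt) samples[5 * 11 * OVS + OVS / 2 + 3 * OVS] ^= 1;   /* frame 5, bit d2 */
    size_t nb = decode_samples(samples, ns, bytes, sizeof bytes);
    int len = parse_record(bytes, nb, &addr, data, sizeof data);
    if (len < 0) return 0;
    return len == (int)sizeof fw && addr == 0xFF810000u && memcmp(data, fw, sizeof fw) == 0;
}

int main(void) {
    printf("clean link : %s\n", demo_link(0) ? "dump verified" : "rejected");
    printf("flipped bit: %s\n", demo_link(1) ? "dump verified" : "rejected by checksum");
    return 0;
}
```

The point of the checksum is the second run: with one photodiode sample flipped the frame still decodes to a byte, and without the XOR it would land in the dump as a plausible-looking wrong opcode. On the camera side the same `blink_record` loop over the ROM range, with a sink that writes the LED register and spins, is all that is needed; the slot length just has to be long enough for the sound-card capture to oversample each bit.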

Re: hacking Canon EOS 1000D
« Reply #79 on: 26 / July / 2010, 13:41:15 »

Run assemble_fw. You will get a file "output.fir". Copy this file to your SD card and do a firmware update. The blue LED should turn on. To make your camera work again you'll have to take out its battery...


What I am uncertain about wrt this step is: does this blow my camera's brains out or not? As it is a firmware update, it should (the firmware should now contain only turning the blue LED on and an infinite loop). But given that you later extracted the complete fw, there seems to be a safety catch preserving the original firmware.

Background: the latest downloadable firmware is 1.06, while both yours and my camera are already at 1.07.

Furthermore: can you extract the respective portions from the 1.07 fw dump and integrate them back into a fir file (taking the flasher from either the 1.07 dump or the 1.06 fw download)?

In the meantime I had some trouble setting up an Ubuntu 10.4 dev VM. I seem unable to get cross gcc 4.3.3 running. Thus, I am now back on Windows using the CHDK Shell v273.

Anyhow, is IDA 4.9 sufficient for working with the dumps or is 5.x required?

Cheers
A
