DryOS - some success

*

Offline ewavr

  • A710IS
    Re: DryOS - some success
    « Reply #60 on: 07 / January / 2008, 14:10:57 »
    Quote
    The "traditional" method to start CHDK doesn't work with DryOS since it doesn't have the "Firm Update" Menu. Well, actually it seems like "Firm Update" is still there, but we don't know what enables it, yet.

    "Firm update" menu appears if firmware file extension is "FI2" (not "FIR").

    Quote
    will be available after I figure out how "task_CaptSeqTask" works.

    You can compare part of "CaptSeqTask" @0xFFC4CC10 (for A720) and sub_FFD5C2C4_my() in A710 sources - they are very similar. And also sub_FFD0A3CC for A720 and sub_FFD5F178_my() in A710 sources.

    *

    Offline GrAnd

    • [A610, S3IS]
      • CHDK
    Re: DryOS - some success
    « Reply #61 on: 07 / January / 2008, 15:26:46 »
    Quote
    The "traditional" method to start CHDK doesn't work with DryOS since it doesn't have the "Firm Update" Menu. Well, actually it seems like "Firm Update" is still there, but we don't know what enables it, yet.

    Quote from: ewavr
    "Firm update" menu appears if firmware file extension is "FI2" (not "FIR").

    But at the same time the string 'A/*.FIR' still persists in DryOS firmwares. ???
    CHDK Developer.

    *

    Offline DataGhost

    • EOS 40D, S5IS
      • DataGhost.com
    Re: DryOS - some success
    « Reply #62 on: 07 / January / 2008, 15:53:51 »
    Possibly didn't notice this because it's not seen as a string and not nicely formatted, but the context clearly confirms what ewavr said, and it seems to be referenced:
    (S5 code)
    Quote
    ROM:FF9AE394     off_FF9AE394:   .long unk_FFA9635A      @ DATA XREF: sub_FF9AE110+2Cr
    ROM:FF9AE398     unk_FF9AE398:   .byte 0x46 @ F          @ DATA XREF: sub_FF9AE110+6Co
    ROM:FF9AE399                     .byte 0x49 @ I
    ROM:FF9AE39A                     .byte 0x32 @ 2
    ROM:FF9AE39B                     .byte    0
    ROM:FF9AE39C     unk_FF9AE39C:   .byte 0x41 @ A          @ DATA XREF: sub_FF9AE110+84o
    ROM:FF9AE39C                                             @ sub_FF9AE1B8+58o
    ROM:FF9AE39D                     .byte 0x2F @ /
    ROM:FF9AE39E                     .byte    0
    ROM:FF9AE39F                     .byte    0
    ROM:FF9AE3A0     aSS_16:         .ascii "%s%s"           @ DATA XREF: sub_FF9AE110+88o
    ROM:FF9AE3A0                     .byte 0
    ROM:FF9AE3A5                     .byte    0
    ROM:FF9AE3A6                     .byte    0
    ROM:FF9AE3A7                     .byte    0
    ROM:FF9AE3A8     dword_FF9AE3A8: .long 0x57E8C           @ DATA XREF: sub_FF9AE110+7Cr
    ROM:FF9AE3A8                                             @ sub_FF9AE1B8+B0r ...
    ROM:FF9AE3AC     aVersioncheck:  .ascii "VersionCheck"   @ DATA XREF: ROM:FF9AE32Co
    ROM:FF9AE3AC                     .byte 0
    ROM:FF9AE3B9                     .byte    0
    ROM:FF9AE3BA                     .byte    0
    ROM:FF9AE3BB                     .byte    0
    ROM:FF9AE3BC     aVersionid:     .ascii "VersionID"      @ DATA XREF: ROM:FF9AE350o
    ROM:FF9AE3BC                     .byte 0
    ROM:FF9AE3C6                     .byte    0
    ROM:FF9AE3C7                     .byte    0
    By the way, why doesn't the code-tag generate monospace output?
    « Last Edit: 07 / January / 2008, 17:40:01 by DataGhost »

    *

    Offline jeff666

    • A720IS
    Re: DryOS - some success
    « Reply #63 on: 07 / January / 2008, 15:58:53 »
    Quote from: DataGhost
    Possibly didn't notice this because it's not seen as a string and not nicely formatted, but the context clearly confirms what ewavr said,

    And a quick test confirms it, too.
    There's still information to be found, since selecting the entry brings a friendly "Update File Error!!!" message. I tried renaming the .FIR generated by "make fir".

    Cheers.


    *

    Offline GrAnd

    • [A610, S3IS]
      • CHDK
    Re: DryOS - some success
    « Reply #64 on: 07 / January / 2008, 16:45:03 »
    Quote from: DataGhost
    Possibly didn't notice this because it's not seen as a string and not nicely formatted...
    IDA does not always determine the correct type of the data. But you can help by pressing the 'a' key for the address which contains a string.
    Code:
    ROM:FFD4CE74 off_FFD4CE74    DCD byte_FFE3EAD6                 ; DATA XREF: sub_FFD4CC04+2Cr
    ROM:FFD4CE78 aFi2            DCB "FI2",0                       ; DATA XREF: sub_FFD4CC04+6Co
    ROM:FFD4CE7C aA_5            DCB "A/",0                        ; DATA XREF: sub_FFD4CC04+84o
    ROM:FFD4CE7C                                                   ; sub_FFD4CCAC+58o
    ROM:FFD4CE7F                 ALIGN 4
    ROM:FFD4CE80 aSS_14          DCB "%s%s",0                      ; DATA XREF: sub_FFD4CC04+88o
    ROM:FFD4CE85                 ALIGN 4
    ROM:FFD4CE88 dword_FFD4CE88  DCD 0x57E38                       ; DATA XREF: sub_FFD4CC04+7Cr
    ROM:FFD4CE88                                                   ; sub_FFD4CCAC+B0r ...
    ROM:FFD4CE8C aVersioncheck   DCB "VersionCheck",0              ; DATA XREF: ROM:FFD4CE0Co
    ROM:FFD4CE99                 ALIGN 4
    ROM:FFD4CE9C aVersionid      DCB "VersionID",0                 ; DATA XREF: ROM:FFD4CE30o
    ROM:FFD4CEA6                 ALIGN 4
    BTW. I have bo problem with [code] tag
    CHDK Developer.
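Added example, not part of the thread or of the CHDK sources: a minimal scanner for NUL-terminated printable strings, run over the S5 bytes from DataGhost's listing (retyped here as a constructed sample, with the dword assumed to be stored little-endian). With a minimum length of 4, the default of the `strings` tool, "FI2" and "A/" are skipped; with a minimum of 2 they are found, and the NUL check keeps the stray printable byte inside the dword out of the results. All names are made up for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: bytes FF9AE398..FF9AE3C7 from the S5 listing above. */
#define SAMPLE_BASE 0xFF9AE398u
static const uint8_t sample[] = {
    'F','I','2',0,  'A','/',0,0,  '%','s','%','s',0,0,0,0,
    0x8C,0x7E,0x05,0x00,                 /* dword 0x57E8C, LE assumed */
    'V','e','r','s','i','o','n','C','h','e','c','k',0,0,0,0,
    'V','e','r','s','i','o','n','I','D',0,0,0
};

struct hit { size_t off; size_t len; };

/* Record every run of printable ASCII that is at least min_len bytes long
   and ends in a NUL. Returns the number of runs found; at most max_hits
   of them are stored in out. */
size_t scan_cstrings(const uint8_t *buf, size_t n, size_t min_len,
                     struct hit *out, size_t max_hits)
{
    size_t found = 0, i = 0;
    while (i < n) {
        size_t start = i;
        while (i < n && buf[i] >= 0x20 && buf[i] <= 0x7E)
            i++;
        /* i == n: the run reached the end of the buffer without a NUL. */
        if (i < n && buf[i] == 0 && i - start >= min_len) {
            if (found < max_hits) {
                out[found].off = start;
                out[found].len = i - start;
            }
            found++;
        }
        if (i < n)
            i++;                         /* step over the terminating byte */
    }
    return found;
}

int main(void)
{
    struct hit h[16];
    size_t n = scan_cstrings(sample, sizeof sample, 2, h, 16);
    for (size_t k = 0; k < n && k < 16; k++)
        printf("ROM:%08X \"%.*s\"\n", (unsigned)(SAMPLE_BASE + h[k].off),
               (int)h[k].len, (const char *)sample + h[k].off);
    return 0;
}
```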

    *

    Offline GrAnd

    • [A610, S3IS]
      • CHDK
    Re: DryOS - some success
    « Reply #65 on: 07 / January / 2008, 16:53:15 »
    Quote from: jeff666
    ... selecting the entry brings a friendly "Update File Error!!!" message. I tried renaming the .FIR generated by "make fir".
    I hope the cameraID you used for "make fir" conforms with the actual camera ID?
    Then Canon guys could change encryption tables (as they constantly do for EOS cameras).
    CHDK Developer.

    *

    Offline DataGhost

    • EOS 40D, S5IS
      • DataGhost.com
    Re: DryOS - some success
    « Reply #66 on: 07 / January / 2008, 17:35:35 »
    Finally! Progress! I rewrote my stuff today, actually reading what's happening, adding debug leds and such... I can now boot the OS entirely with my code... I figured out which sub in Startup_my is responsible for the autoboot stuff, so I commented it out :p I'll thoroughly investigate what it does later on, I don't really have time for that now, I should be studying :p
    After booting, it complains the card is locked, of course.. and I can use the camera as I usually would, so that looks OK. Only thing is, when I start the camera in picture-mode, it actually starts in display-mode as well. This is probably due to diskboot.bin, though. I guess that can be fixed later on. It seems that it's loaded anyway, regardless of what mode the camera is started in.

    Anyway, I'm not that familiar with tasks and how they interact with the OS yet, but could you just tell me what the blinker is supposed to do? Everything it does is blink the led once, when it's started... after that it doesn't really do anything anymore. I'm currently spawning spytask and blinker, I'll investigate more possibilities somewhere this week.
    To whoever is interested: http://stack.dataghost.com/07012008072.mp4 notice the red led at the lower-right (write led) indicating boot() started, the AF led (long) indicating it's in Startup_my() and the AF led (short) indicating task_blinker was spawned, after which it boots normally :)

    Quote from: GrAnd
    BTW. I have bo problem with [code] tag
    bo = no? I meant that the font isn't monospace, so the code looks messed up. I just don't really like that :)

    Edit: ah. I found something... I can confirm that spytask is called properly and actually works, I see a short blink for
    Quote
    *led = 0x46;
    msleep(2000);
    though not when I reverse those two lines. It seems that control is passed over and never returned for some reason.

    Edit2: and the reason is... PEBKAC! I should really look for what is happening before saying "it doesn't work!". msleep calls _SleepTask and I haven't made chdk aware of its location yet.

    Edit3: Yay, it's blinking, I can use buttons as long as it displays "Card locked", after that the keyboard is dead and it won't turn off. It still behaves strangely, I'll look into properly fixing that later on. I'm calling it a day.
    « Last Edit: 07 / January / 2008, 17:51:32 by DataGhost »

    *

    Offline jeff666

    • A720IS
    Re: DryOS - some success
    « Reply #67 on: 07 / January / 2008, 21:13:55 »
    @DataGhost: Great that you're making progress.

    I did some investigation on "task_CaptSeqTask" and called the raw-save-function at some point that should be appropriate.

    The resulting file doesn't look like what I had expected. Obviously the memory location and the size of the raw-buffer need to be adjusted.

    Code:
    char *hook_raw_image_addr()
    {
        return (char*)(0x10400000+0x164000+0xBF0);
    }

    Now I wonder where these numbers come from and what they mean.



    *

    Offline ewavr

    • A710IS
    Re: DryOS - some success
    « Reply #68 on: 08 / January / 2008, 02:59:41 »
    Quote from: jeff666
    Code:
    char *hook_raw_image_addr()
    {
        return (char*)(0x10400000+0x164000+0xBF0);
    }

    Now I wonder where these numbers come from and what they mean.

    Somewhere there is a function, which uses the strings "CRAW BUF", "CRAW BUF SIZE" (in A710 @0xFFEBC23C, in A720 @0xFFDAB204). Likely that in A720 hook_raw_image_addr() should return 0x10F6C860, and hook_raw_size() - 0x9DCCE0 (this is very strange, because for A630 (also 8 MP) this value is 0x9E6F10).

    Edit: Matrix size should be 3336x2480 (0xD08*0x9B0, can be found @0xFFDA3720). 3336*2480*10/8=10341600(0x9DCCE0). This is new matrix type for dcraw converter.
    « Last Edit: 08 / January / 2008, 04:02:52 by ewavr »
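Added example, not from the thread or the CHDK sources: ewavr's size arithmetic run in both directions. `packed_raw_size` goes from dimensions and bit depth to a byte count; `raw_geometries` goes from a size constant found in firmware back to candidate sensor dimensions, so the buffer size and the width/height constants can be cross-checked before any memory is dumped. The function names and the 1.3 to 1.4 aspect-ratio window are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct geom { uint32_t w, h; };

/* Bytes needed for w*h pixels packed at bpp bits each. Returns 0 if the
   total is not a whole number of bytes or does not fit in 32 bits. */
uint32_t packed_raw_size(uint32_t w, uint32_t h, uint32_t bpp)
{
    uint64_t bits = (uint64_t)w * h * bpp;   /* 64-bit: no overflow */
    return (bits % 8 || bits / 8 > UINT32_MAX) ? 0 : (uint32_t)(bits / 8);
}

/* List every w x h that packs to exactly `size` bytes at bpp bits/pixel
   with 1.3 <= w/h <= 1.4 (assumed window around a 4:3 sensor).
   Returns the number of candidates; at most max are stored in out. */
size_t raw_geometries(uint32_t size, uint32_t bpp, struct geom *out, size_t max)
{
    uint64_t bits = (uint64_t)size * 8;
    size_t found = 0;
    if (bpp == 0 || bits % bpp)
        return 0;                            /* size cannot hold whole pixels */
    uint64_t pixels = bits / bpp;
    for (uint64_t h = 1; h * h <= pixels; h++) {
        if (pixels % h)
            continue;
        uint64_t w = pixels / h;
        if (10 * w < 13 * h || 10 * w > 14 * h)
            continue;                        /* outside the aspect window */
        if (found < max) {
            out[found].w = (uint32_t)w;
            out[found].h = (uint32_t)h;
        }
        found++;
    }
    return found;
}

int main(void)
{
    struct geom g[4];
    size_t n = raw_geometries(0x9DCCE0, 10, g, 4);   /* A720 size from the post */
    printf("0xD08 x 0x9B0 @ 10 bpp = 0x%X bytes\n",
           (unsigned)packed_raw_size(0xD08, 0x9B0, 10));
    for (size_t k = 0; k < n && k < 4; k++)
        printf("candidate: %ux%u\n", (unsigned)g[k].w, (unsigned)g[k].h);
    return 0;
}
```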

    *

    Offline DataGhost

    • EOS 40D, S5IS
      • DataGhost.com
    Re: DryOS - some success
    « Reply #69 on: 08 / January / 2008, 03:00:45 »
    As I said before, the LED thing didn't really get me excited. Now I'm at the point that it's beginning to get exciting, though :)

    http://stack.dataghost.com/08012008078.mp4 (My Nokia N80 sucks at making movies, and focus.... well, it doesn't do that.)
    There is still much to be done, though... this is currently forced, keyboard isn't hooked, I had to disable some more functions or the spytask process would crash, locking my camera (when calling histogram functions), etc, etc, etc. It's exciting to finally get some reward for the hard work :)

     
