A2000 IS dump - page 3 - Firmware Dumping - CHDK Forum

A2000 IS dump

  • 39 Replies
  • 23349 Views
Re: A2000 IS dump
« Reply #20 on: 19 / December / 2008, 09:08:31 »
Advertisements
Tried everything to repeat, but nothing so far, strange. Try again today.

Now, I am not using CartTricks much, I just used them to format card and make it bootable. I am opening dumps in hexeditor and striping zeros at the begining and at the and here as well.

It looks I sucessfully loaded dump in IDA, but I have not much experience in ARM assembler.

Re: A2000 IS dump
« Reply #21 on: 02 / January / 2009, 13:06:01 »
I just got an A2000IS with the 1.00A firmware on it.  I've tried all the udumper builds on this thread so far using the normal on button (not the play button). I haven't had any success yet and just curious if exander or anyone has had any repeatable dump process yet.  I'm going to retry all the udumper build using the play button next round to see if that makes a difference.

*

Offline fe50

  • ******
  • 3152
  • IXUS50 & 860, SX10 Star WARs-Star RAWs
    • fe50
Re: A2000 IS dump
« Reply #22 on: 02 / January / 2009, 16:02:28 »
@exander
...I tried everything so I wanted to compile my own udumper, but it didn't want to boot.

FYIO: if you want to compile your own udumper (or a blinker to check LED addresses / your own port), don't forget to encode the binary file at the end of the process.
This is needed for all newer (NewDryOS) cameras. The encoder is in the SVN tree (dancingbits.c) and also within the Cardtricks source, file 'encode.c'.

-> The camera ignores unencoded binaries, you'll get the 'card locked' message...
« Last Edit: 02 / January / 2009, 16:04:29 by fe50 »

*

Maus

Re: A2000 IS dump
« Reply #23 on: 17 / April / 2009, 12:01:31 »
I also have a A2000IS 1.00A here and tried to dump its firmware -- so far, as chiropterian, unsuccessful.


Re: A2000 IS dump
« Reply #24 on: 15 / May / 2009, 21:22:18 »
Don't know, how it happened.
If I am successfull at school (I gonna be bachelor  :D), I'll give it a next try during summer, maybe even try porting.

Re: A2000 IS dump
« Reply #25 on: 16 / May / 2009, 15:45:19 »
After I posted tomorrow, I got som urge to try something out.

I did a few tweaks in udumper and I verify, that:

  • udumper succesfully boots up on default pading (16K)
  • A2000IS main diod is 0xC02200CC and I sucesfully turned it on and off

Modified udumper is attached.

The problem is, that it hangs on firmware dumping - wr(0, START_SECTOR, (0xFFFFFFFF - FW_ADDRESS + 1)/512, FW_ADDRESS) and the dion never goes off. I choose FW_ADDRESS 0xFFC00000, which was mentioned as the address, where firmware loads. I tried also 0xFF810000.

I tried to modify clearing value and for (i = 0x3000; i<0x30000; i+=4) *(int*)i=0 works as well as the default value.

But it always hangs on firmware dumping.

Code: [Select]
for (i=0x1900;i<0xF0000;i+=4)
  if ((*(unsigned int*)(i+0x34)==0) &&
      (*(unsigned int*)(i+0x38)==0) &&
      (*(unsigned int*)(i+0x3C)==3) &&
      (*(unsigned int*)(i+0x4C)>MIN_ADDRESS) &&
      (*(unsigned int*)(i+0x50)>MIN_ADDRESS)) {
     
     debug_led(1);
wr=(f_w)*(unsigned int*)(i+0x50);
for (i = 0x1c00; i<0x30000; i+=4) *(int*)i=0;
wr(0, START_SECTOR, (0xFFFFFFFF - FW_ADDRESS + 1)/512, FW_ADDRESS);
debug_led(0);
}

What could be the problem?

If I comprehend the code correctly, I am going through the memory, trying to find address for function, which saves memory to SD card. And when such address is found I call it to dump firmware. Is this right?

I even try, tu dump some random memory wr(0, 2048, 1, 0x3000) and it hanged as well.

BTW by hang I mean several minutes to infinity  :D
« Last Edit: 16 / May / 2009, 15:53:10 by exander »

*

Offline reyalp

  • ******
  • 14119
Re: A2000 IS dump
« Reply #26 on: 16 / May / 2009, 17:54:44 »
Does the LED light before it hangs ?

If it does, then a function is found, but it doesn't work. If it doesn't, then the function isn't found at all.

Since you have an LED, you could dump using the old blinker method (see http://chdk.wikia.com/wiki/Porting_the_CHDK ) . Or you could try a more sophisticated search for the writing function.

The current udumper looks in RAM for a pointer to the desired function, relying on the fact that it is preceded by ints 0 0 3 and two pointers at specific offsets. This pattern could easily have changed, or there could be more than one match in newer cameras. If there are multiple matches, you should be able to find this out quite quickly with LED debugging (blink once for each match or something).

One alternate approach would be to find the function that udumper normally uses in a known working firmware, and then use something like the finsig code to find the actual function in ROM.

Another approach has crossed my mind as well. Since loader is almost entirely generic, and we have task hooking in dryos, it may be possible to make a (very nearly) generic loader that lets you run code with the OS actually loaded. Using strings from eventproc tables you should be able to find enough functions to dump ROM without too much trouble. You may have to pull out a few constants, but you can do that with LED debugging. The one stumbling block I see is finding a safe place to put our code, but simply putting it somewhere in the middle of the heap might work.
Don't forget what the H stands for.

Re: A2000 IS dump
« Reply #27 on: 16 / May / 2009, 19:37:02 »
Sorry, no, dump in not a problem, I already dumped once and I have fully functional dump. But I still cant figure out how it happened, I try to repeat it with several modifications, but I cant get dump again. And it really bugs me.

I got dump in a very long night, when I was nearly sleeping, compiling my own udumper, which don't want to boot, I was changing udumper on card several times without accually controling if something happened, becoause I was just trying to compile booting udumper. Then I just for fun opened dump and It was there and me: WTF, how did that happened?  :D

Since then every dumping hangs on writing to sd card without actually dumping someting.
« Last Edit: 16 / May / 2009, 19:39:06 by exander »


*

Offline fe50

  • ******
  • 3152
  • IXUS50 & 860, SX10 Star WARs-Star RAWs
    • fe50
Re: A2000 IS dump
« Reply #28 on: 18 / May / 2009, 04:59:32 »
Sorry, no, dump in not a problem, I already dumped once and I have fully functional dump.

Could you pls. upload this dump somewhere & post us a link ?

Re: A2000 IS dump
« Reply #29 on: 18 / May / 2009, 08:56:04 »
My dump is already posted in this topis and also on chdk wifi. It has been several months. (I created this topic  :))
The dump was checked and was said to be fully functional.

So I have dump.
I can boot from card by locking the card and pressing power button.
Led is fully functional.
But when I tried to repeat dumping (to understand how to get dump and help others trying to dump) it every time hangs on on WriteSDCard function.

It is possible to find address of WriteSDCard function in firmware dump? I cound try udumper with fixed address?
« Last Edit: 18 / May / 2009, 09:04:04 by exander »

 

Related Topics


SimplePortal 2.3.6 © 2008-2014, SimplePortal