SD870IS Firmware dumping - page 5 - Firmware Dumping - CHDK Forum

SD870IS Firmware dumping

  • 60 Replies
  • 30309 Views
*

Offline GrAnd

  • ****
  • 916
  • [A610, S3IS]
    • CHDK
Re: SD870IS Firmware dumping
« Reply #40 on: 23 / January / 2008, 01:46:40 »
Advertisements
AFAIR, the blinker already outputs 10000 of 0xAA bytes at the beginning. So, you might do not need to re-dump anything, if the signal is readable enough.

PS. Various signal strengths, which were enough (even the last one) to get a dump:
« Last Edit: 23 / January / 2008, 01:53:44 by GrAnd »
CHDK Developer.

Re: SD870IS Firmware dumping
« Reply #41 on: 23 / January / 2008, 01:48:33 »
I used scotch tape to tape the sensor over the LED.

However, I seem to have some DC lag in the data. It may be because the detector is a phototransistor that I diode-connected (shorted collector to base). I'm getting the sync errors but can't get the thresholds set with the data that I have (garbage?).


*

Offline RyeBrye

  • **
  • 73
  • SD-870
Re: SD870IS Firmware dumping
« Reply #42 on: 23 / January / 2008, 10:13:12 »
My first dump had stuff like that in it... Not quite that severe - I would see stuff like that if I somehow would touch phototransistor and would accidently short it out...

The dump I did with the 2500 baud settings was looking fantastic - but this morning I went down to that machine that was doing it and it was completely locked up... strange - since the machine had an uptime of about 120 days at that point...

I tried to recover the files from Audacity - but the default temp directory is an actual system temp directory and they got wiped when the machine rebooted... go figure.

I adjusted the temp directory and will try again today.

So - I'm charging my battery now and hope it will get charged enough to do a full dump today at the slower speed setting while I'm at work. I wont be able to get anything to work with until this evening - but the dump was looking very consistent and like it would be a piece-of-cake to parse out...

Lobo - if you can keep yours going, it will be really good to have 2 dumps to compare.

What starting address are you using? I'm assuming because it's an IXUS camera it starts at the 0xff8 or whatever address - instead of the default one in the dumper... at least that's what I've gathered from reading other boards. (I don't know if that address is for sure the correct one - that's from memory) [the address is in the dumper file, but commented out - you can uncomment it and comment the other one to swap the two]

*

Offline RyeBrye

  • **
  • 73
  • SD-870
Re: SD870IS Firmware dumping
« Reply #43 on: 23 / January / 2008, 21:22:00 »
I redid the dump with the 2500 BAUD settings, and am trying to get the ADC thing to work.

No matter what I seem use for settings, I get tons of SYNC_ERRORS - is this normal?

If it would help, I can upload a chunk of it somewhere you can get access to it... I can upload the raw recording, and then the one I've normalized and amplified to try to get more of a range to clip...

I can also output some of the sample ^^^^___ dumps along with my settings if that would help reveal any potential problems. 


*

Offline RyeBrye

  • **
  • 73
  • SD-870
Re: SD870IS Firmware dumping
« Reply #44 on: 24 / January / 2008, 00:38:29 »
Ok... I've gone nuts tweaking settings and the best I have gotten so far is a result that just gives me these CRC errors:


./bin/chdk_dec | grep FAIL
found SIG at    3898... Base: ff800000 CRC...d401...FAIL
found SIG at   11149... Base: ff801c00 CRC...d401...FAIL
found SIG at   47408... Base: ff80a800 CRC...007c...FAIL
found SIG at  143756... Base: ff821c00 CRC...5af8...FAIL
found SIG at  520859... Base: ff87cc00 CRC...d70c...FAIL
found SIG at  652430... Base: ff89c800 CRC...f6f9...FAIL
found SIG at  866881... Base: ff8d0400 CRC...931f...FAIL
found SIG at 1214976... Base: ff924400 CRC...1343...FAIL
found SIG at 1585863... Base: ff97dc00 CRC...d7e2...FAIL
found SIG at 2005442... Base: ff9e3000 CRC...7b58...FAIL
found SIG at 2006478... Base: ff9e3400 CRC...2163...FAIL
found SIG at 2025125... Base: ff9e7c00 CRC...73b2...FAIL
found SIG at 2026160... Base: ff9e8000 CRC...65cb...FAIL
found SIG at 2040663... Base: ff9eb800 CRC...c543...FAIL
found SIG at 2049986... Base: ff9edc00 CRC...ad78...FAIL
found SIG at 2215745... Base: ffa15c00 CRC...465f...FAIL
found SIG at 2429160... Base: ffa49400 CRC...1c9b...FAIL
found SIG at 2431231... Base: ffa49c00 CRC...c703...FAIL
found SIG at 2868422... Base: ffab3400 CRC...acc0...FAIL
found SIG at 2962697... Base: ffaca000 CRC...d21f...FAIL
found SIG at 2978236... Base: ffacdc00 CRC...4b4f...FAIL
found SIG at 3336691... Base: ffb24400 CRC...d401...FAIL
found SIG at 3456866... Base: ffb41400 CRC...6ccd...FAIL


So... I'm getting CLOSE - but not quite there... Although I can confirm that this camera is definitely DryOS:


DRYOS version 2.3, release #0023

*

Offline GrAnd

  • ****
  • 916
  • [A610, S3IS]
    • CHDK
Re: SD870IS Firmware dumping
« Reply #45 on: 24 / January / 2008, 04:59:42 »
So, you are quite close to the finish line.
You can modify blinker to dump only broken addresses (1 block from each base address listed above). It will take you just a seconds to get a new dump.
Then run adc.exe on this new micro-dump.
Then run dec.exe (do not remove output file (dump.dat) from previous decoding). It's smart enough to do incremental decoding (it outputs only correct blocks and does not override any others).
CHDK Developer.

*

Offline RyeBrye

  • **
  • 73
  • SD-870
Re: SD870IS Firmware dumping
« Reply #46 on: 24 / January / 2008, 08:07:09 »
Beautiful!

Actually... last night just re-ran the whole dump because it was late and a 5-hour dump is nothing compared to a few hours of sleep...

If there area any blocks that are bad again in the second dump, then I will definitely modify the blinker to only output the needed blocks.

Is there a sample piece of code I can use to output just those blocks I need?

I'm down to:

found SIG at  110505... Base: ff819c00 CRC...26df...FAIL
found SIG at 1100920... Base: ff908c00 CRC...0944...FAIL
found SIG at 1683144... Base: ff995400 CRC...9d1a...FAIL
found SIG at 1685215... Base: ff995c00 CRC...e3c1...FAIL
found SIG at 2459106... Base: ffa50800 CRC...aca7...FAIL
found SIG at 2562705... Base: ffa69800 CRC...fbd7...FAIL
found SIG at 3203988... Base: ffb04400 CRC...d401...FAIL
found SIG at 3682619... Base: ffb77c00 CRC...d401...FAIL
found SIG at 4160214... Base: ffbeb000 CRC...d401...FAIL


From the second dump I did... but those blocks don't seem to overlap the blocks from the first dump? Do I need to strip anything out of the dump files before running dec?
« Last Edit: 24 / January / 2008, 09:24:06 by RyeBrye »

*

Offline GrAnd

  • ****
  • 916
  • [A610, S3IS]
    • CHDK
Re: SD870IS Firmware dumping
« Reply #47 on: 24 / January / 2008, 09:47:00 »
From the second dump I did... but those blocks don't seem to overlap the blocks from the first dump? Do I need to strip anything out of the dump files before running dec?

Nope. The dec.exe will override blocks with good CRC (but they should be the same, right?), will not touch good blocks if they have wrong CRC in a new dump and write the rest with good CRC. So, you should have a complete dump after run of the adc/dec couple with the both data you got (if the erroneous blocks are different in dumps).
« Last Edit: 24 / January / 2008, 09:50:28 by GrAnd »
CHDK Developer.

*

Offline RyeBrye

  • **
  • 73
  • SD-870
Re: SD870IS Firmware dumping
« Reply #48 on: 24 / January / 2008, 10:53:03 »
Nope. The dec.exe will override blocks with good CRC (but they should be the same, right?), will not touch good blocks if they have wrong CRC in a new dump and write the rest with good CRC. So, you should have a complete dump after run of the adc/dec couple with the both data you got (if the erroneous blocks are different in dumps).

Beautiful. What made me wonder was I would md5 the dump.dat file and then run with alternating dump files, and even though I had already used both dump files (thus, all correct blocks should be in the dump.dat already) - the md5 would change. (strange)

I read in another thread about a portion of the firmware only be included in some dumps and not others - meaning... sometimes a piece of it would get dumped out and other times it would not - I wonder if this behavior would explain the change of the md5 for the dump.dat...

Since I was able to get so few errors on the second dump without much effort, I'm going to try to tweak the audio file (normalize, amplify... etc) and reprocess it with new settings to see if I can get a complete dump out of a single run...

When I do get a finished dump file - what should I do with it?

*

Offline GrAnd

  • ****
  • 916
  • [A610, S3IS]
    • CHDK
Re: SD870IS Firmware dumping
« Reply #49 on: 24 / January / 2008, 11:09:34 »
Beautiful. What made me wonder was I would md5 the dump.dat file and then run with alternating dump files, and even though I had already used both dump files (thus, all correct blocks should be in the dump.dat already) - the md5 would change. (strange)
The actual firmware is started from 0xFF810000. Your dump is from 0xFF800000. So, the differences could be in the first 64KB.

When I do get a finished dump file - what should I do with it?
Al least upload it somewhere and post the link.
CHDK Developer.

 

Related Topics


SimplePortal © 2008-2014, SimplePortal