
Compressed ROM data @ 0xfffa0000

    Compressed ROM data @ 0xfffa0000
    « on: 27 / January / 2009, 03:05:31 »
    Hi guys,

    I was wondering whether anyone had already found the compressed ROM data located at around 0xfffa0000 (on my ixus 85). I have identified the decompression method as being an ARM compilation of the standard zlib inflate() call. This is what I found:

    0xfffa0000 => Length of uncompressed data
    0xfffa0004 => Length of compressed data
    0xfffa0008 => Start of compressed data

    I dumped the compressed data and uncompressed it with a simple program that just calls 'uncompress()' from zlib on linux, which yielded about 90k of uncompressed data, starting with the string 'SIGE'. This signature is also searched for by the cam, so the decompression obviously was ok.

    I have no idea what this 90k of data is, except that I know that there is some white-balance programming in it. I think that this data may be in a separate EEPROM or something in the camera, separate from the flash memory used for the ROM code...

    Maybe there's some other cool stuff in there like the boot logo or other cam-specific settings (color matrix, dead pixels, ?)

    Attached is my raw uncompressed data.

    Re: Compressed ROM data @ 0xfffa0000
    « Reply #1 on: 27 / January / 2009, 04:02:55 »
    by the way, all this decompression seems to be done by ImgTbl.c

    fudgey (a570is)
    Re: Compressed ROM data @ 0xfffa0000
    « Reply #2 on: 27 / January / 2009, 16:20:10 »
    Neat...

    Well, I suppose for a570is 1.00e (vxworks digic III) this thing starts here (yours is twice as big...):

    ffff2000:    00009cb0    strheq   r9, [r0], -r0
    ffff2004:    00001145    andeq   r1, r0, r5, asr #2

    used similarly to your dryos cam from
    ffd46cb8:    e92d4ff0    push   {r4, r5, r6, r7, r8, r9, sl, fp, lr}
    ffd46cbc:    e3a04209    mov   r4, #-1879048192   ; 0x90000000
    ffd46cc0:    e1a047c4    asr   r4, r4, #15

    which is called from SystemTimerHandler, 0xffce8b00, which appears to start up a number of tasks, the names of some of which are directly visible from IDA signatures (DevelopModule AfIntSrvTask AFTask WBIntegTask OBCtrlTask WBCtrl FramePosition).

    Would you mind sharing your decompressor, I can't be arsed to figure out how zlib works since you already did that.  ;)

    Re: Compressed ROM data @ 0xfffa0000
    « Reply #3 on: 28 / January / 2009, 02:06:35 »
    Here you go

    gcc -o inflate inflate.c -lz
    #include <stdio.h>
    #include <stdlib.h>
    #include <zlib.h>               /* uncompress(), uLongf, Z_OK */

    int main(int argc, char *argv[])
    {
      FILE *fp;
      uLongf len;                   /* uncompress() writes the output length through a uLongf* */

      if(argc != 2) { printf("Bah! no file\n"); exit(1); }

      fp = fopen(argv[1], "rb");
      if(fp == NULL) { perror(argv[1]); exit(1); }

      fseek(fp, 0, SEEK_END);
      size_t size = ftell(fp);
      fseek(fp, 0, SEEK_SET);

      unsigned char *comp = malloc(size);   /* Bytef is unsigned char */

      if(fread(comp, 1, size, fp) != size) { fprintf(stderr, "short read\n"); exit(1); }
      fclose(fp);

      fprintf(stderr, "Size %zu\n", size);

      len = size * 100;             /* guess: the dump has no size header, so over-allocate */
      unsigned char *uncomp = malloc(len);

      if(uncompress(uncomp, &len, comp, size) != Z_OK) { fprintf(stderr, "uncompress failed\n"); exit(1); }

      fprintf(stderr, "Size %lu\n", (unsigned long)len);

      fwrite(uncomp, 1, len, stdout);
      return 0;
    }


    Re: Compressed ROM data @ 0xfffa0000
    « Reply #4 on: 28 / January / 2009, 02:10:20 »
    By the way, I don't understand your logic comparing your ARM code with mine :)

    My decompressor looks like this:

    ROM:FF8B91F0 LoadCompressedData                      ; CODE XREF: sub_FF82A1A8+4218p
    ROM:FF8B91F0                 LDR     R1, =0xFFFA0000
    ROM:FF8B91F4                 STMFD   SP!, {R4-R6,LR}
    ROM:FF8B91F8                 LDR     R0, [R1]        ; R0 = *(0xfffa0000)
    ROM:FF8B91FC                 LDR     R4, =0x6B2C
    ROM:FF8B9200                 STR     R0, [R4,#4]     ; 0x6b30 = *(0xfffa0000)
    ROM:FF8B9204                 LDR     R5, [R1,#4]     ; R5 = *(0xfffa0004)
    ROM:FF8B9208                 LDR     R1, [R4]        ; if(lpUncompressed != NULL) return;
    ROM:FF8B920C                 CMP     R1, #0
    ROM:FF8B9210                 LDMNEFD SP!, {R4-R6,PC}
    ROM:FF8B9214                 BL      DebugMalloc     ; lpUncompressed = malloc(*(0xfffa0000)
    ROM:FF8B9218                 STR     R0, [R4]
    ROM:FF8B921C                 MOV     R1, R0          ; R1 = lpUncompressed (destination uncompressed)
    ROM:FF8B9220                 LDR     R0, =0xFFFA0008 ; R0 = 0x0fffa0008 (compressed data)
    ROM:FF8B9224                 LDR     R3, [R4,#4]     ; r3 = *0xfffa0000 (uncompressed size)
    ROM:FF8B9228                 MOV     R2, R5          ; r2 = *(0xfffa0004) (compressed size)
    ROM:FF8B922C                 BL      inflate_data
    ROM:FF8B9230                 LDR     R0, [R4]        ; 'SIGE'

    whoever (IXUS950)
    Re: Compressed ROM data @ 0xfffa0000
    « Reply #5 on: 28 / January / 2009, 06:41:55 »
    Here (Ixus950, VxWorks, digic III) the data start at FFFC0000 and are about the same size as sharky's. The beginning of ImgTbl.c at FF99991C looks similar to fudgey's, and thus the code is rather different from DryOS. Also, zlib inflate doesn't seem to want to swallow the data; it must be a different encoding.
    Now, just looked at A720, dryos classic. The stuff there starts at FFFF2000, and is zlib-encoded. Twice shorter than sharky's though. Funny... But it's incomprehensible anyway...
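    As an added worked example (my own script, not sharky's inflate.c and not anything from the CHDK tree): it reads the 8-byte header described in the first post (uncompressed length at +0, compressed length at +4, zlib stream at +8) and sizes the output from that header instead of the size*100 guess, checks that the stream actually carries an RFC 1950 zlib header before trying to inflate it (which is the quick way to tell a VxWorks blob like whoever's, where inflate refuses the data, from a DryOS one), refuses a stream that does not end exactly where the header says, and then checks the 'SIGE' ... 'sige' bracketing that ewavr reports. The function names, the rom_base/table_addr parameters of extract_from_dump and the sample blob built by build_sample_blob are my assumptions for illustration; no bytes from a real camera are embedded.

```python
import struct
import zlib

# Header layout from the first post: two little-endian u32s, then the zlib stream at +8.
HEADER = struct.Struct("<II")
HEADER_SIZE = HEADER.size  # 8


def looks_like_zlib(stream: bytes) -> bool:
    """RFC 1950 header check: CM must be 8 (deflate) and CMF*256+FLG a multiple of 31.
    Data that fails this is not a zlib stream, whatever the length fields say."""
    if len(stream) < 2:
        return False
    cmf, flg = stream[0], stream[1]
    return (cmf & 0x0F) == 8 and ((cmf << 8) | flg) % 31 == 0


def parse_header(blob: bytes):
    """Return (uncompressed_len, compressed_len) after checking they fit the blob."""
    if len(blob) < HEADER_SIZE:
        raise ValueError("blob is shorter than the 8-byte header")
    uncompressed_len, compressed_len = HEADER.unpack_from(blob, 0)
    if uncompressed_len == 0:
        raise ValueError("header declares an empty table")
    if compressed_len > len(blob) - HEADER_SIZE:
        raise ValueError(f"compressed length {compressed_len:#x} runs past the end of the blob")
    return uncompressed_len, compressed_len


def inflate_table(blob: bytes) -> bytes:
    """Inflate the table, sized by the header rather than by a size*100 guess."""
    uncompressed_len, compressed_len = parse_header(blob)
    stream = blob[HEADER_SIZE:HEADER_SIZE + compressed_len]
    if not looks_like_zlib(stream):
        raise ValueError("no valid zlib header at +8; the table may use a different encoding")
    d = zlib.decompressobj()
    # max_length caps the output at the declared size, so a bad length field cannot
    # make this script allocate more than the firmware itself would.
    out = d.decompress(stream, uncompressed_len)
    if not d.eof or d.unconsumed_tail:
        raise ValueError("stream did not end where the header said it would")
    if len(out) != uncompressed_len:
        raise ValueError(f"got {len(out):#x} bytes, header promised {uncompressed_len:#x}")
    return out


def has_sige_signature(table: bytes) -> bool:
    """'SIGE' at the start (first post) and 'sige' at the end (ewavr's SX100IS RAM dump)."""
    return table.startswith(b"SIGE") and table.endswith(b"sige")


def extract_from_dump(dump: bytes, rom_base: int, table_addr: int) -> bytes:
    """Pull the table out of a raw ROM dump; rom_base and table_addr are assumed inputs."""
    if not rom_base <= table_addr < rom_base + len(dump):
        raise ValueError("table address is outside the dump")
    return inflate_table(dump[table_addr - rom_base:])


def build_sample_blob(table: bytes) -> bytes:
    """Constructed test input: pack a table the way the ROM does. Not from any real camera."""
    stream = zlib.compress(table)
    return HEADER.pack(len(table), len(stream)) + stream


if __name__ == "__main__":
    import sys
    # Usage: python3 sige_inflate.py <rom_dump.bin> <rom_base_hex> <table_addr_hex> > table.bin
    data = open(sys.argv[1], "rb").read()
    table = extract_from_dump(data, int(sys.argv[2], 16), int(sys.argv[3], 16))
    print(f"{len(table):#x} bytes, signature ok: {has_sige_signature(table)}", file=sys.stderr)
    sys.stdout.buffer.write(table)
```

    The header-driven size also removes the silent truncation that uncompress() would produce if the 100x guess ever turned out too small; with decompressobj the script sees the mismatch and reports it instead of writing a short file.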

    Re: Compressed ROM data @ 0xfffa0000
    « Reply #6 on: 28 / January / 2009, 07:34:46 »
    yeah, no string, just lots of integers that look a lot like each other ...

    I have tried staring at the numbers (a la 'a beautiful mind') but nothing's coming to me .. :)

    ewavr (A710IS)
    Re: Compressed ROM data @ 0xfffa0000
    « Reply #7 on: 28 / January / 2009, 08:17:00 »
    In SX100IS this uncompressed table ("SIGE" ... "sige") with correct size (0xA004) can be found in RAM dump.
    Official firmware update for VxWorks cameras also contains this table (uncompressed, with "ImgTbl.bin" name.)


    whoever (IXUS950)
    Re: Compressed ROM data @ 0xfffa0000
    « Reply #8 on: 28 / January / 2009, 10:55:28 »
    Official firmware update for VxWorks cameras also contains this table (uncompressed, with "ImgTbl.bin" name.)
    Which means it is not specific to an individual camera. Which in turn means it cannot contain hot-pixel table.
    Which actually gives an idea of how to find the freakin' table -- get full ROM dumps of two same-model cameras, and compare the dumps. Of course there'll be differences in camera-log and "customer-supplied" data, but otherwise it seems feasible...

    whim (A495/590/620/630 ixus70/115/220/230/300/870 S95)
    Re: Compressed ROM data @ 0xfffa0000
    « Reply #9 on: 28 / January / 2009, 11:01:23 »
    Quote
    Which means it is not specific to an individual camera.

    ...unless he just meant it contains the "SIGE......sige" structure


    wim

     
