I am going to get an SD980 soon - Firmware Dumping - CHDK Forum

*

RaduP
I am going to get an SD980 soon
« on: 08 / September / 2009, 23:36:56 »
Probably by Friday.
I would really like to have CHDK on it, so the first step would be to dump the firmware. From reading a few threads here, it seems that the udumper doesn't work on some of the new cameras, such as the SD960, so I guess it is safe to assume it won't work on this camera either.
Is there anything I can try to get the udumper to work? For example, from an older source, it seems that it is looking for a pointer to the function that writes sectors on disk. Would it be possible to actually search for the function signature in the ROM, and call the function directly, rather than through the pointer?

If all else fails, I guess I can try the LED blinking. I have a few PIC microcontrollers and phototransistors, and might be able to blink it to the sound card (I don't have the chip to interface with the RS232).

*

reyalp
Re: I am going to get an SD980 soon
« Reply #1 on: 08 / September / 2009, 23:57:53 »
There are several issues:
- diskboot is encoded differently on these cameras: http://chdk.setepontos.com/index.php/topic,4095.0.html
- udumper encoded as an FI2 doesn't appear to work, even when a properly encoded diskboot does (reported on SX200). Presumably something important gets clobbered by the FI2 loading process or some other sensitivity to the values in memory. If you can figure out what this is, you can possibly load udumper as an FI2.
- So far, the new encoding is only confirmed on the SX200; it's possible that other cameras use a different encoding, although strangely the key appears to be the same in IXUS 100.

Quote
Would it be possible to actually search for the function signature in the ROM, and call the function directly, rather than through the pointer?
Sure, find WriteSDCard on another camera, and look for that. But remember it expects various OS structures to be valid, so calling it isn't necessarily the problem.
Don't forget what the H stands for.

*

RaduP
Re: I am going to get an SD980 soon
« Reply #2 on: 09 / September / 2009, 00:11:15 »
Ok, thanks for the info.
But do you have any idea why the udumper is actually trying to find the pointer to the function rather than the signature of the function? Is there some other magic involved?

Quote
Presumably something important gets clobbered by the FI2 loading process or some other sensitivity to the values in memory.
Since the code is loaded where the functions table is, do you think just the pointer to the function is destroyed, or maybe something else too, like the pointer to other functions that are called by WriteSDCard?

*

reyalp
Re: I am going to get an SD980 soon
« Reply #3 on: 09 / September / 2009, 00:19:11 »
Quote
Ok, thanks for the info.
But do you have any idea why the udumper is actually trying to find the pointer to the function rather than the signature of the function? Is there some other magic involved?
I suspect it was just what was figured out first.
Don't forget what the H stands for.


*

RaduP
Re: I am going to get an SD980 soon
« Reply #4 on: 09 / September / 2009, 00:30:14 »
And I guess it's faster too, and maybe a little less code. But it seems a pretty unreliable method, since the address of the functions is more likely to change than their first few bytes.

*

reyalp
Re: I am going to get an SD980 soon
« Reply #5 on: 09 / September / 2009, 00:48:47 »
Quote
And I guess it's faster too, and maybe a little less code. But it seems a pretty unreliable method, since the address of the functions is more likely to change than their first few bytes.
udumper doesn't rely on the address not changing. It relies on some constants and offsets within a structure not changing. A struct with a pointer to WriteSDCard (ISTR ReadSDCard is in there too) is almost certainly something fairly low level in dryos that doesn't change often. The number of cameras udumper does work on also supports this ;)

Should probably link http://chdk.setepontos.com/index.php/topic,4069.0.html for anyone else reading the thread ;)
Don't forget what the H stands for.
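
The two lookup strategies discussed in this thread, scanning for a function's byte signature versus following a pointer stored at a fixed offset in a structure, as an added sketch that is not udumper's code or part of any post. The prologue bytes, marker constant, pointer offset and load address are all constructed for the example and do not come from any real firmware.

```c
#include <stdint.h>
#include <string.h>

#define BASE   0xFF000000u  /* constructed load address, not a real camera's */
#define MARKER 0x12345678u  /* constructed constant identifying the struct */
#define PTROFF 8            /* constructed offset of the function pointer */

/* Constructed ARM prologue: STMFD SP!,{R4-R6,LR}; BL <target>; MOV R4,R0.
   The BL displacement varies between builds, so its three bytes are masked out. */
static const uint8_t PAT[12]  = {0x70,0x40,0x2D,0xE9, 0,0,0,0xEB, 0x00,0x40,0xA0,0xE1};
static const uint8_t MASK[12] = {0xFF,0xFF,0xFF,0xFF, 0,0,0,0xFF, 0xFF,0xFF,0xFF,0xFF};

/* Little-endian 32-bit load and store. */
static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Signature approach: word-aligned masked compare; returns image offset or -1. */
long find_signature(const uint8_t *rom, size_t len) {
    for (size_t i = 0; i + sizeof PAT <= len; i += 4) {
        size_t j = 0;
        while (j < sizeof PAT && ((rom[i + j] ^ PAT[j]) & MASK[j]) == 0) j++;
        if (j == sizeof PAT) return (long)i;
    }
    return -1;
}

/* Structure approach: find the marker, read the pointer at PTROFF, check it lies in the image. */
long find_via_struct(const uint8_t *rom, size_t len) {
    for (size_t i = 0; i + PTROFF + 4 <= len; i += 4) {
        if (rd32(rom + i) != MARKER) continue;
        uint32_t ptr = rd32(rom + i + PTROFF);
        if (ptr >= BASE && ptr - BASE < len) return (long)(ptr - BASE);
    }
    return -1;
}

/* Build a constructed image; the caller guarantees both offsets fit inside len. */
void make_rom(uint8_t *rom, size_t len, size_t func_off, uint32_t bl_disp, size_t struct_off) {
    memset(rom, 0, len);
    memcpy(rom + func_off, PAT, sizeof PAT);
    wr32(rom + func_off + 4, 0xEB000000u | (bl_disp & 0xFFFFFFu));
    wr32(rom + struct_off, MARKER);
    wr32(rom + struct_off + PTROFF, BASE + (uint32_t)func_off);
}

int main(void) {
    uint8_t rom[256];
    make_rom(rom, sizeof rom, 0x40, 0x000123, 0x80);
    return !(find_signature(rom, sizeof rom) == 0x40 && find_via_struct(rom, sizeof rom) == 0x40);
}
```

Both lookups survive the function moving between builds; only the structure lookup fails when the structure itself has been overwritten in memory, and finding the function by either route says nothing about whether the OS state it depends on is still valid.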

*

RaduP
Re: I am going to get an SD980 soon
« Reply #6 on: 09 / September / 2009, 01:01:04 »
Good idea about posting the link to that thread.

From some other thread (I forgot which one), it seems that even if the signature is found and you call that function it doesn't work with the new cameras. Or did I understand it wrong?
Anyway, since you got the SX200 firmware, were you able to look at the ReadSDCard function and see if anything changed? I am not fluent in ARM assembly so I won't be able to tell what it does and if/what changed.

*

reyalp
Re: I am going to get an SD980 soon
« Reply #7 on: 09 / September / 2009, 01:30:45 »
It was reported that udumper diskboot encoded with the new settings worked unchanged on the SX200 http://chdk.setepontos.com/index.php/topic,3994.msg38483.html#msg38483

I haven't looked at WriteSDCard in detail. I think I looked at it earlier, decided it was complicated and I should look at encoding first. Since that turned out to be the problem, there was no need to keep looking at WriteSDCard.

You will need a fair bit of assembler if you intend to make a CHDK port. Most of it comes down to exactly this problem of looking at code in a known firmware, finding the equivalent in the new firmware, and figuring out which differences are significant.
Don't forget what the H stands for.


*

RaduP
Re: I am going to get an SD980 soon
« Reply #8 on: 09 / September / 2009, 01:38:45 »
Ok, so it worked on the SX200, but not on some other cameras, such as SD960? Could it be because of a different encryption, or because WriteSDCard changed?

Regarding the CHDK port, first I will just try to get the dump, then worry about the rest later. I don't know the exact process of porting chdk, I thought it was mainly about finding function signatures and getting the structures with pointers and functions populated.

*

reyalp
Re: I am going to get an SD980 soon
« Reply #9 on: 09 / September / 2009, 02:18:18 »
Quote
Ok, so it worked on the SX200, but not on some other cameras, such as SD960? Could it be because of a different encryption, or because WriteSDCard changed?
Unknown, the data available appears contradictory.
Don't forget what the H stands for.

 
