Noob trying to dump 500D/T1i, need some input... - Firmware Dumping - CHDK Forum

Noob trying to dump 500D/T1i, need some input...
« on: 05 / October / 2009, 13:10:44 »
I'm on Linux, so I can't use Card Tricks, but this is what I've done so far:

1. I haven't got a small SD-card, so I'm trying this with a 16 GB SDHC, with a small boot-partition.
2. I tried putting a vers.req and ver.req on the card and using "set+disp" to get a version string. No go.
3. I formatted the card using gparted, one 32 MB FAT16 partition and one big Fat32 for the rest of the card.
4. I labeled the boot partition "BOOT" for no apparent reason (just for me to be able to tell them apart).
5. I then used 'sudo sh -c "echo -n BOOTDISK | dd bs=1 count=8 seek=64 of=/dev/mmcblk0p1"' to write the bootsector of the partition.
6. I tried "booting" the camera with the empty card, hoping to make it halt the boot process (to prove to myself it would read the card). No go.
7. I tried putting newdryos.bin (from udumpfull.zip, renamed to diskboot.bin) on the card and then booting. No go.
8. I tried renaming the file autoexec.bin. No go.

"No go" means that the camera started normally, with the occasional addition of warning for a full/write protected SD-card.

That's about as far as I've got right now. Oh, I should add that I did have write protection on while booting, and removed (and replaced :)) the battery prior.

There was a mention about labeling the partition with "EOS_DEVELOP" instead of "BOOTDISK" on the 5D mark II page, I'll try that next.

BTW, did i overwrite the bootsector with gparted when I labeled it? I'm guessing not, but I'm not totally sure where the partition label gets written to. I'll try reading it back with dd to make sure. Would a 2 GB card help? I'm guessing the limit is in partition size and not overall card size, but I think I have a 2 GB lying around somewhere I could try.

I will update this thread as I try different things... Any pointers from more experienced CHDK users is very welcome.

/Andreas

Re: Noob trying to dump 500D/T1i, need some input...
« Reply #1 on: 05 / October / 2009, 14:02:11 »
I've now confirmed that my hunch was right, the volume label and the "boot sector" of the disk are (obviously) two separate things, I read 'em both in hexedit. Should've probably known that already, but my mind tends to discard info I can easily look up, and keep really useless trivia instead... I also saw that I accidentally left the "LOP" behind when I reentered "BOOTDISK" into the boot sector. Sloppy...

Well, I've now tried different combinations of labels in the boot sector and different file names for the diskboot.bin, but none seem to work.

I'm guessing a 2GB card would be no better than a 16GB, so I'm not going down that road unless someone recommends it.

Since the 50D and 5D mark II seem similar (DryOS, Digic IV, DSLR), I'll look into how those boot and see if I can get anything useful out of it.

PS Could someone confirm what should happen when the camera actually tries to boot the dumper? The first sign should be a blank screen, right?

/Andreas

Re: Noob trying to dump 500D/T1i, need some input...
« Reply #2 on: 05 / October / 2009, 18:57:25 »
Ok, so I found out how to start the camera in playback mode (press playback button while turning on, doh!), but still no joy with ver.req/vers.req. Maybe the procedure is different with a DSLR?

/Andreas

Re: Noob trying to dump 500D/T1i, need some input...
« Reply #3 on: 06 / October / 2009, 08:33:12 »
Argh, I'm really flaunting my ignorance here :D. Maybe a little RTFM would do me good.

There's no need for ver.req, the version number (1.0.9) is right there in the menu, but only when in non-auto modes. Hidden from dummies like me ;).

I found my 2GB card, so I'm gonna use that instead, as I wasn't using it for anything in particular anyway.
I now have tested with the combination of "EOS_DEVELOP" in the partition label (0x2B) and "BOOTDISK" in the boot record (0x40) as in this post on the 400d. Still unsure about filename, so I tried both BOOTDISK.BIN and AUTOEXEC.BIN, no joy. I also tried the bootdisk.bin from "udumper-new-new-dryos.zip" (can't find the thread again), but still no go.

Maybe I need repack to encode the bin to fi2? There's very little info on the 500d, I'm basically in the dark here.

I'm guessing the easiest way right now would be to load something through the firmware update mechanism. I'm a little hesitant about this, need to read a little more so I'm sure not to brick my camera.

/Andreas
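The offset writes described in step 5 of the first post and in reply #3 (volume label at 0x2B, "BOOTDISK" at 0x40), as an added example that is not from this thread and not code from the CHDK or Magic Lantern projects: it builds a constructed FAT16 boot sector in memory, applies both markers as whole fields, and reads them back so a partial write (like the leftover bytes mentioned in reply #1) is caught before the card goes anywhere near the camera. The offsets are the FAT16 ones given in the thread; other FAT variants place these fields elsewhere, and the sample BPB values are made up for a 32 MB partition.

```python
"""Added example (not from the thread): build a sample FAT16 boot sector, apply the
two markers the posts describe, and read them back to verify the write landed."""
import struct
import tempfile

SECTOR_SIZE = 512
LABEL_OFFSET = 0x2B      # FAT16 volume label field: 11 bytes, space padded
LABEL = b"EOS_DEVELOP"
BOOTMARK_OFFSET = 0x40   # 64 decimal, the seek= value in the dd command in step 5
BOOTMARK = b"BOOTDISK"
# The FAT16 boot-code area begins at 0x3E, so the 8 bytes at 0x40 sit two bytes into it.


def make_sample_boot_sector() -> bytearray:
    """Constructed sample: a plausible FAT16 boot sector for a 32 MB partition.
    It is not an image of a real card; only the field layout matters here."""
    sec = bytearray(SECTOR_SIZE)
    sec[0:3] = b"\xeb\x3c\x90"                # x86 jump over the BPB
    sec[3:11] = b"MSWIN4.1"                   # OEM name
    struct.pack_into("<HBHBHHBHHHII", sec, 11,
                     512,     # bytes per sector
                     4,       # sectors per cluster
                     4,       # reserved sectors
                     2,       # number of FATs
                     512,     # root directory entries
                     0,       # 16-bit total sectors (unused, see 32-bit field)
                     0xF8,    # media descriptor: fixed disk
                     64,      # sectors per FAT
                     32,      # sectors per track
                     64,      # heads
                     0,       # hidden sectors
                     65536)   # 32-bit total sectors: 32 MB at 512 bytes each
    sec[0x24] = 0x80                          # BIOS drive number
    sec[0x26] = 0x29                          # extended boot signature
    sec[0x27:0x2B] = b"\x12\x34\x56\x78"      # volume serial number (constructed)
    sec[LABEL_OFFSET:LABEL_OFFSET + 11] = b"BOOT".ljust(11)  # label as a partitioner left it
    sec[0x36:0x3E] = b"FAT16   "              # filesystem type string
    sec[510:512] = b"\x55\xaa"                # boot sector signature
    return sec


def apply_markers(sec: bytearray) -> bytearray:
    """Write both markers as whole fields, so no stale bytes survive from a previous value."""
    sec[LABEL_OFFSET:LABEL_OFFSET + 11] = LABEL.ljust(11)
    sec[BOOTMARK_OFFSET:BOOTMARK_OFFSET + len(BOOTMARK)] = BOOTMARK
    return sec


def check_markers(sec: bytes) -> list:
    """Read the fields back and list everything that is not as expected (empty = OK)."""
    problems = []
    if len(sec) < SECTOR_SIZE:
        return ["sector image shorter than 512 bytes"]
    if sec[510:512] != b"\x55\xaa":
        problems.append("missing 0x55AA boot signature")
    if sec[0x36:0x3E].rstrip() != b"FAT16":
        problems.append("filesystem type field is %r; these offsets assume FAT16" % bytes(sec[0x36:0x3E]))
    label = bytes(sec[LABEL_OFFSET:LABEL_OFFSET + 11])
    if label != LABEL.ljust(11):
        problems.append("label at 0x2B is %r, expected %r" % (label, LABEL.ljust(11)))
    mark = bytes(sec[BOOTMARK_OFFSET:BOOTMARK_OFFSET + len(BOOTMARK)])
    if mark != BOOTMARK:
        problems.append("boot-code area at 0x40 holds %r, expected %r" % (mark, BOOTMARK))
    return problems


def check_file(path: str) -> list:
    """Check the first 512 bytes of a file, e.g. a sector copied off a card with dd."""
    with open(path, "rb") as f:
        return check_markers(f.read(SECTOR_SIZE))


if __name__ == "__main__":
    sec = make_sample_boot_sector()
    print("before:", check_markers(sec))
    apply_markers(sec)
    # Round-trip through a file, as one would with a dd copy of the real sector.
    with tempfile.NamedTemporaryFile(suffix=".bin", delete=False) as f:
        f.write(sec)
        path = f.name
    print("after:", check_file(path) or "markers OK")
```

To check a real card, copy the partition's first sector to a file with dd (bs=512 count=1, reading from the same device path used in step 5) and pass that file to check_file; nothing in this example writes to a block device.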


Re: Noob trying to dump 500D/T1i, need some input...
« Reply #4 on: 06 / October / 2009, 11:36:48 »
Very little progress...
I might have a valid PID though. lsusb gives me: VID: 04a9 PID: 31cf. Mighty similar to other recent cameras, so I'm guessing it is correct.

Edit: Also, the firmware update menu responds to a PS.FIR but not a PS.FI2 file (I used a renamed diskboot.bin, so haven't tried running anything this way).


/Andreas
« Last Edit: 06 / October / 2009, 14:27:33 by anwe79 »

Re: Noob trying to dump 500D/T1i, need some input...
« Reply #5 on: 06 / October / 2009, 14:31:03 »
As you can tell I'm talking to myself here. This is intentional, I use the thread to document what I've tried and any progress made. Please feel free to chime in though, I'm basically blindfolded right now and any pointers will probably help.

Hey wait a minute... This page on the wiki implies the camera is not a DryOS-camera since it doesn't respond to an fi2-file. Can this really be true? Seems unlikely...

/Andreas

reyalp
Re: Noob trying to dump 500D/T1i, need some input...
« Reply #6 on: 06 / October / 2009, 16:29:55 »
Quote
As you can tell I'm talking to myself here. This is intentional, I use the thread to document what I've tried and any progress made. Please feel free to chime in though, I'm basically blindfolded right now and any pointers will probably help.
No problem.
Quote
Hey wait a minute... This page on the wiki implies the camera is not a DryOS-camera since it doesn't respond to an fi2-file. Can this really be true? Seems unlikely...

/Andreas
DSLRs run very different code, even if they use the same OS. If you haven't already, I suggest you take a long look through the DSLR subforum, and possibly the magic lantern wiki http://magiclantern.wikia.com/wiki/Magic_Lantern_Firmware_Wiki

I basically ignore the DSLR stuff since I don't own one, so I can't offer any specific advice.
Don't forget what the H stands for.

Re: Noob trying to dump 500D/T1i, need some input...
« Reply #7 on: 06 / October / 2009, 18:20:26 »
Thanks for the input, I'll be sure to check up on Magic Lantern and the DSLR threads more tomorrow, right now I'm too tired and my head is full from reading the forum/wiki :).

Yep, I kinda figured DSLRs are different beasts altogether, I'll focus on Magic Lantern and 5d mark II, seems to be the most similar camera with progress made.

No real progress yet, but I stumbled on a version string embedded in a photo with hexedit: 1.0.9.4a(01), it seems to match well with what the camera reports. I also made a Wiki-page and updated the PID-list.

/Andreas


Re: Noob trying to dump 500D/T1i, need some input...
« Reply #8 on: 07 / October / 2009, 15:57:49 »
I'm working on dumping the firmware for the 7D and am in much the same position as you are with the 500D.  Since neither has had an official firmware update from Canon, we do not have pre-existing .fir files for analysis.  I've been able to determine the device id for the first quad word of the firmware file, but something else must be wrong since it rejects files that are acceptable to the 5D.  They might have changed the checksum algorithm or are perhaps looking for some values elsewhere in the header that we're not setting correctly.


Re: Noob trying to dump 500D/T1i, need some input...
« Reply #9 on: 07 / October / 2009, 16:57:45 »
Yes, I guess we're in the same boat, although you have some "mad skillz" that I lack. I'm in complete awe of Magic Lantern, I'll be happy if I can just make my camera hang in the boot process or, if I'm lucky, blink a led :).

I'm guessing there might be a boot flag similar to 450D that needs to be set in firmware before boot from SD is possible, so I'm giving up those tests now. (Tried FAT32 also, with adjusted offsets, no go. BTW, why are there 2 blank bytes in the "Operating system boot code" area before "BOOTDISK"?)

Right now I'm installing "EOS utility" in QEMU and trying USB passthrough. I figured I may as well snoop the USB a little as I wasn't getting anywhere with the card. I need to read up on USB first though...

I have not tried loading anything via firmware update yet, in fear of bricking. As I understand "firmware update" really only loads a flasher embedded in the .fir that does the actual flashing. Is there a dummy .fir somewhere that would be safe to play with? I haven't set up a build environment yet, maybe now is the time. I have somewhat of a learning curve to climb here, my C knowledge is mighty rusty, and I've only done ASM on a 6809...

PS Hudson; how did you "guess" the device ID for the firmware? I noticed you mentioned trial and error, care to elaborate? Does it have any connection with model # or P-ID?

Sorry for the barrage of questions, I'm basically thinking out loud :-[.

/Andreas
