PowerShot SX210 IS - Porting Thread


Offline ccheney

  • 6
  • SX210IS
Re: PowerShot SX210 IS - Porting Thread
« Reply #10 on: 07 / May / 2010, 13:50:13 »
How were dancingbits 2/3 found, was it via the other FI2 method referenced? They appear to only be used on cameras that don't have firmware updates available either.


Offline ewavr

  • 1057
  • A710IS
Re: PowerShot SX210 IS - Porting Thread
« Reply #11 on: 07 / May / 2010, 13:58:34 »
If one could change the file remotely it would greatly speed up the brute force.
To a locked card? It's impossible, IMHO.
BTW, transferring of diskboot.bin via USB works at least for VxWorks cameras (with Vitaly's libptp patch).


Offline ccheney

  • 6
  • SX210IS
Re: PowerShot SX210 IS - Porting Thread
« Reply #12 on: 07 / May / 2010, 14:29:25 »
I've tried some brute force based on prior dancing bit "patterns".  To date no success since it takes a bit of time for each attempt.  My first subset is 250 files in size.  :( 

I've contemplated trying to find an alternate vector but I don't know where to begin really.  If it was plausible (i.e. someone had the method of trying) I would either connect the ARM debug pins to something or try to read the eeprom directly.  I don't know how to do either of these possibilities.

I'm wondering if one could speed up the brute force by using an eye-fi card but as I don't have one I don't know yet.  If one could change the file remotely it would greatly speed up the brute force.  After all, it's only 8 factorial.  LOL - 40k plus tries.
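As an added illustration (not code from this thread or from CHDK), the following shows why 8 factorial is a negligible key space for a per-byte bit permutation, and how a known-plaintext consistency check over constructed sample bytes prunes the candidates; SAMPLE_KEY is an invented permutation, not any camera's real dancing-bits table. What actually dominates the cost in this thread is the lack of a cheap signal of whether a candidate worked, not the key space.

```python
"""Size of the 'dancing bits' key space and how a known-plaintext check
shrinks it. Added illustration, not CHDK or Canon code; SAMPLE_KEY is a
constructed permutation, not any camera's real dancing-bits table."""
from itertools import permutations
from math import factorial

# A key is a tuple p where output bit i is taken from input bit p[i].
SAMPLE_KEY = (5, 0, 7, 2, 6, 1, 4, 3)  # constructed for this example


def permute_byte(b, key):
    """Apply the bit permutation `key` to one byte."""
    out = 0
    for i, src in enumerate(key):
        out |= ((b >> src) & 1) << i
    return out


def invert_key(key):
    """Return the permutation that undoes `key`."""
    inv = [0] * 8
    for i, src in enumerate(key):
        inv[src] = i
    return tuple(inv)


def transform(data, key):
    """Scramble (or, with the inverse key, unscramble) every byte."""
    return bytes(permute_byte(b, key) for b in data)


def keyspace_size():
    """Every key is one ordering of 8 bit positions: 8! = 40320."""
    return factorial(8)


def surviving_keys(known_pairs):
    """Candidate keys consistent with all (plain_byte, scrambled_byte) pairs.

    An offline consistency check: each pair that pins down a new bit
    position divides the remaining candidates by the number of positions
    still unassigned, so a few known bytes leave only a handful of keys."""
    return [k for k in permutations(range(8))
            if all(permute_byte(p, k) == c for p, c in known_pairs)]


if __name__ == "__main__":
    plain = bytes([0x01, 0x02, 0x04])             # constructed sample bytes
    scrambled = transform(plain, SAMPLE_KEY)      # b'\x02\x20\x08'
    pairs = list(zip(plain, scrambled))
    print(keyspace_size(), len(surviving_keys(pairs)))   # 40320 120
```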


Harpo


Entertaining the brute force method, at 40K it's not inconceivable to find it, do we have any super simple test we could do with it to verify the dancingbits pattern works? Cutting the time needed per test down to the absolute minimum while still having some way to verify if it worked would be ideal. As I understand even with the proper dancingbits udumper sometimes won't work due to issues with finding the function, so that seems to not be a reliable way to find the new pattern.


Offline asm1989

  • 527
  • SX720, SX260, SX210 & SX200
Re: PowerShot SX210 IS - Porting Thread
« Reply #13 on: 07 / May / 2010, 15:06:54 »
If we proceed with the brute force option, we can spread it over several owners to save time.

Can't we read the bits directly from the chip, using some kind of electronic custom built device?


Re: PowerShot SX210 IS - Porting Thread
« Reply #14 on: 07 / May / 2010, 17:25:02 »
@ewavr - Ahhh yes a locked card.  Forgot about that. 

As for the brute force there are several issues (at least).  #1 is the simple fact that you don't know if it's running or crashed.  LOL   So you need to do something that is simple and doesn't crash in the case where it is actually running.  So what I do is try to turn on LEDs in the C022xxxx range.  This assumption is large as maybe C022xxxx does not have LEDs assigned to it.  Also, maybe the first 0x44 I find is not valid if turned to 0x46.   etc. etc. etc.

So even if we run a full brute force we could find nothing.  :(
Canon Models - SD300, SD780, & SX210


Offline reyalp

  • 10913
Re: PowerShot SX210 IS - Porting Thread
« Reply #15 on: 07 / May / 2010, 19:33:54 »
How were dancingbits 2/3 found, was it via the other FI2 method referenced? They appear to only be used on cameras that don't have firmware updates available either.
Yes, they were found after dumps had already been obtained. I'm not sure if the FI2 was originally figured out from a firmware dump (via diskboot) or reverse engineering a firmware update.

As mentioned, public firmware updates from canon are quite rare, so we may be at the end of new ports for a while.

Can't we read the bits directly from the chip, using some kind of electronic custom built device?
I believe the internal flash is on the same IC as the CPU. See http://techon.nikkeibp.co.jp/english/NEWS_EN/20090218/165866/

If there is a debug interface (JTAG?) available, you might be able to read it. Otherwise, recovering that data is likely out of reach unless you have a very well equipped lab.

I've contemplated trying to find an alternate vector but I don't know where to begin really.
The most obvious candidate to me would be file parsing. The camera reads various headers and data from jpegs, videos, wavs etc. PTP would be another option.
« Last Edit: 07 / May / 2010, 19:42:53 by reyalp »
Don't forget what the H stands for.

Re: PowerShot SX210 IS - Porting Thread
« Reply #16 on: 08 / May / 2010, 00:04:15 »
I've tried to make PTP read arbitrary areas of memory with handles that are invalid for jpgs.  No luck so far. 
Canon Models - SD300, SD780, & SX210


Offline asm1989

  • 527
  • SX720, SX260, SX210 & SX200
Re: PowerShot SX210 IS - Porting Thread
« Reply #17 on: 08 / May / 2010, 02:27:09 »
reyalp, how can we start file parsing?

Maybe a cross-camera project with all the 2010 model owners can do the trick.



Offline reyalp

  • 10913
Re: PowerShot SX210 IS - Porting Thread
« Reply #18 on: 08 / May / 2010, 17:29:03 »
reyalp, how can we start file parsing?
- Get firmware dumps from one or more cameras assumed to be similar to the one you are trying to hack.
- Find the code that deals with different files, like reading the exif for playback mode information, movie metadata, direct print stuff etc.
- Find bugs in that code that allow you to overwrite a function pointer or return address.
Don't forget what the H stands for.


Offline asm1989

  • 527
  • SX720, SX260, SX210 & SX200
Re: PowerShot SX210 IS - Porting Thread
« Reply #19 on: 09 / May / 2010, 12:37:03 »
Maybe the SX200 is the closest camera, but not in the timeline.
