PowerShot SX210 IS - Porting Thread


whoever
Re: PowerShot SX210 IS - Porting Thread
« Reply #60 on: 02 / July / 2010, 04:02:18 »
Quote
Overwriting function pointers, well, you'd still have to know the address of the functions, which is pretty much guaranteed not to be in the same place as on a different camera.
Well, such techniques usually aim at executing one's own code, stored in that same file whose handling by the OS is exploited, such as in the well-known MSWin JPEG buffer overflow exploit. Wikipedia has a nice overview article, Buffer overflow, for beginners. Of course it is non-trivial, an art in itself. You are right, even being able to, say, flood the stack with a pointer, you still have to find a way to point it to something useful.


reyalp
« Reply #61 on: 02 / July / 2010, 12:21:53 »
Quote
Of course it is non-trivial, an art in itself. You are right, even being able to, say, flood the stack with a pointer, you still have to find a way to point it to something useful.
Of course, finding something you can overwrite is only the start. My 3-line instruction quoted above was not intended to be a complete manual!

It will be difficult to do blind, without having the actual target firmware to examine, but not necessarily impossible. Examining existing firmwares may get you close enough that brute force is possible. In some cases, you can increase your odds (e.g. NOP sled).
Don't forget what the H stands for.
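The NOP sled mentioned above raises the odds of a blind guess only within a limit that matters on ARM: the guessed return address has to be word-aligned as well as inside the sled, because ARM-mode instructions have no odd-offset boundaries the way an x86 byte sled does. The following is an added example, not CHDK code and not anything posted in this thread; the sled base, the address window, and the two-word stub are made-up values chosen for illustration.

```c
/* Added example, not CHDK code: lay out an ARM-mode NOP sled in front of a
 * stub and measure how often a guessed return address would land on it.
 * All addresses and the stub are made up for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define ARM_NOP 0xE1A00000u   /* "mov r0, r0": the usual ARM-mode no-op */

/* Store a 32-bit word little-endian, as the camera's ARM core fetches it,
 * independent of the host's byte order. */
static void put_le32(uint8_t *p, uint32_t w)
{
    p[0] = (uint8_t)w;         p[1] = (uint8_t)(w >> 8);
    p[2] = (uint8_t)(w >> 16); p[3] = (uint8_t)(w >> 24);
}

uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Write sled_words NOPs followed by the stub into buf.  Returns the number of
 * bytes written, or 0 if buf cannot hold them. */
size_t build_sled(uint8_t *buf, size_t cap, size_t sled_words,
                  const uint32_t *stub, size_t stub_words)
{
    size_t need = (sled_words + stub_words) * 4;
    if (need > cap) return 0;
    for (size_t i = 0; i < sled_words; i++) put_le32(buf + 4 * i, ARM_NOP);
    for (size_t k = 0; k < stub_words; k++) put_le32(buf + 4 * (sled_words + k), stub[k]);
    return need;
}

/* A guess only helps if it is word-aligned (ARM mode, no Thumb here) and
 * falls inside the sled; an unaligned guess faults or decodes garbage. */
int sled_hit(uint32_t sled_base, size_t sled_words, uint32_t guess)
{
    if (guess & 3u) return 0;
    return guess >= sled_base && guess < sled_base + 4u * (uint32_t)sled_words;
}

/* Brute-force model: try every word-aligned address in [lo, hi) and report
 * the fraction that hit.  A longer sled raises it; alignment caps it. */
double hit_ratio(uint32_t sled_base, size_t sled_words, uint32_t lo, uint32_t hi)
{
    unsigned tries = 0, hits = 0;
    for (uint32_t a = lo & ~3u; a < hi; a += 4) {
        tries++;
        if (sled_hit(sled_base, sled_words, a)) hits++;
    }
    return tries ? (double)hits / tries : 0.0;
}

/* Build a small sled and confirm the words read back as NOPs, then the stub. */
int sled_layout_ok(void)
{
    uint8_t buf[64];
    const uint32_t stub[] = { 0xE3A00001u };  /* mov r0, #1: placeholder, not real shellcode */
    size_t n = build_sled(buf, sizeof buf, 8, stub, 1);
    if (n != 36) return 0;
    for (size_t i = 0; i < 8; i++)
        if (get_le32(buf + 4 * i) != ARM_NOP) return 0;
    return get_le32(buf + 32) == 0xE3A00001u;
}

int main(void)
{
    /* Assumed: the sled is known to sit at 0x1000 on one firmware, and the
     * candidate window on another firmware is 0x0F00..0x1200. */
    printf("layout ok: %d\n", sled_layout_ok());
    printf("hit ratio over window: %.3f\n", hit_ratio(0x1000, 64, 0x0F00, 0x1200));
    return 0;
}
```

With a 64-word (256-byte) sled and a 768-byte window of candidate addresses, one guess in three lands on the sled; halving the window or doubling the sled changes the ratio proportionally, while any unaligned guess never counts.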


RaduP
« Reply #62 on: 03 / July / 2010, 21:11:52 »
I think the easiest (but still pretty hard) method is for someone to figure out from an existing firmware how the basic script can be executed.
With poke and peek it should be pretty easy to blink the firmware, so long as they work.


reyalp
« Reply #63 on: 03 / July / 2010, 21:29:01 »
Quote
I think the easiest (but still pretty hard) method is for someone to figure out from an existing firmware how the basic script can be executed.
With poke and peek it should be pretty easy to blink the firmware, so long as they work.
That would definitely be better, if it's possible. But I think not. Looking at D10, I'm quite certain scripts are encoded with the same functions as a diskboot (the earlier statement that unencoded scripts could be run is not necessarily wrong; old cameras allowed unencoded diskboot as well).

From D10
sub_FF86B7D0 is the diskboot decode function. It is called by
sub_FF82905C <- loads diskboot or upgrader.bin
sub_FF93C654 <- something related to additionagent, indirectly from LoadScript eventproc and some other places
sub_FFA0EAC0 <- FAEXE from USB (Factory Adjustment IMO)
sub_FFA0EB64 <- FAEXE from SD

edit: correct FAEXE USB address
« Last Edit: 03 / July / 2010, 21:38:10 by reyalp »
Don't forget what the H stands for.
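The post above argues that scripts go through the same decode routine as diskboot. The block below is an added example, not CHDK's or Canon's code and not the D10 routine named above: a per-byte bit-permutation codec of the same general shape as the "dancing bits" encoding CHDK's build tools apply to DISKBOOT.BIN. The table PERM and the sample text are placeholders, not any camera's table or any real script syntax. It shows the encode/decode round trip a loader expects, and what that same decoder makes of a plain ASCII file that was never encoded.

```c
/* Added example, not CHDK or Canon code: a per-byte bit-permutation codec of
 * the same shape as the "dancing bits" encoding used for DISKBOOT.BIN.
 * PERM is a made-up placeholder, not any camera's real table. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* PERM[j] = which input bit lands in output bit j (hypothetical table). */
static const uint8_t PERM[8] = {5, 1, 3, 0, 4, 6, 7, 2};

/* Move the bits of one byte according to table p. */
static uint8_t permute_byte(uint8_t c, const uint8_t *p)
{
    uint8_t out = 0;
    for (int j = 0; j < 8; j++)
        if (c & (1u << p[j])) out |= (uint8_t)(1u << j);
    return out;
}

/* Inverse table: if p moves source bit s to position j, inv moves j back to s,
 * so decoding is the same routine with the inverse table. */
static void invert_perm(const uint8_t *p, uint8_t *inv)
{
    for (int j = 0; j < 8; j++) inv[p[j]] = (uint8_t)j;
}

uint8_t db_encode_byte(uint8_t c) { return permute_byte(c, PERM); }

uint8_t db_decode_byte(uint8_t c)
{
    uint8_t inv[8];
    invert_perm(PERM, inv);
    return permute_byte(c, inv);
}

/* In-place encode (what a build tool does) and decode (what a loader does). */
void db_encode(uint8_t *buf, size_t n) { for (size_t i = 0; i < n; i++) buf[i] = db_encode_byte(buf[i]); }
void db_decode(uint8_t *buf, size_t n) { for (size_t i = 0; i < n; i++) buf[i] = db_decode_byte(buf[i]); }

/* Bytes in the printable ASCII range 0x20..0x7E. */
size_t printable_count(const uint8_t *buf, size_t n)
{
    size_t k = 0;
    for (size_t i = 0; i < n; i++)
        if (buf[i] >= 0x20 && buf[i] <= 0x7E) k++;
    return k;
}

/* What a loader that always decodes makes of an unencoded text file:
 * decode the raw bytes and count what still looks like text. */
size_t printable_after_decode(const uint8_t *in, size_t n)
{
    uint8_t tmp[256];
    if (n > sizeof tmp) n = sizeof tmp;
    memcpy(tmp, in, n);
    db_decode(tmp, n);
    return printable_count(tmp, n);
}

/* Encode then decode must return the original bytes exactly. */
int roundtrip_ok(const uint8_t *in, size_t n)
{
    uint8_t tmp[256];
    if (n > sizeof tmp) return 0;
    memcpy(tmp, in, n);
    db_encode(tmp, n);
    db_decode(tmp, n);
    return memcmp(tmp, in, n) == 0;
}

int main(void)
{
    /* Constructed sample text; the real script syntax is unknown on this page. */
    static const uint8_t script[] = "LOOP TEST\n";
    size_t n = sizeof script - 1;
    printf("round trip ok: %d\n", roundtrip_ok(script, n));
    printf("printable bytes if fed unencoded: %zu of %zu\n",
           printable_after_decode(script, n), n);
    return 0;
}
```

With this placeholder table, decoding moves input bit 6 into bit 7, so every ASCII letter in a file that was never encoded comes out of the loader as a byte above 0x7F; a decoder of this kind turns an unencoded text file into bytes that no script parser would accept, which is one reason an accepted-but-inert plain file and an encoded one can behave differently.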



RaduP
« Reply #64 on: 03 / July / 2010, 21:40:08 »
A while ago, when playing with my SD980, I tried to look into the basic script thingy. I remember someone mentioning playing with it before, and it is NOT encrypted. The idea is, the camera will accept a semantically correct script (plain ASCII, so unencrypted) but will not do anything with it. This was tested with infinite loops.
On invalid scripts, the camera will shut down. I was able to reproduce those results.

So probably we need a main() thing in the script, but by just doing an ascii search in the firmware, I was unable to find anything that would resemble a literal entry point function.

« Reply #65 on: 04 / July / 2010, 02:06:47 »
Quote
The idea is, the camera will accept a semantically correct script (plain ASCII, so unencrypted) but will not do anything with it. This was tested with infinite loops.

So where can I find information about the "script"?
I think the encryption should be obvious from the firmware disassembly right? What about the syntax?


reyalp
« Reply #66 on: 04 / July / 2010, 02:57:56 »
Quote
So where can I find information about the "script"?
Read the previous posts in this thread, including links. Starting around http://chdk.setepontos.com/index.php/topic,5045.msg50871.html#msg50871
Quote
I think the encryption should be obvious from the firmware disassembly right? What about the syntax?
Whether the script must be encoded is not obvious to me from the disassembly. Both encoded and unencoded appear to be possibilities in LoadScript, but it's not immediately clear to me where each case applies in what circumstances. It's not as simple as checking if the first byte of the file is a NULL (suggested earlier in the thread).

I would expect Canon to require encoded scripts unless some kind of development flag (only settable from FA mode or an already running script) was already set; otherwise there appears to be no point in allowing encoded scripts at all (edit: but it could be buggy/incomplete/whatever).

I'm not convinced that the "infinite loop" actually represents successfully running a script.

edit:
The syntax should theoretically be determinable from disassembly, but again, not obvious.
« Last Edit: 04 / July / 2010, 02:59:48 by reyalp »
Don't forget what the H stands for.


RaduP
« Reply #67 on: 04 / July / 2010, 04:01:12 »
Actually I think the test was done with a very long loop, not infinite. I don't remember the exact details, but with long loops it should be possible to tell if a script is executed or not.
Also, you could probably use the poke instruction to turn on LEDs.


« Reply #68 on: 04 / July / 2010, 17:32:29 »
What is your ETA on the completion of the SX210 firmware?
Thanks!


reyalp
« Reply #69 on: 04 / July / 2010, 18:27:48 »
Quote
What is your ETA on the completion of the SX210 firmware?
Thanks!
I'm glad you asked, because I can give you a precise answer, in interval notation: (now,never]

If that doesn't make sense, read the thread.
Don't forget what the H stands for.
