sd200/ixus30 - page 2 - Firmware Dumping - CHDK Forum

sd200/ixus30

  • 60 Replies
  • 38725 Views
*

Offline GrAnd

  • ****
  • 916
  • [A610, S3IS]
    • CHDK
Re: sd200/ixus30
« Reply #10 on: 15 / February / 2008, 12:24:56 »
Advertisements
And, should I care about these sync errors, when I get data like that data I attached?
You should care only about that errors if they are not in the beginning or end of the file.
In your example they are ok, because the adc.exe tries to find the position to start from.

One more notice: dec.exe can be used for incremental decoding. For example, if you have two dumps, decoded by adc.exe, and dec.exe find some errors (fails) in both of them, but the failed blocks are not overlapped, you can get the complete dump without errors. Just do not erase output 'dump.dat' file between dec.exe executions.
For example, you have three dumps.
The sequience:
delete dump.dat
adc.exe dump1
dec.exe
adc.exe dump2
dec.exe
adc.exe dump3
dec.exe
« Last Edit: 15 / February / 2008, 12:27:44 by GrAnd »
CHDK Developer.

*

Offline GrAnd

  • ****
  • 916
  • [A610, S3IS]
    • CHDK
Re: sd200/ixus30
« Reply #11 on: 15 / February / 2008, 12:50:54 »
I have the improved adc which allows doing some extra analysis.

1st stage:  adc2 -a1 [max_size] <input_file>
It will print the number of samples of each signal strength. The optional argument 'max_size' is used to limit the file size for analysis (in MB). It would help to adjust min and max thresholds. For example:
Code: [Select]
> adc2.exe -a1 1.raw
    0: 0
    1: 0
    2: 0
    3: 0
    4: 0
    5: 0
    6: 198
    7: 4751
    8: 14859
    9: 24097
   10: 32386
   11: 39814
   12: 44342
   13: 45606
   14: 51481
   15: 68749
   16: 121703
   17: 191836
   18: 190769
   19: 166851
   20: 150514
   21: 142934
   22: 146066
   23: 156593
   24: 214309
   25: 286036
   26: 532731
   27: 517075
   28: 497329
   29: 576330
   30: 394013
   31: 282401
   32: 229455
   33: 190051
   34: 151647
   35: 100002
   36: 68045
   37: 47113
   38: 33273
   39: 25804
   40: 21194
   41: 18570
   42: 16869
   43: 15970
   44: 15682
   45: 15273
   46: 14888
   47: 14778
   48: 14353
   49: 14188
   50: 14085
   51: 13791
   52: 13714
   53: 13367
   54: 13248
   55: 13016
   56: 13014
   57: 12754
   58: 12542
   59: 12567
   60: 12393
   61: 12203
   62: 12023
   63: 12133
   64: 11977
   65: 12057
   66: 11711
   67: 11606
   68: 11564
   69: 11525
   70: 11590
   71: 11319
   72: 11346
   73: 10988
   74: 11198
   75: 11123
   76: 11027
   77: 10797
   78: 10931
   79: 10781
   80: 10551
   81: 10722
   82: 10883
   83: 10881
   84: 10517
   85: 10596
   86: 10459
   87: 10497
   88: 10595
   89: 10425
   90: 10281
   91: 10183
   92: 10208
   93: 10276
   94: 10213
   95: 10075
   96: 10079
   97: 9950
   98: 10220
   99: 10154
  100: 10031
  101: 10261
  102: 10103
  103: 10043
  104: 9886
  105: 10099
  106: 9915
  107: 10015
  108: 9900
  109: 9844
  110: 9787
  111: 10016
  112: 10082
  113: 9906
  114: 9909
  115: 9843
  116: 9878
  117: 9960
  118: 9890
  119: 10037
  120: 9818
  121: 9945
  122: 10005
  123: 10097
  124: 10028
  125: 9876
  126: 9969
  127: 166386
  128: 195067
  129: 9972
  130: 9965
  131: 10068
  132: 10099
  133: 10043
  134: 10212
  135: 10202
  136: 10120
  137: 9941
  138: 10072
  139: 10018
  140: 10178
  141: 10160
  142: 10340
  143: 10199
  144: 10412
  145: 10412
  146: 10439
  147: 10542
  148: 10538
  149: 10637
  150: 10583
  151: 10583
  152: 10767
  153: 10736
  154: 10858
  155: 10821
  156: 11050
  157: 11006
  158: 11122
  159: 10993
  160: 11228
  161: 11293
  162: 11324
  163: 11305
  164: 11525
  165: 11458
  166: 11724
  167: 11790
  168: 11942
  169: 11718
  170: 11825
  171: 12035
  172: 12220
  173: 12406
  174: 12600
  175: 12488
  176: 12557
  177: 12805
  178: 13076
  179: 13031
  180: 13183
  181: 13440
  182: 13832
  183: 13739
  184: 13951
  185: 14236
  186: 14472
  187: 14733
  188: 15069
  189: 15664
  190: 18112
  191: 21870
  192: 30577
  193: 49281
  194: 80825
  195: 133568
  196: 208252
  197: 280467
  198: 324892
  199: 330627
  200: 326093
  201: 324810
  202: 310248
  203: 306909
  204: 304287
  205: 318069
  206: 333890
  207: 354548
  208: 379937
  209: 396179
  210: 391294
  211: 367079
  212: 334519
  213: 303331
  214: 268526
  215: 237454
  216: 205555
  217: 179177
  218: 148647
  219: 119117
  220: 90832
  221: 66900
  222: 47547
  223: 31665
  224: 20205
  225: 12280
  226: 6748
  227: 3151
  228: 1347
  229: 532
  230: 228
  231: 110
  232: 34
  233: 19
  234: 19
  235: 13
  236: 11
  237: 8
  238: 11
  239: 6
  240: 4
  241: 2
  242: 0
  243: 0
  244: 0
  245: 0
  246: 0
  247: 0
  248: 0
  249: 0
  250: 0
  251: 0
  252: 0
  253: 0
  254: 0
  255: 0
As you can see the numbers of samples are growing from <40 and >190. But you should add some gap, let say 10 levels. So, thresholds will be 50 and 180.


2nd stage:  adc2 -a2 <min_threshold> <max_threshold> [max_size] <input_file>
Specify the thresholds calculated in the previous stage. It will print numbers of sequences with each lengths:
Code: [Select]
> adc2.exe -a2 50 180 1.raw
space / sync:
    1: 2
    2: 1
    3: 2
    5: 4
    6: 140015
    7: 524537
    8: 154
   14: 2
   16: 1
   18: 1
   19: 1
   24: 1
   27: 1
   32: 1
   34: 36904
   35: 57962
   36: 1
  175: 75
  176: 13

bit0 / bit1:
    2: 4
    3: 3
    4: 1
    5: 329513
    6: 154952
    7: 7
   10: 1
   11: 304
   12: 239396
   13: 35501
   14: 2
   19: 1
I.e., from the example above, there was 524537 sequences with length 7 for space/sync signals. In the ideal case you should get two peaks delimited by set of zeros in each group.
Let see at the bit0/bit1 group. From the data it seems that bit0 length does not exceed the 7. And bit1 length starts from 10. So, they can be separated. In general, the bit0 and space lengths can be set to 1 and then fine-tuned if there are errors while recognition. The sync and bit1 lengths should be the smallest values from the second groups.


3rd stage:  adc2 -d  <min_threshold> <max_threshold> <len_space> <len_sync> <len_0> <len_1> <input_file> <output_file>
Specify the parameters calculated in the previous stages.
Code: [Select]
> adc.exe -d 50 180 1 24 1 10 1.raw dump
« Last Edit: 15 / February / 2008, 12:52:41 by GrAnd »
CHDK Developer.

*

Offline jetzt

  • ****
  • 316
  • [A710IS,(SD200)]
Re: sd200/ixus30
« Reply #12 on: 15 / February / 2008, 15:22:34 »
Thanks very much, tryed to at another pc, (in the cellar) just to get the right hacking feel.
NO, just to make sure not to destroy my notebooks soundcard, so I didn't try things of your last post.
BUT:
I have found a link to some files(read somewhere here that we only share links we found on the net):
raw audio(lol) of about 366 MB (couldn't find a link) edit: total procedure had a duration of a bout 2h 10 min, I arrived only 5 mins too late. If it is complete 2,3h wasn't too far away.
something called dump_7_sd200.zip - 0.92MB
which contains about 2MB of Data and a log of dec.exe
--> only last one is corrupted
I don't know if the camera of the one who did the dump switched of because of low voltage or just because everything was finished, but as the last one is a corrupted one it is not as fine as I thought.
So now let's read your last post completely. ;)
« Last Edit: 15 / February / 2008, 15:28:29 by jetzt »

*

Offline GrAnd

  • ****
  • 916
  • [A610, S3IS]
    • CHDK
Re: sd200/ixus30
« Reply #13 on: 15 / February / 2008, 15:42:12 »
something called dump_7_sd200.zip - 0.92MB
which contains about 2MB of Data and a log of dec.exe
--> only last one is corrupted
So, you can start your dump from the address of last block (0xffa12000)of that file. And then concatenate two dumps.
Or you can completely dump your own firmware and then compare it with that one.
CHDK Developer.


*

Offline jetzt

  • ****
  • 316
  • [A710IS,(SD200)]
Re: sd200/ixus30
« Reply #14 on: 15 / February / 2008, 15:50:14 »
So the camera was off because of too low voltage?

*

Offline GrAnd

  • ****
  • 916
  • [A610, S3IS]
    • CHDK
Re: sd200/ixus30
« Reply #15 on: 15 / February / 2008, 15:58:53 »
So the camera was off because of too low voltage?
Perhaps.
CHDK Developer.

*

Offline jetzt

  • ****
  • 316
  • [A710IS,(SD200)]
Re: sd200/ixus30
« Reply #16 on: 15 / February / 2008, 16:09:11 »
Started again, but with 0xffa11c00 as start address, blinks now again.
Perhaps I shall have recharged batteries first, but ... let's see.

*

Offline jetzt

  • ****
  • 316
  • [A710IS,(SD200)]
Re: sd200/ixus30
« Reply #17 on: 15 / February / 2008, 16:34:24 »
Went off after 3mins again, so I have to finish for today.

merged 7 with this short 8 so I have it till 0xffa1ac00
« Last Edit: 15 / February / 2008, 16:46:50 by jetzt »


*

Offline jetzt

  • ****
  • 316
  • [A710IS,(SD200)]
Re: sd200/ixus30
« Reply #18 on: 16 / February / 2008, 05:39:52 »
I've done it now till 0xffb40000 and result is 3264 KB small/big.
But, there is something else: From 0xffae6000 on I only get FFFF in hex viewer or CRC in dec.log of 6440.

*

Offline GrAnd

  • ****
  • 916
  • [A610, S3IS]
    • CHDK
Re: sd200/ixus30
« Reply #19 on: 16 / February / 2008, 05:50:17 »
From 0xffae6000 on I only get FFFF in hex viewer or CRC in dec.log of 6440.
That's ok. The firmware size is usually about 3MB. (You should see the string "r0 r1 r2 r3 r4 r5 r6 r7 ..." near the end.)
So, can I look at the dump (if there was no error in decoding)?
« Last Edit: 16 / February / 2008, 05:53:47 by GrAnd »
CHDK Developer.

 

Related Topics


SimplePortal 2.3.6 © 2008-2014, SimplePortal