Problems with dumping A1100 IS 1.00A firmware - Firmware Dumping - CHDK Forum
« previous next »
Pages: [1]   Go Down

Problems with dumping A1100 IS 1.00A firmware

  • 6 Replies
  • 5826 Views
*

Offline Timich

  • *
  • 17
Problems with dumping A1100 IS 1.00A firmware
« on: 05 / July / 2010, 02:34:50 »
Advertisements
I have A1100 IS camera with 1.00A firmare and current chdk version based on 1.00C doesn't support it, so I decided to get 1.00A firmware.

Udumper method didn't work (empty.dum file remains empty).

I tried to find LED adresses using code taken from here: http://forums.dpreview.com/forums/read.asp?forum=1010&message=24988142

I successfully built blinker application and put it (diskboot.bin) on a locked SD Card. I started the camera by pressing "play" button and got nothing. It hanged and after ~1 hour of waiting it's LEDs didn't light up.

Then I encoded the blinker using 31C3 PID and placed PS.FI2 on a unlocked card. When I started the camera in play mode, firmware update option appeared in menu. After selecting, it gave me an option to update firmware from 1.0.0.0 to 1.0.0.0 version (no messages about File load error, so encoding was correct). When I pressed OK, camera hanged again - the screen became dark and after ~1 hour LEDs didn't light up again.

I also tried precompiled blinker from here - http://chdk.setepontos.com/index.php/topic,17.msg2038.html#msg2038 with the same negative result.

So, what is the problem - incorrect LED addresses range in blinker code or something else?
Logged
*

Offline reyalp

  • ******
  • 14080
Re: Problems with dumping A1100 IS 1.00A firmware
« Reply #1 on: 05 / July / 2010, 02:45:51 »
The LED addresses will be the same for a given model, so you can get the correct ones from the already ported versions.

You don't need to wait for an hour, even a few minutes should be plenty.

If your build environment isn't set up right, you can produce code that just crashes.

For diskboot, if it's below some minimum size, it may just crash without actually running the code. Padding it to 10kb resolves this in my experience.

Since other firmwares of this model have been dumped, you should be able to make a modified udumper that works. Err99s code here http://chdk.setepontos.com/index.php/topic,17.msg47908.html#msg47908 should be a starting point.
Logged
Don't forget what the H stands for.
*

Offline Timich

  • *
  • 17
Re: Problems with dumping A1100 IS 1.00A firmware
« Reply #2 on: 09 / July / 2010, 04:05:44 »
Thanks for information... I thought that cameras with 1.00a firmware have slightly different hardware configuration (and that's why 1.00C-based chdk doesn't work) and so, may have different LED addresses.

"by-grand-blinker" with known LED addresses seems to work fine (I can see some very quick random blinking), so the only thing I need is to find a photodiode. Can it be replaced by a small solar battery from a calculator? Autofocus LED is very bright, it may generate enough power in the battery to be detected by soundcard mic-in. The only question - will the battery be able to "react" quickly.)

I also  tried to disassemble an old mouse, but it's photodiodes seems to work with infrared only (black casing).

As for modified udumper, ERR99s code, where I replaced 0xFF810000 with 0xFFC00000 for A-series, didn't work. Tried different amount of function parameters - no luck.


ERR99 writes:

Quote
After i analysing some dumps of other cameras, i find out that allmost allways a pointer to the SD-CARD write function is below of the "BOOTDISK" string in flash. In most cases it is the second flash address (in one dump i checked, it was the first one, but for the G11 it was allways the second).

I think that "second flash address" means the following - There are several "BOOTDISK" strings in flash - write function is located below the second "BOOTDISK" string

For example, I loaded G11 1.00l firmare into IDA and found several "BOOTDISK" strings.

ROM:FF86F090 sub_FF86EE64 ADR     R1, aBootdisk   ; "BOOTDISK"           
ROM:FF86F360              aBootdisk DCB "BOOTDISK",0                     
ROM:FF86FB98 sub_FF86FB80 ADR     R2, aBootdisk   ; "BOOTDISK" 

So, the pointer is somewhere below ROM:FF86F360              aBootdisk DCB "BOOTDISK",0           

I looked at this part of rom and found:

Code: [Select]
ROM:FF86F360 aBootdisk       DCB "BOOTDISK",0        ; DATA XREF: sub_FF86EE64+22Co
ROM:FF86F360                                         ; sub_FF86FB80+18o
ROM:FF86F369                 DCB    0
ROM:FF86F36A                 DCB    0
ROM:FF86F36B                 DCB    0
ROM:FF86F36C aScript         DCB "SCRIPT",0          ; DATA XREF: sub_FF86EE64+248o
ROM:FF86F36C                                         ; sub_FF86FBAC+18o
ROM:FF86F373                 DCB    0
ROM:FF86F374 dword_FF86F374  DCD 0x4D2               ; DATA XREF: sub_FF86F0CC+34r
ROM:FF86F378 unk_FF86F378    DCB 0x4D ; M            ; DATA XREF: sub_FF86F0CC+3Co
ROM:FF86F378                                         ; sub_FF86F1DC+15Co ...
ROM:FF86F379                 DCB 0x6F ; o
ROM:FF86F37A                 DCB 0x75 ; u
ROM:FF86F37B                 DCB 0x6E ; n
ROM:FF86F37C                 DCB 0x74 ; t
ROM:FF86F37D                 DCB 0x65 ; e
ROM:FF86F37E                 DCB 0x72 ; r
ROM:FF86F37F                 DCB 0x2E ; .
ROM:FF86F380                 DCB 0x63 ; c
ROM:FF86F381                 DCB    0
ROM:FF86F382                 DCB    0
ROM:FF86F383                 DCB    0
ROM:FF86F384 off_FF86F384    DCD sub_FF94B61C        ; DATA XREF: sub_FF86F0CC+54r
ROM:FF86F388 off_FF86F388    DCD sub_FF94B804        ; DATA XREF: sub_FF86F0CC+60r
ROM:FF86F38C off_FF86F38C    DCD sub_FF94B504        ; DATA XREF: sub_FF86F0CC+6Cr
ROM:FF86F390 off_FF86F390    DCD unk_FF94BBD8        ; DATA XREF: sub_FF86F0CC+7Cr
ROM:FF86F394 off_FF86F394    DCD sub_FF94BC48        ; DATA XREF: sub_FF86F0CC+84r
ROM:FF86F398 dword_FF86F398  DCD 0x568               ; DATA XREF: sub_FF86F1DC:loc_FF86F334r
ROM:FF86F39C
ROM:FF86F39C ; =============== S U B R O U T I N E =======================================
ROM:FF86F39C
ROM:FF86F39C
ROM:FF86F39C sub_FF86F39C                            ; CODE XREF: sub_FF86F4E0+38p
ROM:FF86F39C                 STMFD   SP!, {R4-R8,LR}
ROM:FF86F3A0                 MOV     R6, R0
ROM:FF86F3A4                 LDR     R0, =0x375F0
ROM:FF86F3A8                 MOV     R7, R1
ROM:FF86F3AC                 ADD     R4, R0, R1,LSL#7
ROM:FF86F3B0                 LDR     R0, [R4,#0x3C]
ROM:FF86F3B4                 MOV     R5, #0
ROM:FF86F3B8                 CMP     R0, #6
ROM:FF86F3BC                 ADDLS   PC, PC, R0,LSL#2
ROM:FF86F3C0                 B       loc_FF86F42C
ROM:FF86F3C4 ; ---------------------------------------------------------------------------
ROM:FF86F3C4

<...>
Where a pointer to SD-CARD write may be here?
Logged
*

Offline Timich

  • *
  • 17
Re: Problems with dumping A1100 IS 1.00A firmware
« Reply #3 on: 09 / July / 2010, 04:39:11 »
For A1100IS 1.00C firmware, there are two "BOOTDISKS":

ROM:FFC3E248 sub_FFC3E02C                 ADR     R1, aBootdisk   ; "BOOTDISK"                   
ROM:FFC3E430              aBootdisk       DCB "BOOTDISK",0        ; DATA XREF: sub_FFC3E02C+21Co

And some code below second "BOOTDISK" is:

Code: [Select]
ROM:FFC3E430 aBootdisk       DCB "BOOTDISK",0        ; DATA XREF: sub_FFC3E02C+21Co
ROM:FFC3E439                 DCB    0
ROM:FFC3E43A                 DCB    0
ROM:FFC3E43B                 DCB    0
ROM:FFC3E43C aScript         DCB "SCRIPT",0          ; DATA XREF: sub_FFC3E02C+238o
ROM:FFC3E443                 DCB    0
ROM:FFC3E444 dword_FFC3E444  DCD 0x53A               ; DATA XREF: sub_FFC3E390+34r
ROM:FFC3E448 unk_FFC3E448    DCB 0x4D ; M            ; DATA XREF: sub_FFC3E390+3Co
ROM:FFC3E448                                         ; sub_FFC3E4EC+154o ...
ROM:FFC3E449                 DCB 0x6F ; o
ROM:FFC3E44A                 DCB 0x75 ; u
ROM:FFC3E44B                 DCB 0x6E ; n
ROM:FFC3E44C                 DCB 0x74 ; t
ROM:FFC3E44D                 DCB 0x65 ; e
ROM:FFC3E44E                 DCB 0x72 ; r
ROM:FFC3E44F                 DCB 0x2E ; .
ROM:FFC3E450                 DCB 0x63 ; c
ROM:FFC3E451                 DCB    0
ROM:FFC3E452                 DCB    0
ROM:FFC3E453                 DCB    0
ROM:FFC3E454 off_FFC3E454    DCD sub_FFCE4560        ; DATA XREF: sub_FFC3E390+54r
ROM:FFC3E458 off_FFC3E458    DCD sub_FFCE4748        ; DATA XREF: sub_FFC3E390+60r
ROM:FFC3E45C off_FFC3E45C    DCD sub_FFCE44AC        ; DATA XREF: sub_FFC3E390+6Cr
ROM:FFC3E460 off_FFC3E460    DCD sub_FFCE4AFC        ; DATA XREF: sub_FFC3E390+7Cr
ROM:FFC3E464 off_FFC3E464    DCD sub_FFCE4B6C        ; DATA XREF: sub_FFC3E390+84r
ROM:FFC3E468
ROM:FFC3E468 ; =============== S U B R O U T I N E =======================================
ROM:FFC3E468
ROM:FFC3E468
ROM:FFC3E468 sub_FFC3E468                            ; CODE XREF: sub_FFC3E9BC+4Cp
ROM:FFC3E468                                         ; sub_FFC3EB1C+34p
ROM:FFC3E468                 LDR     R1, =0xE5D8
ROM:FFC3E46C                 STMFD   SP!, {R4-R6,LR}
ROM:FFC3E470                 ADD     R4, R1, R0,LSL#7
ROM:FFC3E474                 LDR     R0, [R4,#0x70]
ROM:FFC3E478                 TST     R0, #1
ROM:FFC3E47C                 LDMNEFD SP!, {R4-R6,PC}
ROM:FFC3E480                 LDR     R6, [R4,#0x38]
ROM:FFC3E484                 BL      sub_FFC3B85C
ROM:FFC3E488                 LDR     R0, [R4,#0x38]
ROM:FFC3E48C                 BL      sub_FFC3EEE8
ROM:FFC3E490                 CMP     R0, #0
ROM:FFC3E494                 MOV     R5, #5
ROM:FFC3E498                 STREQ   R5, [R4,#0x3C]
ROM:FFC3E49C                 BEQ     loc_FFC3E4E4
ROM:FFC3E4A0                 BL      sub_FFC3F6B8
ROM:FFC3E4A4                 BL      sub_FFC3F7A0
ROM:FFC3E4A8                 CMP     R0, #0
ROM:FFC3E4AC                 STREQ   R5, [R4,#0x3C]
ROM:FFC3E4B0                 BEQ     loc_FFC3E4D8
ROM:FFC3E4B4                 LDR     R1, [R4,#0x5C]
ROM:FFC3E4B8                 MOV     R0, R6
ROM:FFC3E4BC                 BLX     R1
ROM:FFC3E4C0                 CMP     R0, #0
ROM:FFC3E4C4                 STR     R0, [R4,#0x3C]
ROM:FFC3E4C8                 LDRNE   R0, [R4,#0x70]
ROM:FFC3E4CC                 ORRNE   R0, R0, #1
ROM:FFC3E4D0                 STRNE   R0, [R4,#0x70]
ROM:FFC3E4D4                 LDMNEFD SP!, {R4-R6,PC}
ROM:FFC3E4D8
ROM:FFC3E4D8 loc_FFC3E4D8                            ; CODE XREF: sub_FFC3E468+48j
ROM:FFC3E4D8                 LDR     R0, [R4,#0x60]
ROM:FFC3E4DC                 CMP     R0, #0
ROM:FFC3E4E0                 BLXNE   R0
ROM:FFC3E4E4
ROM:FFC3E4E4 loc_FFC3E4E4                            ; CODE XREF: sub_FFC3E468+34j
ROM:FFC3E4E4                 LDMFD   SP!, {R4-R6,LR}
ROM:FFC3E4E8                 B       sub_FFC3F748
ROM:FFC3E4E8 ; End of function sub_FFC3E468
ROM:FFC3E4E8
ROM:FFC3E4EC

Logged
*

Offline reyalp

  • ******
  • 14080
Re: Problems with dumping A1100 IS 1.00A firmware
« Reply #4 on: 10 / July / 2010, 00:14:18 »
Quote
Thanks for information... I thought that cameras with 1.00a firmware have slightly different hardware configuration (and that's why 1.00C-based chdk doesn't work) and so, may have different LED addresses.
As far as I know, there has never been a case where different firmwares of the same model had different hardware addresses. The reason CHDK doesn't work is the code or data have moved.

In the assembler you quote, one of the function pointers following BOOTDISK should be the function you are looking for. You can identify which one by looking at cameras where the location of WriteSDCard is known.

I would guess it is sub_FFCE4748 in 100c. Since that code is quite early in the dump, there is a fair chance it hasn't moved between 100a and 100c.  You could also try just hard coding that address in the udumper.

Since LED addresses are known, you should turn on an LED at the start of your udumper code. This will let you know if it is actually loading and running correctly. If it isn't, it's possible you need to make the diskboot bigger (by padding with some zeros) or you aren't encoding it correctly.
Logged
Don't forget what the H stands for.
*

Offline Timich

  • *
  • 17
Re: Problems with dumping A1100 IS 1.00A firmware
« Reply #5 on: 16 / July / 2010, 04:40:48 »
To be sure, if I want to use sub_FFCE4748  in udumper I should replace

Code: [Select]
wr=(f_w)*(unsigned int*)(j+4);

with

Code: [Select]
wr=(f_w)*(unsigned int*)(0xFFCE4748);

?

Did so, camera hanged and empty.dum is empty again.

Using solar battery from a broken calculator I got powerful signal from the blinker, but responce time was very high and I had to decrease blinking speed greatly to get a correct signal. Estimated time to get a 4 Mb firmware was over a day, so...

Now I got BPW34S photodiode (couldn't find BPW96C mentioned in the article), hope to get better luck with it. :)

BTW, what other diodes can be used to work with rapidly blinking orange LED (AF LED)?
« Last Edit: 16 / July / 2010, 04:45:26 by Timich »
Logged
*

Offline Timich

  • *
  • 17
Re: Problems with dumping A1100 IS 1.00A firmware
« Reply #6 on: 26 / August / 2010, 14:28:03 »
Working with blinked out pcm was not good, but new "Canon Basic" method worked fine.

Logged
Pages: [1]   Go Up
« previous next »
 

Related Topics