New stubs/signature finder (gensig2/finsig2) for DryOS cameras. - page 8 - General Discussion and Assistance - CHDK Forum  


philmoz
Re: New stubs/signature finder (gensig2/finsig2) for DryOS cameras.
« Reply #70 on: 17 / June / 2013, 21:41:49 »
> @philmoz
> When you have some time, can you explain some of the functions (return value, arguments) you used in your latest (2877) finsig_dryos.c changeset? I'd like to understand "the basics" better.

I'm adding some better documentation to the source code.
Should have something in the next few days.

Phil.
CHDK ports:
  sx30is (1.00c, 1.00h, 1.00l, 1.00n & 1.00p)
  g12 (1.00c, 1.00e, 1.00f & 1.00g)
  sx130is (1.01d & 1.01f)
  ixus310hs (1.00a & 1.01a)
  sx40hs (1.00d, 1.00g & 1.00i)
  g1x (1.00e, 1.00f & 1.00g)
  g5x (1.00c, 1.01a, 1.01b)
  g7x2 (1.01a, 1.01b, 1.10b)

srsa_4c
« Reply #71 on: 18 / June / 2013, 17:01:54 »
@philmoz

Thanks, I see you've already added some notes.

nafraf
« Reply #72 on: 20 / June / 2013, 20:17:58 »
This patch adds raw buffer detection for cameras with just one buffer. It is not fully tested.

srsa_4c
« Reply #73 on: 21 / June / 2013, 13:21:11 »
Attached patch adds some of the remaining semaphore functions to finsig_dryos.
These are (and how they are found):
CreateCountingSemaphore (it's exported as eventproc)
CreateBinarySemaphore (This is the function right before CreateCountingSemaphore, just like in VxWorks firmwares. My method to find it is to look for the first use of a debug string.)
DeleteSemaphore (exported as eventproc)

All of them are marked as UNUSED for now.
« Last Edit: 21 / June / 2013, 13:29:45 by srsa_4c »

srsa_4c
« Reply #74 on: 25 / June / 2013, 19:38:37 »
I've been working on the identification of several dryos kernel functions. A work in progress patch to detect these is attached. The reason I'm doing this is to aid firmware research a bit (including my work); probably none of these functions will ever be used by CHDK. Function parameters and return values are subject to further research.
Some notes:
- Function names are based on possible vxworks equivalents (they wrapped most vxworks kernel functions with a different name, most function names appear in the ixus30/40 firmware).
- Several functions have no direct vx equivalents, anybody can suggest a better naming scheme for these (they are the "lethal" variants, which cause assert when timed out(?) ):
TakeSemaphoreStrictly // r23+
ReceiveMessageQueueStrictly // r23+
PostMessageQueueStrictly // r23+
WaitForAnyEventFlagStrictly // r23+
WaitForAllEventFlagStrictly // r23+
AcquireRecursiveLockStrictly // r23+
All of these names are made up.
- hook_CreateTask2 is the "strict" variant of CreateTask, called CreateTaskStrictly in vxworks
- I'm not 100% sure about the -any- and -all- variants of the eventflag functions. Vx firmwares have these, I tried to find equivalents based on similar fw functions in A460 (vx) and A470 (dryos). Don't ask me what these do, I don't know :)
- I have added find_strsig19() to the sigfinder. Most detections are based on this. This method locates a function based on its offset to another function. I can imagine that the current implementation is not the most appropriate, suggestions are welcome.
- All of this is work in progress, I have not verified the hits in every dryos revision.

reyalp
« Reply #75 on: 25 / June / 2013, 21:44:50 »
> I've been working on the identification of several dryos kernel functions. A work in progress patch to detect these is attached. The reason I'm doing this is to aid firmware research a bit (including my work), probably none of these functions will ever be used by CHDK.
I'm not sure about the "strictly" variants, but the message queue and eventflag functions could be very useful.
Don't forget what the H stands for.

philmoz
« Reply #76 on: 28 / June / 2013, 05:33:09 »
> I've been working on the identification of several dryos kernel functions. A work in progress patch to detect these is attached. The reason I'm doing this is to aid firmware research a bit (including my work); probably none of these functions will ever be used by CHDK. Function parameters and return values are subject to further research.
> Some notes:
> - Function names are based on possible vxworks equivalents (they wrapped most vxworks kernel functions with a different name, most function names appear in the ixus30/40 firmware).
> - Several functions have no direct vx equivalents, anybody can suggest a better naming scheme for these (they are the "lethal" variants, which cause assert when timed out(?) ):
> TakeSemaphoreStrictly // r23+
> ReceiveMessageQueueStrictly // r23+
> PostMessageQueueStrictly // r23+
> WaitForAnyEventFlagStrictly // r23+
> WaitForAllEventFlagStrictly // r23+
> AcquireRecursiveLockStrictly // r23+
> All of these names are made up.
> - hook_CreateTask2 is the "strict" variant of CreateTask, called CreateTaskStrictly in vxworks
> - I'm not 100% sure about the -any- and -all- variants of the eventflag functions. Vx firmwares have these, I tried to find equivalents based on similar fw functions in A460 (vx) and A470 (dryos). Don't ask me what these do, I don't know :)
> - I have added find_strsig19() to the sigfinder. Most detections are based on this. This method locates a function based on its offset to another function. I can imagine that the current implementation is not the most appropriate, suggestions are welcome.
> - All of this is work in progress, I have not verified the hits in every dryos revision.

Nice - the new values also get picked up by code_gen so I now see the function names in the code instead of sub_XXXXXXXX for some of them.

Phil.

srsa_4c
« Reply #77 on: 29 / June / 2013, 18:17:20 »
Attached is a slightly updated patch.
I've added TryTakeSemaphore (which is a less widely used function, there is a very slight chance that it's actually something else).
Also updated find_strsig19() to make finding functions with a negative offset possible (I'm only using negative offsets for VxWorks).
All added functions seem to be found on all DryOS dumps (r23...r52), with the exception of the S5IS (r20, some functions are not present). I still have not verified the hits though. My helper utility (dumpfwfunc) is still using my chdk_dasm variant, and is not able to show disassembly for functions copied to RAM. I should probably switch to code_gen...

> I'm not sure about the "strictly" variants, but the message queue and eventflag functions could be very useful.
The strict variants are present for two reasons: 1) some non-strict functions are found based on them 2) they are widely used.

srsa_4c
« Reply #78 on: 06 / July / 2013, 22:32:36 »
Timer and HP (high precision? high performance?) timer functions (r20 ... r52). These are almost the same since the early VxWorks days. Names are based on the names found in the ixus30 fw.
I have added a slightly changed version of the match_strsig15 function (as match_strsig115), which allows limiting the search range for the previous BL instruction.

And a question: is the order of function names in func_names[] still important for dependencies to work? This latest patched version still finds all new functions, despite an ordering 'mistake' (CancelHPTimer depends on SetHPTimerAfterTimeout, but they are specified in reverse order).
« Last Edit: 06 / July / 2013, 22:37:08 by srsa_4c »
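The bounded backward search for the previous BL that the match_strsig115 range limit describes, as an added example that is not finsig code and not part of the post above: it decodes an ARM BL and resolves its target inside a constructed firmware fragment. FW_BASE, the instruction words and the function names are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#define FW_BASE 0xFF810000u   /* assumed load address of the dump (constructed) */

/* Constructed ARM32 words standing in for a firmware fragment; indices 4 and 9
 * play the role of the instructions that reference a debug string. */
const uint32_t sample_fw[] = {
    0xE92D4010u,  /* [0] push {r4, lr} */
    0xE1A04000u,  /* [1] mov  r4, r0 */
    0xEB00003Cu,  /* [2] bl   0xFF810100 */
    0xE1A00004u,  /* [3] mov  r0, r4 */
    0xE59F0010u,  /* [4] ldr  r0, [pc, #16]   string reference */
    0xE1A01004u,  /* [5] mov  r1, r4 */
    0xE1A02005u,  /* [6] mov  r2, r5 */
    0xEBFFFFB7u,  /* [7] bl   0xFF80FF00  (backward branch) */
    0xE1A03005u,  /* [8] mov  r3, r5 */
    0xE59F1008u,  /* [9] ldr  r1, [pc, #8]    string reference */
    0xE8BD8010u,  /* [10] pop {r4, pc} */
};
const size_t sample_fw_words = sizeof(sample_fw) / sizeof(sample_fw[0]);

/* ARM BL encoding: cond(4) 1011 imm24; any condition code is accepted. */
static int is_bl(uint32_t insn) { return (insn & 0x0F000000u) == 0x0B000000u; }

/* Branch target of a BL at address pc: pc + 8 + sign_extend(imm24) * 4. */
static uint32_t bl_target(uint32_t pc, uint32_t insn)
{
    int32_t imm = (int32_t)(insn << 8) >> 8;   /* sign-extend the 24-bit field */
    return pc + 8u + (uint32_t)(imm * 4);
}

/* Walk backwards from word index idx (the string-referencing instruction) over at
 * most max_back instructions; return the first BL's target, or 0 if none is in the
 * window. A small window keeps the search from latching onto an unrelated call. */
uint32_t find_prev_bl_target(const uint32_t *fw, size_t nwords, size_t idx, int max_back)
{
    if (idx >= nwords) return 0;
    for (int back = 1; back <= max_back && (size_t)back <= idx; back++)
        if (is_bl(fw[idx - back]))
            return bl_target(FW_BASE + (uint32_t)((idx - back) * 4), fw[idx - back]);
    return 0;
}

int main(void)
{
    printf("idx 4, window 50: 0x%08X\n", find_prev_bl_target(sample_fw, sample_fw_words, 4, 50));
    printf("idx 9, window 1:  0x%08X\n", find_prev_bl_target(sample_fw, sample_fw_words, 9, 1));
    printf("idx 9, window 2:  0x%08X\n", find_prev_bl_target(sample_fw, sample_fw_words, 9, 2));
    return 0;
}
```

With a window of 1 the second string reference yields no match, while a window of 2 reaches the preceding BL; that is the difference the range limit makes.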

philmoz
« Reply #79 on: 09 / July / 2013, 06:37:19 »
> Timer and HP (high precision? high performance?) timer functions (r20 ... r52). These are almost the same since the early VxWorks days. Names are based on the names found in the ixus30 fw.
> I have added a slightly changed version of the match_strsig15 function (as match_strsig115), which allows limiting the search range for the previous BL instruction.
>
> And a question: is the order of function names in func_names[] still important for dependencies to work? This latest patched version still finds all new functions, despite an ordering 'mistake' (CancelHPTimer depends on SetHPTimerAfterTimeout, but they are specified in reverse order).

Thanks for that, testing it now.
I've merged your new match_strsig115 back into match_strsig15 (the old entries all have dryos_ofst = 0 so in this case I just use 50 to match the original code).

The code will try to find a dependency if it hasn't already been found; but only with the new string matching functions - if the dependency requires matching using the old gensig matching then it will fail unless the order is correct in func_names.

Phil.