I use the following code to dump the 450D 1.0.9 firmware, but it does not work. Can somebody give me some advice? Thanks.
I loaded the firmware flasher into IDA and saw that the pointer address is not a function entry. Can the code really run correctly?
ROM:00916964 BEQ loc_916950
ROM:00916968 MOV R0, R5
ROM:0091696C BL sub_974A50
ROM:00916970 LDR R3, [R6]
ROM:00916974 MOV R0, R4
??so sad....
---------
// canon 450d fw 1.0.9
//--------------------------------------
#define FW_ADDRESS 0xFF800000   /* start of the ROM region that main() dumps; specific to the firmware named in the header */
#define FW_SIZE 0x800000        /* number of bytes dumped: 8 MiB */
#define LEDBLUE 0xC02200E8      /* memory-mapped LED register; main() stores 0x46 here to switch the LED on */
#define O_WRONLY 1              /* flag value handed to the firmware's creat routine; same literal 1 is passed to open */
/* Assumed signatures of the firmware's own file/shutdown routines.  Only the
 * addresses assigned in main() are given on this page; the parameter order,
 * types and return conventions below are presumed, not verified — confirm
 * them against the disassembly before relying on them. */
typedef int (*ft_open)(const char *name, int flags, int mode);
typedef int (*ft_close)(int fd);
typedef int (*ft_write)(int fd, void *buffer, long nbytes);
typedef int (*ft_creat)(char *nm,int flg);
typedef int (*ft_shdn)(void);
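/*
 * Probe VOLUME by opening and closing it; if it is present, create PATH
 * on it and write the FW_SIZE bytes at FW_ADDRESS into that file.
 *
 * Returns -1 when the volume could not be opened (nothing was created),
 * 0 when the volume opened but the file could not be created or the
 * write came up short, and 1 when the full image was written.
 */
static int try_dump(ft_open open_fn, ft_creat creat_fn, ft_write write_fn,
                    ft_close close_fn, const char *volume, char *path)
{
    int fd = open_fn(volume, O_WRONLY, 0644);
    if (fd < 0) {
        return -1;                      /* absent volume: never close a bad fd */
    }
    close_fn(fd);

    fd = creat_fn(path, O_WRONLY);
    if (fd < 0) {
        return 0;
    }
    /* A short write leaves a truncated dump; only report success when the
     * whole image went out. */
    int written = write_fn(fd, (void *)FW_ADDRESS, FW_SIZE);
    close_fn(fd);
    return written == FW_SIZE ? 1 : 0;
}

/*
 * Entry point of the dump payload.  Resolves the firmware's file and
 * shutdown routines at hard-coded addresses, writes the firmware image
 * to the first card volume that opens (A:, then B:), and calls the
 * shutdown routine on success.  If no volume opened or the dump could
 * not be written, it switches the LED on and spins forever.
 *
 * Returns 0 nominally; in practice it never returns (shutdown or spin).
 *
 * NOTE(review): the addresses below are only meaningful for the firmware
 * build named in the file header (450D 1.0.9).  The disassembly quoted
 * in the post around 0x00916964 (a BEQ back to loc_916950) suggests that
 * address lies inside a routine rather than at its entry; confirm that
 * every address here is a real function entry before running this.
 */
int main(void)
{
    // 0x00807128 - tUpdMgr
    ft_open fw_open = (ft_open) 0x00916964;
    ft_creat fw_creat = (ft_creat) 0x00916a30;
    ft_write fw_write = (ft_write) 0x00916d28;
    ft_close fw_close = (ft_close) 0x00916de0;
    ft_shdn fw_shdn = (ft_shdn) 0x00807874;

    /* Try A: first; B: is only attempted when A: is absent, exactly as
     * before — an A: that opens but cannot hold the file is not retried. */
    int rc = try_dump(fw_open, fw_creat, fw_write, fw_close, "A:", "A:/DUMPA.DMP");
    if (rc < 0) {
        rc = try_dump(fw_open, fw_creat, fw_write, fw_close, "B:", "B:/DUMPB.DMP");
    }
    if (rc > 0) {
        fw_shdn();
    }

    /* Reached only when the dump did not complete: light the LED so the
     * failure is visible.  volatile keeps the MMIO store from being
     * elided or reordered. */
    *((volatile int *)LEDBLUE) = 0x46; //ON
    while (1) {
    }
    return 0;
}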