Dump Ixus 960is - page 4 - Firmware Dumping - CHDK Forum

Dump Ixus 960is

  • 45 Replies
  • 28908 Views
*

Offline mx3

  • ****
  • 372
Re: Dump Ixus 960is
« Reply #30 on: 11 / April / 2008, 05:06:52 »
Advertisements
could you explain that mx3, for us non-gcc guru's ? what does that do and should it be added to
all 3 'arm-elf-gcc' lines in the 2 .bat files ?

I'm not a guru.
pic stands for Position independent code

using this option in compilation will give you ability to load code to any address location and it will be executed ok


I just had a thought that maaybe udumper must be compiled with such option to be sure it works even if canon chose to make some changes about 1900
skype: max_dtc. ICQ: 125985663, email: win.drivers(at)gmail, eVB decompiler

*

Offline whim

  • ******
  • 2041
  • A495/590/620/630 ixus70/115/220/230/300/870 S95
Re: Dump Ixus 960is
« Reply #31 on: 11 / April / 2008, 05:13:47 »
@mx3

thanks for the info, i guess that means we should wait until the udumper coders come up
with suggestions... in the meantime i'll test if the ff80 stuff i attached above actually still works on my ixus 70

wim

edit: yep, still works on ixus70 (tested vxworks-small)
« Last Edit: 11 / April / 2008, 05:27:32 by whim »

*

Offline GrAnd

  • ****
  • 916
  • [A610, S3IS]
    • CHDK
Re: Dump Ixus 960is
« Reply #32 on: 11 / April / 2008, 06:36:15 »
We know there's at least 1 cam (ixus65) that uses FF80 0000 as ROMBASEADDR.

No. IXUS65 firmware also starts from 0xFF810000. Cail admitted that he just has the dump which was gotten from 0xFF800000 address and the dump has 0x00010000 bytes of zeros in the beginning.
CHDK Developer.

*

Offline whim

  • ******
  • 2041
  • A495/590/620/630 ixus70/115/220/230/300/870 S95
Re: Dump Ixus 960is
« Reply #33 on: 12 / April / 2008, 16:20:47 »
@GrAnd

Sorry, must have missed your post yesterday.

does that mean this is an error in the trunk then:

(from trunk382\platform\ixus65_630\sub\100a\makefile.inc)

Quote
--snip---
MEMBASEADDR=0x1900
RESTARTSTART=0x50000
MEMISOSTART=0x9C6B0
#MEMISOSIZE=0x1ae000
MEMISOSIZE=0x40000
#0x30000
ROMBASEADDR=0xff800000
--snip--

or did cail just offset all his addresses by 0x10000 ?

« Last Edit: 12 / April / 2008, 16:22:31 by whim »


*

Offline GrAnd

  • ****
  • 916
  • [A610, S3IS]
    • CHDK
Re: Dump Ixus 960is
« Reply #34 on: 12 / April / 2008, 17:06:14 »
does that mean this is an error in the trunk then:
Quote
ROMBASEADDR=0xff800000

Yes and no. This value is used for addresses finding. If your PRIMARY.BIN starts from 0xFF810000 you should correct this value. But if it starts from 0xFF800000 (with leading zeros, as for Cail) this value should be kept. :)
Anyway, if you don't use/have PRIMARY.BIN for updating stubs_entry*.S files that value is meaningless.

PS. I think we have to ask Cail to change this value and cut his PRIMARY.BIN as well.
CHDK Developer.

Re: Dump Ixus 960is
« Reply #35 on: 29 / May / 2008, 06:39:21 »
The problem with the Ixus 970 IS and SD1100IS seems to be that is impossible to get the camera to attempt to boot from a binary file on the SD Card. The contents of the diskboot.bin (or as suggested upgrader.bin) are irrelevant at this stage. We can't even get the camera to hang.

Yes the card is formatted FAT16.
The card was formatted in the camera.
BOOTDISK text inserted at 0x40 in card boot sector.
diskboot.bin is stored in the root directory.
Card is locked.
The camera is in review/view mode.
Battery is removed and reinserted before power on.
Can't think of anything else
etc ...

Camera simply boots up as normal with no delay.

*

Offline jeff666

  • ****
  • 181
  • A720IS
Re: Dump Ixus 960is
« Reply #36 on: 30 / May / 2008, 07:17:51 »
Camera simply boots up as normal with no delay.

The next method would be to test the "Firm Update"-Menu.

Place a file called PS.FI2 on the card and see if the menu-entry shows up. If it does, we would have to find out how the FI2-encoding mechanism works.

Edit: I just read, that the "Firm Update"-menuentry does indeed show up. Now we "just" have to find out how the FI2-encoding works.

Maybe the DSLR-Firmware-decoding-discussion gives us some useful hints.

Another approach would be reverse-engineering of the update-loader in a DryOS cam. The decoding function has to be in there, somewhere. A quick test shows the string "Update File Error!!!". With a little luck it is directly referred to by some function.

Edit2: In the A720-firmware is the Firm-update function at 0xFFDC6538. The decoding should take place in a function called FIRHANDLER, located at 0xFFE2CB20.

Cheers.
« Last Edit: 30 / May / 2008, 08:33:40 by jeff666 »

*

Offline jeff666

  • ****
  • 181
  • A720IS
Re: Dump Ixus 960is
« Reply #37 on: 30 / May / 2008, 08:20:21 »
- deleted (accidential post) -
« Last Edit: 30 / May / 2008, 08:34:09 by jeff666 »


*

Offline mx3

  • ****
  • 372
Re: Dump Ixus 960is
« Reply #38 on: 30 / May / 2008, 08:35:32 »
diskboot.bin is stored in the root directory.
can you rename diskboot.bin into autoexec.bin ? ( it seems DSLRs use such bin file name....)
skype: max_dtc. ICQ: 125985663, email: win.drivers(at)gmail, eVB decompiler

Re: Dump Ixus 960is
« Reply #39 on: 31 / May / 2008, 11:54:29 »
Neither diskboot.bin or autoexec.bin has any effect on my IXUS 80 IS (which is an SD1100IS, right?). It just says 'No Image (Card Locked!)' immediately.

 

Related Topics