SX280 HS 101B Dump - I am truly willing to help test if someone develops - page 3 - Firmware Dumping - CHDK Forum
Re: SX280 HS 101B Dump - I am truly willing to help test if someone develops
« Reply #20 on: 06 / September / 2013, 21:08:36 »
Thanks reyalp, I was just about to ask what I should be doing with this thing next. There is an LED on the camera, so I can see if I can blink it. I was a little worried that I'd have to go through every bit of the firmware, including the OpenGL libraries. Hopefully it's only a few functions we need to find?

Offline reyalp
Re: SX280 HS 101B Dump - I am truly willing to help test if someone develops
« Reply #21 on: 06 / September / 2013, 22:40:40 »
Quote
Thanks reyalp, I was just about to ask what I should be doing with this thing next. There is an LED on the camera, so I can see if I can blink it. I was a little worried that I'd have to go through every bit of the firmware, including the OpenGL libraries.
Heh, I was going to take this as a joke but on seeing "OpenGL ES-CM 1.1" in the firmware.... :blink:

That could be fun ;) It could also mean that the normal CHDK way of interacting with the display isn't going to work.
Quote
Hopefully it's only a few functions we need to find?
For a working chdk build, you need pretty much everything that appears in stubs_entry.S, plus various other miscellaneous constants. In modern CHDK development, a lot of this is done for you by the finsig_dryos tool, but this will not work on thumb2 code, and even if you were to add thumb2 support, you'd need everything identified on one camera first.

On top of all that you'll need to adjust CHDK to actually build in thumb2, which will be somewhat non-trivial since we've always assumed it would be running on an ARM firmware.

edit:
I should add you don't need to get all that right off the bat. First thing is to get something booting and blinking an LED or something like that. You'll need the diskboot encoding, which may be the same as other DryOS R52 cameras, or may be something new. The strings "StartDiskboot" and "not executable" should get you in the right vicinity of the firmware.

Once you've got something booting, the next step is to boot, run your code, then continue in the canon firmware.
« Last Edit: 06 / September / 2013, 22:45:05 by reyalp »
Don't forget what the H stands for.

Re: SX280 HS 101B Dump - I am truly willing to help test if someone develops
« Reply #22 on: 07 / September / 2013, 15:17:36 »
I've located the string StartDiskboot in both the SX280 and SX260 firmware, but so far I haven't been able to correlate the code, since I haven't found the code that refers to that string yet. But I have found one signpost string, ErrColct.c, which enabled me to locate the HardwareDefect_FW and HardwareDefectWithRestart_FW functions in both firmware. Thought you might like to see both of them:

SX260 (v101a):

Code:
ROM:FF027460 ; =============== S U B R O U T I N E =======================================
ROM:FF027460
ROM:FF027460 ; Attributes: noreturn
ROM:FF027460
ROM:FF027460 HardwareDefectWithRestart_FW            ; CODE XREF: sub_FF0698DC+19Cp
ROM:FF027460                                         ; DATA XREF: ROM:FF02752Co
ROM:FF027460                 STMFD   SP!, {R4-R6,LR}
ROM:FF027464                 LDR     R4, =0x1DB8
ROM:FF027468                 MOV     R5, R0
ROM:FF02746C                 LDR     R1, =0x1D4C0
ROM:FF027470                 LDR     R0, [R4,#0xC]
ROM:FF027474                 MOV     R3, #0x5B
ROM:FF027478                 ADR     R2, aErrcolct_c ; "ErrColct.c"
ROM:FF02747C                 BL      0x68AEC0
ROM:FF027480                 LDR     R0, [R4]
ROM:FF027484                 CMP     R0, #0
ROM:FF027488                 MOV     R0, #1
ROM:FF02748C                 STREQ   R5, [R4]
ROM:FF027490                 STR     R0, [R4,#8]
ROM:FF027494                 STR     R5, [R4,#4]
ROM:FF027498                 LDR     R1, [R4,#0x10]
ROM:FF02749C                 BLX     R1
ROM:FF0274A0                 MOV     R0, #0
ROM:FF0274A4                 STR     R0, [R4,#8]
ROM:FF0274A8                 LDR     R0, [R4,#0xC]
ROM:FF0274AC                 LDMFD   SP!, {R4-R6,LR}
ROM:FF0274B0                 B       0x68AA60
ROM:FF0274B0 ; End of function HardwareDefectWithRestart_FW
ROM:FF0274B0
ROM:FF0274B4
ROM:FF0274B4 ; =============== S U B R O U T I N E =======================================
ROM:FF0274B4
ROM:FF0274B4 ; Attributes: noreturn
ROM:FF0274B4
ROM:FF0274B4 HardwareDefect_FW                       ; CODE XREF: sub_FF01E810:loc_FF01E850j
ROM:FF0274B4                                         ; ROM:FF03B860p ...
ROM:FF0274B4                 STMFD   SP!, {R4-R6,LR}
ROM:FF0274B8                 LDR     R4, =0x1DB8
ROM:FF0274BC                 MOV     R5, R0
ROM:FF0274C0                 LDR     R1, =0x1D4C0
ROM:FF0274C4                 LDR     R0, [R4,#0xC]
ROM:FF0274C8                 MOV     R3, #0x55
ROM:FF0274CC                 ADR     R2, aErrcolct_c ; "ErrColct.c"
ROM:FF0274D0                 BL      0x68AEC0
ROM:FF0274D4                 LDR     R0, [R4]
ROM:FF0274D8                 CMP     R0, #0
ROM:FF0274DC                 MOV     R0, #1
ROM:FF0274E0                 STREQ   R5, [R4]
ROM:FF0274E4                 STR     R0, [R4,#8]
ROM:FF0274E8                 STR     R5, [R4,#4]
ROM:FF0274EC                 BL      sub_FF020CF4
ROM:FF0274F0                 BL      sub_FF025334
ROM:FF0274F4                 BL      sub_FF07501C
ROM:FF0274F8 ; ---------------------------------------------------------------------------
ROM:FF0274F8                 LDR     R1, [R4,#0x10]
ROM:FF0274FC                 MOV     R0, #0
ROM:FF027500                 BLX     R1
ROM:FF027504                 MOV     R0, #0
ROM:FF027508                 STR     R0, [R4,#8]
ROM:FF02750C                 LDR     R0, [R4,#0xC]
ROM:FF027510                 LDMFD   SP!, {R4-R6,LR}
ROM:FF027514                 B       0x68AA60
ROM:FF027514 ; End of function HardwareDefect_FW
ROM:FF027514
ROM:FF027518 ; ---------------------------------------------------------------------------
ROM:FF027518                 STMFD   SP!, {R4,LR}
ROM:FF02751C                 ADR     R1, HardwareDefect_FW
ROM:FF027520                 ADR     R0, aHardwaredefect ; "HardwareDefect"
ROM:FF027524                 BL      loc_FF07CD40
ROM:FF027528 ; ---------------------------------------------------------------------------
ROM:FF027528                 LDMFD   SP!, {R4,LR}
ROM:FF02752C                 ADR     R1, HardwareDefectWithRestart_FW
ROM:FF027530                 ADR     R0, aHardwaredefectwithrestar ; "HardwareDefectWithRestart"
ROM:FF027534                 B       loc_FF07CD40


Re: SX280 HS 101B Dump - I am truly willing to help test if someone develops
« Reply #23 on: 07 / September / 2013, 15:18:00 »
SX280:

Code:
ROM:FC07B002 ; =============== S U B R O U T I N E =======================================
ROM:FC07B002
ROM:FC07B002
ROM:FC07B002 HardwareDefectWithRestart_FW            ; DATA XREF: ROM:FC07B07Co
ROM:FC07B002                 PUSH            {R4-R6,LR}
ROM:FC07B004                 LDR             R4, =0x83C8
ROM:FC07B006                 MOVS            R3, #0x59
ROM:FC07B008                 LDR             R1, =0x1D4C0
ROM:FC07B00A                 ADR             R2, aErrcolct_c ; "ErrColct.c"
ROM:FC07B00C                 MOV             R5, R0
ROM:FC07B00E                 LDR             R0, [R4,#0xC]
ROM:FC07B010                 BLX             sub_FC251C38
ROM:FC07B014                 LDR             R0, [R4]
ROM:FC07B016                 CBNZ            R0, loc_FC07B01A
ROM:FC07B018                 STR             R5, [R4]
ROM:FC07B01A
ROM:FC07B01A loc_FC07B01A                            ; CODE XREF: HardwareDefectWithRestart_FW+14j
ROM:FC07B01A                 MOVS            R0, #1
ROM:FC07B01C                 STRD.W          R5, R0, [R4,#4]
ROM:FC07B020                 LDR             R1, [R4,#0x10]
ROM:FC07B022                 BLX             R1
ROM:FC07B024                 MOVS            R0, #0
ROM:FC07B026                 STR             R0, [R4,#8]
ROM:FC07B028                 LDR             R0, [R4,#0xC]
ROM:FC07B02A                 POP.W           {R4-R6,LR}
ROM:FC07B02E                 B.W             sub_FC25143C
ROM:FC07B02E ; End of function HardwareDefectWithRestart_FW
ROM:FC07B02E
ROM:FC07B032
ROM:FC07B032 ; =============== S U B R O U T I N E =======================================
ROM:FC07B032
ROM:FC07B032
ROM:FC07B032 HardwareDefect_FW                       ; CODE XREF: sub_FC05370E+70p
ROM:FC07B032                                         ; sub_FC053B36+1Cp ...
ROM:FC07B032                 PUSH            {R4-R6,LR}
ROM:FC07B034                 LDR             R4, =0x83C8
ROM:FC07B036                 MOVS            R3, #0x53
ROM:FC07B038                 LDR             R1, =0x1D4C0
ROM:FC07B03A                 ADR             R2, aErrcolct_c ; "ErrColct.c"
ROM:FC07B03C                 MOV             R5, R0
ROM:FC07B03E                 LDR             R0, [R4,#0xC]
ROM:FC07B040                 BLX             sub_FC251C38
ROM:FC07B044                 LDR             R0, [R4]
ROM:FC07B046                 CBNZ            R0, loc_FC07B04A
ROM:FC07B048                 STR             R5, [R4]
ROM:FC07B04A
ROM:FC07B04A loc_FC07B04A                            ; CODE XREF: HardwareDefect_FW+14j
ROM:FC07B04A                 MOVS            R0, #1
ROM:FC07B04C                 STRD.W          R5, R0, [R4,#4]
ROM:FC07B050                 BL              sub_FC07202A
ROM:FC07B054                 BL              sub_FC0959B6
ROM:FC07B058                 BL              sub_FC20D2FC
ROM:FC07B05C                 LDR             R1, [R4,#0x10]
ROM:FC07B05E                 MOVS            R0, #0
ROM:FC07B060                 BLX             R1
ROM:FC07B062                 MOVS            R0, #0
ROM:FC07B064                 STR             R0, [R4,#8]
ROM:FC07B066                 LDR             R0, [R4,#0xC]
ROM:FC07B068                 POP.W           {R4-R6,LR}
ROM:FC07B06C                 B.W             sub_FC25143C
ROM:FC07B06C ; End of function HardwareDefect_FW
ROM:FC07B06C
ROM:FC07B070 ; ---------------------------------------------------------------------------
ROM:FC07B070                 PUSH            {R4,LR}
ROM:FC07B072                 ADR.W           R1, (HardwareDefect_FW+1)
ROM:FC07B076                 ADR             R0, aHardwaredefect ; "HardwareDefect"
ROM:FC07B078                 BL              loc_FC29B072
ROM:FC07B07C ; ---------------------------------------------------------------------------
ROM:FC07B07C                 ADR.W           R1, (HardwareDefectWithRestart_FW+1)
ROM:FC07B080                 POP.W           {R4,LR}
ROM:FC07B084                 ADR             R0, aHardwaredefe_0 ; "HardwareDefectWithRestart"
ROM:FC07B086                 B.W             loc_FC29B072


Offline srsa_4c
Re: SX280 HS 101B Dump - I am truly willing to help test if someone develops
« Reply #24 on: 07 / September / 2013, 15:36:30 »
"GPL disassembly", excerpt. While not perfect, it can help when IDA fails to disassemble parts of the code.
Code:
loc_fc04f9c2:
fc04f9c2: b510      push {r4, lr}
fc04f9c4: f2af 0005 subw r0, pc, #5
fc04f9c8: 0e00      lsrs r0, r0, #24
fc04f9ca: d01f      beq.n loc_fc04fa0c
fc04f9cc: 2000      movs r0, #0
fc04f9ce: f00f fdfe bl loc_fc05f5ce
fc04f9d2: 07c0      lsls r0, r0, #31
fc04f9d4: d11a      bne.n loc_fc04fa0c
fc04f9d6: f038 fd58 bl loc_fc08848a
fc04f9da: 2001      movs r0, #1
fc04f9dc: f00f fdf7 bl loc_fc05f5ce
fc04f9e0: 07c0      lsls r0, r0, #31
fc04f9e2: d013      beq.n loc_fc04fa0c
fc04f9e4: f00f fdf2 bl loc_fc05f5cc
fc04f9e8: 2000      movs r0, #0
fc04f9ea: f255 f833 bl loc_fc2a4a54
fc04f9ee: 2000      movs r0, #0
fc04f9f0: f255 f847 bl loc_fc2a4a82
fc04f9f4: b150      cbz r0, loc_fc04fa0c
fc04f9f6: a01f      add r0, pc, #124 ; 0xfc04fa74: (6174530a)  *".StartDiskboot"
fc04f9f8: f268 fb10 bl loc_fc2b801c

edit: the following code snippet gives hints about kernel code copied to RAM
Code:
fc02001e: 481f      ldr r0, [pc, #124] ; 0xfc02009c: (fc9538d4)
fc020020: 491f      ldr r1, [pc, #124] ; 0xfc0200a0: (010c1000)
fc020022: 4b20      ldr r3, [pc, #128] ; 0xfc0200a4: (010e03c4)
loc_fc020024:
fc020024: 4299      cmp r1, r3
fc020026: bf3c      itt cc
fc020028: f850 2b04 ldrcc.w r2, [r0], #4
fc02002c: f841 2b04 strcc.w r2, [r1], #4
fc020030: d3f8      bcc.n loc_fc020024
So, ROM content from 0xfc9538d4 gets copied to 0x10c1000 in RAM, up to 0x10e03c4

This code copies pre-initialized data into RAM (0x8000 - 0x2945f):
Code:
fc02003a: 481c      ldr r0, [pc, #112] ; 0xfc0200ac: (fc932474)
fc02003c: 491c      ldr r1, [pc, #112] ; 0xfc0200b0: (00008000)
fc02003e: 4b1d      ldr r3, [pc, #116] ; 0xfc0200b4: (00029460)
loc_fc020040:
fc020040: 4299      cmp r1, r3
fc020042: bf3c      itt cc
fc020044: f850 2b04 ldrcc.w r2, [r0], #4
fc020048: f841 2b04 strcc.w r2, [r1], #4
fc02004c: d3f8      bcc.n loc_fc020040
« Last Edit: 07 / September / 2013, 16:39:19 by srsa_4c »

Offline reyalp
Re: SX280 HS 101B Dump - I am truly willing to help test if someone develops
« Reply #25 on: 07 / September / 2013, 15:41:56 »
That's the technique, although that particular function isn't of much interest.

Note that despite my earlier statement that .c string references would find DebugAssert, sub_FC251C38 / 0x68AEC0 isn't it (you can tell because the arguments don't match up). It appears to be TakeSemaphoreStrictly, which tries to take a semaphore and asserts if it can't.

For cameras like sx260 that load some of the OS code into RAM (code at FF000138) you can get disassembly of these functions at the proper location by loading the file again, using "load file->Additional binary" (may be different in your version of IDA) and creating a code segment at the location that the code is copied to, with the copied length. Information about the copied data is also in stubs_entry.S for that camera.

You can sometimes find us in the IRC channel, #chdk on freenode if you want more realtime assistance
Don't forget what the H stands for.
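The ROM-to-RAM copy loops srsa_4c decoded above, and the "Additional binary" step reyalp describes for getting the copied code disassembled at its RAM address, can be scripted rather than done by hand. The following is an added example, not code from the CHDK project or from either poster: it scans a dump for the exact Thumb-2 loop bytes quoted above (cmp r1, r3 / itt cc / ldrcc.w / strcc.w / bcc.n), decodes the three PC-relative literal loads that precede the loop, and carves the copied bytes out of the dump so they can be loaded at the destination address. The register assignment (r0 source, r1 destination, r3 end) is an assumption taken from the SX280 snippets and may differ in other firmware; the sample image is constructed, not real firmware, and PRIMARY.BIN is only a placeholder filename.

```python
"""
Locate DryOS ROM->RAM copy loops in a Canon firmware dump, decode the
source/destination/end literals they load, and carve out the copied bytes so
they can be loaded into IDA as an "Additional binary" at the RAM address.

Added example, not code from the CHDK project or the forum posters. The byte
pattern and register usage are taken from the SX280 snippets quoted in the
thread; firmware built differently may use other registers, so the matcher is
an assumption to adapt, not a general DryOS signature.
"""
import struct

# Thumb-2 encoding of the copy loop seen in the dump, as little-endian bytes:
#   cmp r1, r3 / itt cc / ldrcc.w r2, [r0], #4 / strcc.w r2, [r1], #4 / bcc.n <loop>
COPY_LOOP = bytes.fromhex("99 42 3c bf 50 f8 04 2b 41 f8 04 2b f8 d3")


def decode_ldr_literal(addr, halfword):
    """Decode a 16-bit Thumb 'ldr rt, [pc, #imm8*4]' located at addr.

    Returns (rt, literal_address) or None if the halfword is not that form.
    The literal address is Align(PC, 4) + imm, with PC = addr + 4 in Thumb.
    """
    if (halfword & 0xF800) != 0x4800:
        return None
    rt = (halfword >> 8) & 0x7
    imm = (halfword & 0xFF) * 4
    return rt, ((addr + 4) & ~3) + imm


def find_copy_loops(rom, rom_base):
    """Return [{loop, src, dst, end}] for every copy loop that is preceded by
    three PC-relative loads into r0 (source), r1 (destination) and r3 (end)."""
    found = []
    off = rom.find(COPY_LOOP)
    while off != -1:
        regs = {}
        for back in (6, 4, 2):  # the three 16-bit loads right before the loop
            pos = off - back
            if pos < 0:
                break
            hw = struct.unpack_from("<H", rom, pos)[0]
            dec = decode_ldr_literal(rom_base + pos, hw)
            if dec is None:
                break
            rt, lit = dec
            lit_off = lit - rom_base
            if not 0 <= lit_off <= len(rom) - 4:
                break  # literal pool outside the dump: not a usable hit
            regs[rt] = struct.unpack_from("<I", rom, lit_off)[0]
        if set(regs) == {0, 1, 3}:
            found.append({"loop": rom_base + off, "src": regs[0],
                          "dst": regs[1], "end": regs[3]})
        off = rom.find(COPY_LOOP, off + 1)
    return found


def extract_region(rom, rom_base, src, dst, end):
    """Return the bytes the loop copies: ROM range [src, src + (end - dst))."""
    length = end - dst
    start = src - rom_base
    if length <= 0 or start < 0 or start + length > len(rom):
        raise ValueError("copy region outside the dump: src=%#x dst=%#x end=%#x"
                         % (src, dst, end))
    return rom[start:start + length]


def build_constructed_rom():
    """Constructed sample image (not real firmware) mapped at 0xFC000000.

    Layout: loader code at offset 0x10, literal pool at 0x30 (src, dst, end),
    and 16 bytes of payload at offset 0x100 that the loop would copy to 0x8000.
    """
    rom = bytearray(0x110)
    # ldr r0, [pc, #28] / ldr r1, [pc, #32] / ldr r3, [pc, #32]
    rom[0x10:0x16] = struct.pack("<HHH", 0x4807, 0x4908, 0x4B08)
    rom[0x16:0x16 + len(COPY_LOOP)] = COPY_LOOP
    struct.pack_into("<III", rom, 0x30, 0xFC000100, 0x00008000, 0x00008010)
    rom[0x100:0x110] = b"CONSTRUCTED!DATA"
    return bytes(rom)


if __name__ == "__main__":
    rom_base = 0xFC000000
    rom = build_constructed_rom()  # real use: open("PRIMARY.BIN", "rb").read()
    for hit in find_copy_loops(rom, rom_base):
        blob = extract_region(rom, rom_base, hit["src"], hit["dst"], hit["end"])
        name = "ram_%08x.bin" % hit["dst"]
        with open(name, "wb") as f:
            f.write(blob)
        print("loop at %#x copies %#x bytes from %#x to %#x -> %s"
              % (hit["loop"], len(blob), hit["src"], hit["dst"], name))
```

Each ram_XXXXXXXX.bin written by the script is what you load with "Additional binary" at the address in its name; the decoder reproduces the page's own numbers (for instance the ldr r0 at fc02001e resolves to the literal at fc02009c).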

Offline nafraf
Re: SX280 HS 101B Dump - I am truly willing to help test if someone develops
« Reply #26 on: 07 / September / 2013, 15:57:26 »
IXUS140 loader function start @ 0xFF038240
I'm not sure, but it seems to be similar to SX280 101b 0xfc095c40...

Re: SX280 HS 101B Dump - I am truly willing to help test if someone develops
« Reply #27 on: 08 / September / 2013, 12:09:26 »
Oh, *that's* how you simulate copying ROM into RAM! That'll definitely help, thanks!


Re: SX280 HS 101B Dump - I am truly willing to help test if someone develops
« Reply #28 on: 08 / September / 2013, 13:11:39 »
OK, I got DebugAssert in its RAM location. Interestingly, this version of the firmware adds another DebugAssert function which takes an initial parameter. Although that parameter seems to be ignored if *(0x8470)==0.

Code:
RAM:010C5C3C ; =============== S U B R O U T I N E =======================================
RAM:010C5C3C
RAM:010C5C3C
RAM:010C5C3C DebugAssert0                            ; CODE XREF: sub_10C546E+18p
RAM:010C5C3C                                         ; sub_10C546E+2Cp ...
RAM:010C5C3C                 LDR             R3, =0x8470
RAM:010C5C3E                 PUSH            {R4,LR}
RAM:010C5C40                 LDR             R3, [R3]
RAM:010C5C42                 CBZ             R3, loc_10C5C4A
RAM:010C5C44                 POP.W           {R4,LR}
RAM:010C5C48                 BX              R3
RAM:010C5C4A ; ---------------------------------------------------------------------------
RAM:010C5C4A
RAM:010C5C4A loc_10C5C4A                             ; CODE XREF: DebugAssert0+6j
RAM:010C5C4A                 ADR             R0, aAssertFileSLineD ; "\nAssert: File %s Line %d\n"
RAM:010C5C4C                 BL              sub_10C1CD8
RAM:010C5C50
RAM:010C5C50 spinloop                                ; CODE XREF: DebugAssert0:spinloopj
RAM:010C5C50                 B               spinloop
RAM:010C5C50 ; End of function DebugAssert0
RAM:010C5C50
RAM:010C5C52
RAM:010C5C52 ; =============== S U B R O U T I N E =======================================
RAM:010C5C52
RAM:010C5C52
RAM:010C5C52 DebugAssert                             ; CODE XREF: TakeSemaphoreStrictly+14p
RAM:010C5C52                                         ; ReceiveMessageQueueStrictly+14p ...
RAM:010C5C52                 MOV             R2, R1
RAM:010C5C54                 MOV             R1, R0
RAM:010C5C56                 MOVS            R0, #0
RAM:010C5C58                 B               DebugAssert0
RAM:010C5C58 ; End of function DebugAssert
RAM:010C5C58
RAM:010C5C5A ; [00000002 BYTES: COLLAPSED FUNCTION j_DebugAssert0. PRESS KEYPAD CTRL-"+" TO EXPAND]
RAM:010C5C5C ; ---------------------------------------------------------------------------
RAM:010C5C5C                 LDR             R1, =0x8470 ; DATA XREF: sub_FC25166Co
RAM:010C5C5E                 STR             R0, [R1]
RAM:010C5C60                 BX              LR

In any case, this should get most of the RAM functions mapped out.

Re: SX280 HS 101B Dump - I am truly willing to help test if someone develops
« Reply #29 on: 08 / September / 2013, 15:25:03 »
As an aside, I think 0xfe000000 aliases 0xfc000000, since the code appears to be the same, but the absolute addresses in both areas reference 0xfc000000. So it's probably sufficient to dump 0xFC020000 - 0xFDFFFFFF rather than all the way to 0xFFFFFFFF as the dumper does.
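One way to test the aliasing guess in the post above before trimming the dump range is to check whether the dump is periodic: if the bytes at 0xfe000000 onward are a mirror of 0xfc000000, the dump repeats with a power-of-two period equal to the real ROM size. This is an added example, not code from the CHDK dumper or the forum posters; it assumes the dump starts at the ROM base and that a mirror, if present, repeats at a power-of-two period. The sample image is constructed, not a real dump.

```python
"""
Detect whether a ROM dump mirrors itself (e.g. 0xFE000000 aliasing
0xFC000000) so the dumped range can be trimmed to the real ROM size.

Added example, not code from the CHDK dumper. Assumes the dump starts at
rom_base and that any mirror repeats with a power-of-two period.
"""
import hashlib


def mirror_period(dump):
    """Smallest power-of-two period p such that dump[i] == dump[i + p] for
    every i, or len(dump) if no aliasing is found.

    Uniform candidate blocks (all 0x00 or all 0xFF) are skipped, otherwise a
    run of erased flash at the start would look like a tiny period.
    """
    n = len(dump)
    p = 1
    while p * 2 <= n:
        if n % p == 0 and len(set(dump[:p])) > 1 and dump[p:] == dump[:n - p]:
            return p
        p *= 2
    return n


def unique_blocks(dump, period):
    """SHA-256 of each period-sized block: every alias region must hash the
    same before you trust the trimmed range."""
    return [hashlib.sha256(dump[i:i + period]).hexdigest()
            for i in range(0, len(dump), period)]


def trimmed_range(rom_base, dump):
    """(first address, last address, period) of the region worth keeping."""
    p = mirror_period(dump)
    return rom_base, rom_base + p - 1, p


def build_constructed_dump():
    """Constructed image (not a real dump): a 64-byte pseudo-ROM with
    distinct bytes, mirrored four times."""
    block = bytes((i * 37 + 11) & 0xFF for i in range(64))
    return block * 4


if __name__ == "__main__":
    rom_base = 0xFC000000
    dump = build_constructed_dump()  # real use: open("ROM.BIN", "rb").read()
    first, last, period = trimmed_range(rom_base, dump)
    print("dump length %#x, mirror period %#x, keep %#x-%#x"
          % (len(dump), period, first, last))
    print("distinct block digests:", len(set(unique_blocks(dump, period))))
```

On a real dump covering 0xFC000000-0xFFFFFFFF, a reported period of 0x2000000 supports the aliasing guess; a period equal to the dump length means nothing repeats and the whole range is needed. This check only shows the bytes are identical, it says nothing about which base the firmware's absolute addresses use, so the observation about references to 0xfc000000 still has to be confirmed in the disassembly.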

 
