O firmware, where art thou?

Joined: 16 Apr 2005 Posts: 191 Location: Medford, MA

The last couple days I've been trying to (besides catch up on all the new discussions) capture a good firmware image from the camera noninvasively, with no success. I've dumped RAM and gotten what would "appear to be" firmware at first glance (from the strings it contains), but is not anywhere close to the actual firmware image obtained via flash reader (no hits even searching for a 4-byte sequence from near the beginning of firmware).

The best luck I've been able to get so far is via the 'dumpf' monitor command as someone mentioned in Discussions (somewhere), but starting at the beginning of the retrieved dump, many bytes [just ELF header?] are different.

(At around 0x560 it just goes haywire; things relocated everywhere.)

Is all of this normal/expected/harmless, or are my dumps goofed up somehow?

Screenshot of ELF differences: http://cexx.org/dakota/stuff/firmwhere.gif
Note: First 0x601 bytes clipped from flash-data.bin to facilitate file compare

Posted: Sun Sep 04, 2005 7:38 am

Nice title but I think you meant

O Firmware, Firmware Wherefore art thou Firmware.

Razz

And followed by:

But, soft! What light through yonder window breaks?

or

Deny thy Saturn and refuse thy name

Posted: Sun Sep 04, 2005 7:57 am

I haven't tried to obtain firmware yet (probably wouldn't even get as far as Drmn4ea). But if anyone can provide simple instructions - please do so in this thread or post a link to another topic that has clear instructions. Seems like daBass posted that he had obtained a complete and valid firmware after adding one byte to the front.

Joined: 08 Jul 2005 Posts: 785 Location: 4 8 15 16 23 42

With OPS, download 1283583 bytes of memory starting at 200043008 and save as firmware.img

To disassemble:

Code:

objdump-mips.exe -h -D -M reg-names=r3000 firmware.img > firmware.hd

Then:

Code:

dismipper.exe > firmware.lst

Of course, you will first need to get objdump compiled with mips support, and compile dismipper.

Posted: Sun Sep 04, 2005 12:39 pm

Drmn4ea, my memory dumped firmware matches your TEST1.BIN. I assume that's your memory dumped firmware.

Perhaps some relocation occurs when the firmware is actually loaded into memory.

Joined: 06 Aug 2005 Posts: 67

Mine (obtained with Ops "Download memory" starting Location=200043008 and with Length=1283583) looks like the one on the right. Eyeballed because mine has at the very beginning of the file one more byte, specifically 0x7f, to make a valid ELF Header. The first 4 bytes of the Identification should be the "magic number", 0x7f, 'E', 'L', and 'F'.

Joined: 08 Jul 2005 Posts: 441

relocation is a possibility, as is XIP (eXecute In Place). As that would change the varible in the ram copy of the program, to minimize memory allocation, leaving as much as possible for the codec.

Joined: 16 Apr 2005 Posts: 191 Location: Medford, MA

Rammer, BillW, I got what you got - the dump from RAM using your offsets is byte-for-byte identical (even dumped on different days with powercycles in between) with what I got from dumpf [ dumpf 200043008 1283569 test1.bin].

It's just raising the fur on my neck a little that a firmware-dumping command would return the bastardized in-memory copy rather than what's actually on the chip.

EDIT: Whoops! dumpf is a memory dumping cmd, not a firmware-dumping, so it makes sense that they match...still, I hope the differences between the memory copy and on-chip copy aren't significant enough to throw our firmware gurus for a loop!

Joined: 28 Aug 2005 Posts: 80

Either your camera is different the one I and several others have, or you are doing something wrong.

There are actually two versions of the 'firmware' in memory. One is at that lower address people have been quoting. That is the elf image, right off the disk. The other is at address 0x80000000 and is a running, or at least run-able copy located at the addresses where the elf header says the code should be loaded.

I should mention that for some reason, the image I downloaded with the button in ops was garbage. I had to manually type the dumpf command and then select and downlaod the resulting image, but I always assumed this was a glitch as it has worked for others.

Joined: 23 Aug 2005 Posts: 143

If you download the first 32MB starting at 0x80000000, you'll get everything including the firmware (starting at 0x81ec6a00, 2179754496 dec). It appears that above that, everything is mirrored every 32M.

Joined: 28 Aug 2005 Posts: 80

CVSfan wrote:

If you download the first 32MB starting at 0x80000000, you'll get everything including the firmware (starting at 0x81ec6a00, 2179754496 dec). It appears that above that, everything is mirrored every 32M.

That will give you the running copy, not the elf image. If you search it you will only find the string 'ELF' once, as part of the file name desired by the upgrade firmware routine. You won't find the ELF header in the DRAM, you have to look at that other address that people have been quoting in decimal (it's confusing, because that other address looks like it could be half of 4gb or 0x80000000, but the number of digits is wrong for that)

Joined: 23 Aug 2005 Posts: 143

It's in there ... check again! ;)