CVSfan
Joined: 23 Aug 2005
Posts: 143
Posted: Mon Sep 19, 2005 7:43 pm

Bummer ... got my hands on 3.62 firmware and PD removed the section of code that dealt with enabling mass-storage mode. The new address is 0x8013e098, but the case 10 code is now a no-op.

BillW
Joined: 14 Apr 2005
Posts: 2507
Location: in a tightly curled dimension
Posted: Mon Sep 19, 2005 8:21 pm

Translation for those watching at the sidelines: it looks like they've removed the mass-storage code in the 03.62 firmware!
Nice find, CVSfan... if I only had 03.62 cameras, I'd be redoubling my efforts to get at least one 3.40 camera at the same PCB version as my 03.62 cameras. At least that way you may be able to reflash in the mass storage functionality some day.

carpespasm
Joined: 05 Aug 2005
Posts: 1541
Location: jacksonville, fl
Posted: Mon Sep 19, 2005 9:04 pm

Maybe they saw the mass storage as our next likely place to open the camcorders from and took it out to remove one more potential hole.
_________________
rat shack, you've got questions, we've got blank stares.... and cell phones.

radarman
Joined: 01 Jul 2005
Posts: 1538
Location: is everything
Posted: Mon Sep 19, 2005 9:10 pm

That, and it isn't required for normal operations. It could be they just streamlined the code to do just what it needed to do, and no more. (while simultaneously making life hard for us.)
However, since we have seen recycled cameras with board revisions of B1-B3 running 3.62 FW, it stands to reason you could reflash 3.40 on camcorders that came loaded with 3.62 - as I would suspect any "personalizers" would involve bumping the board rev.
Of course, only about three people on this board could do this magical FW swap, and it currently involves removing and replacing a TSOP chip, so I doubt PD is going to get very concerned about this.

Cosmic Gecko
Joined: 07 Aug 2005
Posts: 214
Posted: Mon Sep 19, 2005 9:35 pm

Makes me wonder what other goodies might be present in the 3.01 firmware version. My local CVS won't let me buy their demo model to find out.

mattcam3
Joined: 10 Aug 2005
Posts: 437
Posted: Mon Sep 19, 2005 10:39 pm

For the people that have a recycled 3.62, does the flash chip look like it was taken off then put back on? If not, then they must have a way to reflash it through the connector. Is there a similar method we could exploit? Or does that require the camera be unlocked, which is really the whole problem?

Corscaria
Joined: 08 Jul 2005
Posts: 441
Posted: Mon Sep 19, 2005 10:50 pm

mattcam3, it's already known there is code in the firmware to support flashing a new version of the firmware on.
What I know of the upgrade functions is they allow repartitioning, flashing individual partitions, and full reflash.
_________________
how does a hatrack cope with suddenly becoming human?

CVSfan
Joined: 23 Aug 2005
Posts: 143
Posted: Mon Sep 19, 2005 11:13 pm

For those looking at fetching the 3.62 firmware, it starts at 0x81ec6800, length 0x139800.
Here's the initial output from objdump:
Code:
firmware_362.o: file format elf32-littlemips
architecture: mips:isa32, flags 0x00000002:
EXEC_P
start address 0x80000600
Sections:
Idx Name Size VMA LMA File off Algn Flags
0 .spc0 00000210 bfc08000 bfc08000 0013919c 2**2 CONTENTS, ALLOC, LOAD, CODE
1 .spc1 00000000 bfc09000 bfc09000 001393ac 2**0 CONTENTS
2 .spc2 00000000 bfc09400 bfc09400 001393ac 2**0 CONTENTS
3 .spc3 00000000 bfc09800 bfc09800 001393ac 2**0 CONTENTS
4 .spd0 00000000 90008000 90008000 001393ac 2**0 CONTENTS
5 .spd1 00000000 90009000 90009000 001393ac 2**0 CONTENTS
6 .spd2 00000000 90009400 90009400 001393ac 2**0 CONTENTS
7 .spd3 00000400 90009800 90009800 00138d9c 2**2 CONTENTS, ALLOC, LOAD, DATA
8 .exception 0000013c 80000180 80000180 000000d4 2**0 CONTENTS, ALLOC, LOAD, READONLY, CODE
9 .boot 00000040 80000600 80000600 00000220 2**2 CONTENTS, ALLOC, LOAD, READONLY, CODE
10 .text 0012e168 80000640 80000640 00000260 2**5 CONTENTS, ALLOC, LOAD, READONLY, CODE
11 __ex_table 00000010 8012e7a8 8012e7a8 0012e3c8 2**2 CONTENTS, ALLOC, LOAD, READONLY, DATA
12 .scratch 0000011c 8012e7b8 8012e7b8 0012e3d8 2**2 CONTENTS, ALLOC, LOAD, READONLY, CODE
13 .scratchpad3 00000070 8012e8d4 8012e8d4 0012e4f4 2**0 CONTENTS, ALLOC, LOAD, READONLY, CODE
14 .data 0000a818 8012e948 8012e948 0012e568 2**3 CONTENTS, ALLOC, LOAD, DATA
15 .data1 00000018 80139160 80139160 00138d80 2**2 CONTENTS, ALLOC, LOAD, DATA
16 .sbss 000005c4 80139178 80139178 00138d98 2**2 ALLOC
17 .bss 0000c5d0 80139740 80139740 00138d9c 2**4 ALLOC

And, for comparison, here's the 3.40:
Code:
firmware_340.o: file format elf32-littlemips
architecture: mips:isa32, flags 0x00000002:
EXEC_P
start address 0x80000600
Sections:
Idx Name Size VMA LMA File off Algn Flags
0 .spc0 00000210 bfc08000 bfc08000 00138fec 2**2 CONTENTS, ALLOC, LOAD, CODE
1 .spc1 00000000 bfc09000 bfc09000 001391fc 2**0 CONTENTS
2 .spc2 00000000 bfc09400 bfc09400 001391fc 2**0 CONTENTS
3 .spc3 00000000 bfc09800 bfc09800 001391fc 2**0 CONTENTS
4 .spd0 00000000 90008000 90008000 001391fc 2**0 CONTENTS
5 .spd1 00000000 90009000 90009000 001391fc 2**0 CONTENTS
6 .spd2 00000000 90009400 90009400 001391fc 2**0 CONTENTS
7 .spd3 00000400 90009800 90009800 00138bec 2**2 CONTENTS, ALLOC, LOAD, DATA
8 .exception 0000013c 80000180 80000180 000000d4 2**0 CONTENTS, ALLOC, LOAD, READONLY, CODE
9 .boot 00000040 80000600 80000600 00000220 2**2 CONTENTS, ALLOC, LOAD, READONLY, CODE
10 .text 0012dfc0 80000640 80000640 00000260 2**5 CONTENTS, ALLOC, LOAD, READONLY, CODE
11 __ex_table 00000010 8012e600 8012e600 0012e220 2**2 CONTENTS, ALLOC, LOAD, READONLY, DATA
12 .scratch 0000011c 8012e610 8012e610 0012e230 2**2 CONTENTS, ALLOC, LOAD, READONLY, CODE
13 .scratchpad3 00000070 8012e72c 8012e72c 0012e34c 2**0 CONTENTS, ALLOC, LOAD, READONLY, CODE
14 .data 0000a808 8012e7a0 8012e7a0 0012e3c0 2**3 CONTENTS, ALLOC, LOAD, DATA
15 .data1 00000018 80138fa8 80138fa8 00138bc8 2**2 CONTENTS, ALLOC, LOAD, DATA
16 .sbss 000005c4 80138fc0 80138fc0 00138be0 2**2 ALLOC
17 .bss 0000c5d0 80139590 80139590 00138bec 2**4 ALLOC

Two sections changed size, .text and .data. The good news is that .bss appears to have stayed intact (other than for its new starting address). Hopefully all objects (including USP.BIN) are still in the same order so it's a matter of adjusting their offset compared to 3.40 (.bss offset between 3.40 and 3.62 = 0x1b0). If only we'd be so lucky!!!!

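A way to do the comparison CVSfan does by eye mechanically, as an added example (this is not code from the thread or from the camerahacks project): parse the two objdump -h listings posted above, report per-section size and VMA deltas, and re-derive each section's VMA from the previous section's end and alignment. The two listings are embedded as sample input, trimmed to rows 10-17 (the sections that form one contiguous run at 0x80000640). The `translate` helper encodes the hypothesis the post only hopes is true, that objects kept their order inside each section; it is an assumption, not something the section headers prove.

```python
import re

# One objdump -h row: idx, name, size, vma, lma, file offset, 2**align (flags ignored).
ROW = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+([0-9a-f]{8})\s+([0-9a-f]{8})\s+([0-9a-f]{8})"
    r"\s+([0-9a-f]{8})\s+2\*\*(\d+)", re.IGNORECASE)

# Sample input: rows 10-17 of the two listings CVSfan posted.  The .spc*/.spd*
# rows sit at other base addresses and are left out so the layout check can
# chain one section to the next.
SECTIONS_340 = """\
 10 .text         0012dfc0  80000640  80000640  00000260  2**5
 11 __ex_table    00000010  8012e600  8012e600  0012e220  2**2
 12 .scratch      0000011c  8012e610  8012e610  0012e230  2**2
 13 .scratchpad3  00000070  8012e72c  8012e72c  0012e34c  2**0
 14 .data         0000a808  8012e7a0  8012e7a0  0012e3c0  2**3
 15 .data1        00000018  80138fa8  80138fa8  00138bc8  2**2
 16 .sbss         000005c4  80138fc0  80138fc0  00138be0  2**2
 17 .bss          0000c5d0  80139590  80139590  00138bec  2**4
"""
SECTIONS_362 = """\
 10 .text         0012e168  80000640  80000640  00000260  2**5
 11 __ex_table    00000010  8012e7a8  8012e7a8  0012e3c8  2**2
 12 .scratch      0000011c  8012e7b8  8012e7b8  0012e3d8  2**2
 13 .scratchpad3  00000070  8012e8d4  8012e8d4  0012e4f4  2**0
 14 .data         0000a818  8012e948  8012e948  0012e568  2**3
 15 .data1        00000018  80139160  80139160  00138d80  2**2
 16 .sbss         000005c4  80139178  80139178  00138d98  2**2
 17 .bss          0000c5d0  80139740  80139740  00138d9c  2**4
"""


def parse_sections(text):
    """Return the section rows in file order as dicts with integer fields."""
    secs = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:          # header, blank or flag-only lines
            continue
        _, name, size, vma, lma, off, align = m.groups()
        secs.append({"name": name, "size": int(size, 16), "vma": int(vma, 16),
                     "lma": int(lma, 16), "off": int(off, 16),
                     "align": 1 << int(align)})
    return secs


def diff_sections(old, new):
    """Section name -> (size delta, VMA delta) for sections present in both images."""
    by_name = {s["name"]: s for s in old}
    return {s["name"]: (s["size"] - by_name[s["name"]]["size"],
                        s["vma"] - by_name[s["name"]]["vma"])
            for s in new if s["name"] in by_name}


def align_up(addr, align):
    return (addr + align - 1) & ~(align - 1)


def layout_mismatches(secs):
    """Re-derive each VMA from the previous section's end rounded up to the
    section's own alignment; anything that differs is a gap or a reordering."""
    bad = []
    for prev, cur in zip(secs, secs[1:]):
        predicted = align_up(prev["vma"] + prev["size"], cur["align"])
        if predicted != cur["vma"]:
            bad.append((cur["name"], predicted, cur["vma"]))
    return bad


def translate(addr, old, new):
    """Map an address in the old image to the new one, ASSUMING objects kept
    their order inside the section (a hypothesis the headers cannot confirm)."""
    new_by_name = {s["name"]: s for s in new}
    for s in old:
        if s["vma"] <= addr < s["vma"] + s["size"]:
            return new_by_name[s["name"]]["vma"] + (addr - s["vma"])
    raise ValueError("address %#x is not in any listed section" % addr)


if __name__ == "__main__":
    s340, s362 = parse_sections(SECTIONS_340), parse_sections(SECTIONS_362)
    for name, (dsize, dvma) in diff_sections(s340, s362).items():
        print("%-13s size %+#x  vma %+#x" % (name, dsize, dvma))
    print("layout gaps:", layout_mismatches(s340), layout_mismatches(s362))
```

Running it reproduces the 0x1b0 shift of .bss and also shows why one constant will not do: .data1 and .sbss move by 0x1b8, but .bss, aligned to 16 bytes, only by 0x1b0. The layout check passes for both images, so the headers are self-consistent; it says nothing about whether functions inside the 0x1a8 bytes of grown .text kept their order, which is what a diff of the two disassemblies still has to establish.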
carpespasm
Joined: 05 Aug 2005
Posts: 1541
Location: jacksonville, fl
Posted: Tue Sep 20, 2005 1:23 am

mattcam3 wrote:
    For the people that have a recycled 3.62, does the flash chip look like it was taken off then put back on? If not, then they must have a way to reflash it through the connector. Is there a similar method we could exploit? Or does that require the camera be unlocked, which is really the whole problem?
They can update the firmware through USB, but the thing is, they can get in the camcorders with the real response keys; no such niceness for us yet.
_________________
rat shack, you've got questions, we've got blank stares.... and cell phones.

star882
Joined: 11 Aug 2005
Posts: 282
Posted: Tue Sep 20, 2005 2:33 am

Drmn4ea wrote:
    star882 wrote:
        Couldn't you also connect a logic probe to the original WR line to see if it's trying to write?
    Unfortunately not that I know of. The WP (Write Protect) pin is usually kept HIGH (writable) always during normal operation; the idea behind that pin is it will be low right when the device is first turned on, to keep random glitches on the power/data/etc. lines, which could possibly match a data-write or erase operation, from damaging anything while the power is still coming up and the CPU is still booting.
    The WR line on this type of chip isn't helpful either, as it indicates writing a command to the chip (not necessarily a data write); this will also show activity even when 'writing' a Read command.
So you're saying that the WR line is also used to write addresses to some of the address registers?
In that case, find out what address is on the main address lines while mapped address registers are being written to. Then make some logic that senses for a write at an address other than the register addresses.
Or maybe put a Jessica Simpson microcontroller between the board and Flash to do a "man in the middle" attack. I'm not sure how fast the memory accesses are, though. An FPGA may be necessary to handle the speeds involved. Even that may introduce enough delay to mess it up.
Or what about finding a way to use a CF card instead of the original Flash, so if you mess it up, you can just put it into the reader and write a good image?

radarman
Joined: 01 Jul 2005
Posts: 1538
Location: is everything
Posted: Tue Sep 20, 2005 3:15 am

Actually, I had something slightly less invasive than a "man in the middle" attack planned.
I plan on sniffing the data from the flash. Remember, FLASH memories are block devices. This is why you can't just use the WE line. You write to the memory the address you want (or control operation you want), and the host controller on the flash will either buffer up your writes, or start sending out your reads. The flash memory on these parts is 512 bytes per block.
It is fairly easy to follow reads from the flash, because the host controller must strobe the RE line for each byte received. Thus, the RE line can be used to "clock" the data into a third-party receiver.
So, I plan on designing an FPGA which will count the number of write enables, then trigger a FIFO to start capturing the USP.BIN as it is being read out of the flash. This will require some experimentation to know where to set the trigger, but is perfectly safe.
I already have the basic blocks for the project sketched out - UART, control logic, FIFO, etc. I even have my FPGA board - I just don't have a Byteblaster cable yet! (It's pretty simple, so I can probably build it at home with veroboard.)
With this, I can simply extract the C/R pair from the datastream, then go in later and change it to something more amenable to automated tools, like all zeros. (Or at least identical data.)

Corscaria
Joined: 08 Jul 2005
Posts: 441
Posted: Tue Sep 20, 2005 6:51 am

Instead of counting the cycles, couldn't you sniff for the magic of the USP.BIN and start your recording when that triggers it? Throw in up to 9 bytes following the magic for increased likelihood of finding an accurate match. It'd be much more accurate than counting cycles, and would survive future firmware changes more robustly.
Not sure how complex this would be to implement in an FPGA, never worked with them, but it seems to me using the magic and up to 9 bytes following might be just as easy to implement. And definitely more adaptable.
_________________
how does a hatrack cope with suddenly becoming human?

radarman
Joined: 01 Jul 2005
Posts: 1538
Location: is everything
Posted: Tue Sep 20, 2005 2:30 pm

Damn, great minds must think alike. I was thinking about entering the serial number through the serial port, then having it scan incoming frames for it - keeping the first frame that it found it in.
Interestingly enough, you don't need a processor to use a serial port. A state machine can do the job quite nicely.

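A software model of the two trigger schemes argued over in the three posts above (radarman's "count the write enables" trigger, Corscaria's "match the magic" trigger, and radarman's variant of loading the match pattern from the serial port), as an added example; it is not code from the thread and not anyone's FPGA design. The sniffer sees a stream of (strobe, value) events off the flash pins: "WE" when the host strobes a command or address byte in, "RE" when it strobes a data byte out, exactly the clocking radarman describes. The page-read shape (one command byte plus three address bytes under WE, then 512 data bytes under RE), the boot sequence, the filler pages and the USP.BIN magic value are all constructed for the demo; the thread gives none of them.

```python
MAGIC = b"USP\x00\x01\x00"  # placeholder: the real USP.BIN magic is not given in the thread
PAGE = 512                  # bytes per flash page, as radarman states


class CountTrigger:
    """Arm after `we_count` WE# strobes, then capture the next `length` RE# bytes."""

    def __init__(self, we_count, length):
        self.we_count, self.length = we_count, length
        self.seen_we, self.buf, self.done = 0, bytearray(), None

    def feed(self, strobe, value):
        if self.done is not None:
            return self.done
        if strobe == "WE":
            self.seen_we += 1
        elif strobe == "RE" and self.seen_we >= self.we_count:
            self.buf.append(value)
            if len(self.buf) == self.length:
                self.done = bytes(self.buf)
        return self.done


class MagicTrigger:
    """Arm when the last len(magic) RE# bytes equal `magic` (a shift register plus a
    comparator in hardware); keep those bytes and capture up to `length`.  Loading a
    different `magic` (e.g. a serial number typed in over the UART) needs no other change."""

    def __init__(self, magic, length):
        self.magic, self.length = magic, length
        self.window, self.buf, self.done = bytearray(), None, None

    def feed(self, strobe, value):
        if self.done is not None or strobe != "RE":
            return self.done           # WE# strobes carry commands/addresses, not payload
        if self.buf is None:
            self.window.append(value)
            del self.window[:-len(self.magic)]      # sliding window of the last N data bytes
            if bytes(self.window) == self.magic:
                self.buf = bytearray(self.window)   # the match itself starts the capture
        else:
            self.buf.append(value)
        if self.buf is not None and len(self.buf) >= self.length:
            self.done = bytes(self.buf[:self.length])
        return self.done


def read_page(data):
    """Constructed page read: command + 3 address bytes under WE#, then data under RE#."""
    return [("WE", 0x00)] * 4 + [("RE", b) for b in data]


def boot_trace(usp_page, extra_pages_before=0):
    """Constructed boot: some firmware pages, then the page holding USP.BIN.
    `extra_pages_before` models a firmware update that reads more pages first."""
    filler = bytes(range(256)) * (PAGE // 256)   # contains no MAGIC
    pages = [filler] * (2 + extra_pages_before) + [usp_page]
    return [ev for p in pages for ev in read_page(p)]


def run(trigger, events):
    for strobe, value in events:
        out = trigger.feed(strobe, value)
        if out is not None:
            return out
    return None


def demo():
    """Did each trigger capture the USP.BIN page, with and without a firmware change?"""
    usp = MAGIC + b"\x5a" * (PAGE - len(MAGIC))
    results = {}
    for extra in (0, 1):
        trace = boot_trace(usp, extra)
        results[("count", extra)] = run(CountTrigger(12, PAGE), trace) == usp
        results[("magic", extra)] = run(MagicTrigger(MAGIC, PAGE), trace) == usp
    return results


if __name__ == "__main__":
    for (kind, extra), ok in sorted(demo().items()):
        print("%-5s trigger, %d extra page(s) before USP.BIN: %s" % (kind, extra, "captured" if ok else "missed"))
```

With the constructed trace the count trigger (tuned to 12 WE# strobes) captures the right page only for the boot sequence it was tuned on; insert one extra page read before USP.BIN and it captures filler. The magic trigger captures the right page in both cases and returns nothing at all when the pattern never appears, which is the robustness Corscaria is after. The cost in an FPGA is a len(magic)-byte shift register and a comparator, and there is a real limit on the other side: a pattern that also occurs in ordinary firmware pages arms the capture early, which is why extending the match by a few bytes past the magic, as Corscaria suggests, is worth the logic.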
brite_eye
Joined: 14 Apr 2005
Posts: 2518
Location: In my dreams higher than a kite as a wingsuit flyer
Posted: Wed Apr 25, 2007 9:55 am

CVSfan wrote:
    Got dismipper to run under cygwin, two files needed patching to work around some stack corruption and other memory issues (diff with original to see changes): pass_one.c and sections.c. Hopefully the output is accurate ...
    To compile under cygwin (as pure-analog discovered, needs no-cygwin):
    $ gcc -mno-cygwin -o dismipper *.c
    And for reference:
    - Get camcorder firmware by using Ops' Download Memory button:
      Start Location=200043008 and Length=1283583; save as firmware.o
    - Using objdump built to understand MIPS, generate firmware.hd:
      $ objdump-mips -w -f -h -D -M reg-names=r3000 firmware.o > firmware.hd
      [To build objdump for MIPS, get the GNU binutils package (I got VER 2.16.1). Extract and configure (./configure --target=mips), type make and then find the binary in binutils/objdump.exe ... rename to objdump-mips]
    - Generate the re-disassembly:
      $ dismipper > firmware.lst
The links to CVSfan's pass_one and sections no longer work. Would someone please repost those changes.

Amyn
Joined: 24 Jul 2006
Posts: 1440
Location: Trying to grab onto the wingsuit flyer after ripping an aquamarine parachute.
Posted: Wed Apr 25, 2007 11:30 pm

Why don't you do it...
_________________
I'm a geek. With aptitude.

brite_eye
Joined: 14 Apr 2005
Posts: 2518
Location: In my dreams higher than a kite as a wingsuit flyer
Posted: Thu Apr 26, 2007 11:59 am

I never downloaded CVSfan's changes.

brite_eye
Joined: 14 Apr 2005
Posts: 2518
Location: In my dreams higher than a kite as a wingsuit flyer
Posted: Wed May 16, 2007 2:53 am

CVSfan wrote:
More firmware.comment updates:
Code:
////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////
// Added by CVSfan
function=0x80005a20,"v0=number of videos recorded (*0x8013df00,w)"
function=0x80005af4,"v0=remaining memory (*0x8012e844,w)"
function=0x80005b00,"v0=recording secs. remaining from hard-limit"
function=0x80005b40,"v0=recording secs. remaining from soft-limit"
function=0x80005b80,"v0=recording secs. used"
function=0x80005b8c,"camcorderFull? (v0=1:yes, 0:no)" // *0x80005b40<3 or *0x8013df00 < *0x80140138 or 99999 < *0x8012e844
function=0x800069f4,"v0=image width (*0x8014013e,h)"
function=0x80006a0c,"v0=image height (*0x80140140,h)"
function=0x80006a24,"v0=image FPS (*0x8014013a,b)"
//var=0x801184e0,"?"
function=0x800046b8,"?v0=*0x8013dee8,w ; if a0!=0 copies 5 bytes starting at 0x801184e0 into *a0"
function=0x800069bc,"v0=(*0x8014012c,b == 3)" // Logic is: v0 = ((*0x8014012c,b ^ 3) < 1)? 1 : 0
function=0x80001b9c,"v0=*0x801407e8,b"
function=0x80001ba8,"*0x801407e8,b=1"
function=0x80001bb8,"*0x801407e8,b=0"
function=0x80001bc4,"does nothing"
function=0x80002ab0,"does nothing"
function=0x80006a94,"does nothing"
var=0x8012fd94,"unknown"
function=0x8004667c,"v0 = *0x8012fd94"
function=0x80006288,"v0=*0x8013ff1e,b"
function=0x80006294,"*0x8013ff1c,b=1"
function=0x800069dc,"v0=*0x80140134,b <- USP.BIN:0x1be(0)"
function=0x800064fc,"v0=*0x8013ff08,b"
function=0x80006508,"v0=*0x8013ff0c,b"
function=0x80006514,"v0=*0x8013ff09,b"
function=0x80006520,"v0=*0x8013ff0a,b"
function=0x8000652c,"v0=*0x8013ff0b,b"
function=0x80006538,"v0=*0x8013ff10,w"
function=0x8000695c,"*0x80140142|=1,b <- USP.BIN:0x1cc"
function=0x80006974,"*0x80140142&=0xfe,b <- USP.BIN:0x1cc"
function=0x8000699c,"*0x8014012c,b=1 <- USP.BIN:0x1b6"
function=0x80006d2c,"*0x8013ff64,w=0;*0x8013ff68,w=0"
function=0x80006d40,"*0x8013ff6c,w=*0x8013ff18,w"
function=0x80006d54,"*0x8013ff6c,w=0"
function=0x80006d60,"*0x8013ff18,w=0"
function=0x80006d6c,"*0x8013ff6c,w|=(1<<a0)"
function=0x80006d8c,"*0x8013ff18,w|=(1<<a0)"
function=0x8002a3a8,"*0x8012fd78,b=a0"
function=0x80008fb0,"*0x801407dc,w=0;*0x801407e0,w=0"
function=0x80008fc4,"*0x801407dc,w++; a0=1;goto 0x80027350"
function=0x80008ff0,"v0=*0x801407dc,w&0x1"
function=0x80009000,"v0=*0x801407dc,w&0x1"
function=0x800090e0,"v0=*0x801407e0,w"
function=0x800261cc,"displayJPEG(a0=?,a1=filename_str,a2=x?,a3=y?,16(sp)=width,20(sp)=height)"
function=0x80029bec,"drawGraphicOnScreen()"
function=0x801098d0,"v0=a0;strcat(a0=str,a1=str1)"
function=0x80108edc,"v0=strcmp(a0=str1,a1=str2)"
function=0x80109924,"v0=strncmp(a0=str1,a1=str2,a2=count)"
function=0x80109980,"v0=a0;strncpy(a0=dst,a1=src,a2=count)"
function=0x80108f18,"v0=a0;strcpy(a0=dst,a1=src)"
function=0x80002a00,"v0=0x0"
function=0x80002a70,"?debug level (or not), v0=0x24"
function=0x80002ab8,"v0=0x0"
function=0x80002ac0,"v0=0x1f4(500)"
function=0x80002ac8,"v0=0x0"
function=0x80002ad0,"sets a0=0 and jumps to 0x800262c4"
function=0x80002ae8,"v0=0xffff"
function=0x80002af0,"v0=0x4"
function=0x80002af8,"v0=0x7d0(2000)"
function=0x80002b00,"v0=0x0"
function=0x80002b08,"v0=0xc80(3200)"
function=0x80002b10,"*0x8013ff74,b=1"
function=0x80108080,"v0=a0&0xfffffffc"
function=0x80108044,"unknown"
//function=,"v0=0x"
// USP.BIN stuff - file offset starting at 0x1aa
// 80140120h: 6C 0F 00 03 00 01 15 03 01 01 01 FF 00 00 00 00
// 80140130h: 14 00 00 00 00 60 7F 00 62 09 1E 00 86 00 80 02
// 80140140h: E0 01 00 00 00 1E 06 00 20 04 14 50 78 28 32 00
// 80140150h: B4 01 04 01 04 00 0A 10 10 5C 08 0A 00 00 00 00
var=0x80140120,"b- -USP.BIN:0x1aa(0x6c)"
var=0x80140121,"b- -USP.BIN:0x1ab(0xf)"
var=0x80140122,"b- -USP.BIN:0x1ac(0x0)"
var=0x80140123,"b- -USP.BIN:0x1ad(0x3)"
var=0x80140124,"b- -USP.BIN:0x1ae(0x0)"
var=0x80140125,"b- -USP.BIN:0x1af(0x1)"
var=0x80140126,"b- -USP.BIN:0x1b0(0x15)"
var=0x80140127,"b- -USP.BIN:0x1b1(0x3)"
var=0x80140128,"b- -USP.BIN:0x1b2(0x1)"
var=0x80140129,"b- -USP.BIN:0x1b3(0x1)"
var=0x8014012a,"b- -USP.BIN:0x1b4(0x1)"
var=0x8014012b,"b- -USP.BIN:0x1b5(0xff)"
var=0x8014012c,"b- -USP.BIN:0x1b6(0x0)"
var=0x8014012d,"b- -USP.BIN:0x1b7(0x0)"
var=0x8014012e,"b- -USP.BIN:0x1b8(0x0)"
var=0x8014012f,"b- -USP.BIN:0x1b9(0x0)"
var=0x80140130,"b- -USP.BIN:0x1ba(0x14)"
var=0x80140131,"b- -USP.BIN:0x1bb(0x0)"
var=0x80140132,"b- -USP.BIN:0x1bc(0x0)"
var=0x80140133,"b- -USP.BIN:0x1bd(0x0)"
var=0x80140134,"b- -USP.BIN:0x1be(0x0)"
var=0x80140135,"b- -USP.BIN:0x1bf(0x60)"
var=0x80140136,"h- -USP.BIN:0x1c0/1(0x007f)"
var=0x80140138,"b- Max files to record -USP.BIN:0x1c2(0x62)"
var=0x80140139,"b- Soft-limit (mins.) -USP.BIN:0x1c3(0x14)"
var=0x8014013a,"b- recording FPS -USP.BIN:0x1c4(0x1e)"
var=0x8014013b,"b- -USP.BIN:0x1c5(0x0)"
var=0x8014013c,"b- -USP.BIN:0x1c6(0x86)"
var=0x8014013d,"b- -USP.BIN:0x1c7(0x0)"
var=0x8014013e,"h- image width from -USP.BIN:0x1c8/9(*)"
var=0x80140140,"h- image height from -USP.BIN:0x1ca/b(*)"
var=0x80140142,"b- -USP.BIN:0x1cc(0x0)"
var=0x80140143,"b- -USP.BIN:0x1cd(0x0)"
var=0x80140144,"b- -USP.BIN:0x1ce(0x0)"
var=0x80140145,"b- -USP.BIN:0x1cf(0x1e)"
var=0x80140146,"b- -USP.BIN:0x1d0(0x6)"
var=0x80140147,"b- Hard-limit (mins.) -USP.BIN:0x1d1(0x19)"
var=0x80140148,"b- -USP.BIN:0x1d2(0x20)"
var=0x80140149,"b- -USP.BIN:0x1d3(0x4)"
var=0x8014014a,"b- -USP.BIN:0x1d4(0x14)"
var=0x8014014b,"b- -USP.BIN:0x1d5(0x50)"
var=0x8014014c,"b- -USP.BIN:0x1d6(0x78)"
var=0x8014014d,"b- -USP.BIN:0x1d7(0x28)"
var=0x8014014e,"b- -USP.BIN:0x1d8(0x32)"
var=0x8014014f,"b- -USP.BIN:0x1d9(0x0)"
var=0x80140150,"b- -USP.BIN:0x1da(0xb4)"
var=0x80140151,"b- -USP.BIN:0x1db(0x1)"
var=0x80140152,"b- -USP.BIN:0x1dc(0x4)"
var=0x80140153,"b- -USP.BIN:0x1dd(0x1)"
var=0x80140154,"b- -USP.BIN:0x1de(0x4)"
var=0x80140155,"b- -USP.BIN:0x1df(0x0)"
var=0x80140156,"b- -USP.BIN:0x1e0(0xa)"
var=0x80140157,"b- -USP.BIN:0x1e1(0x10)"
var=0x80140158,"b- -USP.BIN:0x1e2(0x10)"
var=0x80140159,"b- -USP.BIN:0x1e3(0x5c)"
var=0x8014015a,"b- -USP.BIN:0x1e4(0x8)"
var=0x8014015b,"b- -USP.BIN:0x1e5(0xa)"
var=0x8014031c,""
var=0x80140320,""
///////////////////////////////////////
function=0x800058b4,"?v0=determine recorded file space or time usage"
function=0x80005f64,"?initVideos()"
function=0x80005fb4,"Something related to recording stat??"
function=0x800060ec,"Something related to recording file??"
function=0x80009c60,"v0=statfileRecDel()"
function=0x80005cb8,"?initVideoParams()"
var=0x8012e840,"h- Total recorded secs."
var=0x8012e844,"w- Total free memory available for recordings"
var=0x8013df00,"w- Total files recorded and last recorded video number - 2148785920"
var=0x8013df04,"w- Total files recorded2" // Updated after statfile.txt log entry (REC/DEL) added
var=0x8013df08,"a- savedVideos[]: struct vidEntry {char aviName[13]; byte pad[3]; word size; half time(hour:5,minutes:6,secs:5); half date(year:7,month:4,day:5);}"
//| hour : minutes : secs/2 |
//|. . . . .:. . .|. . .:. . . . . |time
//| year-1980 : month : days |
//|. . . . . . .:.|. . .:. . . . . |date
var=0x80138fc0,"w- copy of 0x80140154 (0x00000004)"
var=0x80138fd4,"w- copy of 0x8014014e (0x00000032)"
var=0x80134d18,"w- copy of 0x80140148<<16 (0x00200000)"
var=0x80138fd0,"b- Copy of FPS?"
var=0x80138fc4,"b- something related to FPS: =0xdf at 24fps, =0x4f everything else"
// 0x8013df08- 50 49 43 54 30 30 30 31 2E 41 56 49 00 00 20 00 |F0 92 0C 00 |0F 6B |26 33
note=0x80009d24,"a0 = DEL or REC"
note=0x80009d2c,"a1 = vid# (*0x8013df00)"
note=0x80009d98,"s0 = 0x8013df18 + sizeof(struct vidEntry) * vid#"
note=0x80009de4," vid YYYY MM DD HH MM SS"
note=0x80009e20,"s3 contains original a0 from caller"
note=0x80009e24,"'R' special output for REC"
var=0x8013F708,"?vidParams[]: struct vidParam { byte ?; byte fps; half frames; half ?; half ?; } - 2148792072"
note=0x80009e38,"v1 = 0x8013F708 + sizeof(struct vidParam) * vid# ; s1 = 0x8013dee8"
note=0x80009e3c,"v0 = same as v1 above"
note=0x80009e40,"vid# frames"
note=0x80009e44,"vid# size"
note=0x80009e48,"vid# ???"
note=0x80009e4c,"vid# fps"
note=0x80009e60," a2 a3 a0 v0"
function=0x80009b4c, "?close statfile.txt and *0x801407e4=0"
function=0x80009c20, "?create statfile.txt if it doesn't exist"
function=0x8002d674, "fopen(a0=filename_str,a1=mode[0:read,1:write])"
function=0x8002d830, "fwrite(a0=fd, a1=buf, a2=len)"
function=0x8002d7a0, "?fclose(a0=fd)"
// Button and/or "command" word
function=0x80006dac,"v0=((*0x8013ff6c,w&(1<<a0))>0)"
function=0x80006dc8,"v0=((*0x8013ff6c,w&(1<<0))>0)"
function=0x80006de4,"v0=((*0x8013ff6c,w&(1<<5))>0)"
function=0x80006e00,"v0=((*0x8013ff6c,w&(1<<7))>0)"
function=0x80006e1c,"v0=((*0x8013ff6c,w&(1<<1))>0)"
function=0x80006e38,"v0=((*0x8013ff6c,w&(1<<2))>0)"
function=0x80006e54,"v0=((*0x8013ff6c,w&(1<<3))>0)"
function=0x80006e70,"v0=((*0x8013ff6c,w&(1<<4))>0)"
function=0x80006e8c,"v0=((*0x8013ff6c,w&(1<<9))>0)"
function=0x80006ea8,"v0=((*0x8013ff6c,w&(1<<8))>0)"
function=0x80006ec4,"v0=((*0x8013ff6c,w&(1<<10))>0)"
function=0x80006ee0,"v0=((*0x8013ff6c,w&(1<<6))>0)"
function=0x80006f8c,"v0=((*0x8013ff6c,w&0x3ff)>0)" // any bits (0-10) set in 0x8013ff6c
var=0x8013ff6c,"w, ?buttons bitfield? 1:power?, 2:del, 4:rec, 8:play"
var=0x801407e4,"statfile.txt fd" // - temp stor fd
function=0x80005cb8,"?save video"
function=0x800059cc,"?delete video"
function=0x80003c88,"?display videos saved"
// Main loop command processing
var=0x8013dee8,"index to state process" // less than 20
// State: 0 -> 7 -> 1
var=0x8013deec,"previous state"
note=0x80004750,"dispatch based on index in 0x8013dee8"
note=0x80118500,"idx 0: 0x80004758 initialization"
note=0x80118504,"idx 1: 0x800047cc power-up phase 2, logo screen"
note=0x80118508,"idx 2: 0x800049e8 record"
note=0x8011850c,"idx 3: 0x80004ac0 beeps and goes to Ready screen"
note=0x80118510,"idx 4: 0x80004b1c playback"
note=0x80118514,"idx 5: 0x800052a8 removes text from display, locked keys, power off works"
note=0x80118518,"idx 6: 0x80005188 shutdown"
note=0x8011851c,"idx 7: 0x80004778 power-up phase 1, splash screen"
note=0x80118520,"idx 8: 0x800049b4 4-sec delay, hard shutdown"
note=0x80118524,"idx 9: 0x80004cb4 delete video"
note=0x80118528,"idx 10: 0x80004f4c mount media" // wl 8013dee8 0xa
note=0x8011852c,"idx 11: 0x80004fb4 ?camcorder empty"
note=0x80118530,"idx 12: 0x80005018 ?camcorder empty"
note=0x80118534,"idx 13: 0x80004e38 display video deleted"
note=0x80118538,"idx 14: 0x80004ec0 3-sec delay, the screen redraw"
note=0x8011853c,"idx 15: 0x8000507c ?camcorder full"
note=0x80118540,"idx 16: 0x80004c64 ?screen redraw"
note=0x80118544,"idx 17: 0x80005258 ?hard powerdown"
note=0x80118548,"idx 18: 0x80005138 ?locked keys; power off works"
note=0x8011854c,"idx 19: 0x80005154 processed camera"
// The following seem to be related to USB Mass Storage
function=0x80007058,"v0=*0x8013ff58,b"
function=0x80007064,"*0x8013ff58,b=0;*0x8013ff5c,w=0"
function=0x80007078,"if *0x8013ff58,b==0 then {*0x8013ff5c,w=0;*0x8013ff58,b=1;call ?????}"
function=0x800070bc,"?do something that sets media mode"
// 0x8013ff58,b == 1
// 0x8013ff5c,w == 100-1
// General sound play routines
function=0x80026674,"playWav(a0=?,a1=wavfile_str)"
function=0x80006abc,"playSoundAtIndex(a0=index)" // a0 must be less than 18
note=0x800047b4,"[7]Sound1.wav"
note=0x8000483c,"[3]Sound0.wav"
note=0x800049fc,"[2]Sound0.wav"
note=0x80004b50,"[4]Sound0.wav"
note=0x80004ce8,"[9]Sound0.wav"
note=0x80004e7c,"[13]Sound8.wav"
note=0x80004fc8,"[11]Sound0.wav"
note=0x8000502c,"[12]Sound0.wav"
note=0x8000522c,"[6]Sound2.wav"
note=0x80118610,"idx 0: 0x80006b58 none"
note=0x80118614,"idx 1: 0x80006b58 none"
note=0x80118618,"idx 2: 0x80006b20 Sound0.wav"
note=0x8011861c,"idx 3: 0x80006b20 Sound0.wav"
note=0x80118620,"idx 4: 0x80006b20 Sound0.wav"
note=0x80118624,"idx 5: 0x80006b04 Sound8.wav"
note=0x80118628,"idx 6: 0x80006b3c Sound2.wav"
note=0x8011862c,"idx 7: 0x80006ae8 Sound1.wav - power-up"
note=0x80118630,"idx 8: 0x80006b58 none"
note=0x80118634,"idx 9: 0x80006b20 Sound0.wav"
note=0x80118638,"idx 10: 0x80006b58 none"
note=0x8011863c,"idx 11: 0x80006b20 Sound0.wav"
note=0x80118640,"idx 12: 0x80006b20 Sound0.wav"
note=0x80118644,"idx 13: 0x80006b04 Sound8.wav"
note=0x80118648,"idx 14: 0x80006b58 none"
note=0x8011864c,"idx 15: 0x80006b58 none"
note=0x80118650,"idx 16: 0x80006b20 Sound0.wav"
note=0x80118654,"idx 17: 0x80006b58 none"
function=0x800071dc,"?always called after playWav()"
// ZBM related stuff
function=0x80002dbc,"?displayZBM(a0=index,a1=x,a2=y,a3=width,16sp=height) - prepare to display .zbm. a0=index to zbm string array"
function=0x80002e14,"?initZBM() - initialize zbm array"
note=0x800030c4,"v0 = 0x8014099c"
note=0x80003114,"s0 = 0x801409a0"
var=0x8014099c,"?zbmList[]: struct zbmEntry { word ?filePtr; word fileName; }"
note=0x801409a0,"idx 00: 0x801180d0 'StatTimer-0'"
note=0x801409a8,"idx 01: 0x801180dc 'StatTimer-1'"
note=0x801409b0,"idx 02: 0x801180e8 'StatTimer-2'"
note=0x801409b8,"idx 03: 0x801180f4 'StatTimer-3'"
note=0x801409c0,"idx 04: 0x80118100 'StatTimer-4'"
note=0x801409c8,"idx 05: 0x8011810c 'StatTimer-5'"
note=0x801409d0,"idx 06: 0x80118118 'StatTimer-6'"
note=0x801409d8,"idx 07: 0x80118124 'StatTimer-7'"
note=0x801409e0,"idx 08: 0x80118130 'StatTimer-8'"
note=0x801409e8,"idx 09: 0x8011813c 'StatTimer-9'"
note=0x801409f0,"idx 10: 0x80118148 'PlayTimer-0'"
note=0x801409f8,"idx 11: 0x80118154 'PlayTimer-1'"
note=0x80140a00,"idx 12: 0x80118160 'PlayTimer-2'"
note=0x80140a08,"idx 13: 0x8011816c 'PlayTimer-3'"
note=0x80140a10,"idx 14: 0x80118178 'PlayTimer-4'"
note=0x80140a18,"idx 15: 0x80118184 'PlayTimer-5'"
note=0x80140a20,"idx 16: 0x80118190 'PlayTimer-6'"
note=0x80140a28,"idx 17: 0x8011819c 'PlayTimer-7'"
note=0x80140a30,"idx 18: 0x801181a8 'PlayTimer-8'"
note=0x80140a38,"idx 19: 0x801181b4 'PlayTimer-9'"
note=0x80140a40,"idx 20: 0x801181c0 'Rec-Timer-0'"
note=0x80140a48,"idx 21: 0x801181cc 'Rec-Timer-1'"
note=0x80140a50,"idx 22: 0x801181d8 'Rec-Timer-2'"
note=0x80140a58,"idx 23: 0x801181e4 'Rec-Timer-3'"
note=0x80140a60,"idx 24: 0x801181f0 'Rec-Timer-4'"
note=0x80140a68,"idx 25: 0x801181fc 'Rec-Timer-5'"
note=0x80140a70,"idx 26: 0x80118208 'Rec-Timer-6'"
note=0x80140a78,"idx 27: 0x80118214 'Rec-Timer-7'"
note=0x80140a80,"idx 28: 0x80118220 'Rec-Timer-8'"
note=0x80140a88,"idx 29: 0x8011822c 'Rec-Timer-9'"
note=0x80140a90,"idx 30: 0x80118238 'BattLevel0'"
note=0x80140a98,"idx 31: 0x80118244 'BattLevel1'"
note=0x80140aa0,"idx 32: 0x80118250 'BattLevel2'"
note=0x80140aa8,"idx 33: 0x8011825c 'BattLevel3'"
note=0x80140ab0,"idx 34: 0x80118268 'BattLevelE'"
note=0x80140ab8,"idx 35: 0x80118274 'Blank'"
note=0x80140ac0,"idx 36: 0x8011827c 'Deleted'"
note=0x80140ac8,"idx 37: 0x80118284 'NotDeleted'"
note=0x80140ad0,"idx 38: 0x80118290 'CamEmpty'"
note=0x80140ad8,"idx 39: 0x8011829c 'CamFull'"
note=0x80140ae0,"idx 40: 0x801182a4 'Rec0000'"
note=0x80140ae8,"idx 41: 0x801182ac 'Colon'"
note=0x80140af0,"idx 42: 0x801182b4 'StatTimer-Colon'"
note=0x80140af8,"idx 43: 0x801182c4 'PlayTimer-Colon'"
note=0x80140b00,"idx 44: 0x801182d4 'Rec-Timer-Colon'"
note=0x80140b08,"idx 45: 0x801182e4 'Video-Number'"
note=0x80140b10,"idx 46: 0x801182f4 'Video-Length'"
note=0x80140b18,"idx 47: 0x80118304 'Ready'"
note=0x80140b20,"idx 48: 0x8011830c 'Clear'"
note=0x80140b28,"idx 49: 0x80118314 'Record'"
note=0x80140b30,"idx 50: 0x8011831c 'Play'"
note=0x80140b38,"idx 51: 0x80118324 'Delete-Video'"
note=0x80140b40,"idx 52: 0x80118334 'CamProce'"
note=0x80140b48,"idx 53: 0x80118340 'Processed'"
note=0x80140b50,"idx 54: 0x8011834c 'redcolon'"
note=0x80140b58,"idx 55: 0x80118358 'StatTimer-E'"
note=0x80140b60,"idx 56: 0x80118364 'StatusBarText'"
note=0x80140b68,"idx 57: 0x80118374 'Videos-Saved'"
function=0x8000396c,"?displayMsgFromState()"
function=0x80003a5c,"?displayStatusTime(a0=S,a1=s,a2=M,a3=m) mM:sS"
function=0x80003bcc,"?displayTime(a0=S,a1=s,a2=M,a3=m) mM:sS"
function=0x80003c88,"?displayVideosSaved()"
function=0x80003dc0,"?displayVideoLength()?"
function=0x80003fc4,"?displayMsgFromArg()?"
function=0x800036bc,"?displayBatteryLevel"
note=0x800036dc,"v0=0x80026a20(a0=78,a1=sp+24) returns 0"
function=0x80026a20,"?v0=0; *a1=0x80028fd8(a0&=0xffff)"
function=0x80008f60,"?v0=0x80026a20(a0=?)"
function=0x80008f88,"?v0=0x80026a20(a0=?)"
function=0x80028fd8,"?v0=0x8002863c(a0&=0xffff)&0xffff"
function=0x8002863c,"?process operations based on a0"
var=0x8012f64c,"?unknown"
function=0x800fa4b0,"?"
//
function=0x800058e8,"?Determine recording/compression rates"
var=0x80138fe8, "w- ?recording/compression rate based on image size - 2148765672"
var=0x80138fec, "w- ?recording/compression rate based on FPS and soft-limit"
// 00138fe8: 4E 00 00 00 1E 00 00 00 (default camera)
//         : 8E 00 00 00 36 00 00 00 (9 minutes, 640x480)
//         : 9E 00 00 00 3C 00 00 00 (10 minutes, 640x480)
//         : 3E 01 00 00 78 00 00 00 (20 minutes, 640x480)
//         : 02 01 00 00 61 00 00 00 (60 minutes, 640x480, 0x1c0=1)
//         : F0 04 00 00 DA 01 00 00 (60 minutes, 640x480, 0x1c0=1, 0x1bf=1)
//         : 2A 00 00 00 10 00 00 00 (255 mins, 640x480, 0x1c0=7f, 0x1bf=1)
var=0x80143104,"?some kind of table"
var=0x8014318c,"b- pcb version num.; 0xff for pre-B3"
word=0xb000800c,"?HWIO:"
word=0xb0010140,"?HWIO:"
word=0xb0010144,"?HWIO:"
word=0xb001014c,"?HWIO:"
word=0xb0010150,"?HWIO:"
word=0xb0010160,"?HWIO:"
word=0xb0010164,"?HWIO:"
word=0xb0010168,"?HWIO:"
word=0xb0010170,"?HWIO:"
word=0xb0802020,"?HWIO:"
word=0xb0802024,"?HWIO:"
word=0xb0802040,"?HWIO:"
word=0xb2002098,"?HWIO:"
word=0xb8000098,"?HWIO:"
word=0xb80000ac,"?HWIO:"
word=0xb80000b4,"?HWIO:"
word=0xb8000140,"?HWIO:"
word=0xb8000144,"?HWIO:"
word=0xb8000148,"?HWIO:"
word=0xb800200c,"?HWIO:"
word=0xb9000048,"?HWIO:"
word=0xb9000140,"?HWIO:"
word=0xb9000290,"?HWIO:"
word=0xba000000,"?HWIO:"
word=0xba000004,"?HWIO:"
word=0xba00000c,"?HWIO:"
word=0xba000010,"?HWIO:"
word=0xba000014,"?HWIO:"
word=0xba000018,"?HWIO:"
word=0xba000020,"?HWIO:"
word=0xba000024,"?HWIO:"
word=0xba000028,"?HWIO:"
word=0xbb000000,"?HWIO:"
word=0xbb000008,"?HWIO:"
word=0xbb00028c,"?HWIO:"
word=0xbb000300,"?HWIO:"
word=0xbc000000,"?HWIO:"
word=0xbc000008,"?HWIO:"
word=0xbc00000c,"?HWIO:"
word=0xbc000010,"?HWIO:"
word=0xbc000014,"?HWIO:"
word=0xbc000018,"?HWIO:"
word=0xbc00001c,"?HWIO:"
word=0xbc000020,"?HWIO:"
word=0xbc000024,"?HWIO:"
word=0xbc000028,"?HWIO:"
word=0xbc00002c,"?HWIO:"
word=0xbc000030,"?HWIO:"
word=0xbc000034,"?HWIO:"
word=0xbc000038,"?HWIO:"
word=0xbc00003c,"?HWIO:"
word=0xbc00006c,"?HWIO:"
word=0xbc000070,"?HWIO:"
word=0xbc000074,"?HWIO:"
word=0xbc000078,"?HWIO:"
word=0xbc00007c,"?HWIO:"
word=0xbc0000cc,"?HWIO:"
word=0xbc0000d0,"?HWIO:"
word=0xbc0000d4,"?HWIO:"
word=0xbc0000d8,"?HWIO:"

Great work, CVSfan: your documentation on states 0-19 has saved me a bunch of time.

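The savedVideos[] record layout and the sample bytes CVSfan dumped at 0x8013df08 in the comment file above, decoded as an added example (not CVSfan's code and not part of the thread). It takes the struct from the comment line for 0x8013df08 and the bit layout from the ASCII diagram under it (seconds stored halved, year relative to 1980, the FAT timestamp packing); the only assumption is little-endian field order, which follows from the image being elf32-littlemips. `build_entry` and `plausible` are additions for writing a patched table back and for rejecting bitfield values that cannot be real.

```python
import struct

# Record layout from the comment file (little-endian, elf32-littlemips):
#   char aviName[13]; byte pad[3]; word size;
#   half time(hour:5, minutes:6, secs/2:5); half date(year-1980:7, month:4, day:5)
VID_ENTRY = struct.Struct("<13s3sIHH")
assert VID_ENTRY.size == 24

# Sample record: the bytes CVSfan dumped at 0x8013df08 (from the comment above).
SAMPLE_ENTRY = bytes.fromhex(
    "50 49 43 54 30 30 30 31 2E 41 56 49 00 00 20 00 "
    "F0 92 0C 00 0F 6B 26 33")


def decode_time(t):
    """FAT-style packed time -> (hour, minute, second)."""
    return (t >> 11) & 0x1F, (t >> 5) & 0x3F, (t & 0x1F) * 2


def decode_date(d):
    """FAT-style packed date -> (year, month, day)."""
    return 1980 + ((d >> 9) & 0x7F), (d >> 5) & 0x0F, d & 0x1F


def encode_time(h, m, s):
    return (h << 11) | (m << 5) | (s // 2)


def encode_date(y, mo, d):
    return ((y - 1980) << 9) | (mo << 5) | d


def parse_entry(raw):
    """Decode one 24-byte vidEntry; the name is NUL-terminated inside its 13 bytes."""
    name, _pad, size, t, d = VID_ENTRY.unpack(raw)
    name = name.split(b"\0", 1)[0].decode("ascii", "replace")
    return {"name": name, "size": size, "time": decode_time(t), "date": decode_date(d)}


def build_entry(name, size, time, date):
    """Inverse of parse_entry (added helper): pack a record for writing a patched table back."""
    return VID_ENTRY.pack(name.encode("ascii").ljust(13, b"\0"), b"\0\0\0", size,
                          encode_time(*time), encode_date(*date))


def parse_table(blob, count):
    """Read `count` consecutive entries; the firmware indexes this table by vid#."""
    return [parse_entry(blob[i * VID_ENTRY.size:(i + 1) * VID_ENTRY.size])
            for i in range(count)]


def plausible(entry):
    """Bitfields can hold impossible values (hour 31, month 0); reject those before trusting a row."""
    h, mi, s = entry["time"]
    y, mo, d = entry["date"]
    return (h < 24 and mi < 60 and s < 60 and 1 <= mo <= 12 and 1 <= d <= 31
            and entry["name"].upper().endswith(".AVI"))


if __name__ == "__main__":
    e = parse_entry(SAMPLE_ENTRY)
    print("%s  %#x bytes  %04d-%02d-%02d %02d:%02d:%02d  plausible=%s"
          % ((e["name"], e["size"]) + e["date"] + e["time"] + (plausible(e),)))
```

On the sample bytes this yields PICT0001.AVI, 0xc92f0 bytes, recorded 2005-09-06 at 13:24:30, which lines up with when the thread was active and is a cheap confirmation that the field order and bit widths in the comment are right. The same decoder applied across the whole table, with `plausible` as a filter, is a quick way to find where the live entries stop and stale memory begins.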
di2356

Joined: 06 Jun 2007
Posts: 84
Location: NYC
|
Posted:
Thu Nov 22, 2007 12:58 am |
  |
I'm interested, however, lazy. Can anyone please upload dissmipper.exe for me?
And if possible, objdump-mips.exe?
zapped
Joined: 08 Jul 2005
Posts: 785
Location: 4 8 15 16 23 42
Posted: Sun Nov 25, 2007 6:30 pm
di2356 wrote:
I'm interested, however, lazy. Can anyone please upload dissmipper.exe for me?
And if possible, objdump-mips.exe?
I put dismipper.exe on the wiki at http://camerahacks.wikispaces.com/Disassembling+Firmware and am still working on compiling an objdump-mips.exe that doesn't require the cygwin dll to run.
If anyone has comments files, please post them to the wiki.
zapped
Joined: 08 Jul 2005
Posts: 785
Location: 4 8 15 16 23 42
Posted: Mon Nov 26, 2007 1:34 am
After about a dozen tries I STILL can't get objdump-mips.exe compiled to run without cygwin.
di2356
Joined: 06 Jun 2007
Posts: 84
Location: NYC
Posted: Wed Nov 28, 2007 1:42 am
Quote:
After about a dozen tries I STILL can't get objdump-mips.exe compiled to run without cygwin.
Neither can I. Again, if anyone has it, please PM me, or di2356@gmail.com
brite_eye
Joined: 14 Apr 2005
Posts: 2518
Location: In my dreams higher than a kite as a wingsuit flyer
Posted: Wed Nov 28, 2007 2:15 am
di2356 wrote:
Quote:
After about a dozen tries I STILL can't get objdump-mips.exe compiled to run without cygwin.
Neither can I. Again, if anyone has it, please PM me, or di2356@gmail.com
I ran it under cygwin! Why are you trying to avoid running under cygwin?
CVSfan wrote:
Got dismipper to run under cygwin; two files needed patching to work around some stack corruption and other memory issues (diff with the original to see the changes): pass_one.c and sections.c. Hopefully the output is accurate ...
To compile under cygwin (as pure-analog discovered, it needs no-cygwin):
$ gcc -mno-cygwin -o dismipper *.c
And for reference:
- Get the camcorder firmware by using Ops' Download Memory button:
Start Location=200043008 and Length=1283583; save as firmware.o
- Using an objdump built to understand MIPS, generate firmware.hd:
$ objdump-mips -w -f -h -D -M reg-names=r3000 firmware.o > firmware.hd
[To build objdump for MIPS, get the GNU binutils package (I got VER 2.16.1). Extract and configure (./configure --target=mips), type make, and then find the binary in binutils/objdump.exe ... rename it to objdump-mips]
- Generate the re-disassembly:
$ dismipper > firmware.lst
zapped
Joined: 08 Jul 2005
Posts: 785
Location: 4 8 15 16 23 42
Posted: Wed Nov 28, 2007 11:53 am
I'm trying to avoid the need for cygwin to run objdump, because even though I have cygwin on my computer, that doesn't mean that everyone else does. The more people who can more easily get into the camcorder disassembly, the better.
SaturnNiGHTS
Joined: 24 May 2006
Posts: 971
Location: Nightopia
Posted: Wed Nov 28, 2007 1:58 pm
zapped wrote:
I'm trying to avoid the need for cygwin to run objdump, because even though I have cygwin on my computer, that doesn't mean that everyone else does. The more people who can more easily get into the camcorder disassembly, the better.
You don't need a full installation, IIRC. Isn't it just something like cygwin1.dll in the exe's directory? Whatever the cygwin shared library is, distribute it with that in the package.
_________________
amount of hardware hacked:
enough to be forum administrator
http://www.dynarec.net/blog/
author of avidownload
co-author of mediadownload
current maintainer of ops-win32
half-ass developer of the new all-platform ops
zapped
Joined: 08 Jul 2005
Posts: 785
Location: 4 8 15 16 23 42
Posted: Wed Nov 28, 2007 3:58 pm
Yeah, I think it is true, but I'd still like to get it to run without the dll. One thing I still have not tried is to cross-compile it on linux to run on Windows.