HF10/100 Firmware Analysis - CHDK Wiki

HF10/100 Firmware Analysis

From CHDK Wiki


[edit] Firmware decoding

Where and how to get the firmware and a serial number are described in this forum topic:

http://chdk.setepontos.com/index.php/topic,1641.0.html

The firmware is obfuscated with a 0x1040 XOR key derived from the keys of the 300D still camera. The decoder is posted in the topic linked above.

[edit] Firmware analysis

[edit] Decoded f/w content

The following logical parts have been identified so far:

  • 0x0 - 0x200000 (including the first unencrypted 0x10010 bytes)

A data area of some kind; self-references in it show that it is meant to be placed at linear address 0xBFA00000. It is probably static data (language resources, etc.).

  • 0x200000

A simple 0x20-byte header for the next section. It contains that section's size: 0x5f7344 bytes.

  • 0x200020 - ROM&RAM data.
  • 0x2C-byte tail - its content is not understood yet.

[edit] Processor and architecture

The processor belongs to the M32R family (Mitsubishi, now Renesas). Documentation:

  • e32rsm.pdf - Instruction reference
  • 32182um.pdf/e32172um.pdf - Chip architecture

The exact processor and peripheral models are unknown, but the code uses the CR5 (EIT Vector Base) register, and this register seems to be present only in M32R2 processors.

[edit] Code location

The code section should be loaded at 0x04000000. The initialization routine starts at 0x04000000 (reset interrupt).

[edit] DATA location

No clear location for the data section has been found yet, but it appears to start at 0x04306B20 and is then moved to its destination at 0x4C8A6840. Using that destination address makes all string and data references resolve correctly.
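As an added example (not CHDK code, nor the decoder from the forum), the helper below applies a repeating XOR key to the encrypted part of the dump, searches the 0x20-byte section header for the size field, and converts between the linear addresses and file offsets given in the decoding, code-location and data-location sections above. It assumes the "0x1040 XOR key" is a 0x1040-byte repeating key applied from offset 0x10010 onward, that the ROM&RAM data at file offset 0x200020 loads at 0x04000000, and it uses a constructed placeholder key rather than the real one.

```python
PLAIN_PREFIX = 0x10010    # leading bytes stored unencrypted (from the wiki)
KEY_LEN = 0x1040          # assumed: "0x1040 XOR key" read as a 0x1040-byte repeating key
SECTION_SIZE = 0x5F7344   # size stated in the 0x20-byte header at 0x200000 (from the wiki)
CODE_BASE = 0x04000000    # load address of the code section / reset vector (from the wiki)
CODE_FILE_OFF = 0x200020  # assumed: the ROM&RAM data after the header maps to CODE_BASE
DATA_ROM = 0x04306B20     # data section as stored in ROM (from the wiki)
DATA_RAM = 0x4C8A6840     # where the bootstrap moves it (from the wiki)

def decode(blob: bytes, key: bytes) -> bytes:
    """XOR-decode everything after the plaintext prefix with a repeating key.
    Assumed: the key stream starts at offset PLAIN_PREFIX. XOR is symmetric,
    so the same call re-encodes a decoded image."""
    if len(key) != KEY_LEN:
        raise ValueError(f"key must be {KEY_LEN:#x} bytes, got {len(key):#x}")
    head, body = blob[:PLAIN_PREFIX], blob[PLAIN_PREFIX:]
    stream = (key * (len(body) // KEY_LEN + 1))[:len(body)]
    return head + bytes(a ^ b for a, b in zip(body, stream))

def find_size_field(header: bytes, expected: int = SECTION_SIZE) -> list:
    """Find which 32-bit word of the section header holds the section size.
    The wiki gives the value but not the field layout, so every offset is
    tried in both byte orders (M32R is big-endian; the packer may not be)."""
    hits = []
    for off in range(len(header) - 3):
        for order in ("big", "little"):
            if int.from_bytes(header[off:off + 4], order) == expected:
                hits.append((off, order))
    return hits

def rom_addr_to_file_offset(addr: int) -> int:
    """Map a linear ROM address to an offset in the decoded firmware file."""
    if addr < CODE_BASE:
        raise ValueError(f"{addr:#x} is below the code load address")
    return addr - CODE_BASE + CODE_FILE_OFF

def ram_to_rom(addr: int) -> int:
    """Translate a reference into the relocated data copy back to its ROM address,
    so string/data references in the code can be followed in the dump."""
    return addr - DATA_RAM + DATA_ROM

if __name__ == "__main__":
    # Constructed sample image and key, not the real firmware or the real key.
    key = bytes((i * 7 + 3) & 0xFF for i in range(KEY_LEN))
    image = bytes(range(256)) * 300
    assert decode(decode(image, key), key) == image
    print(hex(rom_addr_to_file_offset(ram_to_rom(DATA_RAM))))
```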

[edit] RAM location

No clear understanding yet - most probably free-use RAM comes after the data (0x4C8A6840 and above).

[edit] Special locations

Many peripheral I/O ports, etc. Some are documented in the Renesas PDFs, but they do not seem to match our case.

[edit] Things to do

  • Processor model. Is there no documentation for the M32R2?
  • Bootstrap understanding (some section init/moves should be there)
  • TRAP 7/8 usage (system calls?)
  • stdlib exploration
  • No information yet on how to detect OS-related calls (tasks, semaphores, etc.)
  • Which OS (possibly not DryOS, but MR32R)?