Magic Lantern Forum

Developing Magic Lantern => Reverse Engineering => Topic started by: ø on October 25, 2019, 07:37:04 PM

Title: Investigating custom PTP commands
Post by: ø on October 25, 2019, 07:37:04 PM
Hi everyone,

I've been playing with a USB analyzer lately with my 60D and some software. I'm trying here to better understand the custom PTP commands involved in service mode.

Here's what I got so far, I hope to have something more exciting to show soon.

Code: [Select]
OUT#1
14 00 00 00 - Bulk packet length
01 00 - PTP_USB_CONTAINER_COMMAND
52 90 - Vendor (Canon) specific command
01 00 00 00 - Transaction id
00 00 00 00 - ?
00 00 00 00 - ?

OUT#2
67 00 00 00 - Bulk packet length
02 00 - PTP_USB_CONTAINER_DATA
52 90 - Vendor (Canon) specific command
01 00 00 00 - Transaction id
46 41 5f 53 65 74 50 72 6f 70 65 72 74 79 00 - "FA_SetProperty\0"
03 00 00 00 - Number of parameters?
02 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00
00 00 00 02 00 00 00 04 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00
00 01 00 00 00 04 00 00 00 01 00 00 00 01 00 00 00
00 00 00 00

IN#1
10 00 00 00 - Bulk packet length
03 00 - PTP_USB_CONTAINER_RESPONSE
01 20 - PTP_RC_OK
01 00 00 00 - ?
00 00 00 00 - ?
Title: Re: Investigating custom PTP commands
Post by: ø on October 26, 2019, 02:49:15 PM
Some quick notes regarding Canon commands:

TftCff: turns off the screen
Title: Re: Investigating custom PTP commands
Post by: lorenzo353 on November 10, 2019, 11:01:21 AM
Hi,

please see this research
https://research.checkpoint.com/say-cheese-ransomware-ing-a-dslr-camera/

how is your hardware / software setup please ?

Laurent