Hi,
And what about understanding the -existing- scripting language from Canon since 5DM3 (EOS-M and 6D) ?
(below is 5dm3 firmware 1.1.3, offset in the first column).
It seems different from: http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=Exploiting_Digital_Cameras
25ca00 %d: %s -%s, -%s, -%s, %d
25ca1c Script error!! %d
25ca30 %d: %s %s, %s, %s, %d
25cd34 while
25cd40 else
25cd48 break
25cd50 wait
25cd58 print
25cd60 ExecuteProc
25cd6c ExecuteProc %s %d ...
25cd84 CallInnerFunc
25cd94 checkCallInnerFunc
25cda8 Displaywindow
25d0bc Hidewindow
25d0c8 SetTimerAfter
25d0d8 Createwindow
25d0ec Drawtext
25d0f8 DrawtextFocus
25d108 Drawtextf
25d114 Drawrect
25d120 peek
25d128 poke
25d130 peekl
25d138 pokel
25d36c Call
...
25d9f0 AUTOEXEC.SC
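Added example, not code from this thread or from the Magic Lantern project: a small Python scanner that produces the same kind of offset-annotated string listing as the table above, so anyone with a firmware dump can regenerate it. It runs here on a constructed stand-in for the dump; the base address 0x25c000, the placement offsets and the keyword set are assumptions for illustration, not the real 5D Mark III layout.

```python
import re
from typing import Dict, Iterator, List, Tuple

# Keywords the thread lists as part of the Canon script interpreter's string table.
SCRIPT_KEYWORDS = {
    "while", "else", "break", "wait", "print", "ExecuteProc", "CallInnerFunc",
    "Displaywindow", "Hidewindow", "SetTimerAfter", "Createwindow", "Drawtext",
    "DrawtextFocus", "Drawtextf", "Drawrect", "peek", "poke", "peekl", "pokel",
    "Call", "AUTOEXEC.SC",
}


def iter_strings(image: bytes, base: int = 0, min_len: int = 4) -> Iterator[Tuple[int, str]]:
    """Yield (address, text) for every NUL-terminated run of printable ASCII.

    Runs that are not followed by a NUL byte are skipped: in a ROM dump these
    are usually fragments of code or tables, not C string literals.
    """
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    for m in pat.finditer(image):
        end = m.end()
        if end < len(image) and image[end:end + 1] != b"\x00":
            continue
        yield base + m.start(), m.group().decode("ascii")


def find_script_table(image: bytes, base: int = 0) -> Dict[str, int]:
    """Return {keyword: address} for strings that match the interpreter keyword set."""
    return {text: addr for addr, text in iter_strings(image, base) if text in SCRIPT_KEYWORDS}


def format_table(image: bytes, base: int = 0) -> List[str]:
    """Render matching keywords as 'offset keyword' lines, in the thread's style."""
    table = find_script_table(image, base)
    return [f"{addr:x} {text}" for text, addr in sorted(table.items(), key=lambda kv: kv[1])]


def build_sample_image() -> bytes:
    """Constructed stand-in for a firmware dump (assumption: not real ROM content).

    0xFF padding with a few NUL-terminated strings at made-up offsets, plus one
    unterminated 'poke' fragment that the scanner should ignore.
    """
    layout = {
        0x10: b"Script error!! %d",
        0x30: b"while",
        0x38: b"else",
        0x40: b"peek",
        0x48: b"AUTOEXEC.SC",
        0x60: b"peekl",
    }
    img = bytearray(b"\xff" * 0x80)
    for off, s in layout.items():
        img[off:off + len(s) + 1] = s + b"\x00"
    img[0x70:0x75] = b"poke\xff"  # printable run with no NUL terminator
    return bytes(img)


if __name__ == "__main__":
    # Assumed base address so the output resembles the thread's offsets.
    for line in format_table(build_sample_image(), base=0x25c000):
        print(line)
```

To use it on a real dump, read the ROM file into `image` and pass the load address of that region as `base`; the keyword filter is what separates interpreter vocabulary from the thousands of other strings in the image, so extend `SCRIPT_KEYWORDS` as more names turn up in the parser routine.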
Well...
- we don't know how to execute it
- it's only on digic 5 cameras
- it looks more useful for reverse engineering than for user-level scripting
The idea for PicoC is user-level scripting, similar to CHDK.
Way, reverse is cool,
but I do not have a Digic 5 camera:
loaded from SDcard?
ROM:FF31D4D0 ADR R1, aBS_0 ; "B:/%s"
ROM:FF31D4D4 MOV R0, SP
ROM:FF31D4D8 BL sub_FF144418
ROM:FF31D4DC MOV R1, SP
ROM:FF31D4E0 ADR R0, aOpenS ; "open %s\n"
ROM:FF31D4E4 BL sub_FF0C1F40
when pressing the delete button?
ROM:FF31DA34 ADR R0, aOn_erase ; "ON_ERASE\n"
ROM:FF31DA38 BL sub_FF0C1F40
ROM:FF31DA3C LDR R0, [R6,#8]
ROM:FF31DA40 CMP R0, #7
ROM:FF31DA44 BNE loc_FF31DA58
ROM:FF31DA48 LDR R0, [R6,#0x14]
ROM:FF31DA4C CMP R0, #0
ROM:FF31DA50 BLEQ check_script_file
main parser is here = FF31C880 parser
FF31D250 hash_something
FF31D228 computeHash
FF31B930 strcpy
FF484F88 separator_something
FF1448C0 strcmp
FF31C444 bin_operations
Indy
There's quite a bit of stuff in the main parser routine.
And the trashcan button is a classy move
edit: ROM:FF31DA34 looks like a button handler to me
edit: seems to be called only from a routine referencing a "Secret mode"
"[MC] Enter Secret mode : FA_SetReleaseModeForSR !"
Good catch!
Quote from: nanomad on January 26, 2013, 04:33:35 PM
There's quite a bit of stuff in the main parser routine.
And the trashcan button is a classy move
edit: ROM:FF31DA34 looks like a button handler to me
edit: seems to be called only from a routine referencing a "Secret mode"
"[MC] Enter Secret mode : FA_SetReleaseModeForSR !"
It seems linked to the direct printing menu, no?
FF14525C BL script_trigger_maybe
Here is Oren Isacson and Alfredo Ortega's presentation at Defcon 18: http://www.youtube.com/watch?v=jp_cwNUGeWU