
Messages - dedmen

#1
Quote: "you can enable the bootflag with the special firmware update"
Wow, now I feel great for spending like... 12 hours overnight working on my exploit. :D

Quote: "I think I was working with an older version of Unified branch"
Yeah, I would also appreciate updating qemu with the one from the main qemu branch; it gave me quite a headache to get running.

Is there a more direct communication channel? Like Discord/Slack or something? Not sure about what specific things I could be working on.
Yeah, I need to verify stubs, but I'm not sure which from the stubs file are missing and required, and which need verification.
And as this is the first version I'm working on, I don't have references to older version patterns to compare.
#2
Hi! I'm the new guy.
I wanted to use my 200D as a webcam, but the resolution it sends in live view feels too low, so I thought I'd just hack the firmware.
I dumped the ROM, decompiled most of it in IDA, and made myself an autoexec build of Magic Lantern from Stephen's bitbucket repo.

Now there's the question of how I can set the boot flag to let it execute my autoexec; the 200D firmware dumper sadly is compiled without the bootflag-set enabled, and the FIR compile tools are not available.
I already found the FIR crypto code, but I don't really want to go to the effort to reverse it.

Is there an easy-ish way to simply enable the bootflag?
I assume simply running an ML build for another camera won't work.

I found the FROMUTILITY MENU which apparently can set the bootflag, but I'm not sure how to activate that.
I assume it's USB serial stuff, but that seems like too much effort; I don't really want to figure out their whole support/debug access stuff.
I know which flags I need to set on which address to enable the command mode... mh, maybe I'll figure out their whole debug stuff after all...
Yeah, it's UART. I don't want to rip off the rubber to get to it; finding some software vuln to get in seems easier.

(In case it's not obvious, I'm actually constantly pausing while writing this post while I continue reversing stuff, in case it sounds a bit chaotic.)

Okay, already found a stack buffer overflow in PTP. I can probably just use that to get code execution and set the bootflag myself.
Or I can just run the "run autoexec.bin" function directly from there, ignoring the bootflag check...

I'll probably invest more time into helping get ML running on the 200D, but I have two weeks of vacation coming up, and am currently quite busy, so... no promises.
I will most likely not even finish this stuff before I leave.