Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.


Topics - Indy

Pages: [1]
1
Reverse Engineering / Hacking Canon Pixma Printers - Doomed Encryption
« on: February 05, 2017, 10:34:59 PM »
Hi,

I know it is certainly off topic, but for the curious, as they use SREC format as well as some parts of DSLR updates:

https://www.contextis.com/resources/blog/hacking-canon-pixma-printers-doomed-encryption/

http://magiclantern.wikia.com/wiki/Update_records

Indy

2
Reverse Engineering / Paparazzi over IP
« on: March 19, 2013, 06:10:25 PM »
Should we contact them so that they do not reveal all open doors publically and to Canon ?

http://www.insinuator.net/2013/02/paparazzi-over-ip/
https://www.troopers.de/agenda13/troopers13-presentations/index.html#paparazzi

Indy

3
Reverse Engineering / RE contributions
« on: March 02, 2013, 10:05:39 AM »
hi,

Just to let you know, I put on the bitbucket most of my python scripts (the public ones)
https://bitbucket.org/hudson/magic-lantern/src/fa4b9a00d0ca859ea86a4a0c9b0b144ef2e9b02b/contrib/indy/readme.TXT?at=unified

"it is working at least for me" ;-)

Indy

4
Scripting Q&A / existing Canon scripting ?
« on: January 26, 2013, 01:04:24 PM »
Hi,

And what about understanding the -existing- scripting language from Canon since 5DM3 (EOS-M and 6D) ?
(below is 5dm3 firmware 1.1.3, offset in the first column).
it seems different than:http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=Exploiting_Digital_Cameras

 25ca00 %d: %s -%s, -%s, -%s, %d
 25ca1c Script error!! %d
 25ca30 %d: %s %s, %s, %s, %d
 25cd34 while
 25cd40 else
 25cd48 break
 25cd50 wait
 25cd58 print
 25cd60 ExecuteProc
 25cd6c ExecuteProc %s %d ...
 25cd84 CallInnerFunc
 25cd94 checkCallInnerFunc
 25cda8 Displaywindow
 25d0bc Hidewindow
 25d0c8 SetTimerAfter
 25d0d8 Createwindow
 25d0ec Drawtext
 25d0f8 DrawtextFocus
 25d108 Drawtextf
 25d114 Drawrect
 25d120 peek
 25d128 poke
 25d130 peekl
 25d138 pokel
 25d36c Call
...
 25d9f0 AUTOEXEC.SC

5
Reverse Engineering / Introduction to ARM
« on: December 02, 2012, 07:13:45 PM »
"Creator Comments:

ARM processors are becoming ubiquitous in mobile devices today with RISC processors making a comeback for their applications in low power computing environments. With major operating systems choosing to run on these processors including the latest Windows RT, iOS and Android, understanding the low level operations of these processors can serve to better understand, optimize and debug software stacks running on them. This class builds on the Intro to x86 class and tries to provide parallels and differences between the two processor architectures wherever possible while focusing on the ARM instruction set, some of the ARM processor features, and how software works and runs on the ARM processor. "

http://www.opensecuritytraining.info/IntroARM.html

6
Reverse Engineering / Toshiba TX19A discussions on nikonhacker.com
« on: November 02, 2012, 02:30:09 PM »
Hi,

Just to let you know, Nikon hackers are discussing about the TX19A chip here:
http://nikonhacker.com/viewtopic.php?f=2&t=214
http://nikonhacker.com/viewtopic.php?f=2&t=167
this chip is also in our camera body.

ML Wiki page is here:
http://magiclantern.wikia.com/wiki/Tx19a

IDA Pro edition (with MIPS support) is required for TX19A. Starter edition does not support MIPS

could we add AF micro-adjustment on xxxD bodies if we understand TX19A code ?

Indy

7
Hi,

It seems there currently interest about how to progress on the 7D side. Here is a status below.

Why ML is not running yet on this camera ?
http://magiclantern.wikia.com/wiki/7D_support
Because it is dual digic with dual Dryos Instances.
http://magiclantern.wikia.com/wiki/7D_internals
http://magiclantern.wikia.com/wiki/7d_intercom
No one achieved in hijacking execution like Trammel did with the 5Dm2 and the 550D:
http://magiclantern.wikia.com/wiki/DryOS_boot_process
http://magiclantern.wikia.com/wiki/5d-hack
http://magiclantern.wikia.com/wiki/Autoexec

Existing bootcode is described here by G3gg0
http://magiclantern.wikia.com/wiki/Boot_procedure
but the 7D bootcode is different, at least by doing intercom between the 2 Digics (ARM  + Canon image processing)
See FFFF5F18 ipc_read_interr, for example.

If someone can understand how the 2 DryOs instances are launched (Master at 0xFF810000 and Slave at 0xFF010000) by the bootcode (0xFFFF0000), it could be the good track to follow to discover how to hijack execution for ML...

We are able to patch the Canon slave updater to create a dumper,
https://groups.google.com/forum/?fromgroups#!topic/ml-devel/ljZ4Ko8lu30
blick the drive led
http://magiclantern.wikia.com/wiki/7D_internals#LED
and enable the bootflag.

Please read -carefully- the Wiki pages above before asking questions.

If someone can offer a 7D (even broken but software layer is OK) during several weeks, it can -really- help ML team!

And yes, I failed in solving this problem, so I give the token to more clever / experimented people. I'll help him / her...

I can not attach files to this post :-(

Indy

Pages: [1]