Topics - Indy

#1
Hi,

I know it is certainly off topic, but for the curious, as they use SREC format as well as some parts of DSLR updates:

https://www.contextis.com/resources/blog/hacking-canon-pixma-printers-doomed-encryption/

http://magiclantern.wikia.com/wiki/Update_records

Indy
#2
Reverse Engineering / Paparazzi over IP
March 19, 2013, 06:10:25 PM
Should we contact them so that they do not reveal all open doors publicly and to Canon?

http://www.insinuator.net/2013/02/paparazzi-over-ip/
https://www.troopers.de/agenda13/troopers13-presentations/index.html#paparazzi

Indy
#3
Reverse Engineering / RE contributions
March 02, 2013, 10:05:39 AM
Hi,

Just to let you know, I put most of my Python scripts (the public ones) on Bitbucket:
https://bitbucket.org/hudson/magic-lantern/src/fa4b9a00d0ca859ea86a4a0c9b0b144ef2e9b02b/contrib/indy/readme.TXT?at=unified

"it is working at least for me" ;-)

Indy
#4
Scripting Q&A / existing Canon scripting ?
January 26, 2013, 01:04:24 PM
Hi,

And what about understanding the -existing- scripting language from Canon since 5DM3 (EOS-M and 6D)?
(Below is 5DM3 firmware 1.1.3, offset in the first column.)
It seems different from: http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=Exploiting_Digital_Cameras

25ca00 %d: %s -%s, -%s, -%s, %d
25ca1c Script error!! %d
25ca30 %d: %s %s, %s, %s, %d
25cd34 while
25cd40 else
25cd48 break
25cd50 wait
25cd58 print
25cd60 ExecuteProc
25cd6c ExecuteProc %s %d ...
25cd84 CallInnerFunc
25cd94 checkCallInnerFunc
25cda8 Displaywindow
25d0bc Hidewindow
25d0c8 SetTimerAfter
25d0d8 Createwindow
25d0ec Drawtext
25d0f8 DrawtextFocus
25d108 Drawtextf
25d114 Drawrect
25d120 peek
25d128 poke
25d130 peekl
25d138 pokel
25d36c Call
...
25d9f0 AUTOEXEC.SC
#5
Reverse Engineering / Introduction to ARM
December 02, 2012, 07:13:45 PM
"Creator Comments:

ARM processors are becoming ubiquitous in mobile devices today with RISC processors making a comeback for their applications in low power computing environments. With major operating systems choosing to run on these processors including the latest Windows RT, iOS and Android, understanding the low level operations of these processors can serve to better understand, optimize and debug software stacks running on them. This class builds on the Intro to x86 class and tries to provide parallels and differences between the two processor architectures wherever possible while focusing on the ARM instruction set, some of the ARM processor features, and how software works and runs on the ARM processor."

http://www.opensecuritytraining.info/IntroARM.html
#6
Hi,

Just to let you know, Nikon hackers are discussing the TX19A chip here:
http://nikonhacker.com/viewtopic.php?f=2&t=214
http://nikonhacker.com/viewtopic.php?f=2&t=167
This chip is also in our camera body.

ML Wiki page is here:
http://magiclantern.wikia.com/wiki/Tx19a

IDA Pro edition (with MIPS support) is required for TX19A. Starter edition does not support MIPS.

Could we add AF micro-adjustment on xxxD bodies if we understand TX19A code?

Indy
#7
Hi,

It seems there is currently interest in how to progress on the 7D side. Here is a status below.

Why is ML not running yet on this camera?
http://magiclantern.wikia.com/wiki/7D_support
Because it is dual DIGIC with dual DryOS instances.
http://magiclantern.wikia.com/wiki/7D_internals
http://magiclantern.wikia.com/wiki/7d_intercom
No one has succeeded in hijacking execution like Trammell did with the 5Dm2 and the 550D:
http://magiclantern.wikia.com/wiki/DryOS_boot_process
http://magiclantern.wikia.com/wiki/5d-hack
http://magiclantern.wikia.com/wiki/Autoexec

Existing bootcode is described here by G3gg0:
http://magiclantern.wikia.com/wiki/Boot_procedure
but the 7D bootcode is different, at least by doing intercom between the 2 DIGICs (ARM + Canon image processing).
See FFFF5F18 ipc_read_interr, for example.

If someone can understand how the 2 DryOS instances are launched (Master at 0xFF810000 and Slave at 0xFF010000) by the bootcode (0xFFFF0000), it could be the right track to follow to discover how to hijack execution for ML...

We are able to patch the Canon slave updater to create a dumper,
https://groups.google.com/forum/?fromgroups#!topic/ml-devel/ljZ4Ko8lu30
blink the drive LED
http://magiclantern.wikia.com/wiki/7D_internals#LED
and enable the bootflag.

Please read -carefully- the Wiki pages above before asking questions.

If someone can offer a 7D (even broken, as long as the software layer is OK) for several weeks, it can -really- help the ML team!

And yes, I failed in solving this problem, so I give the token to more clever / experienced people. I'll help him / her...

I can not attach files to this post :-(

Indy