Menu

Show posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Show posts Menu

Messages - Indy

#26
OK, thanks for the clarification.
can we have these Digic data ? there are related to attached lend right ? which lens it is ?

Indy
#27
Reverse Engineering / Re: RE contributions
March 09, 2013, 10:02:57 AM
thank you!
it is for 5dm3 ?
Quote from: 1% on March 09, 2013, 12:18:03 AM
Here you go:

http://www.qfpost.com/file/d?g=Z6gLh6Gv7

tokina 11-16 was attached.
#28
How are used the lens00.bin tables to produce Digic correction data ? how are used aperture and focal ?

Indy
#29
Please,
could someone call
ROM:FF0C9098 SaveLensToFile
on 5dm3 1.1.3 ? I would like to check vignetting values on the full frame compared to 60D APS-C.

if it is easier on 6D 1.1.2:
ROM:FF0C9318 SaveLensToFile

it should be callable by name and create a 'LENS00.BIN'

Indy
#31
Reverse Engineering / Re: RE contributions
March 03, 2013, 10:35:44 PM
I was on the path with my parse_lens*.py scripts. I'll study your findings tomorrow.
thank you, you definitely went further !

#32
Reverse Engineering / Re: RE contributions
March 03, 2013, 12:15:25 PM
I'm happy to see it is useful !
again and as usual, excellent work G3gg0!

any idea about lens00.bin content ?
it seems it contains vignetting and chromatic aberration tables for correction...
I can provide 60D and 550D data if needed.

would it be useful to create a custom update with modified properties / bitmap / strings ?
yes it is risky.

Indy
#33
Reverse Engineering / Re: RE contributions
March 02, 2013, 09:31:54 PM
updates need to be decrypted first.
the script (dec_fir.py) is not public because it contains keys and crypto algorithms from Canon.

Indy
#34
Reverse Engineering / RE contributions
March 02, 2013, 10:05:39 AM
hi,

Just to let you know, I put on the bitbucket most of my python scripts (the public ones)
https://bitbucket.org/hudson/magic-lantern/src/fa4b9a00d0ca859ea86a4a0c9b0b144ef2e9b02b/contrib/indy/readme.TXT?at=unified

"it is working at least for me" ;-)

Indy
#35
Reverse Engineering / Re: Modify EXIF Data through USB
January 30, 2013, 11:10:38 PM
that would be enable a paying feature (7d Studio version VS normal 7d) and this could make Canon not happy...
Quote from: coutts on January 30, 2013, 05:23:27 AM
if someone knows how to make the camera read QR codes, they support up to 4000 characters, not sure where to even start with that though.
#36
Scripting Q&A / Re: existing Canon scripting ?
January 26, 2013, 07:47:18 PM
it seems linked to direct printing menu, no ?
FF14525C                 BL      script_trigger_maybe
#37
Scripting Q&A / Re: existing Canon scripting ?
January 26, 2013, 06:32:31 PM
Good catch!

Quote from: nanomad on January 26, 2013, 04:33:35 PM
There's quite a bit of stuff in the main parser routine.

And the trashcan button is a classy move

edit: ROM:FF31DA34   looks like a button handler to me

edit: seems to be called only from a routine referencing a "Secret mode"
"[MC] Enter Secret mode : FA_SetReleaseModeForSR !"
#38
Scripting Q&A / Re: existing Canon scripting ?
January 26, 2013, 04:21:19 PM
Way, reverse is cool,
but I do not have a Digic 5 camera:

loaded from SDcard?
ROM:FF31D4D0                 ADR     R1, aBS_0       ; "B:/%s"
ROM:FF31D4D4                 MOV     R0, SP
ROM:FF31D4D8                 BL      sub_FF144418
ROM:FF31D4DC                 MOV     R1, SP
ROM:FF31D4E0                 ADR     R0, aOpenS      ; "open %s\n"
ROM:FF31D4E4                 BL      sub_FF0C1F40

when pressing delete button ?
ROM:FF31DA34                 ADR     R0, aOn_erase   ; "ON_ERASE\n"
ROM:FF31DA38                 BL      sub_FF0C1F40
ROM:FF31DA3C                 LDR     R0, [R6,#8]
ROM:FF31DA40                 CMP     R0, #7
ROM:FF31DA44                 BNE     loc_FF31DA58
ROM:FF31DA48                 LDR     R0, [R6,#0x14]
ROM:FF31DA4C                 CMP     R0, #0
ROM:FF31DA50                 BLEQ    check_script_file


main parser is here = FF31C880 parser
FF31D250 hash_something
FF31D228 computeHash
FF31B930 strcpy
FF484F88 separator_something
FF1448C0 strcmp
FF31C444 bin_operations

Indy
#39
Scripting Q&A / existing Canon scripting ?
January 26, 2013, 01:04:24 PM
Hi,

And what about understanding the -existing- scripting language from Canon since 5DM3 (EOS-M and 6D) ?
(below is 5dm3 firmware 1.1.3, offset in the first column).
it seems different than:http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=Exploiting_Digital_Cameras

25ca00 %d: %s -%s, -%s, -%s, %d
25ca1c Script error!! %d
25ca30 %d: %s %s, %s, %s, %d
25cd34 while
25cd40 else
25cd48 break
25cd50 wait
25cd58 print
25cd60 ExecuteProc
25cd6c ExecuteProc %s %d ...
25cd84 CallInnerFunc
25cd94 checkCallInnerFunc
25cda8 Displaywindow
25d0bc Hidewindow
25d0c8 SetTimerAfter
25d0d8 Createwindow
25d0ec Drawtext
25d0f8 DrawtextFocus
25d108 Drawtextf
25d114 Drawrect
25d120 peek
25d128 poke
25d130 peekl
25d138 pokel
25d36c Call
...
25d9f0 AUTOEXEC.SC
#40
...and do not forget the Wiki
http://magiclantern.wikia.com/wiki/PTP

indy
#41
Archived porting threads / Re: Canon 6D
December 14, 2012, 08:07:44 PM
Quote from: coutts on December 14, 2012, 06:34:39 PM
that was my plan.. until i found out that the fonts are missing in the firmware! seriously this is odd. gonna have to see what canon changed here..
they are not, check your email
#42
do NOT use a 'prepared card' with EOScard or similar !
use normal card, as formatted by the camera or your operating system.

Indy
#44
Hi Namomad,

Could you please publish the 650d_101.fir in the source tree ?
It will allow other 650D/T4i owners to enable the bootflag and get a backup (but nothing more) ?
We need more developers, so we have to help them.

Indy
#45
Reverse Engineering / Re: The IDA Pro Book
December 08, 2012, 10:11:31 PM
an excellent book!
#46
Reverse Engineering / Introduction to ARM
December 02, 2012, 07:13:45 PM
"Creator Comments:

ARM processors are becoming ubiquitous in mobile devices today with RISC processors making a comeback for their applications in low power computing environments. With major operating systems choosing to run on these processors including the latest Windows RT, iOS and Android, understanding the low level operations of these processors can serve to better understand, optimize and debug software stacks running on them. This class builds on the Intro to x86 class and tries to provide parallels and differences between the two processor architectures wherever possible while focusing on the ARM instruction set, some of the ARM processor features, and how software works and runs on the ARM processor. "

http://www.opensecuritytraining.info/IntroARM.html
#47
Archived porting threads / Re: 6D
December 01, 2012, 08:47:05 AM
no TX19A this time?
#48
Archived porting threads / Re: EOS M
November 26, 2012, 08:35:55 AM
good work Coutts!

do allow other developpers working on the EOS M, why not adding a dump feature and providing a .FIR that enable the bootflag ?

Indy
#49
Archived porting threads / Re: EOS M
November 25, 2012, 07:50:15 PM
stubs.s
// ROMBASEADDR 0xff0c0000

NSTUB( ROMBASEADDR, firmware_entry )

#define RAM_OFFSET (FFA6A658-1900) // some functions are copied to RAM at around ff0c009c; they have to be called from RAM...
//FFA6A658 assert

// 0x37338, bzero32       
NSTUB(FF0C10E4, cli_save)
NSTUB(FF0C10F8, sei_restore)
NSTUB(FF0C1C10, cstart )

NSTUB(FF137768 EnableBootDisk)
NSTUB(FF137774 DisableBootDisk)

NSTUB(FF346008, FIO_OpenFile)
NSTUB(FF347560, FIO_GetDeviceName)
NSTUB(FF3465E4, FIO_GetFileSize)
NSTUB(FF3460C4, FIO_CreateFile)
NSTUB(FF3463B8, FIO_WriteFile)
NSTUB(FF346468, FIO_CloseFile)

//FF4EF6AC drive_led_on
0x2EB8 create_inittask // 2eb8-1900+assert = FFA6BC10
FF0C5488 init_task
FFA6FC70 msleep
FFA6FD24 task_create


consts.h
#define CARD_LED_ADDRESS 0xC022C188 // like 5dm3
#define LEDON 0x138800
#define LEDOFF 0x838C00

#define HIJACK_INSTR_BL_CSTART  0xFF0C0D80
#define HIJACK_INSTR_BSS_END 0xFF0C1CBC
#define HIJACK_FIXBR_BZERO32 0xFF0C1C20
#define HIJACK_FIXBR_CREATE_ITASK 0xFF0C1CAC
#define HIJACK_INSTR_MY_ITASK 0xFF0C1CC8
//#define HIJACK_TASK_ADDR 0x23E14

#50
Camera-specific Development / Re: Canon 40D
November 12, 2012, 12:04:25 PM
Hi,

good progress Jplxpto !

maybe by enable debug on these functions we can find LVRAM addresses (offsets in firmware in the 1st column) :
  4a0290 [BmpDDev] CreatePhysicalVram (PUB)
4a03b4 [BmpDDev] DeletePhysicalVram (PUB)


in 40d 1.1.1 it seems there are function to monitor the MPU=TX19A
  32fa8 MonOpen
  32fb0 MonClose
  32fbc MonRead
  32fc4 MonReadAndGetData
  32fd8 MonWrite
  32fe4 MonCall
  32fec FA_TestMonRead
  32ffc FA_TestMonCall
  3300c FA_TestMonReadAndWrite
  33130 m_hSemaphoreDataComp
  33148 ../MpuMonitor.c


Indy