(M)JPEG encoder

Started by Chucho, September 11, 2012, 03:40:07 AM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

Marvin

I believe the code was written by Japanese programmers, "Jukai" is a place in japan (sea of trees), where many people go there and commit suicide. Jukai is a place that's often associated with death.
Film is truth 24 frames per second.

nanomad

That means it's probably some sort of cleanup routine. Thanks for the info.

(or maybe the code is so fucked up the programmer hated it :P)
EOS 1100D | EOS 650 (No, I didn't forget the D) | Ye Olde Canon EF Lenses ('87): 50 f/1.8 - 28 f/2.8 - 70-210 f/4 | EF-S 18-55 f/3.5-5.6 | Metz 36 AF-5

Marvin

 I guess they did this on purpose to make reverse engineering more difficult...

one off-topic thing, nanomad there is a grammar mistake in your headline "All your websites are belong to us", it should be "All your websites belong to us" or "All your websites are ours"
Film is truth 24 frames per second.


Marvin

Film is truth 24 frames per second.

Chucho


nanomad

Quote from: Marvin on September 20, 2012, 07:29:24 PM
I guess they did this on purpose to make reverse engineering more difficult...

I've actually worked on code where half the functions were documented in Chinese. Never underestimate the laziness of programmers ...
As far as I know most of the "core" development is still done by Canon JP so that actually makes sense
EOS 1100D | EOS 650 (No, I didn't forget the D) | Ye Olde Canon EF Lenses ('87): 50 f/1.8 - 28 f/2.8 - 70-210 f/4 | EF-S 18-55 f/3.5-5.6 | Metz 36 AF-5

jplxpto

Quote from: nanomad on September 20, 2012, 06:51:23 PM
That means it's probably some sort of cleanup routine. Thanks for the info.

(or maybe the code is so fucked up the programmer hated it :P)


The life is fucked... be a programmer is like living in a bed of roses with many thorns ... lololol

jplxpto

Quote from: 1% on September 19, 2012, 06:39:23 PM
FA_LvJpegCheck 429392408 << returns this.

called like:

int *foof;
*foof = 24;
FA_LvJpegCheck(&foof);


Also found virtual keyboard but can't get it to come up.
319: 22447.067 [GUI] ERROR ***** GetMenuTypeFromVKType illegal type(0)
    320: 22447.176 [GUI] ERROR ***** INPUT_BUF_SIZE = 0

But this OT

----------------------------


NSTUB(0xFF8B9B74, StartVirtualKeyboard)           // might be good (dumps=1, score=50)
NSTUB(0xFF8B9F24, DlgVirtualKeyboard)             // might be good (dumps=1, score=0.97)
NSTUB(0xFF8BC060, StopVirtualKeyboard)            // Good. Found matches: ff8bc060/16, ff8bc050/0.18

1%

I tried startvirtualkeyboard but I didn't try the dialog... this would make renaming things, etc much easier, no?

Hehe, there was a reason I didn't want to code for a living....

nanomad

You keep forgetting about function parameters :P

Try calling StartVirtualKeyboard(0x10) and make sure you have a hidden canon menu in the background
EOS 1100D | EOS 650 (No, I didn't forget the D) | Ye Olde Canon EF Lenses ('87): 50 f/1.8 - 28 f/2.8 - 70-210 f/4 | EF-S 18-55 f/3.5-5.6 | Metz 36 AF-5

1%

http://imgur.com/KYVQg

Not sure how to set the dmac register.

EngDrvOut(0xC0F27000, 4);

nanomad

So it worked? Great!
Now we need to figure out where the resulting string is stored
EOS 1100D | EOS 650 (No, I didn't forget the D) | Ye Olde Canon EF Lenses ('87): 50 f/1.8 - 28 f/2.8 - 70-210 f/4 | EF-S 18-55 f/3.5-5.6 | Metz 36 AF-5

nanomad

From the 1100D

M:FF10DC10 FA_GetJpegBufForLV                      ; DATA XREF: ROM:FF535FB0o
ROM:FF10DC10                 LDR     R0, =0x50AC
ROM:FF10DC14                 LDR     R0, [R0,#0x38]
ROM:FF10DC18                 BX      LR
ROM:FF10DC18
ROM:FF10DC18 ; End of function FA_GetJpegBufForLV

ROM:FF10DC1C FA_GetJpegSizeForLV                     ; DATA XREF: ROM:FF535FA8o
ROM:FF10DC1C                 LDR     R0, =0x50AC
ROM:FF10DC20                 LDR     R0, [R0,#0x34]
ROM:FF10DC24                 BX      LR
ROM:FF10DC24
ROM:FF10DC24 ; End of function FA_GetJpegSizeForLV


They are never called like on the 600D :(
EOS 1100D | EOS 650 (No, I didn't forget the D) | Ye Olde Canon EF Lenses ('87): 50 f/1.8 - 28 f/2.8 - 70-210 f/4 | EF-S 18-55 f/3.5-5.6 | Metz 36 AF-5

1%

Didn't work, was asking if I did that right. Keyboard worked though.

nanomad

I was talking about the keyboard :P
Did you manage to read the entered string?
EOS 1100D | EOS 650 (No, I didn't forget the D) | Ye Olde Canon EF Lenses ('87): 50 f/1.8 - 28 f/2.8 - 70-210 f/4 | EF-S 18-55 f/3.5-5.6 | Metz 36 AF-5

1%

Didn't move since I put a canon menu in the background via piggyback function. But I assume where the string goes can be found via looking at the function in firmware.  I'd really like to see what how a1ex did pacmem edmac register and see what it does on 600D. Theoretically he shouldn't have LVCDEV running either and when I called the fa test function jpeg has a read buffer or address but not a wire. Better than trying to start it up with all of those parameters.

I think I'm missing a lot of parameters because I'm going off the HTML and not doing it in IDA. Maybe I need to start/learn that and arm console so I can look at more than just what it gives me. I don't see flags or how many parameters it takes, etc.

For me, FA_GetJpegBufferforLV just a pointer.

Chucho

1%, I don't use IDA, I use http://pel.hu/armu/ good free program. Pel is also a good programmer, photographer  and friend.

1%

not 100% under wine but I like it much better than IDA.

nanomad

EOS 1100D | EOS 650 (No, I didn't forget the D) | Ye Olde Canon EF Lenses ('87): 50 f/1.8 - 28 f/2.8 - 70-210 f/4 | EF-S 18-55 f/3.5-5.6 | Metz 36 AF-5

jplxpto

I found this in the firwmare 5DC v1.1.1

ff983150 EnoJPEG4:jpgShare.c::CREATED BY M.ENOKIDA, CANON INC.
ff983b6c EnoJPEG4:jpgRCore.c::CREATED BY M.ENOKIDA, CANON INC.
ff986fe4 EnoJPEG4:jpgRScal.c::CREATED BY M.ENOKIDA, CANON INC.
ff9882e0 EnoJPEG4:jpgRVLC.c::CREATED BY M.ENOKIDA, CANON INC.
ff98b704 EnoJPEG4:jpgRClr.c::CREATED BY M.ENOKIDA, CANON INC.

ffab719e  encdec_jpeg rev2.12 2004/11/11 Yukio Chiba & Satoshi Naito


and this on the 40D firmware v1.1.1


ffc170e4 EnoJPEG4:jpgShare.c::CREATED BY M.ENOKIDA, CANON INC.
ffc17b14 EnoJPEG4:jpgRCore.c::CREATED BY M.ENOKIDA, CANON INC.
ffc1b210 EnoJPEG4:jpgRScal.c::CREATED BY M.ENOKIDA, CANON INC.
ffc1c4fc EnoJPEG4:jpgRVLC.c::CREATED BY M.ENOKIDA, CANON INC.
ffc29310 EnoJPEG4:jpgRClr.c::CREATED BY M.ENOKIDA, CANON INC.

ffcfdcb6  jp56_jpeg rev3.31 2007/02/19 Yukio Chiba & Satoshi Naito

1%

There is an enojpeg4.dll in canon zoom browser. Wonder whats in it.

jplxpto

Quote from: Chucho on September 22, 2012, 11:54:13 PM
1%, I don't use IDA, I use http://pel.hu/armu/ good free program. Pel is also a good programmer, photographer  and friend.

I also already know that emulator but when I tested had some difficulty. In brief test it again. If I need to, I know who I can ask for help :) ... my friend :)

1%

Back OT:

What about:

FF56E9CC:   ff111534       ; 0xff111534: pointer to 0xe51f1140   
FF56E9D0:   ff72db27       ; *'lv_save_jpeg'

a1ex

OK on 5D2, does nothing on 5D3.