Existing Canon scripting?

Started by Indy, January 26, 2013, 01:04:24 PM

Indy

Hi,

What about understanding the -existing- scripting language from Canon, present since the 5DM3 (and on the EOS-M and 6D)?
(Below is 5DM3 firmware 1.1.3, offset in the first column.)
It seems different from: http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=Exploiting_Digital_Cameras

25ca00 %d: %s -%s, -%s, -%s, %d
25ca1c Script error!! %d
25ca30 %d: %s %s, %s, %s, %d
25cd34 while
25cd40 else
25cd48 break
25cd50 wait
25cd58 print
25cd60 ExecuteProc
25cd6c ExecuteProc %s %d ...
25cd84 CallInnerFunc
25cd94 checkCallInnerFunc
25cda8 Displaywindow
25d0bc Hidewindow
25d0c8 SetTimerAfter
25d0d8 Createwindow
25d0ec Drawtext
25d0f8 DrawtextFocus
25d108 Drawtextf
25d114 Drawrect
25d120 peek
25d128 poke
25d130 peekl
25d138 pokel
25d36c Call
...
25d9f0 AUTOEXEC.SC
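
The listing above is what a string dump of the firmware looks like once you filter it down to the interpreter's keyword table. The following is an added example (not code from this thread or from Magic Lantern) of how to produce such a listing from a raw firmware image and locate the keyword cluster automatically: it extracts NUL-terminated printable strings with their offsets, then finds the densest window of hits against the keywords Indy listed. The firmware fragment it scans is constructed inline for the example; its offsets are not the 5D3 1.1.3 offsets quoted above, and the 4-byte entry alignment is an assumption about layout, not something taken from the dump.

```python
"""Locate a script interpreter's keyword table in a raw firmware image.

Added example for the thread above; not Canon's or Magic Lantern's code.
Works offline on the constructed SAMPLE blob built at the bottom.
"""
from typing import List, Optional, Tuple

# Keywords Indy listed from the 5D Mark III 1.1.3 dump. A cluster of these
# in a string dump is a strong signal that the interpreter's table is nearby.
KEYWORDS = {"while", "else", "break", "wait", "print", "ExecuteProc",
            "CallInnerFunc", "peek", "poke", "peekl", "pokel", "Call"}


def find_strings(blob: bytes, min_len: int = 4) -> List[Tuple[int, str]]:
    """Return (offset, text) for every NUL-terminated run of printable ASCII
    of at least min_len bytes, in file order (like `strings -t x`, but
    requiring the C-style terminator so random printable bytes are skipped)."""
    out: List[Tuple[int, str]] = []
    start: Optional[int] = None
    for i, b in enumerate(blob):
        if 0x20 <= b <= 0x7E:
            if start is None:
                start = i
        else:
            # Only accept the run if it ends in a NUL and is long enough;
            # a run cut off by any other byte is discarded as noise.
            if start is not None and b == 0 and i - start >= min_len:
                out.append((start, blob[start:i].decode("ascii")))
            start = None
    return out


def format_listing(strings: List[Tuple[int, str]]) -> List[str]:
    """Render strings the way the forum post does: hex offset, space, text."""
    return ["%06x %s" % (off, s) for off, s in strings]


def find_keyword_table(strings: List[Tuple[int, str]],
                       keywords=KEYWORDS, window: int = 0x400,
                       min_hits: int = 4) -> Optional[List[Tuple[int, str]]]:
    """Return the largest group of keyword hits that fits in `window` bytes
    (starting at some hit), or None if no group reaches min_hits.
    Keyword tables are laid out contiguously, so density beats a plain grep."""
    hits = [(off, s) for off, s in strings if s in keywords]
    best: Optional[List[Tuple[int, str]]] = None
    for i, (off, _) in enumerate(hits):
        group = [h for h in hits[i:] if h[0] - off <= window]
        if len(group) >= min_hits and (best is None or len(group) > len(best)):
            best = group
    return best


def _cstr(s: str, align: int = 4) -> bytes:
    """NUL-terminate and pad to `align` bytes (assumed table entry layout)."""
    b = s.encode("ascii") + b"\x00"
    return b + b"\x00" * (-len(b) % align)


def build_sample() -> bytes:
    """Constructed firmware fragment: filler, an error string, some binary
    noise, a contiguous keyword table, a gap, then the script file name."""
    blob = bytearray(b"\xff" * 0x100)
    blob += _cstr("Script error!! %d")
    blob += b"\xde\xad\xbe\xef" * 8       # non-printable noise, no strings
    for kw in ["while", "else", "break", "wait",
               "print", "ExecuteProc", "peek", "poke"]:
        blob += _cstr(kw)
    blob += b"\x00" * 0x20
    blob += _cstr("AUTOEXEC.SC")
    return bytes(blob)


SAMPLE = build_sample()

if __name__ == "__main__":
    strs = find_strings(SAMPLE)
    print("\n".join(format_listing(strs)))
    table = find_keyword_table(strs)
    if table:
        print("keyword table candidate: %06x-%06x (%d hits)"
              % (table[0][0], table[-1][0], len(table)))
```

Run it as-is to see the constructed listing; on a real dump, replace `SAMPLE` with the file contents and, if the table is split across sections, widen `window`.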

a1ex

Well...
- we don't know how to execute it
- it's only on DIGIC 5 cameras
- it looks more useful for reverse engineering than for user-level scripting

The idea for PicoC is user-level scripting, similar to CHDK.

Indy

Yes, reversing is cool,
but I do not have a DIGIC 5 camera:

Loaded from the SD card?
ROM:FF31D4D0                 ADR     R1, aBS_0       ; "B:/%s"
ROM:FF31D4D4                 MOV     R0, SP
ROM:FF31D4D8                 BL      sub_FF144418
ROM:FF31D4DC                 MOV     R1, SP
ROM:FF31D4E0                 ADR     R0, aOpenS      ; "open %s\n"
ROM:FF31D4E4                 BL      sub_FF0C1F40

When pressing the delete button?
ROM:FF31DA34                 ADR     R0, aOn_erase   ; "ON_ERASE\n"
ROM:FF31DA38                 BL      sub_FF0C1F40
ROM:FF31DA3C                 LDR     R0, [R6,#8]
ROM:FF31DA40                 CMP     R0, #7
ROM:FF31DA44                 BNE     loc_FF31DA58
ROM:FF31DA48                 LDR     R0, [R6,#0x14]
ROM:FF31DA4C                 CMP     R0, #0
ROM:FF31DA50                 BLEQ    check_script_file


The main parser is here: FF31C880 parser
FF31D250 hash_something
FF31D228 computeHash
FF31B930 strcpy
FF484F88 separator_something
FF1448C0 strcmp
FF31C444 bin_operations

nanomad

There's quite a bit of stuff in the main parser routine.

And the trashcan button is a classy move

Edit: ROM:FF31DA34 looks like a button handler to me.

Edit: it seems to be called only from a routine referencing a "Secret mode":
"[MC] Enter Secret mode : FA_SetReleaseModeForSR !"

Indy

Good catch!

Indy

It seems linked to the direct printing menu, no?
FF14525C                 BL      script_trigger_maybe

Chucho

Here is Oren Isacson and Alfredo Ortega's presentation at DEF CON 18: http://www.youtube.com/watch?v=jp_cwNUGeWU