Topic: existing Canon scripting?

Indy

existing Canon scripting ?
« on: January 26, 2013, 01:04:24 PM »
Hi,

And what about understanding the -existing- scripting language from Canon since the 5DM3 (EOS-M and 6D)?
(Below is 5DM3 firmware 1.1.3, offset in the first column.)
It seems different from: http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=Exploiting_Digital_Cameras

 25ca00 %d: %s -%s, -%s, -%s, %d
 25ca1c Script error!! %d
 25ca30 %d: %s %s, %s, %s, %d
 25cd34 while
 25cd40 else
 25cd48 break
 25cd50 wait
 25cd58 print
 25cd60 ExecuteProc
 25cd6c ExecuteProc %s %d ...
 25cd84 CallInnerFunc
 25cd94 checkCallInnerFunc
 25cda8 Displaywindow
 25d0bc Hidewindow
 25d0c8 SetTimerAfter
 25d0d8 Createwindow
 25d0ec Drawtext
 25d0f8 DrawtextFocus
 25d108 Drawtextf
 25d114 Drawrect
 25d120 peek
 25d128 poke
 25d130 peekl
 25d138 pokel
 25d36c Call
...
 25d9f0 AUTOEXEC.SC
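
The listing above is what `strings -t x` gives on a firmware dump, filtered by hand. As an added example (not part of this thread and not Magic Lantern code), here is a small Python script that automates the first step of that kind of analysis: it extracts NUL-terminated printable strings with their offsets and then looks for the densest cluster of the interpreter keywords quoted in the post, which is a cheap way to locate a keyword table in an unknown image. The firmware bytes it runs on are a constructed stand-in, not a real Canon image; the window size and hit threshold are assumptions you would tune per dump.

```python
"""Locate a candidate script-interpreter keyword table in a firmware dump.

Added example, not code from the forum thread. The keyword set comes from
the strings listed in the post; the image built by build_sample_image() is
constructed for the demo and is NOT a real Canon firmware.
"""
import re
from typing import List, Optional, Tuple

# Keywords of the built-in script interpreter, as seen in the post's listing.
SCRIPT_KEYWORDS = frozenset({
    "while", "else", "break", "wait", "print", "ExecuteProc",
    "CallInnerFunc", "peek", "poke", "peekl", "pokel", "Call",
})


def extract_strings(blob: bytes, min_len: int = 4) -> List[Tuple[int, str]]:
    """Return (offset, text) for every NUL-terminated run of printable ASCII
    of at least min_len bytes, i.e. roughly what `strings -t x` prints.
    The lookahead for \\x00 drops printable runs that are just binary noise."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}(?=\x00)" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(blob)]


def format_listing(strings: List[Tuple[int, str]]) -> List[str]:
    """Render strings in the same 'hex offset, text' layout as the post."""
    return [f"{off:6x} {text}" for off, text in strings]


def find_keyword_table(strings: List[Tuple[int, str]], window: int = 0x400,
                       min_hits: int = 6) -> Optional[Tuple[int, int, List[str]]]:
    """Find the densest cluster of known keywords whose offsets lie within
    `window` bytes of the cluster's first keyword (assumed tuning values).
    Returns (first_offset, last_offset, keywords in address order) or None."""
    hits = [(off, s) for off, s in strings if s in SCRIPT_KEYWORDS]
    best: Optional[List[Tuple[int, str]]] = None
    for i, (start, _) in enumerate(hits):
        cluster = [(o, s) for o, s in hits[i:] if o - start <= window]
        if len(cluster) >= min_hits and (best is None or len(cluster) > len(best)):
            best = cluster
    if best is None:
        return None
    return best[0][0], best[-1][0], [s for _, s in best]


def build_sample_image() -> bytes:
    """Constructed stand-in for a firmware dump (NOT a real Canon image):
    zero filler, one error format string, binary noise, a keyword table with
    4-byte aligned entries, a large gap, then a second smaller group."""
    def entry(s: str) -> bytes:
        raw = s.encode("ascii") + b"\x00"
        return raw + b"\x00" * (-len(raw) % 4)   # pad to 4-byte alignment

    noise = bytes(range(0x80, 0x100))            # no printable bytes at all
    img = bytearray(b"\x00" * 0x100)
    img += entry("Script error!! %d")
    img += noise * 2
    img += b"".join(entry(k) for k in [
        "while", "else", "break", "wait", "print", "ExecuteProc",
        "ExecuteProc %s %d ...", "CallInnerFunc", "checkCallInnerFunc",
        "Displaywindow",
    ])
    img += noise * 16                            # 0x800-byte gap, wider than the window
    img += b"".join(entry(k) for k in ["peek", "poke", "peekl", "pokel", "Call"])
    img += entry("AUTOEXEC.SC")
    return bytes(img)


if __name__ == "__main__":
    found = extract_strings(build_sample_image())
    print("\n".join(format_listing(found)))
    table = find_keyword_table(found)
    if table:
        first, last, names = table
        print(f"keyword table candidate: {first:#x}..{last:#x} ({len(names)} hits)")
```

Note that the exact-match test against `SCRIPT_KEYWORDS` is deliberate: a substring test would let `Call` fire on `CallInnerFunc` and `checkCallInnerFunc` and inflate the cluster. On a real dump you would add the offset of the dump's load base to the printed offsets before comparing with disassembler addresses.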

a1ex

Re: existing Canon scripting ?
« Reply #1 on: January 26, 2013, 01:26:58 PM »
Well...
- we don't know how to execute it
- it's only on digic 5 cameras
- it looks more useful for reverse engineering than for user-level scripting

The idea for PicoC is user-level scripting, similar to CHDK.

Indy

Re: existing Canon scripting ?
« Reply #2 on: January 26, 2013, 04:21:19 PM »
Way, reverse is cool,
but I do not have a Digic 5 camera:

Loaded from SD card?
Code:
ROM:FF31D4D0                 ADR     R1, aBS_0       ; "B:/%s"
ROM:FF31D4D4                 MOV     R0, SP
ROM:FF31D4D8                 BL      sub_FF144418
ROM:FF31D4DC                 MOV     R1, SP
ROM:FF31D4E0                 ADR     R0, aOpenS      ; "open %s\n"
ROM:FF31D4E4                 BL      sub_FF0C1F40
When pressing the delete button?
Code:
ROM:FF31DA34                 ADR     R0, aOn_erase   ; "ON_ERASE\n"
ROM:FF31DA38                 BL      sub_FF0C1F40
ROM:FF31DA3C                 LDR     R0, [R6,#8]
ROM:FF31DA40                 CMP     R0, #7
ROM:FF31DA44                 BNE     loc_FF31DA58
ROM:FF31DA48                 LDR     R0, [R6,#0x14]
ROM:FF31DA4C                 CMP     R0, #0
ROM:FF31DA50                 BLEQ    check_script_file

main parser is here = FF31C880 parser
FF31D250 hash_something
FF31D228 computeHash
FF31B930 strcpy
FF484F88 separator_something
FF1448C0 strcmp
FF31C444 bin_operations

Indy

nanomad

Re: existing Canon scripting ?
« Reply #3 on: January 26, 2013, 04:33:35 PM »
There's quite a bit of stuff in the main parser routine.

And the trashcan button is a classy move

edit: ROM:FF31DA34   looks like a button handler to me

edit: seems to be called only from a routine referencing a "Secret mode"
"[MC] Enter Secret mode : FA_SetReleaseModeForSR !"

Indy

Re: existing Canon scripting ?
« Reply #4 on: January 26, 2013, 06:32:31 PM »
Good catch!

Quote from: nanomad
> There's quite a bit of stuff in the main parser routine.
>
> And the trashcan button is a classy move
>
> edit: ROM:FF31DA34   looks like a button handler to me
>
> edit: seems to be called only from a routine referencing a "Secret mode"
> "[MC] Enter Secret mode : FA_SetReleaseModeForSR !"

Indy

Re: existing Canon scripting ?
« Reply #5 on: January 26, 2013, 07:47:18 PM »
It seems linked to the direct printing menu, no?
FF14525C                 BL      script_trigger_maybe

Chucho

Re: existing Canon scripting ?
« Reply #6 on: January 26, 2013, 08:20:40 PM »
Here is Oren Isacson and Alfredo Ortega's presentation at Defcon 18