log1949.txt -- Wondering how to glitch the camera into producing these logs
Author: thesprawler
Created: Saturday, February 20 2010 14:06.33 CST
DSLR-A100 main firm:r021w-108
logFlg[0] 0xff00ff00
logFlg[1] 0xdf00ff00
logFlg[2] 0xff00ff00
logFlg[3] 0xfd00ff00
logFlg[4] 0xfd00ff00
logFlg[5] 0xff00ff00
logFlg[6] 0xff00ff00
logFlg[7] 0xff00ff00
log1949.log -- created on CF card
Author: thesprawler
Created: Saturday, February 20 2010 14:04.34 CST
FastBoot(0|0)0x3
RecCommandControl() Mode Change
recCommand[0]:0x10,0x0,0x1
----- ChangeBuf 0x0000000f -> 0x00000001 1
Cont 3,109,5,414,2439270,3,3
Rec Start Req
RelLock 0x0,rem 3,buf 3,0x0->0x3
StopIdu-NotEnable
Set LLK IRQ.
--- ImgProc Task start ---
--- Spool Task start ---
drawAll = 63683
------------- usb start --------------
--- procs Task start ---
--- Cache Task start ---
--- Storage Task start ---
str msg:25
CardDetect CardIn
Cont 3,109,5,414,2439270,3,1
idle_root Started
drawAll = 139978
UIRec 8
Card speed is mid.
UIRec 4
UIRec 5
Card speed is super.
MCARD works Multi-sector DMA mode.
Mount:0 10001
getDirIndex:ffff
UIRec 5
DpofParse-OpenFile-Error:0xffffff9a[A:\MISC\AUTPRINT.MRK]
getDirIndex:0
MakeEntryList Start 0
MakeEntryList End
UIRec 5
str msg:26
Cont 3,109,5,414,2439270,3,3
str msg:26
Storage UnMountDisk() OpenCnt:0
SetBossLogicalKeyNopForUi
Bracket Cancel
UIRec 12
Nothing for key:0
RelLock 0x2,rem 3,buf 3,0x3->0x50
UIRec 8
CacheTaskMain:bfffcfbb
CACHE_AHEAD_DISABLE
RelLock 0x0,rem 3,buf 3,0x50->0x3
drawAll = 60849
drawAll = 64170
drawAll = 60687
drawAll = 64906
UIRec 3
Afe 0x61
Afe 0x90
Afe 0x72
Afe 0x12
SV 0x38, ch0 0x119, ch1 0x119, Analog 0x0
#tv:6c,sv:30,NR:0
Afe 0x10
#expOkSmph
expOk
Afe 0x80
Afe 0x30
SV 0x30, ch0 0x59, ch1 0x59, Analog 0x0
Afe 0x71
Afe 0x31
Afe 0x40
ipc msg:1
spl msg:1
splImg 32768
Afe 0x50
Cont 2,109,5,413,2439270,2,3
RelLock 0x0,rem 2,buf 2,0x3->0x2
Afe 0x60
rec yccWait
ipc smraw
DcfEntry->play_current_entryno:205d 205d 205d
imgProcMain 2 1
spl smycc
rec yccWait
rec yccWait
rec yccWait
str msg:28
ipc end
spl END
Cont 3,106,5,413,2439270,3,3
rec yccWait OK
RelLock 0x0,rem 3,buf 3,0x2->0x3
Card speed is super.
MCARD works Multi-sector DMA mode.
Mount:0 10001
str msg:27
writeJpeg
writeJpeg END
str msg:26
str msg:26
Storage UnMountDisk() OpenCnt:0
UIRec 3
Afe 0x61
Afe 0x90
Afe 0x72
Afe 0x12
SV 0x38, ch0 0x119, ch1 0x119, Analog 0x0
#tv:6f,sv:30,NR:0
Afe 0x10
#expOkSmph
expOk
Afe 0x80
Afe 0x30
SV 0x30, ch0 0x59, ch1 0x59, Analog 0x0
Afe 0x71
Afe 0x31
Afe 0x40
ipc msg:1
spl msg:1
splImg 32769
Afe 0x50
Cont 2,109,5,412,2439270,2,3
RelLock 0x0,rem 2,buf 2,0x3->0x2
Afe 0x60
rec yccWait
ipc smraw
DcfEntry->play_current_entryno:205e 205e 205e
imgProcMain 2 1
spl smycc
rec yccWait
rec yccWait
rec yccWait
str msg:28
ipc end
spl END
Cont 3,106,5,412,2439270,3,3
rec yccWait OK
RelLock 0x0,rem 3,buf 3,0x2->0x3
Card speed is super.
MCARD works Multi-sector DMA mode.
Mount:0 10001
str msg:27
writeJpeg
writeJpeg END
str msg:26
str msg:26
Storage UnMountDisk() OpenCnt:0
Afe 0x61
Afe 0x90
Afe 0x72
Afe 0x12
SV 0x38, ch0 0x119, ch1 0x119, Analog 0x0
#tv:6d,sv:30,NR:0
UIRec 3
Afe 0x10
#expOkSmph
expOk
Afe 0x80
Afe 0x30
SV 0x30, ch0 0x59, ch1 0x59, Analog 0x0
Afe 0x71
Afe 0x31
Afe 0x40
ipc msg:1
spl msg:1
splImg 32770
Afe 0x50
Cont 2,109,5,412,2439270,2,3
RelLock 0x0,rem 2,buf 2,0x3->0x2
Afe 0x60
rec yccWait
ipc smraw
DcfEntry->play_current_entryno:205f 205f 205f
imgProcMain 2 1
spl smycc
rec yccWait
rec yccWait
rec yccWait
str msg:28
ipc end
spl END
Cont 3,106,5,412,2439270,3,3
rec yccWait OK
RelLock 0x0,rem 3,buf 3,0x2->0x3
Card speed is super.
MCARD works Multi-sector DMA mode.
Mount:0 10001
str msg:27
writeJpeg
StopIdu-NotEnable
UIRec 10
UIAfterView 8
cursor x = 1936 : y = 1452
RelLock 0x2,rem 3,buf 3,0x3->0x50
writeJpeg END
str msg:26
UIAfterView 4
UIAfterView 4
str msg:26
Storage UnMountDisk() OpenCnt:0
UIRec 8
RelLock 0x0,rem 3,buf 3,0x50->0x3
drawAll = 64863
drawAll = 60283
CacheTaskMain:bfffcfbb
CACHE_AHEAD_DISABLE
SetBossLogicalKeyNopForUi
Bracket Cancel
UIRec 12
Nothing for key:0
RelLock 0x2,rem 3,buf 3,0x3->0x50
UIRec 8
CacheTaskMain:bfffcfbb
CACHE_AHEAD_DISABLE
RelLock 0x0,rem 3,buf 3,0x50->0x3
drawAll = 60843
SetBossLogicalKeyNopForUi
Bracket Cancel
UIRec 12
Nothing for key:0
RelLock 0x2,rem 3,buf 3,0x3->0x50
UIRec 8
CacheTaskMain:bfffcfbb
CACHE_AHEAD_DISABLE
RelLock 0x0,rem 3,buf 3,0x50->0x3
drawAll = 60787
drawAll = 64873
UIRec 9
UIRec 3
Afe 0x61
Afe 0x90
Afe 0x72
Afe 0x12
SV 0x38, ch0 0x119, ch1 0x119, Analog 0x0
#tv:6c,sv:38,NR:0
Afe 0x10
#expOkSmph
expOk
Afe 0x80
Afe 0x30
SV 0x38, ch0 0x119, ch1 0x119, Analog 0x0
Afe 0x71
Afe 0x31
Afe 0x40
ipc msg:1
spl msg:1
splImg 32771
Afe 0x50
Cont 2,109,5,411,2439270,2,3
RelLock 0x0,rem 2,buf 2,0x3->0x2
Afe 0x60
rec yccWait
ipc smraw
DcfEntry->play_current_entryno:2060 2060 2060
imgProcMain 2 1
spl smycc
rec yccWait
rec yccWait
rec yccWait
str msg:28
ipc end
spl END
Cont 3,106,5,411,2439270,3,3
rec yccWait OK
RelLock 0x0,rem 3,buf 3,0x2->0x3
Card speed is super.
MCARD works Multi-sector DMA mode.
Mount:0 10001
str msg:27
writeJpeg
writeJpeg END
str msg:26
str msg:26
Storage UnMountDisk() OpenCnt:0
BOOT WORK AROUND
BOOT COMM Not First1
bossCameraCommReceiveCommand 0x0
receiveBossCameraSize Error 0x0,0x33
bossCameraCommSendCommand 0x4
bossCameraCommSendSize 0x20
S[0]04,00
S[1]1d,00
S[2]00,00
S[3]04,00
S[4]80,00
S[5]80,00
S[6]01,00
S[7]70,00
S[8]30,00
S[9]54,00
S[a]00,00
S[b]04,00
S[c]00,00
S[d]07,00
S[e]01,00
S[f]00,00
S[10]00,00
S[11]00,00
S[12]01,00
S[13]03,00
S[14]00,00
S[15]00,00
S[16]04,00
S[17]01,00
S[18]00,00
S[19]00,00
S[1a]00,00
S[1b]00,00
S[1c]00,00
S[1d]01,00
S[1e]00,00
S[1f]00,00
bossCameraCommReceiveCommandBk 0x3
bossCameraCommReceiveSizeBk 0x2d
R[0]ff
R[1]df
R[2]e3
R[3]0c
R[4]0f
R[5]00
R[6]00
R[7]00
R[8]00
R[9]00
R[a]e1
R[b]30
R[c]12
R[d]7f
R[e]02
R[f]79
R[10]02
R[11]4f
R[12]03
R[13]00
R[14]02
R[15]00
R[16]00
R[17]70
R[18]30
R[19]6b
R[1a]39
R[1b]00
R[1c]02
R[1d]80
R[1e]00
R[1f]00
R[20]00
R[21]00
R[22]00
R[23]00
R[24]00
R[25]00
R[26]00
R[27]00
R[28]00
R[29]00
R[2a]00
R[2b]00
R[2c]00
SystemFatalError = -16711679:8001eab8:80002860:800b0000:800029d8:800021ec:800023f8:80002a9c:800023a0:
System Error:ff010001
DSLR-A100 main firm:r021w-108
2009:08:14 18:40
>>>>>>>
Trying to reverse the firmware for the Sony DSLR A100 camera
Author: thesprawler
Created: Wednesday, February 17 2010 23:15.11 CST
Modified: Wednesday, February 17 2010 23:16.55 CST
Firmware for MIPS R3000, big endian
I have no experience programming in assembly but with a reference manual I can slowly follow pieces of a deadlisting. This project is for fun and a way to learn about embedded systems and reversing.
The firmware is version 1.04 and downloaded from Sony's support website for the camera. Users are instructed to copy the file ("DSCA100.APP") to the root folder of the camera's compact flash card.
The first 256 bytes of the file appear to be a header that identifies the firmware revision, country of operation, and is padded with nulls.
The next 12 bytes are two instructions (la is an assembler pseudo-instruction that the disassembler shows for a lui/ori pair, which is why two instructions occupy 12 bytes):
la $1 0x80001110
jr $1 0x80001110
Q: Is 0x80001110 the entry point for the camera app? Where is this address relative to the firmware file?
My camera created a logfile on the compact flash card that appears to include a function stack trace (a list of return addresses):
SystemFatalError = -16711679:8001eab8:80002860:800b0000:800029d8:800021ec:800023f8:80002a9c:800023a0:
By calculating the number of bytes between each of the (presumed) addresses I can attempt to discover how the firmware file is located in memory. Assuming that the three bytes 27 BD FF represent the beginning of a function (in big-endian MIPS they encode addiu $sp, $sp, -N, the usual stack-frame prologue), I can scan the firmware file for function addresses that are spaced apart according to the stack trace. I wrote a script to do this and...success! Well, at least the pattern of spacing between functions indicated in the stack trace does exist.
Fn trace address = firmware file offset (each row is a pair of consecutive trace addresses whose matching file offsets are spaced the same distance apart)
0x800021ec = 0x14d4    0x800023a0 = 0x1688
0x800023a0 = 0x3780    0x800023f8 = 0x37d8
0x800023f8 = 0x58bd4   0x80002860 = 0x5903c
0x80002860 = 0x60324   0x800029d8 = 0x6049c
0x800029d8 = 0x6acc8   0x80002a9c = 0x6ad8c
0x80002a9c = 0x73218   0x8001eab8 = 0x8f234
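The spacing search described above, as an added example that is not the post's own script: it parses the SystemFatalError line, finds 4-byte-aligned 27 BD FF prologue words in a firmware image, and lists prologue pairs whose file-offset spacing equals the spacing of consecutive trace addresses. It goes one step beyond the post by also computing the load delta (trace address minus file offset) each match implies, which is the check that exposes why the offsets in the table cannot all be right. The firmware image here is a constructed stand-in for DSCA100.APP, not the real file.

```python
# Constructed input: the SystemFatalError line quoted in the post above.
TRACE_LINE = ("SystemFatalError = -16711679:8001eab8:80002860:800b0000:"
              "800029d8:800021ec:800023f8:80002a9c:800023a0:")

# Big-endian MIPS 'addiu $sp,$sp,-N' (N < 256): the prologue bytes the post scans for.
PROLOGUE = b"\x27\xbd\xff"


def parse_trace(line):
    """Return (error code, sorted trace addresses) from a SystemFatalError line."""
    fields = line.split("=", 1)[1].strip().strip(":").split(":")
    # The first field is printed as a signed 32-bit int: -16711679 == 0xff010001,
    # the same value the log prints as 'System Error:ff010001'.
    code = int(fields[0]) & 0xffffffff
    addrs = sorted(int(f, 16) for f in fields[1:])
    return code, addrs


def find_prologues(image):
    """File offsets of every 4-byte-aligned word that starts with 27 BD FF."""
    return [off for off in range(0, len(image) - 3, 4)
            if image[off:off + 3] == PROLOGUE]


def match_spacing(prologues, addrs):
    """For each consecutive pair of trace addresses, list prologue pairs whose
    file-offset spacing equals the address spacing (the post's pattern search)."""
    present = set(prologues)
    hits = {}
    for a, b in zip(addrs, addrs[1:]):
        delta = b - a
        hits[(a, b)] = [(p, p + delta) for p in prologues if p + delta in present]
    return hits


def load_deltas(hits):
    """(trace address - file offset) implied by each matched pair. If the file is
    mapped at a single base address, every true match yields the same value."""
    return sorted({a - p for (a, _b), pairs in hits.items() for (p, _q) in pairs})


def build_sample_image(size, offsets):
    """Constructed stand-in for the firmware file: zeros plus a fake prologue
    word ('addiu $sp,$sp,-0x20') at each given offset."""
    img = bytearray(size)
    for off in offsets:
        img[off:off + 4] = PROLOGUE + b"\xe0"
    return bytes(img)
```

With prologues planted at 0x14d4/0x1688 and 0x3780/0x37d8 the two matches imply different load deltas (0x80000d18 and 0x7fffec20), reproducing the inconsistency visible in the table above.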