Created: Wednesday, February 17 2010 23:15.11 CST
Modified: Wednesday, February 17 2010 23:16.55 CST
Trying to reverse the firmware for the Sony DSLR A100 camera
Author: thesprawler
Firmware for MIPS R3000, big endian
I have no experience programming in assembly but with a reference manual I can slowly follow pieces of a deadlisting. This project is for fun and a way to learn about embedded systems and reversing.
The firmware is version 1.04 and downloaded from Sony's support website for the camera. Users are instructed to copy the file ("DSCA100.APP") to the root folder of the camera's compact flash card.
The first 256 bytes of the file appear to be a header that identifies the firmware revision and country of operation and is padded with nulls.
The next 12 bytes are two instructions (la is a pseudo-instruction that expands to lui/ori, 8 bytes, which together with the 4-byte jr accounts for the 12):
la $1 0x80001110    ; lui $1, 0x8000 / ori $1, $1, 0x1110
jr $1 0x80001110    ; jump through $1; the address is the listing's annotation of the target
Q: Is 0x80001110 the entry point for the camera app? Where is this address relative to the firmware file?
My camera created a logfile on the compact flash card that appears to include a fn stack trace:
SystemFatalError = -16711679:8001eab8:80002860:800b0000:800029d8:800021ec:800023f8:80002a9c:800023a0:
By calculating the number of bytes between each of the (presumed) addresses I can attempt to discover how the firmware file is located in memory. Assuming that the three bytes 27 BD FF represent the beginning of a function (big-endian addiu $sp, $sp, -N, the usual stack-frame setup), I can scan the firmware file for function addresses that are spaced apart according to the stack trace. I wrote a script to do this and...success! Well, at least the pattern of spacing between functions indicated in the fn stack trace does exist.
Fn trace address -> firmware file offset (each row is one pair of adjacent trace addresses, sorted ascending, with two file offsets found at the same spacing):
0x800021ec -> 0x14d4     0x800023a0 -> 0x1688
0x800023a0 -> 0x3780     0x800023f8 -> 0x37d8
0x800023f8 -> 0x58bd4    0x80002860 -> 0x5903c
0x80002860 -> 0x60324    0x800029d8 -> 0x6049c
0x800029d8 -> 0x6acc8    0x80002a9c -> 0x6ad8c
0x80002a9c -> 0x73218    0x8001eab8 -> 0x8f234
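The spacing scan described above, written out as an added example in Python (not the author's script). It runs on a constructed stand-in image with prologue bytes planted at offsets consistent with an assumed load address of 0x80001000, reproduces the pairwise check from the post, and also generalises it: every (trace address, prologue offset) pair votes for a load address, so the real one stands out with one vote per trace frame.

```python
import re
from collections import Counter

LOAD_ADDR = 0x80001000  # assumed load address for the constructed sample (image byte 0 maps here)
TRACE = [0x800021ec, 0x800023a0, 0x800023f8]  # three frames from the SystemFatalError line, ascending
PROLOGUE = b"\x27\xbd\xff"  # big-endian addiu $sp,$sp,-N: first 3 bytes of a typical MIPS function

def build_sample_firmware() -> bytes:
    """Constructed stand-in for DSCA100.APP: a 256-byte header, then filler with prologues planted."""
    img = bytearray(0x2000)
    img[:16] = b"DSCA100 v1.04 US"  # constructed header text, not the real header
    for addr in TRACE:
        off = addr - LOAD_ADDR
        img[off:off + 4] = PROLOGUE + b"\xe0"  # addiu $sp,$sp,-32
    img[0x1800:0x1804] = PROLOGUE + b"\xd8"  # a decoy prologue with no frame in the trace
    return bytes(img)

def prologue_offsets(fw: bytes) -> list:
    """Word-aligned file offsets where a prologue begins (MIPS instructions are 4-byte aligned)."""
    return [m.start() for m in re.finditer(re.escape(PROLOGUE), fw) if m.start() % 4 == 0]

def trace_deltas(trace) -> list:
    """Byte distance between consecutive (ascending) trace addresses."""
    return [b - a for a, b in zip(trace, trace[1:])]

def pairwise_matches(fw: bytes, trace) -> list:
    """The post's check: for each consecutive trace pair, every prologue pair spaced exactly that far apart."""
    offs = set(prologue_offsets(fw))
    result = []
    for (a, b), d in zip(zip(trace, trace[1:]), trace_deltas(trace)):
        result.append([(a, p, b, p + d) for p in sorted(offs) if p + d in offs])
    return result

def candidate_load_addresses(fw: bytes, trace, top: int = 3) -> list:
    """Generalisation: each (trace address, prologue offset) pair votes for load = address - offset.
    The real load address gets one vote per trace frame that is a function entry; noise gets one."""
    votes = Counter()
    for p in prologue_offsets(fw):
        for a in trace:
            if a >= p:
                votes[a - p] += 1
    return votes.most_common(top)

if __name__ == "__main__":
    fw = build_sample_firmware()
    for pairs in pairwise_matches(fw, TRACE):
        print([(hex(a), hex(p), hex(b), hex(q)) for a, p, b, q in pairs])
    print([(hex(base), n) for base, n in candidate_load_addresses(fw, TRACE)])
```

On the real file, a frame that is not a function entry (a return address in the middle of a function, or a value like 0x800b0000) simply casts stray votes, so the vote count for the winning address tells you how many trace entries actually line up.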
Blog Comments
igorsk
Posted: Thursday, February 18 2010 10:25.34 CST
Looks like the load address is 0x80001000.
thesprawler
Posted: Thursday, February 18 2010 22:26.58 CST
Thank you for the note. Without real world experience it's hard to know what are safe assumptions since verification costs are high!
cyphunk
Posted: Saturday, February 20 2010 11:45.12 CST
Yoohoo, I'm down with this. Have one of these cameras and will try to catch up with where you are in the next couple days. It's interesting that they don't go the route that Canon and Panasonic use for updates: update image is just a zipped up package of firmware+etc+update scripts that it runs to actually load the firmware. FYI, the CHDK group has done a lot on the Canons and I have a post somewhere on the Panasonic.
thesprawler
Posted: Saturday, February 20 2010 13:54.52 CST
Cyphunk: try a search for "minolta 2186adj" -- have to run out the door now but I have a hunch (hope) that the A100 has useful similarities with the 7D.
thesprawler
Posted: Saturday, February 20 2010 14:24.23 CST
The website dynax.newmail.ru has good starting info and rsrcs for the adjustment program.