OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.
thesprawler's Blog
Created: Saturday, February 20 2010 14:06.33 CST
log1949.txt -- Wondering how to glitch the camera into producing these logs
Author: thesprawler, Views: 3723
DSLR-A100 main firm:r021w-108
logFlg[0] 0xff00ff00
logFlg[1] 0xdf00ff00
logFlg[2] 0xff00ff00
logFlg[3] 0xfd00ff00
logFlg[4] 0xfd00ff00
logFlg[5] 0xff00ff00
logFlg[6] 0xff00ff00
logFlg[7] 0xff00ff00
Created: Saturday, February 20 2010 14:04.34 CST
log1949.log -- created on CF card
Author: thesprawler, Views: 3696
FastBoot(0|0)0x3
RecCommandControl() Mode Change
recCommand[0]:0x10,0x0,0x1
----- ChangeBuf 0x0000000f -> 0x00000001 1
Cont 3,109,5,414,2439270,3,3
Rec Start Req
RelLock 0x0,rem 3,buf 3,0x0->0x3
StopIdu-NotEnable
Set LLK IRQ.
--- ImgProc Task start ---
--- Spool Task start ---
drawAll = 63683
------------- usb start --------------
--- procs Task start ---
--- Cache Task start ---
--- Storage Task start ---
str msg:25
CardDetect CardIn
Cont 3,109,5,414,2439270,3,1
idle_root Started
drawAll = 139978
UIRec 8
Card speed is mid.
UIRec 4
UIRec 5
Card speed is super.
MCARD works Multi-sector DMA mode.
Mount:0 10001
getDirIndex:ffff
UIRec 5
DpofParse-OpenFile-Error:0xffffff9a[A:\MISC\AUTPRINT.MRK]
getDirIndex:0
MakeEntryList Start 0
MakeEntryList End
UIRec 5
str msg:26
Cont 3,109,5,414,2439270,3,3
str msg:26
Storage UnMountDisk() OpenCnt:0
SetBossLogicalKeyNopForUi
Bracket Cancel
UIRec 12
Nothing for key:0
RelLock 0x2,rem 3,buf 3,0x3->0x50
UIRec 8
CacheTaskMain:bfffcfbb
CACHE_AHEAD_DISABLE
RelLock 0x0,rem 3,buf 3,0x50->0x3
drawAll = 60849
drawAll = 64170
drawAll = 60687
drawAll = 64906
UIRec 3
Afe 0x61
Afe 0x90
Afe 0x72
Afe 0x12
SV 0x38, ch0 0x119, ch1 0x119, Analog 0x0
#tv:6c,sv:30,NR:0
Afe 0x10
#expOkSmph
expOk
Afe 0x80
Afe 0x30
SV 0x30, ch0 0x59, ch1 0x59, Analog 0x0
Afe 0x71
Afe 0x31
Afe 0x40
ipc msg:1
spl msg:1
splImg 32768
Afe 0x50
Cont 2,109,5,413,2439270,2,3
RelLock 0x0,rem 2,buf 2,0x3->0x2
Afe 0x60
rec yccWait
ipc smraw
DcfEntry->play_current_entryno:205d 205d 205d
imgProcMain 2 1
spl smycc
rec yccWait
rec yccWait
rec yccWait
str msg:28
ipc end
spl END
Cont 3,106,5,413,2439270,3,3
rec yccWait OK
RelLock 0x0,rem 3,buf 3,0x2->0x3
Card speed is super.
MCARD works Multi-sector DMA mode.
Mount:0 10001
str msg:27
writeJpeg
writeJpeg END
str msg:26
str msg:26
Storage UnMountDisk() OpenCnt:0
UIRec 3
Afe 0x61
Afe 0x90
Afe 0x72
Afe 0x12
SV 0x38, ch0 0x119, ch1 0x119, Analog 0x0
#tv:6f,sv:30,NR:0
Afe 0x10
#expOkSmph
expOk
Afe 0x80
Afe 0x30
SV 0x30, ch0 0x59, ch1 0x59, Analog 0x0
Afe 0x71
Afe 0x31
Afe 0x40
ipc msg:1
spl msg:1
splImg 32769
Afe 0x50
Cont 2,109,5,412,2439270,2,3
RelLock 0x0,rem 2,buf 2,0x3->0x2
Afe 0x60
rec yccWait
ipc smraw
DcfEntry->play_current_entryno:205e 205e 205e
imgProcMain 2 1
spl smycc
rec yccWait
rec yccWait
rec yccWait
str msg:28
ipc end
spl END
Cont 3,106,5,412,2439270,3,3
rec yccWait OK
RelLock 0x0,rem 3,buf 3,0x2->0x3
Card speed is super.
MCARD works Multi-sector DMA mode.
Mount:0 10001
str msg:27
writeJpeg
writeJpeg END
str msg:26
str msg:26
Storage UnMountDisk() OpenCnt:0
Afe 0x61
Afe 0x90
Afe 0x72
Afe 0x12
SV 0x38, ch0 0x119, ch1 0x119, Analog 0x0
#tv:6d,sv:30,NR:0
UIRec 3
Afe 0x10
#expOkSmph
expOk
Afe 0x80
Afe 0x30
SV 0x30, ch0 0x59, ch1 0x59, Analog 0x0
Afe 0x71
Afe 0x31
Afe 0x40
ipc msg:1
spl msg:1
splImg 32770
Afe 0x50
Cont 2,109,5,412,2439270,2,3
RelLock 0x0,rem 2,buf 2,0x3->0x2
Afe 0x60
rec yccWait
ipc smraw
DcfEntry->play_current_entryno:205f 205f 205f
imgProcMain 2 1
spl smycc
rec yccWait
rec yccWait
rec yccWait
str msg:28
ipc end
spl END
Cont 3,106,5,412,2439270,3,3
rec yccWait OK
RelLock 0x0,rem 3,buf 3,0x2->0x3
Card speed is super.
MCARD works Multi-sector DMA mode.
Mount:0 10001
str msg:27
writeJpeg
StopIdu-NotEnable
UIRec 10
UIAfterView 8
cursor x = 1936 : y = 1452
RelLock 0x2,rem 3,buf 3,0x3->0x50
writeJpeg END
str msg:26
UIAfterView 4
UIAfterView 4
str msg:26
Storage UnMountDisk() OpenCnt:0
UIRec 8
RelLock 0x0,rem 3,buf 3,0x50->0x3
drawAll = 64863
drawAll = 60283
CacheTaskMain:bfffcfbb
CACHE_AHEAD_DISABLE
SetBossLogicalKeyNopForUi
Bracket Cancel
UIRec 12
Nothing for key:0
RelLock 0x2,rem 3,buf 3,0x3->0x50
UIRec 8
CacheTaskMain:bfffcfbb
CACHE_AHEAD_DISABLE
RelLock 0x0,rem 3,buf 3,0x50->0x3
drawAll = 60843
SetBossLogicalKeyNopForUi
Bracket Cancel
UIRec 12
Nothing for key:0
RelLock 0x2,rem 3,buf 3,0x3->0x50
UIRec 8
CacheTaskMain:bfffcfbb
CACHE_AHEAD_DISABLE
RelLock 0x0,rem 3,buf 3,0x50->0x3
drawAll = 60787
drawAll = 64873
UIRec 9
UIRec 3
Afe 0x61
Afe 0x90
Afe 0x72
Afe 0x12
SV 0x38, ch0 0x119, ch1 0x119, Analog 0x0
#tv:6c,sv:38,NR:0
Afe 0x10
#expOkSmph
expOk
Afe 0x80
Afe 0x30
SV 0x38, ch0 0x119, ch1 0x119, Analog 0x0
Afe 0x71
Afe 0x31
Afe 0x40
ipc msg:1
spl msg:1
splImg 32771
Afe 0x50
Cont 2,109,5,411,2439270,2,3
RelLock 0x0,rem 2,buf 2,0x3->0x2
Afe 0x60
rec yccWait
ipc smraw
DcfEntry->play_current_entryno:2060 2060 2060
imgProcMain 2 1
spl smycc
rec yccWait
rec yccWait
rec yccWait
str msg:28
ipc end
spl END
Cont 3,106,5,411,2439270,3,3
rec yccWait OK
RelLock 0x0,rem 3,buf 3,0x2->0x3
Card speed is super.
MCARD works Multi-sector DMA mode.
Mount:0 10001
str msg:27
writeJpeg
writeJpeg END
str msg:26
str msg:26
Storage UnMountDisk() OpenCnt:0
BOOT WORK AROUND
BOOT COMM Not First1
bossCameraCommReceiveCommand 0x0
receiveBossCameraSize Error 0x0,0x33
bossCameraCommSendCommand 0x4
bossCameraCommSendSize 0x20
S[0]04,00
S[1]1d,00
S[2]00,00
S[3]04,00
S[4]80,00
S[5]80,00
S[6]01,00
S[7]70,00
S[8]30,00
S[9]54,00
S[a]00,00
S[b]04,00
S[c]00,00
S[d]07,00
S[e]01,00
S[f]00,00
S[10]00,00
S[11]00,00
S[12]01,00
S[13]03,00
S[14]00,00
S[15]00,00
S[16]04,00
S[17]01,00
S[18]00,00
S[19]00,00
S[1a]00,00
S[1b]00,00
S[1c]00,00
S[1d]01,00
S[1e]00,00
S[1f]00,00
bossCameraCommReceiveCommandBk 0x3
bossCameraCommReceiveSizeBk 0x2d
R[0]ff
R[1]df
R[2]e3
R[3]0c
R[4]0f
R[5]00
R[6]00
R[7]00
R[8]00
R[9]00
R[a]e1
R[b]30
R[c]12
R[d]7f
R[e]02
R[f]79
R[10]02
R[11]4f
R[12]03
R[13]00
R[14]02
R[15]00
R[16]00
R[17]70
R[18]30
R[19]6b
R[1a]39
R[1b]00
R[1c]02
R[1d]80
R[1e]00
R[1f]00
R[20]00
R[21]00
R[22]00
R[23]00
R[24]00
R[25]00
R[26]00
R[27]00
R[28]00
R[29]00
R[2a]00
R[2b]00
R[2c]00
SystemFatalError = -16711679:8001eab8:80002860:800b0000:800029d8:800021ec:800023f8:80002a9c:800023a0:
System Error:ff010001
DSLR-A100 main firm:r021w-108
2009:08:14 18:40
>>>>>>>
Created: Wednesday, February 17 2010 23:15.11 CST
Modified: Wednesday, February 17 2010 23:16.55 CST
Trying to reverse the firmware for the Sony DSLR A100 camera
Author: thesprawler, Views: 4236
Firmware for MIPS R3000, big endian
I have no experience programming in assembly but with a reference manual I can slowly follow pieces of a deadlisting. This project is for fun and a way to learn about embedded systems and reversing.
The firmware is version 1.04 and downloaded from Sony's support website for the camera. Users are instructed to copy the file ("DSCA100.APP") to the root folder of the camera's compact flash card.
The first 256 bytes of the file appear to be a header that identifies the firmware revision, country of operation, and is padded with nulls.
The next 12 bytes are two instructions:
la $1 0x80001110
jr $1 0x80001110
Q: Is 0x80001110 the entry point for the camera app? Where is this address relative to the firmware file?
My camera created a logfile on the compact flash card that appears to include a fn stack trace:
SystemFatalError = -16711679:8001eab8:80002860:800b0000:800029d8:800021ec:800023f8:80002a9c:800023a0:
By calculating the number of bytes between each of the (presumed) addresses I can attempt to discover how the firmware file is located in memory. Assuming that the three bytes 27 BD FF represent the beginning of a function, I can scan the firmware file for function addresses that are spaced apart according to the stack trace. I wrote a script to do this and...success! Well, at least the pattern of spacing between functions indicated in the fn stack does exist.
Fn trace address = firmware file function address (one pair of consecutive trace addresses per row)
0x800021ec = 0x14d4     0x800023a0 = 0x1688
0x800023a0 = 0x3780     0x800023f8 = 0x37d8
0x800023f8 = 0x58bd4    0x80002860 = 0x5903c
0x80002860 = 0x60324    0x800029d8 = 0x6049c
0x800029d8 = 0x6acc8    0x80002a9c = 0x6ad8c
0x80002a9c = 0x73218    0x8001eab8 = 0x8f234
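An added worked example, not thesprawler's script, that carries the post's two steps through on a constructed firmware image so it runs offline. It decodes the lui/ori/jr stub after the 256-byte header to recover the jump target (assuming `la $1 0x80001110` expands to lui/ori, which is what it encodes here), scans for the 27 BD FF xx prologue pattern, reproduces the pairwise spacing check behind the table above, and then goes one step further than the post by voting for a single load base under which as many trace addresses as possible land on a prologue. The trace line and the stub encoding are from the page; the image layout, the assumed base 0x7FFFF000, the 0x20000 size and the decoy offsets are made up for the demonstration. One thing the parse shows along the way: the leading field -16711679 is the two's-complement form of 0xff010001, the value the log prints as "System Error" two lines after the trace.

```python
"""Added example (not thesprawler's script): the post's two steps, run against a
CONSTRUCTED firmware image so everything here works offline.

  1. decode the 12-byte lui/ori/jr stub after the 256-byte header (the
     'la $1 0x80001110' / 'jr $1' from the post) to recover its target;
  2. find MIPS prologues (big-endian 27 BD FF xx = addiu $sp,$sp,-N), check
     which pairs are spaced like consecutive SystemFatalError addresses, then
     vote for one load base that puts as many trace addresses as possible on
     a prologue.

Only TRACE and the stub encoding come from the page; SYNTH_BASE, SYNTH_SIZE and
the decoy offsets are invented for the demonstration.
"""
import struct

HEADER_LEN = 256
PROLOGUE_MAGIC = b"\x27\xbd\xff"   # addiu $sp,$sp,-N (N <= 0xff), big-endian
SYNTH_BASE = 0x7FFFF000            # assumed load address of the constructed image
SYNTH_SIZE = 0x20000               # constructed image size

# Trace exactly as the camera wrote it to log1949.log.
TRACE = ("SystemFatalError = -16711679:8001eab8:80002860:800b0000:800029d8:"
         "800021ec:800023f8:80002a9c:800023a0:")


def parse_trace(line):
    """Return (error code as u32, sorted addresses) from a SystemFatalError line.
    The first field is signed decimal: -16711679 is 0xff010001, the value the
    camera prints two lines later as 'System Error'."""
    fields = [f for f in line.split("=", 1)[1].strip().split(":") if f]
    return int(fields[0]) & 0xFFFFFFFF, sorted(int(f, 16) for f in fields[1:])


def decode_entry_stub(fw):
    """Target of the lui $at / ori $at,$at / jr $at stub at offset HEADER_LEN.
    Raises ValueError if the three words are not exactly that sequence."""
    lui, ori, jr = struct.unpack(">III", fw[HEADER_LEN:HEADER_LEN + 12])
    if lui >> 26 != 0x0F or (lui >> 16) & 0x1F != 1:
        raise ValueError("expected lui $at, imm")
    if ori >> 26 != 0x0D or (ori >> 21) & 0x1F != 1 or (ori >> 16) & 0x1F != 1:
        raise ValueError("expected ori $at, $at, imm")
    if jr & 0xFC1FFFFF != 0x08 or (jr >> 21) & 0x1F != 1:
        raise ValueError("expected jr $at")
    return ((lui & 0xFFFF) << 16) | (ori & 0xFFFF)


def find_prologues(fw):
    """Word-aligned offsets of every 27 BD FF xx sequence in the image."""
    offs, i = [], fw.find(PROLOGUE_MAGIC)
    while i != -1:
        if i % 4 == 0:
            offs.append(i)
        i = fw.find(PROLOGUE_MAGIC, i + 1)
    return offs


def match_spacing(addrs, prologues, size):
    """The post's check: for each consecutive pair of trace addresses, every pair
    of prologue offsets with the same spacing.  Returns [(lo, hi, [(o1, o2), ...])]."""
    have, rows = set(prologues), []
    for lo, hi in zip(addrs, addrs[1:]):
        delta = hi - lo
        if delta >= size:          # the two cannot both lie inside this image
            continue
        rows.append((lo, hi, [(o, o + delta) for o in prologues if o + delta in have]))
    return rows


def infer_load_base(addrs, prologues, size):
    """Stronger check: propose base = addr - offset for every pairing and count how
    many trace addresses land on a prologue under it.  Returns [(base, hits)], best first."""
    have, votes = set(prologues), {}
    for a in addrs:
        for o in prologues:
            base = a - o
            if base not in votes:
                votes[base] = sum(1 for b in addrs if 0 <= b - base < size and b - base in have)
    return sorted(votes.items(), key=lambda kv: (-kv[1], kv[0]))


def build_firmware(base=SYNTH_BASE, size=SYNTH_SIZE):
    """Constructed image (not DSCA100.APP): header, stub, and prologues placed so
    that every trace address except 0x800b0000 maps onto one at `base`, plus decoys."""
    fw = bytearray(size)
    fw[:18] = b"CONSTRUCTED HEADER"
    fw[HEADER_LEN:HEADER_LEN + 12] = struct.pack(">III", 0x3C018000, 0x34211110, 0x00200008)
    for a in parse_trace(TRACE)[1]:
        if 0 <= a - base < size:
            fw[a - base:a - base + 4] = PROLOGUE_MAGIC + b"\xe0"   # addiu $sp,$sp,-0x20
    for off in (0x400, 0x4000, 0x9ABC):                            # unrelated functions
        fw[off:off + 4] = PROLOGUE_MAGIC + b"\xd8"
    return bytes(fw)


if __name__ == "__main__":
    fw = build_firmware()
    code, addrs = parse_trace(TRACE)
    pro = find_prologues(fw)
    print("error code  : 0x%08x" % code)
    print("stub target : 0x%08x" % decode_entry_stub(fw))
    for lo, hi, hits in match_spacing(addrs, pro, len(fw)):
        print("0x%08x 0x%08x +0x%-5x %s" % (lo, hi, hi - lo, " ".join("0x%x=0x%x" % h for h in hits)))
    base, n = infer_load_base(addrs, pro, len(fw))[0]
    print("best base   : 0x%08x puts %d of %d trace addresses on a prologue" % (base, n, len(addrs)))
```

Run as a script it prints the error code, the stub target, one row per consecutive trace pair and the winning base. On a real image the pairwise rows fill up with coincidental offset pairs (the table above already shows two different offsets claimed for 0x800023a0), which is why the base vote is the more useful output: a base that puts all seven code addresses on a prologue at once is hard to hit by chance, while 0x800b0000 falls outside any 128 KB image and simply stays unmatched. One caveat to carry over to the real firmware: return addresses in a call trace normally point just past a jal inside the caller rather than at the callee's first instruction, so an exact prologue hit for every address may not exist; the vote then degrades to whichever base scores highest, and the score tells you how much to trust it.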