log1949.txt -- Wondering how to to glitch the camera into producing these logs

Sat, 20 Feb 2010 14:06:33 -0600

DSLR-A100 main firm:r021w-108

logFlg[0] 0xff00ff00
logFlg[1] 0xdf00ff00
logFlg[2] 0xff00ff00
logFlg[3] 0xfd00ff00
logFlg[4] 0xfd00ff00
logFlg[5] 0xff00ff00
logFlg[6] 0xff00ff00
logFlg[7] 0xff00ff00

log1949.log -- created on CF card

Sat, 20 Feb 2010 14:04:34 -0600

FastBoot(0|0)0x3
RecCommandControl() Mode Change
recCommand[0]:0x10,0x0,0x1
----- ChangeBuf 0x0000000f -> 0x00000001 1
Cont 3,109,5,414,2439270,3,3
Rec Start Req
RelLock 0x0,rem 3,buf 3,0x0->0x3
StopIdu-NotEnable
Set LLK IRQ.
--- ImgProc Task start ---
--- Spool Task start ---
drawAll = 63683
------------- usb start --------------
--- procs Task start ---
--- Cache Task start ---
--- Storage Task start ---
str msg:25
CardDetect CardIn
Cont 3,109,5,414,2439270,3,1
idle_root Started
drawAll = 139978
UIRec 8
Card speed is mid.
UIRec 4
UIRec 5
Card speed is super.
MCARD works Multi-sector DMA mode.
Mount:0 10001
getDirIndex:ffff
UIRec 5
DpofParse-OpenFile-Error:0xffffff9a[A:\MISC\AUTPRINT.MRK]
getDirIndex:0
MakeEntryList Start 0
MakeEntryList End
UIRec 5
str msg:26
Cont 3,109,5,414,2439270,3,3
str msg:26
Storage UnMountDisk() OpenCnt:0
SetBossLogicalKeyNopForUi
Bracket Cancel
UIRec 12
Nothing for key:0
RelLock 0x2,rem 3,buf 3,0x3->0x50
UIRec 8
CacheTaskMain:bfffcfbb
CACHE_AHEAD_DISABLE
RelLock 0x0,rem 3,buf 3,0x50->0x3
drawAll = 60849
drawAll = 64170
drawAll = 60687
drawAll = 64906
UIRec 3
Afe 0x61
Afe 0x90
Afe 0x72
Afe 0x12
SV 0x38, ch0 0x119, ch1 0x119, Analog 0x0
#tv:6c,sv:30,NR:0
Afe 0x10
#expOkSmph
expOk
Afe 0x80
Afe 0x30
SV 0x30, ch0 0x59, ch1 0x59, Analog 0x0
Afe 0x71
Afe 0x31
Afe 0x40
ipc msg:1

spl msg:1
splImg 32768
Afe 0x50
Cont 2,109,5,413,2439270,2,3
RelLock 0x0,rem 2,buf 2,0x3->0x2
Afe 0x60
rec yccWait
ipc smraw
DcfEntry->play_current_entryno:205d 205d 205d
imgProcMain 2 1
spl smycc
rec yccWait
rec yccWait
rec yccWait
str msg:28
ipc end
spl END
Cont 3,106,5,413,2439270,3,3
rec yccWait OK
RelLock 0x0,rem 3,buf 3,0x2->0x3
Card speed is super.
MCARD works Multi-sector DMA mode.
Mount:0 10001
str msg:27
writeJpeg
writeJpeg END
str msg:26
str msg:26
Storage UnMountDisk() OpenCnt:0
UIRec 3
Afe 0x61
Afe 0x90
Afe 0x72
Afe 0x12
SV 0x38, ch0 0x119, ch1 0x119, Analog 0x0
#tv:6f,sv:30,NR:0
Afe 0x10
#expOkSmph
expOk
Afe 0x80
Afe 0x30
SV 0x30, ch0 0x59, ch1 0x59, Analog 0x0
Afe 0x71
Afe 0x31
Afe 0x40
ipc msg:1

spl msg:1
splImg 32769
Afe 0x50
Cont 2,109,5,412,2439270,2,3
RelLock 0x0,rem 2,buf 2,0x3->0x2
Afe 0x60
rec yccWait
ipc smraw
DcfEntry->play_current_entryno:205e 205e 205e
imgProcMain 2 1
spl smycc
rec yccWait
rec yccWait
rec yccWait
str msg:28
ipc end
spl END
Cont 3,106,5,412,2439270,3,3
rec yccWait OK
RelLock 0x0,rem 3,buf 3,0x2->0x3
Card speed is super.
MCARD works Multi-sector DMA mode.
Mount:0 10001
str msg:27
writeJpeg
writeJpeg END
str msg:26
str msg:26
Storage UnMountDisk() OpenCnt:0
Afe 0x61
Afe 0x90
Afe 0x72
Afe 0x12
SV 0x38, ch0 0x119, ch1 0x119, Analog 0x0
#tv:6d,sv:30,NR:0
UIRec 3
Afe 0x10
#expOkSmph
expOk
Afe 0x80
Afe 0x30
SV 0x30, ch0 0x59, ch1 0x59, Analog 0x0
Afe 0x71
Afe 0x31
Afe 0x40
ipc msg:1

spl msg:1
splImg 32770
Afe 0x50
Cont 2,109,5,412,2439270,2,3
RelLock 0x0,rem 2,buf 2,0x3->0x2
Afe 0x60
rec yccWait
ipc smraw
DcfEntry->play_current_entryno:205f 205f 205f
imgProcMain 2 1
spl smycc
rec yccWait
rec yccWait
rec yccWait
str msg:28
ipc end
spl END
Cont 3,106,5,412,2439270,3,3
rec yccWait OK
RelLock 0x0,rem 3,buf 3,0x2->0x3
Card speed is super.
MCARD works Multi-sector DMA mode.
Mount:0 10001
str msg:27
writeJpeg
StopIdu-NotEnable
UIRec 10
UIAfterView 8
cursor x = 1936 : y = 1452
RelLock 0x2,rem 3,buf 3,0x3->0x50
writeJpeg END
str msg:26
UIAfterView 4
UIAfterView 4
str msg:26
Storage UnMountDisk() OpenCnt:0
UIRec 8
RelLock 0x0,rem 3,buf 3,0x50->0x3
drawAll = 64863
drawAll = 60283
CacheTaskMain:bfffcfbb
CACHE_AHEAD_DISABLE
SetBossLogicalKeyNopForUi
Bracket Cancel
UIRec 12
Nothing for key:0
RelLock 0x2,rem 3,buf 3,0x3->0x50
UIRec 8
CacheTaskMain:bfffcfbb
CACHE_AHEAD_DISABLE
RelLock 0x0,rem 3,buf 3,0x50->0x3
drawAll = 60843
SetBossLogicalKeyNopForUi
Bracket Cancel
UIRec 12
Nothing for key:0
RelLock 0x2,rem 3,buf 3,0x3->0x50
UIRec 8
CacheTaskMain:bfffcfbb
CACHE_AHEAD_DISABLE
RelLock 0x0,rem 3,buf 3,0x50->0x3
drawAll = 60787
drawAll = 64873
UIRec 9
UIRec 3
Afe 0x61
Afe 0x90
Afe 0x72
Afe 0x12
SV 0x38, ch0 0x119, ch1 0x119, Analog 0x0
#tv:6c,sv:38,NR:0
Afe 0x10
#expOkSmph
expOk
Afe 0x80
Afe 0x30
SV 0x38, ch0 0x119, ch1 0x119, Analog 0x0
Afe 0x71
Afe 0x31
Afe 0x40
ipc msg:1

spl msg:1
splImg 32771
Afe 0x50
Cont 2,109,5,411,2439270,2,3
RelLock 0x0,rem 2,buf 2,0x3->0x2
Afe 0x60
rec yccWait
ipc smraw
DcfEntry->play_current_entryno:2060 2060 2060
imgProcMain 2 1
spl smycc
rec yccWait
rec yccWait
rec yccWait
str msg:28
ipc end
spl END
Cont 3,106,5,411,2439270,3,3
rec yccWait OK
RelLock 0x0,rem 3,buf 3,0x2->0x3
Card speed is super.
MCARD works Multi-sector DMA mode.
Mount:0 10001
str msg:27
writeJpeg
writeJpeg END
str msg:26
str msg:26
Storage UnMountDisk() OpenCnt:0
BOOT WORK AROUND
BOOT COMM Not First1
bossCameraCommReceiveCommand 0x0
receiveBossCameraSize Error 0x0,0x33
bossCameraCommSendCommand 0x4
bossCameraCommSendSize 0x20
S[0]04,00
S[1]1d,00
S[2]00,00
S[3]04,00
S[4]80,00
S[5]80,00
S[6]01,00
S[7]70,00
S[8]30,00
S[9]54,00
S[a]00,00
S[b]04,00
S[c]00,00
S[d]07,00
S[e]01,00
S[f]00,00
S[10]00,00
S[11]00,00
S[12]01,00
S[13]03,00
S[14]00,00
S[15]00,00
S[16]04,00
S[17]01,00
S[18]00,00
S[19]00,00
S[1a]00,00
S[1b]00,00
S[1c]00,00
S[1d]01,00
S[1e]00,00
S[1f]00,00
bossCameraCommReceiveCommandBk 0x3
bossCameraCommReceiveSizeBk 0x2d
R[0]ff
R[1]df
R[2]e3
R[3]0c
R[4]0f
R[5]00
R[6]00
R[7]00
R[8]00
R[9]00
R[a]e1
R[b]30
R[c]12
R[d]7f
R[e]02
R[f]79
R[10]02
R[11]4f
R[12]03
R[13]00
R[14]02
R[15]00
R[16]00
R[17]70
R[18]30
R[19]6b
R[1a]39
R[1b]00
R[1c]02
R[1d]80
R[1e]00
R[1f]00
R[20]00
R[21]00
R[22]00
R[23]00
R[24]00
R[25]00
R[26]00
R[27]00
R[28]00
R[29]00
R[2a]00
R[2b]00
R[2c]00
SystemFatalError = -16711679:8001eab8:80002860:800b0000:800029d8:800021ec:800023f8:80002a9c:800023a0:
System Error:ff010001
DSLR-A100 main firm:r021w-108
2009:08:14 18:40
>>>>>>>

Trying to reverse the firmware for the Sony DSLR A100 camera

Wed, 17 Feb 2010 23:15:11 -0600

Firmware for MIPS R3000, big endian
I have no experience programming in assembly but with a reference manual I can slowly follow pieces of a deadlisting. This project is for fun and a way to learn about embedded systems and reversing.

The firmware is version 1.04 and downloaded from Sony's support website for the camera. Users are instructed to copy the file ("DSCA100.APP") to the root folder of the camera's compact flash card.

The first 256 bytes of the file appear to be a header that identifies the firmware revision, country of operation, and is padded with nulls.

The next 12 bytes are two instructions:
la      $1 0x80001110
jr      $1 0x80001110

Q: Is 0x80001110 the entry point for the camera app? Where is this address relative to the firmware file?

My camera created a logfile on the compact flash card that appears to include a fn stack trace:

SystemFatalError = -16711679:8001eab8:80002860:800b0000:800029d8:800021ec:800023f8:80002a9c:800023a0:

By calculating the number of bytes between each of the (presumed) addresses I can attempt to discover how the firmware file is located in memory. Assuming that the three bytes 27 BD FF represent the beginning of a function, I can scan the firmware file for function addresses that are spaced apart according to the stack trace. I wrote a script to do this and...success! Well, at least the pattern of spacing between functions indicated in the fn stack does exist.

Fn trace   =Firmware file function address
0x800021ecL=0x14d4       0x800023a0L=0x1688L
0x800023a0L=0x3780       0x800023f8L=0x37d8L
0x800023f8L=0x58bd4       0x80002860L=0x5903cL
0x80002860L=0x60324       0x800029d8L=0x6049cL
0x800029d8L=0x6acc8       0x80002a9cL=0x6ad8cL
0x80002a9cL=0x73218       0x8001eab8L=0x8f234L

OpenRCE: Blog

log1949.txt -- Wondering how to to glitch the camera into producing these logs

log1949.log -- created on CF card

Trying to reverse the firmware for the Sony DSLR A100 camera