1
2 // Firmware file handling for Canon camera firmware dumps
3 // Note: only supports DryOS based cameras and ARM32 code.
4
5 /*
6 General Notes:
7 uint32_t values are addresses (as seen in the Camera)
8 int values are indexes into the 'buf' array containing the firmware dump
9 e.g. for a firmware dump that loads at address 0xFF810000, then
10 the 'base' value will be 0xFF810000.
11 the corresponding 'index' value is 0.
12 address 0xFF810004 has an index of 1, etc.
13
14 Access to the firmware dump info should be via tha functions listed, not by
15 direct access to the 'buf' array. This ensures that access is correct for
16 cameras with and 'alt' base address, and when firmware code is copied to RAM
17 */
18
19 #define MIN(a,b) ((a) < (b) ? (a) : (b))
20 #define MAX(a,b) ((a) > (b) ? (a) : (b))
21
22 // Stores a range of valid data in the firmware dump (used to skip over empty blocks)
23 typedef struct bufrange {
24 uint32_t *p;
25 int off;
26 int len;
27 struct bufrange* next;
28 } BufRange;
29
30 #define OS_DRYOS 0
31 #define OS_VXWORKS 1
32
33 // Firmware storage and information
34 typedef struct {
35 uint32_t *buf; // Firmware data
36 BufRange *br, *last; // Valid ranges
37
38 int os_type; // 0 = DryOS, 1 = VxWorks
39
40 uint32_t base; // Base address of the firmware in the camera
41 int main_offs; // Offset of main firmware from the start of the dump (for DIGIC 4+ cams)
42 uint32_t memisostart; // Start address of the Canon heap memory (where CHDK is loaded)
43 int size; // Size of the firmware (as loaded from the dump)
44 int fsize; // Size of the firmware (as determined from the start address)
45 int cam_idx; // Index of the camera name in the firmware
46 uint32_t pid_adr; // Address of the camera ID in the firmware
47 int dryos_ver; // DryOS version number (capped at the highest known revision)
48 int real_dryos_ver; // DryOS version number (the real one, warn if not equal to dryos_ver)
49 char *dryos_ver_str; // DryOS version string
50 char *firmware_ver_str; // Camera firmware version string
51 char *fw_build_date; // Firmware build date
52 char *fw_build_time; // Firmware build time
53 int fwver_idx; // Index of camera firmware version string
54 int pid; // Camera ID
55 uint32_t maxram; // How much memory does the camera have
56 char *cam; // Pointer to camera name string
57 char *ksys; // Pointer to encryption key
58 int ksys_idx; // Index of the encryption key in the firmware dump
59 uint32_t dancing_bits; // Dancing Bits number for the encryption key
60 int dancing_bits_idx; // Index of the dancing bits data in the firmware dump
61 uint32_t data_start; // Start of DATA section in RAM
62 uint32_t data_init_start; // Start of initialisation section for DATA in ROM
63 int data_len; // Length of data section
64 uint32_t uncached_adr; // Start of un-cached copy of RAM
65 int uncached_adr_idx; // Index where un-cached address found
66
67 // Alt copy of ROM in RAM (DryOS R50, R51)
68 uint32_t *buf2; // pointer to loaded FW data that is copied
69 uint32_t base2; // RAM address copied to
70 uint32_t base_copied; // ROM address copied from
71 int size2; // Block size copied (in words)
72 int lowest_idx; // Lowest valid index
73
74 // Alt copy of ROM (DryOS R51 - only seen on S110 so far)
75 uint32_t alt_base; // Alternative base address
76
77 // Values loaded from stubs & other files
78 stub_values *sv;
79 } firmware;
80
81 // Load a firmware file
82 void load_firmware(firmware *fw, const char *filename, const char *base_addr, const char *alt_base_addr, int os_type);
83
84 // Functions for analysing a firmware dump
85
86 // Check if index value is valid
87 int idx_valid(firmware *fw, int i);
88
89 // Convert index to address and vice-versa
90 uint32_t idx2adr(firmware *fw, int idx);
91 int adr2idx(firmware *fw, uint32_t adr);
92 char* adr2ptr(firmware *fw, uint32_t adr);
93
94 // index correction for cams with RAM code
95 int idxcorr(firmware *fw, int idx);
96
97 void set_ignore_errors(int n);
98 uint32_t* fwadr(firmware *fw, int i);
99 // Get a 32 bit value from the dump at the specified index
100 uint32_t fwval(firmware *fw, int i);
101 // Extract the source register, destination register or operand2 from the instruction at the specified index
102 int fwRd(firmware *fw, int i);
103 int fwRn(firmware *fw, int i);
104 int fwRnMOV(firmware *fw, int i);
105 int fwOp2(firmware *fw, int i);
106
107 // Follow a branch (or BL) instruction to get to the called address
108 int idxFollowBranch(firmware *fw, int fidx, int offset);
109 uint32_t followBranch(firmware *fw, uint32_t fadr, int offset);
110 uint32_t followBranch2(firmware *fw, uint32_t fadr, int offset);
111
112 // Extract operand from LDR, ADR, or data processing instructions
113 uint32_t LDR2adr(firmware *fw, int offset);
114 uint32_t LDR2idx(firmware *fw, int offset);
115 uint32_t LDR2val(firmware *fw, int offset);
116 uint32_t ADR2adr(firmware *fw, int offset);
117 uint32_t ALUop2(firmware *fw, int offset);
118 uint32_t ALUop2a(firmware *fw, int offset);
119
120 // Test instruction at specfied index
121 int isLDR_PC(firmware *fw, int offset);
122 int isLDR_SP(firmware *fw, int offset);
123 int isLDR_PC_cond(firmware *fw, int offset);
124 int isADR_PC(firmware *fw, int offset);
125 int isADR_PC_cond(firmware *fw, int offset);
126 int isLDMFD(firmware *fw, int offset);
127 int isLDMFD_PC(firmware *fw, int offset);
128 int isLDR(firmware *fw, int offset);
129 int isLDR_cond(firmware *fw, int offset);
130 int isADR(firmware *fw, int offset);
131 int isSTMFD(firmware *fw, int offset);
132 int isSTMFD_LR(firmware *fw, int offset);
133 int isSTR(firmware *fw, int offset);
134 int isSTR_cond(firmware *fw, int offset);
135 int isBX(firmware *fw, int offset);
136 int isBX_LR(firmware *fw, int offset);
137 int isBLX(firmware *fw, int offset);
138 int isBL(firmware *fw, int offset);
139 int isBL_cond(firmware *fw, int offset);
140 int isBLEQ(firmware *fw, int offset);
141 int isB(firmware *fw, int offset);
142 int isBorBL(firmware *fw, int offset);
143 int isCMP(firmware *fw, int offset);
144 int isMOV(firmware *fw, int offset);
145 int isMOV_immed(firmware *fw, int offset);
146 int isORR(firmware *fw, int offset);
147 int isADD(firmware *fw, int offset);
148 int isSUB(firmware *fw, int offset);
149
150 int isASCIIstring(firmware *fw, uint32_t adr);
151
152 // Find a string in the firmware dump
153 int find_str(firmware *fw, char *str);
154 int find_Nth_str(firmware *fw, char *str, int N);
155 // Find the next instruction of a specified type starting at idx within len instructions
156 int find_inst(firmware *fw, int (*inst)(firmware*,int), int idx, int len);
157 // Find the previous instruction of a specified type starting at idx within len instructions
158 int find_inst_rev(firmware *fw, int (*inst)(firmware*,int), int idx, int len);
159 // Find the Nth instruction of a specified type starting at idx within len instructions
160 int find_Nth_inst(firmware *fw, int (*inst)(firmware*,int), int idx, int len, int N);
161 // Find the Nth previous instruction of a specified type starting at idx within len instructions
162 int find_Nth_inst_rev(firmware *fw, int (*inst)(firmware*,int), int idx, int len, int N);
163
164 // Find the first or next reference to a specified string in the dump
165 int find_strptr_ref(firmware *fw, char *str);
166 int find_str_ref(firmware *fw, char *str);
167 int find_nxt_str_ref(firmware *fw, int str_adr, int ofst);
168 int find_nxt_str_ref_alt(firmware *fw, char *str, int ofst, int limit);
169
170 // Find a B or BL instruction that calls/jumps to the 'v1' address
171 int find_BL(firmware *fw, int k, uint32_t v1, uint32_t v2);
172 int find_B(firmware *fw, int k, uint32_t v1, uint32_t v2);
173
174 // Search the firmware dump calling the 'func' code to see if the current location matches what we are looking for
175 int search_fw(firmware *fw, int (*func)(firmware*, int, uint32_t, uint32_t), uint32_t v1, uint32_t v2, int len);
176 int search_fw_bytes(firmware *fw, int (*func)(firmware*, int));