Sergey Ilyin
19.11.2003, 17:37
Привет!
Найдено на первой странице dpreview:
hacking: 300D runs DOS on x86 compatible CPU (http://forums.dpreview.com/forums/read.asp?forum=1031&message=6680774)
Цитата[/b] ]There has been a lot talk in this forum about hacking 300D firmware. Some say that this is something next to impossible, mainly because of proprietary processor/architecture used in the camera and "encrypted" firmware. Here's what I found after a few searches in Google:
In their older cameras Canon appears to have used a version of DOS from Datalight ( http://www.datalight.com ). Here's a BusinessWire press release reprinted by the DPReview in 1999: http://www.dpreview.com/news/9902/99022402canonromdos.asp . This basically means that processor in these cameras is x86 compatible and not some unknown proprietary architecture. Does 300D use ROM-DOS? Read on.
USB protocol used by Canon cameras have been reverse engineered by folks at Gphoto ( http://www.gphoto.org ) to enable using them with Linux. Additionaly, a simple application s10sh ( http://www.reynoldsnet.org/s10sh/ ) has been developed that uses this protocol to send "arbitrary" USB commands to the camera. Using s10sh, it is clear that in addition to CF picture storage drive (C: or D:), two other drives A: and B: are present that store camera firmware. It appears that drive A: contains DOS executable camera.exe that runs all the functions. Here's a page describing contents of S40: http://www.darkskiez.co.uk/digital.html
Moreover, folks at http://translate.google.com/transla....&u=http (http://translate.google.com/translate?hl=en&sl=de&u=http://www.ixus-world.de/workshops/os/os_project_3.htm) have even managed to run a simple program on the S40.
After mucking around for a few hours with my 300D, Knoppix Linux-on-CD, and making a few trivial changes to s10sh to support 300D here's what I found on my 300D (v1.1.1 firmware):
[Canon EOS DIGITAL REBEL] C:> dir A:
--n- CAMERA .EXE 391k Wed Oct 8 14:56:36 2003
1 files 401000 bytes
[Canon EOS DIGITAL REBEL] A:> dir B:
--n- CAMERA .EXE 117k Wed Oct 8 14:57:32 2003
--n- LOGSAVE .EXE 34k Wed Oct 8 14:51:36 2003
-i-- DATA Thu Jan 1 00:00:00 1970
-i-- BOOTDISK Thu Jan 1 00:00:00 1970
4 files 396492 bytes
[Canon EOS DIGITAL REBEL] B:> dir B:\DATA
--n- NOTHM .JPG 5k Wed Oct 8 14:50:38 2003
1 files 5145 bytes
[Canon EOS DIGITAL REBEL] B:\DATA> dir B:\BOOTDISK
--n- COMMAND .COM 27k Wed Oct 8 14:51:02 2003
--n- VSSVER .SCC 48 bytes Wed Oct 8 14:51:02 2003
--n- RESTOOL .EXE 56k Wed Oct 8 14:51:36 2003
--n- CAMERA .EXE 6k Wed Oct 8 14:51:32 2003
--n- AUTOEXEC.BAT 10 bytes Wed Oct 8 14:51:32 2003
5 files 93171 bytes
[Canon EOS DIGITAL REBEL] B:\BOOTDISK> dir C:
-i-- DCIM Thu Jan 1 00:00:00 1970
1 files 0 bytes
I've transferred files to my PC, and found references to ROM-DOS and Datalight in them (as if .exe extension, command.com and autoexec.bat are not telling enough). Any real hackers want to takeover from here?
Найдено на первой странице dpreview:
hacking: 300D runs DOS on x86 compatible CPU (http://forums.dpreview.com/forums/read.asp?forum=1031&message=6680774)
Цитата[/b] ]There has been a lot talk in this forum about hacking 300D firmware. Some say that this is something next to impossible, mainly because of proprietary processor/architecture used in the camera and "encrypted" firmware. Here's what I found after a few searches in Google:
In their older cameras Canon appears to have used a version of DOS from Datalight ( http://www.datalight.com ). Here's a BusinessWire press release reprinted by the DPReview in 1999: http://www.dpreview.com/news/9902/99022402canonromdos.asp . This basically means that processor in these cameras is x86 compatible and not some unknown proprietary architecture. Does 300D use ROM-DOS? Read on.
USB protocol used by Canon cameras have been reverse engineered by folks at Gphoto ( http://www.gphoto.org ) to enable using them with Linux. Additionaly, a simple application s10sh ( http://www.reynoldsnet.org/s10sh/ ) has been developed that uses this protocol to send "arbitrary" USB commands to the camera. Using s10sh, it is clear that in addition to CF picture storage drive (C: or D:), two other drives A: and B: are present that store camera firmware. It appears that drive A: contains DOS executable camera.exe that runs all the functions. Here's a page describing contents of S40: http://www.darkskiez.co.uk/digital.html
Moreover, folks at http://translate.google.com/transla....&u=http (http://translate.google.com/translate?hl=en&sl=de&u=http://www.ixus-world.de/workshops/os/os_project_3.htm) have even managed to run a simple program on the S40.
After mucking around for a few hours with my 300D, Knoppix Linux-on-CD, and making a few trivial changes to s10sh to support 300D here's what I found on my 300D (v1.1.1 firmware):
[Canon EOS DIGITAL REBEL] C:> dir A:
--n- CAMERA .EXE 391k Wed Oct 8 14:56:36 2003
1 files 401000 bytes
[Canon EOS DIGITAL REBEL] A:> dir B:
--n- CAMERA .EXE 117k Wed Oct 8 14:57:32 2003
--n- LOGSAVE .EXE 34k Wed Oct 8 14:51:36 2003
-i-- DATA Thu Jan 1 00:00:00 1970
-i-- BOOTDISK Thu Jan 1 00:00:00 1970
4 files 396492 bytes
[Canon EOS DIGITAL REBEL] B:> dir B:\DATA
--n- NOTHM .JPG 5k Wed Oct 8 14:50:38 2003
1 files 5145 bytes
[Canon EOS DIGITAL REBEL] B:\DATA> dir B:\BOOTDISK
--n- COMMAND .COM 27k Wed Oct 8 14:51:02 2003
--n- VSSVER .SCC 48 bytes Wed Oct 8 14:51:02 2003
--n- RESTOOL .EXE 56k Wed Oct 8 14:51:36 2003
--n- CAMERA .EXE 6k Wed Oct 8 14:51:32 2003
--n- AUTOEXEC.BAT 10 bytes Wed Oct 8 14:51:32 2003
5 files 93171 bytes
[Canon EOS DIGITAL REBEL] B:\BOOTDISK> dir C:
-i-- DCIM Thu Jan 1 00:00:00 1970
1 files 0 bytes
I've transferred files to my PC, and found references to ROM-DOS and Datalight in them (as if .exe extension, command.com and autoexec.bat are not telling enough). Any real hackers want to takeover from here?