iiewpie was right about ExMenu0.
Using Alex's decryption code, I created a decrypted firmware file
from e3kr111.fir. Then I hexedited it and changed
the byte at offset 121CBDh (first byte of ExMenu0) to 1,
ran it through the decrypter, and put it into my 300D.
Sure enough, a secret menu came out!
On the 3rd, there is a new item at the bottom called "Color".
When you select it, a very strange menu comes up that looks like
it's for calibration or something. It has 2 boxes and AEB/AF/AE/ISO.
When you hit the arrow buttons some other information appears. I'm
afraid to hit the Set button for fear of messing up some internal
settings of the camera. Too bad it doesn't do what we wanted, but
interesting nevertheless.
One thing that surprises me is that the firmware loader doesn't even
compute a checksum to make sure the firmware image isn't corrupted!
... Wow! You are a lot braver than I am! I guess the next most obvious thing to try is to change the value in CrwNum4.img from 0004 to 0009 and see if will...
Merry Christmas, this is a great breakthrough. I can decrypt the FIR file and extract the img files in it. Cool. But can you explain how you encrypted the...
Alex's latest program lists the offsets of the files it extracts as it decrypts the FIR file. I also have a version which just decrypts and spits out the...
First of all, you guys are doing a great job and if I were a bit better in this sort of thing I would try to hack my camera too. Anyways, here is something to...
no, it's not a menu that an end user could ever figure out. it's very cryptic, and clearly for engineering or support use. i didn't post a pic of it because i...
Remember the secret "Color" menu controlled by ExMenu flag? Well, setting that flag value to 3 enables both the "Color" menu and the C-Fn menu. The flashing...
Hmmm.... seems that even though the menu is enabled, I cannot change the value of some functions. Hitting set returns me to the main functions menu with no...
Can anyone post a modified firmware with this modification, or give a diff to the original firmware? Thanks. ... From: Alex To: canondigicamhacking@yahoogroups.com ...
Alex, Great work again! :) actually, the C.Fn menu seems to function identically to the one we get w/ the NOP NOP hack. The only diff is the additional Color...
... Turns out I couldn't change values because I was in green mode. In P mode everything works. ... 3 seems to be the only value that should work. In the...
OOPS! thanks for correcting me, Alex. I got my diffs mixed up after trying all 3 values. ... 121cbd ... flag ... Well, ... and ... firmware ... appears. ... ...
Thanks, it's clearer now, I used the next data from Menu170.img I suppose that removing the instructions/data as asked for when creating the 1st segment is...
I see the compare statements and have lots of code but I also see lots of "red" calls to addresses like 0EC15h:4BAh 0EC15h:3 and 0EC15h:465h The exmenu flag is...
That's what I meant in step 4. These references indicate a segment starting somewhere around EC150. In this case, it is EC153. Create a segment using EC153...
I have made some tests and arrived at this conclusion: Starting from the original Canon firmware: The 1 byte patch only activates the secret Color menu. To reveal...
Or can anyone point out the offset in the original firmware corresponding to the first byte of ExMenu0? ... From: starmoon To: canondigicamhacking@yahoogroups.com Sent:...
Thank you, eos_hacker. Is the original value @ 0x121cbd "0x8D"? Thank you again. ... From: eos_hacker To: canondigicamhacking@yahoogroups.com Sent: Thursday,...
I wonder about it also. I had read the first messages about Color menu but I could not understand. Does the color menu have anything useful for the owners of EOS...
this makes sense since if you look at the code controlling whether the menus are enabled you have: cmp word ptr ds:68h, 0 jnz gh_display_color_menu ...