You are right. A:\CAMERA.EXE is most definitely an RXE executable. On page 12 of RXETO.DOC, the RXE header is described. seg000:0000 starts with string XIP ...
36
eos_hacker
Dec 11, 2003 4:51 pm
definitely not. it's some sort of debug output function. here are some sample strings it has in ES:BX when it's called: seg001:000B db 'Build Date: ',0 ...
37
eos_hacker
Dec 11, 2003 6:14 pm
Thanks for the info. I tried with the 6.1.2 SDK today, and now my code is working. I used cdFLASH_MODE_AUTO and cdFLASH_MODE_NA and both work fine. ... and...
38
eos_hacker
Dec 11, 2003 6:18 pm
I think your efforts on reverse-engineering the .FIR files are going to be instrumental, since so far, I haven't been successful in my efforts to put or change...
39
Alex Bernstein
pofig37
Dec 11, 2003 7:11 pm
Here's what I know so far about the structure of firmware header: typedef struct { uint32 length; uint32 field4; char string1[32]; char string2[32]; char...
40
eos_hacker
Dec 11, 2003 7:50 pm
It's been over 5yrs since I used IDA, and I'm a bit rusty with it. I wasn't able to disassemble much in the "unexplored" section of dseg...it just kept giving...
41
Alex Bernstein
pofig37
Dec 12, 2003 7:22 pm
When I read this, I remembered that when you initially load a file IDA offers you an option to either load it as EXE or as binary. Loading it as binary gets the...
43
eos_hacker
Dec 15, 2003 11:32 pm
Yes, I realized that after I made the post. What a mess to figure out when the references are all garbled. I've been too busy to mess with it the past few...
44
Alex Bernstein
pofig37
Dec 16, 2003 5:27 am
... Damn endian problems again. I wrote it on a Sun workstation at work, and couldn't figure out why the length wasn't making any sense. Then I added some ...
45
iiepwie@...
iiepwie
Dec 16, 2003 2:18 pm
00121C25: Resource ExMenuFlg ExMenu0.img 2 Can anybody change ExMenuFlg and describe result? iiepwie.narod.ru/E3kr111.html...
46
eos_hacker@...
eos_hacker
Dec 16, 2003 4:36 pm
wow, how did you extract all that stuff? can you tell us what tools you used? i don't quite understand what you want us to do... and don't we need a tool to...
47
Alex Bernstein
pofig37
Dec 16, 2003 5:12 pm
He extracted this out of decrypted firmware file using http://iiepwie.narod.ru/module_list2.zip Apparently, I've been looking only into first portion of the...
48
Alex Bernstein
pofig37
Dec 16, 2003 7:35 pm
Found a bug in the decrypter: if ((i++) >= CRYPT1_SIZE) i=0; if ((j++) >= CRYPT2_SIZE) j=0; should be: i++; j++; if (i >= CRYPT1_SIZE) i=0; if (j >=...
49
eos_hacker@...
eos_hacker
Dec 16, 2003 8:48 pm
ahh. much better now. but module_list2 still croaks before it gets through the whole file. It got to ExMenu0.img before it crashed, at least. Just contains...
50
eos_hacker@...
eos_hacker
Dec 17, 2003 6:01 pm
OK, solved the problem w/ module_list2.cpp ... I was using VC6 to compile, and I forgot to use "#pragma pack(1)" so that structures would be packed on 1-byte...
51
eos_hacker@...
eos_hacker
Dec 17, 2003 6:29 pm
hmm. i spoke too soon. the disk images appear to be corrupted. have you been able to successfully extract the files? my files come up too short after...
52
emklap@...
emklap0000
Dec 17, 2003 6:50 pm
Thanks for pointing out the "#pragma , I could have never found it. I still get extraction faults, some filenames (RESTOOL EXE, CAMERA EXEAUTOEXECBAT) on the...
53
emklap@...
emklap0000
Dec 17, 2003 6:52 pm
Something I thought of. While analyzing the crash I noticed that the analysis was some 15 .img files ahead of what was written to disk. Do we need to flush any...
54
Alex Bernstein
pofig37
Dec 17, 2003 6:57 pm
I'm working on a Sun workstation with GNU tools and I couldn't get module_list.cpp to compile because g++ couldn't find "dir.h" to include. I've expanded my...
55
eos_hacker@...
eos_hacker
Dec 17, 2003 6:59 pm
I added fflush() everywhere before fclose() for a file opened for output. also, if you're working in windows, don't forget to open the files in binary mode...
56
eos_hacker@...
eos_hacker
Dec 17, 2003 7:09 pm
so there's no checksum or signature of any sort to update? that's pretty scary if the firmware loader doesn't perform any integrity checks....
57
eos_hacker@...
eos_hacker
Dec 17, 2003 7:14 pm
dir.h is just for chdir() and mkdir(). also, be sure to make sure you're packing the structures. ... include. I've...
58
Alex Bernstein
pofig37
Dec 17, 2003 7:16 pm
There are signatures like FirFileSignature, etc. but they are already there, so no need to add or modify them. I'm not sure about checksums yet. We should look...
59
cyburn@...
plumikus
Dec 18, 2003 3:20 am
Wow, this is getting really interesting. This hidden menu avenue is quite promising. Do you think the firmware upgrade feature would happily upgrade using this...
60
eos_hacker@...
eos_hacker
Dec 18, 2003 4:02 am
You guys are great! Whew, that was scary... iiepwie was right about ExMenu0. Using Alex's decryption code, I created a decrypted firmware file from...
61
Alex Bernstein
pofig37
Dec 18, 2003 4:13 am
... Wow! You are a lot braver than I am! I guess the next most obvious thing to try is to change the value in CrwNum4.img from 0004 to 0009 and see if will...
62
eos_hacker@...
eos_hacker
Dec 18, 2003 4:17 am
do you dare? your turn ;) ... more pictures...
63
eos_hacker@...
eos_hacker
Dec 18, 2003 6:09 am
OK, OK I couldn't resist. I just wanted to know if Canon was being slimy and giving us the same amount of buffer memory but purposely not using it. The...
65
Dan C.
danimal4326
Dec 18, 2003 7:45 am
Wow.. great job guys.. I've been hanging out on the sidelines reading. I tried using IDA myself with no luck, but that's probably because I've never...
66
emklap0000
Dec 18, 2003 8:06 am
Merry Christmas, this is a great breakthrough. I can decrypt the FIR file and extract the img files in it. Cool. But can you explain how you encrypted the...