hacking the canon 300d digital camera
play

Hacking the Canon 300D digital camera Lex Augusteijn November 2018 - PowerPoint PPT Presentation

Jan 04, 2023 •95 likes •332 views

Hacking the Canon 300D digital camera Lex Augusteijn November 2018 www.lex-augusteijn.nl lex.augusteijn@gmail.com History March 2003: Canon 10D was introduced $1500 DSLR 6Mpix CMOS sensor August 2003: Canon 300D was introduced

  1. Hacking the Canon 300D digital camera Lex Augusteijn November 2018 www.lex-augusteijn.nl lex.augusteijn@gmail.com

  2. History • March 2003: Canon 10D was introduced • $1500 DSLR • 6Mpix CMOS sensor • August 2003: Canon 300D was introduced • $900 • Same image sensor, same image quality • Reduced feature set • I bought mine June 2004

  3. 10D vs 300D ISO 100-3200 ISO 100-1600 Mirror lock-up No mirror lock-up Servo AF Servo AF only in sports mode Programmable SET button SET button only for menu selection Flash sync 1/200 in AV Shutter speed variable in AV ½ or 1/3 stop exposure increments 1/3 stop exposure increments Flash exposure compensation Fixed flash exposure Raw + Any Jpeg Raw + Medium Jpeg Programmable curtain sync Flash on first curtain 300D Hommage: https://www.youtube.com/watch?v=HVvaUAT4c-8

  4. History • 2004: Wasia firmware hack ISO 100-3200 Mirror lock-up with programmable delay Servo AF only in sports mode Programmable SET button Flash sync 1/200 in AV 1/3 stop exposure increments Flash exposure compensation Raw + Any Jpeg Flash on first curtain

  5. History Wasia disappeared No material apart from the firmware binary left behind Alex Bernstein: Firmware decryptor Michael Tan : Yahoo group about Canon camera hacking • To distribute firmware • Many camera models + topics, e.g. Tetris on Powershots Reconstructing firmware: me and some other dutchman Steve Yeager: Private forum for developers + 40 beta testers • Beta leaking elsewhere on the web https://groups.yahoo.com/neo/groups/canondigicamhacking/info http://www.digitalrebel.nl/firmware.html

  6. History • 2004: Wasia firmware hack • 2005: UnDutchables firmware hack ISO 100-3200 ISO 100-3200 Mirror lock-up with programmable delay Mirror lock-up with programmable delay Servo AF only in sports mode Servo AF in all modes Programmable SET button Programmable SET button Flash sync 1/200 in AV Flash sync 1/200 in AV 1/3 stop exposure increments 1/3 stop exposure increments Flash exposure compensation Flash exposure compensation Raw + Any Jpeg Raw + Any Jpeg Flash on first curtain Flash on first curtain Custom settings in all modes Raw in all modes

  7. Architecture • 80186 • Running DOS • Menu handling and camera settings • Segmented memory: 16 bit registers, 20 bit address space • Bank switching • 20 bit pointers not unique • Nightmare for reverse engineering • Mips • Hardware control, e.g. metering, lens control • Deeply embedded • Memory dump obtained through debug port (Jtag?) • Disassembled

  8. Bank switching DS

  9. Bank switching Module.img Camera.exe (DiskA.img) backward trampoline 18 - print line with parameter: Bwd table 0xec2e5 far target, 0xec1b:0x135 0xec2e5 TEC-S- c8 04 00 00 enter $0x4,$0x0 0xec2e9 T----- 8c 5e fe mov %ds,-0x2(%bp) 0xec2ec T----- c7 46 fc e6 01 movw $0x1e6,-0x4(%bp) 0xec2f1 T----- ff 5e fc lcall *-0x4(%bp) Trampolines Offset CS 0xec2f4 T----- c9 leave 0xec2f5 T----- cb lret ….. 0xeced1 T----- 9a 35 01 1b ec lcall $0xec1b,$0x135 (0xec2e5) backward trampoline 18 - print line with parameter Text Text Fwd table Offset CS Trampolines print line with parameter: 0xdc01b ; WB backward function pointer 18

  10. How was it done • Canon released firmware update 1.1.1 to replace shipped 1.0.2 • E3kr111.fir file • Firmware uploader to copy fir file to CF card in camera through USB • Decryptor from Alex Bernstein: Cyclic XOR with 512 and 513 tables • Firmware unpacker • S10sh: camera control through USB • http://s10sh.sourceforge.net/ • Control camera through USB port • Take pictures • Download pictures • Set camera parameters (my contribution, 2006) • Debug log through USB

  11. [TX]R1:13 [SHQ] ShqPowonProjection (PoleFin)00002199 [TX]R1:12 [TX]IN 01 03 10 00 [FWT] ResumeWrite [CAMUI-R]ID:0214(0000)B:0000GS:0000CS:00// Debug log to USB [TX]R1:11 [FILE NO] reflesh 4070776 [TX]IN 01 20 58 00 1C [TX]IN 01 00 91 1C 00 1C 00 4B [CAMUI]_CheckAvailFileNumber:4070776:OK [CAMUI]//GS:0000CS:0000 [TX]R1:12 [TX]R1:82 [MC]R3:20 [TX]IN 01 20 58 00 1C [TX]OUT82 11 20 31 40 50 61 70 80 90 A0 B0 C1 D0 E0 F0 00 10 [MC]R3:21 [Mc]AvoChanged! [TX]R1:81 [CAMUI-R]ID:0213(0000)B:0000GS:0000CS:00// [MC]R3:04 [TX]OUT81 01 01 01 08 00 50 30 18 00 01 [CAMUI]//GS:0000CS:0000 [MC]R3:06 [SwDrv] ModeD: 0008 [CamUI] ShtUI GotoCapture ! [TX]R1:82 [CamUI] sw int 0105:000C, post. [MC]R3:20 [TX]OUT82 11 20 31 40 50 61 70 80 90 A0 B0 C1 D0 E0 F0 00 10 [CamUI] QREV _Stop [TX]R1:16 [TX]R1:81 [TX]R1:19 [AVS]CalcAvailShot [TX]OUT81 01 01 01 08 00 50 30 18 00 00 [TX]IN 01 18 [TX]IN 01 75 FF [MC]R2:19 [TX]R1:16 [AE]Tv:0075 [TX]R1:19 [AVS]CalcAvailShot [AE]Av:00FF [TX]IN 01 18 [TX]IN 01 75 FF [AVS]CalcSize, LNSN [MC]R2:40 [AE]Tv:0075 [AVS]Shot #262 [MC]R2:40 [AE]Av:00FF [CAMUI] AvSht4:262 [MC]tvchg:75 [AVS]CalcSize, LNSN [MC]R3:28 [AE]Tv:0075 [AVS]Shot #262 [CAMUI-R]ID:0214(0000)B:0000GS:0000CS:00// [MC]aemodchg:01 [CAMUI] AvSht3:262 [CAMUI]//GS:0000CS:0000 [MC]R2:40 [CamUI] sw int 0102:0000, post. [MC]R3:20 [MC]R2:04 [CamUI] sw int 0102:0002, post. [MC]R3:21 [TX]R1:16 [CamUI] sw int 0102:0004, post. [CAMUI-R]ID:0213(0000)B:0000GS:0000CS:00// [TX]IN 01 75 FF [CamUI] sw int 0102:0006, post. [CAMUI]//GS:0000CS:0000 [TX]R1:12 [CamUI] sw int 0102:0008, post. [CamUI] ShtUI GotoCapture ! [TX]IN 01 20 58 00 1C [CamUI] sw int 0103:0002, post.0000 [MC]R3:20 [TX]R1:12 [CamUI] sw int 0104:0000 [TX]R1:16 [TX]IN 01 20 58 00 1C [CamUI] sw int 0104:0002 [AVS]CalcAvailShot [WB] Page 15 / Offset 11180 [CamUI] sw int 0104:0006 [TX]IN 01 75 FF [CPU] CPU24MHz [CamUI] sw int 0104:0008 [AE]Tv:0075 [CPU] CPU48MHz [CamUI] sw int 0104:000A [AE]Av:00FF [CPU] CPU24MHz [CamUI] sw int 0104:000C [AVS]CalcSize, LNSN [CPU] CPU48MHz [TX]R1:16 [AVS]Shot #262 [WD]START;#1 [CamUI] Init End. [CAMUI] AvSht4:262 [SUP]Time:#1400 [TX]IN 01 75 FF [MC]R3:28

  12. Work flow unpack mount E3kr111.fir DiskA.img Camera.exe decrypt *.img 173 code banks disassemble patch *.img *.dis encrypt E3kr111.fir DiskA.img Camera.exe pack

  13. Tooling • LDA (Lex’ DisAssembler) • Using binutils for disassembling • Distributed hacking • Hacker can specify • Comments • Entry points • Patches • Automatic cross references • Detect bank-switching, xrefs accross banks through trampolines • No code movement: just modifying instructions without changing size • Most 10D code was still there: needed activation • Needed 2 hours to revive tooling from 13 years ago (old Redhat to latest Ubuntu).

  14. Tooling image entries entries lda comments comments patches patches image fwd refs bwd refs

  15. Text Disassembly Callee Start 0xac3d6 .. 0xac3df "\r\n[AE]Tv:" 0xac424 T----- 75 11 jne 0x000ac437 0xac426 T----- c6 06 a5 03 00 movb $0x0,933 0xac3e0 CALLEE 0xac42b T----- 6a 00 push $0x0 XREFS 0xac2ec 0xac42d T----- 6a 00 push $0x0 0xac3e0 T-C-S- 56 push %si 0xac42f T----- 9a 7b 02 2e b4 lcall $0xb42e,$0x27b (0xb455b) 0xac3e1 T----- 9a ad 1f 2e b4 lcall $0xb42e,$0x1fad (0xb628d) 0xac434 T----- 83 c4 04 add $0x4,%sp 0xac3e6 T----- 8b f0 mov %ax,%si 0xac437 TARGET 0xac3e8 T----- 9a 46 01 84 c0 lcall $0xc084,$0x146 (0xc0986) XREFS 0xac424 0xac410 0xac40a 0xac3ed T----- 0a c0 or %al,%al 0xac437 T--J-- 0e push %cs 0xac3ef T----- 74 2e je 0x000ac41f 0xac438 T----- 68 0c 01 push $0x10c 0xac3f1 T----- 9a a5 1e 2e b4 lcall $0xb42e,$0x1ea5 (0xb6185) 0xac43b T----- 9a 28 00 47 d1 lcall $0xd147,$0x28 (0xd1498) 0xac3f6 T----- 3d 02 00 cmp $0x2,%ax 0xac440 T----- 83 c4 04 add $0x4,%sp 0xac3f9 T----- 75 24 jne 0x000ac41f 0xac443 T----- 56 push %si 0xac3fb T----- 6a 02 push $0x2 0xac444 T----- 9a 62 00 47 d1 lcall $0xd147,$0x62 (0xd14d2) 0xac3fd T----- 9a 82 01 2e b4 lcall $0xb42e,$0x182 (0xb4462) 0xac449 T----- 59 pop %cx 0xac402 T----- 59 pop %cx 0xac44a T----- 9a a5 1e 2e b4 lcall $0xb42e,$0x1ea5 (0xb6185) 0xac403 T----- 0a c0 or %al,%al 0xac405 T----- 75 18 jne 0x000ac41f 0xac407 T----- 83 fe 75 cmp $0x75,%si 0xac40a T----- 74 2b je 0x000ac437 0xac40c T----- 81 fe ff 00 cmp $0xff,%si 0xac410 T----- 74 25 je 0x000ac437 0xac412 T----- 9a d8 02 2e b4 lcall $0xb42e,$0x2d8 (0xb45b8) 0xac417 T----- c6 06 a5 03 01 movb $0x1,933 0xac41c T----- e9 99 00 jmp 0x0000c4b8 (0xac4b8) 0xac41f TARGET XREFS 0xac405 0xac3f9 0xac3ef Text 0xac41f T--J-- 80 3e a5 03 01 cmpb $0x1,933 Jump target

  16. Entries 0x8d26e 0x992f7 0x9d500 0x8d2b8 0x9970c 0x9d88c 0x8d400 0x99e 0x9dba3 0x8d524 0x9a208 0x9dda1 0x8d70c 0x9a3b3 0x9e060 0x8d908 0x9a69f 0x9e4e9 0x8d984 0x9ab82 0x9e99c 0x8d9b6 0x9ae68 0x9ebc6 0x940dd 0x9aff3 0x9edfc 0x907f7 0x9b152 -0x9d293 0x90e31 0x9b2f3 -0x93dd5 0x9190e 0x9b6d4 -0x9d831 0x979d4 0x9bc0b -0x9efee 0x97bb9 -0x9f523 0x9bd4e 0x97ff5 0x9bedf -0xa5930 0x98238 0x9c13f -0xa5938 0x985e5 0x9c344 -0xab64e 0x98c44 0x9c569 -0xad8bb 0x98e56 0x9ca2f 0x98ff0 0x9d0d5 0x99123 0x9d2fc

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Web on TV with Canon Devices Canon, Inc. Jun Fujisawa Canon Imaging Device Company SVG

Web on TV with Canon Devices Canon, Inc. Jun Fujisawa Canon Imaging Device Company SVG

Web on TV with Canon Devices Canon, Inc. Jun Fujisawa Canon Imaging Device Company SVG Canon cares Image Quality Scalability is the Key to support Higher Resolution W3C SVG Working Group Member since 2000 Device APIs Canon

158 views • 5 slides
Digital cameras and Imaging! CSE467 1 Today: Pinhole camera Film camera Digital

Digital cameras and Imaging! CSE467 1 Today: Pinhole camera Film camera Digital

Digital cameras and Imaging! CSE467 1 Today: Pinhole camera Film camera Digital camera Sensor types Signal chain Demo project Let Lets build a camera CSE467 2 1 Camera trial #1 film scene Put a piece of film

686 views • 27 slides
HACKING DIGITAL LEADERSHIP Insights on how to achieve success from 40 Digital Leaders 40 DIGITAL

HACKING DIGITAL LEADERSHIP Insights on how to achieve success from 40 Digital Leaders 40 DIGITAL

James BRETT HACKING DIGITAL LEADERSHIP Insights on how to achieve success from 40 Digital Leaders 40 DIGITAL LEADERS 400 YEARS In 20 MINUTES LEADERSHIP IS HARD! HACKING = SMART 400 YEARS In 20 MINUTES 400 YEARS In 20 MINUTES OUR PATH

275 views • 23 slides
CANON INTRODUCTION Radu Dinu Partner Manager Resellers CANON Romania Inspire Canon: your

CANON INTRODUCTION Radu Dinu Partner Manager Resellers CANON Romania Inspire Canon: your

CANON INTRODUCTION Radu Dinu Partner Manager Resellers CANON Romania Inspire Canon: your guide Inspire Weve been inspiring customers to explore the power of imaging for over 80 years. Inspire And today were still working together 5

558 views • 37 slides
The Recognition of the Biblical Writings What is the Canon of Scripture? What is the Canon

The Recognition of the Biblical Writings What is the Canon of Scripture? What is the Canon

Canonization The Recognition of the Biblical Writings What is the Canon of Scripture? What is the Canon of Scripture? The canon of Scripture is the list of books that have been recognized as being inspired by God and which

1k views • 74 slides
ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical?

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical?

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical? Legality VS Ethics State Sanctioned hacking BLACK HAT - Stereotypical Hacker -Stealing data for personal gain -Obviously not ethical -Using

1.17k views • 10 slides
# Camera camera = Camera.open(); Camera camera

# Camera camera = Camera.open(); Camera camera

# Camera camera = Camera.open(); Camera camera = Camera.open(); camera.setDisplayOrientation(90); camera.setDisplayOrientation(90); camera.unlock(); SurfaceHolder holder = getHolder();

1.34k views • 45 slides
Simple Digital Camera with Image Editor Group 3 Jun Zhao, Kwan Yin Lau, and Xiang Gao

Simple Digital Camera with Image Editor Group 3 Jun Zhao, Kwan Yin Lau, and Xiang Gao

Simple Digital Camera with Image Editor Group 3 Jun Zhao, Kwan Yin Lau, and Xiang Gao Functionality A simple digital camera implementation Colour/grayscale image Switch, button user control VGA screen display Image

289 views • 12 slides
New Directions for Web Applications Dave Raggett, Canon, TV Raman, IBM 1/11 Web Applications

New Directions for Web Applications Dave Raggett, Canon, TV Raman, IBM 1/11 Web Applications

Canon New Directions for Web Applications Dave Raggett, Canon, TV Raman, IBM 1/11 Web Applications Workshop, San Jose, June 2004 Canon Goals Break Web applications out of the browser! Freedom to build wider variety of applications

612 views • 18 slides
SOFTWARE MODULES: SERIAL COMUNICATIONS -BASIC FOR DEBUGGING -RECEIVING BUFFER -INTERRUPTION I2C

SOFTWARE MODULES: SERIAL COMUNICATIONS -BASIC FOR DEBUGGING -RECEIVING BUFFER -INTERRUPTION I2C

Digital Camera Interface INTERFACE BETWEEN THE C3088 CAMERA (OV6620 CHIP OMNIVISION) A COMPUTER USING THE AVR Atmega16 PROPOUSED TASKS: CAMERA WORKING--> IMAGES IN TV COMUNNICATIONS WITH PC (USART) ACCESS TO REGISTERS IN THE

181 views • 5 slides
Available and Upcoming Web Graphics Standards Canon, Inc. Jun Fujisawa fujisawa.jun@canon.co.jp

Available and Upcoming Web Graphics Standards Canon, Inc. Jun Fujisawa fujisawa.jun@canon.co.jp

Available and Upcoming Web Graphics Standards Canon, Inc. Jun Fujisawa fujisawa.jun@canon.co.jp General 2D/3D Graphics APIs HTML Canvas: www.w3.org/TR/2dcontext/ WebGL: www.khronos.org/registry/webgl/ specs/1.0/ Consider using SVG

485 views • 12 slides
Simple Digital Camera with Image Editor Group 3 Jun Zhao, Kwan Yin Lau, and Xiang Gao The

Simple Digital Camera with Image Editor Group 3 Jun Zhao, Kwan Yin Lau, and Xiang Gao The

Simple Digital Camera with Image Editor Group 3 Jun Zhao, Kwan Yin Lau, and Xiang Gao The System Major Components D5M camera DE2 Board VGA monitor Image processing operations Color Negation Brightness Adjustment Image

485 views • 11 slides
# Camera camera = Camera.open();

# Camera camera = Camera.open();

# Camera camera = Camera.open(); Camera camera = Camera.open(); camera.setDisplayOrientation(90); camera.setDisplayOrientation(90); camera.unlock(); SurfaceHolder holder =

819 views • 33 slides
HEBREW CANON HEBREW CANON TORAH NEVIIM KETHUVIM Psalms Joshua Genesis Proverbs Judges

HEBREW CANON HEBREW CANON TORAH NEVIIM KETHUVIM Psalms Joshua Genesis Proverbs Judges

HEBREW CANON HEBREW CANON TORAH NEVIIM KETHUVIM Psalms Joshua Genesis Proverbs Judges Exodus Leviticus Job Samuel Numbers Song of Songs Kings Deuteronomy Ecclesiastes Isaiah Daniel Jeremiah Ezra/Nehemiah Ezekiel Esther

582 views • 14 slides
Innovation through the www.linkedin.com/pulse/climate-change-healthcare-lucien- hacking

Innovation through the www.linkedin.com/pulse/climate-change-healthcare-lucien- hacking

CLIMATE CHANGE IN HELTHCARE : Driving Innovation through the www.linkedin.com/pulse/climate-change-healthcare-lucien- hacking engelen GIB DE MEDEIROS, PH.D. Digital Hospital Transformation Forum at HIC 2017 Brisbane, Australia HACKING

644 views • 27 slides
Basics of Off-Camera Flash Off-Camera Flash www.jedi.com * What is it & why do we use it? *

Basics of Off-Camera Flash Off-Camera Flash www.jedi.com * What is it & why do we use it? *

Basics of Off-Camera Flash Off-Camera Flash www.jedi.com * What is it & why do we use it? * Bouncing on-camera flash to emulate off-camera light * True off-camera flash * Basic examples * Trigger mechanisms * Controlling the amount of

144 views • 11 slides
How to Hack Blockchain Systems Parinya Ekparinya Vincent Gramoli Guillaume Jourjon The

How to Hack Blockchain Systems Parinya Ekparinya Vincent Gramoli Guillaume Jourjon The

How to Hack Blockchain Systems Parinya Ekparinya Vincent Gramoli Guillaume Jourjon The University of Sydney Page 1 Blockchain Block #41 Block #42 Block #43 Block #44 Proof: Proof: Proof: Proof: 0xd00d1e 0xc0ffee 0xf00baa

630 views • 41 slides
What goes wrong when thousands of engineers share the same continuous build? Eran Messeri,

What goes wrong when thousands of engineers share the same continuous build? Eran Messeri,

What goes wrong when thousands of engineers share the same continuous build? Eran Messeri, Google eranm@google.com Goals Demonstrate feasibility of working from head Prove the importance of reliable, automated tests. Show how

3.03k views • 18 slides
Hacking in Popular Culture Week 2 Frank Chen | Spring 2017 Agenda Administrative Review

Hacking in Popular Culture Week 2 Frank Chen | Spring 2017 Agenda Administrative Review

Mr. Robot, an Emmy Award-winning TV drama starring a vigilante hacker CS 88S Hacking in Popular Culture Week 2 Frank Chen | Spring 2017 Agenda Administrative Review last weeks material Hack Hollywood Hacking: The Good, The

718 views • 45 slides
UNRM Hacking the filesystem Jessica Yu WHOOPS... GMAIL: UNDO SEND unrm operates on the same

UNRM Hacking the filesystem Jessica Yu WHOOPS... GMAIL: UNDO SEND unrm operates on the same

UNRM Hacking the filesystem Jessica Yu WHOOPS... GMAIL: UNDO SEND unrm operates on the same idea as Gmail's undo send. UNRM: USAGE Goal : after an rm , want to be able to recover all removed files under a certain directory within a set period

888 views • 58 slides
Exploiting the Client Vulnerabilities in Internet E-voting Systems: Hacking Helios 2.0 as an

Exploiting the Client Vulnerabilities in Internet E-voting Systems: Hacking Helios 2.0 as an

Exploiting the Client Vulnerabilities in Internet E-voting Systems: Hacking Helios 2.0 as an Example Saghar Estehghari 1 Yvo Desmedt 1 , 2 1 Department of Computer Science University College London, UK 2 Research Center for Information Security

572 views • 28 slides
Hack the Derivative! Erik Taubeneck Software Engineer October 20th, 2015 American University

Hack the Derivative! Erik Taubeneck Software Engineer October 20th, 2015 American University

The Derivative Finite Difference Floating Point Arithmetic Complex Analysis Crash Course Hack the Derivative Hack the Derivative! Erik Taubeneck Software Engineer October 20th, 2015 American University Math/Stat Dept Colloquium The

1.39k views • 106 slides
Testing Dr. Patrick McDaniel Meghan Riegel Fall 2015 What is Penetration Testing? Attacking

Testing Dr. Patrick McDaniel Meghan Riegel Fall 2015 What is Penetration Testing? Attacking

Introduction to Penetration Testing Dr. Patrick McDaniel Meghan Riegel Fall 2015 What is Penetration Testing? Attacking a system to find security vulnerabilities in order to fix them before a malicious party attacks the system Legal if

455 views • 9 slides
02 October 2020 Association for Computing Machinery 02 October 2020 Miami Hacks | October

02 October 2020 Association for Computing Machinery 02 October 2020 Miami Hacks | October

Association for Creepy Mansions 02 October 2020 Association for Computing Machinery 02 October 2020 Miami Hacks | October 2nd-4th Florida International University 36 Hour Hackathon Online! October 2nd-4th Register at

640 views • 31 slides

More recommend