hacking: 300D runs DOS on x86 compatible CPU

Started Nov 17, 2003 | Discussions thread
ForumParentFirstPreviousNextNext unread
Flat view
Alex Bernstein
New MemberPosts: 24
Like?
hacking: 300D runs DOS on x86 compatible CPU
Nov 17, 2003

There has been a lot talk in this forum about hacking 300D firmware. Some say that this is something next to impossible, mainly because of proprietary processor/architecture used in the camera and "encrypted" firmware. Here's what I found after a few searches in Google:

In their older cameras Canon appears to have used a version of DOS from Datalight ( http://www.datalight.com ). Here's a BusinessWire press release reprinted by the DPReview in 1999: http://www.dpreview.com/news/9902/99022402canonromdos.asp . This basically means that processor in these cameras is x86 compatible and not some unknown proprietary architecture. Does 300D use ROM-DOS? Read on.

USB protocol used by Canon cameras have been reverse engineered by folks at Gphoto ( http://www.gphoto.org ) to enable using them with Linux. Additionaly, a simple application s10sh ( http://www.reynoldsnet.org/s10sh/ ) has been developed that uses this protocol to send "arbitrary" USB commands to the camera. Using s10sh, it is clear that in addition to CF picture storage drive (C: or D:), two other drives A: and B: are present that store camera firmware. It appears that drive A: contains DOS executable camera.exe that runs all the functions. Here's a page describing contents of S40: http://www.darkskiez.co.uk/digital.html

Moreover, folks at http://translate.google.com/translate?hl=en&sl=de&u=http://www.ixus-world.de/workshops/os/os_project_3.htm have even managed to run a simple program on the S40.

After mucking around for a few hours with my 300D, Knoppix Linux-on-CD, and making a few trivial changes to s10sh to support 300D here's what I found on my 300D (v1.1.1 firmware):
[Canon EOS DIGITAL REBEL] C:> dir A:

-- hide signature --

n- CAMERA .EXE 391k Wed Oct 8 14:56:36 2003
1 files 401000 bytes

[Canon EOS DIGITAL REBEL] A:> dir B:

--n- CAMERA .EXE 117k Wed Oct 8 14:57:32 2003
--n- LOGSAVE .EXE 34k Wed Oct 8 14:51:36 2003
-i-- DATA Thu Jan 1 00:00:00 1970
-i-- BOOTDISK Thu Jan 1 00:00:00 1970
4 files 396492 bytes

[Canon EOS DIGITAL REBEL] B:> dir B:\DATA

--n- NOTHM .JPG 5k Wed Oct 8 14:50:38 2003
1 files 5145 bytes

[Canon EOS DIGITAL REBEL] B:\DATA> dir B:\BOOTDISK

--n- COMMAND .COM 27k Wed Oct 8 14:51:02 2003
--n- VSSVER .SCC 48 bytes Wed Oct 8 14:51:02 2003
--n- RESTOOL .EXE 56k Wed Oct 8 14:51:36 2003
--n- CAMERA .EXE 6k Wed Oct 8 14:51:32 2003
--n- AUTOEXEC.BAT 10 bytes Wed Oct 8 14:51:32 2003
5 files 93171 bytes

[Canon EOS DIGITAL REBEL] B:\BOOTDISK> dir C:

-i-- DCIM Thu Jan 1 00:00:00 1970
1 files 0 bytes

I've transferred files to my PC, and found references to ROM-DOS and Datalight in them (as if .exe extension, command.com and autoexec.bat are not telling enough). Any real hackers want to takeover from here?

ForumParentFirstPreviousNextNext unread
Flat view
Post (hide subjects)Posted by
(nt)New
bumpNew
ForumParentFirstPreviousNextNext unread
Keyboard shortcuts:
FForum PPrevious NNext WNext unread UUpvote SSubscribe RReply QQuote BBookmark post MMy threads
Color scheme? Blue / Yellow