hacking: 300D runs DOS on x86 compatible CPU

Started Nov 17, 2003 | Discussions thread
Flat view
Alex Bernstein New Member • Posts: 24
hacking: 300D runs DOS on x86 compatible CPU

There has been a lot talk in this forum about hacking 300D firmware. Some say that this is something next to impossible, mainly because of proprietary processor/architecture used in the camera and "encrypted" firmware. Here's what I found after a few searches in Google:

In their older cameras Canon appears to have used a version of DOS from Datalight ( http://www.datalight.com ). Here's a BusinessWire press release reprinted by the DPReview in 1999: http://www.dpreview.com/news/9902/99022402canonromdos.asp . This basically means that processor in these cameras is x86 compatible and not some unknown proprietary architecture. Does 300D use ROM-DOS? Read on.

USB protocol used by Canon cameras have been reverse engineered by folks at Gphoto ( http://www.gphoto.org ) to enable using them with Linux. Additionaly, a simple application s10sh ( http://www.reynoldsnet.org/s10sh/ ) has been developed that uses this protocol to send "arbitrary" USB commands to the camera. Using s10sh, it is clear that in addition to CF picture storage drive (C: or D:), two other drives A: and B: are present that store camera firmware. It appears that drive A: contains DOS executable camera.exe that runs all the functions. Here's a page describing contents of S40: http://www.darkskiez.co.uk/digital.html

Moreover, folks at http://translate.google.com/translate?hl=en&sl=de&u=http://www.ixus-world.de/workshops/os/os_project_3.htm have even managed to run a simple program on the S40.

After mucking around for a few hours with my 300D, Knoppix Linux-on-CD, and making a few trivial changes to s10sh to support 300D here's what I found on my 300D (v1.1.1 firmware):
[Canon EOS DIGITAL REBEL] C:> dir A:

-- hide signature --

n- CAMERA .EXE 391k Wed Oct 8 14:56:36 2003
1 files 401000 bytes

[Canon EOS DIGITAL REBEL] A:> dir B:

--n- CAMERA .EXE 117k Wed Oct 8 14:57:32 2003
--n- LOGSAVE .EXE 34k Wed Oct 8 14:51:36 2003
-i-- DATA Thu Jan 1 00:00:00 1970
-i-- BOOTDISK Thu Jan 1 00:00:00 1970
4 files 396492 bytes


--n- NOTHM .JPG 5k Wed Oct 8 14:50:38 2003
1 files 5145 bytes


--n- COMMAND .COM 27k Wed Oct 8 14:51:02 2003
--n- VSSVER .SCC 48 bytes Wed Oct 8 14:51:02 2003
--n- RESTOOL .EXE 56k Wed Oct 8 14:51:36 2003
--n- CAMERA .EXE 6k Wed Oct 8 14:51:32 2003
--n- AUTOEXEC.BAT 10 bytes Wed Oct 8 14:51:32 2003
5 files 93171 bytes


-i-- DCIM Thu Jan 1 00:00:00 1970
1 files 0 bytes

I've transferred files to my PC, and found references to ROM-DOS and Datalight in them (as if .exe extension, command.com and autoexec.bat are not telling enough). Any real hackers want to takeover from here?

Flat view
Post (hide subjects) Posted by
Keyboard shortcuts:
FForum PPrevious NNext WNext unread UUpvote SSubscribe RReply QQuote BBookmark MMy threads
Color scheme? Blue / Yellow