Evil Octal Information Security Team Technical Discussion Group's Archiver

EvilOctal 2005-6-28 01:53

[Repost] Camcorder Flash Memory Analysis

Source: [url]http://www.maushammer.com/systems/cvscamcorder/flash.html[/url]<p><div style="text-align: center;"><big><big><big>Camcorder Flash Memory
Analysis</big></big></big><br>
</div>
<br>
<div style="text-align: center;"><big><big>Pure Digital's CVS variation</big></big><br>
</div>
<br>
<div style="text-align: center;"><img
style="width: 90px; height: 144px;" alt="[camcorder pic]"
src="camcorder-icon.jpg"><br>
</div>
<hr style="width: 100%; height: 2px;"><big><big><small><br>
<big><span style="font-weight: bold;">Storage format</span></big></small></big></big><br>
The built-in 128MB Hynix flash (<a
href="http://www.hynix.com/datasheet/pdf/flash/HY27%28U_S%29A%2808_16%291G1M%28Rev0.5%29.pdf">datasheet</a>)
uses the standard Smart Media <a
href="../dakotadigital/flash-storage-format.html">format
used in the first version</a>
of the still camera. As per that standard, every 512-byte page has an
additional 16 bytes of spare area allocated to it for ECC, bad-block and
block-address bookkeeping. Both the ECC fields and the block address fields
are populated, so I used the same conversion
program I wrote for the older camera -- flashdump2iso.c.<br>
<br>
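As an added example (not the author's flashdump2iso.c, which this page does not reproduce), here is a Python program that does the same job on a raw dump: it reads the 16-byte spare area of every page, checks the parity of the block address field, verifies and corrects each 256-byte half of the page against its ECC field, and writes the blocks back out in logical order. The spare-area layout, the 32-page erase block and the 1024-physical/1000-logical zone mapping are assumptions taken from the SmartMedia physical format as I understand it, not from this page, and the dump it runs on is a small constructed one.<br>

```python
"""Rebuild the logical image from a raw SmartMedia-format NAND dump.
Added example, not the author's flashdump2iso.c.  Layout assumed from the
SmartMedia physical format: 512-byte page + 16-byte spare, 32 pages per block,
zones of 1024 physical blocks holding 1000 logical blocks; spare byte 5 = block
status (0xFF good), bytes 6-7 (copy at 11-12) = block address 0001 0 aaaaaaaaaa P
(even parity), bytes 13-15 = ECC over data[0:256], bytes 8-10 = ECC over data[256:512]."""
import struct

PAGE, SPARE, PAGES_PER_BLOCK = 512, 16, 32
RAW_PAGE = PAGE + SPARE
RAW_BLOCK = RAW_PAGE * PAGES_PER_BLOCK
BLOCKS_PER_ZONE, LOGICAL_PER_ZONE = 1024, 1000

def smartmedia_ecc(data) -> bytes:
    """3-byte Hamming ECC over 256 bytes: LP07..LP00, LP15..LP08, CP5..CP0 11.
    Parities are stored inverted, so all-0x00 and all-0xFF data both give FF FF FF."""
    lp, col = [0] * 16, 0
    for i, b in enumerate(data):
        p, col = bin(b).count("1") & 1, col ^ b
        for k in range(8):                      # lp[2k]: index bit k clear, lp[2k+1]: set
            lp[2 * k + ((i >> k) & 1)] ^= p
    cp = [bin(col & m).count("1") & 1 for m in (0x55, 0xAA, 0x33, 0xCC, 0x0F, 0xF0)]
    b0 = sum((lp[j] ^ 1) << j for j in range(8))
    b1 = sum((lp[8 + j] ^ 1) << j for j in range(8))
    b2 = sum((cp[j] ^ 1) << (2 + j) for j in range(6)) | 0x03
    return bytes([b0, b1, b2])

def ecc_correct(data, stored: bytes) -> int:
    """0 = clean, 1 = one data bit fixed in place, 2 = error only in the stored
    ECC bytes, -1 = uncorrectable.  `data` must be writable (bytearray/memoryview)."""
    x = [a ^ b for a, b in zip(smartmedia_ecc(bytes(data)), stored)]
    x[2] &= 0xFC
    ones = sum(bin(v).count("1") for v in x)
    if ones in (0, 1):
        return ones * 2
    if ones != 11:                              # one flipped bit toggles exactly one of each pair
        return -1
    w = x[0] | (x[1] << 8)                      # set member of each LP pair = one byte-address bit
    byte = sum(((w >> (2 * k + 1)) & 1) << k for k in range(8))
    bit = ((x[2] >> 3) & 1) | (((x[2] >> 5) & 1) << 1) | (((x[2] >> 7) & 1) << 2)
    data[byte] ^= 1 << bit
    return 1

def block_address(spare: bytes):
    """Logical block number from the block address field, None if unmapped."""
    w = struct.unpack(">H", spare[6:8])[0]
    if w == 0xFFFF:
        return None
    if (w >> 10) != 0b000100 or bin(w).count("1") & 1:
        raise ValueError(f"bad block address field {w:#06x}")
    return (w >> 1) & 0x3FF

def rebuild_logical(raw: bytes):
    """Place each good, mapped physical block at zone*1000 + lba, correcting each
    256-byte half against its ECC field; unmapped logical blocks come back as 0xFF."""
    blocks, stats = {}, {"corrected": 0, "uncorrectable": 0, "bad": 0}
    for pb in range(len(raw) // RAW_BLOCK):
        blk = raw[pb * RAW_BLOCK:(pb + 1) * RAW_BLOCK]
        if blk[PAGE + 5] != 0xFF:               # bad-block marker in the first page's spare
            stats["bad"] += 1
            continue
        lba = block_address(blk[PAGE:RAW_PAGE])
        if lba is None:
            continue
        out = bytearray()
        for p in range(PAGES_PER_BLOCK):
            data = bytearray(blk[p * RAW_PAGE:p * RAW_PAGE + PAGE])
            spare = blk[p * RAW_PAGE + PAGE:(p + 1) * RAW_PAGE]
            view = memoryview(data)
            for half, ecc in ((view[:256], spare[13:16]), (view[256:], spare[8:11])):
                r = ecc_correct(half, ecc)
                if r == 1 or r < 0:
                    stats["corrected" if r == 1 else "uncorrectable"] += 1
            out += data
        blocks[(pb // BLOCKS_PER_ZONE) * LOGICAL_PER_ZONE + lba] = bytes(out)
    n = max(blocks) + 1 if blocks else 0
    return b"".join(blocks.get(i, b"\xff" * (PAGE * PAGES_PER_BLOCK)) for i in range(n)), stats

def make_block(lba, fill: int, flip=None) -> bytes:
    """Constructed sample block of (fill, page#) byte pairs carrying `lba`
    (None = erased/unmapped, "bad" = bad-block marked); flip = (page, byte, bit)."""
    raw = bytearray()
    for p in range(PAGES_PER_BLOCK):
        data, spare = bytearray([fill, p] * (PAGE // 2)), bytearray(b"\xff" * SPARE)
        spare[13:16], spare[8:11] = smartmedia_ecc(data[:256]), smartmedia_ecc(data[256:])
        if lba == "bad":
            spare[5] = 0x00
        elif lba is not None:
            w = 0x1000 | (lba << 1)
            w |= bin(w).count("1") & 1          # parity bit makes the count of 1s even
            spare[6:8] = spare[11:13] = struct.pack(">H", w)
        if flip and flip[0] == p:
            data[flip[1]] ^= 1 << flip[2]       # flipped after the ECC was taken: a read error
        raw += data + spare
    return bytes(raw)

SAMPLE_DUMP = b"".join([
    make_block(1, 0x11),                        # physically first, logically second
    make_block("bad", 0x00),                    # marked bad, must be skipped
    make_block(0, 0x22, flip=(3, 100, 5)),      # one flipped bit for the ECC to repair
    make_block(None, 0xFF),                     # erased spare block, never mapped
    make_block(2, 0x33),
])

if __name__ == "__main__":
    image, stats = rebuild_logical(SAMPLE_DUMP)
    print(len(image), stats)
```

Assuming the Hynix part is a small-page device (528-byte pages, 32 pages per block), 128 MB is 8192 physical blocks, i.e. eight zones of 1024, which is why the "absolute location in flash" offsets in the partition table below cannot be compared directly with offsets in the converted image: the converter moves every block to zone*1000 + lba. Keeping a copy of the raw dump before running such a tool matters, since the spare area is the only record of that mapping.<br>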
<big><big><span style="font-weight: bold;">Partitions</span><br
style="font-weight: bold;">
</big></big>Once the Smart Media format has been stripped, the flash
contains five volumes. I've only identified them by sight, so I'm not
sure if there is a formal partition table like those found on hard
drives.<br>
<br>
The flash memory is divided like this:<br>
<br>
<table style="text-align: left;" border="1" cellspacing="2"
cellpadding="2">
  <tbody>
    <tr>
      <td style="vertical-align: top;">start<br>
      </td>
      <td style="vertical-align: top;">end<br>
      </td>
      <td style="vertical-align: top;">size<br>
      </td>
      <td style="vertical-align: top;">Format<br>
      </td>
      <td style="vertical-align: top;">Description<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top; text-align: right;">0<br>
      </td>
      <td style="vertical-align: top; text-align: right;">3FF<br>
      </td>
      <td style="vertical-align: top; text-align: right;"><br>
      </td>
      <td style="vertical-align: top;">?<br>
      </td>
      <td style="vertical-align: top;">Unknown - partition table?<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top; text-align: right;">400<br>
      </td>
      <td style="vertical-align: top; text-align: right;">5FF<br>
      </td>
      <td style="vertical-align: top; text-align: right;">512 B<br>
      </td>
      <td style="vertical-align: top;"><br>
      </td>
      <td style="vertical-align: top;">volume header for firmware
partition<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top; text-align: right;">600<br>
      </td>
      <td style="vertical-align: top; text-align: right;">139bff</td>
      <td style="vertical-align: top; text-align: right;">1253 KB<br>
      </td>
      <td style="vertical-align: top;">ELF<br>
      </td>
      <td style="vertical-align: top;">Firmware<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top; text-align: right;">139c00</td>
      <td style="vertical-align: top; text-align: right;">1bbfff<br>
      </td>
      <td style="vertical-align: top; text-align: right;">521 KB<br>
      </td>
      <td style="vertical-align: top;">FAT12<br>
      </td>
      <td style="vertical-align: top;">"ResourcesA" - general system
resources<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top; text-align: right;">1bc000</td>
      <td style="vertical-align: top; text-align: right;"><br>
      </td>
      <td style="vertical-align: top; text-align: right;">~112 MB<br>
      </td>
      <td style="vertical-align: top;">FAT16<br>
      </td>
      <td style="vertical-align: top;">"NO_NAME" - user data<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top; text-align: right;">7008000*<br>
      </td>
      <td style="vertical-align: top; text-align: right;">706fff0*<br>
      </td>
      <td style="vertical-align: top; text-align: right;"><br>
      </td>
      <td style="vertical-align: top;"><br>
      </td>
      <td style="vertical-align: top;">unknown; could be part of user
data or ResourcesB.<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top; text-align: right;">736c000*<br>
      </td>
      <td style="vertical-align: top; text-align: right;"><br>
      </td>
      <td style="vertical-align: top; text-align: right;"><br>
      </td>
      <td style="vertical-align: top;">FAT12<br>
      </td>
      <td style="vertical-align: top;">"ResourcesB" - serial number<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top; text-align: right;">7788000*<br>
      </td>
      <td style="vertical-align: top; text-align: right;"><br>
      </td>
      <td style="vertical-align: top; text-align: right;"><br>
      </td>
      <td style="vertical-align: top;">FAT12<br>
      </td>
      <td style="vertical-align: top;">"ResourcesC" -
application-specific resources</td>
    </tr>
  </tbody>
</table>
* Absolute (physical) location in flash, not the logical offset that results
once the Smart Media wear-leveling remap has been undone. I accidentally
overwrote my ECC data while doing that analysis, so now it's impossible to find out the <br>
<br>
<br>
<big><big><span style="font-weight: bold;"><a name="firmware"></a>Firmware</span></big></big><br>
The firmware is not stored as a separate file (as it was on the PV2). Instead,
it is a raw region of flash near the beginning, about 1253 kB long (0x600 to
0x139bff in the table above).<br>
<br>
Running the standard <span style="font-family: monospace;">file</span> utility
on the extracted region identifies it from the <a href="http://www.cs.ucdavis.edu/%7Ehaungs/paper/node10.html">ELF
header</a>:<br>
<br>
<table cellpadding="2" cellspacing="2" border="1"
style="text-align: left; margin-right: auto; margin-left: 40px;">
  <tbody>
    <tr>
      <td style="vertical-align: top;">
      <div style="text-align: center;"><span
style="font-family: monospace;">firmware.o: ELF 32-bit LSB executable,
MIPS, version 1 (SYSV), statically linked, stripped<br>
      </span></div>
      <span style="font-family: monospace;"></span> </td>
    </tr>
  </tbody>
</table>
<div style="text-align: right;"><br>
</div>
The standard unix utility <a
href="http://www.linuxdevcenter.com/linux/cmd/cmd.csp?path=o/objdump">objdump</a>
provides information on the structure of the file:<br>
<br>
<table style="text-align: left; margin-right: auto; margin-left: 40px;"
border="1" cellspacing="2" cellpadding="2">
  <tbody>
    <tr>
      <td style="vertical-align: top;"><pre>
architecture: mips:isa32, flags 0x00000002:
EXEC_P
start address 0x80000600

Program Header:
    LOAD off    0x000000d4 vaddr 0x80000180 paddr 0x80000180 align 2**0
         filesz 0x0000013c memsz 0x0000013c flags r-x
    LOAD off    0x00000220 vaddr 0x80000600 paddr 0x80000600 align 2**5
         filesz 0x0012e19c memsz 0x0012e19c flags r-x
    LOAD off    0x0012e3c0 vaddr 0x8012e7a0 paddr 0x8012e7a0 align 2**4
         filesz 0x0000a820 memsz 0x000173c0 flags rw-
    LOAD off    0x00138bec vaddr 0x90009800 paddr 0x90009800 align 2**2
         filesz 0x00000400 memsz 0x00000400 flags rw-
    LOAD off    0x00138fec vaddr 0xbfc08000 paddr 0xbfc08000 align 2**2
         filesz 0x00000210 memsz 0x00000210 flags rwx
private flags = 50000001: [no abi set] [mips32] [not 32bitmode]

Sections:
Idx Name          Size      VMA       LMA       File off  Algn
  0 .spc0         00000210  bfc08000  bfc08000  00138fec  2**2
                  CONTENTS, ALLOC, LOAD, CODE
  1 .spc1         00000000  bfc09000  bfc09000  001391fc  2**0
                  CONTENTS
  2 .spc2         00000000  bfc09400  bfc09400  001391fc  2**0
                  CONTENTS
  3 .spc3         00000000  bfc09800  bfc09800  001391fc  2**0
                  CONTENTS
  4 .spd0         00000000  90008000  90008000  001391fc  2**0
                  CONTENTS
  5 .spd1         00000000  90009000  90009000  001391fc  2**0
                  CONTENTS
  6 .spd2         00000000  90009400  90009400  001391fc  2**0
                  CONTENTS
  7 .spd3         00000400  90009800  90009800  00138bec  2**2
                  CONTENTS, ALLOC, LOAD, DATA
  8 .exception    0000013c  80000180  80000180  000000d4  2**0
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  9 .boot         00000040  80000600  80000600  00000220  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
 10 .text         0012dfc0  80000640  80000640  00000260  2**5
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
 11 __ex_table    00000010  8012e600  8012e600  0012e220  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
 12 .scratch      0000011c  8012e610  8012e610  0012e230  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
 13 .scratchpad3  00000070  8012e72c  8012e72c  0012e34c  2**0
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
 14 .data         0000a808  8012e7a0  8012e7a0  0012e3c0  2**3
                  CONTENTS, ALLOC, LOAD, DATA
 15 .data1        00000018  80138fa8  80138fa8  00138bc8  2**2
                  CONTENTS, ALLOC, LOAD, DATA
 16 .sbss         000005c4  80138fc0  80138fc0  00138be0  2**2
                  ALLOC
 17 .bss          0000c5d0  80139590  80139590  00138bec  2**4
                  ALLOC
SYMBOL TABLE:
no symbols
</pre>
      </td>
    </tr>
  </tbody>
</table>
<div style="text-align: right;"><br>
</div>
<br>
Although there are no symbols (which would give function and variable names
and be a great help), there are plenty of text strings. Some are merely
informational; others hint at what the code can do.<br>
<br>
Here are some clues about tools used to build the project:<br>
<br>
<table cellpadding="2" cellspacing="2" border="1"
style="text-align: left;">
  <tbody>
    <tr>
      <td style="vertical-align: top;"><pre>
Copyright (c) 1996-2001 <a href="http://www.rtos.com/">Express Logic Inc</a>. * <a href="http://www.rtos.com/txtech.asp">ThreadX</a> <a href="http://www.ghs.com/products/lexra_development.html">LX4180</a>/<a href="http://www.cs.ucdavis.edu/%7Ehaungs/paper/node10.html">Green Hills</a> Version G4.0.4.0 *
G-GB-GL-M-D-DL-KML-CMR-HMR-ML2-GZ-KH2-CM-RP-TC-NH-TD-AP-HA-GF-DD-AT-MF-MS-DW-USA-CA-SD-SDSU

Copyright (c) 1996-2004 Express Logic Inc. * <a href="http://www.rtos.com/fxtech.asp">FileX</a> LX4180/Green Hills Version G3.1a.3.1a *

Zoran Corporation
<a href="http://www.zoran.com/products/mobile/dig_cam.html">COACH</a>
COACHWare 1.0
2002:01:13 12:06:00
</pre>
      </td>
    </tr>
  </tbody>
</table>
<br>
The strings below read like the help text of an interactive UART monitor (a
command prompt with help, quit and prompt commands), so if someone can find a
serial port (or a serial-over-USB path) the camera may be controllable from a
terminal:<br>
<table cellpadding="2" cellspacing="2" border="1"
style="text-align: left;">
  <tbody>
    <tr>
      <td style="vertical-align: top;"><pre>
UART Monitor will be closed
Failed to get command string (%d)
%s is not recognized as an internal command
%s> 
Monitor
help
&lt;name&gt;
Prints function help
Prints all avaliable functions help
quit
Quits the monitor
prompt
&lt;string&gt;
Set new prompt
</pre>
      </td>
    </tr>
  </tbody>
</table>
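The program headers listed in the objdump output above are what turn an address seen in a disassembly back into a position in the flash, and vice versa. The Python below is an added example rather than the author's tooling: it parses the ELF32 program headers (either endianness), maps virtual addresses to file offsets and to absolute flash offsets (the 0x600 flash offset of the ELF is the one from the partition table), and lists printable strings tagged with their runtime address, which is how a string such as the monitor prompt above gets cross-referenced from the MIPS code that loads its address. The ELF it runs on is constructed from the five LOAD entries shown on this page and contains no real firmware code, only two strings placed at chosen offsets.<br>

```python
"""Translate between flash offsets, ELF file offsets and MIPS virtual addresses
for the firmware region using its program headers.  Added example, not the
author's tooling.  PAGE_SEGMENTS is copied from the objdump output on this page
and FIRMWARE_FLASH_OFFSET from its partition table; the sample ELF built from
them holds no real firmware code, only strings placed at chosen offsets."""
import re
import struct

FIRMWARE_FLASH_OFFSET = 0x600          # where the ELF starts inside the flash image
PT_LOAD, EM_MIPS = 1, 8

# (p_offset, p_vaddr, p_filesz, p_memsz, p_flags) for the five LOAD headers on the page
PAGE_SEGMENTS = [
    (0x000000d4, 0x80000180, 0x0000013c, 0x0000013c, 5),   # r-x  .exception
    (0x00000220, 0x80000600, 0x0012e19c, 0x0012e19c, 5),   # r-x  .boot, .text, ...
    (0x0012e3c0, 0x8012e7a0, 0x0000a820, 0x000173c0, 6),   # rw-  .data + .bss (memsz > filesz)
    (0x00138bec, 0x90009800, 0x00000400, 0x00000400, 6),   # rw-  .spd3
    (0x00138fec, 0xbfc08000, 0x00000210, 0x00000210, 7),   # rwx  .spc0
]

def parse_elf32(blob: bytes):
    """Return (e_entry, e_machine, [LOAD segments]) for an ELF32 of either endianness."""
    if blob[:4] != b"\x7fELF" or blob[4] != 1:
        raise ValueError("not an ELF32 image")
    end = "<" if blob[5] == 1 else ">"       # EI_DATA: 1 = LSB, 2 = MSB
    hdr = struct.unpack(end + "HHIIIIIHHHHHH", blob[16:52])
    e_machine, e_entry, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[3], hdr[4], hdr[8], hdr[9]
    segs = []
    for i in range(e_phnum):
        o = e_phoff + i * e_phentsize
        p_type, p_off, p_vaddr, _, p_filesz, p_memsz, p_flags, _ = struct.unpack(end + "8I", blob[o:o + 32])
        if p_type == PT_LOAD:
            segs.append((p_off, p_vaddr, p_filesz, p_memsz, p_flags))
    return e_entry, e_machine, segs

def vaddr_to_file(segs, vaddr):
    """File offset backing `vaddr`, or None if it is .bss-only or unmapped."""
    for off, va, filesz, _, _ in segs:
        if va <= vaddr < va + filesz:
            return off + (vaddr - va)
    return None

def file_to_vaddr(segs, off):
    """Virtual address of file offset `off`, or None if no LOAD segment covers it."""
    for seg_off, va, filesz, _, _ in segs:
        if seg_off <= off < seg_off + filesz:
            return va + (off - seg_off)
    return None

def flash_to_vaddr(segs, flash_off):
    """Where a byte at an absolute flash offset lands in the MIPS address space."""
    return file_to_vaddr(segs, flash_off - FIRMWARE_FLASH_OFFSET)

def strings_with_vaddr(blob, segs, min_len=4):
    """Like strings(1), but each hit is tagged with its runtime address, which is
    what you search for (as a lui/addiu pair) to find the code that uses it."""
    hits = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        va = file_to_vaddr(segs, m.start())
        if va is not None:
            hits.append((va, m.group().decode("ascii")))
    return hits

def build_sample_elf(strings_at):
    """Constructed little-endian MIPS ELF32 carrying PAGE_SEGMENTS; every segment
    byte is zero except the NUL-terminated strings placed at the given offsets."""
    blob = bytearray(max(o + fs for o, _, fs, _, _ in PAGE_SEGMENTS))
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + bytes(8)   # ELF32, LSB, version 1, SysV ABI
    blob[0:52] = ident + struct.pack("<HHIIIIIHHHHHH", 2, EM_MIPS, 1, 0x80000600,
                                     52, 0, 0x50000001, 52, 32, len(PAGE_SEGMENTS), 40, 0, 0)
    for i, (off, va, fs, ms, fl) in enumerate(PAGE_SEGMENTS):
        blob[52 + i * 32:84 + i * 32] = struct.pack("<8I", PT_LOAD, off, va, va, fs, ms, fl, 0)
    for off, s in strings_at.items():
        blob[off:off + len(s) + 1] = s + b"\0"
    return bytes(blob)

SAMPLE_STRINGS = {0x1000: b"UART Monitor will be closed",   # inside the .text segment
                  0x12e3d0: b"%s> "}                         # inside .data

if __name__ == "__main__":
    elf = build_sample_elf(SAMPLE_STRINGS)
    entry, machine, segs = parse_elf32(elf)
    print(f"entry {entry:#010x} -> file offset {vaddr_to_file(segs, entry):#x} (.boot)")
    for va, s in strings_with_vaddr(elf,
 segs):
        print(f"{va:#010x}  {s!r}")
```

Two things the mapping makes concrete: the entry point 0x80000600 is file offset 0x220, i.e. flash offset 0x820 once the 0x600 start of the ELF is added, and anything in .sbss/.bss (vaddr 0x80138fc0 and up in the third segment) has no bytes in flash at all, so a string address that falls there was written at run time and will never be found by searching the dump.<br>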
<br>
<br>
<big style="font-weight: bold;"><big><a name="resourcesA"></a>ResourcesA
Partition<br>
</big></big>This part of the flash (on my camera) occupies offsets 0x139c00 to
0x1bbfff (about 521 kB). It is a standard FAT12 DOS volume with the label
"ResourcesA".<br>
<br>
The files contained in this partition are:<br>
<table cellpadding="2" cellspacing="2" border="1"
style="text-align: left;">
  <tbody>
    <tr>
      <td style="vertical-align: top;"><pre>
-rwxrwxrwx     64 Jul 31  1971 YLUT.BIN
-rwxrwxrwx     44 Jul 31  1971 WAVEXIF.BIN
-rwxrwxrwx     38 Jul 31  1971 VIDSIZE.BIN
-rwxrwxrwx     46 Jul 31  1971 USBSTRINGS.BIN
-rwxrwxrwx     28 Jul 31  1971 USBMSINQSTR.BIN
-rwxrwxrwx     36 Jul 31  1971 USBMODEDESC.BIN
-rwxrwxrwx      6 Jul 31  1971 USBDEVDESC.BIN
-rwxrwxrwx     12 Jul 31  1971 TGCFG.BIN
-rwxrwxrwx    782 Jul 31  1971 TG1.BIN
-rwxrwxrwx    782 Jul 31  1971 TG.BIN
-rwxrwxrwx   3320 Jul 31  1971 P.BIN
-rwxrwxrwx  59268 Jul 31  1971 MOTOFONT.BIN
-rwxrwxrwx     50 Jul 31  1971 MEDIAFORMAT.BIN
-rwxrwxrwx    512 Jul 31  1971 LCLUT0.BIN
-rwxrwxrwx    928 Jul 31  1971 I.BIN
-rwxrwxrwx   2159 Jul 31  1971 GRAYCHART.JPG
-rwxrwxrwx   4252 Jul 31  1971 GPP.BIN
-rwxrwxrwx    960 Jul 31  1971 GAMMALUT9.BIN
-rwxrwxrwx    960 Jul 31  1971 GAMMALUT8.BIN
-rwxrwxrwx    960 Jul 31  1971 GAMMALUT7.BIN
-rwxrwxrwx    960 Jul 31  1971 GAMMALUT6.BIN
-rwxrwxrwx    960 Jul 31  1971 GAMMALUT5.BIN
-rwxrwxrwx    960 Jul 31  1971 GAMMALUT4.BIN
-rwxrwxrwx    960 Jul 31  1971 GAMMALUT3.BIN
-rwxrwxrwx    960 Jul 31  1971 GAMMALUT2.BIN
-rwxrwxrwx    960 Jul 31  1971 GAMMALUT1.BIN
-rwxrwxrwx    960 Jul 31  1971 GAMMALUT0.BIN
-rwxrwxrwx    256 Jul 31  1971 GAMMADDE1.BIN
-rwxrwxrwx     64 Jul 31  1971 EPS_XSCL.BIN
-rwxrwxrwx    124 Jul 31  1971 EPS_GCP0.BIN
-rwxrwxrwx     64 Jul 31  1971 DLUT.BIN
-rwxrwxrwx   7844 Jul 31  1971 CTLUT1.BIN
-rwxrwxrwx  10460 Jul 31  1971 COMIC.BIN
-rwxrwxrwx  17328 Jul 31  1971 COLORCHART.JPG
-rwxrwxrwx    128 Jul 31  1971 BASENLGF0.BIN
-rwxrwxrwx   4592 Jul 31  1971 B.BIN
-rwxrwxrwx     24 Jul 31  1971 AWBSETTINGS.BIN
-rwxrwxrwx     54 Jul 31  1971 AWBCFG.BIN
-rwxrwxrwx     38 Jul 31  1971 AVISTRLSTR.BIN
-rwxrwxrwx     16 Jul 31  1971 AVIMODELSTR.BIN
-rwxrwxrwx     13 Jul 31  1971 AGCCFG.BIN
-rwxrwxrwx    263 Jul 31  1971 AGC1.BIN
-rwxrwxrwx    263 Jul 31  1971 AGC.BIN
-rwxrwxrwx     72 Jul 31  1971 AF.BIN
-rwxrwxrwx    224 Jul 31  1971 AEGAIN.BIN
-rwxrwxrwx    220 Jul 31  1971 AE.BIN
-rwxrwxrwx    898 Jul 31  1971 ADC.BIN
</pre>
      </td>
    </tr>
  </tbody>
</table>
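The volumes in the Partitions section were identified by sight; the same check can be done mechanically. The Python below is an added example, not the author's code: it finds FAT12/FAT16 boot sectors and ELF headers in a stripped image by their signatures, parses the FAT12 BPB, lists the root directory the way the listing above does, and follows the 12-bit cluster chain to extract a file. The volume it runs on is constructed inside the script; three file names are borrowed from the listing, their contents are made up.<br>

```python
"""Find FAT volumes in a stripped flash image by boot-sector signature and list
a FAT12 root directory, following cluster chains to extract files.  Added
example, not the author's tooling.  The FAT12 volume below is constructed; the
file names come from the ResourcesA listing, the contents are made up."""
import struct

ELF_MAGIC = b"\x7fELF"

def scan_image(image: bytes, step=512):
    """(offset, kind, label) for ELF headers and FAT12/16 boot sectors on `step`
    boundaries.  The type string at 0x36 is advisory; FAT32 keeps it elsewhere."""
    hits = []
    for off in range(0, len(image) - 511, step):
        blk = image[off:off + 512]
        if blk[:4] == ELF_MAGIC:
            hits.append((off, "ELF", ""))
        elif blk[510:] == b"\x55\xaa" and blk[0x36:0x3e] in (b"FAT12   ", b"FAT16   "):
            label = blk[0x2b:0x36].decode("ascii", "replace").strip()
            hits.append((off, blk[0x36:0x3b].decode(), label))
    return hits

def geometry(vol: bytes):
    """(bytes/sector, sectors/cluster, fat_off, root_off, data_off) from the BPB."""
    bps, spc, reserved, nfats, root_entries, _, _, spf = struct.unpack("<HBHBHHBH", vol[11:24])
    root_off = (reserved + nfats * spf) * bps
    return bps, spc, reserved * bps, root_off, root_off + root_entries * 32

def fat12_entry(fat: bytes, n: int) -> int:
    """Entry n of a FAT12 table (two 12-bit entries are packed into 3 bytes)."""
    o = n * 3 // 2
    v = fat[o] | (fat[o + 1] << 8)
    return v >> 4 if n & 1 else v & 0xFFF

def list_root(vol: bytes):
    """(name, size, first_cluster) for each live root-directory entry."""
    _, _, _, root_off, data_off = geometry(vol)
    out = []
    for e in range(root_off, data_off, 32):
        d = vol[e:e + 32]
        if d[0] == 0:
            break                                   # end of directory
        if d[0] == 0xE5 or d[11] & 0x08:
            continue                                # deleted entry or volume label
        name, ext = d[:8].decode().rstrip(), d[8:11].decode().rstrip()
        first, size = struct.unpack("<H", d[26:28])[0], struct.unpack("<I", d[28:])[0]
        out.append((f"{name}.{ext}" if ext else name, size, first))
    return out

def read_file(vol: bytes, first: int, size: int) -> bytes:
    """Follow the FAT12 chain from `first` until an end-of-chain marker (>= 0xFF8)."""
    bps, spc, fat_off, root_off, data_off = geometry(vol)
    fat, data, c = vol[fat_off:root_off], b"", first
    while 2 <= c < 0xFF8:
        start = data_off + (c - 2) * spc * bps
        data += vol[start:start + spc * bps]
        c = fat12_entry(fat, c)
    return data[:size]

def build_fat12(label: bytes, files: dict) -> bytes:
    """Constructed 32 KiB FAT12 volume: 512-byte sectors, 1 sector per cluster,
    1 reserved sector, one 1-sector FAT, 16 root entries, data from sector 3."""
    bps, total, root_entries = 512, 64, 16
    vol = bytearray(total * bps)
    vol[0:11] = b"\xeb\x3c\x90MSWIN4.1"
    vol[11:24] = struct.pack("<HBHBHHBH", bps, 1, 1, 1, root_entries, total, 0xF8, 1)
    vol[0x26], vol[0x2b:0x36], vol[0x36:0x3e] = 0x29, label.ljust(11), b"FAT12   "
    vol[510:512] = b"\x55\xaa"
    fat_off, root_off, data_off = bps, 2 * bps, 2 * bps + root_entries * 32

    def set12(n, v):                                # inverse of fat12_entry
        o = fat_off + n * 3 // 2
        if n & 1:
            vol[o], vol[o + 1] = (vol[o] & 0x0F) | ((v << 4) & 0xF0), v >> 4
        else:
            vol[o], vol[o + 1] = v & 0xFF, (vol[o + 1] & 0xF0) | (v >> 8)

    set12(0, 0xFF8)                                 # media descriptor entry
    set12(1, 0xFFF)                                 # reserved entry
    nxt = 2
    for i, (name, data) in enumerate(files.items()):
        stem, _, ext = name.partition(".")
        n = max(1, -(-len(data) // bps))            # clusters needed (ceil)
        for k in range(n):
            set12(nxt + k, nxt + k + 1 if k < n - 1 else 0xFFF)
            start = data_off + (nxt + k - 2) * bps
            vol[start:start + bps] = data[k * bps:(k + 1) * bps].ljust(bps, b"\0")
        e = root_off + i * 32
        vol[e:e + 11] = stem.encode().ljust(8) + ext.encode().ljust(3)
        vol[e + 11] = 0x20                          # ATTR_ARCHIVE
        vol[e + 26:e + 32] = struct.pack("<HI", nxt, len(data))
        nxt += n
    return bytes(vol)

SAMPLE_FILES = {"YLUT.BIN": bytes(range(64)), "P.BIN": (bytes(range(256)) * 13)[:3320],
                "AWBCFG.BIN": b"awb-constructed-sample".ljust(54, b"\0")}
# ELF magic at 0x600 and the FAT12 volume at 0x1000 inside an otherwise empty carrier
SAMPLE_IMAGE = bytes(0x600) + ELF_MAGIC + bytes(0x1000 - 0x604) + build_fat12(b"ResourcesA", SAMPLE_FILES)

if __name__ == "__main__":
    for off, kind, label in scan_image(SAMPLE_IMAGE):
        print(f"{off:#08x} {kind} {label}")
    for name, size, first in list_root(SAMPLE_IMAGE[0x1000:]):
        print(f"{size:6d} cluster {first:3d} {name}")
```

On a real dump, 0x55AA and a plausible type string are hints rather than proof: boot code and MBRs carry the same signature, so sanity-check the BPB fields (bytes per sector a power of two, non-zero sectors per FAT) before trusting a hit, and remember that the real FAT type is determined by the cluster count, not by the string.<br>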
<br>
COLORCHART.JPG is a rather poor 320x240 representation of the standard <a
href="http://www.gretagmacbeth.com/index/products/products_color-standards/products_colorchecker-charts/products_colorchecker.htm">Macbeth
color chart</a>. It is actually a screenshot of a Windows program
with the title "The Macbeth ColorChecker

© 1999-2008 EvilOctal Security Team