Hacking The Canon Powershot S40
Sorry folks, had no time to update this or work much on the project. My email address below has been spammed to hell; I haven't ignored your emails deliberately. Please prefix the subject with [CAMERAHACK] so it does not get auto-deleted. When I get the chance I'll track down the programs I got to run / display messages etc.
UPDATED: 13/04/04 - Added excuses/Links
UPDATED: 02/06/02 - Added kernel call details
UPDATED: 01/06/02 - Added FLPCX.INI details
Digital Camera Hacking
This is a summary of everything I have found out about my camera!
If you can help, contact me on camerahack at darkskiez d0t co d0t uk, prefixing the mail subject with [CAMERAHACK] so it does not get erased. This account has been spammed to hell.
CPU: x86 Compatible metapc
The camera runs x86 binaries and is mostly compatible with MS-DOS function calls thanks to Datalight. I have managed to get a few simple programs to run.
The camera has drive letters mapped as follows
What's On The Camera
--n- CAMERA .EXE 400k Thu Mar 7 10:00:56 2002
p-n- CFFMT .EXE 15k Thu Sep 13 17:50:30 2001
p-n- FLPC110 .EXE 20k Thu Sep 13 17:50:30 2001
p-n- FLPCX .INI 159 bytes Thu Sep 13 17:50:30 2001
p-n- FLPCZ .EXE 19k Thu Sep 13 17:50:30 2001
p-n- FPSYS1 .EXE 9k Thu Sep 13 17:50:30 2001
-i-- TBL Thu Sep 13 17:50:38 2001
-i-- DATA Thu Sep 13 17:50:34 2001
p-n- TB_APC .IMG 600 bytes Thu Sep 13 17:50:38 2001 - No idea
p-n- TB_CLR .IMG 576 bytes Thu Sep 13 17:50:38 2001
p-n- TB_GAM .IMG 80 bytes Thu Sep 13 17:50:38 2001
p-n- NOTHM .JPG 5k Thu Sep 13 17:50:34 2001 - No Thumbnail Image
p-n- OPERATE .WAV 3k Thu Sep 13 17:50:34 2001 - Beep?
p-n- SELF .WAV 21k Thu Sep 13 17:50:34 2001 - Self Timer Sound
p-n- SHUT .WAV 3k Thu Sep 13 17:50:34 2001 - Shutter Sound
p-n- STRINGS .BIN 34k Wed Jan 23 10:21:08 2002 - Translation Text
p-n- STUP .JPG 14k Thu Sep 13 17:50:36 2001 - Startup Image
p-n- STUP .WAV 12k Thu Sep 13 17:50:36 2001 - and Sound
CAMERA.EXE I'm guessing is what you see when you turn it on!
CFFMT: Compact Flash ForMaT?
FLPCZ: Flash ROM Writer (Excerpt of help from inside it)
flpcy i/e/w/v/p [address] [size] [file-name] [r]
ID check: flpcy i
Erase: flpcy e address size
Write: flpcy w address file-name
Verify: flpcy v address file-name
Erase & Write: flpcy p address file-name [r]
Dump: flpcy d address [size]
address = hex 80000 - 0x27FFFE
size = hex 1 - 8000
r = system reset
Write(DRAM data):flpcy a rom-adr ram-adr size
rom-adr = hex 80000 - 0x27FFFE
ram-adr = hex 00000 - 7FFFFE
size = hex 2 - FFFE
;FLPCX.INI for 404e
ID 0x2249 0x0004
RLED 1 0x1000 0x0002 0x1010 0x0002 0x1012 0x0008
GLED 1 0x1000 0x0002 0x1010 0x0002 0x1012 0x0010
404e is the Internal Model Number for the Powershot S40.
Haven't a scooby what the rest of it means though? The Flash ROM's Address and Manufacturer Details?
Codes for some hardware access to turn the power LED between Red and Green during Flash Process?
Loading Your Own Executables
To get binaries to load, make a directory D:\DC97\MISC and place the EXE in it along with an INI file of the same name containing
"Canon DigitalEye executable:VERSION=0001:Name Here "
e.g. TEST.EXE and TEST.INI. The last field must be padded with spaces up to 15 chars long for some reason. (I think)
Then power the camera up in replay mode and it is at the bottom of the replay menu! It disappears when you take any pictures and reappears if you delete them.
Update: They seem to hang about now even when I take pictures.. Odd.
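The steps above as a host-side script, added here as an example and not part of the original page: it copies an EXE into DC97\MISC on a mounted card and writes the matching INI with the name field padded to 15 characters. Assumptions: D: on the camera is the CompactFlash card, the quotation marks shown above are not part of the file, the INI has no line terminator, and the function names and the 8.3 name check are this example's own.

```python
import re
import shutil
from pathlib import Path

HEADER = "Canon DigitalEye executable"          # from the page
VERSION = "VERSION=0001"                        # from the page
NAME_FIELD_LEN = 15                             # page: padded with spaces to 15 chars
DOS_BASENAME = re.compile(r"^[A-Z0-9_]{1,8}$")  # conservative 8.3 base name (assumption)


def build_ini(menu_name: str) -> bytes:
    """Return the INI contents: HEADER:VERSION:<name padded to 15 chars>.

    Assumptions (not confirmed by the page): the quotes shown on the page
    are not part of the file, and there is no line terminator.
    """
    if not menu_name or len(menu_name) > NAME_FIELD_LEN:
        raise ValueError("menu name must be 1..15 characters")
    if not menu_name.isascii() or not menu_name.isprintable() or ":" in menu_name:
        raise ValueError("menu name must be printable ASCII without ':'")
    return f"{HEADER}:{VERSION}:{menu_name.ljust(NAME_FIELD_LEN)}".encode("ascii")


def install(card_root: Path, exe_path: Path, menu_name: str) -> tuple[Path, Path]:
    """Copy exe_path to <card_root>/DC97/MISC and write the matching INI."""
    base = exe_path.stem.upper()
    if exe_path.suffix.upper() != ".EXE" or not DOS_BASENAME.match(base):
        raise ValueError("need an 8.3 name such as TEST.EXE")
    misc = card_root / "DC97" / "MISC"
    misc.mkdir(parents=True, exist_ok=True)
    exe_dst = misc / f"{base}.EXE"
    ini_dst = misc / f"{base}.INI"              # same base name as the EXE
    shutil.copyfile(exe_path, exe_dst)
    ini_dst.write_bytes(build_ini(menu_name))
    return exe_dst, ini_dst


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:  # constructed stand-in for the card
        root = Path(tmp)
        exe = root / "test.exe"
        exe.write_bytes(b"MZ")                  # placeholder bytes, not a real program
        print(install(root / "card", exe, "Name Here"))
```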
Interrupts Of Interest
• 21h - Multiplex Interrupt. DOS calls go here :]
• E2h/90h - I think this is where the camera keeps its functions. I suppose this is where ROM-BASIC normally resides so it doesn't have to boot completely into a DOS system a-la Datalight ROM-DOS. Perhaps that's why there are no DOS binary commands, such as command.com etc.
Camera Kernel Calls
Int 0xFF - Aha! This is hooked to return you the addresses of various functions on the camera!
Input: AH - Function Number
Returns: DS:DX - Pointer to kernel function
AH=1 Get Firmware Version Info
AH=7 Print Screen Message?
AH=A Something to do with the above.
They unfortunately don't seem to be simple calls to the functions, but include DS:DX+OFFSET for a whole slew of them too.