Canon Camera Hacking
Hacking The Canon Powershot S40

Sorry folks, had no time to update this or work much on the project. My email address below has been spammed to hell; I haven't ignored your emails deliberately. Please prefix subject with [CAMERAHACK] to not get auto-deleted. When I get the chance I'll track down the programs I got to run / display messages etc.

UPDATED: 13/04/04 - Added excuses/Links
UPDATED: 02/06/02 - Added kernel call details
UPDATED: 01/06/02 - Added FLPCX.INI details
CREATED: 31/05/02

Yahoo Group - Canon Digi Hacking
CanonDigitalRebelHacking Wiki

Digital Camera Hacking

This is a summary of everything I have found out about my camera!
I am interested in running my own software on it for fun, like the MAME port for Digita cameras.

If you can help contact me on camerahack at darkskiez d0t co d0t uk, prefixing
mail subject with [CAMERAHACK] to not get erased. This account has been spammed to hell.

Camera: Powershot S40
CPU: x86 Compatible metapc
OS: Canon DigitalEye - A version of Datalight's ROM-DOS

The camera runs x86 binaries and is mostly compatible with MS-DOS function calls thanks to Datalight. I have managed to get a few simple programs to run.

The camera has drive letters mapped as follows

What's On The Camera

--n-  CAMERA  .EXE         400k  Thu Mar  7 10:00:56 2002

p-n-  CFFMT   .EXE          15k  Thu Sep 13 17:50:30 2001
p-n-  FLPC110 .EXE          20k  Thu Sep 13 17:50:30 2001
p-n-  FLPCX   .INI    159 bytes  Thu Sep 13 17:50:30 2001
p-n-  FLPCZ   .EXE          19k  Thu Sep 13 17:50:30 2001
p-n-  FPSYS1  .EXE           9k  Thu Sep 13 17:50:30 2001
-i--  TBL                        Thu Sep 13 17:50:38 2001
-i--  DATA                       Thu Sep 13 17:50:34 2001
p-n-  TB_APC  .IMG    600 bytes  Thu Sep 13 17:50:38 2001 - No idea
p-n-  TB_CLR  .IMG    576 bytes  Thu Sep 13 17:50:38 2001
p-n-  TB_GAM  .IMG     80 bytes  Thu Sep 13 17:50:38 2001
p-n-  NOTHM   .JPG           5k  Thu Sep 13 17:50:34 2001 - No Thumbnail Image
p-n-  OPERATE .WAV           3k  Thu Sep 13 17:50:34 2001 - Beep?
p-n-  SELF    .WAV          21k  Thu Sep 13 17:50:34 2001 - Self Timer Sound
p-n-  SHUT    .WAV           3k  Thu Sep 13 17:50:34 2001 - Shutter Sound
p-n-  STRINGS .BIN          34k  Wed Jan 23 10:21:08 2002 - Translation Text
p-n-  STUP    .JPG          14k  Thu Sep 13 17:50:36 2001 - Startup Image
p-n-  STUP    .WAV          12k  Thu Sep 13 17:50:36 2001 - and Sound

CAMERA.EXE I'm guessing is what you see when you turn it on!
CFFMT: Compact Flash ForMaT?

FLPCZ: Flash ROM Writer (Excerpt of help from inside it)
 flpcy i/e/w/v/p [address] [size] [file-name] [r]
 ID check:        flpcy i
 Erase:           flpcy e address size
 Write:           flpcy w address file-name
 Verify:          flpcy v address file-name
 Erase & Write:   flpcy p address file-name [r]
 Dump:            flpcy d address [size]
                  address = hex  80000 - 0x27FFFE
                  size    = hex      1 - 8000
                  r       = system reset
 Write(DRAM data):flpcy a rom-adr ram-adr size
                  rom-adr = hex  80000 - 0x27FFFE
                  ram-adr = hex  00000 - 7FFFFE
                  size    = hex      2 - FFFE

FLPCX.INI contains

;FLPCX.INI for 404e
ID 0x2249 0x0004
RLED 1 0x1000 0x0002 0x1010 0x0002 0x1012 0x0008
GLED 1 0x1000 0x0002 0x1010 0x0002 0x1012 0x0010

404e is the Internal Model Number for the Powershot S40.

Haven't a scooby what the rest of it means though? The Flash ROM's Address and Manufacturer Details?
Codes for some hardware access to turn the power LED between Red and Green during Flash Process?
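An added example (not from the original page or from Canon): a small parser for the FLPCX.INI text quoted above that compares the RLED and GLED records field by field. Reading the fields after the leading `1` as (address, value) pairs is an assumption made for this example.

```python
# The file contents are copied from the page; the interpretation is assumed.
FLPCX_INI = """\
;FLPCX.INI for 404e
ID 0x2249 0x0004
RLED 1 0x1000 0x0002 0x1010 0x0002 0x1012 0x0008
GLED 1 0x1000 0x0002 0x1010 0x0002 0x1012 0x0010
"""

def parse_flpcx(text):
    """Return (comments, {keyword: [int, ...]}) for an FLPCX.INI-style file."""
    comments, records = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";"):
            comments.append(line[1:].strip())
            continue
        key, *fields = line.split()
        # int(x, 0) accepts both "1" and "0x1000"
        records[key] = [int(f, 0) for f in fields]
    return comments, records

def as_pairs(values):
    """ASSUMPTION: after the leading value, fields are (address, value) pairs."""
    body = values[1:]
    if len(body) % 2:
        raise ValueError("odd number of fields after the leading value")
    return list(zip(body[0::2], body[1::2]))

def diff_led(records, a="RLED", b="GLED"):
    """List (address, value_a, value_b, differing_bits) where the records differ."""
    out = []
    for (addr_a, val_a), (addr_b, val_b) in zip(as_pairs(records[a]),
                                                as_pairs(records[b])):
        if addr_a != addr_b:
            raise ValueError("records refer to different addresses")
        if val_a != val_b:
            x = val_a ^ val_b
            out.append((addr_a, val_a, val_b, [i for i in range(16) if x >> i & 1]))
    return out

if __name__ == "__main__":
    comments, records = parse_flpcx(FLPCX_INI)
    for addr, r, g, bits in diff_led(records):
        print(f"0x{addr:04x}: RLED=0x{r:04x} GLED=0x{g:04x} differing bits {bits}")
```

The two records name the same three locations and differ only in the last value (0x0008 against 0x0010), which fits the red/green guess above without confirming it.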

Loading Your Own Executables

To get binaries to load, make a directory D:\DC97\MISC and place in it an INI file with the same name as the EXE, containing:

"Canon DigitalEye executable:VERSION=0001:Name Here "

e.g. TEST.EXE and TEST.INI. The last field must be padded with spaces up to 15 chars long for some reason. (I think)

Then power the camera up in replay mode and it is at the bottom of the replay menu! It disappears when you take any pictures and reappears if you delete them.
Update: They seem to hang about now even when I take pictures.. Odd.
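An added example (not from the original page): host-side helpers that build the INI record described above and audit a mounted card for EXE/INI pairs in DC97/MISC that the camera would list. It assumes the double quotes on the page are delimiters rather than file content; `build_ini`, `check_ini` and `audit_card` are names invented here.

```python
from pathlib import Path

MAGIC = "Canon DigitalEye executable"
NAME_WIDTH = 15  # padded width of the last field, as the page (tentatively) states

def build_ini(menu_name, version="0001"):
    """Build the record with the menu name space-padded to NAME_WIDTH."""
    if len(menu_name) > NAME_WIDTH or ":" in menu_name:
        raise ValueError("name must be at most 15 characters with no ':'")
    return f"{MAGIC}:VERSION={version}:{menu_name.ljust(NAME_WIDTH)}"

def check_ini(text):
    """Return a list of problems; an empty list means the record matches the page."""
    # ASSUMPTION: surrounding double quotes and a trailing newline are tolerated.
    body = text.rstrip("\r\n").strip('"')
    parts = body.split(":")
    if len(parts) != 3:
        return ["expected three ':'-separated fields"]
    problems = []
    if parts[0] != MAGIC:
        problems.append("first field is not the DigitalEye marker")
    if not parts[1].startswith("VERSION="):
        problems.append("second field does not start with VERSION=")
    if len(parts[2]) != NAME_WIDTH:
        problems.append(f"name field is {len(parts[2])} chars, not {NAME_WIDTH}")
    return problems

def audit_card(card_root):
    """Map each EXE in DC97/MISC to the problems found with its INI file."""
    misc = Path(card_root) / "DC97" / "MISC"
    report = {}
    if not misc.is_dir():
        return report
    files = sorted(misc.iterdir())
    for exe in (p for p in files if p.suffix.upper() == ".EXE"):
        # FAT names are case-insensitive, so compare upper-cased stems
        ini = next((p for p in files if p.suffix.upper() == ".INI"
                    and p.stem.upper() == exe.stem.upper()), None)
        if ini is None:
            report[exe.name] = ["no INI file of the same name"]
        else:
            text = ini.read_text(encoding="ascii", errors="replace")
            report[exe.name] = check_ini(text)
    return report
```

An EXE that maps to an empty list is one that should appear in the replay menu according to the description above.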

Interrupts Of Interest

21h - Multiplex Interrupt. DOS calls go here :]
E2h/90h - I think this is where the camera keeps its functions. I suppose this is where ROM-BASIC normally resides so it doesn't have to boot completely into a DOS system à la Datalight ROM-DOS. Perhaps that's why there are no DOS binary commands, such as command.com etc.

Camera Kernel Calls

Int 0xFF - Aha! This is hooked to return you addresses of various functions on the cameras!
Input: AH - Function Number
Returns: DS:DX - Pointer to kernel function

AH=1 Get Firmware Version Info
AH=7 Print Screen Message?
AH=8 OK/Cancel Dialog?
AH=A Something to do with the above.

They unfortunately don't seem to be simple calls to the functions, but include DS:DX+OFFSET for a whole slew of them too.