Hacking the Canon Powershot SX20 IS

I’ve had my Canon Powershot SX20 IS camera for a few years now and have always regarded it as a stepping-stone to a better, “proper” camera. The problem is I have never quite got to the point where I can justify shelling out the considerable wonga to take the next step.

What I’d like is a modern digital equivalent to my brilliant old Nikon FM that served me well for a number of years, with up to date features as well as the best of the old. Two things in particular have annoyed me about the SX20 – the maximum exposure time of 15 seconds and the digital compression which irrationally leaves me with FOMO – something is missing from my photographs.

Having resolved not to spend a grand on a new camera, instead I lobbed a hundred quid into the Physics Pixies UNICEF appeal and set about altering the camera I have to deal with the two “problems”. The alterations amount to a firmware update using the CHDK (Canon Hack Development Kit) firmware addon. This is now an open-source project built on the work of programmer VitalyB’s RAW enabler and Andrei Gratchev’s development kit. The firmware update now includes a number of other really nice features including time-lapse, motion detection and bracketing of exposure and focus.

Finding out the camera’s firmware

The EXIF data in a digital photograph tells you quite a lot about the camera that took it and the settings used – see, for example, this picture on Flickr. Click “show EXIF”. This tells me almost but not quite enough about the firmware Revision – 1.02 rev 2.00. Your camera will tell you, though. First, create an empty file called ver.req in the root of the SD card. I did this on a MacBook Pro with the SD card in a slot on the laptop by issuing these commands:

$ cd Volumes/CANON_DC/
$ touch ver.req

Put the card in your camera and start it up in playback mode. From the main screen (should be displaying NO IMAGE for no images on the card), press FUNC SET and DISP. buttons and the camera will display a screen like this for about 5 seconds:


So my firmware version is GM1.02B. Other information is available – read the CHDK wiki for more.

Getting the firmware update

There are lots of different versions of the CHDK available and it seems to be important that you get the right one. Visit the download page and click the link to the stable build – this takes you the list of available versions. Obviously, pick the right one for your camera – the SX20 files are near the end of the page. I went for this one:


I downloaded and unzipped the archive locally, then removed the quarantine tag from the binary (something the OSX archive utility does to protect you from yourself):

$ xattr -d com.apple.quarantine DISKBOOT.BIN

Choosing the load method

There are two possible methods to set up your camera with this new software, neither of which alters the camera’s installed firmware. In the first and simplest, the SD card contains files that are loaded by the camera using the normal “firmware update” menu function. It doesn’t actually update the firmware: the code is loaded into RAM which means that the camera reverts to standard operation when it is switched off.

The second method requires a “bootable” SD card containing the CHDK and partitioned in the right way – a slightly more complex procedure being required to set this up. I wanted to go with the first method initially, principally because I am impatient, but discovered (because the required PS.FIR file was missing from the download archive) that the SX20 CHDK does not support the firmware update method. All the details for both methods are available on the wiki.

Preparing the SD card

First step in preparing for the “bootable” method is to partition and format the SD card. I used the OSX disk utility to do this on an 8GB SD card, setting up a 500MB MBR partition and the rest in a second partition, both formatted as FAT. The disk utility seemed to throw an error after partitioning and didn’t mount the first partition at this stage.

The next step requires the first partition to be unmounted anyway, as we convert it to a FAT16 partition by issuing this command using the appropriate disk identifier (disk1s1 in my case):

$ sudo newfs_msdos -F 16 -v Canon_DC -b 4096 -c 128 /dev/disk1s1

Ejecting and re-inserting the SD card shows the new partition arrangement is OK and both partitions mounted. The next step is to make the card bootable – first, by invoking the fdisk utility (you type the bold bits):

$ sudo fdisk -e /dev/disk1
fdisk: could not open MBR file [] No such file or directory <== IGNORE THIS
fdisk: 1> setpid 1
Partition id ('0' to disable) [0 - FF]: [B] (? for help) 1
fdisk:*1> write
Device could not be accessed exclusively.
A reboot will be needed for changes to take effect. OK? [n] y
Writing MBR at offset 0.
fdisk: 1> exit

Next, we have to edit the SD card’s Master Boot Record. Get a copy of it locally by issuing this:

$ sudo dd if=/dev/disk1s1 of=BootSector.bin bs=512 count=1

Remember to use the correct disk identifier (disk1s1 in my case). If you get “Resource busy”, it’s because the first partition is mounted – unmount (do not eject) it and try the dd command again. Next, the BootSector.bin file needs to be edited – I used HexEdit.app – to overwrite from position 0x40 the word BOOTDISK:


You should finish up with a file that’s still exactly 512 bytes that you can dd back to the SD card boot partition:

$ sudo dd if=BootSector.bin of=/dev/disk1s1 bs=512 count=1

Remounting the partition (using disk utility), the final step in preparing the SD card is to copy the CHDK files over. The file DISKBOOT.BIN (and PS.FI?, if you have it) goes in the first partition, everything else from the archive goes in the second, larger partition.


Eject the card and move the lock switch to the LOCK position (this is required to make CHDK operate – in the UNLOCK position, it’s just a normal Powershot but limited to the first partition). Put the SD card in the camera and start it up – you’ll notice a new splash screen:


You’ll also see some new items, like a battery monitor, but most of the CHDK functions are accessed through their own menus – you (and I) will have to spend a little time with the user manual, but look out for results on BlipFoto, Flickr or maybe even 500px.

WordPress XML-RPC Attack

This week, one of my sites, sptr.net, has been under a co-ordinated and sustained attack from what appears to be a botnet – a collective of several hundred virus-infected computers running Microsoft Windows. The attack comprises attempts to use the remote procedure call methods built into WordPress to post unauthorised content.


I was notified by one of my independent monitoring services that the site was having trouble some time after the attack began. It appears that once triggered by the attacker, it takes a while for the command to spread to a significant number of infected machines – this is reasonable if you assume the greatest number of infected PCs is in the USA. The attack peaked around the middle of the day in Scotland, coincident with the switching on of computers as the sun moved East to West across the continental US. Although the server remained operational, it was struggling to continue to respond to requests in a reasonable time as the CPU usage soared way above 1000% of nominal maximum. A look at the top processes on the server showed that it was trying to keep things together:

  PID USER      PRI  NI  VIRT   RES   SHR S CPU% MEM%   TIME+  Command
12345 xxxxxxx    20   0 55992 36080  7128 R 49.0  6.9  0:15.73 [see below]
12346 xxxxxxx    20   0 56036 36124  7188 R 46.0  6.9  0:04.96 [see below]
12347 xxxxxxx    20   0 55940 36076  7128 R 46.0  6.9  0:03.82 [see below]
12349 xxxxxxx    20   0 55912 35908  6984 R 46.0  6.8  0:07.88 [see below]
12340 xxxxxxx    20   0 55976 36116  7180 R 46.0  6.9  0:03.59 [see below]
12342 xxxxxxx    20   0 55940 36064  7128 R 44.0  6.9  0:07.21 [see below]
12341 xxxxxxx    20   0 55948 36140  7196 R 44.0  6.9  0:34.79 [see below]
12343 xxxxxxx    20   0 55972 36248  7276 R 44.0  6.9  2:20.11 [see below]

The command attempted showed that it was an attack on a php script:

/usr/bin/php-cgi -c /var/www/vhosts/sptr.net/etc/php.ini

Further investigation

Looking at the server access logs identified the specific script targeted by the attacker, the machines and methodology involved. The range of IP addresses showed that the infected PCs were world-wide (in the sample below, India, Poland, Egypt, Thailand, Algeria, Brazil and Pakistan). - - [10/Jul/2014:14:03:19 +0000] "POST /xmlrpc.php HTTP/1.1" 200 159 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)" - - [10/Jul/2014:14:03:34 +0000] "POST /xmlrpc.php HTTP/1.1" 200 159 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)" - - [10/Jul/2014:14:03:43 +0000] "POST /xmlrpc.php HTTP/1.1" 200 159 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)" - - [10/Jul/2014:14:03:54 +0000] "POST /xmlrpc.php HTTP/1.1" 200 159 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)" - - [10/Jul/2014:14:04:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 159 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)" - - [10/Jul/2014:14:04:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 159 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)" - - [10/Jul/2014:14:04:14 +0000] "POST /xmlrpc.php HTTP/1.1" 200 159 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"


Restarting the VPS container made no difference. CPU usage remained very high. Installing a plugin to disable XML-RPC in WordPress seemed to make things better, probably because of the response time improvement but as the day progressed, the attack seemed to abate and the server was coping better with CPU usage falling below 100% nominal maximum. The log sample above is from today, when the attacks have fallen to a few per minute instead of the hundreds per second on Tuesday. It looks like the botnet is learning that there are robust passwords on the system that will take too long to guess and is giving up.

Brute force solution

I’m not happy with this constant knocking at my door, however, so have decided that I don’t need a door there at all. Removing the target script doesn’t directly affect the rate of attack, it changes the 200 response to a 404 (page not found), which is quickly delivered. - - [10/Jul/2014:14:09:13 +0000] "POST /xmlrpc.php HTTP/1.1" 404 430 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"

WordPress Redirect Loop

WordPress is a brilliant tool, probably the best of the CMSs – Google says so – but every now and then it can stop you in your tracks. It did this today as I was setting up a new site for Marc Walker, the British Biathlon veteran and team manager who is retiring from Her Majesty’s service in August to set up a very special personal trainer business in Knutsford.

Marc Walker (image copyright Marcel Laponder CC-BY-3.0)
Marc Walker (image copyright Marcel Laponder CC-BY-3.0)

I hit a wee problem with an unexpected redirect loop when trying to access the back end. There are plenty of articles and “fixes” available on the web, none of which were relevant to my installation and most of which relate to permalinks and .htaccess. Because my installation is a long-standing derivative of WPMU or multi-site, it could not have been that.

For others in the same position, here’s what my install looks like:

  • LAMP hosted (on a VPS)
  • Version 3.9.1
  • Multiple WP sites, domain-mapped

I had a while ago, for some reason I have now forgotten, network disabled the default WordPress themes. When I added this new site, created the new admin user and mapped the domain, I found that the admin or login pages simply got stuck in a redirect loop.

The fix was easy enough – I simply had to enable Twenty-Fourteen (the default WP theme) for the new site via the network admin panel.

If you want to visit Marc’s new site, it’s at AvantgardePT.com. His new business will start up in August and will have a strong European baseline from his track record in Biathlon, military fitness, Iron Man, and an impressive bunch of competitive sports.

CentOS 6.5 on MSWind

Rather than make a pig’s ear out of my live VPS by testing out new Ruby code I’m playing with, I thought it would be prudent to have a machine that I can break without upsetting users. I have an Atom-based Advent netbook which only ever gets played with occasionally and this afternoon, seems quite willing to volunteer for a rebuild as a CentOS server. The world loves a volunteer. Continue reading “CentOS 6.5 on MSWind”

Redmine on CentOS

If you listened to that last audioboo, you’ll maybe recognise that I like the idea that being in control of your destiny is connected to how much you know about your life. The podcast was talking about organisations but my life at the moment is not unlike an organisation, with projects, finance and time management all being features. I have been using a number of tools to track all of this activity and frankly they’re not good enough, so I thought I’d give Redmine a try, after a couple of strong recommendations. Here’s I how I set it up on my CentOS VPS (Virtual Private Server). Continue reading “Redmine on CentOS”

WordPress network domain mapping fix

I’ve just been on an interesting little journey that started last September when I discovered that some of the sites on one of my WordPress networks had stopped working.

You might enjoy a little schadenfreude if I admit now that it was because I had a brilliant idea and did something stupid. I’ve posted details here in the hope that (a) if I do it again, I can find out how to fix it, and (b) if you’ve done it too, you’re closer to the solution than I have been for the past six months. I’ve ‘genericed’ the details to help you map it to your own setup. Continue reading “WordPress network domain mapping fix”

Beeswing: a brilliant critical literacy resource in the making

(c) 2013 Jack King-Spooner
Used without permission but I hope he doesn’t mind

I stumbled across an incredible project yesterday whilst lobbing a few quid into the KickStarter kitty of the makers of The Seventh Guest 3: The Collector. I like T7G and its sister, the 11th Hour, because they are what I wish many more computer games were: things that help the player grow as a person instead of the vast majority of nasty, violent, dehumanising poison that infects the minds of so many young people.

The project I found is called Beeswing and is a creative development by Jack King-Spooner of a handcrafted role-playing game, without violence (or puzzles!), set in rural Scotland. Jack is creating “a world of intertwining stories” within a game setting using beautiful media such as watercolour pictures, graphite sketches and clay animation, all set to original music. From the kickstarter project page:

It is a story about the past, about community and childhood, attachment and growing up. Scottish folk tales, morally dubious parables, cloudy anecdotes and more contemporary stories of homelessness and immigration all combine to create a truly dynamic narrative.

This is lovely enough, but the thing that really caught my attention was the value in the dialogues within the stories: there is a depth to them that goes beyond what you might at first expect. Jack describes them as, “trues stories, blended with fiction”. I think this game will have potential to be of great value to teachers in developing connected thinking and critical literacy in children, and a capacity to see the world around them in much more richer terms. Here’s an example from the video on the kickstarter project page:

I like the scarecrow, I know what it means.
See the flowers in the field? The poppies and buttercups? Rare sight.
They mean there’s no pesticide in the fields.
No pesticide means insects.
Insects mean rooks and crows.
Rooks and crows mean scarecrows.
I like the scarecrow, I know what it means.

If you liked Inanimate Alice, you’re going to love this. Why not click the picture and go support Jack? You’ll get the game when it’s out next year and an opportunity to really develop the children you’re involved with. Hurry, there’s only a couple of weeks left.

Code Hacks: WordPress WP-Filebase Pro

I updated my WordPress installations to 3.7 “Basie” this weekend and found that the file download stopped working for all users except admins. The files affected are those for which permissions are required (Subscriber and above).

I made a workaround to get it working for my physics teachers resource site at http://sptr.net. In classes/Item.php, within function CurUserCanAccess($for_tpl=false, $user = null), above the loop that checks user roles, you have to populate the roles array by calling get_role_caps(), thus:

if(empty($frs)) return true; // item is for everyone!
foreach($user->roles as $ur) { // check user roles against item roles
 if(in_array($ur, $frs))
 return true;

It looks like it’s working for now. I’ve posted the fix to the Plugin support forum.

Mavericks OSX 10.9 Update php fix

I updated to OSX 10.9 Mavericks this week, and as with all updates, it broke PHP. I run a local MAMP server for development purposes and it all works OK except that you have to re-enable PHP in the apache configuration file. I found a useful guide over at coolestguidesontheplanet.com which included these steps:

Open a terminal window and edit the httpd.conf file:

sudo nano /etc/apache2/httpd.conf

Uncomment this line:

LoadModule php5_module libexec/apache2/libphp5.so

Write out and save the file, then restart apache:

sudo apachectl restart

… and Robert’s your Mother’s Brother.