some links about Eye-Fi hacking:
- Linux and Eye-Fi Hacking (Dave Hansen)
- Eye Fi Standalone Server Version 2.0 (Jeff Tchang)
- Inside the Eye-Fi card
- Inside the Eye-Fi: Secrets of the First Wireless SD Card
- The Eye-Fi: A Case Study in Next-Generation Application Security Issues
it runs eCos on an Atheros AR6001 chipset
in 550d 108;
- Eye-Fi task is started here: ROM:FF013650 B j_EyeFiTask_Initialize
- Task: ROM:FF16E5E0 EyeFiTask
- create a MessageQueue = EyeFi
- ROM:FF16E5FC LDR R0, [R4] ; queue_handle
ROM:FF16E600 MOV R2, #0 ; wait ROM:FF16E604 MOV R1, SP ; event_addr ROM:FF16E608 BL ReceiveMessageQueue ROM:FF16E60C LDR R0, [SP,#0x10+var_10] ROM:FF16E610 BL eyefi_queue_handler
- Related properties and functions:
- ROM:FF26CFC8 does REQM and REQC processing
- ROM:FF26DA58 does RSPM
- ROM:FF26DB14 does RSPC
which are the fake files to communicate with the card software: new-eyefi-card.html
but why the card is incompatible with enabled bootflag ? does the camera try to run code from eyefi card ?