The story of how the CHDK was born is really amazing. Remember that "print" button on your camera, the one you never use? It has a light on it. Apparently someone coaxed their camera into outputting the source code of the firmware getting the "print" button to flash on and off.....
Reminds me of how people cracked the iPod Nano (I think) firmware - one of the first steps was exploiting a buffer overrun and dumping the bootloader acoustically, through the clicker. There's a page somewhere with a photo of an iPod and a mike, all in styrofoam.
BTW, CHDK doesn't use any exploit or vulnerability as all Canon cameras can boot from the SD memory, you only need to know the firmware file format, that it is of course already documented by the folks from CHDK.
