Messages - SysCall

#1
Thanks a lot.

This does the trick:

Quote
Try loading it as ROM1, without splitting.

Btw, if anyone finds an old ROM dump of the 1000D Firmware 1.0.5 on the internet and wants to test it in QEMU, rename it to ROM1.BIN as mentioned above.

It was created the same way a1ex explained.

Both firmwares 1.0.5 and 1.0.7 are running in QEMU.
#2
When I try to run QEMU, I get only a gray image.

./run_canon_fw.sh 1000D,firmware=boot=1

DebugMsg=0xFFD0D5F4 (from GDB script)
Lockdown read 0
Lockdown read 0
Lockdown read 1
Lockdown read 1
Lockdown read 2
Lockdown read 2
Lockdown read 3
Lockdown read 3
Lockdown read 4
Lockdown read 4
00000000 - 00000FFF: eos.tcm_code
40000000 - 40000FFF: eos.tcm_data
00001000 - 0FFFFFFF: eos.ram
10001000 - 1FFFFFFF: eos.ram_uncached
10000000 - 10000FFF: eos.ram_uncached0
F8000000 - F87FFFFF: eos.rom1
F8800000 - F8FFFFFF: eos.rom1_mirror
F9000000 - F97FFFFF: eos.rom1_mirror
F9800000 - F9FFFFFF: eos.rom1_mirror
FA000000 - FA7FFFFF: eos.rom1_mirror
FA800000 - FAFFFFFF: eos.rom1_mirror
FB000000 - FB7FFFFF: eos.rom1_mirror
FB800000 - FBFFFFFF: eos.rom1_mirror
FC000000 - FC7FFFFF: eos.rom1_mirror
FC800000 - FCFFFFFF: eos.rom1_mirror
FD000000 - FD7FFFFF: eos.rom1_mirror
FD800000 - FDFFFFFF: eos.rom1_mirror
FE000000 - FE7FFFFF: eos.rom1_mirror
FE800000 - FEFFFFFF: eos.rom1_mirror
FF000000 - FF7FFFFF: eos.rom1_mirror
FF800000 - FFFFFFFF: eos.rom1_mirror
C0000000 - CFFFFFFF: eos.iomem
[EOS] loading './1000D/ROM1.BIN' (expected size 0x00800000, got 0x00400000) to 0xF8000000-0xF83FFFFF
[MPU] warning: non-empty spell #14 (PROP_CARD2_STATUS) has duplicate(s): #51
[MPU] warning: non-empty spell #34 (PROP_TFT_STATUS) has duplicate(s): #33 #43 #44
[MPU] warning: non-empty spell #42 (PROP_TFT_STATUS) has duplicate(s): #24 #29 #32 #74

[MPU] Available keys:
- Arrow keys   : Navigation
- PgUp, PgDn   : Sub dial (rear scrollwheel)
- [ and ]      : Main dial (top scrollwheel)
- SPACE        : SET (press only)
- DELETE       : guess (press only)
- M            : MENU (press only)
- P            : PLAY (press only)
- I            : INFO/DISP (press only)
- J            : JUMP (press only)
- D            : Direct Print
- W            : Pic.Style (press only)
- Z/X          : Zoom in/out
- Shift        : Half-shutter
- 0/9          : Mode dial (press only)
- B            : Open battery door
- C            : Open card door
- F10          : Power down switch
- F1           : show this help

Setting BOOTDISK flag to FFFFFFFF


It looks like this is the problem:

[EOS] loading './1000D/ROM1.BIN' (expected size 0x00800000, got 0x00400000) to 0xF8000000-0xF83FFFFF

I did split the ROM.BIN dump into two equal halves, ROM0.BIN and ROM1.BIN, as mentioned in the EOS M2 thread.

8388608 ROMDUMP.BIN
4194304 ROM0.BIN
4194304 ROM1.BIN

Does anyone know how to fix this?
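The size mismatch in the log above can be checked mechanically before starting QEMU. The following Python is an added example (not part of this post and not from the QEMU EOS tooling): it parses the `START - END: name` memory-map lines that QEMU printed, derives the expected size of the `eos.rom1` region, and classifies a dump file's size against it. The helper names are my own; the log excerpt and the two file sizes at the bottom are the ones listed in the post.

```python
import re

# Map lines as QEMU prints them at start-up: "START - END: name"
MAP_LINE = re.compile(r"^([0-9A-Fa-f]{8}) - ([0-9A-Fa-f]{8}): (\S+)$")

# Excerpt of the start-up log quoted in the post (non-map lines are ignored by the parser)
SAMPLE_LOG = """\
00000000 - 00000FFF: eos.tcm_code
40000000 - 40000FFF: eos.tcm_data
00001000 - 0FFFFFFF: eos.ram
10001000 - 1FFFFFFF: eos.ram_uncached
F8000000 - F87FFFFF: eos.rom1
F8800000 - F8FFFFFF: eos.rom1_mirror
F9000000 - F97FFFFF: eos.rom1_mirror
C0000000 - CFFFFFFF: eos.iomem
[EOS] loading './1000D/ROM1.BIN' (expected size 0x00800000, got 0x00400000) to 0xF8000000-0xF83FFFFF
"""


def parse_memory_map(log_text):
    """Return {region name: (start, end)}; a repeated name (the mirrors) keeps its first range."""
    regions = {}
    for line in log_text.splitlines():
        m = MAP_LINE.match(line.strip())
        if m and m.group(3) not in regions:
            regions[m.group(3)] = (int(m.group(1), 16), int(m.group(2), 16))
    return regions


def region_size(regions, name):
    """Size in bytes of a region; END is inclusive in the QEMU listing."""
    start, end = regions[name]
    return end - start + 1


def check_rom_file(file_size, regions, name="eos.rom1"):
    """Classify a dump file's size against the region QEMU will load it into."""
    expected = region_size(regions, name)
    if file_size == expected:
        return "ok"
    if file_size * 2 == expected:
        return "half"        # typical of a dump that was split into ROM0/ROM1 halves
    return "too large" if file_size > expected else "too small"


if __name__ == "__main__":
    regions = parse_memory_map(SAMPLE_LOG)
    # file sizes as listed in the post: the unsplit dump and one of the halves
    for fname, size in (("ROMDUMP.BIN", 8388608), ("ROM1.BIN", 4194304)):
        print(fname, hex(size), check_rom_file(size, regions))
```

Run stand-alone it reports the unsplit 8 MiB ROMDUMP.BIN as "ok" for the 0x800000-byte rom1 region and the 4 MiB ROM1.BIN as "half", which is the situation the reply above resolves by loading the unsplit dump as ROM1.BIN.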
#3
It looks like nobody is working on it at the moment. I did in the past but took a break.

a1ex is still looking at the emulation side, I guess.

I'm starting to look into it again, from time to time.

Don't expect anything in the near future, but you can always join and help change that :)
#4
General Development / Helpful Software for debugging
January 03, 2018, 10:06:20 PM
Hi all,

I just came across two pieces of software that might be useful for learning, debugging or reverse engineering when working on Magic Lantern.

I hope it's not considered spam; if so, please delete this post.

1. Software
Retargetable Decompiler
RetDec is an open-source machine-code decompiler based on LLVM.

The decompiler is not limited to any particular target architecture, operating system, or executable file format:

    Supported file formats: ELF, PE, Mach-O, COFF, AR (archive), Intel HEX, and raw machine code.
    Supported architectures (32b only): Intel x86, ARM, MIPS, PIC32, and PowerPC.

Link: https://retdec.com/home/

2. Software
VisUAL - a Visual Arm Emulator to learn and understand the ARM Assembly language

VisUAL has been developed as a cross-platform tool to make learning ARM Assembly language easier. In addition to emulating a subset of the ARM UAL instruction set, it provides visualisations of key concepts unique to assembly language programming and therefore helps make programming ARM assembly more accessible.

Link: https://salmanarif.bitbucket.io/visual/index.html
#5
@a1ex

That is great, thanks a lot.
#6
Not really, I was too busy photographing. I hope my Canon 1000D does not break anytime soon (over 53000 shutter counts), too much time-lapse  :D

I can't tell about any progress soon, because I want to use the summer and the good weather as much as possible.

Anyway, I started with the stubs.S and found so far a few function entry points (see below).

Note: Keep in mind the entry points (function addresses) are not yet verified or tested.

Lines with "//SC" are the ones modified or updated with the addresses for the 1000D; again, no guarantee that they are correct!

File: stubs.S



/** \file
* Entry points into the firmware image.
*
* These are the functions that we can call from our tasks
* in the Canon 1.0.9 firmware for the 450d.
*
* \todo Sort this file?  Generate it from the IDA map?
*/
/*
* Copyright (C) 2010 Magic Lantern Team
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the
* Free Software Foundation, Inc.,
* 51 Franklin Street, Fifth Floor,
* Boston, MA  02110-1301, USA.
*/

#include <stub.h>

.text

//NSTUB( ROMBASEADDR, firmware_entry )

//NSTUB(0xFFCFEBD4, AcquireRecursiveLock)
NSTUB(0xFF855870, AllocateFileCacheBuffer) //SC
NSTUB(0xffd1cc88, AllocateMemory) //SC
NSTUB(0xffd1cc88, _AllocateMemory) //SC
NSTUB(0xff960420, CreateDialogBox) //SC
NSTUB(0xFFD05A54, CreateTask) //SC
NSTUB(0xFFD0C544, CreateRecursiveLock) //SC
NSTUB(0xffd0c190, CreateMessageQueue) //SC
//NSTUB(0xFFD03C60, CreateMessageQueue) //SC from coutts

//NSTUB(0xff2ff7c4, DeleteDialogBox)
//NSTUB(0xFFD07654, DryosDebugMsg)
NSTUB(0xFFD0E1C4, dumpf)
//NSTUB(0xFFCCD90C, FIO_FindClose) // AJ__switch_0x1A50_n_calls_fstOpenDir FIO_FindClose
NSTUB(0xFFCDD570, FIO_CloseFile)
//NSTUB(0xFFCCD6DC, _FIO_CreateDirectory)
NSTUB(0xFFCDD558, _FIO_CreateFile) //SC
//NSTUB(0xFFCCCCD0, _FIO_FindFirstEx)
//NSTUB(0xFFCCCE34, FIO_FindNextEx)
NSTUB(0xffcd6f1c, _FIO_GetFileSize) // SC
NSTUB(0xFFCDD54C, _FIO_OpenFile) //SC
NSTUB(0xFFCDD57C, FIO_ReadFile) //SC
NSTUB(0xFFCDD564, _FIO_RemoveFile) // SC
NSTUB(0xFFCDD588, FIO_WriteFile) //SC
NSTUB(0xFFCDD594, FIO_SeekFile) //SC

//NSTUB(0xFFD16DB4, FreeMemory)
//NSTUB(0xFFD16DB4, _FreeMemory)
//NSTUB(0xff022004, GUI_ChangeMode)
//NSTUB(0xFF861F8C, GUI_Control)
NSTUB(0xffd44ef8, GUI_GetFirmVersion) //SC
//NSTUB(0xFF91E3BC, GetCFnData)
//NSTUB(0xff8dd40c, GuiEdLedBlink)
NSTUB(0xFF8DD40C, ___GuiEdLedBlink) //SC
//NSTUB(0xFF8DA670, GuiEdLedOff)
NSTUB(0xFF8DD3F4, ___GuiEdLedOff) //SC
//NSTUB(0xFF8DA640, GuiEdLedOn)
NSTUB(0xFF8DD3E0, ___GuiEdLedOn) //SC
NSTUB(0xFFD3F214, ioGlobalStdSet) //SC

//NSTUB(0xFFCF3C34, LoadCalendarFromRTC)
NSTUB(0xFF8458D4, MpuMonRead) //SC
NSTUB(0xFF845CFC, MpuMonWrite) //SC
//NSTUB(0xFFC6DD48, MuteOff_0)
//NSTUB(0xFFC6DDC4, MuteOn_0)

NSTUB(0xFFD04464, PostMessageQueue) //SC

NSTUB(0xFFD03FDC, ReceiveMessageQueue)

//NSTUB(0xFF97D5C4, RedrawDisplay)
//NSTUB(0xFFCFECFC, ReleaseRecursiveLock) // AJ_KernelDry_KerRLock.c_p2
//NSTUB(0xff15fd74, RemoteRelease)
NSTUB(0xFF855A54, RemoveAllFileCache) //SC
//NSTUB(0xff06f2fc, SetBitmapVramAddress)
//NSTUB(0xFF91E43C, SetCFnData)
//NSTUB(0xFF883E88, SetGUIRequestMode)
NSTUB(0xDD847338, TurnOnDisplay) //SC
NSTUB(0xFF8473BC,   TurnOffDisplay) //SC

NSTUB(0xFFD046C0, TryPostMessageQueue)  //SC

//NSTUB(0xff072f7c, _audio_ic_read)
//NSTUB(0xff0730c8, _audio_ic_write)
//NSTUB(   0x4154, additional_version) // or 4154 not sure
//NSTUB(0xFFD12088, alloc_dma_memory)
//NSTUB(0xFFD12088, _alloc_dma_memory)
//NSTUB(   0x30A90, bmp_vram_info ) // need checking
//NSTUB(0xffd7d718, bzero32) // memset at 0xffd7d718
//NSTUB(0xFFCF9788, call)
//NSTUB(0xC0220000, camera_engine)
////NSTUB(0xffd1989c, cfReadBlk)
NSTUB(0xFFCD9A34, cfReadBlk) //SC
//NSTUB(   0x314F8, cf_device) // not sure
//NSTUB(0xFFD2073C, cli_save)
//NSTUB(0xff01559c, create_init_task)
//NSTUB(0xFFCFEE00, create_named_semaphore)
//NSTUB(0xff010fb0, cstart)
//NSTUB(0xff2fe9f4, ctrlman_dispatch_event)
//NSTUB(0xFF95EF4C, dialog_redraw)
//NSTUB(0xFF8F0758, dialog_set_property_str)
//NSTUB(    0x2b18, dm_names)
//NSTUB(0xffd4cb6c, dm_set_store_level)
NSTUB(0xFFD3CC4C, free) //SC // not good points to FreeMemory
NSTUB(0xFFD3CC4C, _free) //SC // not good points to FreeMemory
//NSTUB(0xFFD120B4, free_dma_memory)
//NSTUB(0xFFD120B4, _free_dma_memory)
//NSTUB(0xff3d7798, fsuDecodePartitionTable) // AJ_fsuGetPart_related
//NSTUB(0xFFCFF390, give_semaphore)
//NSTUB(0xFF8646A4, gui_change_lcd_state_post)
//NSTUB(0xFF863B18, gui_change_mode)
NSTUB(0xFF864A4C, GUI_CHANGE_MODE) //SC
//NSTUB(0xFF8645E4, gui_change_shoot_type_post)
//NSTUB(0xFF861538, gui_init_end)
//NSTUB(0xFF8B3268, gui_init_event)
//NSTUB(0xFF863EE4, gui_local_post)
//NSTUB(    0x17530, gui_main_struct)
//NSTUB(0xFF861A28, gui_main_task)
//NSTUB(0xFF862734, gui_massive_event_loop)
//NSTUB(0xFF864380, gui_other_post)
//NSTUB(0xFF864514, gui_post_10000062)
//NSTUB(0xFF95BC58, gui_task_create)
//NSTUB(0xFF95BDA8, gui_task_destroy)
//NSTUB(   0x4AF8, gui_task_list)
//NSTUB(0xFFCFD6F4, gui_timer_something)
//NSTUB(    0x3624, gui_timer_struct)
//NSTUB(0xdeadbeef, init_task)
NSTUB(0xFFD3CC64, _malloc) //SC
//NSTUB(0xFFCFE720, msg_queue_post)
//NSTUB(0xFFCFE03C, msg_queue_receive)
NSTUB(0xFFD05708, msleep) // SC
    ////NSTUB(0xff1e0e04, mvrFixQScale)
    ////NSTUB(0xff1e0870, mvrSetDeblockingFilter)
    ////NSTUB(0xff1e08e0, mvrSetDefQScale)
    ////NSTUB(0xff1e0e24, mvrSetPrintMovieLog)
    ////NSTUB(    0xa39c, mvr_config)
    ////NSTUB(0xff078e6c, oneshot_timer)
//NSTUB(0xFFC35324, _prop_cleanup)
//NSTUB(0xFFC35144, prop_deliver)
//NSTUB(0xFFC35458, prop_get_value)
//NSTUB(0xFFC35200, prop_register_slave)
//NSTUB(0xFFC353AC, _prop_request_change)

//NSTUB(0xFFCF98C4, register_func)
////NSTUB(0xFFB97BF4, sdReadBlk)                      // might be good (dumps=1 score=8.2)
NSTUB(0xFFCDEBD8, sdReadBlk)
////NSTUB(   0x208D8, sd_device)
//NSTUB(0xFFD0ADA4, sei_restore)
    ////NSTUB(    0x1f54, sounddev)
    ////NSTUB(0xff063d64, sounddev_task)
    ////NSTUB(0xFF0640EC, sounddev_active_in)
//NSTUB(0xFFCFF1F4, take_semaphore)
//NSTUB(0xFFCFFAB4, task_create)
    ////NSTUB(    0x1934, task_dispatch_hook )
    ////NSTUB(0xff084ca4, task_trampoline)
    ////NSTUB(0xff2cb1e0, vram_get_number)
//NSTUB(0x00030528, vram_info)
//NSTUB(0xFFD08758, vsnprintf)

//NSTUB(0xFF8C1EA0, LiveViewApp_handler)
//NSTUB(0xFF8A6A04, PlayMain_handler)
    ////NSTUB(0xFF42B700, PlayMovieGuideApp_handler)
//NSTUB(0xFF8D560C, OlcAFFrameApp_handler)
//NSTUB(0xdeadbeef, ErrCardForLVApp_handler)
    ////NSTUB(0xFF3674A4, LiveViewWbApp_handler)
//NSTUB(0xFF8D64DC, ErrForCamera_handler) // ERR70 ERR80 etc (DlgErrForCamera.c AJ_DIALOG.HANDLER_DlgErrForCamera.c)

    ////NSTUB(0xff1f6b20, _engio_write)
    ////NSTUB(0xff1f664c, shamem_read) // AJ_0x8FB0_engio_struct_n_R0_manipulation_to_get_ptr
    ////NSTUB(0xff1f675c, _EngDrvOut) // AJ_EngDrvOut_1xVar_to_ShadowStruct

//NSTUB(0xFF8BBA54, ShootOlcApp_handler) // AJ_DIALOG.HANDLER_DlgShootOlcInfo.c

    ////NSTUB(0x29A9C, LCD_Palette) // in InitializeBitmapDisplayDevice right after 0xc0f14800

//NSTUB(0xFFD16E84, GetMemoryInformation)

//NSTUB(0xFFD06204, msg_queue_create)

    ////NSTUB(0xff0372b4, PD_RemoteRelease)
    ////NSTUB( 0xff16004c, PtpDps_remote_release_SW1_SW2_worker ) // called from: ptpRemoteRelease Occupy

// for task information
    ////NSTUB(0x2B24, task_max)
    ////NSTUB(0xFF087940, is_taskid_valid) // AJ_task_trampoline_related_p10
    ////NSTUB(0xff08779c, get_obj_attr) // AJ_checks_if_Process_id_created_by_Dryos
    ////NSTUB(0xff014c10, get_current_task)

//NSTUB(0xFFD17E18, AllocateMemoryResource) // m_pfAllocMemoryCBR
//NSTUB(0xFFD17E6C, AllocateContinuousMemoryResource) // m_pfContAllocMemoryCBR
//NSTUB(0xFFD17EC0, FreeMemoryResource) // m_pfFreeMemoryCBR
//NSTUB(0xFFD03548, GetFirstChunkFromSuite) // AJ_PackMemory_PackMem_p3
//NSTUB(0xFFD031B4, GetMemoryAddressOfMemoryChunk)

    ////NSTUB(0xff07365c, PowerAudioOutput)
    ////NSTUB(0xff061c44, StartASIFDMADAC)
    ////NSTUB(0xFF061A88, StartASIFDMAADC)
    ////NSTUB(0xff061d20, StopASIFDMADAC)
    ////NSTUB(0xFF0621C4, SetNextASIFADCBuffer) // called by SetNextUINT8ASIFADCBuffer and SetNextINT16ASIFADCBuffer
    ////NSTUB(0xFF06227C, SetNextASIFDACBuffer)
    ////NSTUB(0xff0736f4, SetSamplingRate )
    ////NSTUB(0xFF073944, SetAudioVolumeOut)

    ////NSTUB(0xFF06EDD0, AsyncEnableImagePhysicalScreenParameter)
    ////NSTUB(0xff06e8b0, EnableImagePhysicalScreenParameter)

//NSTUB(0xFF8A8C78, StartPlayProtectGuideApp)
NSTUB(0xFF8ABE0C, StartPlayProtectGuideApp) //SC
//NSTUB(0xFF8A9144, StopPlayProtectGuideApp)
NSTUB(0xFF8ABF1C, StopPlayProtectGuideApp) //SC

//NSTUB(0xFFCFFCC0, DeleteTask)
//NSTUB(0xFFD0068C, QueryTaskByName)

//NSTUB(0x30A98, LCD_Palette)
//NSTUB(0x30AD8, RGB_Palette)
//NSTUB(0x309C8, PB_Palette)

//NSTUB(0xFFC64BE8, SetRGBPaletteToDisplayDevice)
NSTUB(0xFFC6E838, SetRGBPaletteToDisplayDevice)
//NSTUB(0xFF8F08C4, ChangeColorPalette)
NSTUB(0xFF8F35A8, ChangeColorPalette)

//NSTUB(0xFFC63A88, SetParameterToBitmapDisplayDevice)
NSTUB(0xFFC6D6D4, SetParameterToBitmapDisplayDevice)


//NSTUB(0xFFC6D1EC, EnableBitmapVBufferForPlayBackAndWaiting)
NSTUB(0xFFC76AB0, EnableBitmapVBufferForPlayBackAndWaiting)

//NSTUB(0xFFC6B6B0, BmpDDev_give_semaphore)
//NSTUB(0xFFC6B660, BmpDDev_take_semaphore)

//NSTUB(0xFF81594C, bindGUISwitchCBR)

//NSTUB(0xFFCFDC18, register_interrupt)
//NSTUB(0xFFC3B624, SIO3_ISR)
NSTUB(0xFFC45108, MREQ_ISR)
//NSTUB(0xFFC3B55C, MREQ_ISR)
NSTUB(0xFFC45114, SIO3_ISR)

NSTUB(0xFFD04288, TryReceiveMessageQueue) // SC from coutts

//NSTUB(0xFFD0A7A0, TryPostEvent)
//NSTUB(0xFFD0A800, TryPostEvent_end)

//NSTUB(0xFFD1180C, TryPostStageEvent)
//NSTUB(0xFFD1197C, TryPostStageEvent_end) // PendStageEvent

//NSTUB(0xFFD28528, get_current_task) // 0x22E00
//NSTUB(0xFFD282EC, get_task_info)
//NSTUB(0xFFD29C10, get_active_task_list)

//NSTUB(0xFFD0A0D4, create_task_cmd_shell)

//NSTUB(0xFFB4AB18, ptp_register_handler)
//NSTUB(0xFFB42198, ptp_register_handlers_0x9800)

//NSTUB(0xFFD07654, DM_TryPostEvent)

NSTUB(0xFF841908, FA_Release) //SC

/** EDMAC routines **/
//NSTUB(0xFFCADCA0, SetEDmac)
//NSTUB(0xFFCADD00, StartEDmac)
//NSTUB(0xFFCADDC0, PopEDmac)
////NSTUB([idk], AbortEDmac)
//NSTUB(0xFFCADCC0, ConnectWriteEDmac)
//NSTUB(0xFFCADCDC, ConnectReadEDmac)

/** keep the old name until all are refactored **/
////NSTUB(0xFFCADDA0, EDMAC_RegisterCompleteCBR)

/** register/unregister CBR names **/
//NSTUB(0xFFCADDA0, RegisterEDmacCompleteCBR)
//NSTUB(0xFFCADDD8, RegisterEDmacAbortCBR)
NSTUB(0xFFCB6D60, RegisterEDmacAbortCBR)
//NSTUB(0xFFCADE58, RegisterEDmacPopCBR)
//NSTUB(0xFFCADDC0, UnregisterEDmacCompleteCBR)
//NSTUB(0xFFCADE20, UnregisterEDmacAbortCBR)
NSTUB(0xFFCB6D80, UnregisterEDmacAbortCBR)
//NSTUB(0xFFCADE78, UnregisterEDmacPopCBR)

// DEF(0xffd18c2c, GetSizeOfMaxRegion) // SC
#7

Ok, I just found out how to disassemble the ROM.BIN.

As Ant123 mentioned earlier, in the "bootloader_mem_dump/main.c" just replace in "void MyTask2()"

booloader_mem_dump_0();

with

dumpmemo();

Now compile and execute it on the camera.

After the dump finished, two files should be on the SD card.

RAMDUMP.BIN
ROMDUMP.BIN

Afterwards, follow the instructions from this link:

https://www.magiclantern.fm/forum/index.php?topic=12177.0

If you followed this thread (for Mac OS), update the "disassemble.pl" to this.

# adjust these for your needs (note final slash):
$path = "~/gcc-arm-none-eabi-4_8-2013q4/bin/";

# note on "strings": default is a minimum length of 4 chars.
# So if u are hunting for e.g. "FI2" add -n3
# However, it gives a lot of false positive.
$strdump = "strings -t x";
$objdump = "${path}arm-none-eabi-objdump";
$objcopy = "${path}arm-none-eabi-objcopy";


Now, looking at the main.c code, the ROM dump starts at FF800000, so modify the call like this.

perl disassemble.pl 0xFF800000 ROMDUMP.BIN

Once finished, open "ROMDUMP.BIN.dis" in a text editor.

---------------------
The write_bootflag and read_bootflag for the Canon 1000D look like this in assembly.

write_bootflag:

Address reg value ASM code / instruction
--------- ----------- -------------------------

ffff5fe0: e92d41f0 push {r4, r5, r6, r7, r8, lr}
ffff5fe4: e1a05001 mov r5, r1
ffff5fe8: e3a04000 mov r4, #0
ffff5fec: e3500000 cmp r0, #0
ffff5ff0: 13a0733e movne r7, #-134217728 ; 0xf8000000


read_bootflag:

Address reg value ASM code / instruction
--------- ----------- -------------------------

ffff60d0: e52de004 push {lr} ; (str lr, [sp, #-4]!)
ffff60d4: e3500000 cmp r0, #0
ffff60d8: 13a0333e movne r3, #-134217728 ; 0xf8000000
ffff60dc: 12833a02 addne r3, r3, #8192 ; 0x2000
ffff60e0: 13a020aa movne r2, #170 ; 0xaa



Next step would be to find the addresses of the functions for the 1000D and add them to the stubs.S.
This will take time ...
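For anyone wondering how the raw words in the listings above map to the mnemonics (why ffff5ff0's 13a0733e is "movne r7, #-134217728 ; 0xf8000000", or why 12833a02 adds exactly 0x2000), the following is an added example, not code from this post or from disassemble.pl. It decodes the ARM-mode (not Thumb) instruction forms that occur in the two functions: data-processing instructions with an immediate or plain register operand, plus the two push forms (STMDB sp! and STR Rd, [sp, #-4]!). Function and table names are my own; the encoding follows the classic ARM data-processing format, where the immediate is an 8-bit value rotated right by twice the 4-bit rotate field.

```python
# Condition codes (bits 31-28); 0xE is "always" and prints as nothing
COND = ["eq", "ne", "cs", "cc", "mi", "pl", "vs", "vc",
        "hi", "ls", "ge", "lt", "gt", "le", "", "nv"]
# Data-processing opcodes (bits 24-21)
DP_OPS = ["and", "eor", "sub", "rsb", "add", "adc", "sbc", "rsc",
          "tst", "teq", "cmp", "cmn", "orr", "mov", "bic", "mvn"]
REG = ["r%d" % i for i in range(13)] + ["sp", "lr", "pc"]


def ror32(value, n):
    """Rotate a 32-bit value right by n bits."""
    n %= 32
    return ((value >> n) | (value << (32 - n))) & 0xFFFFFFFF


def decode(word):
    """Decode one 32-bit ARM word; returns a mnemonic string or None if the form is not handled."""
    def bits(hi, lo):
        return (word >> lo) & ((1 << (hi - lo + 1)) - 1)

    cond = COND[bits(31, 28)]

    # STMDB sp!, {...}  (block store: P=1 U=0 S=0 W=1 L=0, base register sp) -> push {...}
    if bits(27, 25) == 0b100 and bits(24, 20) == 0b10010 and bits(19, 16) == 13:
        regs = [REG[i] for i in range(16) if bits(i, i)]
        return "push%s {%s}" % (cond, ", ".join(regs))

    # STR Rd, [sp, #-4]!  (single store: I=0 P=1 U=0 B=0 W=1 L=0, offset 4) -> push {Rd}
    if (bits(27, 26) == 0b01 and bits(25, 20) == 0b010010
            and bits(19, 16) == 13 and bits(11, 0) == 4):
        return "push%s {%s}" % (cond, REG[bits(15, 12)])

    # Data processing: cond 00 I opcode S Rn Rd operand2
    if bits(27, 26) == 0b00:
        op = DP_OPS[bits(24, 21)]
        rn, rd = REG[bits(19, 16)], REG[bits(15, 12)]
        if bits(25, 25):
            # immediate form: imm8 rotated right by 2 * rotate
            operand = "#0x%x" % ror32(bits(7, 0), 2 * bits(11, 8))
        elif bits(11, 4) == 0:
            operand = REG[bits(3, 0)]   # plain register, no shift
        else:
            return None                 # shifted-register forms, multiply, bx etc. not handled
        if op in ("mov", "mvn"):
            return "%s%s %s, %s" % (op, cond, rd, operand)
        if op in ("tst", "teq", "cmp", "cmn"):
            return "%s%s %s, %s" % (op, cond, rn, operand)
        return "%s%s %s, %s, %s" % (op, cond, rd, rn, operand)

    return None


def decode_signature(words):
    """Decode a list of words in order, the way a signature is listed in this thread."""
    return [decode(w) for w in words]


# The five write_bootflag words from the listing above, for a stand-alone run
WRITE_BOOTFLAG_WORDS = [0xE92D41F0, 0xE1A05001, 0xE3A04000, 0xE3500000, 0x13A0733E]

if __name__ == "__main__":
    for w, text in zip(WRITE_BOOTFLAG_WORDS, decode_signature(WRITE_BOOTFLAG_WORDS)):
        print("%08x  %s" % (w, text))
```

The decoder is deliberately limited to the forms seen in these two functions, so unsupported words come back as None rather than as a wrong mnemonic; objdump remains the tool for a full listing.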
#8
@Ant123

Cool, thank you very much.


//---------------------------------------
Note to myself:

Link: https://www.magiclantern.fm/forum/index.php?topic=12627.25
Quote
step 0: setup the toolchain (you can also do it like this)
step 1: dump the firmware (see a couple posts back)
step 2: analyze/decompile the firmware dump to find function stubs
step 3: run it in QEMU
step 4: if you get this far, get in touch with a1ex to create a bootflag fir, so you can run on actual camera

see also: some of the porting work done by recently for 70D (look at the commit history and diffs):
https://bitbucket.org/hudson/magic-lantern/branch/70d-support
https://bitbucket.org/hudson/magic-lantern/pull-request/620/add-support-for-eos-70d-111-both-revisions/diff#
#9
@Ant123

Quote from: Ant123 on December 15, 2016, 03:42:18 PM
You are strange people...
Printig bootloader memory values to log file instead making full ROM dump. Why?
That's because I did not have the correct setup yet. Even if I had a dump, I could not do anything with it.

Correct me if I'm wrong, but most people are using IDA Pro or GPL Tools/ARM console and QEMU for debugging.

I have difficulties setting it up on Mac OS; I'm considering switching to Linux and setting everything up there.

Quote
On 450D write_card_bootflag() function works well.

Is it a global function that you can just call?

In the installer it is defined as typedef:

typedef void (*ft_write_card_bootflag)(int arg0);

How do you determine the address (0xFFFF4140) anyway?
write_card_bootflag = (ft_write_card_bootflag)0xFFFF4140;
#10
@Levas

Perfect, confirmed.

I got the same result  :D .

Now we can work on the bootflag installer.

The only thing left is to find the write_card_bootflag address for the Canon 1000D.

From 450D port:
https://bitbucket.org/hudson/magic-lantern/src/18ac6b0f992918c7ba6dd282c3e74ca42574561c/installer/450D.110/bootdisk.c?at=vxworks&fileviewer=file-view-default#bootdisk.c-156
Quote
    //~ Not sure if this is correct or not
    write_card_bootflag = (ft_write_card_bootflag)0xFFFF4140;

I have read that someone just skipped it and made the SD card bootable manually.
#11
I wrote a small sequence, which will help us to find the signature.

We know that the functions are in the boot loader area, from FFFF0000 to FFFFFFFF.

The program will create a log file on the SD card with the address and content within the boot loader area.


// Address range of the boot loader (see the comments below); only defined here if the project does not already do so
#ifndef START_ADR
#define START_ADR 0xFFFF0000
#endif
#ifndef END_ADR
#define END_ADR   0xFFFFFFFC
#endif

// Function to read the content of the bootloader and write it to the logfile
void booloader_mem_dump_0()
{
// Create a logfile
MyGlobalStdSet();

// We use this pointer to read the content of an address;
// volatile so the compiler really performs every read
volatile unsigned int *p_addr = NULL;
unsigned int data = 0;


// The address range of the boot loader is from 0xFFFF0000 to 0xFFFFFFFF
// START_ADR: 0xFFFF0000
// END_ADR: 0xFFFFFFFC (last address not relevant, therefore 0xFFFFFFFC instead of 0xFFFFFFFF)
//
// Each address holds a 32 bit value => 4 bytes, therefore we have to increment the address by 4.
// 0xFFFF0000
// 0xFFFF0004
// 0xFFFF0008
// 0xFFFF000C
// ...
//


printf("\nAddr:      Data");
printf("\n---------------");


// "i" wraps around to 0 after END_ADR; the "i != 0" test ends the loop there
for(unsigned int i=START_ADR; ((i <= END_ADR) && (i!=0)); i=i+4)
{
// Point to the address (in this case "i" is the address) and read the 32 bit word stored there
p_addr = (volatile unsigned int *)i;
data = *p_addr;

// Write the address and the data to the log file
printf("\n%x :       %x", i, data);
}

printf("\n\n END \n\n");

// Set pointer to null, since it is not needed anymore.
p_addr = NULL;

// Signal finish
SleepTask(5000);

LEDRED = LEDON;
LEDBLUE = LEDON;

SleepTask(5000);

LEDRED = LEDOFF;
LEDBLUE = LEDOFF;
}



// ------------------------------------------------


@shmadul and Levas

We will continue once we have found the boot flag functions; therefore we have to make sure that the boot flag functions are correct.

Note: The program will not do anything to the boot flag!

Link: https://1drv.ms/f/s!AsC1K_kH7N9pbYhpDPUbSuC8Iss

1. Download the zip "bootloader_mem_dump.zip" and extract it
2. Build the project by "./run" in terminal (inside the folder)
3. Set the "Auto power off" to 8 or 15 minutes on your camera; we don't want to cancel the write process in between
4. Copy the .fir file to the SD card and execute it (don't touch any buttons afterwards)
5. After the sequence finishes (both LEDs, red and blue, turn on and off), copy the "address_log.txt" to your computer
6. Search now for signatures

Log file should look like this (example):

Addr:               Data
------------------------
ffff0000 : e59ff018
ffff0004 : e59ff018
....

Now, go through the file and search for the signature (see below, compare Data with the values below).

Once you have found them, copy the whole section (including address and data) and post it here; then we compare whether we all have the same addresses.


// ---------------------------------------------
Signatures

Attention: The order is very important!

The write function should be easy to find. Compare the data values in the log file with the following values.

write_bootflag signature (order of the data):
Quote
   Data
  --------------
    E92D41F0
    E1A05001
    E3A04000
    E3500000
    13A0733E


The read function will differ from the one that is posted here.

Hint: first search for all sequences that have E52DE004 and E3500000. Then check whether the sequence has the remaining values (3E33A013, 12833A02, 13A02040). The read function has 2 (unique) values which differ from the sequence listed below.

Let's see if you guys can find the sequence.

read_bootflag signature (order of the data):
Quote
   Data
  --------------
   E52DE004
   E3500000
   3E33A013
   12833A02
   13A02040


PS: Can you guys provide me your log files so I can check if there is any differences between them? Just PM me with the link.
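The signature search described in this post (and the same search Coutts describes for the 5dc in the next post, anchoring on the MOVNE word and checking the STMFD before it) can be done on the host against a ROMDUMP.BIN or the words from address_log.txt instead of by eye. The Python below is an added example, not the poster's code and not part of Magic Lantern: it splits a dump into little-endian 32-bit words, looks for the write_bootflag sequence exactly, and for read_bootflag uses only the two leading words the post calls reliable, then scores the three following words against the tail seen in the 1000D disassembly posted earlier in this thread (13a0333e, 12833a02, 13a020aa). The dump it runs on is constructed, with the signatures planted at known offsets; the base address 0xFFFF0000 is the bootloader start from the post, and all function names are my own.

```python
import struct

# Bootloader region start given in the post; word index * 4 + base = address
BOOTLOADER_BASE = 0xFFFF0000

# write_bootflag signature from the post, as 32-bit instruction words in order
WRITE_BOOTFLAG_SIG = (0xE92D41F0, 0xE1A05001, 0xE3A04000, 0xE3500000, 0x13A0733E)

# read_bootflag: the post says only the first two words are reliable, the rest may differ
READ_BOOTFLAG_PREFIX = (0xE52DE004, 0xE3500000)
# tail words as they appear in the 1000D disassembly posted earlier in this thread
READ_BOOTFLAG_TAIL_1000D = (0x13A0333E, 0x12833A02, 0x13A020AA)


def dump_to_words(blob):
    """Split a raw dump into little-endian 32-bit words (the byte order of these ARM ROMs)."""
    usable = len(blob) - len(blob) % 4
    return list(struct.unpack("<%dI" % (usable // 4), blob[:usable]))


def find_sequence(words, sig, base=BOOTLOADER_BASE):
    """Return the address of every word-aligned occurrence of `sig`; None in `sig` is a wildcard."""
    hits = []
    n = len(sig)
    for i in range(len(words) - n + 1):
        if all(s is None or words[i + k] == s for k, s in enumerate(sig)):
            hits.append(base + 4 * i)
    return hits


def rank_read_candidates(words, base=BOOTLOADER_BASE):
    """Find every prefix match, then score each by how many tail words agree with the 1000D reference.

    Returns [(address, score, tail_words)] sorted best first, so a function that merely
    saves lr and tests r0 (a common prologue) does not get mistaken for read_bootflag."""
    scored = []
    for addr in find_sequence(words, READ_BOOTFLAG_PREFIX, base):
        i = (addr - base) // 4 + len(READ_BOOTFLAG_PREFIX)
        tail = words[i:i + len(READ_BOOTFLAG_TAIL_1000D)]
        score = sum(1 for a, b in zip(tail, READ_BOOTFLAG_TAIL_1000D) if a == b)
        scored.append((addr, score, tail))
    scored.sort(key=lambda t: -t[1])
    return scored


def build_sample_dump():
    """Constructed test dump: 64 NOP-like words (mov r0, r0) with the signatures planted at known offsets."""
    words = [0xE1A00000] * 64
    words[10:15] = WRITE_BOOTFLAG_SIG
    words[30:35] = READ_BOOTFLAG_PREFIX + READ_BOOTFLAG_TAIL_1000D
    # decoy: same two-word prefix, different tail (constructed values)
    words[50:55] = READ_BOOTFLAG_PREFIX + (0x1A000004, 0xE3A00001, 0xE49DF004)
    return struct.pack("<%dI" % len(words), *words)


if __name__ == "__main__":
    words = dump_to_words(build_sample_dump())
    for addr in find_sequence(words, WRITE_BOOTFLAG_SIG):
        print("write_bootflag candidate at %08x" % addr)
    for addr, score, tail in rank_read_candidates(words):
        print("read_bootflag candidate at %08x, tail matches %d/3: %s"
              % (addr, score, " ".join("%08x" % w for w in tail)))
```

To use it on a real dump, replace build_sample_dump() with the file contents (for ROMDUMP.BIN the base would be the dump's load address rather than 0xFFFF0000). Two candidates with the same prefix and a perfect tail score would mean the tail is not specific enough for that camera, which is exactly the "verify at least 3 times" caution in the quote that follows.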
#12
Warning: Still under investigation, don't try anything described below if you don't want to damage your camera.

a1ex mentioned:

Quote
The boot flag can be enabled from both bootloader context (as done in the old 5D) or from main firmware.
EnableBootDisk only works from main firmware, but usually there is an equivalent bootloader routine, found in the FROMUTIL menu.

I tried with EnableBootDisk in the firmware.

The following function references are defined in entry_stubs.S.


NSTUB(EnableBootDisk, 0xFFD21248)
NSTUB(DisableBootDisk, 0xFFD21260)


However, calling them from main.c does not enable or disable the boot flag.

Coutts (original author) defined a function pointer type in main.h

typedef void (*Funktion)();

and calls it in main.c with the address of EnableBootDisk.

// EnableBootDisk()
Funktion f = (Funktion)0xFFD21248;
f();

By doing this the boot flag gets enabled.

Calling this:
// DisableBootDisk()
Funktion f = (Funktion)0xFFD21260;
f();


will disable it again.

At least that is what I observed.


@Ant123

Quote
Use modified common installer for VxWorks cameras.

Just for my understanding.

The installer enables the boot flag from the bootloader context?

You also needed the address of the write and read functions.

     * 0xFFFF89F0 | start of write_bootflag in 5dc BL.
     * 0xFFFF8A94 | end of write_bootflag in 5dc BL.
     * 0xFFFF8AE0 | start of read_bootflag in 5dc BL.
     * 0xFFFF8B20 | end of read_bootflag in 5dc BL.


To find those addresses I have to do this:

Quote
   * I located these functions by hand using the 400d bootloader as a reference. I had
   * to write code to search the bootloader region (0xFFFF0000-0xFFFFFFFF) for signatures
   * of the read_bootflag and write_bootflag functions. It was a very long/tedious process
   * checking each address one at a time - blinking everything through the LEDs. These
   * routines are safe to run to the best of my knowledge, I have not had any issues yet.

Digging a little bit in this thread:
https://www.magiclantern.fm/forum/index.php?topic=1452.0

Coutts said:

Quote
If 40d is similar to the 5dc, then you won't be able to run any practical code from a FIR (including calling the EnableBootDisk function or booting the firmware/camera) so you will need
to write some code that scans the bootloader area (0xFFFF0000-0xFFFFFFFF) for function signatures to identify the read/write bootflag functions. This will allow you to set the camera's bootflag,
to boot an autoexec.bin file with a prepared card, and development takes off from there (you will be able to boot the firmware and do anything from autoexec). I created this bootdisk code from the 350d method, using the 400d bootloader to find the signatures I needed.

You can use this to write code to search for specific signatures of the read_bootflag and write_bootflag functions.
Some signatures would be instructions like:

    MOVEQ   R7, #0xF8000000

which is assembled and looks like this in memory:

    0x03A0733E

I'll just tell you the signatures to find.
First, for write_bootflag. Here is a small snippet from that function, the first 5 instructions:

    ROM:FFFF89F0                 STMFD   SP!, {R4-R8,LR}
    ROM:FFFF89F4                 MOV     R5, R1
    ROM:FFFF89F8                 MOV     R4, #0
    ROM:FFFF89FC                 CMP     R0, #0
    ROM:FFFF8A00                 MOVNE   R7, #0xF8000000

If you were scanning memory, these 5 instructions would look like this(starting at 0xFFFF89F0 on the left and ending on 0xFFFF8A00 on the right):

    0xE92D41F0 0xE1A05001 0xE3A04000 0xE3500000 0x13A0733E

So, look for the signature for the MOVNE R7, #0xF8000000 instruction, then once you find it, search backwards for the STMFD (push) instruction signature, and you will have located write_bootflag in the 40d bootloader. Chances are the functions will probably be identical, but take caution to verify at least 3 times that you have located the correct function and it seems the same / similar to the 5dc one (remember we are working blind here).


Now, read_bootflag. First 5 instructions look like:

    ROM:FFFF8AE0                 STR     LR, [SP,#var_4]!
    ROM:FFFF8AE4                 CMP     R0, #0
    ROM:FFFF8AE8                 MOVNE   R3, #0xF8000000
    ROM:FFFF8AEC                 ADDNE   R3, R3, #0x2000
    ROM:FFFF8AF0                 MOVNE   R2, #0x40

And in memory would look like this (same thing as before, starting at 0xFFFF8AE0 on left and ending at 0xFFFF8AF0 on the right):

    0xE52DE004 0xE3500000 0x3E33A013 0x12833A02 0x13A02040

Note: there isn't a STMFD (push) instruction in read_bootflag. The 400d bootloader is like this too, so chances are the 40d is as well.



Now there are a few things that I don't understand.

1.
Search for specific signatures of the read_bootflag and write_bootflag functions

According to the two sources I have to blink through the address range (0xFFFF0000-0xFFFFFFFF) and find the "signature".

Where can I find the asm signature?

Example:

Do I have to blink one address and then make a ROM dump?

Afterwards I would load the ROM.BIN in IDA and jump to the part where I did the blinking and check if I can see the signature?

Otherwise I don't know how he gets the assembly instructions:

Quote
    ROM:FFFF89F0                 STMFD   SP!, {R4-R8,LR}
    ROM:FFFF89F4                 MOV     R5, R1
    ROM:FFFF89F8                 MOV     R4, #0
    ROM:FFFF89FC                 CMP     R0, #0
    ROM:FFFF8A00                 MOVNE   R7, #0xF8000000

2.
I don't know why Coutts skipped the installer way and tried to "reinvent the wheel" with EnableBootDisk / DisableBootDisk in his last release.

Maybe because he didn't want to blink through the whole address range again for the Canon 1000D?
#13
@Ant123

Quote
You should not reinvent the wheel.

No, that was not my intention, but maybe I should test it myself before posting it for others. At least I felt the need to do some kind of verification. I always went with the mindset that I could damage my camera for this project. At least if I damage it myself, I can blame myself for it. Now, what if I just post the .fir and someone else bricks their camera? Of course, even if I state "use at your own risk", people would not be happy with it.

Especially if it is the only camera that they own:

Quote
The 1000D is my main Camera and I can't risk it bricking

Of course you can argue, this is the development section and not the release section.

Quote
Use modified common installer for VxWorks cameras. You can also easily modify it to repair your camera.


After reading this I'm not sure if it is that easy.

Quote
Posted by: a1ex
« on: Yesterday at 10:40:25 PM »

You were quite lucky with this one;
...
I wouldn't advise messing with boot flags just to see what happens, as you may get a configuration that no longer boots at all. In particular, on DIGIC 5, such configuration is very easy to get by changing the value at 0xF8000024 (even by mistake). Recovery from this would only be possible with hardware changes (lookup Ant123's posts on CHDK forum for an example).


I do appreciate you and a1ex taking the time to give us advice and answer the questions.

You guys surely have better stuff to do than answering noob questions.
#14
@shmadul

1. Making dumps of RAM and ROM of the camera
2. Map all the magic lantern functions to the addresses located in the RAM

Magic Lantern uses most of the standard functions of the original firmware, which is loaded into the RAM after boot-up.
What you have to do is to "hook" (I think that is the term for it) those functions in the stubs.S file.

BTW, Ant123 gave you already the answer.

Quote
If you want to convert 450D port, the first thing you should do is set bootflag and check it with help of AUTOEXEC.BIN from "display test" topic. It's because all VxWorks ports use AUTOEXEC.BIN startup method.

Then you should find addresses of functions for 1000D in your firmware dump and change them in "\platform\450D.110\stubs.S". It can take many days or weeks.

After this you should edit cache related stuff in "\platform\450D.110\init.c", and edit another files in "\platform\450D.110\" and in "\src"
#15
@a1ex

Thank you very much for your help.


Here is my observation so far if someone is interested.
----------------------------------------------------------------------------------------------

What happened:
After enabling and disabling the boot flag several times the camera stops booting.

Why would I enable and disable it multiple times?
I want to make sure that it works stable, before posting it.

Camera still load autoexec.bin if the SD card was prepared for autoboot.

Observation:
Camera stays black after turning on, regardless of normal SD card or if it was made bootable.
Camera still functioning, if looking through the view finder, settings like aperture or exposure time can still be changed.
Taking picture is not possible only focus when pressing the shutter button.

Test 1:
-------
Putting display test (Magic Lantern Rescue) autoexec.bin on a bootable SD card shows:

Boot flags:
FIR=1610949440
BOOT=-348549156
RAM=-304267216
UPD=-1

Test 2:
-------
Putting (RAMEXEC fix) autoexec.bin from a1ex on the bootable SD card:

The camera boots up into the Canon menu, operates normally, and taking pictures is also possible now.
Magic Lantern Rescue still shows the same values.
Then I did "clear setting" in Canon's menu; no changes.

Test 3:
-------
Same configuration as Test 2 plus Canon's original firmware update (e6kr5107.fir):

After updating the firmware, the FIR was reset to zero. The rest is still the same.

Boot flags:
FIR=0
BOOT=-348549156
RAM=-304267216
UPD=-1


Test 4:
-------
Same configuration as Test 2, now with the .fir that I compiled myself and was using to disable the boot flag.
After booting up and executing the .fir via the firmware update menu, the camera boots up normally.

Looking again in the Magic Lantern Rescue shows:

Boot flags:
FIR=0
BOOT=0
RAM=-304267216
UPD=-1


The only thing that is not reset is the RAM, which is still RAM=-304267216 instead of RAM=-1.

But now the camera still needs a bootable SD card and the RAMEXEC fix autoexec.bin (or a valid autoexec.bin) to boot into the original firmware. When booting without an SD card, the camera shows a black screen, but still focuses if the shutter button is pressed.

The interesting part is, even though the Magic Lantern Rescue menu shows BOOT=0, the camera still auto-executes the autoexec.bin.

Also, usually if the camera has the latest update it says "latest firmware installed" or something similar and
refuses a firmware update, but I'm still able to apply the original firmware update as many times as I want.
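As an added example (not code from the original posts or from Magic Lantern itself), a small host-side Python helper that decodes the signed decimals printed by the Rescue display test in Tests 1 to 4 back into their raw 32-bit words and reports every value that is neither the "set" value -1 (0xFFFFFFFF) nor 0, the only two states treated as known in this thread. The sample readout is the one quoted in Test 1; the flag names and the "0 or -1" interpretation are taken from the posts, everything else is an assumption of this example.

```python
import re

# The Magic Lantern Rescue display test prints each 32-bit boot flag as a
# *signed* decimal: a fully set flag (0xFFFFFFFF) shows as -1, cleared as 0.
FLAG_SET = 0xFFFFFFFF
FLAG_CLEAR = 0x00000000

# Constructed sample: the readout quoted in Test 1 of the post above.
SAMPLE_TEST1 = """Boot flags:
FIR=1610949440
BOOT=-348549156
RAM=-304267216
UPD=-1
"""

LINE_RE = re.compile(r"^\s*(FIR|BOOT|RAM|UPD)\s*=\s*(-?\d+)\s*$", re.M)


def to_u32(signed_value: int) -> int:
    """Reinterpret the printed signed decimal as the raw 32-bit word."""
    return signed_value & 0xFFFFFFFF


def classify(word: int) -> str:
    """Name the state a raw flag word represents."""
    if word == FLAG_SET:
        return "set"
    if word == FLAG_CLEAR:
        return "cleared"
    return "unexpected"  # neither 0 nor 0xFFFFFFFF: not a known flag value


def parse_boot_flags(text: str) -> dict:
    """Return {name: (hex_word, state)} for every flag line in the readout."""
    flags = {}
    for name, value in LINE_RE.findall(text):
        word = to_u32(int(value))
        flags[name] = (f"0x{word:08X}", classify(word))
    return flags


def unexpected_flags(text: str) -> list:
    """Names of flags whose raw word is neither fully set nor cleared."""
    return [n for n, (_, state) in parse_boot_flags(text).items()
            if state == "unexpected"]


if __name__ == "__main__":
    for name, (hexword, state) in parse_boot_flags(SAMPLE_TEST1).items():
        print(f"{name:<4} {hexword}  {state}")
```

Run against the Test 1 readout, only UPD decodes to a known state; FIR, BOOT and RAM hold words that are neither 0 nor 0xFFFFFFFF, which matches the "stops booting" symptom described in the post.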
#16
I just removed my instruction on how to set the boot flag to prevent others from bricking their cameras.
#17
@Levas

It was my backup, time lapse and magic lantern dev camera.

My main camera is the Canon 80D; maybe I should hang the 1000D on my tripod now to stabilize it :P
#18
Interesting, if I set the dial to macro mode and push the shutter button, the flash opens XD
#19
@shmadul

Quote"Funktion" is German for Function (2 years of German finally paying off LOL)

It has nothing to do with the naming.

Coutts was German himself; that is why he named it "Funktion". You can name it whatever you want; even Ffuisdb() would work.
#20
I'm out of the game.

I just successfully bricked my camera.

I managed to enable and disable the boot flag a few times in a row without any issues and then ...

Now the boot flag says BOOT=-348549156

The camera can still read the autoexec.bin after removing the battery and putting it back.

Black screen when no SD card or a non-bootable SD card is inserted.

Picture:
https://1drv.ms/f/s!AsC1K_kH7N9pbYhpDPUbSuC8Iss
#21
I know it is not ML; I was using it as a base to get into ML development.

I'm totally new to this.

Since I couldn't find a description about the workflow on how to port ML to a camera, I tried to understand everything first.

If you look at the date of this thread, you would realize that we just started.

It helps that we just have a basic project like the one from coutts to play with.

Also, it is the only project for the Canon 1000D that I know of or could find.

How can I start porting something if I don't understand the basics?

Yesterday we didn't have a boot flag that was set.
#22
Sorry for the confusion; for me the latest is the last release from Coutts:

https://bitbucket.org/coutts/1000d_dev/src
#23
Quote
Now I see. But why are you playing with LEDs and not modifying the VxWorks branch?

Start simple :)


What I did was, in Coutts' latest release, just comment out the following code section:


// EnableBootDisk() 
Funktion f = 0xFFD21248;
f();


After that, I made the SD card bootable by executing in terminal:


sudo ./make_bootable.sh


After executing the .fir the first time, I don't need it anymore and the camera loads the AUTOEXEC.BIN automatically.
#24
Video is online, same link as previous post.

Btw, why is your flag set?

You got it already running?



QuoteIf BOOTFLAG is set you will see "BOOT=-1" ( -1 == 0xFFFFFFFF)


Guess my boot flag is set then, look at my link.
#25
@ Ant123

Well, looking at the image, I don't know what it is all about, to be honest, especially what the BOOT value means. I guess BOOT=-1 is wrong?

https://1drv.ms/f/s!AsC1K_kH7N9pbYhpDPUbSuC8Iss

But I can confirm that I can change only the AUTOEXEC.BIN and it will be executed after each restart:
- removed battery and put it back
- switch the camera off and on

Maybe I should make a video.