Thanks atonal and Pelican.
I don't know the exact architecture, but there are both ARM and Thumb-2 instructions in the firmware, so it's probably not ARMv7-M. In IDA, I've used ARMv7-A&R, if that tells you anything, and in QEMU I've used ARM_FEATURE_V8 (CPU definition here). I managed to get it somewhat working with ARM_FEATURE_V7 and ARM_FEATURE_MPU as well, but got errors about execution permissions (these are probably configured by the bootloader code, which I don't have).
From what I could tell from the updater code, the bootloader loads the firmware update at 0x40800120 on both cores and expects ARM code (just like the 7D), so we don't actually have to compile Thumb code. To call Thumb functions, I've declared them as "long call" and made sure the function address has the LSB bit set (not sure if there's a simpler way with gcc).
For figuring out DryOS internals in QEMU, I've also used the EOS M3 firmware (yes, it's a PowerShot, but the DryOS core is the same) and the 100D QEMU patches from @nkls
(his changes allowed me to trace Canon's debug messages from GDB, without having to load custom code in the firmware).
For the dumper, I've used atonal's code, slightly modified (swapped the 16-bit halves and turned it into a function), compared it to gcc output (test code here) and seems to work fine. Didn't test Pelican's code.
For BLX.W (this is how IDA displays it, for example FE0A0B36 E2 F1 90 E3 BLX.W bzero32), I've changed the 0xf0009000 to 0xf000c000. Don't know where to find it in the spec, but it matches gcc output and gets recognized by IDA (at least for this particular case).
Emulation log for master core, with the dumper loaded: 7D2-master-dumper.log
Dumper source code: https://bitbucket.org/hudson/magic-lantern/branch/7D2-dumper
So, I'm looking for a volunteer to try the dumper on his 7D2 1.0.4