Canon 7D Mark II

Started by Pelican, November 02, 2014, 09:55:18 AM


atonal

Quote from: Pelican on May 29, 2016, 06:29:24 PM
I don't know what the .W at the end of B and BLX is...

The .W forces a 32-bit instruction in Thumb-2 mode, even if a 16-bit instruction existed. [1]

I also tried to construct the macro for B.W, based on the ARMv7-M specification which defines the 32-bit B.W [2]. Here's what I came up with:

#include <stdint.h>

/* Thumb reads PC as the address of the instruction plus 4. */
#define OFFSET(pc,dest) ((uint32_t)(dest) - (uint32_t)(pc) - 4)
/* imm32 = SignExtend(S:I1:I2:imm10:imm11:'0'), so S is bit 24 of the offset. */
#define S(offset) (((offset) >> 24) & 0x1)
#define I1(offset) (((offset) >> 23) & 0x1)
#define I2(offset) (((offset) >> 22) & 0x1)
#define IMM10(offset) (((offset) >> 12) & 0x3ff)
#define IMM11(offset) (((offset) >> 1) & 0x7ff)
/* J1 = NOT(I1 EOR S), J2 = NOT(I2 EOR S) */
#define J1(i1,s) ((!((i1) ^ (s))) & 0x1)
#define J2(i2,s) ((!((i2) ^ (s))) & 0x1)

/* Result is hw1:hw2 (first halfword in the upper 16 bits):
 * hw1 = 11110 S imm10, hw2 = 10 J1 1 J2 imm11 */
#define B_W_INSTR(pc,dest) \
    ( \
      0xf0009000 | \
      (S(OFFSET(pc,dest)) << 26) | \
      (IMM10(OFFSET(pc,dest)) << 16) | \
      (J1(I1(OFFSET(pc,dest)),S(OFFSET(pc,dest))) << 13) | \
      (J2(I2(OFFSET(pc,dest)),S(OFFSET(pc,dest))) << 11) | \
      (IMM11(OFFSET(pc,dest))) \
    )


Not extensively tested, so feel free to fix and improve.

I guess the binutils implementation [3] could be used as a reference too.

For the BLX I did not find a specification that defines the .W version. If such a specification exists, I'd be glad to see it.

From the ARM page [1] I can see that there are two different BLX instructions: BLX <Rm> and BLX <label>. The latter seems to be the only one which has a 32-bit version. Is that the one you're after, a1ex? Although, both the ARM page and the ARMv7-M spec say that BLX <label> is not part of ARMv7-M. Do we know for sure what architecture the DIGIC 6 has?

[1] http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.dui0489e/Cihfddaf.html
[2] https://web.eecs.umich.edu/~prabal/teaching/resources/eecs373/ARMv7-M_ARM.pdf
[3] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=blob;f=gas/config/tc-arm.c;h=3b0a021a379bc72c21ba8f0c312789fc25dd2d5e;hb=HEAD#l22108

a1ex

Thanks atonal and Pelican.

I don't know the exact architecture, but there are both ARM and Thumb-2 instructions in the firmware, so it's probably not ARMv7-M. In IDA, I've used ARMv7-A&R, if that tells you anything, and in QEMU I've used ARM_FEATURE_V8 (CPU definition here). I managed to get it somewhat working with ARM_FEATURE_V7 and ARM_FEATURE_MPU as well, but got errors about execution permissions (these are probably configured by the bootloader code, which I don't have).

From what I could tell from the updater code, the bootloader loads the firmware update at 0x40800120 on both cores and expects ARM code (just like the 7D), so we don't actually have to compile Thumb code. To call Thumb functions, I've declared them as "long call" and made sure the function address has the LSB bit set (not sure if there's a simpler way with gcc).

For figuring out DryOS internals in QEMU, I've also used the EOS M3 firmware (yes, it's a PowerShot, but the DryOS core is the same) and the 100D QEMU patches from @nkls (his changes allowed me to trace Canon's debug messages from GDB, without having to load custom code in the firmware).

For the dumper, I've used atonal's code, slightly modified (swapped the 16-bit halves and turned it into a function), compared it to gcc output (test code here) and it seems to work fine. Didn't test Pelican's code.

For BLX.W (this is how IDA displays it, for example FE0A0B36    E2 F1 90 E3    BLX.W bzero32), I've changed the 0xf0009000 to 0xf000c000. Don't know where to find it in the spec, but it matches gcc output and gets recognized by IDA (at least for this particular case).

Emulation log for master core, with the dumper loaded: 7D2-master-dumper.log

Dumper source code: https://bitbucket.org/hudson/magic-lantern/branch/7D2-dumper


So, I'm looking for a volunteer to try the dumper on his 7D2 1.0.4 :)
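An added example, my own code rather than atonal's macro or anything from the Magic Lantern tree, covering both atonal's B.W encoding (ARMv7-M T4 layout) and a1ex's two observations: the 0xf000c000 opcode for BLX.W and the halfword swap needed to store the word little-endian. It also decodes a word back to its target so an encoding can be checked against a disassembler line; the BLX.W opcode and the 4-byte PC alignment for BLX are assumptions taken from the gcc/IDA behaviour a1ex reports, not from a spec quoted in this thread.

```c
#include <stdint.h>

enum branch_kind { BRANCH_NONE = 0, BRANCH_B_W, BRANCH_BLX_W };

/* Classify a 32-bit Thumb-2 word given as hw1:hw2 (first halfword in the high 16 bits). */
static enum branch_kind thumb2_branch_kind(uint32_t instr)
{
    uint32_t hw1 = instr >> 16, hw2 = instr & 0xffff;
    if ((hw1 & 0xf800) != 0xf000 || !(hw2 & 0x8000)) return BRANCH_NONE;
    if (hw2 & 0x4000)   /* hw2 = 11 J1 1 J2 ... is BL (not handled here), 11 J1 0 J2 ... is BLX */
        return (hw2 & 0x1000) ? BRANCH_NONE : BRANCH_BLX_W;
    return (hw2 & 0x1000) ? BRANCH_B_W : BRANCH_NONE;   /* 10 J1 1 J2 imm11 is B.W (T4) */
}

/* Thumb reads PC as the instruction address + 4; BLX to ARM code aligns that down to 4. */
static uint32_t branch_base(uint32_t pc, enum branch_kind kind)
{
    return kind == BRANCH_BLX_W ? ((pc + 4) & ~3u) : (pc + 4);
}

/* Encode B.W (opcode bits 0xf0009000, ARMv7-M T4) or BLX.W (0xf000c000, the value a1ex
 * found to match gcc and IDA output; assumed here). Returns hw1:hw2. */
static uint32_t thumb2_branch_encode(uint32_t pc, uint32_t dest, enum branch_kind kind)
{
    uint32_t off = dest - branch_base(pc, kind);   /* two's complement, 25 significant bits */
    uint32_t s = (off >> 24) & 1, i1 = (off >> 23) & 1, i2 = (off >> 22) & 1;
    uint32_t j1 = (~(i1 ^ s)) & 1, j2 = (~(i2 ^ s)) & 1;   /* J1 = NOT(I1 EOR S), J2 likewise */
    uint32_t opcode = (kind == BRANCH_BLX_W) ? 0xf000c000u : 0xf0009000u;
    return opcode | (s << 26) | (((off >> 12) & 0x3ff) << 16)
                  | (j1 << 13) | (j2 << 11) | ((off >> 1) & 0x7ff);
}

/* Recover the branch target from hw1:hw2; returns 0 if the word is not B.W or BLX.W. */
static uint32_t thumb2_branch_target(uint32_t pc, uint32_t instr)
{
    enum branch_kind kind = thumb2_branch_kind(instr);
    if (kind == BRANCH_NONE) return 0;
    uint32_t hw1 = instr >> 16, hw2 = instr & 0xffff;
    uint32_t s = (hw1 >> 10) & 1, j1 = (hw2 >> 13) & 1, j2 = (hw2 >> 11) & 1;
    uint32_t i1 = (~(j1 ^ s)) & 1, i2 = (~(j2 ^ s)) & 1;
    uint32_t imm = (s << 24) | (i1 << 23) | (i2 << 22) | ((hw1 & 0x3ff) << 12) | ((hw2 & 0x7ff) << 1);
    if (s) imm |= 0xfe000000u;   /* sign-extend the 25-bit offset */
    return branch_base(pc, kind) + imm;
}

/* Swap the halfwords so the value can be stored as one little-endian 32-bit word (the
 * "swapped the 16-bit halves" step a1ex mentions); hw1 then occupies the first two bytes. */
static uint32_t thumb2_memory_word(uint32_t instr) { return (instr << 16) | (instr >> 16); }
```

Checking it against the IDA line a1ex quotes: the bytes E2 F1 90 E3 at FE0A0B36 are hw1:hw2 = 0xF1E2E390, which thumb2_branch_target decodes to 0xFE683258 (computed here), and encoding that target as BLX.W from the same pc gives 0xF1E2E390 back.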

ddelreal

I could probably do it but wouldn't be able to get to it until later this week.

menoc

I could try this Tuesday or Wednesday.

Peter Linov

I could do it, but I do not quite understand: this is a firmware for the camera, and I can test it?
My camera has 1.0.5 firmware; it will not work with ML?

Pelican

I've just put 1.0.4 to my 7D2 but I cannot find the updater fir
Should I compile it by myself?
If somebody could compile it would save a lot of time for me because I have no gcc on my laptop right now...
EOS 7D Mark II, EOS 7D, EOS 5, EOS 100 + lenses (10mm to 300mm), 600EX, 550EX, YN600EX x 3
EOScard, EOS DSLR firmwares, ARMu, NiControl, etc.: http://pel.hu/down

a1ex

Already tried it with atonal, but didn't work. Simply jumping to 0xFE0A0000 on both cores didn't work either (gives black screen).

Back to the drawing board.

Pelican


DeafEyeJedi

Assuming I have a running gcc on my MBP (gcc-arm-none-eabi-4_8-2013q4): recently, when I tried cloning the dumper source code, it gave me the options listed below, and I wasn't sure which one to choose from the command terminal?

Last login: Mon Jun 13 10:48:46 on ttys000
Apples-Macintosh-10:~ DeafEyeJedi$ hg clone -r https://bitbucket.org/hudson/magic-lantern/branch/7D2-dumper
hg clone: invalid arguments
hg clone [OPTION]... SOURCE [DEST]

make a copy of an existing repository

options ([+] can be repeated):

-U --noupdate          the clone will include an empty working directory
                        (only a repository)
-u --updaterev REV     revision, tag or branch to check out
-r --rev REV [+]       include the specified changeset
-b --branch BRANCH [+] clone only the specified branch
    --pull              use pull protocol to copy metadata
    --uncompressed      use uncompressed transfer (fast over LAN)
-e --ssh CMD           specify ssh command to use
    --remotecmd CMD     specify hg command to run on the remote side
    --insecure          do not verify server certificate (ignoring web.cacerts
                        config)

(use "hg clone -h" to show more help)
Apples-Macintosh-10:~ DeafEyeJedi$


Happy to help with this dumper, as I also have a co-worker who owns a 7D2 and is willing to have me test/play with it for you guys as well.
5D3.113 | 5D3.123 | EOSM.203 | 7D.203 | 70D.112 | 100D.101 | EOSM2.* | 50D.109

cmccullum

How do I "unwatch" this thread??

a1ex

Quote from: cmccullum on June 14, 2016, 06:34:08 AM
How do I "unwatch" this thread??

Best "motivational" phrase.




On-topic: I'm looking for a 7D2 user able and willing to measure the current from his camera while running this FIR. It can be done easily with an external power adapter and a multimeter, but you may need to sacrifice the cable.

The FIR simply jumps to 0xFE0A0000 on both cores (which I thought it should boot Canon firmware), but gives black screen according to atonal. Firmware version doesn't matter for this test.


00800120: e51ff004 ldr pc, [pc, #-4] ; 00800124 <_start+0x4>
00800124: fe0a0000 .word 0xfe0a0000


I'm looking at this option for two reasons:
- I want to find out whether the camera locks up or shuts down
- if I manage to lock up the camera without starting the main firmware (which was quite hard on the original 7D, as there was a watchdog shutting it down if the other digic was not initialized), I'm thinking to execute two code sequences that result in different power consumption (such as entering powersaving mode vs a busy waiting loop). This will let me dump the ROM bit by bit (probably slow). That's because I know neither the LED address, nor how to drive any other device that could give some sort of output, nor how to start Canon firmware.

atonal

Just to elaborate a bit on the trial with my camera: after trying to do the firmware update with the DUMMY7D2.FIR, the screen went black and the camera became totally unresponsive. Shutting down and removing the battery for a while made the camera come back to life again. Here's a short video, so you know what to expect: https://dl.dropboxusercontent.com/u/37493196/MOV_0017.mp4

Unfortunately I don't have an external power adapter nor a multimeter, so I can't help with this step.

a1ex

That's a good sign => the camera is locked up.

In this case, it would be best if, instead of a multimeter, one could use an Arduino board that reads the current from the analog input pin, then sends the data to the serial port so you can plot it on the PC. Tutorials: for example this and this (there are many other similar projects, so feel free to use the one you like best).

cmccullum

Quote from: a1ex on June 15, 2016, 06:13:44 PM
Best "motivational" phrase.

Haha Sorry I guess I should've been more clear. I'm getting email notifications every time a post is made here because I "watched" the thread at some point, and I can't figure out how to undo that.

DeafEyeJedi

Quote from: a1ex on June 15, 2016, 07:59:04 PM
That's a good sign => the camera is locked up.

Excellent progress, guys!  :)

FYI I have managed to get ahold of my co-worker to bring his 7D2 tomorrow into work as well as finding another colleague from the engineering dept at work that uses a Multimeter.

I also do have a Canon ACK-E6 AC Adapter Kit that can be put to use (even if I have to sacrifice the cable) which then can be 'fixed' with an electric tape.

@atonal -- would you mind sending me a PM with the DUMMY7D2.FIR attachment if possible as the gcc has been acting up on my MBP as of late.

Audionut

Quote from: cmccullum on June 15, 2016, 08:53:59 PM
Haha Sorry I guess I should've been more clear. I'm getting email notifications every time a post is made here because I "watched" the thread at some point, and I can't figure out how to undo that.

At the top of the thread, below the big notification box regarding MLV lite and such, on the right hand side.  "Mark as unread".


This message and yours will self destruct in 24 hours.  Good luck Ethan Hawk.

atonal

Quote from: DeafEyeJedi on June 16, 2016, 12:12:39 AM
would you mind sending me a PM with the DUMMY7D2.FIR attachment

You can find the link to the FIR from a1ex's post:

Quote from: a1ex on June 15, 2016, 06:13:44 PM
I'm looking for a 7D2 user able and willing to measure the current from his camera while running this FIR.

Pelican

Quote from: a1ex on June 15, 2016, 06:13:44 PM
I'm looking for a 7D2 user able and willing to measure the current from his camera while running this FIR. It can be done easily with an external power adapter and a multimeter, but you may need to sacrifice the cable.

The FIR simply jumps to 0xFE0A0000 on both cores (which I thought it should boot Canon firmware), but gives black screen according to atonal. Firmware version doesn't matter for this test.


00800120: e51ff004 ldr pc, [pc, #-4] ; 00800124 <_start+0x4>
00800124: fe0a0000 .word 0xfe0a0000


I'm looking at this option for two reasons:
- I want to find out whether the camera locks up or shuts down
- if I manage to lock up the camera without starting the main firmware (which was quite hard on the original 7D, as there was a watchdog shutting it down if the other digic was not initialized), I'm thinking to execute two code sequences that result in different power consumption (such as entering powersaving mode vs a busy waiting loop). This will let me dump the ROM bit by bit (probably slow). That's because I know neither the LED address, nor how to drive any other device that could give some sort of output, nor how to start Canon firmware.
So what should I see on the multimeter with this firmware?
Is it an oscillating current or not?
Yes, it is probably locked; it does nothing (black screen, no response) until the battery is removed.
My external power adapter just died :( so I can use its cable to play with.
I'm going to photograph butterflies right now, but next week I can test whether the firmware can produce different currents (a 3-4 sec period should be easy to measure).

a1ex

With the above FIR, you will probably only see a constant value.

I can prepare other FIRs which - hopefully - give different values on the multimeter. Once we have that part working, we can replace the multimeter with an arduino board and dump the firmware.

a1ex

I might have found the LED address.

Please try BLINK7D2.FIR (should work on any firmware version) and let me know whether the LED blinks.

Credits: https://chdk.setepontos.com/index.php?topic=11316.msg111290#msg111290

atonal


a1ex


Pelican


Lukey

Hi Guys,

Looks like you're all working hard, I am not a developer just an ML user, I have not had time to read up this thread very far so sorry for the probably annoying/obvious questions. I was just curious as to whether one day we will have a functioning ML for the 7d2 and what it will be capable of. 4k, raw etc. Sorry to interrupt your coding conversation, I am very keen to use it on mine as I previously used it on my 60D and was very disappointed to see that it's not yet available. Although not a coder I am happy to be an extra pair of hands if anything else is needed! Thanks everyone.  :)

dinissilva

Can you show me your setup so I can do the same with my Canon 80D! Please