Author Topic: [UNMAINTAINED] Canon 40D  (Read 188773 times)

dichterDichter

  • New to the forum
  • *
  • Posts: 6
[UNMAINTAINED] Canon 40D
« on: July 18, 2012, 08:55:06 AM »
Wow. I have a 40D and I think the 5Dc and the 40D are both VxWorks. Am I right? So would it work on a 40D?
It would be awesome to be able to record movies with the 40D.

Nice work.
« Last Edit: February 06, 2014, 04:45:42 PM by a1ex »

a1ex

  • Administrator
  • Hero Member
  • *****
  • Posts: 8820
  • 5D Mark Free
Re: Canon 40D
« Reply #1 on: July 18, 2012, 09:09:09 AM »
In theory, you have the foundation for running user code on 40D and most other VxWorks cameras.

In practice, there should also be a developer who must have this camera, skills and lots of time to work on it.

dichterDichter

  • New to the forum
  • *
  • Posts: 6
Re: Canon 40D
« Reply #2 on: July 18, 2012, 09:24:59 AM »
Thank you.
OK... I have that camera, skills: hmmm, lots of time: doh!
But why not. Maybe as a winter project.
Is it the current release or is there a special fork?
« Last Edit: July 18, 2012, 09:31:10 AM by dichterDichter »

a1ex

  • Administrator
  • Hero Member
  • *****
  • Posts: 8820
  • 5D Mark Free
Re: Canon 40D
« Reply #3 on: July 18, 2012, 09:30:59 AM »
It's in the current source tree.

dichterDichter

  • New to the forum
  • *
  • Posts: 6
Re: Canon 40D
« Reply #4 on: July 18, 2012, 02:41:20 PM »
OK, let's see what happens when I start that on my 40D this evening.

a1ex

  • Administrator
  • Hero Member
  • *****
  • Posts: 8820
  • 5D Mark Free
Re: Canon 40D
« Reply #5 on: July 18, 2012, 02:50:42 PM »
Don't run that code blindly, first understand how it works. It has zero chances to work on 40D unmodified, and can be dangerous.

http://magiclantern.wikia.com/wiki/Other_dslr
http://magiclantern.wikia.com/wiki/For_Developers

First get a firmware dump, find out LED address and try blinking it.

dichterDichter

  • New to the forum
  • *
  • Posts: 6
Re: Canon 40D
« Reply #6 on: July 18, 2012, 04:21:06 PM »
Yes, right. I will start with little steps. Thank you.

coutts

  • Developer
  • Senior
  • *****
  • Posts: 401
Re: Canon 40D
« Reply #7 on: July 18, 2012, 06:29:52 PM »
I suggest you look at my initial project for the 5dc:
www.bitbucket.org/coutts/5dplus

Everything starts in entry.S. First use a dumper tool to extract the firmware image from a Canon firmware update file (see the build_scripts/eos_tools_v11 folder in that project linked above). Use decrypt_fw and then dissect_fw to split the FIR up. See this wiki page for more details:
http://magiclantern.wikia.com/wiki/Packing_FIR_Files

After you analyze the firmware dump using a program like IDA Pro (or the free ARM Console created by Alex) to see how the camera boots/works, then attempt to boot a custom FIR file running user code. Use the assemble_fw perl script in the eos_tools directory to assemble a new FIR file with your usercode (compiled autoexec.bin) instead of Canon's payload. The final step is to run decrypt_fw again on this FIR to sign it for the camera to accept it. (Note: this step may or may not be necessary, depends on the camera. Try both if one doesn't work). Start by just blinking an LED or something basic to know your code runs. You don't need to boot the main firmware to blink an LED.

If 40d is similar to the 5dc, then you won't be able to run any practical code from a FIR (including calling the EnableBootDisk function or booting the firmware/camera) so you will need to write some code that scans the bootloader area (0xFFFF0000-0xFFFFFFFF) for function signatures to identify the read/write bootflag functions. This will allow you to set the camera's bootflag, to boot an autoexec.bin file with a prepared card, and development takes off from there (you will be able to boot the firmware and do anything from autoexec). I created this bootdisk code from the 350d method, using the 400d bootloader to find the signatures I needed. The only modification you will need to make is to change the references to these:
Quote
read_bootflag = (ft_read_bootflag)0xFFFF8AE0;
write_bootflag = (ft_write_bootflag)0xFFFF89F0;
https://bitbucket.org/coutts/5dplus/src/e486f2e53796/bootdisk.c

The 5dc took me many hours to get going, I dumped many memory addresses through LED blinks in binary, you should be prepared to do the same. Here is some code that you can use to blink out the contents of a memory address if you know the red/blue LED addresses:
https://bitbucket.org/coutts/5dplus/src/a1cc964de4af/init.c

You can use this to write code to search for specific signatures of the read_bootflag and write_bootflag functions. Some signatures would be instructions like:
Quote
MOVEQ   R7, #0xF8000000
which is assembled and looks like this in memory:
Quote
0x03A0733E

Use the 5dc bootloader (I can send you it) to know what signatures you're looking for (unique instructions that would only appear in the read/write bootflag functions). After you find a signature and have a match at some spot in the BL area (0xFFFF0000-0xFFFFFFFF), use this address and search in reverse (going backwards in memory to lower addresses) until you find the nearest PUSH (STMFD) instruction, this will be the address of the start of the function so that you can call it / use it.



I'll just tell you the signatures to find.
First, for write_bootflag. Here is a small snippet from that function, the first 5 instructions:
Quote
ROM:FFFF89F0                 STMFD   SP!, {R4-R8,LR}
ROM:FFFF89F4                 MOV     R5, R1
ROM:FFFF89F8                 MOV     R4, #0
ROM:FFFF89FC                 CMP     R0, #0
ROM:FFFF8A00                 MOVNE   R7, #0xF8000000
If you were scanning memory, these 5 instructions would look like this (starting at 0xFFFF89F0 on the left and ending on 0xFFFF8A00 on the right):
Quote
0xE92D41F0 0xE1A05001 0xE3A04000 0xE3500000 0x13A0733E

So, look for the signature for the MOVNE R7, #0xF8000000 instruction, then once you find it, search backwards for the STMFD (push) instruction signature, and you will have located write_bootflag in the 40d bootloader. Chances are the functions will probably be identical, but take caution to verify at least 3 times that you have located the correct function and it seems the same / similar to the 5dc one (remember we are working blind here).


Now, read_bootflag. First 5 instructions look like:
Quote
ROM:FFFF8AE0                 STR     LR, [SP,#var_4]!
ROM:FFFF8AE4                 CMP     R0, #0
ROM:FFFF8AE8                 MOVNE   R3, #0xF8000000
ROM:FFFF8AEC                 ADDNE   R3, R3, #0x2000
ROM:FFFF8AF0                 MOVNE   R2, #0x40
And in memory would look like this (same thing as before, starting at 0xFFFF8AE0 on left and ending at 0xFFFF8AF0 on the right):
Quote
0xE52DE004 0xE3500000 0x3E33A013 0x12833A02 0x13A02040
Note: there isn't a STMFD (push) instruction in read_bootflag. The 400d bootloader is like this too, so chances are the 40d is as well.

NOTE: you may need to reverse endianness of the assembled instructions above to see them in memory, but maybe not, I can't remember :P


So, once you have located read_bootflag() and write_bootflag(), you will be able to really start developing. :) This may seem confusing, and I'm sorry, but I hope you will see how valuable this information is (I had to figure it all out on my own). The 350d people dumped the bootloader using a photo diode and the LED to blink the code in binary to a computer, I couldn't figure that out so I did it this way. Let me know if you have any questions, I can probably help a lot. Do you use gmail?
« Last Edit: July 18, 2012, 06:35:00 PM by coutts »
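
The scan-then-walk-back procedure from Reply #7, as an added example in C (not code from the thread or from 5dplus). It runs on the host over a word array rather than in the camera; `find_function`, `MAX_BACK` and the sample buffer are assumptions of this example, built from the instruction words quoted in the post (the third read_bootflag word is used in the same byte order as the other four, 0x13A0333E, where the post prints it byte-reversed as 0x3E33A013).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Instruction words quoted in the post (32-bit ARM encodings). */
#define SIG_MOVNE_R7  0x13A0733Eu /* MOVNE R7, #0xF8000000: write_bootflag */
#define SIG_MOVNE_R3  0x13A0333Eu /* MOVNE R3, #0xF8000000: read_bootflag  */
#define STR_LR_PUSH   0xE52DE004u /* STR LR, [SP,#-4]! (read_bootflag entry) */
#define STMFD_SP_MASK 0xFFFF0000u /* STMFD SP!, {...}: ignore register list */
#define STMFD_SP_BITS 0xE92D0000u
#define MAX_BACK      64          /* assumption: give up after 64 words back */

/* Constructed sample, not a real dump: filler plus the two prologues above. */
#define SAMPLE_BASE 0xFFFF89E8u
static const uint32_t SAMPLE[] = {
    0xE1A00000u, 0xE12FFF1Eu,                            /* NOP, BX LR */
    0xE92D41F0u, 0xE1A05001u, 0xE3A04000u, 0xE3500000u, 0x13A0733Eu,
    0xE12FFF1Eu,                                         /* BX LR */
    0xE52DE004u, 0xE3500000u, 0x13A0333Eu, 0x12833A02u, 0x13A02040u,
};
#define SAMPLE_WORDS (sizeof SAMPLE / sizeof SAMPLE[0])

static uint32_t bswap32(uint32_t w) {
    return (w >> 24) | ((w >> 8) & 0xFF00u) | ((w << 8) & 0xFF0000u) | (w << 24);
}

static int is_prologue(uint32_t w) {
    return (w & STMFD_SP_MASK) == STMFD_SP_BITS || w == STR_LR_PUSH;
}

/* Find `sig` in an n-word dump loaded at `base`, then walk back to the nearest
 * function entry. `swapped` is for dumps whose words are byte-reversed.
 * Returns the entry address, or 0 when no match has an entry within MAX_BACK. */
uint32_t find_function(const uint32_t *img, size_t n, uint32_t base,
                       uint32_t sig, int swapped) {
    for (size_t i = 0; i < n; i++) {
        if ((swapped ? bswap32(img[i]) : img[i]) != sig) continue;
        for (size_t back = 1; back <= MAX_BACK && back <= i; back++) {
            uint32_t p = swapped ? bswap32(img[i - back]) : img[i - back];
            if (is_prologue(p)) return base + (uint32_t)((i - back) * 4);
        }
    }
    return 0;
}

int main(void) {
    printf("write_bootflag candidate: 0x%08X\n", (unsigned)find_function(SAMPLE, SAMPLE_WORDS, SAMPLE_BASE, SIG_MOVNE_R7, 0));
    printf("read_bootflag candidate:  0x%08X\n", (unsigned)find_function(SAMPLE, SAMPLE_WORDS, SAMPLE_BASE, SIG_MOVNE_R3, 0));
    return 0;
}
```

A returned address is only a candidate: the surrounding instructions still have to be compared against the 5dc function before it is called, as the post advises.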

dichterDichter

  • New to the forum
  • *
  • Posts: 6
Re: Canon 40D
« Reply #8 on: July 23, 2012, 01:54:30 PM »
Argh, first I have to repair my camera... broken release.
That's really annoying.

Michael Zöller

  • Administrator
  • Senior
  • *****
  • Posts: 304
  • 5D Mark II
Re: Canon 40D
« Reply #9 on: July 23, 2012, 04:20:39 PM »
coutts, that's some very helpful information and should probably go into the wiki!
neoluxx.de
EOS 5D Mark II | EOS 600D | EF 24-70mm f/2.8 | Tascam DR-40

coutts

  • Developer
  • Senior
  • *****
  • Posts: 401
Re: Canon 40D
« Reply #10 on: July 24, 2012, 10:01:22 PM »
Quote
> coutts, that's some very helpful information and should probably go into the wiki!

should be more than enough to get any port started :)

imme

  • New to the forum
  • *
  • Posts: 26
Re: Canon 40D
« Reply #11 on: July 27, 2012, 07:18:23 AM »
There are plenty of Canon 40d users like me waiting to use MagicLantern on their 40d. Please! Make it happen. I am not a developer.....all I can do is pray for your success :)

 

jplxpto

  • Developer
  • Hero Member
  • *****
  • Posts: 506
Re: Canon 40D
« Reply #12 on: July 29, 2012, 02:09:36 AM »
Finally some good news! I am enjoying the ML. I thank all who have worked on this project. I hope one day to use the ML with a 40D. I hope to give my contribution to make this possible.

I think the work done by Coutts to 5DC will be useful for even the 40D and 400D.
« Last Edit: July 29, 2012, 02:11:45 AM by jplxpto »

jplxpto

  • Developer
  • Hero Member
  • *****
  • Posts: 506
Re: Canon 40D
« Reply #13 on: July 31, 2012, 01:30:31 AM »
I'm thinking of starting the first tests.
I know it's a bit risky. Certainly, I will need your help.
Firstly, I will begin by installing and configuring Ubuntu to compile the project. When I can, I will test the tools specified by Coutts.


jplxpto

  • Developer
  • Hero Member
  • *****
  • Posts: 506
Re: Canon 40D
« Reply #14 on: August 05, 2012, 02:39:09 AM »
Hi,

I still have nothing to work but I have spent many hours reading the forums CHDK / ML.
I'm learning, have some patience with me. This still seems very complicated. Sorry if the questions are basic.

I got the firmware version 40d1.1.1. With application dissect_fw3_2, I got the unencrypted header and body. I've compiled a small application to try to find the addresses of the red and blue LED, but I've got a problem. I do not know how to encrypt the new firmware to be able to use on my machine. I read a lot about it but I could not understand the steps that have to follow.

If I can correctly encrypt my firmware I can proceed with my tests.

Since I've been searching for some string in the firmware files and I could see some interesting things. I found the string EnableBootDisk.

After seeing the flashing LEDs, I'll try to do a dump of the firmware.
When I succeed in the previous tests, I will proceed to the discovery of the EnableBootDisk function addresses.

Can someone help me create my own firmware for the 40D?

« Last Edit: August 05, 2012, 02:42:36 AM by jplxpto »

jplxpto

  • Developer
  • Hero Member
  • *****
  • Posts: 506
Re: Canon 40D
« Reply #15 on: August 10, 2012, 05:09:08 AM »
I have a 40D with version 1.1.1. After much reading and testing I was able to flash both LEDs.

jplxpto

  • Developer
  • Hero Member
  • *****
  • Posts: 506
Re: Canon 40D
« Reply #16 on: August 10, 2012, 04:07:49 PM »
I used the information provided by Coutts to flash both LEDs.

See the examples:


1_1000D LED Finder


2_1000D LED-Dumper


These are the addresses of blue and red LEDs:

LED_RED     0xC02200E0
LED_BLUE    0xC02200E8
« Last Edit: August 10, 2012, 04:09:37 PM by jplxpto »

coutts

  • Developer
  • Senior
  • *****
  • Posts: 401
Re: Canon 40D
« Reply #17 on: August 10, 2012, 08:20:03 PM »
Quote
> I used the information provided by Coutts to flash both LEDs.
>
> See the examples:
>
> 1_1000D LED Finder
>
> 2_1000D LED-Dumper
>
> These are the addresses of blue and red LEDs:
>
> LED_RED     0xC02200E0
> LED_BLUE    0xC02200E8

great job! Let's get the 40d port on its way :)
Next step: copy/paste boot code into entry.S like the 5dc one. copy enough of the boot code until you can hook a task.

For initial hacking you may want to refer to 5dplus:
https://bitbucket.org/coutts/5dplus

jplxpto

  • Developer
  • Hero Member
  • *****
  • Posts: 506
Re: Canon 40D
« Reply #18 on: August 10, 2012, 08:35:04 PM »
Quote
> great job! Let's get the 40d port on its way :)
> Next step: copy/paste boot code into entry.S like the 5dc one. copy enough of the boot code until you can hook a task.
>
> For initial hacking you may want to refer to 5dplus:
> https://bitbucket.org/coutts/5dplus


Coutts,

yes I am currently reading your posts in CHDK.
In 2008 there were major developments, but for some unknown reason you moved away from this project. Made great advances that have helped future ports to other cameras but 40D & 450D were forgotten! Why?! ...

Their progress in the port 1000D can give a great help! I think the cameras 1000D, 450D, 40D have many similarities. This can be an advantage.

Thank you for providing the code :

https://bitbucket.org/coutts/1000d_dev
« Last Edit: August 10, 2012, 08:44:31 PM by jplxpto »

jplxpto

  • Developer
  • Hero Member
  • *****
  • Posts: 506
Re: Canon 40D
« Reply #19 on: August 10, 2012, 08:42:48 PM »
I really want to install the Magic Lantern in my camera and give my modest contribution to the community but, without your precious help will not go away.

You have done an excellent job over the years.

Congratulations.

jplxpto

  • Developer
  • Hero Member
  • *****
  • Posts: 506
Re: Canon 40D
« Reply #20 on: August 10, 2012, 08:58:18 PM »
Quote
> great job! Let's get the 40d port on its way :)
> Next step: copy/paste boot code into entry.S like the 5dc one. copy enough of the boot code until you can hook a task.
>
> For initial hacking you may want to refer to 5dplus:
> https://bitbucket.org/coutts/5dplus


Many will read this and get to thinking that an easy task! ;)

jplxpto

  • Developer
  • Hero Member
  • *****
  • Posts: 506
Re: Canon 40D
« Reply #21 on: August 11, 2012, 05:45:19 PM »
Has anyone done a dump of the ROM and BL fir v 1.1.1.?

jplxpto

  • Developer
  • Hero Member
  • *****
  • Posts: 506
Re: Canon 40D
« Reply #22 on: August 12, 2012, 06:31:20 AM »
I read a lot and follow the tips and suggestions from Coutts.

I analyzed the 5DC BL code and found the signatures of the functions read_bootflag and write_bootflag.
Later, I created a small program to find them in my 40d fir 1.1.1.

I still do not know the original values of bootflags but I have called the function read_bootflags.

Not yet confirmed, but I believe that the addresses are:

read_bootflag -> 0xffff 63a8
write_bootflag -> 0xffff 62b8

jplxpto

  • Developer
  • Hero Member
  • *****
  • Posts: 506
Re: Canon 40D
« Reply #23 on: August 12, 2012, 06:34:09 AM »
Can someone explain to me how to operate the boot flags?

jplxpto

  • Developer
  • Hero Member
  • *****
  • Posts: 506
Re: Canon 40D
« Reply #24 on: August 12, 2012, 08:07:59 PM »
The original values of bootflags are:

F8000000 =  0
F8000004 =  0
F8000008 = -1
F800000C = -1

 

courtesy