Canon 40D

Started by dichterDichter, July 18, 2012, 08:55:06 AM


dichterDichter

Wow. I have a 40D and I think the 5Dc and the 40D are both VxWorks. Am I right? So would it work on a 40D?
It would be awesome to be able to record movies with the 40D.

Nice work.

a1ex

In theory, you have the foundation for running user code on 40D and most other VxWorks cameras.

In practice, there also needs to be a developer who has this camera, the skills and lots of time to work on it.

dichterDichter

Thank you.
OK... I have that camera; skills: hmmm; lots of time: doh!
But why not, maybe as a winter project.
Is it the current release or is there a special fork?

a1ex

It's in the current source tree.

dichterDichter

OK, let's see what happens when I start that on my 40D this evening.

a1ex

Don't run that code blindly; first understand how it works. It has zero chance of working on the 40D unmodified, and can be dangerous.

http://magiclantern.wikia.com/wiki/Other_dslr
http://magiclantern.wikia.com/wiki/For_Developers

First get a firmware dump, find out LED address and try blinking it.

dichterDichter

Yes, right. I will start with little steps. Thank you.

coutts

I suggest you look at my initial project for the 5dc:
www.bitbucket.org/coutts/5dplus

Everything starts in entry.S. First use a dumper tool to extract the firmware image from a Canon firmware update file (see the build_scripts/eos_tools_v11 folder in the project linked above). Use decrypt_fw and then dissect_fw to split the FIR up. See this wiki page for more details:
http://magiclantern.wikia.com/wiki/Packing_FIR_Files

After you analyze the firmware dump using a program like IDA Pro (or the free ARM Console created by Alex) to see how the camera boots/works, attempt to boot a custom FIR file running user code. Use the assemble_fw perl script in the eos_tools directory to assemble a new FIR file with your usercode (compiled autoexec.bin) instead of Canon's payload. The final step is to run decrypt_fw again on this FIR to sign it so the camera accepts it. (Note: this step may or may not be necessary, depending on the camera. Try both if one doesn't work.) Start by just blinking an LED or something basic to know your code runs. You don't need to boot the main firmware to blink an LED.

If the 40d is similar to the 5dc, then you won't be able to run any practical code from a FIR (including calling the EnableBootDisk function or booting the firmware/camera), so you will need to write some code that scans the bootloader area (0xFFFF0000-0xFFFFFFFF) for function signatures to identify the read/write bootflag functions. This will allow you to set the camera's bootflag to boot an autoexec.bin file from a prepared card, and development takes off from there (you will be able to boot the firmware and do anything from autoexec). I created this bootdisk code from the 350d method, using the 400d bootloader to find the signatures I needed. The only modification you will need to make is to change the references to these:
Quote
read_bootflag = (ft_read_bootflag)0xFFFF8AE0;
write_bootflag = (ft_write_bootflag)0xFFFF89F0;
https://bitbucket.org/coutts/5dplus/src/e486f2e53796/bootdisk.c

The 5dc took me many hours to get going; I dumped many memory addresses through LED blinks in binary, and you should be prepared to do the same. Here is some code that you can use to blink out the contents of a memory address if you know the red/blue LED addresses:
https://bitbucket.org/coutts/5dplus/src/a1cc964de4af/init.c

You can use this to write code to search for specific signatures of the read_bootflag and write_bootflag functions. Some signatures would be instructions like:
Quote
MOVEQ   R7, #0xF8000000
which is assembled and looks like this in memory:
Quote
0x03A0733E

Use the 5dc bootloader (I can send it to you) to know what signatures you're looking for (unique instructions that would only appear in the read/write bootflag functions). After you find a signature and have a match at some spot in the BL area (0xFFFF0000-0xFFFFFFFF), use this address and search in reverse (going backwards in memory to lower addresses) until you find the nearest PUSH (STMFD) instruction; this will be the address of the start of the function, so that you can call it / use it.



I'll just tell you the signatures to find.
First, for write_bootflag. Here is a small snippet from that function, the first 5 instructions:
Quote
ROM:FFFF89F0                 STMFD   SP!, {R4-R8,LR}
ROM:FFFF89F4                 MOV     R5, R1
ROM:FFFF89F8                 MOV     R4, #0
ROM:FFFF89FC                 CMP     R0, #0
ROM:FFFF8A00                 MOVNE   R7, #0xF8000000
If you were scanning memory, these 5 instructions would look like this (starting at 0xFFFF89F0 on the left and ending at 0xFFFF8A00 on the right):
Quote
0xE92D41F0 0xE1A05001 0xE3A04000 0xE3500000 0x13A0733E

So, look for the signature of the MOVNE R7, #0xF8000000 instruction; once you find it, search backwards for the STMFD (push) instruction signature, and you will have located write_bootflag in the 40d bootloader. Chances are the functions will be identical, but take caution to verify at least 3 times that you have located the correct function and that it seems the same / similar to the 5dc one (remember we are working blind here).


Now, read_bootflag. First 5 instructions look like:
Quote
ROM:FFFF8AE0                 STR     LR, [SP,#var_4]!
ROM:FFFF8AE4                 CMP     R0, #0
ROM:FFFF8AE8                 MOVNE   R3, #0xF8000000
ROM:FFFF8AEC                 ADDNE   R3, R3, #0x2000
ROM:FFFF8AF0                 MOVNE   R2, #0x40
And in memory would look like this (same thing as before, starting at 0xFFFF8AE0 on left and ending at 0xFFFF8AF0 on the right):
Quote
0xE52DE004 0xE3500000 0x3E33A013 0x12833A02 0x13A02040
Note: there isn't a STMFD (push) instruction in read_bootflag. The 400d bootloader is like this too, so chances are the 40d is as well.

NOTE: you may need to reverse endianness of the assembled instructions above to see them in memory, but maybe not, I can't remember :P


So, once you have located read_bootflag() and write_bootflag(), you will be able to really start developing. :) This may seem confusing, and I'm sorry, but I hope you will see how valuable this information is (I had to figure it all out on my own). The 350d people dumped the bootloader using a photodiode and the LED to blink the code in binary to a computer; I couldn't figure that out, so I did it this way. Let me know if you have any questions, I can probably help a lot. Do you use gmail?
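The signature scan coutts describes, written out as an added Python example (not code from the 5dplus project): it finds every MOVNE marker word quoted above, walks backwards to the nearest prologue (STMFD SP!, or STR LR,[SP,#-4]! for read_bootflag) and counts how many of the located words match the 5dc listings. It assumes the dump is little-endian 32-bit words and runs on a small constructed image, not a real bootloader.

```python
import struct

BL_BASE = 0xFFFF0000  # start of the bootloader area named in the thread

# ARM encodings quoted in the thread, as little-endian 32-bit words.
STMFD_SP_HI = 0xE92D            # STMFD SP!, {...}: top half-word for any register list
STR_LR_SP_PRE = 0xE52DE004      # STR LR, [SP,#-4]!  (read_bootflag prologue, not STMFD)
MOVNE_R7_F8000000 = 0x13A0733E  # write_bootflag marker
MOVNE_R3_F8000000 = 0x13A0333E  # read_bootflag marker (the thread lists it byte-swapped)
WRITE_BOOTFLAG_5DC = [0xE92D41F0, 0xE1A05001, 0xE3A04000, 0xE3500000, MOVNE_R7_F8000000]
READ_BOOTFLAG_5DC = [STR_LR_SP_PRE, 0xE3500000, MOVNE_R3_F8000000, 0x12833A02, 0x13A02040]

def to_words(image, little_endian=True):
    fmt = "<I" if little_endian else ">I"  # the thread is unsure of the byte order; try both
    return [struct.unpack_from(fmt, image, o)[0] for o in range(0, len(image) - 3, 4)]

def is_stmfd_sp(w):
    return (w >> 16) == STMFD_SP_HI

def locate(image, marker, is_prologue, base=BL_BASE, little_endian=True):
    """The recipe from the thread: for every word equal to `marker`, walk backwards
    to the nearest prologue word; its address is the candidate function start.
    Returns [(marker_addr, func_addr_or_None), ...] so every hit can be verified."""
    ws = to_words(image, little_endian)
    hits = []
    for i, w in enumerate(ws):
        if w != marker:
            continue
        start = next((j for j in range(i, -1, -1) if is_prologue(ws[j])), None)
        hits.append((base + 4 * i, None if start is None else base + 4 * start))
    return hits

def matching_words(image, func_addr, reference, base=BL_BASE, little_endian=True):
    """How many of the first len(reference) words at func_addr equal the 5dc listing."""
    ws = to_words(image, little_endian)
    j = (func_addr - base) // 4
    return sum(1 for k, r in enumerate(reference) if j + k < len(ws) and ws[j + k] == r)

# Constructed test image (not a real dump): an unrelated STMFD/LDMFD function first,
# then write_bootflag and read_bootflag with the 5dc prologues, separated by NOPs.
NOP, OTHER = 0xE1A00000, [0xE92D4010, 0xE1A00000, 0xE8BD8010]
LAYOUT = OTHER + WRITE_BOOTFLAG_5DC + [NOP, 0xE8BD81F0] + [NOP] + READ_BOOTFLAG_5DC
IMAGE = struct.pack("<%dI" % len(LAYOUT), *LAYOUT)

def find_bootflag_functions(image=IMAGE):
    w = locate(image, MOVNE_R7_F8000000, is_stmfd_sp)
    r = locate(image, MOVNE_R3_F8000000, lambda x: x == STR_LR_SP_PRE)
    return w, r
```

Using the STMFD predicate for read_bootflag would walk past its real start to the earlier function's STMFD, which is why the prologue kind matters as the thread notes.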

dichterDichter

Argh, first I have to repair my camera... broken release.
That's really annoying.

Michael Zöller

coutts, that's some very helpful information and should probably go into the wiki!
neoluxx.de
EOS 5D Mark II | EOS 600D | EF 24-70mm f/2.8 | Tascam DR-40

coutts

Quote from: Michael Zöller on July 23, 2012, 04:20:39 PM
coutts, that's some very helpful information and should probably go into the wiki!
should be more than enough to get any port started :)

imme

There are plenty of Canon 40d users like me waiting to use Magic Lantern on their 40d. Please! Make it happen. I am not a developer..... all I can do is pray for your success :)


jplxpto

Finally some good news! I am enjoying ML. I thank all who have worked on this project. I hope one day to use ML with a 40D. I hope to give my contribution to making this possible.

I think the work done by Coutts on the 5DC will be useful even for the 40D and 400D.

jplxpto

I'm thinking of starting to do the first tests.
I know it's a bit risky. Certainly, I will need your help.
Firstly, I will begin by installing and configuring Ubuntu to compile the project. When I can, I will test the tools specified by Coutts.


jplxpto

Hi,

I still have nothing working yet, but I have spent many hours reading the CHDK / ML forums.
I'm learning; have some patience with me. This still seems very complicated. Sorry if the questions are basic.

I got the firmware version 40d1.1.1. With the application dissect_fw3_2, I got the unencrypted header and body. I've compiled a small application to try to find the addresses of the red and blue LEDs, but I've got a problem. I do not know how to encrypt the new firmware to be able to use it on my machine. I read a lot about it but I could not understand the steps that I have to follow.

If I can correctly encrypt my firmware, I can proceed with my tests.

I've been searching for some strings in the firmware files and I could see some interesting things. I found the string EnableBootDisk.

After seeing the flashing LEDs, I'll try to do a DUMP of the firmware.
When I succeed in the previous tests, I will proceed to discovering the addresses of the EnableBootDisk function.

Can someone help me create my own firmware for the 40D?


jplxpto

I have a 40D with version 1.1.1. After much reading and testing I was able to flash both LEDs.

jplxpto

I used the information provided by Coutts to flash both LEDs.

See the examples:


1_1000D LED Finder


2_1000D LED-Dumper


These are the addresses of blue and red LEDs:

LED_RED     0xC02200E0
LED_BLUE    0xC02200E8

coutts

Quote from: jplxpto on August 10, 2012, 04:07:49 PM
I used the information provided by Coutts to flash both LEDs.

See the examples:


1_1000D LED Finder


2_1000D LED-Dumper


These are the addresses of blue and red LEDs:

LED_RED     0xC02200E0
LED_BLUE    0xC02200E8
Great job! Let's get the 40d port on its way :)
Next step: copy/paste boot code into entry.S like the 5dc one. Copy enough of the boot code until you can hook a task.

For initial hacking you may want to refer to 5dplus:
https://bitbucket.org/coutts/5dplus

jplxpto

Quote from: coutts on August 10, 2012, 08:20:03 PM
Great job! Let's get the 40d port on its way :)
Next step: copy/paste boot code into entry.S like the 5dc one. Copy enough of the boot code until you can hook a task.

For initial hacking you may want to refer to 5dplus:
https://bitbucket.org/coutts/5dplus


Coutts,

Yes, I am currently reading your posts on CHDK.
In 2008 there were major developments, but for some unknown reason you moved away from this project. You made great advances that have helped future ports to other cameras, but the 40D & 450D were forgotten! Why?! ...

Your progress on the 1000D port can be a great help! I think the 1000D, 450D and 40D cameras have many similarities. This can be an advantage.

Thank you for providing the code:

https://bitbucket.org/coutts/1000d_dev

jplxpto

I really want to install Magic Lantern on my camera and give my modest contribution to the community, but without your precious help I will not get far.

You have done an excellent job over the years.

Congratulations.

jplxpto

Quote from: coutts on August 10, 2012, 08:20:03 PM
Great job! Let's get the 40d port on its way :)
Next step: copy/paste boot code into entry.S like the 5dc one. Copy enough of the boot code until you can hook a task.

For initial hacking you may want to refer to 5dplus:
https://bitbucket.org/coutts/5dplus


Many will read this and get to thinking that it's an easy task! ;)

jplxpto

Has anyone done a dump of the ROM and BL for fir v1.1.1?

jplxpto

I read a lot and followed the tips and suggestions from Coutts.

I analyzed the 5DC BL code and found the signatures of the read_bootflag and write_bootflag functions.
Later, I created a small program to find them in my 40d fir 1.1.1.

I still do not know the original values of the bootflags, but I have called the read_bootflags function.

Not yet confirmed, but I believe that the addresses are:

read_bootflag -> 0xFFFF63A8
write_bootflag -> 0xFFFF62B8

jplxpto

Can someone explain to me how to operate the boot flags?

jplxpto

The original values of bootflags are:

F8000000 =  0
F8000004 =  0
F8000008 = -1
F800000C = -1