Display access from bootloader / Portable binary test

Started by a1ex, March 15, 2015, 07:13:36 PM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

a1ex

About one month ago, g3gg0 found a way to access the LCD display from bootloader context, without calling anything from the main firmware. This makes a very powerful tool for diagnosing bricked cameras, and also a playground for low-level reverse engineering.

The only camera-specific bits for printing stuff on the LCD are:
- we have to call a Canon routine that initializes the display (which is in bootloader, not in main firmware): we named it "fromutil_disp_init".
- for the YUV layer, newer cameras use YUV422, while older cameras (only checked 5D2) use YUV411. This difference is not essential (you can print on the BMP layer only).

Today I wrote an autodetection routine that finds the display init routine from ROM strings, and the result is a portable "hello world" binary. That means, it should print something on any ML-enabled camera (and maybe even on cameras without ML). Same binary for all cameras, of course.

I've tested the code on 5D3 and 60D, and I'm looking for confirmation on the other models.

If you are already running ML, just download this autoexec.bin, run it, take a picture of your camera screen (sorry, no screenshots yet) and upload it here.

If you have a Canon DSLR without a ML port available, we need to sign this binary (create a FIR). Just mention your camera model and I'll create one for you. Don't expect this to speed up the porting process for your camera. But I hope this proof of concept will convince you to start tinkering with your new little computer :)

Walter Schulz

650D: Inserted card, closed door and this showed up without turning power switch to ON.


7D: Not working. Black screen.

Indy

Hi,

550D 1.0.8 = sub_FFFF5ECC (in bootcode)
6D = sub_FFFE5018 (in rcbind.bin)

with 550D I was also able to autodetect and call FIO_CreateFile, FIO_Write and FIO_Close to dump the memory, but it did not work on all models.

Indy

a1ex

@Walter: can you download it again and retry the test?

@Indy: yeah, file writing from bootloader behaves the same here (works on some cameras, but not all); g3gg0 also tried direct SD access, which works on 5D3 and 600D only for now.

Walter Schulz

650D: Downloaded AUTOEXEC.BIN again


7D: Still the same

dhilung

5D2 | 40D


vroem


Greg


g3gg0

Help us with datasheets - Help us with register dumps
magic lantern: 1Magic9991E1eWbGvrsx186GovYCXFbppY, server expenses: [email protected]
ONLY donate for things we have done, not for things you expect!

nikfreak

EOS 70D:



Cool way to simply identify FW revisions
[size=8pt]70D.112 & 100D.101[/size]

g3gg0

@nikfreak:

image does not load here
Help us with datasheets - Help us with register dumps
magic lantern: 1Magic9991E1eWbGvrsx186GovYCXFbppY, server expenses: [email protected]
ONLY donate for things we have done, not for things you expect!

dmilligan


Katabatic

Haha but at what cost, vroem? I can't seem to boot ML on it anymore...

Audionut



No more running code on top of Canons firmware!  :P

Walter Schulz

Quote from: Katabatic on March 16, 2015, 02:19:45 AMHaha but at what cost, vroem? I can't seem to boot ML on it anymore...

Removing battery won't work?
Put card in cardreader. Backup ML directory. Delete ML directory and Autoexec.bin from card. Copy extracted nightly content to card.
(In fact: The only thing you really need to do is to replace Autoexec.bin with the one used before).

nikfreak

[size=8pt]70D.112 & 100D.101[/size]


boszmann

700D



NOTE: it is possible to execute with the card door open.

blade

EOS 650D, got some more info than walter

(not sure how to post the picture from dropbox, but here is the link.

Cool that it works without turning the camera on!

https://www.dropbox.com/s/uawd0finhm9kl28/Foto%2016-03-15%2023%2030%2005.jpg?dl=0

eos400D :: eos650D  :: Sigma 18-200 :: Canon 100mm macro

Pelican

blade's 650D:


Edit: It worked for me yesterday. I moved it to my page.
EOS 7D Mark II, EOS 7D, EOS 5, EOS 100 + lenses (10mm to 300mm), 600EX, 550EX, YN600EX x 3
EOScard, EOS DSLR firmwares, ARMu, NiControl, etc.: http://pel.hu/down

blade

Thanks for the effort Pelican. Sill not working do, should not matter as the link works!
eos400D :: eos650D  :: Sigma 18-200 :: Canon 100mm macro

dmilligan


rbrune

EOS-M:

I compiled the autoexec.bin myself from the recovery branch using the portable platform.

Interestingly when one compares the output for my EOS-M with the one from jpaana - the second IMG-naming property looks correctly resolved on mine but not on his? I have the feeling something with the property parsing is not going correctly.

a1ex

It's this change: https://bitbucket.org/hudson/magic-lantern/commits/0456d1c173b8

Can you also check if the DUAL prefix option from Dual ISO works on EOS-M? I guess it doesn't.