Author Topic: Porting ML to 1000D (AKA Compiling for 1000D/XS)  (Read 6417 times)

shmadul

  • New to the forum
  • *
  • Posts: 26
Re: Porting ML to 1000D (AKA Compiling for 1000D/XS)
« Reply #75 on: December 08, 2016, 11:19:50 PM »
@syscall so you are still able to boot into magic lantern recovery ??
Please report whether you get this fixed and how, because unlike you, the 1000D is my main camera and I can't risk it bricking :P
What's next after we have bootdisk enabled ?

a1ex

  • Administrator
  • Hero Member
  • *****
  • Posts: 9727
  • 5D Mark Free
Re: Porting ML to 1000D (AKA Compiling for 1000D/XS)
« Reply #76 on: December 09, 2016, 12:48:54 AM »
https://1drv.ms/f/s!AsC1K_kH7N9pbYhpDPUbSuC8Iss



Code: [Select]
CF is not a startup disk.
Now jump to RAMEXEC!!

Should be easy to fix:
Code: [Select]
asm("LDR PC, =0xF8010000");

autoexec.bin

See also http://magiclantern.wikia.com/wiki/Bootflags

shmadul

  • New to the forum
  • *
  • Posts: 26
Re: Porting ML to 1000D (AKA Compiling for 1000D/XS)
« Reply #77 on: December 09, 2016, 09:09:29 PM »
@syscall any luck ?
@a1ex, what's next after we have bootdisk enabled ?

SysCall

  • New to the forum
  • *
  • Posts: 32
Re: Porting ML to 1000D (AKA Compiling for 1000D/XS)
« Reply #78 on: December 09, 2016, 09:44:25 PM »
@ a1ex

Thank you very much for your help.


Here is my observation so far if someone is interested.
----------------------------------------------------------------------------------------------

What happened:
After enabling and disabling the boot flag several times the camera stops booting.

Why would I enable and disable multiple times?
I want to make sure that it works stable, before posting it.

Camera still loads autoexec.bin if the SD card was prepared for autoboot.

Observation:
Camera stays black after turning on, regardless of normal SD card or if it was made bootable.
Camera still functioning, if looking through the view finder, settings like aperture or exposure time can still be changed.
Taking picture is not possible only focus when pressing the shutter button.

Test 1:
-------
Putting display test (Magic Lantern Rescue) autoexec.bin on a bootable SD card shows:

Boot flags:
FIR=1610949440
BOOT=-348549156
RAM=-304267216
UPD=-1

Test 2:
-------
Putting (RAMEXEC fix) autoexec.bin from a1ex on the bootable SD card:

Camera boots up into canon menu, camera operates normal, taking pictures also possible now.
Magic Lantern Rescue still shows the same values.
Then did "clear setting" in canons menu, no changes.

Test 3:
-------
Same configuration as Test 2 plus canon original firmware update (e6kr5107.fir):

After updating the firmware, the FIR was reset to zero. Rest still the same.

Boot flags:
FIR=0
BOOT=-348549156
RAM=-304267216
UPD=-1


Test 4:
-------
Same configuration as Test 2, now with the .fir that I compiled myself and was using to disable the boot flag.
After booting up and executed the .fir in menu update, camera boots up normal.

Looking again in the Magic Lantern Rescue shows:

Boot flags:
FIR=0
BOOT=0
RAM=-304267216
UPD=-1


The only thing that is not reset is the RAM, which is still RAM=-304267216 instead of RAM=-1.

But now the camera still needs a bootable SD card and the RAMEXEC fix autoexec.bin (or valid autoexec.bin) to boot into original firmware. When booting without SD card, the camera shows black screen, but still focuses when pressing the shutter button.

The interesting part is, even though the Magic Lantern Rescue menu shows BOOT=0, the camera still auto-executes the autoexec.bin.

Also, usually if the camera has the latest update it says "latest firmware installed" or something similar and
refuses a firmware update, but I'm still able to update the original firmware update as many times as I want.

SysCall

  • New to the forum
  • *
  • Posts: 32
Re: Porting ML to 1000D (AKA Compiling for 1000D/XS)
« Reply #79 on: December 09, 2016, 09:51:40 PM »
@shmadul

1. Making dumps of RAM and ROM of the camera
2. Map all the magic lantern functions to the addresses located in the RAM

Magic Lantern uses most of the standard functions of the original firmware which is loaded into the RAM after the boot up.
What you have to do is to "hook" (I think that is the term for it) those functions in the stubs.S file.

BTW, Ant123 gave you already the answer.

Quote
If you want to convert 450D port, the first thing you should do is set bootflag and check it with help of AUTOEXEC.BIN from "display test" topic. It's because all VxWorks ports use AUTOEXEC.BIN startup method.

Then you should find addresses of functions for 1000D in your firmware dump and change them in "\platform\450D.110\stubs.S". It can take many days or weeks.

After this you should edit cache related stuff in "\platform\450D.110\init.c", and edit another files in "\platform\450D.110\" and in "\src"

a1ex

  • Administrator
  • Hero Member
  • *****
  • Posts: 9727
  • 5D Mark Free
Re: Porting ML to 1000D (AKA Compiling for 1000D/XS)
« Reply #80 on: December 09, 2016, 10:40:25 PM »
Quote
The interesting part is, even the Magic Lantern Rescue menu shows BOOT=0, the camera still auto execute the autoexec.bin.

That's because both autoexec.bin and ramexec are handled from the same routine, which happens to check the card bootflags first. You were quite lucky with this one; by disabling the boot flag, you risked removing the ability to run user code on the camera (other than ramexec, which simply jumps to 0x800000 without initializing that memory area; it assumes something was already loaded there somehow).

I wouldn't advise messing with boot flags just to see what happens, as you may get a configuration that no longer boots at all. In particular, on DIGIC 5, such configuration is very easy to get by changing the value at 0xF8000024 (even by mistake). Recovery from this would only be possible with hardware changes (lookup Ant123's posts on CHDK forum for an example).

Do you still have the FIR file that bricked the camera? It would be helpful to understand what happened.

Ant123

  • Freshman
  • **
  • Posts: 63
Re: Porting ML to 1000D (AKA Compiling for 1000D/XS)
« Reply #81 on: December 10, 2016, 07:35:44 AM »
Quote
I want to make sure that it works stable, before posting it.

You should not reinvent the wheel. Use modified common installer for VxWorks cameras.

You can also easily modify it to repair your camera.

SysCall

  • New to the forum
  • *
  • Posts: 32
Re: Porting ML to 1000D (AKA Compiling for 1000D/XS)
« Reply #82 on: December 10, 2016, 11:54:40 AM »
@Ant123

Quote
You should not reinvent the wheel.

No, that was not my intention, but maybe I should test it by myself before posting it for others. At least I felt the need to do some kind of verification. I always went with the mindset that I could damage my camera for this project. At least if I damage it myself, I can blame myself for it. Now, what if I just post the .fir and someone else bricks their camera. Of course, even if I state "use at your own risk", people would not be happy with it.

Especially if it is the only camera that they own:

Quote
The 1000D is my main Camera and I can't risk it bricking

Of course you can argue, this is the development section and not the release section.

Quote
Use modified common installer for VxWorks cameras. You can also easily modify it to repair your camera.


After reading this I'm not sure if it is that easy.

Quote
Posted by: a1ex
« on: Yesterday at 10:40:25 PM »

You were quite lucky with this one;
...
I wouldn't advise messing with boot flags just to see what happens, as you may get a configuration that no longer boots at all. In particular, on DIGIC 5, such configuration is very easy to get by changing the value at 0xF8000024 (even by mistake). Recovery from this would only be possible with hardware changes (lookup Ant123's posts on CHDK forum for an example).


I do appreciate you and a1ex taking the time to give us advice and answer the questions.

You guys surely have better stuff to do than answering noob questions.

SysCall

  • New to the forum
  • *
  • Posts: 32
Re: Porting ML to 1000D (AKA Compiling for 1000D/XS)
« Reply #83 on: December 10, 2016, 12:05:25 PM »
Warning: Still under investigation, don't try anything described below if you don't want to damage your camera.

a1ex mentioned:

Quote
The boot flag can be enabled from both bootloader context (as done in the old 5D) or from main firmware.
EnableBootDisk only works from main firmware, but usually there is an equivalent bootloader routine, found in the FROMUTIL menu.

I tried with EnableBootDisk in the firmware.

In entry_stubs.S are the following function references defined.

Code: [Select]
NSTUB(EnableBootDisk, 0xFFD21248)
NSTUB(DisableBootDisk, 0xFFD21260)

Only, calling them in the main.c does not enable or disable the boot flag.

Coutts (original author) defined a pointer in the main.h

Code: [Select]
typedef void (*Funktion)();

and calls it in the main.c with the address of the EnableBootDisk.

Code: [Select]
// EnableBootDisk()
Funktion f = (Funktion)0xFFD21248;
f();

By doing this the boot flag gets enabled.

Calling this:
Code: [Select]
// DisableBootDisk()
Funktion f = (Funktion)0xFFD21260;
f();

will disable it again.

At least that is what I observed.


@Ant123

Quote
Use modified common installer for VxWorks cameras.

Just for my understanding.

The installer enables the boot flag from the bootloader context?

You also needed the address of the write and read functions.

Code: [Select]
     * 0xFFFF89F0 | start of write_bootflag in 5dc BL.
     * 0xFFFF8A94 | end of write_bootflag in 5dc BL.
     * 0xFFFF8AE0 | start of read_bootflag in 5dc BL.
     * 0xFFFF8B20 | end of read_bootflag in 5dc BL.

To find those addresses I have to do this:

Quote
   * I located these functions by hand using the 400d bootloader as a reference. I had
   * to write code to search the bootloader region (0xFFFF0000-0xFFFFFFFF) for signatures
   * of the read_bootflag and write_bootflag functions. It was a very long/tedious process
   * checking each address one at a time - blinking everything through the LEDs. These
   * routines are safe to run to the best of my knowledge, I have not had any issues yet.

Digging a little bit in this thread:
https://www.magiclantern.fm/forum/index.php?topic=1452.0

Coutts said:

Quote
If 40d is similar to the 5dc, then you won't be able to run any practical code from a FIR (including calling the EnableBootDisk function or booting the firmware/camera) so you will need
to write some code that scans the bootloader area (0xFFFF0000-0xFFFFFFFF) for function signatures to identify the read/write bootflag functions. This will allow you to set the camera's bootflag,
to boot an autoexec.bin file with a prepared card, and development takes off from there (you will be able to boot the firmware and do anything from autoexec). I created this bootdisk code from the 350d method, using the 400d bootloader to find the signatures I needed.

You can use this to write code to search for specific signatures of the read_bootflag and write_bootflag functions.
Some signatures would be instructions like:

    MOVEQ   R7, #0xF8000000

which is assembled and looks like this in memory:

    0x03A0733E

I'll just tell you the signatures to find.
First, for write_bootflag. Here is a small snippet from that function, the first 5 instructions:

    ROM:FFFF89F0                 STMFD   SP!, {R4-R8,LR}
    ROM:FFFF89F4                 MOV     R5, R1
    ROM:FFFF89F8                 MOV     R4, #0
    ROM:FFFF89FC                 CMP     R0, #0
    ROM:FFFF8A00                 MOVNE   R7, #0xF8000000

If you were scanning memory, these 5 instructions would look like this(starting at 0xFFFF89F0 on the left and ending on 0xFFFF8A00 on the right):

    0xE92D41F0 0xE1A05001 0xE3A04000 0xE3500000 0x13A0733E

So, look for the signature for the MOVNE R7, #0xF8000000 instruction, then once you find it, search backwards for the STMFD (push) instruction signature, and you will have located write_bootflag in the 40d bootloader. Chances are the functions will probably be identical, but take caution to verify at least 3 times that you have located the correct function and it seems the same / similar to the 5dc one (remember we are working blind here).


Now, read_bootflag. First 5 instructions look like:

    ROM:FFFF8AE0                 STR     LR, [SP,#var_4]!
    ROM:FFFF8AE4                 CMP     R0, #0
    ROM:FFFF8AE8                 MOVNE   R3, #0xF8000000
    ROM:FFFF8AEC                 ADDNE   R3, R3, #0x2000
    ROM:FFFF8AF0                 MOVNE   R2, #0x40

And in memory would look like this (same thing as before, starting at 0xFFFF8AE0 on left and ending at 0xFFFF8AF0 on the right):

    0xE52DE004 0xE3500000 0x3E33A013 0x12833A02 0x13A02040

Note: there isn't a STMFD (push) instruction in read_bootflag. The 400d bootloader is like this too, so chances are the 40d is as well.



Now there are a few things that I don't understand.

1.
Search for specific signatures of the read_bootflag and write_bootflag functions

According to the two sources I have to blink through the address range (0xFFFF0000-0xFFFFFFFF) and find the "signature".

Where I can find the asm signature?

Example:

Do I have to blink one address and then make a ROM dump?

Afterwards I would load the ROM.BIN in IDA and jump to the part where I did the blinking and check if I can see the signature?

Otherwise I don't know how he gets the assembly instructions:

Quote
    ROM:FFFF89F0                 STMFD   SP!, {R4-R8,LR}
    ROM:FFFF89F4                 MOV     R5, R1
    ROM:FFFF89F8                 MOV     R4, #0
    ROM:FFFF89FC                 CMP     R0, #0
    ROM:FFFF8A00                 MOVNE   R7, #0xF8000000

2.
I don't know why Coutts skips the installer way and tries "to invent the wheel new" by the EnableBootDisk / DisableBootDisk in his last release?

Maybe because he doesn't want to blink the whole address range again for the canon 1000d?

Ant123

  • Freshman
  • **
  • Posts: 63
Re: Porting ML to 1000D (AKA Compiling for 1000D/XS)
« Reply #84 on: December 10, 2016, 02:58:45 PM »

Quote
The installer enables the boot flag from the bootloader context?

You also needed the address of the write and read functions.

I think 5DC installer is documented well enough.


Quote
Do I have to blink one address and then make a ROM dump?

Maybe because he doesn't want to blink the whole address range again for the canon 1000d?

I suspect that bootloader should be the same for different firmware versions.

http://www.magiclantern.fm/forum/index.php?topic=18337.msg176013#msg176013

But you can create your own dump using the dumpmemo() function


shmadul

  • New to the forum
  • *
  • Posts: 26
Re: Porting ML to 1000D (AKA Compiling for 1000D/XS)
« Reply #85 on: December 12, 2016, 06:48:32 PM »
Any Progress ?

SysCall

  • New to the forum
  • *
  • Posts: 32
Re: Porting ML to 1000D (AKA Compiling for 1000D/XS)
« Reply #86 on: December 14, 2016, 07:55:27 PM »
I wrote a small sequence, which will help us to find the signature.

We know that the functions are in the boot loader area, from FFFF0000 to FFFFFFFF.

The program will create a log file on the SD card with the address and content within the boot loader area.

Code: [Select]
// Function to read the content of the bootloader and write it to logfile
void booloader_mem_dump_0()
{
    // Create a logfile
    MyGlobalStdSet();

    // Holds the 32 bit value read from the current address
    unsigned int value = 0;

    // The address range of the boot loader is from 0xFFFF0000 to 0xFFFFFFFF
    // START_ADR: 0xFFFF0000
    // END_ADR: 0xFFFFFFFC (last address not relevant, therefore 0xFFFFFFFC instead of 0xFFFFFFFF)
    //
    // Each address holds a 32 bit value => 4 bytes, therefore we have to increment the address by 4.
    // 0xFFFF0000
    // 0xFFFF0004
    // 0xFFFF0008
    // 0xFFFF000C
    // ...
    //

    printf("\nAddr:      Data");
    printf("\n---------------");

    // The (i != 0) check stops the loop when i wraps around after 0xFFFFFFFC
    for (unsigned int i = START_ADR; ((i <= END_ADR) && (i != 0)); i = i + 4)
    {
        // Read the content of the address (in this case "i" is the address)
        value = *(volatile unsigned int *)i;

        // Write the data to the log file
        printf("\n%x :       %x", i, value);
    }

    printf("\n\n END \n\n");

    // Signal finish
    SleepTask(5000);

    LEDRED = LEDON;
    LEDBLUE = LEDON;

    SleepTask(5000);

    LEDRED = LEDOFF;
    LEDBLUE = LEDOFF;
}


// ------------------------------------------------


@shmadul and Levas

We will continue once we found the boot flag functions, therefore we have to make sure that the boot flag functions are correct.

Note: The program will not do anything to the boot flag!

Link: https://1drv.ms/f/s!AsC1K_kH7N9pbYhpDPUbSuC8Iss

1. Download the zip "bootloader_mem_dump.zip" and extract it
2. Build the project by "./run" in terminal (inside the folder)
3. Set the "Auto power off" to 8 or 15 minutes on your camera, we don't want to cancel the write process in between
4. Copy the .fir file on the SD card and execute it (don't touch any buttons afterwards)
5. After the sequence finishes (both LEDs, red and blue, turn on and off), copy the "address_log.txt" to your computer
6. Search now for signatures

Log file should look like this (example):

Addr:               Data
------------------------
ffff0000 : e59ff018
ffff0004 : e59ff018
....

Now, go through the file and search for the signature (see below, compare Data with the values below).

Once you found them copy the whole section (including address and data) and post it here, then we compare if we all have the same addresses.


// ---------------------------------------------
Signatures

Attention: The order is very important!

The write function should be easy to find. Compare the data values in the log file with the following values.

write_bootflag signature (order of the data):
Quote
   Data
  --------------
    E92D41F0
    E1A05001
    E3A04000
    E3500000
    13A0733E


The read function will differ from the one that is posted here.

Hint, search first all sequences that have E52DE004 and E3500000. Then search if the sequence has the rest of the values (3E33A013, 12833A02, 13A02040). The read function has 2 values (unique) which differ from the sequence listed below.

Let's see if you guys can find the sequence.

read_bootflag signature (order of the data):
Quote
   Data
  --------------
   E52DE004
   E3500000
   3E33A013
   12833A02
   13A02040


PS: Can you guys provide me your log files so I can check if there is any differences between them? Just PM me with the link.

Levas

  • Hero Member
  • *****
  • Posts: 853
  • 6d - Nightly build user
Re: Porting ML to 1000D (AKA Compiling for 1000D/XS)
« Reply #87 on: December 14, 2016, 10:07:51 PM »
@Syscall keep up the good work  ;D
Will check it out tomorrow and send the log file

Luckily your 1000d is no longer a brick :D

Levas

  • Hero Member
  • *****
  • Posts: 853
  • 6d - Nightly build user
Re: Porting ML to 1000D (AKA Compiling for 1000D/XS)
« Reply #88 on: December 15, 2016, 10:24:51 AM »
Ran the program on my 1000d which has version 1.0.7 canon firmware.
Searched the log file:

write_bootflag signature:

ffff5fe0 : e92d41f0
ffff5fe4 : e1a05001
ffff5fe8 : e3a04000
ffff5fec : e3500000
ffff5ff0 : 13a0733e

read_bootflag signature:
Couldn't find something exactly similar, but I did find this

ffff60d0 : e52de004
ffff60d4 : e3500000
ffff60d8 : 13a0333e
ffff60dc : 12833a02
ffff60e0 : 13a020aa

My logfile:
https://drive.google.com/drive/folders/0B1BxGc3dfMDaRUZweUJ5NWZUTTQ?usp=sharing
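
The signature search from Reply #86, run over log lines built from the values in Reply #88, as an added example that is not part of the original posts or of the Magic Lantern code base. The function names, the mismatch tolerance and the filler and decoy log lines are assumptions made for the illustration; the signatures and the matching addresses are the ones quoted in the thread.

```python
import re

# Signatures exactly as quoted in the thread (first five words, 5dc bootloader).
WRITE_BOOTFLAG_SIG = [0xE92D41F0, 0xE1A05001, 0xE3A04000, 0xE3500000, 0x13A0733E]
READ_BOOTFLAG_SIG = [0xE52DE004, 0xE3500000, 0x3E33A013, 0x12833A02, 0x13A02040]

# One log line looks like "ffff0000 :       e59ff018".
LINE_RE = re.compile(r"^\s*([0-9a-fA-F]{1,8})\s*:\s*([0-9a-fA-F]{1,8})\s*$")

# Constructed sample log. The ffff5fe0 and ffff60d0 runs are the values posted
# in Reply #88; the ffff5fdc filler and the ffff6000 decoy run are made up.
SAMPLE_LOG = """
Addr:      Data
---------------
ffff0000 :       e59ff018
ffff0004 :       e59ff018
ffff5fdc :       e1a00000
ffff5fe0 :       e92d41f0
ffff5fe4 :       e1a05001
ffff5fe8 :       e3a04000
ffff5fec :       e3500000
ffff5ff0 :       13a0733e
ffff6000 :       e52de004
ffff6004 :       e3500000
ffff6008 :       e1a00000
ffff600c :       e1a00000
ffff6010 :       e1a00000
ffff60d0 :       e52de004
ffff60d4 :       e3500000
ffff60d8 :       13a0333e
ffff60dc :       12833a02
ffff60e0 :       13a020aa
"""


def parse_log(text):
    """Return {address: word} for every 'addr : data' line; headers are skipped."""
    words = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            words[int(m.group(1), 16)] = int(m.group(2), 16)
    return words


def find_signature(words, signature, max_mismatches=0):
    """Slide the signature over consecutive 4-byte steps of the logged range.

    Returns [(start_address, [indexes of words that differ])]. A window with a
    missing address (gap in the log) or too many differing words is dropped.
    """
    hits = []
    for start in sorted(words):
        mismatches = []
        for idx, expected in enumerate(signature):
            actual = words.get(start + 4 * idx)
            if actual is None:
                mismatches = None
                break
            if actual != expected:
                mismatches.append(idx)
                if len(mismatches) > max_mismatches:
                    mismatches = None
                    break
        if mismatches is not None:
            hits.append((start, mismatches))
    return hits


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for name, sig, tol in (("write_bootflag", WRITE_BOOTFLAG_SIG, 0),
                           ("read_bootflag", READ_BOOTFLAG_SIG, 2)):
        for start, diff in find_signature(log, sig, tol):
            print(f"{name}: candidate at {start:08x}, differing words {diff}")
```

A hit with differing words is only a candidate: the reported indexes tell you which instructions to compare by hand against the reference disassembly before the address is used anywhere.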

Ant123

  • Freshman
  • **
  • Posts: 63
Re: Porting ML to 1000D (AKA Compiling for 1000D/XS)
« Reply #89 on: December 15, 2016, 03:42:18 PM »
You are strange people...
Printing bootloader memory values to log file instead of making full ROM dump. Why?

Levas

  • Hero Member
  • *****
  • Posts: 853
  • 6d - Nightly build user
Re: Porting ML to 1000D (AKA Compiling for 1000D/XS)
« Reply #90 on: December 15, 2016, 04:15:26 PM »
I'm just following orders  :D

SysCall

  • New to the forum
  • *
  • Posts: 32
Re: Porting ML to 1000D (AKA Compiling for 1000D/XS)
« Reply #91 on: December 15, 2016, 07:51:11 PM »
@Levas

Perfect, confirmed.

I got the same result  :D .

Now we can work on the bootflag installer.

Only one thing left is, I have to find out the write_card_bootflag address for canon 1000d.

From 450D port:
https://bitbucket.org/hudson/magic-lantern/src/18ac6b0f992918c7ba6dd282c3e74ca42574561c/installer/450D.110/bootdisk.c?at=vxworks&fileviewer=file-view-default#bootdisk.c-156
Quote
    //~ Not sure if this is correct or not
    write_card_bootflag = (ft_write_card_bootflag)0xFFFF4140;

I have read that someone just skips it and makes the SD card bootable manually.

Ant123

  • Freshman
  • **
  • Posts: 63
Re: Porting ML to 1000D (AKA Compiling for 1000D/XS)
« Reply #92 on: December 15, 2016, 08:43:58 PM »
Quote
I have read that someone just skips it and makes the SD card bootable manually.

On 450D write_card_bootflag() function works well.
I forgot to delete the comment.

SysCall

  • New to the forum
  • *
  • Posts: 32
Re: Porting ML to 1000D (AKA Compiling for 1000D/XS)
« Reply #93 on: December 15, 2016, 09:34:01 PM »
@Ant123

Quote
You are strange people...
Printing bootloader memory values to log file instead of making full ROM dump. Why?

That's because I did not have the correct setup yet. Even if I have a dump I could not do anything with it.

Correct me if I'm wrong, but most people are using IDA Pro or GPL Tools/ARM console and QEMU for debugging.

I have difficulties to set it up on Mac OS, I'm considering to switch to linux and setup everything there.

Quote
On 450D write_card_bootflag() function works well.

Is it a global function that you just can call?

In the installer it is defined as typedef:

Code: [Select]
typedef void (*ft_write_card_bootflag)(int arg0);
How do you determine the address (0xFFFF4140) anyway?
Code: [Select]
write_card_bootflag = (ft_write_card_bootflag)0xFFFF4140;

Ant123

  • Freshman
  • **
  • Posts: 63
Re: Porting ML to 1000D (AKA Compiling for 1000D/XS)
« Reply #94 on: December 15, 2016, 10:29:48 PM »
Quote
Correct me if I'm wrong, but most people are using IDA Pro or GPL Tools/ARM console.

There is no other way to make an ML port.

Quote
Is it a global function that you just can call?
Yes.

Quote
How do you determine the address (0xFFFF4140) anyway?
Just looked at the bootloader code.

Code: [Select]
ROM:FFFF29A4 04 E0 2D E5       STR             LR, [SP,#-4]!
ROM:FFFF29A8 80 D0 4D E2       SUB             SP, SP, #0x80
ROM:FFFF29AC 11 0F 8F E2       ADR             R0, aYouChoseTheWri ; "You chose the writing of a Volume Label"...
ROM:FFFF29B0 76 27 00 EB       BL              sub_FFFFC790
ROM:FFFF29B4 0D 10 A0 E1       MOV             R1, SP
ROM:FFFF29B8 1B 0F 8F E2       ADR             R0, aMayIWriteYN  ; "May I write(Y/N)? :"
ROM:FFFF29BC 80 20 A0 E3       MOV             R2, #0x80
ROM:FFFF29C0 41 00 00 EB       BL              sub_FFFF2ACC
ROM:FFFF29C4 00 00 DD E5       LDRB            R0, [SP]
ROM:FFFF29C8 79 00 50 E3       CMP             R0, #0x79 ; 'y'
ROM:FFFF29CC 00 00 DD 15       LDRNEB          R0, [SP]
ROM:FFFF29D0 59 00 50 13       CMPNE           R0, #0x59 ; 'Y'
ROM:FFFF29D4 05 00 00 1A       BNE             loc_FFFF29F0
ROM:FFFF29D8 00 00 A0 E3       MOV             R0, #0
ROM:FFFF29DC D7 05 00 EB       BL              sub_FFFF4140
ROM:FFFF29E0 16 3F 8F E2       ADR             R3, aWriteError_  ; "WRITE error.\n"
ROM:FFFF29E4 19 2F 8F E2       ADR             R2, aWriteDone_   ; "WRITE done.\n"
ROM:FFFF29E8 00 10 A0 E3       MOV             R1, #0
ROM:FFFF29EC 32 00 00 EB       BL              sub_FFFF2ABC

SysCall

  • New to the forum
  • *
  • Posts: 32
Re: Porting ML to 1000D (AKA Compiling for 1000D/XS)
« Reply #95 on: December 16, 2016, 07:08:43 PM »
@Ant123

Cool, thank you very much.


//---------------------------------------
Note to myself:

Link: https://www.magiclantern.fm/forum/index.php?topic=12627.25
Quote
step 0: setup the toolchain (you can also do it like this)
step 1: dump the firmware (see a couple posts back)
step 2: analyze/decompile the firmware dump to find function stubs
step 3: run it in QEMU
step 4: if you get this far, get in touch with a1ex to create a bootflag fir, so you can run on actual camera

see also: some of the porting work done by recently for 70D (look at the commit history and diffs):
https://bitbucket.org/hudson/magic-lantern/branch/70d-support
https://bitbucket.org/hudson/magic-lantern/pull-request/620/add-support-for-eos-70d-111-both-revisions/diff#

SysCall

  • New to the forum
  • *
  • Posts: 32
Re: Porting ML to 1000D (AKA Compiling for 1000D/XS)
« Reply #96 on: December 20, 2016, 06:19:13 PM »

Ok, I just found out how to disassemble the ROM.BIN.

As Ant123 mentioned earlier, in the "bootloader_mem_dump/main.c" just replace in "void MyTask2()"

Code: [Select]
booloader_mem_dump_0();
with

Code: [Select]
dumpmemo();
Now, compile and execute it on the camera.

After the dump finished, two files should be on the SD card.

RAMDUMP.BIN
ROMDUMP.BIN

Afterwards, follow the instruction from this link:

https://www.magiclantern.fm/forum/index.php?topic=12177.0

If you followed this thread (for Mac OS), update the "disassemble.pl" to this.

Code: [Select]
# adjust these for your needs (note final slash):
$path = "~/gcc-arm-none-eabi-4_8-2013q4/bin/";
 
# note on "strings": default is a minimum length of 4 chars.
# So if u are hunting for e.g. "FI2" add -n3
# However, it gives a lot of false positive.
$strdump = "strings -t x";
$objdump = "${path}arm-none-eabi-objdump";
$objcopy = "${path}arm-none-eabi-objcopy";

Now, looking at the main.c code, the ROM dump starts at FF800000, so modify the call like this.

Code: [Select]
perl disassemble.pl 0xFF800000 ROMDUMP.BIN
Once finished, open the "ROMDUMP.BIN.dis" in a text file.

---------------------
The write_bootflag and read_bootflag for the canon 1000d look like this in assembly.

write_bootflag:
Code: [Select]
Address reg value ASM code / instruction
--------- ----------- -------------------------

ffff5fe0: e92d41f0 push {r4, r5, r6, r7, r8, lr}
ffff5fe4: e1a05001 mov r5, r1
ffff5fe8: e3a04000 mov r4, #0
ffff5fec: e3500000 cmp r0, #0
ffff5ff0: 13a0733e movne r7, #-134217728 ; 0xf8000000

read_bootflag:
Code: [Select]
Address reg value ASM code / instruction
--------- ----------- -------------------------

ffff60d0: e52de004 push {lr} ; (str lr, [sp, #-4]!)
ffff60d4: e3500000 cmp r0, #0
ffff60d8: 13a0333e movne r3, #-134217728 ; 0xf8000000
ffff60dc: 12833a02 addne r3, r3, #8192 ; 0x2000
ffff60e0: 13a020aa movne r2, #170 ; 0xaa


Next step would be to find the addresses of the functions for the 1000D and add them to the stubs.S.
This will take time ...

Hunt3r

  • Just arrived
  • *
  • Posts: 1
Re: Porting ML to 1000D (AKA Compiling for 1000D/XS)
« Reply #97 on: January 22, 2017, 03:29:15 PM »
ML on the 1000 would be awesome, thank you!
I use my 1000D as "every day camera", because it's lighter and smaller than my 50D and 5D2, and it still rocks!
Can't help you with this port, 'cause I suck with programming, but just wanted to thank you ;)
