Author Topic: Canon 80D  (Read 49439 times)

Greg

  • Hero Member
  • *****
  • Posts: 550
Re: Canon 80D
« Reply #100 on: February 26, 2017, 08:06:25 PM »
I do not have an 80D. It's too expensive.
I have only qemu cameras :P

Straight_Shooter

  • New to the forum
  • *
  • Posts: 9
  • Canon 80D, Canon 1100D
Re: Canon 80D
« Reply #101 on: March 05, 2017, 05:01:32 PM »
I am now the owner of an 80D, in addition to my old 1100D.  :)

As soon as we have some binary that we can test I will be happy to help with testing.

pawl

  • Just arrived
  • *
  • Posts: 1
Re: Canon 80D
« Reply #102 on: April 04, 2017, 10:01:39 AM »
I'm still using 60d
The main reason I haven't upgraded to the 80D yet is that ML is not ready  :D :D :D

(in addition: 80D comes with DIGIC6, but 77D comes with DIGIC7. I'm afraid Canon will release a 8xD with DIGICx)

JaSt

  • Just arrived
  • *
  • Posts: 1
Re: Canon 80D
« Reply #103 on: April 10, 2017, 10:12:28 AM »
Greetings to ML developers,
I have an 80D. Contact me if you want help testing an early version.
Thanks in advance.  :)

benzett

  • Just arrived
  • *
  • Posts: 2
Re: Canon 80D
« Reply #104 on: April 18, 2017, 04:16:42 PM »
Hey folks, is there any news about an ML version for the 80D? I'm thinking about buying it, but unless I can get rid of the focus boxes, I won't... :) Thanks for your work!

Muwex

  • Just arrived
  • *
  • Posts: 1
Re: Canon 80D
« Reply #105 on: April 20, 2017, 02:59:51 PM »
Hi!
I am also an owner of a Canon 80D and have been for a long while. I had a Canon 500D with Magic Lantern on it, sooooo.... I would be more than happy to finally have it on the 80D.
Of course I understand that it takes time, but if help is needed, I can try my best and do some testing :)

I make videos for 5 channels; this is my main channel: https://www.youtube.com/channel/UCXzdh4S1HOEpTTLreDBprlw
So I have about 5 years of experience with video making and creativity on YouTube :)

deathbyderps

  • Just arrived
  • *
  • Posts: 2
Re: Canon 80D
« Reply #106 on: April 23, 2017, 01:45:27 PM »
Hey, I too got an 80D about a month back.
I'd be happy to test any form of early software, as unstable as it may be.
Feel free to drop me an email.

Spakes

  • Just arrived
  • *
  • Posts: 2
Re: Canon 80D
« Reply #107 on: April 29, 2017, 07:55:52 AM »
Hi. New here.
I got an 80D too, updated it to 1.0.2 through EOS Utility 3. I don't have enough knowledge for QEMU/low-level C (only learning C++ and Java for Android), but I'm open to testing anything. If you have some manuals for reverse engineering or need to test something, I'm ready to help. Just tell me what to do.

Spakes

  • Just arrived
  • *
  • Posts: 2
Re: Canon 80D 1.0.2
« Reply #108 on: May 02, 2017, 01:57:33 PM »
I know there are only minor updates in 1.0.2, but I still made a dump of 1.0.2 (why not; better for Norwegians and lens registration).
I can give you a link to all dumps if you PM me.
Is there also anything I can do that doesn't require a lot of time? I'll try to do some disassembly after June 10th, maybe; I can't do it now because of exams.

Greg

  • Hero Member
  • *****
  • Posts: 550
Re: Canon 80D
« Reply #109 on: May 09, 2017, 06:23:16 PM »
Any plans with digic 6/7?

Ant123

  • Freshman
  • **
  • Posts: 65

Greg

  • Hero Member
  • *****
  • Posts: 550
Re: Canon 80D
« Reply #111 on: May 10, 2017, 02:07:07 PM »
It looks like no one wants a sensor in technology from 15 years ago.  :P

emklap

  • Just arrived
  • *
  • Posts: 2
Re: Canon 80D
« Reply #112 on: May 11, 2017, 09:44:29 PM »
Hi, I'm new here and have started on 80D reverse engineering.

I made custom firmware for the EOS 300D a long time back and think it's fun to try to port ML to the 80D.

I have a VirtualBox setup and am able to compile the ML code; QEMU still needs to be set up.

I use 80D FW 1.0.2 because that was on my camera and I could not find FW 1.0.1. The ROM dumper worked fine and gave me three ROM1 dumps, one with a valid CRC.

I duplicated the file and loaded it into IDA with offset 0xFC000000, and analysis of the code went smoothly. I now need to run an IDC script because the automatic analysis does not recognize the first character of strings. Let's see if my old code still works  :-)

Also, the Perl script disassamble.pl ran fine, giving me lots of strings to work with. Some (2x) 330,000, way too many  :D to work with, and I need to somehow remove the ones that do not make sense.

The start of the code looks like this:
Code:
ROM:FC000000 ; Processor       : ARM
ROM:FC000000 ; ARM architecture: metaarm
ROM:FC000000 ; Target assembler: Generic assembler for ARM
ROM:FC000000 ; Byte sex        : Little endian
ROM:FC000000
ROM:FC000000 ; ===========================================================================
ROM:FC000000
ROM:FC000000 ; Segment type: Pure code
ROM:FC000000                 AREA ROM, CODE, READWRITE, ALIGN=0
ROM:FC000000                 ; ORG 0xFC000000
ROM:FC000000                 CODE32
ROM:FC000000
ROM:FC000000 loc_FC000000                            ; DATA XREF: sub_FC0274EC+34r
ROM:FC000000                                         ; sub_FC0274EC+40w
ROM:FC000000                 STC2            p0, c0, [R0], {8}
ROM:FC000004                 STC2            p0, c0, [R0], {0x48}
ROM:FC000008                 MOV             R0, #0
ROM:FC00000C                 MCR             p15, 0, R0,c6,c2, 0
ROM:FC000010                 MOV             R0, #0
ROM:FC000014                 MCR             p15, 0, R0,c6,c1, 0
ROM:FC000018                 MOV             R0, #0x3F
ROM:FC00001C                 MCR             p15, 0, R0,c6,c1, 2
ROM:FC000020                 MOV             R0, #0x320
ROM:FC000024                 MCR             p15, 0, R0,c6,c1, 4
ROM:FC000028                 MRC             p15, 0, R0,c1,c0, 0
ROM:FC00002C                 BIC             R0, R0, #0x20000
ROM:FC000030                 ORR             R0, R0, #1
ROM:FC000034                 DSB             SY
ROM:FC000038                 MCR             p15, 0, R0,c1,c0, 0
ROM:FC00003C                 ISB             SY
ROM:FC000040                 LDR             PC, =0xFE020000

and at FE0A0000 it looks like this:
Code:
ROM:FE0A0000                         ; ---------------------------------------------------------------------------
ROM:FE0A0000                         ; START OF FUNCTION CHUNK FOR sub_FE020000
ROM:FE0A0000
ROM:FE0A0000                         loc_FE0A0000                            ; CODE XREF: ROM:FC020E78j
ROM:FE0A0000                                                                 ; sub_FE020000+E78j
ROM:FE0A0000                                                                 ; DATA XREF: ROM:FC020E74o
ROM:FE0A0000                                                                 ; ROM:off_FC021278o ...
ROM:FE0A0000 04 00 8F E2                             ADR             R0, loc_FE0A000C
ROM:FE0A0004 01 00 80 E3                             ORR             R0, R0, #1
ROM:FE0A0008 10 FF 2F E1                             BX              R0 ; loc_FE0A000C
ROM:FE0A000C                         ; ---------------------------------------------------------------------------
ROM:FE0A000C                                         CODE16
ROM:FE0A000C
ROM:FE0A000C                         loc_FE0A000C                            ; CODE XREF: sub_FE020000+80008j
ROM:FE0A000C                                                                 ; DATA XREF: sub_FE020000:loc_FE0A0000o
ROM:FE0A000C 40 F2 00 00 C0 F2 00 00                 MOV             R0, #0
ROM:FE0A0014 40 F2 38 03 C0 F2 00 03                 MOV             R3, #0x38
ROM:FE0A001C 20 F0 01 00                             BIC.W           R0, R0, #1
ROM:FE0A0020 23 F0 01 03                             BIC.W           R3, R3, #1
ROM:FE0A0024 40 F2 00 01 C0 F2 00 01                 MOV             R1, #0
ROM:FE0A002C
ROM:FE0A002C                         loc_FE0A002C                            ; CODE XREF: sub_FE020000+80038j
ROM:FE0A002C 98 42                                   CMP             R0, R3
ROM:FE0A002E 3C BF                                   ITT CC
ROM:FE0A0030 50 F8 04 2B                             LDRCC.W         R2, [R0],#4
ROM:FE0A0034 41 F8 04 2B                             STRCC.W         R2, [R1],#4
ROM:FE0A0038 F8 D3                                   BCC             loc_FE0A002C
ROM:FE0A003A 4F F0 01 00                             MOV.W           R0, #1
ROM:FE0A003E 06 EE 12 0F                             MCR             p15, 0, R0,c6,c2, 0
ROM:FE0A0042 40 F2 21 11                             MOVW            R1, #0x121
ROM:FE0A0046 06 EE 91 1F                             MCR             p15, 0, R1,c6,c1, 4
ROM:FE0A004A BF F3 4F 8F                             DSB.W           SY
ROM:FE0A004E 19 EE 11 0F                             MRC             p15, 0, R0,c9,c1, 0
ROM:FE0A0052 00 F0 7D 00                             AND.W           R0, R0, #0x7D
ROM:FE0A0056 40 F2 01 01 C8 F2 00 01                 MOV             R1, #0x80000001
ROM:FE0A005E 40 EA 01 00                             ORR.W           R0, R0, R1
ROM:FE0A0062 09 EE 11 0F                             MCR             p15, 0, R0,c9,c1, 0
ROM:FE0A0066 40 F6 00 00 C8 F2 00 00                 MOV             R0, #0x80000800

The next step is to find stubs, but I have no clue where to start; IDA shows just over 100,000 functions!! Again, where do I start????
Can anyone provide some tips, e.g. which functions are important to find and which are not? Are there some easy ones to start with?
Are there IDC scripts available that can do some of the work for me/us?

Looking forward to some coding time


300D,40D,80D
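The orientation steps in the post above (checking that the three ROM1 dumps agree, loading the image at 0xFC000000, and locating the reset vector's `LDR PC, =0xFE020000` and the `ADR R0 / ORR R0,R0,#1 / BX R0` ARM-to-Thumb stubs in the listing) can be scripted before opening IDA. The script below is an added example written for this thread, not Magic Lantern, CHDK or Canon code. It assumes the one image is visible at both 0xFC000000 and 0xFE000000 (the listing cross-references FC... and FE... addresses into each other), that each window is ROM_SIZE bytes (32 MB is an assumption; set it to the dump size), and it runs on a tiny ROM constructed inline rather than on a real dump.

```python
"""Orientation helpers for a Digic 6 style ROM1 dump.

Added example for this thread; not Magic Lantern, CHDK or Canon code.
Assumptions: the one image is visible at both 0xFC000000 and 0xFE000000,
each window is ROM_SIZE bytes (32 MB is an assumption, set it to the dump
size), the reset vector ends in `LDR PC, =target`, and Thumb entry points are
reached through the 12-byte ARM stub `ADR R0,.+12 / ORR R0,R0,#1 / BX R0`
whose bytes appear in the thread. build_sample_rom() constructs a stand-in
for a real dump.
"""
import struct

BASES = (0xFC000000, 0xFE000000)
ROM_SIZE = 0x02000000                                   # assumed window size
STUB = bytes.fromhex("04008FE2" "010080E3" "10FF2FE1")  # bytes from the listing


def u32(rom, off):
    return struct.unpack_from("<I", rom, off)[0]


def to_offset(addr):
    """File offset of `addr` in whichever of the two windows contains it."""
    for base in BASES:
        if base <= addr < base + ROM_SIZE:
            return addr - base
    raise ValueError("address 0x%08X is not in a ROM window" % addr)


def mirror(addr):
    """The same byte seen from the other base (IDA's two views of one image)."""
    off = to_offset(addr)
    return (BASES[1] if addr < BASES[1] else BASES[0]) + off


def compare_dumps(dumps):
    """Offsets where repeated dumps of one ROM disagree (a flaky-dumper check)."""
    if len({len(d) for d in dumps}) != 1:
        raise ValueError("dumps differ in length")
    ref, bad = dumps[0], set()
    for d in dumps[1:]:
        bad.update(i for i, (x, y) in enumerate(zip(ref, d)) if x != y)
    return sorted(bad)


def decode_ldr_pc_literal(rom, base, addr):
    """Target of `LDR PC, [PC, #+/-imm12]` (ARM encoding A1) at `addr`, else None."""
    w = u32(rom, addr - base)
    if (w & 0x0F7F0000) != 0x051F0000 or ((w >> 12) & 0xF) != 15:
        return None
    imm = w & 0xFFF
    pool = addr + 8 + (imm if w & (1 << 23) else -imm)   # PC reads as addr+8
    return u32(rom, pool - base)


def find_arm_to_thumb_stubs(rom, base):
    """Addresses of every ARM->Thumb trampoline; the Thumb code starts at stub+12."""
    found, i = [], rom.find(STUB)
    while i != -1:
        if i % 4 == 0:                       # ARM instructions are word aligned
            found.append(base + i)
        i = rom.find(STUB, i + 1)
    return found


def build_sample_rom():
    """Constructed stand-in for a dump: reset LDR PC literal plus one Thumb stub."""
    rom = bytearray(0x200)
    struct.pack_into("<I", rom, 0x40, 0xE51FF004)  # LDR PC,[PC,#-4]: literal at 0x44
    struct.pack_into("<I", rom, 0x44, 0xFE020000)  # main firmware entry from the listing
    rom[0x100:0x10C] = STUB
    return bytes(rom)


if __name__ == "__main__":
    rom = build_sample_rom()
    print("dumps agree at every byte:", compare_dumps([rom, rom, rom]) == [])
    entry = decode_ldr_pc_literal(rom, BASES[0], BASES[0] + 0x40)
    print("reset vector jumps to 0x%08X (mirror 0x%08X)" % (entry, mirror(entry)))
    for a in find_arm_to_thumb_stubs(rom, BASES[1]):
        print("ARM->Thumb stub at 0x%08X, Thumb code at 0x%08X" % (a, a + 12))
```

On a real dump, pass the three ROM1 files to compare_dumps() first: offsets that disagree tell you whether the dump with the valid CRC is the one to trust, and every stub address reported by find_arm_to_thumb_stubs() is a place to tell IDA to switch to Thumb (CODE16) at stub+12, which is what the FE0A000C listing shows by hand.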

a1ex

  • Administrator
  • Hero Member
  • *****
  • Posts: 9819
  • 5D Mark Free
Re: Canon 80D
« Reply #113 on: May 12, 2017, 01:50:52 PM »
Hi - emklap from CHDK, right?

For IDA, you need to select ARMv7 A&R, and also*) load the same ROM at 0xFE000000.

*) Loading both ROMs makes IDA very slow (at least here), so it may be best to define two "projects": one for analyzing the bootloader at 0xFC000000 and another one for the main firmware at 0xFE000000.

The perl script has a custom version for DIGIC 6, but I didn't try it. You should know the CHDK forum better than me :D

Some of the stubs are listed in the digic6-dumper branch. There is an initial platform directory for 80D, which uses a minimal file structure (suitable for experimenting around) - this works fine in QEMU, but not on the actual hardware. I believe the issue is caching in the context of self-modifying code (ARMv7 has a different way to deal with this), but didn't look too much into it yet. Copying CHDK cache functions is probably enough to move forward.

When you are ready to run code on your camera, just get in touch with me on IRC.
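The caching point a1ex raises comes down to what the MPU region registers say about the memory the firmware runs from. The reset code in the 0xFC000000 listing programs region 0 through cp15 c6 (on an ARMv7-R PMSA core: RGNR at c6,c2,0; DRBAR at c6,c1,0; DRSR at c6,c1,2; DRACR at c6,c1,4), and the Thumb code at 0xFE0A003E does the same for region 1 with DRACR = 0x121. The script below is an added example for this thread, not Magic Lantern or CHDK code: it decodes those fields per the ARMv7-R register layouts and reconstructs the region table from a sequence of ARM-state MOV/MOVW + MCR words. SAMPLE_WORDS is hand-encoded from the 0xFC000000 listing (which shows no bytes), so it is constructed input; the Thumb-2 sequence is not decoded, but its immediate values can be fed to the field decoders directly.

```python
"""Decode cp15 MPU region programming of the kind seen at the 80D reset vector.

Added example for this thread; not Magic Lantern, CHDK or Canon code. Field
layouts follow the ARMv7-R PMSA registers: RGNR (c6,c2,0), DRBAR (c6,c1,0),
DRSR (c6,c1,2) and DRACR (c6,c1,4). SAMPLE_WORDS is hand-encoded from the
0xFC000000 listing in the thread and is constructed input.
"""

# DRACR.AP access permissions and TEX/C/B cacheability policies (ARMv7).
AP = {0: "no access", 1: "priv RW", 2: "priv RW / user RO", 3: "RW all",
      5: "priv RO", 6: "RO all", 7: "RO all"}
POLICY = {0: "non-cacheable", 1: "write-back write-allocate",
          2: "write-through", 3: "write-back"}
LEGACY = {(0, 0, 0): "Strongly-ordered", (0, 0, 1): "Device (shareable)",
          (0, 1, 0): "Normal WT", (0, 1, 1): "Normal WB",
          (1, 0, 0): "Normal non-cacheable", (1, 1, 1): "Normal WBWA",
          (2, 0, 0): "Device (non-shareable)"}


def ror32(v, n):
    n &= 31
    return ((v >> n) | (v << (32 - n))) & 0xFFFFFFFF if n else v


def decode_mov_imm(w):
    """(rd, value) for ARM-state MOV Rd,#<modified imm> (A1) or MOVW Rd,#imm16."""
    if (w & 0x0FEF0000) == 0x03A00000:
        return (w >> 12) & 0xF, ror32(w & 0xFF, ((w >> 8) & 0xF) * 2)
    if (w & 0x0FF00000) == 0x03000000:
        return (w >> 12) & 0xF, (((w >> 16) & 0xF) << 12) | (w & 0xFFF)
    return None


def decode_mcr_p15(w):
    """(opc1, rt, crn, crm, opc2) for ARM-state MCR p15,... (A1), else None."""
    if (w & 0x0F100F10) != 0x0E000F10:
        return None
    return (w >> 21) & 7, (w >> 12) & 0xF, (w >> 16) & 0xF, w & 0xF, (w >> 5) & 7


def decode_drsr(v):
    return {"enabled": bool(v & 1),
            "size": 1 << (((v >> 1) & 0x1F) + 1),       # bytes, 2^(Size+1)
            "subregion_disable": (v >> 8) & 0xFF}


def decode_dracr(v):
    b, c, s = v & 1, (v >> 1) & 1, (v >> 2) & 1
    tex, ap, xn = (v >> 3) & 7, (v >> 8) & 7, (v >> 12) & 1
    if tex & 4:  # TEX[2]=1: Normal memory, outer policy TEX[1:0], inner policy C:B
        mtype = "Normal, outer %s, inner %s" % (POLICY[tex & 3], POLICY[(c << 1) | b])
    else:
        mtype = LEGACY.get((tex, c, b), "reserved")
    return {"access": AP.get(ap, "reserved"), "type": mtype,
            "shareable": bool(s), "xn": bool(xn)}


def reconstruct_regions(words):
    """Track MOV immediates per register and replay MCRs to cp15 c6 into a region table."""
    regs, regions, cur = {}, {}, None
    for w in words:
        m = decode_mov_imm(w)
        if m:
            regs[m[0]] = m[1]
            continue
        mcr = decode_mcr_p15(w)
        if not mcr:
            continue
        opc1, rt, crn, crm, opc2 = mcr
        if opc1 != 0 or crn != 6 or rt not in regs:
            continue
        val = regs[rt]
        if (crm, opc2) == (2, 0):             # RGNR: select the region to program
            cur = val
            regions.setdefault(cur, {})
        elif cur is not None and crm == 1:
            name = {0: "base", 2: "drsr", 4: "dracr"}.get(opc2)
            if name:
                regions[cur][name] = val
    return regions


def describe(regions):
    lines = []
    for n, r in sorted(regions.items()):
        sz, acc = decode_drsr(r.get("drsr", 0)), decode_dracr(r.get("dracr", 0))
        lines.append("region %d: base 0x%08X size 0x%X %s, %s, %s" % (
            n, r.get("base", 0), sz["size"], "enabled" if sz["enabled"] else "disabled",
            acc["access"], acc["type"]))
    return lines


# Hand-encoded from the 0xFC000000 listing: MOV R0,#0 / MCR c6,c2,0 / MOV R0,#0 /
# MCR c6,c1,0 / MOV R0,#0x3F / MCR c6,c1,2 / MOV R0,#0x320 / MCR c6,c1,4.
SAMPLE_WORDS = [0xE3A00000, 0xEE060F12, 0xE3A00000, 0xEE060F11,
                0xE3A0003F, 0xEE060F51, 0xE3A00FC8, 0xEE060F91]

if __name__ == "__main__":
    for line in describe(reconstruct_regions(SAMPLE_WORDS)):
        print(line)
    # The Thumb-2 sequence at 0xFE0A003E sets DRACR = 0x121 for region 1.
    print("region 1 DRACR 0x121 ->", decode_dracr(0x121))
```

Reading the thread's own constants through this: region 0 covers the whole 4 GB address space, fully accessible and non-cacheable inside and out, while region 1's DRACR of 0x121 is privileged-only with an inner write-back, write-allocate policy. Code patched into a write-back cacheable region is exactly where instruction and data caches can disagree, so any hooking that works in QEMU but not on the camera should be checked against which region the patched addresses fall into.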

Ant123

  • Freshman
  • **
  • Posts: 65
Re: Canon 80D
« Reply #114 on: May 12, 2017, 10:15:02 PM »
http://chdk.wikia.com/wiki/Digic_6_Porting

Copying CHDK cache functions is probably enough to move forward.

What is "CHDK cache functions" ?

a1ex

  • Administrator
  • Hero Member
  • *****
  • Posts: 9819
  • 5D Mark Free
Re: Canon 80D
« Reply #115 on: May 12, 2017, 10:32:30 PM »

emklap

  • Just arrived
  • *
  • Posts: 2
Re: Canon 80D
« Reply #116 on: May 15, 2017, 12:54:33 PM »
Hi A1ex,

Yes, I am the emklap of CHDK; there are not many of me around  :D
I already set IDA to ARMv7 A&R but didn't see any immediate change. I have no performance degradation with the entire FW bootloader & ROM RAM loaded in one IDA project, but the suggestion to split it is a nice one; I might try that myself as well.

Next steps for me will be to get QEMU up and running and to adjust the CHDK IDC scripts for my project.
I have limited time over the next few weekends so it might take some time, but I will report my progress in due time. I'll catch up with ARM disassembly as well.


300D,40D,80D

Pierro777

  • New to the forum
  • *
  • Posts: 8
Re: Canon 80D
« Reply #117 on: May 20, 2017, 11:12:29 PM »
Hi A1ex,

Yes, I am the emklap of CHDK; there are not many of me around  :D
I already set IDA to ARMv7 A&R but didn't see any immediate change. I have no performance degradation with the entire FW bootloader & ROM RAM loaded in one IDA project, but the suggestion to split it is a nice one; I might try that myself as well.

Next steps for me will be to get QEMU up and running and to adjust the CHDK IDC scripts for my project.
I have limited time over the next few weekends so it might take some time, but I will report my progress in due time. I'll catch up with ARM disassembly as well.

I really hope you get it working!!!