Topic: get firmware dump from Digic6+ camera

GregoryOfManhattan

  • Member
  • ***
  • Posts: 170
get firmware dump from Digic6+ camera
« on: September 09, 2016, 03:55:28 PM »
for a new device without an existing .FIR file, is there a procedure to get an initial firmware dump for a Digic 6+ camera?

a1ex

  • Administrator
  • Hero Member
  • *****
  • Posts: 10015
  • 5D Mark Free
Re: get firmware dump from Digic6+ camera
« Reply #1 on: September 09, 2016, 04:33:53 PM »
There is a procedure that worked on single (not dual) Digic 6 models; with some luck, may work on D6+ as well.

http://www.magiclantern.fm/forum/index.php?topic=16534.0

GregoryOfManhattan

Re: get firmware dump from Digic6+ camera
« Reply #2 on: September 09, 2016, 06:05:10 PM »
great, thank you. will try Portable ROM dumper.
I believe that I will also need a signed binary .FIR - I will search for how to generate that.

a1ex

Re: get firmware dump from Digic6+ camera
« Reply #3 on: September 09, 2016, 07:34:56 PM »
I can sign one for you, just drop me a PM.

GregoryOfManhattan

Re: get firmware dump from Digic6+ camera
« Reply #4 on: September 10, 2016, 03:31:58 PM »
Portable ROM Dumper does not appear to work on this camera.
Have tried with .FIR provided and autoexec.bin from http://www.magiclantern.fm/forum/index.php?topic=16534.0
on a 32 GB SD card formatted in camera made bootable with contrib/make_bootable.

Same card works immediately on a 5D3.

Attempting to load new Firmware displays Update file cannot be found.

GregoryOfManhattan

Re: get firmware dump from Digic6+ camera
« Reply #5 on: September 10, 2016, 04:02:53 PM »
also tried with 64GB CF card and Portable ROM dumper did not run.
same card works immediately on 5D3 this time without even moving the power switch to On.

trying to load firmware shows Loading... and hangs, this is different from the behavior using an SD card.

wonder if I should try a different build of the ROM dumper - is this built from the recovery branch?

GregoryOfManhattan

Re: get firmware dump from Digic6+ camera
« Reply #6 on: September 13, 2016, 04:11:04 AM »
blinkenlights
card formatted in camera, adding LED .FIR and autoexec.bin on a not bootable card.
click to load firmware
get only a single blink along with the loading... screen
led goes off
then screen goes black
http://imgur.com/a/Qo1dB
camera remains on but locked up with no display of any kind not even a single blinkenlight.
waited 5 minutes and pulled the battery.
same result with CF or SD card.

same process with DISP_5D3.FIR and the same autoexec.bin on a 5D3 shows the Magic Lantern Rescue screen

GregoryOfManhattan

Re: get firmware dump from Digic6+ camera
« Reply #7 on: September 13, 2016, 12:24:16 PM »
LED FIR with wider address range 2048 addresses from 0xd20b0000
is displaying blinkenlights - should I start to build an opto sensor as on olde CHDK dumps?

a1ex

Re: get firmware dump from Digic6+ camera
« Reply #8 on: September 19, 2016, 12:29:35 PM »
LED address identified :)

From the video with LED blinks:

Code:
# crop the video to show only the LED
# (the LCD backlight flickers as well, as it's driven by a GPIO in the same address range - we don't want it)
ffmpeg -i IMG_6368.MOV -vf "crop=200:200:1300:600" -acodec copy -vsync 0 LED.MOV

# compute average brightness from each frame
ffmpeg -i LED.MOV -vsync 0 -f image2pipe -vcodec ppm - | identify -format "%[mean]\n" - > blinks.log

# plot the graph in octave
octave --eval "plot(dlmread('blinks.log')); \
               grid on; axis([0 inf 0 5000]); \
               print('-dpng', '-S800,200', '-FHelvetica', 'blinks.png');"



The ON/OFF codes are reversed, so a short pause is 0 and a long pause is 1.

This gives 000010001001 -> 0x89. Search range was 0xd20b0000 - 0xd20b1ffc, addresses are 32-bit aligned, so the LED address is 0xd20b0000 + (0x89 << 2) = 0xd20b0224.

Please find:

BLINK5D4.FIR - simple blinker
BDMP_5D4.FIR - ROM dumper using the CHDK soundcard method (decoder available under contrib/led_blink_dumper in the digic6-dumper branch).

Happy hacking.
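
The decoding step described in Reply #8, as an added example that is not part of the original post or of the Magic Lantern tooling: it turns a per-frame brightness series like blinks.log into the pause bit string and then into the LED address. The function names, the brightness threshold and the constructed sample series (frame counts per blink and pause, brightness levels) are assumptions; the search range, the short-pause-is-0 rule and the address formula are taken from the post.

```python
from itertools import groupby

SEARCH_BASE = 0xD20B0000  # start of the scanned range (from the post)
SEARCH_END = 0xD20B1FFC   # last scanned address (from the post)

def pause_lengths(brightness, threshold):
    """Lengths, in frames, of each dark run that sits between two lit runs."""
    runs = [(lit, len(list(g)))
            for lit, g in groupby(b > threshold for b in brightness)]
    while runs and not runs[0][0]:    # dark lead-in is not a pause
        runs.pop(0)
    while runs and not runs[-1][0]:   # neither is the dark tail
        runs.pop()
    return [n for lit, n in runs if not lit]

def pauses_to_bits(pauses):
    """Short pause -> '0', long pause -> '1', split at the midpoint."""
    if not pauses:
        raise ValueError("no pauses found; check the brightness threshold")
    lo, hi = min(pauses), max(pauses)
    if hi < 2 * lo:
        raise ValueError("cannot tell short pauses from long ones")
    cut = (lo + hi) / 2
    return "".join("1" if p > cut else "0" for p in pauses)

def led_address(bits, base=SEARCH_BASE, end=SEARCH_END):
    """Blink code is an index into 32-bit aligned addresses from base."""
    addr = base + (int(bits, 2) << 2)
    if addr > end:
        raise ValueError(f"{addr:#x} is outside the scanned range")
    return addr

def synth_log(bits, on=3, short=2, long=6, bright=4200.0, dark=300.0):
    """Constructed brightness series; frame counts and levels are assumed."""
    frames = [dark] * 5
    for b in bits:
        frames += [bright] * on + [dark] * (long if b == "1" else short)
    return frames + [bright] * on + [dark] * 5

if __name__ == "__main__":
    log = synth_log("000010001001")  # bit string read off the plot in the post
    bits = pauses_to_bits(pause_lengths(log, threshold=2500))
    print(bits, hex(led_address(bits)))  # 000010001001 0xd20b0224
```

For a real capture, load the series with `[float(x) for x in open("blinks.log")]` and pick a threshold between the two brightness levels visible on the plot.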