Oh where oh where have my fonts gone?

Started by dfort, February 14, 2017, 01:09:34 AM


dfort

I've been playing around with getting ML working on the 5D3.134 firmware and have gotten quite far but am stumped trying to find the addresses for the fonts.

According to the 5D3.123 code:

// http://magiclantern.wikia.com/wiki/Fonts
#define BFNT_CHAR_CODES    0xF7363A50
#define BFNT_BITMAP_OFFSET 0xF7366BC4
#define BFNT_BITMAP_DATA   0xF7369D38


Ok, been there before on the 700D firmware update and treated these just like finding stubs but these addresses aren't in the ROM1.BIN disassembly. I looked up the wiki reference and it pointed to the find_fnt.py script which is in the contrib/indy directory and it needs to be run on ROM0.BIN. Ok, so far so good. This is what I got for the 5D3.123:

Find bitmap fonts in Canon DSLR firmwares
Arm.Indy. based on work by Pel, Trammel Hudson and A1ex

0xff373a2c: FNT
0xff373a30: (+0x04) 0xffd8
0xff373a32: (+0x06) font_width = 40
0xff373a34: (+0x08) charmap_offset = 0x24
0xff373a38: (+0x0c) charmap_size = 0x3174
0xff373a3c: (+0x10) bitmap_size = 0x89f16
0xff373a40: (+0x14) font name = 'HCanonGothic///'
0xff373a50: (+0x24) char_codes[]. 3165 chars
0xff376bc4: (+0x3198) offsets[]. Last offset value = 0x89ee0
0xff379d38: (+0x630c) bitmaps[]
  0xff403c18: (+0x901ec) last bitmap
  +0x00: bitmap width = 28
  +0x02: bitmap height = 28
  +0x04: char width = 36
  +0x06: X offset = 4
  +0x08: Y offset = 16
    bitmap size = 0x70

0xff403c50: FNT
0xff403c54: (+0x04) 0xffd8
0xff403c56: (+0x06) font_width = 40
0xff403c58: (+0x08) charmap_offset = 0x24
0xff403c5c: (+0x0c) charmap_size = 0x188
0xff403c60: (+0x10) bitmap_size = 0x31c4
0xff403c64: (+0x14) font name = 'CanonMonospace'
0xff403c74: (+0x24) char_codes[]. 98 chars
0xff403dfc: (+0x1ac) offsets[]. Last offset value = 0x3142
0xff403f84: (+0x334) bitmaps[]
  0xff4070c6: (+0x3476) last bitmap
  +0x00: bitmap width = 22
  +0x02: bitmap height = 22
  +0x04: char width = 22
  +0x06: X offset = 0
  +0x08: Y offset = 0
    bitmap size = 0x42

0xffb73a2c: FNT
0xffb73a30: (+0x04) 0xffd8
0xffb73a32: (+0x06) font_width = 40
0xffb73a34: (+0x08) charmap_offset = 0x24
0xffb73a38: (+0x0c) charmap_size = 0x3174
0xffb73a3c: (+0x10) bitmap_size = 0x89f16
0xffb73a40: (+0x14) font name = 'HCanonGothic///'
0xffb73a50: (+0x24) char_codes[]. 3165 chars
0xffb76bc4: (+0x3198) offsets[]. Last offset value = 0x89ee0
0xffb79d38: (+0x630c) bitmaps[]
  0xffc03c18: (+0x901ec) last bitmap
  +0x00: bitmap width = 28
  +0x02: bitmap height = 28
  +0x04: char width = 36
  +0x06: X offset = 4
  +0x08: Y offset = 16
    bitmap size = 0x70

0xffc03c50: FNT
0xffc03c54: (+0x04) 0xffd8
0xffc03c56: (+0x06) font_width = 40
0xffc03c58: (+0x08) charmap_offset = 0x24
0xffc03c5c: (+0x0c) charmap_size = 0x188
0xffc03c60: (+0x10) bitmap_size = 0x31c4
0xffc03c64: (+0x14) font name = 'CanonMonospace'
0xffc03c74: (+0x24) char_codes[]. 98 chars
0xffc03dfc: (+0x1ac) offsets[]. Last offset value = 0x3142
0xffc03f84: (+0x334) bitmaps[]
  0xffc070c6: (+0x3476) last bitmap
  +0x00: bitmap width = 22
  +0x02: bitmap height = 22
  +0x04: char width = 22
  +0x06: X offset = 0
  +0x08: Y offset = 0
    bitmap size = 0x42


So now I'm more lost than ever. Where are the character codes, bitmap offset and bitmap data and how did someone come up with values of around 0xF736xxxx?

By the way, here's what find_fnt.py is reporting on the 5D3.134 ROM0.BIN file:

Find bitmap fonts in Canon DSLR firmwares
Arm.Indy. based on work by Pel, Trammel Hudson and A1ex

0xff373a2c: FNT
0xff373a30: (+0x04) 0xffd8
0xff373a32: (+0x06) font_width = 40
0xff373a34: (+0x08) charmap_offset = 0x24
0xff373a38: (+0x0c) charmap_size = 0x3180
0xff373a3c: (+0x10) bitmap_size = 0x8a18c
0xff373a40: (+0x14) font name = 'HCanonGothic///'
0xff373a50: (+0x24) char_codes[]. 3168 chars
0xff376bd0: (+0x31a4) offsets[]. Last offset value = 0x8a156
0xff379d50: (+0x6324) bitmaps[]
  0xff403ea6: (+0x9047a) last bitmap
  +0x00: bitmap width = 28
  +0x02: bitmap height = 28
  +0x04: char width = 36
  +0x06: X offset = 4
  +0x08: Y offset = 16
    bitmap size = 0x70

0xff403edc: FNT
0xff403ee0: (+0x04) 0xffd8
0xff403ee2: (+0x06) font_width = 40
0xff403ee4: (+0x08) charmap_offset = 0x24
0xff403ee8: (+0x0c) charmap_size = 0x188
0xff403eec: (+0x10) bitmap_size = 0x31c4
0xff403ef0: (+0x14) font name = 'CanonMonospace'
0xff403f00: (+0x24) char_codes[]. 98 chars
0xff404088: (+0x1ac) offsets[]. Last offset value = 0x3142
0xff404210: (+0x334) bitmaps[]
  0xff407352: (+0x3476) last bitmap
  +0x00: bitmap width = 22
  +0x02: bitmap height = 22
  +0x04: char width = 22
  +0x06: X offset = 0
  +0x08: Y offset = 0
    bitmap size = 0x42

0xffb73a2c: FNT
0xffb73a30: (+0x04) 0xffd8
0xffb73a32: (+0x06) font_width = 40
0xffb73a34: (+0x08) charmap_offset = 0x24
0xffb73a38: (+0x0c) charmap_size = 0x3180
0xffb73a3c: (+0x10) bitmap_size = 0x8a18c
0xffb73a40: (+0x14) font name = 'HCanonGothic///'
0xffb73a50: (+0x24) char_codes[]. 3168 chars
0xffb76bd0: (+0x31a4) offsets[]. Last offset value = 0x8a156
0xffb79d50: (+0x6324) bitmaps[]
  0xffc03ea6: (+0x9047a) last bitmap
  +0x00: bitmap width = 28
  +0x02: bitmap height = 28
  +0x04: char width = 36
  +0x06: X offset = 4
  +0x08: Y offset = 16
    bitmap size = 0x70

0xffc03edc: FNT
0xffc03ee0: (+0x04) 0xffd8
0xffc03ee2: (+0x06) font_width = 40
0xffc03ee4: (+0x08) charmap_offset = 0x24
0xffc03ee8: (+0x0c) charmap_size = 0x188
0xffc03eec: (+0x10) bitmap_size = 0x31c4
0xffc03ef0: (+0x14) font name = 'CanonMonospace'
0xffc03f00: (+0x24) char_codes[]. 98 chars
0xffc04088: (+0x1ac) offsets[]. Last offset value = 0x3142
0xffc04210: (+0x334) bitmaps[]
  0xffc07352: (+0x3476) last bitmap
  +0x00: bitmap width = 22
  +0x02: bitmap height = 22
  +0x04: char width = 22
  +0x06: X offset = 0
  +0x08: Y offset = 0
    bitmap size = 0x42


So close yet so lost!

a1ex

The key to this mystery is here:

if (len(sys.argv)>2):
  base = int(sys.argv[2], 16)
else:
  base = 0xff010000


Therefore, that script assumes the ROM dump loads at 0xff010000 (this was the main firmware start address for DIGIC 4 models, so in the early days, ROM files were saved from that address).

The second key is:

0xff373a40: (+0x14) font name = 'HCanonGothic///'
0xffb73a40: (+0x14) font name = 'HCanonGothic///'


so ROM0 size is actually 0x800000 = 8MB.

The third key is the ROM layout, also visible in QEMU startup logs:


F0000000 - F0FFFFFF: eos.rom0
F1000000 - F1FFFFFF: eos.rom0_mirror_F1
F2000000 - F2FFFFFF: eos.rom0_mirror_F2
F3000000 - F3FFFFFF: eos.rom0_mirror_F3
F4000000 - F4FFFFFF: eos.rom0_mirror_F4
F5000000 - F5FFFFFF: eos.rom0_mirror_F5
F6000000 - F6FFFFFF: eos.rom0_mirror_F6
F7000000 - F7FFFFFF: eos.rom0_mirror_F7
F8000000 - F8FFFFFF: eos.rom1
F9000000 - F9FFFFFF: eos.rom1_mirror_F9
FA000000 - FAFFFFFF: eos.rom1_mirror_FA
FB000000 - FBFFFFFF: eos.rom1_mirror_FB
FC000000 - FCFFFFFF: eos.rom1_mirror_FC
FD000000 - FDFFFFFF: eos.rom1_mirror_FD
FE000000 - FEFFFFFF: eos.rom1_mirror_FE
FF000000 - FFFFFFFF: eos.rom1_mirror_FF


Therefore, 0xF[0-7][3B]63A50 should all be valid choices for BFNT_CHAR_CODES.
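
The address arithmetic from a1ex's reply above, as an added example that is not part of the original thread or of find_fnt.py: it reads find_fnt.py output lines, infers the ROM0 chip size from the repeated font name, and lists every ROM0 mirror address for a reported value. The function names and the default choice of the F7 window are assumptions; the sample lines are copied from the 5D3.123 output earlier in the thread.

```python
import re

SCRIPT_BASE = 0xFF010000  # load address find_fnt.py assumes by default
ROM0_START = 0xF0000000   # eos.rom0 in the QEMU layout quoted in the thread
ROM0_END = 0xF8000000     # eos.rom1 starts here

# Sample input: lines copied from the 5D3.123 find_fnt.py output in the thread.
SAMPLE = """\
0xff373a40: (+0x14) font name = 'HCanonGothic///'
0xff373a50: (+0x24) char_codes[]. 3165 chars
0xff376bc4: (+0x3198) offsets[]. Last offset value = 0x89ee0
0xff379d38: (+0x630c) bitmaps[]
0xff403c64: (+0x14) font name = 'CanonMonospace'
0xffb73a40: (+0x14) font name = 'HCanonGothic///'
0xffb73a50: (+0x24) char_codes[]. 3165 chars
"""

LINE = re.compile(
    r"^(0x[0-9a-f]+): \(\+0x[0-9a-f]+\) "
    r"(font name = '[^']*'|char_codes|offsets|bitmaps)", re.M)

def parse(text):
    """Return [(field, reported_address)] in output order."""
    return [(m.group(2), int(m.group(1), 16)) for m in LINE.finditer(text)]

def rom_size(fields):
    """Chip size = distance between two sightings of the same font name."""
    seen = {}
    for field, addr in fields:
        if field.startswith("font name"):
            if field in seen:
                return addr - seen[field]
            seen[field] = addr
    raise ValueError("font seen only once; ROM size cannot be inferred")

def mirrors(reported, size, base=SCRIPT_BASE):
    """Every ROM0 address that aliases the byte find_fnt.py reported."""
    offset = (reported - base) % size
    return [start + offset for start in range(ROM0_START, ROM0_END, size)]

def defines(text, window=0xF7000000):
    """First font's three table addresses, placed in one mirror window."""
    fields = parse(text)
    size = rom_size(fields)
    names = {"char_codes": "BFNT_CHAR_CODES", "offsets": "BFNT_BITMAP_OFFSET",
             "bitmaps": "BFNT_BITMAP_DATA"}
    out = {}
    for field, addr in fields:
        if field in names and names[field] not in out:
            out[names[field]] = window + (addr - SCRIPT_BASE) % size
    return out

if __name__ == "__main__":
    for name, addr in defines(SAMPLE).items():
        print("#define %-18s 0x%08X" % (name, addr))
```

Run on the 5D3.123 lines, this reproduces the three `#define` values quoted at the top of the thread.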

dfort

Thanks! Fonts are working.

Keep inching closer.



chris_overseas

This looks promising! Does my old repo containing a 1.3.3 port help with this at all? Last I tried it, the port was running OK though it needed more extensive testing, and there were some flickering menus that I didn't know how to solve:

https://bitbucket.org/chris_miller/magic-lantern/branch/5D3-133
https://bitbucket.org/hudson/magic-lantern/pull-requests/605/support-for-5d3-firmware-133/diff

dfort

Quote from: chris_overseas on February 14, 2017, 09:45:30 PM
This looks promising! Does my old repo containing a 1.3.3 port help with this at all? Last I tried it, the port was running OK though it needed more extensive testing, and there were some flickering menus that I didn't know how to solve:

I looked at that pull request a while back but it says:

Quote: Nothing to merge. The source or destination branch was deleted or these changes already exist in the destination repository.

So I thought it was dead. Looks like I should have looked up your repository because it would have saved me a lot of hours--though it was fun to figure out something this challenging. Been having some issues with running the Stubs API test so I just tried your MALLOC_STRUCT and it worked. The 1.3.3 to 1.3.4 update was a very minor update.

Here's my work in progress. I made a pull request on my repository to see what a "real" pull request would look like and to make notes. Please add any comments you may have.

https://bitbucket.org/daniel_fort/magic-lantern/pull-requests/2/update-to-5d3134-wip/diff

I might test your 5D3.113 version and maybe try out some more of your addresses. Stubs weren't much of a problem but several of those constants have me stumped.