[UNMAINTAINED] Canon 100D / SL1

Started by chilimac02, May 20, 2013, 03:47:38 PM

GeramyL

I have decompiled the dump file and got my strings, hex and dis files. Now I'm going to start finding function addresses; if anyone has any information I might need to make this faster, please post.

GeramyL

Okay I will post this,
loc_1137964: ; 2 refs
1137964:    e92d41f0    push   {r4, r5, r6, r7, r8, lr}
1137968:    e1a04000    mov   r4, r0
113796c:    e28f2f53    add   r2, pc, #332   ; 01137ac0: (74696e49)  *"InitializeBitmapDisplayDevice"

Would that make the address for init bitmap display device 113796x or 01137ac0?

dmilligan


GeramyL

So in the case here
loc_10d6348: ; 23 refs
10d6348:    e92d40f8    push   {r3, r4, r5, r6, r7, lr}
10d634c:    e1a05000    mov   r5, r0
10d6350:    e1a06001    mov   r6, r1
10d6354:    e1a04002    mov   r4, r2
10d6358:    e1a03000    mov   r3, r0
10d635c:    e58d1000    str   r1, [sp]
10d6360:    e28f2e16    add   r2, pc, #352   ; 010d64c8: (5f495547)  *"GUI_Control:%d 0x%x"
10d6364:    e3a01003    mov   r1, #3
10d6368:    e3a00085    mov   r0, #133   ; 0x85
10d636c:    eb3cb9c0    bl   loc_2004a74

My GUI_Control address is 10d6348.
I just want to make sure I'm right before I go verifying addresses and changing them.

GeramyL

Well, this is what I have so far!
You can tell all replaced functions because they do not have 0xFF in them; they are 0x10 - 0x13.

http://pastebin.com/eT9xy2z8

nikfreak

Hey GeramyL,

I prepared some stuff for 100D in QEMU weeks ago. Have a look here:
https://bitbucket.org/nikfreak/magic-lantern/src/6dcf49fc0f401247c686945616a8f9ff0e8353fc/platform/unmaintained/100D.100/?at=qemu

If stubs are commented with fnd, it means found (didn't exist before, so newly found).
If stubs are commented with vfd, it means verified (they existed before and I verified them).

No need to reinvent the wheel. The big problem is the boot / GUI hijacking. Surprisingly, 100D doesn't seem to use the hijacking method of 70D / 6D. I may be wrong about that find, but this is where you can try to help.

Regarding the stubs you found: they look wrong to me. I do 95% of my stub identifying process with ARMu. For the rest, see above -> fnd / vfd.
70D.112 & 100D.101

GeramyL

I think I know why my addresses were wrong. I would guess it's because I pulled it off the ROM file and not via the memory of a virtual machine running the dumped ROM.
How would I go about finding the hijacking process? What am I looking for, code- or function-wise?

dmilligan

You've probably loaded the dump to the wrong location. Please see the link I posted.

Quote from: a1ex on June 03, 2014, 02:35:25 PM
2) Disassembling

You can find a ROM dump from your camera under ML/LOGS, on your card. Usually, the one containing code is ROM1 and loads at 0xFF000000. So, run the script with:

perl disassemble.pl 0xFF000000 ROM1.BIN

This script saves two interesting files: ROM1.BIN.strings and ROM1.BIN.dis. For finding stubs, you are interested in the disassembled code, ROM1.BIN.dis. Open that in a text editor.

dmilligan

I don't know how you got that file or how it was generated, but I imagine it's probably just ROM0 + ROM1 together (since you say it's 32MB). So just split it exactly in half and try it on the second half.

GeramyL

I had a 16MB file; that one did work correctly. I was able to match up my findings with nik's and verify them as well to be correct. Some of his findings
do not have labels directly in the method, but they are from a bl within that method with the label, so I'm guessing that I don't know exactly what I'm looking at yet, but I can see it's accurate. Thanks.

I am going to get QEMU on my Debian installation, then get compiling to work, get my toolchain set up correctly, build the ML, run the dump in QEMU and start trying
to figure out where hijacking starts and see if I can figure out the process, lol. Seems all very confusing, but I'm sure I'll get it.

GeramyL

I have been at this for an hour or so, but I can't get this damn thing to compile?

magiclantern@magiclantern-VirtualBox:~/nikfreak/magic-lantern$ make -j4 100D ROMBASEADDR=0xFF0C0000 RESTARTSTART=0x000C5300 AUTOEXEC_BASE=0x40800000 FIR_BASE=0x40800120
make -C  /home/magiclantern/nikfreak/magic-lantern/platform/100D.100
make[1]: Entering directory `/home/magiclantern/nikfreak/magic-lantern/platform/100D.100'
[ VERSION  ]   ../../platform/100D.100/version.bin
[ CPP      ]   magiclantern.lds
cc: error: unrecognized command line option '-mthumb-interwork'
[ AS       ]   entry.o
make[1]: *** [magiclantern.lds] Error 1
make[1]: *** Waiting for unfinished jobs....
../../src/entry.S: Assembler messages:
../../src/entry.S:87: Error: no such instruction: `b copy_and_restart'
make[1]: *** [entry.o] Error 1
make[1]: *** wait: No child processes.  Stop.
make: *** [100D] Error 2

nikfreak

GeramyL, just try it with a simple "make" without adding anything else after it. Don't forget to adjust "makefile.user.default": put 100D in the supported models for testing in that file and check the ARM library paths. In "platform\platform.map", also check the existence of 100D depending on the source you use. If you still get problems, the best thing you can do is to use the prebuilt VM linked on the forums.
70D.112 & 100D.101

MiKe MiKe

Hello programmers,

I am new to this forum and I'm one of the poor EOS 100D/SL1 users who found out that ML is not supported, but really needs RAW video.
I don't know if reading this thread gives me hope or not.

Of course I know that programming a new release for the 100D is not a weekend job, especially if it's on a voluntary basis, but maybe some of the remarkable programmers around here could give a status update on the progress. Is there a chance? Please! Please!


JamesSteele


Quote from: MiKe MiKe on December 07, 2014, 05:52:20 PM
Hello programmers,

I am new to this forum and I'm one of the poor EOS 100D/SL1 users who found out that ML is not supported, but really needs RAW video.
I don't know if reading this thread gives me hope or not.

Of course I know that programming a new release for the 100D is not a weekend job, especially if it's on a voluntary basis, but maybe some of the remarkable programmers around here could give a status update on the progress. Is there a chance? Please! Please!

I have to be honest and wonder if RAW video on cameras like the SL-1 is worth the hassle because models like it and the T5i that can continuously focus during video have the "pink dots" on the RAW footage which looks like a real PITA to have to deal with. :(

Silverleapers

Any news? (sorry, but we hope several people have a serious project started).
650D/KissX6/T4i (japanese version), 100D/SL1 (Canadian version), many canon and some sigma lenses.

Gavin

Hey guys, I recently got the SL1 and know C++. Could I be of any help to this project?

nikfreak

Gavin, I was able to boot it up in QEMU some hours ago. But it needs more adjustments and verifying of constants. Stubs should be fine. You can try to help.

Check this out:
https://bitbucket.org/nikfreak/100d_testing

Use the dumper from this thread posted by a1ex and try to boot it up yourself in QEMU.
70D.112 & 100D.101

nkls

I've managed to get the GUI running in QEMU, and my camera has a different revision of 1.00 than the one you have been working on, nikfreak.

The two revisions (or are there more?) of the 100D 1.00 seem to have everything the same in RAM, i.e. relocated functions and static stuff are at the same addresses, but the RAM_OFFSET is different. Functions in ROM are shuffled around, though. Any thoughts on how we are to distinguish between the different 1.00s?
100D.100A

nikfreak

As far as I know there's only 1.00 available yet. So regarding RAM_OFFSET you should double check "/src/qemu-helper.c". For QEMU it needs to be defined there, too.
70D.112 & 100D.101

nkls

There are actually two different firmwares with version number 1.00 around, it's been mentioned here and in fw-signature.h in the repo.

The MD5s of my ROMs are:

46226ec402c825a4796212e84e53846d  D100-ROM0.bin
489543fee0032a6e657005971c567903  D100-ROM1.bin

and I suspect that at least your checksum of ROM1.bin is different than mine.

Regarding the ROM_OFFSET, in firmware_entry I have:

ROM:FF0C0098                 LDR     R0, =sub_FFA9970C
ROM:FF0C009C                 LDR     R1, =assert     ; 0x1900
ROM:FF0C00A0                 LDR     R3, =unk_87690
ROM:FF0C00A4
ROM:FF0C00A4 loc_FF0C00A4                            ; CODE XREF: firmware_entry+B0
ROM:FF0C00A4                 CMP     R1, R3          ; Copy initial RAM
ROM:FF0C00A4                                         ; 0x1900-0x87690
ROM:FF0C00A8                 LDRCC   R2, [R0],#4
ROM:FF0C00AC                 STRCC   R2, [R1],#4
ROM:FF0C00B0                 BCC     loc_FF0C00A4
ROM:FF0C00B4                 LDR     R1, =0xC52E8
ROM:FF0C00B8                 MOV     R2, #0

so I have to use
#define RAM_OFFSET (0xFFA9970C - 0x1900)
to get the qemu specific things running.

Also, my signature in fw-signature.h evaluates to 0x2EBD343C even without QEMU, so to get signature checking to work I have to redefine SIG_100D_100.

Since the ML GUI is running in QEMU with these changes and all debug messages show up in the console, I'm quite sure that they are correct.
100D.100A
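As an added example (not code from the thread or from the Magic Lantern project), the following Python derives RAM_OFFSET from the firmware_entry copy loop nkls quoted and maps an address back to where its bytes live in ROM1; it also rebases an offset from a combined dump disassembled at base 0 (GeramyL's 0x1137964-style addresses) under dmilligan's assumption that such a 32MB file is ROM0 followed by ROM1. The disassembly text is a constructed sample modelled on the post, and the function names are mine.

```python
import re

# Constructed sample, modelled on the firmware_entry lines quoted above: the three
# LDRs that set up the ROM->RAM copy loop (source pointer, destination, end).
FIRMWARE_ENTRY = """\
ROM:FF0C0098                 LDR     R0, =sub_FFA9970C
ROM:FF0C009C                 LDR     R1, =assert     ; 0x1900
ROM:FF0C00A0                 LDR     R3, =unk_87690
"""

ROM1_BASE = 0xFF000000               # ROM1 load address (per a1ex's quoted note)
ROM1_FILE_OFFSET = 16 * 1024 * 1024  # assumption: a 32MB dump is ROM0 then ROM1

_LDR = re.compile(r"LDR\s+(R\d+),\s*=(\S+)(?:\s*;\s*(0x[0-9A-Fa-f]+))?")

def parse_copy_loop(listing):
    """Return (rom_src, ram_dst, ram_end) from the copy-loop setup LDRs. IDA-style
    names carry the address as a hex suffix; a named value such as 'assert' is
    resolved from the trailing '; 0x1900' comment instead."""
    regs = {}
    for line in listing.splitlines():
        m = _LDR.search(line)
        if not m:
            continue
        reg, sym, comment = m.groups()
        suffix = re.search(r"_([0-9A-Fa-f]+)$", sym)
        if suffix:
            regs[reg] = int(suffix.group(1), 16)
        elif comment:
            regs[reg] = int(comment, 16)
    return regs["R0"], regs["R1"], regs["R3"]

def ram_offset(listing):
    """RAM_OFFSET as nkls defines it: ROM source minus RAM destination."""
    rom_src, ram_dst, _ = parse_copy_loop(listing)
    return rom_src - ram_dst

def rom_address(addr, listing):
    """Copied-RAM addresses shift by RAM_OFFSET; ROM addresses pass through."""
    rom_src, ram_dst, ram_end = parse_copy_loop(listing)
    if ram_dst <= addr < ram_end:
        return addr + (rom_src - ram_dst)
    if ROM1_BASE <= addr <= 0xFFFFFFFF:
        return addr
    raise ValueError(f"0x{addr:08X} is outside ROM1 and the copied RAM window")

def rebase_combined_dump(file_offset):
    """Offset in a ROM0+ROM1 file disassembled at base 0 -> real ROM1 address."""
    if file_offset < ROM1_FILE_OFFSET:
        raise ValueError("offset lies in ROM0, not ROM1")
    return file_offset - ROM1_FILE_OFFSET + ROM1_BASE
```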

nikfreak

Wow, I didn't even know that different dumps exist. Yours might of course be the right one, but at least you got it booting up, too.
70D.112 & 100D.101

nkls

Yeah, Canon made it hard for us on this one. Since there is no way to switch from one 1.00 to the other I guess we have to maintain two versions until Canon releases a firmware update.

Anyhow, if the code runs in QEMU, would it run on the camera as well? Since there are stubs missing and constants are wrong it would barely be functional, but would the ML menu show up if I compiled it and loaded it onto the camera?
100D.100A

nkls

So it seems like the two versions of firmware 1.00 can be differentiated by their "ICU Firmware Version", one is 3.4.3 and one is 3.4.7.

I've pushed the stubs.S I've been working on to this repo, it also describes how you can determine what ICU version a dump has.
100D.100A

YoungPup

Bump. Do you guys think this ML will ever come out? I'm going to be getting a Canon in February, and if I can get the T5i at a decent price, I'll get that. But if I can't, I'll probably have to go with the 100D, and it would really suck if I couldn't get ML on it :/

JamesSteele

Definitely watch the Canon online store. They sell Refurbs and I scored a refurbed T5i with the 18-55mm STM lens for $441 + tax. Keep an eye on the site and check it frequently for sales.