What is the memory layout of DIGIC 4/5 cameras like?

Started by ilia3101, May 24, 2021, 10:29:52 PM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

ilia3101

I see that the cameras have 4GB of address space (32 bit), and that different parts seem to be mapped to different things (?)

The cameras obviously don't have 4GB of ram, only 128mb-1gb.

And I see the graphs here: https://www.magiclantern.fm/forum/index.php?topic=5071.50, is this just for normal RAM/main memory? I see that all of the graphs start at 0x40000000, which is 1GB offset from 0. What about firmware/ROM code, where in memory is that placed and is it in ram, or some special memory? I know it's not a direct mapping to the ROM, as you can't just write to that, but it does get copied to somewhere while the camera runs that isn't main memory??


I am curious to know what address ranges are mapped to what devices, and what can be done with them in terms of read/write/execute.

I could not find anything about this topic as a whole, only little fragments that I can't piece together.

Also what is ROM0 and ROM1 about? Why are they separate and mapped to different addresses... and why is there a 'mirror' double mapping or something

kitor

On D4/D5 roms are at 0xF8000000  and 0xF0000000. They are mirrored multiple times in this range.

You want to take a look at qemu branch, memory maps for almost every camera is there in hardware configuration.
https://foss.heptapod.net/magic-lantern/magic-lantern/-/blob/branch/qemu/contrib/qemu/eos/model_list.c

Not sure if this is the latest one, but it should give you the general idea:)

Canon code copies some chunks of ROM into RAM. You can see this by running qemu with (iirc) -romcpy argument, as it happens during runtime. It will produce a script with dd commands to extract those parts, and log all the target offsets.

QuoteI know it's not a direct mapping to the ROM, as you can't just write to that
Address space is just "address space" Not "memory". Peripherals also live there. Or any memory mapped I/O...

RAM doesn't need to start at 0x0, as well as parts of address space may be executable, parts not, parts be RO, etc.

QuoteAlso what is ROM0 and ROM1 about?
IIRC on D4/D5 ROM1 contains main firmware including bootloader, ROM0 contains some code on some cameras, but it is mostly used for resources. I may be wrong on that.

This is swapped on D7+ (D6+?) where ROM0 contains bootloader and main firmware, and they sit on different addresses.

I think they have different addresses on Powershoots too. What I don't get is how Digic jump to bootloader - as so far I was used to code execution starting from the very top or very bottom of the memory space. With that mapping bootloader is obviously not there. Is it somehow configurable on ARM?
Too many Canon cameras.
If you have a dead R, RP, 250D mainboard (e.g. after camera repair) and want to donate for experiments, I'll cover shipping costs.