Magic Lantern Forum

Developing Magic Lantern => Reverse Engineering => Topic started by: nikfreak on March 09, 2016, 08:02:54 PM

Title: JTAG / UART & more
Post by: nikfreak on March 09, 2016, 08:02:54 PM
Hi everybody,

I've been playing around with Espressif's ESP-modules lately for some private projects.

OT-OT:
I can recommend NodeMCU (http://en.wikipedia.org/wiki/NodeMCU)
...

Guess who's actually playing with it (https://twitter.com/qrs/status/706552734170935296)  :P

Anyways I just ordered a Bus Pirate V3.6 (http://dangerousprototypes.com/docs/Bus_Pirate).
My goal is to JTAG our EOS cams. A big package of older cams, mainly EOS 10D, 20D, 30D, 40D, 50D, 1000D and 650D, should arrive in the next weeks at my door (thanks @Dayton) and I am going to start getting familiar with dismantling them. Main focus will be JTAG for 50D and 650D and I hope to get access to the bootloader / kernel in some way to get more insights into the cams. There's UART, so there must be a bootloader, too. This may become useful for Linux development in some way. Maybe we can get U-Boot ported to our cams, or I am going to fail right at the beginning, who knows? Will keep this post updated from time to time but don't expect miracles anytime soon. I am just going to replicate this tutorial (http://nada-labs.net/2014/finding-jtag-on-a-canon-elph100hs-ixus115/) on EOS DSLRs and with some luck and hope there will be results to report and try on Digic6 cameras   ;D.
Title: Re: JTAG / UART & more
Post by: Danne on March 09, 2016, 08:16:33 PM
Oh, this is hardcore stuff. I will definitely follow this with great interest. And thanks for the great work on porting cams already. Beautiful work.
Title: Re: JTAG / UART & more
Post by: DeafEyeJedi on March 10, 2016, 03:53:30 AM
I am so high reading your post @nikfreak and flying with massive hopes on this wonderful project of yours!
Title: Re: JTAG / UART & more
Post by: eduperez on March 10, 2016, 11:35:56 PM
You might want to contact member 0xAF (http://www.magiclantern.fm/forum/index.php?action=profile;u=157) in this forum: if I remember correctly, he already worked on JTAG with the 400D.
Title: Re: JTAG / UART & more
Post by: g3gg0 on March 12, 2016, 01:59:07 AM
yeah, the ESP8266 is nice (http://www.g3gg0.de/wordpress/uncategorized/esp8266-xmas-tree-lights/, https://www.youtube.com/watch?v=ea7AFVHCEq0)  ;)
Title: Re: JTAG / UART & more
Post by: nikfreak on March 15, 2016, 04:44:23 PM
@g3gg0 and @a1ex. Got a screenshot of EOSM's flash chip, Winbond 25Q64 (8MB or 32MB?).

https://drive.google.com/file/d/0B9Mu66yg5QzRRlctYkNKbktyaGM/view?usp=sharing

I should be able to read it out if used in other cams too, but can't judge atm what it will contain. Only firmware or maybe more? While still waiting for delivery I wanted to ask if someone already tried to backup the flash, or can I skip this step as we are already able to dump the whole chip contents (ROM0/1.BIN)?
Title: Re: JTAG / UART & more
Post by: a1ex on March 15, 2016, 06:21:25 PM
To my knowledge, ROM0/1.BIN are the complete chip contents.

Knowing the chip could be interesting in understanding how to emulate it (for reflashing), for example.

Since you are interested in UART, here's a trick: returning from autoexec.bin will bring a bootloader menu via UART (visible in QEMU as well). IIRC g3gg0 already tried this menu in his emulator (TriX).
Title: Re: JTAG / UART & more
Post by: Maqs on April 01, 2016, 10:47:17 AM
Quote from: nikfreak on March 15, 2016, 04:44:23 PM
@g3gg0 and @a1ex. Got a screenshot of EOSM's flash chip, Winbond 25Q64 (8MB or 32MB?).

https://drive.google.com/file/d/0B9Mu66yg5QzRRlctYkNKbktyaGM/view?usp=sharing

I should be able to read it out if used in other cams too, but can't judge atm what it will contain. Only firmware or maybe more? While still waiting for delivery I wanted to ask if someone already tried to backup the flash, or can I skip this step as we are already able to dump the whole chip contents (ROM0/1.BIN)?

25Q64 has 64 megabits, so 8 MB.
Title: Re: JTAG / UART & more
Post by: rbrune on April 04, 2016, 09:50:10 AM
The Bus Pirate is a fine little device.

Here is me dumping some flash memory with it: https://twitter.com/_deeperblue/status/466329008746266624

As a1ex said, the flash will likely just be 1:1 the content of the ROM0/1.BIN dump files. But if you're able to read/write the flash with the chip still on the camera board (like I did in the photo - but sometimes that doesn't work due to the board layout and how power is distributed), that would open up a great way to reanimate bricked cameras. Same is true if you get JTAG working. Also, the Bus Pirate together with flashrom should autodetect the flash chip/type - if that doesn't happen there's probably a wiring issue and/or reading/writing the chip in place doesn't work due to the board layout and its voltage distribution.
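Before relying on an in-circuit dump (for example one produced by flashrom's `-r` with the `buspirate_spi` programmer, as rbrune describes) it helps to check it against the ROM0/1.BIN files a1ex mentions. The script below is an added example and is not code from this thread or from the Magic Lantern project; the chip size, ROM sizes and layout it uses are constructed for the demonstration, not the real Canon layout. It flags the two failure modes that a bad in-place read typically shows (a blank dump where MISO is stuck high or low, and a dump that repeats with a power-of-two period when an address line or clock is not driven properly) and then locates each ROM image inside the dump so you can see whether the flash really is a 1:1 copy and how many bytes are left over.

```python
"""Sanity-check an SPI flash dump against ROM images dumped from the running camera.

Added example (not from the Magic Lantern project). The sizes below are
constructed: a 1 MiB "chip" holding two 256 KiB images, not a real EOS layout.
"""
import hashlib
import random
from typing import Dict, List, Optional


def is_blank(data: bytes) -> bool:
    """All 0xFF (erased, or MISO stuck high) or all 0x00 (MISO stuck low)."""
    return data == b"\xff" * len(data) or data == b"\x00" * len(data)


def aliasing_period(data: bytes) -> Optional[int]:
    """Smallest power-of-two period p < len(data) with data[i] == data[i+p] for all i.

    A genuine image never repeats like this; a stuck address line or bad wiring
    often makes the same block appear 2, 4, 8 ... times across the dump.
    """
    n = len(data)
    p = 1
    while p < n:
        if data[p:] == data[:n - p]:
            return p
        p *= 2
    return None


def find_image(dump: bytes, image: bytes) -> List[int]:
    """Every offset at which `image` occurs verbatim in `dump` (overlaps allowed)."""
    hits: List[int] = []
    if not image:
        return hits
    start = 0
    while (i := dump.find(image, start)) != -1:
        hits.append(i)
        start = i + 1
    return hits


def check_dump(dump: bytes, roms: Dict[str, bytes]) -> dict:
    """Report blank/aliased dumps, where each ROM file lands, and uncovered bytes."""
    report = {
        "size": len(dump),
        "sha256": hashlib.sha256(dump).hexdigest(),
        "blank": is_blank(dump),
        "aliasing_period": None,
        "images": {},
        "uncovered_bytes": len(dump),
    }
    if report["blank"]:
        return report  # nothing else is meaningful for an all-FF/all-00 read
    report["aliasing_period"] = aliasing_period(dump)
    covered = bytearray(len(dump))  # 1 = byte belongs to some located image
    for name, img in roms.items():
        hits = find_image(dump, img)
        report["images"][name] = hits
        for off in hits:
            covered[off:off + len(img)] = b"\x01" * len(img)
    report["uncovered_bytes"] = len(dump) - sum(covered)
    return report


# --- constructed sample data (deterministic, stands in for real dump files) ---
CHIP_SIZE = 1 << 20           # constructed: 1 MiB chip
ROM_SIZE = 256 * 1024         # constructed: two 256 KiB images
_rng = random.Random(2016)
ROMS = {"ROM0.BIN": _rng.randbytes(ROM_SIZE), "ROM1.BIN": _rng.randbytes(ROM_SIZE)}


def good_dump() -> bytes:
    """Chip laid out as ROM0, ROM1, then erased (0xFF) space up to the chip size."""
    body = ROMS["ROM0.BIN"] + ROMS["ROM1.BIN"]
    return body + b"\xff" * (CHIP_SIZE - len(body))


def aliased_dump() -> bytes:
    """What a read with a stuck address line looks like: ROM0 repeated 4 times."""
    return ROMS["ROM0.BIN"] * (CHIP_SIZE // ROM_SIZE)


if __name__ == "__main__":
    for label, d in (("good", good_dump()), ("aliased", aliased_dump()),
                     ("blank", b"\xff" * CHIP_SIZE)):
        r = check_dump(d, ROMS)
        print(label, {k: v for k, v in r.items() if k != "sha256"})
```

On a real dump you would replace the constructed `ROMS` and `good_dump()` with `open("dump.bin", "rb").read()` and the ROM0/ROM1 files from the camera; an `aliasing_period` that is not `None`, or a `blank` dump, points at the wiring or in-circuit power problem rbrune describes rather than at the chip's real contents, and a large `uncovered_bytes` count is the signal that the flash holds more than the ROM dumps.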
Title: Re: JTAG / UART & more
Post by: Maqs on April 07, 2016, 10:02:58 PM
See also https://www.flashrom.org/ISP (some hints for ISP).