Magic Lantern Forum

Magic Lantern Releases => Camera-specific discussion => Topic started by: feedrail on June 12, 2017, 07:05:50 AM

Title: Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)
Post by: feedrail on June 12, 2017, 07:05:50 AM
I've used ML on my t2i for years and loved it, now I want to do my part and bring ML to my t7i. Point me in the right direction and a few do's and don'ts and I'll do whatever I can. I had some coding years ago vb+, c++, java. I don't know if that will be any use but I'm willing and want to try.

(was: Newbie Here wantingg to help on 800d)
Title: Re: DIGIC 7 development (200D/SL2, 800D/T7i, 77D, 6D2)
Post by: a1ex on June 12, 2017, 10:40:26 AM
A few days ago I tried to find the LED address on a 77D (also digic 7), on IRC, without success. If you want to try the same steps, just get in touch with me.

The good news is that we can run code on the camera. The next step would be to produce some sort of side effects (such as LED blinks, or even variations in power consumption, that can be noticed with a multimeter).

What we know about D7 can be found on the EOS M5 (https://chdk.setepontos.com/index.php?topic=13014.0) thread, but that model runs PowerShot firmware. It's very likely a dual-core Cortex A9, with MMU, and runs Thumb-2 code (therefore, we might have some luck matching code patterns from some D6 models).

Caching issues (not yet solved on D6) are probably similar (that is, once it's solved for one model, it will very likely apply to all others).
Title: Re: Newbie Here wantingg to help on 800d
Post by: GabrielJLozano on September 08, 2017, 07:59:13 AM
So I tried looking all over the forums and the only information I could find about anyone even remotely talking about working on the t7i is this thread. Is anyone trying to port it at all? I'd love to help as well so long as someone points me in the right direction.
Title: Re: Newbie Here wantingg to help on 800d
Post by: Walter Schulz on September 08, 2017, 09:24:38 AM
Read the post above yours.
Title: Re: Newbie Here wantingg to help on 800d
Post by: a1ex on September 08, 2017, 09:47:36 AM
Some of the easier things you can do to help, in order of increasing difficulty:

- wait for a firmware update
- open your camera and take high-resolution pictures of the mainboard
- hook a multimeter / Arduino / oscilloscope / whatever to an external power supply (see above)
- find some UART (https://www.magiclantern.fm/forum/index.php?topic=7531) or JTAG (https://nada-labs.net/2014/finding-jtag-on-a-canon-elph100hs-ixus115/) port and attempt to communicate with it
- read the Cortex A9 manuals and the PowerShot ROM dumps (CHDK forum), then suggest things to try running on the camera, in order to get any kind of side effects (LED blinks, display activity, writing to SD, variations in power draw)

If you want to run your own code on the camera, I recommend starting from either recovery or digic6-dumper branches. However, you'll need to sign the code, and the tools for doing that are not public, but I can help with that - just drop me a PM.

Good luck!
Title: Canon T7I/800D
Post by: A8M on December 03, 2017, 02:40:09 AM
Okay.  Just got off the phone with Canon.  No good news.  According to their techs, the company has NO PLANS to release a firmware update for this model until 2019!!!  Could be a lie, but if it is, the company's personnel told it.  Sucks to be us I guess as the new kids on the block.

Having said that, is it still possible to go forward and try to figure out a ML for this model?  I'm somewhat skeptical it will happen since the T6i hasn't had any good luck thus far, along with other models that have been out there on the block longer than this one with the newer chipsets.  Al3x has already said he isn't going to invest the time/energy into building newer model MLs from scratch leaving the burden on others, but most of us are just not coders/assemblers/hackers like that.  At most I think you have more script kiddies at the site's disposal than actual hardcore coders that know enough C++, Python, or Linux enough to be viable.  If I had 2 of these I'd be willing to try, but with only one as my daily driver for projects I can't afford a brick tinkering with it.   

I've trolled a little bit in the forums trying to see if there were any people actively figuring this out and so far there hasn't been a lot of discussion threads about the 800D.  But from what I've seen this is all I've been able to answer:
1.  Chipset is Digic7.  Haven't found on the forums yet whether or not there is a specific dumper for this digic, as what digic6 has.
2.  Can't open the camera to take pics of the hardware; don't have the right bits for these screws and that's sad considering I tried 25 different pieces.
3.  Don't have a multimeter / Arduino / oscilloscope / whatever to hook to an external power supply.
4.  JTAG port can't say yay or nay because of #2.
Title: ML for Canon 200D / SL2
Post by: TheCallumP on December 29, 2017, 12:52:09 AM
Is there a version of ML that can be used with this camera? I bought this camera for content creation not realising that it doesn't offer a clean HDMI output ('clean' in the respect that it hides all of the on-screen information). I literally have everything set up, but could not for the life of me figure out a way to hide the on-screen information...until I found Magic Lantern. Sadly, I've found that my camera is not supported.

Are there any plans to support this camera, or is there a version that I can use that will work with my 200D? Sorry if either of these are dumb questions, I'm completely new to this and am grasping at straws here.

Many thanks.
Title: Re: ML for Canon 200D / SL2
Post by: Walter Schulz on December 29, 2017, 05:28:21 PM
Short A: No.

Long A:
There is no such thing as project management, masterplan, schedule in ML development. If someone takes up the task of porting a cam it's a start. But again: That's not a promise you will see a port going "full ML" at a given time or at all.
At time of writing there are serious efforts to port ML to cams housing Digic 6 processors. But 200D doesn't run on Digic 6 but Digic 7. And porting ML to an unknown processor generation is a very hard task to master.
And dev time is sparse. Devs made it pretty clear they will help in development for new ports but do not have the time to maintain newer cams. Each and every cam needs a maintainer for long time support.


My general advice: If there is no ML port for your cam act like there will be no ML for your cam ever.

Or you have a spare dev at hand: Skilled in embedded devices (preferably ARM architecture), assembler and C programming. And some time to waste.
Title: Re: ML for Canon 200D / SL2
Post by: TheCallumP on December 29, 2017, 05:52:21 PM
Thank you for taking the time to respond, I appreciate it. Bummer, but totally understandable. 

Are there any alternatives to ML that I may be unaware of? Literally all I'm looking for is a way to turn off the on-screen overlay entirely.
Title: Re: ML for Canon 200D / SL2
Post by: dfort on December 30, 2017, 01:28:52 AM
This is the least expensive of the Digic 7 DSLRs.

Would asking for a ROM dumper be unreasonable? Maybe Digic 7 code isn't all that different from Digic 6?
Title: Re: ML for Canon 200D / SL2
Post by: a1ex on December 30, 2017, 01:37:13 AM
Answered at http://www.magiclantern.fm/forum/index.php?topic=19737.
Title: Re: ML for Canon 200D / SL2
Post by: deathline on January 16, 2018, 10:38:03 PM
Answered at http://www.magiclantern.fm/forum/index.php?topic=19737.

Canon released a firmware update for EOS 200D but Firload can't decrypt it. Is another solution available?

http://gdlp01.c-wss.com/gds/8/0400003508/01/v101-sl2-200d-x9-win.zip
Title: Re: DIGIC 7 development (200D/SL2, 800D/T7i, 77D, 6D2)
Post by: a1ex on January 20, 2018, 12:27:49 AM
Dual-core Cortex A9 (just like M5). The firmware is still based on the EOS codebase and doesn't look too different from DIGIC 6.

Main firmware: 0xE0040000, starts as Thumb, entry point code different from D6.
Bootloader: no idea what it looks like, we'll need to run some code blindly until we manage to dump its contents.
MPU (http://www.magiclantern.fm/forum/index.php?topic=17596.0) (microcontroller) present (similar to other EOS models, same interrupts as D6, didn't look further).
MMU (memory mapping unit) present (likely configured in the same way as M5).
All previous Canon models use a MPU - memory protection unit (not to be confused with the microcontroller with the same name). D7 uses a MMU instead.
Interrupt system: same as D6.
Some DryOS tasks are starting with single-core emulation (unlike 7D/7D2), even with this (incomplete) ROM.
The DryOS shell works out of the box!

Code:
K417 READY
K417 ICU Firmware Version 1.0.1 ( 5.0.2 )
ICU Release DateTime 2017.09.21 12:53:23

Open Console K417[1]>...

Dry[MusaPUX]> ?
[Kern]
 extask  memmap  meminfo  mkcfg  dminfo  exobjinfo  stdlibcfg  efatcfg
 sysvers  xd  xm  prio  resume  suspend  release  sem  mutex  event  mq  exit

Dry[MusaPUX]> sysvers
SystemIF 0.88
DRYOS version 2.3, release #0059+p4
 MACH 0.83+p1

WLAN led at 0xD2080190: 0x20D0002 (on), 0x20C0003 (off)
Could not find the SD card led yet.

There are many early tests I can run with the above knowledge, on any DIGIC 7 model:
- blink the LED
- identify the SD card LED (we did that on DIGIC 6)
- dump the bootloader using CHDK soundcard method (requires extra hardware)
- attempt to jump to main firmware (assuming it's the same as D6)

Ready to try?
Title: Re: DIGIC 7 development (200D/SL2, 800D/T7i, 77D, 6D2)
Post by: a1ex on January 20, 2018, 10:43:18 AM
6D Mark II also has a firmware update available (just noticed it):

Code:
K406 READY
K406 ICU Firmware Version 1.0.3 ( 6.4.4 )
ICU Release DateTime 2017.08.28 12:49:25

Dry[MusaPUX]> sysvers
SystemIF 0.88
DRYOS version 2.3, release #0059+p4
 MACH 0.83+p1

WLAN led not found (does it have one?)
Title: Re: DIGIC 7 development (200D/SL2, 800D/T7i, 77D, 6D2)
Post by: grtor on January 24, 2018, 08:01:17 PM
No, the 6dii doesn't have a WLAN led only an SD card led
Title: Re: DIGIC 7 development (200D/SL2, 800D/T7i, 77D, 6D2)
Post by: a1ex on February 25, 2018, 10:52:59 AM
Tried scanning 0xD2080000 - 0xD2081FFC and 0xD2080000 - 0xD20BFFFC on a 77D, with led_on = 0x20D0002 and led_off = 0x20C0003 (based on the above info). No success.

Would be helpful (for all D7 models) if a 200D owner would be willing to run the LED blinking test, since it's the only model with a known LED address.
Title: Re: DIGIC 7 development (200D/SL2, 800D/T7i, 77D, 6D2)
Post by: deathline on February 26, 2018, 05:01:05 PM
Tried scanning 0xD2080000 - 0xD2081FFC and 0xD2080000 - 0xD20BFFFC on a 77D, with led_on = 0x20D0002 and led_off = 0x20C0003 (based on the above info). No success.

Would be helpful (for all D7 models) if a 200D owner would be willing to run the LED blinking test, since it's the only model with a known LED address.

Is this https://www.magiclantern.fm/forum/index.php?topic=2296.0 a generic one?
Title: Re: DIGIC 7 development (200D/SL2, 800D/T7i, 77D, 6D2)
Post by: a1ex on February 26, 2018, 07:02:27 PM
No, it would be a FIR crafted specifically for this camera (I can create one on request).

Source: https://bitbucket.org/hudson/magic-lantern/src/digic6-dumper/src/reboot-dumper.c
Title: Re: DIGIC 7 development (200D/SL2, 800D/T7i, 77D, 6D2)
Post by: gunny2k6 on March 08, 2018, 08:27:15 PM
Interesting topic to read. ML is already maybe possible on DIGIC 7... traded my 450D for a 77D and wasn't even thinking of asking about ML running on it at all, as the work on the DIGIC 6 is still ongoing
Title: Re: DIGIC 7 development (200D/SL2, 800D/T7i, 77D, 6D2)
Post by: deathline on April 03, 2018, 03:57:00 PM
No, it would be a FIR crafted specifically for this camera (I can create one on request).

Source: https://bitbucket.org/hudson/magic-lantern/src/digic6-dumper/src/reboot-dumper.c

Hi Alex, you can send me the blink test for EOS 200D, I will try it :)
Title: Re: DIGIC 7 development (200D/SL2, 800D/T7i, 77D, 6D2)
Post by: DieHertz on April 12, 2018, 01:37:27 PM
I have a 6D2, is there anything I could help with without taking the camera apart? :-)
Title: Re: ML for Canon 200D / SL2
Post by: topit1972 on April 20, 2018, 11:14:44 AM
Wish I had researched my camera, 200D, prior to buying.  This 29min is a real pain as I record and manage a band.  I had a Sony HVR 5ZE Pro cam, but having to use MiniDV tapes was a pain, so thought I'd go digital not knowing the 29min cap!

Pity there isn't a generic one for 200D

Is there a version of ML that can be used with this camera? I bought this camera for content creation not realising that it doesn't offer a clean HDMI output ('clean' in the respect that it hides all of the on-screen information). I literally have everything set up, but could not for the life of me figure out a way to hide the on-screen information...until I found Magic Lantern. Sadly, I've found that my camera is not supported.

Are there any plans to support this camera, or is there a version that I can use that will work with my 200D? Sorry if either of these are dumb questions, I'm completely new to this and am grasping at straws here.

Many thanks.
Title: Re: DIGIC 7 development (200D/SL2, 800D/T7i, 77D, 6D2)
Post by: a1ex on April 20, 2018, 12:07:22 PM
200D LED blinking test didn't work, but here's a small detail I've overlooked: bootloader seems to load external code as Thumb (as opposed to ARM on DIGIC 6 and earlier). [ edit: confirmed, IT WORKS! ]

6D2: not much luck finding the LED address, but found out this (https://www.magiclantern.fm/forum/index.php?topic=21981) instead.

@ all DIGIC 7 EOS owners (800D, 77D, 6D2): let's retry the LED brute-forcing test (PM me if you don't mind running some blind code that pokes some GPIOs hoping to find the right one).

Source code for previous experiments committed to the digic6-dumper (https://bitbucket.org/hudson/magic-lantern/branch/digic6-dumper) branch.



Next step is to dump the bootloader with one of these methods:
- CHDK soundcard method (http://chdk.wikia.com/wiki/Obtaining_a_firmware_dump#Using_soundcard_input) (phototransistor connected to PC soundcard input)
- a photodiode/phototransistor connected to an Arduino board or similar.

Please PM me once you have the hardware ready.
Title: Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)
Post by: a1ex on April 21, 2018, 12:21:43 PM
77D: LED address identified (https://bitbucket.org/hudson/magic-lantern/commits/8c068b8ff7cf0d0c9d217696dc5520db9bb4b110), thanks @alpha232 8)

Blinking pattern:

(https://a1ex.magiclantern.fm/bleeding-edge/77D/image.png)

Wide black bar = 1, narrow black bar = 0, pattern repeats 3 times. Scan range started at 0xD2080000, 32-bit aligned addresses only => 77D LED address is 0xD2080000 + 0b00001011011 * 4 = 0xD208016C.

Background (https://www.magiclantern.fm/forum/index.php?topic=17848.msg172321#msg172321) info (https://www.magiclantern.fm/forum/index.php?topic=16052.msg168592#msg168592).

Next step: please see previous post.



Edit: the EOS M50 appears to run EOS firmware (https://bitbucket.org/hudson/magic-lantern/commits/f6e763a002080605887dcc4a5c882b626fe97553) (other recent models, i.e. M3, M5, M6, M10 and M100, are based on PowerShot firmware). Looking for a volunteer to try the LED blinking test on this camera, too :)
Title: Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)
Post by: dfort on April 21, 2018, 04:20:27 PM
Edit: the EOS M50 appears to run EOS firmware (https://bitbucket.org/hudson/magic-lantern/commits/f6e763a002080605887dcc4a5c882b626fe97553) (other recent models, i.e. M3, M5, M6, M10 and M100, are based on PowerShot firmware). Looking for a volunteer to try the LED blinking test on this camera, too :)

+1
Title: Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)
Post by: a1ex on April 24, 2018, 10:28:49 AM
Portable ROM dumpers (https://www.magiclantern.fm/forum/index.php?topic=16534) ready 8)

77D_DUMP.FIR (https://a1ex.magiclantern.fm/bleeding-edge/77D/77D_DUMP.FIR) (confirmed by alpha232)
200DDUMP.FIR (https://a1ex.magiclantern.fm/bleeding-edge/200D/200DDUMP.FIR) (confirmed by deathline)
6D2_DUMP.FIR (https://a1ex.magiclantern.fm/bleeding-edge/6D2/6D2_DUMP.FIR) (confirmed by DieHertz)
800DDUMP.FIR (https://a1ex.magiclantern.fm/bleeding-edge/800D/800DDUMP.FIR) (confirmed by ids1024)
M50_DUMP.FIR (need a second volunteer who has either another camera to film the display, or a phototransistor connected to soundcard/arduino/whatever)

Emulation coming soon.
Title: Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)
Post by: DieHertz on April 24, 2018, 10:39:33 AM
So I don't need my STM32 Discovery and phototransistors anymore? :-( :-D
Title: Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)
Post by: a1ex on April 24, 2018, 10:45:12 AM
Hehe... the other testers were quicker :D

Still need that hardware setup for M50. Or maybe for initial debugging, as all these recent cameras are dual-core.

Decoding LED blinks may also be possible with a camera that has automatic LCD brightness (5D3, 5D2, 7D) and already runs ML (I can look into it if needed).
Title: Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)
Post by: deathline on April 24, 2018, 04:27:56 PM
So I don't need my STM32 Discovery and phototransistors anymore? :-( :-D


Is there any working project file code?
Title: Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)
Post by: DieHertz on April 24, 2018, 09:58:21 PM
I have found a 2GiB SD card, formatted it via my 6D2 (low-level format), then dd-ed 256 MB filesystem .img over it, and copied 6D2_DUMP.FIR into SD root.
Then put the SD card into camera, turned it on, screen lit up as usual, I let it sit for a minute and then turned camera off, opened SD card bay and after 10 seconds ejected it.
There are no new files on the SD card following this procedure, did I miss something?
Title: Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)
Post by: Walter Schulz on April 24, 2018, 10:03:05 PM
You have to "load" FIR file using Firmware Update in Canon menu!
Title: Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)
Post by: DieHertz on April 24, 2018, 10:05:38 PM

(https://thumb.ibb.co/huLePH/IMG_20180424_230954_HDR.jpg) (https://ibb.co/huLePH)
Oh indeed, I forgot this is the firmware update file format.
Thank you!

Battery taken out, can I put it back now? :)
Title: Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)
Post by: alpha232 on April 27, 2018, 07:27:42 AM
I'm getting all antsy for something else to test :D

Much thanks to poor a1ex for his tolerating my odd schedule.
Title: Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)
Post by: DieHertz on April 28, 2018, 08:03:14 AM
LED number on 6d2 appears to be 0x5b.
Speaker/beeper is a bit weird, the second least significant bit seems to have some echo which makes it hard to distinguish whether it's 1 or 0, there seem to be 3 clicks per just two edges. It's either 0x40, 0x42, or both.
Maybe that explains why there are 3 clicks, rising edges coincide, while falling edges are spread apart as one of them is longer than the other.
https://youtu.be/MFp3pxfomGM

Result:
SD LED: 0xD208016C
Speaker 1: 0xD2080100
Speaker 2: 0xD2080108

P.S. 77D looks similar :)
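
The decoding arithmetic used in the two posts above (bar widths to index, index to register address), written out as an added example that is not part of the original posts or of the Magic Lantern sources. The bar widths are constructed, the MSB-first bit order and the width threshold are assumptions, and the 11-bit index width is derived from the smaller scan range quoted earlier in the thread (it matches the 11 binary digits in the 77D post).

```python
"""Decode a brute-force LED scan recording into a register address.

Added illustration: function names and the sample measurements are constructed.
"""

SCAN_BASE = 0xD2080000   # start of the scan range quoted in the thread
SCAN_LAST = 0xD2081FFC   # end of the smaller scan range quoted in the thread
REPEATS = 3              # "pattern repeats 3 times"


def index_bits(base=SCAN_BASE, last=SCAN_LAST):
    """Bits needed to number every 32-bit aligned address in the range."""
    slots = (last - base) // 4 + 1
    return (slots - 1).bit_length()


def classify(widths):
    """Wide black bar = 1, narrow black bar = 0.

    Assumption: the cut is the midpoint between the narrowest and widest bar,
    and a recording whose bars are all alike is rejected instead of guessed.
    """
    lo, hi = min(widths), max(widths)
    if hi < 1.5 * lo:
        raise ValueError("bars are all of similar width; cannot tell 0 from 1")
    cut = (lo + hi) / 2
    return [1 if w > cut else 0 for w in widths]


def decode(widths, nbits=None, repeats=REPEATS):
    """Return (index, disputed_bit_positions) from the measured bar widths.

    The pattern is sent `repeats` times; each bit is decided by majority vote
    and positions where the copies disagree are reported for a manual recheck.
    Assumption: bars are read in order, most significant bit first.
    """
    nbits = index_bits() if nbits is None else nbits
    if len(widths) != nbits * repeats:
        raise ValueError(f"expected {nbits * repeats} bars, got {len(widths)}")
    bits = classify(widths)
    copies = [bits[i * nbits:(i + 1) * nbits] for i in range(repeats)]
    voted, disputed = [], []
    for pos, column in enumerate(zip(*copies)):
        ones = sum(column)
        voted.append(1 if 2 * ones > repeats else 0)
        if 0 < ones < repeats:
            disputed.append(pos)
    index = int("".join(str(b) for b in voted), 2)
    return index, disputed


def address(index, base=SCAN_BASE, last=SCAN_LAST):
    """Only 32-bit aligned addresses are scanned, so address = base + 4 * index."""
    addr = base + 4 * index
    if not base <= addr <= last:
        raise ValueError(f"index {index:#x} falls outside the scanned range")
    return addr


# Constructed measurements (bar widths in pixels) for three copies of the
# 77D pattern 0b00001011011; one bar in the second copy is misread as narrow.
SAMPLE_WIDTHS = [
    8, 9, 8, 7, 25, 8, 24, 23, 9, 24, 25,
    9, 8, 8, 8, 24, 9, 23, 10, 8, 25, 24,
    8, 8, 9, 8, 23, 8, 25, 24, 8, 23, 24,
]

if __name__ == "__main__":
    idx, disputed = decode(SAMPLE_WIDTHS)
    print(f"index {idx:#x}, address {address(idx):#010X}, disputed bits {disputed}")
    # The 6D2 speaker numbers from the post map to addresses the same way.
    for number in (0x40, 0x42):
        print(f"number {number:#x} -> {address(number):#010X}")
```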
Title: Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)
Post by: a1ex on April 28, 2018, 10:28:42 AM
Let's try to get some CPU info (http://www.magiclantern.fm/forum/index.php?topic=17714.0):

CPUI_6D2.FIR (https://a1ex.magiclantern.fm/bleeding-edge/6D2/CPUI_6D2.FIR)

(other D7 models on request)
Title: Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)
Post by: DieHertz on April 28, 2018, 09:18:42 PM
a1ex, here's the CPU info from 6D2.
Maybe it could be easier if it wrote output to SD card, taking these photos was far from easy :-)

(https://thumb.ibb.co/dGc1Tc/IMG_20180428_221221_HDR.jpg) (https://ibb.co/dGc1Tc)

(https://thumb.ibb.co/gBmH1x/IMG_20180428_221224_HDR.jpg) (https://ibb.co/gBmH1x)

(https://thumb.ibb.co/griaoc/IMG_20180428_221228_HDR.jpg) (https://ibb.co/griaoc)

(https://thumb.ibb.co/fqWT8c/IMG_20180428_221110_HDR.jpg) (https://ibb.co/fqWT8c)


I wonder what is the level8 cache it mentions
Title: Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)
Post by: a1ex on April 30, 2018, 09:51:12 AM
Emulation (https://bitbucket.org/hudson/magic-lantern/commits/a20c79bcfe12867a2d62fc50e2fe628fa16f9200) ready (https://builds.magiclantern.fm/jenkins/view/QEMU/job/QEMU-tests/331/console) 8)

(https://a1ex.magiclantern.fm/bleeding-edge/qemu/77D.png)

Please refer to README.rst (https://bitbucket.org/hudson/magic-lantern/src/qemu/contrib/qemu/README.rst), HACKING.rst (https://bitbucket.org/hudson/magic-lantern/src/qemu/contrib/qemu/HACKING.rst), the sticky tweet (https://twitter.com/autoexec_bin/status/913530810686418944) and the 80D (https://www.magiclantern.fm/forum/index.php?topic=17360.msg194898#msg194898)/750D (https://www.magiclantern.fm/forum/index.php?topic=17627.msg190275#msg190275) threads to get started.

Code:
./run_canon_fw.sh 77D -d debugmsg -s -S & arm-none-eabi-gdb -x 77D/debugmsg.gdb

<<<<< Musa(PU0) Boot Ver 0.21 >>>>>
BootLoader
K408 READY
K408 ICU Firmware Version 1.0.2 ( 7.3.6 )
ICU Release DateTime 2017.02.23 14:49:29
...
[SD] Name: QEMU! Size: 247(7bc00)
...
[STARTUP] ERROR WaitPU1 TimeOut
...

Next steps:
- attempt to jump to main firmware (will it work? we've got two CPUs)
- enable the boot flag (might be risky, we will reflash a small part of the ROM)
- port ML startup process (likely similar to 80D)
- run the proof of concept code from 80D thread (logging, photo capture etc)
- figure out how to print things on the screen
- start porting ML!

More about the bootflag:
- recovery branch (https://bitbucket.org/hudson/magic-lantern/branch/recovery) with CONFIG_BOOT_BOOTFLAG=y (https://bitbucket.org/hudson/magic-lantern/commits/2ed80d7cebcf7039652db278b2e4be362f34763d)
- doesn't work yet; stub autodetection routines have to be updated for Thumb (they were written for DIGIC 6 (https://www.magiclantern.fm/forum/index.php?topic=17360.msg189584#msg189584))
- the risk is more about bugs or other unexpected behavior in Canon bootloader (unlikely)
- this will let you compile ML (in these early stages) and run test code on your camera.

Have fun!

P.S. just got a cool feature request - audio output to Bluetooth headphones. Not tempting enough for me to get another camera, but if any of you is willing to look into it, I'll be here to help (at least with the reverse engineering side).
Title: Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)
Post by: deathline on May 01, 2018, 03:13:12 PM
P.S. just got a cool feature request - audio output to Bluetooth headphones. Not tempting enough for me to get another camera, but if any of you is willing to look into it, I'll be here to help (at least with the reverse engineering side).

Are you sure digic7 cameras have hardware support for Bluetooth 4.0 BR/EDR? 200D Canon firmware supports only Bluetooth Low Energy and there is no profile for audio headsets. But I've found a Low Energy supported HID profile gamepad for playing Mario :D
Title: Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)
Post by: DieHertz on May 01, 2018, 09:11:02 PM
Great job Alex, I guess now is the case for us, owners of 6d2 and other DIGIC 7 cameras, to continue the effort :-)
Title: Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)
Post by: a1ex on May 01, 2018, 09:23:27 PM
You still need my help to enable the boot flag, but at least you can now debug your binaries in QEMU.

Good news - we were able to jump to main firmware without any special tricks! (confirmed by both DieHertz and deathline). In reboot-dumper.c from the digic6-dumper branch, run this:

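Code:
/* Bit 0 of the address is set, so the call enters the main firmware (0xE0040000) in Thumb state. */
void(*firmware_start)(void) = (void*) 0xE0040001;
firmware_start();

/* Not reached if the main firmware takes over. */
while(1);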

That means, one can already start to port the 80D boot process (minimal.c) and debug it in QEMU. Same for the DIGIC 6 boot flag enabling code (recovery branch).

DIGIC 6 cameras require a special trick to jump to main firmware (poking register 0xD20C0084 on single-core D6). This was not needed for DIGIC 7.

Feel free to play around with the virtual machine and report your findings.
Title: Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)
Post by: DieHertz on May 01, 2018, 10:23:18 PM
I'm sure we'll need your help for much more than that :-)
Title: Re: Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)
Post by: DieHertz on May 03, 2018, 04:19:35 PM
I think it fails earlier, unless "irregular TotalSheets 0" is a known and insignificant error message.
6D2 seems to wait for startup config to finish, last flag `0x40000` isn't cleared for a couple of minutes
Title: Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)
Post by: DieHertz on May 03, 2018, 09:43:44 PM
Is it safe to assume that most of these messages are errors?
(https://thumb.ibb.co/bXJ9PS/Screen_Shot_2018_05_03_at_22_43_16.png) (https://ibb.co/bXJ9PS)
Title: Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)
Post by: a1ex on May 04, 2018, 11:09:24 AM
The TotalSheets and EstimatedSize errors are likely caused by wrong / incomplete MPU messages (these will have to be logged from a real camera); the WaitPU1 error is probably what's blocking right now. It appears to wait at a semaphore.

200D:

startupPrepareCapture -> take_semaphore(PU1Wait_sem, 2000) -> DebugMsg("WaitPU1 TimeOut") if failed.
This semaphore (PU1Wait) is created right after launching TaskMain (E00413E6).
The function that gives this semaphore is E0040220 -> E004053C, referenced at:
Code:
  call 0xE0426000(e0040221, 0, 0, 1000)                                          at [init:e00402dd:e004029d]
That's something named init1 / init_task1. It does a bunch of initialization, then calls give_semaphore(PU1Wait_send) at the end.
It also appears to initialize Omar (a small secondary core likely used to offload some image processing tasks).

So, one puzzle is to debug this init_task1 to see where it locks up / why it doesn't finish / whether it's starting at all.
Title: Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)
Post by: BHybes on May 04, 2018, 12:40:26 PM
I ran the FIR file as an update on my 800D and only got this from it:
(https://thumb.ibb.co/iHGnDn/20180504_113428.jpg) (https://ibb.co/iHGnDn)
Title: Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)
Post by: a1ex on May 04, 2018, 01:06:08 PM
One of the ROMs is very slow, so it takes a while. Updated the binaries to skip that step.

@ 200D/6D2/77D owners: please check whether the new dumpers are still working (same link, top of the page).
Title: Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)
Post by: DieHertz on May 04, 2018, 03:17:21 PM
I'm still figuring my way through radare2, ARM console, and probably something else. Having no IDA complicates it a bit, reading raw undecorated ASM in GDB is too hardcore for now :)
Will try the new dumper tonight
Title: Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)
Post by: a1ex on May 04, 2018, 06:12:14 PM
Radare2 should be the most promising one; I doubt you'll get anything useful from ARM-console on Thumb.

I find GDB useful not for step-by-step debugging (I find that too slow, and IDA crashes very often, so it doesn't help that much), but with:
- watch *0x1234 (to tell what code writes to that memory address)
- custom logging hooks (to tell when a particular sequence of code executes, and with what arguments / return values / etc)

Most of the time, I use various logging options from qemu -d (many of them are custom logging code, not found in vanilla QEMU), possibly coupled with small GDB scripts (see e.g. generic_log) and grep. The most useful ones: I/O trace with interrupts (-d debugmsg,io,int), call trace (-d calls,tail), RAM trace (-d ram, with variations, or temporary edits to source code to define filters if grep is too slow).

Back to our issue. From what I could tell, the second core (CPU1) gets stuck waiting for interrupt 0xA, early in the boot process; see the EOS M5 notes about GIC.

Code:
; 77D
ROM:E0007752  BL      gicc_setup   ; writes to 0xC1000100 and 104
ROM:E0007756  MOV     R0, #0xA
ROM:E000775E  BL      wait_some_interrupt   ; calls WFI in a loop until it gets the expected interrupt

I believe these are meant to generate a software interrupt for CPU1 (77D):
Code:
[CPU0] [GICD]   at Startup:E0152F04:E0092855 [0xC1001F00] <- 0x2000A   : ???
[CPU0] [GICD]    at RscMgr:E0152F04:E0092855 [0xC1001F00] <- 0x2000A   : ???
[CPU0] [GICD]    at RscMgr:E0152F04:000350BF [0xC1001F00] <- 0x2000C   : ???

See arm_gic_architecture_specification.pdf, 4.3.15 Software Generated Interrupt Register GICD_SGIR: lowest hex digit is the interrupt ID, and the 0x2 is CPUTargetList (second CPU).

We've got some generic GIC emulation code in QEMU (intc/arm_gic.c); would be great if that can be reused.
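
The GICD_SGIR decoding described in the post above, applied to the three logged writes, as an added example that is not part of the original post or of the QEMU sources. The field layout follows section 4.3.15 of the GIC architecture specification; the distributor base 0xC1001000 is inferred from the logged register address (GICD_SGIR sits at distributor offset 0xF00), and the two-CPU count and all function names are assumptions.

```python
"""Decode GICD_SGIR writes from the I/O trace quoted in the post."""
import re
from typing import NamedTuple

GICD_BASE = 0xC1001000          # assumption: 0xC1001F00 minus the SGIR offset
GICD_SGIR = GICD_BASE + 0xF00   # Software Generated Interrupt Register
NUM_CPUS = 2                    # assumption: dual-core, per the thread

# The three trace lines from the post (77D).
LOG = """\
[CPU0] [GICD]   at Startup:E0152F04:E0092855 [0xC1001F00] <- 0x2000A   : ???
[CPU0] [GICD]    at RscMgr:E0152F04:E0092855 [0xC1001F00] <- 0x2000A   : ???
[CPU0] [GICD]    at RscMgr:E0152F04:000350BF [0xC1001F00] <- 0x2000C   : ???
"""

LINE = re.compile(
    r"\[CPU(\d)\] \[GICD\]\s+at (\w+):\w+:\w+ "
    r"\[0x([0-9A-Fa-f]+)\] <- 0x([0-9A-Fa-f]+)"
)


class Sgi(NamedTuple):
    sender: int          # CPU that wrote the register
    task: str            # DryOS task name from the trace
    intid: int           # SGIINTID, bits [3:0]
    targets: frozenset   # CPUs that receive the interrupt


def decode_sgir(value, sender, num_cpus=NUM_CPUS):
    """Split a GICD_SGIR value into (interrupt ID, set of target CPUs)."""
    target_filter = (value >> 24) & 0x3   # TargetListFilter, bits [25:24]
    target_list = (value >> 16) & 0xFF    # CPUTargetList, bits [23:16]
    intid = value & 0xF                   # SGIINTID, bits [3:0]
    everyone = set(range(num_cpus))
    if target_filter == 0:                # use CPUTargetList as a bitmask
        targets = {cpu for cpu in everyone if (target_list >> cpu) & 1}
    elif target_filter == 1:              # all CPUs except the requester
        targets = everyone - {sender}
    elif target_filter == 2:              # only the requesting CPU
        targets = {sender}
    else:
        raise ValueError("TargetListFilter 0b11 is reserved")
    return intid, frozenset(targets)


def parse(log):
    """Return one Sgi per trace line that writes to GICD_SGIR."""
    found = []
    for line in log.splitlines():
        match = LINE.search(line)
        if not match or int(match.group(3), 16) != GICD_SGIR:
            continue
        sender = int(match.group(1))
        intid, targets = decode_sgir(int(match.group(4), 16), sender)
        found.append(Sgi(sender, match.group(2), intid, targets))
    return found


def wakes(sgis, cpu=1, intid=0xA):
    """Writes that deliver the interrupt the second core is waiting for."""
    return [s for s in sgis if cpu in s.targets and s.intid == intid]


if __name__ == "__main__":
    for sgi in parse(LOG):
        print(f"CPU{sgi.sender} {sgi.task}: SGI {sgi.intid:#x} -> "
              f"CPUs {sorted(sgi.targets)}")
    print("candidates for the 0xA wait:", [s.task for s in wakes(parse(LOG))])
```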
Title: Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)
Post by: t3r4n on May 04, 2018, 07:03:03 PM
I'm still figuring my way through radare2,

well maybe I've got something
try adapting the following to your specific camera layout
Code:
# Show comments at right of disassembly if they fit in screen
e asm.cmtright=true

# Shows pseudocode in disassembly. Eg mov eax, str.ok = > eax = str.ok
e asm.pseudo = true
# (Show ESIL instead of mnemonic)
# e asm.esil = true

# Selected: asm.describe (Show opcode description)
e asm.describe = false

#asm.emu (Run ESIL emulation analysis on disasm)
e asm.emu = true

# Solarized theme
eco solarized

# Use UTF-8 to show cool arrows
e scr.utf8 = true
e scr.utf8.curvy=true

# set arch and cpu type
e io.va = true
e asm.arch = arm
e asm.bits = 16
e asm.cpu=cortex
# anal.armthumb (aae computes arm/thumb changes (lot of false positives ahead))
e anal.armthumb=true

# initialize esil vm
#e esil.stack.addr = 0x20000000
#e esil.stack.size = 0x000f0000

e asm.section.sub = true
e io.va=true

#S ${esil.stack.addr} ${esil.stack.addr} ${esil.stack.size} ${esil.stack.size} ram mrwx

#00000000 - 00003FFF: eos.tcm_code
S 0x0000000 0x00000000 0x3fff 0x3fff tcmcode mrwx

#00004000 - 1FFFFFFF: eos.ram
S 0x00004000 0x00004000 0x1FFFBFFF 0x1FFFBFFF  eosram mrw-

#40000000 - 40003FFF: eos.ram_uncached0
S 0x40000000 0x40000000 0x3fff 0x3FFF  eosramuncached0 mrw-

#40004000 - 5FFFFFFF: eos.ram_uncached
S 0x40004000 0x40004000 0x1FFFBFFF 0x1FFFBFFF  eosramuncached mrw-

#80000000 - 8000FFFF: eos.tcm_data
S 0x80000000 0x80000000 0xffff 0xffff tcmram mrw-

#BFE00000 - BFFFFFFF: eos.ram_extra
S 0xBFE00000 0xBFE00000 0x1fffff 0x1fffff  eosramextra mrw-

#C0000000 - DFFFFFFF: eos.iomem
S 0xc0000000 0xc0000000 0x1fffffff 0x1fffffff  eosiomem mrw-


#FC000000 - FDFFFFFF: eos.rom1
#FE000000 - FFFFFFFF: eos.rom1_mirror
S 0xfc000000 0xfc000000 0x1fffffff 0x1fffffff  eosrom1 mr-x
S 0xfe000000 0xfe000000 0x1fffffff 0x1fffffff  eosrom1m mr-x

aa
aaa
aae
e anal.hasnext = true
# e io.sectonly = true
e search.in = io.sections.exec
#aac
dbe 0xFE020000

(taken from https://vimeo.com/211371081 and adapted to 750D)
then leave this open in a text editor
start qemu .... -S -s  and  radare with :
Code:
r2 -aarm -b16 -d gdb://localhost:1234
paste the commands above into radare (loading as a startup script does not seem to work with gdb option)
hit vv and start debugging.


Title: Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)
Post by: DieHertz on May 04, 2018, 09:06:04 PM
New ROM dumper on 6D2 works as intended, got different hashes, but I suppose it's because of change of settings since last dump?
@t3r4n you should consider moving these into ~/.radare2rc and not fiddle with text files and open editors :-)
Title: Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)
Post by: BHybes on May 05, 2018, 10:35:42 AM
800D Rom Dump didn't work, got stuck at ROM0
Title: Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)
Post by: a1ex on May 05, 2018, 11:06:42 AM
From the post with download links -> click on first link:

Requirements:
- a very small SD card or filesystem (important!)
- [...]

Formatting a larger card at a much lower capacity (e.g. 256MB) does the trick. For example, you can write the SD image that comes with QEMU (https://bitbucket.org/hudson/magic-lantern/src/qemu/contrib/qemu/sd.img.xz) to your SD or CF card (follow this guide (https://thepihut.com/blogs/raspberry-pi-tutorials/17789160-backing-up-and-restoring-your-raspberry-pis-sd-card)).
Title: Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)
Post by: deathline on May 05, 2018, 08:11:24 PM
One of the ROMs is very slow, so it takes a while. Updated the binaries to skip that step.

@ 200D/6D2/77D owners: please check whether the new dumpers are still working (same link, top of the page).

New dumper starts to work immediately; rom1.bin is identical to the previous files, rom0.bin has slight differences, which have been seen in all rom0.bin files. It looks like a block-shifting flaw causing newlines. And you know where to find ;)
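Added example (not part of the original posts or of the Magic Lantern tools): one way to examine the ROM0 differences reported above is to hash several dumps of the same ROM and list the byte ranges where each differs from the first. A few short ranges point to an area that changes between runs, while long or widespread ranges point to a problem with the dump itself. The function names and the sample data are constructed for illustration.

```python
import hashlib
import sys

BLOCK = 4096  # compare block-wise first so multi-megabyte dumps stay fast

def diff_ranges(a, b, gap=16):
    """Byte ranges [start, end) where a and b differ; differences separated
    by fewer than `gap` matching bytes are merged into one range."""
    common = min(len(a), len(b))
    ranges = []
    for base in range(0, common, BLOCK):
        blk_a, blk_b = a[base:base + BLOCK], b[base:base + BLOCK]
        if blk_a == blk_b:
            continue
        for i, (x, y) in enumerate(zip(blk_a, blk_b)):
            if x != y:
                pos = base + i
                if ranges and pos - ranges[-1][1] < gap:
                    ranges[-1][1] = pos + 1
                else:
                    ranges.append([pos, pos + 1])
    if len(a) != len(b):  # a truncated dump is a finding in itself
        ranges.append([common, max(len(a), len(b))])
    return [tuple(r) for r in ranges]

def compare_dumps(dumps):
    """{label: bytes} -> {label: (md5_hex, ranges vs. the first entry)}."""
    ref = next(iter(dumps.values()))
    return {label: (hashlib.md5(data).hexdigest(), diff_ranges(ref, data))
            for label, data in dumps.items()}

def constructed_dumps():
    """Constructed sample: three 32 KiB 'dumps' with a small changing area."""
    run1 = bytearray(b"\xff" * 0x1000 + b"SETTINGS" + b"\xff" * 0x6ff8)
    run2 = bytearray(run1)
    run2[0x1004:0x1006] = b"\x01\x02"
    run3 = bytearray(run1)
    run3[0x1004] = 0x03
    run3[0x6000:0x6004] = bytes(4)
    return {"run1": bytes(run1), "run2": bytes(run2), "run3": bytes(run3)}

if __name__ == "__main__":
    paths = sys.argv[1:]  # e.g. ROM0 copies saved from separate dumper runs
    dumps = {p: open(p, "rb").read() for p in paths} if len(paths) > 1 else constructed_dumps()
    for label, (md5, ranges) in compare_dumps(dumps).items():
        changed = sum(end - start for start, end in ranges)
        print(f"{label}: md5={md5} differing_bytes={changed}")
        for start, end in ranges[:20]:
            print(f"    0x{start:08x}-0x{end - 1:08x} ({end - start} bytes)")
```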
Title: Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)
Post by: ids1024 on May 10, 2018, 08:53:02 PM
The 800D ROM dumper seems to work, though it took me a while to figure out how to create a fatfs smaller than the card. "strings ROM0.BIN" and "strings ROM1.BIN" confirm they aren't just nonsense (I'm not sure what else to check).
Title: Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)
Post by: acarboni on May 22, 2018, 05:40:24 PM
Hi! I've got an M50, a second camera, and I went out and bought a couple low-capacity SD cards. I'd love to help out with the blinking led test. Do I just use the standard one from the diagnostic tools thread (http://a1ex.magiclantern.fm/blink/autoexec.bin)? Does anyone have a link to instructions/materials that I might've missed to help me through the process?
Title: Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)
Post by: lovefilm on June 03, 2018, 10:46:06 PM
Portable ROM dumpers (https://www.magiclantern.fm/forum/index.php?topic=16534) ready 8)

M50_DUMP.FIR (need a second volunteer who has either another camera to film the display, or a phototransistor connected to soundcard/arduino/whatever)

Emulation coming soon.

Hello a1ex!

Also got a M50 and a 2nd camera, would be happy to help as well.

Since the M50 is running EOS firmware, would that mean it's easier to port Magic Lantern to it? :)
Title: Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)
Post by: a1ex on June 04, 2018, 04:19:01 PM
I went out and bought a couple low-capacity SD cards.

Really? You only need a small filesystem; card size doesn't matter. You can run the test on 128GB cards just as easy as on a 2GB card (in other words, both of them will have to be formatted at a smaller capacity anyway).

LED blinking FIR sent via PM.
Title: Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)
Post by: lovefilm on June 04, 2018, 11:04:07 PM
LED blinking FIR sent via PM.

Trying to get it working on my M50,

I used dd to write the QEMU image suggested in here https://www.magiclantern.fm/forum/index.php?topic=16534.0 to my SD-Card, this is how it looks now:
Code: [Select]
[email protected]:/home/freezer/Canon# fdisk -l /dev/sdd
Disk /dev/sdd: 59,5 GiB, 63864569856 bytes, 124735488 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x00000000

Device     Boot Start    End Sectors   Size Id Type
/dev/sdd1          99 506879  506781 247,5M  6 FAT16

And the file-structure within the FAT16:

Code: [Select]
[email protected]:/media/freezer/EOS_DIGITAL# find .
.
./autoexec.bin
./LEDIDM50.FIR
./DCIM
./DCIM/autoexec.bin
./DCIM/LEDIDM50.FIR
./DCIM/100CANON
./DCIM/EOSMISC
./MISC

filesizes:
-rw-r--r-- 1 freezer freezer   604 Jun  4 19:16 LEDIDM50.FIR
-rw-r--r-- 1 freezer freezer 25312 Jun  4 20:07 autoexec.bin

I used the autoexec.bin from the Portable ROM-Dumper thread above and the .FIR provided. Copied them to both / and /DCIM

However nothing really seems to happen when turning it on with the SD-Card inserted. As far as I understand the .FIR file is to enable the boot-flag in the Canon Firmware, is there anything special needed to do to apply it?


Thanks!
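Added example (not from the thread or the Magic Lantern tools): a check of the card's partition table before running the test, decoding sector 0 into the same start, sector count and type fields that the fdisk listing above shows. The 256 MiB limit is an assumption taken from the "e.g. 256MB" suggestion earlier in the thread; the function names and the sample sector are constructed. A card with no partition table (filesystem starting at sector 0) is not handled.

```python
import struct
import sys

SECTOR = 512
PART_TYPES = {0x01: "FAT12", 0x04: "FAT16 (<32M)", 0x06: "FAT16",
              0x0B: "FAT32", 0x0C: "FAT32 (LBA)", 0x0E: "FAT16 (LBA)"}

def parse_mbr(sector0):
    """Decode the four primary partition entries of a DOS/MBR sector."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("sector 0 has no 0x55AA boot signature")
    parts = []
    for n in range(4):
        entry = 446 + 16 * n                      # table starts at byte 446
        ptype = sector0[entry + 4]
        start, count = struct.unpack_from("<II", sector0, entry + 8)
        if ptype and count:                       # skip unused slots
            parts.append({"index": n + 1, "type": ptype,
                          "name": PART_TYPES.get(ptype, "other"),
                          "start": start, "sectors": count,
                          "mib": count * SECTOR / 2**20})
    return parts

def oversized_partitions(sector0, max_mib=256):
    """Partitions larger than max_mib (an assumed limit, not a documented one)."""
    return [p for p in parse_mbr(sector0) if p["mib"] > max_mib]

def constructed_mbr(ptype, start, sectors):
    """Constructed sample sector: one partition entry, zeroed boot code."""
    entry = struct.pack("<B3sB3sII", 0, bytes(3), ptype, bytes(3), start, sectors)
    return bytes(446) + entry + bytes(48) + b"\x55\xaa"

if __name__ == "__main__":
    if len(sys.argv) > 1:      # a block device or image file, read-only
        with open(sys.argv[1], "rb") as dev:
            sector0 = dev.read(SECTOR)
    else:                      # values from the fdisk listing in the post
        sector0 = constructed_mbr(0x06, 99, 506781)
    for p in parse_mbr(sector0):
        print(f"p{p['index']}: {p['name']} start={p['start']} "
              f"sectors={p['sectors']} size={p['mib']:.1f} MiB")
    too_big = oversized_partitions(sector0)
    print("too large:", [p["index"] for p in too_big] if too_big else "none")
```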

Title: Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)
Post by: ArcziPL on June 04, 2018, 11:28:58 PM
Run "firmware update" from the original menu.
Title: Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)
Post by: lovefilm on June 04, 2018, 11:48:06 PM
Run "firmware update" from the original menu.

Can't find any option to update firmware in the original menu.

EOS Utility seems to have an option for Firmware Update, not sure if that would work? Don't have a Windows installation right now.
Title: Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)
Post by: ArcziPL on June 05, 2018, 08:06:09 AM
You have to be in one of the following modes: M/Av/Tv/P. The camera manual describes it for sure. And don't use EOS Utility for that.
Title: Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)
Post by: Walter Schulz on June 05, 2018, 08:58:52 AM
Page 299 of your manual contains a screenshot showing firmware information. Highlight/select this item and open sub-menu to access firmware update option.
@ArcziPL: Nope, Canon don't bother users with this kind of geeky stuff ...
Title: Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)
Post by: lovefilm on June 05, 2018, 09:15:16 AM
Thanks,
got it now.

However when I confirm "Update firmware" with OK, the LCD screen goes black immediately with no LED blinking or anything else happening.
Have to remove the battery to revive it.
Title: Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)
Post by: ldevulder on June 10, 2018, 05:23:09 PM
Hi all,

I've got a M50 and another camera (6D). I'm ready to help any developer to port ML on this camera.

I didn't find the FIR file to perform the LED blinking test on the M50.
Title: Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)
Post by: dfort on June 11, 2018, 10:00:32 PM
I didn't find the FIR file to perform the LED blinking test on the M50.

You need to get it from a1ex via PM.

Also read over posts from lovefilm because he tried running the M50 LED blinking test.
Title: Re: Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)
Post by: overVolt on June 13, 2018, 05:38:31 PM
I have a 77d, some sort of programming skills and I'm ready to help in any way needed (if needed).

I just need to NOT brick my camera because I use it every day for work and have no other camera :)
Title: Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)
Post by: CanonPrimoz on June 14, 2018, 06:29:51 PM
Hi!
I just got new 6D2 and I'm ready to help... I have some coding skills with C and C++
Title: Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)
Post by: Rubsstar on June 27, 2018, 03:30:50 PM
Hi, I want to have Magic Lantern on my Canon 200D camera. I have already installed this FIR document. Then he says that I have to put out my battery and restart my camera. If I do that he does nothing... Is that right?

Portable ROM dumpers (https://www.magiclantern.fm/forum/index.php?topic=16534) ready 8)

77D_DUMP.FIR (https://a1ex.magiclantern.fm/bleeding-edge/77D/77D_DUMP.FIR) (confirmed by alpha232)
200DDUMP.FIR (https://a1ex.magiclantern.fm/bleeding-edge/200D/200DDUMP.FIR) (confirmed by deathline)
6D2_DUMP.FIR (https://a1ex.magiclantern.fm/bleeding-edge/6D2/6D2_DUMP.FIR) (confirmed by DieHertz)
800DDUMP.FIR (https://a1ex.magiclantern.fm/bleeding-edge/800D/800DDUMP.FIR) (confirmed by ids1024)
M50_DUMP.FIR (need a second volunteer who has either another camera to film the display, or a phototransistor connected to soundcard/arduino/whatever)

Emulation coming soon.
Title: Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)
Post by: kotik on July 12, 2018, 03:41:14 PM
Firmware update 6D200104.FIR is released.
Title: Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)
Post by: a1ex on July 12, 2018, 04:02:55 PM
Previous dumper should work; feel free to double-check the stubs (https://bitbucket.org/hudson/magic-lantern/src/qemu/contrib/qemu/scripts/6D2/debugmsg.gdb).
Title: Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)
Post by: kotik on July 12, 2018, 05:15:47 PM
Can confirm that 6D2_DUMP.FIR is still working on 6D2 1.0.4.
https://ibb.co/hBUQK8

Did 3 runs, MD5 of ROM0 is inconsistent, ROM1 is even.

Did run: ./run_canon_fw.sh 6D2 -d debugmsg
FileMerge detected 69 differences between 6D2.103 and 6D2.104, all memory address related.

Tried: ./run_canon_fw.sh 6D2 -d debugmsg -s -S & arm-none-eabi-gdb -x 6D2/debugmsg.gdb
but the iMac terminal complained: -bash: arm-none-eabi-gdb: command not found.

There seems to be a Homebrew problem not installing arm-none-eabi-gdb.
Found a script to fix that, but that didn't work!

Installed arm-none-eabi-gdb with Homebrew, now I get the following error.

Python Exception <type 'exceptions.ImportError'> No module named gdb:
warning:
Could not load the Python gdb module from `/Users/ibush/bin/arm-none-eabi/share/gdb/python'.
Limited Python support is available from the _gdb module.
Suggest passing --data-directory=/path/to/gdb/data-directory.

How can I fix this? Start all over again?   :o