Magic Lantern Forum

Developing Magic Lantern => Reverse Engineering => Topic started by: coutts on August 13, 2012, 07:24:08 PM

Title: How the bootloader boots FIR or AUTOEXEC.BIN files
Post by: coutts on August 13, 2012, 07:24:08 PM
I was tracing back the 5dc bootloader when I thought I should start making some notes of how it boots things.

The code that actually starts the firmware can be found at FFFF36EC

The flush_caches__start_firmware function is at  FFFFE358

So, working backwards... jump_to_firmware is called in 3 different spots. Arg0 is the name of the file that the bootloader has loaded / is going to jump into, so it could either be the FIR filename or it will be AUTOEXEC.BIN. Arg1 is the actual address it is going to jump to. This address is determined by load_file_to_execute (FFFF4388), which is the function that I believe copies the file into RAM at 0x800000.

The 3 spots where jump_to_firmware is called give somewhat of a clue as to what it is booting:
- one passes arg0 as AUTOEXEC.BIN
- one passes arg0 as an inputted filename (probably used for debug purposes by Canon)
- one passes arg0 as the return of sub_FFFF46B8. An initial look at this indicates maybe this is an auto-calculated FIR filename, used with the flasher during a normal firmware update procedure.
So, it appears it goes like this:
- load_file_to_execute is called with arg0 as the filename to load into memory. arg1 to this function is some variable (stack variable) to hold a return value. This return value is the link address of the file being loaded into memory. It has 2 options: it will either be 0x800000 or 0x10800000. Not sure yet what this caching bit of 0x10000000 means.
- jump_to_firmware is called with arg0 as the filename being executed and arg1 as the load address of that file.

Title: Re: How the bootloader boots FIR or AUTOEXEC.BIN files
Post by: nanomad on August 13, 2012, 08:12:09 PM
I've deleted the images as they contain Canon code (even if disassembled).

Title: Re: How the bootloader boots FIR or AUTOEXEC.BIN files
Post by: jplxpto on August 13, 2012, 08:58:06 PM
Quote from: coutts on August 13, 2012, 07:24:08 PM
I was tracing back the 5dc bootloader when I thought I should start making some notes of how it boots things.

The code that actually starts the firmware can be found at FFFF36EC

The flush_caches__start_firmware function is at  FFFFE358

So, working backwards... jump_to_firmware is called in 3 different spots. Arg0 is the name of the file that the bootloader has loaded / is going to jump into, so it could either be the FIR filename or it will be AUTOEXEC.BIN. Arg1 is the actual address it is going to jump to. This address is determined by load_file_to_execute (FFFF4388), which is the function that I believe copies the file into RAM at 0x800000.

The 3 spots where jump_to_firmware is called give somewhat of a clue as to what it is booting:
- one passes arg0 as AUTOEXEC.BIN
- one passes arg0 as an inputted filename (probably used for debug purposes by Canon)
- one passes arg0 as the return of sub_FFFF46B8. An initial look at this indicates maybe this is an auto-calculated FIR filename, used with the flasher during a normal firmware update procedure.
So, it appears it goes like this:
- load_file_to_execute is called with arg0 as the filename to load into memory. arg1 to this function is some variable (stack variable) to hold a return value. This return value is the link address of the file being loaded into memory. It has 2 options: it will either be 0x800000 or 0x10800000. Not sure yet what this caching bit of 0x10000000 means.
- jump_to_firmware is called with arg0 as the filename being executed and arg1 as the load address of that file.

Again, thank you for your explanations!
I like how you share your knowledge with others!
We are in the right place... ML Forum ;)