Magic Lantern Forum

Magic Lantern Releases => Camera-specific discussion => Topic started by: dfort on April 21, 2018, 04:20:27 PM

Title: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: dfort on April 21, 2018, 04:20:27 PM
Edit: the EOS M50 appears to run EOS firmware (https://bitbucket.org/hudson/magic-lantern/commits/f6e763a002080605887dcc4a5c882b626fe97553) (other recent models, i.e. M3, M5, M6, M10 and M100, are based on PowerShot firmware). Looking for a volunteer to try the LED blinking test on this camera, too :)

+1
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: acarboni on May 22, 2018, 05:40:24 PM
Hi! I've got an M50, a second camera, and I went out and bought a couple low-capacity SD cards. I'd love to help out with the blinking led test. Do I just use the standard one from the diagnostic tools thread (http://a1ex.magiclantern.fm/blink/autoexec.bin)? Does anyone have a link to instructions/materials that I might've missed to help me through the process?
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: lovefilm on June 03, 2018, 10:46:06 PM
Portable ROM dumpers (https://www.magiclantern.fm/forum/index.php?topic=16534) ready 8)

M50_DUMP.FIR (need a second volunteer who has either another camera to film the display, or a phototransistor connected to soundcard/arduino/whatever)

Emulation coming soon.

Hello a1ex!

Also got a M50 and a 2nd camera, would be happy to help as well.

Since the M50 is running EOS firmware, would that mean its easier to port Magic Lantern to it? :)
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: a1ex on June 04, 2018, 04:19:01 PM
I went out and bought a couple low-capacity SD cards.

Really? You only need a small filesystem; card size doesn't matter. You can run the test on 128GB cards just as easy as on a 2GB card (in other words, both of them will have to be formatted at a smaller capacity anyway).

LED blinking FIR sent via PM.
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: lovefilm on June 04, 2018, 11:04:07 PM
LED blinking FIR sent via PM.

Trying to get it working on my M50,

I used dd to write the QEMU image suggested in here https://www.magiclantern.fm/forum/index.php?topic=16534.0 to my SD-Card, this it how it looks now:
Code: [Select]
root@cubeX:/home/freezer/Canon# fdisk -l /dev/sdd
Disk /dev/sdd: 59,5 GiB, 63864569856 bytes, 124735488 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x00000000

Device     Boot Start    End Sectors   Size Id Type
/dev/sdd1          99 506879  506781 247,5M  6 FAT16

And the file-structure within the FAT16:

Code: [Select]
root@cubeX:/media/freezer/EOS_DIGITAL# find .
.
./autoexec.bin
./LEDIDM50.FIR
./DCIM
./DCIM/autoexec.bin
./DCIM/LEDIDM50.FIR
./DCIM/100CANON
./DCIM/EOSMISC
./MISC

filesizes:
-rw-r--r-- 1 freezer freezer   604 Jun  4 19:16 LEDIDM50.FIR
-rw-r--r-- 1 freezer freezer 25312 Jun  4 20:07 autoexec.bin

I used the autoexec.bin from the Portable ROM-Dumper thread above and the .FIR provided. Copied them to both / and /DCIM

However nothing really seems to happen when turning it on with the SD-Card inserted. As far as I understand the .FIR file is to enable the boot-flag in the Canon Firmware, is there anything special needed to do to apply it?


Thanks!

Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: ArcziPL on June 04, 2018, 11:28:58 PM
Run "firmware update" from the original menu.
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: lovefilm on June 04, 2018, 11:48:06 PM
Run "firmware update" from the original menu.

Can't find any option to update firmware in the original menu.

EOS Utility seems to have an option for Firmware Update, not sure if that would work? Don't have a Windows installation right now.
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: ArcziPL on June 05, 2018, 08:06:09 AM
You have to be in one of the following modes: M/Av/Tv/P. The camera manual describes it for sure. And don't use EOS Utility for that.
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: Walter Schulz on June 05, 2018, 08:58:52 AM
Page 299 of your manual contains a screenshot showing firmware information. Highlight/select this item and open sub-menu to access firmware update option.
@ArcziPL: Nope, Canon don't bother users with this kind of geeky stuff ...
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: lovefilm on June 05, 2018, 09:15:16 AM
Thanks,
got it now.

However when i confirm "Update firmware" with OK, the LCD screen goes black immediately with no LED blinking or anything else happening.
Have to remove the battery to revive it. 
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: ldevulder on June 10, 2018, 05:23:09 PM
Hi all,

I've got a M50 and another camera (6D). I'm ready to help any developper to port ML on this camera.

I didn't find the FIR file to perform the LED blinking test on the M50.
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: dfort on June 11, 2018, 10:00:32 PM
I didn't find the FIR file to perform the LED blinking test on the M50.

You need to get it from a1ex via PM.

Also read over posts from lovefilm because he tried running the M50 LED blinking test.
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: Ant123 on August 07, 2018, 11:06:24 PM
Canon released firmware update (https://www.usa.canon.com/internet/portal/us/home/support/details/cameras/eos-m-series-digital-cameras/eos-m50-body?subtab=downloads-firmware) for EOS M50.
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: a1ex on August 08, 2018, 05:55:59 PM
Looks very much like DIGIC 7. Dual core.

Code: [Select]
EC412 READY
EC412 ICU Firmware Version 1.0.1 ( 6.8.0 )
ICU Release DateTime May 23 2018 15:50:06
...
[CPU0] [        init:e014499b ] task_create(PowerMgr, prio=20, stack=400, entry=e01448ed, arg=0)
[CPU0] [        init:e0558f51 ] task_create(DbgMgr, prio=1f, stack=0, entry=e0558ecf, arg=c81c78)
[CPU0] [        init:e0097255 ] CreateStateObject(DMState, 0xe09d49c0, inputs=22, states=2)
[CPU0] [        init:e004c24b ] task_create(EEPROM, prio=1f, stack=400, entry=e004bea5, arg=0)
[CPU0] [        init:e0044ea9 ] task_create(ROM0R, prio=11, stack=400, entry=e00448c1, arg=620004)
[CPU0] [        init:e0044ebb ] task_create(ROM1R, prio=11, stack=400, entry=e00448c1, arg=640006)
...
[CPU0] [        init:e0622337 ] register_func('EnableBootDisk', e062228b, 0)
[CPU0] [        init:e0622343 ] register_func('DisableBootDisk', e0622295, 0)
...
[CPU0] [        init:e0050521 ] task_create(Startup, prio=15, stack=2800, entry=e0050415, arg=c826a0)
[CPU0] [        init:e0040905 ] task_create(TaskMain, prio=1d, stack=0, entry=e0040525, arg=0)
[CPU0] [     Startup:e0558f51 ] task_create(PropMgr, prio=14, stack=0, entry=e0558ecf, arg=cc9264)

akashimorino
[CPU0] [    TaskMain:e00461e9 ] register_func('drysh', e07393e9, 0)
[CPU0] [    TaskMain:e00461ff ] register_func('NewTaskShell', e00461ad, 0)
[CPU0] [    TaskMain:e00461c9 ] task_create(EvShel, prio=18, stack=8000, entry=e0046105, arg=0)
[CPU0] [      EvShel:e05773eb ] task_create(LowConsole, prio=19, stack=800, entry=e005153d, arg=0)
[CPU0] [      EvShel:e05773eb ] task_create(ConsoleSvr, prio=18, stack=800, entry=e0051141, arg=0)

Open Console EC412[1]>...

EC412[1]>drysh

Dry[WarpPUX]> ?
[Kern]
 extask  memmap  meminfo  mkcfg  dminfo  exobjinfo  stdlibcfg  efatcfg
 sysvers  xd  xm  prio  resume  suspend  release  sem  mutex  event  mq  exit

Dry[WarpPUX]> memmap
e008f6c0 : Exception vector
000dc870 : Heap start
           0x00114920(1132832)
001f1190 : Heap end
001f1190 : DRYOS system object
           0x000094e0(38112)
001fa670 : DRYOS system memory
           0x000e2200(926208)
000dc070 : Error exception stack start (PU0)
           0x00000400(1024)
000dc470 : Error exception stack end (PU0)
000dc470 : Error exception stack start (PU1)
           0x00000400(1024)
000dc870 : Error exception stack end (PU1)
df000000 : IRQ exception stack start (PU0)
           0x00001000(4096)
df001000 : IRQ exception stack end (PU0)
df001000 : IRQ exception stack start (PU1)
           0x00001000(4096)
df002000 : IRQ exception stack end (PU1)

Dry[WarpPUX]> meminfo -m
Malloc Information (onetime type)
  Start Address       = 0x000dc878
  End Address         = 0x001f0ec0
  Total Size          = 0x00114648 (  1132104)
  Allocated Size      = 0x000018c8 (     6344)
  Allocated Peak      = 0x000018c8 (     6344)
  Allocated Count     = 0x00000008 (        8)
  Free Size           = 0x00112d80 (  1125760)
  Free Block Max Size = 0x00112d80 (  1125760)
  Free Block Count    = 0x00000001 (        1)

Dry[WarpPUX]> sysvers
SystemIF 0.97
DRYOS version 2.3, release #0060+p2
 MACH 0.50

TODO: figure out LED address(es), bootloader display registers and a way to dump the ROM. Currently running it from a modified 200D bootloader.

Edit: might have found the LEDs (drive values: on = 0xD0002, off = 0xC0003)
- 0: SD card LED 0xD01300E4
- 6: WLAN LED 0xD01300E4 (same LED?!)
- 7, 8, 10, 11: 0xD01300E4 (same LED?!)
- 1, 2, 3, 4, 9: unknown 0xD01301A4
- 5: ?! (no obvious MMIO activity)

Volunteers willing to run untested code are welcome.
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: shadimar69 on October 18, 2018, 04:12:32 AM
Hi all,

Just received my shiny new M50 and then rapidly proceeded to wonder how I can make it do what it 'should' be able to do. ;)

I have read through this forum, and have not seen any definitive working versions of ML(Magic Lantern) for the M50. Can someone significantly more intelligent than myself in regards to firmware code injection, please advise current status of a functioning ML for the Canon M50 on the DIGIC 8?

Please let me know if there is anything I can do to help progress/assist with the project moving forward.

Thanks in advance! :)
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: a1ex on October 18, 2018, 09:22:22 AM
Status:
- can run custom code (FIR files for now; I need to prepare those)
- can blink the LEDs
- can flip error screen from bootloader
- can jump to main firmware from FIR (no special tricks required)
- cannot boot main firmware with 200D code (likely easy to debug)
- can not display custom stuff on the screen, not even from bootloader (likely easy after seeing the bootloader)

I can prepare test files for #5, but not right now.
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: shadimar69 on October 18, 2018, 10:14:58 AM
Thank you for the status update a1ex!

Please let me know if there is anything that I can do to help expedite any of the steps.

Thank you again! :)
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: c_joerg on October 23, 2018, 09:38:54 AM
Edit: the EOS M50 appears to run EOS firmware (https://bitbucket.org/hudson/magic-lantern/commits/f6e763a002080605887dcc4a5c882b626fe97553) (other recent models, i.e. M3, M5, M6, M10 and M100, are based on PowerShot firmware). Looking for a volunteer to try the LED blinking test on this camera, too :)

Does anyone know if Canon Basic is available on the M50 or EOS R(as with the M3)?
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: a1ex on October 23, 2018, 10:02:27 AM
Maybe. The M50 ROM contains the following strings:

Code: [Select]
B:/script.req
uartr.req
FIO_GetFileInfo (%s) ver.req failed
(%s) ver.req Dir
for DC_scriptdisk
B:/Factory.m
B:/AutoTest.m
B:/Extend.m

I have not tested it, but it's worth trying (http://chdk.wikia.com/wiki/Canon_Basic).

There is some (different) scripting interface in DIGIC 5 DSLRs (https://www.magiclantern.fm/forum/index.php?topic=2864.msg190986#msg190986) as well, but I have not explored it (it's left as a nice exercise for the community). This scripting engine is not present on DIGIC 6 or newer "pure EOS" models, from what I could tell.
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: SniperJunkie on December 06, 2018, 10:10:56 PM
I have a Canon EOS M50, If you need me to do anything to help, Please feel free to ask.
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: kenthinson on December 07, 2018, 06:38:11 AM
For DIGIC 7 models, the next step is porting the 80D startup code (https://www.magiclantern.fm/forum/index.php?topic=19737.msg200895;topicseen#msg200895) (i.e. running user code alongside Canon firmware). I expect this step to be straightforward, so it's left as an exercise to the owners of these cameras. You can debug the startup code in the emulator; once you get it working, just ask me to enable the boot flag so you can test it on the camera.

The previous post was for M50 ( DIGIC 8 ). On this camera, I don't know yet how the bootloader looks like, and the code written for DIGIC 7 didn't work, so I'll probably attempt to dump the ROM directly from main firmware. The tests you'll run are:
- jumping to Canon firmware (expecting to be identical to DIGIC 7, i.e. jumping to 0xE0040000)
- LED blinking (testing the above addresses)
- LED blinking from main firmware (if I'll get this working in QEMU)
- ROM dumping from main firmware (could not test this one in QEMU yet)
- other tests (CPU model, diagnostic logs etc)

After publishing the ROM dumper, I'll update the emulator, attempt to enable the boot flag and get some diagnostic logs. Further progress will require a developer with a camera in their hands and plenty of spare time for experiments. If that describes you, your contribution will be more than welcome. I'll be here to help if you get stuck, but please be aware I'm not interested in maintaining yet another camera port alone.

If the code damages the camera, I'll try to help, but cannot guarantee success.

Hi a1ex. I'm a software engineering student. I'll be graduating the end of the month. I'm interested in working on my m50 with my spare time. I see the documentation on the site about setting up qemu dev environment. Looks exciting. Any advice you have for me before I jump in? Thanks :)

I'll be jumping in after the semester is over. For now back to writing papers  :'(
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: Walter Schulz on December 07, 2018, 07:49:20 AM
I have a Canon EOS M50, If you need me to do anything to help, Please feel free to ask.

Do you have another cam with ML running on it?
If not:
Take a look into http://chdk.wikia.com/wiki/Obtaining_a_firmware_dump#Using_soundcard_input

@kenthinson: Welcome abord! Best luck for the finals!
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: srsa on December 08, 2018, 07:11:57 PM
After exploring the D8 disassembly I have (I was given a reconstructed M50 dump) I decided to publish my findings here.

- The camera does appear to have the scripting language we (@CHDK) refer to as Canon Basic.
- I have the impression that the card setup is the same as described here: http://chdk.wikia.com/wiki/Canon_Basic/Card_Setup
- Event procedures (short: eventproc) do exist, the eventproc handling firmware routines seem to be the same as on PowerShots.
- There seems to be support for extend.m and autotest.m scripts, but their invocation may differ from what's described here: http://chdk.wikia.com/wiki/Canon_Basic#Starting_the_script

- Now, the differences:
 - Most event procedures that appear in CHDK related scripts do not exist. That means, CHDK scripts will not work on D8 cams.
 - Many event procedures seem to be pre-registered, so registration functions such as System.Create() are not necessarily needed.
 - In file names, the card root is B:/
 - I have not yet found an eventproc to write binary files from script, or, to write text on screen.
 
Problem is, I can't say for sure whether using a prepared script card is enough to run scripts. So, everything below is speculation.

Script support seems to be enabled when the cam is in factory mode - the factory mode flag is at 0xE1FF802C.
I think it is also enabled when there's a script named "AutoTest.m" in the root of the card. The code I found loads "AutoTest.m" automatically at the end of the startup procedure.

The following minimal script should make a hex dump of the first 0x40000 bytes of ROM. I'm not certain that my WriteFileString interpretation is correct.
For a first try, name the script "AutoTest.m".

Code: [Select]
dim startadr=0xe0000000
dim romsize=0x40000
dim fname="B:/ROM.TXT"

private sub Initialize()
    p = startadr
    f = OpenFileCREAT(fname)
    do while p < (startadr+romsize)
        WriteFileString(f,"%08X: %08x %08x %08x %08x\n",p,*p,*(p+4),*(p+8),*(p+12))
        p = p + 16
    loop
    CloseFile(f)
end sub

This script is not camera specific, so it can be tried on any D8 cameras (assuming that all D8 cams share the same codebase):
EOS M50, R; PowerShot SX740, SX70

To make sure the card is correctly prepared for scripting, get any older PowerShot (2005...2017) and use the universal dumper script (http://chdk.wikia.com/wiki/Canon_Basic/Scripts/Dumper) to check.

I can't guarantee success, but I think it's worth to try this route.
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: StefanKeller.AC on December 18, 2018, 05:40:54 PM
sorry, but I didnt have success on my M50, I prepared the Card with EOSCard after true formating in the M50
(but with my M50 I also did not have success with the dumper scripts)
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: Walter Schulz on December 18, 2018, 06:09:09 PM
EOScard?
Is there a bootflag enabler for the real (not emulated) M50 body?
Wondering if I missed something ...
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: srsa on December 18, 2018, 06:13:04 PM
sorry, but I didnt have success on my M50, I prepared the Card with EOSCard after true formating in the M50
(but with my M50 I also did not have success with the dumper scripts)
Thanks for trying. I guess we'll know more when emulation of the M50 becomes possible.
EOScard?
Is there a bootflag enabler for the real (not emulated) M50 body?
Wondering if I missed something ...
EOSCard can also set PowerShot-related flags, in this case the SCRIPT signature.
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: Walter Schulz on December 18, 2018, 06:28:18 PM
EOSCard can also set PowerShot-related flags, in this case the SCRIPT signature.

Thanks for the explanation! I should get accustomed to those "hybrid cams" (for lack of a better word) terms...
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: a1ex on December 24, 2018, 10:39:36 PM
Please find a ROM dumper for the EOS/PowerShot M50. It took an entire week of trial and error to figure it out - thanks @71m363nd3r for testing!

D_M50101.FIR (https://a1ex.magiclantern.fm/bleeding-edge/M50/D_M50101.FIR) (only for M50 firmware 1.0.1)

Source code: commit 568e05a (https://bitbucket.org/hudson/magic-lantern/commits/568e05a).

This is not using the portable codebase, but runs directly from the main firmware, using the regular ML boot process. For this reason, it is only compatible with M50 firmware 1.0.1. On other firmwares, it will just lock up.

There were two mysterious bugs that were preventing ML from booting on the M50 on real hardware, although it was working fine in the emulator, and its early startup code was apparently identical to 200D's:

1) The FIR is running on both CPU cores (unlike DIGIC 7, but I need to double-check). The two cores do not start at the same time; the main one (CPU0) wakes up the secondary one (CPU1) somewhere in cstart. It was easy to fix (https://bitbucket.org/hudson/magic-lantern/commits/0f8fc984f719c52d3b), but figuring it out with LED blinks was very puzzling.

2) The startup code, although nearly identical to 200D's, expected one of the cache maintenance functions to preserve R3 across the call (something not compatible with the C ABI). In our relocated startup code (that makes room for loading ML), I had to use a veneer to make a long call to that function. From all of the available registers, GCC picked exactly R3 to make that long call...

... and the side effect was disabling a loop that was zeroing out some memory. The trick is that, at camera startup, the RAM is not zeroed; you still have some electrical noise or maybe even some data from previous run. In the emulator, the RAM is always zeroed at startup. The result was that my test code was booting just fine in the emulator, but was locking up on real hardware. Good luck figuring out with binary feedback from the camera (i.e. works or locks up). I've solved it comparing the execution traces between the files reported to work (i.e. jumping to unmodified Canon firmware), and the ones reported to lock up (jumping to relocated Canon firmware); if anyone is curious, . I highly doubt I could have figured it out without an emulator. This change (https://bitbucket.org/hudson/magic-lantern/commits/b85a1b13a2fe0b32b52b6f8fe8d16812dcf10698) fixed it.

Once the two quirks were fixed, the startup code previously written for 200D worked out of the box.

When dumping the ROM, there was yet another quirk: initial attempt (calling dump_file with a ROM address) saved a file with correct size, that contained garbage. Oddly enough, it had fragments from the diagnostic log. Best guess: the DMA channel used for file I/O might be simply unable to read from the ROM. Instead, it probably ignores the higher address bits and just saves something from the RAM (matching the lower address bits). I'm not sure whether this step was working on 200D - need to double-check. Anyway, fixing this was straightforward: copying the ROM contents to RAM (https://bitbucket.org/hudson/magic-lantern/commits/568e05a9639874f25eed96f1084182d6e1f2a390) before saving did the trick.

Emulation is not ready yet; still working on it. I am able to emulate the bootloader (including file I/O), but main firmware doesn't initialize the SD card, so I'm unable to test Canon Basic scripts yet.

The same dumper source code works on 200D (I've actually used it to test the M50 dumper in QEMU, as file I/O isn't fully working), and - after finding a few stubs - on all the other DIGIC 7 models. If anyone is looking for some low-hanging fruit to get started with development, the new stubs are relatively easy to find and they can be tested in QEMU. Once you do that, I'll enable the boot flag, so you'll be able to run custom code on real hardware.

Dear Santa, please (https://www.magiclantern.fm/forum/index.php?topic=23084.msg208831#msg208831) give us the time and energy to port ML on these new cameras!
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: leathc on December 27, 2018, 08:52:31 PM
so, apologies for being that guy, but where exactly do I start here?

I'm a skilled developer, but new to photography.  I have an M50 with the 1.0.1 firmware, and a decent amount of experience reverse engineering software.  I don't need any excessive hand-holding, just links, docs, and maybe a little setup troubleshooting.

If anyone is looking for some low-hanging fruit to get started with development, the new stubs are relatively easy to find and they can be tested in QEMU

Given the above, I can definitely give this a shot.  Sounds fun.
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: a1ex on December 28, 2018, 09:02:48 AM
Docs:
https://bitbucket.org/hudson/magic-lantern/src/qemu/contrib/qemu/README.rst
https://bitbucket.org/hudson/magic-lantern/src/qemu/contrib/qemu/HACKING.rst

However, that easy coding task mostly applies to models other than M50 and 200D. The current experiments are working out of the box on these two cameras; it's the other 3 models that could use some help from the community in order to reach the same stage.

I have yet to commit the emulator bits for M50, but I've got most of the stuff working locally (including file I/O after manually calling the initialization routine from the serial console). For now, you may run the ROM dumper and follow the steps from the "Initial firmware analysis" section in the docs. ROM layout and startup code on M50 are pretty much identical to DIGIC 7 (to the point that some stubs are identical with 200D).

Once you are ready to run this code on your camera, I can prepare a tool to enable the boot flag (for any model from this thread).
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: leathc on December 28, 2018, 04:23:36 PM
Docs:
https://bitbucket.org/hudson/magic-lantern/src/qemu/contrib/qemu/README.rst
https://bitbucket.org/hudson/magic-lantern/src/qemu/contrib/qemu/HACKING.rst

However, that easy coding task mostly applies to models other than M50 and 200D. The current experiments are working out of the box on these two cameras; it's the other 3 models that could use some help from the community in order to reach the same stage.

I have yet to commit the emulator bits for M50, but I've got most of the stuff working locally (including file I/O after manually calling the initialization routine from the serial console). For now, you may run the ROM dumper and follow the steps from the "Initial firmware analysis" section in the docs. ROM layout and startup code on M50 are pretty much identical to DIGIC 7 (to the point that some stubs are identical with 200D).

Once you are ready to run this code on your camera, I can prepare a tool to enable the boot flag (for any model from this thread).

I assume the risk of bricking my camera with these tools is low (but not zero)?
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: a1ex on December 28, 2018, 04:54:59 PM
That's right. All of the binaries available in this thread were already confirmed to work on at least one other camera, and they were also tested in QEMU (where I could confirm they are reserving memory properly so our binary won't be overwritten by Canon firmware). They do not (at the time of writing) attempt to make any permanent changes to the camera. Sure, that will no longer apply after enabling the boot flag.

However, Canon firmware is, by design, unsafe (https://bitbucket.org/hudson/magic-lantern/pull-requests/825/prevent-canon-settings-from-being-saved/). Any DryOS task is able to write anywhere in memory, so a programming mistake can - in theory - have devastating effects. Starting from DIGIC 7, we've got a MMU, which currently doesn't do much other than a flat mapping, but can - in theory - be used to implement some sort of protection between ML code and Canon data structures. TLDR: there is a small probability of getting invalid settings written into one of the nonvolatile memories; that's usually recoverable, but I'm unable to guarantee it.

So far, the worst case I've recovered successfully was a Canon firmware update interrupted in the middle (i.e. not caused by ML). Last time I've unbricked a camera was two days ago (an EOS M with invalid video settings; ask Danne for details).
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: Danne on December 28, 2018, 05:17:35 PM
Last time I've unbricked a camera was two days ago (an EOS M with invalid video settings; ask Danne for details).
Word! My prop value mistake analyzed, narrowed down and fixed to camera original state within the hour...
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: leathc on December 28, 2018, 05:24:31 PM
So far, the worst case I've recovered successfully was a Canon firmware update interrupted in the middle (i.e. not caused by ML). Last time I've unbricked a camera was two days ago (an EOS M with invalid video settings; ask Danne for details).

that makes me feel a lot better

I'll report back here once I get a chance to read the docs and get set up.
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: leathc on January 02, 2019, 05:15:51 PM
Docs:
https://bitbucket.org/hudson/magic-lantern/src/qemu/contrib/qemu/README.rst
https://bitbucket.org/hudson/magic-lantern/src/qemu/contrib/qemu/HACKING.rst

However, that easy coding task mostly applies to models other than M50 and 200D. The current experiments are working out of the box on these two cameras; it's the other 3 models that could use some help from the community in order to reach the same stage.

I have yet to commit the emulator bits for M50, but I've got most of the stuff working locally (including file I/O after manually calling the initialization routine from the serial console). For now, you may run the ROM dumper and follow the steps from the "Initial firmware analysis" section in the docs. ROM layout and startup code on M50 are pretty much identical to DIGIC 7 (to the point that some stubs are identical with 200D).

Once you are ready to run this code on your camera, I can prepare a tool to enable the boot flag (for any model from this thread).

I'm having a bit of trouble with `hg` and `brew` at the moment.  I still want to help, but I need to get back to LA first where I can clean up my Mac.  :)
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: kenthinson on January 03, 2019, 01:55:02 PM
Ok progress report and questions for you guys!

Progress.

I have been following:
https://bitbucket.org/hudson/magic-lantern/src/qemu/contrib/qemu/README.rst
Step 1, and 2 under installation complete. Got dependencies installed through home-brew.

In addition I dumped my m50 rom files. I got two bin files
540b1d00a2631c6a29a0280d75679440 ROM0.BIN
1e7c58573aa62d016f3b355205d8fed5 ROM1.BIN

Should I continue with step 3? Is qemu ready? or do we need to do some more work first.

Lets get this thing rolling :)
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: dfort on January 03, 2019, 05:00:49 PM
I'm having a bit of trouble with `hg` and `brew` at the moment.  I still want to help, but I need to get back to LA first where I can clean up my Mac.  :)

A couple of forum topics that will help get your Mac up and running in a hurry:

Setting up a Magic Lantern development environment on a Macintosh (https://www.magiclantern.fm/forum/index.php?topic=16012.0)

Magic Lantern development compiler.app (Mac OS) (https://www.magiclantern.fm/forum/index.php?topic=21882.0)

PM me when you get back to LA if you want to get together. I live nearby in Redondo Beach.

I keep thinking about getting an M50 for my next ML project--once the M2 is up and running.

Should I continue with step 3? Is qemu ready? or do we need to do some more work first.

I just checked and it looks like there isn't an EOSM50 directory yet so it might still be a little early. Though if you want to get started you can create that directory and start figuring out what is needed for the debugmsg.gdb file. The EOSM2 port started from scratch so you can see what was done to get that camera working in QEMU starting around this post in the ML on EOS-M2 (https://www.magiclantern.fm/forum/index.php?topic=15895.msg185103#msg185103) topic.
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: a1ex on January 03, 2019, 06:09:06 PM
Though if you want to get started you can create that directory and start figuring out what is needed for the debugmsg.gdb file.

Well, that would be quite a bit of duplicated work. Please find here (https://a1ex.magiclantern.fm/bleeding-edge/M50/qemu.patch) the draft QEMU patches for M50 in their current state. Not double-checked yet, but emulation goes far enough to save a log file on the virtual SD card with these commands in the serial console:
Code: [Select]
akashimorino
mount 2
dumpf

Not sure if that's enough for testing the Canon Basic scripts, but that's all I've got for now.

The M50 also has a serial flash, so one of the next steps is dumping its contents (easy; one way is to adapt this code (https://bitbucket.org/hudson/magic-lantern/src/unified/modules/sf_dump/sf_dump.c) on the minimal codebase, which is not able to load modules yet, and the other is to work from the "recovery" branch, i.e. directly from bootloader). Probably not a very straightforward task for a newcomer, but it's not very hard either.
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: leathc on January 04, 2019, 12:36:11 AM
A couple of forum topics that will help get your Mac up and running in a hurry:

Setting up a Magic Lantern development environment on a Macintosh (https://www.magiclantern.fm/forum/index.php?topic=16012.0)

Magic Lantern development compiler.app (Mac OS) (https://www.magiclantern.fm/forum/index.php?topic=21882.0)

PM me when you get back to LA if you want to get together. I live nearby in Redondo Beach.

I keep thinking about getting an M50 for my next ML project--once the M2 is up and running.

Thanks for the links.  I'll check it out.

Also, neat.  Maybe we can meet up and you can play with the M50 a bit.
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: dfort on January 04, 2019, 04:46:27 PM
Please find here (https://a1ex.magiclantern.fm/bleeding-edge/M50/qemu.patch) the draft QEMU patches for M50 in their current state.

I had no idea it was this far along. Feel like we were just given the password to get into a speakeasy and now it is time to get drunk.
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: leathc on January 05, 2019, 02:51:04 AM
I had no idea it was this far along. Feel like we were just given the password to get into a speakeasy and now it is time to get drunk.

I'm buyin' if it means I can get my camera to do all the stuff it should be able to do...
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: dfort on January 06, 2019, 06:35:08 PM
Applied the qemu patch and got the M50 running. No GUI emulation yet and this is what the default qemu autoexec.bin looks like but hey, it is a start.

(https://farm5.staticflickr.com/4851/39668670933_28ffcae26e.jpg) (https://flic.kr/p/23roiQi)
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: Walter Schulz on January 08, 2019, 04:43:20 PM
No twitter account: M50?
https://twitter.com/autoexec_bin/status/1082649361484529667
(https://pbs.twimg.com/media/DwZX1SCXQAMtgGo.jpg:small)
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: a1ex on January 08, 2019, 05:30:03 PM
Nope, M50 looks like this:

(https://a1ex.magiclantern.fm/bleeding-edge/M50/M50-hello.jpg)
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: srsa on January 08, 2019, 05:45:21 PM
I know what it is, but not spoiling the game.
@a1ex Can it save files yet?
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: Walter Schulz on January 08, 2019, 06:14:04 PM
Aspect ratio 4:3! Boy, you got us! And we're totally offtopic. Totally!
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: Greg on January 08, 2019, 06:15:41 PM
Fujifilm?
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: Walter Schulz on January 08, 2019, 06:16:40 PM
Nope, it's a Canon. But no DiGiC 7/8 on board!
Those Twitter members will hunt you down, a1ex!

Disclaimer: If I'm right, of course ...
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: nikfreak on January 08, 2019, 06:25:53 PM
No twitter either over here:

7D Mark II
EOS M3

Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: Greg on January 08, 2019, 06:38:08 PM
SX50 HS
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: Ant123 on January 08, 2019, 06:43:39 PM
SX70HS
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: nikfreak on January 08, 2019, 06:48:54 PM
Canon PowerShot G1 X Mark III

 :D
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: nikfreak on January 08, 2019, 06:53:50 PM
EOS M5?
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: dfort on January 08, 2019, 08:41:13 PM
Somebody here got it right.

(https://farm5.staticflickr.com/4816/46667116051_124f326d51_n.jpg) (https://flic.kr/p/2e6PaKa)
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: a1ex on January 08, 2019, 10:39:27 PM
Yes, it's a Canon. Yes, it has DIGIC 8 on board. Yes, it has a 4:3 screen.

SX70HS

... running EOS firmware!

@a1ex Can it save files yet?

Yes, just got a ROM dump.

Dumper (really hackish): SX70DUMP.FIR (https://a1ex.magiclantern.fm/bleeding-edge/SX70/SX70DUMP.FIR). I'll upload a nicer one later. I've used g3gg0's FullFAT-based dumper from the "recovery" branch; other than that, it was code written for M50 running from bootloader context.

The SX740 probably belongs to the same group, according to CHDK folks; I didn't look into it yet.

Have fun!



P.S. QEMU patches for M50 (linked earlier (https://www.magiclantern.fm/forum/index.php?topic=23296.msg210122#msg210122)) worked out of the box for the SX70 bootloader:

(https://a1ex.magiclantern.fm/bleeding-edge/SX70/SX70-qemu.png)
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: Walter Schulz on January 08, 2019, 11:05:45 PM
Where does EOS R fit in? DiGiC 8 but EOS or Powershot codebase or mixed-breed?
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: a1ex on January 08, 2019, 11:14:29 PM
I did not see the EOS R firmware yet, but previous experiments (https://www.magiclantern.fm/forum/index.php?topic=22770.msg207211#msg207211) suggest it might be significantly different from the smaller models.

Though I'm tempted to repeat the tests, now that we've got the display working.
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: leathc on January 09, 2019, 03:53:26 AM
The M50 also has a serial flash, so one of the next steps is dumping its contents (easy; one way is to adapt this code (https://bitbucket.org/hudson/magic-lantern/src/unified/modules/sf_dump/sf_dump.c) on the minimal codebase, which is not able to load modules yet, and the other is to work from the "recovery" branch, i.e. directly from bootloader). Probably not a very straightforward task for a newcomer, but it's not very hard either.

Did this ever get done?  I have to say, it's certainly not very straightforward.  :)  I have the green screen running on QEMU for the M50, but I can't get the screen you posted.
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: LebedevRI on January 09, 2019, 09:32:15 AM
SX70HS
... running EOS firmware!

While kinda off-topic here, i wonder if someone could help us @ darktable / pixls.us with providing a full raw sample set from that "Powershot SX70 HS" camera for https://raw.pixls.us/
RPU is used e.g. by RawSpeed fast raw decoding library (https://github.com/darktable-org/rawspeed) for integration testing.
Total of 8 samples needed: {RAW, CRAW} x {16:9, 4:3, 3:2, 1:1}.
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: leathc on January 10, 2019, 02:07:00 AM
oooh now I have a blinking LED on my M50 qemu, pls advise
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: DeafEyeJedi on January 11, 2019, 04:45:57 AM
Great work, @leathc!
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: leathc on January 11, 2019, 04:57:29 AM
Great work, @leathc!

Thanks!  and thanks dfort for helping me!  haha
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: oswa on January 11, 2019, 06:40:13 AM
... running EOS firmware!


While kinda off-topic here, i wonder if someone could help us @ darktable / pixls.us with providing a full raw sample set from that "Powershot SX70 HS" camera for https://raw.pixls.us/
RPU is used e.g. by RawSpeed fast raw decoding library (https://github.com/darktable-org/rawspeed) for integration testing.
Total of 8 samples needed: {RAW, CRAW} x {16:9, 4:3, 3:2, 1:1}.

Below you can dl all the raw samples.

https://we.tl/t-X8KcVPjtVX (https://we.tl/t-X8KcVPjtVX)
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: dfort on January 14, 2019, 08:12:01 AM
This (https://www.magiclantern.fm/forum/index.php?topic=17714.msg210501#msg210501) might help the M50 port.

Code: [Select]
  Magic Lantern Rescue
 ----------------------------
 - Model ID: 0x412 M50
 - Camera model: Canon EOS M50 / KISS M
 - Firmware version: 1.0.1 / 6.8.0 34(00)
 - IMG naming: 100CANON/IMG_2868.JPG
 - User PS: CineStyle 
 - Boot flags: FIR=0 BOOT=-1 RAM=-1 UPD=-1
 - ROMBASEADDR: 0xE0040000

CHDK CPU info for 0x412 M50
------------------------------
ID         0x414FC091
  Revision             0x1 1
  Part                 0xC09 3081
  ARM Arch             0xF 15
  Variant              0x4 4
  Implementor          0x41 65
Cache type 0x83338003
  Icache min words/line 0x3 3 [8]
  (zero)               0x0 0
  L1 Icache policy     0x2 2
  Dcache min words/line 0x3 3 [8]
  Exclusives Reservation Granule 0x3 3 [8]
  Cache Writeback Granule 0x3 3 [8]
  (zero)               0x0 0
  (register format)    0x4 4
TCM type   0x00000000
  (raw value)          0x0 0
MPU type   0x414FC091
  S                    0x1 1
  -                    0x48 72
  Num of MPU regions   0xC0 192
Multiprocessor ID 0x80000000
  (raw value)          0x80000000 -2147483648
Processor feature 0 0x00001231
  ARM inst set         0x1 1
  Thumb inst set       0x3 3
  Jazelle inst set     0x2 2
  ThumbEE inst set     0x1 1
  -                    0x0 0
Processor feature 1 0x00000011
  Programmers' model   0x1 1
  Security extensions  0x1 1
  Microcontr. prog model 0x0 0
  -                    0x0 0
Debug feature 0x00010444
  (raw value)          0x10444 66628
Aux feature 0x00000000
  (raw value)          0x0 0
Mem model feature 0 0x00100103
  VMSA support         0x3 3
  PMSA support         0x0 0
  Cache coherence      0x1 1
  Outer shareable      0x0 0
  TCM support          0x0 0
  Auxiliary registers  0x1 1
  FCSE support         0x0 0
  -                    0x0 0
Mem model feature 1 0x20000000
  L1 Harvard cache VA  0x0 0
  L1 unified cache VA  0x0 0
  L1 Harvard cache s/w 0x0 0
  L1 unified cache s/w 0x0 0
  L1 Harvard cache     0x0 0
  L1 unified cache     0x0 0
  L1 cache test & clean 0x0 0
  Branch predictor     0x2 2
Mem model feature 2 0x01230000
  L1 Harvard fg prefetch 0x0 0
  L1 Harvard bg prefetch 0x0 0
  L1 Harvard range     0x0 0
  Harvard TLB          0x0 0
  Unified TLB          0x3 3
  Mem barrier          0x2 2
  WFI stall            0x1 1
  HW access flag       0x0 0
Mem model feature 3 0x00102111
  Cache maintain MVA   0x1 1
  Cache maintain s/w   0x1 1
  BP maintain          0x1 1
  -                    0x102 258
  Supersection support 0x0 0
ISA feature 0 0x00101111
  Swap instrs          0x1 1
  Bitcount instrs      0x1 1
  Bitfield instrs      0x1 1
  CmpBranch instrs     0x1 1
  Coproc instrs        0x0 0
  Debug instrs         0x1 1
  Divide instrs        0x0 0
  -                    0x0 0
ISA feature 1 0x13112111
  Endian instrs        0x1 1
  Exception instrs     0x1 1
  Exception AR instrs  0x1 1
  Extend instrs        0x2 2
  IfThen instrs        0x1 1
  Immediate instrs     0x1 1
  Interwork instrs     0x3 3
  Jazelle instrs       0x1 1
ISA feature 2 0x21232041
  LoadStore instrs     0x1 1
  Memhint instrs       0x4 4
  MultiAccess Interruptible instructions 0x0 0
  Mult instrs          0x2 2
  MultS instrs         0x3 3
  MultU instrs         0x2 2
  PSR AR instrs        0x1 1
  Reversal instrs      0x2 2
ISA feature 3 0x11112131
  Saturate instrs      0x1 1
  SIMD instrs          0x3 3
  SVC instrs           0x1 1
  SynchPrim instrs     0x2 2
  TabBranch instrs     0x1 1
  ThumbCopy instrs     0x1 1
  TrueNOP instrs       0x1 1
  T2 Exec Env instrs   0x1 1
ISA feature 4 0x00011142
  Unprivileged instrs  0x2 2
  WithShifts instrs    0x4 4
  Writeback instrs     0x1 1
  SMC instrs           0x1 1
  Barrier instrs       0x1 1
  SynchPrim_instrs_frac 0x0 0
  PSR_M instrs         0x0 0
  -                    0x0 0
ISA feature 5 0x00000000
  -                    0x0 0
Cache level ID 0x09200003
  Cache type, level1   0x3 3 [Separate Icache, Dcache]
  Cache type, level2   0x0 0 [no cache]
  Cache type, level3   0x0 0 [no cache]
  Cache type, level4   0x0 0 [no cache]
  Cache type, level5   0x0 0 [no cache]
  Cache type, level6   0x0 0 [no cache]
  Cache type, level7   0x0 0 [no cache]
  Cache type, level8   0x1 1 [Icache only]
  Level of coherency   0x1 1
  Level of unification 0x1 1
  (zero)               0x0 0
Cache size ID reg (data, level0) 0x700FE019
  Line size in words   0x1 1 [8]
  Associativity        0x3 3 [4]
  Number of sets       0x7F 127 [128]
  Write allocation     0x1 1
  Read allocation      0x1 1
  Write back           0x1 1
  Write through        0x0 0
Cache size ID reg (inst, level0) 0x200FE019
  Line size in words   0x1 1 [8]
  Associativity        0x3 3 [4]
  Number of sets       0x7F 127 [128]
  Write allocation     0x0 0
  Read allocation      0x1 1
  Write back           0x0 0
  Write through        0x0 0
SCTLR      0x48C5187D
  MPU Enable           0x1 1
  Strict Align         0x0 0
  L1 DCache Enable     0x1 1
  - (SBO)              0xF 15
  - (SBZ)              0x0 0
  Branch Pred Enable   0x1 1
  L1 ICache Enable     0x1 1
  High Vectors         0x0 0
  Round Robin          0x0 0
  - (SBZ)              0x0 0
  - (SBO)              0x1 1
  MPU background reg   0x0 0
  - (SBO)              0x1 1
  Div0 exception       0x0 0
  - (SBZ)              0x0 0
  FIQ Enable           0x0 0
  - (SBO)              0x3 3
  VIC                  0x0 0
  CPSR E bit           0x0 0
  - (SBZ)              0x0 0
  NMFI                 0x1 1
  TRE                  0x0 0
  AFE                  0x0 0
  Thumb exceptions     0x1 1
  Big endian           0x0 0
ACTLR      0x00000045
  (raw value)          0x45 69
ACTLR2     0x00000001
  (raw value)          0x1 1
CPACR      0x00000000
  (raw value)          0x0 0
DBGDIDR    0x35141000
  Revision             0x0 0
  Variant              0x0 0
  - (RAZ)              0x10 16
  Version              0x4 4 [v7 basic]
  Context              0x1 1 [2]
  BRP                  0x5 5 [6]
  WRP                  0x3 3 [4]
DBGDRAR    0x00000000
  Valid                0x0 0
  - (UNK)              0x0 0
  Address              0x0 0 [0x00000000]
DBGDSAR    0x00000000
  Valid                0x0 0
  - (UNK)              0x0 0
  Address              0x0 0 [0x00000000]
DBGDSCR    0x00000000
  HALTED               0x0 0
  RESTARTED            0x0 0
  MOE                  0x0 0
  SDABORT_l            0x0 0
  ADABORT_l            0x0 0
  UND_l                0x0 0
  FS                   0x0 0
  DBGack               0x0 0
  INTdis               0x0 0
  UDCCdis              0x0 0
  ITRen                0x0 0
  HDBGen               0x0 0
  MDBGen               0x0 0
  SPIDdis              0x0 0
  SPNIDdis             0x0 0
  NS                   0x0 0
  ADAdiscard           0x0 0
  ExtDCCmode           0x0 0
  - (SBZ)              0x0 0
  InstrCompl_l         0x0 0
  PipeAdv              0x0 0
  TXfull_l             0x0 0
  RXfull_l             0x0 0
  - (SBZ)              0x0 0
  TXfull               0x0 0
  RXfull               0x0 0
  - (SBZ)              0x0 0

 - DONE!
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: a1ex on January 15, 2019, 01:26:02 PM
It's worth noting the above log was not from a real M50, but from the emulator. In other words, it's what I thought it might be, i.e. what I knew from DIGIC 7 (https://www.magiclantern.fm/forum/index.php?topic=19737.msg200715#msg200715) (alongside with a few emulator quirks).

CPU info log from a real M50 / real SX70:
Code: [Select]
CHDK CPU info for 0x412 M50 / 0x805 SX70
------------------------------
ID         0x414FC091
  Revision             0x1 1
  Part                 0xC09 3081
  ARM Arch             0xF 15
  Variant              0x4 4
  Implementor          0x41 65
Cache type 0x83338003
  Icache min words/line 0x3 3 [8]
  (zero)               0x0 0
  L1 Icache policy     0x2 2
  Dcache min words/line 0x3 3 [8]
  Exclusives Reservation Granule 0x3 3 [8]
  Cache Writeback Granule 0x3 3 [8]
  (zero)               0x0 0
  (register format)    0x4 4
TCM type   0x00000000
  (raw value)          0x0 0
MPU type   0x414FC091
  S                    0x1 1
  -                    0x48 72
  Num of MPU regions   0xC0 192
Multiprocessor ID 0x80000000
  (raw value)          0x80000000 -2147483648
Processor feature 0 0x00001231
  ARM inst set         0x1 1
  Thumb inst set       0x3 3
  Jazelle inst set     0x2 2
  ThumbEE inst set     0x1 1
  -                    0x0 0
Processor feature 1 0x00000011
  Programmers' model   0x1 1
  Security extensions  0x1 1
  Microcontr. prog model 0x0 0
  -                    0x0 0
Debug feature 0x00010444
  (raw value)          0x10444 66628
Aux feature 0x00000000
  (raw value)          0x0 0
Mem model feature 0 0x00100103
  VMSA support         0x3 3
  PMSA support         0x0 0
  Cache coherence      0x1 1
  Outer shareable      0x0 0
  TCM support          0x0 0
  Auxiliary registers  0x1 1
  FCSE support         0x0 0
  -                    0x0 0
Mem model feature 1 0x20000000
  L1 Harvard cache VA  0x0 0
  L1 unified cache VA  0x0 0
  L1 Harvard cache s/w 0x0 0
  L1 unified cache s/w 0x0 0
  L1 Harvard cache     0x0 0
  L1 unified cache     0x0 0
  L1 cache test & clean 0x0 0
  Branch predictor     0x2 2
Mem model feature 2 0x01230000
  L1 Harvard fg prefetch 0x0 0
  L1 Harvard bg prefetch 0x0 0
  L1 Harvard range     0x0 0
  Harvard TLB          0x0 0
  Unified TLB          0x3 3
  Mem barrier          0x2 2
  WFI stall            0x1 1
  HW access flag       0x0 0
Mem model feature 3 0x00102111
  Cache maintain MVA   0x1 1
  Cache maintain s/w   0x1 1
  BP maintain          0x1 1
  -                    0x102 258
  Supersection support 0x0 0
ISA feature 0 0x00101111
  Swap instrs          0x1 1
  Bitcount instrs      0x1 1
  Bitfield instrs      0x1 1
  CmpBranch instrs     0x1 1
  Coproc instrs        0x0 0
  Debug instrs         0x1 1
  Divide instrs        0x0 0
  -                    0x0 0
ISA feature 1 0x13112111
  Endian instrs        0x1 1
  Exception instrs     0x1 1
  Exception AR instrs  0x1 1
  Extend instrs        0x2 2
  IfThen instrs        0x1 1
  Immediate instrs     0x1 1
  Interwork instrs     0x3 3
  Jazelle instrs       0x1 1
ISA feature 2 0x21232041
  LoadStore instrs     0x1 1
  Memhint instrs       0x4 4
  MultiAccess Interruptible instructions 0x0 0
  Mult instrs          0x2 2
  MultS instrs         0x3 3
  MultU instrs         0x2 2
  PSR AR instrs        0x1 1
  Reversal instrs      0x2 2
ISA feature 3 0x11112131
  Saturate instrs      0x1 1
  SIMD instrs          0x3 3
  SVC instrs           0x1 1
  SynchPrim instrs     0x2 2
  TabBranch instrs     0x1 1
  ThumbCopy instrs     0x1 1
  TrueNOP instrs       0x1 1
  T2 Exec Env instrs   0x1 1
ISA feature 4 0x00011142
  Unprivileged instrs  0x2 2
  WithShifts instrs    0x4 4
  Writeback instrs     0x1 1
  SMC instrs           0x1 1
  Barrier instrs       0x1 1
  SynchPrim_instrs_frac 0x0 0
  PSR_M instrs         0x0 0
  -                    0x0 0
ISA feature 5 0x00000000
  -                    0x0 0
Cache level ID 0x09200003
  Cache type, level1   0x3 3 [Separate Icache, Dcache]
  Cache type, level2   0x0 0 [no cache]
  Cache type, level3   0x0 0 [no cache]
  Cache type, level4   0x0 0 [no cache]
  Cache type, level5   0x0 0 [no cache]
  Cache type, level6   0x0 0 [no cache]
  Cache type, level7   0x0 0 [no cache]
  Cache type, level8   0x1 1 [Icache only]
  Level of coherency   0x1 1
  Level of unification 0x1 1
  (zero)               0x0 0
Cache size ID reg (data, level0) 0x700FE019
  Line size in words   0x1 1 [8]
  Associativity        0x3 3 [4]
  Number of sets       0x7F 127 [128]
  Write allocation     0x1 1
  Read allocation      0x1 1
  Write back           0x1 1
  Write through        0x0 0
Cache size ID reg (inst, level0) 0x200FE019
  Line size in words   0x1 1 [8]
  Associativity        0x3 3 [4]
  Number of sets       0x7F 127 [128]
  Write allocation     0x0 0
  Read allocation      0x1 1
  Write back           0x0 0
  Write through        0x0 0
SCTLR      0x40C5187D
  MPU Enable           0x1 1
  Strict Align         0x0 0
  L1 DCache Enable     0x1 1
  - (SBO)              0xF 15
  - (SBZ)              0x0 0
  Branch Pred Enable   0x1 1
  L1 ICache Enable     0x1 1
  High Vectors         0x0 0
  Round Robin          0x0 0
  - (SBZ)              0x0 0
  - (SBO)              0x1 1
  MPU background reg   0x0 0
  - (SBO)              0x1 1
  Div0 exception       0x0 0
  - (SBZ)              0x0 0
  FIQ Enable           0x0 0
  - (SBO)              0x3 3
  VIC                  0x0 0
  CPSR E bit           0x0 0
  - (SBZ)              0x0 0
  NMFI                 0x0 0
  TRE                  0x0 0
  AFE                  0x0 0
  Thumb exceptions     0x1 1
  Big endian           0x0 0
ACTLR      0x00000045
  (raw value)          0x45 69
ACTLR2     0x00000701
  (raw value)          0x701 1793
CPACR      0xC0000000
  (raw value)          0xC0000000 -1073741824
DBGDIDR    0x35137041
  Revision             0x1 1
  Variant              0x4 4
  - (RAZ)              0x70 112
  Version              0x3 3 [v7 full]
  Context              0x1 1 [2]
  BRP                  0x5 5 [6]
  WRP                  0x3 3 [4]
DBGDRAR    0x00000000
  Valid                0x0 0
  - (UNK)              0x0 0
  Address              0x0 0 [0x00000000]
DBGDSAR    0x00030000
  Valid                0x0 0
  - (UNK)              0x0 0
  Address              0x30 48 [0x00030000]
DBGDSCR    0x03000002
  HALTED               0x0 0
  RESTARTED            0x1 1
  MOE                  0x0 0
  SDABORT_l            0x0 0
  ADABORT_l            0x0 0
  UND_l                0x0 0
  FS                   0x0 0
  DBGack               0x0 0
  INTdis               0x0 0
  UDCCdis              0x0 0
  ITRen                0x0 0
  HDBGen               0x0 0
  MDBGen               0x0 0
  SPIDdis              0x0 0
  SPNIDdis             0x0 0
  NS                   0x0 0
  ADAdiscard           0x0 0
  ExtDCCmode           0x0 0
  - (SBZ)              0x0 0
  InstrCompl_l         0x1 1
  PipeAdv              0x1 1
  TXfull_l             0x0 0
  RXfull_l             0x0 0
  - (SBZ)              0x0 0
  TXfull               0x0 0
  RXfull               0x0 0
  - (SBZ)              0x0 0

Difference from 200D: CPUINFO-200D-vs-M50.html (https://a1ex.magiclantern.fm/bleeding-edge/M50/CPUINFO-200D-vs-M50.html)



edit: updated ROM dumpers (SX740 untested):
DIGIC 8:  M50 (https://a1ex.magiclantern.fm/debug/portable-rom-dumper/new/DUMP_M50.FIR)  SX70 (https://a1ex.magiclantern.fm/debug/portable-rom-dumper/new/DUMPSX70.FIR)  SX740 (https://a1ex.magiclantern.fm/debug/portable-rom-dumper/new/DMPSX740.FIR)

and uploaded FIRs for getting the CPU info:
DIGIC 8:  M50 (https://a1ex.magiclantern.fm/debug/portable-cpuinfo/CPUI_M50.FIR)  SX70 (https://a1ex.magiclantern.fm/debug/portable-cpuinfo/CPUISX70.FIR)  SX740 (https://a1ex.magiclantern.fm/debug/portable-cpuinfo/CPUSX740.FIR)
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: leathc on January 16, 2019, 10:52:27 PM
edit: updated ROM dumpers (SX740 untested):
and uploaded FIRs for getting the CPU info:

I'll try these out on the real hardware. EDIT: for the M50 that is
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: leathc on January 16, 2019, 11:03:23 PM
those both run great on the M50, but I'm not actually seeing the dumps

it could be because I didn't format the card correctly or something I suppose
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: dfort on January 17, 2019, 06:34:02 AM
Really? DUMP_M50.FIR isn't working for you? Maybe try a smaller SD card though the new dumper should be able to work on the larger cards as long as it is formatted as FAT32.
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: leathc on January 17, 2019, 07:14:45 PM
Really? DUMP_M50.FIR isn't working for you? Maybe try a smaller SD card though the new dumper should be able to work on the larger cards as long as it is formatted as FAT32.

no I'm an idiot, I didn't do low level format

I have the dumps now, and RESCUE.log for the CPU info
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: cmku on January 21, 2019, 11:45:14 PM
I run this dump firmware on my M50

there is the log :)

Code: [Select]
Magic Lantern Rescue
 ----------------------------
 - Model ID: 0x412 M50
 - Camera model: Canon EOS KISS M
 - Firmware version: 1.0.1 / 6.8.0 34(00)
 - IMG naming: 100CANON/0127.JPG
 - User PS: ??? ??? ???
 - Boot flags: FIR=0 BOOT=0 RAM=-1 UPD=-1
 - ROMBASEADDR: 0xE0040000

CHDK CPU info for 0x412 M50
------------------------------
ID         0x414FC091
  Revision             0x1 1
  Part                 0xC09 3081
  ARM Arch             0xF 15
  Variant              0x4 4
  Implementor          0x41 65
Cache type 0x83338003
  Icache min words/line 0x3 3 [8]
  (zero)               0x0 0
  L1 Icache policy     0x2 2
  Dcache min words/line 0x3 3 [8]
  Exclusives Reservation Granule 0x3 3 [8]
  Cache Writeback Granule 0x3 3 [8]
  (zero)               0x0 0
  (register format)    0x4 4
TCM type   0x00000000
  (raw value)          0x0 0
MPU type   0x414FC091
  S                    0x1 1
  -                    0x48 72
  Num of MPU regions   0xC0 192
Multiprocessor ID 0x80000000
  (raw value)          0x80000000 -2147483648
Processor feature 0 0x00001231
  ARM inst set         0x1 1
  Thumb inst set       0x3 3
  Jazelle inst set     0x2 2
  ThumbEE inst set     0x1 1
  -                    0x0 0
Processor feature 1 0x00000011
  Programmers' model   0x1 1
  Security extensions  0x1 1
  Microcontr. prog model 0x0 0
  -                    0x0 0
Debug feature 0x00010444
  (raw value)          0x10444 66628
Aux feature 0x00000000
  (raw value)          0x0 0
Mem model feature 0 0x00100103
  VMSA support         0x3 3
  PMSA support         0x0 0
  Cache coherence      0x1 1
  Outer shareable      0x0 0
  TCM support          0x0 0
  Auxiliary registers  0x1 1
  FCSE support         0x0 0
  -                    0x0 0
Mem model feature 1 0x20000000
  L1 Harvard cache VA  0x0 0
  L1 unified cache VA  0x0 0
  L1 Harvard cache s/w 0x0 0
  L1 unified cache s/w 0x0 0
  L1 Harvard cache     0x0 0
  L1 unified cache     0x0 0
  L1 cache test & clean 0x0 0
  Branch predictor     0x2 2
Mem model feature 2 0x01230000
  L1 Harvard fg prefetch 0x0 0
  L1 Harvard bg prefetch 0x0 0
  L1 Harvard range     0x0 0
  Harvard TLB          0x0 0
  Unified TLB          0x3 3
  Mem barrier          0x2 2
  WFI stall            0x1 1
  HW access flag       0x0 0
Mem model feature 3 0x00102111
  Cache maintain MVA   0x1 1
  Cache maintain s/w   0x1 1
  BP maintain          0x1 1
  -                    0x102 258
  Supersection support 0x0 0
ISA feature 0 0x00101111
  Swap instrs          0x1 1
  Bitcount instrs      0x1 1
  Bitfield instrs      0x1 1
  CmpBranch instrs     0x1 1
  Coproc instrs        0x0 0
  Debug instrs         0x1 1
  Divide instrs        0x0 0
  -                    0x0 0
ISA feature 1 0x13112111
  Endian instrs        0x1 1
  Exception instrs     0x1 1
  Exception AR instrs  0x1 1
  Extend instrs        0x2 2
  IfThen instrs        0x1 1
  Immediate instrs     0x1 1
  Interwork instrs     0x3 3
  Jazelle instrs       0x1 1
ISA feature 2 0x21232041
  LoadStore instrs     0x1 1
  Memhint instrs       0x4 4
  MultiAccess Interruptible instructions 0x0 0
  Mult instrs          0x2 2
  MultS instrs         0x3 3
  MultU instrs         0x2 2
  PSR AR instrs        0x1 1
  Reversal instrs      0x2 2
ISA feature 3 0x11112131
  Saturate instrs      0x1 1
  SIMD instrs          0x3 3
  SVC instrs           0x1 1
  SynchPrim instrs     0x2 2
  TabBranch instrs     0x1 1
  ThumbCopy instrs     0x1 1
  TrueNOP instrs       0x1 1
  T2 Exec Env instrs   0x1 1
ISA feature 4 0x00011142
  Unprivileged instrs  0x2 2
  WithShifts instrs    0x4 4
  Writeback instrs     0x1 1
  SMC instrs           0x1 1
  Barrier instrs       0x1 1
  SynchPrim_instrs_frac 0x0 0
  PSR_M instrs         0x0 0
  -                    0x0 0
ISA feature 5 0x00000000
  -                    0x0 0
Cache level ID 0x09200003
  Cache type, level1   0x3 3 [Separate Icache, Dcache]
  Cache type, level2   0x0 0 [no cache]
  Cache type, level3   0x0 0 [no cache]
  Cache type, level4   0x0 0 [no cache]
  Cache type, level5   0x0 0 [no cache]
  Cache type, level6   0x0 0 [no cache]
  Cache type, level7   0x0 0 [no cache]
  Cache type, level8   0x1 1 [Icache only]
  Level of coherency   0x1 1
  Level of unification 0x1 1
  (zero)               0x0 0
Cache size ID reg (data, level0) 0x700FE019
  Line size in words   0x1 1 [8]
  Associativity        0x3 3 [4]
  Number of sets       0x7F 127 [128]
  Write allocation     0x1 1
  Read allocation      0x1 1
  Write back           0x1 1
  Write through        0x0 0
Cache size ID reg (inst, level0) 0x200FE019
  Line size in words   0x1 1 [8]
  Associativity        0x3 3 [4]
  Number of sets       0x7F 127 [128]
  Write allocation     0x0 0
  Read allocation      0x1 1
  Write back           0x0 0
  Write through        0x0 0
SCTLR      0x40C5187D
  MPU Enable           0x1 1
  Strict Align         0x0 0
  L1 DCache Enable     0x1 1
  - (SBO)              0xF 15
  - (SBZ)              0x0 0
  Branch Pred Enable   0x1 1
  L1 ICache Enable     0x1 1
  High Vectors         0x0 0
  Round Robin          0x0 0
  - (SBZ)              0x0 0
  - (SBO)              0x1 1
  MPU background reg   0x0 0
  - (SBO)              0x1 1
  Div0 exception       0x0 0
  - (SBZ)              0x0 0
  FIQ Enable           0x0 0
  - (SBO)              0x3 3
  VIC                  0x0 0
  CPSR E bit           0x0 0
  - (SBZ)              0x0 0
  NMFI                 0x0 0
  TRE                  0x0 0
  AFE                  0x0 0
  Thumb exceptions     0x1 1
  Big endian           0x0 0
ACTLR      0x00000045
  (raw value)          0x45 69
ACTLR2     0x00000701
  (raw value)          0x701 1793
CPACR      0xC0000000
  (raw value)          0xC0000000 -1073741824
DBGDIDR    0x35137041
  Revision             0x1 1
  Variant              0x4 4
  - (RAZ)              0x70 112
  Version              0x3 3 [v7 full]
  Context              0x1 1 [2]
  BRP                  0x5 5 [6]
  WRP                  0x3 3 [4]
DBGDRAR    0x00000000
  Valid                0x0 0
  - (UNK)              0x0 0
  Address              0x0 0 [0x00000000]
DBGDSAR    0x00030000
  Valid                0x0 0
  - (UNK)              0x0 0
  Address              0x30 48 [0x00030000]
DBGDSCR    0x03000002
  HALTED               0x0 0
  RESTARTED            0x1 1
  MOE                  0x0 0
  SDABORT_l            0x0 0
  ADABORT_l            0x0 0
  UND_l                0x0 0
  FS                   0x0 0
  DBGack               0x0 0
  INTdis               0x0 0
  UDCCdis              0x0 0
  ITRen                0x0 0
  HDBGen               0x0 0
  MDBGen               0x0 0
  SPIDdis              0x0 0
  SPNIDdis             0x0 0
  NS                   0x0 0
  ADAdiscard           0x0 0
  ExtDCCmode           0x0 0
  - (SBZ)              0x0 0
  InstrCompl_l         0x1 1
  PipeAdv              0x1 1
  TXfull_l             0x0 0
  RXfull_l             0x0 0
  - (SBZ)              0x0 0
  TXfull               0x0 0
  RXfull               0x0 0
  - (SBZ)              0x0 0

 - boot_read_sector 103604
 - boot_write_sector 10361a
 - 10362a: BL 104dc4
 - 10180B Card init => 2
 - Saving RESCUE.LOG ...
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: digiboy on February 05, 2019, 11:16:44 AM
Hello,
I have M50. I am Android programmer and my knowledge in embedded systems is small (easy AVR programming)
Are there any simple tasks that I could do?
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: a1ex on February 05, 2019, 03:54:06 PM
Since you mentioned AVR, what about this?

- find some UART (https://www.magiclantern.fm/forum/index.php?topic=7531) or JTAG (https://nada-labs.net/2014/finding-jtag-on-a-canon-elph100hs-ixus115/) port and attempt to communicate with it

Related: 600D (https://www.magiclantern.fm/forum/index.php?topic=7531.msg208794#msg208794) (successful) and R (https://www.magiclantern.fm/forum/index.php?topic=22770.msg210363#msg210363) (unsuccessful).

However, that would be of secondary importance for models in this thread, since we are already able to execute code alongside Canon's main firmware. It could be useful for interfacing with other peripherals, or - better not get there - for unbricking.

A better idea would be to start reading the thread, and also the threads for other recent models. Are there any tasks you could do? Are you able to run the firmware in QEMU? Are you able to push the emulation even further? Are you able to fix the logging code, which worked out of the box on 80D, 5D4 and 200D, but crashed on M50? (you will need QEMU for this one)

BTW - once you (or anyone else) are ready to run the proof of concept code (digic6-dumper branch) on your camera, I can enable the boot flag.
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: Karim on February 08, 2019, 04:56:36 AM
BTW - once you (or anyone else) are ready to run the proof of concept code (digic6-dumper branch) on your camera, I can enable the boot flag.
Is that digic6-dumper branch not safe to run on camera or what?
If my camera won't turn into a brick maybe I'll give it a shot
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: Walter Schulz on February 08, 2019, 05:16:07 AM
https://mobile.twitter.com/autoexec_bin/status/1086653394142617601?p=p#
See a1ex's answer dated 07:55 - 19. Jan. 2019
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: a1ex on February 08, 2019, 09:54:24 PM
See a1ex's answer dated 07:55 - 19. Jan. 2019

That answer was about ROM dumpers - these carry very little risk on new models. On M50, the ROM dumper was already confirmed to work, so the answer no longer applies.

Is that digic6-dumper branch not safe to run on camera or what?

The digic6-dumper branch works out of the box, but once you attempt to run the 80D experiments, it will fail. The issue is that Canon's DebugMsg is in RAM on DIGIC 6/7 (where we can override it easily), while on DIGIC 8 is in ROM (where we can override it with a little more coding). I didn't attempt to solve it yet, but I've documented the MMU configuration (https://chdk.setepontos.com/index.php?topic=13014.msg131247#msg131247) about 2 years ago.

Safety-wise, it's probably OK (but it's worth noting that Canon firmware reflashes the main ROM at shutdown (https://bitbucket.org/hudson/magic-lantern/pull-requests/825/prevent-canon-settings-from-being-saved/diff), so...)

If my camera won't turn into a brick maybe I'll give it a shot

I cannot guarantee that. Risks were explained for e.g. DIGIC 7 (https://www.magiclantern.fm/forum/index.php?topic=19737.75), 5D4 (https://www.magiclantern.fm/forum/index.php?topic=17695.msg208999#msg208999) etc. Enabling the boot flag will modify your camera, so there is a tiny chance of things going wrong when running this procedure on a new camera model.

Enabling the boot flag will enable anyone with (basic) programming skills to run the proof of concept code on their camera and experiment with it. You will still need QEMU for debugging and for understanding how your code will run. The logging code does not work yet; debugging will have to be done in QEMU. On hardware, you've only got LED blinks, file I/O (as long as the camera doesn't crash) and... display from bootloader context (but do check the 80D thread).

Still with me? If you are OK with the risks, just drop me a PM.
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: srsa on February 12, 2019, 05:45:49 PM
Not sure where to post this as it's both DIGIC 7 and 8 related.
I've noticed that D7 and D8 ports still have
Code: [Select]
-march=armv7-rin platform/(cam)/Makefile.platform.default
"armv7-r" means ARM Cortex R. The Cortex R supports integer divide instructions in Thumb mode, whereas the Cortex A9 does not. To avoid getting undefined instruction exceptions in the future, I'd suggest using
Code: [Select]
-march=armv7-ainstead.
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: a1ex on February 12, 2019, 09:29:51 PM
Thanks, I wasn't aware of this difference.
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: tn322201 on March 05, 2019, 03:03:50 PM
I am a new comer to magic lantern community. I have successfully dumped the ROM and CPU info from my M50. May I ask what this the next step in the development?

I was trying to use QEMU but do not know how to "clone" it to my computer. Consulting someone with experience could provide me with further steps in development.

Here is the attached CPU info:

Code: [Select]
 
Magic Lantern Rescue
 ----------------------------
 - Model ID: 0x412 M50
 - Camera model: Canon EOS KISS M
 - Firmware version: 1.0.1 / 6.8.0 34(00)
 - IMG naming: 100CANON/1900.JPG
 - User PS: ??? ??? ???
 - Boot flags: FIR=0 BOOT=0 RAM=-1 UPD=-1
 - ROMBASEADDR: 0xE0040000

CHDK CPU info for 0x412 M50
------------------------------
ID         0x414FC091
  Revision             0x1 1
  Part                 0xC09 3081
  ARM Arch             0xF 15
  Variant              0x4 4
  Implementor          0x41 65
Cache type 0x83338003
  Icache min words/line 0x3 3 [8]
  (zero)               0x0 0
  L1 Icache policy     0x2 2
  Dcache min words/line 0x3 3 [8]
  Exclusives Reservation Granule 0x3 3 [8]
  Cache Writeback Granule 0x3 3 [8]
  (zero)               0x0 0
  (register format)    0x4 4
TCM type   0x00000000
  (raw value)          0x0 0
MPU type   0x414FC091
  S                    0x1 1
  -                    0x48 72
  Num of MPU regions   0xC0 192
Multiprocessor ID 0x80000000
  (raw value)          0x80000000 -2147483648
Processor feature 0 0x00001231
  ARM inst set         0x1 1
  Thumb inst set       0x3 3
  Jazelle inst set     0x2 2
  ThumbEE inst set     0x1 1
  -                    0x0 0
Processor feature 1 0x00000011
  Programmers' model   0x1 1
  Security extensions  0x1 1
  Microcontr. prog model 0x0 0
  -                    0x0 0
Debug feature 0x00010444
  (raw value)          0x10444 66628
Aux feature 0x00000000
  (raw value)          0x0 0
Mem model feature 0 0x00100103
  VMSA support         0x3 3
  PMSA support         0x0 0
  Cache coherence      0x1 1
  Outer shareable      0x0 0
  TCM support          0x0 0
  Auxiliary registers  0x1 1
  FCSE support         0x0 0
  -                    0x0 0
Mem model feature 1 0x20000000
  L1 Harvard cache VA  0x0 0
  L1 unified cache VA  0x0 0
  L1 Harvard cache s/w 0x0 0
  L1 unified cache s/w 0x0 0
  L1 Harvard cache     0x0 0
  L1 unified cache     0x0 0
  L1 cache test & clean 0x0 0
  Branch predictor     0x2 2
Mem model feature 2 0x01230000
  L1 Harvard fg prefetch 0x0 0
  L1 Harvard bg prefetch 0x0 0
  L1 Harvard range     0x0 0
  Harvard TLB          0x0 0
  Unified TLB          0x3 3
  Mem barrier          0x2 2
  WFI stall            0x1 1
  HW access flag       0x0 0
Mem model feature 3 0x00102111
  Cache maintain MVA   0x1 1
  Cache maintain s/w   0x1 1
  BP maintain          0x1 1
  -                    0x102 258
  Supersection support 0x0 0
ISA feature 0 0x00101111
  Swap instrs          0x1 1
  Bitcount instrs      0x1 1
  Bitfield instrs      0x1 1
  CmpBranch instrs     0x1 1
  Coproc instrs        0x0 0
  Debug instrs         0x1 1
  Divide instrs        0x0 0
  -                    0x0 0
ISA feature 1 0x13112111
  Endian instrs        0x1 1
  Exception instrs     0x1 1
  Exception AR instrs  0x1 1
  Extend instrs        0x2 2
  IfThen instrs        0x1 1
  Immediate instrs     0x1 1
  Interwork instrs     0x3 3
  Jazelle instrs       0x1 1
ISA feature 2 0x21232041
  LoadStore instrs     0x1 1
  Memhint instrs       0x4 4
  MultiAccess Interruptible instructions 0x0 0
  Mult instrs          0x2 2
  MultS instrs         0x3 3
  MultU instrs         0x2 2
  PSR AR instrs        0x1 1
  Reversal instrs      0x2 2
ISA feature 3 0x11112131
  Saturate instrs      0x1 1
  SIMD instrs          0x3 3
  SVC instrs           0x1 1
  SynchPrim instrs     0x2 2
  TabBranch instrs     0x1 1
  ThumbCopy instrs     0x1 1
  TrueNOP instrs       0x1 1
  T2 Exec Env instrs   0x1 1
ISA feature 4 0x00011142
  Unprivileged instrs  0x2 2
  WithShifts instrs    0x4 4
  Writeback instrs     0x1 1
  SMC instrs           0x1 1
  Barrier instrs       0x1 1
  SynchPrim_instrs_frac 0x0 0
  PSR_M instrs         0x0 0
  -                    0x0 0
ISA feature 5 0x00000000
  -                    0x0 0
Cache level ID 0x09200003
  Cache type, level1   0x3 3 [Separate Icache, Dcache]
  Cache type, level2   0x0 0 [no cache]
  Cache type, level3   0x0 0 [no cache]
  Cache type, level4   0x0 0 [no cache]
  Cache type, level5   0x0 0 [no cache]
  Cache type, level6   0x0 0 [no cache]
  Cache type, level7   0x0 0 [no cache]
  Cache type, level8   0x1 1 [Icache only]
  Level of coherency   0x1 1
  Level of unification 0x1 1
  (zero)               0x0 0
Cache size ID reg (data, level0) 0x700FE019
  Line size in words   0x1 1 [8]
  Associativity        0x3 3 [4]
  Number of sets       0x7F 127 [128]
  Write allocation     0x1 1
  Read allocation      0x1 1
  Write back           0x1 1
  Write through        0x0 0
Cache size ID reg (inst, level0) 0x200FE019
  Line size in words   0x1 1 [8]
  Associativity        0x3 3 [4]
  Number of sets       0x7F 127 [128]
  Write allocation     0x0 0
  Read allocation      0x1 1
  Write back           0x0 0
  Write through        0x0 0
SCTLR      0x40C5187D
  MPU Enable           0x1 1
  Strict Align         0x0 0
  L1 DCache Enable     0x1 1
  - (SBO)              0xF 15
  - (SBZ)              0x0 0
  Branch Pred Enable   0x1 1
  L1 ICache Enable     0x1 1
  High Vectors         0x0 0
  Round Robin          0x0 0
  - (SBZ)              0x0 0
  - (SBO)              0x1 1
  MPU background reg   0x0 0
  - (SBO)              0x1 1
  Div0 exception       0x0 0
  - (SBZ)              0x0 0
  FIQ Enable           0x0 0
  - (SBO)              0x3 3
  VIC                  0x0 0
  CPSR E bit           0x0 0
  - (SBZ)              0x0 0
  NMFI                 0x0 0
  TRE                  0x0 0
  AFE                  0x0 0
  Thumb exceptions     0x1 1
  Big endian           0x0 0
ACTLR      0x00000045
  (raw value)          0x45 69
ACTLR2     0x00000701
  (raw value)          0x701 1793
CPACR      0xC0000000
  (raw value)          0xC0000000 -1073741824
DBGDIDR    0x35137041
  Revision             0x1 1
  Variant              0x4 4
  - (RAZ)              0x70 112
  Version              0x3 3 [v7 full]
  Context              0x1 1 [2]
  BRP                  0x5 5 [6]
  WRP                  0x3 3 [4]
DBGDRAR    0x00000000
  Valid                0x0 0
  - (UNK)              0x0 0
  Address              0x0 0 [0x00000000]
DBGDSAR    0x00030000
  Valid                0x0 0
  - (UNK)              0x0 0
  Address              0x30 48 [0x00030000]
DBGDSCR    0x03000002
  HALTED               0x0 0
  RESTARTED            0x1 1
  MOE                  0x0 0
  SDABORT_l            0x0 0
  ADABORT_l            0x0 0
  UND_l                0x0 0
  FS                   0x0 0
  DBGack               0x0 0
  INTdis               0x0 0
  UDCCdis              0x0 0
  ITRen                0x0 0
  HDBGen               0x0 0
  MDBGen               0x0 0
  SPIDdis              0x0 0
  SPNIDdis             0x0 0
  NS                   0x0 0
  ADAdiscard           0x0 0
  ExtDCCmode           0x0 0
  - (SBZ)              0x0 0
  InstrCompl_l         0x1 1
  PipeAdv              0x1 1
  TXfull_l             0x0 0
  RXfull_l             0x0 0
  - (SBZ)              0x0 0
  TXfull               0x0 0
  RXfull               0x0 0
  - (SBZ)              0x0 0

 - boot_read_sector 103604
 - boot_write_sector 10361a
 - 10362a: BL 104dc4
 - 10180B Card init => 2
 - Saving RESCUE.LOG ...
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: srsa on March 09, 2019, 03:33:45 PM
Just FYI, Canon has released firmware updates for
EOS M50 (1.0.2)
PowerShot SX740 (1.0.1)
PowerShot SX70 (1.1.0)
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: a1ex on March 09, 2019, 07:18:33 PM
In this case, it's probably best to upgrade the codebase now, while there are not too many stubs and other firmware-specific constants. That could be an easy coding task for newcomers, as it's just a matter of pattern matching between the two firmware versions (and it helps you get familiar, to some extent, with Canon's code structure).

For QEMU, if the main guide is hard to follow, refer to the sticky tweet and other videos on the forum (todo: link them in the guide), then apply the patch linked earlier. I'm cleaning up my local changes and putting them through the test suite for quite some time, but I keep bumping into test failures, so it's taking a bit longer, sorry about that...

As usual, once you are ready to run and debug the proof of concept code on the camera, I'm also ready to enable the boot flag. The procedure was already tested on EOS R, so I don't expect any surprises.
Title: Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
Post by: Greg on March 09, 2019, 10:44:10 PM
EOS M50 (1.0.2)

Code: [Select]
Firmware Version 1.0.2 incorporates the following fix:
1. Improves reliability of communication with external flashes.

It now works with yongnuo flash triggers.