Messages

The blinker linked above is just a simple LED test.

I've compiled a dumper for 7D2 bootloader, using the CHDK soundcard method, here: BDMP-7D2.FIR. The decoder is under contrib/led_blink_dumper in the digic6-dumper branch.

Hi Alex.

Thanks for that, unfortunately I have had to order a new diode so will have to wait till tomorrow.

One thing I have noticed is that the flashing appears to stop after 5mins. Isn't this too quick for a 30MB dump?

Shame the dump to card does not work.

I tried to use the blinker last night to get the firmware out
I seem to be having the same issue as Fraggy where every byte seems the same.

So i tested LCD Firmware... And it worked...
So next step is testing the extractor...
Got no sync...
Looks like every blink contains the same bit...

https://www.dropbox.com/s/2f91dqj1xd43t5b/7d2%20dump.png

Thanks for trying. Afraid it does not work. Camera locked up and wouldn't respond to power button or card flap. Had to take battery out.

https://www.dropbox.com/s/2vc6s05oi7tp0iz/7d2.png

There was an image embedded, but for some reason this forum does not like dropbox links in its own IMG tags? Untagged it now.

No need to thank me, i've not done anything.

Any luck with this bootflag Alex?
I see you have a dumper for 80d, any chance of one for 7D2? Would really like to get a look at the FW. Obviously bootflag is more important as I could craft my own dumper if bootflag was enabled.

Cheers

Hi A1ex

Responded to your other post, as did atonal.

As for bootflag firmware.
I was under the impression the bootflag is a simple switch using a known command ENABLEBOOTFLAG and not sending random commands?
As long as there is not a bootable card in containing an Autoexec.bin the camera should boot properly no?

I appreciate running an Autoexec.bin with bad code could be a big problem though.

I am happy to give it a try if my interpretation is correct.

Would like to get on with being able to dump firmware as I have a photodiode connected via a raspberry pi but the recordings appear very noisy (Might be due to the pi)

Anyway let me know and i'll do what I can to help. I have already managed to compile your autoexec.bin so customising the code should be ok this end.

Cheers

Hi A1ex

Here are pictures from my 7DII

It is running FW 1.0.5, let me know if you need me to downgrade.
https://www.dropbox.com/s/9qvn4ap1ckqernq/1.jpg
https://www.dropbox.com/s/rsfd39tuqqwjd2p/2.jpg
https://www.dropbox.com/s/iixu0uegfrdhfl7/3.jpg
https://www.dropbox.com/s/3p5n8c783di6w2e/4.jpg
https://www.dropbox.com/s/y3x0myw8m5nmb9b/5.jpg
https://www.dropbox.com/s/svsygseeoeigv6p/6.jpg

Seems atonal beat me too it, oh well they are there if needed and as stated from 1.0.5 fw,

Hi @A1ex

Just a quick update as I was getting myself upto speed. (Installing arm, Mercurial etc)

Anyway, spotted a little bug that might stumble some.
I tried the DUMMY7D2 and BLINK7D2 FIR files and they would not work.
Turns out if you have normal firmware files on your card the selection menu comes up and this triggers some kind of check which makes the two files invalid.
Renaming the other files got the BLINK7D2 file to work.

However I do not have a photodiode to dump the FW. Pity no one has done a headphone output instead (Given there is a photodiode to mic input method).

So i'll be pretty much stuck till I can dump the FW.

Anyway moving on.

I did compile your 7D2-dumper, but noted it only gives me Autoexec.bin and Magiclantern.bin and no .FIR file due to the missing build_fir7.py file which I understand to be the AES encryption to make a FIR file.

Any chance you can make a bootflag FIR file so I can get it to read the Autoexec.bin files as I understand they don't have to be encrypted and would allow me to help out.

Currently trying to get QEMU installed but I obviously won't be able to get that working without FW either.

Cheers.

Well I disappear for a short while and almost missed the boat!

Nope, I'm a bit stuck. Trying to jump to Canon firmware on the slave processor doesn't work (I need to see the bootloader code), and LED blinking from that processor doesn't work either. So, I have to understand the IPC mechanism (inter-processor communication, I guess) and how to use it from the master processor's bootloader (the place where I can run user code) in order to dump the slave bootloader.

The 80D will be easier, as I was able to jump to Canon firmware, but there I have trouble with self-modifying code (caches) on the new ARM architecture. I still have a few things to try, but the ARM documentation is a bit overwhelming for me (so, any help is welcome).

For 760D/750D, probably similar to 80D, I have no feedback (I sent a few copies of the firmware dumper, but there was no response from the testers).

Hi A1ex

I'm more than willing to help.
I have a 7D II, admittedly limited programming experience (Bit of python and C++) but indepth knowledge of decoding hex in unique applications/filesystems.
(Already mapped out the FW for 1.0.4 months ago then realised they encrypted it with new keys and no tool to extract)

Anyway, anything you want me to try i'd be more than happy to help.

Ok I have looked into this a bit more and it seems canon has added AES encryption to the loader and the firmware so will no longer work with dissect and decrypt.

From what I understand this key is not going to be disclosed by the group and so is going to be a non starter for anyone outside of the group who wants to decrypt the image to work on it.

I guess Pelican is on the inside of the group now as he has managed to decode it?

Any help would be appreciated.

Cheers

Hi Guys/Gals

Got a 7Dii here and looking to help get the ball rolling.
It has been a few years but I do remember getting the 450d to respond to the boot flag switch when messing with CHDK so willing to give it a try here.
Currently learning C# as my first programming language although I understand ML is in C.
Any help would be appreciated.