Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Topics - Maqs

Pages: [1]

here's some stuff I found. Doesn't work in LV though, as Canon locks the resources it needs (see ResLock stuff thread).

The following is by no means complete:

Code: [Select]
// start image player (driver only)
// there's also StartImagePlayer(...)
// start image play driver, returns handle
void *img_play_driver_handle = StartImagePlayDriver();

// do something with it
void *handle = Execute.....(img_play_driver_handle, params, cb, cb_priv);
wait for Execute... to finish, i.e. using a semaphore
// delete handle

// stop image play driver by handle
// stop image player

There's quite a list of things you can do:
  • void *ExecuteJpegAnalysis(void *img_play_driver_handle, struct jpeg_decode_params, void (jpeg_decode_cb)(void *cb_priv, int err), void *cb_priv);
    Analyze (as in decode, but return meta data only) a JPEG
  • void *ExecuteJpegDecoding(void *img_play_driver_handle, struct jpeg_decode_params, void (jpeg_decode_cb)(void *cb_priv, int err), void *cb_priv);
    Decode a JPEG
  • void *ExecuteYuvResizing(void *img_play_driver_handle, struct yuv_resize_params, void (yuv_resize_cb)(void *cb_priv, int err), void *cb_priv);
    Resize YUV buffer
  • void *ExecuteYuvRotating(void *img_play_driver_handle, struct yuv_rorate_params, void (yuv_rorate_cb)(void *cb_priv, int err), void *cb_priv);
    Rotate YUV buffer
  • void *ExecuteLowPassFilter(void *img_play_driver_handle, struct lpf_params, void (lpf_cb)(void *cb_priv, int err), void *cb_priv);
    Some low pass filter?
  • void *ExecuteRectangleCopy(void *img_play_driver_handle, struct rect_copy_params, void (rect_copy_cb)(void *cb_priv, int err), void *cb_priv);
    Rect to rect copying
  • void *ExecuteRectangleColoring(void *img_play_driver_handlestruct rect_color_params, void (rect_color_cb)(void *cb_priv, int err), void *cb_priv);
    Guess what ;-)
  • void *ExecuteJpegEncoding(void *img_play_driver_handle, struct jpeg_encode_params, void (jpeg_encode_cb)(void *cb_priv, int err), void *cb_priv);
    Encode jpeg

All the functions above result in a call to the specified callback with the specified value as the first and an error code (0 meaning success) as the second parameter. They immediately return with the return value being an image play driver handle that needs to be deleted _after the operation finishes_ using
Code: [Select]
DeleteImagePlayDriverHandle(void *handle);
The uninit functions can also be called from the callback, but Canon code usually uses a semaphore to wait after calling the Execute* function (GiveSemaphore in the callback, TakeSemaphore after the function call).

I only checked ExecuteJpegDecoding/ExecuteJpegAnalysis and ExecuteJpegEncoding so far. The parameters should be something like that:
Code: [Select]
struct jpeg_decode_params
  struct memSuite *in_suite; // needed!
  unsigned int in_size; // needed!
  int unknown_1;
  int unknown_2;
  int unknown_3;
  int out_addr; // address of output
  int out_size; // size of buffer for output?
  int x;
  int y;
  int width;
  int height;
  int Pfil;
  int PreRes;
  int xxa;
  int xxb;
  int xya;
  int xyb;

struct jpeg_encode_params
  int yuv_maybe; // always 1?
  void *baseAdd; // address in memory
  unsigned int baseW;
  int x;
  int y;
  int width;
  int height;
  int Pfil; // 1
  int PreRes; // 1
  int xxa; // 8
  int xya; // 8
  int jpgAdd; // allocated buffer for output
  unsigned int maxSize; // size in output buffer
  int unknown; // 2
  int Qscal; // 2
  unsigned int *size; // used to return real size, must not be NULL

Feel free to try around and fill in the gaps.  ;)

Camera-specific Development / Canon 6D
« on: May 01, 2015, 09:56:15 AM »
ML now has support for 6D.116: Nightly download

Please report any new bugs via the issue tracker. Please include the firmware version in your bug report.

You can find known (and partly obsolete) bugs here.

1) Format the card from the camera.
2) Make sure you are running Canon firmware 1.1.6.
3) Copy ML files on the card and run Firmware Update.

1) Run Firmware Update from your ML card.
2) Follow the instructions.

ML for the previous firmware version 1.1.3 (won't be updated):


the "NameService" is used by different parts of the firmware. One well-known place for this would be register_function/call.

register_function calls NameService_Lookup to check whether a function is already registered or not. If it's registered, it frees the memory used by the old entry and allocates new memory. At the end, NameService_Register is called to register the new function.
unregister_function calls NameService_Lookup and NameService_Unregister in that order. Besides the calls to the callback function, call(..) only calls NameService_Lookup.

None of the NameService functions deal with allocating or freeing memory for the stored data.

Below, you will find a quick overview over the structures and a few functions I found, some of them untested.

Code: [Select]
struct NameServiceEntry
    struct NameServiceEntry *next;
    void *data;
    char Name[];

struct NameService
    char *aNameService;
    int number_of_entries;
    int semaphore;
    int hash_table_size;
    void *ptr1;   // ptr to ptr1
    void *ptr2;   // ptr to ptr2
    struct NameServiceEntry *hash_table[hash_table_size];

// name will be used for the named semaphore created, can be zero if create_semaphore is 0
// if create_semaphore, creates (and uses) a semaphore
struct NameService *NameService_Create(char *name, int hash_table_size, int create_semaphore);

// Free NameService structures (not the data!).
// 0 on success
int NameService_Destroy(struct NameService *n);

// (Over)Write named entry.
// Will overwrite existing entries silently without free()ing it! Use NameService_Lookup first and free data.
// 0 on success
int NameService_Register(struct NameService *n, char *name, void *data);

// Remove named entry.
// 0 on success
int NameService_Unregister(struct NameService *n, char *name);

// Lookup named entry.
// 0 on success
int NameService_Lookup(struct NameService *n, char *name, void **data);     // 0 on success, data points to entry

// Calls callback for each NameService entry. This is useful for freeing all the data.
// 0 on success
int NameService_ForEach(struct NameService *n, void (*callback)(char *name, void *data, void *priv), void *priv);

// 0 if n is a NameService
int NameService_IsInstance(struct NameService *n);

// Internal hash function used by NameService.
int NameService_HashFunction(char *name);

Stubs for 6D.113:
Code: [Select]
FF32CD20 NameService_Create
FF32D304 NameService_Destroy
FF32D114 NameService_Register
FF32D124 NameService_Unregister
FF32D2EC NameService_Lookup
FF32D480 NameService_IsInstance
FF32D554 NameService_ForEach
FF32D5F4 NameService_HashFunction


I did a bit of GPS reverse engineering, resulting in the following experimental module that makes GPS accessible:


The compiled version only works for 6D.113 and 6D.116, but may work with any camera that supports built-in or external GPS. See source code (gpsinfo.c) for more information. I had to redefine both _prop_request_change and _prop_cleanup, as they are not exported and the ML core wrappers available do not work for that purpose. Therefore, the module refuses to run on other cameras/firmware versions.

The more adventurous among you with other cameras may try to point the two functions to the respective functions in your firmware, add is_camera("<your camera>", "<your firmware version>"), rebuild the module and run it at your own risk. Remember: your camera may blow up, come to life or other strange things.

You need to press set on one of the informational entries to update stuff, although the data will only be updated every "GPS refresh interval" internally in the hardware responsible. The GPS related properties I found are in gpsinfo.h.


PS: I just wanted to share what I've done so far. Feel free to improve stuff, ask questions etc.
PSS: The module is now called "", as objects with the same name as core objects will result in modules without any symbols being built.

Reverse Engineering / [6D] crypto and networking
« on: March 18, 2014, 02:20:00 PM »

I've just created a wiki page for some reverse engineering done for the Canon EOS 6D at

It contains some stuff I found out about a few month ago:

1. Networking

The same functions may or may not exist on the EOS 70D, which also has built in WiFi, and perhaps future cameras, but I think it's likely.

There's also IPv6 support, FTP functionality, DHCP, PTP over IP, ... and TLS hidden in the firmware.

2. Crypto

HMAC-SHA1, together with the networking functionality, could be used to implement OAuth and write a flickr/dropbox/... uploader.

Contributions are welcome!


Pages: [1]