Messages - emklap

Camera-specific Development / Re: Canon 80D
July 18, 2019, 10:37:56 AM
Hi a1ex,

Thanks for your reply. This manual will help people get started with the environment set-up much faster. I did get a system to work after several evenings of debugging and installing libraries and apps. In the end I was not confident that I had the proper set-up because my gdb logs/screens did not always match what I saw from others. That's where a pre-configured VM image could help. Uploading gigabytes of data doesn't make sense when a vanilla Ubuntu distro is the prerequisite.

I will go through the getting started guide and a video guide once again.

If not me, the guideline will for sure help others as well.

Camera-specific Development / Re: Canon 80D
July 17, 2019, 04:15:04 PM
I have seen offers to help several times on this forum, but I know from experience that the learning curve is steep, to say the least.

I have a VM machine set up with QEMU and ML myself and did do some analyses on the 80D code. The difficult thing for me was to get the compiler working and make QEMU run the compiled code. The compiler was constantly showing errors due to missing libraries which I then had to install. In the end I wasn't sure anymore if my set-up was correct and had to stop participating. :(

It would be a great help if someone could share a pre-setup VM image that could be downloaded and started by anyone with some knowledge of Linux and VMWare. That will give people a head-start and possibly kickstart the development. :D Possibly with a 1 page start-up guide.

Is anyone able and willing to share a VM Image? (if it is within the rules of this Forum of course.)

Camera-specific Development / Re: Canon 80D
June 01, 2018, 03:47:21 PM
Tested this new dumper, manually executed from 2GB card. The files look fine to me, 32 MB & 8 MB with what looks to me like real data.
Both BIN files contain data; SFDATA md5 matches previous ones, ROM1 md5 not.

2nd attempt on 128MB card + autoexecute.bin. Now background is normal (black) again.
New MD5 for ROM1.bin again, md5 SFDATA unchanged.

Camera-specific Development / Re: Canon 80D
June 01, 2018, 12:21:00 PM
Great to see some progress :-)

I found some time and have created new dumps on my camera again, just for fun (80D / 1.02). Any interest in the files ROM1.BIN and SFDATA.BIN?

By the way, I performed 2 attempts on two SD cards. The MD5s of SFDATA are matching, the ones for ROM1 are not.
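A small check for the situation described in this post and the one above it (two ROM1 dumps whose MD5s disagree while SFDATA matches). This is an added example, not code from the Magic Lantern project or the poster: it hashes both dumps and lists the exact byte ranges that differ, so a single bad sector read can be told apart from a whole-region mismatch. The sample dumps are constructed inline; real dumps would be read from the .BIN files on the card.

```python
import hashlib

# Constructed stand-ins for two ROM1 dump attempts (not real 80D data).
# With real files: DUMP_A = open("ROM1_attempt1.BIN", "rb").read(), etc.
DUMP_A = bytes(range(256)) * 4
_b = bytearray(DUMP_A)
_b[0x10:0x14] = b"\xde\xad\xbe\xef"   # a 4-byte region that differs
_b[0x300] ^= 0x01                     # a single flipped bit elsewhere
DUMP_B = bytes(_b)


def md5_hex(data: bytes) -> str:
    """MD5 of a dump, as printed by md5sum."""
    return hashlib.md5(data).hexdigest()


def diff_ranges(a: bytes, b: bytes):
    """Return [(start, end_exclusive), ...] for every run of differing bytes.
    A length mismatch is reported as one extra range covering the tail."""
    n = min(len(a), len(b))
    ranges, start = [], None
    for i in range(n):
        if a[i] != b[i]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, n))
    if len(a) != len(b):
        ranges.append((n, max(len(a), len(b))))
    return ranges


def compare_dumps(a: bytes, b: bytes) -> dict:
    """Summarise two dumps: hashes, whether they match, and where they differ."""
    ranges = diff_ranges(a, b)
    return {
        "md5_a": md5_hex(a),
        "md5_b": md5_hex(b),
        "match": a == b,
        "ranges": ranges,
        "bytes_differing": sum(end - start for start, end in ranges),
    }


if __name__ == "__main__":
    result = compare_dumps(DUMP_A, DUMP_B)
    print("match:", result["match"], "differing bytes:", result["bytes_differing"])
    for start, end in result["ranges"]:
        print(f"  0x{start:08X} - 0x{end - 1:08X}  ({end - start} bytes)")
```

A handful of tiny ranges at the same offsets across several attempts points at a volatile region in the ROM; large or scattered ranges point at a bad read.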

Camera-specific Development / Re: Canon 80D
April 25, 2018, 10:51:24 AM
Nice progress guys :-)

80D burst speeds according to Canon's website

Approximate Speed          | Shooting Conditions
Approx. 7 shots/sec.       | during High-speed continuous shooting
Max. approx. 5.0 shots/sec | during Live View shooting or when [Servo AF] is set.
Approx. 3 shots/sec.       | Low-speed continuous shooting / Silent continuous shooting

Camera-specific Development / Re: Canon 80D
December 21, 2017, 04:16:43 PM
Super!! :D

Camera-specific Development / Re: Canon 80D
June 14, 2017, 05:59:47 PM
:D, fresh install of Ubuntu 17 (64 BIT), toolchain 4.8.4 and qemu 2.5.0 did the trick

./ 80D,firmware="boot=1" -s -S & arm-none-eabi-gdb -x 80D/debugmsg.gdb

gives the display I wanted :)

Camera-specific Development / Re: Canon 80D
June 07, 2017, 10:37:01 PM
I'm Stuck >:(

I tried for several days to start the ROM dumper and the display test in qemu 1.6 but no luck. Can someone help me? This is what I tried so far.

I updated the file qemu/qemu-1.6.0/hw/arm/eos.c and added the lines
ML_MACHINE(80D,   0xFE0A0000);
EOS_MACHINE(80D,  0xFE0A0000);

I also tried 0xFC000000 and 0xFC000008

In the folder magiclantern/magic-lantern/platform I created a new folder (80D.102) and copied all files from the folder of the 60D fw 1.1.1.
I added 80D.102 to the Makefile of ML.
Updated the files Makefile and Makefile.platform.default located in the 80D.102 folder to reflect the 80D.
I used the following addresses in Makefile.platform.default in the 80D.102 folder.

#Makefile.setup.platform for 80D

FIRMWARE_ID = 0x80000350
FIR_BASE = 0x00800120
AUTOEXEC_BASE = 0x00800000

RESTARTSTART    = 0x001CC400
ROMBASEADDR     = 0xFE0A0000
ML_SRC_PROFILE  = minimal

Now the command make fails (FYI if I set "ML_SRC_PROFILE = generic" the make command finishes without errors).

The make command fails with the error:
minimal.c: In function 'my_create_init_task':
minimal.c:72:5: error: too many arguments to function 'create_init_task'
In file included from ../../src/dryos.h:41:0,
                 from minimal.c:5:
../../src/tasks.h:104:1: note: declared here

When changing the line in task.h to
create_init_task( int a, int b, int c );
I get further but now the make command stops with a new error.
The new error is
font_direct.o: In function `font_draw':
font_direct.c:(.text+0xb0): undefined reference to `disp_set_pixel'
make: *** [magiclantern] Error 1

I am sure that disp_set_pixel is declared but the linker doesn't think so.

Can someone give me some tips / hints? What am I doing wrong, or what do I need to do to get the display test or ROM dumper running in QEMU?

This happens when I start qemu. I used the duplicated ROM from my 80D.102 to get a 64MB BIN file.

make: Leaving directory `/home/magiclantern/qemu/qemu-1.6.0'
00000000 - 00000FFF: eos.tcm_code
40000000 - 40000FFF: eos.tcm_data
00001000 - 3FFFFFFF: eos.ram
40001000 - 7FFFFFFF: eos.ram_uncached
F0000000 - F0FFFFFF: eos.rom0
F1000000 - F1FFFFFF: eos.rom0_mirror_F1
F2000000 - F2FFFFFF: eos.rom0_mirror_F2
F3000000 - F3FFFFFF: eos.rom0_mirror_F3
F4000000 - F4FFFFFF: eos.rom0_mirror_F4
F5000000 - F5FFFFFF: eos.rom0_mirror_F5
F6000000 - F6FFFFFF: eos.rom0_mirror_F6
F7000000 - F7FFFFFF: eos.rom0_mirror_F7
F8000000 - F8FFFFFF: eos.rom1
F9000000 - F9FFFFFF: eos.rom1_mirror_F9
FA000000 - FAFFFFFF: eos.rom1_mirror_FA
FB000000 - FBFFFFFF: eos.rom1_mirror_FB
FC000000 - FCFFFFFF: eos.rom1_mirror_FC
FD000000 - FDFFFFFF: eos.rom1_mirror_FD
FE000000 - FEFFFFFF: eos.rom1_mirror_FE
FF000000 - FFFFFFFF: eos.rom1_mirror_FF
C0000000 - CFFFFFFF: eos.iomem
[EOS] loading 'ROM-80D.BIN' to 0xF0000000-0xF3FFFFFF
[EOS] loading 'ROM-80D.BIN' to 0xF8000000-0xFBFFFFFF

When I run ML-80D it loads autoexec.bin and qemu-helper.bin like this:

[EOS] loading 'ROM-80D.BIN' to 0xF0000000-0xF3FFFFFF
[EOS] loading 'ROM-80D.BIN' to 0xF8000000-0xFBFFFFFF
[EOS] loading 'autoexec.bin' to 0x00800000-0x0080207F
[EOS] loading 'qemu-helper.bin' to 0x30000000-0x30008C9F
[QEMU_HELPER] stub ff86af64 -> 30000130 (d195d000)
[QEMU_HELPER] stub ff9abbf4 -> 30000768 (ce83cf89)
[QEMU_HELPER] stub ff9abd20 -> 3000073c (294b2030)
[QEMU_HELPER] stub ff9abe20 -> 3000010c (93b8e0b2)
[QEMU_HELPER] stub ff9ab304 -> 3000027c (64616c62)
[QEMU_HELPER] stub ff9aac68 -> 300000dc (e3a781e3)
[QEMU_HELPER] stub ff9aabb4 -> 3000022c (e080a0ee)
[QEMU_HELPER] stub ff9aafa0 -> 3000033c (6f76754e)
[QEMU_HELPER] stub ff9ab150 -> 30000078 (36206163)
[QEMU_HELPER] stub ff9aad10 -> 30000054 (617262)
[QEMU_HELPER] stub ff9ab050 -> 30000830 (a4e5b498)
[QEMU_HELPER] stub ff85f0f0 -> 300001b8 (84cfb7ce)
[QEMU_HELPER] stub ff85f228 -> 3000019c (b49be583)
[QEMU_HELPER] stub ff9a8170 -> 30000184 (baef208b)

which gets followed by endless lines like this:
[???] [0xE0411003] -> [0xCFFF9534] PC: 0x00000004
[???] [0xE12FFF1E] -> [0xCFFF9538] PC: 0x00000004
[???] [0xFF811DC0] -> [0xCFFF953C] PC: 0x00000004
[???] [0xE0030092] -> [0xCFFF9520] PC: 0x00000004
[???] [0xE0411003] -> [0xCFFF9524] PC: 0x00000004
[???] [0xE12FFF1E] -> [0xCFFF9528] PC: 0x00000004
[???] [0xFF811DC0] -> [0xCFFF952C] PC: 0x00000004
[???] [0xE0030092] -> [0xCFFF9510] PC: 0x00000004
[???] [0xE0411003] -> [0xCFFF9514] PC: 0x00000004
[???] [0xE12FFF1E] -> [0xCFFF9518] PC: 0x00000004
[???] [0xFF811DC0] -> [0xCFFF951C] PC: 0x00000004

Again, can someone give me some tips / hints? What am I doing wrong, or what do I need to do to get the display test or ROM dumper running in QEMU?
After that I would like to create my own bin file, rename it to autoexec.bin and load this file.

Quote from: Chellyandruu on August 18, 2016, 06:18:12 PM
hey ALEX, on the 80d i got the same information as atonal got on the 7d2. only difference was the first line which read -
CHDK CPU info for 0x350 80d
ID              0x411FC143
If you need picture proof just tell me.

80D FW 1.02: I have similar data but a few lines more on page 1 and page 4.

Extra on page 1
Multiprocessor ID  0x00000000
  (raw value)           0x0 0

Extra on page 4
SCTRL        0x08E5187D
  (raw value)           0x08E5187D 149231741
ACTRL        0x00000030
  (raw value)           0x20 32
ACTRL2        0x00000000
  (raw value)           0x0 0
CPACR        0x00000000
  (raw value)           0x0 0

Page 1

Page 4

Camera-specific Development / Re: Canon 80D
May 15, 2017, 12:54:33 PM
Hi A1ex,

Yes, I am the emklap of CHDK, there are not many of me around :D
I already set IDA to ARMv7 A&R, didn't see any immediate change. I have no performance degradation with the entire FW bootloader & ROM RAM loaded in one IDA project, but the suggestion to split it is a nice one, might try that myself as well.

Next steps for me will be to get QEMU up and running and to adjust the CHDK IDC Scripts for my project.
I have limited time over the next weekends so it might take some time but I will report my progress in due time. I catch up with ARM disassembly as well.

Camera-specific Development / Re: Canon 80D
May 11, 2017, 09:44:29 PM
Hi, I'm new here and have started on 80D reverse engineering.

I made custom firmware for the EOS 300D a long time back and think it's fun to try to port ML to the 80D.

I have VirtualBox set up and am able to compile the ML code, qemu still needs to be set up.

I use 80D FW1.0.2 because that was on my camera and could not find FW 1.0.1. The ROM dumper worked fine and gave me three ROM1 dumps, one with a valid CRC.

I duplicated the file and loaded it into IDA with offset 0xFC000000 and analysis of the code went smoothly. I now need to run an idc script because the automatic analysis does not recognize the first character of strings. See if my old code still works :-)

Also the perl script ran fine giving me lots of strings to work with. Some (2x) 330,000, way too many :D to work with, and I need to somehow remove the ones that do not make sense.

Start of code looks like this:
ROM:FC000000 ; Processor       : ARM
ROM:FC000000 ; ARM architecture: metaarm
ROM:FC000000 ; Target assembler: Generic assembler for ARM
ROM:FC000000 ; Byte sex        : Little endian
ROM:FC000000 ; ===========================================================================
ROM:FC000000 ; Segment type: Pure code
ROM:FC000000                 AREA ROM, CODE, READWRITE, ALIGN=0
ROM:FC000000                 ; ORG 0xFC000000
ROM:FC000000                 CODE32
ROM:FC000000 loc_FC000000                            ; DATA XREF: sub_FC0274EC+34r
ROM:FC000000                                         ; sub_FC0274EC+40w
ROM:FC000000                 STC2            p0, c0, [R0], {8}
ROM:FC000004                 STC2            p0, c0, [R0], {0x48}
ROM:FC000008                 MOV             R0, #0
ROM:FC00000C                 MCR             p15, 0, R0,c6,c2, 0
ROM:FC000010                 MOV             R0, #0
ROM:FC000014                 MCR             p15, 0, R0,c6,c1, 0
ROM:FC000018                 MOV             R0, #0x3F
ROM:FC00001C                 MCR             p15, 0, R0,c6,c1, 2
ROM:FC000020                 MOV             R0, #0x320
ROM:FC000024                 MCR             p15, 0, R0,c6,c1, 4
ROM:FC000028                 MRC             p15, 0, R0,c1,c0, 0
ROM:FC00002C                 BIC             R0, R0, #0x20000
ROM:FC000030                 ORR             R0, R0, #1
ROM:FC000034                 DSB             SY
ROM:FC000038                 MCR             p15, 0, R0,c1,c0, 0
ROM:FC00003C                 ISB             SY
ROM:FC000040                 LDR             PC, =0xFE020000

and on FE0A0000 like this:
ROM:FE0A0000                         ; ---------------------------------------------------------------------------
ROM:FE0A0000                         ; START OF FUNCTION CHUNK FOR sub_FE020000
ROM:FE0A0000                         loc_FE0A0000                            ; CODE XREF: ROM:FC020E78j
ROM:FE0A0000                                                                 ; sub_FE020000+E78j
ROM:FE0A0000                                                                 ; DATA XREF: ROM:FC020E74o
ROM:FE0A0000                                                                 ; ROM:off_FC021278o ...
ROM:FE0A0000 04 00 8F E2                             ADR             R0, loc_FE0A000C
ROM:FE0A0004 01 00 80 E3                             ORR             R0, R0, #1
ROM:FE0A0008 10 FF 2F E1                             BX              R0 ; loc_FE0A000C
ROM:FE0A000C                         ; ---------------------------------------------------------------------------
ROM:FE0A000C                                         CODE16
ROM:FE0A000C                         loc_FE0A000C                            ; CODE XREF: sub_FE020000+80008j
ROM:FE0A000C                                                                 ; DATA XREF: sub_FE020000:loc_FE0A0000o
ROM:FE0A000C 40 F2 00 00 C0 F2 00 00                 MOV             R0, #0
ROM:FE0A0014 40 F2 38 03 C0 F2 00 03                 MOV             R3, #0x38
ROM:FE0A001C 20 F0 01 00                             BIC.W           R0, R0, #1
ROM:FE0A0020 23 F0 01 03                             BIC.W           R3, R3, #1
ROM:FE0A0024 40 F2 00 01 C0 F2 00 01                 MOV             R1, #0
ROM:FE0A002C                         loc_FE0A002C                            ; CODE XREF: sub_FE020000+80038j
ROM:FE0A002C 98 42                                   CMP             R0, R3
ROM:FE0A002E 3C BF                                   ITT CC
ROM:FE0A0030 50 F8 04 2B                             LDRCC.W         R2, [R0],#4
ROM:FE0A0034 41 F8 04 2B                             STRCC.W         R2, [R1],#4
ROM:FE0A0038 F8 D3                                   BCC             loc_FE0A002C
ROM:FE0A003A 4F F0 01 00                             MOV.W           R0, #1
ROM:FE0A003E 06 EE 12 0F                             MCR             p15, 0, R0,c6,c2, 0
ROM:FE0A0042 40 F2 21 11                             MOVW            R1, #0x121
ROM:FE0A0046 06 EE 91 1F                             MCR             p15, 0, R1,c6,c1, 4
ROM:FE0A004A BF F3 4F 8F                             DSB.W           SY
ROM:FE0A004E 19 EE 11 0F                             MRC             p15, 0, R0,c9,c1, 0
ROM:FE0A0052 00 F0 7D 00                             AND.W           R0, R0, #0x7D
ROM:FE0A0056 40 F2 01 01 C8 F2 00 01                 MOV             R1, #0x80000001
ROM:FE0A005E 40 EA 01 00                             ORR.W           R0, R0, R1
ROM:FE0A0062 09 EE 11 0F                             MCR             p15, 0, R0,c9,c1, 0
ROM:FE0A0066 40 F6 00 00 C8 F2 00 00                 MOV             R0, #0x80000800

The next step is to find stubs but I have no clue where to start, IDA shows just over 100000 functions!! Again, where do I start????
Can anyone provide some tips, e.g. which functions are important to find and which not? Are there some easy ones to start with?
Are there idc scripts available that can do some of the work for me/us?

Looking forward to some coding time