Messages - g3gg0

#2751
but that card is cool :)
(if its true)
#2752
Reverse Engineering / Re: ARM + EOS Emulator
September 29, 2012, 01:55:48 AM
i updated the description in the first post.
you can checkout TriX and the emulator plugins from my SVN.
#2753
User Introduction / Re: Hello- trying to learn & donate
September 28, 2012, 09:50:31 PM
welcome ;)
#2754
Reverse Engineering / Re: ARM + EOS Emulator
September 28, 2012, 08:34:02 PM
Quote from: jplxpto on September 28, 2012, 03:58:59 AM
Thanks for your explanation ... either way I had managed to follow these steps. These files are new? had some correction?

yes i added some new features like MRC/MCR handling of basis CP15 functions.
this is needed e.g. for setting up cache etc. and some HWemu function.
its not complete yet.

are you interested in the source code of TriX/ARMulate/HWemuEOS?
#2755
Reverse Engineering / Re: ARM + EOS Emulator
September 27, 2012, 02:27:38 PM
Quote from: 1% on September 25, 2012, 09:19:25 PM
Input device unique? Is that the serial.

not sure, it might be the signature for signing "authentic" camera photos?
afaik this feature was disabled because it was already hacked.
#2756
Reverse Engineering / Re: ARM + EOS Emulator
September 27, 2012, 02:26:06 PM
using this ARMulate plugin:
http://upload.g3gg0.de/pub_files/94598913edfe93f9c9b556a1f02bf925/TriX_ARMulate.txp

and this HWEmuEOS plugin:
http://upload.g3gg0.de/pub_files/2770e0e87a7c7a8ac36e441e072cfdda/TriX_HWemuEOS.txp

you should get a bit further.
it might lock somewhere in CF code.
if you tell me some 0xC0... registers, how they should behave, i can implement this.

but you still should be able to boot the ROMUTIL.
simply execute until 0xFFFF0320 (using '8', 'FFFF0320') then skip that one BL instruction that
executes FROMUTIL (this causes emulator to hang with some output on terminal)

simply continue execution at FFFF0324 and you get the ROMUTIL asking you what to do ;)
#2757
Reverse Engineering / Re: ARM + EOS Emulator
September 25, 2012, 07:57:28 PM
are you sure about all the addresses?
sure that at the address is a valid instruction (try setting PC manually there)

can you upload the firmware file (http://upload.g3gg0.de/) and tell me the start address?
#2758
Reverse Engineering / Re: ARM + EOS Emulator
September 24, 2012, 09:20:47 PM
Quote from: nanomad on September 24, 2012, 06:47:00 PM
Uhm, weird. I'm loading the 600D bin you provided and it looks like it boots into some kind of factory mode for K286. It prints the first message then hangs
The last routine called is at 0xFFFF18F8

press enter in the "Terminal" window ;)

you are booting the bootloader.
to boot normal firmware, modify the .trx file or set the PC (register 15) manually to 0xf8010000
#2759
Reverse Engineering / Re: ARM + EOS Emulator
September 24, 2012, 06:37:47 PM
Quote from: nanomad on September 24, 2012, 04:46:26 PM
Well, after trying the emulator I have to admit it's quite powerful. One question, how far in the firmware execution can you go?

thanks ;)
well, after patching one data word in flash (no idea why this was necessary) the os booted and started tasks.
task switching worked, as i emulated the timer interrupt too.
not sure if this is still in the current version.

the patch i made is below.
it will not work anymore, since the flash data cannot simply be written with a SetWord due to the flash ic emulation.
best is to do this in original flash image file :)
Quote
    // some timeout? set to 1 else debugmsg will fail :(
    SetWord(0xF85A1630, 1);

i got a lot debug messages during boot.
cant find where ive stored the logs atm :)

#2760
Reverse Engineering / Re: ARM + EOS Emulator
September 24, 2012, 03:39:53 PM
makes most sense with IDA pro :)
#2761
Reverse Engineering / Re: ARM + EOS Emulator
September 24, 2012, 12:48:31 PM
and if you dont start the GDB stub with '17', but you start execution normally ('8' (run until) then '0' (or any other address))
you will see the boot rom output in the terminal window.

it is waiting for input there. you can enter commands in this terminal window like testing audio ;)
but of course many things wont work. but it is helpful for testing how things work.
e.g. setting boot flags or PAL/NTSC parameters should work in this version as flash emulation is integrated.

pressing ctrl-c in terminal will break execution
#2762
Reverse Engineering / Re: ARM + EOS Emulator
September 24, 2012, 12:41:20 PM
uuh, well a lot :)
it is a patcher platform that is scriptable and has plugins.
so there are some techniques that are e.g. loading DLLs into RAM by injecting in EXE etc.
that is for loading encrypted plugins. but not used here in this example.

i (ab)use my TriX to load a ARM emulator and a ARM disassembler plugin and control that with a script (.trx).
these scripts are C-code that gets compiled dynamically.

its open source too and also contains a plugin named HWemu_EOS which emulates the DIGiC behavior.
e.g. serial port, DMA timers and even flash chip emulation with reflashing etc.
#2763
Reverse Engineering / ARM + EOS Emulator
September 24, 2012, 12:08:57 AM
well, i think i can make it public.

1. ready-to-run package

Quote
i added GDB stubs to my emulator.
what this means?
you can use IDA Pro to connect to the emulator and step through code using breakpoints, dumping memory etc etc.
check contents of main routine at line 938 and make fit them to your firmware.

1. start TriX
2. select your firmware image as input file
3. click on "Scripts" tab ("General", "Scripts", "Editor")
4. click the lens at the bottom, right of "Script" and the textbox
5. choose "armulate_shell_eos.trx"
6. click "Add" button at bottom
7. click "Start" in the top toolbar
8. a few register/disassembly windows pop up
9. arrange them that you see every window
10. in the main dialog again where it asks you "Your choice", below is a text box. enter the number "16" and press enter


then in IDA just connect to localhost, port 23946 using gdb as debugger interface.

before connecting: in "Debugger Setup", "Set specific options" you should set "Max packet size" to 512
and in same window under "Memory map" you have to insert (rightclick into the list) a new memory segment which
starts at 0x000000 and ends at 0xFFFFFFFE, base 0, 32 bit, read only. delete the old one, if one is defined.

enjoy :)

http://upload.g3gg0.de/pub_files/0e7cc977a512c2168003a4ceb0e82932/TriX_EOS.7z

2. do-it-all-yourself repository

1. get a SVN client (e.g. TortoiseSVN)
2. checkout http://svn.g3gg0.de/svn/default/trunk/nokia/TriX/  (user: trix, pass: trix)
3. get Visual Studio 2008 (v9.0)
4. get Qt SDK (e.g. i have v4.5.1) and build/install *
5. set environment variable QTDIR to your Qt-Dir (that contains bin, lib, include, tools, ...) *
6. open \platform\msvc\TriX.sln
7. rebuild all

* = if you cannot get the project "TriX" compiling because of Qt issues, but the plugins TriX_DisARM, TriX_ARMulate, TriX_HWemuEOS are building fine, then it is also okay.
the most important stuff for emulating canon firmware is in HWemuEOS anyway.
#2764
does it disappear when you start without ML?
tried to reset your ML config?
#2765
well, i implemented a GDB interface in my ARM emulator.
i think i can do it in camera too, using cache hacks.
(using PTP as "gateway")

but you only can debug non-time-critical code like ML tasks or some background tasks.
i am afraid that some watchdog will cause ERRxx when stopping some canon code.

but worth a try.
#2766
Archived porting threads / Re: Canon 6D support?
September 17, 2012, 08:43:33 PM
Quote from: a1ex on September 17, 2012, 07:38:15 PM
Not sure what you mean, but ML bracketing can shoot at different ISOs, and if it's too dark, it goes to Bulb mode.

to complete my (off topic) idea:
in bulb mode multiple "frames" are merged without any shutter/mirror action between them.
my idea was to use this feature to make multiple exposures with different ISOs there.
if we can shorten the software exposure time, it might get smth like "instant-HDR" image as the whole HDR might take only 3*exposure time and has no shutter action between.

get my idea? :)
#2767
Archived porting threads / Re: Canon 6D support?
September 17, 2012, 07:32:43 PM
btw, alex.

cant we do this in "bulb exposure mode" too?
vary ISO and then abort early after some ISOs.
and then add custom postprocessing.. hmm

what do you think?
#2768
General Help Q&A / Re: 5D MKII Problem after Using ML
September 17, 2012, 12:08:14 PM
can you try both without any card?
do both cameras have the same firmware version?
#2769
Archived porting threads / Re: Canon 5D Mark III
September 08, 2012, 12:43:03 AM
yeah, but then still a way of remapping flash is missing :)
#2770
Archived porting threads / Re: Canon 5D Mark III
September 07, 2012, 11:52:51 PM
Quote from: EDGERIDER on September 07, 2012, 02:27:28 PM
just for fun and for those who like Time-lapse here is a Time-lapse of 140 000 tilt and shift stills that I have done for Disney with my colleague Daniel Meyer :

just one word: wow!

about overclocking: the last time i looked at the registers, they looked as if there was no chance to increase the cpu speed.
we might win more, if we were able to allocate enough ram for copying firmware there and the chance to remap flash memory address to this RAM.
a speedup up to factor 2 could be possible for code execution.
#2771
Feature Requests / Re: Single frame info in the video
September 03, 2012, 05:45:32 PM
well, its technically possible.

but as this is some very special modification that probably noone else will need, i doubt that this will be done.

maybe it is doable with a plugin, specially developed for you.
it could preload a .422 file (containing static info like camera# etc) into RAM and overwrite the first few frames.
for the time and other numbers, it could load separate character bitmaps and write them into the frame too.

so its possible and someone can try to implement that concept for you - if you can convince him.

which camera model do you talk about?
#2772
well, we can use RAM starting at 0x40000000.
this area isnt cleared completely imho. (right?)

so we could do that:

    uint32_t *mlSaveBuf = (uint32_t*) 0x40100000;

    mlSaveBuf[3] = data...;
    mlSaveBuf[...] = ...;

    /* set data valid flag */
    mlSaveBuf[0] = SAVE_MAGIC_1;
    mlSaveBuf[1] = SAVE_MAGIC_2;

and upon startup, ML can read that area and compare for the magic, rewrite settings and clear the magic flags.

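The save/restore round trip sketched in the post above, as an added example that is not g3gg0's or ML's code: a constructed array stands in for the RAM at 0x40100000, the magic values and the checksum word are placeholders chosen here, and the checksum is an addition beyond the post so that a half-cleared or corrupted block is rejected instead of being applied.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for the uncleared RAM at 0x40100000 from the post;
 * on the camera mlSaveBuf would be the raw pointer instead. */
uint32_t fake_ram[64];

/* Placeholder magic values, not ML's real constants. */
#define SAVE_MAGIC_1 0x4D4C5356u
#define SAVE_MAGIC_2 0x5F434647u
#define SAVE_NWORDS  8   /* settings words stored after the header */

/* Layout: [0]=magic1 [1]=magic2 [2]=checksum [3..]=settings words. */
static uint32_t checksum(const uint32_t *w, unsigned n) {
    uint32_t s = 0x12345678u;
    for (unsigned i = 0; i < n; i++) s = (s << 5) ^ (s >> 27) ^ w[i];
    return s;
}

/* Before restart: settings first, checksum next, magic last, so a block
 * that was only partially written is never taken as valid. */
void ml_save_settings(uint32_t *buf, const uint32_t *settings) {
    buf[0] = buf[1] = 0;                      /* invalidate stale block */
    memcpy(&buf[3], settings, SAVE_NWORDS * sizeof(uint32_t));
    buf[2] = checksum(&buf[3], SAVE_NWORDS);
    buf[0] = SAVE_MAGIC_1;
    buf[1] = SAVE_MAGIC_2;
}

/* On startup: 1 = settings restored, 0 = nothing saved, -1 = block was
 * corrupted. The magic is cleared either way so it is applied only once. */
int ml_restore_settings(uint32_t *buf, uint32_t *settings) {
    if (buf[0] != SAVE_MAGIC_1 || buf[1] != SAVE_MAGIC_2) return 0;
    buf[0] = buf[1] = 0;
    if (buf[2] != checksum(&buf[3], SAVE_NWORDS)) return -1;
    memcpy(settings, &buf[3], SAVE_NWORDS * sizeof(uint32_t));
    return 1;
}

/* Constructed demo: returns the number of checks that behaved as expected. */
uint32_t demo_in[SAVE_NWORDS] = {1, 2, 3, 4, 5, 6, 7, 8}, demo_out[SAVE_NWORDS];
int ml_demo(void) {
    int ok = 0;
    ok += ml_restore_settings(fake_ram, demo_out) == 0;      /* cold RAM */
    ml_save_settings(fake_ram, demo_in);
    ok += ml_restore_settings(fake_ram, demo_out) == 1
       && memcmp(demo_in, demo_out, sizeof demo_out) == 0;   /* round trip */
    ok += ml_restore_settings(fake_ram, demo_out) == 0;      /* applied once */
    ml_save_settings(fake_ram, demo_in);
    fake_ram[5] ^= 1;                                        /* bit flip */
    ok += ml_restore_settings(fake_ram, demo_out) == -1 && fake_ram[0] == 0;
    return ok;
}
```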
#2773
weird.

there was a "FIO_Flush" or similar somewhere. maybe calling it explicitly helps?
does that happen after an exact amount of bytes or call count?

#2774
did you check the returncode of FIO_WriteFile?
maybe the write buffer gets full and if writing into a full buffer would cause such behavior?
#2775
Feature Requests / Re: Single frame info in the video
September 03, 2012, 12:11:11 AM
could be also done while recording.
but we should know *what* to display...