Messages

if you need a 64 bit capable hex editor, use HxD

http://www.jongbel.com/download/AtomBoxStudio_Trial.msi

this tool is quite helpful for analyzing the structure

from: http://multimedia.cx/mirror/qtff-2007-09-04.pdf

Extended Size
If the size field of an atom is set to 1, the type field is followed by a 64-bit extended size
field, which contains the actual size of the atom as a 64-bit unsigned integer. This is used when
the size of a media data atom exceeds 2^32 bytes.

and images show, if the size is 0, the section is as large as the file.
patched that, but still vlc cannot play

thanks for the hint with exiftool.
hmm looking deeper into my file...

EXIFtool says MovieDataSize is 235351288(dec), 0x0E072CF8(hex).
looking into that file, i see "mdat" start at 0x30008
this means, mdat ends at 0x0E0A2D00 - but it ends at 0x10E0A2D00.

looking at the qt container structure, right before mdat i see a 0x0E072D00 hex value.
so the .mov container structure seems to be organized like:
[4 byte size header+data] [4 byte type] [n byte data]

and since the size is 32 bit, we already have an overflow there with payload > 4GiB.
so the .mov container the camera uses seems causing severe problems with large movies.

this explains why windows media player will fail to play more than a few seconds (maybe only 0x0E072D00 bytes)
still it doesnt explain, why vlc can play the video at all until it reaches the 4GiB mark.
i would expect that VLC honors the buggy - overflowed length field..

weird...
now... what?

success.
i am able to access the LED to drive some photodiode/opamp circuitry that amplifies the signal.
still have to increase amplification, cancel overshoot, add schmitt-trigger and feed that to some MAX232, but as proof of concept this is fairly good

not sure if i will do that. i dont need it
http://www.youtube.com/watch?v=ZSymgFdn4Fc

circuit:

So instead of re-writing all of the boot code (which appears to be the problem with the 5dc, some cameras work some don't. The ones that don't are halting on the bootcode I have written), we call the camera's normal boot procedure directly and hardly have to do a thing

yep, thats the point about the cache hack
minimally invasive patching of instructions "pseudo-in-place"

unfortunately we got weird results on models like 60D, i was not able to explain

Region 2, not sure about. I know the flag area is at 0xF8000000 so maybe related to that.

Region 2 is data flash. this must not be cached else flashing will not work as expected.

Edit: Movie recording stopped automatically at curr: 00004B35000000000.

00004B35(hex) = 19253(dec)
19253 / 60 / 25 = 12min 50sec

true?
then this is not the file size, but the frame count

ok lets search for the file size. i will upload a new file tonight.

For me it's around 172–180 degrees.

i really, really hope this is wrong

yes, thats correct.
hmm give me some minutes to think about it.

the only thing i will open is the card slot to swap CF card and the battery slot if the camera locks up
both will be done a few hundred times i guess.

my SD card reader slot in my PC is already defective due to plugging/unplugging the card too often

http://upload.g3gg0.de/pub_files/b9221309f4c40b3ee0e8db28515bebca/autoexec.bin

i added some autodetection.
can you 60D guys try?
thanks

you mean, switching WB/Picstyle on a per-frame basis?
what use is that for?

sorry, didnt have time tonight. will try this night.

okay thanks, will update the demo firmware tonight,
i guess, we are just off a few bytes in the target structure.

what is "cur" saying exactly?

thanks alex,
a really useful log

i just looked deeper into movie recording state machine.
i think i will apply your logging routines to the movierecorder also.
especially file opening and closing is some unclear stuff.

br,
g3gg0

I can't figure out how to record a longer video on a 60D. Card is formatted in exFAT and used EOScard to make it bootable. ML runs fine and I can see the text after clicking the 'Don't click me' button (before starting recording). However, I'm still getting the 'recording has been stopped automatically' error after around 13 minutes. Sound is also disabled.

how big was the file you recorded?

did the line show:
    max: 0x3FFFFFFFF cur: 0x000(counting up)
?

hi,

thanks for testing!
i hoped that the solution for the models with exFAT support would be just increasing the max size.
so we would have a clean solution for these cameras.
unfortunately we now face a MOV issue with 4GiB files. annoying

so the next step is to analyze the MovieRecorder object and file writing routines to find
a sane location where to add multi-file support.
this is more than just remapping file pointer to another file, since then we would end up with
the same problems as we have with exFAT now: MOV-container issues later when merging the files.

we actually have to clean up and close the file properly and then reopen the next movie file for writing.
this is more a MovRec StateObject issue.

use this:
http://chdk.wikia.com/wiki/EOScard

[WARNING: Make sure you use exFAT filesystem. Beware! Your files, your card or even your CAMERA may get damaged]

for all cameras:

http://upload.g3gg0.de/pub_files/f23cf5caa18af51a912658eac3834ce4/autoexec.bin
(removed some of my bad-ass hacks in the startup code, so it is stock init code again )

it will scan for the MovieRecorder object in memory and display the memory addresses it found in the top line.
in the second line you will see the maximum and current file size.
the file size will get patched for 16GiB limit. (0x3FFFFFFFF)

maybe it works for other models than 600D.

WARNING: Make sure you use exFAT filesystem.
Beware! Your files, your card or even your CAMERA may get damaged

(although i dont think your camera will take any damage)

tried with avidemux and it fails also. simply cannot seek behind 4GiB mark.

hmm i dont have any decoded firmware files for 60D here.
5D / 5DII / 5DIII / 7D / 550D / 600D thats all i have atm.

anyone else has IDA and the decrypted firmware files?

it really seems to be a quicktime 4GiB problem.
but cannot find details about the exact header structure, why this is a problem and what we can do about.

anyone can help?

edit: this seems to be a quicktime MPEG-2 playback component issue.
but as i tried VLC, i doubt its the same reason..

so i still home that someone with proper video editing tools will be so kind to look at such a file

here the try to make some RS232 compatible transmit function.
will build an optocoupler to verify if it works.

Code Select Expand



#define BITBANG_BAUDRATE       9600
#define BITBANG_TIME_NORMAL    10000
#define BITBANG_TIME_TRANSFER  (1000000/BITBANG_BAUDRATE)

uint32_t bitbang_orig_handler = 0;
uint32_t bitbang_time = 0;
uint32_t bitbang_bits = 0;
uint32_t bitbang_tb = 0;
uint32_t bitbang_hook_counter = 0;


void bitbang_main()
{
    uint32_t *led_port = ((uint32_t*)0xC0220134);
    uint32_t led_status = 0;   
   
    led_status = (*led_port) & (~0x02);
    led_status |= ((bitbang_tb & 0x01) << 1);
    (*led_port) = led_status;
   
    bitbang_tb >>= 1;
    bitbang_bits--;
}

void bitbang_transmit(uint32_t data, uint32_t bits)
{
    /* called from user space. we have to wait until transfer is finished */
    while(bitbang_bits)
    {
        msleep(1);
    }
   
    bitbang_tb = data;
    bitbang_bits = bits;
}

void bitbang_transmit_rs232(uint8_t character)
{ 
    uint32_t data = 0;
   
    /* invert data bits */
    character ^= 0xFF;
   
    /* we transmit in RS232 mode 8,N,1. add 4 idle bits bit and start bit */
    data |= (1 << 4);
    data |= ((uint32_t)character << 5);
   
    /* no parity, stop bits are zero, so we are done */
    bitbang_transmit(data, 5 + 8 + 1);
}

uint32_t bitbang_timer_hook()
{
    uint32_t *timer_reg = ((uint32_t*)0xC0210208);
    uint32_t (*handler)() = bitbang_orig_handler;
   
    /* for debugging */
    bitbang_hook_counter++;
   
    /* check if we have to transmit data */
    if(bitbang_bits)
    {
        /* use high timer rate while shifting out the bits */
        *timer_reg = BITBANG_TIME_TRANSFER - 1;
       
        /* call the bitbanging routine */
        bitbang_main();
   
        /* get as close to 10 ms as we can get. for longer use, we need fraction correction */
        if(bitbang_time > BITBANG_TIME_NORMAL)
        {
            bitbang_time -= BITBANG_TIME_NORMAL;
            handler();
        }
       
        /* when we get called the next time, time has advanced by BITBANG_RATE_TRANSFER */
        bitbang_time += BITBANG_TIME_TRANSFER;
    }
    else
    {
        /* no data to transmit, low timer rate, directly call original handler */
        *timer_reg = BITBANG_TIME_NORMAL - 1;
        handler();
    }
   
    return;
}

void run_test()
{
    /* install bitbang handler */
    bitbang_orig_handler = *((uint32_t*) 0x40000720);
    *((uint32_t*) 0x40000720) = &bitbang_timer_hook;
   
    int loops = 0;
    while(1)
    {
        msleep(100);
        bmp_printf(FONT_SMALL, 10,50, "Calls: %d", bitbang_hook_counter);
       
        if((loops++ % 10) == 0)
        {
            bitbang_transmit_rs232(0xAA);
        }
    }
}



unfortunately i dont have 50D firmware, nor did i ananlyze it.

well, tried with windows media, it aborted after some seconds.
adobe premiere elements simply hangs when i just add the 4.2GiB file to the project...