Messages - lorenzo353

Thank you!
Expected sequence at 0xe0040000 !
But, I did not find a way to compare bytes seq in CBasic to find automatically the right address, using if or strcmp, memcmp...

the code here is requested:

' tested on R6.150 and R.180
' source :
' should work on Digic8 and Digic10 at least

dim pRom0BaseAddressD10 = 0xE0100000
dim pRom0BaseAddressD8 = 0xE0040000
dim pRom1BaseAddress = 0xF0000000
dim sigLen          = 0x10000

' checksum code by Coon
' sums sLen 32-bit words starting at startSign
private sub compute_signature(startSign, sLen)
  p = startSign
  c = 0
  For i = 0 To (sLen - 1)
    c = c + *p
    p = p + 4
  Next
  compute_signature = c
end sub

' writes len+1 bytes starting at address as hex (the loop bound is inclusive)
private sub disp_hex_string(address, len, file)
  memStart = address
  WriteFileString(file, "at %x: ", memStart)
  For i = memStart To (memStart+len)
    WriteFileString(file, "%02x", Peek8(i) & 255 )
  Next
  WriteFileString(file, "\n" )
end sub

private sub Initialize()
  fileName = "B:/FW_SIGN.TXT"

  ' create the file, close it, then reopen it for writing
  f = OpenFileCREAT(fileName)
  CloseFile(f)

  f = OpenFileWR(fileName)

  WriteFileString(f, "model_id : 0x%08x\n", *pRom1BaseAddress)
  WriteFileString(f, "rom version: %s\n", pRom1BaseAddress +4)
  WriteFileString(f, "GetFirmwareVersion: %d\n", GetFirmwareVersion() )

  WriteFileString(f, "fw signature from 0x%x: 0x%08x\n", pRom0BaseAddressD10, compute_signature(pRom0BaseAddressD10, sigLen ) )
  WriteFileString(f, "fw signature from 0x%x: 0x%08x\n", pRom0BaseAddressD8, compute_signature(pRom0BaseAddressD8, sigLen) )
  'should look like: xx 48 0C EE 10 0F BF F3 6F 8F 42 F2 00 00 C0 F2 00 00 85 46 10 EE B0 5F 15 F0 0F 00
  disp_hex_string( pRom0BaseAddressD10, 28, f )
  disp_hex_string( pRom0BaseAddressD8, 28, f )

  ' dumpf()
  CloseFile(f)
end sub
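
The address check this post asks for, done offline in Python over the bytes the script writes out. This is an added example, not the poster's or the project's code: `find_rom0_base` and the `read` accessor are hypothetical names, the sample bytes are the R6 output quoted on this page, and little-endian words with 32-bit wraparound in the checksum are assumptions.

```python
import struct

# Candidate ROM0 base addresses, taken from the script above.
CANDIDATES = {"Digic10": 0xE0100000, "Digic8": 0xE0040000}

# Expected start-of-ROM bytes from the script's comment; "xx" is a wildcard.
PATTERN = ("xx 48 0C EE 10 0F BF F3 6F 8F 42 F2 00 00 C0 F2 "
           "00 00 85 46 10 EE B0 5F 15 F0 0F 00")


def parse_pattern(text):
    """Turn 'xx 48 0C' into [None, 0x48, 0x0C]; None matches any byte."""
    return [None if t.lower() == "xx" else int(t, 16) for t in text.split()]


def matches(data, pattern):
    """True when data starts with pattern, ignoring wildcard positions."""
    if len(data) < len(pattern):
        return False
    return all(p is None or p == b for p, b in zip(pattern, data))


def compute_signature(data, words):
    """Sum `words` 32-bit words (assumed little-endian, wrapping at 32 bits)."""
    if len(data) < 4 * words:
        raise ValueError("dump shorter than the summed range")
    return sum(struct.unpack_from("<%dI" % words, data)) & 0xFFFFFFFF


def find_rom0_base(read, pattern=PATTERN):
    """Return (name, address) of the first candidate that matches, else None.

    `read(address, length)` is a hypothetical accessor over a memory dump.
    """
    pat = parse_pattern(pattern)
    for name, addr in CANDIDATES.items():
        if matches(read(addr, len(pat)), pat):
            return name, addr
    return None


# Bytes the R6 reported at each candidate address (output quoted on this page).
R6_DUMP = {
    0xE0100000: bytes.fromhex(
        "09480cee100fbff36f8f42f20000c0f20000854610eeb05f15f00f0001"),
    0xE0040000: bytes.fromhex(
        "cef81cc143f2300cddf81ce0cef820c14ef22e7cddf81ce0cef824c1dd"),
}


def read_r6(addr, length):
    """Accessor over the sample above; a real one would slice a ROM dump."""
    return R6_DUMP[addr][:length]


if __name__ == "__main__":
    print(find_rom0_base(read_r6))
```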


Already posted in another thread, sorry, but it seems a better place here.

I posted a CBasic script that determines in a portable way model ID and firmware version:

Could you please check it ?

on my R6.150 :
model_id : 0x80000453
rom version: 4.9.0
GetFirmwareVersion: 150
fw signature from 0xe0100000: 0x129372a8
fw signature from 0xe0040000: 0xce84b41f
at e0100000: 09480cee100fbff36f8f42f20000c0f20000854610eeb05f15f00f0001
at e0040000: cef81cc143f2300cddf81ce0cef820c14ef22e7cddf81ce0cef824c1dd


Could you please run this script on Digic8 and Digic10 cameras?

model_id : 0x80000453
rom version: 4.9.0
GetFirmwareVersion: 150
fw signature from 0xe0100000: 0x129372a8
fw signature from 0xe0040000: 0xce84b41f
at e0100000: 09480cee100fbff36f8f42f20000c0f20000854610eeb05f15f00f0001
at e0040000: cef81cc143f2300cddf81ce0cef820c14ef22e7cddf81ce0cef824c1dd

Quote from: coon on February 06, 2021, 03:21:04 PM
I am thinking about something like this (pseudo code):

dim model_name        = "Canon EOS RP"
dim firmware_version  = "1.6.0"
dim model_name_addr   = 0xe121d57c
dim firmware_ver_addr = 0xe00408e0

public sub check_compat()
    if model_name_addr == model_name and firmware_ver_addr == firmware_version then
        check_compat = 1
    else
        check_compat = 0
    end if
end sub

That way the code would self document for what model the script is for. I just need to find a way to do a strncmp in canon basic for that.

"The goal of this repository is to promote collaboration between camera hackers and **provide validated scripts** : tested on given Digic version, given Camera or firmware version."

Can be also discussed on

General Development / Re: Testers wanted: Qemu 4.2.1
November 13, 2020, 09:38:39 PM

I'm pretty sure, it is the same with 2.5.0. and last time I tested it, it certainly crashed because of wrong DebugMsb value in DebugMsg.gdb

Alex wrote a bash script to generate DebugMsg.gdb for each new updates :;topicseen#msg200846
but I wonder if this file is mandatory, and which functions are needed.

What is the minimal DebugMsg, like a minimal stub.s ?

is it used by EOS patches for QEMU?

General Development / Re: Testers wanted: Qemu 4.2.1
November 09, 2020, 10:18:07 PM

using qemu 4.2.1:


cat: EOSR/debugmsg.gdb: No such file or directory
DebugMsg= (from GDB script)
qemu-system-arm: -M EOSR: unsupported machine type
Use -machine help to list supported machines

in, line 130:
if [ "$CAM" ] && [ ! "$QEMU_EOS_DEBUGMSG" ]; then
    QEMU_EOS_DEBUGMSG=`cat $CAM/debugmsg.gdb | $GREP DebugMsg_log -B 1 | $GREP -Pom1 "(?<=b \*)0x.*"`
    echo "DebugMsg=$QEMU_EOS_DEBUGMSG (from GDB script)"
else
    echo "DebugMsg=$QEMU_EOS_DEBUGMSG (overriden)"
fi

General Development / Re: Testers wanted: Qemu 4.2.1
November 08, 2020, 11:22:09 PM

I'm trying to summarize here the available info split across different forum posts, legacy and new HG repositories.

Sorry, I'm a total noob about qemu building and emulating. I'm just a user: I would like to debug from IDA pro with QEmu.
Just to be sure, I'm doing everything OK, here are the steps I'm following.

* for qemu 2.5.0

old and new links after hg migration:

doc on

m50 patch (digic8):

question: what is the good ubuntu version to ease qemu 2.5.0 building ?

- to install:

hg clone
cd magic-lantern/
hg update qemu -C
cd contrib/qemu/

I had a crash last week, I'll publish later traces.

I have built successfully
with my config (same system as with 2.5.0):

   Static hostname: ubuntu
         Icon name: computer-vm
    Virtualization: vmware
  Operating System: Ubuntu 18.04.1 LTS
            Kernel: Linux 4.15.0-122-generic
      Architecture: x86-64

*** Using GCC: /usr/bin/arm-none-eabi-gcc
gcc version 6.3.1 20170620 (15:6.3.1+svn253039-1build1)

*** Using GDB: /usr/bin/gdb-multiarch
GNU gdb (Ubuntu 8.1-0ubuntu3)

I have created directory EOSR and put ROM0.bin and ROM1.bin here. But debugmsg.gdb is required, right ?
even with the simple
/path/to/qemu-eos$  ./ EOSR,firmware="boot=1"


Camera-specific Development / Re: Canon EOS R5 / R6
October 12, 2020, 11:57:11 PM

could you please send me craw files ?


Quote from: yourboylloyd on September 21, 2020, 12:24:45 AM
Ohhhhh sorry. Didn't know that there was a difference. I'll take some in a few
Camera-specific Development / Re: Canon EOS R5 / R6
September 20, 2020, 08:06:37 PM
Quote from: lorenzo353 on September 20, 2020, 07:49:25 PM
Thank you!
you sent me raw, not craw.
Camera-specific Development / Re: Canon EOS R5 / R6
September 20, 2020, 07:48:54 PM
Quote from: Lars Steenhoff on September 18, 2020, 11:54:09 PM
You can find some raw files from the R6 here:
Thank you, Lars, but I need CRAW (compact raw) files, please
Camera-specific Development / Re: Canon EOS R5 / R6
September 17, 2020, 11:05:42 PM
Hi camera hackers,

Could you please send me a craw file from R6 ?
Optionally with dust removal option enabled ?
it is to improve my work at:

Kind regards,


you can use this
to extract embedded pictures in CR2 files
use -x


please see this research

how is your hardware / software setup please ?


FYI, the CRX codec of the CR3 format has been reverse engineered and open sourced:

Kind regards,

Camera-specific Development / Re: Canon EOS M6 Mark II
September 19, 2019, 06:13:22 PM

I'm documenting the CR3 format at, and I need samples of some camera, could you please help me ?

For example, I need examples of 'raw-burst-mode' CR3 from the M6 Mark II.
It will contain several pictures in a single file with a name starting with "CSI_" and ending with ".CR3".
FYI, you can edit such "roll" (sequence of files) in DPP.

Could you please send me 1 or 2 files of this kind with Dropbox or similar ?

Kind regards,

It seems continuous mode in M50 produces 14 bits, sorry.
But G5 X Mark II and G7 X Mark III do produce 'raw burst', with several pictures in one CR3.

"Another thing to note - the camera saves all the image in a sort of 'wrapper,' with the 'CR3' suffix. To open them on a desktop machine, you'll need to use Canon's Digital Photo Professional software. You can also extract and process individual files from the camera and save them out as JPEGs that way if you prefer."

Kind regards

I'm documenting the CR3 format here :
Any CR3 capable model with continuous mode can help, please.

12bits in continuous mode has been discussed in this thread, that's why I'm asking here.

Kind regards

Laurent and


Could you please provide me raw samples in continuous mode (both raw and c-raw) ?
So that I can check it is 12bits or not ?
It should be stored in CMP1, offset 32.

Kind regards

Quote from: aprofiti on April 11, 2019, 08:48:41 PM
Easy way is to use Qemu with a faked value in src/fw-signature.h and let it print what src/reboot.c expect to be :)
You can find it under "Canon CanonModelID Values" at or

Are they discovered from image metadata?

Also usually last digits are printed on serial console by the camera at firmware startup (ex. K412) and is reported under Model ID of the rom dumper.

you can use Exiftool to extract modelId from raw (CR2, CR3) or jpeg.

C:\Users\laurent>exiftool -CanonModelId d:\cr3_samples\m50\canon_eos_m50_02.jpg
Canon Model ID                  : EOS M50 / Kiss M

C:\Users\laurent>exiftool -CanonModelId d:\cr3_samples\250d\sample01.jpg
Canon Model ID                  : Unknown (0x80000436)

C:\Users\laurent>exiftool -CanonModelId d:\cr3_samples\r\447A0582.CR3
Canon Model ID                  : EOR R

for CR3 you can study

for CR2 see this poster :,
it is stored in Makernote

you can also use craw2tool :
about Canon EOS Rebel SL3 (EOS 250D / EOS Kiss X10)

Quote from: a1ex on April 10, 2019, 10:57:51 AM
To prepare the portable ROM dumper, I "only" need a CR3 image (i.e. wait for reviews with sample images). If that won't work, hardware hack à la EOS R.

Canon Image Type                : Canon EOS Kiss X10
Canon Firmware Version          : Firmware Version 4.0.5
Canon Model ID                  : Unknown (0x80000436)
Dcraw 9.28 has been published in June 2018, so Dave Coffin is going on!

Quote from: Walter Schulz on March 12, 2018, 11:00:56 PM
Ouch! Not the news I wanted to read. Totally slipped under my radar!
>python -v2 canon_eos_m50_02.cr3|more
filesize 0x256fbe8
00000:ftyp: major_brand=b'crx ', minor_version=1, [b'crx ', b'isom'] (0x18)
00018:moov: (0x6b70)
00020:  uuid: b'85c0b687820f11e08111f4ce462b6a48' (0x62c0)
00038:    CNCV: b'CanonCR3_001/00.09.00/00.00.00' (0x26)
0005e:    b'CCTP' b'000000000000000100000003000000184343445400000000' (0x5c)
0003a:      b'CCDT' b'00000000000000100000000000000001' (0x18)
00052:      b'CCDT' b'00000000000000010000000000000002' (0x18)
0006a:      b'CCDT' b'00000000000000000000000000000003' (0x18)
000ba:    CTBO: (0x5c)
            1    6b88   10018
            2   16ba0   56d90
            3   6d930 25022b8
            4       0       0
00116:    b'free' b'0000' (0xa)
00120:    b'CMT1' b'49492a00080000000d000001030001000000701700000101' (0x188)
002a8:    b'CMT2' b'49492a000800000027009a82050001000000e20100009d82' (0x428)
006d0:    b'CMT3' b'49492a00080000002f000100030031000000420200000200' (0x1438)
01b08:    b'CMT4' b'49492a000800000001000000010004000000020300000000' (0x718)
02220:    THMB: width=160, height=120, jpeg_size=0x40a3 (0x40c0)
062e0:  b'mvhd' b'00000000d6b31018d6b31018000000010000000100010000' (0x6c)
0634c:  b'trak' b'0000005c746b686400000007d6b31018d6b3101800000001' (0x1e4)
06354:    b'tkhd' b'00000007d6b31018d6b31018000000010000000000000001' (0x5c)
063b0:    b'mdia' b'000000206d64686400000000d6b31018d6b3101800000001' (0x180)
063b8:      b'mdhd' b'00000000d6b31018d6b31018000000010000000115c70000' (0x20)
063d8:      b'hdlr' b'000000000000000076696465000000000000000000000000' (0x21)
063f9:      b'minf' b'00000014766d686400000001000000000000000000000024' (0x137)
06401:        b'vmhd' b'000000010000000000000000' (0x14)
06415:        b'dinf' b'0000001c6472656600000000000000010000000c75726c20' (0x24)
0641d:          b'dref' b'00000000000000010000000c75726c2000000001' (0x1c)
00010:            b'url ' b'00000001' (0xc)
06439:        b'stbl' b'000000807374736400000000000000010000007043524157' (0xf7)
06441:          b'stsd' b'000000000000000100000070435241570000000000000001' (0x80)
00010:            CRAW: (0x70)
                    width=6000, height=4000
0005a:              b'JPEG' b'00000000' (0xc)
00066:              b'free' b'0000' (0xa)
064c1:          b'stts' b'00000000000000010000000100000001' (0x18)
064d9:          b'stsc' b'0000000000000001000000010000000100000001' (0x1c)
064f5:          stsz: version=0, size=0x30d6ef, count=1 (0x14)
06509:          b'free' b'00000000000000' (0xf)
06518:          co64: version=0, size=0x6d940, count=1 (0x18)
06530:  b'trak' b'0000005c746b686400000007d6b31018d6b3101800000002' (0x248)
06538:    b'tkhd' b'00000007d6b31018d6b31018000000020000000000000001' (0x5c)
06594:    b'mdia' b'000000206d64686400000000d6b31018d6b3101800000001' (0x1e4)
0659c:      b'mdhd' b'00000000d6b31018d6b31018000000010000000115c70000' (0x20)
065bc:      b'hdlr' b'000000000000000076696465000000000000000000000000' (0x21)
065dd:      b'minf' b'00000014766d686400000001000000000000000000000024' (0x19b)
065e5:        b'vmhd' b'000000010000000000000000' (0x14)
065f9:        b'dinf' b'0000001c6472656600000000000000010000000c75726c20' (0x24)
06601:          b'dref' b'00000000000000010000000c75726c2000000001' (0x1c)
00010:            b'url ' b'00000001' (0xc)
0661d:        b'stbl' b'000000e4737473640000000000000001000000d443524157' (0x15b)
06625:          b'stsd' b'0000000000000001000000d4435241570000000000000001' (0xe4)
00010:            CRAW: (0xd4)
                    width=1624, height=1080
0005a:              CMP1: (0x3c)
00096:              CDI1: (0x34)
00048:                IAD1: (0x28)
000ca:              b'free' b'0000' (0xa)
06709:          b'stts' b'00000000000000010000000100000001' (0x18)
06721:          b'stsc' b'0000000000000001000000010000000100000001' (0x1c)
0673d:          stsz: version=0, size=0x1cbc40, count=1 (0x14)
06751:          b'free' b'00000000000000' (0xf)
06760:          co64: version=0, size=0x37b030, count=1 (0x18)
06778:  b'trak' b'0000005c746b686400000007d6b31018d6b3101800000003' (0x258)
06780:    b'tkhd' b'00000007d6b31018d6b31018000000030000000000000001' (0x5c)
067dc:    b'mdia' b'000000206d64686400000000d6b31018d6b3101800000001' (0x1f4)
067e4:      b'mdhd' b'00000000d6b31018d6b31018000000010000000115c70000' (0x20)
06804:      b'hdlr' b'000000000000000076696465000000000000000000000000' (0x21)
06825:      b'minf' b'00000014766d686400000001000000000000000000000024' (0x1ab)
0682d:        b'vmhd' b'000000010000000000000000' (0x14)
06841:        b'dinf' b'0000001c6472656600000000000000010000000c75726c20' (0x24)
06849:          b'dref' b'00000000000000010000000c75726c2000000001' (0x1c)
00010:            b'url ' b'00000001' (0xc)
06865:        b'stbl' b'000000f4737473640000000000000001000000e443524157' (0x16b)
0686d:          b'stsd' b'0000000000000001000000e4435241570000000000000001' (0xf4)
00010:            CRAW: (0xe4)
                    width=6288, height=4056
0005a:              CMP1: (0x3c)
00096:              CDI1: (0x44)
00048:                IAD1: (0x38)
000da:              b'free' b'0000' (0xa)
06961:          b'stts' b'00000000000000010000000100000001' (0x18)
06979:          b'stsc' b'0000000000000001000000010000000100000001' (0x1c)
06995:          stsz: version=0, size=0x201ef28, count=1 (0x14)
069a9:          b'free' b'00000000000000' (0xf)
069b8:          co64: version=0, size=0x546c70, count=1 (0x18)
069d0:  b'trak' b'0000005c746b686400000007d6b31018d6b3101800000004' (0x1b8)
069d8:    b'tkhd' b'00000007d6b31018d6b31018000000040000000000000001' (0x5c)
06a34:    b'mdia' b'000000206d64686400000000d6b31018d6b3101800000001' (0x154)
06a3c:      b'mdhd' b'00000000d6b31018d6b31018000000010000000115c70000' (0x20)
06a5c:      b'hdlr' b'00000000000000006d657461000000000000000000000000' (0x21)
06a7d:      b'minf' b'0000000c6e6d6864000000000000002464696e660000001c' (0x10b)
06a85:        b'nmhd' b'00000000' (0xc)
06a91:        b'dinf' b'0000001c6472656600000000000000010000000c75726c20' (0x24)
06a99:          b'dref' b'00000000000000010000000c75726c2000000001' (0x1c)
00010:            b'url ' b'00000001' (0xc)
06ab5:        b'stbl' b'0000005c7374736400000000000000010000004c43544d44' (0xd3)
06abd:          b'stsd' b'00000000000000010000004c43544d440000000000000001' (0x5c)
00010:            b'CTMD' b'000000000000000100000007000000010000001800000003' (0x4c)
06b19:          b'stts' b'00000000000000010000000100000001' (0x18)
06b31:          b'stsc' b'0000000000000001000000010000000100000001' (0x1c)
06b4d:          stsz: version=0, size=0xa04c, count=1 (0x14)
06b61:          b'free' b'00000000000000' (0xf)
06b70:          co64: version=0, size=0x2565b98, count=1 (0x18)
06b88:uuid: b'be7acfcb97a942e89c71999491e3afac' (0x10018)
16ba0:uuid: b'eaf42b5e1c984b88b9fbb7dc406e4d16' (0x56d90)
16bc0:  PRVW: width=1620, height=1080, jpeg_size=0x56d58 (0x56d70)
6d930:b'mdat' b'ffd8ffdb008400060404060404060604' (0x25022b8)
{b'THMB': (160, 120, 16547, 8760), 'trak0': {b'CRAW': (6000, 4000), b'stsz': 3200751, b'co64': 448832}, 'trak1': {b'CRAW': (1624, 1080), b'stsz': 1883200, b'co64': 3649584}, 'trak2': {b'CRAW': (6288, 4056), b'stsz': 33681192, b'co64': 5532784}, 'trak3': {b'stsz': 41036, b'co64': 39213976}, b'PRVW': (1620, 1080, 355672, 93144)}
extracting jpeg (trak0) 6000x4000 from mdat... offset=0x6d940, size=0x30d6ef
extracting SD crx (trak1) 1624x1080 from mdat... offset=0x37b030, size=0x1cbc40
ff010008 001cbbd0 00000000
  ff020008 0007b5c0 08000000
  ff030008 0007b5c0 00200001
  ff020008 00070600 18000000
  ff030008 00070600 00200002
  ff020008 00070640 28000000
  ff030008 00070640 00200006
  ff020008 0006f9d0 38000000
  ff030008 0006f9d0 00200006
extracting HD crx (trak2) 6288x4056 from mdat... offset=0x546c70, size=0x201ef28
ff010008 00ff40b8 00000000
  ff020008 00405528 08000000
  ff030008 00405528 00200006
  ff020008 003fc8a8 18000000
  ff030008 003fc8a8 00200003
  ff020008 003fc6e8 28000000
  ff030008 003fc6e8 00200005
  ff020008 003f5c00 38000000
  ff030008 003f5c00 00200000
ff010008 0102ad98 00010000
  ff020008 0040cb88 08000000
  ff030008 0040cb88 00200006
  ff020008 0040eb50 18000000
  ff030008 0040eb50 00200006
  ff020008 0040ed48 28000000
  ff030008 0040ed48 00200002
  ff020008 00400978 38000000
  ff030008 00400978 00200007
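
A bounds-checked walker for the box layout visible in the dump above (4-byte big-endian size, 4-byte type, nested containers), added here as an illustration; it is not the code of the tool that produced the dump. The container list, the `walk` and `box` names and the sample bytes are constructed for this example; the uuid value, the `ftyp` fields and the `CNCV` string are copied from the dump.

```python
import struct

CONTAINERS = {b"moov", b"trak", b"mdia", b"minf", b"dinf", b"stbl"}
CANON_UUID = bytes.fromhex("85c0b687820f11e08111f4ce462b6a48")  # from the dump


def walk(buf, start=0, end=None, depth=0):
    """Yield (offset, depth, type, size) for every box in buf[start:end]."""
    end = len(buf) if end is None else end
    pos = start
    while pos < end:
        if end - pos < 8:
            raise ValueError("truncated box header at 0x%x" % pos)
        size, kind = struct.unpack_from(">I4s", buf, pos)
        header = 8
        if size == 1:  # 64-bit largesize follows the type field
            if end - pos < 16:
                raise ValueError("truncated largesize at 0x%x" % pos)
            size = struct.unpack_from(">Q", buf, pos + 8)[0]
            header = 16
        elif size == 0:  # box runs to the end of its parent
            size = end - pos
        # Reject sizes that would loop forever or read past the parent box.
        if size < header or pos + size > end:
            raise ValueError("box %r at 0x%x: bad size 0x%x" % (kind, pos, size))
        yield pos, depth, kind, size
        body = pos + header
        if kind == b"uuid":
            if size - header < 16:
                raise ValueError("uuid box at 0x%x too short" % pos)
            # Only the Canon metadata uuid is treated as a container here.
            if buf[body:body + 16] == CANON_UUID:
                yield from walk(buf, body + 16, pos + size, depth + 1)
        elif kind in CONTAINERS:
            yield from walk(buf, body, pos + size, depth + 1)
        pos += size


def box(kind, payload):
    """Build one box for the constructed sample below."""
    return struct.pack(">I4s", 8 + len(payload), kind) + payload


# Constructed sample mirroring the first lines of the dump: ftyp, moov/uuid/CNCV.
FTYP = box(b"ftyp", b"crx " + struct.pack(">I", 1) + b"crx isom")
CNCV = box(b"CNCV", b"CanonCR3_001/00.09.00/00.00.00")
SAMPLE = FTYP + box(b"moov", box(b"uuid", CANON_UUID + CNCV))

if __name__ == "__main__":
    for off, depth, kind, size in walk(SAMPLE):
        print("%05x:%s%s (0x%x)" % (off, "  " * depth, kind.decode(), size))
```

On the sample, the `ftyp`, `uuid` and `CNCV` offsets and sizes come out as in the dump (0x0/0x18, 0x20, 0x38/0x26); a size field that overruns its parent raises `ValueError` instead of reading out of bounds.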

Quote from: lorenzo353 on March 29, 2018, 08:29:23 PM

I have now published a python tool to parse the CR3 structure and extract jpeg, crx pictures...

Help is welcome to understand crx compression.

Kind regards,

there are lines for sraw flavors

Quote from: dfort on March 30, 2018, 05:44:23 PM
I made a spreadsheet out of it, took out the PowerShot models, sorted by Model ID, added the name variations and highlighted the cameras supported by Magic Lantern.

Interesting that some cameras are listed multiple times with different values. Why???

you've got all info here, per camera

Quote from: a1ex on March 15, 2018, 07:57:11 PM
By default, a CR2 is smaller than a full-res DNG, so Canon code must be skipping some lines and columns. From that offset, we can figure out how many. Refer to this post for EDMAC configurations.

6D: 0x12369168 - 0x12345678 = 146160 bytes. Full buffer width: 9744 bytes = 5568 pixels. CR2 width (dcraw -i -v): 5568. 146160 / 9744 = 15 lines skipped.

In other words, to match a full-res silent DNG with a CR2 from 6D, one has to crop 15 lines at the top.

70D: 0x1235FFAA - 0x12345678 = 108850 bytes. Full buffer width: 9884 bytes = 5648 pixels. CR2 width: 5568 pixels. 108850 / 9884 = 11, 108850 % 9884 = 126 = 72px.

In other words, to match a full-res silent DNG with a CR2 from 70D, one has to crop 11 lines at the top, 72 columns at the left side and 8 columns at the right side.

Anyone has the patience to confirm this theory by pixel peeping? If you can get two images with absolutely no movement (e.g. with a Lua script or remote trigger), that's great; otherwise, just compare the active areas and ignore the image contents.

edit: found a CR2 from 70D on some camera review site and looked at active areas.
First active pixel in CR2: 72, 38.
Last active pixel in CR2: 5567, 3707 (with some doubts about the last line).
First active pixel in DNG: 144, 48 (delta = 72, 10 - where did one line go?)
Last active pixel in DNG: 5639, 3717 (delta = 72, 10, 8 black pixels at the right)