Messages - DeinGott

#1
OK, without the PROP_HANDLER(PROP_MVR_REC_START) the image boots without errors on QEMU. What should be the next steps?
#2
OK, the stubs should be more or less complete now; current interrupt and task max are still missing, but the rest should be correct. Do you know why the PropMgr has the assert called?
#3
Is it possible they changed the way they address the audio_ic? In PowerSpeakerForWAV they normally call it like this:

ROM1_7:FF06A570 PowerSpeakerForWAV                      ; CODE XREF: PowerAudioOutput+24p
ROM1_7:FF06A570                 STMFD   SP!, {R4,LR}
ROM1_7:FF06A574                 ADR     R2, aPowerspeakerforwav ; "PowerSpeakerForWAV"
ROM1_7:FF06A578                 MOV     R1, #3
ROM1_7:FF06A57C                 MOV     R0, #0x14
ROM1_7:FF06A580                 BL      DryosDebugMsg
ROM1_7:FF06A584                 LDR     R4, =byte_274C
ROM1_7:FF06A588                 MOV     R1, #0
ROM1_7:FF06A58C                 LDR     R0, [R4,#(dword_2780 - 0x274C)]
ROM1_7:FF06A590                 BL      take_semaphore
ROM1_7:FF06A594                 LDR     R0, =0x5507
ROM1_7:FF06A598                 BL      _audio_ic_write
ROM1_7:FF06A59C                 LDR     R0, =0x4903
ROM1_7:FF06A5A0                 BL      _audio_ic_write
ROM1_7:FF06A5A4                 MOV     R0, #0x4B00
ROM1_7:FF06A5A8                 BL      _audio_ic_write
ROM1_7:FF06A5AC                 LDR     R0, =0x2713
ROM1_7:FF06A5B0                 BL      _audio_ic_write
ROM1_7:FF06A5B4                 LDR     R0, =0x271F
ROM1_7:FF06A5B8                 BL      _audio_ic_write
ROM1_7:FF06A5BC                 LDR     R0, =0x4901
ROM1_7:FF06A5C0                 BL      _audio_ic_write
ROM1_7:FF06A5C4                 ADD     R0, R4, #0x58
ROM1_7:FF06A5C8                 LDRB    R0, [R0,#(byte_2A4F - 0x27A4)]
ROM1_7:FF06A5CC                 ORR     R0, R0, #0x6B00
ROM1_7:FF06A5D0                 BL      _audio_ic_write
ROM1_7:FF06A5D4                 LDR     R0, [R4,#(dword_2780 - 0x274C)]
ROM1_7:FF06A5D8                 LDMFD   SP!, {R4,LR}
ROM1_7:FF06A5DC                 B       give_semaphore
ROM1_7:FF06A5DC ; End of function PowerSpeakerForWAV


But on the 1300D it looks more like this:

ROM1:FE11CE60 PowerSpeakerForWAV                      ; CODE XREF: sub_FE11D1CC:loc_FE11D21Cp
ROM1:FE11CE60                                         ; SelectOutCheckFOut+68p
ROM1:FE11CE60 STMFD   SP!, {R4,LR}
ROM1:FE11CE64 ADR     R2, aPowerspeakerforwav         ; "PowerSpeakerForWAV"
ROM1:FE11CE68 MOV     R1, #3
ROM1:FE11CE6C MOV     R0, #0x14
ROM1:FE11CE70 BL      DryosDebugMsg
ROM1:FE11CE74 LDR     R4, =unk_31B5C
ROM1:FE11CE78 MOV     R1, #0
ROM1:FE11CE7C LDR     R0, [R4,#(unk_31BA4 - 0x31B5C)]
ROM1:FE11CE80 BL      takeSemaphore_ram
ROM1:FE11CE84 LDR     R0, =unk_FE8CAC8C
ROM1:FE11CE88 BL      sub_FE2B36D4
ROM1:FE11CE8C LDR     R0, [R4,#(unk_31B74 - 0x31B5C)]
ROM1:FE11CE90 CMP     R0, #0
ROM1:FE11CE94 BNE     loc_FE11CEB0
ROM1:FE11CE98 LDRB    R1, [R4,#(unk_31B61 - 0x31B5C)]
ROM1:FE11CE9C LDR     R0, =unk_FE8CACC8
ROM1:FE11CEA0 BL      sub_FE2B3A18
ROM1:FE11CEA4 LDRB    R1, [R4,#(unk_31B61 - 0x31B5C)]
ROM1:FE11CEA8 LDR     R0, =unk_FE8CAD20
ROM1:FE11CEAC BL      sub_FE2B3A18
ROM1:FE11CEB0
ROM1:FE11CEB0 loc_FE11CEB0                            ; CODE XREF: PowerSpeakerForWAV+34j
ROM1:FE11CEB0 MOV     R0, #1
ROM1:FE11CEB4 STR     R0, [R4,#0x2C]
ROM1:FE11CEB8 LDR     R0, [R4,#0x48]
ROM1:FE11CEBC LDMFD   SP!, {R4,LR}
ROM1:FE11CEC0 B       giveSemaphore_ram
ROM1:FE11CEC0 ; End of function PowerSpeakerForWAV


Am I missing a point? Can I switch it off somehow? The whole audio stuff now goes via serial, I would guess.

stefan@morbo-3: ~/Develop/qemu% ./run_canon_fw.sh 1300D,firmware="boot=0" -d debugmsg |& grep SerialCommand_Send
[     Startup:fe2b3724 ] (14:03) SerialCommand_Send[0x1080000]
[     Startup:fe2b3724 ] (14:03) SerialCommand_Send[0x3960000]
[     Startup:fe2b3724 ] (14:03) SerialCommand_Send[0x5000000]
[     Startup:fe2b3724 ] (14:03) SerialCommand_Send[0x7000000]
[     Startup:fe2b3724 ] (14:03) SerialCommand_Send[0x9030000]
[     Startup:fe2b3724 ] (14:03) SerialCommand_Send[0xb050000]
[     Startup:fe2b3724 ] (14:03) SerialCommand_Send[0xf080000]
[     Startup:fe2b3724 ] (14:03) SerialCommand_Send[0x21010000]
[     Startup:fe2b3724 ] (14:03) SerialCommand_Send[0xff001b58]
[     Startup:fe2b3724 ] (14:03) SerialCommand_Send[0x21020000]
[     Startup:fe2b3724 ] (14:03) SerialCommand_Send[0xff001b58]
[     Startup:fe2b3724 ] (14:03) SerialCommand_Send[0x3960000]
[     Startup:fe2b3724 ] (14:03) SerialCommand_Send[0x5000000]
[     Startup:fe2b3724 ] (14:03) SerialCommand_Send[0x7000000]
[     Startup:fe2b3724 ] (14:03) SerialCommand_Send[0x9030000]
[     Startup:fe2b3724 ] (14:03) SerialCommand_Send[0xb050000]
[     Startup:fe2b3724 ] (14:03) SerialCommand_Send[0xf080000]
[     Startup:fe2b3724 ] (14:03) SerialCommand_Send[0xd010000]
[     Startup:fe2b3724 ] (14:03) SerialCommand_Send[0xd030000]
[     Startup:fe2b3724 ] (14:03) SerialCommand_Send[0xd070000]
[     Startup:fe2b3724 ] (14:03) SerialCommand_Send[0xd0f0000]
[     Startup:fe2b3724 ] (14:03) SerialCommand_Send[0x55080000]
[     Startup:fe2b3724 ] (14:03) SerialCommand_Send[0x3b160000]
[     Startup:fe2b3724 ] (14:03) SerialCommand_Send[0x27130000]
[     Startup:fe2b3724 ] (14:03) SerialCommand_Send[0xff004e20]
[     Startup:fe2b3724 ] (14:03) SerialCommand_Send[0x271f0000]
[   AudioCtrl:fe2b3724 ] (14:03) SerialCommand_Send[0x3b160000]


vs. old

stefan@morbo-3: ~/Develop/qemu% ./run_canon_fw.sh 600D,firmware="boot=0" -d debugmsg |& grep 'Reg('               
[     Startup:ff06a16c ] (14:03) Reg(0x0D) Data(0x0001)
[     Startup:ff06a16c ] (14:03) Reg(0x0F) Data(0x0000)
[     Startup:ff06a16c ] (14:03) Reg(0x01) Data(0x0008)
[     Startup:ff06a16c ] (14:03) Reg(0x01) Data(0x0008)
[     Startup:ff06a16c ] (14:03) Reg(0x03) Data(0x0096)
[     Startup:ff06a16c ] (14:03) Reg(0x05) Data(0x0000)
[     Startup:ff06a16c ] (14:03) Reg(0x07) Data(0x0000)
[     Startup:ff06a16c ] (14:03) Reg(0x09) Data(0x0003)
[     Startup:ff06a16c ] (14:03) Reg(0x0B) Data(0x0005)
[     Startup:ff06a16c ] (14:03) Reg(0x0F) Data(0x0004)
[     Startup:ff06a16c ] (14:03) Reg(0x0D) Data(0x0003)
[     Startup:ff06a16c ] (14:03) Reg(0x0D) Data(0x000f)
[     Startup:ff06a16c ] (14:03) Reg(0x61) Data(0x000b)
[     Startup:ff06a16c ] (14:03) Reg(0x63) Data(0x000b)
[     Startup:ff06a16c ] (14:03) Reg(0x65) Data(0x0000)
[     Startup:ff06a16c ] (14:03) Reg(0xB1) Data(0x0001)
[     Startup:ff06a16c ] (14:03) Reg(0xB3) Data(0x0008)
[     Startup:ff06a16c ] (14:03) Reg(0xB5) Data(0x0008)
[     Startup:ff06a16c ] (14:03) Reg(0xB7) Data(0x0000)
[     Startup:ff06a16c ] (14:03) Reg(0xB9) Data(0x000b)
[     Startup:ff06a16c ] (14:03) Reg(0xBB) Data(0x0070)
[     Startup:ff06a16c ] (14:03) Reg(0xBD) Data(0x0000)
[     Startup:ff06a16c ] (14:03) Reg(0xBF) Data(0x0001)
[     Startup:ff06a16c ] (14:03) Reg(0xC1) Data(0x0004)
[     Startup:ff06a16c ] (14:03) Reg(0xC3) Data(0x0005)
[     Startup:ff06a16c ] (14:03) Reg(0xC5) Data(0x000d)
[     Startup:ff06a16c ] (14:03) Reg(0xC7) Data(0x0070)
[     Startup:ff06a16c ] (14:03) Reg(0xC9) Data(0x0010)
[     Startup:ff06a16c ] (14:03) Reg(0xCB) Data(0x0000)
[     Startup:ff06a16c ] (14:03) Reg(0x31) Data(0x0002)
[     Startup:ff06a16c ] (14:03) Reg(0x21) Data(0x0001)
[     Startup:ff06a16c ] (14:03) Reg(0x21) Data(0x0002)
[     Startup:ff06a16c ] (14:03) Reg(0x21) Data(0x0006)
[     Startup:ff06a16c ] (14:03) Reg(0x3B) Data(0x001b)
[     Startup:ff06a16c ] (14:03) Reg(0x6B) Data(0x0010)
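The two logs above can be compared mechanically. The C program below is an added example, not code from the post or from Magic Lantern: it parses both debug-log formats into one 16-bit word so the 600D and 1300D write sequences can be lined up. Two things in it are assumptions, not facts established by the thread: that the 1300D's SerialCommand_Send[0xRRDD0000] carries the audio-IC word in its upper 16 bits (entries such as 0xff001b58, whose low half is non-zero, are flagged separately instead of being guessed at), and that the 600D's Reg/Data pair packs the same way as the immediate passed to _audio_ic_write (0xRRDD). The sample lines are copied from the 1300D log above; the 600D word list is the set of constant immediates in the PowerSpeakerForWAV listing.

```c
/* Added example, not from the post or from Magic Lantern: normalise the 600D "Reg/Data"
 * and the 1300D "SerialCommand_Send" debug-log lines to one 16-bit audio-IC word so the
 * two write sequences can be compared. The packing rules below are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum word_kind { WORD_NONE = 0, WORD_AUDIO_IC = 1, WORD_OTHER_SERIAL = 2 };

/* Parse one "qemu -d debugmsg" line. Stores the recognised word in *word. */
static enum word_kind parse_audio_line(const char *line, uint32_t *word)
{
    const char *p;
    unsigned raw, reg, data;
    if ((p = strstr(line, "SerialCommand_Send[")) != NULL) {
        if (sscanf(p, "SerialCommand_Send[%x]", &raw) != 1) return WORD_NONE;
        if (raw & 0xFFFFu) {               /* e.g. 0xff001b58: low half used, not an 0xRRDD0000 word */
            *word = raw;
            return WORD_OTHER_SERIAL;
        }
        *word = raw >> 16;                 /* assumption: the audio-IC word sits in the upper 16 bits */
        return WORD_AUDIO_IC;
    }
    if ((p = strstr(line, "Reg(")) != NULL) {
        if (sscanf(p, "Reg(%x) Data(%x)", &reg, &data) != 2) return WORD_NONE;
        *word = ((reg & 0xFFu) << 8) | (data & 0xFFu);   /* assumption: same packing as _audio_ic_write(0xRRDD) */
        return WORD_AUDIO_IC;
    }
    return WORD_NONE;
}

/* Collect the audio-IC words of a NULL-terminated line list, in log order. Returns how many. */
static size_t extract_words(const char *const *lines, uint32_t *out, size_t max)
{
    size_t n = 0;
    for (; *lines != NULL && n < max; lines++) {
        uint32_t w;
        if (parse_audio_line(*lines, &w) == WORD_AUDIO_IC) out[n++] = w;
    }
    return n;
}

/* Number of entries of a[] that occur anywhere in b[] (order ignored). */
static size_t count_common(const uint32_t *a, size_t na, const uint32_t *b, size_t nb)
{
    size_t hits = 0;
    for (size_t i = 0; i < na; i++)
        for (size_t j = 0; j < nb; j++)
            if (a[i] == b[j]) { hits++; break; }
    return hits;
}

/* Constructed input: the tail of the 1300D log quoted in the post. */
static const char *const kLines1300D[] = {
    "[     Startup:fe2b3724 ] (14:03) SerialCommand_Send[0x55080000]",
    "[     Startup:fe2b3724 ] (14:03) SerialCommand_Send[0x3b160000]",
    "[     Startup:fe2b3724 ] (14:03) SerialCommand_Send[0x27130000]",
    "[     Startup:fe2b3724 ] (14:03) SerialCommand_Send[0xff004e20]",
    "[     Startup:fe2b3724 ] (14:03) SerialCommand_Send[0x271f0000]",
    "[   AudioCtrl:fe2b3724 ] (14:03) SerialCommand_Send[0x3b160000]",
    NULL,
};

/* Immediates passed to _audio_ic_write in the 600D PowerSpeakerForWAV listing (the final
 * "0x6B00 | byte from RAM" write is left out because its data byte is not a constant). */
static const uint32_t kWords600D[] = { 0x5507u, 0x4903u, 0x4B00u, 0x2713u, 0x271Fu, 0x4901u };
#define N_WORDS_600D (sizeof kWords600D / sizeof kWords600D[0])

int main(void)
{
    uint32_t words[16];
    size_t n = extract_words(kLines1300D, words, 16);
    for (size_t i = 0; i < n; i++)
        printf("1300D word %zu: 0x%04X (reg 0x%02X, data 0x%02X)\n", i, (unsigned)words[i],
               (unsigned)(words[i] >> 8), (unsigned)(words[i] & 0xFFu));
    printf("600D PowerSpeakerForWAV words also seen in the 1300D stream: %zu of %zu\n",
           count_common(kWords600D, N_WORDS_600D, words, n), (size_t)N_WORDS_600D);
    return 0;
}
```

On this input the overlap is 0x2713 and 0x271F, two words PowerSpeakerForWAV also writes on the 600D; 0x5508 vs 0x5507 and 0x3b16 vs the 600D's Reg(0x3B) Data(0x001b) differ only in the data byte. That is a hint that the same register map is behind the serial path, not a conclusion; the packing assumptions above are what to confirm in sub_FE2B36D4 / sub_FE2B3A18 before relying on it.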
#4
OK, with your method I now have a lot more states. :) Thx.

Dmstate: 0x39DD0
PropState: 0x38DB0
MFCMGRState: 0x39B50
EmState 0x36F24
FMnormalState 0x38558
SrmState 0x36FD0
Srmexmem1State 0x3702C
Srmexmem2State 0x37030
ScsState 0x35A74
ScseshutState 0x35A78
ScssrState 0x35A7C
SbsState 0x35AE8
SpsState 0x35B60
TomState 0x38500
FssState 0x36E94
AudioLevelStateSig 0x38CD0
SdsFrontState 0x36158
SdsFrontState 0x3615C
SdsFrontState 0x36160
SdsFrontState 0x36164
SdsFrontState 0x36168
SdsRearState 0x36078
SdsRearState 0x3607C
SdsRearState 0x36080
SoundEffetStateSig 0x38CDC
AsifState 0x38CF0
ActrlState 0x3D9DC
MovwState 0x3872C
MovrecState 0x38744
MovplayState 0x38750
MovrState 0x3BBE8
LvcdevState 0x37EE4
GmtState 0x933F68 // somehow off but valid
GmtMovieState 0x933F6C
GmtwakuState 0x933F70
EvfState 0x37930
ColorcalcState 0x380F8
AewbState 0x941C70
LvfaceState 0x37990
MotionDetectState 0x37DE8
MotionManagerState 0x94BB10
UsbControlPipe 0x6135C
UsbDataPipeBulkIn 0x61360
UsbDataPipeBulkOut 0x61364
UsbDataPipeInterupt 0x61368
UsbDeviceEvent 0x6136C
PtpdpsState 0x98D644
CeresState 0x38540
FcsState 0x36EA4
NwComState 0x3A504
MetactgState 0x3BC50
FrState 0xA478B4
FwState 0xA47AF0
VoiState 0x3BB34
SoundState 0x3BBCC
WavreaderState 0x40400
MrkState 0x3BB20
RdState 0x38124
DpState 0x371B4
DpimgeditState 0x3792C
InnerdevelopState 0x39C68
SasState 0x36270
SasState 0x36274
SasState 0x36278
SasState 0x3627C
SasState 0x36280
DisplayState 0x318B8
DisplayStateWithImgMute 0x318BC
#5
a1ex, I found all that were present in state-object.h (like three). Are there more needed? I did not scan through all the code. I am still investigating why the state error occurs.

I still get an error in the PropMgr. But since I did not check that all the props are there and correct, it is expected.
#6
BTW, I still get some errors, but the ML menu is loading.

If someone knows how to get rid of the SYMBOLS not found error (the file is on the SD):


stefan@morbo-3: ~/Develop/qemu% l /Volumes/EOS_DIGITAL/ML/modules/1300D_110.sym
-rwxrwxrwx  1 stefan  staff    34K 15 Jan 22:13 /Volumes/EOS_DIGITAL/ML/modules/1300D_110.sym
#7
Since I code a bit more, I forked the repo to my own Bitbucket.

https://bitbucket.org/shorst/magic-lantern

So yes, the merge was successful :)

I still have a problem finding the STATE objects. Do you have any easy way to find them?


#define DISPLAY_STATEOBJ (*(struct state_object **)0x2480) // possible: 0x000318C8

#define EVF_STATE (*(struct state_object **)0x3737C) // hope this is correct
#define MOVREC_STATE (*(struct state_object **)0x5720) // still 600D
#define SDS_FRONT3_STATE (*(struct state_object **)0x3660) // still 600D
#8
So, confirmed on my HW as well. I did not upload the ML files to the card, so missing ML files :)

But still different from QEMU: HW: 0x3d8461b5 vs QEMU: 0xCD12E936. Am I correct that the QEMU variant is tainted by the cache hack, and that we should update the signature in src/fw-signature.h?
#9
Thx for the FIR. I am not home at the weekend; will test it on Monday. (If anybody else wants to, please post a picture :) )

I found some more offsets I had to change :). Did you merge the stuff into the unified branch, or only pull the branches into the main repo?
#10
OK, the problem might be that hello_world does not overwrite this task :) I will try without the strings attached :)
#11
OK, one problem was an old RESTARTSTART address.

Will check on that later. :) One error is gone now :)
#12
That is because ml_gui_initialized is not called for some reason. This causes a timeout (see boot-hack.c, function my_init_task at the bottom).
#13
OK, I first have to fix the malloc call. This still gets an assert triggered, which should not happen, I guess. But otherwise this looks promising.

OK, narrowed it down to mem.c and the __mem_malloc function. The problem is that the memory is somehow not initialized (mem_init). I have to investigate why this is so, but calling mem_init when mem_sem is not set fixed the exception.
#14
At last:

The code is pushed to the repo: https://bitbucket.org/maugriman/magic-lantern-1300d
#15
So, I pushed the print_serial. I made it a macro, which will just be nulled if CONFIG_HAS_PRINT_SERIAL is not set. It will print to serial (even on the real camera it would).

I added some more stubs. But still the GUI does not show anything. I think there are still some things in consts.h missing/wrong. Will look into this tomorrow.
#16
It is not QEMU-specific, but I will make it include it and make it safe for the other cameras :)

Regarding the FONTS: I found them, but still no output on the screen :/. I start to question the memory buffers and stuff. Do you or anyone else have an insight into this? a1ex, what do we need to have the output right? disp_direct.c works in restart.c. Is it possible that I have to disable the "default" screen first?

#17
a1ex, what stubs do I need to set for the printing (hello world)? How do I find the offsets for the fonts, for example? I think the problem is still there. Other question: does the hello world draw in front of other stuff, or do I have to disable the screen somehow? Right now it shows the configuration screen, not the menu.
#18
OK, I got the hello world to run, but it does not show anything on the screen. The last output on the serial:

[DM] FROM Write Complete!!!
ASSERT : SystemIF::KerSem.c, Task = ml_init, Line 354
ASSERT : SystemIF::KerSem.c, Task = ml_init, Line 314
ASSERT : SystemIF::KerSem.c, Task = ml_init, Line 354
ASSERT : SystemIF::KerSem.c, Task = ml_init, Line 314
ASSERT : SystemIF::KerSem.c, Task = ml_init, Line 354
ASSERT : SystemIF::KerSem.c, Task = ml_init, Line 314
ASSERT : SystemIF::KerSem.c, Task = ml_init, Line 354
ASSERT : SystemIF::KerSem.c, Task = ml_init, Line 314
ASSERT : SystemIF::KerSem.c, Task = ml_init, Line 354
ASSERT : SystemIF::KerSem.c, Task = ml_init, Line 314
ASSERT : SystemIF::KerSem.c, Task = ml_init, Line 354
ASSERT : SystemIF::KerSem.c, Task = ml_init, Line 314
ASSERT : SystemIF::KerSem.c, Task = ml_init, Line 354
ASSERT : SystemIF::KerSem.c, Task = ml_init, Line 314
ASSERT : SystemIF::KerSem.c, Task = ml_init, Line 354
ASSERT : SystemIF::KerSem.c, Task = ml_init, Line 314
ASSERT : SystemIF::KerSem.c, Task = ml_init, Line 354
ASSERT : SystemIF::KerSem.c, Task = ml_init, Line 314
ASSERT : SystemIF::KerSem.c, Task = ml_init, Line 354
ASSERT : SystemIF::KerSem.c, Task = ml_init, Line 314
ASSERT : SystemIF::KerSem.c, Task = ml_init, Line 354
HELLO WORLD
firmware signature = 0xCD13B11F
firmware signature = 0xCD13B11F


(I patched it to print to serial; I can check that code in as well, but it is only 1300D, so not sure if it only clutters the source.)
#19
Sorry, I did not copy the 1300D changes to compile the HELLO World. But I see you already found the code. I only copied it from other cameras.

I am working on that hello world. Some offsets seem broken. I narrowed the problem down to the is_dir function and there the FIO_FindFirstEx function call; the stub should point to the correct place (0xFE2A51FC, if someone can verify). But it looks as if we cannot execute that function: I always get an exception at PC ff1f94d8. I added some debug print output to the beginning of the functions. But IDA does not stop in FIO_FindFirstEx. I am investigating that.


start MY BIG INIT
start _find_ml_card
start is_dir
Searching for A:/ML
< Error Exception>
TYPE        : 4
ISR         : 0
TASK IDSR   : 50135115
TASK Name   : ml_init
R 0         : 2fa9874
R 1         : 1ff
R 2         : 10aadc
R 3         : 1a9874
R 4         : 11de24
R 5         : 10ab88
R 6         : 10ab11
R 7         : 212
R 8         : 108506
R 9         : 19980198
R10         : 19980218
R11         : ff
R12         : 19980218
R13         : 1a9860
R14         : d157c
PC          : ff1f94d8
CPSR        : 13
  1406:   736.000 [STARTUP] ###exceptionhandlercbr 0xff1f94d8 0
  1407:   737.280 [STARTUP] #####exceptionhandlercbr 0xff1f94d8
  1430:   737.536 [STARTUP] Exception : Time 2017/9/30 13:15:0

#20
All I had to do was fix the offsets. No additional patching required. Here is my ml/platform/1300D.110 folder.

https://www.ultrachaos.de/share/1300D.110/

I basically copied the 600D to the 1300D. In the stubs.S file I indented every old offset by one space, so I can see the old offsets when I search for new ones (I have the code for the 600D as well, so it is easier to spot the stubs).

Will work further there to find all the stubs and fix some internals.h and consts.h. This code should run as is in QEMU; I did not try on an actual camera as of now, because mine does not have the bootflag set yet. Will look into that later. Trying to get the hello world running.
#21
So, fixed that backup code thingie.
#22
I already tried that. It starts my code but breaks with an exception in the FileMgr.

< Error Exception>
TYPE        : 4
ISR         : 0
TASK IDSR   : 1318396
TASK Name   : FileMgr
R 0         : 6cfe0c08
R 1         : 84fe0c08
R 2         : b0fe0c08
R 3         : cc000004
R 4         : 34fe0c08
R 5         : 4c0010b0
R 6         : 10b0
R 7         : 0
R 8         : 0
R 9         : 0
R10         : 0
R11         : 0
R12         : 0
R13         : 4f4ac
R14         : 0
PC          : 0
CPSR        : c8100008


qemu: fatal: Trying to execute code outside RAM or ROM at 0xe59ff010

I am investigating that. Let's see where this path breaks.
#23
a1ex, do you have any suggestions for this error? It comes from the relocate script, which copies init_task and createInitTask.

Fixing from FE1296C8 to FE1298AC
FE1296D0: EBFE5CDE BL FFFE5CDE => FE0C0A50
FE1296D0: !!!! can not fixup jump from 0010232C to FE0C0A50 (offset -00810639)
FE1296F4: EB00006D BL 0000006D => FE1298B0
FE129704: EBFE692E BL FFFE692E => FE0C3BC4
FE129704: !!!! can not fixup jump from 00102360 to FE0C3BC4 (offset -0080F9E9)
FE129718: EBFE6960 BL FFFE6960 => FE0C3CA0
FE129718: !!!! can not fixup jump from 00102374 to FE0C3CA0 (offset -0080F9B7)
FE12972C: EBFE6B8C BL FFFE6B8C => FE0C4564
FE12972C: !!!! can not fixup jump from 00102388 to FE0C4564 (offset -0080F78B)
FE12973C: EB0673CD BL 000673CD => FE2C6678
FE12974C: EBFE5E80 BL FFFE5E80 => FE0C1154
FE12974C: !!!! can not fixup jump from 001023A8 to FE0C1154 (offset -00810497)
FE129760: EAFE60FE B  FFFE60FE => FE0C1B60
FE129760: !!!! can not fixup jump from 001023BC to FE0C1B60 (offset -00810219)
FE129770: EB7B63AD BL 007B63AD => 0000262C
FE129780: EAFE5DF0 B  FFFE5DF0 => FE0C0F48
FE129780: !!!! can not fixup jump from 001023DC to FE0C0F48 (offset -00810527)
FE12979C: 7A697320 B  00697320 => FFB86424
FE129814: 745F7469 LD 7, 15, ' => FE1293B3: 745F7164 356 data=812014E5
FE129830: EB066FA7 BL 00066FA7 => FE2C56D4
FE129844: EB066F8F BL 00066F8F => FE2C5688
FE129854: E51F6050 LD 6, 15, 80 => FE1298AC: E51F61A0 416 data=FE884A48
FE12987C: EB066FF3 BL 00066FF3 => FE2C5850
Fixups=10231C entry=102324 free_space=8
Fixing from FE0C1B60 to FE0C1EB8
FE0C1B6C: EBFFFDB5 BL FFFFFDB5 => FE0C1248
FE0C1B6C: !!!! can not fixup jump from 00102554 to FE0C1248 (offset -008104C5)
FE0C1B70: EB015F55 BL 00015F55 => FE1198CC
FE0C1B7C: EB01961C BL 0001961C => FE1273F4
FE0C1B80: EB7D0641 BL 007D0641 => 0000348C
FE0C1B8C: EB7D090E BL 007D090E => 00003FCC
FE0C1B9C: EB7D0667 BL 007D0667 => 00003540
FE0C1BA0: EB01795A BL 0001795A => FE120110
FE0C1BBC: EB7D0300 BL 007D0300 => 000027C4
FE0C1BE4: EB7D0353 BL 007D0353 => 00002938
FE0C1C0C: EB7D03BE BL 007D03BE => 00002B0C
FE0C1C30: EB7D042B BL 007D042B => 00002CE4
FE0C1C44: EB7D081C BL 007D081C => 00003CBC
FE0C1C48: EB017DD3 BL 00017DD3 => FE12139C
FE0C1C50: EB019C21 BL 00019C21 => FE128CDC
FE0C1C60: EB017AE3 BL 00017AE3 => FE1207F4
FE0C1C64: EB01885A BL 0001885A => FE123DD4
FE0C1C6C: EB018094 BL 00018094 => FE121EC4
FE0C1C70: EB017CDB BL 00017CDB => FE120FE4
FE0C1C74: EB01897A BL 0001897A => FE124264
FE0C1C78: EB0189C2 BL 000189C2 => FE124388
FE0C1C84: EB0187D7 BL 000187D7 => FE123BE8
FE0C1C88: EB0187EA BL 000187EA => FE123C38
FE0C1C94: EB01807C BL 0001807C => FE121E8C
FE0C1CA0: EB018079 BL 00018079 => FE121E8C
FE0C1CAC: EB018076 BL 00018076 => FE121E8C
FE0C1CB8: EB018073 BL 00018073 => FE121E8C
FE0C1CC4: EB018070 BL 00018070 => FE121E8C
FE0C1CD0: EB01806D BL 0001806D => FE121E8C
FE0C1CDC: EB01806A BL 0001806A => FE121E8C
FE0C1CFC: EB01750D BL 0001750D => FE11F138
FE0C1D08: EB01767B BL 0001767B => FE11F6FC
FE0C1D10: EB7D07F7 BL 007D07F7 => 00003CF4
FE0C1D18: EBFFFC67 BL FFFFFC67 => FE0C0EBC
FE0C1D18: !!!! can not fixup jump from 00102700 to FE0C0EBC (offset -00810613)
FE0C1D34: EB017596 BL 00017596 => FE11F394
FE0C1D48: EB017591 BL 00017591 => FE11F394
FE0C1D50: EB013313 BL 00013313 => FE10E9A4
FE0C1D70: EB0047FE BL 000047FE => FE0D3D70
FE0C1D70: !!!! can not fixup jump from 00102758 to FE0D3D70 (offset -0080BA7C)
FE0C1D78: E51F4848 LD 4, 15, 0 => FE0C1538: E51F4230 560 data=000310AC
FE0C1D90: 1B01757F BL 0001757F => FE11F394
FE0C1D9C: EB00488A BL 0000488A => FE0D3FCC
FE0C1D9C: !!!! can not fixup jump from 00102784 to FE0D3FCC (offset -0080B9F0)
FE0C1DA0: EB0177FA BL 000177FA => FE11FD90
FE0C1DA4: EB017494 BL 00017494 => FE11EFFC
FE0C1DA8: EB0190C9 BL 000190C9 => FE1260D4
FE0C1DAC: EB001112 BL 00001112 => FE0C61FC
FE0C1DAC: !!!! can not fixup jump from 00102794 to FE0C61FC (offset -0080F168)
FE0C1DB0: EB019E9B BL 00019E9B => FE129824
FE0C1DCC: EB7D06CA BL 007D06CA => 000038FC
FE0C1EA4: 6B736154 BL 00736154 => FFD9A3FC
FE0C1EB0: E51F1980 LD 1, 15, . => FE0C1538: E51F1364 868 data=000310AC
Fixups=102540 entry=102548 free_space=8


I added the checker for whether we can reach the RAM, which does not trigger any error.

/* relative jumps in ARM mode are +/- 32 MB */
/* make sure we can reach anything in the ROM (some code, e.g. patchmgr, depend on this) */
uint32_t jump_limit = (uint32_t) &_bss_end - 32 * 1024 * 1024;
if (jump_limit > 0xFF000000 || jump_limit < 0xFC000000)
{
    print_serial("[BOOT] warning: cannot use relative jumps to anywhere in the ROM (limit=%x)\n", jump_limit);
}


I will check there further.
#24
BTW,

I found this function's stub

NSTUB(0xFE0180A8,  print_serial)
extern int print_serial(const char* s, ...);

which does print to serial.

Bitbucket is down at the moment, so I cannot upload my code there.
#25
Hey, I am so far that I get the ML bootup code running. But CONFIG_ALLOCATE_MEMORY_POOL has the problem that it copies the init code from the ROM to the RAM, but that is so far apart from the ROM that a normal BL does not work to jump back to the subs it needs. I am trying to prevent that by copying that code as well, but this is still broken.

I need to clean up my code to publish it. Will do that tonight.

For now my code flow is this: (copy_and_restart() -> ram_cstart() -> my_init_task() -> init_task_patched() -> new_init_task()). This is where the problem starts.

The copy of the init task, which is patched in init_task_patched(), has the wrong offsets, so it cannot jump back to ROM (but only on some functions. A thing I noticed is: if the offset is > 0x800000 it will jump to ROM; if it is smaller, it will jump to the offset itself. Therefore there is a gap we cannot jump to :/ Any ideas?). The next step will be to create a jump table next to the init function and try to jump via register jumps.
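Both the relocation log in the earlier post (the "can not fixup jump ... (offset -00810639)" lines) and the jump-table idea here come down to one property of ARM-mode B/BL: the 24-bit immediate is a signed word count relative to PC+8, so the reachable window is +/- 32 MB and wraps mod 2^32. From 0x0010232C that window covers low RAM and the top of ROM from about 0xFE10xxxx upward, which is why the log accepts BL FE2C6678 and BL 0000262C but rejects every BL into FE0Cxxxx. The C below is an added example, not Magic Lantern's relocation code: it decodes the branches quoted in the log, reproduces the reachability verdicts the log reports, and for branches that cannot reach their target it emits a two-word trampoline (LDR PC,[PC,#-4] followed by the absolute address) placed right behind the copied code, then points the original B/BL at that trampoline, which is the register-free form of the jump table described above. The old/new addresses and the instruction words are taken from the log; the four-word code block and the pool layout are constructed for the demo.

```c
/* Added example, not Magic Lantern's relocation code: check whether ARM-mode B/BL
 * instructions still reach their targets after the code is copied from ROM
 * (0xFE...) to RAM (0x0010...), and fall back to a trampoline when they do not. */
#include <stdint.h>
#include <stdio.h>

#define LDR_PC_PC_M4 0xE51FF004u   /* LDR PC, [PC, #-4]: jump to the literal word that follows */

/* B or BL in ARM mode: bits 27..25 == 101 with any condition except 1111 (that would be BLX). */
static int is_b_or_bl(uint32_t insn)
{
    return (insn & 0x0E000000u) == 0x0A000000u && (insn & 0xF0000000u) != 0xF0000000u;
}

/* Target of the branch at `addr`: PC reads as addr + 8, imm24 is a signed word count. */
static uint32_t branch_target(uint32_t addr, uint32_t insn)
{
    int32_t words = (int32_t)(insn & 0x00FFFFFFu);
    if (words & 0x00800000) words -= 0x01000000;        /* sign-extend 24 bits */
    return addr + 8u + (uint32_t)words * 4u;            /* wraps mod 2^32 like the CPU */
}

/* Signed word offset a branch at `from` needs to reach `target` (same wrap-around as the CPU). */
static int32_t branch_word_offset(uint32_t from, uint32_t target)
{
    uint32_t delta = target - (from + 8u);
    return (int32_t)delta / 4;
}

/* imm24 is signed: -0x800000..+0x7FFFFF words, i.e. +/- 32 MB around PC + 8. */
static int branch_reachable(uint32_t from, uint32_t target)
{
    int32_t w = branch_word_offset(from, target);
    return w >= -0x00800000 && w <= 0x007FFFFF;
}

/* Re-encode old_insn (keeping cond and the L bit) so that, placed at `from`, it reaches `target`.
 * Only valid if branch_reachable(from, target) holds. */
static uint32_t encode_branch(uint32_t from, uint32_t target, uint32_t old_insn)
{
    return (old_insn & 0xFF000000u) | ((uint32_t)branch_word_offset(from, target) & 0x00FFFFFFu);
}

/* Copy n words from old_addr to new_addr, fixing every B/BL that leaves the copied block.
 * Branches that cannot reach their target from the new location are pointed at a two-word
 * trampoline (LDR PC,[PC,#-4]; .word target) in `pool`, assumed to live at pool_addr, i.e.
 * close enough to the copy to be reached. A BL keeps its L bit, so LR is still set at the
 * call site and the trampoline only transfers control. Returns trampolines used, -1 on failure. */
static int relocate_code(const uint32_t *src, uint32_t old_addr, uint32_t *dst, uint32_t new_addr,
                         unsigned n, uint32_t *pool, uint32_t pool_addr, unsigned pool_slots)
{
    unsigned used = 0;
    for (unsigned i = 0; i < n; i++) {
        uint32_t insn = src[i], old_pc = old_addr + 4u * i, new_pc = new_addr + 4u * i;
        dst[i] = insn;
        if (!is_b_or_bl(insn)) continue;
        uint32_t target = branch_target(old_pc, insn);
        if (target - old_addr < 4u * n) continue;       /* intra-block: relative offset still right */
        if (branch_reachable(new_pc, target)) {
            dst[i] = encode_branch(new_pc, target, insn);
            continue;
        }
        uint32_t slot = pool_addr + 8u * used;
        if (used >= pool_slots || !branch_reachable(new_pc, slot)) return -1;
        pool[2 * used] = LDR_PC_PC_M4;
        pool[2 * used + 1] = target;
        dst[i] = encode_branch(new_pc, slot, insn);
        used++;
    }
    return (int)used;
}

int main(void)
{
    /* Constructed 4-word block "at" 0xFE1296D0, the ROM address of the first failing line in the
     * log, copied to 0x0010232C as the log's relocator did; the pool sits right behind the copy. */
    uint32_t src[4] = {
        0xEBFE5CDEu,   /* BL 0xFE0C0A50: the log's "can not fixup jump ... (offset -00810639)" */
        0xE1A00000u,   /* NOP */
        0xEB7B63D3u,   /* BL 0x0000262C: low RAM, reachable from both places */
        0xEAFFFFFCu,   /* B back to the NOP: stays inside the block */
    };
    uint32_t dst[4], pool[2];
    int used = relocate_code(src, 0xFE1296D0u, dst, 0x0010232Cu, 4, pool, 0x0010232Cu + 16u, 1);
    printf("BL 0xFE0C0A50 from 0x0010232C: %d words -> %s\n",
           (int)branch_word_offset(0x0010232Cu, 0xFE0C0A50u),
           branch_reachable(0x0010232Cu, 0xFE0C0A50u) ? "reachable" : "needs a trampoline");
    for (unsigned i = 0; i < 4; i++)
        printf("%08X: %08X -> %08X\n", (unsigned)(0x0010232Cu + 4u * i), (unsigned)src[i], (unsigned)dst[i]);
    printf("trampolines used: %d (slot 0: %08X %08X)\n", used, (unsigned)pool[0], (unsigned)pool[1]);
    return used < 0;
}
```

The pool has to be allocated together with the copied code (right behind it, as here) so that the short hop to the slot is itself within range; a pool placed elsewhere in RAM is a second reachability problem. Conditional branches keep their condition code because only the low 24 bits are rewritten, and any branch whose target lies inside the copied block is left untouched, since its relative offset is unchanged by the move.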