Messages - DeinGott

#26
ok .. i am a bit further .. i can start code. but when ml tries to start the init_task i get an error:

DRYOS PANIC: Module Code = 1, Panic Code = 4

do you have a list, what the panic codes mean? i traced it down to the function sub_FEA8A450  which looks like it copies some basic structure and then checks if some checksum is correct. and then returns -1.

In the ml code it is right after the
void (*ram_cstart)(void) = (void*) &INSTR( cstart );
ram_cstart();


i verified, everything seems correctly patched ..

it is too late now to look any further.. will continue tomorrow.
#27
so i managed to get code running. i hooked up the restart.c file, and get my own code running. But the copy of the ml code and the restart does not work. it always crashes. How do i find the BSS and therefore the RESTARTSTART value? i used the same the 600D does (which is 0x00082000/0x00C80100). is it guessing for empty space, or can i find a structure there, where i can read the address from?
#28
So i started finding stubs in the ROM. A1ex can you have a look if these offsets make sense.

/** Startup **/
NSTUB( ROMBASEADDR, firmware_entry )                        // 0xF8010000
NSTUB(0xFE0C3A24,  cstart)                               
NSTUB(0x00029898,  bzero32)                               
NSTUB(0xFE0C3AF8,  create_init_task)                       
NSTUB(0xFE1296C8,  init_task)                               
NSTUB(   0x61123,  additional_version)
NSTUB(0xFE11F394,  DryosDebugMsg)     
NSTUB(    0x38FC,  task_create) 

/** File I/O **/
NSTUB(0xFE2A43FC,  FIO_CloseFile)
NSTUB(0xFE2A53D0,  FIO_FindClose)
NSTUB(0xFE2A52F0,  FIO_FindNextEx)                     
NSTUB(0xFE2A41AC, _FIO_ReadFile)                         
NSTUB(0xFE2A425C,  FIO_SeekSkipFile)                   
NSTUB(0xFE2A434C, _FIO_WriteFile)                       
NSTUB(0xFE2A4C3C, _FIO_CreateDirectory)                   
NSTUB(0xFE2A4058, _FIO_CreateFile)                         
NSTUB(0xFE2A51FC, _FIO_FindFirstEx)                     
NSTUB(0xFE2A4578, _FIO_GetFileSize)                       
NSTUB(0xFE2A3F9C, _FIO_OpenFile)                         
NSTUB(0xFE2A4104, _FIO_RemoveFile)                       
NSTUB(0xFE2A4A74, _FIO_RenameFile)


What are the minimum stubs i need to find (and which) so i can test, if i can run ml in qemu?

I copied the 1100D folder in ml/platforms to a new 1300D and poked around in some files. I can run the code, but some stub is not correct. How can i enable a hello world only ml build? is there a tutorial, i did not find?
#29
ok .. i found the problem, why the dump did not run in qemu .. after reading the forum again. i found this post (http://www.magiclantern.fm/forum/index.php?topic=17969.msg172893#msg172893)

Quote: I've assumed there is some sort of mapping from FFFF0000 to F8010000. To run the ROM in QEMU, you will need to patch the dump like this:

dd if=ROM1.BIN of=BOOT.BIN bs=64K skip=1 count=1
dd if=BOOT.BIN of=ROM1.BIN bs=64K seek=511


After this, running in QEMU is more or less straightforward, with a small reverse engineering puzzle to solve.

now i get the gui in qemu. Thx for the help. Now we can work with that.
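
The patch quoted in the post above, as an added example that is not part of the original post or of the quoted one: it writes the patched image to a separate file, refuses anything that is not a 32 MiB ROM1 dump, and confirms that block 511 ends up identical to block 1. The function names are hypothetical; the block size, block numbers and address ranges come from the quoted dd commands and the QEMU memory map shown on this page.

```shell
#!/bin/sh
# Added example: non-destructive form of the ROM1 patch quoted above.
# Layout taken from the QEMU memory map on this page:
#   eos.rom1        F8000000-F9FFFFFF  (32 MiB = 512 blocks of 64 KiB)
#   eos.rom1_mirror FE000000-FFFFFFFF
BLOCK=65536      # same unit as bs=64K (spelled in bytes for BSD dd)
ROM_BLOCKS=512
SRC_BLOCK=1      # file offset 0x10000   -> F8010000
DST_BLOCK=511    # file offset 0x1FF0000 -> FFFF0000 through the mirror

# addr_of BASE BLOCKNO: address a file block appears at for a mapping base
addr_of() { printf '0x%08X\n' $(( $1 + $2 * BLOCK )); }

# same_blocks FILE: true only if the two blocks are byte-identical
same_blocks() {
    a=$(dd if="$1" bs=$BLOCK skip=$SRC_BLOCK count=1 2>/dev/null | cksum)
    b=$(dd if="$1" bs=$BLOCK skip=$DST_BLOCK count=1 2>/dev/null | cksum)
    [ "$a" = "$b" ]
}

# patch_rom1 IN OUT: leave IN untouched, write the patched image to OUT
patch_rom1() {
    [ -f "$1" ] || { echo "missing $1" >&2; return 1; }
    size=$(wc -c < "$1" | tr -d ' ')
    if [ "$size" -ne $((BLOCK * ROM_BLOCKS)) ]; then
        echo "$1: $size bytes, expected a 32 MiB ROM1 dump" >&2
        return 2
    fi
    cp "$1" "$2" || return 1
    # conv=notrunc: overwrite the last block in place, never shorten OUT
    dd if="$1" of="$2" bs=$BLOCK skip=$SRC_BLOCK seek=$DST_BLOCK \
       count=1 conv=notrunc 2>/dev/null || return 1
    same_blocks "$2"
}
```

Keeping the original dump untouched means its MD5 can still be compared against the ROM1.MD5 written by the dumper after the patched copy has been made.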
#30
i tried it some more, but there is no way, to get it correct. Is there a "best" way to do it? I partitioned my 8gb cards to 256mb. Now the dumper does not finish at all. What are the problems, why the camera gets wrong checksums?

UPDATE: I formatted the SD Card fat16 and shrank it a bit more (240mib). but still wrong md5:

user@morbo: /Volumes/Untitled% md5 ROM0.BIN && cat ROM0.MD5
MD5 (ROM0.BIN) = e913c61b9717324b2aa16f366586e081
b7bd14aa3245c539d5327434be9e0e4b  ROM0.BIN

#31
ok .. i totally ignored the rom0 since i thought that is not connected .. i will try to get a correct dump .. thx for the help .. hope it works after that..
#32
The ROM0.MD5 is different from the actual MD5 sum. is there a problem? or can i ignore this? should i try to dump, since i get the same md5?
#33
yes the md5 of the rom1 is equal to the actual md5 of the rom1. The rom0.md5 is different, but as i get it from the other posts, the rom0 is not connected, so this is expected.

the parameter -debugmsg does not give other output. is there any other way, to get more debug output? i redownloaded all the magiclantern repo (hg clone .. ) and built all new, but still the same problems.

The output again:

./run_canon_fw.sh 1300D -d debugmsg

DebugMsg=0xFE11F394 (from GDB script)
Lockdown read 0
Lockdown read 0
Lockdown read 1
Lockdown read 1
Lockdown read 2
Lockdown read 2
Lockdown read 3
Lockdown read 3
Lockdown read 4
Lockdown read 4
00000000 - 00000FFF: eos.tcm_code
40000000 - 40000FFF: eos.tcm_data
00001000 - 1FFFFFFF: eos.ram
40001000 - 5FFFFFFF: eos.ram_uncached
F0000000 - F1FFFFFF: eos.rom0
F2000000 - F3FFFFFF: eos.rom0_mirror
F4000000 - F5FFFFFF: eos.rom0_mirror
F6000000 - F7FFFFFF: eos.rom0_mirror
F8000000 - F9FFFFFF: eos.rom1
FA000000 - FBFFFFFF: eos.rom1_mirror
FC000000 - FDFFFFFF: eos.rom1_mirror
FE000000 - FFFFFFFF: eos.rom1_mirror
C0000000 - CFFFFFFF: eos.iomem
[EOS] enabling code execution logging.
[EOS] loading './1300D/ROM0.BIN' to 0xF0000000-0xF1FFFFFF
[EOS] loading './1300D/ROM1.BIN' to 0xF8000000-0xF9FFFFFF
[MPU] warning: non-empty spell #12 (PROP 80030040) has duplicate(s): #11
[MPU] warning: non-empty spell #13 (PROP_CARD2_STATUS) has duplicate(s): #49
[MPU] warning: non-empty spell #35 (PROP_VIDEO_MODE) has duplicate(s): #36

[MPU] Available keys:
- Arrow keys   : Navigation
- PgUp, PgDn   : Sub dial (rear scrollwheel)
- [ and ]      : Main dial (top scrollwheel)
- SPACE        : SET
- M            : MENU (press only)
- P            : PLAY (press only)
- I            : INFO/DISP (press only)
- Q            : guess (press only)
- L            : LiveView (press only)
- A            : Av
- Shift        : Half-shutter
- B            : Open battery door
- C            : Open card door
- F10          : Power down switch
- F1           : show this help

[MPU] WARNING: forced shutdown.

For clean shutdown, please use 'Machine -> Power Down'
(or 'system_powerdown' in QEMU monitor.)
#34
hey a1ex,

i tried to dump the firmware, but got different md5 sums

the ROM0 i got the same MD5 dmitrys got: b7bd14aa3245c539d5327434be9e0e4b
the ROM1 I got a totally different MD5: a34ed91ac69e2a73bc6689709c37f755/b00208bc8040358280f574711adcc51d

i used your dumper script, which is linked to on the nightly build page (http://www.magiclantern.fm/forum/index.php?topic=17969.msg172875#msg172875).

I used an 8GB and a 256MB SD card to verify that my cards are not somehow the reason. How can i run the "generic" dumper on my vanilla 1300D camera? or is it the same code?

I do not get it to work on qemu as well. the console logs:

./run_canon_fw.sh 1300D

DebugMsg=0xFE11F394 (from GDB script)
Lockdown read 0
Lockdown read 0
Lockdown read 1
Lockdown read 1
Lockdown read 2
Lockdown read 2
Lockdown read 3
Lockdown read 3
Lockdown read 4
Lockdown read 4
00000000 - 00000FFF: eos.tcm_code
40000000 - 40000FFF: eos.tcm_data
00001000 - 1FFFFFFF: eos.ram
40001000 - 5FFFFFFF: eos.ram_uncached
F0000000 - F1FFFFFF: eos.rom0
F2000000 - F3FFFFFF: eos.rom0_mirror
F4000000 - F5FFFFFF: eos.rom0_mirror
F6000000 - F7FFFFFF: eos.rom0_mirror
F8000000 - F9FFFFFF: eos.rom1
FA000000 - FBFFFFFF: eos.rom1_mirror
FC000000 - FDFFFFFF: eos.rom1_mirror
FE000000 - FFFFFFFF: eos.rom1_mirror
C0000000 - CFFFFFFF: eos.iomem
[EOS] enabling code execution logging.
[EOS] loading './1300D/ROM0.BIN' to 0xF0000000-0xF1FFFFFF
[EOS] loading './1300D/ROM1.BIN' to 0xF8000000-0xF9FFFFFF
[MPU] warning: non-empty spell #12 (PROP 80030040) has duplicate(s): #11
[MPU] warning: non-empty spell #13 (PROP_CARD2_STATUS) has duplicate(s): #49
[MPU] warning: non-empty spell #35 (PROP_VIDEO_MODE) has duplicate(s): #36

[MPU] Available keys:
- Arrow keys   : Navigation ...


but the gui does not show up. Do i need a special parameter on the ./run_canon_fw.sh? i only used ./run_canon_fw.sh 1300D.

thx in advance