Canon 1200D

Started by akkotyni, July 12, 2014, 02:48:26 PM

Previous topic - Next topic

0 Members and 2 Guests are viewing this topic.

a1ex

Here's the dumper for 1200D, not tested, instructions here.

dumper-1200D-qemu.fir

From the release date, it should be fairly similar to 70D/700D/100D, so it's a good idea to follow these ports and look for similarities.

artur_d

dmilligan:  thank you for the important explanations.

a1ex: thank you very much. After using this file I have new file on my card with the name "AS" (33.554.432 Bytes).
Is it good way? (because on Canon 100D with dumper to Canon 100D the name was "(NULL)")

a1ex


blakekibo

If it helps I can test it on 3 different 100D of 3 different regions lol. I got a white one from Korea, a black one from Hong Kong, and another black one from Europe.

dan.solati

Hi everyone. I'm new in the forum and also to the ML world.
I just got a 1200d and I'm very interested in having ML on it, specially for the intervalometer.
I'm not a coder but have often written scripting for different uses, and I'd love to help get it done if I can be useful in some way. The thing is that I don't understand the steps ahead. I don't know enough about ML to even know what questions I should ask. Is there any basic tutorial or could someone give me a basic guide of the steps to port ML to a new camera? (A basic explanation about the steps in the process)
What comes next after dumping the firmware with the fir dumper?
Thank you all.

Daniel

Drbunn

Any word on the progress of the port? I heard it was started, but I've yet to hear of any word on it.

BigMikeD

I too am interested in MagicLantern for the T5.  i feel the camera is a great value but is somewhat lacking without the intervalometer functions.  Anything i can do to help the process along please let me know. 

Karlos_01

What good it is already working on the 1200d :D, I'll be watching to upgrade my canon ... 8)

Drbunn

Quote from: Karlos_01 on March 04, 2015, 08:59:18 PM
What good it is already working on the 1200d :D, I'll be watching to upgrade my canon ... 8)

Karlos_01 is it working? i don't understand your statement...

matija

The problem I have is that there is no clear explanation what has to be done. I cant really know how much work it is. I do have 1200D and I do make living as a (python) dev, so I am willing to spend some time on this.
I did look at the bitbucket, again, same issue.

dmilligan

step 0: setup the toolchain (you can also do it like this)
step 1: dump the firmware (see a couple posts back)
step 2: analyze/decompile the firmware dump to find function stubs
step 3: run it in QEMU
step 4: if you get this far, get in touch with a1ex to create a bootflag fir, so you can run on actual camera

see also: some of the porting work done by recently for 70D (look at the commit history and diffs):
https://bitbucket.org/hudson/magic-lantern/branch/70d-support
https://bitbucket.org/hudson/magic-lantern/pull-request/620/add-support-for-eos-70d-111-both-revisions/diff#

matija

@dmilligan
Thank you ... it does look simpler when you have the main steps in one place.
I disassembled it. I am not sure how to proceed, I have following files:


-rw-r--r--  1 matija matija  33554432 Tra  4 20:09 ROM1.BIN
-rw-rw-r--  1 matija matija 399838361 Tra  4 21:17 ROM1.BIN.dis
-rw-rw-r--  1 matija matija  33554942 Tra  4 21:10 ROM1.BIN.elf
-rw-rw-r--  1 matija matija   3422646 Tra  4 21:13 ROM1.BIN.labels
-rw-rw-r--  1 matija matija   2676549 Tra  4 21:10 ROM1.BIN.strings


Do I go to step 3 (your link is to the branch, not instructions, a sentence or two might help.
Thank you

dmilligan

So now you need to analyze the disassembly and find the addresses of functions in the Canon firmware that ML uses. Please refer to the tutorial in step 2.

fjriosp

Hi all,

I've dumped the firmware of my 1200d, disassembled and now I'm starting to find some stubs, but.. which could be the correct start address?

The dump is ROM0+ROM1 and starts at 0xF7000000??

I also have a 700d and i've using that dump to guide to find the stubs on the 1200d firmware. Almost all the stubs on the 700d port have an address like 0xFFxxxxxx.

What are the correct base address for ROM0 and ROM1?

Thanks a lot!

fjriosp

Hi again,

I've found all the FIO stubs:


/** File I/O **/
NSTUB(0xFF2A2930,  FIO_CloseFile)
NSTUB(0xFF2A3900,  FIO_FindClose)                           // FindClose
NSTUB(0xFF2A3820,  FIO_FindNextEx)
NSTUB(0xFF2A26E0,  FIO_ReadFile)
NSTUB(0xFF2A2790,  FIO_SeekSkipFile)
NSTUB(0xFF2A2880,  FIO_WriteFile)
NSTUB(0xFF2A316C, _FIO_CreateDirectory)
NSTUB(0xFF2A258C, _FIO_CreateFile)
NSTUB(0xFF2A372C, _FIO_FindFirstEx)
NSTUB(0xFF2A2AAC, _FIO_GetFileSize)
NSTUB(0xFF2A24D0, _FIO_OpenFile)
NSTUB(0xFF2A2638, _FIO_RemoveFile)
NSTUB(0xFF2A2fA4, _FIO_RenameFile)


Should I create a new directory under platform on the unified branch to upload the changes?

And could somebody give me a recommendation to find out 'cstart' and other difficult stubs?

Thanks a lot

a1ex

Yep, good start.

From 70D:
Quote from: a1ex on October 04, 2014, 08:30:21 AM
It dumps 32 MB from 0xF7000000, which covers both ROM0 and ROM1 - that's what you need to run ML in QEMU. For analyzing the code, you can load ROM1 (the second half of that file) at 0xFF000000.

So, split the dump in two parts and load the second half at 0xFF000000.

Why we use this trick?
To make QEMU load a single dump (from a single file) covering both ROMs.

Why does it work?
http://www.magiclantern.fm/forum/index.php?topic=2864.msg30367#msg30367
http://www.magiclantern.fm/forum/index.php?topic=6785.msg58899#msg58899

To find cstart, look for a function that calls bzero32 and then launches init_task. Usually, cstart is the first function ever called in Canon code (after initializing a bunch of stuff).

fjriosp

Perfect,

I've look at the 700d asm code and the cstart calls to bzero32 and create_init_task.

In the 1200d I've found the bzero32 function but I don't know how to find init_task, create_init_task or cstart.

There is some other way?

Thanks a lot!

fjriosp

Ok,

I think I have found the cstart.

fjriosp

Hi again,

I have more than the 50% of the stubs located. Could some one create the structure under platform for the 1200d?

How can I check if the stubs are correct or not? Could be simulated with qemu or in camera?

Thanks a lot!

fjriosp

Ok,

I have almost all the stubs located: http://pastebin.com/cStunbD2

Could someone give me a trick to find:

SetNextASIFADCBuffer
SetNextASIFDACBuffer
LiveViewApp_handler_end
LiveViewShutterApp_handler
sd_device
task_max
task_dispatch_hook
task_trampoline

I have search all the stubs found on the 700D port, if there is some other stub that could be interesting to find, please, tell me.

What's the next step?

nikfreak

are you familar with QEMU? You should compile from qemu branch and follow instructions to boot up your ROM.BIN. If successfull keep us informed about your progress. I will try to helpwherevever I can. The best thing would be to set up a bitbucket account and fork the ML repo. In the end you will need it anyways to create a pull request.

How many dumps exist for 1200D. Like 70D / 100D at least 2 different revisions or actually only one???
[size=8pt]70D.112 & 100D.101[/size]

fjriosp

I've used qemu to run linux virtual machines in the past, but never a canon firmware. xD

I have the dump of a 700D 1.1.3 and another one of the 1200D 1.0.0.

I think that 1200D only have the version 1.0.0.

I have try to run the firmware with qemu and I only have got a black screen. If I run the ml-1200 firmware i got the ML menu. But i don't know what to do. Can I check thw stubs in qemu?

nikfreak

So you got 1200D fw dump working in QEMU? Don't spend too much time on stubs. We can solve that always in post. First undefine state_objects + prop_request_changes in internals.h.
How about consts.h?? These are important too. As far as I know the 1200D has digic4 so probably it's just an updated 1100D. You should take a look at the 1100D platform tree ahh and btw send me your fw by PM (no public link). I will try to lead you a hand in hope that there are no other fw revisions...
[size=8pt]70D.112 & 100D.101[/size]

fjriosp

I think that I have qemu working. I got a white noise screen with the 'help' and with 'del' key I got the magic lantern menu.

I've copy the address of 1100d on the eos.c, but I also check another address and also works... really I dont know if works or not. I can navigate across the menu, but if I try to adjust ISO or WB y get some red messages and the log outputs a lot of text, after few seconds I got again the control of the menu.

Then, the next steps are internals.h and consts.h? Some help about that files? What contains? How to fill them? How to match with the 1200d firmware?

Thanks a lot!

nikfreak

Ok you are fine with most stubs if you got that far.
yes in internals.h you can undefine most of the stuff first or better use what 1100D has. Just be sure to start with
#undef CONFIG_PROP_REQUEST_CHANGE

I can help you if you provide me your dump in PM (not public). You may also have a look at my 70D-merge branch on bitbucket and check out 70D platform tree for comments
[size=8pt]70D.112 & 100D.101[/size]