Author Topic: [UNMAINTAINED] Canon 40D  (Read 290956 times)

jplxpto

  • Developer
  • Hero Member
  • *****
  • Posts: 506
Re: Canon 40D
« Reply #75 on: September 19, 2012, 11:05:19 PM »
no guts no glory they say
As a suggestion stay away from factory mode and prop changes unless you absolutely need them

I appreciate your advice. I've been through some of these stubs and thought the same.

I hope not to make any serious mistake ... I really want to have the ML in my precious camera.

Thank you

jplxpto

  • Developer
  • Hero Member
  • *****
  • Posts: 506
Re: Canon 40D
« Reply #76 on: September 20, 2012, 01:18:51 AM »
40D v 1.1.1 - StateObjects List

Code: [Select]
NSTUB(0x62B4, DpImgEditState);
NSTUB(0x5D88, DpState);
NSTUB(0x7E38, TOMState);

//NSTUB(, USBC20State_1);
//NSTUB(, USBC20State_2);
//NSTUB(, USBC20State_3);
//NSTUB(, USBC20State_4);

NSTUB(0x7E60, CeresStateState);
NSTUB(0x1AF60, PtpDpsStateState);
NSTUB(0x1AF64, PtpEvtListAccsSem);
NSTUB(0x1D34, RMTState);

NSTUB(0x7824, FSSState);
//NSTUB(0xB710, PropState);  // maybe
NSTUB(0x7840, RDState);
NSTUB(0x7770, LVCDEVState);
NSTUB(0x7748, LVCAFState);
NSTUB(0x7738, LVCAEState);
NSTUB(0x7628, LVState);
//NSTUB(???, FWState);
//NSTUB(???, FRState);
NSTUB(0x834C, MrkState);
NSTUB(0x781C, FCSState);
NSTUB(0x7E10, SdioTskState);
NSTUB(0x82CC, FMNormalState);
NSTUB(0xEFDC, DMState);

jplxpto

  • Developer
  • Hero Member
  • *****
  • Posts: 506
Re: Canon 40D
« Reply #77 on: September 20, 2012, 02:28:17 AM »
Dump from 0x00007600 to 0x00008000, when camera menu is showed and mode equal to M :
Code: [Select]
MEM(0x00007600) = 0xFFB2BDA4 (-5063260)
MEM(0x00007604) = 0xFFB2C4A0 (-5061472)
MEM(0x00007608) = 0x00000000 (0)
MEM(0x0000760C) = 0x00000000 (0)
MEM(0x00007610) = 0x1024F09C (270856348)
MEM(0x00007614) = 0x00000001 (1)
MEM(0x00007618) = 0x10206DC0 (270560704)
MEM(0x0000761C) = 0x10252520 (270869792)
MEM(0x00007620) = 0x10223820 (270678048)
MEM(0x00007624) = 0x007975F4 (7960052)
MEM(0x00007628) = 0x00797940 (7960896)
MEM(0x0000762C) = 0x00000000 (0)
MEM(0x00007630) = 0xC0F03030 (-1058000848)
MEM(0x00007634) = 0x80010000 (-2147418112)
MEM(0x00007638) = 0xC0F03068 (-1058000792)
MEM(0x0000763C) = 0x80010004 (-2147418108)
MEM(0x00007640) = 0xC0F03070 (-1058000784)
MEM(0x00007644) = 0x80010007 (-2147418105)
MEM(0x00007648) = 0xC0F0B008 (-1057968120)
MEM(0x0000764C) = 0x00000000 (0)
MEM(0x00007650) = 0xFFFFFFFF (-1)
MEM(0x00007654) = 0xFFFFFFFF (-1)
MEM(0x00007658) = 0xC0F03044 (-1058000828)
MEM(0x0000765C) = 0x00000002 (2)
MEM(0x00007660) = 0xC0F03044 (-1058000828)
MEM(0x00007664) = 0x00000000 (0)
MEM(0x00007668) = 0xC0F0B000 (-1057968128)
MEM(0x0000766C) = 0x00000000 (0)
MEM(0x00007670) = 0xC0F0B004 (-1057968124)
MEM(0x00007674) = 0x00000001 (1)
MEM(0x00007678) = 0xC0F09000 (-1057976320)
MEM(0x0000767C) = 0x00000001 (1)
MEM(0x00007680) = 0xFFFFFFFF (-1)
MEM(0x00007684) = 0xFFFFFFFF (-1)
MEM(0x00007688) = 0xC0F09000 (-1057976320)
MEM(0x0000768C) = 0x80000000 (-
MEM(0x00007690) = 0xC0F0B000 (-1057968128)
MEM(0x00007694) = 0x00000001 (1)
MEM(0x00007698) = 0xC0F0B004 (-1057968124)
MEM(0x0000769C) = 0x00000000 (0)
MEM(0x000076A0) = 0xFFFFFFFF (-1)
MEM(0x000076A4) = 0xFFFFFFFF (-1)
MEM(0x000076A8) = 0xC0F03030 (-1058000848)
MEM(0x000076AC) = 0x00000000 (0)
MEM(0x000076B0) = 0xC0F03068 (-1058000792)
MEM(0x000076B4) = 0x00000000 (0)
MEM(0x000076B8) = 0xC0F03070 (-1058000784)
MEM(0x000076BC) = 0x00000000 (0)
MEM(0x000076C0) = 0xFFFFFFFF (-1)
MEM(0x000076C4) = 0xFFFFFFFF (-1)
MEM(0x000076C8) = 0xC0F0851C (-1057979108)
MEM(0x000076CC) = 0x00060258 (393816)
MEM(0x000076D0) = 0xC0F08520 (-1057979104)
MEM(0x000076D4) = 0x032C0568 (53216616)
MEM(0x000076D8) = 0xC0F11250 (-1057942960)
MEM(0x000076DC) = 0x00900000 (9437184)
MEM(0x000076E0) = 0xC0F11254 (-1057942956)
MEM(0x000076E4) = 0x028F02FF (42926847)
MEM(0x000076E8) = 0xFFFFFFFF (-1)
MEM(0x000076EC) = 0xFFFFFFFF (-1)
MEM(0x000076F0) = 0xC0F0851C (-1057979108)
MEM(0x000076F4) = 0x00060258 (393816)
MEM(0x000076F8) = 0xC0F08520 (-1057979104)
MEM(0x000076FC) = 0x032C0568 (53216616)
MEM(0x00007700) = 0xC0F11250 (-1057942960)
MEM(0x00007704) = 0x011000C0 (17825984)
MEM(0x00007708) = 0xC0F11254 (-1057942956)
MEM(0x0000770C) = 0x020F0241 (34538049)
MEM(0x00007710) = 0xFFFFFFFF (-1)
MEM(0x00007714) = 0xFFFFFFFF (-1)
MEM(0x00007718) = 0x00000000 (0)
MEM(0x0000771C) = 0x00000006 (6)
MEM(0x00007720) = 0xFFB38304 (-5012732)
MEM(0x00007724) = 0x00000000 (0)
MEM(0x00007728) = 0x00796F74 (7958388)
MEM(0x0000772C) = 0x00000000 (0)
MEM(0x00007730) = 0x00000000 (0)
MEM(0x00007734) = 0x00000000 (0)
MEM(0x00007738) = 0x00796FB4 (7958452)
MEM(0x0000773C) = 0x00000000 (0)
MEM(0x00007740) = 0x007973EC (7959532)
MEM(0x00007744) = 0x10202438 (270541880)
MEM(0x00007748) = 0x0079742C (7959596)
MEM(0x0000774C) = 0x00000000 (0)
MEM(0x00007750) = 0x00000000 (0)
MEM(0x00007754) = 0x0079750C (7959820)
MEM(0x00007758) = 0x00000000 (0)
MEM(0x0000775C) = 0x00000005 (5)
MEM(0x00007760) = 0x00000000 (0)
MEM(0x00007764) = 0x00000000 (0)
MEM(0x00007768) = 0x00000000 (0)
MEM(0x0000776C) = 0x00000000 (0)
MEM(0x00007770) = 0x0079754C (7959884)
MEM(0x00007774) = 0x00000000 (0)
MEM(0x00007778) = 0x00010339 (66361)
MEM(0x0000777C) = 0xFFFF0000 (-65536)
MEM(0x00007780) = 0x00040002 (262146)
MEM(0x00007784) = 0x00080004 (524292)
MEM(0x00007788) = 0x009000A4 (9437348)
MEM(0x0000778C) = 0x00200010 (2097168)
MEM(0x00007790) = 0x00FA0020 (16384032)
MEM(0x00007794) = 0x0015FF06 (1441542)
MEM(0x00007798) = 0xFFE80000 (-1572864)
MEM(0x0000779C) = 0x00100040 (1048640)
MEM(0x000077A0) = 0x0018000E (1572878)
MEM(0x000077A4) = 0x00480078 (4718712)
MEM(0x000077A8) = 0x00000010 (16)
MEM(0x000077AC) = 0x00000098 (152)
MEM(0x000077B0) = 0x00000060 (96)
MEM(0x000077B4) = 0x00000088 (136)
MEM(0x000077B8) = 0x0000006F (111)
MEM(0x000077BC) = 0x00000048 (72)
MEM(0x000077C0) = 0x00000058 (88)
MEM(0x000077C4) = 0x00000056 (86)
MEM(0x000077C8) = 0x00000100 (256)
MEM(0x000077CC) = 0x00000080 (128)
MEM(0x000077D0) = 0x00000000 (0)
MEM(0x000077D4) = 0x00000000 (0)
MEM(0x000077D8) = 0x00000000 (0)
MEM(0x000077DC) = 0x00000000 (0)
MEM(0x000077E0) = 0x00000000 (0)
MEM(0x000077E4) = 0x00000000 (0)
MEM(0x000077E8) = 0x00000000 (0)
MEM(0x000077EC) = 0x00000001 (1)
MEM(0x000077F0) = 0x00000000 (0)
MEM(0x000077F4) = 0x00000000 (0)
MEM(0x000077F8) = 0x00000004 (4)
MEM(0x000077FC) = 0x00000000 (0)


Code: [Select]
MEM(0x00007648) = 0xC0F0B008 (-1057968120)

jplxpto

  • Developer
  • Hero Member
  • *****
  • Posts: 506
Re: Canon 40D
« Reply #78 on: September 20, 2012, 04:15:34 AM »
Sounds good.

Point the camera to something recognizable and dump roughly 1MB from the VRAM address to confirm it.

Another way to find VRAM buffers: look for EDMAC registers. In digic 4, these are c0f04008, c0f04108 ... c0f04f08, then c0f26008, c0f26108 etc. One of those registers should point to the LiveView buffer.

        These are the values ​​I got ...

   EDMAC Registers (maybe)
Code: [Select]
MEM(0xC0F04008) = 0x3FBFFFF6
MEM(0xC0F04108) = 0x3695B69E
MEM(0xC0F04208) = 0x3F802DFC
MEM(0xC0F04308) = 0x1BB044CA
MEM(0xC0F04408) = 0x3E04583E
MEM(0xC0F04508) = 0x3A91B07C
MEM(0xC0F04608) = 0x1EA3FFCC
MEM(0xC0F04708) = 0x00000000
MEM(0xC0F04808) = 0x3A6F3EDE
MEM(0xC0F04908) = 0x3F20DE9E
MEM(0xC0F04A08) = 0x3D701EFE
MEM(0xC0F04B08) = 0x194F3D52
MEM(0xC0F04C08) = 0x34794AD6
MEM(0xC0F04D08) = 0x2A674EDE
MEM(0xC0F04E08) = 0x00000000
MEM(0xC0F04F08) = 0x00000000


at 0xFFCF8184 : MOV     R3, 0xC0F04008

Code: [Select]
NSTUB(0xFFCF8184, GetEDmacAddress)

a1ex

  • Administrator
  • Hero Member
  • *****
  • Posts: 12200
  • Maintenance mode
Re: Canon 40D
« Reply #79 on: September 20, 2012, 08:35:01 AM »
Doesn't look like anything known, so it's probably not edmac.

jplxpto

  • Developer
  • Hero Member
  • *****
  • Posts: 506
Re: Canon 40D
« Reply #80 on: September 20, 2012, 12:27:58 PM »
I also did not like the results.

jplxpto

  • Developer
  • Hero Member
  • *****
  • Posts: 506
Re: Canon 40D
« Reply #81 on: September 21, 2012, 02:25:14 AM »
I found several LV functions that are registered, so they can be invoked by name.

FW v 1.1.1

Code: [Select]
NSTUB(0xFFB2E208, lv_start)
NSTUB(0xFFB2E244, lv_stop)

NSTUB(0xFFB2E280, lv_vram_dump)
NSTUB(0xFFB2E308, lv_yuv_dump)
NSTUB(0xFFB2E38C, lv_fps)

NSTUB(0xFFB2E3FC, lv_psave_on)
NSTUB(0xFFB2E46C, lv_psave_off)

NSTUB(0xFFB2DB54, lv_debug_ae)
NSTUB(0xFFB2DCF4, lv_debug_wb)
NSTUB(0xFFB2E4DC, lv_debug_af)

NSTUB(0xFFB2E5F8, lv_ae)
NSTUB(0xFFB2E668, lv_wb)
NSTUB(0xFFB2E6D8, lv_af_raw)

NSTUB(0xFFB2E748, lv_debug_flag)

NSTUB(0xFFB2E588, lv_data_count)

NSTUB(0xFFB2E82C, lv_eshutter)
NSTUB(0xFFB2E97C, lv_tvaf_start)
NSTUB(0xFFB2E89C, lv_magnify)

NSTUB(0xFFB2E90C, lv_save_raw)

LensPainter

  • New to the forum
  • *
  • Posts: 4
Re: Canon 40D
« Reply #82 on: September 21, 2012, 10:01:58 AM »
Hi,
I'm new here and anxious to see the 40D to be used with ML:)
This is very very techy-stuff and hard for me to understand - so I'd just like to know, if there is a lantern at the end of the tunnel;)

Is there any way to support you?

Kind regards

Uwe

jplxpto

  • Developer
  • Hero Member
  • *****
  • Posts: 506
Re: Canon 40D
« Reply #83 on: September 21, 2012, 11:33:17 AM »
Hi,
I'm new here and anxious to see the 40D to be used with ML:)
This is very very techy-stuff and hard for me to understand - so I'd just like to know,
if there is a lantern at the end of the tunnel;)

Is there any way to support you?

Kind regards

Uwe


I'm also very anxious to see the ML working for the first time ... and on my camera :)

I am new at this but I'm motivated ... soon I hope to ignite that light ...
for now i just lit the blue and red LED :)

I never received anything for my work, but donations are welcome.
They are the fuel needed to be able to see the light ... My God! :)


jplxpto

  • Developer
  • Hero Member
  • *****
  • Posts: 506
Re: Canon 40D
« Reply #84 on: September 21, 2012, 11:37:48 AM »
I found the location of the structure 'vram_info'.

Code: [Select]
/** VRAM info in the BSS.
 *
 * Pixels are in an YUV 422 format.
 * This points to the image VRAM, not the bitmap vram
 */
struct vram_info
{
        uint8_t *               vram;           // off 0x00
        uint32_t                width;          // maybe off 0x04
        uint32_t                pitch;          // maybe off 0x08
        uint32_t                height;         // off 0x0c
        uint32_t                vram_number;    // off 0x10
};
SIZE_CHECK_STRUCT( vram_info, 0x14 );

extern struct vram_info vram_info[2];

Code: [Select]
NSTUB(0x0001E010, vram_info)

 MEM(0x0001E010) = 0x1065BE00 (275103232)
 MEM(0x0001E014) = 0x000002D0 (720)
 MEM(0x0001E018) = 0x000002D0 (720)
 MEM(0x0001E01C) = 0x000000F0 (240)
 MEM(0x0001E020) = 0x00000002 (2)
 
 MEM(0x0001E024) = 0x106F3C8C (275725452)
 MEM(0x0001E028) = 0x000002D0 (720)
 MEM(0x0001E02C) = 0x000002D0 (720)
 MEM(0x0001E030) = 0x000000F0 (240)
 MEM(0x0001E034) = 0x00000000 (0)

mediabaron

  • New to the forum
  • *
  • Posts: 5
Re: Canon 40D
« Reply #85 on: September 23, 2012, 04:36:05 AM »
Having the 40D record video would be excellent. The resolution of 1024 x 680 is plenty for web video.

People do have to realize that the 40D was never intended to shoot video so it doesn't have a microphone or audio circuitry built into it. You will have to capture audio separately or lay down a background track of something like music.

But having the other ML still image features would greatly increase the use of the 40D for things like time-lapse photography and other applications.

jplxpto

  • Developer
  • Hero Member
  • *****
  • Posts: 506
Re: Canon 40D
« Reply #86 on: September 23, 2012, 05:31:55 PM »
Having the 40D record video would be excellent. The resolution of 1024 x 680 is plenty for web video.

People do have to realize that the 40D was never intended to shoot video so it doesn't have a microphone or audio circuitry built into it. You will have to capture audio separately or lay down a background track of something like music.

But having the other ML still image features would greatly increase the use of the 40D for things like time-lapse photography and other applications.


I have spent many hours with my camera, but I've done a few shots. I can not say when will release the first version for testing. I believe there are many users around the world who have this camera. I started this project because I feel a little revolted. The canon has never released a version with AF microadjustment. Many of us bought high quality lenses that would greatly benefit from this functionality. We gave billions of profit to Canon. I think they should respect us more and remember living of our money. I know the camera was discontinued but I did not let being a customer paying for a quality service. I may be a drop in the ocean with sharks but many, donald duck got rich collecting small coins. This is my response to the canon. If things go the way I want in a few months you can all enjoy my work without being forced to pay a penny.

jplxpto

  • Developer
  • Hero Member
  • *****
  • Posts: 506
Re: Canon 40D
« Reply #87 on: September 23, 2012, 06:41:38 PM »
I found some more interesting things:

Code: [Select]
strings -t x 40d.111.ROMF1.0xFF800000.bin | perl renumber.pl 0xFF800000 > 40d.111.ROMF1.0xFF800000.string

grep 40d.111.ROMF1.0xFF800000.strings -e "Mgr$"

Code: [Select]
ffacff30 DpMgr
ffb04078 DpImgEditMgr
ffb2d10c LiveViewMgr
ffbaee34 TOMgr
ffbc55a0 FileMgr
ffc49060 DDDMgr
ffc877fc PropMgr
ffd17614 CardServiceMgr
ffd4c084 DbgMgr
ffd5a30c PowerMgr


With this simple command is simple filter many of the file names of the source code.
Sometimes it may be useful to help find some things in the dump.

Code: [Select]
grep 40d.111.ROMF1.0xFF800000.strings -e ".*\.c" > 40d.111.ROMF1.0xFF800000.files

jplxpto

  • Developer
  • Hero Member
  • *****
  • Posts: 506
Re: Canon 40D
« Reply #88 on: September 23, 2012, 07:13:01 PM »
Some memory address at firmware:

Code: [Select]
ffff1c6c Write Address : 0x00000000
ffff1c8c Write Address : 0x04000000
ffff2714 4.Erase TORNADO and Command area (0x%x -> 0x%x)
ffff2748 5.Erase Program area (0xF8010000 -> 0xF862FFFF)
ffff3578 Is flg written(Y=ON(0xFFFFFFFF)/N=OFF(0x00000000))? :
ffff3608 Is flg written(Y=ON(0x00000000)/N=OFF(0xFFFFFFFF))? :
ffff3774 ERASE [ROM1][0x00000000]
ffff39e4 Input start_address (ram 0x00000000 -> 0x40000000) :
ffff3a1c Input end_address   (ram 0x00000000 -> 0x40000000) :
ffff3a54 Input address       (rom 0xf8000000 -> 0xf87FE000) :
ffff5914 FROM Check Sum is 0x%08x
ffff5930 ( 0xF8010000 - 0xF85FFFFF )

jplxpto

  • Developer
  • Hero Member
  • *****
  • Posts: 506
Re: Canon 40D
« Reply #89 on: September 23, 2012, 07:27:06 PM »


grep 40d.111.ROMF1.0xFF800000.strings -e ".*[GUI].*StartMn" | awk -F' ' '{ print $3 }' | sort | uniq -u

Code: [Select]
StartMnActiveSweepApp
StartMnActiveSweepAutoApp
StartMnBrightnessApp
StartMnBusyApp
StartMnBusyKeepEventBtnApp()
StartMnCameraClearApp
StartMnCameraRegApp
StartMnCameraRegConfirmApp
StartMnCameraUnRegApp
StartMnCameraUnRegConfirmApp
StartMnCameraUnRegSelectApp
StartMnCardExtensionApp
StartMnCardFormatBeginAp
StartMnCardFormatexcuteApp
StartMnCopyBusyApp()
StartMnCopyConfirmApp
StartMnCopyMsgApp(
StartMnCopyResultApp(
StartMnCustomFnApp(%d)(%d)
StartMnCustomFnClearApp
StartMnDustOffDataApp
StartMnDustOffDataCompleteApp
StartMnDustOffDataExcuteApp
StartMnEraseImageApp
StartMnEraseImageBusyApp
StartMnEraseImageConfirmApp
StartMnEraseImageDummyApp
StartMnHandWorkSweepApp
StartMnImageZoneQualityApp
StartMnLanguageApp
StartMnLiveViewApp
StartMnMainCustomFuncApp()
StartMnMainMyMenuApp()
StartMnMainPlay1App()
StartMnMainPlay2App()
StartMnMainRec1App()
StartMnMainRec2App()
StartMnMainSetup1App()
StartMnMainSetup2App()
StartMnMainSetup3App()
StartMnMainStudioApp()
StartMnMmMessageApp(
StartMnMwbImageConfirmApp
StartMnMWBWarningApp
StartMnMyMenuDeleteApp()
StartMnMyMenuPreRearrange(
StartMnMyMenuRearrange(
StartMnMyMenuSelect()
StartMnMyMenuSetting()
StartMnPictureStyleDetailApp
StartMnPictureStyleMain
StartMnPictureUserDetail
StartMnQualityApp
StartMnQualityDivideApp
StartMnQualityDivideSelectApp
StartMnSensorCleanApp
StartMnStroboBuiltInSettingApp
StartMnStroboControlApp
StartMnStroboCustomFnApp
StartMnStroboCustomFnClearApp
StartMnStroboErrorApp
StartMnStroboFnSettingApp
StartMnStroboFnSettingClearApp
StartMnStroboFnSettingHeaderApp()
StartMnStroboOldOutSettingApp
StartMnStroboWirelessApp
StartMnStudioModeChangeConfirmApp
StartMnWBApp
StartMnWbBktApp

With this command we can get the list of menus available in firmware. This command can be useful for finding the code some functionality that is available in the original firmware.

jplxpto

  • Developer
  • Hero Member
  • *****
  • Posts: 506
Re: Canon 40D
« Reply #90 on: September 23, 2012, 07:59:18 PM »
Some more strings...

Code: [Select]
grep -e "libc" 40d.111.ROMF1.0xFF800000.strings
Code: [Select]
ffcb9150 ../libcsvg/svg_canvas.c
ffcbd930 gfff../libcsvg/svg_paint.c
ffcbe118 ../libcsvg/svg_render.c
ffcbeb48 ../libcsvg/dom/dom.c
ffcbfc5c ../libcsvg/dom/dom_common.c
ffcc22e4 ../libcsvg/dom/dom_trait.c
ffcc629c ../libcsvg/core/attrib_core.c
ffcc6a88 ../libcsvg/core/attrib_graphics.c
ffcc733c ../libcsvg/core/attrib_paint.c
ffcca84c ../libcsvg/core/elem_anim.c
ffcd3138 ../libcsvg/core/elem_path.c
ffcd5b54 ../libcsvg/core/elem_shape.c
ffcd8354 ../libcsvg/core/elem_struct.c
ffcda5fc ../libcsvg/core/render_path.c
ffcdb054 ../libcsvg/core/render_shape.c
ffcdda64 ../libcsvg/core/stack_canvas.c
ffcddba4 ../libcsvg/core/stack_common.c
ffcddd38 ../libcsvg/core/stack_coordinate.c
ffcddedc ../libcsvg/core/stack_core.c
ffcde000 ../libcsvg/core/stack_element.c
ffcdebf8 ../libcsvg/core/stack_transform.c
ffce0f44 ../libcsvg/common/hash.c
ffce1274 ../libcsvg/common/id_table.c
ffce15b0 ../libcsvg/common/queue.c
ffce3a1c ../libcsvg/common/utils.c
ffce5bd8 ../libcucs/ucs.c
ffce9b34 ../libcsvg/common/uriref.c
ffcea324 ../libcsvg/svg_path.c
ffcef4e0 ../libcsvg/core/attrib_animtiming.c
ffcf09f4 ../libcsvg/core/datatype_preserveaspectratio.c
ffcf1568 ../libcsvg/core/render_anim.c

a1ex

  • Administrator
  • Hero Member
  • *****
  • Posts: 12200
  • Maintenance mode
Re: Canon 40D
« Reply #91 on: September 23, 2012, 08:05:33 PM »
Those Start***App sometimes can be started, but it's not a clean method for using them IMO. These calls may bring the correct dialog, but they do not setup the keys (guimode) and probably other things.

There is a SVG library inside, but nobody figured out how to use it.

jplxpto

  • Developer
  • Hero Member
  • *****
  • Posts: 506
Re: Canon 40D
« Reply #92 on: September 23, 2012, 10:08:54 PM »
I keep looking for the addresses of VRAM ... My next goal is to write on the LCD.

Unfortunately I have not got great results ... soon, I hope to get this my goal.

I know there are many similarities between the 5DC and 40D cameras.
So I decided to look some things coutts already found in your 5DC.



from magic lantern source code...

Code: [Select]
/** Canon data structure containing BMP VRAM address.
 *
 * LCD: it points to a 720x480 cropped area, but the image buffer is actually 960x540.
 * HDMI: it points to the full image buffer.
 *
 * ML alters this pointer to always indicate the 720x480 cropped area
 * (to avoid the possibility of buffer overflow due to race conditions when changing display modes).
 */
struct bmp_vram_info
{
        uint8_t *               vram0;
        uint32_t                off_0x04;
        uint8_t *               vram2;
};

extern struct bmp_vram_info bmp_vram_info[];

from 5DC.111 firmware...

Code: [Select]

NSTUB(0x29448, bmp_vram_info)

MakeName(0xFFB0A95C, "str:[BmpDDev]_SelectParameter");
MakeName(0xFFB0B174, "str:[BmpDDev]_DisplayPhysicalScreen");

REAL BMP VRAM  : 0x29320+8 =0x29328

REAL BMP VRAM  : 0x29330+8 =0x29338
REAL BMP VRAM  : 0x29350+8 =0x29358

from 40D.111 firmware...

Code: [Select]
NSTUB(0x1E450, bmp_vram_info)

MakeName(0xFFCAFAE0, "str:[BmpDDev]_SelectParameter");
MakeName(0xFFCB0468, "str:[BmpDDev]_DisplayPhysicalScreen");

REAL BMP VRAM  : 0x1E328+8 = 1E330

REAL BMP VRAM  : 0x1E338+8 = 1E340
REAL BMP VRAM  : 0x1E358+8 = 1E360




Here are some of the logs generated by my tests ...

Code: [Select]
   667: 10003.609 myTaskDumpf:204: [JP] VRAM INFO:
   668: 10003.670 printVramInfo:25: [JP] VRAM_INFO: vram address = 0x1065BE00
   669: 10003.698 printVramInfo:26: [JP] VRAM_INFO: width = 720
   670: 10003.722 printVramInfo:27: [JP] VRAM_INFO: pitch = 720
   671: 10003.746 printVramInfo:28: [JP] VRAM_INFO: height = 240
   672: 10003.767 printVramInfo:29: [JP] VRAM_INFO: vram_number = 0
   673: 10003.806 printVramInfo:25: [JP] VRAM_INFO: vram address = 0x106F3C8C
   674: 10003.830 printVramInfo:26: [JP] VRAM_INFO: width = 720
   675: 10003.853 printVramInfo:27: [JP] VRAM_INFO: pitch = 720
   676: 10003.876 printVramInfo:28: [JP] VRAM_INFO: height = 240
   677: 10003.897 printVramInfo:29: [JP] VRAM_INFO: vram_number = 2
   678: 10003.921 printBmpVramInfo:45: [JP] BMP_VRAM_INFO: i = 0x00
   679: 10003.961 printBmpVramInfo:46: [JP] BMP_VRAM_INFO: vram0 address = 0x10631714
   680: 10003.988 printBmpVramInfo:47: [JP] BMP_VRAM_INFO: off_0x04 address = 0x00000000
   681: 10004.027 printBmpVramInfo:48: [JP] BMP_VRAM_INFO: vram2 address = 0x48544F00

   687: 11143.643 myTaskDumpf:230: [JP] MEM(0x0001E330) = 0x10631714  // vram0 address
   688: 11143.707 myTaskDumpf:231: [JP] MEM(0x0001E340) = 0x10631714  // vram0 address
   689: 11143.741 myTaskDumpf:232: [JP] MEM(0x0001E360) = 0x00000000
   690: 11143.773 myTaskDumpf:234: [JP] MEM(0x0000BEA0) = 0x00000000 // DisplayType
   691: 11143.802 myTaskDumpf:235: [JP] MEM(0x0000BEA4) = 0x00000000 // W x H = 720x240
   692: 11143.832 myTaskDumpf:236: [JP] MEM(0x0000B854) = 0x00000002

jplxpto

  • Developer
  • Hero Member
  • *****
  • Posts: 506
Re: Canon 40D
« Reply #93 on: September 24, 2012, 01:42:59 AM »
These stubs are very important for our work so I decided to put them here ... require confirmation ...
I have not tested them all. I have used them to make some memory dumps.

40d v 1.1.1

Code: [Select]
NSTUB(0xFFC39AE4, FIO_RemoveFile)
NSTUB(0xFFD1682C, FIO_OpenFile)
NSTUB(0xFFD168F8, FIO_CreateFile)
NSTUB(0xFFD16A80, FIO_ReadFile)
NSTUB(0xFFD16BF0, FIO_WriteFile)
NSTUB(0xFFD16CA8, FIO_CloseFile)
NSTUB(0xFFD16D5C, FIO_GetFileSize)
NSTUB(0xFFD17244, FIO_GetDeviceName)
NSTUB(0xFFD7A968, FIO_FindNextEx)

a1ex

  • Administrator
  • Hero Member
  • *****
  • Posts: 12200
  • Maintenance mode
Re: Canon 40D
« Reply #94 on: September 24, 2012, 08:40:42 AM »
Can you dump around 200K from each VRAM address?

Use the cacheable addresses if you can't (remove the first 1).

jplxpto

  • Developer
  • Hero Member
  • *****
  • Posts: 506
Re: Canon 40D
« Reply #95 on: September 24, 2012, 12:01:31 PM »
Can you dump around 200K from each VRAM address?

Use the cacheable addresses if you can't (remove the first 1).

Yes, I will do that ..

coutts

  • Developer
  • Senior
  • *****
  • Posts: 401
Re: Canon 40D
« Reply #96 on: September 26, 2012, 08:12:32 PM »
Yes, I will do that ..
A simple test to see if you found the vram is to try and paint on the screen, write something like 64kb of 1s to the buffer and you should see a colored square on the screen.

great to see your progress!!

jplxpto

  • Developer
  • Hero Member
  • *****
  • Posts: 506
Re: Canon 40D
« Reply #97 on: September 27, 2012, 12:39:35 AM »
A simple test to see if you found the vram is to try and paint on the screen, write something like 64kb of 1s to the buffer and you should see a colored square on the screen.

great to see your progress!!


Cloutts, thank you for this suggestion ... more I had thought about doing something similar but I am afraid to write to memory before I was sure it matches the VRAM.

jplxpto

  • Developer
  • Hero Member
  • *****
  • Posts: 506
Re: Canon 40D
« Reply #98 on: September 27, 2012, 02:05:52 AM »
Hi guys

I did some more tests today ...
I finally got the memory address of LV_VRAM.
I made a small application that writes into log file the addresses of LV_VRAM.
I put the camera in LV mode, and every 40ms, I wrote in the log file, the address and size of the LV_VRAM.

I repeated the process twice, and got the following data:

Address : 0x1CA700C8 / Average Size : ??????????

Address : 0x1CEAE304 / Average Size : 0x0003D068


I've also downloaded the JPEG. I had done before but did not know the memory address.

The JPEG has 1024x680 pixels and has a size of 213446 bytes


Some logs...

Code: [Select]
45578: 63053.752 [LVCDEV]->lvcdevResourceGet(0,1)
 45579: 63054.313 [DPATH] LV_JPG START Y:0x1de43c64 J:0x1ca700c8 Y411:0x10798ea0
 45580: 63057.331 [LV] lvVDInterrupt
 45581: 63057.493 [LV] WB 1926 1135 1135 2454(1158)
 45582: 63059.349 [LV] lvReturnVram
 45583: 63059.379 < GUI Lock > GUILock_PermitPowerLock (PUB)
 45584: 63059.666 < GUI Lock > GUILockTask 1
 45585: 63059.735 [DispCon] TurnOnDisplay (PUB)
 45586: 63061.319 [DEV] LV_JPG YuvWriteCompleteCBR
 45587: 63061.365 [DEV] LV_JPG YUVReadCompleteCBR
 45588: 63061.498 [DEV] LV_JPG JpCoreCompleteCBR( 0x4af66 )
 45589: 63061.558 [DEV] LV_JPG JpegPopCompleteCBR
 45590: 63061.701 [DPATH] LV_JPG STOP Y:0x1df97c64 J:0x1cabb02e Y411:0x107a0e20
 45591: 63062.313 [LVCDEV]->PD(VF:0x1078d7e8,MS:0x485540)
 45592: 63081.284 [LV] WriteEDmacWbIntegCompleteCBR


 45579: 63054.313 [DPATH] LV_JPG START Y:0x1de43c64 J:0x1ca700c8 Y411:0x10798ea0
 45590: 63061.701 [DPATH] LV_JPG STOP   Y:0x1df97c64 J:0x1cabb02e  Y411:0x107a0e20

jplxpto

  • Developer
  • Hero Member
  • *****
  • Posts: 506
Re: Canon 40D
« Reply #99 on: September 27, 2012, 06:26:54 AM »

I managed to blur the image of the LCD. I now have to know the coordinates valid in order to draw a rectangle.

I used this STUB, and wrote somewhere in vram0.

NSTUB(0x1E450, bmp_vram_info)

In the coming days, I'll want to have a bmp_printf(...) function to write text on the display.

Once you get it, I want to improve the boot process.