Canon 40D

[jplxpto]

I have good news.

The autoboot already works!!!

I used the addresses of functions and LEDs that I presented to you earlier.
I used some test applications of Coutts, and made the necessary changes.

The second obstacle has been overcome.

I level up but, the game becomes more complicated and risky.

Wish me luck!

[jplxpto]

My next steps are:

1) find the addresses of the functions Open, Write and Close;

2) create BL & ROM dumps.

[coutts]

My next steps are:

1) find the addresses of the functions Open, Write and Close;

2) create BL & ROM dumps.

you must boot the firmware first. you cannot call file i/o until it has been initialized by VxWorks. now that you can run autoexec.bin, you can boot the firmware

[jplxpto]

I've been reading the forums and ML CHDK and found some examples to dump the ROM and BL.

http://chdk.setepontos.com/index.php?topic=1651.45

I found one that allowed you to dump the 40D FW 1.0.8.
They called on four functions in the code of the flasher.
The 'ASalina' made ??the dump from earlier versions.
I now want to do with version 1.1.1.

They found these features in version 1.0.8:

/ / 40d - flasher v1.0.8
         open = (ft_open) 0x00989a34;
         create = (ft_creat) 0x00989a44;
         write = (ft_write) 0x00989534;
         close = (ft_close) 0x009896a0;

I've been researching the same functions in version 1.1.1:

/ / 40d - flasher v1.1.1
         open = (ft_open) 0x00989a3c;
         create = (ft_creat) 0x00989a4c
         write = (ft_write) 0x0098953c;
         close = (ft_close) 0x009896a8;

I've thought maybe it was not possible to call these functions before starting VxWorks.
I got confused with anything ...

The flasher code calls functions of the ROM?! ...

I still can not understand well the memory map and this is making me lose some time and let me crazy

Someone can give me some tips? Maybe you Coutts ... Again ...

[jplxpto]

you must boot the firmware first. you cannot call file i/o until it has been initialized by VxWorks. now that you can run autoexec.bin, you can boot the firmware

Coutts I understand but how do I boot VxWorks?! ...
My apologies if the question is basic!

I've been to see the entry.S 5DC but still seems to me very complicated.
How do you know the sequence of function calls to boot.
I studied multitasking, but on the VxWorks I only know the name: (

How do I use AUTOEXEC.BIN to start the VxWorks?! ...

Can I use the functions DEBUGMSG and dump before starting VxWorks?

[coutts]

Coutts I understand but how do I boot VxWorks?! ...
My apologies if the question is basic!

I've been to see the entry.S 5DC but still seems to me very complicated.
How do you know the sequence of function calls to boot.
I studied multitasking, but on the VxWorks I only know the name: (

How do I use AUTOEXEC.BIN to start the VxWorks?! ...

Can I use the functions DEBUGMSG and dump before starting VxWorks?

Those functions you listed earlier sound like they are bootloader functions but they are being called from RAM, so I wouldn't call those (not sure if the functions are copied there or not). I've been looking for file i/o in the bootloader for a while but haven't found it, if you have found these functions in the BL, then that is huge progress! It will help new ports a lot.

Now for booting VxWorks, what I mean is you must copy/paste the boot code starting at 0xFF810000 far enough to where you can spawn your own task. We need to hook ourselves into VxWorks. Once we have started our one task, we can hand execution back to canon and boot the camera like normal.

So, I used some bootcode from chuchin but it is literally copy/pasted line for line from the ROM (at FF810000). As a test, see if you can make your entry.S jump execution to FF810000 and see if the camera boots like normal.

Then begin tracing the boot process to know how much code needs to be re-written. You only need to write until the part where it calls CreateTask on the startup task. We can hook our task in here.

[jplxpto]

As a test, see if you can make your entry.S jump execution to FF810000 and see if the camera boots like normal.

I'll test it ...

[jplxpto]

I'm working on it ...

I already have the dump of the ROM. I've also got the boot flag active.

The Coutts and Cucho have given me a great help ..
They have been fantastic.

The Nano has sent me a file entry.S.

I'll be a little busy, but soon I hope to present you some results.


Does anyone else want to help me?! ... Any help is welcome.

[jplxpto]

I have good news ...

I already have a tread running ... flashing blue LED!

The LED turns off when the TFT is turned off but with the MENU button it lights up again.

I already found the address of some functions but there is still much work ahead to be able to integrate my code with ML.

[jplxpto]

Hi guys,

I keep working on this project and I having some successes

Now I can write logs on the card.

I've been analyzing the logs and found some messages that can help me identify the VRAM.

Then I present some:

Code: [Select]

   304:   591.053 < GUI Lock > InitializeGUILock (PUB)
   305:   592.017 [GUI] MasterResultCBR
   306:   592.224 [GUI] GUI_Initialize ClassID[21]GUI[23]Ctrl[24]
   307:   593.033 [GUI] -> handleGuiInit
   308:   598.963 [DispCon] InitializeDisplayDeviceController (PUB)
   309:   600.121 [IMP] (PUB) InitializeImagePlayer 1113
   310:   601.818 [CERES] RegisterAdapterStatusCallback
   311:   607.638 [Graphics] GuiStartGraphics (PUB)
   312:   608.057 [IMP] (PUB) StartImagePlayer(mode=0) 1189
   313:   608.094 [IMP] CreateVram 665
   330:   684.874 [Graphics] GuiClearImage
   331:   684.933 [IMP] (PUB) SetVramInformation(w:720 h:240) 1291
   332:   684.997 SetImageVramParameter x:0 y:0 w:720 h:240/* Aspect:0*/
   333:   685.032 [IMP] (PUB) SyncroAllClearImagePlayWorkVramWithoutEngine 2644
   334:   685.052 [IMP] GetVramNumber 580
   335:   685.072 [IMP] GetVramNumber 580
   336:   716.486 [IMP] (PUB) RefreshImageVram 1597
   337:   716.519 [IMP] GetVramNumber 580
   338:   716.765 [IMP] GetVramNumber 580
   339:   716.791 [IMP] GetVramNumber 580
   340:   716.823 [GUI] StopDateTimer
   341:   716.852 [GUI] ClearColorPalette (0)
   342:   716.924 [GUI] GUI_RegisterPropertySlave
   343:   724.367 [GUI] MasterResultCBR_AvailableMyMenuList(0x79594c)
   344:   724.618 [GUI] MasterResultCBR_ErrBattery(0x79599c)
   345:   725.033 [DP]Dp_GetGlbRegisterCbrTAdr()
   346:   725.182 [DP]Dp_GetGlbRegisterCbrTAdr()
   347:   725.645 [GUI] GUI_SetLanguage (15)

[a1ex]

Sounds good.

Point the camera to something recognizable and dump roughly 1MB from the VRAM address to confirm it.

Another way to find VRAM buffers: look for EDMAC registers. In digic 4, these are c0f04008, c0f04108 ... c0f04f08, then c0f26008, c0f26108 etc. One of those registers should point to the LiveView buffer.

[jplxpto]

Now I'm trying to change the logging level.
I hope to see something else, but I'm not having great success.

I have to confirm my stubs ... I must be doing something wrong.

I changed the amount of logging that is written but there is something wrong.
I have to understand what is happening.

I wanted to make sure that those are the addresses of VRAM.

I'm going to dump the VRAM (1M) but I still do not know what to do with it...

[jplxpto]

Sounds good.

Point the camera to something recognizable and dump roughly 1MB from the VRAM address to confirm it.

Another way to find VRAM buffers: look for EDMAC registers. In digic 4, these are c0f04008, c0f04108 ... c0f04f08, then c0f26008, c0f26108 etc. One of those registers should point to the LiveView buffer.

These  EDMAC registers are also valid in the DIGIC III?

[a1ex]

You can post them here.

I have no idea what's inside DIGIC III.

[jplxpto]

Thanks Alex, I'll analyze the problem better

[coutts]

One way to find vram:

All vram buffers are like structures, with off_0x00 pointing to a string in the ROM that says "Vram Instance". There's a few of these so you'll have to check for all of them. But, you can dump say the first 0x10000 bytes of ram and look for these pointers. Tip for dumping: you might need to do what I have to do with the 5dc (which I learned from 0xAF with the 400d) and dump using a buffer.

For whatever reason, I can't seem to dump very much without using a buffer. simple code:

Code: [Select]

//~ dump memory 64kb at a time using a buffer.
void dump_with_buffer(int addr, int len, char* filename)
{
    FIO_RemoveFile(filename);
    FILE* f = FIO_CreateFile(filename);
    if (f!=-1)
    {
        int address = addr;
        while (address<addr+len)
        {
            char buf[0x10000];
            memcpy(buf, (void*)address, 0x10000);
            FIO_WriteFile(f, buf, 0x10000);
            address += 0x10000;
        }
        FIO_CloseFile(f);
    }
}

[coutts]

when I found the 5dc vram, I did it a bit oddly. I used img.py (http://magiclantern.wikia.com/wiki/VRAM/550D#How_to_find_segments[/url]). You should look into this. You already know the dimensions of the buffer (same as 5dc): 720x240 with a pitch of 360 I believe. so, dump an area of memory and run it all through img.py to see if you can see the menu or whatever screen you dumped the ram at.

[jplxpto]

Coutts, once again thank you for your help.

I already knew that page. I've also ran this section of your code.
I've done dump part of RAM, but I have not had time to test this python script. Once I have the opportunity I will do this test.

However, I've spent a few hours looking at the 40D firmware. I identified many functions on my camera.
I think there are too many in your 5DC. If you want I send you my stubs for 40D v1.1.1.

I try to read all your posts. You have written some things that I have been very useful for my port.

Soon I will try to present some results. I've been working on it a little every day.

[jplxpto]

I have found many functions in 40D firmware.
These are the ones that create the state objects (I still do not know if missing some function)

Code: [Select]

NSTUB(0xFFD4F17C, CreateTaskClass);

NSTUB(0xFFD4EE48, CreateStateObject);

NSTUB(0xFFB04634, DpImgEditState_CreateStateObject);
NSTUB(0xFFB06DC4, DpState_CreateStateObject);
NSTUB(0xFFBB0A2C, TOMState_CreateStateObject);
NSTUB(0xFFC7F9E0, USBC20State_CreateStateObject);

NSTUB(0xFFBB7DFC, CeresState_CreateStateObject);
NSTUB(0xFFB72BEC, PtpDpsState_CreateStateObject);
NSTUB(0xFF84BD74, RMTState_CreateStateObject);
NSTUB(0xFFB57FC4, FSSState_CreateStateObject);
NSTUB(0xFFC86AFC, PropState_CreateStateObject);
NSTUB(0xFFB618B8, RDState_CreateStateObject);
NSTUB(0xFFB3D088, LVCDEVState_CreateStateObject);
NSTUB(0xFFB3BC98, LVCAFState_CreateStateObject);
NSTUB(0xFFB3A554, LVCAEState_CreateStateObject);
NSTUB(0xFFB32CB8, LVState_CreateStateObject);
NSTUB(0xFFBFDB18, FWState_CreateStateObject);
NSTUB(0xFFBFB9A8, FRState_CreateStateObject);
NSTUB(0xFFBF0B6C, MrkState_CreateStateObject);
NSTUB(0xFFB56580, FCSState_CreateStateObject);
NSTUB(0xFFBAE9D8, SdioTskState_CreateStateObject);
NSTUB(0xFFBD5564, FMNormalState_CreateStateObject);
NSTUB(0xFFD5CEA4, DMState_CreateStateObject);


[a1ex]

Yay!

http://a1ex.bitbucket.org/ML/states/40D-alt/index.html

Some functions named automatically with my scripts: http://a1ex.magiclantern.fm/bleeding-edge/40D.111.idc

Try to dump from MEM(0x7768), size MEM(0x7764), while you are in LiveView. If successful, we can record MJPEG video

[jplxpto]

Alex,

Thanks for your help.

I'll do this test ..

[jplxpto]

Yay!

http://a1ex.bitbucket.org/ML/states/40D-alt/index.html

Some functions named automatically with my scripts: http://a1ex.magiclantern.fm/bleeding-edge/40D.111.idc

Try to dump from MEM(0x7768), size MEM(0x7764), while you are in LiveView. If successful, we can record MJPEG video

----------------------------------------

Alex,

I want to know which of your script made ​​this excellent work. I have little experience in the use of your tools. I saw nothing that did that.

I found hundreds of methods in firmware but it took me many hours looking at the assembly.

And how did you get those addresses? ...

Thanks in advance ...

[ilguercio]

How is this going on?

[a1ex]

This one:

1) guessfunc.run(dump) in arm console
2) run -i namefuncx.py

http://a1ex.magiclantern.fm/name_funcx.py

[jplxpto]

IT'S WORKING !!! IT'S WORKING !!! IT'S WORKING !!!

Alex, thanks for the tip

Finally, I got a little time I did the test and it worked!!

I got the JPEG successfully.