Author Topic: Portable ROM dumper  (Read 74702 times)

a1ex

  • Administrator
  • Hero Member
  • *****
  • Posts: 12420
Re: Portable ROM dumper
« Reply #125 on: July 27, 2019, 12:04:55 PM »
Quote
I tried DUMP_40D.FIR with 4 different CF cards, also old ones with 256 MB capacity, but it does not seem to work: the MD5 for ROM1.BIN is different each time (even if the check with PC always succeeds).
ROM0.MD5 is always the same though...

Already answered this one in the 40D thread (noticed this message afterwards).

That's probably alright - Canon firmware reflashes the ROM at every shutdown, to save their settings. If you compare the two ROMs, you will see differences only in the settings area (not in the executable code).

To get the same MD5 every time, you need to avoid starting the main Canon firmware between the two attempts (i.e. just run the dumper twice, possibly on different cards, without booting the camera normally in-between).
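
One way to check the point made in the reply above, that two dumps differ only in the settings area: an added example, not code from the thread or from Magic Lantern. The function names, the sample images and the settings-area offsets are constructed for illustration; the real location of the settings area is not given on this page.

```python
# Added example (not from the thread): find where two dumps of the same ROM differ.
import hashlib

def diff_ranges(a: bytes, b: bytes, block: int = 0x1000):
    """Return half-open, block-aligned (start, end) ranges where a and b differ."""
    if len(a) != len(b):
        raise ValueError("dumps have different sizes")
    ranges = []
    for off in range(0, len(a), block):
        if a[off:off + block] == b[off:off + block]:
            continue
        end = min(off + block, len(a))
        if ranges and ranges[-1][1] == off:
            ranges[-1] = (ranges[-1][0], end)   # merge with the adjacent range
        else:
            ranges.append((off, end))
    return ranges

def outside(ranges, allowed):
    """Ranges that are not fully inside the allowed (start, end) area."""
    lo, hi = allowed
    return [(s, e) for s, e in ranges if s < lo or e > hi]

def md5_skipping(data: bytes, ranges):
    """MD5 of data with the given ranges left out, so the stable parts can be compared."""
    h, pos = hashlib.md5(), 0
    for start, end in ranges:
        h.update(data[pos:start])
        pos = end
    h.update(data[pos:])
    return h.hexdigest()

# Constructed sample data: 64 KiB images, hypothetical settings area at 0x8000-0xA000.
SETTINGS_AREA = (0x8000, 0xA000)
DUMP_A = bytes(range(256)) * 256
_b = bytearray(DUMP_A); _b[0x8010] ^= 0xFF; _b[0x9FF0] ^= 0xFF
DUMP_B = bytes(_b)                      # only "settings" bytes changed
_c = bytearray(DUMP_B); _c[0x0100] ^= 0x01
DUMP_C = bytes(_c)                      # one "code" byte changed as well

if __name__ == "__main__":
    for name, other in (("B", DUMP_B), ("C", DUMP_C)):
        r = diff_ranges(DUMP_A, other)
        print(name, [(hex(s), hex(e)) for s, e in r],
              "outside settings:", outside(r, SETTINGS_AREA))
```

For real dumps, read both files with `open(path, "rb").read()` and pass the bytes in; any range reported by `outside()` is a difference that the settings rewrite does not explain.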

chapan

  • New to the forum
  • *
  • Posts: 6
Re: Portable ROM dumper
« Reply #126 on: August 07, 2019, 05:51:12 PM »
I tried running DMP2000D.FIR on my Canon EOS Rebel T7 and RESCUE.LOG shows this:

  Magic Lantern Rescue
 ----------------------------
 - Model ID: 0x432 2000D
 - Camera model: Canon EOS Rebel T7 / K432
 - Firmware version: 1.0.0 / 2.3.2 13(03)
 - IMG naming: 100CANON/IMG_0786.JPG
 - Boot flags: FIR=0 BOOT=0 RAM=-1 UPD=-1
 - ROMBASEADDR: 0xFE0C0000
 - card_bootflags 1069ec
 - boot_read/write_sector 1071e0 1072d8
 - 101F70 Card init => 2
 - Dumping ROM0... 100%
 - MD5: 66354cabd287d45faae4c6158ba09606
 - Dumping ROM1... 100%
 - MD5: 65a90329df0b77b083a27a1f5583810f
 - No serial flash.
 - Saving RESCUE.LOG ...


But when I try to check the MD5 I get this:

root@craig-ubuntu:~# md5sum -c ROM0.BIN
md5sum: ROM0.BIN: no properly formatted MD5 checksum lines found
root@craig-ubuntu:~# md5sum -c ROM1.BIN
md5sum: ROM1.BIN: no properly formatted MD5 checksum lines found


I tried recreating the ROM files several times but the results are always the same.

Walter Schulz

  • Contributor
  • Hero Member
  • *****
  • Posts: 7305
Re: Portable ROM dumper
« Reply #127 on: August 07, 2019, 07:47:12 PM »
Code:
md5sum ROM?.BIN -c ROM?.MD5
Photogs and videographers: Assist in proof reading upcoming in-camera help!. Your input is wanted and needed!

chapan

  • New to the forum
  • *
  • Posts: 6
Re: Portable ROM dumper
« Reply #128 on: August 14, 2019, 11:23:24 PM »
This is what I see for Canon EOS Rebel T7.

Magic Lantern Rescue
 ----------------------------
 - Model ID: 0x432 2000D
 - Camera model: Canon EOS Rebel T7 / K432
 - Firmware version: 1.0.0 / 2.3.2 13(03)
 - IMG naming: 100CANON/IMG_0786.JPG
 - Boot flags: FIR=0 BOOT=0 RAM=-1 UPD=-1
 - ROMBASEADDR: 0xFE0C0000
 - card_bootflags 1069ec
 - boot_read/write_sector 1071e0 1072d8
 - 101F70 Card init => 2
 - Dumping ROM0... 100%
 - MD5: 66354cabd287d45faae4c6158ba09606
 - Dumping ROM1... 100%
 - MD5: 65a90329df0b77b083a27a1f5583810f
 - No serial flash.
 - Saving RESCUE.LOG ...


root@craig-ubuntu:~# ls -l ROM*
-rw-r--r-- 1 root root 33554432 Dec 31  1979 ROM0.BIN
-rw-r--r-- 1 root root       43 Dec 31  1979 ROM0.MD5
-rw-r--r-- 1 root root 33554432 Dec 31  1979 ROM1.BIN
-rw-r--r-- 1 root root       43 Dec 31  1979 ROM1.MD5

root@craig-ubuntu:~# md5sum -c ROM0.MD5
ROM0.BIN: FAILED
md5sum: WARNING: 1 computed checksum did NOT match
root@craig-ubuntu:~# md5sum -c ROM1.MD5
ROM1.BIN: OK

md5sum: ROM1.BIN: no properly formatted MD5 checksum lines found
ROM1.BIN: OK

Does that mean ROM1.BIN is the good firmware?





chapan

  • New to the forum
  • *
  • Posts: 6
Re: Portable ROM dumper
« Reply #129 on: August 20, 2019, 04:50:28 PM »
Dumping EOS Rebel T7 gives this:

- Model ID: 0x432 2000D
 - Camera model: Canon EOS Rebel T7 / K432
 - Firmware version: 1.0.0 / 2.3.2 13(03)
 - IMG naming: 100CANON/IMG_0786.JPG
 - Boot flags: FIR=0 BOOT=0 RAM=-1 UPD=-1
 - ROMBASEADDR: 0xFE0C0000
 - card_bootflags 1069ec
 - boot_read/write_sector 1071e0 1072d8
 - 101F70 Card init => 2
 - Dumping ROM0... 100%
 - MD5: 66354cabd287d45faae4c6158ba09606
 - Dumping ROM1... 100%
 - MD5: 65a90329df0b77b083a27a1f5583810f
 - No serial flash.


-rw-r--r-- 1 root root 33554432 Aug 15 15:05 ROM0.BIN
-rw-r--r-- 1 root root 33554432 Aug 15 15:05 ROM1.BIN


The MD5 checksum for ROM1.BIN is good. If I run disassemble.pl I get this:

root@craig-ubuntu:/usr/local/qemu-eos/1500D# perl disassemble.pl 0xFE0C0000 ROM1.BIN
offset + filesize - 1 > 0xffffffff. We can't wrap around!

game over at disassemble.pl line 50.


Does that mean the ROM1.BIN file is too big? Is the ROMBASEADDR of 0xFE0C0000 from the RESCUE.LOG the correct address to use?





names_are_hard

  • Contributor
  • Member
  • *****
  • Posts: 207
  • 200D idiot
Re: Portable ROM dumper
« Reply #130 on: August 20, 2019, 10:28:10 PM »
Try this:
perl disassemble.pl 0xFE000000 ROM1.BIN

Magic Lantern is a bit inconsistent about what "base address" means. In some places it uses it to mean "entry point address", which is confusing. 0xFE000000 is the base address, i.e., the address at which the first byte in the ROM is loaded into memory. 0xFE0C0000 is the entry point address, the address at which execution of the code starts.
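
The base address versus entry point distinction from the reply above, as an added example that is not part of the original post and not the code of disassemble.pl. It reads ROMBASEADDR from the RESCUE.LOG excerpt and the file size from the `ls -l` output posted earlier in the thread, then checks a candidate load address; the function names are hypothetical.

```python
# Added example (not from the thread): sanity-check a load address for a ROM dump.
import re

ADDR_SPACE = 1 << 32            # 32-bit address space

# Values copied from the posts above (2000D RESCUE.LOG and `ls -l ROM1.BIN`).
LOG_EXCERPT = " - ROMBASEADDR: 0xFE0C0000\n - card_bootflags 1069ec\n"
ROM_SIZE = 33554432

def entry_from_log(log_text: str) -> int:
    """Extract the address that RESCUE.LOG prints as ROMBASEADDR."""
    m = re.search(r"ROMBASEADDR:\s*(0x[0-9A-Fa-f]+)", log_text)
    if m is None:
        raise ValueError("no ROMBASEADDR line in log")
    return int(m.group(1), 16)

def check_base(base: int, rom_size: int, entry: int):
    """Return (ok, detail): the entry point's file offset, or why the base is rejected."""
    if base + rom_size - 1 > ADDR_SPACE - 1:
        # Same condition as the "We can't wrap around!" message quoted in the thread.
        return False, "image would wrap past 0xFFFFFFFF"
    if not base <= entry < base + rom_size:
        return False, "entry point is not inside the image"
    return True, entry - base

ENTRY = entry_from_log(LOG_EXCERPT)

if __name__ == "__main__":
    for base in (0xFE0C0000, 0xFE000000):
        ok, detail = check_base(base, ROM_SIZE, ENTRY)
        shown = hex(detail) if ok else detail
        print(f"base {base:#010x}: {'ok, entry at file offset ' if ok else 'rejected, '}{shown}")
```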

chapan

  • New to the forum
  • *
  • Posts: 6
Re: Portable ROM dumper
« Reply #131 on: September 03, 2019, 01:46:10 AM »
That solved the disassemble problem for 1500D.  :)

Given what you said in your post, would these be correct parameters to use in hw/eos/model_list.c?

           .firmware_start         = 0xFE0C0000,
           .rom1_addr              = 0xFE000000,

And how would I know what to use for ram_size?

names_are_hard

  • Contributor
  • Member
  • *****
  • Posts: 207
  • 200D idiot
Re: Portable ROM dumper
« Reply #132 on: September 03, 2019, 03:11:09 AM »
I'd expect that to be right for firmware_start and rom1_addr.  I don't know the ram size for 1500D.  model_list.c has 256MB for 1300D, so I'd guess 1500D is either the same, or maybe 512MB since it's a later camera.

If you want, try:
.ram_size               = 0x10000000

and see if it makes your camera explode.  That's 256MB.  Try 0x20000000 for 512MB.  I don't know what the risk is if you get the ram size wrong.  Maybe the correct size is listed in some other thread.

a1ex

  • Administrator
  • Hero Member
  • *****
  • Posts: 12420
Re: Portable ROM dumper
« Reply #133 on: September 03, 2019, 07:09:59 AM »
If you declare - in QEMU - a RAM size smaller than physical size, emulation will not run. The firmware will attempt to address memory outside the declared size (unmapped). In particular, the RscMgr task is going to initialize its data structures, covering pretty much the entire RAM.

If you declare a RAM size larger than physical size, nothing obvious will happen. There will be some memory that's never going to be addressed. The emulation will run just as well as if you had declared the correct size.

RAM size is not currently used in ML.

Walter Schulz

  • Contributor
  • Hero Member
  • *****
  • Posts: 7305
Re: Portable ROM dumper
« Reply #134 on: December 14, 2019, 06:17:58 AM »
Got a new cam: 250D/Rebel SL3/Kiss X10/200D Mark II (seriously, Canon?) with firmware version 1.0.1.
Is there a ROM dumper for this DIGIC 8 cam?

a1ex

  • Administrator
  • Hero Member
  • *****
  • Posts: 12420
Re: Portable ROM dumper
« Reply #135 on: December 14, 2019, 07:30:14 AM »
This model, alongside G7X III and 90D (maybe also M6 II), uses the same encryption as EOS R/RP, so the "state-of-art" way to dump the firmware is via UART (for now).

We actually made some progress figuring it out (thanks Indy), and it's likely that solving one of these will work for all others.

DeafEyeJedi

  • Hero Member
  • *****
  • Posts: 3391
  • 5D3 | M1 | 7D | 70D | SL1 | M2 | 50D
Re: Portable ROM dumper
« Reply #136 on: December 19, 2019, 06:45:05 AM »
Quote from: Walter Schulz
...(seriously, Canon?)...

Seriously that's just flabbergasting to hear... Does it feel more like 200D Mark II than 250D?
5D3.113 | 5D3.123 | EOSM.203 | 7D.203 | 70D.112 | 100D.101 | EOSM2.* | 50D.109

tanvir5971

  • Just arrived
  • *
  • Posts: 1
EOS 800D- Portable ROM dumper
« Reply #137 on: March 03, 2020, 07:45:11 PM »
After formatting the 64 GB SDXC card as FAT32, I put "DUMP800D.FIR" on the card. As per the instructions I tried to dump the ROM, but an error occurred. I don't know how to insert a picture here, so a link to the screenshot is given below.

https://photos.app.goo.gl/NMa5juPu3ufbEWVQ7

Walter Schulz

  • Contributor
  • Hero Member
  • *****
  • Posts: 7305
Re: Portable ROM dumper
« Reply #138 on: March 04, 2020, 07:10:54 PM »
Try using a smaller card or repartition to a much, much smaller size. Do not expect to make ExFAT work.

Pangu

  • Just arrived
  • *
  • Posts: 1
Re: Portable ROM dumper
« Reply #139 on: March 29, 2020, 04:00:33 AM »
Quote from: names_are_hard
I'd expect that to be right for firmware_start and rom1_addr.  I don't know the ram size for 1500D.  model_list.c has 256MB for 1300D, so I'd guess 1500D is either the same, or maybe 512MB since it's a later camera.

If you want, try:
.ram_size               = 0x10000000

and see if it makes your camera explode.  That's 256MB.  Try 0x20000000 for 512MB.  I don't know what the risk is if you get the ram size wrong.  Maybe the correct size is listed in some other thread.

Did this actually work? I am looking forward to a fix. My dump gives the exact same results. Thank you.

ilia3101

  • Moderators
  • Hero Member
  • *****
  • Posts: 923
Re: Portable ROM dumper
« Reply #140 on: April 17, 2020, 02:14:22 PM »


Code:
  Magic Lantern Rescue
 ----------------------------
 - Model ID: 0x382 5DS
 - Camera model: Canon EOS K331
 - Firmware version: 1.1.1 / 8.1.2 94(37)
 - IMG naming: 100?????/5DS_7425.JPG
 - User PS: ??? ??? ???
 - Boot flags: FIR=0 BOOT=-1 RAM=-1 UPD=-1
 - ROMBASEADDR: 0xFE0A0000
 - card_bootflags 10c074
 - boot_read/write_sector 10c698 10c784
 - 102A08 Card init => 1
 - Dumping ROM1... 100%
 - MD5: 1c4033b9cf1a088f29280ba4284216a6
 - No serial flash.
 - Saving RESCUE.LOG ...

Code:
1c4033b9cf1a088f29280ba4284216a6  ROM1.BIN
Confirmed MD5:
Code:
MD5 (/Volumes/EOS_DIGITAL/ROM1.BIN) = 1c4033b9cf1a088f29280ba4284216a6