Author Topic: Display access from bootloader / Portable binary test  (Read 135818 times)

a1ex

  • Administrator
  • Hero Member
  • *****
  • Posts: 12564
Display access from bootloader / Portable binary test
« on: March 15, 2015, 07:13:36 PM »
About one month ago, g3gg0 found a way to access the LCD display from bootloader context, without calling anything from the main firmware. This makes a very powerful tool for diagnosing bricked cameras, and also a playground for low-level reverse engineering.

The only camera-specific bits for printing stuff on the LCD are:
- we have to call a Canon routine that initializes the display (which is in bootloader, not in main firmware): we named it "fromutil_disp_init".
- for the YUV layer, newer cameras use YUV422, while older cameras (only checked 5D2) use YUV411. This difference is not essential (you can print on the BMP layer only).

Today I wrote an autodetection routine that finds the display init routine from ROM strings, and the result is a portable "hello world" binary. That means, it should print something on any ML-enabled camera (and maybe even on cameras without ML). Same binary for all cameras, of course.

I've tested the code on 5D3 and 60D, and I'm looking for confirmation on the other models.

If you are already running ML, just download this autoexec.bin, run it, take a picture of your camera screen (sorry, no screenshots yet) and upload it here.

If you have a Canon DSLR without an ML port available, we need to sign this binary (create a FIR). Just mention your camera model and I'll create one for you. Don't expect this to speed up the porting process for your camera. But I hope this proof of concept will convince you to start tinkering with your new little computer :)
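Added example, not part of the original post and not the project's code: one common way to locate a routine from a ROM string in an ARM-mode image, shown because the post only says the display init routine is found "from ROM strings". It assumes the code takes the string's address with a forward ADR (ADD Rd, PC, #imm) and that the function opens with STMFD SP!, {..., LR}; the name find_func_by_string, the sample bytes, the base address and the string "Hello" are all constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: fake ARM bootloader fragment, not bytes from any camera. */
static const uint8_t sample_rom[] = {
    0x00,0x00,0xA0,0xE1,  /* 0x00: MOV R0, R0 (padding)            */
    0x10,0x40,0x2D,0xE9,  /* 0x04: PUSH {R4, LR}  <- function start */
    0x00,0x40,0xA0,0xE1,  /* 0x08: MOV R4, R0                       */
    0x04,0x00,0x8F,0xE2,  /* 0x0C: ADR R0, 0x18  (ADD R0, PC, #4)   */
    0x10,0x80,0xBD,0xE8,  /* 0x10: POP {R4, PC}                     */
    0x00,0x00,0xA0,0xE1,  /* 0x14: MOV R0, R0 (padding)             */
    'H','e','l','l','o',0,0,0  /* 0x18: the string being referenced */
};

static uint32_t rd32(const uint8_t *p)  /* little-endian word read */
{
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* ARM immediate operand: 8-bit value rotated right by twice the 4-bit field. */
static uint32_t arm_imm(uint32_t insn)
{
    uint32_t v = insn & 0xFF, r = ((insn >> 8) & 0xF) * 2;
    return r ? (v >> r) | (v << (32 - r)) : v;
}

/* Address of the function whose code takes the address of `str`, or 0. */
uint32_t find_func_by_string(const uint8_t *rom, size_t len, uint32_t base, const char *str)
{
    size_t slen = strlen(str) + 1;               /* compare the NUL too */
    for (size_t i = 0; i + 4 <= len; i += 4) {
        uint32_t insn = rd32(rom + i);
        if ((insn & 0xFFFF0000u) != 0xE28F0000u) /* ADD Rd, PC, #imm (ADR) */
            continue;
        size_t target = i + 8 + arm_imm(insn);   /* PC reads as insn + 8 */
        if (target >= len || slen > len - target || memcmp(rom + target, str, slen))
            continue;
        for (size_t j = i; ; j -= 4) {           /* walk back to the prologue */
            if ((rd32(rom + j) & 0xFFFF4000u) == 0xE92D4000u) /* STMFD SP!, {..., LR} */
                return base + (uint32_t)j;
            if (j == 0) break;
        }
    }
    return 0;
}

int main(void)
{
    printf("0x%08X\n", (unsigned)find_func_by_string(sample_rom, sizeof sample_rom, 0xFFFF0000u, "Hello"));
    return 0;
}
```

Backward references (SUB Rd, PC, #imm), literal-pool loads and Thumb code are not handled by this sketch.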

Walter Schulz

  • Contributor
  • Hero Member
  • *****
  • Posts: 8809
Re: Display access from bootloader
« Reply #1 on: March 15, 2015, 07:38:31 PM »
650D: Inserted card, closed door and this showed up without turning power switch to ON.


7D: Not working. Black screen.

Indy

  • Developer
  • Member
  • *****
  • Posts: 112
Re: Display access from bootloader
« Reply #2 on: March 15, 2015, 07:58:29 PM »
Hi,

550D 1.0.8 = sub_FFFF5ECC (in bootcode)
6D = sub_FFFE5018 (in rcbind.bin)

With 550D I was also able to autodetect and call FIO_CreateFile, FIO_Write and FIO_Close to dump the memory, but it did not work on all models.

Indy

a1ex

  • Administrator
  • Hero Member
  • *****
  • Posts: 12564
Re: Display access from bootloader
« Reply #3 on: March 15, 2015, 09:10:03 PM »
@Walter: can you download it again and retry the test?

@Indy: yeah, file writing from bootloader behaves the same here (works on some cameras, but not all); g3gg0 also tried direct SD access, which works on 5D3 and 600D only for now.

Walter Schulz

  • Contributor
  • Hero Member
  • *****
  • Posts: 8809
Re: Display access from bootloader
« Reply #4 on: March 15, 2015, 09:31:53 PM »
650D: Downloaded AUTOEXEC.BIN again


7D: Still the same

dhilung

  • New to the forum
  • *
  • Posts: 27
Re: Display access from bootloader
« Reply #5 on: March 15, 2015, 09:33:11 PM »
Works in 5D2!



5D2 | 40D

Katabatic

  • New to the forum
  • *
  • Posts: 2
Re: Display access from bootloader
« Reply #6 on: March 15, 2015, 10:15:38 PM »
50D


vroem

  • New to the forum
  • *
  • Posts: 41
Re: Display access from bootloader
« Reply #7 on: March 15, 2015, 10:16:55 PM »
Katabatic, you beat me to it  ;)

Greg

  • Contributor
  • Hero Member
  • *****
  • Posts: 607
Re: Display access from bootloader
« Reply #8 on: March 15, 2015, 10:45:15 PM »
500D:

g3gg0

  • Developer
  • Hero Member
  • *****
  • Posts: 3190
Re: Display access from bootloader
« Reply #9 on: March 15, 2015, 10:56:37 PM »
600D:
Help us with datasheets - Help us with register dumps
magic lantern: 1Magic9991E1eWbGvrsx186GovYCXFbppY, server expenses: paypal@g3gg0.de
ONLY donate for things we have done, not for things you expect!

nikfreak

  • Developer
  • Hero Member
  • *****
  • Posts: 1197
Re: Display access from bootloader
« Reply #10 on: March 15, 2015, 11:06:35 PM »
EOS 70D:



Cool way to simply identify FW revisions
70D.112 & 100D.101

g3gg0

  • Developer
  • Hero Member
  • *****
  • Posts: 3190
Re: Display access from bootloader
« Reply #11 on: March 15, 2015, 11:38:46 PM »
@nikfreak:

image does not load here

dmilligan

  • Developer
  • Hero Member
  • *****
  • Posts: 3218
  • 60Da / 1100D / EOSM
Re: Display access from bootloader / Portable binary test
« Reply #12 on: March 16, 2015, 01:36:38 AM »
1100D gets weird flashing horizontal bars:



here's a 240fps video of it: https://dl.dropboxusercontent.com/u/74060/Video%20Mar%2015%2C%208%2025%2041%20PM.mov

Katabatic

  • New to the forum
  • *
  • Posts: 2
Re: Display access from bootloader / Portable binary test
« Reply #13 on: March 16, 2015, 02:19:45 AM »
Haha but at what cost, vroem? I can't seem to boot ML on it anymore...

Audionut

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 3657
  • Blunt and to the point
Re: Display access from bootloader / Portable binary test
« Reply #14 on: March 16, 2015, 04:36:11 AM »


No more running code on top of Canon's firmware!  :P

Walter Schulz

  • Contributor
  • Hero Member
  • *****
  • Posts: 8809
Re: Display access from bootloader / Portable binary test
« Reply #15 on: March 16, 2015, 05:34:21 AM »
Quote from Katabatic: "Haha but at what cost, vroem? I can't seem to boot ML on it anymore..."

Removing battery won't work?
Put card in cardreader. Backup ML directory. Delete ML directory and Autoexec.bin from card. Copy extracted nightly content to card.
(In fact: The only thing you really need to do is to replace Autoexec.bin with the one used before).

nikfreak

  • Developer
  • Hero Member
  • *****
  • Posts: 1197
Re: Display access from bootloader / Portable binary test
« Reply #16 on: March 16, 2015, 07:42:40 AM »
Quote from g3gg0: "@nikfreak: image does not load here"

fixed

jpaana

  • New to the forum
  • *
  • Posts: 28
Re: Display access from bootloader / Portable binary test
« Reply #17 on: March 16, 2015, 01:22:30 PM »
EOS M


boszmann

  • New to the forum
  • *
  • Posts: 2
Re: Display access from bootloader / Portable binary test
« Reply #18 on: March 16, 2015, 01:51:31 PM »
700D



NOTE: it is possible to execute with the card door open.

blade

  • Member
  • ***
  • Posts: 195
Re: Display access from bootloader / Portable binary test
« Reply #19 on: March 16, 2015, 11:37:57 PM »
EOS 650D, got some more info than Walter

(Not sure how to post the picture from Dropbox, but here is the link.)

Cool that it works without turning the camera on!

https://www.dropbox.com/s/uawd0finhm9kl28/Foto%2016-03-15%2023%2030%2005.jpg?dl=0

eos400D :: eos650D  :: Sigma 18-200 :: Canon 100mm macro

Pelican

  • Contributor
  • Senior
  • *****
  • Posts: 408
Re: Display access from bootloader / Portable binary test
« Reply #20 on: March 17, 2015, 09:12:54 AM »
blade's 650D:


Edit: It worked for me yesterday. I moved it to my page.
EOS 7D Mark II, EOS 7D, EOS 5, EOS 100 + lenses (10mm to 300mm), 600EX, 550EX, YN600EX x 3
EOScard, EOS DSLR firmwares, ARMu, NiControl, etc.: http://pel.hu/down

blade

  • Member
  • ***
  • Posts: 195
Re: Display access from bootloader / Portable binary test
« Reply #21 on: March 17, 2015, 11:24:18 AM »
Thanks for the effort, Pelican. Still not working though, should not matter as the link works!

dmilligan

  • Developer
  • Hero Member
  • *****
  • Posts: 3218
  • 60Da / 1100D / EOSM
Re: Display access from bootloader / Portable binary test
« Reply #22 on: March 17, 2015, 11:40:58 AM »
the problem is the 's' in https://

rbrune

  • Contributor
  • Freshman
  • *****
  • Posts: 64
Re: Display access from bootloader / Portable binary test
« Reply #23 on: March 18, 2015, 06:12:06 PM »
EOS-M:

I compiled the autoexec.bin myself from the recovery branch using the portable platform.

Interestingly when one compares the output for my EOS-M with the one from jpaana - the second IMG-naming property looks correctly resolved on mine but not on his? I have the feeling something with the property parsing is not going correctly.

a1ex

  • Administrator
  • Hero Member
  • *****
  • Posts: 12564
Re: Display access from bootloader / Portable binary test
« Reply #24 on: March 18, 2015, 06:21:54 PM »
It's this change: https://bitbucket.org/hudson/magic-lantern/commits/0456d1c173b8

Can you also check if the DUAL prefix option from Dual ISO works on EOS-M? I guess it doesn't.