Display access from bootloader / Portable binary test

Started by a1ex, March 15, 2015, 07:13:36 PM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

Print
Go Down Pages1 2 3 ... 6
User actions

a1ex

March 15, 2015, 07:13:36 PM
About one month ago, g3gg0 found a way to access the LCD display from bootloader context, without calling anything from the main firmware. This makes a very powerful tool for diagnosing bricked cameras, and also a playground for low-level reverse engineering.

The only camera-specific bits for printing stuff on the LCD are:
- we have to call a Canon routine that initializes the display (which is in bootloader, not in main firmware): we named it "fromutil_disp_init".
- for the YUV layer, newer cameras use YUV422, while older cameras (only checked 5D2) use YUV411. This difference is not essential (you can print on the BMP layer only).

Today I wrote an autodetection routine that finds the display init routine from ROM strings, and the result is a portable "hello world" binary. That means, it should print something on any ML-enabled camera (and maybe even on cameras without ML). Same binary for all cameras, of course.

I've tested the code on 5D3 and 60D, and I'm looking for confirmation on the other models.

If you are already running ML, just download this autoexec.bin, run it, take a picture of your camera screen (sorry, no screenshots yet) and upload it here.

If you have a Canon DSLR without a ML port available, we need to sign this binary (create a FIR). Just mention your camera model and I'll create one for you. Don't expect this to speed up the porting process for your camera. But I hope this proof of concept will convince you to start tinkering with your new little computer :)

Walter Schulz

#1
March 15, 2015, 07:38:31 PM
650D: Inserted card, closed door and this showed up without turning power switch to ON.


7D: Not working. Black screen.

Indy

#2
March 15, 2015, 07:58:29 PM
Hi,

550D 1.0.8 = sub_FFFF5ECC (in bootcode)
6D = sub_FFFE5018 (in rcbind.bin)

with 550D I was also able to autodetect and call FIO_CreateFile, FIO_Write and FIO_Close to dump the memory, but it did not work on all models.

Indy

a1ex

#3
March 15, 2015, 09:10:03 PM
@Walter: can you download it again and retry the test?

@Indy: yeah, file writing from bootloader behaves the same here (works on some cameras, but not all); g3gg0 also tried direct SD access, which works on 5D3 and 600D only for now.

Walter Schulz

#4
March 15, 2015, 09:31:53 PM
650D: Downloaded AUTOEXEC.BIN again


7D: Still the same

dhilung

#5
March 15, 2015, 09:33:11 PM
Works in 5D2!



5D2 | 40D

vroem

#7
March 15, 2015, 10:16:55 PM
Katabatic, you beat me to it  ;)

Greg

#8
March 15, 2015, 10:45:15 PM
500D:

g3gg0

#9
March 15, 2015, 10:56:37 PM
600D:
Help us with datasheets - Help us with register dumps
magic lantern: 1Magic9991E1eWbGvrsx186GovYCXFbppY, server expenses: [email protected]
ONLY donate for things we have done, not for things you expect!

nikfreak

#10
March 15, 2015, 11:06:35 PM
EOS 70D:



Cool way to simply identify FW revisions
[size=8pt]70D.112 & 100D.101[/size]

g3gg0

#11
March 15, 2015, 11:38:46 PM
@nikfreak:

image does not load here
Help us with datasheets - Help us with register dumps
magic lantern: 1Magic9991E1eWbGvrsx186GovYCXFbppY, server expenses: [email protected]
ONLY donate for things we have done, not for things you expect!

dmilligan

#12
March 16, 2015, 01:36:38 AM
1100D gets weird flashing horizontal bars:



here's a 240fps video of it: https://dl.dropboxusercontent.com/u/74060/Video%20Mar%2015%2C%208%2025%2041%20PM.mov

Katabatic

#13
March 16, 2015, 02:19:45 AM
Haha but at what cost, vroem? I can't seem to boot ML on it anymore...

Audionut

#14
March 16, 2015, 04:36:11 AM


No more running code on top of Canons firmware!  :P

Walter Schulz

#15
March 16, 2015, 05:34:21 AM
Quote from: Katabatic on March 16, 2015, 02:19:45 AMHaha but at what cost, vroem? I can't seem to boot ML on it anymore...

Removing battery won't work?
Put card in cardreader. Backup ML directory. Delete ML directory and Autoexec.bin from card. Copy extracted nightly content to card.
(In fact: The only thing you really need to do is to replace Autoexec.bin with the one used before).

nikfreak

#16
March 16, 2015, 07:42:40 AM
Quote from: g3gg0 on March 15, 2015, 11:38:46 PM
@nikfreak:

image does not load here

fixed
[size=8pt]70D.112 & 100D.101[/size]

boszmann

#18
March 16, 2015, 01:51:31 PM
700D



NOTE: it is possible to execute with the card door open.

blade

#19
March 16, 2015, 11:37:57 PM
EOS 650D, got some more info than walter

(not sure how to post the picture from dropbox, but here is the link.

Cool that it works without turning the camera on!

https://www.dropbox.com/s/uawd0finhm9kl28/Foto%2016-03-15%2023%2030%2005.jpg?dl=0

eos400D :: eos650D  :: Sigma 18-200 :: Canon 100mm macro

Pelican

#20
March 17, 2015, 09:12:54 AM
blade's 650D:


Edit: It worked for me yesterday. I moved it to my page.
EOS 7D Mark II, EOS 7D, EOS 5, EOS 100 + lenses (10mm to 300mm), 600EX, 550EX, YN600EX x 3
EOScard, EOS DSLR firmwares, ARMu, NiControl, etc.: http://pel.hu/down

blade

#21
March 17, 2015, 11:24:18 AM
Thanks for the effort Pelican. Sill not working do, should not matter as the link works!
eos400D :: eos650D  :: Sigma 18-200 :: Canon 100mm macro

dmilligan

#22
March 17, 2015, 11:40:58 AM
the problem is the 's' in https://

rbrune

#23
March 18, 2015, 06:12:06 PM
EOS-M:

I compiled the autoexec.bin myself from the recovery branch using the portable platform.

Interestingly when one compares the output for my EOS-M with the one from jpaana - the second IMG-naming property looks correctly resolved on mine but not on his? I have the feeling something with the property parsing is not going correctly.

a1ex

#24
March 18, 2015, 06:21:54 PM
It's this change: https://bitbucket.org/hudson/magic-lantern/commits/0456d1c173b8

Can you also check if the DUAL prefix option from Dual ISO works on EOS-M? I guess it doesn't.
Print
Go Up Pages1 2 3 ... 6
User actions