Portable ROM dumper

Started by a1ex, January 25, 2016, 09:29:53 AM

polkah

Here is the result, hope it'll help; don't hesitate to ask if you need anything more:
Algorithm : MD5
Hash      : 67B48C0A6B19664F261DC502AFAABF38
Path      : G:\ROM1.BIN

Algorithm : MD5
Hash      : 99821E45B63D737CCD055BD8A6ED1367
Path      : G:\SFDATA.BIN

Walter Schulz

Thanks!
Better results than critix's and mine: Checksums computed in cam match those from PC.

timoxd7

I tested it on a 750D; it worked and the MD5 was right:

  Magic Lantern Rescue
----------------------------
- Model ID: 0x393 750D
- Camera model: Canon EOS K393
- Firmware version: 1.0.0 / 8.5.1 B4(52)
- IMG naming: 100CANON/IMG_9903.JPG
- Boot flags: FIR=0 BOOT=-1 RAM=-1 UPD=-1
- ROMBASEADDR: 0xFE0A0000
- card_bootflags 10b4ac
- boot_read/write_sector 10b904 10b9cc
- 101CA4 Card init => 2
- Dumping ROM1... 100%
- MD5: b54721cec6d5ba1ca1c248765f73739d
- 105fb0: \n**** SROM(SIO%d) Menu ****\n
- 105F60: tag c0820200
- sf_init 105F4C
- 105764: Read Address[0x%06x-0x%06x]:0x
- 104DB4: tag d20b0000
- sf_command_sio 104DA8
- Reading serial flash... 100%
- Writing SFDATA.BIN... 100%
- MD5: f393c9b3d25485c4b5016ca20e39dedf
- Saving RESCUE.LOG ...

a1ex

Some minor updates:
- for 5DS/R (old dumper didn't work, new one tested in QEMU, not yet confirmed on real hardware)
- for the old 5D (prop_diag working)
- for models with narrow screens (fewer strings overflowing)

I'd like a test on 400D and 30D, if anyone happens to have one. Low priority, just for fun.

Edit Feb.10: confirmed on 5DS R.

eduperez

Results on a 400D:

  Magic Lantern Rescue
----------------------------
- Model ID: 0x236 400D
- Camera model: ???
- Firmware version: ???
- IMG naming: 100?????/????0000.JPG
- User PS: ??? ??? ???
- Boot flags: FIR=0 BOOT=-1 RAM=-1 UPD=-1
- ROMBASEADDR: 0xFF810000
- card_bootflags 101c0c
- boot_read/write_sector 10735c 107374
- 1023a0: cf_dir (cfata_init error)\n
- 1020d8: cf_read_dma (cfata_init error)\n
- 107260 Card init => 0
- Dumping ROM0... 100%
- MD5: 2c7ab85a893283e98c931e9511add182
- Dumping ROM1... 100%
- MD5: 51d4dc45a6cf2cf1ea077ac13c404786
- No serial flash.


MD5 verified on computer.

codezion

Quote from: a1ex on February 05, 2019, 06:22:27 PM

I'd like a test on 400D and 30D, if anyone happens to have one. Low priority, just for fun.


I have a 30D if you want me to try anything. I must admit though that I am an absolute beginner in this space and will need some handholding to get me going.

eduperez

Quote from: codezion on February 19, 2019, 08:19:04 PM
I have a 30D if you want me to try anything. I must admit though that I am an absolute beginner in this space and will need some handholding to get me going.

Just download the file for your camera from the first post in this thread to a memory card, then place the card in the camera, and follow the firmware update procedure (it should be explained in the camera's manual, if it is not obvious by following the menus). Read the instructions on the screen, wait until it tells you to take the battery out, then share the new files that got created in the memory card.

Walter Schulz

Ran the build from 17 Feb. on the 7D (classic) two times from a bootable card.

=== Run 1 ===
  Magic Lantern Rescue
----------------------------
- Model ID: 0x250 7D
- Camera model: Canon EOS 7D
- Firmware version: ???
- IMG naming: 100EOS7D/IMG_0000.JPG
- User PS: ??? ??? ???
- Boot flags: FIR=0 BOOT=-1 RAM=-1 UPD=-1
- ROMBASEADDR: 0xFF010000
- card_bootflags 109a18
- boot_read/write_sector 109d54 109d64
- Patching 104294 from e3500001 to e3500000
- 104254 Card low-level init => F4240
- 1026EC Card init => 0
- Patching 1026FC from e3510001 to e3510000
- 1026EC Card init #2 => 1
- Dumping ROM0... 100%
- MD5: a4c2c9e93c8a65ae8b9675e66a63b7ec
- Dumping ROM1... 100%
- MD5: 0f38a9a5f0aaf973a540ddc7f17cfe77
- No serial flash.
- Saving RESCUE.LOG ...


Text in MD5 files:
a4c2c9e93c8a65ae8b9675e66a63b7ec  ROM0.BIN
0f38a9a5f0aaf973a540ddc7f17cfe77  ROM1.BIN

Manual checksum for both BINs:
Hash      : 6D051D73A55B8C0733D7B01CF6E2DA16
Hash      : 0F38A9A5F0AAF973A540DDC7F17CFE77
=== END ===

=== Run 2 ===
  Magic Lantern Rescue
----------------------------
- Model ID: 0x250 7D
- Camera model: Canon EOS 7D
- Firmware version: ???
- IMG naming: 100EOS7D/IMG_0000.JPG
- User PS: ??? ??? ???
- Boot flags: FIR=0 BOOT=-1 RAM=-1 UPD=-1
- ROMBASEADDR: 0xFF010000
- card_bootflags 109a18
- boot_read/write_sector 109d54 109d64
- Patching 104294 from e3500001 to e3500000
- 104254 Card low-level init => F4240
- 1026EC Card init => 0
- Patching 1026FC from e3510001 to e3510000
- 1026EC Card init #2 => 1
- Dumping ROM0... 100%
- MD5: 516c13deff73ba670a44e2ed6d6a84ee
- Dumping ROM1... 100%
- MD5: 0f38a9a5f0aaf973a540ddc7f17cfe77
- No serial flash.
- Saving RESCUE.LOG ...


Text in MD5 files:
516c13deff73ba670a44e2ed6d6a84ee  ROM0.BIN
0f38a9a5f0aaf973a540ddc7f17cfe77  ROM1.BIN

Manual checksum for both bins:
Hash      : 6D051D73A55B8C0733D7B01CF6E2DA16
Hash      : 0F38A9A5F0AAF973A540DDC7F17CFE77
=== END ===


Observation: Manual checksum consistent. Checksum computed in cam for ROM0.BIN is inconsistent.

a1ex

Quote from: g3gg0 on July 12, 2013, 11:28:06 PM
at 0xF0000000 is ROM0 which is rarely used. (flash ic usually not populated, just on 5d2 iirc)
if not populated, reading there will give some random noise or fading bits.

Quote from: a1ex on January 25, 2016, 09:29:53 AM
Some cameras have only ROM1 connected, so dumping ROM0 will give just random noise. In this case, the ROM0 checksum may not match, but that's OK.

On the "slave" side of the 7D, where this dumper runs, only ROM1 is connected. Reading from ROM0 gives only electrical noise.

The dumper doesn't know, or attempt to find out, which cameras use ROM0 and which ones don't. It just dumps both.

Walter Schulz

Thanks, understood. Puzzling (to me): Both runs gave exactly the same data for ROM0.BIN. That kind of noise sounds deterministic. Haven't looked into it, though (not my strong side, debugging binaries).
EDIT: Fine string of repeating nonsense it is.
ROM0.BIN: 16.384 KB -> 7-zip -> 3 KB
ROM1.BIN: 16.384 KB -> 7-zip -> 3.027 KB

a1ex

Yes, it's not exactly Gaussian noise, but rather something with very low entropy. And yes, in some cases it appears to be deterministic, or it may flip only a small number of bits.

In any case, it's not used by the firmware, so it's not a big deal if the checksum doesn't match.
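
The check discussed in the posts above (in-camera MD5 from RESCUE.LOG against the hash of the saved file, with a mismatch on an unconnected ROM0 being harmless), as an added example that is not part of the thread or of the Magic Lantern code. The function names, the 2.0 bits/byte entropy threshold and the sample data are assumptions made for illustration.

```python
import hashlib
import math
import re
from collections import Counter

NAME_RE = re.compile(r"(?:Dumping|Writing) ([A-Z0-9]+)")  # ROM0, ROM1, SFDATA
MD5_RE = re.compile(r"MD5:\s*([0-9a-fA-F]{32})")

def parse_rescue_log(text):
    """Map each dumped file to the MD5 the camera printed right after it."""
    hashes, current = {}, None
    for line in text.splitlines():
        if m := NAME_RE.search(line):
            current = m.group(1) + ".BIN"
        elif (m := MD5_RE.search(line)) and current:
            hashes[current] = m.group(1).lower()
            current = None
    return hashes

def byte_entropy(data):
    """Shannon entropy in bits per byte: 0 = constant, 8 = uniformly random."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def check_dump(log_text, files, low_entropy=2.0):
    """Compare in-camera MD5s with the saved files; files is {name: bytes}.
    low_entropy (bits/byte) is an assumed threshold, not a project value."""
    verdicts = {}
    for name, cam_md5 in parse_rescue_log(log_text).items():
        data = files.get(name)
        if data is None:
            verdicts[name] = "missing"
        elif hashlib.md5(data).hexdigest() == cam_md5:
            verdicts[name] = "match"
        elif name == "ROM0.BIN" and byte_entropy(data) < low_entropy:
            verdicts[name] = "mismatch, low entropy: ROM0 probably not connected"
        else:
            verdicts[name] = "MISMATCH: dump again"
    return verdicts

# Constructed sample: ROM0 is a repeating 0x00000100 word pattern, ROM1 is filler.
SAMPLE_FILES = {"ROM0.BIN": b"\x00\x01\x00\x00" * 4096,
                "ROM1.BIN": bytes(range(256)) * 64}
SAMPLE_LOG = ("- Dumping ROM0... 100%\n"
              "- MD5: 00000000000000000000000000000000\n"   # constructed, will not match
              "- Dumping ROM1... 100%\n"
              f"- MD5: {hashlib.md5(SAMPLE_FILES['ROM1.BIN']).hexdigest()}\n"
              "- No serial flash.\n")

if __name__ == "__main__":
    for name, verdict in check_dump(SAMPLE_LOG, SAMPLE_FILES).items():
        print(f"{name}: {verdict}")
```

To use it on a real card, read RESCUE.LOG as text and the .BIN files as bytes and pass them in place of the constructed samples.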

scrax

On 600D it works and gives correct checksum only for ROM1.BIN
I'm using ML2.3 for photography with:
EOS 600DML | EOS 400Dplus | EOS 5D MLbeta5- EF 100mm f/2.8 USM Macro  - EF-S 17-85mm f4-5.6 IS USM - EF 70-200mm f/4 L USM - 580EXII - OsX, PS, LR, RawTherapee, LightZone -no video experience-

calle2010

I can confirm that the latest 77D.FIR works. Checksums displayed (and in RESCUE.LOG) of ROM0.BIN and ROM1.BIN match the values calculated on the saved files. ROM1.BIN dumping and checksum calculation is very slow.

  Magic Lantern Rescue
----------------------------
- Model ID: 0x408 77D
- Camera model: Canon EOS 77D / 9000D
- Firmware version: 1.0.2 / 7.3.6 6E(44)
- IMG naming: 100CANON/IMG_2067.JPG
- Boot flags: FIR=0 BOOT=0 RAM=-1 UPD=-1
- ROMBASEADDR: 0xE0040000
- boot_read/write_sector 106f85 107081
- 10190B Card init => 2
- Dumping ROM0... 100%
- MD5: a12fc3b5b380e81352f8e5d4ae5c3983
- Dumping ROM1... 100%
- MD5: ee61883e763361f9f8374960a219088b
- No serial flash.
- Saving RESCUE.LOG ...

Md Rajib

I have tried the 800D, but it is not working and shows the message "No Serial Flash". Please help me. How do I install Magic Lantern on the EOS 800D?

scrax

Quote from: a1ex on January 25, 2016, 09:29:53 AM
Latest download: autoexec.bin (2019Feb17, c019793)

- red = not working, no idea how to fix


Is this still true? Because in the EOS R thread it seems solved, right?
Maybe this build doesn't have the fixes for the R?

And maybe it would be useful to also have the .FIR build in the first post?

kitor

If you need a dumper for the R, I can PM you one (but as autoexec.bin, not .fir); yesterday I dumped the 1.2.0 firmware, so it works ;).
Still won't work without bootflag enabled via UART.

From my knowledge, FIR encryption on R / RP is still a mystery.

Too many Canon cameras.
If you have a dead R, RP, 250D mainboard (e.g. after camera repair) and want to donate for experiments, I'll cover shipping costs.

scrax

Ohhh right... what a stupid question...
For the FIR the encryption key is needed; for the .bin, the bootflag -> UART.

jcompton

Works on my 1300D in what sounds like expected fashion:

ROM1 MD5 matches
ROM0 MD5 doesn't. (my ROM0 as saved on card is just a huge stream of 0x00000100)

dfort

Just for the record, DUMP_M50.FIR on the first post doesn't save a valid ROM1.BIN dump. The only way I found to get a valid ROM1.BIN dump on the M50 is using the April 1 "fishy" build -- firmware 1.0.1 only.

There must be a way to get a valid ROM1.BIN because @leathc was able to get one back in January -- but only for 1.0.1.

chapan

Any chances for ROM dumper for 1500D?

a1ex

The canonical name of 1500D - according to Wikipedia - appears to be EOS 2000D. The dumper was already confirmed to work on this camera.

chapan

I am new to this; does the file need to have a particular name or will the camera try to load any file with a ".fir" extension?

a1ex

It will try to load any file with FIR extension and correct model ID. Some models will require an 8.3 filename (with exactly 8 characters in the name). If the file is still not recognized, format the card from the camera (not from PC) and try again.

cifra78

Canon 6D MKII:

Magic Lantern Rescue
----------------------------
- Model ID: 0x406 6D2
- Camera model: Canon EOS K406 / 6D Mark II
- Firmware version: 1.0.4 / 6.4.5 71(3e)
- IMG naming: 100CANON/IMG_1206.JPG
- User PS: CineStyle  C_LOG_htp
- Boot flags: FIR=0 BOOT=0 RAM=-1 UPD=-1
- ROMBASEADDR: 0xE0040000
- boot_read/write_sector 106f59 107055
- 1018F7 Card init => 2
- Dumping ROM0... 100%
- MD5: 4099deb7e6ce5124ff717b15cce80981
- Dumping ROM1... 100%
- MD5: 65e94999c18453b440c10f4a29d11a92
- No serial flash.
- Saving RESCUE.LOG ...

acasta

Hi,

I recently got interested in ML, but unfortunately both my Canon cameras are not supported yet.
One is the old 40D so I'd like to try and help make the port proceed a bit, hopefully.
A starting point could be what is described here:
https://www.magiclantern.fm/forum/index.php?topic=1452.msg195051#msg195051
However, I'm stuck with the preliminary step of the ROM dump.
I tried DUMP_40D.FIR with 4 different CF cards, also old ones with 256 MB capacity, but it does not seem to work: the MD5 for ROM1.BIN is different each time (even if the check with PC always succeeds).
ROM0.MD5 is always the same though...

Here is a sample of my logs:
  Magic Lantern Rescue
----------------------------
- Model ID: 0x190 40D
- Camera model: Canon EOS 40D
- Firmware version: 1.1.1 / 4.0.1 6C(3e)
- IMG naming: 100CANON/IMG_2435.JPG
- Boot flags: FIR=0 BOOT=0 RAM=-1 UPD=-1
- ROMBASEADDR: 0xFF810000
- card_bootflags 101f34
- boot_read/write_sector 108350 108354
- Patching 10281C from e3510001 to e3510000
- 1027DC Card low-level init => F4240
- 101E18 Card init => 0
- Patching 101E28 from e3510001 to e3510000
- 101E18 Card init #2 => 1
- Dumping ROM0... 100%
- MD5: 2c7ab85a893283e98c931e9511add182
- Dumping ROM1... 100%
- MD5: 68e2c7549d97b6394f10607b6718606f
- No serial flash.
- Saving RESCUE.LOG ...


Any idea about what's wrong? Has DUMP_40D.FIR ever been tested in a camera, or only in QEMU?
I could try to do the dump in another way, but I understand I'd need ML to have a bootable camera... Could someone please point me at alternative ways to do that?