Author Topic: Portable ROM dumper  (Read 52406 times)

a1ex

Re: Portable ROM dumper
« Reply #125 on: July 27, 2019, 12:04:55 PM »
> I tried DUMP_40D.FIR with 4 different CF cards, also old ones with 256 MB capacity, but it does not seem to work: the MD5 for ROM1.BIN is different each time (even if the check with PC always succeeds).
> ROM0.MD5 is always the same though...

Already answered this one in the 40D thread (noticed this message afterwards).

That's probably alright - Canon firmware reflashes the ROM at every shutdown, to save their settings. If you compare the two ROMs, you will see differences only in the settings area (not in the executable code).

To get the same MD5 every time, you need to avoid starting the main Canon firmware between the two attempts (i.e. just run the dumper twice, possibly on different cards, without booting the camera normally in-between).
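
The comparison described above, as an added example that is not part of the original post: it lists the file-offset ranges where two dumps of the same ROM differ, so you can see whether the changes stay in one small area. The function names, the 0x1000 block size and the A.BIN/B.BIN sample images are assumptions made for this sketch.

```python
import os
import tempfile

def diff_regions(path_a, path_b, block=0x1000):
    """Return [(start, end)] file-offset ranges (end exclusive) where two dumps
    differ, compared `block` bytes at a time, with adjacent blocks merged."""
    if os.path.getsize(path_a) != os.path.getsize(path_b):
        raise ValueError("dumps differ in size")
    regions, offset = [], 0
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        while chunk_a := fa.read(block):
            chunk_b = fb.read(block)
            end = offset + len(chunk_a)
            if chunk_a != chunk_b:
                if regions and regions[-1][1] == offset:
                    regions[-1] = (regions[-1][0], end)  # extend the previous range
                else:
                    regions.append((offset, end))
            offset = end
    return regions

def summarize(regions, size):
    """One line per differing range, plus the share of the image they cover."""
    lines = [f"0x{s:08X}-0x{e - 1:08X} ({e - s} bytes)" for s, e in regions]
    changed = sum(e - s for s, e in regions)
    lines.append(f"{changed} of {size} bytes in differing blocks "
                 f"({100 * changed / size:.2f}%)")
    return lines

def demo():
    """Two constructed 64 KiB images; the second has edits in two places."""
    first = bytearray(b"\xEA" * 0x10000)
    second = bytearray(first)
    second[0x3010:0x3020] = b"\x00" * 16   # constructed edit in block 0x3000
    second[0x4800] = 0x01                  # next block, so the two ranges merge
    second[0xC000] = 0x7F                  # isolated constructed edit
    with tempfile.TemporaryDirectory() as tmp:
        a, b = os.path.join(tmp, "A.BIN"), os.path.join(tmp, "B.BIN")
        for path, data in ((a, first), (b, second)):
            with open(path, "wb") as f:
                f.write(data)
        regions = diff_regions(a, b)
        return regions, summarize(regions, len(first))

if __name__ == "__main__":
    regions, report = demo()
    print("\n".join(report))
```

On real dumps, call `diff_regions("first/ROM1.BIN", "second/ROM1.BIN")` on two copies taken with a normal boot in between; the ranges it returns are offsets into the file, not camera addresses.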

chapan

Re: Portable ROM dumper
« Reply #126 on: August 07, 2019, 05:51:12 PM »
I tried running DMP2000D.FIR on my Canon EOS Rebel T7 and RESCUE.LOG shows this:

  Magic Lantern Rescue
 ----------------------------
 - Model ID: 0x432 2000D
 - Camera model: Canon EOS Rebel T7 / K432
 - Firmware version: 1.0.0 / 2.3.2 13(03)
 - IMG naming: 100CANON/IMG_0786.JPG
 - Boot flags: FIR=0 BOOT=0 RAM=-1 UPD=-1
 - ROMBASEADDR: 0xFE0C0000
 - card_bootflags 1069ec
 - boot_read/write_sector 1071e0 1072d8
 - 101F70 Card init => 2
 - Dumping ROM0... 100%
 - MD5: 66354cabd287d45faae4c6158ba09606
 - Dumping ROM1... 100%
 - MD5: 65a90329df0b77b083a27a1f5583810f
 - No serial flash.
 - Saving RESCUE.LOG ...


But when I try to check the MD5 I get this:

root@craig-ubuntu:~# md5sum -c ROM0.BIN
md5sum: ROM0.BIN: no properly formatted MD5 checksum lines found
root@craig-ubuntu:~# md5sum -c ROM1.BIN
md5sum: ROM1.BIN: no properly formatted MD5 checksum lines found


I tried recreating the ROM files several times but the results are always the same.

Walter Schulz

Re: Portable ROM dumper
« Reply #127 on: August 07, 2019, 07:47:12 PM »
Code:
md5sum -c ROM?.MD5

chapan

Re: Portable ROM dumper
« Reply #128 on: August 14, 2019, 11:23:24 PM »
This is what I see for Canon EOS Rebel T7.

Magic Lantern Rescue
 ----------------------------
 - Model ID: 0x432 2000D
 - Camera model: Canon EOS Rebel T7 / K432
 - Firmware version: 1.0.0 / 2.3.2 13(03)
 - IMG naming: 100CANON/IMG_0786.JPG
 - Boot flags: FIR=0 BOOT=0 RAM=-1 UPD=-1
 - ROMBASEADDR: 0xFE0C0000
 - card_bootflags 1069ec
 - boot_read/write_sector 1071e0 1072d8
 - 101F70 Card init => 2
 - Dumping ROM0... 100%
 - MD5: 66354cabd287d45faae4c6158ba09606
 - Dumping ROM1... 100%
 - MD5: 65a90329df0b77b083a27a1f5583810f
 - No serial flash.
 - Saving RESCUE.LOG ...


root@craig-ubuntu:~# ls -l ROM*
-rw-r--r-- 1 root root 33554432 Dec 31  1979 ROM0.BIN
-rw-r--r-- 1 root root       43 Dec 31  1979 ROM0.MD5
-rw-r--r-- 1 root root 33554432 Dec 31  1979 ROM1.BIN
-rw-r--r-- 1 root root       43 Dec 31  1979 ROM1.MD5

root@craig-ubuntu:~# md5sum -c ROM0.MD5
ROM0.BIN: FAILED
md5sum: WARNING: 1 computed checksum did NOT match
root@craig-ubuntu:~# md5sum -c ROM1.MD5
ROM1.BIN: OK

md5sum: ROM1.BIN: no properly formatted MD5 checksum lines found
ROM1.BIN: OK

Does that mean ROM1.BIN is the good firmware?
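
An added example, not part of any post in this thread: it automates the check done by hand above by comparing each ROMn.BIN on disk against both the MD5 printed in RESCUE.LOG and the md5sum-style ROMn.MD5 file. The function names are assumptions, and the demo data is constructed (small stand-in files with ROM0.BIN deliberately altered after hashing).

```python
import hashlib
import re
import tempfile
from pathlib import Path

def log_digests(log_text):
    """Map 'ROM0' -> MD5 hex from 'Dumping ROM0...' / 'MD5: ...' line pairs."""
    digests, current = {}, None
    for line in log_text.splitlines():
        if m := re.search(r"Dumping (ROM\d)\.\.\.", line):
            current = m.group(1)
        elif (m := re.search(r"MD5:\s*([0-9a-fA-F]{32})\b", line)) and current:
            digests[current], current = m.group(1).lower(), None
    return digests

def sidecar_digest(path):
    """Digest from an md5sum-style '<32 hex>  <name>' file, or None."""
    if not path.exists():
        return None
    m = re.match(r"([0-9a-fA-F]{32})\s", path.read_text(errors="replace"))
    return m.group(1).lower() if m else None

def check_dump(directory):
    """Per ROM in RESCUE.LOG: does the .BIN match the log and its .MD5 file?"""
    d, report = Path(directory), {}
    logged = log_digests((d / "RESCUE.LOG").read_text(errors="replace"))
    for rom, from_log in logged.items():
        bin_path = d / f"{rom}.BIN"
        actual = hashlib.md5(bin_path.read_bytes()).hexdigest() if bin_path.exists() else None
        report[rom] = {"matches_log": actual is not None and actual == from_log,
                       "matches_md5_file": actual is not None
                       and actual == sidecar_digest(d / f"{rom}.MD5")}
    return report

def demo():
    """Constructed stand-ins for a dump; ROM0.BIN is altered after hashing."""
    with tempfile.TemporaryDirectory() as tmp:
        d, log = Path(tmp), " Magic Lantern Rescue\n"
        for rom, data in (("ROM0", b"\x00" * 4096), ("ROM1", b"\xff" * 4096)):
            digest = hashlib.md5(data).hexdigest()
            (d / f"{rom}.BIN").write_bytes(data)
            (d / f"{rom}.MD5").write_text(f"{digest}  {rom}.BIN\n")
            log += f" - Dumping {rom}... 100%\n - MD5: {digest}\n"
        (d / "RESCUE.LOG").write_text(log)
        (d / "ROM0.BIN").write_bytes(b"\x01" + b"\x00" * 4095)  # constructed bad copy
        return check_dump(d)

if __name__ == "__main__":
    print(demo())
```

Run `check_dump(".")` in the directory copied from the card. A .BIN that matches neither the log nor its .MD5 file differs from what the dumper hashed on the camera.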





chapan

Re: Portable ROM dumper
« Reply #129 on: August 20, 2019, 04:50:28 PM »
Dumping EOS Rebel T7 gives this:

- Model ID: 0x432 2000D
 - Camera model: Canon EOS Rebel T7 / K432
 - Firmware version: 1.0.0 / 2.3.2 13(03)
 - IMG naming: 100CANON/IMG_0786.JPG
 - Boot flags: FIR=0 BOOT=0 RAM=-1 UPD=-1
 - ROMBASEADDR: 0xFE0C0000
 - card_bootflags 1069ec
 - boot_read/write_sector 1071e0 1072d8
 - 101F70 Card init => 2
 - Dumping ROM0... 100%
 - MD5: 66354cabd287d45faae4c6158ba09606
 - Dumping ROM1... 100%
 - MD5: 65a90329df0b77b083a27a1f5583810f
 - No serial flash.


-rw-r--r-- 1 root root 33554432 Aug 15 15:05 ROM0.BIN
-rw-r--r-- 1 root root 33554432 Aug 15 15:05 ROM1.BIN


The MD5 checksum for ROM1.BIN is good. If I run disassemble.pl I get this:

root@craig-ubuntu:/usr/local/qemu-eos/1500D# perl disassemble.pl 0xFE0C0000 ROM1.BIN
offset + filesize - 1 > 0xffffffff. We can't wrap around!

game over at disassemble.pl line 50.


Does that mean the ROM1.BIN file is too big? Is the ROMBASEADDR of 0xFE0C0000 from the RESCUE.LOG the correct address to use?





names_are_hard

Re: Portable ROM dumper
« Reply #130 on: August 20, 2019, 10:28:10 PM »
Try this:
perl disassemble.pl 0xFE000000 ROM1.BIN

Magic Lantern is a bit inconsistent about what "base address" means. In some places it uses it to mean "entry point address", which is confusing. 0xFE000000 is the base address, i.e., the address at which the first byte in the ROM is loaded into memory. 0xFE0C0000 is the entry point address, the address at which execution of the code starts.

chapan

Re: Portable ROM dumper
« Reply #131 on: September 03, 2019, 01:46:10 AM »
That solved the disassemble problem for 1500D.  :)

Given what you said in your post, would these be correct parameters to use in hw/eos/model_list.c?

           .firmware_start         = 0xFE0C0000,
           .rom1_addr              = 0xFE000000,

And how would I know what to use for ram_size?

names_are_hard

Re: Portable ROM dumper
« Reply #132 on: September 03, 2019, 03:11:09 AM »
I'd expect that to be right for firmware_start and rom1_addr.  I don't know the ram size for 1500D.  model_list.c has 256MB for 1300D, so I'd guess 1500D is either the same, or maybe 512MB since it's a later camera.

If you want, try:
.ram_size               = 0x10000000

and see if it makes your camera explode.  That's 256MB.  Try 0x20000000 for 512MB.  I don't know what the risk is if you get the ram size wrong.  Maybe the correct size is listed in some other thread.

a1ex

Re: Portable ROM dumper
« Reply #133 on: September 03, 2019, 07:09:59 AM »
If you declare - in QEMU - a RAM size smaller than physical size, emulation will not run. The firmware will attempt to address memory outside the declared size (unmapped). In particular, the RscMgr task is going to initialize its data structures, covering pretty much the entire RAM.

If you declare a RAM size larger than physical size, nothing obvious will happen. There will be some memory that's never going to be addressed. The emulation will run just as well as if you had declared the correct size.

RAM size is not currently used in ML.