Author Topic: Portable ROM dumper  (Read 28133 times)

g3gg0

  • Developer
  • Hero Member
  • *****
  • Posts: 3127
Re: Portable ROM dumper
« Reply #50 on: October 27, 2017, 05:58:36 PM »
wondering why it failed in the first place.
maybe some counter overflowing? hmmm
Help us with datasheets - Help us with register dumps
magic lantern: 1Magic9991E1eWbGvrsx186GovYCXFbppY, server expenses: [email protected]
ONLY donate for things we have done, not for things you expect!

dfort

  • Developer
  • Hero Member
  • *****
  • Posts: 3219
Re: Portable ROM dumper
« Reply #51 on: April 10, 2018, 08:17:19 PM »
Got my hands on a 500D and thought I'd try dumping the 1.1.2 firmware but ran into this:



Same issue with 1.1.1. I have used the portable dumper a few times and have never seen this before.
5D3.* 7D.206 700D.115 EOSM.203

a1ex

  • Administrator
  • Hero Member
  • *****
  • Posts: 11833
  • 5D Mark Free
Re: Portable ROM dumper
« Reply #52 on: April 10, 2018, 08:26:27 PM »
Old-style model; covered in first post.

The good old blind dumper appears to work in QEMU (should work on all D4 and D5 models with bootflag enabled, except 7D). Make sure you have a valid image on the card, then go to PLAY mode. Split the dump in two, like you did on M2.

dfort

  • Developer
  • Hero Member
  • *****
  • Posts: 3219
Re: Portable ROM dumper
« Reply #53 on: April 10, 2018, 09:18:10 PM »
Well that does look similar to what we were doing a year ago. Tried the "blind dumper" and it gave me a file named "As" that was apparently the ROM1.BIN and didn't need to be split. Disassembled it and it looks good.

Thanks again!
5D3.* 7D.206 700D.115 EOSM.203

a1ex

  • Administrator
  • Hero Member
  • *****
  • Posts: 11833
  • 5D Mark Free
Re: Portable ROM dumper
« Reply #54 on: April 24, 2018, 09:54:20 AM »
The issue: Canon's bootloader routines for file I/O copy the data to some cacheable (!) memory; when that buffer reaches 0x4000 bytes, it's written to card using DMA.

Canon finally fixed this in DIGIC 7 8)

The bug is, however, present in DIGIC 6 and earlier.

Updated autoexec.bin (first post) with:
- DIGIC 6 support, including serial flash dump (thanks t3r4n)
- DIGIC 7 support, when the time will come
- same portable binary loads on DIGIC 2, 3, 4, 5, 6, 7 AND 8!

ROM dumpers ready for 200D, 77D, 6D2 and 800D; will post the FIR versions in the DIGIC 7 thread.

These dumpers still require a very small card, but just formatting with a smaller filesystem will do the trick. The easiest way is (still) to write the QEMU SD image onto the card (howto).

The issue can be reproduced in QEMU on a large SD image (or by running from a physical card), so it's clearly not a caching issue. It can be reproduced from the FROMUTILITY menu, without loading AUTOXEC.BIN (proof of concept and details available on request). I believe are two different issues in Canon code: writing from cacheable memory (fixed on D7) and large card support (still present on D7).

rafaelbf

  • New to the forum
  • *
  • Posts: 5
Re: Portable ROM dumper
« Reply #55 on: June 01, 2018, 04:50:44 AM »
Got my hands on a 500D and thought I'd try dumping the 1.1.2 firmware but ran into this:

Same issue with 1.1.1. I have used the portable dumper a few times and have never seen this before.

Hi dfort,

sorry for the late reply... I've tried Portable Dumper on my 500D, same screen on booth firmware, even with low capacity card.

dfort

  • Developer
  • Hero Member
  • *****
  • Posts: 3219
Re: Portable ROM dumper
« Reply #56 on: June 01, 2018, 10:29:20 PM »
@rafaelbf -- We need to use the blind dumper on the 500D.

Supported cameras:
- most DIGIC 4 (exceptions: 500D, 50D, 5D2, 7D)

The good old blind dumper appears to work in QEMU (should work on all D4 and D5 models with bootflag enabled, except 7D). Make sure you have a valid image on the card, then go to PLAY mode. Split the dump in two...

At first I had some issues splitting the dump in two but eventually figured it out.
5D3.* 7D.206 700D.115 EOSM.203

DrEVILish

  • New to the forum
  • *
  • Posts: 3
Re: Portable ROM dumper
« Reply #57 on: June 15, 2018, 11:54:04 PM »
I have just ordered a 5Ds, which has D6+ like the 7D2, let me know if I can be of assistance, with testing and dumping.

JagoUK

  • New to the forum
  • *
  • Posts: 33
Re: Portable ROM dumper
« Reply #58 on: August 29, 2018, 04:15:14 AM »
7Dmk2 (Dual digic 6) dumped


Had to tell it to dump to CF but it actually dumped to the SD.

a1ex

  • Administrator
  • Hero Member
  • *****
  • Posts: 11833
  • 5D Mark Free
Re: Portable ROM dumper
« Reply #59 on: October 06, 2018, 06:18:53 PM »
Updated with serial flash support for DIGIC 5 models (first post). Tested only in QEMU; please try and report back.

To check:
- make sure the MD5 sums are correct for all files (including SFDATA.BIN if present)
- make sure SFDATA.BIN looks like valid data (i.e. not full of zeros or full of FF or otherwise containing garbage - this condition is not covered by the checksums)

QEMU test results:
Code: [Select]
Testing portable ROM dumper...
     5D: skipping
    5D2: skipping
    5D3: SD: ROM0.BIN: OK ROM1.BIN: OK
    5D4: SD: ROM1.BIN: OK SFDATA.BIN: OK
     6D: SD: ROM0.BIN: OK ROM1.BIN: OK SFDATA.BIN: OK
    6D2: SD: ROM0.BIN: OK ROM1.BIN: OK
     7D: CF: ROM0.BIN: OK ROM1.BIN: OK
   7D2M: ROMs not saved
    40D: skipping
    50D: skipping
    60D: SD: ROM0.BIN: OK ROM1.BIN: OK
    70D: SD: ROM0.BIN: OK ROM1.BIN: OK SFDATA.BIN: OK
    77D: SD: ROM0.BIN: OK ROM1.BIN: OK
    80D: SD: ROM1.BIN: OK SFDATA.BIN: OK
   400D: skipping
   450D: skipping
   500D: skipping
   550D: SD: ROM0.BIN: OK ROM1.BIN: OK
   600D: SD: ROM0.BIN: OK ROM1.BIN: OK
   650D: SD: ROM0.BIN: OK ROM1.BIN: OK SFDATA.BIN: OK
   700D: SD: ROM0.BIN: OK ROM1.BIN: OK SFDATA.BIN: OK
   750D: SD: ROM1.BIN: OK SFDATA.BIN: OK
   760D: SD: ROM1.BIN: OK SFDATA.BIN: OK
   800D: SD: ROM0.BIN: OK ROM1.BIN: OK
   100D: SD: ROM0.BIN: OK ROM1.BIN: OK SFDATA.BIN: OK
   200D: SD: ROM0.BIN: OK ROM1.BIN: OK
  1000D: skipping
  1100D: SD: ROM0.BIN: OK ROM1.BIN: OK
  1200D: SD: ROM0.BIN: OK ROM1.BIN: OK
  1300D: SD: ROM0.BIN: OK ROM1.BIN: OK
   EOSM: SD: ROM0.BIN: OK ROM1.BIN: OK SFDATA.BIN: OK
  EOSM2: SD: ROM0.BIN: OK ROM1.BIN: OK SFDATA.BIN: OK

7D2 has the serial flash on the other CPU...