Canon 80D

Started by ariznaf, June 02, 2016, 09:27:03 AM


gsanchez922

Hello I want to ask if you will work with 5Ds & R?

_OLLE_

Guys! Please! It's not going faster because you are asking!

ccs86

Nobody is asking for it to go faster. All I see is people offering help, and appreciation.

a1ex

Progress: zloe managed to dump the firmware using LED blinking :)

Early findings:

- the first address executed is *(uint32_t*)0xFC000000, just like EOS M3
- bootloader starts at FC000008, ARM code
- main firmware starts at FE0A0000, Thumb-2 code, and looks similar to 7D2
- the bootloader prints progress in a way similar to LILO: it prints "Boot" as the bootloader progresses, but in QEMU it just prints "Boo" :)

QEMU log so far:

FC000008: MCR p15,0,Rd,cr6,cr2,0:       RGNR <- 0x0
FC000010: MCR p15,0,Rd,cr6,cr1,0:      DRBAR <- 0x0
FC000018: MCR p15,0,Rd,cr6,cr1,2:       DRSR <- 0x3F
FC000020: MCR p15,0,Rd,cr6,cr1,4:      DRACR <- 0x320
FC000028: MCR p15,0,Rd,cr1,cr0,0:      SCTLR <- 0x2001
FE020040: MCR p15,0,Rd,cr9,cr1,1:       BTCM <- 0x1
FE025884: MCR p15,0,Rd,cr6,cr2,0:       RGNR <- 0x1
FE02588C: MCR p15,0,Rd,cr6,cr1,0:      DRBAR <- 0x0
FE025894: MCR p15,0,Rd,cr6,cr1,4:      DRACR <- 0x329
FE02589C: MCR p15,0,Rd,cr6,cr1,2:       DRSR <- 0x3B
FE0258A4: MCR p15,0,Rd,cr6,cr2,0:       RGNR <- 0x2
FE0258AC: MCR p15,0,Rd,cr6,cr1,0:      DRBAR <- 0xBFE00000
FE0258B4: MCR p15,0,Rd,cr6,cr1,4:      DRACR <- 0x324
FE0258BC: MCR p15,0,Rd,cr6,cr1,2:       DRSR <- 0x29
FE0258C4: MCR p15,0,Rd,cr6,cr2,0:       RGNR <- 0x4
FE0258CC: MCR p15,0,Rd,cr6,cr1,0:      DRBAR <- 0xDFE00000
FE0258D4: MCR p15,0,Rd,cr6,cr1,4:      DRACR <- 0x324
FE0258DC: MCR p15,0,Rd,cr6,cr1,2:       DRSR <- 0x29
FE0258E4: MCR p15,0,Rd,cr6,cr2,0:       RGNR <- 0x5
FE0258EC: MCR p15,0,Rd,cr6,cr1,0:      DRBAR <- 0xEE000000
FE0258F4: MCR p15,0,Rd,cr6,cr1,4:      DRACR <- 0x329
FE0258FC: MCR p15,0,Rd,cr6,cr1,2:       DRSR <- 0x31
FE025904: MCR p15,0,Rd,cr6,cr2,0:       RGNR <- 0x6
FE02590C: MCR p15,0,Rd,cr6,cr1,0:      DRBAR <- 0xFE000000
FE025914: MCR p15,0,Rd,cr6,cr1,4:      DRACR <- 0x329
FE02591C: MCR p15,0,Rd,cr6,cr1,2:       DRSR <- 0x31
FE025924: MCR p15,0,Rd,cr6,cr2,0:       RGNR <- 0x3
FE02592C: MCR p15,0,Rd,cr6,cr1,0:      DRBAR <- 0xC0000000
FE025934: MCR p15,0,Rd,cr6,cr1,4:      DRACR <- 0x305
FE02593C: MCR p15,0,Rd,cr6,cr1,2:       DRSR <- 0x3B
FE025944: MCR p15,0,Rd,cr15,cr5,0:        idk <- 0x0
FE025944: MCR p15,0,Rd,cr1,cr0,0:      SCTLR <- 0x1005
FE020400: MCR p15,0,Rd,cr9,cr1,0:       ATCM <- 0x80000001
BooBTCM Start
MR[5]=00000001
MR[6]=00000011
MR[7]=00000000
MR[8]=00000018
MID=SAMSUNG
Erase FROM(start:0xFC080000,size:0x68)
Sector erase error
MEMIF Uncomplete


For emulation, I've used the Cortex R5 CPU in QEMU.

I'd appreciate if somebody would interpret the p15 registers listed above (you probably just have to look them up in the ARM ARM v7-A&R).

tecgen

If MCR p15,0,Rd,cr6,cr2,0:       RGNR <- 0x0
is the same as MCR p15, 0, <Rt>, c6, c2, 0 ; Write Rt to RGNR
then I found the following section.

Quote
Accessing the RGNR

To access the RGNR, software reads or writes the CP15 registers with <opc1> set to 0, <CRn> set to c6, <CRm> set to c2, and <opc2> set to 0. For example:
MRC p15, 0, <Rt>, c6, c2, 0 ; Read RGNR into Rt
MCR p15, 0, <Rt>, c6, c2, 0 ; Write Rt to RGNR

Do you need to know what RGNR and so on is?

RGNR = MPU Region Number Register
DRBAR = Data Region Base Address Register
DRSR = Data Region Size and Enable Register
DRACR = Data Region Access Control Register
SCTLR = System Control Register (?)
BTCM = B? Trapping Control Mechanism (?)
ATCM = A? Trapping Control Mechanism (?)

Canon 5D Mark II, 50D, 550D/Rebel T2i, EF 40mm f/2.8 STM, Sigma 18-35mm f/1.8, EF 85 f1.8, EF 135 f2.8 SF, Zoom H2n

a1ex

Yes, these registers show what memory ranges are configured for the memory protection unit, with what start address, what size, what access permissions and so on (in other words, the memory map).

You may fill the results on this page if you prefer: http://magiclantern.wikia.com/wiki/Memory_map

atonal

Added my interpretation of the memory mapping to the wiki.

a1ex

Thanks atonal. I found a function in 80D firmware that reads these registers and decodes the base address, size and some access permissions:

[      init:fe237fa9 ] Memory region: start=00000000 end=00000000 flags=00000001
[      init:fe237fbf ] Memory region: start=00000000 end=00000000 flags=00000002
[      init:fe237fcb ] Memory region: start=E0000000 end=FFFFFFFF flags=00000020
[      init:fe237ffd ] Memory region: start=FE000000 end=FFFFFFFF flags=00000008
[      init:fe237ffd ] Memory region: start=EE000000 end=EFFFFFFF flags=00000008
[      init:fe237ffd ] Memory region: start=DFE00000 end=DFFFFFFF flags=00000004
[      init:fe237ffd ] Memory region: start=C0000000 end=FFFFFFFF flags=00000010
[      init:fe237ffd ] Memory region: start=BFE00000 end=BFFFFFFF flags=00000004
[      init:fe237ffd ] Memory region: start=00000000 end=3FFFFFFF flags=00000008
[      init:fe237ffd ] Memory region: start=00000000 end=FFFFFFFF flags=00000004
[      init:fe237e5f ] Memory region: start=00000000 end=FFFFFFFF flags=00000000


And here's CHDK cpuinfo log for the same memory regions:

MPU region 0 base 0x00000000
  Base address         0x0 0
MPU region 0 size & enable 0x0000003F
  Enabled              0x1 1
  Size                 0x1F 31 [4G]
  -                    0x0 0
  Sub-regions disabled 0x0 0 [00000000]
MPU region 0 access control 0x00000320
  Region attributes    0x20 32 [Inner Non-cacheable; Outer Non-cacheable; Non-shared]
  -                    0x0 0
  Access permission    0x3 3 [P:RW U:RW]
  -                    0x0 0
  Execute never        0x0 0
MPU region 1 base 0x00000000
  Base address         0x0 0
MPU region 1 size & enable 0x0000003B
  Enabled              0x1 1
  Size                 0x1D 29 [1G]
  -                    0x0 0
  Sub-regions disabled 0x0 0 [00000000]
MPU region 1 access control 0x00000329
  Region attributes    0x29 41 [Inner Write-back, write-allocate; Outer Write-back, write-allocate; Non-shared]
  -                    0x0 0
  Access permission    0x3 3 [P:RW U:RW]
  -                    0x0 0
  Execute never        0x0 0
MPU region 2 base 0xBFE00000
  Base address         0xBFE00000 -1075838976
MPU region 2 size & enable 0x00000029
  Enabled              0x1 1
  Size                 0x14 20 [2M]
  -                    0x0 0
  Sub-regions disabled 0x0 0 [00000000]
MPU region 2 access control 0x00000324
  Region attributes    0x24 36 [Inner Non-cacheable; Outer Non-cacheable; Shared]
  -                    0x0 0
  Access permission    0x3 3 [P:RW U:RW]
  -                    0x0 0
  Execute never        0x0 0
MPU region 3 base 0xC0000000
  Base address         0xC0000000 -1073741824
MPU region 3 size & enable 0x0000003B
  Enabled              0x1 1
  Size                 0x1D 29 [1G]
  -                    0x0 0
  Sub-regions disabled 0x0 0 [00000000]
MPU region 3 access control 0x00000305
  Region attributes    0x5 5 [Shareable device; Shareable]
  -                    0x0 0
  Access permission    0x3 3 [P:RW U:RW]
  -                    0x0 0
  Execute never        0x0 0
MPU region 4 base 0xDFE00000
  Base address         0xDFE00000 -538968064
MPU region 4 size & enable 0x00000029
  Enabled              0x1 1
  Size                 0x14 20 [2M]
  -                    0x0 0
  Sub-regions disabled 0x0 0 [00000000]
MPU region 4 access control 0x00000324
  Region attributes    0x24 36 [Inner Non-cacheable; Outer Non-cacheable; Shared]
  -                    0x0 0
  Access permission    0x3 3 [P:RW U:RW]
  -                    0x0 0
  Execute never        0x0 0
MPU region 5 base 0xEE000000
  Base address         0xEE000000 -301989888
MPU region 5 size & enable 0x00000031
  Enabled              0x1 1
  Size                 0x18 24 [32M]
  -                    0x0 0
  Sub-regions disabled 0x0 0 [00000000]
MPU region 5 access control 0x00000329
  Region attributes    0x29 41 [Inner Write-back, write-allocate; Outer Write-back, write-allocate; Non-shared]
  -                    0x0 0
  Access permission    0x3 3 [P:RW U:RW]
  -                    0x0 0
  Execute never        0x0 0
MPU region 6 base 0xFE000000
  Base address         0xFE000000 -33554432
MPU region 6 size & enable 0x00000031
  Enabled              0x1 1
  Size                 0x18 24 [32M]
  -                    0x0 0
  Sub-regions disabled 0x0 0 [00000000]
MPU region 6 access control 0x00000329
  Region attributes    0x29 41 [Inner Write-back, write-allocate; Outer Write-back, write-allocate; Non-shared]
  -                    0x0 0
  Access permission    0x3 3 [P:RW U:RW]
  -                    0x0 0
  Execute never        0x0 0


Side-note: the usual folks who were helping me are a bit busy these days; I'm looking for a volunteer to try a few things on 80D or 750D/760D.
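Added example (not part of the thread, and not Magic Lantern or CHDK code): one way to turn the QEMU p15 write log above into the memory map discussed here, assuming the ARMv7-R PMSA field layout (DRSR bit 0 = enable, bits 5:1 = size; DRACR bits 10:8 = access permission, bit 12 = execute never). The function names are made up for this sketch; it also flags regions that are user-writable and executable, which matches the "P:RW U:RW" and "Execute never 0x0" lines in the cpuinfo output.

```python
import re

# Lines copied from the QEMU log in the post above (regions 0 and 6 only).
SAMPLE_LOG = """\
FC000008: MCR p15,0,Rd,cr6,cr2,0:       RGNR <- 0x0
FC000010: MCR p15,0,Rd,cr6,cr1,0:      DRBAR <- 0x0
FC000018: MCR p15,0,Rd,cr6,cr1,2:       DRSR <- 0x3F
FC000020: MCR p15,0,Rd,cr6,cr1,4:      DRACR <- 0x320
FE025904: MCR p15,0,Rd,cr6,cr2,0:       RGNR <- 0x6
FE02590C: MCR p15,0,Rd,cr6,cr1,0:      DRBAR <- 0xFE000000
FE025914: MCR p15,0,Rd,cr6,cr1,4:      DRACR <- 0x329
FE02591C: MCR p15,0,Rd,cr6,cr1,2:       DRSR <- 0x31
"""

WRITE = re.compile(r"\b(RGNR|DRBAR|DRSR|DRACR)\s*<-\s*0x([0-9A-Fa-f]+)")
# DRACR.AP encodings (PMSAv7); 4 and 7 are reserved.
AP = {0: "P:-- U:--", 1: "P:RW U:--", 2: "P:RW U:RO", 3: "P:RW U:RW",
      5: "P:RO U:--", 6: "P:RO U:RO"}
NEEDED = {"DRBAR", "DRSR", "DRACR"}

def parse_mpu_writes(log):
    """Replay the writes: RGNR selects the region that later writes target."""
    regions, current = {}, None
    for name, value in WRITE.findall(log):
        if name == "RGNR":
            current = int(value, 16)
        elif current is not None:
            regions.setdefault(current, {})[name] = int(value, 16)
    return regions

def decode_region(regs):
    """Decode one region's DRBAR/DRSR/DRACR values."""
    drsr, dracr = regs["DRSR"], regs["DRACR"]
    size = 1 << (((drsr >> 1) & 0x1F) + 1)   # DRSR[5:1] = RSize, 2^(n+1) bytes
    ap, xn = (dracr >> 8) & 7, bool(dracr & (1 << 12))
    return {"start": regs["DRBAR"], "end": regs["DRBAR"] + size - 1,
            "enabled": bool(drsr & 1), "ap": AP.get(ap, "reserved"), "xn": xn,
            "user_wx": ap == 3 and not xn}   # user-writable and executable

def memory_map(log):
    """Region number -> decoded region; skips regions with missing writes."""
    return {n: decode_region(r) for n, r in sorted(parse_mpu_writes(log).items())
            if NEEDED <= r.keys()}

if __name__ == "__main__":
    for n, r in memory_map(SAMPLE_LOG).items():
        print(f"region {n}: {r['start']:08X}-{r['end']:08X} {r['ap']} "
              f"XN={int(r['xn'])} user_wx={r['user_wx']}")
```

Feeding it the full log from the post gives the same start/end pairs as the firmware's own "Memory region" printout.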

dinissilva

Here back to do some tests!!

Pierro777

Picked up an 80d today. Let me know how I can help.

hugovlnv

I'm hesitating buying an 80D right now just because I'm not sure how much time it'd take for ML to come out, probably quite a long way. Seems to be a great camera which could be made even greater with ML. Thanks for the appreciated work!


a1ex

Please find a ROM dumper for 80D that does not require additional hardware:

DMPD_80D.FIR

Thanks zloe and Ant123 for confirmation.

The dumper is based on this code and it saves 3 copies of the ROM, because the bootloader file I/O routines are tricky and sometimes they write invalid data. You only need one of the ROMs - check the MD5 sums to find out which copies are valid:


md5sum -c *.MD5


If it doesn't work, try a smaller card, or format it with an older filesystem (such as FAT12).

Please don't send me a copy of your ROM, I already have it. If your firmware version is not "1.0.1 6.2.2 9C(84)", please paste it. You can get the full firmware version with this command:

strings ROM1A.BIN | grep -C 2 "1\.0\.1"


To replicate my experiments in QEMU, duplicate the ROM contents to get a 64MB file, then run:


./run_canon_fw.sh 80D -s -S & arm-none-eabi-gdb -x 80D/debugmsg.gdb


Happy hacking. I'll probably need some help writing self-modifying code on this ARM platform (Cortex R4), so if you already have experience with that, please get in touch with me.

Pierro777

If there is a step-by-step or anything I can follow to help with this last step, I'd gladly do it. I'm no programmer so the above post looks like gibberish to me. Sorry.

vzhivkov

I'm a newbie. I just bought 80D and I'm so very sorry for that. I need it for many other reasons where Canon is great but I also need it for HDMI output and as I found out after I bought it that's not working as expected on 80D. So my question is whenever (doesn't matter when) ML for 80D is ready will it allow me to use HDMI out as clean HDMI? If it is not going to offer such thing I'd rather try to return the camera now until it is too late.

Walter Schulz

ML has no "delivery date". Nobody is able to say how long it will take and if your cam is not supported by ML you should act like there will be no ML for your cam ever.
Top of page -> User Guide -> FAQ -> Troll Questions section
Same for features ...

jtvision

Quote from: Walter Schulz on August 30, 2016, 09:54:45 PM
ML has no "delivery date". Nobody is able to say how long it will take and if your cam is not supported by ML you should act like there will be no ML for your cam ever.
Top of page -> User Guide -> FAQ -> Troll Questions section
Same for features ...

I have seen this quote several times in this forum. How many of your 4866 posts are copy paste of these, Walter Schulz? 

Felipe

jtvision, if you need ML functionality right away, buy the Canon C100 Mark II, only $4500.
The pleasure of using good things costs money. ML Team is extremely generous.
650D-700D

jtvision

I am on this forum every day. Because I am very curious of what developments are happening here. And developments are happening!
"if your cam is not supported by ML you should act like there will be no ML for your cam ever" is simply not true!

Pierro777

Can we stick on topic?

The devs do this out of the kindness of their heart. If you want ML on your camera like everyone else posting here offer to help...

That's the only way to get it.

If people are willing to chip in to get @A1ex an 80D, I'd chip in.

Aside from that I could always offer to troubleshoot. I just don't know where to start.

eduperez

Quote from: jtvision on August 30, 2016, 10:26:18 PM
"if your cam is not supported by ML you should act like there will be no ML for your cam ever" is simply not true!

If you are thinking about buying a new camera and you positively need ML, do not buy one not supported now with hopes that it will be supported in the future; it may never be supported, and you will be stuck to an unsupported camera.

If you need ML for your project, and your camera is not supported, do not wait until it gets support, or you might wait forever and lose the opportunity to create your project.

...

yostergeo

So I've been combing the web for help on this, but my 80D won't work with Canon Image Gateway. Tells me it's not available in my region, despite me living in the US. This is probably because I purchased a camera from the gray market via Abes of Maine. What I'm wondering is if I can flash my camera with the US version of the firmware. If so how would I go about converting a US .bin dumped from an 80D to a .fir and would any of you be so kind as to send me your US .bin