Canon 80D

Started by ariznaf, June 02, 2016, 09:27:03 AM



Greg

I do not have 80D. It's too expensive.
I have only qemu cameras :P

Straight_Shooter

I am now the owner of an 80D, in addition to my old 1100D.  :)

As soon as we have some binary that we can test I will be happy to help with testing.

pawl

I'm still using 60d
The main reason I haven't upgraded it to the 80D yet is that ML is not ready  :D :D :D

(in addition: 80D comes with DIGIC6, but 77D comes with DIGIC7. I'm afraid Canon will release a 8xD with DIGICx)

JaSt

Greetings to ML developers,
I have an 80D. Contact me if you want to help with testing of early version.
Thanks in advance.  :)

benzett

Hey folks, is there any news about an ML version for the 80D? I'm thinking about buying it, but unless I can get rid of the focus boxes, I won't... :) Thanks for your work!

Muwex

Hi!
I am also an owner of a Canon 80D and have been for a long while. I had a Canon 500D which I had Magic Lantern on, sooooo.... I would be more than happy to finally have it on the 80D.
Of course I understand that it takes time, but if help is needed, I can try my best and do some testing :)

I make videos for 5 channels; this is my main channel: https://www.youtube.com/channel/UCXzdh4S1HOEpTTLreDBprlw
So I have about 5 years of experience with video making and creativity on YouTube :)

deathbyderps

Hey, I too got an 80D about a month back.
I'd be happy to test any form of early software, as unstable as it may be.
Feel free to drop me an email.

Spakes

Hi. New here.
I got 80D too, updated it to 1.0.2 through EOS Utility 3. Don't have enough knowledge for QEMU/Low-Level C (only learning C++ and Java for Android), but open for testing anything. If you have some manuals for reverse engineering or need to test something, I'm ready to help. Just tell me what to do.

Spakes

I know, there are minor updates in 1.0.2, but I still made a dump of 1.0.2 (why not, better for Norwegians and lens registration).
I can give you a link to all dumps if you PM me.
Is there also anything I can do which doesn't require a lot of time? I'll try to do some disassembly after June 10th, maybe, can't do it now 'cause exams.

Greg

Any plans with digic 6/7?


Greg

It looks like no one wants a sensor in technology from 15 years ago.  :P

emklap

Hi, I'm new here and have started on 80D reverse engineering.

I made custom firmware for the EOS 300D a long time back and think it's fun to try to port ML to the 80D.

I have a VirtualBox setup and am able to compile the ML code; QEMU still needs to be set up.

I use 80D FW 1.0.2 because that was on my camera and I could not find FW 1.0.1. The ROM dumper worked fine and gave me three ROM1 dumps, one with a valid CRC.

I duplicated the file and loaded it into IDA with offset 0xFC000000, and analysis of the code went smoothly. I now need to run an IDC script because the automatic analysis does not recognize the first character of strings. We'll see if my old code still works  :-)

Also the perl script disassamble.pl ran fine, giving me lots of strings to work with. Some 330,000 (2x), way too many  :D  to work with, and I need to somehow remove the ones that do not make sense.

The start of the code looks like this:
ROM:FC000000 ; Processor       : ARM
ROM:FC000000 ; ARM architecture: metaarm
ROM:FC000000 ; Target assembler: Generic assembler for ARM
ROM:FC000000 ; Byte sex        : Little endian
ROM:FC000000
ROM:FC000000 ; ===========================================================================
ROM:FC000000
ROM:FC000000 ; Segment type: Pure code
ROM:FC000000                 AREA ROM, CODE, READWRITE, ALIGN=0
ROM:FC000000                 ; ORG 0xFC000000
ROM:FC000000                 CODE32
ROM:FC000000
ROM:FC000000 loc_FC000000                            ; DATA XREF: sub_FC0274EC+34r
ROM:FC000000                                         ; sub_FC0274EC+40w
ROM:FC000000                 STC2            p0, c0, [R0], {8}
ROM:FC000004                 STC2            p0, c0, [R0], {0x48}
ROM:FC000008                 MOV             R0, #0
ROM:FC00000C                 MCR             p15, 0, R0,c6,c2, 0
ROM:FC000010                 MOV             R0, #0
ROM:FC000014                 MCR             p15, 0, R0,c6,c1, 0
ROM:FC000018                 MOV             R0, #0x3F
ROM:FC00001C                 MCR             p15, 0, R0,c6,c1, 2
ROM:FC000020                 MOV             R0, #0x320
ROM:FC000024                 MCR             p15, 0, R0,c6,c1, 4
ROM:FC000028                 MRC             p15, 0, R0,c1,c0, 0
ROM:FC00002C                 BIC             R0, R0, #0x20000
ROM:FC000030                 ORR             R0, R0, #1
ROM:FC000034                 DSB             SY
ROM:FC000038                 MCR             p15, 0, R0,c1,c0, 0
ROM:FC00003C                 ISB             SY
ROM:FC000040                 LDR             PC, =0xFE020000


and at FE0A0000 like this:
ROM:FE0A0000                         ; ---------------------------------------------------------------------------
ROM:FE0A0000                         ; START OF FUNCTION CHUNK FOR sub_FE020000
ROM:FE0A0000
ROM:FE0A0000                         loc_FE0A0000                            ; CODE XREF: ROM:FC020E78j
ROM:FE0A0000                                                                 ; sub_FE020000+E78j
ROM:FE0A0000                                                                 ; DATA XREF: ROM:FC020E74o
ROM:FE0A0000                                                                 ; ROM:off_FC021278o ...
ROM:FE0A0000 04 00 8F E2                             ADR             R0, loc_FE0A000C
ROM:FE0A0004 01 00 80 E3                             ORR             R0, R0, #1
ROM:FE0A0008 10 FF 2F E1                             BX              R0 ; loc_FE0A000C
ROM:FE0A000C                         ; ---------------------------------------------------------------------------
ROM:FE0A000C                                         CODE16
ROM:FE0A000C
ROM:FE0A000C                         loc_FE0A000C                            ; CODE XREF: sub_FE020000+80008j
ROM:FE0A000C                                                                 ; DATA XREF: sub_FE020000:loc_FE0A0000o
ROM:FE0A000C 40 F2 00 00 C0 F2 00 00                 MOV             R0, #0
ROM:FE0A0014 40 F2 38 03 C0 F2 00 03                 MOV             R3, #0x38
ROM:FE0A001C 20 F0 01 00                             BIC.W           R0, R0, #1
ROM:FE0A0020 23 F0 01 03                             BIC.W           R3, R3, #1
ROM:FE0A0024 40 F2 00 01 C0 F2 00 01                 MOV             R1, #0
ROM:FE0A002C
ROM:FE0A002C                         loc_FE0A002C                            ; CODE XREF: sub_FE020000+80038j
ROM:FE0A002C 98 42                                   CMP             R0, R3
ROM:FE0A002E 3C BF                                   ITT CC
ROM:FE0A0030 50 F8 04 2B                             LDRCC.W         R2, [R0],#4
ROM:FE0A0034 41 F8 04 2B                             STRCC.W         R2, [R1],#4
ROM:FE0A0038 F8 D3                                   BCC             loc_FE0A002C
ROM:FE0A003A 4F F0 01 00                             MOV.W           R0, #1
ROM:FE0A003E 06 EE 12 0F                             MCR             p15, 0, R0,c6,c2, 0
ROM:FE0A0042 40 F2 21 11                             MOVW            R1, #0x121
ROM:FE0A0046 06 EE 91 1F                             MCR             p15, 0, R1,c6,c1, 4
ROM:FE0A004A BF F3 4F 8F                             DSB.W           SY
ROM:FE0A004E 19 EE 11 0F                             MRC             p15, 0, R0,c9,c1, 0
ROM:FE0A0052 00 F0 7D 00                             AND.W           R0, R0, #0x7D
ROM:FE0A0056 40 F2 01 01 C8 F2 00 01                 MOV             R1, #0x80000001
ROM:FE0A005E 40 EA 01 00                             ORR.W           R0, R0, R1
ROM:FE0A0062 09 EE 11 0F                             MCR             p15, 0, R0,c9,c1, 0
ROM:FE0A0066 40 F6 00 00 C8 F2 00 00                 MOV             R0, #0x80000800


The next step is to find stubs, but I have no clue where to start; IDA shows just over 100,000 functions!! Again, where do I start????
Can anyone provide some tips, e.g. which functions are important to find and which not? Are there some easy ones to start with?
Are there IDC scripts available that can do some of the work for me/us?

Looking forward to some coding time

80D, 40D, 300D,  15-85 IS, 18-55IS EFS, Tokina17-55/F2.8, ,70-200LIS/F4, 50EF/F1.8, extender 1.4, EX-430, Sigma 8-16
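Added example (my own, not code from this thread, Magic Lantern or CHDK): a small C decoder for the CP15 MCR/MRC instructions in the listing above, so the bootloader's MPU and TCM setup can be read by register name instead of as raw cN,cM,opc2 tuples. The register names assume an ARMv7-R (Cortex-R class) system-register map, which is an assumption about the DIGIC 6 core; the sample bytes are the ones IDA printed at FE0A003E, FE0A0046 and FE0A004E, and the A32 word for the FC00000C instruction is encoded from its mnemonic.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One decoded coprocessor register transfer (MCR = write Rt -> CP15, MRC = read CP15 -> Rt). */
struct cp15_op {
    bool is_read;            /* L bit: 1 = MRC, 0 = MCR */
    unsigned coproc;         /* 15 for the system control coprocessor */
    unsigned opc1, crn, rt, opc2, crm;
};

/* Reassemble a 32-bit instruction word from the little-endian bytes IDA prints.
 * A32: one little-endian word.  T32: two little-endian halfwords, first halfword high. */
uint32_t a32_word(const uint8_t *b)
{
    return (uint32_t)b[0] | (uint32_t)b[1] << 8 | (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
}
uint32_t t32_word(const uint8_t *b)
{
    uint32_t hw1 = (uint32_t)b[0] | (uint32_t)b[1] << 8;
    uint32_t hw2 = (uint32_t)b[2] | (uint32_t)b[3] << 8;
    return hw1 << 16 | hw2;
}

/* MCR/MRC use the same field layout in bits [27:0] for A32 and T32 (T32 fixes
 * bits [31:28] to 1110), so one decoder serves both.  Returns false for any
 * other instruction: bits [27:24] must be 1110 and bit 4 must be set (bit 4
 * clear with the same prefix would be CDP). */
bool cp15_decode_word(uint32_t w, struct cp15_op *op)
{
    if (((w >> 24) & 0xF) != 0xE || ((w >> 4) & 1) == 0)
        return false;
    op->opc1    = (w >> 21) & 7;
    op->is_read = (w >> 20) & 1;
    op->crn     = (w >> 16) & 0xF;
    op->rt      = (w >> 12) & 0xF;
    op->coproc  = (w >> 8) & 0xF;
    op->opc2    = (w >> 5) & 7;
    op->crm     = w & 0xF;
    return true;
}

/* ARMv7-R names for the CP15 registers seen in the listing plus the usual
 * cache-maintenance operations (assumed map; anything else is "unknown"). */
const char *cp15_name(const struct cp15_op *op)
{
    static const struct { unsigned opc1, crn, crm, opc2; const char *name; } tab[] = {
        {0, 0, 0, 0, "MIDR"},    {0, 0, 0, 1, "CTR"},     {0, 0, 0, 4, "MPUIR"},
        {0, 1, 0, 0, "SCTLR"},   {0, 1, 0, 1, "ACTLR"},
        {0, 5, 0, 0, "DFSR"},    {0, 5, 0, 1, "IFSR"},
        {0, 6, 0, 0, "DFAR"},    {0, 6, 0, 2, "IFAR"},
        {0, 6, 1, 0, "DRBAR (MPU data region base)"},
        {0, 6, 1, 2, "DRSR (MPU data region size/enable)"},
        {0, 6, 1, 4, "DRACR (MPU data region access control)"},
        {0, 6, 2, 0, "RGNR (MPU region number)"},
        {0, 7, 5, 0, "ICIALLU"}, {0, 7, 5, 1, "ICIMVAU"}, {0, 7, 5, 6, "BPIALL"},
        {0, 7, 10, 1, "DCCMVAC"}, {0, 7, 14, 1, "DCCIMVAC"}, {0, 7, 6, 1, "DCIMVAC"},
        {0, 9, 1, 0, "data TCM region register"},
        {0, 9, 1, 1, "instruction TCM region register"},
    };
    if (op->coproc != 15) return "not CP15";
    for (size_t i = 0; i < sizeof tab / sizeof tab[0]; i++)
        if (tab[i].opc1 == op->opc1 && tab[i].crn == op->crn &&
            tab[i].crm == op->crm && tab[i].opc2 == op->opc2)
            return tab[i].name;
    return "unknown";
}

/* DRSR: bit 0 enables the region, bits [5:1] hold log2(size) - 1, so the 0x3F written
 * at FC000018 is one enabled 4 GiB region covering everything. */
bool     drsr_enabled(uint32_t v)    { return v & 1; }
uint64_t drsr_size_bytes(uint32_t v) { return 1ull << (((v >> 1) & 0x1F) + 1); }

/* SCTLR bits the bootloader touches at FC00002C/FC000030: BR (bit 17, MPU background
 * region) is cleared and M (bit 0, MPU enable) is set before the write at FC000038. */
bool sctlr_mpu_enabled(uint32_t v)       { return v & 1; }
bool sctlr_background_region(uint32_t v) { return (v >> 17) & 1; }

int main(void)
{
    /* Bytes copied from the Thumb listing at FE0A003E, FE0A0046 and FE0A004E. */
    const uint8_t samples[][4] = {
        {0x06, 0xEE, 0x12, 0x0F},   /* MCR p15,0,R0,c6,c2,0 */
        {0x06, 0xEE, 0x91, 0x1F},   /* MCR p15,0,R1,c6,c1,4 */
        {0x19, 0xEE, 0x11, 0x0F},   /* MRC p15,0,R0,c9,c1,0 */
    };
    for (size_t i = 0; i < 3; i++) {
        struct cp15_op op;
        if (cp15_decode_word(t32_word(samples[i]), &op))
            printf("%s p%u, %u, R%u, c%u, c%u, %u  ; %s\n", op.is_read ? "MRC" : "MCR",
                   op.coproc, op.opc1, op.rt, op.crn, op.crm, op.opc2, cp15_name(&op));
    }
    printf("DRSR 0x3F: enabled=%d size=%llu bytes\n", drsr_enabled(0x3F),
           (unsigned long long)drsr_size_bytes(0x3F));
    return 0;
}
```

Read this way, the FC000000 stub selects MPU region 0 (RGNR), gives it base 0 (DRBAR), size 4 GiB enabled (DRSR = 0x3F) and the access attributes in DRACR, then turns the MPU on via SCTLR.M before jumping to 0xFE020000; the Thumb code at FE0A0000 reprograms region 1 and a TCM region register the same way. That is the part of the boot sequence worth understanding before touching cache or MPU settings from autoexec.bin.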

a1ex

Hi - emklap from CHDK, right?

For IDA, you need to select ARMv7 A&R, and also*) load the same ROM at 0xFE000000.

*) Loading both ROMs makes IDA very slow (at least here), so it may be best to define two "projects": one for analyzing the bootloader at 0xFC000000 and another one for the main firmware at 0xFE000000.

The perl script has a custom version for DIGIC 6, but I didn't try it. You should know the CHDK forum better than me :D

Some of the stubs are listed in the digic6-dumper branch. There is an initial platform directory for 80D, which uses a minimal file structure (suitable for experimenting around) - this works fine in QEMU, but not on the actual hardware. I believe the issue is caching in the context of self-modifying code (ARMv7 has a different way to deal with this), but didn't look too much into it yet. Copying CHDK cache functions is probably enough to move forward.

When you are ready to run code on your camera, just get in touch with me on IRC.
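The caching point a1ex raises, as an added example that is not from this thread, CHDK or Magic Lantern: the generic ARMv7 sequence for making code that was just written as data executable. It assumes an ARMv7 core with separate, non-coherent instruction and data caches and uses only architectural CP15 operations; the CTR value in the host stub is constructed, not read from an 80D. The inline assembly is only compiled for an ARM target, so the range walk can be checked on any host.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Cache line sizes from CTR: IminLine = bits[3:0], DminLine = bits[19:16], both log2(words). */
unsigned ctr_imin_line_bytes(uint32_t ctr) { return 4u << (ctr & 0xF); }
unsigned ctr_dmin_line_bytes(uint32_t ctr) { return 4u << ((ctr >> 16) & 0xF); }

#if defined(__arm__)
/* Real CP15 operations, only built for an ARM target. */
static inline uint32_t read_ctr(void)
{ uint32_t v; __asm__ volatile("mrc p15, 0, %0, c0, c0, 1" : "=r"(v)); return v; }
static inline void dccmvac(uintptr_t a)   /* clean D-cache line by address to PoC */
{ __asm__ volatile("mcr p15, 0, %0, c7, c10, 1" :: "r"(a) : "memory"); }
static inline void icimvau(uintptr_t a)   /* invalidate I-cache line by address to PoU */
{ __asm__ volatile("mcr p15, 0, %0, c7, c5, 1" :: "r"(a) : "memory"); }
static inline void bpiall(void)           /* invalidate the branch predictor */
{ __asm__ volatile("mcr p15, 0, %0, c7, c5, 6" :: "r"(0) : "memory"); }
static inline void dsb(void) { __asm__ volatile("dsb" ::: "memory"); }
static inline void isb(void) { __asm__ volatile("isb" ::: "memory"); }
#else
/* Host stubs so the range arithmetic can be exercised off-target.  The CTR value is
 * constructed (32-byte I and D lines), not read from an 80D. */
static uint32_t read_ctr(void) { return 0x8003C003u; }
static void dccmvac(uintptr_t a) { (void)a; }
static void icimvau(uintptr_t a) { (void)a; }
static void bpiall(void) {}
static void dsb(void) {}
static void isb(void) {}
#endif

/* Make [start, start+len) safe to execute after writing it as data.  Returns the
 * number of D-cache lines cleaned so the walk is checkable.  Order matters:
 *   1. clean every D-cache line covering the range (data reaches memory/PoU)
 *   2. DSB so the cleans complete before the instruction side is touched
 *   3. invalidate every I-cache line covering the range, then the branch predictor
 *   4. DSB + ISB so the pipeline refetches the new instructions
 * Leaving any step out gives the "works in QEMU, dies on hardware" symptom,
 * because the emulator has no separate I-cache that can go stale. */
size_t sync_icache_range(uintptr_t start, size_t len, uint32_t ctr)
{
    if (len == 0) return 0;
    unsigned dline = ctr_dmin_line_bytes(ctr), iline = ctr_imin_line_bytes(ctr);
    uintptr_t end = start + len;
    size_t cleaned = 0;

    for (uintptr_t a = start & ~(uintptr_t)(dline - 1); a < end; a += dline) { dccmvac(a); cleaned++; }
    dsb();
    for (uintptr_t a = start & ~(uintptr_t)(iline - 1); a < end; a += iline) icimvau(a);
    bpiall();
    dsb();
    isb();
    return cleaned;
}

int main(void)
{
    /* Example: an autoexec.bin of 0x2080 bytes loaded at 0x00800000, the size and
     * AUTOEXEC_BASE that appear in the QEMU log and Makefile later in this thread. */
    uint32_t ctr = read_ctr();
    size_t n = sync_icache_range(0x00800000u, 0x2080, ctr);
    printf("CTR=0x%08x D-line=%u I-line=%u, cleaned %zu lines\n",
           (unsigned)ctr, ctr_dmin_line_bytes(ctr), ctr_imin_line_bytes(ctr), n);
    return 0;
}
```

On an MPU-based core the region attributes set by the bootloader also decide whether a range is cached at all, so the same code must be run after any self-patching of copied firmware, not only after the initial copy.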

Ant123

http://chdk.wikia.com/wiki/Digic_6_Porting

Quote from: a1ex on May 12, 2017, 01:50:52 PM
Copying CHDK cache functions is probably enough to move forward.

What are "CHDK cache functions"?


emklap

Hi A1ex,

Yes, I am the emklap of CHDK, there are not many of me around  :D
I already set IDA to ARMv7 A&R, but didn't see any immediate change. I have no performance degradation with the entire FW bootloader & ROM RAM loaded in one IDA project, but the suggestion to split it is a nice one; I might try that myself as well.

Next steps for me will be to get QEMU up and running and to adjust the CHDK IDC scripts for my project.
I have limited time over the next weekends so it might take some time, but I will report my progress in due time. I'll catch up with ARM disassembly as well.



Pierro777

Quote from: emklap on May 15, 2017, 12:54:33 PM
Hi A1ex,

Yes, I am the emklap of CHDK, there are not many of me around  :D
I already set IDA to ARMv7 A&R, but didn't see any immediate change. I have no performance degradation with the entire FW bootloader & ROM RAM loaded in one IDA project, but the suggestion to split it is a nice one; I might try that myself as well.

Next steps for me will be to get QEMU up and running and to adjust the CHDK IDC scripts for my project.
I have limited time over the next weekends so it might take some time, but I will report my progress in due time. I'll catch up with ARM disassembly as well.

I really hope you get it working!!!

Mr.Click

Thank you for your engagement, keep up the work  :)
Canon
EOS 80D/ EOS M+ML /  EOS 50E/ EF-M 18-55 3,5-5,6 IS STM / EF-S 10-18 4,5-5,6 IS STM / A 24 1,4 DG HSM / EF 35 2,0 IS USM / EX 50 1,4 HSM / EF-S 55-250 4.5,6 IS STM , Speedlight 430 EX II

adindie

I'm an 80D owner too and I really want to install ML on this camera. I really want to shoot 4K video on my camera.

Is there any update on the ML status?

Walter Schulz


Muwex

Hi!

Just putting my update here: if there is a need for testing, feel free to contact me, for example by PM or [email protected]
I have a Canon 80D and I had a Canon 500D with Magic Lantern. I am no help for any coding work for sure, but for some testing I might be  ;)

emklap

I'm stuck  >:(

I tried for several days to start the ROM dumper and the display test in QEMU 1.6 but no luck. Can someone help me? This is what I tried so far.

I updated the file qemu/qemu-1.6.0/hw/arm/eos.c and added the lines
ML_MACHINE(80D,   0xFE0A0000);
EOS_MACHINE(80D,  0xFE0A0000);
qemu_register_machine(&canon_eos_machine_ml_80D);
qemu_register_machine(&canon_eos_machine_80D);

I also tried 0xFC000000 and 0xFC000008

In the folder magiclantern/magic-lantern/platform I created a new folder (80D.102) and copied all files from the folder of the 60D fw 1.1.1.
I added 80D.102 to the Makefile of ML.
I updated the files Makefile and Makefile.platform.default located in the 80D.102 folder to reflect the 80D.
I used the following addresses in Makefile.platform.default in the 80D.102 folder.

#Makefile.setup.platform for 80D

CANON_NAME_FIR = 80D00102.FIR
FIRMWARE_ID = 0x80000350
UPDATE_NAME_FIR = BOOT_80D.FIR
FIR_BASE = 0x00800120
AUTOEXEC_BASE = 0x00800000

RESTARTSTART    = 0x001CC400
ROMBASEADDR     = 0xFE0A0000
ML_SRC_PROFILE  = minimal

Now the make command fails (FYI, if I set "ML_SRC_PROFILE = generic" the make command finishes without errors).

The make command fails with the error:
minimal.c: In function 'my_create_init_task':
minimal.c:72:5: error: too many arguments to function 'create_init_task'
In file included from ../../src/dryos.h:41:0,
                 from minimal.c:5:
../../src/tasks.h:104:1: note: declared here

When changing the line in tasks.h to
create_init_task( int a, int b, int c );
I get further but now the make command stops with a new error.
The new error is
font_direct.o: In function `font_draw':
font_direct.c:(.text+0xb0): undefined reference to `disp_set_pixel'
make: *** [magiclantern] Error 1

I am sure that disp_set_pixel is declared, but the linker doesn't think so.

Can someone give me some tips/hints? What am I doing wrong? Or what do I need to do to get the display test or ROM dumper running in QEMU?

This happens when I start QEMU. I used the duplicated ROM from my 80D.102 to get a 64MB BIN file.

make: Leaving directory `/home/magiclantern/qemu/qemu-1.6.0'
00000000 - 00000FFF: eos.tcm_code
40000000 - 40000FFF: eos.tcm_data
00001000 - 3FFFFFFF: eos.ram
40001000 - 7FFFFFFF: eos.ram_uncached
F0000000 - F0FFFFFF: eos.rom0
F1000000 - F1FFFFFF: eos.rom0_mirror_F1
F2000000 - F2FFFFFF: eos.rom0_mirror_F2
F3000000 - F3FFFFFF: eos.rom0_mirror_F3
F4000000 - F4FFFFFF: eos.rom0_mirror_F4
F5000000 - F5FFFFFF: eos.rom0_mirror_F5
F6000000 - F6FFFFFF: eos.rom0_mirror_F6
F7000000 - F7FFFFFF: eos.rom0_mirror_F7
F8000000 - F8FFFFFF: eos.rom1
F9000000 - F9FFFFFF: eos.rom1_mirror_F9
FA000000 - FAFFFFFF: eos.rom1_mirror_FA
FB000000 - FBFFFFFF: eos.rom1_mirror_FB
FC000000 - FCFFFFFF: eos.rom1_mirror_FC
FD000000 - FDFFFFFF: eos.rom1_mirror_FD
FE000000 - FEFFFFFF: eos.rom1_mirror_FE
FF000000 - FFFFFFFF: eos.rom1_mirror_FF
C0000000 - CFFFFFFF: eos.iomem
[EOS] loading 'ROM-80D.BIN' to 0xF0000000-0xF3FFFFFF
[EOS] loading 'ROM-80D.BIN' to 0xF8000000-0xFBFFFFFF

When I run ML-80D it loads autoexec.bin and qemu-helper.bin like this:

[EOS] loading 'ROM-80D.BIN' to 0xF0000000-0xF3FFFFFF
[EOS] loading 'ROM-80D.BIN' to 0xF8000000-0xFBFFFFFF
[EOS] loading 'autoexec.bin' to 0x00800000-0x0080207F
[EOS] loading 'qemu-helper.bin' to 0x30000000-0x30008C9F
[QEMU_HELPER] stub ff86af64 -> 30000130 (d195d000)
[QEMU_HELPER] stub ff9abbf4 -> 30000768 (ce83cf89)
[QEMU_HELPER] stub ff9abd20 -> 3000073c (294b2030)
[QEMU_HELPER] stub ff9abe20 -> 3000010c (93b8e0b2)
[QEMU_HELPER] stub ff9ab304 -> 3000027c (64616c62)
[QEMU_HELPER] stub ff9aac68 -> 300000dc (e3a781e3)
[QEMU_HELPER] stub ff9aabb4 -> 3000022c (e080a0ee)
[QEMU_HELPER] stub ff9aafa0 -> 3000033c (6f76754e)
[QEMU_HELPER] stub ff9ab150 -> 30000078 (36206163)
[QEMU_HELPER] stub ff9aad10 -> 30000054 (617262)
[QEMU_HELPER] stub ff9ab050 -> 30000830 (a4e5b498)
[QEMU_HELPER] stub ff85f0f0 -> 300001b8 (84cfb7ce)
[QEMU_HELPER] stub ff85f228 -> 3000019c (b49be583)
[QEMU_HELPER] stub ff9a8170 -> 30000184 (baef208b)

which is followed by endless lines like this:
[???] [0xE0411003] -> [0xCFFF9534] PC: 0x00000004
[???] [0xE12FFF1E] -> [0xCFFF9538] PC: 0x00000004
[???] [0xFF811DC0] -> [0xCFFF953C] PC: 0x00000004
[???] [0xE0030092] -> [0xCFFF9520] PC: 0x00000004
[???] [0xE0411003] -> [0xCFFF9524] PC: 0x00000004
[???] [0xE12FFF1E] -> [0xCFFF9528] PC: 0x00000004
[???] [0xFF811DC0] -> [0xCFFF952C] PC: 0x00000004
[???] [0xE0030092] -> [0xCFFF9510] PC: 0x00000004
[???] [0xE0411003] -> [0xCFFF9514] PC: 0x00000004
[???] [0xE12FFF1E] -> [0xCFFF9518] PC: 0x00000004
[???] [0xFF811DC0] -> [0xCFFF951C] PC: 0x00000004
Again, can someone give me some tips/hints? What am I doing wrong? Or what do I need to do to get the display test or ROM dumper running in QEMU?
After that I would like to create my own bin file, rename it to autoexec.bin and load this file.

a1ex

When all else fails... read the instructions. Any recent post on the QEMU thread, that references the install instructions, should do the trick.

Or, this walkthrough. You'll want QEMU 2.5.0 (not 1.6.0 and neither 2.9.0 - for now).

Don't rush to get "Hello world" yet; on digic 6 we need some more baby steps. If you really want to run it, you can take a look in src/minimal.c from the unified branch (that shows hello world with a minimal "display driver"), and you'll probably get that working in QEMU without much trouble. Note the 80D (in the digic6-dumper branch) has a different minimal.c.

However, this won't boot on the actual hardware until the caching issues (discussed earlier) are addressed.

BTW, the "generic" ROM dumper and display test are compiled from the "recovery" branch, and they work directly from the bootloader (without starting the main firmware).

Spakes

Quote from: a1ex on June 08, 2017, 07:09:41 AM
When all else fails... read the instructions. Any recent post on the QEMU thread, that references the install instructions, should do the trick.

Or, this walkthrough. You'll want QEMU 2.5.0 (not 1.6.0 and neither 2.9.0 - for now).

Don't rush to get "Hello world" yet; on digic 6 we need some more baby steps. If you really want to run it, you can take a look in src/minimal.c from the unified branch (that shows hello world with a minimal "display driver"), and you'll probably get that working in QEMU without much trouble. Note the 80D (in the digic6-dumper branch) has a different minimal.c.

However, this won't boot on the actual hardware until the caching issues (discussed earlier) are addressed.

BTW, the "generic" ROM dumper and display test are compiled from the "recovery" branch, and they work directly from the bootloader (without starting the main firmware).
What caching issues and baby steps are you talking about?