Canon 80D

[a1ex]

Alright, so that caching thing probably makes a difference. Here's one more that runs from uncacheable memory:

BOOTU80D.FIR

Just for my own curiosity - if you try to run a FIR 10 or 20 times in a row, does it use the same colors every single time, or are there any differences? The question applies to all the 3 FIRs (BOOTD80D.FIR, BOOTE80D and BOOTU80D).

[sombree]

BOOTD80D.FIR - now I've tried it after BOOTE80D.FIR and it kinda works (for 10 attempts: worked 3 times, 7 times it just turn blue); once background was red and twice it was blue: red, blue
BOOTE80D.FIR - font is always blue (like in the screen from the qemu that you've posted) and background is black
BOOTU80D.FIR - works as BOOTE80D.FIR; only difference is the last line being dark blue: https://imgur.com/8W0aVJi
I've run BOOTE80D and BOOTU80D ten times each and result was always the same.

[a1ex]

The last line is using the last palette entry - I have a feeling this is a quirk that we have to understand in order to boot ML later. Let's try a barrier (DSB):

BOOTB80D.FIR

Hope you don't mind trying this one 50 times to make sure it shows the same colors every time

[sombree]

I don't have to check it 50 times - for 10 attempts seven times I've had normal (black) background and for three times I've had red background :/

[a1ex]

Alright - so the caching issue is still not solved. However, the results from previous experiments gave me some ideas for solving the issue of running code alongside Canon firmware. Also found some more docs on this:

http://infocenter.arm.com/help/topic/com.arm.doc.ihi0053b/IHI0053B_arm_c_language_extensions_2013.pdf
http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.faqs/ka14041.html
https://community.arm.com/community-help/f/discussions/2109/dmb-vs-dsb
https://stackoverflow.com/questions/15491751/real-life-use-cases-of-barriers-dsb-dmb-isb-in-arm

In particular, the second link has a concise explanation in the self-modifying code section. Let's try it.

All these FIRs should jump to Canon firmware (in other words, after the Loading screen, the camera should return to normal firmware). They will also execute various stages of loading ML - some may fail (camera will lock up). The outcome might not be always the same, so it's best to try each FIR a couple of times.

All of them will write the self-modifying code to uncacheable memory (something we didn't try before).

JMPA_80D.FIR - jump to Canon firmware at 0xFE0A0000 (any firmware version)
JMPB_80D.FIR - copy ML, DSB/ISB, then jump to Canon firmware (any firmware version)
JMPC_80D.FIR - vanilla reboot.c, jump to Canon firmware from copy_and_restart (any firmware version)
JMPD_80D.FIR - relocate Canon's startup code without patching it (1.0.1 only)
JMPE_80D.FIR - relocate Canon's startup code, reserve RAM, jump to Canon firmware (1.0.1 only)
JMPF_80D.FIR - LED blinking alongside Canon firmware (1.0.1 only).
JMPG_80D.FIR - relocate Canon's startup code, reserve RAM, run our init task, dump ROM1.BIN on the card after 5 seconds (1.0.1 only)

Source code for all of the above

Crossing fingers

[OlRivrRat]

                    @Alex

            Attempt to Download JMPE,F,G brings up "404 Not Found"

[sombree]

JMPA_80D.FIR - camera returns to normal firmware
JMPB_80D.FIR - camera returns to normal firmware
JMPC_80D.FIR - camera locks up
JMPD_80D.FIR - camera locks up
As for the rest - your server returns 404.

[a1ex]

Solved - copy/paste error. However, if JMPC didn't work, the remaining ones won't work either.

If anyone wants to fiddle with the code, here's the FIR to enable the boot flag (on any firmware version):

BOOTF80D.FIR.

This will modify your camera.

After enabling the boot flag in the camera, you may run:

- the portable display test (copy autoexec.bin and make your card bootable)
- the portable ROM dumper (you may have to format the card to a very small size, or dd this 256MB image - howto)
- anything compiled from the recovery branch (it runs from bootloader context); check Makefile.user.default for options
- the digic6-dumper branch (you will have to modify the code and experiment - it won't boot in its current state)

For troubleshooting the above experiment (trying to run code alongside Canon firmware):
- make sure you are running firmware 1.0.1
- make your card bootable
- compile autoexec.bin from digic6-dumper (full boot, works in QEMU but not on the camera) or from 80D-troubleshooting (partial boot - last good is cc66eb4 = JMPB)
- no other data files are required at this time
- tell me what I'm doing wrong (you may study the above ARM docs, get an execution trace in QEMU, try similar code on another ARMv7 device or whatever else you can think of)

(I'm still looking into it)

[sombree]

It's also possible that code is fine - maybe RESTARTSTART addres (or any other stub for that matter) just changed in 1.0.2.

[a1ex]

Right - forgot about the new firmware. Can you PM me a ROM dump?

However, the steps that depend on the firmware version are starting from D. Step C is generic code that works on all D6 models.

BTW, two more generic FIRs (compatible with any firmware version):

JMPH_80D.FIR - similar to JMPC, but runs all our code in uncacheable memory.
JMPI_80D.FIR - similar to JMPC, but disables caches in SCTLR and memory region 1 (DRACR 0x320; will be reconfigured by Canon firmware when booting).

And yet another attempt for fixing the colors (marked the memory as Shareable - I don't really know what I'm doing):

BOOTS80D.FIR

[sombree]

PM sent.
JMPH_80D.FIR - camera returns to normal firmware
JMPI_80D.FIR - camera returns to normal firmware
BOOTS80D.FIR - works only partially - sometimes LCD turns blue, sometimes it loads but background is blue or red

[a1ex]

That means progress

JMPJ_80D.FIR - similar to JMPD, but for 1.0.2 and using the trick from JMPH.
JMPK_80D.FIR - similar to JMPD, but for 1.0.2 and using the trick from JMPI.

[sombree]

JMPJ_80D.FIR - camera locks up
JMPK_80D.FIR - camera locks up

[goldenchild9to5]

Awesome work @a1ex

[matija]

Hi,

I read through the whole topic, but just to make sure.
I have to install http://a1ex.magiclantern.fm/bleeding-edge/80D/BOOTF_80D.FIR, which will "only" modify the boot flag, after which the tests should not modify anything, they are just some test and then normal situation should resume? Can I go back to Canon firmware only? I am aware there is some risk involved.

[a1ex]

Before enabling the boot flag, you'll see BOOT=0. Afterwards, you'll see BOOT=1.

Disabling the boot flag is easy - I can prepare a FIR for that, if needed.

So far, the boot flag enabler was confirmed to work on 5DS (g3gg0) and 760D (xabi) - that means, camera boots normally without card or with a formatted card, and runs autoexec.bin if the card is bootable (we have checked these scenarios). The 750D, 760D and 80D are very similar, so I don't expect any surprises.

[OlRivrRat]

"I have to install http://a1ex.magiclantern.fm/bleeding-edge/80D/BOOTF_80D.FIR, which will "only" modify the boot flag,"

Is that supposed to be a Real Link > I get a 404 Not Found.

[Walter Schulz]

-> Reply #157, #159

[OlRivrRat]

      @Walter

   Insufficient/Incorrect answer ~

Correct answer would have been >

   Try This >

http://a1ex.magiclantern.fm/bleeding-edge/80D/BOOTF80D.FIR

[eduperez]

I have to install http://a1ex.magiclantern.fm/bleeding-edge/80D/BOOTF_80D.FIR, which will "only" modify the boot flag, after which the tests should not modify anything, they are just some test and then normal situation should resume?

Just for clarification: you only need to enable the boot flag to execute AUTOEXEC.BIN files, all .FIR files are executed using the firmware update procedure, and do not need the boot flag enabled.
On the other hand, only the "BOOTF_80D.FIR" makes changes to the camera, all other .FIR files are supposed to be harmless.

[sombree]

Result of running BOOTF_80D.FIR:

I thought that BOOT will change to 1, not to -1. Also I've tried autoexec.bin with portable display test but nothing happens - camera loads to normal firmware.

Edit: my bad - after using Eoscard to make card bootable something happens - screen turns blue when camera turns on. In fact, it turns blue no matter if switch is set to ON or OFF 
Without modified card it boots to normal firmware as it supposed to.

[a1ex]

That means, success. On the first run, you had BOOT=0; after that, you already have it enabled. The FIR doesn't check the boot flags; it just prints their raw value.

At this stage, anyone can compile run his own code on the camera.

[sombree]

Ah, good to hear. Anyway before you've mentioned that probably we can copy cache functions from CHDK - what about something like this?  Though I guess that it's not that simple xD

[Pierro777]

You guys are awesome !!! Keep up the hard work !

[zeus12]

Wonderful news. It seems that 80D has a writing speed close to 80 mb/s (70D only 40 mb/s). It is quite possible that we can get more than 1080p with compressed raw. The 10 bit should work as well. Thanks guys!