Canon 80D

Started by ariznaf, June 02, 2016, 09:27:03 AM


a1ex

Quote from: sombree on December 23, 2017, 01:40:14 PM
Weird thing - LOG000.LOG is in Chinese :o

Try interpreting it as ASCII (notepad, cat to a terminal etc, hex editor as a last resort).

sombree

Thanks, with cat I'm getting proper output which looks pretty much the same as yours - link.

dfort

Quote from: a1ex on November 10, 2017, 08:02:36 AM
Todo: try on 700D/100D/M/6D/M2 in QEMU and ask owners of these cameras to try on real hardware).

Tried on 700D:

Key event: b9 -> 0c00
[MPU] Sending : 06 05 06 0c 00 00  (GUI_SWITCH)
[MPU] Received: 06 05 03 19 01 00  (PROP_TFT_STATUS - spell #292)
[MPU] Received: 06 05 03 19 01 00  (PROP_TFT_STATUS - spell #292)
Save configs...
Opening serial flash...
Dumping serial flash... 100%
Closing serial flash...
Done!
[MPU] Received: 06 05 03 11 01 00  (unnamed - spell #14)


MD5 checks out between the SFDATA.BIN that was created on the camera and the one created in QEMU.


MD5 (/Users/rosiefort/qemu/700D/SFDATA.BIN) = bd83f093d587027a03922f47711b57da
MD5 (/Volumes/EOS_DIGITAL/ML/LOGS/SFDATA.BIN) = bd83f093d587027a03922f47711b57da


So is this really working? The SFDATA.BIN was needed to run QEMU on the 700D in the first place.

Back on topic -- will this work on the 80D in QEMU? Seems we are a long way away from getting the sf_dump module working on this camera.

Randyc714

I hope you can pull it off and it works on the 750d - I'd love to ditch the plugged in intervalometer and use ML like I could with a T3i!!

OlRivrRat

TATMBI (To Any1 That Might Be Interested)

Thanks to Clear Directions from DFort I have in My possession a Set of ROM Dumps from the 80D ~

EMail Me if You would like to have them to tinker with ~ [email protected] ~

ORR ~ DeanB
ORR~DeanB  ~~  80D-ML  &  SL1+ML  &  5D2+ML  &  5DC+ML  &  70D+ML(AliveAgain)

sombree

I've been playing a little with qemu and found this:

Sadly, console locks up after pushing any button.

Also, I think I've found stubs needed for sf_dump module:
/** File I/O **/
NSTUB(0xFE482A10 + 1,  FIO_CloseFile)
NSTUB(0xFE4834DC + 1,  FIO_FindClose)                           // proper name: FindClose
NSTUB(0xFE48345A + 1,  FIO_FindNextEx)
NSTUB(0xFE482890 + 1, _FIO_ReadFile)
NSTUB(0xFE482900 + 1,  FIO_SeekSkipFile)
NSTUB(0xFE4829A2 + 1, _FIO_WriteFile)
NSTUB(0xFE482FFE + 1, _FIO_CreateDirectory)
NSTUB(0xFE4827BA + 1, _FIO_CreateFile)
NSTUB(0xFE4833C6 + 1, _FIO_FindFirstEx)
NSTUB(0xFE482AFC + 1, _FIO_GetFileSize)
NSTUB(0xFE482744 + 1, _FIO_OpenFile)
NSTUB(0xFE482824 + 1, _FIO_RemoveFile)
// NSTUB(    ???, _FIO_RenameFile)

/** Serial Flash **/
NSTUB(0xFE344B2A + 1, SF_CreateSerial)
NSTUB(0xFE344AEE + 1, SF_readSerialFlash)
NSTUB(0xFE34663E + 1, SF_Destroy)

a1ex

Nice - starting from this screenshot (which confirmed there are serial flash routines in the bootloader), we might have found a way to dump the... serial flash contents directly from bootloader (750D, easy to port to other D6 models):

http://www.magiclantern.fm/forum/index.php?topic=17627.msg195297#msg195297

BTW, to play with the FROMUTILITY menu, all you have to do is to delete AUTOEXEC.BIN from the virtual card and leave it bootable (see the "fromutil" test in run_tests.sh).

sombree

Here is what I've found:
- 80D copies the blob to 0x40100000 too; the blob size is 0xC890; the blob starts at 0xFE0259B4
- 6. SROM Dump (SIO READ) is at 0xFE02A8A8
- 7. SROM Dump (QUAD READ) is at 0xFE02ABD8

When I try to execute this from reboot.c
    /* address of the SROM dump (SIO read) routine inside the copied blob */
    static void (*SF_test)(void) = (void*) 0x40104EF4;
    SF_test();

it shows proper output like "Read Address[0x000000-0x7FFF00]:0x".

Point is that when I'm doing this:
b *0x40104EF4
command
  silent
  print_current_location
  printf "sf_read_sio(%x { ", $r0
  set $addr = $r0
  while *(int*)$addr != -1
    printf "%x ", *(int*)$addr
    set $addr = $addr + 4
  end
  printf "-1 }, %x, %x, %x)\n", $r1, $r2, $r3
  c
end

console outputs this:
[CPU0] 408001CC: MCR p15,0,Rd,cr6,cr1,4:      DRACR <- 0x320      (P:RW U:RW; Inner Non-cacheable; Outer Non-cacheable; Non-shared)
[            :408002c8 ] sf_read_sio(0 { e59ff018 e59ff018 e59ff018 e59ff018 e59ff018 e320f000 e59ff018 e59ff018 fe020040 40800014 40800014 40800014 40800014 0 40800014 40800014 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

After tons of zeroes I have a lot of this:
and then
0 0 0 0 1 494d4448 0 0 0 0 0 0 0 1 49445541 4f 0 0 0 0 0 0 1 20554349 726556 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 -1 }, fffffff0, 0, 40104ef4)
Read Address[0x000000-0x7FFF00]:0x2345
[EEPROM] CS = 0
[DIGIC6]   at 0x40104584:40104FA4 [0xD20B0D8C] <- 0xC0003   : SPI
[EEPROM] Verbose: Got READ (03h)
[EEPROM] Verbose: address is now: 0x002345
[EEPROM] Verbose: Sent 256 bytes
[EEPROM] CS = 1
[DIGIC6]   at 0x401046E8:40104FA4 [0xD20B0D8C] <- 0xD0002   : SPI
          5  6  7  8  9  A  B  C  D  E  F  0  1  2  3  4
00002345 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
00002355 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
00002365 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
00002375 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
00002385 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
00002395 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
000023A5 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
000023B5 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
000023C5 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
000023D5 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
000023E5 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
000023F5 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
00002405 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
00002415 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
00002425 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
00002435 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF

What am I doing wrong?

Edit: Ok, I got it to work. Still, the output isn't exactly the same as yours from the 750D:
AUTOEXEC.BIN not found.
File not found.
[GPIO]     at 0x00101CE4:00101EE8 [0xD20B0A24] <- 0xC0003   : Card LED
[DIGIC6]   at 0x0010011C:00101EE8 [0xD203040C] <- 0x500     : MR (RAM manufacturer ID)
[DIGIC6]   at 0x0010011C:00101EE8 [0xD203040C] <- 0x20500   : MR (RAM manufacturer ID)
[DIGIC6]   at 0x0010011C:00101EE8 [0xD203040C] -> 0x3       : MR (RAM manufacturer ID)
[DIGIC6]   at 0x0010011C:00101EE8 [0xD203040C] <- 0x600     : MR (RAM manufacturer ID)
[DIGIC6]   at 0x0010011C:00101EE8 [0xD203040C] <- 0x20600   : MR (RAM manufacturer ID)
[DIGIC6]   at 0x0010011C:00101EE8 [0xD203040C] -> 0x1       : MR (RAM manufacturer ID)
[FlashIF]  at 0x00101648:00101B4C [0xC0000000] -> 0x0       : ???
[FlashIF]  at 0x00101648:00101B4C [0xC0000000] <- 0x1000000 : ???
[FlashIF]  at 0x00101648:00101B4C [0xC0000010] <- 0xD9C50000: 'Write enable' enabled
[ROM1:2]   at 0x00101B4C:00101B4C [0xFC000AAA] <- 0xAA      : ???
[ROM1:2]   at 0x00101B4C:00101B4C [0xFC000554] <- 0x55      : ???
[ROM1:2]   at 0x00101B4C:00101B4C [0xFC000AAA] <- 0x90      : ???
[ROM1:2]   at 0x00101B4C:00101B4C [0xFC000000] <- 0xF0      : ???
[FlashIF]  at 0x00101668:00101B80 [0xC0000010] <- 0x0       : 'Write enable' disabled
[DIGIC6]   at 0x00100150:00101B80 [0xD6060000] -> 0x0       : E-FUSE

************ FROMUTILITY MENU Ver 0.07 ************
[Type:350 Body:DC Revision:0.00]
[RAM:0x3(MICRON)(Rev:0x1)) ROM:0x8 E-FUSE:0x0]
0.Exit from FROM Menu
1.Erase Sector
2.Erase Chip
3.Erase Firm Area
4.Write from card
5.Write from DRAM
6.Firm   flag 0xFC040000 0x00000000 ON
7.Boot   flag 0xFC040004 0xFFFFFFFF ON
8.UpDate flag 0xFC04000C 0xFFFFFFFF OFF
9.Create Boot Disk
A.Exec Program from card
G.Memory Dump
I.Write Data
J.Direct Jump
S.SROM Menu
U.Firm update
V.BOOT.BIN RESOURCE.BIN CIPHER.BIN update
Z.BRCBIND.BIN update
>>s
[DIGIC6]   at 0x0010574C:0010087C [0xD2090008] -> 0x10004   : CLOCK_ENABLE
[DIGIC6]   at 0x0010574C:0010087C [0xD2090008] <- 0x210004  : CLOCK_ENABLE

**** SROM(SIO2) Menu ****
0.Exit from SROM Menu
1.Erase Chip   0x00800000
2.Erase Block  0x00010000
3.Erase Sector 0x00001000
4.Write Data
5.Write from Card
6.SROM Dump(SIO Read)
7.SROM Dump(QUAD Read)
8.Get Info
>>6
Read Address[0x000000-0x7FFF00]:0x1234
[            :00104fa0 ] sf_read_sio(80000f10 { 3 0 12 34 -1 }, 80000b10, 100, 1)
[EEPROM] CS = 0
[DIGIC6]   at 0x00104588:00104FA4 [0xD20B0D8C] <- 0xC0003   : SPI
[EEPROM] Verbose: Got READ (03h)
[EEPROM] Verbose: address is now: 0x001234
[EEPROM] Verbose: Sent 256 bytes
[EEPROM] CS = 1
[DIGIC6]   at 0x001046E8:00104FA4 [0xD20B0D8C] <- 0xD0002   : SPI
          4  5  6  7  8  9  A  B  C  D  E  F  0  1  2  3
00001234 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
00001244 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
00001254 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
00001264 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
00001274 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
00001284 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
00001294 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
000012A4 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
000012B4 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
000012C4 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
000012D4 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
000012E4 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
000012F4 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
00001304 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
00001314 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
00001324 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF

**** SROM(SIO2) Menu ****
0.Exit from SROM Menu
1.Erase Chip   0x00800000
2.Erase Block  0x00010000
3.Erase Sector 0x00001000
4.Write Data
5.Write from Card
6.SROM Dump(SIO Read)
7.SROM Dump(QUAD Read)
8.Get Info
>>8
[            :001056bc ] sf_read_sio(80000f3c { 3 0 0 0 -1 }, 80000f0c, c, 1)
[EEPROM] CS = 0
[DIGIC6]   at 0x00104588:001056C0 [0xD20B0D8C] <- 0xC0003   : SPI
[EEPROM] Verbose: Got READ (03h)
[EEPROM] Verbose: address is now: 0x000000
[EEPROM] Verbose: Sent 12 bytes
[EEPROM] CS = 1
[DIGIC6]   at 0x001046E8:001056C0 [0xD20B0D8C] <- 0xD0002   : SPI
0x80000325

**** SROM(SIO2) Menu ****
0.Exit from SROM Menu
1.Erase Chip   0x00800000
2.Erase Block  0x00010000
3.Erase Sector 0x00001000
4.Write Data
5.Write from Card
6.SROM Dump(SIO Read)
7.SROM Dump(QUAD Read)
8.Get Info
>>7
Read Addr[0x000000-0x7FFF00]:0x1234
Read Size[0x4-0x800000]:0x100
[            :00105194 ] sf_read_sio(80000ee8 { 9f -1 }, 80000edc, 3, 1)
[EEPROM] CS = 0
[DIGIC6]   at 0x00104588:00105198 [0xD20B0D8C] <- 0xC0003   : SPI
[EEPROM] Verbose: Got RDID
[EEPROM] Verbose: READ in RDID = C2h
[EEPROM] Verbose: READ in RDID = 10h
[EEPROM] Verbose: READ in RDID = 0Ch
[EEPROM] CS = 1
[DIGIC6]   at 0x001046E8:00105198 [0xD20B0D8C] <- 0xD0002   : SPI
MID=0xC2
[            :0010473c ] sf_read_sio(80000ebc { 6 -1 }, 0, 0, 1)
[EEPROM] CS = 0
[DIGIC6]   at 0x00104588:00104740 [0xD20B0D8C] <- 0xC0003   : SPI
[EEPROM] Verbose: Set Write Enable Latch
[EEPROM] CS = 1
[DIGIC6]   at 0x001046E8:00104740 [0xD20B0D8C] <- 0xD0002   : SPI
[            :00104768 ] sf_read_sio(80000ebc { 5 -1 }, 80000eb4, 1, 1)
[EEPROM] CS = 0
[DIGIC6]   at 0x00104588:0010476C [0xD20B0D8C] <- 0xC0003   : SPI
[EEPROM] Verbose: [SR] >> 0x2
[EEPROM] CS = 1
[DIGIC6]   at 0x001046E8:0010476C [0xD20B0D8C] <- 0xD0002   : SPI
[            :001047b4 ] sf_read_sio(80000ee8 { 1 40 -1 }, 0, 0, 1)
[EEPROM] CS = 0
[DIGIC6]   at 0x00104588:001047B8 [0xD20B0D8C] <- 0xC0003   : SPI
[EEPROM] Verbose: [SR] << ...
[EEPROM] Verbose: [SR] << 0x40
[EEPROM] CS = 1
[DIGIC6]   at 0x001046E8:001047B8 [0xD20B0D8C] <- 0xD0002   : SPI
[            :001047d8 ] sf_read_sio(80000ebc { 5 -1 }, 80000eb4, 1, 1)
[EEPROM] CS = 0
[DIGIC6]   at 0x00104588:001047DC [0xD20B0D8C] <- 0xC0003   : SPI
[EEPROM] Verbose: [SR] >> 0x40
[EEPROM] CS = 1
[DIGIC6]   at 0x001046E8:001047DC [0xD20B0D8C] <- 0xD0002   : SPI
[            :0010482c ] sf_read_sio(80000ebc { 4 -1 }, 0, 0, 1)
[EEPROM] CS = 0
[DIGIC6]   at 0x00104588:00104830 [0xD20B0D8C] <- 0xC0003   : SPI
[EEPROM] Verbose: Reset Write Enable Latch
[EEPROM] CS = 1
[DIGIC6]   at 0x001046E8:00104830 [0xD20B0D8C] <- 0xD0002   : SPI
[            :00104850 ] sf_read_sio(80000ebc { 5 -1 }, 80000eb4, 1, 1)
[EEPROM] CS = 0
[DIGIC6]   at 0x00104588:00104854 [0xD20B0D8C] <- 0xC0003   : SPI
[EEPROM] Verbose: [SR] >> 0x40
[EEPROM] CS = 1
[DIGIC6]   at 0x001046E8:00104854 [0xD20B0D8C] <- 0xD0002   : SPI
[EEPROM] CS = 0
[DIGIC6]   at 0x001052E0:00104854 [0xD20B0D8C] <- 0xC0003   : SPI
[EEPROM] Verbose: Got QOFR (6Bh)
[EEPROM] Verbose: address is now: 0x001234
[DIGIC6]   at 0x00105330:00105330 [0xD20B0D80] <- 0xA0005   : ???
[DIGIC6]   at 0x00105330:00105330 [0xD20B0D84] <- 0xA0005   : ???
[DIGIC6]   at 0x00105330:00105330 [0xD20B0D88] <- 0xA0005   : ???
[DIGIC6]   at 0x00105330:00105330 [0xD20B0A14] <- 0xF       : ???
[DIGIC6]   at 0x00105330:00105330 [0xD20B0A10] <- 0xF       : ???
[DIGIC6]   at 0x00105330:00105330 [0xD20B0A0C] <- 0xF       : ???
[DIGIC6]   at 0x00105330:00105330 [0xD20B0A08] <- 0xF       : ???
[DIGIC6]   at 0x00105330:00105330 [0xD20B0A04] <- 0xF       : ???
[DIGIC6]   at 0x00105330:00105330 [0xD20B0A00] <- 0xF       : ???
[DIGIC6]   at 0x00105330:00105330 [0xD209065C] <- 0x1       : ???
[SFIO]     at 0x0010537C:0010537C [0xC8070004] <- 0x1       : ???
[SFIO]     at 0x0010537C:0010537C [0xC8070090] <- 0xFFBFFFF9: ???
[SFIO]     at 0x0010537C:0010537C [0xC8070000] <- 0x0       : ???
[SFIO]     at 0x0010537C:0010537C [0xC8070018] <- 0xFF      : init?
[SFIO]     at 0x0010537C:0010537C [0xC807001C] <- 0x0       : ???
[SFIO]     at 0x0010537C:0010537C [0xC807002C] <- 0x80002701: response setup?
[SFIO]     at 0x0010537C:0010537C [0xC8070030] <- 0x0       : ???
[SFIO]     at 0x0010537C:0010537C [0xC8070070] <- 0xFFFF    : transfer status?
[SFIO]     at 0x0010537C:0010537C [0xC8070058] <- 0x3       : bus width
[SFIO]     at 0x0010537C:0010537C [0xC8070064] <- 0x610103  : bus width
[SFIO]     at 0x0010537C:0010537C [0xC8070074] <- 0x0       : ???
[SFIO]     at 0x0010537C:0010537C [0xC8070078] <- 0xFF      : ???
[SFIO]     at 0x0010537C:0010537C [0xC80700D0] <- 0x11040606: ???
[SFIO]     at 0x001053DC:0010537C [0xC8070068] <- 0x100     : read block size
[SFIO]     at 0x00105400:001053F4 [0xC807007C] <- 0x1       : transfer block count
[SFIO]     at 0x0010540C:001053F4 [0xC8070010] <- 0x0       : Status
[SFIO]     at 0x0010540C:001053F4 [0xC8070048] <- 0xFFFFFFFF: ???
[SFIO]     at 0x0010540C:001053F4 [0xC807004C] <- 0xFFFFFF  : ???
[SFIO]     at 0x0010540C:001053F4 [0xC8070050] <- 0xFFFFFFFF: ???
[SFIO]     at 0x0010540C:001053F4 [0xC8070054] <- 0xFFFFFF  : ???
[SFIO]     at 0x0010540C:001053F4 [0xC8070008] <- 0xF1      : DMA
[*unk*]    at 0x00105448:001053F4 [0xC8030000] <- 0x40800000: ???
[*unk*]    at 0x00105448:001053F4 [0xC8030004] <- 0x100     : ???
[*unk*]    at 0x00105448:001053F4 [0xC8030014] <- 0x0       : ???
[*unk*]    at 0x00105448:001053F4 [0xC8030018] <- 0x3       : ???
[*unk*]    at 0x00105448:001053F4 [0xC8030010] <- 0x39      : ???
[DIGIC6]   at 0x00105448:001053F4 [0xD20B0A14] <- 0xC0003   : ???
[DIGIC6]   at 0x00105448:001053F4 [0xD20B0A10] <- 0xA0005   : ???
[DIGIC6]   at 0x001050D0:00105478 [0xD2090630] <- 0x0       : ???
[DIGIC6]   at 0x001050D0:00105478 [0xD2090640] <- 0x104     : ???
[DIGIC6]   at 0x001050D0:00105478 [0xD2090644] <- 0x1D000002: ???
[DIGIC6]   at 0x001050D0:00105478 [0xD2090648] <- 0x0       : ???
[DIGIC6]   at 0x001050D0:00105478 [0xD2090654] <- 0x403     : ???
[DIGIC6]   at 0x001050D0:00105478 [0xD2090658] <- 0x403     : ???
[DIGIC6]   at 0x001050D0:00105478 [0xD209064C] <- 0x302     : ???
[DIGIC6]   at 0x001050D0:00105478 [0xD2090650] <- 0x403     : ???
[DIGIC6]   at 0x001050D0:00105478 [0xD2090634] <- 0x3       : ???
[DIGIC6]   at 0x0010511C:0010511C [0xD2090638] <- 0x1       : ???
[DIGIC6]   at 0x0010511C:0010511C [0xD209063C] <- 0x1       : ???
[SFIO]     at 0x00105478:0010511C [0xC8070024] <- 0x5100    : cmd_hi
[SFIO]     at 0x00105478:0010511C [0xC8070020] <- 0x1       : cmd_lo
[SFIO]     at 0x00105478:0010511C [0xC8070028] <- 0x30      : Response size (bits)
[SFIO]     at 0x00105478:0010511C [0xC807002C] <- 0x80002701: response setup?
[SFIO]     at 0x00105478:0010511C [0xC8070010] <- 0x0       : Status
[SFIO] sdio_send_command (UNHANDLED)
[SFIO]     at 0x00105478:0010511C [0xC807000C] <- 0x14      : Command flags?
[DIGIC6]   at 0x0010512C:001054AC [0xD209063C] <- 0x0       : ???
[DIGIC6]   at 0x00105144:00105144 [0xD2090638] <- 0x80000000: ???
[DIGIC6]   at 0x001054B4:001054B4 [0xD20B0A14] <- 0xF       : ???
[DIGIC6]   at 0x001050D0:001054C0 [0xD2090630] <- 0x0       : ???
[DIGIC6]   at 0x001050D0:001054C0 [0xD2090640] <- 0x104     : ???
[DIGIC6]   at 0x001050D0:001054C0 [0xD2090644] <- 0x1D000002: ???
[DIGIC6]   at 0x001050D0:001054C0 [0xD2090648] <- 0x0       : ???
[DIGIC6]   at 0x001050D0:001054C0 [0xD2090654] <- 0x403     : ???
[DIGIC6]   at 0x001050D0:001054C0 [0xD2090658] <- 0x403     : ???
[DIGIC6]   at 0x001050D0:001054C0 [0xD209064C] <- 0x302     : ???
[DIGIC6]   at 0x001050D0:001054C0 [0xD2090650] <- 0x403     : ???
[DIGIC6]   at 0x001050D0:001054C0 [0xD2090634] <- 0x3       : ???
[DIGIC6]   at 0x0010511C:0010511C [0xD2090638] <- 0x1       : ???
[DIGIC6]   at 0x0010511C:0010511C [0xD209063C] <- 0x1       : ???
[*unk*]    at 0x00105558:0010511C [0xC8030010] -> 0x0       : ???
[SFIO]     at 0x00105584:0010511C [0xC8070010] -> 0x200001  : Status
[SFIO]     at 0x001055AC:0010511C [0xC8070008] <- 0x0       : DMA
[DIGIC6]   at 0x0010512C:001055B4 [0xD209063C] <- 0x0       : ???
[DIGIC6]   at 0x00105144:00105144 [0xD2090638] <- 0x80000000: ???
[DIGIC6]   at 0x001055B4:00105144 [0xD209065C] <- 0x0       : ???
[EEPROM] CS = 1
[DIGIC6]   at 0x001055B4:00105144 [0xD20B0D8C] <- 0xD0002   : SPI
[DIGIC6]   at 0x001055B4:00105144 [0xD20B0D80] <- 0xF       : ???
[DIGIC6]   at 0x001055B4:00105144 [0xD20B0D84] <- 0xF       : ???
[DIGIC6]   at 0x001055B4:00105144 [0xD20B0D88] <- 0xF       : ???
[DIGIC6]   at 0x001055B4:00105144 [0xD20B0A14] <- 0xA0005   : ???
[DIGIC6]   at 0x001055B4:00105144 [0xD20B0A0C] <- 0xA0005   : ???
[DIGIC6]   at 0x001055B4:00105144 [0xD20B0A08] <- 0xA0005   : ???
[DIGIC6]   at 0x001055B4:00105144 [0xD20B0A04] <- 0xA0005   : ???
[DIGIC6]   at 0x001055B4:00105144 [0xD20B0A00] <- 0xA0005   : ???
          0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
40800000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
40800010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
40800020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
40800030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
40800040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
40800050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
40800060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
40800070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
40800080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
40800090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
408000A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
408000B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
408000C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
408000D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
408000E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
408000F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

**** SROM(SIO2) Menu ****
0.Exit from SROM Menu
1.Erase Chip   0x00800000
2.Erase Block  0x00010000
3.Erase Sector 0x00001000
4.Write Data
5.Write from Card
6.SROM Dump(SIO Read)
7.SROM Dump(QUAD Read)
8.Get Info

a1ex

The output looks quite good.

Next step would be to dump 8MB of serial flash data (starting from address 0) and save it to a file. This part is very easy.
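The dump step sketched above, written out as an added example (not code from the thread or from Magic Lantern): it builds the { 03, A23..16, A15..8, A7..0, -1 } command arrays the gdb hook printed, reads the 8 MB part page by page through a function pointer with the sf_read_sio(cmd, out, size, toggle_cs) signature inferred from the trace, and writes the image to a file. The camera routine is replaced here by a constructed simulated flash so the code runs offline; the RDID bytes it answers with mirror the ones in the trace.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Calling convention inferred from the gdb hook output in this thread:
 * sf_read_sio(cmd, out_buffer, out_size, toggle_cs), where cmd is an array of
 * 32-bit values (opcode, then argument bytes) terminated by -1. */
typedef int (*sf_cmd_fn)(uint32_t cmd[], void *out, int out_size, int toggle_cs);

#define SF_SIZE      0x800000u  /* 8 MB, the "Erase Chip 0x00800000" size in the SROM menu */
#define SF_PAGE      0x100u     /* 256 bytes per SIO read, as in the trace */
#define SF_CMD_READ  0x03       /* READ (03h) */
#define SF_CMD_RDID  0x9F       /* RDID: JEDEC manufacturer/device ID */

/* Build { 03, A23..16, A15..8, A7..0, -1 } for a 24-bit address;
 * e.g. 0x1234 -> { 3 0 12 34 -1 }, exactly what the hook printed. */
void sf_build_read_cmd(uint32_t addr, uint32_t cmd[5])
{
    cmd[0] = SF_CMD_READ;
    cmd[1] = (addr >> 16) & 0xFF;
    cmd[2] = (addr >> 8) & 0xFF;
    cmd[3] = addr & 0xFF;
    cmd[4] = (uint32_t)-1;
}

/* Read the manufacturer ID byte via RDID; returns -1 on failure. */
int sf_read_mid(sf_cmd_fn fn)
{
    uint32_t cmd[2] = { SF_CMD_RDID, (uint32_t)-1 };
    uint8_t id[3] = { 0 };
    if (fn(cmd, id, sizeof id, 1) < 0) return -1;
    return id[0];
}

/* Dump [0, size) page by page into dst; returns the number of pages read,
 * or -1 if the flash routine reports an error. */
long sf_dump(sf_cmd_fn fn, uint8_t *dst, uint32_t size)
{
    long pages = 0;
    for (uint32_t addr = 0; addr < size; addr += SF_PAGE) {
        uint32_t cmd[5];
        uint32_t chunk = (size - addr < SF_PAGE) ? size - addr : SF_PAGE;
        sf_build_read_cmd(addr, cmd);
        if (fn(cmd, dst + addr, (int)chunk, 1) < 0) return -1;
        pages++;
    }
    return pages;
}

/* Dump the whole part to a file (the "save it to a file" step). Returns 0 on success. */
int sf_dump_to_file(sf_cmd_fn fn, const char *path)
{
    static uint8_t image[SF_SIZE];
    if (sf_dump(fn, image, SF_SIZE) < 0) return -1;
    FILE *f = fopen(path, "wb");
    if (!f) return -1;
    size_t n = fwrite(image, 1, sizeof image, f);
    return (fclose(f) == 0 && n == sizeof image) ? 0 : -1;
}

/* ---- Simulated flash: a constructed stand-in for the camera routine ---- */
static uint8_t sim_flash[SF_SIZE];

/* Answers READ and RDID the way the QEMU EEPROM model in the trace does. */
int sim_sf_command_sio(uint32_t cmd[], void *out, int out_size, int toggle_cs)
{
    (void)toggle_cs;
    uint8_t *dst = out;
    if (cmd[0] == SF_CMD_RDID) {
        const uint8_t id[3] = { 0xC2, 0x10, 0x0C };  /* RDID bytes seen in the trace */
        for (int i = 0; i < out_size && i < 3; i++) dst[i] = id[i];
        return 0;
    }
    if (cmd[0] == SF_CMD_READ && cmd[4] == (uint32_t)-1) {
        uint32_t addr = (cmd[1] << 16) | (cmd[2] << 8) | cmd[3];
        for (int i = 0; i < out_size; i++)
            dst[i] = sim_flash[(addr + i) % SF_SIZE];  /* wraps like a real part */
        return 0;
    }
    return -1;  /* unhandled opcode */
}

/* Fill the simulated part with a recognisable pattern (constructed data). */
void sim_fill(void)
{
    for (uint32_t i = 0; i < SF_SIZE; i++)
        sim_flash[i] = (uint8_t)(i ^ (i >> 8) ^ (i >> 16));
}

int main(void)
{
    sim_fill();
    printf("MID=0x%02X\n", sf_read_mid(sim_sf_command_sio));
    return sf_dump_to_file(sim_sf_command_sio, "SFDATA.BIN");
}
```

On a camera, sim_sf_command_sio would be swapped for a pointer to the bootloader's real entry point; the address must be the function's first instruction, not an instruction part-way through it.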

sombree

Ok, so with this
b *0x104588
command
  silent
  print_current_location
  printf "sf_read_sio(%x { ", $r0
  set $addr = $r0
  while *(int*)$addr != -1
    printf "%x ", *(int*)$addr
    set $addr = $addr + 4
  end
  printf "-1 }, %x, %x, %x)\n", $r1, $r2, $r3
  c
end

I have output like this
>>6
Read Address[0x000000-0x7FFF00]:0x10000
[            :00104fa0 ] sf_read_sio(80000f10 { 3 1 0 0 -1 }, 80000b10, 100, 1)
[EEPROM] CS = 0
[DIGIC6]   at 0x00104588:00104FA4 [0xD20B0D8C] <- 0xC0003   : SPI
[EEPROM] Verbose: Got READ (03h)
[EEPROM] Verbose: address is now: 0x010000
[EEPROM] Verbose: Sent 256 bytes
[EEPROM] CS = 1
[DIGIC6]   at 0x001046E8:00104FA4 [0xD20B0D8C] <- 0xD0002   : SPI
          0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
00010000 0F FF F0 00 00 00 01 20 00 00 00 00 18 CB C1 20
00010010 00 00 00 00 0F 00 20 00 00 00 00 00 10 C0 00 00
00010020 0F FF FF FF F0 10 00 00 10 C0 00 00 0F EA FD CB
00010030 A0 80 00 00 11 80 00 00 00 00 00 00 00 00 00 00
00010040 00 00 00 00 00 00 00 00 00 20 00 00 11 80 00 00
00010050 04 64 13 23 33 23 23 33 03 60 00 00 00 00 00 00
00010060 00 30 00 00 10 C0 00 00 00 41 00 00 00 40 00 00
00010070 10 C0 00 00 0E 40 C0 00 00 60 00 00 11 00 00 00
00010080 05 D0 00 00 08 F1 02 1D 80 70 00 00 11 00 00 00
00010090 04 94 D4 75 F0 00 00 00 00 90 00 00 10 C0 00 00
000100A0 00 00 00 00 00 A0 00 00 10 C0 00 00 00 00 00 00
000100B0 00 B0 00 00 11 00 00 00 00 00 00 00 00 00 00 00
000100C0 00 C0 00 00 11 C0 00 00 00 77 41 9B FD 64 35 76
000100D0 F9 C4 26 39 E7 26 88 EC 3B FF 24 7C 51 10 00 00
000100E0 1D 00 10 00 00 00 00 00 00 90 00 04 00 00 00 00
000100F0 02 80 00 00 0B 48 69 C0 00 00 00 00 01 A0 10 00

which means logging hook is alive, right?

But when I have this in reboot.c:
static int (*sf_command_sio)(uint32_t command[], void * out_buffer, int out_buffer_size, int toggle_cs) = (void*) 0x104588;
char buffer[0x100];
int addr = 0x10000;
sf_command_sio((uint32_t[]) {3, (addr >> 16) & 0xFF, (addr >> 8) & 0xFF, addr & 0xFF, -1}, buffer, sizeof(buffer), 1);

emulation (./run_canon_fw.sh 80D,firmware="boot=1" -d io,sflash) ends with
03C30000: Palette[E] -> R195 G195 B195
03EB0000: Palette[F] -> R235 G235 B235
[DIGIC6]   at 0x40800C38:40804598 [0xD20139A0] <- 0x1       : Bootloader palette confirm
[DIGIC6]   at 0x40800A30:40800A04 [0xD2030108] <- 0x440000  : BMP VRAM
[ROM1:4]   at 0x00104588:408002F4 [0xFC040D8C] <- 0x104588  : ???
[EEPROM] Verbose: Got READ (03h)
[EEPROM] Verbose: address is now: 0x010000
[ROM1:4]   at 0x001046E8:408002F4 [0xFC040D8C] <- 0xD0002   : ???


Probably it's something obvious as I'm not good at coding.

a1ex


int addr = 0x10000;

matches:

[EEPROM] Verbose: address is now: 0x010000


however, the chip select signal is wrong (either uninitialized or there is some sort of memory corruption):

[ROM1:4]   at 0x00104588:408002F4 [0xFC040D8C] <- 0x104588  : ???


From your second log:

[            :00104fa0 ] sf_read_sio(80000f10 { 3 0 12 34 -1 }, 80000b10, 100, 1)
[            :001056bc ] sf_read_sio(80000f3c { 3 0 0 0 -1 }, 80000f0c, c, 1)
[            :0010473c ] sf_read_sio(80000ebc { 6 -1 }, 0, 0, 1)
...


All these addresses have this instruction:

BL              sub_10456C


and 0x104588 is somewhere in the middle of that function.

The registers we are interested in (R0-R3) were not changed until that point, which is why the logging hook worked just fine.

What happened? Play this game and you'll find the answer after a few levels :D

t3r4n

Based on the ideas of a1ex I've started a dumper tool (look here: https://www.magiclantern.fm/forum/index.php?topic=17627.msg195393#msg195393). Happy hacking.

sombree

I can confirm that 0x10456C is the correct address for the 80D. Also I'm able to dump the serial flash in qemu using t3r4n's code :D

@t3r4n - to be able to save the file you need part of the dump_rom_with_canon_routines function:
    init_boot_file_io_stubs();

    /* are we calling the right stubs? */

    if (!boot_open_write)
    {
        print_line(COLOR_RED, 2, " - Boot file write stub not set.\n");
        fail();
    }

    if (MEM(boot_open_write)  != 0xe92d47f0)
    {
        print_line(COLOR_RED, 2, " - Boot file write stub incorrect.\n");
        printf(" - Address: %X   Value: %X\n", boot_open_write, MEM(boot_open_write));
        fail();
    }

    if (!boot_card_init)
    {
        print_line(COLOR_YELLOW, 2, " - Card init stub not found.\n");
    }

    if ((((uint32_t)boot_open_write & 0xF0000000) == 0xF0000000) ||
        (((uint32_t)boot_card_init  & 0xF0000000) == 0xF0000000))
    {
        print_line(COLOR_YELLOW, 2, " - Boot file I/O stubs called from ROM.");
    }

    if (boot_card_init)
    {
        /* not all cameras need this, but some do */
        printf(" - Init SD... (%X)\n", boot_card_init);
        boot_card_init();
    }


Edit: dump from qemu with SFDATA.BIN from 80D - link.

Also I've checked sf dumper in qemu with 8MB SFDATA.BIN from 700D. Sadly, sha1 is different for each file:
47b4da39f459c4a6d14a2458fa0ab8d2671b6402  /media/sombre/EOS_DIGITAL/SFDATA.BIN
955714c9ea9d60045ff57325ddf3b6a825a2d0b2  /home/sombre/Documents/temp2/qemu/80D/SFDATA.BIN


Edit2: Checked sha1 again, but this time using the 16MB sfdata.bin from the camera, and now it's fine :)
3b4417fc421cee30a9ad0fd9319220a8dae32da2  /home/sombre/Documents/temp2/qemu/80D/SFDATA.BIN
3b4417fc421cee30a9ad0fd9319220a8dae32da2  /media/sombre/EOS_DIGITAL/SFDATA.BIN

goldenchild9to5

Great work guys..  :D

t3r4n

@sombree:
I've changed the code so that it will initialise the Canon routines if you compile only with the CONFIG_BOOT_SROM_DUMPER=y option, but also with CONFIG_BOOT_DUMPER=y, so both routines or just one can be selected for the image.

@all:
- the code is prepared for more models, and modularised as described above
- still todo:
   - the byte vs char stuff, to get it correct
   - make it work on my camera :(  qemu works fine for me now, but the camera is still unwilling to put anything other than 0x00 into the file  :'(.

sombree

@t3r4n
Have you tried to dump only 0x100 (256 bytes, default value) starting from 0x10000?

t3r4n


a1ex

This wrapper may help. Maybe a bit slow*), but...

*) "You can use several loads with a wheelbarrow, many loads with a bucket, or lots and lots of loads with a spoon" (Absolute FreeBSD, 2nd Ed.)


static void sf_read(uint32_t addr, uint8_t * buf, int size)
{
    static uint32_t teaspoon[0x100];

    for (int i = 0; i < size; i++)
    {
        if (i % COUNT(teaspoon) == 0)
        {
            uint32_t a = addr + i;
            sf_command_sio((uint32_t[]) {3, (a >> 16) & 0xFF, (a >> 8) & 0xFF, a & 0xFF, -1}, teaspoon, COUNT(teaspoon), 1);
        }

        buf[i] = teaspoon[i % COUNT(teaspoon)];
    }
}


Happy new year!

Theta Sigma

To think the 40D and the 80D might be on the cusp of being freed from their shackles is inspiring. :)

sombree

@a1ex
I've tried this wrapper but got the same result as t3r4n - in qemu it works, in the camera I'm getting only zeroes.

t3r4n

Yeah, in the meantime I even tried to dump some bytes to the screen (like the original function did) to make sure it is not the file writing that is wrong, but to no avail.
So the next thing I did was to modify the rom dumper and look at what is in memory (at the moment only the copied section 0xX0100000 to ..e500). So far the following discoveries (using radiff2 from radare2):
- addresses 0x0000e470, 0x0000e480 are different every time. No other difference if I take a photo in the meantime (so no "shutter count"). This is true on qemu and cam.
- on the cam 0x0000e495 differs between starts, and on qemu 0x0000e496; also some more differences in that area between the two "architectures".

Will include a1ex's wrapper and make a push later.

BTW: Wouldn't it be better to move to the RE section and do a "Joint digic6" thread?

a1ex

This means, some additional hardware initialization may be required.


./run_canon_fw.sh 80D,firmware="boot=1" -d io,sflash

AUTOEXEC.BIN not found.
File not found.

(some I/O activity, unlikely to be any of these)

S.SROM Menu

>>s
[DIGIC6]   at 0x0010575C:0010087C [0xD2090008] -> 0x10004   : CLOCK_ENABLE
[DIGIC6]   at 0x00105764:0010087C [0xD2090008] <- 0x210004  : CLOCK_ENABLE

**** SROM(SIO2) Menu ****
...

>>0
Exit
[DIGIC6]   at 0x00105804:0010690C [0xD2090008] <- 0x10004   : CLOCK_ENABLE


That must be it - the clock_enable register is used to power various devices (for example, SD and display initialization also use something similar).

Before attempting to read the SROM contents, try this:

*(volatile uint32_t *)0xD2090008 |= 0x200000;

sombree

I'm still getting only zeroes on the real camera.
What about these lines? They appear when booting into the FROMUTILITY menu in qemu too.
[DIGIC6]   at 0xFE020400:FE02013C [0xD2090008] -> 0x0       : CLOCK_ENABLE
[DIGIC6]   at 0xFE020400:FE02013C [0xD2090008] <- 0x10004   : CLOCK_ENABLE


a1ex

These happen before loading autoexec.bin. You could try printing this register's value on the screen: *(volatile uint32_t*)0xD2090008 (maybe before and after setting the above flag, to make sure it worked).

BTW, the SROM menu code also calls 0x105710 (no arguments) after setting 0x200000; try calling that too:


*(volatile uint32_t *)0xD2090008 |= 0x200000;
void (*srom_init_maybe)(void) = (void *) 0x105710;
srom_init_maybe();


That function also does some I/O (visible with -d io,sflash,v):


[DIGIC6]   at 0x0010575C:0010087C [0xD2090008] -> 0x10004   : CLOCK_ENABLE
[DIGIC6]   at 0x00105764:0010087C [0xD2090008] <- 0x210004  : CLOCK_ENABLE
[SIO2-SF]  at 0x0010572C:0010576C [0xC0820208] <- 0x1       : ???
[SIO2-SF]  at 0x00105734:0010576C [0xC0820200] <- 0x0       : ???
[SIO2-SF]  at 0x00105738:0010576C [0xC0820210] <- 0x0       : write mode?
[SIO2-SF]  at 0x0010573C:0010576C [0xC0820214] <- 0x0       : ???
[SIO2-SF]  at 0x00105744:0010576C [0xC0820238] <- 0xA00408  : mode
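Worked example added by the editor, not code from this thread or from Magic Lantern: a simulated serial flash driven through the same READ (03h) + 24-bit-address command framing the thread's wrapper uses, with a chunked reader that also copes with a read size that is not a multiple of 256, and a validity check that catches the "only zeroes" dump discussed above. The mock routine sf_command_sio_mock, the flash contents and the flash_ready flag are constructed assumptions standing in for the camera's SIO routine, the real chip and the CLOCK_ENABLE / srom_init_maybe() state; the one-byte-per-32-bit-word output layout is also an assumption, mirroring how the wrapper above indexes its buffer (the byte-vs-char question is still listed as open in the thread).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for the camera's serial flash: 64 KiB of
 * deterministic pseudo-random bytes (the real chip is 8 or 16 MiB). */
#define FLASH_SIZE 0x10000u
#define CHUNK      0x100
static uint8_t flash[FLASH_SIZE];
static int flash_ready = 0;   /* 0 models the bus before CLOCK_ENABLE / srom_init_maybe() */

void flash_init(void)
{
    uint32_t x = 0x12345678u;
    for (size_t i = 0; i < FLASH_SIZE; i++) {
        x = x * 1664525u + 1013904223u;        /* LCG, constructed data */
        flash[i] = (uint8_t)(x >> 24);
    }
}

/* Hypothetical mock of the Canon SIO read routine, using the thread's
 * calling convention: command words terminated by 0xFFFFFFFF (-1), then
 * the output buffer and its size. Assumption: one byte lands in each
 * 32-bit output word, which is how the thread's wrapper indexes its buffer. */
int sf_command_sio_mock(uint32_t command[], void *out_buffer, int out_buffer_size, int toggle_cs)
{
    (void)toggle_cs;
    uint32_t *out = out_buffer;
    int n = 0;
    while (command[n] != 0xFFFFFFFFu) n++;
    if (n != 4 || command[0] != 0x03) return -1;   /* only READ (03h) + 24-bit address is modelled */
    uint32_t addr = (command[1] << 16) | (command[2] << 8) | command[3];
    for (int i = 0; i < out_buffer_size; i++) {
        uint32_t a = addr + (uint32_t)i;
        /* an un-initialised bus reads back as zeros: the "only zeroes" symptom */
        out[i] = (flash_ready && a < FLASH_SIZE) ? flash[a] : 0;
    }
    return 0;
}

/* Chunked reader: one READ per 256-byte chunk, the last chunk may be short.
 * Returns the number of bytes copied, or -1 if a command was rejected. */
int sf_read_chunked(uint32_t addr, uint8_t *buf, size_t size)
{
    static uint32_t chunk[CHUNK];
    size_t done = 0;
    while (done < size) {
        uint32_t a = addr + (uint32_t)done;
        size_t n = (size - done < CHUNK) ? size - done : CHUNK;
        uint32_t cmd[] = { 0x03, (a >> 16) & 0xFF, (a >> 8) & 0xFF, a & 0xFF, 0xFFFFFFFFu };
        if (sf_command_sio_mock(cmd, chunk, (int)n, 1) != 0) return -1;
        for (size_t i = 0; i < n; i++) buf[done + i] = (uint8_t)chunk[i];
        done += n;
    }
    return (int)done;
}

/* A dump that is entirely 0x00 or entirely 0xFF is far more likely to be a
 * dead bus than a blank chip; refuse to trust it. Returns 1 if plausible. */
int dump_looks_valid(const uint8_t *buf, size_t size)
{
    size_t zeros = 0, ones = 0;
    for (size_t i = 0; i < size; i++) {
        if (buf[i] == 0x00) zeros++;
        if (buf[i] == 0xFF) ones++;
    }
    return size > 0 && zeros != size && ones != size;
}

/* Dump the same window before and after "initialising" the bus and compare
 * the second copy against the simulated chip. Returns 1 on success. */
int demo(void)
{
    static uint8_t before[0x123], after[0x123];   /* deliberately not a multiple of CHUNK */
    flash_init();
    flash_ready = 0;
    if (sf_read_chunked(0x1000, before, sizeof before) != (int)sizeof before) return 0;
    if (dump_looks_valid(before, sizeof before)) return 0;   /* must be flagged as all-zero */
    flash_ready = 1;                                          /* models the CLOCK_ENABLE bit + init call */
    if (sf_read_chunked(0x1000, after, sizeof after) != (int)sizeof after) return 0;
    return dump_looks_valid(after, sizeof after) &&
           memcmp(after, flash + 0x1000, sizeof after) == 0;
}

int main(void)
{
    printf("demo: %s\n", demo() ? "ok" : "FAIL");
    return 0;
}
```

The point of the before/after pair is the practical check a dumper should do on the camera: compare the first chunk against all-0x00 and all-0xFF before writing 16 MB to the card, so a missing clock-enable or init call is caught immediately rather than after a hash mismatch.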

sombree

Ok, it seems that srom_init_maybe() actually does something - SFDATA.BIN isn't empty anymore  :D
**** SROM(SIO2) Menu ****
0.Exit from SROM Menu
1.Erase Chip   0x00800000
2.Erase Block  0x00010000
3.Erase Sector 0x00001000
4.Write Data
5.Write from Card
6.SROM Dump(SIO Read)
7.SROM Dump(QUAD Read)
8.Get Info
>>8
[            :001056bc ] sf_read_sio(80000f3c { 3 0 0 0 -1 }, 80000f0c, c, 1)
0x80000350

0x80000350 is the CanonModelID for the 80D :D