Author Topic: Canon 750D  (Read 94296 times)

t3r4n

  • Contributor
  • New to the forum
  • *****
  • Posts: 48
Re: Canon 750D
« Reply #125 on: April 05, 2018, 07:10:26 PM »
Hey space928,
maybe I'll go first and tell my understanding, and a1ex can correct me  ;D.
So let's start with a working autoexec.bin for the 750D, the SFDUMPER :)

I understand that there is a part in DryOS which looks for an autoexec.bin if the boot flag is enabled.
This happens after the bootloader has finished, some hardware is set up and the main kernel is being copied to RAM (we'll see this later).

enter minimal.c

this seems to be our main()
Code: [Select]
void
 __attribute__((noreturn,noinline,naked))
 copy_and_restart( int offset )
 {
here we clean some memory with 0 values:
Code: [Select]
     zero_bss();
This part is well documented:
Code: [Select]

     // Copy the firmware to somewhere safe in memory
     const uint8_t * const firmware_start = (void*) ROMBASEADDR;
     const uint32_t firmware_len = RELOCSIZE;
     uint32_t * const new_image = (void*) RELOCADDR;

     blob_memcpy( new_image, firmware_start, firmware_start + firmware_len );

     /*
      * in cstart() make these changes:
      * calls bzero(), then loads bs_end and calls
      * create_init_task
      */
     // Reserve memory at the end of malloc pool for our application
     // Note: unlike most (all?) DIGIC 4/5 cameras,
     // the malloc buffer is specified as start + size (not start + end)
     // so we adjust both values in order to keep things close to the traditional ML boot process
     // (alternative: we could adjust only the size, and place ML at the end of malloc buffer)
     uint32_t ml_reserved_mem = (uintptr_t) _bss_end - INSTR( HIJACK_INSTR_BSS_END );
     INSTR( HIJACK_INSTR_BSS_END     ) += ml_reserved_mem;
     INSTR( HIJACK_INSTR_BSS_END + 4 ) -= ml_reserved_mem;

Now it's becoming interesting: we "bend" the vector for the init_task:

Code: [Select]
     // Fix the calls to bzero32() and create_init_task()
     FIXUP_BRANCH( HIJACK_FIXBR_BZERO32, my_bzero32 );
     FIXUP_BRANCH( HIJACK_FIXBR_CREATE_ITASK, my_create_init_task );

     // Set our init task to run instead of the firmware one
     INSTR( HIJACK_INSTR_MY_ITASK ) = (uint32_t) my_init_task;

     // Make sure that our self-modifying code clears the cache
     sync_caches();
and last we call the function:
Code: [Select]
     // We enter after the signature, avoiding the
     // relocation jump that is at the head of the data
     // this is Thumb code
     MEM(0xD20C0084) = 0;
     thunk __attribute__((long_call)) reloc_entry = (thunk)( RELOCADDR + 0xC + 1 );
     reloc_entry();
So at the moment we don't return from this, but normally this would be just a call for a task in DryOS, and the normal boot routine resumes at the vector we've bent above.

So the tasks at the moment:
- find the stubs (addresses) of the functions needed for the blind dump to work, as we experienced with the dumper these can hide in RAM or ROM as the kernel gets copied at startup (see above)
- with the stubs in place the firmware can resume booting and have our code as a task.
- we can dump the memory and search for whatever is needed

Question from me, if ant123 is still reading: on the CHDK M3 porting thread you mentioned finsig back in 2015. I haven't read all 47 pages yet, but did you have any luck with the new finsig_thumb2? The M3 seems to be on the same DryOS release (55) as the 750D. If I try to generate stubs as described in the wiki, it will produce some warnings and then nothing more; after 4 hours of sporadic high CPU load I killed it.
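As an added illustration of the FIXUP_BRANCH step walked through above (my own code, not minimal.c and not Magic Lantern's macros): encoding and decoding a Thumb-2 BL, and patching one inside a relocated image so that it calls a replacement function. The image bytes and the addresses (0x40800000, 0x40900021) are constructed; the point is that the BL is PC-relative, so the patch must be computed against the address the copy will run at and stays within the instruction's +/-16 MB reach.

```c
#include <stdint.h>
/* Added illustration (not minimal.c): retarget a Thumb-2 BL inside a relocated
 * firmware copy. Image contents and addresses below are constructed. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xFF; p[1] = v >> 8; }

/* Encode Thumb-2 BL (encoding T1) placed at address pc, calling target. */
uint32_t thumb_bl_encode(uint32_t pc, uint32_t target)
{
    uint32_t off = (target & ~1u) - (pc + 4);          /* PC reads as BL+4 */
    uint32_t s = (off >> 24) & 1, i1 = (off >> 23) & 1, i2 = (off >> 22) & 1;
    uint32_t j1 = (~(i1 ^ s)) & 1, j2 = (~(i2 ^ s)) & 1;
    uint16_t hw1 = 0xF000 | (s << 10) | ((off >> 12) & 0x3FF);
    uint16_t hw2 = 0xD000 | (j1 << 13) | (j2 << 11) | ((off >> 1) & 0x7FF);
    return ((uint32_t)hw1 << 16) | hw2;
}

/* Decode a BL at pc from its two halfwords; returns 0 if not a BL. */
uint32_t thumb_bl_decode(uint32_t pc, uint16_t hw1, uint16_t hw2)
{
    if ((hw1 & 0xF800) != 0xF000 || (hw2 & 0xD000) != 0xD000) return 0;
    uint32_t s = (hw1 >> 10) & 1, j1 = (hw2 >> 13) & 1, j2 = (hw2 >> 11) & 1;
    uint32_t i1 = (~(j1 ^ s)) & 1, i2 = (~(j2 ^ s)) & 1;
    uint32_t imm = (s << 24) | (i1 << 23) | (i2 << 22)
                 | ((hw1 & 0x3FF) << 12) | ((hw2 & 0x7FF) << 1);
    if (imm & (1u << 24)) imm |= 0xFE000000u;          /* sign-extend 25 bits */
    return pc + 4 + imm;
}

/* Patch the BL at image offset call_off to call new_target. BL is PC-relative:
 * use the address the copy will RUN at (image_base), and check the +/-16 MB reach. */
int retarget_call(uint8_t *image, uint32_t image_base, uint32_t call_off,
                  uint32_t new_target)
{
    uint32_t pc = image_base + call_off;
    int64_t d = (int64_t)(new_target & ~1u) - (int64_t)(pc + 4);
    if (d < -(1 << 24) || d >= (1 << 24)) return -1;  /* too far for a BL */
    uint32_t enc = thumb_bl_encode(pc, new_target);
    wr16(image + call_off, (uint16_t)(enc >> 16));     /* halfwords little-endian */
    wr16(image + call_off + 2, (uint16_t)enc);
    return 0;
}

/* Constructed 64-byte image with a BL slot at +0x10, "copied" to 0x40800000. */
uint32_t demo_patch(void)
{
    uint8_t image[64] = {0};
    const uint32_t base = 0x40800000u, off = 0x10;
    if (retarget_call(image, base, off, 0x40900021u) != 0) return 0;
    return thumb_bl_decode(base + off, rd16(image + off), rd16(image + off + 2));
}
```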

Ant123

  • Contributor
  • Member
  • *****
  • Posts: 117
Re: Canon 750D
« Reply #126 on: April 05, 2018, 11:44:08 PM »
did you have any luck with the new finsig_thumb2?
No. There was no luck with finsig_thumb2 & DSLR's firmware. But it found more than hundred functions in M3 firmware.

To find bitmap, raw, video buffers in RAM dump I recommend this tool.

ruedigers

  • New to the forum
  • *
  • Posts: 1
Re: Canon 750D
« Reply #127 on: April 14, 2018, 10:03:08 AM »
Hello to all,
I am new here in the forum. I read through most of the thread, but will have to start over to gather where I need to start off.
My reasons I'd like to unlock my firmware:
  • unlock time limit for videos - apparently the video duration is limited to something below 30 minutes (to avoid being taxed at a higher rate for video cameras)
  • unlock exposure time / shutter speed for long or manual exposure
I will try to help once I have figured out the basics (without bricking my camera).
Cheers,
Rudy
- Canon EOS 750D
- Canon EOS Digital Rebel XTi
- Canon PowerShot A3200 IS

a1ex

  • Administrator
  • Hero Member
  • *****
  • Posts: 12171
  • Maintenance mode
Re: Canon 750D
« Reply #128 on: April 24, 2018, 12:38:42 PM »
Hi, I'm still looking for an SFDATA.BIN dump

Added support for serial flash to the portable ROM dumper.

t3r4n

  • Contributor
  • New to the forum
  • *****
  • Posts: 48
Re: Canon 750D
« Reply #129 on: May 01, 2018, 03:12:36 PM »
Some observations:
I got myself a cheap camera grip with battery that has the needle connections for the "maybe" serial IO equipped. I soldered some connections to it and, with a hint from ant123, I've been able to identify some candidates:
original thread
But so far I can't get it to talk to me properly... so I watched the output of qemu with -d uart:
Code: [Select]
[UART]         at 0xFE0204F4:FE02013C ESC[1;33m[0xC0800010] <- 0x19     : ???
[UART]         at 0xFE020500:FE02013C ESC[1;33m[0xC0800018] <- 0x4       : interrupt flags?
[UART]         at 0xFE02050C:FE02013C ESC[1;33m[0xC0800008] <- 0x8081  : Flags?
After some reading on the ARM website I suspect the UART to be similar to an IP core they call PL010, as the registers only match here and not the newer PL011. According to the doc, the 0x19 in register 0x10 sets the divider to 25, which doesn't make sense on a 3.988... clock as in the dock, but if they use a 4 MHz clock that would give exactly 9600 baud. But the other two registers are not too sensible (DCD enable, two stop bits? line return to 0 after send?). As written above, I can't get any sensible bytes out of it; at the moment I suspect my resistor-based level shifter puts too much load on the interface.
Also, by reading the docs I noticed that newer memory-coupled devices on the AXI bus have something like an ID register so they can be identified in code. Maybe of interest with other function blocks.

samuk190

  • New to the forum
  • *
  • Posts: 1
Re: Canon 750D
« Reply #130 on: May 04, 2018, 11:48:29 AM »
Hello to all,
I am new here in the forum. I read through most of the thread, but will have to start over to gather where I need to start off.
My reasons I'd like to unlock my firmware:
  • unlock time limit for videos - apparently the video duration is limited to something below 30 minutes (to avoid being taxed at a higher rate for video cameras)
  • unlock exposure time / shutter speed for long or manual exposure
I will try to help once I have figured out the basics (without bricking my camera).
Cheers,
Rudy
As far as I read in this forum post, the progress is 80% done... they can run some code inside the firmware, I think...

Treshet

  • New to the forum
  • *
  • Posts: 1
Re: Canon 750D
« Reply #131 on: July 07, 2018, 11:40:14 PM »
 :D

space928

  • New to the forum
  • *
  • Posts: 15
Re: Canon 750D
« Reply #132 on: July 29, 2018, 09:02:43 PM »
 :D
Great job Treshet! Now the stage we're currently at is basically all within the emulator, so set up a VM (or use a real machine if that's your style) and get QEMU running with the ROMs; you'll see you can only get so far into the boot process before it stops. See some of my earlier posts and what people like a1ex have said about them for tips on what to do next. The gist of it is that we need to disassemble the ROMs, identify any parts where it breaks in qemu (I recommend using GDB to debug and then looking in the disassembly for how it's meant to work) and try patching any bits you can. I use Cutter as a disassembler because it's quite powerful and offers a GUI wrapper for the popular radare disassembler (which is entirely CLI but still very good).
Canon EOS 750D + Canon 28-80mm USM + Fujifilm Finepix s9200

matteopd

  • New to the forum
  • *
  • Posts: 13
Re: Canon 750D
« Reply #133 on: August 21, 2018, 12:13:15 PM »
Hi All! How are you?

@t3r4n it seems you are the one with deeper experience in this porting.

Months ago I helped with the ROM dumping but I wasn't able to go further due to my lack of programming knowledge.

Is there anything I can help with now, for example testing something with a real 750D?

Thank you

a1ex

  • Administrator
  • Hero Member
  • *****
  • Posts: 12171
  • Maintenance mode
Re: Canon 750D
« Reply #134 on: September 07, 2018, 09:54:00 AM »
Just a heads up - porting the 80D startup code to other models is really just a matter of updating the stubs and startup constants, and can be tested/debugged in QEMU. Verified on 5D4 and 200D. Source code (still) on the digic6-dumper branch.