Canon 750D

Started by Goonism101, July 27, 2016, 04:44:28 AM


t3r4n

Hey space928,
Maybe I go first and tell my understanding, and a1ex can correct me ;D.
So let's start with a working autoexec.bin for the 750D, the SFDUMPER :)

I understand that there is a part in DryOS which looks for an autoexec.bin if the boot flag is enabled.
This happens after the bootloader has finished and some hardware is set up, and the main kernel is being copied to RAM (we'll see that later).

enter minimal.c

This seems to be our main():

void
__attribute__((noreturn,noinline,naked))
copy_and_restart( int offset )
{

Here we clear some memory with zero values:
     zero_bss();

This part is well documented:


     // Copy the firmware to somewhere safe in memory
     const uint8_t * const firmware_start = (void*) ROMBASEADDR;
     const uint32_t firmware_len = RELOCSIZE;
     uint32_t * const new_image = (void*) RELOCADDR;

     blob_memcpy( new_image, firmware_start, firmware_start + firmware_len );

     /*
      * in cstart() make these changes:
      * calls bzero(), then loads bs_end and calls
      * create_init_task
      */
     // Reserve memory at the end of malloc pool for our application
     // Note: unlike most (all?) DIGIC 4/5 cameras,
     // the malloc buffer is specified as start + size (not start + end)
     // so we adjust both values in order to keep things close to the traditional ML boot process
     // (alternative: we could adjust only the size, and place ML at the end of malloc buffer)
     uint32_t ml_reserved_mem = (uintptr_t) _bss_end - INSTR( HIJACK_INSTR_BSS_END );
     INSTR( HIJACK_INSTR_BSS_END     ) += ml_reserved_mem;
     INSTR( HIJACK_INSTR_BSS_END + 4 ) -= ml_reserved_mem;


Now it's becoming interesting: we "bend" the vector for the init_task:


     // Fix the calls to bzero32() and create_init_task()
     FIXUP_BRANCH( HIJACK_FIXBR_BZERO32, my_bzero32 );
     FIXUP_BRANCH( HIJACK_FIXBR_CREATE_ITASK, my_create_init_task );

     // Set our init task to run instead of the firmware one
     INSTR( HIJACK_INSTR_MY_ITASK ) = (uint32_t) my_init_task;

     // Make sure that our self-modifying code clears the cache
     sync_caches();

And last we call the function:
     // We enter after the signature, avoiding the
     // relocation jump that is at the head of the data
     // this is Thumb code
     MEM(0xD20C0084) = 0;
     thunk __attribute__((long_call)) reloc_entry = (thunk)( RELOCADDR + 0xC + 1 );
     reloc_entry();

So at the moment we don't return from this, but normally this would just be a call for a task in DryOS, and the normal boot routine resumes at the vector we've bent above.

So the tasks at the moment:
- find the stubs (addresses) of the functions needed for the blind dump to work; as we experienced with the dumper, these can hide in RAM or ROM, as the kernel gets copied at startup (see above)
- with the stubs in place the firmware can resume booting and have our code as a task.
- we can dump the memory and search for whatever is needed

Question from me, if ant123 is still reading: on the CHDK M3 porting thread you mentioned finsig back in 2015. I haven't read all the 47 pages yet, but did you have any luck with the new finsig_thumb2? The M3 seems to be on the same DryOS release (55) as the 750D. If I try to generate stubs as described in the wiki, it produces some warnings and then nothing more; after 4 hours of sporadic high CPU load with no output I killed it.
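To make the copy-patch-jump sequence described in the post concrete, here is an added example that is not ML's minimal.c and not t3r4n's code. It works on a constructed in-memory image instead of a real ROM copy and models four pieces: an INSTR()-style accessor that maps a ROM address onto the relocated copy, the start/size adjustment of the malloc pool, a FIXUP_BRANCH-style rewrite of a 32-bit Thumb BL that is encoded relative to where the copy executes rather than where the ROM was, and the entry address with bit 0 set for Thumb. ROM_BASE, RELOC_ADDR, the word offsets, the pool values and the my_* addresses are all made up for the demo; the Thumb-2 BL bit layout is the architectural one, and the post does not say which branch encoding ML's FIXUP_BRANCH uses on this model, so that choice is an assumption here.

```c
/* Added example (not ML's minimal.c): model of "copy firmware to RAM,
 * patch constants and branches in the copy, jump in". Every address and
 * value below is hypothetical and constructed for the demo. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ROM_BASE       0xFE000000u          /* assumed start of the fake ROM */
#define RELOC_ADDR     0x00100000u          /* assumed address the copy runs at */
#define IMG_BYTES      0x400u
#define BSS_END_ROM    (ROM_BASE + 0x100)   /* word pair: malloc start, size */
#define BZERO_BL_ROM   (ROM_BASE + 0x200)   /* a 32-bit Thumb BL to bzero32 */
#define ITASK_PTR_ROM  (ROM_BASE + 0x300)   /* pointer to the init task */

static uint32_t image[IMG_BYTES / 4];        /* stands in for the RELOCADDR copy */

/* Where a ROM address lands once the image has been copied. */
uint32_t reloc_of(uint32_t rom_addr) { return rom_addr - ROM_BASE + RELOC_ADDR; }

/* INSTR() equivalent: address the same word in the relocated copy. */
uint32_t *instr(uint32_t rom_addr) { return &image[(rom_addr - ROM_BASE) / 4]; }

/* Thumb-2 32-bit BL as stored in memory (first halfword in the low 16 bits).
 * offset = target - (pc + 4), 25-bit signed, halfword aligned.
 * Returns 0 (never a valid BL) if the target is out of reach. */
uint32_t thumb2_bl_encode(uint32_t pc, uint32_t target)
{
    int32_t off = (int32_t)((target & ~1u) - (pc + 4));   /* drop Thumb bit */
    if (off < -(1 << 24) || off > (1 << 24) - 2 || (off & 1))
        return 0;
    uint32_t o  = (uint32_t)off;
    uint32_t s  = (o >> 24) & 1, i1 = (o >> 23) & 1, i2 = (o >> 22) & 1;
    uint32_t j1 = (~(i1 ^ s)) & 1, j2 = (~(i2 ^ s)) & 1;
    uint32_t hw1 = 0xF000 | (s << 10) | ((o >> 12) & 0x3FF);
    uint32_t hw2 = 0xD000 | (j1 << 13) | (j2 << 11) | ((o >> 1) & 0x7FF);
    return hw1 | (hw2 << 16);
}

/* Inverse of the above: recover the call target from an encoded BL. */
uint32_t thumb2_bl_decode(uint32_t pc, uint32_t word)
{
    uint32_t hw1 = word & 0xFFFF, hw2 = word >> 16;
    uint32_t s  = (hw1 >> 10) & 1, j1 = (hw2 >> 13) & 1, j2 = (hw2 >> 11) & 1;
    uint32_t i1 = (~(j1 ^ s)) & 1, i2 = (~(j2 ^ s)) & 1;
    uint32_t o  = (s << 24) | (i1 << 23) | (i2 << 22)
                | ((hw1 & 0x3FF) << 12) | ((hw2 & 0x7FF) << 1);
    if (s) o |= 0xFE000000u;                 /* sign-extend 25 -> 32 bits */
    return pc + 4 + o;
}

/* "Reserve memory at the end of malloc pool": the firmware stores the pool
 * as (start, size), so raise start and shrink size by the same amount. */
uint32_t reserve_malloc_tail(uint32_t bss_end_rom, uint32_t our_bss_end)
{
    uint32_t reserved = our_bss_end - *instr(bss_end_rom);
    *instr(bss_end_rom)     += reserved;
    *instr(bss_end_rom + 4) -= reserved;
    return reserved;
}

/* FIXUP_BRANCH equivalent: re-encode the BL in the copy so it calls dest,
 * relative to the address the copy executes from. */
int fixup_branch(uint32_t rom_addr, uint32_t dest)
{
    uint32_t w = thumb2_bl_encode(reloc_of(rom_addr), dest);
    if (!w) return -1;                       /* out of BL range: refuse to patch */
    *instr(rom_addr) = w;
    return 0;
}

/* Entry into the copy: skip the 0xC-byte header and set bit 0 for Thumb. */
uint32_t thumb_entry(uint32_t reloc_addr) { return (reloc_addr + 0xC) | 1; }

/* Constructed stand-in for blob_memcpy(new_image, firmware_start, ...). */
void build_fake_image(void)
{
    memset(image, 0, sizeof image);
    *instr(BSS_END_ROM)     = 0x001E0000;    /* firmware's malloc start */
    *instr(BSS_END_ROM + 4) = 0x00200000;    /* firmware's malloc size  */
    /* original BL to the firmware's own bzero32, 0x80 bytes ahead */
    *instr(BZERO_BL_ROM) = thumb2_bl_encode(reloc_of(BZERO_BL_ROM),
                                            reloc_of(BZERO_BL_ROM) + 0x80);
    *instr(ITASK_PTR_ROM)   = 0xFE012345;    /* firmware's init_task, Thumb */
}

int main(void)
{
    build_fake_image();
    uint32_t our_bss_end = 0x001F0000, my_bzero32 = 0x00180001, my_init_task = 0x00180101;
    uint32_t r = reserve_malloc_tail(BSS_END_ROM, our_bss_end);
    fixup_branch(BZERO_BL_ROM, my_bzero32);
    *instr(ITASK_PTR_ROM) = my_init_task;     /* INSTR(HIJACK_INSTR_MY_ITASK) = my_init_task */
    printf("reserved 0x%x, pool start=0x%08x size=0x%08x\n",
           r, *instr(BSS_END_ROM), *instr(BSS_END_ROM + 4));
    printf("BL now targets 0x%08x, entry 0x%08x\n",
           thumb2_bl_decode(reloc_of(BZERO_BL_ROM), *instr(BZERO_BL_ROM)),
           thumb_entry(RELOC_ADDR));
    return 0;
}
```

The point of encoding the BL against reloc_of(rom_addr) rather than the ROM address is the same one the post makes about stubs hiding "in RAM or ROM": a PC-relative branch patched with the wrong base silently lands somewhere else once the copy runs from RELOCADDR. The range check in thumb2_bl_encode is what you would want before trusting a stub address pulled from a dump.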

Ant123

Quote from: t3r4n on April 05, 2018, 07:10:26 PM
did you have any luck with the new finsig_thumb2?
No. There was no luck with finsig_thumb2 & DSLR firmware. But it found more than a hundred functions in the M3 firmware.

To find bitmap, raw, video buffers in RAM dump I recommend this tool.

ruedigers

Hello to all,
I am new here in the forum. I read through most of the thread, but will have to start over to gather where I need to start off.
The reasons I'd like to unlock my firmware:

  • unlock the time limit for videos - apparently the video duration is limited to something below 30 minutes (to avoid being taxed at the higher rate for video cameras)
  • unlock exposure time / shutter speed for long or manual exposures
I will try to help once I have figured out the basics (without bricking my camera).
Cheers,
Rudy
- Canon EOS 750D
- Canon EOS Digital Rebel XTi
- Canon PowerShot A3200 IS

a1ex

Quote from: space928 on April 02, 2018, 01:07:23 PM
Hi, I'm still looking for an SFDATA.BIN dump

Added support for serial flash to the portable ROM dumper.

t3r4n

Some observations:
I got myself a cheap camera grip with battery that has the needle connections for the "maybe" serial IO equipped. I soldered some connections to it and, with a hint from ant123, I've been able to identify some candidates.
Quote from: t3r4n on April 30, 2018, 12:18:45 PM
original thread
But so far I can't get it to talk to me properly... so I watched the output of qemu with -d uart:

[UART]         at 0xFE0204F4:FE02013C [0xC0800010] <- 0x19     : ???
[UART]         at 0xFE020500:FE02013C [0xC0800018] <- 0x4       : interrupt flags?
[UART]         at 0xFE02050C:FE02013C [0xC0800008] <- 0x8081  : Flags?

After some reading on the ARM website I suspect the UART to be similar to an IP core they call PL010, as the registers only match here and not the newer PL011. According to the doc, the 0x19 in register 0x10 sets the divider to 25, which doesn't make sense on a 3.988... clock as in the dock, but if they use a 4 MHz clock that would give exactly 9600 baud. But the other two registers are not too sensible (DCD enable, two stop bits? line return to 0 after send?). As written above, I can't get any sensible bytes out of it; at the moment I suspect my resistor-based level shifter puts too much load on the interface.
Also, by reading the docs I noticed that newer memory-coupled devices on the AXI bus have something like an ID register so they can be identified in code. Maybe of interest with other function blocks.

samuk190

Quote from: ruedigers on April 14, 2018, 10:03:08 AM
Hello to all,
I am new here in the forum. I read through most of the thread, but will have to start over to gather where I need to start off.
The reasons I'd like to unlock my firmware:

  • unlock the time limit for videos - apparently the video duration is limited to something below 30 minutes (to avoid being taxed at the higher rate for video cameras)
  • unlock exposure time / shutter speed for long or manual exposures
I will try to help once I have figured out the basics (without bricking my camera).
Cheers,
Rudy
As far as I read in this forum post, the progress is 80% done... they can run some code inside the firmware, I think...

Treshet


space928

Quote from: Treshet on July 07, 2018, 11:40:14 PM

:D
Great job Treshet! Now the stage we're currently at is basically all within the emulator, so set up a VM (or use a real machine if that's your style) and get QEMU running with the ROMs; you'll see you can only get so far into the boot process before it stops. See some of my earlier posts and what people like a1ex have said about them for tips on what to do next. The gist of it is that we need to disassemble the ROMs, identify any parts where it breaks in qemu (I recommend using GDB to debug and then looking in the disassembly for how it's meant to work) and try patching any bits you can. I use Cutter as a disassembler because it's quite powerful and offers a GUI wrapper for the popular radare disassembler (which is entirely CLI but still very good).
Canon EOS 750D + Canon 28-80mm USM + Fujifilm Finepix s9200

matteopd

Hi All! How are you?

@t3r4n it seems you are the one with the deepest experience in this porting.

Months ago I helped with the ROM dumping but I wasn't able to go further due to my lack of programming knowledge.

Is there anything I can help with now, for example testing something with a real 750D?

Thank you

a1ex

Just a heads up - porting the 80D startup code to other models is really just a matter of updating the stubs and startup constants, and can be tested/debugged in QEMU. Verified on 5D4 and 200D. Source code (still) on the digic6-dumper branch.

riki_le_pozzo

Hi guys, I'm new to the group. I have a Canon EOS 750D and I wanted to install ML!
Well, honestly, after days of tests and re-readings of your posts I still can't understand the method. I hope someone can help me, thank you so much!!!

Walter Schulz

There is no ML for your cam.

snackyfav

Dear all,

Can I check the shutter count of a Canon 750D with ML?
I already checked the shutter count using some online web checkers, but the notification is "Your camera doesn't add shutter count information to images."
I can't check the shutter count by connecting the camera to the computer for some reasons.
Need some help.

Thank you.

Walter Schulz

Read post above yours.

matteopd

Hi Alex! I tried but I'm not so skilled in coding. However I really wish to help. Is there any developer I can finance personally to build the release? Thank you!



Quote from: a1ex on September 07, 2018, 09:54:00 AM
Just a heads up - porting the 80D startup code to other models is really just a matter of updating the stubs and startup constants, and can be tested/debugged in QEMU. Verified on 5D4 and 200D. Source code (still) on the digic6-dumper branch.

names_are_hard

I'll do it for $20k a month, if you pay a year in advance.  I don't know if I'll succeed.

Or, see this thread where trying to arrange paying devs is discussed:
https://www.magiclantern.fm/forum/index.php?topic=24339.0

matteopd

Alex what do u think?

Quote from: names_are_hard

I'll do it for $20k a month, if you pay a year in advance.  I don't know if I'll succeed.

Or, see this thread where trying to arrange paying devs is discussed:
https://www.magiclantern.fm/forum/index.php?topic=24339.0

names_are_hard

I was not being entirely serious :)  But it does illustrate some of the points about why it's hard to pay for projects like this.  I would want that much money to quit my current job and nobody is going to pay that for ML - especially when I can't know if I'll succeed.  If you don't want to pay me full time, well, I'm already working part time on it for free (200D).

And of course, I'm not very good at it.  But how do you check that before paying people?

a1ex

Quote from: matteopd on September 12, 2019, 11:45:50 PM
Alex what do u think?

What I can say is that @names_are_hard definitely has the skills (I'd bet on 95% chances of success if he were to work full time for 2-3 months), which means I trust his opinion.

And he's right with this. Most of us already have full-time jobs and families, and that means we are no longer tempted by one or two $200 offers, or by a brand new camera (even though these can be pretty significant expenses for the average user). I'd certainly consider a break from my job for $20k a month (with some reservations), but I might have to share this money 50-50 with some very good IP lawyers. This topic is controversial among developers, to say the least.

blade

At the risk of telling myself that this is off topic... Would a Patreon account have added value?

I do support some podcasters who say: if you like us, support us; you will not get anything extra, just the warm feeling of doing good!

That could work here too. I would happily make a monthly contribution that would be used for e.g. hosting, tools etc.

eos400D :: eos650D  :: Sigma 18-200 :: Canon 100mm macro

a1ex

I've actually considered Patreon, but ended up deciding against it. Still looking into alternatives.

Hosting and tools are not very expensive, but developer time (aka "code doesn't grow on trees") is a problem. I used to be able to spend a large part of my time on hobbies (the ML project in particular), but this is no longer the case (can't speak for other developers, though). Providing me with free tools to work on isn't going to motivate me any more; if anything, these will only serve to create some kind of guilty feelings, and that's not what I want.

webpresence101

Hi All.

Quick one. Is the 750D ML ready now?

matteopd

Ingenuous question: what may happen if I try to install the release for 700D on my 750D?  :D

Walter Schulz

Quote from: matteopd on November 12, 2019, 11:43:20 PM
Ingenuous question: what may happen if I try to install the release for 700D on my 750D?  :D

Your doorbell will ring and you'll get full refund for all STEM classes you ever took. Without interest.

Christophermike94hlg

Where can I download it for the 750D??