get firmware dump from Digic6+ camera

Started by GregoryOfManhattan, September 09, 2016, 03:55:28 PM



For a new device without an existing .FIR file, is there a procedure to get an initial firmware dump for a Digic 6+ camera?


There is a procedure that worked on single (not dual) Digic 6 models; with some luck, it may work on D6+ as well.


Great, thank you. Will try Portable ROM dumper.
I believe that I will also need a signed binary .FIR - I will search for how to generate that.


I can sign one for you, just drop me a PM.


Portable ROM Dumper does not appear to work on this camera.
Have tried with .FIR provided and autoexec.bin from
on a 32 GB SD card formatted in camera made bootable with contrib/make_bootable.

Same card works immediately on a 5D3.

Attempting to load new Firmware displays Update file cannot be found.


Also tried with 64GB CF card and Portable ROM dumper did not run.
Same card works immediately on 5D3, this time without even moving the power switch to On.

Trying to load firmware shows Loading... and hangs; this is different from the behavior using an SD card.

Wonder if I should try a different build of the ROM dumper - is this built from the recovery branch?


Card formatted in camera, adding LED .FIR and autoexec.bin on a non-bootable card.
Click to load firmware.
Get only a single blink along with the Loading... screen.
LED goes off.
Then screen goes black.
Camera remains on but locked up with no display of any kind, not even a single blinkenlight.
Waited 5 minutes and pulled the battery.
Same result with CF or SD card.

Same process with DISP_5D3.FIR and the same autoexec.bin on a 5D3 shows the Magic Lantern Rescue screen.


LED FIR with wider address range (2048 addresses from 0xd20b0000)
is displaying blinkenlights - should I start to build an opto sensor as on olde CHDK dumps?


LED address identified :)

From the video with LED blinks:

# crop the video to show only the LED
# (the LCD backlight flickers as well, as it's driven by a GPIO in the same address range - we don't want it)
ffmpeg -i IMG_6368.MOV -vf "crop=200:200:1300:600" -acodec copy -vsync 0 LED.MOV

# compute average brightness from each frame
ffmpeg -i LED.MOV -vsync 0 -f image2pipe -vcodec ppm - | identify -format "%[mean]\n" - > blinks.log

# plot the graph in octave
octave --eval "plot(dlmread('blinks.log')); \
               grid on; axis([0 inf 0 5000]); \
               print('-dpng', '-S800,200', '-FHelvetica', 'blinks.png');"

The ON/OFF codes are reversed, so a short pause is 0 and a long pause is 1.

This gives 000010001001 -> 0x89. Search range was 0xd20b0000 - 0xd20b1ffc, addresses are 32-bit aligned, so the LED address is 0xd20b0000 + (0x89 << 2) = 0xd20b0224.

Please find:

BLINK5D4.FIR - simple blinker
BDMP_5D4.FIR - ROM dumper using the CHDK soundcard method (decoder available under contrib/led_blink_dumper in the digic6-dumper branch).

Happy hacking.
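
Added example, not part of the post above and not the decoder from contrib/led_blink_dumper: the decoding step from the per-frame brightness series to the LED address, in Python. The blink framing (LED pulses separated by dark pauses, one bit per pause, most significant bit first), the function names and the synthetic brightness series are assumptions made for this example.

```python
from itertools import groupby

SEARCH_BASE = 0xD20B0000   # start of the scanned range, from the post
SEARCH_LAST = 0xD20B1FFC   # last scanned address, from the post

def pause_lengths(brightness):
    """Lengths (in frames) of the dark gaps between consecutive LED pulses."""
    level = (min(brightness) + max(brightness)) / 2   # lit/dark threshold
    runs = [(lit, len(list(g)))
            for lit, g in groupby(b > level for b in brightness)]
    # Dark runs before the first pulse and after the last one are not pauses.
    while runs and not runs[0][0]:
        runs.pop(0)
    while runs and not runs[-1][0]:
        runs.pop()
    return [n for lit, n in runs if not lit]

def decode_bits(pauses):
    """Short pause -> 0, long pause -> 1 (the reversed coding noted in the post)."""
    if not pauses or max(pauses) < 2 * min(pauses):
        # All-equal pauses cannot be told apart as short or long.
        raise ValueError("pauses do not separate into short and long")
    split = (min(pauses) + max(pauses)) / 2
    return "".join("1" if p > split else "0" for p in pauses)

def led_address(bits):
    """Treat the bits as a word index into the 32-bit-aligned search range."""
    addr = SEARCH_BASE + (int(bits, 2) << 2)
    if addr > SEARCH_LAST:
        raise ValueError(f"{addr:#x} is outside the scanned range")
    return addr

def synth_log(bits, pulse=3, short=4, long=12, dark=120.0, lit=4200.0):
    """Constructed stand-in for blinks.log; frame counts and levels are made up."""
    frames = [dark] * 10 + [lit] * pulse
    for b in bits:
        frames += [dark] * (long if b == "1" else short) + [lit] * pulse
    return frames + [dark] * 10

if __name__ == "__main__":
    series = synth_log("000010001001")   # real input: the values in blinks.log
    bits = decode_bits(pause_lengths(series))
    print(bits, hex(int(bits, 2)), hex(led_address(bits)))
```

The thresholds are derived from the data itself, so a noisy recording with flicker inside a pulse would need smoothing before `pause_lengths` is applied.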