get firmware dump from Digic6+ camera

Started by GregoryOfManhattan, September 09, 2016, 03:55:28 PM

GregoryOfManhattan

for a new device without an existing .FIR file, is there a procedure to get an initial firmware dump for a Digic 6+ camera?

a1ex

There is a procedure that worked on single (not dual) Digic 6 models; with some luck, may work on D6+ as well.

http://www.magiclantern.fm/forum/index.php?topic=16534.0

GregoryOfManhattan

great, thank you. will try Portable ROM dumper.
I believe that I will also need a signed binary .FIR - I will search for how to generate that.

a1ex

I can sign one for you, just drop me a PM.

GregoryOfManhattan

Portable ROM Dumper does not appear to work on this camera.
Have tried with .FIR provided and autoexec.bin from http://www.magiclantern.fm/forum/index.php?topic=16534.0
on a 32 GB SD card formatted in camera made bootable with contrib/make_bootable.

Same card works immediately on a 5D3.

Attempting to load new Firmware displays Update file cannot be found.

GregoryOfManhattan

also tried with 64GB CF card and Portable ROM dumper did not run.
same card works immediately on 5D3 this time without even moving the power switch to On.

trying to load firmware shows Loading... and hangs, this is different from the behavior using an SD card.

wonder if I should try a different build of the ROM dumper - is this built from the recovery branch?

GregoryOfManhattan

blinkenlights
card formatted in camera, adding LED .FIR and autoexec.bin on a not bootable card.
click to load firmware
get only a single blink along with the loading... screen
led goes off
then screen goes black
http://imgur.com/a/Qo1dB
camera remains on but locked up with no display of any kind not even a single blinkenlight.
waited 5 minutes and pulled the battery.
same result with CF or SD card.

same process with DISP_5D3.FIR and the same autoexec.bin on a 5D3 shows the Magic Lantern Rescue screen

GregoryOfManhattan

LED FIR with wider address range 2048 addresses from 0xd20b0000
is displaying blinkenlights - should I start to build an opto sensor as on olde chdk dumps?

a1ex

LED address identified :)

From the video with LED blinks:


# crop the video to show only the LED
# (the LCD backlight flickers as well, as it's driven by a GPIO in the same address range - we don't want it)
ffmpeg -i IMG_6368.MOV -vf "crop=200:200:1300:600" -acodec copy -vsync 0 LED.MOV

# compute average brightness from each frame
ffmpeg -i LED.MOV -vsync 0 -f image2pipe -vcodec ppm - | identify -format "%[mean]\n" - > blinks.log

# plot the graph in octave
octave --eval "plot(dlmread('blinks.log')); \
               grid on; axis([0 inf 0 5000]); \
               print('-dpng', '-S800,200', '-FHelvetica', 'blinks.png');"




The ON/OFF codes are reversed, so a short pause is 0 and a long pause is 1.

This gives 000010001001 -> 0x89. Search range was 0xd20b0000 - 0xd20b1ffc, addresses are 32-bit aligned, so the LED address is 0xd20b0000 + (0x89 << 2) = 0xd20b0224.

Please find:

BLINK5D4.FIR - simple blinker
BDMP_5D4.FIR - ROM dumper using the CHDK soundcard method (decoder available under contrib/led_blink_dumper in the digic6-dumper branch).

Happy hacking.
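The decoding step described in the post above, as an added example that is not part of the original thread or of Magic Lantern's code: it turns per-frame brightness values like those in blinks.log into the bit string and the LED address. The function names, the threshold of 2000, the reading of a pause as a dark run between two lit runs, and the sample trace are all assumptions made for illustration.

```python
from itertools import groupby

SEARCH_BASE = 0xD20B0000  # start of the search range given in the post


def pause_lengths(brightness, threshold):
    """Frame counts of the dark runs that sit between two lit runs."""
    runs = [(lit, len(list(g)))
            for lit, g in groupby(v > threshold for v in brightness)]
    # A dark run at the very start or end of the clip is not a pause.
    return [n for i, (lit, n) in enumerate(runs)
            if not lit and 0 < i < len(runs) - 1]


def decode_bits(pauses):
    """Short pause -> 0, long pause -> 1, as stated in the post."""
    if not pauses:
        raise ValueError("no pauses found; check the threshold")
    lo, hi = min(pauses), max(pauses)
    if hi < 2 * lo:
        # Only one pause length present: the cut point cannot be inferred.
        raise ValueError("short and long pauses are not separable")
    cut = (lo + hi) / 2
    return "".join("1" if p > cut else "0" for p in pauses)


def led_address(bits, base=SEARCH_BASE):
    """Candidate index times 4 (32-bit aligned registers) added to the base."""
    return base + (int(bits, 2) << 2)


def make_trace(bits, short=4, long=12, lit=5):
    """Constructed sample input standing in for blinks.log (assumed timings)."""
    frames = [300] * 10 + [4000] * lit
    for b in bits:
        frames += [300] * (long if b == "1" else short) + [4000] * lit
    frames += [300] * 10
    # Deterministic jitter so the values are not perfectly flat.
    return [v + (i * 37) % 90 for i, v in enumerate(frames)]


if __name__ == "__main__":
    trace = make_trace("000010001001")
    bits = decode_bits(pause_lengths(trace, threshold=2000))
    print(bits, hex(int(bits, 2)), hex(led_address(bits)))
```

With a real capture, replace make_trace() with the list of floats read from blinks.log and pick the threshold from the plotted graph.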