Canon EOS 1300D / Rebel T6

[ArcziPL]

Code: [Select]

dd if=ROM1.BIN of=BOOT.BIN bs=64K skip=1 count=1
dd: bs: illegal numeric value


Code: [Select]

dd if=ROM1.BIN of=BOOT.BIN bs=64000 skip=1 count=1


Equivalent of bs=64K would be bs=65536.

[critix]

@a1ex
My camera firmware is 1.1.0. Can you give FIR for setting bootflag?
I want bootflag set for my camera for testing magiclantern. I tried HELO1303, HELO1302, HELO1300.fir firmware on my camera, but without success. Start update, then the screen is black. I have to remove the battery because it does not respond at all.
Can you help me?
Thanks a lot...

[dfort]

Equivalent of bs=64K would be bs=65536.

Doh! You are absolutely right.

So for anyone else on a Mac or with an old version of dd, you need to run this on the firmware dump before running it in QEMU:

Code: [Select]

dd if=ROM1.BIN of=BOOT.BIN bs=65536 skip=1 count=1
dd if=BOOT.BIN of=ROM1.BIN bs=65536 seek=511


[critix]

@a1ex: Fir HELO1300-1303 is not for firmware 1.3.3 of camera?

[dfort]

There is no 1.3.3 for this camera. The only firmware updates published by Canon were 1.0.2 and 1.1.0. Development is being done on 1.1.0. Reading over previous posts it looks like those ".FIR" files were used to find the firmware signature so they have already served their purpose. Reading through this topic it looks like there is some more that should be done in QEMU before it is "safe" to set the camera boot flag.

Check Reply #173 - Next Steps for more information.

[EDIT] Running the lua tests is on the list. Some tests won't run in QEMU as documented on this post. In addition, the camera_gui test wouldn't run on the 1300D so there might be a stub that needs fixing. I commented it out and got through most of the tests:

ML/scripts/api_test.lua

Code: [Select]

...
function api_tests()
    menu.close()
    console.clear()
    console.show()
    test_log = logger("LUATEST.LOG")

    -- note: each test routine must print a blank line at the end
    strict_tests()
    generic_tests()
   
    printf("Module tests...\n")
    test_io()
--  test_camera_gui()
    test_menu()
    msleep(1000)
    test_multitasking()
    test_camera_exposure()
   
    printf("Done!\n")
   
    test_log:close()
    key.wait()
    console.hide()
end
...

The problem I ran into was that the "A" key would not switch to Av mode so the test ends there:

LUATEST.LOG

Code: [Select]

===============================================================================
ML/SCRIPTS/API_TEST.LUA - 2017-9-30 12:15:00
===============================================================================

Strict mode tests...
Strict mode tests passed.

Generic tests...
arg = table:
  [0] = "API_TEST.LUA"
camera = table:
  shutter = table:
    raw = 104
    apex = 6.
    ms = 16
    value = 0.015625
  aperture = table:
    raw = 83
    apex = 9.375
    value = 25.7
    min = table:
      raw = 40
      apex = 4.
      value = 4.
    max = table:
      raw = 83
      apex = 9.375
      value = 25.7
  iso = table:
    raw = 0
    apex = 0
    value = 0
  ec = table:
    raw = 0
    value = 0
  flash_ec = table:
    raw = 0
    value = 0
  kelvin = 4700
  mode = 3
  metering_mode = 3
  drive_mode = 0
  model = "Canon EOS 1300D"
  model_short = "1300D"
  firmware = "1.1.0"
  temperature = 152
  gui = table:
    menu = false
    play = false
    play_photo = false
    play_movie = false
    qr = false
    idle = true
  wait = function: p
  bulb = function: p
  burst = function: p
  reboot = function: p
  shoot = function: p
event = table:
  pre_shoot = nil
  post_shoot = nil
  shoot_task = nil
  seconds_clock = nil
  keypress = nil
  custom_picture_taking = nil
  intervalometer = nil
  config_save = nil
console = table:
  hide = function: p
  show = function: p
  write = function: p
  clear = function: p
lv = table:
  enabled = false
  paused = false
  running = false
  zoom = 1
  overlays = false
  start = function: p
  resume = function: p
  stop = function: p
  wait = function: p
  info = function: p
  pause = function: p
lens = table:
  name = "EF-S18-55mm f/3.5-5.6 IS"
  focal_length = 0
  focus_distance = 14080
  hyperfocal = 0
  dof_near = 0
  dof_far = 0
  af = false
  af_mode = 3
  autofocus = function: p
  focus = function: p
display = table:
  idle = nil
  height = 480
  width = 720
  line = function: p
  off = function: p
  load = function: p
  screenshot = function: p
  clear = function: p
  on = function: p
  rect = function: p
  circle = function: p
  print = function: p
  notify_box = function: p
  pixel = function: p
  draw = function: p
key = table:
  last = 10
  wait = function: p
  press = function: p
menu = table:
  visible = false
  select = function: p
  get = function: p
  new = function: p
  block = function: p
  close = function: p
  set = function: p
  open = function: p
movie = table:
  recording = false
  start = function: p
  stop = function: p
dryos = table:
  clock = 3
  ms_clock = 3550
  image_prefix = "IMG_"
  dcim_dir = table:
    exists = true
    create = function: p
    children = function: p
    files = function: p
    parent = table:
      exists = true
      create = function: p
      children = function: p
      files = function: p
      parent = table:
        exists = true
        create = function: p
        children = function: p
        files = function: p
        parent = nil
        path = "B:/"
      path = "B:/DCIM/"
    path = "B:/DCIM/100CANON/"
  config_dir = table:
    exists = true
    create = function: p
    children = function: p
    files = function: p
    parent = table:
      exists = true
      create = function: p
      children = function: p
      files = function: p
      parent = table:
        exists = true
        create = function: p
        children = function: p
        files = function: p
        parent = nil
        path = "B:/"
      path = "ML/"
    path = "ML/SETTINGS/"
  ml_card = table:
    cluster_size = 16384
    drive_letter = "B"
    file_number = 8700
    folder_number = 100
    free_space = 216896
    type = "SD"
    _card_ptr = userdata
    path = "B:/"
  shooting_card = table:
    cluster_size = 16384
    drive_letter = "B"
    file_number = 8700
    folder_number = 100
    free_space = 216896
    type = "SD"
    _card_ptr = userdata
    path = "B:/"
  date = table:
    wday = 2
    day = 30
    month = 9
    sec = 0
    min = 15
    isdst = false
    year = 2017
    hour = 12
    yday = 1
  rename = function: p
  remove = function: p
  directory = function: p
  call = function: p
interval = table:
  time = 10
  count = 0
  running = false
  stop = function: p
battery = table:
function not available on this camera
stack traceback:
[C]: in ?
[C]: in for iterator 'for iterator'
ML/SCRIPTS/LIB/logger.lua:125: in function 'logger.serialize'
ML/SCRIPTS/API_TEST.LUA:36: in function <ML/SCRIPTS/API_TEST.LUA:35>
[C]: in function 'xpcall'
ML/SCRIPTS/API_TEST.LUA:35: in function 'print_table'
ML/SCRIPTS/API_TEST.LUA:81: in function 'generic_tests'
ML/SCRIPTS/API_TEST.LUA:1338: in function 'api_tests'
ML/SCRIPTS/API_TEST.LUA:1359: in main chunktask = table:
  create = function: p
  yield = function: p
property = table:
Generic tests completed.

Module tests...
Testing file I/O...
Copy test: autoexec.bin -> tmp.bin
Copy test OK
Append test: tmp.txt
Append test OK
Rename test: apple.txt -> banana.txt
Rename test OK
Rename test: apple.txt -> ML/banana.txt
Rename test OK
File I/O tests completed.

Testing ML menu API...
Menu tests completed.

Testing multitasking...
Only one task allowed to interrupt...
Main task yielding.
Task C started.
Task C finished.
Main task back.
Main task yielding.
Task C started.
Task C finished.
Main task back.
Main task yielding.
Task C started.
Task C finished.
Main task back.
Main task yielding.
Task C started.
Task C finished.
Main task back.
Main task yielding.
Task C started.
Task C finished.
Main task back.
Main task yielding.
Task C started.
Task C finished.
Main task back.
Main task yielding.
Task C started.
Task C finished.
Main task back.
Main task yielding.
Task C started.
Task C finished.
Main task back.
Main task yielding.
Task C started.
Task C finished.
Main task back.
Main task yielding.
Task C started.
Task C finished.
Main task back.
Multitasking tests completed.

Testing exposure settings...
Camera    : Canon EOS 1300D (1300D) 1.1.0
Lens      : EF-S18-55mm f/3.5-5.6 IS
Shoot mode: 3
Shutter   : Ç60 (raw 104, 0.015625s, 16ms, apex 6.)
Aperture  : Å25 (raw 83, f/25.7, apex 9.375)
Av range  : Å4.0..Å25 (raw 40..83, f/4...f/25.7, apex 4...9.375)
ISO       : 1600 (raw 104, 1600, apex 9.)
EC        : 0.0 (raw 0, 0 EV)
Flash EC  : 0.0 (raw 0, 0 EV)
Setting shutter to random values...
Setting ISO to random values...
Setting aperture to random values...
Please switch to Av mode.


[critix]

Ok I understand. But seeing DeinGott as he tested the camera in this https://www.magiclantern.fm/forum/index.php?topic=17969.msg195984#msg195984, I thought I could set the flag to test myself on the camera.
For:

Code: [Select]

battery = table:
function not available on this camera
stack traceback:
 [C]: in ?
 [C]: in for iterator 'for iterator'
 ML/SCRIPTS/LIB/logger.lua:125: in function 'logger.serialize'
 ML/SCRIPTS/API_TEST.LUA:36: in function <ML/SCRIPTS/API_TEST.LUA:35>
 [C]: in function 'xpcall'
 ML/SCRIPTS/API_TEST.LUA:35: in function 'print_table'
 ML/SCRIPTS/API_TEST.LUA:81: in function 'generic_tests'
 ML/SCRIPTS/API_TEST.LUA:1338: in function 'api_tests'
 ML/SCRIPTS/API_TEST.LUA:1359: in main chunktask = table:
just comment line in

Code: [Select]

function generic_tests()
--    print_table("battery")


[dfort]

If you search for "battery = table:" on this forum you'll find this is common with most cameras. The battery table test will continue even if it encounters an error.

Running only test_camera_gui() will not complete and the lua script will come to a screeching halt.

Code: [Select]

===============================================================================
ML/SCRIPTS/API_TEST.LUA - 2017-9-30 12:15:00
===============================================================================

Module tests...
Testing Canon GUI functions...

However, I tried the same test on the 1200D in QEMU and got the same results so maybe test_camera_gui() can't be done in QEMU?

It does seem to me that we are close to testing ML on the 1300D but that's not my call. Besides, I don't have access to one of these cameras.

- double-check the stubs (at least one of them is wrong), consts and other model-specific parameters (prefer to be done by other users)

I was able to find the missing GUI timers stubs but I'm going on vacation tomorrow for about three weeks so I won't have time to double-check all of the stubs. At least not for a while. It isn't difficult, it just takes time. This is the first Digic 4+ camera being ported and it seems to share characteristics of both Digic 4 and 5. I'd suggest comparing the 1300D stubs with the 1200D and other (somewhat) similar cameras.

[critix]

I saw that the complete test was not done ...

[critix]

I've found some "new" stubs:

Code: [Select]

GUI_SetLvMode -> 0xFE2EB7F8
SetSamplingRate - > 0xFE11C6A8 - Now it is  0xFE11C690
ChangeHDMIOutputSizeToFULLHD -> 0xFE48A9C0
ChangeHDMIOutputSizeToVGA ->  0xFE48AC84
GUI_GetFirmVersion -> 0xFE2F3BA8
FSUunMountDevic -> 0xFE41C994
EnableImagePhysicalScreenParameter -> 0xFE2A75D4
GUI_GetCFnForTab4 -> 0xFE4716F0
StartPlayProtectGuideApp -> 0xFE5E91B4
StopPlayProtectGuideApp -> 0xFE5E8E04
ptpPropSetUILock -> 0xFE1FDBE8

print_serial -> 0xFE0180A8I do not know if it helps with anything or not in development ...
Thanks.

[dfort]

@critix - That helps. Could you do a pull request for the new stubs? That way you'll get credit for the find and it makes it easier to track the changes.

[critix]

How can do that? 

[dfort]

Here's a simple way to do it with just a web browser:

Submitting a pull request all via web browser

If you are using Mercurial (hg) you can make the edits on the 1300D branch of your Magic Lantern fork, commit the changes and do a pull request on bitbucket. There are plenty of posts and tutorials on how to do pull requests.

Look over the current pull requests and the merged pull requests to see how it is done.

https://bitbucket.org/hudson/magic-lantern/pull-requests/?state=MERGED

[critix]

Done.
I made requests for the new Stubs...

[dfort]

199 files changed for just a few stubs?

https://bitbucket.org/hudson/magic-lantern/pull-requests/928/1300d-new-stubs/diff

[critix]

Sorry, I was wrong with Pull requests.
P.S. It's OK now?

[dfort]

@critix -- your new pull request looks much better. I'm running around on vacation for another couple of weeks but will try it out on QEMU when I get home.

[maarinhof]

Hello

I am a beginner in the Magic Lantern and I own a Canon 1300d. My question would be whether you already had something working or at least an orientation to the installation? I am willing to help, taking into account that I do not have the basics to develop something. I'm from Brazil and I'm really looking forward to the launch for my Canon.

[dfort]

@a1ex -- Would it be possible to get a ML-SETUP.FIR for this camera or are there still some issues that need to be resolved first?

[a1ex]

Will check; I'm also catching up after holidays.

edit: replied on bitbucket.

[dfort]

Been doing some private stub hunting coaching with @critix -- private because we've been looking at disassembled Canon code. The pull request he is working on will need to be redone so I thought some of the notes that came up should be discussed on this forum topic.

First thing obviously wrong: bzero32.

How's this?

platform/1300D.110/stubs.S

Code: [Select]

NSTUB(   0x29898,  bzero32)                                 // called by cstart() rom

This seems to be working fine in QEMU though I'm not really sure what to look for.

Second thing obviously wrong: task list doesn’t work; is_taskid_valid has a different syntax (address is correct). This one could have been noticed within minutes of playing with QEMU; don’t remember anyone mentioning it.

I've been playing with QEMU but again not sure what to look for. Here's a snippet from a QEMU session and it looks to me that tasks are starting up fine:

Code: [Select]

[****] Starting task fe2be514(7d7940) TOMgr
[       TOMgr:fe123c94 ] (00:01) [PM] DisablePowerSave (Counter = 2)
[       TOMgr:fe37e258 ] (43:05)  tomSetRawJpgMode (Type = 0x4)
[       TOMgr:fe123d04 ] (00:01) [PM] EnablePowerSave (Counter = 1)
[****] Starting task fe2be514(7da6fc) Fstorage
[****] Starting task fe2be514(7d754c) ShootPreDevelop
[ShootPreDevelop:fe134a38 ] (95:05) spsInit
[****] Starting task fe12b9c0(0) AEmodeJudge
[****] Starting task fe5423d8(0) CSMgrTask
    55:   110.080 [RSC] hMemoryQue[MPU] Sending : 1a 18 01 4e 00 00 00 00 00 00 00 00 00 00 00 1e 00 00 00 0f 00 00 00 00 00 00  (PROP_VIDEO_MODE)
[      DbgMgr:fe123c94 ] (00:01) [PM] DisablePowerSave (Counter = 2)
[      DbgMgr:fe123d04 ] (00:01) [PM] EnablePowerSave (Counter = 1)
ue (0x660012) hStorageQueue (0x680014)
   117:   115.456 [RTC] PROPAD_GetPropertyData : PROP_RTC 0xfd
   120:   117.504 [RTC] ChangePropertyCBR 0x0, 0x0
   121:   117.760 [RTC] RTC_Permit 0x20
   135:   118.784 [SND] Seq LPC fin
   153:   119.808 [ENG] [ENGIO](Addr:0x4fb40000, Data:0x   30000)
   167:   122.880 [TERMINATE] SHUTDOWN init comp
   169:   122.880 [TERMINATE] Abort init comp
   176:   128.256 [WB] AdjustWb Done.
   196:   130.048 [MC] PROP_GUI_STATE 0
   201:   130.048 [MC] JobState 0
   204:   130.304 [MC] PROP_LCD_OFFON_BUTTON : 0
   206:   130.304 [MC] PROP_VARIANGLE_GUICTRL : Enable
   209:   130.816 [MC] regist master CardCover

Modules are loading:

Code: [Select]

Register modules...
Load configs...
Init modules...
  [i] Init: 'lua'
[ module_task:00c002bc ] task_create(lua_load_task, prio=1c, stack=10000, entry=c01a60, arg=0)
[****] Starting task c01a60(0) lua_load_task
  [i] cbr 'CBR_PRE_SHOOT' -> 000C021D8
  [i] cbr 'CBR_POST_SHOOT' -> 000C021A4
  [i] cbr 'CBR_SHOOT_TASK' -> 000C02170
  [i] cbr 'CBR_SECONDS_CLOCK' -> 000C0213C
  [i] cbr 'CBR_KEYPRESS' -> 000C0209C
  [i] cbr 'CBR_CUSTOM_PICTURE_TAKING' -> 000C02068
  [i] cbr 'CBR_INTERVALOMETER' -> 000C02030
  [i] cbr 'CBR_CONFIG_SAVE' -> 000C01FFC
Updating symbols...
  [i] 404: edmac_format_size c81930
  [i] 404: edmac_format_size c83a50
  [i] 404: edmac_format_size c8d230
  [i] 404: edmac_format_size c8eba0
  [i] 404: dual_iso_get_recovery_iso c97b10
  [i] 404: dual_iso_is_active c97b10
  [i] 404: auto_ettr_intervalometer_wait ca41b0
  [i] 404: auto_ettr_intervalometer_warning ca41b0
  [i] 404: auto_ettr_export_correction caaca0
  [i] 404: dual_iso_get_dr_improvement cb85d0
  [i] 404: dual_iso_get_recovery_iso cb85d0
  [i] 404: edmac_format_size cbc250

And the GUI is looking good:




Several modules aren't building but that's also a problem with the 1100D (shameless plug for my pull request)

A few more: FOCUS_CONFIRMATION 0x36EC4, HALFSHUTTER_PRESSED 0x359BC, INFO_BTN_NAME "DISP" and I could go on.

I'm confused. This is what is in the current code:

platform/1300D.110/consts.h [EDIT] originally pasted the 1200D values, these are from the 1300D

Code: [Select]

// guess
 #define FOCUS_CONFIRMATION (*(int*)0x479C)
#define HALFSHUTTER_PRESSED (*(int*)0x31308) // same as 60D

Finding stubs using pattern matching won't help with these and I'm not sure how to use QEMU to ferret them out.

I was hoping to find somebody who understands how a computer works, to some extent…

Not me--I went to art school 

[a1ex]

FOCUS_CONFIRMATION and HALFSHUTTER_PRESSED were copied from 1200D and not updated. The former was covered here and the latter around here.

Tasks: Debug menu. They start (task_create is correct), but you cannot get much info about them. The stubs are correct, but the syntax is not; maybe it's better to enumerate them by walking the internal DryOS structure; hopefully that's a bit more portable. So far, offsets for task name and ID were the same on DIGIC 4 until 7 (even the Eeko secondary core, which runs a very lightweight firmware, uses the same DryOS task structure). I'd expect the tasks to be stored in a linked list, and the next/prev pointers are likely at the same offset on all DryOS models.

bzero32 looks fine now.

[dfort]

FOCUS_CONFIRMATION and HALFSHUTTER_PRESSED were copied from 1200D and not updated.

Sorry, I pasted the wrong values on my previous post (corrected). The 1200D and 1300D values are different.

1200D

Code: [Select]

// From Alex
#define FOCUS_CONFIRMATION (*(int*)0x3EA8) // a1ex
#define HALFSHUTTER_PRESSED (*(int*)0x2A28) // used for Trap Focus and Magic Off.

1300D

Code: [Select]

// guess
 #define FOCUS_CONFIRMATION (*(int*)0x479C)
#define HALFSHUTTER_PRESSED (*(int*)0x31308) // same as 60D

This gives me something to chew on:

#define HALFSHUTTER_PRESSED (*(int*)0x24884) is ok [0x2486C+0x18].

When searching through the disassembly for a pattern there are instances where the value that we're looking for needs to be offset. Why? I don't know, maybe it is a structure?

[critix]

I search for HIJACK_INSTR_BL_CSTART and a found this value: 0xFE0C062C
1200D:

Code: [Select]

loc_ff0c0190:
ff0c0190: e1500003 cmp r0, r3
ff0c0194: 34802004 strcc r2, [r0], #4
ff0c0198: 3afffffc bcc loc_ff0c0190
ff0c019c: eb0003a1 bl loc_ff0c1028 <--- value of cstart

1300D

Code: [Select]

loc_fe0c062c:
fe0c062c: e1500003 cmp r0, r3
fe0c0630: 34802004 strcc r2, [r0], #4
fe0c0634: 3afffffc bcc loc_fe0c062c
fe0c0638: ea000cf9 b loc_fe0c3a24 <--- value of cstart

I also looked for:

Code: [Select]

#define HIJACK_INSTR_BSS_END FE0C3B10ok
define HIJACK_FIXBR_BZERO32 FE0C3A58
#define HIJACK_FIXBR_CREATE_ITASK FE0C3AF8
#define HIJACK_INSTR_MY_ITASK FE0C3B20but the values seem to be good.
Is OK?

[dfort]

I don't understand why you say that the value you found is 0xFE0C062C. The current value of 0xFE0C0638 matches what is in the 1200D.

What do you think of this one?

Code: [Select]

#define HIJACK_INSTR_BSS_END 0xFE0C3B14
These constants are tough to find using just pattern matching. Maybe there's a better way using QEMU? I don't have access to IDA Pro and wouldn't know how to use it if I did!

[critix]

I have disassembled with arm_console, and I searched through 60D values for FOCUS_CONFIRMATION and HALFSHUTTER_PRESSED.
I found the value given by dfort for HALFSHUTTER_PRESSED -> 0x31308.
For FOCUS_CONFIRMATION I found 0x4680.
Is ok this value?
Thanks.