Author Topic: Canon EOS 1300D / Rebel T6 (Read 274039 times)

a1ex · « **Reply #75 on:** June 06, 2017, 05:29:55 PM »

I have some progress on 1300D emulation (will publish soon), but still no GUI. We might have to get the MPU conversation from a real camera for that (and the path of least resistance requires booting ML first).

Probably the best way to proceed would be to try a minimal hello world first (to validate the startup process), and then do the same with regular ML.

Feel free to merge the qemu branch in your 1300D fork, as it has some useful tools for debugging the boot process, and I'd like to include it in the mainline soon. For example, you can now simply call qprint/qprintn/qprintf whenever you want to print something to emulator console (example and results). These calls are only compiled with CONFIG_QEMU=y, so regular builds will not include these messages. The first two are available very early in the boot process; the third requires Canon's vsnprinf, which appears to require some initialization.

Also take look at other recent ports (EOS M2, 1200D, 100D, 70D) for a general idea.

Makky · « **Reply #76 on:** June 24, 2017, 03:55:13 PM »

Hi, I've just purchased my first canon(1300D) and found this forum. Thanks for all the work you are all doing, I have not much in the way of skills to help only do a bit of programing in c+ for arduino. But happy to help if I can. I don't know if this is possible but it would be great to be able to activate the wifi tethering to windows/laptop which is blocked.
Cheers
Makky

cbbrowne · « **Reply #77 on:** June 29, 2017, 09:12:14 PM »

Quote from: Makky on June 24, 2017, 03:55:13 PM

Hi, I've just purchased my first canon(1300D) and found this forum. Thanks for all the work you are all doing, I have not much in the way of skills to help only do a bit of programing in c+ for arduino. But happy to help if I can. I don't know if this is possible but it would be great to be able to activate the wifi tethering to windows/laptop which is blocked.
Cheers
Makky

I'm in a similar boat; I bought a T6/1300D a few months ago, and noticed that efforts are ongoing to get MagicLantern working on it.

I have some C experience, so shouldn't be completely helpless, but I'm not at all sure what is useful to try to do. Perhaps the best to say is "watching with interest".

a1ex · « **Reply #78 on:** July 13, 2017, 10:39:11 PM »

Minor progress with emulation:

- SD also works in main firmware, not just bootloader
- found the HDMI status GPIO (but didn't help much, other than cleaning the debug messages)
- patched JPCORE to avoid an assertion

Here's how I've found what to patch for the assert:

Code: [Select]

b *0x3CBC
assert_log

Code: [Select]

./run_canon_fw.sh 1300D,firmware="boot=0" -d callstack -s -S & arm-none-eabi-gdb -x 1300D/debugmsg.gdb 
...
Current stack: [158398-157398] sp=158238                                         at [ShootCapture:3cbc:3320]
0xFE2BE514(796b3c &"StageClass", fe2be514, 19980218, 19980218)                   at [ShootCapture:41fc:158388] (pc:sp)
 0xFE0CAAC4(796a70 &"ShootCapture", 0, 0, 0)                                     at [ShootCapture:fe2be570:158360] (pc:sp)
  0xFE2BE970(796ab8 &"StateObject", 796a70 &"ShootCapture", 0, 0)                at [ShootCapture:fe0caaf0:158348] (pc:sp)
   0xFE2BE9A8(796ab8 &"StateObject", 796a70 &"ShootCapture", 0, 0)               at [ShootCapture:fe2be9a0:158338] (pc:sp)
    0xFE12DB28(796a70 &"ShootCapture", 0, 0, fe12db28)                           at [ShootCapture:fe2bea28:158318] (pc:sp)
     0xFE3ABD84(4fb1c080, 80000, 1, 25335c)                                      at [ShootCapture:fe12db84:1582f0] (pc:sp)
      0xFE539194(0, 142240, 141dfc, 31170)                                       at [ShootCapture:fe3abdf0:1582a8] (pc:sp)
       0xFE2A0164(40797480, 4079bd60, 792e34, 25)                                at [ShootCapture:fe5391b4:158290] (pc:sp)
        0xFE2A16C8(0, 80000013, 4f550, 40000000)                                 at [ShootCapture:fe2a01e4:158280] (pc:sp)
         0xFE2A0088(7, 142240, 141dfc, 31170)                                    at [ShootCapture:fe2a16ec:158270] (pc:sp)
          0xFE4244FC(fe2a02c0 "JPEGICError", 0, 141dfc, 31170)                   at [ShootCapture:fe2a00d4:158260] (pc:sp)
           0x3270(0, 0, 141dfc, 31170)                                           at [ShootCapture:fe424510:158250] (pc:sp)
            0x3CBC(3340, 332c "SystemIF::KerSem.c", 13a, 31170)                  at [ShootCapture:331c:158238] (pc:sp)
[ShootCapture:0000331c ] [ASSERT] 0 at SystemIF::KerSem.c:314, 3320

Code: [Select]

# patch JPCORE (assert)
set *(int*)0xFE4244FC = 0xe12fff1e

With this, the emulation moved forward, but still no GUI.

What's missing:

Code: [Select]

[     Startup:fe0d4054 ] (00:03) [SEQ] NotifyComplete (Cur = 1, 0x20000002, Flag = 0x20000000)
[    PowerMgr:fe0d4054 ] (00:03) [SEQ] NotifyComplete (Cur = 1, 0x2, Flag = 0x2)
[     FileMgr:fe0d4054 ] (00:03) [SEQ] NotifyComplete (Cur = 2, 0x10, Flag = 0x10)
[     Startup:fe0d4054 ] (00:03) [SEQ] NotifyComplete (Cur = 3, 0xe0110, Flag = 0x40000)
[     Startup:fe0d4054 ] (00:03) [SEQ] NotifyComplete (Cur = 3, 0xa0110, Flag = 0x80000)
[     Startup:fe0d4054 ] (00:03) [SEQ] NotifyComplete (Cur = 3, 0x20110, Flag = 0x100)
[     FileMgr:fe0d4054 ] (00:03) [SEQ] NotifyComplete (Cur = 3, 0x20010, Flag = 0x10)

Notice the pattern? The startup code expects a bunch of things to complete, but it doesn't really care about their order. There are a bunch of binary flags that get cleared whenever some component finishes its initialization. When all these flags are reset, the startup code moves on to the next stage. Therefore, to push the emulation even further (and hopefully get the GUI), one needs to:

1) find out who calls NotifyComplete(Flag = 0x20000) - easy
2) understand why it doesn't get called - hard
3) adjust the emulation so it gets called - easy after solving 2.

The above is not required for porting ML; you already have everything you need to print Hello World. It just makes things a bit easier.

prvashisht · « **Reply #79 on:** July 17, 2017, 05:06:50 PM »

Just stumbled upon this link. I have a 1300D myself and wanted to thank you guys for all the efforts being put into the ML build for 1300D. I have had some coding experience too in C/C++/Java/JavaScript etc. Let me know if I can help in any way.

a1ex · « **Reply #80 on:** July 18, 2017, 12:09:07 AM »

Quote from: prvashisht on July 17, 2017, 05:06:50 PM

Let me know if I can help in any way.

Of course. However, I'm afraid you'll have to... well... read the previous posts.

In particular, go to http://builds.magiclantern.fm/ and scroll to "Your camera is not listed?"

If you are waiting for me to port ML, it might not be the best choice. I'm providing tools, walkthroughs, tutorials, advice and so on, other community members did their part (in particular, this tutorial is very helpful), but it's up to somebody who owns the camera to go through all this and complete the port.

I expect this to be one of the easiest cameras for porting ML (it's DIGIC 4, but has some things borrowed from both D5 and D6). 1200D and EOSM2 are marginally easier, but that's just because the emulator is able to display the GUI.

adamnock · « **Reply #81 on:** July 19, 2017, 09:24:13 AM »

Ive put off coming back for too long (honestly I got quite lost but im still going to try and muddle my way through this).

a1ex / kennetrunner

Was there a branch of the project which included the QEMU hacks and currently identified stubs I can check out and work from?
I think I understand the project topology well enough now to compile a hello world test and run it on metal.

a1ex · « **Reply #82 on:** July 19, 2017, 12:08:12 PM »

All the emulation stuff for 1300D is in the "main" qemu branch.

https://builds.magiclantern.fm/jenkins/view/QEMU/job/QEMU-tests/lastSuccessfulBuild/console - look up 1300D
https://builds.magiclantern.fm/jenkins/view/QEMU/job/QEMU-1300D/

adamnock · « **Reply #83 on:** July 19, 2017, 02:29:02 PM »

Yeah I checked out that branch earlier.
Realised id not backed up my ROM copies so ill redo that shortly.

Hoping some of kennetrunners stubs progress might have been recorded in one of the build branches, but no matter, still needs doing.

@anyone else. Dont expect rapid progress here. Im going to have to properly learn this stuff as I go, im no reverse engineering genius

anandhusajan · « **Reply #84 on:** July 23, 2017, 11:45:25 PM »

How to edit or extract firmware of canon 1300D .FIR File format?

Is there any tool available?

Walter Schulz · « **Reply #85 on:** July 25, 2017, 05:14:33 AM »

Top of page -> Downloads -> Download Nightly Builds -> Scroll down to "ROM dumpers"

Geekyamitjain · « **Reply #86 on:** October 10, 2017, 09:07:04 AM »

A request to admin/mod /post owner

Please edit the main thread for all related updates on the 1300d.
so that we don't have to dig in all the posts.

please, just a request.

also, need to know is it possible to connect mic using USB port of 1300d

Audionut · « **Reply #87 on:** October 11, 2017, 05:43:58 AM »

Compile the required information into a single post and I'll happily transfer it to the opening post.

dmitrys · « **Reply #88 on:** November 05, 2017, 01:38:26 AM »

I tried running DUMP1300.FIR on my recently purchased 1300.102. It takes quite a long time and results in

Code: [Select]

a7b9cc485a85b94448bbda6a6bb9e428  ROM0.BIN
f53fb78da3de0089f9d14d1fd904c1da  ROM1.BIN

However, ROM0.MD5 reads:

Code: [Select]

b7bd14aa3245c539d5327434be9e0e4b ROM0.BIN
(ROM1.MD5 is a match). I tried twice with identical outcomes.

a1ex · « **Reply #89 on:** November 05, 2017, 01:41:13 AM »

That's OK - it means ROM0 is not connected physically (all you get in the dump is electrical noise).

This is true for most (if not all) Rebel models; the dumper is "one size fits all", so it tries to save both ROMs regardless.

~~edit: doesn't apply to 1300D; ROM0 has valid contents here, and ROM0.MD5 matches my dump; try this workaround.~~ edit2: false alarm?!

dmitrys · « **Reply #90 on:** November 05, 2017, 08:35:57 PM »

Quote from: a1ex on November 05, 2017, 01:41:13 AM

This is true for most (if not all) Rebel models

Thanks, although I'm not sure what "Rebel models" mean, since I've got plain old 1300D ;-)

Anyway, should I upgrade to 1.1.0? It seems there had been some progress on porting ML there, but would I be able to downgrade later on?

a1ex · « **Reply #91 on:** November 05, 2017, 08:50:57 PM »

https://en.wikipedia.org/wiki/Canon_EOS#Naming_scheme

The firmware-specific bits from ML repo are at 1.1.0. That's just a few stubs, so if there is a newer firmware available, it's easiest to upgrade at this stage (not later).

Dddiego · « **Reply #92 on:** November 21, 2017, 07:39:47 AM »

Hey guys, I'm writing for advice!. I've had a T1i for the longest time and I love it. I thought it was time for an update and bought a T6, only to find out today ML is not yet available for it.

I already had a online ad placed for my T1i. Now I'm considering taking it down and put one up for the T6 instead. I know the improvements are mainly in video resolution and wifi connectivity. But tho that would seriously make my life easier, on the other hand I would lose a little water proof resistance, better build and infra red sensor.

I've came to the conclusion i will sell the T6 If ML is not available for it. And since you guys are the experts I wanted to ask you all. Should I hold my horses and hang on to the hope of a ML release? How are things looking so far?

I'm sorry if I'm being impertinent and not actually providing any help. Im short on money and I thought it would be best to ask.

Thanks in advance

a1ex · « **Reply #93 on:** December 22, 2017, 11:42:15 PM »

Update: emulation now boots Canon GUI!

What does this mean?

The 1300D, also being a DIGIC 4, is right now the easiest to port ML on - looking forward to seeing your Hello World!

For the impatient: QEMU guide, installation video for Ubuntu, for Mac and guide for Windows.
Next steps: dfort's porting tutorial and the EOS M2 walkthrough.

Q: If it's so easy, why don't you do this ML port and call it a day?
A: Every camera has its own quirks - somebody has to sit down and find them, see what works, what not and so on. I could easily do an initial ML port in the emulator, with menus working, but that would kill all the fun from the potential 1300D developer - besides, I don't like doing things alone.

Have fun!

Stilia.johny · « **Reply #94 on:** December 23, 2017, 04:00:45 PM »

sorry for my silliness but, is the ML ported on 1300d yet? just a bit confused after all these posts..

cbbrowne · « **Reply #95 on:** December 24, 2017, 09:27:25 PM »

That is mighty encouraging, after so long with little visible activity.

I'll take a browse of the material; I'm not sure I'm ready to be a developer for it.

DeinGott · « **Reply #96 on:** December 29, 2017, 02:46:52 PM »

hey a1ex,

i tried to dump the firmware, but got different md5 sums

the ROM0 i got the same MD5 dmitrys got: b7bd14aa3245c539d5327434be9e0e4b
the ROM1 I got a totaly different MD5: a34ed91ac69e2a73bc6689709c37f755/b00208bc8040358280f574711adcc51d

i used your dumper script, which is linked to on the nighlybuild page (http://www.magiclantern.fm/forum/index.php?topic=17969.msg172875#msg172875).

I used a 8GB and an 256MB SD card to verify that my cards are not somehow the reason. How can i run the "generic" dumper on my vanilla 1300D camera? or is it the same code?

I do not get it to work on qemu as well. the console logs:

Code: [Select]

./run_canon_fw.sh 1300D

DebugMsg=0xFE11F394 (from GDB script)
Lockdown read 0
Lockdown read 0
Lockdown read 1
Lockdown read 1
Lockdown read 2
Lockdown read 2
Lockdown read 3
Lockdown read 3
Lockdown read 4
Lockdown read 4
00000000 - 00000FFF: eos.tcm_code
40000000 - 40000FFF: eos.tcm_data
00001000 - 1FFFFFFF: eos.ram
40001000 - 5FFFFFFF: eos.ram_uncached
F0000000 - F1FFFFFF: eos.rom0
F2000000 - F3FFFFFF: eos.rom0_mirror
F4000000 - F5FFFFFF: eos.rom0_mirror
F6000000 - F7FFFFFF: eos.rom0_mirror
F8000000 - F9FFFFFF: eos.rom1
FA000000 - FBFFFFFF: eos.rom1_mirror
FC000000 - FDFFFFFF: eos.rom1_mirror
FE000000 - FFFFFFFF: eos.rom1_mirror
C0000000 - CFFFFFFF: eos.iomem
[EOS] enabling code execution logging.
[EOS] loading './1300D/ROM0.BIN' to 0xF0000000-0xF1FFFFFF
[EOS] loading './1300D/ROM1.BIN' to 0xF8000000-0xF9FFFFFF
[MPU] warning: non-empty spell #12 (PROP 80030040) has duplicate(s): #11 
[MPU] warning: non-empty spell #13 (PROP_CARD2_STATUS) has duplicate(s): #49 
[MPU] warning: non-empty spell #35 (PROP_VIDEO_MODE) has duplicate(s): #36 

[MPU] Available keys:
- Arrow keys   : Navigation ...

but the gui does not show up. Do i need a special parameter on the ./run_canon_fw.sh? i only used ./run_canon_fw.sh 1300D.

thx in advance

a1ex · « **Reply #97 on:** December 29, 2017, 03:25:08 PM »

User settings are saved in the ROM (usually ROM1), so it's actually very difficult to get identical MD5 for this one. Not sure if clearing Canon settings does the trick (probably not, as the location of these settings also changes in the ROM).

Their role is to make sure the dumping process was successful (so if the checksum from ROM1.MD5 matches your ROM1.BIN, it's fine).

Full log? Also try running with -d debugmsg to see more messages.

DeinGott · « **Reply #98 on:** December 29, 2017, 03:56:40 PM »

yes the md5 of the rom1 is equal to the actual md5 of the rom1. The rom0.md5 is different, but as i get if from the other posts, the rom0 is not connected, so this is expected.

the parameter -debugmsg does not give other output. is there any other way, to get more debug output? i redownloaded all the magiclatern repo (hg clone .. ) and build all new, but still the same problems.

The output again:

Code: [Select]

./run_canon_fw.sh 1300D -d debugmsg

DebugMsg=0xFE11F394 (from GDB script)
Lockdown read 0
Lockdown read 0
Lockdown read 1
Lockdown read 1
Lockdown read 2
Lockdown read 2
Lockdown read 3
Lockdown read 3
Lockdown read 4
Lockdown read 4
00000000 - 00000FFF: eos.tcm_code
40000000 - 40000FFF: eos.tcm_data
00001000 - 1FFFFFFF: eos.ram
40001000 - 5FFFFFFF: eos.ram_uncached
F0000000 - F1FFFFFF: eos.rom0
F2000000 - F3FFFFFF: eos.rom0_mirror
F4000000 - F5FFFFFF: eos.rom0_mirror
F6000000 - F7FFFFFF: eos.rom0_mirror
F8000000 - F9FFFFFF: eos.rom1
FA000000 - FBFFFFFF: eos.rom1_mirror
FC000000 - FDFFFFFF: eos.rom1_mirror
FE000000 - FFFFFFFF: eos.rom1_mirror
C0000000 - CFFFFFFF: eos.iomem
[EOS] enabling code execution logging.
[EOS] loading './1300D/ROM0.BIN' to 0xF0000000-0xF1FFFFFF
[EOS] loading './1300D/ROM1.BIN' to 0xF8000000-0xF9FFFFFF
[MPU] warning: non-empty spell #12 (PROP 80030040) has duplicate(s): #11 
[MPU] warning: non-empty spell #13 (PROP_CARD2_STATUS) has duplicate(s): #49 
[MPU] warning: non-empty spell #35 (PROP_VIDEO_MODE) has duplicate(s): #36 

[MPU] Available keys:
- Arrow keys   : Navigation 
- PgUp, PgDn   : Sub dial (rear scrollwheel) 
- [ and ]      : Main dial (top scrollwheel) 
- SPACE        : SET 
- M            : MENU (press only)
- P            : PLAY (press only)
- I            : INFO/DISP (press only)
- Q            : guess (press only)
- L            : LiveView (press only)
- A            : Av 
- Shift        : Half-shutter 
- B            : Open battery door 
- C            : Open card door 
- F10          : Power down switch 
- F1           : show this help

[MPU] WARNING: forced shutdown.

For clean shutdown, please use 'Machine -> Power Down'
(or 'system_powerdown' in QEMU monitor.)

a1ex · « **Reply #99 on:** December 29, 2017, 04:04:05 PM »

Forgot about this one, as no other camera requires this - reply #7.

On 1300D, ROM0 is connected (there is valid data if you open it with a hex editor), but since you've got the same MD5 as other users, it means there are no user-specific or calibration data in this ROM.

On most other Rebels, it's not, but 1300D is an unusual mix between DIGIC 4 and 6 (a lot closer to D4).

News:

Author Topic: Canon EOS 1300D / Rebel T6 (Read 274039 times)

Stilia.johny