Canon EOS 1300D / Rebel T6

Started by the12354, October 03, 2016, 11:51:34 AM

Previous topic - Next topic

0 Members and 2 Guests are viewing this topic.

dfort

Tried running a minimal build from the vanilla "hudson" repository and came up with the same error:

./run_canon_fw.sh 1300D,firmware="boot=1" -d debugmsg
SD LOAD OK.
Open file for read : AUTOEXEC.BIN
File size : 0x15A0
Now jump to AUTOEXEC.BIN!!
DRYOS PANIC: Module Code = 1, Panic Code = 2


Quote from: a1ex on June 25, 2017, 05:16:06 PM
That's a good sign - this message can only appear from the main firmware, so we are no longer in bootloader context. Still, probably something went wrong when patching the startup process.

Ok--we've been here before with the EOSM2 but in this case a full ML build is working on the 1300D but a minimal build isn't.

@a1ex -- any hints?

a1ex

Yeah, discussed this on IRC with critix some days ago. The issue appears with the classic boot process, while reserving memory for ML. Unfortunately, this is not possible with current minimal startup code if we just adjust the constants. This code is also used for the installer and some other "minimal" experiments. I should find a way to refactor that code, as DIGIC 2, 3, 6, 7 and very likely 8 are also affected.

In the DryOS shell (QEMU window: View -> Serial0), type "akashimorino", then "drysh", then "meminfo -m". You'll get:

K404[1]>drysh
Dry> meminfo -m
Malloc Information (onetime type)
  Start Address       = 0x000bf408
  End Address         = 0x00141ac8
  Total Size          = 0x000826c0 (   534208)
  Allocated Size      = 0x0002fac8 (   195272)
  Allocated Peak      = 0x0002fb28 (   195368)
  Allocated Count     = 0x00000055 (       85)
  Free Size           = 0x00052bf8 (   338936)
  Free Block Max Size = 0x00052b98 (   338840)
  Free Block Count    = 0x00000002 (        2)


What does that mean?

This is the heap used by Canon firmware for malloc. It's quite small, i.e. not large enough for loading the full ML; that's why we use AllocateMemory for that on cameras with a small "malloc" heap. However, for mission-critical stuff (like setting the boot flag, which is going to modify the ROM) I prefer this minimalist "one size fits all" code, which so far worked on all DIGIC 4 and 5 cameras. 1300D is the first exception.

Why?


0xFE0C3A60   LDR R0, =0x14B400
0xFE0C3A6C   SUB R1, R0, #0x8C000  ; result is 0xbf400


These two are the start (R1) and end (R0) address of our malloc heap. We want to resize (shrink) it and load autoexec.bin there. This trick is to make sure Canon firmware is not going to overwrite our code.

On all other DIGIC 4 and 5 models, these two addresses are loaded from a PC-relative address, i.e. with LDR instructions. Therefore, we define HIJACK_INSTR_BSS_END*) to point to that constant, and we change its value in the relocated startup code according to autoexec.bin size. If we load ML at the beginning of that heap, we have RESTARTSTART set slightly above 0xbf400, and we modify the start address of that heap to be above our BSS (that is, after the last memory address our autoexec.bin is going to use for statically allocated things).

*) I have a feeling the BSS_END name actually comes from this:

Dry> memmap
== DRAM ==
00001900 : data start
           0x0004dbac(318380)
0004f4ac : bss start
           0x000358d0(219344)
000bf400 : heap start      <-- see Trammell's comment: "Reserve memory after the BSS for our application"
           0x000828ec(534764)
00141cec : heap end


Anyway. The amount of memory we take away from Canon's malloc heap is, from 80D's minimal.c:

    uint32_t ml_reserved_mem = (uintptr_t) _bss_end - INSTR( HIJACK_INSTR_BSS_END );


On 1300D, to change the start address, we no longer a constant that we can just modify in the relocated startup code; it's an instruction that we have to change. Some ways to fix:

- allocate space for this constant (e.g. somewhere in the _reloc buffer) and replace that SUB instruction with a LDR
- replace that SUB instruction with a MOV (e.g. MOV R1, #new_address)
- change the end address instead (that won't help, as we'd have to recompute that SUB so the start address stays the same)
- load the minimal binary elsewhere, e.g. there's a 0.88MB gap apparently unused (however, I wouldn't trust it for mission-critical code, as the 60D also has apparently unused regions in that graph that are actually used by Canon firmware).

Option #2 appears to be fairly straightforward, except we need a way to encode arbitrary values in a MOV instructions. We've got a bunch of definitions in arm-mcr.h:

#define MOV_R0_0x450000_INSTR 0xE3A00845
#define MOV_R1_0xC80000_INSTR 0xE3A01732
#define MOV_R1_0xC60000_INSTR 0xE3A018C6


However, the constant I want to encode depends on autoexec.bin size (that would be the address of _bss_end, rounded up). Therefore, I'd like a generic definition that would encode some arbitrary constant as a MOV instruction. Back then, Nanomad tried to provide such a definition, but it's currently incomplete:

#define MOV_RD_IMM_INSTR(rd,imm)\
    ( 0xE3A00000 \
    | (rd << 15) \
    )


So, that's a small low-level coding task I've suggested to critix, but anyone else is welcome to give it a try.

a1ex

Quote from: a1ex on August 05, 2018, 06:12:41 PM
I should find a way to refactor that code, as DIGIC 2, 3, 6, 7 and very likely 8 are also affected.

Hopefully done; I could finally compile the installer and other minimal examples!


cd minimal/hello-world
make MODEL=1300D clean
make MODEL=1300D install_qemu CONFIG_QEMU=y

dfort

Yay!



Does this mean that a .FIR file is near?

critix

Superb ... That means we are a big step forward.
Congratulations...
I can hardly wait to start the 1300D magic-lantern.
Canon 1300D, 500D, EOS M, EOS M2

cbbrowne

Quote from: dfort on August 21, 2018, 12:54:41 AM
Yay!

Fantastic, indeed!  I tried duplicating the process without much luck...

cbbrowne@cbbrowne2:~/GitStuff/magic-lantern/minimal/hello-world$ ls
Makefile  minimal.c
cbbrowne@cbbrowne2:~/GitStuff/magic-lantern/minimal/hello-world$ make MODEL=1300D clean
../../platform/Makefile.platform.base:19: FW_VERSION for 1300D is not defined
../../platform/Makefile.platform.base:60: *** ROMBASEADDR is not defined.  Stop.

But if others are moving forwards, tis awesome!

critix

Minimal it's work. I tested like dfort and i's work.
Canon 1300D, 500D, EOS M, EOS M2

Bigby

Hi, long time thread lurker, first time poster. I was wondering how things were coming along with getting ML to run on the 1300D? It seems like some significant progress has been made last but there hasn't been a new post in almost a month now. 

dfort

Minimal should be working on camera but the boot flag needs to be enabled. Compiling a ML-SETUP.FIR for the 1300D is pretty much up to a1ex's discretion at this point.

tusabescomoesquebrego

Hello I am new and I saw a friend used ML but it is a 5D and I have the 1300D, my kind question is whether the full or workable version for the 1300D is already available and where you can download it, thanks.

D3ADgiveaway

Quote from: a1ex on August 20, 2018, 09:53:25 PM
Hopefully done; I could finally compile the installer and other minimal examples!


cd minimal/hello-world
make MODEL=1300D clean
make MODEL=1300D install_qemu CONFIG_QEMU=y


I am also curious as how this port is coming along?


evshaddock

hey... I don't wanna be one of those guys, but I've been checking this thread every other day for like a year... every bump gives me hope

RAWWORK

Money time what is needed to finish the T6 ML?

Walter Schulz

Money isn't an issue. Work is done by devs in their spare time (if any).
Time might be, though. But only if one requirement is met:
Top of page -> Downloads -> Download nightly builds -> Your camera is not listed?
"A port of a new camera model happens if and only if there is a developer who has the camera and sufficient time, motivation and skill to complete the port."

nikfreak

Camera is rather old but entry level. Porting ML onto it should be straight forward once you've already done a port. I several times was thinking about doing EOS 2000D port but would never invest or buy that cam on my own. It's identical to the EOS 1300D. Even the sdcard is still crippled and will only do 20MB/s (forget raw video!!!)  but it has 24Mpx sensor which got my interest (seems to be on par with 750D). So would be useful for stills photography.
[size=8pt]70D.112 & 100D.101[/size]

D3ADgiveaway

Quote from: Walter Schulz on November 01, 2018, 08:06:18 AM
Money isn't an issue. Work is done by devs in their spare time (if any).
Time might be, though. But only if one requirement is met:
Top of page -> Downloads -> Download nightly builds -> Your camera is not listed?
"A port of a new camera model happens if and only if there is a developer who has the camera and sufficient time, motivation and skill to complete the port."

Looks like it is an issue over here on Twitter... lol
https://twitter.com/RandumAccess/status/1055627275406843904?s=20

Chris7945

Hi long time thread lurker. I'm just wondering is their anything i could do to help?

Bigby

I don't mean for this come off as an ad but maybe some of the people on here still waiting for ML to get ported over to the 1300D, should check out an app called DslrController. The things I was most interested in ML were focus peaking, crop marks and zebras and this app makes your phone or tablet act like an external monitor that offers up those options. It can be quite laggy when recording but you get used to it and I find that it's a decent alternative to ML.

stealthkk

Hey guys. Full stack principal dev here. I have this camera and I want to help. No idea where to start. What do I need and what can I do to help? I really want ML on the EOS Rebel T6. Been monitoring the thread for a long time and I have no idea where to start. I don't know of any wiki that has a getting started thing and I can't seem to glean WTF is going on from any of the random posts I read. Are there other areas on this forum that are generic enough to get started with something???

jox58

@stealthkk

Another long time lurker here who hasn't had the time to contribute.

In answer to your question, as far as I can make out, at the top of this forum page there is a link for Downloads. From there is a Source Code section with links to download the source code and a compiler.

There is also a link to Browse the Source Code. From there is a Branches link from where you will get to the select and view the 1300D commit history and code.

There is also a General Development Discussion forum.

critix

Hi.
Alex, can you generate Magic Lantern State Diagrams for 1300D?
Thanks.
Canon 1300D, 500D, EOS M, EOS M2

stealthkk

Quote from: jox58 on December 08, 2018, 06:01:45 AM
@stealthkk

Another long time lurker here who hasn't had the time to contribute.

In answer to your question, as far as I can make out, at the top of this forum page there is a link for Downloads. From there is a Source Code section with links to download the source code and a compiler.

There is also a link to Browse the Source Code. From there is a Branches link from where you will get to the select and view the 1300D commit history and code.

There is also a General Development Discussion forum.

Soooooo.....yyyeah, I was going to clone source and begin helping today but to my surprise the repo is in Mercurial.... ummmmm... ooookay. Interesting choice. Unfortunately I, and most of the development world, use git so I guess I'll have to get Mercurial and learn it. Slight setback.

dfort

Maybe this helps?

https://bitbucket.org/durin42/hg-git/src/default/

In any case, using Mercurial probably isn't the hard part. Dump the firmware, patch it to run in QEMU, disassemble it and find the missing pieces.

critix

I have defined CONFIG_PROP_REQUEST_CHANGE in internals.h.
I left only the following active modules for compilation:
file_man \
lua \
bench \
selftest \
adv_int \
edmac \

If I set the lines in all_features.h:

#ifdef CONFIG_PROP_REQUEST_CHANGE
    #define FEATURE_LV_ZOOM_SETTINGS
    #define FEATURE_LV_ZOOM_SHARP_CONTRAST
    #ifdef CONFIG_EXPSIM
    #define FEATURE_LV_ZOOM_AUTO_EXPOSURE
    #endif
    //~ #define FEATURE_ZOOM_TRICK_5D3 // not reliable

    #define FEATURE_LV_FOCUS_BOX_FAST
    #define FEATURE_LV_FOCUS_BOX_SNAP
    //~ #define FEATURE_LV_FOCUS_BOX_SNAP_TO_X5_RAW
    #define FEATURE_LV_FOCUS_BOX_AUTOHIDE
....
#endif

everything is compiled without errors, but once I start qemu, it blocks itself to:

00C803C0: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0xFE0C3B30
00C803C4: MCR p15,3,Rd,cr15,cr4,0:  DcacheVal <- 0xC80480
Cache patch: [FE0C3B20] <- C80480 (was FE1296C8)
00C803F4: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x374
Lockdown read 1
00C803F8: MRC p15,3,Rd,cr15,cr1,0:  IcacheTag -> 0x0
00C803A8: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x360
00C803AC: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0xFE0C1B70
00C803B0: MCR p15,3,Rd,cr15,cr3,0:  IcacheVal <- 0xE92D4010
00C80390: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x364
00C803AC: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0xFE0C1B70
00C803B0: MCR p15,3,Rd,cr15,cr3,0:  IcacheVal <- 0xE24DD018
00C80390: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x368
00C803AC: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0xFE0C1B70
00C803B0: MCR p15,3,Rd,cr15,cr3,0:  IcacheVal <- 0xE28F0F9A
00C80390: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x36C
00C803AC: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0xFE0C1B70
00C803B0: MCR p15,3,Rd,cr15,cr3,0:  IcacheVal <- 0xEBFFFDB5
00C80390: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x370
00C803AC: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0xFE0C1B70
00C803B0: MCR p15,3,Rd,cr15,cr3,0:  IcacheVal <- 0xEB015F55
00C80390: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x374
00C803AC: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0xFE0C1B70
00C803B0: MCR p15,3,Rd,cr15,cr3,0:  IcacheVal <- 0xE3A0160D
00C80390: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x378
00C803AC: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0xFE0C1B70
00C803B0: MCR p15,3,Rd,cr15,cr3,0:  IcacheVal <- 0xE3A0082D
00C80390: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x37C
00C803AC: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0xFE0C1B70
00C803B0: MCR p15,3,Rd,cr15,cr3,0:  IcacheVal <- 0xEB01961C
00C80390: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x374
00C803AC: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0xFE0C1B70
00C803B0: MCR p15,3,Rd,cr15,cr3,0:  IcacheVal <- 0xE3A018C8
Cache patch: [FE0C1B74] <- E3A018C8 (was E3A0160D)

If those definitions are commented, then it's ok.
I'm trying to run Hello Word from script with definition commented but crash:
ASSERT: 0
at SystemIF::KerQueue.c:522, GuiMainTask:7860
lv:0 mode:3

GuiMainTask stack: 19d878 [19d948-19b948]
0x02426B7C @ 23b4240:19d8b8
0x00003CBC @ 785c:19d8b0
0x00C80378 @ c80804:19d878

Magic Lantern version : Nightly.2019Jan13.1300D110
Mercurial changeset   : 788eff4f6400+ (1300D)
Built on 2019-01-13 10:17:22 UTC by root@cristi.
Free Memory  : 256K + 622K


Why is it blocking the patch cache?
Canon 1300D, 500D, EOS M, EOS M2