Canon EOS 1300D / Rebel T6

Started by the12354, October 03, 2016, 11:51:34 AM

Previous topic - Next topic

0 Members and 2 Guests are viewing this topic.

denizza



Chris Thomas

Hey!
I own the 1300D and I really want to get hold of this firmware for a few upcoming projects. I have almost no idea about what's going on here and I don't think I could be of much help, but I wanna know if it's usable on the canon 1300d yet and if someone could point me in the right direction.

Thanks in advance

heder

Brief update.

I promised somewere around april to look into the patch_instruction / cache_fake issue, but was delayed because I could'nt get the 40D raw module running correctly, and after critix reminded my a few times, I have started to look in this issue.

It possible to solve the general patch instruction issue for 1300D, but the problem is more general and the optimal solution is if we can get a solution that works for all cameras. I guess that is why the more simple cache_fake evolved into the patch_manager. Different cpu requires different tricks and hack to cope with our demands.

The issue that is annoying us is that normally we could change one single jump instruction into a new jumping instruction that could end up in our code, but due to the 32MB ROM layout that is not longer possible. Hijacking a complete function works fine with a1ex double patch instruction because when we hijack the complete function we have multiple instruction that we can change, but the problem is when we change a single instruction inside a function into a jump, or hijacking a jump inside a function to jump somewere else, when we fail because we can only jump +/- 32MB.

There are around two major solution to this problem, hard ones and perhaps a easy one. The hard one will allow us to use two instruction patch and thereby overwriting one additional instruction, and to avoid a crash, we would have to jump to a hook function then call the new funtion and afterward take into account (recode) the overwritten instruction. If we were hijacking a complete function fixup (recoding) would not be nessesary. Coding this => not me.

The easy solution is jumping multiple jumps, works fine, tested it. Each jump can to +/- 32MB, so two jumps and we're +/-64MB, then 1300D will work out just fine, should also work just fine with all other cameras. This one however requires that we can allocate a small ammount of memory (to store the 2nd jump instruction) within +/-32MB from ROM layout. I tried to use the ITCM area on the 500D (1300d branch) but that was a failure, because the 500D seems to uses that area, so other cameras may fail aswell. But looking at the memory layout it seems like 1300D malloc's has it first avilable memory is 0xBF408, see Reply #251. The ROM layout starts at 0xFE0C0000, which means we can jump anywere from ROM and below 0xC0000 (garanteed), and that solves the issue. Solution is to reserve a few bytes from 0xBF408 and use that as 2nd jumping table. Just need to code that.

Any comments, idea suggestions, yes, please.   
... some text here ..

critix

Congratulations. I hope you succeed
with the code.
Canon 1300D, 500D, EOS M, EOS M2

Alsenor de Paula

Quote from: critix on February 07, 2020, 12:22:43 PM
ML is not running on 1300D yet.
Boa tarde amigos!
Enquanto não sai o ML para a 1300D tem alguma forma de deixar a HDMI limpa neste equipamento?

heder

Breif update.

I have been coding a new patch_instruction_jump function specific for jumps, (jump above +/- 32 MB address range) that uses multiple jumps.  It's not complete yet, but now its holiday :) so I'm off programming the next two weeks. Still need to allocate memory correctly and I also have some troubles making my second jump into a absolute jump, LDR PC, [PC,offset] crashes for some unknown reasons. These tests does not jump above 32 MB, but so far only verifies that multiple jumps are working as intended.

Here is a output from my lastest test in QEMU (500D.111):



============================================
======== Memory before patching      =======
============================================
failure_stubs1 addr 4da4c (e92d4008)
failure_stubs2 addr 4da30 (e92d4008)
failure_stubs3 addr 4da14 (e92d4008)
failure_stubs4 addr 4d9f8 (e92d4008)
failure_stubs5 addr 4d9e0 (e92d4008)
failure_stubs6 addr 4d9c8 (e92d4008)
success_stubs  addr 4d9b0 (e92d4008)
============================================
= Testing cache_fake (QEMU ROM patching)   =
============================================
* calling failure_stub1, return value expected (1000) actual = 1000
* calling success_stub , return value expected (1) actual = 1
* patching (re-route failure stub to success stub)
* calling failure_stub1, return value expected (1) actual = 1
* Test was a success

============================================
= Testing MEM(data) (QEMU ROM patching)    =
============================================
* calling failure_stub2, return value expected (1001) actual = 1001
* calling success_stub , return value expected (1) actual = 1
* patching (re-route failure stub to success stub)
* calling failure_stub2, return value expected (1) actual = 1
* Test was a success

============================================
= Simple double jump (relative) hardcoded  =
============================================
* calling failure_stub3, return value expected (1002) actual = 1002
* calling success_stub , return value expected (1) actual = 1
* patching (re-route failure stub to success stub)
* calling failure_stub3, return value expected (1) actual = 1
* Test was a success

============================================
= Simple double jump:                      =
= patch_instruction + MEM(data) patch      =
============================================
* calling failure_stub4, return value expected (1003) actual = 1003
* calling success_stub , return value expected (1) actual = 1
* patching (re-route failure stub to success stub)
* calling failure_stub4, return value expected (1) actual = 1
* Test was a success

============================================
= patch_instruction_jump (double rel jump) =
============================================
* calling failure_stub5, return value expected (1004) actual = 1004
* calling success_stub , return value expected (1) actual = 1
* using jump_vector 0 (address 9895e4)
* patching (re-route failure stub to success stub)
* calling failure_stub5, return value expected (1) actual = 1
* Test was a success

============================================
= patch_instruction_jump (single rel jump) =
============================================
* calling failure_stub6, return value expected (1005) actual = 1004
* calling success_stub , return value expected (1) actual = 1
* patching (re-route failure stub to success stub)
* calling failure_stub6, return value expected (1) actual = 1
* Test was a success

============================================
= patch_instruction_jump (double abs jump) =
= This test is missing                     =
============================================

============================================
= malloc versus stack versus static        =
= This test is missing                     =
============================================

============================================
======== Memory after patching       =======
============================================

failure_stubs1 addr 4da4c (eaffffd7)
failure_stubs2 addr 4da30 (eaffffde)
failure_stubs3 addr 4da14 (ea01ea43)
failure_stubs4 addr 4d9f8 (ea01ea4a)
failure_stubs5 addr 4d9e0 (ea24eeff)
failure_stubs6 addr 4d9c8 (eafffff8)
success_stubs  addr 4d9b0 (e92d4008)

============================================
============ Done ==========================
============================================
... some text here ..

cbbrowne

Quote from: heder on June 11, 2020, 02:38:37 PM
Brief update.
(Lots elided!)

Solution is to reserve a few bytes from 0xBF408 and use that as 2nd jumping table. Just need to code that.

I must say, that was NOT a "brief" update  :)

I'm very pleased to see that an understanding of the nature of the problem has emerged, as well as the general shape of a solution.  Oh, my, jump tables  :) :) :)

It is especially pleasing that this seems likely to help other cameras too.

rubiaso

You guys have all my support!
I wish I could help you, I wish you the best.

heder

Hello :)

Help needed

I now have alternative patch_instruction called patch_instruction_jump running using a jump table which utilizes the
FAR_CALL trampoline. I have reserved room for 16 far call jumps, and I'm searching for people who are ready to test
and verify this in the QEMU. These tests verify that the cache hijack tricks are working as intended.

Requirements:
Due to bitbucket is closing down the test process is abit different than normally.

1. Download 1300d branch (https://bitbucket.org/hudson/magic-lantern/branch/1300D)
2. Overwrite some files from https://github.com/jmheder/ml/raw/master/update.zip (patch.c,patch.h,init.c,boot-hack.h)
3. make autoexec.bin (other targets will properly fail and is not needed anyway)
4. run _ONLY_ in QEMU (update autoexec.bin in sd.img/cf.img)
5. Post the console output from start until :
   ============================================
   ============ Done ==========================
   ============================================

Output result from 500d
Lockdown read 1
Lockdown read 1
Lockdown read 0
Lockdown read 0
Lockdown read 2
Lockdown read 2
Lockdown read 3
Lockdown read 3
Lockdown read 4
Lockdown read 4
Lockdown read 5
Lockdown read 5
00000000 - 00000FFF: eos.tcm_code
40000000 - 40000FFF: eos.tcm_data
00001000 - 0FFFFFFF: eos.ram
40001000 - 4FFFFFFF: eos.ram_uncached
F8000000 - F8FFFFFF: eos.rom1
F9000000 - F9FFFFFF: eos.rom1_mirror
FA000000 - FAFFFFFF: eos.rom1_mirror
FB000000 - FBFFFFFF: eos.rom1_mirror
FC000000 - FCFFFFFF: eos.rom1_mirror
FD000000 - FDFFFFFF: eos.rom1_mirror
FE000000 - FEFFFFFF: eos.rom1_mirror
FF000000 - FFFFFFFF: eos.rom1_mirror
C0000000 - CFFFFFFF: eos.mmio
[EOS] loading './500D/ROM1.BIN' to 0xF8000000-0xF8FFFFFF
[MPU] warning: non-empty spell #9 (PROP_CARD2_STATUS) has duplicate(s): #39

[MPU] Available keys:
- Arrow keys   : Navigation
- [ and ]      : Main dial (top scrollwheel)
- SPACE        : SET
- DELETE       : guess (press only)
- M            : MENU (press only)
- P            : PLAY (press only)
- I            : INFO/DISP (press only)
- L            : LiveView (press only)
- A            : Av
- Z/X          : Zoom in/out
- Shift        : Half-shutter
- 0/9          : Mode dial (press only)
- V            : Movie mode (press only)
- B            : Open battery door
- C            : Open card door
- F10          : Power down switch
- F1           : show this help

Setting BOOTDISK flag to FFFFFFFF
FFFF23C8: MCR p15,0,Rd,cr6,cr0,0:  946_PRBS0 <- 0x3F       (00000000 - FFFFFFFF, 0x100000000)
FFFF23D0: MCR p15,0,Rd,cr6,cr1,0:  946_PRBS1 <- 0x3D       (00000000 - 7FFFFFFF, 0x80000000)
FFFF23D8: MCR p15,0,Rd,cr6,cr2,0:  946_PRBS2 <- 0xE0000039 (E0000000 - FFFFFFFF, 0x20000000)
FFFF23E0: MCR p15,0,Rd,cr6,cr3,0:  946_PRBS3 <- 0xC0000039 (C0000000 - DFFFFFFF, 0x20000000)
FFFF23E8: MCR p15,0,Rd,cr6,cr4,0:  946_PRBS4 <- 0xFF00002F (FF000000 - FFFFFFFF, 0x1000000)
FFFF23F0: MCR p15,0,Rd,cr6,cr5,0:  946_PRBS5 <- 0x39       (00000000 - 1FFFFFFF, 0x20000000)
FFFF23F8: MCR p15,0,Rd,cr6,cr6,0:  946_PRBS6 <- 0xF780002D (F7800000 - F7FFFFFF, 0x800000)
FFFF2400: MCR p15,0,Rd,cr2,cr0,0: DCACHE_CFG <- 0x70
FFFF2408: MCR p15,0,Rd,cr3,cr0,0:       DACR <- 0x70
FFFF240C: MCR p15,0,Rd,cr2,cr0,1: ICACHE_CFG <- 0x70
FFFF2410: MCR p15,0,Rd,cr5,cr0,0:    DATA_AP <- 0x3FFF
FFFF2418: MCR p15,0,Rd,cr5,cr0,1:    INSN_AP <- 0x3FFF
FFFF241C: MRC p15,0,Rd,cr1,cr0,0:      SCTLR -> 0x2078
FFFF241C: MCR p15,0,Rd,cr1,cr0,0:      SCTLR <- 0xC000307D
FFFF05F0: MCR p15,0,Rd,cr9,cr1,1:       ITCM <- 0x6        (00000000 - 00000FFF, 0x1000)
FFFF0604: MRC p15,0,Rd,cr1,cr0,0:      SCTLR -> 0xC000307D
FFFF0604: MCR p15,0,Rd,cr1,cr0,0:      SCTLR <- 0xC004307D
FFFF062C: MRC p15,0,Rd,cr1,cr0,0:      SCTLR -> 0xC004307D
FFFF062C: MCR p15,0,Rd,cr1,cr0,0:      SCTLR <- 0xC004107D
FFFF0640: MCR p15,0,Rd,cr9,cr1,0:       DTCM <- 0x40000006 (40000000 - 40000FFF, 0x1000)
FFFF0648: MRC p15,0,Rd,cr1,cr0,0:      SCTLR -> 0xC004107D
FFFF0648: MCR p15,0,Rd,cr1,cr0,0:      SCTLR <- 0xC005107D
SD: CMD12 in a wrong state
[SDIO] Error
SD: CMD12 in a wrong state
[SDIO] Error
CF LOAD OK.
Open file for read : AUTOEXEC.BIN
SD: CMD12 in a wrong state
[SDIO] Error
SD: CMD12 in a wrong state
[SDIO] Error
Total_size=7DC60
Now jump to AUTOEXEC.BIN!!
0010AA80: MRC p15,0,Rd,cr1,cr0,0:      SCTLR -> 0xC005107D
0010AA80: MCR p15,0,Rd,cr1,cr0,0:      SCTLR <- 0xC005107D
0010A954: MCR p15,0,Rd,cr7,cr5,0: FlushICache <- 0x0
0087D61C: MCR p15, ...          : CACHEMAINT x770 (omitted)
0087D61C: MCR p15,0,Rd,cr7,cr5,0: FlushICache <- 0x0
[boot] copy_and_restart 0x4d000 (315392)
[BOOT] changing user_mem_start from 0x4c5c4 (312772) to 0xdea40 (911936)
[BOOT] changing init_task from 0xff011dbc (-16704068) to 0x4d3dc (316380)
[BOOT] expecting armlib to overwrite A44C4: 9A000088 (task id 20002)
[BOOT] autoexec.bin loaded at 4D000 - DEA40.
[BOOT] calling pre_init_task 4E550...
[BOOT] installing task dispatch hook at 0x1934 (6452)
[BOOT] reserved 596544 bytes for ML (used 596544)
[BOOT] starting init_task 12BEFC...
K252 READY
[BOOT] A44C4 now contains 0, restoring 9A000088.
[BOOT] calling post_init_task 4E5B4...
[****] Starting task ff07102c(0) EvShel
[****] Starting task ff014ecc(0) ConsoleSvr

Open Console K252[1]>...

K252[1]>[****] Starting task ff0292cc(302430) Startup
[****] Starting task ff013580(0) Startup
[DMA1] Copy [0xF8A00000] -> [0x40304800], length [0x00196794], flags [0x00030001]
[DMA1] OK
[DMA2] Copy [0xF8910000] -> [0x405C4A00], length [0x000323DC], flags [0x00030001]
[DMA2] OK
[****] Starting task ff01563c(0) LowConsole
[****] Starting task ff1a67b0(302174) DbgMgr
[DMA2] Copy [0xF88F7000] -> [0x40604C00], length [0x00000864], flags [0x00030001]
[DMA2] OK
[DMA2] Copy [0xF89B0000] -> [0x40605E00], length [0x0000F3BC], flags [0x00030001]
[DMA2] OK
[DMA2] Copy [0xF8EB0000] -> [0x40626000], length [0x00008DDC], flags [0x00030001]
[DMA2] OK
[****] Starting task ff1a67b0(65827c) PropMgr
[MPU] Received: 06 04 02 00 00 00  (Init - spell #1)
[MPU] Sending : 0a 08 03 2f 00 00 00 00 00 00  (PROP_SPECIAL_OPTION)
[MPU] Sending : 06 05 01 37 00 00  (PROP_CARD_EXTENSION)
[MPU] Sending : 08 07 01 33 00 00 00 00  (PROP 80000029)
[MPU] Sending : 14 12 02 04 0d 01 01 00 02 00 00 03 00 00 00 00 00 00 00 00  (PROP_CFN)
[MPU] Sending : 06 05 01 20 00 00  (PROP_CARD1_EXISTS)
[MPU] Sending : 06 05 01 21 01 00  (PROP_CARD2_EXISTS)
[MPU] Sending : 06 05 01 22 00 00  (PROP_CARD3_EXISTS)
[MPU] Sending : 06 05 03 0c 00 00  (PROP_CARD1_RECORD)
[MPU] Sending : 06 05 03 0d 01 00  (PROP_CARD2_RECORD)
[MPU] Sending : 06 05 03 0e 01 00  (PROP_CARD3_RECORD)
[MPU] Sending : 08 06 01 23 00 01 00 00  (PROP_CARD1_STATUS)
[MPU] Sending : 08 06 01 24 00 00 00 00  (PROP_CARD2_STATUS)
[MPU] Sending : 08 06 01 25 00 00 00 00  (PROP_CARD3_STATUS)
[MPU] Sending : 06 05 01 2e 01 00  (PROP_SAVE_MODE)
[MPU] Sending : 06 05 01 37 00 00  (PROP_CARD_EXTENSION)
[MPU] Sending : 06 05 01 2c 02 00  (PROP_CURRENT_MEDIA)
[MPU] Sending : 06 05 03 20 00 00  (PROP_STARTUP_CONDITION)
[MPU] Sending : 06 05 01 42 00 00  (PROP_PHOTO_STUDIO_MODE)
[MPU] Sending : 06 05 01 43 00 00  (PROP 80040017)
[MPU] Sending : 06 05 01 44 00 00  (PROP 80040018)
[MPU] Sending : 06 05 01 46 00 00  (PROP_PHOTO_STUDIO_ENABLE_ISOCOMP)
[MPU] Sending : 06 05 01 48 01 00  (PROP_LIVE_VIEW_MOVIE_SELECT)
[MPU] Sending : 06 05 01 49 01 00  (PROP_LIVE_VIEW_AF_SYSTEM)
[MPU] Sending : 06 05 01 4b 01 00  (PROP_LIVE_VIEW_VIEWTYPE_SELECT)
[MPU] Sending : 08 06 01 47 0a 02 00 00  (PROP_SELFTIMER_CONTINUOUS_NUM)
[MPU] Sending : 06 05 03 37 00 00  (PROP_MIRROR_DOWN_IN_MOVIE_MODE)
[MPU] Sending : 2c 2a 02 00 03 03 03 00 03 00 00 48 01 00 00 0a 8c 00 00 00 00 83 06 00 00 04 06 00 00 04 06 00 00 04 01 00 00 00 00 00 58 24 aa 00  (Init group)
[****] Starting task ff1a67b0(65cd48) EventMgr
[MPU] Sending : 06 05 03 04 00 00  (PROP_POWER_KIND)
[MPU] Sending : 06 05 03 05 01 00  (PROP_POWER_LEVEL)
[MPU] Sending : 1e 1c 03 30 1b 1b 21 65 65 65 47 65 10 3a 10 3a 10 3a 00 1d 00 1d 00 1d 00 1d 00 00 00 00  (PROP 8003002A)
[MPU] Sending : 06 05 01 38 00 00  (PROP 80040005)
[MPU] Sending : 06 05 01 39 00 00  (PROP 80040006)
[MPU] Sending : 0c 0b 01 0a 00 79 00 00 00 00 00 00  (PROP_AFPOINT)
[MPU] Sending : 0e 0c 03 2e 00 00 22 81 00 00 26 89 00 00  (PROP_SHUTTER_COUNTER)
[MPU] Sending : 0a 08 03 2f 00 00 00 00 00 00  (PROP_SPECIAL_OPTION)
[MPU] Sending : 06 05 03 23 01 00  (unnamed)
[MPU] Sending : 06 05 03 24 00 00  (PROP_LENS_NAME)
[MPU] Sending : 06 04 03 25 00 00  (unnamed)
[MPU] Sending : 08 06 01 45 00 10 00 00  (PROP_METERING_TIMER_FOR_LV)
[MPU] Received: 08 06 00 00 02 00 00 00  (Complete WaitID = 0x80000001 Init - spell #2)
[MPU] Sending : 06 05 01 09 00 00  (PROP_FEC)
[MPU] Sending : 06 05 01 0d 00 00  (PROP_WB_MODE_PH)
[MPU] Sending : 06 05 01 3e 00 00  (PROP_ELECTRIC_SHUTTER_MODE)
[MPU] Sending : 06 05 01 3f 00 00  (PROP_FLASH_ENABLE)
[MPU] Sending : 06 05 01 40 00 00  (PROP_STROBO_ETTLMETER)
[MPU] Sending : 06 05 01 41 00 00  (PROP_STROBO_CURTAIN)
[****] Starting task ff1a67b0(65d32c) FileMgr
[****] Starting task ff1a67b0(77db1c) FileCache
[****] Starting task ff1a67b0(77dddc) RscMgr
[MPU] Received: 0a 08 03 06 00 00 00 00 00 00  (PROP_AVAIL_SHOT - spell #3)
[MPU] Received: 06 04 03 10 00 00  (PROP 80030008 - spell #4)
[MPU] Received: 06 05 03 07 ff 00  (PROP_BURST_COUNT - spell #5)
[MPU] Received: 06 05 01 2e 01 00  (PROP_SAVE_MODE - spell #6)
[MPU] Sending : 06 05 01 2e 01 00  (PROP_SAVE_MODE)
[MPU] Received: 0a 08 03 0b 00 00 00 00 00 00  (PROP 80030007 - spell #7)
[****] Starting task ff1a5e0c(781340) ShootCapture
[****] Starting task ff1a5e0c(7c2a4c) ShootBlack
[EDMAC#3] Starting transfer to 0x1FF0000 from <0>, 32x2048, flags=0x0
[CAPTURE] FIXME: what should we do here?
[EDMAC#3] 65536 bytes written to 1FF0000-2000000.
[EDMAC#3] transfer delay 1 x 256 us.
[EDMAC#10] Starting transfer from 0x61425C to <8>, 2000x1000, flags=0x20000
[EDMAC#10] 2000000 bytes read from 61425C-7FC6DC.
[EDMAC#10] transfer delay 38 x 256 us.
[ADKIZ] Data unavailable; will try again later.
[HIV] Data unavailable; will try again later.
[EDMAC#11] Starting transfer from 0x431C64 to <15>, 2000x1000, flags=0x40000
[EDMAC#11] 2000000 bytes read from 431C64-61A0E4.
[EDMAC#11] transfer delay 38 x 256 us.
[ADKIZ] Dummy operation.
[HIV] Data unavailable; will try again later.
[EDMAC#3] Starting transfer to 0x1FE0000 from <0>, 32x2048, flags=0x0
[CAPTURE] FIXME: what should we do here?
[EDMAC#3] 65536 bytes written to 1FE0000-1FF0000.
[EDMAC#3] transfer delay 1 x 256 us.
[EDMAC#10] Starting transfer from 0x61465C to <8>, 2000x1000, flags=0x20000
[EDMAC#10] 2000000 bytes read from 61465C-7FCADC.
[EDMAC#10] transfer delay 38 x 256 us.
[ADKIZ] Data unavailable; will try again later.
[HIV] Data unavailable; will try again later.
[EDMAC#11] Starting transfer from 0x414DDC to <15>, 2000x1000, flags=0x40000
[EDMAC#11] 2000000 bytes read from 414DDC-5FD25C.
[EDMAC#11] transfer delay 38 x 256 us.
[ADKIZ] Dummy operation.
[HIV] Data unavailable; will try again later.
[****] Starting task ff1a5e0c(7c2e54) ShootPreDevelop
[****] Starting task ff020828(0) MainCtrl
[MPU] Received: 06 05 04 0e 01 00  (PROP 8002000D - spell #8)
[****] Starting task ff1a5e0c(7c31ec) TOMgr
[****] Starting task ff1a5e0c(7c4380) Fstorage
[****] Starting task ff064b28(0) DOSDriver
[****] Starting task ff329c04(0) CSMgrTask
[****] Starting task ff01dccc(0) HotPlug
     0:    51.968 [STARTUP]
K252 ICU Firmware Version 1.1.1 ( 3.6.4 )
    42:   162.304 [RSC] PROP_IMG_VRAM_OFFSET = 30720
    43:   162.560 [RSC] AllocateMemoryUnit For ExMem1
    44:   162.560 [RSC] AllocateMemoryUnit For ExMem1_2
    64:   215.552 [RSC] this->MovSize = 0
    86:   266.240 [ENG] [ENGIO](Addr:0x4ff80000, Data:0x   30000)
    87:   287.232 [CAPE] FIRM TYPE:::DD_B
   111:   314.112 [SHTB] LV PDEF MERGE DONE
   113:   316.672 [FM] FM_RegisterSpaceNotifyCallback
   116:   317.952 [FM] FM_RegisterSpaceNotifyCallback
   138:   337.408 [MC] PROP_GUI_STATE 0
   143:   338.688 [MC] JobState 0
   144:   339.712 [MC] HDMIConnect ---> (0)
   148:   344.576 [MC] regist master CardCover
[****] Starting task ff1a293c(0) PowerMgr
SD: Unknown CMD1
[SDIO] Error
SD: Unknown CMD1
[SDIO] Error
SD: Unknown CMD1
[SDIO] Error
   163:   588.800 [SD] ERROR SDINTREP=0x00000000
   164:   589.056 [SD] ERROR UNEXPECTED ERROR
[MPU] Received: 08 06 01 24 00 01 00 00  (PROP_CARD2_STATUS - spell #9)
[MPU] Sending : 08 06 01 24 00 01 00 00  (PROP_CARD2_STATUS)
[MPU] Received: 08 06 01 27 00 64 00 00  (PROP_CARD2_FOLDER_NUMBER - spell #10)
[MPU] Received: 06 05 03 07 07 00  (unknown - PROP_BURST_COUNT)
[MPU] Received: 0a 08 03 06 00 00 00 07 00 00  (unknown - PROP_AVAIL_SHOT)
[MPU] Received: 08 07 01 2a 20 ae 00 00  (PROP_CARD2_FILE_NUMBER - spell #13)
[MPU] Received: 06 05 03 11 01 00  (PROP_ICU_AUTO_POWEROFF - spell #14)
[MPU] Received: 06 05 02 0a 00 00  (PROP_PERMIT_ICU_EVENT - spell #15)
[MPU] Sending : 06 05 03 37 00 00  (PROP_MIRROR_DOWN_IN_MOVIE_MODE)
[MPU] Sending : 0a 08 03 00 4a 00 00 01 00 00  (PROP 80030000)
[MPU] Received: 06 05 03 0d 00 00  (PROP_CARD2_RECORD - spell #16)
[MPU] Received: 06 05 03 0c 00 00  (PROP_CARD1_RECORD - spell #17)
[MPU] Sending : 14 12 03 15 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  (PROP_LENS)
[****] Starting task ff1a5e0c(840778) FrontShtDevelop
[MPU] Sending : 06 05 03 17 9a 00  (PROP_EFIC_TEMP)
[MPU] Sending : 06 05 03 0d 00 00  (PROP_CARD2_RECORD)
[****] Starting task ff1a5e0c(8409cc) RearShtDevelop
[MPU] Sending : 06 05 03 0c 00 00  (PROP_CARD1_RECORD)
[****] Starting task ff023998(0) GuiLockTask
[MPU] Received: 06 05 03 19 01 00  (PROP_TFT_STATUS - spell #18)
   190:   693.248 [RSC] AddExMem1UnitToShootMemoryObject
   210:   709.888 [PRP] M:4A F:0 L:0 P:1
[****] Starting task ff05326c(0) ASIF
[****] Starting task ff1a67b0(85f724) MovWriter
[****] Starting task ff1a67b0(85f988) MovieRecorder
[****] Starting task ff1a67b0(85facc) LVC_AE
[****] Starting task ff1a67b0(8604e0) LVC_AF
[****] Starting task ff1a67b0(865794) LVC_DEV
[****] Starting task ff1a67b0(8658f8) LVC_MD
[****] Starting task ff037ed8(0) LVC_FACE
[****] Starting task ff1a67b0(868130) LiveViewMgr
[MPU] Received: 06 05 09 11 01 00  (PROP_LV_DISPSIZE - spell #19)
[MPU] Received: 08 06 03 18 00 00 00 00  (PROP 8003000F - spell #20)
[MPU] Received: 08 06 03 1f 00 00 00 00  (PROP 80030019 - spell #21)
[MPU] Received: 06 05 03 13 00 00  (PROP_LOGICAL_CONNECT - spell #22)
[MPU] Received: 06 05 03 1e 00 00  (PROP 8003001A - spell #23)
[****] Starting task ff0549e8(0) SoundDevice
[****] Replacing task ff0549e8 with 80a44
[****] Starting task ff1a5e0c(86a4c0) DiUSB20Drv
[****] Starting task ff1a5e0c(86b374) Remote
[****] Starting task ff104c38(0) USBTrns
[****] Starting task ff10e88c(0) SDIOTrns
[****] Starting task ff20b714(86c904) PTPSessionTASK
[****] Starting task ff1a5e0c(86d6c8) PtpDps
[****] Starting task ff1a5e0c(89e008) Fcreate
[****] Starting task ff1a67b0(86829c) LiveViewAngelMgr
[****] Starting task ff1a5e0c(89f42c) Fread
[****] Starting task ff14a38c(0) AviRead
[****] Starting task ff1468d8(0) MovRead
[****] Starting task ff048390(0) MoviePlay
[****] Starting task ff061a70(0) TftRecover
[****] Starting task ff062f34(0) HDMI
[****] Starting task ff022a9c(0) GuiMainTask
[****] Replacing task ff022a9c with 5bd10
[****] Starting task ff18ab40(0) CtrlSrv
[****] Starting task ff175370(0) ImgPlayDrv
[****] Starting task ff1a67b0(8b6484) ReDevelop
[****] Starting task ff1a67b0(8b6528) DpMgr
[****] Starting task ff0cd2b4(0) DpsReceiveTask
[****] Starting task ff1a67b0(8b83c8) DpImgEditMgr
[****] Starting task ff05ea28(0) EyeFi
[MPU] Received: 06 05 03 19 01 00  (PROP_TFT_STATUS - spell #24)
[MPU] Received: 06 05 03 19 01 00  (PROP_TFT_STATUS - spell #25)
[MPU] Received: 06 05 02 0a 01 00  (PROP_PERMIT_ICU_EVENT - spell #26)
[MPU] Sending : 42 41 0a 08 ff 1f 01 00 01 03 98 10 00 58 01 01 00 00 00 01 01 00 48 04 01 00 15 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  (PD_NotifyOlcInfoChanged)
[MPU] Sending : 06 05 06 11 01 00  (GUI_SWITCH)
[MPU] Sending : 06 05 06 12 00 00  (GUI_SWITCH)
[MPU] Sending : 06 05 06 13 00 00  (GUI_SWITCH)
[MPU] Sending : 06 05 06 1c 00 00  (GUI_SWITCH)
[****] Starting task ff1e22f0(0) PTPtoFAPI_EventProcTask
[****] Starting task ff1a5e0c(89f674) Fwrite
[****] Starting task ff1a67b0(8b606c) Mrk
[MPU] Received: 06 05 03 19 01 00  (PROP_TFT_STATUS - spell #31)
[****] Starting task ff08b160(0) LpfMode
   234:   811.008 [LVAF] lvcafProperty(PROP_LV_AF_RESULT_MPU)
   235:   811.264 [LVAF] lvcafProperty ID=0x80050029(0x0)
[BOOT] my_init_task completed.

======================================
=       jump vector allocation       =
======================================
jump-vector using malloc == 0xfc480 (1033344)
jump-vector alloca == 0x12bdf0 (1228272)
jump_vector_static == 0xd4800 (870400)
jump vector winner was static allocation
   236:   818.432 [LVMD] Init RCh1=0, RCh2=0
   239:   823.808 [LV] InitializeLiveViewDefectDetection
   248:   832.512 [LVMD] Set RCh1=a, RCh2=19
   250:   841.216 [LV] AE ModeDial=3
   258:   849.152 [LVCFG] PROP_LV_ACTION STOP
   259:   849.408 [LV] JudgeStartLV 0x1 0x0 0xFFFF 2 0 0 5138
   262:   850.944 [LVCFG] PROP_LV_LOCK PERIMIT
   263:   851.456 [LV] JudgeStartLV 0x1 0x1 0xFFFF 2 0 0 5145
   266:   851.968 [LVCFG] PROP_SHOOTING_TYPE 0
   267:   854.016 [LV] JudgeStartLV 0x1 0x1 0x0 2 0 0 5152
   282:   861.184 [LV] MovieResolution=0
jump vector allocation doneLens moving (0, 0)
jump_vector - from boot.h = d4800
jump_vector - aligned = d4800
   283:   861.696 [LVCFG] PROP_LIVE_VIEW_VIEWTYPE_SELECT 0->1
   285:   862.208 [LVCFG] PROP_LIGHT_FALLOFF_COMP 0
   313:   928.000 [FM] cnvMakerFocus_Alloc : Not Regist
   315:   928.512 [FM] cnvMakerFocus_Free : Not Regist
   396:   966.656 [PTPCOM] SetPtpTransportResources:0,31cf
   478:  1027.840 [HDMI] HPD OFF
   539:  1129.984 [LV] PROP_OUTPUT_TYPE(0) 9-0 1 0
   589:  1183.488 [GUI] HDMI_VIDEO_CODE 0
   625:  1263.104 [GUI] MainEventHndler PROP_MIRROR_DOWN_IN_MOVIE_MODE(0)
   678:  1291.776 [STARTUP] startupInitializeComplete
   680:  1293.312 [MC] cam event guimode comp. 0
   698:  1304.576 [MC] cam event guimode comp. 0
   723:  1331.200 [MC] notice Lock 1
[****] Starting task 4dbf8(0) ml_backup
[****] Starting task 55b94(0) menu_task
[****] Starting task 58854(0) menu_redraw_task
[****] Starting task 61b78(0) bitrate_task
[****] Starting task 6e1e0(0) focus_task
[****] Starting task 6f368(0) notifybox_task
[****] Starting task 71a88(0) fps_task
[****] Starting task 79ddc(0) shoot_task
[****] Starting task 75854(0) clock_task
[****] Starting task 80630(0) audio_common_task
[****] Starting task 87d34(0) livev_hiprio_task
[****] Starting task 866dc(0) cls_task
[****] Starting task 89858(0) beep_task
[****] Starting task 9622c(0) console_task
[****] Starting task 5add8(0) debug_task
[****] Starting task 643b0(0) tweak_task
[****] Starting task 6e920(0) focus_misc_task
[****] Starting task 7bd2c(0) vignetting_init
[****] Starting task 87524(0) livev_loprio_task
============================================
======== Camera modole 500D
======== Memory before patching      =======
============================================
failure_stubs1 addr 4db2c (e92d4008)
failure_stubs2 addr 4db10 (e92d4008)
failure_stubs3 addr 4daf4 (e92d4008)
failure_stubs4 addr 4dadc (e92d4008)
failure_stubs5 addr 4dac0 (e92d4008)
failure_stubs6 addr 4daa4 (e92d4008)
failure_stubs7 addr 4da88 (e92d4008)
success_stubs  addr 4da70 (e92d4008)
============================================
= Testing cache_fake (QEMU ROM patching)   =
============================================
* calling failure_stub1, return value expected (1001) actual = 1001
* calling success_stub , return value expected (1) actual = 1
* patching using old patching method, (jump only few bytes) rerouting to succes_stubs (0)
* calling failure_stub1, return value expected (1) actual = 1
* Test was a success
============================================
= Testing MEM(data) (QEMU ROM patching)    =
============================================
* calling failure_stub2, return value expected (1002) actual = 1002
* calling success_stub , return value expected (1) actual = 1
* patching done
* calling failure_stub2, return value expected (1) actual = 1
* Test was a success
============================================
= Simple double jump (relative) hardcoded  =
============================================
* calling failure_stub3, return value expected (1003) actual = 1003
* calling success_stub , return value expected (1) actual = 1
* patching done
* calling failure_stub3, return value expected (1) actual = 1
* Test was a success
============================================
= Simple double jump:                      =
= patch_instruction + MEM(data) patch      =
============================================
* calling failure_stub4, return value expected (1004) actual = 1004
* calling success_stub , return value expected (1) actual = 1
* patching done
* calling failure_stub4, return value expected (1) actual = 1
* Test was a success
============================================
= patch_instruction_jump (double rel jump) =
============================================
* calling failure_stub5, return value expected (1005) actual = 1005
* calling success_stub , return value expected (1) actual = 1
* using jump_vector 0 (address d4800)
* double relative
* patching done
* calling failure_stub5, return value expected (1) actual = 1
* Test was a success
============================================
= patch_instruction_jump (single rel jump) =
============================================
* calling failure_stub6, return value expected (1006) actual = 1006
* calling success_stub , return value expected (1) actual = 1
* patch_instruction = Using single jump
* patching done
* calling failure_stub6, return value expected (1) actual = 1
* Test was a success
============================================
= patch_instruction_jump (rel+abs jump)    =
= This is primary goal :)                  =
============================================
* calling failure_stub7, return value expected (1007) actual = 1007
* calling success_stub , return value expected (1) actual = 1
* using jump_vector 1 (address d480c)
* relative plus absolute (trampoline)
* patching done
* calling failure_stub7, return value expected (1) actual = 1
* Test was a success
============================================
======== Memory after patching       =======
============================================
failure_stubs1 addr 4db2c (eaffffcf)
failure_stubs2 addr 4db10 (eaffffd6)
failure_stubs3 addr 4daf4 (ea01eb0b)
failure_stubs4 addr 4dadc (ea01eb11)
failure_stubs5 addr 4dac0 (ea021b4e)
failure_stubs6 addr 4daa4 (eafffff1)
failure_stubs7 addr 4da88 (ea021b5f)
success_stubs  addr 4da70 (e92d4008)
============================================
============ Done ==========================
============================================



... some text here ..

critix

I will check and come back with results ...
Thanks
Canon 1300D, 500D, EOS M, EOS M2

critix

OK...results:
DebugMsg=0xFE11F394 (from GDB script)
Lockdown read 1
Lockdown read 1
Lockdown read 0
Lockdown read 0
Lockdown read 2
Lockdown read 2
Lockdown read 3
Lockdown read 3
Lockdown read 4
Lockdown read 4
Lockdown read 5
Lockdown read 5
00000000 - 00000FFF: eos.tcm_code
40000000 - 40000FFF: eos.tcm_data
00001000 - 0FFFFFFF: eos.ram
40001000 - 4FFFFFFF: eos.ram_uncached
F8000000 - F9FFFFFF: eos.rom1
FA000000 - FBFFFFFF: eos.rom1_mirror
FC000000 - FDFFFFFF: eos.rom1_mirror
FE000000 - FFFFFFFF: eos.rom1_mirror
C0000000 - CFFFFFFF: eos.mmio
[EOS] loading './1300D/ROM1.BIN' to 0xF8000000-0xF9FFFFFF
[MPU] warning: non-empty spell #11 (PROP_CARD2_STATUS) has duplicate(s): #52
[MPU] warning: non-empty spell #20 (PROP_TFT_STATUS) has duplicate(s): #37 #38 #75
[MPU] warning: non-empty spell #35 (PROP_VIDEO_MODE) has duplicate(s): #36
[MPU] warning: non-empty spell #43 (PROP_TFT_STATUS) has duplicate(s): #41 #42 #44 #46

[MPU] Available keys:
- Arrow keys   : Navigation
- [ and ]      : Main dial (top scrollwheel)
- SPACE        : SET
- DELETE       : guess (press only)
- M            : MENU (press only)
- P            : PLAY (press only)
- I            : INFO/DISP (press only)
- Q            : guess (press only)
- L            : LiveView (press only)
- A            : Av
- Z/X          : Zoom in/out
- Shift        : Half-shutter
- 0/9          : Mode dial (press only)
- V            : Movie mode (press only)
- B            : Open battery door
- C            : Open card door
- F10          : Power down switch
- F1           : show this help

Setting BOOTDISK flag to FFFFFFFF
FFFF0AE0: MCR p15,0,Rd,cr6,cr0,0:  946_PRBS0 <- 0x3F       (00000000 - FFFFFFFF, 0x100000000)
FFFF0AE8: MCR p15,0,Rd,cr6,cr1,0:  946_PRBS1 <- 0x3D       (00000000 - 7FFFFFFF, 0x80000000)
FFFF0AF0: MCR p15,0,Rd,cr6,cr2,0:  946_PRBS2 <- 0x37       (00000000 - 0FFFFFFF, 0x10000000)
FFFF0AF8: MCR p15,0,Rd,cr6,cr3,0:  946_PRBS3 <- 0xC0000039 (C0000000 - DFFFFFFF, 0x20000000)
FFFF0B00: MCR p15,0,Rd,cr6,cr4,0:  946_PRBS4 <- 0xF8000031 (F8000000 - F9FFFFFF, 0x2000000)
FFFF0B08: MCR p15,0,Rd,cr6,cr5,0:  946_PRBS5 <- 0xFE000031 (FE000000 - FFFFFFFF, 0x2000000)
FFFF0B10: MCR p15,0,Rd,cr2,cr0,0: DCACHE_CFG <- 0x24
FFFF0B18: MCR p15,0,Rd,cr3,cr0,0:       DACR <- 0x24
FFFF0B1C: MCR p15,0,Rd,cr2,cr0,1: ICACHE_CFG <- 0x24
FFFF0B20: MCR p15,0,Rd,cr5,cr0,0:    DATA_AP <- 0xFFF
FFFF0B28: MCR p15,0,Rd,cr5,cr0,1:    INSN_AP <- 0xFFF
FFFF0B2C: MRC p15,0,Rd,cr1,cr0,0:      SCTLR -> 0x2078
FFFF0B2C: MCR p15,0,Rd,cr1,cr0,0:      SCTLR <- 0xC000307D
FFFF00C4: MCR p15,0,Rd,cr9,cr1,1:       ITCM <- 0x6        (00000000 - 00000FFF, 0x1000)
FFFF00CC: MRC p15,0,Rd,cr1,cr0,0:      SCTLR -> 0xC000307D
FFFF00CC: MCR p15,0,Rd,cr1,cr0,0:      SCTLR <- 0xC004307D
FFFF00D8: MCR p15,0,Rd,cr9,cr1,0:       DTCM <- 0x40000006 (40000000 - 40000FFF, 0x1000)
FFFF00E0: MRC p15,0,Rd,cr1,cr0,0:      SCTLR -> 0xC004307D
FFFF00E0: MCR p15,0,Rd,cr1,cr0,0:      SCTLR <- 0xC005307D
FFFF0108: MRC p15,0,Rd,cr1,cr0,0:      SCTLR -> 0xC005307D
FFFF0108: MCR p15,0,Rd,cr1,cr0,0:      SCTLR <- 0xC005107D
SD LOAD OK.
Open file for read : AUTOEXEC.BIN
File size : 0x66580
Now jump to AUTOEXEC.BIN!!
00865F9C: MCR p15, ...          : CACHEMAINT x770 (omitted)
00865F9C: MCR p15,0,Rd,cr7,cr5,0: FlushICache <- 0x0
00C80684: MCR p15,0,Rd,cr7,cr5,0: FlushICache <- 0x0
00C8068C: MCR p15,0,Rd,cr9,cr0,1:  ILockDown <- 0x80000000
00C80694: MCR p15,0,Rd,cr9,cr0,1:  ILockDown <- 0x1
00C8069C: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x0
00C806A8: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0x0
00C806A0: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x20
00C806A8: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0x20
00C806AC: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x40
00C806A8: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0x40
00C806AC: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x60
00C806A8: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0x60
00C806AC: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x80
00C806A8: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0x80
00C806AC: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0xA0
00C806A8: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0xA0
00C806AC: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0xC0
00C806A8: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0xC0
00C806AC: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0xE0
00C806A8: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0xE0
00C806AC: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x100
00C806A8: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0x100
00C806AC: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x120
00C806A8: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0x120
00C806AC: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x140
00C806A8: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0x140
00C806AC: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x160
00C806A8: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0x160
00C806AC: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x180
00C806A8: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0x180
00C806AC: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x1A0
00C806A8: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0x1A0
00C806AC: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x1C0
00C806A8: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0x1C0
00C806AC: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x1E0
00C806A8: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0x1E0
00C806AC: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x200
00C806A8: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0x200
00C806AC: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x220
00C806A8: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0x220
00C806AC: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x240
00C806A8: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0x240
00C806AC: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x260
00C806A8: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0x260
00C806AC: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x280
00C806A8: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0x280
00C806AC: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x2A0
00C806A8: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0x2A0
00C806AC: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x2C0
00C806A8: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0x2C0
00C806AC: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x2E0
00C806A8: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0x2E0
00C806AC: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x300
00C806A8: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0x300
00C806AC: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x320
00C806A8: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0x320
00C806AC: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x340
00C806A8: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0x340
00C806AC: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x360
00C806A8: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0x360
00C806AC: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x380
00C806A8: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0x380
00C806AC: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x3A0
00C806A8: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0x3A0
00C806AC: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x3C0
00C806A8: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0x3C0
00C806AC: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x3E0
00C806A8: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0x3E0
00C806AC: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x400
00C806A8: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0x400
00C806AC: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x420
00C806A8: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0x420
00C806AC: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x440
00C806A8: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0x440
00C806AC: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x460
00C806A8: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0x460
00C806AC: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x480
00C806A8: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0x480
00C806AC: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x4A0
00C806A8: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0x4A0
00C806AC: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x4C0
00C806A8: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0x4C0
00C806AC: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x4E0
00C806A8: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0x4E0
00C806AC: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x500
00C806A8: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0x500
00C806AC: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x520
00C806A8: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0x520
00C806AC: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x540
00C806A8: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0x540
00C806AC: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x560
00C806A8: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0x560
00C806AC: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x580
00C806A8: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0x580
00C806AC: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x5A0
00C806A8: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0x5A0
00C806AC: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x5C0
00C806A8: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0x5C0
00C806AC: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x5E0
00C806A8: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0x5E0
00C806AC: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x600
00C806A8: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0x600
00C806AC: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x620
00C806A8: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0x620
00C806AC: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x640
00C806A8: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0x640
00C806AC: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x660
00C806A8: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0x660
00C806AC: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x680
00C806A8: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0x680
00C806AC: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x6A0
00C806A8: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0x6A0
00C806AC: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x6C0
00C806A8: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0x6C0
00C806AC: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x6E0
00C806A8: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0x6E0
00C806AC: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x700
00C806A8: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0x700
00C806AC: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x720
00C806A8: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0x720
00C806AC: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x740
00C806A8: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0x740
00C806AC: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x760
00C806A8: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0x760
00C806AC: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x780
00C806A8: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0x780
00C806AC: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x7A0
00C806A8: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0x7A0
00C806AC: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x7C0
00C806A8: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0x7C0
00C806AC: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x7E0
00C806A8: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0x7E0
00C806E8: MCR p15, ...          : CACHEMAINT x256 (omitted)
00C80708: MCR p15,0,Rd,cr9,cr0,0:  DLockDown <- 0x80000000
00C80710: MCR p15,0,Rd,cr9,cr0,0:  DLockDown <- 0x1
00C80718: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x0
00C80724: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0x0
00C8071C: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x20
00C80724: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0x20
00C80728: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x40
00C80724: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0x40
00C80728: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x60
00C80724: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0x60
00C80728: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x80
00C80724: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0x80
00C80728: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0xA0
00C80724: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0xA0
00C80728: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0xC0
00C80724: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0xC0
00C80728: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0xE0
00C80724: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0xE0
00C80728: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x100
00C80724: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0x100
00C80728: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x120
00C80724: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0x120
00C80728: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x140
00C80724: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0x140
00C80728: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x160
00C80724: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0x160
00C80728: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x180
00C80724: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0x180
00C80728: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x1A0
00C80724: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0x1A0
00C80728: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x1C0
00C80724: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0x1C0
00C80728: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x1E0
00C80724: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0x1E0
00C80728: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x200
00C80724: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0x200
00C80728: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x220
00C80724: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0x220
00C80728: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x240
00C80724: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0x240
00C80728: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x260
00C80724: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0x260
00C80728: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x280
00C80724: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0x280
00C80728: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x2A0
00C80724: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0x2A0
00C80728: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x2C0
00C80724: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0x2C0
00C80728: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x2E0
00C80724: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0x2E0
00C80728: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x300
00C80724: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0x300
00C80728: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x320
00C80724: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0x320
00C80728: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x340
00C80724: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0x340
00C80728: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x360
00C80724: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0x360
00C80728: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x380
00C80724: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0x380
00C80728: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x3A0
00C80724: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0x3A0
00C80728: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x3C0
00C80724: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0x3C0
00C80728: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x3E0
00C80724: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0x3E0
00C80728: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x400
00C80724: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0x400
00C80728: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x420
00C80724: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0x420
00C80728: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x440
00C80724: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0x440
00C80728: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x460
00C80724: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0x460
00C80728: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x480
00C80724: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0x480
00C80728: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x4A0
00C80724: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0x4A0
00C80728: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x4C0
00C80724: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0x4C0
00C80728: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x4E0
00C80724: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0x4E0
00C80728: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x500
00C80724: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0x500
00C80728: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x520
00C80724: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0x520
00C80728: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x540
00C80724: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0x540
00C80728: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x560
00C80724: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0x560
00C80728: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x580
00C80724: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0x580
00C80728: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x5A0
00C80724: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0x5A0
00C80728: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x5C0
00C80724: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0x5C0
00C80728: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x5E0
00C80724: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0x5E0
00C80728: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x600
00C80724: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0x600
00C80728: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x620
00C80724: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0x620
00C80728: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x640
00C80724: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0x640
00C80728: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x660
00C80724: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0x660
00C80728: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x680
00C80724: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0x680
00C80728: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x6A0
00C80724: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0x6A0
00C80728: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x6C0
00C80724: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0x6C0
00C80728: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x6E0
00C80724: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0x6E0
00C80728: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x700
00C80724: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0x700
00C80728: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x720
00C80724: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0x720
00C80728: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x740
00C80724: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0x740
00C80728: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x760
00C80724: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0x760
00C80728: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x780
00C80724: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0x780
00C80728: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x7A0
00C80724: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0x7A0
00C80728: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x7C0
00C80724: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0x7C0
00C80728: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x7E0
00C80724: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0x7E0
00C80464: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x320
Lockdown read 2
00C80468: MRC p15,3,Rd,cr15,cr2,0:  DcacheTag -> 0x0
00C803BC: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x320
00C803C0: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0xFE0C3B30
00C803C4: MCR p15,3,Rd,cr15,cr4,0:  DcacheVal <- 0xFE129684
00C80390: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x324
00C803C0: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0xFE0C3B30
00C803C4: MCR p15,3,Rd,cr15,cr4,0:  DcacheVal <- 0xE12FFF1E
00C80390: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x328
00C803C0: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0xFE0C3B30
00C803C4: MCR p15,3,Rd,cr15,cr4,0:  DcacheVal <- 0xE92D400E
00C80390: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x32C
00C803C0: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0xFE0C3B30
00C803C4: MCR p15,3,Rd,cr15,cr4,0:  DcacheVal <- 0xE59F0254
00C80390: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x330
00C803C0: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0xFE0C3B30
00C803C4: MCR p15,3,Rd,cr15,cr4,0:  DcacheVal <- 0xE3A010FF
00C80390: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x334
00C803C0: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0xFE0C3B30
00C803C4: MCR p15,3,Rd,cr15,cr4,0:  DcacheVal <- 0xE5CD1008
00C80390: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x338
00C803C0: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0xFE0C3B30
00C803C4: MCR p15,3,Rd,cr15,cr4,0:  DcacheVal <- 0xE3A01000
00C80390: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x33C
00C803C0: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0xFE0C3B30
00C803C4: MCR p15,3,Rd,cr15,cr4,0:  DcacheVal <- 0xE58D0000
00C80390: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x320
00C803C0: MCR p15,3,Rd,cr15,cr2,0:  DcacheTag <- 0xFE0C3B30
00C803C4: MCR p15,3,Rd,cr15,cr4,0:  DcacheVal <- 0xC8047C
Cache patch: [FE0C3B20] <- C8047C (was FE129684)
00C803F4: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x374
Lockdown read 1
00C803F8: MRC p15,3,Rd,cr15,cr1,0:  IcacheTag -> 0x0
00C803A8: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x360
00C803AC: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0xFE0C1B70
00C803B0: MCR p15,3,Rd,cr15,cr3,0:  IcacheVal <- 0xE92D4010
00C80390: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x364
00C803AC: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0xFE0C1B70
00C803B0: MCR p15,3,Rd,cr15,cr3,0:  IcacheVal <- 0xE24DD018
00C80390: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x368
00C803AC: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0xFE0C1B70
00C803B0: MCR p15,3,Rd,cr15,cr3,0:  IcacheVal <- 0xE28F0F9A
00C80390: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x36C
00C803AC: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0xFE0C1B70
00C803B0: MCR p15,3,Rd,cr15,cr3,0:  IcacheVal <- 0xEBFFFDB5
00C80390: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x370
00C803AC: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0xFE0C1B70
00C803B0: MCR p15,3,Rd,cr15,cr3,0:  IcacheVal <- 0xEB015F44
00C80390: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x374
00C803AC: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0xFE0C1B70
00C803B0: MCR p15,3,Rd,cr15,cr3,0:  IcacheVal <- 0xE3A0160D
00C80390: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x378
00C803AC: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0xFE0C1B70
00C803B0: MCR p15,3,Rd,cr15,cr3,0:  IcacheVal <- 0xE3A0082D
00C80390: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x37C
00C803AC: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0xFE0C1B70
00C803B0: MCR p15,3,Rd,cr15,cr3,0:  IcacheVal <- 0xEB01960B
00C80390: MCR p15,3,Rd,cr15,cr0,0: CacheDbgIdx <- 0x374
00C803AC: MCR p15,3,Rd,cr15,cr1,0:  IcacheTag <- 0xFE0C1B70
00C803B0: MCR p15,3,Rd,cr15,cr3,0:  IcacheVal <- 0xE3A018C8
Cache patch: [FE0C1B74] <- E3A018C8 (was E3A0160D)
DRYOS PANIC: Module Code = 64, Panic Code = 1

Unfortunately ... DRYOS PANIC
Canon 1300D, 500D, EOS M, EOS M2

heder

Critix, it's working :D

I will post a reply later today with all the information needed to repeat this test and I will just sum up all the thing that you and I found and
write them down. I will write the way I got everything running, because there are more way to get everything running, and all the bits and
bytes needed are in many replies.

But for now just lets see and anaylze the output !

Output


heder@heder-Aspire-R3610:~/magic-root/repositories/unified/qemu-eos$ ./go_hijack_test_1300d.sh
Lockdown read 1
Lockdown read 1
Lockdown read 0
Lockdown read 0
Lockdown read 2
Lockdown read 2
Lockdown read 3
Lockdown read 3
Lockdown read 4
Lockdown read 4
Lockdown read 5
Lockdown read 5
00000000 - 00000FFF: eos.tcm_code
40000000 - 40000FFF: eos.tcm_data
00001000 - 0FFFFFFF: eos.ram
40001000 - 4FFFFFFF: eos.ram_uncached
F0000000 - F1FFFFFF: eos.rom0
F2000000 - F3FFFFFF: eos.rom0_mirror
F4000000 - F5FFFFFF: eos.rom0_mirror
F6000000 - F7FFFFFF: eos.rom0_mirror
F8000000 - F9FFFFFF: eos.rom1
FA000000 - FBFFFFFF: eos.rom1_mirror
FC000000 - FDFFFFFF: eos.rom1_mirror
FE000000 - FFFFFFFF: eos.rom1_mirror
C0000000 - CFFFFFFF: eos.mmio
[EOS] loading './1300D/ROM0.BIN' (expected size 0x02000000, got 0x0000000A) to 0xF0000000-0xF0000009
[EOS] loading './1300D/ROM1.BIN' to 0xF8000000-0xF9FFFFFF
[MPU] warning: non-empty spell #11 (PROP_CARD2_STATUS) has duplicate(s): #52
[MPU] warning: non-empty spell #20 (PROP_TFT_STATUS) has duplicate(s): #37 #38 #75
[MPU] warning: non-empty spell #35 (PROP_VIDEO_MODE) has duplicate(s): #36
[MPU] warning: non-empty spell #43 (PROP_TFT_STATUS) has duplicate(s): #41 #42 #44 #46

[MPU] Available keys:
- Arrow keys   : Navigation
- [ and ]      : Main dial (top scrollwheel)
- SPACE        : SET
- DELETE       : guess (press only)
- M            : MENU (press only)
- P            : PLAY (press only)
- I            : INFO/DISP (press only)
- Q            : guess (press only)
- L            : LiveView (press only)
- A            : Av
- Z/X          : Zoom in/out
- Shift        : Half-shutter
- 0/9          : Mode dial (press only)
- V            : Movie mode (press only)
- B            : Open battery door
- C            : Open card door
- F10          : Power down switch
- F1           : show this help

Setting BOOTDISK flag to FFFFFFFF
FFFF0AE0: MCR p15,0,Rd,cr6,cr0,0:  946_PRBS0 <- 0x3F       (00000000 - FFFFFFFF, 0x100000000)
FFFF0AE8: MCR p15,0,Rd,cr6,cr1,0:  946_PRBS1 <- 0x3D       (00000000 - 7FFFFFFF, 0x80000000)
FFFF0AF0: MCR p15,0,Rd,cr6,cr2,0:  946_PRBS2 <- 0x37       (00000000 - 0FFFFFFF, 0x10000000)
FFFF0AF8: MCR p15,0,Rd,cr6,cr3,0:  946_PRBS3 <- 0xC0000039 (C0000000 - DFFFFFFF, 0x20000000)
FFFF0B00: MCR p15,0,Rd,cr6,cr4,0:  946_PRBS4 <- 0xF8000031 (F8000000 - F9FFFFFF, 0x2000000)
FFFF0B08: MCR p15,0,Rd,cr6,cr5,0:  946_PRBS5 <- 0xFE000031 (FE000000 - FFFFFFFF, 0x2000000)
FFFF0B10: MCR p15,0,Rd,cr2,cr0,0: DCACHE_CFG <- 0x24
FFFF0B18: MCR p15,0,Rd,cr3,cr0,0:       DACR <- 0x24
FFFF0B1C: MCR p15,0,Rd,cr2,cr0,1: ICACHE_CFG <- 0x24
FFFF0B20: MCR p15,0,Rd,cr5,cr0,0:    DATA_AP <- 0xFFF
FFFF0B28: MCR p15,0,Rd,cr5,cr0,1:    INSN_AP <- 0xFFF
FFFF0B2C: MRC p15,0,Rd,cr1,cr0,0:      SCTLR -> 0x2078
FFFF0B2C: MCR p15,0,Rd,cr1,cr0,0:      SCTLR <- 0xC000307D
FFFF00C4: MCR p15,0,Rd,cr9,cr1,1:       ITCM <- 0x6        (00000000 - 00000FFF, 0x1000)
FFFF00CC: MRC p15,0,Rd,cr1,cr0,0:      SCTLR -> 0xC000307D
FFFF00CC: MCR p15,0,Rd,cr1,cr0,0:      SCTLR <- 0xC004307D
FFFF00D8: MCR p15,0,Rd,cr9,cr1,0:       DTCM <- 0x40000006 (40000000 - 40000FFF, 0x1000)
FFFF00E0: MRC p15,0,Rd,cr1,cr0,0:      SCTLR -> 0xC004307D
FFFF00E0: MCR p15,0,Rd,cr1,cr0,0:      SCTLR <- 0xC005307D
FFFF0108: MRC p15,0,Rd,cr1,cr0,0:      SCTLR -> 0xC005307D
FFFF0108: MCR p15,0,Rd,cr1,cr0,0:      SCTLR <- 0xC005107D
SD LOAD OK.
Open file for read : AUTOEXEC.BIN
File size : 0x6FBA0
Now jump to AUTOEXEC.BIN!!
0086F55C: MCR p15, ...          : CACHEMAINT x770 (omitted)
0086F55C: MCR p15,0,Rd,cr7,cr5,0: FlushICache <- 0x0
[boot] copy_and_restart 0xc80000 (13107200)
[BOOT] changing init_task from 0xfe1296c8 (-32336184) to 0xc80570 (13108592)
[BOOT] autoexec.bin loaded at C80000 - CFE180.
[BOOT] calling local pre_init_task C80380...
[BOOT] changing AllocMem end address: 0xd00000 (13631488)  -> 0xc80000 (13107200)
0xfe0c1b74:  e3a0160d      mov  r1, #13631488   ; 0xd00000
0xfe0c1b78:  e3a0082d      mov  r0, #2949120    ; 0x2d0000
0xfe0c1b74:  e3a018c8      mov  r1, #13107200   ; 0xc80000
0xfe0c1b78:  e3a0082d      mov  r0, #2949120    ; 0x2d0000
[BOOT] calling pre_init_task C81590...
[BOOT] installing task dispatch hook at 0x35924 (219428)
[BOOT] reserved 524288 bytes for ML (used 516480)
[BOOT] starting init_task 14B704...
K404 READY
[BOOT] calling local post_init_task C804EC...
[BOOT] uninstalling cache hacks...
[BOOT] calling post_init_task C815F4...
[****] Starting task fe0d3c68(2d2da0) Startup
[DMA1] Copy [0xF8E60000] -> [0x402D4000], length [0x0026BBF8], flags [0x00030001]
[DMA1] OK
[****] Starting task fe0c12ac(0) TaskMain
[****] Starting task fe2c2114(2d2ae4) DbgMgr
     0:    12.544 [STARTUP]
K404 ICU Firmware Version 1.1.0 ( 4.4.6 )
[****] Starting task fe2bafd0(0) PowerMgr
[DMA1] Copy [0xF8D80000] -> [0x40584200], length [0x0007135C], flags [0x00030001]
[DMA1] OK
[DMA1] Copy [0xF8C20000] -> [0x40624300], length [0x00000F6C], flags [0x00030001]
[DMA1] OK
[DMA1] Copy [0xF8CE0000] -> [0x40625500], length [0x00016234], flags [0x00030001]
[DMA1] OK
[DMA1] Copy [0xF8C80000] -> [0x40645700], length [0x0001AEE8], flags [0x00030001]
[DMA1] OK
[****] Starting task fe2c2114(66a874) PropMgr
[MPU] Received: 06 04 02 00 00 00  (Init - spell #1)
[MPU] Sending : 06 05 01 00 03 00  (PROP_SHOOTING_MODE)
[MPU] Sending : 06 05 01 05 45 00  (PROP_SHUTTER)
[MPU] Sending : 06 05 01 06 5b 00  (PROP_APERTURE)
[MPU] Sending : 06 05 01 0b 00 00  (PROP_AEB)
[MPU] Sending : 2c 2a 02 00 03 03 03 00 03 00 00 00 00 00 00 12 5c 00 00 00 00 87 01 00 00 03 01 00 00 03 01 00 00 03 01 01 00 00 00 00 45 5b 01 00  (Init group)
[MPU] Sending : 08 07 01 33 09 00 00 00  (PROP 80000029)
[MPU] Sending : 06 05 01 20 00 00  (PROP_CARD1_EXISTS)
[MPU] Sending : 06 05 01 21 01 00  (PROP_CARD2_EXISTS)
[MPU] Sending : 06 05 01 22 00 00  (PROP_CARD3_EXISTS)
[MPU] Sending : 06 05 03 0c 01 00  (PROP_CARD1_RECORD)
[MPU] Received: 08 06 00 00 02 00 00 00  (Complete WaitID = 0x80000001 Init - spell #2)
[MPU] Sending : 06 05 03 0d 01 00  (PROP_CARD2_RECORD)
[MPU] Sending : 06 05 03 0e 01 00  (PROP_CARD3_RECORD)
[MPU] Sending : 08 06 01 23 00 01 00 00  (PROP_CARD1_STATUS)
[MPU] Sending : 08 06 01 24 00 00 00 00  (PROP_CARD2_STATUS)
[MPU] Sending : 08 06 01 25 00 01 00 00  (PROP_CARD3_STATUS)
[****] Starting task fe2c2114(6719b4) EventMgr
[MPU] Sending : 06 05 01 2e 01 00  (PROP_SAVE_MODE)
[MPU] Sending : 06 05 01 2c 02 00  (PROP_CURRENT_MEDIA)
[MPU] Sending : 06 05 03 20 01 00  (PROP_STARTUP_CONDITION)
[MPU] Sending : 06 05 01 3d 00 00  (PROP_TEMP_STATUS)
[MPU] Sending : 06 05 01 42 00 00  (PROP_PHOTO_STUDIO_MODE)
[MPU] Sending : 0c 0b 03 42 00 00 00 00 00 00 00 00  (PROP_LED_LIGHT)
[MPU] Sending : 0c 0b 01 0a 00 01 00 00 00 00 00 00  (PROP_AFPOINT)
[MPU] Sending : 06 05 01 37 00 00  (PROP_CARD_EXTENSION)
[MPU] Sending : 06 05 01 49 01 00  (PROP_LIVE_VIEW_AF_SYSTEM)
[MPU] Sending : 06 05 01 3e 00 00  (PROP_ELECTRIC_SHUTTER_MODE)
[MPU] Sending : 08 06 01 45 07 08 00 00  (PROP_METERING_TIMER_FOR_LV)
[****] Starting task fe2c2114(671f80) FileMgr
[MPU] Sending : 06 05 01 48 01 00  (PROP_LIVE_VIEW_MOVIE_SELECT)
[MPU] Sending : 06 05 01 4b 01 00  (PROP_LIVE_VIEW_VIEWTYPE_SELECT)
[MPU] Sending : 06 05 01 40 00 00  (PROP_STROBO_ETTLMETER)
[MPU] Sending : 06 05 01 41 00 00  (PROP_STROBO_CURTAIN)
[MPU] Sending : 06 05 01 3f 00 00  (PROP_FLASH_ENABLE)
[MPU] Sending : 08 06 01 57 00 01 00 00  (PROP_BUILTIN_STROBO_MODE)
[MPU] Sending : 1a 18 01 4e 00 00 00 00 00 00 00 00 00 00 00 1e 00 00 00 0f 00 00 00 00 00 00  (PROP_VIDEO_MODE)
[MPU] Sending : 06 05 01 48 01 00  (PROP_LIVE_VIEW_MOVIE_SELECT)
[MPU] Sending : 06 05 01 53 00 00  (PROP_SHUTTER_AF_DURING_RECORD)
[MPU] Sending : 06 05 01 58 00 00  (PROP_VIDEOSNAP_MODE)
[MPU] Sending : 06 05 01 59 00 00  (PROP_MOVIE_SERVO_AF)
[****] Starting task fe2c2114(79287c) FileCache
[MPU] Sending : 06 05 01 4a 00 00  (PROP_PROGRAM_SHIFT)
[MPU] Sending : 06 05 01 50 00 00  (PROP_AE_MODE_MOVIE)
[MPU] Sending : 08 06 01 51 78 48 00 00  (PROP_AUTO_ISO_RANGE)
[****] Starting task fe2c2114(792b8c) RscMgr
[MPU] Received: 1a 18 01 4e 00 00 00 00 00 00 00 00 00 00 00 19 00 00 00 0c 00 00 00 00 00 00  (unknown - PROP_VIDEO_MODE)
[MPU] Sending : 06 05 01 52 03 00  (PROP_ALO)
[MPU] Sending : 06 05 01 54 00 00  (PROP_SUBDIAL_LOCK_MODE)
[MPU] Sending : 08 06 01 47 0a 02 00 00  (PROP_SELFTIMER_CONTINUOUS_NUM)
[MPU] Sending : 06 05 03 37 00 00  (PROP_MIRROR_DOWN_IN_MOVIE_MODE)
[MPU] Sending : 12 11 02 04 00 00 01 00 00 03 00 00 00 00 00 00 00 00  (PROP_CFN)
[MPU] Received: 0a 08 03 06 00 00 00 00 00 00  (PROP_AVAIL_SHOT - spell #4)
[MPU] Received: 06 04 03 10 00 00  (PROP 80030008 - spell #5)
[MPU] Received: 06 05 03 07 ff 00  (PROP_BURST_COUNT - spell #6)
[MPU] Sending : 0e 0c 03 2e 00 00 29 7e 00 00 47 49 00 00  (PROP_SHUTTER_COUNTER)
[MPU] Sending : 08 07 01 55 00 02 01 01  (PROP_MULTIPLE_EXPOSURE_SETTING)
[MPU] Sending : 08 07 01 55 00 02 01 01  (PROP_MULTIPLE_EXPOSURE_SETTING)
[MPU] Sending : 08 07 01 55 00 02 01 01  (PROP_MULTIPLE_EXPOSURE_SETTING)
[MPU] Received: 08 06 00 00 01 55 00 00  (Complete WaitID = 0x8000003F PROP_MULTIPLE_EXPOSURE_SETTING - spell #3)
[MPU] Sending : 08 07 01 55 00 02 01 01  (PROP_MULTIPLE_EXPOSURE_SETTING)
[MPU] Received: 08 06 00 00 01 55 00 00  (Complete WaitID = 0x8000003F PROP_MULTIPLE_EXPOSURE_SETTING - spell #3)
[MPU] Received: 08 06 00 00 01 55 00 00  (Complete WaitID = 0x8000003F PROP_MULTIPLE_EXPOSURE_SETTING - spell #3)
[MPU] Received: 08 06 00 00 01 55 00 00  (Complete WaitID = 0x8000003F PROP_MULTIPLE_EXPOSURE_SETTING - spell #3)
[MPU] Received: 06 05 01 2e 01 00  (PROP_SAVE_MODE - spell #7)
[MPU] Sending : 06 05 01 2e 01 00  (PROP_SAVE_MODE)
[MPU] Received: 0a 08 03 0b 00 00 00 00 00 00  (PROP 80030007 - spell #8)
[MPU] Received: 08 07 03 54 00 03 00 00  (unknown - PROP_MPU_GPS)
[****] Starting task fe2be514(7969b4) ShootCapture
[****] Starting task fe2be514(7d88c4) ShootBlack
[****] Starting task fe0cd444(0) GuiLockTask
[MPU] Received: 06 05 03 19 01 00  (PROP_TFT_STATUS - spell #20)
[MPU] Sending : 0a 09 03 00 50 00 00 1b 01 00  (PROP 80030000)
[MPU] Sending : 06 05 03 04 00 00  (PROP_POWER_KIND)
[MPU] Sending : 1a 18 03 15 01 28 53 00 30 00 12 00 37 91 75 92 1f 00 ff ff ff ff ff ff 00 00  (PROP_LENS)
[MPU] Sending : 24 22 03 3c 00 00 17 3f bb 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  (PROP 8003003C)
[MPU] Sending : 06 05 03 17 98 00  (PROP_EFIC_TEMP)
[MPU] Sending : 1a 18 03 15 01 28 53 00 30 00 12 00 37 91 75 92 1f 00 ff ff ff ff ff ff 00 00  (PROP_LENS)
[****] Starting task fe0c975c(0) MainCtrl
[MPU] Received: 06 05 01 56 00 00  (unnamed - spell #9)
[MPU] Received: 06 05 04 0e 01 00  (PROP 8002000D - spell #10)
[****] Starting task fe2be514(7d9118) TOMgr
[****] Starting task fe2be514(7da2c0) Fstorage
[****] Starting task fe2c2114(7db60c) AudioLevel
[****] Starting task fe2be514(7d8c74) ShootPreDevelop
[****] Starting task fe12b9c0(0) AEmodeJudge
[****] Starting task fe2c2114(671470) NFCMgr
[****] Starting task fe5423d8(0) CSMgrTask
[****] Starting task fe0c69c8(0) HotPlug
    61:   202.496 [RSC] hMemoryQueue (0x660012) hStorageQueue (0x680014)
    62:   208.128 [PRP] ERROR ILLEGAL PARAM SIZE ID = 0x80010004 L:794
    63:   208.128 [PRP] PropertyList:12 Current:13
   129:   290.048 [RTC] PROPAD_GetPropertyData : PROP_RTC 0xfd
   130:   299.776 [RTC] ChangePropertyCBR 0x0, 0x0
   131:   300.800 [RTC] RTC_Permit 0x20
   142:   303.360 [SND] Seq LPC fin
   159:   314.112 [ENG] [ENGIO](Addr:0x4fb40000, Data:0x   30000)
   162:   357.120 [WB] AdjustWb Done.
   176:   367.360 [TERMINATE] SHUTDOWN init comp
   178:   367.872 [TERMINATE] Abort init comp
   179:   368.384 [PRP] M:50 F:0 L:0 P:1B T:1
   180:   369.152 [STARTUP] update inner version string. "4.4.6 50(1b)"
   181:   369.408 [STARTUP] update coded version.
   204:   387.584 [MC] PROP_GUI_STATE 0
   209:   388.864 [MC] JobState 0
   212:   391.936 [MC] PROP_LCD_OFFON_BUTTON : 0
   214:   392.192 [MC] PROP_VARIANGLE_GUICTRL : Enable
   217:   395.520 [MC] regist master CardCover
SD: Unknown CMD1
[SDIO] Error
SD: Unknown CMD1
[SDIO] Error
SD: Unknown CMD1
[SDIO] Error
   244:   620.032 [SD] ERROR SDINTREP=0x00000000
   245:   620.032 [SD] ERROR UNEXPECTED ERROR
[MPU] Received: 08 06 01 24 00 01 00 00  (PROP_CARD2_STATUS - spell #11)
[MPU] Sending : 08 06 01 24 00 01 00 00  (PROP_CARD2_STATUS)
[MPU] Received: 08 06 01 27 00 64 00 00  (PROP_CARD2_FOLDER_NUMBER - spell #12)
[MPU] Received: 08 07 01 2a 0a 6a 00 00  (PROP_CARD2_FILE_NUMBER - spell #13)
[MPU] Received: 06 05 03 07 15 00  (unknown - PROP_BURST_COUNT)
[MPU] Received: 0a 08 03 06 00 00 00 15 00 00  (unknown - PROP_AVAIL_SHOT)
[MPU] Received: 06 05 03 11 01 00  (PROP_ICU_AUTO_POWEROFF - spell #16)
[MPU] Received: 06 05 02 0a 00 00  (PROP_PERMIT_ICU_EVENT - spell #17)
[MPU] Sending : 06 05 01 2c 02 00  (PROP_CURRENT_MEDIA)
[****] Starting task fe2be514(8de0a4) FrontShtDevelop
[MPU] Received: 06 05 03 0d 00 00  (PROP_CARD2_RECORD - spell #18)
[MPU] Sending : 06 05 03 23 19 00  (unnamed)
[MPU] Received: 06 05 03 0c 00 00  (PROP_CARD1_RECORD - spell #19)
[MPU] Sending : 1e 1d 03 24 45 46 2d 53 31 38 2d 35 35 6d 6d 20 66 2f 33 2e 35 2d 35 2e 36 20 49 53 00 00  (PROP_LENS_NAME)
[****] Starting task fe2be514(8de534) RearShtDevelop
[MPU] Sending : 06 04 03 25 00 00  (unnamed)
[MPU] Sending : 06 05 01 3d 00 00  (PROP_TEMP_STATUS)
[MPU] Sending : 06 05 03 37 00 00  (PROP_MIRROR_DOWN_IN_MOVIE_MODE)
[MPU] Sending : 06 05 03 0d 00 00  (PROP_CARD2_RECORD)
[MPU] Sending : 06 05 03 0c 00 00  (PROP_CARD1_RECORD)
[DMA1] Copy [0xF8C60000] -> [0x408E2000], length [0x0000003C], flags [0x00030001]
[DMA1] OK
[****] Starting task fe2c2114(91a370) SoundEffect
[****] Starting task fe2c2114(91a80c) ASIF
[****] Starting task fe2c2114(91a95c) AudioCtrl
[MPU] Received: 06 05 04 1c 0c 00  (unknown - unnamed)
[MPU] Received: 06 05 04 1c 05 00  (unknown - unnamed)
[****] Starting task fe2c2114(930774) MovWriter
[****] Starting task fe2c2114(930bb8) MovieRecorder
[****] Starting task fe2c2114(931200) MoviePlay
[****] Starting task fe23cbc0(0) AviRead
[****] Starting task fe2c2114(931448) MovReader
[****] Starting task fe2c2114(9315a4) LVC_DEV
[****] Starting task fe0e1640(0) LVC_FACE
[****] Starting task fe2c2114(932238) Gmt
[MPU] Received: 06 05 09 11 01 00  (PROP_LV_DISPSIZE - spell #21)
[MPU] Received: 12 11 09 15 00 00 00 00 00 00 00 00 00 00 00 00 00 00  (PROP 80050020 - spell #22)
[MPU] Received: 08 06 09 1f 00 00 00 00  (PROP 80050034 - spell #23)
[MPU] Received: 06 05 01 5a 00 00  (PROP_CONTINUOUS_AF_VALID - spell #24)
[MPU] Received: 06 05 01 5a 01 00  (PROP_CONTINUOUS_AF_VALID - spell #25)
[****] Starting task fe2c2114(936820) Evf
[****] Starting task fe2c2114(93f500) AeWb
[MPU] Received: 26 24 09 17 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  (PROP_LV_FOCUS_DATA - spell #26)
[MPU] Received: 0a 08 09 1a 00 00 00 00 00 00  (PROP 8005002A - spell #27)
[****] Starting task fe2c2114(949170) LVFACE
[****] Starting task fe2c2114(94925c) LVC_MD
[****] Starting task fe2c2114(9494f8) MotionManager
[MPU] Received: 08 06 03 18 00 00 00 00  (PROP 8003000F - spell #28)
[MPU] Sending : 06 05 01 58 00 00  (PROP_VIDEOSNAP_MODE)
[MPU] Received: 08 06 03 1f 00 00 00 00  (PROP 80030019 - spell #29)
[MPU] Received: 08 06 04 20 00 00 00 00  (unknown - unnamed)
[MPU] Received: 06 05 03 13 00 00  (PROP_LOGICAL_CONNECT - spell #30)
[MPU] Received: 06 05 03 1e 00 00  (PROP 8003001A - spell #31)
[MPU] Received: 06 05 04 1f 00 00  (unknown - unnamed)
[MPU] Received: 08 07 03 55 00 00 00 00  (unknown - PROP 8003005A)
[MPU] Received: 06 05 03 56 00 00  (unknown - PROP 8003005B)
[MPU] Received: 08 07 01 3b ff ff 00 00  (unknown - PROP_USBDEVICE_CONNECT)
[MPU] Received: 08 07 01 3b ff 00 00 00  (unknown - PROP_USBDEVICE_CONNECT)
[****] Starting task fe108660(0) SoundDevice
[****] Starting task fe253b50(0) TestGero
[****] Starting task fe2c2114(93f42c) CLR_CALC
[****] Starting task fe2be514(9497ac) DaUSB20Drv
[****] Starting task fe1dba04(0) USBTrns
[****] Starting task fe1ebeec(0) SDIOTrns
[****] Starting task fe1da608(98a110) PTPSessionTASK
[****] Starting task fe2be514(98afd0) PtpDps
[****] Starting task fe2c2114(9e6c40) Ceres
[****] Starting task fe2be514(9edd70) Remote
[****] Starting task fe2be514(9f1460) Fcreate
[****] Starting task fe2c2114(9f2098) NwComMgr
[****] Starting task fe2be514(a47d3c) Fwrite
[****] Starting task fe2c2114(a48280) Sound
[MPU] Received: 08 07 01 2a 0a 6a 00 00  (PROP_CARD2_FILE_NUMBER - spell #32)
[****] Starting task fe2be514(a47af0) Fread
[****] Starting task fe2c2114(a4805c) Voice
[****] Starting task fe2c2114(a48398) WavReader
[****] Starting task fe2be514(a62284) ShootArtFilter
[****] Starting task fe2c2114(ad7b80) DisplayMgr
[****] Starting task fe0cc4bc(0) GuiMainTask
[****] Replacing task fe0cc4bc with c8edc0
[****] Starting task fe27e808(0) ImgPlayDrv
[EDMAC#18] Starting transfer to 0xD08700 from <6>, 3840x1079, flags=0x0
[EDMAC#18] Data unavailable; will try again later.
[EDMAC#13] Starting transfer from 0xD07800 to <6>, (3840, skip -3840) x 1079, flags=0x50000
[EDMAC#13] 4143360 bytes read from D07800-D08700.
[EDMAC#13] transfer delay 78 x 256 us.
[EDMAC#18] Starting transfer to 0xD08700 from <6>, 3840x1079, flags=0x0
[EDMAC#18] 4143360 bytes written to D08700-10FC000.
[EDMAC#18] transfer delay 77 x 256 us.
[HIV] Data unavailable; will try again later.
[****] Starting task fe299678(0) CtrlSrv
[****] Starting task fe2c2114(a5f0c4) ReDevelop
[****] Starting task fe2c2114(a5f168) DpMgr
[****] Starting task fe196770(0) DpsReceiveTask
[****] Starting task fe2c2114(a6136c) DpImgEditMgr
[****] Starting task fe2c2114(a615c4) InnerDevelopMgr
[****] Starting task fe2ab288(0) HDMIIP
[****] Starting task fe2374cc(0) EyeFi
[MPU] Received: 06 05 03 3d 00 00  (PROP_AFSHIFT_LVASSIST_STATUS - spell #33)
[EDMAC#18] Starting transfer to 0xC234700 from <6>, 3840x1079, flags=0x0
[EDMAC#18] Data unavailable; will try again later.
[EDMAC#13] Starting transfer from 0xC233800 to <6>, (3840, skip -3840) x 1079, flags=0x50000
[EDMAC#13] 4143360 bytes read from C233800-C234700.
[EDMAC#13] transfer delay 78 x 256 us.
[EDMAC#18] Starting transfer to 0xC234700 from <6>, 3840x1079, flags=0x0
[EDMAC#18] 4143360 bytes written to C234700-C628000.
[EDMAC#18] transfer delay 77 x 256 us.
[HIV] Data unavailable; will try again later.
[MPU] Received: 06 05 02 0a 01 00  (PROP_PERMIT_ICU_EVENT - spell #34)
[MPU] Sending : 06 05 06 11 01 00  (GUI_SWITCH)
[MPU] Sending : 06 05 06 12 00 00  (GUI_SWITCH)
[MPU] Sending : 06 05 06 13 00 00  (GUI_SWITCH)
[MPU] Sending : 06 05 06 1c 00 00  (GUI_SWITCH)
[MPU] Sending : 06 05 06 26 01 00  (GUI_SWITCH)
[MPU] Sending : 44 43 0a 08 ff 1f 01 00 01 03 98 0c 00 45 01 01 53 28 53 01 01 00 00 04 01 00 23 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  (PD_NotifyOlcInfoChanged)
[MPU] Sending : 06 05 04 0e 01 00  (PROP 8002000D)
[MPU] Received: 06 05 03 19 01 00  (PROP_TFT_STATUS - spell #37)
[BOOT] my_init_task completed.

======================================
=       jump vector allocation       =
======================================
jump-vector using malloc == 0xeeef0 (978672)
jump-vector alloca == 0x14b5f8 (1357304)
jump_vector_static == 0xcf6400 (13591552)
jump vector winner was _malloc
[MPU] Received: 06 05 03 19 01 00  (PROP_TFT_STATUS - spell #38)
[MPU] Received: 06 05 03 19 01 00  (PROP_TFT_STATUS - spell #75)
[MPU] Received: 06 05 08 06 ff 00  (COM_FA_CHECK_FROM - spell #40)
[MPU] Sending : 06 05 08 06 00 00  (COM_FA_CHECK_FROM)
jump vector allocation done[****] Starting task fe32cba0(0) PTPtoFAPI_EventProcTask
[****] Starting task fe2c2114(a5ec24) Mrk
[****] Starting task fe2c2114(9f7a4c) MetaCtg
[MPU] Received: 06 05 03 19 00 00  (PROP_TFT_STATUS - spell #41)
[****] Starting task fe149508(0) LpfMode
[****] Starting task c81300(0) ml_init
   405:   879.104 [LV] [GMTLens moving (0, 0)
jump_vector - from boot.h = eeef0
jump_vector - aligned = eeef0
] PROP_TEMP_STATUS : STATUS_NORMAL
   527:   913.664 [LV] InitializeLiveViewDefectDetection
   541:   948.480 [MD] Init RCh1=0, RCh2=0
   544:   950.784 [MD] Set RCh1=d, RCh2=18
   867:  1175.808 [INDEV] INDEV_Initialize
   874:  1186.816 [HDMI] [MID] HDMI_IP_Initialize
   887:  1257.728 [IMPP] H264E InitializeH264EncodeFor1080pDZoom
   888:  1257.984 [IMPP] H264E InitializeH264EncodeFor1080p25fpsDZoom
   924:  1320.448 [MR_MOV] (Empty Func) MVW_RegisterXmpDataCallback
   966:  1361.920 WARN [LVDS] First Get DTS_GetAllRandomData
  1064:  1415.168 [GUI] MainEventHandler PROP_QR_DIDNOT_EXECUTE(0)(0)
  1111:  1436.672 [STARTUP] startupInitializeComplete
  1113:  1437.696 [MC] cam event guimode comp. 0
  1238:  1540.608 [GUI] ERROR ***** ConvertPropertyMovieDataToMovieSizeKind UnKnown MovieInfo
  1239:  1540.864 [GUI] ERROR MovieSize(1), FrameRate(81), ZoomMode(88), MovieMode(0)
  1257:  1545.728 [GUI] ERROR ***** ConvertPropertyMovieDataToMovieSizeKind UnKnown MovieInfo
  1258:  1545.728 [GUI] ERROR MovieSize(1), FrameRate(81), ZoomMode(88), MovieMode(0)
  1261:  1546.752 [MC] cam event guimode comp. 0
  1305:  1857.024 [DISP] TurnOnDisplay action Type=0
[****] Starting task c88c7c(0) menu_task
[****] Starting task c8b954(0) menu_redraw_task
[****] Starting task c94930(0) bitrate_task
[****] Starting task ca0324(0) focus_task
[****] Starting task ca0e78(0) notifybox_task
[****] Starting task ca368c(0) fps_task
[****] Starting task ca7288(0) shoot_task
[****] Starting task ca50e4(0) clock_task
[****] Starting task cad85c(0) audio_common_task
[****] Starting task cb4d8c(0) livev_hiprio_task
[****] Starting task cb35e4(0) cls_task
[****] Starting task cb67a8(0) beep_task
[****] Starting task cc07ec(0) console_task
[****] Starting task c8de90(0) debug_task
[****] Starting task c96154(0) tweak_task
[****] Starting task ca0b50(0) focus_misc_task
[****] Starting task ca8bec(0) vignetting_init
[****] Starting task cc6030(0) module_task
[****] Starting task c80c38(0) ml_backup
[****] Starting task cb4444(0) livev_loprio_task
============================================
======== Camera modole 1300D
======== Memory before patching      =======
============================================
failure_stubs1 addr c80abc (e92d4008)
failure_stubs2 addr c80aa0 (e92d4008)
failure_stubs3 addr c80a84 (e92d4008)
failure_stubs4 addr c80a6c (e92d4008)
failure_stubs5 addr c80a50 (e92d4008)
failure_stubs6 addr c80a34 (e92d4008)
failure_stubs7 addr c80a18 (e92d4008)
success_stubs  addr c80a00 (e92d4008)
============================================
= Testing cache_fake (QEMU ROM patching)   =
============================================
* calling failure_stub1, return value expected (1001) actual = 1001
* calling success_stub , return value expected (1) actual = 1
* patching using old patching method, (jump only few bytes) rerouting to succes_stubs (0)
* calling failure_stub1, return value expected (1) actual = 1
* Test was a success
============================================
= Testing MEM(data) (QEMU ROM patching)    =
============================================
* calling failure_stub2, return value expected (1002) actual = 1002
* calling success_stub , return value expected (1) actual = 1
* patching done
* calling failure_stub2, return value expected (1) actual = 1
* Test was a success
============================================
= Simple double jump (relative) hardcoded  =
============================================
* calling failure_stub3, return value expected (1003) actual = 1003
* calling success_stub , return value expected (1) actual = 1
* patching done
* calling failure_stub3, return value expected (1) actual = 1
* Test was a success
============================================
= Simple double jump:                      =
= patch_instruction + MEM(data) patch      =
============================================
* calling failure_stub4, return value expected (1004) actual = 1004
* calling success_stub , return value expected (1) actual = 1
* patching done
* calling failure_stub4, return value expected (1) actual = 1
* Test was a success
============================================
= patch_instruction_jump (double rel jump) =
============================================
* calling failure_stub5, return value expected (1005) actual = 1005
* calling success_stub , return value expected (1) actual = 1
* using jump_vector 0 (address eeef0)
* double relative
* patching done
* calling failure_stub5, return value expected (1) actual = 1
* Test was a success
============================================
= patch_instruction_jump (single rel jump) =
============================================
* calling failure_stub6, return value expected (1006) actual = 1006
* calling success_stub , return value expected (1) actual = 1
* patch_instruction = Using single jump
* patching done
* calling failure_stub6, return value expected (1) actual = 1
* Test was a success
============================================
= patch_instruction_jump (rel+abs jump)    =
= This is primary goal :)                  =
============================================
* calling failure_stub7, return value expected (1007) actual = 1007
* calling success_stub , return value expected (1) actual = 1
* using jump_vector 1 (address eeefc)
* relative plus absolute (trampoline)
* patching done
* calling failure_stub7, return value expected (1) actual = 1
* Test was a success
============================================
======== Memory after patching       =======
============================================
failure_stubs1 addr c80abc (eaffffcf)
failure_stubs2 addr c80aa0 (eaffffd6)
failure_stubs3 addr c80a84 (ea01a567)
failure_stubs4 addr c80a6c (ea01a56d)
failure_stubs5 addr c80a50 (ead1b926)
failure_stubs6 addr c80a34 (eafffff1)
failure_stubs7 addr c80a18 (ead1b937)
success_stubs  addr c80a00 (e92d4008)
============================================
============ Done ==========================
============================================
updating Movie Tweaks -> Movie Logging
updating Movie Tweaks -> Time Indicator
[NotifyBox] Camera was not shut down cleanly.
Skipping module loading.



The tests were so far a success. I tryed to allocate 3 different way to see which allocate has the lowest address (there are more
ways to allocate but I have not included them yet !). This address will be used a jump table, and the winner is canon's malloc:


======================================
=       jump vector allocation       =
======================================
jump-vector using malloc == 0xeeef0 (978672)
jump-vector alloca == 0x14b5f8 (1357304)
jump_vector_static == 0xcf6400 (13591552)
jump vector winner was _malloc


The rom starts at 0xFE0C0000, but our allocation start at 0xeeef0, that is a jump over 32MB so there we can't hijack the very start, but it's
really close and we can use that to continue working on the 1300d for now. With this alternative patch function we can hijack
from 0xFE0EEEF0 to 0xFFFFFFFF which is more or less everything (~99.99%).


Todo

1. Use other allocation routines to find the lowest address (would be nice if we could get allocation address below 0xC0000)
2. Implement a unpatch function
3. Cleanup and make the code pretty.
... some text here ..

heder

My updated 1300D cooking recipe

(my gcc = arm-none-eabi-gcc-4.7.4)

1. Download 1300d branch (https://bitbucket.org/hudson/magic-lantern/branch/1300D)
2. Overwrite some files from https://github.com/jmheder/ml/raw/master/update1.zip (patch.c,patch.hinit.c,boot-hack.h,boot-45d-ch.c,fw_signatures.h)
3. Compile QEMU from QEMU branch (https://bitbucket.org/hudson/magic-lantern/branch/QEMU)
4. Update 1300D ROM1.bin

dd if=ROM1.BIN of=BOOT.BIN bs=64K skip=1 count=1
dd if=BOOT.BIN of=ROM1.BIN bs=64K seek=511

5. Update 1300D ROM0.bin (ROM0.bin = garbage, better use empty ROM0.bin)

mv ROM0.bin ROM0.bin.orig
touch ROM0.bin


6. Execute "make autoexec.bin" inside the 1300D platrform.
7. Run autoexec.bin in QEMU


How to use this temporary patch instruction jump function:

If you are hijacking a complete function (this is normally what we do ...):
patch_instruction_jump((uintptr_t)function_to_hijack,(uint32_t)function_to_hijack,(uint32_t)new_function,JUMP_B," hijacking some function ",2);

If you are hijacking a single instruction or branch instruction (BL) and turning it into a new BL:
patch_instruction_jump((uintptr_t)address_to_hijack,(uint32_t)address_to_hijack,(uint32_t)new_function,JUMP_BL," jumping from within some function",2);

... some text here ..

critix

Thank you, @heder.
A1ex, can you check what @heder did? If you think it's ok, can ML be run on the 1300D?
Thank you.
Canon 1300D, 500D, EOS M, EOS M2

heder

I night be wrong, but i dont see why we need my alternative patch function to run ML in 1300D. The only reason we need it is to develop ML for 1300D. Once ML is completed my patch function becomes useless. Its only a development tool.
... some text here ..

critix

I didn't ask the right question. I wanted to ask a1ex if the bootflag can now be set to 1300D.
Thanks
Canon 1300D, 500D, EOS M, EOS M2

heder

Quote from: critix on July 25, 2020, 07:49:31 PM
I didn't ask the right question. I wanted to ask a1ex if the bootflag can now be set to 1300D.
Thanks
Ok, thats a1ex's job.
... some text here ..

Ant123

But a1ex hasn't posted on the forum for 4 weeks...

Walter Schulz

Busy with repository migration, maybe? Last active 24th of July, though. No worries!

heder

I have finalized the new function. I have updated the development patch_instruction_jump for 1300D. patch_instruction_jump will only be enabled on 1300D builds, as others do not need that one right now. Since bitbucket is read-only the patch are not checked, the only solution is a zip file with modified files.

1. Download 1300d branch (https://bitbucket.org/hudson/magic-lantern/branch/1300D)
2. Overwrite files in patch-update.zip from https://github.com/jmheder/ml/raw/master/patch_update.zip
3. Compile QEMU from QEMU branch (https://bitbucket.org/hudson/magic-lantern/branch/QEMU)
4. Update 1300D ROM1.bin

dd if=ROM1.BIN of=BOOT.BIN bs=64K skip=1 count=1
dd if=BOOT.BIN of=ROM1.BIN bs=64K seek=511

5. Update 1300D ROM0.bin (ROM0.bin = garbage, better use empty ROM0.bin)

mv ROM0.bin ROM0.bin.orig
touch ROM0.bin


6. Execute "make autoexec.bin" inside the 1300D platrform.
7. Run autoexec.bin in QEMU


I performed a verification on DryosDebugMsg, similar the a1ex'es here. I hijacked DryosDebugMsg and intercepted ~750 messages, before
I then unpatched it again, and let the system run for a while, and last I called dumpf log. Everything worked as excepted.

So final instruction are:

patch_instruction_jump(uintptr_t rom_func_addr, uintptr_t new_func_addr, uint32_t jump_type, const char * description);
rom_func_addr = address in rom of function
new_func_addr = address of new function
jump_type     = JUMP_B for normal hijack (~ overwrite function), JUMP_BL if you are replacing an existing bl instruction
description   = ...


unpatch_memory(uintptr_t rom_func_addr)
rom_func_addr = undo patch at address

... some text here ..

CanonCasey

Is there any update on the progress?
Astrophotographer/Photographer

rubiaso

Does this mean we can use ML on 1300D?

names_are_hard

No.  It means progress is still being made.

moloch

There is no percentage to know how it goes? :'(