ProcessTwoInTwoOutLosslessPath

Started by a1ex, December 18, 2016, 09:06:41 PM


a1ex

Hypothesis: 4C XX is a relative jump of XX*2 bytes. It's used to guard the strings in the firmware (appears to jump over them).

Example (400D):

0000027e  4c 1a 6c 61 75 6e 63 68  65 72 2e 73 20 72 65 76  |L.launcher.s rev|
0000028e  2d 31 2e 30 20 32 30 30  31 2f 30 37 2f 31 37 20  |-1.0 2001/07/17 |
0000029e  61 75 74 68 6f 72 20 53  61 74 6f 73 68 69 20 4e  |author Satoshi N|
000002ae  61 69 74 6f eb 01 6a 17  ae 21 ba 07 a2 2f 8b 20  |aito..j..!.../. |


0x27e + 2 * 0x1A = 0x2b2 (right after the string, which is not null-terminated)

This matches most of the strings, with one exception (not sure how to interpret it):

00000400  4c c2 20 65 6e 63 64 65  63 5f 6a 70 65 67 20 72  |L. encdec_jpeg r|
00000410  65 76 32 2e 31 31 20 32  30 30 34 2f 30 32 2f 31  |ev2.11 2004/02/1|
00000420  32 20 59 75 6b 69 6f 20  43 68 69 62 61 20 26 20  |2 Yukio Chiba & |
00000430  53 61 74 6f 73 68 69 20  4e 61 69 74 6f 20 8a 00  |Satoshi Naito ..|


Side note: last night, jpaana suggested it might be a TMS320 DSP.
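
A way to test the hypothesis above mechanically, as an added example that is not part of the original post: the script rebuilds the two hexdump excerpts quoted above into a sparse byte image (the gap between them is zero-filled, which is an assumption of the example), looks for every 4C XX that is directly followed by a printable string, and checks whether offset + 2*XX lands exactly where that string ends. The hexdump parser, the function names and the min_len threshold are this example's own choices.

```python
import re

# Constructed input: the two 400D hexdump excerpts quoted in the post, verbatim.
# Everything between them is zero-filled below (assumption, not firmware content).
HEXDUMP_400D = """\
0000027e  4c 1a 6c 61 75 6e 63 68  65 72 2e 73 20 72 65 76  |L.launcher.s rev|
0000028e  2d 31 2e 30 20 32 30 30  31 2f 30 37 2f 31 37 20  |-1.0 2001/07/17 |
0000029e  61 75 74 68 6f 72 20 53  61 74 6f 73 68 69 20 4e  |author Satoshi N|
000002ae  61 69 74 6f eb 01 6a 17  ae 21 ba 07 a2 2f 8b 20  |aito..j..!.../. |
00000400  4c c2 20 65 6e 63 64 65  63 5f 6a 70 65 67 20 72  |L. encdec_jpeg r|
00000410  65 76 32 2e 31 31 20 32  30 30 34 2f 30 32 2f 31  |ev2.11 2004/02/1|
00000420  32 20 59 75 6b 69 6f 20  43 68 69 62 61 20 26 20  |2 Yukio Chiba & |
00000430  53 61 74 6f 73 68 69 20  4e 61 69 74 6f 20 8a 00  |Satoshi Naito ..|
"""

# offset, then whitespace-separated hex bytes, then the |ascii| column
LINE_RE = re.compile(r"^([0-9a-fA-F]+)\s+((?:[0-9a-fA-F]{2}\s+)+)\|")


def parse_hexdump(text, size=None):
    """Rebuild a byte image from `hexdump -C`-style lines; unlisted bytes are zero."""
    chunks = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        offset = int(m.group(1), 16)
        data = bytes.fromhex(m.group(2).replace(" ", ""))
        chunks.append((offset, data))
    end = max(off + len(d) for off, d in chunks)
    image = bytearray(size or end)
    for off, data in chunks:
        image[off:off + len(data)] = data
    return bytes(image)


def printable_run_end(image, start):
    """Offset of the first non-printable (outside 0x20..0x7E) byte at or after start."""
    i = start
    while i < len(image) and 0x20 <= image[i] <= 0x7E:
        i += 1
    return i


def find_string_guards(image, min_len=8):
    """Find 4C XX followed by a printable run of at least min_len bytes and test
    whether the hypothesised target offset + 2*XX coincides with the run's end."""
    hits = []
    skip_until = 0  # do not report 0x4C bytes that sit inside a string already found
    for off in range(len(image) - 2):
        if off < skip_until or image[off] != 0x4C:
            continue
        end = printable_run_end(image, off + 2)
        if end - (off + 2) < min_len:
            continue
        skip_until = end
        target = off + 2 * image[off + 1]
        hits.append({
            "offset": off,
            "xx": image[off + 1],
            "target": target,
            "string_end": end,
            "string": image[off + 2:end].decode("ascii"),
            "consistent": target == end,
        })
    return hits


if __name__ == "__main__":
    img = parse_hexdump(HEXDUMP_400D)
    for h in find_string_guards(img):
        verdict = "consistent" if h["consistent"] else "NOT consistent"
        print(f"{h['offset']:#06x}: 4C {h['xx']:02X} -> {h['target']:#06x}, "
              f"string ends at {h['string_end']:#06x}: {verdict}")
```

Run as is, the 0x27e entry comes out consistent (target 0x2b2, string ends at 0x2b2) while the 0x400 entry does not (target 0x584, string ends at 0x43e), which is exactly the exception noted above; the same scanner can be pointed at a complete hexdump -C listing of a firmware to see how many strings fit the rule.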

g3gg0

Already tried TMS320 but it didn't work.
What I might try is to swap the endianness before decoding, but that would be kind of odd.

About the strings in the firmware: it could also be some "store x following words somewhere" instruction.
Help us with datasheets - Help us with register dumps
magic lantern: 1Magic9991E1eWbGvrsx186GovYCXFbppY, server expenses: [email protected]
ONLY donate for things we have done, not for things you expect!

g3gg0

or better test all variants of the TMS320.. hold on..

g3gg0

The TMS320 processor family varies a lot in opcode layout,
so code compiled for TMS320C54 will look totally different on TMS320C55.
Got in touch with these when hacking Nokia phones ages ago.

Although when using TMS320C54 for decompilation, the code looks sensible in terms of instruction alignment.
a1ex, you remember our chat about opcode length - mixed 16 and 32 bit instructions.

According to http://magiclantern.wikia.com/wiki/Datasheets we have traces of a TMS320DM36x in a 5DII,

so let's try this one.. unfortunately my IDA Pro doesn't have this processor :(


stevefal

Hey guys, I noticed this news on the interwebs. Exciting. I'll surely be back to give video a try if it leads to that.
Steve Falcon

71m363nd3r

@a1ex
@g3gg0

I can understand that we go with DNG, but what do you think about pushing it further with OpenEXR (https://en.wikipedia.org/wiki/OpenEXR)? It's a fully open-source standard with better compression.

a1ex

Right now, we are still limited by the compression engine implemented by Canon; its output simply happened to be valid for both CR2 and DNG, so we just changed the header and did some minor layout tweaks. Not sure what the point of using other formats would be in this case.

If we manage to identify the DSP, that might be a different story.

Some other notes:




I've attempted to verify the hypothesis about 4C XX (relative jumps). On 60D, I made the following changes (works with either Debug -> Memory Browser or as C code):


/* hardcoded for 60D; MEM(addr) is Magic Lantern's macro for reading the 32-bit word at addr */
uint8_t * jpcore = (void *) ((MEM(0x350A0) + 31) & ~31);   /* round up to a 32-byte boundary */

/* original: jpcore[4:5] = 4C 7E => probably jumps to 0x4 + 2 * 0x7E = 0x100;
 * jpcore[0x30] is in the middle of a string (400D) or spaces (60D)
 */

jpcore[0x5]  = (0x30 - 0x4) / 2;       /* jump to 0x30 instead (0x16) */
jpcore[0x30] = 0x4C;                   /* from 0x30, jump to 0x100 */
jpcore[0x31] = (0x100 - 0x30) / 2;     /* (0x68) */


Result: success (can take photos, can review them).

Next change (on top of the others):

jpcore[0x31] = 0;                       /* infinite loop */


Result: crash when taking photos (JPCORE interrupt not triggered).




On 60D, I've found the JP62 (H.264) firmware at 0xFF647D70 (initialization visible in QEMU, unlike 5D3). The code frequencies don't seem to match the regular JPCORE at all, so I guess it may be a different architecture.

16-bit codes with 16-bit alignment:

Code (hex)  count in 60D JP62 firmware
    0000:     5288
    0ca8:      306
    0010:      301
    0020:      255
    0001:      238
    20c0:      149
    0c0c:      124
    5600:      123
    f01d:      113
    1ca8:      108
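
The patch-and-observe test described in the post can be rehearsed offline before touching a camera. This is an added example, not a1ex's code: it models the hypothesised 4C XX semantics (next offset = current + 2*XX) as a tiny jump follower and applies the same two edits to a constructed stand-in for the 60D JPCORE header, which only reproduces what the post states (4C 7E at offset 4, spaces around 0x30) and is zero-filled elsewhere; the real layout beyond that is an assumption. It shows that the detour 0x4 -> 0x30 -> 0x100 still ends at 0x100, and that zeroing jpcore[0x31] turns 0x30 into a self-jump, which is the infinite loop the crash is attributed to.

```python
def follow_jumps(image, start, max_steps=32):
    """Follow a chain of hypothesised 4C XX relative jumps starting at `start`.

    Returns (path, outcome) where outcome is:
      'fallthrough'    a byte other than 0x4C was reached (control continues there),
      'loop'           an offset repeated (XX == 0 or a cycle of jumps),
      'out_of_range'   the chain left the image,
      'too_many_steps' safety limit hit.
    """
    path = [start]
    seen = {start}
    pc = start
    for _ in range(max_steps):
        if pc + 1 >= len(image):
            return path, "out_of_range"
        if image[pc] != 0x4C:
            return path, "fallthrough"
        pc = pc + 2 * image[pc + 1]
        path.append(pc)
        if pc in seen:
            return path, "loop"
        seen.add(pc)
    return path, "too_many_steps"


def make_test_header():
    """Constructed stand-in for the 60D JPCORE blob header (assumption: only the
    facts from the post are reproduced: 4C 7E at offset 4, spaces at 0x30)."""
    img = bytearray(0x110)          # zero-filled; 0x100 holds a non-jump byte (0x00)
    img[0x4:0x6] = b"\x4C\x7E"      # original: jumps to 0x4 + 2*0x7E = 0x100
    img[0x30:0x40] = b" " * 0x10    # spaces, as the post says for the 60D
    return img


def apply_detour(img):
    """The first edit from the post: 0x4 -> 0x30, then 0x30 -> 0x100."""
    img = bytearray(img)
    img[0x5] = (0x30 - 0x4) // 2    # 0x16
    img[0x30] = 0x4C
    img[0x31] = (0x100 - 0x30) // 2 # 0x68
    return img


def apply_infinite_loop(img):
    """The second edit, on top of the detour: XX = 0 at 0x30 jumps to itself."""
    img = bytearray(apply_detour(img))
    img[0x31] = 0
    return img


if __name__ == "__main__":
    base = make_test_header()
    for label, blob in (("original", base),
                        ("detour via 0x30", apply_detour(base)),
                        ("0x31 = 0", apply_infinite_loop(base))):
        path, outcome = follow_jumps(blob, 0x4)
        print(f"{label:16s}: {' -> '.join(f'{p:#x}' for p in path)}  [{outcome}]")
```

The follower only knows about the one instruction form under test; any other byte is treated as "control continues here", which is enough to check that an edit keeps the same final destination and to catch the self-jump case before it is tried on hardware.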
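
The 16-bit code histogram above is the kind of frequency profile used to tell one instruction set from another. This added example (not the post's own tooling) computes the same table for any blob and adds a cosine similarity between two profiles, so that "the code frequencies don't match" can be expressed as a number; the little-endian decoding and the two sample blobs are assumptions of the example, and the general scan also accepts 8-bit and 32-bit codes at any alignment.

```python
from collections import Counter
import math
import struct

# Constructed sample blobs (not firmware): A has a few repeated 16-bit words,
# B is all 0xFFFF so that the two profiles share no code at all.
SAMPLE_A = bytes.fromhex("0000a80c000010000000")   # words: 0000 0ca8 0000 0010 0000
SAMPLE_B = b"\xff\xff" * 5


def code_counts(blob, width=2, align=2):
    """Count fixed-width codes read at `align`-byte steps (little-endian assumed).
    width=2, align=2 reproduces the '16-bit codes with 16-bit alignment' table."""
    fmt = {1: "<B", 2: "<H", 4: "<I"}[width]
    counts = Counter()
    for off in range(0, len(blob) - width + 1, align):
        counts[struct.unpack_from(fmt, blob, off)[0]] += 1
    return counts


def top_codes(counts, n=10, width=2):
    """Most frequent codes as (hex string, count), the layout of the table above."""
    return [(f"{code:0{width * 2}x}", cnt) for code, cnt in counts.most_common(n)]


def profile_similarity(counts_a, counts_b):
    """Cosine similarity of two code histograms: 1.0 = identical distribution,
    0.0 = no code in common. Useful for comparing blobs of unequal size."""
    keys = set(counts_a) | set(counts_b)
    dot = sum(counts_a.get(k, 0) * counts_b.get(k, 0) for k in keys)
    norm_a = math.sqrt(sum(v * v for v in counts_a.values()))
    norm_b = math.sqrt(sum(v * v for v in counts_b.values()))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0


if __name__ == "__main__":
    ca, cb = code_counts(SAMPLE_A), code_counts(SAMPLE_B)
    print("Code        count")
    for code, cnt in top_codes(ca):
        print(f"    {code}: {cnt:8d}")
    print(f"similarity A/A = {profile_similarity(ca, ca):.3f}, "
          f"A/B = {profile_similarity(ca, cb):.3f}")
```

Comparing the profile of the known JPCORE blob against the JP62 blob at both 16-bit and 32-bit widths is the numeric form of the eyeball comparison made above; a low similarity supports the "different architecture" reading, while a high one argues for the same encoder with different code.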

garry23

@Danne (@A1ex)

Thanks for sharing the test version for the 5D3-113.

I've just tried it out and managed a single lossless DNG, but I hadn't appreciated that this meant far fewer pixels! That is, my lossless DNGs are 1932 x 1290.

Also, I tried using my FRSP LE script, but the Lua call (camera.shoot(64, false) or camera.shoot(false)) triggers the mechanical shutter.

Cheers

Garry

garry23

OK, I think I worked out 'my mistakes'.

I don't think the lossless test build included the Lua fix.

Plus I hadn't switched to Full Res !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

I'll wait a little :-)

calypsob

Will this feature only be available on 5D Mark III?
Full spectrum T2i
T3i

goldenchild9to5

@calypsob Yeah it will be available for the 5D III when they figure it all out  8)

gamedesign

Will this feature bring any benefits to RAW video on the 7D (mark 1)?
I currently use MLV all the time, it's brilliant.

Licaon_Kter

Forum overload in 3...2...1... https://www.dpreview.com/news/2451079037/magic-lantern-proof-of-concept-shows-in-camera-dng-shooting

That being said, looks like I need to raise the issue of DNG lossless compression support in Darktable again :(

Walter Schulz

At least there might be a chance to comment on Petapixel not getting the point and put it right.

g3gg0

No one realized that it is mainly a saving format meant for silent pictures.

Licaon_Kter

Quote from: g3gg0 on January 03, 2017, 10:25:54 PM
No one realized that it is mainly a saving format meant for silent pictures.
Details... details... that would need someone to actually read the thread, not only to grab the DNGs...  research in journalism, pffft

Walter Schulz

Hey, no more ranting or "the company" may get sued ...

g3gg0

This wasn't meant as a negative comment.

well, it might be interesting for raw video too, but tests till now didn't show any way to make the JPCORE work in LV synchronized to frame display.

Walter Schulz

I haven't archived PetaPixel's post. There was some makeover, I think. Some corrections + introducing some weird concept (I take the liberty to say so).
Quote: If and when this feature arrives, you won't have to worry about quality loss from converting your Canon RAW files into DNGs ...


Licaon_Kter

Quote from: Walter Schulz on January 04, 2017, 12:12:03 AM
I haven't archived PetaPixel's post. There was some makeover, I think. Some corrections + introducing some weird concept (I take the liberty to say so).
And a lot of comments discuss that (quality change on conversion), not sure why anyone would think that.

Audionut

Quote from: Licaon_Kter on January 04, 2017, 12:57:31 AM
not sure why anyone would think that.

The world is flat and there's a magical fairy that sends you to hell if you misbehave.

Walter Schulz

Quote from: Licaon_Kter on January 04, 2017, 12:57:31 AM
And a lot of comments discuss that

Just found out our proxy blocked PetaPixel's comments. Thanks for the info!
Got it wrong about makeover, too.