Firmware Update/Downdate?

Started by dfort, February 11, 2017, 02:58:02 AM


Philbo

Hey guys, I'm a noob here and in the 5D3/1.3.6 club. Just seeing if there is any progress running ML on 1.3.6, I would dearly love to run ML.

dfort

Quote from: Philbo on March 01, 2020, 06:02:11 AM
Just seeing if there is any progress running ML on 1.3.6, I would dearly love to run ML.

A few of us have tried. Here's my attempt:
https://bitbucket.org/daniel_fort/magic-lantern/branch/update-to-5D.136-wip

Note added to first post of this discussion because several people have been asking this same question.

Joshiewowa

I've got hardware with 1.3.6, anything I can help with?

Danne

Go through this forum post from the start and try to understand the difficulties around firmware upgrade, then proceed.

Philbo

I wish I could somehow contribute, I just know not one thing about coding, firmware, stubs or anything like that.  It seems that it's a complex process that will take time that people can sometimes generously donate.  Might just have to swallow the fact that I can only record 720p @ 60fps (definitely a first world problem, I get it).  :)

Thank you to anyone who has or is going to donate their time to this.

firexball

Hi,
I now have a 5D3 with 1.3.6 after a repair... >:(

I'm not a programmer (just a bit), but wouldn't it be possible to take a firmware of 1.3.5 and "rename" it to 1.3.7 so that it is possible to run an "update" to this Firmware in the cam?
I tried it by renaming and changing the version in the file with a hex editor... as expected no success. The cam tried to update but then stopped, because there is a checksum somewhere in the file. If there would be a possibility to correct this checksum...

After installing the 1.3.7 Version of the 1.3.5 firmware, there would be the chance to downgrade to 1.2.3.

Any suggestions? I would try...

Walter Schulz

You can't just put a Bugatti Veyron sticker on a Prius and run 400+ km/h.
That's not how it works. Period.

firexball

Well, it's more like putting a Bugatti Veyron sticker on a Prius and making someone believe it's a Veyron. That's not impossible.  :P
I don't think the Firmware check is that intelligent...

Walter Schulz

Your analogy is misleading. It does not work this way and tampering with the checking process to make ML run on a different firmware will put your cam in serious danger. The check is there for this very reason. Code won't run as expected. But it's your cam and if you want to render it unusable you can also throw it against the wall until you have a clear view on the sensor. It's less work!



dfort

Really?

Seems to me that switching cards during a firmware update is extremely risky.




Walter Schulz


Apollo7

Quote from: Walter Schulz on April 16, 2020, 02:37:10 PM
Same! I'm afraid some may not be aware of the risks.
https://www.reddit.com/r/MagicLantern/comments/g2dh63/how_to_downgrade_5d_mk_iii_3_firmware_from_136_to/

It should be a risk-free operation, the only thing that is happening within this window is the camera starting up the "update" part of its firmware, it's not actually making any changes to the firmware.
The changes happen later on once you select the new firmware and start installing it.

a1ex

Yep, it's probably OK, and here's the long answer:

1. You select Update Firmware from Canon menu (main firmware)
2. Canon code checks the firmware version of every FIR file from the card; if any of them is less than 1.3.6, the update is refused (main firmware)
3. Canon code temporarily disables the main firmware
4. Camera reboots itself
5. Canon bootloader looks for a FIR file on the card
6. Canon bootloader loads the FIR file (card LED on)
7. Canon bootloader decrypts the FIR file (card LED off, simple CPU-based loop, no peripherals checked - that's when you remove the card)
7a. [edit] after decryption, Canon bootloader unmounts the card and - from what I could tell from emulation - turns off its power (so, you will be removing the card while it's powered on!)
8. Canon bootloader executes the FIR file (the one loaded from the first card) which contains a mini DryOS (and a simplified user interface)
9. Firmware updater mounts the card and reads its contents from scratch
10. You confirm the firmware update (from the simplified user interface of the firmware updating program)

From this point, I can no longer tell what exactly is going on, but apparently the firmware file is read once again from the card. In the past, you were able to place multiple FIR files on the card, and the firmware updating program has a feature that allowed selecting one of these FIR files to perform the update. That feature is still there, and it's probably what makes this trick possible. From my limited understanding, you will be using the 1.3.6 updater code, with the payload from the earlier firmware version.

[Edit] you will be removing the card while it's still powered on, so there is a small risk of hardware damage.

While trying to test the above, I've found a slightly different method, which requires a single card and - in my opinion - is a little safer:
A. select Update Firmware from menu, click OK
B. open the battery door ASAP (but don't remove the battery!)
C. make sure the Firmware Update Loading screen does not appear!
D. camera remains turned off; do not close the battery door
E. remove the card, replace the FIR file and insert it back
F. close the battery door

At this point, Canon bootloader will load the newly copied FIR file and execute it from scratch, without any trickery.

So simple, yet so un-obvious :)

BTW - if you close the battery door without inserting the card (step E), the camera will show an error message. Reboot and you are back to the old firmware. Explanation: see step 3 (main firmware was disabled temporarily, only for one reboot).

If anything goes wrong, I can offer remote assistance, but cannot guarantee a prompt response. Cannot guarantee a 100% success rate either; you perform the procedure at your own risk.
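
The flow a1ex describes above is a time-of-check/time-of-use gap: the version check runs in the main firmware, while the image is read later, after a reboot. The following is an added example and not part of the original post or of Canon's code: a simplified C model in which the integer versions, the `window` hook and all function names are assumptions made for illustration. It contrasts checking once with enforcing the same policy again on the image that is actually loaded.

```c
/* Simplified model of a check-then-load update flow (added example, not Canon code).
   Versions are constructed integers: 136 stands for 1.3.6, 123 for 1.2.3. */
#include <stdio.h>
#include <stddef.h>

#define REFUSED (-1)

struct card { int fir_versions[4]; size_t count; };   /* FIR files on the card */

/* Step 2 on the page: main firmware refuses if any FIR is older than installed. */
static int menu_check(const struct card *c, int installed) {
    if (c->count == 0) return 0;
    for (size_t i = 0; i < c->count; i++)
        if (c->fir_versions[i] < installed) return 0;
    return 1;
}

/* Hypothetical hook standing in for the window between check and load:
   the card contents are outside the firmware's control during that time. */
typedef void (*window_fn)(struct card *c);
static void swap_in_older(struct card *c) { c->fir_versions[0] = 123; c->count = 1; }
static void leave_card(struct card *c) { (void)c; }

/* Check only in the menu: the loader trusts whatever it finds after reboot. */
static int update_check_once(struct card *c, int installed, window_fn window) {
    if (!menu_check(c, installed)) return REFUSED;
    window(c);                                        /* reboot happens here */
    return c->count ? c->fir_versions[0] : REFUSED;   /* version that gets flashed */
}

/* Hardened variant: the policy is enforced again on the image actually loaded. */
static int update_check_at_use(struct card *c, int installed, window_fn window) {
    if (!menu_check(c, installed)) return REFUSED;
    window(c);
    if (c->count == 0 || c->fir_versions[0] < installed) return REFUSED;
    return c->fir_versions[0];
}

int main(void) {
    struct card a = {{136}, 1}, b = {{136}, 1}, c = {{136}, 1};
    printf("check once, card changed:   %d\n", update_check_once(&a, 136, swap_in_older));
    printf("check at use, card changed: %d\n", update_check_at_use(&b, 136, swap_in_older));
    printf("check at use, card intact:  %d\n", update_check_at_use(&c, 136, leave_card));
    return 0;
}
```
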

Apollo7

Thanks a lot for the technical clarification and further testing, a1ex.

Made a longer visual here: https://www.youtube.com/watch?v=SumXIvd-Lvc

Quote from: a1ex on April 16, 2020, 03:49:57 PM
Yep, it's probably OK, and here's the long answer:


ilia3101


Danne


Walter Schulz

I imagine some Canon programmer banging his/her head on the keyboard and muttering "I hate users!".

Apollo7

Quote from: Walter Schulz on April 16, 2020, 06:50:45 PM
I imagine some Canon programmer banging his/her head on the keyboard and muttering "I hate users!".

I can totally see that happening hahaha  :D :D :D

a1ex

Identified a tiny risk - with the original procedure, you will be removing the card while it's powered on (edited the original post). Canon bootloader unmounts the card *after* the decryption, right before executing the firmware updating code; that is, after those ~ 10 seconds when you can remove the card. While it's probably OK, I can imagine some cards may not like a sudden loss of power, so there is some slight possibility of hardware damage (correct me if I'm wrong).

Another quirk: when using a CF card to perform the update, the card will be accessed without LED activity (remember the 5D2/50D?), so you won't know when to remove the card. So, if you follow the original procedure, I highly recommend an SD card.

In any case, if you remove the card too early, you will do so in the middle of a data transfer. The bootloader will be reading from the card (nothing will be written during that access), so I don't expect filesystem corruption. After an interrupted read, the decryption process will fail, so there's no chance to end up flashing an incomplete firmware, even by mistake. I wouldn't exclude a tiny chance of hardware damage, but again, I might be overreacting here.

It's probably a lot more likely to physically damage the SD card while trying to perform the swap in a hurry.

Considering the above, I strongly prefer the second method (also summarized here), which doesn't have any of these risks. Here's a longer description:

- copy firmware 1.3.6 (5D300136.FIR) to the card
- launch Update Firmware from Canon menu, click OK
- open the battery door ASAP, but don't remove the battery!
   - if you did it right, the camera will turn off (wait for a few seconds to make sure it's really off)
   - if you see the Firmware Update Program Loading screen, it means you have opened the battery door a bit too late; wait until it disappears and try again!
- open the card door and remove the card from the camera (do not close the battery door; also leave the power switch on)
- copy firmware 1.1.3 (5D300113.FIR) or 1.2.3 (5D300123.FIR) to the card
   - you may leave the original 1.3.6 FIR on the card, or you may delete it; doesn't matter
- put the card back into the camera, close the card door
- close the battery door; you should see the Firmware Update Program Loading screen
- confirm the firmware downgrade from 1.3.6 to 1.1.3 / 1.2.3
- whatever you do, do not remove the battery in the middle of a firmware update!



That's it. The only tight timing is when opening the battery door; afterwards, the camera will be off, so you can take your time, no need to rush swapping the cards.

To answer a question from another thread:

Quote from: yourboylloyd on April 16, 2020, 07:20:15 PM
Can this possibly be used on all Canon cameras?

Yes, I expect this (second method) to work on all current EOS cameras, from DIGIC 2 to DIGIC 8. The only assumption is that, after clicking Firmware Update and opening the battery door right away, the camera will turn off, rather than restarting (and having the bootloader execute the firmware update file). Following this investigation, this is likely to happen on all EOS models.

The original procedure (swapping the cards while the update is loading) depends on what exactly the firmware updating code is doing - will it always re-read the firmware file from scratch? I don't know. It will probably work as well.


ilia3101

Holy fuck. I can try this on the 5Ds then?

a1ex


ilia3101

Seems pel hu has removed 5D series firmwares: https://pel.hu/eoscard/

Edit: Luckily I have the firmware already downloaded on my own computer, but what do we do about this?