Canon 40D

[heder]

I need to set the bootflag in the camera to true, but I can't seems to find any ".fir" files for that.

Suggestions ?

Ok .. I found the solution .. read page 1+2 of this thread really carefully  and create a fir file that will toggle the camera bootflag

[heder]

Finally some success!

Got a bootloader constructed and loaded with ML. Images of vxwork branch running in my camera (upper images) and changeset 8159 from unified  (lower images). I will spend the next days by getting a status of the Canon 40D progress, create proper bootloader and hopefully commit and push needed files for continued development. Then I'll make a new post.


Vxwork branch + modified (fonts have been included as static fonts)

Unified - changeset 8159 (commit 091b9f8)

[ilex]

Up with de great work!!....Congrats.

[Theta Sigma]

Thank you heder!

[heder]

Hi all! .. Long post.

I have worked the last couple of days to get a overview of the Canon 40D port which is born with the DIGIC III processor. All models with this processor have more or less stalled so getting one model ported should make it much easier to complete the others.  It's the first processor in the DIGIC series to have 14 bits support and with the Canon 40D's LiveView support, we have all the possibilities for a great ML upgrade - it's just here around the corner.

I hope more people with a canon 40d (or 450d, 1100d = all DIGIC III) will come help me creating a experimental release of ML for Canon 40d before Christmas, that would be cool (if not - its gonna be a easter release). I know it and old camera, but it still a pretty cool camera no matter if you use it as your primary or backup camera. And in these days with mercurial "sunsetting" (what a shitty word) on bitbucket we need some development to move the focus away from this.

Here is a short status:


Rom dumper
Link: https://www.magiclantern.fm/forum/index.php?topic=16534.0
The rom dumper work fine, but is victim of a power save mode and thus after 1-2 seconds after executing the rom dumper the screen goes dark. The rom dumper works, and you will need to wait for a minute or two before removing the battery. The ROM files are in ML\LOGS folder. Only ROM1.BIN has code, you can decompile/analyse it in Ghidra, specs are here (click image to expand):



Useable source repositories:
1. https://bitbucket.org/jmheder/vxworks_canon40d/src/vxworks/ (vxworks branch)
2. https://bitbucket.org/hudson/magic-lantern/src/vxworks/ (vxworks branch)
3. https://bitbucket.org/hudson/magic-lantern/unified (unified changeset 8159)

1. My working branch, properbly the best starting point atm. This is based on 2. with a some modifications (stubs,debug, defines, temporary static rbf fonts )   
2. main "vxworks branch", rufustfirefly rework of 3. will load, but no font are loaded (so no text)
3. The branch vnd used, old menu, but with static font, so text is shown, missing cache_lock() call.


Compilers
Compilers from launchpad, which I have been lightly tested are listed below. If you are on a Linux you will need multiverse for executing the old compilers (they are x86 compiled).

(4.6.2) ok, gcc-arm-none-eabi-4_6-2012q4-20121016.tar.bz2
(4.7.3) ok, gcc-arm-none-eabi-4_7-2012q4-20121208-linux.tar.bz2
(4.7.4) ok, gcc-arm-none-eabi-4_7-2014q2-20140408-linux.tar.bz2
(4.9.3) ok, gcc-arm-none-eabi-4_9-2015q3-20150921-linux.tar.bz2
(5.4.1) ok, gcc-arm-none-eabi-5_4-2016q3-20160926-linux.tar.bz2
(6.3.1) ok, arm-none-eabi-gcc (15:6.3.1+svn253039-1build1) 6.3.1 20170620 - Ubnutu standard
(8.3.1) bad, ML crashes at boot. gcc-arm-none-eabi-8-2019-q3-update-linux.tar.bz2


Bootloader / Flipper:
It works, but the code is not ready for releasing yet. It's based on the 5DC, but it does not work consistenly everytime, but so far it has'nt kill my 40D, so the errors are not fatal. This is my priority no.1 to get done.


Status, what works
* Basic bootloader works
* Booting magic lantern works
* GUI menu system works
* Totals Clicks (in debug menu)
* Temperature partial works (only shows raw temperature, but changeset 8159 (unified) shows celcius)
* Showing edmac channels (we have 16 channels)
* Showing vxworks threads
* Dumping log via call("dumpf") works see end of post for example (unified changeset 8159)


What does'nt work
* FIO_* system does not work and will result in somekind of file system lock
* Camera will not save images after capture (FIO issue), busy spinning icon appears, when powering off.
* Fonts are not loaded (FIO_ issue)
* Modules are not found/loaded (FIO_ issue)
* Dumping rom and does not work (?)
* Small fonts is incorrect scaled, totally unreadable
* Power off will sometimes result in crash
* Menu/GUI system LiveView button (set) not recognised, after liveview press PLAY before going into ML


QEMU emulation (QEMU branch)
I'm building on vxworks, but using QEMU branch to run it. On my mini server (intel atom) QEMU is rather unstable, only using vnc or no display will get it running
properly with a properbility of 50%. The emulator plays more nice that the real camera. I don't have the same problems with file system (FIO). I can dump
rom and call("dumpf") without problems my working branch.


Digic III
The Digic III processor uses same address space like all others, yet since this is a older Digic processor it might miss out on some features. CF address space is same. EDMAC address space is same (but only have 16 channels) FPS_REGISTER_A and FPS_REGISTER_B are same as all others. DMA0 the same .. ect. Mainboard comparison 40D/50D/5DMKII can be seen here - they are quite similar (click to expand image)



Medium/Larger tasks (random listed)
* Create a proper bootloader ("You may now remove the battery") (my priority 1)
* Fix FIO_* vxworks issue, file system lock (my priority 2)
* Get modules / Digic Poke working (FIO fix needed)
* Find free eDMAc channels and enable edmac_memcpy (channel 7,14,15 is reported as "unused?" in debug menu)
* Investigate how many dma channels we have, I have seen DMA0 is ghidra, but not DMA1.
* Investigate liveView
* Iso register investigation
* Bulb mode investigation
* ect ..


Small (random listed)
* Verify that we have 16 edmac channels
* Find Base Clock Mhz and compute default fps in liveView
* Compute FPS_REGISTER_B default (computed, see code at 0xFFFFA050) FPS_REGISTER_A = 0A070A07h (defined at 0xFFFFA130)
* Implement take_screenshot (FIO fix needed)
* Perform benchmark with slow and fast CF cards (bench.mo - FIO fix needed)
* Use Digit Poke to check for CF UDMA 3/4 support
  -> CFA3.0 is supported (string is present in FW)
  -> cfSetTiming does not touch UDMA registers
  -> 1Ds Mk III (DIGIC III) supports UDMA mode 3 - 45 MB/S
  -> new 2019 CF disks just uses CFA3.0 80 ns access (pio mode I guess) - see dumpf log below
* Test arkanoid for a couple of hours (long term test - FIO fixed needed)
* Investigate dump log (startup + enabling liveview), maybe the experts can find some interessing stuff in there ?

Canon 40d "dumpf" log from camera (Properly from source 3.). I started the camera and went into LiveView and then disabled LiveView again.
https://drive.google.com/file/d/10SMuQdFO1qWTv7p5qGRpd0wwj211At_6/view?usp=sharing

/heder

[Ant123]

heder

Do you have the same problem with ML menu in LV mode?

[heder]

heder

Do you have the same problem with ML menu in LV mode?

I cannot said yet, LiveView is'nt enabled and supported on my build yet, but I will keep that in mind.

I don't known about 450D, but in Canon 40D LiveView has no special button, and must be enabled in Canon menu system. Once enabled LiveView can be enabled in some mode when pressing "set" button.

[Ant123]

I don't known about 450D, but in Canon 40D LiveView has no special button, and must be enabled in Canon menu system. Once enabled LiveView can be enabled in some mode when pressing "set" button.

EOS 450D also uses "Set" button to turn on LiveView.

for your camera see page 161

[heder]

I realized driving home from work that CF card system was really slow, so I did a really quick test.  It turns out that ML uses the CF card system before it was initialized which leads to wrong behaviour and lock of the file system. Inserting a long delay after inside ml_init_task before executing anything else solved the FIO issue. 

* Fonts can be loaded
* Camera can shoot images
* Camera can dump logs and ROMs

[aprofiti]

@heder Can you load modules?
Make sure module_task is launched from ml_big_init_task() inside custom init.c

I get wrong behaviour with 5DC, they are listed with wrong filename (it show only last 4 characters of the module's name) so can't be found on card.
Would like to know if it’s the same with 40D.

[heder]

@heder Can you load modules?
Make sure module_task is launched from ml_big_init_task() inside custom init.c

I get wrong behaviour with 5DC, they are listed with wrong filename (it show only last 4 characters of the module's name) so can't be found on card.
Would like to know if it’s the same with 40D.

Hi. No I don't have the issue you have. I can now load modules in the camera - Arkanoid and File_mgr works just fine.

[aprofiti]

Thanks for checking. Need to figure out somehow to solve the issue, I'll try to have a look again

[heder]

More stubs found

• _EngDrvOut,_engio_write,shamen_read
  
• Cancel(Stop)DateTimer,StartTimerAfter
• dm_Set_store_level
• and others ..

   
* Interface to dm_det_store_level on Canon 40D is different than other camera, but input data is the same, so I'm creating a wrapper function. 40D interface is

Code: [Select]

foo(uint32_t *) Newer camera uses

Code: [Select]

foo(uint32_t,uint32_t)
 
* Bulb mode does'nt work, PROP SW1 and SW2 is not defined exactly as in newer camera, but call("dumpf") revealed the SW1 and SW2   
  is defined. The old property values are 0x80002001{5/6} but Canon 40D checks on 0x1000002B (SW1) and 0x1000002D (SW2)
 
  ...    
  562:  4627.423 [GUI] IDLEHandler PRESS_SW1_BUTTON
  ...
  571:  4672.101 [GUI] IDLEHandler PRESS_SW2_BUTTON
  ...
  609:  7982.061 [GUI] IDLEHandler UNPRESS_SW2_BUTTON
  ...
  614:  7999.412 [GUI] IDLEHandler UNPRESS_SW1_BUTTON

 
* take_screenshot() saves incorrectly (but does'nt crash either)

[heder]

Quick update 

I'm still working being the scenes, stubs, reading decompiled code to get the 40D running better. The good thing it that the boot up process work better and better. ML is becomming more
stable and with less crashes.

Boot

• prop_init() need to be called early on to get all PROP messages. (shutter PROP comes early)
• CF card is really slow and after prop_init() I sleep 1600 ms before CF card system is ready for use

Debug Stuff

• dm_set_store_level is working fine, dumpf log is being spammed.
• dm-spy (my_DebugMsg) works in QEMU but not camera - so I'm using internal dumpf

Shooting menu

• I located a nice function, named is usbShutterActivation, I guess it used via usb to activate shutter release in normal mode, liveview mode and bulb
• Bulb with intervalometer is now working using usbShutterActivation
• Bulb in standalone mode is not working (I think half pressed shutter is not detected, but i'm not sure)
• PROP_SW1 and PROP_SW2 is not present is firmware

Expo menu

• Started to populate Expo menu and it's better than I expected
• Shutter works - only minor issue BULB/32". Moving dial to BULB is seen as BULB, but when changing it from within ML from 30" into BULB .. ML says 32"
• Aperture works - only minor issue is the aperture is not always 100% correct, sometimes only 90% or so
• ISO works fine
• White Balance not enabled (PROP modes need to be verified) - now verified and working

[ilex]

@heder
Thanks for your great effort to run ML in 40D. Regards

[heder]

Weekly status report, week 39

Font bugs

• Drop down menus were subject to a shawdow bug (low resolution display ?) making the text look ugly. Solved by not drawing shadow (background)
• Scaling bug on small font making the text unreable (low resolution display ?). This was solved, text is still not 100% ok, but readable.

CF card benchmark (using new Sandisk 833x card)

• Benchmark module crashes due to multiple reasons, so I included bechmark into ML inorder to get a first benchmark using PIO mode; Result was 13 MB/s, both read and write.
• Will tryout all other PIO modes later, CF_SetTiming(uint) checks for 0,4,50,100,120 as input argument. 0 is for some Lexar cards

LiveView

• LiveView is running 30 fps in all modes (standard, zoom x5 x10), which is nice (analyzed dumpf logs)
• When setting dm_set_store_level to minimum (maxmimum logging) zoom modes will have corrupted timing (info just so I don't forget)

Exposure menu

• Picture style is now recognized

Stubs and consts

• msg_queue_count located (all needed msg_queues are located)
• 3 additional timer stubs have now been located (all timers are now located) - but not tested yet
• Located Canon 40D's internal memcpy, not strictly needed
• WINSYS_BMP_DIRTY_NEG might be wrong
• half shutter pressed is not defined (const.h), bulb standard alone mode and focus trap need this feature
• Trying to located AE_STATE and AE_LEVEL, code tells me around 0x4700 - 0x4900, will try out mem_spy later
• Digic III will crash when accessing 0x40000000 (dump RAM) and 0x50000000 (benchmark module), need to find proper mirror addreess

Modules status

• Modules are loading even worse now than before, at start of september (4th) it was much better.

Code

• For reference all my code is pushed to my local repo, I don't work there much, other than pushing my code onces a while, as backup.
  https://bitbucket.org/jmheder/vxworks_canon40d/branch/vxworks

[heder]

Last engio write before liveview start to stream

5584:  8729.649 [ENGIO][0](Addr:0xc0f06008, Data:0x5490549 )
5585:  8729.703 [ENGIO][1](Addr:0xc0f0600c, Data:0x5490549 )
5586:  8729.741 [ENGIO][2](Addr:0xc0f06010, Data:0x549 )
5587:  8729.781 [ENGIO][3](Addr:0xc0f06084, Data:0x20271 )
5588:  8729.826 [ENGIO][4](Addr:0xc0f06088, Data:0x369050d )
5589:  8729.857 [ENGIO][5](Addr:0xc0f06000, Data:0x1 )
5590:  8729.908 [ENGIO][0](Addr:0xc0f06014, Data:0x49d )
5591:  8729.940 [ENGIO][1](Addr:0xc0f06000, Data:0x1 )
     
T1 = 1181+1 = 1182
T0 = 1353+1 = 1354
VideoClock = 30 fps * 1182 * 1354 = 48012840  => 48 Mhz.

AFAIK this is the highest video clock of all Canon EOS, see https://docs.google.com/spreadsheets/d/16cgnRivbUv7nA9PUlCLmLdir3gXdIN3pqzCNAAybepc/edit#gid=3

[heder]

I don't get this

5587:  8729.781 [ENGIO][3](Addr:0xc0f06084, Data:0x20271 )
5588:  8729.826 [ENGIO][4](Addr:0xc0f06088, Data:0x369050d )

According to https://magiclantern.fandom.com/wiki/Register_Map this means

0xC0F06084 RAW first line|column.  = 0x2    | 0x0271  =   2  |  625
0xC0F06088 RAW last line|column.  = 0x369 | 0x050d  = 873| 1293

RAW LV image size = 871 x 668

[a1ex]

The 450D appears to have 56 MHz x 1 channel

For the raw buffer size, the lower half is the number of column groups read out in parallel (i.e. it needs to be multiplied by 2 or 4 or something like this). More likely, 1336x871. Judging from still photo resolution (3888×2592, maybe slightly higher with dcraw), expected active area in LiveView is about 1296x864, as most EOS cameras use 3x3 column binning / line skipping.

Timing analysis, similar to the one from 450D:
- VSizeSetting = 0xFFC2F5F4 (called after [CAP] GetPassResources)
- 53 microseconds / line (from emulating VSizeSetting)
- timer A in still photo mode: 0xA0D + 1 (from FFC2F358 -> FFC32D90 -> 0x94B4 -> 0xc0f06008: 0xa0d0a0d)
- the above confirms the 48 MHz clock and gives 53.625 microseconds / line
- timer B in still photo mode: 2622? (guessed from VSizeSetting)
- 140 ms / frame (up to 7.1 fps burst; 6.5 fps official - check)

Not bad at all - 48 MHz x 2 channels, i.e. as fast as 5D2

[heder]

• timer A (FPS_REGISTER_A) is hardcoded as const in code to 0xa0d0a0d (photo mode)
• Taking a normal image timer B (FPS_REGISTER_B) becomes 0xa3d = (2621) and with the "+1" = 2622 

[heder]

5580:  8729.414 [LV] GetImageTrimming X(1998)=0(0, 0), Y(1319)=0(0, 0)
5581:  8729.469 [LV] GetAfWindowArea W=1336, H=872
5582:  8729.498 [LV] GetAfWindowArea X=567, Y=353
5583:  8729.524 [LV] GetAfWindowArea AfW=256, AfH=172

Yes liveview is 1336x872

[heder]

Nothing much going on other than I'm trying to decode the CF address and registers .. updating https://magiclantern.fandom.com/wiki/Register_Map/40D this might take awhile