Author Topic: Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)  (Read 47116 times)

Dennis_K

  • New to the forum
  • *
  • Posts: 1
Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)
« Reply #100 on: September 30, 2018, 02:24:06 PM »
I own a 77D and I would love to help the development. Is there anything I can do? Unfortunately, I have zero expereience with coding.

aprofiti

  • Freshman
  • **
  • Posts: 97
Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)
« Reply #101 on: October 01, 2018, 09:07:12 PM »
I'm trying to find stubs for 77D, using 200D as a reference.

This is what I have at the moment:
Code: [Select]
/** Startup **/
NSTUB( ROMBASEADDR, firmware_entry )
NSTUB(0xE00400EC,  cstart)                 /* calls bzero32 and create_init_task(..., init_task, ...) */
NSTUB(0xDF00D285,  bzero32)                /* zeros out a data structure. From sub_E0428334
      LDR             PC, =(loc_DF00D284+1) */

NSTUB(0xDF006515,  create_init_task)       /* low-level DryOS initialization. From sub_E0427890
      LDR             PC, =(sub_DF006514+1) */
NSTUB(0xE0040215,  init_task)              /* USER_MEM size checking, dmSetup, termDriverInit, stdlibSetup etc */
NSTUB(0xe065e278,  dcache_clean)           /* loop with MCR p15 c7,c10,1; DSB */
NSTUB(0xe065e34c,  icache_invalidate)      /* loop with MCR p15 c7,c5,1; c7,c1,6; c7,c1,0; ISB */

/** Tasks **/
NSTUB(0xDF008F7E,  task_create)            /* used to start TaskMain, GuiMainTask etc */
NSTUB(0xDF0087FE,  msleep)                 /* argument is always multiple of 10 */
//NSTUB(    0x????,  current_task)           /* from task_create; pointer to the current task structure */
//NSTUB(    0x????,  current_interrupt)      /* from interrupt handler (VBAR + 0x18); where the interrupt ID is stored */

/** Dumper **/
NSTUB(0xe007fc46,  dump_file)              /* tries to save a file to either "A:/%s" or "B:/%s"; calls FIO_RemoveFile/CreateFile/WriteFile/CloseFile/Flush */

/** Memory info **/
NSTUB(0xe02640b4,  malloc_info)            /* Malloc Information */
NSTUB(0xe026414c,  sysmem_info)            /* System Memory Information */
NSTUB(0xe01eaf80,  memmap_info)            /* Exception vector, DRYOS system memory etc */
NSTUB(0xe0164ca6,  smemShowFix)            /* Common Lower, Common Upper etc */

/** Memory allocation **/
NSTUB(0xDF0079D3,  GetMemoryInformation)   /* called from AllocateMemory */

/** Debug messages **/
NSTUB(0xDF006E6D,  DryosDebugMsg)          /* lots of debug messages; format string is third argument */

/** Eventprocs (call by name) **/
NSTUB(0xe04d8aee,  call)                   /* many functions called by name (lv_start, lv_stop etc) */

/** GUI timers **/
NSTUB(0xe04d499a,  CancelTimer)            /* from error message */
NSTUB(0xe05aad76,  SetHPTimerAfterNow)     /* from error message */
NSTUB(0xe05aadca,  SetHPTimerNextTick)     /* same "worker" function as SetHPTimerAfterNow */
NSTUB(0xe04d48e4,  SetTimerAfter)          /* from error message */

/** Interrupts **/
//NSTUB(    0x????,  pre_isr_hook)
//NSTUB(    0x????,  post_isr_hook)
//NSTUB(   0x?????,  isr_table_handler)
//NSTUB(   0x?????,  isr_table_param)

/** MPU communication **/
NSTUB(0xE01E781F,  mpu_send)                  // "dwSize < TXBD_DATA_SIZE"
NSTUB(0xE058866B,  mpu_recv)                  // passed as last argument by InitializeIntercom and eventually stored into mpu_recv_cbr
NSTUB(    0x7CF4,  mpu_recv_cbr)              // mpu_recv is called indirectly through this function pointer
NSTUB(   0x887D4,  mpu_send_ring_buffer)      // ring buffer used in mpu_send
NSTUB(    0x7CD8,  mpu_send_ring_buffer_tail) // ring buffer index incremented in mpu_send
NSTUB(   0x88694,  mpu_recv_ring_buffer)      // ring buffer used in SIO3_ISR, subroutine that processes two chars at a time
NSTUB(    0x7CD0,  mpu_recv_ring_buffer_tail) // ring buffer index incremented in the above subroutine

/** Misc **/
NSTUB(0xe11f93d4,  vsnprintf)              /* called near dmstart; references "01234567", "0123456789", "0123456789abcdef" and "0123456789ABCDEF"; second arg is size; the one called by DebugMsg only knows %s */
Still missing a couple of references to data structures.
After figuring out it should be able to run the same minimal code as current state of 200D.

If someone want to double check and find the remaining stubs, please write down here your finding.

EDIT: More address found. Still missing last isr related stubs
Code: [Select]
NSTUB(    0x1020,  current_task)           /* from task_create; pointer to the current task structure */
NSTUB(    0x1008,  current_interrupt)      /* from interrupt handler (VBAR + 0x18); where the interrupt ID is stored */

/** Interrupts **/
//NSTUB(    0x????,  pre_isr_hook)
//NSTUB(    0x????,  post_isr_hook)
NSTUB(   0x6D0C0,  isr_table_handler)
//NSTUB(   0x?????,  isr_table_param)

jack001214

  • New to the forum
  • *
  • Posts: 3
  • EOS 200D
Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)
« Reply #102 on: October 07, 2018, 11:23:29 AM »
does ML even work for 200D?
Willing to run bootflag modification on my 200D

Mikerofilm

  • New to the forum
  • *
  • Posts: 2
Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)
« Reply #103 on: October 07, 2018, 04:45:00 PM »
Through rom dumpers are we able to expand the range of the video codec on the 6d mk2?

Walter Schulz

  • Hero Member
  • *****
  • Posts: 6324
Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)
« Reply #104 on: October 07, 2018, 06:33:32 PM »
Misconception: ROM dumpers read ROM data from cam. That's a very basic step in ML development. Don't hold your breath waiting for ML files loaded from card and ML code running in the cam. Devs just taking the very first steps in a very, very long journey.

Don't know what you expect in "codec range expanding" but you may take a look into what ML enabled cams are actually able to do. You may be disappointed, though.

jack001214

  • New to the forum
  • *
  • Posts: 3
  • EOS 200D
Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)
« Reply #105 on: October 10, 2018, 06:23:52 PM »
What if i want to run some simple code on my 200D? Like a simple calculation and store it in the RAM or some accessible space. What can i do too access the full CPU instructions in assembler? I am not looking for fancy Screen gui's and touch or anything above those categories.
Willing to run bootflag modification on my 200D

a1ex

  • Administrator
  • Hero Member
  • *****
  • Posts: 11837
  • 5D Mark Free
Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)
« Reply #106 on: October 10, 2018, 07:23:07 PM »
You can already do that in the emulator - see e.g. reply #83. For example, a simple intervalometer coded in C would be very easy to write.

After enabling the boot flag, you will be able to do the same on real hardware. Proof of concept code was already tested and confirmed to work. I'm looking for a volunteer willing to be the first one who enables the boot flag on DIGIC 7 (see previous page); nobody took the risk yet. The FIR file for enabling the boot flag for 200D is ready, just drop me a PM if (or when) you are prepared to run it.

jack001214

  • New to the forum
  • *
  • Posts: 3
  • EOS 200D
Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)
« Reply #107 on: October 11, 2018, 09:24:06 AM »
I'm ready
Willing to run bootflag modification on my 200D

shadimar69

  • New to the forum
  • *
  • Posts: 2
Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)
« Reply #108 on: October 18, 2018, 04:12:32 AM »
Hi all,

Just received my shiny new M50 and then rapidly proceeded to wonder how I can make it do what it 'should' be able to do. ;)

I have read through this forum, and have not seen any definitive working versions of ML(Magic Lantern) for the M50. Can someone significantly more intelligent than myself in regards to firmware code injection, please advise current status of a functioning ML for the Canon M50 on the DIGIC 8?

Please let me know if there is anything I can do to help progress/assist with the project moving forward.

Thanks in advance! :)
Canon M50 tinkerer

a1ex

  • Administrator
  • Hero Member
  • *****
  • Posts: 11837
  • 5D Mark Free
Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)
« Reply #109 on: October 18, 2018, 09:22:22 AM »
Status:
- can run custom code (FIR files for now; I need to prepare those)
- can blink the LEDs
- can flip error screen from bootloader
- can jump to main firmware from FIR (no special tricks required)
- cannot boot main firmware with 200D code (likely easy to debug)
- can not display custom stuff on the screen, not even from bootloader (likely easy after seeing the bootloader)

I can prepare test files for #5, but not right now.

shadimar69

  • New to the forum
  • *
  • Posts: 2
Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)
« Reply #110 on: October 18, 2018, 10:14:58 AM »
Thank you for the status update a1ex!

Please let me know if there is anything that I can do to help expedite any of the steps.

Thank you again! :)
Canon M50 tinkerer

c_joerg

  • New to the forum
  • *
  • Posts: 30
Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)
« Reply #111 on: October 23, 2018, 09:38:54 AM »
Edit: the EOS M50 appears to run EOS firmware (other recent models, i.e. M3, M5, M6, M10 and M100, are based on PowerShot firmware). Looking for a volunteer to try the LED blinking test on this camera, too :)

Does anyone know if Canon Basic is available on the M50 or EOS R(as with the M3)?
6D

a1ex

  • Administrator
  • Hero Member
  • *****
  • Posts: 11837
  • 5D Mark Free
Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)
« Reply #112 on: October 23, 2018, 10:02:27 AM »
Maybe. The M50 ROM contains the following strings:

Code: [Select]
B:/script.req
uartr.req
FIO_GetFileInfo (%s) ver.req failed
(%s) ver.req Dir
for DC_scriptdisk
B:/Factory.m
B:/AutoTest.m
B:/Extend.m

I have not tested it, but it's worth trying.

There is some (different) scripting interface in DIGIC 5 DSLRs as well, but I have not explored it (it's left as a nice exercise for the community). This scripting engine is not present on DIGIC 6 or newer "pure EOS" models, from what I could tell.

juarez13

  • New to the forum
  • *
  • Posts: 2
Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)
« Reply #113 on: October 29, 2018, 11:11:35 PM »
I didnt undertand how to install the magic lantern on 77d, someone can help?

Jonn3y

  • New to the forum
  • *
  • Posts: 2
Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)
« Reply #114 on: October 30, 2018, 06:18:09 PM »
I didnt undertand how to install the magic lantern on 77d, someone can help?

There is no tested and working ML for 77D yet :)

calle2010

  • New to the forum
  • *
  • Posts: 2
Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)
« Reply #115 on: November 02, 2018, 03:43:50 PM »
Hi,

I've dumped the ROMs of my 77D and created a build environment that brings me up to this point:





I also did the test with changing reboot.c to disable the boot flag. Is the output of this still relevant for anybody?

I have a few questions now:
- I unterstand the next step is to collect the stubs. Is there already a more complete list than aprofiti posted on October 1st?
- Has anybody already done the steps described here? https://bitbucket.org/hudson/magic-lantern/src/qemu/contrib/qemu/HACKING.rst?fileviewer=file-view-default#rst-header-adding-support-for-a-new-camera-model
- In branch "digic6-dumper" I see directory "platform/77D.100". Shouldn't this be "77D.102" since the current firmware version is 1.0.2?
- Is there a repository where people work together on porting to the 77D?

Thanks you so far for the good documentation. I hope I can help to get some steps further to a working port of ML for the 77D.

Cheers,
Christian.

PS: If you are interested on how I created my environment have a look at https://github.com/calle2010/magic-lantern-77d-vagrant. I use Vagrant and VirtualBox hosted on MacOs.

a1ex

  • Administrator
  • Hero Member
  • *****
  • Posts: 11837
  • 5D Mark Free
Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)
« Reply #116 on: November 02, 2018, 07:38:20 PM »
PS: If you are interested on how I created my environment have a look at https://github.com/calle2010/magic-lantern-77d-vagrant. I use Vagrant and VirtualBox hosted on MacOs.

Very nice! Not familiar with vagrant, but if it makes easier to setup a build environment, it might be an interesting option.

I've tried Docker some time ago, but the experience wasn't straightforward. I couldn't install it on my main machine (OpenSUSE Tumbleweed), so I had to try it in a virtual machine.

Moving qemu.monitor into /tmp sounds interesting.

Quote
- I unterstand the next step is to collect the stubs. Is there already a more complete list than aprofiti posted on October 1st?

That's the most complete one. I didn't double-check them yet, only noticed the Thumb bit was not set in most of the stubs (and it should be; refer to 200D for details).

Quote
- Has anybody already done the steps described here? https://bitbucket.org/hudson/magic-lantern/src/qemu/contrib/qemu/HACKING.rst?fileviewer=file-view-default#rst-header-adding-support-for-a-new-camera-model

Emulation is at the same level as 200D and all other DIGIC 7 ports. It gets stuck as soon as the two cores expect to talk to each other.

I hope this experiment is going to capture the info needed to understand these interactions, but it has to be adapted to the ARMv7 architecture. The two cores are talking via MMIO registers, interrupts, and they both access the same memory (flat mapping, except for a private 4K page for each core, just like EOS M5).

Quote
- In branch "digic6-dumper" I see directory "platform/77D.100". Shouldn't this be "77D.102" since the current firmware version is 1.0.2?

That's right. Initial experiments on 77D were done before Canon published a firmware update.

Quote
- Is there a repository where people work together on porting to the 77D?

The digic6-dumper branch currently covers the DIGIC 6 and newer models, so... that's pretty much it. RE notes and other findings are shared on the forum.

Some bootloader experiments can be found in the "recovery" branch. That's portable code, running on all models since DIGIC 2.

BTW, we could successfully enable the boot flag on 200D; will post the FIR files soon.

calle2010

  • New to the forum
  • *
  • Posts: 2
Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)
« Reply #117 on: November 03, 2018, 12:22:29 PM »
Very nice! Not familiar with vagrant, but if it makes easier to setup a build environment, it might be an interesting option.

I do only my first steps with Vagrant. I want to automate all the manual steps and setting up the build environment on my MacOS created too much clutter for my taste.

Moving qemu.monitor into /tmp sounds interesting.

This was just the first place that came to my mind. The working directory in this setup is on the VirtualBox filesystem mounted with nodev, so creation of the socket fails with "no permission" error message.

I didn't double-check them yet, only noticed the Thumb bit was not set in most of the stubs (and it should be; refer to 200D for details).

I will check the 200D code and see if I can find the same stubs for 77D. My assembler experience is very limited, though. Also I do not yet quite understand how to test the stubs without the GUI emulation.

a1ex

  • Administrator
  • Hero Member
  • *****
  • Posts: 11837
  • 5D Mark Free
Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)
« Reply #118 on: November 04, 2018, 09:09:10 AM »
Also I do not yet quite understand how to test the stubs without the GUI emulation.

The emulation goes far enough to start a couple of Canon tasks; it even initializes the virtual SD card and is able to save logs. That's pretty much what can be tested at this stage.

Canon firmware even creates a DCIM directory when started from an empty card. From QEMU test results:
Code: [Select]
Testing file I/O (DCIM directory)...
     [...]
    77D: OK
   200D: OK
    6D2: OK
   800D: OK

Once the startup process works, you'll be able to get logs directly from the camera and start experimenting.

tekrevz

  • New to the forum
  • *
  • Posts: 1
Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)
« Reply #119 on: December 03, 2018, 08:24:27 PM »
i have a 6D mark 2 how can I help out??

SniperJunkie

  • New to the forum
  • *
  • Posts: 1
Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)
« Reply #120 on: December 06, 2018, 10:10:56 PM »
I have a Canon EOS M50, If you need me to do anything to help, Please feel free to ask.

kenthinson

  • New to the forum
  • *
  • Posts: 1
Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)
« Reply #121 on: December 07, 2018, 06:38:11 AM »
For DIGIC 7 models, the next step is porting the 80D startup code (i.e. running user code alongside Canon firmware). I expect this step to be straightforward, so it's left as an exercise to the owners of these cameras. You can debug the startup code in the emulator; once you get it working, just ask me to enable the boot flag so you can test it on the camera.

The previous post was for M50 ( DIGIC 8 ). On this camera, I don't know yet how the bootloader looks like, and the code written for DIGIC 7 didn't work, so I'll probably attempt to dump the ROM directly from main firmware. The tests you'll run are:
- jumping to Canon firmware (expecting to be identical to DIGIC 7, i.e. jumping to 0xE0040000)
- LED blinking (testing the above addresses)
- LED blinking from main firmware (if I'll get this working in QEMU)
- ROM dumping from main firmware (could not test this one in QEMU yet)
- other tests (CPU model, diagnostic logs etc)

After publishing the ROM dumper, I'll update the emulator, attempt to enable the boot flag and get some diagnostic logs. Further progress will require a developer with a camera in their hands and plenty of spare time for experiments. If that describes you, your contribution will be more than welcome. I'll be here to help if you get stuck, but please be aware I'm not interested in maintaining yet another camera port alone.

If the code damages the camera, I'll try to help, but cannot guarantee success.

Hi a1ex. I'm a software engineering student. I'll be graduating the end of the month. I'm interested in working on my m50 with my spare time. I see the documentation on the site about setting up qemu dev environment. Looks exciting. Any advice you have for me before I jump in? Thanks :)

I'll be jumping in after the semester is over. For now back to writing papers  :'(

Walter Schulz

  • Hero Member
  • *****
  • Posts: 6324
Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)
« Reply #122 on: December 07, 2018, 07:49:20 AM »
I have a Canon EOS M50, If you need me to do anything to help, Please feel free to ask.

Do you have another cam with ML running on it?
If not:
Take a look into http://chdk.wikia.com/wiki/Obtaining_a_firmware_dump#Using_soundcard_input

@kenthinson: Welcome abord! Best luck for the finals!

Karim

  • New to the forum
  • *
  • Posts: 9
  • ML noob
Re: DIGIC 7 & 8 development (200D/SL2, 800D/T7i, 77D, 6D2, M50)
« Reply #123 on: December 07, 2018, 03:23:57 PM »
I'm really so Glad that we started to dig in these models  :D

I'm going to buy a 200D in jan 2019 I wanna help in the development but without disassembly or something that may totally screw it up I'm not expert for this and I got a 60d if another body may help in the process.
ps:I have no idea about coding at all  :-[

srsa

  • New to the forum
  • *
  • Posts: 3
Canon Basic in DIGIC8 cams
« Reply #124 on: December 08, 2018, 07:11:57 PM »
After exploring the D8 disassembly I have (I was given a reconstructed M50 dump) I decided to publish my findings here.

- The camera does appear to have the scripting language we (@CHDK) refer to as Canon Basic.
- I have the impression that the card setup is the same as described here: http://chdk.wikia.com/wiki/Canon_Basic/Card_Setup
- Event procedures (short: eventproc) do exist, the eventproc handling firmware routines seem to be the same as on PowerShots.
- There seems to be support for extend.m and autotest.m scripts, but their invocation may differ from what's described here: http://chdk.wikia.com/wiki/Canon_Basic#Starting_the_script

- Now, the differences:
 - Most event procedures that appear in CHDK related scripts do not exist. That means, CHDK scripts will not work on D8 cams.
 - Many event procedures seem to be pre-registered, so registration functions such as System.Create() are not necessarily needed.
 - In file names, the card root is B:/
 - I have not yet found an eventproc to write binary files from script, or, to write text on screen.
 
Problem is, I can't say for sure whether using a prepared script card is enough to run scripts. So, everything below is speculation.

Script support seems to be enabled when the cam is in factory mode - the factory mode flag is at 0xE1FF802C.
I think it is also enabled when there's a script named "AutoTest.m" in the root of the card. The code I found loads "AutoTest.m" automatically at the end of the startup procedure.

The following minimal script should make a hex dump of the first 0x40000 bytes of ROM. I'm not certain that my WriteFileString interpretation is correct.
For a first try, name the script "AutoTest.m".

Code: [Select]
dim startadr=0xe0000000
dim romsize=0x40000
dim fname="B:/ROM.TXT"

private sub Initialize()
    p = startadr
    f = OpenFileCREAT(fname)
    do while p < (startadr+romsize)
        WriteFileString(f,"%08X: %08x %08x %08x %08x\n",p,*p,*(p+4),*(p+8),*(p+12))
        p = p + 16
    loop
    CloseFile(f)
end sub

This script is not camera specific, so it can be tried on any D8 cameras (assuming that all D8 cams share the same codebase):
EOS M50, R; PowerShot SX740, SX70

To make sure the card is correctly prepared for scripting, get any older PowerShot (2005...2017) and use the universal dumper script (http://chdk.wikia.com/wiki/Canon_Basic/Scripts/Dumper) to check.

I can't guarantee success, but I think it's worth to try this route.