Author Topic: DIGIC 7 development (200D/SL2, 800D/T7i, 77D, 6D2)  (Read 55299 times)

calle2010

  • New to the forum
  • *
  • Posts: 2
Re: DIGIC 7 development (200D/SL2, 800D/T7i, 77D, 6D2)
« Reply #100 on: November 03, 2018, 12:22:29 PM »
Very nice! Not familiar with vagrant, but if it makes easier to setup a build environment, it might be an interesting option.

I do only my first steps with Vagrant. I want to automate all the manual steps and setting up the build environment on my MacOS created too much clutter for my taste.

Moving qemu.monitor into /tmp sounds interesting.

This was just the first place that came to my mind. The working directory in this setup is on the VirtualBox filesystem mounted with nodev, so creation of the socket fails with "no permission" error message.

I didn't double-check them yet, only noticed the Thumb bit was not set in most of the stubs (and it should be; refer to 200D for details).

I will check the 200D code and see if I can find the same stubs for 77D. My assembler experience is very limited, though. Also I do not yet quite understand how to test the stubs without the GUI emulation.

a1ex

  • Administrator
  • Hero Member
  • *****
  • Posts: 11902
  • 5D Mark Free
Re: DIGIC 7 development (200D/SL2, 800D/T7i, 77D, 6D2)
« Reply #101 on: November 04, 2018, 09:09:10 AM »
Also I do not yet quite understand how to test the stubs without the GUI emulation.

The emulation goes far enough to start a couple of Canon tasks; it even initializes the virtual SD card and is able to save logs. That's pretty much what can be tested at this stage.

Canon firmware even creates a DCIM directory when started from an empty card. From QEMU test results:
Code: [Select]
Testing file I/O (DCIM directory)...
     [...]
    77D: OK
   200D: OK
    6D2: OK
   800D: OK

Once the startup process works, you'll be able to get logs directly from the camera and start experimenting.

tekrevz

  • New to the forum
  • *
  • Posts: 1
Re: DIGIC 7 development (200D/SL2, 800D/T7i, 77D, 6D2)
« Reply #102 on: December 03, 2018, 08:24:27 PM »
i have a 6D mark 2 how can I help out??

a1ex

  • Administrator
  • Hero Member
  • *****
  • Posts: 11902
  • 5D Mark Free
Re: DIGIC 7 development (200D/SL2, 800D/T7i, 77D, 6D2)
« Reply #103 on: January 08, 2019, 10:58:30 PM »
M50 moved over here, alongside with other DIGIC 8 PowerShots.

Short recap for DIGIC 7:
- source code: digic6-dumper branch ( actually covering DIGIC 6, 7 and 8 )
- bootloader experiments: recovery branch ( portable code, running on DIGIC 2...8 )
- emulation: qemu branch (README.rst, HACKING.rst, no GUI yet, but file I/O is working)
- CPU info (Cortex A9 dual core), MMU configuration (mostly flat mapping), ROM layout (32MB at 0xE0000000, 16MB at 0xF0000000)
- see also Initial firmware analysis in QEMU docs
- 200D: proof of concept code available; I'm ready to enable the boot flag, too. Or, to capture DNGs from LiveView or other simple tasks.
- 800D, 77D, 6D2: find a couple of stubs (tutorial) to run the 200D PoC. Once you do that, I'm ready to enable the boot flag on these models, too.
- image sensor on all these models appears to run at 27 MHz x 12 channels (hypothesis), i.e. fast enough for 4K video.
- I have no plans to get any of these cameras; it's up to the user community to push the development further.

Have fun!

DeafEyeJedi

  • Hero Member
  • *****
  • Posts: 3105
  • 5D3 / M1 / 7D / 70D / SL1 / M2
Re: DIGIC 7 development (200D/SL2, 800D/T7i, 77D, 6D2)
« Reply #104 on: January 09, 2019, 03:21:15 AM »
Sounds fabulous in regards to these updates. Thanks for reporting them @a1ex and definitely feels encouraging!
5D3.113 • 5D3.123 • EOSM.203 • 7D.203 • 70D.112 • 100D.101 • EOSM2.*

jack001214

  • New to the forum
  • *
  • Posts: 5
  • EOS 200D
Re: DIGIC 7 development (200D/SL2, 800D/T7i, 77D, 6D2)
« Reply #105 on: January 14, 2019, 07:29:58 AM »
M50 moved over here, alongside with other DIGIC 8 PowerShots.

Short recap for DIGIC 7:
- source code: digic6-dumper branch ( actually covering DIGIC 6, 7 and 8 )
- bootloader experiments: recovery branch ( portable code, running on DIGIC 2...8 )
- emulation: qemu branch (README.rst, HACKING.rst, no GUI yet, but file I/O is working)
- CPU info (Cortex A9 dual core), MMU configuration (mostly flat mapping), ROM layout (32MB at 0xE0000000, 16MB at 0xF0000000)
- see also Initial firmware analysis in QEMU docs
- 200D: proof of concept code available; I'm ready to enable the boot flag, too. Or, to capture DNGs from LiveView or other simple tasks.
- 800D, 77D, 6D2: find a couple of stubs (tutorial) to run the 200D PoC. Once you do that, I'm ready to enable the boot flag on these models, too.
- image sensor on all these models appears to run at 27 MHz x 12 channels (hypothesis), i.e. fast enough for 4K video.
- I have no plans to get any of these cameras; it's up to the user community to push the development further.

Have fun!
What is the main reason for limited support for the dual core camera's anyways?
Willing to run bootflag modification on my 200D

Sayfog

  • New to the forum
  • *
  • Posts: 2
Re: DIGIC 7 development (200D/SL2, 800D/T7i, 77D, 6D2)
« Reply #106 on: January 15, 2019, 05:38:28 AM »
Where is the 200D proof of concept code stored? I've got one and want to help develop, I've also got an oscilloscope if stuff needs probing to help out development.

a1ex

  • Administrator
  • Hero Member
  • *****
  • Posts: 11902
  • 5D Mark Free
Re: DIGIC 7 development (200D/SL2, 800D/T7i, 77D, 6D2)
« Reply #107 on: January 16, 2019, 10:24:08 PM »
What is the main reason for limited support for the dual core camera's anyways?

For DIGIC 7/8:
- There's very little reason for ML to run on both cores, on these models. They both can access nearly the entire memory space (except for a small private page).
- This does not apply to earlier dual core models. On 7D, ML running only on a single core means reduced functionality (or much harder to implement certain features).
- Emulation-wise, it's important, but one has to understand the low-level interfaces between the two cores. Likely doable with io_trace (after updating it to run on the newer CPUs).

Where is the 200D proof of concept code stored? I've got one and want to help develop, I've also got an oscilloscope if stuff needs probing to help out development.

We've been in touch on IRC. Short summary, for those who didn't follow the conversation:

Where to find stuff: see my recap post above.

Electronics probing: I see very little need for this in order to port ML. I'm pretty sure such low-level investigation is going to reveal very interesting stuff about camera internals, but first we need to get the basics working (i.e. bringing up the ML menu). I won't refuse a few high-res pictures of the circuit boards, though :D

In other words, an important task is figuring out how to print things on the screen (i.e. a software-only task). Then, there comes the easy stuff - identifying button codes, adapting the display routines for the new image format (likely this), figuring out ARM-Thumb calling quirks, enabling and testing ML features...



CPU info from 200D (same as 6D2):

Code: [Select]
CHDK CPU info for 0x417 200D
------------------------------
ID         0x414FC091
  Revision             0x1 1
  Part                 0xC09 3081
  ARM Arch             0xF 15
  Variant              0x4 4
  Implementor          0x41 65
Cache type 0x83338003
  Icache min words/line 0x3 3 [8]
  (zero)               0x0 0
  L1 Icache policy     0x2 2
  Dcache min words/line 0x3 3 [8]
  Exclusives Reservation Granule 0x3 3 [8]
  Cache Writeback Granule 0x3 3 [8]
  (zero)               0x0 0
  (register format)    0x4 4
TCM type   0x00000000
  (raw value)          0x0 0
MPU type   0x414FC091
  S                    0x1 1
  -                    0x48 72
  Num of MPU regions   0xC0 192
Multiprocessor ID 0x80000000
  (raw value)          0x80000000 -2147483648
Processor feature 0 0x00001231
  ARM inst set         0x1 1
  Thumb inst set       0x3 3
  Jazelle inst set     0x2 2
  ThumbEE inst set     0x1 1
  -                    0x0 0
Processor feature 1 0x00000011
  Programmers' model   0x1 1
  Security extensions  0x1 1
  Microcontr. prog model 0x0 0
  -                    0x0 0
Debug feature 0x00010444
  (raw value)          0x10444 66628
Aux feature 0x00000000
  (raw value)          0x0 0
Mem model feature 0 0x00100103
  VMSA support         0x3 3
  PMSA support         0x0 0
  Cache coherence      0x1 1
  Outer shareable      0x0 0
  TCM support          0x0 0
  Auxiliary registers  0x1 1
  FCSE support         0x0 0
  -                    0x0 0
Mem model feature 1 0x20000000
  L1 Harvard cache VA  0x0 0
  L1 unified cache VA  0x0 0
  L1 Harvard cache s/w 0x0 0
  L1 unified cache s/w 0x0 0
  L1 Harvard cache     0x0 0
  L1 unified cache     0x0 0
  L1 cache test & clean 0x0 0
  Branch predictor     0x2 2
Mem model feature 2 0x01230000
  L1 Harvard fg prefetch 0x0 0
  L1 Harvard bg prefetch 0x0 0
  L1 Harvard range     0x0 0
  Harvard TLB          0x0 0
  Unified TLB          0x3 3
  Mem barrier          0x2 2
  WFI stall            0x1 1
  HW access flag       0x0 0
Mem model feature 3 0x00102111
  Cache maintain MVA   0x1 1
  Cache maintain s/w   0x1 1
  BP maintain          0x1 1
  -                    0x102 258
  Supersection support 0x0 0
ISA feature 0 0x00101111
  Swap instrs          0x1 1
  Bitcount instrs      0x1 1
  Bitfield instrs      0x1 1
  CmpBranch instrs     0x1 1
  Coproc instrs        0x0 0
  Debug instrs         0x1 1
  Divide instrs        0x0 0
  -                    0x0 0
ISA feature 1 0x13112111
  Endian instrs        0x1 1
  Exception instrs     0x1 1
  Exception AR instrs  0x1 1
  Extend instrs        0x2 2
  IfThen instrs        0x1 1
  Immediate instrs     0x1 1
  Interwork instrs     0x3 3
  Jazelle instrs       0x1 1
ISA feature 2 0x21232041
  LoadStore instrs     0x1 1
  Memhint instrs       0x4 4
  MultiAccess Interruptible instructions 0x0 0
  Mult instrs          0x2 2
  MultS instrs         0x3 3
  MultU instrs         0x2 2
  PSR AR instrs        0x1 1
  Reversal instrs      0x2 2
ISA feature 3 0x11112131
  Saturate instrs      0x1 1
  SIMD instrs          0x3 3
  SVC instrs           0x1 1
  SynchPrim instrs     0x2 2
  TabBranch instrs     0x1 1
  ThumbCopy instrs     0x1 1
  TrueNOP instrs       0x1 1
  T2 Exec Env instrs   0x1 1
ISA feature 4 0x00011142
  Unprivileged instrs  0x2 2
  WithShifts instrs    0x4 4
  Writeback instrs     0x1 1
  SMC instrs           0x1 1
  Barrier instrs       0x1 1
  SynchPrim_instrs_frac 0x0 0
  PSR_M instrs         0x0 0
  -                    0x0 0
ISA feature 5 0x00000000
  -                    0x0 0
Cache level ID 0x09200003
  Cache type, level1   0x3 3 [Separate Icache, Dcache]
  Cache type, level2   0x0 0 [no cache]
  Cache type, level3   0x0 0 [no cache]
  Cache type, level4   0x0 0 [no cache]
  Cache type, level5   0x0 0 [no cache]
  Cache type, level6   0x0 0 [no cache]
  Cache type, level7   0x0 0 [no cache]
  Cache type, level8   0x1 1 [Icache only]
  Level of coherency   0x1 1
  Level of unification 0x1 1
  (zero)               0x0 0
Cache size ID reg (data, level0) 0x700FE019
  Line size in words   0x1 1 [8]
  Associativity        0x3 3 [4]
  Number of sets       0x7F 127 [128]
  Write allocation     0x1 1
  Read allocation      0x1 1
  Write back           0x1 1
  Write through        0x0 0
Cache size ID reg (inst, level0) 0x200FE019
  Line size in words   0x1 1 [8]
  Associativity        0x3 3 [4]
  Number of sets       0x7F 127 [128]
  Write allocation     0x0 0
  Read allocation      0x1 1
  Write back           0x0 0
  Write through        0x0 0
SCTLR      0x48C5187D
  MPU Enable           0x1 1
  Strict Align         0x0 0
  L1 DCache Enable     0x1 1
  - (SBO)              0xF 15
  - (SBZ)              0x0 0
  Branch Pred Enable   0x1 1
  L1 ICache Enable     0x1 1
  High Vectors         0x0 0
  Round Robin          0x0 0
  - (SBZ)              0x0 0
  - (SBO)              0x1 1
  MPU background reg   0x0 0
  - (SBO)              0x1 1
  Div0 exception       0x0 0
  - (SBZ)              0x0 0
  FIQ Enable           0x0 0
  - (SBO)              0x3 3
  VIC                  0x0 0
  CPSR E bit           0x0 0
  - (SBZ)              0x0 0
  NMFI                 0x1 1
  TRE                  0x0 0
  AFE                  0x0 0
  Thumb exceptions     0x1 1
  Big endian           0x0 0
ACTLR      0x00000045
  (raw value)          0x45 69
ACTLR2     0x00000201
  (raw value)          0x201 513
CPACR      0xC0000000
  (raw value)          0xC0000000 -1073741824
DBGDIDR    0x35137041
  Revision             0x1 1
  Variant              0x4 4
  - (RAZ)              0x70 112
  Version              0x3 3 [v7 full]
  Context              0x1 1 [2]
  BRP                  0x5 5 [6]
  WRP                  0x3 3 [4]
DBGDRAR    0x00000000
  Valid                0x0 0
  - (UNK)              0x0 0
  Address              0x0 0 [0x00000000]
DBGDSAR    0x00030000
  Valid                0x0 0
  - (UNK)              0x0 0
  Address              0x30 48 [0x00030000]
DBGDSCR    0x03000002
  HALTED               0x0 0
  RESTARTED            0x1 1
  MOE                  0x0 0
  SDABORT_l            0x0 0
  ADABORT_l            0x0 0
  UND_l                0x0 0
  FS                   0x0 0
  DBGack               0x0 0
  INTdis               0x0 0
  UDCCdis              0x0 0
  ITRen                0x0 0
  HDBGen               0x0 0
  MDBGen               0x0 0
  SPIDdis              0x0 0
  SPNIDdis             0x0 0
  NS                   0x0 0
  ADAdiscard           0x0 0
  ExtDCCmode           0x0 0
  - (SBZ)              0x0 0
  InstrCompl_l         0x1 1
  PipeAdv              0x1 1
  TXfull_l             0x0 0
  RXfull_l             0x0 0
  - (SBZ)              0x0 0
  TXfull               0x0 0
  RXfull               0x0 0
  - (SBZ)              0x0 0



Updated ROM dumpers to the latest codebase (no more restrictions on card/filesystem size, it just has to be FAT12/16/32):
DIGIC 7:  200D  6D2  77D  800D

And CPUINFO with log file support (same output expected on all models, but...):
DIGIC 7:  200D  6D2  77D  800D

jack001214

  • New to the forum
  • *
  • Posts: 5
  • EOS 200D
Re: DIGIC 7 development (200D/SL2, 800D/T7i, 77D, 6D2)
« Reply #108 on: Yesterday at 06:07:44 AM »
Quote
figuring out how to print things on the screen (i.e. a software-only task)
How were able to achieve that with the ROM dumpers?


Quote
- 200D: proof of concept code available;
Is it from the digic6-dumper branch? The same one which you gave me few months back?
Willing to run bootflag modification on my 200D

Sayfog

  • New to the forum
  • *
  • Posts: 2
Re: DIGIC 7 development (200D/SL2, 800D/T7i, 77D, 6D2)
« Reply #109 on: Today at 12:18:54 PM »
How were able to achieve that with the ROM dumpers?

Just going to repeat what A1ex said on IRC the other night, that ROM Dumper screen control is done from the bootloader, not the Canon formware. I've only just got my machine setup with Radare2 and a bunch of other tools but could we trace through the memory locations accessed by the rom dumper for the screen into the Canon FW? Unless its currently hanging on some other check and GUI will just fall out when that's figured out.

Edit: word of warning, WSL works great for the development environment, all the tools - not so much.