Canon 1000d / Rebel XS

Started by coutts, August 14, 2012, 02:41:27 PM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

SysCall

I already explained shmadul it is not a final built or even close to it.

Since he is new (like me), it is a little bit confusing to get into the development.

It is hard to start from scratch and figured out everything, especially since the forum is big and the information are spread all over the forum (use search engine, I know, but still confusing).

@shmadul
If you have troubles to compile, you should have posted in the other thread instead of opening a new one, then I would noticed it earlier.
Unfortunately, I do not look that much often in the forum, since I have a full time job and I spend the rest of time mostly shooting :D

If you still interested or anybody else, here is the compiled version:

Status: Awesome blue LED blinking
https://1drv.ms/f/s!AsC1K_kH7N9pbYhpDPUbSuC8Iss

Instruction:
1. Format your SD card in the camera
2. Extract the rar and copy and paste in the root of the SD card
3. Go to Menu -> Firmware update -> start it
4. Profit -> blue LED should blink and turn off after while

@Levas
Thank you for another bit of useful information ;-), I was searching for the next step.
In general I was looking for a development process to port magic lantern to different cameras, but didn't know where to start.

Maybe we can manage to organize a Canon 1000D team or something.


Cheers

shmadul

@syscall That would be great, as i desperately need this for a class project..... Im a quick learner, i know a bit of everything when it comes to programming languages, C++, Java, JS, html, python, ive done some exploitation work for other platforms such as OS X and iOS, but from what im picking up as i go this seems a bit easier...

Just have a few Questions for You or anyone really....
1. How do i go about changing what is executed (iE: Currently the blinking lights script runs) but what file(s) control that,
Dont want to mess with any of the exploit work, because that seems to be working fine..
2. What all needs to be done scripting wise to tell it to hijack the canon Ui and boot ML ?

Thats it for now :)
Thanks,
Mason Dulemba

shmadul

So i've Read this post   
   "A. Bootloader starts up and checks card and boot settings
    B. It will find the Boot Flag set so it will check for a bootable card
    C. Once found it will load canon firmware and then ML's autoexec.bin"
and have a guess as to how this works
1. The 1000D.fir file contains the exploit and sets the Boot Flag which then looks for the autoexec.bin file Correct ?
2. The autoexec.bin file contains the script to make the blue light blink
3. And normaly there is a ML folder for all the ML menus and stuff, does this need to be custom made specifically for the Eos XS ? Or are all ML folders the same for all builds?

Thanks,
Mason Dulemba

shmadul

Im currently trying to port the 450D version to the 1000D....
And have gotten a solid blue light and a black screen (My Cameras Ok though :) )

Levas

@Syscal and @shmadul
Great, so we got three people who are willing to put some effort in the 1000d.

Alex is willing to help us if we can get some stuff done
http://www.magiclantern.fm/forum/index.php?topic=14732.msg172723#msg172723
I've send him a message a few weeks ago that I got the blue led blinking, now he asks for making the blue and the red led to blink
Probably to prove some sort of understanding of the written code.
But I got stuck letting the blue and red blink, here's where you guys probably could help.

As far as I understand, the program that runs on 1000d exists from these files.
main.c
main.h
Entry.s
Entry_subs.s

All these files can be viewed in a normal text editor and edited and compiled for testing.
Most stuff is done in the main.c
The entry.s contains arm code, see this link:
http://magiclantern.wikia.com/wiki/ASM_introduction
The entry_subs.s contains addresses where commands are called in the 1000 firmware I think.

So does one of you know how to change the above files to get both the red and blue led blinking ?




shmadul

@levas Like this ?
 
   while (1)
   {
      LEDBLUE = LEDON;
                LEDRED = LEDON;
      msleep(500);
      LEDBLUE = LEDOFF;
                LEDRED = LEDOFF;
      msleep(500);
   }

Also, Could http://www.magiclantern.fm/forum/index.php?topic=14732.0 help us, Who wants to set up a github project for our team ??

shmadul

Just a Note, Use Firmware Version 1.0.7 because anything Lower doesnt seem to work with anything that has been developed so far

SysCall

Sounds good guys.

Can you guys also post when something is working, how you do it, especially if it was mentioned in the previous post as issue or problem?

E.g. shmadul, you mentioned you couldn't get it compiling and suddenly it works, but you did not mentioned the solution.

So, how you resolved the problem?

The answer would not only help other if they running into the same problem, but also document the status of the current work.


I'm currently trying to clean some code and make a readme.txt, it needs some time.

I will post it once it is done.

cheers

Levas

I tried your piece of code, put it in the main.c
Compiled and only the blue led blinks  ???

Are you sure nothing needs to be changed in the entry.s file ?



Levas

I do get a lot of warnings during compiling, don't know if it means anything?

in terminal I do the command 'make' and this shows up:
~/gcc-arm-none-eabi-4_8-2013q4/bin/arm-none-eabi-gcc    -c -o entry.o entry.S
~/gcc-arm-none-eabi-4_8-2013q4/bin/arm-none-eabi-gcc    -c -o entry_subs.o entry_subs.S
~/gcc-arm-none-eabi-4_8-2013q4/bin/arm-none-eabi-gcc -nostdlib -march=armv5te -fno-builtin -Wall -pedantic -std=gnu99   -c -o main.o main.c
main.c: In function 'dumpmemo':
main.c:19:3: warning: implicit declaration of function 'FIO_CloseFile' [-Wimplicit-function-declaration]
   FIO_CloseFile(f);
   ^
main.c:22:2: warning: implicit declaration of function 'FIO_OpenFile' [-Wimplicit-function-declaration]
  f = FIO_OpenFile("B:/ROMDUMP.BIN", 0, 0644);
  ^
main.c: In function 'MyTask2':
main.c:34:2: warning: implicit declaration of function 'msleep' [-Wimplicit-function-declaration]
  msleep(5000);
  ^
main.c:37:5: warning: implicit declaration of function 'prop_request_change' [-Wimplicit-function-declaration]
     prop_request_change(0x80040007, &x, 4);
     ^
main.c: In function 'CreateMyTask':
main.c:94:2: warning: ISO C forbids passing argument 4 of 'CreateTask' between function pointer and 'void *' [-Wpedantic]
  CreateTask("MyTask2", 0x1A, 0x2000, MyTask2, 0);
  ^
In file included from main.c:1:0:
main.h:2:12: note: expected 'void *' but argument is of type 'void (*)()'
extern int CreateTask (const char *name, int prio, int stack_size /*?*/, void *entry, long parm /*?*/);
            ^
~/gcc-arm-none-eabi-4_8-2013q4/bin/arm-none-eabi-gcc -nostdlib -march=armv5te -fno-builtin -Wall -pedantic -std=gnu99 -Wl,-T,link.script -oAUTOEXEC.arm.elf entry.o entry_subs.o main.o link.script
~/gcc-arm-none-eabi-4_8-2013q4/bin/arm-none-eabi-objcopy -O binary AUTOEXEC.arm.elf AUTOEXEC.BIN

SysCall

-----------------------------
Baseline: 0
-----------------------------

Let start fresh.

A: Set up a workspace
-----------------------------

1. Setup Magic Lantern for development, I used this instruction
http://www.magiclantern.fm/forum/index.php?topic=16012.0

My setup:
Thinkpad T420 with hackintosh, El Capitan 10.11.4

Make sure that you can compile one of the current working projects 5D3, 6D or etc.

2. Download Canon 1000d project and put it in the platform folder of magic lantern.
https://bitbucket.org/coutts/1000d_dev/src

3. We have to fix the makefile and update it to a newer version of the compiler.

Go to:
magic-lantern/platform/coutts-1000d_dev-a7835d17602f/

Open the makefile with a text editor and replace the following code

CC=arm-none-eabi-gcc
AS=arm-none-eabi-as
OBJCOPY=arm-none-eabi-objcopy

with

CC=~/gcc-arm-none-eabi-4_8-2013q4/bin/arm-none-eabi-gcc
AS=~/gcc-arm-none-eabi-4_8-2013q4/bin/arm-none-eabi-as
OBJCOPY=~/gcc-arm-none-eabi-4_8-2013q4/bin/arm-none-eabi-objcopy

Don't forget to save it!

Source:
https://www.magiclantern.fm/forum/index.php?topic=17991.0

4. Now try to compile it, when everything works, you should end up with a new "AUTOEXEC.BIN"

Open a terminal and type:
make clean
make

"make clean" - removed compiled files
"make"          - compiles the project

5. Generate a firmware for the Canon 1000d.

We have to compile a .fir file to be able to boot our own code.
Note: AUTOEXEC.BIN has to be generated first, since it is the input for the .fir

In terminal type:
perl assemble_fw

A file called 1000d.fir should be now generated.

6. Put it on a SD card
Take an empty SD card and format it in the camera.
Copy the following files to SD card:

1000d.fir
AUTOEXEC.BIN

7. Try it in the camera.
Go to Menu and then to Firmware update section.
Select firmware to get to firmware update screen and press ok.


B: LED blinking example
------------------------------

I have take a look in the "engelmarkus_examples/2_1000D LED-Dumper" folder and used it as base for this example.

Download the example from here (led_blinking.zip):
https://1drv.ms/f/s!AsC1K_kH7N9pbYhpDPUbSuC8Iss

What is it:    
It lets both LEDs (blue and red) blinking in sync.
It is intended to have something to play with.
You guys can modified the time of blinking in the main.c and now the code should behave like it should.

What is it not:   
A full working version of Magic Lantern.

Instruction:
The example comes with everything pre-compiled.
You can extract the files and follow step 6 from the instruction of section A.
Or you can compile it by yourself.

What was done:
- I took some functions defined in the "2_1000D LED-Dumper" and put them in the
   basic_functions.h
   basic_functions.c
- Some cleanups and documentation of the code.
- The firmware generation was base on e6kr5106, I updated the firmware generation to e6kr5107 (just used the script and files from latest release).
- All basic_functions functions are binded in the main.c now.
- Adapted it for the compilation.

Note:
This version does not contains the sub routines, which was defined in the latest release by Coutts in the entry.S or entry_subs.S files.
I guess he tried to adapt the boot routine from the 450? to the 1000d, but I could not get the LED blinking working on the latest version.


If you guys find some errors in the code let me know, I will update the example.
Hope this help some people to get into development for the Canon 1000D.


Have fun, I'm out photographing.


SysCall

Don't like typing each time in the terminal the three commands?


make clean
make
perl assemble_fw


Me too, lets change that and create a bash script.

Create a new file, add the following "code" and save it as run.sh (compilation.sh or something else as you like).

Works on Mac and should also work in Linux.



#!/bin/bash

echo "Compiling starting ..."

echo "Removed previous compiled files ..."
make clean

echo "Compile the project ..."
make

echo "Generate the new firmware ..."
perl assemble_fw

echo "Compilation finished."



Put it in your project folder.

Now, in terminal only execute the script with:


./run.sh

shmadul

@syscall I fixed the compiling errors by upgrading back to 1.0.7 firmware on my 1000D

shmadul

@syscall about the script you made, Very similiar idea to one i had, heres a script that builds it, assembles it moves it over to the sd card, renames the sd card to EOS_DIGITAL, and then makes the card bootable, just by typing updateml in terminal :) Just Edit it to suit your needs and replace the directories where appropriate :) FOR OSX ONLY !!
Download makebootable.sh here https://mega.nz/#!MlZh1JzJ!M3hLfDDJ_zjI85QdNKyTUmdMnJri_EZJJmmrMmxe-KA

//PLACE THIS IN ~/.bash_profile

alias updateml="
sudo /usr/sbin/diskutil rename EOS_DEVELOP EOS_DIGITAL
echo Changing SD CARD NAME TO EOS_DIGITAL
cd /Users/masonpc/Desktop/ML/1000D_dev
FIXING FILES
sudo chmod 777 /Users/masonpc/Desktop/ML/1000D_dev/assemble_fw /Users/masonpc/Desktop/ML/1000D_dev/make_bootable.sh /Users/masonpc/Desktop/ML/1000D_dev/makefile
sudo /Users/masonpc/Desktop/ML/1000D_dev/makefile
sudo /Users/masonpc/Desktop/ML/1000D_dev/assemble_fw
echo copying files to sdcard
sudo cp /Users/masonpc/Desktop/ML/1000D_dev/AUTOEXEC.BIN /Volumes/EOS_DIGITAL/
sudo cp /Users/masonpc/Desktop/ML/1000D_dev/1000d.fir /Volumes/EOS_DIGITAL/
sudo /Users/masonpc/Desktop/ML/1000D_dev/make_bootable.sh
echo Updated ML On SD Card"

//PLACE THIS IN ~/.bash_profile

shmadul

@Syscall Im On Mountain Lion right now on my black 2007 macbook So Far So Good, May Upgrade to Maverick or Yosemite later on  ;D

shmadul

@Levas, No thats normal , its just saying its done now u need to run the assemble_fw File

Levas

Great work you guys  :D

Will try it this stuff out today, start clean, make the autoexec.bin, and after that the FIR file.


Levas

Ok, now that I compiled the autoexec.bin and the 1000d.fir myself.
I only get a blue burning led on the 1000d, no more blinking...

I do get a lot of error messages during autoexec.bin compiling:
Command make:
~/gcc-arm-none-eabi-4_8-2013q4/bin/arm-none-eabi-gcc    -c -o entry.o entry.S
~/gcc-arm-none-eabi-4_8-2013q4/bin/arm-none-eabi-gcc    -c -o entry_subs.o entry_subs.S
~/gcc-arm-none-eabi-4_8-2013q4/bin/arm-none-eabi-gcc -nostdlib -march=armv5te -fno-builtin -Wall -pedantic -std=gnu99   -c -o main.o main.c
main.c: In function 'dumpmemo':
main.c:19:3: warning: implicit declaration of function 'FIO_CloseFile' [-Wimplicit-function-declaration]
   FIO_CloseFile(f);
   ^
main.c:22:2: warning: implicit declaration of function 'FIO_OpenFile' [-Wimplicit-function-declaration]
  f = FIO_OpenFile("B:/ROMDUMP.BIN", 0, 0644);
  ^
main.c: In function 'MyTask2':
main.c:34:2: warning: implicit declaration of function 'msleep' [-Wimplicit-function-declaration]
  msleep(5000);
  ^
main.c:37:5: warning: implicit declaration of function 'prop_request_change' [-Wimplicit-function-declaration]
     prop_request_change(0x80040007, &x, 4);
     ^
main.c: In function 'CreateMyTask':
main.c:94:2: warning: ISO C forbids passing argument 4 of 'CreateTask' between function pointer and 'void *' [-Wpedantic]
  CreateTask("MyTask2", 0x1A, 0x2000, MyTask2, 0);
  ^
In file included from main.c:1:0:
main.h:2:12: note: expected 'void *' but argument is of type 'void (*)()'
extern int CreateTask (const char *name, int prio, int stack_size /*?*/, void *entry, long parm /*?*/);
            ^
~/gcc-arm-none-eabi-4_8-2013q4/bin/arm-none-eabi-gcc -nostdlib -march=armv5te -fno-builtin -Wall -pedantic -std=gnu99 -Wl,-T,link.script -oAUTOEXEC.arm.elf entry.o entry_subs.o main.o link.script
~/gcc-arm-none-eabi-4_8-2013q4/bin/arm-none-eabi-objcopy -O binary AUTOEXEC.arm.elf AUTOEXEC.BIN

SysCall

@Levas

Those are not "errors" they are warnings and as long as you end up with an AUTOEXEC.BIN, that means your compilation was successful.


QuoteI only get a blue burning led on the 1000d, no more blinking...

Exactly, some clarification here.

In my explanation / little tut (Section A) above I explained the work flow to get an AUTOEXEC.BIN and a firmware file 1000.fir.

If you do so, it will re-compile the current code in coutts folder.

The latest code in coutts folder and the pre-compiled AUTOEXEC.BIN and 1000.fir which comes with it are not the same!

He changed the code after he generated the AUTOEXEC.BIN and 1000.fir files.

That means, if you compile the source code new, you will always end up with a black screen on your camera and a glowing blue LED.

I don't know why yet, but it does not matter what I change in the main.c, I always end up with a blue LED glowing.



That is why I included an example in my Tut (section B), which contains a working version of blinking of both LEDs (with a camera black screen).

So if you download my example (B: LED blinking example) and re-compile it and put it on your camera, you should end up with two LEDs blinking in sync.

The files led_blinking.zip, comes with all source code and pre-compiled files, use this as project folder and compile inside this folder.

When you change e. g. duration or order of the blinking in the main.c and re-compile it you should be able to see the result on the camera.

And take a look into the source files, since I try to explain what each code line does.

Levas

Thanks Syscall, and sorry for the bad reading on my part  :P , the working files were already there in you earlier post.

So now we've got a 1000d with flashing LED's. Perfect decoration for under the tree this christmass season  ;D

So I've downloaded your zip file and compiled it myself, there where some files missing to do that, which I took from Coutts files.
I want to start with a clean directory of files, I've downloaded your zipfile and added these files, are they all necessary ?

assemble.wf
crc16.c
crc16.h
e6kr5107.fir_0_header.bin
e6kr5107.fir_1_flasher.bin
entry.S
link.script
entry_subs.S
header.bi
main.h


Something went wrong here, all files are in the zip

SysCall

Hahaha

I though my memories are bad, since I compiled out of that folder XD.

Everything should be in that folder.

Levas

@Alex

Look, both leds are blinking, even made them alternate blinking, just like you asked for  ;D

http://drive.google.com/open?id=0B1BxGc3dfMDaRUZweUJ5NWZUTTQ

What's next ?

Levas

@shmadul and @Syscall,

Meanwhile I checked the topic of the 450d progress.
http://www.magiclantern.fm/forum/index.php?topic=8119.msg174078#msg174078

Seems to be a vxworks branch for this type of camera's
https://bitbucket.org/hudson/magic-lantern/src/18ac6b0f992918c7ba6dd282c3e74ca42574561c/?at=vxworks

In the platform folder, you can find the 450d folder and it's source files.


shmadul

@levas, Nice Work  :D, Ive Heard the 450D is almost the same as the 1000D so maybe we could either see if we can apply the code to our port or see if we could get one of the guys working on the 450D port to help us get ML running, We already have the FW exploited and booting custom code, we just need to port the ML GUI and stuff

Direct Link to VXWorks Repo
https://bitbucket.org/hudson/magic-lantern/get/vxworks.zip

SysCall

-----------------------------
Documentation
-----------------------------

Before we can port magic lantern to this camera, we have to understand what magic lantern is doing in the first place.

I will try to explain what my understanding of how magic lantern works so far is.

If some information are wrong or missing, please let me know.


A. Boot-up process
---------------------

Cases:

1. Turn camera on (normal):
The camera will boot up the firmware, normal camera operation.

2. Update the camera (normal):
With the original canon.fir on the SD card.

In the camera menu -> firmware update execution.

The new firmware will written into the internal flash.

This is the typical process for any firmware updates, not only on cameras.

After the firmware update finished, the camera reboots and the camera operates as usual.


3. Update with custom generated .fir file

With the custom .fir and AUTOEXEC.BIN on the SD card.

In the camera menu -> firmware update execution.

The custom firmware .fir on the SD card sets a boot-flag, which allows us to load the AUTOEXEC.BIN from the SD card.

The camera restart, now the camera is in normal operation + custom magic lantern code running in parallel.

Since the boot-flag is set, the camera will load the AUTOEXEC.BIN automatically each time the camera is started,

when turn on and off with camera switchI guess.


Comments on case 3:

This seems the normal operating process of magic lantern on most of the implementation so far.

Coutts explained here a little bit deeper:
https://www.magiclantern.fm/forum/index.php?topic=1452.0

And here in the wiki:
http://magiclantern.wikia.com/wiki/Packing_FIR_Files


B. Current development
---------------------------

Now that is interesting, because in my example "led_blinking.zip" I don't remember setting any bootflags.

So why does it work anyway?

The code for the modification of the boot process is usually defined in:

entry.S


Well looking into the entry.S shows:



.text
.org 0
.globl _start, start

start:
_start:
sysInit:
B main

.align 2
fin:




And the there is no entry_subs.S file so far in "led_blinking.zip" release.

So the question would be, does it also work without the AUTOEXEC.BIN on the SD card?

After a quick test with only the 1000d.fir on the SD card.

The answer is, yes it does. But why?


Well, thinking about it, what is the 1000d.fir?

It is base on the AUTOEXEC.BIN, which is again base on our code in the main.c.

Compilation order:  brain -> main.c -> AUTOEXEC.BIN -> 1000d.fir

Simple speaking, the 1000d.fir is like an .exe in windows with our code.

Each time we execute the 1000d.fir through the firmware update menu, our code will be executed.


That means:

1. The .fir file and AUTOEXEC.BIN, both can have the same code.

2. The .fir file can be executed standalone without the AUTOEXEC.BIN.

3. Each time we turn the camera off and on, we have to start the firmware update process again to load our code.

4. The AUTOEXEC.BIN can only be executed if the bootflag is set.

   And setting the bootflag can be done with the .fir file, since we know how to sign it and the camera can read and executed it.


Now, I just need some confirmation to back up my theory.

After thinking a while, I remember somebody gave a talk about magic lantern.

A quick google search and here we go:

Presentation:
https://events.ccc.de/congress/2013/Fahrplan/system/attachments/2246/original/Magic_Lantern_30C3.pdf

Video:
https://media.ccc.de/v/30C3_-_5554_-_en_-_saal_6_-_201312281400_-_magic_lantern_-_michael_zoller


From slide 23 of the presentation:

8.2 How is ML being executed?

Method 1: Firmware update
- We forge a firmware update file (.fir) with Magic Lantern as payload
   - Contains no flash data
   - Flash loaders in .fir are replaced with our code
   - Checksums and hashes need recalculation

- User runs firmware update from original firmware menu

- Firmware restarts into boot loader

- Bootloader loads .fir into RAM and executes it

- Magic Lantern takes over control of the system and boots original firmware


Method 2: Autoboot

- Using .fir we set a flag in flash called "BOOTDISK"

- Bootloader checks for "AUTOEXEC.BIN" on CF/SD

- If found, it gets loaded and executed without checks

- Magic Lantern takes over control of the system and boots original firmware

----------------------------

Now, looking at Coutts latest release, we do have functions to set and de-assert the bootflag.

The functions to enable and disable of the boot-flag is defined in:
entry_subs.S

NSTUB(EnableBootDisk, 0xFFD21248)
NSTUB(DisableBootDisk, 0xFFD21260)


C. Development outlook
----------------------------

Highest priority:

- Currently the screen is black during the code execution (led_blinking.zip).

- We have to find out, how to load the original firmware to get into the normal operation mode where we can see the camera menu.

- After that we can try to get the magic lantern menu showing up on the screen and porting all functions to get magic lantern works correctly.


Low priority: Highest priority:

Figured out how to set the bootflag correctly to auto load the AUTOEXEC.BIN.

If it was that simple, why Coutts comment the code section out with the functions call in his latest release?

Translating his comments of the latest release, he had troubles to get it working correctly.