Canon 1000d / Rebel XS

Started by coutts, August 14, 2012, 02:41:27 PM



SysCall

@shmadul

1. Making dumps of RAM and ROM of the camera
2. Map all the magic lantern functions to the addresses located in the RAM

Magic Lantern uses most of the standard functions of the original firmware, which is loaded into RAM after boot-up.
What you have to do is to "hook" (I think that is the term for it) those functions in the stubs.S file.

BTW, Ant123 already gave you the answer.

Quote
If you want to convert 450D port, the first thing you should do is set bootflag and check it with help of AUTOEXEC.BIN from "display test" topic. It's because all VxWorks ports use AUTOEXEC.BIN startup method.

Then you should find addresses of functions for 1000D in your firmware dump and change them in "\platform\450D.110\stubs.S". It can take many days or weeks.

After this you should edit cache related stuff in "\platform\450D.110\init.c", and edit other files in "\platform\450D.110\" and in "\src"

a1ex

Quote
The interesting part is, even though the Magic Lantern Rescue menu shows BOOT=0, the camera still auto-executes the autoexec.bin.

That's because both autoexec.bin and ramexec are handled from the same routine, which happens to check the card bootflags first. You were quite lucky with this one; by disabling the boot flag, you risked removing the ability to run user code on the camera (other than ramexec, which simply jumps to 0x800000 without initializing that memory area; it assumes something was already loaded there somehow).

I wouldn't advise messing with boot flags just to see what happens, as you may get a configuration that no longer boots at all. In particular, on DIGIC 5, such configuration is very easy to get by changing the value at 0xF8000024 (even by mistake). Recovery from this would only be possible with hardware changes (lookup Ant123's posts on CHDK forum for an example).

Do you still have the FIR file that bricked the camera? It would be helpful to understand what happened.

Ant123

Quote from: SysCall on December 09, 2016, 09:44:25 PM
I want to make sure that it works stable, before posting it.

You should not reinvent the wheel. Use modified common installer for VxWorks cameras.

You can also easily modify it to repair your camera.

SysCall

@Ant123

Quote
You should not reinvent the wheel.

No, that was not my intention, but maybe I should test it myself before posting it for others. At least I felt the need to do some kind of verification. I always went with the mindset that I could damage my camera for this project. At least if I damage it myself, I can blame myself for it. Now, what if I just post the .fir and someone else bricks their camera? Of course, even if I state "use at your own risk", people would not be happy with it.

Especially if it is the only camera that they own:

Quote
The 1000D is my main Camera and I can't risk it bricking

Of course you can argue, this is the development section and not the release section.

Quote
Use modified common installer for VxWorks cameras. You can also easily modify it to repair you camera.


After reading this I'm not sure if it is that easy.

Quote from: a1ex on Yesterday at 10:40:25 PM

You were quite lucky with this one;
...
I wouldn't advise messing with boot flags just to see what happens, as you may get a configuration that no longer boots at all. In particular, on DIGIC 5, such configuration is very easy to get by changing the value at 0xF8000024 (even by mistake). Recovery from this would only be possible with hardware changes (lookup Ant123's posts on CHDK forum for an example).


I do appreciate that you and a1ex take the time to give us advice and answer the questions.

You guys surely have better stuff to do than answering noob questions.

SysCall

Warning: Still under investigation, don't try anything described below if you don't want to damage your camera.

a1ex mentioned:

Quote
The boot flag can be enabled from both bootloader context (as done in the old 5D) or from main firmware.
EnableBootDisk only works from main firmware, but usually there is an equivalent bootloader routine, found in the FROMUTIL menu.

I tried with EnableBootDisk in the firmware.

The following function references are defined in entry_stubs.S:


NSTUB(EnableBootDisk, 0xFFD21248)
NSTUB(DisableBootDisk, 0xFFD21260)


However, calling them from main.c does not enable or disable the boot flag.

Coutts (original author) defined a function pointer type in main.h

typedef void (*Funktion)();

and calls it in main.c with the address of EnableBootDisk (the address must be cast to the pointer type):

// EnableBootDisk()
Funktion f = (Funktion)0xFFD21248;
f();

By doing this the boot flag gets enabled.

Calling this:

// DisableBootDisk()
Funktion f = (Funktion)0xFFD21260;
f();

will disable it again.

At least that is what I observed.


@Ant123

Quote
Use modified common installer for VxWorks cameras.

Just for my understanding.

The installer enables the boot flag from the bootloader context?

You also needed the address of the write and read functions.

     * 0xFFFF89F0 | start of write_bootflag in 5dc BL.
     * 0xFFFF8A94 | end of write_bootflag in 5dc BL.
     * 0xFFFF8AE0 | start of read_bootflag in 5dc BL.
     * 0xFFFF8B20 | end of read_bootflag in 5dc BL.


To find those addresses I have to do this:

Quote* I located these functions by hand using the 400d bootloader as a reference. I had
   * to write code to search the bootloader region (0xFFFF0000-0xFFFFFFFF) for signatures
   * of the read_bootflag and write_bootflag functions. It was a very long/tedious process
   * checking each address one at a time - blinking everything through the LEDs. These
   * routines are safe to run to the best of my knowledge, I have not had any issues yet.

Digging a little bit in this thread:
https://www.magiclantern.fm/forum/index.php?topic=1452.0

Coutts said:

Quote
If 40d is similar to the 5dc, then you won't be able to run any practical code from a FIR (including calling the EnableBootDisk function or booting the firmware/camera) so you will need
to write some code that scans the bootloader area (0xFFFF0000-0xFFFFFFFF) for function signatures to identify the read/write bootflag functions. This will allow you to set the camera's bootflag,
to boot an autoexec.bin file with a prepared card, and development takes off from there (you will be able to boot the firmware and do anything from autoexec). I created this bootdisk code from the 350d method, using the 400d bootloader to find the signatures I needed.

You can use this to write code to search for specific signatures of the read_bootflag and write_bootflag functions.
Some signatures would be instructions like:

    MOVEQ   R7, #0xF8000000

which is assembled and looks like this in memory:

    0x03A0733E

I'll just tell you the signatures to find.
First, for write_bootflag. Here is a small snippet from that function, the first 5 instructions:

    ROM:FFFF89F0                 STMFD   SP!, {R4-R8,LR}
    ROM:FFFF89F4                 MOV     R5, R1
    ROM:FFFF89F8                 MOV     R4, #0
    ROM:FFFF89FC                 CMP     R0, #0
    ROM:FFFF8A00                 MOVNE   R7, #0xF8000000

If you were scanning memory, these 5 instructions would look like this(starting at 0xFFFF89F0 on the left and ending on 0xFFFF8A00 on the right):

    0xE92D41F0 0xE1A05001 0xE3A04000 0xE3500000 0x13A0733E

So, look for the signature for the MOVNE R7, #0xF8000000 instruction, then once you find it, search backwards for the STMFD (push) instruction signature, and you will have located write_bootflag in the 40d bootloader. Chances are the functions will probably be identical, but take caution to verify at least 3 times that you have located the correct function and it seems the same / similar to the 5dc one (remember we are working blind here).


Now, read_bootflag. First 5 instructions look like:

    ROM:FFFF8AE0                 STR     LR, [SP,#var_4]!
    ROM:FFFF8AE4                 CMP     R0, #0
    ROM:FFFF8AE8                 MOVNE   R3, #0xF8000000
    ROM:FFFF8AEC                 ADDNE   R3, R3, #0x2000
    ROM:FFFF8AF0                 MOVNE   R2, #0x40

And in memory would look like this (same thing as before, starting at 0xFFFF8AE0 on left and ending at 0xFFFF8AF0 on the right):

    0xE52DE004 0xE3500000 0x3E33A013 0x12833A02 0x13A02040

Note: there isn't a STMFD (push) instruction in read_bootflag. The 400d bootloader is like this too, so chances are the 40d is as well.



Now there are a few things that I don't understand.

1.
Search for specific signatures of the read_bootflag and write_bootflag functions

According to the two sources I have to blink through the address range (0xFFFF0000-0xFFFFFFFF) and find the "signature".

Where can I find the asm signature?

Example:

Do I have to blink one address and then make a ROM dump?

Afterwards I would load the ROM.BIN in IDA and jump to the part where I did the blinking and check if I can see the signature?

Otherwise I don't know how he gets the assembly instructions:

Quote
    ROM:FFFF89F0                 STMFD   SP!, {R4-R8,LR}
    ROM:FFFF89F4                 MOV     R5, R1
    ROM:FFFF89F8                 MOV     R4, #0
    ROM:FFFF89FC                 CMP     R0, #0
    ROM:FFFF8A00                 MOVNE   R7, #0xF8000000

2.
I don't know why Coutts skipped the installer way and tried "to reinvent the wheel" with EnableBootDisk / DisableBootDisk in his last release?

Maybe because he didn't want to blink through the whole address range again for the Canon 1000D?

Ant123

Quote from: SysCall on December 10, 2016, 12:05:25 PM

The installer enables the boot flag from the bootloader context?

You also needed the address of the write and read functions.
I think the 5DC installer is documented well enough.


Quote
Do I have to blink one address and then make a ROM dump?

Maybe because he doesn't want to blink the whole address range again for the canon 1000d?

I suspect that bootloader should be the same for different firmware versions.

http://www.magiclantern.fm/forum/index.php?topic=18337.msg176013#msg176013

But you can create your own dump using the dumpmemo() function



SysCall

I wrote a small sequence which will help us find the signatures.

We know that the functions are in the boot loader area, from FFFF0000 to FFFFFFFF.

The program will create a log file on the SD card with the address and content within the boot loader area.


// Function to read the content of the bootloader and write it to the logfile.
// (The function name keeps its original spelling because main.c calls it by that name.)
//
// The address range of the boot loader is from 0xFFFF0000 to 0xFFFFFFFF.
// START_ADR: 0xFFFF0000
// END_ADR:   0xFFFFFFFC (the last 32-bit word; the last three bytes are part of it,
//            therefore 0xFFFFFFFC instead of 0xFFFFFFFF)
#define START_ADR 0xFFFF0000
#define END_ADR   0xFFFFFFFC

void booloader_mem_dump_0()
{
// Create a logfile (printf output goes there from now on)
MyGlobalStdSet();

// Each address holds a 32 bit value => 4 bytes, therefore we increment the address by 4:
// 0xFFFF0000, 0xFFFF0004, 0xFFFF0008, 0xFFFF000C, ...

printf("\nAddr:      Data");
printf("\n---------------");

for (unsigned int i = START_ADR; ; i += 4)
{
// Read the 32-bit word stored at address "i" (volatile: this is memory-mapped ROM)
unsigned int value = *(volatile unsigned int *)i;

// Write the address and its data to the log file
printf("\n%x :       %x", i, value);

// Stop after the last word: i + 4 would wrap around to 0 and the loop would never end
if (i == END_ADR)
break;
}

printf("\n\n END \n\n");

// Signal finish: both LEDs on for 5 seconds, then off
SleepTask(5000);

LEDRED = LEDON;
LEDBLUE = LEDON;

SleepTask(5000);

LEDRED = LEDOFF;
LEDBLUE = LEDOFF;
}



// ------------------------------------------------


@shmadul and Levas

We will continue once we have found the boot flag functions; therefore we have to make sure that the boot flag functions are correct.

Note: The program will not do anything to the boot flag!

Link: https://1drv.ms/f/s!AsC1K_kH7N9pbYhpDPUbSuC8Iss

1. Download the zip "bootloader_mem_dump.zip" and extract it
2. Build the project by "./run" in terminal (inside the folder)
3. Set the "Auto power off" to 8 or 15 minutes on your camera, we don't want to cancel the write process in between
4. Copy the .fir file on the SD card and execute it (don't touch any buttons afterwards)
5. After the sequence finishes (both LEDs, red and blue, turn on and off), copy the "address_log.txt" to your computer
6. Search now for signatures

Log file should look like this (example):

Addr:               Data
------------------------
ffff0000 : e59ff018
ffff0004 : e59ff018
....

Now, go through the file and search for the signatures (see below; compare Data with the values below).

Once you have found them, copy the whole section (including address and data) and post it here; then we can compare whether we all have the same addresses.


// ---------------------------------------------
Signatures

Attention: The order is very important!

The write function should be easy to find. Compare the data values in the log file with the following values.

write_bootflag signature (order of the data):
Quote
   Data
  --------------
    E92D41F0
    E1A05001
    E3A04000
    E3500000
    13A0733E


The read function will differ from the one that is posted here.

Hint: first search all sequences that have E52DE004 and E3500000. Then check whether the sequence has the rest of the values (3E33A013, 12833A02, 13A02040). The read function has 2 unique values which differ from the sequence listed below.

Let's see if you guys can find the sequence.

read_bootflag signature (order of the data):
Quote
   Data
  --------------
   E52DE004
   E3500000
   3E33A013
   12833A02
   13A02040


PS: Can you guys provide me your log files so I can check if there is any differences between them? Just PM me with the link.
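
The scan described in the posts above, as an added C example that is not code from the thread or from Magic Lantern: it assembles the MOV/ADD immediates the signatures are built from (so a hand-copied signature word can be checked against its mnemonic) and then scans a word array for the write_bootflag and read_bootflag prologues with a per-word mask, so the last MOVNE matches whether it loads #0x40 (5Dc) or #0xAA (1000D, as in Levas's log). The image it scans is constructed for the example; on a real dump you would load the bootloader region of ROMDUMP.BIN (mapped at 0xFFFF0000) into the array as little-endian words. BOOTLOADER_BASE, arm_dp_imm, find_sig, the signature tables and build_sample_image are this example's own names, not the project's.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BOOTLOADER_BASE 0xFFFF0000u   /* where the bootloader is mapped on the camera */

/* ARM condition codes and data-processing opcodes used below */
enum { COND_EQ = 0x0, COND_NE = 0x1, COND_AL = 0xE };
enum { OP_ADD = 0x4, OP_MOV = 0xD };

/* Encode a 32-bit value as an ARM "rotated 8-bit immediate" (operand 2).
 * Returns 0 and writes the 12-bit field on success, -1 if not encodable. */
static int arm_encode_imm(uint32_t value, uint32_t *op2)
{
    for (uint32_t rot = 0; rot < 32; rot += 2) {
        /* rotating left by rot undoes the CPU's rotate-right by rot */
        uint32_t v = (value << rot) | (value >> ((32 - rot) & 31));
        if (v < 0x100) {
            *op2 = ((rot / 2) << 8) | v;
            return 0;
        }
    }
    return -1;
}

/* Assemble "<op><cond> Rd, Rn, #imm" (immediate form, S bit clear).
 * For MOV the CPU ignores Rn; pass 0. Returns 0 if imm is not encodable. */
static uint32_t arm_dp_imm(uint32_t cond, uint32_t op, uint32_t rn,
                           uint32_t rd, uint32_t imm)
{
    uint32_t op2;
    if (arm_encode_imm(imm, &op2))
        return 0;
    return (cond << 28) | (1u << 25) | (op << 21) | (rn << 16) | (rd << 12) | op2;
}

/* One signature word: the dump word ANDed with mask must equal value. */
struct sig_word { uint32_t value; uint32_t mask; };
#define EXACT(w)      { (w), 0xFFFFFFFFu }
#define IGNORE_RD(w)  { (w) & ~0xF000u, ~0xF000u }   /* same instruction, any Rd */
#define IGNORE_IMM(w) { (w) & ~0xFFFu,  ~0xFFFu  }   /* same instruction, any operand 2 */

static const struct sig_word write_bootflag_sig[] = {
    EXACT(0xE92D41F0),      /* STMFD SP!, {R4-R8,LR} */
    EXACT(0xE1A05001),      /* MOV   R5, R1 */
    EXACT(0xE3A04000),      /* MOV   R4, #0 */
    EXACT(0xE3500000),      /* CMP   R0, #0 */
    EXACT(0x13A0733E),      /* MOVNE R7, #0xF8000000 */
};
static const struct sig_word read_bootflag_sig[] = {
    EXACT(0xE52DE004),      /* STR   LR, [SP,#-4]! */
    EXACT(0xE3500000),      /* CMP   R0, #0 */
    IGNORE_RD(0x13A0333E),  /* MOVNE R3, #0xF8000000 (register may differ) */
    EXACT(0x12833A02),      /* ADDNE R3, R3, #0x2000 */
    IGNORE_IMM(0x13A02040), /* MOVNE R2, #0x40 on the 5Dc, #0xAA on the 1000D */
};

/* Scan a word array (bootloader dump, host byte order) for a masked
 * signature. Returns the address of the first match, or 0 if none. */
static uint32_t find_sig(const uint32_t *img, size_t nwords,
                         const struct sig_word *sig, size_t siglen)
{
    for (size_t i = 0; i + siglen <= nwords; i++) {
        size_t k;
        for (k = 0; k < siglen; k++)
            if ((img[i + k] & sig[k].mask) != sig[k].value)
                break;
        if (k == siglen)
            return BOOTLOADER_BASE + (uint32_t)(4 * i);
    }
    return 0;
}

static uint32_t find_write_bootflag(const uint32_t *img, size_t nwords)
{
    return find_sig(img, nwords, write_bootflag_sig,
                    sizeof write_bootflag_sig / sizeof write_bootflag_sig[0]);
}

static uint32_t find_read_bootflag(const uint32_t *img, size_t nwords)
{
    return find_sig(img, nwords, read_bootflag_sig,
                    sizeof read_bootflag_sig / sizeof read_bootflag_sig[0]);
}

#define SAMPLE_WORDS 64
/* Constructed image for the example (not a real dump): MOV R0, #0 filler
 * with the two prologues assembled from mnemonics, 1000D read variant. */
static void build_sample_image(uint32_t *img)
{
    for (size_t i = 0; i < SAMPLE_WORDS; i++)
        img[i] = arm_dp_imm(COND_AL, OP_MOV, 0, 0, 0);        /* 0xE3A00000 */
    img[10] = 0xE92D41F0;
    img[11] = 0xE1A05001;
    img[12] = arm_dp_imm(COND_AL, OP_MOV, 0, 4, 0);           /* MOV R4, #0 */
    img[13] = 0xE3500000;
    img[14] = arm_dp_imm(COND_NE, OP_MOV, 0, 7, 0xF8000000);  /* MOVNE R7, #0xF8000000 */
    img[40] = 0xE52DE004;
    img[41] = 0xE3500000;
    img[42] = arm_dp_imm(COND_NE, OP_MOV, 0, 3, 0xF8000000);  /* MOVNE R3, #0xF8000000 */
    img[43] = arm_dp_imm(COND_NE, OP_ADD, 3, 3, 0x2000);      /* ADDNE R3, R3, #0x2000 */
    img[44] = arm_dp_imm(COND_NE, OP_MOV, 0, 2, 0xAA);        /* MOVNE R2, #0xAA */
}

int main(void)
{
    uint32_t img[SAMPLE_WORDS];
    build_sample_image(img);
    printf("write_bootflag at 0x%08X\n", find_write_bootflag(img, SAMPLE_WORDS));
    printf("read_bootflag  at 0x%08X\n", find_read_bootflag(img, SAMPLE_WORDS));
    return 0;
}
```

For the constructed image it reports write_bootflag at 0xFFFF0028 and read_bootflag at 0xFFFF00A0 (word 10 and word 40 above the base). The encoder also answers the "where does the signature come from" question without IDA: arm_dp_imm(COND_NE, OP_MOV, 0, 3, 0xF8000000) returns 0x13A0333E, the word Levas's log shows at ffff60d8, so any signature word copied by hand can be checked against its mnemonic before scanning with it.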

Levas

@Syscall keep up the good work  ;D
Will check it out tomorrow and send the log file

Luckily your 1000d is no longer a brick :D

Levas

Ran the program on my 1000d, which has version 1.0.7 Canon firmware.
Searched the log file:

write_bootflag signature:

ffff5fe0 : e92d41f0
ffff5fe4 : e1a05001
ffff5fe8 : e3a04000
ffff5fec : e3500000
ffff5ff0 : 13a0733e

read_bootflag signature:
Couldn't find something exactly similar, but I did find this

ffff60d0 : e52de004
ffff60d4 : e3500000
ffff60d8 : 13a0333e
ffff60dc : 12833a02
ffff60e0 : 13a020aa

My logfile:
https://drive.google.com/drive/folders/0B1BxGc3dfMDaRUZweUJ5NWZUTTQ?usp=sharing

Ant123

You are strange people...
Printing bootloader memory values to a log file instead of making a full ROM dump. Why?


SysCall

@Levas

Perfect, confirmed.

I got the same result  :D .

Now we can work on the bootflag installer.

The only thing left is that I have to find out the write_card_bootflag address for the Canon 1000D.

From 450D port:
https://bitbucket.org/hudson/magic-lantern/src/18ac6b0f992918c7ba6dd282c3e74ca42574561c/installer/450D.110/bootdisk.c?at=vxworks&fileviewer=file-view-default#bootdisk.c-156
Quote
    //~ Not sure if this is correct or not
    write_card_bootflag = (ft_write_card_bootflag)0xFFFF4140;

I have read that someone just skips it and makes the SD card bootable manually.

Ant123

Quote from: SysCall on December 15, 2016, 07:51:11 PM
I have read that someone just skip it and make the SD card bootable manually.
On 450D write_card_bootflag() function works well.
I forgot to delete the comment.

SysCall

@Ant123

Quote from: Ant123 on December 15, 2016, 03:42:18 PM
You are strange people...
Printig bootloader memory values to log file instead making full ROM dump. Why?
That's because I did not have the correct setup yet. Even if I had a dump, I could not do anything with it.

Correct me if I'm wrong, but most people are using IDA Pro or GPL Tools/ARM console and QEMU for debugging.

I have difficulties setting it up on Mac OS; I'm considering switching to Linux and setting everything up there.

Quote
On 450D write_card_bootflag() function works well.

Is it a global function that you can just call?

In the installer it is defined as a typedef:

typedef void (*ft_write_card_bootflag)(int arg0);

How do you determine the address (0xFFFF4140) anyway?
write_card_bootflag = (ft_write_card_bootflag)0xFFFF4140;

Ant123

Quote from: SysCall on December 15, 2016, 09:34:01 PM
Correct me if I'm wrong, but most people are using IDA Pro or GPL Tools/ARM console.
There is no other way to make an ML port.

QuoteIs it a global function that you just can call?
Yes.

QuoteHow do you determine the address (0xFFFF4140) anyway?
Just looked on the bootloader code.


ROM:FFFF29A4 04 E0 2D E5       STR             LR, [SP,#-4]!
ROM:FFFF29A8 80 D0 4D E2       SUB             SP, SP, #0x80
ROM:FFFF29AC 11 0F 8F E2       ADR             R0, aYouChoseTheWri ; "You chose the writing of a Volume Label"...
ROM:FFFF29B0 76 27 00 EB       BL              sub_FFFFC790
ROM:FFFF29B4 0D 10 A0 E1       MOV             R1, SP
ROM:FFFF29B8 1B 0F 8F E2       ADR             R0, aMayIWriteYN  ; "May I write(Y/N)? :"
ROM:FFFF29BC 80 20 A0 E3       MOV             R2, #0x80
ROM:FFFF29C0 41 00 00 EB       BL              sub_FFFF2ACC
ROM:FFFF29C4 00 00 DD E5       LDRB            R0, [SP]
ROM:FFFF29C8 79 00 50 E3       CMP             R0, #0x79 ; 'y'
ROM:FFFF29CC 00 00 DD 15       LDRNEB          R0, [SP]
ROM:FFFF29D0 59 00 50 13       CMPNE           R0, #0x59 ; 'Y'
ROM:FFFF29D4 05 00 00 1A       BNE             loc_FFFF29F0
ROM:FFFF29D8 00 00 A0 E3       MOV             R0, #0
ROM:FFFF29DC D7 05 00 EB       BL              sub_FFFF4140
ROM:FFFF29E0 16 3F 8F E2       ADR             R3, aWriteError_  ; "WRITE error.\n"
ROM:FFFF29E4 19 2F 8F E2       ADR             R2, aWriteDone_   ; "WRITE done.\n"
ROM:FFFF29E8 00 10 A0 E3       MOV             R1, #0
ROM:FFFF29EC 32 00 00 EB       BL              sub_FFFF2ABC
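
Resolving the address by hand from that listing means decoding the BL at ROM:FFFF29DC: the 24-bit word offset in the instruction is multiplied by 4 and added to the instruction address plus 8 (the ARM pipeline offset), which gives 0xFFFF4140. Below is an added C example, not code from the thread or from Magic Lantern, that does this decoding over the bytes of the listing above (embedded as the little-endian words IDA prints, starting at 0xFFFF29A4) and also resolves the ADR pseudo-instructions to the string addresses. arm_branch_target, arm_adr_target, collect_calls and fromutil_snippet are this example's own names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Little-endian 32-bit load, the byte order of the ROM dump. */
static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Decode an ARM B/BL (bits 27..25 == 0b101). Returns the target,
 * PC + 8 + signed 24-bit offset * 4, or 0 if insn is not a branch.
 * *is_call (if non-NULL) is set to 1 for BL, 0 for plain B. */
static uint32_t arm_branch_target(uint32_t addr, uint32_t insn, int *is_call)
{
    if (((insn >> 25) & 0x7) != 0x5)
        return 0;
    uint32_t off = insn & 0x00FFFFFF;
    if (off & 0x00800000)                 /* sign-extend the 24-bit field */
        off |= 0xFF000000;
    if (is_call)
        *is_call = (int)((insn >> 24) & 1);
    return addr + 8 + (off << 2);        /* unsigned wrap == two's complement */
}

/* Decode "ADR Rd, label", which IDA prints for ADD/SUB Rd, PC, #imm.
 * Returns the label address, or 0 if insn is not a PC-relative ADD/SUB. */
static uint32_t arm_adr_target(uint32_t addr, uint32_t insn)
{
    if (((insn >> 26) & 0x3) != 0 || !((insn >> 25) & 1))
        return 0;                         /* not data-processing immediate */
    if (((insn >> 16) & 0xF) != 15)
        return 0;                         /* Rn is not PC */
    uint32_t op = (insn >> 21) & 0xF;     /* ADD = 0100, SUB = 0010 */
    if (op != 0x4 && op != 0x2)
        return 0;
    uint32_t rot = ((insn >> 8) & 0xF) * 2;
    uint32_t imm = insn & 0xFF;
    imm = (imm >> rot) | (imm << ((32 - rot) & 31));   /* rotate right */
    return op == 0x4 ? addr + 8 + imm : addr + 8 - imm;
}

/* Walk a code region and collect the BL call targets in order. */
static size_t collect_calls(uint32_t base, const uint8_t *code, size_t len,
                            uint32_t *targets, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i + 4 <= len && n < max; i += 4) {
        int is_call = 0;
        uint32_t t = arm_branch_target(base + (uint32_t)i, read_le32(code + i), &is_call);
        if (t && is_call)
            targets[n++] = t;
    }
    return n;
}

/* The 19 instructions of the listing above, as dump bytes from 0xFFFF29A4. */
#define FROMUTIL_SNIPPET_BASE 0xFFFF29A4u
static const uint8_t fromutil_snippet[] = {
    0x04,0xE0,0x2D,0xE5,  0x80,0xD0,0x4D,0xE2,  0x11,0x0F,0x8F,0xE2,  0x76,0x27,0x00,0xEB,
    0x0D,0x10,0xA0,0xE1,  0x1B,0x0F,0x8F,0xE2,  0x80,0x20,0xA0,0xE3,  0x41,0x00,0x00,0xEB,
    0x00,0x00,0xDD,0xE5,  0x79,0x00,0x50,0xE3,  0x00,0x00,0xDD,0x15,  0x59,0x00,0x50,0x13,
    0x05,0x00,0x00,0x1A,  0x00,0x00,0xA0,0xE3,  0xD7,0x05,0x00,0xEB,  0x16,0x3F,0x8F,0xE2,
    0x19,0x2F,0x8F,0xE2,  0x00,0x10,0xA0,0xE3,  0x32,0x00,0x00,0xEB,
};

int main(void)
{
    /* Print every branch and ADR the snippet contains, resolved. */
    for (size_t i = 0; i + 4 <= sizeof fromutil_snippet; i += 4) {
        uint32_t addr = FROMUTIL_SNIPPET_BASE + (uint32_t)i;
        uint32_t insn = read_le32(fromutil_snippet + i);
        int is_call = 0;
        uint32_t t = arm_branch_target(addr, insn, &is_call);
        if (t)
            printf("%08X  %s -> %08X\n", addr, is_call ? "BL" : "B ", t);
        else if ((t = arm_adr_target(addr, insn)) != 0)
            printf("%08X  ADR -> %08X\n", addr, t);
    }
    return 0;
}
```

For the snippet the four BL targets come out as 0xFFFFC790, 0xFFFF2ACC, 0xFFFF4140 and 0xFFFF2ABC, the BNE resolves to 0xFFFF29F0 and the first ADR to 0xFFFF29F8, matching the sub_/loc_ names IDA assigned. The same walk over the whole FROMUTIL region of a dump lists every subroutine the menu calls, which is how a candidate for write_card_bootflag is found before it is verified by reading the callee.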

SysCall

@Ant123

Cool, thank you very much.


//---------------------------------------
Note to myself:

Link: https://www.magiclantern.fm/forum/index.php?topic=12627.25
Quote
step 0: setup the toolchain (you can also do it like this)
step 1: dump the firmware (see a couple posts back)
step 2: analyze/decompile the firmware dump to find function stubs
step 3: run it in QEMU
step 4: if you get this far, get in touch with a1ex to create a bootflag fir, so you can run on actual camera

see also: some of the porting work done by recently for 70D (look at the commit history and diffs):
https://bitbucket.org/hudson/magic-lantern/branch/70d-support
https://bitbucket.org/hudson/magic-lantern/pull-request/620/add-support-for-eos-70d-111-both-revisions/diff#

SysCall


Ok, I just found out how to disassemble the ROM.BIN.

As Ant123 mentioned earlier, in the "bootloader_mem_dump/main.c" just replace in "void MyTask2()"

booloader_mem_dump_0();

with

dumpmemo();

Now compile and execute it on the camera.

After the dump finished, two files should be on the SD card.

RAMDUMP.BIN
ROMDUMP.BIN

Afterwards, follow the instruction from this link:

https://www.magiclantern.fm/forum/index.php?topic=12177.0

If you followed this thread (for Mac OS), update the "disassemble.pl" to this.

# adjust these for your needs (note final slash):
$path = "~/gcc-arm-none-eabi-4_8-2013q4/bin/";

# note on "strings": default is a minimum length of 4 chars.
# So if u are hunting for e.g. "FI2" add -n3
# However, it gives a lot of false positive.
$strdump = "strings -t x";
$objdump = "${path}arm-none-eabi-objdump";
$objcopy = "${path}arm-none-eabi-objcopy";


Now, looking at the main.c code, the ROM dump starts at FF800000, so modify the call like this.

perl disassemble.pl 0xFF800000 ROMDUMP.BIN

Once finished, open "ROMDUMP.BIN.dis" in a text editor.

---------------------
The write_bootflag and read_bootflag for the canon 1000d look like this in assembly.

write_bootflag:

Address     Word value   Instruction
---------   ----------   -----------------------------------
ffff5fe0:   e92d41f0     push {r4, r5, r6, r7, r8, lr}
ffff5fe4:   e1a05001     mov r5, r1
ffff5fe8:   e3a04000     mov r4, #0
ffff5fec:   e3500000     cmp r0, #0
ffff5ff0:   13a0733e     movne r7, #-134217728 ; 0xf8000000


read_bootflag:

Address     Word value   Instruction
---------   ----------   -----------------------------------
ffff60d0:   e52de004     push {lr} ; (str lr, [sp, #-4]!)
ffff60d4:   e3500000     cmp r0, #0
ffff60d8:   13a0333e     movne r3, #-134217728 ; 0xf8000000
ffff60dc:   12833a02     addne r3, r3, #8192 ; 0x2000
ffff60e0:   13a020aa     movne r2, #170 ; 0xaa



Next step would be to find the addresses of the functions for the 1000D and add them to the stubs.S.
This will take time ...

Hunt3r

ML on the 1000 would be awesome, thank you!
I use my 1000D as "every day camera", because it's lighter and smaller than my 50D and 5D2, and it still rocks!
Can't help you with this port, 'cause I suck with programming, but just wanted to thank you ;)


SysCall

Not really, I was too busy photographing. I hope my Canon 1000D does not break anytime soon (over 53000 shutter counts), too much time-lapse  :D

I can't tell about any progress soon, because I want to use the summer and the good weather as much as possible.

Anyway, I started with the stubs.S and found so far a few function entry points (see below).

Note: Keep in mind the entry points (function addresses) are not verified yet nor tested.

Lines with "//SC" are the ones modified or updated with the addresses for the 1000D, again no guarantee that they are correct!

File: stubs.S



/** \file
* Entry points into the firmware image.
*
* These are the functions that we can call from our tasks
* in the Canon 1.0.9 firmware for the 450d.
*
* \todo Sort this file?  Generate it from the IDA map?
*/
/*
* Copyright (C) 2010 Magic Lantern Team
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the
* Free Software Foundation, Inc.,
* 51 Franklin Street, Fifth Floor,
* Boston, MA  02110-1301, USA.
*/

#include <stub.h>

.text

//NSTUB( ROMBASEADDR, firmware_entry )

//NSTUB(0xFFCFEBD4, AcquireRecursiveLock)
NSTUB(0xFF855870, AllocateFileCacheBuffer) //SC
NSTUB(0xffd1cc88, AllocateMemory) //SC
NSTUB(0xffd1cc88, _AllocateMemory) //SC
NSTUB(0xff960420, CreateDialogBox) //SC
NSTUB(0xFFD05A54, CreateTask) //SC
NSTUB(0xFFD0C544, CreateRecursiveLock) //SC
NSTUB(0xffd0c190, CreateMessageQueue) //SC
//NSTUB(0xFFD03C60, CreateMessageQueue) //SC from coutts

//NSTUB(0xff2ff7c4, DeleteDialogBox)
//NSTUB(0xFFD07654, DryosDebugMsg)
NSTUB(0xFFD0E1C4, dumpf)
//NSTUB(0xFFCCD90C, FIO_FindClose) // AJ__switch_0x1A50_n_calls_fstOpenDir FIO_FindClose
NSTUB(0xFFCDD570, FIO_CloseFile)
//NSTUB(0xFFCCD6DC, _FIO_CreateDirectory)
NSTUB(0xFFCDD558, _FIO_CreateFile) //SC
//NSTUB(0xFFCCCCD0, _FIO_FindFirstEx)
//NSTUB(0xFFCCCE34, FIO_FindNextEx)
NSTUB(0xffcd6f1c, _FIO_GetFileSize) // SC
NSTUB(0xFFCDD54C, _FIO_OpenFile) //SC
NSTUB(0xFFCDD57C, FIO_ReadFile) //SC
NSTUB(0xFFCDD564, _FIO_RemoveFile) // SC
NSTUB(0xFFCDD588, FIO_WriteFile) //SC
NSTUB(0xFFCDD594, FIO_SeekFile) //SC

//NSTUB(0xFFD16DB4, FreeMemory)
//NSTUB(0xFFD16DB4, _FreeMemory)
//NSTUB(0xff022004, GUI_ChangeMode)
//NSTUB(0xFF861F8C, GUI_Control)
NSTUB(0xffd44ef8, GUI_GetFirmVersion) //SC
//NSTUB(0xFF91E3BC, GetCFnData)
//NSTUB(0xff8dd40c, GuiEdLedBlink)
NSTUB(0xFF8DD40C, ___GuiEdLedBlink) //SC
//NSTUB(0xFF8DA670, GuiEdLedOff)
NSTUB(0xFF8DD3F4, ___GuiEdLedOff) //SC
//NSTUB(0xFF8DA640, GuiEdLedOn)
NSTUB(0xFF8DD3E0, ___GuiEdLedOn) //SC
NSTUB(0xFFD3F214, ioGlobalStdSet) //SC

//NSTUB(0xFFCF3C34, LoadCalendarFromRTC)
NSTUB(0xFF8458D4, MpuMonRead) //SC
NSTUB(0xFF845CFC, MpuMonWrite) //SC
//NSTUB(0xFFC6DD48, MuteOff_0)
//NSTUB(0xFFC6DDC4, MuteOn_0)

NSTUB(0xFFD04464, PostMessageQueue) //SC

NSTUB(0xFFD03FDC, ReceiveMessageQueue)

//NSTUB(0xFF97D5C4, RedrawDisplay)
//NSTUB(0xFFCFECFC, ReleaseRecursiveLock) // AJ_KernelDry_KerRLock.c_p2
//NSTUB(0xff15fd74, RemoteRelease)
NSTUB(0xFF855A54, RemoveAllFileCache) //SC
//NSTUB(0xff06f2fc, SetBitmapVramAddress)
//NSTUB(0xFF91E43C, SetCFnData)
//NSTUB(0xFF883E88, SetGUIRequestMode)
NSTUB(0xDD847338, TurnOnDisplay) //SC
NSTUB(0xFF8473BC,   TurnOffDisplay) //SC

NSTUB(0xFFD046C0, TryPostMessageQueue)  //SC

//NSTUB(0xff072f7c, _audio_ic_read)
//NSTUB(0xff0730c8, _audio_ic_write)
//NSTUB(   0x4154, additional_version) // or 4154 not sure
//NSTUB(0xFFD12088, alloc_dma_memory)
//NSTUB(0xFFD12088, _alloc_dma_memory)
//NSTUB(   0x30A90, bmp_vram_info ) // need checking
//NSTUB(0xffd7d718, bzero32) // memset at 0xffd7d718
//NSTUB(0xFFCF9788, call)
//NSTUB(0xC0220000, camera_engine)
////NSTUB(0xffd1989c, cfReadBlk)
NSTUB(0xFFCD9A34, cfReadBlk) //SC
//NSTUB(   0x314F8, cf_device) // not sure
//NSTUB(0xFFD2073C, cli_save)
//NSTUB(0xff01559c, create_init_task)
//NSTUB(0xFFCFEE00, create_named_semaphore)
//NSTUB(0xff010fb0, cstart)
//NSTUB(0xff2fe9f4, ctrlman_dispatch_event)
//NSTUB(0xFF95EF4C, dialog_redraw)
//NSTUB(0xFF8F0758, dialog_set_property_str)
//NSTUB(    0x2b18, dm_names)
//NSTUB(0xffd4cb6c, dm_set_store_level)
NSTUB(0xFFD3CC4C, free) //SC // not good points to FreeMemory
NSTUB(0xFFD3CC4C, _free) //SC // not good points to FreeMemory
//NSTUB(0xFFD120B4, free_dma_memory)
//NSTUB(0xFFD120B4, _free_dma_memory)
//NSTUB(0xff3d7798, fsuDecodePartitionTable) // AJ_fsuGetPart_related
//NSTUB(0xFFCFF390, give_semaphore)
//NSTUB(0xFF8646A4, gui_change_lcd_state_post)
//NSTUB(0xFF863B18, gui_change_mode)
NSTUB(0xFF864A4C, GUI_CHANGE_MODE) //SC
//NSTUB(0xFF8645E4, gui_change_shoot_type_post)
//NSTUB(0xFF861538, gui_init_end)
//NSTUB(0xFF8B3268, gui_init_event)
//NSTUB(0xFF863EE4, gui_local_post)
//NSTUB(    0x17530, gui_main_struct)
//NSTUB(0xFF861A28, gui_main_task)
//NSTUB(0xFF862734, gui_massive_event_loop)
//NSTUB(0xFF864380, gui_other_post)
//NSTUB(0xFF864514, gui_post_10000062)
//NSTUB(0xFF95BC58, gui_task_create)
//NSTUB(0xFF95BDA8, gui_task_destroy)
//NSTUB(   0x4AF8, gui_task_list)
//NSTUB(0xFFCFD6F4, gui_timer_something)
//NSTUB(    0x3624, gui_timer_struct)
//NSTUB(0xdeadbeef, init_task)
NSTUB(0xFFD3CC64, _malloc) //SC
//NSTUB(0xFFCFE720, msg_queue_post)
//NSTUB(0xFFCFE03C, msg_queue_receive)
NSTUB(0xFFD05708, msleep) // SC
    ////NSTUB(0xff1e0e04, mvrFixQScale)
    ////NSTUB(0xff1e0870, mvrSetDeblockingFilter)
    ////NSTUB(0xff1e08e0, mvrSetDefQScale)
    ////NSTUB(0xff1e0e24, mvrSetPrintMovieLog)
    ////NSTUB(    0xa39c, mvr_config)
    ////NSTUB(0xff078e6c, oneshot_timer)
//NSTUB(0xFFC35324, _prop_cleanup)
//NSTUB(0xFFC35144, prop_deliver)
//NSTUB(0xFFC35458, prop_get_value)
//NSTUB(0xFFC35200, prop_register_slave)
//NSTUB(0xFFC353AC, _prop_request_change)

//NSTUB(0xFFCF98C4, register_func)
////NSTUB(0xFFB97BF4, sdReadBlk)                      // might be good (dumps=1 score=8.2)
NSTUB(0xFFCDEBD8, sdReadBlk)
////NSTUB(   0x208D8, sd_device)
//NSTUB(0xFFD0ADA4, sei_restore)
    ////NSTUB(    0x1f54, sounddev)
    ////NSTUB(0xff063d64, sounddev_task)
    ////NSTUB(0xFF0640EC, sounddev_active_in)
//NSTUB(0xFFCFF1F4, take_semaphore)
//NSTUB(0xFFCFFAB4, task_create)
    ////NSTUB(    0x1934, task_dispatch_hook )
    ////NSTUB(0xff084ca4, task_trampoline)
    ////NSTUB(0xff2cb1e0, vram_get_number)
//NSTUB(0x00030528, vram_info)
//NSTUB(0xFFD08758, vsnprintf)

//NSTUB(0xFF8C1EA0, LiveViewApp_handler)
//NSTUB(0xFF8A6A04, PlayMain_handler)
    ////NSTUB(0xFF42B700, PlayMovieGuideApp_handler)
//NSTUB(0xFF8D560C, OlcAFFrameApp_handler)
//NSTUB(0xdeadbeef, ErrCardForLVApp_handler)
    ////NSTUB(0xFF3674A4, LiveViewWbApp_handler)
//NSTUB(0xFF8D64DC, ErrForCamera_handler) // ERR70 ERR80 etc (DlgErrForCamera.c AJ_DIALOG.HANDLER_DlgErrForCamera.c)

    ////NSTUB(0xff1f6b20, _engio_write)
    ////NSTUB(0xff1f664c, shamem_read) // AJ_0x8FB0_engio_struct_n_R0_manipulation_to_get_ptr
    ////NSTUB(0xff1f675c, _EngDrvOut) // AJ_EngDrvOut_1xVar_to_ShadowStruct

//NSTUB(0xFF8BBA54, ShootOlcApp_handler) // AJ_DIALOG.HANDLER_DlgShootOlcInfo.c

    ////NSTUB(0x29A9C, LCD_Palette) // in InitializeBitmapDisplayDevice right after 0xc0f14800

//NSTUB(0xFFD16E84, GetMemoryInformation)

//NSTUB(0xFFD06204, msg_queue_create)

    ////NSTUB(0xff0372b4, PD_RemoteRelease)
    ////NSTUB( 0xff16004c, PtpDps_remote_release_SW1_SW2_worker ) // called from: ptpRemoteRelease Occupy

// for task information
    ////NSTUB(0x2B24, task_max)
    ////NSTUB(0xFF087940, is_taskid_valid) // AJ_task_trampoline_related_p10
    ////NSTUB(0xff08779c, get_obj_attr) // AJ_checks_if_Process_id_created_by_Dryos
    ////NSTUB(0xff014c10, get_current_task)

//NSTUB(0xFFD17E18, AllocateMemoryResource) // m_pfAllocMemoryCBR
//NSTUB(0xFFD17E6C, AllocateContinuousMemoryResource) // m_pfContAllocMemoryCBR
//NSTUB(0xFFD17EC0, FreeMemoryResource) // m_pfFreeMemoryCBR
//NSTUB(0xFFD03548, GetFirstChunkFromSuite) // AJ_PackMemory_PackMem_p3
//NSTUB(0xFFD031B4, GetMemoryAddressOfMemoryChunk)

    ////NSTUB(0xff07365c, PowerAudioOutput)
    ////NSTUB(0xff061c44, StartASIFDMADAC)
    ////NSTUB(0xFF061A88, StartASIFDMAADC)
    ////NSTUB(0xff061d20, StopASIFDMADAC)
    ////NSTUB(0xFF0621C4, SetNextASIFADCBuffer) // called by SetNextUINT8ASIFADCBuffer and SetNextINT16ASIFADCBuffer
    ////NSTUB(0xFF06227C, SetNextASIFDACBuffer)
    ////NSTUB(0xff0736f4, SetSamplingRate )
    ////NSTUB(0xFF073944, SetAudioVolumeOut)

    ////NSTUB(0xFF06EDD0, AsyncEnableImagePhysicalScreenParameter)
    ////NSTUB(0xff06e8b0, EnableImagePhysicalScreenParameter)

//NSTUB(0xFF8A8C78, StartPlayProtectGuideApp)
NSTUB(0xFF8ABE0C, StartPlayProtectGuideApp) //SC
//NSTUB(0xFF8A9144, StopPlayProtectGuideApp)
NSTUB(0xFF8ABF1C, StopPlayProtectGuideApp) //SC

//NSTUB(0xFFCFFCC0, DeleteTask)
//NSTUB(0xFFD0068C, QueryTaskByName)

//NSTUB(0x30A98, LCD_Palette)
//NSTUB(0x30AD8, RGB_Palette)
//NSTUB(0x309C8, PB_Palette)

//NSTUB(0xFFC64BE8, SetRGBPaletteToDisplayDevice)
NSTUB(0xFFC6E838, SetRGBPaletteToDisplayDevice)
//NSTUB(0xFF8F08C4, ChangeColorPalette)
NSTUB(0xFF8F35A8, ChangeColorPalette)

//NSTUB(0xFFC63A88, SetParameterToBitmapDisplayDevice)
NSTUB(0xFFC6D6D4, SetParameterToBitmapDisplayDevice)


//NSTUB(0xFFC6D1EC, EnableBitmapVBufferForPlayBackAndWaiting)
NSTUB(0xFFC76AB0, EnableBitmapVBufferForPlayBackAndWaiting)

//NSTUB(0xFFC6B6B0, BmpDDev_give_semaphore)
//NSTUB(0xFFC6B660, BmpDDev_take_semaphore)

//NSTUB(0xFF81594C, bindGUISwitchCBR)

//NSTUB(0xFFCFDC18, register_interrupt)
//NSTUB(0xFFC3B624, SIO3_ISR)
NSTUB(0xFFC45108, MREQ_ISR)
//NSTUB(0xFFC3B55C, MREQ_ISR)
NSTUB(0xFFC45114, SIO3_ISR)

NSTUB(0xFFD04288, TryReceiveMessageQueue) // SC from coutts

//NSTUB(0xFFD0A7A0, TryPostEvent)
//NSTUB(0xFFD0A800, TryPostEvent_end)

//NSTUB(0xFFD1180C, TryPostStageEvent)
//NSTUB(0xFFD1197C, TryPostStageEvent_end) // PendStageEvent

//NSTUB(0xFFD28528, get_current_task) // 0x22E00
//NSTUB(0xFFD282EC, get_task_info)
//NSTUB(0xFFD29C10, get_active_task_list)

//NSTUB(0xFFD0A0D4, create_task_cmd_shell)

//NSTUB(0xFFB4AB18, ptp_register_handler)
//NSTUB(0xFFB42198, ptp_register_handlers_0x9800)

//NSTUB(0xFFD07654, DM_TryPostEvent)

NSTUB(0xFF841908, FA_Release) //SC

/** EDMAC routines **/
//NSTUB(0xFFCADCA0, SetEDmac)
//NSTUB(0xFFCADD00, StartEDmac)
//NSTUB(0xFFCADDC0, PopEDmac)
////NSTUB([idk], AbortEDmac)
//NSTUB(0xFFCADCC0, ConnectWriteEDmac)
//NSTUB(0xFFCADCDC, ConnectReadEDmac)

/** keep the old name until all are refcatored **/
////NSTUB(0xFFCADDA0, EDMAC_RegisterCompleteCBR)

/** register/unregister CBR names **/
//NSTUB(0xFFCADDA0, RegisterEDmacCompleteCBR)
//NSTUB(0xFFCADDD8, RegisterEDmacAbortCBR)
NSTUB(0xFFCB6D60, RegisterEDmacAbortCBR)
//NSTUB(0xFFCADE58, RegisterEDmacPopCBR)
//NSTUB(0xFFCADDC0, UnregisterEDmacCompleteCBR)
//NSTUB(0xFFCADE20, UnregisterEDmacAbortCBR)
NSTUB(0xFFCB6D80, UnregisterEDmacAbortCBR)
//NSTUB(0xFFCADE78, UnregisterEDmacPopCBR)

// DEF(0xffd18c2c, GetSizeOfMaxRegion) // SC

a1ex

The 1000D GUI can now be emulated in QEMU (same for the 450D ML):



What does this mean?

Porting ML on these VxWorks models just got easier by one (or maybe two) order(s) of magnitude - I hope it will be as easy as following the tutorial and/or the walkthrough. The development tools run on all major operating systems (including Windows and Mac).

Good luck!

SysCall

@a1ex

That is great, thanks a lot.

canoneosrebelxs

I have the Canon EOS Rebel XS DSLR. (also called the 1000d)
The Magic Lantern 1080p video recording program isn't listed on your site for my camera.

Could someone please upload the program for that specific camera?

I see a lot of people talked about making the file for this camera on this thread.
Did anyone ever do it?? I don't see a link anywhere on here to download the file for that camera.

If any of you have the download, can you please email me at [email protected]?
Thanks!

PS: Would one of the mods mind sticking this thread to the "sticky posts" so that it is at the top of the message boards?
Thanks!

Walter Schulz

Unmaintained cams will not get a sticky thread. This is reserved for cams supported with nightly builds or (at least) labeled "Port in Progress". There is no ML for 1000D.