Author Topic: JTAG on DIGIC chips  (Read 1975 times)

saint tropez

  • New to the forum
  • *
  • Posts: 2
JTAG on DIGIC chips
« on: April 22, 2018, 12:41:09 PM »
Hi !

A few days ago, I started a topic on the CHDK forum, about DIGIC 5 JTAG on a Canon S100 : https://chdk.setepontos.com/index.php?topic=13408.0

So far, I'm able to connect to the ARM, but I can't do more than peeking register values. The camera immediately freezes, and eventually turns off.

Does anyone here have some experience with JTAG on DIGIC chips ?

a1ex

  • Administrator
  • Hero Member
  • *****
  • Posts: 12241
  • Maintenance mode
Re: JTAG on DIGIC chips
« Reply #1 on: April 23, 2018, 10:55:34 AM »
Very cool.

No experience with JTAG, but there might be a watchdog somewhere. If you lock up the CPU on a PowerShot model, by executing something like "cli(); while(1);" from some CHDK task, I remember the camera reboots (but no PowerShot currently here to double-check). That's different from EOS - there, it locks up and the MPU throws ERR80 shortly afterwards (as the main CPU is no longer responding). There's no MPU on PowerShots (there may be other secondary CPUs though).

g3gg0

  • Developer
  • Hero Member
  • *****
  • Posts: 3143
Re: JTAG on DIGIC chips
« Reply #2 on: April 23, 2018, 09:53:26 PM »
good job.

never was that brave to try this on a 5D3 :)
or does anyone sponsor a mechanically defective one where i can solder on? :D

peeking registers and memory is definitely a helpful feature.
i am using a professional debugger (lauterbach TRACE32) at work.
on such a complex system, memory insight is very valuable.
Help us with datasheets - Help us with register dumps
magic lantern: 1Magic9991E1eWbGvrsx186GovYCXFbppY, server expenses: paypal@g3gg0.de
ONLY donate for things we have done, not for things you expect!

Walter Schulz

  • Contributor
  • Hero Member
  • *****
  • Posts: 6762
Re: JTAG on DIGIC chips
« Reply #3 on: April 23, 2018, 09:59:37 PM »
You know if you really want one we can make it happen. Easily, I'm convinced.
Photogs and videographers: Assist in proof reading upcoming in-camera help!. Your input is wanted and needed!

g3gg0

  • Developer
  • Hero Member
  • *****
  • Posts: 3143
Re: JTAG on DIGIC chips
« Reply #4 on: April 24, 2018, 12:26:10 AM »
nevermind, i think on the 5D3 i didn't even find a matching connector.
the 600D instead had an unpopulated one, which i guessed to be JTAG

eduperez

  • Contributor
  • Member
  • *****
  • Posts: 108
Re: JTAG on DIGIC chips
« Reply #5 on: April 24, 2018, 09:25:01 AM »
Somebody once told me that the JTAG connector was accessible through the grip connector...

g3gg0

  • Developer
  • Hero Member
  • *****
  • Posts: 3143
Re: JTAG on DIGIC chips
« Reply #6 on: April 24, 2018, 09:15:02 PM »
possible, but i expected it to be closer to the PCB. hmm.

saint tropez

  • New to the forum
  • *
  • Posts: 2
Re: JTAG on DIGIC chips
« Reply #7 on: April 28, 2018, 02:18:51 PM »
Effectively, that shutdown seems to be related to a watchdog timer. By analyzing Canon's watchdog functions, it seems that the only address used for interfacing with the watchdog is 0xC0410000.

The first line of code is equivalent to this :
Code:
*(volatile unsigned int *)0xC0410000 = 0;
So I thought this might disable the watchdog. In order to try this, I used chdkptp and used the EngDrvOut function :
Quote
=call_func_ptr(0xFF025C0C, 0xC0410000, 0, 0)

It seems that this solves the issue of the camera shutting down a few seconds after entering JTAG. However the camera remains non-responsive to physical buttons or USB communication  :-\

g3gg0

  • Developer
  • Hero Member
  • *****
  • Posts: 3143
Re: JTAG on DIGIC chips
« Reply #8 on: April 28, 2018, 04:45:34 PM »
guess that's due to the MPU getting out of sync and shutting down

a1ex

  • Administrator
  • Hero Member
  • *****
  • Posts: 12241
  • Maintenance mode
Re: JTAG on DIGIC chips
« Reply #9 on: April 28, 2018, 04:54:53 PM »
Quote
target halted in ARM state due to debug-request, current mode: Abort

That sounds like it stopped other DryOS tasks and waits for debugger commands, which may explain why it appears locked up. Just a guess.

Quote from: g3gg0
guess that's due to the MPU getting out of sync and shutting down

There's no MPU on PowerShot cameras; there, button presses are handled by a background task on the ARM side (PhySw) that polls some hardware registers that encode button status (usually each button mapped to one bit).

Example from my experiments with A2200:
Code:
.physw_regs             = { 0xC0220200, 0xC0220204, 0xC0220208 },
.physw_idle_state       = { 0x4690C0C4, 0x04eff443, 0x00000000 },

KeyMap keymap[] = {
    /* tiny bug: key order matters. see kbd_get_pressed_key() */
    { 0, CHDK_KEY_PLAYBACK        ,0x01000000 }, // Found @0xffb561dc, levent 0x601   
    { 0, CHDK_KEY_MENU            ,0x04000000 }, // Found @0xffb561e4 (1.00B), levent 0x09
    { 0, CHDK_KEY_FACE            ,0x00800000 },
    { 1, CHDK_KEY_UP              ,0x00001000 }, // Found @0xffb56214 (1.00B), levent 0x04
    { 1, CHDK_KEY_RIGHT           ,0x00002000 }, // Found @0xffb5621c (1.00B), levent 0x07
    { 1, CHDK_KEY_DOWN            ,0x00004000 }, // Found @0xffb56224 (1.00B), levent 0x05
    { 1, CHDK_KEY_LEFT            ,0x00008000 }, // Found @0xffb5622c (1.00B), levent 0x06
    { 1, CHDK_KEY_ZOOM_OUT        ,0x00010000 }, // Found @0xffb56234 (1.00B), levent 0x03
    { 1, CHDK_KEY_ZOOM_IN         ,0x00020000 }, // Found @0xffb5623c (1.00B), levent 0x02
    { 1, CHDK_KEY_SET             ,0x00040000 }, // Found @0xffb56244 (1.00B), levent 0x08
    { 1, CHDK_KEY_DISPLAY         ,0x00080000 }, // Found @0xffb5624c (1.00B), levent 0x0a
    { 1, CHDK_KEY_SHOOT_FULL      ,0x00000003 }, // Found @0xffb5620c (1.00B), levent 0x01
    { 1, CHDK_KEY_SHOOT_FULL_ONLY ,0x00000002 }, // Found @0xffb5620c (1.00B), levent 0x01
    { 1, CHDK_KEY_SHOOT_HALF      ,0x00000001 }, // Found @0xffb56204 (1.00B), levent 0x00
    { 0, CHDK_KEY_POWER           ,0x02000000 }, // Found @0xffb561e4 (1.00D), levent 0x600
    { 0, 0, 0 }
};
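
Added example (not part of the original post, and not CHDK or Magic Lantern code): decoding a dump of the three PhySw registers, for instance one read over JTAG, into a key name using a subset of the A2200 values quoted above. It assumes a key is down when every bit of its mask differs from the idle value; the function and struct names are made up for this sketch.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Idle values and masks are the A2200 ones quoted in the post above. */
static const uint32_t idle[3] = { 0x4690C0C4, 0x04eff443, 0x00000000 };

struct key { int grp; const char *name; uint32_t mask; };

/* Subset of the post's table, same order: the first match wins, so
 * SHOOT_FULL (0x3) has to be listed before SHOOT_HALF (0x1). */
static const struct key keymap[] = {
    { 0, "PLAYBACK",        0x01000000 },
    { 0, "MENU",            0x04000000 },
    { 1, "UP",              0x00001000 },
    { 1, "SET",             0x00040000 },
    { 1, "SHOOT_FULL",      0x00000003 },
    { 1, "SHOOT_FULL_ONLY", 0x00000002 },
    { 1, "SHOOT_HALF",      0x00000001 },
    { 0, "POWER",           0x02000000 },
};

/* Assumption: pressed == all mask bits differ from the idle state. */
const struct key *first_pressed(const uint32_t regs[3])
{
    for (size_t i = 0; i < sizeof keymap / sizeof keymap[0]; i++) {
        uint32_t changed = regs[keymap[i].grp] ^ idle[keymap[i].grp];
        if ((changed & keymap[i].mask) == keymap[i].mask)
            return &keymap[i];
    }
    return NULL; /* nothing differs from idle: no key down */
}

/* Constructed sample input: idle state with `bits` toggled in one register. */
const struct key *decode_toggled(int grp, uint32_t bits)
{
    uint32_t regs[3] = { idle[0], idle[1], idle[2] };
    regs[grp] ^= bits;
    return first_pressed(regs);
}

int main(void)
{
    const struct key *k = decode_toggled(1, 0x00000003);
    printf("%s\n", k ? k->name : "(none)");
    return 0;
}
```

Comparing against the idle word rather than testing for a fixed level handles bits that idle low (PLAYBACK here) and bits that idle high (the group 1 keys) with the same check.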

g3gg0

  • Developer
  • Hero Member
  • *****
  • Posts: 3143
Re: JTAG on DIGIC chips
« Reply #10 on: April 28, 2018, 06:00:18 PM »
Quote from: a1ex
That sounds like it stopped other DryOS tasks and waits for debugger commands, which may explain why it appears locked up. Just a guess.

depends how the "break" command is implemented. being in ABORT (see PC, which says DATA ABORT) is either due to accessing forbidden areas after breaking, or hmm it inserted that ABORT to stop the execution.
(not sure how the OpenOCD issues memory read commands)