Author Topic: DIGIC 8 'PowerShot' development (M50, SX70, SX740)  (Read 26793 times)

KelvinK

  • Senior
  • ****
  • Posts: 267
  • Less words, more films
Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
« Reply #100 on: April 03, 2019, 02:43:04 PM »
@a1ex do you think it's possible in theory to add touchscreen navigation in ML?
6D - 5D - NEX - M50!

Sapporo

  • Freshman
  • **
  • Posts: 68
Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
« Reply #101 on: April 03, 2019, 03:12:48 PM »
Scroll up ...
I was blind...sorry :-\

But 80MB/s, isn't that slow? If M5 has 81MB/s as average speed the fastest write speed with M5 should be around 90MB/s. M50 should have the same write speed as the other new Canon cameras with the same SD interface.
https://www.cameramemoryspeed.com/canon-m5/fastest-sd-cards/

linux4eva

  • New to the forum
  • *
  • Posts: 2
Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
« Reply #102 on: April 03, 2019, 11:00:56 PM »
Hey!
I'm following the topic for a while since deciding to get (and got) M50 recently! Really excited to see thing moving forward. Please let me know if there's anything I can help with.
Regarding the write speed why 80 MB/s on SD card should be considered slow?
The other camera I have is 7D and I just did a YouTube review of new Kingston 256Gb CF card which had 60 MB/s in Magic Lantern benchmark, 80 MB/s while recording RAW video and was closer to 130 MB/s using USB 3.0 card reader. I thought the usual SD cards supposed to be slower than CF.

acarboni

  • New to the forum
  • *
  • Posts: 2
Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
« Reply #103 on: April 04, 2019, 12:06:28 AM »
Amazing work and wonderful news! Thanks to everyone who got things this far!

linux4eva

  • New to the forum
  • *
  • Posts: 2
Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
« Reply #104 on: April 04, 2019, 05:36:06 AM »
I got to check the 1st April's thread and I find suggestion to monetarily boost the ML development by accepting donations from the community while keeping software free and open source.
You might think to raise funds for a specific goals - that might keep developers more motivated. I can imagine that it is difficult to work on such projects while having a number of 'real' jobs. I guess there are many M50 owners out there who would gladly contribute for an upgrade to their camera.

joanllm

  • New to the forum
  • *
  • Posts: 4
Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
« Reply #105 on: April 07, 2019, 08:04:29 PM »
This is great news! hopefully the video on Raw is very soon in this camera, I have an M50 so I will be happy to help you sharing here the results of the previews

Keep it up, very good job

dfort

  • Developer
  • Hero Member
  • *****
  • Posts: 3707
Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
« Reply #106 on: April 10, 2019, 02:56:29 AM »
My M50 arrived today - Yay!

With 1.0.2 firmware - Uh oh!

and Pelican's firmware archive has the M50--KissM-v101-win.zip file is listed - Yay!

But clicking on the link gives a 404 file not found error - oooooh

However, the file is there--I mean here -> https://pel.hu/down/M50-KissM-v101-win.zip

Almost ready--uh, where's the ML-SETUP.FIR file? Available only by special request? Not sure where to start. Maybe with a firmware update to 1.0.2 for starters? That's the one thing that seems almost doable at the moment. In the meantime I'm attempting to put an "M50 Canon Firmware for Testers" package on my downloads page so others won't have to go through that rollercoaster ride to find the "right" firmware version. Compared to other cameras these firmware updater files are humongous.
5D3.* 7D.206 700D.115 EOSM.203 EOSM2.103 M50.102

shadimar69

  • New to the forum
  • *
  • Posts: 5
Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
« Reply #107 on: April 10, 2019, 03:50:15 AM »
Congrats on the M50 dfort! Absolutely in love with mine.
Almost ready--uh, where's the ML-SETUP.FIR file? Available only by special request? Not sure where to start. Maybe with a firmware update to 1.0.2 for starters?

This is what I used for my testing: The 'Fishy' is only running on firmware 1.0.1 currently.
Please find the FIR file for enabling the boot flag on the EOS/PowerShot M50:
BOOT_M50.FIR (confirmed by 71m363nd3r; works on any Canon firmware version)
This will modify your camera.
magiclantern-fishy.2019Apr01.M50101.zip

Appears to be a proof of concept at the moment. When I tested it, pressing the trash can button to activate only opened into the ML menu once every 5-7 times. The menu itself does not have fully fledged out functionality just yet. I am sure it will get there, obviously there is a lot of hard work that needs to go into this still. Absolutely brilliant work so far IMO! =Þ
Canon M50 tinkerer

yokashin

  • New to the forum
  • *
  • Posts: 12

a1ex

  • Administrator
  • Hero Member
  • *****
  • Posts: 12222
  • Maintenance mode
Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
« Reply #109 on: April 10, 2019, 10:57:51 AM »
My M50 arrived today - Yay!

Welcome to the future :D

Canon has introduced the EOS Rebel SL3 (EOS 250D / EOS Kiss X10)

Oh no, another camera to take care of!

To prepare the portable ROM dumper, I "only" need a CR3 image (i.e. wait for reviews with sample images). If that won't work, hardware hack à la EOS R.

BTW, after playing a bit with M and M50, I started to wonder what's the purpose of all other Rebel cameras on the market. Do they have better battery life, or...?

When I tested it, pressing the trash can button to activate only opened into the ML menu once every 5-7 times.

Really? It just worked here... and I'm pretty sure I've opened it more than 100 times.

You were in plain LiveView when pressing the delete button, right?

zerocool22

  • New to the forum
  • *
  • Posts: 29
Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
« Reply #110 on: April 10, 2019, 12:29:08 PM »
BTW, after playing a bit with M and M50, I started to wonder what's the purpose of all other Rebel cameras on the market. Do they have better battery life, or...?
True the only camera's from canon that matter atm are the 5D IV and canon eos r. Hope ML will run on either soon :)

shadimar69

  • New to the forum
  • *
  • Posts: 5
Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
« Reply #111 on: April 10, 2019, 01:49:06 PM »
Really? It just worked here... and I'm pretty sure I've opened it more than 100 times.
You were in plain LiveView when pressing the delete button, right?

Yes tested in plain LiveView. To be able to consistently get the ML menu to come up, I have to double press the trash button, about 500ms between presses. If I just press once, screen goes black for 1 second, then returns back to normal live view.
Canon M50 tinkerer

KenSoftTH

  • New to the forum
  • *
  • Posts: 32
Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
« Reply #112 on: April 10, 2019, 08:04:07 PM »

dfort

  • Developer
  • Hero Member
  • *****
  • Posts: 3707
Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
« Reply #113 on: April 10, 2019, 08:39:03 PM »
The 200D Mark II probably belongs in the DIGIC 7 development (200D/SL2, 800D/T7i, 77D, 6D2) topic.

Back to the M50. First of all, I dumped the 1.0.2 firmware. Just in case I get the urge to port the current firmware.



Then I downgraded to 1.0.1 and turned on the camera bootflag -- no turning back now?



I had no problems opening the ML menu with the Trash button but the first thing I noticed was that the ML menu hiccups every few seconds. Ok--this is an early port.

Hey, the selftest module included with the "fishy" build so how well does that work on the camera?

Code: [Select]
[Pass] is_play_mode() => 0x1
[INFO] Camera model: Canon EOS M50 1.0.1 (0x412 M50)
[Pass] is_camera("DIGIC", "*") => 0x1
[Pass] is_camera(__camera_model_short, firmware_version) => 0x1
       m0 = MALLOC_FREE_MEMORY => 0x60fe0
[Pass] p = (void*)_malloc(50*1024) => 0x10ff70
[Pass] CACHEABLE(p) => 0x10ff70
       m1 = MALLOC_FREE_MEMORY => 0x547d0
       _free(p)
       m2 = MALLOC_FREE_MEMORY => 0x60fe0
[Pass] ABS((m0-m1) - 50*1024) => 0x10
[Pass] ABS(m0-m2) => 0x0
       m0 = GetFreeMemForAllocateMemory() => 0x24273c
[Pass] p = (void*)_AllocateMemory(128*1024) => 0xe5288c
[Pass] CACHEABLE(p) => 0xe5288c
       m1 = GetFreeMemForAllocateMemory() => 0x22272c
       _FreeMemory(p)
       m2 = GetFreeMemForAllocateMemory() => 0x24273c
[Pass] ABS((m0-m1) - 128*1024) => 0x10
[Pass] ABS(m0-m2) => 0x0
       m01 = MALLOC_FREE_MEMORY => 0x60fe0
       m02 = GetFreeMemForAllocateMemory() => 0x24273c
[Pass] p = (void*)_alloc_dma_memory(128*1024) => 0x40e528a0
[Pass] UNCACHEABLE(p) => 0x40e528a0
[Pass] CACHEABLE(p) => 0xe528a0
[Pass] UNCACHEABLE(CACHEABLE(p)) => 0x40e528a0
       _free_dma_memory(p)
[Pass] p = (void*)_shoot_malloc(16*1024*1024) => 0x4660c094
[Pass] UNCACHEABLE(p) => 0x4660c094
       _shoot_free(p)
       m11 = MALLOC_FREE_MEMORY => 0x60fe0
       m12 = GetFreeMemForAllocateMemory() => 0x24273c
[Pass] ABS(m01-m11) => 0x0
[Pass] ABS(m02-m12) => 0x0
[Pass] suite = shoot_malloc_suite_contig(16*1024*1024) => 0xeb980
[Pass] suite->signature => 'MemSuite'
[Pass] suite->num_chunks => 0x1
[Pass] suite->size => 0x1000000
[Pass] chunk = GetFirstChunkFromSuite(suite) => 0x10ff70
[Pass] chunk->signature => 'MemChunk'
[Pass] chunk->size => 0x1000000
[Pass] p = GetMemoryAddressOfMemoryChunk(chunk) => 0x4660c090
[Pass] UNCACHEABLE(p) => 0x4660c090
       shoot_free_suite(suite); suite = 0; chunk = 0;
[Pass] suite = shoot_malloc_suite_contig(0) => 0xeb980
[Pass] suite->signature => 'MemSuite'
[Pass] suite->num_chunks => 0x1
[Pass] suite->size => 0x2000000
[Pass] chunk = GetFirstChunkFromSuite(suite) => 0x10ff70
[Pass] chunk->signature => 'MemChunk'
[Pass] chunk->size => 0x2000000
[Pass] p = GetMemoryAddressOfMemoryChunk(chunk) => 0x7b93e470
[Pass] UNCACHEABLE(p) => 0x7b93e470
       largest_shoot_block = suite->size => 0x2000000
[INFO] largest_shoot_block: 32MB
       shoot_free_suite(suite); suite = 0; chunk = 0;
[Pass] suite = shoot_malloc_suite(largest_shoot_block + 1024*1024) => 0xeb980
[Pass] suite->signature => 'MemSuite'
[Pass] suite->num_chunks => 0x3
[Pass] suite->size => 0x2100000
[Pass] chunk = GetFirstChunkFromSuite(suite) => 0x10ff70
[Pass] chunk->signature => 'MemChunk'
[Pass] total += chunk->size => 0x1388000
[Pass] p = GetMemoryAddressOfMemoryChunk(chunk) => 0x4660c090
[Pass] UNCACHEABLE(p) => 0x4660c090
       chunk = GetNextMemoryChunk(suite, chunk) => 0x10ffa8
[Pass] chunk->signature => 'MemChunk'
[Pass] total += chunk->size => 0x1780000
[Pass] p = GetMemoryAddressOfMemoryChunk(chunk) => 0x46110070
[Pass] UNCACHEABLE(p) => 0x46110070
       chunk = GetNextMemoryChunk(suite, chunk) => 0x10ffe0
[Pass] chunk->signature => 'MemChunk'
[Pass] total += chunk->size => 0x2100000
[Pass] p = GetMemoryAddressOfMemoryChunk(chunk) => 0x7b93e470
[Pass] UNCACHEABLE(p) => 0x7b93e470
       chunk = GetNextMemoryChunk(suite, chunk) => 0x0
[Pass] total => 0x2100000
       shoot_free_suite(suite); suite = 0; chunk = 0;
[Pass] suite = shoot_malloc_suite(0) => 0xeb980
[Pass] suite->signature => 'MemSuite'
[Pass] suite->num_chunks => 0x4
[Pass] suite->size => 0x3f00000
[Pass] chunk = GetFirstChunkFromSuite(suite) => 0x10ff70
[Pass] chunk->signature => 'MemChunk'
[Pass] total += chunk->size => 0x1388000
[Pass] p = GetMemoryAddressOfMemoryChunk(chunk) => 0x4660c090
[Pass] UNCACHEABLE(p) => 0x4660c090
       chunk = GetNextMemoryChunk(suite, chunk) => 0x10ffa8
[Pass] chunk->signature => 'MemChunk'
[Pass] total += chunk->size => 0x1780000
[Pass] p = GetMemoryAddressOfMemoryChunk(chunk) => 0x46110070
[Pass] UNCACHEABLE(p) => 0x46110070
       chunk = GetNextMemoryChunk(suite, chunk) => 0x10ffe0
[Pass] chunk->signature => 'MemChunk'
[Pass] total += chunk->size => 0x3780000
[Pass] p = GetMemoryAddressOfMemoryChunk(chunk) => 0x7b93e470
[Pass] UNCACHEABLE(p) => 0x7b93e470
       chunk = GetNextMemoryChunk(suite, chunk) => 0x110018
[Pass] chunk->signature => 'MemChunk'
[Pass] total += chunk->size => 0x3f00000
[Pass] p = GetMemoryAddressOfMemoryChunk(chunk) => 0x7d93e480
[Pass] UNCACHEABLE(p) => 0x7d93e480
       chunk = GetNextMemoryChunk(suite, chunk) => 0x0
[Pass] total => 0x3f00000
       shoot_free_suite(suite); suite = 0; chunk = 0;
[Pass] strlen("abc") => 0x3
[Pass] strlen("qwertyuiop") => 0xa
[Pass] strlen("") => 0x0
[Pass] strcpy(msg, "hi there") => 0x2ca654
[Pass] msg => 'hi there'
[Pass] snprintf(a, sizeof(a), "foo") => 0x3
[Pass] snprintf(b, sizeof(b), "foo") => 0x3
[Pass] strcmp(a, b) => 0x0
[Pass] snprintf(a, sizeof(a), "bar") => 0x3
[Pass] snprintf(b, sizeof(b), "baz") => 0x3
[Pass] strcmp(a, b) => 0xfffffff8
[Pass] snprintf(a, sizeof(a), "Display") => 0x7
[Pass] snprintf(b, sizeof(b), "Defishing") => 0x9
[Pass] strcmp(a, b) => 0x4
[Pass] snprintf(buf, 3, "%d", 1234) => 0x2
[Pass] buf => '12'
[Pass] memcpy(foo, bar, 6) => 0x2ca700
[Pass] foo => 'asdfghuiop'
[Pass] memset(bar, '*', 5) => 0x2ca6e0
[Pass] bar => '*****hjkl;'
       call("TurnOnDisplay")
[Pass] DISPLAY_IS_ON => 0x1
       call("TurnOffDisplay")
[FAIL] DISPLAY_IS_ON => 0x1
       call("TurnOnDisplay")
[Pass] DISPLAY_IS_ON => 0x1
       task_create("test", 0x1c, 0x1000, test_task, 0) => 0x6c6013c
[Pass] test_task_created => 0x1
[Pass] get_current_task_name() => 'run_test'
[FAIL] get_task_name_from_id(current_task->taskId) => '?'
[Pass] mq = mq ? mq : (void*)msg_queue_create("test", 5) => 0x6c8012a
[Pass] msg_queue_post(mq, 0x1234567) => 0x0
[Pass] msg_queue_receive(mq, (struct event **) &m, 500) => 0x0
[Pass] m => 0x1234567
[Pass] msg_queue_receive(mq, (struct event **) &m, 500) => 0x9
[Pass] sem = sem ? sem : create_named_semaphore("test", 1) => 0x6ca0242
[Pass] take_semaphore(sem, 500) => 0x0
[Pass] take_semaphore(sem, 500) => 0x9
[Pass] give_semaphore(sem) => 0x0
[Pass] take_semaphore(sem, 500) => 0x0
[Pass] give_semaphore(sem) => 0x0
[Pass] rlock = rlock ? rlock : CreateRecursiveLock(0) => 0x6cc003c
[Pass] AcquireRecursiveLock(rlock, 500) => 0x0
[Pass] AcquireRecursiveLock(rlock, 500) => 0x0
[Pass] ReleaseRecursiveLock(rlock) => 0x0
[Pass] ReleaseRecursiveLock(rlock) => 0x0
       SetGUIRequestMode(1); msleep(1000);
[FAIL] CURRENT_GUI_MODE => 0x0
       SetGUIRequestMode(2); msleep(1000);
[Pass] CURRENT_GUI_MODE => 0x2
       SetGUIRequestMode(0); msleep(1000);
[Pass] CURRENT_GUI_MODE => 0x0
[Pass] display_idle() => 0x1
       GUI_Control(BGMT_PLAY, 0, 0, 0); msleep(1000);
[Pass] PLAY_MODE => 0x1
[Pass] MENU_MODE => 0x0
       GUI_Control(BGMT_MENU, 0, 0, 0); msleep(1000);
[Pass] MENU_MODE => 0x1
[Pass] PLAY_MODE => 0x0
       GUI_Control(BGMT_MENU, 0, 0, 0); msleep(500);
[Pass] MENU_MODE => 0x0
[Pass] PLAY_MODE => 0x0
       SW1(1,100)
[FAIL] HALFSHUTTER_PRESSED => 0x0
       SW1(0,100)
[Pass] HALFSHUTTER_PRESSED => 0x0
[Pass] is_play_mode() => 0x1
[FAIL] is_pure_play_photo_mode() => 0x0
[Pass] is_pure_play_movie_mode() => 0x0
[Pass] is_play_mode() => 0x1
[Pass] is_pure_play_photo_mode() => 0x0
[Pass] is_pure_play_movie_mode() => 0x0
[Pass] is_play_mode() => 0x1
[Pass] is_pure_play_photo_mode() => 0x0
[FAIL] is_pure_play_movie_mode() => 0x0
[Pass] is_play_mode() => 0x1
[Pass] is_pure_play_photo_mode() => 0x0
[Pass] is_pure_play_movie_mode() => 0x0
=========================================================
Test complete, 4423 passed, 6 failed.
.

I take it this is a short test and not the one from the lua_fix branch? Still, pretty good for an early port.
5D3.* 7D.206 700D.115 EOSM.203 EOSM2.103 M50.102

lorenzo353

  • New to the forum
  • *
  • Posts: 12
Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
« Reply #114 on: April 11, 2019, 06:26:28 PM »
about Canon EOS Rebel SL3 (EOS 250D / EOS Kiss X10)

To prepare the portable ROM dumper, I "only" need a CR3 image (i.e. wait for reviews with sample images). If that won't work, hardware hack à la EOS R.

https://cweb.canon.jp/eos/lineup/kissx10/img/sample/downloads/sample01.jpg
https://cweb.canon.jp/eos/lineup/kissx10/img/sample/downloads/sample02.jpg

Canon Image Type                : Canon EOS Kiss X10
Canon Firmware Version          : Firmware Version 4.0.5
Canon Model ID                  : Unknown (0x80000436)

dfort

  • Developer
  • Hero Member
  • *****
  • Posts: 3707
Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
« Reply #115 on: April 11, 2019, 08:31:35 PM »
About those EOS Rebel SL3 (EOS 250D / EOS Kiss X10) sample images --

...I "only" need a CR3 image...

Those links point to JPEG files.

Hum, it does have a Digic 8 processor so maybe it should be discussed on this topic.

Now about the M50 --

Looks like the firmware dumper isn't dumping ROM1.BIN. It goes through the motions and the MD5 checks out but the entire file is filled with zeros. I'm talking about this one: https://a1ex.magiclantern.fm/debug/portable-rom-dumper/new/DUMP_M50.FIR

Maybe there's a newer one or perhaps an older one that works? I was able to get a 1.0.1 dump from @leathc a while back with a valid ROM1.BIN.

In any case, the "fishy" April 1 build did save a valid ROM1.BIN dump but if I compile an autoexec.bin file from the current digic6-dumper branch it doesn't create a valid ROM1.BIN dump.

Just for fun I thought I'd try to port the 1.0.2 firmware and as far as I can tell it is working. Here's what the check-stubs.py script shows:

Code: [Select]
python check-stubs.py /Users/rosiefort/magic-lantern-hudson/platform/M50.101/stubs.S /Users/rosiefort/magic-lantern/platform/M50.102/stubs.S
Module termcolor missing, no color support will be available
STUB                    OLD           NEW     DELTA
current_interrupt    0x00001010 -> 0x00001010 [0x000] [contents not checked]
current_task         0x00001028 -> 0x00001028 [0x000] [contents not checked]
bmp_vram_info        0x0000fc20 -> 0x0000fc20 [0x000] [contents not checked]
init_task            0xe0040225 -> 0xe0040225 [0x000] [contents not checked] [!!!]
dump_file            0xe0085f61 -> 0xe0085f71 [0x010] [contents not checked]
memmap_info          0xe009de99 -> 0xe009deb9 [0x020] [contents not checked]
malloc_info          0xe00f1bd9 -> 0xe00f1c1d [0x044] [contents not checked]
sysmem_info          0xe00f1c71 -> 0xe00f1cb5 [0x044] [contents not checked]
create_init_task     0xe0143cbd -> 0xe0143d01 [0x044] [contents not checked]
smemShowFix          0xe0146f97 -> 0xe0146fdb [0x044] [contents not checked]
_malloc              0xe03c2307 -> 0xe03c2387 [0x080] [contents not checked]
_free                0xe03c233f -> 0xe03c23bf [0x080] [contents not checked]
task_create          0xe0545dd7 -> 0xe0545e4f [0x078] [contents not checked] [!!!]
_FIO_OpenFile        0xe0546429 -> 0xe05464a1 [0x078] [contents not checked]
_FIO_CreateFile      0xe05464db -> 0xe0546553 [0x078] [contents not checked]
_FIO_RemoveFile      0xe0546811 -> 0xe0546889 [0x078] [contents not checked]
_FIO_ReadFile        0xe05468ab -> 0xe0546923 [0x078] [contents not checked]
FIO_SeekSkipFile     0xe0546977 -> 0xe05469ef [0x078] [contents not checked]
_FIO_WriteFile       0xe0546a37 -> 0xe0546aaf [0x078] [contents not checked]
FIO_CloseFile        0xe0546c4b -> 0xe0546cc3 [0x078] [contents not checked]
_FIO_GetFileSize     0xe0546de7 -> 0xe0546e5f [0x078] [contents not checked]
_FIO_RenameFile      0xe054781b -> 0xe0547893 [0x078] [contents not checked]
_FIO_CreateDirectory 0xe0547ca5 -> 0xe0547d1d [0x078] [contents not checked]
FIO_Flush            0xe0547e8f -> 0xe0547f07 [0x078] [contents not checked]
_FIO_FindFirstEx     0xe0548107 -> 0xe054817f [0x078] [contents not checked]
FIO_FindNextEx       0xe054820d -> 0xe0548285 [0x078] [contents not checked]
FIO_FindClose        0xe05482cf -> 0xe0548347 [0x078] [contents not checked]
SetTimerAfter        0xe054ce09 -> 0xe054ce81 [0x078] [contents not checked]
CancelTimer          0xe054cebf -> 0xe054cf37 [0x078] [contents not checked]
msleep               0xe05597ef -> 0xe0559867 [0x078] [contents not checked]
uart_printf          0xe055a7a9 -> 0xe055a821 [0x078] [contents not checked]
_alloc_dma_memory    0xe055a9e9 -> 0xe055aa61 [0x078] [contents not checked]
_free_dma_memory     0xe055aa1d -> 0xe055aa95 [0x078] [contents not checked]
GetSizeOfMaxRegion   0xe055ade7 -> 0xe055ae5f [0x078] [contents not checked]
GetMemoryInformation 0xe055ae13 -> 0xe055ae8b [0x078] [contents not checked]
_AllocateMemory      0xe055af89 -> 0xe055b001 [0x078] [contents not checked]
_FreeMemory          0xe055b141 -> 0xe055b1b9 [0x078] [contents not checked]
call                 0xe05721bb -> 0xe0572233 [0x078] [contents not checked]
dcache_clean         0xe05776c5 -> 0xe057773d [0x078] [contents not checked]
icache_invalidate    0xe0577799 -> 0xe0577811 [0x078] [contents not checked]
DryosDebugMsg        0xe0577ec5 -> 0xe0577f3d [0x078] [contents not checked]
bzero32              0xe0578c59 -> 0xe0578cd1 [0x078] [contents not checked]
SetHPTimerAfterNow   0xe0732957 -> 0xe0732abf [0x168] [contents not checked]
SetHPTimerNextTick   0xe07329b7 -> 0xe0732b1f [0x168] [contents not checked]

Copying the M50.102 autoexec.bin to a bootable card (and with the camera bootflag set of course) will create a valid ROM0.BIN and an invalid ROM1.BIN just like the M50.101 version. That's pretty much all it does but hey--that's something!

Another issue with the 1.0.2 port is getting the firmware signature. Following my own tutorial I defined CONFIG_HELLO_WORLD but it required a value for SIG_M50_102 or it would not compile and it didn't print "Hello World" on the LCD, much less print out the firmware signature.

One last piece of the puzzle:

platform/M50.102/Makefile.platform.default
Code: [Select]
FIRMWARE_ID     = 0x00000412 # Not sure where to find this
5D3.* 7D.206 700D.115 EOSM.203 EOSM2.103 M50.102

aprofiti

  • Contributor
  • Member
  • *****
  • Posts: 173
Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
« Reply #116 on: April 11, 2019, 08:48:41 PM »
Another issue with the 1.0.2 port is getting the firmware signature. Following my own tutorial I defined CONFIG_HELLO_WORLD but it required a value for SIG_M50_102 or it would not compile and it didn't print "Hello World" on the LCD, much less print out the firmware signature.
Easy way is to use Qemu with a faked value in src/fw-signature.h and let it print what src/reboot.c expect to be :)

One last piece of the puzzle:

platform/M50.102/Makefile.platform.default
Code: [Select]
FIRMWARE_ID     = 0x00000412 # Not sure where to find this
You can find it under "Canon CanonModelID Values" at https://sno.phy.queensu.ca/~phil/exiftool/TagNames/Canon.html or https://github.com/lclevy/libcraw2/blob/54caceb6aa3ec8aff1ae3102a498cb5438a75d74/docs/cameras.txt

Are they discovered from image metadata?

Also usually last digits are printed on serial console by the camera at firmware startup (ex. K412) and is reported under Model ID of the rom dumper.

dfort

  • Developer
  • Hero Member
  • *****
  • Posts: 3707
Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
« Reply #117 on: April 12, 2019, 02:06:32 AM »
Ah -- there it is, first line on the RESCUE.LOG:

Code: [Select]
  Magic Lantern Rescue
 ----------------------------
 - Model ID: 0x412 M50
 - Camera model: Canon EOS KISS M
 - Firmware version: 1.0.2 / 7.0.0 34(00)
 - IMG naming: 100CANON/????0000.JPG
 - User PS: ??? ??? ???
 - Boot flags: FIR=0 BOOT=0 RAM=-1 UPD=-1
 - ROMBASEADDR: 0xE0040000
 - boot_read_sector 103604
 - boot_write_sector 10361a
 - 10362a: BL 104dc4
 - 10180B Card init => 2
 - Dumping ROM0... 100%
 - MD5: 0f1e58aea6c1b77d2d8ac244050069c0
 - Dumping ROM1... 100%
 - MD5: 2c7ab85a893283e98c931e9511add182
 - No serial flash.
 - Saving RESCUE.LOG ...

Ok, so that's the Model ID. I suspected that but wanted to make sure. Of course it doesn't change on a firmware update.

Looked up those links and it appears that the M50 hasn't been integrated into exiftool or libcraw2 or dcraw for that matter. There is one little hint on the dcraw source code about the M50:

Code: [Select]
    { "Canon EOS M5", 0, 0, /* also M50 */
{ 8532,-701,-1167,-4095,11879,2508,-797,2424,7010 } },

That might be useful for future reference though if you run the latest build of dcraw with the -T option on a .CR3 file from the M50 all you come up with is a black frame.

To run the M50 in QEMU it still needs to be patched. I saved a patched version in my repository so I merged in the latest qemu branch changes and -- ugh, more to do. There is a bunch of stubs that need to be updated in debugmsg.gdb. Hope I got all of them right:

qemu-eos/M50/debugmsg.gdb
Code: [Select]
# ./run_canon_fw.sh M50 -d debugmsg
# ./run_canon_fw.sh M50 -d debugmsg -s -S & arm-none-eabi-gdb -x M50/debugmsg.gdb

source -v debug-logging.gdb

# To get debugging symbols from Magic Lantern, uncomment one of these:
symbol-file ../magic-lantern/platform/M50.102/magiclantern
#symbol-file ../magic-lantern/platform/M50.102/autoexec
#symbol-file ../magic-lantern/platform/M50.102/stubs.o

macro define CURRENT_TASK 0x1028
macro define CURRENT_ISR  (*(int*)0x100C ? (*(int*)0x1010) : 0)
macro define NUM_CORES 2
macro define NULL_STR 0xE0041041

# GDB hook is very slow; -d debugmsg is much faster
# ./run_canon_fw.sh will use this address, don't delete it
# b *0xE0577F3C
# DebugMsg_log

b *0xE0786538
assert_log

b *0xE0545E4E
task_create_log

# what's the difference?!
b *0xE0546072
task_create_log

b *0xE057783C
register_interrupt_log

b *0xE05721B8
register_func_log

if 0
  b *0xE05727D0
  create_semaphore8_log

  b *0xE0572896
  take_semaphore_log
end

b *0xE0559272
CreateStateObject_log

b *0xE02A89E4
mpu_send_log

b *0xE016F31A
generic_log

b *0xE074F0F0
generic_log


b *0xE00508B0
generic_log

b *0xE0577ADC
generic_log

b *0xE06704E4
commands
  silent
  print_current_location
  printf "I2C_Write(%x, %x, %x, %x)\n", $r0, $r1, $r2, $r3
  set $r0 = 0
  set $pc = $lr
  c
end

b *0xE0573522
commands
  silent
  print_current_location
  printf "!! NIGHTMARE !! S_PROPAD_INVALIDPARAMETER 20003\n"
  set $r0 = 0
  set $pc = $lr
  c
end

b *0xE004490E
commands
  silent
  print_current_location
  printf "DataLoad_wait hack\n"
  set $r1 = 1000
  c
end

b *0xE004A488
commands
  silent
  print_current_location
  printf "lens init?\n"
  set $r0 = 0
  set $pc = $lr
  c
end

b *0xE01E1318
commands
  silent
  print_current_location
  printf "RemCPUSwChk\n"
  set $r0 = 0
  set $pc = $lr
  c
end

b *0xE016F31A
commands
  silent
  print_current_location
  printf "conductor\n"
  set $r0 = 0
  set $pc = $lr
  c
end

if 0
b *0xE01E12B8
commands
  silent
  print_current_location
  printf "SwitchCheck\n"
  set $r0 = 5
  set $r1 = 0
  set $pc = 0xE07599BC
  c
end
end

b *0xE0759A98
commands
  silent
  print_current_location
  KRED
  printf "LED drive %x %x\n", $r0, $r1
  KRESET
  log_result
  c
end

if 0
b *0xE05E994E
commands
  silent
  print_current_location
  printf "rtc drv\n"
  set $r0 = 0
  set $pc = $lr
  c
end
end

#b *0x1b1d40
#b *0x1b1c40
#b my_cstart
#b my_dcache_clean

#b *0xE0004cea thread 2
#b *0xe00400fe
#commands
#    dump binary memory 40000000.bin 0x40000000 0x40100000
#    dump binary memory DF000000.bin 0xDF000000 0xDF100000
#end

# i2c_read
b *0xE0670444
generic_log

# i2c_write
b *0xE06704E4
generic_log

# hpcopy
if 0
b *0xE02E02EE
commands
    silent
    print_current_location
    KRED
    printf "HPCopy(%x, %x, %x)\n", $r0, $r1, $r2
    KRESET
    set $r2 = 0x4
    tbreak *($lr & ~1)
    commands
        silent
        print_current_location
        KRED
        printf "HPCopy ret %x\n", $r0
        KRESET
    end
end
#generic_log
end


# HPCopy
# Hardware protocol looks complex; emulating from GDB for now
b *0xE02E02EE
commands
  silent
  print_current_location
  KRED
  printf "HPCopy(%x, %x, %x)\n", $r0, $r1, $r2
  KRESET

  # execute plain memcpy instead (same arguments)
  set $pc = 0xe065e8dd

  # we need to return 0 on success, unlike memcpy
  tbreak *($lr & ~1)
  commands
    silent
    set $r0 = 0
    c
  end
  c
end

b *0xE01E1318

b *0xE06599A0
commands
  silent
  print_current_location
  KRED
  printf "Wakeup\n"
  KRESET
  c
end

b *0xE01E12B8
commands
  silent
  print_current_location
  KRED
  printf "SwitchCheck skipping\n"
  KRESET
  set $pc = $lr
  c
end

b *0xE01A4B92
commands
  silent
  print_current_location
  KRED
  printf "RTCMgrState_S00_I00 skipping\n"
  KRESET
  set $pc = $lr
  c
end

b *0xE01E3796
commands
  silent
  print_current_location
  KRED
  printf "PhySw stuff skipping\n"
  KRESET
  set $pc = $lr
  c
end

b *0xE0040C90
commands
  silent
  print_current_location
  KRED
  printf "take_sem WaitCCInit\n"
  KRESET
  set $r1 = 1000
  c
end

b *0xE00EE288
commands
  silent
  print_current_location
  KRED
  printf "SubCPU something skipping\n"
  KRESET
  set $pc = $lr
  c
end

#b *0xE00504B2


cont

As I recall the gui emulation isn't working yet. The invalid 1.0.2 ROM1.BIN is a problem, QEMU kept crashing so I "borrowed" the valid file from 1.0.1 and the Frankenstein monster awoke:



Reason I'm calling it Frankenstein is because even though it is clearly running 1.0.2, the CineStyle Picture Style came from the 1.0.1 firmware dump ROM1.BIN file from @leathc.

Ok--so how about running my firmware update on it to get the firmware signature? It did seem to run fine on the camera but no matter how high I flew the kites or number of lightning strikes, qemu refused to go past this:

Code: [Select]
Now jump to AUTOEXEC.BIN(0x00800000)!!
[CPU0] 00800008: MRC p15,0,Rd,cr0,cr0,5:      MPIDR -> 0x80000000
5D3.* 7D.206 700D.115 EOSM.203 EOSM2.103 M50.102

aprofiti

  • Contributor
  • Member
  • *****
  • Posts: 173
Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
« Reply #118 on: April 12, 2019, 02:54:52 AM »
Two reasons I have encountered which can make it hang there:
1. It reached firmware signature check and failed to pass
2. Some wrong address for patching cache or others in platform/m50/constants.h

Have you compiled with Qemu debugging messages enabled?

Firmware signature message are that kind of type (like this).

dfort

  • Developer
  • Hero Member
  • *****
  • Posts: 3707
Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
« Reply #119 on: April 12, 2019, 05:07:42 AM »
I've got the debugging messages enabled.

Code: [Select]
./run_canon_fw.sh M50,firmware="boot=0" -d debugmsg -s -S & arm-none-eabi-gdb -x M50/debugmsg.gdb
Lot of this going on:

Code: [Select]
[CPU0] [  HeartBeat0:e0234c7f ] SubCPU something skipping

Went back and forth between M50.101 and M50.102 and as far as I can see they are both running the same in QEMU with the exception of not being able to get past that sticking point (with "boot-1" of course) because of the firmware signature. Just to see if your suggestion of a "faked" value will show a message like what you got on the 200D I changed the M50.101 firmware signature and it got stuck at exactly the same place.

So--looks like I got a firmware update that is 99% there. It is just missing the key to unlock it.  :-X

Yeah, I know--this firmware update is just a minor one but going through the process is a good way to get familiar with the camera.

Code: [Select]
Firmware Version 1.0.2 incorporates the following fix:

1. Improves reliability of communication with external flashes.
5D3.* 7D.206 700D.115 EOSM.203 EOSM2.103 M50.102

aprofiti

  • Contributor
  • Member
  • *****
  • Posts: 173
Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
« Reply #120 on: April 12, 2019, 11:57:22 AM »
I mean compile with CONFIG_QEMU=y to enable qprintf in console.
Can't retrieve the exact command line now, should be appended after make command (tried in makefile one time and didn't worked with digic6 branch  so not sure about that method)

dfort

  • Developer
  • Hero Member
  • *****
  • Posts: 3707
Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
« Reply #121 on: April 12, 2019, 02:11:10 PM »
Code: [Select]
make CONFIG_QEMU=y
BINGO!

Code: [Select]
[CPU0] 00800008: MRC p15,0,Rd,cr0,cr0,5:      MPIDR -> 0x80000000
[boot] firmware signature: 0x3b70901c (997232668)
                 expected: 0x80bd9b4b (-2135057589)
            computed from: 0xe0040000 (-536608768)

It woke up:

Code: [Select]
[BOOT] jumping to relocated startup code at 0x1b2349 (1778505)
[CPU0] 001B1890: MCR p15, ...          : CACHEMAINT x514 (omitted)
[CPU0] 001B2348: MCR p15,0,Rd,cr12,cr0,0:       VBAR <- 0xE008F6E0
[CPU0] 001B2352: MRC p15,0,Rd,cr0,cr0,5:      MPIDR -> 0x80000000
Wake up CPU1
Wake up CPU1
[CPU1] E00088B4: MRC p15,0,Rd,cr0,cr0,5:      MPIDR -> 0x80000001
[CPU1] E00088C4: MCR p15,0,Rd,cr12,cr0,0:       VBAR <- 0xE000001D

Now how to get a valid ROM1.BIN dump. It is working on the "fishy" build but that hasn't been pushed to the remote yet. (Probably because there's something fishy with that changeset?)

Code: [Select]
Magic Lantern fishy.2019Apr01.M50101
Camera   : M50
Firmware : 101
Changeset: dd284faf66c8 (fishy-april-fools) tip
Built on : 2019-04-01 12:00:19 by alex@thinkpad

Code: [Select]
hg up -C dd284faf66c8
abort: unknown revision 'dd284faf66c8'!
5D3.* 7D.206 700D.115 EOSM.203 EOSM2.103 M50.102

70MM13

  • Member
  • ***
  • Posts: 229
Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
« Reply #122 on: April 12, 2019, 03:47:28 PM »
dfort, this is very cool to watch!

keep sharing...

ughhhml

  • New to the forum
  • *
  • Posts: 2
Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
« Reply #123 on: April 12, 2019, 05:47:38 PM »

will anyone send a link to the full m50 software? pleas!!

Walter Schulz

  • Contributor
  • Hero Member
  • *****
  • Posts: 6737
Re: DIGIC 8 'PowerShot' development (M50, SX70, SX740)
« Reply #124 on: April 12, 2019, 07:08:19 PM »
There is no full ML for M50 yet.
Photogs and videographers: Assist in proof reading upcoming in-camera help!. Your input is wanted and needed!