Canon EOS R5 / R6

[yourboylloyd]

I've tried that. I tried FAT16 and FAT32. I even tried running Windows in safe mode. It just won't work. Someone on discord suggested that I should use a smaller card, or that I should somehow trick my CPU into thinking that my card is smaller.

I'm using a 128gb lexar card. I don't have anything smaller nor do I know how to make my card "look smaller."

I don't know how to use Linux, but I do have a Ubuntu VM. I can possibly try to make the card work if I can do it in Linux. I would need a LOT of guidance though.

[names_are_hard]

Canon Basic has a very, very small chance to work on EOS R.  I don't think there are any EOS cams that Canon Basic is known to work on.  UART is the most likely route to dump an R rom.

[yourboylloyd]

I'm not sure @names_are_hard. A1ex JUST posted this.

Confirmed working on M50. Very cool!

I have to figure out how to make this work.

[a1ex]

Yeah, today I woke up earlier than usual for some reason, so I've dusted off the M50 and tested the dumper

Guess what: the EOS R has some Canon Basic scripts in the firmware, pretty much the same ones as on the M50, so it's definitely worth trying.

If it works, it may provide a way to execute code on newer cameras cameras without hardware hacks, and without us having to break the encryption. Which hopefully keeps us safe(r) from the DMCA as well, but IANAL

That is, it might be possible to enable the boot flag directly from a Canon Basic script. At least, the execution context looks relatively safe at first sight (outside LiveView, with GUI locked up).

I'm using a 128gb lexar card. I don't have anything smaller nor do I know how to make my card "look smaller."

You could write our QEMU card image to the card, which will shrink the filesystem to 256MB (FAT16 iirc):

Formatting a larger card at a much lower capacity (e.g. 256MB) does the trick. For example, you can write the SD image that comes with QEMU to your SD or CF card (follow this guide). This image contains the portable display test and is bootable (so, you can test it in the camera straight away).

To verify it, test the card on any other ML-enabled camera. Once that works, make the card scriptable by following CHDK instructions (EosCard or whatever), then start the camera, go to PLAY mode and press SET. At least, that's what I did on M50.

I can also prepare a scriptable card image with Canon Basic dumper, if needed.

[names_are_hard]

Interesting.  I knew the M50 was hybrid Powershot / EOS, so there it makes sense, but I'm surprised about R!  Maybe they've merged their code bases??  Or maybe all mirrorless use the hybrid code base, that could make sense?

If your suggestions don't work, I've got a Canon Basic disk image confirmed to work on my G15 that I can probably send a script to @yourboylloyd that'll write to a card via Linux VM.

[kitor]

So it looks easy to get to. The problem is that the pins are extremely tiny. I'm going to try to measure the distance between them once I get a good battery for my calipers. But it's so small that I probably won't be able to tell if the pitch was between 0.4mm or 0.3mm or something.

Oh, so looks that my guess was right  We just need an confirmation, but the pitch basically confirms that.

Between 0.35 and 0.4mm according to my measurements on R. Thus I'd expect same pinout, as I don't see them having set of identical but differently wired interfaces.

As for EOSCARD, be sure it's not formatted in exfat. I forgot that yesterday when upgrading R to latest FW. Good news is that bootflag persisted, and dumper still works on 1.7.0

Guess what: the EOS R has some Canon Basic scripts in the firmware, pretty much the same ones as on the M50, so it's definitely worth trying.

Oh, that's why you asked Nope, but I'll try later today.

Interesting.  I knew the M50 was hybrid Powershot / EOS, so there it makes sense, but I'm surprised about R!  Maybe they've merged their code bases??  Or maybe all mirrorless use the hybrid code base, that could make sense?

IIRC R and M50 bootloaders were identical. For the firmware I have no clue.

[chris_overseas]

You could write our QEMU card image to the card, which will shrink the filesystem to 256MB (FAT16 iirc):

To verify it, test the card on any other ML-enabled camera. Once that works, make the card scriptable by following CHDK instructions (EosCard or whatever), then start the camera, go to PLAY mode and press SET. At least, that's what I did on M50.

I can also prepare a scriptable card image with Canon Basic dumper, if needed.

I have an R5 here and just tried to get this working without luck so far. I did the following:

• Low level formatted a 128GB SD card in the R5
• On my PC I then wrote the QEMU SD card image to it using Win32 Disk Imager, verified the card was showing as 256MB
• Checked the card worked as expected in my 5D3
• Used EOScard 1.40 to set the card as scriptable (by ticking SCRIPT, unticking EOS_DEVELOP and BOOTDISK, then choosing "Save")
• Created a script.req file containing the string "for DC_scriptdisk"
• Created an extend.m file containing Hello World
• Created an extend.m file containing the dumper script
• Put the card in the camera, powered up, pressed Play followed by Set (also tried Play followed by Q)

Unfortunately nothing happens. Have I made a mistake or are we out of luck? Maybe there's a different combination required to trigger the script?

[yourboylloyd]

To verify it, test the card on any other ML-enabled camera.

Unfortunately I sold my t3i and all I have is a CFcardaccepting 5d2. I won't have a way to verify.

I can also prepare a scriptable card image with Canon Basic dumper, if needed.

That would be awesome probably. Especially since we're in two different time zones and it would be harder to communicate (bedtime was 2 hours ago for me ).

I actually do want to learn how to do it though so I'll probably follow your instructions anyway.

[kitor]

Canon basic dumper works on R! Not sure if without bootflag enabled too.

I created the files with Unix line endings (LF only). I made card by using EOScard, with only option "script" selected.
Both files (extend.m and script.req) you can download here: https://kitor.pl/eos_r/cbasic_dumper.zip

Of course credits for dumper goes to @srsa as I took his code directly from this post

After I put card into camera, I went into playback mode, pressed Q/Set button and red light turned on. A minute later it was done, ROM.txt was saved to card root!

[c_joerg]

Unfortunately nothing happens. Have I made a mistake or are we out of luck? Maybe there's a different combination required to trigger the script?

Sure the SD Card is not exfat?
You need FAT.

[chris_overseas]

Sure the SD Card is not exfat?
You need FAT.

Yes, it's FAT

[c_joerg]

On my M100, the basic scripts only start every second time (on average).
There has to be some kind of temporal behavior.

[srsa]

The R5 and R6 have two card slots. In the firmwares I've seen, the extend.m script is expected to be on drive B: . Single card models seem to map their SD slot to B:
Of course, it's possible that scripting is not available on these models, or, they may have changed something to hinder 3rd party research.

@yourboylloyd
The UART likely uses 1.8V signalling level, your 3.3V and 5V adapters won't work on that. @kitor can probably recommend a compatible hw.

On my M100, the basic scripts only start every second time (on average).

I don't remember seeing that on my cameras. If the script card is prepared correctly, the script can be started reliably.

[kitor]

The UART likely uses 1.8V signalling level, your 3.3V and 5V adapters won't work on that. @kitor can probably recommend a compatible hw.

I did simple voltage divider on TX of my usual 3v3 UART, RX was able to pick 1v8 leves fine. Judging by old photo, I used my CH341A based UART:
https://twitter.com/_kitor/status/1095729715284008960

or, they may have changed something to hinder 3rd party research.

That's why I updated R to latest 1.7 - we know that at least there it wasn't removed.

[a1ex]

Does anyone have advice on a way to probe the pins? I have an arduino uno, usb host shield,  FTDI USB UART IC ‘FT232RL’ adapter that can run at 3.3V or 5V, and all the accessories that come with an arduino (breadboard, wires etc). But I don't know how to make a connector that could probe pins that are that small.

I've got the FT232RL adapter, and can confirm it can listen to 1.8V signals via its RX pin, with the jumper set to 3.3V. That's the easiest way to probe for the UART, in my opinion:
- connect the GND pin between FT232 and camera
- use the FT232 RX pin to probe around, while watching the Arduino serial monitor (a needle could be handy)

Expecting a bunch of messages right after camera startup, but also while in LiveView, for example.

TLDR: initial probing can be done with only the GND and RX pins from the FT232 adapter.

For sending messages to the camera, via the FT232 TX pin, you will need a voltage divider, as suggested by Kitor. When you reach this step, you may want to join the chat room

[turtius]

I am going to try out the Jtagulator: http://www.grandideastudio.com/jtagulator/

This device can scan up to 24 pins simultaneously and figures out the pinout of UART or JTAG. You can also set the voltage via software at which the device scans the pins (pretty handy for 1.8V pins).
It is a bit expensive but it is also open source so I will solder it by myself within the next few days.

I will let you let you know once I've tried that out but first the PCB and the parts needs to arrive...

What about the connectors and the FPC cable itself? any ideas?

[kitor]

I went the hard way with R, and probed testpoints with needle soldered to wire, that was connected to UART TX. Yes, this required removing whole back case.
Later, I used 0.5mm pitch FPC, just removed all unused pins, and tried to slightly shrink those needed ones so they won't short nearby pins.

You can deal with GND by just taking it from any outside connector, like USB case - instead of having it on ribbon. It's easier to deal with two instead of three pins.

Anyway, I'd try Canon Basic again. No disassembly needed, and it's confirmed to work on R and RP... so there's a high hope getting there without disassembly. Just check in both slots, as it was mentioned that it needs to be B:\, which we have no idea how maps two slots to letters in R5/R6.

[yourboylloyd]

I have an R5 here and just tried to get this working without luck so far. I did the following:

• Low level formatted a 128GB SD card in the R5
• On my PC I then wrote the QEMU SD card image to it using Win32 Disk Imager, verified the card was showing as 256MB
• Checked the card worked as expected in my 5D3
• Used EOScard 1.40 to set the card as scriptable (by ticking SCRIPT, unticking EOS_DEVELOP and BOOTDISK, then choosing "Save")
• Created a script.req file containing the string "for DC_scriptdisk"
• Created an extend.m file containing Hello World
• Created an extend.m file containing the dumper script
• Put the card in the camera, powered up, pressed Play followed by Set (also tried Play followed by Q)

Unfortunately nothing happens.

I tried everything on the R6. I can confirm this isn't working either.

My card is 256mb. I used EOSCARD to make sure it was scriptable. Pressed PLAY and then SET = Nothing. Pull Out battery. Pressed PLAY and then Q = Nothing. Repeat for PLAY and then (EVERY OTHER BUTTON ON THE CAMERA) = Nothing.

I tried Card slot 1 and then card Slot 2.

Maybe I should try having 2 cards with the same script on them in both slots? Any ideas?

Edit: I just counted and found that there is a total of 26 buttons (including dials and joystick directions) on the R6. Assuming that there are 2 input combinations to start the script, there are a possible 26x26 = 676 combinations that are possible to be the solution XD

If no one else has a better idea, I'll get to fingering.

Edit 2:

edit:
It turned out that there are better ways to dump ROM content - I can tell what they are if anyone is interested.

Does anyone know what that "better way" is? I sent srsa a PM asking about it.

[c_joerg]

Edit: I just counted and found that there is a total of 26 buttons (including dials and joystick directions) on the R6. Assuming that there are 2 input combinations to start the script, there are a possible 26x26 = 676 combinations that are possible to be the solution XD

Or a combinaton with touchscreen 

https://chdk.fandom.com/wiki/Canon_Basic/Card_Setup
Some touchscreen cameras run the script when the focus lever is turned to the left.

[yourboylloyd]

Or a combinaton with touchscreen 

You gotta be kidding me... I didn't even think of that.

Some touchscreen cameras run the script when the focus lever is turned to the left.

What does that even meannn??? A focus lever?? Do I have to focus my lens at infinity? Or close focus? Does it have to be a canon lens? What if the lens is manual focus?

Whatever I'll try whatever I think it's saying and report back.

Edit: I tried focusing at close focus, half way, infinity, infinty and beyond. Multiple lenses. Multiple cardslots. The SET button. The Q button. Nothing.

[Walter Schulz]

You may be not aware that most PowerShot code-based cams don't have something like a focus ring but rely solely on remote focus control and this hack srsa most kindly introduced to us is born in the CHDK realm...

And: No, I don't have any idea if this focus thingy applies to R-cameras and (in case it does) how to handle this requirement. ;-) And I suspect he's acturally referring to "zoom lever".

[srsa]

Does anyone know what that "better way" is? I sent srsa a PM asking about it.

Replying here.
I added that edit before making the new thread about scripting. The 'better way' is nothing more than the two short dumper scripts in the first post of the new thread.

As for the lack of success running scripts on R5/R6, I still tend to think that Canon has changed some details in their script related code or even decided to remove it altogether.
So, IMO, the current way to go ahead is the UART.

[garry23]

 

https://www.diyphotography.net/take-a-peek-inside-the-canon-eos-r6-mirrorless-camera-in-this-disassembly-and-teardown/

[garry23]

 

https://petapixel.com/2020/09/04/teardown-reveals-overheating-timer-chip-inside-the-canon-eos-r6/

[yourboylloyd]

CANON BASIC DUMPER WORKS ON THE R6!!!! I'VE SUCESSFULLY RAN THE SCRIPT ON THE R6 Firmware 1.1.0

First:

I borrowed my friend's M50. Using Kitor's card image, I tried to run the same script on the 128gb SDXC card that I used for my R6 trials. I found that it wasn't working. So I knew something was up.

Second:

I went to walgreens and bought a $20 16GB SDHC-I card (why was that so expensive for 16 gigabytes?? I mean c'mon!) and I tried to run the script on the M50 again using that card. It worked on the M50!! I was given a boot00.bin file

So I figured it had work on the R6. I deleted the bin file and tried it on my R6. I put the SD card in the second card slot (the one labled 2). Turned it on. Pressed PLAY and then SET. Then the card LED turned RED and Voila! boot00.bin file!!

TLDR: SDXC cards don't work for some reason. The script also DOES NOT WORK in Slot 1 at all. Use SDHC cards to dump rom images. Thanks to Ant123 and Walter for the idea to use a different card! And Kitor for the image.

Edit: I ran the SaveAllRomImageToFile() script that was in srsa's example scripts and I was left with two files. gang100.bin (65,536KB) and gang200.bin (32,768KB).