DIGIC 8+ MPU investigation

Started by coon, December 14, 2020, 07:17:02 PM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

coon

As already mentioned here https://www.magiclantern.fm/forum/index.php?topic=7531.msg232995#msg232995 we were wrong about the pinout of the service connector. Mike Tornado has found out the correct one which is:


1: VCC_ICU (1v8)
2: RX_ICU (1v8)
3: TX_ICU (1v8)
4: GND
5: /MPU_FORCED_WAKEUP (3v3)
6: TX_MPU (3v3)
7: RX_MPU (3v3)
8: VCC_MPU (3v3)


When using this pinout I do now get an echo from MPU. Hitting enter shows a prompt:


>>>MON


Typing HELP lists all available commands on MPU:


MON>>>HELP

-----------------------------------------------
             Monitor Command List             
-----------------------------------------------
INDIINFO INDICLK INDIAVE ACCCAMPOS CYCLE
ADPTEST BATTCLOSE BATTCHECK BCINFO BATTLEVEL
BATTUSEERR BATTREPREQ BATTEXCLU BATTCHECKSPEC
GETRCP GETRC GETSC FGCOMM FGCOMME4 BATTINFO
VLDET CHGBATTLEVEL ABOUT VER FAABOUT FAVER HELP
UPBNY TRMOSC DEBUGLOG ICUREQ DISPPORTKEEP REGR
REGW MEMR MEMW EEPR EEPW EEPCLK ADCHECK
ADCHECK2 ADTIME ADMODE SCOUT UARTMODE UARTBRD
UARTSEND DNFCLK DNFON DNFOFF RTCON RTCOFF
RTCADJON RTCADJOFF TIMEOUT KWUPCNT I2C ICUTEST
MODE MPUSHUTDOWN MPUMUKO SHUTDOWNDEBUG USBCHG
BATSEL GRIPLED LENSPOWER E1ON E1OFF FACMD
TIMERCMD INFOCMD STACKINFO SW MDIALMODE
TEMPINFO TEMPCLK DRYCTEST SYSRESET DLOG DTASK
DUMP LED


Prompt is not available when camera is turned off.

And here we have another set of functions which are waiting to be explored.  8)
EOS RP

coon

ABOUT prints some information about the MPU:


MON>>>ABOUT
-----------------------------------------------
             Debug Monitor Version             
                     K433 ES2A
        Internal high-speed oscillation
-----------------------------------------------
        MPU Ver...0x0110
        MPU check sum...0xBB677C8A

        EEP Ver...0x0A


MPU seems to have a Flashrom and an EEPROM, similiar to ICU.

VER, FAABOUT and FAVER do also print this output.
EOS RP

coon

DUMP prints all running tasks plus a hex dump of memory region 0x20001000 - 0x20001ffc with unknown content:


MON>>>DUMP

    TaskName |         SP |         PC |         LR |        PSR
             |      State | WaitReason |     WaitID |       puID
             |   StackTop |  StackSize |  StackUsed |           
================================================================
     DbgTask | 0x20008ca8 | 0x00008142 | 0x0000c595 | 0x01000000
             |      READY |  536884630 |  536884560 |          0
             | 0x20008c98 |        500 |        500 |           
---------------------------------------------------------------
      SwTask | 0x20007178 | 0x00008142 | 0x0000cbf7 | 0x01000000
             |       WAIT |    W_MQRCV |          1 |          0
             | 0x20006fc8 |        660 |        552 |           
---------------------------------------------------------------
    MainTask | 0x20008898 | 0x00008142 | 0x0000cbf7 | 0x01000000
             |       WAIT |    W_MQRCV |          2 |          0
             | 0x20008450 |       1200 |        604 |           
---------------------------------------------------------------
    BattTask | 0x200074d8 | 0x00008142 | 0x0000cbf7 | 0x01000000
             |       WAIT |    W_MQRCV |          3 |          0
             | 0x20007268 |        752 |        436 |           
---------------------------------------------------------------
    TempTask | 0x20007780 | 0x00008142 | 0x0000cbf7 | 0x01000000
             |       WAIT |    W_MQRCV |          4 |          0
             | 0x20007560 |        640 |        460 |           
---------------------------------------------------------------
     AccTask | 0x20007a08 | 0x00008142 | 0x0000cbf7 | 0x01000000
             |       WAIT |    W_MQRCV |          5 |          0
             | 0x200077e8 |        640 |        404 |           
---------------------------------------------------------------
    DispTask | 0x20007c58 | 0x00008142 | 0x0000c827 | 0x01000000
             |       WAIT |    W_EVENT |          2 |          0
             | 0x20007a70 |        600 |        412 |           
---------------------------------------------------------------
AdapterTask | 0x20007f00 | 0x00008142 | 0x0000cbf7 | 0x01000000
             |       WAIT |    W_MQRCV |          6 |          0
             | 0x20007cd0 |        660 |        408 |           
---------------------------------------------------------------
     LogTask | 0x20009370 | 0x00008142 | 0x0000cbf7 | 0x01000000
             |       WAIT |    W_MQRCV |          7 |          0
             | 0x20008e98 |       1340 |        448 |           
---------------------------------------------------------------
MonitorTask | 0x20008c28 | 0x0004c93c | 0x00000002 | 0x20008d7c
             |       WAIT |    W_MQRCV |          8 |          0
             | 0x20008908 |        900 |        168 |           
---------------------------------------------------------------
    IdleTask | 0x200095c0 | 0x00019c28 | 0x00019c27 | 0x21000000
             |      READY |    W_MQRCV |          8 |          0
             | 0x200093e0 |        500 |        280 |         

MPU Dump Log[0x20001000 - 0x20001ffc]

<hex dump with unknown content here>


Having running tasks suggests that some RTOS is running on MPU.
EOS RP

coon


MON>>>LED

Type ID = 0
Contrl ID = 7
blink cnt = 0
blink on time  = 0
blink off time = -1
Error! Unknown LED ctrl Cmd


I don't know how to use this yet. Maybe it is possible to control the USB charge LED with that.
EOS RP

coon


MON>>>INDIINFO
Indicator ave x:103 y:-7 z:-1017 roll:170 pitch:554 HV:Grip Up
Indicator ave x:102 y:-5 z:-1016 roll:172 pitch:554 HV:Grip Up
Indicator ave x:102 y:-5 z:-1018 roll:172 pitch:554 HV:Grip Up
Indicator ave x:101 y:-6 z:-1017 roll:171 pitch:554 HV:Grip Up
Indicator ave x:102 y:-6 z:-1016 roll:171 pitch:554 HV:Grip Up
Indicator ave x:101 y:-6 z:-1014 roll:171 pitch:554 HV:Grip Up


Does start a periodic logging of the cameras gyroscope. Moving the camera does change the values.
EOS RP

coon


MON>>>BATTINFO

TYPE   :00
NAME   :000000004C502D453137
BNO    :248A0228
FCB    :0442
RV     :1C20
RSVD1  :0000
CYCNT  :0011
CERCNT :00
CARCNT :00
CCNT   :000475
RSVD2  :00000000


Shows information about the battery. Does output nothing, when an AC adapter is used.
EOS RP

coon


MON>>>BCINFO
BC Result
Battery   :Li-ion
Vop       :0276
Vbc       :0258
Iop       :002A
Ibc       :00D3
R         :2D719
R(ohm)    :0024
Vfo1      :0229
Vfo2      :0000
VfoSt     :0229
VfoMotor  :0229


Starts periodic logging of charge / discharge status of the battery.
EOS RP

coon


MON>>>STACKINFO
Sw Task Stack Info addr=0x20008C98 size=500 used=448
Main Task Stack Info addr=0x20006FC8 size=660 used=552
Batt Task Stack Info addr=0x20008450 size=1200 used=604
Temp Task Stack Info addr=0x20007268 size=752 used=436
Acc Task Stack Info addr=0x20007560 size=640 used=460
Disp Task Stack Info addr=0x200077E8 size=640 used=404
Adapter Task Stack Info addr=0x20007A70 size=600 used=412
Log Task Stack Info addr=0x20007CD0 size=660 used=408
Monitor Task Stack Info addr=0x20008E98 size=1340 used=536
Idle Task Stack Info addr=0x20008908 size=900 used=432
(null) Task Stack Info addr=0x200093E0 size=500 used=280


Some info about the stack of all running tasks.
EOS RP

coon


MON>>>TEMPINFO
Battery    : 0x01D4
TEMP(MAIN) : 0x2370 (35.4deg)
TEMP(SH)   : 0x227F (34.4deg)
TEMP(A)    : 0x2BF0 (43.9deg)
TEMP(BACK) : 0x1DB0 (29.6deg)


Displays the values of several temperature sensors. TEMP(A) seems to be the sensor of the main CPU.
When recording a video in 4K @ 25fps on RP, temperature rises over 53C° but I have stopped this after some minutes and may do a long term test later to find out where the temperature maxes out.

Someone with an R5 may try this while doing 8K recording to find out at which temperature the camera is shut down.
EOS RP

coon


MON>>>I2C

Usage: i2c set   channel prs clk slaveaddr
Usage: i2c write channel addr data [data]
Usage: i2c read  channel count
Usage: i2c read  channel addr count


Can possibly be used to send arbitrary data to the cameras I2C devices. Since I don't know which devices are connected to I2C nor which addresses they have and what commands they do expect, I won't touch this for now.
EOS RP

coon


MON>>>SW

LockSw                        : UnLock(On)
LockSw(Raw)                   : UnLock(On)
CardCover                     : Open
CardCover(Raw)                : Open
BatCover                      : Close
BatCover(Raw)                 : Close
CF2DetectSw                   : On
ELButton                      : Off
SubDialLockSw                 : Off
Sw1                           : Off
Sw2                           : Off
AELockButton                  : Off
AFStartButton                 : Off
AFFrameSelectButton           : Off
MIFSw                         : Off
ShotModeButton                : Off
M                             : Off
SetButton                     : Off
MenuButton                    : Off
PlayButton                    : Off
InfoButton                    : Off
EraseButton                   : Off
LvMovieStartButton            : Off
NFCDetectSw                   : Off
BLEDetectSw                   : Off
CrossUp                       : Off
CrossDown                     : Off
CrossRight                    : Off
CrossLeft                     : Off
MainDial                      : 0
SubDial                       : 0
ModeDial[d3,d2,d1,d0]         : 1 0 1 1


Displays the current state of all switches.
I may also use this naming convention for the MPU button codes I have found earlier.

Sw2 = Half Shutter
Sw1 = Shutter

MainDial and SubDial values are stored as absolute values and do count from 0 after boot.
EOS RP

coon


MON>>>EEPR 0 1000
address   0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
00000000 0A FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
00000010 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
00000020 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
...


Does a hex dump from a region of the MPUs EEPROM. First argument is start address, second argument is end address.
When dumping from 0x0 to 0x1000, hex data is not displayed anymore after 0x7FF:


...
000007E0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
000007F0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
00000800                                               
00000810                                               
00000820                                               
00000830                                               
00000840                                               
00000850
...


Therefore MPUs EEPROM has a size of 0x800 Bytes (2KB).
A full EEPROM dump can be done by executing:


EEPR 0 7FF


Be careful not to type EEPW by accident, which will overwrite data in the EEPROM and may render the MPU unbootable!

The content of the EEPROM is unknown yet. It does probably contain user settings.
EOS RP

coon


MEMR 0 FFFFF


Does a hex dump from a region of the MPUs memory. First argument is start address, second argument is number of bytes to read.
Maximum value allowed for second argument is FFFFF.

When executing the command above, the complete firmware of MPU is dumped, since firmware is mapped to 0.
From address ~0x60000 to 0xFFFFF data bytes are all 0xFF on EOS RP and do not need to be dumped.

The firmware of MPU on EOS RP can be dumped by executing the following command:


MEMR 0 60000


Be careful not to type MEMW by accident, which will overwrite data in RAM and may lead to undefined behaviour of the MPU! This meight destroy hardware components in worst case.
EOS RP

coon

Architecture of MPU is 32 bit ARMv7 (little endian) like ICU. Therefore it is not TX19a / MIPS anymore.
Base address of MPU firmware image is 0x20000000.

It looks like that a minimal version of DryOS is running on MPU. I think it should be possible to emulate MPU in qemu now.
We may also abuse the MPUs update mechanism to boot up some MPU version of ML and start our own tasks there, if we should ever be in need for that.
EOS RP

c_joerg

Quote from: coon on December 14, 2020, 08:22:55 PM
Displays the values of several temperature sensors. TEMP(A) seems to be the sensor of the main CPU.

It would be interesting to know which temperature value can be found in the EXIF data of the RAW file.
EOS R

kitor

Just wow!

Quote from: coon on December 14, 2020, 07:17:02 PM
As already mentioned here https://www.magiclantern.fm/forum/index.php?topic=7531.msg232995#msg232995 we were wrong about the pinout of the service connector.

Completly my fault. I extrapolated TX line based on testpads on PCB, never got a prompt on R.
Lesson learned: never trust random guy in internet, even if he seems to know what's he's doing  8)

With so many discoveries, i think this is separate thread(s) worthy? One for drysh on Digic8 and one for MPU. I think nobody dug into MPU that far yet.
Too many Canon cameras.
If you have a dead R or RP mainboard (e.g. after camera repair) and want to donate for experiments, I'll cover shipping costs.

coon

Quote from: c_joerg on December 15, 2020, 08:33:14 AM
It would be interesting to know which temperature value can be found in the EXIF data of the RAW file.

I am using RAW Therapee which cannot read EXIF data from CR3 RAW files which are used on newer canon models. Therefore I cannot answer that right now. If someone knows another free tool which can do that, please let me know!

Quote from: kitor on December 15, 2020, 08:36:18 AM
Completly my fault. I extrapolated TX line based on testpads on PCB, never got a prompt on R.
Lesson learned: never trust random guy in internet, even if he seems to know what's he's doing  8)

No worries, it is undocumented hardware and mistakes do happen. :) Without your post about the existence of the connector I wouldn't have built the cable + dev kit and wouldn't have such a huge progress as I have right now.

Quote from: kitor on December 15, 2020, 08:36:18 AM
With so many discoveries, i think this is separate thread(s) worthy? One for drysh on Digic8 and one for MPU. I think nobody dug into MPU that far yet.

Good point. I may also create some pages on the wiki about my findings.

EOS RP

c_joerg

Quote from: coon on December 15, 2020, 03:21:58 PM
I am using RAW Therapee which cannot read EXIF data from CR3 RAW files, used on newer canon models. Therefore I cannot answer that right now. If someone knows another free tool which can do that, please let me know!

exiftool -h IMG_1234.CR3 >t.txt
Writes all EXIF Data to File. Then you can search for Camera Temperature
EOS R

coon

Yep, exiftool worked.

In point of time a picture was taken MPU said:


Battery    : 0x03D3
TEMP(MAIN) : 0x2120 (33.1deg)
TEMP(SH)   : 0x1EFF (30.9deg)
TEMP(A)    : 0x2760 (39.3deg)
TEMP(BACK) : 0x1B00 (27.0deg)


EXIF said:


Camera Temperature    39 C


Therefore the value of TEMP(A) is taken for EXIF.
EOS RP

c_joerg

Thank you, good to know that the highest temperature is in the EXIF data ...
EOS R

kitor

As I was digging inside R today, I decided to play with MPU (and confirm its pinout).

MON>>>help

-----------------------------------------------
             Monitor Command List             
-----------------------------------------------
INDIINFO INDICLK INDIAVE ACCCAMPOS CYCLE
ADPTEST BATTCLOSE BATTCHECK BCINFO BATTLEVEL
BATTUSEERR BATTREPREQ BATTEXCLU BATTCHECKSPEC
GETRCP GETRC GETSC FGCOMM BATTINFO VLDET ABOUT
VER FAABOUT FAVER HELP UPBNY TRMOSC DEBUGLOG
REGR REGW EEPR EEPW EEPCLK FROMR FROMW FROME
FROMWAKEUP FROMSLEEP FROMCLK ADCHECK ADCHECK2
ADTIME ADMODE SCOUT UARTMODE UARTBRD UARTSEND
DNFCLK DNFON DNFOFF RTCON RTCOFF RTCADJON
RTCADJOFF TIMEOUT KWUPCNT DMACCHK I2C ICUTEST
GRIPSERIOPEN GRIPSERICLOSE GRIPSERISEND
DISPTEST DISPON DISPOFF LIGHTON LIGHTOFF MODE
MPUSHUTDOWN MPUMUKO SHUTDOWNDEBUG USBCHG BATSEL
GRIPLED LENSPOWER E1ON E1OFF FACMD TIMERCMD
INFOCMD STACKINFO SW MDIALMODE TEMPINFO TEMPCLK
GETIDAC TPULOG DRYCTEST SYSRESET


Command set is a little different than in RP.


MON>>>ABOUT

-----------------------------------------------
             Debug Monitor Version             
                     K424 ES2A
        Internal high-speed oscillation
-----------------------------------------------
        MPU Ver...0x014D
        MPU check sum...0xFE12FC7E

        EEP Ver...0x10
        FROM Ver...0x15
        TPU Ver...0x14
        FROM gang sum...0x937E


Interesting parts: R MPU has additional SPI flash, 2MB in size (not present in RP). It is exposed via FROM* commands. Parameters for FROMR are the same as for EEPR:

MON>>>FROMR 1FFFFF 20000F

address   0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
001FFFF0                                              FF
00200000


Thus you can dump it using FROMR 0 1FFFFF

EDIT: FROM contains images for top LCD (black and white format). R5 also contains such SPI flash near MPU.

Buttons map:

MON>>>sw

LockSw                        : UnLock(On)
LockSw(Raw)                   : UnLock(On)
CardCover                     : Close
CardCover(Raw)                : Close
BatCover                      : Close
BatCover(Raw)                 : Close
CF2DetectSw                   : Off
ELButton                      : Off
SubDialLockSw                 : Off
Sw1                           : Off
Sw2                           : Off
AELockButton                  : Off
AFStartButton                 : Off
AFFrameSelectButton           : Off
MIFSw                         : Off
ShotModeButton                : Off
M                             : Off
SetButton                     : Off
MenuButton                    : Off
PlayButton                    : Off
InfoButton                    : Off
EraseButton                   : Off
LvMovieStartButton            : Off
NFCDetectSw                   : On
BLEDetectSw                   : Off
CrossUp                       : Off
CrossDown                     : Off
CrossRight                    : Off
CrossLeft                     : Off

MainDial                      : 0
SubDial                       : 0
Grip                          : Off


TPULOG unknown. Note TPU version in VER output.
My guess (after camera was reassembled) - Touch Panel Unit? ;)

Spams this over and over again:
Pos,255 ,Raw, 0, 0, 0

GETIDAC
MON>>>getidac
getidac end(60ms)
MODULATOR_IDAC 0x00000030
SNS0_IDAC      0x00000015
SNS1_IDAC      0x00000018
SNS2_IDAC      0x00000021
SNS0_RAW       0x00002CD0
SNS1_RAW       0x00002C87
SNS2_RAW       0x00002CE9
SNS0_BSLN      0x00002CC6
SNS1_BSLN      0x00002C82
SNS2_BSLN      0x00002CE0
SNS0_DIFF      0x00000000
SNS1_DIFF      0x00000000
SNS2_DIFF      0x00000000


UARTMODE UARTBRD UARTSEND maybe some kind of uart redirection to talk to some MPU slave?

MON>>>UARTMODE
Usage: uartmode [master | slave]

MON>>>UARTBRD
Usage: uartbrd prs ken brn brk

MON>>>UARTSEND
Usage: uartsend data


DISPTEST DISPON DISPOFF
LIGHTON LIGHTOFF


Functions for top (settings) display present only on R. DISPON/OFF and LIGHTON/OFF does exactly what you think. DISPTEST takes three arguments, not sure how to use it.

TEMPINFO
The same result as on RP, with the same sensors.

Others
coon was getting a ton of temp_task.c:421 I2C Comm Error ret=1 spam in his RP logs. Mine (R) is spamming this only when main LCD assembly is disconnected from camera.

All tests done on R running latest (1.8.0) firmware.
Too many Canon cameras.
If you have a dead R or RP mainboard (e.g. after camera repair) and want to donate for experiments, I'll cover shipping costs.

kitor

MON>>>about

-----------------------------------------------
             Debug Monitor Version             
                     K429 ES2A
        Internal high-speed oscillation
-----------------------------------------------
        MPU Ver...0x0016
        MPU check sum...0x17927A70

        EEP Ver...0x04


Hello from MPU in... EOS R Battery grip (BG-E22)!

Long story short: Yesterday, before i dug into R i was talking with @coon looking for possible R/RP MPU datasheets. I found a photo of my battery grip internals and we realized that it has exactly the same microcontroller as R/RP MPU. This explains why those things are so damn expensive  >:(

You will find how to access UART in Battery grip pins / UART thread.

Now the fun parts:

Command list:

MON>>>help

-----------------------------------------------
             Monitor Command List             
-----------------------------------------------
BATTCLOSE BATTCHECK BCINFO BATTLEVEL BATTUSEERR
BATTREPREQ BATTEXCLU BATTCHECKSPEC GETRCP GETRC
GETSC FGCOMM BATTINFO VLDET ABOUT VER FAABOUT
FAVER HELP UPBNY TRMOSC DEBUGLOG DISPPORTKEEP
REGR REGW MEMR MEMW EEPR EEPW EEPCLK ADCHECK
ADCHECK2 ADTIME ADMODE SCOUT UARTMODE UARTBRD
UARTSEND DNFCLK DNFON DNFOFF RTCON RTCOFF
RTCADJON RTCADJOFF TIMEOUT KWUPCNT I2C ICUTEST
MODE MPUSHUTDOWN MPUMUKO SHUTDOWNDEBUG USBCHG
BATSEL GRIPLED LENSPOWER E1ON E1OFF FACMD
TIMERCMD INFOCMD STACKINFO DRYCTEST SYSRESET


STACKINFO

MON>>>stackinfo
Sw Task Stack Info addr=0x20005DB0 size=4000 used=68
Main Task Stack Info addr=0x20007228 size=1200 used=244
Batt Task Stack Info addr=0x20007228 size=1200 used=244
Temp Task Stack Info addr=0x20007228 size=1200 used=244
Acc Task Stack Info addr=0x20007228 size=1200 used=244
Disp Task Stack Info addr=0x20007228 size=1200 used=244
Adapter Task Stack Info addr=0x20007228 size=1200 used=244
Log Task Stack Info addr=0x200076E0 size=1340 used=520
Monitor Task Stack Info addr=0x20007C28 size=900 used=168
Idle Task Stack Info addr=0x20007FB8 size=500 used=156


UPBNY update binary?

DANGEROUS! Grip won't exit this mode even after power was disconnected. But fortunately ctrl+z broke the sequence after tense 5 minutes.

MON>>>upbny
RSTFLG : 0100

Please Send *.bny
.

Please Send *.bny
Update File Unknown


GRIPLED - toggle grip (charging) LEDs. Argument is (L)eft / (R)ight / (C)lear

MON>>>gripled
Usage:GRIPLED [L/R/C]
Too many Canon cameras.
If you have a dead R or RP mainboard (e.g. after camera repair) and want to donate for experiments, I'll cover shipping costs.

leegong

Quote from: coon on December 14, 2020, 11:08:48 PM
Architecture of MPU is 32 bit ARMv7 (little endian) like ICU. Therefore it is not TX19a / MIPS anymore.
Base address of MPU firmware image is 0x20000000.

It looks like that a minimal version of DryOS is running on MPU. I think it should be possible to emulate MPU in qemu now.
We may also abuse the MPUs update mechanism to boot up some MPU version of ML and start our own tasks there, if we should ever be in need for that.
Could you please send MPU firmware dumping to my E-mail? [email protected]
I can analyze the firmware with IDA PRO, add value to your DIGIC 8 MPU investigation.

leegong


leegong

Just build IDB with RP_MPU Dumping,
ROM:00019E56                 BLX             R2  is call interface of all monitor function found by coon ,
key struc_table at 0x4ED38:
00000000 struc_DbgFunction struc
00000000 lp_DbgCmdString
00000004 lp_funcall
Anybody wants the IDB? send PM to me or let me know in this post please.       

leegong

structure of MPU Msg in RP is exactly same as that in EOS.
MainTimeLapse_SW1OFF : mpu_send(0x5 0x3 0x21 0x00 0x00);
MainTimeLapse_SW1ON : mpu_send(0x5 0x3 0x21 0x01 0x00);
MainTimeLapse_SW2OFF : mpu_send(0x5 0x3 0x22 0x00 0x00);
MainTimeLapse_SW2ON : mpu_send(0x5 0x3 0x22 0x01 0x00);

leegong

Quote from: coon on December 14, 2020, 10:58:34 PM

MEMR 0 FFFFF


Does a hex dump from a region of the MPUs memory. First argument is start address, second argument is number of bytes to read.
Maximum value allowed for second argument is FFFFF.

When executing the command above, the complete firmware of MPU is dumped, since firmware is mapped to 0.
From address ~0x60000 to 0xFFFFF data bytes are all 0xFF on EOS RP and do not need to be dumped.

The firmware of MPU on EOS RP can be dumped by executing the following command:


MEMR 0 60000


Be careful not to type MEMW by accident, which will overwrite data in RAM and may lead to undefined behaviour of the MPU! This meight destroy hardware components in worst case.

Based on analyzing of RP MPU firmware, Both of First argument and second argument are address ,
so Usage : MEMR StartingADDR EndingADDR
StartingADDR and EndingADDR could add prefix "0x"

leegong

LockSw                        // MPU_send_Msg0300(0x5,0x3, 0x0,LockSw,0x0);               
CardCover                    // MPU_send_Msg0301(0x5,0x3, 0x1,CardCover,0x0);           
BatCover                      // MPU_send_Msg0302(0x5,0x3, 0x2,BatCover,0x0);           
CF2DetectSw               // MPU_send_Msg0304(0x5,0x3, 0x4,CF2DetectSw,0x0);
ELButton                     // MPU_send_Msg0312(0x5,0x3, 0x12,ELButton,0x0);
SubDialLockSw            // MPU_send_Msg031B(0x5,0x3, 0x1B,SubDialLockSw,0x0);
Sw1                           // MPU_send_Msg0305(0x5,0x3, 0x5,Sw1,0x0);
Sw2                           // MPU_send_Msg0306(0x5,0x3, 0x6,Sw2,0x0);
AELockButton             // MPU_send_Msg0307(0x5,0x3, 0x7,AELockButton,0x0);
AFStartButton             // MPU_send_Msg0308(0x5,0x3, 0x8,AFStartButton,0x0);
AFFrameSelectButton       // MPU_send_Msg030B(0x5,0x3, 0x8,AFFrameSelectButton,0x0);
MIFSw                         : Off
ShotModeButton         // MPU_send_Msg030A(0x5,0x3, 0xA,ShotModeButton,0x0);
M                             // MPU_send_Msg030C(0x5,0x3, 0xC,M,0x0);
SetButton                     // MPU_send_Msg030D(0x5,0x3, 0xD,SetButton,0x0);
MenuButton                   // MPU_send_Msg030E(0x5,0x3, 0xE,MenuButton ,0x0);
PlayButton                    // MPU_send_Msg030F(0x5,0x3, 0xF,PlayButton ,0x0);
InfoButton                    // MPU_send_Msg0310(0x5,0x3, 0x10,InfoButton ,0x0);
EraseButton                  // MPU_send_Msg0311(0x5,0x3, 0x11,EraseButton ,0x0);
LvMovieStartButton       // MPU_send_Msg0314(0x5,0x3, 0x14,LvMovieStartButton ,0x0);
CrossUp                       // MPU_send_Msg0315(0x5,0x3, 0x15,CrossUp,0x0);
CrossDown                   // MPU_send_Msg0316(0x5,0x3, 0x16,CrossDown,0x0);
CrossRight                   // MPU_send_Msg0317(0x5,0x3, 0x17,CrossRight,0x0);
CrossLeft                     // MPU_send_Msg0318(0x5,0x3, 0x18,CrossLeft,0x0);

kitor

A few details based on Digic X / EOS R5 MPU firmwares (both internal MPU and grip MPU).

Details on BG-R10 battery grip MPU UART: https://www.magiclantern.fm/forum/index.php?topic=7531.msg242570#msg242570

Firmware

For Ghidra I got a better disassembly using ARM Cortex instead of ARMv7.

1st stage bootloader starts at 0x0. It is very small compared to ICU counterpart. Some small chunks of bootloader are copied to RAM before execution.
Then there's a usual cstart() (including copy of some data into RAM) which follows up to a "regular" DryOS.
Early init_task is similar, but differences start quickly.

Init task literally kickstarts everything by filling in interrupt handlers, msg queues, flags, semaphores, registering assert handler and then spawning a single MainTask.

MainTask is where all the other hardware init happens (including spawning all other tasks at once). When its done, it goes into a loop that handles messages from queue.

There's no functions like task_create, firmware calls "internal" kernel functions directly. So it is definitely a lightweit version of DryOS.
R5 firmwares runs DryOS 060+p8, like ICU.

New thing, visible on R5/R5 grip is DbgMgr. Firmware is much more verbose on UART. R/RP/R grip used uart_printf directly.
It seems a simplified form of DbgMgr from EOS firmwares. `DryosDebugMsg` call format is the same.

As said, is it very verbose now (this is UART output on R5):

MON>>>      94.063 : MATRIX ksout:2
      94.071 : MATRIX ksin :2
      94.650 :  [LENS] kick-> 2
      94.669 :  [LENS] not kick-> 0
      94.733 :  [LENS] Event -> 2
      94.742 :  [!!LENS] CtrlEvent -> 5
      94.761 : VBAT2Off VDD2Off
      95.905 :  [LENS] Event -> 0
      95.924 :  [LENS] waitTimer start
     100.321 : AllTask InitComp
     114.086 : powerSupply stop
     114.105 :  [STM] STM_STATE_T:   -> SupplyOff
     116.426 : ----9V req
     117.336 : BATT INFO1 -> 4
     117.344 : BATT INFO2 -> 0
     117.478 : powerSupply stop
     117.497 :  [STM] STM_STATE_T:   -> SupplyOff
     151.749 : para2:1
     197.445 :  [!!LENS] timer comp-> 0
     197.473 :  [LENS] event Que Empty...
     696.636 : Rcv ICU Cmd :COM_INIT
     696.647 : Rcv ICU ID  :0x00
     696.655 : Rcv ICU DATA:0x00
     696.758 : init PDIC_USB_DET = High
     699.681 : ------------Startup Time Report------------
     699.726 :   NOT First run
     699.815 :   Lens  OFF
     699.860 :   ICU RESET RELEASE              [   68 ms]
     699.906 :   Response COM_INIT_DATA_REQUEST [    3 ms]
     699.939 : -------------------------------------------
     702.067 : Sw Rcv ICU Cmd :0x03
     702.116 : Sw Rcv ICU ID  :0x32
     702.165 : Sw Rcv ICU DATA:0x00
     702.266 : Sw Rcv ICU Cmd :0x03
     702.273 : Sw Rcv ICU ID  :0x32
     702.281 : Sw Rcv ICU DATA:0x00
     702.878 : Rcv ICU Cmd :COM_TIMER
     702.984 : Rcv ICU ID  :0x04
     703.032 : Rcv ICU DATA:0x00
     703.152 : Sw Rcv ICU Cmd :0x02
     703.159 : Sw Rcv ICU ID  :0x14
     703.167 : Sw Rcv ICU DATA:0x00
     704.864 : Sw Rcv ICU Cmd :0x02
     704.872 : Sw Rcv ICU ID  :0x14
     704.880 : Sw Rcv ICU DATA:0x00
     706.378 : Sw Rcv ICU Cmd :0x02
     706.386 : Sw Rcv ICU ID  :0x2E
     706.394 : Sw Rcv ICU DATA:0x02
     706.932 : Rcv ICU Cmd :COM_INFO
     706.981 : Rcv ICU ID  :0x12
     707.134 : Sw Rcv ICU Cmd :0x02
     707.183 : Sw Rcv ICU ID  :0x14
     707.292 : Sw Rcv ICU DATA:0x00
     707.456 : Sw Rcv ICU Cmd :0x02
     707.464 : Sw Rcv ICU ID  :0x2E
     707.471 : Sw Rcv ICU DATA:0x02
     707.489 : Rcv ICU DATA:0x00
     707.514 : Rcv ICU Cmd :COM_INFO
     707.521 : Rcv ICU ID  :0x31
     707.529 : Rcv ICU DATA:0x00
     707.539 : NOT exist WFT(default target 1)
     812.484 : Rcv ICU Cmd :COM_INFO
     812.492 : Rcv ICU ID  :0x10
     812.500 : Rcv ICU DATA:0xB4
     816.857 : MPU_ERROR_HISTORY[4]:0x00
     816.880 : MPU_ERROR_HISTORY[5]:0x00
     816.888 : MPU_ERROR_HISTORY[6]:0x00
     816.895 : MPU_ERROR_HISTORY[7]:0x00
     816.903 : MPU_ERROR_HISTORY[8]:0x00
     881.214 : Rcv ICU Cmd :COM_INFO
     881.221 : Rcv ICU ID  :0x12
     881.239 : Rcv ICU DATA:0x00
    1501.250 : Rcv ICU Cmd :COM_INFO
    1501.262 : Rcv ICU ID  :0x04
    1501.270 : Rcv ICU DATA:0x1F


Not all messages are forwarded to UART, like on usual ICU DebugMgr.


Hardware

It is still the same Toshiba chip. It is a custom part made for Canon, based on TMPM440F10XBG.

The "official" chip has only Japanese datasheet, I asked Toshiba for English one and got a reply that there's no EN datasheet as chip is just for Japan market.
With some translator magic it is possible to get a pretty good translation of that datasheet.

Some important details:
Internal flash is at 0x0. Size 0x100000. A lot of it is unused.
RAM at 0x20000000, size probably 0xE000 - this seems to match the datasheet.
Extra RAM (!) at 0x22000000, size 0x200000 - this is Canon specific.

Devices sit at 0x40000000. Addresses so far doesn't match those in datasheet.
The ones found so far are in "hard fault" regions from datasheet. For ROM to boot into DryOS I had to map 0x4009xxxx, 0x400Bxxxx, 0x400Fxxxx.
0x400Bxxxx contains I2C bus(es?). On R5 one is used to talk to a charger - ISL9241.


0x400bxxxx read: a4dc(4) == 0
0x400bxxxx read: a4dc(4) == 0
0x4009xxxx read: a200 4
0x4009xxxx read: a100 4
0x4009xxxx write: a200 4 60
(9030000:03)  <--enq cmd.dev=3,
(9030002:03) func=0,
(9030002:03) sync=1

(9030000:03)  -->deq cmd.dev=3,
(9030002:03) func=0,
(9030002:03) sync=1

(1010000:01) drv_i2ccomm.c:496 eventWait Error ch =0

(1010000:01) drv_i2ccomm.c:497 eventWait Error ret=-2

0x400bxxxx read: a4dc(4) == 0
0x400bxxxx read: a4dc(4) == 0
0x400bxxxx read: a4dc(4) == 0
0x400bxxxx read: a4dc(4) == 0


QEMU  :D

In QEMU for ICU emulation we just replay MPU messages from a list. For some time now I wanted to try emulating MPU ROM in QEMU - if possible it should be easy to spawn two instances (one for MPU and one for ICU) and... let them just talk.
It took just two evenings to see some results.

https://github.com/kitor/qemu-eos/tree/eosmpu/hw/arm/eosmpu.c

This code (with a little help of gdb to skip ISL9241 i2c init) is able to boot firmware into DryOS and MainTask. It then stays waiting for other tasks to spawn, but since timers and interrupts are not yet implemented (as well as UART), it just waits forever.

In the log above prints with data in brackets are taken using GDB from DryosDebugMsg() calls.


(5030000:03) wakeup[0] 00000000
(5030000:03) wakeup[1] 00000000
(5030000:03) wakeup[2] 00000000
(5030000:03) wakeup[3] 00000000
(5030000:03) wakeup[4] 00000000
(5030000:03) wakeup[5] 00000000
(3030000:03) lens VBAT2 VDD2 Keep (0)
(30000:03) INITIAL
(20000:02) Grip exist judge OK
(9030000:03)  <--enq cmd.dev=2,
(9030002:03) func=0,
(9030002:03) sync=1
(9030000:03)  -->deq cmd.dev=2,
(9030002:03) func=0,
(9030002:03) sync=1
(9030000:03)  <--enq cmd.dev=3,
(9030002:03) func=0,
(9030002:03) sync=1
(9030000:03)  -->deq cmd.dev=3,
(9030002:03) func=0,
(9030002:03) sync=1

Too many Canon cameras.
If you have a dead R or RP mainboard (e.g. after camera repair) and want to donate for experiments, I'll cover shipping costs.

kitor

More on UART:

looks that R5 firmware can use SIO in UART mode or PL011-compatible UART. First one is used, which is a bummer as PL011 driver exists in QEMU.

From the code:
SIO sits at 0x400bb000 +0x100, +0x200, +0x300
PL011 at 0x44000000, maybe + 0x1000 too.
Too many Canon cameras.
If you have a dead R or RP mainboard (e.g. after camera repair) and want to donate for experiments, I'll cover shipping costs.