Canon 7D ML

Started by Pelican, October 02, 2012, 11:40:53 AM

Previous topic - Next topic

0 Members and 2 Guests are viewing this topic.

Pelican

Thanks to g3gg0 it's coming soon now, so it's time to open this topic... :-)
I've already built 7D ML from the latest source and started to check the features.
What is the workflow of the developing?
EOS 7D Mark II, EOS 7D, EOS 5, EOS 100 + lenses (10mm to 300mm), 600EX, 550EX, YN600EX x 3
EOScard, EOS DSLR firmwares, ARMu, NiControl, etc.: http://pel.hu/down

a1ex

The current problem is how to enable the bootflag without having to distribute Canon code.

Currently, user code runs after loading the FIR, but the camera gets restarted after a very small period of time (g3gg0 estimated 50ms). It's probably not safe to alter the ROM in this situation.

Indy's solution was to post a bspatch. I don't like to use this idea for regular users (for developers may be OK) because:

1) it's not that easy to use
2) it enables other users to do a derivative work from Canon's copyrighted code (the updater); if they post it online, I smell trouble.

Point 2) applies to any program that patches the original firmware IMO.

Pelican

I see.
I enabled the bootflag on my camera with a patched firmware update too.
Hmm. And we cannot make a magiclantern.fir file as for the other cameras...
EOS 7D Mark II, EOS 7D, EOS 5, EOS 100 + lenses (10mm to 300mm), 600EX, 550EX, YN600EX x 3
EOScard, EOS DSLR firmwares, ARMu, NiControl, etc.: http://pel.hu/down

g3gg0

Quote from: Pelican on October 02, 2012, 12:41:29 PM
I see.
I enabled the bootflag on my camera with a patched firmware update too.
Hmm. And we cannot make a magiclantern.fir file as for the other cameras...

you enabled the flag on 7D? Or did you enable it on models where we can run our own (not canon patched) updater code?

thats the problem on 7D. we can run our updater code, but it seems we must do some special comm, else the slave cpu gets reset.
i dont know if it is IPC comm with master processor, or if it is some watchdog or whatever.

the "normal" firmware boot with ML enabled is now possible because of the ipc command register, we have to write with 0x80000010. see reboot.c.
if we don't write that command, both digics are out of sync and firmware will halt.
(see http://magiclantern.wikia.com/wiki/Register_Map in section IPC - there is a list of Slave->Master commands
written to that register.

a more cleaner version of that missing piece for 7D looks like that:

        /* clear IPC interrupt lines */
        *(volatile int*)0xC0A0000C = *(volatile int*)0xC0A00008;
        /* send command to master processor, so it is in right state for rebooting */
        *(volatile int*)0xC0A00024 = 0x80000010;
        /* wait for interrupt */
        asm("MCR p15, 0, R0, c7, c0, 4\n":::"r0");
       
        /* clear IPC interrupt lines */
        *(volatile int*)0xC0A0000C = *(volatile int*)0xC0A00008;

Help us with datasheets - Help us with register dumps
magic lantern: 1Magic9991E1eWbGvrsx186GovYCXFbppY, server expenses: [email protected]
ONLY donate for things we have done, not for things you expect!

Pelican

Quote from: g3gg0 on October 02, 2012, 03:04:44 PM
you enabled the flag on 7D?
Yes, I've enabled the bootflag with the original Canon 1.1.0 fw updater patched by TH (or Indy?) wich makes the ROM dumps.
EOS 7D Mark II, EOS 7D, EOS 5, EOS 100 + lenses (10mm to 300mm), 600EX, 550EX, YN600EX x 3
EOScard, EOS DSLR firmwares, ARMu, NiControl, etc.: http://pel.hu/down

g3gg0

very good :)

at the moment i am focusing on how to make the first alpha user-ready.

features and how good they are working are explained here:
    http://magiclantern.wikia.com/wiki/7D_support
many features work fine, some not due to property setting is still disabled.
(enabling property setting could cause some unrecoverable error!)


as soon there is a clean way to run ML without patching/distributing canon code,
i will head over to the alpha feature set. this means i will disable all the functions that
are not working clean or dont work at all. (like alex' 5D3 alpha)
Help us with datasheets - Help us with register dumps
magic lantern: 1Magic9991E1eWbGvrsx186GovYCXFbppY, server expenses: [email protected]
ONLY donate for things we have done, not for things you expect!

Pelican

And why you cannot purify the updater fir to a very very basic one which would set the bootflag only and do nothing else?
It could contain almost none Canon code.

(That was my idea to run ML long time ago: put the whole ML to the updater and run as a fw update, but never got working.)
EOS 7D Mark II, EOS 7D, EOS 5, EOS 100 + lenses (10mm to 300mm), 600EX, 550EX, YN600EX x 3
EOScard, EOS DSLR firmwares, ARMu, NiControl, etc.: http://pel.hu/down

g3gg0

do you mean to keep some basic canon code that statisfies the wdt behavior?
then we still have legal issues. so this is a (almost) no-go

if you mean we should jump to reset vector/firmware from our updater1 context, then
we still have the problem i am stuck at - master processor is in a different state due to
the slave bootloader sending it there right before the .fir gets executed.

the commands sent before executing .fir updater1 (slave side)

0x80000052 (fromutil_ipc_wakeup)
0x80000031 (before entering autoexec.bin)
   to undo:   0x80000010, then boot normal firmware
0x80000034 or 0x80000030 (before entering FIR load code)
   to cancel: 0xC8000000, then continue fromutil
0x88000001 (when going to load .FIR)
   to cancel: 0xC8000000, then continue fromutil
0x98000000 (when going to execute .FIR)
0xB8000000|fir_length (when going to execute .FIR)
0x80000040 (when going to execute .FIR)
   to cancel: no idea

when bootflag is set and our autoexec.bin was executed, we simply
can send command 0x80000010 and can continue normal boot.

when updater1 gets executed - we are already at bottom of the list. 0x80000040.
and i have no clue (yet) how to go back


and the problem we have everywhere - there is some watchdog. either master processor is resetting us
or there is some dedicated WDT module
Help us with datasheets - Help us with register dumps
magic lantern: 1Magic9991E1eWbGvrsx186GovYCXFbppY, server expenses: [email protected]
ONLY donate for things we have done, not for things you expect!

Pelican

This patched updater does its job and right after the camera restarts.
No hang up just restart.
It could be enough for us, isn't it?
I mean you don't have to return from updater1...
I don't remember how the dumper code ended but you can check it.
EOS 7D Mark II, EOS 7D, EOS 5, EOS 100 + lenses (10mm to 300mm), 600EX, 550EX, YN600EX x 3
EOScard, EOS DSLR firmwares, ARMu, NiControl, etc.: http://pel.hu/down

Pelican

code from the end of dumper.c:


...
abort_firmup1();
LOG();
abort_firmup2();
LOG();
uint32_t dummy = 0;
reboot_icu( 0x80010003, dummy, 4 );
...


Maybe this is how you can finish the fw update...
EOS 7D Mark II, EOS 7D, EOS 5, EOS 100 + lenses (10mm to 300mm), 600EX, 550EX, YN600EX x 3
EOScard, EOS DSLR firmwares, ARMu, NiControl, etc.: http://pel.hu/down

g3gg0

i tried another way. and the results look promising :)
Help us with datasheets - Help us with register dumps
magic lantern: 1Magic9991E1eWbGvrsx186GovYCXFbppY, server expenses: [email protected]
ONLY donate for things we have done, not for things you expect!

Pelican

EOS 7D Mark II, EOS 7D, EOS 5, EOS 100 + lenses (10mm to 300mm), 600EX, 550EX, YN600EX x 3
EOScard, EOS DSLR firmwares, ARMu, NiControl, etc.: http://pel.hu/down

g3gg0

was able to boot ML from fir ;)
will release a video in a few minutes.

about the technical details:
i couldnt get further with resetting master processor into the fitting state.
no idea how to get that done, as the master updater already was running.
so i decided to replace master updater code with a plain reboot into firmware main at 0xF8010000
whereas the slave does the same with magic lantern enabled.

one + for this methos is - we can also hook master firmware now using cache hacks ;)
but only as long we run ML from .fir. when switching to autoexec.bat, this feature is lost.
but that would help to get e.g. a bootrom dump from master processor.
Help us with datasheets - Help us with register dumps
magic lantern: 1Magic9991E1eWbGvrsx186GovYCXFbppY, server expenses: [email protected]
ONLY donate for things we have done, not for things you expect!

Pelican

Congratulations! :)
Waiting for the video...
EOS 7D Mark II, EOS 7D, EOS 5, EOS 100 + lenses (10mm to 300mm), 600EX, 550EX, YN600EX x 3
EOScard, EOS DSLR firmwares, ARMu, NiControl, etc.: http://pel.hu/down

g3gg0

Help us with datasheets - Help us with register dumps
magic lantern: 1Magic9991E1eWbGvrsx186GovYCXFbppY, server expenses: [email protected]
ONLY donate for things we have done, not for things you expect!

jplxpto

Congratulations, you seem not to sleep ... everyday surprises us more ... every day more big news ...

g3gg0

haha "you seem not to sleep" - you sound like my girlfriend ;)

well, this demonstrated .fir wouldnt have been possible if indy wouldnt have made that great tools for replacing updaters
and also if trammels initial work on the 7D had failed and we wouldnt have any bootrom dump.
i just put the missing piece of code between some lines ;)
Help us with datasheets - Help us with register dumps
magic lantern: 1Magic9991E1eWbGvrsx186GovYCXFbppY, server expenses: [email protected]
ONLY donate for things we have done, not for things you expect!

LaLigueParis

you're our hero lol
good work

jplxpto


g3gg0

yeeha
using the FIR method i was able to hijack both processors.
so i am running my own RPC handler on both devices.

one ML can send commands and data via "official" RPC interfaces to the other processor.
e.g. triggered via RPC call the code
  "master_write_memory("ROM1.BIN", 0xf8000000, 0x00800000);"
on the master processor.

master_write_memory is a canon function that uses FIO_WriteFile over RPC to write files on slave device.
so i was able to dump the master processor ROM (8MiB)
Help us with datasheets - Help us with register dumps
magic lantern: 1Magic9991E1eWbGvrsx186GovYCXFbppY, server expenses: [email protected]
ONLY donate for things we have done, not for things you expect!

tonybeccar

Sorry to intervene, but WOW, does this mean that you can take advantage of BOTH processors of the 7D?? Will we be seeing awesome features because of their power??

I'm checking the forums every day.. and I never thanked you.. THANK YOU!!!!!!!!! YOU'RE MY HERO!!!!

g3gg0

Quote from: tonybeccar on October 03, 2012, 07:20:43 PM
Sorry to intervene, but WOW, does this mean that you can take advantage of BOTH processors of the 7D?? Will we be seeing awesome features because of their power??

I'm checking the forums every day.. and I never thanked you.. THANK YOU!!!!!!!!! YOU'RE MY HERO!!!!

i guess there will no awesome features, just more problems when it comes to special features that need to access the correct digic.
Help us with datasheets - Help us with register dumps
magic lantern: 1Magic9991E1eWbGvrsx186GovYCXFbppY, server expenses: [email protected]
ONLY donate for things we have done, not for things you expect!

bart

Well done G3gg0. Amazing work!

Pelican

I am waiting for this moment for 3 years... 8) OMG!
Unfortunately I'm very busy with a special Nikon camera mod/remote right now, but after that I'll jump right into the 7D ML source...
EOS 7D Mark II, EOS 7D, EOS 5, EOS 100 + lenses (10mm to 300mm), 600EX, 550EX, YN600EX x 3
EOScard, EOS DSLR firmwares, ARMu, NiControl, etc.: http://pel.hu/down

Pelican

I was playing with ML this afternoon and found an interesting bug.
When minute changes in the camera's clock  the Date/Time/Zone menu item displays the top of the ML stuff.
It happens only when the Date/Time/Zone menu item selected in My Menu settings.
The position of the Date/Time/Zone  item on the ML screen is the same as on the My Menu screen.
It shows on ML menu only less than a second but stays on the ML info screens (because these are drawn once?).
EOS 7D Mark II, EOS 7D, EOS 5, EOS 100 + lenses (10mm to 300mm), 600EX, 550EX, YN600EX x 3
EOScard, EOS DSLR firmwares, ARMu, NiControl, etc.: http://pel.hu/down