JTAG / UART & more

Started by nikfreak, March 09, 2016, 08:02:54 PM



nikfreak

Hi everybody,

I've been playing around with Espressif's ESP-modules lately for some private projects.

Quote from: g3gg0 on June 02, 2015, 12:32:26 AM
OT-OT:
I can recommend NodeMCU (http://en.wikipedia.org/wiki/NodeMCU)
...

Guess who's actually playing with it  :P

Anyways I just ordered a Bus Pirate V3.6.
My goal is to JTAG our EOS cams. A big package of older cams, mainly EOS 10D, 20D, 30D, 40D, 50D, 1000D and 650D should arrive in the next weeks at my door (thanks @Dayton) and I am going to start getting familiar with dismantling them. Main focus will be JTAG for 50D and 650D and I hope to get access to the bootloader / kernel in some way to get more insights into the cams. There's UART, so there must be a bootloader, too. This may become useful for linux development in some way. Maybe we can get U-BOOT ported to our cams or I am going to fail right at the beginning, who knows? Will keep this post updated from time to time but don't expect miracles anytime soon, I am just going to replicate this tutorial on EOS DSLRs and with some luck and hope there will be results to report and try on Digic6 cameras ;D.
70D.112 & 100D.101

Danne

Oh, this is hardcore stuff. I will definitely follow this with great interest. And thanks for the great work on porting cams already. Beautiful work.

DeafEyeJedi

I am so high reading your post @nikfreak and flying with massive hopes on this wonderful project of yours!
5D3.113 | 5D3.123 | EOSM.203 | 7D.203 | 70D.112 | 100D.101 | EOSM2.* | 50D.109

eduperez

You might want to contact member 0xAF in this forum: if I remember correctly, he already worked on JTAG with the 400D.

g3gg0

Help us with datasheets - Help us with register dumps
magic lantern: 1Magic9991E1eWbGvrsx186GovYCXFbppY, server expenses: [email protected]
ONLY donate for things we have done, not for things you expect!

nikfreak

@g3gg0 and @a1ex. Got a screenshot from EOSM's Flash Chip Winbond 25Q64 (8MB or 32MB?).

https://drive.google.com/file/d/0B9Mu66yg5QzRRlctYkNKbktyaGM/view?usp=sharing

I should be able to read it out if used in other cams too but can't judge atm what it will contain? Only Firmware or maybe more? While still waiting for delivery I wanted to ask if someone already tried to backup the flash or can I skip this step as we are already able to dump the whole chip contents (ROM0/1.BIN)?
70D.112 & 100D.101

a1ex

To my knowledge, ROM0/1.BIN are the complete chip contents.

Knowing the chip could be interesting in understanding how to emulate it (for reflashing), for example.

Since you are interested in UART, here's a trick: returning from autoexec.bin will bring a bootloader menu via UART (visible in QEMU as well). IIRC g3gg0 already tried this menu in his emulator (TriX).

Maqs

Quote from: nikfreak on March 15, 2016, 04:44:23 PM
@g3gg0 and @a1ex. Got a screenshot from EOSM's Flash Chip Winbond 25Q64 (8MB or 32MB?).

https://drive.google.com/file/d/0B9Mu66yg5QzRRlctYkNKbktyaGM/view?usp=sharing

I should be able to read it out if used in other cams too but can't judge atm what it will contain? Only Firmware or maybe more? While still waiting for delivery I wanted to ask if someone already tried to backup the flash or can I skip this step as we are already able to dump the whole chip contents (ROM0/1.BIN)?

25Q64 has 64 megabits, so 8 MB.

rbrune

The buspirate is a fine little device.

Here is me dumping some flash memory with it: https://twitter.com/_deeperblue/status/466329008746266624

As a1ex said the flash will likely just be 1:1 the content of the ROM0/1.BIN dump files. But if you're able to read/write the flash with the chip still on the camera board (like I did in the photo - but sometimes that doesn't work due to the board layout and how power is distributed) that would open up a great way to reanimate bricked cameras. Same is true if you get JTAG working. Also the buspirate together with flashrom should autodetect the flash chip/type - if that doesn't happen there's probably a wiring issue and/or reading/writing the chip in place doesn't work due to the board layout and its voltage distribution.
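
As an added example (not code from this thread or from Magic Lantern), a Python check for the two points raised above: that two in-circuit reads of the chip agree before the dump is trusted for recovery, and whether the flash really is just ROM0.BIN and ROM1.BIN laid end to end. The 8 MB size is Maqs's figure for the 25Q64; the ROM contents and their offsets in the fixture are constructed stand-ins, not real firmware.

```python
"""Sanity-check an in-circuit SPI flash dump against the ROM0/1.BIN files.

Added example, not code from this thread or from Magic Lantern. 8 MB is the
25Q64 size computed above; ROM contents and offsets below are constructed.
"""
FLASH_SIZE = 8 * 1024 * 1024   # W25Q64: 64 Mbit = 8 MB
ERASED = 0xFF                  # unprogrammed NOR flash reads back as 0xFF


def reads_are_stable(dump_a: bytes, dump_b: bytes) -> bool:
    """Two back-to-back reads must agree byte for byte. A mismatch points at
    an unreliable in-circuit hookup (power, wiring, SPI speed), and such a
    dump must not be used to reanimate a bricked camera."""
    return len(dump_a) == len(dump_b) == FLASH_SIZE and dump_a == dump_b


def compare_to_rom_dumps(flash: bytes, roms: dict) -> dict:
    """Report where each ROMx.BIN image sits in the flash (-1 if absent) and
    how many bytes are neither part of a ROM image nor erased. A non-zero
    'uncovered_bytes' means the flash holds data the ROM dumps missed."""
    result, spans = {}, []
    for name, rom in roms.items():
        off = flash.find(rom) if rom else -1
        result[name] = off
        if off >= 0:
            spans.append((off, off + len(rom)))
    extra, pos = 0, 0
    for start, end in sorted(spans):      # count non-0xFF bytes in the gaps
        gap = flash[pos:start]
        extra += len(gap) - gap.count(ERASED)
        pos = max(pos, end)
    tail = flash[pos:]
    result["uncovered_bytes"] = extra + len(tail) - tail.count(ERASED)
    return result


def build_sample() -> tuple:
    """Constructed fixture: two fake ROM images in an otherwise erased chip,
    plus 16 bytes at the top of the chip that no ROM image covers."""
    rom0 = bytes(range(256)) * 64              # 16 KB stand-in for ROM0.BIN
    rom1 = bytes(reversed(range(256))) * 64    # 16 KB stand-in for ROM1.BIN
    flash = bytearray([ERASED]) * FLASH_SIZE
    flash[0:len(rom0)] = rom0
    flash[0x400000:0x400000 + len(rom1)] = rom1
    flash[FLASH_SIZE - 16:] = b"\x5a" * 16     # constructed 'extra' data
    return bytes(flash), {"ROM0.BIN": rom0, "ROM1.BIN": rom1}
```

With a real dump, feed `compare_to_rom_dumps` the flashrom output and the camera's own ROM0.BIN/ROM1.BIN; a zero `uncovered_bytes` confirms the 1:1 claim for that chip.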

Maqs