ADTG and CMOS registers

Started by a1ex, June 25, 2013, 11:01:20 AM


Indy

550d 1.0.9
19259c ( pTgRegister->dwSrFstAdtg[4] & 0xFFFF0000 ) == 0x81720000
1925dc ( pTgRegister->dwSrFstAdtg[5] & 0xFFFF0000 ) == 0x81730000

26efb4 [REG] @@@@@@@@@@@@ Start ADTG[CS:%lx]
26efe8 [REG] ADTG:[0x%08x]
26effc [REG] ADTG:[%08x] <----- Excel Tab Number
26f270 [REG] ############ Start CMOS
26f29c [REG] CMOS:[0x%04x]
26f2b0 [REG] CMOS:[%04x] <----- Excel Tab Number

dlrpgmsvc

Whoa! I managed to solve the problem! Now the module loads ok!  ;)
If you think it's impossible, you have lost beforehand

dlrpgmsvc

Is this procedure correct for using the log module? (with all ML video and helper functions disabled):

[1] Enter ML menu
[2] Enable adtg from MOVIE menu
[3] Exit ML menu
[4] Start video recording 1920x1080 25p
[5] Stop video recording
[6] Enter ML menu
[7] Disable adtg from MOVIE menu
[8] Shut off camera

I obtain a "ADTG.BIN" file inside the photos folder on SD.

Is this procedure right?

a1ex

For 550D, the address for ADTG function is at 0xff27ee34, and for CMOS, 0xff27f028.

I didn't try these numbers, and I have no idea how Indy got these RAM addresses. Afaik, the 550D runs all the code from ROM (but there may be exceptions).

dlrpgmsvc

Quote from: a1ex on July 24, 2013, 09:04:08 PM
For 550D, the address for ADTG function is at 0xff27ee34, and for CMOS, 0xff27f028.

I didn't try these numbers, and I have no idea how Indy got these RAM addresses. Afaik, the 550D runs all the code from ROM (but there may be exceptions).

Great! Many thanks A1ex! It works!

So, the trick is to find the nearest point around the strings (not the exact string start address) where there is the following instruction:

[1] For CMOS (it is before the strings):       STMFD      SP!, {R4-R8, LR}
[2] For ADTG (it is before the strings):       STMFD      SP!, {R4-R10, LR}

Is this correct?

And for CARTRIDGE registers and others (like the first two strange lines found by Indy), will it be similar?

g3gg0

Yes. The stmfd is usually the function entry.
In some rare cases you will find a mov before.
The best is to have a database that is nearly completely disassembled (a lot of 'P' presses to do ;) )
Then you see where the xrefs go.

Cartridge is the same. But it's not that important. We focus on adtg at the moment.
Help us with datasheets - Help us with register dumps
magic lantern: 1Magic9991E1eWbGvrsx186GovYCXFbppY, server expenses: [email protected]
ONLY donate for things we have done, not for things you expect!
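
The prologue search described in the two posts above, as an added example that is not part of the original thread or of Magic Lantern's code: it walks back from a debug string to the nearest STMFD SP!, {..., LR} word in a little-endian ARM image. The image, the BASE load address and the function names are constructed for illustration.

```python
import struct

BASE = 0xFF010000        # assumed load address of the constructed image
STMFD_SP = 0xE92D0000    # ARM encoding of STMFD SP!, {reglist}; list = low 16 bits
LR_BIT = 1 << 14         # a function prologue normally saves LR

def find_entry_before(image, marker, base=BASE, max_back=0x400):
    """Return (address, saved register numbers) for the nearest
    STMFD SP!, {..., LR} before `marker`, or None if nothing is found."""
    pos = image.find(marker)
    if pos < 0:
        return None
    start = pos & ~3                     # ARM instructions are 4-byte aligned
    stop = max(start - max_back, 0)
    for off in range(start - 4, stop - 1, -4):
        (word,) = struct.unpack_from("<I", image, off)
        if (word & 0xFFFF0000) == STMFD_SP and word & LR_BIT:
            return base + off, [r for r in range(16) if word & (1 << r)]
    return None

def build_sample():
    """Constructed image: two fake functions, each followed by its string."""
    nop = struct.pack("<I", 0xE1A00000)                  # MOV R0, R0
    adtg = struct.pack("<I", 0xE92D47F0) + nop * 6       # STMFD SP!, {R4-R10, LR}
    adtg += b"[REG] " + b"@" * 12 + b" Start ADTG[CS:%lx]\0"
    adtg += b"\0" * (-len(adtg) % 4)                     # keep next entry aligned
    cmos = struct.pack("<I", 0xE92D41F0) + nop * 6       # STMFD SP!, {R4-R8, LR}
    cmos += b"[REG] " + b"#" * 12 + b" Start CMOS\0"
    return nop * 16 + adtg + cmos

SAMPLE = build_sample()

if __name__ == "__main__":
    for marker in (b"Start ADTG", b"Start CMOS"):
        addr, regs = find_entry_before(SAMPLE, marker)
        print(marker.decode(), hex(addr), regs)
```

Since a MOV can precede the STMFD in rare cases, as noted above, the returned address is a candidate to confirm against the cross-references in a disassembly.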

dlrpgmsvc

Very good!

I have some thoughts:

1 - these adtg registers are already indirectly used for fps-shutter speed override and they have the same limitations (low fps still equals low shutter speeds)

2 - resolutions can only be decreased but not increased (as of the latest tests), and the lower Canon in-camera standard resolutions of 720p and 480p are more than enough

So, the only really useful discovery (so far) is the CMOS16 register (only in newer camera models) to obtain the dual iso feature.
It seems we cannot squeeze anything more out of them, at least for now, right?

This is just to know if the work on dumps for other camera models will be worthwhile, or if it is better to first study the behavior of these registers on already dumped models, until something useful eventually arises.
Or if someone already has some ideas to implement with these registers.

Andy600

I've compiled adtg_log and it loads ok but I can't get it to save a log file on the 50D. Any ideas?  ???
Colorist working with Davinci Resolve, Baselight, Nuke, After Effects & Premier Pro. Occasional Sunday afternoon DOP. Developer of Cinelog-C Colorspace Management and LUTs - www.cinelogdcp.com

dlrpgmsvc

Quote from: Andy600 on July 26, 2013, 12:03:37 PM
I've compiled adtg_log and it loads ok but I can't get it to save a log file on the 50D. Any ideas?  ???

Do you see the cmos values running on screen (not zero values)?

Andy600

Quote from: dlrpgmsvc on July 26, 2013, 12:56:56 PM
Do you see the cmos values running on screen (not zero values)?

I see 8x cmos values. Not sure what you mean by 'running'? They don't change.

The 50D doesn't have a dedicated Movie mode so I switched adtg log on, enabled movie record and powered off. No logs on the card. I've tried recording a bit too and also tried with raw video enabled and disabled.

dlrpgmsvc

Quote from: Andy600 on July 26, 2013, 01:07:42 PM
I see 8x cmos values. Not sure what you mean by 'running'? They don't change.

When you enable adtg_log and then exit from the ML menu (back to liveview mode), you should see the 8 cmos values printed onto the viewfinder, changing continuously. Does this happen? It should. If you see the values unchanged and fixed at 0 (on vf, not inside the menu), then it's a problem with the start_cmos hardcoded value: are you sure it's correct?

Andy600

Quote from: dlrpgmsvc on July 26, 2013, 01:14:10 PM
When you enable adtg_log and then exit from the ML menu (back to liveview mode), you should see the 8 cmos values printed onto the viewfinder, changing continuously. Does this happen? It should. If you see the values unchanged and fixed at 0 (on vf, not inside the menu), then it's a problem with the start_cmos hardcoded value: are you sure it's correct?

Ok, no they don't change. Where do you change the start_cmos value?

dlrpgmsvc

Quote from: Andy600 on July 26, 2013, 01:18:37 PM
Ok, no they don't change. Where do you change the start_cmos value?

It is at the start of "adtg_log.c" inside "src" and then "modules" directory

Andy600

Quote from: dlrpgmsvc on July 26, 2013, 01:20:27 PM
It is at the start of "adtg_log.c" inside "src" and then "modules" directory

Ok, some values have been set for the 50D in adtg_log.c but must be wrong. I don't know where or how to find the correct values. Looked in stubs etc. but can't see any cmos addresses. Does it mean dumping the FW to find the correct numbers?

dlrpgmsvc

Quote from: Andy600 on July 26, 2013, 01:28:45 PM
Ok, some values have been set for the 50D in adtg_log.c but must be wrong. I don't know where or how to find the correct values. Looked in stubs etc. but can't see any cmos addresses. Does it mean dumping the FW to find the correct numbers?

Yes... however I have read that 1% managed to dump 50D and found the values, for sure. So, you can ask him or disassemble the ROM yourself. If you decide on the latter option, I can assist you.

Andy600

Quote from: dlrpgmsvc on July 26, 2013, 02:06:17 PM
Yes... however I have read that 1% managed to dump 50D and found the values, for sure. So, you can ask him or disassemble the ROM yourself. If you decide on the latter option, I can assist you.

The values must be the ones 1% added (as I'm using Tragic Lantern source code). Probably best to wait for him to come back online then.

Thanks anyway :)

1%

Quote
//~ #define ADTG_WRITE_FUNC   0xFFA11FDC
//~ #define CMOS_WRITE_FUNC   0xFFA12190
//~ #define CMOS16_WRITE_FUNC 0
//~ #define CARTRIDGE_WRITE_FUNC 0

That's 50D.

ilguercio

So, what if I try poking the Digic on the 6D?
Any hint? I might have some free time tomorrow.
If you give me a hand I can try and do a bit of trial and error.
Canon EOS 6D, 60D, 50D.
Sigma 70-200 EX OS HSM, Sigma 70-200 Apo EX HSM, Samyang 14 2.8, Samyang 35 1.4, Samyang 85 1.4.
Proud supporter of Magic Lantern.

v8rrc

Is it worth trying this on a 60D?

Greg

How do I find these values for the 500D?
ADTG_WRITE_FUNC
CMOS_WRITE_FUNC
CMOS16_WRITE_FUNC
CARTRIDGE_WRITE_FUNC

coutts

Quote from: Greg on August 14, 2013, 01:07:14 AM
How do I find these values for the 500D?
ADTG_WRITE_FUNC
CMOS_WRITE_FUNC
CMOS16_WRITE_FUNC
CARTRIDGE_WRITE_FUNC

you have ida right or arm console for firmware analysis

Greg

Quote from: coutts on August 14, 2013, 02:51:44 PM
you have ida right or arm console for firmware analysis

I do not know how to do it  :o


I found these values; I do not know if they are correct.
500D:
#define ADTG_WRITE_FUNC   0xFF23FB4C
#define CMOS_WRITE_FUNC   0xFF23FB90

Greg

Did I do something wrong?
Traceback (most recent call last):
  File "parse_bin.py", line 21, in <module>
    with open(filename,"rb") as f:
TypeError: coercing to Unicode: need string or buffer, NoneType found


edit:

It does not look good.
[----------- VSYNC ------------]   
[----------- VSYNC ------------]   
[----------- VSYNC ------------]   
[----------- VSYNC ------------]   
[----------- VSYNC ------------]   
[----------- VSYNC ------------]   
[----------- VSYNC ------------]   

1%

//60D
//~ #define ADTG_WRITE_FUNC   0xFF2C9788 //"[REG] @@@@@@@@@@@@ Start ADTG[CS:%lx]"
//~ #define CMOS_WRITE_FUNC   0xFF2C997C //"[REG] ############ Start CMOS"
//~ #define CMOS16_WRITE_FUNC 0x0 //"[REG] ############ Start CMOS16 OC_KICK"
//~ #define CARTRIDGE_WRITE_FUNC 0xFF402884 //CARTRIDGE1_ADDR Adder ==> 0x%


For 500D just look for the strings... I'm not sure on cartridge... I've never seen anything come out of that.

Greg

I lost a couple of hours and found nothing.
Each time:
[----------- VSYNC ------------]   
[----------- VSYNC ------------]   
[----------- VSYNC ------------]   
[----------- VSYNC ------------]   
[----------- VSYNC ------------]   
[----------- VSYNC ------------]   
[----------- VSYNC ------------]