Magic Lantern Releases > Camera-specific discussion

Porting ML to XSi (450D)


ML has been ported to 5D and 40D but there seems to be a lack of activity for XSi, which I believed Canon should have sold quite a lot of. Yep, you are right, I have one. But I am looking at this porting thing not as an ML user but as an ML developer. For the past couple of weeks I have roamed this website and CHDK in an effort to understand what this "hacking" business is all about and to size up the development work. Well, it is big, at least to me. As someone who doesn't do video, I am wondering if it is worth the effort for me to jump in. From the information I came across it seems that a firmware dump, v1.0.9, has been available ( but a later thread asking for help to dump the same firmware ( while using the same file I/O function pointers. Intrigued by this and as an IDA learning exercise (new tool to me), I set out to find what is going on. Well, I found the correct pointer values for those file I/O functions in Canon's flasher code and they are the same for both v1.0.9 and v1.1.0. Hmm, I wonder how one could get the firmware from apparently wrong function pointers. No, I have not dumped anything yet (need to set up the build environment in Ubuntu first, not to mention the build scripts) but I am sure mine are correct because I have cross-checked with those known working pointers in the 40D firmware dump code in this thread ( to make sure they execute the same flasher file I/O code, and they do. As a matter of fact, XS (1000D) has the exact same flasher file I/O code. They are just in different places (pointer values). I have not decided whether to continue further and certainly will not in the next two/three months but if anyone is interested in porting, I have no problem publishing the correct pointer values. Just want to get this porting thing moving forward, albeit tortoise-wise. :)

- Rick

I got two extra weeks before my planned two months away from home to do some more exploration. The file I/O pointer values that I found in the flasher code are correct. I have used them to dump Canon's firmware v1.1.0 successfully (from 0xFF810000 to 0xFFFFFFFF). It is not as straightforward as I thought. There were some more details I had to know about to actually dump the firmware without the risk of killing my XSi.

so you were able to dump the rom content?
i recommend to dump starting from 0xF8000000 btw

That (ROM dump) is affirmative. I started by dumping 0xFF800000 - 0xFFFFFFFF but then discovered that IDA isn't happy about 0xFFFFFFFF being used (used by IDA?) and that 0xFF800000 - 0xFF810000 just contains 0xFF's. I ended up just dumping 0xFF810000 - 0xFFFFFFFC so that I don't have to change the file size when loading it into IDA. I am too lazy even though one only has to do it once, the first time loading.

0xF8000000 - 0xFFFFFFFF is a huge chunk (128MB). Can IDA handle that? Or would it be more advantageous to dump it in separate smaller chunks? I know 0xF8000000 - 0xF800000F is used as boot_flags and I guess it is probably in non-volatile memory. How big may it be? Also, what other regions present interesting stuff for porting? I have taken a snapshot of the source code and am able to compile it. But I have not looked into the code yet.

By the way, I think the next thing to do is to find the function pointers in the firmware to enable/disable boot capability. I have followed the lead in a posting by Coutts ( and found something close to the code (for 5D) in the posting but not quite the same. In 1000D (v1.0.5) I also found the same (XSi) code (in different places but very close by). Both of them are above 0xFFFF0000. I believe I have found them but until I learn enough ARM to be able to follow the code, I am not 100% sure.

After this exercise I have a better grasp of this porting business. It is not very challenging per se if one has the right knowledge (ARM assembly language for me) but requires a ton of labor to find where those equivalent pointers are in XSi, for starters. There should be more things I don't know yet.


--- Quote from: g3gg0 on March 03, 2013, 11:56:37 AM ---ROM0: 0xF0000000 - 0xF7FFFFFF (when camera has a ROM0, then its 8 or 16M, so its 0xF0000000-0xF0FFFFFF)
ROM1: 0xF8000000 - 0xFFFFFFFF (most cameras have 16M, so its 0xF8000000-0xF8FFFFFF)

--- End quote ---

use these ranges, they are the real base addresses and repeat over and over until 0xFFFFFFFF.
the processor uses the image at various addresses.
on boot, 0xFFFF0000 is executed, which is at 0xF7FF0000. later it may jump to 0xFF810000 which really is 0xFF010000 etc.

but when dumping, you best use the ranges i quoted above.
relocating in memory can be done later in IDA without any problem

for IDA: just use addresses until 0xFFFFFFFC
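Because the ROM image repeats across the whole window, a dump of the full 0xF8000000 - 0xFFFFFFFF range can be checked and reduced to a single copy before it goes into IDA, and any address the CPU uses (reset vector, a jump target) can be folded back to its offset in that one copy. The following is an added example, not code from this thread or from Magic Lantern; the function names and the assumption that the mirror period equals the physical ROM size (a power of two) are mine, and the dump is a constructed 4 KiB stand-in mirrored eight times.

```python
import hashlib

def detect_mirror_period(dump: bytes, min_period: int = 0x1000) -> int:
    """Smallest power-of-two period at which `dump` repeats verbatim.

    A raw dump of the whole 0xF8000000-0xFFFFFFFF window is the physical
    ROM image mirrored over and over, so the period is the real ROM size
    (e.g. 8M or 16M). Returns len(dump) if no repetition is found.
    """
    n = len(dump)
    if n == 0 or n & (n - 1):
        raise ValueError("dump length must be a non-zero power of two")
    period = min_period
    while period < n:
        first = dump[:period]
        if all(dump[i:i + period] == first for i in range(period, n, period)):
            return period
        period *= 2
    return n

def dedupe_rom(dump: bytes) -> bytes:
    """Keep only one copy of the mirrored image (what you load into IDA)."""
    return bytes(dump[:detect_mirror_period(dump)])

def mirror_offset(addr: int, window_base: int, period: int) -> int:
    """Offset inside the physical ROM image for an address the CPU uses.

    Every mirror in the window maps to the same offset: with an 8M ROM,
    0xFF810000 and 0xFF010000 both land on offset 0x10000.
    """
    if addr < window_base:
        raise ValueError("address below the ROM window")
    return (addr - window_base) % period

def rom_image_address(addr: int, window_base: int, period: int) -> int:
    """Lowest (base) address of the mirror the given address belongs to."""
    return window_base + mirror_offset(addr, window_base, period)

# Constructed 4 KiB stand-in for a ROM image, mirrored 8 times to fake a
# dumped window (real windows are megabytes; the logic is the same).
FAKE_ROM = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest()
                    for i in range(128))
FAKE_WINDOW = FAKE_ROM * 8

if __name__ == "__main__":
    print("mirror period:", hex(detect_mirror_period(FAKE_WINDOW)))
    print("0xFF810000 -> offset", hex(mirror_offset(0xFF810000, 0xF8000000, 0x800000)))
```

Run it on a real dump by reading the window file into `detect_mirror_period`; a period equal to the file length means the dump did not mirror cleanly and should be re-checked before relocating in IDA.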
