New firmware feature guide in the wiki

[fudgey]

Hi, I wrote a small guide for finding and adding stuff from the firmware to CHDK and uBASIC. It would be great if people who actually know something about these things would review it .

http://chdk.wikia.com/wiki/Adding_Firmware_Features

[fe50]

GREAT  (+) !!!

*Edit: Added link to "For Developers" in the wikia, also added link to the stubs.sh-script to "Category:GPL"

[PhyrePhoX]

excellent.

edit: wow, so you finally found the evcompensation switch. if i call this from my "fast ev switch", lcd will adjust brightness, so i dont have to either be in the menu (ev setting) or use canon live histogram - right?
so can i integrate it? will you help with the adresses?

[ewavr]

edit: wow, so you finally found the evcompensation switch. if i call this from my "fast ev switch", lcd will adjust brightness, so i dont have to either be in the menu (ev setting) or use canon live histogram - right?
so can i integrate it? will you help with the adresses?

Hmm... For A710, EnterToCompensationEVF == RectifyExposureWithMeasure (byte-to-byte, except assertion line number ). I tried second function to adjust brightness in video. Sometimes it works, but:
- it locks exposure,
- it must be called at least once before video recording started, otherwise by second call (while video is recorded) it crashes camera,
- sometimes it crashes camera in video even if previous condition is satisfied,
- some other strange things 
So, I removed RectifyExposureWithMeasure from my personal build.

[PhyrePhoX]

i wonder what other things you have (or did have in that case ) in your private build. care to tell us? seems like you found out lotsa stuff
anyhow, so you removed it even though it was helpful (well, not for video though)?
it is quiete annoying on the cameras to enter ev menu, adjust ev, see the changed brightness, exit canon menu, see the "old" auto-brightness, only to see the "new" brightness on half-press again
so using the fast-ev plus this EnterToCompensationEVF function should work, no?

by the way, why do you think they included two functions doing exactly the same?

[fudgey]

edit: wow, so you finally found the evcompensation switch. if i call this from my "fast ev switch", lcd will adjust brightness, so i dont have to either be in the menu (ev setting) or use canon live histogram - right?
so can i integrate it? will you help with the adresses?

I think I've forgotten what the fast ev switch is? Anyway, I haven't tested it much yet. I just found it, made a very quick test  and wrote the tutorial. I haven't actually tried doing anything useful with it yet. Haven't crashed the camera with it either.

I don't quite have all the disassemblies ready for porting yet, but once Chr updates his wonderful perl script, I think it'll be easier...

Hmm... For A710, EnterToCompensationEVF == RectifyExposureWithMeasure (byte-to-byte, except assertion line number ). I tried second function to adjust brightness in video. Sometimes it works, but:
- it locks exposure,
- it must be called at least once before video recording started, otherwise by second call (while video is recorded) it crashes camera,
- sometimes it crashes camera in video even if previous condition is satisfied,
- some other strange things 
So, I removed RectifyExposureWithMeasure from my personal build.

Pretty interesting. RectifyExposureWithMeasure is very similar to EnterToCompensationEVF on a570is as well, but not identical. After the fourth bl (to ffc0bc94), they load different values to r1.

When I tried it (EnterToC... and ExitFromC... that is), it seemed to work just like pressing the ev compensation button without calling the ev osd, which alsomeans it only did anything in modes where ev compensation is available (not M or video).

But now that you mention your video experiments, I tried it too. Looks like it indeed successfully does lock exposure in video record (when called before pressing rec in video mode, and also during video record). That return function undoes this. No lockups experienced so far, even when calling the function (from uBASIC) during record for the first time after camera power-on.

But anyway, the intended use I had for this function was not in video mode (before your post I thought it didn't do anything in video mode) but for P/Av/Tv/SCN modes, ie ones with user accessible Ev compensation. If found unstable in video mode, the CHDK function could check the modemap (one more reason to check those) and only call it when in a safe mode.

[ewavr]

RectifyExposureWithMeasure is very similar to EnterToCompensationEVF on a570is as well, but not identical. After the fourth bl (to ffc0bc94), they load different values to r1.

ffc0bc94 = GetPropertyCase

Value in R1 is only assertion line number for DebugAssert. So, even for A570 EnterToCompensationEVF is equal to RectifyExposureWithMeasure.

[PhyrePhoX]

fudgey, may i ask how you found the adress of

NHSTUB(EnterToCompensationEVF, 0xFFEA4F84)
NHSTUB(ExitFromCompensationEVF, 0xFFEA5008)

i'm trying to do the same for s3is, but somehow i fail. in your tutorial you pop out the adress of EnterToCompensationEVF out of the blue, it is mentioned only once (in the NHSTUB declaring).
can you please alaborate on that? thanks in advance

[ewavr]

Well, FixAEWithCompensation(short* ev_comp) is better for A710 than RectifyExposureWithMeasure() in video mode, no crashes. So, I will work with it for changing brightness in video.

[fudgey]

fudgey, may i ask how you found the adress of

NHSTUB(EnterToCompensationEVF, 0xFFEA4F84)
NHSTUB(ExitFromCompensationEVF, 0xFFEA5008)

i'm trying to do the same for s3is, but somehow i fail. in your tutorial you pop out the adress of EnterToCompensationEVF out of the blue, it is mentioned only once (in the NHSTUB declaring).
can you please alaborate on that? thanks in advance

Hmm... well added a few more words to that part when adding syntax hilighting, but it is and was the asm disassembly + the comment below that's supposed to be sort of enough.

[PhyrePhoX]

hm, you used the linux toolchain, things seem to look different in the program i use. can you maybe just gimme the adresses of these two functions for the s3is so i can "reverse engineer" your tutorial?

[fudgey]

Well, S3IS addresses them in a different way, so the tutorial doesn't apply to it step by step.

Strings:
ff974ff0 EnterToCompensationEVF
ff974fd8 ExitFromCompensationEVF

Find where the string pointers are stored:

Code: [Select]

ff97488c:       ff9765c8        undefined instruction 0xff9765c8
ff974890:       ff974ff0        undefined instruction 0xff974ff0 <--
ff974894:       ff9765ec        undefined instruction 0xff9765ec
ff974898:       ff974fd8        undefined instruction 0xff974fd8 <--
ff97489c:       ff9765fc        undefined instruction 0xff9765fc

Ok, look, the pointers are right there next to each other. This is not code but it's some sort of a list instead. There's one word between these two pointers, and none of the words next to them point to strings. So, it's fair to assume that this is a table with addresses to string, code, string, code etc. Or maybe code, string, code, string...remains to be seen.

The pointer between these two string pointers is then surely attached to one of these functions. Let's see what we find there:

Code: [Select]

ff9765ec:       e52de004        push    {lr}            ; (str lr, [sp, #-4]!)
ff9765f0:       eb000960        bl      ff978b78 <_binary_______primaries_s3is_sub_100a_PRIMARY_BIN_start+0x168b78>
ff9765f4:       e3a00000        mov     r0, #0  ; 0x0
ff9765f8:       e49df004        pop     {pc}            ; (ldr pc, [sp], #4)

Ok, it doesn't do much, basically it just jumps to ff978b78 and returns. Let's see what happens there:

Code: [Select]

ff978b78:       e52de004        push    {lr}            ; (str lr, [sp, #-4]!)
ff978b7c:       e59f3048        ldr     r3, [pc, #72]   ; ff978bcc VALUE:<0000664c>
ff978b80:       e5932000        ldr     r2, [r3]
ff978b84:       e3a01e76        mov     r1, #1888       ; 0x760
ff978b88:       e3520000        cmp     r2, #0  ; 0x0
ff978b8c:       e59f003c        ldr     r0, [pc, #60]   ; ff978bd0 VALUE:<ff97736c> STRING:<ShootCtrl.c>
ff978b90:       e2811009        add     r1, r1, #9      ; 0x9
ff978b94:       1a000000        bne     ff978b9c <_binary_______primaries_s3is_sub_100a_PRIMARY_BIN_start+0x168b9c>
ff978b98:       ebfa6bf8        bl      ff813b80 <_binary_______primaries_s3is_sub_100a_PRIMARY_BIN_start+0x3b80>
ff978b9c:       e59f1030        ldr     r1, [pc, #48]   ; ff978bd4 VALUE:<00092e2c>
ff978ba0:       e3a0001a        mov     r0, #26 ; 0x1a
ff978ba4:       e3a02002        mov     r2, #2  ; 0x2
ff978ba8:       ebfaaf77        bl      ff82498c <_binary_______primaries_s3is_sub_100a_PRIMARY_BIN_start+0x1498c>
ff978bac:       e3a01e76        mov     r1, #1888       ; 0x760
ff978bb0:       e3100001        tst     r0, #1  ; 0x1
ff978bb4:       e281100a        add     r1, r1, #10     ; 0xa
ff978bb8:       e59f0010        ldr     r0, [pc, #16]   ; ff978bd0 VALUE:<ff97736c> STRING:<ShootCtrl.c>
ff978bbc:       0a000000        beq     ff978bc4 <_binary_______primaries_s3is_sub_100a_PRIMARY_BIN_start+0x168bc4>
ff978bc0:       ebfa6bee        bl      ff813b80 <_binary_______primaries_s3is_sub_100a_PRIMARY_BIN_start+0x3b80>
ff978bc4:       e49de004        pop     {lr}            ; (ldr lr, [sp], #4)
ff978bc8:       ea00061f        b       ff97a44c <_binary_______primaries_s3is_sub_100a_PRIMARY_BIN_start+0x16a44c>

The last few instructions are laid out pretty similar to those from my a570is 1.00e EnterToCompensationEVF (and that's where the real stuff is, the start is just various checks that apparently are different in s3is)

So, entry point 0xff978b78 for EnterToCompensationEVF is what I'd try.

Let's find the other one too. The list that was found first had a string pointer and a code pointer. From the EnterTo* function it looks like string pointer is first and code pointer after it. So, let's look at ff9765fc for the ExitFrom* function link:

Code: [Select]

ff9765fc:       e52de004        push    {lr}            ; (str lr, [sp, #-4]!)
ff976600:       eb000974        bl      ff978bd8 <_binary_______primaries_s3is_sub_100a_PRIMARY_BIN_start+0x168bd8>
ff976604:       e3a00000        mov     r0, #0  ; 0x0
ff976608:       e49df004        pop     {pc}            ; (ldr pc, [sp], #4)

So, our suspected entry point is 0xff978bd8 for ExitFromCompensationEVF:

Code: [Select]

ff978bd8:       e52de004        push    {lr}            ; (str lr, [sp, #-4]!)
ff978bdc:       e59f3020        ldr     r3, [pc, #32]   ; ff978c04 VALUE:<0000664c>
ff978be0:       e5932000        ldr     r2, [r3]
ff978be4:       e3a01e77        mov     r1, #1904       ; 0x770
ff978be8:       e3520000        cmp     r2, #0  ; 0x0
ff978bec:       e59f0014        ldr     r0, [pc, #20]   ; ff978c08 VALUE:<ff97736c> STRING:<ShootCtrl.c>
ff978bf0:       e2811001        add     r1, r1, #1      ; 0x1
ff978bf4:       1a000000        bne     ff978bfc <_binary_______primaries_s3is_sub_100a_PRIMARY_BIN_start+0x168bfc>
ff978bf8:       ebfa6be0        bl      ff813b80 <_binary_______primaries_s3is_sub_100a_PRIMARY_BIN_start+0x3b80>
ff978bfc:       e49de004        pop     {lr}            ; (ldr lr, [sp], #4)
ff978c00:       ea00061d        b       ff97a47c <_binary_______primaries_s3is_sub_100a_PRIMARY_BIN_start+0x16a47c>

It's not very similar to the a570is function but it's pretty much the same length so chances are real good.

[PhyrePhoX]

omg this actually works!
thank you! now with my fast_ev switch in the collaborative build you can quickly increase or decrease ev and see the result instantly - without having to enter the menu. attached is a build for the s3is. you have to enable fast_ev switch in the photo overrides menu. then by pressing up/down you increase ev. preview screen gets instantly brighter or darker. actually i just used EnterToCompensationEVF() in this case, because exiting isnt needed (you can exit or reset it by switching mode dial or something).

alright, i guess this "magic" you do with asm cannot be put into a signature file or idc script to feed ida with it to then gain the adresses for the other cameras automatically?
i guess i really have to understand your steps. right now its all gibberish to me
thanks!

[fudgey]

omg this actually works!
thank you! now with my fast_ev switch in the collaborative build you can quickly increase or decrease ev and see the result instantly - without having to enter the menu. attached is a build for the s3is. you have to enable fast_ev switch in the photo overrides menu. then by pressing up/down you increase ev. preview screen gets instantly brighter or darker. actually i just used EnterToCompensationEVF() in this case, because exiting isnt needed (you can exit or reset it by switching mode dial or something).

Cool.

Does this make zebra and histogram work accurately without a half shutter press?

alright, i guess this "magic" you do with asm cannot be put into a signature file or idc script to feed ida with it to then gain the adresses for the other cameras automatically?
i guess i really have to understand your steps. right now its all gibberish to me
thanks!

I don't have IDA, but anything that has a clear logic can obviously be scripted. Signatures for the tools in trunk is probably something that can be done. I haven't looked at those much so I don't know if they're just copy&pastes from some random firmwares or have they been modified somehow.

You'll probably need to understand some basics of asm and processor architectures before you can comfortably dig into the ARM assembly and architecture manuals, because ARM is not the smallest and simplest processor out there. Starting with a primer for some decades old 8-bit microcontroller with a narrow instruction set could be a convenient start. When you get past the all the icky instruction abbreviations and addressing methods and their syntaxes, it's kind of like obfuscated BASIC.

[PhyrePhoX]

well, attached are two "screenshots" of this new function in effect.
one is with ev 0, the other one is with ev 2. the blue canon histogram i just enabled for reference to show you that the chdk histogram works correctly (actually when i enable the canon histogram i dont need to call ev compensation, but like i said, its just for reference, i get the same effect when i disable it). in the fast_ev options of the collabobuild i set the step size to 2. so between these two pics i only pressed "UP" once, to increase ev by two, screen instantly shows the result. also zebra works correctly. would have loved to do a video, but my cellphone can only go macro in photomode.
so, question is, are you willing to find out these adresses for the other cams as well? tedious job, tedious job that i can say
thanks for the tips on asm and so on, will get me a book one of these days.

p.s. i wonder if this function works on ixuses, since afaik they dont have manual ev correction, or do they?