The SX1 IS Porting Thread

[fboesch]

Hi all....(SX1 Owners)

Due to missing feedback on my other thread and (still) no answer from "ewavr" on my mail request, I've started to "dig" into porting CHDK to the SX1 IS for Fw 2.00h.

Based on SX10 FW/CHDK  / I've compared/searched for the corresponding Adresses in the FW 2.00h Firmware. That's so far my findings....(see below). Some values have not yet been found by me....(the one's marked with X NOT FOUND YET). The other lines reflect the values needed for FW 2.00h

I hope some other Porters can help me / give hints of how to find the values for "stubs_entry_2"....I would proceed faster...nevertheless...I'm confident to be able to compile a first Alpha version this weekend.


___________________________
stubs_entry_2
___________________________


#include "stubs_asm.h"

NHSTUB(AllocateUncacheableMemory, 0xFF82806C)
NHSTUB(GetDrive_ClusterSize, 0xFF85E284)
NHSTUB(GetDrive_TotalClusters, 0xFF85E2B8)
NHSTUB(GetDrive_FreeClusters, 0xFF85E2EC)
NHSTUB(SetPropertyCase, 0xFF87DAC4)
NHSTUB(kbd_read_keys, 0xFF821AF4)
NHSTUB(platformsub_kbd_fetch_data, 0xFF84D880) 
NHSTUB(kbd_read_keys_r2, 0xFF84D130)
NHSTUB(qsort, 0xFFAE3D50) 
NHSTUB(strchr, 0xFF8A0820)
NHSTUB(strrchr, 0xFF9FCED8) 
NHSTUB(TurnOffBackLight, 0xFF893FC8)
NHSTUB(vsprintf, 0xFF81CAE8)
NHSTUB(VbattGet, 0xFF82046C)   
NHSTUB(GetZoomLensCurrentPoint, 0xFF9548A8)
NHSTUB(GetZoomLensCurrentPosition, 0xFFA820F8)
NHSTUB(RefreshPhysicalScreen, 0xFF9FA6FC)
NHSTUB(EnterToCompensationEVF, 0xFF825B44)
NHSTUB(ExitFromCompensationEVF, 0xFF825BAC)
NHSTUB(PT_PlaySound, 0xFF869110)
NHSTUB(DoAFLock, 0xFF825898)
NHSTUB(UnlockAF, 0xFF8258D0)
NHSTUB(LEDDrive, 0xFF84CC34)
NHSTUB(WriteSDCard, 0xFF93DD0C)
NHSTUB(PostLogicalEventForNotPowerType, 0xFF88328C)

// null sub

NHSTUB(kbd_pwr_off, 0xFFC00958)
NHSTUB(kbd_pwr_on, 0xFFC00958)
NHSTUB(Mount_FileSystem, 0xFFC00958)
NHSTUB(Unmount_FileSystem, 0xFFC00958)
NHSTUB(SetZoomActuatorSpeedPercent, 0xFFC00958)
NHSTUB(rewinddir, 0xFFC00958)
________________________

Stubs_min

#include "stubs_asm.h"

DEF(physw_status, 0x12DA4)
DEF(physw_run, 0x1C30)       
DEF(FlashParamsTable,0xFFBBB2A4)  
DEF(led_table, 0x264B)
DEF(zoom_busy, 0x9AE8)
DEF(focus_busy, 0x9974)
DEF(zoom_status, 0xF2A0) 
DEF(enabled_refresh_physical_screen, 0xCABC+0x34)   
DEF(canon_menu_active, 0x5A58 + 4)   
DEF(playrec_mode, 0x57C0+0x4)
DEF(canon_shoot_menu_active, 0xAC28 + 1)      X NOT YET FOUND
DEF(recreview_hold, 0xA78C + 0xDC)        X NOT YET FOUND
DEF(movie_status, 0x53F8 + 0x38)      X NOT YET FOUND
__________________________________________

[pev69]

Hi fboesch,

and thank you very much for starting the SX1 porting! I have the SX1, and have been waiting for CHDK for it. I would like to help, but I do not have IDA (I am not yet willing to pay the 360 EUR for it just for this, although it might be nice for some other reverse-engineering as well  ). I've been doing professional embedded programming for about 10 years, but I'm new to reverse-engineering.

[meddie]

[MrSpoon]

You can compile builds with the unknown functions set as nullstubs.

I found one of the most time consuming parts of porting is just going through all the assembler code in boot.c, capt_seq.c etc. You need to change all the assembler code in these files and replace them with code taken from your camera's firmware dump, modifying bits in the same way done in existing ports.

You will need physw_run though, iirc its quite easy to find by looking for PhySw

[fboesch]

Hi all!

Thank you all for your feedback and tips! Well, I'm eager myself to have CHDK also running on my SX1....(until now I walk around with my old S2IS, due to the nice Motion Scripts)....

Hope that I will have a first (alpha) build this weekend....

Cu later

Fredi

P.S. As you may have seen...i'm progressing....there are only a few adresses not found yet....(see first entry). All SX1 Adresses have been ported into Boot.c and capt_seq.c, and other Files too...movie_req.c not yet....i think to come closer to an "Alpha" Compilation....however: Need to setup an XP Machine first....The CHDK-Shell really does not like Vista....

[pev69]

Hey fboesch,

If you have difficulties arranging an XP machine, I might be able to help. I have XP in both my PCs. I was thinking that I might arrange you access to my second pc (which is just chewing folding@home currently) through windows terminal services. If you need that, PM me. It is now about 5.30 here in Finland and I'll propably go to bed soon, but in about ten or twelve hours tops I'll try to check in here again.

[MrSpoon]

There's really no reason to go installing XP (except for the fact Vista sucks )

Following this guide will set up a development environment in Cygwin that works in Vista. I've added a caution about binutils 2.19 on it since they *will not* link CHDK properly. In fact I couldn't compile 2.18 on my machine either, so had to go with binutils 2.17.

[fe50]

....however: Need to setup an XP Machine first....The CHDK-Shell really does not like Vista....

...running XP in a virtual machine should also work, e.g. you can try Sun's Virtualbox (free / OS)...

[fboesch]

....however: Need to setup an XP Machine first....The CHDK-Shell really does not like Vista....

...running XP in a virtual machine should also work, e.g. you can try Sun's Virtualbox (free / OS)...

Thanks for all suggestions.... No problem, regarding XP Machine...i've got a Desktop PC with XP @Home....but right now I'm in the mountains (holiday appartment) just with my MacBook :-). I will be back in Zurich in 10hours....and be eager to check it out.


@MrSpoon: Thanks - I've tried actually with Cygwin....but with 2.18 (as recommended!!) I did not work for me either....then I "copied" the SH.exe, Sort & ZED.exe from Cygwin to the gcc/gcc4 of the CHDK-Shell....seemed to go through, but a "sed.exe" error (Syntax) will still prevent that a "build" is finally created...(eventually missing other tools, because of this quick-n-dirty patching)....

@all: As soon I've seen that my modified files are good to create successfully a first Alpha Build (starting up at least on my SX1 but certainly still with errors/no movie_rec feature) I will put my files together and publish them here....

Till later

Fredi


P.S. Status of other files (chkd-shell)

\CHDK-Shell-v212.ini (local copy)             <Edited - New SX1 Entries>

\trunk727\Makefile                                  <Edited - Nex SX1 Section>
\trunk727\Makefile.inc                             <Edited - New SX1 Section>
\trunk727\include\camera.h                     <Edited - New SX1 Section>

\trunk727\platform\sx1\shooting.c                            <checked, but no value obviously changed. Taking SX10 defaults>
\trunk727\platform\sx1\main.c                                 <checked, but no value obviously changed. Taking SX10 defaults>
\trunk727\platform\sx1\lib.c                                     <checked, but no value obviously changed. Taking SX10 defaults>
\trunk727\platform\sx1\kbd.c                                   <checked, but no value obviously changed. Taking SX10 defaults>

\trunk727\loader\sx1\...several files                         <checked, but no value obviously changed. Taking SX10 defaults>

\trunk727\platform\sx1\sub\200h\boot.c                    <done>
\trunk727\platform\sx1\sub\200h\capt_seq.c             <done>
\trunk727\platform\sx1\sub\200h\lib.c                       <done>
\trunk727\platform\sx1\sub\200h\makefile.inc           <done>
\trunk727\platform\sx1\sub\200h\stubs_entry_2.S     <done - see above>
\trunk727\platform\sx1\sub\200h\stubs_min.S           <partly - see above>
\trunk727\platform\sx1\sub\200h\movie_rec.c            <not yet started>

<done> means that all adresses, values & even required patch-code have been ported to SX1-Adresses/Code/Values. Work I did was to compare the location (with IDA) in the SX10 1.01a FW and then look for the "new" location (with IDA in a second window) in SX1 2.00h FW....took me a while to find out also more difficult adresses (just assembler code with no "textual reference" in the sub_FFxxxxxx)...

On files with only a reference to a "value" (e.g. 0x01C0) and no given ROM Adresses of another Cam) I'm a little bit unsure .... starting with values of the SX10 can't be to bad (as I've seen in the other files - but there are differences...)

[fboesch]

Status: Sunday Night (Swiss Time 00:32)

The compilation process on my XP Desktop went (finally) nicely through (had about 10 typo mistakes in my files).   

Now CHDK-Shell creates a first build (diskboot.bin + CHDK Folder) with my modifies files (for the SX1)....however: the ps.fi2 file is missing (to startup the pseudo-firmware upgrade with CHDK).... so I can't start it up on my SX1 .....

Don't know right now where to get it (or which switch to use on CHDK-Shell)...will investigate tomorrow...

G'night for now

F.

[fe50]

Now CHDK-Shell creates a first build (diskboot.bin + CHDK Folder) with my modifies files (for the SX1)....however: the ps.fi2 file is missing (to startup the pseudo-firmware upgrade with CHDK).... so I can't start it up on my SX1 .....
Don't know right now where to get it (or which switch to use on CHDK-Shell)...will investigate tomorrow...

Hi Fredi,
For the autoboot method use a small SD card (<=4GB),
format it (FAT16) & make it CHDK-bootable with CardTricks,
copy the diskboot.bin to the root dir of the card, enable the card's RW lock,
then start (or try to start  ) your camera...

For the creation of the PS.FI2 file you need to store the encryption keys in the \platform\fi2.inc file.
You can get the keys from the G10 1.00F firmware dump (available from the CHDKdumps2 drop),
read about it here: http://chdk.setepontos.com/index.php/topic,2995.0.html

The SX1 needs the d4 (G10) keys: read, prepare & rename the file fi2.inc.txt for this, then you can
enable the OPT_FI2 option in the CHDK-Shell (button "Compile Options", disabled by default).

Just use a hex editor, e.g. HxD & get the 16 bytes from the correct offsets; write down the bytes without spaces, it should look like this
  ifeq ($(KEYSYS), d4)
   FI2KEY=112233445566778899AABBCCDDEEFF
   FI2IV=112233445566778899AABBCCDDEEFF
 endif

[pev69]

Thanks, fe50, for the FI2 info. I found the keys, and successfully tested fi2 compilation for the SX10 port. Now I'm just eagerly waiting for fboesch to put the SX1 port (even if aplha) for download

[fboesch]

...after a long day @work (...I'm not a developer, but a Service Management Consultant) finally came home and went on to the what I really wanted to do the whole day: Bring CHDK to work on the SX1...

FE50: Thank you for your "summary hint"! Helped to bring me onto the right track (with other forum links). Indeed the key/IV are the same as the G10 (despite at some slightly shifted ROM Adresses in HexEditor)....(better safe - than sorry) :-)

Now status: I've got now a "full" compilation (incl. ps.fi2)...Inserting it in my SX1 and choosing "Firm Update" Menu shows


Update firmware version?
2.0.0.0 -> 1.1.0.0

(Cancel) (OK)

I just hat a couple of "sweat-drops": The "Update" does not (yet) show the know CHDK Welcome Screen, but just blanks out the Main LCD (Power LED stays on)...no reaction onto key entries...

After a while I've decided to take out the batteries....re-inserting them and my SX1 was working normally again. 


Well...seems that I need to dig as next deeper into the LED Adresses thing....I've found one adress so far...but the other one'es seem to be also important... for the other adresses (phys_run etc.) I'm pretty confident that they are correct.

So proceeding a little bit further with adresses - as you may understand: I want to see CHDK startup (at least Mainscreen) on my SX1. As soon this is accomplished, I will provide the "Alpha" files to the community...

So it is a little bit "Trial & error" now... :-)

Till later

Fredi

P.S...I'm not a developer or so....but i've got assembler (HD61700) skills from my youth and the "understanding" of what IDA is showing me. Actually I once even "patched" with an Hex Editor a raw DB2-Database file to fix it....so my sx1 adress translation is certainly (conceptually) correct...must be typo's or the (still) missing values....

 

[fboesch]

Thanks, fe50, for the FI2 info. I found the keys, and successfully tested fi2 compilation for the SX10 port. Now I'm just eagerly waiting for fboesch to put the SX1 port (even if aplha) for download

Thanks for the "mental support" :-)  & Glad to see that I'm not the only ambitious SX1 owner :-D

[pev69]

Sure, since mental support is the only thing I can give at the moment

Darn the setback though... Some suggestions:
- Are you sure you got the key and iv in correct order (they were in reverse order in fi2.inc.txt compared to the offset addresses)?
- Perhaps you could try the diskboot method, that is not dependent on the fi2...?
- Maybe you can test if it's the LEDs by putting one confirmed address to all LEDs?