@ARM assembly gurus: How can we do a "cold reboot" from CHDK ?

[whim]

In order to build a 'Swapper' for CHDK (on the fly switching from 1 version or configuration to another)
we need a cold reboot method, that is (roughly) the equivalent of pressing the on/off button twice.

Since CHDK's C code does not provide any function for it, I can only hope that some of you ARM assembly
savvy people can help us on this.

Thanks in advance,

wim

[GrAnd]

That should be some kind of magic in 'loader' folder.

[whim]

@GrAnd

Alas, I'm neither a magician nor an ARM assemby buff... I had an idea though, to to get the processor to jump to an
address between RAM and ROM (in a hole, so to speak). Do you think there's any chance that that would provoke a
reset ?

wim

BTW (unrelated) I'm just sross-ref'ing #319, and I get the same warning as for#317:
  "in /idc-scripts/resolve-tasks.idc: include file idc.idc not found"  I never got this warning before,
  I seem to remember that cail mentioned adding some stuff to the IDA scripts ?

[DataGhost]

As far as I know (I've only used the diskboot-method, not the 'firmware update'-method yet... and only DryOS), CHDK already reboots the camera when it's loaded. I think it's as easy as loading the necessary bits into 0x1900 and jumping there. I think the new CHDK will then load itself into the proper location and setup the camera.

Anyway, to do it the easy way, you can of course copy the chosen CHDK into diskboot.bin and call the reboot routine. It should be as easy as jumping to the beginning of the firmware (at least, the entrypoint) or maybe to a slightly different location. If I recall correctly, at least DryOS-based cameras have a separate reboot-routine (which does the same, more or less), I'm not sure about VxWorks cameras.

About jumping into holes: as far as I've experienced, the camera just shuts off (no reboot) when trying to read from a non-existant address. It will, of course, save you a keypress but there are better methods

[whim]

@DataGhost

Thanks !  If I understand you correctly, does that mean the first called entry.S actually performs the reset
(from: loader/a620/entry.S, example, platform-dependant of course)

Code: [Select]

    .section .entry

// Turn OFF SD Card power
// to support autostart
LDR     R3, =0xC02200BC
MOV     R2, #0x44
STR     R2, [R3]

// looks like idle cycle is required for proper shutdown
MOV     R3, #0x8000
1:
SUB R3, R3, #1
CMP R3, #0
BNE 1b

// ordinary startup...

MOV     SP, #0x1900
MOV     R11, #0
B my_restart

And about the easy method, that would be like jumping to 0xFFC0 0000 ?


wim

[DataGhost]

You mean this? http://stack.dataghost.com/S5-dualboot.avi
I didn't really feel like doing a lot of work so I just took the original diskboot routine from the camera firmware, however I bypassed the initialization steps. Sometimes (happened 2 times in 7 attempts) the camera display turns off and it hangs, I have to disconnect the batteries before it'll listen again. I guess this is because I'm bypassing some checks and I'm not exactly sure what to feed that thing. It shouldn't be an issue when this is rewritten in C, I think. All that needs to be done is load the file into 0x1900 and jump there.

edit: and I just noticed my clock is WAY off. I'm using linux in vmware to compile my stuff (I prefer my Windows editor and wireless drivers ) and I hibernate my laptop, so without synchronization... well. build date is not feb 13 but march 6

[whim]

@DataGhost

Looks like you're close .... was that a swap from Allbest to SDM there (never used the latter) ?
Also noticed good ol' 0xDEADBEEF is still popular as a magic number 
Anyway, just remembered I forgot to tell you there is some discussion on this subject in this thread:
Have fun and utility with the camera too, and look what mx3 said there:

I can foretell CHDK will be without built-in games, text viewer, rawmerge, memory dumper etc.
I would say it will be very soon.

Hope you get your system clock problem sorted (btw: have you checked the battery?) cause that might
eliminate your lock-ups (if you get lucky)

thanks,
wim

[DataGhost]

SDM? No, not as far as I know. That second one is a stripped-down-to-basic old CHDK build I got from jeff666... It's easier to start with a small one to get the camera going, I ported my stuff to allbest trunk about a week ago. I just swapped to that development version

About the clock... it's my Linux clock, which is inside a virtual machine with no time synchronization, so it runs at about half the speed and doesn't know about hibernation so it just pauses when I do that. I was just pointing out the odd compilation date in the CHDK splash screen.

[whim]

@GrAnd
@DataGhost


After several days of struggle with the trunk source, I still did not manage to get a
cold reboot, so I think it's time to ask some more advice and/or help.

I think I'm just gonna explain my approach so far:

What I want: to fully initialize the cam, just like Canon does, I'm assuming
that means a jump to 0xffc0 0000, aka $(ROMBASEADDR). I've looked at 3 IDA dumps, and in all 3
this address contains a jump to (I hope) the actual initialization code

What I've done (just for a620, for the moment):

I have tried to copy the calling sequence for the function enable_shutdown:
just like my cold_reboot, it is defined in wrappers.c, and calls a lowlevel function
_UnlockMainPower() which is, like my _Jump2CanonOEP(), defined in lolevel.h and
points to another NSTUB, NSTUB(UnlockMainPower, 0xffd49e50), in stubs_entry.S
(is stubs_entry.S treated any different than stubs_entry_2.S, BTW ?)

what I did in detail:

1. Create an entry in platforms/a620/sub/100f/stubs_entry_2.S:
        NSTUB(Jump2CanonOEP, 0xffc00000)

2. Create an entry in /include/lolevel.h:
        extern void _Jump2CanonOEP();

3. Create an entry in /platform/generic/wrappers.c:
        void cold_reboot()  {  _Jump2CanonOEP(); }

4. Create an entry in /include/platform.h
        void cold_reboot(void);

5. Replaced in /core/gui.c:
        The body of the function gui_draw_reversi(int arg) with:
        cold_reboot();

It does not work though - it compiles fine, no errors, but after booting from the created
DISKBOOT.BIN and starting "reversi" I get a screen freeze, 12 seconds pause and then a
camera shutdown.



wim

[whim]

  As usual, help came from totally unexpected side 

After answering in this topic Where are the strings for menus in original fw? I browsed the resulting text file
and searched 'Restart called'. (Jef666 refers to this in the DryOS porting topic)
Well, as a result I now replaced the address to jump to from FFC0 0000 to FFC1 27E0, recompiled, loaded, and.....

it WORKS !  I got a reliable cold reboot 10 times out of 10 !

Gonna have myself a nice beer to celebrate first, then I'm gonna hunt for the addresses in the other cam's binaries.

wim

[ewavr]

Well, as a result I now replaced the address to jump to from FFC0 0000 to FFC1 27E0, recompiled, loaded, and.....
it WORKS !  I got a reliable cold reboot 10 times out of 10 !

As GrAnd wrote, modified copy of this procedure CHDK uses for camera reboot (see loader/<camera model>/resetcode/main.c/copy_and_restart())

[whim]

@ewavr

I'm aware of that, but that routine reboots into a relocated CHDK, as far as I can tell (and that's not far at all -
the couple of pages of ARM assembly guide that I read already made my head spin  )

wim
 

[ewavr]

Wow, I found where shutdown() (platform/generic||other/lib.c) function located in original firmware (for A620 @ 0xFFC124CC) 
It seems that DIGIC3 (checked for G7 and A720) uses 0xC022004C and 0xC0410000 power-off port addresses instead of 0xC02200A0 for DIGIC2.

[whim]

Thanks, but most cams have a button to shutdown, but none to restart 

wim

[PhyrePhoX]

As usual, help came from totally unexpected side 

After answering in this topic Where are the strings for menus in original fw? I browsed the resulting text file
and searched 'Restart called'. (Jef666 refers to this in the DryOS porting topic)
Well, as a result I now replaced the address to jump to from FFC0 0000 to FFC1 27E0, recompiled, loaded, and.....

it WORKS !  I got a reliable cold reboot 10 times out of 10 !

Gonna have myself a nice beer to celebrate first, then I'm gonna hunt for the addresses in the other cam's binaries.

wim

great, very nice find!