TX-1 - loading to IDA and porting...

[cybercom]

Also, FWIW, camera writes 82 byte file:

UpgradeLog.txt

to SD card.

ASCII is:

4‰ž\-ËèÌŠéÊ1¾jD+^OlNì‚qÏ&³ŽŠ,éCáZAì¾ÝÉÂú²|­Bp<€Œ9š]PÛ)tH…ƒG"!   xàEÇ-S›ï

HEX is:

00000000  34 89 9E 5C  2D CB 1F E8  CC 8A E9 CA  31 BE 6A 44   4%z\-EèISéE1_jD 
00000010  2B 5E 4F 6C  4E EC 82 02  71 12 CF 26  B3 19 8E 8A     +^OlNì,qI&3ZS 
00000020  2C E9 43 E1  03 90 5A 41  EC 04 BE DD  C9 C2 FA B2    ,éCá_ZAì_YÉAú² 
00000030  7C 11 AD 42  70 3C 80 8C  06 39 9A 5D  50 DB 29 74    |-Bp<_O9s]PU)t 
00000040  48 85 18 83  47 22 0B 21  09 78 0E E0  45 C7 2D 53       H.ƒG"!   xàEÇ-S 
00000050  9B EF                                                                              >ï               

[GrAnd]

"Power LED blinks twice. Camera shuts down."

is due to

I have not altered capt_seq yet.

[Microfunguy]

is due to

I have not altered capt_seq yet.

OK, I have been given conflicting information about this so I will take your word for it   

Strange that the capture-sequence has to work just to power-up the camera.


David

[GrAnd]

Strange that the capture-sequence has to work just to power-up the camera.

Because that file contains one of important task procedure created on camera startup.

[ewavr]

Small hint: if kbd.c, capt_seq.c, movie_rec.c are not rewritten yet, in file platform/<camera>/main.c  simply disable lines:

// *entry = (long)physw_hook;

// *entry = (long)capt_seq_hook;

// *entry = (long)movie_record_hook;

[Microfunguy]

Small hint: if kbd.c, capt_seq.c, movie_rec.c are not rewritten yet, in file platform/<camera>/main.c  simply disable lines:

// *entry = (long)physw_hook;

// *entry = (long)capt_seq_hook;

// *entry = (long)movie_record_hook;

Thanks, I will try that to save time.


David

[Microfunguy]

Small hint: if kbd.c, capt_seq.c, movie_rec.c are not rewritten yet, in file platform/<camera>/main.c  simply disable lines:

// *entry = (long)physw_hook;

// *entry = (long)capt_seq_hook;

// *entry = (long)movie_record_hook;

Big hint !

We now have the splashscreen displayed and the CHDK folder and sub-folders created.

(apparently the splashscreen was covered in 'bands').

I guess that I now have to get the keyboard working somehow.


David

[ewavr]

We now have the splashscreen displayed and the CHDK folder and sub-folders created.

I guess that I now have to get the keyboard working somehow.

Great!
I see that keyboard is very similar to other cameras, but not uses kbd_pwr_on() and kbd_pwr_off() functions....

[Microfunguy]

I see that keyboard is very similar to other cameras, but not uses kbd_pwr_on() and kbd_pwr_off() functions....

Well, I enabled the create keyboard task and of course the camera crashed and locked-up.

For no particular reason, I use the ixus55  kbd.c.

So, what do I do now   

[ewavr]

It seems that kbd.c from A570 is better solution.

Please check in CHDK following ROM addresses:
0xFFA433D0 kbd_p2_f
0xFFA42FB4 kbd_p1_f_cont
0xFFA4457C kbd_read_keys_r2

And RAM adresses:

physw_status 0x64E00
physw_run 0x8738

Do no use kbd_pwr_on() and kbd_pwr_off()  function, because TX1 do not have it.

If camera boots, enable showing of "misc values" in OSD and adjust keyboard map and KEYS_MASKn by pressing all keys.

[Microfunguy]

It seems that kbd.c from A570 is better solution.

Thanks EWAVR that will be very helpful.

Please check in CHDK following ROM addresses:

Yes, I started doing that last night.

physw_status 0x64E00

Yes, I know that is correct, I will now check the the others.

All the values in stubs_min.s seem to be incorrect.

There are now no missing functions in stubs_entry.s but some functions are uncertain :-


NSTUB(ExitTask, 0xffb41f08)
// Best match: 95%

NSTUB(GetParameterData, 0xffb66c14)
// Best match: 89%

NSTUB(kbd_p1_f_cont, 0xffa42fb4)
// Best match: 56%

NSTUB(kbd_read_keys_r2, 0xffa44644)
// Best match: 93%

NSTUB(taskDeleteHookAdd, 0xff92e018)
// Best match: 82%



and a few others.


I guess it is best to find those first.



David

[Microfunguy]

Please check in CHDK following ROM addresses:
0xFFA433D0 kbd_p2_f
0xFFA42FB4 kbd_p1_f_cont

Yes, they are fine.

0xFFA4457C kbd_read_keys_r2

Well, that code is longer than for the A570 (or my A620).
I can see that similar constants have been used (0x223000, 0xC0000024, 0xC000001C) but how did you decide that is the address ?

And RAM adresses:
physw_status 0x64E00

Yes.

physw_run 0x8738

The constant at FFA4367C is 0x8730.

Comparing with my A620, I would add +4 to that to give 0x8734.

How do you arrive at 0x8738 ?


David

[ewavr]

Here is PhySw_task (for TX1, but  keyboard task is all cameras is very similar ):
Compare it to kbd.c source.

Code:

ROM:FFA42F60                 STMFD   SP!, {R4,LR}   
ROM:FFA42F64                 LDR     R2, =0x8738  // physw_run
ROM:FFA42F68                 LDR     R3, [R2]       
ROM:FFA42F6C                 CMP     R3, #0         
ROM:FFA42F70                 BEQ     loc_FFA42F9C
ROM:FFA42F74                 MOV     R4, R2         
ROM:FFA42F78 loc_FFA42F78                           
ROM:FFA42F78                 MOV     R0, #0xA     
ROM:FFA42F7C                 BL      SleepTask     
ROM:FFA42F80                 BL      kbd_p1_f       
ROM:FFA42F84                 CMP     R0, #1         
ROM:FFA42F88                 BNE     loc_FFA42F90
ROM:FFA42F8C                 BL      kbd_p2_f       
ROM:FFA42F90 loc_FFA42F90                           
ROM:FFA42F90                 LDR     R3, [R4]       
ROM:FFA42F94                 CMP     R3, #0         
ROM:FFA42F98                 BNE     loc_FFA42F78
ROM:FFA42F9C loc_FFA42F9C   
ROM:FFA42F9C                 LDMFD   SP!, {R4,LR}   
ROM:FFA42FA0                 B       ExitTask       

Next is kbd_p1_f:

Code:

ROM:FFA42FA8                 STMFD   SP!, {R4-R7,LR}
ROM:FFA42FAC                 SUB     SP, SP, #0xC   
ROM:FFA42FB0                 BL      kbd_read_keys 
ROM:FFA42FB4 kbd_p1_f_cont                           
 and so on...

next is kbd_read_keys:

Code:

ROM:FFA43074                 STMFD   SP!, {R4,LR}   
ROM:FFA43078                 LDR     R0, =0x64E00   // physw_status
ROM:FFA4307C                 MOV     R2, #2         
ROM:FFA43080                 MOV     R1, #0         
ROM:FFA43084
ROM:FFA43084 loc_FFA43084                           
ROM:FFA43084                 MOV     R3, R2,LSL#2 
ROM:FFA43088                 SUBS    R2, R2, #1     
ROM:FFA4308C                 STR     R1, [R0,R3]   
ROM:FFA43090                 BPL     loc_FFA43084 
ROM:FFA43094                 LDR     R4, =0x64E00
ROM:FFA43098                 MOV     R0, R4         
ROM:FFA4309C                 BL      kbd_fetch_data
ROM:FFA430A0                 MOV     R0, R4         
ROM:FFA430A4                 LDMFD   SP!, {R4,LR}   
ROM:FFA430A8                 B       kbd_read_keys_r2

[ewavr]

NSTUB(ExitTask, 0xffb41f08)
// Best match: 95%

NSTUB(GetParameterData, 0xffb66c14)
// Best match: 89%

NSTUB(kbd_p1_f_cont, 0xffa42fb4)
// Best match: 56%

NSTUB(kbd_read_keys_r2, 0xffa44644)
// Best match: 93%

NSTUB(taskDeleteHookAdd, 0xff92e018)
// Best match: 82%

All correct, except kbd_read_keys_r2

[cybercom]

 I have gone through the IDA List of the TX-1 disassembly and pulled out the labels in order. Thought it might be useful if people wanted to compare with other cameras for similar routines.

zSHARE - tx-1_ida_labels.zip

(Not being a programmer, I couldn't just sit by and watch everyone else do all the work, so hopefully this will contribute something... I still have 3299 pages to go, but they just seem to be "glue" and housekeeping).

HTH,