SX280 HS 101B Dump - I am truly willing to help test if someone develops - page 4 - Firmware Dumping - CHDK Forum

Offline reyalp

Re: SX280 HS 101B Dump - I am truly willing to help test if someone develops
« Reply #30 on: 08 / September / 2013, 16:09:07 »
As an aside, I think 0xfe000000 aliases 0xfc000000, since the code appears to be the same, but the absolute addresses in both areas reference 0xfc000000.
This should be correct, matches srsa's comments http://chdk.setepontos.com/index.php?topic=9992.msg100929#msg100929

Quote
So it's probably sufficient to dump 0xFC020000 - 0xFDFFFFFF rather than all the way to 0xFFFFFFFF as the dumper does.
For the code this is probably correct, but it's possible that there is other useful information in other sections of the dump. For example, on current cameras the PID and key for FI2 decoding come from an area around FFFF0000 (but this is where the ROMSTARTER bootloader is on these cams, so if the bootloader is at FC000000, that information may be there as well.)
Don't forget what the H stands for.

Re: SX280 HS 101B Dump - I am truly willing to help test if someone develops
« Reply #31 on: 08 / September / 2013, 17:47:05 »
As for IRC, eh... I'd rather have my exploration permanently documented here, hopefully it would help others.

So I found the code (in both the known sx260 firmware and my sx280 firmware) which references StartDiskboot:

sx280:

Code:
ROM:FC04F9C2 ; =============== S U B R O U T I N E =======================================
ROM:FC04F9C2
ROM:FC04F9C2
ROM:FC04F9C2 sub_FC04F9C2                            ; CODE XREF: sub_FC04F6C2+14p
ROM:FC04F9C2                                         ; DATA XREF: sub_FC04F9C2+2o
ROM:FC04F9C2                 PUSH            {R4,LR}
ROM:FC04F9C4                 ADR.W           R0, (sub_FC04F9C2+1)
ROM:FC04F9C8                 LSRS            R0, R0, #0x18
ROM:FC04F9CA                 BEQ             loc_FC04FA0C
ROM:FC04F9CC                 MOVS            R0, #0
ROM:FC04F9CE                 BL              sub_FC05F5CE
ROM:FC04F9D2                 LSLS            R0, R0, #0x1F
ROM:FC04F9D4                 BNE             loc_FC04FA0C
ROM:FC04F9D6                 BL              sub_FC08848A
ROM:FC04F9DA                 MOVS            R0, #1
ROM:FC04F9DC                 BL              sub_FC05F5CE
ROM:FC04F9E0                 LSLS            R0, R0, #0x1F
ROM:FC04F9E2                 BEQ             loc_FC04FA0C
ROM:FC04F9E4                 BL              nullsub_189
ROM:FC04F9E8                 MOVS            R0, #0
ROM:FC04F9EA                 BL              sub_FC2A4A54
ROM:FC04F9EE                 MOVS            R0, #0
ROM:FC04F9F0                 BL              sub_FC2A4A82
ROM:FC04F9F4                 CBZ             R0, loc_FC04FA0C
ROM:FC04F9F6                 ADR             R0, aStartdiskboot ; "\nStartDiskboot\n"
ROM:FC04F9F8                 BL              printf_
ROM:FC04F9FC                 MOVS            R0, #0
ROM:FC04F9FE                 BL              sub_FC2A4AB0
ROM:FC04FA02                 BL              lookForDiskbootFile
ROM:FC04FA06                 MOVS            R0, #0
ROM:FC04FA08                 BL              sub_FC2A49F6
ROM:FC04FA0C
ROM:FC04FA0C loc_FC04FA0C                            ; CODE XREF: sub_FC04F9C2+8j
ROM:FC04FA0C                                         ; sub_FC04F9C2+12j ...
ROM:FC04FA0C                 POP.W           {R4,LR}
ROM:FC04FA10                 B.W             nullsub_189
ROM:FC04FA10 ; End of function sub_FC04F9C2
ROM:FC04FA10
ROM:FC04FA14
ROM:FC04FA14 ; =============== S U B R O U T I N E =======================================
ROM:FC04FA14
ROM:FC04FA14
ROM:FC04FA14 lookForDiskbootFile                     ; CODE XREF: sub_FC04F9C2+40p
ROM:FC04FA14
ROM:FC04FA14 var_18          = -0x18
ROM:FC04FA14
ROM:FC04FA14                 PUSH            {R3-R7,LR}
ROM:FC04FA16                 ADR             R0, aADiskboot_bin ; "A/DISKBOOT.BIN"
ROM:FC04FA18                 MOV             R1, SP
ROM:FC04FA1A                 BL              sub_FC04F970
ROM:FC04FA1E                 MOVS            R4, R0
ROM:FC04FA20                 BNE             loc_FC04FA36
ROM:FC04FA22                 ADR             R0, aAUpgrader_bin ; "A/Upgrader.bin"
ROM:FC04FA24                 MOV             R1, SP
ROM:FC04FA26                 BL              sub_FC04F970
ROM:FC04FA2A                 MOVS            R4, R0
ROM:FC04FA2C                 BNE             loc_FC04FA36
ROM:FC04FA2E                 ADR             R0, aDiskbootFileNo ; "Diskboot file not found\n"
ROM:FC04FA30                 BL              printf_
ROM:FC04FA34                 POP             {R3-R7,PC}
ROM:FC04FA36 ; ---------------------------------------------------------------------------
ROM:FC04FA36
ROM:FC04FA36 loc_FC04FA36                            ; CODE XREF: lookForDiskbootFile+Cj
ROM:FC04FA36                                         ; lookForDiskbootFile+18j
ROM:FC04FA36                 LDR             R1, [SP,#0x18+var_18]
ROM:FC04FA38                 MOV             R0, R4
ROM:FC04FA3A                 BL              sub_FC0D2220
ROM:FC04FA3E                 CBZ             R0, loc_FC04FA4E
ROM:FC04FA40                 ADR             R0, aNotExecutable ; "not executable\n"
ROM:FC04FA42                 BL              printf_
ROM:FC04FA46                 MOVS            R0, #1
ROM:FC04FA48                 BL              sub_FC0626DE
ROM:FC04FA4C                 POP             {R3-R7,PC}
ROM:FC04FA4E ; ---------------------------------------------------------------------------
ROM:FC04FA4E
ROM:FC04FA4E loc_FC04FA4E                            ; CODE XREF: lookForDiskbootFile+2Aj
ROM:FC04FA4E                 MOVW            R0, #0x4000
ROM:FC04FA52                 LDR             R5, [SP,#0x18+var_18]
ROM:FC04FA54                 LDR             R6, [R0]
ROM:FC04FA56                 BLX             sub_FC251D18
ROM:FC04FA5A                 MOV             R1, R5
ROM:FC04FA5C                 MOVW            R0, #0x8000
ROM:FC04FA60                 BL              sub_FC12DE82
ROM:FC04FA64                 MOVW            R3, #0x8001
ROM:FC04FA68                 MOV             R2, R5
ROM:FC04FA6A                 MOV             R1, R4
ROM:FC04FA6C                 LSLS            R0, R3, #0xF
ROM:FC04FA6E                 BLX             R6
ROM:FC04FA70                 POP             {R3-R7,PC}
ROM:FC04FA70 ; End of function lookForDiskbootFile

Not quite sure what I should be following at this point?

Re: SX280 HS 101B Dump - I am truly willing to help test if someone develops
« Reply #32 on: 08 / September / 2013, 20:09:29 »
Here's my progress so far finding function correlates in the sx280 firmware.

Of the 1672 functions listed in the sx260 funcs_by_address file, I've found 181 so far (which includes all 62 relocated to RAM). Of the 191 functions mentioned in stubs_entry.S, I've found 62.

I've run the Canon Basic LED blinker script, and that works.

I've installed the arm-elf-gcc toolchain, but I'm not sure what I need to do to create a bootdisk. I did download the latest svn trunk, but couldn't compile it (for sx260hs sub 101a) because I'm missing all the sig_ref_dryos_?.bin files... not sure where to get them.

I haven't started to look at getting the FI2 keys yet.


Offline reyalp

Re: SX280 HS 101B Dump - I am truly willing to help test if someone develops
« Reply #33 on: 08 / September / 2013, 21:02:07 »
Excellent work so far!
Quote
Here's my progress so far finding function correlates in the sx280 firmware.

Of the 1672 functions listed in the sx260 funcs_by_address file, I've found 181 so far (which includes all 62 relocated to RAM). Of the 191 functions mentioned in stubs_entry.S, I've found 62.
Note that you do NOT need everything in funcs by address, these are just useful reference points.

Quote
I've installed the arm-elf-gcc toolchain, but I'm not sure what I need to do to create a bootdisk. I did download the latest svn trunk, but couldn't compile it (for sx260hs sub 101a) because I'm missing all the sig_ref_dryos_?.bin files... not sure where to get them.
You should be able to compile without them, but in any case they are just copies of dumps you can find in the firmware dump repository https://drive.google.com/folderview?id=0B08pqRtyrObjTy11Y003Sk1lYTQ#list

readme_gensig_dryos.txt tells you which they are.

However, to build a bootable file for your camera, you have a bigger challenge. You need to generate code that digic6 can boot.

1) getting the right instruction set
Assuming the canon restart code runs in the thumb2 state, you would need at least the initial assembler in loader/entry.S to be in thumb2. From what I can gather, it probably doesn't support traditional ARM code. The CHDK build system and much of the code assumes the firmware is traditional 32 bit ARM, while most chdk code is thumb (original, not thumb2). The CHDK code contains a bunch of ARM assembler, so you can't just flip a compile option. So for initial testing, you might be better off just building a raw binary in thumb2.

2) Getting your code located right
You need to build your binary to be located wherever the camera boot code loads it. In previous digic versions, this is always 0x1900. In sx260, the code that sets this up is at FF027260. It looks like it's a bit different on sx280, so I'm not sure what the initial load address will be.

3) Getting your boot image encoded right:
In the sub_FC04F9C2 you mentioned earlier, the function call just before the reference to "not executable" is responsible for decoding the diskboot, which accesses a list of values we call the "dancing bits" values. These are used in the tools/dancingbits tool to generate a correctly encoded diskboot.
In sx260 101a, these values are located at FF5AAC34, referenced by a function sub_FF283CCC which is referenced as a function pointer in sub_FF0A6314, which is called by the decoding function.
The dancingbits encoding usually corresponds to dryos version, so it's possible that the existing values for version 10 will be correct (you can try searching for the existing values as a sequence of words). If it is, you can use the dancingbits tool as is to encode your binary. If it uses the same system with different values, you can just add them.

edit:
It looks like the dryos R52 dancingbits values appear at FC0042EC
« Last Edit: 08 / September / 2013, 21:25:42 by reyalp »
Don't forget what the H stands for.
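Added example (not from the thread and not the tools/dancingbits tool mentioned above): the search reyalp suggests, looking for a known sequence of 32-bit words in a dump and reporting where it sits as a ROM address. The word values, the dump contents and the dump base address 0xFC004000 are all constructed for the demonstration; the real per-version tables are not reproduced here.

```python
import struct

# Constructed stand-in for a dancingbits table; the real values live in CHDK's
# tools/dancingbits tool and are deliberately not copied here.
SAMPLE_WORDS = [0x00000005, 0x00000004, 0x00000003, 0x00000002]


def find_word_sequence(dump: bytes, dump_base: int, words, aligned=True):
    """ROM addresses at which `words` occur as consecutive little-endian
    32-bit values in `dump`, a raw image that starts at address dump_base.

    A literal table the firmware reads as words is 4-byte aligned, so
    unaligned hits are dropped unless aligned=False is passed.
    """
    needle = struct.pack("<%dI" % len(words), *words)
    hits = []
    pos = dump.find(needle)
    while pos != -1:
        if not aligned or pos % 4 == 0:
            hits.append(dump_base + pos)
        pos = dump.find(needle, pos + 1)
    return hits


def build_sample_dump() -> bytes:
    """Constructed dump: 0xFF filler with the table at offset 0x2EC (aligned)
    and a second, unaligned copy of the same bytes at offset 0x401."""
    dump = bytearray(b"\xff" * 0x1000)
    needle = struct.pack("<%dI" % len(SAMPLE_WORDS), *SAMPLE_WORDS)
    dump[0x2EC:0x2EC + len(needle)] = needle
    dump[0x401:0x401 + len(needle)] = needle
    return bytes(dump)


if __name__ == "__main__":
    for addr in find_word_sequence(build_sample_dump(), 0xFC004000, SAMPLE_WORDS):
        print("table at ROM:%08X" % addr)
```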


Re: SX280 HS 101B Dump - I am truly willing to help test if someone develops
« Reply #34 on: 08 / September / 2013, 21:58:24 »
Quote
You need to build your binary to be located wherever the camera boot code loads it. In previous digic versions, this is always 0x1900. In sx260, the code that sets this up is at FF027260. It looks like it's a bit different on sx280, so I'm not sure what the initial load address will be.

Wait... I'm looking at entry.S, and it has this:

Code:
MOV     SP, #0x1900
MOV     R11, #0
B       my_restart

So it looks like the stack pointer is set to 0x1900. Then we jump to my_restart, which copies blob_chdk_core into MEMISOSTART, which for the sd280 appears to be 0x2bd558, based on this thread showing that initialized data gets copied (sd280: into 0x8000 - 0x29460) and then bss is initialized (sd280: from 0x29460 - 0x2bd558).

So it seems to me that the stack pointer should be set to 0x8000, and blob_chdk_core would be copied to 0x2bd558, no? So that would be the initial load address?

Here's the sx280 init code:

Code:
ROM:FC020000 loc_FC020000                            ; CODE XREF: sub_FC095C40+7Aj
ROM:FC020000                                         ; DATA XREF: sub_FC095C40+74o ...
ROM:FC020000                 B.W             EntryPoint
ROM:FC020000 ; END OF FUNCTION CHUNK FOR sub_FC095C40
ROM:FC020000 ; ---------------------------------------------------------------------------
ROM:FC020004 aGaonisoy       DCB "gaonisoy"
ROM:FC02000C ; ---------------------------------------------------------------------------
ROM:FC02000C ; START OF FUNCTION CHUNK FOR sub_FC095C40
ROM:FC02000C
ROM:FC02000C EntryPoint                              ; CODE XREF: sub_FC095C40:loc_FC020000j
ROM:FC02000C                 LDR.W           SP, =0x80010000
ROM:FC020010                 BL              sub_FC020064
ROM:FC020014                 LDR             R2, =0xC0242010
ROM:FC020016                 LDR             R1, [R2]
ROM:FC020018                 ORR.W           R1, R1, #1
ROM:FC02001C                 STR             R1, [R2]
ROM:FC02001E                 LDR             R0, =0xFC9538D4
ROM:FC020020                 LDR             R1, =0x10C1000
ROM:FC020022                 LDR             R3, =0x10E03C4
ROM:FC020024
ROM:FC020024 loc_FC020024                            ; CODE XREF: sub_FC095C40-75C10j
ROM:FC020024                 CMP             R1, R3
ROM:FC020026                 ITT CC
ROM:FC020028                 LDRCC.W         R2, [R0],#4
ROM:FC02002C                 STRCC.W         R2, [R1],#4
ROM:FC020030                 BCC             loc_FC020024
ROM:FC020032                 LDR             R0, =0x10C1000
ROM:FC020034                 LDR             R1, =0x1F3C4
ROM:FC020036                 BL              sub_FC12DD3A
ROM:FC02003A                 LDR             R0, =0xFC932474
ROM:FC02003C                 LDR             R1, =0x8000
ROM:FC02003E                 LDR             R3, =0x29460
ROM:FC020040
ROM:FC020040 loc_FC020040                            ; CODE XREF: sub_FC095C40-75BF4j
ROM:FC020040                 CMP             R1, R3
ROM:FC020042                 ITT CC
ROM:FC020044                 LDRCC.W         R2, [R0],#4
ROM:FC020048                 STRCC.W         R2, [R1],#4
ROM:FC02004C                 BCC             loc_FC020040
ROM:FC02004E                 LDR             R3, =0x29460
ROM:FC020050                 LDR             R1, =0x2BD558
ROM:FC020052                 MOV.W           R2, #0
ROM:FC020056
ROM:FC020056 loc_FC020056                            ; CODE XREF: sub_FC095C40-75BE2j
ROM:FC020056                 CMP             R3, R1
ROM:FC020058                 IT CC
ROM:FC02005A                 STRCC.W         R2, [R3],#4
ROM:FC02005E                 BCC             loc_FC020056
ROM:FC020060                 B.W             sub_FC04F194
ROM:FC020060 ; END OF FUNCTION CHUNK FOR sub_FC095C40

Offline reyalp

Re: SX280 HS 101B Dump - I am truly willing to help test if someone develops
« Reply #35 on: 08 / September / 2013, 22:58:46 »
Quote
You need to build your binary to be located wherever the camera boot code loads it. In previous digic versions, this is always 0x1900. In sx260, the code that sets this up is at FF027260. It looks like it's a bit different on sx280, so I'm not sure what the initial load address will be.

Wait... I'm looking at entry.S, and it has this:

Code:
MOV     SP, #0x1900
MOV     R11, #0
B       my_restart

So it looks like the stack pointer is set to 0x1900.
The stack grows down.

The initial code (when entry.S runs) is located at 0x1900 by the firmware. MEMISOSTART is where the final CHDK binary is located. That is placed such that it replaces part of the canon heap (unless exmem is in use) because we have to have the normal Canon OS stuff in its normal place, which is also starting around 0x1900.

edit:
On pre-digic 6 cams, you can find the code that does this in a function I've called canon_copy_and_restart, which is located in the bootloader code (FFFF0B28 in sx260). A pointer to this is stored in data TCM and used by the firmware to boot code loaded into RAM (like diskboot or firmware updates). See FFFF0A14

This function looks like f(void *dst, void *src, int count, void *entry)
« Last Edit: 08 / September / 2013, 23:16:06 by reyalp »
Don't forget what the H stands for.
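Added example, not code from the thread or from CHDK: it takes the loop parameters from the EntryPoint listing in reply #34 (the two ROM-to-RAM copy loops and the zeroing loop) and derives the RAM layout from them, mapping a RAM address back to the ROM bytes it was copied from. The dump it reads is constructed (every word holds its own ROM address) so the mapping can be checked offline.

```python
import struct

# Loop parameters from the literal pool of the EntryPoint listing at ROM:FC020000.
# Each copy loop moves 32-bit words from a ROM source into RAM [start, end).
COPY_LOOPS = [
    # (rom_src,    ram_start,   ram_end,    label)
    (0xFC9538D4, 0x010C1000, 0x010E03C4, "relocated to RAM (loop at FC020024)"),
    (0xFC932474, 0x00008000, 0x00029460, "initialized data (loop at FC020040)"),
]
# The loop at FC020056 stores R2 = 0 over this range: bss.
BSS = (0x00029460, 0x002BD558)


def region_sizes():
    """Byte size of each copied region and of bss."""
    sizes = {label: end - start for _, start, end, label in COPY_LOOPS}
    sizes["bss"] = BSS[1] - BSS[0]
    return sizes


def ram_to_rom(ram_addr):
    """ROM address supplying the initial contents of ram_addr, or None (bss / not covered)."""
    for src, start, end, _ in COPY_LOOPS:
        if start <= ram_addr < end:
            return src + (ram_addr - start)
    return None


def rom_to_ram(rom_addr):
    """Inverse mapping: where a ROM byte lands after the copy loops, or None."""
    for src, start, end, _ in COPY_LOOPS:
        if src <= rom_addr < src + (end - start):
            return start + (rom_addr - src)
    return None


def initial_ram_word(dump, dump_base, ram_addr):
    """Value ram_addr holds once the loops finish, read from a dump starting at dump_base."""
    if BSS[0] <= ram_addr < BSS[1]:
        return 0
    rom = ram_to_rom(ram_addr)
    if rom is None or not dump_base <= rom < dump_base + len(dump) - 3:
        return None
    return struct.unpack_from("<I", dump, rom - dump_base)[0]


def build_sample_dump():
    """Constructed dump covering the initialized-data source: each word equals its own ROM address."""
    base = 0xFC932474
    n = (0x29460 - 0x8000) // 4
    return struct.pack("<%dI" % n, *(base + 4 * i for i in range(n))), base


if __name__ == "__main__":
    for label, size in region_sizes().items():
        print("%-40s 0x%X bytes" % (label, size))
    # The data source ends exactly where the other loop's source begins.
    print("ROM sources contiguous:", 0xFC932474 + (0x29460 - 0x8000) == 0xFC9538D4)
```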

Offline srsa_4c

Re: SX280 HS 101B Dump - I am truly willing to help test if someone develops
« Reply #36 on: 09 / September / 2013, 15:29:31 »
Quote
From what I can gather, it probably doesn't support traditional ARM code.
I have seen a few ARM instructions in some places - most notably in these wrappers (wrapper is probably not the proper term):
Code:
loc_fc251d20: ; 7639 refs
fc251d20: f004 e51f ; <UNDEFINED> instruction: 0xf004e51f
fc251d24: 5c3d      ldrb r5, [r7, r0]
fc251d26: 010c      lsls r4, r1, #4
loc_fc251d28: ; 291 refs
fc251d28: f004 e51f ; <UNDEFINED> instruction: 0xf004e51f
fc251d2c: 2923      cmp r1, #35 ; 0x23
fc251d2e: 010c      lsls r4, r1, #4
loc_fc251d30: ; 129 refs
fc251d30: f004 e51f ; <UNDEFINED> instruction: 0xf004e51f
fc251d34: a128      add r1, pc, #160 ; 0xfc251dd8: (7b617be3)
fc251d36: 010d      lsls r5, r1, #4
The above undefined instructions are in fact ARM instructions which objdump couldn't decode, see my notes at the top of http://chdk.wikia.com/wiki/User:Srsa_4c/GPL:disassemblev7.pl
I have absolutely no idea why they are using interworking though.
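Added example, not part of srsa_4c's post or of any CHDK tool: it reads the three wrappers quoted above as ARM-state words. Taken little-endian, the halfwords f004 e51f form 0xE51FF004, which in ARM state is LDR PC,[PC,#-4]: it loads the word that follows into PC, and bit 0 of that word selects Thumb or ARM state (the interworking srsa_4c refers to). The byte string is re-typed from the listing; the decoding is this example's own interpretation of it.

```python
import struct

# The three wrappers from the listing, re-typed as raw little-endian bytes starting at
# loc_fc251d20 (halfwords "f004 e51f" are the bytes 04 f0 1f e5, and so on).
WRAPPERS_BASE = 0xFC251D20
WRAPPERS = bytes.fromhex(
    "04f01fe5" "3d5c0c01"   # fc251d20: f004 e51f / 5c3d 010c
    "04f01fe5" "23290c01"   # fc251d28: f004 e51f / 2923 010c
    "04f01fe5" "28a10d01"   # fc251d30: f004 e51f / a128 010d
)

# ARM-state encoding of LDR PC, [PC, #-4]. In ARM state PC reads as the
# instruction address + 8, so [PC, #-4] is the 32-bit word right after it.
LDR_PC_PC_MINUS_4 = 0xE51FF004

# RAM range the EntryPoint code (reply #34) fills from ROM 0xFC9538D4.
RELOC_RAM = (0x010C1000, 0x010E03C4)


def decode_veneer(data, base, addr):
    """Return (target, state) if the word at addr is LDR PC,[PC,#-4], else None.

    Loading PC from memory interworks on ARMv5 and later: bit 0 of the loaded
    value selects Thumb (1) or ARM (0) and is cleared before it becomes the PC.
    """
    off = addr - base
    if off < 0 or off + 8 > len(data):
        return None
    insn, target = struct.unpack_from("<II", data, off)
    if insn != LDR_PC_PC_MINUS_4:
        return None
    return target & ~1, ("thumb" if target & 1 else "arm")


def in_relocated_region(target):
    """True if the branch target lies in the block the boot code copies to RAM."""
    return RELOC_RAM[0] <= target < RELOC_RAM[1]


def decode_all(data, base, stride=8):
    """Decode every wrapper in a block laid out as 8-byte (instruction, literal) pairs."""
    found = {}
    for off in range(0, len(data) - 7, stride):
        v = decode_veneer(data, base, base + off)
        if v is not None:
            found[base + off] = v
    return found


if __name__ == "__main__":
    for addr, (target, state) in decode_all(WRAPPERS, WRAPPERS_BASE).items():
        print("%08X -> %08X (%s, in RAM copy: %s)"
              % (addr, target, state, in_relocated_region(target)))
```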

Re: SX280 HS 101B Dump - I am truly willing to help test if someone develops
« Reply #37 on: 09 / October / 2013, 04:36:03 »
Is anybody working on this version?
I have an SX 280. I cannot do programming, but want to help (for example testing).
(A 410), SX 200, (SX 280), SX 700


Re: SX280 HS 101B Dump - I am truly willing to help test if someone develops
« Reply #38 on: 24 / October / 2013, 21:05:51 »
This camera is desperately looking for a CHDK hack, because of the battery indicator issue.
And: raw, timelapse, auto ISO is poor (mostly 80 or 1600), ISO is locked if shutter speed is set to 1 sec or more in Shutter-priority mode...
(A 410), SX 200, (SX 280), SX 700

Re: SX280 HS 101B Dump - I am truly willing to help test if someone develops
« Reply #39 on: 24 / October / 2013, 21:59:49 »
Quote
Is anybody working on this version?
I have an SX 280. I cannot do programming, but want to help (for example testing).
Quote
This camera is desperately looking for a CHDK hack, because of the battery indicator issue.
And: raw, timelapse, auto ISO is poor (mostly 80 or 1600), ISO is locked if shutter speed is set to 1 sec or more in Shutter-priority mode...
For the benefit of people who come across this thread hoping for CHDK for their SX270 / SX280, you need to understand that the software in these cameras is substantially different from all the other cameras that run CHDK. Without going into details, it may very well be a long time until somebody has the patience to work through a hack for these cameras. It's a really big job to get it all done! :'(

@mastodon : if / when CHDK works on this camera, it's not going to solve Canon's battery problems - the other things you mentioned could get better though.
Ported :   A1200    SD940   G10    Powershot N    G16
