G11 porting

Re: G11 porting
« Reply #110 on: 30 / December / 2009, 18:17:31 »
« Last Edit: 30 / December / 2009, 18:38:00 by kingcang »

*

Offline ERR99

Re: G11 porting
« Reply #111 on: 30 / December / 2009, 18:31:12 »
For the benefit of those who will be browsing this thread in the future, can you explain your hardware setup and exact code used in some detail?
Sure, I used this setup:
1. Hardware: The "serial port download solution" from the wiki. http://chdk.wikia.com/wiki/File:UART_receiver.jpeg#
    This is the simple build with only a 10 kOhm resistor and a SFH 300-3/4 photodiode.
    I placed the photodiode directly in front of the G11 AF light (ca. 2 cm distance or so).
    Then I tested whether the photodiode works as it should; the readme of the COM-port software (Blinker_Java_Version_by_Syrius\by_grand_blink_g7) describes how to do that.
    (Measure the voltage between COM port GND (Pin 5) and RX (Pin 2).)
2. Software: I modified the dumper software from grand_blink so that it permanently sends the same string in an endless loop at 9600 baud. So I could use a terminal program to check whether I can receive the text string or not, and find the best distance between the G11 and the photodiode. At first I received only garbage, but then I doubled the delay value in the dumper software and I got an error-free transmission. Then I switched back to the normal dumper code and started the firmware dump session with load.exe.
Bottom line: For the grand_blink dumper code, only the change of the LED address and of the delay value was necessary, and then it works. :)
For the Java dumping tool (with CRC check and so on), only the change of the LED address was necessary. I used the default value defined for 9600 baud here, and it also fits the G11.

I also tested the photodiode on the mic input of the sound card. I got fine peaks here too with the G11 AF light, so I think this readout method should also work fine. The SFH 300-3/4 photodiode is now my favourite for firmware dumping via LED. ;)
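
As an added example (not part of ERR99's post and not code from the grand_blink or Java tools): a minimal host-side model of the LED serial stream described in reply #111, showing why a sender bit delay that is too short for the receiver decodes as garbage. It assumes 8N1 framing, LSB first, an idle-high line and samples already thresholded to 0/1; all function names are hypothetical.

```python
# Added example: bit-banged serial over an LED, modelled on thresholded samples.
# Assumptions (not from the thread): 8N1 framing, LSB first, idle level 1.

def encode_8n1(data, samples_per_bit):
    """Sender: the LED level over time, one list entry per sample period."""
    out = [1] * (4 * samples_per_bit)               # idle before the first frame
    for byte in data:
        bits = [0] + [(byte >> k) & 1 for k in range(8)] + [1]  # start, data, stop
        for bit in bits:
            out.extend([bit] * samples_per_bit)
    out.extend([1] * (4 * samples_per_bit))         # idle after the last frame
    return out

def decode_8n1(samples, samples_per_bit):
    """Receiver: returns (decoded bytes, count of framing errors)."""
    data, errors, i = bytearray(), 0, 1
    while i < len(samples):
        if not (samples[i - 1] == 1 and samples[i] == 0):   # wait for falling edge
            i += 1
            continue
        # Sample each bit cell at its centre, measured from the start edge.
        centres = [i + int((k + 0.5) * samples_per_bit) for k in range(10)]
        if centres[9] >= len(samples):
            break                                    # truncated final frame
        byte = sum(samples[centres[k + 1]] << k for k in range(8))
        if samples[centres[0]] == 0 and samples[centres[9]] == 1:
            data.append(byte)
            i = centres[9]                           # resume inside the stop bit
        else:
            errors += 1                              # bad start/stop: resync
            i += 1
    return bytes(data), errors

MESSAGE = b"G11 blink test\r\n"                      # constructed sample input

def demo():
    """Decode at the receiver's expected rate (10 samples/bit) in two cases."""
    good = decode_8n1(encode_8n1(MESSAGE, 10), 10)   # sender timing matches
    fast = decode_8n1(encode_8n1(MESSAGE, 5), 10)    # sender delay half as long
    return good, fast

if __name__ == "__main__":
    good, fast = demo()
    print("matched timing :", good)
    print("sender too fast:", fast)
```

Because the decoder resynchronises on every start edge, a small timing error is tolerated within one frame, while a bit period that is off by a factor of two is not.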

*

Offline ERR99

Re: G11 porting
« Reply #112 on: 30 / December / 2009, 19:25:01 »
Okay, and here is my full 8MB Flash dump of the Canon G11 GM1.00J Firmware:

G11_GM100J_8MB.zip - 2.59MB

Re: G11 porting
« Reply #113 on: 30 / December / 2009, 19:52:10 »
So, it ends at 0x007eb9af?



*

Offline reyalp

Re: G11 porting
« Reply #114 on: 30 / December / 2009, 20:11:46 »
Looks like a complete dump to me.

DRYOS version 2.3, release #0039 <- this means it's probably like ixus200, sx20, with many functions different from earlier cameras.
Don't forget what the H stands for.

*

Offline fe50

Re: G11 porting
« Reply #115 on: 30 / December / 2009, 20:12:47 »
@ERR99: congratulations!

Added the G11 1.00j dump from this post (8MB dump, blinked out by ERR99) to the drop.io - chdkdumps2 backup archive.
  http://drop.io/chdkdumps2/asset/g11-100j-7z
Thx to the 'dumpers' & uploaders !

Re: G11 porting
« Reply #116 on: 30 / December / 2009, 20:32:57 »
Hmmm .. it is causing IDA to hang.

I will try again 'tomorrow'.


*

Offline ERR99

Re: G11 porting
« Reply #117 on: 31 / December / 2009, 03:46:48 »
I already took a look into the code, to check if the G11 uses a new "dancingbits" code, which prevents the execution of diskboot.bin. But it has the same dancingbits code as one of the previous models { 5,3,6,1,2,7,0,4 }.
Can you test a diskboot encoded with this that just turns on an LED?

This NEED_ENCODED_DISKBOOT=2 btw, like sx200.
Before I tried to dump via LED, I already used the dancingbit exe with all encoding variants (1,2,3) on my blinker software, but it did not start. But anyway, I will try it again now. ;)
BTW: In my previous post, I copy&pasted the wrong dancing bit code. In the G11 firmware this one is used: { 2,5,0,4,6,1,3,7 }
(You can find it at 0xFFBBA698 in G11 firmware). So the correct dancingbits encoding number should be three, as used for ixus200_sd980, sx20.


*

Offline ERR99

Re: G11 porting
« Reply #118 on: 31 / December / 2009, 03:54:48 »
So, it ends at 0x007eb9af?
I loaded the firmware into IDA with these values, and it works:
Start address: 0xFF810000
Length: 0x7EFFFC

*

Offline ERR99

Re: G11 porting
« Reply #119 on: 31 / December / 2009, 04:04:36 »
I already took a look into the code, to check if the G11 uses a new "dancingbits" code, which prevents the execution of diskboot.bin. But it has the same dancingbits code as one of the previous models { 5,3,6,1,2,7,0,4 }.
Can you test a diskboot encoded with this that just turns on an LED?

This NEED_ENCODED_DISKBOOT=2 btw, like sx200.
Before I tried to dump via LED, I already used the dancingbit exe with all encoding variants (1,2,3) on my blinker software, but it did not start. But anyway, I will try it again now. ;)
BTW: In my previous post, I copy&pasted the wrong dancing bit code. In the G11 firmware this one is used: { 2,5,0,4,6,1,3,7 }
(You can find it at 0xFFBBA698 in G11 firmware). So the correct dancingbits encoding number should be three, as used for ixus200_sd980, sx20.
reyalp, you are right! With dancingbits encoding 3, I can start my LED flashing program directly via the diskboot.bin boot method! Hmm, strange, I already tried this before, but maybe I messed up something in my previous run.
Anyway, this is good and means we have a good chance to start up CHDK as usual. :)

 
