
Powershot A3100 - Porting thread

Powershot A3100 - Porting thread
« on: 16 / August / 2010, 09:20:15 »
Ok, let's start.
Firmware:
DUMP_FF810000_A3100_1.00B.BIN - 23.81MB
Start address: 0xFF810000
Just cut it to 8MB and start disassembling.
The key/IV, as far as I saw, is different from the 2009 cameras.


Offline c10ud

Re: Powershot A3100 - Porting thread
« Reply #1 on: 16 / August / 2010, 13:52:58 »


Offline fe50

Re: Powershot A3100 - Porting thread
« Reply #2 on: 17 / August / 2010, 01:35:00 »
Good work; added to the dumps archive...
Added the A3100 1.00B dump from this post (8MB full dump, by Ameglin / c10ud, dumped with reyalP's new CBasic udumper) to the drop.io - chdkdumps3 backup archive.
  http://drop.io/chdkdumps3/asset/a3100-100b-7z
Thx to the 'dumpers' & uploaders !


Offline reyalp

Re: Powershot A3100 - Porting thread
« Reply #3 on: 17 / August / 2010, 01:59:59 »
"DRYOS version 2.3, release #0043"

A new one, the highest previously known was 39 (edit: for P&S, looks like EOS 550D uses this too)

edit:
Looks to me like the key is different but the IV is the same as for other d4?

Also, dancingbits updated.
« Last Edit: 17 / August / 2010, 03:00:35 by reyalp »
Don't forget what the H stands for.


Re: Powershot A3100 - Porting thread
« Reply #4 on: 17 / August / 2010, 09:12:57 »
Dancingbits is correct. I used it as the encoder in udumper nudryos and dumped the SX210IS & A3100 firmware, so I suppose that other 2010 cameras have the same dancingbits:
http://chdk.setepontos.com/index.php/topic,5045.msg53819.html#msg53819

Re: Powershot A3100 - Porting thread
« Reply #5 on: 18 / August / 2010, 07:55:24 »
I found all LEDs using cycling code:
/* A3100 LED / display control register addresses, found empirically by
 * cycling through candidate addresses (see the notes below the listing);
 * they are not taken from documentation. Writes of 0x46 / 0x44 are used
 * elsewhere in this thread for "on" / "off". */
#define LED_POWER   0xC0220010   /* presumably the power LED (loader main.c below turns it off at shutdown) */
#define LED_AF   0xC0220008      /* AF LED; it reacts at four consecutive addresses, 0x08..0x0B */
#define LED_AF_ALT           0xC0220009
#define LED_AF_ALT_2        0xC022000A
#define LED_AF_ALT_3   0xC022000B
#define WHITE_SCREEN   0xC0220007     /* turns the display plain white; a second address (0x06) does the same */
#define WHITE_SCREEN_ALT 0xC0220006
#define FLASH 0xC022000C              /* fires the flash once per write */
The AF LED has 4 different addresses
The WHITE_SCREEN "LED" turns on the display showing plain white (it has 2 different addresses)
The FLASH "LED" fires the flash once

Re: Powershot A3100 - Porting thread
« Reply #6 on: 19 / August / 2010, 09:13:32 »
I'm now trying to boot CHDK, and have a little problem. After executing resetcode/main.c, the program doesn't jump to core/entry.s
Here is some code:
resetcode/main.c

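/*
 * copy_and_restart - last stage of the CHDK loader.
 *
 * Copies `length` bytes from src_void to dst_void (the CHDK core blob to
 * its run address), then replays the firmware's reset sequence - mask
 * interrupts, reconfigure caches/TCM through CP15 - and branches to the
 * freshly copied image. The function never returns; its own stack frame
 * is simply abandoned.
 *
 * dst_void: destination, and the address branched to afterwards
 * src_void: source blob
 * length:   byte count (a negative value would never terminate the copy loops)
 *
 * Two defects of the first draft are fixed here: the jump vector is taken
 * from the %0 operand (dst_void) instead of the constant #0, and the
 * "STM SP!,{R1,R2}" / "LDM SP!,{R1,R2}" pair is dropped - with no suffix
 * both are the increment-after forms (STMIA/LDMIA), so the LDM reloaded
 * R1/R2 from the two words *above* the ones just stored and left SP
 * advanced by 16 bytes rather than restoring anything.
 */
void __attribute__((noreturn)) copy_and_restart(void *dst_void, const void *src_void, long length) {
        {
                char *dst = dst_void;
                const char *src = src_void;

                if (src < dst && dst < src + length)
                {
                        /* Destination overlaps the tail of the source: copy
                         * backwards so no byte is overwritten before it is read. */
                        src += length;
                        dst += length;
                        while (length--)
                        {
                                *--dst = *--src;
                        }
                }
                else
                {
                        while (length--)
                        {
                                *dst++ = *src++;
                        }
                }
        }
        asm volatile (
                 /* CPSR: clear the mode and Thumb bits, then select SVC mode
                  * (0x13) with IRQ (bit 7) and FIQ (bit 6) disabled. */
                 "MRS     R0, CPSR\n"
                 "BIC     R0, R0, #0x3F\n"
                 "ORR     R0, R0, #0xD3\n"
                 "MSR     CPSR, R0\n"
                 /* All-ones writes to 0xC0200000 + {0x10C, 0x0C, 0x1C, ... 0xFC},
                  * copied verbatim from the firmware reset code - presumably
                  * the interrupt controller. NOTE(review): the register
                  * meaning is not established here. */
                 "LDR     R1, =0xC0200000\n"
                 "MOV     R0, #0xFFFFFFFF\n"
                 "STR     R0, [R1,#0x10C]\n"
                 "STR     R0, [R1,#0xC]\n"
                 "STR     R0, [R1,#0x1C]\n"
                 "STR     R0, [R1,#0x2C]\n"
                 "STR     R0, [R1,#0x3C]\n"
                 "STR     R0, [R1,#0x4C]\n"
                 "STR     R0, [R1,#0x5C]\n"
                 "STR     R0, [R1,#0x6C]\n"
                 "STR     R0, [R1,#0x7C]\n"
                 "STR     R0, [R1,#0x8C]\n"
                 "STR     R0, [R1,#0x9C]\n"
                 "STR     R0, [R1,#0xAC]\n"
                 "STR     R0, [R1,#0xBC]\n"
                 "STR     R0, [R1,#0xCC]\n"
                 "STR     R0, [R1,#0xDC]\n"
                 "STR     R0, [R1,#0xEC]\n"
                 /* Firmware artefact: the original returns early when R4 == 7.
                  * Here R4 holds whatever the compiled C left in it (it is in
                  * the clobber list below) - TODO confirm this early return can
                  * never be taken. CMP also alters the condition flags, which
                  * the clobber list does not declare ("cc"). */
                 "CMP     R4, #7\n"
                 "STR     R0, [R1,#0xFC]\n"
                 "LDMEQFD SP!, {R4,PC}\n"
                 /* CP15 c1 (control register) := 0x78: caches and the
                  * protection unit off, only bits 3-6 (read-as-one on ARMv5)
                  * left set - confirm against the core's TRM. */
                 "MOV     R0, #0x78\n"
                 "MCR     p15, 0, R0,c1,c0\n"
                 /* CP15 c7 maintenance: drain write buffer, invalidate
                  * I-cache, invalidate D-cache. */
                 "MOV     R0, #0\n"
                 "MCR     p15, 0, R0,c7,c10, 4\n"
                 "MCR     p15, 0, R0,c7,c5\n"
                 "MCR     p15, 0, R0,c7,c6\n"
                 /* CP15 c9,c1 (opcode2 0 and 1): presumably the data / instruction
                  * TCM region registers - base 0x40000000, size field 6; the
                  * size encoding is not decoded here. */
                 "MOV     R0, #0x40000006\n"
                 "MCR     p15, 0, R0,c9,c1\n"
                 "MCR     p15, 0, R0,c9,c1, 1\n"
                 /* Set bits 16 and 18 of the control register; on ARM946 these
                  * are the DTCM / ITCM enables - confirm for this core. */
                 "MRC     p15, 0, R0,c1,c0\n"
                 "ORR     R0, R0, #0x50000\n"
                 "MCR     p15, 0, R0,c1,c0\n"
                 /* Marker word at 0x40000FFC, inside the window configured
                  * above, as the firmware does - purpose not stated here. */
                 "LDR     R0, =0x12345678\n"
                 "MOV     R1, #0x40000000\n"
                 "STR     R0, [R1,#0xFFC]\n"
                 /* The firmware loads its own entry (sub_FF810000) here; we
                  * branch to the copied CHDK core (dst_void) instead. */
                 "MOV     R0, %0\n"
                 /* Pops whatever frame the compiler's prologue pushed; the
                  * popped values are irrelevant because we never return -
                  * only R0 matters from here on. */
                 "LDMFD   SP!, {R4,LR}\n"
                 "BX      R0\n"
                 : : "r"(dst_void) : "memory","r0","r1","r2","r3","r4");
        while(1);
}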
I don't know exactly what it can be, but I think it is because the last instruction, "BX R0", doesn't work as it should, or R0 has the wrong value. I tried to light the LED at the beginning of core/entry.s with this code (it works in other entry files), but had no success:
// Debug LED probe placed at the start of core/entry.s (it did not light up).
// NOTE(review): with no suffix, STM SP! / LDM SP! are the increment-after
// forms (STMIA/LDMIA): the STM writes R1,R2 at [SP],[SP+4] and raises SP by 8,
// and the LDM then reloads R1,R2 from the *next* two words and raises SP by 8
// again - net SP += 16 and R1,R2 are not restored. A save/restore on a
// full-descending stack would be STMFD / LDMFD.
STM SP!,{R1,R2}
LDR    R1, =0xC0220000
MOV   R2, #0x46            // 0x46 = LED on, 0x44 = off (same values as loader main.c)
STR   R2, [R1,#0xA]        // 0xC022000A = LED_AF_ALT_2 from the LED list; a word store to a non-word-aligned address - confirm the intended register and width
LDM SP!,{R1,R2}
Does anyone have an idea why that could be?


Offline whoever

Re: Powershot A3100 - Porting thread
« Reply #7 on: 19 / August / 2010, 09:30:56 »
I don't know what exactly it can be, but I think it is because last operand "BX R0" doesn't work as it must, or R0 has wrong value.
It does have a wrong value, as you have "MOV  R0, #0\n" a few lines before BX. I reckon it should be "mov  R0, %0\n" instead.


Re: Powershot A3100 - Porting thread
« Reply #8 on: 23 / August / 2010, 06:51:33 »
Thanks! It was my mistake. After changing it to MOV R0, %0 the jump succeeds.
Now I'm trying to adapt the boot process to this camera...

Re: Powershot A3100 - Porting thread
« Reply #9 on: 24 / August / 2010, 05:19:00 »
For now the loader works well. Here it is:
loader\a3100\resetcode\main.c:
/*
 * copy_and_restart - last stage of the CHDK loader (working version).
 *
 * Copies `length` bytes from src_void to dst_void (the CHDK core blob to
 * its run address), then replays the firmware's reset sequence - mask
 * interrupts, reconfigure caches/TCM through CP15 - and branches to the
 * freshly copied image via the %0 operand. Never returns.
 *
 * dst_void: destination, and the address branched to afterwards
 * src_void: source blob
 * length:   byte count (a negative value would never terminate the copy loops)
 *
 * NOTE(review): "LDMFD SP!, {R4,LR}" near the end assumes the compiler's
 * prologue pushed exactly {R4,LR}; since the function never returns only
 * R0 matters, but any edit to the C part may change that prologue.
 */
void __attribute__((noreturn)) copy_and_restart(void *dst_void, const void *src_void, long length) {
        {
char *dst = dst_void;
                const char *src = src_void;

                if (src < dst && dst < src + length)
                {
                        /* Destination overlaps the tail of the source:
                         * copy backwards so no byte is overwritten
                         * before it is read. */
                        src += length;
                        dst += length;
                        while (length--)
                        {
                            *--dst = *--src;
                        }
                }
                else
                {
                        while (length--)
                        {
                                *dst++ = *src++;
                        }
                }
        }
        asm volatile (

                 /* CPSR: clear the mode and Thumb bits, then select SVC
                  * mode (0x13) with IRQ (bit 7) and FIQ (bit 6) disabled. */
"MRS     R0, CPSR\n"
                 "BIC     R0, R0, #0x3F\n"
                 "ORR     R0, R0, #0xD3\n"
                 "MSR     CPSR, R0\n"
/* Disabled debug LED probe. NOTE(review): STM SP! / LDM SP! without a
 * suffix are STMIA/LDMIA, so if re-enabled this pair leaves SP advanced
 * by 16 bytes and does not restore R1,R2; use STMFD/LDMFD instead. */
//"STM   SP!,{R1,R2}\n"
//"LDR   R1, =0xC0220000\n"
//"MOV   R2, #0x46\n" //Debug LED_on
//"STR   R2, [R1,#0x10]\n"                           //0x10 - Power_LED
//"LDM   SP!,{R1,R2}\n"
                 /* All-ones writes to 0xC0200000 + {0x10C, 0x0C, ... 0xFC},
                  * copied verbatim from the firmware reset code - presumably
                  * the interrupt controller; register meaning not
                  * established here. */
                 "LDR     R1, =0xC0200000\n"
                 "MOV     R0, #0xFFFFFFFF\n"
                 "STR     R0, [R1,#0x10C]\n"
                 "STR     R0, [R1,#0xC]\n"
                 "STR     R0, [R1,#0x1C]\n"
                 "STR     R0, [R1,#0x2C]\n"
                 "STR     R0, [R1,#0x3C]\n"
                 "STR     R0, [R1,#0x4C]\n"
                 "STR     R0, [R1,#0x5C]\n"
                 "STR     R0, [R1,#0x6C]\n"
                 "STR     R0, [R1,#0x7C]\n"
                 "STR     R0, [R1,#0x8C]\n"
                 "STR     R0, [R1,#0x9C]\n"
                 "STR     R0, [R1,#0xAC]\n"
                 "STR     R0, [R1,#0xBC]\n"
                 "STR     R0, [R1,#0xCC]\n"
                 "STR     R0, [R1,#0xDC]\n"
                 "STR     R0, [R1,#0xEC]\n"
                 /* Firmware artefact: the original returns early when
                  * R4 == 7. Here R4 holds whatever the compiled C left
                  * in it (it is in the clobber list) - TODO confirm the
                  * early return can never be taken. CMP also alters the
                  * flags, which the clobber list does not declare. */
                 "CMP     R4, #7\n"
                 "STR     R0, [R1,#0xFC]\n"
                 "LDMEQFD SP!, {R4,PC}\n"
                 /* CP15 c1 (control register) := 0x78: caches and the
                  * protection unit off, only bits 3-6 (read-as-one on
                  * ARMv5) left set - confirm against the core's TRM. */
                 "MOV     R0, #0x78\n"
                 "MCR     p15, 0, R0,c1,c0\n"
                 /* CP15 c7 maintenance: drain write buffer, invalidate
                  * I-cache, invalidate D-cache. */
                 "MOV     R0, #0\n"
                 "MCR     p15, 0, R0,c7,c10, 4\n"
                 "MCR     p15, 0, R0,c7,c5\n"
                 "MCR     p15, 0, R0,c7,c6\n"
                 /* CP15 c9,c1 (opcode2 0 and 1): presumably the data /
                  * instruction TCM region registers - base 0x40000000,
                  * size field 6; size encoding not decoded here. */
                 "MOV     R0, #0x40000006\n"
                 "MCR     p15, 0, R0,c9,c1\n"
                 "MCR     p15, 0, R0,c9,c1, 1\n"
                 /* Set bits 16 and 18 of the control register; on ARM946
                  * these are the DTCM / ITCM enables - confirm for this core. */
                 "MRC     p15, 0, R0,c1,c0\n"
                 "ORR     R0, R0, #0x50000\n"
                 "MCR     p15, 0, R0,c1,c0\n"
                 /* Marker word at 0x40000FFC, inside the window configured
                  * above, as the firmware does - purpose not stated here. */
                 "LDR     R0, =0x12345678\n"
                 "MOV     R1, #0x40000000\n"
                 "STR     R0, [R1,#0xFFC]\n"
                 /* The firmware loads its own entry here; CHDK branches
                  * to the copied core (dst_void, operand %0) instead. */
                 //"LDR     R0, =sub_FF810000\n"
                 "MOV     R0, %0\n"              // new jump-vector
                 "LDMFD   SP!, {R4,LR}\n"
                 "BX      R0\n"

                 : : "r"(dst_void) : "memory","r0","r1","r2","r3","r4");
        while(1);
}
loader\a3100\resetcode\entry.s:
              .section .entry
// Entry of the resetcode blob, executed from RESTARTSTART once my_restart()
// has copied it there. Sets up a fresh stack and tail-branches to
// copy_and_restart; R0-R2 (dst, src, length) are presumably still the
// arguments my_restart() passed, since nothing here touches them.
MOV     SP, #0x1900        // same stack top as loader/entry.s
MOV     R11, #0            // clear the frame pointer (R11 under APCS)
B copy_and_restart
loader\a3100\main.c:
/* Forward declarations: both halt the camera and never return. */
static void __attribute__((noreturn)) shutdown();
static void __attribute__((noreturn)) panic(int cnt);

/* Symbols defined in blobs.s: each *_size word holds the byte length of an
 * embedded image (end - start) and each pointer word holds the image's
 * start address, which is why they are read here as `long` and `long *`. */
extern long *blob_chdk_core;
extern long *blob_copy_and_reset;
extern long blob_chdk_core_size;
extern long blob_copy_and_reset_size;


/*
 * my_restart - stage the resetcode blob and hand control to it.
 *
 * Copies blob_copy_and_reset word by word to RESTARTSTART (the address
 * the resetcode was linked for), then calls it as copy_and_restart() with
 * the CHDK core blob and its destination MEMISOSTART. copy_and_restart
 * never returns, so neither does this function.
 *
 * The local prototype (char*, char*, long) differs cosmetically from the
 * resetcode definition (void*, const void*, long); same calling convention.
 */
void __attribute__((noreturn)) my_restart()
{
    void __attribute__((noreturn)) (*copy_and_restart)(char *dst, char *src, long length);
    long *reset_dst = (long *)RESTARTSTART;
    unsigned long words = blob_copy_and_reset_size / sizeof(long);
    unsigned long k;

    /* Word copy; a trailing partial word (size not a multiple of
     * sizeof(long)) is not copied, exactly as before. */
    for (k = 0; k < words; k++) {
        reset_dst[k] = blob_copy_and_reset[k];
    }

    copy_and_restart = (void*)RESTARTSTART;
    copy_and_restart((void*)MEMISOSTART, (char*)blob_chdk_core, blob_chdk_core_size);
}

/* Same register as LED_POWER in the LED list posted earlier in this thread;
 * 0x46 lights it, 0x44 turns it off (see panic()). */
#define LED_PR 0xC0220010


/*
 * shutdown - mask IRQs and park the CPU with the LED off. Never returns.
 *
 * The inline asm sets the I bit (0x80) in CPSR. "AND R0, R1, #0x80"
 * captures the previous I-bit state in R0, but nothing reads it.
 */
static void __attribute__((noreturn)) shutdown()
{
    volatile long *led = (volatile long *)LED_PR;   /* assumed to be the power LED: it is the one switched off here */

    asm(
         "MRS     R1, CPSR\n"
         "AND     R0, R1, #0x80\n"
         "ORR     R1, R1, #0x80\n"
         "MSR     CPSR_cf, R1\n"
         :::"r1","r0");

    led[0] = 0x44;  /* LED off - same value panic() uses */

    for (;;) {
    }
}


/* Busy-wait used between LED transitions in panic(): 0x200000 iterations of
 * two NOPs. An asm statement without outputs is implicitly volatile, so the
 * loop is not optimised away. */
static void led_blink_delay(void)
{
    for (int k = 0; k < 0x200000; k++) {
        asm ("nop\n");
        asm ("nop\n");
    }
}

/*
 * panic - blink the LED at LED_PR `cnt` times, then halt via shutdown().
 *
 * 0x46 switches the LED on, 0x44 off (the value shutdown() writes too).
 * cnt <= 0 blinks nothing and halts immediately. Never returns.
 */
static void __attribute__((noreturn)) panic(int cnt)
{
    volatile long *led = (volatile long *)LED_PR;

    while (cnt-- > 0) {
        *led = 0x46;
        led_blink_delay();
        *led = 0x44;
        led_blink_delay();
    }
    shutdown();
}
loader\a3100\entry.s:
// Loader entry point: spins 0x8000 iterations before anything else, then
// sets up the stack and enters my_restart() (which never returns).
MOV     R3, #0x8000   
1:
SUB R3, R3, #1
CMP R3, #0
BNE 1b                 // busy-wait delay; its purpose is not stated in the thread

// ordinary startup...

MOV     SP, #0x1900    // stack top; resetcode/entry.s uses the same value
MOV     R11, #0        // clear the frame pointer (R11 under APCS)
B my_restart
loader\a3100\blobs.s:
    // Embeds the two loader images as raw binaries and publishes each one's
    // start address and byte size as data words, matching the extern
    // declarations in main.c (long *blob_x, long blob_x_size).
    .globl blob_copy_and_reset, blob_copy_and_reset_size
    .globl blob_chdk_core, blob_chdk_core_size

    // RESET_FILE / CORE_FILE are preprocessor macros naming the files to
    // embed - presumably supplied by the build system (not shown here).
    .section .blob_copy_and_reset
blob_copy_and_reset_start:
    .incbin RESET_FILE
blob_copy_and_reset_end:

    .section .blob_chdk_core
blob_chdk_core_start:
    .incbin CORE_FILE
blob_chdk_core_end:

    .text
    // *_size = end - start in bytes (read from C as `long`).
blob_chdk_core_size:
    .long blob_chdk_core_end - blob_chdk_core_start
    // The pointer symbols hold the start address (read from C as `long *`).
blob_chdk_core:
    .long blob_chdk_core_start

blob_copy_and_reset_size:
    .long blob_copy_and_reset_end - blob_copy_and_reset_start
blob_copy_and_reset:
    .long blob_copy_and_reset_start
And I modified boot.c, so the camera now starts normally with spytask, but none of the hooks work yet. My next step will be finding the right function addresses (stubs_entry_2.s) and making all hooks work properly.
