
IXUS75/SD750 1.01a | 1.00b | 1.02a - Update 09Nov2008 - Passing the Torch


whim
  • Publish
    Re: IXUS75/SD750 1.01a - Port (Maybe) Finished
    « Reply #20 on: 07 / April / 2008, 18:57:27 »
    @somacore
    @GrAnd

    we got the 101B dump already: [DOWNLOAD LINKS] Firmware dumps available

    wim

  • Publish
    Re: IXUS75/SD750 1.01a - Port (Maybe) Finished
    « Reply #21 on: 07 / April / 2008, 20:26:34 »
    I could use some assistance.

    I've stepped through my dump side by side with the "how to add a new camera" guide and am not getting anywhere. I've changed some entries in lib.c, boot.c as shown below and CHDK still doesn't seem to want to load.

    On the firm update screen it asks if I want to change from 1.0.2.0 to 1.0.1.1, I was thinking that might be the problem, the camera thinks it's downgrading, so it might not load chdk? I'm not sure.

    void boot() - setup .data and .bss - Done

    void h_usrInit() - Nothing interesting here. Just don't forget to fix the call to h_usrKernelInit(). -Done

    void  h_usrKernelInit() -Done
     - fix R0(h_usrRoot) and (IMPORTANT!)
    R2 (pMemPoolStart) parameters of kernelInit() call


    Any thoughts? At all?

    Edit: I'm using the source tree TPC gave me when he was done porting v1.01a
    « Last Edit: 07 / April / 2008, 20:29:27 by somacore »

  • Publish
    Re: IXUS75/SD750 1.01a - Port (Maybe) Finished
    « Reply #22 on: 08 / April / 2008, 00:37:15 »
    somacore, I was in the same boat as you were at the top of this page.  I dumped and messed with my firmware for the sd450 and when I put it on the memory card, the camera restarted and nothing changed.  What did you change that made your camera not boot any more?  I know it's still not working, but it might help me because I'm stuck as well.

  • Publish
    Re: IXUS75/SD750 1.01a - Port (Maybe) Finished
    « Reply #23 on: 08 / April / 2008, 07:01:26 »
    Quote
        somacore, I was in the same boat as you were at the top of this page.  I dumped and messed with my firmware for the sd450 and when I put it on the memory card, the camera restarted and nothing changed.  What did you change that made your camera not boot any more?  I know it's still not working, but it might help me because I'm stuck as well.

    The camera still does what it did at the top of page 2, reboots as though nothing is changed.

    1. generate firmware
    2. load to camera
    3. upgrade firmware 1.0.2.0 -> 1.0.1.1
    4. Say OK. Camera reboots, power LED flashes twice. Blue LED does NOT flash.
    5. Camera goes back to playback mode, ignoring my effort



    I think I might need to step through all the memory addresses in capt_seq or some other files, but we'll see. I have a sneaking suspicion about the version though.


  • Publish
    Re: IXUS75/SD750 1.01a - Port (Maybe) Finished
    « Reply #24 on: 08 / April / 2008, 07:56:11 »
    Here's my IDB link if anyone wants to give this a shot.

    sd750is1.02a.idb - 38.77MB

  • Publish
    Re: IXUS75/SD750 1.01a - Port (Maybe) Finished
    « Reply #25 on: 08 / April / 2008, 12:47:08 »
    ok...that's exactly what's happening to me.  BUT my camera asks if I want to go from 1.0.0.0 to 1.0.1.1.  It doesn't work.  I also went through all these files: boot.c, capt_seq.c, lib.c, movie_rec.c, stubs_entry_2.s, stubs_min.s.

    By going through, I mean I had a working firmware (1.00c) open in IDA and looked where every single address pointed to in the firmware.  Then I changed all the addresses in my files to match my firmware (1.00d).  I assume you're doing the same thing with your (1.01a) and (1.02a) firmwares.

    ...I just wanted to let you know that the version number is probably not the problem...I hope you can find out what's going on.

  • Publish
    Re: IXUS75/SD750 1.01a - Port (Maybe) Finished
    « Reply #26 on: 08 / April / 2008, 12:54:53 »
    somacore, try this hint from the TX-1 discussion:
    http://chdk.setepontos.com/index.php/topic,774.msg6447.html#msg6447

    This is to check if the changes to the platform/<camera>/main.c, platform/<camera>/sub/<version>/boot.c and platform/<camera>/sub/<version>/makefile.inc are done correctly. It should take you to the blue LED and splash screen.

    After you have the splash screen working, start enabling the lines from the hint and updating the other files.

Basq
  • Publish
    Re: IXUS75/SD750 1.01a - Port (Maybe) Finished
    « Reply #27 on: 08 / April / 2008, 14:58:00 »
    Quote
        ok...that's exactly what's happening to me.  BUT my camera asks if I want to go from 1.0.0.0 to 1.0.1.1.  It doesn't work.  I also went through all these files: boot.c, capt_seq.c, lib.c, movie_rec.c, stubs_entry_2.s, stubs_min.s.

        By going through, I mean I had a working firmware (1.00c) open in IDA and looked where every single address pointed to in the firmware.  Then I changed all the addresses in my files to match my firmware (1.00d).  I assume you're doing the same thing with your (1.01a) and (1.02a) firmwares.

        ...I just wanted to let you know that the version number is probably not the problem...I hope you can find out what's going on.

    That's absolutely the same for me with an SD550 (IXUS750) as for you kennyb03. It wants to upgrade from 1.0.0.0 to 1.0.1.1. I did it the same way as you mentioned (disassembly of the dumped firmware, changing addresses, recompiling the firmware) but the camera doesn't want to boot the CHDK.  :(

    And I also can't find where the firmware version number is stored in the CHDK. :)



  • Publish
    Re: IXUS75/SD750 1.01a - Port (Maybe) Finished
    « Reply #28 on: 08 / April / 2008, 20:45:06 »
    Quote
        somacore, try this hint from the TX-1 discussion:
        http://chdk.setepontos.com/index.php/topic,774.msg6447.html#msg6447

        This is to check if the changes to the platform/<camera>/main.c, platform/<camera>/sub/<version>/boot.c and platform/<camera>/sub/<version>/makefile.inc are done correctly. It should take you to the blue LED and splash screen.

        After you have the splash screen working, start enabling the lines from the hint and updating the other files.

    I do not have those lines in my main.c.

    Halp.

TPC
  • Publish
    Re: IXUS75/SD750 1.01a - Port (Maybe) Finished
    « Reply #29 on: 09 / April / 2008, 15:08:58 »
    Oh dear, I had almost forgotten about this thread.

    The fact that you guys have gotten to the point of attempting to load CHDK through the firmware update prompt tells me that you're getting it to compile successfully. Cool! Still, I'm going to post a summary of EVERYTHING I did (all files that I modified) so you guys can get this running on your cameras too. CHDK for my 1.01A has been running pretty well for the past few days, so I figure it's mature enough.

    I started by copying the SD1000 1.01b trunk source and then modified the files as follows:

    \src\trunk\makefile.inc

    Comments: I added the following line so I just had to type "GMAKE FIR" to compile my firmware, instead of specifying the platform and sub each time. Be sure to comment out all the other cameras, and check that your PLATFORMSUB is correct.

    Quote
    PLATFORM=ixus75_sd750
    PLATFORMSUB=101a

    \src\trunk\include\camera.h

    Comments: I added the following quote directly below the IXUS65/SD650.

    These settings seem to work fine for me. Keep in mind though that if you're getting a bunch of compile warnings, check to see that you haven't set one of these variables to "1" after using a "#undef".

    Quote
    #elif defined (CAMERA_ixus75_sd750)
        #define CAM_PROPSET                 2

        #define CAM_RAW_ROWPIX              3072   // for 7 MP
        #define CAM_RAW_ROWS                2304   // for 7 MP

    /*
        #undef  CAM_USE_ZOOM_FOR_MF
        #undef  CAM_HAS_ERASE_BUTTON
        #undef  CAM_HAS_IRIS_DIAPHRAGM
        #define CAM_HAS_ND_FILTER           1
        #undef  CAM_HAS_MANUAL_FOCUS
        #undef  CAM_HAS_USER_TV_MODES
        #define CAM_SHOW_OSD_IN_SHOOT_MENU  1
        #undef  CAM_HAS_IS
        */
       
        #undef  CAM_SWIVEL_SCREEN               // Camera has rotated LCD screen
        #undef CAM_USE_ZOOM_FOR_MF            // Zoom lever can be used for manual focus adjustments
        #undef  CAM_ADJUSTABLE_ALT_BUTTON       // ALT-button can be set from menu
        #undef CAM_REMOTE                     // Camera supports USB-remote
        #undef  CAM_MULTIPART                   // Camera supports SD-card multipartitioning
        #define CAM_HAS_ZOOM_LEVER          1   // Camera has dedicated zoom buttons
        #undef  CAM_DRAW_EXPOSITION             // Output expo-pair on screen (for cameras which (sometimes) don't do that)
        #undef CAM_HAS_ERASE_BUTTON           // Camera has dedicated erase button
        #define CAM_HAS_IRIS_DIAPHRAGM      1   // Camera has real diaphragm mechanism
        #define  CAM_HAS_ND_FILTER         1      // Camera has built-in ND filter
        #undef CAM_CAN_SD_OVER_NOT_IN_MF      // Camera allows subject distance (focus) override when not in manual focus mode
        #undef CAM_CAN_SD_OVERRIDE            // Camera allows to do subject distance override
        #undef CAM_HAS_MANUAL_FOCUS           // Camera has manual focus mode
        #define CAM_HAS_USER_TV_MODES       1   // Camera has tv-priority or manual modes with ability to set tv value
        #define  CAM_SHOW_OSD_IN_SHOOT_MENU   1   // On some cameras Canon shoot menu has additional functionality and useful in this case to see CHDK OSD in this mode 
        #define CAM_CAN_UNLOCK_OPTICAL_ZOOM_IN_VIDEO  1 // Camera can unlock optical zoom in video (if it is locked)
        #define  CAM_FEATURE_FEATHER        1     // Cameras with "feather" or touch wheel.
        #undef CAM_HAS_IS                     // Camera has image stabilizer

        #define  CAM_CONSOLE_LOG_ENABLED   1      // Development: internal camera stdout -> A/stdout.txt       

    //-- --------------------------------------------------------


    \src\trunk\loader\ixus75_sd750\main.c
    Comments: Changed the following line:

    Quote
    #define LED_PR 0xc02200C4

    To:

    Quote
    #define LED_PR 0xc02200C0

    At the time I didn't know if this was really the address for the print button LED, so I went with an address that I knew worked. You can probably get away with leaving it alone.

    \src\trunk\platform\ixus75_sd750\main.c

    Comments: Uncommented the following line:

    Quote
    //    { MODE_M,                  32772 },

    MODE_P and MODE_M have the same property case, and there were a lot of references in the code to MODE_M. I did this to "fix" problems in advance.

    \src\trunk\platform\ixus75_sd750\sub\101a\boot.c

    Comments:

    Made the following changes/additions at the beginning of boot():
    Quote
          // These values have been modified for the SD750 101a
        long *canon_data_src = (void*)0xFFB95390;
        long *canon_data_dst = (void*)0x1900;
        long canon_data_len = 0xCBF0;
        long *canon_bss_start = (void*)0xE4F0;
        long canon_bss_len = 0xBF650 - 0xE4F0;

    I then copied and pasted the h_usrInit function out of IDA and placed it in the file:

    Quote
    // Found at 0xFF811990
    // These values have been modified for the SD750 101a
    void h_usrInit()
    {
        asm volatile (
       "STR     LR, [SP,#-4]!\n"
       "BL      sub_FF811968\n"
       "MOV     R0, #2\n"
       "MOV     R1, R0\n"
       "BL      sub_FF924148\n" //unknown_libname_237
       "BL      sub_FF918240\n" //excVecInit
       "BL      sub_FF8111C4\n"
       "BL      sub_FF811728\n"
       "LDR     LR, [SP],#4\n"
       "B       h_usrKernelInit\n"   // Originally loc_FF811744 <--- MAKE SURE YOU CHANGE THIS LINE
        );
    }

    h_usrKernelInit, with a modified line:

    Quote
    // Found at 0xFF811744
    // These values have been modified for the SD750 101a
    void  h_usrKernelInit()
    {
        asm volatile (
       "STMFD   SP!, {R4,LR}\n"
       "SUB     SP, SP, #8\n"
       "BL      sub_FF924648\n" //classLibInit
       "BL      sub_FF934774\n" //taskLibInit
       "LDR     R3, =0x5AD0\n"
       "LDR     R2, =0xBC6C0\n"
       "LDR     R1, [R3]\n"
       "LDR     R0, =0xBD310\n"
       "MOV     R3, #0x100\n"
       "BL      sub_FF930364\n" //qInit
       "LDR     R3, =0x5A90\n"
       "LDR     R0, =0x5E30\n"
       "LDR     R1, [R3]\n"
       "BL      sub_FF930364\n" //qInit
       "LDR     R3, =0x5B4C\n"
       "LDR     R0, =0xBD2E4\n"
       "LDR     R1, [R3]\n"
       "BL      sub_FF930364\n" //qInit
       "BL      sub_FF938B30\n" //workQInit
       "BL      sub_FF8112AC\n"
       "MOV     R4, #0\n"
       "MOV     R3, R0\n"
       "MOV     R12, #0x800\n"
       "LDR     R0, =h_usrRoot\n" // R0, =sub_FF811A60 (h_usrRoot)) <--- MAKE SURE YOU CHANGE THIS LINE
       "MOV     R1, #0x4000\n"
        );   
    //   "LDR     R2, =0xBF650\n"
        asm volatile (
            "LDR     R2, =new_sa\n"
            "LDR     R2, [R2]\n"
        );
        asm volatile (
       "STR     R12, [SP]\n"
       "STR     R4, [SP,#4]\n"
       "BL      sub_FF9319B4\n" //kernelInit
       "ADD     SP, SP, #8\n"
       "LDMFD   SP!, {R4,PC}\n"
        );
    }

    Finally, h_usrRoot:

    Quote
    // Found at 0xFF811A60
    // These values have been modified for the SD750 101a
    void  h_usrRoot()
    {
        asm volatile (
       "STMFD   SP!, {R4,R5,LR}\n"
       "MOV     R5, R0\n"
       "MOV     R4, R1\n"
       "BL      sub_FF8119D0\n"
       "MOV     R1, R4\n"
       "MOV     R0, R5\n"
       "BL      sub_FF929100\n" //memInit
       "MOV     R1, R4\n"
       "MOV     R0, R5\n"
       "BL      sub_FF929B78\n" //memPartLibInit
       "BL      sub_FF8117E8\n" //nullSub_1
       "BL      sub_FF811704\n"
       "BL      sub_FF811A0C\n"
       "BL      sub_FF8119F0\n"
       "BL      sub_FF811A38\n"
       "BL      sub_FF8119C4\n"
        );

        _taskCreateHookAdd(createHook); // <--- MAKE SURE YOU ADD THIS LINE
        _taskDeleteHookAdd(deleteHook); // <--- AND THIS LINE TOO

        drv_self_hide();

        asm volatile (
       "LDMFD   SP!, {R4,R5,LR}\n"
       "B       sub_FF81136C\n" //IsEmptyWriteCache_2
        );
    }

    \src\trunk\platform\ixus75_sd750\capt_seq.c

    Comments: Next I modified capt_seq.c, as it is required to make the camera boot.

    I found the value in this line by finding the original value in the SD1000 dump, and then cross-referencing nearby functions in the SD750 dump:

    Quote
        long *nrflag = (long*)0xCF74;

    Moving on, I found sub_FF80D8CC (which may be different for your dump) the same way, by comparing line patterns and searching for nearby strings in the SD750 and SD1000 dumps. I copy/pasted from IDA and made the following changes. Pay careful attention to the way that the ASM lines have been formatted so as not to confuse the compiler (like the difference between "\n" and ":\n").

    Quote
    void __attribute__((naked,noinline)) sub_FFB0D8CC_my(long p) // <--- ADD "_my" TO THE END OF THIS
    {
        asm volatile (
                   
                            "STMFD   SP!, {R4,LR}\n"
                            "MOV     R4, R0\n"
                            "SUB     SP, SP, #0xC\n"
                            "BL      sub_FFB0E33C\n"
                            "MVN     R1, #0\n"
                            "BL      sub_FFB1EAAC\n"   // ClearEventFlag
                            "MOV     R0, #0x8A\n"
                            "ADD     R1, SP, #4\n"
                            "MOV     R2, #4\n"
                            "BL      sub_FF81BCAC\n"
                            "TST     R0, #1\n"
                            "BEQ     loc_FFB0D90C\n"
                            "MOV     R1, #0x1D0\n"
                            "LDR     R0, =0xFFB0D750\n"   // aSscaptureseq_c
                            "ADD     R1, R1, #2\n"
                            "BL      sub_FFB2C138\n"      // DebugAssert
    "loc_FFB0D90C:\n"
                            "LDR     R3, =0xBE160\n"
                            "LDR     R2, =0xBE220\n"
                            "LDR     R0, [R3,#0x7C]\n"
                            "LDRSH   R1, [R2,#0xE]\n"
                            "BL      sub_FFA44DE0\n"
                            "MOV     R0, R4\n"
                            "BL      sub_FFB0D6D4\n"
                            "BL      capt_seq_hook_set_nr\n"  // + <-- ADD THIS LINE
                            "LDR     R3, =0xCF78\n"
                            "LDR     R0, [R3]\n"
                            "B       sub_FFB0D930\n"
        );
    }

    Next function, sub_FFB0A6F4, copied and modified:

    Quote
    void __attribute__((naked,noinline)) sub_FFB0A6F4_my(long p) // <--- ADD "_my" TO THE END OF THIS
    {
        asm volatile (
                       
                         "STMFD   SP!, {R4,R5,LR}\n"
                         "LDR     R3, =0xBE160\n"
                         "LDR     R5, [R0,#0xC]\n"
                         "LDR     R1, [R3,#0x24]\n"
                         "LDR     R2, [R5,#8]\n"
                         "CMP     R1, #0\n"
                         "ORR     R2, R2, #1\n"
                         "STR     R2, [R5,#8]\n"
                         "BNE     loc_FFB0A748\n"
                         "MOV     R0, #0xC\n"
                         "BL      sub_FFB14C44\n"
                         "TST     R0, #1\n"
                         "BEQ     loc_FFB0A748\n"
                         "LDR     R3, [R5,#8]\n"
                         "MOV     R0, #1\n"
                         "ORR     R3, R3, #0x40000000\n"
                         "STR     R3, [R5,#8]\n"
    "loc_FFB0A738:\n"
                         "MOV     R2, R5\n"
                         "MOV     R1, #1\n"
                         "LDMFD   SP!, {R4,R5,LR}\n"
                         "B       sub_FFB08E9C\n"
    "loc_FFB0A748:\n"
                         "LDR     R4, =0xBE160\n"
                         "BL      sub_FFB0B1EC\n"      // Set_CMD25Write_62
                         "LDR     R3, [R4,#0x24]\n"
                         "CMP     R3, #0\n"
                         "BNE     loc_FFB0A790\n"
                         "MOV     R0, R5\n"
                         "BL      sub_FFB0C3D0\n"
                         "TST     R0, #1\n"
                         "BNE     loc_FFB0A738\n"
                         "BL      sub_FF82668C\n"
                         "BL      sub_FF81BEA8\n"
                         "STR     R0, [R5,#0x14]\n"
                         "MOV     R0, R5\n"
                         "BL      sub_FFB0D7B4\n"
                         "BL      sub_FFB0E1A8\n"
                         "MOV     R0, R5\n"
                         "BL      sub_FFB0D8CC_my\n"     //------------> <-- ADD THIS LINE, MAKE SURE THE FUNCTION NAMES MATCH
                         "BL      capt_seq_hook_raw_here\n"  // + <-- OH YEAH ADD THIS TOO
                         "B       loc_FFB0A7A4\n"
    "loc_FFB0A790:\n"
                         "LDR     R3, =0xCF60\n"
                         "LDR     R2, [R3]\n"
                         "CMP     R2, #0\n"
                         "MOVNE   R0, #0x1D\n"
                         "MOVEQ   R0, #0\n"
    "loc_FFB0A7A4:\n"
                         "MOV     R1, #1\n"
                         "MOV     R2, R5\n"
                         "BL      sub_FFB08E9C\n"
                         "BL      sub_FFB0DC48\n"
                         "CMP     R0, #0\n"
                         "LDRNE   R3, [R5,#8]\n"
                         "ORRNE   R3, R3, #0x2000\n"
                         "STRNE   R3, [R5,#8]\n"
                         "LDMFD   SP!, {R4,R5,PC}\n"               
        );
    }
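
The formatting rules the post above calls out for pasted IDA listings (each string ending in "\n", labels ending in ":\n", matching "_my" names) can be checked mechanically before a build, since a slip there produces a firmware that the camera silently ignores. The script below is an added example, not part of the original post or of CHDK's tooling; lint(), its regular expressions and the constructed SAMPLE with deliberate mistakes are assumptions made for illustration.

```python
import re

STR = re.compile(r'^\s*"((?:[^"\\]|\\.)*)"')   # first string literal on a line
BRANCH = re.compile(r'^BL?(?:EQ|NE|CS|CC|MI|PL|VS|VC|HI|LS|GE|LT|GT|LE)?\s+(\w+)')
CDEF = re.compile(r'^\s*void\b.*\b(\w+)\s*\([^()]*\)\s*\{?\s*$')  # C definition line
SUB = re.compile(r'^sub_[0-9A-Fa-f]{8}(?:_my)?$')  # IDA-style name, 32-bit address

def lint(src):
    """Return sorted (line_no, message) findings for asm volatile blocks in src."""
    findings, labels, branches, cdefs, block = [], set(), [], set(), None
    for no, line in enumerate(src.splitlines(), 1):
        if d := CDEF.match(line):
            cdefs.add(d.group(1))
        if "asm volatile" in line:
            block = []                          # start collecting this block's strings
        m = STR.match(line)
        if m and block is not None:
            block.append((no, m.group(1)))
        elif block is not None and line.strip().startswith(")"):
            for i, (n, text) in enumerate(block):
                ended = text.endswith("\\n")
                body = (text[:-2] if ended else text).strip()
                if not ended and i < len(block) - 1:
                    findings.append((n, "no \\n: runs into the next line"))
                if body.endswith(":"):
                    labels.add(body[:-1])
                elif re.fullmatch(r"loc_\w+", body):
                    findings.append((n, "label without ':'"))
                elif b := BRANCH.match(body):
                    branches.append((n, b.group(1)))
            block = None
    for n, target in branches:                  # labels are file-wide, so resolve last
        if target.startswith("loc_") and target not in labels:
            findings.append((n, "branch to undefined label " + target))
        elif target.endswith("_my") and target not in cdefs:
            findings.append((n, "no C definition for " + target))
        elif target.startswith("sub_") and not SUB.match(target):
            findings.append((n, "malformed address in " + target))
    return sorted(findings)

# Constructed sample in the post's layout, with deliberate mistakes (not from a dump).
SAMPLE = r'''void __attribute__((naked,noinline)) sub_FFB0A6F4_my(long p)
{
    asm volatile (
        "STMFD   SP!, {R4,R5,LR}\n"
        "BNE     loc_FFB0A748\n"
        "MOV     R0, R5"
        "BL      sub_FFB0D8CC_my\n"
        "B       loc_FFB0A7A4\n"
"loc_FFB0A748\n"
        "MOV     R0, #0\n"
"loc_FFB0A7A4:\n"
        "BL      sub_FFB08E9\n"
        "LDMFD   SP!, {R4,R5,PC}\n"
    );
}
'''
if __name__ == "__main__":
    print(*lint(SAMPLE), sep="\n")
```

Names that are neither loc_, sub_ nor *_my (for example h_usrKernelInit or capt_seq_hook_set_nr) are left to the linker and not checked here.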

     
