Oh dear, I had almost forgotten about this thread.
The fact that you guys have gotten to the point of attempting to load CHDK through the firmware update prompt tells me that you're getting it to compile successfully. Cool! Still, I'm going to post a summary of EVERYTHING I did (all files that I modified) so you guys can get this running on your cameras too. CHDK for the my 1.01A has been running pretty good for the past few days, I figure it's mature enough.
I started by copying the SD1000 1.01b trunk source and then modified the files as follows:
\src\trunk\makefile.incComments: I added the following line so I just had to type "GMAKE FIR" to compile my firmware, instead of specifying the platform and sub each time. Be sure to comment out all the other cameras, and check that your PLATFORMSUB is correct.
PLATFORM=ixus75_sd750
PLATFORMSUB=101a
\src\trunk\include\camera.hComments: I added the following quote directly below the IXUS65/SD650.
These settings seem to work fine for me. Keep in mind though that if you're getting a bunch of compile warnings, check to see that you haven't set one of these variables to "1" after using a "#undef".
#elif defined (CAMERA_ixus75_sd750)
#define CAM_PROPSET 2
#define CAM_RAW_ROWPIX 3072 // for 7 MP
#define CAM_RAW_ROWS 2304 // for 7 MP
/*
#undef CAM_USE_ZOOM_FOR_MF
#undef CAM_HAS_ERASE_BUTTON
#undef CAM_HAS_IRIS_DIAPHRAGM
#define CAM_HAS_ND_FILTER 1
#undef CAM_HAS_MANUAL_FOCUS
#undef CAM_HAS_USER_TV_MODES
#define CAM_SHOW_OSD_IN_SHOOT_MENU 1
#undef CAM_HAS_IS
*/
#undef CAM_SWIVEL_SCREEN // Camera has rotated LCD screen
#undef CAM_USE_ZOOM_FOR_MF // Zoom lever can be used for manual focus adjustments
#undef CAM_ADJUSTABLE_ALT_BUTTON // ALT-button can be set from menu
#undef CAM_REMOTE // Camera supports USB-remote
#undef CAM_MULTIPART // Camera supports SD-card multipartitioning
#define CAM_HAS_ZOOM_LEVER 1 // Camera has dedicated zoom buttons
#undef CAM_DRAW_EXPOSITION // Output expo-pair on screen (for cameras which (sometimes) don't do that)
#undef CAM_HAS_ERASE_BUTTON // Camera has dedicated erase button
#define CAM_HAS_IRIS_DIAPHRAGM 1 // Camera has real diaphragm mechanism
#define CAM_HAS_ND_FILTER 1 // Camera has build-in ND filter
#undef CAM_CAN_SD_OVER_NOT_IN_MF // Camera allows subject distance (focus) override when not in manual focus mode
#undef CAM_CAN_SD_OVERRIDE // Camera allows to do subject distance override
#undef CAM_HAS_MANUAL_FOCUS // Camera has manual focus mode
#define CAM_HAS_USER_TV_MODES 1 // Camera has tv-priority or manual modes with ability to set tv value
#define CAM_SHOW_OSD_IN_SHOOT_MENU 1 // On some cameras Canon shoot menu has additional functionality and useful in this case to see CHDK OSD in this mode
#define CAM_CAN_UNLOCK_OPTICAL_ZOOM_IN_VIDEO 1 // Camera can unlock optical zoom in video (if it is locked)
#define CAM_FEATURE_FEATHER 1 // Cameras with "feather" or touch wheel.
#undef CAM_HAS_IS // Camera has image stabilizer
#define CAM_CONSOLE_LOG_ENABLED 1 // Development: internal camera stdout -> A/stdout.txt
//-- --------------------------------------------------------
\src\trunk\loader\ixus75_sd750\main.cComments: Changed the following line:
#define LED_PR 0xc02200C4
To:
#define LED_PR 0xc02200C0
At the time I didn't know if this was really the address for the print button LED, so I went with an address that I knew worked. You can probably get away with leaving it alone.
\src\trunk\platform\ixus75_sd750\main.cComments: Uncommented the following line:
// { MODE_M, 32772 },
MODE_P and MODE_M have the same property case, and there were alot of references in the code to MODE_M. I did this to "fix" problems in advance.
\src\trunk\platform\ixus75_sd750\sub\101a\boot.cComments:Made the following changes/additions at the beginning of boot():
// Theses values have been modified for the SD750 101a
long *canon_data_src = (void*)0xFFB95390;
long *canon_data_dst = (void*)0x1900;
long canon_data_len = 0xCBF0;
long *canon_bss_start = (void*)0xE4F0;
long canon_bss_len = 0xBF650 - 0xE4F0;
I then copy and pasted
h_usrInit function out of IDA and placed them in the file:
// Found at 0xFF811990
// Theses values have been modified for the SD750 101a
void h_usrInit()
{
asm volatile (
"STR LR, [SP,#-4]!\n"
"BL sub_FF811968\n"
"MOV R0, #2\n"
"MOV R1, R0\n"
"BL sub_FF924148\n" //unknown_libname_237
"BL sub_FF918240\n" //excVecInit
"BL sub_FF8111C4\n"
"BL sub_FF811728\n"
"LDR LR, [SP],#4\n"
"B h_usrKernelInit\n" // Originally loc_FF811744 <--- MAKE SURE YOU CHANGE THIS LINE
);
}
h_usrKernelInit, with a modified line:
// Found at 0xFF811744
// Theses values have been modified for the SD750 101a
void h_usrKernelInit()
{
asm volatile (
"STMFD SP!, {R4,LR}\n"
"SUB SP, SP, #8\n"
"BL sub_FF924648\n" //classLibInit
"BL sub_FF934774\n" //taskLibInit
"LDR R3, =0x5AD0\n"
"LDR R2, =0xBC6C0\n"
"LDR R1, [R3]\n"
"LDR R0, =0xBD310\n"
"MOV R3, #0x100\n"
"BL sub_FF930364\n" //qInit
"LDR R3, =0x5A90\n"
"LDR R0, =0x5E30\n"
"LDR R1, [R3]\n"
"BL sub_FF930364\n" //qInit
"LDR R3, =0x5B4C\n"
"LDR R0, =0xBD2E4\n"
"LDR R1, [R3]\n"
"BL sub_FF930364\n" //qInit
"BL sub_FF938B30\n" //workQInit
"BL sub_FF8112AC\n"
"MOV R4, #0\n"
"MOV R3, R0\n"
"MOV R12, #0x800\n"
"LDR R0, =h_usrRoot\n" // R0, =sub_FF811A60 (h_usrRoot)) <--- MAKE SURE YOU CHANGE THIS LINE
"MOV R1, #0x4000\n"
);
// "LDR R2, =0xBF650\n"
asm volatile (
"LDR R2, =new_sa\n"
"LDR R2, [R2]\n"
);
asm volatile (
"STR R12, [SP]\n"
"STR R4, [SP,#4]\n"
"BL sub_FF9319B4\n" //kernelInit
"ADD SP, SP, #8\n"
"LDMFD SP!, {R4,PC}\n"
);
}
Finally,
h_usrRoot:
// Found at 0xFF811A60
// Theses values have been modified for the SD750 101a
void h_usrRoot()
{
asm volatile (
"STMFD SP!, {R4,R5,LR}\n"
"MOV R5, R0\n"
"MOV R4, R1\n"
"BL sub_FF8119D0\n"
"MOV R1, R4\n"
"MOV R0, R5\n"
"BL sub_FF929100\n" //memInit
"MOV R1, R4\n"
"MOV R0, R5\n"
"BL sub_FF929B78\n" //memPartLibInit
"BL sub_FF8117E8\n" //nullSub_1
"BL sub_FF811704\n"
"BL sub_FF811A0C\n"
"BL sub_FF8119F0\n"
"BL sub_FF811A38\n"
"BL sub_FF8119C4\n"
);
_taskCreateHookAdd(createHook); <--- MAKE SURE YOU ADD THIS LINE
_taskDeleteHookAdd(deleteHook); <--- AND THIS LINE TOO
drv_self_hide();
asm volatile (
"LDMFD SP!, {R4,R5,LR}\n"
"B sub_FF81136C\n" //IsEmptyWriteCache_2
);
}
\src\trunk\platform\ixus75_sd750\capt_seq.cComments: Next I modified capt_seq.c, as it is required to make the camera boot.
I found the value in this line by finding the original value in the SD1000 dump, and then cross-referencing nearby functions in the SD750 dump:
long *nrflag = (long*)0xCF74;
Moving on, I found sub_FF80D8CC (which may be different for your dump) the same way, by comparing line patterns and searching for nearby strings in the SD750 and SD1000 dumps. I copy/pasted from IDA and made the following changes. Pay careful attention to the way that the ASM lines have been formatted so as not to confuse the compiler (like the difference between "\n" and ":\n").
void __attribute__((naked,noinline)) sub_FFB0D8CC_my(long p) <--- ADD "_my" TO THE END OF THIS
{
asm volatile (
"STMFD SP!, {R4,LR}\n"
"MOV R4, R0\n"
"SUB SP, SP, #0xC\n"
"BL sub_FFB0E33C\n"
"MVN R1, #0\n"
"BL sub_FFB1EAAC\n" // ClearEventFlag
"MOV R0, #0x8A\n"
"ADD R1, SP, #4\n"
"MOV R2, #4\n"
"BL sub_FF81BCAC\n"
"TST R0, #1\n"
"BEQ loc_FFB0D90C\n"
"MOV R1, #0x1D0\n"
"LDR R0, =0xFFB0D750\n" // aSscaptureseq_c
"ADD R1, R1, #2\n"
"BL sub_FFB2C138\n" // DebugAssert
"loc_FFB0D90C:\n"
"LDR R3, =0xBE160\n"
"LDR R2, =0xBE220\n"
"LDR R0, [R3,#0x7C]\n"
"LDRSH R1, [R2,#0xE]\n"
"BL sub_FFA44DE0\n"
"MOV R0, R4\n"
"BL sub_FFB0D6D4\n"
"BL capt_seq_hook_set_nr\n" // + <-- ADD THIS LINE
"LDR R3, =0xCF78\n"
"LDR R0, [R3]\n"
"B sub_FFB0D930\n"
);
}
Next function, sub_FFB0A6F4, copied and modified:
void __attribute__((naked,noinline)) sub_FFB0A6F4_my(long p) <--- ADD "_my" TO THE END OF THIS
{
asm volatile (
"STMFD SP!, {R4,R5,LR}\n"
"LDR R3, =0xBE160\n"
"LDR R5, [R0,#0xC]\n"
"LDR R1, [R3,#0x24]\n"
"LDR R2, [R5,#8]\n"
"CMP R1, #0\n"
"ORR R2, R2, #1\n"
"STR R2, [R5,#8]\n"
"BNE loc_FFB0A748\n"
"MOV R0, #0xC\n"
"BL sub_FFB14C44\n"
"TST R0, #1\n"
"BEQ loc_FFB0A748\n"
"LDR R3, [R5,#8]\n"
"MOV R0, #1\n"
"ORR R3, R3, #0x40000000\n"
"STR R3, [R5,#8]\n"
"loc_FFB0A738:\n"
"MOV R2, R5\n"
"MOV R1, #1\n"
"LDMFD SP!, {R4,R5,LR}\n"
"B sub_FFB08E9C\n"
"loc_FFB0A748:\n"
"LDR R4, =0xBE160\n"
"BL sub_FFB0B1EC\n" // Set_CMD25Write_62
"LDR R3, [R4,#0x24]\n"
"CMP R3, #0\n"
"BNE loc_FFB0A790\n"
"MOV R0, R5\n"
"BL sub_FFB0C3D0\n"
"TST R0, #1\n"
"BNE loc_FFB0A738\n"
"BL sub_FF82668C\n"
"BL sub_FF81BEA8\n"
"STR R0, [R5,#0x14]\n"
"MOV R0, R5\n"
"BL sub_FFB0D7B4\n"
"BL sub_FFB0E1A8\n"
"MOV R0, R5\n"
"BL sub_FFB0D8CC_my\n" //------------> <-- ADD THIS LINE, MAKE SURE THE FUNCTION NAMES MATCH
"BL capt_seq_hook_raw_here\n" // + <-- OH YEAH ADD THIS TOO
"B loc_FFB0A7A4\n"
"loc_FFB0A790:\n"
"LDR R3, =0xCF60\n"
"LDR R2, [R3]\n"
"CMP R2, #0\n"
"MOVNE R0, #0x1D\n"
"MOVEQ R0, #0\n"
"loc_FFB0A7A4:\n"
"MOV R1, #1\n"
"MOV R2, R5\n"
"BL sub_FFB08E9C\n"
"BL sub_FFB0DC48\n"
"CMP R0, #0\n"
"LDRNE R3, [R5,#8]\n"
"ORRNE R3, R3, #0x2000\n"
"STRNE R3, [R5,#8]\n"
"LDMFD SP!, {R4,R5,PC}\n"
);
}
