SX30 IS porting thread - General Discussion and Assistance - CHDK Forum

philmoz
SX30 IS porting thread
« on: 27 / November / 2010, 19:15:07 »

Hi All,

I've made some progress porting CHDK to the SX30 IS thanks to all the great help so far (http://chdk.setepontos.com/index.php?topic=5789.0).

Thought it time to move the discussion out of the firmware dumping section.

First problem is I've hit a snag that has me stumped - whenever 'GetParameterData' is called the camera shuts down - I've checked the code in IDA against the SX20 and S95 ports and I'm pretty sure the function address is correct.

Also in taskCreateHook (boot.c) the mykbd_task and init_file_modules_task get successfully hooked; but init_file_modules_task only gets called if I put a delay after hooking mykbd_task. Code is below. Anyone seen this before, I don't see anything like this in the SX20 or S95 ports. If I take out the delay then init_file_modules_task doesn't get called (tested by blinking the LED), with the delay it does.

void taskCreateHook(int *p) {
    // Step back from the pointer passed to the hook to the task's entry point slot
    p -= 17;
    if (p[0] == 0xFF8A3B4C) {
        p[0] = (int)init_file_modules_task;
    }
    if (p[0] == 0xFF8345E8) {
        p[0] = (int)mykbd_task;
        {
            int i;
            // Wait a while, otherwise init_file_modules_task doesn't get hooked when starting in play mode
            for (i = 0; i < 0x100000; i++)
            {
                asm volatile ( "nop\n" );
            }
        }
    }
}

Regards,
Phil.

CHDK ports:
  sx30is (1.00c, 1.00h, 1.00l, 1.00n & 1.00p)
  g12 (1.00c, 1.00e, 1.00f & 1.00g)
  sx130is (1.01d & 1.01f)
  ixus310hs (1.00a & 1.01a)
  sx40hs (1.00d, 1.00g & 1.00i)
  g1x (1.00e, 1.00f & 1.00g)
  g5x (1.00c, 1.01a, 1.01b)
  g7x2 (1.01a, 1.01b, 1.10b)

reyalp
Re: SX30 IS porting thread
« Reply #1 on: 27 / November / 2010, 19:30:53 »
Some cameras seem to need two different task hooks for init_file_modules_task. See a480 or sx10 for example.

You may also want to use new style task hooking, using reverse engineered dryos structures, see a480 or d10. This won't fix your problem with init_file_modules_task not starting, but it's a little bit clearer.

Re GetParameterData, are you sure FlashParamsTable in stubs_min.S is correct? Also, if you are trying to use param browsing functions, make sure get_flash_params_count is correct in platform/<camera>/lib.c

ROMLOG may help with this too, "crash" is probably an assert.
Don't forget what the H stands for.

philmoz
Re: SX30 IS porting thread
« Reply #2 on: 27 / November / 2010, 20:11:03 »
I'm trying to call get_file_counter() in gui_draw_debug_vals_osd because that's the function that was crashing when I tried to implement the raw capture. get_file_counter just calls GetParameterData.

I'm pretty sure the FlashParamsTable is correct, not sure about get_flash_params_count yet; but are these really necessary just to get the file counter?

Dumb question - where do I find the ROMLOG?

Thanks,
Phil.

philmoz
Re: SX30 IS porting thread
« Reply #3 on: 27 / November / 2010, 21:04:13 »
OK, I found the correct value for PARAM_FILE_COUNTER so it doesn't crash on this anymore.

Tried to run romlog.lua but get "SystemEventInit failed" message.
'ExecuteEventProcedure' was found in the firmware dump and looks OK.

Regards,
Phil.


reyalp
Re: SX30 IS porting thread
« Reply #4 on: 27 / November / 2010, 21:14:28 »
> OK, I found the correct value for PARAM_FILE_COUNTER so it doesn't crash on this anymore.
>
> Tried to run romlog.lua but get "SystemEventInit failed" message.
> 'ExecuteEventProcedure' was found in the firmware dump and looks OK.
>
> Regards,
> Phil.

Replace SystemEventInit with System.Create, or use http://chdk.wikia.com/wiki/Canon_Basic/Scripts/Romlog

I'll update the version in SVN to try both

philmoz
Re: SX30 IS porting thread
« Reply #5 on: 28 / November / 2010, 20:17:06 »
Trying to get a raw image out of the camera.
Implemented capt_seq_task by copying the code from IDA - camera works correctly if I call the firmware functions. I know it gets to my capt_seq_task code by blinking the LED.

The capt_seq_task code doesn't look like any of the other implementations in the current trunk (that I can see).

Any suggestions on how best to tackle understanding and patching the capt_seq_task code?
What sort of things should I be looking for?

Regards,
Phil.

reyalp
Re: SX30 IS porting thread
« Reply #6 on: 28 / November / 2010, 20:39:46 »
> Trying to get a raw image out of the camera.
> Implemented capt_seq_task by copying the code from IDA - camera works correctly if I call the firmware functions. I know it gets to my capt_seq_task code by blinking the LED.
>
> The capt_seq_task code doesn't look like any of the other implementations in the current trunk (that I can see).

In sx30 100h, I see CaptSeqTask at FF8868C0

> Any suggestions on how best to tackle understanding and patching the capt_seq_task code?
> What sort of things should I be looking for?

Normally, refer to other cameras and do the same thing they do. If it really is very different, then you have to find pieces of code that are executed at similar stages in the shooting process.

captseq, like most of the Canon tasks, sits in a loop reading messages. There is a big jumptable (switch statement) which handles all the different messages. The messages correspond to different stages of the shooting process: pre-capture, capture, shooting related setting changes etc.

Generally, overrides are set somewhere in message 0, and raw hook is called somewhere in message 1.

You may want to look at other in-progress ports of recent cameras (sx210, ixus300, s95).

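Added example, not part of the thread and not CHDK or Canon code: a host-side C model of the message loop described in Reply #6, showing where a patched copy of the task places its hooks and how a trace confirms their order against the firmware steps. Only the message ids 0 and 1 come from the post; every function name, the exit id and the position of each hook inside its case are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Host-side model. Message ids 0 and 1 follow the post; all names are hypothetical. */
enum { MSG_PRE_CAPTURE = 0, MSG_CAPTURE = 1, MSG_EXIT = 99 };

#define TRACE_MAX 16
static char trace[TRACE_MAX][24];
static int trace_len;

/* Append one line to the in-memory trace (stands in for a camera log call). */
static void trace_add(const char *s) {
    if (trace_len < TRACE_MAX)
        snprintf(trace[trace_len++], sizeof trace[0], "%s", s);
}

/* Stand-ins for the original firmware subroutines reached from each case. */
static void fw_pre_capture(void) { trace_add("fw:pre_capture"); }
static void fw_capture(void)     { trace_add("fw:capture"); }

/* Stand-ins for the code a port adds. */
static void hook_overrides(void) { trace_add("hook:overrides"); }
static void hook_raw(void)       { trace_add("hook:raw"); }

/* Patched copy of the task body: same dispatch as the original, plus hook calls.
   Hook placement inside each case is an assumption of this model. */
int capt_seq_model(const int *queue, int n) {
    trace_len = 0;
    for (int i = 0; i < n; i++) {
        switch (queue[i]) {
        case MSG_PRE_CAPTURE: hook_overrides(); fw_pre_capture(); break;
        case MSG_CAPTURE:     fw_capture(); hook_raw();           break;
        case MSG_EXIT:        return trace_len;
        default:              trace_add("fw:unhandled");          break;
        }
    }
    return trace_len;
}

/* Position of an entry in the trace, or -1 if it was never logged. */
int trace_index(const char *s) {
    for (int i = 0; i < trace_len; i++)
        if (strcmp(trace[i], s) == 0) return i;
    return -1;
}

int main(void) {
    const int queue[] = { MSG_PRE_CAPTURE, MSG_CAPTURE, 7, MSG_EXIT }; /* constructed input */
    int n = capt_seq_model(queue, 4);
    for (int i = 0; i < n; i++) printf("%d %s\n", i, trace[i]);
    return 0;
}
```

A hook that never appears in the trace (index -1) points at a wrong case or a code path that is not taken, which is the same question the LED blinks were answering one bit at a time.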
philmoz
Re: SX30 IS porting thread
« Reply #7 on: 28 / November / 2010, 20:54:46 »
> > Trying to get a raw image out of the camera.
> > Implemented capt_seq_task by copying the code from IDA - camera works correctly if I call the firmware functions. I know it gets to my capt_seq_task code by blinking the LED.
> >
> > The capt_seq_task code doesn't look like any of the other implementations in the current trunk (that I can see).
>
> In sx30 100h, I see CaptSeqTask at FF8868C0
>
> > Any suggestions on how best to tackle understanding and patching the capt_seq_task code?
> > What sort of things should I be looking for?
>
> Normally, refer to other cameras and do the same thing they do. If it really is very different, then you have to find pieces of code that are executed at similar stages in the shooting process.
>
> captseq, like most of the Canon tasks, sits in a loop reading messages. There is a big jumptable (switch statement) which handles all the different messages. The messages correspond to different stages of the shooting process: pre-capture, capture, shooting related setting changes etc.
>
> Generally, overrides are set somewhere in message 0, and raw hook is called somewhere in message 1.
>
> You may want to look at other in-progress ports of recent cameras (sx210, ixus300, s95).

Thanks,

The code at FF8868C0 is what I copied from IDA to get the initial version of capt_seq_task.
Using the LED I can see message 0 is called when the shutter is half pressed and message 1 is called on a full press.
The code at message 0 and message 1 doesn't match the sx20 or s95 (which I've used as references so far), s95 is closer; but still quite different. I did a quick scan through the other capt_seq.c files in the trunk and can't see anything similar. I haven't been able to find a match for the sub-routines called from the message 0 or message 1 code in the sx20 or s95 code; but as I don't have a deep understanding of what is going on here yet I may be missing the obvious :)

The only thing I can think to do next is make my own copies of the various sub-routines called and then use trial and error and the LED blinker to see if I can make sense of it.

Any suggestions on how to proceed appreciated.

Regards,
Phil.


reyalp
Re: SX30 IS porting thread
« Reply #8 on: 28 / November / 2010, 22:14:53 »
Rather than blinking, you may want to log messages to a file. You can use the camera's built-in functions to do this, the StartRedirectUART event proc will send the camera's console output to a file, and then you can use Printf to put things there.

You can also send things to the camera log (same as recorded in the romlog for a crash or assert) using LogPrintf(<number>,...). You can find out valid values of <number> by looking at calls in the firmware. On d10, 0x120 is an SS: message.

This camera log isn't normally saved anywhere, but you can send the most recent messages to the uart log by calling ShowCameraLog.

The nice thing about using the camera log is that you get time stamped messages from the original firmware too, so you can see where in the sequence yours is called. You can also search for the strings in the Canon factory messages to find the corresponding code.

You can wrap your logging calls with ASM_SAFE to avoid trashing registers. See include/asmsafe.h

UART redirection is discussed in the Canon Basic thread http://chdk.setepontos.com/index.php?topic=5549.0

I've attached the lua module I wrote to set up uart logging.


philmoz
Re: SX30 IS porting thread
« Reply #9 on: 29 / November / 2010, 05:21:17 »
> Rather than blinking, you may want to log messages to a file. You can use the camera's built-in functions to do this, the StartRedirectUART event proc will send the camera's console output to a file, and then you can use Printf to put things there.
>
> You can also send things to the camera log (same as recorded in the romlog for a crash or assert) using LogPrintf(<number>,...). You can find out valid values of <number> by looking at calls in the firmware. On d10, 0x120 is an SS: message.
>
> This camera log isn't normally saved anywhere, but you can send the most recent messages to the uart log by calling ShowCameraLog.
>
> The nice thing about using the camera log is that you get time stamped messages from the original firmware too, so you can see where in the sequence yours is called. You can also search for the strings in the Canon factory messages to find the corresponding code.
>
> You can wrap your logging calls with ASM_SAFE to avoid trashing registers. See include/asmsafe.h
>
> UART redirection is discussed in the Canon Basic thread http://chdk.setepontos.com/index.php?topic=5549.0
>
> I've attached the lua module I wrote to set up uart logging.

I can't seem to get this logging to work; if I try to call StartRedirectUART or Printf from within the capt_seq_task code the camera just shuts down. I've wrapped it in ASM_SAFE as suggested.
If I dump the romlog it has an 'Exception!! Vector 0x10' error at the start.

Phil.