CHDK Forum

CHDK Development => General Discussion and Assistance => Firmware Dumping => Topic started by: anwe79 on 05 / October / 2009, 13:10:44

Title: Noob trying to dump 500D/T1i, need some input...
Post by: anwe79 on 05 / October / 2009, 13:10:44
I'm on Linux, so I can't use Card Tricks, but this is what I've done so far:

1. I haven't got a small SD-card, so I'm trying this with a 16 GB SDHC, with a small boot-partition.
2. I tried putting a vers.req and ver.req on the card and using "set+disp" to get a version string. No go.
3. I formatted the card using gparted, one 32 MB FAT16 partition and one big Fat32 for the rest of the card.
4. I labeled the boot partition "BOOT" for no apparent reason (just for me to be able to tell them apart).
5. I then used 'sudo sh -c "echo -n BOOTDISK | dd bs=1 count=8 seek=64 of=/dev/mmcblk0p1"' to write the bootsector of the partition.
6. I tried "booting" the camera with the empty card, hoping to make it halt the boot process (to prove to myself it would read the card). No go.
7. I tried putting newdryos.bin (from udumpfull.zip, renamed to diskboot.bin) on the card and then booting. No go.
8. I tried renaming the file autoexec.bin. No go.

"No go" means that the camera started normally, with the occasional addition of warning for a full/write protected SD-card.

That's about as far as I've got right now. Oh, I should add that I did have write protection on while booting, and removed (and replaced :)) the battery prior.

There was a mention about labeling the partition with "EOS_DEVELOP" instead of "BOOTDISK" on the 5D mark II page, I'll try that next.

BTW, did i overwrite the bootsector with gparted when I labeled it? I'm guessing not, but I'm not totally sure where the partition label gets written to. I'll try reading it back with dd to make sure. Would a 2 GB card help? I'm guessing the limit is in partition size and not overall card size, but I think I have a 2 GB lying around somewhere I could try.

I will update this thread as I try different things... Any pointers from more experienced CHDK users are very welcome.

/Andreas
Title: Re: Noob trying to dump 500D/T1i, need some input...
Post by: anwe79 on 05 / October / 2009, 14:02:11
I've now confirmed that my hunch was right, the volume label and the "boot sector" of the disk are (obviously) two separate things, I read 'em both in hexedit. Should've probably known that already, but my mind tends to discard info I can easily look up, and keep really useless trivia instead... I also saw that I accidentally left the "LOP" behind when I reentered "BOOTDISK" into the boot sector. Sloppy...

Well, I've now tried different combinations of labels in the boot sector and different file names for the diskboot.bin, but none seem to work.

I'm guessing a 2GB card would be no better than a 16GB, so I'm not going down that road unless someone recommends it.

Since the 50D and 5D mark II seem similar (DryOS, Digic IV, DSLR), I'll look into how those boot and see if I can get anything useful out of it.

PS Could someone confirm what should happen when the camera actually tries to boot the dumper? The first sign should be a blank screen, right?

/Andreas
Title: Re: Noob trying to dump 500D/T1i, need some input...
Post by: anwe79 on 05 / October / 2009, 18:57:25
Ok, so I found out how to start the camera in playback mode (press playback button while turning on, doh!), but still no joy with ver.req/vers.req. Maybe the procedure is different with a DSLR?

/Andreas
Title: Re: Noob trying to dump 500D/T1i, need some input...
Post by: anwe79 on 06 / October / 2009, 08:33:12
Argh, I'm really flaunting my ignorance here :D. Maybe a little RTFM would do me good.

There's no need for ver.req, the version number (1.0.9) is right there in the menu, but only when in non-auto modes. Hidden from dummies like me ;).

I found my 2GB card, so I'm gonna use that instead, as I wasn't using it for anything in particular anyway.
I now have tested with the combination of "EOS_DEVELOP" in the partition label (0x2B) and "BOOTDISK" in the boot record (0x40) as in this post (http://chdk.setepontos.com/index.php/topic,1618.0.html) on the 400D. Still unsure about filename, so I tried both BOOTDISK.BIN and AUTOEXEC.BIN, no joy. I also tried the bootdisk.bin from "udumper-new-new-dryos.zip" (can't find the thread again), but still no go.

Maybe I need to repack to encode the bin to fi2? There's very little info on the 500D, I'm basically in the dark here.

I'm guessing the easiest way right now would be to load something through the firmware update mechanism. I'm a little hesitant about this, need to read a little more so I'm sure not to brick my camera.

/Andreas
Title: Re: Noob trying to dump 500D/T1i, need some input...
Post by: anwe79 on 06 / October / 2009, 11:36:48
Very little progress...
I might have a valid PID though. lsusb gives me VID: 04a9, PID: 31cf. Mighty similar to other recent cameras, so I'm guessing it is correct.

Edit: Also, the firmware update menu responds to a PS.FIR but not a PS.FI2 file (I used a renamed diskboot.bin, so haven't tried running anything this way).


/Andreas
Title: Re: Noob trying to dump 500D/T1i, need some input...
Post by: anwe79 on 06 / October / 2009, 14:31:03
As you can tell I'm talking to myself here. This is intentional, I use the thread to document what I've tried and any progress made. Please feel free to chime in though, I'm basically blindfolded right now and any pointers will probably help.

Hey wait a minute... This page (http://chdk.wikia.com/wiki/DryOS_Porting) on the wiki implies the camera is not a DryOS-camera since it doesn't respond to an fi2-file. Can this really be true? Seems unlikely...

/Andreas
Title: Re: Noob trying to dump 500D/T1i, need some input...
Post by: reyalp on 06 / October / 2009, 16:29:55
Quote
As you can tell I'm talking to myself here. This is intentional, I use the thread to document what I've tried and any progress made. Please feel free to chime in though, I'm basically blindfolded right now and any pointers will probably help.
No problem.
Quote
Hey wait a minute... This page (http://chdk.wikia.com/wiki/DryOS_Porting) on the wiki implies the camera is not a DryOS-camera since it doesn't respond to an fi2-file. Can this really be true? Seems unlikely...

/Andreas
DSLRs run very different code, even if they use the same OS. If you haven't already, I suggest you take a long look through the DSLR subforum, and possibly the Magic Lantern wiki http://magiclantern.wikia.com/wiki/Magic_Lantern_Firmware_Wiki

I basically ignore the DSLR stuff since I don't own one, so I can't offer any specific advice.
Title: Re: Noob trying to dump 500D/T1i, need some input...
Post by: anwe79 on 06 / October / 2009, 18:20:26
Thanks for the input, I'll be sure to check up on Magic Lantern and the DSLR threads more tomorrow, right now I'm too tired and my head is full from reading the forum/wiki :).

Yep, I kinda figured DSLRs are different beasts altogether, I'll focus on Magic Lantern and 5D mark II, seems to be the most similar camera with progress made.

No real progress yet, but I stumbled on a version string embedded in a photo with hexedit: 1.0.9.4a(01), it seems to match well with what the camera reports. I also made a Wiki-page and updated the PID-list.

/Andreas
Title: Re: Noob trying to dump 500D/T1i, need some input...
Post by: hudson on 07 / October / 2009, 15:57:49
I'm working on dumping the firmware for the 7D (http://magiclantern.wikia.com/wiki/7D_support) and am in much the same position as you are with the 500D.  Since neither has had an official firmware update from Canon, we do not have pre-existing .fir files for analysis.  I've been able to determine the device id for the first quad word of the firmware file, but something else must be wrong since it rejects files that are acceptable to the 5D.  They might have changed the checksum algorithm or are perhaps looking for some values elsewhere in the header that we're not setting correctly.

(https://chdk.setepontos.com/proxy.php?request=http%3A%2F%2Fimages2.wikia.nocookie.net%2Fmagiclantern%2Fimages%2Fthumb%2Fd%2Fd8%2F7d-error.jpg%2F250px-7d-error.jpg&hash=30a1ce917722ea3c29149ecc16557f42)
Title: Re: Noob trying to dump 500D/T1i, need some input...
Post by: anwe79 on 07 / October / 2009, 16:57:45
Yes, I guess we're in the same boat, although you have some "mad skillz" that I lack. I'm in complete awe of Magic Lantern, I'll be happy if I can just make my camera hang in the boot process or, if I'm lucky, blink a LED :).

I'm guessing there might be a boot flag similar to 450D that needs to be set in firmware before boot from SD is possible, so I'm giving up those tests now. (Tried FAT32 also, with adjusted offsets, no go. BTW, why are there 2 blank bytes in the "Operating system boot code" area before "BOOTDISK"?)

Right now I'm installing "EOS utility" in QEMU and trying USB passthrough. I figured I may as well snoop the USB a little as I wasn't getting anywhere with the card. I need to read up on USB first though...

I have not tried loading anything via firmware update yet, in fear of bricking. As I understand "firmware update" really only loads a flasher embedded in the .fir that does the actual flashing. Is there a dummy .fir somewhere that would be safe to play with? I haven't set up a build environment yet, maybe now is the time. I have somewhat of a learning curve to climb here, my C knowledge is mighty rusty, and I've only done ASM on a 6809...

PS Hudson; how did you "guess" the device ID for the firmware? I noticed you mentioned trial and error, care to elaborate? Does it have any connection with model # or P-ID?

Sorry for the barrage of questions, I'm basically thinking out loud :-[.

/Andreas
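The boot-sector checks discussed in this thread (the dd write of "BOOTDISK" at offset 64, the "EOS_DEVELOP" label at 0x2B with "BOOTDISK" at 0x40, and the two bytes that sit in front of "BOOTDISK") can be verified on a card image without a hex editor. The script below is an added example written for this thread, not code from CHDK or Magic Lantern. It builds a constructed FAT16 boot sector standing in for what gparted wrote, reports whether the two Canon markers are present, and writes them in at the offsets for the detected FAT type. The FAT16 offsets are the ones given in the thread; the FAT32 offsets (label at 0x47, "BOOTDISK" at 0x5C) are the CHDK convention and are an assumption on my part, as is the `check_device` helper that reads a real partition.

```python
import struct

# Where the two Canon boot markers live in a FAT boot sector. The FAT16 offsets
# (label at 0x2B, "BOOTDISK" at 0x40) are the ones used in this thread; the FAT32
# offsets (0x47 and 0x5C) follow the CHDK convention and are assumed here.
MARKERS = {
    "FAT16": {"label": 0x2B, "bootcode": 0x40},
    "FAT32": {"label": 0x47, "bootcode": 0x5C},
}
LABEL = b"EOS_DEVELOP"      # exactly 11 bytes: the volume label field
BOOTCODE = b"BOOTDISK"      # 8 bytes at the start of the boot code area


def fat_type(sector):
    """Classify a 512-byte boot sector as FAT16 or FAT32 from its BPB.

    FAT32 volumes set the 16-bit "sectors per FAT" field at 0x16 to zero and
    keep the real value in a 32-bit field further on; FAT12/16 use the 16-bit one.
    """
    if len(sector) != 512 or sector[510:512] != b"\x55\xAA":
        raise ValueError("not a boot sector: wrong length or missing 0x55AA signature")
    fat_size16 = struct.unpack_from("<H", sector, 0x16)[0]
    return "FAT32" if fat_size16 == 0 else "FAT16"


def check_markers(sector):
    """Report whether both markers are present at the offsets for the detected FAT type."""
    kind = fat_type(sector)
    off = MARKERS[kind]
    return {
        "fat": kind,
        "label_ok": sector[off["label"]:off["label"] + 11] == LABEL,
        "bootcode_ok": sector[off["bootcode"]:off["bootcode"] + 8] == BOOTCODE,
    }


def patch_markers(sector):
    """Return a copy of the sector with both markers written in; nothing else is touched."""
    kind = fat_type(sector)
    off = MARKERS[kind]
    buf = bytearray(sector)
    buf[off["label"]:off["label"] + 11] = LABEL
    buf[off["bootcode"]:off["bootcode"] + 8] = BOOTCODE
    return bytes(buf)


def build_fat16_sector(label=b"BOOT"):
    """Constructed FAT16 boot sector standing in for what gparted wrote on the card.

    Only the fields the checks above need are filled in. The volume label is the
    one gparted was given, so the Canon markers are absent to begin with.
    """
    s = bytearray(512)
    s[0:3] = b"\xEB\x3C\x90"            # jump to boot code
    s[3:11] = b"MSWIN4.1"               # OEM name
    # BPB: bytes/sector, sectors/cluster, reserved sectors, FAT count, root
    # entries, total sectors (16-bit), media byte, sectors/FAT (16-bit),
    # sectors/track, heads, hidden sectors, total sectors (32-bit)
    struct.pack_into("<HBHBHHBHHHII", s, 0x0B,
                     512, 1, 1, 2, 512, 65535, 0xF8, 250, 63, 255, 0, 0)
    s[0x24] = 0x80                      # drive number
    s[0x26] = 0x29                      # extended boot signature
    struct.pack_into("<I", s, 0x27, 0x12345678)   # constructed volume serial
    s[0x2B:0x36] = label.ljust(11)      # volume label field (what gparted writes)
    s[0x36:0x3E] = b"FAT16   "          # file system type string
    # The boot code area starts at 0x3E, so 0x3E..0x3F are the two bytes that
    # sit in front of "BOOTDISK" at 0x40.
    s[510:512] = b"\x55\xAA"            # boot sector signature
    return bytes(s)


def check_device(path):
    """Read the first sector of a partition device (e.g. /dev/mmcblk0p1) and check it."""
    with open(path, "rb") as f:
        return check_markers(f.read(512))


if __name__ == "__main__":
    raw = build_fat16_sector()
    print("before:", check_markers(raw))
    print("after: ", check_markers(patch_markers(raw)))
```

Run it as-is to see the constructed sector before and after patching; `check_device("/dev/mmcblk0p1")` (root needed) does the same read-back the thread talks about against a real card, and `fat_type` refuses anything that is not a 512-byte sector ending in 0x55AA, so a wrong device or an offset mistake fails loudly instead of reporting false results.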
Title: Re: Noob trying to dump 500D/T1i, need some input...
Post by: hudson on 08 / October / 2009, 09:09:26
The device ID was determined through trial and error.  Based on the other devices, I figured it was in the 0x800002xx range, so I built 256 firmware images and tried them in order.  Most of them generate an error screen with a black background, but 0x80000250 has the orange box shown above.  I confirmed the same behaviour on the 5D -- invalid ids have the black error, while valid ids with corrupt firmware have the orange box.

My 5D autoboots, but the 7D does not.  I don't believe that I've ever set the autoboot flag, but it seems to be working anyway.

To test the firmware update I build a dummy firmware with an infinite loop for the first instruction.  Once I know that that part of the code is running (by the fact that the camera hangs), I move the loop a little further down.  You should download the Magic Lantern code and can build your own .fir files with it.  reboot.c is where the code starts, with the inline assembly in the first bit of the file.
Title: Re: Noob trying to dump 500D/T1i, need some input...
Post by: anwe79 on 10 / October / 2009, 18:51:19
Thanks, as soon as I get a cross toolchain working I'll try and make some dummy .firs to find the correct ID.

I've tried using crosstools-ng, but I'm missing headers so things won't compile. I probably did something wrong or neglected to export some path, but right now I can't figure out how to fix it. I'm trying a package from embdev.net next. If that doesn't work I might need to get my hands dirty and roll my own...

PS USB-snooping via QEMU didn't work well, apparently it's not really stable yet for highspeed USB stuff. It crashes EOS utility and gave me a couple of bluescreens. Native gphoto2 worked ok though.

/Andreas
Title: Re: Noob trying to dump 500D/T1i, need some input...
Post by: lorenzo353 on 19 / October / 2009, 14:11:49
To find a model id for a given camera model, just look inside a RAW file or unedited JPEG file produced by this camera, and look at the "modelid" EXIF tag:
http://www.sno.phy.queensu.ca/~phil/exiftool/TagNames/Canon.html#CanonModelID
To do that, you can use ExifTool (http://www.sno.phy.queensu.ca/~phil/exiftool) or PhotoME (http://www.photome.de/)

yes, 7d modelid is 0x80000250, 500D is 0x80000252

Lorenzo
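For readers who want to see where that tag comes from: the Canon model id lives in the Canon MakerNote, which is a TIFF-style IFD, as tag 0x0010 (CanonModelID, an unsigned 32-bit value) in the ExifTool Canon tag table linked above. The script below is an added example written for this thread, not code from ExifTool, CHDK or Magic Lantern. It parses an IFD from raw bytes, shows the inline-versus-offset rule for the 4-byte value field, and pulls out the model id; it assumes the MakerNote IFD bytes have already been located inside the file (ExifTool does that part), and the two-entry IFD it builds is constructed, not data from a real camera.

```python
import struct

CANON_MODEL_ID_TAG = 0x0010          # CanonModelID in the Canon MakerNote IFD (int32u)
# Byte sizes of the TIFF field types: BYTE, ASCII, SHORT, LONG, RATIONAL,
# UNDEFINED, SLONG, SRATIONAL
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}


def value_is_inline(typ, count):
    """TIFF stores a field's data in the 4-byte value slot only when it fits there."""
    return TYPE_SIZES[typ] * count <= 4


def parse_ifd(data, endian="<"):
    """Parse a TIFF-style IFD: 2-byte entry count, then 12-byte entries.

    Each entry is tag, type, count and a 4-byte field that holds the value when
    it fits and an offset to the data otherwise. Returns
    {tag: (type, count, raw_value_or_offset_bytes)}. `endian` is "<" or ">"
    and must match the byte order of the enclosing TIFF header.
    """
    count = struct.unpack_from(endian + "H", data, 0)[0]
    entries = {}
    for i in range(count):
        base = 2 + 12 * i
        tag, typ, n = struct.unpack_from(endian + "HHI", data, base)
        entries[tag] = (typ, n, bytes(data[base + 8:base + 12]))
    return entries


def canon_model_id(makernote_ifd, endian="<"):
    """Extract CanonModelID as an int from the MakerNote IFD bytes."""
    entries = parse_ifd(makernote_ifd, endian)
    if CANON_MODEL_ID_TAG not in entries:
        raise KeyError("no CanonModelID entry in this IFD")
    typ, n, value = entries[CANON_MODEL_ID_TAG]
    if typ != 4 or n != 1 or not value_is_inline(typ, n):
        raise ValueError(f"unexpected type/count for CanonModelID: {typ}/{n}")
    return struct.unpack(endian + "I", value)[0]


def fmt_model_id(model_id):
    """Render the id the way the thread writes it, e.g. 0x80000252."""
    return f"0x{model_id:08X}"


def build_sample_ifd(model_id, endian="<"):
    """Constructed two-entry MakerNote IFD (sample data, not from a real camera)."""
    # Entry 1: tag 0x0001 (CanonCameraSettings), SHORT[8] = 16 bytes, so the
    # value slot carries an offset (a constructed 0x00000100) rather than data.
    e1 = struct.pack(endian + "HHII", 0x0001, 3, 8, 0x00000100)
    # Entry 2: tag 0x0010 (CanonModelID), LONG[1] = 4 bytes, stored inline.
    e2 = struct.pack(endian + "HHII", CANON_MODEL_ID_TAG, 4, 1, model_id)
    # Entry count, the two entries, then a zero "next IFD" pointer.
    return struct.pack(endian + "H", 2) + e1 + e2 + struct.pack(endian + "I", 0)


if __name__ == "__main__":
    ifd = build_sample_ifd(0x80000252)
    print(fmt_model_id(canon_model_id(ifd)))   # prints 0x80000252
```

The endianness argument matters in practice: Canon writes its EXIF in the byte order declared by the TIFF header ("II" or "MM"), and the MakerNote entries follow it, so a parser that hard-codes one order will read a plausible but wrong number.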
Title: Re: Noob trying to dump 500D/T1i, need some input...
Post by: anwe79 on 21 / October / 2009, 14:43:06
Thanks! Confirmed, the id is 0x80000252 for the 500D. There really is a lot of information in the EXIF tags.

I really haven't gotten much further, although I have what seems to be a working cross-compiler now ("hello world" works). I tried compiling Magic Lantern, but it doesn't work all the way through. Right now I'm sick so haven't got any energy to fiddle around with the code/build, but when I get better I'll try it again.

Hmm... A little thought has crept into my mind. If you can get some of the EXIF info through system calls (as I assume), you could possibly calculate (or through tables of known lenses) and auto adjust a motorized pano-rig for no-parallax. That would be cool, but quite some work to realize...

Other stuff I'd like to try my hand at would be an extended AEB mode, some fiddling with video modes, fps and possibly cropping the sensor for lower bandwidth needs. All very, very remote targets right now, but I can dream can't I?

/Andreas
Title: Re: Noob trying to dump 500D/T1i, need some input...
Post by: Kenjee on 29 / October / 2009, 13:31:06
anwe79, although I can't directly help you (I'm no programmer) I just want to say that I'm glad that someone put effort into 500D/T1i firmware.

Only thing I can do is pass some ideas.

Because 500D and 5D mkII share many things, if you successfully dump the 500D firmware, is there a possibility to analyze the difference between 5D mkII 1.0.7 and 1.1.0 firmware? That difference could lead to the manual controls register.

I hope that you're well now and I'm eagerly waiting for any post.
Keep Up!!!
Title: Re: Noob trying to dump 500D/T1i, need some input...
Post by: forgety on 03 / November / 2009, 09:19:11
Quote
anwe79, although I can't directly help you (I'm no programmer) I just want to say that I'm glad that someone put effort into 500D/T1i firmware.

I hope that you're well now and I'm eagerly waiting for any post.
Keep Up!!!
I just found out about this website from one of my friends today. It's great to see that someone is working on dumping the 500D firmware! Good luck!
Title: Re: Noob trying to dump 500D/T1i, need some input...
Post by: anwe79 on 10 / November / 2009, 15:05:32
Thanks for the encouragement!
I've been busy with "real life" since my last post, but I will try to get my hands dirty again some time this or next week. I first need to confirm that my cross-compiler is sound (I think so), then I need to figure out how to build a firmware image/loader that a) will be accepted by the camera and b) will not brick the camera. And finally I'll need to muster up enough courage to actually load the thing ;).

/Andreas
Title: Re: Noob trying to dump 500D/T1i, need some input...
Post by: Oslec on 24 / February / 2010, 23:21:43
Where are you, Andreas? :)

Did you get some progress?
Title: Re: Noob trying to dump 500D/T1i, need some input...
Post by: anwe79 on 24 / April / 2010, 03:14:35
I'm currently in Australia backpacking :D.

Have been out of touch with this for some time now, but I see there is an official update out now. Just catching up now and reading on cinema5d.com and ML mailing list.

Maybe, just maybe, if I have time and energy I will try to make some progress with ML and the 500D. But that's a big maybe, as I didn't get anywhere last time, I would not recommend you to hold your breath... As already stated, I'm not experienced with low-level hacking, so it might take a very long time to get anywhere.

/Andreas
Title: Re: Noob trying to dump 500D/T1i, need some input...
Post by: lorenzo353 on 06 / May / 2010, 10:51:58
Already done:
http://magiclantern.wikia.com/wiki/500D

see also the stub file for the FIO* functions addresses

Lorenzo