Canon 5d Classic Development ***BOOTDISK NOW ENABLED*** - page 2 - DSLR Hack development - CHDK Forum  

Canon 5d Classic Development ***BOOTDISK NOW ENABLED***

*

Offline Coutts

  • www.flickr.com/couttsphotog
    • Flickr
Re: Canon 5d Classic Development
« Reply #10 on: 05 / March / 2012, 15:26:43 »
Hi!

It won't help much, but you should remember: you're doing a "firmware upgrade". VxWorks is up and running, you can't just jump back into the ROM.
There is some code in the 350d thread (bootflg2) which runs with the firmware update method. It can maybe give some ideas (I wouldn't touch the bootflag at this point).
This is a good point - but I'm not sure what code has run already as I don't have the bootloader dumped.

All I have is a decrypted/dissected canon FIR which gave me the ROM and that's all..
Canon 5d
Canon 50mm f/1.8
Sigma 24mm f/1.8

Flickr

*

Offline 0xAF

Re: Canon 5d Classic Development
« Reply #11 on: 05 / March / 2012, 16:18:03 »
It won't help much, but you should remember: you're doing a "firmware upgrade". VxWorks is up and running, you can't just jump back into the ROM.

This actually makes perfect sense.

Andrew, perhaps I helped in misleading you, as I didn't take into account that VxWorks is already running...
This actually explains why 'owerlord' had the same troubles as you when he started the 400d hack.
He tried to run the firmware like you and he got the same problems. He only succeeded once he started AUTOEXEC.BIN.
Meaning (IMO) that when starting AUTOEXEC.BIN from the BootLoader (BL) the camera hasn't been initialized and the restart code worked, but trying to initialize the camera once it's already initialized (the case with the .FIR) naturally brings trouble.

Perhaps you should find a good place to jump (after the initialization code) and it could work. Maybe the FW Upgrade code can help, but IIRC the 400d wants you to hard reboot the camera after FW Upgrade, which means it has no code to resume normal operation.

If you find a way to enable the bootflags, I would say it's your chance of success.


EDIT:
BTW I think you won't need the BL code if you manage to enable the bootflags, since it's irrelevant to the .FIR hack and only important for the AUTOEXEC.BIN hack, though you already know what it will do for you, i.e. copy the .BIN and start it from an address you already know.
« Last Edit: 05 / March / 2012, 16:23:51 by 0xAF »
// AF

*

Offline 0xAF

Re: Canon 5d Classic Development
« Reply #12 on: 05 / March / 2012, 16:33:30 »
There is some code in the 350d thread (bootflg2) which runs with the firmware update method. It can maybe give some ideas (I wouldn't touch the bootflag at this point).

Could you please give some pointers to the code ? I'm interested in it, since I want to run 400Plus from .FIR file too.
// AF

*

Offline srsa_4c

Re: Canon 5d Classic Development
« Reply #13 on: 05 / March / 2012, 16:48:07 »
Could you please give some pointers to the code ? I'm interested in it, since I want to run 400Plus from .FIR file too.
It's here: http://chdk.setepontos.com/index.php?topic=4202.msg57328#msg57328


*

Offline 0xAF

Re: Canon 5d Classic Development
« Reply #14 on: 05 / March / 2012, 18:09:55 »
It's here: http://chdk.setepontos.com/index.php?topic=4202.msg57328#msg57328

srsa_4c, thanks for the link, this helped me better understand the basic procedure of enabling the bootflags; I just need to find the routines in the 400d bootloader. We can get rid of our 'testfir.fir' (bootflags enabler) and make a better one with some feedback now.


Andrew, just spotted something interesting: the bootflg2.bin from the .FIR file for the 350D is linked at address 0x1900, i.e. -Wl,-N,-Ttext,1900 (from the 'ld' man page it's clear that 1900 is hexadecimal and the 0x in front can be omitted).

IIRC this is the stack pointer address, which grows backwards, thus everything >0x1900 will not mess with the stack.
I'm not sure why it's linked there, but this could be your link address (instead of 0x800000).

Hope this helps a bit.
// AF

Re: Canon 5d Classic Development
« Reply #15 on: 06 / March / 2012, 00:12:47 »
Some stubs for the 5d: FIO_OpenFile = 0xFFAE5B1C, FIO_CreateFile = 0xFFAE5B2C, FIO_RemoveFile = 0xFFAE5B3C, FIO_ReadFile = 0xFFAE5B54, FIO_SeekFile = 0xFFAE5B60, FIO_WriteFile = 0xFFAE5B6C, FIO_CloseFile = 0xFFAE5B78

Re: Canon 5d Classic Development
« Reply #16 on: 06 / March / 2012, 01:28:38 »
Booting stubs: romStart = 0xFF8102B0, usrInit = 0xFF810ED8, usrInit_1 = 0xFF810A8C, usrRoot = 0xFF810FA0, usrAppInit = 0xFF810A10, task_Startup = 0xFF811080, CreatTask = 0xFFB18B40 and kernelInit = 0xFFB534B8
« Last Edit: 06 / March / 2012, 08:32:14 by Chuchin »

*

Offline Coutts

Re: Canon 5d Classic Development
« Reply #17 on: 06 / March / 2012, 11:04:19 »
^ thanks! How did you find those? I identified possible similar functions to usrInit and romStart, but it is very different from the VxWorks of the 400d. It's somewhat like DryOS and VxWorks.. strange.


Also, as a test, I blinked out the location of my function my_romStart() to see where the code is loading.




My test code:

entry.S
Quote
.text
.org 0

_start:

                SUB     SP, SP, #0x1000
                STMFD   SP!, {R0-R11,LR}
                BL      COPY
                LDR     R0, =my_romStart
                B       my_romStart

init.c
Quote
#include "arm-mcr.h"




/* Copy 0x4000 words (64 KB) of the image from the load address to the link address.
 * The originally posted loop only reassigned the pointer ("to = from") and copied nothing. */
void COPY() {
   int i;
   
   long *from = (long*) 0x800000;   /* where the .FIR loader placed the code */
   long *to   = (long*) 0x7F0000;   /* where the code was linked */
   
   for (i = 0; i < 0x4000; i++) {
      to[i] = from[i];
   }
}

/* LED GPIO register; volatile so the compiler does not merge or drop the accesses */
static void ledOn()
{
    *(volatile int*)0xC02200A0 |= 2;
}

static void ledOff()
{
    *(volatile int*)0xC02200A0 &= ~2;
}

static void sleep(int n)
{
    int i,j;
    static volatile int k = 0;
    for (i = 0; i < n; i++)
        for (j = 0; j < 100000; j++)
            k++;
}

void my_romStart(int loc)
{
    int i;
   
    for (i=0; i<32; i++)
    {
        if (((loc >> i) & 1))
        {
            ledOn();
            sleep(1);
            ledOff();
            sleep(1);
            ledOn();
            sleep(1);
            ledOff();
            sleep(7);
        }
        else
        {
            ledOn();
            sleep(2);
            ledOff();
            sleep(7);
        }
    }
}

When I load at 0x7F0000 and use the COPY function up there, this is my output from the LED:

00010011000000001111111000000000

now reverse this:

00000000011111110000000011001000 == 0x7F00C8
This sounds about right.

But.. When I try to load at 0x800000 (and not call the COPY() function) and blink the location of my_romStart(), it blinks out all 0s.. odd.
« Last Edit: 06 / March / 2012, 11:07:21 by Coutts »
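The blink pattern above is emitted LSB first (bit i of loc on iteration i), so the posted string has to be reversed before reading it as a number. As an added example (not code from the thread), this models the timeline my_romStart() produces, with "1" = two short flashes and "0" = one longer flash, each followed by a 7-unit dark gap, and decodes it back; the timing units are the sleep(n) arguments from the post.

```python
def encode_blink(value):
    """Pulse timeline my_romStart() produces for a 32-bit value.
    Each element is (on_units, off_units); bits come out LSB first."""
    pulses = []
    for i in range(32):
        if (value >> i) & 1:
            pulses += [(1, 1), (1, 1 + 7)]   # on1 off1 on1 off1, then 7 units dark
        else:
            pulses += [(2, 7)]               # on2, then 7 units dark
    return pulses

def decode_blink(pulses, gap=7):
    """Recover the value from a pulse timeline: a bit ends once the LED stays
    off for at least `gap` units, and the bit is 1 if it held two flashes."""
    bits = []
    flashes = 0
    for on, off in pulses:
        flashes += 1
        if off >= gap:
            bits.append(1 if flashes == 2 else 0)
            flashes = 0
    value = 0
    for i, b in enumerate(bits):      # LSB first, matching the loop order
        value |= b << i
    return value

def decode_string(bitstring):
    """Decode a hand-written LSB-first 0/1 string like the one in the post."""
    return int(bitstring[::-1], 2)

if __name__ == "__main__":
    posted = "00010011000000001111111000000000"   # string from the post
    print(hex(decode_string(posted)))               # 0x7f00c8
    print(hex(decode_blink(encode_blink(0x7F00C8))))
```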


*

Offline Coutts

Re: Canon 5d Classic Development
« Reply #18 on: 06 / March / 2012, 11:43:57 »
Another note:

If I take out the STMFD and SUB SP instructions, my code doesn't run. So I think I know how to run my own code in a stable manner now, that's a step forward. Slowly making progress :)

*

Offline 0xAF

Re: Canon 5d Classic Development
« Reply #19 on: 06 / March / 2012, 17:35:03 »
entry.S
Quote
.text
.org 0

_start:

                SUB     SP, SP, #0x1000
                STMFD   SP!, {R0-R11,LR}
                BL      COPY
                LDR     R0, =my_romStart
                B       my_romStart

With this code you did not blink your loading address, you got the address where you linked and later copied your code.
My guess is that when you call "LDR R0, =my_romStart" the linker replaces "=my_romStart" with 0x7f0000 at compile time. Though it seems your loading address is 0x800000 if you're able to run stable code with routine calls, since you copied your code from there to 0x7f0000.
You can check the generated binary for the representation of the LDR R0 instruction in binary (which should be available on the net) and the 0x7f0000 around it (not sure about the endianness).
Perhaps you should try to get the PC, as you were going to try. You need to blink out something which is run-time, not compile-time ;)

About my previous comments concerning the 350D's bootflg2 code, I said it is linked to run from 0x1900, but when I thought about it more, they do not have routine calls in their code (besides the routines from the BootLoader, but those do not count, since they have their addresses already), so they do not care where they're linked.

If you have a way to run stable code now, you should try to blink out the bootloader. Then find the routines for bootflags in the bootloader... this way you will be able to run AUTOEXEC.BIN ;)
« Last Edit: 06 / March / 2012, 18:02:07 by 0xAF »
// AF
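Checking the binary for the LDR literal, as suggested above, can be done without a disassembler: "LDR R0, =sym" assembles to a PC-relative load (LDR Rd, [PC, #imm]) and the linker drops the resolved address into a literal pool a few words later. This added example (not from the thread) scans a raw little-endian ARM image for that encoding and resolves each literal; the image it runs on is a constructed four-word sample, not a real camera binary.

```python
import struct

# LDR (immediate) with Rn = PC: bits 27-25 = 010, P=1, B=0, W=0, L=1, Rn=1111.
LDR_PC_MASK = 0x0F7F0000
LDR_PC_REL  = 0x051F0000

def find_pc_relative_ldr(blob, load_addr=0):
    """Return (insn_addr, rd, literal_addr, value) for every LDR Rd,[PC,#imm]
    whose literal lies inside the image. ARM-mode PC reads as insn + 8."""
    hits = []
    for off in range(0, len(blob) - 3, 4):
        insn = struct.unpack_from("<I", blob, off)[0]
        if insn & LDR_PC_MASK != LDR_PC_REL:
            continue
        if insn >> 28 == 0xF:          # cond=1111 is PLD etc., not LDR
            continue
        rd  = (insn >> 12) & 0xF
        imm = insn & 0xFFF
        up  = (insn >> 23) & 1         # U bit: add or subtract the offset
        lit_off = off + 8 + (imm if up else -imm)
        if 0 <= lit_off <= len(blob) - 4:
            value = struct.unpack_from("<I", blob, lit_off)[0]
            hits.append((load_addr + off, rd, load_addr + lit_off, value))
    return hits

def sample_image():
    """Constructed image: LDR R0,[PC,#4]; two MOV R0,R0 (nop); literal 0x7F0000.
    With PC = 0 + 8, the literal sits at offset 12, which is the last word."""
    return struct.pack("<4I", 0xE59F0004, 0xE1A00000, 0xE1A00000, 0x007F0000)

if __name__ == "__main__":
    # Pretend the image was placed at 0x800000 by the .FIR loader (assumed here).
    for insn_addr, rd, lit_addr, value in find_pc_relative_ldr(sample_image(), 0x800000):
        print("%08X: LDR R%d, =0x%X   (literal at %08X)" % (insn_addr, rd, value, lit_addr))
```

On a real dump the value column is what the linker baked in, so a literal of 0x7F0000 while the image runs from 0x800000 confirms that the blinked number was the link address, not the load address.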
