Ixus Wireless - SD430 Porting thread - General Help and Assistance on using CHDK stable releases

ahull

634

Ixus Wireless - SD430 Porting thread

« on: 24 / September / 2013, 17:56:26 »

Advertisements

Reyalps recent "Wireless Investigations" has re-awakened my interest in porting the venerable Ixus Wireless (SD430).

Fortunately for me, nafraf has shown some interest too, so between us, with a bit of luck we should have a working port for this camera soon. So far as I can see there have been a couple of fruitless attempts to port this model in the past with such limited success that I thought this attempt probably warranted a new thread.

So far progress is as follows.

1) We have a dump of firmware 1.00f and 1.10a both dumped from the same camera. I dumped the firmware on my camera then upgraded it to the latest firmware I could find on the web, then dumped it again.

The dumps were actually done over a year ago, and the original reference to the 1.00f dump can be found here with the dump in the usual place here.

2) I therefore have a working Ixus Wireless (SD430) with firmware version 1.10a to test with, anybody else with an Ixus Wireless who wants to contribute and test is also welcome.

3) I have set up a cross compiler for GCC-4.5.2 on my Ubuntu 13.04 laptop so I can play along with nafraf (and have updated the instructions on the CHDK Wikia page here for anyone else who wants to do this).

4) Nafraf has started porting for the Ixus Wireless 1.10a and 1.00f - SVN repo is here.

« Last Edit: 29 / September / 2013, 04:50:33 by ahull »

Logged

ahull

634

Re: Ixus Wireless - SD430 Porting thread

« Reply #1 on: 26 / September / 2013, 11:23:26 »

It seems the Ixus Wireless is sufficiently primitive for me to have to do a bit of head scratching when it came to finding the LED addresses. None of the existing methods or scripts worked (or they lead to dead links or 404 errors).

This Canon Basic script is a result of that head scratching. It switches on the LEDs I describe, then loops over an address space looking for more. See here for some of the clues that let me write the script.

Code: [Select]

private sub Initialize()
 SystemEventInit()
 UI_RegistDebugEventProc()
 ControlViewEvent(0x18D, "LED Finder for VxWorks")
 Wait(1000) 
 ControlViewEvent(0x66, 0) ' Hide the message

 ControlViewEvent(0x18D, "Yellow LED")
 Poke8(0xC02200B0, 0x46)
 Wait(1000) 
 ControlViewEvent(0x66, 0) ' Hide the message  
 
 ControlViewEvent(0x18D, "Blue LED")
 Poke8(0xC02200B5, 0x46)
 Wait(1000) 
 ControlViewEvent(0x66, 0) ' Hide the message  

 ControlViewEvent(0x18D, "Focus Assist LED")
 Poke8(0xC02200BF, 0x46)
 Wait(1000) 
 ControlViewEvent(0x66, 0) ' Hide the message 

 ControlViewEvent(0x18D, "Wireless Enable LED")
 Poke8(0xC0220088, 0x46)
 Wait(1000) 
 ControlViewEvent(0x66, 0) ' Hide the message


 for c = 0xC0220060 to 0xC0220100
 ControlViewEvent(0x18D, "Next Address")
    Poke8(c, 0x46)
    Wait(1000)
  next

end sub

What it boils down to is that I was able to find *some* of the LEDs as follows.

"Yellow (focus status beside viewfinder)LED" 0xC02200B0
"Blue Print LED" 0xC02200B5
"Focus Assist LAMP (Ultrabright LED on front of camera)" 0xC02200BF
and the interesting one, the "Wireless Enabled - Blue LED" looks to be at
"Wireless Enable LED" 0xC0220088

I think that should do for debugging purposes, the risk of randomly poking 0x46 into large areas of I/O or memory space is starting to worry me.

I am only missing the power LED and the amber/green dual colour viewfinder "Ready to shoot" LED

« Last Edit: 26 / September / 2013, 11:51:31 by ahull »

Logged

ahull

634

Re: Ixus Wireless - SD430 Porting thread

« Reply #2 on: 01 / October / 2013, 09:46:42 »

Some progress has been made, nafraf has built a test version for 1.1a, we have shown that the blink code works on my camera. Now we are slowly working our way through the boot process.

Logged

ahull

634

Re: Ixus Wireless - SD430 Porting thread

« Reply #3 on: 04 / October / 2013, 17:01:53 »

If anybody is looking for a status update, by moving the "my_blinker" code through boot.c we we have worked our way almost entirely through and almost make it out of the other end!

We currently come unstuck here...

Code: [Select]


...
"    BL      sub_FF81409C \n"
"    BL      sub_FF812130 \n"
);

// This blink happens 
asm volatile (
        " MOV R0, #3 \n"
        " BL  my_blinker \n"
);

    _taskCreateHookAdd(createHook);
    _taskDeleteHookAdd(deleteHook);

    drv_self_hide();

// This blink also happens
asm volatile (
        " MOV R0, #3 \n"
        " BL  my_blinker \n"
);

asm volatile (
"    LDMDB   R11, {R11,SP,PC} \n"
);


// This blink doesnt happen
asm volatile (
        " MOV R0, #3 \n"
        " BL  my_blinker \n"
);
...

Thanks once again to nafraf for his assistance. All suggestions welcome.

« Last Edit: 04 / October / 2013, 17:06:15 by ahull »

Logged

srsa_4c

4451

Re: Ixus Wireless - SD430 Porting thread

« Reply #4 on: 04 / October / 2013, 17:49:00 »

Quote from: ahull on 04 / October / 2013, 17:01:53

Code: [Select]
_taskCreateHookAdd(createHook); _taskDeleteHookAdd(deleteHook); drv_self_hide(); // This blink also happens asm volatile ( " MOV R0, #3 \n" " BL my_blinker \n" ); asm volatile ( " LDMDB R11, {R11,SP,PC} \n" ); // This blink doesnt happen asm volatile ( " MOV R0, #3 \n" " BL my_blinker \n" );

It doesn't happen, because the subroutine has already ended (LDMDB instruction).
Does the cam crash?
Since the task hooks are already planted, execution should continue in generic/main.c (this file's content can be copied into the port's main.c instead of #include'ing it, if that's easier).
A note about the blinker: I would recommend using the ASM_SAFE macro, the current code overwrites the R0 register.

I should add, I'm surprised to see STMFD + LDMDB style subroutines here. I have only encountered them in the s1is firmware so far.

@ahull
<OFF>Do you, by any chance, happen to have an ixus50 around?</OFF>

Logged

ahull

634

Re: Ixus Wireless - SD430 Porting thread

« Reply #5 on: 04 / October / 2013, 18:17:06 »

Quote from: srsa_4c on 04 / October / 2013, 17:49:00

Quote from: ahull on 04 / October / 2013, 17:01:53
Code: [Select]
_taskCreateHookAdd(createHook); _taskDeleteHookAdd(deleteHook); drv_self_hide(); // This blink also happens asm volatile ( " MOV R0, #3 \n" " BL my_blinker \n" ); asm volatile ( " LDMDB R11, {R11,SP,PC} \n" ); // This blink doesnt happen asm volatile ( " MOV R0, #3 \n" " BL my_blinker \n" );
It doesn't happen, because the subroutine has already ended (LDMDB instruction).

Ahh... I see, presumably the LDMDB in effect is the return from subroutine instruction. I had spotted that it influenced the PC and SP registers, but hadn't quite figured out what it did. Bear in mind the last time I wrote assembler was a long time ago, for the 6502, so ARM assembler may be a bit of a steep learning curve.

Quote

Does the cam crash?

Yes, it does, but in light of what you just said, I can be sure exactly where and why.

Quote

Since the task hooks are already planted, execution should continue in generic/main.c (this file's content can be copied into the port's main.c instead of #include'ing it, if that's easier).
A note about the blinker: I would recommend using the ASM_SAFE macro, the current code overwrites the R0 register.

Enlighten me, how do I call that?

Quote

I should add, I'm surprised to see STMFD + LDMDB style subroutines here. I have only encountered them in the s1is firmware so far.

This is a fairly old and odd camera, so I am sure it has quite a few surprises.

Quote

@ahull
<OFF>Do you, by any chance, happen to have an ixus50 around?</OFF>

I certainly do, I presume there is something you would like me to try.

Logged

srsa_4c

4451

Re: Ixus Wireless - SD430 Porting thread

« Reply #6 on: 04 / October / 2013, 18:39:01 »

I'm not sure about the values at the start of boot() in the 110a boot.c.
Can you try with this instead? Disclaimer: the related assembly routine in the firmware is really horrific (uses stack variables instead of registers), it could be that I'm misunderstanding it.
long *canon_data_src = (void*)0xffc33020; long *canon_data_dst = (void*)0x1900; long canon_data_len = 0x18c70 - 0x1900; long *canon_bss_start = (void*)0x18c70; long canon_bss_len = 0xc5d80 - 0x18c70;

Quote

Enlighten me, how do I call that?

ASM_SAFE(
"MOV R0, #3\n"
"BL my_blinker\n"
)
It's defined in include/asmsafe.h, don't forget to include that header.

Quote

I certainly do, I presume there is something you would like me to try.

Great! Can you make a full firmware dump? It's one of the early unusual cameras, and we don't have a full dump of its firmware.

This PDF can help with ARM assembly (google first hit for "arm instruction set").

Logged

ahull

634

Re: Ixus Wireless - SD430 Porting thread

« Reply #7 on: 05 / October / 2013, 14:12:43 »

Progress (of sorts). I made the changes suggested by srsa_4c - now the camera boots up, I get a brief flash of the blue "Canon" logo, and then the camera shuts down (sometimes I get a very brief flash of an all white screen before it shuts down).

EDIT: This is when I boot using the locked card method.. see next post.

Interestingly it seems to shut down cleanly. In other words I can press the power button a few seconds later and it comes back on, flashes the Canon logo again and shuts down again. I don't need to pull the battery to recover the camera.

The Ixus 50 dump is also proving a little bit of a head scratcher. I tried the universal dumper, and the various variants of it, but I cant seem to get any of them to run. I reformatted the SD card I was using in the Ixus 50, and tried various tricks. I may be doing something daft, but I don't think so. I'm full of the cold at the moment, so the brain may not be not firing on all cylinders.

Since there is a working CHDK for this camera (an Ixus 50 with Firmware GM1.01B), I might resort to using CHDK and lua to dump the ROM. (In the unlikely event that there is already a lua script to do this, point me at it, to save me the time).

« Last Edit: 05 / October / 2013, 14:32:06 by ahull »

Logged

ahull

634

Re: Ixus Wireless - SD430 Porting thread

« Reply #8 on: 05 / October / 2013, 14:28:35 »

Actually its better than that.. If I use the <Firmware Update> method of booting I actually boot CHDK on the Ixus Wireless - A world first I believe

. The menu layout is a bit screwy...

...but it kinda works.

Furthermore I can navigate the menus.

Conveniently I had an Ixus 50 next to me to take a picture

There are a few other rough edges, for example if I leave CHDK, the power button no longer works.

« Last Edit: 05 / October / 2013, 14:35:17 by ahull »

Logged

srsa_4c

4451

Re: Ixus Wireless - SD430 Porting thread

« Reply #9 on: 05 / October / 2013, 14:48:38 »

Quote from: ahull on 05 / October / 2013, 14:12:43

Progress (of sorts). I made the changes suggested by srsa_4c - now the camera boots up, I get a brief flash of the blue "Canon" logo, and then the camera shuts down (sometimes I get a very brief flash of an all white screen before it shuts down).

Try to get a romlog (if that works at this point). Also, comment out every task replacement in generic/main.c createHook() (or in ixusw_sd430/main.c if you copied it there), including the code that starts spytask. Re-enable them one by one. The old sigfinder is not perfect, a few firmware function address could be wrong.

Quote

The Ixus 50 dump is also proving a little bit of a head scratcher. I tried the universal dumper, and the various variants of it, but I cant seem to get it to run. I reformatted the SD card I was using in the Ixus 50, and tried various tricks.

It's more than likely not your fault. Try using my version of the Canon Basic dumper: http://chdk.setepontos.com/index.php?topic=6934.msg96394#msg96394, and make sure the card is not write protected (I forgot about this several times in the past).

Quote from: ahull on 05 / October / 2013, 14:28:35

The menu layout is a bit screwy...

Hmmm.
edit: perhaps that's the reason (sub/110a/lib.c):

Code: [Select]

//To do: all this file!!!
edit2:
void *vid_get_bitmap_fb()
{
return (void*)0x103c79a0;
}

« Last Edit: 05 / October / 2013, 15:22:05 by srsa_4c »

Logged