chdk in the DIGIC6 world - page 14 - General Discussion and Assistance - CHDK Forum

chdk in the DIGIC6 world

*

Offline srsa_4c

Re: chdk in the DIGIC6 world
« Reply #130 on: 09 / December / 2017, 10:22:16 »
I have updated the Xtensa related scripts. disassemble_xtensa.pl now takes advantage of the CHDK thumb2 sigfinder's output. The scripts' usage has also been simplified.

find_zico_msg_handlers.pl only requires Perl.
disassemble_xtensa.pl also needs an objdump binary with Xtensa support and 'strings'. The name and path of these utilities need to be corrected manually in the script.
 
Short howto:

1) Place PRIMARY.BIN in an empty directory, cd to that directory
2) Run finsig_thumb2 on PRIMARY.BIN. It should generate stubs_entry.S, in the same directory.
   finsig_thumb2 PRIMARY.BIN 0xfc000000 stubs_entry.S
3) Make (rough) disassemblies of two blobs:
   disassemble_xtensa.pl -exPRIMARY.BIN 0x80a00000
   disassemble_xtensa.pl -exPRIMARY.BIN 0xbff20000
4) In the disassembly (bff20000.bin.dis or 80a00000.bin.dis), locate the first reference to "ID Error[%d] -- msg:0x%08x".
   Some Xtensa assembly knowledge is required for this step. Examples are below.
   The code is likely more or less different in other models.
 a) (g1x2)
   Find the first 'movi' instruction backwards that has a constant operand greater than 200.
   That constant is the number of messages.
   Continue reading the disassembly backwards and find the first 'l32r' instruction. The constant it references
   is the start of the table of message handler functions.
 b) (sx280)
   Find the first 'movi' instruction backwards that has a constant operand greater than 200.
Code: [Select]
80a2c1d0:       b2a0e2                  movi    a11, 226
   That constant is the maximum message index, the number of messages is (constant + 1).
   Find the label the next 'bgeu' instruction points at.
Code: [Select]
80a2c1d3:       37bb63                  bgeu    a11, a3, loc_80a2c23a
   The first 'l32r' instruction there loads the address of the message handler table (points inside the same binary, near its start).
Code: [Select]
loc_80a2c23a:
80a2c23a:       8172f4                  l32r    a8, 0x80a29404  ; (0x80a001d0)
5) Execute
   find_zico_msg_handlers.pl 80a00000.bin.dis <decimal num> 80a00000.bin <hex offset>
   substituting <decimal num> with the number of messages and <hex offset> with the message handler table's offset inside the binary.
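
Step 4 b) of the howto above, written out in Python as an added example; it is not part of the original post or of the CHDK scripts. It assumes the disassembly layout quoted in the post, that the string reference line carries the string text as an annotation, and that the value in parentheses after `l32r` is the loaded literal. The sample listing is constructed (only the three quoted lines come from the post), `parse`, `imm` and `find_table` are hypothetical names, and only the sx280 variant is covered.

```python
import re

# Constructed listing in the layout of the sx280 lines quoted in the post.
# Only the movi, bgeu and labelled l32r lines are from the post; the other two
# lines, their 000000 bytes and the string annotation format are assumed.
SAMPLE_DIS = """\
80a2c1d0:       b2a0e2                  movi    a11, 226
80a2c1d3:       37bb63                  bgeu    a11, a3, loc_80a2c23a
80a2c1d6:       000000                  movi    a12, 3
80a2c1d9:       000000                  l32r    a10, 0x80a29400  ; "ID Error[%d] -- msg:0x%08x"
loc_80a2c23a:
80a2c23a:       8172f4                  l32r    a8, 0x80a29404  ; (0x80a001d0)
"""

INSN = re.compile(r"^([0-9a-f]{8}):\s+[0-9a-f]+\s+(\S+)\s*(.*)$")

def parse(text):
    """Return rows of (address, mnemonic, operands, label preceding the row)."""
    rows, label = [], None
    for line in map(str.strip, text.splitlines()):
        if line.endswith(":") and " " not in line:
            label = line[:-1]          # e.g. loc_80a2c23a
        elif (m := INSN.match(line)):
            rows.append((int(m[1], 16), m[2], m[3], label))
            label = None
    return rows

def imm(operands):
    """Last comma-separated operand of a movi, as an integer."""
    return int(operands.split(",")[-1], 0)

def find_table(text, base, needle="ID Error"):
    """Step 4 b) of the howto: return (number of messages, table offset)."""
    rows = parse(text)
    ref = next(i for i, r in enumerate(rows) if needle in r[2])
    # Walk backwards to the first movi whose constant is greater than 200.
    movi = next(i for i in range(ref, -1, -1)
                if rows[i][1] == "movi" and imm(rows[i][2]) > 200)
    # The next bgeu names the label where the handler lookup starts.
    target = next(r for r in rows[movi:] if r[1] == "bgeu")[2].split(",")[-1].strip()
    start = next(i for i, r in enumerate(rows) if r[3] == target)
    # The first l32r there carries the loaded literal in parentheses.
    l32r = next(r for r in rows[start:] if r[1] == "l32r")
    table = int(re.search(r"\((0x[0-9a-f]+)\)", l32r[2])[1], 16)
    return imm(rows[movi][2]) + 1, table - base

if __name__ == "__main__":
    count, offset = find_table(SAMPLE_DIS, 0x80a00000)
    print(count, hex(offset))
```

For the sample this yields 227 messages and table offset 0x1d0, the two values used in the working invocation in reply #131.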

*

Offline ftm

Re: chdk in the DIGIC6 world
« Reply #131 on: 13 / December / 2017, 17:38:45 »

Edit: I got it to work. The hex offset according to this example was 001d0. Now that I have this file, I will check what is the next step.
Code: [Select]
./find_zico_msg_handlers.pl 80a00000.bin.dis 227 80a00000.bin 001d0
Thanks for this tool. I am running this but the output file at the last step 80a00000.bin.dis.names is empty. As an exercise, I tried it on the sx280 (102c) version. All the other steps worked.
Code: [Select]
./find_zico_msg_handlers.pl 80a00000.bin.dis 227 80a00000.bin 0x80a29404
I also tried just 80a2904 as well. That also gave an empty file. Thanks for your help.
« Last Edit: 13 / December / 2017, 20:31:18 by ftm »

*

Offline srsa_4c

Re: chdk in the DIGIC6 world
« Reply #132 on: 01 / March / 2018, 14:50:11 »
Update on movie recording related findings. Many of these have already been mentioned in the M3 thread, starting here.
At the time of writing, the following features seem doable:
- Time limit removal
 File size based limit (4GB) remains.
- Video bitrate adjustment
In firmware, bitrate is specified by 3 values. The highest value seems to be the maximum bitrate. The exact purpose of the other two is not known. The sx280 seems to be configured to constant bitrate (CBR), the 3 values differ by 100 (kbit/sec). With the lowest value adjusted to be a much lower number, the recording bitrate seems to vary according to scene (VBR).
Bitrate seems to have an upper limit that can't be exceeded (limit seems independent of frame rate or resolution). That limit is approx. 35000 kbit/s on the sx280, Ant reported higher limit on the M3.
- Audio bitrate adjustment
The sx280 always uses 128kb/s AAC audio. I have successfully changed this to 64 and 32 kbit/s (256 is probably also doable). Changing this in the initialization function I mentioned in the M3 thread does not affect the file properties (header?), it will still say 128kbit/s.

- Video keyframe period
The sx280 does not have an ALL-I mode, but parts of ALL-I support are present. Using those parts of the fw code results in ALL-I recording, but camera crashes after completing the recording. Simply adjusting key frame period to 1 also works, but the resulting file does not seem entirely correct (and can't be played back in cam). The limited bitrate makes a forced ALL-I mode kind of pointless, so I'm just mentioning this in case someone shows interest.

A big problem with all above is that those changes need to be made in a copy of a huge firmware function - that's something I'd prefer to avoid.

edit:
- the audio bitrate constant I found turned out to NOT affect the actual recorded bitrate, unfortunately
- modifying the above mentioned huge fw function seems unavoidable due to that routine's complexity
« Last Edit: 11 / March / 2018, 09:07:23 by srsa_4c »

*

Offline srsa_4c

Re: chdk in the DIGIC6 world
« Reply #133 on: 17 / March / 2018, 12:03:09 »
Preliminary patch for D6 movie mode overrides, implemented on sx280 (102b) and M10 (110d).

Features bitrate manipulation and time limit removal, according to my current knowledge. Overrides are applied at start of recording, changing bitrate mid-recording is not possible.

Differences from existing movie override support:
- "Video mode" can be set to: default, CBR, VBR HI, VBR MID, VBR LOW
  Default means no bitrate modification. CBR means constant bitrate, VBR means variable bitrate. The 3 VBR variants set the middle bitrate value (see previous post) differently.
- "Video bitrate" specifies a bitrate relative to the current mode's firmware default value. In VBR modes, this is the highest bitrate. Bitrate has an absolute, model specific high limit which can only be found out by experimentation. That limit is applied silently (it's not reflected on UI).
- "VBR minimum bitrate" specifies the relative minimum bitrate for VBR modes. It's a percentage of the currently effective "Video bitrate" (which can't be higher than the high limit).

Time limit related:
- most time limits are raised unconditionally (normal limits on sx280 and m10 range from 30 minutes to 1 hour), to 3 hours
- high frame rate movie time limit (sx280 only) increased from 30 seconds to 300 seconds, but only when user enables time limit removal in menu

I only ever tested this on sx280, using the high frame rate mode.

Implementing the model specific parts can be a bit more challenging than usual.
I can provide help, if there is interest.


Re: chdk in the DIGIC6 world
« Reply #134 on: 17 / March / 2018, 22:35:00 »
I will definitely look at this for the sx60 hs. It looks like you've done all the heavy lifting and it should be pretty straightforward! 😏

*

Offline srsa_4c

Re: chdk in the DIGIC6 world
« Reply #135 on: 24 / March / 2018, 15:38:48 »
Updated movie override patch.

Changes:
- renamed the camera.h define
- reorganized the platform code - moved common routines to platform/generic/movie_rec.c
- made the cocoa task override related code a little bit less complicated
- added m10 110f

Re: chdk in the DIGIC6 world
« Reply #136 on: 24 / March / 2018, 17:51:17 »
Thanks for the updated patch. Almost done for the SX60HS / 100f but I have an assembler problem.
I think the offending line is the back to ROM line. It was complaining it wasn't 4-byte aligned so I adjusted it. Not sure if the address is right now as my math gives a different address for 100f. I've attached two files, movie_rec.c and the corresponding .s file, hoping someone will understand the error.

Code: [Select]
>> Entering to ./platform/sx60hs/sub/100f
movie_rec.c -> movie_rec.o
movie_rec.c: In function 'getchunkinfo':
movie_rec.c:1315:5: warning: implicit declaration of function 'bitrate_calc' [-Wimplicit-function-declaration]
     bitrate_calc(lsum);
     ^
/tmp/ccv51IuG.s: Assembler messages:
/tmp/ccv51IuG.s:615: Error: cannot represent T32_OFFSET_IMM relocation in this object file format
../../../makefile_sub.inc:45: recipe for target 'movie_rec.o' failed
make[1]: *** [movie_rec.o] Error 1

Code: [Select]
/**************************************************************/
// capdis -f=chdk -s=0xfc1d6a03 -c=15 -stubs PRIMARY.BIN 0xfc000000

void __attribute__((naked,noinline)) sub_fc1d6a02_my() {
    asm volatile (
"    push    {r4, r5, r6, r7, lr}\n"
"    sub     sp, #0x124\n"
"    ldr     r5, =0x00013ae0\n"
"    movs    r0, #0x1a\n"
"    add     r1, sp, #0x44\n"
"    str     r0, [sp]\n"
"    add     r0, sp, #0xb8\n"
"    ldrd    r2, r3, [r5, #0x14]\n"
"    mov     r4, r1\n"
"    bl      sub_fc1d44c8\n"
"    add     r0, sp, #0xb8\n"
"    bl      sub_fc2bf194\n"
"    add     r0, sp, #0x30\n"
"    mov     r1, r4\n"
"    bl      sub_fc1d46da_my\n" // ->
"    ldr     pc, 0xfc1d6a24\n"  // + back to rom
".ltorg\n"
    );
}

*

Offline reyalp

Re: chdk in the DIGIC6 world
« Reply #137 on: 24 / March / 2018, 18:11:13 »
LDR must use =0x... for the constant
Don't forget what the H stands for.


*

Offline srsa_4c

Re: chdk in the DIGIC6 world
« Reply #138 on: 24 / March / 2018, 18:12:14 »
> thanks for the updated patch.  Almost done for the SX60HS / 100f but I have an assembler problem
> I think the offending line is the back to ROM line

Yes. First, it should most likely be an odd address if you're doing ldr pc (since most parts of firmware are thumb). Second, you forgot the = in the same instruction. So it should look like
Code: [Select]
ldr pc, =0xfc1d6a25
but I did not check if that address is correct.

The implicit declaration is probably caused by using the old define (from the v1 patch) in platform_camera.h.

*

Offline srsa_4c

Re: chdk in the DIGIC6 world
« Reply #139 on: 24 / March / 2018, 19:07:16 »
Some sx60 100f hints.
Time limit and bitrate hooks go right after loc_FC1D4DF6, the register for set_movie_time_limit is r7.
The start of cocoa struct can be found in the cocoa task disasm, 0xFC66755C. The end of that struct and the offset of APENDSTRM can be found using a hex editor (an eventproc table follows that struct).
The address in sub_fc1d6a02_my at the end (ldr pc) is 0xFC1D6A29 (address of the next instruction in ROM plus the thumb bit).
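
The three points raised in replies #137 to #139 (the `=` prefix, the Thumb bit, and the target being the next ROM instruction) can be checked mechanically. The following Python is an added example, not CHDK code; `check_back_to_rom` and its parameter names are hypothetical, and `FINAL` is a constructed line combining the posted instruction with the address from reply #139.

```python
import re

# Matches the operand of an 'ldr pc, ...' line inside a C inline-asm string.
LDR_PC = re.compile(r"\bldr\s+pc\s*,\s*(=?)\s*(0x[0-9a-f]+)", re.IGNORECASE)

def check_back_to_rom(asm_line, next_rom_insn):
    """List the problems in one return-to-ROM line.

    next_rom_insn is the address of the first ROM instruction that was not
    copied into the patched function (hypothetical parameter name).
    """
    m = LDR_PC.search(asm_line)
    if m is None:
        return ["no 'ldr pc, <constant>' found"]
    problems = []
    if not m.group(1):
        # Without '=', the assembler reads the number as an address to load from.
        problems.append("missing '=' before the constant")
    target = int(m.group(2), 16)
    if target & 1 == 0:
        # ldr pc interworks: bit 0 clear would enter the target in ARM state.
        problems.append("Thumb bit (bit 0) not set")
    expected = next_rom_insn | 1
    if target | 1 != expected:
        problems.append("target is not the next ROM instruction (0x%08x)" % expected)
    return problems

# The variants that appear in the thread, checked against the address given in
# reply #139 (0xFC1D6A29, so the next ROM instruction is at 0xFC1D6A28).
NEXT_INSN = 0xFC1D6A28
POSTED = '"    ldr     pc, 0xfc1d6a24\\n"  // + back to rom'
SUGGESTED = "ldr pc, =0xfc1d6a25"
FINAL = '"    ldr     pc, =0xFC1D6A29\\n"'   # constructed from reply #139

if __name__ == "__main__":
    for line in (POSTED, SUGGESTED, FINAL):
        print(line, "->", check_back_to_rom(line, NEXT_INSN) or "ok")
```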

 
