chdk in the DIGIC6 world - page 17 - General Discussion and Assistance - CHDK Forum

chdk in the DIGIC6 world

  • 182 Replies
  • 98812 Views
*

Offline srsa_4c

  • ******
  • 4229
Re: DIGIC 4
« Reply #160 on: 17 / June / 2019, 19:12:23 »
It seems to have a data(?) RAM area above 0xc0270000, length 0x2000. There is 'life' in it around offset 0x1900 (on ixus150), bytes are changing. There is no Xtensa code there.
GetISFirmVersion gets its data from reading around 0xc0271900...
Quote
It's also possible that this MechaCPU is not Xtensa, it's just fed from the same ROM blob that has Xtensa code.
Wrong. Xtensa firmware is copied to RAM (from 0x60e000, size 0x80d8 bytes), in task_MechaCPUTransfer.

*

Offline srsa_4c

  • ******
  • 4229
CHDK in the DIGIC7 world
« Reply #161 on: 07 / November / 2019, 18:56:43 »
That splash screen is the only sign of life at the moment. Will post more later.

Re: CHDK in the DIGIC7 world
« Reply #162 on: 08 / November / 2019, 07:37:49 »
That splash screen is the only sign of life at the moment. Will post more later.

Do you have an M100?
M100 100a, M3 101a, 2*G1x (101a,100e), S110 (103a), SX50 (100c), SX230 (101a), S45,
Flickr https://www.flickr.com/photos/136329431@N06/albums
YouTube https://www.youtube.com/channel/UCrTH0tHy9OYTVDzWIvXEMlw/videos?shelf_id=0&view=0&sort=dd

*

Offline srsa_4c

  • ******
  • 4229
Re: CHDK in the DIGIC7 world
« Reply #163 on: 08 / November / 2019, 13:30:12 »
Do you have an M100?
Yes, I took that photo.

For those who might be interested, I'm attaching the current state of the port. A bare minimum is implemented to allow using the GUI. The rest is mostly a copy of the g7x2 source. I'll open a porting thread when the port reaches a point in usability.
I have already seen a few cases of null pointer anomalies, thanks to the unusual memory map (the first 0x1000 bytes are unmapped and any access there causes an exception).


*

Offline reyalp

  • ******
  • 12589
Re: chdk in the DIGIC6 world
« Reply #164 on: 08 / November / 2019, 15:35:22 »
Nice work  :D

I had been thinking about picking one up for D7 development since they are cheap on canon refurb, but figured I'd wait to see what comes up on black friday.
Don't forget what the H stands for.

Re: chdk in the DIGIC6 world
« Reply #165 on: 08 / November / 2019, 16:28:46 »
Nice work  :D
I can only agree
I had been thinking about picking one up for D7 development since they are cheap on canon refurb, but figured I'd wait to see what comes up on black friday.
I have paid 210€ for a new M100 plus 15-45. It was sold for a long time for 222€. I would see what black Friday brings… 
M100 100a, M3 101a, 2*G1x (101a,100e), S110 (103a), SX50 (100c), SX230 (101a), S45,
Flickr https://www.flickr.com/photos/136329431@N06/albums
YouTube https://www.youtube.com/channel/UCrTH0tHy9OYTVDzWIvXEMlw/videos?shelf_id=0&view=0&sort=dd

*

Offline philmoz

  • *****
  • 3156
    • Photos
Re: CHDK in the DIGIC7 world
« Reply #166 on: 08 / November / 2019, 17:03:04 »
For those who might be interested, I'm attaching the current state of the port. A bare minimum is implemented to allow using the GUI. The rest is mostly a copy of the g7x2 source. I'll open a porting thread when the port reaches a point in usability.


Have you solved the D7 startup issues?
Would this be usable for the G7X2?


Phil.

CHDK ports:
  sx30is (1.00c, 1.00h, 1.00l, 1.00n & 1.00p)
  g12 (1.00c, 1.00e, 1.00f & 1.00g)
  sx130is (1.01d & 1.01f)
  ixus310hs (1.00a & 1.01a)
  sx40hs (1.00d, 1.00g & 1.00i)
  g1x (1.00e, 1.00f & 1.00g)
  g5x (1.00c, 1.01a, 1.01b)

*

Offline srsa_4c

  • ******
  • 4229
Re: CHDK in the DIGIC7 world
« Reply #167 on: 08 / November / 2019, 17:17:11 »
Have you solved the D7 startup issues?
I think so, the camera seems stable. It's possible to do it worse (where it seems to work, but unexpected things happen), I was hunting non-existing bugs for weeks...
Quote
Would this be usable for the G7X2?
That was my reason for publishing at this stage.


*

Offline reyalp

  • ******
  • 12589
Re: chdk in the DIGIC6 world
« Reply #168 on: 06 / December / 2019, 17:12:36 »
I added some information about Omar to the wiki https://chdk.fandom.com/wiki/Digic_6_Porting

I ended up re-discovering much of what srsa_4c wrote way back on https://chdk.setepontos.com/index.php?topic=11316.msg119473#msg119473 because SX730 puts the Omar firmware in the main firmware data area *before* the ctypes for the main firmware. This causes the sig finder to pick up the Omar ctypes, and also breaks my assumption that the main firmware code ends around ctypes. I'm working on updating finsig_thumb2 to deal with this now.

Some additional notes:
Omar is initialized from a very simple table in ROM, which looks like (sx710 101a)
Code:
0xdff00000 - target address for Omar TCM (mapped to 0 in Omar address space)
0xfc56bef0 - source address for Omar TCM code
0x00000ed0 - length of Omar TCM data
0x40700000 - uncached target address for Omar main code (Omar sees it as 0x700000)
0xfc56cdc0 - source address for Omar main code
0x0004f1c4 - length of Omar code
This is used by a function fc53a0b4 which is called via fc055ff0 from task_Startup.
Since all the code is in RAM, and it's initialized from a task we already control, running custom code on Omar should be quite easy. Not sure what we'd do with it, but it would be interesting to run cpuinfo at least.

You can load the Omar code in Ghidra easily, just using the offsets from the table described above and loading one chunk as an additional file. armv7le seems to do an adequate job.

Edit:
Another note: SX730 contains 3 *different* DryOS versions:
Omar and Marius are "DRYOS version 2.3, release #0059+p4"
Zico appears to be "DRYOS version 2.3, release #0058+p8"
and "DRYOS version 2.3, release #0059+p3" is also present.
This also has the potential to confuse the sig finder.
« Last Edit: 06 / December / 2019, 17:29:16 by reyalp »
Don't forget what the H stands for.
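
Added example, not part of the post above and not CHDK code: a Python sketch that decodes the six-word Omar init table from a ROM dump and splits out the two chunks with the load addresses Omar sees, ready to import into Ghidra. The ROM base 0xFC000000, little-endian words, the table offset 0x1000 and all function names are assumptions; the sample ROM is constructed filler carrying the sx710 101a table values quoted in the post.

```python
import struct
from typing import NamedTuple

ROM_BASE = 0xFC000000      # assumption: address at which the ROM dump starts
UNCACHED_BIT = 0x40000000  # main CPU's uncached alias bit, per the table notes

class Chunk(NamedTuple):
    name: str
    target: int   # where the main CPU copies the chunk
    source: int   # where the chunk sits in ROM
    length: int

def parse_omar_table(rom, table_off, rom_base=ROM_BASE):
    """Decode six 32-bit little-endian words and bounds-check both sources."""
    words = struct.unpack_from("<6I", rom, table_off)
    chunks = [Chunk("omar_tcm", *words[:3]), Chunk("omar_main", *words[3:])]
    for c in chunks:
        off = c.source - rom_base
        if off < 0 or c.length == 0 or off + c.length > len(rom):
            raise ValueError(f"{c.name}: source range is outside the dump")
    return chunks

def chunk_bytes(rom, chunk, rom_base=ROM_BASE):
    """Slice one chunk out of the dump."""
    off = chunk.source - rom_base
    return bytes(rom[off:off + chunk.length])

def omar_address(chunk):
    """Load address as Omar sees it: TCM at 0, main code without uncached bit."""
    return 0 if chunk.name == "omar_tcm" else chunk.target & ~UNCACHED_BIT

def build_sample_rom(table_off=0x1000):
    """Constructed stand-in for a dump; table_off is a hypothetical location."""
    rom = bytearray(0x600000)
    words = (0xDFF00000, 0xFC56BEF0, 0x0ED0, 0x40700000, 0xFC56CDC0, 0x4F1C4)
    struct.pack_into("<6I", rom, table_off, *words)
    rom[0x56BEF0:0x56BEF0 + 0xED0] = b"\xAA" * 0xED0      # filler, not real code
    rom[0x56CDC0:0x56CDC0 + 0x4F1C4] = b"\xBB" * 0x4F1C4  # filler, not real code
    return bytes(rom)

if __name__ == "__main__":
    rom = build_sample_rom()
    for c in parse_omar_table(rom, 0x1000):
        with open(f"{c.name}.bin", "wb") as f:  # one file per chunk for Ghidra
            f.write(chunk_bytes(rom, c))
        print(f"{c.name}.bin: load at {omar_address(c):#x}, {c.length:#x} bytes")
```

With the quoted values the TCM source ends exactly where the main code source begins (0xfc56bef0 + 0xed0 = 0xfc56cdc0), so the two chunks are contiguous in ROM.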

*

Offline srsa_4c

  • ******
  • 4229
Re: chdk in the DIGIC6 world
« Reply #169 on: 07 / December / 2019, 14:15:08 »
"DRYOS version 2.3, release #0059+p3" is also present.
Interesting. That belongs to a blob that appears to be an alternative firmware for the main core. It starts at 0xfd260000. It has several references, one from ExecuteInitFactorySetting_FW. Also present in M100.

 
