supplierdeeply

IXUS160/ELPH160 Porting attempt

  • 497 Replies
  • 110506 Views
*

Offline adong

  • **
  • 66
Re: IXUS160/ELPH160 Porting attempt
« Reply #40 on: 23 / May / 2015, 09:48:20 »
Advertisements
After testing PROPCASE_SHOOTING, I think its value is correct: 0 when not shooting, 1 when half press / shooting / saving to sd card.

None of the hooks seem to work so I think my code_gen code is not complete yet.
It was made by comparing with ixus140 and a2500 but there are small differences which could lead to the generated code not to work.

*

Offline srsa_4c

  • ******
  • 3728
Re: IXUS160/ELPH160 Porting attempt
« Reply #41 on: 23 / May / 2015, 11:31:57 »
After testing PROPCASE_SHOOTING, I think its value is correct: 0 when not shooting, 1 when half press / shooting / saving to sd card.
It's probably OK then.
Quote
None of the hooks seem to work so I think my code_gen code is not complete yet.
I see it now. CreateTask is located in ROM (and therefore can't be patched with conventional methods). Its lower level function (sub_6B15A4) will need to be patched instead which is still in RAM. I'll get back to this later.

edit:
candidate patch attached
« Last Edit: 23 / May / 2015, 15:37:03 by srsa_4c »

*

Offline adong

  • **
  • 66
Re: IXUS160/ELPH160 Porting attempt
« Reply #42 on: 23 / May / 2015, 16:28:42 »
Sadly it crashes after taking a shot. Attached the romlog.

Tested shooting over PTP and physically: both crash at the same time, which is as soon as the shot ends and it shows "busy" for writing the data.

It does go further as the RAW folder gets created.

Maybe the raw address hook is wrong, I will test again without it.

Edit:
RAW hook is wrong, that's why it crashed.

Now it still takes two shots, but overrides works (I tried 10 sec tv and it worked)
« Last Edit: 23 / May / 2015, 16:37:07 by adong »

*

Offline srsa_4c

  • ******
  • 3728
Re: IXUS160/ELPH160 Porting attempt
« Reply #43 on: 23 / May / 2015, 19:06:58 »
The hook(s) might be fine.
The crash happens inside GetImageFolder(). Note that GetImageFolder() only has 3 arguments in this firmware, so please remove the fourth one when you call it in get_target_dir_name().
time()'s correct address is 0xffa1b39c (it's referenced in the SetDate_FW function). Since GetImageFolder() has apparently changed somewhat, its arguments / return value may not be what's expected.
_log10 can be found with help of the CalcLog10 firmware function (and you guessed its address right). The temperature functions are found correctly by the sigfinder.


*

Offline adong

  • **
  • 66
Re: IXUS160/ELPH160 Porting attempt
« Reply #44 on: 24 / May / 2015, 07:12:49 »
Back with more testing:

With only 3 parameters it still crashed.
Looking at the asm and comparing to the ixus140, while the beginning of the function looks the same, the codepath to the sprintf is quite different.

For now I replaced the _GetImageFolder with some C code to test if it worked.

RAW + DNG:
The DNG gets written, size about 24MB, but I can't seem to open it in my image viewer (I think it can open dng files fine, may have to test that). I quickly downloaded Able RAWer and i gave me floating point division by zero error or something like that.

First few bytes as I don't know if there's a magic header for dng:

Code: [Select]
49492A00080000002200FE0004
At the beginning there is also a string:
Code: [Select]
02215252CanonCanon IXUS 160CHDK ver. 1.3.0-3002015:05:24 12:54:43Canon IXUS [email protected]:05:24 12:54:43
Apart from this, when I enable RAW saving, the jpg image has weird colors in some places (purple shade)

RAW (without DNG):
Saves JPG correctly (no color issue), didn't try to open it as i don't have converter software.


No RAW:
shoot works correctly (1 time), as well as remote shoot.
« Last Edit: 24 / May / 2015, 07:22:11 by adong »

*

Offline srsa_4c

  • ******
  • 3728
Re: IXUS160/ELPH160 Porting attempt
« Reply #45 on: 24 / May / 2015, 07:36:14 »
Back with more testing:

With only 3 parameters it still crashed.
Looking at the asm and comparing to the ixus140, while the beginning of the function looks the same, the codepath to the sprintf is quite different.
Problem is, (the function we call) GetImageFolder is unreferenced in the firmware, so guessing its arguments is not so easy.

Quote
The DNG gets written, size about 24MB, but I can't seem to open it in my image viewer (I think it can open dng files fine, may have to test that). I quickly downloaded Able RAWer and i gave me floating point division by zero error or something like that.
Did you fix time()? If yes, perhaps one or more stubs could be wrong (i.e. incorrectly found by the sigfinder).
Quote
Apart from this, when I enable RAW saving, the jpg image has weird colors in some places (purple shade)
The raw hook is placed too 'late', the firmware has already started image processing prior that point. It could also be that hooking raw in capt_seq is no longer possible (like on the sx170).

Quote
RAW (without DNG):
Saves JPG correctly (no color issue), didn't try to open it as i don't have converter software.
You can experiment with http://chdk.wikia.com/wiki/DNG4PS-2 or upload a sample.

*

Offline adong

  • **
  • 66
Re: IXUS160/ELPH160 Porting attempt
« Reply #46 on: 24 / May / 2015, 09:28:13 »
Is there any way to create a buffer in chdkptp ? My understanding is that the first argument is a char* that the function fills, the others are enough information to make the directory unique (per month).
I could try different values and try to call it using call_func_ptr instead of recompiling firmwares everytime.

I did fix time() to the address you gave me.

I will try to put the hook earlier.

Edit: multiple tries to put it earlier, it either does not work anymore (2 shots) or it doesn't save at all, the way it is now is the earliest i can put it (unless there is another way I haven't explored)
« Last Edit: 24 / May / 2015, 10:28:41 by adong »

*

Offline srsa_4c

  • ******
  • 3728
Re: IXUS160/ELPH160 Porting attempt
« Reply #47 on: 24 / May / 2015, 10:29:35 »
Is there any way to create a buffer in chdkptp ? My understanding is that the first argument is a char* that the function fills, the others are enough information to make the directory unique (per month).
I could try different values and try to call it using call_func_ptr instead of recompiling firmwares everytime.
You can call fw functions (such as malloc) with call_func_ptr().
You can also use 0x1000 bytes starting at 0x40000000 without allocation (this can cause trouble if the function you're calling ignores the caching bit of the address). If you're not using 'ARAM', you can also use this area without allocating it:
Quote
//   ARAM_HEAP_START = 0x60e000  // Found @ 0xff9a53d0
//   ARAM_HEAP_SIZE  = 0x22000   // Found @ 0xff9a5390

Quote
I did fix time() to the address you gave me.
That means the cause of DNG header corruption is yet to be found...

edit:
Edit: multiple tries to put it earlier, it either does not work anymore (2 shots) or it doesn't save at all, the way it is now is the earliest i can put it (unless there is another way I haven't explored)
You may have to take a look at the sx170 code and hook DvlpSeqTask instead.
« Last Edit: 24 / May / 2015, 10:35:04 by srsa_4c »


*

Offline adong

  • **
  • 66
Re: IXUS160/ELPH160 Porting attempt
« Reply #48 on: 24 / May / 2015, 13:38:30 »
Tried different ways to call GetImageFolder, always crashes the camera. I kept the C way for now.

Looked at the sx170 code, tried to port it, but camera does not even boot, romlog gives a crash at expdrv task.

*

Offline srsa_4c

  • ******
  • 3728
Re: IXUS160/ELPH160 Porting attempt
« Reply #49 on: 24 / May / 2015, 13:57:17 »
Quote
Looked at the sx170 code, tried to port it, but camera does not even boot, romlog gives a crash at expdrv task.
You only need the dvlpseq related part from that, along with a boot.c modification to replace the original dvlpseq task. The only hook that needs to be relocated is the raw hook.

 

Related Topics