IXUS 510 HS/ELPH 530 HS porting attempt

makomk

IXUS 510 HS/ELPH 530 HS porting attempt

« on: 01 / August / 2015, 16:25:48 »

Advertisements

I've started trying to write a chdk port for the IXUS 510 HS, based on the existing IXUS 240 HS port in the tree. (Firmware dump is here). So far I've managed to get it to boot as far as the CHDK version message before the camera switches off. Note that I have literally never done any CHDK development before now, so I really don't know what I'm doing and any help is very much welcome!

In particular, I'm not sure how to find the correct address for touch_screen_active or why CHDK is currently crashing, and there are probably still things that need changing that I've missed. (The author of the 240 HS port very helpfully documented where most of the other addresses came from - thank you for that, it's what made it possible to even get as far as I did.)

ixus510-wip.zip (84.62 kB - downloaded 69 times.)

« Last Edit: 01 / August / 2015, 16:28:37 by makomk »

Logged

reyalp

11514

Re: IXUS 510 HS/ELPH 530 HS porting attempt

« Reply #1 on: 01 / August / 2015, 17:12:41 »

Very good progress

touch_screen_active seems to come from the TouchPanel task. On ixus240 101a, one of the global structs related to this task is 0x2B60 (FF06A038). touch_screen_active is offset 0x28 in this struct.

In your ixus510 dump, the corresponding struct is 0x3B18 (at FF06CE30). You could find the code in ixus240 that refers to the 0x28 offset and look for the corresponding code in ixus510, but I'd start by just guessing the offset hasn't changed, and see if it has the same behavior described for ixus240.

I try to write addresses for things like this as (0x2B60+0x28) because you can search the disassembly for the struct address.

Beware that there's a lot of copy/pasted code in CHDK ports, so those "helpful" comments may sometimes refer to a completely different camera. Also, the ixus240 port has some unresolved issues (see http://chdk.setepontos.com/index.php?topic=9005.msg122292#msg122292)

Logged

Don't forget what the H stands for.

makomk

Re: IXUS 510 HS/ELPH 530 HS porting attempt

« Reply #2 on: 02 / August / 2015, 04:38:03 »

Fortunately, the comments seemed to match up with the firmware dump from the 240 HS, and I've updated them for the 510 when I remembered to. Unfortunately, I can't actually get the thing to boot CHDK or figure out why. Even with code_gen.txt modified to disable everything, I still get the exact same boot failure. (Note that I'm using the "firmware update" method because this is a MicroSD camera and I'm not sure how to get diskboot working or even if it's possible.)

Code: [Select]

//-------------------------- BOOT.C ---------------------------------------------------------------
FILE boot.c

>>> file=../boot_hdr.c

//////////////////////////////////////////////////////////////
// boot
//////////////////////////////////////////////////////////////
FUNC start=0xFF00000C name=boot length=95
ASM
FW $-1
FW // PATCHSUB ref=0
ENDASM
ENDFUNC

Code: [Select]

ASSERT!! StartupEeko.c Line 84
Occured Time  2015:08:02 09:26:38
Task ID: 22020146
Task name: CommonDriver0
SP: 0x00560218
StackDump:
0x00000000
0xFF3F2B80
0x00000054
0x00000009
0xFF3F2B80
0x00000054
0x19980218
0x19980218
0x19980218
0x19980218
0x19980218
0x0068AEE4
0x000076FC
0x19980218
0x19980218
0xFF3F2B30
0x000076FC
0xFF17D3E8
0x00003B18
0xFF06D16C
0x00000000
0x00000002
0x00000000
0x00000001
0x00000001
0x00000001
0x00000000
0x00000000
0x00000000
0x00000000
0x00540280
0xFF0C3C50
0x00540280
0x0068738C
0x19980218
0x19980218
0x00001008
ShootConDump:
0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 
CameraConDump:
07 0f 0f 0f 0f 0f 0f 0f 0f 0f 
00000120: *** Camera Log Start ***
00000130: UI:_BeforeCBRForPlay
00000140: UI:_AfterCBRForPlay
00000140: UI:DSIC:55,0
00000140: UI:LogicalEvent:0x5003:adr:0,Para:0
00000140: UI:LogicalEvent:0x1165:adr:0,Para:0
00000140: UI:_SImage
00000140: UI:SetPanelBrightnessToLcdController
00000140: UI:SetDisplayType
00000140: UI:TurnOnDisplayForStartup
00000140: UI:LogicalEvent:0x5007:adr:0,Para:0
00000180: SS:S-Imag
00000180: SS:SoundComp
00000180: UI:VideoDrv_InitializeUiEDmacLib
00000180: UI:Initialized WindowSystem.
00000180: UI:ScreenLock
00000180: UI:ScreenUnLock
00000180: UI:LogicalEvent:0x300a:adr:0,Para:0
00000180: UI:CECConnectCnt
00000190: UI:HDMIConnectCnt
00000190: UI:PB.Create
00000200: UI:LogicalEvent:0x301c:adr:0,Para:0
00000220: UI:ScreenLock
00000220: UI:ScreenUnLock
00000220: UI:DispSwCon_TurnOnBackLight
00000220: UI:TurnOnBackLight
00000230: UI:PB.CreateE
00000230: UI:DisplayPhysicalScreenCBR
00000230: UI:DSIC:f1,0
00000230: UI:DisplayPhysicalScreenCBR
00000300: UI:MuteOffPhysicalScreen
00000300: UI:LogicalEvent:0x3138:adr:0,Para:0
00000360: UI:LogicalEvent:0x5006:adr:0,Para:0

Logged

waterwingz

11578

Re: IXUS 510 HS/ELPH 530 HS porting attempt

« Reply #3 on: 02 / August / 2015, 08:48:41 »

Quote from: makomk on 02 / August / 2015, 04:38:03

Even with code_gen.txt modified to disable everything, I still get the exact same boot failure.

One common method from here is to insert a bit of code to blink an LED at various points in the boot process (boot.c and main.c) to detect how far things get. Information on that is here : Debugging : LEDs

Quote

Note that I'm using the "firmware update" method because this is a MicroSD camera and I'm not sure how to get diskboot working or even if it's possible.

The Powershot N uses microSD cards as well. I've found that by inserting the card into the slot in the camera AND leaving the cover door for the slot open, the camera would autoboot CHDK.

« Last Edit: 02 / August / 2015, 08:52:59 by waterwingz »

Logged

Ported : A1200 SD940 G10 Powershot N G16

makomk

Re: IXUS 510 HS/ELPH 530 HS porting attempt

« Reply #4 on: 02 / August / 2015, 14:01:39 »

To be honest, I've no idea where I'd want to check is being reached right now, sorry. The CHDK version message is showing up, which I think means the spy task has been created successfully and signalled to start running. Also, I can't manage to blink an LED anyway for whatever reason. (People seem to have had issues controlling LEDs on the IXUS 240 and this may be the same, plus the Canon firmware seems to blink the power LED itself during startup.)

Oh, and I don't seem to be able to get autoboot working usefully either. If it does work the same way as the Facebook N, it presumably needs an override for the SD card switch which isn't currently there. On the positive side, if I introduce an infinite loop early in the boot sequence and try and turn the camera on with the SD door open, the screen doesn't turn on and I have to pull the battery, so presumably autoboot does work the same way as on the 510 HD.

Logged

waterwingz

11578

Re: IXUS 510 HS/ELPH 530 HS porting attempt

« Reply #5 on: 02 / August / 2015, 14:47:41 »

Quote from: makomk on 02 / August / 2015, 14:01:39

To be honest, I've no idea where I'd want to check is being reached right now, sorry. The CHDK version message is showing up, which I think means the spy task has been created successfully and signalled to start running. Also, I can't manage to blink an LED anyway for whatever reason. (People seem to have had issues controlling LEDs on the IXUS 240 and this may be the same, plus the Canon firmware seems to blink the power LED itself during startup.)

LED blinking on recent cameras is more complicated than previous ones. srsa_4c is pretty good a figuring it out - I expect he will comment at some point.

Alternatively, you may be far enough along to simple print to the screen. There is some commented out code at the bottom of the spy_task code in main.c that shows how to do this.

Quote

Oh, and I don't seem to be able to get autoboot working usefully either. If it does work the same way as the Facebook N, it presumably needs an override for the SD card switch which isn't currently there. On the positive side, if I introduce an infinite loop early in the boot sequence and try and turn the camera on with the SD door open, the screen doesn't turn on and I have to pull the battery, so presumably autoboot does work the same way as on the 510 HD.

An override for the SD card door cover switch won't help anything as the switch is checked immediately on camera power on - before any CHDK code loads. If the switch shows the door open, it checks for the boot string in the boot block and loads diskboot.bin if it's found.

Logged

Ported : A1200 SD940 G10 Powershot N G16

srsa_4c

3695

Re: IXUS 510 HS/ELPH 530 HS porting attempt

« Reply #6 on: 02 / August / 2015, 16:55:32 »

Quote from: makomk on 02 / August / 2015, 14:01:39

Also, I can't manage to blink an LED anyway for whatever reason. (People seem to have had issues controlling LEDs on the IXUS 240 and this may be the same, plus the Canon firmware seems to blink the power LED itself during startup.)

The camera probably has another LED you could control (the AF LED), see potential MMIO addresses in stubs_entry.S.

Code: [Select]

// LED table init @ 0xff17ad1c
// LED #1: 0xc022c0f0 (#17 in GPIO table), offset 0x104
// LED #2: 0xc022c0d0 (#9 in GPIO table), offset 0x204
// LED #3: 0xc022c0cc (#8 in GPIO table), offset 0x4
// GPIO table @ 0xff5ba3f8

The LED routines (in task_LEDCon) use the 0x83dc00 and 0x93d800 magic values to turn the LEDs off/on. See lib.c in the ixus255 port for an example.
The issue with LEDs on the ixus320 is that no developers had access to the camera - it was a blind port.

Logged

Menu jumping/flickering on M10?

makomk

Re: IXUS 510 HS/ELPH 530 HS porting attempt

« Reply #7 on: 02 / August / 2015, 17:27:30 »

Thanks, that explains why the LEDs wouldn't turn on before - was writing the wrong magic values. 0xc022c0f0 is the autofocus LED and 0xc022c0d0 the WiFi LED. This also helped me confirm that turning the camera on with the SD card cover open does indeed cause it to autoboot CHDK - it's just that it switches off again without ever turning the screen, I guess because the SD card cover is open. Still have no idea why it's crashing though.

Also, so long as I launch CHDK with firmware upgrade mode, I do indeed get far enough into the boot to write to the screen.

« Last Edit: 02 / August / 2015, 17:33:49 by makomk »

Logged

srsa_4c

3695

Re: IXUS 510 HS/ELPH 530 HS porting attempt

« Reply #8 on: 02 / August / 2015, 17:47:20 »

About the crashes:
I did not finish reviewing your source, ~~but I found stuff that shouldn't be there~~:
boot.c

Code: [Select]

    *(int*)0x1938=(int)taskHook;
    *(int*)0x193C=(int)taskHook;

~~This kind of task hook is no longer usable in recent cameras; you're corrupting memory.~~

Some of the needed firmware variables in stubs_min.S are written by CHDK. If the address is wrong (they might be OK, didn't check), you're corrupting memory.

edit:
Hmmm, I was wrong, this DryOS version still supports the old hooking method.

« Last Edit: 02 / August / 2015, 17:51:55 by srsa_4c »

Logged

Menu jumping/flickering on M10?

srsa_4c

3695

Re: IXUS 510 HS/ELPH 530 HS porting attempt

« Reply #9 on: 03 / August / 2015, 15:09:56 »

About the diskboot failure:
Try checking whether you get into this trap while booting up:
"loc_FF00D0B0:\n" " B loc_FF00D0B0 \n"
My guess is that you do. One of the conditions needed by startup is that either the playback or the ON/OFF button needs to be pressed. Those button states are most likely GPIO #0x48 and #0x49 in sub_FF00D050. If you follow sub_ff03b1f0, you'll get the GPIO address and bitmask:
for 0x48:
ff5ba7c4: c022f48c ff5ba7c8: 00100000 for 0x49: ff5ba7cc: c022f48c ff5ba7d0: 00200000
Use one of these in this line of boot.c:
*(int*)(0x285C) = (*(int*)0xC022C30C)&1 ? 0x200000 : 0x100000; // FIXME

Logged

Menu jumping/flickering on M10?