G3 X 1.00C FW Dump - page 3 - Firmware Dumping - CHDK Forum

G3 X 1.00C FW Dump

  • 24 Replies
  • 21654 Views
Re: G3 X 1.00C FW Dump
« Reply #20 on: 11 / May / 2020, 18:43:51 »
Advertisements
If anyone wants to play with this as-is, here are DISKBOOT.BIN and PS.FI2 for firmware 1.10E (as well as the patch so far).
Only the ~minimum of task hooks is implemented so far:
task_PhySw (Keyboard)
task_InitFileModules (Signal that CHDK can start)
task_FileWrite (PTP remote file write)
task_TricInitTask (FI2 boot workaround)

Re: G3 X 1.00C FW Dump
« Reply #21 on: 12 / May / 2020, 14:06:30 »
So 1.20A and 1.10E are basically identical as far as main firmware stub addresses are concerned.
Code: [Select]
--- platform/g3x/sub/110e/stubs_entry.S 2020-05-12 09:52:34.549894406 +0200
+++ platform/g3x/sub/120a/stubs_entry.S 2020-05-12 19:57:29.668140755 +0200
@@ -4,7 +4,7 @@
 // Camera info:
 //   Main firmware start: 0xfc020000
 //   DRYOS R57 (DRYOS version 2.3, release #0057) @ 0xfc616ec8 ref @ 0xfc0359c8
-//   Firmware Ver GM1.10E   // Found @ 0xfc54e0a8, "GM1.10E" @ 0xfc54e0b5
+//   Firmware Ver GM1.20A   // Found @ 0xfc54e0a8, "GM1.20A" @ 0xfc54e0b5
 
 // Values for makefile.inc
 //   PLATFORMOSVER = 57

The release notes say:
> Support for the "image.canon" cloud platform has been added.

AFAICS all that changed is that a certificate was exchanged for a newer one  :haha

Code: [Select]
--- 110e/PRIMARY.HEX>---2020-05-12 20:00:14.633419004 +0200
+++ 120a/PRIMARY.HEX>---2020-05-12 20:00:22.633674965 +0200
@@ -97868,7 +97868,7 @@
 0x0017e4b0: 4a 42 48 4c 70 52 39 6b - 69 70 38 55 45 62 59 4d JBHLpR9kip8UEbYM
 0x0017e4c0: 6b 32 74 55 4a 6f 38 58 - 54 6f 00 00 6c 0a 01 00 k2tUJo8XTo..l...
 0x0017e4d0: 30 30 31 00 43 61 6e 6f - 6e 20 49 6e 63 2e 00 00 001.Canon Inc...
-0x0017e4e0: 31 2e 31 30 00 00 00 00 - 25 30 38 58 00 00 00 00 1.10....%08X....
+0x0017e4e0: 31 2e 32 30 00 00 00 00 - 25 30 38 58 00 00 00 00 1.20....%08X....
 0x0017e4f0: 25 30 38 58 25 30 38 58 - 25 30 38 58 25 30 38 58 %08X%08X%08X%08X
 0x0017e500: 00 00 00 00 25 30 32 78 - 3a 25 30 32 78 3a 25 30 ....%02x:%02x:%0
 0x0017e510: 32 78 3a 25 30 32 78 3a - 25 30 32 78 3a 25 30 32 2x:%02x:%02x:%02
@@ -147069,7 +147069,7 @@
 0x0023e7c0: 0d 98 0f c8 0f c4 03 ac - 0c 98 0a a3 07 aa 07 a9 ................
 0x0023e7d0: 0f c4 09 a9 28 46 0e c9 - 8d e8 0e 00 05 a3 07 aa ....(F..........
 0x0023e7e0: 06 a1 44 f1 b1 fa 0f b0 - 30 bd 00 00 44 43 25 30 ..Dñ±...0...DC%0
-0x0023e7f0: 34 58 00 00 31 2e 31 30 - 00 00 00 00 25 73 2f 25 4X..1.10....%s/%
+0x0023e7f0: 34 58 00 00 31 2e 32 30 - 00 00 00 00 25 73 2f 25 4X..1.20....%s/%
 0x0023e800: 73 28 43 41 4e 4f 4e 3b - 25 30 38 58 25 30 38 58 s(CANON;%08X%08X
 0x0023e810: 25 30 38 58 25 30 38 58 - 3b 25 73 3b 25 73 3b 25 %08X%08X;%s;%s;%
 0x0023e820: 73 29 00 00 30 b5 ac 4b - 05 24 00 22 53 f8 32 50 s)..0µ¬K.$."S.2P
@@ -152874,7 +152874,7 @@
 0x00255290: 00 e0 21 46 88 42 01 d1 - 00 26 0e e0 0a f1 98 fb ..!F.B...&......
 0x002552a0: 39 5d 89 07 00 d5 2c 46 - a0 42 01 d1 01 26 04 e0 9]....,F.B...&..
 0x002552b0: 50 22 00 20 06 a1 c6 f0 - b2 ee 30 46 bd e8 f0 81 P". .¡Æð².0F½è..
-0x002552c0: 47 4d 31 2e 31 30 45 00 - 47 4d 00 00 50 41 00 00 GM1.10E.GM..PA..
+0x002552c0: 47 4d 31 2e 32 30 41 00 - 47 4d 00 00 50 41 00 00 GM1.20A.GM..PA..
 0x002552d0: 46 69 6c 65 46 6f 72 6d - 61 74 4c 69 62 72 61 72 FileFormatLibrar
 0x002552e0: 79 2e 63 00 7c 6f 61 fc - 09 68 40 22 00 68 cb f1 y.c.|oa..h@".hËñ
 0x002552f0: 66 bb 2d e9 f0 41 0d 46 - 07 46 60 21 28 46 c6 f0 f.-éðA.F.F`!(FÆð
@@ -347653,11 +347653,11 @@
 0x0054e040: a4 e7 2e 48 00 68 70 47 - 03 46 00 20 02 46 10 b5 ¤ç.H.hpG.F. .F..
 0x0054e050: 03 e0 13 f8 01 4b 52 1c - 20 44 8a 42 f9 d3 10 bd .....KR. D.BùÓ..
 0x0054e060: 49 e0 54 fc 52 6f 6d 43 - 68 65 63 6b 53 75 6d 00 I.T.RomCheckSum.
-0x0054e070: 4e 6f 76 20 32 37 20 32 - 30 31 37 00 25 73 0a 00 Nov 27 2017.%s..
-0x0054e080: 32 31 3a 34 38 3a 30 34 - 00 00 00 00 46 69 72 6d 21:48:04....Firm
-0x0054e090: 77 61 72 65 20 56 65 72 - 73 69 6f 6e 20 31 2e 31 ware Version 1.1
+0x0054e070: 4e 6f 76 20 32 37 20 32 - 30 31 39 00 25 73 0a 00 Nov 27 2019.%s..
+0x0054e080: 31 33 3a 35 32 3a 30 32 - 00 00 00 00 46 69 72 6d 13:52:02....Firm
+0x0054e090: 77 61 72 65 20 56 65 72 - 73 69 6f 6e 20 31 2e 32 ware Version 1.2
 0x0054e0a0: 30 00 00 00 b4 ca 6c fc - 46 69 72 6d 77 61 72 65 0...´Êl.Firmware
-0x0054e0b0: 20 56 65 72 20 47 4d 31 - 2e 31 30 45 00 00 00 00  Ver GM1.10E....
+0x0054e0b0: 20 56 65 72 20 47 4d 31 - 2e 32 30 41 00 00 00 00  Ver GM1.20A....
 0x0054e0c0: 44 00 00 00 42 75 69 6c - 64 49 6e 66 6f 2e 63 00 D...BuildInfo.c.
 0x0054e0d0: 72 00 00 00 0a 43 68 65 - 63 6b 53 75 6d 20 53 6b r....CheckSum Sk
 0x0054e0e0: 69 70 20 28 6e 6f 20 25 - 73 29 0a 00 0a 43 68 65 ip (no %s)...Che
@@ -445609,7 +445609,7 @@
 0x006cca80: 58 2c 30 78 25 30 38 58 - 2c 30 78 25 30 38 58 2c X,0x%08X,0x%08X,
 0x006cca90: 30 78 25 30 38 58 2c 30 - 78 25 30 38 58 2c 30 78 0x%08X,0x%08X,0x
 0x006ccaa0: 25 30 38 58 2c 30 78 25 - 30 38 58 2c 30 78 25 30 %08X,0x%08X,0x%0
-0x006ccab0: 38 58 0a 00 31 2e 31 30 - 00 00 00 00 00 00 00 00 8X..1.10........
+0x006ccab0: 38 58 0a 00 31 2e 32 30 - 00 00 00 00 00 00 00 00 8X..1.20........
 0x006ccac0: 0a 43 68 65 63 6b 53 75 - 6d 20 45 52 52 4f 52 3a .CheckSum ERROR:
 0x006ccad0: 20 66 72 6f 6d 20 30 78 - 25 30 38 58 20 25 64 20  from 0x%08X %d~
 0x006ccae0: 62 79 74 65 73 20 2d 2d - 20 65 78 70 65 63 74 20 bytes -- expect~
@@ -2031614,101 +2031614,101 @@
 0x01efffd0: ff ff ff ff ff ff ff ff - ff ff ff ff ff ff ff ff ................
 0x01efffe0: ff ff ff ff ff ff ff ff - ff ff ff ff ff ff ff ff ................
 0x01effff0: ff ff ff ff ff ff ff ff - ff ff ff ff ff ff ff ff ................
-0x01f00000: 3a 04 00 00 00 00 00 00 - 30 82 04 36 30 82 03 1e :.......0..60...
-0x01f00010: a0 03 02 01 02 02 01 01 - 30 0d 06 09 2a 86 48 86 ........0...*.H.
-0x01f00020: f7 0d 01 01 05 05 00 30 - 6f 31 0b 30 09 06 03 55 .......0o1.0...U
-0x01f00030: 04 06 13 02 53 45 31 14 - 30 12 06 03 55 04 0a 13 ....SE1.0...U...
-0x01f00040: 0b 41 64 64 54 72 75 73 - 74 20 41 42 31 26 30 24 .AddTrust AB1&0$
-0x01f00050: 06 03 55 04 0b 13 1d 41 - 64 64 54 72 75 73 74 20 ..U....AddTrust~
-0x01f00060: 45 78 74 65 72 6e 61 6c - 20 54 54 50 20 4e 65 74 External TTP Net
-0x01f00070: 77 6f 72 6b 31 22 30 20 - 06 03 55 04 03 13 19 41 work1"0 ..U....A
-0x01f00080: 64 64 54 72 75 73 74 20 - 45 78 74 65 72 6e 61 6c ddTrust External
-0x01f00090: 20 43 41 20 52 6f 6f 74 - 30 1e 17 0d 30 30 30 35  CA Root0...0005
+0x01f00000: dc 05 00 00 00 00 00 00 - 30 82 05 d8 30 82 03 c0 ........0...0...
+0x01f00010: a0 03 02 01 02 02 10 4c - aa f9 ca db 63 6f e0 1f .......LªùÊÛco..
+0x01f00020: f7 4e d8 5b 03 86 9d 30 - 0d 06 09 2a 86 48 86 f7 .N.[...0...*.H..
+0x01f00030: 0d 01 01 0c 05 00 30 81 - 85 31 0b 30 09 06 03 55 ......0..1.0...U
+0x01f00040: 04 06 13 02 47 42 31 1b - 30 19 06 03 55 04 08 13 ....GB1.0...U...
+0x01f00050: 12 47 72 65 61 74 65 72 - 20 4d 61 6e 63 68 65 73 .Greater Manches
+0x01f00060: 74 65 72 31 10 30 0e 06 - 03 55 04 07 13 07 53 61 ter1.0...<8e>Õ....<8e>Óa
+0x01f00070: 6c 66 6f 72 64 31 1a 30 - 18 06 03 55 04 0a 13 11 lford<8e>±.<8e>°...<8e>Õ....
+0x01f00080: 43 4f 4d 4f 44 4f 20 43 - 41 20 4c 69 6d 69 74 65 COMODO CA Limite
+0x01f00090: 64 31 2b 30 29 06 03 55 - 04 03 13 22 43 4f 4d 4f d1+0)..U..."COMO
[...]

Re: G3 X 1.00C FW Dump
« Reply #22 on: 12 / May / 2020, 14:09:55 »
Updated DISKBOOT.BIN and PS.FI2 for 1.20A attached (unmodified except for the auto-generated firmware version check, which is the only thing preventing the 110E binary from running unmodified).

Re: G3 X 1.00C FW Dump
« Reply #23 on: 08 / September / 2023, 10:30:08 »
Is the porting still updated? I got a G3X recently but I haven't being able to get it to boot from DISKBOOT. I copied some files from G7x and SX710, but all I get is the camera stuck in black.

Re: G3 X 1.00C FW Dump
« Reply #24 on: 08 / September / 2023, 23:07:50 »

Code: [Select]
  led1addr = 0xd20b0884
  led2addr = 0xd20b0810
 
  Poke32(led2addr, 0x4d0002)  'It is ON now!!
  *led2addr = 0x4d0002        'Works, too!
   
  Poke32(led1addr, 0x4c0003)  'It is OFF now!!
 
Interestingly, each time I try to read the value of the addresses (using dereferencing or Peek32), I just get "5C" as value.
So, Poke32, Peek32 is equal to pointer-usage in Canon Basic.

Code: [Select]
0xd20b0884 'Status light - Back facing green LED
0xd20b0810 'Focus helper - Front facing white LED

There is a lot of knowledge hidden here.
Each time I crawl through the forum, the wiki pages or the Repository, I find something new.
If I knew a way to glue this all together, I'd try to help. :')


I actually got the LED light up and off with C in main.c this way! Wow it's so cool!

 

Related Topics


SimplePortal © 2008-2014, SimplePortal