Canon EOS M5 - page 3 - Firmware Dumping - CHDK Forum

Canon EOS M5


Offline Ant

Re: Canon EOS M5
« Reply #20 on: 15 / January / 2017, 06:10:36 »
Congratulations, well done!  :)
Your firmware dump looks valid.
It's 32MB, as expected.
Bootloader, adjustment and user areas are at the same places.
Platform - ID: 32BB / 12987
Now it's interesting to get CPUINFO log.
« Last Edit: 15 / January / 2017, 07:38:50 by Ant »


Offline srsa_4c

Re: Canon EOS M5
« Reply #21 on: 15 / January / 2017, 09:04:13 »
Created an AdditionAgentRAM-based version of the armv7 cpuinfo routine. It saves the resulting uninterpreted binary data in a file named CPUINFO.DAT.
Code:
private sub Initialize()
System.Create()
AdditionAgentRAM("A/CPUINFO.BIN","unknown")
end sub
Source and binary attached, the above short Canon Basic script is needed to execute the binary (has to be copied to card root along with the usual Canon Basic support files).
Many things can go wrong (permissions, unsupported instructions, etc), so I can't guarantee that this will actually work. No visual feedback is provided, but it should finish within a second if it doesn't crash the camera.

edit:
The binary only works on firmware 1.00G

Re: Canon EOS M5
« Reply #22 on: 15 / January / 2017, 11:39:46 »
The camera turned off.


Offline srsa_4c

Re: Canon EOS M5
« Reply #23 on: 15 / January / 2017, 12:12:38 »
Quote
The camera turned off.
Can you get the romlog please? It's odd that the file was created, seems to have content, but the camera still crashed for some reason.

Decoded content attached (modified the cpuinfo module to get a fast result). Don't know if it can be trusted. 0xc09 is Cortex A9.

edit:
Looks like R4 and A9 interpret many of these registers differently. Anyone fancy writing a Cortex A9 specific routine?
« Last Edit: 15 / January / 2017, 12:34:30 by srsa_4c »

Re: Canon EOS M5
« Reply #24 on: 15 / January / 2017, 12:37:13 »
Quote
The camera turned off.
Can you get the romlog please? It's odd that the file was created, seems to have content, but the camera still crashed for some reason.
I suppose I can't use romlog and the short Canon Basic script you added before in the same extend.m. Should I do exactly as last time I created a romlog? Will that not give exactly the same log as I already posted?
« Last Edit: 15 / January / 2017, 12:39:01 by Sapporo »


Offline srsa_4c

Re: Canon EOS M5
« Reply #25 on: 15 / January / 2017, 12:46:56 »
Quote
I suppose I can't use romlog and the short Canon Basic script you added before in the same extend.m.
No. Just replace the file's content.
Quote
Should I do exactly as last time I created a romlog? Will not that give exactly the same log as I already posted?
If the camera recorded a new romlog (which it likely did when it crashed again), you'll get the new one.

Re: Canon EOS M5
« Reply #26 on: 15 / January / 2017, 12:59:10 »
I tried again to create a CPUINFO.dat, but the camera just turned off without creating anything. After that I created a romlog.


Offline srsa_4c

Re: Canon EOS M5
« Reply #27 on: 15 / January / 2017, 13:17:49 »
Quote
I tried again to create a CPUINFO.dat, but the camera just turned off without creating anything. After that I created a romlog.
Thanks. Unfortunately it's not really obvious what happened (hard to follow a disassembly that has no annotations).

Thanks again for running all these tests. If someone wrote a more specific routine for CPU research, that would provide the potential future developers (if any) with more useful info. Keep following the thread in case new stuff gets posted.


Offline a1ex

  • ML dev
Re: Canon EOS M5
« Reply #28 on: 19 / January / 2017, 03:40:41 »
Some early notes:

* There seem to be 2 CPU cores (PU0/PU1 or puId 0/1). Current core ID is read from 0x1000.

* There seem to be 2 DryOS instances:
  - first runs E0012E88 init_task_1, does the usual stdio setup, then starts RomStarter
  - second DryOS is launched from RomStarter, at E0020000; it runs E00202E0 init_task_2, runs the stdio setup again, then launches the Startup task

* There are 2 types of interrupts: old-style (similar to D6) and new style (GIC, see Generic Interrupt Controller Architecture Specification):
  - old-style: PU0 uses 0xD4011000 (same as D6), PU1 uses 0xD5011000
  - new style: 0xC1000000 (this appears to be the Private memory region):
      - 0x010C: GICC_IAR, returns 0x20 for an old-style interrupt
      - 0x1100: GICD_ISENABLERn (bit array to enable interrupts; not sure how many)
      - 0x1800: GICD_ITARGETSRn (one byte for each interrupt, unaligned access)
      - full list in arm_gic_architecture_specification.pdf
         -> see e.g. Distributor register map at 0x1000 or CPU interface register map at 0x100
  - DryOS heartbeat is identical to D6 (timer 1, interrupt 1B, 10ms)

Memory blocks copied to RAM during startup:
Code:
0xE001AF2C -> 0xDF020000 size 0x3B8   at E0005AAC
0xE001B2E4 -> 0x4000     size 0xF1C   at E000492C
0xE115CF88 -> 0x8000     size 0x6054C at E002003C
0xE11BD4D4 -> 0x1900000  size 0x1444  at E0020060
0xE11BE918 -> 0xDFFC4900 size 0x152A0 at E0020084

Excerpt from emulation log (QEMU, processor "cortex-a9"):
Code:
E0017B98: MRC p15,0,Rd,cr0,cr0,5:      MPIDR -> 0x80000000
E0017BBE: MCR p15,0,Rd,cr12,cr0,0:       VBAR <- 0xE000001D
E0017BEA: MRC p15,0,Rd,cr1,cr0,0:      SCTLR -> 0xC52078
E0017BE0: MCR p15, ...          : CACHEMAINT x1 (omitted)
E0017C02: MCR p15,0,Rd,cr1,cr0,0:      SCTLR <- 0x40C50878
E0004CE6: MRC p15,0,Rd,cr1,cr0,0:      SCTLR -> 0x40C50878
E0004CE6: MCR p15, ...          : CACHEMAINT x3 (omitted)
E0004CE6: MCR p15,0,Rd,cr1,cr0,0:      SCTLR <- 0x40C51878
E0017C2A: MRC p15,0,Rd,cr0,cr0,5:      MPIDR -> 0x80000000
E0004D0A: MRC p15,0,Rd,cr1,cr0,0:      SCTLR -> 0x40C51878
E0004DD4: MCR p15, ...          : CACHEMAINT x512 (omitted)
E0004D0A: MCR p15,0,Rd,cr1,cr0,0:      SCTLR <- 0x40C50878
E0004D1A: MCR p15, ...          : CACHEMAINT x1 (omitted)
E0004C7A: MCR p15,0,Rd,cr3,cr0,0:       DACR <- 0x55555555
E0004C82: MCR p15,0,Rd,cr2,cr0,0:  TTBR0_EL1 <- 0xE0004800
E0004C86: MCR p15,0,Rd,cr2,cr0,1:  TTBR1_EL1 <- 0xE0000080
E0004C8A: MCR p15,0,Rd,cr13,cr0,1: CONTEXTIDR(S) <- 0x0       
E0004C8E: MCR p15,0,Rd,cr2,cr0,2:      TTBCR <- 0x7       
E0004C96: MCR p15,0,Rd,cr8,cr7,0:    TLBIALL <- 0x0       
E0004C9E: MRC p15,0,Rd,cr1,cr0,0:      SCTLR -> 0x40C50878
E0004C9E: MCR p15,0,Rd,cr1,cr0,0:      SCTLR <- 0x40C50879
E0017C90: MRC p15,0,Rd,cr1,cr0,0:      SCTLR -> 0x40C50879
E0017C90: MCR p15, ...          : CACHEMAINT x1 (omitted)
E0017C90: MCR p15,0,Rd,cr1,cr0,0:      SCTLR <- 0x40C51879
E0017CA8: MRC p15,0,Rd,cr1,cr0,0:      SCTLR -> 0x40C51879
E0017CA8: MCR p15,0,Rd,cr1,cr0,0:      SCTLR <- 0x40C5187D
E0017CB4: MRC p15,0,Rd,cr1,cr0,1:  ACTLR_EL1 -> 0x0
E0017CB4: MCR p15,0,Rd,cr1,cr0,1:  ACTLR_EL1 <- 0x45       
E0017CB4: MRC p15,0,Rd,cr15,cr0,0:  A9_PWRCTL -> 0x0
E0017CB4: MCR p15,0,Rd,cr15,cr0,0:  A9_PWRCTL <- 0x1       
E0017CD4: MRC p15,0,Rd,cr15,cr0,1:    A9_DIAG -> 0x0
E0017CD4: MCR p15,0,Rd,cr15,cr0,1:    A9_DIAG <- 0x400000   
E0004900: MCR p15,0,Rd,cr12,cr0,0:       VBAR <- 0xE0018C40
E000490A: MRC p15,0,Rd,cr0,cr0,5:      MPIDR -> 0x80000000
E0011E3A: MRC p15,0,Rd,cr0,cr0,5:      MPIDR -> 0x80000000
[          :e0008301 ] set_int_handler(0, 1ca, e00082e1)
[          :e0008305 ] set_int_handler(0, 1cc, e0011749)
[          :e0010d8d ] set_int_handler(0, 1eb, e0004a87)
[          :e0010d99 ] set_int_handler(0, 1ed, e0004a87)
[          :e0010db7 ] enable_interrupt_1(1eb)
[          :e0010dbd ] enable_interrupt_1(1ed)
E0004E38: MCR p15, ...          : CACHEMAINT x512 (omitted)
E0004CC6: MCR p15,0,Rd,cr7,cr8,0:        ATS <- 0xC6000000
E0004CCE: MRC p15,0,Rd,cr7,cr4,0:        PAR -> 0xB
E0004CC6: MCR p15,0,Rd,cr7,cr8,0:        ATS <- 0xC2000000
E0004CCE: MRC p15,0,Rd,cr7,cr4,0:        PAR -> 0xB
[          :e000846d ] set_int_handler(0, 1cb, e0008449)
[          :e0008477 ] set_int_handler(0, 1b, e00083dd)
[          :e0008485 ] enable_interrupt_1(1b)
[EOS] trigger int 0x1B (delayed!)

DRYOS version 2.3, release #0059+p3
Copyright (C) 1997-2015 by CANON Inc.
[      init:e00079cb ] set_int_handler(0, df, e0007967)
[EOS] trigger int 0x1B (delayed)
Taking exception 5 [IRQ]
[      init:e00079d9 ] set_int_handler(0, 16d, e0007955)
[      init:e0007a0f ] enable_interrupt_1(df)
[      init:e0007a15 ] enable_interrupt_1(16d)
[EOS] trigger int 0x1B (delayed)
Taking exception 5 [IRQ]
#[EOS] trigger int 0x1B (delayed)
Taking exception 5 [IRQ]
[EOS] trigger int 0x1B (delayed)
Taking exception 5 [IRQ]

E002000C: MCR p15,0,Rd,cr12,cr0,0:       VBAR <- 0xE0020200
E002001A: MRC p15,0,Rd,cr0,cr0,5:      MPIDR -> 0x80000000
[EOS] trigger int 0x1B (delayed)
E002010E: MRC p15,0,Rd,cr0,cr0,5:      MPIDR -> 0x80000000
[          :e002189b ] enable_interrupt_2(1eb)
[          :e00218a1 ] enable_interrupt_2(1ed)
E036C51A: MCR p15, ...          : CACHEMAINT x3038 (omitted)
DFFC49BE: MCR p15,0,Rd,cr7,cr8,0:        ATS <- 0xC6000000
DFFC49C6: MRC p15,0,Rd,cr7,cr4,0:        PAR -> 0xB
DFFC49BE: MCR p15,0,Rd,cr7,cr8,0:        ATS <- 0xC2000000
DFFC49C6: MRC p15,0,Rd,cr7,cr4,0:        PAR -> 0xB
[          :e002135d ] enable_interrupt_2(1b)
[EOS] trigger int 0x1B (delayed)
[EOS] trigger int 0x1B (delayed!)

DRYOS version 2.3, release #0059+p3
Copyright (C) 1997-2015 by CANON Inc.
Taking exception 5 [IRQ]
[EOS] trigger int 0x1B (delayed)
Taking exception 5 [IRQ]
[      init:e0021773 ] enable_interrupt_2(df)
[      init:e0021779 ] enable_interrupt_2(16d)
[      init:e00206cb ] task_create(Startup, prio=19, stack=0, entry=e002061d, arg=0)
[EOS] trigger int 0x1B (delayed)
Taking exception 5 [IRQ]
[   Startup:dffcd187 ] task_create(ClockSavePU0, prio=20, stack=200, entry=e010af35, arg=0)
[EOS] trigger int 0x1B (delayed)
Taking exception 5 [IRQ]
[   Startup:e0466b45 ] task_create(SD1stInit, prio=18, stack=0, entry=e0466ad5, arg=0)
[EOS] trigger int 0x1B (delayed)
Taking exception 5 [IRQ]
[EOS] trigger int 0x1B (delayed)
Taking exception 5 [IRQ]
...

HTH
« Last Edit: 19 / January / 2017, 04:45:50 by a1ex »
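To make the SCTLR sequence in the trace above easier to follow, here is an added Python helper (not part of a1ex's post, nor of the CHDK or Magic Lantern tools) that parses cp15 trace lines in exactly that format and names which ARMv7 SCTLR bits each write sets or clears. The embedded excerpt is constructed from the lines of the post; the same function can be fed the full log.

```python
import re

# Constructed excerpt of the cp15 trace lines from the QEMU emulation log above.
TRACE = """\
E0017BEA: MRC p15,0,Rd,cr1,cr0,0:      SCTLR -> 0xC52078
E0017C02: MCR p15,0,Rd,cr1,cr0,0:      SCTLR <- 0x40C50878
E0004CE6: MCR p15,0,Rd,cr1,cr0,0:      SCTLR <- 0x40C51878
E0004D0A: MCR p15,0,Rd,cr1,cr0,0:      SCTLR <- 0x40C50878
E0004C82: MCR p15,0,Rd,cr2,cr0,0:  TTBR0_EL1 <- 0xE0004800
E0004C9E: MCR p15,0,Rd,cr1,cr0,0:      SCTLR <- 0x40C50879
E0017C90: MCR p15,0,Rd,cr1,cr0,0:      SCTLR <- 0x40C51879
E0017CA8: MCR p15,0,Rd,cr1,cr0,0:      SCTLR <- 0x40C5187D
"""

# ARMv7-A SCTLR bit names relevant to a boot sequence (ARM Architecture Reference
# Manual, ARMv7-A/R edition, "SCTLR, System Control Register"). Other bits are
# reported by number.
SCTLR_BITS = {0: "M (MMU)", 1: "A (alignment check)", 2: "C (data cache)",
              11: "Z (branch prediction)", 12: "I (instruction cache)",
              13: "V (high vectors)", 30: "TE (Thumb exceptions)"}

# "<pc>: MRC|MCR p15,...: <REG> <-|-> 0x<hex>"; CACHEMAINT summary lines do not match.
LINE_RE = re.compile(r"^([0-9A-F]{8}): M(?:RC|CR) p15.*?:\s*(\S+) (<-|->) (0x[0-9A-Fa-f]+)")


def parse_trace(text):
    """Yield (pc, register, direction, value) for every cp15 access in the trace."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            pc, reg, direction, val = m.groups()
            yield pc, reg, direction, int(val, 16)


def sctlr_transitions(text):
    """For each SCTLR write, return (pc, names of bits set, names of bits cleared)
    relative to the SCTLR value the trace last showed (read or write)."""
    prev, out = None, []
    for pc, reg, direction, val in parse_trace(text):
        if reg != "SCTLR":
            continue
        if prev is not None and direction == "<-":
            changed = prev ^ val
            names = lambda mask: [SCTLR_BITS.get(b, f"bit{b}") for b in range(32) if mask & (1 << b)]
            out.append((pc, names(changed & val), names(changed & prev)))
        prev = val
    return out


if __name__ == "__main__":
    for pc, set_bits, clr_bits in sctlr_transitions(TRACE):
        print(f"{pc}: set {set_bits} cleared {clr_bits}")
```

On this excerpt the output shows the MMU (M) being turned on at E0004C9E, right after the TTBR0/TTBR1/TTBCR/DACR setup in the log, and the instruction and data caches (I, C) being enabled in the two writes that follow.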


Offline c_joerg

Re: Canon EOS M5
« Reply #29 on: 21 / January / 2017, 11:29:07 »
I have seen that the universal dumper was modified.
Quote
We don't know what to expect, but it would be interesting to find out. (edit: Past experience would suggest D7 cameras would behave similarly, but it's really just a guess)
When I had a chance to make a dump on a G7x mark II should I use this version?
M100 100a, M3 121a, G9x II (1.00c), 2*G1x (101a,100e), S110 (103a), SX50 (100c), SX230 (101a), S45,
Flickr https://www.flickr.com/photos/136329431@N06/albums
YouTube https://www.youtube.com/channel/UCrTH0tHy9OYTVDzWIvXEMlw/videos?shelf_id=0&view=0&sort=dd
