UART question: Rescue Loader / UART loopback switch

UART question: Rescue Loader / UART loopback switch
« on: 22 / October / 2017, 23:10:28 »
Greetings! You have got a great community here.

I was trying to modify the sx710 camera code by making permanent patches in the firmware. I have replaced some strings and patched some code successfully, but (of course!) at the end I did screw up. My camera does not react to any buttons now.

I have looked at the bootloader code and (as far as I understand)  there is a thing called "Rescue Loader" that tries to boot DISKBOOT.BIN/ROMWRITE.BIN/UPGRADER.BIN  from an SD-card if

(1) "UART loopback switch ON" and then "UART loopback switch OFF"
(2) main "gaonisoy" code starts with 0xFFFFFF word (e.g. was "erased" or not present at all) ("Signature is OFF" message)

if booting DISKBOOT.BIN fails it should start some sort of interactive shell  "\n>> debug shell startted <<\n"

Therefore, there are my questions to people who have UART console soldered:

1) Does camera show something on UART when the  power is  on  (e.g. at the moment when a battery is inserted, not on  "power" button _press_)
2) What happens if you have UART's RX<->TX  shorted  (in a loopback).  Does it really  try load DISKBOOT.bin  or shows some sort of a commandline shell?



Offline reyalp
Re: UART question: Rescue Loader / UART loopback switch
« Reply #1 on: 22 / October / 2017, 23:33:18 »
Welcome... and yikes :(

Your interpretation of the rescue loader stuff matches mine. I believe Ant successfully accessed the rescue loader using UART loopback, discussion starting at https://chdk.setepontos.com/index.php?topic=12542.msg129346#msg129346
Don't forget what the H stands for.

Re: UART question: Rescue Loader / UART loopback switch
« Reply #2 on: 22 / October / 2017, 23:54:14 »
ok, thank you very much for the reference, i will check it out.
it gives me hope, maybe i will be able to start my code (and blink a led) from the rescue loader.

Re: UART question: Rescue Loader / UART loopback switch
« Reply #3 on: 23 / October / 2017, 19:49:18 »
ok, thank you very much for the reference, i will check it out.....
Just to be clear about some of the details, in the M3 posts:-

Ref:- Re: EOS M3 porting « Reply #90 on: 17/July/2016,
"...Just copy EOS_M3.FI2 to SD card and start update from camera's menu...."

The "EOS_M3.FI2" was an official Canon Firmware up-grade for EOS m3-100d camera.

H-H


Offline reyalp
Re: UART question: Rescue Loader / UART loopback switch
« Reply #4 on: 23 / October / 2017, 22:08:57 »
Just to be clear about some of the details, in the M3 posts:-

Ref:- Re: EOS M3 porting « Reply #90 on: 17/July/2016,
"...Just copy EOS_M3.FI2 to SD card and start update from camera's menu...."

The "EOS_M3.FI2" was an official Canon Firmware up-grade for EOS m3-100d camera.

H-H
I don't understand how this is relevant or clarifies anything. hardlock was asking how to access the rescue loader. The firmware update related discussion has nothing to do with that.

If hardlock manages to access the rescue loader, there will be a question of how to repair the damage, but it's unlikely to involve official firmware updates.
Don't forget what the H stands for.

Offline Ant
Re: UART question: Rescue Loader / UART loopback switch
« Reply #5 on: 24 / October / 2017, 11:34:26 »
but it's unlikely to involve official firmware updates.

If rescue loader is not destroyed maybe it's possible to use canon's flasher extracted from official *.FIR. and encoded using dancing bits.

Otherwise I see only two ways:
trying to use JTAG or desoldering and programming flash chip on the programmer

P.S. QEMU  can be used to play with rescue loader for better understanding.
It has support of EOS M3 at least, but rescue loaders should be similar for another D6 Powershots...
« Last Edit: 24 / October / 2017, 11:48:50 by Ant »

Offline reyalp
Re: UART question: Rescue Loader / UART loopback switch
« Reply #6 on: 24 / October / 2017, 12:42:21 »

If rescue loader is not destroyed maybe it's possible to use canon's flasher extracted from official *.FIR. and encoded using dancing bits.
That makes sense, but AFAIK there is no official firmware update for sx710. I don't know if the Canon flasher is generic, I would guess not, but maybe for cameras of a similar generation it is.

My impression is the OP was modifying specific parts of the Canon ROM, so if it's possible to load self-compiled code from the rescue loader, there may be other ways to recover than a complete reflash. If a known part of ROM is damaged, then it may be able to boot the canon firmware "normally" using CHDK style copy and replace the damaged part with code in RAM.
Don't forget what the H stands for.

Re: UART question: Rescue Loader / UART loopback switch
« Reply #7 on: 24 / October / 2017, 15:56:23 »
thank you for your valuable suggestions. I am not very good with hardware, but for now, my preliminary plan is as follows:

i have modified (erased) at most one sector (it is of 128K size for sx710). i am very sure that I know which one exactly. it is not the bootloader. Anyway it is easy to find which sector was modified (by quick checksum check). RAM agent (both of them for sx710?) that contains EraseROM and WriteToROM implementations should not be damaged, i will copy the agent from ROM to the proper place in RAM and use it.

the problem will be that the 'data' segment of diskboot.bin (e.g. static char bin_data[]={0x44,0xAA,0x55..};) can't hold a lot of data, the limit is about 100Kb in my experience. but for now, I only want to run any code without a button press.

Edit: English

« Last Edit: 24 / October / 2017, 16:01:44 by hardlock »
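
Added example, not part of the original posts and not CHDK code: one way to do the per-sector checksum check mentioned in Reply #7 on the host, comparing a known-good ROM dump with a suspect image. The 128K sector size comes from the post; CRC32 as the checksum, the function names and the constructed sample images are assumptions.

```python
import zlib

SECTOR_SIZE = 128 * 1024  # sector size given in the post for the sx710 flash


def sector_report(good: bytes, suspect: bytes, sector_size: int = SECTOR_SIZE):
    """Compare two ROM images sector by sector.

    Returns (index, offset, status) for every sector that differs:
    'erased'   - suspect sector is all 0xFF (flash erase state)
    'modified' - checksum mismatch, sector still holds data
    'missing'  - suspect image ends before this sector is complete
    """
    if sector_size <= 0:
        raise ValueError("sector_size must be positive")
    findings = []
    for offset in range(0, len(good), sector_size):
        ref = good[offset:offset + sector_size]
        cur = suspect[offset:offset + sector_size]
        index = offset // sector_size
        if len(cur) < len(ref):
            findings.append((index, offset, "missing"))
        elif zlib.crc32(ref) == zlib.crc32(cur):
            continue  # checksums agree, treat the sector as intact
        elif cur == b"\xff" * len(cur):
            findings.append((index, offset, "erased"))
        else:
            findings.append((index, offset, "modified"))
    return findings


def demo_images():
    """Constructed sample data: a 4-sector 'dump' and a damaged copy."""
    good = bytes(range(256)) * (4 * SECTOR_SIZE // 256)
    suspect = bytearray(good)
    # Sector 2 wiped to the erased state, one bit flipped in sector 3.
    suspect[2 * SECTOR_SIZE:3 * SECTOR_SIZE] = b"\xff" * SECTOR_SIZE
    suspect[3 * SECTOR_SIZE + 5] ^= 0x01
    return good, bytes(suspect)


if __name__ == "__main__":
    good, suspect = demo_images()
    for index, offset, status in sector_report(good, suspect):
        print(f"sector {index} @ 0x{offset:06X}: {status}")
```
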


Re: UART question: Rescue Loader / UART loopback switch
« Reply #8 on: 24 / October / 2017, 16:15:34 »

Re: UART question: Rescue Loader / UART loopback switch
« Reply #9 on: 24 / October / 2017, 16:22:11 »
i know that many things can go wrong (e.g. enabled/disabled interrupts, DryOS must be properly initialized first, RAM agents call back damaged ROM etc).  But we will see.
« Last Edit: 24 / October / 2017, 16:26:02 by hardlock »
