How to use WriteToRom? - General Discussion and Assistance - CHDK Forum

How to use WriteToRom?

« on: 24 / May / 2021, 14:37:37 »
Does anyone here have experience with WriteToRom? What kind of addresses does it take?

Are ROM and RAM addresses the same thing but with an offset ?

Caefix
Re: How to use WriteToRom?
« Reply #1 on: 24 / May / 2021, 14:59:07 »
 :-X ... and reasons why to avoid ... https://chdk.setepontos.com/index.php?topic=13473.0
All lifetime is a loan from eternity.

reyalp
Re: How to use WriteToRom?
« Reply #2 on: 24 / May / 2021, 15:10:51 »
There's some discussion in https://chdk.setepontos.com/index.php?topic=14052.0 and https://chdk.setepontos.com/index.php?topic=13893.msg141739#msg141739

You can also find examples in the firmware where WriteToRom (or underlying functions) are called. I'd suggest spending some time with Ghidra and the firmware of your camera before attempting to modify ROM.

Note that WriteToRom does not erase, so it will only turn 1s to 0s. To write arbitrary values, you must erase and write an entire sector.

Quote
Are ROM and RAM addresses the same thing but with an offset ?
I'm not sure what you're asking. ROM is in the same address space as RAM, with a camera specific start address. In CHDK, this is platform ROMBASEADDR, but be aware this is not actually the start of flash memory in all cases. Actually communicating with the flash IC appears to be done through some special addresses, usually(?) in the ROM address range.
Don't forget what the H stands for.

Re: How to use WriteToRom?
« Reply #3 on: 24 / May / 2021, 15:29:20 »
Ah, so it can only flip from 1 to 0, with byte granularity, and EraseSectorOfRom can only flip zeros to 1s, at sector granularity. I see. Very cumbersome.

Surely it's possible to create a proper ROM writing function that first makes a copy of all the sectors a desired write would affect (however that is done, from RAM or directly from ROM if that's possible), then inserts the data we want to add in to that copy, erases those sectors from ROM with EraseSectorOfRom, and then writes the entire modified data back in using WriteToRom...

This function would be difficult to implement but a lot more useful and safe (?)


Also what is the rom sector size. And does anyone know what the C function definition of EraseSectorOfRom would look like?
« Last Edit: 24 / May / 2021, 15:33:44 by ilia3101 »


Re: How to use WriteToRom?
« Reply #4 on: 24 / May / 2021, 15:30:55 »
Quote
I'm not sure what you're asking. ROM is in the same address space as RAM, with a camera specific start address. In CHDK, this is platform ROMBASEADDR, but be aware this is not actually the start of flash memory in all cases. Actually communicating with the flash IC appears to be done through some special addresses, usually(?) in the ROM address range.

I know you can access the ROM data using pointer addresses starting at something like 0xF0000000 (camera specific I guess) - so I was wondering how those addresses map to what you would pass to WriteToRom.

Re: How to use WriteToRom?
« Reply #5 on: 24 / May / 2021, 15:51:33 »
Quote
You can also find examples in the firmware where WriteToRom (or underlying functions) are called. I'd suggest spending some time with Ghidra and the firmware of your camera before attempting to modify ROM.

I will try Ghidra, I have only used disassemble.pl so far.

reyalp
Re: How to use WriteToRom?
« Reply #6 on: 24 / May / 2021, 17:09:36 »
Quote
Surely it's possible to create a proper ROM writing function that first makes a copy of all the sectors a desired write would affect (however that is done, from RAM or directly from ROM if that's possible), then inserts the data we want to add in to that copy, erases those sectors from ROM with EraseSectorOfRom, and then writes the entire modified data back in using WriteToRom...
In theory, but in practice remember that when CHDK is running, most of the Canon OS is running from ROM, and there are ~100 tasks running, interrupts, watchdog timers and so on. Some parts of WriteToRom and EraseSectorOfRom are themselves in ROM.

Bad Things will happen if the Canon OS tries to access between the erase and the write completing.

The code that actually interacts with the flash chip is generally(?) copied to RAM and runs with interrupts disabled, but executing the entire erase / write cycle without involving ROM or having interrupts handled would take significant work at a minimum.

Canon firmware updates presumably (I've never actually bothered to reverse engineer one) avoid this by including all the necessary code and running entirely from RAM, but in general, CHDK doesn't have this capability, because all the code to interface with the hardware is in ROM. You could theoretically modify a Canon firmware updater to install custom modifications, but only for the camera it was originally intended to run on.

Quote
And does anyone know what the C function definition of EraseSectorOfRom would look like?
It fiddles with the values and calls some function (usually in RAM) which writes some values to some MMIOs.

Note some cameras have EraseSectorOfRom while others have EraseRom, which seems to correspond to somewhat different implementations.

Also, some cameras have GetRomId which appears to query the flash hardware. If the flash chips can be identified, there might be data sheets or other useful information.
Don't forget what the H stands for.

srsa_4c
Re: How to use WriteToRom?
« Reply #7 on: 24 / May / 2021, 17:14:17 »
Quote
Surely it's possible to create a proper ROM writing function that first makes a copy of all the sectors a desired write would affect (however that is done, from RAM or directly from ROM if that's possible), then inserts the data we want to add in to that copy, erases those sectors from ROM with EraseSectorOfRom, and then writes the entire modified data back in using WriteToRom...

This function would be difficult to implement
I'd say very difficult and camera specific. You'd have to experiment on real hardware.
As for usefulness, the cameras are working quite well without such a function. You sound like someone who intends to change the firmware on a larger scale.

Quote
Also what is the rom sector size.
In all cases I've seen, EraseSectorOfRom uses 64kB granularity with 64kB alignment. The underlying flash chip can possibly offer smaller erase blocks, but those are not taken advantage of.

Quote
And does anyone know what the C function definition of EraseSectorOfRom would look like?
I'd recommend studying the disassembly before using it. Newer PowerShots have a different function for the same purpose, with a different number of arguments. The EOS firmware might be different.

Quote
I know you can access the ROM data using pointer addresses starting at something like 0xF0000000 (camera specific I guess) - so I was wondering how those addresses map to what you would pass to WriteToRom.
You need to use the ROM addresses, WriteToRom takes care of the necessary address translation.
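
Added example (not part of any post in this thread, and not Canon or CHDK code): a RAM-only simulation of the flash behaviour described in the replies above, where programming only turns 1s into 0s and erasing resets a whole 64kB-aligned sector to 1s. Every name here is hypothetical; it does not call WriteToRom or EraseSectorOfRom, whose signatures the thread does not give.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define SECTOR_SIZE 0x10000u  /* 64kB erase granularity reported in the thread */
static uint8_t sim_flash[2 * SECTOR_SIZE];  /* simulated array in RAM, not camera ROM */

static void sim_reset(void) { memset(sim_flash, 0xFF, sizeof sim_flash); }

/* Erase works on a whole aligned sector and sets every bit to 1. */
static void sim_erase_sector(uint32_t off) {
    memset(sim_flash + (off & ~(SECTOR_SIZE - 1)), 0xFF, SECTOR_SIZE);
}

/* Programming can only clear bits: each cell becomes (old AND new). */
static void sim_program(uint32_t off, const uint8_t *src, size_t len) {
    for (size_t i = 0; i < len; i++) sim_flash[off + i] &= src[i];
}

/* 1 if the wanted bytes are reachable by clearing bits only (no erase needed). */
static int writable_without_erase(uint32_t off, const uint8_t *src, size_t len) {
    for (size_t i = 0; i < len; i++)
        if ((sim_flash[off + i] & src[i]) != src[i]) return 0;
    return 1;
}

/* Number of 64kB sectors that a write of len bytes at off touches. */
static uint32_t sectors_touched(uint32_t off, size_t len) {
    return len ? (uint32_t)((off + len - 1) / SECTOR_SIZE - off / SECTOR_SIZE + 1) : 0;
}

/* Returns 0 = programmed in place, 1 = sector had to be erased, -1 = rejected. */
static int sim_update(uint32_t off, const uint8_t *src, size_t len) {
    static uint8_t shadow[SECTOR_SIZE];
    if (off + len > sizeof sim_flash || sectors_touched(off, len) != 1) return -1;
    if (writable_without_erase(off, src, len)) { sim_program(off, src, len); return 0; }
    uint32_t base = off & ~(SECTOR_SIZE - 1);
    memcpy(shadow, sim_flash + base, SECTOR_SIZE);  /* copy the sector */
    memcpy(shadow + (off - base), src, len);        /* patch the copy */
    sim_erase_sector(base);  /* until the next call finishes, the sector reads as 0xFF */
    sim_program(base, shadow, SECTOR_SIZE);
    return 1;
}

int main(void) {
    const uint8_t a[] = {0xF0}, b[] = {0xFF};  /* constructed sample values */
    sim_reset();
    return !(sim_update(0x100, a, 1) == 0 && sim_update(0x100, b, 1) == 1);
}
```

In the simulation the erase-then-program window is harmless; on a camera that window is where the rest of the running firmware would read 0xFF from the sector, which is the hazard described in Reply #6.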


Re: How to use WriteToRom?
« Reply #8 on: 31 / May / 2021, 13:55:54 »
Quote
Does anyone here have experience with WriteToRom? What kind of addresses does it take?

Are ROM and RAM addresses the same thing but with an offset ?

I have killed 3-4 cameras by "experimenting" with underlying code for ROM writing. You should understand that WriteToROM API is intended just for saving settings and/or crash logs to small specific region of the flash.

If you are going to modify something outside of the safe region.. like to patch the program itself... you should remember that erasing (which must be done before WriteToRom) comes in big blocks of 64K/128K size and it is easy to damage the code of WriteToROM itself or one of numerous subroutines which is still used during execution. It is hard to replace parts of a motor while it is on and running... There are also minor multitasking and cache related issues but I am not qualified enough to understand them fully.

In short, it heavily depends on what you are going to modify, where to write to.

« Last Edit: 31 / May / 2021, 14:57:12 by hardlock »

momo
Re: How to use WriteToRom?
« Reply #9 on: 02 / June / 2021, 02:15:37 »
Alex from Magic Lantern did that, the whole ROM. From the bootloader. I don't bother to look for the relevant posts now, but should be easy to find. Better yet ask him.

PS. It was DSLR of course, but probably similar on PowerShots

PPS. A very long time ago I tried (and failed) to access ROM directly, using its interface, which would require knowing and understanding that interface. For anyone willing to sacrifice a few cameras, might be an interesting project.


« Last Edit: 02 / June / 2021, 17:16:30 by momo »

 
