400D bootloader - DSLR Hack development - CHDK Forum  

400D bootloader

400D bootloader
« on: 23 / May / 2008, 19:28:27 »
I decided to begin a new thread - because probably all the DSLRs have a bootloader.
I blinked it out from my 400D. It was at address FFFF0000.

In the loader program of 400D firmware there are addresses:
bootloader 0xF87F0000 (+0x07800000 = 0xFFFF0000)
firmware 0xF8010000 (+0x07800000 = 0xFF810000)

Probably the addresses in the loader are the ROM *write* addresses. When you try to write to the 0xFF810000 segment, it doesn't work - I haven't yet tried to write to the 0xF8010000 segment.

I attach the bootloader from 400D (all versions of firmware)

NEW: there is a "Run program from CF" option in the bootloader menu :-) I hope it's ELF. I'll check it tomorrow
« Last Edit: 23 / May / 2008, 19:47:26 by owerlord »

*

ASalina

Re: 400D bootloader
« Reply #1 on: 23 / May / 2008, 21:00:19 »
Great find, owerlord! You rock! I think partly this code is for Canon Service people to make adjustments and to do diagnostics on malfunctioning cameras.

I hope (and would imagine) that there is such code in the 40D firmware. I'm still trying to find a usable CF card file writing routine so we can do memory dumps. One of the first places I'll dump is FFFF0000!

PS I tried to find the address of the LEDs but have had no luck yet.

*

ASalina

Re: 400D bootloader
« Reply #2 on: 24 / May / 2008, 01:18:55 »
I've been studying this program for a while now, and it is indeed a Canon Service program. So far I've mapped out the input and output routines (even a formatted printf-like output routine), an LED flasher routine, and part of the command interpreter section that prompts for a file on CF to run. I haven't figured out what format the program file is, except to say that there are references to "AUTOEXEC.BIN" and possibly some others. It also seems to be able to run .fir files on the CF card.

My guess is that this program is accessed through the serial debug port inside the battery compartment because it has the ability to check the USB port (and really, if the USB is malfunctioning then diagnosing would be impossible). The addresses that it outputs to and inputs from are

Output: 0xC0800014
Input: 0xC0800008

I'm going to keep studying this program. If there is anything that I can help with, just ask.

*

mx3

Re: 400D bootloader
« Reply #3 on: 24 / May / 2008, 02:46:35 »
> I decided to begin a new thread - because probably all the DSLRs have a bootloader.
> I blinked it out from my 400D. It was at address FFFF0000.

great

> there is a "Run program from CF" option in the bootloader menu :-) I hope it's ELF. I'll check it tomorrow

some strings
FFFF27E0,12,"AUTOEXEC.BIN"
FFFF428C,8,"BOOTDISK"

Powershots - when the card is marked as bootable ("BOOTDISK") and locked, it launches the bin file from the card
edit: see cardtricks for BOOTDISK explanation

I suggest you use the -PIC option when you compile the file
« Last Edit: 24 / May / 2008, 02:50:39 by mx3 »


*

Seklth

Re: 400D bootloader
« Reply #4 on: 24 / May / 2008, 02:56:39 »
>Great find, owerlord! You rock! I think partly this code is for Canon Service people to make adjustments and to do diagnostics on malfunctioning cameras.
The main firmware has functions to enter factory mode.

*

ASalina

Re: 400D bootloader
« Reply #5 on: 24 / May / 2008, 03:17:02 »
> The addresses that it outputs to and inputs from are
>
> Output: 0xC0800014
> Input: 0xC0800008


On further study it's looking more like 0xC0800014 is bi-directional and 0xC0800008 is some sort of control register.

 
