HF10 & HV30 (Digic DV II) decrypted! - page 21 - General Discussion and Assistance - CHDK Forum  
« previous next »
Pages: 1 ... 16 17 18 19 20 [21] 22   Go Down

HF10 & HV30 (Digic DV II) decrypted!

  • 215 Replies
  • 129824 Views
*

Offline terig

  • *
  • 9
Re: HF10 & HV30 (Digic DV II) decrypted!
« Reply #200 on: 10 / July / 2009, 18:33:24 »
Advertisements
So both of my efforts hit a wall...

As far as the service mode goes, looks like the triggers for the osd actions come from exchange task, so presumably from a different core. Perhaps by examining relevant locations in a running camera while pressing various key combination could help figure out what's going on, unfortunately I can't do that myself.

On PAL/NTSC switching, the flag comes from 0x00150027 which looks like MMIO but how it get's there I have no clue, perhaps it's harcoded somewhere, perhaps from the MIPS core or one of the MB8AA101 modules (or whatever the heck they are).

I still have some enthusiasm for reversing left but not sure what to be looking for... any ideas?

t.
Logged
*

Offline Jollyrogerxp

  • *
  • 40
Re: HF10 & HV30 (Digic DV II) decrypted!
« Reply #201 on: 11 / July / 2009, 03:54:56 »
I have investigated the PAL/NTSC switch further too, but not much.
It looks like the locations around 0x00150000 are definitely MMIO registers, in fact it looks like they are interleaved read-only and write registers.
By setting values at the write locations the read-only location values can be altered, so I managed to set 0x00150027 to the desired value, but apparently it is not sufficient; it must be a combination of parameters and initialization because the code writes the same value to those registers both on the PAL and NTSC cameras, but the read only registers "reply" with different values...

I have also been looking at the way the exchange task works to some extent, and it looks like all the camera OSD functionality actually comes from it.
The other core passes to the FR71 status flags that determine what the OSD has to display on the screen, so far I found several camera states values, which are set in the first byte of a data structure I found inside the exchange buffer:

0x10 = CAMERA MODE PLAY TAPE
0x20 = CAMERA MODE RECORD TAPE
0x20 = ??CAMERA MODE PLAY CARD??
0x22 = DEMO
0x30 = CAMERA MODE PLAY CARD
0x30 = ??CAMERA MODE RECORD TAPE??
0x40 = ??CAMERA MODE RECORD CARD??
0x43 = IMAGE OPERATIONS
0x46 = FIRMWARE UPDATE MENU
0x50 = CAMERA MODE RECORD CARD
0x60 = PC CONNECT and TRANSITION BETWEEN MODEA
0x61 = IMAGES TRANSFER
0xE0 = SERVICE MODE
0xE6 = SELF CHECK
0xF0 = RECORD VIDEO???

This structure appears to contain the current camera mode, the menu to be displayed, the options available in the menu, etc... all in form of flags/indices. This suggests me that it is the other core that composes the structure and the FR71 merely displays the requested information.

So I went back to study the MIPS core, unfortunately there is a lot of code using the MIPS16 ISA extension, IDA Pro is very buggy in the MIPS16 support and it is hard to progress; I disassembled part of the binary by hand using a compiled mips gcc toolchain, but I cannot reimport this into IDA and I have to read it in a separate editor...

This is where I am at now.

Jolly
Logged
*

Offline terig

  • *
  • 9
Re: HF10 & HV30 (Digic DV II) decrypted!
« Reply #202 on: 14 / July / 2009, 13:28:46 »
Jolly,

Glad to hear that you're still going strong.

Quote from: Jollyrogerxp on 11 / July / 2009, 03:54:56
By setting values at the write locations the read-only location values can be altered, so I managed to set 0x00150027 to the desired value, but apparently it is not sufficient; it must be a combination of parameters and initialization because the code writes the same value to those registers both on the PAL and NTSC cameras, but the read only registers "reply" with different values...

Not sure I understand, does the flag have the intended value when you read it? How is that not sufficient exactly? Otherwise, I agree, these look like MMIO registers.

Quote from: Jollyrogerxp on 11 / July / 2009, 03:54:56
This structure appears to contain the current camera mode, the menu to be displayed, the options available in the menu, etc... all in form of flags/indices. This suggests me that it is the other core that composes the structure and the FR71 merely displays the requested information.

This makes sense for functionality controlled by MIPS core, but not sure that FR71 merely displays the information in general. For example, when I plug in the firewire cable, it doesn't make sense that FR signals mips to signal back to FR to overlay the firewire icon.

Can you see the exchange messages changing with button presses in a predictable way?

Quote from: Jollyrogerxp on 11 / July / 2009, 03:54:56
So I went back to study the MIPS core, unfortunately there is a lot of code using the MIPS16 ISA extension, IDA Pro is very buggy in the MIPS16 support and it is hard to progress; I disassembled part of the binary by hand using a compiled mips gcc toolchain, but I cannot reimport this into IDA and I have to read it in a separate editor...

This sucks, unfortunately can't help here, my ida even chokes on MIPS32, I've written a bunch of scripts to disassemble the FR part and don't feel like repeating the process with MIPS.

What are you looking for specifically?

Perhaps by considering the MIPS16 part to be a black box, we can make progress just by observing the behavior.
Logged
*

Offline Jollyrogerxp

  • *
  • 40
Re: HF10 & HV30 (Digic DV II) decrypted!
« Reply #203 on: 17 / July / 2009, 08:51:34 »
Hi Terig,

here are comments and news:

Quote from: terig on 14 / July / 2009, 13:28:46
Not sure I understand, does the flag have the intended value when you read it? How is that not sufficient exactly? Otherwise, I agree, these look like MMIO registers.

What I mean is that the values I read back from the read-only locations are the ones I "need" only if I set specific values in the write only locations, and these values are different from the ones the standard firmware writes to those locations.
In short the firmware seems to write identical values to those registers, both on the PAL and on the NTSC cameras, but the read-only registers return different values on PAL and NTSC cameras, which might mean that either the hadrware is different, or there is some other setup that configures those registers to respond differently on the different cameras.

Quote from: terig on 14 / July / 2009, 13:28:46
This makes sense for functionality controlled by MIPS core, but not sure that FR71 merely displays the information in general. For example, when I plug in the firewire cable, it doesn't make sense that FR signals mips to signal back to FR to overlay the firewire icon.

Can you see the exchange messages changing with button presses in a predictable way?

Of course the FR71 does a lot more than displaying data, what I mean is that the MIPS core seems to control the camera mode, the OSD menus and quite a lot of other still camera functionality, while the FR71 seems to handle the video camera functionality and actually displays the OSD menus.
I wrote a small real-time memory viewer using the firewire port, and I can definitely see the locations that correspond to specific messages, for example it looks like the MIPS sends a structure that contains all the menu indices for what needs to be displayed.
When I press the func. or set. menus, and then the up/down arrows, I can see this strucure being updated.
Other keys also produce value changes in the data block, but again it looks like the MIPS sends pre-processed status flags rather than the raw keypresses.

Quote from: terig on 14 / July / 2009, 13:28:46
This sucks, unfortunately can't help here, my ida even chokes on MIPS32, I've written a bunch of scripts to disassemble the FR part and don't feel like repeating the process with MIPS.

What are you looking for specifically?

Perhaps by considering the MIPS16 part to be a black box, we can make progress just by observing the behavior.

Unfortunately We cannot consider the MIPS16 code as black box, as I found that the exchange data block that is transferred between the cores is actually managed by the MIPS16 code.

But here I have some news too; I investigated some "strange" MIPS16 instructions that I found in the binary, and tracing back some of these custom instructions I traced them back to a specific processor: the Toshiba TX19A.
This chip not only supports MIPS16 extension, but also a Toshiba custom extension to MIPS16: the MIPS16e-TX.
So I wrote from scratch a IDA processor extension for IDA 5.2 (it took two nights), and I can now fully disassemble the entire MIPS16e-TX code block, so I can now start the analysis on the MIPS16 code...

Want to help? ;)

Jolly
Logged
*

Offline Jollyrogerxp

  • *
  • 40
Toshiba TX19A IDA processor extension plugin
« Reply #204 on: 23 / August / 2009, 14:46:12 »
Hello everybody,

I have received some requests to release the TX19A plugin, so here it is.

Attached to this message is the source code for the plugin, you will need IDA Pro 5.2 SDK to compile it.

It is pretty easy to use, the main issues to notice are:

- The plugin works only for Big Endian MIPS mode.

- Once compiled and placed in the IDA Pro plugins folder, it will appear in the Plugins menu, select it to activate it, select again to deactivate it.

- The plugin reads the value of the MIPS ISA segment register, and will decode instructions where the segment register is not set to zero; this way ensures that all the 32-bit code is disassembled by IDA Pro internal MIPS module.

- There are some issues with references registration: for some reason not all jumps and data references are correctly detected by IDA Pro when using the plugin.

For any clarifications please contact me, if any bugs are found and fixed please also let me know.

Cheers,

Jolly
Logged
*

Offline Jollyrogerxp

  • *
  • 40
Re: HF10 & HV30 (Digic DV II) decrypted!
« Reply #205 on: 25 / August / 2009, 09:56:19 »
A quick note: I believe one of the ASICs contained in the HV30 (the one including the TX19A core) is the Toshiba TMP19A64C1D, or an extremely similar derivative.

Jolly
Logged
*

Offline Jollyrogerxp

  • *
  • 40
Re: HF10 & HV30 (Digic DV II) decrypted!
« Reply #206 on: 26 / August / 2009, 16:23:55 »
Quick correction: the ASIC is almost certainly the Toshiba TMP19A64F20

Jolly
Logged
*

Offline nxb

  • *
  • 35
Re: HF10 & HV30 (Digic DV II) decrypted!
« Reply #207 on: 02 / October / 2009, 17:55:55 »
In case some of you don't frequent HV20.com, here is the JTAG info I've not had the chance to test out due to time constraints:

Jolly's Service Conector Pic, notice its 20 PIN



Toshiba Mips Connector Pinout, notice its 20 PIN

http://www.jtagtest.com/pinouts/toshiba_mips


Buffered and Unbuffered JTAG parallel interfaces are available for $10-20 on ebay but they are for ARM. They have all of the pins you need just in a different order. Here is Jolly's pdf that you can cross reference the pinouts with:
http://www.amontec.com/pub/amt_ann003.pdf


The HV20/30 connector is available from JST Connectors:

Part Number is:

20R-JMDSS-G-1-TF(S)(LF)(SN)


Datasheet: http://s000.tinyupload.com/index.php?file_id=26631546974255462655

Samples are available at http://www.jst.com/, do not try to order terminated connectors as they are board to board connectors and they cried about it. You can just solder the wires yourself.

I can't work on this until my current project wraps in December and I think that is too long to wait! If anyone doesn't have to use their camera every other day, you can dump the HV20 firmware and this project can go on.

Canon is not selling the service manuals so it would be helpful if someone scanned the dumped firmware for the key presses necessary. It might have a firmware dump function or other neato stuff. Otherwise the cable costs probably $20 to make and you just have to find pin 1. You can probably do it by checking the grounds since they are supposed to be on one side.
Logged
*

Offline nxb

  • *
  • 35
Re: HF10 & HV30 (Digic DV II) decrypted!
« Reply #208 on: 21 / October / 2009, 01:34:37 »
Get it before anyone else does. Service manual is here (free!):

http://drop.io/hidden/dvrp2khjrfobjx/asset/Y2Fub24taHYyMC1odjIwZS1zZXJ2aWNlLW1hbnVhbC1yZXBhaXItZ3VpZGUt
emlw

Proves the JTAG is in there. Unfortunately its the not connected spot. You can at least solder wires to it directly or make your own connector. Pinouts for JTAG and schematics are in there as well. As well as "service mode".
Logged
*

Offline SleeperService

  • *
  • 3
Re: HF10 & HV30 (Digic DV II) decrypted!
« Reply #209 on: 31 / October / 2011, 20:21:03 »
Hi. Does anybody still have TX19A.cpp? I get a 404 from the forum :(
Logged
Pages: 1 ... 16 17 18 19 20 [21] 22   Go Up
« previous next »
 

Related Topics