Dump of 0xFFFF0000 from 40D - DSLR Hack development - CHDK Forum
« previous next »
Pages: [1]   Go Down

Dump of 0xFFFF0000 from 40D

  • 7 Replies
  • 7083 Views
*

ASalina

Dump of 0xFFFF0000 from 40D
« on: 13 / June / 2008, 02:07:48 »
Advertisements
Attached is the 1meg dump of 0xFFFF0000.
Logged
*

Offline owerlord

  • ***
  • 115
Re: Dump of 0xFFFF0000 from 40D
« Reply #1 on: 13 / June / 2008, 03:04:21 »
Good news is, the attached loader program is at FFFF246C.
Bad news is the first IRQ only calls it with "code" = 0 :\
Logged
*

Offline owerlord

  • ***
  • 115
Re: Dump of 0xFFFF0000 from 40D
« Reply #2 on: 13 / June / 2008, 03:19:28 »
ok. camera boot's from CF if the flags are : -1,*,-1 or 0,0,-1. Flags are F8000004, 8 and C. The names and things are like in the 400D. I think you have to check what are the flags while .fir - It's easy to change them as I wrote:

FFFF69A4 loadFlags
FFFF6990 writeFlags

They load and save an aray of bytes. Copy them first to RAM like in

FFFF0E30 RunTheLoader

NEW: Ah, I forgot: the flags in 400D are -1 -1 -1 when booting.
Logged
*

Offline DataGhost

  • ****
  • 314
  • EOS 40D, S5IS
    • DataGhost.com
Re: Dump of 0xFFFF0000 from 40D
« Reply #3 on: 13 / June / 2008, 04:08:41 »
Just stopping by to point out that this dump is already present in the full 40D firmware dumps :P
Logged
*

Offline emklap

  • *
  • 45
Re: Dump of 0xFFFF0000 from 40D
« Reply #4 on: 13 / June / 2008, 04:42:12 »
I wonder what the FROMUTILITY MENU at FFFF2558 is for ?
option 5 = "5.Erase Program area (0xF8010000 -> 0xF862FFFF)"
Logged
*

Offline _MAG_

  • *
  • 47
Re: Dump of 0xFFFF0000 from 40D
« Reply #5 on: 13 / June / 2008, 05:00:08 »
hov about this:
Input start_address (ram 0x00000000 -> 0x40000000) :
Input end_address   (ram 0x00000000 -> 0x40000000) :   
Input address       (rom 0xf8000000 -> 0xf87FE000) :
so we Program area in rom. BUT maybe they size not all rom.
example. i dont know why program area start tfom 0xF8010000 and this range 0xf8000000  - 0xF8010000 why they need.
and i dont know about range 0xF862FFFF - 0xf87FE000.

I have 1 idea. This rom ranges contain critically important data and if their erased ...... :(
« Last Edit: 13 / June / 2008, 05:16:02 by _MAG_ »
Logged
*

ASalina

Re: Dump of 0xFFFF0000 from 40D
« Reply #6 on: 13 / June / 2008, 09:21:28 »
Quote from: emklap on 13 / June / 2008, 04:42:12
I wonder what the FROMUTILITY MENU at FFFF2558 is for ?
option 5 = "5.Erase Program area (0xF8010000 -> 0xF862FFFF)"

I think it's a Flash Rom Utility that talks to the Magic Console
(see sub_FFFF1D54, which is the Magic Console Output routine). The loader program attachment that owerlord is talking about contains a text menu system which has that string as one of its options. The attachment gets loaded into 0x100000 in sub_FFFF0E30 and then execution is diverted to it.

Logged
*

Offline owerlord

  • ***
  • 115
Re: Dump of 0xFFFF0000 from 40D
« Reply #7 on: 16 / June / 2008, 08:43:54 »
The untility is loaded to RAM, and then you can change FLASH-ROM with it. Like erasing and loading firmware and so.
Logged
Pages: [1]   Go Up
« previous next »
 

Related Topics