Emulating Digicam with QEMU - page 2 - General Discussion and Assistance - CHDK Forum

Emulating Digicam with QEMU


Offline fudgey

  • *****
  • 1705
  • a570is
Re: Emulating Digicam with QEMU
« Reply #10 on: 01 / August / 2008, 10:49:39 »
The comments are intended. But you can't find any strings after ldr/add/sub ???
is pointer to pointer ... my script doesn't look up that, yet. But it should be easy to hack. I haven't thought about this.
Any more ideas for the next script version? ;)

Yes the comment was obviously working properly. But now that you made me look closer, yes there is one subvs instruction and a few dozen ldr instructions with strings, no adds. Mostly these strings are junk. There's a reason I made my script look up those pointers to pointers... that's how the strings are addressed in the a570is 1.00e firmware. Apparently the firmware(s?) you tested were compiled somewhat differently from mine?

*

Offline fudgey

  • *****
  • 1705
  • a570is
Re: Emulating Digicam with QEMU
« Reply #11 on: 02 / August / 2008, 04:39:16 »
Oh and since you asked for feature suggestions...

It would be great if the disassembly would include data from CHDK stubs as comments (of course with some kind of a remark from which file this information was taken; it may be incorrect after all especially if it's something newly ported and coming from signatures) for both function stubs (stubs_entry_2.S and if not found from there, stubs_entry.S) and memory location stubs (stubs_min.S).

Maybe add a comment line before each matching line of disassembly and before each line that loads one of those addresses or jumps to one, for example just a copy of the stub (a copy may be a good idea because some have comments):

; CHDK stubs_min.S: DEF(movie_status, 0xA30C8)
fff26bb0:       e59f2024        ldr     r2, [pc, #36]   ; fff26bdc VALUE:<000a30c8>

*

Offline chr

  • ***
  • 138
  • IXUS 82 IS
Re: Emulating Digicam with QEMU
« Reply #12 on: 07 / August / 2008, 10:31:25 »
OK, I put the next version in the wiki:

GPL:disassemble.pl - CHDK Wiki

It also looks up pointers to string pointers.

Including stubs_entry is not in, yet. I just started to port my cam ;)



*

Offline chr

  • ***
  • 138
  • IXUS 82 IS
Re: Emulating Digicam with QEMU
« Reply #13 on: 07 / August / 2008, 18:27:58 »
Hi!

Just hacking:

1. BUG in my disassemble.pl: unaligned strings are not handled ...

ffb114a1 GetCurrentAvValue
ffb114b3 Bat_Save
ffb114bc StopBDrive

2.
I got a
Dry>
in qemu :)

=== Dry-shell start ===
qemu: fatal: Trying to execute code outside RAM or ROM at 0xe59ff014

Mh, there is more ROM to dump. Since I have no cam with chdk and a hexdump on it ... which parts am I missing?

I found refs like this:

ff9367dc:   e24f10b0    sub r1, pc, #176    ; ff936734: (e92d4010)
ff9367e0:   e28f0f41    add r0, pc, #260    ; ff9368ec: (776f6853)  *"ShowSDStatus"
ff9367e4:   ebfcccf3    bl  ff869bb8 <_binary_dump_bin_start+0x59bb8>
ff9367e8:   e24f10ac    sub r1, pc, #172    ; ff936744: (eafbade2)
ff9367ec:   e28f0f42    add r0, pc, #264    ; ff9368fc: (53746547)  *"GetSDDetect"
ff9367f0:   ebfcccf0    bl  ff869bb8 <_binary_dump_bin_start+0x59bb8>
ff9367f4:   e24f10b4    sub r1, pc, #180    ; ff936748: (eafbade3)
ff9367f8:   e28f0f42    add r0, pc, #264    ; ff936908: (53746547)  *"GetSDProtect"

e92d4010 ... eafbade2

Mh, I dumped 0xea000000 (or 0xe900000, don't remember, already deleted that file); it looked the same as the stuff at 0xff810000.

3.
Is there no Thumb code in Canon's ROM?



*

Offline ewavr

  • ****
  • 1057
  • A710IS
Re: Emulating Digicam with QEMU
« Reply #14 on: 07 / August / 2008, 20:11:31 »
It seems that 0xEnnnnnnn is opcodes, not addresses...

qemu: fatal: Trying to execute code outside RAM or ROM at 0xe59ff014
e59ff014    ldr   pc, [pc, #20]
Quote
e92d4010 ... eafbade2
e92d4010    stmdb   sp!, {r4, lr}
eafbade2    b (some address)   

Use IDA  :D.

ROM:FF9367DC                 ADR     R1, ShowSDStatus
ROM:FF9367E0                 ADR     R0, aShowsdstatus ; "ShowSDStatus"
ROM:FF9367E4                 BL      ExportToEventProcedure
ROM:FF9367E8                 ADR     R1, GetSDDetect
ROM:FF9367EC                 ADR     R0, aGetsddetect ; "GetSDDetect"
ROM:FF9367F0                 BL      ExportToEventProcedure
ROM:FF9367F4                 ADR     R1, GetSDProtect
ROM:FF9367F8                 ADR     R0, aGetsdprotect ; "GetSDProtect"
ROM:FF9367FC                 BL      ExportToEventProcedure

ROM:FF936734 ShowSDStatus                            ; DATA XREF: Driver.Create+7Co
ROM:FF936734                 STMFD   SP!, {R4,LR}
ROM:FF936738                 BL      sub_FF821E94
ROM:FF93673C                 MOV     R0, #0
ROM:FF936740                 LDMFD   SP!, {R4,PC}

ROM:FF936744 GetSDDetect                             ; DATA XREF: Driver.Create+88o
ROM:FF936744                 B       sub_FF821ED4

ROM:FF936748 GetSDProtect                            ; DATA XREF: Driver.Create+94o
ROM:FF936748                 B       sub_FF821EDC
« Last Edit: 07 / August / 2008, 20:22:49 by ewavr »

*

Offline chr

  • ***
  • 138
  • IXUS 82 IS
Re: Emulating Digicam with QEMU
« Reply #15 on: 07 / August / 2008, 21:17:08 »
It seems that 0xEnnnnnnn is opcodes, not addresses...

Quote
e92d4010 ... eafbade2
I just (my eyes) << 1 and I saw ff936734 and ff936744 :lol:


Use IDA  :D.


How about 0xffaa4c98 in the sd1100 dump ... what's that? ??? ;)


*

Offline ewavr

  • ****
  • 1057
  • A710IS
Re: Emulating Digicam with QEMU
« Reply #16 on: 08 / August / 2008, 03:10:18 »
How about 0xffaa4c98 in the sd1100 dump ... what's that? ??? ;)
ROM:FFAA4C98 sub_FFAA4C98                            ; CODE XREF: sub_FF813C40+24p
ROM:FFAA4C98                                         ; sub_FF821C58+40p ...
ROM:FFAA4C98                 SUBS    R2, R2, #0x20
ROM:FFAA4C9C                 STMFD   SP!, {R4,LR}
ROM:FFAA4CA0                 BCC     loc_FFAA4CBC
ROM:FFAA4CA4
ROM:FFAA4CA4 loc_FFAA4CA4                            ; CODE XREF: sub_FFAA4C98+20j
ROM:FFAA4CA4                 LDMCSIA R1!, {R3,R4,R12,LR}
ROM:FFAA4CA8                 STMCSIA R0!, {R3,R4,R12,LR}
ROM:FFAA4CAC                 LDMCSIA R1!, {R3,R4,R12,LR}
ROM:FFAA4CB0                 STMCSIA R0!, {R3,R4,R12,LR}
ROM:FFAA4CB4                 SUBCSS  R2, R2, #0x20
ROM:FFAA4CB8                 BCS     loc_FFAA4CA4
ROM:FFAA4CBC
ROM:FFAA4CBC loc_FFAA4CBC                            ; CODE XREF: sub_FFAA4C98+8j
ROM:FFAA4CBC                 MOVS    R12, R2,LSL#28
ROM:FFAA4CC0                 LDMCSIA R1!, {R3,R4,R12,LR}
ROM:FFAA4CC4                 STMCSIA R0!, {R3,R4,R12,LR}
ROM:FFAA4CC8                 LDMMIIA R1!, {R3,R4}
ROM:FFAA4CCC                 STMMIIA R0!, {R3,R4}
ROM:FFAA4CD0                 MOVS    R12, R2,LSL#30
ROM:FFAA4CD4                 LDMFD   SP!, {R4,LR}
ROM:FFAA4CD8                 LDRCS   R3, [R1],#4
ROM:FFAA4CDC                 STRCS   R3, [R0],#4
ROM:FFAA4CE0                 MOVEQ   PC, LR
ROM:FFAA4CE4
ROM:FFAA4CE4 loc_FFAA4CE4                            ; CODE XREF: sub_FFAA4B30+4j
ROM:FFAA4CE4                                         ; sub_FFAA4B30+40j ...
ROM:FFAA4CE4                 MOVS    R2, R2,LSL#31
ROM:FFAA4CE8                 LDRMIB  R2, [R1],#1
ROM:FFAA4CEC                 LDRCSB  R3, [R1],#1
ROM:FFAA4CF0                 LDRCSB  R12, [R1],#1
ROM:FFAA4CF4                 STRMIB  R2, [R0],#1
ROM:FFAA4CF8                 STRCSB  R3, [R0],#1
ROM:FFAA4CFC                 STRCSB  R12, [R0],#1
ROM:FFAA4D00                 MOV     PC, LR
ROM:FFAA4D00 ; End of function sub_FFAA4C98

*

Offline chr

  • ***
  • 138
  • IXUS 82 IS
Re: Emulating Digicam with QEMU
« Reply #17 on: 08 / August / 2008, 09:40:05 »
How about 0xffaa4c98 in the sd1100 dump ... what's that? ??? ;)
ROM:FFAA4C98 sub_FFAA4C98                            ; CODE XREF: sub_FF813C40+24p
...
Mh, this does not answer my question ... or I must ask more precisely: What does it do? It's called from many interesting functions ... e.g. while putting acid on a diskboot.bin
So IDA has no idea about "sub_FFAA4C98" either.

*

Offline fudgey

  • *****
  • 1705
  • a570is
Re: Emulating Digicam with QEMU
« Reply #18 on: 10 / August / 2008, 06:52:42 »
1. BUG in my disassemble.pl: unaligned strings are not handled ...

ffb114a1 GetCurrentAvValue
ffb114b3 Bat_Save
ffb114bc StopBDrive

Are they ever referenced with those addresses? I.e. could the strings file be preprocessed to align them?
ffb114bc is aligned, isn't it?

*

Offline chr

  • ***
  • 138
  • IXUS 82 IS
Re: Emulating Digicam with QEMU
« Reply #19 on: 10 / August / 2008, 13:47:02 »
1. BUG in my disassemble.pl: unaligned strings are not handled ...

ffb114a1 GetCurrentAvValue
ffb114b3 Bat_Save
ffb114bc StopBDrive

Are they ever referenced with those addresses? I.e. could the strings file be preprocessed to align them?
ffb114bc is aligned, isn't it?


I found many strings 0x0-padded to 4-byte alignment, but also strings terminated by only a single 0x0. The only thing we are missing is the insert:

"GetCurrentAvValue":
ffb114a1  blahblah ...

Ah, I also wrote a stubs2diss.pl  8)

Anyone want it?
