New firmware feature guide in the wiki - page 2 - General Discussion and Assistance - CHDK Forum


PhyrePhoX
Re: New firmware feature guide in the wiki
« Reply #10 on: 05 / August / 2008, 17:49:09 »
hm, you used the linux toolchain, things seem to look different in the program i use. can you maybe just gimme the addresses of these two functions for the s3is so i can "reverse engineer" your tutorial?

fudgey
Re: New firmware feature guide in the wiki
« Reply #11 on: 06 / August / 2008, 15:59:23 »
Well, S3IS addresses them in a different way, so the tutorial doesn't apply to it step by step.

Strings:
ff974ff0 EnterToCompensationEVF
ff974fd8 ExitFromCompensationEVF

Find where the string pointers are stored:
ff97488c:       ff9765c8        undefined instruction 0xff9765c8
ff974890:       ff974ff0        undefined instruction 0xff974ff0 <--
ff974894:       ff9765ec        undefined instruction 0xff9765ec
ff974898:       ff974fd8        undefined instruction 0xff974fd8 <--
ff97489c:       ff9765fc        undefined instruction 0xff9765fc

Ok, look, the pointers are right there next to each other. This is not code but it's some sort of a list instead. There's one word between these two pointers, and none of the words next to them point to strings. So, it's fair to assume that this is a table with addresses to string, code, string, code etc. Or maybe code, string, code, string...remains to be seen.

The pointer between these two string pointers is then surely attached to one of these functions. Let's see what we find there:
ff9765ec:       e52de004        push    {lr}            ; (str lr, [sp, #-4]!)
ff9765f0:       eb000960        bl      ff978b78 <_binary_______primaries_s3is_sub_100a_PRIMARY_BIN_start+0x168b78>
ff9765f4:       e3a00000        mov     r0, #0  ; 0x0
ff9765f8:       e49df004        pop     {pc}            ; (ldr pc, [sp], #4)

Ok, it doesn't do much, basically it just jumps to ff978b78 and returns. Let's see what happens there:
ff978b78:       e52de004        push    {lr}            ; (str lr, [sp, #-4]!)
ff978b7c:       e59f3048        ldr     r3, [pc, #72]   ; ff978bcc VALUE:<0000664c>
ff978b80:       e5932000        ldr     r2, [r3]
ff978b84:       e3a01e76        mov     r1, #1888       ; 0x760
ff978b88:       e3520000        cmp     r2, #0  ; 0x0
ff978b8c:       e59f003c        ldr     r0, [pc, #60]   ; ff978bd0 VALUE:<ff97736c> STRING:<ShootCtrl.c>
ff978b90:       e2811009        add     r1, r1, #9      ; 0x9
ff978b94:       1a000000        bne     ff978b9c <_binary_______primaries_s3is_sub_100a_PRIMARY_BIN_start+0x168b9c>
ff978b98:       ebfa6bf8        bl      ff813b80 <_binary_______primaries_s3is_sub_100a_PRIMARY_BIN_start+0x3b80>
ff978b9c:       e59f1030        ldr     r1, [pc, #48]   ; ff978bd4 VALUE:<00092e2c>
ff978ba0:       e3a0001a        mov     r0, #26 ; 0x1a
ff978ba4:       e3a02002        mov     r2, #2  ; 0x2
ff978ba8:       ebfaaf77        bl      ff82498c <_binary_______primaries_s3is_sub_100a_PRIMARY_BIN_start+0x1498c>
ff978bac:       e3a01e76        mov     r1, #1888       ; 0x760
ff978bb0:       e3100001        tst     r0, #1  ; 0x1
ff978bb4:       e281100a        add     r1, r1, #10     ; 0xa
ff978bb8:       e59f0010        ldr     r0, [pc, #16]   ; ff978bd0 VALUE:<ff97736c> STRING:<ShootCtrl.c>
ff978bbc:       0a000000        beq     ff978bc4 <_binary_______primaries_s3is_sub_100a_PRIMARY_BIN_start+0x168bc4>
ff978bc0:       ebfa6bee        bl      ff813b80 <_binary_______primaries_s3is_sub_100a_PRIMARY_BIN_start+0x3b80>
ff978bc4:       e49de004        pop     {lr}            ; (ldr lr, [sp], #4)
ff978bc8:       ea00061f        b       ff97a44c <_binary_______primaries_s3is_sub_100a_PRIMARY_BIN_start+0x16a44c>

The last few instructions are laid out pretty similarly to those from my a570is 1.00e EnterToCompensationEVF (and that's where the real stuff is; the start is just various checks that apparently are different in s3is).

So, entry point 0xff978b78 for EnterToCompensationEVF is what I'd try.

Let's find the other one too. The list that was found first had a string pointer and a code pointer. From the EnterTo* function it looks like string pointer is first and code pointer after it. So, let's look at ff9765fc for the ExitFrom* function link:
ff9765fc:       e52de004        push    {lr}            ; (str lr, [sp, #-4]!)
ff976600:       eb000974        bl      ff978bd8 <_binary_______primaries_s3is_sub_100a_PRIMARY_BIN_start+0x168bd8>
ff976604:       e3a00000        mov     r0, #0  ; 0x0
ff976608:       e49df004        pop     {pc}            ; (ldr pc, [sp], #4)

So, our suspected entry point is 0xff978bd8 for ExitFromCompensationEVF:
ff978bd8:       e52de004        push    {lr}            ; (str lr, [sp, #-4]!)
ff978bdc:       e59f3020        ldr     r3, [pc, #32]   ; ff978c04 VALUE:<0000664c>
ff978be0:       e5932000        ldr     r2, [r3]
ff978be4:       e3a01e77        mov     r1, #1904       ; 0x770
ff978be8:       e3520000        cmp     r2, #0  ; 0x0
ff978bec:       e59f0014        ldr     r0, [pc, #20]   ; ff978c08 VALUE:<ff97736c> STRING:<ShootCtrl.c>
ff978bf0:       e2811001        add     r1, r1, #1      ; 0x1
ff978bf4:       1a000000        bne     ff978bfc <_binary_______primaries_s3is_sub_100a_PRIMARY_BIN_start+0x168bfc>
ff978bf8:       ebfa6be0        bl      ff813b80 <_binary_______primaries_s3is_sub_100a_PRIMARY_BIN_start+0x3b80>
ff978bfc:       e49de004        pop     {lr}            ; (ldr lr, [sp], #4)
ff978c00:       ea00061d        b       ff97a47c <_binary_______primaries_s3is_sub_100a_PRIMARY_BIN_start+0x16a47c>

It's not very similar to the a570is function but it's pretty much the same length so chances are real good.

PhyrePhoX
Re: New firmware feature guide in the wiki
« Reply #12 on: 06 / August / 2008, 16:34:07 »
omg this actually works!
thank you! now with my fast_ev switch in the collaborative build you can quickly increase or decrease ev and see the result instantly - without having to enter the menu. attached is a build for the s3is. you have to enable fast_ev switch in the photo overrides menu. then by pressing up/down you increase ev. preview screen gets instantly brighter or darker. actually i just used EnterToCompensationEVF() in this case, because exiting isn't needed (you can exit or reset it by switching mode dial or something).

alright, i guess this "magic" you do with asm cannot be put into a signature file or idc script to feed ida with it to then gain the addresses for the other cameras automatically?
i guess i really have to understand your steps. right now it's all gibberish to me :D
thanks!

fudgey
Re: New firmware feature guide in the wiki
« Reply #13 on: 06 / August / 2008, 19:02:20 »
> omg this actually works!
> thank you! now with my fast_ev switch in the collaborative build you can quickly increase or decrease ev and see the result instantly - without having to enter the menu. attached is a build for the s3is. you have to enable fast_ev switch in the photo overrides menu. then by pressing up/down you increase ev. preview screen gets instantly brighter or darker. actually i just used EnterToCompensationEVF() in this case, because exiting isn't needed (you can exit or reset it by switching mode dial or something).

Cool.

Does this make zebra and histogram work accurately without a half shutter press?

> alright, i guess this "magic" you do with asm cannot be put into a signature file or idc script to feed ida with it to then gain the addresses for the other cameras automatically?
> i guess i really have to understand your steps. right now it's all gibberish to me :D
> thanks!

I don't have IDA, but anything that has a clear logic can obviously be scripted. Signatures for the tools in trunk are probably something that can be done. I haven't looked at those much so I don't know if they're just copy&pastes from some random firmwares or whether they have been modified somehow.

You'll probably need to understand some basics of asm and processor architectures before you can comfortably dig into the ARM assembly and architecture manuals, because ARM is not the smallest and simplest processor out there. Starting with a primer for some decades-old 8-bit microcontroller with a narrow instruction set could be a convenient start. When you get past all the icky instruction abbreviations and addressing methods and their syntaxes, it's kind of like obfuscated BASIC. :D
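The string -> pointer table -> thunk -> BL chain fudgey walks through in Reply #11, and the scripting PhyrePhoX asks about, as an added Python example (not code from the thread, from CHDK, or from any of the tools in trunk): it rebuilds only the S3IS words quoted in the thread into a constructed image at load address 0xff810000 (assumed from the PRIMARY_BIN_start+0x168b78 == 0xff978b78 symbols) and resolves both entry points automatically.

```python
import struct
ROMBASE = 0xFF810000  # assumed from PRIMARY_BIN_start+0x168b78 == 0xff978b78 in the thread

def build_sample_firmware():
    """Constructed mini S3IS image: only the words quoted in the thread are filled in, the rest is zero."""
    img = bytearray(0x169000)
    for addr, text in ((0xFF974FF0, "EnterToCompensationEVF"), (0xFF974FD8, "ExitFromCompensationEVF")):
        img[addr - ROMBASE:addr - ROMBASE + len(text) + 1] = text.encode() + b"\0"
    # pointer table at ff97488c: ..., string ptr, code ptr, string ptr, code ptr
    words = {0xFF97488C + 4 * i: v for i, v in enumerate((0xFF9765C8, 0xFF974FF0, 0xFF9765EC, 0xFF974FD8, 0xFF9765FC))}
    for thunk, bl in ((0xFF9765EC, 0xEB000960), (0xFF9765FC, 0xEB000974)):  # push {lr}; bl ..; mov r0,#0; pop {pc}
        words.update({thunk + 4 * i: w for i, w in enumerate((0xE52DE004, bl, 0xE3A00000, 0xE49DF004))})
    for addr, value in words.items():
        struct.pack_into("<I", img, addr - ROMBASE, value)
    return bytes(img)

def read_word(img, addr):
    return struct.unpack_from("<I", img, addr - ROMBASE)[0]

def find_cstring(img, text):
    """ROM address of the first NUL-terminated occurrence of text."""
    return ROMBASE + img.index(text.encode() + b"\0")

def find_pointers_to(img, addr):
    """ROM addresses of every word-aligned little-endian word equal to addr."""
    needle, hits = struct.pack("<I", addr), []
    off = img.find(needle)
    while off != -1:
        if off % 4 == 0:
            hits.append(ROMBASE + off)
        off = img.find(needle, off + 1)
    return hits

def decode_bl(word, addr):
    """Target of an unconditional ARM BL (0xEBxxxxxx) at addr, or None if word is not one."""
    if word >> 24 != 0xEB:
        return None
    imm24 = (word & 0xFFFFFF) - (0x1000000 if word & 0x800000 else 0)  # sign-extend 24-bit offset
    return (addr + 8 + (imm24 << 2)) & 0xFFFFFFFF                       # PC reads as addr+8 on ARM

def resolve_entry(img, name):
    """fudgey's recipe: string -> table entry -> following code pointer (thunk) -> BL target."""
    for ref in find_pointers_to(img, find_cstring(img, name)):
        thunk = read_word(img, ref + 4)  # the code pointer sits right after the string pointer
        if not ROMBASE <= thunk < ROMBASE + len(img) or read_word(img, thunk) != 0xE52DE004:
            continue                     # not a push {lr} thunk: try the next reference
        for i in range(1, 4):            # the BL should be one of the next few words
            target = decode_bl(read_word(img, thunk + 4 * i), thunk + 4 * i)
            if target is not None:
                return target
    return None
```

On a real dump, replace build_sample_firmware() with the file contents and set ROMBASE to the platform's ROMBASEADDR from makefile.inc; a firmware whose strings or pointers land unaligned (the "bad" disassemblies mentioned later in the thread) will simply yield no hit.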


PhyrePhoX
Re: New firmware feature guide in the wiki
« Reply #14 on: 06 / August / 2008, 20:10:55 »
well, attached are two "screenshots" of this new function in effect.
one is with ev 0, the other one is with ev 2. the blue canon histogram i just enabled for reference to show you that the chdk histogram works correctly (actually when i enable the canon histogram i don't need to call ev compensation, but like i said, it's just for reference, i get the same effect when i disable it). in the fast_ev options of the collabobuild i set the step size to 2. so between these two pics i only pressed "UP" once, to increase ev by two, screen instantly shows the result. also zebra works correctly. would have loved to do a video, but my cellphone can only go macro in photomode.
so, question is, are you willing to find out these addresses for the other cams as well? tedious job, tedious job that i can say :D
thanks for the tips on asm and so on, will get me a book one of these days.

p.s. i wonder if this function works on ixuses, since afaik they dont have manual ev correction, or do they?

fudgey
Re: New firmware feature guide in the wiki
« Reply #15 on: 27 / August / 2008, 17:58:53 »
Entry points to EnterToCompensationEVF and ExitFromCompensationEVF for some firmwares. Needless to say most haven't been tested.

platform        sub   EnterToC*  ExitFromC*
-------------------------------------------
a450            100d  ffe8b110   ffe8b194
a540            100b  ffd43ac8   ffd43b28
a560            100a  ffe90258   ffe902dc
a570            100e  ffea4f84   ffea5008
a570            101a  ffea4ff8   ffea507c
a610            100e  ffd34f38   ffd34f98
a610            100f  ffd352c0   ffd35320
a620            100f  ffd35c44   ffd35ca4
a630            100c  ffd4fd90   ffd5337c
a640            100b  ffd5235c   ffd55be0
a700            100b  ffd4424c   ffd442ac
a710            100a  ffd58f08   ffd5c524
ixus70_sd1000   100c  ffafaa6c   ffafaaf0
ixus70_sd1000   101b  ffafaae0   ffafaae0
ixus70_sd1000   100c  ffafab60   ffafabe4
s3is            100a  ff978b78   ff978bd8
s5is            101b  ff827fa8   ff82809c
tx1             101b  ffb26938   ffb269bc

PhyrePhoX
Re: New firmware feature guide in the wiki
« Reply #16 on: 28 / August / 2008, 09:00:12 »
confirmed for a620. thanks! i assume the other addresses also are correct, as you have proven multiple times now that you know your way around in a firmware disass ;)
will cook a patch tonight, along with some other stuff.

fudgey
Re: New firmware feature guide in the wiki
« Reply #17 on: 28 / August / 2008, 13:36:31 »
> confirmed for a620. thanks! i assume the other addresses also are correct, as you have proven multiple times now that you know your way around in a firmware disass ;)
> will cook a patch tonight, along with some other stuff.

There may very well be stupid mistakes in copy-pasting things to that list from the disassemblies, I didn't triple check them. But each one of the addresses I meant to add to the list looked like a proper function. :D

There's probably no reason why all others couldn't be found as well, I just got plenty bored and tired of it and stopped... btw some disassemblies turned out bad, I guess I have unaligned firmware dumps...? I ran Chr's gpl disassembly script recursively (modified my old disassemble all bash script) using start addresses from makefile.inc ROMBASEADDR and dumps collected from the fw dump thread...

a460 100d, a530 100a, a650 100d, a720 100c, s5is 100a were among the bad ones.


PhyrePhoX
Re: New firmware feature guide in the wiki
« Reply #18 on: 28 / August / 2008, 14:28:07 »
yeah, a bunch of these dumps don't have stripped zeros afaik. we will see what people will say. i guess when the addresses are wrong, camera will freeze or shutdown.

fudgey
Re: New firmware feature guide in the wiki
« Reply #19 on: 28 / August / 2008, 15:28:14 »
> yeah, a bunch of these dumps don't have stripped zeros afaik. we will see what people will say. i guess when the addresses are wrong, camera will freeze or shutdown.

Hmm.. I took a look at the a530 disassembly and it's aligned properly...kind of... it works now and I wrote about it here: http://chdk.setepontos.com/index.php/topic,1918.msg20564.html#msg20564.

 
