Help Dumping Firmware for SD1000/IXUS 70 - Firmware Dumping - CHDK Forum  

Help Dumping Firmware for SD1000/IXUS 70
« on: 24 / December / 2007, 06:32:17 »
Hi,

I've recently purchased a SD1000, so I am currently working on getting the firmware dumped for this camera.  This is the first camera that I have attempted to dump the firmware from, and I'm finding some of the info in the Wiki a bit vague and/or confusing and would greatly appreciate it if someone with experience dumping firmware could chime in.

Here is what I have done thus far:

  • I am using the Phototransistor/Camera LED Blinking method to get the firmware.
    • Phototransistor is wired up to a 3.5mm Headphone plug connected to the mic-in of soundcard on computer
    • I can verify that I am getting a response to light by the Phototransistor
  • I have modified the G7 blinker to work with the SD1000
    • Changed LED Addresses
    • Cam ID in Make.bat
  • I have compiled the blinker source on Windows.
    • One FIR file with Starting Address: 0xFF800000
    • One FIR file with Starting Address: 0xFFA00000
  • I am using Audacity to record the blinking
    • 96kHz
    • 16 Bit (8-bit not selectable)
    • Mono
  • The blinking finished in about 45 minutes (per FIR file)
  • Exported RAW file of recording
    • 8-Bit Unsigned PCM

Questions:
  • Once I have recorded the blinking, do I need to do anything to the files before processing them with ADC.exe?
  • Why do I do the recording twice (starting at 0xFF800000 and then again from 0xFFA00000)?  Am I supposed to merge these two files and process the merged file with ADC.exe?
  • When I run ADC.exe on the exported files (merged or individual), I get a lot of lines saying "Sync Error!".  What does this mean and how do I fix it?

Thanks a lot for any info or assistance you can offer.
« Last Edit: 24 / December / 2007, 06:47:14 by Sokoban »

Offline GrAnd

Re: Help Dumping Firmware for SD1000/IXUS 70
« Reply #1 on: 24 / December / 2007, 06:54:44 »
What is the version of your camera firmware? I'm asking because the 1.01B was already dumped.

Then... The G7-based blinker is intended to work with a serial port. It does not encode the firmware for ADC.exe recognition.
CHDK Developer.

Re: Help Dumping Firmware for SD1000/IXUS 70
« Reply #2 on: 24 / December / 2007, 07:26:48 »
Yes, I noticed that this page states that the firmware for the SD1000 has been dumped, however, I have not been able to find out where I can download it from. Is the firmware available for download somewhere on the web? (And yes, my firmware is also 1.01B)

Also, thanks for the clarification regarding the G7 blinker.  I'll compile the other blinker software (blinker.rar from http://grandag.nm.ru/hdk/blinker/, right?) and see what kind of results I get.  If I can indeed download the firmware, then that would make things quite a bit easier, but nonetheless, I'm mostly going through all the steps (dumping the firmware, etc.) just for the fun of it :)

Thanks again for the info GrAnd.
« Last Edit: 24 / December / 2007, 07:29:08 by Sokoban »

Offline GrAnd

Re: Help Dumping Firmware for SD1000/IXUS 70
« Reply #3 on: 24 / December / 2007, 07:36:35 »
Yes, I noticed that this page states that the firmware for the SD1000  has been dumped, however, I have not been able to find out where I can download it from.  Is the firmware available download somewhere on the web? (And yes, my firmware is also 1.01B)
The link was in one of the discussion threads on the dpreview forum. As I do not remember the old location, I've re-uploaded the file - SD1000 1.01B firmware dump.

Also, thanks for the clarification regarding the G7 blinker.  I'll compile the other blinker software (blinker.rar from http://grandag.nm.ru/hdk/blinker/, right?) and see what kind of results I get.  If I can indeed download the firmware, then that would make things quite a bit easier, but nonetheless, I'm mostly going through all the steps (dumping the firmware, etc.) just for the fun of it :)
Yes. This blinker is for sound-card dumping. Read this section in the wiki (and corresponding discussion) if you did not.
« Last Edit: 24 / December / 2007, 07:50:06 by GrAnd »
CHDK Developer.


Re: Help Dumping Firmware for SD1000/IXUS 70
« Reply #4 on: 24 / December / 2007, 16:54:24 »
The link was in one of the discussion threads on the dpreview forum. As I do not remember the old location, I've re-uploaded the file - SD1000 1.01B firmware dump.

Thanks very much :)

BTW, would it be okay for me to add this link to the SD1000 page in the Wiki so that others can find it easily? (As I said, I'm new here, so I don't want to step on anyone's toes)

Yes. This blinker is for sound-card dumping. Read this section in the wiki (and corresponding discussion) if you did not.

Yep, I read both of those pages.  I guess I was just unsure of which software to use since the G7 blinker and blinker.rar were both listed in the link to the blinker software to use for soundcard input on that page in the Wiki.

Before I dive in, any thoughts on why CHDK was never ported to the SD1000 if the firmware dump was available?  Maybe someone knows of some pitfalls that I may encounter?

Thanks again :)

Offline quietschi

Re: Help Dumping Firmware for SD1000/IXUS 70
« Reply #5 on: 08 / January / 2008, 12:58:16 »
Hi Sokoban

I also have an SD1000/IXUS 70, but with firmware version 102a.
The dump is available at

http://www.zshare.net/download/63129850141872/

Have you started porting the dump?

greetings quietschi

Offline quietschi

Re: Help Dumping Firmware for SD1000/IXUS 70
« Reply #6 on: 09 / January / 2008, 12:44:55 »
Hi Developers

I've started porting the SD1000 102a dump. Here is what I have found out so far. Maybe someone can check it.

boot.c
___________________________________________________________

#include "lolevel.h"
#include "platform.h"
#include "core.h"

/* Ours stuff */
extern long wrs_kernel_bss_start;
extern long wrs_kernel_bss_end;
extern void createHook (void *pNewTcb);
extern void deleteHook (void *pTcb);


void boot();

/* "relocated" functions */
void __attribute__((naked,noinline)) h_usrInit();
void __attribute__((naked,noinline)) h_usrKernelInit();
void __attribute__((naked,noinline)) h_usrRoot();



void boot()
{
    long *canon_data_src = (void*)0xFFB88020;
    long *canon_data_dst = (void*)0x1900;
    long canon_data_len = 0xCA00;
    long *canon_bss_start = (void*)0xE300; // just after data
    long canon_bss_len = 0xBEF70 - 0xE300;
    long i;

    asm volatile (
   "MRC     p15, 0, R0,c1,c0\n"
   "ORR     R0, R0, #0x1000\n"
   "ORR     R0, R0, #4\n"
   "ORR     R0, R0, #1\n"
   "MCR     p15, 0, R0,c1,c0\n"
    :::"r0");

    /* copy Canon's .data image from ROM into RAM, one word at a time */
    for(i=0;i<canon_data_len/4;i++)
   canon_data_dst[i]=canon_data_src[i];

    /* zero Canon's .bss */
    for(i=0;i<canon_bss_len/4;i++)
   canon_bss_start[i]=0;

    asm volatile (
   "MRC     p15, 0, R0,c1,c0\n"
   "ORR     R0, R0, #0x1000\n"
   "BIC     R0, R0, #4\n"
   "ORR     R0, R0, #1\n"
   "MCR     p15, 0, R0,c1,c0\n"
    :::"r0");

    h_usrInit();
}


void h_usrInit()
{
    asm volatile (
   "STR     LR, [SP,#-4]!\n"
   "BL      sub_FF811968\n"
   "MOV     R0, #2\n"
   "MOV     R1, R0\n"
   "BL      sub_FF919D64\n"
   "BL      sub_FF90DE5C\n" //excVecInit
   "BL      sub_FF8111C4\n"
   "BL      sub_FF811728\n"
   "LDR     LR, [SP],#4\n"
   "B       h_usrKernelInit\n"
    );
}

void  h_usrKernelInit()
{
    asm volatile (
   "STMFD   SP!, {R4,LR}\n"
   "SUB     SP, SP, #8\n"
   "BL      sub_FF91A264\n" //classLibInit
   "BL      sub_FF92A390\n" //taskLibInit
   "LDR     R3, =0x59C0\n"
   "LDR     R2, =0xBBFE0\n"
   "LDR     R1, [R3]\n"
   "LDR     R0, =0xBCC30\n"
   "MOV     R3, #0x100\n"
   "BL      sub_FF925F80\n" //qInit
   "LDR     R3, =0x5980\n"
   "LDR     R0, =0x5D20\n"
   "LDR     R1, [R3]\n"
   "BL      sub_FF925F80\n" //qInit
   "LDR     R3, =0x5A3C\n"
   "LDR     R0, =0xBCC04\n"
   "LDR     R1, [R3]\n"
   "BL      sub_FF925F80\n" //qInit
   "BL      sub_FF92E74C\n" //workQInit
   "BL      sub_FF8112AC\n"
   "MOV     R4, #0\n"
   "MOV     R3, R0\n"
   "MOV     R12, #0x800\n"
   "LDR     R0, =h_usrRoot\n"
   "MOV     R1, #0x4000\n"
   "LDR     R2, =0xEEF70\n" // 0xBEF70 + 0x30000
   "STR     R12, [SP]\n"
   "STR     R4, [SP,#4]\n"
   "BL      sub_FF9275D0\n" //kernelInit
   "ADD     SP, SP, #8\n"
   "LDMFD   SP!, {R4,PC}\n"
    );
}

static long drv_struct[16];
 
static long dh_err()
{
    return -1;
}

static void drv_self_hide()
{
    long drvnum;
   
    drvnum = _iosDrvInstall(dh_err,dh_err,dh_err,dh_err,dh_err,dh_err,dh_err);
    if (drvnum >= 0)
   _iosDevAdd(drv_struct, "A/DISKBOOT.BIN", drvnum);
}


void  h_usrRoot()
{
    asm volatile (
   "STMFD   SP!, {R4,R5,LR}\n"
   "MOV     R5, R0\n"
   "MOV     R4, R1\n"
   "BL      sub_FF8119D0\n"
   "MOV     R1, R4\n"
   "MOV     R0, R5\n"
   "BL      sub_FF91ED1C\n" //memInit
   "MOV     R1, R4\n"
   "MOV     R0, R5\n"
   "BL      sub_FF91F794\n" //memPartLibInit
   "BL      sub_FF8117E8\n" //nullSub_1
   "BL      sub_FF811704\n"
   "BL      sub_FF811A0C\n"
   "BL      sub_FF8119F0\n"
   "BL      sub_FF811A38\n"
   "BL      sub_FF8119C4\n"
    );

    _taskCreateHookAdd(createHook);
    _taskDeleteHookAdd(deleteHook);

    drv_self_hide();

    asm volatile (
   "LDMFD   SP!, {R4,R5,LR}\n"
   "B       sub_FF81136C\n" //IsEmptyWriteCache_2
    );
}

_________________________________________________

makefile.inc

_________________________________________________

#0x314F
PLATFORMID=12623

MEMBASEADDR=0x1900
RESTARTSTART=0x50000
MEMISOSTART=0xBEF70
MEMISOSIZE=0x30000
ROMBASEADDR=0xff810000

TARGET_PRIMARY=$(topdir)platform/$(PLATFORM)/sub/$(PLATFORMSUB)/PRIMARY.BIN

PLFLAGS=-DMEMBASEADDR=$(MEMBASEADDR) -DMEMISOSTART=$(MEMISOSTART) -DMEMISOSIZE=$(MEMISOSIZE)
PLFLAGS+=-DRESTARTSTART=$(RESTARTSTART)

_______________________________________________________


stubs_entry_2.s

_________________________________________________________

#include "stubs_asm.h"


NHSTUB(Close,  0xFFA9A008)
NHSTUB(Read,   0xFFA9A09C)
NHSTUB(Write,  0xFFA9A0A8)
NHSTUB(Remove, 0xFFA9A028)
NHSTUB(Mount_FileSystem, 0xFFA9932C)
NHSTUB(kbd_read_keys_r2, 0xFFA30724)
NHSTUB(DisplayImagePhysicalScreen, 0xFFA25068)
//NHSTUB(kbd_pwr_off, 0xFFA30C58)  //maybe wrong
NHSTUB(SetPropertyCase, 0xFF81BB60)
NHSTUB(FreeMemory, 0xFF818650)
NHSTUB(GetFocusLensSubjectDistance, 0xFFAD4FBC)
NHSTUB(free, 0xFF9201CC)
NHSTUB(GetDrive_ClusterSize, 0xFFA997F4)
NHSTUB(GetDrive_TotalClusters, 0xFFA99830)
NHSTUB(GetDrive_FreeClusters, 0xFFA9986C) 

_____________________________________________________

stubs_min.s

_____________________________________________________

#include "stubs_asm.h"

DEF(physw_status, 0x564B0)
DEF(physw_run, 0x87B4)

DEF(zoom_busy, 0x96804)
DEF(focus_busy, 0x95F50)
DEF(playrec_mode,0xD0CC)
DEF(FlashParamsTable,0xFFB3E4BC)
DEF(canon_menu_active,0x3760)
DEF(canon_shoot_menu_active,0x3019) //maybe wrong
DEF(recreview_hold, 0x25AC)

__________________________________________________________

capt_seq.c

__________________________________________________________

#include "lolevel.h"
#include "platform.h"
#include "core.h"

#define RAWDATA_AVAILABLE (1)
#define RAWDATA_SAVED (2)

#define NR_ON (2)
#define NR_OFF (1)

static long raw_save_stage;

void capt_seq_hook_raw_here()
{
    raw_save_stage = RAWDATA_AVAILABLE;
    core_rawdata_available();
    while (raw_save_stage != RAWDATA_SAVED){
   _SleepTask(10);
    }
}

void hook_raw_save_complete()
{
    raw_save_stage = RAWDATA_SAVED;
}


void capt_seq_hook_set_nr()
{
    long *nrflag = (long*)0x1DAC;

    switch (core_get_noise_reduction_value()){
    case NOISE_REDUCTION_AUTO_CANON:
   // leave it alone
   break;
    case NOISE_REDUCTION_OFF:
   *nrflag = NR_OFF;
   break;
    case NOISE_REDUCTION_ON:
   *nrflag = NR_ON;
   break;
    }
}


void __attribute__((naked,noinline)) sub_FF819B30_my(long p)
{
    asm volatile (
                "STMFD   SP!, {R0-R3}\n"
                "STMFD   SP!, {R4,LR}\n"
                "SUB     SP, SP, #0x90\n"
                "MOV     R4, SP\n"
                "MOV     R0, R4\n"
                "LDR     R1, [SP,#0x98+0]\n"
                "ADD     R2, SP, #0x98+4\n"
                "BL      sub_FF91BF28\n" //vsprintf
                "MOV     R0, R4\n"
                "BL      sub_FF819B68\n"
                  "BL      capt_seq_hook_set_nr\n"
                  "ADD     SP, SP, #0x90\n"
                "LDMFD   SP!, {R4,LR}\n"
                "ADD     SP, SP, #0x10\n"
    );
}

void __attribute__((naked,noinline)) sub_FF819AB4_my(long p)
{
    asm volatile (
   
                 "STR     LR, [SP,#-4]!\n"
                 "LDR     R3, =0x1DA4\n"
                 "SUB     SP, SP, #4\n"
                 "LDR     R1, [R3]\n"
                 "CMP     R1, #0\n"
                 "LDR     R0, =0xFF819A84\n" //aChangeConsoleS
                 "LDR     R2, =0xFF819A74\n" //aTo
                 "LDR     LR, =0xFF819A7C\n" //a___
                 "BEQ     loc_FF819AF4\n"
                 "LDR     R3, =0x1DA0\n"
                 "LDR     R12, [R3]\n"
                 "LDR     R1, [R1]\n"
                 "LDR     R3, [R12]\n"
                 "STR     LR, [SP,#4-4]\n"
                 "BL      sub_FF819B30_my\n"
                 "BL      capt_seq_hook_raw_here\n"
                 "B       loc_FF819B0C\n"

"loc_FF819AF4:\n" 
                 "LDR     R3, =0x1DA0\n"
                 "LDR     R12, [R3]\n"
                 "MOV     R2, LR\n"
                 "LDR     R0, =0xA\n"//aOpenConsoleSS
                 "LDR     R1, [R12]\n"
                 "BL      sub_FF819B30\n"

"loc_FF819B0C:\n"
                 "ADD     SP, SP, #4\n"
                 "LDR     PC, [SP],#4\n"
    );
}

void __attribute__((naked,noinline)) capt_seq_task()
{
   asm volatile (
                "STMFD   SP!, {R4-R7,LR}\n"
                "SUB     SP, SP, #8\n"
                "BL      sub_FF819954\n"
                "MOV     R7, #0\n"
                "ADD     R6, SP, #0x1C-0x18\n"
                "B       loc_FF819788\n"
"loc_FF819680:\n"
                "LDR     R3, [SP,#0x1C-0x18]\n"
                "SUB     R3, R3, #1\n"
                "CMP     R3, #6\n"
                "LDRLS   PC, [PC,R3,LSL#2]\n"
                "B       loc_FF95EE38\n"
                  ".long loc_FF95ED68\n"
                ".long loc_FF8196B0\n"
                ".long loc_FF8196B0\n"
                ".long loc_FF8196B0\n"
                ".long loc_FF81972C\n"
                ".long loc_FF819728\n"
                ".long loc_FF819710\n"
                ".long loc_FF81973C\n"
                     
"loc_FF8196B0:\n"
                "BL      sub_FF819AB4_my\n" //Our only real change
                "BL      shooting_expo_param_override\n"  // +
                "LDR     R4, =0x1DA0\n"
                  "LDR     R3, [R4]\n"
                  "MOV     R1, #0\n"
                  "LDR     R0, [R3,#0xC]\n"
                  "MOV     R2, R1\n"
                  "LDR     R3, =sub_FF81A5F4\n"
                "STR     R7, [SP,#0x1C-0x1C]\n"
                "BL      sub_FF817184\n" //GetLog
                "LDR     R3, [SP,#0x1C-0x18]\n"
                "CMP     R3, #1\n"
                "BNE     loc_FF8196E8\n"
                "BL      sub_FF819C20\n"
                "B       loc_FF819708\n"
"loc_FF8196E8:\n"
                "CMP     R3, #3\n"
                "BNE     loc_FF819708\n"
                "LDR     R3, [R4]\n"
                "LDR     R0, [R3,#8]\n"
                "BL      sub_FFB143DC\n" //GiveSemaphore
                "LDR     R3, =0xE534\n"
                "LDR     R0, [R3]\n"
                "BL      sub_FFB143DC\n" //GiveSemaphore
                           
"loc_FF819708:\n"
                  "LDR     R3, =0xE52C\n"
                  "B       loc_FF81971C\n"
     
"loc_FF819710:\n"
                "LDR     R0, =0xE558\n"
                "BL      sub_FF819B68\n"
                "LDR     R3, =0xE530\n"
               
"loc_FF81971C:\n"
                "LDR     R0, [R3]\n"
                "BL      sub_FFB143DC\n" //GiveSemaphore
                "B       loc_FF819788\n"
               
"loc_FF819728:\n"
                "BL      sub_FF819C20\n"

"loc_FF81972C:\n"
                "LDR     R2, =0x1DB4\n"
                "MOV     R3, #1\n"
                "STR     R3, [R2]\n"
                "B       loc_FF819788\n"
               
"loc_FF81973C:\n"
                "LDR     R5, =0x1DA0\n"
                "LDR     R1, [R5]\n"
                "LDR     R3, [R1,#0x14]\n"
                "LDR     R2, =0x1DB4\n"
                "MOV     R4, #0\n"
                "CMP     R3, #1\n"
                "STR     R4, [R2]\n"
                "STREQ   R4, [R1,#0x14]\n"
                "BEQ     loc_FF819778\n"
                "LDR     R3, [R1,#0x18]\n"
                "CMP     R3, #1\n"
                "BNE     loc_FF819778\n"
                "BL      sub_FF81A524\n"
                "LDR     R3, [R5]\n"
                "STR     R4, [R3,#0x18]\n"

"loc_FF819778:\n"
                "LDR     R3, =0x1DA0\n"
                "LDR     R2, [R3]\n"
                "LDR     R0, [R2,#8]\n"
                "BL      sub_FFB143DC\n" //GiveSemaphore
               
"loc_FF819788:\n"
                 "LDR     R3, =0xE528\n"
                 "MOV     R1, R6\n"
                 "LDR     R0, [R3]\n"
                 "MOV     R2, #0\n"
                 "BL      sub_FFB1360C\n" //ReceiveMessageQueue
                 "TST     R0, #1\n"
                 "BNE     loc_FF8197C8\n"
                 "LDR     R3, =0x1DB0\n"
                 "LDR     R2, [R3]\n"
                 "CMP     R2, #1\n"
                 "BNE     loc_FF8197C8\n"
                 "LDR     R3, =0xE538\n"
                 "LDR     R2, [R3]\n"
                 "LDR     R1, [R2,#4]\n"
                 "CMP     R1, R2\n"
                 "BNE     loc_FF819680\n"

"loc_FF8197C8:\n"                           
                 "BL      sub_FF819A0C\n"
                 "BL      sub_FFB14BD0\n"

                 "ADD     SP, SP, #8\n"
                 "LDMFD   SP!, {R4-R7,PC}\n"
   );
}

_________________________________________________________

lib.c

________________________________________________________

#include "platform.h"

void *hook_raw_fptr()
{
    return (void*)0;
}

void *hook_raw_ret_addr()
{
    return (void*)0;
}

char *hook_raw_image_addr()
{
    return (char*)(0x105B8AC0);//not found
}

long hook_raw_size()
{
    return 0x8CAE10; //7mpx
}

void *vid_get_viewport_live_fb()
{
    return (void*)0x0;
}

void *vid_get_bitmap_fb()
{
    return (void*)0x103C79A0; //not found
}

void *vid_get_viewport_fb()
{
    return (void*)0x105F17A0; //not found
}

void *vid_get_viewport_fb_d()
{
    return (void*)(*(int*)0x94408); //ImagePlayer.c
}

long vid_get_bitmap_width()
{
    return 360;
}

long vid_get_bitmap_height()
{
    return 240;
}

long vid_get_viewport_height()
{
    return ((mode_get()&MODE_MASK) == MODE_PLAY)?240:230;
}

______________________________________________________


Hope this is useful for you and maybe someone can check this.
Especially, I need help with lib.c.

greetings quietschi
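A cross-check of the constants in the files above, added here as an example (it is not CHDK code and not part of the post): it verifies that boot.c, the kernelInit argument in h_usrKernelInit, makefile.inc and the stub addresses agree with one another, and shows where a ROM address lands as a file offset in a dump recorded from a given start address (0xFF800000 or 0xFFA00000 as in the first post). All numeric values are copied from the posted files; the check names are my own.

```python
# Cross-check of the SD1000/IXUS 70 102a memory-map constants posted above
# (boot.c, h_usrKernelInit, makefile.inc, stubs_*.s). Added example, not CHDK code.

CANON_DATA_SRC = 0xFFB88020   # boot.c: ROM image of Canon's .data
CANON_DATA_DST = 0x1900       # boot.c: RAM destination of .data
CANON_DATA_LEN = 0xCA00
CANON_BSS_START = 0xE300      # boot.c: "just after data"
CANON_BSS_END = 0xBEF70       # boot.c: canon_bss_len = 0xBEF70 - 0xE300
KERNEL_HEAP_START = 0xEEF70   # h_usrKernelInit: LDR R2, =0xEEF70

MEMBASEADDR = 0x1900          # makefile.inc
MEMISOSTART = 0xBEF70
MEMISOSIZE = 0x30000
RESTARTSTART = 0x50000
ROMBASEADDR = 0xFF810000
PLATFORMID = 12623            # makefile.inc comment says 0x314F

ROM_STUBS = {                 # stubs_entry_2.s / stubs_min.s: addresses in ROM
    "Close": 0xFFA9A008, "Read": 0xFFA9A09C, "Write": 0xFFA9A0A8,
    "free": 0xFF9201CC, "FlashParamsTable": 0xFFB3E4BC,
}
RAM_VARS = {                  # stubs_min.s / capt_seq.c: addresses in Canon RAM
    "physw_status": 0x564B0, "physw_run": 0x87B4, "zoom_busy": 0x96804,
    "focus_busy": 0x95F50, "nrflag": 0x1DAC,
}

def check_layout():
    """Return {check name: bool}; every value must be True for a consistent port."""
    c = {}
    # boot() copies .data to MEMBASEADDR; .bss must start right after it
    c["membase_is_data_dst"] = MEMBASEADDR == CANON_DATA_DST
    c["bss_follows_data"] = CANON_DATA_DST + CANON_DATA_LEN == CANON_BSS_START
    # CHDK is loaded right after Canon's .bss; the kernel heap starts after CHDK
    c["bss_ends_at_memisostart"] = CANON_BSS_END == MEMISOSTART
    c["heap_after_chdk"] = KERNEL_HEAP_START == MEMISOSTART + MEMISOSIZE
    # the loops in boot() copy and zero whole 32-bit words, so bounds must be 4-aligned
    c["word_aligned"] = all(v % 4 == 0 for v in (CANON_DATA_SRC, CANON_DATA_DST,
                            CANON_DATA_LEN, CANON_BSS_START, CANON_BSS_END))
    # restart code copies a new binary into the CHDK region, so it cannot live inside it
    c["restart_outside_chdk"] = not (MEMISOSTART <= RESTARTSTART < MEMISOSTART + MEMISOSIZE)
    c["platformid_matches_hex"] = PLATFORMID == 0x314F
    # ROM stubs and the .data image must be in ROM; RAM variables below the CHDK region
    c["stubs_in_rom"] = all(ROMBASEADDR <= a <= 0xFFFFFFFF for a in ROM_STUBS.values())
    c["data_src_in_rom"] = (ROMBASEADDR <= CANON_DATA_SRC
                            and CANON_DATA_SRC + CANON_DATA_LEN <= 0x100000000)
    c["vars_below_chdk"] = all(a < MEMISOSTART for a in RAM_VARS.values())
    return c

def rom_offset(addr, dump_base=ROMBASEADDR):
    """File offset of ROM address `addr` in a dump recorded from `dump_base`
    (e.g. 0xFF800000 or 0xFFA00000 for the two FIR files in the first post)."""
    if addr < dump_base:
        raise ValueError("0x%X lies below the dump base 0x%X" % (addr, dump_base))
    return addr - dump_base

def failing_checks():
    """Names of the checks that do not hold; an empty list means all is consistent."""
    return [name for name, ok in check_layout().items() if not ok]
```

Running `failing_checks()` on the posted values returns an empty list; `rom_offset(ROM_STUBS["Close"], 0xFFA00000)` gives the offset at which to look for that function in the 0xFFA00000 dump.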



Offline Wilson

Re: Help Dumping Firmware for SD1000/IXUS 70
« Reply #7 on: 09 / January / 2008, 22:24:44 »
I just got the SD1000 for Christmas and I absolutely love it, with the exclusion of some things that CHDK would add or change, so I'm so stoked about progress towards it.
Unfortunately I have no programming experience outside of web programming, so I can only test once binaries start to emerge, but test I will!
Also, how did you get version 1.02a firmware? Mine was bought around Christmas and has 1.01b.
- Wilson


Offline quietschi

Re: Help Dumping Firmware for SD1000/IXUS 70
« Reply #8 on: 10 / January / 2008, 08:57:46 »
Hi Wilson!

I also bought mine at Christmas! I'm living in Austria; maybe there are differences in the production line. Where are you from? Firmware date is Oct 15 2007.

I'm also working on a dump for the SD800/IXUS 850 IS version 100e.

cheers quietschi

Offline Wilson

Re: Help Dumping Firmware for SD1000/IXUS 70
« Reply #9 on: 10 / January / 2008, 17:44:38 »
Ah. I'm from Newfoundland, Canada. Firmware v1.01b, May 14 2007 09:48:23.
- Wilson

 
