350d boot from cf card - page 33 - DSLR Hack development - CHDK Forum  

350d boot from cf card

Re: 350d boot from cf card
« Reply #320 on: 25 / October / 2010, 05:29:46 »
Hi, All! It is possible to disable the preflash in mode M?


Sergei
Re: 350d boot from cf card
« Reply #321 on: 04 / November / 2010, 14:31:20 »
Can anybody post a short video with the info screen in action?



Re: 350d boot from cf card
« Reply #322 on: 05 / November / 2010, 01:12:14 »
Can someone please post the code to dump the firmware.



Re: 350d boot from cf card
« Reply #323 on: 12 / November / 2010, 13:08:42 »
Is all this work done with only the firmware update decrypted with decrypt20d?

Re: 350d boot from cf card
« Reply #324 on: 14 / November / 2010, 11:07:44 »
I'm happy I discovered this hack some days ago so I can keep using my old 350D for a little more time. So after reading all these posts I decided to install the version 350D-20101011.zip by crazyklaus. I had no problem at all making it work, except for the intervalometer option. I can set the number of shots and the delay time with the Menu/Info/Jump buttons, but the SET button does nothing when I press it. I don't know how to start the series of shots. Am I missing something?

By the way, I think it would be a good idea to use a wiki to keep the relevant info on versions and instructions available for reference. I wouldn't mind contributing to that wiki.

Thanks for your work!

Re: 350d boot from cf card
« Reply #325 on: 15 / November / 2010, 04:56:45 »
Yes, you're missing something ;) but it's actually quite simple to get it to work: you have to set custom function 1 to a value of 1, 2 or 3. With values 0 (the standard value) and 4 the code won't recognize the SET button.
There is also the option to change the functionality of the SET and JUMP buttons, e.g. if you want to have the custom function set to 4, but of course you will lose the function that was on the JUMP button.

Re: 350d boot from cf card
« Reply #326 on: 15 / November / 2010, 15:31:36 »
Thanks a lot! I could make it work with your help :)

Re: 350d boot from cf card
« Reply #327 on: 16 / November / 2010, 12:28:07 »
I'd like to work on making the boot flag modifier .fir program somewhat more bulletproof, but the first step of that is to see if I can compile the original scanled.c or bootflag.c and come up with the identical .bin and .fir files. Back in the day I did MASM, but know nothing about C compilers.

I found gcc346.zip, which appears to be the compiler, but it also has a "myproject" folder with 350D-related stuff in it. But just for scanled.c, could someone tell me how to compile it? I have all the original files including the Makefile, build.bat, clean.bat and entry.s, but I need to know how to run the compile, assuming gcc346 will do that. I'm on Windows XP.

In looking through the decrypted firmware updates for 1.0.2 and 1.0.3, I find these strings at the locations indicated:

v1.0.2 - 30cea8  ""
v1.0.3 - 311fb0  ""

Further, the string "1.0.3" doesn't appear anywhere in the 1.0.2 firmware, and "1.0.3" doesn't appear anywhere in the 1.0.2 firmware. Of course at this point I don't know where these strings are located in the camera, or if they are there at all, but maybe someone knows how to find that out. Seems like the .fir could check for that "1.0.3" before changing the boot flag, and maybe prevent bricking.

[Edit: I figured out the compiling part, and by adding the appropriate Path statement I was able to compile and get the identical output. So then does anybody know how to find where the "1.0.3" string is located in the camera's firmware, or where it should be?]

« Last Edit: 17 / November / 2010, 11:00:18 by peabody »

Re: 350d boot from cf card
« Reply #328 on: 18 / November / 2010, 04:46:36 »
Can you give a link to the source code?

Re: 350d boot from cf card
« Reply #329 on: 18 / November / 2010, 12:38:02 »
The bootflag.fir and scanled.fir files are located here:

This file has bootflag: bootflag-20090921.zip
and this file has scanled: 350d_bootflag_update_20090914.zip

But I've made a bit of progress in figuring out exactly what these files do, and so far the result is a bit disturbing. So I gave up on trying to figure out the C, and did an object file dump to look at the actual assembler code, which is what my programming background is. And I found some helpful PDFs on the ARM instruction set and register structure.

So here's one thing I found so far.  This is the bootflag C code for a subroutine called Zero:

// zero memory
void Zero(int* buf, int size) {
   int i = 0;
   for (; i < size; i++)
      buf = 0;
}
And here is how that was compiled:

00000060 <Zero>:
  60:   e3a03000    mov   r3, #0   ; 0x0
  64:   e1530001    cmp   r3, r1
  68:   a1a0f00e    movge   pc, lr
  6c:   e2833001    add   r3, r3, #1   ; 0x1
  70:   e1530001    cmp   r3, r1
  74:   bafffffc    blt   6c <Zero+0xc>
  78:   e1a0f00e    mov   pc, lr

So, in assembler, you enter the routine with the pointer to the block in r0 and the count in r1. You then go into a loop incrementing r3 from zero to the value in r1, then you return from the routine (mov pc,lr). But at no point does anything in memory get zeroed. So the C entry "buf = 0" appears to do nothing. It's the same in scanled.fir. The OP who gave us these boot flag programs isn't around anymore to ask about this, so it's hard to know whether anything needs to be zeroed at all. It seems to work for most people without that, but then we have these cases of bricked cameras. So I don't know whether to fix it or not.

What I'm trying to figure out now, in bootflag.c, is exactly what is being compared in this line:

if (buf1[0] != boot_flag[0] || buf1[1] != boot_flag[1] || buf1[2] != boot_flag[2]) {
} else {

but it's hard going trying to make sure I understand the assembler.

I'd still like to add the v1.0.3 test if that's possible.
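As an added illustration of the two points in this post (not code from the forum, the bootflag tool, or its author), the following shows why the posted Zero loop compiles to a store-free counting loop, a version that actually clears the buffer, and a hypothetical version-string check of the kind proposed for the "1.0.3" test. The function and buffer names are assumptions; the firmware image is constructed sample data, and no offsets from the page are used.

```c
#include <stddef.h>
#include <string.h>

/* Reproduces the behaviour the assembler dump shows: "buf = 0" reassigns
   the local pointer, so the loop only counts and no memory is written.
   Assumed name; not the tool's own code. */
void Zero_asposted(int *buf, int size) {
    int i = 0;
    for (; i < size; i++)
        buf = 0;            /* dead store to the pointer, nothing cleared */
    (void)buf;
}

/* Corrected form: index the buffer so each word is actually cleared. */
void Zero_fixed(int *buf, int size) {
    for (int i = 0; i < size; i++)
        buf[i] = 0;
}

/* Returns 1 if every word in buf is zero, else 0. Used to verify the above. */
int all_zero(const int *buf, int size) {
    for (int i = 0; i < size; i++)
        if (buf[i] != 0)
            return 0;
    return 1;
}

/* Hypothetical pre-check in the spirit of the proposed "1.0.3" test:
   returns 1 only if the expected version string occurs somewhere in the
   image, so a caller can refuse to touch the boot flag otherwise. */
int firmware_has_version(const unsigned char *img, size_t len, const char *ver) {
    size_t vlen = strlen(ver);
    if (vlen == 0 || len < vlen)
        return 0;
    for (size_t i = 0; i + vlen <= len; i++)
        if (memcmp(img + i, ver, vlen) == 0)
            return 1;
    return 0;
}
```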

