the sx20 porting thread - page 41 - General Discussion and Assistance - CHDK Forum

the sx20 porting thread

Re: the sx20 porting thread
« Reply #400 on: 04 / April / 2010, 19:30:59 »
I'm with 1.00f too.

Here's what I see at address FF89A8CC:

Code: [Select]
ff89a8cc: eb000c6b bl ff89da80 <_binary_H__chdk_dissasemble_dump_bin_start+0x8da80>
ff89a8d0: eb000c43 bl ff89d9e4 <_binary_H__chdk_dissasemble_dump_bin_start+0x8d9e4>
ff89a8d4: eb000a4e bl ff89d214 <_binary_H__chdk_dissasemble_dump_bin_start+0x8d214>
ff89a8d8: e28f1f5e add r1, pc, #376 ; ff89aa58: (43503242)
ff89a8dc: e3a00060 mov r0, #96 ; 0x60
ff89a8e0: e5846018 str r6, [r4, #24]
...

Just a bl ..
Let's forget a bit about SX20.

On SX10 build (1.03a), the taskCreateHook says:

Code: [Select]
if (p[0]==0xFF884AF4)  p[0]=(int)init_file_modules_task;
and, if I go to FF884AF4 in the firmware (1.03a) I find:

Code: [Select]
ff884af4: e92d4070 push {r4, r5, r6, lr}
ff884af8: ebffd546 bl ff87a018 <_binary_H__chdk_dissasemble_sx10_103a_dump_bin_start+0x6a018>
ff884afc: e59f5198 ldr r5, [pc, #408] ; ff884c9c: (00005006)
ff884b00: e1b04000 movs r4, r0
ff884b04: 13a01000 movne r1, #0 ; 0x0
ff884b08: 11a00005 movne r0, r5

which does look like a good entry to a function, saving values on the stack.

If I try to find similar code on SX20, 1.00a, I find it at address ff89c2c4 (and not FF89A8CC):

Code: [Select]
ff89c2c4: e92d4070 push {r4, r5, r6, lr}
ff89c2c8: ebffd4a1 bl ff891554 <_binary_H__chdk_dissasemble_dump_bin_start+0x81554>
ff89c2cc: e59f5198 ldr r5, [pc, #408] ; ff89c46c: (00005006)
ff89c2d0: e1b04000 movs r4, r0
ff89c2d4: 13a01000 movne r1, #0 ; 0x0
ff89c2d8: 11a00005 movne r0, r5

So this is what is puzzling me: chdk for SX10 respects the addresses that I see in its firmware, however, for SX20 - the addresses seem way off. I decompiled the firmware using gcc stuff (no IDA pro for me) and used 0xff810000 as offset. Maybe it is not correct?
« Last Edit: 04 / April / 2010, 19:36:20 by viulian »

reyalp
Re: the sx20 porting thread
« Reply #401 on: 04 / April / 2010, 21:21:56 »
It sounds like you've got your dump loaded at the wrong address somehow, or extra stuff interspersed in the dump. Some blinking tools leave checksums in the initial dump which need to be stripped out before it can be used.

In my sx20 100f dump, I see
Code: [Select]
ROM:FF89A8CC 70 40 2D E9                 STMFD   SP!, {R4-R6,LR}
ROM:FF89A8D0 A1 D4 FF EB                 BL      sub_FF88FB5C
ROM:FF89A8D4 98 51 9F E5                 LDR     R5, =0x5006
If I search for the values you posted, I find them at FF898F28. This suggests you have "extra stuff" in your dump.
Don't forget what the H stands for.

Re: the sx20 porting thread
« Reply #402 on: 04 / April / 2010, 21:31:06 »
I can get the SpyTask running on 102b but it crashes running conf_init_defaults(); or conf_load_defaults();
The card is also still locked just before SpyTask runs and any mkdir debugging fails.

Can anyone point me to the code which flips the SD card locked bit?

reyalp
Re: the sx20 porting thread
« Reply #403 on: 04 / April / 2010, 22:33:21 »
Quote
I can get the SpyTask running on 102b but it crashes running conf_init_defaults(); or conf_load_defaults();
The card is also still locked just before SpyTask runs and any mkdir debugging fails.

Can anyone point me to the code which flips the SD card locked bit?
It's in platform/<camera>/kbd.c

It should be the same for all firmware revisions of a given model.
Don't forget what the H stands for.


Re: the sx20 porting thread
« Reply #404 on: 05 / April / 2010, 04:39:46 »
Quote
If I search for the values you posted, I find them at FF898F28. This suggests you have "extra stuff" in your dump.

Ahhhhh ..... I did not expect this - trying to make sense of something that doesn't (skewed addresses) isn't fun.
It seems that there are 3 SX20 1.00f dumps out there, but I didn't use the correct one:

a) first link in the wiki pointing to http://neszt.hu/sx20_GM1.00F_v02.dump.zip:

It has lots of 1234567890 in the beginning, and dumping it shows the init_file_modules_task code at address:

Code: [Select]
ff89d0dc: e92d4070 push {r4, r5, r6, lr}
ff89d0e0: ebffd4a1 bl ff89236c <_binary_H__chdk_dissasemble_sx20_100f_dump_bin_start+0x8236c>
ff89d0e4: e59f5198 ldr r5, [pc, #408] ; ff89d284: (00005006)
ff89d0e8: e1b04000 movs r4, r0

b) there's one .7z file here too: http://chdk.neszt.hu/bin/sx20_100f.7z (apparently newer than the first dump) which is the one that I used.

This one has the code above at address:

Code: [Select]
ff89c2c4: e92d4070 push {r4, r5, r6, lr}
ff89c2c8: ebffd4a1 bl ff891554 <_binary_H__chdk_dissasemble_sx20_100f_dump_bin_start+0x81554>
ff89c2cc: e59f5198 ldr r5, [pc, #408] ; ff89c46c: (00005006)
ff89c2d0: e1b04000 movs r4, r0

c) there's a third image it seems, here: http://drop.io/chdkdumps2

This one has the same name as the .7z file at point b), but the PRIMARY.BIN file inside is different.

The addresses here are correct:

Code: [Select]
ff89a8cc: e92d4070 push {r4, r5, r6, lr}
ff89a8d0: ebffd4a1 bl ff88fb5c <_binary_H__chdk_dissasemble_sx20_100f_dump_bin_start+0x7fb5c>
ff89a8d4: e59f5198 ldr r5, [pc, #408] ; ff89aa74: (00005006)
ff89a8d8: e1b04000 movs r4, r0
.

I will keep this last one :( I'm sad with all the mess.
Maybe somebody will propagate the last image to the first two addresses also .. or update the wiki?

But anyway, I'm glad that the mystery was solved. Thanks reyalp.. I need a few days of rest now.

PS: The address I found by monitoring taskCreateHook at runtime was correct! http://chdk.setepontos.com/index.php/topic,4348.msg48252.html#msg48252
 
In firmware at point c) indeed, the jog dial task starts at ff85f3cc:

Code: [Select]
ff85f3cc: e92d4ff0 push {r4, r5, r6, r7, r8, r9, sl, fp, lr}
ff85f3d0: e24dd024 sub sp, sp, #36 ; 0x24
ff85f3d4: e28d0004 add r0, sp, #4 ; 0x4

« Last Edit: 05 / April / 2010, 04:44:24 by viulian »
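
Added example, not part of the original thread or of CHDK: a Python check for the "extra stuff in your dump" problem diagnosed above. It searches a dump for the four instruction words posted in the thread and reports how far they sit from the expected address; the function names and the constructed sample dump are assumptions made for illustration.

```python
import struct

ROM_BASE = 0xFF810000   # load address used in the thread
EXPECTED = 0xFF89A8CC   # init_file_modules_task in a good sx20 1.00f dump (reply #401)
# First four instruction words as posted. BL and LDR are PC-relative, so the
# bytes stay identical even when the whole image is shifted by extra data.
SIG = struct.pack("<4I", 0xE92D4070, 0xEBFFD4A1, 0xE59F5198, 0xE1B04000)

def find_signature(dump, sig=SIG, base=ROM_BASE):
    """Return every address (base + file offset) where sig occurs."""
    hits, pos = [], dump.find(sig)
    while pos != -1:
        hits.append(base + pos)
        pos = dump.find(sig, pos + 1)
    return hits

def dump_skew(dump, expected=EXPECTED):
    """Bytes of extra data ahead of the function: 0 for a clean dump,
    None when the signature is missing or ambiguous."""
    hits = find_signature(dump)
    return hits[0] - expected if len(hits) == 1 else None

def bl_target(addr, word):
    """Decode the destination of an ARM BL instruction located at addr."""
    imm24 = word & 0xFFFFFF
    if imm24 & 0x800000:            # sign-extend the 24-bit word offset
        imm24 -= 0x1000000
    return (addr + 8 + (imm24 << 2)) & 0xFFFFFFFF

def make_sample(extra):
    """Constructed stand-in for a dump: `extra` junk bytes, zero filler, SIG."""
    return b"\xAA" * extra + bytes(EXPECTED - ROM_BASE) + SIG + bytes(64)

if __name__ == "__main__":
    # 0x19F8 is the distance between ff89c2c4 (dump b) and ff89a8cc (dump c).
    for name, extra in (("clean", 0), ("shifted", 0x19F8)):
        d = make_sample(extra)
        print(name, [hex(a) for a in find_signature(d)], dump_skew(d))
    # Same BL word, different address, different disassembled target:
    print(hex(bl_target(0xFF89A8D0, 0xEBFFD4A1)), hex(bl_target(0xFF89C2C8, 0xEBFFD4A1)))
```

A non-zero skew only says how many extra bytes precede this one function; locating and removing them still means inspecting the dump itself.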

neszt
Re: the sx20 porting thread
« Reply #405 on: 05 / April / 2010, 06:45:40 »
Quote
a) first link in the wiki pointing to http://neszt.hu/sx20_GM1.00F_v02.dump.zip:

It has lots of 1234567890 in the beginning, and dumping it shows the init_file_modules_task code at address:
That was the second version for gods to check if that is a correct dump. I removed it now.
Quote
b) there's one .7z file here too: http://chdk.neszt.hu/bin/sx20_100f.7z (apparently newer than the first dump) which is the one that I used.
.
.
.
c) there's a third image it seems, here: http://drop.io/chdkdumps2

This one has the same name as the .7z file at point b), but the PRIMARY.BIN file inside is different.

The addresses here are correct:
Thank you for pointing that out. I fixed the files right now.

Re: the sx20 porting thread
« Reply #406 on: 05 / April / 2010, 07:36:02 »
Quote
It's in platform/<camera>/kbd.c

It should be the same for all firmware revisions of a given model.

Thanks, found it.

At the moment I've got the init_file_modules_task running but it gives a memory card error after it completes and I have no idea why. Throughout the ASM I've updated some values that seem different on my camera; is this the correct process? For example in sub_FF86E724_my I've changed one of the very first lines to:

"LDR   R0, =0x37260\n" // changed from 0x37260


I'm still debugging mykbd_task as it crashes when it's uncommented, even though my kbd symbols check out.

I'm assuming I can get the splash screen with all the tasks commented apart from init_file_modules_task? Which sets a flag to get the SpyTask going.

Currently I have just the SpyTask and init_file_modules_task and the camera doesn't crash so long as conf_restore(); is commented out. Any ideas anyone?

Re: the sx20 porting thread
« Reply #407 on: 05 / April / 2010, 08:25:01 »
Dear one,

I am still stuck with my sx20 102b, as I don't know how to start anything on the sd card. Could someone please tell me the needed steps to get that camera to boot from sd? I've copied the blinker diskboot.bin to the root of the sd. It is a fat16 formatted partition, and BOOTDISK is written to the partition at offset 0x40. What am I missing?

regards,


Re: the sx20 porting thread
« Reply #408 on: 05 / April / 2010, 09:11:50 »
I've finished the JogDial task. Finally the pictures don't move anymore, when I scroll in the CHDK menu :)

However, there's a small issue with the code from SX10: while the menu is up and you navigate with the JogDial - the events are not 'consumed' once interpreted by CHDK. They are collected and dispatched once the menu is off. Meaning that the images don't flip around if you navigate the ALT menu using the JogDial, but once you close the menu, the images start flying around.

neszt: how can I commit? Or what is the correct procedure - shall I attach some files? I am afraid that attaching files may create a mess in the long run ..

Re: the sx20 porting thread
« Reply #409 on: 05 / April / 2010, 13:12:37 »
I've found that in conf_load_defaults() if I put:

      if (i == 186)
      {
         continue;
      }

then I can boot the SpyTask and finally get something on screen. 186 seems to be:

    CONF_INFO(186, conf.curve_enable,           CONF_DEF_VALUE, i:0, NULL),

Any idea what is causing this statement to fail?
