Powershot A3100 - Porting thread

    Powershot A3100 - Porting thread
    « on: 16 / August / 2010, 09:20:15 »
    Ok, let's start.
    Firmware:
    DUMP_FF810000_A3100_1.00B.BIN - 23.81MB
    Start address: 0xFF810000
    Just cut it down to 8 MB and start disassembling.
    The key/IV, as far as I can see, differs from the 2009 cameras'.

    Re: Powershot A3100 - Porting thread
    « Reply #1 on: 16 / August / 2010, 13:52:58 »

    Re: Powershot A3100 - Porting thread
    « Reply #2 on: 17 / August / 2010, 01:35:00 »
    Good work; added to the dumps archive...
    Added the A3100 1.00B dump from this post (8MB full dump, by Ameglin / c10ud, dumped with reyalP's new CBasic udumper) to the drop.io - chdkdumps3 backup archive.
      http://drop.io/chdkdumps3/asset/a3100-100b-7z
    Thx to the 'dumpers' & uploaders !

    Re: Powershot A3100 - Porting thread
    « Reply #3 on: 17 / August / 2010, 01:59:59 »
    "DRYOS version 2.3, release #0043"

    A new one; the highest previously known was #0039 (edit: for P&S cameras — looks like the EOS 550D uses this release too).

    edit:
    Looks to me like the key is different, but the IV is the same as on the other d4 cameras?

    Also, dancingbits updated.
    « Last Edit: 17 / August / 2010, 03:00:35 by reyalp »


    Re: Powershot A3100 - Porting thread
    « Reply #4 on: 17 / August / 2010, 09:12:57 »
    Dancingbits is correct. I used it as the encoder in udumper nudryos and dumped the SX210IS and A3100 firmware, so I suppose the other 2010 cameras use the same dancingbits:
    http://chdk.setepontos.com/index.php/topic,5045.msg53819.html#msg53819

    Re: Powershot A3100 - Porting thread
    « Reply #5 on: 18 / August / 2010, 07:55:24 »
    I found all the LEDs using cycling code:
    Code: [Select]
    /* LED/GPIO registers found by cycling through the 0xC0220000 block.
       The loader's debug code writes 0x46 to one of these to light an LED
       and 0x44 to turn it off (see shutdown()/panic() further down). */
    #define LED_POWER   0xC0220010   // same register the loader uses as LED_PR
    #define LED_AF   0xC0220008
    #define LED_AF_ALT           0xC0220009   // NOTE(review): 0x..09..0x..0B differ from LED_AF only in the low two bits,
    #define LED_AF_ALT_2        0xC022000A   // which a word-sized STR ignores when alignment checking is off -- these are
    #define LED_AF_ALT_3   0xC022000B   // probably aliases of LED_AF, not separate LEDs; confirm before relying on them
    #define WHITE_SCREEN   0xC0220007   // lights the display plain white; 0x..06/0x..07 likely alias the same way
    #define WHITE_SCREEN_ALT 0xC0220006
    #define FLASH 0xC022000C   // writing here fires the flash once
    The AF LED responds at 4 different addresses, and the WHITE_SCREEN "LED" (which just turns the display on showing plain white) at 2.
    Note that 0xC0220008..0xC022000B differ only in their low two bits, as do 0xC0220006/0xC0220007; with alignment checking off (the usual case) a word-sized STR on this ARM core ignores those bits, so if the cycling code stores whole words these are most likely aliases of a single register each (0xC0220008 and 0xC0220004) rather than separate LEDs — worth confirming before treating them as distinct.
    The FLASH "LED" fires the flash once.

    Re: Powershot A3100 - Porting thread
    « Reply #6 on: 19 / August / 2010, 09:13:32 »
    I'm now trying to boot CHDK and have a small problem: after executing resetcode/main.c, the program doesn't jump to core/entry.s.
    Here some code:
    Code: [Select]
    resetcode/main.c

    /*
     * Reset stub for the A3100 (runs relocated at RESTARTSTART, see the loader's
     * main.c).  Copies `length` bytes of the CHDK core from src_void to dst_void
     * with memmove-style overlap handling, then re-initialises the CPU the way
     * the firmware's own reset path does and branches to dst_void.  Never returns.
     *
     * NOTE(review): this is the version from Reply #6.  It does not work because
     * R0 is zeroed just before the final BX (see the comment at that line); the
     * corrected version is in Reply #9.
     */
    void __attribute__((noreturn)) copy_and_restart(void *dst_void, const void *src_void, long length) {

            {
    char *dst = dst_void;
                    const char *src = src_void;

                    /* Destination starts inside the source range: copy from the
                       end so no byte is overwritten before it has been read. */
                    if (src < dst && dst < src + length)
                    {
                            /* Have to copy backwards */
                            src += length;
                            dst += length;
                            while (length--)
                            {
                                *--dst = *--src;
                            }
                    }
                    else
                    {
                            while (length--)
                            {
                                    *dst++ = *src++;
                            }
                    }

            }
            /* Everything below mirrors the firmware's reset sequence.  The MMIO
               and CP15 constants are Canon/ARM9-specific; comments marked
               "presumably" are not confirmed from this listing. */
            asm volatile (

    "MRS     R0, CPSR\n"
                     "BIC     R0, R0, #0x3F\n"
                     "ORR     R0, R0, #0xD3\n"                // 0xD3: IRQ and FIQ masked, ARM state, supervisor mode
                     "MSR     CPSR, R0\n"
    /* NOTE(review): bare STM/LDM assemble as STMIA/LDMIA, so this pair is NOT a
       push/pop: STMIA stores R1,R2 above SP and advances SP, then LDMIA reads the
       next two words and advances SP again.  Net effect: R1,R2 are not restored
       and SP ends up 16 bytes higher.  Harmless here only because R1 is reloaded
       below and the stub never returns; a real save/restore would be
       STMFD SP!,{R1,R2} / LDMFD SP!,{R1,R2}.  The commented-out LED block further
       down has the same pair. */
    "STM SP!,{R1,R2}\n"
    "LDM SP!,{R1,R2}\n"
                     "LDR     R1, =0xC0200000\n"              // presumably the interrupt controller: all-ones into 17 registers
                     "MOV     R0, #0xFFFFFFFF\n"
                     "STR     R0, [R1,#0x10C]\n"
                     "STR     R0, [R1,#0xC]\n"
                     "STR     R0, [R1,#0x1C]\n"
                     "STR     R0, [R1,#0x2C]\n"
                     "STR     R0, [R1,#0x3C]\n"
                     "STR     R0, [R1,#0x4C]\n"
                     "STR     R0, [R1,#0x5C]\n"
                     "STR     R0, [R1,#0x6C]\n"
                     "STR     R0, [R1,#0x7C]\n"
                     "STR     R0, [R1,#0x8C]\n"
                     "STR     R0, [R1,#0x9C]\n"
                     "STR     R0, [R1,#0xAC]\n"
                     "STR     R0, [R1,#0xBC]\n"
                     "STR     R0, [R1,#0xCC]\n"
                     "STR     R0, [R1,#0xDC]\n"
                     "STR     R0, [R1,#0xEC]\n"
                     "CMP     R4, #7\n"                       // NOTE(review): R4 is never set in this function (it is only listed
                     "STR     R0, [R1,#0xFC]\n"               // as clobbered); this compare/early return is carried over from the
                     "LDMEQFD SP!, {R4,PC}\n"                 // firmware's reset code -- confirm what R4 is meant to hold here
                     "MOV     R0, #0x78\n"
                     "MCR     p15, 0, R0,c1,c0\n"             // CP15 control: 0x78 appears to set only the should-be-one bits 3-6, i.e. PU and caches off
                     "MOV     R0, #0\n"
                     "MCR     p15, 0, R0,c7,c10, 4\n"         // drain write buffer
                     "MCR     p15, 0, R0,c7,c5\n"             // invalidate I-cache
                     "MCR     p15, 0, R0,c7,c6\n"             // invalidate D-cache
                     "MOV     R0, #0x40000006\n"
                     "MCR     p15, 0, R0,c9,c1\n"             // presumably D- and I-TCM region registers (ARM946-style): base 0x40000000, enable set
                     "MCR     p15, 0, R0,c9,c1, 1\n"
                     "MRC     p15, 0, R0,c1,c0\n"
                     "ORR     R0, R0, #0x50000\n"             // set control-register bits 16 and 18 (presumably the TCM enables)
                     "MCR     p15, 0, R0,c1,c0\n"
                     "LDR     R0, =0x12345678\n"
                     "MOV     R1, #0x40000000\n"
                     "STR     R0, [R1,#0xFFC]\n"              // marker word at 0x40000FFC; its purpose is not visible here
                     //"LDR     R0, =sub_FF810000\n"          // the firmware's own target: ROM start (0xFF810000, see the dump's start address)
                     "MOV     R0, #0\n"              // new jump-vector -- BUG: this zeroes R0, so the BX R0 below branches to address 0 instead of the copied core; the fix (Reply #7/#8) is "MOV R0, %0", %0 being the "r"(dst_void) operand

                     "LDMFD   SP!, {R4,LR}\n"                 // pops the {R4,LR} pair the compiler's prologue is assumed to have pushed

    //"STM SP!,{R1,R2}\n"
    //"LDR     R1, =0xC0220000\n"
    //"MOV   R2, #0x46\n" //LED_On
    //"STR   R2, [R1,#0x10]\n"
    //"LDM   SP!,{R1,R2}\n"
                     "BX      R0\n"                           // jump into the copied core (bit 0 of R0 selects ARM/Thumb)
                     : : "r"(dst_void) : "memory","r0","r1","r2","r3","r4");
            while(1);   // unreachable; satisfies noreturn
    }
    I don't know exactly what it can be, but I think either the final "BX R0" doesn't behave as it should, or R0 has the wrong value. I tried to light an LED at the beginning of core/entry.s with this code (it works in other entry files), but had no success:
    Code: [Select]
    // Debug probe: write 0x46 (LED on) to 0xC022000A, i.e. LED_AF_ALT_2 from the
    // LED list above -- not the power LED (0xC0220010) the later loader code uses.
    // NOTE(review): bare STM/LDM assemble as STMIA/LDMIA, so this is not a
    // push/pop pair: STMIA stores above SP and advances SP, LDMIA then loads the
    // next two words and advances again.  R1,R2 come back as garbage and SP is
    // 16 bytes higher than before -- use STMFD SP!,{R1,R2} / LDMFD SP!,{R1,R2}.
    // The offset 0xA is also not word aligned; with alignment checking off the
    // store lands at 0xC0220008 (LED_AF).
    STM SP!,{R1,R2}
    LDR    R1, =0xC0220000
    MOV   R2, #0x46
    STR   R2, [R1,#0xA]
    LDM SP!,{R1,R2}
    Has anyone ideas why it can be?

    Re: Powershot A3100 - Porting thread
    « Reply #7 on: 19 / August / 2010, 09:30:56 »
    I don't know what exactly it can be, but I think it is because last operand "BX R0" doesn't work as it must, or R0 has wrong value.
    It does have the wrong value: you have "MOV  R0, #0\n" a few lines before the BX, so you branch to address 0. I reckon it should be "mov  R0, %0\n" instead, %0 being the "r"(dst_void) input operand.


    Re: Powershot A3100 - Porting thread
    « Reply #8 on: 23 / August / 2010, 06:51:33 »
    Thanks! It was my mistake. After changing it to MOV R0, %0, the jump succeeds.
    Now I'm trying to adapt the boot process to this camera...

    Re: Powershot A3100 - Porting thread
    « Reply #9 on: 24 / August / 2010, 05:19:00 »
    For now the loader works well. Here it is:
    Code: [Select]
    loader\a3100\resetcode\main.c:
    /*
     * Reset stub for the A3100 (runs relocated at RESTARTSTART, see main.c below).
     * Copies `length` bytes of the CHDK core from src_void to dst_void with
     * memmove-style overlap handling, then re-initialises the CPU the way the
     * firmware's own reset path does and branches to dst_void.  Never returns.
     * This is the working version: the jump register is loaded from the
     * dst_void operand instead of being zeroed (the Reply #6 bug).
     */
    void __attribute__((noreturn)) copy_and_restart(void *dst_void, const void *src_void, long length) {
            {
    char *dst = dst_void;
                    const char *src = src_void;

                    /* Destination starts inside the source range: copy from the
                       end so no byte is overwritten before it has been read. */
                    if (src < dst && dst < src + length)
                    {
                            /* Have to copy backwards */
                            src += length;
                            dst += length;
                            while (length--)
                            {
                                *--dst = *--src;
                            }
                    }
                    else
                    {
                            while (length--)
                            {
                                    *dst++ = *src++;
                            }
                    }
            }
            /* Everything below mirrors the firmware's reset sequence.  The MMIO
               and CP15 constants are Canon/ARM9-specific; comments marked
               "presumably" are not confirmed from this listing.  GCC never
               assigns the %0 input to a clobbered register, so dst_void survives
               the writes to r0-r4 until the MOV near the end. */
            asm volatile (

    "MRS     R0, CPSR\n"
                     "BIC     R0, R0, #0x3F\n"
                     "ORR     R0, R0, #0xD3\n"                // 0xD3: IRQ and FIQ masked, ARM state, supervisor mode
                     "MSR     CPSR, R0\n"
    /* NOTE(review): if this debug block is ever re-enabled, note that bare
       STM/LDM assemble as STMIA/LDMIA and so do not save/restore R1,R2 -- they
       leave SP 16 bytes higher.  Use STMFD SP!,{...} / LDMFD SP!,{...}. */
    //"STM   SP!,{R1,R2}\n"
    //"LDR   R1, =0xC0220000\n"
    //"MOV   R2, #0x46\n" //Debug LED_on
    //"STR   R2, [R1,#0x10]\n"                           //0x10 - Power_LED
    //"LDM   SP!,{R1,R2}\n"
                     "LDR     R1, =0xC0200000\n"              // presumably the interrupt controller: all-ones into 17 registers
                     "MOV     R0, #0xFFFFFFFF\n"
                     "STR     R0, [R1,#0x10C]\n"
                     "STR     R0, [R1,#0xC]\n"
                     "STR     R0, [R1,#0x1C]\n"
                     "STR     R0, [R1,#0x2C]\n"
                     "STR     R0, [R1,#0x3C]\n"
                     "STR     R0, [R1,#0x4C]\n"
                     "STR     R0, [R1,#0x5C]\n"
                     "STR     R0, [R1,#0x6C]\n"
                     "STR     R0, [R1,#0x7C]\n"
                     "STR     R0, [R1,#0x8C]\n"
                     "STR     R0, [R1,#0x9C]\n"
                     "STR     R0, [R1,#0xAC]\n"
                     "STR     R0, [R1,#0xBC]\n"
                     "STR     R0, [R1,#0xCC]\n"
                     "STR     R0, [R1,#0xDC]\n"
                     "STR     R0, [R1,#0xEC]\n"
                     "CMP     R4, #7\n"                       // NOTE(review): R4 is never set in this function (it is only listed
                     "STR     R0, [R1,#0xFC]\n"               // as clobbered); this compare/early return is carried over from the
                     "LDMEQFD SP!, {R4,PC}\n"                 // firmware's reset code -- confirm what R4 is meant to hold here
                     "MOV     R0, #0x78\n"
                     "MCR     p15, 0, R0,c1,c0\n"             // CP15 control: 0x78 appears to set only the should-be-one bits 3-6, i.e. PU and caches off
                     "MOV     R0, #0\n"
                     "MCR     p15, 0, R0,c7,c10, 4\n"         // drain write buffer
                     "MCR     p15, 0, R0,c7,c5\n"             // invalidate I-cache
                     "MCR     p15, 0, R0,c7,c6\n"             // invalidate D-cache
                     "MOV     R0, #0x40000006\n"
                     "MCR     p15, 0, R0,c9,c1\n"             // presumably D- and I-TCM region registers (ARM946-style): base 0x40000000, enable set
                     "MCR     p15, 0, R0,c9,c1, 1\n"
                     "MRC     p15, 0, R0,c1,c0\n"
                     "ORR     R0, R0, #0x50000\n"             // set control-register bits 16 and 18 (presumably the TCM enables)
                     "MCR     p15, 0, R0,c1,c0\n"
                     "LDR     R0, =0x12345678\n"
                     "MOV     R1, #0x40000000\n"
                     "STR     R0, [R1,#0xFFC]\n"              // marker word at 0x40000FFC; its purpose is not visible here
                     //"LDR     R0, =sub_FF810000\n"          // the firmware's own target: ROM start (0xFF810000, see the dump's start address)
                     "MOV     R0, %0\n"              // new jump-vector: %0 is the "r"(dst_void) operand, i.e. the copied core (fix from Reply #7)
                     "LDMFD   SP!, {R4,LR}\n"                 // pops the {R4,LR} pair the compiler's prologue is assumed to have pushed
                     "BX      R0\n"                           // jump into the copied core (bit 0 of R0 selects ARM/Thumb)

                     : : "r"(dst_void) : "memory","r0","r1","r2","r3","r4");
            while(1);   // unreachable; satisfies noreturn
    }
    Code: [Select]
    loader\a3100\resetcode\entry.s:
    // Entry point of the reset stub.  The .entry section is presumably placed
    // first by the linker script so that jumping to RESTARTSTART lands here.
    // Gives the stub its own stack at 0x1900 (grows down), clears R11 (the APCS
    // frame pointer) and continues in copy_and_restart(), which never returns.
                  .section .entry
    MOV     SP, #0x1900
    MOV     R11, #0
    B copy_and_restart
    Code: [Select]
    loader\a3100\main.c:
    /* Loader-side helpers, defined further down in this file. */
    static void __attribute__((noreturn)) shutdown();
    static void __attribute__((noreturn)) panic(int cnt);   // NOTE(review): declared but not called anywhere in this listing

    /* Provided by blobs.s: each pointer symbol holds the address of the embedded
       binary's first byte, each *_size its length in bytes. */
    extern long *blob_chdk_core;
    extern long *blob_copy_and_reset;
    extern long blob_chdk_core_size;
    extern long blob_copy_and_reset_size;


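    /*
     * Loader entry (reached from entry.s after the start-up delay).  Copies the
     * reset stub (blob_copy_and_reset, embedded by blobs.s) to RESTARTSTART one
     * long at a time, then jumps into it; the stub in turn copies the CHDK core
     * to MEMISOSTART and branches there.  Never returns.
     *
     * The word count is rounded up so that a stub whose size is not a multiple
     * of sizeof(long) is copied in full (blobs.s pads neither .incbin), at the
     * cost of at most sizeof(long)-1 extra bytes copied from whatever follows
     * the blob in the image.
     */
    void __attribute__((noreturn)) my_restart()
    {
        void __attribute__((noreturn)) (*copy_and_restart)(char *dst, char *src, long length);
        long *restart_dst = (long *)RESTARTSTART;
        unsigned long nwords = ((unsigned long)blob_copy_and_reset_size + sizeof(long) - 1) / sizeof(long);
        unsigned long i;

        for (i = 0; i < nwords; i++) {
            restart_dst[i] = blob_copy_and_reset[i];
        }

        /* Run the stub from its relocated copy (presumably so it survives the
           core copy overwriting the loader's own image -- not visible here). */
        copy_and_restart = (void *)RESTARTSTART;
        copy_and_restart((void *)MEMISOSTART, (char *)blob_chdk_core, blob_chdk_core_size);
    }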

    #define LED_PR 0xC0220010   // power LED register (LED_POWER in the list above); 0x46 = on, 0x44 = off


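    /*
     * Halt the loader: mask IRQs, turn the power LED off and spin forever.
     * Terminal state of panic().  Never returns.
     */
    static void __attribute__((noreturn)) shutdown()
    {
        volatile long *led = (void *)LED_PR;       // turned off later, so assumed to be power

        /* Set the CPSR I bit (0x80) so no interrupt handler runs while we spin.
           The original also ANDed the previous I-bit value into R0 but never
           used it; that dead instruction (and its clobber) is dropped here. */
        asm volatile (
             "MRS     R1, CPSR\n"
             "ORR     R1, R1, #0x80\n"
             "MSR     CPSR_cf, R1\n"
             ::: "r1");

        *led = 0x44;   // LED off (0x46 is on, see panic())

        while (1);
    }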


    /* Busy-wait for one blink phase of panic(): 0x200000 iterations of two NOPs.
       No timer is usable this early, so the delay is purely instruction-counted. */
    static void panic_delay(void)
    {
        int spin = 0x200000;
        while (spin-- > 0) {
            asm ("nop\n");
            asm ("nop\n");
        }
    }

    /*
     * Error indicator: blink the power LED `cnt` times with equal on/off
     * phases, then halt via shutdown().  Never returns.
     */
    static void __attribute__((noreturn)) panic(int cnt)
    {
        volatile long *led = (void *)LED_PR;

        while (cnt-- > 0) {
            *led = 0x46;    // LED on
            panic_delay();
            *led = 0x44;    // LED off
            panic_delay();
        }
        shutdown();
    }
    Code: [Select]
    loader\a3100\entry.s:
    // Loader entry point.  Spin for 0x8000 iterations before anything else --
    // a crude start-up delay; what it waits for is not stated in this listing.
    MOV     R3, #0x8000   
    1:
    SUB R3, R3, #1
    CMP R3, #0
    BNE 1b

    // ordinary startup...

    // Same prologue as the reset stub's entry.s: stack at 0x1900 (grows down),
    // R11 (APCS frame pointer) cleared, then into my_restart(), which never returns.
    MOV     SP, #0x1900
    MOV     R11, #0
    B my_restart
    Code: [Select]
    loader\a3100\blobs.s:
        .globl blob_copy_and_reset, blob_copy_and_reset_size
        .globl blob_chdk_core, blob_chdk_core_size

        // Raw reset stub (RESET_FILE) and CHDK core (CORE_FILE) binaries,
        // embedded verbatim.  There is no .align after either .incbin, so the
        // *_size values below are exact byte counts and need not be multiples
        // of 4 -- relevant to my_restart(), which copies the stub in longs.
        .section .blob_copy_and_reset
    blob_copy_and_reset_start:
        .incbin RESET_FILE
    blob_copy_and_reset_end:

        .section .blob_chdk_core
    blob_chdk_core_start:
        .incbin CORE_FILE
    blob_chdk_core_end:

        // Descriptors read from C (declared extern in main.c): each *_size is
        // the blob's length in bytes, and each pointer symbol holds the address
        // of the blob's first byte (hence `extern long *blob_chdk_core`).
        .text
    blob_chdk_core_size:
        .long blob_chdk_core_end - blob_chdk_core_start
    blob_chdk_core:
        .long blob_chdk_core_start

    blob_copy_and_reset_size:
        .long blob_copy_and_reset_end - blob_copy_and_reset_start
    blob_copy_and_reset:
        .long blob_copy_and_reset_start
    And I modified boot.c, so the camera now starts normally with spytask, but none of the hooks work yet. My next step will be finding the right function addresses (stubs_entry_2.s) and making all the hooks work properly.

     
