Powershot A3100 - Porting thread - DryOS Development

Ameglin

Powershot A3100 - Porting thread

« on: 16 / August / 2010, 09:20:15 »

Advertisements

Ok, let's start.
Firmware:
DUMP_FF810000_A3100_1.00B.BIN - 23.81MB
Start adress: 0xFF810000
Just cut it to 8mb and start to disasm
Key/iv, as I saw, is different with the 2009th cameras

Logged

c10ud

Re: Powershot A3100 - Porting thread

« Reply #1 on: 16 / August / 2010, 13:52:58 »

great find!
http://www.zshare.net/download/7941026873c6c1ed/ 8mb version

Logged

fe50

3105
IXUS50 & 860, SX10 Star WARs-Star RAWs

Re: Powershot A3100 - Porting thread

« Reply #2 on: 17 / August / 2010, 01:35:00 »

Good work; added to the dumps archive...

Quote from: fe50 on 17 / August / 2010, 01:33:32

Added the A3100 1.00B dump from this post (8MB full dump, by Ameglin / c10ud, dumped with reyalP's new CBasic udumper) to the drop.io - chdkdumps3 backup archive.
http://drop.io/chdkdumps3/asset/a3100-100b-7z
Thx to the 'dumpers' & uploaders !

Logged

-->FIRMWARE DUMPS<-- * Manual * Lua * me

reyalp

12000

Re: Powershot A3100 - Porting thread

« Reply #3 on: 17 / August / 2010, 01:59:59 »

"DRYOS version 2.3, release #0043"

A new one, the highest previously known was 39 (edit: for P&S, looks like EOS 550D uses this too)

edit:
Looks to me like the key is different by the IV is same as other d4 ?

Also, dancingbits updated.

« Last Edit: 17 / August / 2010, 03:00:35 by reyalp »

Logged

Don't forget what the H stands for.

Ameglin

Re: Powershot A3100 - Porting thread

« Reply #4 on: 17 / August / 2010, 09:12:57 »

Dancingbits is correct. I used it as encoder in udumper nudryos and dumped SX210IS&A3100 firmware so I suppose, that other 2010th cameras has the same dancingbits:
http://chdk.setepontos.com/index.php/topic,5045.msg53819.html#msg53819

Logged

Ameglin

Re: Powershot A3100 - Porting thread

« Reply #5 on: 18 / August / 2010, 07:55:24 »

I found all LED's using cycling code:

Code: [Select]

#define LED_POWER    0xC0220010
#define LED_AF    0xC0220008
#define LED_AF_ALT           0xC0220009
#define LED_AF_ALT_2        0xC022000A
#define LED_AF_ALT_3   0xC022000B
#define WHITE_SCREEN   0xC0220007
#define WHITE_SCREEN_ALT 0xC0220006
#define FLASH 0xC022000C

AF LED has 4 various adresses
WHITE_SCREEN "LED" powers on display with just white color (has 2 various adresses)
FLASH "LED" shoots flash once

Logged

Ameglin

Re: Powershot A3100 - Porting thread

« Reply #6 on: 19 / August / 2010, 09:13:32 »

I'm now trying to boot CHDK, and have a little problem. After executing resetcode/main.c program doesn't jump to core/entry.s
Here some code:

Code: [Select]

resetcode/main.c

void __attribute__((noreturn)) copy_and_restart(void *dst_void, const void *src_void, long length) {

        {
 char *dst = dst_void;
                const char *src = src_void;

                if (src < dst && dst < src + length)
                {
                        /* Have to copy backwards */
                        src += length;
                        dst += length;
                        while (length--)
                        {
                            *--dst = *--src;
                        }
                }
                else
                {
                        while (length--)
                        {
                                *dst++ = *src++;
                        }
                }

        }
        asm volatile (
     
     "MRS     R0, CPSR\n"
                 "BIC     R0, R0, #0x3F\n"
                 "ORR     R0, R0, #0xD3\n"
                 "MSR     CPSR, R0\n"
  "STM  SP!,{R1,R2}\n"
  "LDM   SP!,{R1,R2}\n" 
                 "LDR     R1, =0xC0200000\n"  
                 "MOV     R0, #0xFFFFFFFF\n"
                 "STR     R0, [R1,#0x10C]\n"
                 "STR     R0, [R1,#0xC]\n"
                 "STR     R0, [R1,#0x1C]\n"
                 "STR     R0, [R1,#0x2C]\n"
                 "STR     R0, [R1,#0x3C]\n"
                 "STR     R0, [R1,#0x4C]\n"
                 "STR     R0, [R1,#0x5C]\n"
                 "STR     R0, [R1,#0x6C]\n"
                 "STR     R0, [R1,#0x7C]\n"
                 "STR     R0, [R1,#0x8C]\n"
                 "STR     R0, [R1,#0x9C]\n"
                 "STR     R0, [R1,#0xAC]\n"
                 "STR     R0, [R1,#0xBC]\n"
                 "STR     R0, [R1,#0xCC]\n"
                 "STR     R0, [R1,#0xDC]\n"
                 "STR     R0, [R1,#0xEC]\n"
                 "CMP     R4, #7\n"
                 "STR     R0, [R1,#0xFC]\n"
                 "LDMEQFD SP!, {R4,PC}\n"
                 "MOV     R0, #0x78\n"
                 "MCR     p15, 0, R0,c1,c0\n"
                 "MOV     R0, #0\n"
                 "MCR     p15, 0, R0,c7,c10, 4\n"
                 "MCR     p15, 0, R0,c7,c5\n"
                 "MCR     p15, 0, R0,c7,c6\n"
                 "MOV     R0, #0x40000006\n"
                 "MCR     p15, 0, R0,c9,c1\n"
                 "MCR     p15, 0, R0,c9,c1, 1\n"
                 "MRC     p15, 0, R0,c1,c0\n"
                 "ORR     R0, R0, #0x50000\n"
                 "MCR     p15, 0, R0,c1,c0\n"
                 "LDR     R0, =0x12345678\n"
                 "MOV     R1, #0x40000000\n"
                 "STR     R0, [R1,#0xFFC]\n"
                 //"LDR     R0, =sub_FF810000\n"
                 "MOV     R0, #0\n"              // new jump-vector

                 "LDMFD   SP!, {R4,LR}\n"
     
     //"STM  SP!,{R1,R2}\n"
     //"LDR     R1, =0xC0220000\n"
     //"MOV   R2, #0x46\n" //LED_On
     //"STR   R2, [R1,#0x10]\n"
     //"LDM    SP!,{R1,R2}\n" 
                 "BX      R0\n"
                 : : "r"(dst_void) : "memory","r0","r1","r2","r3","r4");
        while(1);
}

I don't know what exactly it can be, but I think it is because last operand "BX R0" doesn't work as it must, or R0 has wrong value. I tried to light LED at the beginning of core/entry.s with this code (it works in other entry's), but had no success:

Code: [Select]

STM SP!,{R1,R2} 
LDR    R1, =0xC0220000
MOV   R2, #0x46
STR   R2, [R1,#0xA]
LDM  SP!,{R1,R2}

Has anyone ideas why it can be?

Logged

whoever

280
IXUS950

Re: Powershot A3100 - Porting thread

« Reply #7 on: 19 / August / 2010, 09:30:56 »

Quote from: Ameglin on 19 / August / 2010, 09:13:32

I don't know what exactly it can be, but I think it is because last operand "BX R0" doesn't work as it must, or R0 has wrong value.

It does have a wrong value, as you have "MOV R0, #0\n" a few lines before BX. I reckon it should be "mov R0, %0\n" instead.

Logged

Ameglin

Re: Powershot A3100 - Porting thread

« Reply #8 on: 23 / August / 2010, 06:51:33 »

Thanks! It was my mistake. After changing to MOV R0, %0 jump succeed.
Now I'm trying to adapt boot process to this camera...

Logged

Ameglin

Re: Powershot A3100 - Porting thread

« Reply #9 on: 24 / August / 2010, 05:19:00 »

For now loader works well. Here it is:

Code: [Select]

loader\a3100\resetcode\main.c:
void __attribute__((noreturn)) copy_and_restart(void *dst_void, const void *src_void, long length) {
        {
    char *dst = dst_void;
                const char *src = src_void;

                if (src < dst && dst < src + length)
                {
                        /* Have to copy backwards */
                        src += length;
                        dst += length;
                        while (length--)
                        {
                            *--dst = *--src;
                        }
                }
                else
                {
                        while (length--)
                        {
                                *dst++ = *src++;
                        }
                }
        }
        asm volatile (
     
     "MRS     R0, CPSR\n"
                 "BIC     R0, R0, #0x3F\n"
                 "ORR     R0, R0, #0xD3\n"
                 "MSR     CPSR, R0\n"
     //"STM   SP!,{R1,R2}\n"
     //"LDR   R1, =0xC0220000\n"
     //"MOV   R2, #0x46\n"   //Debug LED_on
     //"STR   R2, [R1,#0x10]\n"                           //0x10 - Power_LED
     //"LDM   SP!,{R1,R2}\n" 
                 "LDR     R1, =0xC0200000\n"   
                 "MOV     R0, #0xFFFFFFFF\n"
                 "STR     R0, [R1,#0x10C]\n"
                 "STR     R0, [R1,#0xC]\n"
                 "STR     R0, [R1,#0x1C]\n"
                 "STR     R0, [R1,#0x2C]\n"
                 "STR     R0, [R1,#0x3C]\n"
                 "STR     R0, [R1,#0x4C]\n"
                 "STR     R0, [R1,#0x5C]\n"
                 "STR     R0, [R1,#0x6C]\n"
                 "STR     R0, [R1,#0x7C]\n"
                 "STR     R0, [R1,#0x8C]\n"
                 "STR     R0, [R1,#0x9C]\n"
                 "STR     R0, [R1,#0xAC]\n"
                 "STR     R0, [R1,#0xBC]\n"
                 "STR     R0, [R1,#0xCC]\n"
                 "STR     R0, [R1,#0xDC]\n"
                 "STR     R0, [R1,#0xEC]\n"
                 "CMP     R4, #7\n"
                 "STR     R0, [R1,#0xFC]\n"
                 "LDMEQFD SP!, {R4,PC}\n"
                 "MOV     R0, #0x78\n"
                 "MCR     p15, 0, R0,c1,c0\n"
                 "MOV     R0, #0\n"
                 "MCR     p15, 0, R0,c7,c10, 4\n"
                 "MCR     p15, 0, R0,c7,c5\n"
                 "MCR     p15, 0, R0,c7,c6\n"
                 "MOV     R0, #0x40000006\n"
                 "MCR     p15, 0, R0,c9,c1\n"
                 "MCR     p15, 0, R0,c9,c1, 1\n"
                 "MRC     p15, 0, R0,c1,c0\n"
                 "ORR     R0, R0, #0x50000\n"
                 "MCR     p15, 0, R0,c1,c0\n"
                 "LDR     R0, =0x12345678\n"
                 "MOV     R1, #0x40000000\n"
                 "STR     R0, [R1,#0xFFC]\n"
                 //"LDR     R0, =sub_FF810000\n"
                 "MOV     R0, %0\n"              // new jump-vector
                 "LDMFD   SP!, {R4,LR}\n"
                 "BX      R0\n"

                 : : "r"(dst_void) : "memory","r0","r1","r2","r3","r4");
        while(1);
}

Code: [Select]

loader\a3100\resetcode\entry.s:
              .section .entry
 MOV     SP, #0x1900
 MOV     R11, #0
 B copy_and_restart

Code: [Select]

loader\a3100\main.c:
static void __attribute__((noreturn)) shutdown();
static void __attribute__((noreturn)) panic(int cnt);

extern long *blob_chdk_core;
extern long *blob_copy_and_reset;
extern long blob_chdk_core_size;
extern long blob_copy_and_reset_size;


void __attribute__((noreturn)) my_restart() 
{
    void __attribute__((noreturn)) (*copy_and_restart)(char *dst, char *src, long length);
    int i;

    for (i=0; i<(blob_copy_and_reset_size/sizeof(long)); i++){
 ((long*)(RESTARTSTART))[i] = blob_copy_and_reset[i];
    }

    copy_and_restart = (void*)RESTARTSTART;
    copy_and_restart((void*)MEMISOSTART, (char*)blob_chdk_core, blob_chdk_core_size);
 //LED_power_on_short();
 //LED_power_off();
}

#define LED_PR 0xC0220010


static void __attribute__((noreturn)) shutdown()
{
    volatile long *p = (void*)LED_PR;       // turned off later, so assumed to be power
        
    asm(
         "MRS     R1, CPSR\n"
         "AND     R0, R1, #0x80\n"
         "ORR     R1, R1, #0x80\n"
         "MSR     CPSR_cf, R1\n"
         :::"r1","r0");
        
    *p = 0x44;  // led off.

    while(1);
}


static void __attribute__((noreturn)) panic(int cnt)
{
 volatile long *p=(void*)LED_PR;
 int i;

 for(;cnt>0;cnt--){
  p[0]=0x46;

  for(i=0;i<0x200000;i++){
   asm ("nop\n");
   asm ("nop\n");
  }
  p[0]=0x44;
  for(i=0;i<0x200000;i++){
   asm ("nop\n");
   asm ("nop\n");
  }
 }
 shutdown();
}

Code: [Select]

loader\a3100\entry.s:
MOV     R3, #0x8000   
1:
 SUB R3, R3, #1
 CMP R3, #0
 BNE 1b

// ordinary startup...

 MOV     SP, #0x1900
 MOV     R11, #0
 B my_restart

Code: [Select]

loader\a3100\blobs.s:
    .globl blob_copy_and_reset, blob_copy_and_reset_size
    .globl blob_chdk_core, blob_chdk_core_size

    .section .blob_copy_and_reset
blob_copy_and_reset_start:
    .incbin RESET_FILE
blob_copy_and_reset_end:

    .section .blob_chdk_core
blob_chdk_core_start:
    .incbin CORE_FILE
blob_chdk_core_end:

    .text
blob_chdk_core_size:
    .long blob_chdk_core_end - blob_chdk_core_start
blob_chdk_core:
    .long blob_chdk_core_start

blob_copy_and_reset_size:
    .long blob_copy_and_reset_end - blob_copy_and_reset_start
blob_copy_and_reset:
    .long blob_copy_and_reset_start

And I modified boot.c, so camera now starts normally with spytask, but all hooks don't work yet. My next step will be founding right func addresses (stubs_entry_2.s) and making all hooks work properly.

Logged