Looking to dump SX30 IS firmware. Who can help?! - page 2 - Firmware Dumping - CHDK Forum

philmoz
Re: Looking to dump SX30 IS firmware. Who can help?!
« Reply #10 on: 21 / November / 2010, 03:39:19 »
I tried changing the NEED_ENCODED_DISKBOOT to 5 but got the same result.
Also tried the D10 blink code; but no luck there either.
I guess you probably know this, but you would need an LED address valid for your camera in
   LDR     R3, =0xC0220130

Quote
Could the SX30 be using a different encoding again (the strings in the firmware say it is dryos 2.3 release #0045). If so where would I need to look in the firmware to work out what it should be.
It's possible. The function that does the decoding can be found near a reference to the string "not executable". References to "A/DISKBOOT.BIN" and "StartDiskboot" should be earlier in the same function.

Comparison to known cameras should help you find it.
Quote
Forgot to mention previously that I also added a section to camera.h for the SX30, I just copied the SX20 section without changing any values - are any of the values in this likely to affect the image build / boot (sorry if my terminology is wrong, still getting my head around the whole project).
If you can't turn on an LED in loader, none of the main CHDK code matters.

edit:
dancingbits 5 looks correct to me, @FFC31330 in sx30 100h dump.

This is what I've currently got in loader/sx30/entry.s - been a while since I've done any serious assembly coding so I may have screwed this up. Basically trying to use your D10 sample; but setting all addresses from 0xc0220000 to 0xc0220400 to see if I can get something blinking.

    .section .entry

// Turn OFF SD Card power
// to support autostart
//   LDR     R3, =0xC0220018
//   MOV     R2, #0x44
//   STR     R2, [R3]

// looks like idle cycle is required for proper shutdown
//   MOV     R3, #0xF0000
//1:
//   SUB   R3, R3, #1
//   CMP   R3, #0
//   BNE   1b
   
// for testing, blink LED 10 times at boot
   MOV      R1,#10
2:
   MOV     R2, #0x46
   MOV      R4,#0x400
   LDR     R3, =0xC0220000
3:
   STR     R2, [R3]
   ADD      R3,R3,#4
   SUB      R4,R4,#4
   CMP      R4,#0
   BNE      3b

   MOV     R0, #0x8000
4:
   SUB R0,R0,#1
   CMP R0,#0
   BNE 4b

   MOV     R2, #0x44
   MOV      R4,#0x400
   LDR     R3, =0xC0220000
5:
   STR     R2, [R3]
   ADD      R3,R3,#4
   SUB      R4,R4,#4
   CMP      R4,#0
   BNE      5b

   MOV     R0, #0x8000
6:
   SUB R0,R0,#1
   CMP R0,#0
   BNE 6b

   SUB R1,R1,#1
   CMP R1,#0
   BNE 2b
   
// ordinary startup...

   MOV     SP, #0x1900
   MOV     R11, #0
   B   my_restart
CHDK ports:
  sx30is (1.00c, 1.00h, 1.00l, 1.00n & 1.00p)
  g12 (1.00c, 1.00e, 1.00f & 1.00g)
  sx130is (1.01d & 1.01f)
  ixus310hs (1.00a & 1.01a)
  sx40hs (1.00d, 1.00g & 1.00i)
  g1x (1.00e, 1.00f & 1.00g)
  g5x (1.00c, 1.01a, 1.01b)
  g7x2 (1.01a, 1.01b, 1.10b)
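
An added example, not code from the thread or from CHDK: one way to find the landmarks reyalp describes is to scan a little-endian dump for the three strings and list every 32-bit ARM word that points at them, either as a literal-pool entry or as an ADR (ADD/SUB Rd, PC, #imm). The load address `SAMPLE_BASE`, the helper names and the tiny sample image are constructed for illustration; Thumb code is not handled.

```python
import struct

# Landmark strings named in the thread, in the order they are expected to be referenced.
LANDMARKS = (b"A/DISKBOOT.BIN", b"StartDiskboot", b"not executable")
SAMPLE_BASE = 0xFF000000  # constructed load address for the sample, not the SX30's

def _ror32(value, bits):
    bits %= 32
    return ((value >> bits) | (value << (32 - bits))) & 0xFFFFFFFF

def find_string_refs(dump, base, needle):
    """Addresses of 32-bit ARM words that point at `needle` in a little-endian dump."""
    targets, pos = set(), dump.find(needle)
    while pos != -1:
        targets.add(base + pos)
        pos = dump.find(needle, pos + 1)
    refs = set()
    for off in range(0, len(dump) - 3, 4) if targets else ():
        (word,) = struct.unpack_from("<I", dump, off)
        addr, op = base + off, word & 0x0FFF0000
        if word in targets:
            refs.add(addr)  # literal-pool entry (loaded by LDR Rd, =string)
        elif op in (0x028F0000, 0x024F0000):  # ADD/SUB Rd, PC, #imm, i.e. ADR
            imm = _ror32(word & 0xFF, 2 * ((word >> 8) & 0xF))
            pc = addr + 8  # ARM-state PC reads two instructions ahead
            dest = pc + imm if op == 0x028F0000 else pc - imm
            if dest & 0xFFFFFFFF in targets:
                refs.add(addr)
    return sorted(refs)

def locate_landmarks(dump, base):
    return {s.decode(): find_string_refs(dump, base, s) for s in LANDMARKS}

def build_sample(base):
    """Constructed 0x50-byte image: three references followed by the three strings."""
    code = struct.pack("<5I",
                       0xE28F0018,   # 0x00 ADR R0, 0x20
                       0xE59F1004,   # 0x04 LDR R1, [PC, #4] -> literal at 0x10
                       0xE28F2030,   # 0x08 ADR R2, 0x40
                       0xE12FFF1E,   # 0x0C BX  LR
                       base + 0x30)  # 0x10 literal: address of "StartDiskboot"
    image = code.ljust(0x20, b"\0")
    for s in LANDMARKS:
        image += (s + b"\0").ljust(0x10, b"\0")
    return image

if __name__ == "__main__":
    for name, refs in locate_landmarks(build_sample(SAMPLE_BASE), SAMPLE_BASE).items():
        print(f"{name!r}: " + ", ".join(f"0x{r:08X}" for r in refs))
```

For a literal-pool hit the reported address is the pool entry itself, so the LDR that loads it sits a little earlier in the same function.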

reyalp
Re: Looking to dump SX30 IS firmware. Who can help?!
« Reply #11 on: 21 / November / 2010, 03:50:31 »
You may find it more convenient to do this in C in loader/main.c my_restart

Barring any major toolchain issues, it should be the same.

After building, you can look at main.dump in that directory if you want to see what code is being generated.
Don't forget what the H stands for.

philmoz
Re: Looking to dump SX30 IS firmware. Who can help?!
« Reply #12 on: 21 / November / 2010, 07:28:17 »
You may find it more convenient to do this in C in loader/main.c my_restart

Barring any major toolchain issues, it should be the same.

After building, you can look at main.dump in that directory if you want to see what code is being generated.

Some success - found the Power LED address = 0xC0220134
Can now blink this in the loader.

Now the fun begins.  :)

Phil.

reyalp
Re: Looking to dump SX30 IS firmware. Who can help?!
« Reply #13 on: 21 / November / 2010, 14:27:08 »
You may find it more convenient to do this in C in loader/main.c my_restart

Barring any major toolchain issues, it should be the same.

After building, you can look at main.dump in that directory if you want to see what code is being generated.

Some success - found the Power LED address = 0xC0220134
Can now blink this in the loader.

Now the fun begins.  :)

Phil.

Great! If you haven't already, be sure to check out http://chdk.wikia.com/wiki/Adding_support_for_a_new_camera and http://chdk.wikia.com/wiki/For_Developers

You will want to refer to several cameras in different situations.  The development threads of other newer cameras, like sx210, s95, ixus300 should be helpful.

I'm not a fan of copying a port (e.g. sx20) and trying to "fix" it. Some thoughts on that here: http://chdk.setepontos.com/index.php?topic=3977.msg37430#msg37430


Re: Looking to dump SX30 IS firmware. Who can help?!
« Reply #14 on: 22 / November / 2010, 23:38:50 »
I've got at least 50 bucks with your name on it Phil, if you can successfully port CHDK to the SX30.  I appreciate the work you do too reyalp.  All I need is the stupid intervalometer script, so I can set the camera up to take pictures automatically every x seconds. Wish I could help more!

philmoz
Re: Looking to dump SX30 IS firmware. Who can help?!
« Reply #15 on: 23 / November / 2010, 05:01:22 »

Great! If you haven't already, be sure to check out http://chdk.wikia.com/wiki/Adding_support_for_a_new_camera and http://chdk.wikia.com/wiki/For_Developers

You will want to refer to several cameras in different situations.  The development threads of other newer cameras, like sx210, s95, ixus300 should be helpful.

I'm not a fan of copying a port (e.g. sx20) and trying to "fix" it. Some thoughts on that here: http://chdk.setepontos.com/index.php?topic=3977.msg37430#msg37430


Thanks for all the info and guidance so far.

I now have the boot working without any hooks or spytask, and the camera boots normally after going through the CHDK startup (I have my led blinker in there so I know it's working).

When I enable the core_spytask the camera starts, the canon splash screen shows, and after a second or so the camera shuts down.

I presume I'm missing some critical function mappings; but not sure where to start.
I updated stubs_entry_2.s from the values in stubs_entry_ida.s where I could find a match.
Everything else in stubs_entry_2.s I pointed to a null subroutine (BX LR).
Haven't modified stubs_min.s yet.

Any suggestions on the best approach at this point would be welcome.
I'm going to try adding led blinking to the core_spytask code to try and trace how far it gets.

Regards,
Phil.

Re: Looking to dump SX30 IS firmware. Who can help?!
« Reply #16 on: 23 / November / 2010, 09:56:59 »

When I enable the core_spytask the camera starts, the canon splash screen shows, and after a second or so the camera shuts down.


philmoz: I'm slightly ahead of you in the process on a different camera. The spy_task does not do much once it gets running - at least not until some other task causes it to take action. If you have the rest of the tasks commented out still, then one thing to look at is the logo code (called through gui_redraw() in the loop at the bottom of main.c). The logo code (in gui.c) is called by gui_handle_splash() - which counts down each time it's called and eventually calls draw_restore() to clear the logo. (I'm having trouble with draw_restore() too).

If the logo draws and then clears a few seconds later (i.e. before the camera shuts down) then draw_restore() probably is okay. If the camera shuts down before clearing the logo, then draw_restore() is a good place to look?

Using the LED blinker is smart. Once you get the screen running, you can also help debugging by setting up a small global array for writing values to that you just display all the time on the screen. Handy when you want more than on/off info from an LED. I put my debug display code in the spy_task main loop. I can post code if it's not obvious how to do this from my description.

WW
Ported :   A1200    SD940   G10    Powershot N    G16

Re: Looking to dump SX30 IS firmware. Who can help?!
« Reply #17 on: 23 / November / 2010, 10:50:56 »
I should have suggested you point RefreshPhysicalScreen to a null subroutine. That's what eventually gets called to make the logo graphic disappear and thus may be where you are crashing.


reyalp
Re: Looking to dump SX30 IS firmware. Who can help?!
« Reply #18 on: 23 / November / 2010, 13:08:19 »
You may find a ROMLOG useful http://chdk.wikia.com/wiki/Canon_Basic/Scripts/Romlog

core/main.dump is disassembly of your CHDK code, so you can look up any CHDK RAM addresses you find in the registers or stack dump there.

You have to actually verify function addresses, neither ida nor the sig finder are perfect. I generally don't look at things that have a 100% match in the sig finder, but everything else needs to be checked against disassembly, comparing to a known good camera.

Some of the items in stubs_min are fairly important. At a minimum, physw_status.

There are some functions that can't safely be replaced with a BX LR, for example anything that is expected to return a value ;)

philmoz
Re: Looking to dump SX30 IS firmware. Who can help?!
« Reply #19 on: 23 / November / 2010, 13:50:49 »
Thanks again guys.

I've found that the call to 'rbf_load_symbol' in 'conf_change_menu_symbol_rbf_file' (conf.c) causes the camera to shut down without drawing anything.

If I comment that out I get the logo without any colour. It doesn't erase so I'll check the draw_restore code next. Also I don't get any text displayed with the logo - it looks like there should be some.

Sounds like another pass through the stubs files is needed as well, was hoping to at least get the screen and keyboard working before I had to do that, oh well.

Have to say this is fun, takes me back to my early programming days :-)

Phil.