Powershot SX150 IS Porting Thread

    Re: Powershot SX150 IS Porting Thread
    « Reply #10 on: 29 / October / 2011, 08:02:13 »
    Here's what I have so far.  I have used the attached addresses.txt file for the SX130 1.01f reference ROM in CHDK-PT to generate boot.c.  I tweaked the addresses.txt size values so that CHDK-PT in some instances produces a longer output due to subroutines being longer in the SX150 firmware.

    I have attached an incomplete boot.c file in case others feel like helping with the patches.  I have added "TODO" comments in the sections that have not been patched yet.

    I put LED blinking code in taskcreate_Startup_my() but unfortunately the camera never reaches this subroutine.  If I put the blinking code in boot() the LED flashes.  Can anyone take a quick look at the subroutines before taskcreate_Startup_my() to see if I've made a mistake in the patches?


    sgtrum

    funnel
    Re: Powershot SX150 IS Porting Thread
    « Reply #11 on: 29 / October / 2011, 08:14:16 »
    I guess the problem is the new_sa. I didn't check everything so it could be something else.

    Code:
    void __attribute__((naked,noinline)) sub_FF8111B0_my() {

    //TODO: Patch code (see SX130 code example below) and add branch to return to firmware
    // Note code was found manually in IDA (CHDK-PT could not find it)

    asm volatile (
    "STR     LR, [SP,#var_4]! \n"
    "SUB     SP, SP, #0x74 \n"
    "MOV     R1, #0x74 \n"
    "MOV     R0, SP \n"
    "BL      sub_FFB8BA64 \n"
    "MOV     R0, #0x57000 \n"
    "STR     R0, [SP,#0x78+var_74] \n"

    //"LDR     R0, =0x175CE0 \n"
    " LDR R0, =new_sa \n" // added -------------->
    " LDR R0, [R0] \n" // added -------------->

    "LDR     R2, =0x2EDAD0 \n"
    "STR     R0, [SP,#0x78+var_70] \n"
    "SUB     R0, R2, R0 \n"
    "STR     R0, [SP,#0x78+var_6C] \n"
    "MOV     R0, #0x22 \n"

    funnel
    Re: Powershot SX150 IS Porting Thread
    « Reply #12 on: 29 / October / 2011, 08:17:54 »
    I see now you have some copy-paste errors. In IDA you have to press the Q key to calculate these values:

    [SP,#0x78+var_74]
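
An added example, not part of the original posts: a small Python filter that resolves IDA's stack-variable operands into the numeric immediates gcc accepts, using IDA's convention that `var_NN` stands for the offset -0xNN. The sample lines are copied from the snippet in reply #11; the function names are made up for this illustration.

```python
import re

_TERM = r"(?:0x[0-9A-Fa-f]+|\d+|var_[0-9A-Fa-f]+)"
# An immediate built from constants and IDA stack variables, e.g. "#0x78+var_74".
IMM = re.compile(r"#(" + _TERM + r"(?:[+-]" + _TERM + r")*)")
TERM = re.compile(r"([+-]?)(" + _TERM + r")")


def term_value(tok):
    """Numeric value of one term; var_NN is the stack slot at offset -0xNN."""
    if tok.startswith("var_"):
        return -int(tok[4:], 16)
    return int(tok, 0)


def resolve_imm(match):
    expr = match.group(1)
    if "var_" not in expr:
        return match.group(0)          # plain constant: leave untouched
    total = 0
    for sign, tok in TERM.findall(expr):
        value = term_value(tok)
        total += -value if sign == "-" else value
    return "#-0x%X" % -total if total < 0 else "#0x%X" % total


def fix_line(line):
    """Rewrite every IDA-style immediate on one assembly line."""
    return IMM.sub(resolve_imm, line)


# Lines taken from the sub_FF8111B0_my() snippet quoted in the thread.
SAMPLE = [
    "STR     LR, [SP,#var_4]!",
    "SUB     SP, SP, #0x74",
    "STR     R0, [SP,#0x78+var_74]",
    "STR     R0, [SP,#0x78+var_70]",
    "STR     R0, [SP,#0x78+var_6C]",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print("%-32s -> %s" % (line, fix_line(line)))
```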


    Re: Powershot SX150 IS Porting Thread
    « Reply #13 on: 29 / October / 2011, 10:28:01 »
    I have attached an incomplete boot.c file in case others feel like helping with the patches.  I have added "TODO" comments in the sections that have not been patched yet.

    I see now you have some copy-paste errors. In IDA you have to press the Q key to calculate these values:

    [SP,#0x78+var_74]

    Code:
    void __attribute__((naked,noinline)) sub_FF8111B0_my() {

    //TODO: Patch code (see SX130 code example below) and add branch to return to firmware
    //Note code was found manually in IDA (CHDK-PT could not find it)

    asm volatile (
    "STR     LR, [SP,#var_4]! \n"
    "SUB     SP, SP, #0x74 \n"

    Even if CHDK-PT can't translate part of the sx130 code to the sx150, once you get this far you can simply point CHDK-PT at the appropriate address in the sx150 dump and disassemble directly, e.g. at 0xFF8111B0.

    That way you don't have to edit IDA output to get the format into something gcc will accept - and you don't have to translate all the var_nn stuff either!





    Ported : A1200  SD940  G10  Powershot N  G16*


    Re: Powershot SX150 IS Porting Thread
    « Reply #14 on: 29 / October / 2011, 10:39:13 »
    I put LED blinking code in taskcreate_Startup_my() but unfortunately the camera never reaches this subroutine.  If I put the blinking code in boot() the LED flashes.  Can anyone take a quick look at the subroutines before taskcreate_Startup_my() to see if I've made a mistake in the patches?

    The code you posted can never get as far as taskcreate_Startup_my().  It will never even get to sub_FF815EE0_my() as that function is not called anywhere.  You need to fix up sub_FF8111B0_my() so that it ends up at sub_FF815EE0_my().
    Ported : A1200  SD940  G10  Powershot N  G16*
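
An added example, not part of the original posts: a Python check that finds patched functions in a boot.c-style file that nothing reachable from boot() branches to, which is the fault described in the reply above. The sample source is constructed and heavily shortened; it reuses function names from the thread, but the chain between them is an assumption made for illustration.

```python
import re

DEF = re.compile(r"^void\s+(?:__attribute__\(\(.*?\)\)\s*)?(\w+)\s*\(", re.M)
# Operand of a branch (B, BL, BLLT, ...) or of a literal load (LDR Rn, =name)
# on an asm string line. Lines commented out with // do not start with a quote.
REF = re.compile(r'^\s*"\s*(?:B[A-Z]*\s+|LDR\w*\s+\w+\s*,\s*=)(\w+)', re.M)


def call_graph(src):
    """Map each function defined in src to the names its asm body refers to."""
    defs = [(m.group(1), m.start()) for m in DEF.finditer(src)]
    graph = {}
    for i, (name, start) in enumerate(defs):
        end = defs[i + 1][1] if i + 1 < len(defs) else len(src)
        graph[name] = set(REF.findall(src[start:end]))
    return graph


def unreachable(src, entry="boot"):
    """Defined functions that cannot be reached from entry."""
    graph = call_graph(src)
    seen, todo = set(), [entry]
    while todo:
        fn = todo.pop()
        if fn in seen or fn not in graph:   # firmware routines are not in graph
            continue
        seen.add(fn)
        todo.extend(graph[fn])
    return sorted(set(graph) - seen)


# Constructed sample: sub_FF8111B0_my still branches to the firmware routine.
SAMPLE = r'''
void boot() { asm volatile (
    "B       sub_FF8111B0_my \n"
); }
void __attribute__((naked,noinline)) sub_FF8111B0_my() { asm volatile (
    "LDR     R0, =new_sa \n"
    "B       sub_FF815EE0 \n"
); }
void __attribute__((naked,noinline)) sub_FF815EE0_my() { asm volatile (
    "BL      taskcreate_Startup_my \n"
); }
void __attribute__((naked,noinline)) taskcreate_Startup_my() { asm volatile (
    "LDR     R3, =task_Startup_my \n"
); }
'''

if __name__ == "__main__":
    print(unreachable(SAMPLE))
```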

    Re: Powershot SX150 IS Porting Thread
    « Reply #15 on: 29 / October / 2011, 14:36:47 »
    Thanks for all of the help guys.

    I have fixed the IDA paste mistakes and have added the jump to taskcreate_Startup_my().  The LEDs now flash.

    I can't seem to figure out where to place the next patch in taskcreate_Startup_my() to jump to task_Startup_my().  I have attached the modified boot.c file (previous version had an incorrect task_Startup_my() start address).

    Also, do I need the "power on (hold pwr button for rec)" patch that is in the sx130 code?  Not sure where to apply that either.

    Any ideas?


    sgtrum

    Re: Powershot SX150 IS Porting Thread
    « Reply #16 on: 29 / October / 2011, 15:29:26 »
    Also, do I need the "power on (hold pwr button for rec)" patch that is in the sx130 code?  Not sure where to apply that either.
    Sorry - don't have time to work on this right now.  If you are still stuck later tonight I'll take a look.

    Meanwhile, the "power on (hold pwr button for rec)" patch is not strictly needed.  What it does is allow the camera to start up in record / shooting mode if you hold down the On/Off button during startup.  Without it, the camera starts in Playback mode and you have to "half press" the shutter button to get into shooting mode.

    Ported : A1200  SD940  G10  Powershot N  G16*

    funnel
    Re: Powershot SX150 IS Porting Thread
    « Reply #17 on: 29 / October / 2011, 17:01:44 »
    I took a look right now. Every port is different and you need to make the appropriate changes. In your case there's a jump to another function before the taskcreate_Startup_my().

    You do it like this

    Code:
    //** sub_FF815F2C_my  @ 0xFF815F2C
    void __attribute__((naked,noinline)) sub_FF815F2C_my() {
    asm volatile (

    " STMFD SP!, {R4,LR} \n"                   
    " BL sub_FF810B28 \n"                     
    " BL sub_FF81A384 \n"                     
    " CMP R0, #0 \n"                           
    " LDRLT R0, =0xFF816040 \n"               
    " BLLT sub_FF816020 \n"                   
    " BL sub_FF815B64 \n"                     
    " CMP R0, #0 \n"                           
    " LDRLT R0, =0xFF816048 \n"               
    " BLLT sub_FF816020 \n"                   
    " LDR R0, =0xFF816058 \n"                 
    " BL sub_FF815C4C \n"                     
    " CMP R0, #0 \n"                           
    " LDRLT R0, =0xFF816060 \n"               
    " BLLT sub_FF816020 \n"                   
    " LDR R0, =0xFF816058 \n"                 
    " BL sub_FF813CA8 \n"                     
    " CMP R0, #0 \n"                           
    " LDRLT R0, =0xFF816074 \n"               
    " BLLT sub_FF816020 \n"                   
    " BL sub_FF819CEC \n"                     
    " CMP R0, #0 \n"                           
    " LDRLT R0, =0xFF816080 \n"               
    " BLLT sub_FF816020 \n"                   
    " BL sub_FF811690 \n"                     
    " CMP R0, #0 \n"                           
    " LDRLT R0, =0xFF81608C \n"               
    " BLLT sub_FF816020 \n"                   
    " LDMFD SP!, {R4,LR} \n"                   
    " B sub_FF81FD8C_my\n" //patched

    );
    }

    void __attribute__((naked,noinline)) sub_FF81FD8C_my(  ) {
    asm volatile (
    " STMFD SP!, {R4,LR} \n"                   
    " BL sub_FF8342BC \n"                     
    //" BL sub_FF81FDA0 \n"                     
    " B taskcreate_Startup_my \n" //patched
    " MOV R0, #0 \n"                           
    " LDMFD SP!, {R4,PC} \n"                   
    );
    }


    Re: Powershot SX150 IS Porting Thread
    « Reply #18 on: 30 / October / 2011, 04:50:26 »
    I fixed a bunch of mistakes in my boot.c file.  The boot process now reaches task_Startup_my() but doesn't end up in CreateTask_PhySw().  Can you guys spot the mistake?


    sgtrum

    funnel
    Re: Powershot SX150 IS Porting Thread
    « Reply #19 on: 30 / October / 2011, 08:19:17 »
    I would suggest you comment out the task hooks for now and re-enable them later in the port process.

    Code:
    void taskCreateHook(context_t **context) {
    task_t *tcb=(task_t*)((char*)context-offsetof(task_t, context));

    // Replace firmware task addresses with ours
    //if(tcb->entry == (void*)task_CaptSeq) tcb->entry = (void*)capt_seq_task;
    //if(tcb->entry == (void*)task_InitFileModules) tcb->entry = (void*)init_file_modules_task;
    //if(tcb->entry == (void*)task_RotaryEncoder) tcb->entry = (void*)JogDial_task_my;
    //if(tcb->entry == (void*)task_MovieRecord) tcb->entry = (void*)movie_record_task;
    //if(tcb->entry == (void*)task_ExpDrv) tcb->entry = (void*)exp_drv_task;
    }

     
