
Powershot SX150 IS Porting Thread

Re: Powershot SX150 IS Porting Thread
« Reply #10 on: 29 / October / 2011, 08:02:13 »
Here's what I have so far. I have used the attached addresses.txt file for the SX130 1.01f reference ROM in CHDK-PT to generate boot.c. I tweaked the addresses.txt size values so that CHDK-PT in some instances produces a longer output, because the subroutines are longer in the SX150 firmware.

I have attached an incomplete boot.c file in case others feel like helping with the patches.  I have added "TODO" comments in the sections that have not been patched yet.

I put LED blinking code in taskcreate_Startup_my() but unfortunately the camera never reaches this subroutine.  If I put the blinking code in boot() the LED flashes.  Can anyone take a quick look at the subroutines before taskcreate_Startup_my() to see if I've made a mistake in the patches?


sgtrum

Offline funnel

Re: Powershot SX150 IS Porting Thread
« Reply #11 on: 29 / October / 2011, 08:14:16 »
I guess the problem is the new_sa. I didn't check everything so it could be something else.

Code:
void __attribute__((naked,noinline)) sub_FF8111B0_my() {

//TODO: Patch code (see SX130 code example below) and add branch to return to firmware
// Note code was found manually in IDA (CHDK-PT could not find it)

asm volatile (
"STR     LR, [SP,#var_4]! \n"
"SUB     SP, SP, #0x74 \n"
"MOV     R1, #0x74 \n"
"MOV     R0, SP \n"
"BL      sub_FFB8BA64 \n"
"MOV     R0, #0x57000 \n"
"STR     R0, [SP,#0x78+var_74] \n"

//"LDR     R0, =0x175CE0 \n"
" LDR R0, =new_sa \n" // added -------------->
" LDR R0, [R0] \n" // added -------------->

"LDR     R2, =0x2EDAD0 \n"
"STR     R0, [SP,#0x78+var_70] \n"
"SUB     R0, R2, R0 \n"
"STR     R0, [SP,#0x78+var_6C] \n"
"MOV     R0, #0x22 \n"


Offline funnel

Re: Powershot SX150 IS Porting Thread
« Reply #12 on: 29 / October / 2011, 08:17:54 »
I see now you have some copy-paste errors. In IDA you have to press the Q key to calculate these values:

[SP,#0x78+var_74]


Re: Powershot SX150 IS Porting Thread
« Reply #13 on: 29 / October / 2011, 10:28:01 »
I have attached an incomplete boot.c file in case others feel like helping with the patches.  I have added "TODO" comments in the sections that have not been patched yet.

I see now you have some copy-paste errors. In IDA you have to press the Q key to calculate these values:

[SP,#0x78+var_74]

Code:
void __attribute__((naked,noinline)) sub_FF8111B0_my() {

//TODO: Patch code (see SX130 code example below) and add branch to return to firmware
//Note code was found manually in IDA (CHDK-PT could not find it)

asm volatile (
"STR     LR, [SP,#var_4]! \n"
"SUB     SP, SP, #0x74 \n"

Even if CHDK-PT can't translate part of the sx130 code to the sx150, once you get this far you can simply point CHDK-PT at the appropriate address in the sx150 dump and disassemble directly, e.g. at 0xFF8111B0.

That way you don't have to edit IDA output to get the format into something gcc will accept, and you don't have to translate all the var_nn stuff either!

Ported : A1200  SD940  G10  Powershot N  G16*


Re: Powershot SX150 IS Porting Thread
« Reply #14 on: 29 / October / 2011, 10:39:13 »
I put LED blinking code in taskcreate_Startup_my() but unfortunately the camera never reaches this subroutine.  If I put the blinking code in boot() the LED flashes.  Can anyone take a quick look at the subroutines before taskcreate_Startup_my() to see if I've made a mistake in the patches?

The code you posted can never get as far as taskcreate_Startup_my(). It will never even get to sub_FF815EE0_my(), as that function is not called anywhere. You need to fix up sub_FF8111B0_my() so that it ends up at sub_FF815EE0_my().
Ported : A1200  SD940  G10  Powershot N  G16*
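A check for the two mistakes pointed out in Replies #12 and #14, as an added example that is not from the thread or from CHDK: it scans a boot.c for IDA var_nn/arg_nn leftovers inside the asm strings (which gcc cannot resolve) and for _my functions that are defined but never the target of a branch (the reason taskcreate_Startup_my() was never reached). The boot.c fragment is constructed for the demo; the function and regex names are this example's own.

```python
import re

# Constructed boot.c fragment (hypothetical, not the file attached in this thread):
# IDA leftovers on two asm lines, plus a _my function that nothing branches to.
SAMPLE_BOOT_C = r'''void __attribute__((naked,noinline)) boot() {
asm volatile (
" B sub_FF8111B0_my \n"
);
}
void __attribute__((naked,noinline)) sub_FF8111B0_my() {
asm volatile (
"STR     LR, [SP,#var_4]! \n"
"STR     R0, [SP,#0x78+var_74] \n"
//" BL sub_FF815EE0_my \n"
"BL      sub_FFB8BA64 \n"
);
}
void __attribute__((naked,noinline)) sub_FF815EE0_my() {
asm volatile (
" B taskcreate_Startup_my \n" //patched
);
}'''

ASM_STRING = re.compile(r'"([^"\\]*(?:\\.[^"\\]*)*)"')      # one quoted asm line
IDA_PSEUDO = re.compile(r'\b(?:var|arg)_[0-9A-Fa-f]+\b')    # IDA stack-frame names
MY_DEF = re.compile(r'\)\)\s*(\w+_my)\s*\(')                # _my def after __attribute__((...))
MY_BRANCH = re.compile(r'\b(?:B|BL|BX)(?:[A-Z]{2})?\s+(\w+_my)\b')  # B/BL/Bcc to a _my function

def strip_comments(src):
    """Drop // comments so commented-out branches are not counted as reached."""
    return "\n".join(line.split("//", 1)[0] for line in src.splitlines())

def asm_lines(src):
    """(line number, asm text) for every quoted asm string, comments removed."""
    out = []
    for no, line in enumerate(strip_comments(src).splitlines(), 1):
        for m in ASM_STRING.finditer(line):
            out.append((no, m.group(1).replace("\\n", "").strip()))
    return out

def find_ida_pseudo_symbols(src):
    """Asm lines still using var_nn/arg_nn, which gcc cannot resolve (Reply #12)."""
    return [(no, text) for no, text in asm_lines(src) if IDA_PSEUDO.search(text)]

def find_unreached_patches(src):
    """_my functions that are defined but never branched to (Reply #14's symptom)."""
    defined = set(MY_DEF.findall(strip_comments(src)))
    reached = {m.group(1) for _, t in asm_lines(src) for m in [MY_BRANCH.search(t)] if m}
    return sorted(defined - reached)
```

Run it over a real boot.c before flashing: every line it lists is either a symbol IDA's Q key should have turned into a number or a patched function the boot path never reaches.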

Re: Powershot SX150 IS Porting Thread
« Reply #15 on: 29 / October / 2011, 14:36:47 »
Thanks for all of the help guys.

I have fixed the IDA paste mistakes and have added the jump to taskcreate_Startup_my().  The LEDs now flash.

I can't seem to figure out where to place the next patch in taskcreate_Startup_my() to jump to task_Startup_my(). I have attached the modified boot.c file (the previous version had an incorrect task_Startup_my() start address).

Also, do I need the "power on (hold pwr button for rec)" patch that is in the sx130 code?  Not sure where to apply that either.

Any ideas?


sgtrum

Re: Powershot SX150 IS Porting Thread
« Reply #16 on: 29 / October / 2011, 15:29:26 »
Also, do I need the "power on (hold pwr button for rec)" patch that is in the sx130 code?  Not sure where to apply that either.
Sorry - don't have time to work on this right now.  If you are still stuck later tonight I'll take a look.

Meanwhile,  the "power on (hold pwr button for rec)" patch is not strictly needed.  What it does is allow the camera to startup in record / shooting mode if you hold down the On/Off button during startup.   Without it,  the camera starts in Playback mode and you have to "half press" the shutter button to get into shooting mode.

Ported : A1200  SD940  G10  Powershot N  G16*


Offline funnel

Re: Powershot SX150 IS Porting Thread
« Reply #17 on: 29 / October / 2011, 17:01:44 »
I took a look right now. Every port is different and you need to make the appropriate changes. In your case there's a jump to another function before the taskcreate_Startup_my().

You do it like this:

Code:
//** sub_FF815F2C_my  @ 0xFF815F2C
void __attribute__((naked,noinline)) sub_FF815F2C_my() {
    asm volatile (
        " STMFD SP!, {R4,LR} \n"
        " BL sub_FF810B28 \n"
        " BL sub_FF81A384 \n"
        " CMP R0, #0 \n"
        " LDRLT R0, =0xFF816040 \n"
        " BLLT sub_FF816020 \n"
        " BL sub_FF815B64 \n"
        " CMP R0, #0 \n"
        " LDRLT R0, =0xFF816048 \n"
        " BLLT sub_FF816020 \n"
        " LDR R0, =0xFF816058 \n"
        " BL sub_FF815C4C \n"
        " CMP R0, #0 \n"
        " LDRLT R0, =0xFF816060 \n"
        " BLLT sub_FF816020 \n"
        " LDR R0, =0xFF816058 \n"
        " BL sub_FF813CA8 \n"
        " CMP R0, #0 \n"
        " LDRLT R0, =0xFF816074 \n"
        " BLLT sub_FF816020 \n"
        " BL sub_FF819CEC \n"
        " CMP R0, #0 \n"
        " LDRLT R0, =0xFF816080 \n"
        " BLLT sub_FF816020 \n"
        " BL sub_FF811690 \n"
        " CMP R0, #0 \n"
        " LDRLT R0, =0xFF81608C \n"
        " BLLT sub_FF816020 \n"
        " LDMFD SP!, {R4,LR} \n"
        " B sub_FF81FD8C_my \n" //patched: continue in our copy instead of the firmware's
    );
}

void __attribute__((naked,noinline)) sub_FF81FD8C_my() {
    asm volatile (
        " STMFD SP!, {R4,LR} \n"
        " BL sub_FF8342BC \n"
        //" BL sub_FF81FDA0 \n"
        " B taskcreate_Startup_my \n" //patched: replaces the firmware call above
        " MOV R0, #0 \n"
        " LDMFD SP!, {R4,PC} \n"
    );
}


Re: Powershot SX150 IS Porting Thread
« Reply #18 on: 30 / October / 2011, 04:50:26 »
I fixed a bunch of mistakes in my boot.c file.  The boot process now reaches task_Startup_my() but doesn't end up in CreateTask_PhySw().  Can you guys spot the mistake?


sgtrum


Offline funnel

Re: Powershot SX150 IS Porting Thread
« Reply #19 on: 30 / October / 2011, 08:19:17 »
I would suggest you comment out the task hooks for now and re-enable them later in the port process.

Code:
void taskCreateHook(context_t **context) {
    task_t *tcb = (task_t*)((char*)context - offsetof(task_t, context));

    // Replace firmware task addresses with ours
    //if(tcb->entry == (void*)task_CaptSeq) tcb->entry = (void*)capt_seq_task;
    //if(tcb->entry == (void*)task_InitFileModules) tcb->entry = (void*)init_file_modules_task;
    //if(tcb->entry == (void*)task_RotaryEncoder) tcb->entry = (void*)JogDial_task_my;
    //if(tcb->entry == (void*)task_MovieRecord) tcb->entry = (void*)movie_record_task;
    //if(tcb->entry == (void*)task_ExpDrv) tcb->entry = (void*)exp_drv_task;
}

 
