@ARM assembly gurus: How can we do a "cold reboot" from CHDK ?

ewavr

1057
A710IS

Re: @ARM assembly gurus: How can we do a "cold reboot" from CHDK ?

« Reply #10 on: 08 / March / 2008, 14:45:31 »

Advertisements

Quote from: whim on 08 / March / 2008, 14:19:15

Well, as a result I now replaced the address to jump to from FFC0 0000 to FFC1 27E0, recompiled, loaded, and.....
it WORKS ! I got a reliable cold reboot 10 times out of 10 !

As GrAnd wrote, modified copy of this procedure CHDK uses for camera reboot (see loader/<camera model>/resetcode/main.c/copy_and_restart())

Logged

whim

2020
A495/590/620/630 ixus70/115/220/230/300/870 S95

Re: @ARM assembly gurus: How can we do a "cold reboot" from CHDK ?

« Reply #11 on: 08 / March / 2008, 14:53:49 »

@ewavr

I'm aware of that, but that routine reboots into a relocated CHDK, as far as I can tell (and that's not far at all -
the couple of pages of ARM assembly guide that I read already made my head spin

)

wim

« Last Edit: 08 / March / 2008, 14:56:19 by whim »

Logged

*Wikia FAQ *GCC Compiler Shell for Windows

ewavr

1057
A710IS

Re: @ARM assembly gurus: How can we do a "cold reboot" from CHDK ?

« Reply #12 on: 08 / March / 2008, 16:18:24 »

Wow, I found where shutdown() (platform/generic||other/lib.c) function located in original firmware (for A620 @ 0xFFC124CC)

It seems that DIGIC3 (checked for G7 and A720) uses 0xC022004C and 0xC0410000 power-off port addresses instead of 0xC02200A0 for DIGIC2.

« Last Edit: 08 / March / 2008, 16:22:08 by ewavr »

Logged

whim

2020
A495/590/620/630 ixus70/115/220/230/300/870 S95

Re: @ARM assembly gurus: How can we do a "cold reboot" from CHDK ?

« Reply #13 on: 08 / March / 2008, 17:26:02 »

Thanks, but most cams have a button to shutdown, but none to restart

wim

Logged

*Wikia FAQ *GCC Compiler Shell for Windows

PhyrePhoX

2254
make RAW not WAR

Re: @ARM assembly gurus: How can we do a "cold reboot" from CHDK ?

« Reply #14 on: 09 / March / 2008, 13:53:14 »

Quote from: whim on 08 / March / 2008, 14:19:15

As usual, help came from totally unexpected side

After answering in this topic Where are the strings for menus in original fw? I browsed the resulting text file
and searched 'Restart called'. (Jef666 refers to this in the DryOS porting topic)
Well, as a result I now replaced the address to jump to from FFC0 0000 to FFC1 27E0, recompiled, loaded, and.....

it WORKS ! I got a reliable cold reboot 10 times out of 10 !

Gonna have myself a nice beer to celebrate first, then I'm gonna hunt for the addresses in the other cam's binaries.

wim

great, very nice find!

Logged

Flickr*
www.PhyreWorX.de
CHDK News @ Twitter

whim

2020
A495/590/620/630 ixus70/115/220/230/300/870 S95

Re: @ARM assembly gurus: How can we do a "cold reboot" from CHDK ?

« Reply #15 on: 09 / March / 2008, 14:51:50 »

@PhyrePhox

Thanks. I'm now busy getting the addresses from all other cams. I'm happy it worked this way, the
'overhead cost' for adding cold_reboot was only 54 bytes. And by the way, I've hardly had a chance
to look at it, but judging from your (and wontolla, Barney, & Jucifer's) posts, you guys really
souped up the interface, looking forward to play with it.

see you,

wim

edit: 10/03/08 VxWorks addresses done

« Last Edit: 10 / March / 2008, 05:22:38 by whim »

Logged

*Wikia FAQ *GCC Compiler Shell for Windows

whim

2020
A495/590/620/630 ixus70/115/220/230/300/870 S95

Re: @ARM assembly gurus: How can we do a "cold reboot" from CHDK ?

« Reply #16 on: 11 / March / 2008, 07:02:36 »

Hi ! After a lot (40+) IDA sessions I think I got all addresses needed for the NHSTUB.

I compiled a little overview, including the necessary source changes & addresses above,
for you people who would like to check it. It does not do much at the moment, just reboots,
but should be adequate to test the addresses for all (?) cams.

-- Implements 'Cold Reboot'
-- Works only with diskboot.bin
(although, should be able to load a ps.fir first and then swap to diskboot.bin)
-- Should be applicable to any recent trunk (if working before

)

please report if it does/doesn't work for you !

source + comment attached edit: removed, see 2 posts further for corrected version

wim

« Last Edit: 11 / March / 2008, 11:55:43 by whim »

Logged

*Wikia FAQ *GCC Compiler Shell for Windows

GrAnd

916
[A610, S3IS]

Re: @ARM assembly gurus: How can we do a "cold reboot" from CHDK ?

« Reply #17 on: 11 / March / 2008, 08:05:01 »

@whim

Quote

A460-100d.......... 0xFFB0B250 (VxWorks,4 MB @ FFB0 0000)
A530-100a.......... 0xFFB12774 (VxWorks,4 MB @ FFB0 0000)
...

0xFFB##### ??

There are no cameras with that starting address. 4MB dumps are loaded from 0xFFC00000 also.
There is a bug (feature?) in the IDA that prevents loading of such images "as is" with 0xFFC00000 as starting address. But there is a workaround: you have to decrease load file size by 1 byte while setting the addresses in IDA load dialog window.
See DryOS Porting - CHDK Wiki, #5.

« Last Edit: 11 / March / 2008, 08:09:30 by GrAnd »

Logged

CHDK Developer.

whim

2020
A495/590/620/630 ixus70/115/220/230/300/870 S95

Re: @ARM assembly gurus: How can we do a "cold reboot" from CHDK ?

« Reply #18 on: 11 / March / 2008, 08:24:45 »

Thanks GrAnd

wim

« Last Edit: 12 / March / 2008, 06:48:21 by whim »

Logged

*Wikia FAQ *GCC Compiler Shell for Windows

wontolla

413
S3 & G9 & A720

Re: @ARM assembly gurus: How can we do a "cold reboot" from CHDK ?

« Reply #19 on: 11 / March / 2008, 08:48:33 »

Thanks whim, I will try this on the S3 tonight, 10 tests right?

What behaviour is expected? restart or shutdown?

Let me see if I get the overall idea. When you execute "cold_reboot" the program pointer jumps to the address you found and the camera shutsdown?
So normally, when you push the "off" button, Canon's firmware jumps to the same address too?

Cheers!

Note that in step number 5 it should be void cold_reboot(); instead of cold_reboot();. Otherwise the compiler gives this error:

gui.c:1836: warning: type defaults to `int' in declaration of `cold_reboot'
gui.c:1836: error: conflicting types for 'cold_reboot'

Logged