TX-1 - loading to IDA and porting... - page 3 - General Discussion and Assistance - CHDK Forum

TX-1 - loading to IDA and porting...

  • 88 Replies
  • 30049 Views
Re: TX-1 - loading to IDA and porting...
« Reply #20 on: 13 / March / 2008, 06:23:29 »
That's correct. Or did you expect the dump to go up to 0xffffffff?

No, but in EWAVR's post these addresses are quoted :-

ROM:FFF666C7                 DCB 0x49 ; I
ROM:FFF666C8 aMage       DCB "mage",0


Also, where are the strings UniqueLedOn()/UniqueLedOff()? IDA does not find them.


The product code of the TX1 is 3100 and the product code of the ixus55 is 30FF. Should we use the platform and loader code of the ixus55 as a starting point?  :-)


So, the first task is to look at boot.c.

I guess I can find the address of some functions from text-strings in the disassembly.
For the video buffers, I can compare my A620 disassembly with the known video addresses to see how they were discovered.

Others have asked the same question on the WIKI ... how do I find the other values needed in boot.c ?

Offline GrAnd [A610, S3IS]
Re: TX-1 - loading to IDA and porting...
« Reply #21 on: 13 / March / 2008, 06:36:57 »
No, but in EWAVR's post these addresses are quoted :-

ROM:FFF666C7                 DCB 0x49 ; I
ROM:FFF666C8 aMage       DCB "mage",0

I think that was a generic example, not from the TX1 firmware.

For the other questions I have no answers. I have not ported any camera by myself yet.  ::)
CHDK Developer.

Re: TX-1 - loading to IDA and porting...
« Reply #22 on: 13 / March / 2008, 06:49:09 »
I have not ported any camera by myself yet.  ::)

In that case, I am in good company   :)

Offline ewavr [A710IS]
Re: TX-1 - loading to IDA and porting...
« Reply #23 on: 13 / March / 2008, 07:15:30 »
No, but in EWAVR's post these addresses are quoted :-
ROM:FFF666C7                 DCB 0x49 ; I
ROM:FFF666C8 aMage       DCB "mage",0

This was an example for the S5IS (a large 8 MB dump with resources, from DataGhost).

Also, where are the strings UniqueLedOn()/UniqueLedOff()? IDA does not find them.

No such strings. UniqueLedOn (@0xFFA42C08) and UniqueLedOff (@0xFFA42CB0) are found by analogy with the S3IS.

The product code of the TX1 is 3100 and the product code of the ixus55 is 30FF. Should we use the platform and loader code of the ixus55 as a starting point?  :-)

If the code for the ixus55 is bug free, yes.

Re: TX-1 - loading to IDA and porting...
« Reply #24 on: 13 / March / 2008, 08:52:18 »
I do not expect to be told every single step, but some guidance would be useful to myself and others.

1. Copied ixus55 platform and loader folders and renamed 'tx1'.
2. Added 'tx1' to root Make and Make.inc
3. platform\tx1\sub\101b\makefile.inc  PLATFORMID=12544 (0x3100)
4. platform\tx1\sub\101b\boot.c
 
   Have found following addresses from text strings in IDA :-

excVecInit
classLibInit
taskLibInit
qInit
workQInit
kernelInit
memInit
memPartLibInit


The WIKI A550 porting page suggests that we need to set the address of excVecInit by starting at kernelInit() and walking back (through XREFs) in IDA until the function boot...
Then 'Rename the function call with your address'.

Could you please explain this and suggest how I obtain the other parameters required in boot.c ?


David

Offline bondo
Saluti from Italy!
Re: TX-1 - loading to IDA and porting...
« Reply #25 on: 13 / March / 2008, 12:56:14 »
Hi David!
here's some suggestions...

At 0xFF8100E0 you have the boot() function: the very first parameter you find is canon_data_len, 0xCEA0; after a few instructions you'll find the canon_data_src pointer, which is 0xFFBBE590, and next the canon_data_dst (0x1900, equal to other cameras).
At this point you can calculate canon_bss_start as canon_data_dst + canon_data_len.
Last but not least, you find canon_bss_len as 0xB84D0 - 0xE7A0.

At this point, you have to copy h_usrInit() from the dump into the code, changing the last line so that it calls *your* h_usrKernelInit() and not the firmware's one.
Find the corresponding h_usrKernelInit() and h_usrRoot() and copy them into boot.c.
Note that h_usrKernelInit() needs a change before kernelInit: you have to change 0xB84D0 to 0xB84D0+0x30000.

You'll find out for yourself that it's more difficult to explain this than to do it.

hope this could be useful to you  ;)

If you need some more help, tell me!
« Last Edit: 13 / March / 2008, 12:57:58 by bondo »
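Added example, not code from this thread, from CHDK or from the TX1 firmware: the two mechanical steps behind bondo's answer and David's question about walking back through XREFs, done on a constructed dump. Step one resolves "LDR Rd, =imm" literal loads, which is how canon_data_len/src/dst are read out of boot(); step two scans for BL instructions that target a known function, which is the XREF walk IDA does for you. Assumptions: the dump loads at DUMP_BASE (0xFF810000 is a guess, the thread only gives 0xFF8100E0 for boot()); KINIT_ADDR is a stand-in callee, and the sample bytes are constructed, with the literal values copied from bondo's post. All function names are mine.

```c
/* Added example, not CHDK or TX1 firmware code. Decodes ARM literal loads and
 * BL cross-references from a raw dump and derives the boot.c memory layout.
 * DUMP_BASE and KINIT_ADDR are assumptions; the dump bytes are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DUMP_BASE  0xFF810000u             /* assumed load address of the dump */
#define BOOT_ADDR  (DUMP_BASE + 0xE0)      /* 0xFF8100E0, as quoted in the thread */
#define KINIT_ADDR (DUMP_BASE + 0x120)     /* stand-in for a callee such as kernelInit */

struct boot_layout {
    uint32_t data_len, data_src, data_dst, bss_start, bss_len, chdk_mem_start;
};

static uint32_t rd32(const uint8_t *dump, size_t len, uint32_t addr) {
    uint32_t off = addr - DUMP_BASE;
    if (addr < DUMP_BASE || off + 4 > len) return 0;   /* out of the dump: read as 0 */
    return (uint32_t)dump[off] | ((uint32_t)dump[off + 1] << 8) |
           ((uint32_t)dump[off + 2] << 16) | ((uint32_t)dump[off + 3] << 24);
}

static void put32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xFF; p[1] = (v >> 8) & 0xFF; p[2] = (v >> 16) & 0xFF; p[3] = v >> 24;
}

/* LDR Rd,[PC,#+/-imm12] with cond=AL. PC reads as addr+8 on ARM, so the literal
 * word sits at addr+8+/-imm12. Returns 1 and fills rd/value on a match. */
int decode_ldr_literal(const uint8_t *dump, size_t len, uint32_t addr,
                       unsigned *rd, uint32_t *value) {
    uint32_t insn = rd32(dump, len, addr);
    if ((insn & 0xFF7F0000u) != 0xE51F0000u) return 0;
    uint32_t imm = insn & 0xFFFu;
    uint32_t pool = (insn & (1u << 23)) ? addr + 8 + imm : addr + 8 - imm;
    *rd = (insn >> 12) & 0xFu;
    *value = rd32(dump, len, pool);
    return 1;
}

/* BL imm24 with cond=AL: target = addr + 8 + signext(imm24) * 4. */
int decode_bl(const uint8_t *dump, size_t len, uint32_t addr, uint32_t *target) {
    uint32_t insn = rd32(dump, len, addr);
    if ((insn & 0xFF000000u) != 0xEB000000u) return 0;
    int32_t off = (int32_t)(insn & 0xFFFFFFu);
    if (off & 0x800000) off -= 0x1000000;              /* sign-extend 24 bits */
    *target = addr + 8 + (uint32_t)off * 4;
    return 1;
}

/* XREF walk: every aligned word that decodes as a BL to `func`. Data words can
 * look like BLs, so treat the hits as candidates to confirm in IDA. */
unsigned find_callers(const uint8_t *dump, size_t len, uint32_t func,
                      uint32_t *callers, unsigned max) {
    unsigned n = 0;
    for (uint32_t off = 0; off + 4 <= len; off += 4) {
        uint32_t t;
        if (decode_bl(dump, len, DUMP_BASE + off, &t) && t == func && n < max)
            callers[n++] = DUMP_BASE + off;
    }
    return n;
}

/* First three literal loads of boot(), in the order bondo gives (len, src, dst),
 * then the derived values. mem_start is the kernelInit pool start (0xB84D0 on
 * the TX1); reserve is what CHDK adds to it (0x30000 in the post). */
int derive_boot_layout(const uint8_t *dump, size_t len, uint32_t func,
                       unsigned nwords, uint32_t mem_start, uint32_t reserve,
                       struct boot_layout *out) {
    uint32_t lit[3]; unsigned n = 0, rd;
    for (unsigned i = 0; i < nwords && n < 3; i++)
        if (decode_ldr_literal(dump, len, func + 4 * i, &rd, &lit[n])) n++;
    if (n < 3) return 0;
    out->data_len = lit[0]; out->data_src = lit[1]; out->data_dst = lit[2];
    out->bss_start = out->data_dst + out->data_len;
    if (mem_start < out->bss_start) return 0;          /* pool must lie above .bss */
    out->bss_len = mem_start - out->bss_start;
    out->chdk_mem_start = mem_start + reserve;
    return 1;
}

/* Constructed dump: a boot() prologue with three literal loads and a BL to the
 * stand-in callee, plus a second caller of that callee earlier in the image. */
size_t build_sample_dump(uint8_t *dump, size_t cap) {
    size_t len = 0x130;
    if (cap < len) return 0;
    memset(dump, 0, len);
    put32(dump + 0x40, 0xEB000036u);       /* BL KINIT_ADDR from 0xFF810040 */
    uint8_t *b = dump + (BOOT_ADDR - DUMP_BASE);
    put32(b + 0x00, 0xE59F2010u);          /* LDR R2, =canon_data_len */
    put32(b + 0x04, 0xE59F1010u);          /* LDR R1, =canon_data_src */
    put32(b + 0x08, 0xE59F0010u);          /* LDR R0, =canon_data_dst */
    put32(b + 0x0C, 0xE3A03000u);          /* MOV R3, #0 */
    put32(b + 0x10, 0xEB00000Au);          /* BL KINIT_ADDR */
    put32(b + 0x14, 0xE1A00000u);          /* NOP */
    put32(b + 0x18, 0x0000CEA0u);          /* literal pool: data_len (from the thread) */
    put32(b + 0x1C, 0xFFBBE590u);          /*               data_src */
    put32(b + 0x20, 0x00001900u);          /*               data_dst */
    return len;
}

int main(void) {
    uint8_t dump[0x200]; uint32_t c[8]; struct boot_layout L;
    size_t len = build_sample_dump(dump, sizeof dump);
    if (!derive_boot_layout(dump, len, BOOT_ADDR, 6, 0xB84D0u, 0x30000u, &L)) return 1;
    printf("len=%#x src=%#x dst=%#x bss_start=%#x bss_len=%#x pool=%#x\n", L.data_len,
           L.data_src, L.data_dst, L.bss_start, L.bss_len, L.chdk_mem_start);
    unsigned n = find_callers(dump, len, KINIT_ADDR, c, 8);
    for (unsigned i = 0; i < n; i++) printf("BL %#x <- %#x\n", KINIT_ADDR, c[i]);
    return 0;
}
```

On the constructed bytes this reproduces bondo's numbers (bss_start 0xE7A0, bss_len 0xA9D30, kernelInit pool 0xE84D0 with the 0x30000 reservation) and lists both BL sites that call the stand-in callee. On a real dump, run find_callers() on the kernelInit address found from its strings and check the returned candidates in IDA; the one inside boot's init chain is the h_usrKernelInit you want to copy.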

Re: TX-1 - loading to IDA and porting...
« Reply #26 on: 15 / March / 2008, 08:24:53 »
Well, some progress made ... I guess  ...

void h_usrInit() // Orig. starts at FF81198C
{
    asm volatile (
   "STR     LR, [SP,#-4]!\n"
   "BL      sub_FF811968\n"
   "MOV     R0, #2\n"
   "MOV     R1, R0\n"
   "BL      sub_FF925020\n" // unknown_libname_231
   "BL      sub_FF918F9C\n" // excVecInit
   "BL      sub_FF8111C4\n"
   "BL      sub_FF811728\n"
   "LDR     LR, [SP],#4\n"
   "B       h_usrKernelInit\n"
    );
}

void  h_usrKernelInit() // Orig. starts at FF811744
{
    asm volatile (
                 "STMFD   SP!, {R4,LR}\n"
                 "SUB     SP, SP, #8\n"
                 "BL      sub_FF925520\n" // classLibInit
                 "BL      sub_FF93564C\n" // taskLibInit
                 "LDR     R3, =0x5720\n"
                 "LDR     R2, =0xB4A80\n"
                 "LDR     R1, [R3]\n"
                 "LDR     R0, =0xB56D0\n"
                 "MOV     R3, #0x100\n"
                 "BL      sub_FF93123C\n" // qInit
                 "LDR     R3, =0x56E0\n"
                 "LDR     R0, =0x5A80\n"
                 "LDR     R1, [R3]\n"
                 "BL      sub_FF93123C\n" // qInit
                 "LDR     R3, =0x579C\n"
                 "LDR     R0, =0xB56A4\n"
                 "LDR     R1, [R3]\n"
                 "BL      sub_FF93123C\n" // qInit
                 "BL      sub_FF939A08\n" // workQInit
                 "BL      sub_FF8112AC\n"
                 "MOV     R4, #0\n"
                 "MOV     R3, R0\n"
                 "MOV     R12, #0x800\n"
                 "LDR     R0, =h_usrRoot\n" // Orig. starts at FF811A60
                 "MOV     R1, #0x4000\n"
                 "LDR     R2, =0xEA4D0\n" // 0xB84D0 + 0x32000
                 "STR     R12, [SP]\n"
                 "STR     R4, [SP,#4]\n"
                 "BL      sub_FF93288C\n" // kernelInit
                 "ADD     SP, SP, #8\n"
                 "LDMFD   SP!, {R4,PC}\n"
    );
}

void  h_usrRoot() // Orig. starts at FF811A60
{
    asm volatile (
                 "STMFD   SP!, {R4,R5,LR}\n"
                 "MOV     R5, R0\n"
                 "MOV     R4, R1\n"
                 "BL      sub_FF8119D0\n"
                 "MOV     R1, R4\n"
                 "MOV     R0, R5\n"
                 "BL      sub_FF929FD8\n" // memInit
                 "MOV     R1, R4\n"
                 "MOV     R0, R5\n"
                 "BL      sub_FF92AA50\n" // memPartLibInit
                 "BL      sub_FF8117E8\n" // nullsub_1
                 "BL      sub_FF811704\n"
                 "BL      sub_FF811A0C\n"
                 "BL      sub_FF8119F0\n"
                 "BL      sub_FF811A38\n"
                 "BL      sub_FF8119C4\n"
                 "LDMFD   SP!, {R4,R5,LR}\n"
                 "B       sub_FF81136C\n" // IsEmptyWriteCache_2
    );
}

void *vid_get_bitmap_fb()
{
    return (void*)0x10361000; // (found on aBmpddev_c)
}

void *vid_get_viewport_fb()
{
   return (void*)0x10D295E0; // found at aImgddev_c
}

void *vid_get_viewport_fb_d()
{
    return (void*)(*(int*)0x8D558); // found on aImageplayer_c, not sure if correct
}


In stubs_entry_2.s :-

NHSTUB(Mount_FileSystem, 0xFFAAE000)
NHSTUB(MoveZoomLensWithPoint, 0xFFAFF6D8)
NHSTUB(Remove, 0xFFAAECEC)
NHSTUB(Write, 0xFFAAED7C)
NHSTUB(Close, 0xFFAAECDC)
NHSTUB(Read, 0xFFAAED70)


It does not load, of course, nor does it crash.

The LEDs are operated the same as on the s2is, s3is and ixus700.
So, we need to find the led_table address before we can control the LEDs.

I have not altered capt_seq yet.



David

Offline bondo
Saluti from Italy!
Re: TX-1 - loading to IDA and porting...
« Reply #27 on: 15 / March / 2008, 09:33:05 »
h_usrRoot should be as follows:

void  h_usrRoot() // Orig. starts at FF811A60
{
    asm volatile (
                 "STMFD   SP!, {R4,R5,LR}\n"
                 "MOV     R5, R0\n"
                 "MOV     R4, R1\n"
                 "BL      sub_FF8119D0\n"
                 "MOV     R1, R4\n"
                 "MOV     R0, R5\n"
                 "BL      sub_FF929FD8\n" // memInit
                 "MOV     R1, R4\n"
                 "MOV     R0, R5\n"
                 "BL      sub_FF92AA50\n" // memPartLibInit
                 "BL      sub_FF8117E8\n" // nullsub_1
                 "BL      sub_FF811704\n"
                 "BL      sub_FF811A0C\n"
                 "BL      sub_FF8119F0\n"
                 "BL      sub_FF811A38\n"
                 "BL      sub_FF8119C4\n"
    );
   
    _taskCreateHookAdd(createHook);
    _taskDeleteHookAdd(deleteHook);
   
    drv_self_hide();

    asm volatile (
                 "LDMFD   SP!, {R4,R5,LR}\n"
                 "B       sub_FF81136C\n" // IsEmptyWriteCache_2
    );
}

It is probably due to this that CHDK neither crashes nor loads.

Re: TX-1 - loading to IDA and porting...
« Reply #28 on: 15 / March / 2008, 09:48:51 »
It is probably due to this that CHDK neither crashes nor loads.


Thanks  .. let us see if it works.


David

Re: TX-1 - loading to IDA and porting...
« Reply #29 on: 15 / March / 2008, 11:05:35 »
Thanks  .. let us see if it works.


To quote the tester  :-

"Power LED blinks twice. Camera shuts down."

Maybe that is progress?   :)


Bondo, did you check the subroutine addresses in the posted code or did you just notice the error in h_usrRoot() ?

 
