Replacement of IRQ handler - General Chat - CHDK Forum supplierdeeply
« previous next »
Pages: [1]   Go Down

Replacement of IRQ handler

  • 3 Replies
  • 3937 Views
*

Offline Deamon

  • *
  • 7
Replacement of IRQ handler
« on: 14 / May / 2012, 08:36:16 »
Advertisements
Hi.

I have SX40 and for debugging purposes I want to temporally replace IRQ handler. But as far as I understand, the address 0xC(or some another address, dont remember it exactly) is persistent memory and my value will remain after the reboot. This potentially can turn the camera into a brick.

My investigations showed, that there is an emergency mode in Romstarter, which resides at 0xFFFF0000. This mode makes a call of function at 0xFF000000, and that function rewrites vector at 0x0 address with initial values from firmware.

But I didn't managed to figure out what actions are necessary to perform to enter that mode.

Does anyone have some extra information about this? Also, does code at 0xFFFF0000 is first to execute after system start?
Logged
*

Offline srsa_4c

  • ******
  • 4451
Re: Replacement of IRQ handler
« Reply #1 on: 15 / May / 2012, 11:43:46 »
I won't be able to help you much, but:
- after the CPU has been set up, a special RAM area (instruction TCM) is set to the start of the address range (from 0x0) , so I don't think its content will survive a power loss (and RAM starts from address zero anyway)
- if you want to experiment with potentially risky stuff like this, just get a used/partly broken Canon camera (DIGIC II-III-4)
- if you want to replace an interrupt handler, you probably won't find it very hard to reverse the boot process  ;)
- the Magic Lantern guys have documented the boot process of some DSLRs http://magiclantern.wikia.com/wiki/Boot_procedure which might give you some ideas (the point&shoots do many things differently though)
- search this site with your keywords (irq, boot, etc.)

Logged
*

Offline reyalp

  • ******
  • 13938
Re: Replacement of IRQ handler
« Reply #2 on: 16 / May / 2012, 23:51:29 »
Quote from: Deamon on 14 / May / 2012, 08:36:16
I have SX40 and for debugging purposes I want to temporally replace IRQ handler. But as far as I understand, the address 0xC(or some another address, dont remember it exactly) is persistent memory and my value will remain after the reboot. This potentially can turn the camera into a brick.
This isn't really correct.

The ARM CPU has a "high exception vector" setting. As configured on the cameras, this is always set at boot which means FFFF0000 is the exception vector. Booting arm is actually a "reset" exception, so the boot process always begins at FFFF0000

In the boot process, the CPU is reconfigured to use the low exception vector, which is located at 0. As srsa_4c says, this is TCM, which is a kind of RAM.

The "ARM Architecture Reference Manual" section A2.6 Exceptions covers this. You can get this from the ARM site. See http://chdk.wikia.com/wiki/Developer_Technical_Documents for links.

In any case, you cannot re-write ROM by just doing *(addr) = value. You'd have to use the flash writing functions, so there's really no risk of doing that by accident.
« Last Edit: 16 / May / 2012, 23:58:49 by reyalp »
Logged
Don't forget what the H stands for.
*

Offline Deamon

  • *
  • 7
Re: Replacement of IRQ handler
« Reply #3 on: 18 / May / 2012, 08:23:50 »
Oh, thank you very much for clarification. I think now I can proceed with my experiments.
Logged
Pages: [1]   Go Up
« previous next »
 

Related Topics