S110 Porting thread - DryOS Development - CHDK Forum
supplierdeeply
« previous next »
Pages: [1] 2 3 4 5 6 ... 11   Go Down

S110 Porting thread

  • 103 Replies
  • 48463 Views
*

Offline Nikon

  • *
  • 25
S110 Porting thread
« on: 01 / January / 2013, 11:32:17 »
Advertisements
Here is some early info for the PowerShot S110:

Firmware Ver GM1.01B
DRYOS version 2.3, release #0051

Firmware start adr: 0xFF000000

Write 0x21 to 0xC022C30C to turn on the green I/O LED.
Write 0x01 to 0xC022C30C to turn off the green I/O LED.
(But I suspect that bit-set / bit-clear operations are safer)

For basic command LEDDrive(), the I/O LED is at 0, the blue WiFi LED is at 8, and the AF LED is at 4-6.

Firmware dump is available here: http://www.fileswap.com/dl/UP6nP1qpio/

I suspect that the S110 is similar to the S100, so the S100 port is probably the best candidate to use as a starting point?
I have never even used CHDK, so it may take me some time to port this. If someone wants to jump in, please do.
Logged
*

Offline reyalp

  • ******
  • 13445
Re: S110 Porting thread
« Reply #1 on: 01 / January / 2013, 15:22:41 »
Sound's like you are off to a good start.
Quote from: Nikon on 01 / January / 2013, 11:32:17
I suspect that the S110 is similar to the S100, so the S100 port is probably the best candidate to use as a starting point?
In general, you'll want to refer to a few different cameras. IMO, in order of importance:
1) A port done by someone who knew what they were doing. For this, I'd suggest Philmoz ports (G12, G1x, SX40 are examples)
2) Same (or closest available) DryOS release. In this case, SX50 is the only one I see in the trunk, there may be a few others in progress. Following other porting threads for similar generation cameras is a good idea.
3) Similar family / hardware configuration. S100 is the obvious choice here, but generally this is less important than being the same OS release.
Quote
I have never even used CHDK, so it may take me some time to port this. If someone wants to jump in, please do.
Many people have made ports this way, so you'll be in good company :D
Logged
Don't forget what the H stands for.
*

Offline fe50

  • ******
  • 3134
  • IXUS50 & 860, SX10 Star WARs-Star RAWs
    • fe50
Re: S110 Porting thread
« Reply #2 on: 02 / January / 2013, 06:12:41 »
Quote from: Nikon on 01 / January / 2013, 11:32:17
Firmware dump is available here: http://www.fileswap.com/dl/UP6nP1qpio/
Hello & welcome, thanks for the dump !

Quote from: fe50 on 02 / January / 2013, 06:11:10
Added the
  • S110 1.01B
full 16MB dump (dumped with cBasic udumper) by Nikon from this forum post to the CHDK P&S FW dumps repository.
Logged
*

Offline c10ud

  • ***
  • 245
Re: S110 Porting thread
« Reply #3 on: 03 / January / 2013, 08:46:50 »
I was taking a look at the firmware, but it looks like finsig_dryos chokes on this one:

    Invalid firmware offset 1040246453.

Logged
*

Offline Nikon

  • *
  • 25
Re: S110 Porting thread
« Reply #4 on: 03 / January / 2013, 12:22:14 »
Quote from: c10ud on 03 / January / 2013, 08:46:50
I was taking a look at the firmware, but it looks like finsig_dryos chokes on this one:

    Invalid firmware offset 1040246453.

Does that indicate a problem with the dump?
Logged
*

Offline srsa_4c

  • ******
  • 4426
Re: S110 Porting thread
« Reply #5 on: 03 / January / 2013, 13:20:49 »
Quote from: Nikon on 03 / January / 2013, 12:22:14
Does that indicate a problem with the dump?
Yes and no. It could be seems that the ROM is mapped to two address ranges, which would be something new.
Can you try this modified Canon Basic dumper and upload the new dump and CBDUMPER.LOG (if it succeeds)? (original dumper is this)
The firmware (except the bootloader) appears to use the 0Xf8xxxxxx address range, as indicated by absolute addresses found in the dump.
Code: [Select]
' dump ROM to A/PRIMARY.BIN
' log to A/CBDUMPER.LOG
 
DIM startaddr=0
DIM stopaddr=0xFFFFFFFC
DIM os="unk"
DIM lcdmsg=0
DIM msgstr=0
 
' detect start address and OS
' order must be from highest to lowest, since accessing outside of ROM may trigger an exception
private sub GetStart()
if memcmp(0xFFC00004,"gaonisoy",8) = 0 then
startaddr = 0xFFC00000
os = "dry"
exit sub
end if
if memcmp(0xFFC00008,"Copyrigh",8) = 0 then
startaddr = 0xFFC00000
os = "vx"
exit sub
end if
if memcmp(0xFF810004,"gaonisoy",8) = 0 then
startaddr = 0xFF810000
os = "dry"
exit sub
end if
if memcmp(0xFF810008,"Copyrigh",8) = 0 then
startaddr = 0xFF810000
os = "vx"
exit sub
end if
if memcmp(0xF8000004,"gaonisoy",8) = 0 then
startaddr = 0xF8000000
stopaddr = 0xF8FFFFFC
os = "dry"
exit sub
end if
if memcmp(0xFF000004,"gaonisoy",8) = 0 then
startaddr = 0xFF000000
os = "dry"
exit sub
end if
end sub
 
private sub RegisterProcs()
' Newest cams (Dryos rel 43 and later) only have System.Create()
' on older dryos cams SystemEventInit is an alias for System.Create()
' ExecuteEventProcedure does is not registered by default on vx,
' but calling an unregistered is not fatal
if System.Create() = -1 then
SystemEventInit()
end if
if ExecuteEventProcedure("UI_RegistDebugEventProc") = -1 then
ExecuteEventProcedure("UI.CreatePublic")
end if
end sub
 
private sub InitMsg()
lcdmsg = ExecuteEventProcedure("LCDMsg_Create")
msgstr = AllocateMemory(80)
' truncate log
msgfile = Fopen_Fut("A/CBDUMPER.LOG","w")
if msgfile <> 0 then
Fclose_Fut(msgfile)
end if
end sub
 
private sub PutMsg(msg)
if lcdmsg >= 0 then
LCDMsg_SetStr(lcdmsg,msg)
end if
msgfile = Fopen_Fut("A/CBDUMPER.LOG","a")
if msgfile <> 0 then
Fwrite_Fut(msg,strlen(msg),1,msgfile)
Fwrite_Fut("\n",1,1,msgfile)
Fclose_Fut(msgfile)
end if
end sub
 
private sub Initialize()
RegisterProcs()
InitMsg()
PutMsg("Started")
 
GetStart()
 
if startaddr <> 0 then
sprintf(msgstr,"%0X %s",startaddr,os)
PutMsg(msgstr)
romsize = stopaddr - startaddr
dumpfile = Fopen_Fut("A/PRIMARY.BIN","w")
if dumpfile <> 0 then
Fwrite_Fut(startaddr,romsize,1,dumpfile)
Fclose_Fut(dumpfile)
Wait(500)
PutMsg("done")
else
PutMsg("file error")
end if
else
PutMsg("not found!")
end if
FreeMemory(msgstr)
end subedit: note that the above dumper will probably crash on earlier cameras as it's just a quick hack
« Last Edit: 03 / January / 2013, 19:31:08 by srsa_4c »
Logged
*

Offline Nikon

  • *
  • 25
Re: S110 Porting thread
« Reply #6 on: 04 / January / 2013, 18:30:27 »
It succeeded:
"
Started
F8000000 dry
done
"

Interestingly, the two dumps are very similar but not identical. There are a few differences.
So it seems Canon for some reason put either two flash memories in the device and loaded almost the same content to the two. But I don't see any point in that, so perhaps they put one flash memory and one RAM into the device, and then copy the content from flash to RAM at startup? (with a few differences)

Could it be that they need write-access to the flash memory during runtime, preventing them from executing any code from it, thereby creating the need to copy it all to a RAM?


I find a lot of strings in the dump which indicates that this camera has some sort of console or terminal support. Judging from the strings, the terminal interface supports commands for reading and writing any adress. It also supports TCP/IP related commands such as ping. Is a terminal available in other cameras as well, or something which they have added in only this one?

Dump from adress 0xF8000000 is here:
http://www.fileswap.com/dl/JRsYg2EfeA/
Logged
*

Offline waterwingz

  • ******
  • 12092
    • Waterwingz
Re: S110 Porting thread
« Reply #7 on: 04 / January / 2013, 18:35:45 »
Quote from: Nikon on 04 / January / 2013, 18:30:27
Interestingly, the two dumps are very similar but not identical. There are a few differences.
This is normal for most CHDK camera once you get to the upper parts of the memory.

Quote
, so perhaps they put one flash memory and one RAM into the device, and then copy the content from flash to RAM at startup? (with a few differences)
We also know they have started to do that on recent cameras, although nobody really knows why.

Logged
Ported :   A1200    SD940   G10    Powershot N    G16
*

Offline philmoz

  • *****
  • 3332
    • Photos
Re: S110 Porting thread
« Reply #8 on: 04 / January / 2013, 18:59:12 »
Quote from: Nikon on 04 / January / 2013, 18:30:27
It succeeded:
"
Started
F8000000 dry
done
"

Interestingly, the two dumps are very similar but not identical. There are a few differences.
So it seems Canon for some reason put either two flash memories in the device and loaded almost the same content to the two. But I don't see any point in that, so perhaps they put one flash memory and one RAM into the device, and then copy the content from flash to RAM at startup? (with a few differences)

Could it be that they need write-access to the flash memory during runtime, preventing them from executing any code from it, thereby creating the need to copy it all to a RAM?


I find a lot of strings in the dump which indicates that this camera has some sort of console or terminal support. Judging from the strings, the terminal interface supports commands for reading and writing any adress. It also supports TCP/IP related commands such as ping. Is a terminal available in other cameras as well, or something which they have added in only this one?

Dump from adress 0xF8000000 is here:
http://www.fileswap.com/dl/JRsYg2EfeA/


Differences appear to be only where the properties, params and debug log get saved (as far as I can tell), so probably just from using the camera between dumps.

If you dumped both f8000000 and ff000000 at the same time I suspect the two dumps would be identical.

Now I have to figure out how to handle this in the sig finder :)
Wonder which is the primary address for all the firmware functions (f8xxxxxx or ffxxxxxx) - it shouldn't matter to CHDK since the code is identical calling either address should work.

Phil.
Logged
CHDK ports:
  sx30is (1.00c, 1.00h, 1.00l, 1.00n & 1.00p)
  g12 (1.00c, 1.00e, 1.00f & 1.00g)
  sx130is (1.01d & 1.01f)
  ixus310hs (1.00a & 1.01a)
  sx40hs (1.00d, 1.00g & 1.00i)
  g1x (1.00e, 1.00f & 1.00g)
  g5x (1.00c, 1.01a, 1.01b)
  g7x2 (1.01a, 1.01b, 1.10b)
*

Offline srsa_4c

  • ******
  • 4426
Re: S110 Porting thread
« Reply #9 on: 04 / January / 2013, 19:02:33 »
Quote from: Nikon on 04 / January / 2013, 18:30:27
Interestingly, the two dumps are very similar but not identical. There are a few differences.
So it seems Canon for some reason put either two flash memories in the device and loaded almost the same content to the two.
As waterwingz says, the differences what you see is from normal operation of the camera. The difference block in which you see CANON_DC is in the so called "flash params" area of the flash, most of the camera settings are stored there. You've also got something else in your newer dump: a recorded ROMLOG, which means you managed to crash the cam somehow.
Quote
2013:01:01 14:07:19 CtrlSrv.c
So, there's still only one flash ROM which is visible in two address ranges simultaneously. I have no idea why they changed the firmware starting address to 0xF8000000.

Quote
I find a lot of strings in the dump which indicates that this camera has some sort of console or terminal support. Judging from the strings, the terminal interface supports commands for reading and writing any adress. It also supports TCP/IP related commands such as ping. Is a terminal available in other cameras as well
Yes, but only over an UART (serial) line.

So, if you want to work (get disassembly) on the cam, you'll need to use the 0xF8000000 start address for the dump. If you invoke finsig_dryos manually ( finsig_dryos PRIMARY.BIN 0xf8000000 sigs.txt ), it will mostly succeed. You get a finsig_dryos binary in the tools directory after building CHDK for any ported camera.

@philmoz: it's 0xF8xxxxxx
Logged
Pages: [1] 2 3 4 5 6 ... 11   Go Up
« previous next »
 

Related Topics