S110 Porting thread

Nikon

« on: 01 / January / 2013, 11:32:17 »

Advertisements

Here is some early info for the PowerShot S110:

Firmware Ver GM1.01B
DRYOS version 2.3, release #0051

Firmware start adr: 0xFF000000

Write 0x21 to 0xC022C30C to turn on the green I/O LED.
Write 0x01 to 0xC022C30C to turn off the green I/O LED.
(But I suspect that bit-set / bit-clear operations are safer)

For basic command LEDDrive(), the I/O LED is at 0, the blue WiFi LED is at 8, and the AF LED is at 4-6.

Firmware dump is available here: http://www.fileswap.com/dl/UP6nP1qpio/

I suspect that the S110 is similar to the S100, so the S100 port is probably the best candidate to use as a starting point?
I have never even used CHDK, so it may take me some time to port this. If someone wants to jump in, please do.

Logged

reyalp

10566

Publish

Re: S110 Porting thread

« Reply #1 on: 01 / January / 2013, 15:22:41 »

Sound's like you are off to a good start.

Quote from: Nikon on 01 / January / 2013, 11:32:17

I suspect that the S110 is similar to the S100, so the S100 port is probably the best candidate to use as a starting point?

In general, you'll want to refer to a few different cameras. IMO, in order of importance:
1) A port done by someone who knew what they were doing. For this, I'd suggest Philmoz ports (G12, G1x, SX40 are examples)
2) Same (or closest available) DryOS release. In this case, SX50 is the only one I see in the trunk, there may be a few others in progress. Following other porting threads for similar generation cameras is a good idea.
3) Similar family / hardware configuration. S100 is the obvious choice here, but generally this is less important than being the same OS release.

Quote

I have never even used CHDK, so it may take me some time to port this. If someone wants to jump in, please do.

Many people have made ports this way, so you'll be in good company

Logged

Don't forget what the H stands for.

fe50

3067
IXUS50 & 860, SX10 Star WARs-Star RAWs

Publish

Re: S110 Porting thread

« Reply #2 on: 02 / January / 2013, 06:12:41 »

Quote from: Nikon on 01 / January / 2013, 11:32:17

Firmware dump is available here: http://www.fileswap.com/dl/UP6nP1qpio/

Hello & welcome, thanks for the dump !

Quote from: fe50 on 02 / January / 2013, 06:11:10

Added the
S110 1.01B
full 16MB dump (dumped with cBasic udumper) by Nikon from this forum post to the CHDK P&S FW dumps repository.

Logged

-->FIRMWARE DUMPS<-- * Manual * Lua * me

c10ud

Publish

Re: S110 Porting thread

« Reply #3 on: 03 / January / 2013, 08:46:50 »

I was taking a look at the firmware, but it looks like finsig_dryos chokes on this one:

Invalid firmware offset 1040246453.

Logged

Nikon

Publish

Re: S110 Porting thread

« Reply #4 on: 03 / January / 2013, 12:22:14 »

Quote from: c10ud on 03 / January / 2013, 08:46:50

I was taking a look at the firmware, but it looks like finsig_dryos chokes on this one:

Invalid firmware offset 1040246453.

Does that indicate a problem with the dump?

Logged

srsa_4c

3409

Publish

Re: S110 Porting thread

« Reply #5 on: 03 / January / 2013, 13:20:49 »

Quote from: Nikon on 03 / January / 2013, 12:22:14

Does that indicate a problem with the dump?

Yes and no. It ~~could be~~ seems that the ROM is mapped to two address ranges, which would be something new.
Can you try this modified Canon Basic dumper and upload the new dump and CBDUMPER.LOG (if it succeeds)? (original dumper is this)
The firmware (except the bootloader) appears to use the 0Xf8xxxxxx address range, as indicated by absolute addresses found in the dump.

Code: [Select]

' dump ROM to A/PRIMARY.BIN 
' log to A/CBDUMPER.LOG
 
DIM startaddr=0
DIM stopaddr=0xFFFFFFFC
DIM os="unk"
DIM lcdmsg=0
DIM msgstr=0
 
' detect start address and OS
' order must be from highest to lowest, since accessing outside of ROM may trigger an exception
private sub GetStart()
 if memcmp(0xFFC00004,"gaonisoy",8) = 0 then
  startaddr = 0xFFC00000
  os = "dry"
  exit sub
 end if
 if memcmp(0xFFC00008,"Copyrigh",8) = 0 then
  startaddr = 0xFFC00000
  os = "vx"
  exit sub
 end if
 if memcmp(0xFF810004,"gaonisoy",8) = 0 then
  startaddr = 0xFF810000
  os = "dry"
  exit sub
 end if
 if memcmp(0xFF810008,"Copyrigh",8) = 0 then
  startaddr = 0xFF810000
  os = "vx"
  exit sub
 end if
 if memcmp(0xF8000004,"gaonisoy",8) = 0 then
  startaddr = 0xF8000000
  stopaddr = 0xF8FFFFFC
  os = "dry"
  exit sub
 end if
 if memcmp(0xFF000004,"gaonisoy",8) = 0 then
  startaddr = 0xFF000000
  os = "dry"
  exit sub
 end if
end sub
 
private sub RegisterProcs()
 ' Newest cams (Dryos rel 43 and later) only have System.Create()
 ' on older dryos cams SystemEventInit is an alias for System.Create()
 ' ExecuteEventProcedure does is not registered by default on vx, 
 ' but calling an unregistered is not fatal
 if System.Create() = -1 then
  SystemEventInit()
 end if
 if ExecuteEventProcedure("UI_RegistDebugEventProc") = -1 then
  ExecuteEventProcedure("UI.CreatePublic")
 end if
end sub
 
private sub InitMsg()
 lcdmsg = ExecuteEventProcedure("LCDMsg_Create")
 msgstr = AllocateMemory(80)
 ' truncate log
 msgfile = Fopen_Fut("A/CBDUMPER.LOG","w")
 if msgfile <> 0 then
  Fclose_Fut(msgfile)
 end if
end sub
 
private sub PutMsg(msg)
 if lcdmsg >= 0 then
  LCDMsg_SetStr(lcdmsg,msg)
 end if
 msgfile = Fopen_Fut("A/CBDUMPER.LOG","a")
 if msgfile <> 0 then
  Fwrite_Fut(msg,strlen(msg),1,msgfile)
  Fwrite_Fut("\n",1,1,msgfile)
  Fclose_Fut(msgfile)
 end if
end sub
 
private sub Initialize()
 RegisterProcs()
 InitMsg()
 PutMsg("Started")
 
 GetStart()
 
 if startaddr <> 0 then
  sprintf(msgstr,"%0X %s",startaddr,os)
  PutMsg(msgstr)
  romsize = stopaddr - startaddr
  dumpfile = Fopen_Fut("A/PRIMARY.BIN","w")
  if dumpfile <> 0 then
   Fwrite_Fut(startaddr,romsize,1,dumpfile)
   Fclose_Fut(dumpfile)
   Wait(500)
   PutMsg("done")
  else
   PutMsg("file error")
  end if
 else
  PutMsg("not found!")
 end if
 FreeMemory(msgstr)
end sub

edit: note that the above dumper will probably crash on earlier cameras as it's just a quick hack

« Last Edit: 03 / January / 2013, 19:31:08 by srsa_4c »

Logged

CHDK builds: EOS M10
Menu jumping on M10?

Nikon

Publish

Re: S110 Porting thread

« Reply #6 on: 04 / January / 2013, 18:30:27 »

It succeeded:
"
Started
F8000000 dry
done
"

Interestingly, the two dumps are very similar but not identical. There are a few differences.
So it seems Canon for some reason put either two flash memories in the device and loaded almost the same content to the two. But I don't see any point in that, so perhaps they put one flash memory and one RAM into the device, and then copy the content from flash to RAM at startup? (with a few differences)

Could it be that they need write-access to the flash memory during runtime, preventing them from executing any code from it, thereby creating the need to copy it all to a RAM?

I find a lot of strings in the dump which indicates that this camera has some sort of console or terminal support. Judging from the strings, the terminal interface supports commands for reading and writing any adress. It also supports TCP/IP related commands such as ping. Is a terminal available in other cameras as well, or something which they have added in only this one?

Dump from adress 0xF8000000 is here:
http://www.fileswap.com/dl/JRsYg2EfeA/

Logged

waterwingz

10994

Publish

Re: S110 Porting thread

« Reply #7 on: 04 / January / 2013, 18:35:45 »

Quote from: Nikon on 04 / January / 2013, 18:30:27

Interestingly, the two dumps are very similar but not identical. There are a few differences.

This is normal for most CHDK camera once you get to the upper parts of the memory.

Quote

, so perhaps they put one flash memory and one RAM into the device, and then copy the content from flash to RAM at startup? (with a few differences)

We also know they have started to do that on recent cameras, although nobody really knows why.

Logged

Ported : A1200 SD940 G10 Powershot N G16*

philmoz

2959

Publish

Re: S110 Porting thread

« Reply #8 on: 04 / January / 2013, 18:59:12 »

Quote from: Nikon on 04 / January / 2013, 18:30:27

It succeeded:
"
Started
F8000000 dry
done
"

Interestingly, the two dumps are very similar but not identical. There are a few differences.
So it seems Canon for some reason put either two flash memories in the device and loaded almost the same content to the two. But I don't see any point in that, so perhaps they put one flash memory and one RAM into the device, and then copy the content from flash to RAM at startup? (with a few differences)

Could it be that they need write-access to the flash memory during runtime, preventing them from executing any code from it, thereby creating the need to copy it all to a RAM?

I find a lot of strings in the dump which indicates that this camera has some sort of console or terminal support. Judging from the strings, the terminal interface supports commands for reading and writing any adress. It also supports TCP/IP related commands such as ping. Is a terminal available in other cameras as well, or something which they have added in only this one?

Dump from adress 0xF8000000 is here:
http://www.fileswap.com/dl/JRsYg2EfeA/

Differences appear to be only where the properties, params and debug log get saved (as far as I can tell), so probably just from using the camera between dumps.

If you dumped both f8000000 and ff000000 at the same time I suspect the two dumps would be identical.

Now I have to figure out how to handle this in the sig finder

Wonder which is the primary address for all the firmware functions (f8xxxxxx or ffxxxxxx) - it shouldn't matter to CHDK since the code is identical calling either address should work.

Phil.

Logged

CHDK ports:
sx30is (1.00c, 1.00h, 1.00l, 1.00n & 1.00p)
g12 (1.00c, 1.00e, 1.00f & 1.00g)
sx130is (1.01d & 1.01f)
ixus310hs (1.00a & 1.01a)
sx40hs (1.00d, 1.00g & 1.00i)
g1x (1.00e, 1.00f & 1.00g)

srsa_4c

3409

Publish

Re: S110 Porting thread

« Reply #9 on: 04 / January / 2013, 19:02:33 »

Quote from: Nikon on 04 / January / 2013, 18:30:27

Interestingly, the two dumps are very similar but not identical. There are a few differences.
So it seems Canon for some reason put either two flash memories in the device and loaded almost the same content to the two.

As waterwingz says, the differences what you see is from normal operation of the camera. The difference block in which you see CANON_DC is in the so called "flash params" area of the flash, most of the camera settings are stored there. You've also got something else in your newer dump: a recorded ROMLOG, which means you managed to crash the cam somehow.

Quote

2013:01:01 14:07:19 CtrlSrv.c

So, there's still only one flash ROM which is visible in two address ranges simultaneously. I have no idea why they changed the firmware starting address to 0xF8000000.

Quote

I find a lot of strings in the dump which indicates that this camera has some sort of console or terminal support. Judging from the strings, the terminal interface supports commands for reading and writing any adress. It also supports TCP/IP related commands such as ping. Is a terminal available in other cameras as well

Yes, but only over an UART (serial) line.

So, if you want to work (get disassembly) on the cam, you'll need to use the 0xF8000000 start address for the dump. If you invoke finsig_dryos manually ( finsig_dryos PRIMARY.BIN 0xf8000000 sigs.txt ), it will mostly succeed. You get a finsig_dryos binary in the tools directory after building CHDK for any ported camera.

@philmoz: it's 0xF8xxxxxx

Logged

CHDK builds: EOS M10
Menu jumping on M10?