A2400 porting thread

    A2400 porting thread
    « on: 01 / March / 2013, 21:23:07 »
    Bought this camera a few days ago, have started porting CHDK to it. Based off the A2300 & A3400 port. Using IDA and OS X. First time porting, long time since I've done any ASM.

    Camera info:
       DRYOS R50 (DRYOS version 2.3, release #0050)
       Firmware Ver GM1.00D
       Canon PowerShot A2400 IS
       PLATFORMID=12873
       MEMBASEADDR=0x1900
       EXMEM_HEAP_SKIP=0x2DB400
       MEMISOSTART=0x158080

    Firmware dump: http://www.sendspace.com/file/mzdvy3

    Loader: runs
    boot(): runs
    First jump after boot(): runs. Power button detection appears to be at 0x24B0 not 0x24B8 like its siblings (a810,a2300,etc)
    Second jump after boot(): runs.
    Third jump after boot(): function does not appear to run.

    Adding some inline ASM to turn on the LED, I see that it bails out in this function:
    Code:
    void __attribute__((naked,noinline)) sub_FF8111D8_my(  ) {
    asm volatile (
          "STR     LR, [SP, #-4]! \n"
          ...
          "STR     R0, [SP, #4] \n"
    #if defined(OPT_CHDK_IN_EXMEM)
          "LDR     R0, =0x158080 \n"      // MEMISOSTART: Use original heap offset since CHDK is loaded in high memory
    #else
          "LDR     R0, =new_sa\n"     //otherwise use patched value
          "LDR     R0, [R0]\n"
    #endif
          ....
          "STR     R0, [SP, #0x68] \n" // execution reaches here
        //"LDR     R1, =sub_FF814288 \n"  //original
          "LDR     R1, =sub_FF814288_my \n" //patched
          "MOV     R2, #0 \n"
          "MOV     R0, SP \n" // this runs
          "BL      sub_003F2778 \n" //RAM
          "ADD     SP, SP, #0x74 \n" // this doesn't
          "LDR     PC, [SP], #4 \n"
    );
    }

    If I'm reading my ASM right, at the end of sub_FF8111D8_my it loads R1 with address of sub_FF814288_my, sets up a couple of arguments, then jumps into RAM. Adding the LED ASM to the start of sub_FF814288_my shows that it never gets there. What does the BL to RAM do?

    I saw that stubs_auto.S didn't have an entry for FF814288, however I regenerated this file and compiled again and still no joy.

    Does anyone have any pointers or suggestions of where I'm going wrong? a2300/100e and a2400/100d are pretty close matches and very few addresses have changed in the code executed up to this point, so I'm a bit stumped why it does execute.

    Thanks for any assistance,
    --Michael

    reyalp
    Re: A2400 porting thread
    « Reply #1 on: 01 / March / 2013, 22:50:54 »
    Quote
    If I'm reading my ASM right, at the end of sub_FF8111D8_my it loads R1 with address of sub_FF814288_my, sets up a couple of arguments, then jumps into RAM. Adding the LED ASM to the start of sub_FF814288_my shows that it never gets there. What does the BL to RAM do?
    Recent dryos versions (>=50) copy some kernel code to RAM. We don't know why. The call to sub_003F2778 is never expected to return, it's starting up the OS. The epilogue on that function may just be a byproduct of Canon's compiler. It should end up calling your sub_FF814288_my at some point.

    edit:
    If you want more 'real time' assistance, you can sometimes find some of us in the irc channel, #chdk on freenode
    Don't forget what the H stands for.

    Re: A2400 porting thread
    « Reply #2 on: 01 / March / 2013, 23:55:09 »
    Quote
    Recent dryos versions (>=50) copy some kernel code to RAM. We don't know why. The call to sub_003F2778 is never expected to return, it's starting up the OS.

    Ahh, thanks, that makes more sense then. Went back and double checked the path-to-RAM, found a typo. Getting further now, crashing somewhere between CreateTask_spytask and StartFactoryModeController in the task_Startup_my method. Time for some more LED flashing...

    nafraf
    Re: A2400 porting thread
    « Reply #3 on: 02 / March / 2013, 05:02:00 »
    a2400 has IS, for capt_seq.c porting it would be better to use A3400IS or A4000IS as reference.
    Those models are in alpha, there are some features that were not fully tested.

    You can use chdk-pt for porting a2400, you can obtain address file from a3400 101b:

    capt_seq.c
    Code:
    capt_seq_task 0xFF872424 225
    sub_FF968D38_my 0xFF968D38 50
    sub_FFA87D48_my 0xFFA87D48 145
    exp_drv_task 0xFF8B1AD0 467
    sub_FF8AE740_my 0xFF8AE740 54
    sub_FF89E38C_my 0xFF89E38C 28

    movie_rec.c
    Code:
    movie_record_task 0xFF9632F4 107
    sub_FF9562C2C_my 0xFF962CB8 442
    I know that chdk-pt is recommended to port a new firmware version of the same camera, but in some cases it works to port a new model using a similar camera as reference :)
    « Last Edit: 02 / March / 2013, 05:05:42 by nafraf »
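
A consistency check for the address list in the post above, as an added example that is not part of the thread and is not chdk-pt code. It assumes the three-column layout seen in the post (name, hex address, integer, the last treated as an opaque positive count) and word-aligned ARM-mode addresses; the entries are copied as posted.

```python
import re

# Entries copied as posted above (capt_seq.c list, then movie_rec.c list).
POSTED = """\
capt_seq_task 0xFF872424 225
sub_FF968D38_my 0xFF968D38 50
sub_FFA87D48_my 0xFFA87D48 145
exp_drv_task 0xFF8B1AD0 467
sub_FF8AE740_my 0xFF8AE740 54
sub_FF89E38C_my 0xFF89E38C 28
movie_record_task 0xFF9632F4 107
sub_FF9562C2C_my 0xFF962CB8 442
"""

# Patched-function naming seen in the thread: sub_<hex address>_my
SUB_NAME = re.compile(r"sub_([0-9A-Fa-f]+)_my$")

def parse(text):
    """Yield (lineno, name, address, count); ValueError on a malformed line."""
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(fields)}")
        name, addr, count = fields
        yield lineno, name, int(addr, 16), int(count, 10)

def check(text):
    """Return (lineno, name, problem) for every entry that is inconsistent."""
    findings, seen = [], {}
    for lineno, name, addr, count in parse(text):
        # Assumption: ARM-mode code, so entry points are word-aligned 32-bit values.
        if addr > 0xFFFFFFFF or addr % 4:
            findings.append((lineno, name, "address is not a word-aligned 32-bit value"))
        if count <= 0:
            findings.append((lineno, name, "count is not positive"))
        m = SUB_NAME.match(name)
        if m and int(m.group(1), 16) != addr:
            findings.append((lineno, name,
                             f"name embeds 0x{m.group(1).upper()}, address column is 0x{addr:08X}"))
        if addr in seen:
            findings.append((lineno, name, f"address already listed for {seen[addr]}"))
        seen.setdefault(addr, name)
    return findings

if __name__ == "__main__":
    for lineno, name, problem in check(POSTED):
        print(f"line {lineno}: {name}: {problem}")
```

Running the check before feeding a list to a porting tool catches entries where the stub name and the address column have drifted apart.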


    Re: A2400 porting thread
    « Reply #4 on: 02 / March / 2013, 17:28:59 »
    Alright, booting and taking photos now :) Working ultra-alpha port is available at: http://www.sendspace.com/file/x1r7r8

    Quote
    a2400 has IS, for capt_seq.c porting it would be better to use A3400IS or A4000IS as reference.
    Those models are in alpha, there are some features that were not fully tested.

    Yeah that was my thinking too, they seem a pretty good match.

    So far:
    • Menus work
    • RAW doesn't
    • Movie mode doesn't

    And the reason why my code kept crashing in odd places and I couldn't boot past the battery task in task_Startup_my? Ha, extremely flat battery. Lol.

    Re: A2400 porting thread
    « Reply #5 on: 02 / March / 2013, 19:50:40 »
    Ok...
    * Camera works
    * RAW works, DNG files are readable
    * Movie mode works, including quality overrides and optical zoom

    Had a bit of a play around in menus, everything seems to work, no crashes so far.

    Working DISKBOOT.BIN: http://www.sendspace.com/file/9rkzun

    So now that I have a working port, what next???

    reyalp
    Re: A2400 porting thread
    « Reply #6 on: 02 / March / 2013, 20:00:23 »
    Quote
    Ok...
    * Camera works
    * RAW works, DNG files are readable
    * Movie mode works, including quality overrides and optical zoom

    Had a bit of a play around in menus, everything seems to work, no crashes so far.

    Working DISKBOOT.BIN: http://www.sendspace.com/file/9rkzun

    So now that I have a working port, what next???
    Nice work.

    If you haven't already, you can try the test scripts listed in http://chdk.wikia.com/wiki/Testing

    If you think it's ready to be included in svn, you can create a patch and post it in http://chdk.setepontos.com/index.php?topic=650.1020

    We can add it as an alpha or beta in the autobuild, or just add the source and leave it disabled.


    Don't forget what the H stands for.

    nafraf
    Re: A2400 porting thread
    « Reply #7 on: 02 / March / 2013, 20:11:43 »
    @madleech
    Some other suggestions:
    * Are you using custom palette? check CHDK colors in PLAY and REC mode.
    * Motion detection test?
    * Did you test chdk + chdkptp liveview?  8)



    fe50
    Re: A2400 porting thread
    « Reply #8 on: 03 / March / 2013, 15:06:48 »
    Added the A2400 1.00D full 8MB dump (dumped with cBasic udumper) by madleech from this forum post to the CHDK P&S FW dumps repository.

    Re: A2400 porting thread
    « Reply #9 on: 12 / March / 2013, 09:05:30 »
    Hi, I just bought an A2400.

    However, I cannot get the ver.req or vers.req to work.

    And I can only see a diskboot.bin download here. Is there any other file I should download in order to make it work?

    I used EOScard to make my SD card bootable already.

    Thanks a lot for your help.

    Larrycafe

     
