CHDK Wiki
Register
Advertisement
Attention

The 5D Mark II is NOT ported yet, there is NO CHDK available for this camera.

Canon EOS 5D Mark II
Processor: Digic IV image processor
OS: DryOS
Sensor: 36x24 mm CMOS
Resolution: 21.1 megapixel
Lens: SLR






Misc: 1080p HD video at 30 fps


Firmware progress[]

CPU info[]

  • CPU ID 0x41059461: "A", variant 0, arch 5, part 946 rev 1
  • Cache type 0x0f112112: unified cache, isize/dsize 32 byte cache lines, 4 way associative, 8 KB total
  • Cache setup 0x0005107d:
    • MMU enabled
    • Alignment fault disables
    • Cache enabled
    • Big-endian operation
    • System protection = 0
    • ROM protection = 0
    • I-cache enabled
    • Exception vectors at 0x00000000
    • Random cache replacement
    • L4 bit unset


Memory maps[]

  • 0xFF80_0000 - 0xFFFF_FFFF: RAM ROM image of DryOS and code (copied from ROM0 at boot)
  • 0xF800_0000 - 0xF880_0000: ROM0 image of DryOS (alias of 0xFF80_0000?)
  • 0xF000_0000 - 0xF080_0000: ROM1 image (strings, bitmaps and other stuff?)
  • 0x4000_0000: 32 KB Tightly-coupled memory region?
  • 0x0080_0000: Flasher code load address
  • 0x0000_0000: Reset vectors
  • 0x0000_0480: Reset routine? Copied from 0xFF812B30 to 0x480 at startup
  • 0x0027_F000: Interrupt handler stack
  • 0x0002_0740: Interrupt handler context buffer
  • 0x0000_0664: Some sort pointer to a kernel structure
  • 0xC000_0000: Memory mapped device?
  • 0x0000_1900, 0x1928: Last panic code?
  • 0x0000_2DC8: A kernel structure copied from the stack

Control registers[]

c1,c0,0: 0005107d // control register
c2,c0,0: 00000070 // data cache bits
c2,c0,1: 00000070 // inst cache bits
c3,c0,0: 00000070 // data buffer bits
c3,c0,1: 00000000 // inst buffer bits
c5,c0,2: 03333333 // extended data access bits
c5,c0,3: 03333333 // extended inst access bits
c6,c0,0: 0000003f // region 0
c6,c1,0: 0000003d // region 1
c6,c2,0: e0000039 // region 2
c6,c3,0: c0000039 // region 3
c6,c4,0: ff80002d // region 4
c6,c5,0: 00000039 // region 5
c6,c6,0: f780002d // region 6
c6,c7,0: 00000000 // region 7

When the flasher program is running, the c6 register map (read via mcr p15, 0, r0, c6, cM and interpreted based on ARM946 protection region registers). Data/Instr permissions (mcr p15, 0, r0, c5, c0, 2 and mcr p15, 0, r0, c5, c0, 3) both eq 0x03333333, which is user and system read/write to all regions.

Register Value Base Size Notes
c6,c0 0x0000003f 0x00000000 4 GB (?)
c6,c1 0x0000003d 0x00000000 2 GB (?)
c6,c2 0xe0000039 0xE0000000 512 MB Covers DMA area?
c6,c3 0x000000fe Not enabled --
c6,c4 0xff80002d 0xFF800000 8 MB RAM image?
c6,c5 0x00000039 0x00000000 512 MB
c6,c6 0xf780002d 0xF7800000 8 MB ROM image?
c6,c7 0x00000000 Not enabled --
  • Startup at 0xFF81_0000, jumps to 0xFF81_000C
  • Data segment or config? 0x1900 - 0x20740
  • BSS? 0x20740 - 0x47750

Events and properties[]

See DryOS structures for more details.


Available firmware dumps & updates[]

Firmware version 1.1.0 adds full manual control to video shooting and fixes a few bugs

fileLen = 0x92224c
---.fir header---
0x000: modelId = 0x80000218, (5D Mark II, DryOS)
0x010: version = 1.1.0
0x020: checksum = 0xb7384f65
0x024: updater1 header = 0xb0
0x028: updater1 offset = 0x120
0x02c: updater2 offset = 0xffffffff
0x030: firmware offset = 0x1a0cd0
0x034: 0xffffffff
0x038: embedded file size = 0x92224c
0x03c: 0x0
0x040: sha1 seed = 0x9d6fd907
0x044: 0x00000004 0x00000000 0x00000020 0x00000024 0x00000044 0x000000b0 0x001a0c20
0x060: 0x1a0cd0
0x064: firmware length = 0x78157c
0x068: updater1 hmac-sha1 = 628b5312662b43592dd23ade1e93e0cf922d8aea
0x088: firmware hmac-sha1 = 63447a6a31673aff18d2ef0fe76afead2635ce6d
---updater1 header---
0x0b0: updater1 length = 0x1a0bb0. starts at 0x120
0x0b4: 0x1a0ba4
0x0b8: 0x0
0x0bc: xor seed value = 0x348e2ce8
0x120: --- updater1 (ciphered) ---
---firmware header---
0x1a0cd0: (+0x000), offset to decryption data = 0xc
0x1a0cd4: (+0x004), offset to encrypted data = 0x7c. starts at 0x1a0cd0
0x1a0cd8: (+0x008), total firmware length (including header) = 0x78157c. starts at 0x1a0cd0
0x1a0cdc: (+0x00c), firmware length (encrypted part) = 0x781500. starts at 0x1a0d4c
---firmware (encrypted)---
0x1a0d4c: (+0x07c)

Magic Lantern support[]

Magic Lantern is now widely accepted as the replacement for CHDK on the 5D mark II.

Advertisement