5D Mark II

598pages on
this wiki
Add New Page
Talk0 Share

Ad blocker interference detected!

Wikia is a free-to-use site that makes money from advertising. We have a modified experience for viewers using ad blockers

Wikia is not accessible if you’ve made further modifications. Remove the custom ad blocker rule(s) and the page will load as expected.


The 5D Mark II is NOT ported yet, there is NO CHDK available for this camera.

Canon EOS 5D Mark II
Processor: Digic IV image processor
Sensor: 36x24 mm CMOS
Resolution: 21.1 megapixel
Lens: SLR

Misc: 1080p HD video at 30 fps

Firmware progress Edit

CPU info Edit

  • CPU ID 0x41059461: "A", variant 0, arch 5, part 946 rev 1
  • Cache type 0x0f112112: unified cache, isize/dsize 32 byte cache lines, 4 way associative, 8 KB total
  • Cache setup 0x0005107d:
    • MMU enabled
    • Alignment fault disables
    • Cache enabled
    • Big-endian operation
    • System protection = 0
    • ROM protection = 0
    • I-cache enabled
    • Exception vectors at 0x00000000
    • Random cache replacement
    • L4 bit unset

Memory maps Edit

  • 0xFF80_0000 - 0xFFFF_FFFF: RAM ROM image of DryOS and code (copied from ROM0 at boot)
  • 0xF800_0000 - 0xF880_0000: ROM0 image of DryOS (alias of 0xFF80_0000?)
  • 0xF000_0000 - 0xF080_0000: ROM1 image (strings, bitmaps and other stuff?)
  • 0x4000_0000: 32 KB Tightly-coupled memory region?
  • 0x0080_0000: Flasher code load address
  • 0x0000_0000: Reset vectors
  • 0x0000_0480: Reset routine? Copied from 0xFF812B30 to 0x480 at startup
  • 0x0027_F000: Interrupt handler stack
  • 0x0002_0740: Interrupt handler context buffer
  • 0x0000_0664: Some sort pointer to a kernel structure
  • 0xC000_0000: Memory mapped device?
  • 0x0000_1900, 0x1928: Last panic code?
  • 0x0000_2DC8: A kernel structure copied from the stack

Control registers Edit

c1,c0,0: 0005107d // control register
c2,c0,0: 00000070 // data cache bits
c2,c0,1: 00000070 // inst cache bits
c3,c0,0: 00000070 // data buffer bits
c3,c0,1: 00000000 // inst buffer bits
c5,c0,2: 03333333 // extended data access bits
c5,c0,3: 03333333 // extended inst access bits
c6,c0,0: 0000003f // region 0
c6,c1,0: 0000003d // region 1
c6,c2,0: e0000039 // region 2
c6,c3,0: c0000039 // region 3
c6,c4,0: ff80002d // region 4
c6,c5,0: 00000039 // region 5
c6,c6,0: f780002d // region 6
c6,c7,0: 00000000 // region 7

When the flasher program is running, the c6 register map (read via mcr p15, 0, r0, c6, cM and interpreted based on ARM946 protection region registers). Data/Instr permissions (mcr p15, 0, r0, c5, c0, 2 and mcr p15, 0, r0, c5, c0, 3) both eq 0x03333333, which is user and system read/write to all regions.

Register Value Base Size Notes
c6,c0 0x0000003f 0x00000000 4 GB (?)
c6,c1 0x0000003d 0x00000000 2 GB (?)
c6,c2 0xe0000039 0xE0000000 512 MB Covers DMA area?
c6,c3 0x000000fe Not enabled --
c6,c4 0xff80002d 0xFF800000 8 MB RAM image?
c6,c5 0x00000039 0x00000000 512 MB
c6,c6 0xf780002d 0xF7800000 8 MB ROM image?
c6,c7 0x00000000 Not enabled --
  • Startup at 0xFF81_0000, jumps to 0xFF81_000C
  • Data segment or config? 0x1900 - 0x20740
  • BSS? 0x20740 - 0x47750

Events and properties Edit

See DryOS structures for more details.

Available firmware dumps & updatesEdit

Firmware version 1.1.0 adds full manual control to video shooting and fixes a few bugs

fileLen = 0x92224c
---.fir header---
0x000: modelId = 0x80000218, (5D Mark II, DryOS)
0x010: version = 1.1.0
0x020: checksum = 0xb7384f65
0x024: updater1 header = 0xb0
0x028: updater1 offset = 0x120
0x02c: updater2 offset = 0xffffffff
0x030: firmware offset = 0x1a0cd0
0x034: 0xffffffff
0x038: embedded file size = 0x92224c
0x03c: 0x0
0x040: sha1 seed = 0x9d6fd907
0x044: 0x00000004 0x00000000 0x00000020 0x00000024 0x00000044 0x000000b0 0x001a0c20
0x060: 0x1a0cd0
0x064: firmware length = 0x78157c
0x068: updater1 hmac-sha1 = 628b5312662b43592dd23ade1e93e0cf922d8aea
0x088: firmware hmac-sha1 = 63447a6a31673aff18d2ef0fe76afead2635ce6d
---updater1 header---
0x0b0: updater1 length = 0x1a0bb0. starts at 0x120
0x0b4: 0x1a0ba4
0x0b8: 0x0
0x0bc: xor seed value = 0x348e2ce8
0x120: --- updater1 (ciphered) ---
---firmware header---
0x1a0cd0: (+0x000), offset to decryption data = 0xc
0x1a0cd4: (+0x004), offset to encrypted data = 0x7c. starts at 0x1a0cd0
0x1a0cd8: (+0x008), total firmware length (including header) = 0x78157c. starts at 0x1a0cd0
0x1a0cdc: (+0x00c), firmware length (encrypted part) = 0x781500. starts at 0x1a0d4c
---firmware (encrypted)---
0x1a0d4c: (+0x07c)

Magic Lantern supportEdit

Magic Lantern is now widely accepted as the replacement for CHDK on the 5D mark II.

Also on Fandom

Random Wiki