(→Memory maps: Expanded meaning of regions) |
No edit summary |
||
(19 intermediate revisions by 4 users not shown) | |||
Line 1: | Line 1: | ||
− | {{Attention|'''The 5D Mark II is NOT ported yet, there |
+ | {{Attention|'''The 5D Mark II is NOT ported yet, there is NO CHDK available for this camera.'''}} |
+ | <!-- this needs to be left aligned! --> |
||
− | == Technical Details == |
||
+ | {{Infobox Digicam |
||
− | + | | model = [http://en.wikipedia.org/wiki/Canon_EOS_5D_Mark_II Canon EOS 5D Mark II] |
|
− | + | | imageProcessor= '''Digic IV''' image processor |
|
− | *'''DryOS''' operating system |
||
+ | | os = [[DryOS structures|DryOS]] |
||
− | *21.1 megapixel CMOS sensor |
||
− | + | | sensor = 36x24 mm CMOS |
|
+ | | res = 21.1 megapixel |
||
+ | | lens = SLR |
||
+ | | ois = |
||
+ | | viewfinder = |
||
+ | | rearLCD = |
||
+ | | speedRange = |
||
+ | | storage = |
||
+ | | battery = |
||
+ | | dimensions = |
||
+ | | weight = |
||
+ | | usb = |
||
+ | | misc = 1080p HD video at 30 fps |
||
+ | }} |
||
+ | |||
+ | |||
⚫ | |||
+ | * The [http://magiclantern.wikia.com Magic Lantern] firmware provides many CHDK like functions for the camera. |
||
⚫ | |||
+ | * 1.1.0 Firmware has been dumped and [http://cinema5d.com/viewtopic.php?f=56&t=2841 custom init task is running] |
||
⚫ | |||
⚫ | |||
+ | * FAT16 [[bootable SD card]] does not seem to work -- perhaps volume must be EOS_DEVELOP? (0xffff50d0 compares against it and BOOTDISK) |
||
+ | * Trampoline / shim code has been run through the firmware update routine to allow user task creation. <tt>TaskSleep()</tt> has not been found, so the user tasks consume all of the CPU. |
||
+ | * ''[http://cinema5d.com/viewtopic.php?f=14&t=2494 User firmware runs!]'' It doesn't do much yet, but it is a start. |
||
+ | * [[DryOS structures]] has details on internals |
||
+ | * [http://cinema5d.com/viewtopic.php?f=14&t=2619#p17356 Onscreen audio meters] are working |
||
+ | * [http://cinema5d.com/viewtopic.php?f=14&t=2664 Zebra stripes] are also working |
||
+ | |||
+ | == CPU info == |
||
* CPU ID 0x41059461: "A", variant 0, arch 5, part 946 rev 1 |
* CPU ID 0x41059461: "A", variant 0, arch 5, part 946 rev 1 |
||
* Cache type 0x0f112112: unified cache, isize/dsize 32 byte cache lines, 4 way associative, 8 KB total |
* Cache type 0x0f112112: unified cache, isize/dsize 32 byte cache lines, 4 way associative, 8 KB total |
||
Line 20: | Line 49: | ||
** L4 bit unset |
** L4 bit unset |
||
⚫ | |||
⚫ | |||
⚫ | |||
⚫ | |||
− | * FAT16 [[bootable SD card]] does not seem to work |
||
=== Memory maps === |
=== Memory maps === |
||
− | * <tt>0xFF80_0000 - 0xFFFF_FFFF</tt>: RAM image of DryOS and code (copied from ROM0 at boot) |
+ | * <tt>0xFF80_0000 - 0xFFFF_FFFF</tt>: <s>RAM</s> ROM image of DryOS and code (copied from ROM0 at boot) |
− | * <tt>0xF800_0000 - 0xF880_0000</tt>: ROM0 image of DryOS |
+ | * <tt>0xF800_0000 - 0xF880_0000</tt>: ROM0 image of DryOS (alias of 0xFF80_0000?) |
− | * <tt>0xF000_0000 - 0xF080_0000</tt>: ROM1 image (strings and other stuff?) |
+ | * <tt>0xF000_0000 - 0xF080_0000</tt>: ROM1 image (strings, bitmaps and other stuff?) |
+ | * <tt>0x4000_0000</tt>: 32 KB Tightly-coupled memory region? |
||
* <tt>0x0080_0000</tt>: Flasher code load address |
* <tt>0x0080_0000</tt>: Flasher code load address |
||
− | * <tt>0x0000_0000</tt>: Reset vectors |
+ | * <tt>0x0000_0000</tt>: Reset vectors |
* <tt>0x0000_0480</tt>: Reset routine? Copied from 0xFF812B30 to 0x480 at startup |
* <tt>0x0000_0480</tt>: Reset routine? Copied from 0xFF812B30 to 0x480 at startup |
||
* <tt>0x0027_F000</tt>: Interrupt handler stack |
* <tt>0x0027_F000</tt>: Interrupt handler stack |
||
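Review bot: The rewritten 0xFF80_0000 entry leaves the correction visible as `<s>RAM</s> ROM` and keeps "(copied from ROM0 at boot)", which belonged to the old RAM reading; the next entry now suggests 0xF800_0000 is an alias of the same range. Drop the strike-through markup and either remove the parenthetical or reword it so the two entries agree on whether this range is a copy or an alias.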
Line 39: | Line 64: | ||
* <tt>0x0000_1900, 0x1928</tt>: Last panic code? |
* <tt>0x0000_1900, 0x1928</tt>: Last panic code? |
||
* <tt>0x0000_2DC8</tt>: A kernel structure copied from the stack |
* <tt>0x0000_2DC8</tt>: A kernel structure copied from the stack |
||
+ | |||
+ | === Control registers === |
||
+ | <pre> |
||
+ | c1,c0,0: 0005107d // control register |
||
+ | c2,c0,0: 00000070 // data cache bits |
||
+ | c2,c0,1: 00000070 // inst cache bits |
||
+ | c3,c0,0: 00000070 // data buffer bits |
||
+ | c3,c0,1: 00000000 // inst buffer bits |
||
+ | c5,c0,2: 03333333 // extended data access bits |
||
+ | c5,c0,3: 03333333 // extended inst access bits |
||
+ | c6,c0,0: 0000003f // region 0 |
||
+ | c6,c1,0: 0000003d // region 1 |
||
+ | c6,c2,0: e0000039 // region 2 |
||
+ | c6,c3,0: c0000039 // region 3 |
||
+ | c6,c4,0: ff80002d // region 4 |
||
+ | c6,c5,0: 00000039 // region 5 |
||
+ | c6,c6,0: f780002d // region 6 |
||
+ | c6,c7,0: 00000000 // region 7 |
||
+ | </pre> |
||
When the flasher program is running, the c6 register map (read via |
When the flasher program is running, the c6 register map (read via |
||
− | <tt>mcr p15, 0, r0, c6, cM</tt> and interpreted based on [http://infocenter.arm.com/help/topic/com.arm.doc.ddi0201d/I1039570.html ARM946 protection region registers]) |
+ | <tt>mcr p15, 0, r0, c6, cM</tt> and interpreted based on [http://infocenter.arm.com/help/topic/com.arm.doc.ddi0201d/I1039570.html ARM946 protection region registers]). Data/Instr permissions (<tt>mcr p15, 0, r0, c5, c0, 2</tt> and <tt>mcr p15, 0, r0, c5, c0, 3</tt>) both eq 0x03333333, which is user and system read/write to all regions. |
+ | |||
{|border=1 |
{|border=1 |
||
|- |
|- |
||
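Review bot: The sentence added after the register dump says the c5 and c6 values were read with `mcr p15, 0, r0, c5, c0, 2`, but `mcr` moves an ARM register to the coprocessor (a write); reading CP15 uses `mrc` with the same operands. The edit also ends the first sentence at "registers)." so it no longer has a verb, and "read/write to all regions" does not match the top nibble of 0x03333333, which is 0 for region 7. Suggest `mrc` in all three places, restoring a verb before the table, and saying regions 0 to 6.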
Line 50: | Line 95: | ||
! Notes |
! Notes |
||
|- |
|- |
||
− | | c6,c0 || 0x0000003f || 0x00000000 || 4 GB (?) |
+ | | c6,c0 || 0x0000003f || 0x00000000 || 4 GB (?) || |
|- |
|- |
||
| c6,c1 || 0x0000003d || 0x00000000 || 2 GB (?) |
| c6,c1 || 0x0000003d || 0x00000000 || 2 GB (?) |
||
Line 71: | Line 116: | ||
* BSS? <tt>0x20740 - 0x47750</tt> |
* BSS? <tt>0x20740 - 0x47750</tt> |
||
− | + | == Events and properties == |
|
+ | See [[DryOS structures]] for more details. |
||
− | * Firmware Update dialog events: |
||
+ | |||
− | ** 0x6 == IDC_DBN_OK |
||
+ | |||
− | ** 0x7 == IDC_DBN_CANCEL |
||
+ | ==Available firmware dumps & updates== |
||
− | ** ? == PRESS_MENU |
||
+ | *EOS 5D Mark II fw '''1.1.0''' -- http://web.canon.jp/imaging/eosd/firm-e/eos5dmk2/firmware.html |
||
− | ** 0x805 == DELETE_DIALOG_REQUEST |
||
+ | |||
− | ** 0x820 == SUB_DIAL (spin left) |
||
+ | Firmware version 1.1.0 adds full manual control to video shooting and fixes a few bugs |
||
− | ** ? == SUB_DIAL (spin right) |
||
+ | |||
− | ** 0x829 == return 1 (unknown) |
||
+ | fileLen = 0x92224c |
||
− | ** 0x82F == return 1 (unknown) |
||
+ | ---.fir header--- |
||
+ | 0x000: modelId = 0x80000218, (5D Mark II, DryOS) |
||
+ | 0x010: version = 1.1.0 |
||
+ | 0x020: checksum = 0xb7384f65 |
||
+ | 0x024: updater1 header = 0xb0 |
||
+ | 0x028: updater1 offset = 0x120 |
||
+ | 0x02c: updater2 offset = 0xffffffff |
||
+ | 0x030: firmware offset = 0x1a0cd0 |
||
+ | 0x034: 0xffffffff |
||
+ | 0x038: embedded file size = 0x92224c |
||
+ | 0x03c: 0x0 |
||
+ | 0x040: sha1 seed = 0x9d6fd907 |
||
+ | 0x044: 0x00000004 0x00000000 0x00000020 0x00000024 0x00000044 0x000000b0 0x001a0c20 |
||
+ | 0x060: 0x1a0cd0 |
||
+ | 0x064: firmware length = 0x78157c |
||
+ | 0x068: updater1 hmac-sha1 = 628b5312662b43592dd23ade1e93e0cf922d8aea |
||
+ | 0x088: firmware hmac-sha1 = 63447a6a31673aff18d2ef0fe76afead2635ce6d |
||
+ | ---updater1 header--- |
||
+ | 0x0b0: updater1 length = 0x1a0bb0. starts at 0x120 |
||
+ | 0x0b4: 0x1a0ba4 |
||
+ | 0x0b8: 0x0 |
||
+ | 0x0bc: xor seed value = 0x348e2ce8 |
||
+ | 0x120: --- updater1 (ciphered) --- |
||
+ | ---firmware header--- |
||
+ | 0x1a0cd0: (+0x000), offset to decryption data = 0xc |
||
+ | 0x1a0cd4: (+0x004), offset to encrypted data = 0x7c. starts at 0x1a0cd0 |
||
+ | 0x1a0cd8: (+0x008), total firmware length (including header) = 0x78157c. starts at 0x1a0cd0 |
||
+ | 0x1a0cdc: (+0x00c), firmware length (encrypted part) = 0x781500. starts at 0x1a0d4c |
||
+ | ---firmware (encrypted)--- |
||
+ | 0x1a0d4c: (+0x07c) |
||
+ | |||
+ | ==Magic Lantern support== |
||
+ | |||
+ | Magic Lantern is now widely accepted as the replacement for CHDK on the 5D mark II. |
||
+ | * [http://magiclantern.wikia.com Magic Lantern Firmware] |
||
[[Category:Cameras]] |
[[Category:Cameras]] |
||
[[Category:DSLR]] |
[[Category:DSLR]] |
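Review bot: Nothing in the visible change shows the Firmware Update dialog event codes (0x6 == IDC_DBN_OK through 0x82F) being moved to [[DryOS structures]] before they are deleted from the Events section; confirm the target page carries them, or keep the list here. In the added .fir dump, the words at 0x034, 0x03c, 0x044, 0x060, 0x0b4 and 0x0b8 carry no label, and 0x060 repeats the firmware offset 0x1a0cd0; marking them as unknown would make clear they were not overlooked.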
Latest revision as of 21:09, 12 November 2011
The 5D Mark II is NOT ported yet; there is NO CHDK available for this camera.
Processor: | Digic IV image processor |
---|---|
OS: | DryOS |
Sensor: | 36x24 mm CMOS |
Resolution: | 21.1 megapixel |
Lens: | SLR |
Misc: | 1080p HD video at 30 fps |
Firmware progress
- The Magic Lantern firmware provides many CHDK like functions for the camera.
- 1.0.7 Firmware updater has been decrypted with dissect_fw3.2 (forum discussion)
- 1.1.0 Firmware has been dumped and custom init task is running
- ROM has been dumped: forum discussion
- Many DryOS functions have been mapped
- FAT16 bootable SD card does not seem to work -- perhaps volume must be EOS_DEVELOP? (0xffff50d0 compares against it and BOOTDISK)
- Trampoline / shim code has been run through the firmware update routine to allow user task creation. TaskSleep() has not been found, so the user tasks consume all of the CPU.
- User firmware runs! It doesn't do much yet, but it is a start.
- DryOS structures has details on internals
- Onscreen audio meters are working
- Zebra stripes are also working
CPU info
- CPU ID 0x41059461: "A", variant 0, arch 5, part 946 rev 1
- Cache type 0x0f112112: unified cache, isize/dsize 32 byte cache lines, 4 way associative, 8 KB total
- Cache setup 0x0005107d:
  - MMU enabled
  - Alignment fault disabled
  - Cache enabled
  - Big-endian operation
  - System protection = 0
  - ROM protection = 0
  - I-cache enabled
  - Exception vectors at 0x00000000
  - Random cache replacement
  - L4 bit unset
Memory maps
- 0xFF80_0000 - 0xFFFF_FFFF: ROM image of DryOS and code (copied from ROM0 at boot)
- 0xF800_0000 - 0xF880_0000: ROM0 image of DryOS (alias of 0xFF80_0000?)
- 0xF000_0000 - 0xF080_0000: ROM1 image (strings, bitmaps and other stuff?)
- 0x4000_0000: 32 KB Tightly-coupled memory region?
- 0x0080_0000: Flasher code load address
- 0x0000_0000: Reset vectors
- 0x0000_0480: Reset routine? Copied from 0xFF812B30 to 0x480 at startup
- 0x0027_F000: Interrupt handler stack
- 0x0002_0740: Interrupt handler context buffer
- 0x0000_0664: Some sort of pointer to a kernel structure
- 0xC000_0000: Memory mapped device?
- 0x0000_1900, 0x1928: Last panic code?
- 0x0000_2DC8: A kernel structure copied from the stack
Control registers
c1,c0,0: 0005107d // control register
c2,c0,0: 00000070 // data cache bits
c2,c0,1: 00000070 // inst cache bits
c3,c0,0: 00000070 // data buffer bits
c3,c0,1: 00000000 // inst buffer bits
c5,c0,2: 03333333 // extended data access bits
c5,c0,3: 03333333 // extended inst access bits
c6,c0,0: 0000003f // region 0
c6,c1,0: 0000003d // region 1
c6,c2,0: e0000039 // region 2
c6,c3,0: c0000039 // region 3
c6,c4,0: ff80002d // region 4
c6,c5,0: 00000039 // region 5
c6,c6,0: f780002d // region 6
c6,c7,0: 00000000 // region 7
When the flasher program is running, the c6 register map (read via mcr p15, 0, r0, c6, cM and interpreted based on ARM946 protection region registers) is as shown in the table below. The data and instruction permissions (mcr p15, 0, r0, c5, c0, 2 and mcr p15, 0, r0, c5, c0, 3) both equal 0x03333333, which is user and system read/write to all regions.
Register | Value | Base | Size | Notes |
---|---|---|---|---|
c6,c0 | 0x0000003f | 0x00000000 | 4 GB (?) | |
c6,c1 | 0x0000003d | 0x00000000 | 2 GB (?) | |
c6,c2 | 0xe0000039 | 0xE0000000 | 512 MB | Covers DMA area? |
c6,c3 | 0x000000fe | Not enabled | -- | |
c6,c4 | 0xff80002d | 0xFF800000 | 8 MB | RAM image? |
c6,c5 | 0x00000039 | 0x00000000 | 512 MB | |
c6,c6 | 0xf780002d | 0xF7800000 | 8 MB | ROM image? |
c6,c7 | 0x00000000 | Not enabled | -- |
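The decoding behind the table above, as an added example that is not part of the original wiki page: it splits each c6 value into enable bit, base and size per the ARM946E-S region register layout, reads the per-region nibble of the c5 permission word, and resolves which region governs an address when regions overlap. The function names are hypothetical; the input values are the ones in the table.

```python
# Added example: decode ARM946E-S protection-unit registers (not wiki code).
C6_TABLE = [0x0000003F, 0x0000003D, 0xE0000039, 0x000000FE,
            0xFF80002D, 0x00000039, 0xF780002D, 0x00000000]  # table above
C5_EXTENDED = 0x03333333  # c5,c0,2 and c5,c0,3 as quoted above

# Extended access-permission encodings, 4 bits per region.
AP = {0x0: "no access", 0x1: "priv rw", 0x2: "priv rw, user ro",
      0x3: "priv rw, user rw", 0x5: "priv ro", 0x6: "priv ro, user ro"}

def decode_region(value):
    """Return (enabled, base, size_in_bytes) for one c6 region register."""
    size_field = (value >> 1) & 0x1F               # bits [5:1]
    # Size is 2**(N+1) bytes; encodings below 4 KB (0x0B) are reserved.
    size = 1 << (size_field + 1) if size_field >= 0x0B else 0
    return bool(value & 1), value & 0xFFFFF000, size

def permission(c5_value, region):
    """Decode the 4-bit access permission for one region."""
    return AP.get((c5_value >> (4 * region)) & 0xF, "unpredictable")

def effective_region(addr, c6_values):
    """Highest-numbered enabled region containing addr; it takes priority."""
    for n in reversed(range(len(c6_values))):
        enabled, base, size = decode_region(c6_values[n])
        if enabled and base <= addr < base + size:
            return n
    return None

def misaligned_regions(c6_values):
    """Enabled regions whose base is not a multiple of their size."""
    out = []
    for n, value in enumerate(c6_values):
        enabled, base, size = decode_region(value)
        if enabled and size and base % size:
            out.append(n)
    return out

if __name__ == "__main__":
    for n, v in enumerate(C6_TABLE):
        en, base, size = decode_region(v)
        state = f"base 0x{base:08X}, {size >> 20} MB" if en else "not enabled"
        print(f"c6,c{n} = 0x{v:08X}: {state}; {permission(C5_EXTENDED, n)}")
    for addr in (0xFF810000, 0x00800000, 0xF8000000):
        print(f"0x{addr:08X} -> region {effective_region(addr, C6_TABLE)}")
```

Under this decoding 0xF800_0000, listed in the memory map as the ROM0 image, lies outside region 6 (0xF7800000 to 0xF7FFFFFF) and is governed by region 2.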
- Startup at 0xFF81_0000, jumps to 0xFF81_000C
- Data segment or config? 0x1900 - 0x20740
- BSS? 0x20740 - 0x47750
Events and properties
See DryOS structures for more details.
Available firmware dumps & updates
- EOS 5D Mark II fw 1.1.0 -- http://web.canon.jp/imaging/eosd/firm-e/eos5dmk2/firmware.html
Firmware version 1.1.0 adds full manual control to video shooting and fixes a few bugs
fileLen = 0x92224c
---.fir header---
0x000: modelId = 0x80000218, (5D Mark II, DryOS)
0x010: version = 1.1.0
0x020: checksum = 0xb7384f65
0x024: updater1 header = 0xb0
0x028: updater1 offset = 0x120
0x02c: updater2 offset = 0xffffffff
0x030: firmware offset = 0x1a0cd0
0x034: 0xffffffff
0x038: embedded file size = 0x92224c
0x03c: 0x0
0x040: sha1 seed = 0x9d6fd907
0x044: 0x00000004 0x00000000 0x00000020 0x00000024 0x00000044 0x000000b0 0x001a0c20
0x060: 0x1a0cd0
0x064: firmware length = 0x78157c
0x068: updater1 hmac-sha1 = 628b5312662b43592dd23ade1e93e0cf922d8aea
0x088: firmware hmac-sha1 = 63447a6a31673aff18d2ef0fe76afead2635ce6d
---updater1 header---
0x0b0: updater1 length = 0x1a0bb0. starts at 0x120
0x0b4: 0x1a0ba4
0x0b8: 0x0
0x0bc: xor seed value = 0x348e2ce8
0x120: --- updater1 (ciphered) ---
---firmware header---
0x1a0cd0: (+0x000), offset to decryption data = 0xc
0x1a0cd4: (+0x004), offset to encrypted data = 0x7c. starts at 0x1a0cd0
0x1a0cd8: (+0x008), total firmware length (including header) = 0x78157c. starts at 0x1a0cd0
0x1a0cdc: (+0x00c), firmware length (encrypted part) = 0x781500. starts at 0x1a0d4c
---firmware (encrypted)---
0x1a0d4c: (+0x07c)
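A reader for the labelled header fields above, with the offset and length relations that the listed 1.1.0 values satisfy turned into checks. This is an added example, not code from the wiki or from dissect_fw; little-endian 32-bit fields and an ASCII version string are assumptions, the function names are hypothetical, and the sample header is constructed from the values in the dump rather than taken from a real file.

```python
import struct

# Offsets of the 32-bit fields that the dump above labels.
FIELDS = {"model_id": 0x000, "checksum": 0x020, "updater1_header": 0x024,
          "updater1_offset": 0x028, "updater2_offset": 0x02C,
          "firmware_offset": 0x030, "embedded_size": 0x038,
          "firmware_length": 0x064, "updater1_length": 0x0B0}
# Values copied from the dump above (firmware 1.1.0).
PAGE_VALUES = {"model_id": 0x80000218, "checksum": 0xB7384F65,
               "updater1_header": 0xB0, "updater1_offset": 0x120,
               "updater2_offset": 0xFFFFFFFF, "firmware_offset": 0x1A0CD0,
               "embedded_size": 0x92224C, "firmware_length": 0x78157C,
               "updater1_length": 0x1A0BB0}

def parse_fir_header(buf):
    """Read the labelled fields (assumed little-endian, ASCII version)."""
    if len(buf) < 0xC0:
        raise ValueError("header truncated")
    hdr = {n: struct.unpack_from("<I", buf, off)[0] for n, off in FIELDS.items()}
    hdr["version"] = buf[0x10:0x20].split(b"\0", 1)[0].decode("ascii")
    return hdr

def layout_problems(hdr, file_len):
    """Return the offset/length relations that do not hold for this file."""
    checks = [
        ("embedded size != file length", hdr["embedded_size"] == file_len),
        ("updater1 header not before updater1 body",
         hdr["updater1_header"] < hdr["updater1_offset"]),
        ("updater1 does not end at firmware offset",
         hdr["updater1_offset"] + hdr["updater1_length"] == hdr["firmware_offset"]),
        ("firmware does not end at end of file",
         hdr["firmware_offset"] + hdr["firmware_length"] == file_len),
    ]
    return [msg for msg, ok in checks if not ok]

def sample_header(**overrides):
    """Constructed 0xC0-byte header holding only the values listed above."""
    buf = bytearray(0xC0)
    for name, value in {**PAGE_VALUES, **overrides}.items():
        struct.pack_into("<I", buf, FIELDS[name], value)
    buf[0x10:0x15] = b"1.1.0"
    return bytes(buf)

if __name__ == "__main__":
    hdr = parse_fir_header(sample_header())
    print(hdr["version"], layout_problems(hdr, 0x92224C))
    bad = parse_fir_header(sample_header(firmware_length=0x78157D))
    print(layout_problems(bad, 0x92224C))
```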
Magic Lantern support
Magic Lantern is now widely accepted as the replacement for CHDK on the 5D Mark II.