No edit summary |
|||
(6 intermediate revisions by 4 users not shown) | |||
Line 22: | Line 22: | ||
== Firmware progress == |
== Firmware progress == |
||
+ | * The [http://magiclantern.wikia.com Magic Lantern] firmware provides many CHDK like functions for the camera. |
||
− | * Firmware |
+ | * 1.0.7 Firmware updater has been decrypted with dissect_fw3.2 [http://chdk.setepontos.com/index.php/topic,111.msg27417.html#msg27417 forum discussion] |
+ | * 1.1.0 Firmware has been dumped and [http://cinema5d.com/viewtopic.php?f=56&t=2841 custom init task is running] |
||
* ROM has been dumped: [http://chdk.setepontos.com/index.php/topic,2750.msg30372.html#msg30372 forum discussion] |
* ROM has been dumped: [http://chdk.setepontos.com/index.php/topic,2750.msg30372.html#msg30372 forum discussion] |
||
* Many DryOS functions have been mapped |
* Many DryOS functions have been mapped |
||
* FAT16 [[bootable SD card]] does not seem to work -- perhaps volume must be EOS_DEVELOP? (0xffff50d0 compares against it and BOOTDISK) |
* FAT16 [[bootable SD card]] does not seem to work -- perhaps volume must be EOS_DEVELOP? (0xffff50d0 compares against it and BOOTDISK) |
||
− | * Trampoline / shim code has been run through the firmware update routine to allow user task creation. |
+ | * Trampoline / shim code has been run through the firmware update routine to allow user task creation. <tt>TaskSleep()</tt> has not been found, so the user tasks consume all of the CPU. |
− | * ''[http://cinema5d.com/viewtopic.php?f=14&t=2494 User firmware runs!]'' |
+ | * ''[http://cinema5d.com/viewtopic.php?f=14&t=2494 User firmware runs!]'' It doesn't do much yet, but it is a start. |
* [[DryOS structures]] has details on internals |
* [[DryOS structures]] has details on internals |
||
− | * [http://cinema5d.com/viewtopic.php?f=14&t=2619#p17356 Onscreen audio meters] are working |
+ | * [http://cinema5d.com/viewtopic.php?f=14&t=2619#p17356 Onscreen audio meters] are working |
+ | * [http://cinema5d.com/viewtopic.php?f=14&t=2664 Zebra stripes] are also working |
||
== CPU info == |
== CPU info == |
||
Line 82: | Line 85: | ||
When the flasher program is running, the c6 register map (read via |
When the flasher program is running, the c6 register map (read via |
||
− | <tt>mcr p15, 0, r0, c6, cM</tt> and interpreted based on [http://infocenter.arm.com/help/topic/com.arm.doc.ddi0201d/I1039570.html ARM946 protection region registers]). |
+ | <tt>mcr p15, 0, r0, c6, cM</tt> and interpreted based on [http://infocenter.arm.com/help/topic/com.arm.doc.ddi0201d/I1039570.html ARM946 protection region registers]). Data/Instr permissions (<tt>mcr p15, 0, r0, c5, c0, 2</tt> and <tt>mcr p15, 0, r0, c5, c0, 3</tt>) both eq 0x03333333, which is user and system read/write to all regions. |
{|border=1 |
{|border=1 |
||
Line 92: | Line 95: | ||
! Notes |
! Notes |
||
|- |
|- |
||
− | | c6,c0 || 0x0000003f || 0x00000000 || 4 GB (?) || |
+ | | c6,c0 || 0x0000003f || 0x00000000 || 4 GB (?) || |
|- |
|- |
||
| c6,c1 || 0x0000003d || 0x00000000 || 2 GB (?) |
| c6,c1 || 0x0000003d || 0x00000000 || 2 GB (?) |
||
Line 118: | Line 121: | ||
==Available firmware dumps & updates== |
==Available firmware dumps & updates== |
||
− | *EOS 5D Mark II fw ''' |
+ | *EOS 5D Mark II fw '''1.1.0''' -- http://web.canon.jp/imaging/eosd/firm-e/eos5dmk2/firmware.html |
− | Firmware |
+ | Firmware version 1.1.0 adds full manual control to video shooting and fixes a few bugs |
+ | |||
− | *http://www.dpreview.com/news/0905/09052701canon5dmarkiifirmware.asp |
||
+ | fileLen = 0x92224c |
||
− | *http://www.canonrumors.com/2009/05/canon-announces-update-for-eos-5d-mark-ii/ |
||
+ | ---.fir header--- |
||
+ | 0x000: modelId = 0x80000218, (5D Mark II, DryOS) |
||
+ | 0x010: version = 1.1.0 |
||
+ | 0x020: checksum = 0xb7384f65 |
||
+ | 0x024: updater1 header = 0xb0 |
||
+ | 0x028: updater1 offset = 0x120 |
||
+ | 0x02c: updater2 offset = 0xffffffff |
||
+ | 0x030: firmware offset = 0x1a0cd0 |
||
+ | 0x034: 0xffffffff |
||
+ | 0x038: embedded file size = 0x92224c |
||
+ | 0x03c: 0x0 |
||
+ | 0x040: sha1 seed = 0x9d6fd907 |
||
+ | 0x044: 0x00000004 0x00000000 0x00000020 0x00000024 0x00000044 0x000000b0 0x001a0c20 |
||
+ | 0x060: 0x1a0cd0 |
||
+ | 0x064: firmware length = 0x78157c |
||
+ | 0x068: updater1 hmac-sha1 = 628b5312662b43592dd23ade1e93e0cf922d8aea |
||
+ | 0x088: firmware hmac-sha1 = 63447a6a31673aff18d2ef0fe76afead2635ce6d |
||
+ | ---updater1 header--- |
||
+ | 0x0b0: updater1 length = 0x1a0bb0. starts at 0x120 |
||
+ | 0x0b4: 0x1a0ba4 |
||
+ | 0x0b8: 0x0 |
||
+ | 0x0bc: xor seed value = 0x348e2ce8 |
||
+ | 0x120: --- updater1 (ciphered) --- |
||
+ | ---firmware header--- |
||
+ | 0x1a0cd0: (+0x000), offset to decryption data = 0xc |
||
+ | 0x1a0cd4: (+0x004), offset to encrypted data = 0x7c. starts at 0x1a0cd0 |
||
+ | 0x1a0cd8: (+0x008), total firmware length (including header) = 0x78157c. starts at 0x1a0cd0 |
||
+ | 0x1a0cdc: (+0x00c), firmware length (encrypted part) = 0x781500. starts at 0x1a0d4c |
||
+ | ---firmware (encrypted)--- |
||
+ | 0x1a0d4c: (+0x07c) |
||
+ | |||
+ | ==Magic Lantern support== |
||
+ | |||
+ | Magic Lantern is now widely accepted as the replacement for CHDK on the 5D mark II. |
||
+ | * [http://magiclantern.wikia.com Magic Lantern Firmware] |
||
[[Category:Cameras]] |
[[Category:Cameras]] |
||
[[Category:DSLR]] |
[[Category:DSLR]] |
Latest revision as of 21:09, 12 November 2011
The 5D Mark II is NOT ported yet, there is NO CHDK available for this camera. |
Processor: | Digic IV image processor |
---|---|
OS: | DryOS |
Sensor: | 36x24 mm CMOS |
Resolution: | 21.1 megapixel |
Lens: | SLR
|
Misc: | 1080p HD video at 30 fps |
Firmware progress
- The Magic Lantern firmware provides many CHDK like functions for the camera.
- 1.0.7 Firmware updater has been decrypted with dissect_fw3.2 forum discussion
- 1.1.0 Firmware has been dumped and custom init task is running
- ROM has been dumped: forum discussion
- Many DryOS functions have been mapped
- FAT16 bootable SD card does not seem to work -- perhaps volume must be EOS_DEVELOP? (0xffff50d0 compares against it and BOOTDISK)
- Trampoline / shim code has been run through the firmware update routine to allow user task creation. TaskSleep() has not been found, so the user tasks consume all of the CPU.
- User firmware runs! It doesn't do much yet, but it is a start.
- DryOS structures has details on internals
- Onscreen audio meters are working
- Zebra stripes are also working
CPU info
- CPU ID 0x41059461: "A", variant 0, arch 5, part 946 rev 1
- Cache type 0x0f112112: unified cache, isize/dsize 32 byte cache lines, 4 way associative, 8 KB total
- Cache setup 0x0005107d:
- MMU enabled
- Alignment fault disables
- Cache enabled
- Big-endian operation
- System protection = 0
- ROM protection = 0
- I-cache enabled
- Exception vectors at 0x00000000
- Random cache replacement
- L4 bit unset
Memory maps
- 0xFF80_0000 - 0xFFFF_FFFF:
RAMROM image of DryOS and code (copied from ROM0 at boot) - 0xF800_0000 - 0xF880_0000: ROM0 image of DryOS (alias of 0xFF80_0000?)
- 0xF000_0000 - 0xF080_0000: ROM1 image (strings, bitmaps and other stuff?)
- 0x4000_0000: 32 KB Tightly-coupled memory region?
- 0x0080_0000: Flasher code load address
- 0x0000_0000: Reset vectors
- 0x0000_0480: Reset routine? Copied from 0xFF812B30 to 0x480 at startup
- 0x0027_F000: Interrupt handler stack
- 0x0002_0740: Interrupt handler context buffer
- 0x0000_0664: Some sort pointer to a kernel structure
- 0xC000_0000: Memory mapped device?
- 0x0000_1900, 0x1928: Last panic code?
- 0x0000_2DC8: A kernel structure copied from the stack
Control registers
c1,c0,0: 0005107d // control register c2,c0,0: 00000070 // data cache bits c2,c0,1: 00000070 // inst cache bits c3,c0,0: 00000070 // data buffer bits c3,c0,1: 00000000 // inst buffer bits c5,c0,2: 03333333 // extended data access bits c5,c0,3: 03333333 // extended inst access bits c6,c0,0: 0000003f // region 0 c6,c1,0: 0000003d // region 1 c6,c2,0: e0000039 // region 2 c6,c3,0: c0000039 // region 3 c6,c4,0: ff80002d // region 4 c6,c5,0: 00000039 // region 5 c6,c6,0: f780002d // region 6 c6,c7,0: 00000000 // region 7
When the flasher program is running, the c6 register map (read via mcr p15, 0, r0, c6, cM and interpreted based on ARM946 protection region registers). Data/Instr permissions (mcr p15, 0, r0, c5, c0, 2 and mcr p15, 0, r0, c5, c0, 3) both eq 0x03333333, which is user and system read/write to all regions.
Register | Value | Base | Size | Notes |
---|---|---|---|---|
c6,c0 | 0x0000003f | 0x00000000 | 4 GB (?) | |
c6,c1 | 0x0000003d | 0x00000000 | 2 GB (?) | |
c6,c2 | 0xe0000039 | 0xE0000000 | 512 MB | Covers DMA area? |
c6,c3 | 0x000000fe | Not enabled | -- | |
c6,c4 | 0xff80002d | 0xFF800000 | 8 MB | RAM image? |
c6,c5 | 0x00000039 | 0x00000000 | 512 MB | |
c6,c6 | 0xf780002d | 0xF7800000 | 8 MB | ROM image? |
c6,c7 | 0x00000000 | Not enabled | -- |
- Startup at 0xFF81_0000, jumps to 0xFF81_000C
- Data segment or config? 0x1900 - 0x20740
- BSS? 0x20740 - 0x47750
Events and properties
See DryOS structures for more details.
Available firmware dumps & updates
- EOS 5D Mark II fw 1.1.0 -- http://web.canon.jp/imaging/eosd/firm-e/eos5dmk2/firmware.html
Firmware version 1.1.0 adds full manual control to video shooting and fixes a few bugs
fileLen = 0x92224c ---.fir header--- 0x000: modelId = 0x80000218, (5D Mark II, DryOS) 0x010: version = 1.1.0 0x020: checksum = 0xb7384f65 0x024: updater1 header = 0xb0 0x028: updater1 offset = 0x120 0x02c: updater2 offset = 0xffffffff 0x030: firmware offset = 0x1a0cd0 0x034: 0xffffffff 0x038: embedded file size = 0x92224c 0x03c: 0x0 0x040: sha1 seed = 0x9d6fd907 0x044: 0x00000004 0x00000000 0x00000020 0x00000024 0x00000044 0x000000b0 0x001a0c20 0x060: 0x1a0cd0 0x064: firmware length = 0x78157c 0x068: updater1 hmac-sha1 = 628b5312662b43592dd23ade1e93e0cf922d8aea 0x088: firmware hmac-sha1 = 63447a6a31673aff18d2ef0fe76afead2635ce6d ---updater1 header--- 0x0b0: updater1 length = 0x1a0bb0. starts at 0x120 0x0b4: 0x1a0ba4 0x0b8: 0x0 0x0bc: xor seed value = 0x348e2ce8 0x120: --- updater1 (ciphered) --- ---firmware header--- 0x1a0cd0: (+0x000), offset to decryption data = 0xc 0x1a0cd4: (+0x004), offset to encrypted data = 0x7c. starts at 0x1a0cd0 0x1a0cd8: (+0x008), total firmware length (including header) = 0x78157c. starts at 0x1a0cd0 0x1a0cdc: (+0x00c), firmware length (encrypted part) = 0x781500. starts at 0x1a0d4c ---firmware (encrypted)--- 0x1a0d4c: (+0x07c)
Magic Lantern support
Magic Lantern is now widely accepted as the replacement for CHDK on the 5D mark II.