CHDK Wiki

Available firmware dumps & updates

  • EOS 7D fw 1.0.9 (19 Oct 2009)
  • EOS 7D fw 1.1.0 (5 Nov 2009)
  • EOS 7D fw 1.2.2 (27 Jul 2010)
  • EOS 7D fw 1.2.3 (25 Nov 2010)
  • EOS 7D fw 1.2.5 (26 Apr 2011)

-- http://web.canon.jp/imaging/eosd/firm-e/eos7d/firmware.html

-- http://www.usa.canon.com/cusa/consumer/products/cameras/slr_cameras/eos_7d#DriversAndSoftware


-- All older fw updates: http://pel.hu/down

.fir file format

(7d000110.fir)
---.fir header---
0x000: modelId = 0x80000250, (7D, DryOS)
0x010: version = 1.1.0
0x020: checksum = 0x9e567c55
0x024: updater1 header = 0xb0
0x028: updater1 offset = 0x120
0x02c: updater2 offset = 0x1c0990
0x030: firmware offset = 0x22e220
0x034: 0xffffffff
0x038: embedded file size = 0xc41dac
0x03c: 0x0
0x040: seed = 0xdf820045
0x044: 0x00000004 0x00000000 0x00000020 0x00000024 0x00000044 0x000000b0 0x0022e170
0x060: 0x22e220
0x064: firmware length = 0xa13b8c
0x068: updater1 hmac-sha1 = 57a68fcbf5782d9c66cb43e270e1277c80ca7a58
0x088: firmware hmac-sha1 = bb800392221fc64d4a4751ec2b625c167ab96a2e
---updater1 header---
0x0b0: updater1 length = 0x1c0870. starts at 0x120
0x0b4: 0x1c086c
0x0b8: 0x0
0x0bc: xor seed value = 0x4106d571
0x120: --- updater1 (ciphered) ---
---updater2 header---
0x1c0990: (+0x000), modelId = 0x80000250, (7D, DryOS)
0x1c09a0: (+0x010), version = 1.1.0
0x1c09b0: (+0x020), checksum? = 0xfd568ee7
0x1c09b4: (+0x024), 0xb0
0x1c09b8: (+0x028), 0x120
0x1c09bc: (+0x02c), ffffffff ffffffff ffffffff
0x1c09c8: (+0x038), updater length (including header) = 0x6d890. starts at 0x1c0990
0x1c0a40: (+0x0b0), updater length = 0x6d770. starts at 0x1c0ab0
0x1c0a44: (+0x0b4), 0x6d764
0x1c0a48: (+0x0b8), 0x0
0x1c0b6c: (+0x0bc), xor seed value = 0x6a9e6180
0x1c0ab0: (+0x120), --- updater2 (ciphered) ---
---firmware header---
0x22e220: (+0x000), 0xc
0x22e224: (+0x004), offset to encrypted data = 0x7c. starts at 0x22e220
0x22e228: (+0x008), total firmware length (including header) = 0xa13b8c. starts at 0x22e220
0x22e22c: (+0x00c), firmware length (encrypted part) = 0xa13b10. starts at 0x22e29c
---firmware (encrypted)---
0x22e29c: (+0x07c)

Memory settings

The code at FFFF0000 starts with some initialization of the CP15 registers:

c1,c0,0: c005107d // control register
c2,c0,0: 00000030 // data cache bits (enable on area 4, area 5)
c2,c0,1: 00000030 // inst cache bits (enable on area 4, area 5)
c3,c0,0: 00000030 // data buffer bits (enable on area 4, area 5)
c5,c0,0: 00003fff // standard data access bits (read/write access for all area)
c5,c0,1: 00003fff // standard instruction access bits (read/write access for all area)
c6,c0,0: 0000003f // region 0
c6,c1,0: 0000003d // region 1
c6,c2,0: e0000039 // region 2
c6,c3,0: c0000000 // region 3
c6,c4,0: ff80002f // region 4
c6,c5,0: 00000039 // region 5
c6,c6,0: 80000000 // region 6

Control register bits:

bit    value           meaning
31:20  1100 0000 0000  Reserved (SBZ)
19     0               Instruction RAM load mode
18     1               Instruction RAM enable
17     0               Data RAM load mode
16     1               Data RAM enable
15     0               Configure disable loading TBIT
14     0               Round-robin replacement
13     0               Alternate vector select
12     1               ICache enable
11:8   0000            Reserved (SBZ)
7      0               Big-endian
6:3    1111            Reserved (SBO)
2      1               DCache enable
1      0               Reserved (SBZ)
0      1               Protection unit enable

The c6 register map (read via mrc p15, 0, r0, c6, cM and interpreted according to the ARM946 protection region register format):

Register  Value       Base         Size    Notes
c6,c0     0x0000003F  0x00000000   4 GB    (?)
c6,c1     0x0000003D  0x00000000   2 GB    (?)
c6,c2     0xE0000039  0xE0000000   512 MB  Covers DMA area?
c6,c3     0xC0000000  Not enabled  --
c6,c4     0xFF80002F  0xFF800000   16 MB   (?)
c6,c5     0x00000039  0x00000000   512 MB
c6,c6     0x80000000  Not enabled  --
  • Startup at 0xFF01_0000, jumps to 0xFF01_000C

Credits

.Fir file format

Previous credits must go to "emklap" from CHDK and to the "canondigicamhacking" people (as seen here).


Memory Map
