Latest revision as of 22:31, 31 May 2011

Available firmware dumps & updates

EOS 7D fw 1.0.9 (19 Oct 2009)
EOS 7D fw 1.1.0 (5 Nov 2009)
EOS 7D fw 1.2.2 (27 Jul 2010)
EOS 7D fw 1.2.3 (25 Nov 2010)
EOS 7D fw 1.2.5 (26 Apr 2011)

-- http://web.canon.jp/imaging/eosd/firm-e/eos7d/firmware.html

-- http://www.usa.canon.com/cusa/consumer/products/cameras/slr_cameras/eos_7d#DriversAndSoftware

-- All older fw updates: http://pel.hu/down

.fir file format

(7d000110.fir)
---.fir header---
0x000: modelId = 0x80000250, (7D, DryOS)
0x010: version = 1.1.0
0x020: checksum = 0x9e567c55
0x024: updater1 header = 0xb0
0x028: updater1 offset = 0x120
0x02c: updater2 offset = 0x1c0990
0x030: firmware offset = 0x22e220
0x034: 0xffffffff
0x038: embedded file size = 0xc41dac
0x03c: 0x0
0x040: seed = 0xdf820045
0x044: 0x00000004 0x00000000 0x00000020 0x00000024 0x00000044 0x000000b0 0x0022e170
0x060: 0x22e220
0x064: firmware length = 0xa13b8c
0x068: updater1 hmac-sha1 = 57a68fcbf5782d9c66cb43e270e1277c80ca7a58
0x088: firmware hmac-sha1 = bb800392221fc64d4a4751ec2b625c167ab96a2e
---updater1 header---
0x0b0: updater1 length = 0x1c0870. starts at 0x120
0x0b4: 0x1c086c
0x0b8: 0x0
0x0bc: xor seed value = 0x4106d571
0x120: --- updater1 (ciphered) ---
---updater2 header---
0x1c0990: (+0x000), modelId = 0x80000250, (7D, DryOS)
0x1c09a0: (+0x010), version = 1.1.0
0x1c09b0: (+0x020), checksum? = 0xfd568ee7
0x1c09b4: (+0x024), 0xb0
0x1c09b8: (+0x028), 0x120
0x1c09bc: (+0x02c), ffffffff ffffffff ffffffff
0x1c09c8: (+0x038), updater length (including header) = 0x6d890. starts at 0x1c0990
0x1c0a40: (+0x0b0), updater length = 0x6d770. starts at 0x1c0ab0
0x1c0a44: (+0x0b4), 0x6d764
0x1c0a48: (+0x0b8), 0x0
0x1c0b6c: (+0x0bc), xor seed value = 0x6a9e6180
0x1c0ab0: (+0x120), --- updater2 (ciphered) ---
---firmware header---
0x22e220: (+0x000), 0xc
0x22e224: (+0x004), offset to encrypted data = 0x7c. starts at 0x22e220
0x22e228: (+0x008), total firmware length (including header) = 0xa13b8c. starts at 0x22e220
0x22e22c: (+0x00c), firmware length (encrypted part) = 0xa13b10. starts at 0x22e29c
---firmware (encrypted)---
0x22e29c: (+0x07c)

Memory settings

FFFF0000 starts some initialization:

c1,c0,0: c005107d // control register
c2,c0,0: 00000030 // data cache bits (enable on area 4, area 5)
c2,c0,1: 00000030 // inst cache bits (enable on area 4, area 5)
c3,c0,0: 00000030 // data buffer bits (enable on area 4, area 5)
c5,c0,0: 00003fff // standard data access bits (read/write access for all area)
c5,c0,1: 00003fff // standard instruction access bits (read/write access for all area)
c6,c0,0: 0000003f // region 0
c6,c1,0: 0000003d // region 1
c6,c2,0: e0000039 // region 2
c6,c3,0: c0000000 // region 3
c6,c4,0: ff80002f // region 4
c6,c5,0: 00000039 // region 5
c6,c6,0: 80000000 // region 6

Control register bits:

bit	value	meaning
31:20	1100 0000 0000	Reserved (SBZ)
19	0	Instruction RAM load mode
18	1	Instruction RAM enable
17	0	Data RAM load mode
16	1	Data RAM enable
15	0	Configure disable loading TBIT
14	0	Round-robin replacement
13	0	Alternate vector select
12	1	ICache enable
11:8	0000	Reserved (SBZ)
7	0	Big-endian
6:3	1111	Reserved (SBO)
2	1	DCache enable
1	0	Reserved (SBZ)
0	1	Protection unit enable

The c6 register map (read via&nbsp mcr p15, 0, r0, c6, cM and interpreted based on ARM946 protection region registers).

Register	Value	Base	Size	Notes
c6,c0	0x0000003F	0x00000000	4 GB (?)
c6,c1	0x0000003D	0x00000000	2 GB (?)
c6,c2	0xE0000039	0xE0000000	512 MB	Covers DMA area?
c6,c3	0xC0000000	Not enabled	--
c6,c4	0xFF80002F	0xFF800000	16 MB	(?)
c6,c5	0x00000039	0x00000000	512 MB
c6,c6	0x80000000	Not enabled	--

Startup at 0xFF01_0000, jumps to 0xFF01_000C

Credits

.Fir file format

Previous credits must go to

Trammell "MasterYoda" Hudson (31Oct2009)

"emklap" from CHDK:

and to "canondigicamhacking" people (as seen here)

Memory Map

Memory Map page on Magic Lantern Wiki (Arm.Indy, 12May2010)
MagicLantern 7D Firmware Support

@@ Line 2: / Line 2: @@
 *EOS 7D fw '''1.0.9''' (19 Oct 2009)
 *EOS 7D fw '''1.1.0''' (5 Nov 2009)
+*EOS 7D fw '''1.2.2''' (27 Jul 2010)
+*EOS 7D fw '''1.2.3''' (25 Nov 2010)
+*EOS 7D fw '''1.2.5''' (26 Apr 2011)
 -- http://web.canon.jp/imaging/eosd/firm-e/eos7d/firmware.html
+-- http://www.usa.canon.com/cusa/consumer/products/cameras/slr_cameras/eos_7d#DriversAndSoftware
+-- All older fw updates: http://pel.hu/down
 = .fir file format =
@@ Line 52: / Line 61: @@
 = Memory settings =
+FFFF0000 starts some initialization:
 <pre>
-c1,c0,0: c1,c0,0 OR c000107d // control register
+c1,c0,0: c005107d // control register
-c2,c0,0: 00000030 // data cache bits
+c2,c0,0: 00000030 // data cache bits (enable on area 4, area 5)
-c2,c0,1: 00000030 // inst cache bits
+c2,c0,1: 00000030 // inst cache bits (enable on area 4, area 5)
-c3,c0,0: 00000030 // data buffer bits
+c3,c0,0: 00000030 // data buffer bits (enable on area 4, area 5)
-c5,c0,0: 00003fff // extended data access bits
+c5,c0,0: 00003fff // standard data access bits (read/write access for all area)
-c5,c0,1: 00003fff // extended inst access bits
+c5,c0,1: 00003fff // standard instruction access bits (read/write access for all area)
 c6,c0,0: 0000003f // region 0
 c6,c1,0: 0000003d // region 1
@@ Line 79: / Line 90: @@
 | 19 || 0 || Instruction RAM load mode
 |-
-| 18 || 0 || Instruction RAM enable
+| 18 || 1 || '''Instruction RAM enable'''
 |-
 | 17 || 0 || Data RAM load mode
 |-
-| 16 || 0 || Data RAM enable
+| 16 || 1 || '''Data RAM enable'''
 |-
 | 15 || 0 || Configure disable loading TBIT
@@ Line 105: / Line 116: @@
 | 0 || 1 || '''Protection unit enable'''
 |}
-When the flasher program is running, the c6 register map (read via
+The c6 register map (read via&nbsp
 <tt>mcr p15, 0, r0, c6, cM</tt> and interpreted based on [http://infocenter.arm.com/help/topic/com.arm.doc.ddi0201d/I1039570.html ARM946 protection region registers]).
@@ Line 121: / Line 132: @@
 | c6,c2 || 0xE0000039 || 0xE0000000 || 512 MB || Covers DMA area?
 |-
-| c6,c3 || 0xc0000000 || Not enabled || --
+| c6,c3 || 0xC0000000 || Not enabled || --
 |-
 | c6,c4 || 0xFF80002F || 0xFF800000 || 16 MB || (?)
@@ Line 131: / Line 142: @@
 * Startup at <tt>0xFF01_0000</tt>, jumps to <tt>0xFF01_000C</tt>
-* Data segment or config? <tt>0x1900 - 0x20740</tt>
-* BSS? <tt>0x20740 - 0x47750</tt>
 = Credits =
+===.Fir file format===
 Previous credits must go to
@@ Line 145: / Line 155: @@
 * [http://tech.groups.yahoo.com/group/canondigicamhacking/message/5726 20d encryption (31 may 2005, alex_polushin)]
 * [http://tech.groups.yahoo.com/group/canondigicamhacking/message/7883 40D firmware decryption (20 dec 2007, soldeersmurfje)]
+===Memory Map===
+*[http://magiclantern.wikia.com/wiki/Memory_map Memory Map page on Magic Lantern Wiki] (Arm.Indy, 12May2010)
+*[http://magiclantern.wikia.com/wiki/7D_support MagicLantern 7D Firmware Support]
+[[Category:Cameras]]
+[[Category:DSLR]]

Changes: 7D