Revision as of 18:30, 13 May 2010

Memory map notes (from the wiki diff view of this section):

  • Data segment or config? 0x1900 - 0x20740
  • BSS? 0x20740 - 0x47750

Available firmware dumps & updates

  • EOS 7D fw 1.0.9 (19 Oct 2009)
  • EOS 7D fw 1.1.0 (5 Nov 2009)

-- http://web.canon.jp/imaging/eosd/firm-e/eos7d/firmware.html

.fir file format

(7d000110.fir)
---.fir header---
0x000: modelId = 0x80000250, (7D, DryOS)
0x010: version = 1.1.0
0x020: checksum = 0x9e567c55
0x024: updater1 header = 0xb0
0x028: updater1 offset = 0x120
0x02c: updater2 offset = 0x1c0990
0x030: firmware offset = 0x22e220
0x034: 0xffffffff
0x038: embedded file size = 0xc41dac
0x03c: 0x0
0x040: seed = 0xdf820045
0x044: 0x00000004 0x00000000 0x00000020 0x00000024 0x00000044 0x000000b0 0x0022e170
0x060: 0x22e220
0x064: firmware length = 0xa13b8c
0x068: updater1 hmac-sha1 = 57a68fcbf5782d9c66cb43e270e1277c80ca7a58
0x088: firmware hmac-sha1 = bb800392221fc64d4a4751ec2b625c167ab96a2e
---updater1 header---
0x0b0: updater1 length = 0x1c0870. starts at 0x120
0x0b4: 0x1c086c
0x0b8: 0x0
0x0bc: xor seed value = 0x4106d571
0x120: --- updater1 (ciphered) ---
---updater2 header---
0x1c0990: (+0x000), modelId = 0x80000250, (7D, DryOS)
0x1c09a0: (+0x010), version = 1.1.0
0x1c09b0: (+0x020), checksum? = 0xfd568ee7
0x1c09b4: (+0x024), 0xb0
0x1c09b8: (+0x028), 0x120
0x1c09bc: (+0x02c), ffffffff ffffffff ffffffff
0x1c09c8: (+0x038), updater length (including header) = 0x6d890. starts at 0x1c0990
0x1c0a40: (+0x0b0), updater length = 0x6d770. starts at 0x1c0ab0
0x1c0a44: (+0x0b4), 0x6d764
0x1c0a48: (+0x0b8), 0x0
0x1c0b6c: (+0x0bc), xor seed value = 0x6a9e6180
0x1c0ab0: (+0x120), --- updater2 (ciphered) ---
---firmware header---
0x22e220: (+0x000), 0xc
0x22e224: (+0x004), offset to encrypted data = 0x7c. starts at 0x22e220
0x22e228: (+0x008), total firmware length (including header) = 0xa13b8c. starts at 0x22e220
0x22e22c: (+0x00c), firmware length (encrypted part) = 0xa13b10. starts at 0x22e29c
---firmware (encrypted)---
0x22e29c: (+0x07c)
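As an added example (not code from the CHDK wiki or from Canon), the following Python parses the fixed .fir header fields at the offsets listed above and checks that the updater1, updater2 and firmware sections chain together without gaps or overlaps (a quick sanity check before trusting a dump). It assumes little-endian 32-bit fields and a NUL-padded ASCII version string; the sample buffer is constructed from the 7d000110.fir values above and is not a real firmware file.

```python
import struct

HEADER_LEN = 0xb0  # fixed .fir header size (layout above); words assumed little-endian (assumption)

def u32(data: bytes, off: int) -> int:
    return struct.unpack_from("<I", data, off)[0]

def parse_fir_header(data: bytes) -> dict:
    """Pull the named fields out of the fixed .fir header at the offsets documented above."""
    if len(data) < HEADER_LEN:
        raise ValueError("truncated .fir header")
    return {
        "model_id": u32(data, 0x000),
        # the 16-byte version field is assumed to be NUL-padded ASCII (assumption)
        "version": data[0x010:0x020].split(b"\0", 1)[0].decode("ascii", "replace"),
        "checksum": u32(data, 0x020),
        "updater1_header": u32(data, 0x024),
        "updater1_offset": u32(data, 0x028),
        "updater2_offset": u32(data, 0x02c),
        "firmware_offset": u32(data, 0x030),
        "embedded_size": u32(data, 0x038),
        "seed": u32(data, 0x040),
        "firmware_length": u32(data, 0x064),
        "updater1_hmac": data[0x068:0x07c].hex(),
        "firmware_hmac": data[0x088:0x09c].hex(),
    }

def check_layout(data: bytes) -> list:
    """Check that each section ends exactly where the next one starts; returns a list of problems."""
    h = parse_fir_header(data)
    upd1_len = u32(data, h["updater1_header"])          # updater1 header, +0x000
    upd2_len = u32(data, h["updater2_offset"] + 0x038)   # updater2 header, +0x038 (incl. header)
    chain = [("updater1", h["updater1_offset"] + upd1_len, h["updater2_offset"]),
             ("updater2", h["updater2_offset"] + upd2_len, h["firmware_offset"]),
             ("firmware", h["firmware_offset"] + h["firmware_length"], h["embedded_size"])]
    return [f"{name} ends at {end:#x} but next section starts at {nxt:#x}"
            for name, end, nxt in chain if end != nxt]

def build_sample() -> bytes:
    """Constructed stand-in for 7d000110.fir: only the header fields listed above are filled in."""
    buf = bytearray(0x1c0990 + 0x40)  # long enough to reach the updater2 length field
    struct.pack_into("<I", buf, 0x000, 0x80000250)
    buf[0x010:0x015] = b"1.1.0"
    struct.pack_into("<9I", buf, 0x020, 0x9e567c55, 0xb0, 0x120, 0x1c0990,
                     0x22e220, 0xffffffff, 0xc41dac, 0, 0xdf820045)
    struct.pack_into("<I", buf, 0x064, 0xa13b8c)
    buf[0x068:0x07c] = bytes.fromhex("57a68fcbf5782d9c66cb43e270e1277c80ca7a58")
    struct.pack_into("<I", buf, 0x0b0, 0x1c0870)            # updater1 length
    struct.pack_into("<I", buf, 0x1c0990 + 0x038, 0x6d890)  # updater2 length (incl. header)
    return bytes(buf)
```

With the values from the listing above, check_layout returns an empty list: 0x120 + 0x1c0870 = 0x1c0990, 0x1c0990 + 0x6d890 = 0x22e220 and 0x22e220 + 0xa13b8c = 0xc41dac, the embedded file size.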

Memory settings

c1,c0,0: c1,c0,0 OR c000107d // control register
c2,c0,0: 00000030 // data cache bits (enable on area 4, area 5)
c2,c0,1: 00000030 // inst cache bits (enable on area 4, area 5)
c3,c0,0: 00000030 // data buffer bits (enable on area 4, area 5)
c5,c0,0: 00003fff // standard data access bits (read/write access for all area)
c5,c0,1: 00003fff // standard instruction access bits (read/write access for all area)
c6,c0,0: 0000003f // region 0
c6,c1,0: 0000003d // region 1
c6,c2,0: e0000039 // region 2
c6,c3,0: c0000000 // region 3
c6,c4,0: ff80002f // region 4
c6,c5,0: 00000039 // region 5
c6,c6,0: 80000000 // region 6

Control register bits:

bit    value           meaning
31:20  1100 0000 0000  Reserved (SBZ)
19     0               Instruction RAM load mode
18     0               Instruction RAM enable
17     0               Data RAM load mode
16     0               Data RAM enable
15     0               Configure disable loading TBIT
14     0               Round-robin replacement
13     0               Alternate vector select
12     1               ICache enable
11:8   0000            Reserved (SBZ)
7      0               Big-endian
6:3    1111            Reserved (SBO)
2      1               DCache enable
1      0               Reserved (SBZ)
0      1               Protection unit enable

When the flasher program is running, the c6 registers read back as follows (read with mrc p15, 0, r0, c6, cM, 0 and interpreted as ARM946 protection region registers: bit 0 enables the region, bits 5:1 encode the region size as 2^(N+1) bytes, and the upper bits hold the base address).

Register  Value       Base         Size         Notes
c6,c0     0x0000003F  0x00000000   4 GB         (?)
c6,c1     0x0000003D  0x00000000   2 GB         (?)
c6,c2     0xE0000039  0xE0000000   512 MB       Covers DMA area?
c6,c3     0xC0000000  Not enabled  --
c6,c4     0xFF80002F  0xFF800000   16 MB        (?)
c6,c5     0x00000039  0x00000000   512 MB
c6,c6     0x80000000  Not enabled  --
  • Startup at 0xFF01_0000, jumps to 0xFF01_000C

Credits

Credit for earlier work goes to "emklap" from CHDK and to the "canondigicamhacking" people.