A430
From CHDK Wiki
Following the example of the A530 page, everything that might be useful for a port of CHDK to A430 should be posted here.
Contents |
[edit] Firmware info
[edit] Version
The trick with the ver.req file works on the A430 as well, but we don't know the result. It should look something like this:
Canon PowerShot A430 P-ID:30F8 PAL Firmware Ver GM1.00B
Pressing DISP button again results in:
Canon PowerShot A430 P-ID:30F8 PAL Adj Ver.005.001
The number P-ID:XXXX is a hexadecimal code for the platform version id.
Platform codes for other models can be looked up under P-ID.
[edit] Hardware info
[edit] Memory map
Following information is probably generic to other models (A5xx, A6xx, A7xx series)
[edit] Firmware flash
0xff800000: firmware flash data (probably)
0xffc00000: mirror copy of firmware flash? (to be determined)
[edit] LED
0xc0220080: 0x46 enables orange focus assist LED, 0x44 disables it
0xc0220084: 0x46 enables blue print LED, 0x44 disables it
[edit] Blinker Firmware
The blinker method was used to dump the firmware.
[edit] Blinker Firmware compilation
A blinker firmware was compiled using yagarto. In the XXXX.c file, the firmware ID must be replaced by the one given obtained via ver.req (XXX). If cygwin is installed on your computer, in make.bat, replace
zero | dd bs=1k count=100 >> main
by the following two lines:
c:\cygwin\bin\dd.exe bs=1k count=100 if=/dev/zero of=main.zero
c:\cygwin\bin\cat.exe main.zero >> main
[edit] Firmware dump
It seems that the fastest speed (AF assist LED) is not an option for dumping the firmware. At that speed, the waveform is distorted and may not be decoded (see screenshot). Instead, the blue LED at the back of the camera was used to output the firmware, and an active circuit based around the YY66W phototransistor was used to read the firmware out.
You can get a dump made with udumper from here: http://www.zshare.net/download/979592221ca65e/
[edit] Phototransistor active circuit
The PC's microphone input has a 2.34V rail available on one of the channels, so I tried a few powered circuit (both photodiode and phototransistor). They give a much larger signal, but the shape of the signal still differs from the ones given as example.
The test circuit uses a small piece of breadboard. Bottom side has two rows of 3 tulip sockets. This is where I plug-in my phototransistors and filter cap. Top side has three rows of 3 tulip sockets. The one away from the cable, I plug my 1k trim in. The other two are used for bridging the circuit with the computer. These can be removed and replaced by filtering caps if needed.
 |
 |
 |
|
|
 |
 |
The trimmer (blue on the photo above) has one of its legs bent so that it doesn't make contact. The two legs making contact with the circuit are the one under the screw and the middle one. The red component is a 1μF ceramic cap used to filter the output (see screenshots below).
[edit] Firmware recording using audacity
I am now trying for the blue LED with slower transfer speed. I used my amplified circuit and tried both the S1226-8BQ photodiode, YY66W (IR) and SFH300-3 phototransistors. Surprisingly enough, the IR phototransistor is the one that gives the largest signal (see screenshots). With a lower transfer speed, I now get the waveform I was expecting.
The effect of the 1μF cap is shown in screenshot 2 (screenshot 1 is without). The signal amplitude is more constant and will (probably) result in fewer decoding errors.
All in all, it now looks like I should be able to get a firmware dump.
