Muttley.bd (talk | contribs) |
Muttley.bd (talk | contribs) |
||
| Line 287: | Line 287: | ||
'''NOTE''': sorry for my english...I'm illiterate Italian man :) |
'''NOTE''': sorry for my english...I'm illiterate Italian man :) |
||
| + | == End Porting...but don't Run == |
||
| − | == [good] people == |
||
| + | I'm at the End of the porting (i think) but it don't wan't run... |
||
| − | :I own an A550, and offer my time for testing, to anyone who succeed in get the firmware... ( idleloop-at-hotmail+dot+com) |
||
| + | |||
| − | :I also own a A550, and would be glad to offer testing time on it. (jarodthelinuxguy -at- gmail -dot- com) |
||
| + | ...if someone have any idea, He will become my God and I'll be his slave! |
||
Revision as of 18:18, 14 January 2008
Firmware info
Version
The trick with the ver.req file works on the A550 as well, with the following result:
Canon PowerShot A550 P-ID:3150 PAL V firmware ver GM1.00C No error Dec 4 2006 07:46:45
Memory map
Tested on A550 with blink G7 firmware dump.
Led
0xc0220080: AF beam: (0x46 ON - 0x44 OFF) 0xc0220084: blue print: (0x46 ON - 0x44 OFF) 0xc0220088: viewfinder orange: (0x46 ON - 0x44 OFF)
Blinker Firmware compilation
Serial port download solution is the choice for dump firmware.
Blink G7 source code (main.c) must be modified in according with led memory map
long* led=(long*)0xc0220080;
The blink G7 firmware was compiled using cygwin in the pack 'ready-to-use' environment downloadable here.
Before compile must be edit the last row of the make.bat.
pakwif PS.FIR main 0x3150
where 0x3150 is the P-ID viewed with ver.req trick.
Firmware is dumped
I have made dump from 0xFFC00000 to 0xFFFFFFFF, and this is the result: Firmware A550 100c
NOTE: mhhhh...I see that not any others firmware is 4 Mbyte...to think and to think... EUREKA!!! :)
Raw Firmware Dump is 4 Mbyte as 0x3FFFFF...dumped with photo-transistor.
If you do:
[0xFFEEB4D0 (data_src) + 0xB540 (data_len) - 0xFFC00000 (start firmware address)]
the result is the real firmware lenght!
0x2F6A10 - in my case
Well, I had trimmed the last part of the file.
Compile the CHDK
First of all download svn clien and then execute:
- svn checkout http://tools.assembla.com/svn/chdk/trunk chdk --> where chdk is the folder where put files
Using A560 source as the base code (platform and loader).
- Modify folder structure: change folders names of platform\a560\sub\100a in platform\a550\sub\100c and loader\a560 in loader\a550
- Copy the PRIMARY.BIN in platform\a550\sub\100c (dump of the camera)
- Modify file core\rav.h:
#elif defined (CAMERA_a620) || defined (CAMERA_a710) || defined (CAMERA_a550) || defined (CAMERA_a560)... #define ROWPIX 3152 // for 7 MP #define ROWS 2340 // for 7 MP
- Add the new camera to the Makefile.Inc (root folder)
PLATFORM=a550 PLATFORMSUB=100c
- Modify Makefile.Inc --> in platform\a550\sub\100c
#0x3150 PLATFORMID=12624
- Modify boot.c
Start from function kernelinit found with IDA and called in h_usrKernelInit. Walk back (XREF) in IDA until function boot...
Rename the fuction call with your address:
ex. excVecInit => sub_FFCB6DB8
this (right or wrong) is the result:
void boot()
{
long *canon_data_src = (void*)0xFFEEB4D0;
long *canon_data_dst = (void*)0x1900;
long canon_data_len = 0xB540;
long *canon_bss_start = (void*)0xCE40; // just after data
long canon_bss_len = 0x9F2B0 - 0xCE40;
long i;
[...]
}
void h_usrInit()
{
asm volatile (
"STR LR, [SP,#-4]!\n"
"BL sub_FFC01968\n"
"MOV R0, #2\n"
"MOV R1, R0\n"
"BL sub_FFCC1CEC\n" //unknown_libname_201
"BL sub_FFCB6DB8\n" //excVecInit
"BL sub_FFC011C4\n"
"BL sub_FFC01728\n"
"LDR LR, [SP],#4\n"
"B h_usrKernelInit\n"
);
}
void h_usrKernelInit()
{
asm volatile (
"STMFD SP!, {R4,LR}\n"
"SUB SP, SP, #8\n"
"BL sub_FFCC21EC\n" //classLibInit
"BL sub_FFCD2318\n" //taskLibInit
"LDR R3, =0x4E60\n"
"LDR R2, =0x9C4C0\n"
"LDR R1, [R3]\n"
"LDR R0, =0x9D010\n"
"MOV R3, #0x100\n"
"BL sub_FFCCDF08\n" //qInit
"LDR R3, =0x4E20\n"
"LDR R0, =0x51C0\n"
"LDR R1, [R3]\n"
"BL sub_FFCCDF08\n" //qInit
"LDR R3, =0x4EDC\n"
"LDR R0, =0x9CFE4\n"
"LDR R1, [R3]\n"
"BL sub_FFCCDF08\n" //qInit
"BL sub_FFCD66D4\n" //workQInit
"BL sub_FFC012B0\n"
"MOV R4, #0\n"
"MOV R3, R0\n"
"MOV R12, #0x800\n"
"LDR R0, =h_usrRoot\n"
"MOV R1, #0x4000\n"
"LDR R2, =0xCF2B0\n" // 0x9F2B0 + 0x30000
"STR R12, [SP]\n"
"STR R4, [SP,#4]\n"
"BL sub_FFCCF558\n" //kernelInit
"ADD SP, SP, #8\n"
"LDMFD SP!, {R4,PC}\n"
);
}
[...]
void h_usrRoot()
{
asm volatile (
"STMFD SP!, {R4,R5,LR}\n"
"MOV R5, R0\n"
"MOV R4, R1\n"
"BL sub_FFC019D0\n"
"MOV R1, R4\n"
"MOV R0, R5\n"
"BL sub_FFCC6CA4\n" //memInit
"MOV R1, R4\n"
"MOV R0, R5\n"
"BL sub_FFCC771C\n" //memPartLibInit
//"BL sub_FFC017E8\n" //nullsub_1
"BL sub_FFC01704\n"
"BL sub_FFC01A0C\n"
"BL sub_FFC019F0\n"
"BL sub_FFC01A38\n"
"BL sub_FFC019C4\n"
);
[...]
asm volatile (
"LDMFD SP!, {R4,R5,LR}\n"
"B sub_FFC0136C\n" //IsEmptyWriteCache_2
);
}
I'm not sure this is the correct boot.c, If anyone view some error (in code or procedure), report me....thanks!
- Finish Makefile.Inc --> in platform\a550\sub\100c
MEMBASEADDR=0x1900 RESTARTSTART=0x50000 MEMISOSTART=0x9F2B0 // find in original h_usrKernelInit() MEMISOSIZE=0x30000 ROMBASEADDR=0xffc00000
I know how to find the missing fuction in lib.c and stubs_entry_2.S. It's enought compare a precedent porting CHDK (firmware/source) and find with IDA text search missing fuction in my firmware dump.
- stubs_entry_2.S
NHSTUB(Close, 0xFFE221A0) //sync with a560 NHSTUB(Read, 0xFFE22234) //sync with a560 NHSTUB(Write, 0xFFE22240) //sync with a560 NHSTUB(Remove, 0xFFE221C0) //sync with a560 NHSTUB(Mount_FileSystem, 0xFFE214C4) //sync with a560 NHSTUB(kbd_read_keys_r2, 0xFFDCB384) //sync with a560 NHSTUB(DisplayImagePhysicalScreen, 0xFFDC0374) //sync with a560 NHSTUB(free, 0xFFCC8154) //sync with a560 NHSTUB(SetZoomActuatorSpeedPercent, 0xFFDCD668) //nullsub_130
#overwrite incorrect in stubs_entry.s NHSTUB(SetPropertyCase, 0xFFC0B68C) //sync with a560 NHSTUB(FreeMemory, 0xFFC0819C) //sync with a560 NHSTUB(GetFocusLensSubjectDistance, 0xFFE458AC) //sync with a560 NHSTUB(GetDrive_ClusterSize, 0xFFE2198C) //sync with a560 NHSTUB(GetDrive_TotalClusters, 0xFFE219C8) //sync with a560
same procedure:
- lib.c:
void *hook_raw_fptr()
{
return (void*)0x42990; //sync with a630
}
void *hook_raw_ret_addr()
{
return (void*)0x0;
}
char *hook_raw_image_addr()
{
return (char*)0x10E6C640; //sync with a630
}
long hook_raw_size() //sync with a560 (on wiki page)
{
return 0x8CAE10;
}
void *vid_get_viewport_live_fb()
{
return (void*)0x0;
}
void *vid_get_bitmap_fb()
{
return (void*)(0x10360000); //sync with a540
}
void *vid_get_viewport_fb()
{
return (void*)0x105F0000; //sync with a540
}
void *vid_get_viewport_fb_d()
{
return (void*)(*(int*)0x3C2E0); //sync with a540
}
long vid_get_bitmap_width()
{
return 360;
}
long vid_get_bitmap_height()
{
return 240;
}
long vid_get_viewport_height()
{
return 240;
}
and also the same for:
- stubs_min.S:
DEF(physw_status, 0x44818) // sync with a560 and a630 DEF(physw_run, 0x7980) // sync with a560 and a630 DEF(zoom_busy, 0x776E0) // sync with a560 and a630 DEF(focus_busy, 0x76F6C) // sync with a630 but not sure DEF(playrec_mode, 0xBC3C) // sync with a560 DEF(FlashParamsTable,0xFFEAC254) // sync with a560 and a630 DEF(canon_menu_active,0x2E18) // sync with a560 and a630 DEF(canon_shoot_menu_active,0x2795) // not found DEF(recreview_hold, 0x2588) // sync with a560 and a630
pack of my modified files for a550: http://www.zshare.net/download/6508102fc9112b/
point of contact: http://chdk.setepontos.com/index.php/topic,230.0.html
NOTE: sorry for my english...I'm illiterate Italian man :)
End Porting...but don't Run
I'm at the End of the porting (i think) but it don't wan't run...
...if someone have any idea, He will become my God and I'll be his slave!