CHDK Wiki
(Restoring Original Contents)
(Undo revision 7709 by Intrinsic (talk))
 
[[Category:Development]]
 
   
== Firmware info ==
 
=== Version ===
 
The trick with the '''ver.req''' file works on the A550 as well, with the following result:

<pre>
Canon PowerShot A550
P-ID:3150 PAL V
firmware ver GM1.00C
No error
Dec 4 2006 07:46:45
</pre>
 
 
== Memory map ==
 
Tested on the A550 with the Blink G7 firmware dump.
 
 
=== Led ===
 
0xc0220080: ''AF beam:'' (0x46 ON - 0x44 OFF)
 
0xc0220084: ''blue print:'' (0x46 ON - 0x44 OFF)
 
0xc0220088: ''viewfinder orange:'' (0x46 ON - 0x44 OFF)
 
 
== Blinker Firmware compilation ==
 
The ''serial port download solution'' is the chosen method for dumping the firmware.<br>

The Blink G7 source code (main.c) must be modified according to the LED memory map above:

<pre>
long* led=(long*)0xc0220080;
</pre>

The Blink G7 firmware was compiled using cygwin in the 'ready-to-use' environment pack downloadable [http://www.zshare.net/download/gcc_env_for_hdk-3-4-6-rar.html here].<br>

Before compiling, the last row of ''make.bat'' must be edited to:

<pre>
pakwif PS.FIR main 0x3150
</pre>

where 0x3150 is the P-ID shown by the ver.req trick.
 
 
== Firmware is dumped ==
 
I have made a dump from 0xFFC00000 to 0xFFFFFFFF, and this is the result:
 
[http://rapidshare.com/files/81300076/dump0xFFC00000.rar.html Firmware A550 100c]
 
 
'''NOTE:'''
 
Mhhhh... I see that no other firmware is 4 MByte... think and think... EUREKA!!! :)

The raw firmware dump is 4 MByte (offsets 0x000000 to 0x3FFFFF), as dumped with the photo-transistor.

If you compute:

<pre>
0xFFEEB4D0 (data_src) + 0xB540 (data_len) - 0xFFC00000 (start firmware address)
</pre>

the result is the real firmware length!

0x2F6A10 in my case.

Well, I trimmed the remaining part of the file.
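A small host-side script that applies the computation above to a dump file, as an added example that is not part of this wiki page or of CHDK. It assumes the photo-transistor dump is exactly 4 MiB and that the bytes beyond the computed end are unprogrammed flash (all 0xFF, or all 0x00 for dumpers that pad with zeros); the dump it builds is constructed and contains no real firmware bytes, and the function names are my own.

```python
"""Trim a raw 4 MiB flash dump to the real firmware length.

Added example, not part of the CHDK wiki page or the CHDK project: it applies
the formula on this page (data_src + data_len - ROM base) and checks that the
bytes after the computed end look like erased flash before cutting them off.
"""
import random

ROM_BASE = 0xFFC00000      # start of the dumped ROM window (from the page)
DATA_SRC = 0xFFEEB4D0      # ROM address of the .data initialiser (canon_data_src)
DATA_LEN = 0xB540          # its length (canon_data_len)
RAW_DUMP_SIZE = 0x400000   # the photo-transistor dump is 4 MiB (0x000000..0x3FFFFF)


def firmware_length(data_src: int, data_len: int, rom_base: int) -> int:
    """Offset of the end of the firmware image inside the dump.

    The .data initialiser is the last thing placed in ROM, so the image ends
    right after it; this is the arithmetic from the page.
    """
    return data_src + data_len - rom_base


def tail_is_padding(dump: bytes, end: int, fill_values=(0xFF, 0x00)) -> bool:
    """True when everything from `end` onwards is one fill byte.

    Erased NOR flash reads as 0xFF (some dumpers pad with 0x00). A tail of
    mixed content means `end` is wrong or the dump holds more than the
    firmware, so trimming would destroy data. An empty tail is trivially fine.
    """
    tail = dump[end:]
    if not tail:
        return True
    return any(tail == bytes([v]) * len(tail) for v in fill_values)


def trim_dump(dump: bytes, end: int) -> bytes:
    """Return only the firmware image; refuse to trim an inconsistent dump."""
    if len(dump) != RAW_DUMP_SIZE:
        raise ValueError(f"expected a 0x{RAW_DUMP_SIZE:X}-byte raw dump, got 0x{len(dump):X}")
    if not 0 < end <= len(dump):
        raise ValueError(f"computed end 0x{end:X} lies outside the dump")
    if not tail_is_padding(dump, end):
        raise ValueError("bytes after the computed end are not padding; re-check data_src/data_len")
    return dump[:end]


def build_constructed_dump(end: int) -> bytes:
    """Constructed stand-in for a real dump (contains no firmware bytes):
    pseudo-random content up to `end`, then 0xFF like erased flash."""
    rng = random.Random(0x3150)   # seeded with the P-ID only for repeatability
    return rng.randbytes(end) + b"\xff" * (RAW_DUMP_SIZE - end)


if __name__ == "__main__":
    end = firmware_length(DATA_SRC, DATA_LEN, ROM_BASE)
    print(f"firmware length: 0x{end:X}")          # 0x2F6A10 with the A550 100c values
    image = trim_dump(build_constructed_dump(end), end)
    print(f"trimmed image: 0x{len(image):X} bytes")
```

To use it on a real dump, replace build_constructed_dump with the bytes read from the dump file. If trim_dump refuses, data_src or data_len most likely belong to a different firmware revision, and the layout should be re-checked in IDA before anything is cut off.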
 
 
== Compile the CHDK ==
 
 
First of all, download an SVN client and then execute:

*'''svn checkout http://tools.assembla.com/svn/chdk/trunk chdk''' --> where ''chdk'' is the folder into which the files are put

Use the '''A560 source''' as the base code (platform and loader).

*'''Modify the folder structure''': rename platform\a560\sub\100a to platform\a550\sub\100c and loader\a560 to loader\a550

*'''Copy PRIMARY.BIN into platform\a550\sub\100c''' (the dump of the camera)

*'''Modify the file core\raw.h''' (add the a550 to the condition that selects the 7 MP values):

<pre>
#elif defined (CAMERA_a620) || defined (CAMERA_a710) || defined (CAMERA_a550) || defined (CAMERA_a560)...
#define ROWPIX 3152 // for 7 MP
#define ROWS 2340 // for 7 MP
</pre>

*Add the new camera to '''Makefile.Inc''' (root folder):

<pre>
PLATFORM=a550
PLATFORMSUB=100c
</pre>

*'''Modify Makefile.Inc''' --> in platform\a550\sub\100c:

<pre>
#0x3150
PLATFORMID=12624
</pre>
 
 
*'''Modify boot.c'''

Start from the function ''kernelInit'' (found with IDA), which is called from h_usrKernelInit.

Walk back (through the XREFs) in IDA until you reach the function ''boot''...

Call flow:

<pre>
boot() --> h_usrInit() --> h_usrKernelInit() --> usrRoot() --> etc... (not of interest to us)
                                |--> kernelInit()
</pre>

Replace each function call with the address from your dump, e.g. excVecInit => sub_FFCB6DB8
 
 
this (right or wrong) is the result:

<pre>
void boot()
{
    long *canon_data_src = (void*)0xFFEEB4D0;
    long *canon_data_dst = (void*)0x1900;
    long canon_data_len = 0xB540;
    long *canon_bss_start = (void*)0xCE40; // just after data
    long canon_bss_len = 0x9F2B0 - 0xCE40;
    long i;
    [...]
}

void h_usrInit()
{
    asm volatile (
        "STR LR, [SP,#-4]!\n"
        "BL sub_FFC01968\n"
        "MOV R0, #2\n"
        "MOV R1, R0\n"
        "BL sub_FFCC1CEC\n" // unknown_libname_201
        "BL sub_FFCB6DB8\n" // excVecInit
        "BL sub_FFC011C4\n"
        "BL sub_FFC01728\n"
        "LDR LR, [SP],#4\n"
        "B h_usrKernelInit\n"
    );
}

void h_usrKernelInit()
{
    asm volatile (
        "STMFD SP!, {R4,LR}\n"
        "SUB SP, SP, #8\n"
        "BL sub_FFCC21EC\n" // classLibInit
        "BL sub_FFCD2318\n" // taskLibInit
        "LDR R3, =0x4E60\n"
        "LDR R2, =0x9C4C0\n"
        "LDR R1, [R3]\n"
        "LDR R0, =0x9D010\n"
        "MOV R3, #0x100\n"
        "BL sub_FFCCDF08\n" // qInit
        "LDR R3, =0x4E20\n"
        "LDR R0, =0x51C0\n"
        "LDR R1, [R3]\n"
        "BL sub_FFCCDF08\n" // qInit
        "LDR R3, =0x4EDC\n"
        "LDR R0, =0x9CFE4\n"
        "LDR R1, [R3]\n"
        "BL sub_FFCCDF08\n" // qInit
        "BL sub_FFCD66D4\n" // workQInit
        "BL sub_FFC012B0\n"
        "MOV R4, #0\n"
        "MOV R3, R0\n"
        "MOV R12, #0x800\n"
        "LDR R0, =h_usrRoot\n"
        "MOV R1, #0x4000\n"
        "LDR R2, =0xCF2B0\n" // 0x9F2B0 + 0x30000
        "STR R12, [SP]\n"
        "STR R4, [SP,#4]\n"
        "BL sub_FFCCF558\n" // kernelInit
        "ADD SP, SP, #8\n"
        "LDMFD SP!, {R4,PC}\n"
    );
}

[...]

void h_usrRoot()
{
    asm volatile (
        "STMFD SP!, {R4,R5,LR}\n"
        "MOV R5, R0\n"
        "MOV R4, R1\n"
        "BL sub_FFC019D0\n"
        "MOV R1, R4\n"
        "MOV R0, R5\n"
        "BL sub_FFCC6CA4\n" // memInit
        "MOV R1, R4\n"
        "MOV R0, R5\n"
        "BL sub_FFCC771C\n" // memPartLibInit
        //"BL sub_FFC017E8\n" // nullsub_1
        "BL sub_FFC01704\n"
        "BL sub_FFC01A0C\n"
        "BL sub_FFC019F0\n"
        "BL sub_FFC01A38\n"
        "BL sub_FFC019C4\n"
    );

    [...]

    asm volatile (
        "LDMFD SP!, {R4,R5,LR}\n"
        "B sub_FFC0136C\n" // IsEmptyWriteCache_2
    );
}
</pre>
 
 
I'm not sure this is the correct boot.c. If anyone sees an error (in the code or the procedure), report it to me... thanks!
 
 
*'''Finish Makefile.Inc''' --> in platform\a550\sub\100c

<pre>
MEMBASEADDR=0x1900
RESTARTSTART=0x50000
# found in the original h_usrKernelInit()
MEMISOSTART=0x9F2B0
MEMISOSIZE=0x30000
ROMBASEADDR=0xffc00000
</pre>
 
 
I know how to find the missing functions in lib.c and stubs_entry_2.S.

It is enough to compare a previous CHDK port (firmware/source) and find the missing functions in my firmware dump with an IDA text search.
 
 
*'''stubs_entry_2.S''':

<pre>
NHSTUB(Close, 0xFFE221A0) // sync with a560
NHSTUB(Read, 0xFFE22234) // sync with a560
NHSTUB(Write, 0xFFE22240) // sync with a560
NHSTUB(Remove, 0xFFE221C0) // sync with a560
NHSTUB(Mount_FileSystem, 0xFFE214C4) // sync with a560
NHSTUB(kbd_read_keys_r2, 0xFFDCB384) // sync with a560
NHSTUB(DisplayImagePhysicalScreen, 0xFFDC0374) // sync with a560
NHSTUB(free, 0xFFCC8154) // sync with a560
NHSTUB(SetZoomActuatorSpeedPercent, 0xFFDCD668) // nullsub_130

// overwrite incorrect entries in stubs_entry.S
NHSTUB(SetPropertyCase, 0xFFC0B68C) // sync with a560
NHSTUB(FreeMemory, 0xFFC0819C) // sync with a560
NHSTUB(GetFocusLensSubjectDistance, 0xFFE458AC) // sync with a560
NHSTUB(GetDrive_ClusterSize, 0xFFE2198C) // sync with a560
NHSTUB(GetDrive_TotalClusters, 0xFFE219C8) // sync with a560
</pre>
 
 
I didn't test all the function addresses in stubs_entry.S (too many), only the functions reported as incorrect for the a560.

Same procedure:
 
 
*'''lib.c''':

<pre>
void *hook_raw_fptr()
{
    return (void*)0x42990; // sync with a630
}

void *hook_raw_ret_addr()
{
    return (void*)0x0;
}

char *hook_raw_image_addr()
{
    return (char*)0x10E6C640; // sync with a630
}

long hook_raw_size() // sync with a560 (on wiki page)
{
    return 0x8CAE10;
}

void *vid_get_viewport_live_fb()
{
    return (void*)0x0;
}

void *vid_get_bitmap_fb()
{
    return (void*)(0x10360000); // sync with a540
}

void *vid_get_viewport_fb()
{
    return (void*)0x105F0000; // sync with a540
}

void *vid_get_viewport_fb_d()
{
    return (void*)(*(int*)0x3C2E0); // sync with a540
}

long vid_get_bitmap_width()
{
    return 360;
}

long vid_get_bitmap_height()
{
    return 240;
}

long vid_get_viewport_height()
{
    return 240;
}
</pre>
 
 
And also the same for:
 
 
*'''stubs_min.S''':

<pre>
DEF(physw_status, 0x44818) // sync with a560 and a630
DEF(physw_run, 0x7980) // sync with a560 and a630
DEF(zoom_busy, 0x776E0) // sync with a560 and a630
DEF(focus_busy, 0x76F6C) // sync with a630 but not sure
DEF(playrec_mode, 0xBC3C) // sync with a560
DEF(FlashParamsTable,0xFFEAC254) // sync with a560 and a630
DEF(canon_menu_active,0x2E18) // sync with a560 and a630
DEF(canon_shoot_menu_active,0x2795) // not found
DEF(recreview_hold, 0x2588) // sync with a560 and a630
</pre>
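As an added example (not from this page or from CHDK), the following script cross-checks the addresses gathered in boot.c, the platform Makefile.Inc, stubs_entry_2.S and stubs_min.S: NHSTUB functions must lie inside the dumped firmware image (ROMBASEADDR up to ROMBASEADDR plus the length computed in the "Firmware is dumped" section), DEF variables must lie in the firmware's data/bss region or in ROM, and the derived constants must agree with each other. The stub excerpt is constructed from the lines above; the framebuffer addresses in lib.c sit in a separate memory region and are deliberately not covered; the region names and function names are my own.

```python
"""Sanity-check the addresses a CHDK port pulls together.

Added example, not from the CHDK wiki page or project. One wrong constant in
this set is enough for the camera to power off silently at 'firmware update',
so every address is classified against the regions the page defines.
"""
import re

# Values from the page (A550 firmware 100c)
ROMBASEADDR   = 0xFFC00000
FIRMWARE_LEN  = 0x2F6A10               # data_src + data_len - ROMBASEADDR
MEMBASEADDR   = 0x1900                 # canon_data_dst
DATA_SRC      = 0xFFEEB4D0             # canon_data_src
DATA_LEN      = 0xB540                 # canon_data_len
BSS_START     = 0xCE40                 # canon_bss_start
MEMISOSTART   = 0x9F2B0                # end of bss, start of CHDK's own memory
MEMISOSIZE    = 0x30000
KERNELINIT_R2 = 0xCF2B0                # top of memory passed to kernelInit

# Constructed excerpt of the stub files on this page (same syntax, same values)
STUB_LINES = """
NHSTUB(Close, 0xFFE221A0)
NHSTUB(Read, 0xFFE22234)
NHSTUB(free, 0xFFCC8154)
NHSTUB(SetPropertyCase, 0xFFC0B68C)
DEF(physw_status, 0x44818)
DEF(physw_run, 0x7980)
DEF(FlashParamsTable,0xFFEAC254)
DEF(canon_menu_active,0x2E18)
"""

STUB_RE = re.compile(r"^\s*(NHSTUB|DEF)\(\s*(\w+)\s*,\s*(0x[0-9A-Fa-f]+)\s*\)")


def parse_stubs(text: str) -> list[tuple[str, str, int]]:
    """Return (kind, name, address) for every NHSTUB/DEF line; other lines are skipped."""
    out = []
    for line in text.splitlines():
        m = STUB_RE.match(line)
        if m:
            out.append((m.group(1), m.group(2), int(m.group(3), 16)))
    return out


def region_of(addr: int) -> str:
    """Classify an address against the A550 layout on this page."""
    if ROMBASEADDR <= addr < ROMBASEADDR + FIRMWARE_LEN:
        return "rom"
    if MEMBASEADDR <= addr < MEMISOSTART:
        return "ram"
    if MEMISOSTART <= addr < MEMISOSTART + MEMISOSIZE:
        return "chdk"      # CHDK's reserved block: no firmware variable may live here
    return "unknown"


def check_stubs(text: str) -> list[str]:
    """One message per suspicious stub; an empty list means every address fits.

    NHSTUB entries are firmware functions and must be in ROM. DEF entries are
    firmware variables (RAM) or ROM tables such as FlashParamsTable; anything
    that lands in CHDK's block or outside every known region is flagged.
    """
    problems = []
    for kind, name, addr in parse_stubs(text):
        region = region_of(addr)
        if kind == "NHSTUB" and region != "rom":
            problems.append(f"{name}: function at 0x{addr:X} is not inside the firmware image ({region})")
        elif kind == "DEF" and region not in ("rom", "ram"):
            problems.append(f"{name}: variable at 0x{addr:X} is in '{region}' space")
    return problems


def check_layout() -> list[str]:
    """Cross-check the derived constants in boot.c against Makefile.Inc."""
    problems = []
    if MEMBASEADDR + DATA_LEN != BSS_START:
        problems.append("canon_bss_start should equal MEMBASEADDR + data_len")
    if MEMISOSTART + MEMISOSIZE != KERNELINIT_R2:
        problems.append("kernelInit R2 should equal MEMISOSTART + MEMISOSIZE")
    if DATA_SRC + DATA_LEN - ROMBASEADDR != FIRMWARE_LEN:
        problems.append("firmware length does not match data_src + data_len - ROMBASEADDR")
    if not (ROMBASEADDR <= DATA_SRC < ROMBASEADDR + FIRMWARE_LEN):
        problems.append("data_src lies outside the firmware image")
    return problems


if __name__ == "__main__":
    for msg in check_layout() + check_stubs(STUB_LINES):
        print("WARNING:", msg)
    print("checked", len(parse_stubs(STUB_LINES)), "stubs")
```

With the values on this page both checks return no warnings. Feeding it the full stubs_entry_2.S and stubs_min.S (or the auto-generated stubs_entry.S) is a cheap way to catch an address copied from another camera's port that does not even fall inside this dump.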
 
 
pack of my modified files for a550: http://www.zshare.net/download/6508102fc9112b/
 
 
== End Porting...but don't Run ==
 
I'm at the end of the porting (I think) but it doesn't want to run...

My camera switches off, without the LED blinking, when I start ''firmware update''.

...if someone has any idea, he will become my God and I'll be his slave!
 
 
== Important Notes ==
 
*'''first of all''': sorry for my English... I'm an illiterate Italian man :) (if you don't find my CHDK port error... you can enjoy correcting my English grammar errors)
 
 
*'''write me here''': point of contact: http://chdk.setepontos.com/index.php/topic,230.0.html or muttmail(AT)gmail.com
 

Revision as of 15:45, 24 January 2008

