(A560 100a ported!) |
|||
| (22 intermediate revisions by 13 users not shown) | |||
| Line 1: | Line 1: | ||
| + | '''Powershot A560''' |
||
| ⚫ | |||
| + | {{Notice|'''The latest CHDK version for the A560 with firmware '''1.00A''' is available from the [[Downloads|Download page]]}} |
||
| ⚫ | |||
| + | |||
| + | {| align="right" style="border-collapse:collapse; font-size: x-small;" |
||
| + | | __TOC__ |
||
| + | |} |
||
| + | [[Image:20070221_hiRes_a560_front.jpg|thumb|250px|Powershot A560 Front]] |
||
| + | [[Image:20070221_hiRes_a560_back.jpg|thumb|250px|Powershot A560 Back]] |
||
| + | |||
| + | == Reviews and Specifications == |
||
| + | |||
| + | * [http://www.canon.com/camera-museum/camera/dcc/data/2007-2008/2007_ps_a560.html Canon] |
||
| + | * [http://www.usa.canon.com/cusa/support/consumer/digital_cameras/powershot_a_series/powershot_a560 Canon USA Support and Drivers Powershot A560] |
||
| + | * [http://www.steves-digicams.com/2007_reviews/a560.html Steve's DigiCams] |
||
| + | * [http://www.imaging-resource.com/PRODS/A560/A560A.HTM Imaging Resource] |
||
| + | * [http://en.wikipedia.org/wiki/Canon_PowerShot_A Wikipedia] |
||
| + | * [http://www.dpreview.com/products/canon/compacts/canon_a560 DPreview] |
||
| + | * 35-140mm (equiv.) |
||
| + | |||
| + | |||
| + | |||
| + | |||
| + | A small sized digital camera with a 4x optical zoom and the first with the [http://en.wikipedia.org/wiki/DIGIC#DIGIC_III DIGIC III] chip. |
||
| + | |||
| ⚫ | |||
The '''ver.req''' trick worked. It shows the following: |
The '''ver.req''' trick worked. It shows the following: |
||
| Line 11: | Line 34: | ||
Dec 14 2006 20:14:41 |
Dec 14 2006 20:14:41 |
||
| + | == For Developers == |
||
| − | = Dumping the Original Firmware = |
+ | === Dumping the Original Firmware === |
Firmware for A560 1.00A extracted successfully. |
Firmware for A560 1.00A extracted successfully. |
||
| + | {{DL dumps}} |
||
| ⚫ | |||
| + | |||
| ⚫ | |||
| ⚫ | |||
| + | |||
| ⚫ | |||
Useful info: [http://forums.dpreview.com/forums/read.asp?forum=1010&message=24992555 The A570 LED memory addresses (Rossig)]. Related: [http://forums.dpreview.com/forums/read.asp?forum=1010&message=24988142 How to modify the source code to search the LED memory addresses (Rossig)] |
Useful info: [http://forums.dpreview.com/forums/read.asp?forum=1010&message=24992555 The A570 LED memory addresses (Rossig)]. Related: [http://forums.dpreview.com/forums/read.asp?forum=1010&message=24988142 How to modify the source code to search the LED memory addresses (Rossig)] |
||
| Line 28: | Line 55: | ||
I used a linux box, so I followed the [[Compiling_CHDK_under_Linux | instructions to compile the CHDK under Linux]] to obtain the gcc compiler for the arm architecture. |
I used a linux box, so I followed the [[Compiling_CHDK_under_Linux | instructions to compile the CHDK under Linux]] to obtain the gcc compiler for the arm architecture. |
||
| − | To compile the blinker, I modified the make.bat accordingly to use it under linux. The most tricky think was to change the |
+ | To compile the blinker, I modified the make.bat accordingly to use it under linux. The most tricky think was to change the |
zero | dd .... |
zero | dd .... |
||
| Line 41: | Line 68: | ||
Baud Rate: In the original code, DEL is defined as '''1260'''. To see it blinking in a more feasible way, change it by '''126000''' or more. |
Baud Rate: In the original code, DEL is defined as '''1260'''. To see it blinking in a more feasible way, change it by '''126000''' or more. |
||
| − | The memory address present in the |
+ | The memory address present in the G7 blinker does not work on the A560. Change it by '''0xFFC00000'''. |
The ranges to be dumped should be: |
The ranges to be dumped should be: |
||
| Line 53: | Line 80: | ||
It should be possible to dump it in a '''unique step''' (from 0xFFC00000 till 0xFFFFFFFF there are 0x400000 values), but the dumping time will be extended proportionally. |
It should be possible to dump it in a '''unique step''' (from 0xFFC00000 till 0xFFFFFFFF there are 0x400000 values), but the dumping time will be extended proportionally. |
||
| − | == Step2 : HW circuit == |
+ | ==== Step2 : HW circuit ==== |
The same circuit used for G7 has been used. The same load.exe was executed and the bytes counter appeared in the console. |
The same circuit used for G7 has been used. The same load.exe was executed and the bytes counter appeared in the console. |
||
| − | == Step3 : Dump the Original Firmware == |
+ | ==== Step3 : Dump the Original Firmware ==== |
| − | * It is better to dump the firmware when '''the camera and the circuit are cold'''. In this situation, |
+ | * It is better to dump the firmware when '''the camera and the circuit are cold'''. In this situation, exact alignment of the led and the camera are not required to get the dump. The extraction usually works even in standard lighting conditions (not in a dark place). |
| − | * After 2 or 3 consecutive attempts, I always get a |
+ | * After 2 or 3 consecutive attempts, I always get a noisy dump, and it is useless. It is time to stop. |
| − | * To get the final dump, I have dumped 4 times |
+ | * To get the final dump, I have dumped each part 4 times. With a '''hexadecimal compare utility''', I found two identical copies. I''' copy them together''' to get the firmware dump, '''removing the 55's and the begin and end''' strings using and hexadecimal editor. |
* In the IDA, after the script execution, '''the output (log) has no errors'''. This could be a criteria to check if everything went ok. |
* In the IDA, after the script execution, '''the output (log) has no errors'''. This could be a criteria to check if everything went ok. |
||
| − | = Compile the CHDK Add-on= |
+ | === Compile the CHDK Add-on === |
| − | |||
[http://forums.dpreview.com/forums/read.asp?forum=1010&message=25259749 dPreview thread with porting process info] |
[http://forums.dpreview.com/forums/read.asp?forum=1010&message=25259749 dPreview thread with porting process info] |
||
| − | |||
Quick tips that I followed. And when confirmed and clean up, they will be passed to the main [[Adding_support_of_a_new_camera]] article. |
Quick tips that I followed. And when confirmed and clean up, they will be passed to the main [[Adding_support_of_a_new_camera]] article. |
||
| Line 82: | Line 107: | ||
PLATFORMSUB=100a |
PLATFORMSUB=100a |
||
| − | *'''Modify Makefile.Inc''' --> at least ID of the camera |
+ | *'''Modify Makefile.Inc''' --> at least ID of the camera |
#314D |
#314D |
||
PLATFORMID=12621 |
PLATFORMID=12621 |
||
| Line 223: | Line 248: | ||
STUB(FFCB4532) |
STUB(FFCB4532) |
||
| ⚫ | |||
| + | * Porting is completed, the latest sources are available from the trunk. |
||
| + | Thanks to EWAVR, GrAnd and rossig sources, the CHDK has been ported to the A560 1.00A camera. It is based on the rossig source code for A570. |
||
| ⚫ | |||
| + | [[Category:Cameras]] |
||
| − | |||
| ⚫ | |||
| − | [http://www.zshare.net/download/4695777b0315c2/ CHDK A560 1.00A] |
||
Latest revision as of 18:18, 3 January 2013
Powershot A560
|
The latest CHDK version for the A560 with firmware 1.00A is available from the Download page |
Powershot A560 Front
Powershot A560 Back
Reviews and Specifications
- Canon
- Canon USA Support and Drivers Powershot A560
- Steve's DigiCams
- Imaging Resource
- Wikipedia
- DPreview
- 35-140mm (equiv.)
A small sized digital camera with a 4x optical zoom and the first with the DIGIC III chip.
Firmware Info
The ver.req trick worked. It shows the following:
Canon PowerShot A560 P-ID:314D PAL V Firmware Ver GM1.00A No error Dec 14 2006 20:14:41
For Developers
Dumping the Original Firmware
Firmware for A560 1.00A extracted successfully.
|
Download location for firmware dumps: |
Step1 : Blinker
Base Code: blink_g7.rar (chdkfiles@google drive mirror)
Useful info: The A570 LED memory addresses (Rossig). Related: How to modify the source code to search the LED memory addresses (Rossig)
0xC02200C0 ~ 0xC02200C3 - AF-beam 0xC02200C4 ~ 0xC02200C7 - blue 0xC02200C8 ~ 0xC02200CX- orange (X, don't tested, presumably 0xC02200CC )
Compilation
I used a linux box, so I followed the instructions to compile the CHDK under Linux to obtain the gcc compiler for the arm architecture.
To compile the blinker, I modified the make.bat accordingly to use it under linux. The most tricky think was to change the
zero | dd ....
to
dd if=/dev/zero ... > main
To use the win executables, launch it using WINE.
Tips:
Baud Rate: In the original code, DEL is defined as 1260. To see it blinking in a more feasible way, change it by 126000 or more.
The memory address present in the G7 blinker does not work on the A560. Change it by 0xFFC00000.
The ranges to be dumped should be:
0xFFC00000 --> 0xFFDFFFFF ( 0xFFE00000 -1) 0xFFE00000 --> 0xFFFFFFFF (last mem address)
Check this topic and the GrAnd's answer.
Using DEL as 1260 (original value), the dumping takes 45 mins (see readme file inside the blink_g7.rar) for each step.
It should be possible to dump it in a unique step (from 0xFFC00000 till 0xFFFFFFFF there are 0x400000 values), but the dumping time will be extended proportionally.
Step2 : HW circuit
The same circuit used for G7 has been used. The same load.exe was executed and the bytes counter appeared in the console.
Step3 : Dump the Original Firmware
- It is better to dump the firmware when the camera and the circuit are cold. In this situation, exact alignment of the led and the camera are not required to get the dump. The extraction usually works even in standard lighting conditions (not in a dark place).
- After 2 or 3 consecutive attempts, I always get a noisy dump, and it is useless. It is time to stop.
- To get the final dump, I have dumped each part 4 times. With a hexadecimal compare utility, I found two identical copies. I copy them together to get the firmware dump, removing the 55's and the begin and end strings using and hexadecimal editor.
- In the IDA, after the script execution, the output (log) has no errors. This could be a criteria to check if everything went ok.
Compile the CHDK Add-on
dPreview thread with porting process info
Quick tips that I followed. And when confirmed and clean up, they will be passed to the main Adding_support_of_a_new_camera article.
Using A570 rossig source as the base code.
- Modify folder structure: change names of all the A570 dependent folders and files to A560 1.00 A
- Copy the PRIMARY.BIN (dump of the camera)
- Add the new camera to the Makefile.Inc (root folder)
PLATFORM=a560 PLATFORMSUB=100a
- Modify Makefile.Inc --> at least ID of the camera
#314D PLATFORMID=12621
- Modify boot.c
Missing: How to discover this code parts in IDA.
In boot() function
long *canon_data_src = (void*)0xFFF182E0; long *canon_data_dst = (void*)0x1900; long canon_data_len = 0xBC40; long *canon_bss_start = (void*)0xD540; long canon_bss_len = 0xA6090 - 0xD540;
In h_usrInit() function
asm volatile ( "STR LR, [SP,#-4]!\n" "BL sub_FFC01964\n" "MOV R0, #2\n" "MOV R1, R0\n" "BL sub_FFCCB29C\n" "BL sub_FFCC0230\n" "BL sub_FFC011C4\n" "BL sub_FFC01724\n" "LDR LR, [SP],#4\n" "B h_usrKernelInit\n" );
In h_usrKernelInit() function:
asm volatile (
"STMFD SP!, {R4,LR}\n"
"SUB SP, SP, #8\n"
"BL sub_FFCCB79C\n" //classLibInit
"BL sub_FFCDB8C8\n" //taskLibInit
"LDR R3, =0x4F28\n"
"LDR R2, =0xA3200\n"
"LDR R1, [R3]\n"
"LDR R0, =0xA3D50\n"
"MOV R3, #0x100\n"
"BL sub_FFCD74B8\n" //qInit
"LDR R3, =0x4EE8\n"
"LDR R0, =0x5288\n"
"LDR R1, [R3]\n"
"BL sub_FFCD74B8\n" //qInit
"LDR R3, =0x4FA4\n"
"LDR R0, =0xA3D24\n"
"LDR R1, [R3]\n"
"BL sub_FFCD74B8\n" //QInit
"BL sub_FFCDFC84\n" //workQInit
"BL sub_FFC012AC\n"
"MOV R4, #0\n"
"MOV R3, R0\n"
"MOV R12, #0x800\n"
"LDR R0, =h_usrRoot\n" //sub_FFC01A5C
"MOV R1, #0x4000\n"
"LDR R2, =0xD6090\n" //0xA6090+0x30000
"STR R12, [SP]\n"
"STR R4, [SP,#4]\n"
"BL sub_FFCD8B08\n" //kernelInit
"ADD SP, SP, #8\n"
"LDMFD SP!, {R4,PC}\n"
);
In h_usrRoot() function:
asm volatile (
"STMFD SP!, {R4,R5,LR}\n"
"MOV R5, R0\n"
"MOV R4, R1\n"
"BL sub_FFC019CC\n"
"MOV R1, R4\n"
"MOV R0, R5\n"
"BL sub_FFCD0254\n" //memInit
"MOV R1, R4\n"
"MOV R0, R5\n"
"BL sub_FFCD0CCC\n" //memPartLibInit
// "BL nullsub_2\n" // this is empty function, can be removed
"BL sub_FFC01700\n"
"BL sub_FFC01A08\n"
"BL sub_FFC019EC\n"
"BL sub_FFC01A34\n"
"BL sub_FFC019C0\n"
);
_taskCreateHookAdd(createHook);
_taskDeleteHookAdd(deleteHook);
drv_self_hide();
asm volatile (
"LDMFD SP!, {R4,R5,LR}\n"
"B sub_FFC01368\n\n"
);
- Finish Makefile.Inc
Check boot() function in boot.c. Missing: How to discover this numbers in IDA.
MEMBASEADDR=0x1900 RESTARTSTART=0x50000 MEMISOSTART=0xA6090 MEMISOSIZE=0x30000 ROMBASEADDR=0xffc00000
- Modify lib.c
Missing: How to discover this numbers in IDA.
char *hook_raw_image_addr()
{
return (char*)0x10E6C640; //SS_DumpImgPrcssBuf
}
long hook_raw_size()
{
return 0x8CAE10; // 7 mpx
}
void *vid_get_viewport_live_fb()
{
return (void*)0x0;
}
void *vid_get_bitmap_fb()
{
return (void*)0x10361000; //bmpdev.c
}
void *vid_get_viewport_fb()
{
return (void*)(0x10657A00);//(0x10400000+0x1BC000+0x3C00); //0x105BFC00
}
void *vid_get_viewport_fb_d()
{
return (void*)(*(int*)0x7BBF0); //ImagePlayer.c
}
- stubs files
- In the stubs_entry.S, the autodetected functions are stored. Some of them, maybe wrong autodetected. check them in IDA - In the stubs_entry_2.S, the overriden functions or not detected functions must be added manually. Check the names in IDA. - When linking the CHDK, some of undefined sub_XXXXXXXX functions usually appears. It related the stubs_auto.S file. Check Compiling_CHDK_under_Windows#Undefined_reference_to_.60sub_....27. To solve it, open the file and add the unresolved addresses to it following the same schema
STUB(FFCB4532)
CHDK Ported Successfully
- Porting is completed, the latest sources are available from the trunk.
Thanks to EWAVR, GrAnd and rossig sources, the CHDK has been ported to the A560 1.00A camera. It is based on the rossig source code for A570.