Wikia

CHDK Wiki

A560

Talk6
565pages on
this wiki
Revision as of 12:52, December 3, 2012 by Fe50 (Talk | contribs)

Powershot A560

Notice

The latest CHDK version for the A560 with firmware 1.00A is available from the Download page


20070221 hiRes a560 front
Powershot A560 Front
LukeSAdded by LukeS
20070221 hiRes a560 back
Powershot A560 Back
LukeSAdded by LukeS

Reviews and Specifications



A small sized digital camera with a 4x optical zoom and the first with the DIGIC III chip.

Firmware Info

The ver.req trick worked. It shows the following:

Canon PowerShot A560
P-ID:314D PAL V

Firmware Ver GM1.00A
No error
Dec 14 2006 20:14:41

For Developers

Dumping the Original Firmware

Firmware for A560 1.00A extracted successfully.

Saveas64

Download location for firmware dumps:
P&S firmware dumps mirror

Step1 : Blinker

Base Code: blink_g7.rar (chdkfiles@google drive mirror)

Useful info: The A570 LED memory addresses (Rossig). Related: How to modify the source code to search the LED memory addresses (Rossig)

0xC02200C0 ~ 0xC02200C3 - AF-beam
0xC02200C4 ~ 0xC02200C7 - blue
0xC02200C8 ~ 0xC02200CX- orange (X, don't tested, presumably 0xC02200CC )

Compilation

I used a linux box, so I followed the instructions to compile the CHDK under Linux to obtain the gcc compiler for the arm architecture.

To compile the blinker, I modified the make.bat accordingly to use it under linux. The most tricky think was to change the

zero | dd ....

to

dd if=/dev/zero ... > main

To use the win executables, launch it using WINE.

Tips:

Baud Rate: In the original code, DEL is defined as 1260. To see it blinking in a more feasible way, change it by 126000 or more.

The memory address present in the G7 blinker does not work on the A560. Change it by 0xFFC00000.

The ranges to be dumped should be:

0xFFC00000 --> 0xFFDFFFFF ( 0xFFE00000 -1)
0xFFE00000 --> 0xFFFFFFFF (last mem address)

Check this topic and the GrAnd's answer.

Using DEL as 1260 (original value), the dumping takes 45 mins (see readme file inside the blink_g7.rar) for each step.

It should be possible to dump it in a unique step (from 0xFFC00000 till 0xFFFFFFFF there are 0x400000 values), but the dumping time will be extended proportionally.

Step2 : HW circuit

The same circuit used for G7 has been used. The same load.exe was executed and the bytes counter appeared in the console.

Step3 : Dump the Original Firmware

  • It is better to dump the firmware when the camera and the circuit are cold. In this situation, exact alignment of the led and the camera are not required to get the dump. The extraction usually works even in standard lighting conditions (not in a dark place).
  • After 2 or 3 consecutive attempts, I always get a noisy dump, and it is useless. It is time to stop.
  • To get the final dump, I have dumped each part 4 times. With a hexadecimal compare utility, I found two identical copies. I copy them together to get the firmware dump, removing the 55's and the begin and end strings using and hexadecimal editor.
  • In the IDA, after the script execution, the output (log) has no errors. This could be a criteria to check if everything went ok.

Compile the CHDK Add-on

dPreview thread with porting process info

Quick tips that I followed. And when confirmed and clean up, they will be passed to the main Adding_support_of_a_new_camera article.

Using A570 rossig source as the base code.

  • Modify folder structure: change names of all the A570 dependent folders and files to A560 1.00 A
  • Copy the PRIMARY.BIN (dump of the camera)
  • Add the new camera to the Makefile.Inc (root folder)
PLATFORM=a560
PLATFORMSUB=100a
  • Modify Makefile.Inc --> at least ID of the camera
#314D
PLATFORMID=12621
  • Modify boot.c

Missing: How to discover this code parts in IDA.

In boot() function

long *canon_data_src = (void*)0xFFF182E0;
long *canon_data_dst = (void*)0x1900;
long canon_data_len = 0xBC40;
long *canon_bss_start = (void*)0xD540;
long canon_bss_len = 0xA6090 - 0xD540;

In h_usrInit() function

asm volatile (
 "STR     LR, [SP,#-4]!\n"
 "BL      sub_FFC01964\n"
 "MOV  R0, #2\n"
 "MOV R1, R0\n"
 "BL sub_FFCCB29C\n"
 "BL sub_FFCC0230\n"
 "BL sub_FFC011C4\n"
 "BL sub_FFC01724\n"
 "LDR LR, [SP],#4\n"
 "B h_usrKernelInit\n"
);

In h_usrKernelInit() function:

asm volatile (
 "STMFD 	SP!, {R4,LR}\n"
 "SUB 	SP, SP, #8\n"
 "BL 	sub_FFCCB79C\n" //classLibInit
 "BL 	sub_FFCDB8C8\n" //taskLibInit
 "LDR 	R3, =0x4F28\n"
 "LDR 	R2, =0xA3200\n"
 "LDR 	R1, [R3]\n"
 "LDR 	R0, =0xA3D50\n"
 "MOV 	R3, #0x100\n"
 "BL 	sub_FFCD74B8\n" //qInit
 "LDR 	R3, =0x4EE8\n"
 "LDR 	R0, =0x5288\n"
 "LDR 	R1, [R3]\n"
 "BL 	sub_FFCD74B8\n" //qInit
 "LDR 	R3, =0x4FA4\n"
 "LDR 	R0, =0xA3D24\n"
 "LDR 	R1, [R3]\n"
 "BL 	sub_FFCD74B8\n" //QInit
 "BL 	sub_FFCDFC84\n" //workQInit
 "BL 	sub_FFC012AC\n"
 "MOV 	R4, #0\n"
 "MOV 	R3, R0\n"
 "MOV 	R12, #0x800\n"
 "LDR 	R0, =h_usrRoot\n" //sub_FFC01A5C
 "MOV 	R1, #0x4000\n"
 "LDR 	R2, =0xD6090\n" //0xA6090+0x30000
 "STR 	R12, [SP]\n"
 "STR 	R4, [SP,#4]\n"
 "BL 	sub_FFCD8B08\n" //kernelInit
 "ADD 	SP, SP, #8\n"
 "LDMFD 	SP!, {R4,PC}\n"
);

In h_usrRoot() function:

asm volatile (
 "STMFD 	SP!, {R4,R5,LR}\n"
 "MOV 	R5, R0\n"
 "MOV 	R4, R1\n"
 "BL 	sub_FFC019CC\n"
 "MOV 	R1, R4\n"
 "MOV 	R0, R5\n"
 "BL 	sub_FFCD0254\n" //memInit
 "MOV 	R1, R4\n"
 "MOV 	R0, R5\n"
 "BL 	sub_FFCD0CCC\n" //memPartLibInit
 // "BL nullsub_2\n" // this is empty function, can be removed
 "BL 	sub_FFC01700\n" 
 "BL 	sub_FFC01A08\n"
 "BL 	sub_FFC019EC\n"
 "BL 	sub_FFC01A34\n"
 "BL 	sub_FFC019C0\n"
);

_taskCreateHookAdd(createHook);
_taskDeleteHookAdd(deleteHook);
   
drv_self_hide();

asm volatile (
 "LDMFD 	SP!, {R4,R5,LR}\n"
 "B 	sub_FFC01368\n\n"
);
  • Finish Makefile.Inc

Check boot() function in boot.c. Missing: How to discover this numbers in IDA.

MEMBASEADDR=0x1900
RESTARTSTART=0x50000
MEMISOSTART=0xA6090
MEMISOSIZE=0x30000
ROMBASEADDR=0xffc00000
  • Modify lib.c

Missing: How to discover this numbers in IDA.

char *hook_raw_image_addr()
{
   return (char*)0x10E6C640; //SS_DumpImgPrcssBuf
}

long hook_raw_size()
{
   return 0x8CAE10; // 7 mpx
}

void *vid_get_viewport_live_fb()
{
   return (void*)0x0; 
}

void *vid_get_bitmap_fb()
{
   return (void*)0x10361000;  //bmpdev.c
}

void *vid_get_viewport_fb()
{
   return (void*)(0x10657A00);//(0x10400000+0x1BC000+0x3C00); //0x105BFC00
}

void *vid_get_viewport_fb_d()
{
   return (void*)(*(int*)0x7BBF0); //ImagePlayer.c
}
  • stubs files

- In the stubs_entry.S, the autodetected functions are stored. Some of them, maybe wrong autodetected. check them in IDA - In the stubs_entry_2.S, the overriden functions or not detected functions must be added manually. Check the names in IDA. - When linking the CHDK, some of undefined sub_XXXXXXXX functions usually appears. It related the stubs_auto.S file. Check Compiling_CHDK_under_Windows#Undefined_reference_to_.60sub_....27. To solve it, open the file and add the unresolved addresses to it following the same schema

STUB(FFCB4532)

CHDK Ported Successfully

  • Porting is completed, the latest sources are available from the trunk.

Thanks to EWAVR, GrAnd and rossig sources, the CHDK has been ported to the A560 1.00A camera. It is based on the rossig source code for A570.

Advertisement | Your ad here

Around Wikia's network

Random Wiki