Firmware info
The ver.req trick worked. It shows the following:
Canon PowerShot A560 P-ID:314D PAL V Firmware Ver GM1.00A No error Dec 14 2006 20:14:41
Porting the A560 1.00A
Porting Process Phase1. Dumping the Original Firmware
In progress:
Step1 : Blinker
Base Code: blink_g7.rar
Useful info: The A570 LED memory addresses (Rossig). Related: How to modify the source code to search the LED memory addresses (Rossig)
0xC02200C0 ~ 0xC02200C3 - AF-beam
0xC02200C4 ~ 0xC02200C7 - blue
0xC02200C8 ~ 0xC02200CX - orange (X not tested, presumably 0xC02200CC)
Compilation
I used a Linux box, so I followed the instructions to compile CHDK under Linux to obtain the gcc compiler for the ARM architecture.
To compile the blinker, I modified make.bat accordingly to use it under Linux. The trickiest thing was to change the
zero | dd ....
to
dd if=/dev/zero ... > main
To use the Windows executables, launch them using WINE.
Tips:
Baud Rate: In the original code, DEL is defined as 1260. To make the blinking easier to see, change it to 126000 or more.
The memory address present in the G7 blinker does not work on the A560. Change it to 0xFFC00000.
The ranges to be dumped should be:
0xFFC00000 --> 0xFFDFFFFF (0xFFE00000 - 1)
0xFFE00000 --> 0xFFFFFFFF (last mem address)
Check this topic and GrAnd's answer.
Using DEL as 1260 (original value), the dumping takes 45 mins (see readme file inside the blink_g7.rar) for each step.
It should be possible to dump it in a single step (from 0xFFC00000 to 0xFFFFFFFF there are 0x400000 values), but the dumping time will be extended proportionally.
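The two ranges above end at the last 32-bit address, which is easy to get wrong in a dump loop. The following is an added example, not code from blink_g7.rar or from the CHDK project: it splits the dump window into steps and walks an inclusive range without the address counter wrapping. The names `range_t`, `split_ranges`, `walk_range` and `est_minutes` are hypothetical, and the time estimate only scales the 45-minute figure quoted above by size.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Inclusive range, written the way the page writes them (start --> end). */
typedef struct { uint32_t start, end; } range_t;

/* Byte count of an inclusive range, in 64 bits so that +1 cannot wrap. */
uint64_t range_len(range_t r) { return (uint64_t)r.end - r.start + 1; }

/* Split [start, end] into steps of `step` bytes; returns the step count. */
size_t split_ranges(uint32_t start, uint32_t end, uint32_t step,
                    range_t *out, size_t max) {
    size_t n = 0;
    uint32_t a = start;
    if (step == 0 || start > end) return 0;
    while (n < max) {
        uint32_t left = end - a;            /* bytes after a, never wraps */
        uint32_t b = (left < step - 1) ? end : a + (step - 1);
        out[n].start = a; out[n].end = b; n++;
        if (b == end) break;
        a = b + 1;                          /* safe: b < end at this point */
    }
    return n;
}

/* Visit every address of an inclusive range. The end test comes before the
   increment: `for (a = start; a <= 0xFFFFFFFF; a++)` never terminates,
   because a wraps to 0 after the last memory address. */
uint64_t walk_range(range_t r, void (*emit)(uint32_t addr)) {
    uint64_t n = 0;
    if (r.start > r.end) return 0;
    for (uint32_t a = r.start; ; a++) {
        if (emit) emit(a);                  /* on the camera: blink this byte */
        n++;
        if (a == r.end) break;
    }
    return n;
}

/* Minutes per range, scaled from 45 min per 0x200000 bytes at DEL 1260. */
uint64_t est_minutes(range_t r) { return range_len(r) * 45 / 0x200000u; }

int main(void) {
    range_t s[8];
    size_t n = split_ranges(0xFFC00000u, 0xFFFFFFFFu, 0x200000u, s, 8);
    for (size_t i = 0; i < n; i++)
        printf("0x%08X --> 0x%08X  ~%llu min\n", (unsigned)s[i].start,
               (unsigned)s[i].end, (unsigned long long)est_minutes(s[i]));
    return 0;
}
```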
Step2 : HW circuit
The same circuit used for G7 has been used. The same load.exe was executed and the bytes counter appeared in the console.
Step3 : Dump the Original Firmware
Planning to use the same strategy as for the G7.
Preliminary results: [1]