Firmware info
The ver.req trick worked. It shows the following:
Canon PowerShot A560 P-ID:314D PAL V Firmware Ver GM1.00A No error Dec 14 2006 20:14:41
Porting the A560 1.00A
Porting Process Phase1. Dumping the Original Firmware
In progress:
Step 1: Blinker
Base Code: blink_g7.rar
Useful info: The A570 LED memory addresses (Rossig). Related: How to modify the source code to search the LED memory addresses (Rossig)
0xC02200C0 ~ 0xC02200C3 - AF-beam
0xC02200C4 ~ 0xC02200C7 - blue
0xC02200C8 ~ 0xC02200CX - orange (X not tested; presumably 0xC02200CC)
Compilation
I used a Linux box, so I followed the instructions to compile CHDK under Linux to obtain the gcc compiler for the ARM architecture.
To compile the blinker, I modified make.bat so it could be used under Linux. The trickiest part was changing
    zero | dd ....
to
    dd if=/dev/zero ... > main
To use the Windows executables, launch them using WINE.
Tips:
Baud Rate: In the original code, DEL is defined as 1260. To make the blinking easier to follow, change it to 126000 or more.
The memory address present in the G7 blinker does not work on the A560. Change it to 0xFFC00000.
The ranges to be dumped should be:
    0xFFC00000 --> 0xFFDFFFFF ( 0xFFE00000 - 1 )
    0xFFE00000 --> 0xFFFFFFFF ( last memory address )
Check this topic and GrAnd's answer.
Using DEL as 1260 (the original value), dumping takes 45 minutes per range (see the readme file inside blink_g7.rar).
It should be possible to dump it in a single step (from 0xFFC00000 to 0xFFFFFFFF there are 0x400000 addresses), but the dumping time grows proportionally.
Step 2: HW circuit
The same circuit used for the G7 has been used. The same load.exe was executed and the byte counter appeared in the console.
Step 3: Dump the Original Firmware
Planning to use the same strategy as for the G7.
The dumping process has been repeated twice. The download link is posted in the dpreview 19 thread.
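Because the ROM is dumped in two ranges and the dump was repeated twice, the natural check before moving on is to join the halves, confirm the size, locate the version string from ver.req, and compare the two runs. The script below is an added example, not part of this page or of the CHDK project; it assumes the two ranges were saved to separate files in the order given above, and the dump data it works on is constructed in memory (a 0xFF-filled image with the version string placed at a made-up offset and one flipped byte in the second run), so it runs offline.

```python
"""Sanity-check a two-range LED-blinker dump of the A560 firmware ROM.

Added example, not CHDK project code. The sample dumps below are
constructed in memory; on a real camera you would read the two range
files from disk instead.
"""
import hashlib

ROM_BASE = 0xFFC00000               # first ROM address (ROMBASEADDR)
ROM_END = 0xFFFFFFFF                # last memory address
SPLIT = 0xFFE00000                  # start of the second dump range
ROM_SIZE = ROM_END - ROM_BASE + 1   # 0x400000 bytes in total
VERSION_STRING = b"GM1.00A"         # firmware version reported by ver.req


def join_dump(low_half, high_half):
    """Concatenate the two range dumps in address order, checking sizes."""
    if len(low_half) != SPLIT - ROM_BASE:
        raise ValueError("first range must be 0x%X bytes, got 0x%X"
                         % (SPLIT - ROM_BASE, len(low_half)))
    if len(high_half) != ROM_END - SPLIT + 1:
        raise ValueError("second range must be 0x%X bytes, got 0x%X"
                         % (ROM_END - SPLIT + 1, len(high_half)))
    return low_half + high_half


def rom_to_offset(addr):
    """Map a ROM address (as shown in IDA) to an offset in PRIMARY.BIN."""
    if not ROM_BASE <= addr <= ROM_END:
        raise ValueError("0x%08X is outside the ROM" % addr)
    return addr - ROM_BASE


def find_version_string(rom):
    """Return the ROM address of the version string, or None if absent."""
    off = rom.find(VERSION_STRING)
    return None if off < 0 else ROM_BASE + off


def compare_runs(run_a, run_b, chunk=4096):
    """Return the ROM addresses at which two dump runs differ.

    A hash settles the common (identical) case cheaply; only chunks whose
    bytes differ are walked byte by byte.
    """
    if len(run_a) != len(run_b):
        raise ValueError("runs have different lengths")
    if hashlib.sha256(run_a).digest() == hashlib.sha256(run_b).digest():
        return []
    diffs = []
    for start in range(0, len(run_a), chunk):
        a, b = run_a[start:start + chunk], run_b[start:start + chunk]
        if a != b:
            diffs.extend(ROM_BASE + start + i
                         for i, (x, y) in enumerate(zip(a, b)) if x != y)
    return diffs


# --- constructed sample data (not a real dump) ---------------------------
def make_sample_runs():
    """Build two fake 4 MiB dumps; run B has one bit flipped."""
    rom = bytearray(b"\xFF" * ROM_SIZE)
    rom[0x1000:0x1000 + len(VERSION_STRING)] = VERSION_STRING  # made-up offset
    run_a = bytes(rom)
    rom[0x3182E0] ^= 0x01      # simulated read glitch at the offset of 0xFFF182E0
    run_b = bytes(rom)
    return run_a, run_b


if __name__ == "__main__":
    run_a, run_b = make_sample_runs()
    low, high = run_a[:SPLIT - ROM_BASE], run_a[SPLIT - ROM_BASE:]
    rom = join_dump(low, high)
    print("joined size 0x%X" % len(rom))
    print("version string at 0x%08X" % find_version_string(rom))
    print("runs differ at", ["0x%08X" % a for a in compare_runs(run_a, run_b)])
```

Any address reported by compare_runs is a range worth re-dumping before the image is used as PRIMARY.BIN, since a single wrong byte in the data that boot() copies to RAM is enough to make the port misbehave in ways that are hard to trace back.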
Porting Process Phase2. Porting the CHDK
dPreview thread with porting process info
Quick tips that I followed. Once confirmed and cleaned up, they will be moved to the main Adding_support_of_a_new_camera article.
Using the A570 rossig source as the base code.
- Modify the folder structure: rename all the A570-dependent folders and files to A560 1.00A
- Copy PRIMARY.BIN (the dump of the camera)
- Add the new camera to Makefile.Inc (root folder):
    PLATFORM=a560
    PLATFORMSUB=100a
- Modify Makefile.Inc --> at least the ID of the camera:
    #314D
    PLATFORMID=12621
- Modify boot.c
Missing: How to discover these code parts in IDA.
In the boot() function:
    long *canon_data_src = (void*)0xFFF182E0;
    long *canon_data_dst = (void*)0x1900;
    long canon_data_len = 0xBC40;
    long *canon_bss_start = (void*)0xD540;
    long canon_bss_len = 0xA6090 - 0xD540;
In the h_usrInit() function:
    asm volatile (
        "STR LR, [SP,#-4]!\n"
        "BL sub_FFC01964\n"
        "MOV R0, #2\n"
        "MOV R1, R0\n"
        "BL sub_FFCCB29C\n"
        "BL sub_FFCC0230\n"
        "BL sub_FFC011C4\n"
        "BL sub_FFC01724\n"
        "LDR LR, [SP],#4\n"
        "B h_usrKernelInit\n"
    );
In the h_usrKernelInit() function:
    asm volatile (
        "STMFD SP!, {R4,LR}\n"
        "SUB SP, SP, #8\n"
        "BL sub_FFCCB79C\n"      // classLibInit
        "BL sub_FFCDB8C8\n"      // taskLibInit
        "LDR R3, =0x4F28\n"
        "LDR R2, =0xA3200\n"
        "LDR R1, [R3]\n"
        "LDR R0, =0xA3D50\n"
        "MOV R3, #0x100\n"
        "BL sub_FFCD74B8\n"      // qInit
        "LDR R3, =0x4EE8\n"
        "LDR R0, =0x5288\n"
        "LDR R1, [R3]\n"
        "BL sub_FFCD74B8\n"      // qInit
        "LDR R3, =0x4FA4\n"
        "LDR R0, =0xA3D24\n"
        "LDR R1, [R3]\n"
        "BL sub_FFCD74B8\n"      // qInit
        "BL sub_FFCDFC84\n"      // workQInit
        "BL sub_FFC012AC\n"
        "MOV R4, #0\n"
        "MOV R3, R0\n"
        "MOV R12, #0x800\n"
        "LDR R0, =h_usrRoot\n"   // sub_FFC01A5C
        "MOV R1, #0x4000\n"
        "LDR R2, =0xD6090\n"     // 0xA6090+0x30000
        "STR R12, [SP]\n"
        "STR R4, [SP,#4]\n"
        "BL sub_FFCD8B08\n"      // kernelInit
        "ADD SP, SP, #8\n"
        "LDMFD SP!, {R4,PC}\n"
    );
In the h_usrRoot() function:
    asm volatile (
        "STMFD SP!, {R4,R5,LR}\n"
        "MOV R5, R0\n"
        "MOV R4, R1\n"
        "BL sub_FFC019CC\n"
        "MOV R1, R4\n"
        "MOV R0, R5\n"
        "BL sub_FFCD0254\n"      // memInit
        "MOV R1, R4\n"
        "MOV R0, R5\n"
        "BL sub_FFCD0CCC\n"      // memPartLibInit
    //  "BL nullsub_2\n"         // this is an empty function, can be removed
        "BL sub_FFC01700\n"
        "BL sub_FFC01A08\n"
        "BL sub_FFC019EC\n"
        "BL sub_FFC01A34\n"
        "BL sub_FFC019C0\n"
    );
    _taskCreateHookAdd(createHook);
    _taskDeleteHookAdd(deleteHook);
    drv_self_hide();
    asm volatile (
        "LDMFD SP!, {R4,R5,LR}\n"
        "B sub_FFC01368\n\n"
    );
- Finish Makefile.Inc
Check the boot() function in boot.c. Missing: How to discover these numbers in IDA.
    MEMBASEADDR=0x1900
    RESTARTSTART=0x50000
    MEMISOSTART=0xA6090
    MEMISOSIZE=0x30000
    ROMBASEADDR=0xffc00000
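The boot.c constants and the Makefile.Inc values describe one RAM layout, so they have to agree with each other: the copied data block must end exactly where the BSS starts, the BSS must end at MEMISOSTART, and MEMISOSTART plus MEMISOSIZE must equal the memory top handed to kernelInit in h_usrKernelInit. The script below is an added example, not CHDK project code; it only uses the numbers given above for the A560 1.00A and checks those relations, which catches a mis-read digit from IDA before it turns into a boot failure on the camera.

```python
"""Cross-check the boot.c constants against the Makefile.Inc values.

Added example, not CHDK project code. All numbers are the A560 1.00A
values from the port notes; the checks encode the layout relations
that must hold between them.
"""

ROM_BASE = 0xFFC00000
ROM_SIZE = 0x400000

# Values from boot() in boot.c
CANON_DATA_SRC = 0xFFF182E0
CANON_DATA_DST = 0x1900
CANON_DATA_LEN = 0xBC40
CANON_BSS_START = 0xD540
CANON_BSS_LEN = 0xA6090 - 0xD540

# Values from Makefile.Inc
MEMBASEADDR = 0x1900
RESTARTSTART = 0x50000
MEMISOSTART = 0xA6090
MEMISOSIZE = 0x30000
ROMBASEADDR = 0xFFC00000

# Memory top passed to kernelInit in h_usrKernelInit (LDR R2, =0xD6090)
KERNEL_MEM_TOP = 0xD6090


def check_layout(data_src=CANON_DATA_SRC, data_dst=CANON_DATA_DST,
                 data_len=CANON_DATA_LEN, bss_start=CANON_BSS_START,
                 bss_len=CANON_BSS_LEN, membase=MEMBASEADDR,
                 isostart=MEMISOSTART, isosize=MEMISOSIZE,
                 rombase=ROMBASEADDR, mem_top=KERNEL_MEM_TOP):
    """Return a list of readable problems; an empty list means consistent."""
    problems = []
    if data_dst != membase:
        problems.append("MEMBASEADDR 0x%X != data destination 0x%X"
                        % (membase, data_dst))
    if data_dst + data_len != bss_start:
        problems.append("initialised data ends at 0x%X but BSS starts at 0x%X"
                        % (data_dst + data_len, bss_start))
    if bss_start + bss_len != isostart:
        problems.append("BSS ends at 0x%X but MEMISOSTART is 0x%X"
                        % (bss_start + bss_len, isostart))
    if isostart + isosize != mem_top:
        problems.append("MEMISOSTART+MEMISOSIZE = 0x%X but kernelInit gets 0x%X"
                        % (isostart + isosize, mem_top))
    if rombase != ROM_BASE:
        problems.append("ROMBASEADDR 0x%X is not the dump base 0x%X"
                        % (rombase, ROM_BASE))
    src_off = data_src - rombase
    if src_off < 0 or src_off + data_len > ROM_SIZE:
        problems.append("data source 0x%X..0x%X does not fit inside the ROM dump"
                        % (data_src, data_src + data_len))
    return problems


def data_source_file_offset():
    """Offset in PRIMARY.BIN of the block that boot() copies to RAM."""
    return CANON_DATA_SRC - ROMBASEADDR


def region_of(addr):
    """Name the RAM region an address falls in, according to the layout."""
    if CANON_DATA_DST <= addr < CANON_DATA_DST + CANON_DATA_LEN:
        return "data"
    if CANON_BSS_START <= addr < CANON_BSS_START + CANON_BSS_LEN:
        return "bss"
    if MEMISOSTART <= addr < MEMISOSTART + MEMISOSIZE:
        return "iso"
    return "other"


if __name__ == "__main__":
    for p in check_layout() or ["layout is consistent"]:
        print(p)
    print("data source is at file offset 0x%X" % data_source_file_offset())
    print("RESTARTSTART 0x%X lies in the %s region" % (RESTARTSTART, region_of(RESTARTSTART)))
```

Pass different keyword arguments to check_layout when you are reading a fresh set of numbers out of IDA; every relation that fails is reported rather than stopping at the first, which makes it easier to see whether one wrong value or several are involved.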
- Modify lib.c
Missing: How to discover these numbers in IDA.
    char *hook_raw_image_addr()
    {
        return (char*)0x10E6C640;     // SS_DumpImgPrcssBuf
    }

    long hook_raw_size()
    {
        return 0x8CAE10;              // 7 mpx
    }

    void *vid_get_viewport_live_fb()
    {
        return (void*)0x0;
    }

    void *vid_get_bitmap_fb()
    {
        return (void*)0x10361000;     // bmpdev.c
    }

    void *vid_get_viewport_fb()
    {
        return (void*)(0x10657A00);   // (0x10400000+0x1BC000+0x3C00); //0x105BFC00
    }

    void *vid_get_viewport_fb_d()
    {
        return (void*)(*(int*)0x7BBF0);   // ImagePlayer.c
    }
- stubs files
- In stubs_entry.S, the autodetected functions are stored. Some of them may be detected wrongly; check them in IDA.
- In stubs_entry_2.S, the overridden functions or the functions that were not detected must be added manually. Check the names in IDA.
- When linking CHDK, some undefined sub_XXXXXXXX functions usually appear. This relates to the stubs_auto.S file. Check Compiling_CHDK_under_Windows#Undefined_reference_to_.60sub_....27. To solve it, open the file and add the unresolved addresses to it following the same schema:
    STUB(FFCB4532)
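Collecting the unresolved sub_XXXXXXXX names by hand is error-prone when there are many of them, and a stray address outside the ROM range usually means a mistyped stub name rather than a missing one. The script below is an added example, not CHDK project code: it pulls the addresses out of the linker output (the "undefined reference to `sub_XXXXXXXX'" wording of GNU ld that the wiki section name above refers to), drops the ones already present in stubs_auto.S, and prints the STUB() lines to append. The linker log excerpt and the stubs_auto.S contents it works on are constructed samples; only FFCB4532 comes from this page.

```python
"""Generate the STUB() lines that stubs_auto.S still lacks.

Added example, not CHDK project code. The log excerpt and the existing
stubs_auto.S contents below are constructed samples.
"""
import re

ROM_BASE = 0xFFC00000
ROM_END = 0xFFFFFFFF

UNDEF_RE = re.compile(r"undefined reference to `sub_([0-9A-Fa-f]{8})'")
STUB_RE = re.compile(r"^\s*STUB\(([0-9A-Fa-f]{8})\)", re.MULTILINE)


def unresolved_subs(link_log):
    """Sorted, de-duplicated addresses referenced as sub_XXXXXXXX in the log."""
    found = set()
    for m in UNDEF_RE.finditer(link_log):
        addr = int(m.group(1), 16)
        if not ROM_BASE <= addr <= ROM_END:
            raise ValueError("sub_%08X is outside the ROM; check the stub name"
                             % addr)
        found.add(addr)
    return sorted(found)


def existing_stubs(stubs_auto_text):
    """Addresses already declared with STUB(...) in stubs_auto.S."""
    return {int(a, 16) for a in STUB_RE.findall(stubs_auto_text)}


def missing_stub_lines(link_log, stubs_auto_text):
    """STUB(...) lines to append, skipping addresses that are already present."""
    present = existing_stubs(stubs_auto_text)
    return ["STUB(%08X)" % a
            for a in unresolved_subs(link_log) if a not in present]


# --- constructed sample input (FFC01234 and FFD00010 are made up) ---------
SAMPLE_LINK_LOG = """\
boot.o: In function `h_usrInit':
boot.c:(.text+0x14): undefined reference to `sub_FFCB4532'
boot.o: In function `h_usrKernelInit':
boot.c:(.text+0x5c): undefined reference to `sub_FFC01234'
boot.c:(.text+0x60): undefined reference to `sub_FFCB4532'
lib.o: In function `vid_get_viewport_fb':
lib.c:(.text+0x8): undefined reference to `sub_FFD00010'
"""

SAMPLE_STUBS_AUTO = """\
STUB(FFC01234)
"""

if __name__ == "__main__":
    for line in missing_stub_lines(SAMPLE_LINK_LOG, SAMPLE_STUBS_AUTO):
        print(line)
```

Run it with the real linker output and the current stubs_auto.S, append what it prints, and link again; repeated references to the same address collapse to one STUB() line, and an address that does not fall between 0xFFC00000 and 0xFFFFFFFF is refused instead of being written into the file.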