Official Firmware Update Edit
Canon has released an update to version 126.96.36.199.
Where and how to get the firmware and a serial number:
File Structure Edit
The basic firmware update file structure is the same as for the HF10/100, see HF10/100 File Structure.
The differences are:
- 4 bytes at 0x10004, which need to match VEFX
- 2 bytes at 0x10008 (???)
Version 188.8.131.52 Edit
This update consists of 1 section only, although it contains code for at least two different targets.
Content Overview Edit
- 0x0 - 0x600000 First and only section, including the first unencrypted 0x10010 bytes
- 0x200000 TMP19A64C1DXBG (TX19A Core) (CCM MI-COM)
- 0x400000 FR71 (FR MI-COM)
- 0x2C footer
Interesting Addresses Edit
- 8bit monochromatic bitmaps
These bitmaps consist of a 2-byte header containing the bitmap width (first byte) and the width that the bitmaps gets stretched to when displayed. The bitmaps are always 18 pixels high and aligned to 2 bytes (probably, can't remember). All fonts are included as well.
- 0x49EC00 - 0x52719E
- bitmaps of variable size
There's a second type of bitmap with a 4-byte header, with the first 2 bytes being the bitmap width and the other 2 bytes the bitmap height. There are probably more bitmaps / bitmap sections than listed here, unfortunately it's not one continuous section.
- 0x35441A to ?? (a few ones) 1byte align
- 0x357FAC - 0x3A917F 1byte align (includes e.g. the transition effects animations)
Update Process Edit
The update process is basically the same as the HF10/100 Update Process.
The differences are:
- The filename has to be VEF[0-9].FIM
- The firmware searches for a file in descending order from 9 to 0. On the HF10/100 its 9 to 1.
IMPORTANT: the update process only updates the low 2MB of the TX19A core firmware, updating the high 2MB is a prerequisite to get full control of the camera; no known procedure exists for updating the high 2MB of the TX19A core firmware yet.
UPDATE: a hidden firmware update procedure exists that updates the camera firmware using unencrypted binary files. While it is not known how to trigger the procedure without modifying the firmware, the supposed effects are described here.
On the SD card, a special folder is used to contain these unencrypted binaries: "D:/CANON/CEV/UPDATE"
If placed in this folder three types of files are used to perform the firmware update:
"120FXXXX.APP" -> Unencrypted FR71 core 4MB firmware binary
"120TXXXX.APP" -> Unencrypted TX19A core low 2MB firmware binary (external flash)
"120ZXXXX.APP" -> Unencrypted TX19A core full 4MB firmware binary (external flash + internal flash)
Processor and architecture Edit
Fujitsu FR71 core (FR MI-COM)
FR FAMILY INSTRUCTION MANUAL http://edevice.fujitsu.com/fj/MANUAL/MANUALp/en-pdf/CM71-00101-5E.pdf
Toshiba TMP19A64C1DXBG TX19A MIPS core (CCM MI-COM)
Toshiba TX19A contained in a TMP19A64C1DXBG ASIC, a full MIPS32 capable core, with support for the MIPS16e extensions and the proprietary MIPS16e-TX extensions.
TOSHIBA TMP19A64C1 Hardware Manual http://www.semicon.toshiba.co.jp/docs/datasheet/en/MicroController/TMP19A64C1DXBG_en_datasheet_070316.pdf
TOSHIBA TMP19A64F20 Hardware Manual http://www.toshiba.com/taec/components2/Datasheet_Sync//134/26203.pdf
MIPS INSTRUCTION MANUAL http://www.cs.tau.ac.il/~afek/MipsInstructionSetReference.pdf
MIPS16 EXTENSION MANUAL http://www.weblearn.hs-bremen.de/risse/RST/docs/MIPS/MD00076-2B-MIPS1632-AFP-00.96.pdf
TX19A Core memory map Edit
0x06800036 - 0x0680003A MMIO maybe USB port
0xBFA00000 - 0xBFBFFFFF External FLASH (2MB). This is the lower 2MB block of DATA/CODE where the first block (0x000000 - 0x200000) of the FW update file is mapped to.
0xBFC00000 - 0xBFDFFFFF TMP19A64C1DXBG Internal ROM (2MB). This is another block of 2MB ROM containing additional code/data for the MIPS core, not present in the FW update file, because it is static ROM.
0xBFCA4EC8 - 0xBD0B546 this block contains MIPS16 code, more specifically code that requires the Toshiba MIPS16e-TX extension to the MIPS16 instruction set.
0xFFFD0000 - 0xFFFDFFFF RAM
- 0xFFFDAEC8 - 0xFFFDAED8 : System filesystem drivers pointers (5)
- 0xFFFDB408 - 0xFFFDB473 : I2C buffers and flags
- 0xFFFDC0C4 - 0xFFFDC282 : copy of Backup RAM
- 0xFFFDC0C7 : Backup RAM byte 3 / bit0: service mode available
- 0xFFFDCB10 : cpuif2_VIC_to_CCM_buf
- 0xFFFDCCA0 : cpuif2_CCM_to_VIC_buf
- 0xFFFD2000: Copy of low block of FLASH 0xBFA00000 (0x450 bytes) The data seem to remain constant between RAM and FLASH
- 0xFFFD2450: Copy of low block of FLASH 0xBFA04000 (0x16B0 bytes) The data seem to remain constant between RAM and FLASH
- 0xFFFD6AC4: Copy of low block of FLASH 0xBFA00450 (0x4B0 bytes) The data seems to change in RAM and differ from FLASH
- 0xFFFE0000 - 0xFFFFFFFF MMIO registers
- 0xFFFFE800 - 0xFFFFE9FC : 3V battery backed Backup RAM
For further information about the ASIC's registers, consult a combination of the Toshiba TMP19A64C1 and TMP19A64F20 Manuals.
FR71 Core memory map Edit
0x0003E000 - 0x00047FFF RAM block 0
0x00045FC0 : cpuif2_CCM_to_VIC_buf
0x00046150 : cpuif2_VIC_to_CCM_buf
0x000F0000 - 0x000FFFFF RAM block where part of the ROM code is copied to
0x00100000 - VIC processor MMIO Data Registers
0x001000F8 - VIC processor MMIO Control Register
0x00120000 - 0x00120FFF 4KB RAM - replicated every 0x1000
0x00130000 - 0x0013FFFF MMIO Likely
0x00140000 - 0x0014FFFF RAM
0x00150000 - 0x0015003F RAM Camera configuration?
0x00160000 - 0x0016FFFF RAM
0x001D0000 - 0x001D003F Copy of RAM Camera configuration?
0x002C0000 - 0x002DFFFF RAM: FR71 ROM copy from last block of the firmware update file (0x043D0000)
0x00400000 - 0x0047FFFF SRAM: 512KB
0x01000000 - 0x015FFFFF RAM: LCD Picture/Video Framebuffers (Looks like 768 x 480 x 2Bpp)
0x016C0000 - 0x016DFFFF RAM: Copy of 0x002C0000
0x01710000 - RAM shared with 1394 processor?
0x01725E00 - ???????? RAM: global data for IEEE 1394 (Firewire) communication
0x01725ED4 - 0x01725FA4 RAM: IEEE 1394 Control ROM Storage
0x01800000 - 0x0183FFFF RAM: LCD OSD Framebuffer ?
0x01840000 - 0x0187FFFF RAM: LCD OSD Framebuffer ?
0x01900000 - 0x0193FFFF RAM: LCD OSD Framebuffer 1 RAM (Looks like 512 x 288)
0x01940000 - 0x0197FFFF RAM: LCD OSD Framebuffer 2 RAM (Looks like 512 x 288)
0x01980000 - 0x0193FFFF RAM: LCD OSD Framebuffer 1 Output (64 bytes blocks?)
0x019C0000 - 0x0197FFFF RAM: LCD OSD Framebuffer 2 Output (64 bytes blocks?)
0x01A00000 - ???????? RAM: Seems to be a storage for outgoing packet in response to IEEE 1394 CSR read requests
0x02000000 - 0x02090074 MMIO: Triplet control MMIO
0x021D0000 - ???????? MMIO: Basil control MMIO
0x021E0000 - ???????? MMIO
0x021F2000 - ???????? MMIO
0x05000000 - ???????? MMIO Firewire port controls
0x04000000 - 0x043FFFFF ROM: this is the main 4MB block of DATA/CODE where the second block (0x200000 - 0x600000) of the FW update file is mapped to.
0x0420E478 - 0x0429E552 ROM: Triplets firmware (triplet_firm.V04_050722_2200.hex)
Things TODO Edit