Muttley.bd (talk | contribs) |
No edit summary |
||
Line 16: | Line 16: | ||
=== Led === |
=== Led === |
||
− | 0xc0220080: ''AF beam:'' (0x46 ON - 0x44 OFF) |
+ | 0xc0220080: ''AF beam:'' (0x46 ON - 0x44 OFF) |
− | + | 0xc0220084: ''blue print:'' (0x46 ON - 0x44 OFF) |
|
+ | 0xc0220088: ''viewfinder orange:'' (0x46 ON - 0x44 OFF) |
||
== Blinker Firmware compilation == |
== Blinker Firmware compilation == |
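Review bot: the two added lines for 0xc0220084 ("blue print") and 0xc0220088 ("viewfinder orange") repeat the 0x46 ON / 0x44 OFF values of the AF beam line without saying whether each address was checked on the camera, and the revision has no edit summary. A summary stating how the two addresses were confirmed would make the change reviewable. The label "blue print" is also ambiguous; if it means the blue LED of the print button, the line should say so.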
Revision as of 21:23, 13 January 2008
Firmware info
Version
The trick with the ver.req file works on the A550 as well, with the following result:
Canon PowerShot A550
P-ID:3150 PAL V
firmware ver GM1.00C
No error
Dec 4 2006 07:46:45
Memory map
Tested on A550 with blink G7 firmware dump.
Led
0xc0220080: AF beam: (0x46 ON - 0x44 OFF)
0xc0220084: blue print: (0x46 ON - 0x44 OFF)
0xc0220088: viewfinder orange: (0x46 ON - 0x44 OFF)
Blinker Firmware compilation
The serial port download method is the one chosen for dumping the firmware.
The blink G7 source code (main.c) must be modified in accordance with the LED memory map:
long* led=(long*)0xc0220080;
The blink G7 firmware was compiled using Cygwin, in the 'ready-to-use' environment pack downloadable here.
Before compiling, edit the last line of make.bat:
pakwif PS.FIR main 0x3150
where 0x3150 is the P-ID shown by the ver.req trick.
Firmware is dumped
I have made a dump from 0xFFC00000 to 0xFFFFFFFF, and this is the result: Firmware A550 100c
Compile the CHDK
First of all, download an svn client and then execute:
- svn checkout http://tools.assembla.com/svn/chdk/trunk chdk --> where chdk is the folder where the files are put
Use the A560 source as the base code.
- Modify the folder structure: rename platform\a560\sub\100a to platform\a550\sub\100c and loader\a560 to loader\a550
- Copy PRIMARY.BIN (the dump of the camera) into platform\a550\sub\100c
- Modify the file core\rav.h:
#elif defined (CAMERA_a620) || defined (CAMERA_a710) || defined (CAMERA_a550) || defined (CAMERA_a560)...
#define ROWPIX 3152 // for 7 MP
#define ROWS 2340 // for 7 MP
- Add the new camera to the Makefile.Inc (root folder)
PLATFORM=a550
PLATFORMSUB=100c
- Modify Makefile.Inc --> in platform\a550\sub\100c
#0x3150
PLATFORMID=12624
- Modify boot.c
Start from the function kernelInit, found with IDA and called in h_usrKernelInit. Walk back (XREF) in IDA until the function boot...
Rename the function calls with your addresses:
e.g. excVecInit => sub_FFCB6DB8
This (right or wrong) is the result:
void boot() {
    long *canon_data_src = (void*)0xFFEEB4D0;
    long *canon_data_dst = (void*)0x1900;
    long canon_data_len = 0xB540;
    long *canon_bss_start = (void*)0xCE40; // just after data
    long canon_bss_len = 0x9F2B0 - 0xCE40;
    long i;
    [...]
}

void h_usrInit() {
    asm volatile (
        "STR LR, [SP,#-4]!\n"
        "BL sub_FFC01968\n"
        "MOV R0, #2\n"
        "MOV R1, R0\n"
        "BL sub_FFCC1CEC\n" //unknown_libname_201
        "BL sub_FFCB6DB8\n" //excVecInit
        "BL sub_FFC011C4\n"
        "BL sub_FFC01728\n"
        "LDR LR, [SP],#4\n"
        "B h_usrKernelInit\n"
    );
}

void h_usrKernelInit() {
    asm volatile (
        "STMFD SP!, {R4,LR}\n"
        "SUB SP, SP, #8\n"
        "BL sub_FFCC21EC\n" //classLibInit
        "BL sub_FFCD2318\n" //taskLibInit
        "LDR R3, =0x4E60\n"
        "LDR R2, =0x9C4C0\n"
        "LDR R1, [R3]\n"
        "LDR R0, =0x9D010\n"
        "MOV R3, #0x100\n"
        "BL sub_FFCCDF08\n" //qInit
        "LDR R3, =0x4E20\n"
        "LDR R0, =0x51C0\n"
        "LDR R1, [R3]\n"
        "BL sub_FFCCDF08\n" //qInit
        "LDR R3, =0x4EDC\n"
        "LDR R0, =0x9CFE4\n"
        "LDR R1, [R3]\n"
        "BL sub_FFCCDF08\n" //qInit
        "BL sub_FFCD66D4\n" //workQInit
        "BL sub_FFC012B0\n"
        "MOV R4, #0\n"
        "MOV R3, R0\n"
        "MOV R12, #0x800\n"
        "LDR R0, =h_usrRoot\n"
        "MOV R1, #0x4000\n"
        "LDR R2, =0xCF2B0\n" // 0x9F2B0 + 0x30000
        "STR R12, [SP]\n"
        "STR R4, [SP,#4]\n"
        "BL sub_FFCCF558\n" //kernelInit
        "ADD SP, SP, #8\n"
        "LDMFD SP!, {R4,PC}\n"
    );
}

[...]

void h_usrRoot() {
    asm volatile (
        "STMFD SP!, {R4,R5,LR}\n"
        "MOV R5, R0\n"
        "MOV R4, R1\n"
        "BL sub_FFC019D0\n"
        "MOV R1, R4\n"
        "MOV R0, R5\n"
        "BL sub_FFCC6CA4\n" //memInit
        "MOV R1, R4\n"
        "MOV R0, R5\n"
        "BL sub_FFCC771C\n" //memPartLibInit
        //"BL sub_FFC017E8\n" //nullsub_1
        "BL sub_FFC01704\n"
        "BL sub_FFC01A0C\n"
        "BL sub_FFC019F0\n"
        "BL sub_FFC01A38\n"
        "BL sub_FFC019C4\n"
    );

    [...]

    asm volatile (
        "LDMFD SP!, {R4,R5,LR}\n"
        "B sub_FFC0136C\n" //IsEmptyWriteCache_2
    );
}
I'm not sure this is the correct boot.c. If anyone sees an error (in code or procedure), report it to me... thanks!
- Finish Makefile.Inc --> in platform\a550\sub\100c
MEMBASEADDR=0x1900
RESTARTSTART=0x50000
# found in the original h_usrKernelInit()
MEMISOSTART=0x9F2B0
MEMISOSIZE=0x30000
ROMBASEADDR=0xffc00000
HELP
I don't know how to find the missing functions in lib.c and stubs_entry_2.S.
- stubs_entry_2.S
#find in IDA
NHSTUB(Close, 0xFFCC5108)
NHSTUB(Remove, 0xFFCC549C)
#near unmount
NHSTUB(Mount_FileSystem, 0xFFE214C4)

#there are readv and writev?! ...is it the same?
NHSTUB(Read, 0xFFCC5334)
NHSTUB(Write, 0xFFCC53B0)

#I don't know where are they...
NHSTUB(kbd_read_keys_r2, 0xFF?)
NHSTUB(DisplayImagePhysicalScreen, 0xFF?)
NHSTUB(free, 0xFF?)
NHSTUB(SetZoomActuatorSpeedPercent, 0xFF?)
- lib.c: alone in the dark ;)
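A consistency check for the constants in the boot.c and Makefile.Inc listings and for the branch and NHSTUB addresses above, as an added example (not part of the original page or of CHDK). The rules are the relationships the page's own numbers and comments imply; the function names, rule names and the 4-byte alignment check are assumptions of this example.

```python
import re

ROM_START, ROM_END = 0xFFC00000, 0xFFFFFFFF  # dump range stated on the page
# Constants copied from the page's boot.c and Makefile.Inc.
PORT = dict(data_src=0xFFEEB4D0, data_dst=0x1900, data_len=0xB540, bss_start=0xCE40,
            bss_end=0x9F2B0, kernelinit_r2=0xCF2B0, MEMBASEADDR=0x1900,
            MEMISOSTART=0x9F2B0, MEMISOSIZE=0x30000, pid=0x3150, PLATFORMID=12624)

def in_rom(addr):
    return ROM_START <= addr <= ROM_END

def check_layout(p):
    """Return the names of the relationships between the constants that fail."""
    rules = {
        "data is copied to MEMBASEADDR": p["data_dst"] == p["MEMBASEADDR"],
        "bss starts just after data": p["data_dst"] + p["data_len"] == p["bss_start"],
        "bss ends at MEMISOSTART": p["bss_end"] == p["MEMISOSTART"],
        "kernelInit R2 is MEMISOSTART + MEMISOSIZE":
            p["MEMISOSTART"] + p["MEMISOSIZE"] == p["kernelinit_r2"],
        "data image lies inside the ROM dump":
            in_rom(p["data_src"]) and in_rom(p["data_src"] + p["data_len"] - 1),
        "PLATFORMID is the P-ID in decimal": p["pid"] == p["PLATFORMID"],
    }
    return [name for name, ok in rules.items() if not ok]

def check_addresses(source):
    """Return (symbol, reason) for each sub_XXXXXXXX / NHSTUB address that looks wrong."""
    found = [(m.group(0), m.group(1)) for m in re.finditer(r"\bsub_([0-9A-Fa-f]{8})\b", source)]
    found += re.findall(r"NHSTUB\(\s*(\w+)\s*,\s*([^)\s]+)\s*\)", source)
    problems = []
    for name, text in found:
        try:
            addr = int(text, 16)
        except ValueError:  # placeholder such as 0xFF?
            problems.append((name, "unresolved"))
            continue
        if not in_rom(addr):
            problems.append((name, "outside ROM dump"))
        elif addr % 4:  # assumption: ARM-mode code, 4-byte aligned
            problems.append((name, "misaligned"))
    return problems

# Constructed sample: three lines from the page plus one deliberately wrong branch.
SAMPLE = '''"BL sub_FFCB6DB8\\n" //excVecInit
"BL sub_FFBFFFF2\\n" //constructed bad target
NHSTUB(Close, 0xFFCC5108)
NHSTUB(free, 0xFF?)
'''
if __name__ == "__main__":
    print(check_layout(PORT), check_addresses(SAMPLE))
```

Feeding the full text of boot.c and stubs_entry_2.S to `check_addresses` lists every stub still holding a `0xFF?` placeholder.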
point of contact: http://chdk.setepontos.com/index.php/topic,230.0.html
NOTE: sorry for my english...I'm illiterate Italian man :)
[good] people
- I own an A550, and offer my time for testing, to anyone who succeeds in getting the firmware... ( idleloop-at-hotmail+dot+com)
- I also own a A550, and would be glad to offer testing time on it. (jarodthelinuxguy -at- gmail -dot- com)