Muttley.bd (talk | contribs) |
Muttley.bd (talk | contribs) No edit summary |
||
| Line 213: | Line 213: | ||
'''POST HERE AND IN [http://chdk.setepontos.com/index.php/topic,230.msg2900.html#msg2900 FORUM] ALL YOUR COMMENT, THANK!''' |
'''POST HERE AND IN [http://chdk.setepontos.com/index.php/topic,230.msg2900.html#msg2900 FORUM] ALL YOUR COMMENT, THANK!''' |
||
| − | ...now enjoy with your new chdk features: [http://www.zshare.net/download/ |
+ | ...now enjoy with your new chdk features: [http://www.zshare.net/download/7395778a8dcccd/ CHDK for a550.rar - 0.19MB - 10 / February / 2008] |
| − | ...and if you want help: [http://www.zshare.net/download/70214759974944/ CHDK Source for a550.rar - 0.03MB] |
+ | ...and if you want help: [http://www.zshare.net/download/70214759974944/ CHDK Source for a550.rar - 0.03MB - old] |
''Stay tuned!'' |
''Stay tuned!'' |
||
| Line 231: | Line 231: | ||
''(strike text is solved)'' |
''(strike text is solved)'' |
||
| + | |||
| + | === Would you help? === |
||
| + | I have need some help ! |
||
| + | |||
| + | There are some problem in bracketing...It's needed find factory value for: |
||
| + | *'''fl_tbl (Focallenght):''' from EXIF for each zoom step (The 'Canon distance number' can also be found in the EXIF data (Look for FocusDistanceUpper (...or Focallenght) if using Phil Harvey's Exif tool)) |
||
| + | *'''aperture_size_table:''' from EXIF and ProperyCase browser (#23 or #26) at different apertures |
||
| + | *'''shutter_speeds_table:''' from EXIF and ProperyCase browser (#264 or #262) at different shutter speeds (nearly the same for different cameras) |
||
| + | |||
| + | thanks to ewavr and [http://chdk.setepontos.com/index.php/topic,300.msg2515.html#msg2515 Porting the ixus70_sd1000 ver 102a to CHDK Post] |
||
| + | |||
| + | p.s. for see property case ALT->menu->debug->Show PropCases and set prop Case page for what you want see (ex. pag. 26 for propcases 262, 264) |
||
| + | |||
| + | thanks men! |
||
== Important Notes == |
== Important Notes == |
||
Revision as of 21:21, 16 February 2008
Firmware info
Version
The trick with the ver.req file works on the A550 as well, with the following result:
Canon PowerShot A550 P-ID:3150 PAL V firmware ver GM1.00C No error Dec 4 2006 07:46:45
Memory map
Tested on A550 with blink G7 firmware dump.
Led
0xc0220080: AF beam: (0x46 ON - 0x44 OFF) 0xc0220084: blue print: (0x46 ON - 0x44 OFF) 0xc0220088: viewfinder orange: (0x46 ON - 0x44 OFF)
Blinker Firmware compilation
Serial port download solution is the choice for dump firmware.
Blink G7 source code (main.c) must be modified in according with led memory map
long* led=(long*)0xc0220080;
The blink G7 firmware was compiled using cygwin in the pack 'ready-to-use' environment downloadable here.
Before compile must be edit the last row of the make.bat.
pakwif PS.FIR main 0x3150
where 0x3150 is the P-ID viewed with ver.req trick.
Firmware is dumped
I have made dump from 0xFFC00000 to 0xFFFFFFFF adress!
NOTE: mhhhh...I see that not any others firmware is 4 Mbyte...to think and to think... EUREKA!!! :)
Raw Firmware Dump is 4 Mbyte as 0x3FFFFF...dumped with photo-transistor.
If you do:
[0xFFEEB4D0 (data_src) + 0xB540 (data_len) - 0xFFC00000 (start firmware address)]
the result is the real firmware lenght!
0x2F6A10 - in my case
Well, I had trimmed remaining part of the file...and this is the result: Firmware A550 100c
Compile the CHDK
First of all download svn clien and then execute:
- svn checkout https://tools.assembla.com/svn/chdk/trunk chdk --> where chdk is the folder where put files
Using A560 source as the base code (platform and loader).
- Modify folder structure: change folders names of platform\a560\sub\100a in platform\a550\sub\100c and loader\a560 in loader\a550
- Copy the PRIMARY.BIN in platform\a550\sub\100c (dump of the camera)
- Modify file core\rav.h:
#elif defined (CAMERA_a620) || defined (CAMERA_a710) || defined (CAMERA_a550) || defined (CAMERA_a560)... #define ROWPIX 3152 // for 7 MP #define ROWS 2340 // for 7 MP
- Add the new camera to the Makefile.Inc (root folder)
PLATFORM=a550 PLATFORMSUB=100c
- Modify Makefile.Inc --> in platform\a550\sub\100c
#0x3150 PLATFORMID=12624
- Modify boot.c
Start from function kernelinit found with IDA and called it in h_usrKernelInit. Walk back (through XREF) in IDA until function boot...
calls flow:
boot()-->h_usrInit()-->h_usrKernelInit()-->usrRoot()-->etc...(but not interest us)
|-->kernelinit()
Rename the fuction call with your address:
ex. excVecInit => sub_FFCB6DB8
this is the final result:
void boot()
{
long *canon_data_src = (void*)0xFFEEB4D0;
long *canon_data_dst = (void*)0x1900;
long canon_data_len = 0xB540;
long *canon_bss_start = (void*)0xCE40; // just after data
long canon_bss_len = 0x9F2B0 - 0xCE40;
long i;
[...]
}
void h_usrInit()
{
asm volatile (
"STR LR, [SP,#-4]!\n"
"BL sub_FFC01968\n"
"MOV R0, #2\n"
"MOV R1, R0\n"
"BL sub_FFCC1CEC\n" //unknown_libname_201
"BL sub_FFCB6DB8\n" //excVecInit
"BL sub_FFC011C4\n"
"BL sub_FFC01728\n"
"LDR LR, [SP],#4\n"
"B h_usrKernelInit\n"
);
}
void h_usrKernelInit()
{
asm volatile (
"STMFD SP!, {R4,LR}\n"
"SUB SP, SP, #8\n"
"BL sub_FFCC21EC\n" //classLibInit
"BL sub_FFCD2318\n" //taskLibInit
"LDR R3, =0x4E60\n"
"LDR R2, =0x9C4C0\n"
"LDR R1, [R3]\n"
"LDR R0, =0x9D010\n"
"MOV R3, #0x100\n"
"BL sub_FFCCDF08\n" //qInit
"LDR R3, =0x4E20\n"
"LDR R0, =0x51C0\n"
"LDR R1, [R3]\n"
"BL sub_FFCCDF08\n" //qInit
"LDR R3, =0x4EDC\n"
"LDR R0, =0x9CFE4\n"
"LDR R1, [R3]\n"
"BL sub_FFCCDF08\n" //qInit
"BL sub_FFCD66D4\n" //workQInit
"BL sub_FFC012B0\n"
"MOV R4, #0\n"
"MOV R3, R0\n"
"MOV R12, #0x800\n"
"LDR R0, =h_usrRoot\n"
"MOV R1, #0x4000\n"
"LDR R2, =0xCF2B0\n" // 0x9F2B0 + 0x30000
"STR R12, [SP]\n"
"STR R4, [SP,#4]\n"
"BL sub_FFCCF558\n" //kernelInit
"ADD SP, SP, #8\n"
"LDMFD SP!, {R4,PC}\n"
);
}
[...]
void h_usrRoot()
{
asm volatile (
"STMFD SP!, {R4,R5,LR}\n"
"MOV R5, R0\n"
"MOV R4, R1\n"
"BL sub_FFC019D0\n"
"MOV R1, R4\n"
"MOV R0, R5\n"
"BL sub_FFCC6CA4\n" //memInit
"MOV R1, R4\n"
"MOV R0, R5\n"
"BL sub_FFCC771C\n" //memPartLibInit
//"BL sub_FFC017E8\n" //nullsub_1
"BL sub_FFC01704\n"
"BL sub_FFC01A0C\n"
"BL sub_FFC019F0\n"
"BL sub_FFC01A38\n"
"BL sub_FFC019C4\n"
);
[...]
asm volatile (
"LDMFD SP!, {R4,R5,LR}\n"
"B sub_FFC0136C\n" //IsEmptyWriteCache_2
);
}
- Finish Makefile.Inc --> in platform\a550\sub\100c
MEMBASEADDR=0x1900 RESTARTSTART=0x50000 MEMISOSTART=0x9F2B0 // find in original h_usrKernelInit() MEMISOSIZE=0x30000 ROMBASEADDR=0xffc00000
I know how to find the missing fuction in lib.c and stubs_entry_2.S.
It's enought compare a precedent CHDK porting near and similar our cam.
Find in IDA (key G) address function read in source.
And with many patience (...and lucky) find in our firmware similar function, using IDA text search, hierarchic call function or some trick (ex. often after o before the missing function there are string/DCD istance)
Chaotic process, sorry :)
note: some function discover with automatic procedure are wrong...well, you must check all function in stubs_entry.S, and if you find error it's enough reinstance it in stubs_entry_2.S.
Download my source if you are interesting to commented source of: stubs_entry_2.S, lib.c and stubs_min.S.
Guide must be continued (Working in progress):
- modify/create capt_seq.c (needed for boot chdk)
- modify/create movie_rec.c
- verify keyboard map/ property case/etc..
- add some #if defined(CAMERA_XXX) around the source (out the platform folder)
- and if you are lucky man and I haven't forgot anything...this is the time for test and correct bugs!
Release (beta)
The time is come!!
IT'S VERY IMPORTANT YOUR UTILIZATION REPORT FOR FIND BUGS, PROBLEM AND STRANGE BEHAVIORS!
POST HERE AND IN FORUM ALL YOUR COMMENT, THANK!
...now enjoy with your new chdk features: CHDK for a550.rar - 0.19MB - 10 / February / 2008
...and if you want help: CHDK Source for a550.rar - 0.03MB - old
Stay tuned!
Bugs Report
Write here all your comment, bug, problem and strange behaviors:
- Error on top that says "uBasic:1 Unk stmt" whenever I try some of the bracketing scripts on the wiki and on those that work, the exposure and focus aren't changed.
Zebra mode stripes are shifted to the right (not properly aligned) and the edge is cut off and looped to the other side of the screen.Dof calculator ...i always get S/R1/R2: inf/inf/infAdd: Mode Screen Rotated / Flashlight LCD (enable it's in misc, rotate 270 in alt mode)Add Support: USB Remote Button
(strike text is solved)
Would you help?
I have need some help !
There are some problem in bracketing...It's needed find factory value for:
- fl_tbl (Focallenght): from EXIF for each zoom step (The 'Canon distance number' can also be found in the EXIF data (Look for FocusDistanceUpper (...or Focallenght) if using Phil Harvey's Exif tool))
- aperture_size_table: from EXIF and ProperyCase browser (#23 or #26) at different apertures
- shutter_speeds_table: from EXIF and ProperyCase browser (#264 or #262) at different shutter speeds (nearly the same for different cameras)
thanks to ewavr and Porting the ixus70_sd1000 ver 102a to CHDK Post
p.s. for see property case ALT->menu->debug->Show PropCases and set prop Case page for what you want see (ex. pag. 26 for propcases 262, 264)
thanks men!
Important Notes
- first of all: sorry for my english...I'm illiterate Italian man :) (if you don't find my CHDK port error...you can enjoy to correct my english grammar error)
- write me here: point of contact: http://chdk.setepontos.com/index.php/topic,230.msg2900.html#msg2900 or muttmail(AT)gmail.com
- porting is out: porting now run...I hope to find time for complete my wiki page with full porting process.
- special regards: to Rossig for all support, the only man that help ...and bear with me, thanks a lot!
- thanks: to my Babylon Translator...If you don't understand what i write, now you know!