Introduction
Cameras based on the Digic 6 and later processors differ significantly from previous generation cameras. CHDK support for Digic 6 cameras is generally functional as of 2019, and preliminary support for Digic 7 exists as of 2020. This page collects information relevant to creating CHDK ports for Digic 6 and later cameras.
Significant differences from prior Digic versions
- The main CPU is now a Cortex R4 (armv7 architecture). Digic 7 uses a dual core Cortex A9.
- The majority of Canon firmware code is in the Thumb2 instruction set. The varying size of instructions makes disassembly significantly more difficult, and prevents existing CHDK tools from working on these firmwares.
- Several other CPUs exist, including an Xtensa core.
- The display is (probably) driven by a TAKUMI GPU, somehow connected to the Xtensa core.
- Viewport and bitmap display frame buffer formats have changed significantly.
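The variable instruction size mentioned above can be seen with a short linear sweep. This is an added example, not CHDK code: the function names are hypothetical and the sample bytes are constructed, not taken from any firmware. It uses the ARMv7 rule that a first halfword whose bits 15:11 are 0b11101, 0b11110 or 0b11111 begins a 32-bit encoding.

```python
import struct

# First-halfword prefixes (bits 15:11) that mark a 32-bit Thumb-2 encoding.
WIDE_PREFIXES = (0b11101, 0b11110, 0b11111)

def thumb2_insn_len(hw1):
    """Size in bytes of the instruction whose first halfword is hw1."""
    return 4 if (hw1 >> 11) in WIDE_PREFIXES else 2

def linear_sweep(code, start=0):
    """Return [(offset, size)] for a linear sweep of code from start."""
    out, off = [], start
    while off + 2 <= len(code):
        (hw1,) = struct.unpack_from("<H", code, off)
        size = thumb2_insn_len(hw1)
        if off + size > len(code):
            break  # 32-bit encoding cut off by the end of the buffer
        out.append((off, size))
        off += size
    return out

# Constructed sample (little-endian), not taken from any firmware:
# push {r4,lr}; bl; movs r0,#0; pop {r4,pc}; ldr.w r0,[r1,#4]; bx lr
SAMPLE = bytes.fromhex("10b5" "00f002f8" "0020" "10bd" "d1f80400" "7047")

if __name__ == "__main__":
    print("from 0:", linear_sweep(SAMPLE))
    print("from 4:", linear_sweep(SAMPLE, 4))
```

Starting at offset 4, in the middle of the bl, the sweep decodes the second half of the bl plus the following movs as one 32-bit instruction, so the real boundary at offset 6 is lost until the stream happens to resynchronize at offset 8.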
Digic 6 Processors
As mentioned above, Digic 6 contains multiple different CPUs.
Marius
The main ARM core, where CHDK and the main Canon firmware run.
For Digic 7, the processor the main firmware runs on has two cores, and is perhaps called Musa.
Zico
The Xtensa core responsible for the GPU. Strings like "mzrm" refer to Marius / Zico communication. See https://chdk.setepontos.com/index.php?topic=11316.msg128686#msg128686 and https://chdk.setepontos.com/index.php?topic=11316.msg129104#msg129104 and additional information on the Magic Lantern forum https://www.magiclantern.fm/forum/index.php?topic=26024.0
Omar
Another Cortex R4, running Thumb2 code, initialized by Marius from the Startup task. It runs its own copy of DryOS, with tasks including (depending on camera) ClockSave, OmarStop, FaceRecogTask, BA_Task and DetRecogT. It has its own connection to the camera UART, which can be accessed using the "sw" command in dryshell. This only works with a physical UART, not redirection on the main core.
Code for this core is copied from the data area of the main ROM, which can confuse analysis since valid ARM code appears at incorrect addresses. Two chunks are copied. The first, a small chunk including the reset and other exception vectors, is copied to 0xdff00000, which appears to be mapped to 16 KB TCM at address 0 on the Omar core. The second chunk, comprising the main firmware code, is copied to main RAM at an address like 0x700000 or 0x600000 (depending on model). In the main firmware code, the address appears with the uncached bit set, like 0x4070000. The Omar code uses the address without the uncached bit.
See https://chdk.setepontos.com/index.php?topic=11316.msg119473#msg119473
Tools
- Ghidra - Reverse engineering tool (disassembler, decompiler and more). CHDK specific information and helper script usage can be found in Firmware analysis with Ghidra, discussion in this forum thread.
- User:Srsa_4c/GPL:disassemblev7.pl - Perl script to disassemble a full Digic 6 ROM.
- capdis - CHDK oriented disassembly tool, based on capstone. Useful for full dump disassembly and extracting ASM code for CHDK. See Capdis Disassembly Tool for usage information. In SVN trunk.
- Finsig thumb2 - Function / variable finder for thumb2 firmware, inspired by Signature finder. In SVN trunk.
- An interactive Disassembly viewer - GUI by User:Srsa_4c
Configuring CHDK capstone tools
capdis and Finsig thumb2 depend on the capstone disassembly engine, and must be enabled in the CHDK build configuration.
Capstone version 4.0.x is recommended. A Windows build compatible with the CHDK compiler GUI and Windows toolchain is available from https://app.box.com/s/qqooc6yuofo8c9rnwafnxiu0stism7ij
The official pre-built Windows packages from the capstone download page can also be used, but may require linking to the dll import library (-lcapstone_dll) rather than the static library. In this case, the included capstone.dll must be on the path when capdis or finsig_thumb2 are run.
Capstone 3.x (3.0.4 or later) is deprecated and support will be removed from the CHDK source in the future. If used, a patch to avoid a serious bug related to blx instruction alignment is required. Using unpatched capstone 3.x versions will result in incorrect disassembly and incorrect output from Finsig_thumb2. The patch and pre-built win32 capstone library are available here: capstone-mingw-chdk-3.0.4-patched-2016-01-11_1.zip
For Linux, install using your package manager if it provides capstone 4.0, or download capstone source from the capstone download link. 4.0.x can be built and used as is, while 3.0.x must be patched using one of the capstone-...blx-align.patch files found under tools/patches in the CHDK source.
Follow the instructions in the capstone COMPILE.TXT file to build the source (essentially ./make.sh and then sudo ./make.sh install ).
To build the CHDK capstone tools, the following should be set in your localbuildconf.inc. Replace /path/to/capstone with the location where the capstone library is installed.
# Define this to enable building of tools using the capstone library (http://www.capstone-engine.org/)
# Required to rebuild stubs for thumb2 / digic 6 firmware
OPT_CAPSTONE_TOOLS=1
# Set the following if capstone includes are not in the default search path
CAPSTONE_TOOLS_INC=-I/path/to/capstone/include
# Set the following to the options required to link to the capstone library.
# At a minimum, -lcapstone or similar is required. If the library is not
# on the default search path, -L/path/to/capstone is also required
CAPSTONE_TOOLS_LINK=-L/path/to/capstone -lcapstone
NOTES:
- To build capdis, you must use make extras or make capdis (capdis.exe on Windows) in the CHDK build tree tools directory. It will be removed if you make clean, so you may wish to copy the executable elsewhere.
- The current CHDK build process will produce a warning message ( WARNING! Incorrect dissassembly is likely ) if the blx instruction alignment bug has not been correctly patched. It is very easy to miss this warning, as it will be buried deep in the build output log.
- Some Linux distros may include pre-compiled capstone packages. If it's a 3.x version it will have the blx instruction alignment bug and must not be used. If 4.0.x is available, it should work.
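For reference when checking disassembler output, the ARM architecture computes the target of a Thumb-2 BLX (immediate) from Align(PC, 4), so a BLX at an address that is not a multiple of 4 is the case where a tool that skips the alignment reports a target 2 bytes too high. The following is an added example, not CHDK or capstone code: the function name and addresses are constructed, and it is an assumption that this alignment step is what the capstone 3.x bug described above concerns.

```python
def blx_target(addr, hw1, hw2, align_pc=True):
    """Target of a Thumb-2 BLX (immediate), encoding T2, located at addr.

    align_pc=False reproduces the result of omitting Align(PC, 4).
    """
    # hw1 = 11110 S imm10H ; hw2 = 11 J1 0 J2 imm10L 0
    if (hw1 & 0xF800) != 0xF000 or (hw2 & 0xD001) != 0xC000:
        raise ValueError("not a Thumb-2 BLX (immediate)")
    s = (hw1 >> 10) & 1
    i1 = 1 - (((hw2 >> 13) & 1) ^ s)   # I1 = NOT(J1 EOR S)
    i2 = 1 - (((hw2 >> 11) & 1) ^ s)   # I2 = NOT(J2 EOR S)
    imm = ((s << 24) | (i1 << 23) | (i2 << 22)
           | ((hw1 & 0x3FF) << 12)          # imm10H
           | (((hw2 >> 1) & 0x3FF) << 2))   # imm10L, low two bits are 00
    if s:
        imm -= 1 << 25                 # sign-extend the 25-bit offset
    pc = addr + 4                      # PC reads as instruction address + 4
    if align_pc:
        pc &= ~3                       # Align(PC, 4)
    return (pc + imm) & 0xFFFFFFFF

# Constructed encoding: BLX with offset +0x100 (hw1=0xF000, hw2=0xE880).
HW1, HW2 = 0xF000, 0xE880

if __name__ == "__main__":
    for addr in (0x00100100, 0x00100102):   # constructed addresses
        good = blx_target(addr, HW1, HW2)
        bad = blx_target(addr, HW1, HW2, align_pc=False)
        print(f"{addr:#010x}: aligned {good:#010x}, unaligned {bad:#010x}")
```

Disassembling a known BLX at an address ending in 2, 6, a or e and comparing the printed target against the aligned value gives a quick check that the capstone build in use is not affected.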
ARM documentation
Ports
Known Digic 6 (and later) ports and porting attempts
Working ports
Ports with usable builds available
- SX270 / SX280 (also includes SX275) - Porting thread - The first Digic 6 port, by User:Srsa 4c
- G7 X - G7 X Porting thread
- EOS M10 - EOS M10 Porting thread
- EOS M3 - EOS M3 Porting thread
- SX60HS - SX60HS Porting thread
- G16 - G16 Porting thread
- SX710 - SX710 Porting thread
- SX700 - sx700 Porting thread
- G5 X - G5X Porting thread
- SX730 - sx730 Porting thread
- G7 X Mk2 - G7X II - need help finding led details - Preliminary Digic 7 work with running build in autobuild.
- EOS M100 - EOS M100 porting - Preliminary Digic 7 work with running builds in porting thread.
Partial ports
Other ports that were started but don't yet have published usable builds
- SX720 - sx720 Porting thread
- G1XMK2 - G1X mark ii Firmware Dump
Useful forum threads
General topics related to Digic 6 and later development
- chdk in the DIGIC6 world - General development, discussion of the different CPUs.
- finsig and other tools for thumb2 - Tools for disassembling and automatically detecting variables and functions in Digic 6 code
- Display (bitmap overlay) - Discussion of various issues related to Digic 6 display
- digic 6 motion detection - Development discussion related to motion detection support. Working code in SVN.
- Firmware Dumping / Canon EOS M5 - Initial investigation of Digic 7
- G7X II - need help finding led details. - More Digic 7 investigation
- Raw buffers in digic 6