CHDK beta available
See http://chdk.setepontos.com/index.php/topic,2042.0.html — this page should be updated ;)
CHDK porting to the SD300 has started!
First you'll need a dump of the firmware (See here)
This camera seems to be slightly different than the other platforms the CHDK has been ported to. The most similar is SD500, but some of the internal firmware functions are non-existent on the SD300. Others are just similar.
Anyway, manual effort is being made in finding the equivalents for this platform.
You can contribute by dumping (or downloading) the firmware, analyzing it with IDA, and porting the SD500 version (http://ewavr.nm.ru/chdk/ixus700.htm), changing the functions and pointers that differ.
In particular, the keyboard routines seem to be different than A620 or SD500 (the ones I've compared it to so far).
The discussion thread at the CHDK forum is here
Changes made so far
boot.c
Most of the initialization routines and addresses have been found!
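/*
 * Boot-time memory layout for the SD300 port.
 *
 * The listing was collapsed onto one line, so the first `//` comment
 * swallowed every declaration after it; one declaration per line restores
 * all five symbols.
 *
 * Every value is an absolute address or length read from an SD300 firmware
 * dump. NOTE(review): the page does not say which firmware version that dump
 * was - confirm each value against your own dump. The code that consumes
 * these symbols is not shown here; presumably it copies the data segment and
 * clears .bss using them, so a wrong value means writes to the wrong memory.
 */
long *canon_data_src = (void*)0xFFAD7700;   // This is address of "Startofdata" string on the firmware
long *canon_data_dst = (void*)0x1900;       // This is where the boot data is copied during firmware update
long canon_data_len = 0xEB60;               // This is length of data from "Startofdata" to end of firmware dump
long *canon_bss_start = (void*)0x10460;     // = 0xEB60 + 0x1900, just after data
long canon_bss_len = 0x72DC0 - 0x10460;     // The original address of h_usrKernelInit - bss start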
/*
 * First stage of the patched boot chain: saves LR, calls five firmware
 * routines by absolute address, restores LR and branches to h_usrKernelInit.
 *
 * Presumably a hand-copied version of the firmware's own usrInit with only
 * the final branch redirected - confirm against the disassembly.
 * NOTE(review): the sub_XXXXXXXX targets are addresses in one specific
 * firmware dump; on a different firmware version these BLs land in unrelated
 * code. What each routine does cannot be determined from this listing.
 */
void h_usrInit() {
    asm volatile (
        "STR LR, [SP,#-4]!\n"   // push the return address
        "BL sub_FF811B20\n"
        "MOV R0, #2\n"
        "MOV R1, R0\n"          // R0 = R1 = 2 for the next call
        "BL sub_FFABDC68\n"
        "BL sub_FFAAA238\n"
        "BL sub_FF81125C\n"
        "BL sub_FF811838\n"
        "LDR LR, [SP],#4\n"     // pop the return address
        "B h_usrKernelInit\n"   // continue in the patched kernel-init stage (no return here)
    );
}
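/*
 * Second stage of the patched boot chain.
 *
 * The listing was collapsed onto one line, so the `// 0x72DC0 + 0x30000`
 * comment swallowed the rest of the function; one instruction per line
 * restores the full sequence. No instruction has been changed.
 *
 * Calls a series of firmware routines by absolute address and finally calls
 * sub_FFACDE68 with h_usrRoot in R0. NOTE(review): the argument layout of
 * that last call (R0 routine, R1 = 0x4000, R2 = 0xA2DC0, R3 = result of
 * sub_FF811348, stack = 0x800 and 0) looks like VxWorks
 * kernelInit(rootRtn, rootMemSize, pMemPoolStart, pMemPoolEnd, intStackSize,
 * lockOutLevel) - TODO confirm in the disassembly.
 *
 * NOTE(review): R2 is 0x72DC0 + 0x30000 rather than the 0x72DC0 used for the
 * bss length. Presumably this moves the start of the firmware's memory pool
 * up by 0x30000 bytes to reserve space for CHDK - verify that the reserved
 * range really covers where CHDK is loaded, otherwise the firmware heap and
 * the CHDK image overlap.
 */
void h_usrKernelInit() {
    asm volatile (
        "STMFD SP!, {R4,LR}\n"
        "SUB SP, SP, #8\n"          // room for the two stack-passed arguments stored below
        "BL sub_FFABE168\n"
        "BL sub_FFAD0C28\n"
        "LDR R3, =0xF894\n"
        "LDR R2, =0x704A0\n"
        "LDR R1, [R3]\n"            // R1 = word stored at 0xF894
        "LDR R0, =0x7278C\n"
        "MOV R3, #0x100\n"
        "BL sub_FFACC464\n"
        "LDR R3, =0xF854\n"
        "LDR R0, =0xFC74\n"
        "LDR R1, [R3]\n"            // R1 = word stored at 0xF854
        "BL sub_FFACC464\n"
        "LDR R3, =0xF910\n"
        "LDR R0, =0x72760\n"
        "LDR R1, [R3]\n"            // R1 = word stored at 0xF910
        "BL sub_FFACC464\n"
        "BL sub_FFAD57A8\n"
        "BL sub_FF811348\n"
        "MOV R4, #0\n"
        "MOV R3, R0\n"              // result of sub_FF811348 becomes the 4th argument
        "MOV R12, #0x800\n"
        "LDR R0, =h_usrRoot\n"      // patched root routine instead of the firmware's own
        "MOV R1, #0x4000\n"
        "LDR R2, =0xA2DC0\n"        // 0x72DC0 + 0x30000
        "STR R12, [SP]\n"           // 5th argument = 0x800
        "STR R4, [SP,#4]\n"         // 6th argument = 0
        "BL sub_FFACDE68\n"
        "ADD SP, SP, #8\n"
        "LDMFD SP!, {R4,PC}\n"
    );
}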
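/*
 * Third stage of the patched boot chain: runs the firmware's root
 * initialisation calls, installs the CHDK task hooks, then branches back
 * into the firmware at sub_FF811408.
 *
 * The listing was collapsed onto one line, so the first `//` comment
 * swallowed the rest of the function; one instruction per line restores the
 * full sequence. No instruction has been changed. The routine names in the
 * trailing comments (memInit, mmPartLibInit, selectInit,
 * selTaskDeleteHookAdd) are the page author's identifications.
 *
 * NOTE(review): the function mixes a hand-written prologue/epilogue
 * (STMFD ... / LDMFD ... + B) with ordinary C calls in between and is not
 * marked naked. It therefore depends on the compiler not emitting a stack
 * frame of its own around the asm blocks - check the generated code when
 * changing compiler version or optimisation flags.
 */
void h_usrRoot() {
    asm volatile (
        "STMFD SP!, {R4,R5,LR}\n"
        "MOV R5, R0\n"              // keep both incoming arguments across the calls
        "MOV R4, R1\n"
        "BL sub_FF811BA0\n"
        "MOV R1, R4\n"
        "MOV R0, R5\n"
        "BL sub_FFAC4450\n"         // memInit
        "MOV R1, R4\n"
        "MOV R0, R5\n"
        "BL sub_FFAC4EC8\n"         // mmPartLibInit
//      "BL sub_FF811928\n"         // Initialize_MMU does not work and is not on SD500...
        "BL sub_FF811814\n"
        "MOV R0, #0x32\n"
        "BL sub_FFAC6938\n"         // selectInit
        "BL sub_FF811BE4\n"
        "BL sub_FF811BC4\n"
        "BL sub_FF811C10\n"
        "BL sub_FFAC61F8\n"         // selTaskDeleteHookAdd
        "BL sub_FF811B94\n"
    );

    // Register the CHDK hooks before control goes back to the firmware.
    // createHook, deleteHook and drv_self_hide are defined elsewhere.
    _taskCreateHookAdd(createHook);
    _taskDeleteHookAdd(deleteHook);
    drv_self_hide();

    asm volatile (
        "LDMFD SP!, {R4,R5,LR}\n"   // undo the manual prologue
        "B sub_FF811408\n"          // continue in the firmware; it returns to our caller
    );
}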
lib.c
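/*
 * SD300 platform constants: RAW hook addresses, frame buffer addresses and
 * bitmap/viewport dimensions.
 *
 * The listing was collapsed onto one line, so the first `//` comment
 * swallowed every function after it; the original line structure is
 * restored here. No value has been changed.
 *
 * All addresses are absolute and come from an SD300 firmware dump.
 * NOTE(review): the page does not state the firmware version - confirm each
 * address against your own dump.
 */

/*
 * Address used for the RAW hook function pointer.
 * NOTE(review): by the author's own comment this is still the SD500 value,
 * not one found on the SD300. Treat it as unverified: anything stored
 * through it on an SD300 goes to an address nobody has checked.
 */
void *hook_raw_fptr()
{
    return (void*)0x2F490; // NOT FOUND YET!!! 0x2F490 is from SD500...
}

/* Firmware address associated with the RAW hook return. */
void *hook_raw_ret_addr()
{
    return (void*)0xFF8D0824;
}

/* Address of the RAW image buffer. */
char *hook_raw_image_addr()
{
    return (char*)0x10A795A8; // extracted from sub_FF8B6C4C
}

/*
 * Size of the RAW image buffer. Presumably in bytes - TODO confirm; a value
 * larger than the real buffer would make RAW saving read past its end.
 */
long hook_raw_size()
{
    return 0x50D750; // extracted from sub_FF8B6C4C
}

/* Address of the live viewport frame buffer. */
void *vid_get_viewport_live_fb()
{
    return (void*)0x10B02560;
}

/* Address of the bitmap (overlay) frame buffer. */
void *vid_get_bitmap_fb()
{
    return (void*)0x108CEB20;
}

/*
 * Address of the viewport frame buffer. The commented-out returns are other
 * candidate addresses the author left in place.
 */
void *vid_get_viewport_fb()
{
    return (void*)0x10A6A760;
    //return (void*)0x10B02560;
    //return (void*)0x109CBD20;
}

/*
 * Address of the second viewport frame buffer variant ("_d").
 * NOTE(review): the page does not explain the suffix. The commented-out
 * returns are other candidate addresses the author left in place.
 */
void *vid_get_viewport_fb_d()
{
    //return (void*)0x10A6A760;
    //return (void*)0x10B02560;
    return (void*)0x109CBD20;
}

/* Width of the bitmap buffer, 360. */
long vid_get_bitmap_width()
{
    return 360;
}

/* Height of the bitmap buffer, 240. */
long vid_get_bitmap_height()
{
    return 240;
}

/*
 * Viewport height: 240 when the masked mode equals MODE_PLAY, otherwise 230.
 * mode_get, MODE_MASK and MODE_PLAY are defined elsewhere in the project.
 */
long vid_get_viewport_height()
{
    return ((mode_get()&MODE_MASK) == MODE_PLAY)?240:230;
}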
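stubs_entry_2.S
These are the functions that were not found automatically. I looked at what was defined for the SD500 and tried to find the same function in the SD300 firmware dump. Here's what I think are the right values (please correct them if I'm wrong and mark them appropriately!!). These addresses apply only to the firmware dump they were read from, so check them against your own dump before building.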
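// Hand-entered firmware entry points for the SD300 port.
//
// The listing was collapsed onto one line, so the first `//` comment
// swallowed every stub after it; one stub per line restores the table.
// No name or address has been changed.
//
// NHSTUB comes from stubs_asm.h (not shown); each line binds a function name
// to an absolute firmware address. NOTE(review): the addresses were matched
// by hand against the SD500 and the author asks for them to be corrected, so
// treat every entry as unverified until checked in the disassembly of the
// exact firmware you run. A wrong entry makes CHDK call into unrelated code.

#include "stubs_asm.h"

//Manually entered
NHSTUB(AllocateMemory, 0xFF81F56C)
NHSTUB(Close, 0xFF871688)
NHSTUB(CreatePhysicalVram, 0xFF927B0C)
NHSTUB(DisplayImagePhysicalScreen, 0xFF927098)
NHSTUB(ExecuteEventProcedure, 0xFF81756C)
NHSTUB(FreeMemory, 0xFF81F578)
NHSTUB(FreeUncacheableMemory, 0xFF8152BC)
NHSTUB(GetPropertyCase, 0xFF82CB54)
NHSTUB(Mount_FileSystem, 0xFF8702E4)
NHSTUB(Open, 0xFF87167C)
NHSTUB(Read, 0xFF8716E8)
NHSTUB(Remove, 0xFF871694)
NHSTUB(SetPropertyCase, 0xFF82CAD0)
NHSTUB(VbattGet, 0xFFA5BCC4)
NHSTUB(Write, 0xFF8716F4)
NHSTUB(free, 0xFFAC5900)

//Keyboard stuff - Check it, not very similar to SD500
NHSTUB(kbd_p1_f_cont, 0xFF830AB4)
NHSTUB(platformsub_kbd_fetch_data, 0xFF830E90)
NHSTUB(kbd_p1_1, 0xFF830A80)
NHSTUB(kbd_p1_2, 0xFF830AE8)
// NOTE(review): kbd_p1_3 is the only keyboard stub outside the 0xFF830xxx
// range used by the four entries above - worth a second look.
NHSTUB(kbd_p1_3, 0xFF829848)

// Hmmm... look similar but not exactly the same
NHSTUB(GetParameterData, 0xFF95A55C)
NHSTUB(SetParameterData, 0xFF95A49C)

//NHSTUB(GetFocusLensSubjectDistance, 0xFFA5FA64)

// Add redefinitions of auto-found functions present on SD500....
NHSTUB(GetZoomLensCurrentPoint, 0xFFA52174)
NHSTUB(GetCurrentAvValue, 0xFFA69300)
NHSTUB(GetZoomLensCurrentPosition, 0xFFA52180)
NHSTUB(GetFocusLensSubjectDistance, 0xFFA49E8C)
NHSTUB(MoveFocusLensToDistance, 0xFFA6B0EC)

//null stub
// All eight names below share one address. Presumably 0xFFAAAED0 is a
// routine that returns immediately, so these calls do nothing on the SD300 -
// confirm in the disassembly that it is a bare return.
NHSTUB(PhySw_testgpio, 0xFFAAAED0)
NHSTUB(SetZoomActuatorSpeedPercent, 0xFFAAAED0)
NHSTUB(kbd_p1_f, 0xFFAAAED0)
NHSTUB(kbd_p2_f, 0xFFAAAED0)
NHSTUB(kbd_read_keys_r2, 0xFFAAAED0)
NHSTUB(IsStrobeChargeCompleted, 0xFFAAAED0)
NHSTUB(UniqueLedOn, 0xFFAAAED0)
NHSTUB(UniqueLedOff, 0xFFAAAED0)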