Changes: Step by step instructions for dump

I hope it contains usefull informations for those, who has already built there serial IR sensor device but received nothing via serial port or only corrupted piece of the firmware. The solution could be: set the correct DEL value in the main.c file.

This page was born "How I did my G9 firmware dump..." I used BPW96B sensor as my serial blinker HW.

Well, this page is still under edit. --Titan_G9 15:57, 19 January 2008 (UTC)

How to dump the G9 firmware using the 'G7 serial blinker' under Win system.

Finding the LED memory addresses

Well, it's already known for G9 but could be usefull for porting new cameras to CHDK.

• First try it with known addresses. (see other cases in the Development)
• If, it's not usefull try the followings:

• Modify the the source code of the G7 blinker:

Beacuse we do not want to dump via serial at the moment only finding the led's addresses the constant value "DEL" 1260 is OK for this case for "G7 serial blinker" in "main.c"

• You can start the LED address scan from 0xC0220060 to 0xC02200FF .
• This is the main.c what I used to do this job.
• In the "make.bat" exclude the "pakwif ...." line. It's not needed. (Or use this one)
• Compile it. (Of course you need this to do it.)

• Make SD card bootable after it copy the compiled diskboot.bin to the card.
• Don't forget to close the SD card lock.
• Turn on the device in play mode.
• Be patient. It seems to be frozen, but after a while some LEDs turn on and off.

• Start a timer when you turn on the device for blinking (play mode) and record what time which led is lighted.
• Try to decrease or split the scan address range, till you can find the correct Led address(es). (The addresses of the leds are increased by 4 bytes steps.)
• If it was successfully then you can go to further steps.
• Choose the brightest led address for firmware dumping.(Probably AF)

Calibrating the serial speed DELAY in the blinker

"main.c" uses "DEL" constant for proper serial speed (9k6) dumping. See bellow to find out what is the correct value for your camera?

• Use this main.c to get the correct DEL value for the proper speed.
  • The adventure of this source is : between the "begin" and "end" strings there will be 5 numbers in HEX format.
  • For example: 00 01 02 00 09
  • It means the value is 1209
  • This value is the current value, what the program actually sends data via the led to the serial port.

• Let start with 9600bps, if no success try to decrease your speed.
• Use for example realtermas described here to set it.

• Start file capture in the realterm program (simultaneously monitor on screen also!)
• Start blinking, when the program ends the led turns off.
• After it view the captured file with a hex editor. (You can also use "Lister" and press 3 to switch to hex mode)
• Search for the FIRST correct 20 * 0x55 beginxxxxxend. sting

0x55=U character; "xxxxx" are the values what we looking for.

• If you found it (you're lucky) memorize the xxxxx values
• Search for the LAST correct 20 * 0x55 beginxxxxxend. sting
• If you found it memorize the xxxxx values

• Now make an average of this 2 values!

!!! This value is what we looking for, you have to use this in your "main.c" as "DEL" !!!

• Now you are ready to start the real firmware blinking.

For G9 the values are : (instead of 1260 in the original G7 blinker)

DEL 1209 if you plan to dump at 9600bps

DEL 2458 if you plan to dump at 4800bps (I used the last one, because of tricky interferences)

Start the firmware dump with long dummy bytes

• Now you can compile the blinker with the correct DEL value and the LED you choose. (edit main.c)
• Place your sensor as close as possible to the led.
• If there is an error when started your dump, you have a small time (approx 10 seconds) to move your sensor to the proper place and can fix it)
• Watch it in the realterm window there is no red "error" or "break" while you dumping.
• The beginning is always U characters, so you should see it in your realterm window.

• Firmware dump should be exist 4 parts 4*2MB. (In the case of G9)

0xFF800000 + 2MB ( the first 64kbyte is 0x00 so the begin of the firmware is 0xFF810000 but we cut this 64kb when we finish)

0xFFA00000 + 2MB

0xFFC00000 + 2MB

0xFFE00000 + 2MB

• Compile the blinker with the memory block you choose.

• copy "diskboot.bin" to the SD card.
• SD Lock ON!
• Realterm settings "capture overwrite"
• Start blinking.
• View it in ascii and hex mode you should see 0x55 and character "U" first,
• After a wile (15 seconds) check the file "capture.txt" containing char UUU firstly nothing else unwanted characters

and also look for the string "begin"

• If yes, it's OK.
• Leave it to do its job.
• If the led turns off check again the file, you should see the "end." string at the end of the captured file.

2MB file dump take: 40mins @9600bps; 90 mins @4800bps

So the whole firmware dump takes minimum 4*40 minutes or more.

Be careful about increasing and decreasing the speed. Can be errors in the transmition.

• After you dumped the 4 parts of the firmware from 0xFF800000 (the first 64kbyes just 0x00 so really the firmware starts from 0xFF810000 as mentioned already above)
• Use hex-editor to cut the unwanted "0x55", "begin and "end." strings. And also the first 64kbyte "0x00"

• Copy the four parts them together with binary :

copy firmware_part1.bin /b + ....2.bin /b + ....3.bin + firmware_part4.bin /b Firmware_Canon_Device_model.bin /b

Do the whole dumping procedure again and compare those two files together.

Open a command line window (run "cmd") where the two file exist and

"fc case1.bin case2.bin"

If OK. No errors. You've done it! It can be published.

--Titan_G9 15:57, 19 January 2008 (UTC)