Cameras overview
- DIGIC II
  - Axxx: A410, A430, A450, A460, A530, A540, A550, A610, A620, A630, A640, A700, A710IS
  - Sx IS: S2IS, S3IS
  - Sxx: S80
  - SDxx: SD30
  - SDxxx(IXUS): SD200, SD300, SD400, SD430, SD450, SD500, SD550, SD600, SD630, SD700IS
- DIGIC III
  - Axxx: A560, A570IS, A650IS, A720IS
  - Sx IS: S5IS
  - SDxx: SD40
  - SDxxx(IXUS): SD750, SD800IS, SD850IS, SD870IS, SD900, SD950IS, SD1000
  - SXxx: SX1000IS
  - Gx: G7, G9
- Legend
  - Black - neither original firmware nor firmware dump is available
  - Yellow - either original firmware or firmware dump is available; porting is needed
  - Green - successfully ported
Q. What are the necessary steps to port the CHDK firmware on a DIGIC II/III cam which is currently not supported?
A. Here is a basic description to give you an idea of the procedure. For more detailed explanations see the links below, especially this one.
- First you need either the original firmware or a firmware dump of your camera.
- The firmware dump can be obtained with a special firmware dumper which has to be adjusted for your camera.
- It is a firmware update file in which one of the files inside (WriterInFIR.bin) has been patched so that it writes a memory dump onto the SD card. Usually this is possible if other platform-dependent code is disabled (this includes, but is not limited to: LCD, LEDs, sound).
- Create a platform subdirectory for a new camera model/fw version (you can just copy an existing one).
- Find the addresses of the RAW-, video- and frame-buffers.
- Modify a couple of addresses and constants.
- Check the keyboard "driver" (button constants and behaviour).
- Check the addresses of autofound functions. Manually correct/find the right addresses for some of them with a disassembler like IDA Pro.
Q. How can I get a firmware dump?
A. Two methods are currently known:
Software method
- Firmware obtained by this method:
- A620, A630, A640, A710, S2IS, S3IS
The method is to make/adapt the WIF loader from the original firmware update for similar camera models. Because this loader has functions for working with files, it can simply save a dump of the original firmware to the SD card. The main problem with this method is that you have to pass all initialization stages of the original firmware in order to be able to write to the flash card.
- Are the firmware dumpers for these models available? So one could start right ahead hacking away with these firmwares, and to have an example for new models. Thanks very much, PTT 02:08, 9 July 2007 (UTC)
- There is the binary for A610e - http://vitalyb.mail333.com/a610/dump/ (I don't have sources). Also there is source code of S2/S3 dumper - http://grandag.nm.ru/hdk/dumper/ . But I did not look into it. --GrAnd 14:31, 9 July 2007 (UTC)
Hardware-software solution
- Firmware obtained by this method:
- A610, A700, A540, G7, SD630, A570IS
This method is based on 'blinking' the original firmware out through an LED of the camera. You have to make a receiver (photodiode or phototransistor), software to record the dump, a decoder, and a tiny firmware which outputs the camera's firmware through the LED. The receiver can be connected to a serial port (in this case you need to emulate a UART in the camera) or to a microphone input.
Using soundcard input
I used the microphone input. All necessary files (with sources) you can get here.
The scheme I used:
[Schematic: phototransistor (BPW96C or analog) connected to a 3.5mm plug going to the mic-in of the soundcard]
The transmitting protocol
- Header (3600 bytes) - "0123456789" sequence for visual control of data.
- Blocks - 4096 blocks of 1K data
  - Address (4 bytes) - address of the current block
  - Data (1024 bytes) - piece of firmware
  - CRC16 x 2 (4 bytes) - CRC16 of block (repeated twice)
Each byte is encoded in the following way:
where:
- Spacing between bytes
- Spacing between bits
- Wide pulse - logical "1"
- Narrow pulse - logical "0"
The usage flow:
- Connect the receiver to the microphone input of sound card.
- Run a recording application (I used Adobe Audition) with the following parameters: 96KHz (it's adjustable), 8 bit, mono.
- Point the 'blinking' LED at the receiver.
- Start the recording. Start the 'blinking' firmware.
- Wait until the process is finished (1-7 hours, depending on the speed chosen). The camera will be switched off at the end.
- Save the data to the PCM-file (8-bit unsigned raw data, not WAV!).
- Process the file by 'adc.exe <filename>'. You will get 'dump'-file.
- Run 'dec.exe'. You will get 'dump.dat'-file. This file is the firmware.
Speed/signal adjusting:
Some adjustments may be required depending on the camera/LED/receiver used. The main idea is to get a 'readable' signal as shown on the picture above.
Here are the values for certain speeds and LEDs for the A610.
A610 - AF beam, FAST (9230 baud) [96KHz]
--------------------------
fw:
  #define DELAY_SYNC 45
  #define DELAY_SPACE 50
  #define DELAY0 1
  #define DELAY1 25
decode:
  #define LEVEL_THRES_HI 0xA0
  #define LEVEL_THRES_LO 0x80
  #define LEN_SYNC 5
  #define LEN_SPACE 1
  #define LEN_0 1
  #define LEN_1 6

A610 - AF beam, SLOW (2500 baud) [96KHz]
-------------------------
fw:
  #define DELAY_SYNC 400
  #define DELAY_SPACE 100
  #define DELAY0 100
  #define DELAY1 200
decode:
  #define LEVEL_THRES_HI 0xA0
  #define LEVEL_THRES_LO 0x80
  #define LEN_SYNC 40
  #define LEN_SPACE 5
  #define LEN_0 12
  #define LEN_1 24

A610 - BLUE_led (1600 baud) [11KHz]
-------------------------
fw:
  #define DELAY_SYNC 400
  #define DELAY_SPACE 175
  #define DELAY0 150
  #define DELAY1 350
decode:
  #define LEVEL_THRES_HI 0x90
  #define LEVEL_THRES_LO 0x70
  #define LEN_SYNC 7
  #define LEN_SPACE 1
  #define LEN_0 1
  #define LEN_1 4
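A minimal decoder for the pulse-width signal described above, using the decode values listed for the A610 slow AF-beam setting. This is an added example, not the source of adc.exe or dec.exe; the reading of the LEN_* values as minimum run lengths in samples, the MSB-first bit order and the encode_pcm test-signal generator are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decoder values the page lists for "A610 - AF beam, SLOW" at 96KHz. */
#define LEVEL_THRES_HI 0xA0
#define LEVEL_THRES_LO 0x80
#define LEN_SYNC 40 /* assumed: min low samples of a gap between bytes */
#define LEN_0 12    /* assumed: min high samples of a narrow pulse (0) */
#define LEN_1 24    /* assumed: min high samples of a wide pulse (1) */

/* Decode 8-bit unsigned PCM with two-threshold hysteresis; returns bytes written. */
size_t decode_pcm(const uint8_t *pcm, size_t n, uint8_t *out, size_t cap) {
    size_t written = 0, run = 0;
    int high = 0, nbits = 0, cur = 0;
    for (size_t i = 0; i < n; i++) {
        int now = pcm[i] >= LEVEL_THRES_HI ? 1 : pcm[i] <= LEVEL_THRES_LO ? 0 : high;
        if (now == high) { run++; continue; }
        if (high && run >= LEN_0) {            /* a pulse just ended */
            cur = ((cur << 1) | (run >= LEN_1)) & 0xFF;   /* assumed: MSB first */
            if (++nbits == 8) { nbits = 0; if (written < cap) out[written++] = (uint8_t)cur; }
        } else if (!high && run >= LEN_SYNC) { /* a byte gap just ended */
            nbits = 0;                         /* drop a partial byte and resync */
        }
        high = now;
        run = 1;
    }
    return written;
}

/* Constructed test signal (not a camera capture): pulse-width encode bytes. */
size_t encode_pcm(const uint8_t *in, size_t len, uint8_t *pcm) {
    size_t p = 0;
    for (size_t i = 0; i < len; i++) {
        memset(pcm + p, 0x40, 48); p += 48;           /* gap between bytes */
        for (int b = 7; b >= 0; b--) {
            size_t w = ((in[i] >> b) & 1) ? 30 : 15;  /* wide = 1, narrow = 0 */
            memset(pcm + p, 0xC0, w); p += w;
            memset(pcm + p, 0x40, 8); p += 8;         /* gap between bits */
        }
    }
    return p;
}

int main(void) {
    uint8_t pcm[2048], out[8] = {0};
    size_t n = decode_pcm(pcm, encode_pcm((const uint8_t *)"CHDK", 4, pcm), out, 8);
    printf("%zu bytes: %s\n", n, (char *)out);
    return 0;
}
```

A byte that loses a pulse is discarded at the next byte gap, so one glitch costs one byte rather than shifting the rest of the stream.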
Serial port download solution
You can download (blink) the firmware using your computer's serial port instead of the sound card as the input device. You may need a photodiode connected to the serial port according to the following schematic:
The photodiode used is a generic one. You may need to experiment to find the distance to the camera's AF LED that works best for you; mine worked properly at about 20cm (8 inches) away, YMMV.
You also need the camera blinker and serial port loader, which you can find here. There are two parts:
- PS1.fir and PS2.fir, which are the camera blinkers for the Canon PowerShot G7. The blinker has been split in two to ease downloading in case of failure; each part takes around 40 minutes to download (for the G7). I guess you can use your camera's own blinker here instead.
- load.exe, which is the serial receiver program for your PC. The syntax is:
load <serial port #> <dump filename>
As an alternative to load.exe, you can use realterm for both monitoring the serial port and capturing the file at the same time. Make sure you configure it like this:
- Display tab: Hex + Ascii, set "Scrollback" for 2000 lines or so, increase the rows count too.
- Port tab: 9600 8N1, set your serial port number and don't forget to click on "Change".
- Capture tab: the filename you want to dump to, untick "Direct Capture" if you want to watch it going.
- Pins tab: Make sure to "Clear" DTR(4).
While capturing, you can see the file grow and the transfer rate in the status line at the bottom. It should be a figure around 800 CPS.
The real action:
- Connect the photoreceiver to the computer's serial port.
- Properly align AF led and the receiver photodiode.
- Start load.exe in a DOS terminal. You have 10 seconds to start the blinker or it will time out. Alternatively, press "start overwriting" to start the capture in realterm; there is no timeout here.
- Start the blinker "firmware" in the camera following the usual firmware update procedure. You should see the AF light turn on and load.exe writing out to the terminal...
c:> load com1 firmware.fir
Received1kbyte.
Received2kbyte.
...
Received2048kbyte.
load.exe will finish after a 10-second timeout once the blinking ends; for realterm you'll need to manually stop capturing when the AF LED goes off. For the G7 you may need to repeat the above procedure using PS2.fir to get the firmware's second part.
Links
Instruction
Vitaly's FAQ
Compiling CHDK under Linux
List of Property Cases