   1 
   2 // Firmware file handling for Canon camera firmware dumps
   3 // Note: only supports DryOS based cameras and ARM32 code.
   4 
   5 /*
   6     General Notes:
   7         uint32_t values are addresses (as seen in the Camera)
   8         int values are indexes into the 'buf' array containing the firmware dump
   9         e.g. for a firmware dump that loads at address 0xFF810000, then
  10              the 'base' value will be 0xFF810000.
  11              the corresponding 'index' value is 0.
  12              address 0xFF810004 has an index of 1, etc.
  13  
  14         Access to the firmware dump info should be via the functions listed, not by
  15         direct access to the 'buf' array. This ensures that access is correct for
  16         cameras with an 'alt' base address, and when firmware code is copied to RAM
  17  */
  18 
// Smaller / larger of two values (type-generic, works on any comparable operands).
// Each argument is expanded twice, so never pass an expression with side effects
// (e.g. MIN(i++, n)); use plain variables or constants only.
#define MIN(a,b) ((a) < (b) ? (a) : (b))
#define MAX(a,b) ((a) > (b) ? (a) : (b))
  21 
// One contiguous run of valid words in the firmware dump. Runs are chained
// through 'next' so that empty (unloaded) blocks of the dump can be skipped.
typedef struct bufrange {
    uint32_t        *p;     // First word of the run (points into the dump)
    int             off;    // Position of the run (index convention per the notes above - confirm)
    int             len;    // Length of the run
    struct bufrange *next;  // Following run in the chain
} BufRange;
  29 
// Camera OS family, stored in firmware.os_type.
// Per the file header only DryOS cameras are actually supported by this code.
#define OS_DRYOS    0
#define OS_VXWORKS  1
  32 
// Everything known about one loaded firmware dump: the raw words, the list of
// valid ranges, and the addresses / indexes / strings the analysers extract.
// The address-vs-index convention is described in the General Notes above.
typedef struct {
    uint32_t        *buf;               // Raw dump contents (32-bit words)
    BufRange        *br, *last;         // Valid-range list ('last' presumably its tail)

    int             os_type;            // OS_DRYOS (0) or OS_VXWORKS (1)

    uint32_t        base;               // Address the firmware is loaded at in the camera
    int             main_offs;          // Offset of the main firmware from the start of the dump (DIGIC 4+ cams)
    uint32_t        memisostart;        // Start of the Canon heap (where CHDK is loaded)
    int             size;               // Firmware size as loaded from the dump
    int             fsize;              // Firmware size as determined from the start address
    int             cam_idx;            // Index of the camera name string
    uint32_t        pid_adr;            // Address of the camera ID
    int             dryos_ver;          // DryOS version, capped at the highest known revision
    int             real_dryos_ver;     // Actual DryOS version (warn when it differs from dryos_ver)
    char            *dryos_ver_str;     // DryOS version string
    char            *firmware_ver_str;  // Camera firmware version string
    char            *fw_build_date;     // Firmware build date
    char            *fw_build_time;     // Firmware build time
    int             fwver_idx;          // Index of the camera firmware version string
    int             pid;                // Camera ID
    int             maxram;             // Amount of memory in the camera
    char            *cam;               // Camera name string
    char            *ksys;              // Encryption key
    int             ksys_idx;           // Index of the encryption key in the dump
    int             dancing_bits;       // Dancing Bits number for the encryption key
    int             dancing_bits_idx;   // Index of the dancing bits data in the dump
    uint32_t        data_start;         // DATA section start in RAM
    uint32_t        data_init_start;    // DATA initialisation image start in ROM
    int             data_len;           // DATA section length
    uint32_t        uncached_adr;       // Start of the un-cached copy of RAM
    int             uncached_adr_idx;   // Index where the un-cached address was found

    // Alt copy of ROM in RAM (DryOS R50, R51)
    uint32_t        *buf2;              // Loaded firmware data that is copied
    uint32_t        base2;              // RAM address copied to
    uint32_t        base_copied;        // ROM address copied from
    int             size2;              // Size of the copied block (in words)
    int             lowest_idx;         // Lowest valid index

    // Alt copy of ROM (DryOS R51 - only seen on S110 so far)
    uint32_t        alt_base;           // Alternative base address

    // Values loaded from stubs & other files
    stub_values     *sv;
} firmware;
  80 
// Load a firmware file
// Reads 'filename' into 'fw' and fills in the fields of the 'firmware' struct.
// 'base_addr' / 'alt_base_addr' are the camera load addresses given as strings
// (presumably parsed by the loader); 'os_type' is OS_DRYOS or OS_VXWORKS.
// The dump is external input: any index derived from its contents should be
// checked with idx_valid() before the dump is read at that index.
void load_firmware(firmware *fw, const char *filename, const char *base_addr, const char *alt_base_addr, int os_type);
  83 
// Functions for analysing a firmware dump

// Check if index value is valid
// Presumably non-zero when 'i' lies inside a loaded range of the dump. Indexes
// computed from dump contents (branch targets, LDR offsets, pointer tables) are
// untrusted as far as this tool is concerned and should pass this check before
// 'buf' is read through them.
int idx_valid(firmware *fw, int i);

// Convert index to address and vice-versa
// adr2ptr() returns a pointer into the loaded dump for 'adr'.
// NOTE(review): what it returns for an address outside the dump is not visible
// here - confirm before dereferencing the result unchecked.
uint32_t idx2adr(firmware *fw, int idx);
int adr2idx(firmware *fw, uint32_t adr);
char* adr2ptr(firmware *fw, uint32_t adr);

// index correction for cams with RAM code
// (see buf2/base2/base_copied in 'firmware'; presumably remaps an index that falls
// in the copied region - confirm against the implementation)
int idxcorr(firmware *fw, int idx);
  96 
// Presumably controls how invalid-index accesses are reported; the exact
// meaning of 'n' is in the implementation - confirm before relying on it.
void set_ignore_errors(int n);
// Pointer to the word at index 'i' in the dump
uint32_t* fwadr(firmware *fw, int i);
// Get a 32 bit value from the dump at the specified index
uint32_t fwval(firmware *fw, int i);
// Extract the source register, destination register or operand2 from the instruction at the specified index
// (ARM32 data-processing encoding: Rd / Rn register numbers, or the operand2 field)
int fwRd(firmware *fw, int i);
int fwRn(firmware *fw, int i);
int fwRnMOV(firmware *fw, int i);
int fwOp2(firmware *fw, int i);
 106 
// Follow a branch (or BL) instruction to get to the called address
// idxFollowBranch() works on indexes, followBranch()/followBranch2() on addresses;
// 'offset' is presumably relative to the supplied position. The target comes from
// the instruction's immediate field in the dump, so validate the result (idx_valid())
// before reading the dump at it.
int idxFollowBranch(firmware *fw, int fidx, int offset);
uint32_t followBranch(firmware *fw, uint32_t fadr, int offset);
uint32_t followBranch2(firmware *fw, uint32_t fadr, int offset);

// Extract operand from LDR, ADR, or data processing instructions
// NOTE(review): LDR2idx returns uint32_t although indexes are 'int' elsewhere in
// this header - confirm the intended type before mixing it with idx_valid()/fwval().
uint32_t LDR2adr(firmware *fw, int offset);
uint32_t LDR2idx(firmware *fw, int offset);
uint32_t LDR2val(firmware *fw, int offset);
uint32_t ADR2adr(firmware *fw, int offset);
uint32_t ALUop2(firmware *fw, int offset);
uint32_t ALUop2a(firmware *fw, int offset);
 119 
// Test instruction at specified index
// Each returns an int flag for whether the word at 'offset' decodes as the named
// ARM32 instruction (the _cond variants presumably accept any condition code - confirm).
int isLDR_PC(firmware *fw, int offset);
int isLDR_SP(firmware *fw, int offset);
int isLDR_PC_cond(firmware *fw, int offset);
int isADR_PC(firmware *fw, int offset);
int isADR_PC_cond(firmware *fw, int offset);
int isLDMFD(firmware *fw, int offset);
int isLDMFD_PC(firmware *fw, int offset);
int isLDR(firmware *fw, int offset);
int isLDR_cond(firmware *fw, int offset);
int isADR(firmware *fw, int offset);
int isSTMFD(firmware *fw, int offset);
int isSTMFD_LR(firmware *fw, int offset);
int isSTR(firmware *fw, int offset);
int isSTR_cond(firmware *fw, int offset);
int isBX(firmware *fw, int offset);
int isBX_LR(firmware *fw, int offset);
int isBLX(firmware *fw, int offset);
int isBL(firmware *fw, int offset);
int isBL_cond(firmware *fw, int offset);
int isBLEQ(firmware *fw, int offset);
int isB(firmware *fw, int offset);
int isBorBL(firmware *fw, int offset);
int isCMP(firmware *fw, int offset);
int isMOV(firmware *fw, int offset);
int isMOV_immed(firmware *fw, int offset);
int isORR(firmware *fw, int offset);
int isADD(firmware *fw, int offset);
int isSUB(firmware *fw, int offset);

// Test whether 'adr' points at an ASCII string in the dump (heuristic; the exact
// acceptance rules are in the implementation)
int isASCIIstring(firmware *fw, uint32_t adr);
 151 
// Find a string in the firmware dump
// 'str' is presumably not modified, but the parameter is not const-qualified;
// adding 'const' here requires changing the definitions too.
int find_str(firmware *fw, char *str);
int find_Nth_str(firmware *fw, char *str, int N);
// Find the next instruction of a specified type starting at idx within len instructions
// 'inst' is one of the is*() tests above.
int find_inst(firmware *fw, int (*inst)(firmware*,int), int idx, int len);
// Find the previous instruction of a specified type starting at idx within len instructions
int find_inst_rev(firmware *fw, int (*inst)(firmware*,int), int idx, int len);
// Find the Nth instruction of a specified type starting at idx within len instructions
int find_Nth_inst(firmware *fw, int (*inst)(firmware*,int), int idx, int len, int N);
// Find the Nth previous instruction of a specified type starting at idx within len instructions
int find_Nth_inst_rev(firmware *fw, int (*inst)(firmware*,int), int idx, int len, int N);

// Find the first or next reference to a specified string in the dump
// NOTE(review): 'str_adr' is declared int although this header uses uint32_t for
// addresses - confirm whether it is really an index before passing an address.
int find_strptr_ref(firmware *fw, char *str);
int find_str_ref(firmware *fw, char *str);
int find_nxt_str_ref(firmware *fw, int str_adr, int ofst);

// Find a B or BL instruction that calls/jumps to the 'v1' address
// 'k' is the index under test; the role of 'v2' is not visible in this header.
int find_BL(firmware *fw, int k, uint32_t v1, uint32_t v2);
int find_B(firmware *fw, int k, uint32_t v1, uint32_t v2);

// Search the firmware dump calling the 'func' code to see if the current location matches what we are looking for
// find_BL()/find_B() have the callback signature search_fw() expects; 'len' bounds
// the search (same convention as find_inst()).
int search_fw(firmware *fw, int (*func)(firmware*, int, uint32_t, uint32_t), uint32_t v1, uint32_t v2, int len);
int search_fw_bytes(firmware *fw, int (*func)(firmware*, int));
