Cool. Awesome work.
Unfortunately it didn't seem to work on my battery drop fried camera, although it does work on a good camera.
FWIW, I looked in the disassembly of my firmware.bin and found that the one place that refers to $f20d and the two places that refer to $f209 are seen as data instead of code. What are the functions of those two registers?
BillW- 07-24-2005
Awsome work brite_eye!!!! My plan of putting the devkit out there and letting someone else do the hard work has come to fruition! :lol:
I'll have to update the devkit with examples for all the stuff we know so far... strobe control, reset register, LED and shutter control, and now SRAM->SDRAM and SDRAM->FLASH transfers! (with attribution to you on those ones, of course!)
brite_eye- 07-24-2005
zapped, that's odd they were in code in my 6410 disassembly - are you sure you disassembled a Red 6410 firmware? Actually f209 and f20d asic codes may not be necessary - more experiementation needed. I do not fully understand why it can write to flash and not read from flash - one theory is that somehow fat directory is made available in sdram once during initialization and only writes are needed after that (or I just didn't find the right asic register to set to 0 instead of 1). This is a risky painful process and I am hoping others will help - in the end we may be able to write a much better firmware than generated by SMaL's banked C routines.
zapped- 07-24-2005
I should have mentioned that I have only the 6520_28 and 6550_2B cameras and I am using the firmware from 6550_2B.
In order to make it disassemble correctly, is a change needed to the comments file or to the disassembler?
radarman- 07-24-2005
In a word, yes. I can send you a copy of my unfinished comments for the 6550. I only have banks 0 through 2 mapped.
brite_eye- 07-24-2005
Major Discovery!! data exists above $400000 in SDRAM!
I can dump SDRAM above $400000 using flash.s! And first block contains FAT ($7400) - offset by 16 FFs then a 0101. So my theory about not needing to read flash may be correct.
Can someone else verify using sdram.s (changing direction)?
Running sequential iterations of flash.s seems to corrupt flash at location in program, but a simple pv2tool format restores it to FFs.
I uploaded a newer version of flash.s, .pv2 to binary's site up above.
brite_eye- 07-24-2005
After 2 sleepless nights - I'd really appreciate it if a new "hacker" could combine both sdram.s and flash.s to dump complete 8mb sdram into last half of flash. It would also be nice to have an sram dumper to obtain bootloader code from an intentionally bootloadered camera. :idea:
morcheeba- 07-25-2005
great work!!! I never followed the sdram/flash routines.. I just figured out the calling parameters and trusted it did its stuff.
brite_eye- 08-13-2005
data exists above $400000 in SDRAM!
Wrong - Sorry. Stub seems to execute and move data without any error and so does PV2Tool when camera has been unlocked. But after several trials with PV2Tool it appears that range from 4M to 8M is a mirror of 0M to 4M. I used PV2Tool on unlocked camera with transfer size of $200000 and LUN = 4. My assumption is that ASIC (as eye see) is undressing or dressing behind the blinds.
Forumer™ is Voted #1 Free Forum Hosting provider
Build your own community today with the largest message board hosting company.
