Introduction
With the 5Dm2, it was "easy" to run code on it using a custom updater (.fir file), because no real protection was applied. Since the 7D, the .fir file is digitally signed, and since version 1.1.0 a 'max update counter' exists to block further updates (see this discussion anyway). The signature scheme has been understood since January 2010.
With the 550D/T2i/Kiss X4, the updater part of the .fir file is no longer obfuscated with the 512/513-key XOR scheme but is encrypted with AES, like the update payload.
In July 2010, the 550D keys were found (see the announcement and the dedicated page).
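An added illustration (not code from this page or from the Magic Lantern project) of why the XOR scheme on the older cameras gave "no real protection", and what the signature on the 7D/550D updaters prevents: with a repeating XOR keystream, any predictable plaintext bytes (a fixed header) leak the key bytes at those positions, and once the key is known an attacker can re-obfuscate a modified updater without knowing any secret. The 16-byte key, the header, the payload and the HMAC tag below are constructed assumptions; the real 5Dm2 512/513-key layout and Canon's signature scheme are not modelled, the HMAC only stands in for a signature check that an attacker holding the XOR key still cannot pass.

```python
"""Known-plaintext recovery of a repeating XOR keystream, and why a signature stops forgery.

Added example; not Magic Lantern code. Key, header and payload are constructed.
"""
import hashlib
import hmac
from itertools import cycle

KEY_LEN = 16
KEY = bytes(range(0x10, 0x10 + KEY_LEN))       # constructed obfuscation key (assumption)
KNOWN_HEADER = b"FIRUPDATE_v1.0.8"              # constructed 16-byte header an analyst can predict
PLAIN = KNOWN_HEADER + b"\x00" * 16 + b"updater code: flash the new ROM image"
SECRET = b"constructed signing secret"          # stands in for the vendor's private signing key


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR `data` against a repeating `key`; applying it twice returns the input."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def recover_key(ciphertext: bytes, known: bytes, offset: int, key_len: int) -> bytes:
    """Recover a repeating XOR key of `key_len` bytes from plaintext `known` at `offset`.

    Every known byte yields one key byte; the known run must cover a full key period.
    """
    if len(known) < key_len:
        raise ValueError("known plaintext must cover one full key period")
    if offset + len(known) > len(ciphertext):
        raise ValueError("known plaintext runs past the end of the ciphertext")
    key = bytearray(key_len)
    for i in range(key_len):
        key[(offset + i) % key_len] = ciphertext[offset + i] ^ known[i]
    return bytes(key)


def forge_update(ciphertext: bytes, known_header: bytes, new_body: bytes) -> bytes:
    """Recover the key from the header (assumed at offset 0) and re-obfuscate a chosen body.

    No secret is needed: this is exactly why XOR obfuscation is not protection.
    """
    key = recover_key(ciphertext, known_header, 0, KEY_LEN)
    return xor_bytes(known_header + new_body, key)


def sign(blob: bytes, secret: bytes) -> bytes:
    """Stand-in for a vendor signature over the obfuscated blob (HMAC-SHA256 here)."""
    return hmac.new(secret, blob, hashlib.sha256).digest()


def verify(blob: bytes, tag: bytes, secret: bytes) -> bool:
    """Constant-time check of the tag; a forged blob fails even with the XOR key known."""
    return hmac.compare_digest(sign(blob, secret), tag)


CIPHER = xor_bytes(PLAIN, KEY)      # what ships on the card
TAG = sign(CIPHER, SECRET)          # what a signature-checking updater would verify first

if __name__ == "__main__":
    recovered = recover_key(CIPHER, KNOWN_HEADER, 0, KEY_LEN)
    print("key recovered from header:", recovered == KEY)
    forged = forge_update(CIPHER, KNOWN_HEADER, b"attacker code")
    print("forged blob accepted without signature check:", xor_bytes(forged, KEY)[:16] == KNOWN_HEADER)
    print("forged blob accepted with signature check:", verify(forged, TAG, SECRET))
```

The same recovery works from any known run of at least one key period, not only the header: the 16 zero bytes that follow it in the constructed payload leak the key just as well, which is why padding and fixed structures are as dangerous as magic strings under XOR.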
So a bootstrap "magiclantern.fir" (for 550D/1.0.8) is supplied, to be run once (as a firmware update). This custom update does nothing but enable later booting from the "autoexec.bin" file.
All Magic Lantern features are in this file, which can be recompiled.
But you cannot build "magiclantern.fir" yourself, as the non-public AES keys are required.
Development
See the main 550D page to get the source code. The source code is the best source of information.
Then use the search feature of the mailing list, which contains a LOT of information; for example, Trammel released an IDA Pro database for the 1.0.8 firmware dump.
Be sure to explore the Wiki: Aj Newmann is doing amazing work documenting the important elements and functions of the 5Dm2 2.0.4 firmware, and most of that information is relevant to the 550D.
As this is a reverse engineering project, you have to find the missing information yourself. You may ask on the list if you have really searched by yourself first.
I'll post a dump of my 550d/1.0.8 database as soon as I have finished the code/data separation and naming most functions.
This ARM toolchain has been tested successfully on a fresh Ubuntu: http://www.vmware.com/appliances/directory/542303
Trammel is really busy, so do not ask him unless it is REALLY required.
Remember that you can damage your camera (be careful with the FA_ (Factory) functions, for example).
Stay tuned and follow the mailing list; more information is coming.
550D/T2i 1.0.8 and 1.0.9 start to differ at FF355F48; before that address, function addresses are the same in both versions.
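A small added tool (not from this page or the Magic Lantern project) for the comparison described above: given two ROM dumps, it reports the ROM address of the first differing byte and the differing runs, and tells you whether an address you found in one version lies in the byte-identical region and so still holds in the other. ROM_BASE is an assumption used for illustration; pass the load address that matches your own dump. The two dumps in the demo are constructed, not real firmware.

```python
"""Locate where two firmware ROM dumps start to differ, reported as ROM addresses.

Added example, not Magic Lantern code. ROM_BASE is an assumption: use the load
address of your dump. Sample dumps below are constructed.
"""
from typing import List, Optional, Tuple

ROM_BASE = 0xFF010000  # assumed ROM load address; check it against your camera/dump
CHUNK = 0x10000        # compare 64 KiB slices first so a 16 MiB dump is not scanned byte by byte


def first_divergence(a: bytes, b: bytes, base: int = ROM_BASE) -> Optional[int]:
    """Return the ROM address of the first byte where `a` and `b` differ.

    Returns None when the dumps are identical. If one dump is a strict prefix of
    the other, the divergence is the first byte past the common length.
    """
    n = min(len(a), len(b))
    for start in range(0, n, CHUNK):
        end = min(start + CHUNK, n)
        if a[start:end] != b[start:end]:
            for i in range(start, end):
                if a[i] != b[i]:
                    return base + i
    if len(a) != len(b):
        return base + n
    return None


def diff_regions(a: bytes, b: bytes, base: int = ROM_BASE, limit: int = 16) -> List[Tuple[int, int]]:
    """Return up to `limit` (rom_address, length) runs over the common length where the dumps differ."""
    regions: List[Tuple[int, int]] = []
    n = min(len(a), len(b))
    i = 0
    while i < n and len(regions) < limit:
        if a[i] == b[i]:
            end = min(i + CHUNK, n)
            i = end if a[i:end] == b[i:end] else i + 1   # skip identical slices quickly
            continue
        start = i
        while i < n and a[i] != b[i]:
            i += 1
        regions.append((base + start, i - start))
    return regions


def address_is_stable(addr: int, a: bytes, b: bytes, base: int = ROM_BASE) -> bool:
    """True if `addr` lies before the first divergence, i.e. the bytes there are identical
    in both versions and an address found in one dump can be reused in the other."""
    if addr < base:
        return False
    d = first_divergence(a, b, base)
    return d is None or addr < d


if __name__ == "__main__":
    # Constructed dumps: 4 KiB of identical bytes, a 16-byte patched region, then identical bytes again.
    common = bytes(range(256)) * 16
    old = common + b"\xde\xad\xbe\xef" * 4 + common
    new = common + b"\xca\xfe\xba\xbe" * 4 + common
    print("first divergence at", hex(first_divergence(old, new)))   # 0xff011000
    print("regions:", [(hex(s), n) for s, n in diff_regions(old, new)])
    print("0xFF010800 stable:", address_is_stable(0xFF010800, old, new))
```

On real dumps, read both files with `open(path, "rb").read()` and pass the correct base; a result of None after a version bump usually means you compared the same file twice.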
Arm.Indy
Development pages
Working with Magic Lantern source:
- Build instructions/550D
- Extending Magic Lantern
- Debugging Magic Lantern
- Magic Lantern API
- VRAM
- Cropmarks
- Focus distance
- Auto-generated docs for Magic Lantern code (with this Doxyfile):
- AlexanderKond550D new developer joined ML team :)
- CHDK Coding Guidelines (lots of useful info)
- Focus Assist
ASM related:
- Memory Addresses
- DryOS API
- ASM introduction
- ASM Dictionary
- GPL Tools
- GPL Tools/ARM console for firmware analysis
- Emulation (qemu)
- Gensig finsig
- Properties
- Call by name
- 550d 108 StateObjects
- 550D StateObjects
- GUI Events/550D (handling key presses and other cool stuff)
- GUI menus
- GUI StringIDs
- IDAPython (obsolete, but might be useful; everything ported to GPL Tools/ARM console)
- IDAPython/Tracing_calls (obsolete, ported to GPL Tools/ARM console)