Here you will find my discoveries, thoughts and tips, as I dive into the 550D firmware. This will start out very rough, as I barely know what I'm doing, but hopefully this page will take shape over time. Everything written here applies to firmware 1.0.9.

Using IDA to load firmware dump

Firstly, to obtain a Canon firmware dump, just run the Magic Lantern firmware update .fir file, and the dump should end up on the SD card. Please don't distribute it, as it is Canon's copyrighted code.

Follow this CHDK guide to load the .bin into IDA. To get the ROM address (it will differ from the one in the CHDK guide), I used the ROMBASEADDR defined in the Makefile of the Magic Lantern source (it should be 0xFF010000). You will be greeted with lots of ARM assembler! IDA will recognize subroutines and the like, but without knowing their names it will be difficult to understand what is going on. Load this IDC database to get a lot of the function names. This DryOS Porting Guide by CHDK has some great tips on how to "discover" function names through debug messages and the like.

Reading ARM Assembler

Read this great course page to get familiar with how the ARM instruction set works, and make sure to print this handy quick reference PDF with all the possible commands.

Adventures to discover Bulb mode

So, my first goal was to figure out how to get Bulb mode working, to use for accurate exposure times for time lapses. One of the great features of Magic Lantern is the ability to dump debug logs, which include a lot of messages from the Canon firmware. If one can find the relevant messages in the log, one can then find those strings in the firmware dump, cross-reference them to a subroutine that uses them, and have a good starting point for where to look. This is my first "tactic" so far.

So, for starters, I switched on my camera, rotated the dial in manual mode until I got to Bulb mode, and then dumped the debug logs, just to see if I could switch to Bulb mode through code. In the logs I found the following lines:

  1335:  6832.802 [BIND] bindReceiveSwitch (13, 0)
  1336:  6832.831 [BIND] MAIN DIAL RIGHT (0)

Since the dial hasn't been figured out yet, I decided to investigate. I searched for "bindReceiveSwitch" in IDA (it looked like 13, 0 were arguments), and found a subroutine that cross-referenced it and contained a jump table (I guess an equivalent to a switch statement), and one of the entries led to "MAIN DIAL RIGHT" being printed.
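The "tactic" above (log message, then string in the dump, then cross-reference to the code that uses it) can be automated outside IDA for a first pass. The script below is an added example and is not part of the original page or of the Magic Lantern project: it parses the log line format shown above, strips the printed arguments to recover the format string the firmware holds, locates that string in a dump, and then scans the dump for 32-bit little-endian words equal to the string's ROM address, since ARM code typically loads a string pointer with LDR Rx,=addr from a literal pool next to the function that uses it. The mini dump, its offsets and the literal pool at 0x40 are constructed for the example; ROMBASEADDR is the value named on the page.

```python
"""Added example: map Magic Lantern debug-log messages to firmware strings and
to the literal-pool words that reference them (pointer cross-references)."""
import re
import struct

ROMBASEADDR = 0xFF010000  # ROM base from the Magic Lantern Makefile, as on the page

# Constructed sample in the log format shown on the page.
SAMPLE_LOG = """\
  1335:  6832.802 [BIND] bindReceiveSwitch (13, 0)
  1336:  6832.831 [BIND] MAIN DIAL RIGHT (0)
"""

LOG_RE = re.compile(r"^\s*(\d+):\s+([\d.]+)\s+\[(\w+)\]\s+(.*?)\s*$")


def parse_log(text):
    """Return (line_no, timestamp, tag, message) for every line that matches."""
    out = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            out.append((int(m.group(1)), float(m.group(2)), m.group(3), m.group(4)))
    return out


def message_key(msg):
    """Strip a trailing '(args)' so 'MAIN DIAL RIGHT (0)' becomes the stable
    prefix 'MAIN DIAL RIGHT' that also matches the 'MAIN DIAL RIGHT (%d)' format string."""
    return re.sub(r"\s*\([^)]*\)\s*$", "", msg)


def find_string(rom, needle):
    """Byte offsets of every occurrence of `needle` in the dump."""
    pat = needle.encode("ascii")
    hits, pos = [], 0
    while True:
        i = rom.find(pat, pos)
        if i < 0:
            return hits
        hits.append(i)
        pos = i + 1


def find_xrefs(rom, offset, base=ROMBASEADDR):
    """Offsets of aligned 32-bit words holding the ROM address of `offset`.
    These are literal-pool entries an LDR Rx,=addr would load; a plain data
    word that happens to equal the address is a false positive to rule out by hand."""
    target = struct.pack("<I", base + offset)
    return [i for i in range(0, len(rom) - 3, 4) if rom[i:i + 4] == target]


def locate(log_text, rom, base=ROMBASEADDR):
    """For each log message: first string hit, its ROM address, and pointer xrefs."""
    results = {}
    for _, _, tag, msg in parse_log(log_text):
        key = message_key(msg)
        hits = find_string(rom, key)
        off = hits[0] if hits else None
        results[key] = {
            "tag": tag,
            "offset": off,
            "rom_addr": (base + off) if off is not None else None,
            "xrefs": find_xrefs(rom, off, base) if off is not None else [],
        }
    return results


def build_sample_rom():
    """Constructed mini 'dump' (hypothetical layout): two format strings and a
    literal pool at 0x40 pointing at them, as a real dump's code would."""
    rom = bytearray(0x200)
    for off, s in {0x100: b"bindReceiveSwitch (%d, %d)\0",
                   0x140: b"MAIN DIAL RIGHT (%d)\0"}.items():
        rom[off:off + len(s)] = s
    rom[0x40:0x44] = struct.pack("<I", ROMBASEADDR + 0x100)
    rom[0x44:0x48] = struct.pack("<I", ROMBASEADDR + 0x140)
    return bytes(rom)


if __name__ == "__main__":
    for key, info in locate(SAMPLE_LOG, build_sample_rom()).items():
        print(f"[{info['tag']}] {key!r}: string at ROM {info['rom_addr']:#010x}, "
              f"referenced from {[f'{x:#x}' for x in info['xrefs']]}")
```

Against a real dump, replace build_sample_rom() with the bytes of the .bin and feed in the actual log; each reported xref offset, plus ROMBASEADDR, is an address to jump to in IDA, where the enclosing subroutine is the one that emits the message. Matching on the prefix before the printed arguments matters because the firmware stores the printf-style format string, not the rendered text that appears in the log.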
