Magic Lantern Firmware Wiki

DIGIC VI

QEMU log:

FC000008: MCR p15,0,Rd,cr6,cr2,0:       RGNR <- 0x0
FC000010: MCR p15,0,Rd,cr6,cr1,0:      DRBAR <- 0x0
FC000018: MCR p15,0,Rd,cr6,cr1,2:       DRSR <- 0x3F
FC000020: MCR p15,0,Rd,cr6,cr1,4:      DRACR <- 0x320
FC000028: MCR p15,0,Rd,cr1,cr0,0:      SCTLR <- (old & ~0x20000) | 0x1 => 0x2001 (enable MPU, disable background region; hivecs is enabled)
FE020040: MCR p15,0,Rd,cr9,cr1,1:       BTCM <- (old & 0x7D) | 0x1
FE025884: MCR p15,0,Rd,cr6,cr2,0:       RGNR <- 0x1
FE02588C: MCR p15,0,Rd,cr6,cr1,0:      DRBAR <- 0x0
FE025894: MCR p15,0,Rd,cr6,cr1,4:      DRACR <- 0x329
FE02589C: MCR p15,0,Rd,cr6,cr1,2:       DRSR <- 0x3B
FE0258A4: MCR p15,0,Rd,cr6,cr2,0:       RGNR <- 0x2
FE0258AC: MCR p15,0,Rd,cr6,cr1,0:      DRBAR <- 0xBFE00000
FE0258B4: MCR p15,0,Rd,cr6,cr1,4:      DRACR <- 0x324
FE0258BC: MCR p15,0,Rd,cr6,cr1,2:       DRSR <- 0x29
FE0258C4: MCR p15,0,Rd,cr6,cr2,0:       RGNR <- 0x4
FE0258CC: MCR p15,0,Rd,cr6,cr1,0:      DRBAR <- 0xDFE00000
FE0258D4: MCR p15,0,Rd,cr6,cr1,4:      DRACR <- 0x324
FE0258DC: MCR p15,0,Rd,cr6,cr1,2:       DRSR <- 0x29
FE0258E4: MCR p15,0,Rd,cr6,cr2,0:       RGNR <- 0x5
FE0258EC: MCR p15,0,Rd,cr6,cr1,0:      DRBAR <- 0xEE000000
FE0258F4: MCR p15,0,Rd,cr6,cr1,4:      DRACR <- 0x329
FE0258FC: MCR p15,0,Rd,cr6,cr1,2:       DRSR <- 0x31
FE025904: MCR p15,0,Rd,cr6,cr2,0:       RGNR <- 0x6
FE02590C: MCR p15,0,Rd,cr6,cr1,0:      DRBAR <- 0xFE000000
FE025914: MCR p15,0,Rd,cr6,cr1,4:      DRACR <- 0x329
FE02591C: MCR p15,0,Rd,cr6,cr1,2:       DRSR <- 0x31
FE025924: MCR p15,0,Rd,cr6,cr2,0:       RGNR <- 0x3
FE02592C: MCR p15,0,Rd,cr6,cr1,0:      DRBAR <- 0xC0000000
FE025934: MCR p15,0,Rd,cr6,cr1,4:      DRACR <- 0x305
FE02593C: MCR p15,0,Rd,cr6,cr1,2:       DRSR <- 0x3B
FE025944: MCR p15,0,Rd,cr15,cr5,0:       UNK <- 0x0
FE025944: MCR p15,0,Rd,cr1,cr0,0:      SCTLR <- (old & ~0x1002000) | 0x1004 => 0x1005 (clear VE, disable hivecs, enable instruction and data caches)
FE020400: MCR p15,0,Rd,cr9,cr1,0:       ATCM <- (old & 0x7D) | 0x80000001
[      init:fe237fa9 ] Memory region: start=00000000 end=00000000 flags=00000001
[      init:fe237fbf ] Memory region: start=00000000 end=00000000 flags=00000002
[      init:fe237fcb ] Memory region: start=E0000000 end=FFFFFFFF flags=00000020
[      init:fe237ffd ] Memory region: start=FE000000 end=FFFFFFFF flags=00000008
[      init:fe237ffd ] Memory region: start=EE000000 end=EFFFFFFF flags=00000008
[      init:fe237ffd ] Memory region: start=DFE00000 end=DFFFFFFF flags=00000004
[      init:fe237ffd ] Memory region: start=C0000000 end=FFFFFFFF flags=00000010
[      init:fe237ffd ] Memory region: start=BFE00000 end=BFFFFFFF flags=00000004
[      init:fe237ffd ] Memory region: start=00000000 end=3FFFFFFF flags=00000008
[      init:fe237ffd ] Memory region: start=00000000 end=FFFFFFFF flags=00000004
[      init:fe237e5f ] Memory region: start=00000000 end=FFFFFFFF flags=00000000

Register Description

RGNR = MPU Region Number Register 
DRBAR = Data Region Base Address Register 
DRSR = Data Region Size and Enable Register 
DRACR = Data Region Access Control Register 
SCTLR = System Control Register (?) 
ATCM = DTCMRR = Data TCM Region Register (TCM = Tightly Coupled Memory)
BTCM = ITCMRR = Instruction or unified TCM Region Register

region base size end info
0 0x0 0x100000000 (4Gb) 0x100000000 non-shareable, can contain executable code, PL1:R/W PL0:R/W, cacheable: inner non-cacheable, outer non-cacheable

SCTLR: V(High exception vectors (Hivecs), base address 0xFFFF0000), M(MPU enabled)

TCM: ITCMRR, (current Instruction or unified Region Register) - enabled, base address=0x0(given as the physical address of the TCM in the memory map), size=unknown

1 0x0 0x40000000 (1Gb) 0x40000000 non-shareable, can contain executable code, PL1:R/W PL0:R/W, cacheable: outer Write-Back, Write-Allocate; inner Write-Back, Write-Allocate
2 0xBFE00000 0x200000 (2Mb) 0xC0000000 shareable, PL1:R/W PL0:R/W, can contain executable code, cacheable: inner non-cacheable, outer non-cacheable
3 0xC0000000 0x40000000 (1Gb) 0x100000000 shareable, can contain executable code, PL1:R/W PL0:R/W, Shareable Device (memory type: Device)

SCTLR: I(Instruction caches enabled), C(Data and unified caches enabled), M(MPU enabled)

TCM: DTCMRR, (current Data TCM Region Register) - enabled, base address=0x80000 (given as the physical address of the TCM in the memory map), size=unknown

4 0xDFE00000 0x200000 (2Mb) 0xE0000000 shareable, PL1:R/W PL0:R/W, can contain executable code, cacheable: inner non-cacheable, outer non-cacheable
5 0xEE000000 0x2000000 (32Mb) 0xF0000000 non-shareable, can contain executable code, PL1:R/W PL0:R/W, cacheable: outer Write-Back, Write-Allocate; inner Write-Back, Write-Allocate
6 0xFE000000 0x2000000 (32Mb) 0x100000000 non-shareable, can contain executable code, PL1:R/W PL0:R/W, cacheable: outer Write-Back, Write-Allocate; inner Write-Back, Write-Allocate


Here is an attempt to describe the firmware's memory usage.

Digic IV

start length name description
0x800000 updater location
0xf0010000 0x540000? copy of 0xff010000
0xf8000000 0x10000 Flags and config area*. copy of 0xff800000
.0xf8000000 4? 0=enableMainFirmware, -1=disableMainFirmware
.0xf8000004 4? 0=disableBootdisk, -1=enableBootdisk
.0xf800000c 4? 0=disableFirmware, -1=enableFirmware
0xf8010000 0x540000 with single Digic? Main firmware. copy of 0xff810000 for dual Digic camera, a second and shorter firmware (<0x1c0000 bytes) is targeted at 0xf8010000.
0xf8300000 about 0x35000 FixData. only for 2nd Digic with shorter firmware? seen in 7d 121 update. 1st patch. Identical to data targeted to 0xf8910000
0xf85b0000 about 0x1f0000 ? seen in 7d 121 update
0xf8760000 0x60000 or 0x30000 FPGA config*.
0xf8790000 0x60000 or 0x30000 FPGA config? seen with 1dm4 106. same length as 0xf8760000 content. only for dual digic.
0xf87c0000 0x20000 Bind resource*
0xf87e0000 0x10000 Bootrom cipher extension*
0xf87f0000 0x10000 Bootloader (bootrom)*
0xf88f0000 0x20000 RingData
0xf8910000 0x40000 FixData
0xf8950000 0x20000?
0xf8970000 0x30000 RasenData
0xf8a00000 0x2c0000 TuneData
.0xf8eb0000 ? LensData.
0xf8cc0000 ? ?
0xff010000 0x540000? Main firmware (500D/T1i, 7D)

(*) from this message on the CHDK forum: 5D Mark II by memset (14Mar2009)

Digic IV EOS ROM map

0xF8000000 - ROM0 (64Mb)
0xF0000000 - ROM1 (32Mb)

0xF8000000 - 0xF0010000 - Flags & config area
0xF8010000 - 0xF874FFFF - User area
0xF8760000 - 0xF87BFFFF - FPGA config
0xF87C0000 - 0xF7DFFFFF - Bind resource 
0xF87E0000 - 0xF87EFFFF - Bootrom cipher extension
0xF87F0000 - 0xF87FFFFF - Bootloader (bootrom)

FPGA config area: byte-by-byte interleaved bitstreams: 
bitstream 0: Xilinx Spartan-3E XC3S250E 
bitstream 1: Xilinx Spartan-3E XC3S100E


See also Setting up memory maps hudson (9May2009)

The MPU region setup code is shown below for the 5D Mark II 1.0.7 and the 7D 1.1.0:


5D Mark II, 1.0.7

;http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.ddi0201d/I1039570.html
;Register 6, Protection Region Base and Size Registers
 ROM:FFFF2368
 MOV     R0, #0x3F          ;region0, 0x3f=0011 1111 : base=0, size=4Gb (0xffff ffff)
 MCR     p15, 0, R0,c6,c0
 MOV     R0, #0x3D          ;region1, 0x3d=0011 1101 : base=0, size=2Gb (0x8000 0000)
 MCR     p15, 0, R0,c6,c1
 LDR     R0, =0xE0000039    ;region2, 0x39=0011 1001 : base=0xe000 0000, size=512Mb (0x2000 0000)
 MCR     p15, 0, R0,c6,c2
 MOV     R0, #0xC0000039    ;region3, 0x39=0011 1001 : base=0xc000 0000, size=512Mb (0x2000 0000)
 MCR     p15, 0, R0,c6,c3
 LDR     R0, =unk_FF80002D  ;region4, 0x2D=0010 1101 : base=0xff80 0000, size=8Mb (0x0080 0000)
 MCR     p15, 0, R0,c6,c4
 MOV     R0, #0x39          ;region5, 0x39=0011 1001 : base=0, size=512Mb (0x2000 0000)
 MCR     p15, 0, R0,c6,c5
 LDR     R0, =0xF780002D    ;region6, 0x2d=0010 1101 : base=0xf780 0000, size=8Mb (0x0080 0000)
 MCR     p15, 0, R0,c6,c6

7D, 1.1.0

ROM:FFFF2364                 MOV     R0, #0x3F          ;region0, 0x3f=0011 1111 : base=0, size=4Gb (0xffff ffff)
ROM:FFFF2368                 MCR     p15, 0, R0,c6,c0
ROM:FFFF236C                 MOV     R0, #0x3D          ;region1, 0x3d=0011 1101 : base=0, size=2Gb (0x8000 0000)
ROM:FFFF2370                 MCR     p15, 0, R0,c6,c1
ROM:FFFF2374                 LDR     R0, =0xE0000039    ;region2, 0x39=0011 1001 : base=0xe000 0000, size=512Mb (0x2000 0000)
ROM:FFFF2378                 MCR     p15, 0, R0,c6,c2
ROM:FFFF237C                 MOV     R0, #0xC0000039    ;region3, 0x39=0011 1001 : base=0xc000 0000, size=512Mb (0x2000 0000)
ROM:FFFF2380                 MCR     p15, 0, R0,c6,c3
ROM:FFFF2384                 LDR     R0, =unk_FF80002F  ;region4, 0x2F=0010 1111 : base=0xff80 0000, size=16Mb (0x0100 0000)
ROM:FFFF2388                 MCR     p15, 0, R0,c6,c4
ROM:FFFF238C                 MOV     R0, #0x39          ;region5, 0x39=0011 1001 : base=0, size=512Mb (0x2000 0000)
ROM:FFFF2390                 MCR     p15, 0, R0,c6,c5
ROM:FFFF2394                 MOV     R0, #0x8000002F    ;region6, 0x2F=0010 1111 : base=0x8000 0000, size=16Mb (0x0100 0000)
ROM:FFFF2398                 MCR     p15, 0, R0,c6,c6

550D 1.0.8

ROM:F8FF22B0 sub_F8FF22B0                            ; CODE XREF: ROM:F8FF0608↑p
ROM:F8FF22B0                 MOV     R0, #0x3F
ROM:F8FF22B4                 MCR     p15, 0, R0,c6,c0
ROM:F8FF22B8                 MOV     R0, #0x3D
ROM:F8FF22BC                 MCR     p15, 0, R0,c6,c1
ROM:F8FF22C0                 LDR     R0, =0xE0000039
ROM:F8FF22C4                 MCR     p15, 0, R0,c6,c2
ROM:F8FF22C8                 MOV     R0, #0xC0000039
ROM:F8FF22CC                 MCR     p15, 0, R0,c6,c3
ROM:F8FF22D0                 LDR     R0, =0xFF00002F
ROM:F8FF22D4                 MCR     p15, 0, R0,c6,c4
ROM:F8FF22D8                 MOV     R0, #0x39
ROM:F8FF22DC                 MCR     p15, 0, R0,c6,c5
ROM:F8FF22E0                 LDR     R0, =0xF780002D
ROM:F8FF22E4                 MCR     p15, 0, R0,c6,c6
ROM:F8FF22E8                 MOV     R0, #0x70
ROM:F8FF22EC                 MCR     p15, 0, R0,c2,c0
ROM:F8FF22F0                 MCR     p15, 0, R0,c3,c0
ROM:F8FF22F4                 MCR     p15, 0, R0,c2,c0, 1
ROM:F8FF22F8                 LDR     R0, =0x3FFF
ROM:F8FF22FC                 MCR     p15, 0, R0,c5,c0
ROM:F8FF2300                 MCR     p15, 0, R0,c5,c0, 1
ROM:F8FF2304                 MRC     p15, 0, R0,c1,c0
ROM:F8FF2308                 ORR     R0, R0, #1
ROM:F8FF230C                 ORR     R0, R0, #0x1000
ROM:F8FF2310                 ORR     R0, R0, #4
ROM:F8FF2314                 ORR     R0, R0, #0xC0000000
ROM:F8FF2318                 ORR     R0, R0, #8
ROM:F8FF231C                 ORR     R0, R0, #0x10
ROM:F8FF2320                 ORR     R0, R0, #0x20
ROM:F8FF2324                 ORR     R0, R0, #0x40
ROM:F8FF2328                 MCR     p15, 0, R0,c1,c0
ROM:F8FF232C                 RET
ROM:F8FF232C ; End of function sub_F8FF22B0


Based on this ARM code:

base length end usage
0x00000000 0x20000000 (512Mb) 0x20000000 5D and 7D
0x00000000 0x80000000 (2Gb) 0x80000000 5D and 7D
0x80000000 0x01000000 (16Mb) 0x81000000 7D only (dual digic)
0xc0000000 0x20000000 (512Mb) 0xe0000000
0xe0000000 0x20000000 (512Mb) 0xffffffff
0xf7800000 5D Mark II: 0x00800000 (8Mb) 0xf8000000 5dm2 only (single digic)
0xff800000 7D: 0x01000000 (16Mb) >0xfffffffff !!
0xff800000 5D Mark II: 0x00800000 (8Mb) 0xffffffff
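
The decoding behind the DIGIC VI region table and the DIGIC IV table above, as an added example that is not part of the wiki or of Magic Lantern's code. It turns the logged DRBAR/DRSR/DRACR values and the `c6` words from the listings into base, size and attributes, then checks two properties the tables point at: regions that PL0 can write and the core can execute from, and a base that is not aligned to the region size (the 7D `0xFF80002F` case marked "!!"). Field positions are assumed from the ARM PMSAv7 and ARM946E-S register layouts; all struct and function names are the example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* One decoded MPU region (struct and function names are this example's own). */
struct mpu_region {
    uint32_t base;
    uint64_t size;              /* 64-bit: a 4 GiB region does not fit in 32 bits */
    int enabled, xn, shareable;
    unsigned ap;                /* PMSAv7 AP[2:0]; 3 = PL1 R/W, PL0 R/W */
};

/* Both cores keep the size field N in bits [5:1]; the region size is 2^(N+1). */
static void size_enable(uint32_t reg, struct mpu_region *r) {
    r->size = 1ULL << (((reg >> 1) & 0x1F) + 1);
    r->enabled = reg & 1;
}

/* DIGIC VI log: one DRBAR / DRSR / DRACR write per region. */
struct mpu_region decode_pmsav7(uint32_t drbar, uint32_t drsr, uint32_t dracr) {
    struct mpu_region r = {0};
    r.base = drbar & ~0x1Fu;
    size_enable(drsr, &r);
    r.xn = (dracr >> 12) & 1;
    r.ap = (dracr >> 8) & 7;
    r.shareable = (dracr >> 2) & 1;
    return r;
}

/* DIGIC IV listings (MCR p15,0,R0,c6,cN): base, size, enable in one word; AP is in c5, not decoded. */
struct mpu_region decode_c6(uint32_t reg) {
    struct mpu_region r = {0};
    r.base = reg & 0xFFFFF000u;
    size_enable(reg, &r);
    return r;
}

/* A base that is not a multiple of the size puts base+size past the intended end. */
int misaligned(struct mpu_region r) { return (r.base & (r.size - 1)) != 0; }
/* PMSAv7 only: unprivileged code may write the region and the core may execute from it. */
int writable_and_executable(struct mpu_region r) { return r.enabled && !r.xn && r.ap == 3; }

int main(void) {
    struct mpu_region a = decode_pmsav7(0xBFE00000, 0x29, 0x324); /* QEMU log, region 2 */
    struct mpu_region b = decode_c6(0xFF80002F);                  /* 7D 1.1.0, region 4 */
    printf("%08X +%llX W+X=%d\n", (unsigned)a.base, (unsigned long long)a.size, writable_and_executable(a));
    printf("%08X +%llX misaligned=%d\n", (unsigned)b.base, (unsigned long long)b.size, misaligned(b));
    return 0;
}
```

Every DRACR value in the DIGIC VI log decodes with XN clear and AP = 3, which is why the table lists each region as executable and PL0-writable.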

Digic III

start length name description
0x00000000 0x40000000 (1Gb)
0xC0000000 0x20000000 (512Mb)
0xF8000000 0x00400000 (4Mb)
0xFF800000 0x00800000 (8Mb)

from ARM memory protection code of

  • 1000d boot code (0xFFFF1C8C in 1.0.5 dump)
  • and 40D boot code (0xFFFF1CCC in 1.0.8 dump)


Hardware registers

Registers start at 0xc0220000.

QEMU

00000000 - 3FFFFFFF: eos.ram
40000000 - 7FFFFFFF: eos.ram_uncached
F0000000 - F0FFFFFF: eos.rom0
F1000000 - F1FFFFFF: eos.rom0_mirror_F1
F2000000 - F2FFFFFF: eos.rom0_mirror_F2
F3000000 - F3FFFFFF: eos.rom0_mirror_F3
F4000000 - F4FFFFFF: eos.rom0_mirror_F4
F5000000 - F5FFFFFF: eos.rom0_mirror_F5
F6000000 - F6FFFFFF: eos.rom0_mirror_F6
F7000000 - F7FFFFFF: eos.rom0_mirror_F7
F8000000 - F8FFFFFF: eos.rom1
F9000000 - F9FFFFFF: eos.rom1_mirror_F9
FA000000 - FAFFFFFF: eos.rom1_mirror_FA
FB000000 - FBFFFFFF: eos.rom1_mirror_FB
FC000000 - FCFFFFFF: eos.rom1_mirror_FC
FD000000 - FDFFFFFF: eos.rom1_mirror_FD
FE000000 - FEFFFFFF: eos.rom1_mirror_FE
FF000000 - FFFFFFFF: eos.rom1_mirror_FF
C0000000 - CFFFFFFF: eos.iomem