The Toshiba TX19A inside most Canon DSLR Camera is the MPU, which is certainly the I/O manager.
The TX19A (TMP19A43FDXBG, in RED square) on the 50D mainboard.
550D, 600D: TMP19A43CDXBG.
See HV30_Firmware_Analysis#Processor_and_architecture
TMP19A43CDXBG/TMP19A43FDXBG[]
Specs[]
- 512K Flash
- 24K RAM
- Big endian, 16 and 32 bit ISA, MIPS 16 ASE
- 18 I/O ports
- 10-bit ADC
- 8-bit DAC
...
Memory Map[]
- 0xFFFFE000 - 0xFFFFFFFF: I/O registers (from datasheet)
- f000 - f08f: I/O ports
- f090 - f091: watchdog
- f140 - f23f: 16-bit timer
- f250 - f25f: i2c/sio
- f260 - f28f: uart/sio
- f300 - f31f: 10-bit adc
- f330 - f33f: 8-bit dac
- f360 - f38f: key on wake-up circuit
- f400 - f42f: 32-bit input capture
- f440 - f47f: 32-bit output compare
- e000 - e10f: interrupt controller
- e200 - e37f: dma controller
- e400 - e49f: cs/wait controller (?)
- e510 - e52f: flash control
- e540 - e57f: ROM correction
- e700 - e71f: clock timer
- e800 - e84f: uart/hsio
- ee00 - ee4f: clock generator
- 0xFFFF8000 - 0xFFFFDFFF: built-in RAM
- 0x00000000 - 0x0007FFFF: internal ROM? (code executes from here)
- 0xBFC00000 - 0xBFC7FFFF: internal ROM copy?
- Note: TX19A only allows using Kernel mode
Features[]
See TX19A43 features (here) including:
- High-Speed Multipoint AF
- High-speed AD converter (for processing analog signals from an AF sensor)
- High-speed multiply accumulate operation
- Large Number of External Interrupt Lines
- Motor Control with Sync Start Control
- PPG (PWM)
- High-Speed E2PROM Supported
...
Strings found in MPU code[]
In 550D 1.0.6 update, record #2 (k270_mpu.mot). See Update_records.
First column is offset in hex.
509 AE_GERO_DATA_T: 51c [AE]Read Error! ... 128b EF-S 1290 TS-E 1295 MP-E 12d5 1200 12da 10-22 12e0 16-35 12e6 17-35 12ec 17-40 12f2 17-55 ... 2860 Switch State Information 287b LockSw : 289d Lock(Off) 28a7 UnLock(On) 28b2 CardCover : 28d4 Open 28d9 Close 28df BatCover : 2901 SDDetectSw : 292a Sw1 : 294c Sw2 : 296e AELockButton : 2990 SpdnButton : 29b2 StroboPopUpButton : 29d4 StroboPopEndSw : 29f6 AFFrameSelectButton : 2a18 ISOButton : 2a3e }Button : 2a5c SetButton : 2a7e MenuButton : 2aa0 PlayButton : 2ac2 EraseButton : 2ae4 DisplayButton : 2b06 EasyDirect&QuickSetting : 2b28 RECStartButton : 2b4a CrossUp : 2b6c CrossDown : 2b8e CrossRight : 2bb0 CrossLeft : 2bd2 ModeDial : 2bf4 Program 2c02 Manual 2c09 A-DEP 2c0f Green 2c15 NightPortrait ... 301b [MAIN]:popup mech 302e [MAIN]:popend fault 3043 [MAIN]:aux popup end 305a GetJunkBvCountLiveView ERROR 3078 [MAIN]:<TIMEOUT>lv ae 308f [MAIN]:<WARNING>illegal iso data 30b4 [MAIN]:lv started mech 30cc [MAIN]:lv mirr down 30e4 [MAIN]:<TIMEOUT>rel event from mech 3109 [MAIN]:<ERR>( 311a [MAIN]:<TIMEOUT>popup event from mech 314c [MAIN]:dcdc-ic current chk err 316c [MAIN]:dcdc-ic write err 3186 [MAIN]:dcdc-ic read err [ 31a4 [MAIN]:BC 31b7 [MAIN]:BC 31ca [BC PRINT]:Vop -> 31dd (raw: 31e6 [BC PRINT]:Aop -> 31f9 [BC PRINT]:Vbc -> 320c [BC PRINT]:Abc -> 321f [BC PRINT]:Vfo1 -> 3235 [BC PRINT]:Vfo2 -> 3249 [BC PRINT]:VfoSt -> 325e [BC PRINT]:R -> 3270 [MAIN]:<TIMEOUT>mech restore ... 4038 DUMPB 403e DUMPW 4044 DUMPL ... 40ee MPU Ver...0x 40fd MPU code area check sum...0x 4126 LgSelSw : 414f BatSelSw0 : 4171 BatSelSw1 : 4196 Too Long! 41a6 SERVO 41b6 parameter err 41c6 ---power info--- 41d8 bat kind 41e3 (Grip) 41ea level 41f2 vbat(noload) 4201 vbat(bcon) 420e mech pwm 4219 tchk ad 4230 ---temperature info--- 4248 aeic 424f efic 4256 Atemp( 4261 AtempAD: 426a LVTIME: 4272 MovieTime: ... 4415 MON>> 4420 E1ON 4425 MON>> 442c E1OFF 4447 T----------------------------------------------------------- 4484 K270 Debug Monitor (Ver 1.00) 44c0 Copyright(C) CANON INC. 2007 All Rights Reserved. 44fc ----------------------------------------------------------- ... 1d52c MDUMP 1d552 .QMDUMPB 1d57a .QMDUMPW 1d5a2 .QMDUMPL 1d5ca .QMMOT 1d5f2 1)FCBDUMP 1d61c FCBR 1d644 FCBW 1d694 TITLE 1d6bc ABOUT 1d734 S00F00006B3237305F6565702E6D6F74D5 1d75a E-S00F00006B3237305F6565702E6D6F74D5 1d782 BQEEPR 1d7ac EEPW 1d7d2 BQMLOAD 1d7fa E-MRESET 1d822 FQEXEC 1d84a :ESW 1d872 3yON 1d8c4 DISPALLON 1d8ea 4UDISPALLOFF 1d912 4eDISPBLINK 1d93a 4uDISPTEST 1d964 TESTBUZZER 1d98c TESTEL 1d9b4 TESTSELFLED 1d9dc TESTFLED 1da02 6ATESTSIDUTY 1da2c TESTSI 1da54 TESTRELEASE 1da7a 7!TESTPWROFF 1daa4 BCINFO 1dacc BATKIND 1daf4 TEMPINFO 1db1a 9-PRINTLEVEL 1db44 UPBNY 1db6a P5SENDICU ...
Disassembling[]
Requirements to disassemble TX19a code:
- IDA Pro 6.2 with MIPS support + TX19A plug-in (Done by JollyRogerXP from CHDK forum)
- IDA Pro 6.3 with TX19A support
to compile JollyRogerXP's plug-in use this documentation: http://www.binarypool.com/idapluginwriting/idapw.pdf and settings in section 3.1
In IDA:
- chooses MIPS big endian processor
- loading address is 0xffff8000 for file k250_mpu.mot_ffff8000.bin, for example
- activate the tx19A plug-in
- Alt-G to set the MIPS16 virtual register to 1
- Hit C for Code
it looks like this
ROM:FFFF8000 # Processor : mipsb ROM:FFFF8000 # Target assembler: GNU assembler ROM:FFFF8000 # Byte sex : Big endian ROM:FFFF8000 ROM:FFFF8000 .set noreorder ROM:FFFF8000 .set noat ROM:FFFF8000 ROM:FFFF8000 ROM:FFFF8000 # =========================================================================== ROM:FFFF8000 ROM:FFFF8000 # Segment type: Pure code ROM:FFFF8000 .text # ROM ROM:FFFF8000 .set mips16 ROM:FFFF8000 save 0x10 ROM:FFFF8004 mov32r $s1, $a1 ROM:FFFF8006 mov32r $s2, $a2 ROM:FFFF8008 lui $a2, 0 ROM:FFFF800C addiu8 $a2, 0x8E88 ROM:FFFF8010 lw $a1, 0($a2) ROM:FFFF8012 li $v0, 0xFF ROM:FFFF8014 sb $v0, 0($a1) ROM:FFFF8016 li $v0, 0x80 ROM:FFFF8018 and $v0, $a0 ROM:FFFF801A bnez $v0, loc_FFFF8020 ROM:FFFF801C li $v0, 0 ROM:FFFF801E sb $v0, 0($a1) ROM:FFFF8020 ROM:FFFF8020 loc_FFFF8020:
See also: SIO3_MREQ, Update_records, Datasheets