The Toshiba TX19A inside most Canon DSLR Camera is the MPU, which is certainly the I/O manager.
The TX19A (TMP19A43FDXBG, in RED square) on the 50D mainboard.
550D, 600D: TMP19A43CDXBG.
See HV30_Firmware_Analysis#Processor_and_architecture
TMP19A43CDXBG/TMP19A43FDXBG[]
Specs[]
- 512K Flash
- 24K RAM
- Big endian, 16 and 32 bit ISA, MIPS 16 ASE
- 18 I/O ports
- 10-bit ADC
- 8-bit DAC
...
Memory Map[]
- 0xFFFFE000 - 0xFFFFFFFF: I/O registers (from datasheet)
- f000 - f08f: I/O ports
- f090 - f091: watchdog
- f140 - f23f: 16-bit timer
- f250 - f25f: i2c/sio
- f260 - f28f: uart/sio
- f300 - f31f: 10-bit adc
- f330 - f33f: 8-bit dac
- f360 - f38f: key on wake-up circuit
- f400 - f42f: 32-bit input capture
- f440 - f47f: 32-bit output compare
- e000 - e10f: interrupt controller
- e200 - e37f: dma controller
- e400 - e49f: cs/wait controller (?)
- e510 - e52f: flash control
- e540 - e57f: ROM correction
- e700 - e71f: clock timer
- e800 - e84f: uart/hsio
- ee00 - ee4f: clock generator
- 0xFFFF8000 - 0xFFFFDFFF: built-in RAM
- 0x00000000 - 0x0007FFFF: internal ROM? (code executes from here)
- 0xBFC00000 - 0xBFC7FFFF: internal ROM copy?
- Note: TX19A only allows using Kernel mode
Features[]
See TX19A43 features (here) including:
- High-Speed Multipoint AF
- High-speed AD converter (for processing analog signals from an AF sensor)
- High-speed multiply accumulate operation
- Large Number of External Interrupt Lines
- Motor Control with Sync Start Control
- PPG (PWM)
- High-Speed E2PROM Supported
...
Strings found in MPU code[]
In 550D 1.0.6 update, record #2 (k270_mpu.mot). See Update_records.
First column is offset in hex.
509 AE_GERO_DATA_T:
51c [AE]Read Error!
...
128b EF-S
1290 TS-E
1295 MP-E
12d5 1200
12da 10-22
12e0 16-35
12e6 17-35
12ec 17-40
12f2 17-55
...
2860 Switch State Information
287b LockSw :
289d Lock(Off)
28a7 UnLock(On)
28b2 CardCover :
28d4 Open
28d9 Close
28df BatCover :
2901 SDDetectSw :
292a Sw1 :
294c Sw2 :
296e AELockButton :
2990 SpdnButton :
29b2 StroboPopUpButton :
29d4 StroboPopEndSw :
29f6 AFFrameSelectButton :
2a18 ISOButton :
2a3e }Button :
2a5c SetButton :
2a7e MenuButton :
2aa0 PlayButton :
2ac2 EraseButton :
2ae4 DisplayButton :
2b06 EasyDirect&QuickSetting :
2b28 RECStartButton :
2b4a CrossUp :
2b6c CrossDown :
2b8e CrossRight :
2bb0 CrossLeft :
2bd2 ModeDial :
2bf4 Program
2c02 Manual
2c09 A-DEP
2c0f Green
2c15 NightPortrait
...
301b [MAIN]:popup mech
302e [MAIN]:popend fault
3043 [MAIN]:aux popup end
305a GetJunkBvCountLiveView ERROR
3078 [MAIN]:<TIMEOUT>lv ae
308f [MAIN]:<WARNING>illegal iso data
30b4 [MAIN]:lv started mech
30cc [MAIN]:lv mirr down
30e4 [MAIN]:<TIMEOUT>rel event from mech
3109 [MAIN]:<ERR>(
311a [MAIN]:<TIMEOUT>popup event from mech
314c [MAIN]:dcdc-ic current chk err
316c [MAIN]:dcdc-ic write err
3186 [MAIN]:dcdc-ic read err [
31a4 [MAIN]:BC
31b7 [MAIN]:BC
31ca [BC PRINT]:Vop ->
31dd (raw:
31e6 [BC PRINT]:Aop ->
31f9 [BC PRINT]:Vbc ->
320c [BC PRINT]:Abc ->
321f [BC PRINT]:Vfo1 ->
3235 [BC PRINT]:Vfo2 ->
3249 [BC PRINT]:VfoSt ->
325e [BC PRINT]:R ->
3270 [MAIN]:<TIMEOUT>mech restore
...
4038 DUMPB
403e DUMPW
4044 DUMPL
...
40ee MPU Ver...0x
40fd MPU code area check sum...0x
4126 LgSelSw :
414f BatSelSw0 :
4171 BatSelSw1 :
4196 Too Long!
41a6 SERVO
41b6 parameter err
41c6 ---power info---
41d8 bat kind
41e3 (Grip)
41ea level
41f2 vbat(noload)
4201 vbat(bcon)
420e mech pwm
4219 tchk ad
4230 ---temperature info---
4248 aeic
424f efic
4256 Atemp(
4261 AtempAD:
426a LVTIME:
4272 MovieTime:
...
4415 MON>>
4420 E1ON
4425 MON>>
442c E1OFF
4447 T-----------------------------------------------------------
4484 K270 Debug Monitor (Ver 1.00)
44c0 Copyright(C) CANON INC. 2007 All Rights Reserved.
44fc -----------------------------------------------------------
...
1d52c MDUMP
1d552 .QMDUMPB
1d57a .QMDUMPW
1d5a2 .QMDUMPL
1d5ca .QMMOT
1d5f2 1)FCBDUMP
1d61c FCBR
1d644 FCBW
1d694 TITLE
1d6bc ABOUT
1d734 S00F00006B3237305F6565702E6D6F74D5
1d75a E-S00F00006B3237305F6565702E6D6F74D5
1d782 BQEEPR
1d7ac EEPW
1d7d2 BQMLOAD
1d7fa E-MRESET
1d822 FQEXEC
1d84a :ESW
1d872 3yON
1d8c4 DISPALLON
1d8ea 4UDISPALLOFF
1d912 4eDISPBLINK
1d93a 4uDISPTEST
1d964 TESTBUZZER
1d98c TESTEL
1d9b4 TESTSELFLED
1d9dc TESTFLED
1da02 6ATESTSIDUTY
1da2c TESTSI
1da54 TESTRELEASE
1da7a 7!TESTPWROFF
1daa4 BCINFO
1dacc BATKIND
1daf4 TEMPINFO
1db1a 9-PRINTLEVEL
1db44 UPBNY
1db6a P5SENDICU
...
Disassembling[]
Requirements to disassemble TX19a code:
- IDA Pro 6.2 with MIPS support + TX19A plug-in (Done by JollyRogerXP from CHDK forum)
- IDA Pro 6.3 with TX19A support
to compile JollyRogerXP's plug-in use this documentation: http://www.binarypool.com/idapluginwriting/idapw.pdf and settings in section 3.1
In IDA:
- chooses MIPS big endian processor
- loading address is 0xffff8000 for file k250_mpu.mot_ffff8000.bin, for example
- activate the tx19A plug-in
- Alt-G to set the MIPS16 virtual register to 1
- Hit C for Code
it looks like this
ROM:FFFF8000 # Processor : mipsb ROM:FFFF8000 # Target assembler: GNU assembler ROM:FFFF8000 # Byte sex : Big endian ROM:FFFF8000 ROM:FFFF8000 .set noreorder ROM:FFFF8000 .set noat ROM:FFFF8000 ROM:FFFF8000 ROM:FFFF8000 # =========================================================================== ROM:FFFF8000 ROM:FFFF8000 # Segment type: Pure code ROM:FFFF8000 .text # ROM ROM:FFFF8000 .set mips16 ROM:FFFF8000 save 0x10 ROM:FFFF8004 mov32r $s1, $a1 ROM:FFFF8006 mov32r $s2, $a2 ROM:FFFF8008 lui $a2, 0 ROM:FFFF800C addiu8 $a2, 0x8E88 ROM:FFFF8010 lw $a1, 0($a2) ROM:FFFF8012 li $v0, 0xFF ROM:FFFF8014 sb $v0, 0($a1) ROM:FFFF8016 li $v0, 0x80 ROM:FFFF8018 and $v0, $a0 ROM:FFFF801A bnez $v0, loc_FFFF8020 ROM:FFFF801C li $v0, 0 ROM:FFFF801E sb $v0, 0($a1) ROM:FFFF8020 ROM:FFFF8020 loc_FFFF8020:
See also: SIO3_MREQ, Update_records, Datasheets