Fandom

Magic Lantern Firmware Wiki

Register Map/Brute Force

< Register Map

328pages on
this wiki
Add New Page
Talk0 Share

Ad blocker interference detected!


Wikia is a free-to-use site that makes money from advertising. We have a modified experience for viewers using ad blockers

Wikia is not accessible if you’ve made further modifications. Remove the custom ad blocker rule(s) and the page will load as expected.

********************************************************************
*                                                                  *
* THIS IS VERY DANGEROUS AND CAN DAMAGE YOUR CAMERA.               *
*     IF IT BREAKS, YOU GET TO KEEP BOTH PIECES.                   *
*                                                                  *
* You will be trying new things on your camera for the FIRST time. *
* We don't know whether it's safe to do, or not. We believe it is, *
* but we (ML developers) did NOT try it on our cameras.            *
*                                                                  *
* ONLY run this test if you don't mind breaking your camera!       *
*                                                                  *
********************************************************************

GoalEdit

To find out the meaning of DIGIC registers by means of brute force.

MotivationEdit

The following functions were implemented by changing DIGIC registers:

  • FPS override
  • Highlight++ (that's full control over digital ISO)
  • Display saturation (including focus peaking with grayscale image preview)
  • Display position adjustment
  • Custom color palettes (for example, grayscale menus/overlays)
  • Image filters (grayscale recording, negative image)...

The following functions might become possible:

  • Clean HDMI out (or at least shrink the black bars a bit)
  • Moving the recorded box around in crop mode (digital panning)
  • Custom curves applied to image
  • Anamorphic preview (LiveView image can be rescaled without altering recorded image)
  • Peripheral correction for manual lenses
  • Flipped or mirrored display
  • Maybe also custom video modes (FullHD crop mode)
  • etc.

The good news is that DIGIC commands are the same on all cameras.

Many of these DIGIC commands are also used in compacts (even in DIGIC II and III) - so if you have a compact camera, you can help too! See [1] for a CHDK Lua script that changes a DIGIC register directly.

Previous workEdit

First started by g3gg0: Register_Map. Other pages with register analysis: Register Map/550D (Indy) and Register Map/60D (Alex).

How toEdit

  • Use this autoexec: http://bit.ly/ml-feb20-digic or compile latest source code with CONFIG_DIGIC_POKE defined in lv-img-engio.c.
  • Enable LiveView (manual movie mode is preferred, all auto adjustments turned off)
  • Enable 'DIGIC poke' from Debug menu, and open the submenu
  • Select register address like this:
 0xC0F01234
   ****----    register family (those usually control one device)
   ----**--    register base
   ------**    register offset (those are divided like this so you don't have to do a lot of clicks)
  • Watch the current value of the register (as configured by Canon firmware)
    • If the value looks like FFxxxxxx, stop. Don't change it. Can be dangerous. That's an address inside ROM, and it might result in arbitrary code execution (though I think it's unlikely).
    • If the value looks like xxx0xxx, or xx00xx, it probably contains two (u)int16 values.
    • If the value is 0, it's likely that the current register might be unused. That's not a rule.
    • If the value is 1 or 80000000, it might be a boolean.
    • If the value looks like FFFFFFxx, it might be a negative number.
    • Some values are fixed point (real numbers, not integers), with 1.0 being encoded as 0x400 (that's 1024).
    • Values may be 8-bit, 10-bit, 12-bit, 14-bit, 16-bit, 2 x 8-bit, 2 x 16-bit, 32-bit and probably other sorts of combinations. It's not uncommon to find a register that contains 2 or 3 values packed as an int32.
  • Change values like this:
    • Outside menu, hold the shutter button pressed halfway. The selected register will be changed once per frame.
    • Change modes: random (simply writes random values), or incremental (alters the current values in small steps.. 1,2,3,4,5.. you get the idea).
    • MF means "increment", AF means "decrement". Move autofocus to back button from CFn (*).
  • Observe the effects:
    • Some registers have effect only as long as the shutter button is held. That means, they need to be refreshed continuously.
    • Other registers have persistent effect. You set them once, and the effect remains until you go to playback mode and back.
    • Some registers will affect image pitch (you'll see some strange diagonal patterns). Write those down - these usually need to be changed in pairs.
    • Some registers will affect colors or brightness. Some operate in YUV, others in RGB, some before picture style curves, some after them...
  • If things go wrong
    • Possible side effects (that's what I've noticed on my cameras): image freezes, ERR70/80, weird image patterns / colors / whatever. Those happens when you set some invalid value.
    • In most cases, going to playback mode and back will bring things back to normal (registers will be reconfigured by Canon firmware).
    • If it's not safe to write to some register (usually, the corresponding device is not active), the camera will usually freeze.
    • If in doubt, take the battery out. Don't turn the camera off from the button, just take the battery out quickly.
  • Shortcut keys (outside menu):
    • right/left: increment/decrement current register address
    • up/down: increment/decrement current address until it finds a register with nonzero value (those are more likely to have some visible effect).
  • If you get bored, you can select a random register (last item).
    • A lot of registers are unused, so it's very likely that you may get bored quickly.
    • Try changing registers which already have nonzero values. These are probably used.
  • Post your findings on the mailing list or edit the huge pages linked below.

Is it safe? Edit

  • I hope so. I've scanned hundreds of registers on my own cameras, without any permanent side effect. That's NOT a guarantee that it's actually safe.
  • To the best of my knowledge, all these changes are peformed in RAM (unlike Properties, which are used to change most shooting settings, and are stored in a persistent memory - NVRAM).
  • The following sequence of events CAN result in permanent damage:
    • You configure the image processor to write to some address in the middle of general-purpose memory. There's NO PROTECTION against this.
    • Canon code may decide to write some of this data to settings memory (NVRAM). This means it will probably no longer boot.
  • I don't know how to revive the camera if things go wrong. See Unbricking, but it probably won't apply here.
  • I don't recommend running this test on expensive cameras. If you have a disposable 500D and you don't mind risking it, that's the way to go. The DIGIC chip is the same, so the findings will apply to all cameras in most cases (so far, all DIGIC commands worked in the same way on all ML cameras).
  • I'm running these tests on my own cameras without thinking twice. I wouldn't do this if I had only one camera.

Where to start? Edit

  • Start by analyzing some registers which are already documented. Those are the safest things to try - someone else already tried them.
  • Then try values in the nearby registers. It's likely that their functionality is related.

Are there any other hints? Edit

Yes. For some registers, you can find some cryptic names like HIV_POS_V_OFST or SHAD_KZMK_SAV. Those are probably the names used in Canon code. You need to look in the firmware, disassemble it, decompile it, understand what things do etc.

Ready? Let's go!Edit

How to fill the tablesEdit

  • First checkbox: check it if the register seems to not be used (no effects noticed). That's in order to prevent others from trying registers known to do nothing.
  • Second checkbox: write Y if that register affects recording, N if it doesn't. If unsure, leave it blank.
  • Description: a short description of the effect of changing the register you have tested. Valid values are also welcome.
Register|N/U|REC| Description      // N/U = not used, REC = affects recorded image.|
-----------------------------------------------------------------------------------|
C0F1abcd [X] [ ]
C0F1efgh [ ] [Y] makes the image upside down
C0F1ijkl [ ] [N] display becomes monochrome

Register Map/Brute Force/C0F14xxx - configures display deviceEdit

Register Map/Brute Force/C0F0xxxx - LiveView image processor? Edit

Register Map/Brute Force/C0F1xxxx - also LiveView related? Edit

Register Map/Brute Force/C0F2xxxx - also LiveView related? Edit

Register Map/Brute Force/C0E0xxxx - JPEG engine?Edit

Register Map/Brute Force/C0E1xxxx - H264 engine?Edit

How to add a new tableEdit

Use this script:

for i in range(0xC0F00000,0xC0F0FFFF,4):
    if i & 0xFFF == 0:
        print ""
        print "== %sxxx ==" % hex(i)[:-3]
        print ""
    if i & 0xFF == 0:
        print ""
        print "=== %sxx ===" % hex(i)[:-2]
        print ""
        print " Register|N/U|REC| Description      // N/U = not used, REC = affects recorded image.|"
        print " -----------------------------------------------------------------------------------|"
    print " %s [ ] [ ]" % hex(i)

If you identify some register range that configures particular device (like C0F14xxx = display), it's probably a good idea to move things to a separate page.

Also on Fandom

Random Wiki