D7100 decoding, anyone ?


Re: D7100 decoding, anyone ?

Postby Simeon » Sun Jun 22, 2014 12:54 pm

D5200 is almost pure C++. I have the class tables decoded, via the vtable setup functions, but it's a mess.
Simeon
Core Developer
 
Posts: 2604
Joined: Wed Nov 30, 2011 6:12 am
Location: Christchurch, New Zealand
Been thanked: 613 times

Re: D7100 decoding, anyone ?

Postby coderat » Sun Jun 22, 2014 1:04 pm

Simeon wrote:D5200 is almost pure C++. I have the class tables decoded, via the vtable setup functions, but it's a mess.

Meaning IDA provides no great help in reversing C++?
Or is there any example of IDA output for C++?

Thanks,
coderat
coderat
Core Developer
 
Posts: 2273
Joined: Fri Apr 26, 2013 10:21 am
Been thanked: 448 times

Re: D7100 decoding, anyone ?

Postby Simeon » Mon Jun 23, 2014 6:20 am

IDA was helpful in decoding the code. But the C++ is way more convoluted to follow. I didn't get my head around how to auto-name stuff related to vtables before I moved back to FR processor development.
Simeon
Core Developer
 
Posts: 2604
Joined: Wed Nov 30, 2011 6:12 am
Location: Christchurch, New Zealand
Been thanked: 613 times

Re: D7100 decoding, anyone ?

Postby forgotten » Mon Aug 25, 2014 5:04 am

Hi guys, how is it going with this flawless camera, any progress?
forgotten
 
Posts: 3
Joined: Tue Jul 01, 2014 6:20 am
Been thanked: 0 time

Re: D7100 decoding, anyone ?

Postby coderat » Thu Dec 29, 2016 9:15 am

leegong wrote:Just traced GUI task0xA2, it receives commands via MailBox 0x84, then calls different sub-functions according to the command

In fact, address 5016BCB4 is not the GUI task. It is a common method of a C++ base class for the GUIMAIN subclass, and it is reused by many tasks in the firmware, as it is the general framework for the "message server" pattern.

leegong wrote:unfortunately it's difficult to trace who is responsible for sending commands to task0xA2

The answer is embedded in your picture:
screenshot3extended.jpg

Each (non-static) C++ object method is called with a first parameter being the "this" pointer to the object itself. So in this case you have to trace usage of address 0x102F4C30 and see where it is referred to in conjunction with sending a message.

leegong wrote:almost all of the MailBox IDs in operations of sending messages are dynamic

This is not correct: Nikon places most objects statically. So the "this" pointer is constant, not dynamic, and is well known even before the firmware starts. The Mailbox ID is dynamically allocated, but that doesn't really matter.
coderat
Core Developer
 
Posts: 2273
Joined: Fri Apr 26, 2013 10:21 am
Been thanked: 448 times

Re: D7100 decoding, anyone ?

Postby coderat » Tue Jan 03, 2017 4:03 am

Class CGUICTask : CJAFFMessageDrivenTaskBase
Class CJAFFMessageDrivenTaskBase : CJAFFTaskBase
Class CJAFFTaskBase is simple and has no base class.

The code you showed as TaskA2_GUI_body is a method of the CJAFFMessageDrivenTaskBase class. There are 37 tasks derived from the CJAFFMessageDrivenTaskBase base class:

  1. Class CSTGCTask : CJAFFMessageDrivenTaskBase
  2. Class CAINFTask : CJAFFMessageDrivenTaskBase
  3. Class CMOVRAudioTask : CJAFFMessageDrivenTaskBase
  4. Class CMOVPAudioTask : CJAFFMessageDrivenTaskBase
  5. Class CMOVRControllerTask : CJAFFMessageDrivenTaskBase
  6. Class CUIFAControllerBase : CJAFFMessageDrivenTaskBase, IUIFAActionIF
  7. Class CMOVPFrameTask : CJAFFMessageDrivenTaskBase, IDPCNLayerUpdateObserver
  8. Class CPBSCTask : CJAFFMessageDrivenTaskBase
  9. Class CPEIBBackground : CJAFFMessageDrivenTaskBase
  10. Class CSIRCPcRecordTask : CJAFFMessageDrivenTaskBase
  11. Class CJFBSTask : CJAFFMessageDrivenTaskBase
  12. Class CSTMAInformationTask : CJAFFMessageDrivenTaskBase
  13. Class CAUCLMsgDrivenTask : CJAFFMessageDrivenTaskBase
  14. Class CMOVRFrameTask : CJAFFMessageDrivenTaskBase
  15. Class CSIRCPostProcessTask : CJAFFMessageDrivenTaskBase
  16. Class CDPCNTask : CJAFFMessageDrivenTaskBase
  17. Class CPBCCTask : CJAFFMessageDrivenTaskBase
  18. Class CAUEPMsgDrivenTask : CJAFFMessageDrivenTaskBase
  19. Class CMOVPControllerTask : CJAFFMessageDrivenTaskBase
  20. Class CINFOManagerMsgDrivenTask : CJAFFMessageDrivenTaskBase
  21. Class CPEIBBuilder : IPEIBBuilderInterface, CJAFFMessageDrivenTaskBase, IPEIBPlayImageObserver, IPEIPProcObserver
  22. Class CSYSCControlMain : ISYSCInterface, CJAFFMessageDrivenTaskBase
  23. Class CTTLPProcedure : ITTLPInterface, CJAFFMessageDrivenTaskBase
  24. Class CUIFMJAppManager : CJAFFMessageDrivenTaskBase, IUIFMMessageEventListener
  25. Class CPTPCMessageReceiver : CJAFFMessageDrivenTaskBase, IPTPCMessageInterface
  26. Class CPOSMPostureManager : CJAFFMessageDrivenTaskBase, IPOSMOperation
  27. Class COPNOManagerBase : CJAFFMessageDrivenTaskBase, IOPNOOperationReceiveObserver
  28. Class CAUBPMsgDrivenTask : CJAFFMessageDrivenTaskBase, IAUCLOutputLineObserver
  29. Class CSIRCImageRecMessageDrivenTask : CJAFFMessageDrivenTaskBase
  30. Class CSIRCWriteInfoTask : CJAFFMessageDrivenTaskBase
  31. Class CCIPBResponseController : CJAFFMessageDrivenTaskBase
  32. Class CDPOFManager : IDPOFInterface, CJAFFMessageDrivenTaskBase
  33. Class CFWUPProcedure : IFWUPInterface, CJAFFMessageDrivenTaskBase, IKRCCFirmUpdateObserver, INETCObserver
  34. Class CGUICTask : CJAFFMessageDrivenTaskBase
  35. Class CKRCCMessageParser : CJAFFMessageDrivenTaskBase
  36. Class CIEFUTask : CJAFFMessageDrivenTaskBase
  37. Class CIENUTask : CJAFFMessageDrivenTaskBase
coderat
Core Developer
 
Posts: 2273
Joined: Fri Apr 26, 2013 10:21 am
Been thanked: 448 times

Re: D7100 decoding, anyone ?

Postby coderat » Sat Jan 07, 2017 4:52 pm

Sending a message to the GUICMAIN task is done via the virtual function at offset +4 in the vtable of the CJAFFMessageComPort class. Indeed not easy to find.
Receiving is the virtual function at offset +28 in the vtable of the CJAFFMessageComPort class.
Initialization of the GUI task is hidden in another virtual function of the CGUICStartUp -> CGUICEntry classes.
coderat
Core Developer
 
Posts: 2273
Joined: Fri Apr 26, 2013 10:21 am
Been thanked: 448 times
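A C model of the compiled-C++ layout coderat describes in the two posts above (the constant "this" pointer of statically placed objects, the shared base-class "message server" body reused by every derived task, and virtual calls read as vtable byte offsets such as +4 for send and +28 for receive). This is an added example, not code from the thread or from the firmware: the mailbox queue, the task and handler names, and every vtable slot other than +4/+28 are constructed for illustration, and the 4-byte pointer size assumes the 32-bit target.

```c
#include <stdint.h>
/* Constructed stand-in for the RTOS mailbox: an 8-slot queue of commands. */
typedef struct { uint32_t q[8]; unsigned head, tail; } MailBox;
/* A compiled C++ object starts with its vtable pointer; the vtable is an array of
   4-byte function pointers on the 32-bit target, so "+4" is slot 1, "+28" slot 7. */
#define PTR32 4
typedef struct ComPort ComPort;
typedef int (*VFn)(ComPort *self, uint32_t *cmd);
struct ComPort { const VFn *vtable; MailBox *box; };
static int port_send(ComPort *self, uint32_t *cmd) {      /* slot 1, offset +4  */
    MailBox *b = self->box;
    if ((b->tail + 1) % 8 == b->head) return -1;           /* queue full */
    b->q[b->tail] = *cmd; b->tail = (b->tail + 1) % 8; return 0;
}
static int port_recv(ComPort *self, uint32_t *cmd) {      /* slot 7, offset +28 */
    MailBox *b = self->box;
    if (b->head == b->tail) return -1;                     /* queue empty */
    *cmd = b->q[b->head]; b->head = (b->head + 1) % 8; return 0;
}
static int port_unused(ComPort *s, uint32_t *c) { (void)s; (void)c; return -1; }
static const VFn comport_vtable[8] = { port_unused, port_send, port_unused,
    port_unused, port_unused, port_unused, port_unused, port_recv };

/* The indirect call as IDA shows it: load the vtable from [this], load the
   function at [vtable + byte_off], call it with "this" as the first argument. */
static int vcall(ComPort *self, unsigned byte_off, uint32_t *cmd) {
    return self->vtable[byte_off / PTR32](self, cmd);
}

/* Message-driven task: the receive loop exists once, in the base class (the
   shared method the posts describe); only the derived task's handler differs. */
typedef struct Task Task;
typedef void (*Handler)(Task *self, uint32_t cmd);
struct Task { const Handler *vtable; ComPort *port; uint32_t last_cmd; };
static int task_base_body(Task *self) {
    uint32_t cmd; int n = 0;
    while (vcall(self->port, 28, &cmd) == 0) { self->vtable[0](self, cmd); n++; }
    return n;   /* number of commands dispatched in this run */
}
static void gui_handle(Task *self, uint32_t cmd) { self->last_cmd = cmd; }
static const Handler gui_vtable[1] = { gui_handle };

/* Statically placed objects: their addresses are link-time constants, so "this"
   is a fixed immediate; xrefs to it beside a slot-+4 call give away the sender. */
static MailBox gui_box;
static ComPort gui_port = { comport_vtable, &gui_box };
static Task gui_task = { gui_vtable, &gui_port, 0 };
int post_to_gui(uint32_t cmd) { return vcall(&gui_port, 4, &cmd); }   /* a sender */
int run_gui_task(void) { return task_base_body(&gui_task); }
uint32_t gui_last_cmd(void) { return gui_task.last_cmd; }
```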

Re: D7100 decoding, anyone ?

Postby coderat » Sun Mar 12, 2017 8:57 am

call_writing00_device from the post in fact doesn't call write. It calls device::ioctl.
coderat
Core Developer
 
Posts: 2273
Joined: Fri Apr 26, 2013 10:21 am
Been thanked: 448 times

Re: D7100 decoding, anyone ?

Postby coderat » Sun Mar 12, 2017 7:39 pm

D7100 engages the GV330 vector graphics accelerator from Takumi.
Attachment: GVscreenshot3.gif
coderat
Core Developer
 
Posts: 2273
Joined: Fri Apr 26, 2013 10:21 am
Been thanked: 448 times

Re: D7100 decoding, anyone ?

Postby coderat » Sun Mar 25, 2018 1:15 am

Milbeaut 2D graphic accelerator demystified. openEGL block base address is 0x2DE00000.
Attachment: screenshot10openegl.PNG
coderat
Core Developer
 
Posts: 2273
Joined: Fri Apr 26, 2013 10:21 am
Been thanked: 448 times
