This build was tested, to a limited extent, in QEMU.
This may or may not match the behavior on real hardware - you are welcome to test and report any differences.

Latest Build (2017-10-02 13:20)

1-about.png 2-freemem.png 4-lua-hello.png 6-file_man.png 9-silent-menu.png

Free Memory test passed.

Lua Hello World test passed.

File Manager test passed.

Null pointer test passed.

Silent picture test passed.

Test results: 5 passed, 0 failed.

ca46ef4: 100D: minor typo

c08b8ae: Merged new-dryos-task-hooks into 100D_merge_fw101

4cf7015: tskmon: in null pointer check, retrieve last last task name directly, rather than calling is_taskid_valid
also fixed some possible null pointer bugs in the... null pointer checking code
(fixes crash when reporting null pointer on 100D and likely on all other cameras with new-style DryOS hooks)

Test results: 0 passed, 5 failed.

1db2345: 100D: fix MAX_ISO_BV

Test results: 4 passed, 0 failed.

d85e97b: Merged unified into 100D_merge_fw101

80501e7: installer: fix compilation

22a03ba: Merged in daniel_fort/magic-lantern/update-to-700D.115 (pull request #813)
Update to 700D.115

5e44a93: 700D: fix AbortEDmac

77e64aa: Dummy merge with dfort's unified

4ce4d28: 700D, 6D, 7D: fix AbortEDmac

b363c94: 700D: undo dialog_refresh_timer change in mlv_rec/mlv_lite
(this address is the same in 1.1.4 and 1.1.5)

7e969b4: Update sf_dump module to 700D.115

93e177a: Fixed is_taskid_valid stub.

0b141cd: Merged unified into update-to-700D.115

e228e1b: Added minimal autoexec.bin for 700D

2023513: Merged unified into update-to-700D.115

72ac881: Merged unified into update-to-700D.115

434b7eb: Incorporated pull request #842 to fix Autoexposure module

70852eb: Merged hudson/unified into unified to prevent new remote heads.

2e989b7: Update to latest exiftool

435cb10: Merged unified into update-to-700D.115

f15d607: Resolve conflicts with changes to Task info in stubs.S

1400d79: Merged unified into update-to-700D.115

2a83ae8: Added new ML-SETUP.FIR created by a1ex

fc28684: update to firmware revision 700D.115

fa90b21: hg rename 700D.114 700D.115

226838b: Merged in daniel_fort/magic-lantern/unified_silent_module_fix (pull request #854)
modify silent.c to work with commit f404e5f

0e9da39: TCC Makefile: fix minor typo

b6df56d: silent.c: there are no info bars in paused LiveView mode

d8d44a7: modify silent.c to work with commit f404e5f
Raw backend: allow displaying raw previews without conflicting with LiveView info bars

Test results: 3 passed, 1 failed.

b28cd95: Merged in nikfreak/magic-lantern/100D_merge_fw101 (pull request #867)
100D merge fw101 update

70e77de: 100D: AbortEDmac stub

a96451f: 100D: fix ADTG/CMOS_WRITE_FUNC

Test results: 3 passed, 0 failed.

c796fbb: Merged in Dannephoto/magic-lantern/100D_merge_fw101_SOUND (pull request #863)
Fix for audio issues on eos 100D, possibly other cameras too.
* Fix for audio issues on eos 100D, possibly other cameras too.
Thanks too dfort for code.
* Nikfreak found the correct stub
Approved-by: nikfreak

9f943d9: Merged unified into 100D_merge_fw101

1cfca21: fix 100D (tested, confirmed working)

3223248: fix wrong stub (thx @dfort for the note)

2029c44: manual focus: allow moving focus box

6768410: 100D: enabled CONFIG_TSKMON

4f97f4f: 100D: fix task_dispatch_hook

858a20c: 100D: enabled CONFIG_ALLOCATE_MEMORY_POOL and classic boot process
(similar to 6D, reserved 592K at the beginning of AllocateMemory pool)

5b0b23e: Merged new-dryos-task-hooks into 100D_merge_fw101
(note: 100D will not boot until fixing memory allocation)

261ca8a: 6D: 592K reserved at the beginning of AllocateMemory (simpler code)

02965e5: 100D: enabled CONFIG_EDMAC_RAW_SLURP

1762542: Merged qemu into new-dryos-task-hooks

b6468e0: Merged unified into new-dryos-task-hooks

b8f3e05: boot-hack: fix wrong comments (AllocateMemory != system memory)

fc545d1: sync FIO stub changes introduced in unified

ef01395: Merged hudson/magic-lantern/unified into 100D_merge_fw101

5afed4d: fix suggested by a1ex for

c8b7f50: use MENU button for calling zebras in playback mode.
requested and
w/o this menu button would open Canon menu and quitting playback mode anyways. If one needs to do so just press halfshutter or play button(s) to quit playback mode and afterwards the menu button.

22928a1: we indeed can switch between YUV422 addresses
also sync MOV_RES_AND_FPS_COMBINATIONS value (Digic5)

83173fc: adjust movie related consts

e902a88: Merged hudson/magic-lantern/unified into 100D_merge_fw101

744f586: remove custom symbol file handling
(leftover from fw revisioning 100D_100A/100B)

8433bca: fix curent_interrupt stub (thx @a1ex)

67cf458: add missing task related stubs

155d57f: Backout changeset 1914eafc755cad2f2ebb17a4bde35949deb5eacf

1914eaf: fix wrong stub, as suggested

bc6d41d: flexinfo refinement (switch back to COLOR_FG_NONLV)

efad6c5: adopt celsius display and apply color related adjustments

81386c6: use INFO button to disable ML during boot

25c196b: fix indentation

6694d6a: Merge unified

4a394d3: prepare for edmac_raw_slurp

08cfbd1: Merge unified

7f18e89: Merged unified into 100D_merge_fw101

60a2c84: trying to fix the version numbering for the last time ;D
must have been sleeping

48ab54d: fix faulty version numberings

0164b73: cleanup part2

0e58df5: cleanup part1

71e3947: initial ML port for FW1.0.1 -> getting rid of revision handling

d823c4c: Created new branch 100D_merge_fw101

ebd35b4: Merged backtrace into qemu

bcfbe3b: GDB scripts: comment out DebugMsg (prefer -d debugmsg instead)

0ff5205: identify DebugMsg from GDB script if not set
(moved from
also print command-line after clearing the screen

9104bf2: QEMU: GDB scripts for 50D and 6D

e4376a1: backtrace: moved sources to src/ to avoid symlinking (cross-platform issues)
and let the install script figure it out

2968edb: Merged backtrace into qemu

4a03838: Merged unified into qemu

115fe25: backtrace: brute force stack scanning as backup strategy (idea from g3gg0: gdb.c, gdb_get_callstack)

ab6d33c: backtrace: fix BKT_RANDOM_BRANCHES experiment

fbb532b: backtrace: BX LR is never encountered during tests

3db5423: backtrace: fix stack overflow

64d4726: run_ml_all_cams: fix missing quote

f3780ad: QEMU logging: backtrace test script

595b8b8: run_ml_all_cams: prefer single quotes instead of \$ for options

6b6c5c5: run_ml_all_cams: allow full customization of log file name

6400dc7: Stack traces for crash and assert logs, using the backtrace backend

b9c5214: Updated backtrace.c to work on the camera as well
(same source file for both QEMU and ML)

4e7c966: arm-mcr.h: fixed read_lr (not sure what the problem was) and added read_sp

29f6edc: QEMU logging: experimental stack trace routine (backtrace) that does not require prior instrumentation
it attempts to walk the stack, emulating instructions that change LR, SP, function returns and tail calls
some more experiments and self-tests are available as compile-time options
this method can be adapted to run on the camera as well

9a966eb: run_ml_all_cams: fix copying zip to SD/CF image

695235c: QEMU logging: fix assertion when printing callstack from interrupts on Thumb code

965584e: QEMU logging: save/restore callstack exec state for each DryOS task when handling interrupts
This fixes calls/returns that were missed if an interrupt happened exactly before the jump
(non-deterministic issue; was fairly rare and not obvious)

870370f: QEMU logging: indent now public (eos_indent); larger buffer

f7a8977: QEMU logging: CALL_LOCATION for eos_callstack_get_caller_param; fix CALL_DEPTH

dfa8c40: QEMU logging: overriding LR no longer needed in call_stack_push

aaa41f3: run_ml_all_cams: fix copying zip to SD/CF image

cd37857: QEMU logging: do not report jumps from tight loops
otherwise, some loops would print a huge amount of jumps (unnecessary)
these would slow down certain tests a lot, e.g. 5D3 callstack on fromutility

1edb651: QEMU logging: record direct jumps to function calls (many such calls in DIGIC 6)

8b90df8: QEMU logging: log task switches before other items
otherwise, consistency errors may appear - see
minor differences in VxWorks tests

dea9a09: QEMU: ignore CBZ (on Thumb-2 code)

d9d4d65: run_ml_all_cams: use multi-line QEMU_SCRIPT's (nicer formatting)

fee11f9: run_ml_all_cams: fix BOOT=0

0b67e0c: run_ml_all_cams: fix ML_PLATFORMS when not specified

8ebfcc8: QEMU: 650D GUI

67deddd: QEMU: 650D GUI (including tests)

3049e97: QEMU: 1300D updates
- SD interrupts (DCIM test passed)
- HDMI status (minor)
- GDB script updated for latest firmware
- patch JPCORE (fixes assert)

2facd3e: QEMU tests: removed MENU_CAMS (all GUI_CAMS are now able to browse Canon menu)

47994c3: QEMU: 70D menu tests (format test not working)

08dde97: QEMU tests: only print ROMCPY messages before the first interrupt

a2ad3bd: QEMU: options for to compile and run a given set of ML platforms, from any HG changeset

efb2dcf: QEMU: updated as discussed on EOS M2 thread

70592bd: QEMU: flush after qprintn, so the output will appear right away

a5b489e: QEMU logging: handle %c with -debugmsg

225c660: QEMU logging: minor fixes for -d autoexec

6968862: QEMU: updated 5D4 GDB script and tests for 1.0.4

2773fc1: QEMU logging: workaround to handle some missing return from interrupts
(updated 600D and 1100D unique function tests - they differ by one function)

b8a0b80: QEMU: EOS M2 tests + patches.gdb

5fa8899: QEMU: OOB fix from

6b3b4d5: Merged in daniel_fort/magic-lantern/qemu-EOSM2-wip_1 (pull request #835)
QEMU EOSM2 preliminary setup.

1de8d88: Updates to debugmsg.gdb

5bddd34: Found correct values by checking against 1.0.2 firmware.

078d3b5: I’m pretty sure “set *(int*)0xFF356DE8 = 0xe12fff1e” is wrong but everything else should be good.

aa849bb: Added EOSM2 to mph.c

76097c1: Updated EOSM2 debugmsg.gdb file.

2b8378e: Added EOSM2.h file, copied from 100D.

2a61375: Copied button codes from 100D to EOSM2.

f69e35f: Added EOSM2 in supported cameras list.

3d14927: Added mpu registers to EOSM2 in model_list.c

d0028cf: Merged qemu into qemu-EOSM2-wip-1

bdd3ae2: Merged latest qemu commits

af3e5b8: Merged in qemu commits

23a8c2d: Added items from ML on EOS-M2 forum post:

6099a11: EOSM2 preliminary setup.

3124887: Merged in daniel_fort/magic-lantern/qemu-build-tweaks-2 (pull request #836)
Qemu build tweaks 2
Approved-by: Daniel Fort

e7bb2c9: -s option not needed with uname.

576af0a: Check for mounted EOS_DIGITAL disk image handled differently on OS X.

f8a0b00: Merged qemu into qemu-build-tweaks-2

f33c089: Merged qemu into qemu to prevent multiple heads.

d09f1b9: Changed shebang for portability. Missed these two scripts in my last pull request.

830451b: OS X doesn’t require root permissions to mount disk image.

4a991e5: Use hdiutil on OS X systems.

f3506bd: Merged in daniel_fort/magic-lantern/qemu-build-tweaks-1 (pull request #834)

9912f99: QEMU: updated reference data for sorted IDC tests on some models
(100D, 700D, EOSM, 5D)

53384d7: QEMU: 80D patches.gdb
(required to run the stack trace check on a DIGIC 6 model with DryOS task switches)

2801b8d: QEMU logging: fix some rarely missed jumps
(usually in return from interrupt)

2c0ee53: QEMU logging: fix Thumb PC in call stack traces (for DIGIC 6)

8400e34: QEMU test suite: check callstack consistency
(whether verbose stack trace matches the call/return trace)
(also checks context info, such as current task or interrupt)

6b2ce04: QEMU: do not log UART messages when it's redirected to a file
(-serial file:out.log)

49b5e9e: QEMU: with -d calls, always align location information
(insert a newline on very long lines)
(updated tests)

a1d759c: QEMU: also log interrupt ID when using -d calls

90f73ee: QEMU: use verbose stack trace for DebugMsg and GDB scripts
(each call on its own line - much more readable)
to get callstack for every single DebugMsg, use "-d debugmsg,callstack,v"
or, for GDB scripts: "-d callstack -s -S" for QEMU, "macro define PRINT_CALLSTACK 1" in the GDB script, without quotes)

a23f3fe: QEMU: option to log DebugMsg calls natively, without GDB scripts
(much faster; very similar to nkls' initial implementation)

0782bfb: QEMU: redirect the monitor console to qemu.monitor unix socket
(to restore the old behavior, run with -monitor vc)

0e2ff63: Merged in daniel_fort/magic-lantern/qemu-build-tweaks-1 (pull request #834)
(fixes for building QEMU on Mac)
QEMU build tweaks 1
Approved-by: Daniel Fort

0e7529c: Merged in latest qemu commits

9d6000c: QEMU: parameterized MPU spells for PROP_CARDn_STATUS;
updated WriteProtect handling on most DIGIC 4/5 models
(otherwise, these GUIs would show the card write-protected dialog)

46711f9: QEMU: use timestamps to decide the relationship between MPU spells
(only messages received shortly after a mpu_send call should be considered replies)

d9d06e7: QEMU: warning about duplicate MPU spells
(they will show where the communication may depend on state)

dba399a: QEMU: include a description for each input MPU spell
(updated with definitions for some known spells)

4217f46: Suppress printing an error message if the command isn’t found.

293fd54: Changed shebang in bash scripts. This should make them more portable. An issue came up because the Macintosh uses an older version of bash in /bin/bash and we want to use a newer Homebrew installed version in /user/local/bin/bash without breaking other setups.

dfe7530: QEMU: parameterized MPU spells for UILock and NotifyGUIEVent

9dad505: QEMU: parameterized MPU spells (experimental)

a55cd40: QEMU: incomplete half-shutter emulation
(fixme: it should show the metering indicator or close menus/dialogs)

575c170: QEMU: menu navigation works on 5D3 1.1.3

c1a7c47: QEMU logging: minor cleanups

c70e94c: QEMU logging: moved ABI checking in its own routine (minor refactor)

e764ef2: QEMU logging: moved -tasks in its own routine (much faster)
note: task switching locations differ on VxWorks models after this change
(they are approximate anyway)

0784cd2: QEMU logging: option to enable verbosity only when autoexec.bin is loaded
(useful for new ports; bootloader can be very verbose with certain logging settings)

eedf340: QEMU: exposed callstack to GDB and ML guest code
based on nkls' first implementation of DebugMsg helper
assert in gdb scripts now always prints the call stack

24f1e46: GDB scrips: task switch logging helper (pure GDB)

313f7ad: QEMU logging: stronger test for ML stubs
(fixes some non-function symbols that appear when compiling ML with -ggdb)

896a1f5: Experimental debug info in magiclantern elf file
it allows mapping from code address to source line
(example: eu-addr2line -s -S -e magiclantern 0x50d60)
it should not end up in autoexec.bin or affect it in any way

5f0db05: QEMU logging: attempt to guess strings and named functions in call/return trace
(adapted from dm-spy-experiments)
(self-test results updated)

43885e0: qemu-util now always available (in dryos.h)
(these functions are only compiled with CONFIG_QEMU=y; otherwise they are just type-checked and optimized out)

7cb9756: boot-hack: fix boot with CONFIG_QEMU on some models
(qprintf/vsnprintf reboots the camera because it's not yet initialized)
also added a safeguard to prevent such mistakes

90cb9be: QEMU test suite: fix PowerShot tests using wrong debugmsg.gdb

2ce28c8: QEMU logging: fix copy/paste error in ROM block autodetection

3726245: QEMU logging: explicit option to show task switches
(rather than hijacking callstack)

c8351c4: QEMU test suite: list memory blocks copied from ROM during bootloader tests
(both EOS and PowerShot firmwares)

932f224: QEMU logging: allow ROM block copying in arbitrary increments, up to 128-bit
mixing memory access sizes is allowed too
the block must be copied sequentially, from left to right or from right to left or mixed, with no gaps at any moment during the copy operation
copying e.g. 16 bytes from/to offset 0, 16 bytes f/t 0x10, 4 bytes f/t 0x20 and 1 byte f/t 0x24 will be considered a 0x25-byte block
but copying 16 bytes f/t offset 0, 4 bytes f/t 0x14 and then 4 bytes f/t 0x10 will be treated as 2 adjacent blocks (16 bytes and 8 bytes); that's because of the gap during the copy operation
only blocks larger than 0x40 bytes are printed

1b8c321: QEMU logging: experimental option for finding memory blocks copied from ROM to RAM
(only 32-bit sequential copies for now)

d1af24b: QEMU logging: fix memory logging selection in complex cases
e.g. romr,ramw should only log ROM reads and RAM writes
in simple cases (such as just romr or just ramw), hooks are installed only for the selected operation (read or write)
in these cases, additional checks will be redundant
however, with complex cases such as romr,ramw, hooks are installed for all reads and and all writes
so we can no longer rely on the hooks (being installed or not) for filtering the results

33ea5e4: QEMU logging: fix task info on Eeko

cf0f2ea: QEMU logging: quiet some jumps that are not function calls (frequently used on Thumb-2)

51af2a7: QEMU: fix CSS in HTML logs from subdirectories

d92f5b3: QEMU scripts: allow loading symbols from any ML target (e.g. minimal, installer)

8867df0: QEMU: .current_task_addr for most models
(where it was already known - copied from ML stubs or from debugmsg.gdb)

dfa166b: QEMU logging: experimental task switch detection (DIGIC 2-6)

582f32e: QEMU logging: attempt to fix a rare crash when returning from interrupt

5e7dc4d: QEMU logging: fix VxWorks return from interrupt; refactored interrupt detection on DIGIC 6

4fe5ddf: QEMU test suite: fix call/return trace logs being trimmed way before the first interrupt
(the deterministic part is usually much larger than previously covered)

4d8dbe0: QEMU test suite: also report nested interrupts

0e6ee38: QEMU: fix minor regression in DIGIC 6 bootloader
(introduced in 7f1ba92; some tests changed)

195b998: QEMU logging: minor rename

06aecd4: QEMU test suite: workaround for the non-determinism in the sorted IDC test
(retry up to 5 times until it succeeds)

3941fd9: QEMU test suite: more tests for call/return trace and IDC scripts (including Thumb, interrupts, secondary cores)
Not all models are passing.

6ed53d7: QEMU: fix cache lockdown printf's (they should go to stderr)

0c628a4: QEMU: fix handling UART interrupts with serial redirected

89cd3a1: QEMU: fine-tuned verbsity of various components
(interrupts, digic timer, DMA, serial flash, CFATA)

52b2428: QEMU logging: fix call identification on Thumb (eeko)

749068b: QEMU logging: fix crash on 5D3 eeko

b8a71e7: QEMU: changed REG_PRINT_NUM so it no longer includes a newline; updated boot-hack and fixed regression in boot-check logs

43e3d51: QEMU: warn on ROM size mismatch

9fbba7a: QEMU clear screen on each run

24a9c1b: QEMU logging: experimental symbol name loading from ML object files
example (bash): . ./ 500D.111; ./ 500D,firmware="boot=1" ...
fixme: QEMU elf loader patched in a not very clean way

2bad7cd: QEMU logging: simplified function call detection a bit more
(results should be unchanged)

42cb918: QEMU logging: always guess function arguments located on the stack
(-d calls now implies -d ramr)

1c55172: QEMU logging: explicit option to export to IDC
(-d idc)

6eed828: QEMU logging: check R4-R11 and SP when returning from function calls
(all registers now stored on the call stack)

1417f37: QEMU logging: in IDC comments, record task name when available and drop prev_sp

608645a: QEMU logging: basic test for IDC (function list only)
(useful when formatting changes)

814fa8f: QEMU test suite: nicer way to interrupt our background QEMU process

5b7bc89: QEMU logging: simplified function call detection
(results should be unchanged)

056b4f8: QEMU logging: indent callstack locations at 80 chars
indent amount configurable at compile time
tests updated

4c3f62f: QEMU: 1300D current_task_addr

5fb4fac: QEMU: initial GDB script for 1300D; display test

970d607: QEMU: initial support for Mac and clang in install scripts (to be tested)

77f8c0c: QEMU: fix compiling with clang

dbbd3bc: QEMU test suite: removed basic GUI test (redundant)

8c13efd: QEMU test suite: tests for callstack and call/return trace

758e5ef: QEMU: disable gray noise that appeared until GUI initialization (faster)

96c0c0d: QEMU logging: minor callstack speed optimization

b9d26fc: QEMU logging: in call/return trace, print caller (from call stack) instead of raw LR

2e31be4: QEMU logging: callstack speed optimization

469a5bf: QEMU logging: fix handling nested interrupts in callstack

65e8a49: QEMU logging: initial call stack support for Thumb-2 (DIGIC 6)

5cbf495: QEMU logging: attempt to guess additional function arguments from RAM tracing
(use -d calls,ram to enable this)

3de9a10: QEMU logging: print first 4 arguments and return value for all function calls
(with -d calls)

3ee28fd: QEMU: get stack limits of current DryOS task and print them on the call stack
new API: eos_get_current_task_stack

511c988: QEMU logging: API for retrieving various parameters from the call stack
(SP, stack frame size, call depth, function arguments)
note: R0-R3 stored on the call stack
API name: eos_callstack_get_caller_param

31a8bfb: QEMU logging: fine-tune options; auto-enable dependencies

a7f5369: QEMU: indent memcheck and io_log messages according to call depth
new API: eos_callstack_get_indent

6238b07: QEMU memcheck: fix line wrapping in verbose messages about multitasked free calls
(minor; visible with -d memchk,v)

c614583: QEMU logging: generic print_location; refactored memcheck to use it

0221262: QEMU logging: simple call stack printing API, used in memcheck when reporting errors

9d51d21: QEMU logging: experimental call stack reconstruction
ideas from
fixme: requires -d calls,nochain -singlestep
new APIs: eos_get_current_task_id, eos_callstack_indent

fbf5f53: QEMU logging: refactored to split IDC and call logic

5d109f9: QEMU memcheck: split exec hook into components
(malloc and memcpy for now; non-functional change)

38caf78: QEMU memcheck: refactored with CPU env (easier to get register values; non-functional)

d33e262: QEMU memcheck: refactored malloc list with a data structure (non-functional)

00fb273: QEMU memcheck: identify blocks affected by heap errors (messages similar to valgrind)

1a4005e: QEMU memcheck: fix memcpy handling
(do not copy allocation flags, only initialization; fix copying from ROM)

8e46838: QEMU: AbortEDmac emulation

021bc58: QEMU: basic model of EDMAC transfer delay

5d8419d: QEMU: gui/menu tests for 5D2 and 50D

42fe886: QEMU: force line-buffered output for our messages

a4b1a88: QEMU: a few more assertions for memcheck

0da32ad: QEMU: fix card formatting on 50D and 5D2; menu tests for 5D2

66506c0: QEMU: fix CURRENT_CPU outside MMIO handlers
(defaults to cpu0; fixes CF routines crashing when used with -d memchk)
(may need to be changed for EOS M5, when its time comes)

fe3dddc: QEMU: updated 5D2 MPU spells, thanks Ilia. Menu works!

f777356: QEMU: GDB script for 5D2

faee6f5: QEMU: 50D menu navigation tests

9caf786: QEMU: 50D menu navigation works!

bbacfc8: QEMU: 50D button codes

ae595d3: QEMU: fix 50D CFATA and HDMI; GUI boots!

a9096f2: QEMU: 50D MPU spells, thanks jrm21

f571fe2: QEMU: minor speed optimization in serial_flash

98e94f1: QEMU: speed up test suite
(large delays no longer needed)

36ece09: QEMU: CFDMA write works on 5D2 (DCIM test passed!)

f9a6a47: QEMU: fix CFDMA on 5D2 (only read works)

8b68fd2: QEMU: made MPU/SF/SD/CF logging macros generic (in eos.h)
-d sdcf for logging SD/CF messages

d2245b0: QEMU: configurable resolution for digic timer

80169f4: QEMU: updated tests for faster card formatting
(BUSY dialog no longer caught)

9bd3474: QEMU: trigger SDIO interrupt on errors as well
(fixes semaphore timeout after CMD1; to be tested for side effects)

3401f3f: mpu: refactored verbosity; most messages now hidden by default
(-d mpu or -d mpu,verbose or -d io,mpu etc to show them)

80deb63: serial_flash: refactored verbosity; most messages now hidden by default (-d sflash shows them)

98569f7: QEMU: fix memory logging on models with serial flash

47134ac: QEMU: minor fixes in scripts

49aa93c: QEMU memcheck: fix printf's
(should go to stderr)

13d3d12: QEMU memcheck: get ML stubs from environment variables

26a3fce: QEMU memchk: experimental TCM checking
(catches even more null pointer bugs)

1b020f8: QEMU memchk: moved stubs in a data structure, for easier porting

1f6a52c: QEMU: highly experimental memory checking tool (-d memchk)
(stubs hardcoded for 500D)

62f8fca: Memory logging: fine-tuned messages

35a8497: QEMU: moved our memory logging routines to logging.c

540bb08: QEMU: moved our calls logging hook to separate file; preparing to add more tools

53f8679: QEMU: hook called when execution a TranslationBlock
(todo: move the hardcoded analysis tools from cpu-exec)

ab614b1: QEMU: use 64 bits for qemu_loglevel; renumbered and defined some more options for future use

70ea686: QEMU: output all our messages to stderr
(should fix colors getting mixed up)

f3286de: QEMU: use macros for ANSI colors

8b4d4cb: QEMU: minor fix in UILock.h
(todo: parameterized MPU messages)

ce3cde7: QEMU: compile with code coverage (gcov); helper script for lcov

d5b43fa: QEMU test suite: updated portable ROM dumper link; added 1300D

611711b: QEMU: log DMA memory accesses as well; self-test to make sure all writes are logged
(the test works by rebuilding a second copy of the RAM from the write trace, and comparing with QEMU's copy)

f31088f: QEMU: experimental logging of guest memory accesses (LDR/STR, RAM or ROM)
didn't call it "memory tracing" as it doesn't use QEMU tracing API
removed old TRACE_MEM code

4815be6: QEMU: fix apparently random lock-up (interrupts no longer triggering, for no apparent reason)
(bug introduced in 24909946bb90)

d2463b7: QEMU: fix io_log crash on get_current_task_name
(to reproduce: 450D with -d io)

f695185: QEMU: experimental MPU support for 1300D
(it seems to work, to some extent, but we need a startup log from a real camera to get further)

486a568: QEMU: flash model ID for 1300D (fixes startup assertion)

cbf042b: QEMU: initial support for 1300D, thanks adamnock

ae248f7: QEMU: model ROM as ROM device, rather than RAM
(writes are allowed and logged)

ede93ed: QEMU: support for multiple firmware versions (e.g. 5D3 1.1.3 and 1.2.3)
example: ./ 5D3,firmware="113;boot=0"

93a3e27: QEMU: minor fixes for helper scripts

ef5e720: QEMU: allow arbitrary targets in (e.g. minimal); small fixes

a9e7221: QEMU: minor fixes for helper scripts

b474ef0: QEMU: save HTML logs to subdirectory

1aa445d: QEMU: helper scripts for automated tests on all ML cameras

f6450e4: QEMU: fix compiling HPTimer test (requires CONFIG_QEMU)

2ffdd0d: QEMU: script to clean up redundant ANSI escape sequences from logs

6192929: boot-hack: more debug messages with CONFIG_QEMU

3f09215: QEMU: guest API for disassembling code at any address

6c2908d: boot-hack: debug messages when compiling with CONFIG_QEMU
(useful for new ports or for troubleshooting non-booting situations)

4cf806e: qemu-util: helper to print numbers to QEMU console very early in the boot process

cc309c9: qemu-util: allow using qprintf without guarding every call by CONFIG_QEMU
(dummy inline functions on regular builds; simplified console.c)

5c78942: QEMU: fix signed EDMAC off2 on DIGIC 4

1fc73e1: QEMU: disabled battery cover emulation on 60D and 100D
(interferes with some GUI tests)

5ac5156: QEMU: non-deterministic lock-ups solved, thanks nkls!
(retries no longer needed in the test suite)

855a2f2: QEMU: mutexes no longer needed after refactoring

56f8d13: QEMU: refactored interrupt thread using QEMUTimer
(credits: nkls, )

94a1997: GDB scripts: helper to log the return value of any function

fe3dfbb: QEMU: GDB scripts and task address for 100D

9cff2f9: QEMU: battery cover emulation
(with various degrees of success)

cc113f0: QEMU: another fix for gcc 4.x/6.x
(amend commit 242d6f1)

cdb42ea: QEMU: updated instructions regarding CONFIG_QEMU (it's no longer required)

242d6f1: QEMU: updated configure script to fix compilation with gcc 4.x and 6.x

41e331c: QEMU test suite: always wait after terminating qemu-system-arm
(might fix some intermittent VNC issues)

e9e3ed7: QEMU: skip a few tests on 1100D and 1200D, that are very sensitive to timing (processing speed)

6957508: QEMU: updated help in install script

0693628: QEMU: updated 60D tests

1d5511a: GDB scripts: 700D patches (required for GUI emulation)

c4e6358: QEMU: fix commit b36254 (missing files)

b362541: QEMU: menu navigation and card format tests for 60D, 550D, 600D, 700D, 100D, 1100D, 1200D

d29dbdb: QEMU: updated GUI test result for 60D, 100D, 1100D, 1200D
(after GUI emulation, they boot to date/time menu rather than info screen, but you may now click OK to bypass it)

0b35f5c: QEMU: ported 500D GUIMode/UILock/format spells on 550D, 60D/1200D/1100D, 600D, 700D, 100D.
Canon menu navigation and card formatting works on all these models!

805b084: MPU spells: comment out button events

8af0189: QEMU: updated formatting of MPU spells to make them self-contained
(easier to copy/paste around)

5645a69: QEMU: fix 100D lockup

c881ba2: QEMU: fix display waiting routine (EnableBitmapVBufferForPlayBackAndWait)
This unlocks menu navigation on many models!

d37de6c: QEMU: initial support for 7D (slave core only, IPC disabled)

e70e0cd: QEMU test suite: minor speed-up when waiting for specific text in the log file

d6454bf: QEMU: moved HPTimer test from qemu-util to a minimal test binary;
added a test for current task name and current interrupt ID;
should work on all models that can load autoexec.bin and start a few tasks (no need for GUI)

2575c0c: QEMU: aggressive LED redraw

bf41cb1: QEMU: better handle double-buffered displays (minor)

69fc2d2: 7D: fix minimal target
(also removed some custom installer settings)

c905f43: 6D: fix minimal target

ba2f322: Merged task_name into qemu

ac20d58: qemu-util: moved register definitions to header

43c11d8: QEMU: restoring ML after format works too (500D)
This test requires patched vncdotool (patch included).

20b5b68: QEMU: formatting the virtual card works! (500D)

7aa5fa6: QEMU: run all tests with custom card images
(fixes false error on 500D menu test - free space reported in menu should not depend on user card contents)

3a97582: QEMU: fix ML helper MMIO (regression from M5, 7534423f)

cf96ee7: QEMU: fix USB connect on DIGIC 4 models

bdbd3e9: QEMU: more dialogs working on 500D!

784580e: QEMU: fix handling INFO and PLAY (typo)

71563c9: QEMU: fix IDC output for large runs

2efe1a0: QEMU: fix typo in extract_init_spells

978e6be: QEMU: use unix sockets for menu test

d373382: QEMU: menu navigation test
(500D for now)

8145cf2: QEMU: fix race condition in key handling
(very fast clicks are OK now)

a4b8fe9: GDB scripts: initial 1100D support (DebugMsg, task_create, SetEDmac)

9d50cd9: GDB scripts: date/time patches for 500D, 550D, 600D, 60D, 70D

bf092df: qemu-frsp: fix compilation for 5D3 (use 1.1.3)

39164cf: Merged unified into qemu

46bd96d: QEMU: 500D MPU spells (menu navigation works, thanks Greg)

679028e: QEMU: current_task_addr for 500D, 550D and 600D

4aa69e9: QEMU: fix LED not redrawing properly

0436581: QEMU, annotate some more properties; fix minor quirks (comments only)

9e5b512: QEMU: experimental multi-core emulation for M5

7534423: QEMU: initial support for EOS M5 (first core only; starts a few tasks)

7f1ba92: QEMU: initial support for EOS M10 (starts a few tasks and mounts the SD card)

32d3908: QEMU: option to log function calls and export them to IDA (-d calls -singlestep)

0319ffb: QEMU: 500D GUI test

7a7f858: QEMU: refactored 8-bit palette handling
(removed duplicate code)

f739333: QEMU: handle 8-bit BMP palette menu mode

36084dc: QEMU: GDB scripts 500D

d583374: QEMU: GDB scripts 500D

ac8dadc: QEMU: disable JPCORE (fixes DCIM test regression on EOSM)

279666c: QEMU: 100D boots Canon GUI, 70D shows date/time screen!

4a3d468: QEMU: fix hotplug events on EOS M

4192b7f: QEMU: first steps for JPCORE emulation

12369bb: QEMU: attempt to follow the MPU spell sequence even if some messages are repeated

df741f8: QEMU: use larger delays before tail in

b35c551: QEMU: allow retries in some tests, until successful
(there are some nondeterministic bugs in the emulation)

b57afe1: QEMU: workaround for MPU communication sometimes getting out of sync

8299cc8: QEMU: updated 700D and EOSM display test checksums to match dumps from dfort

dd961b6: QEMU: fix eeko path

e0124e8: QEMU: allow arbitrary working directory via $QEMU_EOS_WORKDIR

4fc69b3: QEMU: EOSM passes the DCIM directory test

e3bd1d8: GDB scripts: EOSM patches (startup sequence works)

68413b3: QEMU: some definitions for 700D and EOSM

135a6ee: QEMU: current_task_addr for 1100D

c10d86c: QEMU: first steps for handling 5D3 eeko communication with main CPU

852127f: QEMU: minor update to 5D3 eeko memory map

a317356: GDB scripts: 5D3 eeko interrupts

87f08fa: QEMU: handle EDMAC offset 0x40

16ea5c1: GDB scripts: initial support for EOS M; minor fix for 700D

b2ae50b: QEMU: MPU spells for 700D and EOSM (logs from dfort)

f4ef5e6: QEMU: updated 1000D support for 1.0.7
(GDB script, display test checksum, fix current task address)

7ac7415: QEMU: Eeko DryOS timer (not sure it actually works)

74ba3ae: QEMU: run Eeko from RAM dumps; minor updates

6940830: QEMU: quiet cache maintenance registers

8d2c628: QEMU: print description of some MPU registers as they are set (reveals memory map)

22a753d: QEMU: option to enable UART debug logging (-d uart); mark "-d io" option as EOS-specific

f41ca66: QEMU: Eeko UART emulation (can navigate the debug menu)

4c858e5: QEMU: Eeko interrupt registers

aded9e3: QEMU: initial support for 5D3 Eeko (a small DryOS core running Thumb-2 code)
credits: g3gg0 for identifying it

c1fc7e7: QEMU: fix SDIO regression on M3

8822a3b: QEMU: include LR in MMIO logs

e323fdd: QEMU: fix CHSW assert on M3

e3a5d5c: QEMU: emulate photo capture process on 5D3
- more DMA channels (EekoBltDmac = DMA5)
- Eeko WakeUp
- MMIO size 0x20000000
- image data on connection 35
- the test requires some patching, because 5D3 does not initialize the YUV buffer at startup

5e91ed8: QEMU: DCIM test appears to work on 450D as well
... given enough retries :)

a3b80e3: QEMU: code for listing EDMAC interrupt names (for dm-spy-experiments)

8a35400: QEMU: emulate all EDMAC size configurations!
(xn,yn,xa,ya,xb,yb,off1a,off1b,off2a,off2b,off3 for both read and write transfers)
Also included a function to pretty-print an EDMAC configuration.
Test code and details will follow.

679d301: QEMU: 450D MPU spells and button codes

4282e53: QEMU: fix 5D4 ram_manufacturer_id; updated display test result for latest ROM

88d8588: QEMU: fix EDMAC off1 for DIGIC 3

aa6eb59: QEMU: handle EDMAC "pop" operation

d5cc0c5: QEMU: refactored MMIO registers with macros for direct mapping to variables (less verbose)

b4485f5: QEMU: dummy Furikake emulation for 60D (just copy the data from input to output)

378cd8c: QEMU: partial EDMAC transfers (incomplete)

a0dc54e: QEMU: fix EDMAC connection count; asserts

ad0483c: QEMU: full-res silent picture test (working on 60D and 1200D)

f7b1c5e: 550D: fix compiling minimal target

00a3f1e: Minimal test binary for taking and previewing a full-res silent picture, for QEMU test suite

89c0cd0: Merged cleanup into qemu

b60c973: Merged unified into qemu

38b1392: QEMU: reordered tests

3159ea0: QEMU: file I/O test from main firmware (creating DCIM directory if missing); only works on a few models for now

1ce10ee: QEMU: portable ROM dumper test (works on most SD models)

7c8067f: QEMU: PIO SD transfers (450D mounts the SD image)

3139894: QEMU: always print SDIO errors

506411c: QEMU: fix SD interrupts on 450D (attempts to mount the card, but fails at sdPIOReadBlk)

4e4f87d: QEMU: current_task_addr for some VxWorks models (for MMIO registers)

50e1d62: GDB scripts: ignore %R in DebugMsg (40D: "%RegisterCBRSetupRequest")

1cfceb8: QEMU: initial MPU support for 450D, with 60D spells

f76bb1c: QEMU: fix VxWorks heartbeat (including HPTimer workaround)

d5f80c5: QEMU: handle extended HPTimers (VxWorks heartbeat seems to work)

9e1271e: QEMU: EDMAC interrupts for DIGIC 5

9cf1533: QEMU: 550D shows date/time screen (EDMAC fix)

629b279: QEMU: emulate the picture taking process (can take a full-res silent picture on 60D and save it as DNG)
- EDMAC transfers: handle xa, ya, xb, yb, xn, off1a, off1b
- dummy head timer emulation (just triggering an interrupt)
- dummy emulation of the HIV image processing module ("consuming" row/column correction data)
- note: the code from silent.c and raw.c must be patched to avoid GUI mode changes (patch not included)

b526534: QEMU: dummy emulation of image preprocessing modules (ADKIZ also triggers interrupt on 60D => evfInit succeeds)

e04be24: QEMU: partial EDMAC transfer emulation

810b761: GDB scripts: log some EDMAC calls (60D stubs)

acdaf2c: QEMU: updated 40D and 100D display tests for latest firmware versions

3e4002f: also copy test scripts

ad535bd: QEMU: UART support borrowed from hw/arm/digic.c (cc frantony)
To use it: "View -> Serial0" or "-serial stdio" or "-nographic"
Also updated test script.

0653508: QEMU: initial support for 5D4 AE processor (K349AE)

f04d4db: QEMU: test for GDB scripts (not all models working; fixed 7D2 and M3)

ea50ca5: QEMU: refactor to avoid duplicate camera lists

9576f15: QEMU: fix 400D startup messages

09d70ee: QEMU: quiet 60D hotplug activity

2c1e96c: QEMU: refuse to run if any of the card images is mounted

04b1397: QEMU: fix 5D4 display emulation; updated SD image with new display test

b9a749d: QEMU: initial support for 5D4 (SD image updated too with latest display test)

d44e953: QEMU: initial support for 40D, 400D and 450D (display test working)

337cfac: QEMU: 5D runs the display test

cc8ef08: QEMU: experimental CFDMA support (5D loads autoexec)

7dd8ec7: QEMU: fix 50D (display test works)

32309d7: GDB scripts: increase tcp connect timeout

43f130d: QEMU: initial support for 5D (no autoexec yet)

dad0b0a: QEMU: initial support for A1100 (proof of concept, CC frantony)

a07d2ab: GDB scripts: 1000D task info

3aad46d: GDB scripts: check CURRENT_TASK before dereferencing (to avoid nonprintable output when invalid)

afccd7d: Updated SD image with display test updated for VxWorks
Also updated screenshots' MD5 (the new test prints an extra line)

8303a4a: QEMU: 1000D display from bootloader

2490994: QEMU: initial support for 1000D (DIGIC 3)

f5399e7: QEMU: moved RAM and TCM parameters to model_list.c; fixed TCM size on DIGIC 6

1c30060: QEMU: assume 80D bootloader on 7D2 for now

493db1c: QEMU test suite: also prepare a temporary CF card image

0aada94: QEMU test suite: more robust handling of temporary SD card image
(previous image is restored even if you press CTRL-C while preparing the new one)

3461ad7: QEMU test suite: custom test for EOS M3

99d05c4: QEMU: testing scripts (first attempt to write a test suite), covering:
- bootloader jumping to main firmware: works on most models, except 7D (50D not tested)
- portable display test from bootloader: works on most models, except 7D (50D not tested)
- Canon GUI test (screenshot): works on 60D, 5D3, 1200D, 1100D, and - to some extent - 600D
- SD/CF read/write tests (bootloader ROM dumpers, startup on formatted card, minimal file I/O from ML)
- tests for gdb scripts (e.g. does it display task_create calls? does the GUI boot under the debugger?)
- various device tests (timers, EDMAC, LED blinking, serial console...)
- tests for Magic Lantern binaries, to be run on the nightly build server

c1d5a86: QEMU: fix LED emulation on most models

be762db: QEMU: fix LED emulation on 5D3

eda2afd: QEMU: fix SDDMA handling on DIGIC 6 (EOS M3 now loads DISKBOOT.BIN from the card)

3a74515: GDB scripts: log more register_interrupt calls on EOS M3

f65d41b: GDB scripts: log more DebugMsg calls on EOS M3

5600f9e: GDB scripts: refactored DebugMsg to allow code reuse

ec3a565: QEMU: revised sound patch EOS M3 (was patching a generic semaphore routine; fixes SD init)

6fd673a: QEMU: card LED emulation (not all models tested)

60bf4f3: QEMU: battery patch no longer needed on EOS M3 (Ant123)

727e31b: QEMU: load ROM0 (aka SECONDARY16.BIN) on EOS M3

3b1e6d0: QEMU: moved rom[01]_addr to model_list.c; fix ROM1 address for D6

dc3dc61: QEMU: initial support for 750D and 760D

4a7e2b2: QEMU: moved RAM manufacturer ID to model_list.c (80D)

021c9b4: QEMU: experimental cache hack emulation (very incomplete; 60D dm-spy works!)

8f8e95d: QEMU: updated Makefile options and comments

a088788: QEMU: 700D serial flash + GDB scripts

5f2fb31: 100D: fix divide-by-zero caused by Set_AVS.

7233fed: QEMU: Fix serial flash, add 100D spells.

83ddccc: QEMU: 5D3 1.1.3 boots Canon GUI!

289e7f4: QEMU: fix a display init lockup on 5D3. Canon GUI runs on 1.1.3!

0d1f11a: QEMU: hotplug registers for 5D3

4431c83: QEMU: fix SDIO response bytes order (fixes SD identification; now works on DIGIC 5 too)

3e4f2ad: QEMU: minor display fix

d19a4ba: QEMU: dummy EDMAC emulation (experiment)

e294a7a: QEMU: moved ROM files under camera subdirectory; you no longer need to concatenate them; they can be made optional (for cameras with only one ROM)

c4a6850: QEMU: better CPU model for DIGIC 6; removed Thumb interrupts hack

bffa4eb: GDB scripts: minor speed optimization for DebugMsg

1074dc6: QEMU: disabling signature check at startup no longer needed

ed49a71: QEMU: P15 patch no longer needed on M3

a15d244: QEMU: SD write protect (boot) switch for M3

240a20a: QEMU: SD1stInit appears to work on EOS M3

d8e3324: GDB scripts: print SD1stInit messages

2a8246b: QEMU: battery level for EOS M3, from Ant123

3e340a4: QEMU: PhySw values for EOS M3, from Ant123

9fe42ad: QEMU: ADC values for EOS M3, from Ant123

09b48a2: QEMU: also log CP registers ignored during emulation (ARM_CP_NOP, LOG_ALL_CP_READS/WRITES)

b183fd0: QEMU: fix use after free when using LOG_ALL_CP_READS

a7fc585: GDB scripts: 80D patch (tasks starting now)

6f73770: QEMU: log all CP register reads

d8f9ec6: GDB scripts: list 80D memory regions

a9d933e: QEMU: updated usage examples in

952aecc: QEMU: hijack machine option "firmware" to pass machine-specific parameters via command line
for example, to enable the boot flag: ./run_canon_fw 60D,firmware="boot=1"

2ccff7d: QEMU: moved HPTimer interrupt to model_list

3b7b762: QEMU: moved bootflags address to model_list

35c71dc: QEMU: bootloader display working on 80D!

a967d76: QEMU: clock enable register on DIGIC 6

3bc2816: GDB scripts: 80D DebugMsg, tasks, interrupts

fb99f82: QEMU: fix crash when bootloader display buffer is not set

43093ec: QEMU: 6D patches no longer needed

72d8e01: QEMU: fix some button codes

1d4c8a3: QEMU: most patches no longer needed for 7D2 either (it runs with 80D bootloader)

f606914: QEMU: CP15 patches no longer needed for EOS M3

d25df1e: QEMU 80D: initial support for SDIO/SDDMA; loading autoexec.bin works!

4142c1b: QEMU 80D: bootloader emulation works!

920787c: QEMU: initial support for 80D

7a9bf1e: QEMU: removed old key handling code and other hacks that are no longer needed (at least on those models that can boot the GUI)

6751c99: QEMU: fix install

c3b5617: QEMU: fix 100D scrollwheel codes

2065ec8: QEMU: cleaned up some button code names

a691bb6: QEMU: make MPU init spells static

c90ea4f: QEMU: a few more button codes

7765da8: QEMU: refactored MPU key handling to remove duplicate button codes

99413e5: QEMU: print help regarding available keys

d40c4d9: QEMU: script to extract MPU button codes from ROMs
(it emulates bindReceiveSwitch using unicorn)

788f025: QEMU: proof of concept: key handling via MPU spells.
Can adjust date/time on 600D, can navigate ML menu without CONFIG_QEMU on 1200D with scrollwheels (PgUp,PgDn,[,]) and SET (spacebar)

f2fdb5a: QEMU: refactored MPU code to allow sending arbitrary messages

f2e6d82: QEMU, MPU spells: recognize button codes from gui.h (comments only)

e9f3d75: QEMU, MPU spells: mark bindReceiveSwitch messages (comment only)

1584c8c: QEMU, MPU spells: mark NotifyGUIEvent messages (comment only)

2248bd5: QEMU: script to manage MPU spells (autogenerated version + patches with manual modifications)

99f9374: QEMU: updated 5D2 MPU spells

523a1b5: QEMU: moved MPU spells to separate files, one for each camera

e2c0456: QEMU, get camera model name from log file name

6bef295: QEMU: use "-d int" for showing interrupt messages

08074f0: QEMU: use "-d io" for showing MMIO activity

f058d4b: GDB scripts: log semaphores, message queues and interrupts for EOS M3

022de0f: QEMU: better patch for battery checks on EOS M3

ab641b9: QEMU: handle ADC on EOS M3 (print channel ID only)

a050d15: GDB scripts: comments update

cc6b994: GDB scripts: increase timeout for connection to qemu

6209c4d: GDB scripts: patch RTC init function for 550D and 600D

7fefb7e: GDB scripts: only output should be hex by default, not input

9a38692: GDB scripts: log message queues (600D stubs)

d881e57: GDB scripts: 600D DebugMsg, tasks, MPU messages

3202863: QEMU: MPU spells for 600D

656093d: GDB scripts: log resource locks (stubs for 550D)

43e62d9: GDB scripts: log eventprocs (stubs for 550D and 5D3)

af455e3: GDB scripts: 550D DebugMsg, tasks, semaphores, MPU

0440b95: QEMU: merged eos_handle_serial_flash.[ch] into serial_flash.[ch]

394a704: QEMU: removed debug_message_helper (now implemented with pure GDB scripts)

0b3fcad: QEMU: check access type for EDMAC CHSW registers (only writes implemented)

6172489: QEMU: emulate power control registers (dummy)

8cb2c00: QEMU: 550D MPU spells (not yet working)

e18a99d: GDB scripts: track semaphores (create, delete, take, give)

9646ca6: QEMU: 1100D boots Canon GUI with 60D MPU spells as well :)

fa09908: QEMU: all DIGIC 4 cameras appear to use the same MPU request register

fb0c2cb: QEMU: fix typo

008aaa6: QEMU: 1200D boots Canon GUI with... 60D MPU spells!!!

507c96e: QEMU: model HPCopy DMA transfer delays (fixes assert in 1200D)

60225f0: GDB scripts: 1200D experiments

7241ce6: QEMU: current_task_addr and mpu_request_register for 1200D

918af56: Merge qemu-nkls into qemu

3ea3344: QEMU: autodetect MPU spell set from camera model

84b3f86: QEMU: include a small SD/CF card image during installation

f5d3ba9: QEMU: fix serial flash transfers via DMA, thanks nkls

6a2c25d: QEMU: moved firmware_start = 0xFF010000 to digic 4 defaults in model_list.c

a6fc0c3: QEMU: fix SDIO interrupt for DIGIC 5 cameras

506f322: QEMU: moved I/O memory size to model_list

a1531f7: QEMU: moved DryOS timer interrupt and ID to model_list

98751f2: QEMU: removed unused Q_HELPER_ADDR

ddf1f1b: QEMU: moved ROM[01]_SIZE to model_list (note: digic 6 dumps must be 64MB now)

3963d66: QEMU: generic parameters in model_list, for all cameras with the same digic version

dcae9f5: QEMU: renamed rom_start to firmware_start

853c4ba: QEMU: moved serial flash size into model_list (refactor)

79b24d9: QEMU: moved MPU request register into model_list (refactor)

060fca1: QEMU: moved current_task_addr into model_list (refactor)

f29445e: QEMU: link struct eos_model_desc into EOSState, rather than copying individual fields (refactor)

8172130: QEMU: reformatted model_list for easier expansion

c131f87: QEMU: 5D3 MPU spells

6cf9b52: QEMU: WFI emulation via CP15 (5D3, maybe others)

11d26dd: GDB scripts: log DebugMsg and task_create on 5D3

403d5dd: QEMU: patch battery init on EOS M3

ef6e454: QEMU: TIO fix for EOS M3

7111606: QEMU: print task name for I/O register accesses (experimental)

eaaac22: GDB scripts: misc stubs for 70D

12358d8: GDB scripts: log timer routines (70D stubs)

11e52d2: QEMU: don't format strings containing " (gdb fails at eval printf)

9032a25: GDB scripts: log try_post_event calls (70D)

959d5b8: GDB scripts: nicer way to log return value for take_semaphore

0761a01: QEMU: MPU init spell workaround for 70D

234b27c: QEMU: don't delete unmatched mpu_send lines

bb42715: QEMU: link mpu_send lines with "Complete WaitID" lines (updated 60D and 70D, comments only)

097d66e: QEMU: fix serial flash transfers via DMA

f1b9ca5: QEMU: moved eos_handle_sio3/mreq to mpu.c/h

8781bfd: QEMU: fix last two chars from last MPU spell

e5d7ab0: QEMU: fix warnings about SD/CF card images

9df3ae7: QEMU: fix very short HPTimer delays (timer overrun)

2df82f2: GDB scripts: log assert and register_interrupt on 70D

1cc3cee: GDB scripts: print interrupt ID when not running a regular task (print_current_location)

c1a7920: QEMU: output all characters via TIO

c97f6f3: QEMU: make sure all interrupt requests are valid

26d8b52: QEMU: stop emulator when GDB quits; also reset colors

48bec55: GDB scripts: log mpu_send/mpu_recv calls

47e4769: QEMU: 70D card write protect register

996c877: QEMU: log all coprocessor register writes

df47d64: QEMU: fix HPTimers on 7D2

985e7a1: GDB scripts: register_interrupt log

3b167a0: QEMU: DebugMsg logs implemented as pure gdb scripts!

c57fd1e: QEMU: patched some more functions on EOSM3

d5e3337: QEMU: interrupts on EOS M3 require Thumb mode (maybe on 7D2 as well, to be tested)

8357bed: QEMU: DryOS task scheduling appears to work on EOSM3 (experimental)

1151b11: QEMU: gdb script for EOSM3

6a47909: QEMU: patch two init functions on EOSM3

1598a34: QEMU: patch usleep on EOSM3 (workaround)

bf9144e: QEMU: fix disassembly when patching 7D2/EOSM3 (broken by qemu upgrade)

2cab1bc: QEMU: initial support for EOS M3

ac8ddee: QEMU: 7D2 autoexec experiment

b2a5753: QEMU: some gdb scripts (60D, 70D, 7D2)

f525b1d: QEMU: patch two functions in 7D2 master (emulation goes much further now)

2e00ae0: QEMU: cleanup model detection for serial flash

b54e9aa: QEMU: enabled 7D2 patches by default (autodetected from model name)

2213bbd: QEMU: give higher priority to interrupts with higher ID (SIO3/MREQ should have higher priority than DryOS timer)

747da6d: QEMU: fix MPU request/status register on different cameras (60D, 5D2, 100D and 70D for now)

c1b3498: QEMU: refactored eos_init_common/eos_common_init into a single function

dda0163: QEMU: store camera model and digic version in EOSState

adb19d7: QEMU: fine-tuned debug messages in eos_load_image

fd1db4c: QEMU: 70D init spells, not yet working

da9b33e: QEMU: enabled serial flash for 70D, to be tested

3f7e4f5: QEMU: save SIO mode for serial flash (minor)

4227770: QEMU: fix indentation in eos_handle_sio_serialflash.c

755a452: QEMU: serial flash image is now mandatory for models that use one at startup

b34a93f: QEMU: fix indentation in serial_flash.c

c8c677f: QEMU: fix SIO messages

f7b60d8: QEMU: ignore %S format for DebugMsg
(used incorrectly in Canon code, e.g. %SetUSBLowPowerModeHook - causes segfault)

0eee6e2: QEMU: DebugMsg color macros a little more generic

ec68dad: QEMU: align DebugMsg messages with io_log ones and print call location

5e626ad: QEMU: fix segfault with uninitialized bmp_vram

853e451: QEMU: fix compilation

4aa2b2b: QEMU: merged 1de3d07

ea5dccb: QEMU: fix false MPU receive request (e.g. in 5D2 bootloader)

fe2f881: QEMU: fix false positive when interpreting MPU messages

31f8428: QEMU: merged ee5defb

46efd17: QEMU: adapted ee5defb
QEMU: 5D2 MPU spells, not tested (not there yet)

a85ec37: QEMU: re-enabled 7D2 experiments (to be tested)

29fdfa8: QEMU: merged 63e7324 (hopefully)

423ae8d: QEMU: adapted 63e7324
Removed old hacks (including from emulator

1de398f: Init testing branch (serial flash).

339e558: Fixes for 100D.

3e99392: QEMU: fix installation

0db9ad0: Add workspace scripts.

76a89fd: Updates to semaphore tracker.

5d1f223: Add bufcon GPIO names.

075e981: Add serial flash code.

b4d0559: Separate mpu and eos_ml helpers from main eos.c file.

e84f8b3: Add debug message helper.

1a948b7: Dynamic initialization of camera models.

af50a1e: QEMU exit on errors

7847bc0: QEMU only init git repo if not already there

68db2c4: Fixed a segmentation fault, it's now running!

baa7f9d: Hacked to compile.

8b4f1ea: QEMU: upgraded to 2.5.0

1bd3c11: QEMU: adapted "Restructure of EOS code." from

1de3d07: QEMU: EDMAC registers (print only)

5a81483: QEMU: fix false MPU receive request (e.g. in 5D2 bootloader)

a77c37b: QEMU: fix false positive when interpreting MPU messages

98a624c: QEMU: experimental CF card emulation (5D2 loads autoexec.bin from CF image!)

a6b9c77: QEMU: a few more CF registers

e7c288e: QEMU: script to parse MPU log files and extract the "init spells"

ee5defb: QEMU: 5D2 MPU spells, not tested (not there yet)

3a64d3c: QEMU: handle more CFDMA address ranges, including 5D2

aeeb0d0: QEMU: handle 5D2 VSW_STATUS (thanks ROS)

bcaf460: Merged unified into qemu

c9f18c4: qemu-util: fix warnings

ce1b83f: qemu-util: fix HPTimer warnings

e5ff088: qemu-util: added qprint

d4d329d: qemu: hide help after user opens ML menu

b311bc3: QEMU: refactored SIO messages with io_log

7c0eb75: QEMU: remove SD emulation messages

ed731fc: QEMU: updated scripts to run ML from a sdcard image

4110b99: QEMU: minor fix (reported by nikfreak)

63e7324: Removed old hacks (including from emulator

e110a0b: Removed qemu-helper from ML source

591b82d: Removed most QEMU hacks from ML source, so ML is now able to boot from autoexec.bin via bootloader (at least on 60D). Lua working as well!

453a446: AllocMem patch: sync caches before executing the patched code

23d8a54: 6D AllocMem patch: do not change the start address, to prevent shifting address of certain constants (e.g. dual iso)

b3396be: assert handler: print program counter in crash logs

f9dff60: boot-hack: some self-checks for AllocateMemory patching

f42d15b: new task hooks: updated comments, debug info, code formatting

f604659: boot-hack: better comments for 6D AllocMem

381a5bf: Found the new task_dispatch_hook (for 6D, will also work on newer cameras). Does it work?
- refactored my_task_dispatch_hook to work on both old and new DryOS (tested in QEMU)
- 6D: switched to classic boot process (limited testing in QEMU)
- tskmon: small refactoring, hopefully works on new DryOS too (not tested)

41a22d6: boot-hack: minor cleanups

91e1ed5: QEMU: use SD card emulation from hw/sd/sd.c. Working not only in bootloader, but in main firmware as well!

88b3d20: QEMU: only allow 32-bit access to MMIO registers (simpler code)

c05db36: QEMU: removed old screenshot code

195cdc4: QEMU: grouped keyboard state variables into a structure

7565007: QEMU: grouped display state variables into a structure

4744439: QEMU: handle 8-bit BMP palette

5a94edb: QEMU: some more GPIO registers for 60D. Canon GUI runs!

217cf86: QEMU: experimental MPU emulation (60D)

f70ed3c: QEMU: ignore SCTLR bit 30 (hack; see 8ab96de)

c5205a9: QEMU: renamed EOSState *ws to EOSState *s

fdcae4d: QEMU: trace target ASM code during execution (-d exec -singlestep)

8825744: QEMU: emulate cache lockdown for DIGIC 4/5 (NOP)

548678f: QEMU: use built-in disassembler for patching messages

dd3f953: QEMU: emulate both master and slave from 7D2 (not both at the same time though)

e124a79: QEMU: better DIGIC 6 emulation. TODO: find out how to enable interrupts

12015a9: QEMU: log ASM code (-d in_asm) without additional lines

3b7d2ba: QEMU: upgraded to version 2.3.0

73d4515: QEMU: first steps towards DIGIC 6 / 7D2 emulation

91cfae7: QEMU: fix error handling when SD image is not present

222b98d: QEMU: HPTimer emulation (man, that was hard...)

17ed162: QEMU: don't reset irq_id when writing to 0xC0201010

9256833: QEMU: also reset interrupt request flag when reading 0xC0201004

259fd82: QEMU: disable interrupt when triggered (so an interrupt can't be interrupted by the same interrupt)

0aa963e: QEMU: minor cleanup

ca4ae11: QEMU: register 0xC0201004 resets on read (interrupt engine)

be8e51c: QEMU: fix DMA copying

f2f49a3: QEMU: use a mutex for interrupt variables

8ab96de: QEMU: don't switch to Thumb mode on exceptions on arm946eos, even if SCTLR bit 30 is enabled
TODO: discuss with QEMU devs (comments suggest it might be a bug in QEMU, not sure)

37101c4: QEMU: log ARM coprocessor register writes

32b3f59: QEMU: modified install script to create a git repo, for tracking changes to QEMU source

972c6b4: QEMU: fix valgrind warnings

be1e8af: QEMU: recognize ATA registers (5D3)

cf6d96f: QEMU: SD emulation working on 5D3

0d1d45b: QEMU: dropped run_ml_*.sh (maintenance burden; just use instead)

f3e46b8: QEMU: handle SD emulation on 70D

d741b90: QEMU: force bootflag enabled (for new ports)

f6e9f48: QEMU: definitions for 70D, 700D, 1100D, 1200D and EOS M

9f27382: QEMU: move Basic2 registers to GPIO (and fix them, since Basic2 was not called)

3854f45: QEMU: handle SD emulation on 6D

86c46eb: QEMU: handle 4-bit palette registers (for bootloader)

5f1240c: QEMU: check for card access past the end of the card

27cfc69: QEMU: small fixes

2d05ece: QEMU: make bootloader configuration default

1f78083: QEMU: SDIO emulation working in bootloader! (tested on 60D ROM, loads the "recovery" autoexec.bin and dumps the ROM to SD card image)

596f989: QEMU: print SDIO register names, from

7f913c5: QEMU: print REG_PRINT_CHAR (including DebugMsg's) in blue and REG_PRINT_NUM in green

55e87b9: QEMU: wrap timers around when reaching reload value

885ed5b: QEMU: fix bootloader palette (black and white colors) and disable YUV handling

ac8d80e: QEMU: patch 6D bootloader so it thinks it can load autoexec.bin (disabled by default; bootloader display test works!)

5bfa96e: QEMU: patch some MCR instructions that can't be emulated (6D/5D3)

495545d: QEMU: fix some 6D bootloader GPIOs; verbose messages for other boot GPIOs

fbf7c88: QEMU: handle 6D SDIO

ba4dada: Autoexec is executed from 0x800000, not 0x40800000 (updated both Makefile and QEMU)

ec930a4: QEMU: lower stack pointer before loading autoexec

fc48ffc: QEMU: trace RAM reads + writes in a given range (define TRACE_MEM_START in eos.h to enable it)

af3a46f: QEMU: handle bootloader display (can't recognize it yet, need to edit source to enable it)

59d654b: QEMU: handle all 3 timers, not just timer #2 (incomplete)

b5a524b: QEMU: fix TIO text color

3a4c0bf: QEMU: handle CLOCK_ENABLE register (incomplete)

9aba3cc: QEMU: load autoexec at 0x40800000 (fixes debug symbols in reboot.c)

be854c3: QEMU: fix interrupts triggered while another interrupt is running

cca2305: QEMU: more accurate timer handling (tested with msleep + get_ms_clock_value + PC clock)

c44cb9e: QEMU: highlight TIO messages in red; quiet 0xC0800008

c3cd03f: QEMU: handle 5D2 CF LED

dc93322: QEMU: more verbose DMA messages

83f22a8: QEMU: fix tabs

462b9bf: QEMU: fix warning

b8e97b2: QEMU: refactored register-related messages to be a little more consistent and reduce duplicate code (io_log)

c0df1b6: QEMU scripts: minor cleanups

2017-10-02 13:20 - Build failed!

  1. Format the card from the camera.
  2. Make sure you are running Canon firmware 1.0.1.
  3. Copy ML files on the card and run Firmware Update.


  1. Run Firmware Update from your ML card.
  2. Follow the on-screen instructions.

Magic Lantern is not approved nor endorsed by Canon in any way, and using it will probably void your warranty.
We are not responsible for any damages to your camera.

Copyright (C) 2009-2017 Magic Lantern Development Team

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.