CHDK/A430

Following the example of the CHDK/A530 page, everything that might be useful for a port of CHDK to A430 should be posted here.

Version
The trick with the ver.req file works on the A430 as well, with the following result: Canon PowerShot A430 P-ID:XXXX PAL Firmware Ver GM1.XXXXXX

Pressing button again results in: Canon PowerShot A430

The number P-ID:XXXX is a hexadecimal code for the platform version id.

Platform codes for other models:
 * S2IS: 30F0
 * A620: 30FC
 * A610: 30FD
 * A700: 3117
 * S3IS: 311A
 * A540: 311B
 * A530: 3126
 * A710: 3138
 * A640: 3139
 * A630: 313A

Memory map
Following information is probably generic to other models (A5xx, A6xx, A7xx series)

Firmware flash
0xff800000: firmware flash data (probably) 0xffc00000: mirror copy of firmware flash? (to be determined)

LED
0xc0220080: 0x46 enables orange focus assist LED, 0x44 disables it 0xc0220084: 0x46 enables blue print LED, 0x44 disables it

Blinker Firmware
The blinker method was used to dump the firmware.

Blinker Firmware compilation
A blinker firmware was compiled using yagarto. In the XXXX.c file, the firmware ID must be replaced by the one given obtained via ver.req (XXX). If cygwin is installed on your computer, in make.bat, replace zero | dd bs=1k count=100 >> main

by the following two lines: c:\cygwin\bin\dd.exe bs=1k count=100 if=/dev/zero of=main.zero c:\cygwin\bin\cat.exe main.zero >> main

Firmware dump
It seems that the fastest speed (AF assist LED) is not an option for dumping the firmware. Instead, the blue LED was used to output the firmware, and an active circuit based around the YY66W phototransistor was used to read the firmware out.

Phototransistor active circuit
The PC's microphone input has a 2.34V rail available on one of the channels, so I tried a few powered circuit (both photodiode and phototransistor). They gives a much larger signal, but the shape of the signal still differs from the ones given as example.

The test circuit uses a small piece of breadboard. Bottom side has two rows of 3 tulip sockets. This is where I plug-in my phototransistors and filter cap. Top side has three rows of 3 tulip sockets. The one away from the cable, I plug my 1k trim in. The other two are used for bridging the circuit with the computer. These can be removed and replaced by filtering caps if needed.

The trimmer (blue on the photo above) has one of its legs bent. The two legs making contact with the circuit are the one under the screw and the middle one. The red component is a 1μF ceramic cap.

Firmware recording using audacity
I am now trying for the blue LED with slower transfer speed. I used my amplified circuit and tried both the S1226-8BQ photodiode, YY66W (IR) and SFH300-3 phototransistors. Surprisingly enough, the IR phototransistor is the one that gives the largest signal (see screenshots). With a lower transfer speed, I now get the waveform I was expecting.

The effect of the 1μF cap is shown in screenshot 2 (screenshot 1 is without). The signal amplitude is more constant and will (probably) result in fewer decoding errors.

All in all, it now looks like I should be able to get a firmware dump.