Trying to figure out how to disable the touch wheel display on the SD870IS, the one that overwrites the CHDK menu. Here's what I've discovered so far... this is on SD870IS firmware version 100c.
* The touch wheel (and buttons) are monitored by a kernel task called TouchW. The task function starts at FF8E6DC0.
* There's a data structure that maintains the wheel state starting at 0x9C10. It looks something like this:
0x9C10 +
0x00: 1 = PrintTouchWheel mode (prints status messages to console)
0x04: debug level (at least 10)
0x08: 1 if TouchW task already started, 0 otherwise
0x10:
0x14:
0x18:
0x1C:
0x20:
0x24: event or state, gets shifted <<4 to look up address in jump table
0x28: event or state, gets shifted <<2 to look up address in jump table
0x2C: idle timer? counts down from X
0x30:
0x9C60 seems to store button state in 5 consecutive bytes
* There's a jump table to handle touch wheel events, at 0xFFAA0D8C. There are 12 possible events, and my guess is they're organized 3x4 in a state machine, where there are 3 internal touch wheel states, and 4 possible incoming events (or vice versa).
event 0: ff8e7778; [0x2c]=0x14; checks 0x429F4 (touch_keys_angle), prints "PRESS " and "UNPRESS" messages
event 1: ff8e73c0; puts 0 in 0x28, [0x2c]=0x14; prints "TOPRESS "
event 2: ff8e73f4; prints "INACTIVE ", then goes to ff837188
event 3: ff8e73f4; prints "INACTIVE ", then goes to ff837188
event 4: ff8376fc; counts down [0x2C], calls FF8E7188 if zero (some button processing, then message "IDLE ")
event 5: no-op
event 6: ff8e6b8; counts down [0x2C], prints "INACTIVE " when it hits zero
event 7: ff8e6b8; counts down [0x2C], prints "INACTIVE " when it hits zero
event 8: ff8e7724; counts down [0x2C], does some processing if zero (FF8E7188)
event 9: ff8e71f4; touch event; [0x2C]=0x14, [0x28]=2, prints "ACTIVE" and "TOUCH[%d] " where %d=0...4
event 10: ff8e784c; [0x2C]=0x14; prints "TOROTATE "
event 11: ff8e78f4; [0x2C]=0x14; prints "ROTATE%d[%d] "
* It's possible to turn off the TouchW task by adding the following line to task_Startup_my(). However, it entirely disables the wheel including the buttons, so it makes the camera a bit useless.
*((int*)0x9C18) = 1; // this completely disables the wheel and buttons
Unknowns:
* Where do the events originate from?
* Where is the code that draws the OSD? I don't know enough about the DryOS GUI code to know how to find this.
Possible hacks to disable the OSD:
* various possibilities
-> manipulate the internal state at 0x9C10 from kbd.c
-> manipulate the button state, e.g. at 0x429F4
* could disable the touch messages but leave the press messages intact (this would prevent using the wheel, but the buttons would still work)
* figure out where the OSD is being drawn and kill that method somehow when CHDK is active
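
The jump-table indexing described in the post, as an added example that is not part of the original post: with 4-byte handler pointers, a `<<4` stride on the field at 0x24 and a `<<2` stride on the field at 0x28 give exactly a 3x4 table of 12 slots. It assumes the two shifted values are added to the table base and that state words are little-endian; all macro and function names are hypothetical, and the sample dump is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Addresses and offsets are those given in the post (SD870IS, firmware 100c). */
#define TOUCHW_JUMP_TABLE 0xFFAA0D8Cu
#define OFF_SEL_SHL4      0x24u  /* state field (0x9C10+0x24) shifted <<4 */
#define OFF_SEL_SHL2      0x28u  /* state field (0x9C10+0x28) shifted <<2 */
#define OFF_IDLE_TIMER    0x2Cu
#define TABLE_ROWS        3u     /* the post's guess: 3 x 4 layout */
#define TABLE_COLS        4u

/* Read a 32-bit word from a dump (assumption: little-endian ARM core). */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Event number 0..11 for (row, col), or -1 if outside the 3x4 table.
   Assumption: byte offset = (row << 4) + (col << 2), 4-byte pointers. */
int touchw_event_index(uint32_t row, uint32_t col)
{
    return (row < TABLE_ROWS && col < TABLE_COLS)
        ? (int)(((row << 4) + (col << 2)) >> 2) : -1;
}

/* Address of the jump-table slot for (row, col), or 0 if out of range. */
uint32_t touchw_slot_addr(uint32_t row, uint32_t col)
{
    int idx = touchw_event_index(row, col);
    return idx < 0 ? 0 : TOUCHW_JUMP_TABLE + ((uint32_t)idx << 2);
}

/* Decode a dump of the state block taken from 0x9C10 (len bytes long). */
int touchw_decode(const uint8_t *dump, size_t len, uint32_t *idle_timer)
{
    if (dump == NULL || idle_timer == NULL || len < OFF_IDLE_TIMER + 4u)
        return -1;  /* short dump: fields would be read out of bounds */
    *idle_timer = rd32(dump + OFF_IDLE_TIMER);
    return touchw_event_index(rd32(dump + OFF_SEL_SHL4), rd32(dump + OFF_SEL_SHL2));
}

int main(void)
{
    uint8_t dump[0x30] = {0};  /* constructed sample, not a real camera dump */
    uint32_t timer = 0;
    dump[OFF_SEL_SHL4] = 2; dump[OFF_SEL_SHL2] = 1; dump[OFF_IDLE_TIMER] = 0x14;
    int ev = touchw_decode(dump, sizeof dump, &timer);
    printf("event %d, timer %u\n", ev, (unsigned)timer);
}
```

A result of -1 on a real dump would mean the 3x4 guess or the additive-indexing assumption does not hold for that state.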