Ok, so are taskCreateHook and taskCreateHook2 sort of optional? Can I comment them out for now and still get to the GUI (after I find the frame buffer address and fix some of the broken functions in the stubs)?
Yes, you should be able to run spytask without running any of the other tasks. If you want to interact with CHDK using buttons, you also need PhySW/kbd. The scripting stuff also runs in kbd. captseq is used for raw and overrides, movie is used for compression override and zoom unlock, jogdial is used to interface with the jogdial control, init_file_modules_task is used for partition swapping.
Ok, I got it to boot with the spytask, but it crashes a few seconds afterwards. That is not at all surprising, since a lot of functions, including malloc(), are defined as 0xdeadc0de. I guess the frame buffer address is incorrect too, because I don't get any logo displayed.
I suspect that without malloc, you'll crash before the logo is displayed. Note that most of the required entry points should be found automatically and put in stubs_entry.S
How exactly do I find the pointer for malloc and other useful functions? I could not find a stand alone string called malloc.
How do I find the magic frame buffer address?
Like I keep saying: Refer to an existing port. This is an essential skill, you won't get far without it.
As an example, if you are looking for malloc
- find the address for malloc in a known working port. Look in stubs_entry_2.S first, and if it isn't there, look in stubs_entry.S
- In that camera's firmware dump, look for references to the address you found above.
- Look through references until you find something fairly unique/identifiable that is close to one of the references. A string, proximity to a call to another known function, etc.
- Now look in your camera's firmware dump for that identifiable feature. If you find a candidate for your function, compare the code of that function to the known function. You can also make sure that similar bits of code refer to it.
Many ports have comments that give you a hint as to how it was found, or something that made it identifiable. For example
NHSTUB(WriteSDCard,0xFF9210A4) // similar to SX10, search on BOOTDISK and SCRIPT
This means that
- I noticed the known function in SX10 was found near the strings BOOTDISK and SCRIPT
- I found the corresponding location on SD990 and when I compared the code, it was similar.
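The procedure in the post above (known address from stubs_entry*.S, find references to it in that camera's dump, find something identifiable near a reference, locate it in the new dump and compare the code) can be scripted. The following is an added example, not code from the CHDK project or from the poster: it decodes ARM-mode BL calls and literal-pool words that reference a given address, lists the printable strings near each reference, and scores a candidate function against the known one with the address-dependent immediates (B/BL offsets, LDR/STR Rd,[pc,#imm] offsets) masked out, so that the same code at a different address still compares equal. BASE, all function names and the two byte strings built by make_sample_dump() are this example's own assumptions; no real firmware dump is used.

```python
"""Reference-hunting helpers for the CHDK porting steps described above.

Added example, not code from the CHDK project or the poster.  BASE, every
function name and the 'firmware' built by make_sample_dump() are assumptions
made for this demo; no real dump is used.
"""
import re
import struct

BASE = 0xFF810000   # assumed load address of the little-endian ARM dump


def branch_target(addr, word):
    """Target of an ARM-mode B/BL instruction at addr, or None if not a branch."""
    if (word & 0x0F000000) not in (0x0A000000, 0x0B000000):
        return None
    imm24 = word & 0x00FFFFFF
    if imm24 & 0x00800000:                  # sign-extend the 24-bit word offset
        imm24 -= 0x01000000
    return (addr + 8 + (imm24 << 2)) & 0xFFFFFFFF


def find_references(dump, base, target):
    """(address, kind) for every BL to target and every literal-pool word
    holding target (the Thumb form target|1 is accepted too)."""
    refs = []
    for off in range(0, len(dump) - 3, 4):
        word = struct.unpack_from('<I', dump, off)[0]
        addr = base + off
        if branch_target(addr, word) == target:
            refs.append((addr, 'bl'))
        elif word in (target, target | 1):
            refs.append((addr, 'literal'))
    return refs


def nearby_strings(dump, base, addr, window=0x100, min_len=4):
    """Printable ASCII runs within +/-window bytes of addr, with their addresses."""
    lo = max(0, addr - base - window)
    hi = min(len(dump), addr - base + window)
    pat = rb'[\x20-\x7e]{%d,}' % min_len
    return [(base + lo + m.start(), m.group().decode('ascii'))
            for m in re.finditer(pat, dump[lo:hi])]


def normalize(word):
    """Zero the fields that legitimately differ between firmwares: the 24-bit
    offset of B/BL and the 12-bit offset of LDR/STR Rd,[pc,#+/-imm]."""
    if (word & 0x0F000000) in (0x0A000000, 0x0B000000):
        return word & 0xFF000000
    if (word & 0x0F2F0000) == 0x050F0000:   # P=1, W=0, Rn=pc, immediate offset
        return word & 0xFFFFF000
    return word


def similarity(code_a, code_b):
    """Fraction of 32-bit words that match after normalisation (0.0 .. 1.0)."""
    n = min(len(code_a), len(code_b)) // 4
    if n == 0:
        return 0.0
    wa = struct.unpack('<%dI' % n, code_a[:4 * n])
    wb = struct.unpack('<%dI' % n, code_b[:4 * n])
    return sum(normalize(a) == normalize(b) for a, b in zip(wa, wb)) / n


def make_sample_dump(func_off, call_site=0x100):
    """Constructed 2 KiB 'firmware' for the demo, not a real dump: a BL call
    site next to the strings BOOTDISK and SCRIPT, a literal-pool pointer, and
    the callee body at func_off.  The callee's own LDR and BL offsets are
    derived from func_off so they differ between the two sample cameras."""
    dump = bytearray(struct.pack('<I', 0xE1A00000) * 0x200)    # MOV r0,r0 filler
    target = BASE + func_off
    imm24 = ((target - (BASE + call_site + 8)) >> 2) & 0x00FFFFFF
    struct.pack_into('<I', dump, call_site, 0xEB000000 | imm24)  # BL target
    dump[0x110:0x119] = b'BOOTDISK\0'
    dump[0x120:0x127] = b'SCRIPT\0'
    struct.pack_into('<I', dump, 0x200, target)                  # literal pool
    body = (0xE92D4010,                             # STMFD sp!, {r4, lr}
            0xE59F0000 | ((func_off >> 4) & 0xFF),  # LDR r0, [pc, #imm]
            0xEB000000 | (func_off >> 2),           # BL <some other function>
            0xE8BD8010)                             # LDMFD sp!, {r4, pc}
    struct.pack_into('<4I', dump, func_off, *body)
    return bytes(dump)


if __name__ == '__main__':
    known, new = make_sample_dump(0x400), make_sample_dump(0x500)
    for addr, kind in find_references(known, BASE, BASE + 0x400):
        print('%s at 0x%08X near %s' % (kind, addr,
              [s for _, s in nearby_strings(known, BASE, addr)]))
    print('candidate 0x%08X scores %.2f' % (BASE + 0x500,
          similarity(known[0x400:0x410], new[0x500:0x510])))
```

On a real dump you would read the file with open(path, 'rb').read(), set BASE to the camera's firmware load address, pass the address taken from the known port's stubs_entry_2.S (or stubs_entry.S) to find_references(), and then run similarity() between the known function's bytes and each candidate you find near the same strings in the new dump. The masking in normalize() only covers ARM-mode B/BL and PC-relative LDR/STR; Thumb code and other PC-relative forms would need their own cases.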