Please check if the file contains everything that is needed.
Now I have a disassembly with a lot of "loc_*" labels, but I'm lost here
Added the G3X 1.00C full 32MB dump by Nippey from this forum post to the CHDK P&S FW dumps repository.
Hey,
I think this isn't enough to start a separate G3 X porting thread, but I managed to find a stunning 14 pointers! ;D
I'll attach them here as I'm on vacation now and won't be online the next month.
(Based on srsa's csv file.)
In the meantime I found about 50% of the function calls, whose references I know for the SX280 firmware
All by finding similarities and visual diffing between the G3X and the SX280 code. Ugh.
@srsa: How did you manage to find ALL references in an appropriate amount of time??
fc028420: 499b ldr r1, [pc, #620] ; 0xfc028690: (fc15a7e5) <AllocateUncacheableMemory>
fc028422: 64c1 str r1, [r0, #0x4c]
fc028424: 499b ldr r1, [pc, #620] ; 0xfc028694: (fc15a811) <FreeUncacheableMemory>
fc028426: 6501 str r1, [r0, #0x50]
fc028428: 499b ldr r1, [pc, #620] ; 0xfc028698: (fc29aabf) <RegisterEventProcedure_arg3_equals_zero_>
fc02842a: 6541 str r1, [r0, #0x54]
fc02842c: 499b ldr r1, [pc, #620] ; 0xfc02869c: (fc29aa6d) <RegisterEventProcedure>
fc02842e: 6581 str r1, [r0, #0x58]
fc028430: 499b ldr r1, [pc, #620] ; 0xfc0286a0: (fc29aac3) <UnRegisterEvntProc>
fc028432: 65c1 str r1, [r0, #0x5c]
fc3e234e: 49ff ldr r1, [pc, #1020] ; 0xfc3e274c: (fc29aa6d) <RegisterEventProcedure>
fc3e2350: 6581 str r1, [r0, #0x58]
fc3e2352: 49ff ldr r1, [pc, #1020] ; 0xfc3e2750: (fc29aac3) <UnRegisterEvntProc>
fc3e2354: 65c1 str r1, [r0, #0x5c]
fc3e2356: 49ff ldr r1, [pc, #1020] ; 0xfc3e2754: (fc29abc7) <register_eventproctable>
fc3e2358: 6601 str r1, [r0, #0x60]
fc3e235a: 49ff ldr r1, [pc, #1020] ; 0xfc3e2758: (fc29abdd) <unregister_eventproctable>
fc3e235c: 6641 str r1, [r0, #0x64]
fc3e235e: 49ff ldr r1, [pc, #1020] ; 0xfc3e275c: (fc28fd87) <Fopen_Fut>
fc3e2360: 6681 str r1, [r0, #0x68]
fc3e2362: 49ff ldr r1, [pc, #1020] ; 0xfc3e2760: (fc28fdaf) <Fclose_Fut>
fc3e2364: 66c1 str r1, [r0, #0x6c]
fc0283d4: a199 add r1, pc, #612 ; 0xfc02863c: (30302e30) *"0.001"
fc0283d6: 6001 str r1, [r0, #0]
table_ptr = 0xBAC8 'Global Pointer to LEDTable
table_addr = *table_ptr 'Address of LEDTable
Fwrite_Fut(table_addr, 7*36*4, 1, dumpfile) 'Dump LEDTable
I first wanted to find the LED addresses and blink them.
So I identified the functions "task_LEDCon" and "LEDTable_Init".
The Base Address of the LEDs was easy to find.
After tearing apart both functions, I still have no clue about the individual offset addresses.
Both functions share a set of global variables (pointers).
One Semaphore
One MsgQueue
Three dynamically allocated memories
One of these memories is an array of a struct.
The array size is 7 elements and the struct has a size of 36 Words.
The uint32_t with Offset 0x8 contains the offset that is read by "task_LEDCon".
But "LEDTable_Init" sets it to zero.
So regardless of what LED Number comes out of the MsgQueue, and what array element is chosen, the uint32_t at 0x8 is always zero.
This doesn't make sense.
It seems like there must be another function called after "LEDTable_Init" to populate the offset address of the respective LED.
How do I use and dereference pointers in Canon Basic?
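An added example, not part of the original post: once the LEDTable has been written to a file with the 7*36*4-byte layout described above, it can be inspected offline, and two dumps taken at different times can be compared to see whether anything fills in the word at 0x8 after "LEDTable_Init". It assumes little-endian words and that 0x8 is a byte offset into each struct; the sample data is constructed and the function names are hypothetical.

```python
import struct
import sys

ELEMENTS = 7                 # array length stated in the post
WORDS = 36                   # struct size in 32-bit words, per the post
ELEM_SIZE = WORDS * 4
DUMP_SIZE = ELEMENTS * ELEM_SIZE   # 7*36*4 = 1008, the size passed to Fwrite_Fut
FIELD_OFF = 0x8              # assumption: 0x8 is a byte offset into the struct


def parse_led_table(blob):
    """Return 7 tuples of 36 little-endian words (assumed byte order)."""
    if len(blob) != DUMP_SIZE:
        raise ValueError(f"expected {DUMP_SIZE} bytes, got {len(blob)}")
    return [struct.unpack_from(f"<{WORDS}I", blob, i * ELEM_SIZE)
            for i in range(ELEMENTS)]


def field_0x8(table):
    """The word task_LEDCon is said to read, one value per array element."""
    return [elem[FIELD_OFF // 4] for elem in table]


def diff_dumps(before, after):
    """List (element, byte_offset, old, new) for every word that changed."""
    a, b = parse_led_table(before), parse_led_table(after)
    return [(i, w * 4, a[i][w], b[i][w])
            for i in range(ELEMENTS) for w in range(WORDS)
            if a[i][w] != b[i][w]]


def make_samples():
    """Constructed data: an all-zero table, then one with made-up values at 0x8."""
    before = bytes(DUMP_SIZE)
    after = bytearray(before)
    for i in range(ELEMENTS):
        struct.pack_into("<I", after, i * ELEM_SIZE + FIELD_OFF, 0x10 * (i + 1))
    return before, bytes(after)


if __name__ == "__main__":
    if len(sys.argv) == 3:   # two dump files taken at different times
        before, after = (open(p, "rb").read() for p in sys.argv[1:3])
    else:
        before, after = make_samples()
    print("word at 0x8:", [hex(v) for v in field_0x8(parse_led_table(after))])
    for elem, off, old, new in diff_dumps(before, after):
        print(f"element {elem} +0x{off:02x}: 0x{old:08x} -> 0x{new:08x}")
```

Run with two dump file paths as arguments to compare real dumps; with no arguments it uses the constructed sample.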