a1ex implemented MMIO trace that can be useful for CHDK development.
(...)
This can also be used to intercept ROM code execution, but the minimum MPU region size is 32 bytes and there is only one unused region.
Attached is a "library" that allows intercepting code, using parts of a1ex's code and other ML snippets.
It is not perfect and has not been tested for heavy usage. I think it does not handle prefetch aborts that are not handled by our code - maybe because the exception handler does not disable interrupts.
It uses the last MPU region (which is actually used by fw on newer cams such as my m10) with fixed size (32 bytes).
For the exception stack, it uses an arbitrary location in the 0xbfe10000 area, which is TCM on newer cameras and some unknown RAM on others. That may need to be adjusted on cameras other than m10 and sx280. See the variable aborttrick_sp.
To use it, select a part of firmware code that does not have a branch target inside and make a copy of it. The intercepted area needs to start at an address divisible by 32, and the area is 32 bytes long.
Use the following function to register your replacement code:

    install_aborttrick(uint32_t original_loc, uint32_t new_loc)

where original_loc is the start of the intercepted area and new_loc is where code execution will continue.
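To make the bookkeeping behind this concrete, here is a host-side model of the abort trick that I put together as an added example; it is not the attached library's code. The MPU programming and the exception entry are replaced by plain function calls, the bool return value, aborttrick_resume_address and uninstall_aborttrick are assumptions, and the addresses are constructed, not real m10 or sx280 firmware locations.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define ABORTTRICK_REGION_SIZE 32u  /* minimum MPU region size on these cameras */

/* Only one MPU region is free, so only one intercept can be active at a time. */
static uint32_t trick_original_loc;
static uint32_t trick_new_loc;
static bool     trick_active;

/* Register a replacement. Returns false and installs nothing if the
 * intercepted area is not 32-byte aligned or a trick is already installed.
 * (Return value is an addition for this model; the post shows no return type.) */
bool install_aborttrick(uint32_t original_loc, uint32_t new_loc)
{
    if (original_loc % ABORTTRICK_REGION_SIZE != 0) return false; /* MPU alignment rule */
    if (trick_active) return false;                               /* single region only */
    trick_original_loc = original_loc;
    trick_new_loc = new_loc;
    trick_active = true;
    /* On the camera this is where the MPU region would be programmed (not modelled). */
    return true;
}

void uninstall_aborttrick(void) { trick_active = false; }

/* Model of the prefetch-abort handler's decision: given the aborting PC, return
 * the address to resume at, or 0 when the abort is not ours and must be passed
 * on to the firmware's original handler. */
uint32_t aborttrick_resume_address(uint32_t fault_pc)
{
    if (!trick_active) return 0;
    if (fault_pc < trick_original_loc ||
        fault_pc - trick_original_loc >= ABORTTRICK_REGION_SIZE)
        return 0;
    /* With no branch targets inside the window, entry is at its start and the
     * offset is 0; keeping the offset maps any other entry onto the copy. */
    return trick_new_loc + (fault_pc - trick_original_loc);
}

int main(void)
{
    /* Constructed addresses, not real m10 or sx280 firmware locations. */
    install_aborttrick(0xFF010020u, 0x40001000u);
    printf("abort at ff010020 resumes at %08x\n", aborttrick_resume_address(0xFF010020u));
    printf("abort at ff010040 handled by us? %s\n",
           aborttrick_resume_address(0xFF010040u) ? "yes" : "no");
    return 0;
}
```

An abort for which this returns 0 is exactly the case the post says is not yet handled well, so it must fall through to the firmware's own prefetch-abort handler.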