I've changed the version check conditional to get around it, but haven't tested it yet.
( ( *(int*)0xfc142898 != 0x4232302e ) &&
( *(int*)0xfc142898 != 0x4332302e ) )
The distant goal is to implement
this somehow. That method, however, depends on the sigfinder which does not yet exist for Thumb firmware.
Started working on the sub/102c/stubs_min.S, but hit a few issues:
DEF(active_raw_buffer ,0x0000a08c) // Found @0xfc13fa6c, 0xffffffff when uninited...
DEF(physw_sleep_delay ,0x00008330) // Found @0xfc0601f6
DEF(FlashParamsTable ,0xfc7313a0) // 0xfc730610 -> 0xfc7313a0
I can't make sense of what's going on at those addresses in the 102b dump...
In general, you should find the equivalent piece of code in both dumps. Since most parts of the firmware are unchanged, equivalent parts of the code will look very similar (you can watch neighbouring strings, references to strings, calls to certain routines, code patterns, ...). If they modified or added some code, that will add an offset to all code that is located after the modified spot. Addresses preceding the first modified spot will be (mostly?) unchanged.
Also note that the disassembly you get from that Perl script can't be used for everything. objdump will try to interpret everything as code. Due to the variable instruction length of Thumb, objdump will sometimes lose 'sync' and misinterpret a few instructions, which often includes the first instruction of some fw functions.
You also can't use this disassembly to find 'tables' of function name / function pointer pairs, and other tables like FlashParamsTable will also make no sense. You can use a hex viewer/editor for these.
This code is the same in both 102b and 102c (except for subroutine addresses):
loc_fc13fa6c: ; 2 refs
fc13fa6c: b510 push {r4, lr}
fc13fa6e: 4cdf ldr r4, [pc, #892] ; 0xfc13fdec: (0000a080) ; ****** base address
fc13fa70: 69a0 ldr r0, [r4, #24]
fc13fa72: b928 cbnz r0, loc_fc13fa80
fc13fa74: 2000 movs r0, #0
fc13fa76: f240 123c movw r2, #316 ; 0x13c
fc13fa7a: a1d8 add r1, pc, #864 ; 0xfc13fddc: (6d497353) *"SsImgProcBuf.c"
fc13fa7c: f112 e94a blx loc_fc251d14 ; <DebugAssert>
loc_fc13fa80:
fc13fa80: 69a0 ldr r0, [r4, #24]
fc13fa82: f112 e838 blx loc_fc251af4
fc13fa86: 07c0 lsls r0, r0, #31
fc13fa88: d005 beq.n loc_fc13fa96
fc13fa8a: 2000 movs r0, #0
fc13fa8c: f240 1242 movw r2, #322 ; 0x142
fc13fa90: a1d2 add r1, pc, #840 ; 0xfc13fddc: (6d497353) *"SsImgProcBuf.c"
fc13fa92: f112 e940 blx loc_fc251d14 ; <DebugAssert>
loc_fc13fa96:
fc13fa96: 6860 ldr r0, [r4, #4]
fc13fa98: f02d fca3 bl loc_fc16d3e2
fc13fa9c: 68e1 ldr r1, [r4, #12] ; ****** +0xc offset
fc13fa9e: 1e40 subs r0, r0, #1
fc13faa0: 4288 cmp r0, r1
fc13faa2: d102 bne.n loc_fc13faaa
fc13faa4: 2000 movs r0, #0
fc13faa6: 60e0 str r0, [r4, #12]
fc13faa8: bd10 pop {r4, pc}
This is also the same:
NSTUB(task_PhySw, 0xfc0601f4):
fc0601f4: b510 push {r4, lr}
fc0601f6: 4c16 ldr r4, [pc, #88] ; 0xfc060250: (00008328) **** base address
fc0601f8: e008 b.n loc_fc06020c
loc_fc0601fa:
fc0601fa: 68a0 ldr r0, [r4, #8] ; **** offset
fc0601fc: f1f1 ed5a blx loc_fc251cb4 ; <SleepTask>
except for SleepTask's address:
fc0601f4: b510 push {r4, lr}
fc0601f6: 4c16 ldr r4, [pc, #88] ; 0xfc060250: (00008328)
fc0601f8: e008 b.n loc_fc06020c
loc_fc0601fa:
fc0601fa: 68a0 ldr r0, [r4, #8]
fc0601fc: f1f1 ed9e blx loc_fc251d3c ; SleepTask
I have attached my work-in-progress csv file of 102b functions (lots of made-up names toward its end), which can be used with this script.
An additional note: There are signs of 'size optimized' compilation in the fw which may lead to more differences than 'usual'.
edit: csv updated
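An added illustration of the matching described above (not code from this thread or from the referenced Perl/csv scripts): it packs the halfwords printed in the two task_PhySw listings, zeroes the target bits of each bl/blx so the two copies compare equal, and then locates the routine in a constructed dump where eight bytes of inserted code have shifted it. The function names and the constructed dump are assumptions.

```python
import struct

def hw_bytes(listing: str) -> bytes:
    """Pack halfwords as printed in the disassembly ("b510 4c16 ...") into little-endian bytes."""
    return b"".join(struct.pack("<H", int(h, 16)) for h in listing.split())

def thumb_halfwords(code: bytes) -> list:
    return [struct.unpack_from("<H", code, i)[0] for i in range(0, len(code) - 1, 2)]

def is_32bit(hw: int) -> bool:
    # Thumb-2: a first halfword whose top five bits are 11101/11110/11111 starts a 32-bit instruction
    return (hw >> 11) in (0b11101, 0b11110, 0b11111)

def mask_signature(code: bytes) -> bytes:
    """Zero the target bits of every bl/blx so two copies of a routine that only differ in
    where they call to compare equal. Literal-pool ldr offsets (ldr rX,[pc,#imm]) are kept,
    as they are unchanged in the listings above."""
    hws, out, i = thumb_halfwords(code), [], 0
    while i < len(hws):
        hw = hws[i]
        if is_32bit(hw) and i + 1 < len(hws):
            hw2 = hws[i + 1]
            # bl/blx: hw1 = 11110 S imm10, hw2 = 11 J1 x J2 imm11  (x=1 bl, x=0 blx)
            if (hw & 0xF800) == 0xF000 and (hw2 & 0xC000) == 0xC000:
                hw, hw2 = hw & 0xF800, hw2 & 0xD000   # keep opcode bits and the bl/blx bit only
            out += [hw, hw2]
            i += 2
        else:
            out.append(hw)
            i += 1
    return b"".join(struct.pack("<H", h) for h in out)

def find_signature(ref_code: bytes, dump: bytes, dump_base: int) -> list:
    """Slide the masked reference over the dump (halfword aligned); return matching addresses."""
    sig, n = mask_signature(ref_code), len(ref_code)
    return [dump_base + off for off in range(0, len(dump) - n + 1, 2)
            if mask_signature(dump[off:off + n]) == sig]

# Constructed from the two task_PhySw listings: identical except for the blx target.
CODE_A = hw_bytes("b510 4c16 e008 68a0 f1f1 ed5a")   # blx loc_fc251cb4
CODE_B = hw_bytes("b510 4c16 e008 68a0 f1f1 ed9e")   # blx loc_fc251d3c

# Constructed dump: eight bytes of "added code" (four bx lr) placed before the routine
# shift it from 0xfc0601f4 to 0xfc0601fc, as the reply describes for code after a modified spot.
DUMP_BASE = 0xfc060000
DUMP_B = b"\x00" * 0x1f4 + hw_bytes("4770 4770 4770 4770") + CODE_B + b"\x00" * 16

if __name__ == "__main__":
    print([hex(a) for a in find_signature(CODE_A, DUMP_B, DUMP_BASE)])   # ['0xfc0601fc']
```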