// Conjectured form of the power-on trick for this port, exactly as posted.
// 0xXXXXXXXX is a placeholder for the not-yet-found register address, not a real value.
// Effect as written: word at 0x2A04 + 4 <- 0x400000 if bit 0 of that register is set, else 0x200000.
*(int*)(0x2A04 + 4) = (*(int*)0xXXXXXXXX)&1 ? 0x400000 : 0x200000;
I figured out how people found the values for the power-on trick in code_gen, but in my case there are no obvious LDR instructions... I guess it should be something like `*(int*)(0x2A04 + 4) = (*(int*)0xXXXXXXXX)&1 ? 0x400000 : 0x200000;`, but I don't know how to find the 0xCXXXXXXX value (see pictures). https://imgur.com/MOf19cp,K9GZh92
;-----------------------------------------------------------------------
; int gpio_bit_state(int idx)            (loc_ff86b8c4 -> loc_ff8693a4)
; In:    r0 = index into the 'GPIO + bit' table at 0xffbc0738
;        (8-byte entries: word 0 = GPIO register address, word 1 = bitmask)
; Out:   r0 = 1 if (*entry.reg & entry.mask) != 0, else 0
; Clobb: r1, r2, flags
;-----------------------------------------------------------------------
loc_ff86b8c4: ; 4 refs
ff86b8c4: b loc_ff8693a4                 ; plain branch into the shared body below
loc_ff8693a4: ; 8 refs
ff8693a4: ldr r1, =0xffbc0738 ; 'GPIO + bit' table
ff8693a8: ldr r2, [r1, r0, lsl #3]       ; r2 = table[idx].reg   (entry stride 8)
ff8693ac: ldr r2, [r2] ; read GPIO
ff8693b0: add r0, r1, r0, lsl #3         ; r0 = &table[idx]
ff8693b4: ldr r0, [r0, #4] ; read bitmask
ff8693b8: ands r0, r0, r2 ; return bit's state
ff8693bc: movne r0, #1                   ; any non-zero result becomes exactly 1
ff8693c0: bx lr

;-----------------------------------------------------------------------
; int data_tcm_check(void)               (loc_ff838500)
; Out:   r0 = 1 if the word at 0x80000000 + 0xffc equals 0x12345678, else 0
; Clobb: r1, flags
;-----------------------------------------------------------------------
loc_ff838500: ; 3 refs
ff838500: mov r0, #0x80000000
ff838504: ldr r0, [r0, #0xffc] ; read last word of data TCM
ff838508: ldr r1, =0x12345678
ff83850c: cmp r0, r1 ; is it 0x12345678?, return the result
ff838510: movne r0, #0
ff838514: moveq r0, #1
ff838518: bx lr

;-----------------------------------------------------------------------
; int startup_button_check(int require_button)   (ff82d94c)
; In:    r0 = if non-zero, one of GPIO bits 5/6 must read as "pressed"
; Out:   r0 = 0 when r0 != 0 on entry and neither button is pressed
;             (loc_ff82d9b0 reached via the beq at ff82d984, r0 = r6|r4 = 0)
;        r0 = 1 otherwise, after loc_ff86b2e8 has written the startup word
; Regs:  r7 = entry argument, r5 = 0 (filler for unused args),
;        r6 = 1 if GPIO bit 5 reads clear, r4 = 1 if GPIO bit 6 reads clear
; Stack: pushing r2/r3 also reserves the 8 bytes at [sp] / [sp, #4] that the
;        two stack arguments are stored into before the bl loc_ff86b2e8
; NOTE(review): bic r6/r4, r4, r0 inverts the reading from loc_ff86b8c4, so
;        "pressed" here means the GPIO bit is clear (looks active-low) —
;        confirm against the hardware before relying on it.
;-----------------------------------------------------------------------
ff82d94c: push {r2, r3, r4, r5, r6, r7, r8, lr}
ff82d950: mov r7, r0                     ; keep the argument across the calls
ff82d954: mov r5, #0
ff82d958: bl loc_ff86b2e0 ; nullsub
ff82d95c: mov r0, #5 ; read GPIO bit (5), ON/OFF button?
ff82d960: bl loc_ff86b8c4
ff82d964: mov r4, #1
ff82d968: bic r6, r4, r0                 ; r6 = 1 & ~r0 -> 1 if bit 5 reads clear
ff82d96c: mov r0, #6 ; read GPIO bit (6)
ff82d970: bl loc_ff86b8c4
ff82d974: cmp r7, #0
ff82d978: bic r4, r4, r0                 ; r4 = 1 & ~r0 -> 1 if bit 6 reads clear
ff82d97c: beq loc_ff82d988               ; argument == 0: skip the button requirement
ff82d980: orrs r0, r6, r4 ; one of the above 2 buttons has to be pressed, otherwise shutdown
ff82d984: beq loc_ff82d9b0               ; neither pressed: return with r0 = 0
loc_ff82d988:
ff82d988: bl loc_ff838500 ; data TCM check
ff82d98c: mov r2, r0                     ; arg2 = TCM check result
ff82d990: mov r3, r5 ; unused argument
ff82d994: mov r1, r4 ; GPIO bit (6) (PLAYBACK button?)
ff82d998: mov r0, r6 ; ON/OFF button?
ff82d99c: str r5, [sp] ; unused argument
ff82d9a0: str r5, [sp, #4] ; unused argument
ff82d9a4: bl loc_ff86b2e8 ; set startup bits
ff82d9a8: bl loc_ff86b2e4 ; nullsub
ff82d9ac: mov r0, #1
loc_ff82d9b0:
ff82d9b0: pop {r2, r3, r4, r5, r6, r7, r8, pc}

;-----------------------------------------------------------------------
; void set_startup_bits(int onoff, int playback, int tcm_ok, ...)   (ff86b2e8)
; In:    r0 = ON/OFF flag, r1 = PLAYBACK? flag, r2 = data TCM check result
;        (r3 and the two stack words passed by the caller are not read here)
; Effect: word at 0x2a04 + 4 (= 0x2a08) <-
;            (r2 != 0 ? 0x800000 : 0)
;          | (r0 != 0 ? 0x200000 : 0)
;          | (r1 != 0 ? 0x400000 : 0)
;        This is the word, and the two button bits 0x200000 / 0x400000, that
;        the C form *(int*)(0x2A04 + 4) = ... in the post overrides.
; Clobb: r0, r2, r3, ip, flags
;-----------------------------------------------------------------------
ff86b2e8: ldr r3, =0x2a04
ff86b2ec: cmp r2, #0
ff86b2f0: mov ip, #0
ff86b2f4: movne r2, #0x800000 ; depends on data TCM check
ff86b2f8: str ip, [r3, #4]               ; clear the word first
ff86b2fc: strne r2, [r3, #4]             ; then 0x800000 if the TCM check passed
ff86b300: cmp r0, #0
ff86b304: ldrne r0, [r3, #4]
ff86b308: orrne r0, r0, #0x200000 ; set this bit if ON/OFF pressed
ff86b30c: strne r0, [r3, #4]
ff86b310: cmp r1, #0
ff86b314: ldrne r0, [r3, #4]
ff86b318: orrne r0, r0, #0x400000 ; set this bit if PLAYBACK? pressed
ff86b31c: strne r0, [r3, #4]
ff86b320: bx lr

; 'GPIO + bit' table at 0xffbc0738: 8-byte entries {GPIO register, bitmask},
; indexed by the bit number passed to loc_ff86b8c4 in r0. Every entry listed
; here uses the same register (0xc022f484); the mask for entry i is 0x1000 << i,
; so entry (5) = 0x20000 and entry (6) = 0x40000.
'GPIO + bit' table
ffbc0738: c022f484 (0)
ffbc073c: 00001000
ffbc0740: c022f484 (1)
ffbc0744: 00002000
ffbc0748: c022f484 (2)
ffbc074c: 00004000
ffbc0750: c022f484 (3)
ffbc0754: 00008000
ffbc0758: c022f484 (4)
ffbc075c: 00010000
ffbc0760: c022f484 (5)
ffbc0764: 00020000
ffbc0768: c022f484 (6)
ffbc076c: 00040000
We want to be able to override this by directly replacing the bit value, effectively tricking the camera into thinking it was booted using either power or playback even if it wasn't the case.
Thus, we have no need to know the GPIO table and can instead just check the button value? (In that case, 0xc0220020.) Only the 0x2A04 + 4 and 0x20000/0x40000 values are key; can the 0xc0220020 be found in the stubs entries?
// { 0, KEY_POWER ,0x00000020 }, // Found @0xffbc0b10, levent 0x100
I really have no way to guess aperture values (unless they're strings and I didn't see them). Could someone who has the camera check: the max aperture at min focal length, and the max aperture at max focal length?
One more thing: the guy trying to port the ixus145 reported that the sigfinder's guesses are wrong for several buttons.