Some findings (but no solution).
- The startup flags (@0x2cfc) are ORed into physw_status[2] in kbd_read_keys_r2.
- The firmware's kbd_read_keys function zeroes all physw_status words before calling GetKbdState and the rest (this is not new behaviour, earlier cams also do this). The CHDK replacement does not seem to do this. I have no idea if clearing is actually needed or not.
Here's what's in physw_status[2] (@0x1a64c) in the dumps I have:
- 044003F4: no CHDK, good card
- 044003F4: no CHDK, bad card
- 044003F4: no CHDK, good card
- 044003F4: no CHDK, bad card
- 044003F4: no CHDK, bad card
- 044003F4: no CHDK, good card
- 044003F4: good card, with CHDK
- 162003F4: bad card, CHDK, PTP
- 144003F4: good card, CHDK, PTP
In all but one case, the startup flag is 0x400000, which is the correct playback mode flag. The "bad card + chdk + ptp" combination has 0x200000 (which should be the rec mode start flag).
The leading digit is the USB bit. The "bad card + chdk + ptp" combination also has the SD card read-only flag (0x2000000), wonder why. IMHO it should not be there.
@blackhole
Can you rmem the word at 0x1a64c a few times using a bad and a good card? I don't need dumps, just that word. Make sure you're using
*(int*)(0x2cf4+0x8) = (*(int*)0xc022f48c) & 0x80000 ? 0x400000 : 0x200000;
in boot.c and you start in playback mode (and leave the cam in playback mode).
WriteSDCard is sub_6ba7ec (this is needed for the "make card bootable" menu entry to function).
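As an added example (not code from the post or from CHDK), the following decodes physw_status[2] words with the masks named above, applies the same playback/rec choice as the boot.c line, and counts the inconsistencies a word read in playback mode with a writable card should not show; the USB bit position 0x10000000 is inferred from the leading hex digit of the dumps and is an assumption.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
/* Flag masks quoted in the post. The USB bit position is not stated there;
   0x10000000 is assumed from the leading hex digit of the dumped values. */
#define PHYSW2_STARTUP_REC   0x00200000u  /* rec-mode startup flag */
#define PHYSW2_STARTUP_PLAY  0x00400000u  /* playback-mode startup flag */
#define PHYSW2_SD_READONLY   0x02000000u  /* SD card read-only flag */
#define PHYSW2_USB           0x10000000u  /* assumed: USB connected bit */

struct physw2_info { bool play_flag, rec_flag, sd_readonly, usb; };
/* Split a physw_status[2] word into the flags discussed in the post. */
struct physw2_info decode_physw2(uint32_t w)
{
    struct physw2_info i;
    i.play_flag   = (w & PHYSW2_STARTUP_PLAY) != 0;
    i.rec_flag    = (w & PHYSW2_STARTUP_REC)  != 0;
    i.sd_readonly = (w & PHYSW2_SD_READONLY)  != 0;
    i.usb         = (w & PHYSW2_USB)          != 0;
    return i;
}

/* Same decision as the boot.c line in the post: bit 0x80000 of the hardware
   register selects the playback flag, otherwise the rec flag is used. */
uint32_t select_startup_flag(uint32_t reg)
{
    return (reg & 0x80000u) ? PHYSW2_STARTUP_PLAY : PHYSW2_STARTUP_REC;
}

/* Count what should not appear in a word read in playback mode with a
   writable card: playback flag missing, rec flag set, read-only flag set.
   Returns 0 when the word is consistent with that state. */
int check_playback_word(uint32_t w)
{
    struct physw2_info i = decode_physw2(w);
    return (int)!i.play_flag + (int)i.rec_flag + (int)i.sd_readonly;
}

int main(void)
{
    /* Constructed sample: the three distinct values seen in the dumps above. */
    const uint32_t words[] = { 0x044003F4u, 0x162003F4u, 0x144003F4u };
    for (size_t n = 0; n < sizeof words / sizeof words[0]; n++) {
        struct physw2_info i = decode_physw2(words[n]);
        printf("%08X play=%d rec=%d ro=%d usb=%d problems=%d\n", (unsigned)words[n],
               i.play_flag, i.rec_flag, i.sd_readonly, i.usb, check_playback_word(words[n]));
    }
    return 0;
}
```

Run against the values blackhole reads back with rmem: a non-zero problem count on a word taken in playback mode with a good card points at the startup-flag or read-only handling rather than at the card.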