The mzrm_createmsg and mzrm_sendmsg functions use pointers to debug functions (see 0xFC2FD870 on M3) that are actually NULL. Maybe we can use them?
They are too deep down and too conditional.
TakeSemaphore is called right at the start, which lets us skip the whole of mzrm_createmsg if we choose to. The mzrm message functions usually check the return value of mzrm_createmsg for NULL and skip sending the message if it is indeed NULL (well, there is not much else they could do).
I did this on the sx280 102b:
Index: boot.c
===================================================================
--- boot.c (revision 4883)
+++ boot.c (working copy)
@@ -74,6 +74,16 @@
"cmp r0,r2\n"
"blo task_hook_loop\n"
+ "adr r0, patch_TakeSemaphore\n" // src: Patch data
+ "ldr r1, =0x010c59f8\n" // dest: Address to patch (hook_ has thumb bit off)
+ "add r2, r0, #8\n" // two words
+"ts_hook_loop:\n"
+ "ldrh r3, [r0],#2\n"
+ "strh r3, [r1],#2\n"
+ "cmp r0,r2\n"
+ "blo ts_hook_loop\n"
+
+
" ldr r0, =0x010c1000\n"
" ldr r1, =0x0001f3c4\n"
" BL sub_fc12dd3a\n" // clean data cache (on the kernel area)
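Review bot: The copy length in `add r2, r0, #8` is a hard-coded count that must match the size of the patch_TakeSemaphore stub (one 4-byte `ldr.w` plus one 4-byte `.long`); if that stub ever grows, ts_hook_loop silently copies a truncated hook. Deriving it from labels, `"add r2, r0, #(patch_TakeSemaphore_end - patch_TakeSemaphore)\n"` with a `patch_TakeSemaphore_end:` label placed after the `.long`, removes the dependency. The destination comment `// dest: Address to patch (hook_ has thumb bit off)` would be clearer as `// dest: TakeSemaphore entry, thumb bit cleared; its first 8 bytes are replaced and re-executed in TakeSemaphore_my`, since the `ldr pc, =0x10c5a01` in the later hunk appears to resume exactly 8 bytes past this address. The data-cache clean that follows covers 0x010c59f8, but no instruction-cache invalidate is visible in this hunk; if one is not done elsewhere, the CPU may keep executing the unpatched prologue. The enclosing asm block starts before this hunk.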
@@ -99,6 +109,10 @@
"patch_CreateTask:\n"
"ldr.w pc, [pc,#0]\n" // Do jump to absolute address CreateTask_my
".long CreateTask_my + 1\n" // has to be a thumb address
+
+ "patch_TakeSemaphore:\n"
+ "ldr.w pc, [pc,#0]\n" // Do jump to absolute address
+ ".long TakeSemaphore_my + 1\n" // has to be a thumb address
);
}
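Review bot: The comment on the new `ldr.w pc, [pc,#0]` drops the target name that the CreateTask stub's comment carries; `// Do jump to absolute address TakeSemaphore_my` keeps the two stubs parallel. Because the earlier hunk copies this stub with a fixed 8-byte count, a comment such as `// must stay exactly 8 bytes: copied by ts_hook_loop` on the `patch_TakeSemaphore:` label would document the coupling. The enclosing asm block starts before this hunk.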
@@ -590,3 +604,44 @@
}
+//*****************************************************************
+
+void __attribute__((naked,noinline)) TakeSemaphore_my() {
+asm volatile (
+ "ldr r3, =0xfc2546a7\n"
+ "cmp r3, lr\n"
+ "bne nomod\n"
+"mod1:\n"
+ "push {r0,lr}\n"
+ "mov r0, r11\n" // r2 of mzrm_create
+ "cmp r0, #0x1d\n" // ximrexe, @ FC2DC5D6
+ "bne mod1out\n" // only touch ximrexe
+ "bl mzrmmod1\n"
+ "pop {r0,lr}\n"
+ "mov r0, #0\n" // make mzrm_create return null pointer
+ "ldr pc, =0xFC254725\n" // leave mzrm_create, without doing anything
+"mod1out:\n"
+ "pop {r0,lr}\n"
+ //"b nomod\n"
+"nomod:\n"
+ "push {r2, r3, r4, r5, r6, lr}\n"
+ "mov r4, r0\n"
+ "ldr r0, =0x8154\n"
+ "mov r5, r1\n"
+ "ldr pc, =0x10c5a01\n"
+".ltorg\n"
+);
+}
+
+
+static unsigned int taskinf[20];
+static int msgsize;
+
+extern int _get_self_task_id();
+extern void _get_tcb(int tid, void* buf);
+
+void mzrmmod1() {
+}
+
+
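Review bot: The `push {r0,lr}` / `pop {r0,lr}` pair around `bl mzrmmod1` preserves only r0 and lr, so once mzrmmod1 gets a body (it is empty in this patch) it is free under the AAPCS to clobber r1, r2, r3 and r12, and the fall-through path at `nomod` still needs r1 as TakeSemaphore's second argument (`mov r5, r1`). Saving `push {r0-r2,lr}` and restoring with `pop {r0-r2,lr}` at both pop sites keeps r1 intact and keeps the stack 8-byte aligned across the call. The four instructions after `nomod:` appear to re-execute the prologue that the 8-byte hook overwrote before jumping back to 0x10c5a01; a comment stating that, `// original TakeSemaphore prologue (8 bytes overwritten by the hook), then resume`, would make the hook's dependency on the firmware layout explicit. Likewise `mov r0, r11` relies on the caller's register allocation at 0xfc2546a7 holding mzrm_createmsg's r2 in r11, which is worth flagging as firmware-version specific, e.g. `// r11 == caller's r2 only for this sx280 102b build`.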
The patch contains unnecessary parts and the asm isn't optimal.
This is just a POC; it simply suppresses all Ximrexe messages. Screenshot attached (it shows both framebuffers from the same session; as you can see, the previous diskboot's splash survived the few seconds while the camera was off).
Using this, framebuffers are still flipped back and forth as usual while using the camera.
Newer cameras contain more Ximr messages (for example, the g7x has XimrExeGain; no idea what it does).
I only tried this on the sx280.