Some research on DIGIC 6 overlay (sx280).
I have managed to log all messages sent to the 'graphic core'. Also logged the messages' content.
Unfortunately, none of this did uncover anything usable.
Sending messages consists of two phases:
- creating the message (uses a message ID (3rd argument in the sx280 version), message length, a handle (or pointer) and a message type(?) ).
I named the function that is used to do this 'mzrm_createmsg'. It can be recognized by the "[Mzrm]CreateWait" debug string.
The function allocates the requested message area and returns a pointer to it.
The returned area starts with a mandatory header, 3 words: ID, type(?), length, which adds to the requested size.
- sending the message (uses the same handle as 'mzrm_createmsg' plus the pointer returned by 'mzrm_createmsg')
Can be identified by looking for "[Mzrm]SendWait". I named it 'mzrm_sendmsg'.
It also returns a value (I'm not sure yet how longer responses are retrieved).
All messaging functions call the above 2 functions.
The message ID - message name translation requires the message name table from the Xtensa blob - related post is
https://chdk.setepontos.com/index.php?topic=11316.msg129104#msg129104 .
sx280 version is attached here:
https://chdk.setepontos.com/index.php?topic=11316.msg129051#msg129051
g7x version is here:
https://chdk.setepontos.com/index.php?topic=11316.msg129344#msg129344
Both mzrm_createmsg and mzrm_sendmsg start with a call to TakeSemaphore, which is located in RAM - can be hacked.
My current guess on the MZRM acronym is: [M]arius (main ARM core), [Z]ico (graphic core), [R]?, [M]essaging
Captures are attached, showing the sx280 booting up to playback mode with a photo displayed, plus CHDK activity caused by its (Un)DisplayBusyOnScreen calls.
Both captures include a USB cable insertion which erases the screen without showing "ScreenLock" and its friends in the camera log.
Line structure of the basic (shorter) capture is: system tick, message, LR (return address), task name
The longer capture adds more info (call stack, message content).
Messages have more and less obvious parts.
Framebuffer addresses and dimensions (640, 480) are recognizable. ROM addresses are also present, which may indicate that the Xtensa also sees the ROM.
A stream of messages usually ends with these 3 messages:
GraphicSystemCoreFinish, JediFinish, XimrExe
Unless I missed something, the addresses of 'our' overlay buffers (YUV+opacity) only show up in XimrExe messages. That X might mean 'transfer'.
Camera log during the detailed capture:
00000320: UI:LogicalEvent:0x5006:adr:0,Para:0
00000400: UI:Initialized WindowSystem.
00000400: UI:ScreenLock
00000400: UI:ScreenUnLock
00000410: UI:LogicalEvent:0x300a:adr:0,Para:0
00000410: UI:DispSwCon_TurnOnBackLight
00000410: UI:TurnOnBackLight
00000420: UI:CECConnectCnt
00000420: UI:HDMIConnectCnt
00000420: UI:MuteOffPhysicalScreen
00000420: UI:LogicalEvent:0x3139:adr:0,Para:0
00000460: UI:PB.Create
00000640: UI:LogicalEvent:0x301c:adr:0,Para:0
00000650: UI:PB.CreateE
00000650: UI:AC:StartPB
00000650: UI:DispSwCon_TurnOnDisplayDevice
00000650: UI:AC:EBtn
00000650: UI:PB.Start
00000650: UI:ScreenLock
00000650: UI:DSIC:47,0
00000650: UI:CC_CompFlhJpg
00000650: UI:_CompFlhJpg
00000650: UI:PB.Flash
00000650: UI:PB.S_Meta
00000650: UI:DSIC:47,0
00000650: UI:LogicalEvent:0x3201:adr:0,Para:0
00000650: UI:ScreenUnLock
00000660: UI:LogicalEvent:0x320b:adr:0,Para:0
00000660: UI:PB.StartE
00000660: UI:DisplayPhysicalScreenCBR
00000660: UI:DispSw: Unlock
00000660: UI:DispSwCon:Unlock
00000660: UI:DispSwCon_TurnOnBackLight
00000660: UI:DispSwCon_MuteOffPhysicalScreen
00000660: UI:Window MuteOff
00000660: UI:MuteOffPhysicalScreen
00000660: UI:DSIC:ed,0
00000660: UI:AC:EnryPB
00000660: UI:AP:ChkCnctUSB
00000660: UI:PB.DPOF
00000660: UI:DisplayPhysicalScreenCBR
00000670: UI:LogicalEvent:0x3221:adr:0x194b080,Para:26521728
00000670: UI:PB.MAX_ID
00000670: UI:PB.RefPB
00000670: UI:ScreenLock
00000670: UI:DSIC:47,0
00001060: UI:PB.DrawI
00001120: UI:LogicalEvent:0x3220:adr:0,Para:0
00001120: UI:PB.CTG
00001190: UI:LogicalEvent:0x666f:adr:0,Para:0
00001250: UI:LogicalEvent:0x3204:adr:0,Para:0
00001250: UI:PB.Check
00001260: UI:PB.DcdCBR
00001260: UI:DSIC:48,0
00001260: UI:PB.RfrsI
00001260: UI:PB.F_Dec
00001260: UI:LogicalEvent:0x3202:adr:0,Para:0
00001260: UI:ScreenUnLock
00001330: UI:DSIC:48,0
00001330: UI:DispSw: Unlock
00001330: UI:DispSwCon_TurnOnBackLight
00001330: UI:DispSwCon_MuteOffPhysicalScreen
00001330: UI:Window MuteOff
00001330: UI:MuteOffPhysicalScreen
00001330: UI:DisplayPhysicalScreenCBR
00002300: UI:ScreenLock
00002320: UI:ScreenUnLock
00002370: UI:DisplayPhysicalScreenCBR
00004140: UI:Button:0x000010B3:ConnectUSBCable
00004140: UI:IsWirelessConnect?:0
00004140: UI:ChkStoreLens
00004140: UI:IntPcCnct
00004140: UI:DlvrUSBCnct
00004140: UI:_CnctUSBCBR
00004190: UI:LogicalEvent:0x3138:adr:0,Para:0
00004200: UI:LogicalEvent:0x5005:adr:0,Para:0
00004200: PTPRspnd.StartUpPTPFrameworkClient
00007570: UI:ScreenLock
00007590: UI:ScreenUnLock
00007650: UI:DisplayPhysicalScreenCBR
00008220: UI:ScreenLock
00008240: UI:ScreenUnLock
00008300: UI:DisplayPhysicalScreenCBR
00009210: System.Create
00009210: StartRedirectUART
00009230: Printf
00009230: ShowCameraLog
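The 3-word message header described in the post (ID, type(?), length), as an added example that is not part of the original post or of CHDK: it splits a captured message into header and payload and looks for the 640, 480 dimension pair in the payload. The names mzrm_msg_view, mzrm_parse and mzrm_find_dims are hypothetical; 32-bit little-endian words, width directly followed by height, and the sample bytes are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MZRM_HDR_BYTES 12u /* 3 header words: ID, type(?), length (order per the post) */

typedef struct {
    uint32_t id, type, length;  /* 'type' and exact 'length' semantics are unconfirmed */
    const uint8_t *payload;     /* bytes following the header */
    size_t payload_bytes;       /* derived from capture size, not from 'length' */
} mzrm_msg_view;

/* Assumption: 32-bit little-endian words. */
static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Split a captured message into header and payload; -1 if the capture is too short. */
int mzrm_parse(const uint8_t *buf, size_t captured, mzrm_msg_view *out) {
    if (!buf || !out || captured < MZRM_HDR_BYTES) return -1;
    out->id = rd32le(buf);
    out->type = rd32le(buf + 4);
    out->length = rd32le(buf + 8);
    out->payload = buf + MZRM_HDR_BYTES;
    out->payload_bytes = captured - MZRM_HDR_BYTES;
    return 0;
}

/* Payload word index where w is directly followed by h (adjacency is an assumption), or -1. */
int mzrm_find_dims(const mzrm_msg_view *m, uint32_t w, uint32_t h) {
    size_t words = m->payload_bytes / 4;
    for (size_t i = 0; i + 1 < words; i++)
        if (rd32le(m->payload + 4 * i) == w && rd32le(m->payload + 4 * i + 4) == h)
            return (int)i;
    return -1;
}

/* Constructed sample, not taken from the attached captures. */
static const uint8_t sample_msg[] = {
    0x2a, 0, 0, 0,  0x01, 0, 0, 0,  0x0c, 0, 0, 0, /* header: made-up ID, type, length */
    0x00, 0x10, 0x00, 0x40,                        /* made-up address-like word */
    0x80, 0x02, 0, 0,  0xe0, 0x01, 0, 0            /* 640, 480 */
};

int main(void) {
    mzrm_msg_view v;
    if (mzrm_parse(sample_msg, sizeof sample_msg, &v) != 0) return 1;
    printf("id=0x%x type=0x%x len=%u dims@word %d\n", (unsigned)v.id, (unsigned)v.type,
           (unsigned)v.length, mzrm_find_dims(&v, 640, 480));
    return 0;
}
```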