I need some deeper file-by-file, line-by-line execution flow understanding.
I'll try to answer some specific questions below, but IMO, you only really get this kind of understanding from actually going through the code.
1. PLATFORMID
http://chdk.wikia.com/wiki/P-ID_(Table)
In CHDK, this is relevant because
1) It's required to generate a usable firmware update file
2) It's used in the CHDK compatibility check.
2. MAXRAMADDR
Physical memory size. Used for sanity checks, doesn't have to be set correctly right away. Grep the source.
3. MEMISOSTART
The final location where the CHDK code is loaded in memory.
4. KEYSYS
An arbitrary identifier for the firmware update file encoding. See platform/fi2.inc.txt
5. MEMBASEADDR
The address where Canon firmware code initially loads the CHDK binary from DISKBOOT.BIN or PS.FI2. 0x1900 on pre-digic 6 platforms.
6. ROMBASEADDR
The start of ROM code.
7. NEED_ENCODED_DISKBOOT
A number identifying the encoding used for DISKBOOT.BIN. See tools/dancingbits.c
and why some of them are missing from my stubs_entry.S:
The tool generates this file (finsig) doesn't find them, either because they aren't values it is intended to find, or because it isn't able to find them for your camera. Note, you need to have ROMBASEADDR set correctly for finsig to work correctly.
The content of diskboot.bin is unscrambled and is copied to MEMBASEADDR (that's 0x1900 on DIGIC II...5).
What's the code performing that? Built-in program? Then how does this code is aware that "if a file named exactly 'diskboot.bin' is present on the card, it must be loaded to some memory address"? Why to MEMBASEADDR - what so special about this address - why not to the very first byte address?
This is all done by the Canon firmware, so we have no control over it.
Which code exactly? What function exactly in this code? How about line-by-line analysis in this function (at least generally)?
CHDK begins execution in loader entry.S.
But I don't understand what these line do:
MOV SP, #0x1900
MOV R11, #0
MOV SP, #0x1900 means that the stack top is set to 0x1900 address, but why?
Canon startup code uses it, so we have good reason to believe it's safe.
I don't understand what core_copy does and why, but I suppose that after comes the camera restart code (which I probably have to substitute from ixus160 to ixus190?)
It does what it says on the tin: It copies the CHDK main code from the location it was loaded by the Canon firmware (near MEMBASEADDR, after the loader code, see blobs.S) to it's final location. This copy needs to be done because the original firmware keeps it kernel data around MEMBASEADDR.
This line seems interesting:
: : "r"(MEMISOSTART) : "memory","r0","r1","r2","r3","r4"
but I also don't understand what does it do and why.
See the gcc inline asm documentation
https://gcc.gnu.org/onlinedocs/gcc/Extended-Asm.html#Extended-AsmThe important part happens before that:
"mov R0, %0\n"
"BX R0\n"
%0 refers to the MEMISOSTART value, as described in the doc linked above.
while(1);
why infinite loop here? So this function is a some kind of "master thread"?
The inline assembly above that jumps into the main boot code which should never return, so it's really just there to make execution not wander off into memory if something goes badly wrong.
I suppose that the next step - some code (which one?) calls startup() function in platform/<camera>/main.c, which then calls boot() function from platform/<camera>/sub/<version>/boot.c (?) And what next?
Correct. Follow the code in boot.c
Am I understanding right that the diskboot.bin utilizes 2 independent memory regions on the camera RAM:
a. some memory region where diskboot.bin (ISO actually) is loaded from the card. Is MEMBASEADDR the value that points to its start?
Yes, the CHDK binary is initially loaded at MEMBASEADDR
b. some completely another memory region used as a malloc heap for (a) region (loaded ISO). Is MEMISOSTART the value that points to its start?
Yes, MEMISOSTART points to final, safe location where the main CHDK binary runs.
The important part is the Canon firmware loads the code only at MEMBASEADDR, and starts executing it. We need the CHDK code at a different location, because we need to be able to re-run the Canon boot sequence and the Canon firmware itself uses memory around MEMBASEADDR. This is also part of why we need to re-run the Canon boot sequence in the first place: when the Canon firmware loads a binary like DISKBOOT.BIn, it trashes it's own kernel memory.
which probably means that we have to scramble the compiled CHDK sources in order to comply with the camera craziness?
Yes, that's what dancingbits does.
PS I can't proceed to whatever disassembling until I have a clear understanding of the whole boot-up process in enough details.
I would suggest familiarizing yourself with the firmware disassembly. Understanding the Canon firmware can help you understand why CHDK does the things it does.