Yes, this is somewhat tricky, owing to the fact that it is not described in any sort of comprehensible way anywhere I know.
So I try to guide you, although I don’t remember/know the fine details (and they may’ve changed over time). If you don’t manage, I’ll try to look deeper, find old notes, etc.
You need the keys to enter, of course
The encoding keys, as FI2 is encoded.
You should’ve already learned the “dancing bits” for your camera, needed to encode diskboot. (CHDK is already ported to A2200, isn’t it?)
The quotes below are from my old notes, unchanged.
Getting FI2 keys and producing FI2 http://chdk.wikia.com/wiki/For_Developers/fi2offsets
To create your own CHDK ps.fi2 files (e.g. with the CHDK-Shell), the OPT_FI2 option in /buildconf.inc must be turned on and the file /platform/fi2.inc must hold the keys (they are always 16 bytes long, written without any delimiter). Example:
# ifeq ($(KEYSYS), d3g) # not needed if compiling only a single cam
How to find keys:
Firstly, in stubs_entry.s, it may show KEYSYS such as:
// KEYSYS = d4g // Found @ 0xff812968
This is the address of the FI2KEY, with dancingbits immediately following
Or, back to the basics (this is quite old, but I believe still works, at least for your camera):https://chdk.setepontos.com/index.php?topic=2995.msg28117#msg28117
It is very easy, reference to first key located at beginning of ROMStarter (0xFFFF0004), to find second key search "RSBNE R1, R1, #0x10" instruction in code and next function uses second key.
(NOTE: "RSBNE R1, R1, #0x10" opcode is 0x10106112 so you may use binary search)
(for instance, in ixus170 this instruction is at FFB9CBD4, the key at FFCC48AC)