First, a warning: altering the camera's flash ROM can render the camera inoperable (aka brick). If you're not absolutely sure what this is about then do not even think about trying it on real hardware.
The firmware routine exists in all PowerShot firmwares. It is also exported as an event procedure.
Its prototype is:
int WriteToRom(char *addr, char *buf, int length)
- addr is the destination address in ROM
- buf points to a buffer with the bytes to write
- length is the number of bytes to be written
The flash in our cameras is NOR flash. It can be written, but the camera normally does not permit writing into flash - that's what this function is for. The smallest unit that can be written is one byte.
When the flash is erased, the erased region will consist of 0xff bytes (all bits set to '1'). Writing can change bits that are '1' to '0', but zero bits can't be changed back by writing. Erasing the flash can only be done in larger units (sectors) - these are multiples of kilobytes, starting on a sector boundary. I did not attempt doing this as erasing into the code area of flash does not sound safe at all.
I used WriteToRom to do the following:
- I fixed corrupted bytes in the flash. One or more bits of those bytes had faded to '1'. I did this using chdkptp.
- On a DryOS camera, calling WriteToRom by its address succeeded immediately and the corrupted byte got fixed (I compared ROM dumps afterwards).
- On a VxWorks camera, calling WriteToRom by its address froze the PTP connection and the camera. Fortunately, the camera could be turned on afterwards and the byte I targeted was no longer corrupted.
- After the success on the DryOS camera, I decided to disable the bootdisk signature check - I turned a conditional branch instruction into a harmless andeq (that's a zero word on ARM). That camera now boots from any file system, without requiring the BOOTDISK signature on the card. This change, however, can't be undone easily.
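Because a NOR write can only clear bits, any patch applied through WriteToRom should be checked against a ROM dump first: a byte that needs a 0 -> 1 transition cannot be fixed by writing and would need a sector erase. The following preflight is an added example (not CHDK or Canon code) covering the faded-byte repair and the branch-to-zero-word case described above; the ROM bytes and the branch encoding are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Preflight for patches applied with a write-only NOR routine such as
   WriteToRom. Programming can only clear bits (1 -> 0); a byte that needs
   any 0 -> 1 change requires a sector erase instead. Sample ROM contents
   below are constructed, not taken from a real camera. */

/* Count bytes in [0,len) whose target value needs a 0 -> 1 transition.
   Returns 0 when the whole patch can be applied by byte writes alone. */
size_t nor_unprogrammable_bytes(const uint8_t *cur, const uint8_t *want, size_t len) {
    size_t bad = 0;
    for (size_t i = 0; i < len; i++)
        if (want[i] & ~cur[i]) bad++;   /* a bit set in want but clear in cur */
    return bad;
}

/* Model of programming without erase: cells can only be ANDed with the new
   value. Returns 1 if the result equals the wanted bytes, 0 otherwise. */
int nor_simulate_program(uint8_t *cur, const uint8_t *want, size_t len) {
    int ok = 1;
    for (size_t i = 0; i < len; i++) {
        cur[i] &= want[i];
        if (cur[i] != want[i]) ok = 0;
    }
    return ok;
}

/* Case 1: a conditional branch (constructed little-endian ARM encoding of
   BNE) replaced by a zero word (andeq r0,r0,r0): every changed bit goes
   1 -> 0, so this is always programmable without an erase. */
int demo_branch_to_andeq(void) {
    uint8_t rom[4] = {0x03, 0x00, 0x00, 0x1A};   /* constructed BNE word */
    const uint8_t want[4] = {0, 0, 0, 0};
    return nor_unprogrammable_bytes(rom, want, 4) == 0 && nor_simulate_program(rom, want, 4);
}

/* Case 2: a byte whose bits drifted to '1' can be restored from a good
   dump. Case 3: a byte that drifted to '0' would need an erase: rejected. */
int demo_faded_byte(void) {
    uint8_t faded[1]  = {0xFF};   /* constructed: all bits faded to 1 */
    uint8_t zeroed[1] = {0x00};   /* constructed: bits stuck at 0 */
    const uint8_t good[1] = {0x5A};
    return nor_unprogrammable_bytes(faded, good, 1) == 0
        && nor_unprogrammable_bytes(zeroed, good, 1) == 1;
}

int main(void) {
    printf("branch->andeq programmable: %d\n", demo_branch_to_andeq());
    printf("faded byte checks as expected: %d\n", demo_faded_byte());
    return 0;
}
```

Run the check against a full ROM dump before calling WriteToRom; if it reports any unprogrammable byte, the write will silently leave those bits wrong.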