My goal with the poking was to identify the role of some calls within a lengthy function X — basically, shotgun debugging. Is there a (well established) way to do this, maybe by duplicating function X in CHDK (somewhere), and modifying it there?
It really depends. If the function is called from a specific task, you can hook the task and copy (with codegen or capdis) and modify up to the relevant calls, like we do for capt_seq etc.
If it's something you want to call from CHDK (say, you want to call your own modified version of SetVideoOutType) you can just copy the code somewhere (like boot.c) and call it. Of course, that will only affect your own calls to the function, any calls in the native firmware code will go to the original.
If it's a function called from various parts of the firmware and you want to change the behavior any time it's called, you'd have to do something like cache hacks, or find some method specific to the function like if the Canon firmware provides a hook of some kind, or catching asserts like srsa_4c did for video out override, or modifying code the Canon firmware copies to RAM, like we do for CreateTask in some ports.
For the last item, you could find something common like the semaphore or eventflag functions, and modify it to detect when a specific return address is on the stack and jump to your own code instead.
FWIW, for this kind of exploration, I find it helpful to use chdkptp (https://app.assembla.com/spaces/chdkptp/wiki).
You can read memory with rmem or peek, interactively call functions and see the results using call_func_ptr / call_event_proc, and can also inspect the camera log using devutil (https://chdk.setepontos.com/index.php?topic=6231.msg142083#msg142083).