Hi everyone. I thought I'd chime in on how I got those LED addresses. I started without any CHDK experience, but I gathered a lot of information and ideas from the CHDK wikia and the DPReview forum, particularly the "CHDK for S5" (http://forums.dpreview.com/forums/readflat.asp?forum=1010&thread=24983823&page=1) and the "CHDK firmware hack discussion" threads. For my work, I used the supplied 32 MB SD card, card readers and a Linux environment.
After identifying the firmware version using ver.req, I tried loading the G7-1.00g build onto the camera. It didn't load, and there was no "Firmware Update" prompt in the menu.
So the next task was to make the card bootable. Unfortunately, there wasn't much info on doing that outside a CHDK-enabled camera. Eventually, I found some info on DPReview, especially the "CHDK for S5" thread. I had to locate the first partition's boot sector and add the BOOTDISK string to it so it looks like the G7 sector, followed by locking the SD card. Originally I thought that the boot sector meant the master boot record, or the first sector, but that was wrong; it won't work, and it forced me to format the card in the camera. So finally, after reformatting the card, remodifying the boot sector (now at offset 0x6600), adding the "preblinker" files and locking the card, the camera responded - by locking up completely when the power button is pressed. The same happened when G7 files were booted - nothing happens.
Now that the camera has responded to some code, it was time to find the LED addresses. I went through various camera models on the wikia to get an idea of where the LEDs exist within the 32-bit address space. All models had them in the range of about 0xC0220080 to 0xC02200E0. I then modified the G7 blinker and tried turning everything >=80 to <FF on/off. Initially every LED turned on, so I progressively halved the range until I got single LEDs turning on. As I've found, LEDs only needed to be turned on and not blinked. Incidentally, the addresses were the same as the A720IS.
With the LED addresses and process of making an SD card bootable now known, a firmware blinker could be modified to blink out the firmware provided the correct firmware starting address is coded in.
======
As a side note, I bought the A650 not long ago, as my first digital camera. No, I didn't buy it purposely to hack, but to take photos with its nice features and likeness to the G9. I tossed up between buying the A650 or S5, both of which I wanted to hack (and use). I leaned towards the A650 because it was smaller and no one was hacking it until about now.
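The difference between the master boot record and the first partition's boot sector, described in the post above, can be checked on a card image before touching the card. This is an added Python example, not code from the post: it reads the first partition's start sector from the MBR and places the BOOTDISK string in that partition's boot sector. The function names, the constructed sample image and the 0x40 marker offset are assumptions; the post does not state where in the sector the string goes.

```python
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xaa"
MARKER = b"BOOTDISK"
MARKER_OFFSET = 0x40   # assumption: position within the FAT12/16 boot sector
PART_TABLE = 0x1BE     # first of four 16-byte partition entries in the MBR


def first_partition_offset(image: bytes) -> int:
    """Return the byte offset of the first partition's boot sector."""
    if len(image) < SECTOR or image[510:512] != BOOT_SIG:
        raise ValueError("sector 0 has no 0x55AA signature")
    ptype = image[PART_TABLE + 4]
    (lba_start,) = struct.unpack_from("<I", image, PART_TABLE + 8)
    if ptype == 0 or lba_start == 0:
        raise ValueError("first partition entry is empty")
    return lba_start * SECTOR


def mark_bootable(image: bytes) -> bytes:
    """Return a copy of the image with the marker in the partition boot sector."""
    off = first_partition_offset(image)
    boot = image[off:off + SECTOR]
    if len(boot) < SECTOR or boot[510:512] != BOOT_SIG:
        raise ValueError("no boot sector found at partition start")
    out = bytearray(image)
    pos = off + MARKER_OFFSET
    out[pos:pos + len(MARKER)] = MARKER   # sector 0 (the MBR) is left untouched
    return bytes(out)


def build_sample_image(lba_start: int = 51, total_sectors: int = 64) -> bytes:
    """Constructed sample: an MBR with one FAT16 entry and a blank boot sector."""
    img = bytearray(total_sectors * SECTOR)
    img[PART_TABLE:PART_TABLE + 16] = struct.pack(
        "<B3sB3sII", 0x00, b"\0\0\0", 0x06, b"\0\0\0",
        lba_start, total_sectors - lba_start)
    img[510:512] = BOOT_SIG
    boot = lba_start * SECTOR
    img[boot:boot + 3] = b"\xeb\x3c\x90"          # x86 jump that opens a FAT boot sector
    img[boot + 510:boot + 512] = BOOT_SIG
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample_image()
    print(hex(first_partition_offset(sample)))
    patched = mark_bootable(sample)
    print(patched[0x6600 + MARKER_OFFSET:0x6600 + MARKER_OFFSET + 8])
```

With the sample's partition starting at sector 51, the boot sector lands at 51 × 512 = 0x6600, the offset mentioned in the post.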