After analysing some dumps of other cameras, I found out that almost always a pointer to the SD-card write function is below the "BOOTDISK" string in flash. In most cases it is the second flash address (in one dump I checked, it was the first one, but for the G11 it was always the second).
ROM:FF86F360 aBootdisk DCB "BOOTDISK",0 ; DATA XREF: sub_FF86EE64+22Co
ROM:FF86F360 ; sub_FF86FB80+18o
ROM:FF86F369 DCB 0
ROM:FF86F36A DCB 0
ROM:FF86F36B DCB 0
ROM:FF86F36C aScript DCB "SCRIPT",0 ; DATA XREF: sub_FF86EE64+248o
ROM:FF86F36C ; sub_FF86FBAC+18o
ROM:FF86F373 DCB 0
ROM:FF86F374 dword_FF86F374 DCD 0x4D2 ; DATA XREF: sub_FF86F0CC+34r
ROM:FF86F378 unk_FF86F378 DCB 0x4D ; M ; DATA XREF: sub_FF86F0CC+3Co
ROM:FF86F378 ; sub_FF86F1DC+15Co ...
ROM:FF86F379 DCB 0x6F ; o
ROM:FF86F37A DCB 0x75 ; u
ROM:FF86F37B DCB 0x6E ; n
ROM:FF86F37C DCB 0x74 ; t
ROM:FF86F37D DCB 0x65 ; e
ROM:FF86F37E DCB 0x72 ; r
ROM:FF86F37F DCB 0x2E ; .
ROM:FF86F380 DCB 0x63 ; c
ROM:FF86F381 DCB 0
ROM:FF86F382 DCB 0
ROM:FF86F383 DCB 0
ROM:FF86F384 off_FF86F384 DCD sub_FF94B61C ; DATA XREF: sub_FF86F0CC+54r
ROM:FF86F388 off_FF86F388 DCD sub_FF94B804 ; DATA XREF: sub_FF86F0CC+60r
ROM:FF86F38C off_FF86F38C DCD sub_FF94B504 ; DATA XREF: sub_FF86F0CC+6Cr
ROM:FF86F390 off_FF86F390 DCD unk_FF94BBD8 ; DATA XREF: sub_FF86F0CC+7Cr
ROM:FF86F394 off_FF86F394 DCD sub_FF94BC48 ; DATA XREF: sub_FF86F0CC+84r
ROM:FF86F398 dword_FF86F398 DCD 0x568 ; DATA XREF: sub_FF86F1DC:loc_FF86F334r
ROM:FF86F39C
ROM:FF86F39C ; =============== S U B R O U T I N E =======================================
ROM:FF86F39C
ROM:FF86F39C
ROM:FF86F39C sub_FF86F39C ; CODE XREF: sub_FF86F4E0+38p
ROM:FF86F39C STMFD SP!, {R4-R8,LR}
ROM:FF86F3A0 MOV R6, R0
ROM:FF86F3A4 LDR R0, =0x375F0
ROM:FF86F3A8 MOV R7, R1
ROM:FF86F3AC ADD R4, R0, R1,LSL#7
ROM:FF86F3B0 LDR R0, [R4,#0x3C]
ROM:FF86F3B4 MOV R5, #0
ROM:FF86F3B8 CMP R0, #6
ROM:FF86F3BC ADDLS PC, PC, R0,LSL#2
ROM:FF86F3C0 B loc_FF86F42C
ROM:FF86F3C4 ; ---------------------------------------------------------------------------
ROM:FF86F3C4<...>
ROM:FFC3E430 aBootdisk DCB "BOOTDISK",0 ; DATA XREF: sub_FFC3E02C+21Co
ROM:FFC3E439 DCB 0
ROM:FFC3E43A DCB 0
ROM:FFC3E43B DCB 0
ROM:FFC3E43C aScript DCB "SCRIPT",0 ; DATA XREF: sub_FFC3E02C+238o
ROM:FFC3E443 DCB 0
ROM:FFC3E444 dword_FFC3E444 DCD 0x53A ; DATA XREF: sub_FFC3E390+34r
ROM:FFC3E448 unk_FFC3E448 DCB 0x4D ; M ; DATA XREF: sub_FFC3E390+3Co
ROM:FFC3E448 ; sub_FFC3E4EC+154o ...
ROM:FFC3E449 DCB 0x6F ; o
ROM:FFC3E44A DCB 0x75 ; u
ROM:FFC3E44B DCB 0x6E ; n
ROM:FFC3E44C DCB 0x74 ; t
ROM:FFC3E44D DCB 0x65 ; e
ROM:FFC3E44E DCB 0x72 ; r
ROM:FFC3E44F DCB 0x2E ; .
ROM:FFC3E450 DCB 0x63 ; c
ROM:FFC3E451 DCB 0
ROM:FFC3E452 DCB 0
ROM:FFC3E453 DCB 0
ROM:FFC3E454 off_FFC3E454 DCD sub_FFCE4560 ; DATA XREF: sub_FFC3E390+54r
ROM:FFC3E458 off_FFC3E458 DCD sub_FFCE4748 ; DATA XREF: sub_FFC3E390+60r
ROM:FFC3E45C off_FFC3E45C DCD sub_FFCE44AC ; DATA XREF: sub_FFC3E390+6Cr
ROM:FFC3E460 off_FFC3E460 DCD sub_FFCE4AFC ; DATA XREF: sub_FFC3E390+7Cr
ROM:FFC3E464 off_FFC3E464 DCD sub_FFCE4B6C ; DATA XREF: sub_FFC3E390+84r
ROM:FFC3E468
ROM:FFC3E468 ; =============== S U B R O U T I N E =======================================
ROM:FFC3E468
ROM:FFC3E468
ROM:FFC3E468 sub_FFC3E468 ; CODE XREF: sub_FFC3E9BC+4Cp
ROM:FFC3E468 ; sub_FFC3EB1C+34p
ROM:FFC3E468 LDR R1, =0xE5D8
ROM:FFC3E46C STMFD SP!, {R4-R6,LR}
ROM:FFC3E470 ADD R4, R1, R0,LSL#7
ROM:FFC3E474 LDR R0, [R4,#0x70]
ROM:FFC3E478 TST R0, #1
ROM:FFC3E47C LDMNEFD SP!, {R4-R6,PC}
ROM:FFC3E480 LDR R6, [R4,#0x38]
ROM:FFC3E484 BL sub_FFC3B85C
ROM:FFC3E488 LDR R0, [R4,#0x38]
ROM:FFC3E48C BL sub_FFC3EEE8
ROM:FFC3E490 CMP R0, #0
ROM:FFC3E494 MOV R5, #5
ROM:FFC3E498 STREQ R5, [R4,#0x3C]
ROM:FFC3E49C BEQ loc_FFC3E4E4
ROM:FFC3E4A0 BL sub_FFC3F6B8
ROM:FFC3E4A4 BL sub_FFC3F7A0
ROM:FFC3E4A8 CMP R0, #0
ROM:FFC3E4AC STREQ R5, [R4,#0x3C]
ROM:FFC3E4B0 BEQ loc_FFC3E4D8
ROM:FFC3E4B4 LDR R1, [R4,#0x5C]
ROM:FFC3E4B8 MOV R0, R6
ROM:FFC3E4BC BLX R1
ROM:FFC3E4C0 CMP R0, #0
ROM:FFC3E4C4 STR R0, [R4,#0x3C]
ROM:FFC3E4C8 LDRNE R0, [R4,#0x70]
ROM:FFC3E4CC ORRNE R0, R0, #1
ROM:FFC3E4D0 STRNE R0, [R4,#0x70]
ROM:FFC3E4D4 LDMNEFD SP!, {R4-R6,PC}
ROM:FFC3E4D8
ROM:FFC3E4D8 loc_FFC3E4D8 ; CODE XREF: sub_FFC3E468+48j
ROM:FFC3E4D8 LDR R0, [R4,#0x60]
ROM:FFC3E4DC CMP R0, #0
ROM:FFC3E4E0 BLXNE R0
ROM:FFC3E4E4
ROM:FFC3E4E4 loc_FFC3E4E4 ; CODE XREF: sub_FFC3E468+34j
ROM:FFC3E4E4 LDMFD SP!, {R4-R6,LR}
ROM:FFC3E4E8 B sub_FFC3F748
ROM:FFC3E4E8 ; End of function sub_FFC3E468
ROM:FFC3E4E8
ROM:FFC3E4EC
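The heuristic from the post (find "BOOTDISK" in a dump, then take the second ROM pointer in the DCD table that follows it) as an added Python example; it is not code from the post or from CHDK. The dump fragment is constructed to mirror the G11 listing above, and the load address and flash size are assumptions.

```python
import struct

# Constructed sample modelled on the G11 listing in the post: "BOOTDISK", "SCRIPT",
# a counter dword, the "Mounter.c" source name, then five DCD pointers into ROM.
SAMPLE_BASE = 0xFFC3E400      # assumed load address of this fragment (real dumps start lower)
SAMPLE_ROM_SIZE = 0x400000    # assumed flash size used for the pointer-range check
SAMPLE_DUMP = (
    b"\xff" * 0x30
    + b"BOOTDISK\0\0\0\0"
    + b"SCRIPT\0\0"
    + struct.pack("<I", 0x53A)
    + b"Mounter.c\0\0\0"
    + struct.pack("<5I", 0xFFCE4560, 0xFFCE4748, 0xFFCE44AC, 0xFFCE4AFC, 0xFFCE4B6C)
    + struct.pack("<I", 0xE59F10F4)  # constructed: first opcode of the next subroutine
)

def find_write_candidates(dump, rom_base, rom_size=None, marker=b"BOOTDISK", window=0x40):
    """For each `marker` hit, scan the aligned dwords after it and collect the first
    contiguous run of values that point into ROM (strings and small counters fail
    the range check, so the run starts at the DCD table). Returns [(addr, [ptr..])]."""
    if rom_size is None:
        rom_size = len(dump)
    hits = []
    pos = dump.find(marker)
    while pos != -1:
        start = (pos + len(marker) + 3) & ~3        # next 4-byte-aligned dword
        run = []
        for off in range(start, min(start + window, len(dump) - 3), 4):
            (val,) = struct.unpack_from("<I", dump, off)
            if rom_base <= val < rom_base + rom_size:
                run.append(val)
            elif run:
                break                               # first non-pointer ends the table
        hits.append((rom_base + pos, run))
        pos = dump.find(marker, pos + 1)
    return hits

def sd_write_candidate(dump, rom_base, rom_size=None, index=1):
    """Pointer at `index` (default: the second, as the post observed) after the
    first BOOTDISK marker, or None if the table is shorter than that."""
    hits = find_write_candidates(dump, rom_base, rom_size)
    if not hits or len(hits[0][1]) <= index:
        return None
    return hits[0][1][index]

if __name__ == "__main__":
    for addr, ptrs in find_write_candidates(SAMPLE_DUMP, SAMPLE_BASE, SAMPLE_ROM_SIZE):
        print(f"BOOTDISK at 0x{addr:08X}: " + ", ".join(f"0x{p:08X}" for p in ptrs))
    print(f"SD write candidate: 0x{sd_write_candidate(SAMPLE_DUMP, SAMPLE_BASE, SAMPLE_ROM_SIZE):08X}")
```

Run it on a real dump with its actual load address and size; the first listing in the post shows why the range check matters, since there the table is followed by a plain counter (0x568) rather than another pointer.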
Thanks for the information... I thought that cameras with 1.00a firmware have a slightly different hardware configuration (and that's why 1.00C-based CHDK doesn't work) and so may have different LED addresses.
wr=(f_w)*(unsigned int*)(j+4); /* original: read the function pointer stored one dword past j (the second entry of the table found after "BOOTDISK") */
wr=(f_w)*(unsigned int*)(0xFFC3E458); /* G11: read the table slot directly; off_FFC3E458 holds sub_FFCE4748, so wr becomes 0xFFCE4748 (dereferencing 0xFFCE4748 itself would read the function's first opcode, not its address) */