Thanks for the reply.
How did you figure out that 0xC0223024 is the lock status for A1100?
Searching for the string "diskboot" finds function FUN_ffc18798, which references strings like StartDiskBoot and DISKBOOT.BIN.
The caller of that function is FUN_ffc18754, which checks several return values and calls FUN_ffc18798 or not based on the results. Two of those checks are calls to FUN_ffc30bd0 with either 0 or 1, which accesses either c022301c or c0223024 based on the result. Testing confirms that *24 is the SD lock (IIRC the other is SD card present)
Another way you could find this, in platform/a1100/sub/100.c boot.c, you'll find
// "BL sub_FFC18754\n" // //start diskboot.bin, //StartDiskboot --> removed
commenting out the call to this function to avoid a boot loop in CHDK.
Note you should be able to use the same methods to find the equivalent in SX230.
My Ghidra is showing ?? on that address
It should, since that's an MMIO address whose value is unknown to Ghidra.
(I have lots of bookmarks with errors anyhow).
It's normal to have some error bookmarks, but if you followed
https://chdk.fandom.com/wiki/Firmware_analysis_with_Ghidra there shouldn't be too many. Note there are a lot of "analysis" bookmarks which aren't errors, you can use the gear icon on that window to show just errors and warnings.
I could not figure out how to use your QEMU option while using your branch to make the SD card lock.
The command line syntax is quite obscure, it's like
-M A1100,firmware=boot=0
...
case 0x3024:
msg = "A1100: SD card lock settting";
// https://chdk.setepontos.com/index.php?topic=14826.msg150122#msg150122
// echo $(printf "0x%X\n" $((0xC0223024 & 0xFFFF)))
ret = 0;
break;
...
Nice work, you're a coder now
One thing I observed is that when I press backspace (to correct a command for example) in the QEMU serial console, it gets stuck and I have to restart QEMU. Do you also have the same problem? I am not using Putty as I am on Linux directly.
Yes, I get that too. It's quite annoying, but not so annoying I spent much time looking for a solution, maybe some qemu serial setting can avoid it. The GUI serial port interface doesn't do that, but has a worse problem (
https://github.com/reticulatedpines/qemu-eos/issues/6)
So if we had to do it for srsa_4c's cam, how would the GDB script look like?
The b address is a breakpoint, that is, where you want execution to stop to make your change. Since you want to permanently (for the duration of the QEMU session) change "ROM" this could at the very start (ffc00000 on a1100).
The MEM part is the part you want to change. In srca_4c's post, the SD lock check is at FFC2ACAC. The value you want to set is 0, which happens to be the arm instruction andeq r0,r0
So a script could look like
b *0xFFC00000
commands
set MEM(0xFFC2ACAC) = 0x0
c
end
A1100 would be the same, except the mem address would be ffc18784. From a quick test, this seems to work, booting CHDK when the card is unlocked.
Note you can also change "ROM" in qemu code, see the various patch_* functions called from eos_init_common
Also a question regarding the boot process. In your A1100 machine, I was copying the firmware dump to the DISKBOOT.BIN file in a hope that the emulator will get stuck in a boot loop but it did not. What is preventing that?
I'm not sure what you mean? The firmware dump and diskboot.bin are entirely different things. If the camera tried to boot a firmware dump, it should crash immediately because it's not encoded with dancing bits, but even if it were, the firmware is compiled to run at ffc00000, not in RAM.
If it's just completely ignoring your diskboot, your probably haven't successfully made the SD image bootable, (or maybe failing because the file is too large?). Of course, without hacking FUN_ffc18754 it will also ignore it if it thinks the SD is unlocked.