How does that happen? With these?
NHSTUB(DisableNotificationPTP, 0xFFE4D6E4)
NHSTUB(EnableNotificationPTP, 0xFFE4D6F8)
Not here. DisableNotificationPTP() prohibits the "black camera screen" on USB transfer.
See usb_controller_magic camera variable:
if (get_usb_power()) usb_controller_magic=0; // when camera switched to record mode
if (get_usb_power()) usb_controller_magic=1; // when camera switched to playback mode
For the A570, the address of this variable is 0x53B20.
They are laid out similarly in a570 1.00e but could you educate me how to deduce those entry points from the disassembly?
In general, these functions can be found as follows (my example is for a570 1.01a; why not 1.00e is explained below):
- search in the "string window" for the function name:
ROM:FFD8E11C aEnablenotificationptp DCB "EnableNotificationPTP",0 ; DATA XREF: ROM:FFD8E0C8
Jump to reference (ROM:FFD8E0C8):
ROM:FFD8E0C8 DCD aEnablenotificationptp ; "EnableNotificationPTP"
ROM:FFD8E0CC DCD loc_FFD8DF8C
Here at FFD8E0C8 is a pointer to the function name, and at FFD8E0CC a pointer to the entry point. So, the address of EnableNotificationPTP is FFD8DF8C:
ROM:FFD8DF8C loc_FFD8DF8C ; DATA XREF: ROM:FFD8E0CCo
ROM:FFD8DF8C LDR R2, =0x53B28 ; "Canon A-Series Firmware"
ROM:FFD8DF90 MOV R3, #1 ; Rd = Op2
ROM:FFD8DF94 MOV R0, #0 ; Rd = Op2
ROM:FFD8DF98 STR R3, [R2] ; Store to Memory
ROM:FFD8DF9C MOV PC, LR ; Rd = Op2
But a very strange thing: in my dump of a570 1.00e I see:
ROM:FFD8E054 DCD aEnablenotificationptp ; "EnableNotificationPTP"
ROM:FFD8E058 DCD loc_FFD8DF18
and....
ROM:FFD8DF18 LDR R8, [SP,#0x18] ; Load from Memory
ROM:FFD8DF1C TST R1, R8 ; Set cond. codes on Op1 & Op2
ROM:FFD8DF20 BNE sub_FFD8DF44 ; Branch
ROM:FFD8DF24 B loc_FFD8DF2C ; Branch
Maybe the dump of A570 1.00E is broken. The dump from drop.io has the same error. Maybe the error was made during dump blinking.
Can you make a new dump of your camera (using the universal dumper or a modified dump_memory() function in core/main.c)?
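The lookup described in the post above (find the name string, find the table word that points at it, read the entry point from the following word), as an added example that is not part of the original thread. It assumes a little-endian 32-bit ARM dump with a known, word-aligned load address; `find_entry_points` and `build_sample` are hypothetical names, and the small image is constructed so that its addresses match the 1.01a listing.

```python
import struct

def find_entry_points(rom: bytes, base: int, name: str):
    """Return [(table_addr, entry_addr)] for every name/entry pair found."""
    needle = name.encode("ascii") + b"\0"
    results = []
    pos = rom.find(needle)
    while pos != -1:
        # Require a NUL (or image start) before the match so that a longer
        # string merely ending in `name` is not taken for the name itself.
        if pos == 0 or rom[pos - 1] == 0:
            ptr = struct.pack("<I", base + pos)  # address of the name string
            # Pointer tables are word aligned, so scan aligned offsets only.
            for off in range(0, len(rom) - 7, 4):
                if rom[off:off + 4] == ptr:
                    (entry,) = struct.unpack_from("<I", rom, off + 4)
                    # Keep only word-aligned targets inside the image; anything
                    # else is not a usable ARM entry point in this dump.
                    if base <= entry < base + len(rom) and entry % 4 == 0:
                        results.append((base + off, entry))
        pos = rom.find(needle, pos + 1)
    return results

def build_sample():
    """Constructed 0x300-byte image reproducing the 1.01a addresses above."""
    base = 0xFFD8DF00  # constructed load address for this tiny sample only
    rom = bytearray(0x300)

    def put(addr, data):
        rom[addr - base:addr - base + len(data)] = data

    put(0xFFD8E11C, b"EnableNotificationPTP\0")                   # name string
    put(0xFFD8E0C8, struct.pack("<II", 0xFFD8E11C, 0xFFD8DF8C))  # name ptr, entry ptr
    return bytes(rom), base

if __name__ == "__main__":
    rom, base = build_sample()
    for table, entry in find_entry_points(rom, base, "EnableNotificationPTP"):
        print(f"table word at {table:08X} -> entry point {entry:08X}")
```

The range and alignment check only rules out impossible pointers; whether the target really is the start of a function, as in the 1.00e case above, still has to be judged from the disassembly.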