Ok... I have a few questions..
As I said in my previous posts, the compiled diskboot causes a panic inside the last sub in boot.c, the one that contains "DataGhost's FAT32 autodetection code" and freezes the camera.
I have tried disabling that code completely and it still froze the camera.
Today, I've decided to remove the call to this modified sub and leave the original in place and I've found that in this case, everything goes fine and the whole branch of modified functions returns in a sub involved way up in the boot process, the one with string "uAC_Boot" : sub_FFC5E72C_my
The whole SDHC thing is shown here:
// Startup -> FFC1A4C0 -> sub_FFC1A090 -> -> sub_FFC5ED64 (@FFC1A444) -> sub_FFC5E72C (uAC_Boot)(@FFC5EE08) -> FFC5FEF0 (taskCreate_InitFileModules) (@FFC5E778)
// \-> sub_FFC5FBC4 (@FFC1A37C) -> sub_FFC5FB60 ->/
// -> StartFactoryModeController =>||
//
// taskCreate_InitFileModules -> FFC5FEA0 task_InitFileModules -> sub_FFC58A54 -> sub_FFC3D588 -> sub_FFC3D3C4 -> sub_FFC3D154
Here's this sub where it happens:
"STMFD SP!, {R4-R8,LR}\n"
"LDR R7, =0x8002\n"
"LDR R4, =0x5738\n"
"CMP R0, #2\n"
"MOV R6, R1\n"
"MOV R5, #1\n"
"BEQ loc_FFC5E7B8\n"
"BGT loc_FFC5E7A0\n"
"CMP R0, #0\n"
"BEQ loc_FFC5E7E4\n"
"CMP R0, #1\n"
"BNE loc_FFC5E87C\n"
"MOV R0, #8\n"
"BL sub_FFC5DCB4\n" // uCameraConState
"BL sub_FFC5FF2C\n" // taskcreate_CommonDrivers
"BL sub_FFC609F8\n" // uDispSwLock
"\n"
"\n"
"\n"
"\n"
"LDR R1, =0xFFC5E9DC\n" // aAcBootpb ; "AC:BootPB"
"MOV R0, #0x20\n"
"BL sub_FFC5556C\n" // qCameraLog
"BL sub_FFC5FEF0_my\n" // Continue to taskcreate_InitFileModules
"BL sub_FFC5FFFC\n"
"BL sub_FFC1A5B0\n"
"LDR R0, =0x4004\n"
"BL sub_FFC19BAC\n"
"LDR R0, [R4,#0x68]\n"
"CMP R0, #0\n"
"BNE loc_FFC5E85C\n"
"BL sub_FFC19D90\n" // taskcreate_StartupImage
"B loc_FFC5E860\n"
"loc_FFC5E7A0:\n"
"CMP R0, #6\n"
"STREQ R5, [R4,#0x28]\n"
"BEQ loc_FFC5E870\n"
"SUB R12, R0, #0x2000\n"
"SUBS R12, R12, #4\n"
"BNE loc_FFC5E87C\n"
"loc_FFC5E7B8:\n"
"SUB R12, R6, #0x1100\n"
"SUBS R12, R12, #0x62\n"
"BNE loc_FFC5E7D4\n"
"MOV R1, R7\n"
"MOV R0, #0\n"
"BL sub_FFC614F4\n"
"STR R5, [R4,#0x60]\n"
"loc_FFC5E7D4:\n"
"BL sub_FFC60B90\n"
"BL sub_FFC60E28\n"
"BL sub_FFC5E2D8\n"
"B loc_FFC5E874\n"
"loc_FFC5E7E4:\n"
"MOV R0, #7\n"
"BL sub_FFC5DCB4\n" // uCameraConState
"MOV R0, R7\n"
"BL sub_FFC19BAC\n"
"BL sub_FFC5FF2C\n" // taskcreate_CommonDrivers
"BL sub_FFC609F8\n" // uDispSwLock
"\n"
"\n"
"\n"
"LDR R1, =0xFFC5E9EC\n" // aAcBootrec ; "AC:BootRec"
"MOV R0, #0x20\n"
"STR R6, [R4,#0x18]\n"
"BL sub_FFC5556C\n" // qCameraLog
"LDR R1, =0xFFC5E9F8\n" // aAcInitlens ; "AC:InitLens"
"MOV R0, #0x20\n"
"BL sub_FFC5556C\n" // qCameraLog
"STR R5, [R4,#0x28]\n"
"BL sub_FFC19D20\n"
"BL sub_FFC19C74\n"
"LDR R0, [R4,#0x1C]\n"
"LDR R1, [R4,#0x20]\n"
"ORRS R0, R0, R1\n"
"BLNE sub_FFC5F1CC\n"
"LDR R0, [R4,#0x68]\n"
"CMP R0, #0\n"
"BNE loc_FFC5E848\n"
"BL sub_FFC19D90\n" // taskcreate_StartupImage
"B loc_FFC5E850\n"
"loc_FFC5E848:\n"
"BL sub_FFC14A98\n"
"BL sub_FFC1A5E8\n"
"loc_FFC5E850:\n"
"BL sub_FFC5FEF0_my\n" // Continue to taskcreate_InitFileModules
"BL sub_FFC5FF68\n"
"B loc_FFC5E874\n"
"loc_FFC5E85C:\n"
"BL sub_FFC14A98\n"
"loc_FFC5E860:\n"
"BL sub_FFC5FF98\n"
"LDR R0, [R4,#0x30]\n"
"CMP R0, #0\n"
"BEQ loc_FFC5E874\n"
"loc_FFC5E870:\n"
"BL sub_FFC5F214\n"
"loc_FFC5E874:\n"
"MOV R0, #0\n"
"LDMFD SP!, {R4-R8,PC}\n"
"loc_FFC5E87C:\n"
"MOV R0, #1\n"
"LDMFD SP!, {R4-R8,PC}\n"
);
}; //#fe
My guess is that everything goes OK at least until task_StartupImage as the Canon splash screen shows and then it goes right away to "Card Locked", "no images" and the blue led blinks once.
If I remember correctly, somewhere the code is supposed to do something in regard to diskboot.bin, so that when rebooted the camera ignores it and the card lock... does this happen in the last sub when the FAT32 code?
what puzzles me also is that there are very minimal differences between a720 and a580... in just a couple of subs there was some code missing or a nullsub in a580 and a regular sub in a720 but in these disk related subs they're identical so I can't figure why it doesn't work.
