Finding SleepTask() in a ROM dump - DryOS Development - CHDK Forum
« previous next »
Pages: [1]   Go Down

Finding SleepTask() in a ROM dump

  • 7 Replies
  • 5718 Views
*

Offline hudson

  • *
  • 43
Finding SleepTask() in a ROM dump
« on: 12 / May / 2009, 00:36:48 »
Advertisements
After a bunch of hacking, I can trampoline through the firmware update routine to get my camera to run my startup code and can create a new task after creating the DryOS initial task.  I haven't found SleepTask(), however, so unless my task exits it will consume all of the CPU.  finsig (using signatures_dryos.h) did not find it in the firmware dump.

What is the best way to try to locate the routine to yield the CPU?  I've located what appears to be the task list and found several routines that appears to grab the first item off of it and do a context switch, but none of them yield the CPU in my tests.
Logged
*

Offline reyalp

  • ******
  • 14134
Re: Finding SleepTask() in a ROM dump
« Reply #1 on: 12 / May / 2009, 02:09:17 »
In the P&S cams, you can easily find SleepTask from the PhySw task (search for "PhysSw" near a call to createtask. It's main loop is quite short, and includes a sleep(10).

No idea if this carries over to DSLRs.
Logged
Don't forget what the H stands for.
*

Offline hudson

  • *
  • 43
Re: Finding SleepTask() in a ROM dump
« Reply #2 on: 12 / May / 2009, 07:22:23 »
There doesn't appear to be a "PhySw" task in the firmware.  I see it in the SX110 DryOS dump, but not in the 5D.  The initial tasks that are created are "init" (which calls all of the setup routines) and "idle" (which does a tight busy loop).

I'll keep looking; perhaps I'm missing something obvious.
Logged
*

Offline reyalp

  • ******
  • 14134
Re: Finding SleepTask() in a ROM dump
« Reply #3 on: 14 / May / 2009, 00:41:22 »
On the 40D (which is vxworks) what looks like sleeptask (at  FFD44314 based on the string "SleepTask : call from interrupt handler")  appears to be called as the second to last instruction in a function (starting at FF812CB0) that refers to strings like "[HotPlug] USB Connect    ->->->-> O", "[Sw Detect] JUMP SW ON", "[Sw Detect] Detect Secret sw." (ooh secret switch ?).

The last instruction is branch back to near the start of the function, i.e. the main loop.

Maybe some of this code caries over the later DSLRs.

Note, when search for strings, use "search for sequence of bytes", not just searching the strings window. This will find strings that aren't correctly found by ida.
Logged
Don't forget what the H stands for.
*

Offline hudson

  • *
  • 43
Re: Finding SleepTask() in a ROM dump
« Reply #4 on: 14 / May / 2009, 11:49:26 »
The 40D "Secret sw" sounds interesting...  The 5D Mark 2 has a similar one: "[MC] Enter Secret mode !!!" at 0xff87923b.  I'm searching for strings with 'strings -t x ROM0.bin | grep -i ...', which isn't quite as easy as IDA.

I've found a "ps" like task as part of the drysh routine that detects which tasks are sleeping.  Perhaps this evening I'll be able to determine which field and value it is using to represent task state and then find the routine that sets it.

Do any of the DryOS cameras use timer interrupts for multitasking, or are all of them cooperative?  The reason I ask is that the idle task appears to do a tight loop rather than calls to any sort of sleep routine.  It does enable interrupts in the CPSR just before going into the loop, which makes me think that it will be interrupted by a timer.


Logged
*

Offline hudson

  • *
  • 43
Re: Finding SleepTask() in a ROM dump
« Reply #5 on: 14 / May / 2009, 22:40:35 »
I still haven't found SleepTask(), but I have a work-around.  I can call add_timer() repeatedly to reschedule my "task":
Code: (c) [Select]
void my_task( void * arg )
{
    add_timer( 1<<10, my_task, my_task, arg );
    /* .... */
}

/*... */
void init_task( void )
{
   firmware_init_task();
   my_task();
}Now to see if I can do file I/O in a timer call back!
Logged
*

Offline hudson

  • *
  • 43
File I/O from a timer callback
« Reply #6 on: 15 / May / 2009, 00:26:16 »
Quote from: hudson on 14 / May / 2009, 22:40:35
Now to see if I can do file I/O in a timer call back!

It doesn't seem to work.  I'm not sure why.
Code: (c) [Select]
void my_task( void * arg )
{
    add_timer( 1<<10, my_task, my_task, arg );
    static int count;
    if( count++ < 10 )
        return; // let the camera finish booting before trying file I/O
    int fd = open( "A:/test.log", O_CREAT | O_EXCL | O_WRONLY, 0644 );
    if( fd < 0 )
        while(1);
    /* ... */
}

/*... */
void init_task( void )
{
   firmware_init_task();
   my_task();
}

But... the call to open() always returns -1 so the routine isn't able to write any data to the CF card.  I'm not sure if it is due to running from a non-task context or something else.  I know the my_task() loop is running since I can have it go into a tight-loop after some number of calls, which causes the camera to lock up, or it can ignore the failure result from open() and the camera operates fine.

Might there be a function before file I/O can be done to the cards?
Logged
*

Offline hudson

  • *
  • 43
Re: Finding SleepTask() in a ROM dump
« Reply #7 on: 15 / May / 2009, 13:08:34 »
Quote from: hudson on 14 / May / 2009, 22:40:35
I still haven't found SleepTask()
Found it!  msleep() == 0xFF869C94.  And calls to FIO_CreateFIle() work!  No longer will I be limited to a single bit of data (camera locked up == success) per reboot; I can actually write out useful things.
Logged
Pages: [1]   Go Up
« previous next »
 

Related Topics


SimplePortal © 2008-2014, SimplePortal