#define MIN_ADDRESS 0xFF810000#define FW_SIZE 0x400000#define START_SECTOR 2048typedef int (*f_w)(int, int, int, int); // drive(?), start sector, number of sectors, address int main() { int i; unsigned long sa; f_w wr; for (i=0x1900;i<0xF0000;i+=4) if ((*(unsigned int*)(i+0x34)==0) && (*(unsigned int*)(i+0x38)==0) && (*(unsigned int*)(i+0x3C)==3) && (*(unsigned int*)(i+0x4C)>MIN_ADDRESS) && (*(unsigned int*)(i+0x50)>MIN_ADDRESS) ) { wr=(f_w)*(unsigned int*)(i+0x50); #if defined (DRYOS) // #warning DRYOS // jeff666: fill some memory with zeroes; "simulate" large diskboot // WARNING: the starting address is a guess for (i = 0x1c00; i<0x30000; i+=4) *(int*)i=0; #elif defined (VXWORKS) // #warning VXWORKS #else #error OS type must be defined #endif sa=(unsigned long)wr>0xFFC00000 ? 0xFFC00000 : 0xFF810000; wr(0, START_SECTOR, FW_SIZE/512, sa); } while(1); return 0;}
#define MIN_ADDRESS 0xFF810000#define FW_SIZE 0x400000#define START_SECTOR 2048/* define a function type that takes 4 int params & returns a pointer to int */typedef int (*f_w)(int, int, int, int); // drive(?), start sector, number of sectors, address int main() { int i; unsigned long sa; f_w wr; /* search for the function's adress in memory using it's signature */ for (i=0x1900;i<0xF0000;i+=4) if ((*(unsigned int*)(i+0x34)==0) && (*(unsigned int*)(i+0x38)==0) && (*(unsigned int*)(i+0x3C)==3) && (*(unsigned int*)(i+0x4C)>MIN_ADDRESS) && (*(unsigned int*)(i+0x50)>MIN_ADDRESS) ) { wr=(f_w)*(unsigned int*)(i+0x50); #if defined (DRYOS) // #warning DRYOS // jeff666: fill some memory with zeroes; "simulate" large diskboot // WARNING: the starting address is a guess for (i = 0x1c00; i<0x30000; i+=4) *(int*)i=0; #elif defined (VXWORKS) // #warning VXWORKS #else #error OS type must be defined #endif sa=(unsigned long)wr>0xFFC00000 ? 0xFFC00000 : 0xFF810000; /* call the function with 4 int params to dump the firmware */ wr(0, START_SECTOR, FW_SIZE/512, sa); } /* since we don't know what happens after, an infinite loop is safest */ while(1); return 0;}
for (i=0x1900;i<0xF0000;i+=4)
Ok, one more question: why is it searching in this address range? Code: `for (i=0x1900;i<0xF0000;i+=4)` Isn't the firmware way higher than that?
Hmm, interesting. So what else is stored there? Is there a pointer to every function, or just to some of them?