SD980 port - page 3 - DryOS Development - CHDK Forum

SD980 port


RaduP
Re: SD980 port
« Reply #20 on: 22 / September / 2009, 01:18:42 »
Ok, the firmware update works. I am not sure I can get that value in an easy way, maybe some other time I will blink the rest of the firmware, but I don't feel like doing it again now :)

RaduP
Re: SD980 port
« Reply #21 on: 23 / September / 2009, 04:57:54 »
Ok, I need some help now.
I finished porting everything until (including) task_Startup_my()
Now I am losing track of the program execution, where should I go next?

For example, the functions taskCreateHook and taskCreateHook2 look for some memory values and replace them with other values. How do I find the ones for my camera? And where do I find the values for the functions they call?
For example, init_file_modules_task()
There are many values in there that must be replaced, but where is the original function so that I can copy the values from there?
« Last Edit: 23 / September / 2009, 05:05:15 by RaduP »

reyalp
Re: SD980 port
« Reply #22 on: 23 / September / 2009, 05:23:48 »
Quote
Ok, I need some help now.
I finished porting everything until (including) task_Startup_my()
Now I am losing track of the program execution, where should I go next?
If you start spytask (which is added, not hijacked version of an existing task), you should get a CHDK ui. This will make debugging easier. Of course, you need the bitmap address in lib.c and some functions and variables in the stubs files for this to work.

I would work on getting spytask working first, and then work on PhySwTask (also called kbd) next.
Quote
For example, the function taskCreateHook and taskCreateHook2, they look for some memory values and replace them with other values. How do i find the ones for my camera? And where do I find the values for the functions they call?
For example, init_file_modules_task()
Look for the name of the corresponding task in the dump. You will find a call to CreateTask or KernelCreateTask which references the string and the address of the function.

As usual, you can use existing ports for reference: get the address of the task you are looking for from taskCreateHook, then search for references to that camera's address in the camera's dump.
Don't forget what the H stands for.

RaduP
Re: SD980 port
« Reply #23 on: 23 / September / 2009, 05:43:03 »
Ok, so are taskCreateHook and taskCreateHook2 sort of optional? Can I comment them out for now and still get to the GUI (after I find the frame buffer address and fix some of the broken functions in the stubs) ?

RaduP
Re: SD980 port
« Reply #24 on: 23 / September / 2009, 19:39:21 »
Ok, I got it to boot with the spytask, but it crashes a few seconds afterwards. That is not at all surprising, since a lot of functions, including malloc() are defined as 0xdeadc0de. I guess the frame buffer address is incorrect too, because I don't get any logo displayed.

The line:
Code:
"BL      sub_FF83334C\n"   // removed for correct power-on on 'on/off' button. had to be uncommented, it crashed if it was commented.

Ok, so now for some more newbie questions:
How exactly do I find the pointer for malloc and other useful functions? I could not find a stand alone string called malloc.
How do I find the magic frame buffer address?

RaduP
Re: SD980 port
« Reply #25 on: 23 / September / 2009, 21:00:25 »
BTW, core_spytask() is loaded and working fine, but crashes in conf_restore(), due to missing functions.

reyalp
Re: SD980 port
« Reply #26 on: 23 / September / 2009, 22:03:48 »
Quote
Ok, so are taskCreateHook and taskCreateHook2 sort of optional? Can I comment them out for now and still get to the GUI (after I find the frame buffer address and fix some of the broken functions in the stubs) ?
Yes, you should be able to run spytask without running any of the other tasks. If you want to interact with CHDK using buttons, you also need PhySW/kbd. The scripting stuff also runs in kbd. captseq is used for raw and overrides, movie is used for compression override and zoom unlock, jogdial is used to interface with the jogdial control, init_file_modules_task is used for partition swapping.

Quote
Ok, I got it to boot with the spytask, but it crashes a few seconds afterwards. That is not at all surprising, since a lot of functions, including malloc() are defined as 0xdeadc0de. I guess the frame buffer address is incorrect too, because I don't get any logo displayed.
I suspect that without malloc, you'll crash before the logo is displayed. Note that most of the required entry points should be found automatically and put in stubs_entry.S

Quote
How exactly do I find the pointer for malloc and other useful functions? I could not find a stand alone string called malloc.
How do I find the magic frame buffer address?
Like I keep saying: Refer to an existing port. This is an essential skill, you won't get far without it.

As an example, if you are looking for malloc
- find the address for malloc in a known working port. Look in stubs_entry_2.S first, and if it isn't there, look in stubs_entry.S
- In that camera's firmware dump, look for references to the address you found above.
- Look through references until you find something fairly unique/identifiable that is close to one of the references. A string, proximity to a call to another known function, etc.
- Now look in your camera's firmware dump for that identifiable feature. If you find a candidate for your function, compare the code of that function to the known function. You can also make sure that similar bits of code refer to it.

Many ports have comments that give you a hint as to how it was found, or something that made it identifiable. For example
Code:
NHSTUB(WriteSDCard,0xFF9210A4) // similar to SX10, search on BOOTDISK and SCRIPT
This means that
- I noticed the known function in SX10 was found near the strings BOOTDISK and SCRIPT
- I found the corresponding location on SD990 and when I compared the code, it was similar.
Don't forget what the H stands for.

RaduP
Re: SD980 port
« Reply #27 on: 24 / September / 2009, 00:33:32 »
Well, I think I kind of hit a dead end here, because for the life of me I can't find malloc. I did look at the SX10 dump and found it there (of course). I compared it with the signature finder signature, and it matched pretty well. I looked around the strings where I found malloc on the SX10 dump, but it's not there :/

RaduP
Re: SD980 port
« Reply #28 on: 24 / September / 2009, 00:53:11 »
Well, after following some long and winding paths, I MIGHT have found malloc at 0xFF818D50, but I am not sure. If someone more experienced can take a look at it in the SD980 dump and confirm it, I'd appreciate it.

reyalp
Re: SD980 port
« Reply #29 on: 24 / September / 2009, 01:04:07 »
FF8140DC IMO.

How? I know that a function called by fopen_fut uses malloc to allocate something that is filename + <some small number>. From IDA, I have FF834ED0 Fopen_Fut (but finsig will probably find this or a few likely candidates for you). Based on other ports, I know I'm probably looking for the 3rd call (sub_FF86A44C), and that it will call strlen before calling malloc and add something small to the value. The next call should be malloc, and immediately after that it should check if the malloc failed and error.

All of this checks out, suggesting malloc at sub_FF838924, but that's just a B to sub_FF8140DC. Looking at sub_FF8140DC I see that it is close to the string "mallocSem", and is called by functions similar to what calls malloc on other platforms (particularly sub_FF83892C which has an assert in memory.c).

0xFF818D50 is something completely different. It accepts at least 2 arguments, so it can't be malloc. It also is only referenced in a few places, while malloc is quite popular.
Don't forget what the H stands for.
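The cross-referencing method reyalp describes in replies #26 and #29 (find every caller of a known address, read the order of calls inside a function, look for a nearby identifying string), as an added illustration that is not CHDK's or either poster's code: a small Python script that decodes ARM BL instructions in a raw little-endian dump. BASE, DUMP and every address in it are constructed for the example; a real port would load the camera's firmware dump at its ROM base instead.

```python
import re, struct
# Constructed example, not a real camera dump: a 256-byte little-endian ARM image
# assumed to be loaded at BASE. Every address and function below is made up.
BASE = 0xFF810000
DUMP = bytearray(0x100)

def encode_bl(pc, target):
    """Build an unconditional ARM 'BL target' word as it sits at address pc."""
    offset = (target - (pc + 8)) >> 2            # PC reads as pc+8 in ARM mode
    return 0xEB000000 | (offset & 0x00FFFFFF)

def bl_target(word, pc):
    """Absolute target of an unconditional BL word located at pc, else None."""
    if (word & 0xFF000000) != 0xEB000000:
        return None
    imm = word & 0x00FFFFFF
    if imm & 0x00800000:                          # sign-extend the 24-bit field
        imm -= 0x01000000
    return (pc + 8 + (imm << 2)) & 0xFFFFFFFF

def callers_of(dump, base, target):
    """Addresses of every BL in the dump that lands on target (cross-references)."""
    return [base + off for off in range(0, len(dump) - 3, 4)
            if bl_target(struct.unpack_from("<I", dump, off)[0], base + off) == target]

def calls_in_order(dump, base, start, length):
    """Ordered BL targets inside the function at start ('look for the 3rd call')."""
    targets = (bl_target(struct.unpack_from("<I", dump, off)[0], base + off)
               for off in range(start - base, start - base + length, 4))
    return [t for t in targets if t is not None]

def strings_near(dump, base, addr, window=0x40, minlen=4):
    """Printable ASCII runs within +/- window bytes of addr (the 'nearby string' clue)."""
    lo, hi = max(0, addr - base - window), min(len(dump), addr - base + window)
    return [(base + lo + m.start(), m.group().decode("ascii"))
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % minlen, bytes(dump[lo:hi]))]

def put(addr, word):
    struct.pack_into("<I", DUMP, addr - BASE, word)

# Lay out the image: strlen, a malloc candidate beside "mallocSem", a helper that
# does strlen -> add -> malloc -> cmp (the fopen pattern), and one more malloc caller.
STRLEN, MALLOC, HELPER = BASE + 0x20, BASE + 0x40, BASE + 0x80
put(STRLEN, 0xE12FFF1E)                                  # bx lr
put(MALLOC, 0xE1A00000); put(MALLOC + 4, 0xE12FFF1E)     # mov r0,r0 ; bx lr
DUMP[0x50:0x5A] = b"mallocSem\0"
for i, w in enumerate([0xE1A00000, encode_bl(HELPER + 4, STRLEN), 0xE2800004,
                       encode_bl(HELPER + 12, MALLOC), 0xE3500000]):
    put(HELPER + 4 * i, w)        # mov ; bl strlen ; add r0,#4 ; bl malloc ; cmp r0,#0
put(BASE + 0xC0, encode_bl(BASE + 0xC0, MALLOC))
```

callers_of(DUMP, BASE, MALLOC) lists both call sites, calls_in_order(DUMP, BASE, HELPER, 0x20) shows the strlen-then-malloc order, and strings_near(DUMP, BASE, MALLOC) turns up "mallocSem" next to the candidate.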
