I'm looking for assistance on trying to hook into some functions. Is it only possible to hook into 'registered, named' tasks? Using the SX10 103A as my example, when looking at the currently hooked tasks (CaptSeqTask, ExpDrvTask, etc), they appear to get 'registered' at the subroutine at address FF827D10.
These are tasks, which are somewhere similar to a thread or process in a traditional OS. If you hook the beginning of the task, you modify it's entire behavior, but you might end up having to duplicate lots of the original code. Multiple tasks frequently use the same functions, so it's quite possible to replace the functionality in one task, yet have the old function used in other tasks.
As far as can tracer back, I can't get directly into one of the named tasks that I know I can hook. Is there a way that I can hook other functions such as this? Or am I limited to the realm of named tasks and wherever they can lead me?
Not entirely, but this is how CHDK currently accesses almost everything.
Other options:
Some functions are accessed from pointers, e.g. a filesystem driver will have the read and write functions stuffed into a structure, and access them by that structure later. Many of the function pointers are in the canon initialized data segment, which is copied from ROM to RAM in the very first loop of the firmware code. You should be able to find/replace these quite easily. Others are set up by code elsewhere. Of course, a function might be called both via a pointer and via directly by it's ROM address.
Some functions are accessed as event procedures: see
http://chdk.setepontos.com/index.php/topic,4417.0.htmlThe event procedure API allows you to have a hook run before every eventproc call. Part of ExecuteEventProcedure looks something like this (taking a610 sig_ref_vxworks_1 as an example, dryos does the same thing but is slightly less clear because the eventproc hook comes from a struct):
loc_FFC06864
LDR R3, =0x102BC ; parameter for event hook
LDR R1, [SP,#0x10] ; event proc name
LDR R0, [R3]
LDR R2, =0x1E1C ; event proc hook variable
MOV LR, PC
LDR PC, [R2] ; call hook
LDR R3, [SP]
MOV R0, R5
LDR R1, [R3]
MOV LR, PC
LDR PC, [R3,#4] ; call eventproc
...
There exists functions to set and remove this hooks, and at least one example which logs the event names.
Note that this doesn't allow you to modify the behavior of the event procs, but it should allow you to see which ones are called.
If you want to modify the behavior, you should be able to unregister an existing eventproc and register your own. Be warned however that just because a function is available as an eventproc doesn't mean it is always called as one. Many are normally called directly by address, and only called as eventprocs in the debug code.
One other idea I've had is abusing the ARM MPU. There are a couple of memory regions that are not used in the default configuration, so you could install your own exception handler, and protect the region of interest against reading. When the stock firmware tries to jump there, your exception handler gets invoked, and you set it up to return to your own modified code instead. Unfortunately, the minimum size you trap this way is 4k. So you'd probably have to copy/relocate the entire 4k block, and you'd only get 1 or 2 at the most (unless you move them around.)