@philmoz : I think we need a new thread for your tool. Or paste it on the end of the CHDK-PT thread ?
So, here's an interesting challenge: the address you posted for WriteSDCard versus the one I found. Different addresses, but identical code except for which two registers it uses - R5 vs R6 and R6 vs R7.
/*
 * Naked re-implementation stub of the ROM routine at 0xFFCFCBCC (the
 * WriteSDCard candidate discussed above). The body is a verbatim ARM
 * disassembly, so the compiler emits no prologue/epilogue of its own.
 *
 * Register/stack layout visible in the code:
 *  - R0-R11,LR are pushed and 0xC bytes of locals reserved, so the caller's
 *    R0 ends up at [SP,#0xC] and R1 at [SP,#0x10]; the caller's R2 is kept
 *    in R11 (MOV R11,R2 runs before any register is clobbered).
 *  - R9 = 0 and R5 = 2 are set but not read anywhere in this excerpt;
 *    presumably consumed by the tail that is missing below.
 *
 * Control flow:
 *  - If caller R0 != word at 0x5118+8: call sub_FFC06084(0x80),
 *    sub_FFCFC31C(R0), sub_FFC0602C(0x80); a zero result from
 *    sub_FFCFC31C takes the error exit, otherwise R0 is stored to 0x5118+8.
 *    NOTE(review): the 0x80 pair around sub_FFCFC31C looks like a
 *    take/release of some lock or semaphore - confirm in the firmware.
 *  - Then a 32-byte-per-entry table at 0x6CE80 is indexed by caller R0,
 *    and (caller R1 + caller R2) is compared with the entry's word at +0x14;
 *    larger takes the error exit. If the entry's word at +0x10 is 1 the
 *    code branches to sub_FFCFCC70; otherwise the sum is compared with
 *    0x800000, branching to loc_FFCFCC68 when not above it, else falling
 *    into the error exit.
 *    NOTE(review): this reads like a range check of (start + count) against
 *    a per-entry limit before the write proceeds - confirm against the full
 *    disassembly before relying on that interpretation.
 *  - Error exit (loc_FFCFCC5C): returns 1. ADD SP,#0x1C skips the 0xC of
 *    locals plus the saved R0-R3, then R4-R11 and PC are restored.
 *
 * NOTE(review): the excerpt is truncated - loc_FFCFCC68 and sub_FFCFCC70
 * are branch targets but are not defined in this asm block, so as pasted it
 * will not link; the rest of the routine (the "more than 400 words" path
 * mentioned in the edit below) still has to be added.
 */
void __attribute__((naked,noinline)) sub_FFCFCBCC_my( ) {
asm volatile (
// save R0-R11,LR; caller's R0..R2 become [SP,#0xC], [SP,#0x10], [SP,#0x14]
// once the 0xC-byte local area has been reserved
" STMFD SP!, {R0-R11,LR} \n"
" LDR R0, =0x5118 \n"
" SUB SP, SP, #0xC \n"
" MOV R11, R2 \n"
" LDR R2, [SP, #0xC] \n"
" LDR R0, [R0, #8] \n"
" MOV R9, #0 \n"
// caller R0 == cached value at 0x5118+8 -> skip the (re)select below
" CMP R2, R0 \n"
" MOV R5, #2 \n"
" BEQ loc_FFCFCC24 \n"
// sub_FFC06084(0x80) / sub_FFC0602C(0x80) bracket the sub_FFCFC31C call;
// presumably acquire/release - TODO confirm
" MOV R0, #0x80 \n"
" BL sub_FFC06084 \n"
" LDR R0, [SP, #0xC] \n"
" BL sub_FFCFC31C \n"
" MOV R4, R0 \n"
" MOV R0, #0x80 \n"
" BL sub_FFC0602C \n"
// sub_FFCFC31C returned 0 -> error exit; otherwise remember caller R0
" CMP R4, #0 \n"
" BEQ loc_FFCFCC5C \n"
" LDR R0, =0x5118 \n"
" LDR R2, [SP, #0xC] \n"
" STR R2, [R0, #8] \n"
"loc_FFCFCC24:\n"
// R10 = &table[caller R0], entries are 32 bytes (LSL #5)
" LDR R1, =0x6CE80 \n"
" LDR R2, [SP, #0xC] \n"
" LDR R6, [SP, #0x10] \n"
" ADD R10, R1, R2, LSL #5 \n"
// R0 = caller R1 + caller R2; above the entry's +0x14 word -> error exit
" LDR R1, [R10, #0x14] \n"
" ADD R0, R6, R11 \n"
" CMP R0, R1 \n"
" BHI loc_FFCFCC5C \n"
" LDR R1, [R10, #0x10] \n"
" CMP R1, #1 \n"
// R6 already holds [SP,#0x10] from above; the reload is as in the ROM
" LDREQ R6, [SP, #0x10] \n"
" BEQ sub_FFCFCC70 \n"
// sum > 0x800000 falls through into the error exit
" CMP R0, #0x800000 \n"
" BLS loc_FFCFCC68 \n"
"loc_FFCFCC5C:\n"
// return 1; 0x1C = 0xC locals + saved R0-R3
" MOV R0, #1 \n"
" ADD SP, SP, #0x1C \n"
" LDMFD SP!, {R4-R11,PC} \n"
);
}
/*
 * Naked re-implementation stub of the ROM routine at 0xFFCFC9E8 (the other
 * WriteSDCard address from this thread). Instruction for instruction it
 * matches sub_FFCFCBCC_my; the only differences are the label addresses and
 * the register choice: R6 where the other build uses R5, and R7 where it
 * uses R6. Because the body is raw assembly the compiler emits no
 * prologue/epilogue.
 *
 * Register/stack layout visible in the code:
 *  - R0-R11,LR are pushed and 0xC bytes of locals reserved, so the caller's
 *    R0 ends up at [SP,#0xC] and R1 at [SP,#0x10]; the caller's R2 is kept
 *    in R11.
 *  - R9 = 0 and R6 = 2 are set but not read in this excerpt; presumably
 *    consumed by the missing tail.
 *
 * Control flow:
 *  - If caller R0 != word at 0x5118+8: call sub_FFC06084(0x80),
 *    sub_FFCFC31C(R0), sub_FFC0602C(0x80); a zero result from
 *    sub_FFCFC31C takes the error exit, otherwise R0 is stored to 0x5118+8.
 *    NOTE(review): the 0x80 pair looks like acquire/release of a lock -
 *    confirm in the firmware.
 *  - Then a 32-byte-per-entry table at 0x6CE80 is indexed by caller R0 and
 *    (caller R1 + caller R2) is compared with the entry's word at +0x14;
 *    larger takes the error exit. Entry word +0x10 == 1 branches to
 *    sub_FFCFCA8C; otherwise a sum not above 0x800000 branches to
 *    loc_FFCFCA84 and anything larger falls into the error exit.
 *    NOTE(review): reads like a (start + count) range check before the
 *    write - confirm against the full disassembly.
 *  - Error exit (loc_FFCFCA78): returns 1, dropping 0xC locals + saved R0-R3
 *    before restoring R4-R11 and PC.
 *
 * NOTE(review): loc_FFCFCA84 and sub_FFCFCA8C are branch targets that are
 * not defined in this asm block, so the excerpt as pasted will not link;
 * the remainder of the routine is still to be filled in.
 */
void __attribute__((naked,noinline)) sub_FFCFC9E8_my( ) {
asm volatile (
// save R0-R11,LR; caller's R0..R2 become [SP,#0xC], [SP,#0x10], [SP,#0x14]
// after the 0xC-byte local area is reserved
" STMFD SP!, {R0-R11,LR} \n"
" LDR R0, =0x5118 \n"
" SUB SP, SP, #0xC \n"
" MOV R11, R2 \n"
" LDR R2, [SP, #0xC] \n"
" LDR R0, [R0, #8] \n"
" MOV R9, #0 \n"
// caller R0 == cached value at 0x5118+8 -> skip the (re)select below
" CMP R2, R0 \n"
" MOV R6, #2 \n"
" BEQ loc_FFCFCA40 \n"
// sub_FFC06084(0x80) / sub_FFC0602C(0x80) bracket the sub_FFCFC31C call;
// presumably acquire/release - TODO confirm
" MOV R0, #0x80 \n"
" BL sub_FFC06084 \n"
" LDR R0, [SP, #0xC] \n"
" BL sub_FFCFC31C \n"
" MOV R4, R0 \n"
" MOV R0, #0x80 \n"
" BL sub_FFC0602C \n"
// sub_FFCFC31C returned 0 -> error exit; otherwise remember caller R0
" CMP R4, #0 \n"
" BEQ loc_FFCFCA78 \n"
" LDR R0, =0x5118 \n"
" LDR R2, [SP, #0xC] \n"
" STR R2, [R0, #8] \n"
"loc_FFCFCA40:\n"
// R10 = &table[caller R0], entries are 32 bytes (LSL #5)
" LDR R1, =0x6CE80 \n"
" LDR R2, [SP, #0xC] \n"
" LDR R7, [SP, #0x10] \n"
" ADD R10, R1, R2, LSL #5 \n"
// R0 = caller R1 + caller R2; above the entry's +0x14 word -> error exit
" LDR R1, [R10, #0x14] \n"
" ADD R0, R7, R11 \n"
" CMP R0, R1 \n"
" BHI loc_FFCFCA78 \n"
" LDR R1, [R10, #0x10] \n"
" CMP R1, #1 \n"
// R7 already holds [SP,#0x10] from above; the reload is as in the ROM
" LDREQ R7, [SP, #0x10] \n"
" BEQ sub_FFCFCA8C \n"
// sum > 0x800000 falls through into the error exit
" CMP R0, #0x800000 \n"
" BLS loc_FFCFCA84 \n"
"loc_FFCFCA78:\n"
// return 1; 0x1C = 0xC locals + saved R0-R3
" MOV R0, #1 \n"
" ADD SP, SP, #0x1C \n"
" LDMFD SP!, {R4-R11,PC} \n"
);
}
EDIT : Never mind - it gets more interesting if you blow the routines out for more than 400 words.