So, here's an interesting challenge. The address you posted for WriteSDCard versus the one I found. Different addresses - identical code except for how it uses two registers - R5 vs R6 and R6 vs R7.
WriteSDCard is tricky - there are two functions that are very similar. One is for reading the SD, the other is for writing the SD.
The method I'm using to find WriteSDCard is:
- find the string "Mounter.c" in the firmware. This should be followed by five pointers to functions.

    aMounter_c      DCB "Mounter.c",0,0,0   ; DATA XREF: _sub_FFC506CC__Mounter.c__0+3C
                                            ; _sub_FFC507DC__Mounter.c__0+15C
    off_FFC50960    DCD sub_FFCFC938        ; DATA XREF: _sub_FFC506CC__Mounter.c__0+54
    off_FFC50964    DCD sub_FFCFCB1C        ; DATA XREF: _sub_FFC506CC__Mounter.c__0+60
    off_FFC50968    DCD sub_FFCFC888        ; DATA XREF: _sub_FFC506CC__Mounter.c__0+6C
    off_FFC5096C    DCD sub_FFCFCEC8        ; DATA XREF: _sub_FFC506CC__Mounter.c__0+7C
    off_FFC50970    DCD sub_FFCFCF38        ; DATA XREF: _sub_FFC506CC__Mounter.c__0+84

- look at the code that is using these function pointers (in IDA you can double click the DATA XREF name). They will all be used in the same function:

    _sub_FFC506CC__Mounter.c__0
        STMFD   SP!, {R4-R6,LR}
        MOV     R6, R0
        LDR     R0, =0x32350
        .....
        LDR     R1, =sub_FFCFC938
        STR     R0, [R4,#0x3C]
        STR     R1, [R4,#0x50]
        LDR     R1, =sub_FFCFCB1C       <<-------- WriteSDCard
        MOV     R0, #0
        STR     R1, [R4,#0x54]          <<-------- saved to [R4 + 0x54]
        LDR     R1, =sub_FFCFC888
        STR     R0, [R4,#0x38]
        STR     R1, [R4,#0x58]
        STR     R0, [R4,#0x5C]
        LDR     R0, =sub_FFCFCEC8
        STR     R0, [R4,#0x60]
        LDR     R0, =sub_FFCFCF38
        STR     R0, [R4,#0x64]
        LDMFD   SP!, {R4-R6,PC}

Each of the five function addresses is loaded into R1 or R0 and then stored into the memory block pointed to by R4, each with a different offset.
The address stored into [R4,#0x54] is WriteSDCard.
FYI - the address stored into [R4,#0x50] is ReadSDCard (which we don't use).
I discovered this by examining UpdateMBROnFlash which uses these stored addresses to read a block from the SD card then write it back.
Phil.
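
The first step of the search described in the post above, automated as an added example (not part of the original post and not the project's own tooling): it scans a raw firmware dump for the "Mounter.c" string and reads the five pointers that follow it. The function names, the 0xFFC00000 load address, little-endian byte order and ARM-mode (4-byte aligned) functions are assumptions; the sample image is constructed from the addresses in the listing above.

```python
import struct

NEEDLE = b"Mounter.c\x00"

def find_mounter_tables(image: bytes, base: int, count: int = 5):
    """Find each "Mounter.c" string that is followed by `count` plausible
    code pointers. Returns [(table_address, (ptr0, ptr1, ...)), ...]."""
    end = base + len(image)
    hits = []
    pos = image.find(NEEDLE)
    while pos != -1:
        # The table is word aligned: skip the string and its NUL padding.
        tbl = (pos + len(NEEDLE) + 3) & ~3
        if tbl + 4 * count <= len(image):
            ptrs = struct.unpack_from("<%dI" % count, image, tbl)
            # Assumption: ARM-mode functions inside this ROM image, so every
            # pointer is 4-byte aligned and lies in [base, end).
            if all(base <= p < end and p % 4 == 0 for p in ptrs):
                hits.append((base + tbl, ptrs))
        pos = image.find(NEEDLE, pos + 1)
    return hits

def write_sd_card_candidates(image: bytes, base: int):
    """Second table entry: the one the post sees stored to [R4,#0x54]."""
    return [ptrs[1] for _, ptrs in find_mounter_tables(image, base)]

def build_sample():
    """Constructed 1 MiB image laid out like the listing in the post."""
    base = 0xFFC00000  # assumed load address
    img = bytearray(0x100000)
    table = (0xFFCFC938, 0xFFCFCB1C, 0xFFCFC888, 0xFFCFCEC8, 0xFFCFCF38)
    img[0x50954:0x50960] = b"Mounter.c\x00\x00\x00"
    struct.pack_into("<5I", img, 0x50960, *table)
    # Decoy: same string followed by text, not pointers; must be rejected.
    img[0x2000:0x2020] = b"Mounter.c\x00\x00\x00" + b"assert failed: line\x00"
    return bytes(img), base

if __name__ == "__main__":
    image, base = build_sample()
    for addr, ptrs in find_mounter_tables(image, base):
        print("table at 0x%08X:" % addr, ", ".join("0x%08X" % p for p in ptrs))
    print("WriteSDCard candidate(s):",
          [hex(p) for p in write_sd_card_candidates(image, base)])
```

The result is only a candidate: the store to [R4,#0x54] in the function that references the table still has to be checked by hand, as the post describes.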