
Using eventprocs as hooks

reyalp
    Using eventprocs as hooks
    « on: 26 / September / 2010, 01:18:18 »
    A while back, I noticed a number of the PT_* eventprocs just point at a
    Code:
    MOV     R0, #0
    BX      LR
    It turns out that some of these are called by the camera at various points in execution. On D10, sub_FF85E9A0 checks a variable, and if set, calls ExecuteEventProcedure with a lookup into the first 12 PT_* functions.

    The variable is set by SS.Create, which also registers the functions.

    Theory: we call SS.Create, register our own function to replace the original that is just a return zero, we have a hook without copying a bunch of code.

    Practice:
    Code:
    // Replacement hooks: same contract as the Canon stubs (no arguments, return 0).
    int my_PT_CompletePreCapt() {
        _LogPrintf(0x120, "my_PT_CompletePreCapt");
        return 0;
    }

    int my_PT_ShootPicture() {
        _LogPrintf(0x120, "my_PT_ShootPicture");
        return 0;
    }

    // Returns -1 if any eventproc call fails (ExecuteEventProcedure returns -1
    // when the named procedure is not registered).
    int register_pt_hooks() {
        // SS.Create registers the PT_* stubs and sets the variable that the
        // dispatcher (sub_FF85E9A0 on D10) checks before calling the hooks.
        if (_ExecuteEventProcedure("System.Create") == -1) {
            return -1;
        }
        if (_ExecuteEventProcedure("SS.Create") == -1) {
            return -1;
        }
        // Re-export the stub names so they point at our functions instead.
        if (_ExecuteEventProcedure("ExportToEventProcedure", "PT_CompletePreCapt", my_PT_CompletePreCapt) == -1) {
            return -1;
        }
        if (_ExecuteEventProcedure("ExportToEventProcedure", "PT_ShootPicture", my_PT_ShootPicture) == -1) {
            return -1;
        }
        return 0;
    }
    log:
    Code:
    00011670: PT_CompletePreCapt
    00011670: SS:my_PT_CompletePreCapt
    ...
    00011690: UI:MuteOnPhysicalScreen
    00011690: SS:Shoot
    00011690: PT_ShootPicture
    00011690: SS:my_PT_ShootPicture
    :D

    Canon "hook" event procs:
    "PT_CompletePreCapt"
    "PT_RecreviewAvailable"
    "PT_NextShootAvailable"
    "PT_CompleteStopZoom"
    "PT_CompleteStopDigZoom"
    "PT_CompleteStoreLens"
    "PT_MovieRecordStopped"
    "PT_CompleteCaptModeChange"
    "PT_CompleteSynchroWrite"
    "PT_CompleteCharge"
    "PT_CompleteFileWrite"
    "PT_ShootPicture"

    edit:
    This system also exists in vxworks. The list of functions is slightly different on a540, but it looks very similar.

    edit #2:
    Moving shooting_expo_param_override to my_PT_CompletePreCapt does Tv override correctly on d10, for non-quickpress.
    « Last Edit: 26 / September / 2010, 16:53:08 by reyalp »
    Don't forget what the H stands for.

    Re: Using eventprocs as hooks
    « Reply #1 on: 26 / September / 2010, 06:57:06 »
    Interesting stuff !

    What do you think 'PT' stands for ?

    While you are looking at this stuff, do you know if the movie-capture task can be paused anywhere without causing a crash ?

    (I can start a new thread about this).

    If not, is there anywhere an led can be very briefly flashed at the instant each frame is captured ?

    The idea is to try to synchronise stereo movie recording in the same way we can synchronise image capture.

    I did play with this some time ago but the camera always crashed.

    EWAVR claimed the movie recording task could be paused but never provided details when asked.

    dvip
    Re: Using eventprocs as hooks
    « Reply #2 on: 26 / September / 2010, 11:20:21 »
    This is very interesting but it's still a mystery for many.
    It would be nice to have some Lua examples on how to call/use some of these EventProcedure.
    It is nice to know they are there and thanks for bringing them up!

    fudgey (a570is)
    Re: Using eventprocs as hooks
    « Reply #3 on: 26 / September / 2010, 14:39:20 »
    This is quite a bit more elegant than cut & pasted disassembly :D For capt_seq, we still need all the asm for the raw hook, though? This makes me wonder if there are more such vacant eventprocs for testing or debug? Maybe some that aren't even empty like these PT* functions but contain things like console logging that doesn't really need to be done by a replacement...

    Did we previously have a way to tell when the fw has finished charging the flash (assuming that's when PT_CompleteCharge gets called)?


    For a570, the list of empty PT_* eventprocs is
    PT_CompletePreCapt
    PT_RecreviewAvailable
    PT_NextShootAvailable
    PT_CompleteStopZoom
    PT_CompleteStopDigZoom
    PT_CompleteStoreLens
    PT_CompletePrepareLens
    PT_MovieRecordStopped
    PT_CompleteCaptModeChange
    PT_CompleteSynchroWrite
    PT_CompleteCharge
    edit: these are empty as well:
    PT_BatLvChange_PreWeak
    PT_BatLvChange_Weak
    PT_BatLvChange_Low
    PT_BatLvChange_SysLow


    Microfunguy:
    PT==ProductionTest?

    dvip:
    For Lua examples on event procedure calls, search the forum for "call_event_proc" (optionally by user reyalp) or see
    http://chdk.setepontos.com/index.php/topic,5295.msg54097.html#msg54097
    (actually, the first version is a better example for eventproc stuff since it also had an eventproc call with a pointer argument that needs a malloc: http://chdk.setepontos.com/index.php/topic,5295.msg54076.html#msg54076). Note that to experiment with eventprocs you typically need to study the disassembly first to find out what, if anything, it expects as arguments and to figure out how to get it registered if it isn't registered by default.

    « Last Edit: 26 / September / 2010, 15:12:34 by fudgey »


    reyalp
    Re: Using eventprocs as hooks
    « Reply #4 on: 26 / September / 2010, 16:26:57 »
    Quote
    What do you think 'PT' stands for ?
    I'd say Product Test, since a540 has a function "RegisterProductTestEvent"

    Quote
    While you are looking at this stuff, do you know if the movie-capture task can be paused anywhere without causing a crash ?

    (I can start a new thread about this).
    Probably better in a new thread (or the previous one we talked about this in). I don't know myself.

    Quote
    If not, is there anywhere an led can be very briefly flashed at the instant each frame is captured ?
    This seems like it ought to be possible, but again, I don't know anything specific.

    Quote
    For capt_seq, we still need all the asm for the raw hook, though?
    Yes, unfortunately it seems so.
    Quote
    This makes me wonder if there are more such vacant eventprocs for testing or debug?
    Worth looking for. One way to do this is to work backwards from calls to ExecuteEventProcedure. The thing you need to do is find ones that are called automatically in operation. I believe a lot of the eventprocs just exist to be called from cbasic or development or service code. In many cases the normal camera code calls the C function directly instead of going through the event proc interface. So replacing Fopen_Fut doesn't let you hook everywhere the camera opens a file.
    Quote
    Maybe some that aren't even empty like these PT* functions but contain things like console logging that doesn't really need to be done by a replacement...
    Another approach would be to figure out how to find the address of a currently registered eventproc, then you could truly 'hook' it instead of replacing it. I haven't seen an obvious way to do this, but event procs seem to be handled by something called "nameservice". It should be possible to get the proper lookup code from ExecuteEventProcedure, but it looks like it would have to be found manually or done with sigs.

    There is also CreateProxyOfEventProcedure and DeleteProxyOfEventProcedure which sound interesting but I don't understand what they do.
    Quote
    edit: these are empty as well:
    PT_BatLvChange_PreWeak
    PT_BatLvChange_Weak
    PT_BatLvChange_Low
    PT_BatLvChange_SysLow
    Are they called by the camera in normal operation ? From a quick look on a540, it appears they would be called from PT_BatTestTask.

    To find ones that can be used in hooks, you need to find ones that are called automatically. In a570, the function that "dispatches" the PT_ hooks is sub_FFEB5A60, and it only looks at the first 10. Looking for similar functions might be productive.

    There is another interesting set of event procs that look like they might do something like this. On a570 100e, sub_FFC04BE0 loads an event proc name from 0xD970 and executes it. There are a bunch of similar ones that use offsets from this address. These functions (sub_FFC04BE0 etc) are themselves in a table that gets copied to camera RAM, starting at FFF2D72C. On a540, the contents of the corresponding address (0xD310) seems to be null by default.

    Edit: these are somehow used by CreateProxyOfEventProcedure and DeleteProxyOfEventProcedure

    One thing that should help hunting these is that whenever an eventproc is called, the name is sent to the camera log. Of course, there may be other pre-conditions that need to be present before they are called at all (like the variable set by SS.Create in D10)

    edit:
    Two more likely candidates on d10, not on older cameras like a570
    UIFS_ChangeShootState called by sub_FF9317E4
    UIFS_ShootSeqToUI called by sub_FF931808. This one looks interesting, it is called from PostEventShootSeqToUI. Calls to this go into the camera log as "ShootSeqToUI:0x%04x:adr:%p,Para:%ld"
    « Last Edit: 27 / September / 2010, 01:28:39 by reyalp »
    Don't forget what the H stands for.
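Added example, not code from the original post, CHDK or Canon: a host-side C model of the mechanism reyalp describes in the first post (SS.Create sets a variable and registers the PT_* stubs, the dispatcher checks that variable and indexes the first 12 names, and ExportToEventProcedure on an already registered name replaces its function), plus the chaining "truly hook" variant reyalp wants in this reply, which needs a lookup of the currently registered function before replacing it. The registry (ns_register/ns_lookup), ss_create(), call_PT_hook(), execute_eventproc() and the call counters are assumptions of the model, not Canon symbols; the 12 names in table order, the stub returning 0, and -1 for an unregistered name come from the thread.

```c
/* Added example, not Canon firmware or CHDK code. ns_register/ns_lookup,
 * ss_create(), call_PT_hook(), execute_eventproc() and the counters are
 * assumptions made for this model; the PT_* names, the stub returning 0 and
 * the -1 for an unregistered name are taken from the forum thread. */
#include <stdio.h>
#include <string.h>

typedef int (*eventproc_fn)(void);

#define MAX_PROCS     32
#define PT_HOOK_COUNT 12   /* D10: dispatcher only looks at the first 12 names */

struct eventproc { const char *name; eventproc_fn fn; };
static struct eventproc registry[MAX_PROCS];
static int registry_len;

/* The variable the thread says SS.Create sets on D10; the dispatcher checks it. */
static int ss_create_done;

/* Nameservice model: one function per name. Registering a name that already
 * exists replaces its function, which is the property the hook trick relies on. */
static int ns_register(const char *name, eventproc_fn fn) {
    for (int i = 0; i < registry_len; i++) {
        if (strcmp(registry[i].name, name) == 0) { registry[i].fn = fn; return 0; }
    }
    if (registry_len == MAX_PROCS) return -1;
    registry[registry_len].name = name;
    registry[registry_len].fn = fn;
    registry_len++;
    return 0;
}

/* Lookup by name: the step reply #4 says is not yet available on the camera,
 * and the one a chaining hook needs. */
static eventproc_fn ns_lookup(const char *name) {
    for (int i = 0; i < registry_len; i++)
        if (strcmp(registry[i].name, name) == 0) return registry[i].fn;
    return NULL;
}

/* ExecuteEventProcedure model: -1 when the name is not registered. */
static int execute_eventproc(const char *name) {
    eventproc_fn fn = ns_lookup(name);
    return fn ? fn() : -1;
}

/* The first 12 PT_* names, in the order listed in the original post. */
static const char *const pt_hook_names[PT_HOOK_COUNT] = {
    "PT_CompletePreCapt", "PT_RecreviewAvailable", "PT_NextShootAvailable",
    "PT_CompleteStopZoom", "PT_CompleteStopDigZoom", "PT_CompleteStoreLens",
    "PT_MovieRecordStopped", "PT_CompleteCaptModeChange",
    "PT_CompleteSynchroWrite", "PT_CompleteCharge", "PT_CompleteFileWrite",
    "PT_ShootPicture",
};

/* The Canon stub: MOV R0,#0 ; BX LR */
static int canon_pt_stub(void) { return 0; }

/* SS.Create model: registers the stubs, then sets the dispatch flag. */
static int ss_create(void) {
    for (int i = 0; i < PT_HOOK_COUNT; i++)
        if (ns_register(pt_hook_names[i], canon_pt_stub) != 0) return -1;
    ss_create_done = 1;
    return 0;
}

/* Dispatcher model (sub_FF85E9A0 on D10): gated by the flag, bounded by the
 * table, then dispatched by name through the registry. */
static int call_PT_hook(int num) {
    if (!ss_create_done) return -1;
    if (num < 0 || num >= PT_HOOK_COUNT) return -1;
    return execute_eventproc(pt_hook_names[num]);
}

/* Replacement hook as in the original post: same contract as the stub. */
static int precapt_calls;
static int my_PT_CompletePreCapt(void) { precapt_calls++; return 0; }

/* Chaining hook: keep whatever was registered before and call through to it,
 * so the original behaviour survives instead of being replaced. */
static eventproc_fn orig_PT_ShootPicture;
static int shoot_calls;
static int my_PT_ShootPicture(void) {
    shoot_calls++;
    return orig_PT_ShootPicture ? orig_PT_ShootPicture() : 0;
}

/* Same sequence as register_pt_hooks() in the original post. */
int register_pt_hooks_model(void) {
    if (ss_create() == -1) return -1;
    if (ns_register("PT_CompletePreCapt", my_PT_CompletePreCapt) == -1) return -1;
    orig_PT_ShootPicture = ns_lookup("PT_ShootPicture");   /* capture before replacing */
    if (ns_register("PT_ShootPicture", my_PT_ShootPicture) == -1) return -1;
    return 0;
}

int main(void) {
    printf("before SS.Create: call_PT_hook(0) = %d\n", call_PT_hook(0));
    register_pt_hooks_model();
    for (int i = 0; i < PT_HOOK_COUNT; i++) call_PT_hook(i);
    printf("PreCapt calls = %d, ShootPicture calls = %d\n", precapt_calls, shoot_calls);
    return 0;
}
```

The model makes two caveats from the thread explicit: a hook registered before SS.Create has run is never dispatched because the flag is not set (and on the real camera SS.Create would re-register the stub over it), and only names inside the dispatcher's table are reachable, so registering an arbitrary PT_* name buys nothing. The chaining half depends on ns_lookup, which is exactly the piece that has not been found in the firmware yet; until it is, only the replace half is possible on the camera.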

    reyalp
    Re: Using eventprocs as hooks
    « Reply #5 on: 26 / September / 2010, 16:57:43 »
    Quote
    This is very interesting but it's still a mystery for many.
    It would be nice to have some Lua examples on how to call/use some of these EventProcedure.
    It is nice to know they are there and thanks for bringing them up!
    This isn't something you can use from lua. Instead, it lets us make C code that is automatically called from canon firmware (without copying all the asm up to where they need to be called). The lua system would need quite a bit of hacking to allow us to implement these hooks in lua.

    I wonder if a cbasic sub will be called ?
    Don't forget what the H stands for.

    dvip
    Re: Using eventprocs as hooks
    « Reply #6 on: 27 / September / 2010, 10:38:01 »
    Thanks for the clarification reyalp.

    I was ready to call _ExecuteEventProcedure("ExportToEventProcedure","PT_ShootPicture",my_PT_ShootPicture)

    and use pointers from Lua :)
     

    fudgey (a570is)
    Re: Using eventprocs as hooks
    « Reply #7 on: 27 / September / 2010, 15:53:09 »
    Quote
    Two more likely candidates on d10, not on older cameras like a570
    UIFS_ChangeShootState called by sub_FF9317E4
    UIFS_ShootSeqToUI called by sub_FF931808. This one looks interesting, it is called from PostEventShootSeqToUI. Calls to this go into the camera log as "ShootSeqToUI:0x%04x:adr:%p,Para:%ld"
    Things like
    00040800: ShootState:0x4
    00040870: ShootSeqToUI:0x2001:adr:0xffd5db18,Para:-2761960
    do get written to a570 romlog a lot, though...


    reyalp
    Re: Using eventprocs as hooks
    « Reply #8 on: 13 / October / 2012, 23:43:56 »
    Some further investigation. On A540, the function that calls these is sub_FFD4F7F0, (which I've named call_PT_hook)

    There are 10 hooks available on A540, as seen by the check in this function. Prior to calling call_PT_hook, the Canon firmware frequently calls sub_FFD41024, which in turn calls PostEventShootSeqToUI. The event numbers are noted below.

    Num  Name                        Called at      Event
    0    PT_CompletePreCapt          FFD421D0       0x2006
    1    PT_RecreviewAvailable       FFD4223C       0x2008
    2    PT_NextShootAvailable       FFD42220       0x2007
    3    PT_CompleteStopZoom         FFD41728       0x200b, 0x200d*, 0x200c*
    4    PT_CompleteStopDigZoom      FFD41880       0x200e, 0x2010*, 0x200f*
    5    PT_CompleteStoreLens        FFD414A8       0x2004
    6    PT_CompletePrepareLens      ?              -
    7    PT_MovieRecordStopped       FFD424E0       0x200a
    8    PT_CompleteCaptModeChange   FFD41A3C **    -
    9    PT_CompleteSynchroWrite     ?              -
    10   PT_CompleteCharge           FFD41058       0x2001
    * called conditionally
    ** immediately followed by ref to log string "SS:CompleteCaptureModeChange"
    « Last Edit: 14 / October / 2012, 00:11:50 by reyalp »
    Don't forget what the H stands for.

    reyalp
    Re: Using eventprocs as hooks
    « Reply #9 on: 14 / October / 2012, 00:11:33 »
    D10
    call_PT_hook = sub_FF85E9A0, total hooks = 11, event func sub_FF826754
    Note that unlike a540, PT_CompletePrepareLens is not present, while PT_CompleteFileWrite and PT_ShootPicture are added. Where defined, the event numbers seem to match.
    Num  Name                        Called at      Event
    0    PT_CompletePreCapt          FF8249D0       0x2006
    1    PT_RecreviewAvailable       FF824A10       0x2008
    2    PT_NextShootAvailable       FF8249F4       0x2007
    3    PT_CompleteStopZoom         FF8248A4       0x200b, 0x200d*, 0x200c*
    4    PT_CompleteStopDigZoom      FF824914       0x200e, 0x2010*, 0x200f*
    5    PT_CompleteStoreLens        FF824834       0x2004
    6    PT_MovieRecordStopped       FF824AB0       0x200a
    7    PT_CompleteCaptModeChange   FF8252F4 **    -
    8    PT_CompleteSynchroWrite     ?              -
    9    PT_CompleteCharge           FF824794       0x2001
    10   PT_CompleteFileWrite        FF90D488       -
    11   PT_ShootPicture             FF825EDC ***   -
    * called conditionally
    ** immediately followed by log string "ModChg*"
    *** preceded by log string "Shoot"

    edit:
    As noted earlier
    Quote
    UIFS_ShootSeqToUI called by sub_FF931808. This one looks interesting, it is called from PostEventShootSeqToUI. Calls to this go into the camera log as "ShootSeqToUI:0x%04x:adr:%p,Para:%ld"
    This looks like it can be used to hook all events posted with PostEventShootSeqToUI. It is registered by  UI_Create which also sets a flag at 0x6208 to 1, which allows the hook to be called.  The same function registers all named levents as eventprocs, which probably consumes a significant amount of memory.
    « Last Edit: 14 / October / 2012, 00:34:40 by reyalp »
    Don't forget what the H stands for.
