For encoding at different framerates, I think I may be onto something:
at 0xFF0EC270 in the 500d.111 firmware is the function "LVCDEV_H264EncodeStart". There is a structure at 0x49D0 which, at off_0xC, is the value for what movie mode you are in, ie: 0 for 1080p, 1 for 720p and 2 for 480p.
H264E_SetParameterH264Encode (0xFF17883C) is called with a different arg0, depending on which movie mode you are in. In SetParameterH264Encode, depending on which arg0 was passed (which depends on the video mode), a structure at 0x846C is setup with different offsets / values.
Interesting places to look at with bmp_hexdump:
- areas after 0x846C, specifically between off_0x70 and off_0xF0 (around that area)
- areas after 0x49D0.
I think I can post flow charts here, here's a flow chart of what I'm talking about (it makes it easier to see):
and a flowchart of SetparameterH264Encode to see how the structure is setup differently in each recording mode:
tl;dr
H264E_SetParameterH264Encode and the functions it calls need looking into.
---------
More analysis:
assuming 1080p videoLVCDEV_H264EncodeStart calls H264E_SetParameterH264Encode with arg0 as 0xA.
In H264E_SetParameterH264Encode, if arg0 is 0xA, the structure looks like this:
0x846C structoff_0x64 = off_0x68
off_0x74 = off_0x78
off_0x84 = off_0x88
off_0x94 = off_0x98
off_0xA4 = off_0xA8
off_0xB4 = off_0xBC
off_0xB8 = off_0xC0
off_0xD4 = off_0xDC
off_0xD8 = off_0xE0
The initial values of the offsets on the right are setup in H264E_InitializeH264Encode (0xFF177F74), and are pulled from a pointer at off_0x8 of the struct at 0x846C, though I can't check the values now. There are two other H264E_Initialize functions: one for 720p and one for VGA.
I can't test anything because i don't have my macbook back yet (ffffffuuuuuuu), but interesting areas to look would be the values of the offsets on the right, ie: values we could overwrite and trick the h264 encoder into using.