In one of my experiments, I somehow found the pointer to the current JPG.
Here's a snippet of the things I found, i.e. in the G12 100c. It was a while ago, but I saved this text snippet:
ROM:FF96C1D0 LDREQ R1, =0x77D
ROM:FF96C1D4 LDREQ R0, =aWrcachemgr_c
ROM:FF96C1D8 BLEQ DebugAssert
ROM:FF96C1DC LDR R0, =0x47109800
ROM:FF96C1E0 LDR R1, =0xAF718 --->points to jpg buffer base? 0x47109800
ROM:FF96C1E4 LDR R7, =0x6CD0 -> points to actual buffer* +exifdatalen(?)
So, in this case, the pointer to the data was something like
char *jpg = (char *)(*(int *)0x6CD0 - 0x3E00);
I found that 0x3E00 by printing the current buffer* and having a look at the whole JPG buffer area; I assumed it was some sort of EXIF data.
In order to find where the JPG finishes, I searched for the end-of-JPG marker:
(*jpg == 0xFF && *(jpg + 1) == 0xD9)
Have fun hacking!
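Added example, not code from the post above: a blind search for FF D9 stops at the first EOI it meets, and a buffer that starts with EXIF data usually holds a thumbnail that is itself a complete JPEG with its own EOI, so the structured walk below follows the marker segments instead and only treats FF D9 as the end once it is past the scan data. The function names and the sample byte buffer are my own constructions; the real buffer would be the `jpg` pointer from the post.

```c
#include <stddef.h>
#include <stdint.h>

/* Blind search from the post: offset just past the first FF D9 anywhere in buf. */
long naive_eoi_offset(const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i + 1 < len; i++)
        if (buf[i] == 0xFF && buf[i + 1] == 0xD9) return (long)(i + 2);
    return -1;
}

/* Offset just past the EOI of the JPEG starting at buf[0], or -1 if the marker
 * structure is broken or truncated. Walks the segments, so an EXIF thumbnail
 * (a complete JPEG inside APP1 with its own FF D9) cannot end the search early. */
long jpeg_end_offset(const uint8_t *buf, size_t len)
{
    if (len < 2 || buf[0] != 0xFF || buf[1] != 0xD8) return -1;   /* need SOI */
    size_t i = 2;
    while (i + 2 <= len) {
        if (buf[i] != 0xFF) return -1;                  /* lost marker sync */
        uint8_t m = buf[i + 1];
        if (m == 0xD9) return (long)(i + 2);            /* EOI */
        if (m == 0xFF) { i++; continue; }               /* fill byte */
        if ((m >= 0xD0 && m <= 0xD7) || m == 0x01) { i += 2; continue; } /* no length */
        if (i + 4 > len) return -1;
        i += 2 + (((size_t)buf[i + 2] << 8) | buf[i + 3]); /* length counts itself */
        if (m != 0xDA) continue;                        /* ordinary segment */
        /* SOS: skip entropy-coded data. FF 00 is a stuffed data byte and FF D0..D7
         * are restart markers; any other byte after FF starts the next real marker. */
        while (i + 1 < len && !(buf[i] == 0xFF && buf[i + 1] != 0x00 &&
                                !(buf[i + 1] >= 0xD0 && buf[i + 1] <= 0xD7)))
            i++;
    }
    return -1;
}

/* Constructed sample (not a real capture): SOI; an APP1 segment whose payload
 * carries a thumbnail-style SOI/EOI pair; an SOS segment whose scan data has a
 * stuffed FF 00 and an RST0 marker; the real EOI; then two junk bytes. */
static const uint8_t sample[] = {
    0xFF, 0xD8,
    0xFF, 0xE1, 0x00, 0x08, 'E', 'x', 0xFF, 0xD8, 0xFF, 0xD9,
    0xFF, 0xDA, 0x00, 0x02, 0x12, 0xFF, 0x00, 0x34, 0xFF, 0xD0, 0x56,
    0xFF, 0xD9,
    0xAA, 0xBB
};
static const size_t sample_len = sizeof sample;
```

On the sample the blind search reports the thumbnail's EOI (offset 12) while the structured walk reports the real end of the image (offset 25).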