I think I'm going to have to dump my firmware and give porting a try just to understand everything better. I also think IDA will help me see how everything links together, especially with Touchgraph. Unfortunately my time at home is limited and my wife insists on occupying most of that available time (not a bad thing).
I think I've figured out the flow of the assembly now... to verify/clear up confusion:
"BL sub_FF98ACEC_my \n" // patched - calls a function of our modified Canon code.
"BL shooting_expo_param_override\n" // added - is calling a new function we added.
Sometimes a modified Canon code piece has a more thorough name (like tasks), but in general this seems to be the case.
"BL loc_FF88323C \n" type branches are a little more confusing though. That particular example is at the end of the capt_seq_task and calls a location near the top (the big loop I was looking for). So these branches are to locations within the function.
"BL sub_FF88402C \n" - "sub" type must call locations outside the function. These aren't relabeled, so they are calling the Canon firmware.
Another interesting part:
"LDR R0, =0xFF882CF4 \n" // "SsShootTask.c" - I find similar comments many times in boot.c and capt_seq.c. Every instance of each comment points to one address, and I can find no such file, function or external reference to any of them. And there's always a "DebugAssert" afterwards. I see on the "DryOS porting" page that all "DebugAssert" does is save a file if there's a fatal error. Those comments must be the name of the file saved with the value of that address. This is just for debugging?
How am I doing?