This is my attempt to provide a simple guide for finding the needed addresses of frame buffer array and it's index without disassembly skills & tools.
requirements
hardware: if you use CHDK, you should have them... (cam, SD, card reader, computer...)
software: OS capable of running the .exes and .bats needed (I guess at least any version of Windows), a text editor
other: some common sense, possibly (a lot of) patience
- First download the file attached. It's pretty much the same as mx3's md_speedup.rar. Unzip somewhere (with at least 65MB of free space).
- In debug menu, enable "Dump RAM on ALT +/- press".
- Dump RAM twice: once with the display overexposed (point at something bright/select long exposure/...), once underexposed (put a cap on the lens/select short exposure/...). (Dumping is done with +/- key in ALT.)
(- Disable ram dumping.)
- Move the dumps (e.g. I had CRW_0001.JPG and CRW_0002.JPG in DCIM/100CANON, ~32MB each) from SD to the same folder you unzipped md_speedup_mod.zip to.
- Open regions.bat with a text editor. It should have the dump names, e.g. the aforementioned. Modify if necessary, run regions.bat.
- Open (the newly created) regions.txt. It should have 3 lines with a bigger (5-digit) value after "bytes:", they look something like this:
(0x005F0CE0 + 0x1900 = 0x005F25E0) bytes: 3CA50
(0x0066F5E0 + 0x1900 = 0x00670EE0) bytes: 3CA50
(0x006EDEE0 + 0x1900 = 0x006EF7E0) bytes: 3CA50
(addresses and/or size will be different)
(- See a710.regions.txt.)
(yvesson had a little different case: his regions.txt had a lot of "bytes: 420" with spacing of 0x438 and two bigger gaps. Those ranges were divided into three groups. Then the first address of each group was used.)
- Open refs.bat. It should have the name of one of the dumps (e.g. CRW_0001.JPG). Also you'll need to replace all 6 of the 8-digit addresses with the addresses from regions.txt, first 3 just copied without 0x (e.g. 005F25E0), last 3 with the first 0 replaced with 1 (e.g. 105F25E0). Run refs.bat.
- Open refs.txt. Find 3 adjacent rows that have values in the first column with uniform spacing (possibly 0x4) and have a different value in the second column. e.g.
[0x0000522C] : 105F25E0
[0x00005230] : 10670EE0
[0x00005234] : 106EF7E0
Here 0x522C would be the array address. For some cameras (VxWorks?) the index address is array address +0x10, e.g. 0x522C+0x10=0x523C.
(- See a710.refs.txt.)
(yvesson had only one group of two addresses that looked promising (see below (0x5288 and 0x5290)), so those values were used. Also the index was found at 0x5288+0x10.)
- Check if the index address is array address +0x10. Use memory viewer (in debug menu). Make sure the values are auto-updated (toggle with up). Use left/right to decrease/increase address value, zoom rocker to change increment modifier. The value of the index address is constantly changed between 0, 1 and 2. If it's not... well... then you'll have to find it. Save some of the patience for this. Index may be near or far, for A720 it's array-0x14C. You can start with e.g. array-0x200. Go with 0x4 increments.
(- Once found, the values go to vid_get_viewport_live_fb() in platform/model/sub/version/lib.c:
void **fb=(void **)0x522C;
unsigned char buff = *((unsigned char*)0x523C);
if (buff == 0) {
buff = 2;
}
else {
buff--;
}
return fb[buff];
where 0x522C is the array address and 0x523C is the index address.)
If you find the addresses, please share them. ;)
If you need further assistance, ask.
(Should this be in a separate thread?)