I haven't looked at the code in detail; but I noticed a couple of things in boot.c.
...
The line:
*(int*)(0x2638) = (*(int*)0xC0220130)&1 ? 0x200000 : 0x100000;
should be
*(int*)(0x25F4) = (*(int*)0xC0220130)&1 ? 0x200000 : 0x100000;
...
One more idea: during ELPH300 porting I got the above hint from Phil that I have to change some more stuff.
In ELPH300 we are currently using the 0x25F4 value (according to the advice from Phil):
// replacement of sub_FF024B5C for correct power-on.
// http://chdk.setepontos.com/index.php?topic=6341.msg76409#msg76409
*(int*)(0x25F4) = (*(int*)0xC0220130)&1 ? 0x200000 : 0x100000;
//*(int*)(0x2638) = (*(int*)0xC0220130)&1 ? 0x200000 : 0x100000;
If I try to use the original code with value 0x2638 (which I took from ELPH500):
// replacement of sub_FF024B5C for correct power-on.
// http://chdk.setepontos.com/index.php?topic=6341.msg76409#msg76409
//*(int*)(0x25F4) = (*(int*)0xC0220130)&1 ? 0x200000 : 0x100000;
*(int*)(0x2638) = (*(int*)0xC0220130)&1 ? 0x200000 : 0x100000;
I fall back to the same behaviour on my ELPH300 as you currently see on ELPH310. So, my conclusion is that if we use the 0x2638 value from ELPH500 we have a higher chance to see ELPH310 starting up a little bit more. In parallel I will ask Phil how he found out which value we have to use for ELPH300, then we will hopefully get to the correct ELPH310 value.
-----------------------------------------------------------------------------------------------------
Update:
You should use 0x2610 which I found at address 0xff05788c in your firmware.
You should try to use the 0x2638 value because ELPH310 is probably more similar to ELPH500 than to ELPH300. I generated three different binaries which use the 0x2610 value and attached them to this and the next post. The ZIP files contain the corresponding boot.c files.
Please test.
Overview of the three versions:
Version 1 (uses 0x2610) (original Canon startup):
" BL sub_FF0249FC \n" // rom:ff00fc4c 0xEB00536A
//"BL CreateTask_spytask\n" // added to create the Spytask (afaik the main CHDK Task)
//"BL taskcreatePhySw_my\n" // --> patched taskcreate_PhySw() org: 0xFF0253dc but no BL-call found for this address, maybe it is FF0249FC!?
Version 2 (uses 0x2610) (CHDK Spytask started):
" BL sub_FF0249FC \n" // rom:ff00fc4c 0xEB00536A
"BL CreateTask_spytask\n" // added to create the Spytask (afaik the main CHDK Task)
//"BL taskcreatePhySw_my\n" // --> patched taskcreate_PhySw() org: 0xFF0253dc but no BL-call found for this address, maybe it is FF0249FC!?
Version 3 (uses 0x2610) (CHDK Spytask and MyKbd Task started):
//" BL sub_FF0249FC \n" // rom:ff00fc4c 0xEB00536A
"BL CreateTask_spytask\n" // added to create the Spytask (afaik the main CHDK Task)
"BL taskcreatePhySw_my\n" // --> patched taskcreate_PhySw() org: 0xFF0253dc but no BL-call found for this address, maybe it is FF0249FC!?