Well, some progress made ... I guess ...
/*
 * Hand-copied version of the firmware routine that the page locates at
 * FF81198C. It saves LR, makes five calls into the firmware by absolute
 * address, restores LR and then branches to h_usrKernelInit (defined in this
 * file) instead of returning.
 *
 * NOTE(review): every sub_FFxxxxxx symbol encodes an absolute address taken
 * from one firmware image; each one has to be re-verified against the
 * disassembly before this is run on any other image.
 * NOTE(review): no naked attribute is visible here, so the manual LR
 * save/restore is only balanced if the compiler emits no prologue of its
 * own -- confirm against the build flags.
 */
void h_usrInit() // Orig. starts at FF81198C
{
asm volatile (
"STR LR, [SP,#-4]!\n" // push LR
"BL sub_FF811968\n"
"MOV R0, #2\n" // R0 = 2
"MOV R1, R0\n" // R1 = 2, both passed to the next call
"BL sub_FF925020\n" // unknown_libname_231 (disassembler-assigned label, purpose not established)
"BL sub_FF918F9C\n" // excVecInit
"BL sub_FF8111C4\n"
"BL sub_FF811728\n"
"LDR LR, [SP],#4\n" // pop LR so the branch target returns to our caller
"B h_usrKernelInit\n" // plain branch, not BL: control does not come back here
);
}
/*
 * Hand-copied version of the firmware routine that the page locates at
 * FF811744. It runs the library and queue initialisation calls by absolute
 * address and then calls sub_FF93288C (labelled kernelInit on the page) with
 * h_usrRoot as its first argument and 0xEA4D0 as its third.
 *
 * The page's own note gives 0xEA4D0 as 0xB84D0 + 0x32000.
 * NOTE(review): presumably the 0x32000 bytes below the new value are kept out
 * of the kernel's memory pool for the loaded code -- confirm that the loaded
 * image fits in that window and that nothing else still assumes 0xB84D0,
 * otherwise the two regions overlap.
 * NOTE(review): all literal addresses below belong to one firmware image and
 * must be re-verified for any other.
 */
void h_usrKernelInit() // Orig. starts at FF811744
{
asm volatile (
"STMFD SP!, {R4,LR}\n" // save R4 and the return address
"SUB SP, SP, #8\n" // room for the two stack words stored before the final call
"BL sub_FF925520\n" // classLibInit
"BL sub_FF93564C\n" // taskLibInit
"LDR R3, =0x5720\n"
"LDR R2, =0xB4A80\n"
"LDR R1, [R3]\n" // R1 = word read from 0x5720
"LDR R0, =0xB56D0\n"
"MOV R3, #0x100\n"
"BL sub_FF93123C\n" // qInit
"LDR R3, =0x56E0\n"
"LDR R0, =0x5A80\n"
"LDR R1, [R3]\n" // R1 = word read from 0x56E0
"BL sub_FF93123C\n" // qInit
"LDR R3, =0x579C\n"
"LDR R0, =0xB56A4\n"
"LDR R1, [R3]\n" // R1 = word read from 0x579C
"BL sub_FF93123C\n" // qInit
"BL sub_FF939A08\n" // workQInit
"BL sub_FF8112AC\n"
"MOV R4, #0\n"
"MOV R3, R0\n" // result of sub_FF8112AC becomes the fourth argument
"MOV R12, #0x800\n"
"LDR R0, =h_usrRoot\n" // Orig. starts at FF811A60; the copy in this file is passed instead
"MOV R1, #0x4000\n"
"LDR R2, =0xEA4D0\n" // 0xB84D0 + 0x32000
"STR R12, [SP]\n" // first stack word = 0x800
"STR R4, [SP,#4]\n" // second stack word = 0
"BL sub_FF93288C\n" // kernelInit
"ADD SP, SP, #8\n" // drop the two stack words
"LDMFD SP!, {R4,PC}\n" // restore R4 and return by loading PC
);
};
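/*
 * Hand-copied version of the firmware routine that the page locates at
 * FF811A60; h_usrKernelInit passes its address as the first argument to the
 * call labelled kernelInit.
 *
 * The two incoming arguments (R0, R1) are kept in R5 and R4 and handed
 * unchanged to the calls labelled memInit and memPartLibInit. The routine
 * ends with a plain branch to sub_FF81136C, so that target returns directly
 * to this routine's caller.
 *
 * The closing brace of the function was missing on the page, which left the
 * definition that follows nested inside this one; it is restored here.
 *
 * NOTE(review): all sub_FFxxxxxx targets are absolute addresses from one
 * firmware image and must be re-verified for any other.
 */
void h_usrRoot() // Orig. starts at FF811A60
{
asm volatile (
"STMFD SP!, {R4,R5,LR}\n" // save R4, R5 and the return address
"MOV R5, R0\n" // keep first argument
"MOV R4, R1\n" // keep second argument
"BL sub_FF8119D0\n"
"MOV R1, R4\n"
"MOV R0, R5\n"
"BL sub_FF929FD8\n" // memInit
"MOV R1, R4\n"
"MOV R0, R5\n"
"BL sub_FF92AA50\n" // memPartLibInit
"BL sub_FF8117E8\n" // nullsub_1
"BL sub_FF811704\n"
"BL sub_FF811A0C\n"
"BL sub_FF8119F0\n"
"BL sub_FF811A38\n"
"BL sub_FF8119C4\n"
"LDMFD SP!, {R4,R5,LR}\n" // restore registers before the tail branch
"B sub_FF81136C\n" // IsEmptyWriteCache_2 (disassembler-assigned label; purpose not established)
);
}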
/*
 * Returns the fixed address used as the bitmap framebuffer.
 * The value is specific to the firmware image the author examined.
 */
void *vid_get_bitmap_fb()
{
    /* Address the author found on aBmpddev_c. */
    void *const bitmap_fb = (void*)0x10361000;

    return bitmap_fb;
}
/*
 * Returns the fixed address used as the viewport framebuffer.
 * The value is specific to the firmware image the author examined.
 */
void *vid_get_viewport_fb()
{
    /* Address the author found at aImgddev_c. */
    void *const viewport_fb = (void*)0x10D295E0;

    return viewport_fb;
}
/*
 * Returns the pointer value currently stored in the word at 0x8D558.
 *
 * The author found this location on aImageplayer_c and was not sure it is
 * correct, so callers should treat the result as unverified: a wrong slot
 * yields an arbitrary pointer.
 */
void *vid_get_viewport_fb_d()
{
    int *const slot = (int*)0x8D558;
    int stored = *slot; /* read the word held at the fixed location */

    return (void*)stored;
}
In stubs_entry_2.s :-
/*
 * Name/address pairs handed to the NHSTUB macro (defined outside this page).
 * Each address is an absolute location in the firmware image the author
 * disassembled; none of them carries over to another image without being
 * re-checked against that image's disassembly.
 */
NHSTUB(Mount_FileSystem, 0xFFAAE000)
NHSTUB(MoveZoomLensWithPoint, 0xFFAFF6D8)
NHSTUB(Remove, 0xFFAAECEC)
NHSTUB(Write, 0xFFAAED7C)
NHSTUB(Close, 0xFFAAECDC)
NHSTUB(Read, 0xFFAAED70)
It does not load, of course, but neither does it crash.
The LEDs are operated the same way as on the s2is, s3is and ixus700.
So we need to find the led_table address before we can control the LEDs.
I have not altered capt_seq yet.
David