I'd attach the script I used, but I seem to have left the SD card with it at home. I basically just looped through prop_id 1-500, stored the values in one array, and then looped through them again and compared each current value with the previous value, then printed the prop# and value if a change was detected. I saw several prop_ids in the 200 range pop up, but they were all gibberish since I didn't have the lengths wrong.
My observation is that the Canon firmware will truncate or pad with null bytes if the length is wrong. Propcase values are generally not readable strings; they are binary values that can be single bytes, 16 or 32 bit numbers, etc. They can contain embedded nulls. Generally, you'd want to look at a hex dump of the value, unless you have some other information about how it should be interpreted.
I did most of my testing using chdkptp (shameless self promotion), like this:
!status,s=con:execwait([[return get_prop_str(9,0x9c)]]); print(util.hexdump(s))
For looking at memory values, you can use the rmem command, or send peek()
I find being able to interactively look at values like this from my PC very useful, compared to trying to do it with scripts uploaded to the camera or changing code, recompiling etc.
FaceFrame
DispFace
ChaceFace
Where do you find these log messages?
These are task names found in disassembly of the firmware dump. I know they are task names because they are passed to one of the task creation functions. A task is like a process or thread on a PC.
That seems to be exactly what we're looking for!! I will have to dig on both cameras to see if there are equivalents. How did you figure out the memory address to look at?
Searching the firmware dump for strings containing "Face". The ROM:FFDA5E74 lines are the address in the dump.
For the SX110, you can look at the code quoted above and get some addresses to try with peek.
LDR R6, =0x54D9C
gives you the starting address of the structure. The lines like
FFDA5E48 LDRH R2, [R6,#4]
give you the offset into it. If the instruction is LDRH, that means it's a half word (16 bit int). A full 32 bit word would be LDR, and a single byte would be LDRB. The equivalent of the above in Lua would be
peek(0x54D9C+4,2)
The 2 tells peek to load a half word.
The string following the LDR instructions may give you some hint about the meaning of the value, e.g. Num_Of_Result = %u could be the number of faces?
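The translation described in the post above (structure base from `LDR Rn, =addr`, field offset and width from the following `LDR`/`LDRH`/`LDRB`), as an added example that is not part of the original post. It runs on the PC over pasted disassembly text; the function name, the sample listing (built from the two instructions quoted in the post plus constructed lines and addresses), and the peek sizes 1 and 4 are assumptions.

```python
import re

# Load mnemonic -> peek() size in bytes. The post gives 2 for LDRH;
# 4 (LDR) and 1 (LDRB) are assumed by analogy.
SIZES = {"LDR": 4, "LDRH": 2, "LDRB": 1}

# Optional address prefix such as "FFDA5E48" or "ROM:FFDA5E74".
PREFIX = r"^\s*(?:(?:\w+:)?[0-9A-Fa-f]{8}\s+)?"
# "LDR R6, =0x54D9C": loads the structure's starting address into a register.
LITERAL = re.compile(PREFIX + r"LDR\s+(R\d+)\s*,\s*=\s*(0x[0-9A-Fa-f]+)", re.I)
# "LDRH R2, [R6,#4]": loads a field at an optional immediate offset.
LOAD = re.compile(
    PREFIX + r"(LDR[HB]?)\s+(R\d+)\s*,\s*\[\s*(R\d+)\s*"
    r"(?:,\s*#(-?(?:0x[0-9A-Fa-f]+|\d+)))?\s*\]", re.I)


def peeks_from_disassembly(text):
    """Return peek() calls for loads whose base register holds a known address."""
    bases = {}  # register -> address loaded by "LDR Rn, =addr"
    calls = []
    for line in text.splitlines():
        m = LITERAL.match(line)
        if m:
            bases[m.group(1).upper()] = int(m.group(2), 16)
            continue
        m = LOAD.match(line)
        if not m:
            continue
        op, dest, base = (m.group(i).upper() for i in (1, 2, 3))
        if base in bases:
            offset = int(m.group(4), 0) if m.group(4) else 0
            calls.append("peek(0x%X%+d,%d)" % (bases[base], offset, SIZES[op]))
        # The destination now holds loaded data, not a known structure address.
        bases.pop(dest, None)
    return calls


# Constructed sample: only the LDR R6 literal and the LDRH line come from the post.
SAMPLE = """
ROM:FFDA5E40 LDR R6, =0x54D9C
FFDA5E48 LDRH R2, [R6,#4]
FFDA5E4C LDRB R3, [R6,#0x10]
FFDA5E50 LDR R6, [R6]
FFDA5E54 LDRH R1, [R6,#2]
"""

if __name__ == "__main__":
    for call in peeks_from_disassembly(SAMPLE):
        print(call)
```

The last sample line produces no call because R6 was overwritten by the preceding load, so its value is no longer the known structure address.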