root/platform/ixus230_elph310hs/sub/100a/boot.c



   1 #include "lolevel.h"
   2 #include "platform.h"
   3 #include "core.h"
   4 #include "dryos31.h"
   5 
// Local int-typed offsetof, used by taskHook to step from the embedded
// context pointer back to the enclosing task_t.
// NOTE(review): this shadows the <stddef.h> macro with the classic null-pointer
// idiom; GCC's __builtin_offsetof is the well-defined equivalent if the build
// ever picks up the standard header.
#define offsetof(TYPE, MEMBER) ((int) &((TYPE *)0)->MEMBER)

// End of CHDK's loaded image (_end, presumably a linker-provided symbol).
// sub_FF0011B0_my hands this to the firmware as its heap start when CHDK is
// loaded inside the Canon heap, so the firmware's allocator begins after CHDK.
const char * const new_sa = &_end;

// Forward declarations.
// task_* are the firmware's original task entry points; taskHook compares a
// newly created task's entry against them and substitutes the CHDK versions.
void CreateTask_PhySw();
void CreateTask_spytask();
extern void task_CaptSeq();
extern void task_InitFileModules();
extern void task_MovieRecord();
extern void task_ExpDrv();
extern void task_FileWrite();
  18 
/*
 * taskHook: task-creation hook (its address is stored at 0x1938/0x193C by
 * sub_FF000358_my). Receives a pointer to the new task's context slot,
 * recovers the enclosing task_t, and if the entry point is one of the
 * firmware tasks CHDK overrides, swaps it for the CHDK replacement.
 */
void taskHook(context_t **context)
{
    /* firmware entry point -> CHDK replacement */
    static const struct {
        void *firmware;
        void *replacement;
    } overrides[] = {
        { (void*)task_CaptSeq,         (void*)capt_seq_task },
        { (void*)task_InitFileModules, (void*)init_file_modules_task },
        { (void*)task_MovieRecord,     (void*)movie_record_task },
        { (void*)task_ExpDrv,          (void*)exp_drv_task },
        { (void*)task_FileWrite,       (void*)filewritetask },
    };

    /* 'context' points at the context member inside task_t; step back to the task. */
    task_t *tcb = (task_t*)((char*)context - offsetof(task_t, context));

    /* Every pair is compared, exactly like the original if-chain (no early exit). */
    for (unsigned idx = 0; idx < sizeof overrides / sizeof overrides[0]; idx++) {
        if (tcb->entry == overrides[idx].firmware) {
            tcb->entry = overrides[idx].replacement;
        }
    }
}
  30 
  31 /*---------------------------------------------------------------------
  32   Memory Map:
  33         0001900     MEMBASEADDR             start of data - used for initialized vars
  34         0010797???                          end of inited data
  35         0010798???                          start of bss - used for zeroed/uninited vars
  36         016E81F???                          end of bss
  37         016E820???  MEMISOSTART             start of our data / bss
  38 
  39         0400000                             raw buffers
  40         8000000                             end of raw buffers
  41 
  42         C0xxxxxx                            I/O
  43 
  44         FF000000    ROMBASEADDR             start of rom
  45         FFFFFFFF                            end of rom
  46 ----------------------------------------------------------------------*/
  47 
  48 
  49 /*----------------------------------------------------------------------
  50         CreateTask --> core_spytask
  51 -----------------------------------------------------------------------*/
/*
 * CreateTask_spytask: start the CHDK core task ("SpyTask") through the
 * firmware's task creator. Called from task_Startup_my just before the
 * patched PhySw task is created.
 */
void CreateTask_spytask()
{
    enum {
        SPYTASK_PRIORITY   = 0x19,
        SPYTASK_STACK_SIZE = 0x2000
    };
    _CreateTask("SpyTask", SPYTASK_PRIORITY, SPYTASK_STACK_SIZE, core_spytask, 0);
}
  56 
  57 /*----------------------------------------------------------------------
  58         boot()
  59 
  60         Main entry point for the CHDK code
  61 -----------------------------------------------------------------------*/
/*
 * boot: CHDK entry point. Repeats the firmware's reset-time CP15 and MMIO
 * setup verbatim, copies the firmware's initialised data from ROM to RAM,
 * zeroes its bss, then branches to the patched copy of the next firmware
 * stage (sub_FF000358_my) instead of the ROM original.
 *
 * naked/noinline: no prologue or epilogue is generated, so the body is pure
 * asm and never returns; control leaves only through the final branch.
 */
void __attribute__((naked,noinline)) boot() {
    asm volatile (
            "   LDR     R1, =0xC0410000 \n" // MMIO 0xC0410000 <- 0
            "   MOV     R0, #0 \n"
            "   STR     R0, [R1] \n"
            "   MOV     R1, #0x78 \n"       // CP15 c1 (control register) <- 0x78
            "   MCR     p15, 0, R1, c1, c0 \n"
            "   MOV     R1, #0 \n"          // CP15 c7: cache / write-buffer maintenance
            "   MCR     p15, 0, R1, c7, c10, 4 \n"
            "   MCR     p15, 0, R1, c7, c5 \n"
            "   MCR     p15, 0, R1, c7, c6 \n"
            "   MOV     R0, #0x3D \n"       // CP15 c6 regions 0..5 (presumably ARM946 protection regions)
            "   MCR     p15, 0, R0, c6, c0 \n"
            "   MOV     R0, #0xC000002F \n"
            "   MCR     p15, 0, R0, c6, c1 \n"
            "   MOV     R0, #0x35 \n"
            "   MCR     p15, 0, R0, c6, c2 \n"
            "   MOV     R0, #0x40000035 \n"
            "   MCR     p15, 0, R0, c6, c3 \n"
            "   MOV     R0, #0x80000017 \n"
            "   MCR     p15, 0, R0, c6, c4 \n"
            "   LDR     R0, =0xFF00002F \n"
            "   MCR     p15, 0, R0, c6, c5 \n"
            "   MOV     R0, #0x34 \n"       // CP15 c2/c3: per-region cache and write-buffer bits
            "   MCR     p15, 0, R0, c2, c0 \n"
            "   MOV     R0, #0x34 \n"
            "   MCR     p15, 0, R0, c2, c0, 1 \n"
            "   MOV     R0, #0x34 \n"
            "   MCR     p15, 0, R0, c3, c0 \n"
            "   LDR     R0, =0x3333330 \n"  // CP15 c5: per-region access permissions
            "   MCR     p15, 0, R0, c5, c0, 2 \n"
            "   LDR     R0, =0x3333330 \n"
            "   MCR     p15, 0, R0, c5, c0, 3 \n"
            "   MRC     p15, 0, R0, c1, c0 \n" // control register |= 0x1000 | 4 | 1
            "   ORR     R0, R0, #0x1000 \n"
            "   ORR     R0, R0, #4 \n"
            "   ORR     R0, R0, #1 \n"
            "   MCR     p15, 0, R0, c1, c0 \n"
            "   MOV     R1, #0x80000006 \n" // CP15 c9,c1 (presumably TCM region registers)
            "   MCR     p15, 0, R1, c9, c1 \n"
            "   MOV     R1, #6 \n"
            "   MCR     p15, 0, R1, c9, c1, 1 \n"
            "   MRC     p15, 0, R1, c1, c0 \n" // control register |= 0x50000
            "   ORR     R1, R1, #0x50000 \n"
            "   MCR     p15, 0, R1, c1, c0 \n"
            "   LDR     R2, =0xC0200000 \n" // MMIO block 0xC0200000: [0x10C] <- 1, then 0xFF to 0xC..0xFC step 0x10
            "   MOV     R1, #1 \n"
            "   STR     R1, [R2, #0x10C] \n"
            "   MOV     R1, #0xFF \n"
            "   STR     R1, [R2, #0xC] \n"
            "   STR     R1, [R2, #0x1C] \n"
            "   STR     R1, [R2, #0x2C] \n"
            "   STR     R1, [R2, #0x3C] \n"
            "   STR     R1, [R2, #0x4C] \n"
            "   STR     R1, [R2, #0x5C] \n"
            "   STR     R1, [R2, #0x6C] \n"
            "   STR     R1, [R2, #0x7C] \n"
            "   STR     R1, [R2, #0x8C] \n"
            "   STR     R1, [R2, #0x9C] \n"
            "   STR     R1, [R2, #0xAC] \n"
            "   STR     R1, [R2, #0xBC] \n"
            "   STR     R1, [R2, #0xCC] \n"
            "   STR     R1, [R2, #0xDC] \n"
            "   STR     R1, [R2, #0xEC] \n"
            "   STR     R1, [R2, #0xFC] \n"
            "   LDR     R1, =0xC0400008 \n" // MMIO 0xC0400008 <- 0x430005
            "   LDR     R2, =0x430005 \n"
            "   STR     R2, [R1] \n"
            "   MOV     R1, #1 \n"          // [1] <- 0xC0243100; as in the firmware, not a CHDK change
            "   LDR     R2, =0xC0243100 \n"
            "   STR     R2, [R1] \n"
            "   LDR     R2, =0xC0242010 \n" // MMIO 0xC0242010 |= 1
            "   LDR     R1, [R2] \n"
            "   ORR     R1, R1, #1 \n"
            "   STR     R1, [R2] \n"
            "   LDR R0, =0xFF4973F0 \n" // diff from 100b - 0xFF497420
            "   LDR     R1, =0x1900 \n"     // copy initialised data: ROM (R0) -> RAM 0x1900 (MEMBASEADDR) up to 0x102DC
            "   LDR     R3, =0x102DC \n"
            "loc_FF00013C:\n"
            "   CMP     R1, R3 \n"
            "   LDRCC   R2, [R0], #4 \n"
            "   STRCC   R2, [R1], #4 \n"
            "   BCC     loc_FF00013C \n"
            "   LDR     R1, =0x181A9C \n"   // zero bss: 0x102DC up to 0x181A9C
            "   MOV     R2, #0 \n"
            "loc_FF000154:\n"
            "   CMP     R3, R1 \n"
            "   STRCC   R2, [R3], #4 \n"
            "   BCC     loc_FF000154 \n"
            //" B       sub_FF000358 \n" // original
            "   B       sub_FF000358_my \n" // patched
    );
}
 155 
 156 /*----------------------------------------------------------------------
 157         sub_FF000358_my
 158 -----------------------------------------------------------------------*/
 159 // FF000358
/*
 * sub_FF000358_my: patched copy of firmware sub_FF000358. Installs taskHook
 * in the firmware's hook slots at 0x1938/0x193C, performs the power-on
 * register fix-up, then repeats the firmware's vector/low-memory copies,
 * mode stack setup and stack fill before calling the patched sub_FF0011B0_my.
 *
 * NOTE(review): the function is naked but starts with C statements; GCC
 * documents only basic asm as supported in naked functions, so this relies
 * on the compiler needing no frame for these few stores — keep it minimal.
 */
void __attribute__((naked,noinline)) sub_FF000358_my() {

    //http://chdk.setepontos.com/index.php/topic,4194.0.html
    // Write taskHook's address into the two RAM slots the firmware's task
    // creation code presumably reads (see the thread above) — confirm on this firmware.
    *(int*)0x1938=(int)taskHook;
    *(int*)0x193C=(int)taskHook;
    //*(int*)0x1930=(int)taskHook;
    //*(int*)0x1934=(int)taskHook;

    // replacement of sub_FF025560 for correct power-on.
    // Bit 0 of MMIO 0xC0220130 selects which value lands at 0x2610.
    *(int*)(0x2610) = (*(int*)0xC0220130)&1 ? 0x200000 : 0x100000;

    asm volatile (
            "   LDR     R0, =0xFF0003D0 \n" // copy ROM 0xFF0003D0..0xFF000408 to RAM address 0
            "   MOV     R1, #0 \n"
            "   LDR     R3, =0xFF000408 \n"
            "loc_FF000364:\n"
            "   CMP     R0, R3 \n"
            "   LDRCC   R2, [R0], #4 \n"
            "   STRCC   R2, [R1], #4 \n"
            "   BCC     loc_FF000364 \n"
            "   LDR     R0, =0xFF000408 \n" // copy ROM 0xFF000408..0xFF00061C to RAM 0x4B0
            "   MOV     R1, #0x4B0 \n"
            "   LDR     R3, =0xFF00061C \n"
            "loc_FF000380:\n"
            "   CMP     R0, R3 \n"
            "   LDRCC   R2, [R0], #4 \n"
            "   STRCC   R2, [R1], #4 \n"
            "   BCC     loc_FF000380 \n"
            "   MOV     R0, #0xD2 \n"       // CPSR 0xD2: IRQ mode, IRQ/FIQ masked; SP = 0x1000
            "   MSR     CPSR_cxsf, R0 \n"
            "   MOV     SP, #0x1000 \n"
            "   MOV     R0, #0xD3 \n"       // CPSR 0xD3: SVC mode, IRQ/FIQ masked; SP = 0x1000
            "   MSR     CPSR_cxsf, R0 \n"
            "   MOV     SP, #0x1000 \n"
            "   LDR     R0, =0x6C4 \n"      // fill 0x6C4..0x1000 with 0xEEEEEEEE (likely a stack fill pattern)
            "   LDR     R2, =0xEEEEEEEE \n"
            "   MOV     R3, #0x1000 \n"
            "loc_FF0003B4:\n"
            "   CMP     R0, R3 \n"
            "   STRCC   R2, [R0], #4 \n"
            "   BCC     loc_FF0003B4 \n"
            //" BL      sub_FF0011B0 \n" // original
            "   BL      sub_FF0011B0_my \n" // patched
    );
}
 205 
 206 /*----------------------------------------------------------------------
 207         sub_FF0011B0_my
 208 -----------------------------------------------------------------------*/
 209 // FF0011B0
/*
 * sub_FF0011B0_my: patched copy of firmware sub_FF0011B0. Builds the
 * 0x74-byte parameter block the firmware's OS init takes on the stack; the
 * only CHDK change is the heap start stored at [SP,#8] (and the derived heap
 * size at [SP,#0xC]) and the init continuation passed in R1, which points to
 * sub_FF005F2C_my instead of the ROM routine. Tail-branches into firmware.
 */
void __attribute__((naked,noinline)) sub_FF0011B0_my() {
    asm volatile (
            "   STR     LR, [SP, #-4]! \n"
            "   SUB     SP, SP, #0x74 \n"   // reserve the 0x74-byte parameter block
            "   MOV     R1, #0x74 \n"
            "   MOV     R0, SP \n"
            "   BL  sub_FF3A2D24 \n" // diff from 100b - sub_FF3A2D58 (called with the block and its size; presumably clears it — confirm)
            "   MOV     R0, #0x57000 \n"
            "   STR     R0, [SP, #4] \n"
#if defined(CHDK_NOT_IN_CANON_HEAP)
            "   LDR     R0, =0x181A9C \n" // use original heap offset since CHDK is loaded in high memory
#else
            "   LDR     R0, =new_sa \n" // otherwise use patched value (new_sa = &_end, end of CHDK's image)
            "   LDR     R0, [R0] \n"
#endif
            "   LDR     R2, =0x36D788 \n"   // heap end
            "   STR     R0, [SP, #8] \n"    // [SP,#8]  = heap start
            "   SUB     R0, R2, R0 \n"
            "   STR     R0, [SP, #0xC] \n"  // [SP,#0xC] = heap size = end - start
            "   MOV     R0, #0x22 \n"
            "   STR     R0, [SP, #0x18] \n"
            "   MOV     R0, #0x72 \n"
            "   STR     R0, [SP, #0x1C] \n"
            "   LDR     R1, =0x375C00 \n"
            "   LDR     R0, =0x1CD \n"
            "   STR     R1, [SP] \n"
            "   STR     R0, [SP, #0x20] \n"
            "   MOV     R0, #0x96 \n"
            "   STR     R2, [SP, #0x10] \n"
            "   STR     R1, [SP, #0x14] \n"
            "   STR     R0, [SP, #0x24] \n"
            "   STR     R0, [SP, #0x28] \n"
            "   MOV     R0, #0x64 \n"
            "   STR     R0, [SP, #0x2C] \n"
            "   MOV     R0, #0 \n"
            "   STR     R0, [SP, #0x30] \n"
            "   STR     R0, [SP, #0x34] \n"
            "   MOV     R0, #0x10 \n"
            "   STR     R0, [SP, #0x5C] \n"
            "   MOV     R0, #0x800 \n"
            "   STR     R0, [SP, #0x60] \n"
            "   MOV     R0, #0xA0 \n"
            "   STR     R0, [SP, #0x64] \n"
            "   MOV     R0, #0x280 \n"
            "   STR     R0, [SP, #0x68] \n"
            //" LDR     R1, =0xFF005F2C \n" // original
            "   LDR     R1, =sub_FF005F2C_my \n" // patched: R1 = init continuation
            "   B       sub_FF00124C \n" // continue in firmware
    );
}
 260 
 261 /*----------------------------------------------------------------------
 262         sub_FF005F2C_my
 263 -----------------------------------------------------------------------*/
 264 // FF005F2C
/*
 * sub_FF005F2C_my: patched copy of firmware sub_FF005F2C (early OS init).
 * Runs the firmware's setup routines in order; after each one a negative
 * return (CMP R0,#0 / LT) reports the subsystem name to _err_init_task.
 * The string addresses are ROM literals, annotated with their contents.
 * The only CHDK change is the final branch to sub_FF00FDA0_my.
 */
void __attribute__((naked,noinline)) sub_FF005F2C_my() {
    asm volatile (
            "   STMFD   SP!, {R4,LR} \n"
            "   BL      sub_FF000B28 \n"
            "   BL      sub_FF00A384 \n"
            "   CMP     R0, #0 \n"
            "   LDRLT   R0, =0xFF006040 \n" // *"dmSetup"
            "   BLLT    _err_init_task \n"
            "   BL      sub_FF005B64 \n"
            "   CMP     R0, #0 \n"
            "   LDRLT   R0, =0xFF006048 \n" // *"termDriverInit"
            "   BLLT    _err_init_task \n"
            "   LDR     R0, =0xFF006058 \n" // *"/_term"
            "   BL      sub_FF005C4C \n"
            "   CMP     R0, #0 \n"
            "   LDRLT   R0, =0xFF006060 \n" // *"termDeviceCreate"
            "   BLLT    _err_init_task \n"
            "   LDR     R0, =0xFF006058 \n" // *"/_term"
            "   BL      sub_FF003CA8 \n"
            "   CMP     R0, #0 \n"
            "   LDRLT   R0, =0xFF006074 \n" // *"stdioSetup"
            "   BLLT    _err_init_task \n"
            "   BL      sub_FF009CEC \n"
            "   CMP     R0, #0 \n"
            "   LDRLT   R0, =0xFF006080 \n" // *"stdlibSetup"
            "   BLLT    _err_init_task \n"
            "   BL      sub_FF001690 \n"
            "   CMP     R0, #0 \n"
            "   LDRLT   R0, =0xFF00608C \n" // *"armlib_setup"
            "   BLLT    _err_init_task \n"
            "   LDMFD   SP!, {R4,LR} \n"    // restore LR, then tail-branch (no return here)
            //" B       sub_FF00FDA0 \n" // original
            "   B       sub_FF00FDA0_my \n" // patched
    );
}
 300 
 301 /*----------------------------------------------------------------------
 302         sub_FF00FDA0_my
 303 -----------------------------------------------------------------------*/
 304 // FF00FDA0
/*
 * sub_FF00FDA0_my: patched copy of firmware sub_FF00FDA0. Identical to the
 * ROM routine except that the startup-task creator it calls is replaced by
 * taskcreate_Startup_my. Returns 0 to the firmware caller.
 */
void __attribute__((naked,noinline)) sub_FF00FDA0_my() {
    asm volatile (
            "   STMFD   SP!, {R4,LR} \n"
            "   BL      sub_FF025558 \n"
            //" BL      sub_FF00FDB4 \n" // original taskcreate_Startup
            "   BL      taskcreate_Startup_my \n" // patched taskcreate_Startup
            "   MOV     R0, #0 \n"          // return value 0
            "   LDMFD   SP!, {R4,PC} \n"
    );
}
 315 
 316 /*----------------------------------------------------------------------
 317         taskcreate_Startup_my
 318 -----------------------------------------------------------------------*/
 319 // FF00FDB4
/*
 * taskcreate_Startup_my: patched copy of firmware sub_FF00FDB4. Reads the
 * power-on state from the MMIO block at 0xC0220000 (R9), either halts in a
 * branch-to-self after sub_FF024824 or proceeds to create the startup task.
 * The only CHDK change is the task entry point in R3: task_Startup_my
 * instead of the ROM routine. Tail-branches into firmware.
 */
void __attribute__((naked,noinline)) taskcreate_Startup_my() {
    asm volatile (
            "   STMFD   SP!, {R3-R9,LR} \n"
            "   MOV     R6, #0 \n"
            "   BL      sub_FF02D710 \n"
            "   LDR     R9, =0xC0220000 \n" // R9 = MMIO base
            "   MOVS    R7, R0 \n"
            "   MOV     R8, #1 \n"
            "   BNE     loc_FF00FE18 \n"
            "   BL      sub_FF026F24 \n"
            "   CMP     R0, #0 \n"
            "   BEQ     loc_FF00FE18 \n"
            "   LDR     R0, [R9, #0x128] \n" // R5 = 1 & ~[0xC0220128], R4 = 1 & ~[0xC022012C]
            "   BIC     R5, R8, R0 \n"
            "   LDR     R0, [R9, #0x12C] \n"
            "   BIC     R4, R8, R0 \n"
            "   BL      sub_FF02396C \n"
            "   CMP     R0, #1 \n"
            "   MOVEQ   R6, #1 \n"
            "   ORR     R0, R4, R5 \n"
            "   ORRS    R0, R0, R6 \n"       // any of R4/R5/R6 set -> normal startup path
            "   BNE     loc_FF00FE28 \n"
            "   BL      sub_FF024634 \n"
            "   MOV     R0, #0x44 \n"        // MMIO [0xC022001C] <- 0x44
            "   STR     R0, [R9, #0x1C] \n"
            "   BL      sub_FF024824 \n"
            "loc_FF00FE14:\n"               // deliberate halt: branch to self
            "   B       loc_FF00FE14 \n"
            "loc_FF00FE18:\n"
            "   LDR     R0, [R9, #0x12C] \n"
            "   BIC     R4, R8, R0 \n"
            "   LDR     R0, [R9, #0x128] \n"
            "   BIC     R5, R8, R0 \n"
            "loc_FF00FE28:\n"
            "   MOV     R3, R6 \n"           // args: R0=R4, R1=R5, R2=R7, R3=R6
            "   MOV     R2, R7 \n"
            "   MOV     R1, R5 \n"
            "   MOV     R0, R4 \n"
            "   BL      sub_FF025560 \n" // see beginning of sub_FF000358_my
            "   BL      sub_FF02555C \n"
            "   BL      sub_FF02B8DC \n"
            "   LDR     R1, =0x3CE000 \n"
            "   MOV     R0, #0 \n"
            "   BL      sub_FF02BD4C \n"
            "   BL      sub_FF02BAF4 \n"
            "   MOV     R3, #0 \n"
            "   STR     R3, [SP] \n"
            //" LDR     R3, =0xFF00FD28 \n" // original
            "   LDR     R3, =task_Startup_my \n" // patched: task entry point
            "   B       sub_FF00FE60 \n" // continue in firmware
    );
}
 372 
 373 /*----------------------------------------------------------------------
 374         task_Startup_my
 375 -----------------------------------------------------------------------*/
 376 // FF00FD28
/*
 * task_Startup_my: patched copy of firmware task_Startup (sub_FF00FD28).
 * Runs the firmware's init calls in order, with two CHDK changes: the call
 * that would start diskboot.bin again is left out, and CreateTask_spytask
 * plus the patched taskcreatePhySw_my replace the ROM PhySw task creation.
 * Tail-branches into firmware.
 */
void __attribute__((naked,noinline)) task_Startup_my() {
    asm volatile (
            "   STMFD   SP!, {R4,LR} \n"
            "   BL      sub_FF0065DC \n"
            "   BL      sub_FF026668 \n"
            "   BL      sub_FF023EF0 \n"
            "   BL      sub_FF024270 \n"
            //" BL      sub_FF02D758 \n"    // j_nullsub_???
            "   BL      sub_FF02D944 \n"
            "   BL      sub_FF024954 \n"
            "   BL      sub_FF02397C \n"
            "   MOV     R0, #1 \n"
            "   BL      sub_FF023E64 \n"
            //" BL      sub_FF02D7EC \n" // skip starting diskboot.bin again (would re-enter the boot loader)
            "   BL      sub_FF02DAFC \n"
            "   BL      sub_FF022378 \n"
            "   BL      sub_FF02D974 \n"
            "   BL      sub_FF02B080 \n"
            "   BL      sub_FF02DB00 \n"
            //" BL      sub_FF0253DC \n" // original *PhySw*
            "   BL      CreateTask_spytask \n" // added to create the Spytask
            "   BL      taskcreatePhySw_my \n" // patched taskcreate_PhySw()
            "   B       sub_FF00FD70 \n" // continue in firmware
    );
}
 402 
 403 /*----------------------------------------------------------------------
 404         taskcreatePhySw_my ff0253dc
 405 -----------------------------------------------------------------------*/
 406 // FF0253DC
/*
 * taskcreatePhySw_my: patched copy of firmware sub_FF0253DC. If the word at
 * 0x1C50 is already non-zero it branches to sub_FF025410 (presumably the
 * "already created" path — confirm); otherwise it sets up the task creation
 * with CHDK's mykbd_task as entry point and a 0x2000-byte stack instead of
 * the firmware's 0x800, then tail-branches into firmware.
 */
void __attribute__((naked,noinline)) taskcreatePhySw_my() {
    asm volatile (
            "   STMFD   SP!, {R3-R5,LR} \n"
            "   LDR     R4, =0x1C4C \n"
            "   LDR     R0, [R4, #4] \n"    // [0x1C50]
            "   CMP     R0, #0 \n"
            "   BNE     sub_FF025410 \n"
            "   MOV     R3, #0 \n"
            "   STR     R3, [SP] \n"
            //" LDR     R3, =0xFF0253A8 \n" // original
            "   LDR     R3, =mykbd_task \n" // patched: task entry point
            //" MOV     R2, #0x800 \n" // original
            "   MOV     R2, #0x2000 \n" // stack size for new task_PhySw so we don't have to do stack switch
            "   B       sub_FF025400 \n" // continue in firmware
    );
}
 423 
 424 
 425 /*----------------------------------------------------------------------
 426         init_file_modules_task
 427 -----------------------------------------------------------------------*/
 428 // FF09301C
/*
 * init_file_modules_task: patched copy of firmware task_InitFileModules
 * (sub_FF09301C); taskHook substitutes it for the ROM entry point. The only
 * CHDK change is the call to core_spytask_can_start after the firmware's
 * file-module init, so the spy task waits until that has run. Tail-branches
 * into firmware.
 */
void __attribute__((naked,noinline)) init_file_modules_task() {
    asm volatile (
            "   STMFD   SP!, {R4-R6,LR} \n"
            "   BL      sub_FF08ABA0 \n"
            "   LDR     R5, =0x5006 \n"
            "   MOVS    R4, R0 \n"
            "   MOVNE   R1, #0 \n"          // non-zero result: sub_FF08EDF0(0x5006, 0)
            "   MOVNE   R0, R5 \n"
            "   BLNE    sub_FF08EDF0 \n"
            "   BL      sub_FF08ABCC \n"
            "   BL      core_spytask_can_start\n" // added CHDK: Set "it's-safe-to-start"-Flag for spytask
            "   B       sub_FF09303C \n" // continue in firmware
    );
}
