1 #include "lolevel.h"
2 #include "platform.h"
3 #include "core.h"
4
5 const char * const new_sa = &_end;
6
7 void taskCreateHook(int *p)
8 {
9 p-=16;
10 if (p[0]==(int)0xFF821ACC) p[0]=(int)mykbd_task; // OK // WORK!
11 if (p[0]==(int)0xFF859DF8) p[0]=(int)movie_record_task; // OK // WORK!
12 if (p[0]==(int)0xFF85DE30) p[0]=(int)capt_seq_task; // OK
13 if (p[0]==(int)0xFF87719C) p[0]=(int)init_file_modules_task; // OK // WORK!
14 if (p[0]==(int)0xFF8B478C) p[0]=(int)exp_drv_task; // OK
15 if (p[0]==(int)0xFFA0AFE8) p[0]=(int)filewritetask;
16 }
17
18 void CreateTask_spytask()
19 {
20 _CreateTask("SpyTask", 0x19, 0x2000, core_spytask, 0);
21 }
22
23 void boot()
24 {
25 long *canon_data_src = (void*)0xFFB15AA4;
26 long *canon_data_dst = (void*)0x1900;
27 long canon_data_len = 0xEFE4 - 0x1900; // data_end - data_start
28 long *canon_bss_start = (void*)0xEFE4; // just after data
29 long canon_bss_len = 0xCBA08 - 0xEFE4;
30
31 long i;
32
33 // enable caches and write buffer
34 asm volatile (
35 "MRC p15, 0, R0,c1,c0\n"
36 "ORR R0, R0, #0x1000\n"
37 "ORR R0, R0, #4\n"
38 "ORR R0, R0, #1\n"
39 "MCR p15, 0, R0,c1,c0\n"
40 :::"r0"
41 );
42
43 for(i=0;i<canon_data_len/4;i++)
44 canon_data_dst[i]=canon_data_src[i];
45
46 for(i=0;i<canon_bss_len/4;i++)
47 canon_bss_start[i]=0;
48
49 // Captain Hook
50 *(int*)0x1930 = (int)taskCreateHook;
51
52 // jump to init-sequence that follows the data-copy-routine
53 asm volatile ("B sub_FF8101A4_my\n");
54 }
55
56 void __attribute__((naked,noinline)) sub_FF8101A4_my() // OK
57 {
58 asm volatile (
59 "LDR R0, =0xFF81021C\n" // exception handler code
60 "MOV R1, #0\n"
61 "LDR R3, =0xFF810254\n"
62
63 "loc_FF8101B0:\n"
64 "CMP R0, R3\n" // load exception vector
65 "LDRCC R2, [R0],#4\n"
66 "STRCC R2, [R1],#4\n"
67 "BCC loc_FF8101B0\n"
68 "LDR R0, =0xFF810254\n"
69 "MOV R1, #0x4B0\n"
70 "LDR R3, =0xFF810468\n"
71
72 "loc_FF8101CC:\n"
73 "CMP R0, R3\n" // copy IRQ handler to ITCM starting at 0x4b0, 532 bytes up to 0x6C4
74 "LDRCC R2, [R0],#4\n"
75 "STRCC R2, [R1],#4\n"
76 "BCC loc_FF8101CC\n"
77 "MOV R0, #0xD2\n"
78 "MSR CPSR_cxsf, R0\n" // set CPSR mode = IRQ, ints disabled
79 "MOV SP, #0x1000\n" // irq mode SP
80 "MOV R0, #0xD3\n"
81 "MSR CPSR_cxsf, R0\n" // set CPSR mode = Super, ints disabled
82 "MOV SP, #0x1000\n" // super mode SP
83 //"LDR R0, loc_FF810210\n"
84 "LDR R0, =0x6C4\n" // +
85 "LDR R2, =0xEEEEEEEE\n"
86 "MOV R3, #0x1000\n"
87
88 "loc_FF810200:\n"
89 "CMP R0, R3\n" // clear ITCM 0x6C4-end with EEEEEEEE
90 "STRCC R2, [R0],#4\n"
91 "BCC loc_FF810200\n"
92 "BL sub_FF810FA0_my\n" //------------->
93 );
94 }
95
96 void __attribute__((naked,noinline)) sub_FF810FA0_my() // OK
97 {
98 asm volatile (
99 "STR LR, [SP,#-4]!\n"
100 "SUB SP, SP, #0x74\n"
101 "MOV R0, SP\n"
102 "MOV R1, #0x74\n"
103 "BL sub_FFAA6FAC\n"
104 "MOV R0, #0x53000\n"
105 "STR R0, [SP,#4]\n"
106 #if defined(CHDK_NOT_IN_CANON_HEAP)
107 "LDR R0, =0xCBA08\n"
108 #else
109 "LDR R0, =new_sa\n" // +
110 "LDR R0, [R0]\n" // +
111 #endif
112 "LDR R2, =0x279C00\n"
113 "LDR R1, =0x272968\n"
114 "STR R0, [SP,#0x74-0x6C]\n"
115 "SUB R0, R1, R0\n"
116 "ADD R3, SP, #0x74-0x68\n"
117 "STR R2, [SP,#0x74-0x74]\n"
118 "STMIA R3, {R0-R2}\n"
119 "MOV R0, #0x22\n"
120 "STR R0, [SP,#0x74-0x5C]\n"
121 "MOV R0, #0x68\n"
122 "STR R0, [SP,#0x74-0x58]\n"
123 "LDR R0, =0x19B\n"
124 "MOV R1, #0x64\n"
125 "STRD R0, [SP,#0x74-0x54]\n"
126 "MOV R0, #0x78\n"
127 "STRD R0, [SP,#0x74-0x4C]\n"
128 "MOV R0, #0\n"
129 "STR R0, [SP,#0x74-0x44]\n"
130 "STR R0, [SP,#0x74-0x40]\n"
131 "MOV R0, #0x10\n"
132 "STR R0, [SP,#0x74-0x18]\n"
133 "MOV R0, #0x800\n"
134 "STR R0, [SP,#0x74-0x14]\n"
135 "MOV R0, #0xA0\n"
136 "STR R0, [SP,#0x74-0x10]\n"
137 "MOV R0, #0x280\n"
138 "STR R0, [SP,#0x74-0xC]\n"
139 // "LDR R1, =0xFF814DA4\n"
140 "LDR R1, =uHwSetup_my\n" //------------->
141 "MOV R0, SP\n"
142 "MOV R2, #0\n"
143 "BL sub_FF812D58\n"
144 "ADD SP, SP, #0x74\n"
145 "LDR PC, [SP],#4\n"
146 );
147 }
148
149 // Extracted method: uHwSetup (FF814DA4)
150 void __attribute__((naked,noinline)) uHwSetup_my() // OK
151 {
152 asm volatile (
153 "STMFD SP!, {R4,LR}\n"
154 "BL sub_FF81094C\n"
155 "BL sub_FF819664\n"
156 "CMP R0, #0\n"
157 "LDRLT R0, =0xFF814EB8\n" // "dmSetup"
158 "BLLT sub_FF814E98\n"
159 "BL sub_FF8149C8\n"
160 "CMP R0, #0\n"
161 "LDRLT R0, =0xFF814EC0\n" // "termDriverInit"
162 "BLLT sub_FF814E98\n"
163 "LDR R0, =0xFF814ED0\n" // "/_term"
164 "BL sub_FF814AB4\n"
165 "CMP R0, #0\n"
166 "LDRLT R0, =0xFF814ED8\n" // "termDeviceCreate"
167 "BLLT sub_FF814E98\n"
168 "LDR R0, =0xFF814ED0\n" // "/_term"
169 "BL sub_FF813564\n"
170 "CMP R0, #0\n"
171 "LDRLT R0, =0xFF814EEC\n" // "stdioSetup"
172 "BLLT sub_FF814E98\n"
173 "BL sub_FF8191EC\n"
174 "CMP R0, #0\n"
175 "LDRLT R0, =0xFF814EF8\n" // "stdlibSetup"
176 "BLLT sub_FF814E98\n"
177 "BL sub_FF8114B8\n"
178 "CMP R0, #0\n"
179 "LDRLT R0, =0xFF814F04\n" // "armlib_setup"
180 "BLLT sub_FF814E98\n"
181 "LDMFD SP!, {R4,LR}\n"
182 "B taskcreate_Startup_my\n" //------------->
183 );
184 }
185
186 // Extracted method: taskcreate_Startup (FF81CCBC)
187 void __attribute__((naked,noinline)) taskcreate_Startup_my() // OK
188 {
189 asm volatile (
190 "STMFD SP!, {R3,LR}\n"
191 "BL sub_FF821BEC\n" // j_nullsub_214
192 "BL sub_FF829EDC\n"
193 "CMP R0, #0\n"
194 "BNE loc_FF81CCEC\n"
195 "BL sub_FF821BE8\n"
196 "CMP R0, #0\n"
197 "BNE loc_FF81CCEC\n"
198 "LDR R1, =0xC0220000\n"
199 "MOV R0, #0x44\n"
200 "STR R0, [R4,#0x4C]\n"
201
202 "loc_FF81CCE8:\n"
203 "B loc_FF81CCE8\n"
204
205 "loc_FF81CCEC:\n"
206 "BL sub_FF821BF4\n"
207 "BL sub_FF821BF0\n"
208 "BL sub_FF828264\n"
209 "LDR R1, =0x2CE000\n"
210 "MOV R0, #0\n"
211 "BL sub_FF8284AC\n"
212 "BL sub_FF828458\n" // LOCATION: KerSys.c:548
213 "MOV R3, #0\n"
214 "STR R3, [SP,#0x8-0x8]\n"
215 // "ADR R3, 0xFF81CC60\n" // task_Startup
216 "LDR R3, =task_Startup_my\n" //------------->
217 "MOV R2, #0\n"
218 "MOV R1, #0x19\n"
219 "LDR R0, =0xFF81CD34\n" // "Startup"
220 "BL sub_FF81B818\n" // eventproc_export_CreateTask
221 "MOV R0, #0\n"
222 "LDMFD SP!, {R12,PC}\n"
223 );
224 }
225
226 // Extracted method: task_Startup (FF81CC60) // OK
227 void __attribute__((naked,noinline)) task_Startup_my()
228 {
229 asm volatile (
230 "STMFD SP!, {R4,LR}\n"
231 "BL sub_FF81516C\n" // taskcreate_ClockSave
232 "BL sub_FF822D50\n"
233 "BL sub_FF81FDF0\n"
234 "BL sub_FF829F1C\n"
235 "BL sub_FF82A0E4\n"
236 // "BL sub_FF829FA4\n" // StartDiskBoot
237 "BL CreateTask_spytask\n" // +
238 "BL sub_FF82A298\n"
239 "BL sub_FF82A134\n"
240 "BL sub_FF8277A4\n"
241 "BL sub_FF82A29C\n"
242 "BL sub_FF821B00\n" // taskcreate_PhySw
243 "BL sub_FF824CB4\n" // task_ShootSeqTask
244 "BL sub_FF82A2B4\n"
245 "BL sub_FF81FB10\n" // nullsub_2
246 "BL sub_FF820FBC\n"
247 "BL sub_FF829CA4\n" // taskcreate_Bye
248 "BL sub_FF821630\n"
249 "BL sub_FF820EAC\n" // taskcreate_TempCheck
250 "BL sub_FF82ABFC\n"
251 "BL sub_FF820E68\n"
252 "LDMFD SP!, {R4,PC}\n"
253 "BL sub_FF815070\n" // LOCATION: ClkEnabler.c:144
254 );
255 }
256
257 //Extracted method: task_InitFileModules (FF87719C)
258 void __attribute__((naked,noinline)) init_file_modules_task() // OK
259 {
260 asm volatile (
261 "STMFD SP!, {R4-R6,LR}\n"
262 "BL sub_FF86D668\n"
263 "LDR R5, =0x5006\n"
264 "MOVS R4, R0\n"
265 "MOVNE R1, #0\n"
266 "MOVNE R0, R5\n"
267 "BLNE sub_FF872FAC\n" // PostLogicalEventToUI
268 // "BL sub_FF86D694\n"
269 "BL sub_FF86D694_my\n" //------------->
270 "BL core_spytask_can_start\n" // + safe to start spytask
271 "CMP R4, #0\n"
272 "MOVEQ R0, R5\n"
273 "LDMEQFD SP!, {R4-R6,LR}\n"
274 "MOVEQ R1, #0\n"
275 "BEQ sub_FF872FAC\n" // PostLogicalEventToUI
276 "LDMFD SP!, {R4-R6,PC}\n"
277 );
278 }
279
280 void __attribute__((naked,noinline)) sub_FF86D694_my() // OK
281 {
282 asm volatile (
283 "STMFD SP!, {R4,LR}\n"
284 // "BL sub_FF84ECF4\n"
285 "BL sub_FF84ECF4_my\n" //------------->
286 "LDR R4, =0x57A8\n"
287 "LDR R0, [R4,#4]\n"
288 "CMP R0, #0\n"
289 "BNE loc_FF86D6C4\n"
290 "BL sub_FF87FBB0\n"
291 "BL sub_FF902FEC\n"
292 "BL sub_FF87FBB0\n"
293 "BL sub_FF84C6E4\n"
294 "BL sub_FF87FBC0\n"
295 "BL sub_FF9030B8\n"
296
297 "loc_FF86D6C4:\n"
298 "MOV R0, #1\n"
299 "STR R0, [R4]\n"
300 "LDMFD SP!, {R4,PC}\n"
301 );
302 }
303
304 void __attribute__((naked,noinline)) sub_FF84ECF4_my() // OK
305 {
306 asm volatile (
307 "STMFD SP!, {R4-R6,LR}\n"
308 "MOV R6, #0\n"
309 "MOV R0, R6\n"
310 "BL sub_FF84E7B4\n"
311 "LDR R4, =0x11750\n"
312 "MOV R5, #0\n"
313 "LDR R0, [R4,#0x38]\n"
314 "BL sub_FF84F1E8\n"
315 "CMP R0, #0\n"
316 "LDREQ R0, =0x29AC\n"
317 "STREQ R5, [R0,#0x10]\n"
318 "STREQ R5, [R0,#0x14]\n"
319 "STREQ R5, [R0,#0x18]\n"
320 "MOV R0, R6\n"
321 "BL sub_FF84E7F4\n" // LOCATION: Mounter.c:0
322 "MOV R0, R6\n"
323 // "BL sub_FF84EB30"
324 "BL sub_FF84EB30_my\n" //------------->
325 "MOV R5, R0\n"
326 "MOV R0, R6\n"
327 "BL sub_FF84EB9C\n" // LOCATION: Mounter.c:8
328 "LDR R1, [R4,#0x3C]\n"
329 "AND R2, R5, R0\n"
330 "CMP R1, #0\n"
331 "MOV R0, #0\n"
332 "MOVEQ R0, #0x80000001\n"
333 "BEQ loc_FF84ED88\n"
334 "LDR R3, [R4,#0x2C]\n"
335 "CMP R3, #2\n"
336 "MOVEQ R0, #4\n"
337 "CMP R1, #5\n"
338 "ORRNE R0, R0, #1\n"
339 "BICEQ R0, R0, #1\n"
340 "CMP R2, #0\n"
341 "BICEQ R0, R0, #2\n"
342 "ORREQ R0, R0, #0x80000000\n"
343 "BICNE R0, R0, #0x80000000\n"
344 "ORRNE R0, R0, #2\n"
345
346 "loc_FF84ED88:\n"
347 "STR R0, [R4,#0x40]\n"
348 "LDMFD SP!, {R4-R6,PC}\n"
349 );
350 }
351
352 void __attribute__((naked,noinline)) sub_FF84EB30_my() // OK
353 {
354 asm volatile (
355 "STMFD SP!, {R4-R6,LR}\n"
356 "LDR R5, =0x29AC\n"
357 "MOV R6, R0\n"
358 "LDR R0, [R5,#0x14]\n"
359 "CMP R0, #0\n"
360 "MOVNE R0, #1\n"
361 "LDMNEFD SP!, {R4-R6,PC}\n"
362 "MOV R0, #0x17\n"
363 "MUL R1, R0, R6\n"
364 "LDR R0, =0x11750\n"
365 "ADD R4, R0, R1,LSL#2\n"
366 "LDR R0, [R4,#0x38]\n"
367 "MOV R1, R6\n"
368 // "BL sub_FF84E8C0\n" // LOCATION: Mounter.c:884
369 "BL sub_FF84E8C0_my\n" //------------->
370 "CMP R0, #0\n"
371 "LDMEQFD SP!, {R4-R6,PC}\n"
372 "LDR R0, [R4,#0x38]\n"
373 "MOV R1, R6\n"
374 "BL sub_FF84EA28\n" // LOCATION: Mounter.c:0
375 "CMP R0, #0\n"
376 "LDMEQFD SP!, {R4-R6,PC}\n"
377 "MOV R0, R6\n"
378 "BL sub_FF84E3BC\n"
379 "CMP R0, #0\n"
380 "MOVNE R1, #1\n"
381 "STRNE R1, [R5,#0x14]\n"
382 "LDMFD SP!, {R4-R6,PC}\n"
383 );
384 }
385
386 void __attribute__((naked,noinline)) sub_FF84E8C0_my() // OK
387 {
388 asm volatile (
389 "STMFD SP!, {R4-R8,LR}\n"
390 "MOV R8, R0\n"
391 "MOV R0, #0x17\n"
392 "MUL R1, R0, R1\n"
393 "LDR R0, =0x11750\n"
394 "MOV R6, #0\n"
395 "ADD R7, R0, R1,LSL#2\n"
396 "LDR R0, [R7,#0x3C]\n"
397 "MOV R5, #0\n"
398 "CMP R0, #6\n"
399 "ADDLS PC, PC, R0,LSL#2\n"
400 "B loc_FF84EA0C\n"
401
402 "loc_FF84E8F0:\n"
403 "B loc_FF84E924\n"
404
405 "loc_FF84E8F4:\n"
406 "B loc_FF84E90C\n"
407
408 "loc_FF84E8F8:\n"
409 "B loc_FF84E90C\n"
410
411 "loc_FF84E8FC:\n"
412 "B loc_FF84E90C\n"
413
414 "loc_FF84E900:\n"
415 "B loc_FF84E90C\n"
416
417 "loc_FF84E904:\n"
418 "B loc_FF84EA04\n"
419
420 "loc_FF84E908:\n"
421 "B loc_FF84E90C\n"
422
423 "loc_FF84E90C:\n"
424 // jumptable FF858EAC entries 1-4,6
425 "MOV R2, #0\n"
426 "MOV R1, #0x200\n"
427 "MOV R0, #3\n"
428 "BL sub_FF867814\n"
429 "MOVS R4, R0\n"
430 "BNE loc_FF84E92C\n"
431
432 "loc_FF84E924:\n"
433 // jumptable FF858EAC entry 0
434 "MOV R0, #0\n"
435 "LDMFD SP!, {R4-R8,PC}\n"
436
437 "loc_FF84E92C:\n"
438 "LDR R12, [R7,#0x4C]\n"
439 "MOV R3, R4\n"
440 "MOV R2, #1\n"
441 "MOV R1, #0\n"
442 "MOV R0, R8\n"
443 "BLX R12\n"
444 "CMP R0, #1\n"
445 "BNE loc_FF84E958\n"
446 "MOV R0, #3\n"
447 "BL sub_FF867954\n" // LOCATION: ExMemMan.c:0
448 "B loc_FF84E924\n"
449
450 "loc_FF84E958:\n"
451 "MOV R0, R8\n"
452 "BL sub_FF920814\n"
453
454 "MOV R1, R4\n" // pointer to MBR in R1
455 "BL mbr_read_dryos\n" // total sectors count in R0 before and after call
456
457 // Start of DataGhost's FAT32 autodetection code
458 // Policy: If there is a partition which has type W95 FAT32, use the first one of those for image storage
459 // According to the code below, we can use R1, R2, R3 and R12.
460 // LR wasn't really used anywhere but for storing a part of the partition signature. This is the only thing
461 // that won't work with an offset, but since we can load from LR+offset into LR, we can use this to do that :)
462 "MOV R12, R4\n" // Copy the MBR start address so we have something to work with
463 "MOV LR, R4\n" // Save old offset for MBR signature
464 "MOV R1, #1\n" // Note the current partition number
465 "B dg_sd_fat32_enter\n" // We actually need to check the first partition as well, no increments yet!
466
467 "dg_sd_fat32:\n"
468 "CMP R1, #4\n" // Did we already see the 4th partition?
469 "BEQ dg_sd_fat32_end\n" // Yes, break. We didn't find anything, so don't change anything.
470 "ADD R12, R12, #0x10\n" // Second partition
471 "ADD R1, R1, #1\n" // Second partition for the loop
472
473 "dg_sd_fat32_enter:\n"
474 "LDRB R2, [R12, #0x1BE]\n" // Partition status
475 "LDRB R3, [R12, #0x1C2]\n" // Partition type (FAT32 = 0xB)
476 "CMP R3, #0xB\n" // Is this a FAT32 partition?
477 "CMPNE R3, #0xC\n" // Not 0xB, is it 0xC (FAT32 LBA) then?
478 "BNE dg_sd_fat32\n" // No, it isn't. Loop again.
479 "CMP R2, #0x00\n" // It is, check the validity of the partition type
480 "CMPNE R2, #0x80\n"
481 "BNE dg_sd_fat32\n" // Invalid, go to next partition
482 // This partition is valid, it's the first one, bingo!
483 "MOV R4, R12\n" // Move the new MBR offset for the partition detection.
484
485 "dg_sd_fat32_end:\n"
486 // End of DataGhost's FAT32 autodetection code
487
488 "LDRB R1, [R4,#0x1C9]\n"
489 "LDRB R3, [R4,#0x1C8]\n"
490 "LDRB R12, [R4,#0x1CC]\n"
491 "MOV R1, R1,LSL#24\n"
492 "ORR R1, R1, R3,LSL#16\n"
493 "LDRB R3, [R4,#0x1C7]\n"
494 "LDRB R2, [R4,#0x1BE]\n"
495 //"LDRB LR, [R4,#0x1FF]\n" // -
496 "ORR R1, R1, R3,LSL#8\n"
497 "LDRB R3, [R4,#0x1C6]\n"
498 "CMP R2, #0\n"
499 "CMPNE R2, #0x80\n"
500 "ORR R1, R1, R3\n"
501 "LDRB R3, [R4,#0x1CD]\n"
502 "MOV R3, R3,LSL#24\n"
503 "ORR R3, R3, R12,LSL#16\n"
504 "LDRB R12, [R4,#0x1CB]\n"
505 "ORR R3, R3, R12,LSL#8\n"
506 "LDRB R12, [R4,#0x1CA]\n"
507 "ORR R3, R3, R12\n"
508 //"LDRB R12, [R4,#0x1FE]\n" // -
509 "LDRB R12, [LR,#0x1FE]\n" // +
510 "LDRB LR, [LR,#0x1FF]\n" // +
511 "MOV R4, #0\n"
512 "BNE loc_FF84E9E0\n"
513 "CMP R0, R1\n"
514 "BCC loc_FF84E9E0\n"
515 "ADD R2, R1, R3\n"
516 "CMP R2, R0\n"
517 "CMPLS R12, #0x55\n"
518 "CMPEQ LR, #0xAA\n"
519 "MOVEQ R6, R1\n"
520 "MOVEQ R5, R3\n"
521 "MOVEQ R4, #1\n"
522
523 "loc_FF84E9E0:\n"
524 "MOV R0, #3\n"
525 "BL sub_FF867954\n" // LOCATION: ExMemMan.c:0
526 "CMP R4, #0\n"
527 "BNE loc_FF84EA18\n"
528 "MOV R6, #0\n"
529 "MOV R0, R8\n"
530 "BL sub_FF920814\n"
531 "MOV R5, R0\n"
532 "B loc_FF84EA18\n"
533
534 "loc_FF84EA04:\n"
535 // jumptable FF858EAC entry 5
536 "MOV R5, #0x40\n"
537 "B loc_FF84EA18\n"
538
539 "loc_FF84EA0C:\n"
540 // jumptable FF858EAC default entry
541 "LDR R1, =0x374\n"
542 "LDR R0, =0xFF858E78\n" // "Mounter.c"
543 "BL _DebugAssert\n"
544
545 "loc_FF84EA18:\n"
546 "STR R6, [R7,#0x44]!\n"
547 "MOV R0, #1\n"
548 "STR R5, [R7,#4]\n"
549 "LDMFD SP!, {R4-R8,PC}\n"
550 );
551 }
552