root/platform/a1100/sub/100c/boot.c


DEFINITIONS

This source file includes the following definitions.
  1. taskHook
  2. CreateTask_spytask
  3. boot
  4. sub_FFC001A0_my
  5. sub_FFC00FC4_my
  6. sub_FFC04D38_my
  7. taskcreate_Startup_my
  8. task_Startup_my
  9. init_file_modules_task
  10. sub_FFC59CC8_my
  11. sub_FFC3E9BC_my
  12. sub_FFC3E75C_my
  13. sub_FFC3E4EC_my

   1 #include "lolevel.h"
   2 #include "platform.h"
   3 #include "core.h"
   4 #include "dryos31.h"
   5 
/*
 * Local offsetof: byte offset of MEMBER inside TYPE, obtained by taking the
 * member's address through a null TYPE pointer and casting it to int.
 * NOTE(review): <stddef.h> offsetof is the portable spelling; this form
 * depends on the compiler tolerating the null-pointer member access.
 */
#define offsetof(TYPE, MEMBER) ((int) &((TYPE *)0)->MEMBER)

// Address of the _end symbol (presumably the linker-provided end of the CHDK
// image; its declaration is not in this file). sub_FFC00FC4_my loads this
// value as the heap start when CHDK_NOT_IN_CANON_HEAP is not defined.
const char * const new_sa = &_end;

// Firmware task entry points. taskHook() compares a task's entry address
// against each of these and substitutes the CHDK replacement on a match.
extern void task_CaptSeq();
extern void task_InitFileModules();
extern void task_MovieRecord();
extern void task_ExpDrv();
extern void task_PhySw();
extern void task_FileWrite();
  16 
/*
 * Hook routine installed by sub_FFC001A0_my (its address is written to
 * 0x1934 and 0x1938). It receives a pointer to the 'context' member of a
 * task_t, recovers the enclosing task_t, and redirects selected firmware
 * task entry points to their CHDK replacements.
 *
 * The entry field is re-read for every table row and no row terminates the
 * scan, so the behaviour matches a plain sequence of independent 'if'
 * statements evaluated in table order.
 */
void taskHook(context_t **context) {
    /* firmware entry point -> CHDK replacement, in evaluation order */
    static const struct {
        void *firmware_entry;
        void *replacement;
    } redirect[] = {
        { (void*)task_PhySw,           (void*)mykbd_task },
        { (void*)task_CaptSeq,         (void*)capt_seq_task },
        { (void*)task_InitFileModules, (void*)init_file_modules_task },
        { (void*)task_MovieRecord,     (void*)movie_record_task },
        { (void*)task_ExpDrv,          (void*)exp_drv_task },
        { (void*)task_FileWrite,       (void*)filewritetask },
    };
    unsigned row;

    /* Step back from the 'context' member to the start of its task_t. */
    char *member_addr = (char*)context;
    task_t *task = (task_t*)(member_addr - offsetof(task_t, context));

    for (row = 0; row < sizeof(redirect) / sizeof(redirect[0]); row++) {
        if (task->entry == redirect[row].firmware_entry) {
            task->entry = redirect[row].replacement;
        }
    }
}
  28 
/*
 * Starts the CHDK "SpyTask" task with core_spytask as its entry point.
 * Called from task_Startup_my via "BL CreateTask_spytask".
 *
 * The numeric arguments are passed through unchanged: 0x19 and 0x2000 are
 * presumably the task priority and stack size, and the trailing 0 the task
 * argument; confirm against the _CreateTask prototype.
 */
void CreateTask_spytask()
{
    _CreateTask("SpyTask", 0x19, 0x2000, core_spytask, 0);
}
  33 
  34 
/*
 * boot: CHDK entry routine. It appears to reproduce the start of the firmware
 * boot sequence (labels keep their firmware addresses) and then branches to
 * sub_FFC001A0_my instead of the firmware's loc_FFC001A0, which is how the
 * patched start-up chain in this file gets control.
 *
 * The function is naked: the compiler emits no prologue or epilogue, and the
 * body never returns (it ends in an unconditional branch).
 *
 * NOTE(review): the CP15 descriptions below assume an ARM946E-S-style
 * coprocessor register layout; confirm against the core's reference manual.
 * This code programs the memory protection and cache state for everything
 * that runs afterwards, so any edit to a constant here changes the platform's
 * access-control baseline.
 */
void __attribute__((naked,noinline)) boot() {

    asm volatile (
                 // Store 0 to the MMIO word at 0xC0410000 (purpose not visible here).
                 "LDR     R1, =0xC0410000\n"
                 "MOV     R0, #0\n"
                 "STR     R0, [R1]\n"
                 // Write 0x78 to CP15 c1,c0 (control register), then issue three
                 // c7 operations with R1 = 0; presumably drain write buffer and
                 // invalidate instruction/data caches.
                 "MOV     R1, #0x78\n"
                 "MCR     p15, 0, R1,c1,c0\n"
                 "MOV     R1, #0\n"
                 "MCR     p15, 0, R1,c7,c10, 4\n"
" loc_FFC00028:\n"                                                    
                 "MCR     p15, 0, R1,c7,c5\n"
                 "MCR     p15, 0, R1,c7,c6\n"
                 // Six descriptors written to c6,c0 .. c6,c5; presumably the
                 // base/size/enable words of protection regions 0-5.
                 "MOV     R0, #0x3D\n"
                 "MCR     p15, 0, R0,c6,c0\n"
                 "MOV     R0, #0xC000002F\n"
                 "MCR     p15, 0, R0,c6,c1\n"
                 "MOV     R0, #0x33\n"
                 "MCR     p15, 0, R0,c6,c2\n"
                 "MOV     R0, #0x40000033\n"
                 "MCR     p15, 0, R0,c6,c3\n"
                 "MOV     R0, #0x80000017\n"
                 "MCR     p15, 0, R0,c6,c4\n"
                 "LDR     R0, =0xFFC0002B\n"
                 "MCR     p15, 0, R0,c6,c5\n"
                 // Same mask 0x34 written to c2,c0,0 / c2,c0,1 / c3,c0; presumably
                 // per-region cacheable (data, instruction) and bufferable bits.
                 "MOV     R0, #0x34\n"
                 "MCR     p15, 0, R0,c2,c0\n"
                 "MOV     R0, #0x34\n"
                 "MCR     p15, 0, R0,c2,c0, 1\n"
                 "MOV     R0, #0x34\n"
                 "MCR     p15, 0, R0,c3,c0\n"
                 // 0x3333330 written to c5,c0,2 and c5,c0,3; presumably the
                 // extended data/instruction access-permission registers.
                 // NOTE(review): if so, every nibble but the lowest grants the
                 // same permission value 3; confirm the intended policy.
                 "LDR     R0, =0x3333330\n"
                 "MCR     p15, 0, R0,c5,c0, 2\n"
                 "LDR     R0, =0x3333330\n"
                 "MCR     p15, 0, R0,c5,c0, 3\n"
                 // Read-modify-write of the control register: set bits 0x1000,
                 // 0x4 and 0x1 (presumably I-cache, D-cache and protection-unit
                 // enable).
                 "MRC     p15, 0, R0,c1,c0\n"
                 "ORR     R0, R0, #0x1000\n"
                 "ORR     R0, R0, #4\n"
                 "ORR     R0, R0, #1\n"
                 "MCR     p15, 0, R0,c1,c0\n"
                 // c9,c1,0 and c9,c1,1 (presumably data/instruction TCM region
                 // registers), then set bits 0x50000 in the control register
                 // (presumably the TCM enables).
                 "MOV     R1, #0x80000006\n"
                 "MCR     p15, 0, R1,c9,c1\n"
                 "MOV     R1, #6\n"
                 "MCR     p15, 0, R1,c9,c1, 1\n"
                 "MRC     p15, 0, R1,c1,c0\n"
                 "ORR     R1, R1, #0x50000\n"
                 "MCR     p15, 0, R1,c1,c0\n"
                 // MMIO block at 0xC0200000: write 1 to offset 0x10C, then 0xFF
                 // to sixteen registers at offsets 0x0C, 0x1C, ... 0xFC.
                 "LDR     R2, =0xC0200000\n"
                 "MOV     R1, #1\n"
                 "STR     R1, [R2,#0x10C]\n"
                 "MOV     R1, #0xFF\n"
                 "STR     R1, [R2,#0xC]\n"
                 "STR     R1, [R2,#0x1C]\n"
                 "STR     R1, [R2,#0x2C]\n"
                 "STR     R1, [R2,#0x3C]\n"
                 "STR     R1, [R2,#0x4C]\n"
                 "STR     R1, [R2,#0x5C]\n"
                 "STR     R1, [R2,#0x6C]\n"
                 "STR     R1, [R2,#0x7C]\n"
                 "STR     R1, [R2,#0x8C]\n"
                 "STR     R1, [R2,#0x9C]\n"
                 "STR     R1, [R2,#0xAC]\n"
                 "STR     R1, [R2,#0xBC]\n"
                 "STR     R1, [R2,#0xCC]\n"
                 "STR     R1, [R2,#0xDC]\n"
                 "STR     R1, [R2,#0xEC]\n"
                 "STR     R1, [R2,#0xFC]\n"
                 // Write 0x430005 to 0xC0400008.
                 "LDR     R1, =0xC0400008\n"
                 "LDR     R2, =0x430005\n"
                 "STR     R2, [R1]\n"
                 // NOTE(review): as written this stores the constant 0xC0243100
                 // to address 1 (R1 = 1 is the pointer, R2 the value). Operands
                 // look swapped relative to the surrounding MMIO writes; verify
                 // against the firmware disassembly before changing.
                 "MOV     R1, #1\n"
                 "LDR     R2, =0xC0243100\n"
                 "STR     R2, [R1]\n"
                 // Set bit 0 of the MMIO word at 0xC0242010.
                 "LDR     R2, =0xC0242010\n"
                 "LDR     R1, [R2]\n"
                 "ORR     R1, R1, #1\n"
                 "STR     R1, [R2]\n"
                 // Copy words from 0xFFED53A0 into RAM starting at 0x1900 until
                 // the destination reaches 0xB1B0 (presumably initialised data).
                 "LDR     R0, =0xFFED53A0\n"
                 "LDR     R1, =0x1900\n"
                 "LDR     R3, =0xB1B0\n"
 "loc_FFC0013C:\n"                          
                 "CMP     R1, R3\n"
                 "LDRCC   R2, [R0],#4\n"
                 "STRCC   R2, [R1],#4\n"
                 "BCC     loc_FFC0013C\n"
                 // Zero-fill RAM from 0xB1B0 up to 0x12ED1C (presumably BSS).
                 // 0x12ED1C is also the original heap start used in
                 // sub_FFC00FC4_my when CHDK_NOT_IN_CANON_HEAP is defined.
                 "LDR     R1, =0x12ED1C\n"
                 "MOV     R2, #0\n"
 "loc_FFC00154:\n"                           
                 "CMP     R3, R1\n"
                 "STRCC   R2, [R3],#4\n"
                 "BCC     loc_FFC00154\n"
               // Original continuation, replaced by the patched routine below.
               //  "B       loc_FFC001A0\n"
                                                        "B        sub_FFC001A0_my\n"
    );
};
 130 
 131 
/*
 * sub_FFC001A0_my: patched copy of the firmware code at FFC001A0, reached
 * from boot(). It installs taskHook, sets one RAM flag from a hardware
 * register, copies two firmware code ranges to low RAM, sets up two mode
 * stacks, fills a RAM range with a marker pattern, and continues in
 * sub_FFC00FC4_my.
 *
 * NOTE(review): the function is naked yet contains C statements before the
 * asm block. GCC documents only basic asm as supported inside naked
 * functions; these stores work only as long as the compiler needs no stack
 * frame for them. Re-check the generated code after any compiler or
 * optimisation-level change.
 */
void __attribute__((naked,noinline)) sub_FFC001A0_my() {

     // Install taskHook in the RAM words at 0x1934 and 0x1938 (presumably the
     // kernel's task hook slots; 0x1930 is deliberately left alone). Both
     // addresses lie inside the 0x1900..0xB1B0 range that boot() has just
     // filled from ROM, so these writes must come after that copy.
     //*(int*)0x1930=(int)taskHook;
     *(int*)0x1934=(int)taskHook;
     *(int*)0x1938=(int)taskHook;
         
     // Bit 0 of the MMIO word at 0xC0220134 selects the value stored at 0x2234.
     *(int*)(0x2234)= (*(int*)0xC0220134)&1 ?0x200000 : 0x100000; // replacement of sub_FFC3040C for correct power-on.

      
   asm volatile (
                // Copy 0xFFC00218..0xFFC00250 to address 0 (presumably the
                // exception vector area).
                "LDR     R0, =0xFFC00218\n"
                 "MOV     R1, #0   \n"
                 "LDR     R3, =0xFFC00250\n"
 "loc_FFC001AC:\n"                           
                 "CMP     R0, R3\n"
                 "LDRCC   R2, [R0],#4\n"
                 "STRCC   R2, [R1],#4\n"
                 "BCC     loc_FFC001AC\n"
                 // Copy 0xFFC00250..0xFFC00464 to RAM at 0x4B0.
                 "LDR     R0, =0xFFC00250\n"
                 "MOV     R1, #0x4B0\n"
                 "LDR     R3, =0xFFC00464\n"
 "loc_FFC001C8:\n"                        
                 "CMP     R0, R3\n"
                 "LDRCC   R2, [R0],#4\n"
                 "STRCC   R2, [R1],#4\n"
                 "BCC     loc_FFC001C8\n"
                 // CPSR = 0xD2 then 0xD3: IRQ mode, then supervisor mode, both
                 // with IRQ and FIQ masked. SP is set to 0x1000 in each mode.
                 "MOV     R0, #0xD2\n"
                 "MSR     CPSR_cxsf, R0\n"
                 "MOV     SP, #0x1000\n"
                 "MOV     R0, #0xD3\n"
                 "MSR     CPSR_cxsf, R0\n"
                 "MOV     SP, #0x1000\n"
                 // Fill 0x6C4..0x1000 with 0xEEEEEEEE (presumably a stack
                 // fill pattern for the region below the stack top set above).
                 "LDR     R0, =0x6C4\n"
                 "LDR     R2, =0xEEEEEEEE\n"
                 "MOV     R3, #0x1000\n"
 "loc_FFC001FC:\n"                        
                 "CMP     R0, R3\n"
                 "STRCC   R2, [R0],#4\n"
                 "BCC     loc_FFC001FC\n"
               // Original call, replaced by the patched routine. Nothing follows
               // the BL, so the callee is expected not to return here.
               //  "BL      sub_FFC00FC4\n"
                 "BL      sub_FFC00FC4_my\n" //-------->
     );
}
 175 //----------------------------------------------------------------------------------------------------------------------------------to doing
/*
 * sub_FFC00FC4_my: patched copy of firmware sub_FFC00FC4. It builds a 0x74-byte
 * parameter block on the stack, substitutes the heap start address and the
 * next-stage routine (sub_FFC04D38_my), and then branches into the firmware
 * at sub_FFC01018 to finish the original function.
 *
 * Heap start selection:
 *   - CHDK_NOT_IN_CANON_HEAP defined: the firmware's own value 0x12ED1C.
 *   - otherwise: the value of new_sa (address of _end), so the heap begins
 *     after the CHDK image.
 */
void __attribute__((naked,noinline)) sub_FFC00FC4_my() {

     asm volatile (
                 // Save LR, reserve 0x74 bytes, and pass (SP, 0x74) to
                 // sub_FFE6C5B0; presumably a zero-fill of the block.
                 "STR     LR, [SP,#-4]!\n"
                 "SUB     SP, SP, #0x74\n"
                 "MOV     R0, SP\n"
                 "MOV     R1, #0x74\n"               
                "BL      sub_FFE6C5B0\n"       
                 "MOV     R0, #0x53000\n"
                 "STR     R0, [SP,#4]\n"
#if defined(CHDK_NOT_IN_CANON_HEAP) // use original heap offset if CHDK is loaded in high memory
                 "LDR     R0, =0x12ED1C\n"
#else
                         // Load the pointer value stored in new_sa (that is, &_end).
                         "LDR     R0, =new_sa\n"
                     "LDR     R0, [R0]\n"
#endif
                      
                 "LDR     R2, =0x2F9C00\n"
                 "LDR     R1, =0x2F24A8\n"
                 "STR     R0, [SP,#8]\n"        // [SP+8] = heap start
                 // R0 = 0x2F24A8 - heap start.
                 // NOTE(review): nothing here checks that the heap start is below
                 // 0x2F24A8. If the CHDK image ever ends above that address the
                 // subtraction wraps; a build-time size check would catch it.
                 "SUB     R0, R1, R0\n"
                 "ADD     R3, SP, #0xC\n"
                 "STR     R2, [SP]\n"
                 // [SP+0xC..0x14] = { computed size, 0x2F24A8, 0x2F9C00 }
                 "STMIA   R3, {R0-R2}\n"
                 "MOV     R0, #0x22\n"
                 "STR     R0, [SP,#0x18]\n"
                 "MOV     R0, #0x68\n"
                 "STR     R0, [SP,#0x1C]\n"
                 "LDR     R0, =0x19B\n"
             // R1 = next-stage routine; the firmware's own sub_FFC04D38 is
             // replaced by the patched copy.
             //    "LDR     R1, =sub_FFC04D38\n"
                  "LDR     R1, =sub_FFC04D38_my\n"  //--------->
                                 
                                 "B       sub_FFC01018 \n"      // continue in firmware
     );
}
 211 
// TODO: needs modification
/*
 * sub_FFC04D38_my: patched copy of firmware sub_FFC04D38. It runs a fixed
 * sequence of firmware set-up calls; after each one a negative return value
 * causes sub_FFC04E2C to be called with the address of a ROM string (the
 * names in the disabled ADR lines: "dmSetup", "termDriverInit",
 * "termDeviceCreate", "stdioSetup", "stdlibSetup", "armlib_setup").
 * The only functional change is the final branch, which goes to
 * taskcreate_Startup_my instead of taskcreate_Startup.
 *
 * Each firmware "ADR" is replaced by "LDR Rn,=<absolute address>": this copy
 * does not sit at the firmware address, so a PC-relative ADR could not reach
 * the ROM strings.
 */
void __attribute__((naked,noinline)) sub_FFC04D38_my() {

        asm volatile (
                 "STMFD   SP!, {R4,LR}\n"
                 "BL      sub_FFC00954\n"
                 "BL      sub_FFC090B4\n"
                 "CMP     R0, #0\n"
              //   "ADRLT   R0, sub_FFC04E4C\n"  //  ; "dmSetup"\n"
                        "LDRLT     R0,=0xFFC04E4C\n"
                 "BLLT    sub_FFC04E2C\n"
                 "BL      sub_FFC04974\n"
                 "CMP     R0, #0\n"
             //    "ADRLT   R0, sub_FFC04E54\n"// ; "termDriverInit"\n"
                        "LDRLT     R0,=0xFFC04E54\n"
                 "BLLT    sub_FFC04E2C\n"
                // "ADR     R0, sub_FFC04E64\n"      //; "/_term"
                 "LDR     R0,=0xFFC04E64\n"
                 "BL      sub_FFC04A5C\n"
                 "CMP     R0, #0\n"
               //  "ADRLT   R0, sub_FFC04E6C \n"//; "termDeviceCreate"
                 "LDRLT     R0,=0xFFC04E6C\n"
                 "BLLT    sub_FFC04E2C\n"
              //   "ADR     R0, sub_FFC04E64 \n"    // ; "/_term"
                  "LDR     R0,=0xFFC04E64 \n"
                 "BL      sub_FFC03578\n"
                 "CMP     R0, #0\n"
               //  "ADRLT   R0, sub_FFC04E80\n" //; "stdioSetup"
                  "LDRLT     R0,=0xFFC04E80\n"
                 "BLLT    sub_FFC04E2C\n"
                 "BL      sub_FFC08BCC\n"
                 "CMP     R0, #0\n"
             //    "ADRLT   R0, sub_FFC04E8C\n" //; "stdlibSetup"
                   "LDRLT     R0,=0xFFC04E8C\n"
                 "BLLT    sub_FFC04E2C\n"
                 "BL      sub_FFC014A8\n"
                 "CMP     R0, #0\n"
              //   "ADRLT   R0, sub_FFC04E98\n" //; "armlib_setup"
                   "LDRLT     R0,=0xFFC04E98\n"
                 "BLLT    sub_FFC04E2C\n"
                 // Restore R4/LR first so the tail branch leaves the stack balanced.
                 "LDMFD   SP!, {R4,LR}\n"
            //     "B       taskcreate_Startup\n"
                  "B       taskcreate_Startup_my\n" //-------->

        );
};
 258 
/*
 * taskcreate_Startup_my: patched copy of the firmware's taskcreate_Startup.
 * Changes relative to the firmware sequence, as shown by the disabled lines:
 *   - the call to sub_FFC117BC is removed (per the original comment, for
 *     correct power-on with the on/off button);
 *   - the "Startup" task is created with task_Startup_my as its entry point
 *     instead of task_Startup.
 * Returns 0 in R0.
 */
void __attribute__((naked,noinline)) taskcreate_Startup_my() {

     asm volatile (   
                // {R3,LR} is pushed and {R12,PC} popped at the end: the R3 slot
                // doubles as the stack argument stored via "STR R3, [SP]" below.
                "STMFD   SP!, {R3,LR}\n"
             //   "BL      j_nullsub_178\n"
                // If either check returns non-zero, continue at loc_FFC0C29C.
                "BL      sub_FFC18680\n"
                "CMP     R0, #0\n"
                "BNE     loc_FFC0C29C\n"
                "BL      sub_FFC117B0\n"
                "CMP     R0, #0\n"
                "BNE     loc_FFC0C29C\n"
                // Both checks returned 0: write 0x44 to 0xC0220084 and
                // 0xC0220080, then spin forever (presumably a power-down path).
                "BL      sub_FFC10E84\n"
                "LDR     R1, =0xC0220000\n"
                "MOV     R0, #0x44\n"
                "STR     R0, [R1,#0x84]\n"
                "STR     R0, [R1,#0x80]\n"
                "BL      sub_FFC11074\n"
"loc_FFC0C298:\n"                          
                "B       loc_FFC0C298\n"
"loc_FFC0C29C:\n"                                             
             //   "BL      sub_FFC117BC\n"    // removed for correct power-on on 'on/off' button.
             //   "BL      j_nullsub_179\n"
                "BL      sub_FFC1693C\n"
                "LDR     R1, =0x34E000\n"
                "MOV     R0, #0\n"
                "BL      sub_FFC16D84\n"
                "BL      sub_FFC16B30\n"
                // Task creation call: R0 = name string at 0xFFC0C2E4 ("Startup"
                // per the disabled ADR), R1 = 0x19, R2 = 0, R3 = entry point,
                // [SP] = 0.
                "MOV     R3, #0\n"
                "STR     R3, [SP]\n"
              //  "ADR     R3, task_Startup\n"
                "LDR     R3, =task_Startup_my\n"  //-------->
                "MOV     R2, #0\n"
                "MOV     R1, #0x19\n"
            //    "ADR     R0, aStartup\n"    ; "Startup"
                        "LDR     R0,=0xFFC0C2E4\n"
                "BL      sub_FFC0AFAC\n"
                "MOV     R0, #0\n"
                "LDMFD   SP!, {R12,PC}\n"
     );
}
 299 
/*
 * task_Startup_my: patched copy of the firmware's Startup task body, installed
 * as the task entry point by taskcreate_Startup_my. It calls the firmware
 * initialisation routines in their original order with two changes:
 *   - the call to sub_FFC18754 (start of diskboot.bin, per the original
 *     comment) is removed, so the boot file is not loaded a second time;
 *   - CreateTask_spytask is called to start the CHDK task, placed before
 *     sub_FFC116B0 (taskcreate_PhySw per the original comment).
 * Execution finishes in the firmware at sub_FFC054B4.
 */
void __attribute__((naked,noinline)) task_Startup_my() {
                
     asm volatile (
                 "STMFD   SP!, {R4,LR}\n"
                 "BL      sub_FFC05394\n"
                 "BL      sub_FFC128A0\n"
                 "BL      sub_FFC10B28\n"
               //  "BL      j_nullsub_182\n"
                 "BL      sub_FFC188A4\n"
              //   "BL      sub_FFC18754\n"   // //start diskboot.bin, //StartDiskboot --> removed
                 "BL      sub_FFC18A40\n"
                 "BL      sub_FFC0FB94\n"
                 "BL      sub_FFC188D4\n"
                 "BL      sub_FFC15F3C\n"
                 "BL      sub_FFC18A44\n"
                  "BL   CreateTask_spytask\n"    // <--- function added
                 "BL      sub_FFC116B0\n"     //taskcreate_PhySw
                 "BL      sub_FFC146BC\n"
                 "BL      sub_FFC18A5C\n"
              //   "BL      nullsub_2\n"
                 "BL      sub_FFC104B0\n"
                 "BL      sub_FFC18464\n"
                 "BL      sub_FFC10AD8\n"
                 "BL      sub_FFC103D4\n"
                 "BL      sub_FFC0FBC8\n"
                 "BL      sub_FFC194A4\n"
                 "BL      sub_FFC103AC\n"
                 // Restore R4/LR, then tail-branch so sub_FFC054B4 returns to
                 // this task's original caller.
                 "LDMFD   SP!, {R4,LR}\n"
                 "B       sub_FFC054B4\n"
     );
}
 331 
 332 /*******************************************************************/
 333 
/*
 * init_file_modules_task: replacement for the firmware's task_InitFileModules
 * (taskHook swaps the entry point). It follows the firmware sequence with
 * two changes:
 *   - sub_FFC59CC8 is replaced by sub_FFC59CC8_my, the start of the patched
 *     chain that ends in the partition-table handling of sub_FFC3E4EC_my;
 *   - core_spytask_can_start is called afterwards to set the flag that tells
 *     the spy task it is safe to start (per the original comment).
 *
 * R4 holds the result of sub_FFC59C9C and R5 the constant 0x5006 throughout;
 * sub_FFC5C35C(0x5006, 0) is called before the chain when R4 != 0 and
 * tail-called after it when R4 == 0.
 */
void __attribute__((naked,noinline)) init_file_modules_task() {
 asm volatile(
                "STMFD   SP!, {R4-R6,LR}\n"
                "BL      sub_FFC59C9C\n"
                "LDR     R5, =0x5006\n"
                "MOVS    R4, R0\n"
                "MOVNE   R1, #0\n"
                "MOVNE   R0, R5\n"
                "BLNE    sub_FFC5C35C\n"
                 "BL      sub_FFC59CC8_my\n"             //------------->
             //   "BL      sub_FFC59CC8\n"
             "BL      core_spytask_can_start\n"      // + set "it's safe to start" flag for spytask
                "CMP     R4, #0\n"
                "MOVEQ   R0, R5\n"
                // Registers are restored before the conditional tail branch so
                // that sub_FFC5C35C returns directly to this task's caller.
                "LDMEQFD SP!, {R4-R6,LR}\n"
                "MOVEQ   R1, #0\n"
                "BEQ     sub_FFC5C35C\n"
                "LDMFD   SP!, {R4-R6,PC}\n"
 );
}
 354 
/*
 * sub_FFC59CC8_my: patched copy of firmware sub_FFC59CC8, called from
 * init_file_modules_task. The only change is that sub_FFC3E9BC is replaced
 * by sub_FFC3E9BC_my (called with R0 = 3).
 *
 * After that call, the word at 0x2B70+4 decides whether the six firmware
 * calls in the middle run (they are skipped when it is non-zero); the word
 * at 0x2B70 is then set to 1.
 */
void __attribute__((naked,noinline)) sub_FFC59CC8_my() {

 asm volatile(
                 "STMFD   SP!, {R4,LR}\n"
                 "MOV     R0, #3\n"
                 //"BL      sub_FFC3E9BC\n"
                 "BL      sub_FFC3E9BC_my\n"    //---------->
               //  "BL      nullsub_64\n"
                 "LDR     R4, =0x2B70\n"
                 "LDR     R0, [R4,#4]\n"
                 "CMP     R0, #0\n"
                 "BNE     loc_FFC59D00\n"
                 "BL      sub_FFC3DD80\n"
                 "BL      sub_FFCCF594\n"
                 "BL      sub_FFC3DD80\n"
                 "BL      sub_FFC3A1E4\n"
                 "BL      sub_FFC3DC80\n"
                 "BL      sub_FFCCF658\n"
 "loc_FFC59D00:\n"                           // ; CODE XREF: sub_FFC59CC8+1C
                 "MOV     R0, #1\n"
                 "STR     R0, [R4]\n"
                 "LDMFD   SP!, {R4,PC}\n"

 );
}
 380 
 381 
/*
 * sub_FFC3E9BC_my: patched copy of the first part of firmware sub_FFC3E9BC
 * (the string referenced is "Mounter.c", per the disabled ADR). The only
 * change is that sub_FFC3E75C is replaced by sub_FFC3E75C_my; execution then
 * continues inside the firmware at sub_FFC3EA14.
 *
 * R4 points at a 0x80-byte record: 0xE5D8 + (index << 7), where the index is
 * the value returned by sub_FFC3E924. The same table base is used by
 * sub_FFC3E75C_my and sub_FFC3E4EC_my.
 */
void __attribute__((naked,noinline)) sub_FFC3E9BC_my() {
 asm volatile(
                 // The registers pushed here are not popped in this copy; the
                 // firmware code reached through the final branch is expected
                 // to restore them.
                 "STMFD   SP!, {R4-R8,LR}\n"
                 "MOV     R6, R0\n"
                 "BL      sub_FFC3E924\n"
                 "LDR     R1, =0xE5D8\n"
                 "MOV     R5, R0\n"
                 "ADD     R4, R1, R0,LSL#7\n"
                 // If the record's word at +0x70 equals 4, call sub_FFC0B284 with
                 // the "Mounter.c" string address and 0x6D8 (presumably an
                 // assertion helper taking file name and line number).
                 "LDR     R0, [R4,#0x70]\n"
                 "CMP     R0, #4\n"
                 "LDREQ   R1, =0x6D8\n"
               //  "ADREQ   R0, aMounter_c\n"//  ; "Mounter.c"
                 "LDREQ   R0,=0xFFC3E448\n"
                 "BLEQ    sub_FFC0B284\n"
                 "MOV     R1, R6\n"
                 "MOV     R0, R5\n"
                 "BL      sub_FFC3E390\n"
                 "LDR     R0, [R4,#0x38]\n"
                 "BL      sub_FFC3EEE8\n"
                 // A zero result is stored back to the record's +0x70 word.
                 "CMP     R0, #0\n"
                 "STREQ   R0, [R4,#0x70]\n"
                 "MOV     R0, R5\n"
                 "BL      sub_FFC3E468\n"
                 "MOV     R0, R5\n"
               //  "BL      sub_FFC3E75C\n"
                "BL      sub_FFC3E75C_my\n"  //--------->
                                
                                 "B       sub_FFC3EA14 \n"      // continue in firmware
 );
}
 412 
/*
 * sub_FFC3E75C_my: patched copy of the first part of firmware sub_FFC3E75C.
 * The only change is that sub_FFC3E4EC is replaced by sub_FFC3E4EC_my, the
 * routine that reads the card's partition table; execution then continues
 * inside the firmware at sub_FFC3E788.
 *
 * In:  R0 = record index (the record is at 0xE5D8 + (index << 7)).
 * Out: returns 1 immediately when bit 1 of the record's +0x70 word is set;
 *      otherwise the result comes from the firmware continuation.
 */
void __attribute__((naked,noinline)) sub_FFC3E75C_my() {
 asm volatile(
                   "STMFD   SP!, {R4-R6,LR}\n"
                 "MOV     R5, R0\n"
                 "LDR     R0, =0xE5D8\n"
                 "ADD     R4, R0, R5,LSL#7\n"
                 "LDR     R0, [R4,#0x70]\n"
                 // Early exit: bit 1 already set, nothing to do.
                 "TST     R0, #2\n"
                 "MOVNE   R0, #1\n"
                 "LDMNEFD SP!, {R4-R6,PC}\n"
                 // Call the patched routine with R0 = record word +0x38 and
                 // R1 = record index.
                 "LDR     R0, [R4,#0x38]\n"
                 "MOV     R1, R5\n"
                // "BL      sub_FFC3E4EC\n"
                   "BL      sub_FFC3E4EC_my\n"  //--------->
                                   
                                 "B       sub_FFC3E788 \n"      // Continue in firmware
 );
}
 431 
/*
 * sub_FFC3E4EC_my: patched copy of firmware sub_FFC3E4EC. It reads the first
 * sector of the storage device, picks a partition-table entry, and stores the
 * partition's start sector and sector count into the device record.
 *
 * In:  R0 = value passed through to the record's callbacks (kept in R8),
 *      R1 = record index; the record is at 0xE5D8 + (index << 7) (R5).
 * Out: R0 = 1 on completion, 0 when the sector buffer could not be obtained
 *      or the read callback did not return 1.
 *      [record+0x44] = start sector (R7), [record+0x48] = sector count (R6).
 *
 * CHDK additions, all marked in the body:
 *   - mbr_read_dryos is called with the sector buffer;
 *   - DataGhost's FAT32 autodetection selects the first table entry whose
 *     type byte is 0x0B or 0x0C and whose status byte is 0x00 or 0x80;
 *   - the 0x55/0xAA signature bytes are read relative to the saved sector
 *     start (LR), because R4 may have been advanced to a later entry.
 *
 * NOTE(review): every byte examined here comes from the removable card and
 * is attacker-controllable. The range test on the chosen entry is done with
 * a plain 32-bit add (see the note at the check), so code that consumes the
 * stored start/count pair should not assume it is in range without its own
 * check; confirm what the firmware continuation validates.
 */
void __attribute__((naked,noinline)) sub_FFC3E4EC_my() {
 asm volatile(
                 "STMFD   SP!, {R4-R8,LR}\n"
                 "MOV     R8, R0\n"
                 "LDR     R0, =0xE5D8\n"
                 "MOV     R7, #0\n"
                 "ADD     R5, R0, R1,LSL#7\n"
                 "LDR     R0, [R5,#0x3C]\n"
                 "MOV     R6, #0\n"
                 // Jump table on the record's +0x3C word (0..7). In ARM state PC
                 // reads as this instruction + 8, so case k lands on the k-th
                 // branch after the out-of-range "B" below. Every table slot
                 // must stay exactly one instruction; do not insert anything
                 // between the ADDLS and loc_FFC3E534.
                 "CMP     R0, #7\n"
                 "ADDLS   PC, PC, R0,LSL#2\n"
                 "B       loc_FFC3E63C\n"
 "loc_FFC3E514:\n"                            
                 "B       loc_FFC3E54C\n"
 "loc_FFC3E518:\n"                            
                 "B       loc_FFC3E534\n"
 "loc_FFC3E51C:\n"                            
                 "B       loc_FFC3E534\n"
 "loc_FFC3E520:\n"     
                                         "B       loc_FFC3E534\n"                       
 "loc_FFC3E524:\n"                            
                 "B       loc_FFC3E534\n"
 "loc_FFC3E528:\n"                            
                 "B       loc_FFC3E634\n"
 "loc_FFC3E52C:\n"                            
                 "B       loc_FFC3E534\n"
 "loc_FFC3E530:\n"                            
                "B       loc_FFC3E534\n"
 "loc_FFC3E534:\n"                                                                   
                 // sub_FFC53D0C(2, 0x200, 0): presumably obtains a 0x200-byte
                 // sector buffer; a zero result returns 0 via loc_FFC3E54C.
                 "MOV     R2, #0\n"
                 "MOV     R1, #0x200\n"
                 "MOV     R0, #2\n"
                 "BL      sub_FFC53D0C\n"
                 "MOVS    R4, R0\n"
                 "BNE     loc_FFC3E554\n"
 "loc_FFC3E54C:\n"                            
                 "MOV     R0, #0\n"
                 "LDMFD   SP!, {R4-R8,PC}\n"
 "loc_FFC3E554:\n"                            
                 // Call the record's +0x4C callback with (R8, 0, 1, buffer);
                 // presumably "read 1 sector starting at sector 0". Anything
                 // other than a return of 1 releases the buffer and returns 0.
                 "LDR     R12, [R5,#0x4C]\n"
                 "MOV     R3, R4\n"
                 "MOV     R2, #1\n"
                 "MOV     R1, #0\n"
                 "MOV     R0, R8\n"
                 "BLX     R12\n"
                 "CMP     R0, #1\n"
                 "BNE     loc_FFC3E580\n"
                 "MOV     R0, #2\n"
                 "BL      sub_FFC53E58\n"
                 "B       loc_FFC3E54C\n"
 "loc_FFC3E580:\n"                          
                 // Call the record's +0x68 callback with R8; per the comment on
                 // the next call it leaves the total sector count in R0.
                 "LDR     R1, [R5,#0x68]\n"
                 "MOV     R0, R8\n"
                 "BLX     R1\n"
                 
          "MOV   R1, R4\n"           // + pointer to MBR in R1
                  "BL    mbr_read_dryos\n"   // + total sectors count in R0 before and after call (needs modification)

          // Start of DataGhost's FAT32 autodetection code
          // Policy: If there is a partition which has type W95 FAT32, use the first one of those for image storage
          // According to the code below, we can use R1, R2, R3 and R12.
          // LR wasn't really used anywhere but for storing a part of the partition signature. This is the only thing
          // that won't work with an offset, but since we can load from LR+offset into LR, we can use this to do that :)
          // The scan reads at most four 0x10-byte entries (R1 counts 1..4), so
          // every access stays inside the 0x200-byte sector buffer.
          "MOV     R12, R4\n"                    // Copy the MBR start address so we have something to work with
          "MOV     LR, R4\n"                     // Save old offset for MBR signature
          "MOV     R1, #1\n"                     // Note the current partition number
          "B       dg_sd_fat32_enter\n"          // We actually need to check the first partition as well, no increments yet!
     "dg_sd_fat32:\n"
          "CMP     R1, #4\n"                     // Did we already see the 4th partition?
          "BEQ     dg_sd_fat32_end\n"            // Yes, break. We didn't find anything, so don't change anything.
          "ADD     R12, R12, #0x10\n"            // Second partition
          "ADD     R1, R1, #1\n"                 // Second partition for the loop
     "dg_sd_fat32_enter:\n"
          "LDRB    R2, [R12, #0x1BE]\n"          // Partition status
          "LDRB    R3, [R12, #0x1C2]\n"          // Partition type (FAT32 = 0xB)
          "CMP     R3, #0xB\n"                   // Is this a FAT32 partition?
          "CMPNE   R3, #0xC\n"                   // Not 0xB, is it 0xC (FAT32 LBA) then?
          "BNE     dg_sd_fat32\n"                // No, it isn't. Loop again.
          "CMP     R2, #0x00\n"                  // It is, check the validity of the partition type
          "CMPNE   R2, #0x80\n"
          "BNE     dg_sd_fat32\n"                // Invalid, go to next partition
                                                 // This partition is valid, it's the first one, bingo!
          "MOV     R4, R12\n"                    // Move the new MBR offset for the partition detection.
          
     "dg_sd_fat32_end:\n"
          // End of DataGhost's FAT32 autodetection code
                 
                 // Assemble two little-endian 32-bit fields of the selected entry:
                 //   R1 = bytes +0x1C6..+0x1C9 (start sector)
                 //   R3 = bytes +0x1CA..+0x1CD (sector count)
                 // and load the entry's status byte (+0x1BE) into R2.
                 "LDRB    R1, [R4,#0x1C9]\n"
                 "LDRB    R3, [R4,#0x1C8]\n"
                 "LDRB    R12, [R4,#0x1CC]\n"
                 "MOV     R1, R1,LSL#24\n"
                 "ORR     R1, R1, R3,LSL#16\n"
                 "LDRB    R3, [R4,#0x1C7]\n"
                 "LDRB    R2, [R4,#0x1BE]\n"
             //    "LDRB    LR, [R4,#0x1FF]\n"
                 "ORR     R1, R1, R3,LSL#8\n"
                 "LDRB    R3, [R4,#0x1C6]\n"
                 // Status must be 0x00 or 0x80. None of the instructions between
                 // this compare pair and the "BNE loc_FFC3E60C" below sets the
                 // flags, so that branch tests this result; keep it that way.
                 "CMP     R2, #0\n"
                 "CMPNE   R2, #0x80\n"
                 "ORR     R1, R1, R3\n"
                 "LDRB    R3, [R4,#0x1CD]\n"
                 "MOV     R3, R3,LSL#24\n"
                 "ORR     R3, R3, R12,LSL#16\n"
                 "LDRB    R12, [R4,#0x1CB]\n"
                 "ORR     R3, R3, R12,LSL#8\n"
                 "LDRB    R12, [R4,#0x1CA]\n"
                 "ORR     R3, R3, R12\n"
              //   "LDRB    R12, [R4,#0x1FE]\n"
               "LDRB    R12, [LR,#0x1FE]\n"           // + First MBR signature byte (0x55), LR is original offset.
                 "LDRB    LR, [LR,#0x1FF]\n"            // + Last MBR signature byte (0xAA), LR is original offset.
                 // R4 is reused from here on as the "entry accepted" flag.
                 "MOV     R4, #0\n"
                 "BNE     loc_FFC3E60C\n"
                 // Accept the entry only if start <= total sectors (R0),
                 // start + count <= total, and the signature is 0x55 0xAA.
                 // NOTE(review): "ADD R2, R1, R3" is a 32-bit add with no carry
                 // check, so a start/count pair whose sum wraps past 2^32 is not
                 // rejected by the comparison that follows.
                 "CMP     R0, R1\n"
                 "BCC     loc_FFC3E60C\n"
                 "ADD     R2, R1, R3\n"
                 "CMP     R2, R0\n"
                 "CMPLS   R12, #0x55\n"
                 "CMPEQ   LR, #0xAA\n"
                 "MOVEQ   R7, R1\n"
                 "MOVEQ   R6, R3\n"
                 "MOVEQ   R4, #1\n"
 "loc_FFC3E60C:\n"                          
                 // sub_FFC53E58(2): presumably releases the sector buffer.
                 "MOV     R0, #2\n"
                 "BL      sub_FFC53E58\n"
                 "CMP     R4, #0\n"
                 "BNE     loc_FFC3E648\n"
                 // No entry accepted: start = 0 and count = value returned by the
                 // record's +0x68 callback (the whole device).
                 "LDR     R1, [R5,#0x68]\n"
                 "MOV     R7, #0\n"
                 "MOV     R0, R8\n"
                 "BLX     R1\n"
                 "MOV     R6, R0\n"
                 "B       loc_FFC3E648\n"
 "loc_FFC3E634:\n"                                                            
                 // Jump-table case 5: fixed count of 0x40, start left at 0.
                 "MOV     R6, #0x40\n"
                 "B       loc_FFC3E648\n"
 "loc_FFC3E63C:\n"                                                                
                 // Out-of-range selector: call sub_FFC0B284 with the "Mounter.c"
                 // string address and 0x5C9 (presumably an assertion helper).
                 "LDR     R1, =0x5C9\n"
                // "ADR     R0, aMounter_c\n"  ; "Mounter.c"
                "LDR    R0,=0xFFC3E448\n"
                 "BL      sub_FFC0B284\n"
 "loc_FFC3E648:\n"                                                            
                 // Pre-indexed store with writeback: R5 becomes record+0x44, so
                 // the second store lands at record+0x48.
                 "STR     R7, [R5,#0x44]!\n"
                 "MOV     R0, #1\n"
                 "STR     R6, [R5,#4]\n"
                 "LDMFD   SP!, {R4-R8,PC}\n"
 );
}
 579 
 580 
 581 
