Srsa 4c/SX100 FileWriteTask
The following serves as a proof-of-concept to prevent writing of files handled by this task. The name of the message-queue-related function is a guess (based on a DSLR firmware debug string).
// FileWriteTask — patched copy of the firmware task (original at loc_FFDDA7xx).
// Loops on the task's message queue (handle at [0xD60C+0x10]) and dispatches on
// the first word ("state") of each message:
//   1      -> exit the task
//   2..7   -> jumptable cases 0..5: 2 = drain queue + close, 3 = open,
//             4..6 = write, 7 = close
//   other  -> ignored (back to the receive loop)
// State block at 0xD60C as used here: [+0] file handle (-1 = none),
// [+8] and [+0xC] semaphores, [+0x10] queue handle.
// Naked: no compiler prologue/epilogue; the STMFD below is the whole frame.
void __attribute__((naked,noinline)) FileWriteTask(){
asm volatile(
" STMFD SP!, {R1-R5,LR}\n" // R1-R5 are pushed only to reserve stack words; [SP], [SP,#4], [SP,#8] are reused as scratch locals below
" LDR R4, =0xD60C\n" // R4 = state block, live for the whole loop
" loc_FFDDA7A0:\n" // receive loop; also the jumptable default case
" LDR R0, [R4,#0x10]\n" // queue handle
" MOV R2, #0\n" // third arg of the receive call (0 — presumably "wait forever"; TODO confirm)
" ADD R1, SP, #0x08\n" // &msg (output slot)
" BL sub_FFC19658\n" //ReceiveMessageQueue
" CMP R0, #0\n"
" BNE loc_FFDDA7D0\n" // receive failed -> exit the task
" LDR R0, [SP,#0x08]\n" // msg
" LDR R1, [R0]\n" // msg->state (first word)
" CMP R1, #1\n" // task exits when the message's first word is 1
" BNE loc_FFDDA7D8\n"
" LDR R0, [R4,#8]\n"
" BL sub_FFC0BB24\n" //GiveSemaphore
" loc_FFDDA7D0:\n"
" BL sub_FFC0BE48\n" //ExitTask
" LDMFD SP!, {R1-R5,PC}\n" // only reached if ExitTask returns
" loc_FFDDA7D8:\n"
" SUB R1, R1, #2\n" // state 2..7 -> case 0..5 (anything else wraps unsigned and falls to default)
" CMP R1, #5\n"
" ADDLS PC, PC, R1,LSL#2\n" // jumptable: in ARM mode PC reads as this instruction + 8, i.e. loc_FFDDA7E8 for case 0; do not insert anything between here and the table
" B loc_FFDDA7A0\n" // default case
" loc_FFDDA7E8:\n"
" B loc_FFDDA800\n" // case 0 (state 2)
" loc_FFDDA7EC:\n"
" B loc_FFDDA864\n" // case 1 (state 3)
" loc_FFDDA7F0:\n"
" B loc_FFDDA86C\n" // cases 2-4 (states 4-6)
" loc_FFDDA7F4:\n"
" B loc_FFDDA86C\n" // cases 2-4
" loc_FFDDA7F8:\n"
" B loc_FFDDA86C\n" // cases 2-4
" loc_FFDDA7FC:\n"
" B loc_FFDDA874\n" // case 5 (state 7)
" loc_FFDDA800:\n"
" MOV R0, #0\n" // case 0: drain pending messages, then close
" STR R0, [SP]\n" // [SP] = 0, output slot for the call below
" loc_FFDDA808:\n"
" LDR R0, [R4,#0x10]\n" // queue handle
" MOV R1, SP\n" // &slot
" BL sub_FFC1985C\n" //messagequeue-related function (name guessed); looks like it reports pending messages into [SP] — TODO confirm
" LDR R0, [SP]\n"
" CMP R0, #0\n"
" BEQ loc_FFDDA834\n" // nothing pending
" LDR R0, [R4,#0x10]\n"
" MOV R2, #0\n"
" ADD R1, SP, #0x04\n" // receive into [SP,#4]; the message itself is discarded
" BL sub_FFC19658\n" //ReceiveMessageQueue
" B loc_FFDDA808\n" // re-check for more pending messages
" loc_FFDDA834:\n"
" LDR R0, [R4]\n" //file handle
" CMN R0, #1\n" // handle == -1 -> nothing to close
" BEQ loc_FFDDA858\n"
" BL sub_FFC1504C\n" //Close — NOTE(review): not stubbed here, unlike the close helper; the open helper stores the fake handle 255, so this path would hand that value to the real Close
" MVN R0, #0\n" // handle = -1
" STR R0, [R4]\n"
" LDR R0, =0x899A0\n" //points to the filename string
" BL sub_FFC407DC\n" //check for "A/", assert if not found
" BL sub_FFC41E80\n" //filesemaphore stuff
" loc_FFDDA858:\n"
" LDR R0, [R4,#0xC]\n"
" BL sub_FFC0BB24\n" // GiveSemaphore
" B loc_FFDDA7A0\n" // default case
" loc_FFDDA864:\n"
" BL sub_FFDDAA38_my\n" // case 1 (open the file); R0 = msg
" B loc_FFDDA7A0\n" // default case
" loc_FFDDA86C:\n"
" BL sub_FFDDAB78_my\n" // cases 2-4 (write into the file); R0 = msg
" B loc_FFDDA7A0\n" // default case
" loc_FFDDA874:\n"
" BL sub_FFDDAC74_my\n" // case 5 (close the file); R0 = msg
" B loc_FFDDA7A0\n" // default case
);
}
// sub_FFDDAA38_my — patched "open" helper of FileWriteTask.
// In:  R0 = request block; fields used here: [+8] open flags (passed as Open's
//      2nd arg), [+0xC] value passed to sub_FFC42720 and stored into the
//      on-stack struct, [+0x2C] filename (NUL-terminated, copied with max 0x20).
// Uses the state block at 0xD60C: [+0] receives the file handle,
// [+0x14] callback pointer invoked (tail-call, R0 = 0x9200001) when the
// handle is -1.
// Patch: the real Open (and the directory-creation fallback) is skipped and a
// fake handle 255 is stored instead, so the rest of the task proceeds as if the
// file were open. 0x38 bytes of locals; .ltorg keeps the literal pool in range.
void __attribute__((naked,noinline)) sub_FFDDAA38_my(){ //open
asm volatile(
" STMFD SP!, {R4-R8,LR}\n"
" MOV R4, R0\n" // R4 = request block
" ADD R0, R0, #0x2C\n" // &filename
" SUB SP, SP, #0x38\n" // locals (struct built at SP for sub_FFC41744)
" BL sub_FFC407DC\n" // check for "A/", assert if not found
" MOV R1, #0\n"
" BL sub_FFC41E30\n" // file semaphore (take)
" LDR R0, [R4,#0xC]\n"
" BL sub_FFC42720\n" // r0 -> [0x2bfc+4]
" LDR R7, [R4,#8]\n" // R7 = open flags
" LDR R8, =0x1B6\n" // 666 octal (mode)
" ADD R6, R4, #0x2C\n" // R6 = &filename
" LDR R5, [R4,#0xC]\n"
" MOV R0, R6\n" // filename starts at param0 + 0x2c
" MOV R1, R7\n"
" MOV R2, R8\n"
"mov r0, #255\n" // fake handle (-1 would mean failure, cam would prohibit further shooting)
"b loc_FFDDAADC\n" // continue as if everything's ok — everything up to loc_FFDDAADC is now unreachable
" BL sub_FFC15024\n" // Open (unreachable in this patch)
" CMN R0, #1\n"
" BNE loc_FFDDAADC\n"
" MOV R0, R6\n" // from here on create the probably non-existent dirs
" BL sub_FFC1552C\n"
" MOV R2, #0xF\n"
" MOV R1, R6\n"
" MOV R0, SP\n"
" BL sub_FFE56B0C\n" // presumably copies up to 0xF bytes of the path into the local buffer at SP — TODO confirm
" LDR R0, =0x41FF\n"
" MOV R1, #0\n"
" STRB R1, [SP,#0x0F]\n" // terminate the local copy
" STR R0, [SP,#0x20]\n" // struct at SP+0x20: {0x41FF, 0x10, R5, R5, R5, R5}
" MOV R0, #0x10\n"
" ADD R2, SP, #0x24\n"
" STMIA R2, {R0,R1,R5}\n"
" ADD R1, SP, #0x20\n"
" MOV R0, SP\n"
" STR R5, [SP,#0x30]\n"
" STR R5, [SP,#0x34]\n"
" BL sub_FFC41744\n" // same callee as in the close helper (attribute/time setter? — unverified)
" MOV R2, R8\n"
" MOV R1, R7\n"
" MOV R0, R6\n"
" BL sub_FFC15024\n" // Open (second try)
" loc_FFDDAADC:\n" // R0 = handle (255 in this patch)
" LDR R5, =0xD60C\n"
" CMN R0, #1\n"
" STR R0, [R5]\n" // store file handle
" BNE loc_FFDDAB18\n" // file handle ok, continue
" ADD R0, R4, #0x2C\n" // failure path (unreachable with the fake handle)
" BL sub_FFC407DC\n" // check for "A/", assert if not found
" BL sub_FFC41E80\n" // FileSem.c:123 (release file semaphore)
" LDR R1, [R5,#0x14]\n" // callback pointer
" CMP R1, #0\n"
" ADDNE SP, SP, #0x38\n" // unwind the frame first: the callback is tail-called
" LDMNEFD SP!, {R4-R8,LR}\n"
" LDRNE R0, =0x9200001\n" // error code passed to the callback
" BXNE R1\n"
" loc_FFDDAB10:\n"
" ADD SP, SP, #0x38\n"
" LDMFD SP!, {R4-R8,PC}\n"
" loc_FFDDAB18:\n"
" LDR R0, =0x899A0\n" // fixed filename buffer used by FileWriteTask case 0
" MOV R2, #0x20\n" // filename max length
" ADD R1, R4, #0x2C\n"
" BL sub_FFE56C74\n" // copies filename to 0x899a0...
" MOV R1, R4\n"
" MOV R0, #4\n"
" BL sub_FFDDA6F0\n" // posts msg 4 to filewritetask (write...)
" B loc_FFDDAB10\n"
".ltorg\n"
);
}
// sub_FFDDAB78_my — patched "write" helper of FileWriteTask.
// In:  R0 = request block. [+0] = state (4, 5 or 6) selecting one of three
//      (length, buffer) pairs: 4 -> ([+0x18],[+0x14]), 5 -> ([+0x20],[+0x1C]),
//      6 -> ([+0x28],[+0x24]). [+4] = byte counter advanced by the bytes
//      "written" (presumably the file offset). [+0x10] receives an error code.
// Writes in chunks of at most 0x1000000 bytes that never cross a 16 MiB
// boundary of [+4], then tail-calls sub_FFDDA6F0 to post the next message:
// state+1 on success, 7 (close) on zero length, short write or bad state.
// Patch: the real Write is commented out and R0 is faked to "all bytes
// written", so the loop completes without touching the card.
void __attribute__((naked,noinline)) sub_FFDDAB78_my(){ //write
asm volatile(
" STMFD SP!, {R4-R10,LR}\n"
" MOV R4, R0\n" // R4 = request block
" LDR R0, [R0]\n" // state
" CMP R0, #4\n"
" LDREQ R6, [R4,#0x18]\n" // R6 = total length
" LDREQ R7, [R4,#0x14]\n" // R7 = buffer
" BEQ loc_FFDDABB4\n"
" CMP R0, #5\n"
" LDREQ R6, [R4,#0x20]\n"
" LDREQ R7, [R4,#0x1C]\n"
" BEQ loc_FFDDABB4\n"
" CMP R0, #6\n"
" BNE loc_FFDDABC8\n" // unexpected state -> assert
" LDR R6, [R4,#0x28]\n"
" LDR R7, [R4,#0x24]\n"
" loc_FFDDABB4:\n"
" CMP R6, #0\n"
" BNE loc_FFDDABD8\n" // something to write
" loc_FFDDABBC:\n" // zero length / error exit
" MOV R1, R4\n"
" MOV R0, #7\n" // will post 7 (close) to the task
" B loc_FFDDAC6C\n"
" loc_FFDDABC8:\n"
" LDR R1, =0x1E2\n" // line number for the assert
" LDR R0, =0xffddab58\n" // "dwFWrite.c"
" BL sub_FFC0C090\n" // DebugAssert
" B loc_FFDDABBC\n"
" loc_FFDDABD8:\n"
" LDR R9, =0xD60C\n" // file handle
" MOV R5, R6\n" // R5 = bytes remaining
" loc_FFDDABE0:\n" // chunk loop: R5 remaining, R7 current buffer pointer
" LDR R0, [R4,#4]\n" // current byte position
" CMP R5, #0x1000000\n"
" MOVLS R8, R5\n" // R8 = min(remaining, 16 MiB)
" MOVHI R8, #0x1000000\n"
" BIC R1, R0, #0xFF000000\n" // position within the current 16 MiB block
" CMP R1, #0\n"
" BICNE R0, R0, #0xFF000000\n"
" RSBNE R0, R0, #0x1000000\n" // bytes left until the next 16 MiB boundary
" CMPNE R8, R0\n"
" MOVHI R8, R0\n" // clamp chunk so it does not cross the boundary
" LDR R0, [R9]\n" // file handle
" MOV R2, R8\n" // length
" MOV R1, R7\n" // buffer address
//" BL sub_FFC150F8\n" // Write
"mov r0, r8\n" //pretend everything's written
" LDR R1, [R4,#4]\n"
" CMP R8, R0\n" // compare bytes written
" ADD R1, R1, R0\n" // flags preserved (no S suffix); BEQ below still uses the CMP result
" STR R1, [R4,#4]\n" // position += written
" BEQ loc_FFDDAC40\n" // everything written
" LDR R0, =0x10B1\n" // short write path (unreachable with the stub)
" BL sub_FFC5F410\n" // IsControlEventActive
" LDR R1, =0x9200005\n"
" STR R1, [R4,#0x10]\n" // record error code, then post close
" B loc_FFDDABBC\n"
" loc_FFDDAC40:\n"
" SUB R5, R5, R0\n" // remaining -= written
" CMP R5, R6\n"
" ADD R7, R7, R0\n" // buffer += written (flags preserved)
" LDRCS R1, =0x211\n" // remaining >= total (unsigned) means it underflowed -> assert
" LDRCS R0, =0xffddab58\n" // "dwFWrite.c"
" BLCS sub_FFC0C090\n" // DebugAssert
" CMP R5, #0\n"
" BNE loc_FFDDABE0\n" // more chunks
" LDR R0, [R4]\n"
" MOV R1, R4\n"
" ADD R0, R0, #1\n" // will post msg (current state+1) to the task
" loc_FFDDAC6C:\n" // R0 = msg id, R1 = request block
" LDMFD SP!, {R4-R10,LR}\n" // restore LR here so the tail call below returns to our caller
" B sub_FFDDA6F0\n"
);
}
// sub_FFDDAC74_my — patched "close" helper of FileWriteTask.
// In:  R0 = request block. Fields used: [+4] byte position, [+0xC] value
//      stored three times into the on-stack struct, [+0x10] error/result code
//      (bit 0 set on the error codes seen on this page: 0x9200001/3/5),
//      [+0x2C] filename.
// Flow: close the handle at [0xD60C] unless it is -1; if no error is flagged
// in [+0x10], build a {0x81FF, 0x20, pos, v, v, v} struct at SP+4 and call
// sub_FFC41744 with the filename; then release the file semaphore and invoke
// the callback at [0xD60C+0x14] (BLX, R0 = [+0x10]) if it is set.
// Patch: the real Close is commented out and R0 is faked to 0 (success).
// 0x1C bytes of locals.
void __attribute__((naked,noinline)) sub_FFDDAC74_my(){ //close
asm volatile(
" STMFD SP!, {R4,R5,LR}\n"
" LDR R5, =0xD60C\n" // R5 = state block
" MOV R4, R0\n" // R4 = request block
" LDR R0, [R5]\n" // file handle
" SUB SP, SP, #0x1C\n" // locals
" CMN R0, #1\n"
" BEQ loc_FFDDACA8\n" // handle == -1 -> nothing to close
//" BL sub_FFC1504C\n" // Close
"mov r0, #0\n" //pretend it's ok
" CMP R0, #0\n" // Close result check (never non-zero with the stub above)
" LDRNE R0, =0x9200003\n"
" STRNE R0, [R4,#0x10]\n" // record close error
" MVN R0, #0\n"
" STR R0, [R5]\n" // handle = -1
" loc_FFDDACA8:\n"
" LDR R0, [R4,#0x10]\n"
" TST R0, #1\n"
" BNE loc_FFDDACF0\n" // error flagged -> skip the post-close step
" LDR R0, =0x81FF\n"
" ADD R1, SP, #0x04\n" // R1 = &struct
" STR R0, [SP,#0x04]\n"
" MOV R0, #0x20\n"
" STR R0, [SP,#0x08]\n"
" LDR R0, [R4,#4]\n" // byte position
" STR R0, [SP,#0x0C]\n"
" LDR R0, [R4,#0xC]\n"
" STR R0, [SP,#0x10]\n"
" LDR R0, [R4,#0xC]\n"
" STR R0, [SP,#0x14]\n"
" LDR R0, [R4,#0xC]\n"
" STR R0, [SP,#0x18]\n"
" ADD R0, R4, #0x2C\n" // R0 = &filename
" BL sub_FFC41744\n" // same callee as in the open helper (attribute/time setter? — unverified)
" loc_FFDDACF0:\n"
" ADD R0, R4, #0x2C\n"
" BL sub_FFC407DC\n" // check for "A/", assert if not found
" BL sub_FFC41E80\n" // FileSem.c:123 (release file semaphore)
" LDR R1, [R5,#0x14]\n" // callback pointer
" CMP R1, #0\n"
" LDRNE R0, [R4,#0x10]\n" // result code passed to the callback
" BLXNE R1\n" // called, not tail-called as in the open helper
" ADD SP, SP, #0x1C\n"
" LDMFD SP!, {R4,R5,PC}\n"
);
}