Srsa 4c/SX100 FileWriteTask

Talk0
576pages on
this wiki

< User:Srsa 4c

Revision as of 14:59, January 21, 2012 by Srsa 4c (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)


The following is a proof-of-concept that prevents the files handled by this task from being written. The name of the message-queue-related function is a guess (based on a DSLR firmware debug string).

/*
 * FileWriteTask -- proof-of-concept replacement for the firmware task that
 * opens, writes and closes the image file on the SX100.
 *
 * Naked, noinline: the body is the firmware's own routine re-typed as inline
 * asm, so there is no compiler prologue/epilogue and no C statement may be
 * added inside. Register, stack and label usage follow the firmware exactly;
 * the loc_/sub_ names appear to be the addresses from the disassembly, and
 * the names after "BL" (ReceiveMessageQueue, GiveSemaphore, ...) are the
 * page author's identifications of firmware routines, not header symbols.
 *
 * Register roles (from the asm below):
 *   R4 = 0xD60C, the task's state block:
 *        [R4]      file handle (-1 when none)
 *        [R4+0x8]  semaphore given right before the task exits
 *        [R4+0xC]  semaphore given at the end of the case-0 path
 *        [R4+0x10] message queue the task receives from
 *   SP+8 = slot that receives the message pointer (ADD R1,SP,#8 then
 *        LDR R0,[SP,#8]). This lies inside the STMFD save area, so the
 *        pushed R1-R5 are evidently used as scratch space by the firmware;
 *        they are only popped again on the ExitTask path.
 *
 * Dispatch: the message's first word is read. 1 => give semaphore, exit the
 * task. Otherwise (word - 2) indexes a 6-entry jump table via
 * ADDLS PC,PC,R1,LSL#2 (index 0..5); any other value loops back to the
 * receive. So word 2 -> case 0 (flush/close below), word 3 -> case 1
 * (open replacement), words 4..6 -> cases 2-4 (write replacement),
 * word 7 -> case 5 (close replacement). This matches the *_my routines on
 * this page: open posts message 4, write posts state+1 or 7.
 */
void __attribute__((naked,noinline)) FileWriteTask(){
 asm volatile(
"		     STMFD   SP!, {R1-R5,LR}\n"
"		     LDR     R4, =0xD60C\n"
// main loop: block on the task's message queue
" loc_FFDDA7A0:\n"
"		     LDR     R0, [R4,#0x10]\n" // jumptable default case
"		     MOV     R2, #0\n"
"		     ADD     R1, SP, #0x08\n"
"		     BL	     sub_FFC19658\n" //ReceiveMessageQueue
"		     CMP     R0, #0\n"
"		     BNE     loc_FFDDA7D0\n" // non-zero return from the receive -> exit the task
"		     LDR     R0, [SP,#0x08]\n"
"		     LDR     R1, [R0]\n"
"		     CMP     R1, #1\n" // task exits when the message's first word is 1
"		     BNE     loc_FFDDA7D8\n"
"		     LDR     R0, [R4,#8]\n"
"		     BL	     sub_FFC0BB24\n" //GiveSemaphore
" loc_FFDDA7D0:\n"
"		     BL	     sub_FFC0BE48\n" //ExitTask
"		     LDMFD   SP!, {R1-R5,PC}\n"
// jump table: R1 = first word - 2; ADDLS only fires for 0..5 (unsigned).
// In ARM state PC reads as the ADDLS address + 8, so index 0 lands on
// loc_FFDDA7E8; the B right after the ADDLS is the out-of-range default.
" loc_FFDDA7D8:\n"
"		     SUB     R1, R1, #2\n"
"		     CMP     R1, #5\n"
"		     ADDLS   PC, PC, R1,LSL#2\n"
"		     B	     loc_FFDDA7A0\n" // default case
" loc_FFDDA7E8:\n"
"		     B	     loc_FFDDA800\n" // case 0
" loc_FFDDA7EC:\n"
"		     B	     loc_FFDDA864\n" // case 1
" loc_FFDDA7F0:\n"
"		     B	     loc_FFDDA86C\n" // cases 2-4
" loc_FFDDA7F4:\n"
"		     B	     loc_FFDDA86C\n" // cases 2-4
" loc_FFDDA7F8:\n"
"		     B	     loc_FFDDA86C\n" // cases 2-4
" loc_FFDDA7FC:\n"
"		     B	     loc_FFDDA874\n" // case 5
// case 0: [SP] (the pushed-R1 slot) is the out-parameter of the loop below
" loc_FFDDA800:\n"
"		     MOV     R0, #0\n" // case 0
"		     STR     R0, [SP]\n"
// drain loop: query the queue; while [SP] != 0 receive one more message
// into SP+4 and ask again. sub_FFC1985C presumably reports the number of
// pending messages -- its name is a guess (see the note above the listing).
" loc_FFDDA808:\n"
"		     LDR     R0, [R4,#0x10]\n"
"		     MOV     R1, SP\n"
"		     BL	     sub_FFC1985C\n" //messagequeue-related function
"		     LDR     R0, [SP]\n"
"		     CMP     R0, #0\n"
"		     BEQ     loc_FFDDA834\n"
"		     LDR     R0, [R4,#0x10]\n"
"		     MOV     R2, #0\n"
"		     ADD     R1, SP, #0x04\n"
"		     BL	     sub_FFC19658\n" //ReceiveMessageQueue
"		     B	     loc_FFDDA808\n"
// queue drained: if a file handle is open, close it and release the file semaphore
" loc_FFDDA834:\n"
"		     LDR     R0, [R4]\n" //file handle
"		     CMN     R0, #1\n"
"		     BEQ     loc_FFDDA858\n"
"		     BL	     sub_FFC1504C\n" //Close
// NOTE(review): this is the firmware's real Close, not stubbed like the
// close replacement below. The open replacement stores the fake handle 255
// at [0xD60C], so if case 0 is ever reached in this PoC that fake handle is
// passed to the real Close -- confirm this path is unreachable, or stub it.
"		     MVN     R0, #0\n"
"		     STR     R0, [R4]\n"
"		     LDR     R0, =0x899A0\n" //points to the filename string
"		     BL	     sub_FFC407DC\n" //check for "A/", assert if not found
"		     BL	     sub_FFC41E80\n" //filesemaphore stuff
" loc_FFDDA858:\n"
"		     LDR     R0, [R4,#0xC]\n"
"		     BL	     sub_FFC0BB24\n" // GiveSemaphore
"		     B	     loc_FFDDA7A0\n" // default case
// cases 1, 2-4, 5: R0 still holds the message pointer from the receive;
// it is passed as the request block to the replacement routines below.
" loc_FFDDA864:\n"
"		     BL	     sub_FFDDAA38_my\n" // case 1 (open the file)
"		     B	     loc_FFDDA7A0\n" // default case
" loc_FFDDA86C:\n"
"		     BL	     sub_FFDDAB78_my\n" // cases 2-4 (write into the file)
"		     B	     loc_FFDDA7A0\n" // default case
" loc_FFDDA874:\n"
"		     BL	     sub_FFDDAC74_my\n" // case 5 (close the file)
"		     B	     loc_FFDDA7A0\n" // default case
 );
}


/*
 * sub_FFDDAA38_my -- replacement for the firmware's "open the file" step
 * (jump-table case 1 of FileWriteTask).
 *
 * In:  R0 = request block, kept in R4 for the whole routine:
 *        [R4+0x8]  second argument to Open (R7)
 *        [R4+0xC]  passed to sub_FFC42720, also kept in R5 for the
 *                  directory-creation record
 *        [R4+0x2C] filename (copied with a 0x20-byte limit on success)
 *      Open's third argument is the constant 0x1B6 (mode 666 octal).
 * Out: [0xD60C] = file handle (R5 = 0xD60C after loc_FFDDAADC).
 *
 * PoC change: the two unindented lines after "MOV R2, R8" load a fake
 * handle (255) into R0 and branch straight to loc_FFDDAADC, so the real
 * Open (sub_FFC15024), the create-missing-directories retry and the second
 * Open are never executed. The fake handle is still stored at [0xD60C] and
 * the success path (copy filename to 0x899A0, post message 4) runs exactly as
 * in the firmware. The failure path (handle == -1) is unreachable here.
 *
 * Stack: STMFD {R4-R8,LR} then SUB SP,#0x38 for the path buffer (SP+0..)
 * and the record at SP+0x20..SP+0x34 used by the directory-creation retry.
 * The ".ltorg" at the end emits the literal pool for the LDR Rx,=const
 * loads of this routine.
 */
void __attribute__((naked,noinline)) sub_FFDDAA38_my(){ //open
 asm volatile(
"		     STMFD   SP!, {R4-R8,LR}\n"
"		     MOV     R4, R0\n"
"		     ADD     R0, R0, #0x2C\n"
"		     SUB     SP, SP, #0x38\n"
"		     BL	     sub_FFC407DC\n" // check for "A/", assert if not found
"		     MOV     R1, #0\n"
"		     BL	     sub_FFC41E30\n" // file semaphore
"		     LDR     R0, [R4,#0xC]\n"
"		     BL	     sub_FFC42720\n" // r0 -> [0x2bfc+4]
"		     LDR     R7, [R4,#8]\n"
"		     LDR     R8, =0x1B6\n" // 666 octal
"		     ADD     R6, R4, #0x2C\n"
"		     LDR     R5, [R4,#0xC]\n"
"		     MOV     R0, R6\n" // filename starts at param0 + 0x2c
"		     MOV     R1, R7\n"
"		     MOV     R2, R8\n"

// PoC: skip the real Open entirely; everything from here to loc_FFDDAADC
// is the firmware's Open / mkdir-retry / Open sequence and is dead code.
"mov r0, #255\n" // fake handle (-1 would mean failure, cam would prohibit further shooting)
"b  loc_FFDDAADC\n" // continue as if everything's ok

"		     BL	     sub_FFC15024\n" // Open
"		     CMN     R0, #1\n"
"		     BNE     loc_FFDDAADC\n"
"		     MOV     R0, R6\n" // from here on create the probably non-existent dirs
"		     BL	     sub_FFC1552C\n"
"		     MOV     R2, #0xF\n"
"		     MOV     R1, R6\n"
"		     MOV     R0, SP\n"
"		     BL	     sub_FFE56B0C\n"
"		     LDR     R0, =0x41FF\n"
"		     MOV     R1, #0\n"
"		     STRB    R1, [SP,#0x0F]\n"
"		     STR     R0, [SP,#0x20]\n"
"		     MOV     R0, #0x10\n"
"		     ADD     R2, SP, #0x24\n"
"		     STMIA   R2, {R0,R1,R5}\n"
"		     ADD     R1, SP, #0x20\n"
"		     MOV     R0, SP\n"
"		     STR     R5, [SP,#0x30]\n"
"		     STR     R5, [SP,#0x34]\n"
"		     BL	     sub_FFC41744\n"
"		     MOV     R2, R8\n"
"		     MOV     R1, R7\n"
"		     MOV     R0, R6\n"
"		     BL	     sub_FFC15024\n" // Open (second try)
// R0 = handle (real or fake); record it in the task state block
" loc_FFDDAADC:\n"
"		     LDR     R5, =0xD60C\n"
"		     CMN     R0, #1\n"
"		     STR     R0, [R5]\n" // store file handle
"		     BNE     loc_FFDDAB18\n" // file handle ok, continue
// failure path: path check, release file semaphore, then -- if a callback
// is installed at [0xD60C+0x14] -- pop the frame and tail-call it with
// R0 = 0x9200001 (BXNE R1 after the LDMNEFD restored LR)
"		     ADD     R0, R4, #0x2C\n"
"		     BL	     sub_FFC407DC\n" // check for "A/", assert if not found
"		     BL	     sub_FFC41E80\n" // FileSem.c:123
"		     LDR     R1, [R5,#0x14]\n"
"		     CMP     R1, #0\n"
"		     ADDNE   SP, SP, #0x38\n"
"		     LDMNEFD SP!, {R4-R8,LR}\n"
"		     LDRNE   R0, =0x9200001\n"
"		     BXNE    R1\n"
" loc_FFDDAB10:\n"
"		     ADD     SP, SP, #0x38\n"
"		     LDMFD   SP!, {R4-R8,PC}\n"
// success path: copy the filename to the global at 0x899A0 and hand the
// request on to the task as message 4 (first write state)
" loc_FFDDAB18:\n"
"		     LDR     R0, =0x899A0\n"
"		     MOV     R2, #0x20\n" // filename max length
"		     ADD     R1, R4, #0x2C\n"
"		     BL	     sub_FFE56C74\n" // copies filename to 0x899a0...
"		     MOV     R1, R4\n"
"		     MOV     R0, #4\n"
"		     BL	     sub_FFDDA6F0\n" // posts msg 4 to filewritetask (write...)
"		     B	     loc_FFDDAB10\n"
".ltorg\n"
 );
}


/*
 * sub_FFDDAB78_my -- replacement for the firmware's "write into the file"
 * step (jump-table cases 2-4 of FileWriteTask, i.e. message words 4..6).
 *
 * In:  R0 = request block (R4). [R4] = current state; 4, 5 or 6 selects
 *      the (length, buffer) pair: (+0x18,+0x14), (+0x20,+0x1C), (+0x28,+0x24).
 *      Any other state hits DebugAssert (dwFWrite.c, line 0x1E2) and then
 *      posts message 7 (close). [R4+4] = running byte count,
 *      [R4+0x10] = status word, [0xD60C] = file handle (R9).
 * Loop (loc_FFDDABE0): R6 = total length, R5 = bytes remaining, R7 = current
 *      buffer pointer, R8 = chunk size. Each chunk is capped at 0x1000000
 *      and, when the low 24 bits of [R4+4] are non-zero, further capped so
 *      that the running count does not cross a 0x1000000 boundary.
 * PoC change: the Write call (sub_FFC150F8) is commented out and replaced
 *      by "mov r0, r8", so every chunk reports full success; the short-write
 *      branch (IsControlEventActive, status 0x9200005, post 7) is unreachable
 *      here. [R4+4] is still advanced by the pretended byte count.
 * Exit: LDMFD restores R4-R10 and LR, then "B sub_FFDDA6F0" tail-calls the
 *      message-post routine with R0 = message word, R1 = request block.
 *      A zero length short-circuits to posting 7 without any write.
 */
void __attribute__((naked,noinline)) sub_FFDDAB78_my(){ //write
 asm volatile(
"		     STMFD   SP!, {R4-R10,LR}\n"
"		     MOV     R4, R0\n"
"		     LDR     R0, [R0]\n"
"		     CMP     R0, #4\n"
"		     LDREQ   R6, [R4,#0x18]\n"
"		     LDREQ   R7, [R4,#0x14]\n"
"		     BEQ     loc_FFDDABB4\n"
"		     CMP     R0, #5\n"
"		     LDREQ   R6, [R4,#0x20]\n"
"		     LDREQ   R7, [R4,#0x1C]\n"
"		     BEQ     loc_FFDDABB4\n"
"		     CMP     R0, #6\n"
"		     BNE     loc_FFDDABC8\n"
"		     LDR     R6, [R4,#0x28]\n"
"		     LDR     R7, [R4,#0x24]\n"
// R6 = length, R7 = buffer; nothing to write -> post close (7)
" loc_FFDDABB4:\n"
"		     CMP     R6, #0\n"
"		     BNE     loc_FFDDABD8\n"
" loc_FFDDABBC:\n"
"		     MOV     R1, R4\n"
"		     MOV     R0, #7\n" // will post 7 (close) to the task
"		     B	     loc_FFDDAC6C\n"
// unexpected state: assert, then fall into the "post 7" path above
" loc_FFDDABC8:\n"
"		     LDR     R1, =0x1E2\n"
"		     LDR     R0, =0xffddab58\n" // "dwFWrite.c"
"		     BL	     sub_FFC0C090\n" // DebugAssert
"		     B	     loc_FFDDABBC\n"
" loc_FFDDABD8:\n"
"		     LDR     R9, =0xD60C\n" // file handle
"		     MOV     R5, R6\n"
// chunk loop: R8 = min(remaining, 0x1000000), then if the running count
// [R4+4] is not 16MB-aligned, R8 = min(R8, 0x1000000 - (count & 0xFFFFFF))
" loc_FFDDABE0:\n"
"		     LDR     R0, [R4,#4]\n"
"		     CMP     R5, #0x1000000\n"
"		     MOVLS   R8, R5\n"
"		     MOVHI   R8, #0x1000000\n"
"		     BIC     R1, R0, #0xFF000000\n"
"		     CMP     R1, #0\n"
"		     BICNE   R0, R0, #0xFF000000\n"
"		     RSBNE   R0, R0, #0x1000000\n"
"		     CMPNE   R8, R0\n"
"		     MOVHI   R8, R0\n" // only taken when the CMPNE ran and R8 > R0 (flags from CMP R1,#0 give EQ, so HI is false otherwise)
"		     LDR     R0, [R9]\n"
"		     MOV     R2, R8\n" // length
"		     MOV     R1, R7\n" // buffer address
//"		     BL	     sub_FFC150F8\n" // Write

// PoC: no Write is issued; report the whole chunk as written
"mov r0, r8\n" //pretend everything's written

"		     LDR     R1, [R4,#4]\n"
"		     CMP     R8, R0\n" // compare bytes written
"		     ADD     R1, R1, R0\n"
"		     STR     R1, [R4,#4]\n"
"		     BEQ     loc_FFDDAC40\n" // everything written
// short write: record status 0x9200005 and post close (7); unreachable in this PoC
"		     LDR     R0, =0x10B1\n"
"		     BL	     sub_FFC5F410\n" // IsControlEventActive
"		     LDR     R1, =0x9200005\n"
"		     STR     R1, [R4,#0x10]\n"
"		     B	     loc_FFDDABBC\n"
// advance: remaining -= written, buffer += written; assert (dwFWrite.c
// line 0x211) if remaining did not decrease below the total (unsigned >=)
" loc_FFDDAC40:\n"
"		     SUB     R5, R5, R0\n"
"		     CMP     R5, R6\n"
"		     ADD     R7, R7, R0\n"
"		     LDRCS   R1, =0x211\n"
"		     LDRCS   R0, =0xffddab58\n" // "dwFWrite.c"
"		     BLCS    sub_FFC0C090\n" // DebugAssert
"		     CMP     R5, #0\n"
"		     BNE     loc_FFDDABE0\n"
"		     LDR     R0, [R4]\n"
"		     MOV     R1, R4\n"
"		     ADD     R0, R0, #1\n" // will post msg (current state+1) to the task
// common exit: restore and tail-call the message-post routine
" loc_FFDDAC6C:\n"
"		     LDMFD   SP!, {R4-R10,LR}\n"
"		     B	     sub_FFDDA6F0\n"
 );
}



/*
 * sub_FFDDAC74_my -- replacement for the firmware's "close the file" step
 * (jump-table case 5 of FileWriteTask, message word 7).
 *
 * In:  R0 = request block (R4); R5 = 0xD60C task state block, [R5] = file
 *      handle, [R5+0x14] = optional callback, [R4+0x10] = status word.
 * PoC change: the real Close (sub_FFC1504C) is commented out and replaced
 *      by "mov r0, #0", so the error status 0x9200003 is never written to
 *      [R4+0x10]. The handle at [R5] is still reset to -1, so the fake
 *      handle stored by the open replacement never reaches the firmware.
 * Then, unless bit 0 of [R4+0x10] is set, a record is built on the stack
 *      at SP+4 (0x81FF, 0x20, [R4+4], and three copies of [R4+0xC]) and
 *      passed together with the filename (R4+0x2C) to sub_FFC41744 -- the
 *      same routine the open replacement's retry path calls with a 0x41FF
 *      record. Finally: path check, file semaphore release, and BLX into the
 *      callback at [R5+0x14] (if non-zero) with R0 = [R4+0x10].
 * Stack: STMFD {R4,R5,LR} then SUB SP,#0x1C for the record.
 */
void __attribute__((naked,noinline)) sub_FFDDAC74_my(){ //close
 asm volatile(
"		     STMFD   SP!, {R4,R5,LR}\n"
"		     LDR     R5, =0xD60C\n"
"		     MOV     R4, R0\n"
"		     LDR     R0, [R5]\n"
"		     SUB     SP, SP, #0x1C\n"
"		     CMN     R0, #1\n"
"		     BEQ     loc_FFDDACA8\n" // no handle open -> skip close
//"		     BL	     sub_FFC1504C\n" // Close

// PoC: no Close is issued; report success so the error status is not set
"mov r0, #0\n" //pretend it's ok

"		     CMP     R0, #0\n"
"		     LDRNE   R0, =0x9200003\n"
"		     STRNE   R0, [R4,#0x10]\n"
"		     MVN     R0, #0\n"
"		     STR     R0, [R5]\n" // handle := -1
// status bit 0 set -> skip the post-close record below
" loc_FFDDACA8:\n"
"		     LDR     R0, [R4,#0x10]\n"
"		     TST     R0, #1\n"
"		     BNE     loc_FFDDACF0\n"
"		     LDR     R0, =0x81FF\n"
"		     ADD     R1, SP, #0x04\n"
"		     STR     R0, [SP,#0x04]\n"
"		     MOV     R0, #0x20\n"
"		     STR     R0, [SP,#0x08]\n"
"		     LDR     R0, [R4,#4]\n"
"		     STR     R0, [SP,#0x0C]\n"
"		     LDR     R0, [R4,#0xC]\n"
"		     STR     R0, [SP,#0x10]\n"
"		     LDR     R0, [R4,#0xC]\n"
"		     STR     R0, [SP,#0x14]\n"
"		     LDR     R0, [R4,#0xC]\n"
"		     STR     R0, [SP,#0x18]\n"
"		     ADD     R0, R4, #0x2C\n"
"		     BL	     sub_FFC41744\n"
" loc_FFDDACF0:\n"
"		     ADD     R0, R4, #0x2C\n"
"		     BL	     sub_FFC407DC\n" // check for "A/", assert if not found
"		     BL	     sub_FFC41E80\n" // FileSem.c:123
// notify the installed callback (if any) with the status word
"		     LDR     R1, [R5,#0x14]\n"
"		     CMP     R1, #0\n"
"		     LDRNE   R0, [R4,#0x10]\n"
"		     BLXNE   R1\n"
"		     ADD     SP, SP, #0x1C\n"
"		     LDMFD   SP!, {R4,R5,PC}\n"
 );
}
