Ok, I think I have figured out how to read the two first addrs. Well, I have some doubts with capture_err_time_addr, because the instructions here:
https://www.magiclantern.fm/forum/index.php?topic=12523.msg171606#msg171606and
https://www.magiclantern.fm/forum/index.php?topic=12523.msg170756#msg170756give somehow different recipes to obtain it
ff158b64: e28f2f7d add r2, pc, #500 ; ff158d60: (42736373) *"scsBulbEnd"
ff158b68: e20000ff and r0, r0, #255 ; 0xff
ff158b6c: e3a01003 mov r1, #3
ff158b70: eb3ab714 bl loc_67c8
ff158b74: e51f03c0 ldr r0, [pc, #-960] ; ff1587bc: (000760e8)
ff158b78: e3a01001 mov r1, #1
ff158b7c: e5801014 str r1, [r0, #20]
ff158b80: e5900004 ldr r0, [r0, #4]
ff158b84: e8bd8010 pop {r4, pc}
and
ff1c56a0: e28f20f4 add r2, pc, #244 ; ff1c579c: (435f4146) *"FA_CaptureTestImage(hJob:%#lx)"
ff1c56a4: e1a03004 mov r3, r4
ff1c56a8: e3a01016 mov r1, #22
ff1c56ac: e3a00090 mov r0, #144 ; 0x90
ff1c56b0: eb390444 bl loc_67c8
ff1c56b4: e1a00004 mov r0, r4
ff1c56b8: ebfc5756 bl loc_ff0db418
ff1c56bc: e51f41b8 ldr r4, [pc, #-440] ; [b]ff1c550c[/b]: (80040000)
ff1c56c0: e3a02004 mov r2, #4
ff1c56c4: e1a0100d mov r1, sp
ff1c56c8: e1a00004 mov r0, r4
ff1c56cc: ebfffbe5 bl loc_ff1c4668
ff1c56d0: e59d0000 ldr r0, [sp]
ff1c56d4: e3a02004 mov r2, #4
ff1c56d8: e3800004 orr r0, r0, #4
loc_ff1c56dc: ; 3 refs
ff1c56dc: e58d0000 str r0, [sp]
ff1c56e0: e1a0100d mov r1, sp
ff1c56e4: e1a00004 mov r0, r4
ff1c56e8: ebfffb26 bl loc_ff1c4388
ff1c56ec: e3a00014 mov r0, #20
ff1c56f0: eb390fe4 bl loc_9688
ff1c56f4: e51f11d8 ldr r1, [pc, #-472] ; ff1c5524: (ff1c52b4)
ff1c56f8: e24f0f76 sub r0, pc, #472 ; ff1c5528: (525f4146) *"FA_RegisterPostNextCBR"
ff1c56fc: ebfe044e bl loc_ff14683c
ff1c5700: ebfc5754 bl loc_ff0db458
ff1c5704: e28f00b0 add r0, pc, #176 ; ff1c57bc: (5f746873) *"sht_FA_ReleaseStart"
ff1c5708: eb05b14d bl loc_ff331c44
ff1c570c: e3a00014 mov r0, #20
ff1c5710: eb390fdc bl loc_9688
ff1c5714: ebfc5758 bl loc_ff0db47c
ff1c5718: e28f00b0 add r0, pc, #176 ; ff1c57d0: (5f746873) *"sht_FA_ReleaseData"
ff1c571c: eb05b148 bl loc_ff331c44
ff1c5720: e51f05cc ldr r0, [pc, #-1484] ; ff1c515c: (00078704)
ff1c5724: e51f11a4 ldr r1, [pc, #-420] ; ff1c5588: (00004e20)
ff1c5728: e5900010 ldr r0, [r0, #16]
ff1c572c: eb390e9e bl loc_91ac
ff1c5730: e3100001 tst r0, #1
ff1c5734: 159f2050 ldrne r2, [pc, #80] ; ff1c578c: (ff1c518c) **"ERROR TakeSemaphore"
At some point I see
ff1cab44: ebfdef3c bl loc_ff14683c
ff1cab48: e59d0044 ldr r0, [sp, #68] ; 0x44
ff1cab4c: e59011a8 ldr r1, [r0, #424] ; 0x1a8
ff1cab50: e51f0cdc ldr r0, [pc, #-3292] ; ff1c9e7c: (ff1c83f4) **"FA_SetChannelNum"
ff1cab54: ebfdef38 bl loc_ff14683c
ff1cab58: ea00000c b loc_ff1cab90
[b]ff1cab5c[/b]: 00004e20 andeq r4, r0, r0, lsr #28
ff1cab60: ff1c9dd0 ; <UNDEFINED> instruction: 0xff1c9dd0
ff1cab64: ff1c9df0 ; <UNDEFINED> instruction: 0xff1c9df0
ff1cab68: ff1c9e04 ; <UNDEFINED> instruction: 0xff1c9e04
ff1cab6c: ff1c9e24 ; <UNDEFINED> instruction: 0xff1c9e24
ff1cab70: ff1c9e40 ; <UNDEFINED> instruction: 0xff1c9e40
ff1cab74: ff1c9e58 ; <UNDEFINED> instruction: 0xff1c9e58
So, in summary, bulb_end_addr = 000760e8 + #20 (dec) = 00760FC and capture_err_time_addr = 0xFF1C550C ? (line ff1c56bc: e51f41b8 ldr r4, [pc, #-440]
or is it 0xFF1CAB5C? (line: 00004e20 andeq r4, r0, r0, lsr #28)
if (is_camera("6D", "1.1.6"))
{
bulb_end_addr = 0x760FC // or 0x760F8 ??;
capture_err_time_addr = 0xFF1C550C; // or 0xFF1CAB5C ???
frsp_tv_addr = ???; // cameras with SHOOTMODE_BULB need fake SHUTTER_BULB
}
What I don't know is how to get the frsp_tv_addr. There is a script from Greg, but I really don't know what to do with it. How do I compile it? Or is there any way to look for it directly in the BIN file like for the other two addrs?
Link to the ROM1.BIN.DIS:
https://drive.google.com/file/d/1Y9X8V07nVk2IqeodRrBkdPfgQqmX7CdK/view?usp=share_linkLink to the ROM1.BIN:
https://drive.google.com/file/d/1jwIpmLbgh9X2rajzJBLbVAu4PTywTWtb/view?usp=share_link
