Finding AE sensors

Started by pravdomil, August 31, 2013, 07:50:28 PM


pravdomil

Well, I need some help with reverse engineering.
I want to find the brightness sensors in the viewfinder.
If we find them, we can implement ETTR in shooting mode, or "auto exposure compensation" as I call it. I will describe it later.

There are a few ways to find them. I chose the debug flag.
After some research with nanomad, I found that AE_VALUE is probably set in the function copyOlcDataToStorage.
Nanomad says that the function copies the computed AE_VALUE from the Toshiba MCU.
So my first step is to find the address the data is copied from. I tried to set a debug flag here, but it doesn't work; my flag wasn't triggered. There are some reasons why:
I spied the wrong address (maybe I have the ROM image loaded wrong)
AE_VALUE is set somewhere else
g3gg0: iirc some cameras permanently cleared the ICACHE in PwrMgr task, not sure if this is the case on 5D2

So please could anybody spy this?

LDRB            R0, [R8,#2]      ; R8 is what we need
STRB            R0, [R9,#0x1D]   ; 0x1D is struct offset of AE_VALUE


use this https://bitbucket.org/hudson/magic-lantern/pull-request/193/debugger-module

1%

All I see is:


ROM:FF9C6624                 CMP     R6, R4
ROM:FF9C6628                 BLT     loc_FF9C6600
ROM:FF9C662C                 LDR     R9, =0x13008


Maybe you need to decompile this function?

I think R8 comes from the stack pointer.


ROM:FF9C65D0                 LDMIB   R5, {R0,R4}
ROM:FF9C65D4                 LDRB    R7, [R0]
ROM:FF9C65D8                 LDRB    R10, [R0,#1]
ROM:FF9C65DC                 LDR     R8, [R5]



ROM:FF89143C                 STMIA   R0, {R4,R5,R9}
ROM:FF891440                 ADD     R0, SP, #0x40+var_34
ROM:FF891444                 BL      str_copyOlcDataToStorage
ROM:FF891448                 MOV     R0, R5
ROM:FF89144C                 BL      sub_FF86F4FC
ROM:FF891450                 LDR     R1, [SP,#0x40+var_28+4]
ROM:FF891454                 LDR     R0, =0x10000095
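To answer the question above (where does R8, and so the byte stored at offset 0x1D, actually come from?) statically, here is a small backward-slicing helper over the listings quoted in this thread. It is an added example, not code from the thread or from Magic Lantern; the fragment it walks is constructed by joining the snippets posted above, and the rule that a BL clobbers R0-R3 is an AAPCS assumption.

```python
import re
# Constructed sample: the snippets quoted in this thread, joined (last two had no ROM addresses).
SAMPLE = """
ROM:FF9C65D0                 LDMIB   R5, {R0,R4}
ROM:FF9C65D4                 LDRB    R7, [R0]
ROM:FF9C65D8                 LDRB    R10, [R0,#1]
ROM:FF9C65DC                 LDR     R8, [R5]
LDRB            R0, [R8,#2]      ; R8 is what we need
STRB            R0, [R9,#0x1D]   ; 0x1D is struct offset of AE_VALUE
"""
REG = re.compile(r"\b(?:R1[0-5]|R[0-9]|SP|LR|PC)\b")
LINE = re.compile(r"^(?:ROM:([0-9A-Fa-f]+))?\s*([A-Z]+)\s+(.*?)\s*(?:;.*)?$")

def parse(listing):
    """Turn an IDA-style dump into (address or None, mnemonic, operands) tuples."""
    return [m.groups() for m in (LINE.match(l.strip()) for l in listing.strip().splitlines()) if m]

def defs_uses(mnem, ops):
    """Registers written and registers read by one instruction (the ARM subset seen here)."""
    if mnem == "BL":
        return {"R0", "R1", "R2", "R3"}, set()      # assumption: AAPCS caller-saved R0-R3 clobbered
    if mnem.startswith("LDM"):                        # LDMIB R5, {R0,R4}: reads base, writes the list
        base, loaded = ops.split(",", 1)
        return set(REG.findall(loaded)), set(REG.findall(base))
    if mnem in ("LDR", "LDRB", "MOV", "ADD", "SUB"):  # first operand is the destination
        dest, rest = ops.split(",", 1)
        return set(REG.findall(dest)), set(REG.findall(rest))
    return set(), set(REG.findall(ops))               # STR/STM/CMP/branches: read-only

def index_of(insns, mnem, needle):
    """Index of the first instruction with this mnemonic whose operands contain needle."""
    return next(i for i, (_, m, ops) in enumerate(insns) if m == mnem and needle in ops)

def backward_slice(insns, start, reg):
    """Instructions feeding `reg` as read at index `start`: take the latest definition, then
    chase what it reads. Returns the chain in order plus registers never defined here."""
    wanted, chain = {reg}, []
    for i in range(start - 1, -1, -1):
        written, read = defs_uses(insns[i][1], insns[i][2])
        hit = wanted & written
        if hit:
            chain.append(i)
            wanted = (wanted - hit) | read
    return sorted(chain), wanted

if __name__ == "__main__":
    insns = parse(SAMPLE)
    chain, external = backward_slice(insns, index_of(insns, "STRB", "#0x1D"), "R0")
    print([insns[i] for i in chain], "inputs from caller:", sorted(external))
```

For this fragment the chain ends at `LDR R8, [R5]` with R5 undefined inside it, which is exactly the hint to look at the caller (the jump-table call site) for where the struct pointer is set up.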


1%

It looks like it's passed into the function when it's called from that big jump table.
FF891444

Break point that and see?

pravdomil

Not triggered anywhere.
ADD             R0, SP, #0xC ; jumptable FF8A02B0 case 59
STMIA           R0, {R4,R5,R9}
ADD             R0, SP, #0xC
BL              sub_FF9D65B0 ; copyOlcDataToStorage

pravdomil

Maybe we can use mem_spy, but where can it be stored? What address?

1%

Possible to step through the function with GDB and look at all register addresses/contents?


1%

Well, you set a breakpoint/watchpoint at some address, or you can cache hack and take over the copyolcdata function and read out its parameters, then send it on its way? Somehow this is done for the cmos/adtg functions?


pravdomil

I tried gdb_add_watchpoint into copyOlcDataToStorage func and to jump table, but it wasn't triggered.

Quote from: 1% on September 01, 2013, 06:23:36 PM
or you can cache hack and take over the copyolcdata function and read out its parameters then send it on its way?
Well, this is too hard for me; I'll take a look at the cache hack functions.

pravdomil

Quote from: 1% on September 01, 2013, 06:23:36 PM
you can cache hack and take over the copyolcdata function and read out its parameters then send it on its way? Somehow this is done for the cmos/adtg functions?

Could you please send me some hints on how to do it?