General Notes
These are some interesting locations I have noticed while looking through the 500D/T1i firmware dump, specifically in the IDLE handler. They appear to be button-press related; I will update this page as I find more.
Breaking down GUI Events
I've been spending some time breaking down the IDLE handler and figuring out which event IDs end up at which code. Below is my list of events and their corresponding locations in the firmware dump. arg1 appears to be the current event ID being processed by the IDLE handler, since its values match the GUI events seen so far in event spy.
IF arg1 == 0x800 --> loc_FF1CC990 "IDLEHandler GOT_TOP_OF_CONTROL"
IF arg1 == 0x802 --> loc_FF1CC16C "IDLEHandler INITIALIZE_CONTROLLER"
IF arg1 == 0x807 --> loc_FF1CC16C "IDLEHandler PRESS_RIGHT_BUTTON"
IF arg1 == 0x809 --> loc_FF1CCDB0 "IDLEHandler PRESS_LEFT_BUTTON"
IF arg1 == 0x80B --> loc_FF1CCE24 "IDLEHandler PRESS_UP_BUTTON"
IF arg1 == 0x80D --> loc_FF1CC3CC "IDLEHandler PRESS_DOWN_BUTTON"
IF arg1 == 0x80F --> loc_FF1CC9B4 "IDLEHandler PRESS_MENU_BUTTON"
IF arg1 == 0x812 --> loc_FF1CCB54 "GuiMainEventHandlerKeyEvent.c PRESS_SET_BUTTON GUI_SHOOT_LV Requ"
IF arg1 == 0x829 --> sub_FF2DDDB8 "GuiMainEventHandlerKeyEvent.c PRESS_INFO_BUTTON"
IF arg1 == 0x10000000 --> loc_FF1CCBB0 "IDLEHandler PRESS_DISP_BUTTON"
IF arg1 == 0x10000003 --> loc_FF1CCC08 "IDLEHandler PRESS_ PICTURE_STYLE or PROTECTMIC _BUTTON[%d]"
IF arg1 == 0x10000005 --> sub_FF2DDA54 "GuiMainEventHandlerKeyEvent.c PRESS_DIRECT_PRINT_BUTTON"
IF arg1 == 0x10000007 --> loc_FF1CCB84 "GuiMainEventHandlerKeyEvent.c PRESS_FUNC_BUTTON"
IF arg1 == 0x10000009 --> loc_FF1CCC08 "IDLEHandler PRESS_ PICTURE_STYLE or PROTECTMIC _BUTTON[%d]"
IF arg1 == 0x1000000A --> loc_FF1CCC08 "IDLEHandler PRESS_ PICTURE_STYLE or PROTECTMIC _BUTTON[%d]"
IF arg1 == 0x1000000B --> loc_FF1CC4D8 "DlgLiveView.c PRESS_FEL_BUTTON"
IF arg1 == 0x1000000D --> loc_FF1CC4E0 "GuiMainEventHandlerKeyEvent.c PRESS_LV_MOVIE_START_BUTTON"
IF arg1 == 0x1000000E --> loc_FF1CC4E4 "IDLEHandler OPEN_SLOT_COVER "
IF arg1 == 0x1000000F --> loc_FF1CC4E8 "IDLEHandler CLOSE_SLOT_COVER "
IF arg1 == 0x10000012 --> loc_FF1CC4F4 "IDLEHandler START_IDLE_MODE"
IF arg1 == 0x10000013 --> loc_FF1CC4F8 "IDLEHandler START_MENU_MODE"
IF arg1 == 0x10000014 --> loc_FF1CC4FC "IDLEHandler START_PLAY_MODE"
IF arg1 == 0x10000015 --> loc_FF1CC500 "IDLEHandler START_RTCSET_MODE"
IF arg1 == 0x10000016 --> loc_FF1CC504 "IDLEHandler START_DIRECTTRANSFER_MODE"
IF arg1 == 0x10000017 --> loc_FF1CC508 "IDLEHandler START_PICTURESTYLE_MODE"
IF arg1 == 0x10000018 --> loc_FF1CC50C "IDLEHandler START_MENU_WB_MODE"
IF arg1 == 0x10000019 --> loc_FF1CDCB0 "IDLEHandler START_MENU_IMAGESIZE_MODE"
IF arg1 == 0x1000001A --> loc_FF1CC524 "IDLEHandler START_MENU_MEDIA_FOLDER_MODE"
IF arg1 == 0x1000001B --> loc_FF1CC528 "IDLEHandler START_MENU_DRIVE_MODE"
IF arg1 == 0x1000001C --> loc_FF1CC52C "IDLEHandler START_MENU_AF_MODE"
IF arg1 == 0x1000001D --> loc_FF1CC530 "IDLEHandler START_MENU_FECOMP_MODE"
IF arg1 == 0x1000001E --> loc_FF1CC534 "IDLEHandler START_FUNC_MENU_MODE"
IF arg1 == 0x1000001F --> loc_FF1CC538 "IDLEHandler START_MENU_BATTERY_MODE"
IF arg1 == 0x10000020 --> loc_FF1CC53C "IDLEHandler START_MENU_BATTERY_HISTORY_MODE"
IF arg1 == 0x10000021 --> loc_FF1CC540 "IDLEHandler START_USB_ERR"
IF arg1 == 0x10000022 --> loc_FF1CC544 "IDLEHandler START_QR_MODE"
IF arg1 == 0x10000023 --> loc_FF1CC548 "IDLEHandler START_QR_ERASE_MODE"
IF arg1 == 0x10000024 --> loc_FF1CC54C "IDLEHandler START_INFO_MODE"
IF arg1 == 0x10000025 --> loc_FF1CC550 "IDLEHandler START_INFO_LEVEL_MODE"
IF arg1 == 0x10000026 --> loc_FF1CC554 "IDLEHandler START_WARNING_CRYPTO"
IF arg1 == 0x10000027 --> loc_FF1CC558 "IDLEHandler START_WARNING_SW1OFF"
IF arg1 == 0x10000028 --> loc_FF1CC55C "IDLEHandler START_WARNING_RECBUSY"
IF arg1 == 0x10000029 --> loc_FF1CC560 "IDLEHandler START_WARNING_DISABLE_LV"
IF arg1 == 0x1000002A --> loc_FF1CC564 "IDLEHandler START_WARNING_DISABLE_RELEASE"
IF arg1 == 0x1000002B --> loc_FF1CC568 "IDLEHandler START_WARNING_NR_BUSY_FOR_LV"
IF arg1 == 0x1000002C --> loc_FF1CC56C "IDLEHandler START_WARNING_CAMERA_ERR"
IF arg1 == 0x1000002D --> loc_FF1CC570 "IDLEHandler START_WARNING_LENSLESS_MOVIE_MODE"
IF arg1 == 0x1000002E --> loc_FF1CC574 "IDLEHandler START_WARNING_MISC_MOVIE_MODE"
IF arg1 == 0x1000002F --> loc_FF1CC578 "***** IDLEHandler START_OLC_MODE"
IF arg1 == 0x10000030 --> loc_FF1CC57C "IDLEHandler START_UNAVI_MODE"
IF arg1 == 0x10000031 --> loc_FF1CC580 "IDLEHandler START_UNAVI_ISO_MODE"
IF arg1 == 0x10000032 --> loc_FF1CE22C "IDLEHandler START_UNAVI_COMP_AEB_MODE"
IF arg1 == 0x10000033 --> loc_FF1CC5B8 "IDLEHandler START_UNAVI_EFCOMP_MODE"
IF arg1 == 0x10000034 --> loc_FF1CC5BC "IDLEHandler START_UNAVI_AFFRAME_MODE"
IF arg1 == 0x10000035 --> loc_FF1CC5C0 "IDLEHandler START_UNAVI_PS_MODE"
IF arg1 == 0x10000036 --> loc_FF1CC5C4 "IDLEHandler START_UNAVI_WB_MODE"
IF arg1 == 0x10000037 --> loc_FF1CC5C8 "IDLEHandler START_UNAVI_METERING_MODE"
IF arg1 == 0x10000038 --> loc_FF1CC5CC "IDLEHandler START_UNAVI_QUALITY_MODE"
IF arg1 == 0x10000039 --> loc_FF1CC5D0 "IDLEHandler START_UNAVI_AF_MODE"
IF arg1 == 0x1000003A --> loc_FF1CC5D4 "IDLEHandler START_UNAVI_DRIVE_MODE"
IF arg1 == 0x1000003C --> loc_FF1CC5DC "***** IDLEHandler START_LV_MODE"
IF arg1 == 0x1000003D --> loc_FF1CC5E0 "IDLEHandler START_LV_PS_SETTING_MODE"
IF arg1 == 0x1000003E --> loc_FF1CC5E4 "IDLEHandler START_SERVICE_MENU"
IF arg1 == 0x1000003F --> loc_FF1CC5E8 "IDLEHandler POST_QR_IMAGE (0x%x,%d)"
IF arg1 == 0x10000040 --> loc_FF1CEA30 "IDLEHandler.c POST_MADE_FILE(0x%x)"
IF arg1 == 0x10000041 --> loc_FF1CCF88 "IDLEHandler PRESS_SW1_BUTTON"
IF arg1 == 0x10000042 --> loc_FF1CC5EC "IDLEHandler UNPRESS_SW1_BUTTON"
IF arg1 == 0x10000043 --> loc_FF1CC5EC "IDLEHandler PRESS_SW2_BUTTON"
IF arg1 == 0x10000044 --> loc_FF1CC7BC "IDLEHandler UNPRESS_SW2_BUTTON"
IF arg1 == 0x10000050 --> loc_FF1CC7BC "IDLEHandler LOCAL_ERASEALL_PROGRESS(%d)"
IF arg1 == 0x10000054 --> loc_FF1CC828 "IDLEHandler: LOCAL_CANCEL_COPYFILE"
IF arg1 == 0x10000055 --> loc_FF1CEC24 "IDLEHandler LOCAL_FINISH_MRK_WRITE"
IF arg1 == 0x10000058 --> loc_FF1CCFF4 "IDLEHandler LOCAL_DATETIME_NOTHING"
IF arg1 == 0x10000059 --> loc_FF1CD024 "IDLEHandler LOCAL_REFRESH_BATTERIESHISTORY"
IF arg1 == 0x1000005C --> loc_FF1CEF70 "IDLEHandler LOCAL_FILEHANDLE_CLEAR "
IF arg1 == 0x1000005D --> loc_FF1CEF8C "IDLEHandler LOCAL_FINISH_PROTECT(%d)"
IF arg1 == 0x1000006F --> loc_FF1CECB8 "IDLEHandler LOCAL_TURNBACK_DCIM_FOLDER"
IF arg1 == 0x10000079 --> loc_FF1CEE4C "IDLEHandler LOCAL_AEMODE_CHECK "
IF arg1 == 0x10000081 --> loc_FF1CEFBC "IDLEHandler LOCAL_MOVIE_RECORD_STOP"
IF arg1 == 0x10000088 --> loc_FF1CC860 "IDLEHandler OTHER_NOTIFY_JOB_STATE"
IF arg1 == 0x10000089 --> loc_FF1CEA8C "IDLEHandler OTHER_DO_COPY_JOB_STATE"
IF arg1 == 0x1000008B --> loc_FF1CEBEC "IDLEHandler OTHER_DO_COPY_DEVICE_STATE"
IF arg1 == 0x1000008C --> loc_FF1CC8DC "IDLEHandler OTHER_LARGE_MEMORY_STATE"
IF arg1 == 0x10000090 --> loc_FF1CFAD0 ???
IF arg1 == 0x10000091 --> loc_FF1CE564 "IDLEHandler START_SHOOT_NORMAL"
IF arg1 == 0x10000092 --> loc_FF1CE704 "IDLEHandler START_SHOOT_DDD"
IF arg1 == 0x10000093 --> loc_FF1CE834 "IDLEHandler START_SHOOT_MWB"
IF arg1 == 0x10000094 --> loc_FF1CE858 "IDLEHandler START_SHOOT_LV"
IF arg1 == 0x10000095 --> loc_FF1CE900 "IDLEHandler START_SHOOT_MOVIE"
IF arg1 == 0x100000A0 --> loc_FF1CF5C8 "IDLEHandler START_OLC_BULB"
IF arg1 == 0x100000A1 --> loc_FF1CF7E0 "IDLEHandler OTHER_DISCONNECT_LAN_CABLE"
IF arg1 == 0x100000A6 --> loc_FF1CF62C "IDLEHandler OTHER_ERROR_LAN_STATUS"
IF arg1 == 0x100000A7 --> loc_FF1CF820 "IDLEHandler OTHER_LAN_NETWORK_STATUS[%ld]"
IF arg1 == 0x100000A9 --> loc_FF1CF848 "IDLEHandler OTHER_LAN_DEVICE_DOWN"
IF arg1 == 0x100000AB --> loc_FF1CF878 "IDLEHandler OTHER_REMOTE_OLC_OFF(%d)"
IF arg1 == 0x100000AC --> loc_FF1CF19C "IDLEHandler OTHER_SUSPEND bLockOff(%d)"
IF arg1 == 0x100000AD --> loc_FF1CF228 "IDLEHandler UI_OK"
IF arg1 == 0x100000AE --> loc_FF1CF4DC "IDLEHandler START_AS_CHECK[%d]"
IF arg1 == 0x100000AF --> loc_FF1CEE6C "IDLEHandler GUI_LOCK_OFF "
IF arg1 == 0x100000B0 --> loc_FF1CEEAC "IDLEHandler GUI_LOCK_ON "
IF arg1 == 0x100000B1 --> loc_FF1CF9AC "IDLEHandler SERVICE_MENU"
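A note on the run of locations spaced exactly 4 bytes apart (loc_FF1CC4E4, loc_FF1CC4E8, loc_FF1CC4F4 ... loc_FF1CC580 and again loc_FF1CC5B8 ... loc_FF1CC5EC): one word per case is what an ARM compiler emits for a switch when it uses the "CMP rX, #max; ADDLS PC, PC, rX, LSL #2" idiom followed by a table of B instructions, so those addresses are probably the table entries rather than the case bodies, and the body for each event is wherever the B at that address points. That is an inference from the spacing, not something this page has confirmed in the dump. The following is an added example (my own code, not from this wiki or from Magic Lantern) that decodes such a table: it reads each 32-bit word, checks that it is an ARM B, sign-extends the 24-bit word offset and adds it to PC+8 to recover the real target. The sample table it runs on is constructed with hypothetical addresses (base 0x1000, targets 0x2000, 0x0F00, 0x1200); to use it on the dump you would load the words at the listed loc_ addresses and pass the real base.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* ARM (A32) B: cond[31:28] 1010[27:24] imm24[23:0]. The target is
   (address of the B) + 8 + sign_extend(imm24) * 4. 0xEA... is B with
   the "always" condition. */
#define ARM_B_AL     0xEA000000u
#define ARM_OP_MASK  0x0F000000u
#define ARM_OP_B     0x0A000000u

/* Decode one B instruction located at addr. Returns 1 and stores the
   target, or 0 if the word is not a B (any condition code is accepted). */
int decode_arm_b(uint32_t addr, uint32_t insn, uint32_t *target)
{
    if ((insn & ARM_OP_MASK) != ARM_OP_B)
        return 0;
    int32_t words = (int32_t)(insn & 0x00FFFFFFu);
    if (words & 0x00800000)            /* sign bit of the 24-bit field */
        words -= 0x01000000;
    *target = addr + 8u + (uint32_t)words * 4u;   /* modular arithmetic */
    return 1;
}

/* Encode "B target" for a B placed at addr (used only to build the sample
   table; the offset must fit in 24 signed words, i.e. +/-32 MiB). */
uint32_t encode_arm_b(uint32_t addr, uint32_t target)
{
    int64_t diff = (int64_t)target - (int64_t)(addr + 8u);
    int32_t words = (int32_t)(diff / 4);
    return ARM_B_AL | ((uint32_t)words & 0x00FFFFFFu);
}

/* Walk a dispatch table of n consecutive B instructions starting at base.
   targets[i] receives the case body for index i, or 0 if entry i is not a
   B. Returns the number of entries decoded successfully. */
size_t walk_branch_table(uint32_t base, const uint32_t *words, size_t n,
                         uint32_t *targets)
{
    size_t ok = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t addr = base + (uint32_t)(i * 4);
        if (decode_arm_b(addr, words[i], &targets[i]))
            ok++;
        else
            targets[i] = 0;
    }
    return ok;
}

/* Constructed sample (hypothetical addresses, not words from the 500D
   dump): a 4-entry table at 0x1000 with three B entries and one word that
   is not a branch, to show the failure path. */
#define SAMPLE_BASE  0x1000u
#define SAMPLE_COUNT 4u

size_t demo_table(uint32_t targets[SAMPLE_COUNT])
{
    const uint32_t bodies[3] = { 0x2000u, 0x0F00u, 0x1200u };
    uint32_t words[SAMPLE_COUNT];
    for (size_t i = 0; i < 3; i++)
        words[i] = encode_arm_b(SAMPLE_BASE + (uint32_t)(i * 4), bodies[i]);
    words[3] = 0xE1A00000u;            /* MOV r0, r0: not a branch */
    return walk_branch_table(SAMPLE_BASE, words, SAMPLE_COUNT, targets);
}

int main(void)
{
    uint32_t targets[SAMPLE_COUNT];
    size_t ok = demo_table(targets);
    printf("%zu of %u entries decoded\n", ok, SAMPLE_COUNT);
    for (size_t i = 0; i < SAMPLE_COUNT; i++)
        printf("entry %zu @ 0x%08X -> 0x%08X\n", i,
               SAMPLE_BASE + (uint32_t)(i * 4), targets[i]);
    return 0;
}
```

A quick sanity check for the decoder is the classic branch-to-self word 0xEAFFFFFE: at any address it must decode to that same address. If an entry in the real table decodes to something outside the ROM (or is not a B at all), the assumption that the run is a branch table is wrong for that entry, which is also worth knowing.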
Structures in Memory
I was looking through the IDLE handler in IDA when I noticed a lot of references to one location, 0x3A64, accessed at various offsets. I decided to do a bmp_hexdump() and see what was there. Dumping 20 lines of 32 bytes of memory starting from 0x3A64:
bmp_hexdump(FONT_SMALL, 0, 50, 0x3a64, 32*20);
I noticed that 0x3AD8 was updating with a 0 or 1 depending on whether I had the shutter pressed halfway, so it looks like this location (among many others) holds the state of the half-shutter press.
0x3A64 (struct?)
0x3a64
...
...
0x3ad8 - 0 or 1 for half shutter press; also set by a zoom out press (in live view / shoot mode / movie mode as well)
...
...
0x3bac - counts by 1 for each left / right button press only - doesn't increment if left or right are held down, only on each successive press/unpress.
...
...
0x3bcc - 0x41 idle -- 0x39 press left / 0x3b up / 0x37 right / 0x3d down
...
...
0x3d70 - some kind of counter - counts faster than a second, only in live view / movie mode.
...
...
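A single bmp_hexdump() shows a snapshot; what actually located 0x3AD8 was comparing snapshots with and without the shutter half pressed, and the 0x3d70 counter shows why that has to be done carefully: in live view some bytes change on their own, so a naive diff always reports them. The following is an added example (my own code, not from this wiki or from Magic Lantern) of that procedure in C: take two captures with nothing pressed, mark every byte that differs between them as noise, then diff an idle capture against a capture taken during a button press and ignore the noisy bytes. The captures it runs on are constructed in the code rather than read from a camera; on the camera each capture would be a memcpy() of the region into a buffer. Offsets are the ones listed above, relative to 0x3A64, and the window is extended slightly past the page's 20 x 32-byte dump so that 0x3d70 falls inside it.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Window to snapshot: 0x3A64 up to (not including) 0x3D80, a little more
   than the 20 x 32-byte dump on the page so that 0x3D70 is covered. */
#define REGION_BASE 0x3A64u
#define REGION_END  0x3D80u
#define REGION_LEN  (REGION_END - REGION_BASE)

/* Offsets of the bytes identified on the page, relative to REGION_BASE. */
#define OFF_HALF_SHUTTER (0x3AD8u - REGION_BASE)  /* 0/1 on half press      */
#define OFF_LR_COUNTER   (0x3BACu - REGION_BASE)  /* left/right press count */
#define OFF_ARROW_CODE   (0x3BCCu - REGION_BASE)  /* 0x41 idle, 0x39 left.. */
#define OFF_LV_COUNTER   (0x3D70u - REGION_BASE)  /* free-running in LV     */

struct byte_change {
    uint32_t addr;      /* absolute address of the byte */
    uint8_t  before;
    uint8_t  after;
};

/* Bytes that differ between two captures taken with no buttons touched are
   background activity (the 0x3D70 tick in live view, for one). Mark them so
   a later press-vs-idle comparison can skip them: mask[i] = 1 is "noisy". */
void build_noise_mask(const uint8_t *idle_a, const uint8_t *idle_b,
                      size_t len, uint8_t *mask)
{
    for (size_t i = 0; i < len; i++)
        mask[i] = (idle_a[i] != idle_b[i]) ? 1 : 0;
}

/* Collect bytes that changed between 'before' and 'after', skipping masked
   ones (mask may be NULL). Returns the total number of changes; at most
   max_out of them are written to out. */
size_t diff_snapshots(const uint8_t *before, const uint8_t *after,
                      const uint8_t *mask, size_t len,
                      struct byte_change *out, size_t max_out)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        if (before[i] == after[i] || (mask && mask[i]))
            continue;
        if (n < max_out) {
            out[n].addr   = REGION_BASE + (uint32_t)i;
            out[n].before = before[i];
            out[n].after  = after[i];
        }
        n++;
    }
    return n;
}

/* Name the arrow-key code the page observed at 0x3BCC. */
const char *arrow_name(uint8_t code)
{
    switch (code) {
    case 0x41: return "idle";
    case 0x39: return "left";
    case 0x3B: return "up";
    case 0x37: return "right";
    case 0x3D: return "down";
    default:   return "unknown";
    }
}

/* Constructed captures (not real camera memory): two idle captures in live
   view that differ only in the free-running counter. */
static uint8_t idle_a[REGION_LEN], idle_b[REGION_LEN], noise_mask[REGION_LEN];

static void build_idle_captures(void)
{
    memset(idle_a, 0, sizeof idle_a);
    idle_a[OFF_ARROW_CODE] = 0x41;
    idle_a[OFF_LV_COUNTER] = 100;
    memcpy(idle_b, idle_a, sizeof idle_b);
    idle_b[OFF_LV_COUNTER] = 137;             /* ticked, nothing pressed */
    build_noise_mask(idle_a, idle_b, REGION_LEN, noise_mask);
}

/* Shutter half pressed: returns how many changes survive the noise mask and
   stores the first one in *first (expected: one change, at 0x3AD8). */
size_t demo_half_press(struct byte_change *first)
{
    static uint8_t pressed[REGION_LEN];
    struct byte_change found[8];
    build_idle_captures();
    memcpy(pressed, idle_b, sizeof pressed);
    pressed[OFF_LV_COUNTER]   = 180;          /* still ticking */
    pressed[OFF_HALF_SHUTTER] = 1;            /* the state being hunted */
    size_t n = diff_snapshots(idle_b, pressed, noise_mask, REGION_LEN, found, 8);
    if (n > 0 && first) *first = found[0];
    return n;
}

/* Left arrow pressed: the key code at 0x3BCC changes and the press counter
   at 0x3BAC goes up by one, so two changes survive the mask. */
size_t demo_left_press(struct byte_change *found, size_t max_out)
{
    static uint8_t pressed[REGION_LEN];
    build_idle_captures();
    memcpy(pressed, idle_b, sizeof pressed);
    pressed[OFF_LV_COUNTER]  = 180;
    pressed[OFF_ARROW_CODE]  = 0x39;
    pressed[OFF_LR_COUNTER] += 1;
    return diff_snapshots(idle_b, pressed, noise_mask, REGION_LEN, found, max_out);
}

int main(void)
{
    struct byte_change c = {0, 0, 0};
    size_t n = demo_half_press(&c);
    printf("half press: %zu change(s) after masking, first at 0x%04X: %u -> %u\n",
           n, c.addr, c.before, c.after);
    struct byte_change lc[8];
    n = demo_left_press(lc, 8);
    for (size_t i = 0; i < n && i < 8; i++)
        printf("left press: 0x%04X: 0x%02X -> 0x%02X (%s)\n", lc[i].addr,
               lc[i].before, lc[i].after, arrow_name(lc[i].after));
    return 0;
}
```

On the camera, take the two idle captures a second or two apart so that anything that ticks on its own (the 0x3d70 counter in live view and movie mode) is masked out, and take the pressed capture while the button is actually held; a byte that only flips on press/unpress, like the 0x3bac counter, shows up in a capture taken after the release rather than during the press.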
Todo:
Finish breaking down the IDLE handler.
Figure out how the IDLE handler is called, specifically where arg0-arg3 come from.