Camera DryOS copies .fir file into RAM at 0x800000 and jumps into it.
The first instruction does a long jump to 0x80000c to clear some headers
The CPSR is updated to put the ARM into supervisor mode (it already is)
An initial stack is setup at 0x1900
Branch to cstart() in reboot.c
set up the memory regions for the camera version of DryOS
enable all caches and rw regions
select reboot vectors in low memory
copies the 5d-hack.bin blob to above the DryOS BSS
This is the RESTARTSTART location
End of BSS is found in _entry() where it loops to zero it
Note off by 0x120 error due to .fir header.
flushes caches
Jumps into 5d-hack.bin copy_and_restart() code at RESTARTSTART (0x48000)
copy_and_restart() must be first routine in 5d-hack.c
copy_and_restart() copies the first 64 KB of ROM to 0x50000
It then patches a few instructions to fixup some branch instructions and to return to its control before control is transfered to the cstart() routine in the firmware. It also updates the end of the BSS so that both itself and the copied portion of DryOS will be saved
It installs a task dispatch hook in the function pointer at 0x1934. This will be called when ever a new task is run, allowing our code to disable Canon tasks or re-purpose them with our own implementations.