Lots of interesting stuff can be found at certain addresses in camera RAM. The 350D/450D hacks use this approach much more than ML.
After getting some interesting addresses, use the Struct_Guessing technique to find out more about them (e.g. how to find the same addresses on other cameras).
550D
I've found the following interesting addresses on the 550D:
- 0x41d0: focus confirmation status (boolean)
- 0x2dec: display sensor (face sensor on top of the LCD, boolean)
- 0x5780, 0x39e8, 0x1bb0, 0x313c: shutter-related. May be shared with other stuff.
- 0x40D07800: start of a 720x480 YUV 4-2-2 VRAM buffer (live view image buffer maybe). Odd pixels are luma (Y).
- 0xC0220104: display sensor maybe?
- 0x1bb4: a message queue
- 0x1db2: orientation sensor (int8, only in LiveView): 0 - landscape (the same value for down and upside down), 1 - portrait anti-clockwise, 2 - portrait clockwise [credits go to mart]
To find relevant memory addresses, use the mem-spy tool (Debug -> Toggle mem-spy). It displays the values in memory that change, but not too often (so it filters out most irrelevant results).
CONFIG_INT( "debug.mem-spy", mem_spy, 0 );
CONFIG_INT( "debug.mem-spy.start.lo", mem_spy_start_lo, 0 ); // start from here
CONFIG_INT( "debug.mem-spy.start.hi", mem_spy_start_hi, 0xC022 ); // start from here
CONFIG_INT( "debug.mem-spy.len", mem_spy_len, 16000 ); // look at ### int32's
CONFIG_INT( "debug.mem-spy.bool", mem_spy_bool, 0 ); // only display booleans (0,1,-1)
CONFIG_INT( "debug.mem-spy.small", mem_spy_small, 1 ); // only display small numbers (less than 10)
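The filtering idea behind mem-spy, as an added example that is not Magic Lantern's own code: count how often each watched word changes across samples, then show only words that changed a few times and pass the boolean/small filters. The names spy_sample, spy_show and spy_run, the MAX_CHANGES cutoff, the reading of "small" as |v| < 10, and the sample trace are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define SPY_LEN     5   /* words watched here; the page's default len is 16000 */
#define MAX_CHANGES 4   /* assumed cutoff for "changes too often" */

/* Compare a new sample with the previous one and count changed words. */
static void spy_sample(uint32_t *prev, unsigned *changes, const uint32_t *mem) {
    for (int i = 0; i < SPY_LEN; i++) {
        changes[i] += (mem[i] != prev[i]);
        prev[i] = mem[i];
    }
}

/* Display rule: changed, but not too often, and passing the value filters. */
static int spy_show(uint32_t value, unsigned changes, int only_bool, int only_small) {
    int32_t v = (int32_t)value;
    if (changes == 0 || changes > MAX_CHANGES) return 0;
    if (only_bool && v != 0 && v != 1 && v != -1) return 0;
    if (only_small && (v <= -10 || v >= 10)) return 0;  /* assumed: |v| < 10 */
    return 1;
}

/* Constructed samples; columns: constant, fast counter, flag, small int, pointer. */
static const uint32_t trace[][SPY_LEN] = {
    {0x1234, 100, 0, 0, 0x40D07800},
    {0x1234, 101, 1, 0, 0x40D07800},
    {0x1234, 102, 1, 2, 0x40D07800},
    {0x1234, 103, 0, 2, 0x40E00000},
    {0x1234, 104, 1, 2, 0x40E00000},
    {0x1234, 105, 1, 2, 0x40E00000},
};

/* Replay the trace; return a bitmask of the word indexes that would be shown. */
unsigned spy_run(int only_bool, int only_small) {
    uint32_t prev[SPY_LEN];
    unsigned changes[SPY_LEN] = {0}, mask = 0;
    memcpy(prev, trace[0], sizeof prev);            /* baseline snapshot */
    for (size_t f = 1; f < sizeof trace / sizeof trace[0]; f++)
        spy_sample(prev, changes, trace[f]);
    for (int i = 0; i < SPY_LEN; i++)
        if (spy_show(prev[i], changes[i], only_bool, only_small)) mask |= 1u << i;
    return mask;
}

int main(void) {
    printf("none=0x%x small=0x%x bool=0x%x\n", spy_run(0, 0), spy_run(0, 1), spy_run(1, 0));
    return 0;
}
```

The constant word and the fast counter are dropped in every mode; the boolean and small filters then narrow the remaining candidates by value.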
From static analysis (ARM console output):
grep -nr "*(0xc0" ./
*(0xc0238080) = BIC(MEM(3223552128), 64) ForceBackLightOff
*(0xc022f200) = 0xffffffc0 AJ_guess_CF_ResetCard_related
See also: Memory map