Lots of interesting stuff can be found at certain addresses in camera RAM. The 350D/450D hacks use this approach much more than ML.

After getting some interesting addresses, use the Struct_Guessing technique to find out more about them (e.g. how to find the same addresses on other cameras).


I've found the following interesting addresses on the 550D:

  • 0x41d0: focus confirmation status (boolean)
  • 0x2dec: display sensor (face sensor on top of the LCD, boolean)
  • 0x5780, 0x39e8, 0x1bb0, 0x313c: shutter-related. May be shared with other stuff.
  • 0x40D07800: start of a 720x480 YUV 4-2-2 VRAM buffer (live view image buffer maybe). Odd pixels are luma (Y).
  • 0xC0220104: display sensor maybe?
  • 0x1bb4: a message queue
  • 0x1db2: orientation sensor (int8, only in LiveView): 0 - landscape (the same value for down and upside down), 1 - portrait anti-clockwise, 2 - portrait clockwise [credits go to mart]

To find relevant memory addresses, use the mem-spy tool (Debug -> Toggle mem-spy). It displays the memory values that change, but not too often, which filters out most irrelevant results.

Config options:

CONFIG_INT( "debug.mem-spy",		mem_spy, 0 );
CONFIG_INT( "debug.mem-spy.start.lo",	mem_spy_start_lo,	0 ); // start from here
CONFIG_INT( "debug.mem-spy.start.hi",	mem_spy_start_hi,	0xC022 ); // start from here
CONFIG_INT( "debug.mem-spy.len",	mem_spy_len,	16000 );         // look at ### int32's
CONFIG_INT( "debug.mem-spy.bool",	mem_spy_bool,	0 );        // only display booleans (0,1,-1)
CONFIG_INT( "debug.mem-spy.small",	mem_spy_small,	1 );        // only display small numbers (less than 10)
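
The filtering idea behind mem-spy, shown as an added host-side C sketch (not Magic Lantern's own code): poll a range of int32 words, count how often each one changes, and keep only the words that changed a few times and pass the bool/small filters. The names spy_poll, spy_interesting, spy_demo and MAX_CHANGES, the cutoff value, and the sample memory are assumptions constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SPY_LEN     8   /* words watched (the page's debug.mem-spy.len default is 16000) */
#define MAX_CHANGES 5   /* assumed cutoff for "changes too often" */

struct mem_spy {
    int32_t  mirror[SPY_LEN];   /* value seen at the previous poll */
    uint32_t changes[SPY_LEN];  /* number of polls that saw a new value */
    int only_bool, only_small;  /* modelled on debug.mem-spy.bool / .small */
};

/* Compare current memory with the mirror and update the change counters. */
void spy_poll(struct mem_spy *s, const int32_t *mem)
{
    for (int i = 0; i < SPY_LEN; i++)
        if (mem[i] != s->mirror[i]) { s->changes[i]++; s->mirror[i] = mem[i]; }
}

/* Show a word if it changed, but not too often, and passes the value filters. */
int spy_interesting(const struct mem_spy *s, int i)
{
    int32_t v = s->mirror[i];
    if (s->changes[i] == 0 || s->changes[i] > MAX_CHANGES) return 0;
    if (s->only_bool && v != 0 && v != 1 && v != -1) return 0;
    if (s->only_small && (v <= -10 || v >= 10)) return 0;
    return 1;
}

/* Constructed run; returns a bitmask of the word indices that would be shown. */
int spy_demo(int only_bool, int only_small)
{
    int32_t mem[SPY_LEN] = {7, 0, 100, 3, 0, 0, 0, 0};
    struct mem_spy s = { .only_bool = only_bool, .only_small = only_small };
    int mask = 0;
    memcpy(s.mirror, mem, sizeof mem);
    for (int poll = 1; poll <= 20; poll++) {
        mem[2]++;                                  /* free-running counter: noise */
        if (poll == 5 || poll == 12) mem[1] ^= 1;  /* status flag toggles twice */
        if (poll == 8) mem[3] = 0x12345;           /* one-off change to a large value */
        spy_poll(&s, mem);
    }
    for (int i = 0; i < SPY_LEN; i++)
        if (spy_interesting(&s, i)) mask |= 1 << i;
    return mask;
}

int main(void) { printf("0x%x 0x%x 0x%x\n", spy_demo(0, 0), spy_demo(0, 1), spy_demo(1, 0)); return 0; }
```

With no value filter, the toggling flag (word 1) and the one-off change (word 3) are shown while the counter and the constant words are dropped; enabling either filter leaves only the flag.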

From static analysis (ARM console output):

grep -nr "*(0xc0" ./
*(0xc0238080) = BIC(MEM(3223552128), 64)      ForceBackLightOff
*(0xc022f200) = 0xffffffc0                    AJ_guess_CF_ResetCard_related

See also: Memory map

