00:13 <bonda_000> undefined8 isp_abort_frame(int param_1,undefined4 param_2)
00:13 <bonda_000> is the same for you?
00:37 <bonda_000> good night, finished the isp_func_table struct
00:40 <bonda_000> hopefully that's good enough for a hint for those (code *) entries
00:40 bonda_000 has quit [Quit: Leaving]
04:28 Stromeko has quit [Ping timeout: 256 seconds]
04:33 Stromeko has joined ##raspberrypi-internals
04:42 _whitelogger has joined ##raspberrypi-internals
05:42 _whitelogger has joined ##raspberrypi-internals
07:50 angerisagift has quit [Ping timeout: 268 seconds]
07:51 angerisagift has joined ##raspberrypi-internals
08:56 bonda_000 has joined ##raspberrypi-internals
09:03 <bonda_000> (*pcVar12)(*(undefined4 *)(&param_1->field_0x6500 + param_2 * 4),
09:03 <bonda_000> *(undefined4 *)(&param_1->field_0x6604 + iVar7 + -0x65d8),0,bVar2,&local_39,pcVar12);
09:04 <bonda_000> that should have been replaced
09:14 <bonda_000> was this supposed to be a function call
09:14 <bonda_000> iVar10 = *(int *)(&param_1->field_0x65fc + iVar7 + -0x65d8);
09:14 <bonda_000> but yeah now I do find
09:18 <bonda_000> line 48 call to isp_set_hresize, line 172 isp_mark_schedulable, line 190 isp_start_yuv_frame
09:18 <bonda_000> line 207 something interesting
09:18 <bonda_000> pwVar14 = (wordiiiiii *)param_1->field25852_0x64fc->isp_start_raw_frame;
09:19 <bonda_000> it's applying one of my types lol to change it a bit
09:20 <bonda_000> and see it cast it to a type with 6 params
09:55 <bonda_000> <clever> because isp_mark_schedulable is being called, and ghidra imagined it took 3 args
09:55 <bonda_000> <clever> and thats what caused the extraout
09:56 <bonda_000> :clever that's not what's happening in my case
09:58 <bonda_000> I have 11 extraouts declared, only 8 of them are being used
09:58 <bonda_000> all 8 in this section, where well-defined functions are being called
09:59 <bonda_000> so, for instance logging_message sets extraout_r1, extraout_r2, extraout_r5
10:05 <bonda_000> logging_message(0x800,
10:05 <bonda_000> "camplus_setup_isp [%d]: new isp frame, isp_frames_done=%d, prep_frames_done=%d",
10:05 <bonda_000> param_2,*(undefined4 *)&param_1->field_0x646c,
10:05 <bonda_000> *(undefined4 *)&param_1->field_0x64d8);
10:05 <bonda_000> this is wrong
10:06 <bonda_000> ah no nvm it has the right argument count
10:18 f_ has joined ##raspberrypi-internals
10:24 <clever> bonda_000: from what i learned yesterday, you want to see what consumes the extraouts, not what seems to produce them
10:25 <clever> so when you see an ivar4=extraout, search to see where ivar4 is used, and if it's even used at all
10:27 <bonda_000> local_40 = camplus_set_multichannel_isp_buffers
10:27 <bonda_000> (param_1,uVar5,uVar6,*(uint *)&param_1->field_0x4,
10:27 <bonda_000> (uint)(byte)param_1->field_0x65bb,uVar11);
10:28 <bonda_000> this one takes all extraouts set by logging_message, camplus_set_isp_lresize
10:28 <bonda_000> uvar5, uvar6, uvar11
10:29 <bonda_000> ah I see
10:29 <bonda_000> that function is messed up
10:35 <bonda_000> undefined4 *
10:35 <bonda_000> camplus_open(undefined4 param_1,undefined4 *param_2,undefined4 *param_3,code **param_4,int *param_5,
10:35 <bonda_000> int param_6)
10:35 <bonda_000> this one seems to be big as well
10:39 <bonda_000> It seems to be right though
10:40 <bonda_000> 0eca4d1a it overwrites r1 with lea param_2, $S
10:41 <bonda_000> that's the string argument to logging_message
10:50 <bonda_000> this could be the issue
10:50 <bonda_000> I don't know where 800h comes from here and why it points to some macro
10:56 <bonda_000> oh okay
10:57 <bonda_000> :clever bingo
10:59 <bonda_000> that's how Ghidra decompiled camplus_set_multichannel_isp_buffers()
11:00 <bonda_000> for whatever reason with 6 parameters, of which the latter 5 never get used
11:01 <bonda_000> deleting and making it a function again cleared all extraouts
11:09 <bonda_000> I feel like all the extraouts are due to this function not explicitly being called anywhere, so it writes some "one-size-fits-all" as it has no use cases
11:54 <bonda_000> oh s**t dude
11:55 <bonda_000> look at 0ef22ee8
11:55 <bonda_000> that's another function table
11:58 <bonda_000> there's also a camera_info_table at 0ef22d34 that's probably within that huge struct we are passing around
11:59 <bonda_000> according to the logic of things that's also being passed around somewhere in upper layers of the OS
12:03 jcea has joined ##raspberrypi-internals
12:03 <bonda_000> there are
12:04 <bonda_000> get_X_func_table strings
12:05 <bonda_000> 0ef19666 67 65 74 ds "get_isp_func_table"
12:05 <bonda_000> 5f 69 73
12:05 <bonda_000> 70 5f 66
12:05 <bonda_000> but such a function is not in the symbol tree
12:24 <bonda_000> my bad, it is
12:24 <bonda_000> it has two names
12:24 <bonda_000> get_isp_module and get_isp_func_table
12:24 <bonda_000> get_isp_module appears in the symbol tree, but no xrefs
14:08 f_ is now known as f_`
14:09 f_` is now known as f_
14:42 <bonda_000> logging_message(unaff_r6,
14:42 <bonda_000> "cameraRIL:try_update_and_start_capture:AWAIT_CAPTURE_END. stop parallel cam plus to resume viewfinder/encode"
14:43 <bonda_000> logging_message(unaff_r6,
14:43 <bonda_000> "cameraRIL:try_update_and_start_capture:VIEWFINDER. stop parallel camplus to r esume viewfinder/encode"
14:44 <bonda_000> this is a function void FUN_0ee2cf76(void) at 0ee2cf76, for some reason without any name given to it
15:09 bonda_000 has quit [Remote host closed the connection]
15:09 bonda_000 has joined ##raspberrypi-internals
15:13 <bonda_000> logging_message(0x40,"cameraRIL: starting camplus after either RECV_SINGLE or memory compaction"
15:13 <bonda_000> void try_frame_start(int param_1,int param_2)
15:14 <bonda_000> 0ee2c484 ff 9f d2 8f bl start_camplus undefined4 start_camplus(int par
15:15 <bonda_000> pcVar2 = *(code **)(*(int *)(param_1 + 0x1b6c) + 0x14); so start_camplus also picks up some function pointer from a struct at that offset param_1 + 0x1b6c
15:15 <bonda_000> let's see
15:17 <bonda_000> yeah, at offset +0x14 within the camplus module sits camplus_start
15:17 <bonda_000> so param_1 + 0x1b6c is the camplus_func_table
15:21 <bonda_000> undefined4 ca_process_thread(uint *param_1) this seems to be the camera thread
15:32 <bonda_000> :clever yeah FUN_0ee2d0fc() and FUN_0ee2cf76() seem to be camera module functions that for some reason don't have a name in my decompile
15:34 <bonda_000> undefined4 __stdcall open_camplus(int param_1) that's also a big one, right here at 0eddaa7c
15:34 <bonda_000> same calls to (**(code **)(*(int *)(param_1 + 0x1b6c) + 0x3c)) camplus_func_table
15:37 <bonda_000> but how you caught the exact size of the struct yesterday I'm still oblivious, I haven't seen such a memset yet
15:38 <bonda_000> so as of right now: ? -> camera(cameraRIL) -> camplus -> isp, and we need to work our way up
15:54 <bonda_000> look at camplus_open
15:54 <bonda_000> pcVar3 = (code *)dlshared_get_vll_symbol(iVar2,"get_isp_func_table");
15:54 <bonda_000> that's where it gets the function table from
16:01 <bonda_000> camplus_setup_isp that I was looking at yesterday is a baby child compared to this beast camplus_open
16:02 <bonda_000> I kind of worked backwards but now seem to get to the results you got yesterday
16:30 <clever> bonda_000: yep, i found vll yesterday, I've heard mention of it years ago
16:30 <clever> basically think of it like DLLs on windows
16:31 <clever> originally, there was a way to pass a vll file to the firmware, after booting, to add features to it
16:42 bonda_000 has quit [Ping timeout: 260 seconds]
17:33 bonda_000 has joined ##raspberrypi-internals
17:38 <bonda_000> but do you have those two functions also without a proper name tag? :clever
17:38 <bonda_000> FUN_0ee2d0fc() and FUN_0ee2cf76()
17:48 <bonda_000> I only hope that the camera interface and some way up is not discriminating against a particular camera attachment
17:48 <bonda_000> and doesn't cling way too much to the CAM0/CAM1 peripheral, which seems to be tied to the CSI interface
18:14 <bonda_000> and I am not able to find a function table with these start_camplus() and try_frame_start() functions
18:26 <bonda_000> 0eeaf7b0 67 65 74 ds "get_camera_func_table"
18:26 <bonda_000> 5f 63 61
18:26 <bonda_000> 6d 65 72
18:26 <bonda_000> there is a "camera_subsystem_func_table" but it is the unicam CAM0/CAM1 stuff
18:35 <bonda_000> I suspect this one is a part of the "camera" block and could be within some function table
18:36 <bonda_000> the (code *) pointer is calling the top "camplus" function
18:40 <bonda_000> almost as in some kind of creepy videogame
18:41 <bonda_000> it all tracks down to these two nameless FUN's
18:41 <bonda_000> FUN_0ee2d0fc() and FUN_0ee2cf76()
18:41 <bonda_000> tracks up* to be precise
18:49 <bonda_000> and I think it's just a hiccup on my side
18:49 <bonda_000> because of the switch that precedes
18:50 <bonda_000> it all seems to be a part of a very big function called
18:50 <bonda_000> int try_update_and_start_capture(int param_1)
19:23 bonda_000 has quit [Read error: Connection reset by peer]
19:30 bonda_000 has joined ##raspberrypi-internals
20:59 f_ has quit [Ping timeout: 260 seconds]
21:02 <bonda_000> found this just as a string
21:02 <bonda_000> 0ef191a1 63 61 6d ds "camera_ilc.vll"
21:02 <bonda_000> 65 72 61
21:02 <bonda_000> 5f 69 6c
21:02 <bonda_000> 0ef191bb 63 61 6d ds "camplus.vll"
21:02 <bonda_000> 70 6c 75
21:02 <bonda_000> 73 2e 76
21:02 <bonda_000> is that the .dll you mentioned?
21:05 <bonda_000> it does seem to do some vll loading:
21:05 <bonda_000> undefined4 mmal_vll_load(uint *param_1,char *param_2,int param_3,uint **param_4)
21:07 <bonda_000> pcVar5 = (code *)dlsym(puVar12[1],&$S,uVar7,uVar8,uVar10,uVar11); in mmal_vll_load
21:08 <bonda_000> int sym_lookup_value(int param_1,byte *param_2) this hashes the elf for a vll string
21:10 <clever> bonda_000: yeah that's it
21:11 <clever> because this was originally its own os with apps and drivers, it has the ability to load modules from the disk
21:12 <bonda_000> I don't think there is any VC4 on the raspberry pi linux side
21:12 <bonda_000> like load a binary to run as a program?
21:14 <bonda_000> it's just strange that I can't find a function table for the cameraRIL stuff
21:16 <bonda_000> elf weighs 5 MB though
22:06 <bonda_000> this is a neat looking one
22:06 <bonda_000> void compact_timeout_task(void)
22:07 <bonda_000> finally something that I can understand how it works in this code
22:09 <bonda_000> this is the biggest one I've seen so far
22:09 <bonda_000> int compact_internal(uint param_1,uint param_2,int param_3)
22:09 <bonda_000> it's doing some memory operations for the RTOS
22:16 <bonda_000> pcVar5 = "get_record_buffer_driver_func_table";
22:16 <bonda_000> pcVar7 = (code *)dlsym(iVar4,(byte *)pcVar5,extraout_r2,extraout_r3,extraout_r4,extraout_r5);
22:21 <bonda_000> this one is causing a lot of extraouts and it seems to just put all the regs on the stack
22:21 <bonda_000> undefined8
22:21 <bonda_000> logging_assert_dump(undefined4 param_1,undefined4 param_2,undefined4 param_3,undefined4 param_4,
22:21 <bonda_000> undefined4 param_5,undefined4 param_6)
22:22 <bonda_000> and then it just puts all the params and r6 through r31 on the stack, and it doesn't seem to use these params in any other way
22:22 <bonda_000> probably going to override the signature and make it zero args
22:37 bonda_000 has quit [Quit: Leaving]
22:49 inara has quit [Quit: Leaving]
22:58 inara has joined ##raspberrypi-internals