<bonda_000>
that's camera_subsystem_attached_devices() at 0ec9b65c
<bonda_000>
it says, subtract one, compare with 0, and if equals, branch?
wael has joined ##raspberrypi-internals
Bitweasil has quit [Read error: Connection reset by peer]
Bitweasil- has joined ##raspberrypi-internals
pavelow has quit [Ping timeout: 268 seconds]
pavelow has joined ##raspberrypi-internals
bonda_000 has quit [Ping timeout: 272 seconds]
bonda_000 has joined ##raspberrypi-internals
jcea has joined ##raspberrypi-internals
<bonda_000>
clever: u still here dude?
<bonda_000>
Been messaging you for the past few days but the place seems to be dead
jcea has quit [Ping timeout: 240 seconds]
jcea has joined ##raspberrypi-internals
<clever>
bonda_000: sleep schedule is out of sync with you
<bonda_000>
oh I was just gonna ask are you still doing this thing or no
<bonda_000>
the decompiling of start_x.elf
<bonda_000>
I've dug pretty deep into camera stuff but some key parts are missing that I cannot find
<bonda_000>
some offsets into cdi_struct that are referenced but I can't see them being instantiated anywhere
<bonda_000>
I've identified all the function tables that are being used
<bonda_000>
camera_ril creates a ca_process_thread, that loads a cdi, cdi talks to the camera_driver (ov5647 stuff), cdi also starts unicam, then ca_thread starts camplus that has access to both cdi and isp
<bonda_000>
and then ca_thread checks _tx_event_flags and calls different functions
<bonda_000>
I've found where the actual hardware signal to start capture is
<bonda_000>
so puVar13 + 0x31 holds a pointer to something
<clever>
so puVar13 is a struct pointer, and offset 0x31*4 within it is a pointer
<bonda_000>
puVar13 could point to anything 4 byte aligned
<bonda_000>
actually it could be
<clever>
this is just how decompiling goes, you have to guess when something is a struct, and make a struct
<bonda_000>
pointer undefined4
<bonda_000>
no in my window its uint *puVar13; but I don't think it truly matters
<clever>
the decompile is a mess because ghidra incorrectly guessed `uint*`
<clever>
you need to create a struct, and change the type to a struct pointer
<bonda_000>
I did
<bonda_000>
param_1 is a big struct
<clever>
2024-05-22 19:01:00 < bonda_000> it takes an offset +0x18 from the beginning of param_1 and calls it "puVar13"
<clever>
2024-05-22 19:01:12 < clever> that is a second struct within the struct
<bonda_000>
cdi_struct of size 0x784c
<clever>
so you need to create a second struct, and make offset +0x18 of the first struct into that second struct
<bonda_000>
I know
<bonda_000>
whatever is at cdi_struct + 0xDC
<bonda_000>
all references I find it grabs data from there
<bonda_000>
as if it is already instantiated somewhere
<bonda_000>
so for example
<bonda_000>
cdi_struct + 0x10 is camera_subsystem_state global table
<bonda_000>
so if I pass cdi_struct to a function that accesses that table
<bonda_000>
it can make a variable puVar = cdi_struct+0x10
<bonda_000>
it usually means that the assembly did something like
<bonda_000>
mov r10, param_1 (cdi_struct is param_1)
<bonda_000>
add r10, 0x10
<bonda_000>
and that r10 is what it will refer to as puVar
<bonda_000>
so yeah it is an address, a pointer
<bonda_000>
for example
<bonda_000>
int open_camera_driver(cdi_camera_ctrl_struct *param_1,int param_2,int *param_3)
<bonda_000>
it takes camera_subsystem_get_func_table()
<bonda_000>
then it calls functions 3, 5, and 4 from that function table, which is camera_subsystem_open, camera_subsystem_get_attached_devices, and camera_subsystem_close
<bonda_000>
here it passes cdi_struct + 0x10 as param_1, so an offset into the big struct