Assembla home | Assembla project page

My Start Page

Context Navigation

source: trunk/platform/s5is/sub/101b/boot.c @ 521

Revision 521, 57.7 KB checked in by reyalp, 5 years ago (diff)
auto MEMISOSIZE, see http://chdk.setepontos.com/index.php/topic,2334.0.html Also platform/ixus50_sd400/sub/101a/stubs_auto.S changed for some reason :/
Property svn:eol-style set to `native`

Rev	Line
[369]	1	#include "lolevel.h"
	2	#include "platform.h"
	3	#include "core.h"
	4
[521]	5	const char * const new_sa = &_end;
[416]	6
[369]	7	/* Our stuff */
	8	extern long wrs_kernel_bss_start;
	9	extern long wrs_kernel_bss_end;
	10
	11	// Forward declarations
	12	void CreateTask_blinker();
	13	void CreateTask_PhySw();
	14	void CreateTask_spytask();
	15
	16	void boot();
	17	void __attribute__((naked,noinline)) task_blinker();
	18	void dump_chdk();
	19
	20	////////////////////////////////////////////////////////////////////////////////
	21	// Note to developers:
	22	// The code below is just somewhat annotated in an attempt to figure out what
	23	// the camera does. I left it in, it might be of some use to someone someday.
	24	// Occasionally, I added the .ltorg directive, because the compiler/assembler
	25	// isn't smart enough to place it somewhere sensible. Remember to bypass
	26	// (B new_location) that directive if you really MUST place it in the middle
	27	// of your code.
	28	////////////////////////////////////////////////////////////////////////////////
	29
	30
	31	#define DEBUG_LED 0xC02200D4 // Red led (lower-right corner) normally indicating SD read/write
	32
	33	void boot() {
	34
	35	asm volatile ("B sub_FF81000C_my\n");
	36
	37	};
	38
	39
	40	void __attribute__((naked,noinline)) sub_FF81000C_my() {
	41	asm volatile (
	42	"LDR R1, =0xC0400004\n"
	43	"LDR R2, [R1]\n"
	44	"ORR R2, R2, #2\n"
	45	"STR R2, [R1]\n"
	46	"LDR R1, =0xC0410000\n"
	47	"MOV R0, #0\n"
	48	"STR R0, [R1]\n"
	49	"MOV R1, #0x78\n"
	50	"MCR p15, 0, R1,c1,c0\n"
	51	"MOV R1, #0\n"
	52	"MCR p15, 0, R1,c7,c10, 4\n"
	53	"MCR p15, 0, R1,c7,c5\n"
	54	"MCR p15, 0, R1,c7,c6\n"
	55	"MOV R0, #0x3D\n"
	56	"MCR p15, 0, R0,c6,c0\n"
	57	"MOV R0, #0xC000002F\n"
	58	"MCR p15, 0, R0,c6,c1\n"
	59	"MOV R0, #0x33\n"
	60	"MCR p15, 0, R0,c6,c2\n"
	61	"LDR R0, =0x10000033\n"
	62	"MCR p15, 0, R0,c6,c3\n"
	63	"MOV R0, #0x40000017\n"
	64	"MCR p15, 0, R0,c6,c4\n"
	65	"LDR R0, =0xFF80002D\n"
	66	"MCR p15, 0, R0,c6,c5\n"
	67	"MOV R0, #0x34\n"
	68	"MCR p15, 0, R0,c2,c0\n"
	69	"MOV R0, #0x34\n"
	70	"MCR p15, 0, R0,c2,c0, 1\n"
	71	"MOV R0, #0x34\n"
	72	"MCR p15, 0, R0,c3,c0\n"
	73	"LDR R0, =0x3333330\n"
	74	"MCR p15, 0, R0,c5,c0, 2\n"
	75	"LDR R0, =0x3333330\n"
	76	"MCR p15, 0, R0,c5,c0, 3\n"
	77	"MRC p15, 0, R0,c1,c0\n"
	78	"ORR R0, R0, #0x1000\n"
	79	"ORR R0, R0, #4\n"
	80	"ORR R0, R0, #1\n"
	81	"MCR p15, 0, R0,c1,c0\n"
	82	"MOV R1, #0x40000006\n"
	83	"MCR p15, 0, R1,c9,c1\n"
	84	"MOV R1, #6\n"
	85	"MCR p15, 0, R1,c9,c1, 1\n"
	86	"MRC p15, 0, R1,c1,c0\n"
	87	"ORR R1, R1, #0x50000\n"
	88	"MCR p15, 0, R1,c1,c0\n"
	89	"LDR R2, =0xC0200000\n"
	90	"MOV R1, #1\n"
	91	"STR R1, [R2,#0x10C]\n"
	92	"MOV R1, #0xFF\n"
	93	"STR R1, [R2,#0xC]\n"
	94	"STR R1, [R2,#0x1C]\n"
	95	"STR R1, [R2,#0x2C]\n"
	96	"STR R1, [R2,#0x3C]\n"
	97	"STR R1, [R2,#0x4C]\n"
	98	"STR R1, [R2,#0x5C]\n"
	99	"STR R1, [R2,#0x6C]\n"
	100	"STR R1, [R2,#0x7C]\n"
	101	"STR R1, [R2,#0x8C]\n"
	102	"STR R1, [R2,#0x9C]\n"
	103	"STR R1, [R2,#0xAC]\n"
	104	"STR R1, [R2,#0xBC]\n"
	105	"STR R1, [R2,#0xCC]\n"
	106	"STR R1, [R2,#0xDC]\n"
	107	"STR R1, [R2,#0xEC]\n"
	108	"STR R1, [R2,#0xFC]\n"
	109	"LDR R1, =0xC0400008\n"
	110	"LDR R2, =0x430005\n"
	111	"STR R2, [R1]\n"
	112	"MOV R1, #1\n"
	113	"LDR R2, =0xC0243100\n"
	114	"STR R2, [R1]\n"
	115	"LDR R2, =0xC0242010\n"
	116	"LDR R1, [R2]\n"
	117	"ORR R1, R1, #1\n"
	118	"STR R1, [R2]\n"
	119	"LDR R0, =0xFFB07EB8\n"
	120	"LDR R1, =0x1900\n"
	121	"LDR R3, =0x1056C\n"
	122
	123	"loc_FF81014C:\n"
	124	"CMP R1, R3\n" // Copy code from 0xFFB07EB8(inc) onwards to 0x1900(inc) .. 0x1056C (ex)
	125	"LDRCC R2, [R0],#4\n"
	126	"STRCC R2, [R1],#4\n"
	127	"BCC loc_FF81014C\n" // loop
	128	"LDR R1, =0x9B610\n"
	129	"MOV R2, #0\n"
	130
	131	"loc_FF810164:\n"
	132	"CMP R3, R1\n" // Zerofill from 0x1056C(inc) .. 0x9B610(exc)
	133	"STRCC R2, [R3],#4\n"
	134	"BCC loc_FF810164\n" // loop
	135	// "B sub_FF8101B8\n"
	136	"B sub_FF8101B8_my\n" // +---------------------> Hook
	137	".ltorg\n"
	138	);
	139	}
	140
	141
	142	void __attribute__((naked,noinline)) sub_FF8101B8_my() {
	143	asm volatile (
	144	"loc_FF8101B8:\n"
	145	"LDR R0, =0xFF810230\n"
	146	"MOV R1, #0\n"
	147	"LDR R3, =0xFF810268\n"
	148
	149	"loc_FF8101C4:\n"
	150	"CMP R0, R3\n" // Copy code from 0xFF810230(inc) .. 0xFF810268(exc) to 0x0 .. 0x38
	151	"LDRCC R2, [R0],#4\n"
	152	"STRCC R2, [R1],#4\n"
	153	"BCC loc_FF8101C4\n" // loop
	154	"LDR R0, =0xFF810268\n"
	155	"MOV R1, #0x4B0\n"
	156	"LDR R3, =0xFF81047C\n"
	157
	158	"loc_FF8101E0:\n"
	159	"CMP R0, R3\n" // Copy code from 0xFF810268(inc) .. 0xFF81047C(exc) to 0x4B0 .. 0x6C4
	160	"LDRCC R2, [R0],#4\n"
	161	"STRCC R2, [R1],#4\n"
	162	"BCC loc_FF8101E0\n" // loop
	163	"MOV R0, #0xD2\n"
	164	"MSR CPSR_cxsf, R0\n"
	165	"MOV SP, #0x1000\n"
	166	"MOV R0, #0xD3\n"
	167	"MSR CPSR_cxsf, R0\n"
	168	"MOV SP, #0x1000\n"
	169	"LDR R0, =0x6C4\n"
	170	"LDR R2, =0xEEEEEEEE\n"
	171	"MOV R3, #0x1000\n"
	172
	173	"loc_FF810214:\n"
	174	"CMP R0, R3\n" // Fill 0x6C4 .. 0x1000 with 0xEEEEEEEE
	175	"STRCC R2, [R0],#4\n"
	176	"BCC loc_FF810214\n" // loop
	177	// "BL sub_FF810FCC\n"
	178	"BL sub_FF810FCC_my\n" // +---------------------> Hook
	179	".ltorg\n"
	180	);
	181	}
	182
	183	void __attribute__((naked,noinline)) sub_FF810FCC_my() {
	184	asm volatile (
	185	"STR LR, [SP,#-0x4]!\n"
	186	"SUB SP, SP, #0x74\n"
	187	"MOV R0, SP\n"
	188	"MOV R1, #0x74\n"
	189	"BL sub_FFA92C10\n"
	190	"MOV R0, #0x53000\n"
	191	"STR R0, [SP,#0x74-0x70]\n"
	192	// "LDR R0, =0x9B610\n"
[416]	193	);
	194	// "LDR R0, =0xDB610\n" // 0x9B610 + 0x40000 (memsize) = 0xDB610
	195	asm volatile (
	196	"LDR R0, =new_sa\n"
	197	"LDR R0, [R0]\n"
	198	);
	199	asm volatile (
[369]	200	"LDR R2, =0x2ABC00\n"
	201	"LDR R1, =0x2A4968\n"
	202	"STR R0, [SP,#0x74-0x6C]\n"
	203	"SUB R0, R1, R0\n"
	204	"ADD R3, SP, #0x74-0x68\n"
	205	"STR R2, [SP,#0x74-0x74]\n"
	206	"STMIA R3, {R0-R2}\n"
	207	"MOV R0, #0x22\n"
	208	"STR R0, [SP,#0x74-0x5C]\n"
	209	"MOV R0, #0x68\n"
	210	"STR R0, [SP,#0x74-0x58]\n"
	211	"LDR R0, =0x19B\n"
	212	"MOV R1, #0x64\n"
	213	// "STRD R0, [SP,#0x74-0x54]\n" // WORKSFORME, configure gcc WITHOUT --with-cpu=arm9
	214	"STR R0, [SP,#0x74-0x54]\n" // Though use the old, 2-line version
	215	"STR R1, [SP,#0x74-0x50]\n" // for the final until everyone uses 'new' gcc
	216	"MOV R0, #0x78\n"
	217	// "STRD R0, [SP,#0x74-0x4C]\n" // Idem
	218	"STR R0, [SP,#0x74-0x4C]\n" // Idem
	219	"STR R1, [SP,#0x74-0x48]\n" // Idem
	220	"MOV R0, #0\n"
	221	"STR R0, [SP,#0x74-0x44]\n"
	222	"STR R0, [SP,#0x74-0x40]\n"
	223	"MOV R0, #0x10\n"
	224	"STR R0, [SP,#0x74-0x18]\n"
	225	"MOV R0, #0x800\n"
	226	"STR R0, [SP,#0x74-0x14]\n"
	227	"MOV R0, #0xA0\n"
	228	"STR R0, [SP,#0x74-0x10]\n"
	229	"MOV R0, #0x280\n"
	230	"STR R0, [SP,#0x74-0xC]\n"
	231	// "LDR R1, =sub_FF814E0C\n"
	232	"LDR R1, =sub_FF814E0C_my\n" // +---------------------> Hook
	233	"MOV R0, SP\n"
	234	"MOV R2, #0\n"
	235	"BL sub_FF812D84\n"
	236	"ADD SP, SP, #0x74\n"
	237	"LDR PC, [SP],#4\n"
	238	".ltorg\n"
	239	);
	240	}
	241
	242
	243	void __attribute__((naked,noinline)) sub_FF814E0C_my() {
	244	asm volatile (
	245	"STMFD SP!, {R4,LR}\n"
	246	"BL sub_FF810970\n"
	247	"BL sub_FF8197D0\n" // dmSetup
	248	"CMP R0, #0\n"
	249	// "ADRLT R0, aDmsetup\n"
	250	"LDRLT R0, =0xFF814F20\n"
	251	"BLLT sub_FF814F00\n" // err_init_task
	252	"BL sub_FF814A30\n" // termDriverInit
	253	"CMP R0, #0\n"
	254	// "ADRLT R0, aTermdriverinit\n"
	255	"LDRLT R0, =0xFF814F28\n"
	256	"BLLT sub_FF814F00\n" // err_init_task
	257	// "ADR R0, a_term\n"
	258	"LDR R0, =0xFF814F38\n"
	259	"BL sub_FF814B1C\n" // termDeviceCreate
	260	"CMP R0, #0\n"
	261	// "ADRLT R0, aTermdevicecrea\n"
	262	"LDRLT R0, =0xFF814F40\n"
	263	"BLLT sub_FF814F00\n" // err_init_task
	264	// "ADR R0, a_term\n"
	265	"LDR R0, =0xFF814F38\n"
	266	"BL sub_FF813594\n" // stdioSetup
	267	"CMP R0, #0\n"
	268	// "ADRLT R0, aStdiosetup\n"
	269	"LDRLT R0, =0xFF814F54\n"
	270	"BLLT sub_FF814F00\n" // err_init_task
	271	"BL sub_FF8194B8\n" // stdlibSetup
	272	"CMP R0, #0\n"
	273	// "ADRLT R0, aStdlibsetup\n"
	274	"LDRLT R0, =0xFF814F60\n"
	275	"BLLT sub_FF814F00\n" // err_init_task
	276	"BL sub_FF8114E4\n" // armlib_setup
	277	"CMP R0, #0\n"
	278	// "ADRLT R0, aArmlib_setup\n"
	279	"LDRLT R0, =0xFF814F6C\n"
	280	"BLLT sub_FF814F00\n" // err_init_task
	281	"LDMFD SP!, {R4,LR}\n"
	282	//"B sub_FF81D9F0\n" // CreateTaskStartup
	283	"B sub_FF81D9F0_my\n" // +---------------------> Hook
	284	".ltorg\n"
	285	);
	286	};
	287
	288
	289	void __attribute__((naked,noinline)) sub_FF81D9F0_my() {
	290	asm volatile (
	291	"STMFD SP!, {R3,LR}\n"
	292	"BL sub_FF82CE28\n"
	293	"CMP R0, #0\n"
	294	"BNE loc_FF81DA2C\n"
	295	"BL sub_FF824D04\n"
	296	"CMP R0, #0\n"
	297	"LDREQ R2, =0xC0220000\n"
	298	"LDREQ R0, [R2,#0x10C]\n"
	299	"LDREQ R1, [R2,#0x108]\n"
	300	"ORREQ R0, R0, R1\n"
	301	"TSTEQ R0, #1\n"
	302	"BNE loc_FF81DA2C\n"
	303	"MOV R0, #0x44\n"
	304	"STR R0, [R2,#0x4C]\n"
	305
	306	"loc_FF81DA28:\n"
	307	"B loc_FF81DA28\n"
	308
	309
	310	"loc_FF81DA2C:\n"
	311	"BL sub_FF823630\n"
	312	"BL sub_FF82A9D0\n"
	313	"MOV R1, #0x300000\n"
	314	"MOV R0, #0\n"
	315	"BL sub_FF82AC18\n"
	316	"BL sub_FF82ABC4\n"
	317	"MOV R3, #0\n"
	318	"STR R3, [SP,#8-8]\n"
	319	// "LDR R3, sub_FF81D950\n" // Startup, 0xFF81D950
	320	"LDR R3, =sub_FF81D950_my\n" // +---------------------> Hook
	321	"MOV R2, #0\n"
	322	"MOV R1, #0x19\n"
	323	// "ADR R0, aStartup\n"
	324	"LDR R0, =0xFF81DA7C\n"
	325	"BL sub_FF81B8FC\n" // CreateTask
	326	"MOV R0, #0\n"
	327	"LDMFD SP!, {R12,PC}\n"
	328	".ltorg\n"
	329	);
	330	}
	331
	332	void __attribute__((naked,noinline)) sub_FF81D950_my() {
	333	asm volatile (
	334	"STMFD SP!, {R4,LR}\n"
	335	"BL sub_FF8151CC\n"
	336	"BL sub_FF824778\n"
	337	"BL sub_FF820D4C\n"
	338	//"BL j_nullsub_163\n"
	339	"BL sub_FF82D018\n"
	340	// "BL sub_FF82CF00\n" // Apparently responsible for
	341	// diskboot. Bypassing it does
	342	// not seem to affect the camera
	343	// negatively.
	344	);
	345
	346	CreateTask_spytask();
	347
	348	asm volatile (
	349	"LDR R4, =0x66A8\n"
	350	"B loc_FF81D97C\n"
	351
	352	"loc_FF81D974:\n"
	353	"SUBS R4, R4, #1\n"
	354	"BEQ loc_FF81D98C\n"
	355
	356	"loc_FF81D97C:\n"
	357	"MOV R0, #5\n"
	358	"BL sub_FF820E54\n"
	359	"CMP R0, #1\n"
	360	"BEQ loc_FF81D974\n"
	361
	362	"loc_FF81D98C:\n"
	363	"MOV R0, #5\n"
	364	"BL sub_FF82124C\n"
	365	"SUBS R12, R0, #0x300\n"
	366	"SUBGES R12, R12, #0xF6\n"
	367	"BLE loc_FF81D9B0\n"
	368	"BL sub_FF829F0C\n"
	369	"MOV R1, #0xB5\n"
	370	// "ADR R0, aStartup_c\n"
	371	"LDR R0, =0xFF81DA6C\n"
	372	"BL sub_FF81BCCC\n" // Assert, 0xFF81BCCC
	373
	374	"loc_FF81D9B0:\n"
	375	"BL sub_FF82DABC\n"
	376	"BL sub_FF82D068\n"
	377	"BL sub_FF829F0C\n"
	378	"BL sub_FF82DACC\n"
	379	//"BL sub_FF8235D4\n" // PhySw, bypass and create own
	380	);
	381
	382	CreateTask_PhySw();
	383
	384	asm volatile (
	385	// "BL sub_FF826988\n" // CaptSeqTask and lots of other stuff
	386	"BL sub_FF826988_my\n" // +---------------------> Hook (in capt_seq.c)
	387	"BL sub_FF82DAEC\n"
	388	//"BL nullsub_2\n"
	389	"BL sub_FF822998\n"
	390	"BL sub_FF82CBF4\n"
	391	"BL sub_FF8230C0\n"
	392	"BL sub_FF8228A4\n"
	393	//"BL sub_FF82E570\n"
	394	"BL sub_FF82E570_my\n" // +---> MAJOR HOOK (SDHC boot)
	395	"BL sub_FF822728\n"
	396	"LDMFD SP!, {R4,LR}\n"
	397	"B sub_FF8150D8\n"
	398	".ltorg\n"
	399	);
	400	}
	401
	402
	403	/////////////////////////////////////////////////////////////////////////////////////
	404	// Major SDHC boot fix hook starts here
	405	//
	406	// Paths that certainly do not (by itself) get the SDHC booting going:
	407	// sub_FF82E570 -> sub_FF824D18 -> sub_FF824A60 -> sub_FF87BF78 (entire 'right subtree')
	408	// sub_FF82E570 -> sub_FF82E120 -> sub_FF87AC88 -> sub_FF87A340 -> sub_FF87BF78 (shortest path (subroutine-count-wise) through 'left subtree')
	409	// sub_FF82E570 -> sub_FF82E120 -> sub_FF87AC88 -> sub_FF87A80C -> sub_FF87A340 -> sub_FF87BF78 (sub_FF87A80C does not appear to be called)
	410	//
	411	// Unexplored:
	412	// sub_FF82E570 -> sub_FF82E120 -> sub_FF87BD48 -> sub_FF87BB94 -> sub_FF87AC88 -> -> sub_FF87A340 -> sub_FF87BF78
	413	// -> sub_FF87A80C ->
	414	//
	415	// Final, working path:
	416	// sub_FF82E570 -> sub_FF82E120 -> sub_FF87BD48 -> sub_FF87BB94 -> sub_FF87AC88 -> sub_FF87A340 -> sub_FF87BF78
	417	//
	418	// That's the 'tree'-part, the rest of the subroutines are just straight on down, no junctions.
	419	// -> sub_FF87BF28 -> sub_FF874FDC -> sub_FF856910 -> sub_FF85674C -> sub_FF8565E4
	420	/////////////////////////////////////////////////////////////////////////////////////
	421
	422	void __attribute__((naked,noinline)) sub_FF82E570_my() {
	423	asm volatile (
	424	"STMFD SP!, {R4,LR}\n"
	425	"BL sub_FF878D88\n"
	426	"BL sub_FF824CD8\n"
	427	"CMP R0, #1\n"
	428	"BNE loc_FF82E590\n"
	429	"BL sub_FF87C08C\n"
	430	"LDMFD SP!, {R4,LR}\n"
	431	"B sub_FF824D18\n"
	432
	433	"loc_FF82E590:\n"
	434	"BL sub_FF87AF30\n"
	435	"LDR R4, =0x1E80\n"
	436	"LDR R0, [R4,#4]\n"
	437	"CMP R0, #0\n"
	438	"LDMNEFD SP!, {R4,PC}\n"
	439	"MOV R1, #0\n"
	440	//"LDR R0, =0xFF82E120\n"
	441	"LDR R0, =sub_FF82E120_my\n" // +----> Hook for SDHC booting
	442	"BL sub_FF875938\n"
	443	"STR R0, [R4,#4]\n"
	444	"LDMFD SP!, {R4,PC}\n"
	445	);
	446	}
	447
	448	void __attribute__((naked,noinline)) sub_FF82E120_my() {
	449	asm volatile (
	450	"STMFD SP!, {R3-R11,LR}\n"
	451	"LDR R6, =0x1E80\n"
	452	"MOV R5, R1\n"
	453	"LDR R0, [R6,#0x14]\n"
	454	"MOV R4, R3\n"
	455	"CMP R0, #1\n"
	456	"BNE loc_FF82E144\n"
	457	"BL sub_FF8795E0\n"
	458	"B loc_FF82E1C8\n"
	459
	460	"loc_FF82E144:\n"
	461	"LDR R12, =0x1162\n"
	462	"LDR R10, =0x1005\n"
	463	"CMP R5, R12\n"
	464	"MOV R7, #0\n"
	465	"MOV R8, #1\n"
	466	"BEQ loc_FF82E4C4\n"
	467	"BGT loc_FF82E28C\n"
	468	"LDR R12, =0x1062\n"
	469	"CMP R5, R12\n"
	470	"BEQ loc_FF82E54C\n"
	471	"BGT loc_FF82E1F8\n"
	472	"CMP R5, R10\n"
	473	"BEQ loc_FF82E248\n"
	474	"BGT loc_FF82E1D0\n"
	475	"SUB R12, R5, #0x800\n"
	476	"SUBS R12, R12, #3\n"
	477	"BEQ loc_FF82E3CC\n"
	478	"SUB R12, R5, #0x800\n"
	479	"SUBS R12, R12, #0x158\n"
	480	"BEQ loc_FF82E554\n"
	481	"LDR R4, =0x9A3\n"
	482	"CMP R5, R4\n"
	483	"ADD R7, R4, #2\n"
	484	"CMPNE R5, R7\n"
	485	"BNE loc_FF82E4B4\n"
	486	"LDR R0, [R6,#0xC]\n"
	487	"SUB R12, R0, #0x8000\n"
	488	"SUBS R12, R12, #2\n"
	489	"BEQ loc_FF82E1C8\n"
	490	"LDR R0, =0x10A5\n"
	491	"BL sub_FF877A7C\n"
	492	"CMP R0, #0\n"
	493	"BEQ loc_FF82E4A0\n"
	494
	495	"loc_FF82E1C8:\n"
	496	"MOV R0, #0\n"
	497	"LDMFD SP!, {R3-R11,PC}\n"
	498
	499	"loc_FF82E1D0:\n"
	500	"SUB R12, R5, #0x1000\n"
	501	"SUBS R12, R12, #0x56\n"
	502	"SUBNE R12, R5, #0x1000\n"
	503	"SUBNES R12, R12, #0x5B\n"
	504	"SUBNE R12, R5, #0x1000\n"
	505	"SUBNES R12, R12, #0x5E\n"
	506	"SUBNE R12, R5, #0x1000\n"
	507	"SUBNES R12, R12, #0x61\n"
	508	"BNE loc_FF82E4B4\n"
	509	"B loc_FF82E54C\n"
	510
	511	"loc_FF82E1F8:\n"
	512	"LDR R12, =0x10AD\n"
	513	"CMP R5, R12\n"
	514	"BEQ loc_FF82E4EC\n"
	515	"BGT loc_FF82E250\n"
	516	"SUB R12, R5, #0x1000\n"
	517	"SUBS R12, R12, #0x63\n"
	518	"SUBNE R12, R5, #0x1000\n"
	519	"SUBNES R12, R12, #0x65\n"
	520	"BEQ loc_FF82E54C\n"
	521	"SUB R12, R5, #0x1000\n"
	522	"LDR R0, =0x10A3\n"
	523	"SUBS R12, R12, #0xA9\n"
	524	"BEQ loc_FF82E4E0\n"
	525	"SUB R12, R5, #0x1000\n"
	526	"SUBS R12, R12, #0xAA\n"
	527	"BNE loc_FF82E4B4\n"
	528	"BL sub_FF877A7C\n"
	529	"CMP R0, #0\n"
	530	"BNE loc_FF82E1C8\n"
	531
	532	"loc_FF82E244:\n"
	533	"BL sub_FF82EB04\n"
	534
	535	"loc_FF82E248:\n"
	536	"MOV R1, R4\n"
	537	"B loc_FF82E4B8\n"
	538
	539	"loc_FF82E250:\n"
	540	"SUB R12, R5, #0x1000\n"
	541	"SUBS R12, R12, #0xAE\n"
	542	"BEQ loc_FF82E244\n"
	543	"SUB R12, R5, #0x1000\n"
	544	"SUBS R12, R12, #0xAF\n"
	545	"BEQ loc_FF82E4EC\n"
	546	"SUB R12, R5, #0x1000\n"
	547	"SUBS R12, R12, #0xB0\n"
	548	"BEQ loc_FF82E244\n"
	549	"SUB R12, R5, #0x1000\n"
	550	"SUBS R12, R12, #0xB2\n"
	551	"BNE loc_FF82E4B4\n"
	552	"LDR R0, =0x1008\n"
	553	"MOV R1, R4\n"
	554	"B loc_FF82E4BC\n"
	555
	556	"loc_FF82E28C:\n"
	557	"LDR R11, =0x201B\n"
	558	"LDR R0, =0x1E80\n"
	559	"CMP R5, R11\n"
	560	"LDR R2, [R0,#0x10]!\n"
	561	"LDR R1, [R0,#0x10]\n"
	562	"SUB R9, R11, #0x17\n"
	563	"BEQ loc_FF82E480\n"
	564	"BGT loc_FF82E354\n"
	565	"LDR R11, =0x116A\n"
	566	"CMP R5, R11\n"
	567	"BEQ loc_FF82E46C\n"
	568	"BGT loc_FF82E308\n"
	569	"SUB R12, R5, #0x1100\n"
	570	"SUBS R12, R12, #0x63\n"
	571	"MOVEQ R1, #0\n"
	572	"MOVEQ R0, #0x82\n"
	573	"BEQ loc_FF82E498\n"
	574	"SUB R12, R5, #0x1100\n"
	575	"SUBS R12, R12, #0x65\n"
	576	"BEQ loc_FF82E490\n"
	577	"LDR R4, =0x1168\n"
	578	"SUB R12, R5, #0x1100\n"
	579	"SUBS R12, R12, #0x67\n"
	580	"CMPNE R5, R4\n"
	581	"BNE loc_FF82E4B4\n"
	582	"STR R8, [R6,#0x10]\n"
	583	"LDR R6, =0x4508\n"
	584	"CMP R1, #0\n"
	585	"BEQ loc_FF82E45C\n"
	586	"BL sub_FF879614\n"
	587	"B loc_FF82E460\n"
	588
	589	"loc_FF82E308:\n"
	590	"SUB R12, R5, #0x2000\n"
	591	"SUBS R12, R12, #2\n"
	592	"BEQ loc_FF82E518\n"
	593	"CMP R5, R9\n"
	594	"MOV R0, R9\n"
	595	"BEQ loc_FF82E524\n"
	596	"SUB R12, R5, #0x2000\n"
	597	"SUBS R12, R12, #5\n"
	598	"BEQ loc_FF82E518\n"
	599	"SUB R12, R5, #0x2000\n"
	600	"SUBS R12, R12, #0x19\n"
	601	"BNE loc_FF82E4B4\n"
	602	"CMP R1, #0\n"
	603	"BEQ loc_FF82E1C8\n"
	604	"CMP R2, #0\n"
	605	"BNE loc_FF82E1C8\n"
	606
	607	"loc_FF82E348:\n"
	608	"MOV R1, #0\n"
	609
	610	"loc_FF82E34C:\n"
	611	"BL sub_FF87AC88\n"
	612	"B loc_FF82E1C8\n"
	613
	614	"loc_FF82E354:\n"
	615	"LDR R12, =0x3110\n"
	616	"CMP R5, R12\n"
	617	"BEQ loc_FF82E248\n"
	618	"BGT loc_FF82E39C\n"
	619	"SUB R12, R5, #0x2000\n"
	620	"SUBS R12, R12, #0x1D\n"
	621	"BEQ loc_FF82E518\n"
	622	"LDR R0, =0x2027\n"
	623	"CMP R5, R0\n"
	624	"BEQ loc_FF82E4F8\n"
	625	"SUB R12, R5, #0x3000\n"
	626	"SUBS R12, R12, #6\n"
	627	"BEQ loc_FF82E248\n"
	628	"SUB R12, R5, #0x3000\n"
	629	"SUBS R12, R12, #0x10\n"
	630	"BNE loc_FF82E4B4\n"
	631	"BL sub_FF89A628\n"
	632	"B loc_FF82E1C8\n"
	633
	634	"loc_FF82E39C:\n"
	635	"SUB R12, R5, #0x3100\n"
	636	"SUBS R12, R12, #0x11\n"
	637	"BEQ loc_FF82E248\n"
	638	"CMP R5, #0x3140\n"
	639	"BEQ loc_FF82E540\n"
	640	"SUB R12, R5, #0x3200\n"
	641	"SUBS R12, R12, #1\n"
	642	"BEQ loc_FF82E4B4\n"
	643	"SUB R12, R5, #0x3200\n"
	644	"SUBS R12, R12, #2\n"
	645	"BEQ loc_FF82E248\n"
	646	"B loc_FF82E4B4\n"
	647
	648	"loc_FF82E3CC:\n"
	649	"MOV R4, #1\n"
	650	"MOV R0, #2\n"
	651	"BL sub_FF878E1C\n"
	652	"CMP R0, #1\n"
	653	"MOVEQ R4, #2\n"
	654	"MOV R0, R4\n"
	655	"BL sub_FF822CC4\n"
	656	"CMP R0, #0\n"
	657	"STRNE R8, [R6,#0x14]\n"
	658	"BNE loc_FF82E428\n"
	659	"BL sub_FF87F814\n"
	660	"BL sub_FF87CD38\n"
	661	"BL sub_FF87DBD8\n"
	662	"BL sub_FF87E0E8\n"
	663	"BL sub_FF87C310\n"
	664	"BL sub_FF87E4E4\n"
	665	"CMP R0, #0\n"
	666	"BEQ loc_FF82E430\n"
	667	"BL sub_FF82DE8C\n"
	668	"BL sub_FF87E4D8\n"
	669	"MOV R1, R0\n"
	670	"LDR R0, =0x1167\n"
	671	"BL sub_FF876100\n"
	672
	673	"loc_FF82E428:\n"
	674	"MOV R0, R7\n"
	675	"LDMFD SP!, {R3-R11,PC}\n"
	676
	677	"loc_FF82E430:\n"
	678	"BL sub_FF826FA0\n"
	679	"CMP R0, #1\n"
	680	"LDRNE R0, =0x310B\n"
	681	"LDREQ R0, =0x310C\n"
	682	"MOV R1, #0\n"
	683	"BL sub_FF876100\n"
	684	//"BL sub_FF87BD48\n"
	685	"BL sub_FF87BD48_my\n" // +----> Hook for SDHC booting
	686	"B loc_FF82E428\n"
	687
	688	"loc_FF82E450:\n"
	689	"MOV R0, R6\n"
	690	"BL sub_FF8641A8\n"
	691	"B loc_FF82E1C8\n"
	692
	693	"loc_FF82E45C:\n"
	694	"BL sub_FF826C98\n"
	695
	696	"loc_FF82E460:\n"
	697	"CMP R5, R4\n"
	698	"BNE loc_FF82E1C8\n"
	699	"B loc_FF82E450\n"
	700
	701	"loc_FF82E46C:\n"
	702	"MOV R0, #1\n"
	703	"BL sub_FF87972C\n"
	704	"MOV R1, R11\n"
	705	"MOV R0, R10\n"
	706	"B loc_FF82E4BC\n"
	707
	708	"loc_FF82E480:\n"
	709	"CMP R2, #1\n"
	710	"BNE loc_FF82E248\n"
	711	"BL sub_FF879614\n"
	712	"B loc_FF82E1C8\n"
	713
	714	"loc_FF82E490:\n"
	715	"MOV R1, #0\n"
	716	"MOV R0, #0x83\n"
	717
	718	"loc_FF82E498:\n"
	719	"BL sub_FF87E1BC\n"
	720	"B loc_FF82E1C8\n"
	721
	722	"loc_FF82E4A0:\n"
	723	"CMP R5, R4\n"
	724	"STREQ R8, [R6,#0x34]\n"
	725	"BEQ loc_FF82E4B4\n"
	726	"CMP R5, R7\n"
	727	"STREQ R8, [R6,#0x30]\n"
	728
	729	"loc_FF82E4B4:\n"
	730	"MOV R1, #0\n"
	731
	732	"loc_FF82E4B8:\n"
	733	"MOV R0, R5\n"
	734
	735	"loc_FF82E4BC:\n"
	736	"BL sub_FF87AC88\n"
	737	"LDMFD SP!, {R3-R11,PC}\n"
	738
	739	"loc_FF82E4C4:\n"
	740	"BL sub_FF882260\n"
	741	"CMP R0, #0\n"
	742	"BEQ loc_FF82E248\n"
	743	"BL sub_FF882B70\n"
	744	"CMP R0, #0\n"
	745	"BLEQ sub_FF880F94\n"
	746	"B loc_FF82E248\n"
	747
	748	"loc_FF82E4E0:\n"
	749	"BL sub_FF877A7C\n"
	750	"CMP R0, #0\n"
	751	"BNE loc_FF82E1C8\n"
	752
	753	"loc_FF82E4EC:\n"
	754	"MOV R0, R5\n"
	755	"BL sub_FF82DFAC\n"
	756	"LDMFD SP!, {R3-R11,PC}\n"
	757
	758	"loc_FF82E4F8:\n"
	759	"MOV R1, #0\n"
	760	"BL sub_FF87AC88\n"
	761	"MOV R1, #0\n"
	762	"MOV R0, R11\n"
	763	"BL sub_FF87AC88\n"
	764	"MOV R1, #0\n"
	765	"MOV R0, R9\n"
	766	"B loc_FF82E34C\n"
	767
	768	"loc_FF82E518:\n"
	769	"STR R7, [R6,#0x20]\n"
	770	"BL sub_FF82E7A4\n"
	771	"B loc_FF82E248\n"
	772
	773	"loc_FF82E524:\n"
	774	"STR R7, [R6,#0x20]\n"
	775	"BL sub_FF82E7A4\n"
	776	"LDR R0, [R6,#0x10]\n"
	777	"CMP R0, #1\n"
	778	"BNE loc_FF82E248\n"
	779	"BL sub_FF879640\n"
	780	"B loc_FF82E1C8\n"
	781
	782	"loc_FF82E540:\n"
	783	"CMP R1, #0\n"
	784	"BLEQ sub_FF82E7A4\n"
	785	"B loc_FF82E1C8\n"
	786
	787	"loc_FF82E54C:\n"
	788	"MVN R0, #0\n"
	789	"B loc_FF82E348\n"
	790
	791	"loc_FF82E554:\n"
	792	"TST R4, #0x80000000\n"
	793	"MOVNE R0, #1\n"
	794	"LDMNEFD SP!, {R3-R11,PC}\n"
	795	"BL sub_FF883D08\n"
	796	"CMP R0, #0\n"
	797	"BLEQ sub_FF829CD8\n"
	798	"B loc_FF82E1C8\n"
	799	);
	800	}
	801
	802	void __attribute__((naked,noinline)) sub_FF87BD48_my() {
	803	asm volatile (
	804	"STMFD SP!, {R4,LR}\n"
	805	"BL sub_FF82E770\n"
	806	"MOV R4, R0\n"
	807	"BL sub_FF87BE64\n"
	808	"MOV R0, R4\n"
	809	"BL sub_FF87BBF8\n"
	810	"BL sub_FF82E770\n"
	811	"MOV R4, R0\n"
	812	"LDR R0, =0x6374\n"
	813	"LDR R0, [R0]\n"
	814	"TST R0, #1\n"
	815	"BEQ loc_FF87BD84\n"
	816
	817	"loc_FF87BD78:\n"
	818	"MOV R1, R4\n"
	819	"MOV R0, #2\n"
	820	"B loc_FF87BDEC\n"
	821
	822	"loc_FF87BD84:\n"
	823	"TST R0, #0x2000\n"
	824	"BEQ loc_FF87BDA0\n"
	825	"TST R0, #0x200\n"
	826	"LDREQ R1, =0x4004\n"
	827	"LDRNE R1, =0x8002\n"
	828	"MOV R0, #3\n"
	829	"B loc_FF87BDEC\n"
	830
	831	"loc_FF87BDA0:\n"
	832	"TST R0, #0x10\n"
	833	"BNE loc_FF87BD78\n"
	834	"TST R0, #0x40\n"
	835	"BEQ loc_FF87BDBC\n"
	836
	837	"loc_FF87BDB0:\n"
	838	"MOV R1, R4\n"
	839	"MOV R0, #1\n"
	840	"B loc_FF87BDEC\n"
	841
	842	"loc_FF87BDBC:\n"
	843	"TST R0, #0x20\n"
	844	"BEQ loc_FF87BDD8\n"
	845	"TST R0, #0x4000\n"
	846	"BNE loc_FF87BDD8\n"
	847
	848	"loc_FF87BDCC:\n"
	849	"MOV R1, R4\n"
	850	"MOV R0, #0\n"
	851	"B loc_FF87BDEC\n"
	852
	853	"loc_FF87BDD8:\n"
	854	"LDR R1, =0x102\n"
	855	"BICS R1, R1, R0\n"
	856	"BNE loc_FF87BDF4\n"
	857	"MOV R1, R4\n"
	858	"MOV R0, #6\n"
	859
	860	"loc_FF87BDEC:\n"
	861	"LDMFD SP!, {R4,LR}\n"
	862	//"B sub_FF87BB94\n"
	863	"B sub_FF87BB94_my\n" // +----> Hook for SDHC booting
	864
	865	"loc_FF87BDF4:\n"
	866	"TST R0, #0x100\n"
	867	"BNE loc_FF87BD78\n"
	868	"TST R0, #0x4000\n"
	869	"TSTEQ R0, #0x400\n"
	870	"BNE loc_FF87BDB0\n"
	871	"TST R0, #0x200\n"
	872	"TSTEQ R0, #2\n"
	873	"BNE loc_FF87BDCC\n"
	874	"TST R0, #0x40000\n"
	875	"BEQ loc_FF87BD78\n"
	876	"TST R0, #0x200000\n"
	877	"MOVEQ R1, R4\n"
	878	"MOVEQ R0, #1\n"
	879	//"BLEQ sub_FF87BB94\n"
	880	"BLEQ sub_FF87BB94_my\n" // +----> Hook for SDHC booting
	881	"B loc_FF87BD78\n"
	882	);
	883	}
	884
	885
	886	void __attribute__((naked,noinline)) sub_FF87BB94_my() {
	887	asm volatile (
	888	"STMFD SP!, {R4-R6,LR}\n"
	889	"MOVS R4, R0\n"
	890	"MOV R0, #1\n"
	891	"MOV R5, R1\n"
	892	"BNE loc_FF87BBD4\n"
	893	"MOV R1, #0\n"
	894	"MOV R0, #0\n"
	895	"BL sub_FF878DAC\n"
	896	"BL sub_FF82E770\n"
	897	"SUB R12, R0, #0x1000\n"
	898	"SUBS R12, R12, #0x5B\n"
	899	"BNE loc_FF87BBCC\n"
	900
	901	"loc_FF87BBC4:\n"
	902	"BL sub_FF87BADC\n"
	903	"B loc_FF87BBDC\n"
	904
	905	"loc_FF87BBCC:\n"
	906	"BL sub_FF87BB1C\n"
	907	"B loc_FF87BBDC\n"
	908
	909	"loc_FF87BBD4:\n"
	910	"CMP R4, #5\n"
	911	"BEQ loc_FF87BBC4\n"
	912
	913	"loc_FF87BBDC:\n"
	914	"CMP R0, #0\n"
	915	"LDREQ R5, =0x1162\n"
	916	"MOVEQ R4, #2\n"
	917	"MOV R0, R4\n"
	918	"MOV R1, R5\n"
	919	"LDMFD SP!, {R4-R6,LR}\n"
	920	//"B sub_FF87AC88\n"
	921	"B sub_FF87AC88_my\n" // +----> Hook for SDHC booting
	922	);
	923	}
	924
	925	void __attribute__((naked,noinline)) sub_FF87AC88_my() {
	926	asm volatile (
	927	"STMFD SP!, {R4-R8,LR}\n"
	928	"MOV R8, R1\n"
	929	"MOV R4, R0\n"
	930	"BL sub_FF879928\n"
	931	"LDR R5, =0x62AC\n"
	932	"MOV R7, #1\n"
	933	"LDR R0, [R5,#0x10]\n"
	934	"MOV R6, #0\n"
	935	"CMP R0, #0x15\n"
	936	"ADDLS PC, PC, R0,LSL#2\n"
	937	"B loc_FF87AF28\n"
	938
	939	"loc_FF87ACB4:\n"
	940	"B loc_FF87AD0C\n"
	941
	942	"loc_FF87ACB8:\n"
	943	"B loc_FF87AD34\n"
	944
	945	"loc_FF87ACBC:\n"
	946	"B loc_FF87AD78\n"
	947
	948	"loc_FF87ACC0:\n"
	949	"B loc_FF87ADEC\n"
	950
	951	"loc_FF87ACC4:\n"
	952	"B loc_FF87ADFC\n"
	953
	954	"loc_FF87ACC8:\n"
	955	"B loc_FF87AE08\n"
	956
	957	"loc_FF87ACCC:\n"
	958	"B loc_FF87AE78\n"
	959
	960	"loc_FF87ACD0:\n"
	961	"B loc_FF87AE88\n"
	962
	963	"loc_FF87ACD4:\n"
	964	"B loc_FF87AD1C\n"
	965
	966	"loc_FF87ACD8:\n"
	967	"B loc_FF87AD28\n"
	968
	969	"loc_FF87ACDC:\n"
	970	"B loc_FF87AE88\n"
	971
	972	"loc_FF87ACE0:\n"
	973	"B loc_FF87AD6C\n"
	974
	975	"loc_FF87ACE4:\n"
	976	"B loc_FF87AF28\n"
	977
	978	"loc_FF87ACE8:\n"
	979	"B loc_FF87AF28\n"
	980
	981	"loc_FF87ACEC:\n"
	982	"B loc_FF87AD84\n"
	983
	984	"loc_FF87ACF0:\n"
	985	"B loc_FF87AD90\n"
	986
	987	"loc_FF87ACF4:\n"
	988	"B loc_FF87ADC4\n"
	989
	990	"loc_FF87ACF8:\n"
	991	"B loc_FF87AD40\n"
	992
	993	"loc_FF87ACFC:\n"
	994	"B loc_FF87AF10\n"
	995
	996	"loc_FF87AD00:\n"
	997	"B loc_FF87AE94\n"
	998
	999	"loc_FF87AD04:\n"
	1000	"B loc_FF87AEC4\n"
	1001
	1002	"loc_FF87AD08:\n"
	1003	"B loc_FF87AEC4\n"
	1004
	1005	"loc_FF87AD0C:\n"
	1006	"MOV R1, R8\n"
	1007	"MOV R0, R4\n"
	1008	"LDMFD SP!, {R4-R8,LR}\n"
	1009	//"B sub_FF87A340\n"
	1010	"B sub_FF87A340_my\n" // +----> Hook for SDHC booting
	1011
	1012	"loc_FF87AD1C:\n"
	1013	"MOV R0, R4\n"
	1014	"LDMFD SP!, {R4-R8,LR}\n"
	1015	"B sub_FF87B658\n"
	1016
	1017	"loc_FF87AD28:\n"
	1018	"MOV R0, R4\n"
	1019	"LDMFD SP!, {R4-R8,LR}\n"
	1020	"B sub_FF87A80C\n"
	1021
	1022	"loc_FF87AD34:\n"
	1023	"MOV R0, R4\n"
	1024	"LDMFD SP!, {R4-R8,LR}\n"
	1025	"B sub_FF879F08\n"
	1026
	1027	"loc_FF87AD40:\n"
	1028	"SUB R12, R4, #0x1000\n"
	1029	"SUBS R12, R12, #0xA5\n"
	1030	"STREQ R7, [R5,#0x84]\n"
	1031	"BEQ loc_FF87AF20\n"
	1032	"SUB R12, R4, #0x3000\n"
	1033	"SUBS R12, R12, #6\n"
	1034	"BNE loc_FF87AF28\n"
	1035	"MOV R0, #0\n"
	1036	"BL sub_FF82DCE4\n"
	1037	"BL sub_FF87B57C\n"
	1038	"B loc_FF87AF20\n"
	1039
	1040	"loc_FF87AD6C:\n"
	1041	"MOV R0, R4\n"
	1042	"LDMFD SP!, {R4-R8,LR}\n"
	1043	"B sub_FF87B5B8\n"
	1044
	1045	"loc_FF87AD78:\n"
	1046	"MOV R0, R4\n"
	1047	"LDMFD SP!, {R4-R8,LR}\n"
	1048	"B sub_FF87A104\n"
	1049
	1050	"loc_FF87AD84:\n"
	1051	"MOV R0, R4\n"
	1052	"LDMFD SP!, {R4-R8,LR}\n"
	1053	"B sub_FF87A9B8\n"
	1054
	1055	"loc_FF87AD90:\n"
	1056	"SUB R12, R4, #0x3200\n"
	1057	"SUBS R12, R12, #2\n"
	1058	"BNE loc_FF87AF28\n"
	1059	"MOV R0, #3\n"
	1060	"BL sub_FF87980C\n"
	1061	"MOV R0, #8\n"
	1062	"BL sub_FF82DC50\n"
	1063	"MOV R0, #6\n"
	1064	"BL sub_FF84239C\n"
	1065	"BL sub_FF87D148\n"
	1066	"BL sub_FF87CFA4\n"
	1067	"BL sub_FF87C380\n"
	1068	"B loc_FF87AF20\n"
	1069
	1070	"loc_FF87ADC4:\n"
	1071	"SUB R12, R4, #0x3300\n"
	1072	"SUBS R12, R12, #1\n"
	1073	"BNE loc_FF87AF28\n"
	1074	"LDR R0, =0x4010\n"
	1075	"BL sub_FF82DC50\n"
	1076	"BL sub_FF89EF88\n"
	1077	"BL sub_FF87C380\n"
	1078	"MOV R0, #4\n"
	1079	"BL sub_FF87980C\n"
	1080	"B loc_FF87AF20\n"
	1081
	1082	"loc_FF87ADEC:\n"
	1083	"MOV R1, R8\n"
	1084	"MOV R0, R4\n"
	1085	"LDMFD SP!, {R4-R8,LR}\n"
	1086	"B sub_FF87AB20\n"
	1087
	1088	"loc_FF87ADFC:\n"
	1089	"MOV R0, R4\n"
	1090	"LDMFD SP!, {R4-R8,LR}\n"
	1091	"B sub_FF87B788\n"
	1092
	1093	"loc_FF87AE08:\n"
	1094	"LDR R8, =0x1182\n"
	1095	"CMP R4, R8\n"
	1096	"STREQ R7, [R5,#0xB0]\n"
	1097	"BEQ loc_FF87AF20\n"
	1098	"SUB R12, R4, #0x1100\n"
	1099	"SUBS R12, R12, #0x86\n"
	1100	"BEQ loc_FF87AE60\n"
	1101	"SUB R12, R4, #0x3200\n"
	1102	"SUBS R12, R12, #0x16\n"
	1103	"BNE loc_FF87AF28\n"
	1104	"MOV R0, #8\n"
	1105	"BL sub_FF82DC50\n"
	1106	"MOV R0, #3\n"
	1107	"BL sub_FF87980C\n"
	1108	"STR R6, [R5,#0xB4]\n"
	1109	"LDR R0, [R5,#0xB0]\n"
	1110	"CMP R0, #0\n"
	1111	"MOVNE R1, #0\n"
	1112	"MOVNE R0, R8\n"
	1113	"STRNE R6, [R5,#0xB0]\n"
	1114	"BLNE sub_FF87AB20\n"
	1115	"B loc_FF87AF20\n"
	1116
	1117	"loc_FF87AE60:\n"
	1118	"LDR R0, [R5,#0xB4]\n"
	1119	"CMP R0, #0\n"
	1120	"BNE loc_FF87AF20\n"
	1121	"BL sub_FF89C658\n"
	1122	"STR R7, [R5,#0xB4]\n"
	1123	"B loc_FF87AF20\n"
	1124
	1125	"loc_FF87AE78:\n"
	1126	"MOV R1, R8\n"
	1127	"MOV R0, R4\n"
	1128	"LDMFD SP!, {R4-R8,LR}\n"
	1129	"B sub_FF87B868\n"
	1130
	1131	"loc_FF87AE88:\n"
	1132	"MOV R0, R4\n"
	1133	"LDMFD SP!, {R4-R8,LR}\n"
	1134	"B sub_FF87A704\n"
	1135
	1136	"loc_FF87AE94:\n"
	1137	"LDR R12, =0x10B0\n"
	1138	"CMP R4, R12\n"
	1139	"BEQ loc_FF87AEC0\n"
	1140	"BGT loc_FF87AECC\n"
	1141	"CMP R4, #4\n"
	1142	"BEQ loc_FF87AEF4\n"
	1143	"SUB R12, R4, #0x1000\n"
	1144	"SUBS R12, R12, #0xAA\n"
	1145	"SUBNE R12, R4, #0x1000\n"
	1146	"SUBNES R12, R12, #0xAE\n"
	1147	"BNE loc_FF87AF28\n"
	1148
	1149	"loc_FF87AEC0:\n"
	1150	"BL sub_FF879508\n"
	1151
	1152	"loc_FF87AEC4:\n"
	1153	"MOV R0, R6\n"
	1154	"LDMFD SP!, {R4-R8,PC}\n"
	1155
	1156	"loc_FF87AECC:\n"
	1157	"SUB R12, R4, #0x2000\n"
	1158	"SUBS R12, R12, #4\n"
	1159	"BEQ loc_FF87AF08\n"
	1160	"SUB R12, R4, #0x5000\n"
	1161	"SUBS R12, R12, #1\n"
	1162	"SUBNE R12, R4, #0x5000\n"
	1163	"SUBNES R12, R12, #6\n"
	1164	"BNE loc_FF87AF28\n"
	1165	"BL sub_FF879EA8\n"
	1166	"B loc_FF87AF20\n"
	1167
	1168	"loc_FF87AEF4:\n"
	1169	"LDR R0, [R5,#0x2C]\n"
	1170	"CMP R0, #0\n"
	1171	"BNE loc_FF87AF08\n"
	1172	"BL sub_FF826C50\n"
	1173	"B loc_FF87AF20\n"
	1174
	1175	"loc_FF87AF08:\n"
	1176	"BL sub_FF879540\n"
	1177	"B loc_FF87AF20\n"
	1178
	1179	"loc_FF87AF10:\n"
	1180	"SUB R12, R4, #0x3000\n"
	1181	"SUBS R12, R12, #0x130\n"
	1182	"BNE loc_FF87AF28\n"
	1183	"BL sub_FF8795E0\n"
	1184
	1185	"loc_FF87AF20:\n"
	1186	"MOV R0, #0\n"
	1187	"LDMFD SP!, {R4-R8,PC}\n"
	1188
	1189	"loc_FF87AF28:\n"
	1190	"MOV R0, #1\n"
	1191	"LDMFD SP!, {R4-R8,PC}\n"
	1192	);
	1193	}
	1194
	1195	void __attribute__((naked,noinline)) sub_FF87A340_my() {
	1196	asm volatile (
	1197	"STMFD SP!, {R4-R8,LR}\n"
	1198	"LDR R7, =0x8002\n"
	1199	"LDR R4, =0x62AC\n"
	1200	"CMP R0, #3\n"
	1201	"MOV R6, R1\n"
	1202	"MOV R5, #1\n"
	1203	"BEQ loc_FF87A4B4\n"
	1204	"BGT loc_FF87A37C\n"
	1205	"CMP R0, #0\n"
	1206	"BEQ loc_FF87A3C0\n"
	1207	"CMP R0, #1\n"
	1208	"BEQ loc_FF87A444\n"
	1209	"CMP R0, #2\n"
	1210	"BNE loc_FF87A53C\n"
	1211	"B loc_FF87A394\n"
	1212
	1213	"loc_FF87A37C:\n"
	1214	"CMP R0, #6\n"
	1215	"STREQ R5, [R4,#0x28]\n"
	1216	"BEQ loc_FF87A4AC\n"
	1217	"SUB R12, R0, #0x2000\n"
	1218	"SUBS R12, R12, #4\n"
	1219	"BNE loc_FF87A53C\n"
	1220
	1221	"loc_FF87A394:\n"
	1222	"SUB R12, R6, #0x1100\n"
	1223	"SUBS R12, R12, #0x62\n"
	1224	"BNE loc_FF87A3B0\n"
	1225	"MOV R1, R7\n"
	1226	"MOV R0, #0\n"
	1227	"BL sub_FF87E1BC\n"
	1228	"STR R5, [R4,#0x60]\n"
	1229
	1230	"loc_FF87A3B0:\n"
	1231	"BL sub_FF87D148\n"
	1232	"BL sub_FF87CFA4\n"
	1233	"BL sub_FF879E48\n"
	1234	"B loc_FF87A534\n"
	1235
	1236	"loc_FF87A3C0:\n"
	1237	"MOV R0, #7\n"
	1238	"BL sub_FF87980C\n"
	1239	"MOV R0, R7\n"
	1240	"BL sub_FF82DC50\n"
	1241	"BL sub_FF87BFB4\n"
	1242	"BL sub_FF87CE1C\n"
	1243	"MOV R1, R7\n"
	1244	"MOV R0, #0\n"
	1245	"BL sub_FF87E1BC\n"
	1246	//"ADR R1, aAcBootrec\n" // \"AC:BootRec\"
	1247	"LDR R1, =0xFF87A574\n" // \"AC:BootRec\"
	1248	"MOV R0, #0x20\n"
	1249	"STR R6, [R4,#0x18]\n"
	1250	"BL sub_FF872A58\n"
	1251	//"ADR R1, aAcInitlens\n" // \"AC:InitLens\"
	1252	"LDR R1, =0xFF87A580\n" // \"AC:InitLens\"
	1253	"MOV R0, #0x20\n"
	1254	"BL sub_FF872A58\n"
	1255	"STR R5, [R4,#0x28]\n"
	1256	"BL sub_FF82DDF8\n"
	1257	"BL sub_FF82DD3C\n"
	1258	"LDR R0, [R4,#0x1C]\n"
	1259	"LDR R1, [R4,#0x20]\n"
	1260	"ORRS R0, R0, R1\n"
	1261	"BLNE sub_FF87B0E4\n"
	1262	"LDR R0, [R4,#0x68]\n"
	1263	"CMP R0, #0\n"
	1264	"BNE loc_FF87A430\n"
	1265	"BL sub_FF82DE68\n"
	1266	"B loc_FF87A438\n"
	1267
	1268	"loc_FF87A430:\n"
	1269	"BL sub_FF8269E8\n"
	1270	"BL sub_FF82E700\n"
	1271
	1272	"loc_FF87A438:\n"
	1273	//"BL sub_FF87BF78\n"
	1274	"BL sub_FF87BF78_my\n" // +----> Hook for SDHC booting
	1275	"BL sub_FF87BFF0\n"
	1276	"B loc_FF87A534\n"
	1277
	1278	"loc_FF87A444:\n"
	1279	"MOV R0, #8\n"
	1280	"BL sub_FF87980C\n"
	1281	"BL sub_FF87BFB4\n"
	1282	"BL sub_FF87CE1C\n"
	1283	"LDR R5, =0x4004\n"
	1284	"MOV R0, #0\n"
	1285	"MOV R1, R5\n"
	1286	"BL sub_FF87E1BC\n"
	1287	//"ADR R1, aAcBootpb\n" // \"AC:BootPB\"
	1288	"LDR R1, =0xFF87A590\n" // \"AC:BootPB\"
	1289	"MOV R0, #0x20\n"
	1290	"BL sub_FF872A58\n"
	1291	//"BL sub_FF87BF78\n"
	1292	"BL sub_FF87BF78_my\n" // +----> Hook for SDHC booting
	1293	"BL sub_FF87C08C\n"
	1294	"BL sub_FF82E690\n"
	1295	"MOV R0, R5\n"
	1296	"BL sub_FF82DC50\n"
	1297	"LDR R0, [R4,#0x68]\n"
	1298	"CMP R0, #0\n"
	1299	"BNE loc_FF87A498\n"
	1300	"BL sub_FF82DE68\n"
	1301	"B loc_FF87A49C\n"
	1302
	1303	"loc_FF87A498:\n"
	1304	"BL sub_FF8269E8\n"
	1305
	1306	"loc_FF87A49C:\n"
	1307	"BL sub_FF87C020\n"
	1308	"LDR R0, [R4,#0x30]\n"
	1309	"CMP R0, #0\n"
	1310	"BEQ loc_FF87A534\n"
	1311
	1312	"loc_FF87A4AC:\n"
	1313	"BL sub_FF87B108\n"
	1314	"B loc_FF87A534\n"
	1315
	1316	"loc_FF87A4B4:\n"
	1317	"MOV R1, R6\n"
	1318	"MOV R0, #0\n"
	1319	"BL sub_FF87E1BC\n"
	1320	//"ADR R1, aAcBootclock\n" // \"AC:BootClock\"
	1321	"LDR R1, =0xFF87A59C\n" // \"AC:BootClock\"
	1322	"MOV R0, #0x20\n"
	1323	"BL sub_FF872A58\n"
	1324	"STR R5, [R4,#0x68]\n"
	1325	"BL sub_FF87C08C\n"
	1326	"BL sub_FF82E690\n"
	1327	"BL sub_FF87B0B4\n"
	1328	"BL sub_FF82E764\n"
	1329	"CMP R0, #0\n"
	1330	"LDRNE R0, =0x8045\n"
	1331	"MOVNE R1, #0\n"
	1332	"BLNE sub_FF8789D4\n"
	1333	"BL sub_FF87DFD0\n"
	1334	"MOV R0, #0x80\n"
	1335	"BL sub_FF82DC50\n"
	1336	"BL sub_FF87D2D8\n"
	1337	"BL sub_FF8B0EB4\n"
	1338	"BL sub_FF973218\n"
	1339	"BL sub_FF8AF708\n"
	1340	"BL sub_FF87C9E4\n"
	1341	"BL sub_FF87D180\n"
	1342	"MOV R0, #9\n"
	1343	"BL sub_FF87980C\n"
	1344	"LDR R0, =0x300E\n"
	1345	"MOV R1, R6\n"
	1346	"BL sub_FF876100\n"
	1347	"MOV R1, #0\n"
	1348	"MOV R0, #1\n"
	1349	"BL sub_FF87E1BC\n"
	1350
	1351	"loc_FF87A534:\n"
	1352	"MOV R0, #0\n"
	1353	"LDMFD SP!, {R4-R8,PC}\n"
	1354
	1355	"loc_FF87A53C:\n"
	1356	"MOV R0, #1\n"
	1357	"LDMFD SP!, {R4-R8,PC}\n"
	1358	);
	1359	}
	1360
	1361	void __attribute__((naked,noinline)) sub_FF87BF78_my() {
	1362	asm volatile (
	1363
	1364	"LDR R0, =0x6380\n"
	1365	"STMFD SP!, {R3,LR}\n"
	1366	"LDR R1, [R0,#0x10]\n"
	1367	"CMP R1, #1\n"
	1368	"BEQ locret_FF87BFB0\n"
	1369	"MOV R1, #1\n"
	1370	"STR R1, [R0,#0x10]\n"
	1371	"MOV R3, #0\n"
	1372	"STR R3, [SP,#8-8]\n"
	1373	//"LDR R3, =sub_FF87BF28\n"
	1374	"LDR R3, =sub_FF87BF28_my\n" // +----> Hook for SDHC booting
	1375	"MOV R1, #0x19\n"
	1376	//"LDR R0, =aInitfilemodule\n" // \"InitFileModules\"
	1377	"LDR R0, =0xFF87C0F8\n"
	1378	"MOV R2, #0x1000\n"
	1379	"BL sub_FF81B8FC\n"
	1380
	1381	"locret_FF87BFB0:\n"
	1382	"LDMFD SP!, {R12,PC}\n"
	1383	);
	1384	}
	1385
	1386	void __attribute__((naked,noinline)) sub_FF87BF28_my() {
	1387	asm volatile (
	1388	"STMFD SP!, {R4-R6,LR}\n"
	1389	"BL sub_FF874FB0\n"
	1390	"LDR R5, =0x5006\n"
	1391	"MOVS R4, R0\n"
	1392	"MOVNE R1, #0\n"
	1393	"MOVNE R0, R5\n"
	1394	"BLNE sub_FF876100\n"
	1395	//"BL sub_FF874FDC\n"
	1396	"BL sub_FF874FDC_my\n" // +----> Hook for SDHC booting
	1397
	1398	"BL core_spytask_can_start\n" // +----> CHDK: Set "it's-safe-to-start"-Flag for spytask
	1399
	1400	"CMP R4, #0\n"
	1401	"MOVEQ R0, R5\n"
	1402	"LDMEQFD SP!, {R4-R6,LR}\n"
	1403	"MOVEQ R1, #0\n"
	1404	"BEQ sub_FF876100\n"
	1405	"LDMFD SP!, {R4-R6,PC}\n"
	1406	);
	1407	}
	1408
	1409	void __attribute__((naked,noinline)) sub_FF874FDC_my() {
	1410	asm volatile (
	1411	"STMFD SP!, {R4,LR}\n"
	1412	//"BL sub_FF856910\n"
	1413	"BL sub_FF856910_my\n" // +----> Hook for SDHC booting
	1414	"LDR R4, =0x5C88\n"
	1415	"LDR R0, [R4,#4]\n"
	1416	"CMP R0, #0\n"
	1417	"BNE loc_FF87500C\n"
	1418	"BL sub_FF888178\n"
	1419	"BL sub_FF9274EC\n"
	1420	"BL sub_FF888178\n"
	1421	"BL sub_FF933CC0\n"
	1422	"BL sub_FF888188\n"
	1423	"BL sub_FF927594\n"
	1424
	1425	"loc_FF87500C:\n"
	1426	"MOV R0, #1\n"
	1427	"STR R0, [R4]\n"
	1428	"LDMFD SP!, {R4,PC}\n"
	1429	);
	1430	}
	1431
	1432	void __attribute__((naked,noinline)) sub_FF856910_my() {
	1433	asm volatile (
	1434	"STMFD SP!, {R4-R6,LR}\n"
	1435	"MOV R6, #0\n"
	1436	"MOV R0, R6\n"
	1437	"BL sub_FF8564E0\n"
	1438	"LDR R4, =0x131E4\n"
	1439	"MOV R5, #0\n"
	1440	"LDR R0, [R4,#0x38]\n"
	1441	"BL sub_FF856EA8\n"
	1442	"CMP R0, #0\n"
	1443	"LDREQ R0, =0x2EB4\n"
	1444	"STREQ R5, [R0,#0xC]\n"
	1445	"STREQ R5, [R0,#0x10]\n"
	1446	"STREQ R5, [R0,#0x14]\n"
	1447	"MOV R0, R6\n"
	1448	"BL sub_FF856520\n"
	1449	"MOV R0, R6\n"
	1450	//"BL sub_FF85674C\n"
	1451	"BL sub_FF85674C_my\n" // +----> Hook for SDHC booting
	1452	"MOV R5, R0\n"
	1453	"MOV R0, R6\n"
	1454	"BL sub_FF8567B8\n"
	1455	"LDR R1, [R4,#0x3C]\n"
	1456	"AND R2, R5, R0\n"
	1457	"CMP R1, #0\n"
	1458	"MOV R0, #0\n"
	1459	"MOVEQ R0, #0x80000001\n"
	1460	"BEQ loc_FF8569A4\n"
	1461	"LDR R3, [R4,#0x2C]\n"
	1462	"CMP R3, #2\n"
	1463	"MOVEQ R0, #4\n"
	1464	"CMP R1, #5\n"
	1465	"ORRNE R0, R0, #1\n"
	1466	"BICEQ R0, R0, #1\n"
	1467	"CMP R2, #0\n"
	1468	"BICEQ R0, R0, #2\n"
	1469	"ORREQ R0, R0, #0x80000000\n"
	1470	"BICNE R0, R0, #0x80000000\n"
	1471	"ORRNE R0, R0, #2\n"
	1472
	1473	"loc_FF8569A4:\n"
	1474	"STR R0, [R4,#0x40]\n"
	1475	"LDMFD SP!, {R4-R6,PC}\n"
	1476	);
	1477	}
	1478
	1479	void __attribute__((naked,noinline)) sub_FF85674C_my() {
	1480	asm volatile (
	1481	"STMFD SP!, {R4-R6,LR}\n"
	1482	"LDR R5, =0x2EB4\n"
	1483	"MOV R6, R0\n"
	1484	"LDR R0, [R5,#0x10]\n"
	1485	"CMP R0, #0\n"
	1486	"MOVNE R0, #1\n"
	1487	"LDMNEFD SP!, {R4-R6,PC}\n"
	1488	"MOV R0, #0x17\n"
	1489	"MUL R1, R0, R6\n"
	1490	"LDR R0, =0x131E4\n"
	1491	"ADD R4, R0, R1,LSL#2\n"
	1492	"LDR R0, [R4,#0x38]\n"
	1493	"MOV R1, R6\n"
	1494	//"BL sub_FF8565E4\n"
	1495	"BL sub_FF8565E4_my\n" // +----> Hook for SDHC booting
	1496	"CMP R0, #0\n"
	1497	"LDMEQFD SP!, {R4-R6,PC}\n"
	1498	"LDR R0, [R4,#0x38]\n"
	1499	"MOV R1, R6\n"
	1500	"BL sub_FF856FC0\n"
	1501	"CMP R0, #0\n"
	1502	"LDMEQFD SP!, {R4-R6,PC}\n"
	1503	"MOV R0, R6\n"
	1504	"BL sub_FF856100\n"
	1505	"CMP R0, #0\n"
	1506	"MOVNE R1, #1\n"
	1507	"STRNE R1, [R5,#0x10]\n"
	1508	"LDMFD SP!, {R4-R6,PC}\n"
	1509	);
	1510	}
	1511
	1512	void __attribute__((naked,noinline)) sub_FF8565E4_my() {
	1513	asm volatile (
	1514	"STMFD SP!, {R4-R8,LR}\n"
	1515	"MOV R8, R0\n"
	1516	"MOV R0, #0x17\n"
	1517	"MUL R1, R0, R1\n"
	1518	"LDR R0, =0x131E4\n"
	1519	"MOV R6, #0\n"
	1520	"ADD R7, R0, R1,LSL#2\n"
	1521	"LDR R0, [R7,#0x3C]\n"
	1522	"MOV R5, #0\n"
	1523	"CMP R0, #6\n"
	1524	"ADDLS PC, PC, R0,LSL#2\n"
	1525	"B loc_FF856730\n"
	1526
	1527	"loc_FF856614:\n"
	1528	"B loc_FF856648\n"
	1529
	1530	"loc_FF856618:\n"
	1531	"B loc_FF856630\n"
	1532
	1533	"loc_FF85661C:\n"
	1534	"B loc_FF856630\n"
	1535
	1536	"loc_FF856620:\n"
	1537	"B loc_FF856630\n"
	1538
	1539	"loc_FF856624:\n"
	1540	"B loc_FF856630\n"
	1541
	1542	"loc_FF856628:\n"
	1543	"B loc_FF856728\n"
	1544
	1545	"loc_FF85662C:\n"
	1546	"B loc_FF856630\n"
	1547
	1548	"loc_FF856630:\n"
	1549	"MOV R2, #0\n"
	1550	"MOV R1, #0x200\n"
	1551	"MOV R0, #3\n"
	1552	"BL sub_FF8716C4\n"
	1553	"MOVS R4, R0\n"
	1554	"BNE loc_FF856650\n"
	1555
	1556	"loc_FF856648:\n"
	1557	"MOV R0, #0\n"
	1558	"LDMFD SP!, {R4-R8,PC}\n"
	1559
	1560	"loc_FF856650:\n"
	1561	"LDR R12, [R7,#0x4C]\n"
	1562	"MOV R3, R4\n"
	1563	"MOV R2, #1\n"
	1564	"MOV R1, #0\n"
	1565	"MOV R0, R8\n"
	1566	//"BLX R12\n" // WORKSFORME, configure gcc WITHOUT --with-cpu=arm9
	1567	"MOV LR, PC\n" // 2-op workaround for 'normal' compiler
	1568	"MOV PC, R12\n" // Does the same thing, effectively, because PC is always 8 bytes ahead.
	1569	"CMP R0, #1\n"
	1570	"BNE loc_FF85667C\n"
	1571	"MOV R0, #3\n"
	1572	"BL sub_FF871544\n"
	1573	"B loc_FF856648\n"
	1574
	1575	///////
	1576	// Offsets are fixed from here on, everything +0x10 for the second entry
	1577	///////
	1578
	1579	"loc_FF85667C:\n"
	1580	"MOV R0, R8\n"
	1581	"BL sub_FF94450C\n"
	1582
	1583	// Start of DataGhost's FAT32 autodetection code
	1584	// Policy: If there is a partition which has type W95 FAT32, use the first one of those for image storage
	1585	// According to the code below, we can use R1, R2, R3 and R12.
	1586	// LR wasn't really used anywhere but for storing a part of the partition signature. This is the only thing
	1587	// that won't work with an offset, but since we can load from LR+offset into LR, we can use this to do that :)
	1588	"MOV R12, R4\n" // Copy the MBR start address so we have something to work with
	1589	"MOV LR, R4\n" // Save old offset for MBR signature
	1590	"MOV R1, #1\n" // Note the current partition number
	1591	"B dg_sd_fat32_enter\n" // We actually need to check the first partition as well, no increments yet!
	1592	"dg_sd_fat32:\n"
	1593	"CMP R1, #4\n" // Did we already see the 4th partition?
	1594	"BEQ dg_sd_fat32_end\n" // Yes, break. We didn't find anything, so don't change anything.
	1595	"ADD R12, R12, #0x10\n" // Second partition
	1596	"ADD R1, R1, #1\n" // Second partition for the loop
	1597	"dg_sd_fat32_enter:\n"
	1598	"LDRB R2, [R12, #0x1BE]\n" // Partition status
	1599	"LDRB R3, [R12, #0x1C2]\n" // Partition type (FAT32 = 0xB)
	1600	"CMP R3, #0xB\n" // Is this a FAT32 partition?
	1601	"CMPNE R3, #0xC\n" // Not 0xB, is it 0xC (FAT32 LBA) then?
	1602	"BNE dg_sd_fat32\n" // No, it isn't. Loop again.
	1603	"CMP R2, #0x00\n" // It is, check the validity of the partition type
	1604	"CMPNE R2, #0x80\n"
	1605	"BNE dg_sd_fat32\n" // Invalid, go to next partition
	1606	// This partition is valid, it's the first one, bingo!
	1607	"MOV R4, R12\n" // Move the new MBR offset for the partition detection.
	1608
	1609	"dg_sd_fat32_end:\n"
	1610	// End of DataGhost's FAT32 autodetection code
	1611
	1612	"LDRB R1, [R4,#0x1C9]\n" // 4th byte of LBA
	1613	"LDRB R3, [R4,#0x1C8]\n" // 3rd byte of LBA
	1614	"LDRB R12, [R4,#0x1CC]\n" // 3rd byte of partition length
	1615	"MOV R1, R1,LSL#24\n" // Shift and...
	1616	"ORR R1, R1, R3,LSL#16\n" // combine LBA bytes (endianness fix)
	1617	"LDRB R3, [R4,#0x1C7]\n" // 2nd byte of LBA
	1618	"LDRB R2, [R4,#0x1BE]\n" // Partition status (0x00=nonboot, 0x80=boot, other=bad)
	1619	// "LDRB LR, [R4,#0x1FF]\n" // Last MBR signature byte (0xAA)
	1620	"ORR R1, R1, R3,LSL#8\n" // Combine more LBA bytes
	1621	"LDRB R3, [R4,#0x1C6]\n" // 1st byte of LBA
	1622	"CMP R2, #0\n" // Check partition status
	1623	"CMPNE R2, #0x80\n" // and again
	1624	"ORR R1, R1, R3\n" // Combine LBA into final value
	1625	"LDRB R3, [R4,#0x1CD]\n" // 4th byte of partition length
	1626	"MOV R3, R3,LSL#24\n" // Shift and...
	1627	"ORR R3, R3, R12,LSL#16\n" // combine partition length bytes
	1628	"LDRB R12, [R4,#0x1CB]\n" // 2nd byte of partition length
	1629	"ORR R3, R3, R12,LSL#8\n" // Combine partition length bytes
	1630	"LDRB R12, [R4,#0x1CA]\n" // 1st byte of partition length
	1631	"ORR R3, R3, R12\n" // Combine partition length bytes into final value
	1632	// "LDRB R12, [R4,#0x1FE]\n" // First MBR signature byte (0x55)
	1633	"LDRB R12, [LR,#0x1FE]\n" // + First MBR signature byte (0x55), LR is original offset.
	1634	"LDRB LR, [LR,#0x1FF]\n" // + Last MBR signature byte (0xAA), LR is original offset.
	1635	"MOV R4, #0\n" // This value previously held a pointer to the partition table :(
	1636	"BNE loc_FF856704\n" // Jump out if the partition is malformed (partition status \'other\')
	1637	"CMP R0, R1\n"
	1638	"BCC loc_FF856704\n" // Jump out if R0 < R1 (probably checking for a valid LBA addr)
	1639	"ADD R2, R1, R3\n" // R2 = partition start address + length = partition end address
	1640	"CMP R2, R0\n" // Guess: CMPLS is used to check for an overflow, the partition end address cannot be negative.
	1641	"CMPLS R12, #0x55\n" // Check MBR signature with original offset
	1642	"CMPEQ LR, #0xAA\n" // Check MBR signature with original offset
	1643	"MOVEQ R6, R1\n"
	1644	"MOVEQ R5, R3\n"
	1645	"MOVEQ R4, #1\n"
	1646
	1647	"loc_FF856704:\n"
	1648	"MOV R0, #3\n"
	1649	"BL sub_FF871544\n"
	1650	"CMP R4, #0\n"
	1651	"BNE loc_FF85673C\n"
	1652	"MOV R6, #0\n"
	1653	"MOV R0, R8\n"
	1654	"BL sub_FF94450C\n"
	1655	"MOV R5, R0\n"
	1656	"B loc_FF85673C\n"
	1657
	1658	"loc_FF856728:\n"
	1659	"MOV R5, #0x40\n"
	1660	"B loc_FF85673C\n"
	1661
	1662	"loc_FF856730:\n"
	1663	"LDR R1, =0x365\n"
	1664	//"ADR R0, aMounter_c\n" // \"Mounter.c\"
	1665	"LDR R0, =0xFF8565D8\n"
	1666	//"BL Assert\n"
	1667	"BL sub_FF81BCCC\n"
	1668
	1669	"loc_FF85673C:\n"
	1670	"STR R6, [R7,#0x44]!\n"
	1671	"MOV R0, #1\n"
	1672	"STR R5, [R7,#4]\n"
	1673	"LDMFD SP!, {R4-R8,PC}\n"
	1674	);
	1675	}
	1676
	1677	////////////////////////////////////////////////////////////////////////////////
	1678	// SDHC HOOK ENDS HERE
	1679	////////////////////////////////////////////////////////////////////////////////
	1680
	1681
	1682	// I could not manually find this function in the S5IS firmware, possibly signatures
	1683	// might find it. Until that moment, I hooked it here (copied from another camera)
	1684	unsigned long __attribute__((naked,noinline)) _time(unsigned long *timer) {
	1685	asm volatile (
	1686	"STMFD SP!, {R3-R5,LR}\n"
	1687	"MOV R4, R0\n"
	1688	"MVN R0, #0\n"
	1689	"STR R0, [SP,#0x10-0x10]\n"
	1690	"MOV R0, SP\n"
	1691	"BL sub_FF870BB8\n" // _GetTimeOfSystem\n"
	1692	"CMP R0, #0\n"
	1693	"BNE loc_FFC55F38\n"
	1694	"CMP R4, #0\n"
	1695	"LDRNE R0, [SP,#0x10-0x10]\n"
	1696	"STRNE R0, [R4]\n"
	1697
	1698	"loc_FFC55F38:\n"
	1699	"LDR R0, [SP,#0x10-0x10]\n"
	1700	"LDMFD SP!, {R3-R5,PC}\n"
	1701	);
	1702	}
	1703
	1704
	1705
	1706	void CreateTask_blinker() {
	1707	_CreateTask("Blinker", 0x1, 0x200, task_blinker, 0);
	1708	};
	1709
	1710
	1711	void __attribute__((naked,noinline)) task_blinker() {
	1712	int ledstate;
	1713
	1714	int counter = 0;
	1715
	1716	long led = (void) 0xC02200E0; // AF led
	1717
	1718	long *anypointer; // multi-purpose pointer to poke around in memory
	1719	long v1, v2, v3, v4; // multi-purpose vars
	1720
	1721	ledstate = 0; // init: led off
	1722	*led = 0x46; // led on
	1723
	1724	while (1) {
	1725	counter++;
	1726
	1727	if (ledstate == 1) { // toggle LED
	1728	ledstate = 0;
	1729	*led = 0x44; // LED off
	1730	//core_test(1);
	1731	} else {
	1732	ledstate = 1;
	1733	*led = 0x46; // LED on
	1734	//core_test(0);
	1735	}
	1736
	1737	if (counter == 2) {
	1738	//dump_chdk();
	1739	//gui_init();
	1740	//_ExecuteEventProcedure("UIFS_WriteFirmInfoToFile");
	1741	//_UIFS_WriteFirmInfoToFile(0);
	1742	}
	1743
	1744	if (counter == 10) {
	1745	//draw_txt_string(2, 2, "test");
	1746	}
	1747
	1748	msleep(500);
	1749	}
	1750	};
	1751
	1752
	1753	void CreateTask_spytask() {
	1754	_CreateTask("SpyTask", 0x19, 0x2000, core_spytask, 0);
	1755	};
	1756
	1757
	1758	void CreateTask_PhySw() {
	1759	_CreateTask("PhySw", 0x17, 0x800, mykbd_task, 0);
	1760	};
	1761
	1762
	1763	//extern long _Fopen_Fut(const char filename, const char mode);
	1764	//extern void _Fclose_Fut(long file);
	1765	//extern long _Fwrite_Fut(const void *buf, long elsize, long count, long f);
	1766	//extern long Fread_Fut(void *buf, long elsize, long count, long f);
	1767	//extern long Fseek_Fut(long file, long offset, long whence);
	1768	//extern long _qDump(char* filename, long unused, long write_p2, long write_p3);
	1769	void dump_chdk() { //#fs
	1770	int fd;
	1771	long dirnum;
	1772
	1773	volatile long led = (void) 0xC02200D0; // yellow led
	1774
	1775	*led = 0x46; //on
	1776
	1777	// _qDump("A/qdump", 0, (void*) 0x01900, 0xb0000);
	1778	//_qDump("A/firmdump", 0, (void*) 0xffc00000, 0x00400000);
	1779	//_qDump("A/firmlower", 0, (void*) 0xff800000, 0x00400000); // identical to 0xfc000000
	1780
	1781	//started();
	1782
	1783	//dirnum = get_target_dir_num();
	1784	//sprintf(fn, FN_RAWDIR, dirnum);
	1785	//mkdir(fn);
	1786
	1787	//sprintf(fn, FN_RAWDIR "/" "DMP_%04d.JPG", dirnum, ++ramdump_num);
	1788
	1789	//fd = _Fopen_Fut("A/dump", "w");
	1790	//if (fd >= 0) {
	1791	//write(fd, (void*)0, 0x1900);
	1792	//write(fd, (void)0x1900, 321024*1024-0x1900);
	1793	//_Fwrite_Fut((void*)0x9D000, 0x20000, 0x20000, fd);
	1794	//_Fclose_Fut(fd);
	1795	//}
	1796	*led = 0x44; //off
	1797	//finished();
	1798	} //#fe

Note: See TracBrowser for help on using the repository browser.

Download in other formats: