Really good work on the recent findings! Okay I'll take a closer look to the rtos log too
Regarding the recent irungentoo findings about framerate, shutter, I made some nice structs in order to better understand and to be later added in my Fw toolkit.
Framerate mod
Looking at the 1080p address, it seems to be part of a large array of structs, starting at 0x7237C0 (1.3.11), referenced at 0x4936F0 (0r 0x493300 -> 0x7237CC - 0x8)
the struct layout is:
Code:
class CFramerate_video_setting
{
public:
int32_t sensor_frequency_hz; //0x0000 MHz = Hz / 1000000
int32_t N0000009C; //0x0004
int32_t N000000AE; //0x0008 in the right struct, 720 120 to 300 mod : without touching the freq
int32_t N0000009D; //0x000C
int32_t N0000009E; //0x0010 in the right stuct, 720 120 to 300 mod : without touching the freq
int32_t N0000009F; //0x0014
int32_t N000000A0; //0x0018
int32_t mfps; //0x001C milli frame per second fps = mfps / 1000
int32_t N000000A2; //0x0020
int32_t N000000A3; //0x0024
}; //size 0x28
class CFramerate_video
{
public:
CFramerate_video_setting framerate_video_array[55]; //0x0000
};
CFramerate_video* pFramerate_array = (CFramerate_video*)0x7237C0;
The 1080p struct is at the 20 position : 0x723AE0 - 0x7237C0 = 0x320 -> / 0x28 (struct size) = 0x14 -> 20 dec. Since there are many other entries in this big array, we could mod other resolutions too.
The third address needed to force 1080p 120fps to 150fps, it is found at the bottom of the (pal? Im not sure about the naming yet, dont have my camera to test right now) videomode table. After this struct, there's another videomode table, which should be the ntsc one.
Code:
class CVideomode_video_setting
{
public:
char resolution_full_name[24]; //0x0000
char pad_0018[40]; //0x0018
char resolution_short_name[16]; //0x0040
char pad_0050[48]; //0x0050
char fps_text[8]; //0x0080
char pad_0088[56]; //0x0088
int32_t N000000BE; //0x00C0
int32_t N000000BF; //0x00C4
int32_t N000000C0; //0x00C8
int32_t N000000C1; //0x00CC
char pad_00D0[128]; //0x00D0
}; //Size: 0x0150
class CVideomode_video
{
public:
CVideomode_video_setting pVideomode_pal_array[93]; //0x0000
char pad_7A10[2432]; //0x7A10
int32_t framerate_1080p_120_mfps; //0x8390
char pad_8394[540]; //0x8394
CVideomode_video_setting pVideomode_ntsc_array[93]; //0x85B0
};
CVideomode_video* pVidemode= (CVideomode_video*)0xA9E0D0;
here you can see the relevant disassembly, with the struct size too:
Code:
const char *__fastcall sub_86BE8(int a1)
{
int v1; // r4@1
const char *v2; // r3@2
v1 = a1;
if ( sub_147E00() == 1 ) // pal or ntsc
v2 = "3840x2160 25P 16:9";
else
v2 = "3840x2160 30P 16:9";
return &v2[0x150 * v1];
}
As you can see, around "framerate_1080p_120_mfps" there are manu unknowns, so other fps mod addresses could lay there.
Shutter mod
Pretty easy and compact struct, the layout is:
Code:
class CShutter_video_setting
{
public:
int32_t base_frame_rate; //0x0000
int32_t frame_rate_div; //0x0004
char shutter_name[8]; //0x0008
char pad_0010[120]; //0x0010
int32_t exposure; //0x0088
int32_t unknown; //0x008C
}; //Size: 0x0090
class CShutter_video
{
public:
char pad_0000[8]; //0x0000
CShutter_video_setting video_shutter_speed[8]; //0x0008
};
CShutter_video* pShutter= (CShutter_video*)0xA59634;
/*
if ( (unsigned __int16)video_shutter_speed_struct != v9 ) //0xA59634
{
v10 = 0;
v11 = 0;
while ( 1 )
{
++v11;
v10 += 0x90;
if ( v11 == v8 )
return 0;
if ( *(_WORD *)(v10 + 0xA59634) == v9 )
goto LABEL_10;
}
}
v11 = 0;
LABEL_10:
v13 = 0x90 * v11;
*/
Hope everything is clear and if you have any doubts just ask. In the next hours/day I will push an update to the Fw toolkit to support those too. This way if there arent big changes, we can quickly dump tables and addresses on new fws, and who know, maybe generating custom fw on the fly
