Segment 0x00000000 (CPU)

| Image offset | Length | Mapped address | Description |
|---|---|---|---|
| N/A | 0x3FF | 0x0 | Hardware defined direct address area. Used by DMOV(B,H) instructions. The low 0xFF is byte, the low 0x1FF is half-word sized addressing, and the full 0x3FF is used for full-words. See the Fujitsu docs p.23 for more details. It is used frequently in the CPU firmware, less in the main portion. |
| 0x008155BA | n/a | 0x000D55BA | Origin of the initial pointer to Int 00, the first code that should be executed when the camera is powered on if Fujitsu's specs are followed. |
| 0x00800000 | 0x40000 | 0x000C0000 and 0x0(?) | The CPU firmware is located in the last 0x40000 bytes of the file. (Thanks kpsch...) It appears to be loaded in memory at two locations, with the higher locations being executed and the lower used for various data functions. The portions at 0x0 are partially overwritten by the direct address area, and other data. It is possible that only portions are copied from 0x000C0000 to 0x0. |
| 0x0083FC00 | 0x400 | 0x000FFC00 | This is the default location pointed to by tbr at startup, the default interrupt vector table. Handles a very limited number of vectors, but Int 00 should be the root entry point when the camera is powered on... |


Segment 0x10000000 (DSP)

| Image offset | Length | Mapped address | Description |
|---|---|---|---|
| 0x00000000 | 0x840000 | 0x10000000 | Set at firmware flash (?) |
| 0x00003C00 | 0x400 | 0x10003C00 | Another vector table (?) [kps] |
| 0x00008000 | n/a | 0x10008000 | Address of the first piece of code to be found in the file, and is also the function in the main firmware which sets the TBR. |
| 0x000F0000 | n/a | 0x100F0000 | Int00 from the vector table used by the main firmware. This may be the entry point of the program by logic, but the Fujitsu specs indicate that Int 00 will always be the value from the vector table in lower memory @(0xFFFFC), so this needs to be looked into... more. |
| 0x00400000 | N/A | 0x10400000 | The routine at 0x1046A27A indicates that the CPU firmware starts at 0x10400000 and possibly ends 0x40000 before EOF. The routine also indicates the DSP firmware starts at offset 0x00800000. |
| 0x005A39D0 | 0x228 | 0x105A39D0 | Table of full stop interval shutter speed values from 30s to 1/4000s, expressed as ordered pairs of half-word values in numerator, denominator order. |
| 0x005A3BF8 | 0x228 | 0x105A3BF8 | Table of half stop interval shutter speeds organized as above. |
| 0x005A3E20 | 0xA2 | 0x105A3E20 | Table of third stop ISO values containing only one of each possible value. Used for reverse lookup to the 0-82 format used as input for the functions found thus far which use the ISO tables. |
| 0x005A3EC2 | 0xA2 | 0x105A3EC2 | Table of full stop interval half-word sized ISO values from 6-6400, followed by a table for third stop values then a table for half stop values. |
| 0x0045A63E | - | 0x1045A63E | Three subroutines which look up numerical ISO values from the tables above. (Rule 34) |
| 0x0045AD4C | - | 0x1045AD4C | A subroutine to match an ISO value to a table. (Rule 34) |
| 0x004A4D7E | - | 0x104A4D7E | Three more ISO lookup subroutines. (Rule 34) |
| 0x004F0288 | - | 0x104F0288 | Subroutines for yet more lookup of various ISOs and strings. These look up values from 50-3200 (and AUTO) rather than 6-6400. (Rule 34) |
| 0x004F0EEE | - | 0x104F0EEE | Subroutine to print color temperature strings |
| 0x004F1742 | - | 0x104F1742 | Subroutine to print EV compensation strings |
| 0x004F48CA | - | 0x104F48CA | Subroutine to print a decimal string |
| 0x004F4962 | - | 0x104F4962 | Subroutine to print a hexadecimal string |
| 0x005248E0 | - | 0x105248E0 | Subroutine to print debugging information |
| 0x005C2EBC | - | 0x105C2EBC | ISO value strings |
| 0x005C2F48 | - | 0x105C2F48 | Color temperature value strings |
| 0x005C3210 | - | 0x105C3210 | Exposure compensation value strings |


Segment 0x80000000 (RAM)

| Image offset | Length | Mapped address | Description |
|---|---|---|---|
| 0x000F03C0 | 0x000448 | 0x80000000 | At PC 0x100F0066, a block of code (0x100F03C0-0x100F0807) is copied at runtime to address 0x80000000. At PC 0x100F0894, there is a jump to 0x80000002 (0x100F03C2) where some genuine code resides indeed. |
| 0x00008154 | 0x000234 | 0x80000448 | Found some more copying code to segment 0x80000000 (Klak). |
| 0x00008388 | 0x00137E | 0x8000067C | Found some more copying code to segment 0x80000000 (Klak). |
| 0x00009708 | 0x0028C3 | 0x800019FC | Unconfirmed (Klak). |
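
The rows above can be turned into an address translator for loading the image into a disassembler. This is an added example, not code from the original wiki: the function names are hypothetical, the region rows are transcribed from the tables on this page, and the uncertain 0x0(?) mapping of the CPU firmware is left out.

```python
# Rows transcribed from the tables above: (image offset, length, mapped address, label).
# The 0x0(?) copy of the CPU firmware is omitted because the page marks it as uncertain.
REGIONS = [
    (0x000F03C0, 0x0448, 0x80000000, "RAM copy 1"),
    (0x00008154, 0x0234, 0x80000448, "RAM copy 2"),
    (0x00008388, 0x137E, 0x8000067C, "RAM copy 3"),
    (0x00009708, 0x28C3, 0x800019FC, "RAM copy 4 (unconfirmed)"),
    (0x00800000, 0x40000, 0x000C0000, "CPU firmware"),
    (0x00000000, 0x840000, 0x10000000, "whole image (DSP segment)"),
]
RAM_BASE = 0x80000000


def address_to_offset(addr):
    """Return (image offset, label) backing a mapped address, or None."""
    for off, length, base, label in REGIONS:
        if base <= addr < base + length:
            return off + (addr - base), label
    return None


def offset_to_addresses(off):
    """Return every mapped address at which one image byte is visible."""
    return sorted(base + (off - start)
                  for start, length, base, _ in REGIONS
                  if start <= off < start + length)


def ram_gaps():
    """Return (address, size) holes between consecutive RAM copy targets."""
    ram = sorted((b, l) for _, l, b, _ in REGIONS if b >= RAM_BASE)
    return [(b + l, nb - (b + l))
            for (b, l), (nb, _) in zip(ram, ram[1:]) if nb != b + l]


def build_ram(image):
    """Replay the runtime copies to produce the RAM segment contents."""
    ram_rows = [r for r in REGIONS if r[2] >= RAM_BASE]
    size = max(b + l for _, l, b, _ in ram_rows) - RAM_BASE
    ram = bytearray(size)
    for off, length, base, _ in ram_rows:
        ram[base - RAM_BASE: base - RAM_BASE + length] = image[off:off + length]
    return bytes(ram)


if __name__ == "__main__":
    for a in (0x80000002, 0x000D55BA, 0x000FFC00):
        print(hex(a), "->", hex(address_to_offset(a)[0]))
    print("RAM gaps:", [(hex(a), n) for a, n in ram_gaps()])
```

With the listed lengths, the third RAM copy ends at 0x800019FA, two bytes short of the fourth copy's target at 0x800019FC, so either the 0x137E length or the unconfirmed fourth row deserves a second look.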


Soon all info will be updated to reflect current knowledge.

Original source: http://scratchpad.wikia.com/wiki/Memory_layout



(c) 2009 Pentax Hacking Community