FlySkyRxFirmwareRssiMod

Hardcoding data into unused channels?

Open chupocro opened this issue 11 months ago • 2 comments

Hi,

this is awesome!! :-) It would be very interesting if you would document the process of how exactly you made the patch, and if you would explain the syntax used in the .ld file and the makefile. I am assuming you used IDA or Ghidra to reverse the firmware, and when you located the function for processing the incoming data and the address of the call to the function you named prepare_ppm_buf(buf), you replaced the call address with the address of your code from inject_rssi.c. From the code I can see you located the address of get_signal_strength() too and deciphered how the value should be calculated. Of course, for writing the code you had to decipher prepare_ppm_buf(buf)'s function signature as well.

It seems you located the free space at 0x0800392A, where you assembled the code to be injected, and you patched the CRC check with a nop.

I wonder how much free space is at 0x0800392A and if it would be possible to hardcode the bytes to a few unused channels so that data could be read via iBUS.

For example, I'd like to hardcode bytes such as 0xc9 0xa8 into channels 10 and 11 to be able to identify the receiver by reading the iBUS data with a microcontroller.

chupocro · Mar 15 '24 01:03
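The receiving side of the idea in this issue, as an added example that is not part of the repository or of the issue author's code: a small iBUS servo-frame parser for the microcontroller that would read the marker. It assumes the standard 32-byte iBUS frame (header 0x20 0x40, fourteen little-endian 16-bit channels, then a little-endian checksum equal to 0xFFFF minus the sum of the preceding 30 bytes). The marker placement is an assumption taken from the issue text: channel 10 carries 0x00C9 and channel 11 carries 0x00A8, with channels numbered from 1. The sample frames are constructed inline; nothing here reads a real receiver.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define IBUS_FRAME_LEN 32
#define IBUS_NUM_CH    14

/* Assumed marker layout (from the issue text, not from the firmware patch):
   channel 10 holds 0x00C9 and channel 11 holds 0x00A8, channels counted from 1. */
#define ID_CH_A   10
#define ID_CH_B   11
#define ID_VAL_A  0x00C9
#define ID_VAL_B  0x00A8

/* iBUS checksum: 0xFFFF minus the byte sum of everything before the
   two trailing checksum bytes. */
static uint16_t ibus_checksum(const uint8_t *f) {
    uint16_t sum = 0;
    for (size_t i = 0; i < IBUS_FRAME_LEN - 2; i++) sum += f[i];
    return (uint16_t)(0xFFFF - sum);
}

/* Serialise 14 channel values into a 32-byte frame. Only used here to build
   sample input; a real receiver emits this over UART at 115200 baud. */
void ibus_build(uint8_t *out, const uint16_t *ch) {
    out[0] = 0x20; out[1] = 0x40;
    for (int i = 0; i < IBUS_NUM_CH; i++) {
        out[2 + 2 * i]     = (uint8_t)(ch[i] & 0xFF);
        out[2 + 2 * i + 1] = (uint8_t)(ch[i] >> 8);
    }
    uint16_t cs = ibus_checksum(out);
    out[30] = (uint8_t)(cs & 0xFF);
    out[31] = (uint8_t)(cs >> 8);
}

/* Parse one frame into ch[14].
   Returns 0 on success, -1 on bad length/header, -2 on checksum mismatch. */
int ibus_parse(const uint8_t *f, size_t len, uint16_t *ch) {
    if (len != IBUS_FRAME_LEN || f[0] != 0x20 || f[1] != 0x40) return -1;
    uint16_t cs = (uint16_t)(f[30] | (f[31] << 8));
    if (cs != ibus_checksum(f)) return -2;
    for (int i = 0; i < IBUS_NUM_CH; i++)
        ch[i] = (uint16_t)(f[2 + 2 * i] | (f[2 + 2 * i + 1] << 8));
    return 0;
}

/* 1 if the two marker channels carry the expected values, else 0. */
int ibus_has_marker(const uint16_t *ch) {
    return ch[ID_CH_A - 1] == ID_VAL_A && ch[ID_CH_B - 1] == ID_VAL_B;
}

/* Parse a raw frame and classify it:
   1 = valid frame from a marked receiver, 0 = valid but unmarked,
   negative = parse failure (see ibus_parse). */
int ibus_identify(const uint8_t *f, size_t len) {
    uint16_t ch[IBUS_NUM_CH];
    int rc = ibus_parse(f, len, ch);
    if (rc != 0) return rc;
    return ibus_has_marker(ch);
}

/* Constructed sample: all sticks centred (1500 us), marker optionally set. */
static void make_sample(uint8_t *frame, int marked) {
    uint16_t ch[IBUS_NUM_CH];
    for (int i = 0; i < IBUS_NUM_CH; i++) ch[i] = 1500;
    if (marked) {
        ch[ID_CH_A - 1] = ID_VAL_A;
        ch[ID_CH_B - 1] = ID_VAL_B;
    }
    ibus_build(frame, ch);
}

int demo_marked_frame(void) {
    uint8_t f[IBUS_FRAME_LEN]; make_sample(f, 1);
    return ibus_identify(f, sizeof f);            /* 1 */
}
int demo_unmarked_frame(void) {
    uint8_t f[IBUS_FRAME_LEN]; make_sample(f, 0);
    return ibus_identify(f, sizeof f);            /* 0 */
}
int demo_corrupted_frame(void) {
    uint8_t f[IBUS_FRAME_LEN]; make_sample(f, 1);
    f[5] ^= 0x01;                                 /* one flipped bit in channel 2 */
    return ibus_identify(f, sizeof f);            /* -2: checksum rejects it */
}

int main(void) {
    printf("marked=%d unmarked=%d corrupted=%d\n",
           demo_marked_frame(), demo_unmarked_frame(), demo_corrupted_frame());
    return 0;
}
```

The checksum check matters for this use: a marker read from a frame with a bit error on the UART line would otherwise be misidentified, so the microcontroller should only trust channel values from frames whose checksum verified. Marker values like 0x00C9 lie far outside the normal 1000 to 2000 range of a servo channel, which is what makes them distinguishable, but it also means any flight controller reading those channels should have them unmapped.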