The Calypso chip includes an on-die boot ROM that allows the boot process to be
interrupted and diverted by an external host sending some special characters
into either of the two UARTs; this mechanism is what allows us to load code into
RAM and to reload the flash on Calypso GSM devices without having to resort to
JTAG or chip desoldering or other extreme measures.  In normal operation, when
the boot path is NOT being diverted by an external serial download, the boot ROM
transfers control to the regular firmware in the flash - but there are two
different modes in which the flash fw image may be booted.

In order for the flash fw image to be considered bootable by the Calypso boot
ROM, the 32-bit word at flash address 0x2000 must equal either 0 or 1; if it
equals any other value, the boot ROM will consider the flash fw image to be
invalid (e.g., blank flash) and will wait forever for a serial download instead
of proceeding with flash boot.  Depending on whether this word at 0x2000 equals
0 or 1, the flash fw image will be booted in one of two very different ways;
we shall call them flash boot mode 0 and flash boot mode 1, respectively.

In flash boot mode 0 the following 32-bit word at flash address 0x2004 must
contain the address of the flash fw image entry point (ARM/Thumb selection in
the least-significant bit); the boot ROM will simply jump to this address with
a BX instruction.  When the flash fw image is booted in this manner, the boot
ROM is still mapped at address 0 and the first 8 KiB of flash are inaccessible
except via the 0x03000000 alternate mapping, unless the firmware later changes
the FFFF:FB10 register.  This boot mode is intended for flash fw images that
use the interrupt and exception vectors in the ROM (branching to IRAM addresses
0x80001C-0x800034) for their interrupt and exception handling.

Flash boot mode 1 is different: instead of jumping directly to the flash fw
image, the boot ROM copies a small piece of its code into IRAM and jumps to that
code; the copied code disables the boot ROM via the FFFF:FB10 register (puts
the external flash at address 0) and induces a processor reset through the
watchdog timer.  It is not clear to us exactly what blocks are affected by the
watchdog reset, but bits 9:8 of the FFFF:FB10 register are not reset, hence
the ARM processor now boots from the reset vector in the flash as if the boot
ROM weren't there - and the latter really is not there after having disabled
itself.

Flash boot mode 0 is only usable on Calypso C035 silicon (the "new" kind);
while all commercial Calypso GSM devices targeted by FreeCalypso feature Calypso
chips of the correct "new" kind, the people at TI who wrote and maintained their
official firmware also had to work with older Calypso C05 chips featured on the
early D-Sample and Leonardo boards.  The earlier boot ROM code version in those
early Calypso chips also implements the two boot modes which we call mode 0 and
mode 1, but its implementation of mode 0 is broken and unusable, therefore TI's
firmware people only used flash boot mode 1.  On the other hand, newer firmware
designs made for current rather than historical hardware will probably find
mode 0 to be cleaner, more intuitive and more convenient.

All TI official firmwares use flash boot mode 1, our FreeCalypso Magnetite
firmware does likewise, being a direct derivative of TI's TCS211 fw, but our
gcc-built FC Selenite firmware uses flash boot mode 0, as the assembly code
pieces and linker script magic are entirely new (our own original design) in
the gcc-built version.