annotate compal/c139-boot.notes @ 303:3baaefa1e229

dsample-fw-disasm: Rx up/down functions located and analysed
author Mychaela Falconia <falcon@freecalypso.org>
date Sun, 06 Oct 2019 00:36:11 +0000
parents 49c7cda96f04
children
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
105
49c7cda96f04 C139 boot ROM fully cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
1 Download protocol, attempted first at 406250 baud, then 115200, only on the
49c7cda96f04 C139 boot ROM fully cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
2 MODEM UART:
49c7cda96f04 C139 boot ROM fully cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
3
49c7cda96f04 C139 boot ROM fully cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
4 The boot code begins by transmitting 1B F6 02 00 41 01 40, then calls the
49c7cda96f04 C139 boot ROM fully cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
5 Rx-with-timeout function 7 times, expecting this seq: 1B F6 02 00 52 01 53.
49c7cda96f04 C139 boot ROM fully cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
6 Getting anything else or timeout causes the 0xbac function to return,
49c7cda96f04 C139 boot ROM fully cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
7 ending that download attempt. If this seq was received, the boot code then
49c7cda96f04 C139 boot ROM fully cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
8 sends 1B F6 02 00 41 02 43 and expects to receive 3 bytes as follows:
49c7cda96f04 C139 boot ROM fully cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
9
49c7cda96f04 C139 boot ROM fully cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
10 * one dummy byte (stored into an automatic var, but then not used)
49c7cda96f04 C139 boot ROM fully cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
11 * payload length MSB
49c7cda96f04 C139 boot ROM fully cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
12 * payload length LSB
49c7cda96f04 C139 boot ROM fully cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
13
49c7cda96f04 C139 boot ROM fully cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
14 The boot code then expects to receive the specified # of bytes [0,65535]
49c7cda96f04 C139 boot ROM fully cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
15 and stores them beginning at 0x800100. Then the Rx-with-timeout function
49c7cda96f04 C139 boot ROM fully cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
16 is called again to receive the XOR checksum byte, not counted in the length.
49c7cda96f04 C139 boot ROM fully cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
17 If the checksum fails to match, 0xbac function sends 1B F6 02 00 45 53 16
49c7cda96f04 C139 boot ROM fully cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
18 and returns. If this check passes, the "1003" check is performed next:
49c7cda96f04 C139 boot ROM fully cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
19 the 4 bytes starting at 0x803ce0 must match. If the downloaded image was
49c7cda96f04 C139 boot ROM fully cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
20 shorter, the comparison will be made against pre-powerup IRAM content,
49c7cda96f04 C139 boot ROM fully cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
21 i.e., law of chance. Furthermore, the comparison is actually an inequality:
49c7cda96f04 C139 boot ROM fully cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
22 each "signature" byte in the downloaded image needs to be >= (in the signed
49c7cda96f04 C139 boot ROM fully cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
23 sense) than the "1003" reference. (0x7F7F7F7F thus ought to be a passing
49c7cda96f04 C139 boot ROM fully cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
24 value.)
49c7cda96f04 C139 boot ROM fully cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
25
49c7cda96f04 C139 boot ROM fully cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
26 If this last check passes, the 0xbac function jumps to the downloaded image
49c7cda96f04 C139 boot ROM fully cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
27 instead of returning. Control is transferred to 0x800100 in the ARM state.
49c7cda96f04 C139 boot ROM fully cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
28 If the "1003" check fails, 0xbac function sends 1B F6 02 00 41 03 57
49c7cda96f04 C139 boot ROM fully cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
29 and returns.
49c7cda96f04 C139 boot ROM fully cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
30
49c7cda96f04 C139 boot ROM fully cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
31 If the boot process is not diverted to a successful serial download as above,
49c7cda96f04 C139 boot ROM fully cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
32 the boot code does one strange thing before it jumps to 0x20f8 (main app entry
49c7cda96f04 C139 boot ROM fully cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
33 point). The boot code unconditionally transmits "ftmtool" on the MODEM UART
49c7cda96f04 C139 boot ROM fully cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
34 and waits a certain time for a "yes" response. If it receives that "yes",
49c7cda96f04 C139 boot ROM fully cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
35 it responds with "modemerror", otherwise just "error". Either way, it then
49c7cda96f04 C139 boot ROM fully cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
36 proceed to jump to the main app entry point at 0x20f8! There is also a bunch
49c7cda96f04 C139 boot ROM fully cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
37 of "dead" code in the 8 KiB "boot block", code which does not seem to be
49c7cda96f04 C139 boot ROM fully cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
38 reachable from any path. There is no check for whether or not the "main app"
49c7cda96f04 C139 boot ROM fully cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
39 is present; if the flash contains the 8 KiB "boot block" followed by blank
49c7cda96f04 C139 boot ROM fully cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
40 space, the boot code will happily jumps to those FFs - but it will still
49c7cda96f04 C139 boot ROM fully cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
41 provide an opportunity for serial download as usual, so no real problem.
49c7cda96f04 C139 boot ROM fully cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
42
49c7cda96f04 C139 boot ROM fully cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
43 IRAM variables used by the boot code:
49c7cda96f04 C139 boot ROM fully cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
44
49c7cda96f04 C139 boot ROM fully cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
45 83FF00 holds UART base addr, set to FFFF5800 (MODEM)
49c7cda96f04 C139 boot ROM fully cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
46 83FF08 32-bit var init to 0
49c7cda96f04 C139 boot ROM fully cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
47 83FF10 32-bit var init to 0
49c7cda96f04 C139 boot ROM fully cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
48 83FF80 byte var init to 0 at the beginning of ftmtool function (0xdbe),
49c7cda96f04 C139 boot ROM fully cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
49 set to 1 if "yes" received in response to "ftmtool"