FreeCalypso > hg > freecalypso-reveng
view bootrom.disasm @ 388:b99663e66660
pirelli/chg-circuit: traced the current path to the battery
| author | Mychaela Falconia <falcon@freecalypso.org> |
|---|---|
| date | Wed, 23 Mar 2022 21:55:57 +0000 |
| parents | 2d9c927cc24b |
| children |
line wrap: on
line source
RESET entry and exception vectors: 0: ea000524 b 0x1498 4: ea200004 b 0x80001c 8: ea200004 b 0x800020 c: ea200004 b 0x800024 10: ea200004 b 0x800028 14: ea200004 b 0x80002c 18: ea200004 b 0x800030 1c: ea200004 b 0x800034 ; The following routine (starting at 0x20) is used to transfer control ; to nCS0 application images that are designed to work with no internal ; boot ROM "in the way", i.e., images identified by a 1 in the 0x2000 word. ; The present routine is copied to the internal RAM and executed there. ; ; The routine itself takes one argument in R0 and uses it to set the ; nIBOOT override bits in the FFFF:FB10 register. If R0==1, bits <9:8> ; of this register are set to 11, putting nCS0 at address 0. If R0==0, ; the bits are set to 01, putting the internal ROM at 0. Otherwise, ; the bits are set to 00, restoring the nIBOOT pin configuration. ; (In actual operation the argument passed to this function is the word ; from 0x2000, so it's equal to 1.) Then the routine causes the ; watchdog timer to go off, resetting the ARM. 20: e24dd004 sub sp, sp, #4 ; 0x4 24: e59f20b8 ldr r2, =0xFFFFFB10 ; via 0xe4 28: e1d2c0b0 ldrh r12, [r2] 2c: e20c10ff and r1, r12, #255 ; 0xff 30: e20ccb3f and r12, r12, #64512 ; 0xfc00 34: e181c00c orr r12, r1, r12 38: e1a0c80c mov r12, r12, lsl #16 3c: e1a0c82c mov r12, r12, lsr #16 40: e3500001 cmp r0, #1 ; 0x1 44: 0a000005 beq 0x60 48: e3500000 cmp r0, #0 ; 0x0 4c: 1a000006 bne 0x6c 50: e38ccc01 orr r12, r12, #256 ; 0x100 54: e1a0c80c mov r12, r12, lsl #16 58: e1a0c82c mov r12, r12, lsr #16 5c: ea000002 b 0x6c 60: e38ccc03 orr r12, r12, #768 ; 0x300 64: e1a0c80c mov r12, r12, lsl #16 68: e1a0c82c mov r12, r12, lsr #16 6c: e1c2c0b0 strh r12, [r2] 70: e3a0cfc3 mov r12, #780 ; 0x30c 74: e59f006c ldr r0, =0x80F5 ; via 0xe8 78: e10200bc strh r0, [r2, -r12] 7c: e3a0c000 mov r12, #0 ; 0x0 80: e1cdc0b0 strh r12, [sp] 84: ea000002 b 0x94 88: e1ddc0b0 ldrh r12, [sp] 8c: e28cc001 add r12, r12, #1 ; 0x1 90: e1cdc0b0 strh r12, [sp] 94: e1dd10b0 ldrh r1, [sp] 98: e3a0c902 mov r12, #32768 ; 0x8000 9c: e24ccead sub r12, r12, #2768 ; 0xad0 a0: e151000c cmp r1, r12 a4: bafffff7 blt 0x88 a8: e3a0cfc3 mov r12, #780 ; 0x30c ac: e10200bc strh r0, [r2, -r12] b0: e3a0c000 mov r12, #0 ; 0x0 b4: e1cdc0b0 strh r12, [sp] b8: ea000002 b 0xc8 bc: e1ddc0b0 ldrh r12, [sp] c0: e28cc001 add r12, r12, #1 ; 0x1 c4: e1cdc0b0 strh r12, [sp] c8: e1ddc0b0 ldrh r12, [sp] cc: e3a00902 mov r0, #32768 ; 0x8000 d0: e2400ead sub r0, r0, #2768 ; 0xad0 d4: e15c0000 cmp r12, r0 d8: bafffff7 blt 0xbc dc: e28dd004 add sp, sp, #4 ; 0x4 e0: e12fff1e bx lr ; literal pool for the above routine e4: fffffb10 e8: 000080f5 ; end of the code copied to the internal RAM for booting type 1 images ; The routine at 0xec effects the jump to the serially loaded code ; upon the final '<b' command. ec: e92d4010 stmdb sp!, {r4, lr} f0: e59fcd0c ldr r12, =0x800518 ; via 0xe04 f4: e59c4014 ldr r4, [r12, #20] f8: e59f0d08 ldr r0, =0x1FCC ; via 0xe08 fc: e5dcc008 ldrb r12, [r12, #8] 100: e790c10c ldr r12, [r0, r12, lsl #2] 104: e28c0005 add r0, r12, #5 ; 0x5 ; wait for all UART Tx to go out 108: e5d0c000 ldrb r12, [r0] 10c: e31c0040 tst r12, #64 ; 0x40 110: 0afffffc beq 0x108 ; jump! 114: eb000513 bl 0x1568 ; IND_CALL 118: eafffffe b 0x118 ; This routine handles the '<i' command - it initializes the vars ; starting at 800518. It is called with R0=0x800518. 11c: e3a0c004 mov r12, #4 ; 0x4 120: e5c0c000 strb r12, [r0] 124: e3a0c000 mov r12, #0 ; 0x0 128: e1c0c0be strh r12, [r0, #14] 12c: e1c0c1b0 strh r12, [r0, #16] 130: e580c014 str r12, [r0, #20] 134: e5c0c018 strb r12, [r0, #24] 138: e12fff1e bx lr ; This routine at 0x13c apparently generates the serial response messages ; back to the host, using the buffer at 80010C as its scratchpad. ; The argument in R0 encodes what type of message to generate: 13c: e92d4000 stmdb sp!, {lr} 140: e1a0c000 mov r12, r0 144: e59f0cc0 ldr r0, =0x80010C ; via 0xe0c 148: e3a0103e mov r1, #62 ; 0x3e 14c: e5c01000 strb r1, [r0] 150: e35c0009 cmp r12, #9 ; 0x9 154: 88bd8000 ldmhiia sp!, {pc} 158: e28f1000 add r1, pc, #0 ; 0x0 15c: e791f10c ldr pc, [r1, r12, lsl #2] ; switch table, absolute addresses 160: 000002ac 164: 00000280 168: 00000264 16c: 00000248 170: 00000224 174: 00000200 178: 000001dc 17c: 000001c0 180: 000001a4 184: 00000188 case 9: 188: e3a0c042 mov r12, #66 ; 0x42 'B' 18c: e5c0c001 strb r12, [r0, #1] 190: e3a01002 mov r1, #2 ; 0x2 194: e59fcc74 ldr r12, =0x800520 ; via 0xe10 198: e5dc2000 ldrb r2, [r12] 19c: eb000458 bl 0x1304 1a0: e8bd8000 ldmia sp!, {pc} case 8: 1a4: e3a0c062 mov r12, #98 ; 0x62 'b' 1a8: e5c0c001 strb r12, [r0, #1] 1ac: e3a01002 mov r1, #2 ; 0x2 1b0: e59fcc58 ldr r12, =0x800520 ; via 0xe10 1b4: e5dc2000 ldrb r2, [r12] 1b8: eb000451 bl 0x1304 1bc: e8bd8000 ldmia sp!, {pc} case 7: ; apparently never exercised 1c0: e3a0c061 mov r12, #97 ; 0x61 'a' 1c4: e5c0c001 strb r12, [r0, #1] 1c8: e3a01002 mov r1, #2 ; 0x2 1cc: e59fcc3c ldr r12, =0x800520 ; via 0xe10 1d0: e5dc2000 ldrb r2, [r12] 1d4: eb00044a bl 0x1304 1d8: e8bd8000 ldmia sp!, {pc} case 6: 1dc: e3a0c043 mov r12, #67 ; 0x43 'C' 1e0: e5c0c001 strb r12, [r0, #1] 1e4: e59fcc18 ldr r12, =0x800518 ; via 0xe04 1e8: e5dc1010 ldrb r1, [r12, #16] ; byte from 800528 1ec: e5c01002 strb r1, [r0, #2] 1f0: e5dc2008 ldrb r2, [r12, #8] 1f4: e3a01003 mov r1, #3 ; 0x3 1f8: eb000441 bl 0x1304 1fc: e8bd8000 ldmia sp!, {pc} case 5: 200: e3a0c063 mov r12, #99 ; 0x63 'c' 204: e5c0c001 strb r12, [r0, #1] 208: e59fcbf4 ldr r12, =0x800518 ; via 0xe04 20c: e5dc1010 ldrb r1, [r12, #16] ; byte from 800528 210: e5c01002 strb r1, [r0, #2] 214: e5dc2008 ldrb r2, [r12, #8] 218: e3a01003 mov r1, #3 ; 0x3 21c: eb000438 bl 0x1304 220: e8bd8000 ldmia sp!, {pc} case 4: 224: e3a0c057 mov r12, #87 ; 0x57 'W' 228: e5c0c001 strb r12, [r0, #1] 22c: e59fcbd0 ldr r12, =0x800518 ; via 0xe04 230: e5dc1019 ldrb r1, [r12, #25] ; read 800531 234: e5c01002 strb r1, [r0, #2] 238: e5dc2008 ldrb r2, [r12, #8] 23c: e3a01003 mov r1, #3 ; 0x3 240: eb00042f bl 0x1304 244: e8bd8000 ldmia sp!, {pc} case 3: 248: e3a0c077 mov r12, #119 ; 0x77 'w' 24c: e5c0c001 strb r12, [r0, #1] 250: e3a01002 mov r1, #2 ; 0x2 254: e59fcbb4 ldr r12, =0x800520 ; via 0xe10 258: e5dc2000 ldrb r2, [r12] 25c: eb000428 bl 0x1304 260: e8bd8000 ldmia sp!, {pc} case 2: 264: e3a0c050 mov r12, #80 ; 0x50 'P' 268: e5c0c001 strb r12, [r0, #1] 26c: e3a01002 mov r1, #2 ; 0x2 270: e59fcb98 ldr r12, =0x800520 ; via 0xe10 274: e5dc2000 ldrb r2, [r12] 278: eb000421 bl 0x1304 27c: e8bd8000 ldmia sp!, {pc} case 1: 280: e3a0c070 mov r12, #112 ; 0x70 'p' 284: e5c0c001 strb r12, [r0, #1] 288: e3a0c000 mov r12, #0 ; 0x0 28c: e5c0c002 strb r12, [r0, #2] 290: e3a0c004 mov r12, #4 ; 0x4 294: e5c0c003 strb r12, [r0, #3] 298: e3a01004 mov r1, #4 ; 0x4 29c: e59fcb6c ldr r12, =0x800520 ; via 0xe10 2a0: e5dc2000 ldrb r2, [r12] 2a4: eb000416 bl 0x1304 2a8: e8bd8000 ldmia sp!, {pc} case 0: 2ac: e3a0c069 mov r12, #105 ; 0x69 'i' 2b0: e5c0c001 strb r12, [r0, #1] 2b4: e3a01002 mov r1, #2 ; 0x2 2b8: e59fcb50 ldr r12, =0x800520 ; via 0xe10 2bc: e5dc2000 ldrb r2, [r12] 2c0: eb00040f bl 0x1304 2c4: e8bd8000 ldmia sp!, {pc} ; Routine at 0x2c8 - called from 0x1090. It receives and interprets ; the 2nd byte that comes after the '<'. It appears that this function ; only decodes the several known commands, but doesn't actually execute ; them. If a byte was received during the allowed time (set by the 800104 ; variable), this function returns 1 and sets the *R0 byte to the decoding ; result. If no byte was received, this function returns 0; ditto if a ; timeout occurred while waiting for additional bytes. ; ; Arguments: ; R0 points to a byte of RAM, an additional output ; ; *R0 return byte values: ; 00 = got nothing (timeout) or an invalid/non-understood command ; 01 = got 'i' ; 02 = got 'p', 9 additional bytes received, a bunch of vars filled ; 03 = got 'w', the rest of the command read into the buffer at ; 80010C, the flag at 800530 set ; 04 = got 'c', 1 additional byte received, extended to a half-word ; and written to 800526 ; 05 = got 'a' ; 06 = got 'b', 4 bytes written to 80052C 2c8: e92d4ff0 stmdb sp!, {r4, r5, r6, r7, r8, r9, r10, r11, lr} 2cc: e24dd004 sub sp, sp, #4 ; 0x4 2d0: e1a0b000 mov r11, r0 2d4: e3a05000 mov r5, #0 ; 0x0 2d8: e5cb5000 strb r5, [r11] 2dc: e59f7b30 ldr r7, =0x800104 ; via 0xe14 2e0: e59f4b1c ldr r4, =0x800518 ; via 0xe04 2e4: e5d40008 ldrb r0, [r4, #8] ; read 800520 2e8: e5971000 ldr r1, [r7] ; read 800104 2ec: e28d2002 add r2, sp, #2 ; 0x2 2f0: eb00044c bl 0x1428 2f4: e3500000 cmp r0, #0 ; 0x0 2f8: 0a0000fc beq 0x6f0 2fc: e5ddc002 ldrb r12, [sp, #2] 300: e25cc061 subs r12, r12, #97 ; 0x61 'a' 304: 0a000104 beq 0x71c 308: e25cc001 subs r12, r12, #1 ; 0x1 'b' 30c: 0a0000ee beq 0x6cc 310: e25cc001 subs r12, r12, #1 ; 0x1 'c' 314: 0a0000e1 beq 0x6a0 318: e25cc006 subs r12, r12, #6 ; 0x6 'i' 31c: 0a0000dc beq 0x694 320: e25cc007 subs r12, r12, #7 ; 0x7 'p' 324: 0a0000b8 beq 0x60c 328: e25cc007 subs r12, r12, #7 ; 0x7 'w' 32c: 1a0000fc bne 0x724 ; got 'w' ; R4=0x800518, byte at 800530 used for something, init to 0 330: e5c45018 strb r5, [r4, #24] 334: e3a0a000 mov r10, #0 ; 0x0 338: e3a06000 mov r6, #0 ; 0x0 33c: ea000015 b 0x398 ; more blocks 340: e5d40008 ldrb r0, [r4, #8] 344: e5971000 ldr r1, [r7] 348: e28d2002 add r2, sp, #2 ; 0x2 34c: eb000435 bl 0x1428 350: e3500000 cmp r0, #0 ; 0x0 354: 0a0000e5 beq 0x6f0 358: e5ddc002 ldrb r12, [sp, #2] 35c: e35c003c cmp r12, #60 ; 0x3c 360: 0a000001 beq 0x36c 364: e3a0c001 mov r12, #1 ; 0x1 368: e5c4c018 strb r12, [r4, #24] 36c: e5d40008 ldrb r0, [r4, #8] 370: e5971000 ldr r1, [r7] 374: e28d2002 add r2, sp, #2 ; 0x2 378: eb00042a bl 0x1428 37c: e3500000 cmp r0, #0 ; 0x0 380: 0a0000da beq 0x6f0 384: e5ddc002 ldrb r12, [sp, #2] 388: e35c0077 cmp r12, #119 ; 0x77 38c: 0a000001 beq 0x398 390: e3a0c001 mov r12, #1 ; 0x1 394: e5c4c018 strb r12, [r4, #24] ; the entry to the 'w' handling block branches here 398: e5d40008 ldrb r0, [r4, #8] 39c: e5971000 ldr r1, [r7] 3a0: e1a0200d mov r2, sp 3a4: eb00041f bl 0x1428 3a8: e3500000 cmp r0, #0 ; 0x0 3ac: 0a0000cf beq 0x6f0 3b0: e5d40008 ldrb r0, [r4, #8] 3b4: e5971000 ldr r1, [r7] 3b8: e28d2001 add r2, sp, #1 ; 0x1 3bc: eb000419 bl 0x1428 3c0: e3500000 cmp r0, #0 ; 0x0 3c4: 0a0000c9 beq 0x6f0 3c8: e5dd0000 ldrb r0, [sp] 3cc: e5ddc001 ldrb r12, [sp, #1] 3d0: e150000c cmp r0, r12 3d4: 1a000000 bne 0x3dc 3d8: e3a0a001 mov r10, #1 ; 0x1 3dc: e5dd0000 ldrb r0, [sp] 3e0: e5ddc001 ldrb r12, [sp, #1] 3e4: e150000c cmp r0, r12 3e8: ca00007c bgt 0x5e0 3ec: e5ddc001 ldrb r12, [sp, #1] 3f0: e35c0000 cmp r12, #0 ; 0x0 3f4: 0a000079 beq 0x5e0 3f8: e5ddc000 ldrb r12, [sp] 3fc: e35c0000 cmp r12, #0 ; 0x0 400: 0a000076 beq 0x5e0 404: e3a08002 mov r8, #2 ; 0x2 408: e3a05000 mov r5, #0 ; 0x0 40c: e5d40008 ldrb r0, [r4, #8] 410: e5971000 ldr r1, [r7] 414: e28d2002 add r2, sp, #2 ; 0x2 418: eb000402 bl 0x1428 41c: e3500000 cmp r0, #0 ; 0x0 420: 0a0000b2 beq 0x6f0 424: e5ddc002 ldrb r12, [sp, #2] 428: e18cc405 orr r12, r12, r5, lsl #8 42c: e1a0c80c mov r12, r12, lsl #16 430: e1a0582c mov r5, r12, lsr #16 434: e2588001 subs r8, r8, #1 ; 0x1 438: 1afffff3 bne 0x40c 43c: e3a09004 mov r9, #4 ; 0x4 440: e3a08000 mov r8, #0 ; 0x0 444: e5d40008 ldrb r0, [r4, #8] 448: e5971000 ldr r1, [r7] 44c: e28d2002 add r2, sp, #2 ; 0x2 450: eb0003f4 bl 0x1428 454: e3500000 cmp r0, #0 ; 0x0 458: 0a0000a4 beq 0x6f0 45c: e5ddc002 ldrb r12, [sp, #2] 460: e18c8408 orr r8, r12, r8, lsl #8 464: e2599001 subs r9, r9, #1 ; 0x1 468: 1afffff5 bne 0x444 46c: e59fc9a4 ldr r12, =0x800750 ; via 0xe18 470: e158000c cmp r8, r12 474: 3a00004e bcc 0x5b4 478: e59f099c ldr r0, =0x7F8AF ; via 0xe1c 47c: e080c00c add r12, r0, r12 480: e158000c cmp r8, r12 484: 8a00004a bhi 0x5b4 488: e085c006 add r12, r5, r6 48c: e35c0ffe cmp r12, #1016 ; 0x3f8 490: aa000037 bge 0x574 494: e59fc970 ldr r12, =0x80010C ; via 0xe0c 498: e5dd0000 ldrb r0, [sp] 49c: e7c6000c strb r0, [r6, r12] 4a0: e2860001 add r0, r6, #1 ; 0x1 4a4: e1a00800 mov r0, r0, lsl #16 4a8: e1a06820 mov r6, r0, lsr #16 4ac: e5dd0001 ldrb r0, [sp, #1] 4b0: e7c6000c strb r0, [r6, r12] 4b4: e2860001 add r0, r6, #1 ; 0x1 4b8: e1a00800 mov r0, r0, lsl #16 4bc: e1a06820 mov r6, r0, lsr #16 4c0: e1a00425 mov r0, r5, lsr #8 4c4: e7c6000c strb r0, [r6, r12] 4c8: e2860001 add r0, r6, #1 ; 0x1 4cc: e1a00800 mov r0, r0, lsl #16 4d0: e1a06820 mov r6, r0, lsr #16 4d4: e7c6500c strb r5, [r6, r12] 4d8: e2860001 add r0, r6, #1 ; 0x1 4dc: e1a00800 mov r0, r0, lsl #16 4e0: e1a06820 mov r6, r0, lsr #16 4e4: e1a00c28 mov r0, r8, lsr #24 4e8: e7c6000c strb r0, [r6, r12] 4ec: e2860001 add r0, r6, #1 ; 0x1 4f0: e1a00800 mov r0, r0, lsl #16 4f4: e1a06820 mov r6, r0, lsr #16 4f8: e1a00828 mov r0, r8, lsr #16 4fc: e7c6000c strb r0, [r6, r12] 500: e2860001 add r0, r6, #1 ; 0x1 504: e1a00800 mov r0, r0, lsl #16 508: e1a06820 mov r6, r0, lsr #16 50c: e1a00428 mov r0, r8, lsr #8 510: e7c6000c strb r0, [r6, r12] 514: e2860001 add r0, r6, #1 ; 0x1 518: e1a00800 mov r0, r0, lsl #16 51c: e1a06820 mov r6, r0, lsr #16 520: e086900c add r9, r6, r12 524: e5c98000 strb r8, [r9] 528: e286c001 add r12, r6, #1 ; 0x1 52c: e1a0c80c mov r12, r12, lsl #16 530: e1a0682c mov r6, r12, lsr #16 534: e3550000 cmp r5, #0 ; 0x0 538: 0a000018 beq 0x5a0 53c: e085c006 add r12, r5, r6 540: e1a0c80c mov r12, r12, lsl #16 544: e1a0682c mov r6, r12, lsr #16 548: e2899001 add r9, r9, #1 ; 0x1 54c: e5d40008 ldrb r0, [r4, #8] 550: e5971000 ldr r1, [r7] 554: e1a02009 mov r2, r9 558: eb0003b2 bl 0x1428 55c: e3500000 cmp r0, #0 ; 0x0 560: 0a000062 beq 0x6f0 564: e2899001 add r9, r9, #1 ; 0x1 568: e2555001 subs r5, r5, #1 ; 0x1 56c: 1afffff6 bne 0x54c 570: ea00000a b 0x5a0 ; length exceeded: read and discard ; the increment of R5 looks like a bug! 574: e285c001 add r12, r5, #1 ; 0x1 578: e1a0c80c mov r12, r12, lsl #16 57c: e1a0582c mov r5, r12, lsr #16 580: e5d40008 ldrb r0, [r4, #8] 584: e5971000 ldr r1, [r7] 588: e28d2002 add r2, sp, #2 ; 0x2 58c: eb0003a5 bl 0x1428 590: e3500000 cmp r0, #0 ; 0x0 594: 0a000055 beq 0x6f0 598: e2555001 subs r5, r5, #1 ; 0x1 59c: 1afffff7 bne 0x580 5a0: e35a0000 cmp r10, #0 ; 0x0 5a4: 0affff65 beq 0x340 5a8: e3a0c003 mov r12, #3 ; 0x3 5ac: e5cbc000 strb r12, [r11] 5b0: ea00005b b 0x724 ; error path (<w load address outside of the permissible IRAM range) 5b4: e3a0c001 mov r12, #1 ; 0x1 5b8: e5c4c018 strb r12, [r4, #24] 5bc: e3a0c003 mov r12, #3 ; 0x3 5c0: e5cbc000 strb r12, [r11] 5c4: e5d40008 ldrb r0, [r4, #8] 5c8: e59f1850 ldr r1, =0xFFFFF ; via 0xe20 5cc: e28d2002 add r2, sp, #2 ; 0x2 5d0: eb000394 bl 0x1428 5d4: e3500001 cmp r0, #1 ; 0x1 5d8: 0afffff9 beq 0x5c4 5dc: ea000050 b 0x724 ; another error path (bad block number voodoo) 5e0: e3a0c001 mov r12, #1 ; 0x1 5e4: e5c4c018 strb r12, [r4, #24] 5e8: e3a0c003 mov r12, #3 ; 0x3 5ec: e5cbc000 strb r12, [r11] ; flush serial input (wait for long silence), then return 5f0: e5d40008 ldrb r0, [r4, #8] 5f4: e59f1824 ldr r1, =0xFFFFF ; via 0xe20 5f8: e28d2002 add r2, sp, #2 ; 0x2 5fc: eb000389 bl 0x1428 600: e3500001 cmp r0, #1 ; 0x1 604: 0afffff9 beq 0x5f0 608: ea000045 b 0x724 ; got 'p' ; R4=0x800518 60c: e59f67f8 ldr r6, =0x80010C ; via 0xe0c 610: e3a08009 mov r8, #9 ; 0x9 614: e5d40008 ldrb r0, [r4, #8] 618: e5971000 ldr r1, [r7] 61c: e1a02006 mov r2, r6 620: eb000380 bl 0x1428 624: e3500000 cmp r0, #0 ; 0x0 628: 0a000030 beq 0x6f0 62c: e2866001 add r6, r6, #1 ; 0x1 630: e2588001 subs r8, r8, #1 ; 0x1 634: 1afffff6 bne 0x614 638: e59fc7cc ldr r12, =0x80010C ; via 0xe0c 63c: e5dc0000 ldrb r0, [r12] 640: e5c40000 strb r0, [r4] ; into 800518 644: e5dc0001 ldrb r0, [r12, #1] 648: e5c40009 strb r0, [r4, #9] ; into 800521 64c: e1c450ba strh r5, [r4, #10] ; 16-bit 0 into 800522 650: e5dc1003 ldrb r1, [r12, #3] 654: e5dc0002 ldrb r0, [r12, #2] 658: e1810400 orr r0, r1, r0, lsl #8 65c: e1c400ba strh r0, [r4, #10] 660: e5dc0004 ldrb r0, [r12, #4] 664: e5c4000d strb r0, [r4, #13] 668: e5dc0006 ldrb r0, [r12, #6] 66c: e5dc1005 ldrb r1, [r12, #5] 670: e1801401 orr r1, r0, r1, lsl #8 674: e5dc0007 ldrb r0, [r12, #7] 678: e1800401 orr r0, r0, r1, lsl #8 67c: e5dcc008 ldrb r12, [r12, #8] 680: e18cc400 orr r12, r12, r0, lsl #8 684: e584c004 str r12, [r4, #4] 688: e3a0c002 mov r12, #2 ; 0x2 68c: e5cbc000 strb r12, [r11] 690: ea000023 b 0x724 ; got 'i' 694: e3a0c001 mov r12, #1 ; 0x1 698: e5cbc000 strb r12, [r11] 69c: ea000020 b 0x724 ; got 'c' 6a0: e5d40008 ldrb r0, [r4, #8] 6a4: e5971000 ldr r1, [r7] 6a8: e28d2002 add r2, sp, #2 ; 0x2 6ac: eb00035d bl 0x1428 6b0: e3500000 cmp r0, #0 ; 0x0 6b4: 0a00000d beq 0x6f0 6b8: e5ddc002 ldrb r12, [sp, #2] 6bc: e1c4c0be strh r12, [r4, #14] 6c0: e3a0c004 mov r12, #4 ; 0x4 6c4: e5cbc000 strb r12, [r11] 6c8: ea000015 b 0x724 ; got 'b' ; R4=0x800518 6cc: e3a0c000 mov r12, #0 ; 0x0 6d0: e584c014 str r12, [r4, #20] 6d4: e3a05004 mov r5, #4 ; 0x4 6d8: e5d40008 ldrb r0, [r4, #8] 6dc: e5971000 ldr r1, [r7] 6e0: e28d2002 add r2, sp, #2 ; 0x2 6e4: eb00034f bl 0x1428 6e8: e3500000 cmp r0, #0 ; 0x0 6ec: 1a000001 bne 0x6f8 6f0: e3a00000 mov r0, #0 ; 0x0 6f4: ea00000b b 0x728 6f8: e5dd0002 ldrb r0, [sp, #2] 6fc: e594c014 ldr r12, [r4, #20] 700: e180c40c orr r12, r0, r12, lsl #8 704: e584c014 str r12, [r4, #20] 708: e2555001 subs r5, r5, #1 ; 0x1 70c: 1afffff1 bne 0x6d8 710: e3a0c006 mov r12, #6 ; 0x6 714: e5cbc000 strb r12, [r11] 718: ea000001 b 0x724 ; got 'a' 71c: e3a0c005 mov r12, #5 ; 0x5 720: e5cbc000 strb r12, [r11] ; common return for 'got something', including invalid (non-understood) commands 724: e3a00001 mov r0, #1 ; 0x1 728: e28dd004 add sp, sp, #4 ; 0x4 72c: e8bd8ff0 ldmia sp!, {r4, r5, r6, r7, r8, r9, r10, r11, pc} ; The routine at 0x730 is called from the 0x8b4 routine and handles ; '<w' commands. 730: e92d43f0 stmdb sp!, {r4, r5, r6, r7, r8, r9, lr} 734: e59f46c8 ldr r4, =0x800518 ; via 0xe04 738: e5d4c018 ldrb r12, [r4, #24] ; 800530 73c: e35c0001 cmp r12, #1 ; 0x1 740: 0a00004a beq 0x870 744: e59f56c0 ldr r5, =0x80010C ; via 0xe0c 748: e59f66c8 ldr r6, =0x800750 ; via 0xe18 74c: e3a07000 mov r7, #0 ; 0x0 750: e3a00000 mov r0, #0 ; 0x0 754: e080c005 add r12, r0, r5 758: e28cc001 add r12, r12, #1 ; 0x1 75c: e7d02005 ldrb r2, [r0, r5] 760: e5dc1000 ldrb r1, [r12] 764: e1520001 cmp r2, r1 768: 1a000000 bne 0x770 76c: e3a07001 mov r7, #1 ; 0x1 770: e5dc2002 ldrb r2, [r12, #2] 774: e5dc1001 ldrb r1, [r12, #1] 778: e0821401 add r1, r2, r1, lsl #8 77c: e1a01801 mov r1, r1, lsl #16 780: e1a01821 mov r1, r1, lsr #16 784: e5dc3004 ldrb r3, [r12, #4] 788: e5dc2003 ldrb r2, [r12, #3] 78c: e0832402 add r2, r3, r2, lsl #8 790: e5dc3005 ldrb r3, [r12, #5] 794: e0832402 add r2, r3, r2, lsl #8 798: e5dcc006 ldrb r12, [r12, #6] 79c: e08c2402 add r2, r12, r2, lsl #8 7a0: e202c0ff and r12, r2, #255 ; 0xff 7a4: e081300c add r3, r1, r12 7a8: e1a0c422 mov r12, r2, lsr #8 7ac: e20cc0ff and r12, r12, #255 ; 0xff 7b0: e08c3003 add r3, r12, r3 7b4: e1a0c822 mov r12, r2, lsr #16 7b8: e20cc0ff and r12, r12, #255 ; 0xff 7bc: e08cc003 add r12, r12, r3 7c0: e08ccc22 add r12, r12, r2, lsr #24 7c4: e28cc005 add r12, r12, #5 ; 0x5 7c8: e1a0c80c mov r12, r12, lsl #16 7cc: e1a0882c mov r8, r12, lsr #16 7d0: e3a03000 mov r3, #0 ; 0x0 7d4: e1520006 cmp r2, r6 7d8: 3a000003 bcc 0x7ec 7dc: e59fc638 ldr r12, =0x7F8AF ; via 0xe1c 7e0: e08cc006 add r12, r12, r6 7e4: e152000c cmp r2, r12 7e8: 9a000001 bls 0x7f4 ; error: bad load address 7ec: e383c001 orr r12, r3, #1 ; 0x1 7f0: e20c30ff and r3, r12, #255 ; 0xff 7f4: e3530000 cmp r3, #0 ; 0x0 7f8: 1a00001d bne 0x874 ; address OK 7fc: e3a09000 mov r9, #0 ; 0x0 800: e3510000 cmp r1, #0 ; 0x0 804: 0a00000b beq 0x838 808: e089c000 add r12, r9, r0 80c: e085c00c add r12, r5, r12 810: e5dcc008 ldrb r12, [r12, #8] 814: e4c2c001 strb r12, [r2], #1 818: e08cc008 add r12, r12, r8 81c: e1a0c80c mov r12, r12, lsl #16 820: e1a0882c mov r8, r12, lsr #16 824: e289c001 add r12, r9, #1 ; 0x1 828: e1a0c80c mov r12, r12, lsl #16 82c: e1a0982c mov r9, r12, lsr #16 830: e2511001 subs r1, r1, #1 ; 0x1 834: 1afffff3 bne 0x808 838: e3a0c0ff mov r12, #255 ; 0xff 83c: e1ccc008 bic r12, r12, r8 840: e1a0c80c mov r12, r12, lsl #16 844: e1a0882c mov r8, r12, lsr #16 848: e1d4c1b0 ldrh r12, [r4, #16] 84c: e088c00c add r12, r8, r12 850: e1c4c1b0 strh r12, [r4, #16] 854: e080c009 add r12, r0, r9 858: e28cc008 add r12, r12, #8 ; 0x8 85c: e1a0c80c mov r12, r12, lsl #16 860: e1a0082c mov r0, r12, lsr #16 864: e3570000 cmp r7, #0 ; 0x0 868: 0affffb9 beq 0x754 86c: ea000000 b 0x874 ; 800530 flag was set to 01 ; return error 02 870: e3a03002 mov r3, #2 ; 0x2 ; common exit path: good or bad? 874: e5c43019 strb r3, [r4, #25] 878: e3530000 cmp r3, #0 ; 0x0 87c: 0a000008 beq 0x8a4 ; good return ; nope, bad: send >W 880: e3a00004 mov r0, #4 ; 0x4 884: ebfffe2c bl 0x13c ; reset baud rate to 19200 888: e5d41008 ldrb r1, [r4, #8] 88c: e3a00004 mov r0, #4 ; 0x4 890: eb0002d0 bl 0x13d8 ; var init 894: e1a00004 mov r0, r4 898: ebfffe1f bl 0x11c 89c: e3a00001 mov r0, #1 ; 0x1 8a0: e8bd83f0 ldmia sp!, {r4, r5, r6, r7, r8, r9, pc} ; good return: send >w to host 8a4: e3a00003 mov r0, #3 ; 0x3 8a8: ebfffe23 bl 0x13c 8ac: e3a00000 mov r0, #0 ; 0x0 8b0: e8bd83f0 ldmia sp!, {r4, r5, r6, r7, r8, r9, pc} ; The routine at 0x8b4 handles the command received by the 0x2c8 routine. ; The argument in R0 is the code produced by the latter. 8b4: e92d4070 stmdb sp!, {r4, r5, r6, lr} 8b8: e24dd008 sub sp, sp, #8 ; 0x8 8bc: e59f4560 ldr r4, =0x800108 ; via 0xe24 8c0: e5d4c000 ldrb r12, [r4] 8c4: e25cc001 subs r12, r12, #1 ; 0x1 8c8: 0a000102 beq 0xcd8 8cc: e25cc001 subs r12, r12, #1 ; 0x1 8d0: 0a00008a beq 0xb00 8d4: e25cc001 subs r12, r12, #1 ; 0x1 8d8: 0a000047 beq 0x9fc 8dc: e25cc001 subs r12, r12, #1 ; 0x1 8e0: 1a000145 bne 0xdfc ; state 04 ; like in state 03, '<p' is ignored in this state 8e4: e250c001 subs r12, r0, #1 ; 0x1 8e8: 0a00003c beq 0x9e0 8ec: e25cc002 subs r12, r12, #2 ; 0x2 8f0: 0a00002f beq 0x9b4 8f4: e25cc001 subs r12, r12, #1 ; 0x1 8f8: 0a000022 beq 0x988 8fc: e25cc001 subs r12, r12, #1 ; 0x1 900: 0a000017 beq 0x964 904: e25cc001 subs r12, r12, #1 ; 0x1 908: 1a00013b bne 0xdfc ; '<b' in state 04 90c: e59f54f0 ldr r5, =0x800518 ; via 0xe04 910: e59f0500 ldr r0, =0x800750 ; via 0xe18 914: e595c014 ldr r12, [r5, #20] 918: e15c0000 cmp r12, r0 91c: 3a000006 bcc 0x93c 920: e59f14f4 ldr r1, =0x7F8AF ; via 0xe1c 924: e0810000 add r0, r1, r0 928: e15c0000 cmp r12, r0 92c: 8a000002 bhi 0x93c ; all clear - respond with '<b' 930: e3a00008 mov r0, #8 ; 0x8 934: ebfffe00 bl 0x13c ; and leap! 938: ebfffdeb bl 0xec ; address bad ; respond with >B 93c: e3a00009 mov r0, #9 ; 0x9 940: ebfffdfd bl 0x13c ; baud rate reset to 19200 944: e5d51008 ldrb r1, [r5, #8] 948: e3a00004 mov r0, #4 ; 0x4 94c: eb0002a1 bl 0x13d8 ; var reset 950: e1a00005 mov r0, r5 954: ebfffdf0 bl 0x11c ; state back to 01 958: e3a0c001 mov r12, #1 ; 0x1 95c: e5c4c000 strb r12, [r4] 960: ea000125 b 0xdfc ; '<a' in state 04 ; same handling as in states 02 and 03: ; var reset, baud rate back to 19200, state back to 01, no response msg 964: e59f5498 ldr r5, =0x800518 ; via 0xe04 968: e1a00005 mov r0, r5 96c: ebfffdea bl 0x11c 970: e5d51008 ldrb r1, [r5, #8] 974: e3a00004 mov r0, #4 ; 0x4 978: eb000296 bl 0x13d8 97c: e3a0c001 mov r12, #1 ; 0x1 980: e5c4c000 strb r12, [r4] 984: ea00011c b 0xdfc ; '<c' in state 04 ; >C error, reset everything like other errors 988: e3a00006 mov r0, #6 ; 0x6 98c: ebfffdea bl 0x13c 990: e59f546c ldr r5, =0x800518 ; via 0xe04 994: e5d51008 ldrb r1, [r5, #8] 998: e3a00004 mov r0, #4 ; 0x4 99c: eb00028d bl 0x13d8 9a0: e1a00005 mov r0, r5 9a4: ebfffddc bl 0x11c 9a8: e3a0c001 mov r12, #1 ; 0x1 9ac: e5c4c000 strb r12, [r4] 9b0: ea000111 b 0xdfc ; '<w' in state 04 ; respond with >W error 9b4: e3a00004 mov r0, #4 ; 0x4 9b8: ebfffddf bl 0x13c ; baud rate reset to 19200 9bc: e59f5440 ldr r5, =0x800518 ; via 0xe04 9c0: e5d51008 ldrb r1, [r5, #8] 9c4: e3a00004 mov r0, #4 ; 0x4 9c8: eb000282 bl 0x13d8 ; var init 9cc: e1a00005 mov r0, r5 9d0: ebfffdd1 bl 0x11c ; state back to 01 9d4: e3a0c001 mov r12, #1 ; 0x1 9d8: e5c4c000 strb r12, [r4] 9dc: ea000106 b 0xdfc ; '<i' in state 04 ; same handling as in states 02 and 03: vars reset, but UART left alone ; and the state remains 04. 9e0: e59f041c ldr r0, =0x800518 ; via 0xe04 9e4: ebfffdcc bl 0x11c 9e8: e3a00000 mov r0, #0 ; 0x0 9ec: ebfffdd2 bl 0x13c 9f0: e3a0c004 mov r12, #4 ; 0x4 9f4: e5c4c000 strb r12, [r4] 9f8: ea0000ff b 0xdfc ; state 03 ; '<p' is ignored in this state 9fc: e250c001 subs r12, r0, #1 ; 0x1 a00: 0a000037 beq 0xae4 a04: e25cc002 subs r12, r12, #2 ; 0x2 a08: 0a000031 beq 0xad4 a0c: e25cc001 subs r12, r12, #1 ; 0x1 a10: 0a000017 beq 0xa74 a14: e25cc001 subs r12, r12, #1 ; 0x1 a18: 0a00000c beq 0xa50 a1c: e25cc001 subs r12, r12, #1 ; 0x1 a20: 1a0000f5 bne 0xdfc ; got '<b' in state 03 ; send >B, same error handling as in state 02 a24: e3a00009 mov r0, #9 ; 0x9 a28: ebfffdc3 bl 0x13c a2c: e59f53d0 ldr r5, =0x800518 ; via 0xe04 a30: e5d51008 ldrb r1, [r5, #8] a34: e3a00004 mov r0, #4 ; 0x4 a38: eb000266 bl 0x13d8 a3c: e1a00005 mov r0, r5 a40: ebfffdb5 bl 0x11c a44: e3a0c001 mov r12, #1 ; 0x1 a48: e5c4c000 strb r12, [r4] a4c: ea0000ea b 0xdfc ; got '<a' in state 03 ; var reset, baud rate back to 19200, state back to 01, no response msg a50: e59f53ac ldr r5, =0x800518 ; via 0xe04 a54: e1a00005 mov r0, r5 a58: ebfffdaf bl 0x11c a5c: e5d51008 ldrb r1, [r5, #8] a60: e3a00004 mov r0, #4 ; 0x4 a64: eb00025b bl 0x13d8 a68: e3a0c001 mov r12, #1 ; 0x1 a6c: e5c4c000 strb r12, [r4] a70: ea0000e1 b 0xdfc ; got '<c' in state 03 a74: e59fc388 ldr r12, =0x800518 ; via 0xe04 a78: e3a010ff mov r1, #255 ; 0xff a7c: e1dc01b0 ldrh r0, [r12, #16] a80: e1c10000 bic r0, r1, r0 a84: e1dcc0be ldrh r12, [r12, #14] a88: e20cc0ff and r12, r12, #255 ; 0xff a8c: e150000c cmp r0, r12 a90: 1a000004 bne 0xaa8 ; checksum match - respond with >c and advance to state 04 a94: e3a00005 mov r0, #5 ; 0x5 a98: ebfffda7 bl 0x13c a9c: e3a0c004 mov r12, #4 ; 0x4 aa0: e5c4c000 strb r12, [r4] aa4: ea0000d4 b 0xdfc ; checksum mismatch: respond with >C, reset vars, reset the baud rate to 19200, ; reset the state to 01 aa8: e3a00006 mov r0, #6 ; 0x6 aac: ebfffda2 bl 0x13c ab0: e59f534c ldr r5, =0x800518 ; via 0xe04 ab4: e1a00005 mov r0, r5 ab8: ebfffd97 bl 0x11c abc: e5d51008 ldrb r1, [r5, #8] ac0: e3a00004 mov r0, #4 ; 0x4 ac4: eb000243 bl 0x13d8 ac8: e3a0c001 mov r12, #1 ; 0x1 acc: e5c4c000 strb r12, [r4] ad0: ea0000c9 b 0xdfc ; got '<w' in state 03 ad4: ebffff15 bl 0x730 ad8: e3500000 cmp r0, #0 ; 0x0 ; same outcome as in state 02 adc: 0a000038 beq 0xbc4 ; good ae0: ea00003a b 0xbd0 ; bad ; got '<i' in state 03 ; same as in state 02: the init routine is called (most notably the chksum ; accum is reset), the baud rate var is reset to 04, but the UART is not ; reprogrammed, and the state remains 03. ae4: e59f0318 ldr r0, =0x800518 ; via 0xe04 ae8: ebfffd8b bl 0x11c aec: e3a00000 mov r0, #0 ; 0x0 af0: ebfffd91 bl 0x13c af4: e3a0c003 mov r12, #3 ; 0x3 af8: e5c4c000 strb r12, [r4] afc: ea0000be b 0xdfc ; state 02 b00: e250c001 subs r12, r0, #1 ; 0x1 b04: 0a00006c beq 0xcbc b08: e25cc001 subs r12, r12, #1 ; 0x1 b0c: 0a000032 beq 0xbdc b10: e25cc001 subs r12, r12, #1 ; 0x1 b14: 0a000024 beq 0xbac b18: e25cc001 subs r12, r12, #1 ; 0x1 b1c: 0a000017 beq 0xb80 b20: e25cc001 subs r12, r12, #1 ; 0x1 b24: 0a00000c beq 0xb5c b28: e25cc001 subs r12, r12, #1 ; 0x1 b2c: 1a0000b2 bne 0xdfc ; '<b' in state 02 ; respond with >B error b30: e3a00009 mov r0, #9 ; 0x9 b34: ebfffd80 bl 0x13c b38: e59f52c4 ldr r5, =0x800518 ; via 0xe04 ; reset the baud rate to 19200 b3c: e5d51008 ldrb r1, [r5, #8] b40: e3a00004 mov r0, #4 ; 0x4 b44: eb000223 bl 0x13d8 ; var init b48: e1a00005 mov r0, r5 b4c: ebfffd72 bl 0x11c ; state back to 01 b50: e3a0c001 mov r12, #1 ; 0x1 b54: e5c4c000 strb r12, [r4] b58: ea0000a7 b 0xdfc ; '<a' in state 02 ; reset back to state 01 at 19200 baud with var init ; no response msg b5c: e59f52a0 ldr r5, =0x800518 ; via 0xe04 b60: e1a00005 mov r0, r5 b64: ebfffd6c bl 0x11c b68: e5d51008 ldrb r1, [r5, #8] b6c: e3a00004 mov r0, #4 ; 0x4 b70: eb000218 bl 0x13d8 b74: e3a0c001 mov r12, #1 ; 0x1 b78: e5c4c000 strb r12, [r4] b7c: ea00009e b 0xdfc ; '<c' in state 02 ; respond with >C error b80: e3a00006 mov r0, #6 ; 0x6 b84: ebfffd6c bl 0x13c b88: e59f5274 ldr r5, =0x800518 ; via 0xe04 ; reset baud rate to 19200 b8c: e5d51008 ldrb r1, [r5, #8] b90: e3a00004 mov r0, #4 ; 0x4 b94: eb00020f bl 0x13d8 ; var init b98: e1a00005 mov r0, r5 b9c: ebfffd5e bl 0x11c ; state back to 01 ba0: e3a0c001 mov r12, #1 ; 0x1 ba4: e5c4c000 strb r12, [r4] ba8: ea000093 b 0xdfc ; '<w' in state 02 bac: e59f0274 ldr r0, =0x800528 ; via 0xe28 bb0: e3a0c000 mov r12, #0 ; 0x0 bb4: e1c0c0b0 strh r12, [r0] bb8: ebfffedc bl 0x730 bbc: e3500000 cmp r0, #0 ; 0x0 bc0: 1a000002 bne 0xbd0 bc4: e3a0c003 mov r12, #3 ; 0x3 bc8: e5c4c000 strb r12, [r4] bcc: ea00008a b 0xdfc bd0: e3a0c001 mov r12, #1 ; 0x1 bd4: e5c4c000 strb r12, [r4] bd8: ea000087 b 0xdfc ; '<p' in state 02 bdc: e59f6220 ldr r6, =0x800518 ; via 0xe04 be0: e5d6c000 ldrb r12, [r6] be4: e35c0000 cmp r12, #0 ; 0x0 be8: 0a000011 beq 0xc34 bec: e35c0001 cmp r12, #1 ; 0x1 bf0: 0a00000f beq 0xc34 bf4: e35c0002 cmp r12, #2 ; 0x2 bf8: 0a00000d beq 0xc34 bfc: e35c0003 cmp r12, #3 ; 0x3 c00: 0a00000b beq 0xc34 c04: e35c0004 cmp r12, #4 ; 0x4 c08: 0a000009 beq 0xc34 ; bad baud rate ; respond with >P c0c: e3a00002 mov r0, #2 ; 0x2 c10: ebfffd49 bl 0x13c ; reset the baud rate to 19200 c14: e5d61008 ldrb r1, [r6, #8] c18: e3a00004 mov r0, #4 ; 0x4 c1c: eb0001ed bl 0x13d8 ; equiv of <i c20: e1a00006 mov r0, r6 c24: ebfffd3c bl 0x11c ; state machine back to 01 c28: e3a0c001 mov r12, #1 ; 0x1 c2c: e5c4c000 strb r12, [r4] c30: ea000071 b 0xdfc ; '<p' in state 02, baud rate code is good ; same handling as on the initial '<p' that got us here c34: e5d6500d ldrb r5, [r6, #13] c38: e1d6c0ba ldrh r12, [r6, #10] c3c: e20c001f and r0, r12, #31 ; 0x1f c40: e20000ff and r0, r0, #255 ; 0xff c44: e1a012ac mov r1, r12, lsr #5 c48: e201101f and r1, r1, #31 ; 0x1f c4c: e20110ff and r1, r1, #255 ; 0xff c50: e1a0c52c mov r12, r12, lsr #10 c54: e20cc01f and r12, r12, #31 ; 0x1f c58: e20c20ff and r2, r12, #255 ; 0xff c5c: e205c00f and r12, r5, #15 ; 0xf c60: e20c30ff and r3, r12, #255 ; 0xff c64: e1a0c225 mov r12, r5, lsr #4 c68: e5cdc000 strb r12, [sp] c6c: eb00006e bl 0xe2c c70: e5d6c009 ldrb r12, [r6, #9] c74: e5d6000c ldrb r0, [r6, #12] c78: e20c1003 and r1, r12, #3 ; 0x3 c7c: e20110ff and r1, r1, #255 ; 0xff c80: e1a0c12c mov r12, r12, lsr #2 c84: e20cc01f and r12, r12, #31 ; 0x1f c88: e20c20ff and r2, r12, #255 ; 0xff c8c: eb000098 bl 0xef4 c90: e3a00001 mov r0, #1 ; 0x1 c94: ebfffd28 bl 0x13c c98: e5d60000 ldrb r0, [r6] c9c: e5d61008 ldrb r1, [r6, #8] ca0: eb0001cc bl 0x13d8 ca4: e59fc168 ldr r12, =0x800104 ; via 0xe14 ca8: e5960004 ldr r0, [r6, #4] cac: e58c0000 str r0, [r12] ; new state is 02 - no change cb0: e3a0c002 mov r12, #2 ; 0x2 cb4: e5c4c000 strb r12, [r4] cb8: ea00004f b 0xdfc ; '<i' in state 02 ; same action as initially, but stay in state 02 ; the 800518 variable is reset to 04 by 0x11c, but the UART is not reprogrammed cbc: e59f0140 ldr r0, =0x800518 ; via 0xe04 cc0: ebfffd15 bl 0x11c cc4: e3a00000 mov r0, #0 ; 0x0 cc8: ebfffd1b bl 0x13c ccc: e3a0c002 mov r12, #2 ; 0x2 cd0: e5c4c000 strb r12, [r4] cd4: ea000048 b 0xdfc ; state 01 dispatch cd8: e250c001 subs r12, r0, #1 ; 0x1 cdc: 0a000040 beq 0xde4 ce0: e25cc001 subs r12, r12, #1 ; 0x1 ce4: 0a00000b beq 0xd18 ce8: e24cc001 sub r12, r12, #1 ; 0x1 cec: e35c0003 cmp r12, #3 ; 0x3 cf0: 8a000041 bhi 0xdfc ; everything other than '<i' and '<p' cf4: e59f5108 ldr r5, =0x800518 ; via 0xe04 cf8: e1a00005 mov r0, r5 cfc: ebfffd06 bl 0x11c ; set UART to 19200 baud d00: e5d51008 ldrb r1, [r5, #8] d04: e3a00004 mov r0, #4 ; 0x4 d08: eb0001b2 bl 0x13d8 ; reset state variable to 1 d0c: e3a0c001 mov r12, #1 ; 0x1 d10: e5c4c000 strb r12, [r4] d14: ea000038 b 0xdfc ; '<p' handler (state 01) d18: e59f60e4 ldr r6, =0x800518 ; via 0xe04 d1c: e5d6c000 ldrb r12, [r6] d20: e35c0000 cmp r12, #0 ; 0x0 d24: 0a00000c beq 0xd5c d28: e35c0001 cmp r12, #1 ; 0x1 d2c: 0a00000a beq 0xd5c d30: e35c0002 cmp r12, #2 ; 0x2 d34: 0a000008 beq 0xd5c d38: e35c0003 cmp r12, #3 ; 0x3 d3c: 0a000006 beq 0xd5c d40: e35c0004 cmp r12, #4 ; 0x4 d44: 0a000004 beq 0xd5c ; bad baud rate requested - respond with >P and throw FSM back to state 1 d48: e3a00002 mov r0, #2 ; 0x2 d4c: ebfffcfa bl 0x13c d50: e3a0c001 mov r12, #1 ; 0x1 d54: e5c4c000 strb r12, [r4] d58: ea000027 b 0xdfc ; <p baud rate code is good d5c: e5d6500d ldrb r5, [r6, #13] d60: e1d6c0ba ldrh r12, [r6, #10] d64: e20c001f and r0, r12, #31 ; 0x1f d68: e20000ff and r0, r0, #255 ; 0xff d6c: e1a012ac mov r1, r12, lsr #5 d70: e201101f and r1, r1, #31 ; 0x1f d74: e20110ff and r1, r1, #255 ; 0xff d78: e1a0c52c mov r12, r12, lsr #10 d7c: e20cc01f and r12, r12, #31 ; 0x1f d80: e20c20ff and r2, r12, #255 ; 0xff d84: e205c00f and r12, r5, #15 ; 0xf d88: e20c30ff and r3, r12, #255 ; 0xff d8c: e1a0c225 mov r12, r5, lsr #4 d90: e5cdc000 strb r12, [sp] d94: eb000024 bl 0xe2c d98: e5d6c009 ldrb r12, [r6, #9] d9c: e5d6000c ldrb r0, [r6, #12] da0: e20c1003 and r1, r12, #3 ; 0x3 da4: e20110ff and r1, r1, #255 ; 0xff da8: e1a0c12c mov r12, r12, lsr #2 dac: e20cc01f and r12, r12, #31 ; 0x1f db0: e20c20ff and r2, r12, #255 ; 0xff db4: eb00004e bl 0xef4 db8: e3a00001 mov r0, #1 ; 0x1 dbc: ebfffcde bl 0x13c dc0: e5d60000 ldrb r0, [r6] dc4: e5d61008 ldrb r1, [r6, #8] dc8: eb000182 bl 0x13d8 dcc: e59f0040 ldr r0, =0x800104 ; via 0xe14 dd0: e596c004 ldr r12, [r6, #4] dd4: e580c000 str r12, [r0] dd8: e3a0c002 mov r12, #2 ; 0x2 ddc: e5c4c000 strb r12, [r4] de0: ea000005 b 0xdfc ; response to '<i' is handled here (state 01) de4: e59f0018 ldr r0, =0x800518 ; via 0xe04 de8: ebfffccb bl 0x11c dec: e3a00000 mov r0, #0 ; 0x0 df0: ebfffcd1 bl 0x13c ; state machine back to the initial state df4: e3a0c001 mov r12, #1 ; 0x1 df8: e5c4c000 strb r12, [r4] dfc: e28dd008 add sp, sp, #8 ; 0x8 e00: e8bd8070 ldmia sp!, {r4, r5, r6, pc} ; literal pool e04: 00800518 e08: 00001fcc e0c: 0080010c e10: 00800520 e14: 00800104 e18: 00800750 e1c: 0007f8af e20: 000fffff e24: 00800108 e28: 00800528 ; The following routine performs basic sanity initialization ; of the memory map and clocking. ; ; Arguments: ; R0: WS setting for nCS0 (external ROM/flash) ; R1: WS setting for nCS6 (internal RAM) ; R2: WS setting for nCS7 (internal ROM) ; R3: value to be written into bits <3:0> of FFFF:F900 ; stack arg: value to be written into bits <7:4> of FFFF:F900 e2c: e92d4070 stmdb sp!, {r4, r5, r6, lr} e30: e5dd5010 ldrb r5, [sp, #16] ; mask all interrupts e34: e59fc48c ldr r12, =0xFFFF ; via 0x12c8 e38: e59f4484 ldr r4, =0xFFFFFA08 ; via 0x12c4 e3c: e1c4c0b0 strh r12, [r4] ; 1st reg e40: e59f4484 ldr r4, =0xFFFFFA0A ; via 0x12cc e44: e1c4c0b0 strh r12, [r4] ; 2nd reg ; disable the watchdog e48: e59f4480 ldr r4, =0xFFFFF804 ; via 0x12d0 e4c: e3a0c0f5 mov r12, #245 ; 0xf5 e50: e1c4c0b0 strh r12, [r4] ; 1st write e54: e3a0c0a0 mov r12, #160 ; 0xa0 e58: e1c4c0b0 strh r12, [r4] ; 2nd write ; write 0x100 into the MCU memory map EXTRA_CONF register (FFFF:FB10) ; forces the memory map to internal ROM, all other bits at ; listed reset default values e5c: e59f4470 ldr r4, =0xFFFFFB10 ; via 0x12d4 e60: e3a0cc01 mov r12, #256 ; 0x100 e64: e1c4c0b0 strh r12, [r4] ; write 0xFF22 into FFFF:F900 in a convoluted way e68: e59f6468 ldr r6, =0xFFFFFD00 ; via 0x12d8 e6c: e3a04b01 mov r4, #1024 ; 0x400 e70: e3a0c801 mov r12, #65536 ; 0x10000 e74: e24cc0de sub r12, r12, #222 ; 0xde e78: e106c0b4 strh r12, [r6, -r4] ; DPLL control register written with what looks like the reset default value e7c: e59fc45c ldr r12, 0x2002 ; via 0x12e0 e80: e59f4454 ldr r4, =0xFFFF9800 ; via 0x12dc e84: e1c4c0b0 strh r12, [r4] e88: e1b04f8c movs r4, r12, lsl #31 e8c: 1afffffd bne 0xe88 ; write 0x1083 into FFFF:FD00 ; sets the MCU clock to come directly from VTCXO, bypassing DPLL e90: e3a0c083 mov r12, #131 ; 0x83 e94: e28cca01 add r12, r12, #4096 ; 0x1000 e98: e1c6c0b0 strh r12, [r6] ; clear bit 6 of FFFF:FD02 (set VCLKOUT-FR to /1) e9c: e1d6c0b2 ldrh r12, [r6, #2] ea0: e20c40bf and r4, r12, #191 ; 0xbf ea4: e20cccff and r12, r12, #65280 ; 0xff00 ea8: e184c00c orr r12, r4, r12 eac: e1c6c0b2 strh r12, [r6, #2] ; program nCS0: WS as given by R0, 1 dummy cycle, enable writes eb0: e3a0cc02 mov r12, #512 ; 0x200 eb4: e200001f and r0, r0, #31 ; 0x1f eb8: e3800e2a orr r0, r0, #672 ; 0x2a0 ebc: e10600bc strh r0, [r6, -r12] ; program nCS6 (int RAM): WS as given by R1, common sense values for the rest ec0: e3a0cf7d mov r12, #500 ; 0x1f4 ec4: e201001f and r0, r1, #31 ; 0x1f ec8: e38000c0 orr r0, r0, #192 ; 0xc0 ecc: e10600bc strh r0, [r6, -r12] ; program nCS7 (int ROM): same as nCS6, but WS as given by R2 ed0: e3a0cf7e mov r12, #504 ; 0x1f8 ed4: e202001f and r0, r2, #31 ; 0x1f ed8: e38000c0 orr r0, r0, #192 ; 0xc0 edc: e10600bc strh r0, [r6, -r12] ; program FFFF:F900 with {FF,stack_arg,R3} ee0: e3a0cb01 mov r12, #1024 ; 0x400 ee4: e1830205 orr r0, r3, r5, lsl #4 ee8: e3800cff orr r0, r0, #65280 ; 0xff00 eec: e10600bc strh r0, [r6, -r12] ef0: e8bd8070 ldmia sp!, {r4, r5, r6, pc} ; The routine at 0xef4 gets called from main() after a '<' character ; has been received and autoboot thereby interrupted in the ; autoboot-enabled flash state. ; ; Called with: ; R0 = the byte from 800524 ; R1 = 1 (value for the PLL_DIV field) ; R2 = 2 (value for the PLL_MULT field) ef4: e92d4070 stmdb sp!, {r4, r5, r6, lr} ef8: e59fc3e4 ldr r12, =0xFFFFF900 ; via 0x12e4 efc: e1dc40b0 ldrh r4, [r12] ; original value of FFFF:F900 saved in R4 ; now set it to FF22, just like the 0xe2c init routine did f00: e59f33d0 ldr r3, =0xFFFFFD00 ; via 0x12d8 f04: e3a05b01 mov r5, #1024 ; 0x400 f08: e3a0c801 mov r12, #65536 ; 0x10000 f0c: e24cc0de sub r12, r12, #222 ; 0xde f10: e103c0b5 strh r12, [r3, -r5] ; write 0x2002 to FFFF:9800, again just like 0xe2c did f14: e59f63c0 ldr r6, =0xFFFF9800 ; via 0x12dc f18: e59fc3c0 ldr r12, =0x2002 ; via 0x12e0 f1c: e1c6c0b0 strh r12, [r6] ; the following 2 instructions would cause this code to hang ; in a tight loop if the least significant bit of the above constant (0x2002) ; were 1 - but it is 0... f20: e1b05f8c movs r5, r12, lsl #31 f24: 1afffffd bne 0xf20 ; now write the same thing into FFFF:9800, but with the PLL_DIV and ; PLL_MULT values from the function arguments ORed in f28: e181c102 orr r12, r1, r2, lsl #2 f2c: e1a0c28c mov r12, r12, lsl #5 f30: e38cc002 orr r12, r12, #2 ; 0x2 f34: e38cca02 orr r12, r12, #8192 ; 0x2000 f38: e1c6c0b0 strh r12, [r6] ; now look if we are fed with 13 or 26 MHz f3c: e3500001 cmp r0, #1 ; 0x1 f40: 0a000009 beq 0xf6c f44: e3500000 cmp r0, #0 ; 0x0 f48: 1a000006 bne 0xf68 ; 0 in R0, meaning 26 MHz in - set bit 6 in FFFF:FD02, selecting /2 f4c: e1d3c0b2 ldrh r12, [r3, #2] f50: e38cc040 orr r12, r12, #64 ; 0x40 f54: e1c3c0b2 strh r12, [r3, #2] ; write 10A1 into FFFF:FD00, setting ARM clock to DPLL_CLKOUT/2 f58: e3a0c0a1 mov r12, #161 ; 0xa1 f5c: e28cca01 add r12, r12, #4096 ; 0x1000 f60: e1c3c0b0 strh r12, [r3] f64: ea000008 b 0xf8c f68: eafffffe b 0xf68 ; 1 in R0, meaning 13 MHz in - clear bit 6 in FFFF:FD02, selecting /1 f6c: e1d3c0b2 ldrh r12, [r3, #2] f70: e20c00bf and r0, r12, #191 ; 0xbf f74: e20cccff and r12, r12, #65280 ; 0xff00 f78: e180c00c orr r12, r0, r12 f7c: e1c3c0b2 strh r12, [r3, #2] ; write 1081 into FFFF:FD00, setting ARM clock to DPLL_CLKOUT/1 f80: e3a0c081 mov r12, #129 ; 0x81 f84: e28cca01 add r12, r12, #4096 ; 0x1000 f88: e1c3c0b0 strh r12, [r3] ; the two branches rejoin ; set bit 4 in FFFF:9800 - enable PLL f8c: e1d6c0b0 ldrh r12, [r6] f90: e38cc010 orr r12, r12, #16 ; 0x10 f94: e1a0c80c mov r12, r12, lsl #16 f98: e1a0c82c mov r12, r12, lsr #16 f9c: e1c6c0b0 strh r12, [r6] ; the following 2 instructions would cause a dead hang if ; bit 0 were already set in FFFF:9800, i.e., if the PLL were ; already locked fa0: e1b00f8c movs r0, r12, lsl #31 fa4: 1afffffd bne 0xfa0 ; restore saved value of FFFF:F900 fa8: e3a0cb01 mov r12, #1024 ; 0x400 fac: e10340bc strh r4, [r3, -r12] fb0: e8bd8070 ldmia sp!, {r4, r5, r6, pc} ; Routine 0xfb4 gets called from main() where the boot code is giving ; the UARTs a chance to interrupt the autoboot process before transferring ; control to the nCS0 image. ; ; Arguments: both R0 and R1 point to byte variables acting as additional ; function outputs. ; ; If a '<' character is received on either UART, the function returns ; without further fuss. If nothing was received on either UART, it ; also returns without further fuss. However, if the "wrong" byte value ; was received on either UART, the function flips the VCLKOUT_DIV2 bit ; in the FFFF:FD02 register - it is the boot code's way of figuring out ; whether the input clock is 13 or 26 MHz. ; ; Return values: ; In R0: 1 if '<' received, 0 otherwise ; In *R0: UART ID if '<' received, FF otherwise ; In *R1: final state of the 800534 byte variable ; ; The latter variable records the state of the divide-by-2. On the first ; try, the divide-by-2 is enabled, and the variable contains 0. When this ; function disables the /2, the variable is set to 1. It keeps toggling ; back and forth as wrong bytes come in. fb4: e3a0c0ff mov r12, #255 ; 0xff fb8: e5c0c000 strb r12, [r0] ; check the MODEM UART first fbc: e59fc324 ldr r12, =0xFFFF5000 ; via 0x12e8 fc0: e5dc2805 ldrb r2, [r12, #2053] fc4: e1b02f82 movs r2, r2, lsl #31 fc8: 1a000001 bne 0xfd4 fcc: e3a02000 mov r2, #0 ; 0x0 fd0: ea000003 b 0xfe4 fd4: e5dc2800 ldrb r2, [r12, #2048] fd8: e352003c cmp r2, #60 ; 0x3c fdc: 0a000024 beq 0x1074 fe0: e3a02001 mov r2, #1 ; 0x1 ; Control gets here if no '<' was received on the MODEM UART. ; R2 contains 1 if some other byte value was received, or 0 if nothing. ; Now check the IrDA UART. fe4: e5dc3005 ldrb r3, [r12, #5] fe8: e1b03f83 movs r3, r3, lsl #31 fec: 1a000002 bne 0xffc ff0: e3520001 cmp r2, #1 ; 0x1 ff4: 0a000003 beq 0x1008 ff8: ea000015 b 0x1054 ffc: e5dcc000 ldrb r12, [r12] 1000: e35c003c cmp r12, #60 ; 0x3c 1004: 0a000017 beq 0x1068 ; control gets here if the "wrong" byte value was received on either UART 1008: e59fc2dc ldr r12, =0x800534 ; via 0x12ec 100c: e5dc0000 ldrb r0, [r12] 1010: e3500000 cmp r0, #0 ; 0x0 1014: 1a000008 bne 0x103c 1018: e3a00001 mov r0, #1 ; 0x1 101c: e5cc0000 strb r0, [r12] 1020: e59f02c8 ldr r0, =0xFFFFFD02 ; via 0x12f0 1024: e1d0c0b0 ldrh r12, [r0] 1028: e20c20bf and r2, r12, #191 ; 0xbf 102c: e20cccff and r12, r12, #65280 ; 0xff00 1030: e182c00c orr r12, r2, r12 1034: e1c0c0b0 strh r12, [r0] 1038: ea000005 b 0x1054 103c: e3a00000 mov r0, #0 ; 0x0 1040: e5cc0000 strb r0, [r12] 1044: e59fc2a4 ldr r12, =0xFFFFFD02 ; via 0x12f0 1048: e1dc00b0 ldrh r0, [r12] 104c: e3800040 orr r0, r0, #64 ; 0x40 1050: e1cc00b0 strh r0, [r12] 1054: e59fc290 ldr r12, =0x800534 ; via 0x12ec 1058: e5dcc000 ldrb r12, [r12] 105c: e5c1c000 strb r12, [r1] 1060: e3a00000 mov r0, #0 ; 0x0 1064: e12fff1e bx lr ; control gets here if a '<' character was received on the IrDA UART 1068: e3a0c001 mov r12, #1 ; 0x1 106c: e5c0c000 strb r12, [r0] 1070: ea000001 b 0x107c ; control gets here if a '<' character was received on the MODEM UART 1074: e3a0c000 mov r12, #0 ; 0x0 1078: e5c0c000 strb r12, [r0] 107c: e59fc268 ldr r12, =0x800534 ; via 0x12ec 1080: e5dcc000 ldrb r12, [r12] 1084: e5c1c000 strb r12, [r1] 1088: e3a00001 mov r0, #1 ; 0x1 108c: e12fff1e bx lr ; 0x1090 - the main routine for the UART download mode. Called with R0=0 ; if there is no valid image in flash, or with R0=1 if a valid image is ; present, but the autoboot was interrupted by '<' coming in on a UART. 1090: e92d4070 stmdb sp!, {r4, r5, r6, lr} 1094: e24dd00c sub sp, sp, #12 ; 0xc 1098: e1a05000 mov r5, r0 109c: e59f4250 ldr r4, =0x800518 ; via 0x12f4 10a0: e2846008 add r6, r4, #8 ; R6=0x800520 10a4: e3a0c000 mov r12, #0 ; 0x0 10a8: e5cdc008 strb r12, [sp, #8] ; If the argument was 0, meaning that no valid image was found in the ; flash and no wait for '<' was done, that logic is repeated here, ; exactly as in main() when the flash does contain a bootable image. 10ac: e3550000 cmp r5, #0 ; 0x0 10b0: 1a000009 bne 0x10dc 10b4: e59f123c ldr r1, =0x800524 ; via 0x12f8 10b8: e1a00006 mov r0, r6 10bc: ebffffbc bl 0xfb4 10c0: e3500001 cmp r0, #1 ; 0x1 10c4: 1a000004 bne 0x10dc 10c8: e5d4000c ldrb r0, [r4, #12] 10cc: e3a01001 mov r1, #1 ; 0x1 10d0: e3a02002 mov r2, #2 ; 0x2 10d4: ebffff86 bl 0xef4 10d8: ea000001 b 0x10e4 10dc: e3550001 cmp r5, #1 ; 0x1 10e0: 1afffff1 bne 0x10ac ; no-image and interrupt-boot code paths merge here 10e4: e28d0008 add r0, sp, #8 ; 0x8 10e8: ebfffc76 bl 0x2c8 10ec: e5ddc008 ldrb r12, [sp, #8] 10f0: e35c0000 cmp r12, #0 ; 0x0 10f4: 0a00000d beq 0x1130 10f8: e5dd0008 ldrb r0, [sp, #8] 10fc: ebfffdec bl 0x8b4 1100: ea00000a b 0x1130 1104: e5d4000c ldrb r0, [r4, #12] 1108: e3a01001 mov r1, #1 ; 0x1 110c: e3a02002 mov r2, #2 ; 0x2 1110: ebffff77 bl 0xef4 1114: e3a0c002 mov r12, #2 ; 0x2 1118: e5cdc000 strb r12, [sp] 111c: e3a00004 mov r0, #4 ; 0x4 1120: e3a01000 mov r1, #0 ; 0x0 1124: e3a02000 mov r2, #0 ; 0x0 1128: e3a03002 mov r3, #2 ; 0x2 112c: ebffff3e bl 0xe2c 1130: e5d40008 ldrb r0, [r4, #8] 1134: e59fc1c0 ldr r12, =0x800104 ; via 0x12fc 1138: e59c1000 ldr r1, [r12] 113c: e28d2009 add r2, sp, #9 ; 0x9 1140: eb0000b8 bl 0x1428 1144: e3500001 cmp r0, #1 ; 0x1 1148: 1afffff8 bne 0x1130 114c: e5ddc009 ldrb r12, [sp, #9] 1150: e35c003c cmp r12, #60 ; 0x3c 1154: 1afffff5 bne 0x1130 1158: e28d0008 add r0, sp, #8 ; 0x8 115c: ebfffc59 bl 0x2c8 1160: e3500001 cmp r0, #1 ; 0x1 1164: 1affffe6 bne 0x1104 1168: e5ddc008 ldrb r12, [sp, #8] 116c: e35c0000 cmp r12, #0 ; 0x0 1170: 1affffe0 bne 0x10f8 1174: eaffffed b 0x1130 ; This function takes a few peeks at the external boot memory on nCS0. ; It appears that the intent is to return 1 if a valid image is present ; in the external flash, or 0 otherwise. ; ; The first check is the 32-bit word at 0x2000. If that word equals 0, ; the function returns 1. Otherwise, that word is expected to equal 1: ; if it doesn't, the function returns 0. ; ; If the word at 2000 is 00000001 (like it is on Closedmoko phones, ; for example), the IRQ vector in the flash image (where the ARM core ; would vector if the Calypso register were flipped to put nCS0 at 0x0) ; is checked. If the vector location contains an unconditional branch ; instruction (0xEAxxxxxx) and the 32-bit instruction word at the target ; of that branch is something other than 0xFFFFFFFF, the function ; returns 1; otherwise it returns 0. 1178: e3a0ca02 mov r12, #8192 ; 0x2000 117c: e59cc000 ldr r12, [r12] 1180: e35c0000 cmp r12, #0 ; 0x0 1184: 0a000011 beq 0x11d0 ; return 1 1188: e35c0001 cmp r12, #1 ; 0x1 118c: 1a00000d bne 0x11c8 ; return 0 1190: e3a0c018 mov r12, #24 ; 0x18 1194: e28cc403 add r12, r12, #50331648 ; 0x3000000 1198: e59cc000 ldr r12, [r12] 119c: e20c04ff and r0, r12, #-16777216 ; 0xff000000 11a0: e3700416 cmn r0, #369098752 ; 0x16000000 11a4: 1a000007 bne 0x11c8 ; return 0 11a8: e3a00018 mov r0, #24 ; 0x18 11ac: e2800403 add r0, r0, #50331648 ; 0x3000000 11b0: e28cc002 add r12, r12, #2 ; 0x2 11b4: e1a0c10c mov r12, r12, lsl #2 11b8: e3ccc4ff bic r12, r12, #-16777216 ; 0xff000000 11bc: e790c00c ldr r12, [r0, r12] 11c0: e37c0001 cmn r12, #1 ; 0x1 11c4: 1a000001 bne 0x11d0 ; return 1 11c8: e3a00000 mov r0, #0 ; 0x0 11cc: e1a0f00e mov pc, lr 11d0: e3a00001 mov r0, #1 ; 0x1 11d4: e1a0f00e mov pc, lr ; main() entry point 11d8: e92d4070 stmdb sp!, {r4, r5, r6, lr} 11dc: e24dd008 sub sp, sp, #8 ; 0x8 ; 0xe2c basic memmap/clock init routine called with the following ; values: WS=4 for nCS0, WS=0 for nCS6 and nCS7, FF22 into FFFF:F900 11e0: e3a0c002 mov r12, #2 ; 0x2 11e4: e5cdc000 strb r12, [sp] 11e8: e3a00004 mov r0, #4 ; 0x4 11ec: e3a01000 mov r1, #0 ; 0x0 11f0: e3a02000 mov r2, #0 ; 0x0 11f4: e3a03002 mov r3, #2 ; 0x2 11f8: ebffff0b bl 0xe2c 11fc: eb00004f bl 0x1340 ; init UARTs ; write 0x1D4C0 into 800104 - even though it was already done by the ; bulk RAM init routine at 0x1500 1200: e59f00f4 ldr r0, =0x800104 ; via 0x12fc 1204: e3a0c802 mov r12, #131072 ; 0x20000 1208: e24ccdad sub r12, r12, #11072 ; 0x2b40 120c: e580c000 str r12, [r0] ; set bit 6 in FFFF:FD02 (set VCLKOUT-FR to /2) 1210: e59f60d8 ldr r6, =0xFFFFFD02 ; via 0x12f0 1214: e1d6c0b0 ldrh r12, [r6] 1218: e38cc040 orr r12, r12, #64 ; 0x40 121c: e1c6c0b0 strh r12, [r6] ; Check for a valid image in flash. If there doesn't seem to be one, ; call the 0x1090 routine. The latter seems to never return, so it is ; probably the endless wait for UART download function. 1220: ebffffd4 bl 0x1178 ; check for valid img in flash 1224: e3500000 cmp r0, #0 ; 0x0 1228: 1a000001 bne 0x1234 122c: e3a00000 mov r0, #0 ; 0x0 1230: ebffff96 bl 0x1090 ; A valid image is present. ; set bit 6 in FFFF:FD02 again 1234: e1d6c0b0 ldrh r12, [r6] 1238: e38cc040 orr r12, r12, #64 ; 0x40 123c: e1c6c0b0 strh r12, [r6] 1240: e59f10b0 ldr r1, =0x800524 ; via 0x12f8 1244: e2415004 sub r5, r1, #4 ; 0x4 1248: e59f40b0 ldr r4, =0x373C ; via 0x1300 ; the retry count loaded into R4 is 14140 in decimal 124c: e1a00005 mov r0, r5 ; call made with R0=0x800520, R1=0x800524 1250: ebffff57 bl 0xfb4 1254: e3500000 cmp r0, #0 ; 0x0 1258: 1a000001 bne 0x1264 125c: e2544001 subs r4, r4, #1 ; 0x1 1260: 1afffff9 bne 0x124c 1264: e3500001 cmp r0, #1 ; 0x1 1268: 0a00000c beq 0x12a0 ; clear bit 6 in FFFF:FD02 126c: e1d6c0b0 ldrh r12, [r6] 1270: e20c00bf and r0, r12, #191 ; 0xbf 1274: e20cccff and r12, r12, #65280 ; 0xff00 1278: e180c00c orr r12, r0, r12 127c: e1c6c0b0 strh r12, [r6] ; transfer control to the flash image? 1280: e3a0ca02 mov r12, #8192 ; 0x2000 1284: e59c0000 ldr r0, [r12] 1288: e1b010a0 movs r1, r0, lsr #1 128c: 1a000002 bne 0x129c 1290: e59c1004 ldr r1, [r12, #4] 1294: eb0000bc bl 0x158c 1298: eafffffe b 0x1298 129c: eafffffe b 0x129c ; interactive mode entry? 12a0: e59fc050 ldr r12, =0x800524 ; via 0x12f8 12a4: e5dc0000 ldrb r0, [r12] 12a8: e3a01001 mov r1, #1 ; 0x1 12ac: e3a02002 mov r2, #2 ; 0x2 12b0: ebffff0f bl 0xef4 12b4: e3a00001 mov r0, #1 ; 0x1 12b8: ebffff74 bl 0x1090 12bc: e28dd008 add sp, sp, #8 ; 0x8 12c0: e8bd8070 ldmia sp!, {r4, r5, r6, pc} ; literal pool 12c4: fffffa08 12c8: 0000ffff 12cc: fffffa0a 12d0: fffff804 12d4: fffffb10 12d8: fffffd00 12dc: ffff9800 12e0: 00002002 12e4: fffff900 12e8: ffff5000 12ec: 00800534 12f0: fffffd02 12f4: 00800518 12f8: 00800524 12fc: 00800104 1300: 0000373c ; Routine 0x1304: emit a character string through a UART ; ; Arguments: : R0: pointer to the string ; R1: number of characters (bytes) to transmit ; R2: UART ID (0=MODEM, 1=IrDA) 1304: e3510000 cmp r1, #0 ; 0x0 1308: 012fff1e bxeq lr 130c: e59fc178 ldr r12, =0x1FCC ; via 0x148c 1310: e79cc102 ldr r12, [r12, r2, lsl #2] 1314: e28c3005 add r3, r12, #5 ; 0x5 1318: e5d32000 ldrb r2, [r3] 131c: e3120020 tst r2, #32 ; 0x20 1320: 0afffffc beq 0x1318 1324: e4d02001 ldrb r2, [r0], #1 1328: e5cc2000 strb r2, [r12] 132c: e2411001 sub r1, r1, #1 ; 0x1 1330: e1a01801 mov r1, r1, lsl #16 1334: e1b01821 movs r1, r1, lsr #16 1338: 1afffff6 bne 0x1318 133c: e12fff1e bx lr ; The following routine initializes both UARTs with a fixed set of ; parameters (the same for both UARTs). 1340: e92d4ff0 stmdb sp!, {r4, r5, r6, r7, r8, r9, r10, r11, lr} ; UIR fiddling: connect the MODEM UART to the MCU ; and restore normal operation (interrupts NOT masked at UIR level) 1344: e59fc144 ldr r12, =0xFFFF6000 ; via 0x1490 1348: e5dc0000 ldrb r0, [r12] 134c: e3800002 orr r0, r0, #2 ; 0x2 1350: e5cc0000 strb r0, [r12] 1354: e5dc0000 ldrb r0, [r12] 1358: e20000fe and r0, r0, #254 ; 0xfe 135c: e5cc0000 strb r0, [r12] 1360: e5dc0000 ldrb r0, [r12] 1364: e20000fd and r0, r0, #253 ; 0xfd 1368: e5cc0000 strb r0, [r12] ; actual UART register diddling: prepare the values for both UARTs 136c: e3a0b003 mov r11, #3 ; 0x3 1370: e3a05000 mov r5, #0 ; 0x0 1374: e3a0a02a mov r10, #42 ; 0x2a 1378: e3a09080 mov r9, #128 ; 0x80 137c: e3a070bf mov r7, #191 ; 0xbf 1380: e3a04007 mov r4, #7 ; 0x7 1384: e3a02002 mov r2, #2 ; 0x2 ; loop over the 2 UART base addresses 1388: e59f60fc ldr r6, =0x1FCC ; via 0x148c 138c: e496c004 ldr r12, [r6], #4 1390: e28c3008 add r3, r12, #8 ; 0x8 ; R3 points to register 8 (MDR1) ; write 07 into it: reset mode 1394: e5c34000 strb r4, [r3] 1398: e28c0003 add r0, r12, #3 ; 0x3 ; R0 points to register 3 (LCR) ; write BF into it: map in the extended registers 139c: e5c07000 strb r7, [r0] 13a0: e28c1002 add r1, r12, #2 ; 0x2 ; R1 points to register 2: EFR under current mapping ; set bit 4: enable enhanced functions 13a4: e5d18000 ldrb r8, [r1] 13a8: e3888010 orr r8, r8, #16 ; 0x10 13ac: e5c18000 strb r8, [r1] ; write 80 into LCR: map in the baud rate divisor registers 13b0: e5c09000 strb r9, [r0] ; reg 2 (pointed to by R1) is now IIR/FCR ; write 07 into FCR: FIFOs enabled and cleared, no DMA 13b4: e5c14000 strb r4, [r1] ; write BF into LCR again 13b8: e5c07000 strb r7, [r0] ; load baud rate divisor /42 13bc: e5cca000 strb r10, [r12] 13c0: e5cc5001 strb r5, [r12, #1] ; write 03 into LCR: restore normal registers, 8N1 13c4: e5c0b000 strb r11, [r0] ; write 00 into MDR1: plain UART mode 13c8: e5c35000 strb r5, [r3] 13cc: e2522001 subs r2, r2, #1 ; 0x1 13d0: 1affffed bne 0x138c 13d4: e8bd8ff0 ldmia sp!, {r4, r5, r6, r7, r8, r9, r10, r11, pc} ; The following routine switches a UART to a different baud rate. ; Arguments: ; R0: baud rate index from the table at 0x1FD4 ; R1: UART ID (0=MODEM, 1=IrDA) 13d8: e59fc0ac ldr r12, =0x1FCC ; via 0x148c 13dc: e79c2101 ldr r2, [r12, r1, lsl #2] 13e0: e282c005 add r12, r2, #5 ; 0x5 13e4: e5dc1000 ldrb r1, [r12] 13e8: e3110040 tst r1, #64 ; 0x40 13ec: 0afffffc beq 0x13e4 13f0: e282c003 add r12, r2, #3 ; 0x3 13f4: e5dc1000 ldrb r1, [r12] 13f8: e3811080 orr r1, r1, #128 ; 0x80 13fc: e5cc1000 strb r1, [r12] 1400: e59f108c ldr r1, =0x1FD4 ; via 0x1494 1404: e7d13080 ldrb r3, [r1, r0, lsl #1] 1408: e5c23001 strb r3, [r2, #1] 140c: e0810080 add r0, r1, r0, lsl #1 1410: e5d00001 ldrb r0, [r0, #1] 1414: e5c20000 strb r0, [r2] 1418: e5dc0000 ldrb r0, [r12] 141c: e200007f and r0, r0, #127 ; 0x7f 1420: e5cc0000 strb r0, [r12] 1424: e12fff1e bx lr ; 0x1428 - UART read Rx character routine ; ; Arguments: ; R0: UART ID (0=MODEM, 1=IrDA) ; R1: poll repeat count, 0 means wait forever ; R2: pointer to buffer where the received booty is stored ; ; Return value: 1 if a character was received, 0 otherwise 1428: e3510000 cmp r1, #0 ; 0x0 142c: 1a000006 bne 0x144c 1430: e59fc054 ldr r12, =0x1FCC ; via 0x148c 1434: e79cc100 ldr r12, [r12, r0, lsl #2] 1438: e28c1005 add r1, r12, #5 ; 0x5 143c: e5d10000 ldrb r0, [r1] 1440: e1b00f80 movs r0, r0, lsl #31 1444: 0afffffc beq 0x143c 1448: ea000009 b 0x1474 144c: e59fc038 ldr r12, =0x1FCC ; via 0x148c 1450: e79cc100 ldr r12, [r12, r0, lsl #2] 1454: e28c3005 add r3, r12, #5 ; 0x5 1458: e5d30000 ldrb r0, [r3] 145c: e1b00f80 movs r0, r0, lsl #31 1460: 1a000001 bne 0x146c 1464: e2511001 subs r1, r1, #1 ; 0x1 1468: 1afffffa bne 0x1458 146c: e3510000 cmp r1, #0 ; 0x0 1470: 0a000003 beq 0x1484 1474: e5dcc000 ldrb r12, [r12] 1478: e5c2c000 strb r12, [r2] 147c: e3a00001 mov r0, #1 ; 0x1 1480: e12fff1e bx lr 1484: e3a00000 mov r0, #0 ; 0x0 1488: e12fff1e bx lr ; literal pool 148c: 00001fcc 1490: ffff6000 1494: 00001fd4 ; The RESET entry point branches here ; ; First order of business: copy the 7 vector instructions from ; 0x1FE0 to 0x80001C. 1498: e59f003c ldr r0, =0x1FE0 ; via 0x14dc 149c: e59f103c ldr r1, =0x80001C ; via 0x14e0 14a0: e3a02000 mov r2, #0 ; 0x0 14a4: e7903002 ldr r3, [r0, r2] 14a8: e7813002 str r3, [r1, r2] 14ac: e2822004 add r2, r2, #4 ; 0x4 14b0: e352001c cmp r2, #28 ; 0x1c 14b4: 1afffffa bne 0x14a4 ; done with that; now set up the stack 14b8: e59f0014 ldr r0, =0x8005C0 ; via 0x14d4 14bc: e59f1014 ldr r1, =0x190 ; via 0x14d8 14c0: e2411004 sub r1, r1, #4 ; 0x4 14c4: e0802001 add r2, r0, r1 14c8: e3c22003 bic r2, r2, #3 ; 0x3 14cc: e1a0d002 mov sp, r2 14d0: ea000003 b 0x14e4 ; literals for the above code 14d4: 008005c0 14d8: 00000190 14dc: 00001fe0 14e0: 0080001c ; continuation of the RESET entry code 14e4: e59f0078 ldr r0, =0x1694 ; via 0x1564 14e8: e3700001 cmn r0, #1 ; 0x1 14ec: 1b000003 blne 0x1500 14f0: ebffff38 bl 0x11d8 ; main() ; only tight-loop halts from here on 14f4: e3a00001 mov r0, #1 ; 0x1 14f8: eb000022 bl 0x1588 14fc: eafffffe b 0x14fc ; 0x1500: Subroutine entry ; ; This routine initializes multiple RAM areas from a single ROM init data ; table. Takes one argument in R0, which points to the ROM table. ; The ROM table consists of one or more abutted variable-length records, ; each of the following format: ; ; 1 word: number of bytes to copy (may or may not be word-aligned) ; 1 word: copy destination address (ditto) ; variable length: data to be copied ; 0 to 3 bytes of padding to put the next record on a word boundary ; ; The list is terminated by a zero word. 1500: ea000011 b 0x154c 1504: e4901004 ldr r1, [r0], #4 1508: e3110003 tst r1, #3 ; 0x3 150c: 1a000007 bne 0x1530 1510: e2522004 subs r2, r2, #4 ; 0x4 1514: 4a000003 bmi 0x1528 1518: e4903004 ldr r3, [r0], #4 151c: e4813004 str r3, [r1], #4 1520: e2522004 subs r2, r2, #4 ; 0x4 1524: 5afffffb bpl 0x1518 1528: e2922004 adds r2, r2, #4 ; 0x4 152c: 0a000003 beq 0x1540 1530: e4d03001 ldrb r3, [r0], #1 1534: e4c13001 strb r3, [r1], #1 1538: e2522001 subs r2, r2, #1 ; 0x1 153c: 1afffffb bne 0x1530 1540: e3100003 tst r0, #3 ; 0x3 1544: 13c00003 bicne r0, r0, #3 ; 0x3 1548: 12800004 addne r0, r0, #4 ; 0x4 154c: e4902004 ldr r2, [r0], #4 1550: e3520000 cmp r2, #0 ; 0x0 1554: 1affffea bne 0x1504 1558: e1a0f00e mov pc, lr ; literal pool 155c: 008005c0 ; low address of the stack - unused duplicate? 1560: 00000190 ; size of the stack - ditto 1564: 00001694 ; The following looks like the TI compiler's IND_CALL library helper 1568: e3140001 tst r4, #1 ; 0x1 156c: 1a000000 bne 0x1574 1570: e12fff14 bx r4 1574: e1a0c004 mov r12, r4 1578: e1a0400e mov r4, lr 157c: e28fe001 add lr, pc, #1 ; 0x1 1580: e12fff1c bx r12 1584: 4720 bx r4 1586: 46c0 nop (mov r8, r8) 1588: eafffffe b 0x1588 ; This routine effects the transfer of control to the flash (nCS0) ; application image of the type indicated by the argument in R0. ; The latter argument is the word read from 0x2000. ; R1 contains the word read from 0x2004. 158c: e92d4010 stmdb sp!, {r4, lr} 1590: e1a04000 mov r4, r0 1594: e1b0c0a4 movs r12, r4, lsr #1 1598: 0a000001 beq 0x15a4 159c: e3a00001 mov r0, #1 ; 0x1 15a0: e8bd8010 ldmia sp!, {r4, pc} 15a4: e59f0054 ldr r0, =0xFFFFFB10 ; via 0x1600 15a8: e1d0c0b0 ldrh r12, [r0] 15ac: e20c20ff and r2, r12, #255 ; 0xff 15b0: e20ccb3f and r12, r12, #64512 ; 0xfc00 15b4: e182c00c orr r12, r2, r12 15b8: e1a0c80c mov r12, r12, lsl #16 15bc: e1a0c82c mov r12, r12, lsr #16 15c0: e3540000 cmp r4, #0 ; 0x0 15c4: 1a000004 bne 0x15dc 15c8: e38ccc01 orr r12, r12, #256 ; 0x100 15cc: e1c0c0b0 strh r12, [r0] 15d0: e1a04001 mov r4, r1 15d4: ebffffe3 bl 0x1568 ; IND_CALL 15d8: e8bd8010 ldmia sp!, {r4, pc} 15dc: e3540001 cmp r4, #1 ; 0x1 15e0: 18bd8010 ldmneia sp!, {r4, pc} 15e4: e3a00020 mov r0, #32 ; 0x20 15e8: e3a010cc mov r1, #204 ; 0xcc 15ec: e59f2010 ldr r2, =0x800038 ; via 0x1604 15f0: eb000019 bl 0x165c 15f4: e1a00004 mov r0, r4 15f8: eb1ffa8e bl 0x800038 15fc: e8bd8010 ldmia sp!, {r4, pc} ; literal pool 1600: fffffb10 1604: 00800038 ; This routine computes a simple word-wise (16 bits at a time) sum of ; the present internal boot ROM code (ignoring carry-outs), and returns ; it in R0. The upper 16 bits of the R0 return value will always be 0. ; ; If the argument in R0 equals 1, a call to the 0xe2c memmap/clock init ; function is made first, with the same arguments as at the beginning ; of main(). ; ; Note that this routine is not called from anywhere in the boot ROM ; itself - but its address is listed in the CAL228 document. 1608: e92d4000 stmdb sp!, {lr} 160c: e24dd008 sub sp, sp, #8 ; 0x8 1610: e3500001 cmp r0, #1 ; 0x1 1614: 1a000006 bne 0x1634 ; 0xe2c routine is called with the same arguments as at the beginning ; of main() 1618: e3a0c002 mov r12, #2 ; 0x2 161c: e5cdc000 strb r12, [sp] 1620: e3a00004 mov r0, #4 ; 0x4 1624: e3a01000 mov r1, #0 ; 0x0 1628: e3a02000 mov r2, #0 ; 0x0 162c: e3a03002 mov r3, #2 ; 0x2 1630: ebfffdfd bl 0xe2c 1634: e3a00000 mov r0, #0 ; 0x0 1638: e3a0c000 mov r12, #0 ; 0x0 163c: e0dc10b2 ldrh r1, [r12], #2 1640: e0810000 add r0, r1, r0 1644: e1a00800 mov r0, r0, lsl #16 1648: e1a00820 mov r0, r0, lsr #16 164c: e35c0a02 cmp r12, #8192 ; 0x2000 1650: 3afffff9 bcc 0x163c 1654: e28dd008 add sp, sp, #8 ; 0x8 1658: e8bd8000 ldmia sp!, {pc} ; The following is a bcopy/memcpy-like routine, but with arguments ; in the wrong order (matching neither bcopy nor memcpy): ; ; R0: source address ; R1: # of bytes to copy ; R2: dest address ; ; The addresses must be word-aligned, the length must be a multiple of 4. ; Zero length is OK (no-op). 165c: e3510000 cmp r1, #0 ; 0x0 1660: 012fff1e bxeq lr 1664: e490c004 ldr r12, [r0], #4 1668: e482c004 str r12, [r2], #4 166c: e2511004 subs r1, r1, #4 ; 0x4 1670: 1afffffb bne 0x1664 1674: e12fff1e bx lr ; The soft-vector pointers at 0x800000 are initially set to point ; to the ROM addresses of the following 7 tight-loop branch instructions: 1678: eafffffe b 0x1678 167c: eafffffe b 0x167c 1680: eafffffe b 0x1680 1684: eafffffe b 0x1684 1688: eafffffe b 0x1688 168c: eafffffe b 0x168c 1690: eafffffe b 0x1690 ; RAM init table for the 0x1500 subroutine ; vector init 1694: 0000001c 1698: 00800000 169c: 00001678 16a0: 0000167c 16a4: 00001680 16a8: 00001684 16ac: 00001688 16b0: 0000168c 16b4: 00001690 ; another record 16b8: 00000004 16bc: 00800104 16c0: 0001d4c0 ; another record 16c4: 00000001 16c8: 00800108 16cc: 00000001 ; another record 16d0: 00000001 16d4: 00800534 16d8: 00000000 ; end marker 16dc: 00000000 ; The word at 0x16DC appears to be the last word of the actual boot ; code + data. Between here and 0x1FCC we've got what looks like ; filler: 000016C0: C0 D4 01 00 01 00 00 00 08 01 80 00 01 00 00 00 ................ 000016D0: 01 00 00 00 34 05 80 00 00 00 00 00 00 00 00 00 ....4........... 000016E0: EC EB EA E9 E8 E7 E6 E5 E4 E3 E2 E1 E0 DF DE DD ................ 000016F0: DC DB DA D9 D8 D7 D6 D5 D4 D3 D2 D1 D0 CF CE CD ................ 00001700: CC CB CA C9 C8 C7 C6 C5 C4 C3 C2 C1 C0 BF BE BD ................ 00001710: BC BB BA B9 B8 B7 B6 B5 B4 B3 B2 B1 B0 AF AE AD ................ 00001720: AC AB AA A9 A8 A7 A6 A5 A4 A3 A2 A1 A0 9F 9E 9D ................ 00001730: 9C 9B 9A 99 98 97 96 95 94 93 92 91 90 8F 8E 8D ................ 00001740: 8C 8B 8A 89 88 87 86 85 84 83 82 81 80 7F 7E 7D ..............~} 00001750: 7C 7B 7A 79 78 77 76 75 74 73 72 71 70 6F 6E 6D |{zyxwvutsrqponm 00001760: 6C 6B 6A 69 68 67 66 65 64 63 62 61 60 5F 5E 5D lkjihgfedcba`_^] 00001770: 5C 5B 5A 59 58 57 56 55 54 53 52 51 50 4F 4E 4D \[ZYXWVUTSRQPONM 00001780: 4C 4B 4A 49 48 47 46 45 44 43 42 41 40 3F 3E 3D LKJIHGFEDCBA@?>= 00001790: 3C 3B 3A 39 38 37 36 35 34 33 32 31 30 2F 2E 2D <;:9876543210/.- 000017A0: 2C 2B 2A 29 28 27 26 25 24 23 22 21 20 1F 1E 1D ,+*)('&%$#"! ... 000017B0: 1C 1B 1A 19 18 17 16 15 14 13 12 11 10 0F 0E 0D ................ 000017C0: 0C 0B 0A 09 08 07 06 05 04 03 02 01 00 FF FE FD ................ 000017D0: FC FB FA F9 F8 F7 F6 F5 F4 F3 F2 F1 F0 EF EE ED ................ 000017E0: EC EB EA E9 E8 E7 E6 E5 E4 E3 E2 E1 E0 DF DE DD ................ 000017F0: DC DB DA D9 D8 D7 D6 D5 D4 D3 D2 D1 D0 CF CE CD ................ 00001800: CC CB CA C9 C8 C7 C6 C5 C4 C3 C2 C1 C0 BF BE BD ................ 00001810: BC BB BA B9 B8 B7 B6 B5 B4 B3 B2 B1 B0 AF AE AD ................ 00001820: AC AB AA A9 A8 A7 A6 A5 A4 A3 A2 A1 A0 9F 9E 9D ................ 00001830: 9C 9B 9A 99 98 97 96 95 94 93 92 91 90 8F 8E 8D ................ 00001840: 8C 8B 8A 89 88 87 86 85 84 83 82 81 80 7F 7E 7D ..............~} 00001850: 7C 7B 7A 79 78 77 76 75 74 73 72 71 70 6F 6E 6D |{zyxwvutsrqponm 00001860: 6C 6B 6A 69 68 67 66 65 64 63 62 61 60 5F 5E 5D lkjihgfedcba`_^] 00001870: 5C 5B 5A 59 58 57 56 55 54 53 52 51 50 4F 4E 4D \[ZYXWVUTSRQPONM 00001880: 4C 4B 4A 49 48 47 46 45 44 43 42 41 40 3F 3E 3D LKJIHGFEDCBA@?>= 00001890: 3C 3B 3A 39 38 37 36 35 34 33 32 31 30 2F 2E 2D <;:9876543210/.- 000018A0: 2C 2B 2A 29 28 27 26 25 24 23 22 21 20 1F 1E 1D ,+*)('&%$#"! ... 000018B0: 1C 1B 1A 19 18 17 16 15 14 13 12 11 10 0F 0E 0D ................ 000018C0: 0C 0B 0A 09 08 07 06 05 04 03 02 01 00 FF FE FD ................ 000018D0: FC FB FA F9 F8 F7 F6 F5 F4 F3 F2 F1 F0 EF EE ED ................ 000018E0: EC EB EA E9 E8 E7 E6 E5 E4 E3 E2 E1 E0 DF DE DD ................ 000018F0: DC DB DA D9 D8 D7 D6 D5 D4 D3 D2 D1 D0 CF CE CD ................ 00001900: CC CB CA C9 C8 C7 C6 C5 C4 C3 C2 C1 C0 BF BE BD ................ 00001910: BC BB BA B9 B8 B7 B6 B5 B4 B3 B2 B1 B0 AF AE AD ................ 00001920: AC AB AA A9 A8 A7 A6 A5 A4 A3 A2 A1 A0 9F 9E 9D ................ 00001930: 9C 9B 9A 99 98 97 96 95 94 93 92 91 90 8F 8E 8D ................ 00001940: 8C 8B 8A 89 88 87 86 85 84 83 82 81 80 7F 7E 7D ..............~} 00001950: 7C 7B 7A 79 78 77 76 75 74 73 72 71 70 6F 6E 6D |{zyxwvutsrqponm 00001960: 6C 6B 6A 69 68 67 66 65 64 63 62 61 60 5F 5E 5D lkjihgfedcba`_^] 00001970: 5C 5B 5A 59 58 57 56 55 54 53 52 51 50 4F 4E 4D \[ZYXWVUTSRQPONM 00001980: 4C 4B 4A 49 48 47 46 45 44 43 42 41 40 3F 3E 3D LKJIHGFEDCBA@?>= 00001990: 3C 3B 3A 39 38 37 36 35 34 33 32 31 30 2F 2E 2D <;:9876543210/.- 000019A0: 2C 2B 2A 29 28 27 26 25 24 23 22 21 20 1F 1E 1D ,+*)('&%$#"! ... 000019B0: 1C 1B 1A 19 18 17 16 15 14 13 12 11 10 0F 0E 0D ................ 000019C0: 0C 0B 0A 09 08 07 06 05 04 03 02 01 00 FF FE FD ................ 000019D0: FC FB FA F9 F8 F7 F6 F5 F4 F3 F2 F1 F0 EF EE ED ................ 000019E0: EC EB EA E9 E8 E7 E6 E5 E4 E3 E2 E1 E0 DF DE DD ................ 000019F0: DC DB DA D9 D8 D7 D6 D5 D4 D3 D2 D1 D0 CF CE CD ................ 00001A00: CC CB CA C9 C8 C7 C6 C5 C4 C3 C2 C1 C0 BF BE BD ................ 00001A10: BC BB BA B9 B8 B7 B6 B5 B4 B3 B2 B1 B0 AF AE AD ................ 00001A20: AC AB AA A9 A8 A7 A6 A5 A4 A3 A2 A1 A0 9F 9E 9D ................ 00001A30: 9C 9B 9A 99 98 97 96 95 94 93 92 91 90 8F 8E 8D ................ 00001A40: 8C 8B 8A 89 88 87 86 85 84 83 82 81 80 7F 7E 7D ..............~} 00001A50: 7C 7B 7A 79 78 77 76 75 74 73 72 71 70 6F 6E 6D |{zyxwvutsrqponm 00001A60: 6C 6B 6A 69 68 67 66 65 64 63 62 61 60 5F 5E 5D lkjihgfedcba`_^] 00001A70: 5C 5B 5A 59 58 57 56 55 54 53 52 51 50 4F 4E 4D \[ZYXWVUTSRQPONM 00001A80: 4C 4B 4A 49 48 47 46 45 44 43 42 41 40 3F 3E 3D LKJIHGFEDCBA@?>= 00001A90: 3C 3B 3A 39 38 37 36 35 34 33 32 31 30 2F 2E 2D <;:9876543210/.- 00001AA0: 2C 2B 2A 29 28 27 26 25 24 23 22 21 20 1F 1E 1D ,+*)('&%$#"! ... 00001AB0: 1C 1B 1A 19 18 17 16 15 14 13 12 11 10 0F 0E 0D ................ 00001AC0: 0C 0B 0A 09 08 07 06 05 04 03 02 01 00 FF FE FD ................ 00001AD0: FC FB FA F9 F8 F7 F6 F5 F4 F3 F2 F1 F0 EF EE ED ................ 00001AE0: EC EB EA E9 E8 E7 E6 E5 E4 E3 E2 E1 E0 DF DE DD ................ 00001AF0: DC DB DA D9 D8 D7 D6 D5 D4 D3 D2 D1 D0 CF CE CD ................ 00001B00: CC CB CA C9 C8 C7 C6 C5 C4 C3 C2 C1 C0 BF BE BD ................ 00001B10: BC BB BA B9 B8 B7 B6 B5 B4 B3 B2 B1 B0 AF AE AD ................ 00001B20: AC AB AA A9 A8 A7 A6 A5 A4 A3 A2 A1 A0 9F 9E 9D ................ 00001B30: 9C 9B 9A 99 98 97 96 95 94 93 92 91 90 8F 8E 8D ................ 00001B40: 8C 8B 8A 89 88 87 86 85 84 83 82 81 80 7F 7E 7D ..............~} 00001B50: 7C 7B 7A 79 78 77 76 75 74 73 72 71 70 6F 6E 6D |{zyxwvutsrqponm 00001B60: 6C 6B 6A 69 68 67 66 65 64 63 62 61 60 5F 5E 5D lkjihgfedcba`_^] 00001B70: 5C 5B 5A 59 58 57 56 55 54 53 52 51 50 4F 4E 4D \[ZYXWVUTSRQPONM 00001B80: 4C 4B 4A 49 48 47 46 45 44 43 42 41 40 3F 3E 3D LKJIHGFEDCBA@?>= 00001B90: 3C 3B 3A 39 38 37 36 35 34 33 32 31 30 2F 2E 2D <;:9876543210/.- 00001BA0: 2C 2B 2A 29 28 27 26 25 24 23 22 21 20 1F 1E 1D ,+*)('&%$#"! ... 00001BB0: 1C 1B 1A 19 18 17 16 15 14 13 12 11 10 0F 0E 0D ................ 00001BC0: 0C 0B 0A 09 08 07 06 05 04 03 02 01 00 FF FE FD ................ 00001BD0: FC FB FA F9 F8 F7 F6 F5 F4 F3 F2 F1 F0 EF EE ED ................ 00001BE0: EC EB EA E9 E8 E7 E6 E5 E4 E3 E2 E1 E0 DF DE DD ................ 00001BF0: DC DB DA D9 D8 D7 D6 D5 D4 D3 D2 D1 D0 CF CE CD ................ 00001C00: CC CB CA C9 C8 C7 C6 C5 C4 C3 C2 C1 C0 BF BE BD ................ 00001C10: BC BB BA B9 B8 B7 B6 B5 B4 B3 B2 B1 B0 AF AE AD ................ 00001C20: AC AB AA A9 A8 A7 A6 A5 A4 A3 A2 A1 A0 9F 9E 9D ................ 00001C30: 9C 9B 9A 99 98 97 96 95 94 93 92 91 90 8F 8E 8D ................ 00001C40: 8C 8B 8A 89 88 87 86 85 84 83 82 81 80 7F 7E 7D ..............~} 00001C50: 7C 7B 7A 79 78 77 76 75 74 73 72 71 70 6F 6E 6D |{zyxwvutsrqponm 00001C60: 6C 6B 6A 69 68 67 66 65 64 63 62 61 60 5F 5E 5D lkjihgfedcba`_^] 00001C70: 5C 5B 5A 59 58 57 56 55 54 53 52 51 50 4F 4E 4D \[ZYXWVUTSRQPONM 00001C80: 4C 4B 4A 49 48 47 46 45 44 43 42 41 40 3F 3E 3D LKJIHGFEDCBA@?>= 00001C90: 3C 3B 3A 39 38 37 36 35 34 33 32 31 30 2F 2E 2D <;:9876543210/.- 00001CA0: 2C 2B 2A 29 28 27 26 25 24 23 22 21 20 1F 1E 1D ,+*)('&%$#"! ... 00001CB0: 1C 1B 1A 19 18 17 16 15 14 13 12 11 10 0F 0E 0D ................ 00001CC0: 0C 0B 0A 09 08 07 06 05 04 03 02 01 00 FF FE FD ................ 00001CD0: FC FB FA F9 F8 F7 F6 F5 F4 F3 F2 F1 F0 EF EE ED ................ 00001CE0: EC EB EA E9 E8 E7 E6 E5 E4 E3 E2 E1 E0 DF DE DD ................ 00001CF0: DC DB DA D9 D8 D7 D6 D5 D4 D3 D2 D1 D0 CF CE CD ................ 00001D00: CC CB CA C9 C8 C7 C6 C5 C4 C3 C2 C1 C0 BF BE BD ................ 00001D10: BC BB BA B9 B8 B7 B6 B5 B4 B3 B2 B1 B0 AF AE AD ................ 00001D20: AC AB AA A9 A8 A7 A6 A5 A4 A3 A2 A1 A0 9F 9E 9D ................ 00001D30: 9C 9B 9A 99 98 97 96 95 94 93 92 91 90 8F 8E 8D ................ 00001D40: 8C 8B 8A 89 88 87 86 85 84 83 82 81 80 7F 7E 7D ..............~} 00001D50: 7C 7B 7A 79 78 77 76 75 74 73 72 71 70 6F 6E 6D |{zyxwvutsrqponm 00001D60: 6C 6B 6A 69 68 67 66 65 64 63 62 61 60 5F 5E 5D lkjihgfedcba`_^] 00001D70: 5C 5B 5A 59 58 57 56 55 54 53 52 51 50 4F 4E 4D \[ZYXWVUTSRQPONM 00001D80: 4C 4B 4A 49 48 47 46 45 44 43 42 41 40 3F 3E 3D LKJIHGFEDCBA@?>= 00001D90: 3C 3B 3A 39 38 37 36 35 34 33 32 31 30 2F 2E 2D <;:9876543210/.- 00001DA0: 2C 2B 2A 29 28 27 26 25 24 23 22 21 20 1F 1E 1D ,+*)('&%$#"! ... 00001DB0: 1C 1B 1A 19 18 17 16 15 14 13 12 11 10 0F 0E 0D ................ 00001DC0: 0C 0B 0A 09 08 07 06 05 04 03 02 01 00 FF FE FD ................ 00001DD0: FC FB FA F9 F8 F7 F6 F5 F4 F3 F2 F1 F0 EF EE ED ................ 00001DE0: EC EB EA E9 E8 E7 E6 E5 E4 E3 E2 E1 E0 DF DE DD ................ 00001DF0: DC DB DA D9 D8 D7 D6 D5 D4 D3 D2 D1 D0 CF CE CD ................ 00001E00: CC CB CA C9 C8 C7 C6 C5 C4 C3 C2 C1 C0 BF BE BD ................ 00001E10: BC BB BA B9 B8 B7 B6 B5 B4 B3 B2 B1 B0 AF AE AD ................ 00001E20: AC AB AA A9 A8 A7 A6 A5 A4 A3 A2 A1 A0 9F 9E 9D ................ 00001E30: 9C 9B 9A 99 98 97 96 95 94 93 92 91 90 8F 8E 8D ................ 00001E40: 8C 8B 8A 89 88 87 86 85 84 83 82 81 80 7F 7E 7D ..............~} 00001E50: 7C 7B 7A 79 78 77 76 75 74 73 72 71 70 6F 6E 6D |{zyxwvutsrqponm 00001E60: 6C 6B 6A 69 68 67 66 65 64 63 62 61 60 5F 5E 5D lkjihgfedcba`_^] 00001E70: 5C 5B 5A 59 58 57 56 55 54 53 52 51 50 4F 4E 4D \[ZYXWVUTSRQPONM 00001E80: 4C 4B 4A 49 48 47 46 45 44 43 42 41 40 3F 3E 3D LKJIHGFEDCBA@?>= 00001E90: 3C 3B 3A 39 38 37 36 35 34 33 32 31 30 2F 2E 2D <;:9876543210/.- 00001EA0: 2C 2B 2A 29 28 27 26 25 24 23 22 21 20 1F 1E 1D ,+*)('&%$#"! ... 00001EB0: 1C 1B 1A 19 18 17 16 15 14 13 12 11 10 0F 0E 0D ................ 00001EC0: 0C 0B 0A 09 08 07 06 05 04 03 02 01 00 FF FE FD ................ 00001ED0: FC FB FA F9 F8 F7 F6 F5 F4 F3 F2 F1 F0 EF EE ED ................ 00001EE0: EC EB EA E9 E8 E7 E6 E5 E4 E3 E2 E1 E0 DF DE DD ................ 00001EF0: DC DB DA D9 D8 D7 D6 D5 D4 D3 D2 D1 D0 CF CE CD ................ 00001F00: CC CB CA C9 C8 C7 C6 C5 C4 C3 C2 C1 C0 BF BE BD ................ 00001F10: BC BB BA B9 B8 B7 B6 B5 B4 B3 B2 B1 B0 AF AE AD ................ 00001F20: AC AB AA A9 A8 A7 A6 A5 A4 A3 A2 A1 A0 9F 9E 9D ................ 00001F30: 9C 9B 9A 99 98 97 96 95 94 93 92 91 90 8F 8E 8D ................ 00001F40: 8C 8B 8A 89 88 87 86 85 84 83 82 81 80 7F 7E 7D ..............~} 00001F50: 7C 7B 7A 79 78 77 76 75 74 73 72 71 70 6F 6E 6D |{zyxwvutsrqponm 00001F60: 6C 6B 6A 69 68 67 66 65 64 63 62 61 60 5F 5E 5D lkjihgfedcba`_^] 00001F70: 5C 5B 5A 59 58 57 56 55 54 53 52 51 50 4F 4E 4D \[ZYXWVUTSRQPONM 00001F80: 4C 4B 4A 49 48 47 46 45 44 43 42 41 40 3F 3E 3D LKJIHGFEDCBA@?>= 00001F90: 3C 3B 3A 39 38 37 36 35 34 33 32 31 30 2F 2E 2D <;:9876543210/.- 00001FA0: 2C 2B 2A 29 28 27 26 25 24 23 22 21 20 1F 1E 1D ,+*)('&%$#"! ... 00001FB0: 1C 1B 1A 19 18 17 16 15 14 13 12 11 10 0F 0E 0D ................ 00001FC0: 0C 0B 0A 09 08 07 06 05 04 03 02 01 00 58 FF FF .............X.. 00001FD0: 00 50 FF FF 00 07 00 0E 00 15 00 1C 00 2A 00 00 .P...........*.. 00001FE0: 24 F0 1F E5 24 F0 1F E5 24 F0 1F E5 24 F0 1F E5 $...$...$...$... 00001FF0: 24 F0 1F E5 24 F0 1F E5 24 F0 1F E5 00 00 00 03 $...$...$....... ; The filler ends at 0x1FCC. Then we've got some data words: ; base addresses of the two UARTs 1fcc: ffff5800 ; MODEM 1fd0: ffff5000 ; IrDA ; UART baud rates 1fd4: 0700 ; /7 (115200?) 1fd6: 0e00 ; /14 (57600?) 1fd8: 1500 ; /21 (38400?) 1fda: 1c00 ; /28 (28800?) 1fdc: 2a00 ; /42 (19200?) 1fde: 0000 ; These ldr-jump instructions get copied to the 7 internal RAM words ; starting at 0x80001C. They have the effect of defining the preceding ; 7 words (0x800000-0x800018 inclusive) as address-type vectors for the ; exceptions, such that one can hook an exception either by replacing ; the ldr-jump instruction in the 0x80001C-0x800034 window with a branch ; to the desired handler, or by sticking the absolute address of that ; desired handler into the 0x800000-0x800018 window. 1fe0: e51ff024 ldr pc, [pc, #-36] ; 0x1fc4 1fe4: e51ff024 ldr pc, [pc, #-36] ; 0x1fc8 1fe8: e51ff024 ldr pc, [pc, #-36] ; 0x1fcc 1fec: e51ff024 ldr pc, [pc, #-36] ; 0x1fd0 1ff0: e51ff024 ldr pc, [pc, #-36] ; 0x1fd4 1ff4: e51ff024 ldr pc, [pc, #-36] ; 0x1fd8 1ff8: e51ff024 ldr pc, [pc, #-36] ; 0x1fdc ; CAL228 document identifies the last 16-bit word as the version number ; The version we've got appears to be a perfect match for what that ; document describes. 1ffc: 03000000