changeset 57:277fd7b971f0

some success in finding familiar TI code in moko11 and Pirelli fw binary images
author Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
date Tue, 12 Nov 2013 04:28:47 +0000
parents fdfb57a1c5fe
children d05b2e790e6b
files moko11 pirelli/firmware
diffstat 2 files changed, 51 insertions(+), 0 deletions(-)
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/moko11	Tue Nov 12 04:28:47 2013 +0000
@@ -0,0 +1,28 @@
+The Init_Target() function in the TCS211 code from Sotovik (which sits in a
+binary lib with no source!) programs nCS0 and nCS1 memory timings with WS=3.
+We would like to determine whether or not the moko11 firmware does the same
+thing.  We have no linker map file for moko11, so we have to dig around in the
+binary and try to match the code against known objects.
+
+In the Sotomodem version of Init_Target(), at offset 0x60 from the beginning of
+the function there is a BL instruction calling $CLKM_InitARMClock, and this call
+is immediately followed by the code that sets up the memory timings.
+
+Let's see what we can find in the moko11 binary image:
+
+0012D4:	RESET vector jumps here
+010000: the code here appears to fully match the .inttext section of
+	TI's int.obj
+010058:	appears to be the _INT_Initialize entry point
+	(seems to be the same for all TI firmwares of that era)
+010268:	b 0x1e8364, should be a jump to the _INC_Initialize veneer
+1D1E48:	first function called from Application_Initialize, should be
+	Init_Target()
+	Matches the Sotomodem version of Init_Target() indeed,
+	including the memory timing setup!
+1E72B0:	Expected start of $INC_Initialize, appears to match
+1E72F4:	bl 0x1e81fc, should be calling Application_Initialize()
+1E81FC:	Expected start of Application_Initialize(), contains 6 calls indeed
+1E8364:	looks like an ARM->Thumb call veneer indeed
+1E8370:	Thumb code begins, does bl 0x1e72b0
+1E8378:	back to ARM, veneer return
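Review bot: the entry for 1D1E48 asserts that the memory timing setup matches the Sotomodem Init_Target(), but the note never records the evidence that answers the question posed at the top of the file, namely whether moko11 also programs nCS0 and nCS1 with WS=3. Since the text states that the BL to $CLKM_InitARMClock sits at offset 0x60 in the Sotomodem version and the timing code follows it, the 1D1E48 entry should cite the corresponding address in moko11 (0x1D1E48 + 0x60 = 0x1D1EA8 if the layout is identical) and the immediate values written to the timing registers there, so a reader can verify the WS claim rather than take "matches indeed" on trust. Also, the same symbol is spelled "_INC_Initialize veneer" at 010268 and "$INC_Initialize" at 1E72B0; say whether these are intentionally the same function under two naming conventions or two distinct symbols.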
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/pirelli/firmware	Tue Nov 12 04:28:47 2013 +0000
@@ -0,0 +1,23 @@
+Following on the success of our match of moko11 disassembly against some known
+objects (see ../moko11), let's try doing the same thing with Pirelli's fw.
+
+Let's see if the code in Pirelli's fw at 0x40000 matches .inttext from TI's
+int.obj: so far, so good!  Let's see how far we can get:
+
+040000:	beginning of match with .inttext in TI's int.obj
+040268:	b 0x3f6b40, should be a jump to the _INC_Initialize veneer
+3BB7D4:	first function called from Application_Initialize()
+	the logic of Init_Target() is recognizable, but it's a modified
+	version, not the same object blob as we have
+	the setup of memory timings matches that done by OsmocomBB!
+3F11F8:	this should be Application_Initialize()
+	differences begin: instead of 6 function calls, there are 12,
+	with one of them conditionalized on the return value of the previous
+3F3E74:	expecting to see $INC_Initialize here - yes!
+3F6B40:	looks like an ARM->Thumb call veneer indeed
+3F6B4C:	Thumb code begins, does bl 0x3f3e74
+3F6B54:	back to ARM, veneer return
+
+data objects:
+
+01775048:	INC_Initialize state variable
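Review bot: the 3BB7D4 entry says the memory timing setup "matches that done by OsmocomBB" without giving the values observed, so it cannot be compared against the WS=3 setting that the moko11 notes in ../moko11 attribute to Init_Target(); record the register values (or the WS figure) written at that point so the two firmwares can be compared on the same terms. For the 3F11F8 entry, listing the 12 call targets and which one is conditionalized on the previous return value would make the "differences begin" observation reproducible. Finally, every code address in both files is written with 6 hex digits while the data object at the end is written as "01775048" with 8; please use one width (and state whether these are file offsets or mapped addresses), since readers will cross-reference these lists between the two files.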