changeset 68:6a136554378e

pirelli preboot re: figured out the triggering condition
author Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
date Mon, 10 Feb 2014 02:33:17 +0000
parents 88cf9811f97c
children 10de8a00c519
files pirelli/preboot.disasm pirelli/preboot.notes
diffstat 2 files changed, 1123 insertions(+), 0 deletions(-) [+]
--- a/pirelli/preboot.disasm	Sun Feb 09 09:36:42 2014 +0000
+++ b/pirelli/preboot.disasm	Mon Feb 10 02:33:17 2014 +0000
@@ -191,6 +191,9 @@
      2f4:	4700      	bx	r0
      2f6:	0000
 
+; Thumb call trampoline to 0x818f2c
+; offset 0x8AA8 from start of copy
+; should be at 0xAFB0 in flash
      2f8:	b082      	sub	sp, #8
      2fa:	9400      	str	r4, [sp, #0]
      2fc:	4c01      	ldr	r4, [pc, #4]	(0x304)
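Review bot: The three comment lines added above 0x2f8 give a target, an offset and a flash address without showing how they relate, so a reader cannot re-check them. I would spell the arithmetic out, e.g. `; flash address = 0x2508 (start of copied block) + 0x8AA8 = 0xAFB0`, and state that 0x818f2c is the same offset applied to the IRAM copy base. The hedge "should be" could become a pointer to the function at afb0 that this same changeset annotates as the first function in the copied code. The literal at 0x304 that holds the branch target is outside the hunk, so the 0x818f2c value cannot be confirmed from the lines shown. The trampoline body also continues past the hunk.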
@@ -389,6 +392,1099 @@
     2504:	ffffffff
 
 2508: 0xAA88 bytes copied to IRAM
+
+    ad8c:	b5f0      	push	{r4, r5, r6, r7, lr}
+    ad8e:	4643      	mov	r3, r8
+    ad90:	464c      	mov	r4, r9
+    ad92:	b418      	push	{r3, r4}
+    ad94:	b08b      	sub	sp, #44
+    ad96:	4690      	mov	r8, r2
+    ad98:	1c0f      	mov	r7, r1		(add r7, r1, #0)
+    ad9a:	4684      	mov	ip, r0
+    ad9c:	1c3e      	mov	r6, r7		(add r6, r7, #0)
+    ad9e:	1c31      	mov	r1, r6		(add r1, r6, #0)
+    ada0:	aa09      	add	r2, sp, #36
+    ada2:	2305      	mov	r3, #5
+    ada4:	ffdcf7ff 	bl	0xad60
+    ada8:	2800      	cmp	r0, #0
+    adaa:	d079      	beq	0xaea0
+    adac:	4660      	mov	r0, ip
+    adae:	3005      	add	r0, #5
+    adb0:	4684      	mov	ip, r0
+    adb2:	3f05      	sub	r7, #5
+    adb4:	2400      	mov	r4, #0
+    adb6:	2500      	mov	r5, #0
+    adb8:	4660      	mov	r0, ip
+    adba:	1c39      	mov	r1, r7		(add r1, r7, #0)
+    adbc:	221d      	mov	r2, #29
+    adbe:	446a      	add	r2, sp
+    adc0:	2301      	mov	r3, #1
+    adc2:	ffcdf7ff 	bl	0xad60
+    adc6:	2800      	cmp	r0, #0
+    adc8:	d06a      	beq	0xaea0
+    adca:	4660      	mov	r0, ip
+    adcc:	3001      	add	r0, #1
+    adce:	4684      	mov	ip, r0
+    add0:	3f01      	sub	r7, #1
+    add2:	4668      	mov	r0, sp
+    add4:	7f40      	ldrb	r0, [r0, #29]
+    add6:	00e9      	lsl	r1, r5, #3
+    add8:	4088      	lsl	r0, r1
+    adda:	1904      	add	r4, r0, r4
+    addc:	3501      	add	r5, #1
+    adde:	2d04      	cmp	r5, #4
+    ade0:	dbea      	blt	0xadb8
+    ade2:	2000      	mov	r0, #0
+    ade4:	43c0      	mvn	r0, r0
+    ade6:	4284      	cmp	r4, r0
+    ade8:	d05a      	beq	0xaea0
+    adea:	2504      	mov	r5, #4
+    adec:	4660      	mov	r0, ip
+    adee:	1c39      	mov	r1, r7		(add r1, r7, #0)
+    adf0:	aa07      	add	r2, sp, #28
+    adf2:	2301      	mov	r3, #1
+    adf4:	ffb4f7ff 	bl	0xad60
+    adf8:	2800      	cmp	r0, #0
+    adfa:	d051      	beq	0xaea0
+    adfc:	4668      	mov	r0, sp
+    adfe:	7f00      	ldrb	r0, [r0, #28]
+    ae00:	2800      	cmp	r0, #0
+    ae02:	d14d      	bne	0xaea0
+    ae04:	3f01      	sub	r7, #1
+    ae06:	4660      	mov	r0, ip
+    ae08:	3001      	add	r0, #1
+    ae0a:	4684      	mov	ip, r0
+    ae0c:	3d01      	sub	r5, #1
+    ae0e:	2d00      	cmp	r5, #0
+    ae10:	d1ec      	bne	0xadec
+    ae12:	200d      	mov	r0, #13
+    ae14:	1a30      	sub	r0, r6, r0
+    ae16:	4681      	mov	r9, r0
+    ae18:	4660      	mov	r0, ip
+    ae1a:	2800      	cmp	r0, #0
+    ae1c:	d040      	beq	0xaea0
+    ae1e:	a809      	add	r0, sp, #36
+    ae20:	7802      	ldrb	r2, [r0, #0]
+    ae22:	a809      	add	r0, sp, #36
+    ae24:	7800      	ldrb	r0, [r0, #0]
+    ae26:	28e1      	cmp	r0, #225
+    ae28:	da3a      	bge	0xaea0
+    ae2a:	4973      	ldr	r1, [pc, #460]	(0xaff8)
+    ae2c:	2500      	mov	r5, #0
+    ae2e:	2000      	mov	r0, #0
+    ae30:	2600      	mov	r6, #0
+    ae32:	2a2e      	cmp	r2, #46
+    ae34:	db06      	blt	0xae44
+    ae36:	3a2d      	sub	r2, #45
+    ae38:	0612      	lsl	r2, r2, #24
+    ae3a:	0e12      	lsr	r2, r2, #24
+    ae3c:	3601      	add	r6, #1
+    ae3e:	3901      	sub	r1, #1
+    ae40:	2900      	cmp	r1, #0
+    ae42:	d1f6      	bne	0xae32
+    ae44:	496c      	ldr	r1, [pc, #432]	(0xaff8)
+    ae46:	2300      	mov	r3, #0
+    ae48:	2a09      	cmp	r2, #9
+    ae4a:	db06      	blt	0xae5a
+    ae4c:	3a09      	sub	r2, #9
+    ae4e:	0612      	lsl	r2, r2, #24
+    ae50:	0e12      	lsr	r2, r2, #24
+    ae52:	3301      	add	r3, #1
+    ae54:	3901      	sub	r1, #1
+    ae56:	2900      	cmp	r1, #0
+    ae58:	d1f6      	bne	0xae48
+    ae5a:	1899      	add	r1, r3, r2
+    ae5c:	2703      	mov	r7, #3
+    ae5e:	023f      	lsl	r7, r7, #8
+    ae60:	408f      	lsl	r7, r1
+    ae62:	4966      	ldr	r1, [pc, #408]	(0xaffc)
+    ae64:	19c9      	add	r1, r1, r7
+    ae66:	0049      	lsl	r1, r1, #1
+    ae68:	277f      	mov	r7, #127
+    ae6a:	043f      	lsl	r7, r7, #16
+    ae6c:	42bc      	cmp	r4, r7
+    ae6e:	d800      	bhi	0xae72
+    ae70:	4d63      	ldr	r5, [pc, #396]	(0xb000)
+    ae72:	2701      	mov	r7, #1
+    ae74:	043f      	lsl	r7, r7, #16
+    ae76:	42b9      	cmp	r1, r7
+    ae78:	d801      	bhi	0xae7e
+    ae7a:	2001      	mov	r0, #1
+    ae7c:	0600      	lsl	r0, r0, #24
+    ae7e:	2d00      	cmp	r5, #0
+    ae80:	d00e      	beq	0xaea0
+    ae82:	2800      	cmp	r0, #0
+    ae84:	d00c      	beq	0xaea0
+    ae86:	9600      	str	r6, [sp, #0]
+    ae88:	4666      	mov	r6, ip
+    ae8a:	9601      	str	r6, [sp, #4]
+    ae8c:	464e      	mov	r6, r9
+    ae8e:	9602      	str	r6, [sp, #8]
+    ae90:	9503      	str	r5, [sp, #12]
+    ae92:	9404      	str	r4, [sp, #16]
+    ae94:	ac08      	add	r4, sp, #32
+    ae96:	9405      	str	r4, [sp, #20]
+    ae98:	ff1bf000 	bl	0xbcd2
+    ae9c:	2800      	cmp	r0, #0
+    ae9e:	d001      	beq	0xaea4
+    aea0:	2000      	mov	r0, #0
+    aea2:	e005      	b	0xaeb0
+    aea4:	4640      	mov	r0, r8
+    aea6:	6005      	str	r5, [r0, #0]
+    aea8:	2028      	mov	r0, #40
+    aeaa:	fbbbf7f7 	bl	0x2624
+    aeae:	9808      	ldr	r0, [sp, #32]
+    aeb0:	b00b      	add	sp, #44
+    aeb2:	bc18      	pop	{r3, r4}
+    aeb4:	4698      	mov	r8, r3
+    aeb6:	46a1      	mov	r9, r4
+    aeb8:	bdf0      	pop	{r4, r5, r6, r7, pc}
+
+    aeba:	b530      	push	{r4, r5, lr}
+    aebc:	b09e      	sub	sp, #120
+    aebe:	2000      	mov	r0, #0
+    aec0:	43c4      	mvn	r4, r0
+    aec2:	2000      	mov	r0, #0
+    aec4:	a901      	add	r1, sp, #4
+    aec6:	2201      	mov	r2, #1
+    aec8:	f8fbf000 	bl	0xb0c2
+    aecc:	2800      	cmp	r0, #0
+    aece:	d13c      	bne	0xaf4a
+    aed0:	a801      	add	r0, sp, #4
+    aed2:	a903      	add	r1, sp, #12
+    aed4:	f93df000 	bl	0xb152
+    aed8:	2800      	cmp	r0, #0
+    aeda:	d132      	bne	0xaf42
+    aedc:	9d03      	ldr	r5, [sp, #12]
+    aede:	1c28      	mov	r0, r5		(add r0, r5, #0)
+    aee0:	fd90f7ff 	bl	0xaa04
+    aee4:	2800      	cmp	r0, #0
+    aee6:	d02c      	beq	0xaf42
+    aee8:	9803      	ldr	r0, [sp, #12]
+    aeea:	fdf6f7ff 	bl	0xaada
+    aeee:	2800      	cmp	r0, #0
+    aef0:	d027      	beq	0xaf42
+    aef2:	2038      	mov	r0, #56
+    aef4:	1941      	add	r1, r0, r5
+    aef6:	2230      	mov	r2, #48
+    aef8:	a805      	add	r0, sp, #20
+    aefa:	780b      	ldrb	r3, [r1, #0]
+    aefc:	7003      	strb	r3, [r0, #0]
+    aefe:	3101      	add	r1, #1
+    af00:	3001      	add	r0, #1
+    af02:	3a01      	sub	r2, #1
+    af04:	2a00      	cmp	r2, #0
+    af06:	d1f8      	bne	0xaefa
+    af08:	2000      	mov	r0, #0
+    af0a:	9000      	str	r0, [sp, #0]
+    af0c:	9803      	ldr	r0, [sp, #12]
+    af0e:	30ff      	add	r0, #255
+    af10:	3079      	add	r0, #121
+    af12:	9904      	ldr	r1, [sp, #16]
+    af14:	39ff      	sub	r1, #255
+    af16:	3979      	sub	r1, #121
+    af18:	466a      	mov	r2, sp
+    af1a:	ff37f7ff 	bl	0xad8c
+    af1e:	1c03      	mov	r3, r0		(add r3, r0, #0)
+    af20:	2b00      	cmp	r3, #0
+    af22:	d00e      	beq	0xaf42
+    af24:	20ff      	mov	r0, #255
+    af26:	3071      	add	r0, #113
+    af28:	5940      	ldr	r0, [r0, r5]
+    af2a:	fd5df7ff 	bl	0xa9e8
+    af2e:	1c02      	mov	r2, r0		(add r2, r0, #0)
+    af30:	9800      	ldr	r0, [sp, #0]
+    af32:	1c19      	mov	r1, r3		(add r1, r3, #0)
+    af34:	fbcef000 	bl	0xb6d4
+    af38:	2800      	cmp	r0, #0
+    af3a:	d101      	bne	0xaf40
+    af3c:	2400      	mov	r4, #0
+    af3e:	e000      	b	0xaf42
+    af40:	e000      	b	0xaf44
+    af42:	a801      	add	r0, sp, #4
+    af44:	2100      	mov	r1, #0
+    af46:	f9d5f000 	bl	0xb2f4
+    af4a:	2001      	mov	r0, #1
+    af4c:	a901      	add	r1, sp, #4
+    af4e:	2201      	mov	r2, #1
+    af50:	f8b7f000 	bl	0xb0c2
+    af54:	2800      	cmp	r0, #0
+    af56:	d129      	bne	0xafac
+    af58:	a801      	add	r0, sp, #4
+    af5a:	a903      	add	r1, sp, #12
+    af5c:	f8f9f000 	bl	0xb152
+    af60:	2800      	cmp	r0, #0
+    af62:	d123      	bne	0xafac
+    af64:	9903      	ldr	r1, [sp, #12]
+    af66:	aa11      	add	r2, sp, #68
+    af68:	2000      	mov	r0, #0
+    af6a:	780b      	ldrb	r3, [r1, #0]
+    af6c:	5483      	strb	r3, [r0, r2]
+    af6e:	3101      	add	r1, #1
+    af70:	3001      	add	r0, #1
+    af72:	2834      	cmp	r0, #52
+    af74:	d3f9      	bcc	0xaf6a
+    af76:	a801      	add	r0, sp, #4
+    af78:	2100      	mov	r1, #0
+    af7a:	f9bbf000 	bl	0xb2f4
+    af7e:	2001      	mov	r0, #1
+    af80:	a901      	add	r1, sp, #4
+    af82:	2202      	mov	r2, #2
+    af84:	f89df000 	bl	0xb0c2
+    af88:	2800      	cmp	r0, #0
+    af8a:	d10f      	bne	0xafac
+    af8c:	2c00      	cmp	r4, #0
+    af8e:	d101      	bne	0xaf94
+    af90:	2003      	mov	r0, #3
+    af92:	9011      	str	r0, [sp, #68]
+    af94:	a801      	add	r0, sp, #4
+    af96:	a911      	add	r1, sp, #68
+    af98:	2234      	mov	r2, #52
+    af9a:	f8fdf000 	bl	0xb198
+    af9e:	a801      	add	r0, sp, #4
+    afa0:	2100      	mov	r1, #0
+    afa2:	f9a7f000 	bl	0xb2f4
+    afa6:	2063      	mov	r0, #99
+    afa8:	fb3cf7f7 	bl	0x2624
+    afac:	b01e      	add	sp, #120
+    afae:	bd30      	pop	{r4, r5, pc}
+
+; This is the first function in the copied code,
+; called from the boot entry code.
+    afb0:	b510      	push	{r4, lr}
+    afb2:	b084      	sub	sp, #16
+    afb4:	2001      	mov	r0, #1
+    afb6:	4669      	mov	r1, sp
+    afb8:	2201      	mov	r2, #1
+    afba:	f882f000 	bl	0xb0c2
+    afbe:	2800      	cmp	r0, #0
+    afc0:	d118      	bne	0xaff4
+    afc2:	4668      	mov	r0, sp
+    afc4:	a902      	add	r1, sp, #8
+    afc6:	f8c4f000 	bl	0xb152
+    afca:	1c04      	mov	r4, r0		(add r4, r0, #0)
+    afcc:	4668      	mov	r0, sp
+    afce:	2100      	mov	r1, #0
+    afd0:	f990f000 	bl	0xb2f4
+    afd4:	2c00      	cmp	r4, #0
+    afd6:	d10d      	bne	0xaff4
+    afd8:	9802      	ldr	r0, [sp, #8]
+    afda:	6800      	ldr	r0, [r0, #0]
+    afdc:	2802      	cmp	r0, #2
+    afde:	d109      	bne	0xaff4
+    afe0:	fb70f7f7 	bl	0x26c4
+    afe4:	fa90f7f7 	bl	0x2508
+    afe8:	fac3f7f7 	bl	0x2572
+    afec:	ff65f7ff 	bl	0xaeba
+    aff0:	f9acf7f8 	bl	0x334c
+    aff4:	b004      	add	sp, #16
+    aff6:	bd10      	pop	{r4, pc}
+
+; This function ensures that the flash at the given address
+; is not toggling.
+    b004:	8802      	ldrh	r2, [r0, #0]
+    b006:	8801      	ldrh	r1, [r0, #0]
+    b008:	404a      	eor	r2, r1
+    b00a:	09d1      	lsr	r1, r2, #7
+    b00c:	d2fa      	bcs	0xb004
+    b00e:	4770      	bx	lr
+
+    b010:	b530      	push	{r4, r5, lr}
+    b012:	1c0c      	mov	r4, r1		(add r4, r1, #0)
+    b014:	1c05      	mov	r5, r0		(add r5, r0, #0)
+    b016:	fa87f000 	bl	0xb528
+    b01a:	0400      	lsl	r0, r0, #16
+    b01c:	0c00      	lsr	r0, r0, #16
+    b01e:	49e1      	ldr	r1, [pc, #900]	(0xb3a4)
+    b020:	4288      	cmp	r0, r1
+    b022:	d008      	beq	0xb036
+    b024:	2121      	mov	r1, #33
+    b026:	0209      	lsl	r1, r1, #8
+    b028:	4288      	cmp	r0, r1
+    b02a:	d126      	bne	0xb07a
+    b02c:	49ea      	ldr	r1, [pc, #936]	(0xb3d8)
+    b02e:	0b28      	lsr	r0, r5, #12
+    b030:	0300      	lsl	r0, r0, #12
+    b032:	1808      	add	r0, r1, r0
+    b034:	e003      	b	0xb03e
+    b036:	49e8      	ldr	r1, [pc, #928]	(0xb3d8)
+    b038:	0c28      	lsr	r0, r5, #16
+    b03a:	0400      	lsl	r0, r0, #16
+    b03c:	1808      	add	r0, r1, r0
+    b03e:	4ae7      	ldr	r2, [pc, #924]	(0xb3dc)
+    b040:	21aa      	mov	r1, #170
+    b042:	5211      	strh	r1, [r2, r0]
+    b044:	2155      	mov	r1, #85
+    b046:	8001      	strh	r1, [r0, #0]
+    b048:	49e4      	ldr	r1, [pc, #912]	(0xb3dc)
+    b04a:	22a0      	mov	r2, #160
+    b04c:	520a      	strh	r2, [r1, r0]
+    b04e:	802c      	strh	r4, [r5, #0]
+    b050:	2080      	mov	r0, #128
+    b052:	4020      	and	r0, r4
+    b054:	8829      	ldrh	r1, [r5, #0]
+    b056:	2280      	mov	r2, #128
+    b058:	400a      	and	r2, r1
+    b05a:	4282      	cmp	r2, r0
+    b05c:	d00d      	beq	0xb07a
+    b05e:	0989      	lsr	r1, r1, #6
+    b060:	d3f8      	bcc	0xb054
+    b062:	8829      	ldrh	r1, [r5, #0]
+    b064:	2280      	mov	r2, #128
+    b066:	400a      	and	r2, r1
+    b068:	4282      	cmp	r2, r0
+    b06a:	d006      	beq	0xb07a
+    b06c:	2090      	mov	r0, #144
+    b06e:	8028      	strh	r0, [r5, #0]
+    b070:	2000      	mov	r0, #0
+    b072:	8028      	strh	r0, [r5, #0]
+    b074:	48da      	ldr	r0, [pc, #872]	(0xb3e0)
+    b076:	2101      	mov	r1, #1
+    b078:	7001      	strb	r1, [r0, #0]
+    b07a:	bd30      	pop	{r4, r5, pc}
+
+    b07c:	b530      	push	{r4, r5, lr}
+    b07e:	b081      	sub	sp, #4
+    b080:	0b01      	lsr	r1, r0, #12
+    b082:	030b      	lsl	r3, r1, #12
+    b084:	49d7      	ldr	r1, [pc, #860]	(0xb3e4)
+    b086:	18c9      	add	r1, r1, r3
+    b088:	22aa      	mov	r2, #170
+    b08a:	800a      	strh	r2, [r1, #0]
+    b08c:	4cd2      	ldr	r4, [pc, #840]	(0xb3d8)
+    b08e:	18e4      	add	r4, r4, r3
+    b090:	2355      	mov	r3, #85
+    b092:	8023      	strh	r3, [r4, #0]
+    b094:	2580      	mov	r5, #128
+    b096:	800d      	strh	r5, [r1, #0]
+    b098:	800a      	strh	r2, [r1, #0]
+    b09a:	8023      	strh	r3, [r4, #0]
+    b09c:	2130      	mov	r1, #48
+    b09e:	8001      	strh	r1, [r0, #0]
+    b0a0:	8801      	ldrh	r1, [r0, #0]
+    b0a2:	0909      	lsr	r1, r1, #4
+    b0a4:	d3fc      	bcc	0xb0a0
+    b0a6:	4669      	mov	r1, sp
+    b0a8:	8802      	ldrh	r2, [r0, #0]
+    b0aa:	804a      	strh	r2, [r1, #2]
+    b0ac:	466a      	mov	r2, sp
+    b0ae:	8801      	ldrh	r1, [r0, #0]
+    b0b0:	8011      	strh	r1, [r2, #0]
+    b0b2:	4669      	mov	r1, sp
+    b0b4:	8849      	ldrh	r1, [r1, #2]
+    b0b6:	8812      	ldrh	r2, [r2, #0]
+    b0b8:	4051      	eor	r1, r2
+    b0ba:	09c9      	lsr	r1, r1, #7
+    b0bc:	d2f3      	bcs	0xb0a6
+    b0be:	b001      	add	sp, #4
+    b0c0:	bd30      	pop	{r4, r5, pc}
+
+; arg1: magic region number
+; arg2: ptr to 8-byte buffer receiving copies of arg1 and arg3
+; arg3: mode, must be 1 or 2
+;
+; Mode 1: check the region (which must be in a state other than 2) for
+; a checksum-passing image, and advance to state 1 if found.  If already
+; in state 1, increment the byte at offset 8 in struct.
+;
+; Mode 2: put the region (which must be in state 0) into state 2.
+;
+; Returns:
+; 0 = success
+; 1 = region in the wrong state for mode
+; 2 = called with bad arguments
+; 3 = mode 1: no checksum-passing image found
+
+    b0c2:	b5f0      	push	{r4, r5, r6, r7, lr}
+    b0c4:	1c15      	mov	r5, r2		(add r5, r2, #0)
+    b0c6:	1c0e      	mov	r6, r1		(add r6, r1, #0)
+    b0c8:	1c04      	mov	r4, r0		(add r4, r0, #0)
+    b0ca:	4fe5      	ldr	r7, [pc, #916]	(0xb460) =0x810020
+    b0cc:	7838      	ldrb	r0, [r7, #0]
+    b0ce:	2800      	cmp	r0, #0
+    b0d0:	d103      	bne	0xb0da
+    b0d2:	f969f000 	bl	0xb3a8
+    b0d6:	2001      	mov	r0, #1
+    b0d8:	7038      	strb	r0, [r7, #0]
+    b0da:	2c03      	cmp	r4, #3
+    b0dc:	da07      	bge	0xb0ee
+    b0de:	2d03      	cmp	r5, #3
+    b0e0:	da05      	bge	0xb0ee
+    b0e2:	1e68      	sub	r0, r5, #1
+    b0e4:	2800      	cmp	r0, #0
+    b0e6:	d019      	beq	0xb11c
+    b0e8:	3801      	sub	r0, #1
+    b0ea:	2800      	cmp	r0, #0
+    b0ec:	d001      	beq	0xb0f2
+; return 2; means invalid invokation?
+    b0ee:	2002      	mov	r0, #2
+    b0f0:	bdf0      	pop	{r4, r5, r6, r7, pc}
+; goes here if 3rd arg == 2
+    b0f2:	2018      	mov	r0, #24
+    b0f4:	4360      	mul	r0, r4
+    b0f6:	49db      	ldr	r1, [pc, #876]	(0xb464) =0x810024
+    b0f8:	1809      	add	r1, r1, r0
+    b0fa:	2004      	mov	r0, #4
+    b0fc:	1840      	add	r0, r0, r1
+    b0fe:	6802      	ldr	r2, [r0, #0]
+    b100:	2a00      	cmp	r2, #0
+    b102:	d112      	bne	0xb12a		; return 1;
+    b104:	2202      	mov	r2, #2
+    b106:	6002      	str	r2, [r0, #0]
+    b108:	2000      	mov	r0, #0
+    b10a:	8288      	strh	r0, [r1, #20]
+    b10c:	6108      	str	r0, [r1, #16]
+    b10e:	4aea      	ldr	r2, [pc, #936]	(0xb4b8) =0x81006C
+    b110:	00a3      	lsl	r3, r4, #2
+    b112:	58d2      	ldr	r2, [r2, r3]
+    b114:	6892      	ldr	r2, [r2, #8]
+    b116:	600a      	str	r2, [r1, #0]
+    b118:	7248      	strb	r0, [r1, #9]
+    b11a:	e016      	b	0xb14a
+; goes here if 3rd arg == 1
+    b11c:	2018      	mov	r0, #24
+    b11e:	4360      	mul	r0, r4
+    b120:	49d1      	ldr	r1, [pc, #836]	(0xb468) =0x810028
+    b122:	180f      	add	r7, r1, r0
+    b124:	6838      	ldr	r0, [r7, #0]
+    b126:	2802      	cmp	r0, #2
+    b128:	d101      	bne	0xb12e
+; return 1;
+    b12a:	2001      	mov	r0, #1
+    b12c:	bdf0      	pop	{r4, r5, r6, r7, pc}
+; continuation of operation with arg3 == 1
+    b12e:	2800      	cmp	r0, #0
+    b130:	d108      	bne	0xb144
+    b132:	1c20      	mov	r0, r4		(add r0, r4, #0)
+    b134:	f99af000 	bl	0xb46c
+    b138:	2800      	cmp	r0, #0
+    b13a:	d001      	beq	0xb140
+    b13c:	2003      	mov	r0, #3
+    b13e:	bdf0      	pop	{r4, r5, r6, r7, pc}
+    b140:	2001      	mov	r0, #1
+    b142:	6038      	str	r0, [r7, #0]
+    b144:	7938      	ldrb	r0, [r7, #4]
+    b146:	3001      	add	r0, #1
+    b148:	7138      	strb	r0, [r7, #4]
+    b14a:	6034      	str	r4, [r6, #0]
+    b14c:	6075      	str	r5, [r6, #4]
+    b14e:	2000      	mov	r0, #0
+    b150:	bdf0      	pop	{r4, r5, r6, r7, pc}
+
+; arg1: points to buffer filled by successful 0xb0c2 in mode 1
+; arg2: 8-byte buffer filled as:
+; 0: points to start of image
+; 4: image length
+    b152:	b530      	push	{r4, r5, lr}
+    b154:	1c0c      	mov	r4, r1		(add r4, r1, #0)
+    b156:	1c01      	mov	r1, r0		(add r1, r0, #0)
+    b158:	48c1      	ldr	r0, [pc, #772]	(0xb460) =0x810020
+    b15a:	7800      	ldrb	r0, [r0, #0]
+    b15c:	2800      	cmp	r0, #0
+    b15e:	d010      	beq	0xb182
+    b160:	6808      	ldr	r0, [r1, #0]
+    b162:	4ad5      	ldr	r2, [pc, #852]	(0xb4b8) =0x81006C
+    b164:	0083      	lsl	r3, r0, #2
+    b166:	18d5      	add	r5, r2, r3
+    b168:	2803      	cmp	r0, #3
+    b16a:	da02      	bge	0xb172
+    b16c:	6849      	ldr	r1, [r1, #4]
+    b16e:	2903      	cmp	r1, #3
+    b170:	db01      	blt	0xb176
+    b172:	2002      	mov	r0, #2
+    b174:	bd30      	pop	{r4, r5, pc}
+    b176:	2118      	mov	r1, #24
+    b178:	4341      	mul	r1, r0
+    b17a:	4abb      	ldr	r2, [pc, #748]	(0xb468) =0x810028
+    b17c:	5851      	ldr	r1, [r2, r1]
+    b17e:	2901      	cmp	r1, #1
+    b180:	d001      	beq	0xb186
+    b182:	2005      	mov	r0, #5
+    b184:	bd30      	pop	{r4, r5, pc}
+    b186:	f95ff000 	bl	0xb448
+    b18a:	6840      	ldr	r0, [r0, #4]
+    b18c:	6060      	str	r0, [r4, #4]
+    b18e:	6828      	ldr	r0, [r5, #0]
+    b190:	6880      	ldr	r0, [r0, #8]
+    b192:	6020      	str	r0, [r4, #0]
+    b194:	2000      	mov	r0, #0
+    b196:	bd30      	pop	{r4, r5, pc}
+
+    b2f4:	b570      	push	{r4, r5, r6, lr}
+    b2f6:	1c04      	mov	r4, r0		(add r4, r0, #0)
+    b2f8:	4859      	ldr	r0, [pc, #356]	(0xb460) =0x810020
+    b2fa:	7800      	ldrb	r0, [r0, #0]
+    b2fc:	2800      	cmp	r0, #0
+    b2fe:	d00f      	beq	0xb320
+    b300:	6820      	ldr	r0, [r4, #0]
+    b302:	2803      	cmp	r0, #3
+    b304:	da14      	bge	0xb330
+    b306:	6866      	ldr	r6, [r4, #4]
+    b308:	2e03      	cmp	r6, #3
+    b30a:	da11      	bge	0xb330
+    b30c:	2902      	cmp	r1, #2
+    b30e:	da0f      	bge	0xb330
+    b310:	4d54      	ldr	r5, [pc, #336]	(0xb464) =0x810024
+    b312:	2218      	mov	r2, #24
+    b314:	4342      	mul	r2, r0
+    b316:	18aa      	add	r2, r5, r2
+    b318:	3204      	add	r2, #4
+    b31a:	6813      	ldr	r3, [r2, #0]
+    b31c:	2b00      	cmp	r3, #0
+    b31e:	d101      	bne	0xb324
+    b320:	2005      	mov	r0, #5
+    b322:	bd70      	pop	{r4, r5, r6, pc}
+    b324:	1e73      	sub	r3, r6, #1
+    b326:	2b00      	cmp	r3, #0
+    b328:	d010      	beq	0xb34c
+    b32a:	3b01      	sub	r3, #1
+    b32c:	2b00      	cmp	r3, #0
+    b32e:	d001      	beq	0xb334
+    b330:	2002      	mov	r0, #2
+    b332:	bd70      	pop	{r4, r5, r6, pc}
+    b334:	2900      	cmp	r1, #0
+    b336:	d106      	bne	0xb346
+    b338:	f856f000 	bl	0xb3e8
+    b33c:	2018      	mov	r0, #24
+    b33e:	6821      	ldr	r1, [r4, #0]
+    b340:	4348      	mul	r0, r1
+    b342:	182a      	add	r2, r5, r0
+    b344:	3204      	add	r2, #4
+    b346:	2000      	mov	r0, #0
+    b348:	6010      	str	r0, [r2, #0]
+    b34a:	e00c      	b	0xb366
+    b34c:	7910      	ldrb	r0, [r2, #4]
+    b34e:	3801      	sub	r0, #1
+    b350:	0600      	lsl	r0, r0, #24
+    b352:	0e00      	lsr	r0, r0, #24
+    b354:	7110      	strb	r0, [r2, #4]
+    b356:	2800      	cmp	r0, #0
+    b358:	d105      	bne	0xb366
+    b35a:	2018      	mov	r0, #24
+    b35c:	6821      	ldr	r1, [r4, #0]
+    b35e:	4348      	mul	r0, r1
+    b360:	1828      	add	r0, r5, r0
+    b362:	2100      	mov	r1, #0
+    b364:	6041      	str	r1, [r0, #4]
+    b366:	2000      	mov	r0, #0
+    b368:	bd70      	pop	{r4, r5, r6, pc}
+
+; This function adjusts the flash region pointers
+; in the table @81006C depending on the chip revision.
+    b36a:	b500      	push	{lr}
+    b36c:	f8dcf000 	bl	0xb528
+    b370:	0400      	lsl	r0, r0, #16
+    b372:	0c00      	lsr	r0, r0, #16
+    b374:	2121      	mov	r1, #33
+    b376:	0209      	lsl	r1, r1, #8
+    b378:	4288      	cmp	r0, r1
+    b37a:	d00a      	beq	0xb392
+    b37c:	4909      	ldr	r1, [pc, #36]	(0xb3a4)
+    b37e:	4288      	cmp	r0, r1
+    b380:	d10e      	bne	0xb3a0
+    b382:	484d      	ldr	r0, [pc, #308]	(0xb4b8)
+    b384:	4981      	ldr	r1, [pc, #516]	(0xb58c)
+    b386:	6001      	str	r1, [r0, #0]
+    b388:	4981      	ldr	r1, [pc, #516]	(0xb590)
+    b38a:	6041      	str	r1, [r0, #4]
+    b38c:	4981      	ldr	r1, [pc, #516]	(0xb594)
+    b38e:	6081      	str	r1, [r0, #8]
+    b390:	bd00      	pop	{pc}
+    b392:	4849      	ldr	r0, [pc, #292]	(0xb4b8)
+    b394:	4980      	ldr	r1, [pc, #512]	(0xb598)
+    b396:	6001      	str	r1, [r0, #0]
+    b398:	4980      	ldr	r1, [pc, #512]	(0xb59c)
+    b39a:	6041      	str	r1, [r0, #4]
+    b39c:	4980      	ldr	r1, [pc, #512]	(0xb5a0)
+    b39e:	6081      	str	r1, [r0, #8]
+    b3a0:	bd00      	pop	{pc}
+    b3a2:	46c0      	nop			(mov r8, r8)
+    b3a4:	00002101
+
+    b3a8:	b530      	push	{r4, r5, lr}
+    b3aa:	ffdef7ff 	bl	0xb36a
+    b3ae:	2100      	mov	r1, #0
+    b3b0:	4d7c      	ldr	r5, [pc, #496]	(0xb5a4) =0x12345678
+    b3b2:	2303      	mov	r3, #3
+    b3b4:	4a40      	ldr	r2, [pc, #256]	(0xb4b8)
+    b3b6:	482b      	ldr	r0, [pc, #172]	(0xb464) =0x810024
+    b3b8:	6814      	ldr	r4, [r2, #0]
+    b3ba:	68a4      	ldr	r4, [r4, #8]
+    b3bc:	6004      	str	r4, [r0, #0]
+    b3be:	60c5      	str	r5, [r0, #12]
+    b3c0:	8281      	strh	r1, [r0, #20]
+    b3c2:	6101      	str	r1, [r0, #16]
+    b3c4:	6041      	str	r1, [r0, #4]
+    b3c6:	7201      	strb	r1, [r0, #8]
+    b3c8:	7241      	strb	r1, [r0, #9]
+    b3ca:	3204      	add	r2, #4
+    b3cc:	3018      	add	r0, #24
+    b3ce:	3b01      	sub	r3, #1
+    b3d0:	2b00      	cmp	r3, #0
+    b3d2:	d1f1      	bne	0xb3b8
+    b3d4:	bd30      	pop	{r4, r5, pc}
+    b3d6:	46c0      	nop			(mov r8, r8)
+
+; This function ensures that the flash in the last sector of the
+; specified magic region is not toggling, and then returns
+; the address of where 0x12345678 is expected.
+    b448:	b500      	push	{lr}
+    b44a:	491b      	ldr	r1, [pc, #108]	(0xb4b8) =0x81006C
+    b44c:	0080      	lsl	r0, r0, #2
+    b44e:	5808      	ldr	r0, [r1, r0]
+    b450:	7901      	ldrb	r1, [r0, #4]
+    b452:	0089      	lsl	r1, r1, #2
+    b454:	1840      	add	r0, r0, r1
+    b456:	6880      	ldr	r0, [r0, #8]
+    b458:	380c      	sub	r0, #12
+    b45a:	fdd3f7ff 	bl	0xb004
+    b45e:	bd00      	pop	{pc}
+
+    b460:	00810020
+    b464:	00810024
+    b468:	00810028
+
+; This function checks whether the magic region specified by the argument
+; contains a checksum-passing image or not.  Returns 0 if pass, 3 otherwise.
+    b46c:	b530      	push	{r4, r5, lr}
+    b46e:	1c04      	mov	r4, r0		(add r4, r0, #0)
+    b470:	ffeaf7ff 	bl	0xb448
+    b474:	1c02      	mov	r2, r0		(add r2, r0, #0)
+    b476:	2105      	mov	r1, #5
+    b478:	2300      	mov	r3, #0
+    b47a:	8815      	ldrh	r5, [r2, #0]
+    b47c:	18eb      	add	r3, r5, r3
+    b47e:	041b      	lsl	r3, r3, #16
+    b480:	0c1b      	lsr	r3, r3, #16
+    b482:	3202      	add	r2, #2
+    b484:	3901      	sub	r1, #1
+    b486:	2900      	cmp	r1, #0
+    b488:	d1f7      	bne	0xb47a
+    b48a:	8941      	ldrh	r1, [r0, #10]
+    b48c:	428b      	cmp	r3, r1
+    b48e:	d11e      	bne	0xb4ce
+    b490:	4909      	ldr	r1, [pc, #36]	(0xb4b8) =0x81006C
+    b492:	00a2      	lsl	r2, r4, #2
+    b494:	5889      	ldr	r1, [r1, r2]
+    b496:	688b      	ldr	r3, [r1, #8]
+    b498:	6842      	ldr	r2, [r0, #4]
+    b49a:	2400      	mov	r4, #0
+    b49c:	0851      	lsr	r1, r2, #1
+    b49e:	2900      	cmp	r1, #0
+    b4a0:	d007      	beq	0xb4b2
+    b4a2:	881d      	ldrh	r5, [r3, #0]
+    b4a4:	192c      	add	r4, r5, r4
+    b4a6:	0424      	lsl	r4, r4, #16
+    b4a8:	0c24      	lsr	r4, r4, #16
+    b4aa:	3302      	add	r3, #2
+    b4ac:	3901      	sub	r1, #1
+    b4ae:	2900      	cmp	r1, #0
+    b4b0:	d1f7      	bne	0xb4a2
+    b4b2:	0851      	lsr	r1, r2, #1
+    b4b4:	d308      	bcc	0xb4c8
+    b4b6:	e001      	b	0xb4bc
+; interspersed literal
+    b4b8:	0081006c
+; function continues
+    b4bc:	8819      	ldrh	r1, [r3, #0]
+    b4be:	0609      	lsl	r1, r1, #24
+    b4c0:	0e09      	lsr	r1, r1, #24
+    b4c2:	1909      	add	r1, r1, r4
+    b4c4:	0409      	lsl	r1, r1, #16
+    b4c6:	0c0c      	lsr	r4, r1, #16
+    b4c8:	8900      	ldrh	r0, [r0, #8]
+    b4ca:	4284      	cmp	r4, r0
+    b4cc:	d001      	beq	0xb4d2
+    b4ce:	2003      	mov	r0, #3
+    b4d0:	bd30      	pop	{r4, r5, pc}
+    b4d2:	2000      	mov	r0, #0
+    b4d4:	bd30      	pop	{r4, r5, pc}
+
+; This function reads flash ID from the chip.
+; R0 needs to point to a 2-byte buffer into which the read manuf ID is stored.
+; R1 needs to point to an 8-byte buffer (4 16-bit words) filled as follows:
+; 0: word read from 0x02 in autoselect mode
+; 2: word read from 0x1C ""
+; 4: word read from 0x1E ""
+; 6: revision number word from CFI
+    b4d6:	b5f0      	push	{r4, r5, r6, r7, lr}
+    b4d8:	2303      	mov	r3, #3
+    b4da:	2200      	mov	r2, #0
+    b4dc:	0114      	lsl	r4, r2, #4
+    b4de:	4314      	orr	r4, r2
+    b4e0:	220a      	mov	r2, #10
+    b4e2:	4322      	orr	r2, r4
+    b4e4:	3b01      	sub	r3, #1
+    b4e6:	2b00      	cmp	r3, #0
+    b4e8:	d1f8      	bne	0xb4dc
+    b4ea:	24aa      	mov	r4, #170
+    b4ec:	8014      	strh	r4, [r2, #0]
+    b4ee:	1056      	asr	r6, r2, #1
+    b4f0:	2555      	mov	r5, #85
+    b4f2:	8035      	strh	r5, [r6, #0]
+    b4f4:	2390      	mov	r3, #144
+    b4f6:	8013      	strh	r3, [r2, #0]
+    b4f8:	2300      	mov	r3, #0
+    b4fa:	881f      	ldrh	r7, [r3, #0]
+    b4fc:	8007      	strh	r7, [r0, #0]
+    b4fe:	8858      	ldrh	r0, [r3, #2]
+    b500:	8008      	strh	r0, [r1, #0]
+    b502:	8b98      	ldrh	r0, [r3, #28]
+    b504:	8048      	strh	r0, [r1, #2]
+    b506:	8bd8      	ldrh	r0, [r3, #30]
+    b508:	8088      	strh	r0, [r1, #4]
+    b50a:	2098      	mov	r0, #152
+    b50c:	8010      	strh	r0, [r2, #0]
+    b50e:	2086      	mov	r0, #134
+    b510:	8847      	ldrh	r7, [r0, #2]
+    b512:	8800      	ldrh	r0, [r0, #0]
+    b514:	0200      	lsl	r0, r0, #8
+    b516:	4307      	orr	r7, r0
+    b518:	80cf      	strh	r7, [r1, #6]
+    b51a:	20ff      	mov	r0, #255
+    b51c:	8018      	strh	r0, [r3, #0]
+    b51e:	8014      	strh	r4, [r2, #0]
+    b520:	8035      	strh	r5, [r6, #0]
+    b522:	20f0      	mov	r0, #240
+    b524:	8010      	strh	r0, [r2, #0]
+    b526:	bdf0      	pop	{r4, r5, r6, r7, pc}
+
+; This function computes a single-word flash device ID.  The algorithm is
+; as follows:
+; - if the manuf is other than 01 or 04, return the autoselect word from 0x02
+; - ditto autosel[0x02] != 0x227E
+; - in the case of our expected S71PL129NC0, return value will be
+;   0x2100 or 0x2101 depending on the chip rev indicated in CFI table
+
+    b528:	b500      	push	{lr}
+    b52a:	b083      	sub	sp, #12
+    b52c:	4668      	mov	r0, sp
+    b52e:	a901      	add	r1, sp, #4
+    b530:	ffd1f7ff 	bl	0xb4d6
+    b534:	4668      	mov	r0, sp
+    b536:	8800      	ldrh	r0, [r0, #0]
+    b538:	2801      	cmp	r0, #1
+    b53a:	d003      	beq	0xb544
+    b53c:	4668      	mov	r0, sp
+    b53e:	8800      	ldrh	r0, [r0, #0]
+    b540:	2804      	cmp	r0, #4
+    b542:	d11e      	bne	0xb582
+    b544:	4668      	mov	r0, sp
+    b546:	8881      	ldrh	r1, [r0, #4]
+    b548:	4817      	ldr	r0, [pc, #92]	(0xb5a8)
+    b54a:	4281      	cmp	r1, r0
+    b54c:	d119      	bne	0xb582
+    b54e:	4668      	mov	r0, sp
+    b550:	7a00      	ldrb	r0, [r0, #8]
+    b552:	4669      	mov	r1, sp
+    b554:	88c9      	ldrh	r1, [r1, #6]
+    b556:	0209      	lsl	r1, r1, #8
+    b558:	4308      	orr	r0, r1
+    b55a:	0400      	lsl	r0, r0, #16
+    b55c:	0c00      	lsr	r0, r0, #16
+    b55e:	4669      	mov	r1, sp
+    b560:	88c9      	ldrh	r1, [r1, #6]
+    b562:	4a12      	ldr	r2, [pc, #72]	(0xb5ac)
+    b564:	4291      	cmp	r1, r2
+    b566:	d10e      	bne	0xb586
+    b568:	4669      	mov	r1, sp
+    b56a:	890a      	ldrh	r2, [r1, #8]
+    b56c:	2111      	mov	r1, #17
+    b56e:	0249      	lsl	r1, r1, #9
+    b570:	428a      	cmp	r2, r1
+    b572:	d108      	bne	0xb586
+    b574:	4669      	mov	r1, sp
+    b576:	8949      	ldrh	r1, [r1, #10]
+    b578:	4a0d      	ldr	r2, [pc, #52]	(0xb5b0)
+    b57a:	4291      	cmp	r1, r2
+    b57c:	d003      	beq	0xb586
+    b57e:	480d      	ldr	r0, [pc, #52]	(0xb5b4)
+    b580:	e001      	b	0xb586
+    b582:	4668      	mov	r0, sp
+    b584:	8880      	ldrh	r0, [r0, #4]
+    b586:	b003      	add	sp, #12
+    b588:	bd00      	pop	{pc}
+    b58a:	46c0      	nop			(mov r8, r8)
+
+; written into table @81006C for one chip rev
+    b58c:	0081a61c
+    b590:	0081a8b4
+    b594:	0081ab4c
+; written into table @81006C for the other chip rev
+    b598:	0081a4d0
+    b59c:	0081a768
+    b5a0:	0081aa00
+; looks like 6 records of 0x14C bytes each, starting at 0x81a4d0
+; that's offset 0xA04C from the start of copy, 0xC554 in flash
+
+    b5a4:	12345678
+    b5a8:	0000227e
+    b5ac:	00002221
+    b5b0:	00003133
+    b5b4:	00002101
+
+    c554:	00000000
+    c558:	00000036
+    c55c:	02480000
+    c560:	02490000
+    c564:	024a0000
+    c568:	024b0000
+    c56c:	024c0000
+    c570:	024d0000
+    c574:	024e0000
+    c578:	024f0000
+    c57c:	02500000
+    c580:	02510000
+    c584:	02520000
+    c588:	02530000
+    c58c:	02540000
+    c590:	02550000
+    c594:	02560000
+    c598:	02570000
+    c59c:	02580000
+    c5a0:	02590000
+    c5a4:	025a0000
+    c5a8:	025b0000
+    c5ac:	025c0000
+    c5b0:	025d0000
+    c5b4:	025e0000
+    c5b8:	025f0000
+    c5bc:	02600000
+    c5c0:	02610000
+    c5c4:	02620000
+    c5c8:	02630000
+    c5cc:	02640000
+    c5d0:	02650000
+    c5d4:	02660000
+    c5d8:	02670000
+    c5dc:	02680000
+    c5e0:	02690000
+    c5e4:	026a0000
+    c5e8:	026b0000
+    c5ec:	026c0000
+    c5f0:	026d0000
+    c5f4:	026e0000
+    c5f8:	026f0000
+    c5fc:	02700000
+    c600:	02710000
+    c604:	02720000
+    c608:	02730000
+    c60c:	02740000
+    c610:	02750000
+    c614:	02760000
+    c618:	02770000
+    c61c:	02780000
+    c620:	02790000
+    c624:	027a0000
+    c628:	027b0000
+    c62c:	027c0000
+    c630:	027d0000
+    c634:	027e0000
+	...
+    c6a4:	0000000f
+    c6a8:	02480000
+    c6ac:	024c0000
+    c6b0:	02500000
+    c6b4:	02540000
+    c6b8:	02580000
+    c6bc:	025c0000
+    c6c0:	02600000
+    c6c4:	02640000
+    c6c8:	02680000
+    c6cc:	026c0000
+    c6d0:	02700000
+    c6d4:	02740000
+    c6d8:	02780000
+    c6dc:	027c0000
+    c6e0:	027d0000
+    c6e4:	027e0000
+	...
+    c7ec:	00000001
+    c7f0:	00000001
+    c7f4:	027e0000
+    c7f8:	027f0000
+	...
+    c938:	00000001
+    c93c:	00000001
+    c940:	027e0000
+    c944:	027f0000
+	...
+    ca84:	00000002
+    ca88:	00000008
+    ca8c:	027f0000
+    ca90:	027f2000
+    ca94:	027f4000
+    ca98:	027f6000
+    ca9c:	027f8000
+    caa0:	027fa000
+    caa4:	027fc000
+    caa8:	027fe000
+    caac:	02800000
+	...
+    cbd0:	00000002
+    cbd4:	00000001
+    cbd8:	027f0000
+    cbdc:	02800000
+	...
+    cd1c:	00030000
+    cd20:	00040000
+    cd24:	00050000
+    cd28:	00060000
+    cd2c:	00070000
+    cd30:	00080000
+    cd34:	00090000
+    cd38:	000a0000
+    cd3c:	000b0000
+    cd40:	000c0000
+    cd44:	000d0000
+    cd48:	000e0000
+    cd4c:	000f0000
+    cd50:	00100000
+    cd54:	00110000
+    cd58:	00120000
+    cd5c:	00130000
+    cd60:	00140000
+    cd64:	00150000
+    cd68:	00160000
+    cd6c:	00170000
+    cd70:	00180000
+    cd74:	00190000
+    cd78:	001a0000
+    cd7c:	001b0000
+    cd80:	001c0000
+    cd84:	001d0000
+    cd88:	001e0000
+    cd8c:	001f0000
+    cd90:	00200000
+    cd94:	00210000
+    cd98:	00220000
+    cd9c:	00230000
+    cda0:	00240000
+    cda4:	00250000
+    cda8:	00260000
+    cdac:	00270000
+    cdb0:	00280000
+    cdb4:	00290000
+    cdb8:	002a0000
+    cdbc:	002b0000
+    cdc0:	002c0000
+    cdc4:	002d0000
+    cdc8:	002e0000
+    cdcc:	002f0000
+    cdd0:	00300000
+    cdd4:	00310000
+    cdd8:	00320000
+    cddc:	00330000
+    cde0:	00340000
+    cde4:	00350000
+    cde8:	00360000
+    cdec:	00370000
+    cdf0:	00380000
+    cdf4:	00390000
+    cdf8:	003a0000
+    cdfc:	003b0000
+    ce00:	003c0000
+    ce04:	003d0000
+    ce08:	003e0000
+    ce0c:	003f0000
+    ce10:	00400000
+    ce14:	00410000
+    ce18:	00420000
+    ce1c:	00430000
+    ce20:	00440000
+    ce24:	00450000
+    ce28:	00460000
+    ce2c:	00470000
+    ce30:	00480000
+    ce34:	00490000
+    ce38:	004a0000
+    ce3c:	004b0000
+    ce40:	004c0000
+    ce44:	004d0000
+    ce48:	004e0000
+    ce4c:	004f0000
+    ce50:	00500000
+    ce54:	00510000
+    ce58:	00520000
+    ce5c:	00530000
+    ce60:	00540000
+    ce64:	00550000
+    ce68:	00560000
+    ce6c:	00570000
+    ce70:	00580000
+    ce74:	00590000
+    ce78:	005a0000
+    ce7c:	005b0000
+    ce80:	005c0000
+    ce84:	005d0000
+    ce88:	005e0000
+    ce8c:	005f0000
+    ce90:	00600000
+    ce94:	00610000
+    ce98:	00620000
+    ce9c:	00630000
+    cea0:	00640000
+    cea4:	00650000
+    cea8:	00660000
+    ceac:	00670000
+    ceb0:	00680000
+    ceb4:	00690000
+    ceb8:	006a0000
+    cebc:	006b0000
+    cec0:	006c0000
+    cec4:	006d0000
+    cec8:	006e0000
+    cecc:	006f0000
+    ced0:	00700000
+    ced4:	00710000
+    ced8:	00720000
+    cedc:	00730000
+    cee0:	00740000
+    cee4:	00750000
+    cee8:	00760000
+    ceec:	00770000
+    cef0:	00780000
+    cef4:	00790000
+    cef8:	007a0000
+    cefc:	007b0000
+    cf00:	007c0000
+    cf04:	007d0000
+    cf08:	007e0000
+    cf0c:	007f0000
+
+    cf10:	00030000
+    cf14:	00040000
+    cf18:	00080000
+    cf1c:	000c0000
+    cf20:	00100000
+    cf24:	00140000
+    cf28:	00180000
+    cf2c:	001c0000
+    cf30:	00200000
+    cf34:	00240000
+    cf38:	00280000
+    cf3c:	002c0000
+    cf40:	00300000
+    cf44:	00340000
+    cf48:	00380000
+    cf4c:	003c0000
+    cf50:	00400000
+    cf54:	00440000
+    cf58:	00480000
+    cf5c:	004c0000
+    cf60:	00500000
+    cf64:	00540000
+    cf68:	00580000
+    cf6c:	005c0000
+    cf70:	00600000
+    cf74:	00640000
+    cf78:	00680000
+    cf7c:	006c0000
+    cf80:	00700000
+    cf84:	00740000
+    cf88:	00780000
+    cf8c:	007c0000
+
 CF8F: last copied byte
 
 <CF90-1F9FF: all FFs>
--- a/pirelli/preboot.notes	Sun Feb 09 09:36:42 2014 +0000
+++ b/pirelli/preboot.notes	Mon Feb 10 02:33:17 2014 +0000
@@ -3,12 +3,39 @@
 IRAM usage:
 
 800000:	everything from here to 81047C is zeroed out
+800000: byte var, init to 0
 800004: 1 written here
 800008: var set to bottom of SVC stack
 80000C: var set to top of SVC stack
 800010: 16-bit checksum of copy-to-RAM block, before copy
 800012: 16-bit checksum of copy-to-RAM block, after copy
+810014:	16-bit var, init to 0
+810016:	16-bit var, init to 0
+810018: byte var, init to 0x00
+810019: byte var, init to 0xBC
+81001C: 32-bit var, init to 0
+810020:	byte var, init to 0x00, apparently flag indicating that the array
+	at 0x810024 has been initialized
+810021:	byte var, init to 0x00
+810024: 32-bit var, init to 0
+810024: array of 3 structs, 24 (0x18) bytes each, one for each flash region
+	init by routine at 0xb3a8
+	offset 00: ptr to start of flash region
+	offset 04: 32-bit init to 0, appears to be a state in the [0,2] range:
+		0: initial
+		1: checked and found to contain an image
+		2: result of calling 0xb0c2 in mode 2
+	offset 08: byte init to 0, incremented each time 0xb0c2 in mode 1
+			succeeds
+	offset 09: byte init to 0
+	offset 0C: init to 0x12345678
+	offset 10: 32-bit init to 0
+	offset 14: 16-bit init to 0
+81006C:	table of 3 32-bit words, pointers to structures describing
+	3 flash2 regions, init to {0081a4d0, 0081a768, 0081aa00}
+810078: 32-bit var, init to 0
 81047C:	bottom of init stack (0x400 bytes)
+81047C: byte var, init to 0
 810484: first byte used by copied code block
 81AF0B: last byte ""
 81AF60: initial SP for abort and undef
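Review bot: The new `81006C` entry records only one initial value set, `{0081a4d0, 0081a768, 0081aa00}`, but the comments added to preboot.disasm in this same changeset (literal pool at b58c–b5a0) say a second triple, `{0081a61c, 0081a8b4, 0081ab4c}`, is written for the other chip rev. The entry would be clearer as `init to {0081a4d0, 0081a768, 0081aa00} or {0081a61c, 0081a8b4, 0081ab4c} depending on chip rev`. Separately, `810024` is now listed twice, once as `32-bit var, init to 0` and once as the array of 3 structs whose offset 00 is the flash-region pointer. Three 0x18-byte structs span 0x810024–0x81006B exactly, so the standalone line describes the first struct's offset 00 before the routine at 0xb3a8 runs; it would be better folded into the array entry, e.g. `offset 00: ptr to start of flash region (zero until init)`.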