FreeCalypso > hg > freecalypso-reveng
annotate bootrom.notes @ 10:b0f7481efc8b
Pirelli PCB rev eng: finally have something worthy to report:
traced out the 3 chip selects for the RAM/flash MCP.
| author | Michael Spacefalcon <msokolov@ivan.Harhan.ORG> |
|---|---|
| date | Sat, 20 Apr 2013 00:56:45 +0000 |
| parents | a06573cacb6e |
| children | 25b016d16602 |
| rev | line source |
|---|---|
|
7
a445735685ba
boot ROM re: flash application image interface documented
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
3
diff
changeset
|
1 Application images in flash: |
|
a445735685ba
boot ROM re: flash application image interface documented
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
3
diff
changeset
|
2 |
|
a445735685ba
boot ROM re: flash application image interface documented
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
3
diff
changeset
|
3 In order for the nCS0 flash content to be considered a valid bootable image |
|
a445735685ba
boot ROM re: flash application image interface documented
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
3
diff
changeset
|
4 (i.e., for the boot ROM to transfer control to it, rather than wait forever |
|
a445735685ba
boot ROM re: flash application image interface documented
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
3
diff
changeset
|
5 for a UART download), the 32-bit word at address 0x2000 (the first word |
|
a445735685ba
boot ROM re: flash application image interface documented
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
3
diff
changeset
|
6 after the ROM-overlaid portion) must contain either 0 or 1, corresponding |
|
a445735685ba
boot ROM re: flash application image interface documented
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
3
diff
changeset
|
7 to two supported environment options: |
|
a445735685ba
boot ROM re: flash application image interface documented
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
3
diff
changeset
|
8 |
|
a445735685ba
boot ROM re: flash application image interface documented
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
3
diff
changeset
|
9 * If the word at 0x2000 equals 0, it signifies an application image that is |
|
a445735685ba
boot ROM re: flash application image interface documented
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
3
diff
changeset
|
10 designed to run with the boot ROM still mapped at 0, with ARM exceptions |
|
a445735685ba
boot ROM re: flash application image interface documented
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
3
diff
changeset
|
11 vectoring through the 7 magic RAM locations at 0x80001C, and possibly |
|
a445735685ba
boot ROM re: flash application image interface documented
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
3
diff
changeset
|
12 through the 2nd level ("user-friendly") vector table at 0x800000 as well. |
|
a445735685ba
boot ROM re: flash application image interface documented
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
3
diff
changeset
|
13 |
|
a445735685ba
boot ROM re: flash application image interface documented
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
3
diff
changeset
|
14 If the word at 0x2000 equals 0, the following word at 0x2004 must contain |
|
a445735685ba
boot ROM re: flash application image interface documented
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
3
diff
changeset
|
15 the absolute address of the boot entry point; the boot ROM will transfer |
|
a445735685ba
boot ROM re: flash application image interface documented
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
3
diff
changeset
|
16 control to that address with the FFFF:FB10 register set to explicitly map |
|
a445735685ba
boot ROM re: flash application image interface documented
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
3
diff
changeset
|
17 the internal boot ROM at 0. It is a BX-style address: setting the least |
|
a445735685ba
boot ROM re: flash application image interface documented
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
3
diff
changeset
|
18 significant bit will result in control being transferred in the Thumb state. |
|
a445735685ba
boot ROM re: flash application image interface documented
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
3
diff
changeset
|
19 |
|
a445735685ba
boot ROM re: flash application image interface documented
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
3
diff
changeset
|
20 * If the word at 0x2000 equals 1, it signifies an application image that is |
|
a445735685ba
boot ROM re: flash application image interface documented
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
3
diff
changeset
|
21 at least conceptually independent of the Calypso boot ROM - one that would, |
|
a445735685ba
boot ROM re: flash application image interface documented
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
3
diff
changeset
|
22 at least in theory, function correctly with nIBOOT tied/pulled/driven HIGH, |
|
a445735685ba
boot ROM re: flash application image interface documented
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
3
diff
changeset
|
23 or even on an older DBB chip with no internal boot ROM. |
|
a445735685ba
boot ROM re: flash application image interface documented
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
3
diff
changeset
|
24 |
|
a445735685ba
boot ROM re: flash application image interface documented
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
3
diff
changeset
|
25 When the boot ROM code sees a 1 in the 0x2000 word, it copies a little piece |
|
a445735685ba
boot ROM re: flash application image interface documented
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
3
diff
changeset
|
26 of code into the internal ROM and runs it there; this code sets the FFFF:FB10 |
|
a445735685ba
boot ROM re: flash application image interface documented
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
3
diff
changeset
|
27 register to disable the internal boot ROM (map the external nCS0 memory at 0, |
|
a445735685ba
boot ROM re: flash application image interface documented
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
3
diff
changeset
|
28 as if nIBOOT were high) and causes the watchdog timer to go off, resetting |
|
a445735685ba
boot ROM re: flash application image interface documented
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
3
diff
changeset
|
29 the ARM core and causing it to execute the external nCS0 reset vector. |
|
a445735685ba
boot ROM re: flash application image interface documented
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
3
diff
changeset
|
30 |
|
3
e3f8fe6a848e
boot ROM re: started on main() and the 0xe2c routine
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
31 RAM layout: |
|
e3f8fe6a848e
boot ROM re: started on main() and the 0xe2c routine
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
32 |
|
e3f8fe6a848e
boot ROM re: started on main() and the 0xe2c routine
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
33 800000 7 words: |
|
e3f8fe6a848e
boot ROM re: started on main() and the 0xe2c routine
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
34 soft-vector pointers: by default the following 7 words at |
|
e3f8fe6a848e
boot ROM re: started on main() and the 0xe2c routine
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
35 80001C are filled with ldr-jump instructions, which read |
|
e3f8fe6a848e
boot ROM re: started on main() and the 0xe2c routine
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
36 from these 7 words and load them into PC |
|
e3f8fe6a848e
boot ROM re: started on main() and the 0xe2c routine
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
37 80001C 7 words: |
|
e3f8fe6a848e
boot ROM re: started on main() and the 0xe2c routine
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
38 hard vectors: the physical vector locations in the ROM |
|
e3f8fe6a848e
boot ROM re: started on main() and the 0xe2c routine
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
39 contain branch instructions to these 7 RAM addresses |
|
8
a06573cacb6e
boot ROM re: trying to understand the code that runs after '<' received
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
7
diff
changeset
|
40 800038: The helper routine for transferring control to type 1 flash images |
|
a06573cacb6e
boot ROM re: trying to understand the code that runs after '<' received
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
7
diff
changeset
|
41 is copied to and run here. |
|
a06573cacb6e
boot ROM re: trying to understand the code that runs after '<' received
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
7
diff
changeset
|
42 800100: the last word of the above routine |
|
3
e3f8fe6a848e
boot ROM re: started on main() and the 0xe2c routine
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
43 800104: word initialized to 0x0001D4C0 |
|
e3f8fe6a848e
boot ROM re: started on main() and the 0xe2c routine
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
44 800108: byte initialized to 0x01 |
|
e3f8fe6a848e
boot ROM re: started on main() and the 0xe2c routine
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
45 |
|
8
a06573cacb6e
boot ROM re: trying to understand the code that runs after '<' received
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
7
diff
changeset
|
46 800520: byte variable filled every time the 0xfb4 routine is called |
|
a06573cacb6e
boot ROM re: trying to understand the code that runs after '<' received
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
7
diff
changeset
|
47 holds the ID of the UART on which '<' came in, or FF if none |
|
a06573cacb6e
boot ROM re: trying to understand the code that runs after '<' received
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
7
diff
changeset
|
48 800524: byte variable filled every time the 0xfb4 routine is called |
|
a06573cacb6e
boot ROM re: trying to understand the code that runs after '<' received
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
7
diff
changeset
|
49 filled with a copy of 800534 |
|
a06573cacb6e
boot ROM re: trying to understand the code that runs after '<' received
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
7
diff
changeset
|
50 |
|
a06573cacb6e
boot ROM re: trying to understand the code that runs after '<' received
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
7
diff
changeset
|
51 800534: byte initialized to 0x00, then may be set to 1 by the 0xfb4 |
|
a06573cacb6e
boot ROM re: trying to understand the code that runs after '<' received
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
7
diff
changeset
|
52 routine if it selects /1 clock mode. |
|
3
e3f8fe6a848e
boot ROM re: started on main() and the 0xe2c routine
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
53 |
|
e3f8fe6a848e
boot ROM re: started on main() and the 0xe2c routine
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
54 8005C0: appears to be the intended low address (bottom) of the stack |
|
e3f8fe6a848e
boot ROM re: started on main() and the 0xe2c routine
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
55 80074C: top of the stack (initial value loaded into SP) |