comparison moko11 @ 57:277fd7b971f0

some success in finding familiar TI code in moko11 and Pirelli fw binary images
author Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
date Tue, 12 Nov 2013 04:28:47 +0000
56:fdfb57a1c5fe 57:277fd7b971f0
1 The Init_Target() function in the TCS211 code from Sotovik (which sits in a
2 binary lib with no source!) programs nCS0 and nCS1 memory timings with WS=3.
3 We would like to determine whether or not the moko11 firmware does the same
4 thing. We have no linker map file for moko11, so we have to dig around in the
5 binary and try to match the code against known objects.
6
7 In the Sotomodem version of Init_Target(), at offset 0x60 from the beginning of
8 the function there is a BL instruction calling $CLKM_InitARMClock, and this call
9 is immediately followed by the code that sets up the memory timings.
10
11 Let's see what we can find in the moko11 binary image:
12
13 0012D4: RESET vector jumps here
14 010000: the code here appears to fully match the .inttext section of
15 TI's int.obj
16 010058: appears to be the _INT_Initialize entry point
17 (seems to be the same for all TI firmwares of that era)
18 010268: b 0x1e8364, should be a jump to the _INC_Initialize veneer
19 1D1E48: first function called from Application_Initialize, should be
20 Init_Target()
21 Matches the Sotomodem version of Init_Target() indeed,
22 including the memory timing setup!
23 1E72B0: Expected start of $INC_Initialize, appears to match
24 1E72F4: bl 0x1e81fc, should be calling Application_Initialize()
25 1E81FC: Expected start of Application_Initialize(), contains 6 calls indeed
26 1E8364: looks like an ARM->Thumb call veneer indeed
27 1E8370: Thumb code begins, does bl 0x1e72b0
28 1E8378: back to ARM, veneer return
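Review bot: The entry at 1D1E48 (lines 19-22) says the function matches the Sotomodem Init_Target() "including the memory timing setup", but the file never states the answer to the question posed in lines 1-5, namely whether moko11 programs nCS0 and nCS1 with WS=3. Suggest adding a closing sentence with the conclusion and the evidence for it, for example the address of the BL to $CLKM_InitARMClock (expected at 1D1E48+0x60 if the function layout matches the Sotomodem one described in lines 7-9) and the wait-state values actually written, so the match can be re-checked without repeating the search. It would also help to say whether the hex numbers in the list are offsets into the image file or run-time addresses, and to identify which moko11 image was examined.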