FreeCalypso > hg > freecalypso-reveng
comparison compal/c139-boot.notes @ 105:49c7cda96f04
C139 boot ROM fully cracked
| author | Michael Spacefalcon <msokolov@ivan.Harhan.ORG> |
|---|---|
| date | Mon, 31 Mar 2014 05:51:57 +0000 |
| parents | |
| children |
comparison
equal
deleted
inserted
replaced
| 104:52cec4b71cfe | 105:49c7cda96f04 |
|---|---|
| 1 Download protocol, attempted first at 406250 baud, then 115200, only on the | |
| 2 MODEM UART: | |
| 3 | |
| 4 The boot code begins by transmitting 1B F6 02 00 41 01 40, then calls the | |
| 5 Rx-with-timeout function 7 times, expecting this seq: 1B F6 02 00 52 01 53. | |
| 6 Getting anything else or timeout causes the 0xbac function to return, | |
| 7 ending that download attempt. If this seq was received, the boot code then | |
| 8 sends 1B F6 02 00 41 02 43 and expects to receive 3 bytes as follows: | |
| 9 | |
| 10 * one dummy byte (stored into an automatic var, but then not used) | |
| 11 * payload length MSB | |
| 12 * payload length LSB | |
| 13 | |
| 14 The boot code then expects to receive the specified # of bytes [0,65535] | |
| 15 and stores them beginning at 0x800100. Then the Rx-with-timeout function | |
| 16 is called again to receive the XOR checksum byte, not counted in the length. | |
| 17 If the checksum fails to match, 0xbac function sends 1B F6 02 00 45 53 16 | |
| 18 and returns. If this check passes, the "1003" check is performed next: | |
| 19 the 4 bytes starting at 0x803ce0 must match. If the downloaded image was | |
| 20 shorter, the comparison will be made against pre-powerup IRAM content, | |
| 21 i.e., law of chance. Furthermore, the comparison is actually an inequality: | |
| 22 each "signature" byte in the downloaded image needs to be >= (in the signed | |
| 23 sense) than the "1003" reference. (0x7F7F7F7F thus ought to be a passing | |
| 24 value.) | |
| 25 | |
| 26 If this last check passes, the 0xbac function jumps to the downloaded image | |
| 27 instead of returning. Control is transferred to 0x800100 in the ARM state. | |
| 28 If the "1003" check fails, 0xbac function sends 1B F6 02 00 41 03 57 | |
| 29 and returns. | |
| 30 | |
| 31 If the boot process is not diverted to a successful serial download as above, | |
| 32 the boot code does one strange thing before it jumps to 0x20f8 (main app entry | |
| 33 point). The boot code unconditionally transmits "ftmtool" on the MODEM UART | |
| 34 and waits a certain time for a "yes" response. If it receives that "yes", | |
| 35 it responds with "modemerror", otherwise just "error". Either way, it then | |
| 36 proceed to jump to the main app entry point at 0x20f8! There is also a bunch | |
| 37 of "dead" code in the 8 KiB "boot block", code which does not seem to be | |
| 38 reachable from any path. There is no check for whether or not the "main app" | |
| 39 is present; if the flash contains the 8 KiB "boot block" followed by blank | |
| 40 space, the boot code will happily jumps to those FFs - but it will still | |
| 41 provide an opportunity for serial download as usual, so no real problem. | |
| 42 | |
| 43 IRAM variables used by the boot code: | |
| 44 | |
| 45 83FF00 holds UART base addr, set to FFFF5800 (MODEM) | |
| 46 83FF08 32-bit var init to 0 | |
| 47 83FF10 32-bit var init to 0 | |
| 48 83FF80 byte var init to 0 at the beginning of ftmtool function (0xdbe), | |
| 49 set to 1 if "yes" received in response to "ftmtool" |