comparison compal/boot/c156-boot.disasm @ 399:81cda18b0487

compal: move all bootloader analysis work into boot subdir
author Mychaela Falconia <falcon@freecalypso.org>
date Sat, 14 Jan 2023 06:17:56 +0000
parents compal/c156-boot.disasm@5c47d916255e
children
398:e5e5ed527cc1 399:81cda18b0487
1 RESET entry and exception vectors:
2 0: ea000011 b 0x4c
3 4: ea008036 b 0x200e4
4 8: ea008036 b 0x200e8
5 c: ea008036 b 0x200ec
6 10: ea008036 b 0x200f0
7 14: ea008036 b 0x200f4
8 18: ea008036 b 0x200f8
9 1c: ea008036 b 0x200fc
10
11 20: 02a102a1
12 24: 02a302a1
13 28: 00000040
14 2c: fffffd00
15 30: ffff9800
16 34: fffffb10
17 38: ffffff08
18 3c: 20021081
19 40: 00000800
20 44: 004000c0
21 48: 00000e85
22
23 ; RESET entry point
24 ; same init as in the C139 version
25 4c: e51f1028 ldr r1, =0xfffffd00 ; via 0x2c
26 50: e1d120b2 ldrh r2, [r1, #2]
27 54: e51f0034 ldr r0, =0x40 ; via 0x28
28 58: e1800002 orr r0, r0, r2
29 5c: e1c100b2 strh r0, [r1, #2]
30 ; disable PLL
31 ; diff from C139 version: writing 2002 into FFFF:9800 instead of 2006
32 ; diff in the BYPASS_DIV field
33 60: e51f1038 ldr r1, =0xffff9800 ; via 0x30
34 64: e15f22be ldrh r2, =0x2002 ; via 0x3e
35 68: e1c120b0 strh r2, [r1]
36 6c: e5912000 ldr r2, [r1]
37 70: e2022001 and r2, r2, #1
38 74: e3520001 cmp r2, #1
39 78: 0afffffb beq 0x6c
40 ; FFFF:FD00 write same as C139
41 7c: e51f1058 ldr r1, =0xfffffd00 ; via 0x2c
42 80: e15f24bc ldrh r2, =0x1081 ; via 0x3c
43 84: e1c120b0 strh r2, [r1]
44 ; disable DU like C139
45 88: e51f105c ldr r1, =0xfffffb10 ; via 0x34
46 8c: e15f25b4 ldrh r2, =0x800 ; via 0x40
47 90: e1d100b0 ldrh r0, [r1]
48 94: e1800002 orr r0, r0, r2
49 98: e1c100b0 strh r0, [r1]
50 ; ditto for MPU
51 9c: e51f106c ldr r1, =0xffffff08 ; via 0x38
52 a0: e15f26b6 ldrh r2, =0x0 ; via 0x42
53 a4: e1c120b0 strh r2, [r1]
54 ; Memory timings
55 a8: e59f1640 ldr r1, =0xfffffb00 ; via 0x6f0
56 ac: e15f29b4 ldrh r2, =0x2a1 ; via 0x20
57 b0: e1c120b0 strh r2, [r1]
58 b4: e15f29ba ldrh r2, =0x2a1 ; via 0x22
59 b8: e1c120b2 strh r2, [r1, #2]
60 bc: e15f2ab0 ldrh r2, =0x2a1 ; via 0x24
61 c0: e1c120b4 strh r2, [r1, #4]
62 c4: e15f2ab6 ldrh r2, =0x2a3 ; via 0x26
63 c8: e1c120b6 strh r2, [r1, #6]
64 cc: e15f28bc ldrh r2, =0xe85 ; via 0x48
65 d0: e1c120ba strh r2, [r1, #10] ; 0xa
66 d4: e15f29b8 ldrh r2, =0xc0 ; via 0x44
67 d8: e1c120bc strh r2, [r1, #12] ; 0xc
68 dc: e15f29be ldrh r2, =0x40 ; via 0x46
69 e0: e1c120b8 strh r2, [r1, #8]
70 ; enable 8 MiB chip select regions
71 e4: e59f3630 ldr r3, =0xfffef006 ; via 0x71c
72 e8: e1d310b0 ldrh r1, [r3]
73 ec: e3a02008 mov r2, #8
74 f0: e1811002 orr r1, r1, r2
75 f4: e1c310b0 strh r1, [r3]
76 ; write 0x0110 into FFFE:F00A
77 ; enable I/O(8) and I/O(12)
78 f8: e59f3604 ldr r3, =0xfffef000 ; via 0x704
79 fc: e3a01e11 mov r1, #272 ; 0x110
80 100: e1c310ba strh r1, [r3, #10] ; 0xa
81 ; FFFE:4804: set GPIOs 8 and 12 as outputs
82 104: e59f3604 ldr r3, =0xfffe4804 ; via 0x710
83 108: e5931000 ldr r1, [r3]
84 10c: e3a030ff mov r3, #255 ; 0xff
85 110: e3a02cee mov r2, #60928 ; 0xee00
86 114: e1822003 orr r2, r2, r3
87 118: e0011002 and r1, r1, r2
88 11c: e59f35e4 ldr r3, =0xfffe4800 ; via 0x708
89 120: e1c310b4 strh r1, [r3, #4]
90 ; ARMIO_LATCH_OUT: GPIO 8 set to 0
91 124: e59f35e0 ldr r3, =0xfffe4802 ; via 0x70c
92 128: e5931000 ldr r1, [r3]
93 12c: e3a030ff mov r3, #255 ; 0xff
94 130: e3a02cfe mov r2, #65024 ; 0xfe00
95 134: e1822003 orr r2, r2, r3
96 138: e0011002 and r1, r1, r2
97 13c: e59f35c4 ldr r3, =0xfffe4800 ; via 0x708
98 140: e1c310b2 strh r1, [r3, #2]
99 ; ... and then reset it to 0xF400
100 144: e3a01b3d mov r1, #62464 ; 0xf400
101 148: e59f35b8 ldr r3, =0xfffe4800 ; via 0x708
102 14c: e1c310b2 strh r1, [r3, #2]
103 ; SVC mode, IRQ and FIQ disabled
104 150: e10f0000 mrs r0, CPSR
105 154: e3c0001f bic r0, r0, #31 ; 0x1f
106 158: e3800013 orr r0, r0, #19 ; 0x13
107 15c: e38000c0 orr r0, r0, #192 ; 0xc0
108 160: e129f000 msr CPSR_fc, r0
109 ; zero all 256 KiB IRAM except last 128 bytes
110 164: e3a00502 mov r0, #8388608 ; 0x800000
111 168: e3a02000 mov r2, #0
112 16c: e3a01721 mov r1, #8650752 ; 0x840000
113 170: e2411080 sub r1, r1, #128 ; 0x80
114 174: e4802004 str r2, [r0], #4
115 178: e1500001 cmp r0, r1
116 17c: 1afffffc bne 0x174
117 ; ditto for 2 MiB XRAM
118 180: e3a00401 mov r0, #16777216 ; 0x1000000
119 184: e3a02000 mov r2, #0
120 188: e3a01612 mov r1, #18874368 ; 0x1200000
121 18c: e2411080 sub r1, r1, #128 ; 0x80
122 190: e4802004 str r2, [r0], #4
123 194: e1500001 cmp r0, r1
124 198: 1afffffc bne 0x190
125 ; MODEM UART
126 19c: e59f0550 ldr r0, =0xffff5800 ; via 0x6f4
127 ; 0 into LCR for IER access
128 1a0: e3a01000 mov r1, #0
129 1a4: e5c01003 strb r1, [r0, #3]
130 ; clear IER
131 1a8: e3a01000 mov r1, #0
132 1ac: e5c01001 strb r1, [r0, #1]
133 ; BF into LCR
134 1b0: e3a010bf mov r1, #191 ; 0xbf
135 1b4: e5c01003 strb r1, [r0, #3]
136 ; 0x10 into EFR
137 1b8: e3a01010 mov r1, #16 ; 0x10
138 1bc: e5c01002 strb r1, [r0, #2]
139 ; set 115200 baud
140 1c0: e59f3534 ldr r3, =0xffff5803 ; via 0x6fc
141 1c4: e5931000 ldr r1, [r3]
142 1c8: e3811080 orr r1, r1, #128 ; 0x80
143 1cc: e5c31000 strb r1, [r3]
144 1d0: e3a01007 mov r1, #7
145 1d4: e5c01000 strb r1, [r0]
146 1d8: e3a01000 mov r1, #0
147 1dc: e5c01001 strb r1, [r0, #1]
148 ; LCR will eventually get back to 03
149 1e0: e59f3514 ldr r3, =0xffff5803 ; via 0x6fc
150 1e4: e5931000 ldr r1, [r3]
151 1e8: e201107f and r1, r1, #127 ; 0x7f
152 1ec: e5c31000 strb r1, [r3]
153 1f0: e5931000 ldr r1, [r3]
154 1f4: e3811003 orr r1, r1, #3
155 1f8: e5c31000 strb r1, [r3]
156 ; 0x40 into MCR: TCR/TLR access
157 1fc: e3a01040 mov r1, #64 ; 0x40
158 200: e5c01004 strb r1, [r0, #4]
159 ; TCR=0x0F (same as default)
160 204: e3a0100f mov r1, #15 ; 0xf
161 208: e5c01006 strb r1, [r0, #6]
162 ; BF into LCR again
163 20c: e3a010bf mov r1, #191 ; 0xbf
164 210: e5c01003 strb r1, [r0, #3]
165 ; 0x10 into EFR again
166 214: e3a01010 mov r1, #16 ; 0x10
167 218: e5c01002 strb r1, [r0, #2]
168 ; finally 03 into LCR
169 21c: e3a01003 mov r1, #3
170 220: e5c01003 strb r1, [r0, #3]
171 ; clear SCR (default, all weird stuff disabled)
172 224: e3a01000 mov r1, #0
173 228: e5c01010 strb r1, [r0, #16] ; 0x10
174 ; FCR=06: FIFOs cleared and *disabled*
175 22c: e3a01006 mov r1, #6
176 230: e5c01002 strb r1, [r0, #2]
177 ; MCR=0F
178 234: e3a0100f mov r1, #15 ; 0xf
179 238: e5c01004 strb r1, [r0, #4]
180 ; FCR=F1: enable FIFOs with max trigger levels
181 23c: e3a010f1 mov r1, #241 ; 0xf1
182 240: e5c01002 strb r1, [r0, #2]
183 ; MDR1: write 7 for reset, then 0 for UART mode
184 244: e3a01007 mov r1, #7
185 248: e5c01008 strb r1, [r0, #8]
186 24c: e3a01000 mov r1, #0
187 250: e5c01008 strb r1, [r0, #8]
188 ; IER: enable Rx interrupt
189 254: e59f349c ldr r3, =0xffff5801 ; via 0x6f8
190 258: e5931000 ldr r1, [r3]
191 25c: e3811001 orr r1, r1, #1
192 260: e5c31000 strb r1, [r3]
193 ; nCS0: WS=3, write enable, DC=1
194 264: e59f1484 ldr r1, =0xfffffb00 ; via 0x6f0
195 268: e59f247c ldr r2, =0x2a3 ; via 0x6ec
196 26c: e1c120b0 strh r2, [r1]
197 ; FFFF:FB0E = 0x6A: adapt enabled for RHEA and API,
198 ; all ARM7 cycles visible externally
199 270: e59f3488 ldr r3, =0xfffffb00 ; via 0x700
200 274: e3a0106a mov r1, #106 ; 0x6a
201 278: e1c310be strh r1, [r3, #14] ; 0xe
202 ; dingle UART FIFOs again, same settings
203 27c: e59f0470 ldr r0, =0xffff5800 ; via 0x6f4
204 280: e3a010f7 mov r1, #247 ; 0xf7
205 284: e5c01002 strb r1, [r0, #2]
206 288: e3a010f1 mov r1, #241 ; 0xf1
207 28c: e5c01002 strb r1, [r0, #2]
208 ; short delay loop
209 290: e3a01f4b mov r1, #300 ; 0x12c
210 294: e2411001 sub r1, r1, #1
211 298: e3510000 cmp r1, #0
212 29c: 1afffffc bne 0x294
213 ; check UART for unsolicited input?
214 2a0: e59f044c ldr r0, =0xffff5800 ; via 0x6f4
215 2a4: e3a02064 mov r2, #100 ; 0x64
216 2a8: e3a08801 mov r8, #65536 ; 0x10000
217 2ac: e2488001 sub r8, r8, #1
218 2b0: e3580000 cmp r8, #0
219 2b4: 0a000040 beq 0x3bc
220 2b8: e5d01005 ldrb r1, [r0, #5]
221 2bc: e2011001 and r1, r1, #1
222 2c0: e3510001 cmp r1, #1
223 2c4: 1afffff8 bne 0x2ac
224 2c8: e5d01000 ldrb r1, [r0]
225 ; unsolicited input received
226 ; repeats the whole UART init, but with /2 div for 406250 baud
227 2cc: e59f0420 ldr r0, =0xffff5800 ; via 0x6f4
228 2d0: e3a01000 mov r1, #0
229 2d4: e5c01003 strb r1, [r0, #3]
230 2d8: e3a01000 mov r1, #0
231 2dc: e5c01001 strb r1, [r0, #1]
232 2e0: e3a010bf mov r1, #191 ; 0xbf
233 2e4: e5c01003 strb r1, [r0, #3]
234 2e8: e3a01010 mov r1, #16 ; 0x10
235 2ec: e5c01002 strb r1, [r0, #2]
236 2f0: e59f3404 ldr r3, =0xffff5803 ; via 0x6fc
237 2f4: e5931000 ldr r1, [r3]
238 2f8: e3811080 orr r1, r1, #128 ; 0x80
239 2fc: e5c31000 strb r1, [r3]
240 300: e3a01002 mov r1, #2
241 304: e5c01000 strb r1, [r0]
242 308: e3a01000 mov r1, #0
243 30c: e5c01001 strb r1, [r0, #1]
244 310: e59f33e4 ldr r3, =0xffff5803 ; via 0x6fc
245 314: e5931000 ldr r1, [r3]
246 318: e201107f and r1, r1, #127 ; 0x7f
247 31c: e5c31000 strb r1, [r3]
248 320: e5931000 ldr r1, [r3]
249 324: e3811003 orr r1, r1, #3
250 328: e5c31000 strb r1, [r3]
251 32c: e3a01040 mov r1, #64 ; 0x40
252 330: e5c01004 strb r1, [r0, #4]
253 334: e3a0100f mov r1, #15 ; 0xf
254 338: e5c01006 strb r1, [r0, #6]
255 33c: e3a010bf mov r1, #191 ; 0xbf
256 340: e5c01003 strb r1, [r0, #3]
257 344: e3a01010 mov r1, #16 ; 0x10
258 348: e5c01002 strb r1, [r0, #2]
259 34c: e3a01003 mov r1, #3
260 350: e5c01003 strb r1, [r0, #3]
261 354: e3a01000 mov r1, #0
262 358: e5c01010 strb r1, [r0, #16] ; 0x10
263 35c: e3a01006 mov r1, #6
264 360: e5c01002 strb r1, [r0, #2]
265 364: e3a0100f mov r1, #15 ; 0xf
266 368: e5c01004 strb r1, [r0, #4]
267 36c: e3a010f1 mov r1, #241 ; 0xf1
268 370: e5c01002 strb r1, [r0, #2]
269 374: e3a01007 mov r1, #7
270 378: e5c01008 strb r1, [r0, #8]
271 37c: e3a01000 mov r1, #0
272 380: e5c01008 strb r1, [r0, #8]
273 384: e59f336c ldr r3, =0xffff5801 ; via 0x6f8
274 388: e5931000 ldr r1, [r3]
275 38c: e3811001 orr r1, r1, #1
276 390: e5c31000 strb r1, [r3]
277 394: e59f0358 ldr r0, =0xffff5800 ; via 0x6f4
278 398: e3a010f7 mov r1, #247 ; 0xf7
279 39c: e5c01002 strb r1, [r0, #2]
280 3a0: e3a010f1 mov r1, #241 ; 0xf1
281 3a4: e5c01002 strb r1, [r0, #2]
282 3a8: e3a01f4b mov r1, #300 ; 0x12c
283 3ac: e2411001 sub r1, r1, #1
284 3b0: e3510000 cmp r1, #0
285 3b4: 1afffffc bne 0x3ac
286 3b8: e59f0334 ldr r0, =0xffff5800 ; via 0x6f4
287 ; normal path continues
288 ; emit 1B F6 02 00 41 01 40
289 3bc: e3a0101b mov r1, #27 ; 0x1b
290 3c0: e5c01000 strb r1, [r0]
291 3c4: e3a010f6 mov r1, #246 ; 0xf6
292 3c8: e5c01000 strb r1, [r0]
293 3cc: e3a01002 mov r1, #2
294 3d0: e5c01000 strb r1, [r0]
295 3d4: e3a01000 mov r1, #0
296 3d8: e5c01000 strb r1, [r0]
297 3dc: e3a01041 mov r1, #65 ; 0x41
298 3e0: e5c01000 strb r1, [r0]
299 3e4: e3a01001 mov r1, #1
300 3e8: e5c01000 strb r1, [r0]
301 3ec: e3a01040 mov r1, #64 ; 0x40
302 3f0: e5c01000 strb r1, [r0]
303 ; wait for UART input
304 3f4: e3a02064 mov r2, #100 ; 0x64
305 3f8: e3a08701 mov r8, #262144 ; 0x40000
306 3fc: e2488001 sub r8, r8, #1
307 400: e3580000 cmp r8, #0
308 404: 0a0000aa beq 0x6b4
309 408: e5d01005 ldrb r1, [r0, #5]
310 40c: e2011001 and r1, r1, #1
311 410: e3510001 cmp r1, #1
312 414: 1afffff8 bne 0x3fc
313 418: e5d01000 ldrb r1, [r0]
314 41c: e3510000 cmp r1, #0
315 420: 1a000003 bne 0x434
316 424: e2422001 sub r2, r2, #1
317 428: e3520000 cmp r2, #0
318 42c: 0a0000a0 beq 0x6b4
319 430: eafffff1 b 0x3fc
320 434: e351001b cmp r1, #27 ; 0x1b
321 438: 1affffef bne 0x3fc
322 ; got 1B
323 43c: e3a08701 mov r8, #262144 ; 0x40000
324 440: e2488001 sub r8, r8, #1
325 444: e3580000 cmp r8, #0
326 448: 0a000099 beq 0x6b4
327 44c: e5d01005 ldrb r1, [r0, #5]
328 450: e2011001 and r1, r1, #1
329 454: e3510001 cmp r1, #1
330 458: 1afffff8 bne 0x440
331 45c: e5d01000 ldrb r1, [r0]
332 460: e35100f6 cmp r1, #246 ; 0xf6
333 464: 1a000092 bne 0x6b4
334 ; got F6
335 468: e3a08801 mov r8, #65536 ; 0x10000
336 46c: e2488001 sub r8, r8, #1
337 470: e3580000 cmp r8, #0
338 474: 0a00008e beq 0x6b4
339 478: e5d01005 ldrb r1, [r0, #5]
340 47c: e2011001 and r1, r1, #1
341 480: e3510001 cmp r1, #1
342 484: 1afffff8 bne 0x46c
343 488: e5d01000 ldrb r1, [r0]
344 48c: e3510002 cmp r1, #2
345 490: 1a000087 bne 0x6b4
346 ; got 02
347 494: e3a08801 mov r8, #65536 ; 0x10000
348 498: e2488001 sub r8, r8, #1
349 49c: e3580000 cmp r8, #0
350 4a0: 0a000083 beq 0x6b4
351 4a4: e5d01005 ldrb r1, [r0, #5]
352 4a8: e2011001 and r1, r1, #1
353 4ac: e3510001 cmp r1, #1
354 4b0: 1afffff8 bne 0x498
355 4b4: e5d01000 ldrb r1, [r0]
356 4b8: e3510000 cmp r1, #0
357 4bc: 1a00007c bne 0x6b4
358 ; got 00
359 4c0: e3a08801 mov r8, #65536 ; 0x10000
360 4c4: e2488001 sub r8, r8, #1
361 4c8: e3580000 cmp r8, #0
362 4cc: 0a000078 beq 0x6b4
363 4d0: e5d01005 ldrb r1, [r0, #5]
364 4d4: e2011001 and r1, r1, #1
365 4d8: e3510001 cmp r1, #1
366 4dc: 1afffff8 bne 0x4c4
367 4e0: e5d01000 ldrb r1, [r0]
368 4e4: e3510052 cmp r1, #82 ; 0x52
369 4e8: 1a000071 bne 0x6b4
370 ; got 52
371 4ec: e3a08801 mov r8, #65536 ; 0x10000
372 4f0: e2488001 sub r8, r8, #1
373 4f4: e3580000 cmp r8, #0
374 4f8: 0a00006d beq 0x6b4
375 4fc: e5d01005 ldrb r1, [r0, #5]
376 500: e2011001 and r1, r1, #1
377 504: e3510001 cmp r1, #1
378 508: 1afffff8 bne 0x4f0
379 50c: e5d01000 ldrb r1, [r0]
380 510: e3510001 cmp r1, #1
381 514: 1a000066 bne 0x6b4
382 ; got 01
383 518: e3a08801 mov r8, #65536 ; 0x10000
384 51c: e2488001 sub r8, r8, #1
385 520: e3580000 cmp r8, #0
386 524: 0a000062 beq 0x6b4
387 528: e5d01005 ldrb r1, [r0, #5]
388 52c: e2011001 and r1, r1, #1
389 530: e3510001 cmp r1, #1
390 534: 1afffff8 bne 0x51c
391 538: e59f01b4 ldr r0, =0xffff5800 ; via 0x6f4
392 53c: e5d01000 ldrb r1, [r0]
393 ; emit 1B F6 02 00 41 02 43 before checking the last Rx char!
394 540: e3a0201b mov r2, #27 ; 0x1b
395 544: e5c02000 strb r2, [r0]
396 548: e3a020f6 mov r2, #246 ; 0xf6
397 54c: e5c02000 strb r2, [r0]
398 550: e3a02002 mov r2, #2
399 554: e5c02000 strb r2, [r0]
400 558: e3a02000 mov r2, #0
401 55c: e5c02000 strb r2, [r0]
402 560: e3a02041 mov r2, #65 ; 0x41
403 564: e5c02000 strb r2, [r0]
404 568: e3a02002 mov r2, #2
405 56c: e5c02000 strb r2, [r0]
406 570: e3a02043 mov r2, #67 ; 0x43
407 574: e5c02000 strb r2, [r0]
408 ; now check for 53
409 ; if not 53, go back to wait for 01-53
410 578: e3510053 cmp r1, #83 ; 0x53
411 57c: 0a000000 beq 0x584
412 580: eaffffda b 0x4f0
413 ; got 53
414 584: e3a02000 mov r2, #0
415 588: e59f3190 ldr r3, =0x800100 ; via 0x720
416 58c: e3a04000 mov r4, #0
417 590: e3a05001 mov r5, #1
418 ; endless wait for Rx byte
419 594: e5d01005 ldrb r1, [r0, #5]
420 598: e2011001 and r1, r1, #1
421 59c: e3510001 cmp r1, #1
422 5a0: 1afffffb bne 0x594
423 5a4: e5d01000 ldrb r1, [r0]
424 ; state machine dispatch
425 5a8: e3520000 cmp r2, #0
426 5ac: 0a000008 beq 0x5d4
427 5b0: e3520001 cmp r2, #1
428 5b4: 0a00000b beq 0x5e8
429 5b8: e3520002 cmp r2, #2
430 5bc: 0a00000d beq 0x5f8
431 5c0: e3520003 cmp r2, #3
432 5c4: 0a00000f beq 0x608
433 5c8: e3520004 cmp r2, #4
434 5cc: 0a000015 beq 0x628
435 5d0: ea000037 b 0x6b4
436 ; R2=0: must receive 02 first
437 5d4: e3510002 cmp r1, #2
438 5d8: 1affffed bne 0x594
439 5dc: e1a06001 mov r6, r1
440 5e0: e2822001 add r2, r2, #1
441 5e4: eaffffea b 0x594
442 ; R2=1: got MSB of length
443 5e8: e1a04401 mov r4, r1, lsl #8
444 5ec: e0266001 eor r6, r6, r1
445 5f0: e2822001 add r2, r2, #1
446 5f4: eaffffe6 b 0x594
447 ; R2=2: got LSB of length
448 5f8: e0844001 add r4, r4, r1
449 5fc: e0266001 eor r6, r6, r1
450 600: e2822001 add r2, r2, #1
451 604: eaffffe2 b 0x594
452 ; R2=3: payload
453 608: e5c31000 strb r1, [r3]
454 60c: e0266001 eor r6, r6, r1
455 610: e2833001 add r3, r3, #1
456 614: e2444001 sub r4, r4, #1
457 618: e3540000 cmp r4, #0
458 61c: 1affffdc bne 0x594
459 620: e2822001 add r2, r2, #1
460 624: eaffffda b 0x594
461 ; R2=4: checksum expected
462 628: e1560001 cmp r6, r1
463 62c: 1a000012 bne 0x67c
464 ; checksum good
465 ; emit 1B F6 02 00 41 03 42
466 630: e3a0101b mov r1, #27 ; 0x1b
467 634: e5c01000 strb r1, [r0]
468 638: e3a010f6 mov r1, #246 ; 0xf6
469 63c: e5c01000 strb r1, [r0]
470 640: e3a01002 mov r1, #2
471 644: e5c01000 strb r1, [r0]
472 648: e3a01000 mov r1, #0
473 64c: e5c01000 strb r1, [r0]
474 650: e3a01041 mov r1, #65 ; 0x41
475 654: e5c01000 strb r1, [r0]
476 658: e3a01003 mov r1, #3
477 65c: e5c01000 strb r1, [r0]
478 660: e3a01042 mov r1, #66 ; 0x42
479 664: e5c01000 strb r1, [r0]
480 ; SP=0x803FFC
481 668: e59f00b4 ldr r0, =0x803ffc ; via 0x724
482 66c: e1a0d000 mov sp, r0
483 ; jump to 0x800100 in Thumb state
484 670: e59f00a8 ldr r0, =0x800100 ; via 0x720
485 674: e280e001 add lr, r0, #1
486 678: e12fff1e bx lr
487 ; checksum mismatch
488 ; emit 1B F6 02 00 45 53 16
489 67c: e3a0101b mov r1, #27 ; 0x1b
490 680: e5c01000 strb r1, [r0]
491 684: e3a010f6 mov r1, #246 ; 0xf6
492 688: e5c01000 strb r1, [r0]
493 68c: e3a01002 mov r1, #2
494 690: e5c01000 strb r1, [r0]
495 694: e3a01000 mov r1, #0
496 698: e5c01000 strb r1, [r0]
497 69c: e3a01045 mov r1, #69 ; 0x45
498 6a0: e5c01000 strb r1, [r0]
499 6a4: e3a01053 mov r1, #83 ; 0x53
500 6a8: e5c01000 strb r1, [r0]
501 6ac: e3a01016 mov r1, #22 ; 0x16
502 6b0: e5c01000 strb r1, [r0]
503 ; bail out path
504 ; ARMIO_LATCH_OUT: set GPIO 9 low
505 6b4: e59f3050 ldr r3, =0xfffe4802 ; via 0x70c
506 6b8: e5931000 ldr r1, [r3]
507 6bc: e3a030ff mov r3, #255 ; 0xff
508 6c0: e3a02cfd mov r2, #64768 ; 0xfd00
509 6c4: e1822003 orr r2, r2, r3
510 6c8: e0011002 and r1, r1, r2
511 6cc: e59f3034 ldr r3, =0xfffe4800 ; via 0x708
512 6d0: e1c310b2 strh r1, [r3, #2]
513 ; switch GPIO12 back to input
514 6d4: e59f3034 ldr r3, =0xfffe4804 ; via 0x710
515 6d8: e5931000 ldr r1, [r3]
516 6dc: e3811a01 orr r1, r1, #4096 ; 0x1000
517 6e0: e59f3020 ldr r3, =0xfffe4800 ; via 0x708
518 6e4: e1c310b4 strh r1, [r3, #4]
519 6e8: ea007e7c b 0x200e0
520
521 6ec: 000002a3
522 6f0: fffffb00
523 6f4: ffff5800
524 6f8: ffff5801
525 6fc: ffff5803
526 700: fffffb00
527 704: fffef000
528 708: fffe4800
529 70c: fffe4802
530 710: fffe4804
531 714: fffe480c
532 718: fffe480a
533 71c: fffef006
534 720: 00800100
535 724: 00803ffc
536
537 <728-7FF: all FFs>
538
539 00000800: 42 4F 4F 54 2E 39 30 2E 30 35 00 00 00 00 00 00 BOOT.90.05......
540 00000810: 31 30 30 33 01 02 00 00 FF FF FF FF FF FF FF FF 1003............
541 00000820: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
542
543 blank flash from here onward, until the main fw image starts at 0x20000