freecalypso-reveng: bootrom.disasm comparison

comparison bootrom.disasm @ 8:a06573cacb6e

boot ROM re: trying to understand the code that runs after '<' received

author	Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
date	Wed, 17 Apr 2013 06:25:19 +0000
parents	8c2621b2ed37
children	a51729642295

comparison

equal deleted inserted replaced

-:a445735685ba
+:a06573cacb6e
 c:	ea200004 	b	0x800024
 10:	ea200004 	b	0x800028
 14:	ea200004 	b	0x80002c
 18:	ea200004 	b	0x800030
 1c:	ea200004 	b	0x800034
+; The following routine (starting at 0x20) is used to transfer control
+; to nCS0 application images that are designed to work with no internal
+; boot ROM "in the way", i.e., images identified by a 1 in the 0x2000 word.
+; The present routine is copied to the internal RAM and executed there.
+;
+; The routine itself takes one argument in R0 and uses it to set the
+; nIBOOT override bits in the FFFF:FB10 register.  If R0==1, bits <9:8>
+; of this register are set to 11, putting nCS0 at address 0.  If R0==0,
+; the bits are set to 01, putting the internal ROM at 0.  Otherwise,
+; the bits are set to 00, restoring the nIBOOT pin configuration.
+; (In actual operation the argument passed to this function is the word
+; from 0x2000, so it's equal to 1.)  Then the routine causes the
+; watchdog timer to go off, resetting the ARM.
 20:	e24dd004 	sub	sp, sp, #4	; 0x4
 24:	e59f20b8 	ldr	r2, =0xFFFFFB10	; via 0xe4
 28:	e1d2c0b0 	ldrh	r12, [r2]
 2c:	e20c10ff 	and	r1, r12, #255	; 0xff
 d4:	e15c0000 	cmp	r12, r0
 d8:	bafffff7 	blt	0xbc
 dc:	e28dd004 	add	sp, sp, #4	; 0x4
 e0:	e12fff1e 	bx	lr
-; literal pool
+; literal pool for the above routine
 e4:	fffffb10
 e8:	000080f5
+; end of the code copied to the internal RAM for booting type 1 images
 ec:	e92d4010 	stmdb	sp!, {r4, lr}
 f0:	e59fcd0c 	ldr	r12, [pc, #3340]	; 0xe04
 f4:	e59c4014 	ldr	r4, [r12, #20]
 f8:	e59f0d08 	ldr	r0, [pc, #3336]	; 0xe08
 100:	e790c10c 	ldr	r12, [r0, r12, lsl #2]
 104:	e28c0005 	add	r0, r12, #5	; 0x5
 108:	e5d0c000 	ldrb	r12, [r0]
 10c:	e31c0040 	tst	r12, #64	; 0x40
 110:	0afffffc 	beq	0x108
-114:	eb000513 	bl	0x1568
+114:	eb000513 	bl	0x1568		; IND_CALL
 118:	eafffffe 	b	0x118
 11c:	e3a0c004 	mov	r12, #4	; 0x4
 120:	e5c0c000 	strb	r12, [r0]
 124:	e3a0c000 	mov	r12, #0	; 0x0
 ee4:	e1830205 	orr	r0, r3, r5, lsl #4
 ee8:	e3800cff 	orr	r0, r0, #65280	; 0xff00
 eec:	e10600bc 	strh	r0, [r6, -r12]
 ef0:	e8bd8070 	ldmia	sp!, {r4, r5, r6, pc}
+; The routine at 0xef4 gets called from main() after a '<' character
+; has been received and autoboot thereby interrupted in the
+; autoboot-enabled flash state.
 ef4:	e92d4070 	stmdb	sp!, {r4, r5, r6, lr}
-ef8:	e59fc3e4 	ldr	r12, [pc, #996]	; 0x12e4
+ef8:	e59fc3e4 	ldr	r12, =0xFFFFF900	; via 0x12e4
 efc:	e1dc40b0 	ldrh	r4, [r12]
-f00:	e59f33d0 	ldr	r3, [pc, #976]	; 0x12d8
+; original value of FFFF:F900 saved in R4
+; now set it to FF22, just like the 0xe2c init routine did
+f00:	e59f33d0 	ldr	r3, =0xFFFFFD00	; via 0x12d8
 f04:	e3a05b01 	mov	r5, #1024	; 0x400
 f08:	e3a0c801 	mov	r12, #65536	; 0x10000
 f0c:	e24cc0de 	sub	r12, r12, #222	; 0xde
 f10:	e103c0b5 	strh	r12, [r3, -r5]
-f14:	e59f63c0 	ldr	r6, [pc, #960]	; 0x12dc
+; write 0x2002 to FFFF:9800, again just like 0xe2c did
-f18:	e59fc3c0 	ldr	r12, [pc, #960]	; 0x12e0
+f14:	e59f63c0 	ldr	r6, =0xFFFF9800	; via 0x12dc
+f18:	e59fc3c0 	ldr	r12, =0x2002	; via 0x12e0
 f1c:	e1c6c0b0 	strh	r12, [r6]
 f20:	e1b05f8c 	movs	r5, r12, lsl #31
 f24:	1afffffd 	bne	0xf20
 f28:	e181c102 	orr	r12, r1, r2, lsl #2
 f2c:	e1a0c28c 	mov	r12, r12, lsl #5
 fa4:	1afffffd 	bne	0xfa0
 fa8:	e3a0cb01 	mov	r12, #1024	; 0x400
 fac:	e10340bc 	strh	r4, [r3, -r12]
 fb0:	e8bd8070 	ldmia	sp!, {r4, r5, r6, pc}
+; Routine 0xfb4 gets called from main() where the boot code is giving
+; the UARTs a chance to interrupt the autoboot process before transferring
+; control to the nCS0 image.
+;
+; Arguments: both R0 and R1 point to byte variables acting as additional
+; function outputs.
+;
+; If a '<' character is received on either UART, the function returns
+; without further fuss.  If nothing was received on either UART, it
+; also returns without further fuss.  However, if the "wrong" byte value
+; was received on either UART, the function flips the VCLKOUT_DIV2 bit
+; in the FFFF:FD02 register - it is the boot code's way of figuring out
+; whether the input clock is 13 or 26 MHz.
+;
+; Return values:
+;   In R0:  1 if '<' received, 0 otherwise
+;   In *R0: UART ID if '<' received, FF otherwise
+;   In *R1: final state of the 800534 byte variable
+;
+; The latter variable records the state of the divide-by-2.  On the first
+; try, the divide-by-2 is enabled, and the variable contains 0.  When this
+; function disables the /2, the variable is set to 1.  It keeps toggling
+; back and forth as wrong bytes come in.
 fb4:	e3a0c0ff 	mov	r12, #255	; 0xff
 fb8:	e5c0c000 	strb	r12, [r0]
-fbc:	e59fc324 	ldr	r12, [pc, #804]	; 0x12e8
+; check the MODEM UART first
+fbc:	e59fc324 	ldr	r12, =0xFFFF5000	; via 0x12e8
 fc0:	e5dc2805 	ldrb	r2, [r12, #2053]
 fc4:	e1b02f82 	movs	r2, r2, lsl #31
 fc8:	1a000001 	bne	0xfd4
 fcc:	e3a02000 	mov	r2, #0	; 0x0
 fd0:	ea000003 	b	0xfe4
 fd4:	e5dc2800 	ldrb	r2, [r12, #2048]
 fd8:	e352003c 	cmp	r2, #60	; 0x3c
 fdc:	0a000024 	beq	0x1074
 fe0:	e3a02001 	mov	r2, #1	; 0x1
+; Control gets here if no '<' was received on the MODEM UART.
+; R2 contains 1 if some other byte value was received, or 0 if nothing.
+; Now check the IrDA UART.
 fe4:	e5dc3005 	ldrb	r3, [r12, #5]
 fe8:	e1b03f83 	movs	r3, r3, lsl #31
 fec:	1a000002 	bne	0xffc
 ff0:	e3520001 	cmp	r2, #1	; 0x1
 ff4:	0a000003 	beq	0x1008
 ff8:	ea000015 	b	0x1054
 ffc:	e5dcc000 	ldrb	r12, [r12]
 1000:	e35c003c 	cmp	r12, #60	; 0x3c
 1004:	0a000017 	beq	0x1068
-1008:	e59fc2dc 	ldr	r12, [pc, #732]	; 0x12ec
+; control gets here if the "wrong" byte value was received on either UART
+1008:	e59fc2dc 	ldr	r12, =0x800534	; via 0x12ec
 100c:	e5dc0000 	ldrb	r0, [r12]
 1010:	e3500000 	cmp	r0, #0	; 0x0
 1014:	1a000008 	bne	0x103c
 1018:	e3a00001 	mov	r0, #1	; 0x1
 101c:	e5cc0000 	strb	r0, [r12]
-1020:	e59f02c8 	ldr	r0, [pc, #712]	; 0x12f0
+1020:	e59f02c8 	ldr	r0, =0xFFFFFD02	; via 0x12f0
 1024:	e1d0c0b0 	ldrh	r12, [r0]
 1028:	e20c20bf 	and	r2, r12, #191	; 0xbf
 102c:	e20cccff 	and	r12, r12, #65280	; 0xff00
 1030:	e182c00c 	orr	r12, r2, r12
 1034:	e1c0c0b0 	strh	r12, [r0]
 1038:	ea000005 	b	0x1054
 103c:	e3a00000 	mov	r0, #0	; 0x0
 1040:	e5cc0000 	strb	r0, [r12]
-1044:	e59fc2a4 	ldr	r12, [pc, #676]	; 0x12f0
+1044:	e59fc2a4 	ldr	r12, =0xFFFFFD02	; via 0x12f0
 1048:	e1dc00b0 	ldrh	r0, [r12]
 104c:	e3800040 	orr	r0, r0, #64	; 0x40
 1050:	e1cc00b0 	strh	r0, [r12]
-1054:	e59fc290 	ldr	r12, [pc, #656]	; 0x12ec
+1054:	e59fc290 	ldr	r12, =0x800534	; via 0x12ec
 1058:	e5dcc000 	ldrb	r12, [r12]
 105c:	e5c1c000 	strb	r12, [r1]
 1060:	e3a00000 	mov	r0, #0	; 0x0
 1064:	e12fff1e 	bx	lr
+; control gets here if a '<' character was received on the IrDA UART
 1068:	e3a0c001 	mov	r12, #1	; 0x1
 106c:	e5c0c000 	strb	r12, [r0]
 1070:	ea000001 	b	0x107c
+; control gets here if a '<' character was received on the MODEM UART
 1074:	e3a0c000 	mov	r12, #0	; 0x0
 1078:	e5c0c000 	strb	r12, [r0]
-107c:	e59fc268 	ldr	r12, [pc, #616]	; 0x12ec
+107c:	e59fc268 	ldr	r12, =0x800534	; via 0x12ec
 1080:	e5dcc000 	ldrb	r12, [r12]
 1084:	e5c1c000 	strb	r12, [r1]
 1088:	e3a00001 	mov	r0, #1	; 0x1
 108c:	e12fff1e 	bx	lr
 1238:	e38cc040 	orr	r12, r12, #64	; 0x40
 123c:	e1c6c0b0 	strh	r12, [r6]
 1240:	e59f10b0 	ldr	r1, =0x800524	; via 0x12f8
 1244:	e2415004 	sub	r5, r1, #4	; 0x4
 1248:	e59f40b0 	ldr	r4, =0x373C	; via 0x1300
+; the retry count loaded into R4 is 14140 in decimal
 124c:	e1a00005 	mov	r0, r5
+; call made with R0=0x800520, R1=0x800524
 1250:	ebffff57 	bl	0xfb4
 1254:	e3500000 	cmp	r0, #0	; 0x0
 1258:	1a000001 	bne	0x1264
 125c:	e2544001 	subs	r4, r4, #1	; 0x1
 1260:	1afffff9 	bne	0x124c
 12f4:	00800518
 12f8:	00800524
 12fc:	00800104
 1300:	0000373c
+; Routine 0x1304: emit a character string through a UART
+;
+; Arguments:
+:   R0: pointer to the string
+;   R1: number of characters (bytes) to transmit
+;   R2: UART ID (0=MODEM, 1=IrDA)
 1304:	e3510000 	cmp	r1, #0	; 0x0
 1308:	012fff1e 	bxeq	lr
-130c:	e59fc178 	ldr	r12, [pc, #376]	; 0x148c
+130c:	e59fc178 	ldr	r12, =0x1FCC	; via 0x148c
 1310:	e79cc102 	ldr	r12, [r12, r2, lsl #2]
 1314:	e28c3005 	add	r3, r12, #5	; 0x5
 1318:	e5d32000 	ldrb	r2, [r3]
 131c:	e3120020 	tst	r2, #32	; 0x20
 1320:	0afffffc 	beq	0x1318
 13c8:	e5c35000 	strb	r5, [r3]
 13cc:	e2522001 	subs	r2, r2, #1	; 0x1
 13d0:	1affffed 	bne	0x138c
 13d4:	e8bd8ff0 	ldmia	sp!, {r4, r5, r6, r7, r8, r9, r10, r11, pc}
-13d8:	e59fc0ac 	ldr	r12, [pc, #172]	; 0x148c
+; The following routine switches a UART to a different baud rate.
+; Arguments:
+;   R0: baud rate index from the table at 0x1FD4
+;   R1: UART ID (0=MODEM, 1=IrDA)
+13d8:	e59fc0ac 	ldr	r12, =0x1FCC	; via 0x148c
 13dc:	e79c2101 	ldr	r2, [r12, r1, lsl #2]
 13e0:	e282c005 	add	r12, r2, #5	; 0x5
 13e4:	e5dc1000 	ldrb	r1, [r12]
 13e8:	e3110040 	tst	r1, #64	; 0x40
 13ec:	0afffffc 	beq	0x13e4
 13f0:	e282c003 	add	r12, r2, #3	; 0x3
 13f4:	e5dc1000 	ldrb	r1, [r12]
 13f8:	e3811080 	orr	r1, r1, #128	; 0x80
 13fc:	e5cc1000 	strb	r1, [r12]
-1400:	e59f108c 	ldr	r1, [pc, #140]	; 0x1494
+1400:	e59f108c 	ldr	r1, =0x1FD4	; via 0x1494
 1404:	e7d13080 	ldrb	r3, [r1, r0, lsl #1]
 1408:	e5c23001 	strb	r3, [r2, #1]
 140c:	e0810080 	add	r0, r1, r0, lsl #1
 1410:	e5d00001 	ldrb	r0, [r0, #1]
 1414:	e5c20000 	strb	r0, [r2]
 1418:	e5dc0000 	ldrb	r0, [r12]
 141c:	e200007f 	and	r0, r0, #127	; 0x7f
 1420:	e5cc0000 	strb	r0, [r12]
 1424:	e12fff1e 	bx	lr
+; 0x1428 - UART read Rx character routine
+;
+; Arguments:
+;   R0: UART ID (0=MODEM, 1=IrDA)
+;   R1: poll repeat count, 0 means wait forever
+;   R2: pointer to buffer where the received booty is stored
+;
+; Return value: 1 if a character was received, 0 otherwise
 1428:	e3510000 	cmp	r1, #0	; 0x0
 142c:	1a000006 	bne	0x144c
-1430:	e59fc054 	ldr	r12, [pc, #84]	; 0x148c
+1430:	e59fc054 	ldr	r12, =0x1FCC	; via 0x148c
 1434:	e79cc100 	ldr	r12, [r12, r0, lsl #2]
 1438:	e28c1005 	add	r1, r12, #5	; 0x5
 143c:	e5d10000 	ldrb	r0, [r1]
 1440:	e1b00f80 	movs	r0, r0, lsl #31
 1444:	0afffffc 	beq	0x143c
 1448:	ea000009 	b	0x1474
-144c:	e59fc038 	ldr	r12, [pc, #56]	; 0x148c
+144c:	e59fc038 	ldr	r12, =0x1FCC	; via 0x148c
 1450:	e79cc100 	ldr	r12, [r12, r0, lsl #2]
 1454:	e28c3005 	add	r3, r12, #5	; 0x5
 1458:	e5d30000 	ldrb	r0, [r3]
 145c:	e1b00f80 	movs	r0, r0, lsl #31
 1460:	1a000001 	bne	0x146c
 1584:	4720      	bx	r4
 1586:	46c0      	nop			(mov r8, r8)
 1588:	eafffffe 	b	0x1588
+; This routine effects the transfer of control to the flash (nCS0)
+; application image of the type indicated by the argument in R0.
+; The latter argument is the word read from 0x2000.
+; R1 contains the word read from 0x2004.
 158c:	e92d4010 	stmdb	sp!, {r4, lr}
 1590:	e1a04000 	mov	r4, r0
 1594:	e1b0c0a4 	movs	r12, r4, lsr #1
 1598:	0a000001 	beq	0x15a4
 159c:	e3a00001 	mov	r0, #1	; 0x1
 15c0:	e3540000 	cmp	r4, #0	; 0x0
 15c4:	1a000004 	bne	0x15dc
 15c8:	e38ccc01 	orr	r12, r12, #256	; 0x100
 15cc:	e1c0c0b0 	strh	r12, [r0]
 15d0:	e1a04001 	mov	r4, r1
-15d4:	ebffffe3 	bl	0x1568
+15d4:	ebffffe3 	bl	0x1568		; IND_CALL
 15d8:	e8bd8010 	ldmia	sp!, {r4, pc}
 15dc:	e3540001 	cmp	r4, #1	; 0x1
 15e0:	18bd8010 	ldmneia	sp!, {r4, pc}
 15e4:	e3a00020 	mov	r0, #32	; 0x20
 15e8:	e3a010cc 	mov	r1, #204	; 0xcc
 ; literal pool
 1600:	fffffb10
 1604:	00800038
+; This routine computes a simple word-wise (16 bits at a time) sum of
+; the present internal boot ROM code (ignoring carry-outs), and returns
+; it in R0.  The upper 16 bits of the R0 return value will always be 0.
+;
+; If the argument in R0 equals 1, a call to the 0xe2c memmap/clock init
+; function is made first, with the same arguments as at the beginning
+; of main().
 1608:	e92d4000 	stmdb	sp!, {lr}
 160c:	e24dd008 	sub	sp, sp, #8	; 0x8
 1610:	e3500001 	cmp	r0, #1	; 0x1
 1614:	1a000006 	bne	0x1634
+; 0xe2c routine is called with the same arguments as at the beginning
+; of main()
 1618:	e3a0c002 	mov	r12, #2	; 0x2
 161c:	e5cdc000 	strb	r12, [sp]
 1620:	e3a00004 	mov	r0, #4	; 0x4
 1624:	e3a01000 	mov	r1, #0	; 0x0
 1628:	e3a02000 	mov	r2, #0	; 0x0
 ; The filler ends at 0x1FCC.  Then we've got some data words:
 ; base addresses of the two UARTs
 1fcc:	ffff5800
 1fd0:	ffff5000
-; ???
+; UART baud rates
-1fd4:	0e000700 	cdpeq	7, 0, cr0, cr0, cr0, {0}
+1fd4:	0700	; /7	(115200?)
-1fd8:	1c001500 	cfstr32ne	mvfx1, [r0]
+1fd6:	0e00	; /14	(57600?)
-1fdc:	00002a00 	andeq	r2, r0, r0, lsl #20
+1fd8:	1500	; /21	(38400?)
+1fda:	1c00	; /28	(28800?)
+1fdc:	2a00	; /42	(19200?)
+1fde:	0000
 ; These ldr-jump instructions get copied to the 7 internal RAM words
 ; starting at 0x80001C.  They have the effect of defining the preceding
 ; 7 words (0x800000-0x800018 inclusive) as address-type vectors for the
 ; exceptions, such that one can hook an exception either by replacing

FreeCalypso > hg > freecalypso-reveng

comparison bootrom.disasm @ 8:a06573cacb6e