diff moko11 @ 57:277fd7b971f0

some success in finding familiar TI code in moko11 and Pirelli fw binary images
author Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
date Tue, 12 Nov 2013 04:28:47 +0000
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/moko11	Tue Nov 12 04:28:47 2013 +0000
@@ -0,0 +1,28 @@
+The Init_Target() function in the TCS211 code from Sotovik (which sits in a
+binary lib with no source!) programs nCS0 and nCS1 memory timings with WS=3.
+We would like to determine whether or not the moko11 firmware does the same
+thing.  We have no linker map file for moko11, so we have to dig around in the
+binary and try to match the code against known objects.
+
+In the Sotomodem version of Init_Target(), at offset 0x60 from the beginning of
+the function there is a BL instruction calling $CLKM_InitARMClock, and this call
+is immediately followed by the code that sets up the memory timings.
+
+Let's see what we can find in the moko11 binary image:
+
+0012D4:	RESET vector jumps here
+010000: the code here appears to fully match the .inttext section of
+	TI's int.obj
+010058:	appears to be the _INT_Initialize entry point
+	(seems to be the same for all TI firmwares of that era)
+010268:	b 0x1e8364, should be a jump to the _INC_Initialize veneer
+1D1E48:	first function called from Application_Initialize, should be
+	Init_Target()
+	Matches the Sotomodem version of Init_Target() indeed,
+	including the memory timing setup!
+1E72B0:	Expected start of $INC_Initialize, appears to match
+1E72F4:	bl 0x1e81fc, should be calling Application_Initialize()
+1E81FC:	Expected start of Application_Initialize(), contains 6 calls indeed
+1E8364:	looks like an ARM->Thumb call veneer indeed
+1E8370:	Thumb code begins, does bl 0x1e72b0
+1E8378:	back to ARM, veneer return
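Review bot: The 1D1E48 entry answers the question from the first paragraph only by implication. It says the function matches the Sotomodem Init_Target() "including the memory timing setup", but it never states that the nCS0 and nCS1 values observed in moko11 are WS=3, and it does not give the address of the BL to $CLKM_InitARMClock that the second paragraph uses as the landmark (expected at 1D1E48 + 0x60 = 1D1EA8 if the layout is identical). Recording the observed values and that address would let a reader check the conclusion without redoing the comparison. The list also does not say which moko11 image was examined, or whether the six-digit addresses are file offsets or run-time addresses; since there is no linker map, a line identifying the image and the address base would make these notes reproducible. Finally, the entries are sorted by address rather than by boot flow, so a one-line summary of the chain (RESET, _INT_Initialize, veneer at 1E8364, $INC_Initialize, Application_Initialize, Init_Target) would make the trace easier to follow.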