diff compal/boot/c156-boot.disasm @ 399:81cda18b0487

compal: move all bootloader analysis work into boot subdir
author Mychaela Falconia <falcon@freecalypso.org>
date Sat, 14 Jan 2023 06:17:56 +0000
parents compal/c156-boot.disasm@5c47d916255e
children
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/compal/boot/c156-boot.disasm	Sat Jan 14 06:17:56 2023 +0000
@@ -0,0 +1,543 @@
+RESET entry and exception vectors:
+       0:	ea000011	b	0x4c
+       4:	ea008036	b	0x200e4
+       8:	ea008036	b	0x200e8
+       c:	ea008036	b	0x200ec
+      10:	ea008036	b	0x200f0
+      14:	ea008036	b	0x200f4
+      18:	ea008036	b	0x200f8
+      1c:	ea008036	b	0x200fc
+
+      20:	02a102a1
+      24:	02a302a1
+      28:	00000040
+      2c:	fffffd00
+      30:	ffff9800
+      34:	fffffb10
+      38:	ffffff08
+      3c:	20021081
+      40:	00000800
+      44:	004000c0
+      48:	00000e85
+
+; RESET entry point
+; same init as in the C139 version
+      4c:	e51f1028	ldr	r1, =0xfffffd00	; via 0x2c
+      50:	e1d120b2	ldrh	r2, [r1, #2]
+      54:	e51f0034	ldr	r0, =0x40	; via 0x28
+      58:	e1800002	orr	r0, r0, r2
+      5c:	e1c100b2	strh	r0, [r1, #2]
+; disable PLL
+; diff from C139 version: writing 2002 into FFFF:9800 instead of 2006
+; diff in the BYPASS_DIV field
+      60:	e51f1038	ldr	r1, =0xffff9800	; via 0x30
+      64:	e15f22be	ldrh	r2, =0x2002	; via 0x3e
+      68:	e1c120b0	strh	r2, [r1]
+      6c:	e5912000	ldr	r2, [r1]
+      70:	e2022001	and	r2, r2, #1
+      74:	e3520001	cmp	r2, #1
+      78:	0afffffb	beq	0x6c
+; FFFF:FD00 write same as C139
+      7c:	e51f1058	ldr	r1, =0xfffffd00	; via 0x2c
+      80:	e15f24bc	ldrh	r2, =0x1081	; via 0x3c
+      84:	e1c120b0	strh	r2, [r1]
+; disable DU like C139
+      88:	e51f105c	ldr	r1, =0xfffffb10	; via 0x34
+      8c:	e15f25b4	ldrh	r2, =0x800	; via 0x40
+      90:	e1d100b0	ldrh	r0, [r1]
+      94:	e1800002	orr	r0, r0, r2
+      98:	e1c100b0	strh	r0, [r1]
+; ditto for MPU
+      9c:	e51f106c	ldr	r1, =0xffffff08	; via 0x38
+      a0:	e15f26b6	ldrh	r2, =0x0	; via 0x42
+      a4:	e1c120b0	strh	r2, [r1]
+; Memory timings
+      a8:	e59f1640	ldr	r1, =0xfffffb00	; via 0x6f0
+      ac:	e15f29b4	ldrh	r2, =0x2a1	; via 0x20
+      b0:	e1c120b0	strh	r2, [r1]
+      b4:	e15f29ba	ldrh	r2, =0x2a1	; via 0x22
+      b8:	e1c120b2	strh	r2, [r1, #2]
+      bc:	e15f2ab0	ldrh	r2, =0x2a1	; via 0x24
+      c0:	e1c120b4	strh	r2, [r1, #4]
+      c4:	e15f2ab6	ldrh	r2, =0x2a3	; via 0x26
+      c8:	e1c120b6	strh	r2, [r1, #6]
+      cc:	e15f28bc	ldrh	r2, =0xe85	; via 0x48
+      d0:	e1c120ba	strh	r2, [r1, #10]	; 0xa
+      d4:	e15f29b8	ldrh	r2, =0xc0	; via 0x44
+      d8:	e1c120bc	strh	r2, [r1, #12]	; 0xc
+      dc:	e15f29be	ldrh	r2, =0x40	; via 0x46
+      e0:	e1c120b8	strh	r2, [r1, #8]
+; enable 8 MiB chip select regions
+      e4:	e59f3630	ldr	r3, =0xfffef006	; via 0x71c
+      e8:	e1d310b0	ldrh	r1, [r3]
+      ec:	e3a02008	mov	r2, #8
+      f0:	e1811002	orr	r1, r1, r2
+      f4:	e1c310b0	strh	r1, [r3]
+; write 0x0110 into FFFE:F00A
+; enable I/O(8) and I/O(12)
+      f8:	e59f3604	ldr	r3, =0xfffef000	; via 0x704
+      fc:	e3a01e11	mov	r1, #272	; 0x110
+     100:	e1c310ba	strh	r1, [r3, #10]	; 0xa
+; FFFE:4804: set GPIOs 8 and 12 as outputs
+     104:	e59f3604	ldr	r3, =0xfffe4804	; via 0x710
+     108:	e5931000	ldr	r1, [r3]
+     10c:	e3a030ff	mov	r3, #255	; 0xff
+     110:	e3a02cee	mov	r2, #60928	; 0xee00
+     114:	e1822003	orr	r2, r2, r3
+     118:	e0011002	and	r1, r1, r2
+     11c:	e59f35e4	ldr	r3, =0xfffe4800	; via 0x708
+     120:	e1c310b4	strh	r1, [r3, #4]
+; ARMIO_LATCH_OUT: GPIO 8 set to 0
+     124:	e59f35e0	ldr	r3, =0xfffe4802	; via 0x70c
+     128:	e5931000	ldr	r1, [r3]
+     12c:	e3a030ff	mov	r3, #255	; 0xff
+     130:	e3a02cfe	mov	r2, #65024	; 0xfe00
+     134:	e1822003	orr	r2, r2, r3
+     138:	e0011002	and	r1, r1, r2
+     13c:	e59f35c4	ldr	r3, =0xfffe4800	; via 0x708
+     140:	e1c310b2	strh	r1, [r3, #2]
+; ... and then reset it to 0xF400
+     144:	e3a01b3d	mov	r1, #62464	; 0xf400
+     148:	e59f35b8	ldr	r3, =0xfffe4800	; via 0x708
+     14c:	e1c310b2	strh	r1, [r3, #2]
+; SVC mode, IRQ and FIQ disabled
+     150:	e10f0000	mrs	r0, CPSR
+     154:	e3c0001f	bic	r0, r0, #31	; 0x1f
+     158:	e3800013	orr	r0, r0, #19	; 0x13
+     15c:	e38000c0	orr	r0, r0, #192	; 0xc0
+     160:	e129f000	msr	CPSR_fc, r0
+; zero all 256 KiB IRAM except last 128 bytes
+     164:	e3a00502	mov	r0, #8388608	; 0x800000
+     168:	e3a02000	mov	r2, #0
+     16c:	e3a01721	mov	r1, #8650752	; 0x840000
+     170:	e2411080	sub	r1, r1, #128	; 0x80
+     174:	e4802004	str	r2, [r0], #4
+     178:	e1500001	cmp	r0, r1
+     17c:	1afffffc	bne	0x174
+; ditto for 2 MiB XRAM
+     180:	e3a00401	mov	r0, #16777216	; 0x1000000
+     184:	e3a02000	mov	r2, #0
+     188:	e3a01612	mov	r1, #18874368	; 0x1200000
+     18c:	e2411080	sub	r1, r1, #128	; 0x80
+     190:	e4802004	str	r2, [r0], #4
+     194:	e1500001	cmp	r0, r1
+     198:	1afffffc	bne	0x190
+; MODEM UART
+     19c:	e59f0550	ldr	r0, =0xffff5800	; via 0x6f4
+; 0 into LCR for IER access
+     1a0:	e3a01000	mov	r1, #0
+     1a4:	e5c01003	strb	r1, [r0, #3]
+; clear IER
+     1a8:	e3a01000	mov	r1, #0
+     1ac:	e5c01001	strb	r1, [r0, #1]
+; BF into LCR
+     1b0:	e3a010bf	mov	r1, #191	; 0xbf
+     1b4:	e5c01003	strb	r1, [r0, #3]
+; 0x10 into EFR
+     1b8:	e3a01010	mov	r1, #16	; 0x10
+     1bc:	e5c01002	strb	r1, [r0, #2]
+; set 115200 baud
+     1c0:	e59f3534	ldr	r3, =0xffff5803	; via 0x6fc
+     1c4:	e5931000	ldr	r1, [r3]
+     1c8:	e3811080	orr	r1, r1, #128	; 0x80
+     1cc:	e5c31000	strb	r1, [r3]
+     1d0:	e3a01007	mov	r1, #7
+     1d4:	e5c01000	strb	r1, [r0]
+     1d8:	e3a01000	mov	r1, #0
+     1dc:	e5c01001	strb	r1, [r0, #1]
+; LCR will eventually get back to 03
+     1e0:	e59f3514	ldr	r3, =0xffff5803	; via 0x6fc
+     1e4:	e5931000	ldr	r1, [r3]
+     1e8:	e201107f	and	r1, r1, #127	; 0x7f
+     1ec:	e5c31000	strb	r1, [r3]
+     1f0:	e5931000	ldr	r1, [r3]
+     1f4:	e3811003	orr	r1, r1, #3
+     1f8:	e5c31000	strb	r1, [r3]
+; 0x40 into MCR: TCR/TLR access
+     1fc:	e3a01040	mov	r1, #64	; 0x40
+     200:	e5c01004	strb	r1, [r0, #4]
+; TCR=0x0F (same as default)
+     204:	e3a0100f	mov	r1, #15	; 0xf
+     208:	e5c01006	strb	r1, [r0, #6]
+; BF into LCR again
+     20c:	e3a010bf	mov	r1, #191	; 0xbf
+     210:	e5c01003	strb	r1, [r0, #3]
+; 0x10 into EFR again
+     214:	e3a01010	mov	r1, #16	; 0x10
+     218:	e5c01002	strb	r1, [r0, #2]
+; finally 03 into LCR
+     21c:	e3a01003	mov	r1, #3
+     220:	e5c01003	strb	r1, [r0, #3]
+; clear SCR (default, all weird stuff disabled)
+     224:	e3a01000	mov	r1, #0
+     228:	e5c01010	strb	r1, [r0, #16]	; 0x10
+; FCR=06: FIFOs cleared and *disabled*
+     22c:	e3a01006	mov	r1, #6
+     230:	e5c01002	strb	r1, [r0, #2]
+; MCR=0F
+     234:	e3a0100f	mov	r1, #15	; 0xf
+     238:	e5c01004	strb	r1, [r0, #4]
+; FCR=F1: enable FIFOs with max trigger levels
+     23c:	e3a010f1	mov	r1, #241	; 0xf1
+     240:	e5c01002	strb	r1, [r0, #2]
+; MDR1: write 7 for reset, then 0 for UART mode
+     244:	e3a01007	mov	r1, #7
+     248:	e5c01008	strb	r1, [r0, #8]
+     24c:	e3a01000	mov	r1, #0
+     250:	e5c01008	strb	r1, [r0, #8]
+; IER: enable Rx interrupt
+     254:	e59f349c	ldr	r3, =0xffff5801	; via 0x6f8
+     258:	e5931000	ldr	r1, [r3]
+     25c:	e3811001	orr	r1, r1, #1
+     260:	e5c31000	strb	r1, [r3]
+; nCS0: WS=3, write enable, DC=1
+     264:	e59f1484	ldr	r1, =0xfffffb00	; via 0x6f0
+     268:	e59f247c	ldr	r2, =0x2a3	; via 0x6ec
+     26c:	e1c120b0	strh	r2, [r1]
+; FFFF:FB0E = 0x6A: adapt enabled for RHEA and API,
+; all ARM7 cycles visible externally
+     270:	e59f3488	ldr	r3, =0xfffffb00	; via 0x700
+     274:	e3a0106a	mov	r1, #106	; 0x6a
+     278:	e1c310be	strh	r1, [r3, #14]	; 0xe
+; dingle UART FIFOs again, same settings
+     27c:	e59f0470	ldr	r0, =0xffff5800	; via 0x6f4
+     280:	e3a010f7	mov	r1, #247	; 0xf7
+     284:	e5c01002	strb	r1, [r0, #2]
+     288:	e3a010f1	mov	r1, #241	; 0xf1
+     28c:	e5c01002	strb	r1, [r0, #2]
+; short delay loop
+     290:	e3a01f4b	mov	r1, #300	; 0x12c
+     294:	e2411001	sub	r1, r1, #1
+     298:	e3510000	cmp	r1, #0
+     29c:	1afffffc	bne	0x294
+; check UART for unsolicited input?
+     2a0:	e59f044c	ldr	r0, =0xffff5800	; via 0x6f4
+     2a4:	e3a02064	mov	r2, #100	; 0x64
+     2a8:	e3a08801	mov	r8, #65536	; 0x10000
+     2ac:	e2488001	sub	r8, r8, #1
+     2b0:	e3580000	cmp	r8, #0
+     2b4:	0a000040	beq	0x3bc
+     2b8:	e5d01005	ldrb	r1, [r0, #5]
+     2bc:	e2011001	and	r1, r1, #1
+     2c0:	e3510001	cmp	r1, #1
+     2c4:	1afffff8	bne	0x2ac
+     2c8:	e5d01000	ldrb	r1, [r0]
+; unsolicited input received
+; repeats the whole UART init, but with /2 div for 406250 baud
+     2cc:	e59f0420	ldr	r0, =0xffff5800	; via 0x6f4
+     2d0:	e3a01000	mov	r1, #0
+     2d4:	e5c01003	strb	r1, [r0, #3]
+     2d8:	e3a01000	mov	r1, #0
+     2dc:	e5c01001	strb	r1, [r0, #1]
+     2e0:	e3a010bf	mov	r1, #191	; 0xbf
+     2e4:	e5c01003	strb	r1, [r0, #3]
+     2e8:	e3a01010	mov	r1, #16	; 0x10
+     2ec:	e5c01002	strb	r1, [r0, #2]
+     2f0:	e59f3404	ldr	r3, =0xffff5803	; via 0x6fc
+     2f4:	e5931000	ldr	r1, [r3]
+     2f8:	e3811080	orr	r1, r1, #128	; 0x80
+     2fc:	e5c31000	strb	r1, [r3]
+     300:	e3a01002	mov	r1, #2
+     304:	e5c01000	strb	r1, [r0]
+     308:	e3a01000	mov	r1, #0
+     30c:	e5c01001	strb	r1, [r0, #1]
+     310:	e59f33e4	ldr	r3, =0xffff5803	; via 0x6fc
+     314:	e5931000	ldr	r1, [r3]
+     318:	e201107f	and	r1, r1, #127	; 0x7f
+     31c:	e5c31000	strb	r1, [r3]
+     320:	e5931000	ldr	r1, [r3]
+     324:	e3811003	orr	r1, r1, #3
+     328:	e5c31000	strb	r1, [r3]
+     32c:	e3a01040	mov	r1, #64	; 0x40
+     330:	e5c01004	strb	r1, [r0, #4]
+     334:	e3a0100f	mov	r1, #15	; 0xf
+     338:	e5c01006	strb	r1, [r0, #6]
+     33c:	e3a010bf	mov	r1, #191	; 0xbf
+     340:	e5c01003	strb	r1, [r0, #3]
+     344:	e3a01010	mov	r1, #16	; 0x10
+     348:	e5c01002	strb	r1, [r0, #2]
+     34c:	e3a01003	mov	r1, #3
+     350:	e5c01003	strb	r1, [r0, #3]
+     354:	e3a01000	mov	r1, #0
+     358:	e5c01010	strb	r1, [r0, #16]	; 0x10
+     35c:	e3a01006	mov	r1, #6
+     360:	e5c01002	strb	r1, [r0, #2]
+     364:	e3a0100f	mov	r1, #15	; 0xf
+     368:	e5c01004	strb	r1, [r0, #4]
+     36c:	e3a010f1	mov	r1, #241	; 0xf1
+     370:	e5c01002	strb	r1, [r0, #2]
+     374:	e3a01007	mov	r1, #7
+     378:	e5c01008	strb	r1, [r0, #8]
+     37c:	e3a01000	mov	r1, #0
+     380:	e5c01008	strb	r1, [r0, #8]
+     384:	e59f336c	ldr	r3, =0xffff5801	; via 0x6f8
+     388:	e5931000	ldr	r1, [r3]
+     38c:	e3811001	orr	r1, r1, #1
+     390:	e5c31000	strb	r1, [r3]
+     394:	e59f0358	ldr	r0, =0xffff5800	; via 0x6f4
+     398:	e3a010f7	mov	r1, #247	; 0xf7
+     39c:	e5c01002	strb	r1, [r0, #2]
+     3a0:	e3a010f1	mov	r1, #241	; 0xf1
+     3a4:	e5c01002	strb	r1, [r0, #2]
+     3a8:	e3a01f4b	mov	r1, #300	; 0x12c
+     3ac:	e2411001	sub	r1, r1, #1
+     3b0:	e3510000	cmp	r1, #0
+     3b4:	1afffffc	bne	0x3ac
+     3b8:	e59f0334	ldr	r0, =0xffff5800	; via 0x6f4
+; normal path continues
+; emit 1B F6 02 00 41 01 40
+     3bc:	e3a0101b	mov	r1, #27	; 0x1b
+     3c0:	e5c01000	strb	r1, [r0]
+     3c4:	e3a010f6	mov	r1, #246	; 0xf6
+     3c8:	e5c01000	strb	r1, [r0]
+     3cc:	e3a01002	mov	r1, #2
+     3d0:	e5c01000	strb	r1, [r0]
+     3d4:	e3a01000	mov	r1, #0
+     3d8:	e5c01000	strb	r1, [r0]
+     3dc:	e3a01041	mov	r1, #65	; 0x41
+     3e0:	e5c01000	strb	r1, [r0]
+     3e4:	e3a01001	mov	r1, #1
+     3e8:	e5c01000	strb	r1, [r0]
+     3ec:	e3a01040	mov	r1, #64	; 0x40
+     3f0:	e5c01000	strb	r1, [r0]
+; wait for UART input
+     3f4:	e3a02064	mov	r2, #100	; 0x64
+     3f8:	e3a08701	mov	r8, #262144	; 0x40000
+     3fc:	e2488001	sub	r8, r8, #1
+     400:	e3580000	cmp	r8, #0
+     404:	0a0000aa	beq	0x6b4
+     408:	e5d01005	ldrb	r1, [r0, #5]
+     40c:	e2011001	and	r1, r1, #1
+     410:	e3510001	cmp	r1, #1
+     414:	1afffff8	bne	0x3fc
+     418:	e5d01000	ldrb	r1, [r0]
+     41c:	e3510000	cmp	r1, #0
+     420:	1a000003	bne	0x434
+     424:	e2422001	sub	r2, r2, #1
+     428:	e3520000	cmp	r2, #0
+     42c:	0a0000a0	beq	0x6b4
+     430:	eafffff1	b	0x3fc
+     434:	e351001b	cmp	r1, #27	; 0x1b
+     438:	1affffef	bne	0x3fc
+; got 1B
+     43c:	e3a08701	mov	r8, #262144	; 0x40000
+     440:	e2488001	sub	r8, r8, #1
+     444:	e3580000	cmp	r8, #0
+     448:	0a000099	beq	0x6b4
+     44c:	e5d01005	ldrb	r1, [r0, #5]
+     450:	e2011001	and	r1, r1, #1
+     454:	e3510001	cmp	r1, #1
+     458:	1afffff8	bne	0x440
+     45c:	e5d01000	ldrb	r1, [r0]
+     460:	e35100f6	cmp	r1, #246	; 0xf6
+     464:	1a000092	bne	0x6b4
+; got F6
+     468:	e3a08801	mov	r8, #65536	; 0x10000
+     46c:	e2488001	sub	r8, r8, #1
+     470:	e3580000	cmp	r8, #0
+     474:	0a00008e	beq	0x6b4
+     478:	e5d01005	ldrb	r1, [r0, #5]
+     47c:	e2011001	and	r1, r1, #1
+     480:	e3510001	cmp	r1, #1
+     484:	1afffff8	bne	0x46c
+     488:	e5d01000	ldrb	r1, [r0]
+     48c:	e3510002	cmp	r1, #2
+     490:	1a000087	bne	0x6b4
+; got 02
+     494:	e3a08801	mov	r8, #65536	; 0x10000
+     498:	e2488001	sub	r8, r8, #1
+     49c:	e3580000	cmp	r8, #0
+     4a0:	0a000083	beq	0x6b4
+     4a4:	e5d01005	ldrb	r1, [r0, #5]
+     4a8:	e2011001	and	r1, r1, #1
+     4ac:	e3510001	cmp	r1, #1
+     4b0:	1afffff8	bne	0x498
+     4b4:	e5d01000	ldrb	r1, [r0]
+     4b8:	e3510000	cmp	r1, #0
+     4bc:	1a00007c	bne	0x6b4
+; got 00
+     4c0:	e3a08801	mov	r8, #65536	; 0x10000
+     4c4:	e2488001	sub	r8, r8, #1
+     4c8:	e3580000	cmp	r8, #0
+     4cc:	0a000078	beq	0x6b4
+     4d0:	e5d01005	ldrb	r1, [r0, #5]
+     4d4:	e2011001	and	r1, r1, #1
+     4d8:	e3510001	cmp	r1, #1
+     4dc:	1afffff8	bne	0x4c4
+     4e0:	e5d01000	ldrb	r1, [r0]
+     4e4:	e3510052	cmp	r1, #82	; 0x52
+     4e8:	1a000071	bne	0x6b4
+; got 52
+     4ec:	e3a08801	mov	r8, #65536	; 0x10000
+     4f0:	e2488001	sub	r8, r8, #1
+     4f4:	e3580000	cmp	r8, #0
+     4f8:	0a00006d	beq	0x6b4
+     4fc:	e5d01005	ldrb	r1, [r0, #5]
+     500:	e2011001	and	r1, r1, #1
+     504:	e3510001	cmp	r1, #1
+     508:	1afffff8	bne	0x4f0
+     50c:	e5d01000	ldrb	r1, [r0]
+     510:	e3510001	cmp	r1, #1
+     514:	1a000066	bne	0x6b4
+; got 01
+     518:	e3a08801	mov	r8, #65536	; 0x10000
+     51c:	e2488001	sub	r8, r8, #1
+     520:	e3580000	cmp	r8, #0
+     524:	0a000062	beq	0x6b4
+     528:	e5d01005	ldrb	r1, [r0, #5]
+     52c:	e2011001	and	r1, r1, #1
+     530:	e3510001	cmp	r1, #1
+     534:	1afffff8	bne	0x51c
+     538:	e59f01b4	ldr	r0, =0xffff5800	; via 0x6f4
+     53c:	e5d01000	ldrb	r1, [r0]
+; emit 1B F6 02 00 41 02 43 before checking the last Rx char!
+     540:	e3a0201b	mov	r2, #27	; 0x1b
+     544:	e5c02000	strb	r2, [r0]
+     548:	e3a020f6	mov	r2, #246	; 0xf6
+     54c:	e5c02000	strb	r2, [r0]
+     550:	e3a02002	mov	r2, #2
+     554:	e5c02000	strb	r2, [r0]
+     558:	e3a02000	mov	r2, #0
+     55c:	e5c02000	strb	r2, [r0]
+     560:	e3a02041	mov	r2, #65	; 0x41
+     564:	e5c02000	strb	r2, [r0]
+     568:	e3a02002	mov	r2, #2
+     56c:	e5c02000	strb	r2, [r0]
+     570:	e3a02043	mov	r2, #67	; 0x43
+     574:	e5c02000	strb	r2, [r0]
+; now check for 53
+; if not 53, go back to wait for 01-53
+     578:	e3510053	cmp	r1, #83	; 0x53
+     57c:	0a000000	beq	0x584
+     580:	eaffffda	b	0x4f0
+; got 53
+     584:	e3a02000	mov	r2, #0
+     588:	e59f3190	ldr	r3, =0x800100	; via 0x720
+     58c:	e3a04000	mov	r4, #0
+     590:	e3a05001	mov	r5, #1
+; endless wait for Rx byte
+     594:	e5d01005	ldrb	r1, [r0, #5]
+     598:	e2011001	and	r1, r1, #1
+     59c:	e3510001	cmp	r1, #1
+     5a0:	1afffffb	bne	0x594
+     5a4:	e5d01000	ldrb	r1, [r0]
+; state machine dispatch
+     5a8:	e3520000	cmp	r2, #0
+     5ac:	0a000008	beq	0x5d4
+     5b0:	e3520001	cmp	r2, #1
+     5b4:	0a00000b	beq	0x5e8
+     5b8:	e3520002	cmp	r2, #2
+     5bc:	0a00000d	beq	0x5f8
+     5c0:	e3520003	cmp	r2, #3
+     5c4:	0a00000f	beq	0x608
+     5c8:	e3520004	cmp	r2, #4
+     5cc:	0a000015	beq	0x628
+     5d0:	ea000037	b	0x6b4
+; R2=0: must receive 02 first
+     5d4:	e3510002	cmp	r1, #2
+     5d8:	1affffed	bne	0x594
+     5dc:	e1a06001	mov	r6, r1
+     5e0:	e2822001	add	r2, r2, #1
+     5e4:	eaffffea	b	0x594
+; R2=1: got MSB of length
+     5e8:	e1a04401	mov	r4, r1, lsl #8
+     5ec:	e0266001	eor	r6, r6, r1
+     5f0:	e2822001	add	r2, r2, #1
+     5f4:	eaffffe6	b	0x594
+; R2=2: got LSB of length
+     5f8:	e0844001	add	r4, r4, r1
+     5fc:	e0266001	eor	r6, r6, r1
+     600:	e2822001	add	r2, r2, #1
+     604:	eaffffe2	b	0x594
+; R2=3: payload
+     608:	e5c31000	strb	r1, [r3]
+     60c:	e0266001	eor	r6, r6, r1
+     610:	e2833001	add	r3, r3, #1
+     614:	e2444001	sub	r4, r4, #1
+     618:	e3540000	cmp	r4, #0
+     61c:	1affffdc	bne	0x594
+     620:	e2822001	add	r2, r2, #1
+     624:	eaffffda	b	0x594
+; R2=4: checksum expected
+     628:	e1560001	cmp	r6, r1
+     62c:	1a000012	bne	0x67c
+; checksum good
+; emit 1B F6 02 00 41 03 42
+     630:	e3a0101b	mov	r1, #27	; 0x1b
+     634:	e5c01000	strb	r1, [r0]
+     638:	e3a010f6	mov	r1, #246	; 0xf6
+     63c:	e5c01000	strb	r1, [r0]
+     640:	e3a01002	mov	r1, #2
+     644:	e5c01000	strb	r1, [r0]
+     648:	e3a01000	mov	r1, #0
+     64c:	e5c01000	strb	r1, [r0]
+     650:	e3a01041	mov	r1, #65	; 0x41
+     654:	e5c01000	strb	r1, [r0]
+     658:	e3a01003	mov	r1, #3
+     65c:	e5c01000	strb	r1, [r0]
+     660:	e3a01042	mov	r1, #66	; 0x42
+     664:	e5c01000	strb	r1, [r0]
+; SP=0x803FFC
+     668:	e59f00b4	ldr	r0, =0x803ffc	; via 0x724
+     66c:	e1a0d000	mov	sp, r0
+; jump to 0x800100 in Thumb state
+     670:	e59f00a8	ldr	r0, =0x800100	; via 0x720
+     674:	e280e001	add	lr, r0, #1
+     678:	e12fff1e	bx	lr
+; checksum mismatch
+; emit 1B F6 02 00 45 53 16
+     67c:	e3a0101b	mov	r1, #27	; 0x1b
+     680:	e5c01000	strb	r1, [r0]
+     684:	e3a010f6	mov	r1, #246	; 0xf6
+     688:	e5c01000	strb	r1, [r0]
+     68c:	e3a01002	mov	r1, #2
+     690:	e5c01000	strb	r1, [r0]
+     694:	e3a01000	mov	r1, #0
+     698:	e5c01000	strb	r1, [r0]
+     69c:	e3a01045	mov	r1, #69	; 0x45
+     6a0:	e5c01000	strb	r1, [r0]
+     6a4:	e3a01053	mov	r1, #83	; 0x53
+     6a8:	e5c01000	strb	r1, [r0]
+     6ac:	e3a01016	mov	r1, #22	; 0x16
+     6b0:	e5c01000	strb	r1, [r0]
+; bail out path
+; ARMIO_LATCH_OUT: set GPIO 9 low
+     6b4:	e59f3050	ldr	r3, =0xfffe4802	; via 0x70c
+     6b8:	e5931000	ldr	r1, [r3]
+     6bc:	e3a030ff	mov	r3, #255	; 0xff
+     6c0:	e3a02cfd	mov	r2, #64768	; 0xfd00
+     6c4:	e1822003	orr	r2, r2, r3
+     6c8:	e0011002	and	r1, r1, r2
+     6cc:	e59f3034	ldr	r3, =0xfffe4800	; via 0x708
+     6d0:	e1c310b2	strh	r1, [r3, #2]
+; switch GPIO12 back to input
+     6d4:	e59f3034	ldr	r3, =0xfffe4804	; via 0x710
+     6d8:	e5931000	ldr	r1, [r3]
+     6dc:	e3811a01	orr	r1, r1, #4096	; 0x1000
+     6e0:	e59f3020	ldr	r3, =0xfffe4800	; via 0x708
+     6e4:	e1c310b4	strh	r1, [r3, #4]
+     6e8:	ea007e7c	b	0x200e0
+
+     6ec:	000002a3
+     6f0:	fffffb00
+     6f4:	ffff5800
+     6f8:	ffff5801
+     6fc:	ffff5803
+     700:	fffffb00
+     704:	fffef000
+     708:	fffe4800
+     70c:	fffe4802
+     710:	fffe4804
+     714:	fffe480c
+     718:	fffe480a
+     71c:	fffef006
+     720:	00800100
+     724:	00803ffc
+
+<728-7FF: all FFs>
+
+00000800:  42 4F 4F 54 2E 39 30 2E  30 35 00 00 00 00 00 00  BOOT.90.05......
+00000810:  31 30 30 33 01 02 00 00  FF FF FF FF FF FF FF FF  1003............
+00000820:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+
+blank flash from here onward, until the main fw image starts at 0x20000
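Review bot: The annotations on the serial download state machine (0x5d4–0x62c) do not record that the 16-bit length assembled in r4 is never validated before the payload loop at 0x608 stores through r3 starting at 0x800100. From the visible instructions, a length of 0 still enters state 3, where `sub r4, r4, #1` runs before `cmp r4, #0`, so the counter wraps instead of terminating. The initial SP 0x803ffc loaded at 0x668 sits 0x3efc bytes above the load address, inside the range a 16-bit length can cover. The only check before the `bx lr` at 0x678 is the XOR accumulated in r6 and compared at 0x628, so the listing should say that this is an integrity check only and that the image received over the UART is not authenticated. I would add above 0x608 a comment such as `; no bounds check on R4: len 0 wraps, payload >= 0x3EFC reaches initial SP; XOR checksum only, no authentication`.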