diff dsample-fw-disasm @ 207:d12a3207b1aa

D-Sample 20020917 firmware analysis
author Mychaela Falconia <falcon@ivan.Harhan.ORG>
date Fri, 01 Jan 2016 23:24:05 +0000
parents
children 7b679943b57d
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/dsample-fw-disasm	Fri Jan 01 23:24:05 2016 +0000
@@ -0,0 +1,663 @@
+; The present work is a disassembly analysis of the 20020917 firmware image
+; read out of our vintage D-Sample C05 board.
+
+       0:	ea0004e7	b	0x13a4
+       4:	ea003ffd	b	0x10000
+       8:	ea003ffd	b	0x10004
+       c:	ea003ffd	b	0x10008
+      10:	ea003ffd	b	0x1000c
+      14:	ea003ffd	b	0x10010
+      18:	ea003ffd	b	0x10014
+      1c:	ea003ffd	b	0x10018
+
+; constant pool before _INT_Bootloader_Start matches TCS211
+    1378:	fffffb00
+    137c:	02a102a1
+    1380:	028302a1
+    1384:	00c00281
+    1388:	002a0040
+    138c:	fffffd00
+    1390:	ffff9800
+    1394:	fffffb10
+    1398:	ffffff08
+    139c:	20061081
+    13a0:	00000800
+
+_INT_Bootloader_Start:	; code fully matches TCS211
+    13a4:	e51f101c	ldr	r1, =0xffff9800	; via 0x1390
+    13a8:	e15f21b2	ldrh	r2, =0x2006	; via 0x139e
+    13ac:	e1c120b0	strh	r2, [r1]
+    13b0:	e5912000	ldr	r2, [r1]
+    13b4:	e2022001	and	r2, r2, #1
+    13b8:	e3520001	cmp	r2, #1
+    13bc:	0afffffb	beq	0x13b0
+    13c0:	e51f103c	ldr	r1, =0xfffffd00	; via 0x138c
+    13c4:	e15f23b0	ldrh	r2, =0x1081	; via 0x139c
+    13c8:	e1c120b0	strh	r2, [r1]
+    13cc:	e51f1040	ldr	r1, =0xfffffb10	; via 0x1394
+    13d0:	e15f23b8	ldrh	r2, =0x800	; via 0x13a0
+    13d4:	e1d100b0	ldrh	r0, [r1]
+    13d8:	e1800002	orr	r0, r0, r2
+    13dc:	e1c100b0	strh	r0, [r1]
+    13e0:	e51f1050	ldr	r1, =0xffffff08	; via 0x1398
+    13e4:	e15f24ba	ldrh	r2, =0x0	; via 0x13a2
+    13e8:	e1c120b0	strh	r2, [r1]
+    13ec:	e51f107c	ldr	r1, =0xfffffb00	; via 0x1378
+    13f0:	e15f27bc	ldrh	r2, =0x2a1	; via 0x137c
+    13f4:	e1c120b0	strh	r2, [r1]
+    13f8:	e15f28b2	ldrh	r2, =0x2a1	; via 0x137e
+    13fc:	e1c120b2	strh	r2, [r1, #2]
+    1400:	e15f28b8	ldrh	r2, =0x2a1	; via 0x1380
+    1404:	e1c120b4	strh	r2, [r1, #4]
+    1408:	e15f28be	ldrh	r2, =0x283	; via 0x1382
+    140c:	e1c120b6	strh	r2, [r1, #6]
+    1410:	e15f29b4	ldrh	r2, =0x281	; via 0x1384
+    1414:	e1c120ba	strh	r2, [r1, #10]	; 0xa
+    1418:	e15f29ba	ldrh	r2, =0xc0	; via 0x1386
+    141c:	e1c120bc	strh	r2, [r1, #12]	; 0xc
+    1420:	e15f2ab0	ldrh	r2, =0x40	; via 0x1388
+    1424:	e1c120b8	strh	r2, [r1, #8]
+    1428:	e15f2ab6	ldrh	r2, =0x2a	; via 0x138a
+    142c:	e1c120be	strh	r2, [r1, #14]	; 0xe
+    1430:	e59f0020	ldr	r0, =0x107921c	; via 0x1458
+    1434:	e3a01b01	mov	r1, #1024	; 0x400
+    1438:	e2411004	sub	r1, r1, #4
+    143c:	e0802001	add	r2, r0, r1
+    1440:	e3c22003	bic	r2, r2, #3
+    1444:	e1a0d002	mov	sp, r2
+    1448:	e92d100f	stmdb	sp!, {r0, r1, r2, r3, r12}
+    144c:	eb000046	bl	0x156c
+    1450:	e8bd100f	ldmia	sp!, {r0, r1, r2, r3, r12}
+    1454:	ea003afd	b	0x10050
+    1458:	0107921c
+
+_sta_select_application:	(ARM->Thumb veneer)
+    156c:	e92d4000	stmdb	sp!, {lr}
+    1570:	e28fe001	add	lr, pc, #1
+    1574:	e12fff1e	bx	lr
+    1578:	f7ff fd63	bl	0x1042
+    157c:	4778		bx	pc
+    157e:	46c0		nop			(mov r8, r8)
+    1580:	e8bd8000	ldmia	sp!, {pc}
+
+; branch target addresses differ from TCS211
+   10000:	ea0000bf	b	0x10304
+   10004:	ea0000c4	b	0x1031c
+   10008:	ea0000c9	b	0x10334
+   1000c:	ea0000ce	b	0x1034c
+   10010:	ea0000d3	b	0x10364
+   10014:	ea0000b0	b	0x102dc
+   10018:	ea0000b4	b	0x102f0
+
+; Constant pool
+; Difference between this version and TCS211: the newer TCS211 version
+; includes constants 0xFFFEF006 and 0x00000008 for the 8 MiB
+; memory bank setup.  This difference must be responsible for the
+; 0x10050 vs. 0x10058 discrepancy.
+
+   1001c:	02a102a1
+   10020:	028302a1
+   10024:	02c00e85
+   10028:	002a0040
+   1002c:	fffffb00
+   10030:	fffffd00
+   10034:	ffff9800
+   10038:	fffffb10
+   1003c:	ffffff08
+   10040:	20021081
+   10044:	f7ff0800
+   10048:	00000000
+   1004c:	0001047c	; .cinit base
+
+_INT_Initialize:
+; beginning matches TCS211
+   10050:	e51f1024	ldr	r1, =0xffff9800	; via 0x10034
+   10054:	e15f21ba	ldrh	r2, =0x2002	; via 0x10042
+   10058:	e1c120b0	strh	r2, [r1]
+   1005c:	e5912000	ldr	r2, [r1]
+   10060:	e2022001	and	r2, r2, #1
+   10064:	e3520001	cmp	r2, #1
+   10068:	0afffffb	beq	0x1005c
+   1006c:	e51f1044	ldr	r1, =0xfffffd00	; via 0x10030
+   10070:	e15f23b8	ldrh	r2, =0x1081	; via 0x10040
+   10074:	e1c120b0	strh	r2, [r1]
+   10078:	e51f1048	ldr	r1, =0xfffffb10	; via 0x10038
+   1007c:	e15f23be	ldrh	r2, =0xf7ff	; via 0x10046
+   10080:	e1d100b0	ldrh	r0, [r1]
+   10084:	e0000002	and	r0, r0, r2
+   10088:	e1c100b0	strh	r0, [r1]
+   1008c:	e51f1058	ldr	r1, =0xffffff08	; via 0x1003c
+   10090:	e15f25b0	ldrh	r2, =0x0	; via 0x10048
+   10094:	e1c120b0	strh	r2, [r1]
+   10098:	e51f1074	ldr	r1, =0xfffffb00	; via 0x1002c
+   1009c:	e15f28b8	ldrh	r2, =0x2a1	; via 0x1001c
+   100a0:	e1c120b0	strh	r2, [r1]
+   100a4:	e15f28be	ldrh	r2, =0x2a1	; via 0x1001e
+   100a8:	e1c120b2	strh	r2, [r1, #2]
+   100ac:	e15f29b4	ldrh	r2, =0x2a1	; via 0x10020
+   100b0:	e1c120b4	strh	r2, [r1, #4]
+   100b4:	e15f29ba	ldrh	r2, =0x283	; via 0x10022
+   100b8:	e1c120b6	strh	r2, [r1, #6]
+   100bc:	e15f2ab0	ldrh	r2, =0xe85	; via 0x10024
+   100c0:	e1c120ba	strh	r2, [r1, #10]	; 0xa
+   100c4:	e15f2ab6	ldrh	r2, =0x2c0	; via 0x10026
+   100c8:	e1c120bc	strh	r2, [r1, #12]	; 0xc
+   100cc:	e15f2abc	ldrh	r2, =0x40	; via 0x10028
+   100d0:	e1c120b8	strh	r2, [r1, #8]
+   100d4:	e15f2bb2	ldrh	r2, =0x2a	; via 0x1002a
+   100d8:	e1c120be	strh	r2, [r1, #14]	; 0xe
+; TCS211 version does the 8 MiB memory bank setup at this point
+   100dc:	e10f0000	mrs	r0, CPSR
+   100e0:	e3c0001f	bic	r0, r0, #31	; 0x1f
+   100e4:	e3800013	orr	r0, r0, #19	; 0x13
+   100e8:	e38000c0	orr	r0, r0, #192	; 0xc0
+   100ec:	e129f000	msr	CPSR_fc, r0
+; bss clearing is done inline here, whereas TCS211 version calls _INT_memset
+   100f0:	e59f0304	ldr	r0, =0x1000cf4	; via 0x103fc
+   100f4:	e3a02000	mov	r2, #0
+   100f8:	e59f1300	ldr	r1, =0x107921c	; via 0x10400
+   100fc:	e4802004	str	r2, [r0], #4
+   10100:	e1500001	cmp	r0, r1
+   10104:	1afffffc	bne	0x100fc
+   10108:	e59f02f4	ldr	r0, =0x819450	; via 0x10404
+   1010c:	e3a02000	mov	r2, #0
+   10110:	e59f12f0	ldr	r1, =0x83eda0	; via 0x10408
+   10114:	e4802004	str	r2, [r0], #4
+   10118:	e1500001	cmp	r0, r1
+   1011c:	1afffffc	bne	0x10114
+; setting _INT_Loaded_Flag?
+; code matches TCS211 0x10150 from this point onward
+   10120:	e3a00001	mov	r0, #1
+   10124:	e59f12e4	ldr	r1, =0x107916c	; via 0x10410
+   10128:	e5810000	str	r0, [r1]
+; stack setup matching 0x1015c in TCS211
+   1012c:	e59f02d8	ldr	r0, =0x1079308	; via 0x1040c
+   10130:	e3a01b01	mov	r1, #1024	; 0x400
+   10134:	e2411004	sub	r1, r1, #4
+   10138:	e0802001	add	r2, r0, r1
+   1013c:	e1a0a000	mov	r10, r0
+   10140:	e59f32cc	ldr	r3, =0x83c148	; via 0x10414
+   10144:	e583a000	str	r10, [r3]
+   10148:	e1a0d002	mov	sp, r2
+   1014c:	e59f32c4	ldr	r3, =0x83c26c	; via 0x10418
+   10150:	e583d000	str	sp, [r3]
+   10154:	e3a01080	mov	r1, #128	; 0x80
+   10158:	e0822001	add	r2, r2, r1
+   1015c:	e10f0000	mrs	r0, CPSR
+   10160:	e3c0001f	bic	r0, r0, #31	; 0x1f
+   10164:	e3800012	orr	r0, r0, #18	; 0x12
+   10168:	e129f000	msr	CPSR_fc, r0
+   1016c:	e1a0d002	mov	sp, r2
+   10170:	e3a01c02	mov	r1, #512	; 0x200
+   10174:	e0822001	add	r2, r2, r1
+   10178:	e10f0000	mrs	r0, CPSR
+   1017c:	e3c0001f	bic	r0, r0, #31	; 0x1f
+   10180:	e3800011	orr	r0, r0, #17	; 0x11
+   10184:	e129f000	msr	CPSR_fc, r0
+   10188:	e1a0d002	mov	sp, r2
+   1018c:	e10f0000	mrs	r0, CPSR
+   10190:	e3c0001f	bic	r0, r0, #31	; 0x1f
+   10194:	e3800017	orr	r0, r0, #23	; 0x17
+   10198:	e129f000	msr	CPSR_fc, r0
+   1019c:	e59fd288	ldr	sp, =0x1079270	; via 0x1042c
+   101a0:	e10f0000	mrs	r0, CPSR
+   101a4:	e3c0001f	bic	r0, r0, #31	; 0x1f
+   101a8:	e380001b	orr	r0, r0, #27	; 0x1b
+   101ac:	e129f000	msr	CPSR_fc, r0
+   101b0:	e59fd274	ldr	sp, =0x1079270	; via 0x1042c
+   101b4:	e10f0000	mrs	r0, CPSR
+   101b8:	e3c0001f	bic	r0, r0, #31	; 0x1f
+   101bc:	e3800013	orr	r0, r0, #19	; 0x13
+   101c0:	e129f000	msr	CPSR_fc, r0
+   101c4:	e59f3250	ldr	r3, =0x83c0b0	; via 0x1041c
+   101c8:	e2822004	add	r2, r2, #4
+   101cc:	e5832000	str	r2, [r3]
+   101d0:	e3a01b01	mov	r1, #1024	; 0x400
+   101d4:	e3c11003	bic	r1, r1, #3
+   101d8:	e0822001	add	r2, r2, r1
+   101dc:	e59f323c	ldr	r3, =0x83c134	; via 0x10420
+   101e0:	e5831000	str	r1, [r3]
+   101e4:	e3a01002	mov	r1, #2
+   101e8:	e59f3234	ldr	r3, =0x83c144	; via 0x10424
+   101ec:	e5831000	str	r1, [r3]
+   101f0:	e1a04002	mov	r4, r2
+   101f4:	eb09153c	bl	0x2556ec	; _f_load_int_mem
+   101f8:	e1a02004	mov	r2, r4
+   101fc:	e59f1210	ldr	r1, =0x83c148	; via 0x10414
+   10200:	e5910000	ldr	r0, [r1]
+   10204:	e3a030fe	mov	r3, #254	; 0xfe
+   10208:	e5c03000	strb	r3, [r0]
+   1020c:	e5c03001	strb	r3, [r0, #1]
+   10210:	e5c03002	strb	r3, [r0, #2]
+   10214:	e5c03003	strb	r3, [r0, #3]
+   10218:	e4903004	ldr	r3, [r0], #4
+   1021c:	e4803004	str	r3, [r0], #4
+   10220:	e1500002	cmp	r0, r2
+   10224:	bafffffc	blt	0x1021c
+   10228:	e51f01e4	ldr	r0, =0x1047c	; via 0x1004c
+   1022c:	e3700001	cmn	r0, #1
+   10230:	1b00007f	blne	0x10434		; _auto_init
+   10234:	e59f01ec	ldr	r0, =0x1078744	; via 0x10428
+   10238:	ea09151f	b	0x2556bc	; _INC_Initialize
+
+; $Init_Target:
+  2458f0:	b570		push	{r4, r5, r6, lr}
+  2458f2:	b081		sub	sp, #4
+; write 0x6000 into FFFE:F008 like TCS211
+  2458f4:	4d62		ldr	r5, =0xfffef006	; via 0x245a80
+  2458f6:	2003		mov	r0, #3
+  2458f8:	0340		lsl	r0, r0, #13
+  2458fa:	8068		strh	r0, [r5, #2]
+; TM_DisableWatchdog() ?
+  2458fc:	f006 fd03	bl	0x24c306
+; 8 MiB memory bank setup
+  245900:	2008		mov	r0, #8
+  245902:	8829		ldrh	r1, [r5, #0]
+  245904:	4308		orr	r0, r1
+  245906:	8028		strh	r0, [r5, #0]
+
+; CNTL_CLK (FFFF:FD02) register setup
+;
+; TCS211 does this:
+;	CNTL_CLK |= 0x0005;
+;	CNTL_CLK &= 0xFF3F;
+;	CNTL_CLK |= 0x0080;
+;	CNTL_CLK &= 0xFFDF;
+;
+; The present version does this:
+;	CNTL_CLK  = 0x0005;
+;	CNTL_CLK &= 0xFF3F;
+;	CNTL_CLK &= 0xFFDF;
+;
+; Difference 1: initial straight write vs. OR: it must be the effect
+;		of the change in the definition of the CLKM_INITCNTL()
+;		macro seen in the diff between MV100 and Sotovik versions.
+;
+; Difference 2: VTCXO_DIV2 bit setting for Clara (13 MHz) vs. Rita (26 MHz)
+
+  245908:	485e		ldr	r0, =0xfffffd02	; via 0x245a84
+  24590a:	2105		mov	r1, #5
+  24590c:	8001		strh	r1, [r0, #0]
+  24590e:	495e		ldr	r1, =0xff3f	; via 0x245a88
+  245910:	8802		ldrh	r2, [r0, #0]
+  245912:	4011		and	r1, r2
+  245914:	8001		strh	r1, [r0, #0]
+  245916:	495d		ldr	r1, =0xffdf	; via 0x245a8c
+  245918:	8802		ldrh	r2, [r0, #0]
+  24591a:	4011		and	r1, r2
+  24591c:	8001		strh	r1, [r0, #0]
+
+; RHEA_CNTL_REG setup: this version writes 0x7F00, TCS211 writes 0xFF00
+  24591e:	4e5c		ldr	r6, =0xfffff900	; via 0x245a90
+  245920:	207f		mov	r0, #127	; 0x7f
+  245922:	0200		lsl	r0, r0, #8
+  245924:	8030		strh	r0, [r6, #0]
+
+; PLL setup: the code structure (sequence of steps) is the same as in TCS211,
+; but the PLL multiplier is set to 6 instead of 8.  Thus the DSP runs at
+; 78 MHz and the ARM runs at 39 MHz.
+  245926:	4c5b		ldr	r4, =0xffff9800	; via 0x245a94
+  245928:	485b		ldr	r0, =0xfff3	; via 0x245a98
+  24592a:	8821		ldrh	r1, [r4, #0]
+  24592c:	4008		and	r0, r1
+  24592e:	8020		strh	r0, [r4, #0]
+  245930:	8820		ldrh	r0, [r4, #0]
+  245932:	8020		strh	r0, [r4, #0]
+  245934:	4859		ldr	r0, =0xf01f	; via 0x245a9c
+  245936:	8821		ldrh	r1, [r4, #0]
+  245938:	4008		and	r0, r1
+  24593a:	8020		strh	r0, [r4, #0]
+  24593c:	2003		mov	r0, #3
+  24593e:	0200		lsl	r0, r0, #8
+  245940:	8821		ldrh	r1, [r4, #0]
+  245942:	4308		orr	r0, r1
+  245944:	8020		strh	r0, [r4, #0]
+
+; ARM clock setup: divide by 2 like in TCS211
+  245946:	2000		mov	r0, #0
+  245948:	2102		mov	r1, #2
+  24594a:	2200		mov	r2, #0
+  24594c:	f007 fe00	bl	0x24d550
+
+; Memory timings: definitely peculiar
+  245950:	4953		ldr	r1, =0xfffffb00	; via 0x245aa0
+  245952:	20a5		mov	r0, #165	; 0xa5
+  245954:	8008		strh	r0, [r1, #0]
+  245956:	8048		strh	r0, [r1, #2]
+  245958:	20a2		mov	r0, #162	; 0xa2
+  24595a:	8088		strh	r0, [r1, #4]
+  24595c:	2085		mov	r0, #133	; 0x85
+  24595e:	80c8		strh	r0, [r1, #6]
+  245960:	2080		mov	r0, #128	; 0x80
+  245962:	8148		strh	r0, [r1, #10]	; 0xa
+  245964:	200b		mov	r0, #11	; 0xb
+  245966:	0180		lsl	r0, r0, #6
+  245968:	8188		strh	r0, [r1, #12]	; 0xc
+  24596a:	2040		mov	r0, #64	; 0x40
+  24596c:	8108		strh	r0, [r1, #8]
+
+; FFFF:F902 and FFFF:F904 registers set up exactly the same as in TCS211
+  24596e:	2020		mov	r0, #32	; 0x20
+  245970:	8070		strh	r0, [r6, #2]
+  245972:	2000		mov	r0, #0
+  245974:	80b0		strh	r0, [r6, #4]
+
+; PLL turn-on just like in TCS211
+  245976:	2010		mov	r0, #16	; 0x10
+  245978:	8821		ldrh	r1, [r4, #0]
+  24597a:	4308		orr	r0, r1
+  24597c:	8020		strh	r0, [r4, #0]
+
+; remaining Target_Init() code not studied yet
+  24597e:	4849		ldr	r0, =0xfffffa08	; via 0x245aa4
+  245980:	4949		ldr	r1, =0xffff	; via 0x245aa8
+  245982:	8001		strh	r1, [r0, #0]
+  245984:	241f		mov	r4, #31	; 0x1f
+  245986:	8044		strh	r4, [r0, #2]
+  245988:	2103		mov	r1, #3
+  24598a:	8181		strh	r1, [r0, #12]	; 0xc
+  24598c:	f005 fc28	bl	0x24b1e0
+  245990:	4846		ldr	r0, =0xfffffc00	; via 0x245aac
+  245992:	2124		mov	r1, #36	; 0x24
+  245994:	8001		strh	r1, [r0, #0]
+  245996:	210d		mov	r1, #13	; 0xd
+  245998:	8041		strh	r1, [r0, #2]
+  24599a:	2300		mov	r3, #0
+  24599c:	4844		ldr	r0, =0xfffe2016	; via 0x245ab0
+  24599e:	8003		strh	r3, [r0, #0]
+  2459a0:	4844		ldr	r0, =0xfffe2014	; via 0x245ab4
+  2459a2:	2102		mov	r1, #2
+  2459a4:	8001		strh	r1, [r0, #0]
+  2459a6:	4844		ldr	r0, =0xfffe2002	; via 0x245ab8
+  2459a8:	2184		mov	r1, #132	; 0x84
+  2459aa:	8001		strh	r1, [r0, #0]
+  2459ac:	4943		ldr	r1, =0xfffe2000	; via 0x245abc
+  2459ae:	4844		ldr	r0, =0x3de0	; via 0x245ac0
+  2459b0:	8008		strh	r0, [r1, #0]
+  2459b2:	4a44		ldr	r2, =0xfffe2022	; via 0x245ac4
+  2459b4:	2009		mov	r0, #9
+  2459b6:	8010		strh	r0, [r2, #0]
+  2459b8:	4843		ldr	r0, =0xfffe2020	; via 0x245ac8
+  2459ba:	4a44		ldr	r2, =0x45a	; via 0x245acc
+  2459bc:	8002		strh	r2, [r0, #0]
+  2459be:	4844		ldr	r0, =0xfffe201e	; via 0x245ad0
+  2459c0:	22b4		mov	r2, #180	; 0xb4
+  2459c2:	8002		strh	r2, [r0, #0]
+  2459c4:	4843		ldr	r0, =0xfffe201c	; via 0x245ad4
+  2459c6:	8004		strh	r4, [r0, #0]
+  2459c8:	1c1c		add	r4, r3, #0
+  2459ca:	4843		ldr	r0, =0xfffe2024	; via 0x245ad8
+  2459cc:	8004		strh	r4, [r0, #0]
+  2459ce:	4b43		ldr	r3, =0xfffe2010	; via 0x245adc
+  2459d0:	2002		mov	r0, #2
+  2459d2:	881a		ldrh	r2, [r3, #0]
+  2459d4:	4310		orr	r0, r2
+  2459d6:	8018		strh	r0, [r3, #0]
+  2459d8:	4840		ldr	r0, =0xfffe2010	; via 0x245adc
+  2459da:	2304		mov	r3, #4
+  2459dc:	8802		ldrh	r2, [r0, #0]
+  2459de:	4313		orr	r3, r2
+  2459e0:	8003		strh	r3, [r0, #0]
+  2459e2:	2027		mov	r0, #39	; 0x27
+  2459e4:	80e8		strh	r0, [r5, #6]
+  2459e6:	8a08		ldrh	r0, [r1, #16]	; 0x10
+  2459e8:	0840		lsr	r0, r0, #1
+  2459ea:	d310		bcc	0x245a0e
+  2459ec:	8a08		ldrh	r0, [r1, #16]	; 0x10
+  2459ee:	0400		lsl	r0, r0, #16
+  2459f0:	0c40		lsr	r0, r0, #17
+  2459f2:	0040		lsl	r0, r0, #1
+  2459f4:	8208		strh	r0, [r1, #16]	; 0x10
+  2459f6:	2001		mov	r0, #1
+  2459f8:	9000		str	r0, [sp, #0]
+  2459fa:	e002		b	0x245a02
+  2459fc:	9800		ldr	r0, [sp, #0]
+  2459fe:	3001		add	r0, #1
+  245a00:	9000		str	r0, [sp, #0]
+  245a02:	9800		ldr	r0, [sp, #0]
+  245a04:	2832		cmp	r0, #50	; 0x32
+  245a06:	d3f9		bcc	0x2459fc
+  245a08:	8a48		ldrh	r0, [r1, #18]	; 0x12
+  245a0a:	2800		cmp	r0, #0
+  245a0c:	d0fc		beq	0x245a08
+  245a0e:	f006 fdbf	bl	0x24c590
+  245a12:	f006 fdc3	bl	0x24c59c
+  245a16:	2027		mov	r0, #39	; 0x27
+  245a18:	0500		lsl	r0, r0, #20
+  245a1a:	8004		strh	r4, [r0, #0]
+  245a1c:	2001		mov	r0, #1
+  245a1e:	f006 fc80	bl	0x24c322
+  245a22:	2002		mov	r0, #2
+  245a24:	f006 fc7d	bl	0x24c322
+  245a28:	b001		add	sp, #4
+  245a2a:	bd70		pop	{r4, r5, r6, pc}
+
+; $Init_Drivers:
+  245a2c:	b500		push	{lr}
+  245a2e:	f7ce f9b0	bl	0x213d92
+  245a32:	f7af fb41	bl	0x1f50b8
+  245a36:	f7da fd20	bl	0x22047a
+  245a3a:	f755 fc4f	bl	0x19b2dc
+  245a3e:	bd00		pop	{pc}
+
+; $Init_Serial_Flows:
+  245a40:	b500		push	{lr}
+  245a42:	4827		ldr	r0, =0x10786fc	; via 0x245ae0
+  245a44:	f795 f98e	bl	0x1dad64
+  245a48:	2000		mov	r0, #0
+  245a4a:	2102		mov	r1, #2
+  245a4c:	2200		mov	r2, #0
+  245a4e:	f795 fbdc	bl	0x1db20a
+  245a52:	f795 fc51	bl	0x1db2f8
+  245a56:	bd00		pop	{pc}
+
+; $Init_Unmask_IT:
+  245a58:	b500		push	{lr}
+  245a5a:	2004		mov	r0, #4
+  245a5c:	f005 fc21	bl	0x24b2a2
+  245a60:	2012		mov	r0, #18	; 0x12
+  245a62:	f005 fc1e	bl	0x24b2a2
+  245a66:	2007		mov	r0, #7
+  245a68:	f005 fc1b	bl	0x24b2a2
+  245a6c:	2008		mov	r0, #8
+  245a6e:	f005 fc18	bl	0x24b2a2
+  245a72:	bd00		pop	{pc}
+
+; The following BX LR instructions must be empty functions in the same init
+; module as the recognizable functions above, as they lie between the previous
+; code and its associated literal pool.
+  245a74:	4770		bx	lr
+  245a76:	4770		bx	lr
+  245a78:	4770		bx	lr
+  245a7a:	4770		bx	lr
+  245a7c:	4770		bx	lr
+  245a7e:	4770		bx	lr
+
+; Appears to the old Thumb implementation of f_load_int_mem(),
+; differs from TCS211 version which is ARM and appears to be assembly
+  250408:	b5f0		push	{r4, r5, r6, r7, lr}
+  25040a:	4640		mov	r0, r8
+  25040c:	4649		mov	r1, r9
+  25040e:	4652		mov	r2, r10
+  250410:	465b		mov	r3, r11
+  250412:	b40f		push	{r0, r1, r2, r3}
+  250414:	4f22		ldr	r7, =0x1079168	; via 0x2504a0
+  250416:	2000		mov	r0, #0
+  250418:	8038		strh	r0, [r7, #0]
+  25041a:	4922		ldr	r1, =0x107916a	; via 0x2504a4
+  25041c:	4688		mov	r8, r1
+  25041e:	8008		strh	r0, [r1, #0]
+  250420:	4821		ldr	r0, =0x800000	; via 0x2504a8
+  250422:	4922		ldr	r1, =0x81944c	; via 0x2504ac
+  250424:	1a09		sub	r1, r1, r0
+  250426:	3904		sub	r1, #4
+  250428:	468c		mov	r12, r1
+  25042a:	2104		mov	r1, #4
+  25042c:	180e		add	r6, r1, r0
+  25042e:	1c30		add	r0, r6, #0
+  250430:	4661		mov	r1, r12
+  250432:	f7ff ffe0	bl	0x2503f6
+  250436:	4c1e		ldr	r4, =0x83eda4	; via 0x2504b0
+  250438:	481e		ldr	r0, =0x83f294	; via 0x2504b4
+  25043a:	1b05		sub	r5, r0, r4
+  25043c:	1c20		add	r0, r4, #0
+  25043e:	1c29		add	r1, r5, #0
+  250440:	f7ff ffd9	bl	0x2503f6
+  250444:	481c		ldr	r0, =0x20508	; via 0x2504b8
+  250446:	4681		mov	r9, r0
+  250448:	4661		mov	r1, r12
+  25044a:	f7ff ffc7	bl	0x2503dc
+  25044e:	4682		mov	r10, r0
+  250450:	8038		strh	r0, [r7, #0]
+  250452:	481a		ldr	r0, =0x155e8	; via 0x2504bc
+  250454:	4683		mov	r11, r0
+  250456:	1c29		add	r1, r5, #0
+  250458:	f7ff ffc0	bl	0x2503dc
+  25045c:	4651		mov	r1, r10
+  25045e:	1808		add	r0, r1, r0
+  250460:	8038		strh	r0, [r7, #0]
+  250462:	4648		mov	r0, r9
+  250464:	4661		mov	r1, r12
+  250466:	1c32		add	r2, r6, #0
+  250468:	f7ff ffae	bl	0x2503c8
+  25046c:	4658		mov	r0, r11
+  25046e:	1c29		add	r1, r5, #0
+  250470:	1c22		add	r2, r4, #0
+  250472:	f7ff ffa9	bl	0x2503c8
+  250476:	1c30		add	r0, r6, #0
+  250478:	4661		mov	r1, r12
+  25047a:	f7ff ffaf	bl	0x2503dc
+  25047e:	1c06		add	r6, r0, #0
+  250480:	4640		mov	r0, r8
+  250482:	8006		strh	r6, [r0, #0]
+  250484:	1c20		add	r0, r4, #0
+  250486:	1c29		add	r1, r5, #0
+  250488:	f7ff ffa8	bl	0x2503dc
+  25048c:	1830		add	r0, r6, r0
+  25048e:	4641		mov	r1, r8
+  250490:	8008		strh	r0, [r1, #0]
+  250492:	bc0f		pop	{r0, r1, r2, r3}
+  250494:	4680		mov	r8, r0
+  250496:	4689		mov	r9, r1
+  250498:	4692		mov	r10, r2
+  25049a:	469b		mov	r11, r3
+  25049c:	bdf0		pop	{r4, r5, r6, r7, pc}
+
+; $INC_Initialize:
+  254654:	b530		push	{r4, r5, lr}
+  254656:	1c05		add	r5, r0, #0
+  254658:	4c13		ldr	r4, =0x1079150	; via 0x2546a8
+  25465a:	2001		mov	r0, #1
+  25465c:	6020		str	r0, [r4, #0]
+  25465e:	f001 f9eb	bl	0x255a38
+  254662:	f001 f9ed	bl	0x255a40
+  254666:	f001 f9ad	bl	0x2559c4
+  25466a:	f000 fd45	bl	0x2550f8
+  25466e:	f7fb ffa3	bl	0x2505b8
+  254672:	f000 ff0d	bl	0x255490
+  254676:	f000 fedb	bl	0x255430
+  25467a:	f000 fef9	bl	0x255470
+  25467e:	f000 fec7	bl	0x255410
+  254682:	f000 ff25	bl	0x2554d0
+  254686:	f000 fee3	bl	0x255450
+  25468a:	f000 ff31	bl	0x2554f0
+  25468e:	f7fe faef	bl	0x252c70
+  254692:	f000 ff0d	bl	0x2554b0
+  254696:	1c28		add	r0, r5, #0
+  254698:	f000 fda5	bl	0x2551e6	; app init
+  25469c:	2002		mov	r0, #2
+  25469e:	6020		str	r0, [r4, #0]
+  2546a0:	f001 fefa	bl	0x256498	; $TCT_Schedule veneer
+  2546a4:	bd30		pop	{r4, r5, pc}
+
+; $Application_Initialize:
+  2551e6:	b500		push	{lr}
+  2551e8:	f7f0 fb82	bl	0x2458f0	; $Init_Target
+  2551ec:	f7f0 fc1e	bl	0x245a2c	; $Init_Drivers
+  2551f0:	f001 fa82	bl	0x2566f8	; $Cust_Init_Layer1
+  2551f4:	f7f0 fc24	bl	0x245a40	; $Init_Serial_Flows
+  2551f8:	f7a0 fba6	bl	0x1f5948	; $StartFrame
+  2551fc:	f7f0 fc2c	bl	0x245a58	; $Init_Unmask_IT
+  255200:	bd00		pop	{pc}
+
+  2556a4:	e58de004	str	lr, [sp, #4]
+  2556a8:	e28fe001	add	lr, pc, #1
+  2556ac:	e12fff1e	bx	lr
+  2556b0:	f7e8 f8e6	bl	0x23d880
+  2556b4:	4778		bx	pc
+  2556b6:	46c0		nop			(mov r8, r8)
+  2556b8:	e59df004	ldr	pc, [sp, #4]
+
+; _INC_Initialize call veneer
+  2556bc:	e92d4000	stmdb	sp!, {lr}
+  2556c0:	e28fe001	add	lr, pc, #1
+  2556c4:	e12fff1e	bx	lr
+  2556c8:	f7fe ffc4	bl	0x254654
+  2556cc:	4778		bx	pc
+  2556ce:	46c0		nop			(mov r8, r8)
+  2556d0:	e8bd8000	ldmia	sp!, {pc}
+
+  2556d4:	e92d4000	stmdb	sp!, {lr}
+  2556d8:	e28fe001	add	lr, pc, #1
+  2556dc:	e12fff1e	bx	lr
+  2556e0:	f7e7 fb27	bl	0x23cd32
+  2556e4:	4778		bx	pc
+  2556e6:	46c0		nop			(mov r8, r8)
+  2556e8:	e8bd8000	ldmia	sp!, {pc}
+
+; _f_load_int_mem call veneer
+  2556ec:	e92d4000	stmdb	sp!, {lr}
+  2556f0:	e28fe001	add	lr, pc, #1
+  2556f4:	e12fff1e	bx	lr
+  2556f8:	f7fa fe86	bl	0x250408
+  2556fc:	4778		bx	pc
+  2556fe:	46c0		nop			(mov r8, r8)
+  255700:	e8bd8000	ldmia	sp!, {pc}
+
+  255704:	e92d4000	stmdb	sp!, {lr}
+  255708:	e28fe001	add	lr, pc, #1
+  25570c:	e12fff1e	bx	lr
+  255710:	f7ff fd69	bl	0x2551e6
+  255714:	4778		bx	pc
+  255716:	46c0		nop			(mov r8, r8)
+  255718:	e8bd8000	ldmia	sp!, {pc}
+
+  25571c:	e92d4000	stmdb	sp!, {lr}
+  255720:	e28fe001	add	lr, pc, #1
+  255724:	e12fff1e	bx	lr
+  255728:	f76e f932	bl	0x1c3990
+  25572c:	4778		bx	pc
+  25572e:	46c0		nop			(mov r8, r8)
+  255730:	e8bd8000	ldmia	sp!, {pc}
+
+  255734:	e92d4000	stmdb	sp!, {lr}
+  255738:	e28fe001	add	lr, pc, #1
+  25573c:	e12fff1e	bx	lr
+  255740:	f7a6 fe10	bl	0x1fc364
+  255744:	4778		bx	pc
+  255746:	46c0		nop			(mov r8, r8)
+  255748:	e8bd8000	ldmia	sp!, {pc}
+
+  25574c:	e92d4000	stmdb	sp!, {lr}
+  255750:	e28fe001	add	lr, pc, #1
+  255754:	e12fff1e	bx	lr
+  255758:	f6f4 fa10	bl	0x149b7c
+  25575c:	4778		bx	pc
+  25575e:	46c0		nop			(mov r8, r8)
+  255760:	e8bd8000	ldmia	sp!, {pc}
+
+  255764:	e92d4000	stmdb	sp!, {lr}
+  255768:	e28fe001	add	lr, pc, #1
+  25576c:	e12fff1e	bx	lr
+  255770:	f785 ff3b	bl	0x1db5ea
+  255774:	4778		bx	pc
+  255776:	46c0		nop			(mov r8, r8)
+  255778:	e8bd8000	ldmia	sp!, {pc}
+
+  25577c:	e92d4000	stmdb	sp!, {lr}
+  255780:	e28fe001	add	lr, pc, #1
+  255784:	e12fff1e	bx	lr
+  255788:	f785 ff10	bl	0x1db5ac
+  25578c:	4778		bx	pc
+  25578e:	46c0		nop			(mov r8, r8)
+  255790:	e8bd8000	ldmia	sp!, {pc}
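Review bot: The literal pools behind most of the `via 0x…` annotations are missing from the listing: the early pools (0x1378–0x13a0, 0x1458 and 0x1001c–0x1004c) are dumped, but those at 0x103fc–0x1042c, 0x245a80–0x245ae0, 0x2504a0–0x2504bc and 0x2546a8 are not, so the register addresses and constants decoded in `_INT_Initialize`, `$Init_Target`, the Thumb f_load_int_mem and `$INC_Initialize` cannot be checked from this file alone. Dumping those pools the same way, and adding a header line such as `; image: <size in bytes>, SHA-256 <digest of the read-out image>`, would let a reader confirm they are comparing against the same 20020917 image. Two label nits: the veneer at 0x255704 branches to 0x2551e6, which the listing names `$Application_Initialize`, so it could carry `; _Application_Initialize call veneer` like the labelled veneers at 0x2556bc and 0x2556ec, and the routine is `$Init_Target` at 0x2458f0 but `Target_Init()` in the comment before 0x24597e. The comment before 0x250408 should read `Appears to be the old Thumb implementation of f_load_int_mem(),`.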