--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/pirelli/flash2-chksum	Sun Dec 25 23:48:16 2016 +0000
@@ -0,0 +1,33 @@
+Pirelli's flash usage scheme allocates 3 "magic" areas in the flash2 bank:
+
+offset 0x480000 thru 0x7DFFFF: staging area for high-level fw updates
+offset 0x7E0000 thru 0x7EFFFF: fw update control/state structure
+offset 0x7F0000 thru 0x7FFFFF: factory record with IMEI and RF calibration
+
+The image or record stored in each of these "magic" areas ends with the
+following 12-byte signature and checksum structure:
+
+Offset[1]	Type[2]		Contains
+xxFFF4		32-bit word	0x12345678
+xxFFF8		32-bit word	Length of the fw update image or factory or
+				fw update state record
+xxFFFC		16-bit word	Checksum 1
+xxFFFE		16-bit word	Checksum 2
+
+[1] The offset is from the beginning of the flash partition in question, the
+    xx digits will be 35 in the case of the 0x360000 byte fw update staging
+    area partition or 00 in the case of the two 64 KiB sectors.
+
+[2] All 16-bit and 32-bit values are in little-endian byte order.
+
+Checksum computation
+====================
+
+The checksum is computed in two stages.  First all 16-bit words in the main
+body of the image (using the image length from the xxFFF8 word) are added
+together as a ripple-carry sum, and this 16-bit sum is written into the 0xFFFC
+word.  Then the 5 16-bit words from xxFFF4 through xxFFFC (inclusive) are added
+together (again as a ripple-carry sum), and this sum is written into the xxFFFE
+word.  Remember the little-endian byte order throughout!
+
+The ../miscprog/pircksum2.c program verifies this checksum computation scheme.