analysis of ultra-malicious new C123 boot code from Ajay Fuloria

; The present work is a disassembly analysis of the 20020917 firmware image
; read out of our vintage D-Sample C05 board.

       0:	ea0004e7	b	0x13a4	; reset vector -> _INT_Bootloader_Start
       4:	ea003ffd	b	0x10000	; undefined instruction -> second-stage table at 0x10000
       8:	ea003ffd	b	0x10004	; SWI
       c:	ea003ffd	b	0x10008	; prefetch abort
      10:	ea003ffd	b	0x1000c	; data abort
      14:	ea003ffd	b	0x10010	; reserved vector
      18:	ea003ffd	b	0x10014	; IRQ
      1c:	ea003ffd	b	0x10018	; FIQ
; All seven non-reset vectors use the same encoding (ea003ffd): each is a
; PC-relative branch with the same displacement, so vector 4*n lands on the
; trampoline at 0x10000 + 4*(n-1).

; constant pool before _INT_Bootloader_Start matches TCS211
; Words are consumed as halfwords by the ldrh =imm loads below, so one word
; can feed two different register writes (see 0x139c).
    1378:	fffffb00
    137c:	02a102a1
    1380:	028302a1
    1384:	00c00281
    1388:	002a0040
    138c:	fffffd00
    1390:	ffff9800
    1394:	fffffb10
    1398:	ffffff08
    139c:	20061081	; low half 0x1081 via 0x139c, high half 0x2006 via 0x139e
    13a0:	00000800	; low half 0x0800 via 0x13a0, high half 0x0000 via 0x13a2

_INT_Bootloader_Start:	; code fully matches TCS211
; Register use: r1 = I/O register address, r2 = value to write, r0 = scratch
; and later the stack base.  Sets up a temporary 1 KiB stack, calls
; _sta_select_application through the ARM->Thumb veneer at 0x156c and then
; tail-branches to _INT_Initialize; this code never returns.
    13a4:	e51f101c	ldr	r1, =0xffff9800	; via 0x1390
    13a8:	e15f21b2	ldrh	r2, =0x2006	; via 0x139e
    13ac:	e1c120b0	strh	r2, [r1]
; Busy-poll: loop while bit 0 of the 32-bit read-back from 0xffff9800 is 1.
; There is no iteration limit, so a bit that never clears hangs the boot here.
    13b0:	e5912000	ldr	r2, [r1]
    13b4:	e2022001	and	r2, r2, #1
    13b8:	e3520001	cmp	r2, #1
    13bc:	0afffffb	beq	0x13b0
    13c0:	e51f103c	ldr	r1, =0xfffffd00	; via 0x138c
    13c4:	e15f23b0	ldrh	r2, =0x1081	; via 0x139c
    13c8:	e1c120b0	strh	r2, [r1]
    13cc:	e51f1040	ldr	r1, =0xfffffb10	; via 0x1394
    13d0:	e15f23b8	ldrh	r2, =0x800	; via 0x13a0
    13d4:	e1d100b0	ldrh	r0, [r1]
    13d8:	e1800002	orr	r0, r0, r2	; read-modify-write: set bit 11 of 0xfffffb10
    13dc:	e1c100b0	strh	r0, [r1]	; (_INT_Initialize clears this same bit again at 0x10084)
    13e0:	e51f1050	ldr	r1, =0xffffff08	; via 0x1398
    13e4:	e15f24ba	ldrh	r2, =0x0	; via 0x13a2
    13e8:	e1c120b0	strh	r2, [r1]
; Seven halfword writes to 0xfffffb00 + {0,2,4,6,10,12,8}.  The same block is
; rewritten with different values by _INT_Initialize (0x10098) and $Init_Target
; (0x245950).
    13ec:	e51f107c	ldr	r1, =0xfffffb00	; via 0x1378
    13f0:	e15f27bc	ldrh	r2, =0x2a1	; via 0x137c
    13f4:	e1c120b0	strh	r2, [r1]
    13f8:	e15f28b2	ldrh	r2, =0x2a1	; via 0x137e
    13fc:	e1c120b2	strh	r2, [r1, #2]
    1400:	e15f28b8	ldrh	r2, =0x2a1	; via 0x1380
    1404:	e1c120b4	strh	r2, [r1, #4]
    1408:	e15f28be	ldrh	r2, =0x283	; via 0x1382
    140c:	e1c120b6	strh	r2, [r1, #6]
    1410:	e15f29b4	ldrh	r2, =0x281	; via 0x1384
    1414:	e1c120ba	strh	r2, [r1, #10]	; 0xa
    1418:	e15f29ba	ldrh	r2, =0xc0	; via 0x1386
    141c:	e1c120bc	strh	r2, [r1, #12]	; 0xc
    1420:	e15f2ab0	ldrh	r2, =0x40	; via 0x1388
    1424:	e1c120b8	strh	r2, [r1, #8]
    1428:	e15f2ab6	ldrh	r2, =0x2a	; via 0x138a
    142c:	e1c120be	strh	r2, [r1, #14]	; 0xe
; Temporary stack: sp = (0x107921c + 1020) & ~3 = 0x1079618, growing down.
    1430:	e59f0020	ldr	r0, =0x107921c	; via 0x1458
    1434:	e3a01b01	mov	r1, #1024	; 0x400
    1438:	e2411004	sub	r1, r1, #4	; r1 = 1020
    143c:	e0802001	add	r2, r0, r1
    1440:	e3c22003	bic	r2, r2, #3	; word-align (already aligned for this base)
    1444:	e1a0d002	mov	sp, r2
; r0-r3, r12 are preserved across the call; lr is not saved because this
; code ends in a plain branch and never returns.
    1448:	e92d100f	stmdb	sp!, {r0, r1, r2, r3, r12}
    144c:	eb000046	bl	0x156c	; _sta_select_application veneer
    1450:	e8bd100f	ldmia	sp!, {r0, r1, r2, r3, r12}
    1454:	ea003afd	b	0x10050	; tail-branch to _INT_Initialize
    1458:	0107921c	; literal: base of the temporary stack

_sta_select_application:	(ARM->Thumb veneer)
; Entered in ARM state.  At 0x1570 pc reads as 0x1578, so lr = 0x1579 and
; bx lr enters Thumb state at 0x1578.  The Thumb bx pc at 0x157c reads
; pc = 0x1580 (bit 0 clear), switching back to ARM for the final pop.
; The Thumb callee at 0x1042 is not on this page.
    156c:	e92d4000	stmdb	sp!, {lr}
    1570:	e28fe001	add	lr, pc, #1	; lr = 0x1579 (Thumb)
    1574:	e12fff1e	bx	lr
    1578:	f7ff fd63	bl	0x1042
    157c:	4778		bx	pc	; back to ARM at 0x1580
    157e:	46c0		nop			(mov r8, r8)	; alignment pad
    1580:	e8bd8000	ldmia	sp!, {pc}

; branch target addresses differ from TCS211
; Second-stage vector table reached from the ROM vectors at 0x4..0x1c.  The
; handlers at 0x102dc..0x10364 are not on this page.
   10000:	ea0000bf	b	0x10304	; from vector 0x4 (undefined instruction)
   10004:	ea0000c4	b	0x1031c	; from 0x8 (SWI)
   10008:	ea0000c9	b	0x10334	; from 0xc (prefetch abort)
   1000c:	ea0000ce	b	0x1034c	; from 0x10 (data abort)
   10010:	ea0000d3	b	0x10364	; from 0x14 (reserved)
   10014:	ea0000b0	b	0x102dc	; from 0x18 (IRQ)
   10018:	ea0000b4	b	0x102f0	; from 0x1c (FIQ)

; Constant pool
; Difference between this version and TCS211: the newer TCS211 version
; includes constants 0xFFFEF006 and 0x00000008 for the 8 MiB
; memory bank setup.  This difference must be responsible for the
; 0x10050 vs. 0x10058 discrepancy.

   1001c:	02a102a1
   10020:	028302a1
   10024:	02c00e85
   10028:	002a0040
   1002c:	fffffb00
   10030:	fffffd00
   10034:	ffff9800
   10038:	fffffb10
   1003c:	ffffff08
   10040:	20021081	; low half 0x1081 via 0x10040, high half 0x2002 via 0x10042
   10044:	f7ff0800	; high half 0xf7ff via 0x10046; low half 0x0800 is not referenced by code on this page
   10048:	00000000
   1004c:	0001047c	; .cinit base

_INT_Initialize:
; beginning matches TCS211
; Reached by the tail-branch from _INT_Bootloader_Start.  Repeats the register
; setup, clears two RAM ranges, sets up a stack for each ARM processor mode,
; copies the initialized data (via _f_load_int_mem), fills the stack area with
; 0xFE and finally tail-branches into _INC_Initialize; it never returns.
; Register use: r0/r1/r2 scratch, r3 = address of a RAM variable being set,
; r4 = end of the stack area (preserved across the call), r10 = stack base.
   10050:	e51f1024	ldr	r1, =0xffff9800	; via 0x10034
   10054:	e15f21ba	ldrh	r2, =0x2002	; via 0x10042	; 0x2002 here vs. 0x2006 in the bootloader (0x13a8)
   10058:	e1c120b0	strh	r2, [r1]
; same unbounded poll on bit 0 as at 0x13b0
   1005c:	e5912000	ldr	r2, [r1]
   10060:	e2022001	and	r2, r2, #1
   10064:	e3520001	cmp	r2, #1
   10068:	0afffffb	beq	0x1005c
   1006c:	e51f1044	ldr	r1, =0xfffffd00	; via 0x10030
   10070:	e15f23b8	ldrh	r2, =0x1081	; via 0x10040
   10074:	e1c120b0	strh	r2, [r1]
   10078:	e51f1048	ldr	r1, =0xfffffb10	; via 0x10038
   1007c:	e15f23be	ldrh	r2, =0xf7ff	; via 0x10046	; ~0x0800
   10080:	e1d100b0	ldrh	r0, [r1]
   10084:	e0000002	and	r0, r0, r2	; clear bit 11, i.e. undo the orr at 0x13d8
   10088:	e1c100b0	strh	r0, [r1]
   1008c:	e51f1058	ldr	r1, =0xffffff08	; via 0x1003c
   10090:	e15f25b0	ldrh	r2, =0x0	; via 0x10048
   10094:	e1c120b0	strh	r2, [r1]
; 0xfffffb00 block again; offsets 10 and 12 get 0xe85/0x2c0 instead of the
; bootloader's 0x281/0xc0
   10098:	e51f1074	ldr	r1, =0xfffffb00	; via 0x1002c
   1009c:	e15f28b8	ldrh	r2, =0x2a1	; via 0x1001c
   100a0:	e1c120b0	strh	r2, [r1]
   100a4:	e15f28be	ldrh	r2, =0x2a1	; via 0x1001e
   100a8:	e1c120b2	strh	r2, [r1, #2]
   100ac:	e15f29b4	ldrh	r2, =0x2a1	; via 0x10020
   100b0:	e1c120b4	strh	r2, [r1, #4]
   100b4:	e15f29ba	ldrh	r2, =0x283	; via 0x10022
   100b8:	e1c120b6	strh	r2, [r1, #6]
   100bc:	e15f2ab0	ldrh	r2, =0xe85	; via 0x10024
   100c0:	e1c120ba	strh	r2, [r1, #10]	; 0xa
   100c4:	e15f2ab6	ldrh	r2, =0x2c0	; via 0x10026
   100c8:	e1c120bc	strh	r2, [r1, #12]	; 0xc
   100cc:	e15f2abc	ldrh	r2, =0x40	; via 0x10028
   100d0:	e1c120b8	strh	r2, [r1, #8]
   100d4:	e15f2bb2	ldrh	r2, =0x2a	; via 0x1002a
   100d8:	e1c120be	strh	r2, [r1, #14]	; 0xe
; TCS211 version does the 8 MiB memory bank setup at this point
; Enter SVC mode (0x13) with IRQ and FIQ masked (I|F = 0xc0); CPSR_fc writes
; the flag and control fields.
   100dc:	e10f0000	mrs	r0, CPSR
   100e0:	e3c0001f	bic	r0, r0, #31	; 0x1f	; clear mode bits
   100e4:	e3800013	orr	r0, r0, #19	; 0x13	; SVC mode
   100e8:	e38000c0	orr	r0, r0, #192	; 0xc0	; I and F bits: interrupts masked
   100ec:	e129f000	msr	CPSR_fc, r0
; bss clearing is done inline here, whereas TCS211 version calls _INT_memset
; Zero words in [0x1000cf4, 0x107921c) and [0x819450, 0x83eda0).  Both loops
; store first and then compare for equality, so each range must be a whole
; number of words (true for these constants) or the loop would overrun.
   100f0:	e59f0304	ldr	r0, =0x1000cf4	; via 0x103fc
   100f4:	e3a02000	mov	r2, #0
   100f8:	e59f1300	ldr	r1, =0x107921c	; via 0x10400
   100fc:	e4802004	str	r2, [r0], #4
   10100:	e1500001	cmp	r0, r1
   10104:	1afffffc	bne	0x100fc
   10108:	e59f02f4	ldr	r0, =0x819450	; via 0x10404
   1010c:	e3a02000	mov	r2, #0
   10110:	e59f12f0	ldr	r1, =0x83eda0	; via 0x10408
   10114:	e4802004	str	r2, [r0], #4
   10118:	e1500001	cmp	r0, r1
   1011c:	1afffffc	bne	0x10114
; setting _INT_Loaded_Flag?
; code matches TCS211 0x10150 from this point onward
   10120:	e3a00001	mov	r0, #1
   10124:	e59f12e4	ldr	r1, =0x107916c	; via 0x10410
   10128:	e5810000	str	r0, [r1]
; stack setup matching 0x1015c in TCS211
; Mode stacks (all full-descending), computed from base 0x1079308:
;   SVC  sp = 0x1079308 + 1020 = 0x1079704
;   IRQ  sp = 0x1079704 + 0x80 = 0x1079784  (128-byte IRQ stack)
;   FIQ  sp = 0x1079784 + 0x200 = 0x1079984 (512-byte FIQ stack)
;   ABT/UND sp = 0x1079270 (shared, loaded from the literal at 0x1042c)
; The base is published at 0x83c148 and the SVC sp at 0x83c26c.
   1012c:	e59f02d8	ldr	r0, =0x1079308	; via 0x1040c
   10130:	e3a01b01	mov	r1, #1024	; 0x400
   10134:	e2411004	sub	r1, r1, #4	; r1 = 1020
   10138:	e0802001	add	r2, r0, r1	; r2 = 0x1079704 (no bic #3 here, unlike 0x1440)
   1013c:	e1a0a000	mov	r10, r0
   10140:	e59f32cc	ldr	r3, =0x83c148	; via 0x10414
   10144:	e583a000	str	r10, [r3]	; [0x83c148] = stack base
   10148:	e1a0d002	mov	sp, r2	; SVC sp
   1014c:	e59f32c4	ldr	r3, =0x83c26c	; via 0x10418
   10150:	e583d000	str	sp, [r3]	; [0x83c26c] = SVC sp
   10154:	e3a01080	mov	r1, #128	; 0x80
   10158:	e0822001	add	r2, r2, r1
   1015c:	e10f0000	mrs	r0, CPSR
   10160:	e3c0001f	bic	r0, r0, #31	; 0x1f
   10164:	e3800012	orr	r0, r0, #18	; 0x12	; IRQ mode
   10168:	e129f000	msr	CPSR_fc, r0
   1016c:	e1a0d002	mov	sp, r2	; IRQ sp = 0x1079784
   10170:	e3a01c02	mov	r1, #512	; 0x200
   10174:	e0822001	add	r2, r2, r1
   10178:	e10f0000	mrs	r0, CPSR
   1017c:	e3c0001f	bic	r0, r0, #31	; 0x1f
   10180:	e3800011	orr	r0, r0, #17	; 0x11	; FIQ mode
   10184:	e129f000	msr	CPSR_fc, r0
   10188:	e1a0d002	mov	sp, r2	; FIQ sp = 0x1079984
   1018c:	e10f0000	mrs	r0, CPSR
   10190:	e3c0001f	bic	r0, r0, #31	; 0x1f
   10194:	e3800017	orr	r0, r0, #23	; 0x17	; Abort mode
   10198:	e129f000	msr	CPSR_fc, r0
   1019c:	e59fd288	ldr	sp, =0x1079270	; via 0x1042c
   101a0:	e10f0000	mrs	r0, CPSR
   101a4:	e3c0001f	bic	r0, r0, #31	; 0x1f
   101a8:	e380001b	orr	r0, r0, #27	; 0x1b	; Undefined mode
   101ac:	e129f000	msr	CPSR_fc, r0
   101b0:	e59fd274	ldr	sp, =0x1079270	; via 0x1042c	; same stack as Abort mode
   101b4:	e10f0000	mrs	r0, CPSR
   101b8:	e3c0001f	bic	r0, r0, #31	; 0x1f
   101bc:	e3800013	orr	r0, r0, #19	; 0x13	; back to SVC mode (I, F still set)
   101c0:	e129f000	msr	CPSR_fc, r0
; Region descriptor above the FIQ stack: [0x83c0b0] = 0x1079988 (start),
; [0x83c134] = 0x400 (size), [0x83c144] = 2.  What these variables mean is
; not visible on this page; the 1 KiB region ends at r2 = 0x1079d88.
   101c4:	e59f3250	ldr	r3, =0x83c0b0	; via 0x1041c
   101c8:	e2822004	add	r2, r2, #4	; r2 = 0x1079988
   101cc:	e5832000	str	r2, [r3]
   101d0:	e3a01b01	mov	r1, #1024	; 0x400
   101d4:	e3c11003	bic	r1, r1, #3	; no-op on 1024
   101d8:	e0822001	add	r2, r2, r1	; r2 = 0x1079d88
   101dc:	e59f323c	ldr	r3, =0x83c134	; via 0x10420
   101e0:	e5831000	str	r1, [r3]
   101e4:	e3a01002	mov	r1, #2
   101e8:	e59f3234	ldr	r3, =0x83c144	; via 0x10424
   101ec:	e5831000	str	r1, [r3]
   101f0:	e1a04002	mov	r4, r2	; keep end address across the call
   101f4:	eb09153c	bl	0x2556ec	; _f_load_int_mem
   101f8:	e1a02004	mov	r2, r4
; Fill [0x1079308, 0x1079d88) with 0xFE bytes: four strb seed one word,
; the ldr picks up 0xfefefefe and the loop stores it until r0 >= r2.
; Presumably a stack high-water-mark pattern — TODO confirm.  The SVC stack
; being used right now lies inside this range, but nothing is live on it
; after the veneer above has popped.
   101fc:	e59f1210	ldr	r1, =0x83c148	; via 0x10414
   10200:	e5910000	ldr	r0, [r1]	; r0 = stack base 0x1079308
   10204:	e3a030fe	mov	r3, #254	; 0xfe
   10208:	e5c03000	strb	r3, [r0]
   1020c:	e5c03001	strb	r3, [r0, #1]
   10210:	e5c03002	strb	r3, [r0, #2]
   10214:	e5c03003	strb	r3, [r0, #3]
   10218:	e4903004	ldr	r3, [r0], #4	; r3 = 0xfefefefe
   1021c:	e4803004	str	r3, [r0], #4
   10220:	e1500002	cmp	r0, r2
   10224:	bafffffc	blt	0x1021c	; signed compare; fine for these addresses
; Run the C initialization table if present: cmn r0,#1 sets Z iff r0 == -1.
   10228:	e51f01e4	ldr	r0, =0x1047c	; via 0x1004c
   1022c:	e3700001	cmn	r0, #1
   10230:	1b00007f	blne	0x10434		; _auto_init
; r0 is handed through _INC_Initialize to the application init (see 0x254656).
   10234:	e59f01ec	ldr	r0, =0x1078744	; via 0x10428
   10238:	ea09151f	b	0x2556bc	; _INC_Initialize	; tail-branch, never returns

; $Init_Target:
; Thumb.  Callee-saved r4-r6 are pushed; one local word at [sp] is used as a
; delay counter near the end.  Register use: r5 = 0xfffef006 (kept for the
; whole function), r4 = 0xffff9800 until 0x245984 and then a value register,
; r6 = 0xfffff900, r0-r3 scratch / call arguments.
  2458f0:	b570		push	{r4, r5, r6, lr}
  2458f2:	b081		sub	sp, #4	; local: delay counter (0x2459f6..0x245a06)
; write 0x6000 into FFFE:F008 like TCS211
  2458f4:	4d62		ldr	r5, =0xfffef006	; via 0x245a80
  2458f6:	2003		mov	r0, #3
  2458f8:	0340		lsl	r0, r0, #13	; r0 = 0x6000
  2458fa:	8068		strh	r0, [r5, #2]
; TM_DisableWatchdog() ?
  2458fc:	f006 fd03	bl	0x24c306
; 8 MiB memory bank setup
  245900:	2008		mov	r0, #8
  245902:	8829		ldrh	r1, [r5, #0]
  245904:	4308		orr	r0, r1	; read-modify-write: set bit 3 of 0xfffef006
  245906:	8028		strh	r0, [r5, #0]

; CNTL_CLK (FFFF:FD02) register setup
;
; TCS211 does this:
;	CNTL_CLK |= 0x0005;
;	CNTL_CLK &= 0xFF3F;
;	CNTL_CLK |= 0x0080;
;	CNTL_CLK &= 0xFFDF;
;
; The present version does this:
;	CNTL_CLK  = 0x0005;
;	CNTL_CLK &= 0xFF3F;
;	CNTL_CLK &= 0xFFDF;
;
; Difference 1: initial straight write vs. OR: it must be the effect
;		of the change in the definition of the CLKM_INITCNTL()
;		macro seen in the diff between MV100 and Sotovik versions.
;
; Difference 2: VTCXO_DIV2 bit setting for Clara (13 MHz) vs. Rita (26 MHz)

  245908:	485e		ldr	r0, =0xfffffd02	; via 0x245a84
  24590a:	2105		mov	r1, #5
  24590c:	8001		strh	r1, [r0, #0]	; straight write, not OR
  24590e:	495e		ldr	r1, =0xff3f	; via 0x245a88
  245910:	8802		ldrh	r2, [r0, #0]
  245912:	4011		and	r1, r2	; clear bits 6-7
  245914:	8001		strh	r1, [r0, #0]
  245916:	495d		ldr	r1, =0xffdf	; via 0x245a8c
  245918:	8802		ldrh	r2, [r0, #0]
  24591a:	4011		and	r1, r2	; clear bit 5
  24591c:	8001		strh	r1, [r0, #0]

; RHEA_CNTL_REG setup: this version writes 0x7F00, TCS211 writes 0xFF00
  24591e:	4e5c		ldr	r6, =0xfffff900	; via 0x245a90
  245920:	207f		mov	r0, #127	; 0x7f
  245922:	0200		lsl	r0, r0, #8	; r0 = 0x7f00
  245924:	8030		strh	r0, [r6, #0]

; PLL setup: the code structure (sequence of steps) is the same as in TCS211,
; but the PLL multiplier is set to 6 instead of 8.  Thus the DSP runs at
; 78 MHz and the ARM runs at 39 MHz.
; Bit-level view of the 0xffff9800 writes: clear bits 2-3, rewrite the
; register with its own value, clear bits 5-11, then set bits 8-9 (0x0300).
  245926:	4c5b		ldr	r4, =0xffff9800	; via 0x245a94
  245928:	485b		ldr	r0, =0xfff3	; via 0x245a98
  24592a:	8821		ldrh	r1, [r4, #0]
  24592c:	4008		and	r0, r1	; &= 0xfff3
  24592e:	8020		strh	r0, [r4, #0]
  245930:	8820		ldrh	r0, [r4, #0]
  245932:	8020		strh	r0, [r4, #0]	; read-back and write-back of the same value
  245934:	4859		ldr	r0, =0xf01f	; via 0x245a9c
  245936:	8821		ldrh	r1, [r4, #0]
  245938:	4008		and	r0, r1	; &= 0xf01f
  24593a:	8020		strh	r0, [r4, #0]
  24593c:	2003		mov	r0, #3
  24593e:	0200		lsl	r0, r0, #8	; r0 = 0x0300
  245940:	8821		ldrh	r1, [r4, #0]
  245942:	4308		orr	r0, r1	; |= 0x0300
  245944:	8020		strh	r0, [r4, #0]

; ARM clock setup: divide by 2 like in TCS211
  245946:	2000		mov	r0, #0
  245948:	2102		mov	r1, #2
  24594a:	2200		mov	r2, #0
  24594c:	f007 fe00	bl	0x24d550	; args (0, 2, 0); callee not on this page

; Memory timings: definitely peculiar
; Offsets {0,2,4,6,10,12,8} get 0xa5,0xa5,0xa2,0x85,0x80,0x2c0,0x40; compare
; 0x2a1,0x2a1,0x2a1,0x283,0xe85,0x2c0,0x40 written by _INT_Initialize at 0x1009c.
  245950:	4953		ldr	r1, =0xfffffb00	; via 0x245aa0
  245952:	20a5		mov	r0, #165	; 0xa5
  245954:	8008		strh	r0, [r1, #0]
  245956:	8048		strh	r0, [r1, #2]
  245958:	20a2		mov	r0, #162	; 0xa2
  24595a:	8088		strh	r0, [r1, #4]
  24595c:	2085		mov	r0, #133	; 0x85
  24595e:	80c8		strh	r0, [r1, #6]
  245960:	2080		mov	r0, #128	; 0x80
  245962:	8148		strh	r0, [r1, #10]	; 0xa
  245964:	200b		mov	r0, #11	; 0xb
  245966:	0180		lsl	r0, r0, #6	; r0 = 0x2c0
  245968:	8188		strh	r0, [r1, #12]	; 0xc
  24596a:	2040		mov	r0, #64	; 0x40
  24596c:	8108		strh	r0, [r1, #8]

; FFFF:F902 and FFFF:F904 registers set up exactly the same as in TCS211
  24596e:	2020		mov	r0, #32	; 0x20
  245970:	8070		strh	r0, [r6, #2]
  245972:	2000		mov	r0, #0
  245974:	80b0		strh	r0, [r6, #4]

; PLL turn-on just like in TCS211
  245976:	2010		mov	r0, #16	; 0x10
  245978:	8821		ldrh	r1, [r4, #0]
  24597a:	4308		orr	r0, r1	; set bit 4 of 0xffff9800
  24597c:	8020		strh	r0, [r4, #0]

; remaining Target_Init() code not studied yet
; NOTE(review): 0xfffffa08/0xfffffa0a = 0xffff/0x1f and 0xfffffa14 = 3 look
; like the Calypso interrupt-handler mask registers and IRQ_CTRL, i.e. mask
; every source first and let $Init_Unmask_IT open four of them later — confirm
; against the register map before relying on this.
  24597e:	4849		ldr	r0, =0xfffffa08	; via 0x245aa4
  245980:	4949		ldr	r1, =0xffff	; via 0x245aa8
  245982:	8001		strh	r1, [r0, #0]
  245984:	241f		mov	r4, #31	; 0x1f	; r4 = 0x1f is reused at 0x2459c6
  245986:	8044		strh	r4, [r0, #2]
  245988:	2103		mov	r1, #3
  24598a:	8181		strh	r1, [r0, #12]	; 0xc
  24598c:	f005 fc28	bl	0x24b1e0	; callee not on this page
  245990:	4846		ldr	r0, =0xfffffc00	; via 0x245aac
  245992:	2124		mov	r1, #36	; 0x24
  245994:	8001		strh	r1, [r0, #0]
  245996:	210d		mov	r1, #13	; 0xd
  245998:	8041		strh	r1, [r0, #2]
; Register block at 0xfffe2000 (ULPD on Calypso, if this is the same map — verify):
; [0x16]=0, [0x14]=2, [0x02]=0x84, [0x00]=0x3de0, [0x22]=9, [0x20]=0x45a,
; [0x1e]=0xb4, [0x1c]=0x1f, [0x24]=0, then [0x10] |= 2 and |= 4.
  24599a:	2300		mov	r3, #0
  24599c:	4844		ldr	r0, =0xfffe2016	; via 0x245ab0
  24599e:	8003		strh	r3, [r0, #0]
  2459a0:	4844		ldr	r0, =0xfffe2014	; via 0x245ab4
  2459a2:	2102		mov	r1, #2
  2459a4:	8001		strh	r1, [r0, #0]
  2459a6:	4844		ldr	r0, =0xfffe2002	; via 0x245ab8
  2459a8:	2184		mov	r1, #132	; 0x84
  2459aa:	8001		strh	r1, [r0, #0]
  2459ac:	4943		ldr	r1, =0xfffe2000	; via 0x245abc	; r1 stays = 0xfffe2000 until the end
  2459ae:	4844		ldr	r0, =0x3de0	; via 0x245ac0
  2459b0:	8008		strh	r0, [r1, #0]
  2459b2:	4a44		ldr	r2, =0xfffe2022	; via 0x245ac4
  2459b4:	2009		mov	r0, #9
  2459b6:	8010		strh	r0, [r2, #0]
  2459b8:	4843		ldr	r0, =0xfffe2020	; via 0x245ac8
  2459ba:	4a44		ldr	r2, =0x45a	; via 0x245acc
  2459bc:	8002		strh	r2, [r0, #0]
  2459be:	4844		ldr	r0, =0xfffe201e	; via 0x245ad0
  2459c0:	22b4		mov	r2, #180	; 0xb4
  2459c2:	8002		strh	r2, [r0, #0]
  2459c4:	4843		ldr	r0, =0xfffe201c	; via 0x245ad4
  2459c6:	8004		strh	r4, [r0, #0]	; r4 = 0x1f from 0x245984
  2459c8:	1c1c		add	r4, r3, #0	; r4 = 0 from here on
  2459ca:	4843		ldr	r0, =0xfffe2024	; via 0x245ad8
  2459cc:	8004		strh	r4, [r0, #0]
  2459ce:	4b43		ldr	r3, =0xfffe2010	; via 0x245adc
  2459d0:	2002		mov	r0, #2
  2459d2:	881a		ldrh	r2, [r3, #0]
  2459d4:	4310		orr	r0, r2	; [0xfffe2010] |= 2
  2459d6:	8018		strh	r0, [r3, #0]
  2459d8:	4840		ldr	r0, =0xfffe2010	; via 0x245adc
  2459da:	2304		mov	r3, #4
  2459dc:	8802		ldrh	r2, [r0, #0]
  2459de:	4313		orr	r3, r2	; [0xfffe2010] |= 4
  2459e0:	8003		strh	r3, [r0, #0]
  2459e2:	2027		mov	r0, #39	; 0x27
  2459e4:	80e8		strh	r0, [r5, #6]	; [0xfffef00c] = 0x27
; If bit 0 of [0xfffe2010] is set: clear it, spin a short software delay,
; then poll [0xfffe2012] until it reads non-zero (no timeout).
  2459e6:	8a08		ldrh	r0, [r1, #16]	; 0x10
  2459e8:	0840		lsr	r0, r0, #1	; carry = bit 0
  2459ea:	d310		bcc	0x245a0e
  2459ec:	8a08		ldrh	r0, [r1, #16]	; 0x10
  2459ee:	0400		lsl	r0, r0, #16
  2459f0:	0c40		lsr	r0, r0, #17
  2459f2:	0040		lsl	r0, r0, #1	; net effect: r0 = value & 0xfffe
  2459f4:	8208		strh	r0, [r1, #16]	; 0x10
  2459f6:	2001		mov	r0, #1
  2459f8:	9000		str	r0, [sp, #0]	; counter = 1
  2459fa:	e002		b	0x245a02
  2459fc:	9800		ldr	r0, [sp, #0]
  2459fe:	3001		add	r0, #1
  245a00:	9000		str	r0, [sp, #0]
  245a02:	9800		ldr	r0, [sp, #0]
  245a04:	2832		cmp	r0, #50	; 0x32
  245a06:	d3f9		bcc	0x2459fc	; while counter < 50: delay loop
  245a08:	8a48		ldrh	r0, [r1, #18]	; 0x12
  245a0a:	2800		cmp	r0, #0
  245a0c:	d0fc		beq	0x245a08	; unbounded poll
  245a0e:	f006 fdbf	bl	0x24c590
  245a12:	f006 fdc3	bl	0x24c59c
; Halfword 0 stored to 0x02700000 (r4 = 0); this address is outside the
; 0xfffxxxxx register space and what is mapped there is not shown here.
  245a16:	2027		mov	r0, #39	; 0x27
  245a18:	0500		lsl	r0, r0, #20	; r0 = 0x02700000
  245a1a:	8004		strh	r4, [r0, #0]
  245a1c:	2001		mov	r0, #1
  245a1e:	f006 fc80	bl	0x24c322	; 0x24c322(1)
  245a22:	2002		mov	r0, #2
  245a24:	f006 fc7d	bl	0x24c322	; 0x24c322(2)
  245a28:	b001		add	sp, #4
  245a2a:	bd70		pop	{r4, r5, r6, pc}

; $Init_Drivers:
; Four argument-less calls in sequence; none of the callees is on this page.
  245a2c:	b500		push	{lr}
  245a2e:	f7ce f9b0	bl	0x213d92
  245a32:	f7af fb41	bl	0x1f50b8
  245a36:	f7da fd20	bl	0x22047a
  245a3a:	f755 fc4f	bl	0x19b2dc
  245a3e:	bd00		pop	{pc}

; $Init_Serial_Flows:
; 0x1dad64(0x10786fc), then 0x1db20a(0, 2, 0), then 0x1db2f8(); callees not
; on this page.
  245a40:	b500		push	{lr}
  245a42:	4827		ldr	r0, =0x10786fc	; via 0x245ae0
  245a44:	f795 f98e	bl	0x1dad64
  245a48:	2000		mov	r0, #0
  245a4a:	2102		mov	r1, #2
  245a4c:	2200		mov	r2, #0
  245a4e:	f795 fbdc	bl	0x1db20a
  245a52:	f795 fc51	bl	0x1db2f8
  245a56:	bd00		pop	{pc}

; $Init_Unmask_IT:
; Calls 0x24b2a2 once per interrupt source with r0 = 4, 18, 7, 8; given the
; label, presumably the per-source unmask routine.  Everything else stays
; masked after the 0xffff written at 0x245982 in $Init_Target.
  245a58:	b500		push	{lr}
  245a5a:	2004		mov	r0, #4
  245a5c:	f005 fc21	bl	0x24b2a2
  245a60:	2012		mov	r0, #18	; 0x12
  245a62:	f005 fc1e	bl	0x24b2a2
  245a66:	2007		mov	r0, #7
  245a68:	f005 fc1b	bl	0x24b2a2
  245a6c:	2008		mov	r0, #8
  245a6e:	f005 fc18	bl	0x24b2a2
  245a72:	bd00		pop	{pc}

; The following BX LR instructions must be empty functions in the same init
; module as the recognizable functions above, as they lie between the previous
; code and its associated literal pool.
; Six 2-byte Thumb stubs at 0x245a74..0x245a7e; none is called from code on
; this page.
  245a74:	4770		bx	lr
  245a76:	4770		bx	lr
  245a78:	4770		bx	lr
  245a7a:	4770		bx	lr
  245a7c:	4770		bx	lr
  245a7e:	4770		bx	lr

; Appears to be the old Thumb implementation of f_load_int_mem(),
; differs from TCS211 version which is ARM and appears to be assembly
;
; Two flash-to-RAM regions are handled, each as (source, length, destination):
;   region 1: src r9  = 0x20508, len r12 = 0x81944c - 0x800000 - 4 = 0x19448, dst r6 = 0x800004
;   region 2: src r11 = 0x155e8, len r5  = 0x83f294 - 0x83eda4 = 0x4f0,       dst r4 = 0x83eda4
; The bss range cleared by _INT_Initialize (0x819450..0x83eda0) sits exactly
; between the two destinations.  Helper roles, inferred from argument order only
; (none of them is on this page — confirm): 0x2503f6(dst, len) prepares the
; destination, 0x2503c8(src, len, dst) copies, 0x2503dc(buf, len) returns a
; value that is summed over both regions, once on the sources and once on the
; destinations, and stored as halfwords at 0x1079168 and 0x107916a.
; Presumably a checksum pair for copy verification; no comparison of the two
; happens in this function.
  250408:	b5f0		push	{r4, r5, r6, r7, lr}
; Thumb-1 push cannot take high registers, so r8-r11 go via r0-r3.
  25040a:	4640		mov	r0, r8
  25040c:	4649		mov	r1, r9
  25040e:	4652		mov	r2, r10
  250410:	465b		mov	r3, r11
  250412:	b40f		push	{r0, r1, r2, r3}
  250414:	4f22		ldr	r7, =0x1079168	; via 0x2504a0
  250416:	2000		mov	r0, #0
  250418:	8038		strh	r0, [r7, #0]	; [0x1079168] = 0
  25041a:	4922		ldr	r1, =0x107916a	; via 0x2504a4
  25041c:	4688		mov	r8, r1
  25041e:	8008		strh	r0, [r1, #0]	; [0x107916a] = 0
  250420:	4821		ldr	r0, =0x800000	; via 0x2504a8
  250422:	4922		ldr	r1, =0x81944c	; via 0x2504ac
  250424:	1a09		sub	r1, r1, r0
  250426:	3904		sub	r1, #4
  250428:	468c		mov	r12, r1	; r12 = len1 = 0x19448
  25042a:	2104		mov	r1, #4
  25042c:	180e		add	r6, r1, r0	; r6 = dst1 = 0x800004
  25042e:	1c30		add	r0, r6, #0
  250430:	4661		mov	r1, r12
  250432:	f7ff ffe0	bl	0x2503f6	; 0x2503f6(dst1, len1)
  250436:	4c1e		ldr	r4, =0x83eda4	; via 0x2504b0
  250438:	481e		ldr	r0, =0x83f294	; via 0x2504b4
  25043a:	1b05		sub	r5, r0, r4	; r5 = len2 = 0x4f0
  25043c:	1c20		add	r0, r4, #0
  25043e:	1c29		add	r1, r5, #0
  250440:	f7ff ffd9	bl	0x2503f6	; 0x2503f6(dst2, len2)
  250444:	481c		ldr	r0, =0x20508	; via 0x2504b8
  250446:	4681		mov	r9, r0	; r9 = src1
  250448:	4661		mov	r1, r12
  25044a:	f7ff ffc7	bl	0x2503dc	; 0x2503dc(src1, len1)
  25044e:	4682		mov	r10, r0
  250450:	8038		strh	r0, [r7, #0]
  250452:	481a		ldr	r0, =0x155e8	; via 0x2504bc
  250454:	4683		mov	r11, r0	; r11 = src2
  250456:	1c29		add	r1, r5, #0
  250458:	f7ff ffc0	bl	0x2503dc	; 0x2503dc(src2, len2)
  25045c:	4651		mov	r1, r10
  25045e:	1808		add	r0, r1, r0
  250460:	8038		strh	r0, [r7, #0]	; [0x1079168] = sum over sources (low 16 bits)
  250462:	4648		mov	r0, r9
  250464:	4661		mov	r1, r12
  250466:	1c32		add	r2, r6, #0
  250468:	f7ff ffae	bl	0x2503c8	; 0x2503c8(src1, len1, dst1)
  25046c:	4658		mov	r0, r11
  25046e:	1c29		add	r1, r5, #0
  250470:	1c22		add	r2, r4, #0
  250472:	f7ff ffa9	bl	0x2503c8	; 0x2503c8(src2, len2, dst2)
  250476:	1c30		add	r0, r6, #0
  250478:	4661		mov	r1, r12
  25047a:	f7ff ffaf	bl	0x2503dc	; 0x2503dc(dst1, len1)
  25047e:	1c06		add	r6, r0, #0
  250480:	4640		mov	r0, r8
  250482:	8006		strh	r6, [r0, #0]
  250484:	1c20		add	r0, r4, #0
  250486:	1c29		add	r1, r5, #0
  250488:	f7ff ffa8	bl	0x2503dc	; 0x2503dc(dst2, len2)
  25048c:	1830		add	r0, r6, r0
  25048e:	4641		mov	r1, r8
  250490:	8008		strh	r0, [r1, #0]	; [0x107916a] = sum over destinations (low 16 bits)
  250492:	bc0f		pop	{r0, r1, r2, r3}
  250494:	4680		mov	r8, r0
  250496:	4689		mov	r9, r1
  250498:	4692		mov	r10, r2
  25049a:	469b		mov	r11, r3
  25049c:	bdf0		pop	{r4, r5, r6, r7, pc}

; $INC_Initialize:
; Reached from _INT_Initialize through the veneer at 0x2556bc with
; r0 = 0x1078744; r0 is kept in r5 and passed on to the application init.
; [0x1079150] is set to 1 before the init calls and to 2 before scheduling;
; presumably a system-state variable — confirm.  If $TCT_Schedule never
; returns, the final pop is not reached.
  254654:	b530		push	{r4, r5, lr}
  254656:	1c05		add	r5, r0, #0	; r5 = argument for app init
  254658:	4c13		ldr	r4, =0x1079150	; via 0x2546a8
  25465a:	2001		mov	r0, #1
  25465c:	6020		str	r0, [r4, #0]	; [0x1079150] = 1
  25465e:	f001 f9eb	bl	0x255a38
  254662:	f001 f9ed	bl	0x255a40
  254666:	f001 f9ad	bl	0x2559c4
  25466a:	f000 fd45	bl	0x2550f8
  25466e:	f7fb ffa3	bl	0x2505b8
  254672:	f000 ff0d	bl	0x255490
  254676:	f000 fedb	bl	0x255430
  25467a:	f000 fef9	bl	0x255470
  25467e:	f000 fec7	bl	0x255410
  254682:	f000 ff25	bl	0x2554d0
  254686:	f000 fee3	bl	0x255450
  25468a:	f000 ff31	bl	0x2554f0
  25468e:	f7fe faef	bl	0x252c70
  254692:	f000 ff0d	bl	0x2554b0
  254696:	1c28		add	r0, r5, #0
  254698:	f000 fda5	bl	0x2551e6	; app init	; $Application_Initialize below
  25469c:	2002		mov	r0, #2
  25469e:	6020		str	r0, [r4, #0]	; [0x1079150] = 2
  2546a0:	f001 fefa	bl	0x256498	; $TCT_Schedule veneer
  2546a4:	bd30		pop	{r4, r5, pc}

; $Application_Initialize:
; Fixed init order; the r0 received from $INC_Initialize is not used here.
  2551e6:	b500		push	{lr}
  2551e8:	f7f0 fb82	bl	0x2458f0	; $Init_Target
  2551ec:	f7f0 fc1e	bl	0x245a2c	; $Init_Drivers
  2551f0:	f001 fa82	bl	0x2566f8	; $Cust_Init_Layer1
  2551f4:	f7f0 fc24	bl	0x245a40	; $Init_Serial_Flows
  2551f8:	f7a0 fba6	bl	0x1f5948	; $StartFrame
  2551fc:	f7f0 fc2c	bl	0x245a58	; $Init_Unmask_IT
  255200:	bd00		pop	{pc}

  2556a4:	e58de004	str	lr, [sp, #4]	; ARM->Thumb veneer to 0x23d880 (not on this page)
; Unlike the stmdb/ldmia veneers below, this one saves lr into [sp,#4] without
; moving sp, i.e. into a slot the caller must have reserved — confirm at the
; call site.
  2556a8:	e28fe001	add	lr, pc, #1	; lr = 0x2556b1 (Thumb)
  2556ac:	e12fff1e	bx	lr
  2556b0:	f7e8 f8e6	bl	0x23d880
  2556b4:	4778		bx	pc	; back to ARM at 0x2556b8
  2556b6:	46c0		nop			(mov r8, r8)
  2556b8:	e59df004	ldr	pc, [sp, #4]	; return via the saved lr

; _INC_Initialize call veneer
; Same ARM->Thumb shape as 0x156c; the Thumb bl reaches $INC_Initialize at
; 0x254654.  _INT_Initialize branches here with b, so the final ldmia pops the
; lr pushed on entry and "returns" to whatever called _INT_Initialize's
; predecessor — nothing on this page ever does.
  2556bc:	e92d4000	stmdb	sp!, {lr}
  2556c0:	e28fe001	add	lr, pc, #1	; lr = 0x2556c9 (Thumb)
  2556c4:	e12fff1e	bx	lr
  2556c8:	f7fe ffc4	bl	0x254654	; $INC_Initialize
  2556cc:	4778		bx	pc	; back to ARM at 0x2556d0
  2556ce:	46c0		nop			(mov r8, r8)
  2556d0:	e8bd8000	ldmia	sp!, {pc}

  2556d4:	e92d4000	stmdb	sp!, {lr}	; ARM->Thumb veneer to 0x23cd32 (not on this page)
  2556d8:	e28fe001	add	lr, pc, #1
  2556dc:	e12fff1e	bx	lr
  2556e0:	f7e7 fb27	bl	0x23cd32
  2556e4:	4778		bx	pc
  2556e6:	46c0		nop			(mov r8, r8)
  2556e8:	e8bd8000	ldmia	sp!, {pc}

; _f_load_int_mem call veneer
; Called from _INT_Initialize at 0x101f4; the Thumb bl reaches the
; f_load_int_mem body at 0x250408 above.
  2556ec:	e92d4000	stmdb	sp!, {lr}
  2556f0:	e28fe001	add	lr, pc, #1
  2556f4:	e12fff1e	bx	lr
  2556f8:	f7fa fe86	bl	0x250408	; f_load_int_mem
  2556fc:	4778		bx	pc
  2556fe:	46c0		nop			(mov r8, r8)
  255700:	e8bd8000	ldmia	sp!, {pc}

  255704:	e92d4000	stmdb	sp!, {lr}	; ARM->Thumb veneer to $Application_Initialize (0x2551e6)
  255708:	e28fe001	add	lr, pc, #1
  25570c:	e12fff1e	bx	lr
  255710:	f7ff fd69	bl	0x2551e6	; $Application_Initialize
  255714:	4778		bx	pc
  255716:	46c0		nop			(mov r8, r8)
  255718:	e8bd8000	ldmia	sp!, {pc}

  25571c:	e92d4000	stmdb	sp!, {lr}	; ARM->Thumb veneer to 0x1c3990 (not on this page)
  255720:	e28fe001	add	lr, pc, #1
  255724:	e12fff1e	bx	lr
  255728:	f76e f932	bl	0x1c3990
  25572c:	4778		bx	pc
  25572e:	46c0		nop			(mov r8, r8)
  255730:	e8bd8000	ldmia	sp!, {pc}

  255734:	e92d4000	stmdb	sp!, {lr}	; ARM->Thumb veneer to 0x1fc364 (not on this page)
  255738:	e28fe001	add	lr, pc, #1
  25573c:	e12fff1e	bx	lr
  255740:	f7a6 fe10	bl	0x1fc364
  255744:	4778		bx	pc
  255746:	46c0		nop			(mov r8, r8)
  255748:	e8bd8000	ldmia	sp!, {pc}

  25574c:	e92d4000	stmdb	sp!, {lr}	; ARM->Thumb veneer to 0x149b7c (not on this page)
  255750:	e28fe001	add	lr, pc, #1
  255754:	e12fff1e	bx	lr
  255758:	f6f4 fa10	bl	0x149b7c
  25575c:	4778		bx	pc
  25575e:	46c0		nop			(mov r8, r8)
  255760:	e8bd8000	ldmia	sp!, {pc}

  255764:	e92d4000	stmdb	sp!, {lr}	; ARM->Thumb veneer to 0x1db5ea (not on this page)
  255768:	e28fe001	add	lr, pc, #1
  25576c:	e12fff1e	bx	lr
  255770:	f785 ff3b	bl	0x1db5ea
  255774:	4778		bx	pc
  255776:	46c0		nop			(mov r8, r8)
  255778:	e8bd8000	ldmia	sp!, {pc}

  25577c:	e92d4000	stmdb	sp!, {lr}	; ARM->Thumb veneer to 0x1db5ac (not on this page)
  255780:	e28fe001	add	lr, pc, #1
  255784:	e12fff1e	bx	lr
  255788:	f785 ff10	bl	0x1db5ac
  25578c:	4778		bx	pc
  25578e:	46c0		nop			(mov r8, r8)
  255790:	e8bd8000	ldmia	sp!, {pc}