view compal/c156-boot.disasm @ 162:8d30e1722e0f

locked C139 bootloader reverse-engineered
author Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
date Thu, 15 May 2014 20:55:39 +0000
parents e40592990516
children 5c47d916255e

RESET entry and exception vectors:
; ARM exception vector table at address 0. Only the reset vector (offset 0)
; branches into this boot code (0x4c). The other seven vectors branch to
; 0x200e4..0x200fc, just past 0x20000 where the note at the end of this
; listing says the main firmware image starts, so an exception taken while
; this code runs lands in whatever that image holds at those addresses.
       0:	ea000011	b	0x4c
       4:	ea008036	b	0x200e4
       8:	ea008036	b	0x200e8
       c:	ea008036	b	0x200ec
      10:	ea008036	b	0x200f0
      14:	ea008036	b	0x200f4
      18:	ea008036	b	0x200f8
      1c:	ea008036	b	0x200fc

; Literal pool for the init code. The ldrh loads in the init sequence fetch
; 16-bit halves of these words individually (see their "via" notes):
; 0x20/0x22/0x24 = 0x2a1, 0x26 = 0x2a3, 0x3c = 0x1081, 0x3e = 0x2002,
; 0x40 = 0x800, 0x42 = 0, 0x44 = 0xc0, 0x46 = 0x40, 0x48 = 0xe85.
      20:	02a102a1
      24:	02a302a1
      28:	00000040
      2c:	fffffd00
      30:	ffff9800
      34:	fffffb10
      38:	ffffff08
      3c:	20021081
      40:	00000800
      44:	004000c0
      48:	00000e85

; RESET entry point
; same init as in the C139 version
; Read-modify-write of the 16-bit register at FFFF:FD02: OR in 0x40 (bit 6)
; and keep the other bits as found.
      4c:	e51f1028	ldr	r1, =0xfffffd00	; via 0x2c
      50:	e1d120b2	ldrh	r2, [r1, #2]
      54:	e51f0034	ldr	r0, =0x40	; via 0x28
      58:	e1800002	orr	r0, r0, r2
      5c:	e1c100b2	strh	r0, [r1, #2]
; disable PLL
; diff from C139 version: writing 2002 into FFFF:9800 instead of 2006
; diff in the BYPASS_DIV field
      60:	e51f1038	ldr	r1, =0xffff9800	; via 0x30
      64:	e15f22be	ldrh	r2, =0x2002	; via 0x3e
      68:	e1c120b0	strh	r2, [r1]
; Busy-wait: re-read FFFF:9800 for as long as bit 0 reads back as 1.
; There is no iteration limit, so boot stalls here if the bit never clears.
      6c:	e5912000	ldr	r2, [r1]
      70:	e2022001	and	r2, r2, #1
      74:	e3520001	cmp	r2, #1
      78:	0afffffb	beq	0x6c
; FFFF:FD00 write same as C139
; (plain 16-bit store of 0x1081, previous contents are not preserved)
      7c:	e51f1058	ldr	r1, =0xfffffd00	; via 0x2c
      80:	e15f24bc	ldrh	r2, =0x1081	; via 0x3c
      84:	e1c120b0	strh	r2, [r1]
; disable DU like C139
; (read-modify-write: ORs 0x800, i.e. bit 11, into FFFF:FB10)
      88:	e51f105c	ldr	r1, =0xfffffb10	; via 0x34
      8c:	e15f25b4	ldrh	r2, =0x800	; via 0x40
      90:	e1d100b0	ldrh	r0, [r1]
      94:	e1800002	orr	r0, r0, r2
      98:	e1c100b0	strh	r0, [r1]
; ditto for MPU
; (plain 16-bit store of 0 to FFFF:FF08)
; NOTE(review): no later instruction in this listing writes FFFF:FF08 again,
; so if 0 means "protection off" as the note above implies, the serial
; download further down runs with no memory protection in place - confirm the
; register semantics against the chipset documentation.
      9c:	e51f106c	ldr	r1, =0xffffff08	; via 0x38
      a0:	e15f26b6	ldrh	r2, =0x0	; via 0x42
      a4:	e1c120b0	strh	r2, [r1]
; Memory timings
; r1 = FFFF:FB00 for the whole group. Seven 16-bit registers are written with
; constants taken from the literal pool at 0x20-0x48:
;   +0 = 0x2a1, +2 = 0x2a1, +4 = 0x2a1, +6 = 0x2a3,
;   +10 = 0xe85, +12 = 0xc0, +8 = 0x40 (in that order).
; All are plain stores; the previous register contents are discarded.
      a8:	e59f1640	ldr	r1, =0xfffffb00	; via 0x6f0
      ac:	e15f29b4	ldrh	r2, =0x2a1	; via 0x20
      b0:	e1c120b0	strh	r2, [r1]
      b4:	e15f29ba	ldrh	r2, =0x2a1	; via 0x22
      b8:	e1c120b2	strh	r2, [r1, #2]
      bc:	e15f2ab0	ldrh	r2, =0x2a1	; via 0x24
      c0:	e1c120b4	strh	r2, [r1, #4]
      c4:	e15f2ab6	ldrh	r2, =0x2a3	; via 0x26
      c8:	e1c120b6	strh	r2, [r1, #6]
      cc:	e15f28bc	ldrh	r2, =0xe85	; via 0x48
      d0:	e1c120ba	strh	r2, [r1, #10]	; 0xa
      d4:	e15f29b8	ldrh	r2, =0xc0	; via 0x44
      d8:	e1c120bc	strh	r2, [r1, #12]	; 0xc
      dc:	e15f29be	ldrh	r2, =0x40	; via 0x46
      e0:	e1c120b8	strh	r2, [r1, #8]
; enable 8 MiB chip select regions
; (read-modify-write: ORs 8, i.e. bit 3, into FFFE:F006)
      e4:	e59f3630	ldr	r3, =0xfffef006	; via 0x71c
      e8:	e1d310b0	ldrh	r1, [r3]
      ec:	e3a02008	mov	r2, #8
      f0:	e1811002	orr	r1, r1, r2
      f4:	e1c310b0	strh	r1, [r3]
; write 0x0110 into FFFE:F00A
; enable I/O(8) and I/O(12)
; (0x110 has bits 4 and 8 set; plain store, previous contents discarded)
      f8:	e59f3604	ldr	r3, =0xfffef000	; via 0x704
      fc:	e3a01e11	mov	r1, #272	; 0x110
     100:	e1c310ba	strh	r1, [r3, #10]	; 0xa
; FFFE:4804: set GPIOs 0-8 and 12 as outputs
; NOTE(review): the mask built here is 0xEE00 | 0xFF = 0xEEFF, so the AND
; clears only bits 8 and 12 and leaves bits 0-7 as read. That matches the
; "I/O(8) and I/O(12)" note above rather than "0-8 and 12" - confirm.
; The value is read with a word-sized ldr from FFFE:4804 and written back as
; a halfword to base FFFE:4800 + 4, i.e. the same register.
     104:	e59f3604	ldr	r3, =0xfffe4804	; via 0x710
     108:	e5931000	ldr	r1, [r3]
     10c:	e3a030ff	mov	r3, #255	; 0xff
     110:	e3a02cee	mov	r2, #60928	; 0xee00
     114:	e1822003	orr	r2, r2, r3
     118:	e0011002	and	r1, r1, r2
     11c:	e59f35e4	ldr	r3, =0xfffe4800	; via 0x708
     120:	e1c310b4	strh	r1, [r3, #4]
; ARMIO_LATCH_OUT: 0-8 set to 0
; NOTE(review): the mask is 0xFE00 | 0xFF = 0xFEFF, which clears bit 8 only;
; bits 0-7 keep the value that was read - confirm the intent of "0-8".
; The source address FFFE:4802 is not word-aligned although a word-sized ldr
; is used; the result depends on how the core handles that - TODO confirm.
     124:	e59f35e0	ldr	r3, =0xfffe4802	; via 0x70c
     128:	e5931000	ldr	r1, [r3]
     12c:	e3a030ff	mov	r3, #255	; 0xff
     130:	e3a02cfe	mov	r2, #65024	; 0xfe00
     134:	e1822003	orr	r2, r2, r3
     138:	e0011002	and	r1, r1, r2
     13c:	e59f35c4	ldr	r3, =0xfffe4800	; via 0x708
     140:	e1c310b2	strh	r1, [r3, #2]
; ... and then reset it to 0xF400
; (plain store to the same register, FFFE:4800 + 2, so the masked value
; written just above is immediately replaced)
     144:	e3a01b3d	mov	r1, #62464	; 0xf400
     148:	e59f35b8	ldr	r3, =0xfffe4800	; via 0x708
     14c:	e1c310b2	strh	r1, [r3, #2]
; SVC mode, IRQ and FIQ disabled
; bic 0x1f clears the five mode bits, orr 0x13 selects SVC, orr 0xc0 sets the
; I and F mask bits. Everything below therefore runs by polling, not from
; interrupts (the UART Rx interrupt enabled later is masked at the CPU).
     150:	e10f0000	mrs	r0, CPSR
     154:	e3c0001f	bic	r0, r0, #31	; 0x1f
     158:	e3800013	orr	r0, r0, #19	; 0x13
     15c:	e38000c0	orr	r0, r0, #192	; 0xc0
     160:	e129f000	msr	CPSR_fc, r0
; zero all 256 KiB IRAM except last 128 bytes
; r0 = write pointer starting at 0x800000, r1 = end = 0x840000 - 0x80,
; r2 = 0. One word per iteration with post-increment; the loop ends when r0
; equals r1 exactly. Clearing RAM on every reset means data left by whatever
; ran before is gone before the serial download window opens.
     164:	e3a00502	mov	r0, #8388608	; 0x800000
     168:	e3a02000	mov	r2, #0
     16c:	e3a01721	mov	r1, #8650752	; 0x840000
     170:	e2411080	sub	r1, r1, #128	; 0x80
     174:	e4802004	str	r2, [r0], #4
     178:	e1500001	cmp	r0, r1
     17c:	1afffffc	bne	0x174
; ditto for 2 MiB XRAM
; same loop over 0x1000000 .. 0x1200000 - 0x80
     180:	e3a00401	mov	r0, #16777216	; 0x1000000
     184:	e3a02000	mov	r2, #0
     188:	e3a01612	mov	r1, #18874368	; 0x1200000
     18c:	e2411080	sub	r1, r1, #128	; 0x80
     190:	e4802004	str	r2, [r0], #4
     194:	e1500001	cmp	r0, r1
     198:	1afffffc	bne	0x190
; MODEM UART
; r0 = UART base FFFF:5800 for this whole sequence; every register is
; accessed as a byte at r0 + offset. The register names in the notes below
; are the original author's; the code itself only shows the offsets
; (+0, +1, +2, +3, +4, +6, +8, +0x10).
     19c:	e59f0550	ldr	r0, =0xffff5800	; via 0x6f4
; 0 into LCR for IER access
     1a0:	e3a01000	mov	r1, #0
     1a4:	e5c01003	strb	r1, [r0, #3]
; clear IER
     1a8:	e3a01000	mov	r1, #0
     1ac:	e5c01001	strb	r1, [r0, #1]
; BF into LCR
     1b0:	e3a010bf	mov	r1, #191	; 0xbf
     1b4:	e5c01003	strb	r1, [r0, #3]
; 0x10 into EFR
     1b8:	e3a01010	mov	r1, #16	; 0x10
     1bc:	e5c01002	strb	r1, [r0, #2]
; set 115200 baud
; Bit 7 is ORed into the byte at offset 3, then 7 is written to offset 0 and
; 0 to offset 1 - presumably the divisor low/high bytes while bit 7 of LCR
; selects the divisor latch (16550-style layout; confirm against the UART
; documentation). The ldr at 0x1c4 is word-sized from an odd address; only
; the low byte is written back by the strb.
     1c0:	e59f3534	ldr	r3, =0xffff5803	; via 0x6fc
     1c4:	e5931000	ldr	r1, [r3]
     1c8:	e3811080	orr	r1, r1, #128	; 0x80
     1cc:	e5c31000	strb	r1, [r3]
     1d0:	e3a01007	mov	r1, #7
     1d4:	e5c01000	strb	r1, [r0]
     1d8:	e3a01000	mov	r1, #0
     1dc:	e5c01001	strb	r1, [r0, #1]
; LCR will eventually get back to 03
; (first clear bit 7 with AND 0x7f, then OR in 3 with a second
; read-modify-write)
     1e0:	e59f3514	ldr	r3, =0xffff5803	; via 0x6fc
     1e4:	e5931000	ldr	r1, [r3]
     1e8:	e201107f	and	r1, r1, #127	; 0x7f
     1ec:	e5c31000	strb	r1, [r3]
     1f0:	e5931000	ldr	r1, [r3]
     1f4:	e3811003	orr	r1, r1, #3
     1f8:	e5c31000	strb	r1, [r3]
; 0x40 into MCR: TCR/TLR access
     1fc:	e3a01040	mov	r1, #64	; 0x40
     200:	e5c01004	strb	r1, [r0, #4]
; TCR=0x0F (same as default)
     204:	e3a0100f	mov	r1, #15	; 0xf
     208:	e5c01006	strb	r1, [r0, #6]
; BF into LCR again
     20c:	e3a010bf	mov	r1, #191	; 0xbf
     210:	e5c01003	strb	r1, [r0, #3]
; 0x10 into EFR again
     214:	e3a01010	mov	r1, #16	; 0x10
     218:	e5c01002	strb	r1, [r0, #2]
; finally 03 into LCR
     21c:	e3a01003	mov	r1, #3
     220:	e5c01003	strb	r1, [r0, #3]
; clear SCR (default, all weird stuff disabled)
     224:	e3a01000	mov	r1, #0
     228:	e5c01010	strb	r1, [r0, #16]	; 0x10
; FCR=06: FIFOs cleared and *disabled*
     22c:	e3a01006	mov	r1, #6
     230:	e5c01002	strb	r1, [r0, #2]
; MCR=0F
     234:	e3a0100f	mov	r1, #15	; 0xf
     238:	e5c01004	strb	r1, [r0, #4]
; FCR=F1: enable FIFOs with max trigger levels
     23c:	e3a010f1	mov	r1, #241	; 0xf1
     240:	e5c01002	strb	r1, [r0, #2]
; MDR1: write 7 for reset, then 0 for UART mode
     244:	e3a01007	mov	r1, #7
     248:	e5c01008	strb	r1, [r0, #8]
     24c:	e3a01000	mov	r1, #0
     250:	e5c01008	strb	r1, [r0, #8]
; IER: enable Rx interrupt
; (ORs bit 0 into the byte at FFFF:5801. IRQ and FIQ were masked in CPSR
; earlier, and all receive code in this listing polls offset 5 instead.)
     254:	e59f349c	ldr	r3, =0xffff5801	; via 0x6f8
     258:	e5931000	ldr	r1, [r3]
     25c:	e3811001	orr	r1, r1, #1
     260:	e5c31000	strb	r1, [r3]
; nCS0: WS=3, write enable, DC=1
; (FFFF:FB00 was written with 0x2a1 in the memory-timing block; this plain
; store replaces it with 0x2a3, i.e. bit 1 is now set as well)
     264:	e59f1484	ldr	r1, =0xfffffb00	; via 0x6f0
     268:	e59f247c	ldr	r2, =0x2a3	; via 0x6ec
     26c:	e1c120b0	strh	r2, [r1]
; FFFF:FB0E = 0x6A: adapt enabled for RHEA and API,
; all ARM7 cycles visible externally
; NOTE(review): if "visible externally" means internal bus cycles are driven
; onto the external bus, the downloaded payload's traffic is observable off
; chip - confirm against the chipset documentation.
     270:	e59f3488	ldr	r3, =0xfffffb00	; via 0x700
     274:	e3a0106a	mov	r1, #106	; 0x6a
     278:	e1c310be	strh	r1, [r3, #14]	; 0xe
; dingle UART FIFOs again, same settings
; (0xf7 then 0xf1 to offset 2: the first value also has bits 1 and 2 set,
; the second leaves the 0xf1 configuration in place)
     27c:	e59f0470	ldr	r0, =0xffff5800	; via 0x6f4
     280:	e3a010f7	mov	r1, #247	; 0xf7
     284:	e5c01002	strb	r1, [r0, #2]
     288:	e3a010f1	mov	r1, #241	; 0xf1
     28c:	e5c01002	strb	r1, [r0, #2]
; short delay loop
; (300 iterations of sub/cmp/bne; duration depends on the clock set up above)
     290:	e3a01f4b	mov	r1, #300	; 0x12c
     294:	e2411001	sub	r1, r1, #1
     298:	e3510000	cmp	r1, #0
     29c:	1afffffc	bne	0x294
; check UART for unsolicited input?
; r8 counts down from 0x10000 polls; when it reaches 0 the code branches to
; the normal path at 0x3bc. Each poll tests bit 0 of the status byte at
; offset 5 (the same "byte available" test every receive loop in this
; listing uses). r2 is loaded with 100 here but is not used in this loop.
     2a0:	e59f044c	ldr	r0, =0xffff5800	; via 0x6f4
     2a4:	e3a02064	mov	r2, #100	; 0x64
     2a8:	e3a08801	mov	r8, #65536	; 0x10000
     2ac:	e2488001	sub	r8, r8, #1
     2b0:	e3580000	cmp	r8, #0
     2b4:	0a000040	beq	0x3bc
     2b8:	e5d01005	ldrb	r1, [r0, #5]
     2bc:	e2011001	and	r1, r1, #1
     2c0:	e3510001	cmp	r1, #1
     2c4:	1afffff8	bne	0x2ac
; The received byte is read only to drain it: r1 is overwritten at 0x2d0
; without being compared, so any byte at all selects the alternate speed.
     2c8:	e5d01000	ldrb	r1, [r0]
; unsolicited input received
; repeats the whole UART init, but with /2 div for 406250 baud
; Same register sequence as the first UART init; the only differing value is
; the 2 written to offset 0 at 0x300 (the first init wrote 7 there).
     2cc:	e59f0420	ldr	r0, =0xffff5800	; via 0x6f4
     2d0:	e3a01000	mov	r1, #0
     2d4:	e5c01003	strb	r1, [r0, #3]
     2d8:	e3a01000	mov	r1, #0
     2dc:	e5c01001	strb	r1, [r0, #1]
     2e0:	e3a010bf	mov	r1, #191	; 0xbf
     2e4:	e5c01003	strb	r1, [r0, #3]
     2e8:	e3a01010	mov	r1, #16	; 0x10
     2ec:	e5c01002	strb	r1, [r0, #2]
     2f0:	e59f3404	ldr	r3, =0xffff5803	; via 0x6fc
     2f4:	e5931000	ldr	r1, [r3]
     2f8:	e3811080	orr	r1, r1, #128	; 0x80
     2fc:	e5c31000	strb	r1, [r3]
     300:	e3a01002	mov	r1, #2
     304:	e5c01000	strb	r1, [r0]
     308:	e3a01000	mov	r1, #0
     30c:	e5c01001	strb	r1, [r0, #1]
     310:	e59f33e4	ldr	r3, =0xffff5803	; via 0x6fc
     314:	e5931000	ldr	r1, [r3]
     318:	e201107f	and	r1, r1, #127	; 0x7f
     31c:	e5c31000	strb	r1, [r3]
     320:	e5931000	ldr	r1, [r3]
     324:	e3811003	orr	r1, r1, #3
     328:	e5c31000	strb	r1, [r3]
     32c:	e3a01040	mov	r1, #64	; 0x40
     330:	e5c01004	strb	r1, [r0, #4]
     334:	e3a0100f	mov	r1, #15	; 0xf
     338:	e5c01006	strb	r1, [r0, #6]
     33c:	e3a010bf	mov	r1, #191	; 0xbf
     340:	e5c01003	strb	r1, [r0, #3]
     344:	e3a01010	mov	r1, #16	; 0x10
     348:	e5c01002	strb	r1, [r0, #2]
     34c:	e3a01003	mov	r1, #3
     350:	e5c01003	strb	r1, [r0, #3]
     354:	e3a01000	mov	r1, #0
     358:	e5c01010	strb	r1, [r0, #16]	; 0x10
     35c:	e3a01006	mov	r1, #6
     360:	e5c01002	strb	r1, [r0, #2]
     364:	e3a0100f	mov	r1, #15	; 0xf
     368:	e5c01004	strb	r1, [r0, #4]
     36c:	e3a010f1	mov	r1, #241	; 0xf1
     370:	e5c01002	strb	r1, [r0, #2]
     374:	e3a01007	mov	r1, #7
     378:	e5c01008	strb	r1, [r0, #8]
     37c:	e3a01000	mov	r1, #0
     380:	e5c01008	strb	r1, [r0, #8]
     384:	e59f336c	ldr	r3, =0xffff5801	; via 0x6f8
     388:	e5931000	ldr	r1, [r3]
     38c:	e3811001	orr	r1, r1, #1
     390:	e5c31000	strb	r1, [r3]
     394:	e59f0358	ldr	r0, =0xffff5800	; via 0x6f4
     398:	e3a010f7	mov	r1, #247	; 0xf7
     39c:	e5c01002	strb	r1, [r0, #2]
     3a0:	e3a010f1	mov	r1, #241	; 0xf1
     3a4:	e5c01002	strb	r1, [r0, #2]
; same 300-iteration delay as after the first init
     3a8:	e3a01f4b	mov	r1, #300	; 0x12c
     3ac:	e2411001	sub	r1, r1, #1
     3b0:	e3510000	cmp	r1, #0
     3b4:	1afffffc	bne	0x3ac
; r0 = UART base again before falling through to the prompt at 0x3bc
     3b8:	e59f0334	ldr	r0, =0xffff5800	; via 0x6f4
; normal path continues
; emit 1B F6 02 00 41 01 40
; Reached both from the poll timeout at 0x2b4 and by fall-through after the
; alternate-speed re-init; r0 = UART base in either case. The seven bytes are
; stored back to back to offset 0 with no transmit-status poll in between,
; so this relies on the transmit FIFO enabled earlier (FCR=F1) to hold them.
     3bc:	e3a0101b	mov	r1, #27	; 0x1b
     3c0:	e5c01000	strb	r1, [r0]
     3c4:	e3a010f6	mov	r1, #246	; 0xf6
     3c8:	e5c01000	strb	r1, [r0]
     3cc:	e3a01002	mov	r1, #2
     3d0:	e5c01000	strb	r1, [r0]
     3d4:	e3a01000	mov	r1, #0
     3d8:	e5c01000	strb	r1, [r0]
     3dc:	e3a01041	mov	r1, #65	; 0x41
     3e0:	e5c01000	strb	r1, [r0]
     3e4:	e3a01001	mov	r1, #1
     3e8:	e5c01000	strb	r1, [r0]
     3ec:	e3a01040	mov	r1, #64	; 0x40
     3f0:	e5c01000	strb	r1, [r0]
; wait for UART input
; Handshake receiver. The byte sequence accepted below is
; 1B F6 02 00 52 01 53, each byte compared against an immediate. Because the
; expected values are fixed constants in the code, the handshake identifies
; the protocol; it does not authenticate whoever is on the serial line.
; Timeouts are poll counters in r8; every timeout or mismatch after the first
; byte branches to the bail-out path at 0x6b4.
;
; First byte: r8 = 0x40000 polls in total (it is not reloaded when the loop
; is re-entered from 0x430 or 0x438). r2 = 100 is a budget of received zero
; bytes: each 00 decrements it and the 100th bails out. Any other byte that
; is not 1B is ignored and the wait continues.
     3f4:	e3a02064	mov	r2, #100	; 0x64
     3f8:	e3a08701	mov	r8, #262144	; 0x40000
     3fc:	e2488001	sub	r8, r8, #1
     400:	e3580000	cmp	r8, #0
     404:	0a0000aa	beq	0x6b4
     408:	e5d01005	ldrb	r1, [r0, #5]
     40c:	e2011001	and	r1, r1, #1
     410:	e3510001	cmp	r1, #1
     414:	1afffff8	bne	0x3fc
     418:	e5d01000	ldrb	r1, [r0]
     41c:	e3510000	cmp	r1, #0
     420:	1a000003	bne	0x434
     424:	e2422001	sub	r2, r2, #1
     428:	e3520000	cmp	r2, #0
     42c:	0a0000a0	beq	0x6b4
     430:	eafffff1	b	0x3fc
     434:	e351001b	cmp	r1, #27	; 0x1b
     438:	1affffef	bne	0x3fc
; got 1B
; From here on a wrong byte is fatal for the handshake (branch to 0x6b4)
; instead of being skipped. This wait uses 0x40000 polls.
     43c:	e3a08701	mov	r8, #262144	; 0x40000
     440:	e2488001	sub	r8, r8, #1
     444:	e3580000	cmp	r8, #0
     448:	0a000099	beq	0x6b4
     44c:	e5d01005	ldrb	r1, [r0, #5]
     450:	e2011001	and	r1, r1, #1
     454:	e3510001	cmp	r1, #1
     458:	1afffff8	bne	0x440
     45c:	e5d01000	ldrb	r1, [r0]
     460:	e35100f6	cmp	r1, #246	; 0xf6
     464:	1a000092	bne	0x6b4
; got F6
; (this and the remaining waits use the shorter 0x10000-poll timeout)
     468:	e3a08801	mov	r8, #65536	; 0x10000
     46c:	e2488001	sub	r8, r8, #1
     470:	e3580000	cmp	r8, #0
     474:	0a00008e	beq	0x6b4
     478:	e5d01005	ldrb	r1, [r0, #5]
     47c:	e2011001	and	r1, r1, #1
     480:	e3510001	cmp	r1, #1
     484:	1afffff8	bne	0x46c
     488:	e5d01000	ldrb	r1, [r0]
     48c:	e3510002	cmp	r1, #2
     490:	1a000087	bne	0x6b4
; got 02
     494:	e3a08801	mov	r8, #65536	; 0x10000
     498:	e2488001	sub	r8, r8, #1
     49c:	e3580000	cmp	r8, #0
     4a0:	0a000083	beq	0x6b4
     4a4:	e5d01005	ldrb	r1, [r0, #5]
     4a8:	e2011001	and	r1, r1, #1
     4ac:	e3510001	cmp	r1, #1
     4b0:	1afffff8	bne	0x498
     4b4:	e5d01000	ldrb	r1, [r0]
     4b8:	e3510000	cmp	r1, #0
     4bc:	1a00007c	bne	0x6b4
; got 00
     4c0:	e3a08801	mov	r8, #65536	; 0x10000
     4c4:	e2488001	sub	r8, r8, #1
     4c8:	e3580000	cmp	r8, #0
     4cc:	0a000078	beq	0x6b4
     4d0:	e5d01005	ldrb	r1, [r0, #5]
     4d4:	e2011001	and	r1, r1, #1
     4d8:	e3510001	cmp	r1, #1
     4dc:	1afffff8	bne	0x4c4
     4e0:	e5d01000	ldrb	r1, [r0]
     4e4:	e3510052	cmp	r1, #82	; 0x52
     4e8:	1a000071	bne	0x6b4
; got 52
; 0x4f0 is also the re-entry point used at 0x580 when the final byte is not
; 53; on that path r8 is not reloaded, so the retry runs on whatever poll
; budget is left.
     4ec:	e3a08801	mov	r8, #65536	; 0x10000
     4f0:	e2488001	sub	r8, r8, #1
     4f4:	e3580000	cmp	r8, #0
     4f8:	0a00006d	beq	0x6b4
     4fc:	e5d01005	ldrb	r1, [r0, #5]
     500:	e2011001	and	r1, r1, #1
     504:	e3510001	cmp	r1, #1
     508:	1afffff8	bne	0x4f0
     50c:	e5d01000	ldrb	r1, [r0]
     510:	e3510001	cmp	r1, #1
     514:	1a000066	bne	0x6b4
; got 01
     518:	e3a08801	mov	r8, #65536	; 0x10000
     51c:	e2488001	sub	r8, r8, #1
     520:	e3580000	cmp	r8, #0
     524:	0a000062	beq	0x6b4
     528:	e5d01005	ldrb	r1, [r0, #5]
     52c:	e2011001	and	r1, r1, #1
     530:	e3510001	cmp	r1, #1
     534:	1afffff8	bne	0x51c
; r0 is reloaded with the UART base (it already holds it); the last handshake
; byte is read into r1 and kept there while r2 is used for the reply bytes.
     538:	e59f01b4	ldr	r0, =0xffff5800	; via 0x6f4
     53c:	e5d01000	ldrb	r1, [r0]
; emit 1B F6 02 00 41 02 43 before checking the last Rx char!
; Consequence: the acknowledgement is transmitted even when the final byte
; turns out to be wrong, and again on every retry through 0x580.
     540:	e3a0201b	mov	r2, #27	; 0x1b
     544:	e5c02000	strb	r2, [r0]
     548:	e3a020f6	mov	r2, #246	; 0xf6
     54c:	e5c02000	strb	r2, [r0]
     550:	e3a02002	mov	r2, #2
     554:	e5c02000	strb	r2, [r0]
     558:	e3a02000	mov	r2, #0
     55c:	e5c02000	strb	r2, [r0]
     560:	e3a02041	mov	r2, #65	; 0x41
     564:	e5c02000	strb	r2, [r0]
     568:	e3a02002	mov	r2, #2
     56c:	e5c02000	strb	r2, [r0]
     570:	e3a02043	mov	r2, #67	; 0x43
     574:	e5c02000	strb	r2, [r0]
; now check for 53
; if not 53, go back to wait for 01-53
     578:	e3510053	cmp	r1, #83	; 0x53
     57c:	0a000000	beq	0x584
     580:	eaffffda	b	0x4f0
; got 53
; Download receiver. Register roles from here on:
;   r0 = UART base, r1 = byte just received, r2 = state (0..4),
;   r3 = write pointer, starting at 0x800100 (inside the IRAM zeroed earlier),
;   r4 = remaining payload length, r6 = running XOR checksum.
;   r5 is set to 1 but is not read anywhere in this listing.
; Frame accepted: 02, length MSB, length LSB, <length> payload bytes, XOR byte.
     584:	e3a02000	mov	r2, #0
     588:	e59f3190	ldr	r3, =0x800100	; via 0x720
     58c:	e3a04000	mov	r4, #0
     590:	e3a05001	mov	r5, #1
; endless wait for Rx byte
; Unlike the handshake loops there is no r8 poll counter here: once the
; handshake has completed, the loader stays in this loop until a byte
; arrives, and again for every following byte of the frame.
     594:	e5d01005	ldrb	r1, [r0, #5]
     598:	e2011001	and	r1, r1, #1
     59c:	e3510001	cmp	r1, #1
     5a0:	1afffffb	bne	0x594
     5a4:	e5d01000	ldrb	r1, [r0]
; state machine dispatch
; (compare chain on r2; any state value other than 0..4 goes to the bail-out
; path at 0x6b4)
     5a8:	e3520000	cmp	r2, #0
     5ac:	0a000008	beq	0x5d4
     5b0:	e3520001	cmp	r2, #1
     5b4:	0a00000b	beq	0x5e8
     5b8:	e3520002	cmp	r2, #2
     5bc:	0a00000d	beq	0x5f8
     5c0:	e3520003	cmp	r2, #3
     5c4:	0a00000f	beq	0x608
     5c8:	e3520004	cmp	r2, #4
     5cc:	0a000015	beq	0x628
     5d0:	ea000037	b	0x6b4
; R2=0: must receive 02 first
; Bytes other than 02 are silently skipped. The 02 itself seeds the
; checksum (r6 = 02).
     5d4:	e3510002	cmp	r1, #2
     5d8:	1affffed	bne	0x594
     5dc:	e1a06001	mov	r6, r1
     5e0:	e2822001	add	r2, r2, #1
     5e4:	eaffffea	b	0x594
; R2=1: got MSB of length
     5e8:	e1a04401	mov	r4, r1, lsl #8
     5ec:	e0266001	eor	r6, r6, r1
     5f0:	e2822001	add	r2, r2, #1
     5f4:	eaffffe6	b	0x594
; R2=2: got LSB of length
; r4 now holds the full 16-bit length. It is used as received:
; NOTE(review): there is no range check. The length is neither rejected when
; it is 0 nor bounded against the destination region or against the initial
; stack pointer 0x803FFC that is loaded just before the jump at 0x678.
     5f8:	e0844001	add	r4, r4, r1
     5fc:	e0266001	eor	r6, r6, r1
     600:	e2822001	add	r2, r2, #1
     604:	eaffffe2	b	0x594
; R2=3: payload
; Store the byte at r3, fold it into the checksum, advance r3 and count r4
; down; move to state 4 when r4 reaches exactly 0.
; NOTE(review): the byte is stored before r4 is tested, so with a length of 0
; the first decrement takes r4 from 0 to 0xFFFFFFFF and the "== 0" exit is
; not reached until the counter wraps all the way round. A loader meant to be
; robust would validate the length in state 2 before accepting any payload.
     608:	e5c31000	strb	r1, [r3]
     60c:	e0266001	eor	r6, r6, r1
     610:	e2833001	add	r3, r3, #1
     614:	e2444001	sub	r4, r4, #1
     618:	e3540000	cmp	r4, #0
     61c:	1affffdc	bne	0x594
     620:	e2822001	add	r2, r2, #1
     624:	eaffffda	b	0x594
; R2=4: checksum expected
; r6 was seeded with the 02 start byte and XORed with both length bytes and
; every payload byte; the frame's final byte must equal it.
; This 8-bit XOR is the only check made on the payload before control is
; handed to it. It catches transmission errors; it is not a signature or
; MAC, so it places no restriction on what code the sender supplies.
     628:	e1560001	cmp	r6, r1
     62c:	1a000012	bne	0x67c
; checksum good
; emit 1B F6 02 00 41 03 42
     630:	e3a0101b	mov	r1, #27	; 0x1b
     634:	e5c01000	strb	r1, [r0]
     638:	e3a010f6	mov	r1, #246	; 0xf6
     63c:	e5c01000	strb	r1, [r0]
     640:	e3a01002	mov	r1, #2
     644:	e5c01000	strb	r1, [r0]
     648:	e3a01000	mov	r1, #0
     64c:	e5c01000	strb	r1, [r0]
     650:	e3a01041	mov	r1, #65	; 0x41
     654:	e5c01000	strb	r1, [r0]
     658:	e3a01003	mov	r1, #3
     65c:	e5c01000	strb	r1, [r0]
     660:	e3a01042	mov	r1, #66	; 0x42
     664:	e5c01000	strb	r1, [r0]
; SP=0x803FFC
; (0x3EFC bytes above the load address 0x800100, in the same IRAM region the
; payload was written to)
     668:	e59f00b4	ldr	r0, =0x803ffc	; via 0x724
     66c:	e1a0d000	mov	sp, r0
; jump to 0x800100 in Thumb state
; lr = 0x800100 + 1; bit 0 set in the bx target selects Thumb. The CPU is
; still in SVC mode with IRQ and FIQ masked, as set during init, so the
; payload starts with full privileges.
     670:	e59f00a8	ldr	r0, =0x800100	; via 0x720
     674:	e280e001	add	lr, r0, #1
     678:	e12fff1e	bx	lr
; checksum mismatch
; emit 1B F6 02 00 45 53 16
; After the last byte is sent execution falls through into the bail-out
; path at 0x6b4; the received payload stays in IRAM but is not executed by
; this code.
     67c:	e3a0101b	mov	r1, #27	; 0x1b
     680:	e5c01000	strb	r1, [r0]
     684:	e3a010f6	mov	r1, #246	; 0xf6
     688:	e5c01000	strb	r1, [r0]
     68c:	e3a01002	mov	r1, #2
     690:	e5c01000	strb	r1, [r0]
     694:	e3a01000	mov	r1, #0
     698:	e5c01000	strb	r1, [r0]
     69c:	e3a01045	mov	r1, #69	; 0x45
     6a0:	e5c01000	strb	r1, [r0]
     6a4:	e3a01053	mov	r1, #83	; 0x53
     6a8:	e5c01000	strb	r1, [r0]
     6ac:	e3a01016	mov	r1, #22	; 0x16
     6b0:	e5c01000	strb	r1, [r0]
; bail out path
; Common exit for every handshake timeout or mismatch, for an invalid state
; in the download dispatcher, and (by fall-through) for a checksum mismatch.
; It adjusts two GPIO registers and then branches to 0x200e0, four bytes
; below the first exception-vector target, i.e. into the main firmware image.
; ARMIO_LATCH_OUT: 0-7 and 11 set low
; NOTE(review): the mask built here is 0xFD00 | 0xFF = 0xFDFF, so the AND
; clears bit 9 only and leaves bits 0-7 and 11 as read - confirm which bits
; the note above is meant to describe.
     6b4:	e59f3050	ldr	r3, =0xfffe4802	; via 0x70c
     6b8:	e5931000	ldr	r1, [r3]
     6bc:	e3a030ff	mov	r3, #255	; 0xff
     6c0:	e3a02cfd	mov	r2, #64768	; 0xfd00
     6c4:	e1822003	orr	r2, r2, r3
     6c8:	e0011002	and	r1, r1, r2
     6cc:	e59f3034	ldr	r3, =0xfffe4800	; via 0x708
     6d0:	e1c310b2	strh	r1, [r3, #2]
; switch GPIO12 back to input
; (ORs 0x1000, bit 12, into FFFE:4804 - the bit the init code cleared)
     6d4:	e59f3034	ldr	r3, =0xfffe4804	; via 0x710
     6d8:	e5931000	ldr	r1, [r3]
     6dc:	e3811a01	orr	r1, r1, #4096	; 0x1000
     6e0:	e59f3020	ldr	r3, =0xfffe4800	; via 0x708
     6e4:	e1c310b4	strh	r1, [r3, #4]
     6e8:	ea007e7c	b	0x200e0

; Second literal pool (addresses and constants loaded "via 0x6ec".."via 0x724"
; above). The entries at 0x714 (fffe480c) and 0x718 (fffe480a) are not
; referenced by any instruction in this listing.
     6ec:	000002a3
     6f0:	fffffb00
     6f4:	ffff5800
     6f8:	ffff5801
     6fc:	ffff5803
     700:	fffffb00
     704:	fffef000
     708:	fffe4800
     70c:	fffe4802
     710:	fffe4804
     714:	fffe480c
     718:	fffe480a
     71c:	fffef006
     720:	00800100
     724:	00803ffc

<728-7FF: all FFs>

00000800:  42 4F 4F 54 2E 39 30 2E  30 35 00 00 00 00 00 00  BOOT.90.05......
00000810:  31 30 30 33 01 02 00 00  FF FF FF FF FF FF FF FF  1003............
00000820:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................

blank flash from here onward, until the main fw image starts at 0x20000