view moko11 @ 162:8d30e1722e0f

locked C139 bootloader reverse-engineered
author Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
date Thu, 15 May 2014 20:55:39 +0000
parents 277fd7b971f0

The Init_Target() function in the TCS211 code from Sotovik (which sits in a
binary lib with no source!) programs nCS0 and nCS1 memory timings with WS=3.
We would like to determine whether or not the moko11 firmware does the same
thing.  We have no linker map file for moko11, so we have to dig around in the
binary and try to match the code against known objects.

In the Sotomodem version of Init_Target(), at offset 0x60 from the beginning of
the function there is a BL instruction calling $CLKM_InitARMClock, and this call
is immediately followed by the code that sets up the memory timings.

Let's see what we can find in the moko11 binary image:

0012D4:	RESET vector jumps here
010000:	the code here appears to fully match the .inttext section of
	TI's int.obj
010058:	appears to be the _INT_Initialize entry point
	(seems to be the same for all TI firmwares of that era)
010268:	b 0x1e8364, should be a jump to the _INC_Initialize veneer
1D1E48:	first function called from Application_Initialize, should be
	Init_Target()
	Matches the Sotomodem version of Init_Target() indeed,
	including the memory timing setup!
1E72B0:	Expected start of $INC_Initialize, appears to match
1E72F4:	bl 0x1e81fc, should be calling Application_Initialize()
1E81FC:	Expected start of Application_Initialize(), contains 6 calls indeed
1E8364:	looks like an ARM->Thumb call veneer indeed
1E8370:	Thumb code begins, does bl 0x1e72b0
1E8378:	back to ARM, veneer return
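Matching the offsets above by hand means decoding each ARM B/BL and Thumb BL by eye. The script below is an added example, not part of this note or the moko11/TCS211 code: it decodes those branch encodings and checks them against a constructed image that assumes a 2 MiB flash loaded at address 0, with just the three branches listed above (b at 010268, bl at 1E72F4, Thumb bl at 1E8370) placed at their offsets.

```python
"""Decode ARM and Thumb branch targets in a raw firmware image (added example)."""
import struct

FLASH_SIZE = 0x200000  # assumed: 2 MiB flash, image loaded at address 0


def sign_extend(value, bits):
    """Interpret the low `bits` bits of value as a two's-complement number."""
    sign = 1 << (bits - 1)
    return (value & (sign - 1)) - (value & sign)


def decode_arm_branch(word, addr):
    """Return ('b'|'bl', target) for an unconditional ARM B/BL at addr, else None."""
    if (word >> 28) != 0xE or ((word >> 25) & 0x7) != 0x5:
        return None
    mnemonic = "bl" if word & (1 << 24) else "b"
    # ARM: target = PC + 8 + (signed imm24 << 2), PC being the branch's own address
    target = addr + 8 + (sign_extend(word & 0xFFFFFF, 24) << 2)
    return mnemonic, target & 0xFFFFFFFF


def find_arm_branches(image, base=0):
    """Scan word-aligned ARM code for B/BL and yield (addr, mnemonic, target)."""
    for i, (word,) in enumerate(struct.iter_unpack("<I", image)):
        decoded = decode_arm_branch(word, base + 4 * i)
        if decoded:
            yield (base + 4 * i, *decoded)


def decode_thumb_bl(image, addr, base=0):
    """Decode the ARMv4T two-halfword Thumb BL pair at addr; None if not one."""
    hi, lo = struct.unpack_from("<HH", image, addr - base)
    if (hi & 0xF800) != 0xF000 or (lo & 0xF800) != 0xF800:
        return None
    # Thumb: target = PC + 4 + (signed hi11 << 12) + (lo11 << 1)
    offset = (sign_extend(hi & 0x7FF, 11) << 12) + ((lo & 0x7FF) << 1)
    return (addr + 4 + offset) & 0xFFFFFFFF


def build_sample_image():
    """Constructed image: erased flash plus the three branches the note lists."""
    image = bytearray(b"\xff" * FLASH_SIZE)
    struct.pack_into("<I", image, 0x010268, 0xEA07603D)         # b  0x1e8364
    struct.pack_into("<I", image, 0x1E72F4, 0xEB0003C0)         # bl 0x1e81fc
    struct.pack_into("<HH", image, 0x1E8370, 0xF7FE, 0xFF9E)    # Thumb bl 0x1e72b0
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image()
    for addr, mn, target in find_arm_branches(img):
        print(f"{addr:06X}: {mn} 0x{target:x}")
    print(f"1E8370: Thumb bl 0x{decode_thumb_bl(img, 0x1E8370):x}")
```

Pointing build_sample_image at a real dump instead would list every unconditional ARM branch, so the veneer at 1E8364 and the Thumb bl behind it are found by decoding at the addresses the ARM scan leads to.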