FreeCalypso > hg > freecalypso-reveng
view compal/c156-boot.disasm @ 310:ae39d76d5b7a
moko1-fw-disasm: simple analysis of init module
author | Mychaela Falconia <falcon@freecalypso.org> |
---|---|
date | Fri, 31 Jan 2020 22:45:18 +0000 |
parents | 5c47d916255e |
children |
line wrap: on
line source
RESET entry and exception vectors: 0: ea000011 b 0x4c 4: ea008036 b 0x200e4 8: ea008036 b 0x200e8 c: ea008036 b 0x200ec 10: ea008036 b 0x200f0 14: ea008036 b 0x200f4 18: ea008036 b 0x200f8 1c: ea008036 b 0x200fc 20: 02a102a1 24: 02a302a1 28: 00000040 2c: fffffd00 30: ffff9800 34: fffffb10 38: ffffff08 3c: 20021081 40: 00000800 44: 004000c0 48: 00000e85 ; RESET entry point ; same init as in the C139 version 4c: e51f1028 ldr r1, =0xfffffd00 ; via 0x2c 50: e1d120b2 ldrh r2, [r1, #2] 54: e51f0034 ldr r0, =0x40 ; via 0x28 58: e1800002 orr r0, r0, r2 5c: e1c100b2 strh r0, [r1, #2] ; disable PLL ; diff from C139 version: writing 2002 into FFFF:9800 instead of 2006 ; diff in the BYPASS_DIV field 60: e51f1038 ldr r1, =0xffff9800 ; via 0x30 64: e15f22be ldrh r2, =0x2002 ; via 0x3e 68: e1c120b0 strh r2, [r1] 6c: e5912000 ldr r2, [r1] 70: e2022001 and r2, r2, #1 74: e3520001 cmp r2, #1 78: 0afffffb beq 0x6c ; FFFF:FD00 write same as C139 7c: e51f1058 ldr r1, =0xfffffd00 ; via 0x2c 80: e15f24bc ldrh r2, =0x1081 ; via 0x3c 84: e1c120b0 strh r2, [r1] ; disable DU like C139 88: e51f105c ldr r1, =0xfffffb10 ; via 0x34 8c: e15f25b4 ldrh r2, =0x800 ; via 0x40 90: e1d100b0 ldrh r0, [r1] 94: e1800002 orr r0, r0, r2 98: e1c100b0 strh r0, [r1] ; ditto for MPU 9c: e51f106c ldr r1, =0xffffff08 ; via 0x38 a0: e15f26b6 ldrh r2, =0x0 ; via 0x42 a4: e1c120b0 strh r2, [r1] ; Memory timings a8: e59f1640 ldr r1, =0xfffffb00 ; via 0x6f0 ac: e15f29b4 ldrh r2, =0x2a1 ; via 0x20 b0: e1c120b0 strh r2, [r1] b4: e15f29ba ldrh r2, =0x2a1 ; via 0x22 b8: e1c120b2 strh r2, [r1, #2] bc: e15f2ab0 ldrh r2, =0x2a1 ; via 0x24 c0: e1c120b4 strh r2, [r1, #4] c4: e15f2ab6 ldrh r2, =0x2a3 ; via 0x26 c8: e1c120b6 strh r2, [r1, #6] cc: e15f28bc ldrh r2, =0xe85 ; via 0x48 d0: e1c120ba strh r2, [r1, #10] ; 0xa d4: e15f29b8 ldrh r2, =0xc0 ; via 0x44 d8: e1c120bc strh r2, [r1, #12] ; 0xc dc: e15f29be ldrh r2, =0x40 ; via 0x46 e0: e1c120b8 strh r2, [r1, #8] ; enable 8 MiB chip select regions e4: e59f3630 ldr r3, =0xfffef006 ; via 0x71c e8: e1d310b0 ldrh r1, [r3] ec: e3a02008 mov r2, #8 f0: e1811002 orr r1, r1, r2 f4: e1c310b0 strh r1, [r3] ; write 0x0110 into FFFE:F00A ; enable I/O(8) and I/O(12) f8: e59f3604 ldr r3, =0xfffef000 ; via 0x704 fc: e3a01e11 mov r1, #272 ; 0x110 100: e1c310ba strh r1, [r3, #10] ; 0xa ; FFFE:4804: set GPIOs 8 and 12 as outputs 104: e59f3604 ldr r3, =0xfffe4804 ; via 0x710 108: e5931000 ldr r1, [r3] 10c: e3a030ff mov r3, #255 ; 0xff 110: e3a02cee mov r2, #60928 ; 0xee00 114: e1822003 orr r2, r2, r3 118: e0011002 and r1, r1, r2 11c: e59f35e4 ldr r3, =0xfffe4800 ; via 0x708 120: e1c310b4 strh r1, [r3, #4] ; ARMIO_LATCH_OUT: GPIO 8 set to 0 124: e59f35e0 ldr r3, =0xfffe4802 ; via 0x70c 128: e5931000 ldr r1, [r3] 12c: e3a030ff mov r3, #255 ; 0xff 130: e3a02cfe mov r2, #65024 ; 0xfe00 134: e1822003 orr r2, r2, r3 138: e0011002 and r1, r1, r2 13c: e59f35c4 ldr r3, =0xfffe4800 ; via 0x708 140: e1c310b2 strh r1, [r3, #2] ; ... and then reset it to 0xF400 144: e3a01b3d mov r1, #62464 ; 0xf400 148: e59f35b8 ldr r3, =0xfffe4800 ; via 0x708 14c: e1c310b2 strh r1, [r3, #2] ; SVC mode, IRQ and FIQ disabled 150: e10f0000 mrs r0, CPSR 154: e3c0001f bic r0, r0, #31 ; 0x1f 158: e3800013 orr r0, r0, #19 ; 0x13 15c: e38000c0 orr r0, r0, #192 ; 0xc0 160: e129f000 msr CPSR_fc, r0 ; zero all 256 KiB IRAM except last 128 bytes 164: e3a00502 mov r0, #8388608 ; 0x800000 168: e3a02000 mov r2, #0 16c: e3a01721 mov r1, #8650752 ; 0x840000 170: e2411080 sub r1, r1, #128 ; 0x80 174: e4802004 str r2, [r0], #4 178: e1500001 cmp r0, r1 17c: 1afffffc bne 0x174 ; ditto for 2 MiB XRAM 180: e3a00401 mov r0, #16777216 ; 0x1000000 184: e3a02000 mov r2, #0 188: e3a01612 mov r1, #18874368 ; 0x1200000 18c: e2411080 sub r1, r1, #128 ; 0x80 190: e4802004 str r2, [r0], #4 194: e1500001 cmp r0, r1 198: 1afffffc bne 0x190 ; MODEM UART 19c: e59f0550 ldr r0, =0xffff5800 ; via 0x6f4 ; 0 into LCR for IER access 1a0: e3a01000 mov r1, #0 1a4: e5c01003 strb r1, [r0, #3] ; clear IER 1a8: e3a01000 mov r1, #0 1ac: e5c01001 strb r1, [r0, #1] ; BF into LCR 1b0: e3a010bf mov r1, #191 ; 0xbf 1b4: e5c01003 strb r1, [r0, #3] ; 0x10 into EFR 1b8: e3a01010 mov r1, #16 ; 0x10 1bc: e5c01002 strb r1, [r0, #2] ; set 115200 baud 1c0: e59f3534 ldr r3, =0xffff5803 ; via 0x6fc 1c4: e5931000 ldr r1, [r3] 1c8: e3811080 orr r1, r1, #128 ; 0x80 1cc: e5c31000 strb r1, [r3] 1d0: e3a01007 mov r1, #7 1d4: e5c01000 strb r1, [r0] 1d8: e3a01000 mov r1, #0 1dc: e5c01001 strb r1, [r0, #1] ; LCR will eventually get back to 03 1e0: e59f3514 ldr r3, =0xffff5803 ; via 0x6fc 1e4: e5931000 ldr r1, [r3] 1e8: e201107f and r1, r1, #127 ; 0x7f 1ec: e5c31000 strb r1, [r3] 1f0: e5931000 ldr r1, [r3] 1f4: e3811003 orr r1, r1, #3 1f8: e5c31000 strb r1, [r3] ; 0x40 into MCR: TCR/TLR access 1fc: e3a01040 mov r1, #64 ; 0x40 200: e5c01004 strb r1, [r0, #4] ; TCR=0x0F (same as default) 204: e3a0100f mov r1, #15 ; 0xf 208: e5c01006 strb r1, [r0, #6] ; BF into LCR again 20c: e3a010bf mov r1, #191 ; 0xbf 210: e5c01003 strb r1, [r0, #3] ; 0x10 into EFR again 214: e3a01010 mov r1, #16 ; 0x10 218: e5c01002 strb r1, [r0, #2] ; finally 03 into LCR 21c: e3a01003 mov r1, #3 220: e5c01003 strb r1, [r0, #3] ; clear SCR (default, all weird stuff disabled) 224: e3a01000 mov r1, #0 228: e5c01010 strb r1, [r0, #16] ; 0x10 ; FCR=06: FIFOs cleared and *disabled* 22c: e3a01006 mov r1, #6 230: e5c01002 strb r1, [r0, #2] ; MCR=0F 234: e3a0100f mov r1, #15 ; 0xf 238: e5c01004 strb r1, [r0, #4] ; FCR=F1: enable FIFOs with max trigger levels 23c: e3a010f1 mov r1, #241 ; 0xf1 240: e5c01002 strb r1, [r0, #2] ; MDR1: write 7 for reset, then 0 for UART mode 244: e3a01007 mov r1, #7 248: e5c01008 strb r1, [r0, #8] 24c: e3a01000 mov r1, #0 250: e5c01008 strb r1, [r0, #8] ; IER: enable Rx interrupt 254: e59f349c ldr r3, =0xffff5801 ; via 0x6f8 258: e5931000 ldr r1, [r3] 25c: e3811001 orr r1, r1, #1 260: e5c31000 strb r1, [r3] ; nCS0: WS=3, write enable, DC=1 264: e59f1484 ldr r1, =0xfffffb00 ; via 0x6f0 268: e59f247c ldr r2, =0x2a3 ; via 0x6ec 26c: e1c120b0 strh r2, [r1] ; FFFF:FB0E = 0x6A: adapt enabled for RHEA and API, ; all ARM7 cycles visible externally 270: e59f3488 ldr r3, =0xfffffb00 ; via 0x700 274: e3a0106a mov r1, #106 ; 0x6a 278: e1c310be strh r1, [r3, #14] ; 0xe ; dingle UART FIFOs again, same settings 27c: e59f0470 ldr r0, =0xffff5800 ; via 0x6f4 280: e3a010f7 mov r1, #247 ; 0xf7 284: e5c01002 strb r1, [r0, #2] 288: e3a010f1 mov r1, #241 ; 0xf1 28c: e5c01002 strb r1, [r0, #2] ; short delay loop 290: e3a01f4b mov r1, #300 ; 0x12c 294: e2411001 sub r1, r1, #1 298: e3510000 cmp r1, #0 29c: 1afffffc bne 0x294 ; check UART for unsolicited input? 2a0: e59f044c ldr r0, =0xffff5800 ; via 0x6f4 2a4: e3a02064 mov r2, #100 ; 0x64 2a8: e3a08801 mov r8, #65536 ; 0x10000 2ac: e2488001 sub r8, r8, #1 2b0: e3580000 cmp r8, #0 2b4: 0a000040 beq 0x3bc 2b8: e5d01005 ldrb r1, [r0, #5] 2bc: e2011001 and r1, r1, #1 2c0: e3510001 cmp r1, #1 2c4: 1afffff8 bne 0x2ac 2c8: e5d01000 ldrb r1, [r0] ; unsolicited input received ; repeats the whole UART init, but with /2 div for 406250 baud 2cc: e59f0420 ldr r0, =0xffff5800 ; via 0x6f4 2d0: e3a01000 mov r1, #0 2d4: e5c01003 strb r1, [r0, #3] 2d8: e3a01000 mov r1, #0 2dc: e5c01001 strb r1, [r0, #1] 2e0: e3a010bf mov r1, #191 ; 0xbf 2e4: e5c01003 strb r1, [r0, #3] 2e8: e3a01010 mov r1, #16 ; 0x10 2ec: e5c01002 strb r1, [r0, #2] 2f0: e59f3404 ldr r3, =0xffff5803 ; via 0x6fc 2f4: e5931000 ldr r1, [r3] 2f8: e3811080 orr r1, r1, #128 ; 0x80 2fc: e5c31000 strb r1, [r3] 300: e3a01002 mov r1, #2 304: e5c01000 strb r1, [r0] 308: e3a01000 mov r1, #0 30c: e5c01001 strb r1, [r0, #1] 310: e59f33e4 ldr r3, =0xffff5803 ; via 0x6fc 314: e5931000 ldr r1, [r3] 318: e201107f and r1, r1, #127 ; 0x7f 31c: e5c31000 strb r1, [r3] 320: e5931000 ldr r1, [r3] 324: e3811003 orr r1, r1, #3 328: e5c31000 strb r1, [r3] 32c: e3a01040 mov r1, #64 ; 0x40 330: e5c01004 strb r1, [r0, #4] 334: e3a0100f mov r1, #15 ; 0xf 338: e5c01006 strb r1, [r0, #6] 33c: e3a010bf mov r1, #191 ; 0xbf 340: e5c01003 strb r1, [r0, #3] 344: e3a01010 mov r1, #16 ; 0x10 348: e5c01002 strb r1, [r0, #2] 34c: e3a01003 mov r1, #3 350: e5c01003 strb r1, [r0, #3] 354: e3a01000 mov r1, #0 358: e5c01010 strb r1, [r0, #16] ; 0x10 35c: e3a01006 mov r1, #6 360: e5c01002 strb r1, [r0, #2] 364: e3a0100f mov r1, #15 ; 0xf 368: e5c01004 strb r1, [r0, #4] 36c: e3a010f1 mov r1, #241 ; 0xf1 370: e5c01002 strb r1, [r0, #2] 374: e3a01007 mov r1, #7 378: e5c01008 strb r1, [r0, #8] 37c: e3a01000 mov r1, #0 380: e5c01008 strb r1, [r0, #8] 384: e59f336c ldr r3, =0xffff5801 ; via 0x6f8 388: e5931000 ldr r1, [r3] 38c: e3811001 orr r1, r1, #1 390: e5c31000 strb r1, [r3] 394: e59f0358 ldr r0, =0xffff5800 ; via 0x6f4 398: e3a010f7 mov r1, #247 ; 0xf7 39c: e5c01002 strb r1, [r0, #2] 3a0: e3a010f1 mov r1, #241 ; 0xf1 3a4: e5c01002 strb r1, [r0, #2] 3a8: e3a01f4b mov r1, #300 ; 0x12c 3ac: e2411001 sub r1, r1, #1 3b0: e3510000 cmp r1, #0 3b4: 1afffffc bne 0x3ac 3b8: e59f0334 ldr r0, =0xffff5800 ; via 0x6f4 ; normal path continues ; emit 1B F6 02 00 41 01 40 3bc: e3a0101b mov r1, #27 ; 0x1b 3c0: e5c01000 strb r1, [r0] 3c4: e3a010f6 mov r1, #246 ; 0xf6 3c8: e5c01000 strb r1, [r0] 3cc: e3a01002 mov r1, #2 3d0: e5c01000 strb r1, [r0] 3d4: e3a01000 mov r1, #0 3d8: e5c01000 strb r1, [r0] 3dc: e3a01041 mov r1, #65 ; 0x41 3e0: e5c01000 strb r1, [r0] 3e4: e3a01001 mov r1, #1 3e8: e5c01000 strb r1, [r0] 3ec: e3a01040 mov r1, #64 ; 0x40 3f0: e5c01000 strb r1, [r0] ; wait for UART input 3f4: e3a02064 mov r2, #100 ; 0x64 3f8: e3a08701 mov r8, #262144 ; 0x40000 3fc: e2488001 sub r8, r8, #1 400: e3580000 cmp r8, #0 404: 0a0000aa beq 0x6b4 408: e5d01005 ldrb r1, [r0, #5] 40c: e2011001 and r1, r1, #1 410: e3510001 cmp r1, #1 414: 1afffff8 bne 0x3fc 418: e5d01000 ldrb r1, [r0] 41c: e3510000 cmp r1, #0 420: 1a000003 bne 0x434 424: e2422001 sub r2, r2, #1 428: e3520000 cmp r2, #0 42c: 0a0000a0 beq 0x6b4 430: eafffff1 b 0x3fc 434: e351001b cmp r1, #27 ; 0x1b 438: 1affffef bne 0x3fc ; got 1B 43c: e3a08701 mov r8, #262144 ; 0x40000 440: e2488001 sub r8, r8, #1 444: e3580000 cmp r8, #0 448: 0a000099 beq 0x6b4 44c: e5d01005 ldrb r1, [r0, #5] 450: e2011001 and r1, r1, #1 454: e3510001 cmp r1, #1 458: 1afffff8 bne 0x440 45c: e5d01000 ldrb r1, [r0] 460: e35100f6 cmp r1, #246 ; 0xf6 464: 1a000092 bne 0x6b4 ; got F6 468: e3a08801 mov r8, #65536 ; 0x10000 46c: e2488001 sub r8, r8, #1 470: e3580000 cmp r8, #0 474: 0a00008e beq 0x6b4 478: e5d01005 ldrb r1, [r0, #5] 47c: e2011001 and r1, r1, #1 480: e3510001 cmp r1, #1 484: 1afffff8 bne 0x46c 488: e5d01000 ldrb r1, [r0] 48c: e3510002 cmp r1, #2 490: 1a000087 bne 0x6b4 ; got 02 494: e3a08801 mov r8, #65536 ; 0x10000 498: e2488001 sub r8, r8, #1 49c: e3580000 cmp r8, #0 4a0: 0a000083 beq 0x6b4 4a4: e5d01005 ldrb r1, [r0, #5] 4a8: e2011001 and r1, r1, #1 4ac: e3510001 cmp r1, #1 4b0: 1afffff8 bne 0x498 4b4: e5d01000 ldrb r1, [r0] 4b8: e3510000 cmp r1, #0 4bc: 1a00007c bne 0x6b4 ; got 00 4c0: e3a08801 mov r8, #65536 ; 0x10000 4c4: e2488001 sub r8, r8, #1 4c8: e3580000 cmp r8, #0 4cc: 0a000078 beq 0x6b4 4d0: e5d01005 ldrb r1, [r0, #5] 4d4: e2011001 and r1, r1, #1 4d8: e3510001 cmp r1, #1 4dc: 1afffff8 bne 0x4c4 4e0: e5d01000 ldrb r1, [r0] 4e4: e3510052 cmp r1, #82 ; 0x52 4e8: 1a000071 bne 0x6b4 ; got 52 4ec: e3a08801 mov r8, #65536 ; 0x10000 4f0: e2488001 sub r8, r8, #1 4f4: e3580000 cmp r8, #0 4f8: 0a00006d beq 0x6b4 4fc: e5d01005 ldrb r1, [r0, #5] 500: e2011001 and r1, r1, #1 504: e3510001 cmp r1, #1 508: 1afffff8 bne 0x4f0 50c: e5d01000 ldrb r1, [r0] 510: e3510001 cmp r1, #1 514: 1a000066 bne 0x6b4 ; got 01 518: e3a08801 mov r8, #65536 ; 0x10000 51c: e2488001 sub r8, r8, #1 520: e3580000 cmp r8, #0 524: 0a000062 beq 0x6b4 528: e5d01005 ldrb r1, [r0, #5] 52c: e2011001 and r1, r1, #1 530: e3510001 cmp r1, #1 534: 1afffff8 bne 0x51c 538: e59f01b4 ldr r0, =0xffff5800 ; via 0x6f4 53c: e5d01000 ldrb r1, [r0] ; emit 1B F6 02 00 41 02 43 before checking the last Rx char! 540: e3a0201b mov r2, #27 ; 0x1b 544: e5c02000 strb r2, [r0] 548: e3a020f6 mov r2, #246 ; 0xf6 54c: e5c02000 strb r2, [r0] 550: e3a02002 mov r2, #2 554: e5c02000 strb r2, [r0] 558: e3a02000 mov r2, #0 55c: e5c02000 strb r2, [r0] 560: e3a02041 mov r2, #65 ; 0x41 564: e5c02000 strb r2, [r0] 568: e3a02002 mov r2, #2 56c: e5c02000 strb r2, [r0] 570: e3a02043 mov r2, #67 ; 0x43 574: e5c02000 strb r2, [r0] ; now check for 53 ; if not 53, go back to wait for 01-53 578: e3510053 cmp r1, #83 ; 0x53 57c: 0a000000 beq 0x584 580: eaffffda b 0x4f0 ; got 53 584: e3a02000 mov r2, #0 588: e59f3190 ldr r3, =0x800100 ; via 0x720 58c: e3a04000 mov r4, #0 590: e3a05001 mov r5, #1 ; endless wait for Rx byte 594: e5d01005 ldrb r1, [r0, #5] 598: e2011001 and r1, r1, #1 59c: e3510001 cmp r1, #1 5a0: 1afffffb bne 0x594 5a4: e5d01000 ldrb r1, [r0] ; state machine dispatch 5a8: e3520000 cmp r2, #0 5ac: 0a000008 beq 0x5d4 5b0: e3520001 cmp r2, #1 5b4: 0a00000b beq 0x5e8 5b8: e3520002 cmp r2, #2 5bc: 0a00000d beq 0x5f8 5c0: e3520003 cmp r2, #3 5c4: 0a00000f beq 0x608 5c8: e3520004 cmp r2, #4 5cc: 0a000015 beq 0x628 5d0: ea000037 b 0x6b4 ; R2=0: must receive 02 first 5d4: e3510002 cmp r1, #2 5d8: 1affffed bne 0x594 5dc: e1a06001 mov r6, r1 5e0: e2822001 add r2, r2, #1 5e4: eaffffea b 0x594 ; R2=1: got MSB of length 5e8: e1a04401 mov r4, r1, lsl #8 5ec: e0266001 eor r6, r6, r1 5f0: e2822001 add r2, r2, #1 5f4: eaffffe6 b 0x594 ; R2=2: got LSB of length 5f8: e0844001 add r4, r4, r1 5fc: e0266001 eor r6, r6, r1 600: e2822001 add r2, r2, #1 604: eaffffe2 b 0x594 ; R2=3: payload 608: e5c31000 strb r1, [r3] 60c: e0266001 eor r6, r6, r1 610: e2833001 add r3, r3, #1 614: e2444001 sub r4, r4, #1 618: e3540000 cmp r4, #0 61c: 1affffdc bne 0x594 620: e2822001 add r2, r2, #1 624: eaffffda b 0x594 ; R2=4: checksum expected 628: e1560001 cmp r6, r1 62c: 1a000012 bne 0x67c ; checksum good ; emit 1B F6 02 00 41 03 42 630: e3a0101b mov r1, #27 ; 0x1b 634: e5c01000 strb r1, [r0] 638: e3a010f6 mov r1, #246 ; 0xf6 63c: e5c01000 strb r1, [r0] 640: e3a01002 mov r1, #2 644: e5c01000 strb r1, [r0] 648: e3a01000 mov r1, #0 64c: e5c01000 strb r1, [r0] 650: e3a01041 mov r1, #65 ; 0x41 654: e5c01000 strb r1, [r0] 658: e3a01003 mov r1, #3 65c: e5c01000 strb r1, [r0] 660: e3a01042 mov r1, #66 ; 0x42 664: e5c01000 strb r1, [r0] ; SP=0x803FFC 668: e59f00b4 ldr r0, =0x803ffc ; via 0x724 66c: e1a0d000 mov sp, r0 ; jump to 0x800100 in Thumb state 670: e59f00a8 ldr r0, =0x800100 ; via 0x720 674: e280e001 add lr, r0, #1 678: e12fff1e bx lr ; checksum mismatch ; emit 1B F6 02 00 45 53 16 67c: e3a0101b mov r1, #27 ; 0x1b 680: e5c01000 strb r1, [r0] 684: e3a010f6 mov r1, #246 ; 0xf6 688: e5c01000 strb r1, [r0] 68c: e3a01002 mov r1, #2 690: e5c01000 strb r1, [r0] 694: e3a01000 mov r1, #0 698: e5c01000 strb r1, [r0] 69c: e3a01045 mov r1, #69 ; 0x45 6a0: e5c01000 strb r1, [r0] 6a4: e3a01053 mov r1, #83 ; 0x53 6a8: e5c01000 strb r1, [r0] 6ac: e3a01016 mov r1, #22 ; 0x16 6b0: e5c01000 strb r1, [r0] ; bail out path ; ARMIO_LATCH_OUT: set GPIO 9 low 6b4: e59f3050 ldr r3, =0xfffe4802 ; via 0x70c 6b8: e5931000 ldr r1, [r3] 6bc: e3a030ff mov r3, #255 ; 0xff 6c0: e3a02cfd mov r2, #64768 ; 0xfd00 6c4: e1822003 orr r2, r2, r3 6c8: e0011002 and r1, r1, r2 6cc: e59f3034 ldr r3, =0xfffe4800 ; via 0x708 6d0: e1c310b2 strh r1, [r3, #2] ; switch GPIO12 back to input 6d4: e59f3034 ldr r3, =0xfffe4804 ; via 0x710 6d8: e5931000 ldr r1, [r3] 6dc: e3811a01 orr r1, r1, #4096 ; 0x1000 6e0: e59f3020 ldr r3, =0xfffe4800 ; via 0x708 6e4: e1c310b4 strh r1, [r3, #4] 6e8: ea007e7c b 0x200e0 6ec: 000002a3 6f0: fffffb00 6f4: ffff5800 6f8: ffff5801 6fc: ffff5803 700: fffffb00 704: fffef000 708: fffe4800 70c: fffe4802 710: fffe4804 714: fffe480c 718: fffe480a 71c: fffef006 720: 00800100 724: 00803ffc <728-7FF: all FFs> 00000800: 42 4F 4F 54 2E 39 30 2E 30 35 00 00 00 00 00 00 BOOT.90.05...... 00000810: 31 30 30 33 01 02 00 00 FF FF FF FF FF FF FF FF 1003............ 00000820: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................ blank flash from here onward, until the main fw image starts at 0x20000