view pirelli/preboot.disasm @ 230:f5ad21985e20

pirelli/fw-disasm: beginning of proper static RE
author Mychaela Falconia <falcon@freecalypso.org>
date Thu, 21 Dec 2017 21:54:39 +0000
parents 6a136554378e
children

; Exception vector table at offset 0: eight branch slots, 4 bytes apart.
; Slot 0 (reset) stays inside this boot code and goes to 0x134; slots
; 0x04-0x1c each branch to the same offset plus 0x30000.
       0:	ea00004b 	b	0x134
       4:	ea00bffe 	b	0x30004
       8:	ea00bffe 	b	0x30008
       c:	ea00bffe 	b	0x3000c
      10:	ea00bffe 	b	0x30010
      14:	ea00bffe 	b	0x30014
      18:	ea00bffe 	b	0x30018
      1c:	ea00bffe 	b	0x3001c

<20-FF: all FFs>

     100:	fffffb00
     104:	02a102a1
     108:	028302a1
     10c:	00c000aa
     110:	002a0040
     114:	fffffd00
     118:	ffff9800
     11c:	fffffb10
     120:	ffffff08
     124:	fffff804
     128:	20061081
     12c:	00000800
     130:	00a000f5

; RESET vector branches here
; Straight-line register setup driven by the literal pool at 0x100-0x133.
; No stack is used until sp is loaded at 0x1ec.  r0-r2 are scratch.
     134:	e51f1024 	ldr	r1, [pc, #-36]	; 0x118 =0xffff9800
     138:	e15f21b6 	ldrh	r2, [pc, #-22]	; 0x12a =0x2006
     13c:	e1c120b0 	strh	r2, [r1]
; Busy-wait while bit 0 of the word at 0xffff9800 reads 1.  The loop has
; no iteration bound, so a stuck bit hangs the boot here.
     140:	e5912000 	ldr	r2, [r1]
     144:	e2022001 	and	r2, r2, #1	; 0x1
     148:	e3520001 	cmp	r2, #1	; 0x1
     14c:	0afffffb 	beq	0x140
     150:	e51f1044 	ldr	r1, [pc, #-68]	; 0x114 =0xfffffd00
     154:	e15f23b4 	ldrh	r2, [pc, #-52]	; 0x128 =0x1081
     158:	e1c120b0 	strh	r2, [r1]
; Read-modify-write: set bit 0x0800 in the halfword at 0xfffffb10.
     15c:	e51f1048 	ldr	r1, [pc, #-72]	; 0x11c =0xfffffb10
     160:	e15f23bc 	ldrh	r2, [pc, #-60]	; 0x12c =0x0800
     164:	e1d100b0 	ldrh	r0, [r1]
     168:	e1800002 	orr	r0, r0, r2
     16c:	e1c100b0 	strh	r0, [r1]	; DU disable
     170:	e51f1058 	ldr	r1, [pc, #-88]	; 0x120 =0xffffff08
     174:	e15f24be 	ldrh	r2, [pc, #-78]	; 0x12e =0x0000
     178:	e1c120b0 	strh	r2, [r1]	; MPU disable
; NOTE(review): the 0xfffffb00 loaded into r1 at 0x17c is overwritten at
; 0x180 before it is ever used.
     17c:	e51f1084 	ldr	r1, [pc, #-132]	; 0x100 =0xfffffb00
; Two-step watchdog disable: 0x00f5 then 0x00a0 written to 0xfffff804.
; From here on nothing visible in this listing bounds the polling loops.
     180:	e51f1064 	ldr	r1, [pc, #-100]	; 0x124 =0xfffff804
     184:	e15f25bc 	ldrh	r2, [pc, #-92]	; 0x130 =0x00f5
     188:	e1c120b0 	strh	r2, [r1]	; WDOG disable cycle 1
     18c:	e51f1070 	ldr	r1, [pc, #-112]	; 0x124 =0xfffff804
     190:	e15f26b6 	ldrh	r2, [pc, #-102]	; 0x132 =0x00a0
     194:	e1c120b0 	strh	r2, [r1]	; WDOG disable cycle 2
; The eight halfwords at 0x104-0x112 are stored at offsets 0-14 from r1,
; which still holds 0xfffff804 from 0x18c.  The equivalent table in the
; second-stage code (0x20a4 onward) is stored relative to 0xfffffb00.
; NOTE(review): confirm which base these eight writes were meant to use.
     198:	e15f29bc 	ldrh	r2, [pc, #-156]	; 0x104
     19c:	e1c120b0 	strh	r2, [r1]
     1a0:	e15f2ab2 	ldrh	r2, [pc, #-162]	; 0x106
     1a4:	e1c120b2 	strh	r2, [r1, #2]
     1a8:	e15f2ab8 	ldrh	r2, [pc, #-168]	; 0x108
     1ac:	e1c120b4 	strh	r2, [r1, #4]
     1b0:	e15f2abe 	ldrh	r2, [pc, #-174]	; 0x10a
     1b4:	e1c120b6 	strh	r2, [r1, #6]
     1b8:	e15f2bb4 	ldrh	r2, [pc, #-180]	; 0x10c
     1bc:	e1c120ba 	strh	r2, [r1, #10]
     1c0:	e15f2bba 	ldrh	r2, [pc, #-186]	; 0x10e
     1c4:	e1c120bc 	strh	r2, [r1, #12]
     1c8:	e15f2cb0 	ldrh	r2, [pc, #-192]	; 0x110
     1cc:	e1c120b8 	strh	r2, [r1, #8]
     1d0:	e15f2cb6 	ldrh	r2, [pc, #-198]	; 0x112
     1d4:	e1c120be 	strh	r2, [r1, #14]
; Temporary stack: sp = (0x81047c + 0x400 - 4) & ~3.
     1d8:	e59f0020 	ldr	r0, [pc, #32]	; 0x200 =0x81047c
     1dc:	e3a01b01 	mov	r1, #1024	; 0x400
     1e0:	e2411004 	sub	r1, r1, #4	; 0x4
     1e4:	e0802001 	add	r2, r0, r1
     1e8:	e3c22003 	bic	r2, r2, #3	; 0x3
     1ec:	e1a0d002 	mov	sp, r2
; 0x2e8 is an ARM->Thumb veneer whose target (0x2a8) is a bare "bx lr",
; so this call does nothing beyond the state round trip.
     1f0:	e92d100f 	stmdb	sp!, {r0, r1, r2, r3, ip}
     1f4:	eb00003b 	bl	0x2e8
     1f8:	e8bd100f 	ldmia	sp!, {r0, r1, r2, r3, ip}
; Continue with the second-stage init at 0x205c (does not return).
     1fc:	ea000796 	b	0x205c

; literal used by the ldr at 0x1d8
     200:	0081047c

; copy(src, len, dest)
; Thumb.  In: r0 = src, r1 = len in bytes, r2 = dest.  Clobbers r0-r3.
; Copies one 32-bit word per iteration; returns at once when len == 0.
; The loop ends only when r1 reaches exactly 0 (cmp/bne), so len has to be
; a multiple of 4 -- any other value steps past zero and keeps copying.
; No bounds or overlap check is made on either pointer.
; NOTE(review): word ldr/str implies both pointers are 4-byte aligned;
; confirm against callers.
     204:	2900      	cmp	r1, #0
     206:	d006      	beq	0x216
     208:	6803      	ldr	r3, [r0, #0]
     20a:	6013      	str	r3, [r2, #0]
     20c:	3204      	add	r2, #4
     20e:	3004      	add	r0, #4
     210:	3904      	sub	r1, #4
     212:	2900      	cmp	r1, #0
     214:	d1f8      	bne	0x208
     216:	4770      	bx	lr

; checksumming function: XOR of all 16-bit words in region
; Thumb.  In: r0 = region start, r1 = length in bytes.
; Out: r0 = 16-bit XOR of every halfword (0 when length == 0).
; Clobbers r1-r3.
; The lsl/lsr #16 pair truncates the running value to 16 bits each round.
; The loop ends only when r1 reaches exactly 0, so the length has to be a
; multiple of 2.
; An unkeyed XOR is order-independent and trivially balanced, so this
; catches accidental corruption only; it is not evidence that the data is
; authentic.
     218:	2200      	mov	r2, #0
     21a:	2900      	cmp	r1, #0
     21c:	d007      	beq	0x22e
     21e:	8803      	ldrh	r3, [r0, #0]
     220:	4053      	eor	r3, r2
     222:	041a      	lsl	r2, r3, #16
     224:	0c12      	lsr	r2, r2, #16
     226:	3002      	add	r0, #2
     228:	3902      	sub	r1, #2
     22a:	2900      	cmp	r1, #0
     22c:	d1f7      	bne	0x21e
     22e:	1c10      	mov	r0, r2		(add r0, r2, #0)
     230:	4770      	bx	lr

; 0x232 routine is bzero() with 4-byte alignment required
; Thumb.  In: r0 = start, r1 = length in bytes.  Clobbers r0-r2.
; Stores one zero word per iteration; returns at once when length == 0.
; The loop ends only when r1 reaches exactly 0, so the length has to be a
; multiple of 4.  No bounds check on the destination.
     232:	2900      	cmp	r1, #0
     234:	d005      	beq	0x242
     236:	2200      	mov	r2, #0
     238:	6002      	str	r2, [r0, #0]
     23a:	3004      	add	r0, #4
     23c:	3904      	sub	r1, #4
     23e:	2900      	cmp	r1, #0
     240:	d1fa      	bne	0x238
     242:	4770      	bx	lr

; 0xAA88 bytes are copied from 0x2508 to 0x810484
; Thumb, no arguments.  Reached from ARM code through the veneer at 0x2d0.
; With len = 0x81AF0C - 0x810480 - 4 = 0xAA88 (kept in ip across the calls,
; which only touch r0-r3):
;   1. clear the halfwords at 0x800010 and 0x800012
;   2. bzero(0x810484, len)
;   3. [0x800010] = checksum(0x2508, len)     source, before the copy
;   4. copy(0x2508, len, 0x810484)
;   5. [0x800012] = checksum(0x810484, len)   destination, after the copy
; The two checksums are only stored; nothing in this routine compares them
; or refuses to continue on a mismatch.
; NOTE(review): locate the reader of 0x800010/0x800012 before treating the
; copied code as verified.
     244:	b5f0      	push	{r4, r5, r6, r7, lr}
     246:	4e10      	ldr	r6, [pc, #64]	(0x288) =0x800010
     248:	2000      	mov	r0, #0
     24a:	8030      	strh	r0, [r6, #0]
     24c:	4f0f      	ldr	r7, [pc, #60]	(0x28c) =0x800012
     24e:	8038      	strh	r0, [r7, #0]
; ip = len, r4 = destination (0x810480 + 4)
     250:	480f      	ldr	r0, [pc, #60]	(0x290) =0x810480
     252:	4910      	ldr	r1, [pc, #64]	(0x294) =0x81AF0C
     254:	1a09      	sub	r1, r1, r0
     256:	3904      	sub	r1, #4
     258:	468c      	mov	ip, r1
     25a:	2104      	mov	r1, #4
     25c:	180c      	add	r4, r1, r0
     25e:	1c20      	mov	r0, r4		(add r0, r4, #0)
     260:	4661      	mov	r1, ip
     262:	ffe6f7ff 	bl	0x232		; bzero()
; r5 = source in flash; checksum it before copying
     266:	4d0c      	ldr	r5, [pc, #48]	(0x298) =0x2508
     268:	1c28      	mov	r0, r5		(add r0, r5, #0)
     26a:	4661      	mov	r1, ip
     26c:	ffd4f7ff 	bl	0x218
     270:	8030      	strh	r0, [r6, #0]
; copy(src = r5, len = ip, dest = r4)
     272:	1c28      	mov	r0, r5		(add r0, r5, #0)
     274:	4661      	mov	r1, ip
     276:	1c22      	mov	r2, r4		(add r2, r4, #0)
     278:	ffc4f7ff 	bl	0x204
; checksum the destination after the copy
     27c:	1c20      	mov	r0, r4		(add r0, r4, #0)
     27e:	4661      	mov	r1, ip
     280:	ffcaf7ff 	bl	0x218
     284:	8038      	strh	r0, [r7, #0]
     286:	bdf0      	pop	{r4, r5, r6, r7, pc}

; literal pool for 0x244
     288:	00800010
     28c:	00800012
     290:	00810480
     294:	0081af0c
     298:	00002508

; 0x29c (Thumb): called through the ARM veneer at 0x2b8.
; First runs the code reached by the trampoline at 0x2f8 (0x818f2c, in the
; area filled by the 0x244 copy), then calls 0x2aa.
     29c:	b500      	push	{lr}
     29e:	f82bf000 	bl	0x2f8
     2a2:	f802f000 	bl	0x2aa
     2a6:	bd00      	pop	{pc}

; 0x2a8 (Thumb): empty function.  The veneer at 0x2e8 targets it through
; the literal 0x2a9.
     2a8:	4770      	bx	lr

; 0x2aa (Thumb): r0 = 3 << 16 = 0x30000, then "bx r0" via 0x2f4.  Bit 0 of
; the target is clear, so execution continues in ARM state at 0x30000 --
; the same base the exception vectors at 0x04-0x1c branch into.
     2aa:	b500      	push	{lr}
     2ac:	2003      	mov	r0, #3
     2ae:	0400      	lsl	r0, r0, #16
     2b0:	f820f000 	bl	0x2f4
     2b4:	bd00      	pop	{pc}
     2b6:	0000

; ARM->Thumb call veneer for 0x29c.
; "add lr, pc, #1" yields 0x2c5, so "bx lr" enters Thumb state at 0x2c4.
; After the Thumb bl returns, "bx pc" (pc reads as 0x2cc, bit 0 clear)
; switches back to ARM state and the saved lr is popped into pc.
     2b8:	e92d4000 	stmdb	sp!, {lr}
     2bc:	e28fe001 	add	lr, pc, #1	; 0x1
     2c0:	e12fff1e 	bx	lr
     2c4:	ffeaf7ff 	bl	0x29c
     2c8:	4778      	bx	pc
     2ca:	46c0      	nop			(mov r8, r8)
     2cc:	e8bd8000 	ldmia	sp!, {pc}

; ARM->Thumb call veneer for 0x244 (the copy-to-IRAM routine); same
; mechanism as the veneer at 0x2b8.  Called from 0x21f8.
     2d0:	e92d4000 	stmdb	sp!, {lr}
     2d4:	e28fe001 	add	lr, pc, #1	; 0x1
     2d8:	e12fff1e 	bx	lr
     2dc:	ffb2f7ff 	bl	0x244
     2e0:	4778      	bx	pc
     2e2:	46c0      	nop			(mov r8, r8)
     2e4:	e8bd8000 	ldmia	sp!, {pc}

; 0x2e8 (ARM): tail-jump veneer.  Loads 0x2a9 from the literal at 0x2f0
; and "bx ip" enters Thumb state at 0x2a8; lr is untouched, so the target
; returns straight to the original caller.
     2e8:	e59fc000 	ldr	ip, [pc, #0]	; 0x2f0
     2ec:	e12fff1c 	bx	ip
     2f0:	000002a9

; 0x2f4 (Thumb): indirect jump helper, target address and state come from
; r0.  Used by 0x2aa with r0 = 0x30000.
     2f4:	4700      	bx	r0
     2f6:	0000

; Thumb call trampoline to 0x818f2c
; offset 0x8AA8 from start of copy
; should be at 0xAFB0 in flash
; Mechanism: reserve 8 bytes, save r4 at [sp], place the target address at
; [sp+4], then "pop {r4, pc}" restores r4 and jumps.  lr is not modified,
; so the target returns directly to whoever called 0x2f8.
; The target lies in the RAM area that 0x244 fills; in the visible call
; order 0x244 runs (from 0x21f8) before this trampoline is reached (from
; 0x223c via 0x2b8 and 0x29c).
     2f8:	b082      	sub	sp, #8
     2fa:	9400      	str	r4, [sp, #0]
     2fc:	4c01      	ldr	r4, [pc, #4]	(0x304)
     2fe:	9401      	str	r4, [sp, #4]
     300:	bd10      	pop	{r4, pc}
     302:	0000
     304:	00818f2c

<308-1FFF: all FFs>

    2000:	00000001	; magic word for the Calypso boot ROM

; Seven branch slots following the magic word.  All targets
; (0x22e0-0x2334) fall inside the range marked "not yet analyzed" below.
    2004:	ea0000be 	b	0x2304
    2008:	ea0000c0 	b	0x2310
    200c:	ea0000c2 	b	0x231c
    2010:	ea0000c4 	b	0x2328
    2014:	ea0000c6 	b	0x2334
    2018:	ea0000b0 	b	0x22e0
    201c:	ea0000b6 	b	0x22fc

    2020:	02a102a4
    2024:	02a402a1
    2028:	02c0009c
    202c:	002a0040
    2030:	fffffb00
    2034:	fffef006
    2038:	00000008
    203c:	fffffd00
    2040:	ffff9800
    2044:	fffffb10
    2048:	ffffff08
    204c:	20021081
    2050:	f7ff0800
    2054:	00000000
    2058:	0001fa00

; COME FROM 0x1fc
; Second-stage init (ARM).  Order of work:
;   - repeat the register setup with the literal pool at 0x2020-0x2058
;   - switch to SVC mode with IRQ and FIQ masked
;   - zero RAM from 0x800000 up to 0x81047c
;   - set up the per-mode stacks
;   - copy the Thumb code to IRAM (0x244 via the veneer at 0x2d0)
;   - fill the stack area with 0xFE bytes
;   - run TI's initialized-data function at 0x2420
;   - enter the copied code through the veneer at 0x2b8
    205c:	e51f1024 	ldr	r1, [pc, #-36]	; 0x2040 =0xffff9800
    2060:	e15f21ba 	ldrh	r2, [pc, #-26]	; 0x204e =0x2002
    2064:	e1c120b0 	strh	r2, [r1]
; Busy-wait while bit 0 of the word at 0xffff9800 reads 1; no iteration
; bound.
    2068:	e5912000 	ldr	r2, [r1]
    206c:	e2022001 	and	r2, r2, #1	; 0x1
    2070:	e3520001 	cmp	r2, #1	; 0x1
    2074:	0afffffb 	beq	0x2068
    2078:	e51f1044 	ldr	r1, [pc, #-68]	; 0x203c =0xfffffd00
    207c:	e15f23b8 	ldrh	r2, [pc, #-56]	; 0x204c =0x1081
    2080:	e1c120b0 	strh	r2, [r1]
; Read-modify-write: clear bit 0x0800 in the halfword at 0xfffffb10 (the
; reset path at 0x15c sets the same bit).
    2084:	e51f1048 	ldr	r1, [pc, #-72]	; 0x2044 =0xfffffb10
    2088:	e15f23be 	ldrh	r2, [pc, #-62]	; 0x2052 =0xf7ff
    208c:	e1d100b0 	ldrh	r0, [r1]
    2090:	e0000002 	and	r0, r0, r2
    2094:	e1c100b0 	strh	r0, [r1]	; enable DU
; Same register and value the reset path annotates as "MPU disable".
    2098:	e51f1058 	ldr	r1, [pc, #-88]	; 0x2048 =0xffffff08
    209c:	e15f25b0 	ldrh	r2, [pc, #-80]	; 0x2054 =0x0000
    20a0:	e1c120b0 	strh	r2, [r1]
; Eight halfwords from 0x2020-0x202e stored at offsets 0-14 from
; 0xfffffb00.
    20a4:	e51f107c 	ldr	r1, [pc, #-124]	; 0x2030 =0xfffffb00
    20a8:	e15f29b0 	ldrh	r2, [pc, #-144]	; 0x2020 =0x02a4
    20ac:	e1c120b0 	strh	r2, [r1]
    20b0:	e15f29b6 	ldrh	r2, [pc, #-150]	; 0x2022 =0x02a1
    20b4:	e1c120b2 	strh	r2, [r1, #2]
    20b8:	e15f29bc 	ldrh	r2, [pc, #-156]	; 0x2024 =0x02a1
    20bc:	e1c120b4 	strh	r2, [r1, #4]
    20c0:	e15f2ab2 	ldrh	r2, [pc, #-162]	; 0x2026 =0x02a4
    20c4:	e1c120b6 	strh	r2, [r1, #6]
    20c8:	e15f2ab8 	ldrh	r2, [pc, #-168]	; 0x2028 =0x009c
    20cc:	e1c120ba 	strh	r2, [r1, #10]
    20d0:	e15f2abe 	ldrh	r2, [pc, #-174]	; 0x202a =0x02c0
    20d4:	e1c120bc 	strh	r2, [r1, #12]
    20d8:	e15f2bb4 	ldrh	r2, [pc, #-180]	; 0x202c =0x0040
    20dc:	e1c120b8 	strh	r2, [r1, #8]
    20e0:	e15f2bba 	ldrh	r2, [pc, #-186]	; 0x202e =0x002a
    20e4:	e1c120be 	strh	r2, [r1, #14]
; Read-modify-write: set bit 3 in the halfword at 0xfffef006.
    20e8:	e51f10bc 	ldr	r1, [pc, #-188]	; 0x2034 =0xfffef006
    20ec:	e1d120b0 	ldrh	r2, [r1]
    20f0:	e51f00c0 	ldr	r0, [pc, #-192]	; 0x2038 =0x00000008
    20f4:	e1800002 	orr	r0, r0, r2
    20f8:	e1c100b0 	strh	r0, [r1]	; enable A22
; Mode field = 0x13, plus 0xc0 to set the I and F mask bits.  The later
; mode switches only rewrite the low five bits, so both interrupt sources
; stay masked for the rest of this routine.
    20fc:	e10f0000 	mrs	r0, CPSR
    2100:	e3c0001f 	bic	r0, r0, #31	; 0x1f
    2104:	e3800013 	orr	r0, r0, #19	; 0x13
    2108:	e38000c0 	orr	r0, r0, #192	; 0xc0
    210c:	e129f000 	msr	CPSR_fc, r0	; SVC, all ints disabled
; Zero words from 0x800004 up to (not including) 0x81047c.
    2110:	e59f02e0 	ldr	r0, [pc, #736]	; 0x23f8 =0x800004
    2114:	e3a02000 	mov	r2, #0	; 0x0
    2118:	e59f12dc 	ldr	r1, [pc, #732]	; 0x23fc =0x81047c
    211c:	e1500001 	cmp	r0, r1
    2120:	0a000000 	beq	0x2128
    2124:	e4802004 	str	r2, [r0], #4
    2128:	e1500001 	cmp	r0, r1
    212c:	1afffffc 	bne	0x2124
; Second pass: zero words from 0x800000 up to 0x81047c.  This range covers
; the first pass entirely.
    2130:	e59f02c8 	ldr	r0, [pc, #712]	; 0x2400 =0x800000
    2134:	e3a02000 	mov	r2, #0	; 0x0
    2138:	e59f12c4 	ldr	r1, [pc, #708]	; 0x2404 =0x81047c
    213c:	e1500001 	cmp	r0, r1
    2140:	0a000000 	beq	0x2148
    2144:	e4802004 	str	r2, [r0], #4
    2148:	e1500001 	cmp	r0, r1
    214c:	1afffffc 	bne	0x2144
; [0x800004] = 1
    2150:	e3a00001 	mov	r0, #1	; 0x1
    2154:	e59f12b0 	ldr	r1, [pc, #688]	; 0x240c =0x800004
    2158:	e5810000 	str	r0, [r1]
; SVC stack: base 0x81aff8 is saved at 0x800008, top (base + 0x460 - 4)
; becomes sp and is saved at 0x80000c.
    215c:	e59f02a4 	ldr	r0, [pc, #676]	; 0x2408 =0x81aff8
    2160:	e3a01e46 	mov	r1, #1120	; 0x460
    2164:	e2411004 	sub	r1, r1, #4	; 0x4
    2168:	e0802001 	add	r2, r0, r1
    216c:	e1a0a000 	mov	sl, r0
    2170:	e59f3298 	ldr	r3, [pc, #664]	; 0x2410 =0x800008
    2174:	e583a000 	str	sl, [r3]
    2178:	e1a0d002 	mov	sp, r2
    217c:	e59f3290 	ldr	r3, [pc, #656]	; 0x2414 =0x80000c
    2180:	e583d000 	str	sp, [r3]
; IRQ stack top = SVC stack top + 0x80
    2184:	e3a01080 	mov	r1, #128	; 0x80
    2188:	e0822001 	add	r2, r2, r1
    218c:	e10f0000 	mrs	r0, CPSR
    2190:	e3c0001f 	bic	r0, r0, #31	; 0x1f
    2194:	e3800012 	orr	r0, r0, #18	; 0x12
    2198:	e129f000 	msr	CPSR_fc, r0	; IRQ
    219c:	e1a0d002 	mov	sp, r2
; FIQ stack top = IRQ stack top + 0x200
    21a0:	e3a01c02 	mov	r1, #512	; 0x200
    21a4:	e0822001 	add	r2, r2, r1
    21a8:	e10f0000 	mrs	r0, CPSR
    21ac:	e3c0001f 	bic	r0, r0, #31	; 0x1f
    21b0:	e3800011 	orr	r0, r0, #17	; 0x11
    21b4:	e129f000 	msr	CPSR_fc, r0	; FIQ
    21b8:	e1a0d002 	mov	sp, r2
; Abort and Undef modes are both given the same sp, 0x81AF60.
    21bc:	e10f0000 	mrs	r0, CPSR
    21c0:	e3c0001f 	bic	r0, r0, #31	; 0x1f
    21c4:	e3800017 	orr	r0, r0, #23	; 0x17
    21c8:	e129f000 	msr	CPSR_fc, r0	; Abort
    21cc:	e59fd244 	ldr	sp, [pc, #580]	; 0x2418 =0x81AF60
    21d0:	e10f0000 	mrs	r0, CPSR
    21d4:	e3c0001f 	bic	r0, r0, #31	; 0x1f
    21d8:	e380001b 	orr	r0, r0, #27	; 0x1b
    21dc:	e129f000 	msr	CPSR_fc, r0	; Undef
    21e0:	e59fd230 	ldr	sp, [pc, #560]	; 0x2418 =0x81AF60
    21e4:	e10f0000 	mrs	r0, CPSR
    21e8:	e3c0001f 	bic	r0, r0, #31	; 0x1f
    21ec:	e3800013 	orr	r0, r0, #19	; 0x13
    21f0:	e129f000 	msr	CPSR_fc, r0	; SVC
; r2 (FIQ stack top) is parked in r4 across the call because 0x244 and its
; helpers use r0-r3.
    21f4:	e1a04002 	mov	r4, r2
    21f8:	ebfff834 	bl	0x2d0		; 0x244 via veneer
    21fc:	e1a02004 	mov	r2, r4
; Fill the stack area with 0xFE bytes: write four 0xFE bytes at the saved
; stack base, read them back as one word, then store that word repeatedly
; until r0 reaches r2.
; NOTE(review): presumably a stack-usage watermark; no reader of the
; pattern is visible in this listing.
    2200:	e59f1208 	ldr	r1, [pc, #520]	; 0x2410 =0x800008
    2204:	e5910000 	ldr	r0, [r1]
    2208:	e3a030fe 	mov	r3, #254	; 0xfe
    220c:	e5c03000 	strb	r3, [r0]
    2210:	e5c03001 	strb	r3, [r0, #1]
    2214:	e5c03002 	strb	r3, [r0, #2]
    2218:	e5c03003 	strb	r3, [r0, #3]
    221c:	e4903004 	ldr	r3, [r0], #4
    2220:	e4803004 	str	r3, [r0], #4
    2224:	e1500002 	cmp	r0, r2
    2228:	bafffffc 	blt	0x2220
; r0 = table address from the literal at 0x2058.  "cmn r0, #1" tests for
; 0xFFFFFFFF; the init-data function is called only when it differs.
    222c:	e51f01dc 	ldr	r0, [pc, #-476]	; 0x2058 =0x1FA00
    2230:	e3700001 	cmn	r0, #1	; 0x1
    2234:	1b000079 	blne	0x2420
; r0 = r2, then call 0x29c through the veneer at 0x2b8: this runs the
; copied code at 0x818f2c and afterwards jumps to 0x30000 (see 0x2aa).
    2238:	e1a00002 	mov	r0, r2
    223c:	ebfff81d 	bl	0x2b8

<2240-23F7: not yet analyzed>

    23f8:	00800004
    23fc:	0081047c
    2400:	00800000
    2404:	0081047c
    2408:	0081aff8
    240c:	00800004
    2410:	00800008
    2414:	0080000c
    2418:	0081af60
    241c:	0081af60

; TI's initialized data function
; ARM.  In: r0 = pointer to a table of records; returns via "mov pc, lr".
; Uses r1, r3 and r4 as scratch (r4 is not saved).
; Record layout as read by the code:
;   word  length in bytes (0 terminates the table)
;   word  destination address
;   <length> bytes of data, followed by padding up to the next 4-byte
;   boundary of the table pointer
; Data is copied a word at a time while more than 3 bytes remain, then a
; byte at a time.
; Neither the destination nor the length is range-checked, so whatever
; table r0 points at is trusted completely.
    2420:	ea00000c 	b	0x2458
; r1 = destination for this record
    2424:	e4901004 	ldr	r1, [r0], #4
    2428:	e3530003 	cmp	r3, #3	; 0x3
    242c:	84904004 	ldrhi	r4, [r0], #4
    2430:	84814004 	strhi	r4, [r1], #4
    2434:	82433004 	subhi	r3, r3, #4	; 0x4
    2438:	94d04001 	ldrlsb	r4, [r0], #1
    243c:	94c14001 	strlsb	r4, [r1], #1
    2440:	92433001 	subls	r3, r3, #1	; 0x1
    2444:	e3530000 	cmp	r3, #0	; 0x0
    2448:	1afffff6 	bne	0x2428
; round the table pointer up to a multiple of 4
    244c:	e2103003 	ands	r3, r0, #3	; 0x3
    2450:	12633004 	rsbne	r3, r3, #4	; 0x4
    2454:	10800003 	addne	r0, r0, r3
; r3 = length of the next record; zero ends the table
    2458:	e4903004 	ldr	r3, [r0], #4
    245c:	e3530000 	cmp	r3, #0	; 0x0
    2460:	1affffef 	bne	0x2424
    2464:	e1a0f00e 	mov	pc, lr

<2468-24FF: all FFs>

    2500:	00000000
    2504:	ffffffff

2508: 0xAA88 bytes copied to IRAM

; 0xad8c (Thumb).  In: r0 = input pointer, r1 = input length,
; r2 = pointer to a word that receives an output buffer address.
; Out: r0 = the word 0xbcd2 leaves at [sp+32] on success, 0 on any failure.
; Saves r4-r9; 44 bytes of locals.
;
; Parses a 13-byte header through 0xad60 (5 bytes, a 32-bit little-endian
; value, then 4 bytes that must all be zero), range-checks the values
; derived from it and calls 0xbcd2 on the remaining input.
; NOTE(review): the 13-byte layout, the "< 225" limit on the first byte and
; its split by 45 and then 9 look like an LZMA header with 0xbcd2 as an
; LzmaDecode-style routine.  Neither 0xad60 nor 0xbcd2 nor the literals at
; 0xaff8-0xb000 are in this listing -- confirm before relying on this.
; NOTE(review): 0xad60 is called as (r0 = ptr, r1 = remaining length,
; r2 = destination, r3 = count) and a zero return is treated as failure;
; presumably a length-checked read.
    ad8c:	b5f0      	push	{r4, r5, r6, r7, lr}
    ad8e:	4643      	mov	r3, r8
    ad90:	464c      	mov	r4, r9
    ad92:	b418      	push	{r3, r4}
    ad94:	b08b      	sub	sp, #44
; r8 = arg3, r7 = remaining length, ip = input cursor, r6 = original length
    ad96:	4690      	mov	r8, r2
    ad98:	1c0f      	mov	r7, r1		(add r7, r1, #0)
    ad9a:	4684      	mov	ip, r0
    ad9c:	1c3e      	mov	r6, r7		(add r6, r7, #0)
; first 5 header bytes -> sp+36
    ad9e:	1c31      	mov	r1, r6		(add r1, r6, #0)
    ada0:	aa09      	add	r2, sp, #36
    ada2:	2305      	mov	r3, #5
    ada4:	ffdcf7ff 	bl	0xad60
    ada8:	2800      	cmp	r0, #0
    adaa:	d079      	beq	0xaea0
    adac:	4660      	mov	r0, ip
    adae:	3005      	add	r0, #5
    adb0:	4684      	mov	ip, r0
    adb2:	3f05      	sub	r7, #5
; r4 = 32-bit little-endian value assembled from the next 4 bytes, one
; byte per iteration (r5 = byte index 0..3)
    adb4:	2400      	mov	r4, #0
    adb6:	2500      	mov	r5, #0
    adb8:	4660      	mov	r0, ip
    adba:	1c39      	mov	r1, r7		(add r1, r7, #0)
    adbc:	221d      	mov	r2, #29
    adbe:	446a      	add	r2, sp
    adc0:	2301      	mov	r3, #1
    adc2:	ffcdf7ff 	bl	0xad60
    adc6:	2800      	cmp	r0, #0
    adc8:	d06a      	beq	0xaea0
    adca:	4660      	mov	r0, ip
    adcc:	3001      	add	r0, #1
    adce:	4684      	mov	ip, r0
    add0:	3f01      	sub	r7, #1
    add2:	4668      	mov	r0, sp
    add4:	7f40      	ldrb	r0, [r0, #29]
    add6:	00e9      	lsl	r1, r5, #3
    add8:	4088      	lsl	r0, r1
    adda:	1904      	add	r4, r0, r4
    addc:	3501      	add	r5, #1
    adde:	2d04      	cmp	r5, #4
    ade0:	dbea      	blt	0xadb8
; reject r4 == 0xFFFFFFFF
    ade2:	2000      	mov	r0, #0
    ade4:	43c0      	mvn	r0, r0
    ade6:	4284      	cmp	r4, r0
    ade8:	d05a      	beq	0xaea0
; the next 4 bytes must each read as zero
    adea:	2504      	mov	r5, #4
    adec:	4660      	mov	r0, ip
    adee:	1c39      	mov	r1, r7		(add r1, r7, #0)
    adf0:	aa07      	add	r2, sp, #28
    adf2:	2301      	mov	r3, #1
    adf4:	ffb4f7ff 	bl	0xad60
    adf8:	2800      	cmp	r0, #0
    adfa:	d051      	beq	0xaea0
    adfc:	4668      	mov	r0, sp
    adfe:	7f00      	ldrb	r0, [r0, #28]
    ae00:	2800      	cmp	r0, #0
    ae02:	d14d      	bne	0xaea0
    ae04:	3f01      	sub	r7, #1
    ae06:	4660      	mov	r0, ip
    ae08:	3001      	add	r0, #1
    ae0a:	4684      	mov	ip, r0
    ae0c:	3d01      	sub	r5, #1
    ae0e:	2d00      	cmp	r5, #0
    ae10:	d1ec      	bne	0xadec
; r9 = original length - 13 (bytes left after the header)
    ae12:	200d      	mov	r0, #13
    ae14:	1a30      	sub	r0, r6, r0
    ae16:	4681      	mov	r9, r0
; fail if the advanced input cursor is zero
    ae18:	4660      	mov	r0, ip
    ae1a:	2800      	cmp	r0, #0
    ae1c:	d040      	beq	0xaea0
; r2 = first header byte; values >= 225 are rejected
    ae1e:	a809      	add	r0, sp, #36
    ae20:	7802      	ldrb	r2, [r0, #0]
    ae22:	a809      	add	r0, sp, #36
    ae24:	7800      	ldrb	r0, [r0, #0]
    ae26:	28e1      	cmp	r0, #225
    ae28:	da3a      	bge	0xaea0
; r1 = iteration cap for the subtraction loops (literal not shown here)
    ae2a:	4973      	ldr	r1, [pc, #460]	(0xaff8)
    ae2c:	2500      	mov	r5, #0
    ae2e:	2000      	mov	r0, #0
    ae30:	2600      	mov	r6, #0
; division by repeated subtraction: r6 = r2 / 45, r2 = r2 % 45
    ae32:	2a2e      	cmp	r2, #46
    ae34:	db06      	blt	0xae44
    ae36:	3a2d      	sub	r2, #45
    ae38:	0612      	lsl	r2, r2, #24
    ae3a:	0e12      	lsr	r2, r2, #24
    ae3c:	3601      	add	r6, #1
    ae3e:	3901      	sub	r1, #1
    ae40:	2900      	cmp	r1, #0
    ae42:	d1f6      	bne	0xae32
; same again with 9: r3 = r2 / 9, r2 = r2 % 9
    ae44:	496c      	ldr	r1, [pc, #432]	(0xaff8)
    ae46:	2300      	mov	r3, #0
    ae48:	2a09      	cmp	r2, #9
    ae4a:	db06      	blt	0xae5a
    ae4c:	3a09      	sub	r2, #9
    ae4e:	0612      	lsl	r2, r2, #24
    ae50:	0e12      	lsr	r2, r2, #24
    ae52:	3301      	add	r3, #1
    ae54:	3901      	sub	r1, #1
    ae56:	2900      	cmp	r1, #0
    ae58:	d1f6      	bne	0xae48
; r1 = ([0xaffc] + (0x300 << (r3 + r2))) * 2
    ae5a:	1899      	add	r1, r3, r2
    ae5c:	2703      	mov	r7, #3
    ae5e:	023f      	lsl	r7, r7, #8
    ae60:	408f      	lsl	r7, r1
    ae62:	4966      	ldr	r1, [pc, #408]	(0xaffc)
    ae64:	19c9      	add	r1, r1, r7
    ae66:	0049      	lsl	r1, r1, #1
; Size limits (unsigned compares): r5 is loaded from the literal at 0xb000
; only if r4 <= 0x7F0000, and r0 becomes 0x1000000 only if r1 <= 0x10000.
; Either value left at 0 fails the call below.  As far as this function
; shows, these are the only bounds applied before 0xbcd2 runs.
    ae68:	277f      	mov	r7, #127
    ae6a:	043f      	lsl	r7, r7, #16
    ae6c:	42bc      	cmp	r4, r7
    ae6e:	d800      	bhi	0xae72
    ae70:	4d63      	ldr	r5, [pc, #396]	(0xb000)
    ae72:	2701      	mov	r7, #1
    ae74:	043f      	lsl	r7, r7, #16
    ae76:	42b9      	cmp	r1, r7
    ae78:	d801      	bhi	0xae7e
    ae7a:	2001      	mov	r0, #1
    ae7c:	0600      	lsl	r0, r0, #24
    ae7e:	2d00      	cmp	r5, #0
    ae80:	d00e      	beq	0xaea0
    ae82:	2800      	cmp	r0, #0
    ae84:	d00c      	beq	0xaea0
; Stack arguments for 0xbcd2: [sp+0] = r6 (quotient by 45), [sp+4] = input
; cursor, [sp+8] = remaining length, [sp+12] = r5, [sp+16] = r4,
; [sp+20] = address of the result word at sp+32.  r0-r3 carry the values
; computed above.
    ae86:	9600      	str	r6, [sp, #0]
    ae88:	4666      	mov	r6, ip
    ae8a:	9601      	str	r6, [sp, #4]
    ae8c:	464e      	mov	r6, r9
    ae8e:	9602      	str	r6, [sp, #8]
    ae90:	9503      	str	r5, [sp, #12]
    ae92:	9404      	str	r4, [sp, #16]
    ae94:	ac08      	add	r4, sp, #32
    ae96:	9405      	str	r4, [sp, #20]
    ae98:	ff1bf000 	bl	0xbcd2
    ae9c:	2800      	cmp	r0, #0
    ae9e:	d001      	beq	0xaea4
; common failure exit: return 0
    aea0:	2000      	mov	r0, #0
    aea2:	e005      	b	0xaeb0
; success: *arg3 = r5, call 0x2624 with r0 = 40, return the word at sp+32
    aea4:	4640      	mov	r0, r8
    aea6:	6005      	str	r5, [r0, #0]
    aea8:	2028      	mov	r0, #40
    aeaa:	fbbbf7f7 	bl	0x2624
    aeae:	9808      	ldr	r0, [sp, #32]
    aeb0:	b00b      	add	sp, #44
    aeb2:	bc18      	pop	{r3, r4}
    aeb4:	4698      	mov	r8, r3
    aeb6:	46a1      	mov	r9, r4
    aeb8:	bdf0      	pop	{r4, r5, r6, r7, pc}

; 0xaeba (Thumb).  No register arguments are read; 120 bytes of locals.
; Called from 0xafec.  r4 starts at 0xFFFFFFFF and is cleared only when
; the whole region-0 path succeeds.
;
; Part 1, region 0: open in mode 1 (0xb0c2), fetch image pointer and
; length (0xb152), run the checks at 0xaa04 and 0xaada, hand
; image + 0x178 to 0xad8c, then pass the result to 0xb6d4.
; Part 2, region 1: copy the first 52 bytes of its image to sp+68, reopen
; it in mode 2, set the first word of the copy to 3 if part 1 succeeded,
; and write the 52 bytes back through 0xb198.
; NOTE(review): 0xafb0 only calls this when the first word of the region-1
; image is 2, so that word looks like a pending/done marker -- confirm.
; NOTE(review): 0xaa04, 0xaada, 0xa9e8, 0xb6d4 and 0xb198 are not in this
; listing; their roles are inferred from how results are used.
    aeba:	b530      	push	{r4, r5, lr}
    aebc:	b09e      	sub	sp, #120
    aebe:	2000      	mov	r0, #0
    aec0:	43c4      	mvn	r4, r0
; 0xb0c2(region 0, handle at sp+4, mode 1); on failure skip to part 2
    aec2:	2000      	mov	r0, #0
    aec4:	a901      	add	r1, sp, #4
    aec6:	2201      	mov	r2, #1
    aec8:	f8fbf000 	bl	0xb0c2
    aecc:	2800      	cmp	r0, #0
    aece:	d13c      	bne	0xaf4a
; 0xb152 fills [sp+12] = image pointer, [sp+16] = image length
    aed0:	a801      	add	r0, sp, #4
    aed2:	a903      	add	r1, sp, #12
    aed4:	f93df000 	bl	0xb152
    aed8:	2800      	cmp	r0, #0
    aeda:	d132      	bne	0xaf42
; both checks must return nonzero before the image is processed
    aedc:	9d03      	ldr	r5, [sp, #12]
    aede:	1c28      	mov	r0, r5		(add r0, r5, #0)
    aee0:	fd90f7ff 	bl	0xaa04
    aee4:	2800      	cmp	r0, #0
    aee6:	d02c      	beq	0xaf42
    aee8:	9803      	ldr	r0, [sp, #12]
    aeea:	fdf6f7ff 	bl	0xaada
    aeee:	2800      	cmp	r0, #0
    aef0:	d027      	beq	0xaf42
; copy 48 bytes from image + 56 to sp+20
    aef2:	2038      	mov	r0, #56
    aef4:	1941      	add	r1, r0, r5
    aef6:	2230      	mov	r2, #48
    aef8:	a805      	add	r0, sp, #20
    aefa:	780b      	ldrb	r3, [r1, #0]
    aefc:	7003      	strb	r3, [r0, #0]
    aefe:	3101      	add	r1, #1
    af00:	3001      	add	r0, #1
    af02:	3a01      	sub	r2, #1
    af04:	2a00      	cmp	r2, #0
    af06:	d1f8      	bne	0xaefa
; 0xad8c(image + 0x178, length - 0x178, &[sp+0]); 255 + 121 = 0x178.
; The subtraction is not checked against a length below 0x178 here.
    af08:	2000      	mov	r0, #0
    af0a:	9000      	str	r0, [sp, #0]
    af0c:	9803      	ldr	r0, [sp, #12]
    af0e:	30ff      	add	r0, #255
    af10:	3079      	add	r0, #121
    af12:	9904      	ldr	r1, [sp, #16]
    af14:	39ff      	sub	r1, #255
    af16:	3979      	sub	r1, #121
    af18:	466a      	mov	r2, sp
    af1a:	ff37f7ff 	bl	0xad8c
    af1e:	1c03      	mov	r3, r0		(add r3, r0, #0)
    af20:	2b00      	cmp	r3, #0
    af22:	d00e      	beq	0xaf42
; r0 = word at image + 0x170 (255 + 113), passed to 0xa9e8.
; NOTE(review): r3 is read again at 0xaf32 after this call, which relies
; on 0xa9e8 leaving r3 intact -- verify.
    af24:	20ff      	mov	r0, #255
    af26:	3071      	add	r0, #113
    af28:	5940      	ldr	r0, [r0, r5]
    af2a:	fd5df7ff 	bl	0xa9e8
; 0xb6d4(r0 = [sp+0], r1 = 0xad8c result, r2 = 0xa9e8 result); a zero
; return is the success case
    af2e:	1c02      	mov	r2, r0		(add r2, r0, #0)
    af30:	9800      	ldr	r0, [sp, #0]
    af32:	1c19      	mov	r1, r3		(add r1, r3, #0)
    af34:	fbcef000 	bl	0xb6d4
    af38:	2800      	cmp	r0, #0
    af3a:	d101      	bne	0xaf40
    af3c:	2400      	mov	r4, #0
    af3e:	e000      	b	0xaf42
; NOTE(review): this branch skips the "add r0, sp, #4" at 0xaf42, so on
; the 0xb6d4-failure path 0xb2f4 is entered with r0 still holding 0xb6d4's
; nonzero return value instead of the handle address -- verify.
    af40:	e000      	b	0xaf44
; release region 0: 0xb2f4(handle, 0)
    af42:	a801      	add	r0, sp, #4
    af44:	2100      	mov	r1, #0
    af46:	f9d5f000 	bl	0xb2f4
; part 2: 0xb0c2(region 1, handle at sp+4, mode 1)
    af4a:	2001      	mov	r0, #1
    af4c:	a901      	add	r1, sp, #4
    af4e:	2201      	mov	r2, #1
    af50:	f8b7f000 	bl	0xb0c2
    af54:	2800      	cmp	r0, #0
    af56:	d129      	bne	0xafac
    af58:	a801      	add	r0, sp, #4
    af5a:	a903      	add	r1, sp, #12
    af5c:	f8f9f000 	bl	0xb152
    af60:	2800      	cmp	r0, #0
    af62:	d123      	bne	0xafac
; copy 52 bytes from the region-1 image to sp+68
    af64:	9903      	ldr	r1, [sp, #12]
    af66:	aa11      	add	r2, sp, #68
    af68:	2000      	mov	r0, #0
    af6a:	780b      	ldrb	r3, [r1, #0]
    af6c:	5483      	strb	r3, [r0, r2]
    af6e:	3101      	add	r1, #1
    af70:	3001      	add	r0, #1
    af72:	2834      	cmp	r0, #52
    af74:	d3f9      	bcc	0xaf6a
    af76:	a801      	add	r0, sp, #4
    af78:	2100      	mov	r1, #0
    af7a:	f9bbf000 	bl	0xb2f4
; reopen region 1 in mode 2
    af7e:	2001      	mov	r0, #1
    af80:	a901      	add	r1, sp, #4
    af82:	2202      	mov	r2, #2
    af84:	f89df000 	bl	0xb0c2
    af88:	2800      	cmp	r0, #0
    af8a:	d10f      	bne	0xafac
; if part 1 succeeded (r4 == 0), the first word of the copy becomes 3
    af8c:	2c00      	cmp	r4, #0
    af8e:	d101      	bne	0xaf94
    af90:	2003      	mov	r0, #3
    af92:	9011      	str	r0, [sp, #68]
; 0xb198(handle, sp+68, 52), then release with 0xb2f4(handle, 0)
    af94:	a801      	add	r0, sp, #4
    af96:	a911      	add	r1, sp, #68
    af98:	2234      	mov	r2, #52
    af9a:	f8fdf000 	bl	0xb198
    af9e:	a801      	add	r0, sp, #4
    afa0:	2100      	mov	r1, #0
    afa2:	f9a7f000 	bl	0xb2f4
    afa6:	2063      	mov	r0, #99
    afa8:	fb3cf7f7 	bl	0x2624
    afac:	b01e      	add	sp, #120
    afae:	bd30      	pop	{r4, r5, pc}

; This is the first function in the copied code,
; called from the boot entry code.
; Thumb, no arguments; 16 bytes of locals (handle at sp, result pair at
; sp+8).  Reached through the trampoline at 0x2f8.
; Opens region 1 in mode 1, fetches its image pointer, releases the
; region, and runs the five calls below only if every step succeeded and
; the first word of the image equals 2.  In every other case it returns
; without doing anything further.
    afb0:	b510      	push	{r4, lr}
    afb2:	b084      	sub	sp, #16
; 0xb0c2(region 1, handle at sp, mode 1)
    afb4:	2001      	mov	r0, #1
    afb6:	4669      	mov	r1, sp
    afb8:	2201      	mov	r2, #1
    afba:	f882f000 	bl	0xb0c2
    afbe:	2800      	cmp	r0, #0
    afc0:	d118      	bne	0xaff4
; r4 = status from 0xb152; the region is released before r4 is tested
    afc2:	4668      	mov	r0, sp
    afc4:	a902      	add	r1, sp, #8
    afc6:	f8c4f000 	bl	0xb152
    afca:	1c04      	mov	r4, r0		(add r4, r0, #0)
    afcc:	4668      	mov	r0, sp
    afce:	2100      	mov	r1, #0
    afd0:	f990f000 	bl	0xb2f4
    afd4:	2c00      	cmp	r4, #0
    afd6:	d10d      	bne	0xaff4
; first word of the region-1 image must be 2.  The image is read here
; after the region has already been released.
    afd8:	9802      	ldr	r0, [sp, #8]
    afda:	6800      	ldr	r0, [r0, #0]
    afdc:	2802      	cmp	r0, #2
    afde:	d109      	bne	0xaff4
    afe0:	fb70f7f7 	bl	0x26c4
    afe4:	fa90f7f7 	bl	0x2508
    afe8:	fac3f7f7 	bl	0x2572
    afec:	ff65f7ff 	bl	0xaeba
    aff0:	f9acf7f8 	bl	0x334c
    aff4:	b004      	add	sp, #16
    aff6:	bd10      	pop	{r4, pc}

; This function ensures that the flash at the given address
; is not toggling.
; Thumb.  In: r0 = flash address.  Clobbers r1, r2.
; Reads the halfword twice and XORs the two values; "lsr #7" moves bit 6
; of the difference into the carry flag, and the loop repeats while that
; bit differs between the two reads.
; There is no iteration bound: the function does not return while bit 6
; keeps changing.
    b004:	8802      	ldrh	r2, [r0, #0]
    b006:	8801      	ldrh	r1, [r0, #0]
    b008:	404a      	eor	r2, r1
    b00a:	09d1      	lsr	r1, r2, #7
    b00c:	d2fa      	bcs	0xb004
    b00e:	4770      	bx	lr

; 0xb010 (Thumb).  In: r0 = flash address, r1 = halfword to write.
; No return value is set; the only failure indication visible here is the
; byte written through the literal at 0xb3e0.
; 0xb528 returns an ID whose low 16 bits select the address granularity:
; a match with the literal at 0xb3a4 masks the address to 64 KiB, the
; value 0x2100 masks it to 4 KiB, and any other ID returns without
; writing anything.
; NOTE(review): the 0xAA / 0x55 / 0xA0 command writes followed by the data
; write look like an AMD/JEDEC-style program sequence with bit-7 polling
; and a bit-5 error check.  The command offsets come from literals at
; 0xb3d8/0xb3dc that are not in this listing -- confirm.
    b010:	b530      	push	{r4, r5, lr}
    b012:	1c0c      	mov	r4, r1		(add r4, r1, #0)
    b014:	1c05      	mov	r5, r0		(add r5, r0, #0)
    b016:	fa87f000 	bl	0xb528
    b01a:	0400      	lsl	r0, r0, #16
    b01c:	0c00      	lsr	r0, r0, #16
    b01e:	49e1      	ldr	r1, [pc, #900]	(0xb3a4)
    b020:	4288      	cmp	r0, r1
    b022:	d008      	beq	0xb036
; r1 = 33 << 8 = 0x2100
    b024:	2121      	mov	r1, #33
    b026:	0209      	lsl	r1, r1, #8
    b028:	4288      	cmp	r0, r1
    b02a:	d126      	bne	0xb07a
; ID 0x2100: r0 = [0xb3d8] + (address & ~0xfff)
    b02c:	49ea      	ldr	r1, [pc, #936]	(0xb3d8)
    b02e:	0b28      	lsr	r0, r5, #12
    b030:	0300      	lsl	r0, r0, #12
    b032:	1808      	add	r0, r1, r0
    b034:	e003      	b	0xb03e
; ID matching [0xb3a4]: r0 = [0xb3d8] + (address & ~0xffff)
    b036:	49e8      	ldr	r1, [pc, #928]	(0xb3d8)
    b038:	0c28      	lsr	r0, r5, #16
    b03a:	0400      	lsl	r0, r0, #16
    b03c:	1808      	add	r0, r1, r0
; command writes: 0xAA -> [r0 + [0xb3dc]], 0x55 -> [r0],
; 0xA0 -> [r0 + [0xb3dc]], then the data halfword to the target address
    b03e:	4ae7      	ldr	r2, [pc, #924]	(0xb3dc)
    b040:	21aa      	mov	r1, #170
    b042:	5211      	strh	r1, [r2, r0]
    b044:	2155      	mov	r1, #85
    b046:	8001      	strh	r1, [r0, #0]
    b048:	49e4      	ldr	r1, [pc, #912]	(0xb3dc)
    b04a:	22a0      	mov	r2, #160
    b04c:	520a      	strh	r2, [r1, r0]
    b04e:	802c      	strh	r4, [r5, #0]
; Poll: done when bit 7 read back equals bit 7 of the data.  "lsr #6"
; moves bit 5 into carry; while bit 5 is clear keep polling.  This loop
; has no iteration bound of its own.
    b050:	2080      	mov	r0, #128
    b052:	4020      	and	r0, r4
    b054:	8829      	ldrh	r1, [r5, #0]
    b056:	2280      	mov	r2, #128
    b058:	400a      	and	r2, r1
    b05a:	4282      	cmp	r2, r0
    b05c:	d00d      	beq	0xb07a
    b05e:	0989      	lsr	r1, r1, #6
    b060:	d3f8      	bcc	0xb054
; bit 5 was set: re-check bit 7 once more before declaring failure
    b062:	8829      	ldrh	r1, [r5, #0]
    b064:	2280      	mov	r2, #128
    b066:	400a      	and	r2, r1
    b068:	4282      	cmp	r2, r0
    b06a:	d006      	beq	0xb07a
; failure: write 0x90 then 0x00 to the target address and set the byte
; addressed by the literal at 0xb3e0 to 1
    b06c:	2090      	mov	r0, #144
    b06e:	8028      	strh	r0, [r5, #0]
    b070:	2000      	mov	r0, #0
    b072:	8028      	strh	r0, [r5, #0]
    b074:	48da      	ldr	r0, [pc, #872]	(0xb3e0)
    b076:	2101      	mov	r1, #1
    b078:	7001      	strb	r1, [r0, #0]
    b07a:	bd30      	pop	{r4, r5, pc}

; 0xb07c (Thumb).  In: r0 = flash address.  No return value is set.
; 4 bytes of locals hold two status reads.
; Writes 0xAA, 0x55, 0x80, 0xAA, 0x55 to two command addresses derived
; from (address & ~0xfff) plus the literals at 0xb3e4 and 0xb3d8, then
; 0x30 to the address itself, and polls until the status settles.
; NOTE(review): that byte sequence looks like an AMD/JEDEC-style sector
; erase; the command offsets are literals not shown in this listing --
; confirm.
; Neither polling loop has an iteration bound or reports an error.
    b07c:	b530      	push	{r4, r5, lr}
    b07e:	b081      	sub	sp, #4
; r3 = address & ~0xfff
    b080:	0b01      	lsr	r1, r0, #12
    b082:	030b      	lsl	r3, r1, #12
    b084:	49d7      	ldr	r1, [pc, #860]	(0xb3e4)
    b086:	18c9      	add	r1, r1, r3
    b088:	22aa      	mov	r2, #170
    b08a:	800a      	strh	r2, [r1, #0]
    b08c:	4cd2      	ldr	r4, [pc, #840]	(0xb3d8)
    b08e:	18e4      	add	r4, r4, r3
    b090:	2355      	mov	r3, #85
    b092:	8023      	strh	r3, [r4, #0]
    b094:	2580      	mov	r5, #128
    b096:	800d      	strh	r5, [r1, #0]
    b098:	800a      	strh	r2, [r1, #0]
    b09a:	8023      	strh	r3, [r4, #0]
    b09c:	2130      	mov	r1, #48
    b09e:	8001      	strh	r1, [r0, #0]
; wait until bit 3 of the status reads 1 ("lsr #4" moves bit 3 to carry)
    b0a0:	8801      	ldrh	r1, [r0, #0]
    b0a2:	0909      	lsr	r1, r1, #4
    b0a4:	d3fc      	bcc	0xb0a0
; then read twice via the stack and loop while bit 6 differs between the
; two reads (same test as 0xb004)
    b0a6:	4669      	mov	r1, sp
    b0a8:	8802      	ldrh	r2, [r0, #0]
    b0aa:	804a      	strh	r2, [r1, #2]
    b0ac:	466a      	mov	r2, sp
    b0ae:	8801      	ldrh	r1, [r0, #0]
    b0b0:	8011      	strh	r1, [r2, #0]
    b0b2:	4669      	mov	r1, sp
    b0b4:	8849      	ldrh	r1, [r1, #2]
    b0b6:	8812      	ldrh	r2, [r2, #0]
    b0b8:	4051      	eor	r1, r2
    b0ba:	09c9      	lsr	r1, r1, #7
    b0bc:	d2f3      	bcs	0xb0a6
    b0be:	b001      	add	sp, #4
    b0c0:	bd30      	pop	{r4, r5, pc}

; arg1: magic region number
; arg2: ptr to 8-byte buffer receiving copies of arg1 and arg3
; arg3: mode, must be 1 or 2
;
; Mode 1: check the region (which must be in a state other than 2) for
; a checksum-passing image, and advance to state 1 if found.  If already
; in state 1, increment the byte at offset 8 in struct.
;
; Mode 2: put the region (which must be in state 0) into state 2.
;
; Returns:
; 0 = success
; 1 = region in the wrong state for mode
; 2 = called with bad arguments
; 3 = mode 1: no checksum-passing image found
;
; Per-region struct as accessed below: 24 bytes each, table base 0x810024.
;   +0  word, set in mode 2 from [[0x81006C + 4*region] + 8]
;   +4  state word (0, 1 or 2)
;   +8  byte counter, incremented on every successful mode-1 call
;   +9  byte, cleared in mode 2
;   +16 word and +20 halfword, both cleared in mode 2
; The byte at 0x810020 is a one-time init flag: while it is 0, 0xb3a8 is
; called first and the flag is set to 1.
; The range checks use signed compares (bge), so a negative region number
; passes them and would index before the table.  The callers visible in
; this listing pass the constants 0 or 1.

    b0c2:	b5f0      	push	{r4, r5, r6, r7, lr}
    b0c4:	1c15      	mov	r5, r2		(add r5, r2, #0)
    b0c6:	1c0e      	mov	r6, r1		(add r6, r1, #0)
    b0c8:	1c04      	mov	r4, r0		(add r4, r0, #0)
    b0ca:	4fe5      	ldr	r7, [pc, #916]	(0xb460) =0x810020
    b0cc:	7838      	ldrb	r0, [r7, #0]
    b0ce:	2800      	cmp	r0, #0
    b0d0:	d103      	bne	0xb0da
    b0d2:	f969f000 	bl	0xb3a8
    b0d6:	2001      	mov	r0, #1
    b0d8:	7038      	strb	r0, [r7, #0]
; argument checks: region < 3, mode < 3, then dispatch on mode 1 / mode 2
    b0da:	2c03      	cmp	r4, #3
    b0dc:	da07      	bge	0xb0ee
    b0de:	2d03      	cmp	r5, #3
    b0e0:	da05      	bge	0xb0ee
    b0e2:	1e68      	sub	r0, r5, #1
    b0e4:	2800      	cmp	r0, #0
    b0e6:	d019      	beq	0xb11c
    b0e8:	3801      	sub	r0, #1
    b0ea:	2800      	cmp	r0, #0
    b0ec:	d001      	beq	0xb0f2
; return 2; means invalid invocation?
    b0ee:	2002      	mov	r0, #2
    b0f0:	bdf0      	pop	{r4, r5, r6, r7, pc}
; goes here if 3rd arg == 2
; r1 = struct for this region, r0 = address of its state word
    b0f2:	2018      	mov	r0, #24
    b0f4:	4360      	mul	r0, r4
    b0f6:	49db      	ldr	r1, [pc, #876]	(0xb464) =0x810024
    b0f8:	1809      	add	r1, r1, r0
    b0fa:	2004      	mov	r0, #4
    b0fc:	1840      	add	r0, r0, r1
    b0fe:	6802      	ldr	r2, [r0, #0]
    b100:	2a00      	cmp	r2, #0
    b102:	d112      	bne	0xb12a		; return 1;
    b104:	2202      	mov	r2, #2
    b106:	6002      	str	r2, [r0, #0]
    b108:	2000      	mov	r0, #0
    b10a:	8288      	strh	r0, [r1, #20]
    b10c:	6108      	str	r0, [r1, #16]
    b10e:	4aea      	ldr	r2, [pc, #936]	(0xb4b8) =0x81006C
    b110:	00a3      	lsl	r3, r4, #2
    b112:	58d2      	ldr	r2, [r2, r3]
    b114:	6892      	ldr	r2, [r2, #8]
    b116:	600a      	str	r2, [r1, #0]
    b118:	7248      	strb	r0, [r1, #9]
    b11a:	e016      	b	0xb14a
; goes here if 3rd arg == 1
; r7 = address of the state word (0x810028 = table base + 4)
    b11c:	2018      	mov	r0, #24
    b11e:	4360      	mul	r0, r4
    b120:	49d1      	ldr	r1, [pc, #836]	(0xb468) =0x810028
    b122:	180f      	add	r7, r1, r0
    b124:	6838      	ldr	r0, [r7, #0]
    b126:	2802      	cmp	r0, #2
    b128:	d101      	bne	0xb12e
; return 1;
    b12a:	2001      	mov	r0, #1
    b12c:	bdf0      	pop	{r4, r5, r6, r7, pc}
; continuation of operation with arg3 == 1
; state 0: 0xb46c(region) must return 0 before the state becomes 1
    b12e:	2800      	cmp	r0, #0
    b130:	d108      	bne	0xb144
    b132:	1c20      	mov	r0, r4		(add r0, r4, #0)
    b134:	f99af000 	bl	0xb46c
    b138:	2800      	cmp	r0, #0
    b13a:	d001      	beq	0xb140
    b13c:	2003      	mov	r0, #3
    b13e:	bdf0      	pop	{r4, r5, r6, r7, pc}
    b140:	2001      	mov	r0, #1
    b142:	6038      	str	r0, [r7, #0]
; The increment below also runs on the 0 -> 1 transition (fall-through
; from 0xb142).  The counter is a single byte; no overflow check.
    b144:	7938      	ldrb	r0, [r7, #4]
    b146:	3001      	add	r0, #1
    b148:	7138      	strb	r0, [r7, #4]
; common success exit: buffer[0] = region, buffer[1] = mode
    b14a:	6034      	str	r4, [r6, #0]
    b14c:	6075      	str	r5, [r6, #4]
    b14e:	2000      	mov	r0, #0
    b150:	bdf0      	pop	{r4, r5, r6, r7, pc}

; arg1: points to buffer filled by successful 0xb0c2 in mode 1
; arg2: 8-byte buffer filled as:
; 0: points to start of image
; 4: image length
; Returns (as coded below):
; 0 = success
; 2 = region or mode value in the arg1 buffer is >= 3
; 5 = init flag at 0x810020 is clear, or the region is not in state 1
; The range checks are signed (bge/blt), so negative values in the arg1
; buffer pass them; the buffer contents are trusted to come from 0xb0c2.
    b152:	b530      	push	{r4, r5, lr}
    b154:	1c0c      	mov	r4, r1		(add r4, r1, #0)
    b156:	1c01      	mov	r1, r0		(add r1, r0, #0)
    b158:	48c1      	ldr	r0, [pc, #772]	(0xb460) =0x810020
    b15a:	7800      	ldrb	r0, [r0, #0]
    b15c:	2800      	cmp	r0, #0
    b15e:	d010      	beq	0xb182
; r0 = region; r5 = address of its slot in the pointer table at 0x81006C
; (computed before the range check, dereferenced only after it)
    b160:	6808      	ldr	r0, [r1, #0]
    b162:	4ad5      	ldr	r2, [pc, #852]	(0xb4b8) =0x81006C
    b164:	0083      	lsl	r3, r0, #2
    b166:	18d5      	add	r5, r2, r3
    b168:	2803      	cmp	r0, #3
    b16a:	da02      	bge	0xb172
    b16c:	6849      	ldr	r1, [r1, #4]
    b16e:	2903      	cmp	r1, #3
    b170:	db01      	blt	0xb176
    b172:	2002      	mov	r0, #2
    b174:	bd30      	pop	{r4, r5, pc}
; the region's state word must be 1
    b176:	2118      	mov	r1, #24
    b178:	4341      	mul	r1, r0
    b17a:	4abb      	ldr	r2, [pc, #748]	(0xb468) =0x810028
    b17c:	5851      	ldr	r1, [r2, r1]
    b17e:	2901      	cmp	r1, #1
    b180:	d001      	beq	0xb186
    b182:	2005      	mov	r0, #5
    b184:	bd30      	pop	{r4, r5, pc}
; 0xb448 is entered with r0 = region; the word at offset 4 of what it
; returns is stored as the length, and [[r5] + 8] as the image start
    b186:	f95ff000 	bl	0xb448
    b18a:	6840      	ldr	r0, [r0, #4]
    b18c:	6060      	str	r0, [r4, #4]
    b18e:	6828      	ldr	r0, [r5, #0]
    b190:	6880      	ldr	r0, [r0, #8]
    b192:	6020      	str	r0, [r4, #0]
    b194:	2000      	mov	r0, #0
    b196:	bd30      	pop	{r4, r5, pc}

; 0xb2f4 (Thumb): release a region opened by 0xb0c2.
; In: r0 = pointer to the 8-byte buffer filled by 0xb0c2 (region, mode),
;     r1 = flag, must be 0 or 1.
; Returns (as coded below):
; 0 = success
; 2 = region >= 3, mode not 1 or 2, or flag >= 2
; 5 = init flag at 0x810020 is clear, or the region is in state 0
; Mode 1: decrement the byte counter at struct offset 8; when it reaches
; zero the state word goes back to 0.
; Mode 2: with flag == 0, call 0xb3e8 first; in both cases the state word
; is then set to 0.
; The range checks are signed (bge), so negative values in the buffer or
; in r1 pass them.
    b2f4:	b570      	push	{r4, r5, r6, lr}
    b2f6:	1c04      	mov	r4, r0		(add r4, r0, #0)
    b2f8:	4859      	ldr	r0, [pc, #356]	(0xb460) =0x810020
    b2fa:	7800      	ldrb	r0, [r0, #0]
    b2fc:	2800      	cmp	r0, #0
    b2fe:	d00f      	beq	0xb320
    b300:	6820      	ldr	r0, [r4, #0]
    b302:	2803      	cmp	r0, #3
    b304:	da14      	bge	0xb330
    b306:	6866      	ldr	r6, [r4, #4]
    b308:	2e03      	cmp	r6, #3
    b30a:	da11      	bge	0xb330
    b30c:	2902      	cmp	r1, #2
    b30e:	da0f      	bge	0xb330
; r2 = address of this region's state word (table base + 24*region + 4)
    b310:	4d54      	ldr	r5, [pc, #336]	(0xb464) =0x810024
    b312:	2218      	mov	r2, #24
    b314:	4342      	mul	r2, r0
    b316:	18aa      	add	r2, r5, r2
    b318:	3204      	add	r2, #4
    b31a:	6813      	ldr	r3, [r2, #0]
    b31c:	2b00      	cmp	r3, #0
    b31e:	d101      	bne	0xb324
    b320:	2005      	mov	r0, #5
    b322:	bd70      	pop	{r4, r5, r6, pc}
; dispatch on the mode recorded in the buffer: 1 -> 0xb34c, 2 -> 0xb334
    b324:	1e73      	sub	r3, r6, #1
    b326:	2b00      	cmp	r3, #0
    b328:	d010      	beq	0xb34c
    b32a:	3b01      	sub	r3, #1
    b32c:	2b00      	cmp	r3, #0
    b32e:	d001      	beq	0xb334
    b330:	2002      	mov	r0, #2
    b332:	bd70      	pop	{r4, r5, r6, pc}
; mode 2: r2 is recomputed after the call to 0xb3e8
    b334:	2900      	cmp	r1, #0
    b336:	d106      	bne	0xb346
    b338:	f856f000 	bl	0xb3e8
    b33c:	2018      	mov	r0, #24
    b33e:	6821      	ldr	r1, [r4, #0]
    b340:	4348      	mul	r0, r1
    b342:	182a      	add	r2, r5, r0
    b344:	3204      	add	r2, #4
    b346:	2000      	mov	r0, #0
    b348:	6010      	str	r0, [r2, #0]
    b34a:	e00c      	b	0xb366
; mode 1: [r2 + 4] is the byte counter at struct offset 8; the lsl/lsr #24
; pair keeps the decremented value to 8 bits
    b34c:	7910      	ldrb	r0, [r2, #4]
    b34e:	3801      	sub	r0, #1
    b350:	0600      	lsl	r0, r0, #24
    b352:	0e00      	lsr	r0, r0, #24
    b354:	7110      	strb	r0, [r2, #4]
    b356:	2800      	cmp	r0, #0
    b358:	d105      	bne	0xb366
    b35a:	2018      	mov	r0, #24
    b35c:	6821      	ldr	r1, [r4, #0]
    b35e:	4348      	mul	r0, r1
    b360:	1828      	add	r0, r5, r0
    b362:	2100      	mov	r1, #0
    b364:	6041      	str	r1, [r0, #4]
    b366:	2000      	mov	r0, #0
    b368:	bd70      	pop	{r4, r5, r6, pc}

; This function adjusts the flash region pointers
; in the table @81006C depending on the chip revision.
; It takes no arguments and sets no status return value.
; The device ID comes from 0xb528 (truncated to 16 bits):
;   0x2101 -> table = { 0x81a61c, 0x81a8b4, 0x81ab4c }
;   0x2100 -> table = { 0x81a4d0, 0x81a768, 0x81aa00 }
;   any other ID -> table is left untouched
; NOTE(review): the initialized data table at 0x1fa24 appears to preload
;   @81006C with the 0x2100 set, so an unrecognized chip would silently
;   use that layout — TODO confirm.
    b36a:	b500      	push	{lr}
    b36c:	f8dcf000 	bl	0xb528
    b370:	0400      	lsl	r0, r0, #16
    b372:	0c00      	lsr	r0, r0, #16
; R1 = 33 << 8 = 0x2100
    b374:	2121      	mov	r1, #33
    b376:	0209      	lsl	r1, r1, #8
    b378:	4288      	cmp	r0, r1
    b37a:	d00a      	beq	0xb392
; literal at 0xb3a4 is 0x2101
    b37c:	4909      	ldr	r1, [pc, #36]	(0xb3a4)
    b37e:	4288      	cmp	r0, r1
    b380:	d10e      	bne	0xb3a0
; ID == 0x2101: store the three pointers from 0xb58c/0xb590/0xb594
    b382:	484d      	ldr	r0, [pc, #308]	(0xb4b8)
    b384:	4981      	ldr	r1, [pc, #516]	(0xb58c)
    b386:	6001      	str	r1, [r0, #0]
    b388:	4981      	ldr	r1, [pc, #516]	(0xb590)
    b38a:	6041      	str	r1, [r0, #4]
    b38c:	4981      	ldr	r1, [pc, #516]	(0xb594)
    b38e:	6081      	str	r1, [r0, #8]
    b390:	bd00      	pop	{pc}
; ID == 0x2100: store the three pointers from 0xb598/0xb59c/0xb5a0
    b392:	4849      	ldr	r0, [pc, #292]	(0xb4b8)
    b394:	4980      	ldr	r1, [pc, #512]	(0xb598)
    b396:	6001      	str	r1, [r0, #0]
    b398:	4980      	ldr	r1, [pc, #512]	(0xb59c)
    b39a:	6041      	str	r1, [r0, #4]
    b39c:	4980      	ldr	r1, [pc, #512]	(0xb5a0)
    b39e:	6081      	str	r1, [r0, #8]
    b3a0:	bd00      	pop	{pc}
    b3a2:	46c0      	nop			(mov r8, r8)
    b3a4:	00002101

    ; Function 0xb3a8: initializes the three 24-byte records at 0x810024.
    ; It first calls 0xb36a so that the table @81006C matches the detected
    ; chip revision, then for each record i = 0..2, with D = table@81006C[i]:
    ;   +0      = word at D+8 (first address listed in the region descriptor)
    ;   +4      = 0 (word; the one tested by 0xb152 and 0xb2f4)
    ;   +8, +9  = 0 (bytes)
    ;   +12     = 0x12345678
    ;   +16     = 0 (word)
    ;   +20     = 0 (halfword)
    ; No arguments are read and no status is returned.
    b3a8:	b530      	push	{r4, r5, lr}
    b3aa:	ffdef7ff 	bl	0xb36a
    ; R1 = 0 (fill value), R5 = magic, R3 = loop count,
    ; R2 walks the table @81006C, R0 walks the records
    b3ae:	2100      	mov	r1, #0
    b3b0:	4d7c      	ldr	r5, [pc, #496]	(0xb5a4) =0x12345678
    b3b2:	2303      	mov	r3, #3
    b3b4:	4a40      	ldr	r2, [pc, #256]	(0xb4b8)
    b3b6:	482b      	ldr	r0, [pc, #172]	(0xb464) =0x810024
    ; loop body, executed 3 times
    b3b8:	6814      	ldr	r4, [r2, #0]
    b3ba:	68a4      	ldr	r4, [r4, #8]
    b3bc:	6004      	str	r4, [r0, #0]
    b3be:	60c5      	str	r5, [r0, #12]
    b3c0:	8281      	strh	r1, [r0, #20]
    b3c2:	6101      	str	r1, [r0, #16]
    b3c4:	6041      	str	r1, [r0, #4]
    b3c6:	7201      	strb	r1, [r0, #8]
    b3c8:	7241      	strb	r1, [r0, #9]
    ; advance to the next table entry (4 bytes) and the next record (24 bytes)
    b3ca:	3204      	add	r2, #4
    b3cc:	3018      	add	r0, #24
    b3ce:	3b01      	sub	r3, #1
    b3d0:	2b00      	cmp	r3, #0
    b3d2:	d1f1      	bne	0xb3b8
    b3d4:	bd30      	pop	{r4, r5, pc}
    b3d6:	46c0      	nop			(mov r8, r8)

; This function ensures that the flash in the last sector of the
; specified magic region is not toggling, and then returns
; the address of where 0x12345678 is expected.
; In:  R0 = region index into the pointer table @81006C
; Out: R0 = whatever 0xb004 returns for the trailer address (0xb004 is not
;      part of this listing; per the description above it hands the address back)
; The trailer address is computed as D->addr[N] - 12, where D is the region
; descriptor, N is the byte at D+4 and addr[] is the word array at D+8.
; NOTE(review): the index is not range-checked here; 0xb152 checks it before
;   calling, 0xb46c passes its argument straight through.
    b448:	b500      	push	{lr}
; R0 = D = table@81006C[index]
    b44a:	491b      	ldr	r1, [pc, #108]	(0xb4b8) =0x81006C
    b44c:	0080      	lsl	r0, r0, #2
    b44e:	5808      	ldr	r0, [r1, r0]
; R0 = word at D + 8 + 4*N, with N = byte at D+4
    b450:	7901      	ldrb	r1, [r0, #4]
    b452:	0089      	lsl	r1, r1, #2
    b454:	1840      	add	r0, r0, r1
    b456:	6880      	ldr	r0, [r0, #8]
; step back 12 bytes to the start of the trailer and pass that to 0xb004
    b458:	380c      	sub	r0, #12
    b45a:	fdd3f7ff 	bl	0xb004
    b45e:	bd00      	pop	{pc}

    b460:	00810020
    b464:	00810024
    b468:	00810028

; This function checks whether the magic region specified by the argument
; contains a checksum-passing image or not.  Returns 0 if pass, 3 otherwise.
; In: R0 = region index (passed unchecked to 0xb448 and into the table @81006C)
; Trailer layout as read here, T = address returned by 0xb448:
;   T+0 .. T+9 : five halfwords covered by the header sum
;   T+4        : image length in bytes (word)
;   T+8        : expected 16-bit sum of the image (halfword)
;   T+10       : expected 16-bit sum of the five halfwords at T+0..T+9
; Both sums are plain 16-bit additions with wraparound; for an odd length the
; low 8 bits of the final halfword are added as the last term.
; NOTE(review): additive sums only detect accidental corruption; they give
;   no assurance about who wrote the image.
; NOTE(review): the length read from T+4 is not bounded against the region
;   size before it drives the summing loop.
; NOTE(review): the 0x12345678 magic is not compared in this function, and an
;   all-zero trailer satisfies both sums (0 == 0 with length 0), so the caller
;   would need to check the magic separately — TODO confirm that it does.
    b46c:	b530      	push	{r4, r5, lr}
    b46e:	1c04      	mov	r4, r0		(add r4, r0, #0)
    b470:	ffeaf7ff 	bl	0xb448
; header sum: R3 = 16-bit sum of the 5 halfwords starting at T (R0 keeps T)
    b474:	1c02      	mov	r2, r0		(add r2, r0, #0)
    b476:	2105      	mov	r1, #5
    b478:	2300      	mov	r3, #0
    b47a:	8815      	ldrh	r5, [r2, #0]
    b47c:	18eb      	add	r3, r5, r3
    b47e:	041b      	lsl	r3, r3, #16
    b480:	0c1b      	lsr	r3, r3, #16
    b482:	3202      	add	r2, #2
    b484:	3901      	sub	r1, #1
    b486:	2900      	cmp	r1, #0
    b488:	d1f7      	bne	0xb47a
; compare with the stored header sum at T+10; mismatch -> return 3
    b48a:	8941      	ldrh	r1, [r0, #10]
    b48c:	428b      	cmp	r3, r1
    b48e:	d11e      	bne	0xb4ce
; R3 = image start (word at +8 of the region descriptor), R2 = length from T+4
    b490:	4909      	ldr	r1, [pc, #36]	(0xb4b8) =0x81006C
    b492:	00a2      	lsl	r2, r4, #2
    b494:	5889      	ldr	r1, [r1, r2]
    b496:	688b      	ldr	r3, [r1, #8]
    b498:	6842      	ldr	r2, [r0, #4]
; image sum: R4 accumulates length/2 halfwords, truncated to 16 bits each step
    b49a:	2400      	mov	r4, #0
    b49c:	0851      	lsr	r1, r2, #1
    b49e:	2900      	cmp	r1, #0
    b4a0:	d007      	beq	0xb4b2
    b4a2:	881d      	ldrh	r5, [r3, #0]
    b4a4:	192c      	add	r4, r5, r4
    b4a6:	0424      	lsl	r4, r4, #16
    b4a8:	0c24      	lsr	r4, r4, #16
    b4aa:	3302      	add	r3, #2
    b4ac:	3901      	sub	r1, #1
    b4ae:	2900      	cmp	r1, #0
    b4b0:	d1f7      	bne	0xb4a2
; the shift puts bit 0 of the length into carry: even length skips the tail byte
    b4b2:	0851      	lsr	r1, r2, #1
    b4b4:	d308      	bcc	0xb4c8
    b4b6:	e001      	b	0xb4bc
; interspersed literal
    b4b8:	0081006c
; function continues
; odd length: add the low 8 bits of the next halfword to the running sum
    b4bc:	8819      	ldrh	r1, [r3, #0]
    b4be:	0609      	lsl	r1, r1, #24
    b4c0:	0e09      	lsr	r1, r1, #24
    b4c2:	1909      	add	r1, r1, r4
    b4c4:	0409      	lsl	r1, r1, #16
    b4c6:	0c0c      	lsr	r4, r1, #16
; compare with the stored image sum at T+8
    b4c8:	8900      	ldrh	r0, [r0, #8]
    b4ca:	4284      	cmp	r4, r0
    b4cc:	d001      	beq	0xb4d2
    b4ce:	2003      	mov	r0, #3
    b4d0:	bd30      	pop	{r4, r5, pc}
    b4d2:	2000      	mov	r0, #0
    b4d4:	bd30      	pop	{r4, r5, pc}

; This function reads flash ID from the chip.
; R0 needs to point to a 2-byte buffer into which the read manuf ID is stored.
; R1 needs to point to an 8-byte buffer (4 16-bit words) filled as follows:
; 0: word read from 0x02 in autoselect mode
; 2: word read from 0x1C ""
; 4: word read from 0x1E ""
; 6: revision number word from CFI
; No status is returned; there is no check that the chip actually entered
; autoselect or CFI mode.
; All flash accesses use absolute addresses between 0x0000 and 0x0AAA, so the
; flash is assumed to be mapped at address 0.
; NOTE(review): while the chip is in autoselect/CFI mode it does not return
;   array data, so this code presumably executes from the RAM copy — TODO confirm.
    b4d6:	b5f0      	push	{r4, r5, r6, r7, lr}
; three passes of this loop build R2 = 0xAAA (0x00A -> 0x0AA -> 0xAAA)
    b4d8:	2303      	mov	r3, #3
    b4da:	2200      	mov	r2, #0
    b4dc:	0114      	lsl	r4, r2, #4
    b4de:	4314      	orr	r4, r2
    b4e0:	220a      	mov	r2, #10
    b4e2:	4322      	orr	r2, r4
    b4e4:	3b01      	sub	r3, #1
    b4e6:	2b00      	cmp	r3, #0
    b4e8:	d1f8      	bne	0xb4dc
; unlock sequence: 0xAA -> [0xAAA], 0x55 -> [R6 = 0xAAA >> 1 = 0x555],
; then command 0x90 (autoselect) -> [0xAAA]
    b4ea:	24aa      	mov	r4, #170
    b4ec:	8014      	strh	r4, [r2, #0]
    b4ee:	1056      	asr	r6, r2, #1
    b4f0:	2555      	mov	r5, #85
    b4f2:	8035      	strh	r5, [r6, #0]
    b4f4:	2390      	mov	r3, #144
    b4f6:	8013      	strh	r3, [r2, #0]
; autoselect reads: [0x00] -> *R0 (manuf ID), [0x02], [0x1C], [0x1E] -> R1 buffer
    b4f8:	2300      	mov	r3, #0
    b4fa:	881f      	ldrh	r7, [r3, #0]
    b4fc:	8007      	strh	r7, [r0, #0]
    b4fe:	8858      	ldrh	r0, [r3, #2]
    b500:	8008      	strh	r0, [r1, #0]
    b502:	8b98      	ldrh	r0, [r3, #28]
    b504:	8048      	strh	r0, [r1, #2]
    b506:	8bd8      	ldrh	r0, [r3, #30]
    b508:	8088      	strh	r0, [r1, #4]
; command 0x98 (CFI query) -> [0xAAA], then
; revision word = ([0x86] << 8) | [0x88], stored at R1+6
    b50a:	2098      	mov	r0, #152
    b50c:	8010      	strh	r0, [r2, #0]
    b50e:	2086      	mov	r0, #134
    b510:	8847      	ldrh	r7, [r0, #2]
    b512:	8800      	ldrh	r0, [r0, #0]
    b514:	0200      	lsl	r0, r0, #8
    b516:	4307      	orr	r7, r0
    b518:	80cf      	strh	r7, [r1, #6]
; leave ID/CFI mode: 0xFF -> [0x00], then unlock again and 0xF0 (reset) -> [0xAAA]
; (the 0xFF write is presumably a reset for a different command set — TODO confirm)
    b51a:	20ff      	mov	r0, #255
    b51c:	8018      	strh	r0, [r3, #0]
    b51e:	8014      	strh	r4, [r2, #0]
    b520:	8035      	strh	r5, [r6, #0]
    b522:	20f0      	mov	r0, #240
    b524:	8010      	strh	r0, [r2, #0]
    b526:	bdf0      	pop	{r4, r5, r6, r7, pc}

; This function computes a single-word flash device ID.  The algorithm is
; as follows:
; - if the manuf is other than 01 or 04, return the autoselect word from 0x02
; - ditto autosel[0x02] != 0x227E
; - otherwise the base value is (autosel[0x1C] << 8) | low byte of autosel[0x1E],
;   truncated to 16 bits
; - in the case of our expected S71PL129NC0, return value will be
;   0x2100 or 0x2101 depending on the chip rev indicated in CFI table:
;   with autosel[0x1C] == 0x2221 and autosel[0x1E] == 0x2200, a CFI revision
;   word of 0x3133 keeps the base value, any other revision word gives 0x2101
; Takes no arguments; result in R0.
; Stack frame (12 bytes) as passed to 0xb4d6:
;   sp+0  manuf ID          sp+4  autosel[0x02]     sp+6  autosel[0x1C]
;   sp+8  autosel[0x1E]     sp+10 CFI revision word

    b528:	b500      	push	{lr}
    b52a:	b083      	sub	sp, #12
    b52c:	4668      	mov	r0, sp
    b52e:	a901      	add	r1, sp, #4
    b530:	ffd1f7ff 	bl	0xb4d6
; manuf ID must be 1 or 4, otherwise return autosel[0x02]
    b534:	4668      	mov	r0, sp
    b536:	8800      	ldrh	r0, [r0, #0]
    b538:	2801      	cmp	r0, #1
    b53a:	d003      	beq	0xb544
    b53c:	4668      	mov	r0, sp
    b53e:	8800      	ldrh	r0, [r0, #0]
    b540:	2804      	cmp	r0, #4
    b542:	d11e      	bne	0xb582
; autosel[0x02] must be 0x227E (literal at 0xb5a8), otherwise return it as-is
    b544:	4668      	mov	r0, sp
    b546:	8881      	ldrh	r1, [r0, #4]
    b548:	4817      	ldr	r0, [pc, #92]	(0xb5a8)
    b54a:	4281      	cmp	r1, r0
    b54c:	d119      	bne	0xb582
; R0 = base value: byte at sp+8 (low byte of autosel[0x1E], assuming
; little-endian) ORed with autosel[0x1C] << 8, truncated to 16 bits
    b54e:	4668      	mov	r0, sp
    b550:	7a00      	ldrb	r0, [r0, #8]
    b552:	4669      	mov	r1, sp
    b554:	88c9      	ldrh	r1, [r1, #6]
    b556:	0209      	lsl	r1, r1, #8
    b558:	4308      	orr	r0, r1
    b55a:	0400      	lsl	r0, r0, #16
    b55c:	0c00      	lsr	r0, r0, #16
; return the base value unless autosel[0x1C] == 0x2221 (literal at 0xb5ac) ...
    b55e:	4669      	mov	r1, sp
    b560:	88c9      	ldrh	r1, [r1, #6]
    b562:	4a12      	ldr	r2, [pc, #72]	(0xb5ac)
    b564:	4291      	cmp	r1, r2
    b566:	d10e      	bne	0xb586
; ... and autosel[0x1E] == 17 << 9 = 0x2200
    b568:	4669      	mov	r1, sp
    b56a:	890a      	ldrh	r2, [r1, #8]
    b56c:	2111      	mov	r1, #17
    b56e:	0249      	lsl	r1, r1, #9
    b570:	428a      	cmp	r2, r1
    b572:	d108      	bne	0xb586
; CFI revision word == 0x3133 (literal at 0xb5b0): keep the base value;
; otherwise return 0x2101 (literal at 0xb5b4)
    b574:	4669      	mov	r1, sp
    b576:	8949      	ldrh	r1, [r1, #10]
    b578:	4a0d      	ldr	r2, [pc, #52]	(0xb5b0)
    b57a:	4291      	cmp	r1, r2
    b57c:	d003      	beq	0xb586
    b57e:	480d      	ldr	r0, [pc, #52]	(0xb5b4)
    b580:	e001      	b	0xb586
; fallback: return autosel[0x02]
    b582:	4668      	mov	r0, sp
    b584:	8880      	ldrh	r0, [r0, #4]
    b586:	b003      	add	sp, #12
    b588:	bd00      	pop	{pc}
    b58a:	46c0      	nop			(mov r8, r8)

; written into table @81006C by 0xb36a when the device ID from 0xb528 is 0x2101
    b58c:	0081a61c
    b590:	0081a8b4
    b594:	0081ab4c
; written into table @81006C by 0xb36a when the device ID from 0xb528 is 0x2100
    b598:	0081a4d0
    b59c:	0081a768
    b5a0:	0081aa00
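; The six pointers above look like 6 records of 0x14C bytes each, starting at
; 0x81a4d0; that's offset 0xA04C from the start of copy, 0xC554 in flash.
; As used by 0xb448 and 0xb46c, each record holds a count N at +4 (only the low
; byte is read) followed by N+1 addresses from +8; ID 0x2100 selects records
; 0, 2 and 4, ID 0x2101 selects records 1, 3 and 5.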

    b5a4:	12345678
    b5a8:	0000227e
    b5ac:	00002221
    b5b0:	00003133
    b5b4:	00002101

    c554:	00000000
    c558:	00000036
    c55c:	02480000
    c560:	02490000
    c564:	024a0000
    c568:	024b0000
    c56c:	024c0000
    c570:	024d0000
    c574:	024e0000
    c578:	024f0000
    c57c:	02500000
    c580:	02510000
    c584:	02520000
    c588:	02530000
    c58c:	02540000
    c590:	02550000
    c594:	02560000
    c598:	02570000
    c59c:	02580000
    c5a0:	02590000
    c5a4:	025a0000
    c5a8:	025b0000
    c5ac:	025c0000
    c5b0:	025d0000
    c5b4:	025e0000
    c5b8:	025f0000
    c5bc:	02600000
    c5c0:	02610000
    c5c4:	02620000
    c5c8:	02630000
    c5cc:	02640000
    c5d0:	02650000
    c5d4:	02660000
    c5d8:	02670000
    c5dc:	02680000
    c5e0:	02690000
    c5e4:	026a0000
    c5e8:	026b0000
    c5ec:	026c0000
    c5f0:	026d0000
    c5f4:	026e0000
    c5f8:	026f0000
    c5fc:	02700000
    c600:	02710000
    c604:	02720000
    c608:	02730000
    c60c:	02740000
    c610:	02750000
    c614:	02760000
    c618:	02770000
    c61c:	02780000
    c620:	02790000
    c624:	027a0000
    c628:	027b0000
    c62c:	027c0000
    c630:	027d0000
    c634:	027e0000
	...
    c6a4:	0000000f
    c6a8:	02480000
    c6ac:	024c0000
    c6b0:	02500000
    c6b4:	02540000
    c6b8:	02580000
    c6bc:	025c0000
    c6c0:	02600000
    c6c4:	02640000
    c6c8:	02680000
    c6cc:	026c0000
    c6d0:	02700000
    c6d4:	02740000
    c6d8:	02780000
    c6dc:	027c0000
    c6e0:	027d0000
    c6e4:	027e0000
	...
    c7ec:	00000001
    c7f0:	00000001
    c7f4:	027e0000
    c7f8:	027f0000
	...
    c938:	00000001
    c93c:	00000001
    c940:	027e0000
    c944:	027f0000
	...
    ca84:	00000002
    ca88:	00000008
    ca8c:	027f0000
    ca90:	027f2000
    ca94:	027f4000
    ca98:	027f6000
    ca9c:	027f8000
    caa0:	027fa000
    caa4:	027fc000
    caa8:	027fe000
    caac:	02800000
	...
    cbd0:	00000002
    cbd4:	00000001
    cbd8:	027f0000
    cbdc:	02800000
	...
    cd1c:	00030000
    cd20:	00040000
    cd24:	00050000
    cd28:	00060000
    cd2c:	00070000
    cd30:	00080000
    cd34:	00090000
    cd38:	000a0000
    cd3c:	000b0000
    cd40:	000c0000
    cd44:	000d0000
    cd48:	000e0000
    cd4c:	000f0000
    cd50:	00100000
    cd54:	00110000
    cd58:	00120000
    cd5c:	00130000
    cd60:	00140000
    cd64:	00150000
    cd68:	00160000
    cd6c:	00170000
    cd70:	00180000
    cd74:	00190000
    cd78:	001a0000
    cd7c:	001b0000
    cd80:	001c0000
    cd84:	001d0000
    cd88:	001e0000
    cd8c:	001f0000
    cd90:	00200000
    cd94:	00210000
    cd98:	00220000
    cd9c:	00230000
    cda0:	00240000
    cda4:	00250000
    cda8:	00260000
    cdac:	00270000
    cdb0:	00280000
    cdb4:	00290000
    cdb8:	002a0000
    cdbc:	002b0000
    cdc0:	002c0000
    cdc4:	002d0000
    cdc8:	002e0000
    cdcc:	002f0000
    cdd0:	00300000
    cdd4:	00310000
    cdd8:	00320000
    cddc:	00330000
    cde0:	00340000
    cde4:	00350000
    cde8:	00360000
    cdec:	00370000
    cdf0:	00380000
    cdf4:	00390000
    cdf8:	003a0000
    cdfc:	003b0000
    ce00:	003c0000
    ce04:	003d0000
    ce08:	003e0000
    ce0c:	003f0000
    ce10:	00400000
    ce14:	00410000
    ce18:	00420000
    ce1c:	00430000
    ce20:	00440000
    ce24:	00450000
    ce28:	00460000
    ce2c:	00470000
    ce30:	00480000
    ce34:	00490000
    ce38:	004a0000
    ce3c:	004b0000
    ce40:	004c0000
    ce44:	004d0000
    ce48:	004e0000
    ce4c:	004f0000
    ce50:	00500000
    ce54:	00510000
    ce58:	00520000
    ce5c:	00530000
    ce60:	00540000
    ce64:	00550000
    ce68:	00560000
    ce6c:	00570000
    ce70:	00580000
    ce74:	00590000
    ce78:	005a0000
    ce7c:	005b0000
    ce80:	005c0000
    ce84:	005d0000
    ce88:	005e0000
    ce8c:	005f0000
    ce90:	00600000
    ce94:	00610000
    ce98:	00620000
    ce9c:	00630000
    cea0:	00640000
    cea4:	00650000
    cea8:	00660000
    ceac:	00670000
    ceb0:	00680000
    ceb4:	00690000
    ceb8:	006a0000
    cebc:	006b0000
    cec0:	006c0000
    cec4:	006d0000
    cec8:	006e0000
    cecc:	006f0000
    ced0:	00700000
    ced4:	00710000
    ced8:	00720000
    cedc:	00730000
    cee0:	00740000
    cee4:	00750000
    cee8:	00760000
    ceec:	00770000
    cef0:	00780000
    cef4:	00790000
    cef8:	007a0000
    cefc:	007b0000
    cf00:	007c0000
    cf04:	007d0000
    cf08:	007e0000
    cf0c:	007f0000

    cf10:	00030000
    cf14:	00040000
    cf18:	00080000
    cf1c:	000c0000
    cf20:	00100000
    cf24:	00140000
    cf28:	00180000
    cf2c:	001c0000
    cf30:	00200000
    cf34:	00240000
    cf38:	00280000
    cf3c:	002c0000
    cf40:	00300000
    cf44:	00340000
    cf48:	00380000
    cf4c:	003c0000
    cf50:	00400000
    cf54:	00440000
    cf58:	00480000
    cf5c:	004c0000
    cf60:	00500000
    cf64:	00540000
    cf68:	00580000
    cf6c:	005c0000
    cf70:	00600000
    cf74:	00640000
    cf78:	00680000
    cf7c:	006c0000
    cf80:	00700000
    cf84:	00740000
    cf88:	00780000
    cf8c:	007c0000

CF8F: last copied byte

<CF90-1F9FF: all FFs>

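; initialized data table: each entry appears to be a byte length, a destination
; RAM address, and the initial data padded to a word boundary; a zero length
; word ends the table (e.g. the 0xC-byte entry presets the table @81006C)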
   1fa00:	00000001
   1fa04:	00810020
   1fa08:	c046c000

   1fa0c:	00000001
   1fa10:	00810021
   1fa14:	c046c000

   1fa18:	00000004
   1fa1c:	00810024
   1fa20:	00000000

   1fa24:	0000000c
   1fa28:	0081006c
   1fa2c:	0081a4d0
   1fa30:	0081a768
   1fa34:	0081aa00

   1fa38:	00000002
   1fa3c:	00810014
   1fa40:	46c00000

   1fa44:	00000002
   1fa48:	00810016
   1fa4c:	46c00000

   1fa50:	00000001
   1fa54:	00810018
   1fa58:	c046c000

   1fa5c:	00000001
   1fa60:	00810019
   1fa64:	000000bc

   1fa68:	00000001
   1fa6c:	00800000
   1fa70:	a0000000

   1fa74:	00000001
   1fa78:	0081047c
   1fa7c:	00000000

   1fa80:	00000004
   1fa84:	00810078
   1fa88:	00000000

   1fa8c:	00000004
   1fa90:	0081001c
   1fa94:	00000000
   1fa98:	00000000

<1FA9C-2FFBF: all FFs>

0002FFC0:  42 43 5F 44 39 31 30 2E  30 2E 31 36 00 00 00 00  BC_D910.0.16....
0002FFD0:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
*