# HG changeset patch # User Michael Spacefalcon # Date 1366042733 0 # Node ID e3f8fe6a848e9ba70e1e4a8bb8172916b0c9ae7c # Parent 979d97fe75eb47c855c6034eb4f1d743eb88571d boot ROM re: started on main() and the 0xe2c routine diff -r 979d97fe75eb -r e3f8fe6a848e bootrom.disasm --- a/bootrom.disasm Mon Apr 15 04:51:12 2013 +0000 +++ b/bootrom.disasm Mon Apr 15 16:18:53 2013 +0000 @@ -928,37 +928,48 @@ e2c: e92d4070 stmdb sp!, {r4, r5, r6, lr} e30: e5dd5010 ldrb r5, [sp, #16] - e34: e59fc48c ldr r12, [pc, #1164] ; 0x12c8 - e38: e59f4484 ldr r4, [pc, #1156] ; 0x12c4 - e3c: e1c4c0b0 strh r12, [r4] - e40: e59f4484 ldr r4, [pc, #1156] ; 0x12cc - e44: e1c4c0b0 strh r12, [r4] - e48: e59f4480 ldr r4, [pc, #1152] ; 0x12d0 +; mask all interrupts + e34: e59fc48c ldr r12, =0xFFFF ; via 0x12c8 + e38: e59f4484 ldr r4, =0xFFFFFA08 ; via 0x12c4 + e3c: e1c4c0b0 strh r12, [r4] ; 1st reg + e40: e59f4484 ldr r4, =0xFFFFFA0A ; via 0x12cc + e44: e1c4c0b0 strh r12, [r4] ; 2nd reg +; disable the watchdog + e48: e59f4480 ldr r4, =0xFFFFF804 ; via 0x12d0 e4c: e3a0c0f5 mov r12, #245 ; 0xf5 - e50: e1c4c0b0 strh r12, [r4] + e50: e1c4c0b0 strh r12, [r4] ; 1st write e54: e3a0c0a0 mov r12, #160 ; 0xa0 - e58: e1c4c0b0 strh r12, [r4] - e5c: e59f4470 ldr r4, [pc, #1136] ; 0x12d4 + e58: e1c4c0b0 strh r12, [r4] ; 2nd write +; write 0x100 into the MCU memory map EXTRA_CONF register (FFFF:FB10) +; forces the memory map to internal ROM, all other bits at +; listed reset default values + e5c: e59f4470 ldr r4, =0xFFFFFB10 ; via 0x12d4 e60: e3a0cc01 mov r12, #256 ; 0x100 e64: e1c4c0b0 strh r12, [r4] - e68: e59f6468 ldr r6, [pc, #1128] ; 0x12d8 +; write 0xFF22 into FFFF:F900 in a convoluted way + e68: e59f6468 ldr r6, =0xFFFFFD00 ; via 0x12d8 e6c: e3a04b01 mov r4, #1024 ; 0x400 e70: e3a0c801 mov r12, #65536 ; 0x10000 e74: e24cc0de sub r12, r12, #222 ; 0xde e78: e106c0b4 strh r12, [r6, -r4] - e7c: e59fc45c ldr r12, [pc, #1116] ; 0x12e0 - e80: e59f4454 ldr r4, [pc, #1108] ; 0x12dc +; DPLL control register written with what looks like the reset default value + e7c: e59fc45c ldr r12, 0x2002 ; via 0x12e0 + e80: e59f4454 ldr r4, =0xFFFF9800 ; via 0x12dc e84: e1c4c0b0 strh r12, [r4] e88: e1b04f8c movs r4, r12, lsl #31 e8c: 1afffffd bne 0xe88 +; write 0x1083 into FFFF:FD00 +; sets the MCU clock to come directly from VTCXO, bypassing DPLL e90: e3a0c083 mov r12, #131 ; 0x83 e94: e28cca01 add r12, r12, #4096 ; 0x1000 e98: e1c6c0b0 strh r12, [r6] +; clear bit 6 of FFFF:FD02 (set VCLKOUT-FR to /1) e9c: e1d6c0b2 ldrh r12, [r6, #2] ea0: e20c40bf and r4, r12, #191 ; 0xbf ea4: e20cccff and r12, r12, #65280 ; 0xff00 ea8: e184c00c orr r12, r4, r12 eac: e1c6c0b2 strh r12, [r6, #2] + eb0: e3a0cc02 mov r12, #512 ; 0x200 eb4: e200001f and r0, r0, #31 ; 0x1f eb8: e3800e2a orr r0, r0, #672 ; 0x2a0 @@ -1166,6 +1177,7 @@ 11d0: e3a00001 mov r0, #1 ; 0x1 11d4: e1a0f00e mov pc, lr +; main() entry point 11d8: e92d4070 stmdb sp!, {r4, r5, r6, lr} 11dc: e24dd008 sub sp, sp, #8 ; 0x8 11e0: e3a0c002 mov r12, #2 ; 0x2 @@ -1226,22 +1238,23 @@ 12bc: e28dd008 add sp, sp, #8 ; 0x8 12c0: e8bd8070 ldmia sp!, {r4, r5, r6, pc} - 12c4: fffffa08 swinv 0x00fffa08 - 12c8: 0000ffff streqd pc, [r0], -pc - 12cc: fffffa0a swinv 0x00fffa0a - 12d0: fffff804 swinv 0x00fff804 - 12d4: fffffb10 swinv 0x00fffb10 - 12d8: fffffd00 swinv 0x00fffd00 - 12dc: ffff9800 swinv 0x00ff9800 - 12e0: 00002002 andeq r2, r0, r2 - 12e4: fffff900 swinv 0x00fff900 - 12e8: ffff5000 swinv 0x00ff5000 - 12ec: 00800534 addeq r0, r0, r4, lsr r5 - 12f0: fffffd02 swinv 0x00fffd02 - 12f4: 00800518 addeq r0, r0, r8, lsl r5 - 12f8: 00800524 addeq r0, r0, r4, lsr #10 - 12fc: 00800104 addeq r0, r0, r4, lsl #2 - 1300: 0000373c andeq r3, r0, r12, lsr r7 +; literal pool + 12c4: fffffa08 + 12c8: 0000ffff + 12cc: fffffa0a + 12d0: fffff804 + 12d4: fffffb10 + 12d8: fffffd00 + 12dc: ffff9800 + 12e0: 00002002 + 12e4: fffff900 + 12e8: ffff5000 + 12ec: 00800534 + 12f0: fffffd02 + 12f4: 00800518 + 12f8: 00800524 + 12fc: 00800104 + 1300: 0000373c 1304: e3510000 cmp r1, #0 ; 0x0 1308: 012fff1e bxeq lr @@ -1380,7 +1393,8 @@ 14e4: e59f0078 ldr r0, =0x1694 ; via 0x1564 14e8: e3700001 cmn r0, #1 ; 0x1 14ec: 1b000003 blne 0x1500 - 14f0: ebffff38 bl 0x11d8 + 14f0: ebffff38 bl 0x11d8 ; main() +; only tight-loop halts from here on 14f4: e3a00001 mov r0, #1 ; 0x1 14f8: eb000022 bl 0x1588 14fc: eafffffe b 0x14fc @@ -1428,6 +1442,8 @@ 1560: 00000190 ; size of the stack - ditto 1564: 00001694 +; The following looks like the TI compiler's IND_CALL library helper + 1568: e3140001 tst r4, #1 ; 0x1 156c: 1a000000 bne 0x1574 1570: e12fff14 bx r4 @@ -1435,7 +1451,8 @@ 1578: e1a0400e mov r4, lr 157c: e28fe001 add lr, pc, #1 ; 0x1 1580: e12fff1c bx r12 - 1584: 46c04720 strmib r4, [r0], r0, lsr #14 + 1584: 4720 bx r4 + 1586: 46c0 nop (mov r8, r8) 1588: eafffffe b 0x1588 @@ -1468,8 +1485,11 @@ 15f4: e1a00004 mov r0, r4 15f8: eb1ffa8e bl 0x800038 15fc: e8bd8010 ldmia sp!, {r4, pc} - 1600: fffffb10 swinv 0x00fffb10 - 1604: 00800038 addeq r0, r0, r8, lsr r0 + +; literal pool + 1600: fffffb10 + 1604: 00800038 + 1608: e92d4000 stmdb sp!, {lr} 160c: e24dd008 sub sp, sp, #8 ; 0x8 1610: e3500001 cmp r0, #1 ; 0x1 @@ -1491,6 +1511,17 @@ 1650: 3afffff9 bcc 0x163c 1654: e28dd008 add sp, sp, #8 ; 0x8 1658: e8bd8000 ldmia sp!, {pc} + +; The following is a bcopy/memcpy-like routine, but with arguments +; in the wrong order (matching neither bcopy nor memcpy): +; +; R0: source address +; R1: # of bytes to copy +; R2: dest address +; +; The addresses must be word-aligned, the length must be a multiple of 4. +; Zero length is OK (no-op). + 165c: e3510000 cmp r1, #0 ; 0x0 1660: 012fff1e bxeq lr 1664: e490c004 ldr r12, [r0], #4 diff -r 979d97fe75eb -r e3f8fe6a848e bootrom.notes --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/bootrom.notes Mon Apr 15 16:18:53 2013 +0000 @@ -0,0 +1,17 @@ +RAM layout: + +800000 7 words: + soft-vector pointers: by default the following 7 words at + 80001C are filled with ldr-jump instructions, which read + from these 7 words and load them into PC +80001C 7 words: + hard vectors: the physical vector locations in the ROM + contain branch instructions to these 7 RAM addresses + +800104: word initialized to 0x0001D4C0 +800108: byte initialized to 0x01 + +800534: byte initialized to 0x00 + +8005C0: appears to be the intended low address (bottom) of the stack +80074C: top of the stack (initial value loaded into SP)