changeset 12:25b016d16602

boot ROM re: making inroads into the 0x2c8 routine
author Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
date Wed, 24 Apr 2013 19:32:45 +0000
parents a51729642295
children e0ce45f043c0
files bootrom.disasm bootrom.notes
diffstat 2 files changed, 86 insertions(+), 21 deletions(-) [+]
--- a/bootrom.disasm	Sun Apr 21 21:48:50 2013 +0000
+++ b/bootrom.disasm	Wed Apr 24 19:32:45 2013 +0000
@@ -209,32 +209,55 @@
      2c0:	eb00040f 	bl	0x1304
      2c4:	e8bd8000 	ldmia	sp!, {pc}
 
+; Routine at 0x2c8 - called from 0x1090.  It receives and interprets
+; the 2nd byte that comes after the '<'.  It appears that this function
+; only decodes the several known commands, but doesn't actually execute
+; them.  If a byte was received during the allowed time (set by the 800104
+; variable), this function returns 1 and sets the *R0 byte to the decoding
+; result.  If no byte was received, this function returns 0; ditto if a
+; timeout occurred while waiting for additional bytes.
+;
+; Arguments:
+;   R0 points to a byte of RAM, an additional output
+;
+; *R0 return byte values:
+;   00 = got nothing (timeout) or an invalid/non-understood command
+;   01 = got 'i'
+;   02 =
+;   03 =
+;   04 = got 'c', 1 additional byte received, extended to a half-word
+;		  and written to 80052C
+;   05 = got 'a'
+;   06 = got 'b', 4 bytes written to 800538
+
      2c8:	e92d4ff0 	stmdb	sp!, {r4, r5, r6, r7, r8, r9, r10, r11, lr}
      2cc:	e24dd004 	sub	sp, sp, #4	; 0x4
      2d0:	e1a0b000 	mov	r11, r0
      2d4:	e3a05000 	mov	r5, #0	; 0x0
      2d8:	e5cb5000 	strb	r5, [r11]
-     2dc:	e59f7b30 	ldr	r7, [pc, #2864]	; 0xe14
-     2e0:	e59f4b1c 	ldr	r4, [pc, #2844]	; 0xe04
-     2e4:	e5d40008 	ldrb	r0, [r4, #8]
-     2e8:	e5971000 	ldr	r1, [r7]
+     2dc:	e59f7b30 	ldr	r7, =0x800104	; via 0xe14
+     2e0:	e59f4b1c 	ldr	r4, =0x800518	; via 0xe04
+     2e4:	e5d40008 	ldrb	r0, [r4, #8]	; read 800520
+     2e8:	e5971000 	ldr	r1, [r7]	; read 800104
      2ec:	e28d2002 	add	r2, sp, #2	; 0x2
      2f0:	eb00044c 	bl	0x1428
      2f4:	e3500000 	cmp	r0, #0	; 0x0
      2f8:	0a0000fc 	beq	0x6f0
      2fc:	e5ddc002 	ldrb	r12, [sp, #2]
-     300:	e25cc061 	subs	r12, r12, #97	; 0x61
+     300:	e25cc061 	subs	r12, r12, #97	; 0x61	'a'
      304:	0a000104 	beq	0x71c
-     308:	e25cc001 	subs	r12, r12, #1	; 0x1
+     308:	e25cc001 	subs	r12, r12, #1	; 0x1	'b'
      30c:	0a0000ee 	beq	0x6cc
-     310:	e25cc001 	subs	r12, r12, #1	; 0x1
+     310:	e25cc001 	subs	r12, r12, #1	; 0x1	'c'
      314:	0a0000e1 	beq	0x6a0
-     318:	e25cc006 	subs	r12, r12, #6	; 0x6
+     318:	e25cc006 	subs	r12, r12, #6	; 0x6	'i'
      31c:	0a0000dc 	beq	0x694
-     320:	e25cc007 	subs	r12, r12, #7	; 0x7
+     320:	e25cc007 	subs	r12, r12, #7	; 0x7	'p'
      324:	0a0000b8 	beq	0x60c
-     328:	e25cc007 	subs	r12, r12, #7	; 0x7
+     328:	e25cc007 	subs	r12, r12, #7	; 0x7	'w'
      32c:	1a0000fc 	bne	0x724
+; got 'w'
+; R4=0x800518, byte at 80053C used for something, init to 0
      330:	e5c45018 	strb	r5, [r4, #24]
      334:	e3a0a000 	mov	r10, #0	; 0x0
      338:	e3a06000 	mov	r6, #0	; 0x0
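Review bot: The address in the new comment at 0x330 does not match the instruction it annotates: `strb r5, [r4, #24]` with R4 = 0x800518 (per the `ldr r4, =0x800518` at 0x2e0) writes 0x800518 + 24 = 800530, not 80053C. Suggest `; R4=0x800518, byte at 800530 used for something, init to 0`; the routine at 0x730 reads the same byte with `ldrb r12, [r4, #24]`, so the two annotations should agree. The 02 entry in the *R0 table is left blank; the `mov r12, #2` / `strb r12, [r11]` at 0x688 sits between the `; got 'p'` and `; got 'i'` labels, so it looks like the 'p' path's result code, though the 'p' handler body is not in this hunk to confirm. The 0x2c8 routine's body runs past the end of the hunk.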
@@ -418,6 +441,7 @@
      600:	e3500001 	cmp	r0, #1	; 0x1
      604:	0afffff9 	beq	0x5f0
      608:	ea000045 	b	0x724
+; got 'p'
      60c:	e59f67f8 	ldr	r6, [pc, #2040]	; 0xe0c
      610:	e3a08009 	mov	r8, #9	; 0x9
      614:	e5d40008 	ldrb	r0, [r4, #8]
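Review bot: The pc-relative load at 0x60c keeps the old `ldr r6, [pc, #2040] ; 0xe0c` form while the loads at 0x2dc and 0x2e0 were rewritten to the `=value ; via pool-address` form; for consistency it could read `ldr r6, =0x80010c ; via 0xe0c` (0x614 + 2040 = 0xe0c, and the literal pool holds 0080010c there). The same applies to `ldr r4, [pc, #1736] ; 0xe04` at 0x734 in the later hunk, which resolves to 0x800518. The enclosing handler continues past the end of the hunk.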
@@ -452,9 +476,11 @@
      688:	e3a0c002 	mov	r12, #2	; 0x2
      68c:	e5cbc000 	strb	r12, [r11]
      690:	ea000023 	b	0x724
+; got 'i'
      694:	e3a0c001 	mov	r12, #1	; 0x1
      698:	e5cbc000 	strb	r12, [r11]
      69c:	ea000020 	b	0x724
+; got 'c'
      6a0:	e5d40008 	ldrb	r0, [r4, #8]
      6a4:	e5971000 	ldr	r1, [r7]
      6a8:	e28d2002 	add	r2, sp, #2	; 0x2
@@ -466,6 +492,8 @@
      6c0:	e3a0c004 	mov	r12, #4	; 0x4
      6c4:	e5cbc000 	strb	r12, [r11]
      6c8:	ea000015 	b	0x724
+; got 'b'
+; R4=0x800518
      6cc:	e3a0c000 	mov	r12, #0	; 0x0
      6d0:	e584c014 	str	r12, [r4, #20]
      6d4:	e3a05004 	mov	r5, #4	; 0x4
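Review bot: The new comment at 0x6cc names only the base register; the `str r12, [r4, #20]` that follows zeroes a word at 0x800518 + 20 = 80052C, which is the location the notes file attributes to the '<c' half-word, while the 'b' argument is said to go to 800538. Either both commands touch 80052C or the notes need adjusting; suggest extending the comment to `; R4=0x800518; word at 80052C cleared first` until that is confirmed. The 'b' handler continues past the end of the hunk.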
@@ -486,11 +514,14 @@
      710:	e3a0c006 	mov	r12, #6	; 0x6
      714:	e5cbc000 	strb	r12, [r11]
      718:	ea000001 	b	0x724
+; got 'a'
      71c:	e3a0c005 	mov	r12, #5	; 0x5
      720:	e5cbc000 	strb	r12, [r11]
+; common return for 'got something', including invalid (non-understood) commands
      724:	e3a00001 	mov	r0, #1	; 0x1
      728:	e28dd004 	add	sp, sp, #4	; 0x4
      72c:	e8bd8ff0 	ldmia	sp!, {r4, r5, r6, r7, r8, r9, r10, r11, pc}
+
      730:	e92d43f0 	stmdb	sp!, {r4, r5, r6, r7, r8, r9, lr}
      734:	e59f46c8 	ldr	r4, [pc, #1736]	; 0xe04
      738:	e5d4c018 	ldrb	r12, [r4, #24]
@@ -931,16 +962,17 @@
      dfc:	e28dd008 	add	sp, sp, #8	; 0x8
      e00:	e8bd8070 	ldmia	sp!, {r4, r5, r6, pc}
 
-     e04:	00800518 	addeq	r0, r0, r8, lsl r5
-     e08:	00001fcc 	andeq	r1, r0, r12, asr #31
-     e0c:	0080010c 	addeq	r0, r0, r12, lsl #2
-     e10:	00800520 	addeq	r0, r0, r0, lsr #10
-     e14:	00800104 	addeq	r0, r0, r4, lsl #2
-     e18:	00800750 	addeq	r0, r0, r0, asr r7
-     e1c:	0007f8af 	andeq	pc, r7, pc, lsr #17
-     e20:	000fffff 	streqd	pc, [pc], -pc
-     e24:	00800108 	addeq	r0, r0, r8, lsl #2
-     e28:	00800528 	addeq	r0, r0, r8, lsr #10
+; literal pool
+     e04:	00800518
+     e08:	00001fcc
+     e0c:	0080010c
+     e10:	00800520
+     e14:	00800104
+     e18:	00800750
+     e1c:	0007f8af
+     e20:	000fffff
+     e24:	00800108
+     e28:	00800528
 
 ; The following routine performs basic sanity initialization
 ; of the memory map and clocking.
--- a/bootrom.notes	Sun Apr 21 21:48:50 2013 +0000
+++ b/bootrom.notes	Wed Apr 24 19:32:45 2013 +0000
@@ -28,6 +28,34 @@
   as if nIBOOT were high) and causes the watchdog timer to go off, resetting
   the ARM core and causing it to execute the external nCS0 reset vector.
 
+UART protocol
+
+The external host initiates every operation by sending a command to the
+Calypso target running the boot ROM code.  Every command begins with '<' and
+a lowercase ASCII letter; just the initial '<' is sufficient to interrupt
+the flash image autoboot.  The external host shound send these commands at
+19200 baud, 8N1, and the boot ROM will intuit whether the Calypso is being
+clocked with 13 or 26 MHz by trying the two possible clocking setups
+alternately, with the UART baud rate registers set to /42 in both cases,
+until a clean '<' is received.
+
+Commands:
+
+<a
+
+<b
+
+Followed by 4 bytes, giving a 32-bit value in MSB-first order.  The value is
+written to 800538, and the 0x2c8 function returns code 6.
+
+<c
+
+<i
+
+<p
+
+<w
+
 RAM layout:
 
 800000 7 words:
@@ -40,7 +68,8 @@
 800038:	The helper routine for transferring control to type 1 flash images
 	is copied to and run here.
 800100:	the last word of the above routine
-800104: word initialized to 0x0001D4C0
+800104: word initialized to 0x0001D4C0 - tells the 0x2c8 routine
+	how long to wait for a character
 800108: byte initialized to 0x01
 
 800520: byte variable filled every time the 0xfb4 routine is called
@@ -48,8 +77,12 @@
 800524: byte variable filled every time the 0xfb4 routine is called
 	filled with a copy of 800534
 
+80052C: byte following the '<c' command is extended to a half-word and
+	written here
+
 800534: byte initialized to 0x00, then may be set to 1 by the 0xfb4
 	routine if it selects /1 clock mode.
+800538: word holds the argument of the '<b' command
 
 8005C0: appears to be the intended low address (bottom) of the stack
 80074C: top of the stack (initial value loaded into SP)