changeset 12:25b016d16602
boot ROM re: making inroads into the 0x2c8 routine
author | Michael Spacefalcon <msokolov@ivan.Harhan.ORG> |
date | Wed, 24 Apr 2013 19:32:45 +0000 |
parents | a51729642295 |
children | e0ce45f043c0 |
files | bootrom.disasm bootrom.notes |
diffstat | 2 files changed, 86 insertions(+), 21 deletions(-) [+] |
--- a/bootrom.disasm Sun Apr 21 21:48:50 2013 +0000
+++ b/bootrom.disasm Wed Apr 24 19:32:45 2013 +0000
@@ -209,32 +209,55 @@
 2c0: eb00040f bl 0x1304
 2c4: e8bd8000 ldmia sp!, {pc}
+; Routine at 0x2c8 - called from 0x1090. It receives and interprets
+; the 2nd byte that comes after the '<'. It appears that this function
+; only decodes the several known commands, but doesn't actually execute
+; them. If a byte was received during the allowed time (set by the 800104
+; variable), this function returns 1 and sets the *R0 byte to the decoding
+; result. If no byte was received, this function returns 0; ditto if a
+; timeout occurred while waiting for additional bytes.
+;
+; Arguments:
+; R0 points to a byte of RAM, an additional output
+;
+; *R0 return byte values:
+; 00 = got nothing (timeout) or an invalid/non-understood command
+; 01 = got 'i'
+; 02 =
+; 03 =
+; 04 = got 'c', 1 additional byte received, extended to a half-word
+; and written to 80052C
+; 05 = got 'a'
+; 06 = got 'b', 4 bytes written to 800538
+
 2c8: e92d4ff0 stmdb sp!, {r4, r5, r6, r7, r8, r9, r10, r11, lr}
 2cc: e24dd004 sub sp, sp, #4 ; 0x4
 2d0: e1a0b000 mov r11, r0
 2d4: e3a05000 mov r5, #0 ; 0x0
 2d8: e5cb5000 strb r5, [r11]
- 2dc: e59f7b30 ldr r7, [pc, #2864] ; 0xe14
- 2e0: e59f4b1c ldr r4, [pc, #2844] ; 0xe04
- 2e4: e5d40008 ldrb r0, [r4, #8]
- 2e8: e5971000 ldr r1, [r7]
+ 2dc: e59f7b30 ldr r7, =0x800104 ; via 0xe14
+ 2e0: e59f4b1c ldr r4, =0x800518 ; via 0xe04
+ 2e4: e5d40008 ldrb r0, [r4, #8] ; read 800520
+ 2e8: e5971000 ldr r1, [r7] ; read 800104
 2ec: e28d2002 add r2, sp, #2 ; 0x2
 2f0: eb00044c bl 0x1428
 2f4: e3500000 cmp r0, #0 ; 0x0
 2f8: 0a0000fc beq 0x6f0
 2fc: e5ddc002 ldrb r12, [sp, #2]
- 300: e25cc061 subs r12, r12, #97 ; 0x61
+ 300: e25cc061 subs r12, r12, #97 ; 0x61 'a'
 304: 0a000104 beq 0x71c
- 308: e25cc001 subs r12, r12, #1 ; 0x1
+ 308: e25cc001 subs r12, r12, #1 ; 0x1 'b'
 30c: 0a0000ee beq 0x6cc
- 310: e25cc001 subs r12, r12, #1 ; 0x1
+ 310: e25cc001 subs r12, r12, #1 ; 0x1 'c'
 314: 0a0000e1 beq 0x6a0
- 318: e25cc006 subs r12, r12, #6 ; 0x6
+ 318: e25cc006 subs r12, r12, #6 ; 0x6 'i'
31c: 0a0000dc beq 0x694
- 320: e25cc007 subs r12, r12, #7 ; 0x7
+ 320: e25cc007 subs r12, r12, #7 ; 0x7 'p'
 324: 0a0000b8 beq 0x60c
- 328: e25cc007 subs r12, r12, #7 ; 0x7
+ 328: e25cc007 subs r12, r12, #7 ; 0x7 'w'
 32c: 1a0000fc bne 0x724
+; got 'w'
+; R4=0x800518, byte at 80053C used for something, init to 0
 330: e5c45018 strb r5, [r4, #24]
 334: e3a0a000 mov r10, #0 ; 0x0
 338: e3a06000 mov r6, #0 ; 0x0
@@ -418,6 +441,7 @@
 600: e3500001 cmp r0, #1 ; 0x1
 604: 0afffff9 beq 0x5f0
 608: ea000045 b 0x724
+; got 'p'
 60c: e59f67f8 ldr r6, [pc, #2040] ; 0xe0c
 610: e3a08009 mov r8, #9 ; 0x9
 614: e5d40008 ldrb r0, [r4, #8]
@@ -452,9 +476,11 @@
 688: e3a0c002 mov r12, #2 ; 0x2
 68c: e5cbc000 strb r12, [r11]
 690: ea000023 b 0x724
+; got 'i'
 694: e3a0c001 mov r12, #1 ; 0x1
 698: e5cbc000 strb r12, [r11]
 69c: ea000020 b 0x724
+; got 'c'
 6a0: e5d40008 ldrb r0, [r4, #8]
 6a4: e5971000 ldr r1, [r7]
 6a8: e28d2002 add r2, sp, #2 ; 0x2
@@ -466,6 +492,8 @@
 6c0: e3a0c004 mov r12, #4 ; 0x4
 6c4: e5cbc000 strb r12, [r11]
 6c8: ea000015 b 0x724
+; got 'b'
+; R4=0x800518
 6cc: e3a0c000 mov r12, #0 ; 0x0
 6d0: e584c014 str r12, [r4, #20]
 6d4: e3a05004 mov r5, #4 ; 0x4
@@ -486,11 +514,14 @@
 710: e3a0c006 mov r12, #6 ; 0x6
 714: e5cbc000 strb r12, [r11]
 718: ea000001 b 0x724
+; got 'a'
 71c: e3a0c005 mov r12, #5 ; 0x5
 720: e5cbc000 strb r12, [r11]
+; common return for 'got something', including invalid (non-understood) commands
 724: e3a00001 mov r0, #1 ; 0x1
 728: e28dd004 add sp, sp, #4 ; 0x4
 72c: e8bd8ff0 ldmia sp!, {r4, r5, r6, r7, r8, r9, r10, r11, pc}
+
 730: e92d43f0 stmdb sp!, {r4, r5, r6, r7, r8, r9, lr}
 734: e59f46c8 ldr r4, [pc, #1736] ; 0xe04
 738: e5d4c018 ldrb r12, [r4, #24]
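Review bot: The return-code table in the new header comment leaves 02 and 03 blank, although code 2 is visibly stored at 688 (`mov r12, #2` / `strb r12, [r11]`), which lies between the `; got 'p'` entry at 60c and the `; got 'i'` entry at 694 and ends with `b 0x724`, so 02 appears to be a result of the 'p' handler; recording that as `; 02 = set at 688, apparently within the 'p' handler (condition TBD)` is better than an empty slot. The scratch slot also deserves a line: 2cc reserves 4 bytes, 2ec passes `sp+2` to 0x1428 and 2fc reads that byte back, so `; r2 -> 1-byte rx slot at [sp+2], filled by 0x1428` at 2ec would make clear that the received command byte lives on the stack while *R0 only carries the decoded result. 2dc/2e0 were rewritten to the `ldr rN, =0x... ; via 0x...` form, but 60c (`ldr r6, [pc, #2040] ; 0xe0c`) and 734 (`ldr r4, [pc, #1736] ; 0xe04`) in the later hunks keep the raw form; per the pool entries at e0c/e04 these read as `ldr r6, =0x80010c ; via 0xe0c` and `ldr r4, =0x800518 ; via 0xe04`. The body of the 0x2c8 routine between 338 and 600, and the 0x6f0 path taken when 0x1428 returns 0, lie outside these hunks.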
@@ -931,16 +962,17 @@
 dfc: e28dd008 add sp, sp, #8 ; 0x8
 e00: e8bd8070 ldmia sp!, {r4, r5, r6, pc}
- e04: 00800518 addeq r0, r0, r8, lsl r5
- e08: 00001fcc andeq r1, r0, r12, asr #31
- e0c: 0080010c addeq r0, r0, r12, lsl #2
- e10: 00800520 addeq r0, r0, r0, lsr #10
- e14: 00800104 addeq r0, r0, r4, lsl #2
- e18: 00800750 addeq r0, r0, r0, asr r7
- e1c: 0007f8af andeq pc, r7, pc, lsr #17
- e20: 000fffff streqd pc, [pc], -pc
- e24: 00800108 addeq r0, r0, r8, lsl #2
- e28: 00800528 addeq r0, r0, r8, lsr #10
+; literal pool
+ e04: 00800518
+ e08: 00001fcc
+ e0c: 0080010c
+ e10: 00800520
+ e14: 00800104
+ e18: 00800750
+ e1c: 0007f8af
+ e20: 000fffff
+ e24: 00800108
+ e28: 00800528
 ; The following routine performs basic sanity initialization
 ; of the memory map and clocking.
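Review bot: Each literal-pool word is now printed bare, so a reader still has to search the listing for `via 0xe14` to learn what a slot holds; annotating the entries with their consumers closes that loop, e.g. `e14: 00800104 ; wait-time word, loaded at 2dc` and `e04: 00800518 ; RAM variable base, loaded at 2e0 and 734`. Slots e08 (00001fcc), e1c (0007f8af) and e20 (000fffff) have no consumer visible in this changeset; marking them `; consumer TBD` keeps the annotation honest until a reference is found.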
--- a/bootrom.notes Sun Apr 21 21:48:50 2013 +0000 +++ b/bootrom.notes Wed Apr 24 19:32:45 2013 +0000 @@ -28,6 +28,34 @@ as if nIBOOT were high) and causes the watchdog timer to go off, resetting the ARM core and causing it to execute the external nCS0 reset vector. +UART protocol + +The external host initiates every operation by sending a command to the +Calypso target running the boot ROM code. Every command begins with '<' and +a lowercase ASCII letter; just the initial '<' is sufficient to interrupt +the flash image autoboot. The external host shound send these commands at +19200 baud, 8N1, and the boot ROM will intuit whether the Calypso is being +clocked with 13 or 26 MHz by trying the two possible clocking setups +alternately, with the UART baud rate registers set to /42 in both cases, +until a clean '<' is received. + +Commands: + +<a + +<b + +Followed by 4 bytes, giving a 32-bit value in MSB-first order. The value is +written to 800538, and the 0x2c8 function returns code 6. + +<c + +<i + +<p + +<w + RAM layout: 800000 7 words: @@ -40,7 +68,8 @@ 800038: The helper routine for transferring control to type 1 flash images is copied to and run here. 800100: the last word of the above routine -800104: word initialized to 0x0001D4C0 +800104: word initialized to 0x0001D4C0 - tells the 0x2c8 routine + how long to wait for a character 800108: byte initialized to 0x01 800520: byte variable filled every time the 0xfb4 routine is called @@ -48,8 +77,12 @@ 800524: byte variable filled every time the 0xfb4 routine is called filled with a copy of 800534 +80052C: byte following the '<c' command is extended to a half-word and + written here + 800534: byte initialized to 0x00, then may be set to 1 by the 0xfb4 routine if it selects /1 clock mode. +800538: word holds the argument of the '<b' command 8005C0: appears to be the intended low address (bottom) of the stack 80074C: top of the stack (initial value loaded into SP)