changeset 16:383a4ef12551
boot ROM re: getting the download state machine, <p parsed
author | Michael Spacefalcon <msokolov@ivan.Harhan.ORG> |
---|---|
date | Thu, 25 Apr 2013 03:16:17 +0000 |
parents | 2e3cecd6716c |
children | d2206cb5f8b4 |
files | bootrom.disasm bootrom.notes |
diffstat | 2 files changed, 88 insertions(+), 15 deletions(-) [+] |
--- a/bootrom.disasm Thu Apr 25 00:08:51 2013 +0000
+++ b/bootrom.disasm Thu Apr 25 03:16:17 2013 +0000
@@ -154,7 +154,7 @@
 1dc: e3a0c043 mov r12, #67 ; 0x43 'C'
 1e0: e5c0c001 strb r12, [r0, #1]
 1e4: e59fcc18 ldr r12, =0x800518 ; via 0xe04
- 1e8: e5dc1010 ldrb r1, [r12, #16]
+ 1e8: e5dc1010 ldrb r1, [r12, #16] ; byte from 800528
 1ec: e5c01002 strb r1, [r0, #2]
 1f0: e5dc2008 ldrb r2, [r12, #8]
 1f4: e3a01003 mov r1, #3 ; 0x3
@@ -653,6 +653,7 @@
 8d8: 0a000047 beq 0x9fc
 8dc: e25cc001 subs r12, r12, #1 ; 0x1
 8e0: 1a000145 bne 0xdfc
+; state 04
 8e4: e250c001 subs r12, r0, #1 ; 0x1
 8e8: 0a00003c beq 0x9e0
 8ec: e25cc002 subs r12, r12, #2 ; 0x2
@@ -723,6 +724,7 @@
 9f0: e3a0c004 mov r12, #4 ; 0x4
 9f4: e5c4c000 strb r12, [r4]
 9f8: ea0000ff b 0xdfc
+; state 03
 9fc: e250c001 subs r12, r0, #1 ; 0x1
 a00: 0a000037 beq 0xae4
 a04: e25cc002 subs r12, r12, #2 ; 0x2
@@ -788,6 +790,7 @@
 af4: e3a0c003 mov r12, #3 ; 0x3
 af8: e5c4c000 strb r12, [r4]
 afc: ea0000be b 0xdfc
+; state 02
 b00: e250c001 subs r12, r0, #1 ; 0x1
 b04: 0a00006c beq 0xcbc
 b08: e25cc001 subs r12, r12, #1 ; 0x1
@@ -800,18 +803,26 @@
 b24: 0a00000c beq 0xb5c
 b28: e25cc001 subs r12, r12, #1 ; 0x1
 b2c: 1a0000b2 bne 0xdfc
+; '<b' in state 02
+; respond with >B error
 b30: e3a00009 mov r0, #9 ; 0x9
 b34: ebfffd80 bl 0x13c
- b38: e59f52c4 ldr r5, [pc, #708] ; 0xe04
+ b38: e59f52c4 ldr r5, =0x800518 ; via 0xe04
+; reset the baud rate to 19200
 b3c: e5d51008 ldrb r1, [r5, #8]
 b40: e3a00004 mov r0, #4 ; 0x4
 b44: eb000223 bl 0x13d8
+; var init
 b48: e1a00005 mov r0, r5
 b4c: ebfffd72 bl 0x11c
+; state back to 01
 b50: e3a0c001 mov r12, #1 ; 0x1
 b54: e5c4c000 strb r12, [r4]
 b58: ea0000a7 b 0xdfc
- b5c: e59f52a0 ldr r5, [pc, #672] ; 0xe04
+; '<a' in state 02
+; reset back to state 01 at 19200 baud with var init
+; no response msg
+ b5c: e59f52a0 ldr r5, =0x800518 ; via 0xe04
 b60: e1a00005 mov r0, r5
 b64: ebfffd6c bl 0x11c
 b68: e5d51008 ldrb r1, [r5, #8]
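Review bot: The new `; reset the baud rate to 19200` comment at b3c (hunk @@ -800) sits directly above `ldrb r1, [r5, #8]`, which loads the byte at 800520, not a baud value, so the comment does not say which register carries what into 0x13d8. Going by the notes file in this same changeset, 800520 holds the ID of the UART on which '<' arrived and baud code 4 selects 19200, so the comment could read `; reset the baud rate to 19200: 0x13d8(r0 = baud code 4, r1 = UART ID byte from 800520)`. The same three-instruction sequence is annotated the same way at b8c, c14 and d00 in the later hunks and would benefit from the same wording. This makes it easier to audit that every error path reprograms the same UART the session started on.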
@@ -820,18 +831,24 @@
 b74: e3a0c001 mov r12, #1 ; 0x1
 b78: e5c4c000 strb r12, [r4]
 b7c: ea00009e b 0xdfc
+; '<c' in state 02
+; respond with >C error
 b80: e3a00006 mov r0, #6 ; 0x6
 b84: ebfffd6c bl 0x13c
- b88: e59f5274 ldr r5, [pc, #628] ; 0xe04
+ b88: e59f5274 ldr r5, =0x800518 ; via 0xe04
+; reset baud rate to 19200
 b8c: e5d51008 ldrb r1, [r5, #8]
 b90: e3a00004 mov r0, #4 ; 0x4
 b94: eb00020f bl 0x13d8
+; var init
 b98: e1a00005 mov r0, r5
 b9c: ebfffd5e bl 0x11c
+; state back to 01
 ba0: e3a0c001 mov r12, #1 ; 0x1
 ba4: e5c4c000 strb r12, [r4]
 ba8: ea000093 b 0xdfc
- bac: e59f0274 ldr r0, [pc, #628] ; 0xe28
+; '<w' in state 02
+ bac: e59f0274 ldr r0, =0x800528 ; via 0xe28
 bb0: e3a0c000 mov r12, #0 ; 0x0
 bb4: e1c0c0b0 strh r12, [r0]
 bb8: ebfffedc bl 0x730
@@ -843,7 +860,8 @@
 bd0: e3a0c001 mov r12, #1 ; 0x1
 bd4: e5c4c000 strb r12, [r4]
 bd8: ea000087 b 0xdfc
- bdc: e59f6220 ldr r6, [pc, #544] ; 0xe04
+; '<p' in state 02
+ bdc: e59f6220 ldr r6, =0x800518 ; via 0xe04
 be0: e5d6c000 ldrb r12, [r6]
 be4: e35c0000 cmp r12, #0 ; 0x0
 be8: 0a000011 beq 0xc34
@@ -855,16 +873,23 @@
 c00: 0a00000b beq 0xc34
 c04: e35c0004 cmp r12, #4 ; 0x4
 c08: 0a000009 beq 0xc34
+; bad baud rate
+; respond with >P
 c0c: e3a00002 mov r0, #2 ; 0x2
 c10: ebfffd49 bl 0x13c
+; reset the baud rate to 19200
 c14: e5d61008 ldrb r1, [r6, #8]
 c18: e3a00004 mov r0, #4 ; 0x4
 c1c: eb0001ed bl 0x13d8
+; equiv of <i
 c20: e1a00006 mov r0, r6
 c24: ebfffd3c bl 0x11c
+; state machine back to 01
 c28: e3a0c001 mov r12, #1 ; 0x1
 c2c: e5c4c000 strb r12, [r4]
 c30: ea000071 b 0xdfc
+; '<p' in state 02, baud rate code is good
+; same handling as on the initial '<p' that got us here
 c34: e5d6500d ldrb r5, [r6, #13]
 c38: e1d6c0ba ldrh r12, [r6, #10]
 c3c: e20c001f and r0, r12, #31 ; 0x1f
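Review bot: The comment `; equiv of <i` at c20 (hunk @@ -855) labels the same `mov r0, rN` / `bl 0x11c` pair that this changeset calls `; var init` at b48 and b98, and it overstates what the pair does. The '<i' handler visible at de4 in the last hunk calls 0x11c and then also sends a response through 0x13c with r0 = 0, while c20 only calls 0x11c. Using one label everywhere, for example `; var init (0x11c)`, keeps the error paths comparable and avoids implying that a '>i' reply is sent here.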
@@ -893,13 +918,17 @@
 c98: e5d60000 ldrb r0, [r6]
 c9c: e5d61008 ldrb r1, [r6, #8]
 ca0: eb0001cc bl 0x13d8
- ca4: e59fc168 ldr r12, [pc, #360] ; 0xe14
+ ca4: e59fc168 ldr r12, =0x800104 ; via 0xe14
 ca8: e5960004 ldr r0, [r6, #4]
 cac: e58c0000 str r0, [r12]
+; new state is 02 - no change
 cb0: e3a0c002 mov r12, #2 ; 0x2
 cb4: e5c4c000 strb r12, [r4]
 cb8: ea00004f b 0xdfc
- cbc: e59f0140 ldr r0, [pc, #320] ; 0xe04
+; '<i' in state 02
+; same action as initially, but stay in state 02
+; the 800518 variable is reset to 04 by 0x11c, but the UART is not reprogrammed
+ cbc: e59f0140 ldr r0, =0x800518 ; via 0xe04
 cc0: ebfffd15 bl 0x11c
 cc4: e3a00000 mov r0, #0 ; 0x0
 cc8: ebfffd1b bl 0x13c
@@ -914,16 +943,19 @@
 ce8: e24cc001 sub r12, r12, #1 ; 0x1
 cec: e35c0003 cmp r12, #3 ; 0x3
 cf0: 8a000041 bhi 0xdfc
- cf4: e59f5108 ldr r5, [pc, #264] ; 0xe04
+ cf4: e59f5108 ldr r5, =0x800518 ; via 0xe04
 cf8: e1a00005 mov r0, r5
 cfc: ebfffd06 bl 0x11c
+; set UART to 19200 baud
 d00: e5d51008 ldrb r1, [r5, #8]
 d04: e3a00004 mov r0, #4 ; 0x4
 d08: eb0001b2 bl 0x13d8
+; reset state variable to 1
 d0c: e3a0c001 mov r12, #1 ; 0x1
 d10: e5c4c000 strb r12, [r4]
 d14: ea000038 b 0xdfc
- d18: e59f60e4 ldr r6, [pc, #228] ; 0xe04
+; '<p' handler ([800108]==1)
+ d18: e59f60e4 ldr r6, =0x800518 ; via 0xe04
 d1c: e5d6c000 ldrb r12, [r6]
 d20: e35c0000 cmp r12, #0 ; 0x0
 d24: 0a00000c beq 0xd5c
@@ -935,11 +967,13 @@
 d3c: 0a000006 beq 0xd5c
 d40: e35c0004 cmp r12, #4 ; 0x4
 d44: 0a000004 beq 0xd5c
+; bad baud rate requested - respond with >P and throw FSM back to state 1
 d48: e3a00002 mov r0, #2 ; 0x2
 d4c: ebfffcfa bl 0x13c
 d50: e3a0c001 mov r12, #1 ; 0x1
 d54: e5c4c000 strb r12, [r4]
 d58: ea000027 b 0xdfc
+; <p baud rate code is good
 d5c: e5d6500d ldrb r5, [r6, #13]
 d60: e1d6c0ba ldrh r12, [r6, #10]
 d64: e20c001f and r0, r12, #31 ; 0x1f
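Review bot: The label `; '<p' handler ([800108]==1)` at d18 (hunk @@ -914) names the state by its RAM address, while every other handler label added in this changeset uses the form `'<x' in state NN`. Writing it as `; '<p' in state 01` would match `; '<p' in state 02` at bdc and let a reader search for the two '<p' paths with one pattern. The mapping of 800108 to the state variable is already recorded in bootrom.notes, so nothing is lost. The same hunk also uses `; reset state variable to 1` at d0c where the other paths say `; state back to 01`.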
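Review bot: The bad-baud-rate comment at d48 (hunk @@ -935) does not record that this state-01 path differs from the state-02 path at c0c–c30. Here the code only sends the response via 0x13c and stores 1 to the state byte; there is no `bl 0x13d8` and no `bl 0x11c`. The missing 0x13d8 call is presumably fine because the UART has not yet left its initial rate, but the missing 0x11c call means 800518 and the other '<p' parameter variables keep the rejected values. Whether anything later reads them before the next '<i' or '<p' is not visible in this hunk. A second comment line such as `; no 0x11c call here: 800518 and the other <p vars keep the rejected values` would flag this for whoever audits the later states.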
@@ -968,17 +1002,18 @@
 dc0: e5d60000 ldrb r0, [r6]
 dc4: e5d61008 ldrb r1, [r6, #8]
 dc8: eb000182 bl 0x13d8
- dcc: e59f0040 ldr r0, [pc, #64] ; 0xe14
+ dcc: e59f0040 ldr r0, =0x800104 ; via 0xe14
 dd0: e596c004 ldr r12, [r6, #4]
 dd4: e580c000 str r12, [r0]
 dd8: e3a0c002 mov r12, #2 ; 0x2
 ddc: e5c4c000 strb r12, [r4]
 de0: ea000005 b 0xdfc
-; response to '<i' is handled here
+; response to '<i' is handled here (state 01)
 de4: e59f0018 ldr r0, =0x800518 ; via 0xe04
 de8: ebfffccb bl 0x11c
 dec: e3a00000 mov r0, #0 ; 0x0
 df0: ebfffcd1 bl 0x13c
+; state machine back to the initial state
 df4: e3a0c001 mov r12, #1 ; 0x1
 df8: e5c4c000 strb r12, [r4]
 dfc: e28dd008 add sp, sp, #8 ; 0x8
--- a/bootrom.notes Thu Apr 25 00:08:51 2013 +0000 +++ b/bootrom.notes Thu Apr 25 03:16:17 2013 +0000 @@ -39,6 +39,11 @@ alternately, with the UART baud rate registers set to /42 in both cases, until a clean '<' is received. +Once the initial '<' has been received on either UART, the boot ROM only +listens on that port from there onward. There is a timeout between the +successive bytes of a single command, but the ROM will wait forever +for another '<'. + Commands: <a @@ -46,20 +51,43 @@ <b Followed by 4 bytes, giving a 32-bit value in MSB-first order. The value is -written to 800538, and the 0x2c8 function returns code 6. +written to 80052C, and the 0x2c8 function returns code 6. <c <i +Calls the 0x11c routine, then responds with '>i'. + <p Followed by 9 bytes: - 1 byte: goes into var at 800518 - 1 byte: goes into var at 800521 + 1 byte: goes into var at 800518, selects the baud rate: + 0: 115200 + 1: 57600 + 2: 38400 + 3: 28800 + 4: 19200 + 1 byte: goes into var at 800521, controls the 0xef4 routine: + bits <6:2>: R2 arg (PLL_MULT field) + bits <1:0>: R1 arg (PLL_DIV field) 2 bytes: 16-bit MSB-first value goes into var at 800522 + word gives arguments to 0xe2c routine, breaks down as follows: + bit 15: unused + <14:10> arg3 + <9:5> arg2 + <4:0> arg1 1 byte: goes into var at 800525 + remaining arguments to 0xe2c: + <7:4> arg5 + <3:0> arg4 4 bytes: 32-bit MSG-first value goes into var at 80051C + reloads the UART timeout variable 800104 + +Good response: >p 00 04 (4 bytes total) +The baud rate is switched after the above response is sent. + +Error response: >P <w 
@@ -88,6 +116,10 @@ 800104: word initialized to 0x0001D4C0 - tells the 0x2c8 routine how long to wait for a character 800108: byte initialized to 0x01 + state variable for the serial command interface + in the initial state of 01, only <i and <p are accepted + state 02: after successful <p, <w is allowed + state 03: after first successful <w? 80010C: all bytes of a '<w' command after these two command chars are stored starting here this buffer is also used for other scratchpad functions: <p @@ -98,19 +130,25 @@ as a struct - see the routine at 0x11c: 800518: byte variable receives the first parameter byte after '<p' + baud rate code ([0,4] range) init to 04 by '<i' 80051C: 32-bit var set by the '<p' command + reloads the UART timeout variable 800104 800520: byte variable filled every time the 0xfb4 routine is called holds the ID of the UART on which '<' came in, or FF if none 800521: byte variable receives the 2nd parameter byte after '<p' + PLL config 800522: 16-bit var set by the '<p' command + chip select wait state config 800524: byte variable filled every time the 0xfb4 routine is called filled with a copy of 800534 800525: byte var set by the '<p' command + config for the FFFF:F900 register (0xe2c routine) 800526: 16-bit var init to 0 by 0x11c ('<i' handler) byte following the '<c' command is extended to a half-word and written here 800528: 16-bit var init to 0 by 0x11c ('<i' handler) + checksum accum? 80052C: 32-bit var init to 0 by 0x11c ('<i' handler) word holds the argument of the '<b' command