changeset 2:979d97fe75eb

boot ROM rev eng: progressing on the RESET code
author Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
date Mon, 15 Apr 2013 04:51:12 +0000 (2013-04-15)
parents 4b5e22875181
children e3f8fe6a848e
files bootrom.disasm
diffstat 1 files changed, 67 insertions(+), 31 deletions(-) [+]
--- a/bootrom.disasm	Mon Apr 15 04:02:55 2013 +0000
+++ b/bootrom.disasm	Mon Apr 15 04:51:12 2013 +0000
@@ -1349,35 +1349,56 @@
     1490:	ffff6000 	swinv	0x00ff6000
     1494:	00001fd4 	ldreqd	r1, [r0], -r4
 
-The RESET entry point branches here:
-    1498:	e59f003c 	ldr	r0, [pc, #60]	; 0x14dc
-    149c:	e59f103c 	ldr	r1, [pc, #60]	; 0x14e0
+; The RESET entry point branches here
+;
+; First order of business: copy the 7 vector instructions from
+; 0x1FE0 to 0x80001C.
+    1498:	e59f003c 	ldr	r0, =0x1FE0	; via 0x14dc
+    149c:	e59f103c 	ldr	r1, =0x80001C	; via 0x14e0
     14a0:	e3a02000 	mov	r2, #0	; 0x0
     14a4:	e7903002 	ldr	r3, [r0, r2]
     14a8:	e7813002 	str	r3, [r1, r2]
     14ac:	e2822004 	add	r2, r2, #4	; 0x4
     14b0:	e352001c 	cmp	r2, #28	; 0x1c
     14b4:	1afffffa 	bne	0x14a4
-    14b8:	e59f0014 	ldr	r0, [pc, #20]	; 0x14d4
-    14bc:	e59f1014 	ldr	r1, [pc, #20]	; 0x14d8
+; done with that; now set up the stack
+    14b8:	e59f0014 	ldr	r0, =0x8005C0	; via 0x14d4
+    14bc:	e59f1014 	ldr	r1, =0x190	; via 0x14d8
     14c0:	e2411004 	sub	r1, r1, #4	; 0x4
     14c4:	e0802001 	add	r2, r0, r1
     14c8:	e3c22003 	bic	r2, r2, #3	; 0x3
     14cc:	e1a0d002 	mov	sp, r2
     14d0:	ea000003 	b	0x14e4
 
-    14d4:	008005c0 	addeq	r0, r0, r0, asr #11
-    14d8:	00000190 	muleq	r0, r0, r1
-    14dc:	00001fe0 	andeq	r1, r0, r0, ror #31
-    14e0:	0080001c 	addeq	r0, r0, r12, lsl r0
+; literals for the above code
+    14d4:	008005c0
+    14d8:	00000190
+    14dc:	00001fe0
+    14e0:	0080001c
 
-    14e4:	e59f0078 	ldr	r0, [pc, #120]	; 0x1564
+; continuation of the RESET entry code
+    14e4:	e59f0078 	ldr	r0, =0x1694	; via 0x1564
     14e8:	e3700001 	cmn	r0, #1	; 0x1
     14ec:	1b000003 	blne	0x1500
     14f0:	ebffff38 	bl	0x11d8
     14f4:	e3a00001 	mov	r0, #1	; 0x1
     14f8:	eb000022 	bl	0x1588
     14fc:	eafffffe 	b	0x14fc
+
+; 0x1500: Subroutine entry
+;
+; This routine initializes multiple RAM areas from a single ROM init data
+; table.  Takes one argument in R0, which points to the ROM table.
+; The ROM table consists of one or more abutted variable-length records,
+; each of the following format:
+;
+; 1 word: number of bytes to copy (may or may not be word-aligned)
+; 1 word: copy destination address (ditto)
+; variable length: data to be copied
+; 0 to 3 bytes of padding to put the next record on a word boundary
+;
+; The list is terminated by a zero word.
+
     1500:	ea000011 	b	0x154c
     1504:	e4901004 	ldr	r1, [r0], #4
     1508:	e3110003 	tst	r1, #3	; 0x3
@@ -1402,9 +1423,10 @@
     1554:	1affffea 	bne	0x1504
     1558:	e1a0f00e 	mov	pc, lr
 
-    155c:	008005c0 	addeq	r0, r0, r0, asr #11
-    1560:	00000190 	muleq	r0, r0, r1
-    1564:	00001694 	muleq	r0, r4, r6
+; literal pool
+    155c:	008005c0	; low address of the stack - unused duplicate?
+    1560:	00000190	; size of the stack - ditto
+    1564:	00001694
 
     1568:	e3140001 	tst	r4, #1	; 0x1
     156c:	1a000000 	bne	0x1574
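Review bot: The literal at 0x1564 is the one value in this pool that visible code actually uses — it is the PC-relative source of `ldr r0, =0x1694` at 0x14E4 — yet it is the only one left without a comment; label it `1564: 00001694 ; pointer to the RAM init table at 0x1694, loaded at 0x14E4`. The "unused duplicate?" questions on 0x155C/0x1560 can only be settled by searching the whole listing for PC-relative loads that resolve to those addresses; nothing in this hunk references them, so leaving the question mark is appropriate until that search is done.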
@@ -1414,7 +1436,9 @@
     157c:	e28fe001 	add	lr, pc, #1	; 0x1
     1580:	e12fff1c 	bx	r12
     1584:	46c04720 	strmib	r4, [r0], r0, lsr #14
+
     1588:	eafffffe 	b	0x1588
+
     158c:	e92d4010 	stmdb	sp!, {r4, lr}
     1590:	e1a04000 	mov	r4, r0
     1594:	e1b0c0a4 	movs	r12, r4, lsr #1
@@ -1474,6 +1498,9 @@
     166c:	e2511004 	subs	r1, r1, #4	; 0x4
     1670:	1afffffb 	bne	0x1664
     1674:	e12fff1e 	bx	lr
+
+; The soft-vector pointers at 0x800000 are initially set to point
+; to the ROM addresses of the following 7 tight-loop branch instructions:
     1678:	eafffffe 	b	0x1678
     167c:	eafffffe 	b	0x167c
     1680:	eafffffe 	b	0x1680
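Review bot: The new comment says where the soft-vector pointers initially point but not what that means operationally: each of these words is a branch-to-self, so an exception taken through a soft vector before the firmware replaces the corresponding pointer in RAM spins here with no return and no recovery path visible in this listing; add e.g. `; default handlers: each is an endless self-branch, so any exception dispatched before 0x800000.. is overwritten hangs the core`. The init table at 0x169C..0x16B4 also fixes the mapping — 0x1678 is the initial content of the slot at 0x800000, 0x167C of 0x800004, and so on up to 0x1690 at 0x800018 — which is worth stating per line (`1678: ... ; initial target of soft-vector slot 0x800000`); which ARM exception each slot serves is not determinable from these hunks and should be left open. Note that the 0x1684 loop referenced by the comment falls between this hunk and the next.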
@@ -1481,25 +1508,34 @@
     1688:	eafffffe 	b	0x1688
     168c:	eafffffe 	b	0x168c
     1690:	eafffffe 	b	0x1690
-    1694:	0000001c 	andeq	r0, r0, r12, lsl r0
-    1698:	00800000 	addeq	r0, r0, r0
-    169c:	00001678 	andeq	r1, r0, r8, ror r6
-    16a0:	0000167c 	andeq	r1, r0, r12, ror r6
-    16a4:	00001680 	andeq	r1, r0, r0, lsl #13
-    16a8:	00001684 	andeq	r1, r0, r4, lsl #13
-    16ac:	00001688 	andeq	r1, r0, r8, lsl #13
-    16b0:	0000168c 	andeq	r1, r0, r12, lsl #13
-    16b4:	00001690 	muleq	r0, r0, r6
-    16b8:	00000004 	andeq	r0, r0, r4
-    16bc:	00800104 	addeq	r0, r0, r4, lsl #2
-    16c0:	0001d4c0 	andeq	sp, r1, r0, asr #9
-    16c4:	00000001 	andeq	r0, r0, r1
-    16c8:	00800108 	addeq	r0, r0, r8, lsl #2
-    16cc:	00000001 	andeq	r0, r0, r1
-    16d0:	00000001 	andeq	r0, r0, r1
-    16d4:	00800534 	addeq	r0, r0, r4, lsr r5
 
-; The word at 0x16D4 appears to be the last word of the actual boot
+; RAM init table for the 0x1500 subroutine
+; vector init
+    1694:	0000001c
+    1698:	00800000
+    169c:	00001678
+    16a0:	0000167c
+    16a4:	00001680
+    16a8:	00001684
+    16ac:	00001688
+    16b0:	0000168c
+    16b4:	00001690
+; another record
+    16b8:	00000004
+    16bc:	00800104
+    16c0:	0001d4c0
+; another record
+    16c4:	00000001
+    16c8:	00800108
+    16cc:	00000001
+; another record
+    16d0:	00000001
+    16d4:	00800534
+    16d8:	00000000
+; end marker
+    16dc:	00000000
+
+; The word at 0x16DC appears to be the last word of the actual boot
 ; code + data.  Between here and 0x1FCC we've got what looks like
 ; filler: