changeset 2:979d97fe75eb
boot ROM rev eng: progressing on the RESET code
author | Michael Spacefalcon <msokolov@ivan.Harhan.ORG> |
date | Mon, 15 Apr 2013 04:51:12 +0000 (2013-04-15) |
parents | 4b5e22875181 |
children | e3f8fe6a848e |
files | bootrom.disasm |
diffstat | 1 files changed, 67 insertions(+), 31 deletions(-) [+] |
--- a/bootrom.disasm Mon Apr 15 04:02:55 2013 +0000
+++ b/bootrom.disasm Mon Apr 15 04:51:12 2013 +0000
@@ -1349,35 +1349,56 @@
 1490: ffff6000 swinv 0x00ff6000
 1494: 00001fd4 ldreqd r1, [r0], -r4
-The RESET entry point branches here:
- 1498: e59f003c ldr r0, [pc, #60] ; 0x14dc
- 149c: e59f103c ldr r1, [pc, #60] ; 0x14e0
+; The RESET entry point branches here
+;
+; First order of business: copy the 7 vector instructions from
+; 0x1FE0 to 0x80001C.
+ 1498: e59f003c ldr r0, =0x1FE0 ; via 0x14dc
+ 149c: e59f103c ldr r1, =0x80001C ; via 0x14e0
 14a0: e3a02000 mov r2, #0 ; 0x0
 14a4: e7903002 ldr r3, [r0, r2]
 14a8: e7813002 str r3, [r1, r2]
 14ac: e2822004 add r2, r2, #4 ; 0x4
 14b0: e352001c cmp r2, #28 ; 0x1c
 14b4: 1afffffa bne 0x14a4
- 14b8: e59f0014 ldr r0, [pc, #20] ; 0x14d4
- 14bc: e59f1014 ldr r1, [pc, #20] ; 0x14d8
+; done with that; now set up the stack
+ 14b8: e59f0014 ldr r0, =0x8005C0 ; via 0x14d4
+ 14bc: e59f1014 ldr r1, =0x190 ; via 0x14d8
 14c0: e2411004 sub r1, r1, #4 ; 0x4
 14c4: e0802001 add r2, r0, r1
 14c8: e3c22003 bic r2, r2, #3 ; 0x3
 14cc: e1a0d002 mov sp, r2
 14d0: ea000003 b 0x14e4
- 14d4: 008005c0 addeq r0, r0, r0, asr #11
- 14d8: 00000190 muleq r0, r0, r1
- 14dc: 00001fe0 andeq r1, r0, r0, ror #31
- 14e0: 0080001c addeq r0, r0, r12, lsl r0
+; literals for the above code
+ 14d4: 008005c0
+ 14d8: 00000190
+ 14dc: 00001fe0
+ 14e0: 0080001c
- 14e4: e59f0078 ldr r0, [pc, #120] ; 0x1564
+; continuation of the RESET entry code
+ 14e4: e59f0078 ldr r0, =0x1694 ; via 0x1564
 14e8: e3700001 cmn r0, #1 ; 0x1
 14ec: 1b000003 blne 0x1500
 14f0: ebffff38 bl 0x11d8
 14f4: e3a00001 mov r0, #1 ; 0x1
 14f8: eb000022 bl 0x1588
 14fc: eafffffe b 0x14fc
+
+; 0x1500: Subroutine entry
+;
+; This routine initializes multiple RAM areas from a single ROM init data
+; table. Takes one argument in R0, which points to the ROM table.
+; The ROM table consists of one or more abutted variable-length records,
+; each of the following format:
+;
+; 1 word: number of bytes to copy (may or may not be word-aligned)
+; 1 word: copy destination address (ditto)
+; variable length: data to be copied
+; 0 to 3 bytes of padding to put the next record on a word boundary
+;
+; The list is terminated by a zero word.
 1500: ea000011 b 0x154c
 1504: e4901004 ldr r1, [r0], #4
 1508: e3110003 tst r1, #3 ; 0x3
@@ -1402,9 +1423,10 @@
 1554: 1affffea bne 0x1504
 1558: e1a0f00e mov pc, lr
- 155c: 008005c0 addeq r0, r0, r0, asr #11
- 1560: 00000190 muleq r0, r0, r1
- 1564: 00001694 muleq r0, r4, r6
+; literal pool
+ 155c: 008005c0 ; low address of the stack - unused duplicate?
+ 1560: 00000190 ; size of the stack - ditto
+ 1564: 00001694
 1568: e3140001 tst r4, #1 ; 0x1
 156c: 1a000000 bne 0x1574
@@ -1414,7 +1436,9 @@
 157c: e28fe001 add lr, pc, #1 ; 0x1
 1580: e12fff1c bx r12
 1584: 46c04720 strmib r4, [r0], r0, lsr #14
+
 1588: eafffffe b 0x1588
+
 158c: e92d4010 stmdb sp!, {r4, lr}
 1590: e1a04000 mov r4, r0
 1594: e1b0c0a4 movs r12, r4, lsr #1
@@ -1474,6 +1498,9 @@
 166c: e2511004 subs r1, r1, #4 ; 0x4
 1670: 1afffffb bne 0x1664
 1674: e12fff1e bx lr
+
+; The soft-vector pointers at 0x800000 are initially set to point
+; to the ROM addresses of the following 7 tight-loop branch instructions:
 1678: eafffffe b 0x1678
 167c: eafffffe b 0x167c
 1680: eafffffe b 0x1680
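Review bot: The new comment before 0x14e4 says only `; continuation of the RESET entry code` and leaves the `cmn r0, #1` / `blne 0x1500` pair at 0x14e8–0x14ec unexplained: the RAM-init routine is called only when the table pointer fetched from 0x1564 is not -1 (0xFFFFFFFF), so a line such as `; call the RAM init routine unless the table pointer literal is -1 (0xFFFFFFFF)` would record that sentinel. The stack comment at 0x14b8 would also be more useful with the computed result, since 0x8005C0 + 0x190 - 4 = 0x80074C and `bic r2, r2, #3` leaves that value unchanged: `; sp = 0x80074C (top of a 0x190-byte stack based at 0x8005C0, word-aligned)`. The `bl 0x1588` at 0x14f8 targets what a later hunk shows as a self-branch (`1588: b 0x1588`); if execution is expected never to return from there, the `mov r0, #1` before it and the `b 0x14fc` hang after it deserve a one-line note saying so, otherwise the target is worth rechecking. The 0x1500 subroutine whose record format is documented here is visible only from 0x1500 to 0x1508 in this hunk, so the description cannot be checked against the parsing code shown.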
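Review bot: The literal at 0x1564 (0x00001694) gets no comment even though the first hunk shows it is the table pointer that `ldr r0, =0x1694 ; via 0x1564` fetches at 0x14e4; adding `; pointer to the RAM init table (loaded by the ldr at 0x14e4)` next to it would tie the two annotations together. The "unused duplicate?" on 0x155c/0x1560 cannot be confirmed from this hunk, which only shows 0x1554–0x156c; the question is settled by checking whether any pc-relative `ldr` in the surrounding code resolves to 0x155c or 0x1560, and the comment could name that as the pending check rather than leaving a bare question mark.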
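Review bot: The comment added before 0x1678 states the initial contents of the seven soft-vector pointers at 0x800000, but the evidence for that claim is the RAM-init record at 0x1694 in the next hunk, not anything in this one; a cross-reference such as `; (established by the 28-byte init record at 0x1694 -> 0x800000)` would let a reader verify it without searching. How the pointers are consumed is not shown in this changeset — the seven instructions the RESET code copies from 0x1FE0 to 0x80001C sit directly after them, which suggests they are the dispatch stubs, but that should be stated as a hypothesis until 0x1FE0 is disassembled.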
@@ -1481,25 +1508,34 @@
 1688: eafffffe b 0x1688
 168c: eafffffe b 0x168c
 1690: eafffffe b 0x1690
- 1694: 0000001c andeq r0, r0, r12, lsl r0
- 1698: 00800000 addeq r0, r0, r0
- 169c: 00001678 andeq r1, r0, r8, ror r6
- 16a0: 0000167c andeq r1, r0, r12, ror r6
- 16a4: 00001680 andeq r1, r0, r0, lsl #13
- 16a8: 00001684 andeq r1, r0, r4, lsl #13
- 16ac: 00001688 andeq r1, r0, r8, lsl #13
- 16b0: 0000168c andeq r1, r0, r12, lsl #13
- 16b4: 00001690 muleq r0, r0, r6
- 16b8: 00000004 andeq r0, r0, r4
- 16bc: 00800104 addeq r0, r0, r4, lsl #2
- 16c0: 0001d4c0 andeq sp, r1, r0, asr #9
- 16c4: 00000001 andeq r0, r0, r1
- 16c8: 00800108 addeq r0, r0, r8, lsl #2
- 16cc: 00000001 andeq r0, r0, r1
- 16d0: 00000001 andeq r0, r0, r1
- 16d4: 00800534 addeq r0, r0, r4, lsr r5
-; The word at 0x16D4 appears to be the last word of the actual boot
+; RAM init table for the 0x1500 subroutine
+; vector init
+ 1694: 0000001c
+ 1698: 00800000
+ 169c: 00001678
+ 16a0: 0000167c
+ 16a4: 00001680
+ 16a8: 00001684
+ 16ac: 00001688
+ 16b0: 0000168c
+ 16b4: 00001690
+; another record
+ 16b8: 00000004
+ 16bc: 00800104
+ 16c0: 0001d4c0
+; another record
+ 16c4: 00000001
+ 16c8: 00800108
+ 16cc: 00000001
+; another record
+ 16d0: 00000001
+ 16d4: 00800534
+ 16d8: 00000000
+; end marker
+ 16dc: 00000000
+
+; The word at 0x16DC appears to be the last word of the actual boot
 ; code + data. Between here and 0x1FCC we've got what looks like
 ; filler:
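Review bot: In the last record the data word at 0x16d8 is zero just like the terminator at 0x16dc, and the new grouping comments do not say why 0x16d8 is not the end marker; under the format documented at 0x1500 a length of 1 means one data byte followed by three bytes of padding, so `; 16d8: one data byte (0x00) + 3 pad bytes, not the end marker` beside it would prevent a mis-read. The `; vector init` heading would likewise be clearer with the destination spelled out: 28 bytes to 0x800000, i.e. the seven words 0x800000–0x800018 set to 0x1678, 0x167c, 0x1680, 0x1684, 0x1688, 0x168c and 0x1690. The decoded meaning of the other records (0x0001d4c0 to 0x800104, a one-byte value taken from the word 0x00000001 to 0x800108, a one-byte 0x00 to 0x800534) depends on how the 0x1500 routine copies non-word-aligned lengths, and only 0x1500–0x1508 and 0x1554–0x1558 of that routine appear in this changeset, so those destinations should be marked provisional until the copy loop is annotated.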