changeset 13:e0ce45f043c0
boot ROM re: continuing plowing through the serial protocol code
author | Michael Spacefalcon <msokolov@ivan.Harhan.ORG> |
date | Wed, 24 Apr 2013 22:48:12 +0000 |
parents | 25b016d16602 |
children | 3443b1b08af4 |
files | bootrom.disasm bootrom.notes |
diffstat | 2 files changed, 52 insertions(+), 12 deletions(-) [+] |
--- a/bootrom.disasm Wed Apr 24 19:32:45 2013 +0000
+++ b/bootrom.disasm Wed Apr 24 22:48:12 2013 +0000
@@ -223,8 +223,9 @@
 ; *R0 return byte values:
 ; 00 = got nothing (timeout) or an invalid/non-understood command
 ; 01 = got 'i'
-; 02 =
-; 03 =
+; 02 = got 'p', 9 additional bytes received, a bunch of vars filled
+; 03 = got 'w', the rest of the command read into the buffer at
+; 80010C, the flag at 80053C set
 ; 04 = got 'c', 1 additional byte received, extended to a half-word
 ; and written to 80052C
 ; 05 = got 'a'
@@ -262,6 +263,7 @@
  334: e3a0a000 mov r10, #0 ; 0x0
  338: e3a06000 mov r6, #0 ; 0x0
  33c: ea000015 b 0x398
+; more blocks
  340: e5d40008 ldrb r0, [r4, #8]
  344: e5971000 ldr r1, [r7]
  348: e28d2002 add r2, sp, #2 ; 0x2
@@ -284,6 +286,7 @@
  38c: 0a000001 beq 0x398
  390: e3a0c001 mov r12, #1 ; 0x1
  394: e5c4c018 strb r12, [r4, #24]
+; the entry to the 'w' handling block branches here
  398: e5d40008 ldrb r0, [r4, #8]
  39c: e5971000 ldr r1, [r7]
  3a0: e1a0200d mov r2, sp
@@ -337,17 +340,17 @@
  460: e18c8408 orr r8, r12, r8, lsl #8
  464: e2599001 subs r9, r9, #1 ; 0x1
  468: 1afffff5 bne 0x444
- 46c: e59fc9a4 ldr r12, [pc, #2468] ; 0xe18
+ 46c: e59fc9a4 ldr r12, =0x800750 ; via 0xe18
  470: e158000c cmp r8, r12
  474: 3a00004e bcc 0x5b4
- 478: e59f099c ldr r0, [pc, #2460] ; 0xe1c
+ 478: e59f099c ldr r0, =0x7F8AF ; via 0xe1c
  47c: e080c00c add r12, r0, r12
  480: e158000c cmp r8, r12
  484: 8a00004a bhi 0x5b4
  488: e085c006 add r12, r5, r6
  48c: e35c0ffe cmp r12, #1016 ; 0x3f8
  490: aa000037 bge 0x574
- 494: e59fc970 ldr r12, [pc, #2416] ; 0xe0c
+ 494: e59fc970 ldr r12, =0x80010C ; via 0xe0c
  498: e5dd0000 ldrb r0, [sp]
  49c: e7c6000c strb r0, [r6, r12]
  4a0: e2860001 add r0, r6, #1 ; 0x1
@@ -403,6 +406,8 @@
  568: e2555001 subs r5, r5, #1 ; 0x1
  56c: 1afffff6 bne 0x54c
  570: ea00000a b 0x5a0
+; length exceeded: read and discard
+; the increment of R5 looks like a bug!
  574: e285c001 add r12, r5, #1 ; 0x1
  578: e1a0c80c mov r12, r12, lsl #16
  57c: e1a0582c mov r5, r12, lsr #16
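Review bot: The new return-code comment for 'w' says "the flag at 80053C set", but the only flag store visible in the 'w' block is `strb r12, [r4, #24]` at 394 (repeated at 5b8 and 5e4 in the error paths), and the later annotation `; R4=0x800518` at 60c would place [r4, #24] at 0x800530, not 0x80053C. Whether R4 still holds 0x800518 inside the 'w' block is not shown in these hunks; if it does, either this comment or the 80053C entry in the notes is off by 0xC and the two should be reconciled. Until the address is confirmed, `; 80010C, the flag at [R4+24] set` would state only what the listing shows.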
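Review bot: The two new literal annotations at 46c and 478 give the base 0x800750 and the span 0x7F8AF but leave the reader to add them; the `add r12, r0, r12` / `cmp r8, r12` / `bhi 0x5b4` sequence makes the accepted range 0x800750..0x87FFFF inclusive, which is worth stating once, e.g. `; r12 = 0x87FFFF, upper bound of the IRAM load range` on the 47c line. If r8 is the block's load address, as the 5b4 annotation in the -419 hunk says, it is also worth noting that only the start address is range-checked here: the payload-length check at 48c (`cmp r12, #1016`) is independent of it, so nothing in this hunk decides whether a block starting near 0x87FFFF may extend past it. The routine containing this code starts and ends outside the hunk.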
@@ -419,30 +424,34 @@
  5a8: e3a0c003 mov r12, #3 ; 0x3
  5ac: e5cbc000 strb r12, [r11]
  5b0: ea00005b b 0x724
+; error path (<w load address outside of the permissible IRAM range)
  5b4: e3a0c001 mov r12, #1 ; 0x1
  5b8: e5c4c018 strb r12, [r4, #24]
  5bc: e3a0c003 mov r12, #3 ; 0x3
  5c0: e5cbc000 strb r12, [r11]
  5c4: e5d40008 ldrb r0, [r4, #8]
- 5c8: e59f1850 ldr r1, [pc, #2128] ; 0xe20
+ 5c8: e59f1850 ldr r1, =0xFFFFF ; via 0xe20
  5cc: e28d2002 add r2, sp, #2 ; 0x2
  5d0: eb000394 bl 0x1428
  5d4: e3500001 cmp r0, #1 ; 0x1
  5d8: 0afffff9 beq 0x5c4
  5dc: ea000050 b 0x724
+; another error path (bad block number voodoo)
  5e0: e3a0c001 mov r12, #1 ; 0x1
  5e4: e5c4c018 strb r12, [r4, #24]
  5e8: e3a0c003 mov r12, #3 ; 0x3
  5ec: e5cbc000 strb r12, [r11]
+; flush serial input (wait for long silence), then return
  5f0: e5d40008 ldrb r0, [r4, #8]
- 5f4: e59f1824 ldr r1, [pc, #2084] ; 0xe20
+ 5f4: e59f1824 ldr r1, =0xFFFFF ; via 0xe20
  5f8: e28d2002 add r2, sp, #2 ; 0x2
  5fc: eb000389 bl 0x1428
  600: e3500001 cmp r0, #1 ; 0x1
  604: 0afffff9 beq 0x5f0
  608: ea000045 b 0x724
 ; got 'p'
- 60c: e59f67f8 ldr r6, [pc, #2040] ; 0xe0c
+; R4=0x800518
+ 60c: e59f67f8 ldr r6, =0x80010C ; via 0xe0c
  610: e3a08009 mov r8, #9 ; 0x9
  614: e5d40008 ldrb r0, [r4, #8]
  618: e5971000 ldr r1, [r7]
@@ -453,12 +462,12 @@
  62c: e2866001 add r6, r6, #1 ; 0x1
  630: e2588001 subs r8, r8, #1 ; 0x1
  634: 1afffff6 bne 0x614
- 638: e59fc7cc ldr r12, [pc, #1996] ; 0xe0c
+ 638: e59fc7cc ldr r12, =0x80010C ; via 0xe0c
  63c: e5dc0000 ldrb r0, [r12]
- 640: e5c40000 strb r0, [r4]
+ 640: e5c40000 strb r0, [r4] ; into 800518
  644: e5dc0001 ldrb r0, [r12, #1]
- 648: e5c40009 strb r0, [r4, #9]
- 64c: e1c450ba strh r5, [r4, #10]
+ 648: e5c40009 strb r0, [r4, #9] ; into 800521
+ 64c: e1c450ba strh r5, [r4, #10] ; 16-bit 0 into 800522
  650: e5dc1003 ldrb r1, [r12, #3]
  654: e5dc0002 ldrb r0, [r12, #2]
  658: e1810400 orr r0, r1, r0, lsl #8
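Review bot: The `; flush serial input (wait for long silence), then return` comment at 5f0 describes a loop that is the same as the one at 5c4..5dc in the first error path (same `=0xFFFFF` timeout via 0xe20, same `bl 0x1428`, same `beq` back to the ldrb), yet that first copy is left uncommented; put the same comment before 5c4, or reword the 5f0 one to `; flush serial input as at 5c4, then return` so both error paths read alike. The `; R4=0x800518` note is attached only to the 'p' block; if R4 is loaded once for the whole routine (its load is outside this hunk), moving the note to the routine entry would also document the `[r4, #24]` stores at 5b8 and 5e4.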
@@ -621,6 +630,9 @@
  8ac: e3a00000 mov r0, #0 ; 0x0
  8b0: e8bd83f0 ldmia sp!, {r4, r5, r6, r7, r8, r9, pc}
 
+; The routine at 0x8b4 handles the command received by the 0x2c8 routine.
+; The argument in R0 is the code produced by the latter.
+
  8b4: e92d4070 stmdb sp!, {r4, r5, r6, lr}
  8b8: e24dd008 sub sp, sp, #8 ; 0x8
  8bc: e59f4560 ldr r4, [pc, #1376] ; 0xe24
--- a/bootrom.notes Wed Apr 24 19:32:45 2013 +0000
+++ b/bootrom.notes Wed Apr 24 22:48:12 2013 +0000
@@ -54,8 +54,25 @@
 <p
+Followed by 9 bytes:
+ 1 byte: goes into var at 800518
+ 1 byte: goes into var at 800521
+ 2 bytes: 16-bit MSB-first value goes into var at 800522
+ 1 byte: goes into var at 800525
+ 4 bytes: 32-bit MSG-first value goes into var at 80051C
+
 <w
+Followed by:
+ 1 byte: block number (of this block)
+ 1 byte: total # of blocks
+ 2 bytes: # of payload bytes in this block (MSB first)
+ 4 bytes: load address for this block (MSB first)
+ data
+
+for a single block (both bytes after <w set to 01), the maximum allowed
+payload length is 1015 (0x3F7) bytes.
+
 RAM layout:
 800000 7 words:
@@ -71,11 +88,19 @@
 800104: word initialized to 0x0001D4C0 - tells the 0x2c8 routine how long to wait for a character
 800108: byte initialized to 0x01
+80010C: all bytes of a '<w' command after these two command chars
+ are stored starting here
+80050B: the above buffer ends here
+800518: byte variable receives the first parameter byte after '<p'
+80051C: 32-bit var set by the '<p' command
 800520: byte variable filled every time the 0xfb4 routine is called holds the ID of the UART on which '<' came in, or FF if none
+800521: byte variable receives the 2nd parameter byte after '<p'
+800522: 16-bit var set by the '<p' command
 800524: byte variable filled every time the 0xfb4 routine is called filled with a copy of 800534
+800525: byte var set by the '<p' command
 80052C: byte following the '<c' command is extended to a half-word and written here
@@ -83,6 +108,9 @@
 800534: byte initialized to 0x00, then may be set to 1 by the 0xfb4 routine if it selects /1 clock mode.
 800538: word holds the argument of the '<b' command
+80053C: byte indicates validity of the received '<w' command:
+ 0 means valid, 1 means something bad
 8005C0: appears to be the intended low address (bottom) of the stack
 80074C: top of the stack (initial value loaded into SP)
+800750: lowest address at which user code may be loaded