changeset 109:e40592990516
C156 boot code cracked
author | Michael Spacefalcon <msokolov@ivan.Harhan.ORG> |
date | Mon, 31 Mar 2014 19:06:33 +0000 |
parents | 85bb35342834 |
children | e650fdc743fe |
files | compal/c156-boot.disasm |
diffstat | 1 files changed, 73 insertions(+), 0 deletions(-) [+] |
--- a/compal/c156-boot.disasm Mon Mar 31 16:41:21 2014 +0000
+++ b/compal/c156-boot.disasm Mon Mar 31 19:06:33 2014 +0000
@@ -20,11 +20,16 @@
 44: 004000c0
 48: 00000e85
+; RESET entry point
+; same init as in the C139 version
 4c: e51f1028 ldr r1, =0xfffffd00 ; via 0x2c
 50: e1d120b2 ldrh r2, [r1, #2]
 54: e51f0034 ldr r0, =0x40 ; via 0x28
 58: e1800002 orr r0, r0, r2
 5c: e1c100b2 strh r0, [r1, #2]
+; disable PLL
+; diff from C139 version: writing 2002 into FFFF:9800 instead of 2006
+; diff in the BYPASS_DIV field
 60: e51f1038 ldr r1, =0xffff9800 ; via 0x30
 64: e15f22be ldrh r2, =0x2002 ; via 0x3e
 68: e1c120b0 strh r2, [r1]
@@ -32,17 +37,21 @@
 70: e2022001 and r2, r2, #1
 74: e3520001 cmp r2, #1
 78: 0afffffb beq 0x6c
+; FFFF:FD00 write same as C139
 7c: e51f1058 ldr r1, =0xfffffd00 ; via 0x2c
 80: e15f24bc ldrh r2, =0x1081 ; via 0x3c
 84: e1c120b0 strh r2, [r1]
+; disable DU like C139
 88: e51f105c ldr r1, =0xfffffb10 ; via 0x34
 8c: e15f25b4 ldrh r2, =0x800 ; via 0x40
 90: e1d100b0 ldrh r0, [r1]
 94: e1800002 orr r0, r0, r2
 98: e1c100b0 strh r0, [r1]
+; ditto for MPU
 9c: e51f106c ldr r1, =0xffffff08 ; via 0x38
 a0: e15f26b6 ldrh r2, =0x0 ; via 0x42
 a4: e1c120b0 strh r2, [r1]
+; Memory timings
 a8: e59f1640 ldr r1, =0xfffffb00 ; via 0x6f0
 ac: e15f29b4 ldrh r2, =0x2a1 ; via 0x20
 b0: e1c120b0 strh r2, [r1]
@@ -58,14 +67,18 @@
 d8: e1c120bc strh r2, [r1, #12] ; 0xc
 dc: e15f29be ldrh r2, =0x40 ; via 0x46
 e0: e1c120b8 strh r2, [r1, #8]
+; enable 8 MiB chip select regions
 e4: e59f3630 ldr r3, =0xfffef006 ; via 0x71c
 e8: e1d310b0 ldrh r1, [r3]
 ec: e3a02008 mov r2, #8
 f0: e1811002 orr r1, r1, r2
 f4: e1c310b0 strh r1, [r3]
+; write 0x0110 into FFFE:F00A
+; enable I/O(8) and I/O(12)
 f8: e59f3604 ldr r3, =0xfffef000 ; via 0x704
 fc: e3a01e11 mov r1, #272 ; 0x110
 100: e1c310ba strh r1, [r3, #10] ; 0xa
+; FFFE:4804: set GPIOs 0-8 and 12 as outputs
 104: e59f3604 ldr r3, =0xfffe4804 ; via 0x710
 108: e5931000 ldr r1, [r3]
 10c: e3a030ff mov r3, #255 ; 0xff
@@ -74,6 +87,7 @@
 118: e0011002 and r1, r1, r2
 11c: e59f35e4 ldr r3, =0xfffe4800 ; via 0x708
 120: e1c310b4 strh r1, [r3, #4]
+; ARMIO_LATCH_OUT: 0-8 set to 0
 124: e59f35e0 ldr r3, =0xfffe4802 ; via 0x70c
 128: e5931000 ldr r1, [r3]
 12c: e3a030ff mov r3, #255 ; 0xff
@@ -82,14 +96,17 @@
 138: e0011002 and r1, r1, r2
 13c: e59f35c4 ldr r3, =0xfffe4800 ; via 0x708
 140: e1c310b2 strh r1, [r3, #2]
+; ... and then reset it to 0xF400
 144: e3a01b3d mov r1, #62464 ; 0xf400
 148: e59f35b8 ldr r3, =0xfffe4800 ; via 0x708
 14c: e1c310b2 strh r1, [r3, #2]
+; SVC mode, IRQ and FIQ disabled
 150: e10f0000 mrs r0, CPSR
 154: e3c0001f bic r0, r0, #31 ; 0x1f
 158: e3800013 orr r0, r0, #19 ; 0x13
 15c: e38000c0 orr r0, r0, #192 ; 0xc0
 160: e129f000 msr CPSR_fc, r0
+; zero all 256 KiB IRAM except last 128 bytes
 164: e3a00502 mov r0, #8388608 ; 0x800000
 168: e3a02000 mov r2, #0
 16c: e3a01721 mov r1, #8650752 ; 0x840000
@@ -97,6 +114,7 @@
 174: e4802004 str r2, [r0], #4
 178: e1500001 cmp r0, r1
 17c: 1afffffc bne 0x174
+; ditto for 2 MiB XRAM
 180: e3a00401 mov r0, #16777216 ; 0x1000000
 184: e3a02000 mov r2, #0
 188: e3a01612 mov r1, #18874368 ; 0x1200000
@@ -104,15 +122,21 @@
 190: e4802004 str r2, [r0], #4
 194: e1500001 cmp r0, r1
 198: 1afffffc bne 0x190
+; MODEM UART
 19c: e59f0550 ldr r0, =0xffff5800 ; via 0x6f4
+; 0 into LCR for IER access
 1a0: e3a01000 mov r1, #0
 1a4: e5c01003 strb r1, [r0, #3]
+; clear IER
 1a8: e3a01000 mov r1, #0
 1ac: e5c01001 strb r1, [r0, #1]
+; BF into LCR
 1b0: e3a010bf mov r1, #191 ; 0xbf
 1b4: e5c01003 strb r1, [r0, #3]
+; 0x10 into EFR
 1b8: e3a01010 mov r1, #16 ; 0x10
 1bc: e5c01002 strb r1, [r0, #2]
+; set 115200 baud
 1c0: e59f3534 ldr r3, =0xffff5803 ; via 0x6fc
 1c4: e5931000 ldr r1, [r3]
 1c8: e3811080 orr r1, r1, #128 ; 0x80
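Review bot: The annotation `; zero all 256 KiB IRAM except last 128 bytes` above 0x164 is not supported by the lines in this hunk: r0 = 0x800000 and r1 = 0x840000 span the full 256 KiB, and the instruction at 0x170 that presumably trims r1 is outside the hunk (the loop body at 0x174-0x17c is in the next one). Suggest making the dependency visible, e.g. `; zero all 256 KiB IRAM except last 128 bytes (r1 adjusted at 0x170)`, so a reader of the hunk does not take the two constants as the whole story.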
@@ -121,6 +145,7 @@
 1d4: e5c01000 strb r1, [r0]
 1d8: e3a01000 mov r1, #0
 1dc: e5c01001 strb r1, [r0, #1]
+; LCR will eventually get back to 03
 1e0: e59f3514 ldr r3, =0xffff5803 ; via 0x6fc
 1e4: e5931000 ldr r1, [r3]
 1e8: e201107f and r1, r1, #127 ; 0x7f
@@ -128,47 +153,64 @@
 1f0: e5931000 ldr r1, [r3]
 1f4: e3811003 orr r1, r1, #3
 1f8: e5c31000 strb r1, [r3]
+; 0x40 into MCR: TCR/TLR access
 1fc: e3a01040 mov r1, #64 ; 0x40
 200: e5c01004 strb r1, [r0, #4]
+; TCR=0x0F (same as default)
 204: e3a0100f mov r1, #15 ; 0xf
 208: e5c01006 strb r1, [r0, #6]
+; BF into LCR again
 20c: e3a010bf mov r1, #191 ; 0xbf
 210: e5c01003 strb r1, [r0, #3]
+; 0x10 into EFR again
 214: e3a01010 mov r1, #16 ; 0x10
 218: e5c01002 strb r1, [r0, #2]
+; finally 03 into LCR
 21c: e3a01003 mov r1, #3
 220: e5c01003 strb r1, [r0, #3]
+; clear SCR (default, all weird stuff disabled)
 224: e3a01000 mov r1, #0
 228: e5c01010 strb r1, [r0, #16] ; 0x10
+; FCR=06: FIFOs cleared and *disabled*
 22c: e3a01006 mov r1, #6
 230: e5c01002 strb r1, [r0, #2]
+; MCR=0F
 234: e3a0100f mov r1, #15 ; 0xf
 238: e5c01004 strb r1, [r0, #4]
+; FCR=F1: enable FIFOs with max trigger levels
 23c: e3a010f1 mov r1, #241 ; 0xf1
 240: e5c01002 strb r1, [r0, #2]
+; MDR1: write 7 for reset, then 0 for UART mode
 244: e3a01007 mov r1, #7
 248: e5c01008 strb r1, [r0, #8]
 24c: e3a01000 mov r1, #0
 250: e5c01008 strb r1, [r0, #8]
+; IER: enable Rx interrupt
 254: e59f349c ldr r3, =0xffff5801 ; via 0x6f8
 258: e5931000 ldr r1, [r3]
 25c: e3811001 orr r1, r1, #1
 260: e5c31000 strb r1, [r3]
+; nCS0: WS=3, write enable, DC=1
 264: e59f1484 ldr r1, =0xfffffb00 ; via 0x6f0
 268: e59f247c ldr r2, =0x2a3 ; via 0x6ec
 26c: e1c120b0 strh r2, [r1]
+; FFFF:FB0E = 0x6A: adapt enabled for RHEA and API,
+; all ARM7 cycles visible externally
 270: e59f3488 ldr r3, =0xfffffb00 ; via 0x700
 274: e3a0106a mov r1, #106 ; 0x6a
 278: e1c310be strh r1, [r3, #14] ; 0xe
+; dingle UART FIFOs again, same settings
 27c: e59f0470 ldr r0, =0xffff5800 ; via 0x6f4
 280: e3a010f7 mov r1, #247 ; 0xf7
 284: e5c01002 strb r1, [r0, #2]
 288: e3a010f1 mov r1, #241 ; 0xf1
 28c: e5c01002 strb r1, [r0, #2]
+; short delay loop
 290: e3a01f4b mov r1, #300 ; 0x12c
 294: e2411001 sub r1, r1, #1
 298: e3510000 cmp r1, #0
 29c: 1afffffc bne 0x294
+; check UART
for unsolicited input?
 2a0: e59f044c ldr r0, =0xffff5800 ; via 0x6f4
 2a4: e3a02064 mov r2, #100 ; 0x64
 2a8: e3a08801 mov r8, #65536 ; 0x10000
@@ -180,6 +222,8 @@
 2c0: e3510001 cmp r1, #1
 2c4: 1afffff8 bne 0x2ac
 2c8: e5d01000 ldrb r1, [r0]
+; unsolicited input received
+; repeats the whole UART init, but with /2 div for 406250 baud
 2cc: e59f0420 ldr r0, =0xffff5800 ; via 0x6f4
 2d0: e3a01000 mov r1, #0
 2d4: e5c01003 strb r1, [r0, #3]
@@ -240,6 +284,8 @@
 3b0: e3510000 cmp r1, #0
 3b4: 1afffffc bne 0x3ac
 3b8: e59f0334 ldr r0, =0xffff5800 ; via 0x6f4
+; normal path continues
+; emit 1B F6 02 00 41 01 40
 3bc: e3a0101b mov r1, #27 ; 0x1b
 3c0: e5c01000 strb r1, [r0]
 3c4: e3a010f6 mov r1, #246 ; 0xf6
@@ -254,6 +300,7 @@
 3e8: e5c01000 strb r1, [r0]
 3ec: e3a01040 mov r1, #64 ; 0x40
 3f0: e5c01000 strb r1, [r0]
+; wait for UART input
 3f4: e3a02064 mov r2, #100 ; 0x64
 3f8: e3a08701 mov r8, #262144 ; 0x40000
 3fc: e2488001 sub r8, r8, #1
@@ -272,6 +319,7 @@
 430: eafffff1 b 0x3fc
 434: e351001b cmp r1, #27 ; 0x1b
 438: 1affffef bne 0x3fc
+; got 1B
 43c: e3a08701 mov r8, #262144 ; 0x40000
 440: e2488001 sub r8, r8, #1
 444: e3580000 cmp r8, #0
@@ -283,6 +331,7 @@
 45c: e5d01000 ldrb r1, [r0]
 460: e35100f6 cmp r1, #246 ; 0xf6
 464: 1a000092 bne 0x6b4
+; got F6
 468: e3a08801 mov r8, #65536 ; 0x10000
 46c: e2488001 sub r8, r8, #1
 470: e3580000 cmp r8, #0
@@ -294,6 +343,7 @@
 488: e5d01000 ldrb r1, [r0]
 48c: e3510002 cmp r1, #2
 490: 1a000087 bne 0x6b4
+; got 02
 494: e3a08801 mov r8, #65536 ; 0x10000
 498: e2488001 sub r8, r8, #1
 49c: e3580000 cmp r8, #0
@@ -305,6 +355,7 @@
 4b4: e5d01000 ldrb r1, [r0]
 4b8: e3510000 cmp r1, #0
 4bc: 1a00007c bne 0x6b4
+; got 00
 4c0: e3a08801 mov r8, #65536 ; 0x10000
 4c4: e2488001 sub r8, r8, #1
 4c8: e3580000 cmp r8, #0
@@ -316,6 +367,7 @@
 4e0: e5d01000 ldrb r1, [r0]
 4e4: e3510052 cmp r1, #82 ; 0x52
 4e8: 1a000071 bne 0x6b4
+; got 52
 4ec: e3a08801 mov r8, #65536 ; 0x10000
 4f0: e2488001 sub r8, r8, #1
 4f4: e3580000 cmp r8, #0
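Review bot: The annotation `; dingle UART FIFOs again, same settings` above 0x27c hides that the two FCR writes are not the same value: 0x280 writes 0xF7 and 0x288 writes 0xF1, so the first write additionally clears both FIFOs before the 0xF1 configuration is reapplied, whereas the earlier sequence at 0x22c/0x23c used 0x06 then 0xF1. Suggest `; FCR=F7 (enable + clear both FIFOs), then FCR=F1: same end state as at 0x23c`. "dingle" also reads like a typo, possibly for "diddle". The hunk's final context lines 0x2a0-0x2a8 start the r8-bounded poll that the `; check UART for unsolicited input?` comment refers to; naming the timeout there (`r8 = 0x10000 iterations`) would match the style of the `; got ..` blocks below.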
@@ -327,6 +379,7 @@
 50c: e5d01000 ldrb r1, [r0]
 510: e3510001 cmp r1, #1
 514: 1a000066 bne 0x6b4
+; got 01
 518: e3a08801 mov r8, #65536 ; 0x10000
 51c: e2488001 sub r8, r8, #1
 520: e3580000 cmp r8, #0
@@ -337,6 +390,7 @@
 534: 1afffff8 bne 0x51c
 538: e59f01b4 ldr r0, =0xffff5800 ; via 0x6f4
 53c: e5d01000 ldrb r1, [r0]
+; emit 1B F6 02 00 41 02 43 before checking the last Rx char!
 540: e3a0201b mov r2, #27 ; 0x1b
 544: e5c02000 strb r2, [r0]
 548: e3a020f6 mov r2, #246 ; 0xf6
@@ -351,18 +405,23 @@
 56c: e5c02000 strb r2, [r0]
 570: e3a02043 mov r2, #67 ; 0x43
 574: e5c02000 strb r2, [r0]
+; now check for 53
+; if not 53, go back to wait for 01-53
 578: e3510053 cmp r1, #83 ; 0x53
 57c: 0a000000 beq 0x584
 580: eaffffda b 0x4f0
+; got 53
 584: e3a02000 mov r2, #0
 588: e59f3190 ldr r3, =0x800100 ; via 0x720
 58c: e3a04000 mov r4, #0
 590: e3a05001 mov r5, #1
+; endless wait for Rx byte
 594: e5d01005 ldrb r1, [r0, #5]
 598: e2011001 and r1, r1, #1
 59c: e3510001 cmp r1, #1
 5a0: 1afffffb bne 0x594
 5a4: e5d01000 ldrb r1, [r0]
+; state machine dispatch
 5a8: e3520000 cmp r2, #0
 5ac: 0a000008 beq 0x5d4
 5b0: e3520001 cmp r2, #1
@@ -374,19 +433,23 @@
 5c8: e3520004 cmp r2, #4
 5cc: 0a000015 beq 0x628
 5d0: ea000037 b 0x6b4
+; R2=0: must receive 02 first
 5d4: e3510002 cmp r1, #2
 5d8: 1affffed bne 0x594
 5dc: e1a06001 mov r6, r1
 5e0: e2822001 add r2, r2, #1
 5e4: eaffffea b 0x594
+; R2=1: got MSB of length
 5e8: e1a04401 mov r4, r1, lsl #8
 5ec: e0266001 eor r6, r6, r1
 5f0: e2822001 add r2, r2, #1
 5f4: eaffffe6 b 0x594
+; R2=2: got LSB of length
 5f8: e0844001 add r4, r4, r1
 5fc: e0266001 eor r6, r6, r1
 600: e2822001 add r2, r2, #1
 604: eaffffe2 b 0x594
+; R2=3: payload
 608: e5c31000 strb r1, [r3]
 60c: e0266001 eor r6, r6, r1
 610: e2833001 add r3, r3, #1
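Review bot: The annotation `; if not 53, go back to wait for 01-53` above 0x578 should say where the branch lands: 0x580 jumps to 0x4f0, the `sub r8, r8, #1` inside the "got 52" timeout loop, not to its 0x4ec head, so r8 is not reloaded with 0x10000 and whatever count is left from the previous wait is reused. Suggest `; if not 53, re-enter the wait-for-01 loop at 0x4f0 (r8 timeout counter is not reset)`. The `; endless wait for Rx byte` comment at 0x594 is accurate and worth keeping explicit: this loop polls bit 0 of [r0, #5] with no r8 bound, unlike every wait above it, and every state handler below returns here.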
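Review bot: `; R2=0: must receive 02 first` omits that 0x5dc also seeds the running checksum: `mov r6, r1` stores the 02 header byte into r6, and states 1-3 then fold each received byte in with `eor r6, r6, r1`, so the value compared at 0x628 in the next hunk is the XOR of the header, both length bytes and every payload byte. Suggest `; R2=0: must receive 02 first; r6 = 02 seeds the XOR checksum`. The 16-bit length assembled into r4 in states 1 and 2 is presumably consumed between 0x610 and 0x61c, which lies outside this hunk, so the `; R2=3: payload` comment could point there for the end-of-payload condition.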
@@ -395,8 +458,11 @@
 61c: 1affffdc bne 0x594
 620: e2822001 add r2, r2, #1
 624: eaffffda b 0x594
+; R2=4: checksum expected
 628: e1560001 cmp r6, r1
 62c: 1a000012 bne 0x67c
+; checksum good
+; emit 1B F6 02 00 41 03 42
 630: e3a0101b mov r1, #27 ; 0x1b
 634: e5c01000 strb r1, [r0]
 638: e3a010f6 mov r1, #246 ; 0xf6
@@ -411,11 +477,15 @@
 65c: e5c01000 strb r1, [r0]
 660: e3a01042 mov r1, #66 ; 0x42
 664: e5c01000 strb r1, [r0]
+; SP=0x803FFC
 668: e59f00b4 ldr r0, =0x803ffc ; via 0x724
 66c: e1a0d000 mov sp, r0
+; jump to 0x800100 in Thumb state
 670: e59f00a8 ldr r0, =0x800100 ; via 0x720
 674: e280e001 add lr, r0, #1
 678: e12fff1e bx lr
+; checksum mismatch
+; emit 1B F6 02 00 45 53 16
 67c: e3a0101b mov r1, #27 ; 0x1b
 680: e5c01000 strb r1, [r0]
 684: e3a010f6 mov r1, #246 ; 0xf6
@@ -430,6 +500,8 @@
 6a8: e5c01000 strb r1, [r0]
 6ac: e3a01016 mov r1, #22 ; 0x16
 6b0: e5c01000 strb r1, [r0]
+; bail out path
+; ARMIO_LATCH_OUT: 0-7 and 11 set low
 6b4: e59f3050 ldr r3, =0xfffe4802 ; via 0x70c
 6b8: e5931000 ldr r1, [r3]
 6bc: e3a030ff mov r3, #255 ; 0xff
@@ -438,6 +510,7 @@
 6c8: e0011002 and r1, r1, r2
 6cc: e59f3034 ldr r3, =0xfffe4800 ; via 0x708
 6d0: e1c310b2 strh r1, [r3, #2]
+; switch GPIO12 back to input
 6d4: e59f3034 ldr r3, =0xfffe4804 ; via 0x710
 6d8: e5931000 ldr r1, [r3]
 6dc: e3811a01 orr r1, r1, #4096 ; 0x1000
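Review bot: `; R2=4: checksum expected` would be more useful if it named the check: 0x628 compares the received byte with r6, the XOR running sum built up over the 02 header, the length bytes and the payload in the previous hunk, and on a match the code sets SP and transfers control to the downloaded image at 0x800100 (0x668-0x678 in the following hunk). A one-byte XOR only guards against line corruption; it says nothing about where the image came from, which is worth stating in a loader annotation. Suggest `; R2=4: checksum byte expected (XOR of 02, length, payload); match -> acknowledge and run the image at 0x800100`.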
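Review bot: `; bail out path` at 0x6b4 should note how it is reached: the checksum-mismatch report ends with the `strb` at 0x6b0 and falls straight through into it, and it is also the target of the `bne 0x6b4` exits from the handshake (0x464, 0x490, 0x4bc, 0x4e8, 0x514) and of the `b 0x6b4` default case of the state dispatch at 0x5d0. Suggest `; bail out path: fall-through from the mismatch report above, and target of every bne/b 0x6b4 exit`. The GPIO restore that follows (`; ARMIO_LATCH_OUT: 0-7 and 11 set low`, `; switch GPIO12 back to input`) undoes the 0x104-0x14c setup from the first hunks; cross-referencing those addresses here would make the symmetry visible.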