FreeCalypso > hg > freecalypso-reveng
changeset 254:f3f9dd04567e
pirelli/fw-disasm: started proper analysis of pwr_cust code
author | Mychaela Falconia <falcon@freecalypso.org> |
---|---|
date | Mon, 25 Dec 2017 23:32:08 +0000 |
parents | 6f9969cf55a1 |
children | 0f5a24acde3a |
files | pirelli/fw-disasm |
diffstat | 1 files changed, 222 insertions(+), 1 deletions(-) [+] |
line wrap: on
line diff
--- a/pirelli/fw-disasm Mon Dec 25 21:15:23 2017 +0000 +++ b/pirelli/fw-disasm Mon Dec 25 23:32:08 2017 +0000 @@ -737,8 +737,11 @@ 32af92: b001 add sp, #4 32af94: bd00 pop {pc} +; pwr_cust module seems to start here + ; The following function takes a raw ADC VBAT measurement ; as input (R0) and returns the mV value per the calibration. +$pwr_adc_to_mvolt: 32dae8: 498b ldr r1, =0x801734 ; via 0x32dd18 32daea: 880a ldrh r2, [r1, #0] 32daec: 4342 mul r2, r0 @@ -749,6 +752,8 @@ 32daf6: 0c00 lsr r0, r0, #16 32daf8: 4770 bx lr +$pwr_adc_to_mA: +; diff from MV100 version: this version subtracts i2v_madc_offset first 32dafa: b500 push {lr} 32dafc: 49c2 ldr r1, =0x1774e70 ; via 0x32de08 32dafe: 6809 ldr r1, [r1, #0] @@ -762,11 +767,19 @@ 32db0e: 4348 mul r0, r1 32db10: 217d mov r1, #125 ; 0x7d 32db12: 00c9 lsl r1, r1, #3 - 32db14: f0c9 fb8a bl 0x3f722c + 32db14: f0c9 fb8a bl 0x3f722c ; I$DIV 32db18: 0408 lsl r0, r1, #16 32db1a: 0c00 lsr r0, r0, #16 32db1c: bd00 pop {pc} +$pwr_bat_temp_within_limits: +; the limits are the same as in MV100 version: 0 to 50 deg C +; 1st diff: if the byte var at offset 0x48 is set to 1, then +; out-of-range T is ignored with a warning trace +; 2nd diff: if T is out of range and no ignore-with-warning flag is set, +; the return code is FALSE like in TI's original, but an additional code +; indicating whether T is too high or too low is written into 16-bit var +; at 0x1774b78 32db1e: b510 push {r4, lr} 32db20: b082 sub sp, #8 32db22: 1c04 add r4, r0, #0 @@ -822,6 +835,212 @@ 32db8c: b002 add sp, #8 32db8e: bd10 pop {r4, pc} +$pwr_madc_to_Celsius_conv: +; MV100 version uses 10 uA and 50 uA test currents, +; this version uses 30 uA and 80 uA instead +; not analysed further + 32db90: b5f0 push {r4, r5, r6, r7, lr} + 32db92: b082 sub sp, #8 + 32db94: 2351 mov r3, #81 ; 0x51 + 32db96: 1ac0 sub r0, r0, r3 + 32db98: 2800 cmp r0, #0 + 32db9a: d008 beq 0x32dbae + 32db9c: 3828 sub r0, #40 ; 0x28 + 32db9e: 2800 cmp r0, #0 + 32dba0: d001 beq 0x32dba6 + 32dba2: 2000 mov r0, #0 + 32dba4: e04a b 0x32dc3c + 32dba6: 4ed2 ldr r6, =0x52e308 ; via 0x32def0 + 32dba8: 4dd2 ldr r5, =0x52e2e4 ; via 0x32def4 + 32dbaa: 200a mov r0, #10 ; 0xa + 32dbac: e002 b 0x32dbb4 + 32dbae: 4ed2 ldr r6, =0x52e2f8 ; via 0x32def8 + 32dbb0: 4dd2 ldr r5, =0x52e2d4 ; via 0x32defc + 32dbb2: 2008 mov r0, #8 + 32dbb4: 8833 ldrh r3, [r6, #0] + 32dbb6: 4299 cmp r1, r3 + 32dbb8: dc05 bgt 0x32dbc6 + 32dbba: 0043 lsl r3, r0, #1 + 32dbbc: 18f3 add r3, r6, r3 + 32dbbe: 3b02 sub r3, #2 + 32dbc0: 881b ldrh r3, [r3, #0] + 32dbc2: 4299 cmp r1, r3 + 32dbc4: da08 bge 0x32dbd8 + 32dbc6: 1c0a add r2, r1, #0 + 32dbc8: 4890 ldr r0, =0xa0020 ; via 0x32de0c + 32dbca: 9000 str r0, [sp, #0] + 32dbcc: a0c1 add r0, pc, #772 ; 0x304 + 32dbce: 211a mov r1, #26 ; 0x1a + 32dbd0: 2305 mov r3, #5 + 32dbd2: f0ad f82f bl 0x3dac34 + 32dbd6: e7e4 b 0x32dba2 + 32dbd8: 2800 cmp r0, #0 + 32dbda: d00d beq 0x32dbf8 + 32dbdc: 2300 mov r3, #0 + 32dbde: 005c lsl r4, r3, #1 + 32dbe0: 19a7 add r7, r4, r6 + 32dbe2: 1ebf sub r7, r7, #2 + 32dbe4: 46bc mov r12, r7 + 32dbe6: 5b37 ldrh r7, [r6, r4] + 32dbe8: 42b9 cmp r1, r7 + 32dbea: da0a bge 0x32dc02 + 32dbec: 1c5b add r3, r3, #1 + 32dbee: 061b lsl r3, r3, #24 + 32dbf0: 0e1b lsr r3, r3, #24 + 32dbf2: 3801 sub r0, #1 + 32dbf4: 2800 cmp r0, #0 + 32dbf6: d1f2 bne 0x32dbde + 32dbf8: 49c1 ldr r1, =0x1774b80 ; via 0x32df00 + 32dbfa: 2001 mov r0, #1 + 32dbfc: 0280 lsl r0, r0, #10 + 32dbfe: 8008 strh r0, [r1, #0] + 32dc00: e7cf b 0x32dba2 + 32dc02: 2b00 cmp r3, #0 + 32dc04: d014 beq 0x32dc30 + 32dc06: 886b ldrh r3, [r5, #2] + 32dc08: 8828 ldrh r0, [r5, #0] + 32dc0a: 1a18 sub r0, r3, r0 + 32dc0c: 0400 lsl r0, r0, #16 + 32dc0e: 0c00 lsr r0, r0, #16 + 32dc10: 1bc9 sub r1, r1, r7 + 32dc12: 0409 lsl r1, r1, #16 + 32dc14: 0c09 lsr r1, r1, #16 + 32dc16: 4348 mul r0, r1 + 32dc18: 4661 mov r1, r12 + 32dc1a: 8809 ldrh r1, [r1, #0] + 32dc1c: 1bc9 sub r1, r1, r7 + 32dc1e: 0409 lsl r1, r1, #16 + 32dc20: 0c09 lsr r1, r1, #16 + 32dc22: f0c9 fb03 bl 0x3f722c + 32dc26: 5b60 ldrh r0, [r4, r5] + 32dc28: 1a40 sub r0, r0, r1 + 32dc2a: 0400 lsl r0, r0, #16 + 32dc2c: 1400 asr r0, r0, #16 + 32dc2e: e001 b 0x32dc34 + 32dc30: 2000 mov r0, #0 + 32dc32: 5e28 ldrsh r0, [r5, r0] + 32dc34: 49b2 ldr r1, =0x1774b80 ; via 0x32df00 + 32dc36: 8010 strh r0, [r2, #0] + 32dc38: 8008 strh r0, [r1, #0] + 32dc3a: 2001 mov r0, #1 + 32dc3c: b002 add sp, #8 + 32dc3e: bdf0 pop {r4, r5, r6, r7, pc} + +$pwr_get_battery_temperature: + 32dc40: b500 push {lr} +; setting BCICTL1 to THEN_80uA + 32dc42: 2001 mov r0, #1 + 32dc44: 2138 mov r1, #56 ; 0x38 + 32dc46: 2279 mov r2, #121 ; 0x79 + 32dc48: f01b fae0 bl 0x34920c ; $ABB_Write_Register_on_page +; setting pwr_env_ctrl_blk->timer0_state, same code as in MV100 version + 32dc4c: 486e ldr r0, =0x1774e70 ; via 0x32de08 + 32dc4e: 6800 ldr r0, [r0, #0] + 32dc50: 2103 mov r1, #3 + 32dc52: 6301 str r1, [r0, #48] ; 0x30 +; setting TIMER0 to 65 ticks (300 ms) + 32dc54: 2000 mov r0, #0 + 32dc56: 2141 mov r1, #65 ; 0x41 + 32dc58: 2200 mov r2, #0 + 32dc5a: f7fd f90d bl 0x32ae78 ; $rvf_start_timer + 32dc5e: bd00 pop {pc} + +$pwr_bat_50uA_temp_test_timer_process: + 32dc60: b510 push {r4, lr} + 32dc62: b082 sub sp, #8 +; test if we are in CHARGE_STOPPED state + 32dc64: 4868 ldr r0, =0x1774e70 ; via 0x32de08 + 32dc66: 6800 ldr r0, [r0, #0] + 32dc68: 6840 ldr r0, [r0, #4] + 32dc6a: 2800 cmp r0, #0 + 32dc6c: d105 bne 0x32dc7a +; CHARGE_STOPPED state: write 1 (just MESBAT) into BCICTL1 + 32dc6e: 2001 mov r0, #1 + 32dc70: 2138 mov r1, #56 ; 0x38 + 32dc72: 2201 mov r2, #1 + 32dc74: f01b faca bl 0x34920c + 32dc78: e04b b 0x32dd12 ; return +; not in CHARGE_STOPPED state + 32dc7a: f000 fb0b bl 0x32e294 + 32dc7e: 2800 cmp r0, #0 + 32dc80: d147 bne 0x32dd12 ; return +; mystery function above must return 0 for normal path to continue +; "TIMER0: Battery coarse temp test" trace emitted here + 32dc82: 4862 ldr r0, =0xa0020 ; via 0x32de0c + 32dc84: 9000 str r0, [sp, #0] + 32dc86: a0d1 add r0, pc, #836 ; 0x344 + 32dc88: 2120 mov r1, #32 ; 0x20 + 32dc8a: 2200 mov r2, #0 + 32dc8c: 43d2 mvn r2, r2 + 32dc8e: 2302 mov r3, #2 + 32dc90: f0ac ffd0 bl 0x3dac34 +; pwr_env_ctrl_blk->bat_celsius_temp = (INT16)(0xFFFF); + 32dc94: 4c5c ldr r4, =0x1774e70 ; via 0x32de08 + 32dc96: 6821 ldr r1, [r4, #0] + 32dc98: 2000 mov r0, #0 + 32dc9a: 43c0 mvn r0, r0 + 32dc9c: 8708 strh r0, [r1, #56] ; 0x38 +; write 0 into ADIN2REG + 32dc9e: 2001 mov r0, #1 + 32dca0: 2128 mov r1, #40 ; 0x28 + 32dca2: 2200 mov r2, #0 + 32dca4: f01b fab2 bl 0x34920c ; $ABB_Write_Register_on_page +; delay 2 ticks + 32dca8: 2002 mov r0, #2 + 32dcaa: f783 fdf8 bl 0x2b189e ; rvf_delay() +; now read ADIN2REG + 32dcae: 2001 mov r0, #1 + 32dcb0: 2128 mov r1, #40 ; 0x28 + 32dcb2: f01b fad2 bl 0x34925a ; $ABB_Read_Register_on_page + 32dcb6: 1c01 add r1, r0, #0 + 32dcb8: 6822 ldr r2, [r4, #0] + 32dcba: 3238 add r2, #56 ; 0x38 + 32dcbc: 2079 mov r0, #121 ; 0x79 + 32dcbe: f7ff ff67 bl 0x32db90 ; $pwr_madc_to_Celsius_conv + 32dcc2: 2800 cmp r0, #0 + 32dcc4: d10d bne 0x32dce2 +; outside of the "coarse" range +; set pwr_env_ctrl_blk->timer0_state to the "fine" code, same as in MV100 + 32dcc6: 6821 ldr r1, [r4, #0] + 32dcc8: 2004 mov r0, #4 + 32dcca: 6308 str r0, [r1, #48] ; 0x30 +; set 30 uA current + 32dccc: 2001 mov r0, #1 + 32dcce: 2138 mov r1, #56 ; 0x38 + 32dcd0: 2251 mov r2, #81 ; 0x51 + 32dcd2: f01b fa9b bl 0x34920c +; same 65 ticks (300 ms) as before + 32dcd6: 2000 mov r0, #0 + 32dcd8: 2141 mov r1, #65 ; 0x41 + 32dcda: 2200 mov r2, #0 + 32dcdc: f7fd f8cc bl 0x32ae78 + 32dce0: e017 b 0x32dd12 ; return +; T inside the "coarse" range +; write 1 (just MESBAT) into BCICTL1 + 32dce2: 2001 mov r0, #1 + 32dce4: 2138 mov r1, #56 ; 0x38 + 32dce6: 2201 mov r2, #1 + 32dce8: f01b fa90 bl 0x34920c +; dispatch by state + 32dcec: 6820 ldr r0, [r4, #0] + 32dcee: 6840 ldr r0, [r0, #4] + 32dcf0: 2802 cmp r0, #2 + 32dcf2: d00c beq 0x32dd0e + 32dcf4: 2803 cmp r0, #3 + 32dcf6: d007 beq 0x32dd08 + 32dcf8: 2801 cmp r0, #1 + 32dcfa: d002 beq 0x32dd02 + 32dcfc: f083 fce0 bl 0x3b16c0 ; $pwr_get_bat_info + 32dd00: e007 b 0x32dd12 + 32dd02: f7b4 fb2b bl 0x2e235c ; $pwr_calibration_process + 32dd06: e004 b 0x32dd12 + 32dd08: f7b4 ff04 bl 0x2e2b14 ; $pwr_CV_charge_process + 32dd0c: e001 b 0x32dd12 + 32dd0e: f7b4 fd93 bl 0x2e2838 ; $pwr_CI_charge_process + 32dd12: b002 add sp, #8 + 32dd14: bd10 pop {r4, pc} + 32dd16: 46c0 nop (mov r8, r8) + ; The following function computes the battery remaining % number ; from the battery mV passed in R0. It first increases the mV value ; by a factor that depends on the system current draw (it appears @@ -3783,6 +4002,8 @@ 0x17741e0: abb_sem +0x1774b78: 16-bit var, gets -4 written into it if the battery T + is too high, or -5 if it is too low 0x1774b7c: 16-bit var battery voltage in mV 0x1774ccc: 16-bit var initial battery % is stored here