changeset 254:f3f9dd04567e

pirelli/fw-disasm: started proper analysis of pwr_cust code
author Mychaela Falconia <falcon@freecalypso.org>
date Mon, 25 Dec 2017 23:32:08 +0000
parents 6f9969cf55a1
children 0f5a24acde3a
files pirelli/fw-disasm
diffstat 1 files changed, 222 insertions(+), 1 deletions(-) [+]
--- a/pirelli/fw-disasm	Mon Dec 25 21:15:23 2017 +0000
+++ b/pirelli/fw-disasm	Mon Dec 25 23:32:08 2017 +0000
@@ -737,8 +737,11 @@
   32af92:	b001		add	sp, #4
   32af94:	bd00		pop	{pc}
 
+; pwr_cust module seems to start here
+
 ; The following function takes a raw ADC VBAT measurement
 ; as input (R0) and returns the mV value per the calibration.
+$pwr_adc_to_mvolt:
   32dae8:	498b		ldr	r1, =0x801734	; via 0x32dd18
   32daea:	880a		ldrh	r2, [r1, #0]
   32daec:	4342		mul	r2, r0
@@ -749,6 +752,8 @@
   32daf6:	0c00		lsr	r0, r0, #16
   32daf8:	4770		bx	lr
 
+$pwr_adc_to_mA:
+; diff from MV100 version: this version subtracts i2v_madc_offset first
   32dafa:	b500		push	{lr}
   32dafc:	49c2		ldr	r1, =0x1774e70	; via 0x32de08
   32dafe:	6809		ldr	r1, [r1, #0]
@@ -762,11 +767,19 @@
   32db0e:	4348		mul	r0, r1
   32db10:	217d		mov	r1, #125	; 0x7d
   32db12:	00c9		lsl	r1, r1, #3
-  32db14:	f0c9 fb8a	bl	0x3f722c
+  32db14:	f0c9 fb8a	bl	0x3f722c	; I$DIV
   32db18:	0408		lsl	r0, r1, #16
   32db1a:	0c00		lsr	r0, r0, #16
   32db1c:	bd00		pop	{pc}
 
+$pwr_bat_temp_within_limits:
+; the limits are the same as in MV100 version: 0 to 50 deg C
+; 1st diff: if the byte var at offset 0x48 is set to 1, then
+; out-of-range T is ignored with a warning trace
+; 2nd diff: if T is out of range and no ignore-with-warning flag is set,
+; the return code is FALSE like in TI's original, but an additional code
+; indicating whether T is too high or too low is written into 16-bit var
+; at 0x1774b78
   32db1e:	b510		push	{r4, lr}
   32db20:	b082		sub	sp, #8
   32db22:	1c04		add	r4, r0, #0
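Review bot: The header comment for $pwr_bat_temp_within_limits refers to "the byte var at offset 0x48" without naming the structure the offset is taken from, so the one flag that makes an out-of-range battery temperature be ignored cannot be located from this note. If the base is the block pointed to by 0x1774e70, as in the neighbouring functions (the load is outside this hunk, so this is inferred), I would write `; 1st diff: if the byte at pwr_env_ctrl_blk+0x48 is set to 1, then`. Because the flag turns the temperature safeguard into a warning trace, it is also worth recording what sets it once that is found. The function body continues past the end of the hunk.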
@@ -822,6 +835,212 @@
   32db8c:	b002		add	sp, #8
   32db8e:	bd10		pop	{r4, pc}
 
+$pwr_madc_to_Celsius_conv:
+; MV100 version uses 10 uA and 50 uA test currents,
+; this version uses 30 uA and 80 uA instead
+; not analysed further
+  32db90:	b5f0		push	{r4, r5, r6, r7, lr}
+  32db92:	b082		sub	sp, #8
+  32db94:	2351		mov	r3, #81	; 0x51
+  32db96:	1ac0		sub	r0, r0, r3
+  32db98:	2800		cmp	r0, #0
+  32db9a:	d008		beq	0x32dbae
+  32db9c:	3828		sub	r0, #40	; 0x28
+  32db9e:	2800		cmp	r0, #0
+  32dba0:	d001		beq	0x32dba6
+  32dba2:	2000		mov	r0, #0
+  32dba4:	e04a		b	0x32dc3c
+  32dba6:	4ed2		ldr	r6, =0x52e308	; via 0x32def0
+  32dba8:	4dd2		ldr	r5, =0x52e2e4	; via 0x32def4
+  32dbaa:	200a		mov	r0, #10	; 0xa
+  32dbac:	e002		b	0x32dbb4
+  32dbae:	4ed2		ldr	r6, =0x52e2f8	; via 0x32def8
+  32dbb0:	4dd2		ldr	r5, =0x52e2d4	; via 0x32defc
+  32dbb2:	2008		mov	r0, #8
+  32dbb4:	8833		ldrh	r3, [r6, #0]
+  32dbb6:	4299		cmp	r1, r3
+  32dbb8:	dc05		bgt	0x32dbc6
+  32dbba:	0043		lsl	r3, r0, #1
+  32dbbc:	18f3		add	r3, r6, r3
+  32dbbe:	3b02		sub	r3, #2
+  32dbc0:	881b		ldrh	r3, [r3, #0]
+  32dbc2:	4299		cmp	r1, r3
+  32dbc4:	da08		bge	0x32dbd8
+  32dbc6:	1c0a		add	r2, r1, #0
+  32dbc8:	4890		ldr	r0, =0xa0020	; via 0x32de0c
+  32dbca:	9000		str	r0, [sp, #0]
+  32dbcc:	a0c1		add	r0, pc, #772	; 0x304
+  32dbce:	211a		mov	r1, #26	; 0x1a
+  32dbd0:	2305		mov	r3, #5
+  32dbd2:	f0ad f82f	bl	0x3dac34
+  32dbd6:	e7e4		b	0x32dba2
+  32dbd8:	2800		cmp	r0, #0
+  32dbda:	d00d		beq	0x32dbf8
+  32dbdc:	2300		mov	r3, #0
+  32dbde:	005c		lsl	r4, r3, #1
+  32dbe0:	19a7		add	r7, r4, r6
+  32dbe2:	1ebf		sub	r7, r7, #2
+  32dbe4:	46bc		mov	r12, r7
+  32dbe6:	5b37		ldrh	r7, [r6, r4]
+  32dbe8:	42b9		cmp	r1, r7
+  32dbea:	da0a		bge	0x32dc02
+  32dbec:	1c5b		add	r3, r3, #1
+  32dbee:	061b		lsl	r3, r3, #24
+  32dbf0:	0e1b		lsr	r3, r3, #24
+  32dbf2:	3801		sub	r0, #1
+  32dbf4:	2800		cmp	r0, #0
+  32dbf6:	d1f2		bne	0x32dbde
+  32dbf8:	49c1		ldr	r1, =0x1774b80	; via 0x32df00
+  32dbfa:	2001		mov	r0, #1
+  32dbfc:	0280		lsl	r0, r0, #10
+  32dbfe:	8008		strh	r0, [r1, #0]
+  32dc00:	e7cf		b	0x32dba2
+  32dc02:	2b00		cmp	r3, #0
+  32dc04:	d014		beq	0x32dc30
+  32dc06:	886b		ldrh	r3, [r5, #2]
+  32dc08:	8828		ldrh	r0, [r5, #0]
+  32dc0a:	1a18		sub	r0, r3, r0
+  32dc0c:	0400		lsl	r0, r0, #16
+  32dc0e:	0c00		lsr	r0, r0, #16
+  32dc10:	1bc9		sub	r1, r1, r7
+  32dc12:	0409		lsl	r1, r1, #16
+  32dc14:	0c09		lsr	r1, r1, #16
+  32dc16:	4348		mul	r0, r1
+  32dc18:	4661		mov	r1, r12
+  32dc1a:	8809		ldrh	r1, [r1, #0]
+  32dc1c:	1bc9		sub	r1, r1, r7
+  32dc1e:	0409		lsl	r1, r1, #16
+  32dc20:	0c09		lsr	r1, r1, #16
+  32dc22:	f0c9 fb03	bl	0x3f722c
+  32dc26:	5b60		ldrh	r0, [r4, r5]
+  32dc28:	1a40		sub	r0, r0, r1
+  32dc2a:	0400		lsl	r0, r0, #16
+  32dc2c:	1400		asr	r0, r0, #16
+  32dc2e:	e001		b	0x32dc34
+  32dc30:	2000		mov	r0, #0
+  32dc32:	5e28		ldrsh	r0, [r5, r0]
+  32dc34:	49b2		ldr	r1, =0x1774b80	; via 0x32df00
+  32dc36:	8010		strh	r0, [r2, #0]
+  32dc38:	8008		strh	r0, [r1, #0]
+  32dc3a:	2001		mov	r0, #1
+  32dc3c:	b002		add	sp, #8
+  32dc3e:	bdf0		pop	{r4, r5, r6, r7, pc}
+
+$pwr_get_battery_temperature:
+  32dc40:	b500		push	{lr}
+; setting BCICTL1 to THEN_80uA
+  32dc42:	2001		mov	r0, #1
+  32dc44:	2138		mov	r1, #56	; 0x38
+  32dc46:	2279		mov	r2, #121	; 0x79
+  32dc48:	f01b fae0	bl	0x34920c	; $ABB_Write_Register_on_page
+; setting pwr_env_ctrl_blk->timer0_state, same code as in MV100 version
+  32dc4c:	486e		ldr	r0, =0x1774e70	; via 0x32de08
+  32dc4e:	6800		ldr	r0, [r0, #0]
+  32dc50:	2103		mov	r1, #3
+  32dc52:	6301		str	r1, [r0, #48]	; 0x30
+; setting TIMER0 to 65 ticks (300 ms)
+  32dc54:	2000		mov	r0, #0
+  32dc56:	2141		mov	r1, #65	; 0x41
+  32dc58:	2200		mov	r2, #0
+  32dc5a:	f7fd f90d	bl	0x32ae78	; $rvf_start_timer
+  32dc5e:	bd00		pop	{pc}
+
+$pwr_bat_50uA_temp_test_timer_process:
+  32dc60:	b510		push	{r4, lr}
+  32dc62:	b082		sub	sp, #8
+; test if we are in CHARGE_STOPPED state
+  32dc64:	4868		ldr	r0, =0x1774e70	; via 0x32de08
+  32dc66:	6800		ldr	r0, [r0, #0]
+  32dc68:	6840		ldr	r0, [r0, #4]
+  32dc6a:	2800		cmp	r0, #0
+  32dc6c:	d105		bne	0x32dc7a
+; CHARGE_STOPPED state: write 1 (just MESBAT) into BCICTL1
+  32dc6e:	2001		mov	r0, #1
+  32dc70:	2138		mov	r1, #56	; 0x38
+  32dc72:	2201		mov	r2, #1
+  32dc74:	f01b faca	bl	0x34920c
+  32dc78:	e04b		b	0x32dd12	; return
+; not in CHARGE_STOPPED state
+  32dc7a:	f000 fb0b	bl	0x32e294
+  32dc7e:	2800		cmp	r0, #0
+  32dc80:	d147		bne	0x32dd12	; return
+; mystery function above must return 0 for normal path to continue
+; "TIMER0: Battery coarse temp test" trace emitted here
+  32dc82:	4862		ldr	r0, =0xa0020	; via 0x32de0c
+  32dc84:	9000		str	r0, [sp, #0]
+  32dc86:	a0d1		add	r0, pc, #836	; 0x344
+  32dc88:	2120		mov	r1, #32	; 0x20
+  32dc8a:	2200		mov	r2, #0
+  32dc8c:	43d2		mvn	r2, r2
+  32dc8e:	2302		mov	r3, #2
+  32dc90:	f0ac ffd0	bl	0x3dac34
+; pwr_env_ctrl_blk->bat_celsius_temp = (INT16)(0xFFFF);
+  32dc94:	4c5c		ldr	r4, =0x1774e70	; via 0x32de08
+  32dc96:	6821		ldr	r1, [r4, #0]
+  32dc98:	2000		mov	r0, #0
+  32dc9a:	43c0		mvn	r0, r0
+  32dc9c:	8708		strh	r0, [r1, #56]	; 0x38
+; write 0 into ADIN2REG
+  32dc9e:	2001		mov	r0, #1
+  32dca0:	2128		mov	r1, #40	; 0x28
+  32dca2:	2200		mov	r2, #0
+  32dca4:	f01b fab2	bl	0x34920c	; $ABB_Write_Register_on_page
+; delay 2 ticks
+  32dca8:	2002		mov	r0, #2
+  32dcaa:	f783 fdf8	bl	0x2b189e	; rvf_delay()
+; now read ADIN2REG
+  32dcae:	2001		mov	r0, #1
+  32dcb0:	2128		mov	r1, #40	; 0x28
+  32dcb2:	f01b fad2	bl	0x34925a	; $ABB_Read_Register_on_page
+  32dcb6:	1c01		add	r1, r0, #0
+  32dcb8:	6822		ldr	r2, [r4, #0]
+  32dcba:	3238		add	r2, #56	; 0x38
+  32dcbc:	2079		mov	r0, #121	; 0x79
+  32dcbe:	f7ff ff67	bl	0x32db90	; $pwr_madc_to_Celsius_conv
+  32dcc2:	2800		cmp	r0, #0
+  32dcc4:	d10d		bne	0x32dce2
+; outside of the "coarse" range
+; set pwr_env_ctrl_blk->timer0_state to the "fine" code, same as in MV100
+  32dcc6:	6821		ldr	r1, [r4, #0]
+  32dcc8:	2004		mov	r0, #4
+  32dcca:	6308		str	r0, [r1, #48]	; 0x30
+; set 30 uA current
+  32dccc:	2001		mov	r0, #1
+  32dcce:	2138		mov	r1, #56	; 0x38
+  32dcd0:	2251		mov	r2, #81	; 0x51
+  32dcd2:	f01b fa9b	bl	0x34920c
+; same 65 ticks (300 ms) as before
+  32dcd6:	2000		mov	r0, #0
+  32dcd8:	2141		mov	r1, #65	; 0x41
+  32dcda:	2200		mov	r2, #0
+  32dcdc:	f7fd f8cc	bl	0x32ae78
+  32dce0:	e017		b	0x32dd12	; return
+; T inside the "coarse" range
+; write 1 (just MESBAT) into BCICTL1
+  32dce2:	2001		mov	r0, #1
+  32dce4:	2138		mov	r1, #56	; 0x38
+  32dce6:	2201		mov	r2, #1
+  32dce8:	f01b fa90	bl	0x34920c
+; dispatch by state
+  32dcec:	6820		ldr	r0, [r4, #0]
+  32dcee:	6840		ldr	r0, [r0, #4]
+  32dcf0:	2802		cmp	r0, #2
+  32dcf2:	d00c		beq	0x32dd0e
+  32dcf4:	2803		cmp	r0, #3
+  32dcf6:	d007		beq	0x32dd08
+  32dcf8:	2801		cmp	r0, #1
+  32dcfa:	d002		beq	0x32dd02
+  32dcfc:	f083 fce0	bl	0x3b16c0	; $pwr_get_bat_info
+  32dd00:	e007		b	0x32dd12
+  32dd02:	f7b4 fb2b	bl	0x2e235c	; $pwr_calibration_process
+  32dd06:	e004		b	0x32dd12
+  32dd08:	f7b4 ff04	bl	0x2e2b14	; $pwr_CV_charge_process
+  32dd0c:	e001		b	0x32dd12
+  32dd0e:	f7b4 fd93	bl	0x2e2838	; $pwr_CI_charge_process
+  32dd12:	b002		add	sp, #8
+  32dd14:	bd10		pop	{r4, pc}
+  32dd16:	46c0		nop			(mov r8, r8)
+
 ; The following function computes the battery remaining % number
 ; from the battery mV passed in R0.  It first increases the mV value
 ; by a factor that depends on the system current draw (it appears
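Review bot: $pwr_madc_to_Celsius_conv is marked "not analysed further", yet its calling contract is readable from the listing and the callers' comments depend on it. R0 is compared against 0x51 and 0x79, the same two BCICTL1 values the callers annotate as 30 uA and 80 uA, and selects the 8-entry tables at 0x52e2f8/0x52e2d4 or the 10-entry tables at 0x52e308/0x52e2e4; any other R0, or an R1 outside the first and last entries of the selected table, returns 0. On success the interpolated value is stored through R2 and into 0x1774b80 and the function returns 1, while a search that runs off the end of the table writes 0x400 into 0x1774b80 and returns 0; I would state those facts in the header in place of "not analysed further". The call at 32dc22 also lacks the `; I$DIV` tag that the same target received at 32db14.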
@@ -3783,6 +4002,8 @@
 
 0x17741e0:	abb_sem
 
+0x1774b78:	16-bit var, gets -4 written into it if the battery T
+		is too high, or -5 if it is too low
 0x1774b7c:	16-bit var battery voltage in mV
 
 0x1774ccc:	16-bit var initial battery % is stored here
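Review bot: The address list gains 0x1774b78 but not 0x1774b80, which the code added in this same changeset writes at 32dbfe and 32dc38. I would add `0x1774b80:	16-bit var, pwr_madc_to_Celsius_conv stores the converted T here, or 0x400 when the table search finds no entry` after the 0x1774b7c line. The -4 and -5 codes given for 0x1774b78 are not visible in any hunk of this changeset, so naming the address of the instruction that writes them would make that entry checkable.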