# HG changeset patch
# User Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
# Date 1400145503 0
# Node ID 4e0aa166baa5cdc397b4da91f171f9512098b107
# Parent  4a92b7261e233b9f03fe55eff35b08604306453a
target-utils/tf-breakin: payload written for the TF C139 break-in attempt

diff -r 4a92b7261e23 -r 4e0aa166baa5 target-utils/tf-breakin/Makefile
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/target-utils/tf-breakin/Makefile	Thu May 15 09:18:23 2014 +0000
@@ -0,0 +1,14 @@
+CC=	arm-elf-gcc
+OBJCOPY=arm-elf-objcopy
+
+all:	payload.bin
+
+.SUFFIXES: .o .bin
+
+.o.bin:
+	${OBJCOPY} -O binary $< $@
+
+clean:
+	rm -f *.o *errs *core *.bin
+
+FRC:
diff -r 4a92b7261e23 -r 4e0aa166baa5 target-utils/tf-breakin/payload.S
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/target-utils/tf-breakin/payload.S	Thu May 15 09:18:23 2014 +0000
@@ -0,0 +1,37 @@
+	.text
+	.org	0
+	.code	32
+
+@ set CPSR like mot931c payload does
+	msr	CPSR_c, #0xd3
+@ disable the watchdog
+	ldr	r1, =0xfffff802
+	mov	r0, #0xf5
+	strh	r0, [r1, #2]
+	mov	r0, #0xa0
+	strh	r0, [r1, #2]
+@ MODEM UART
+	ldr	r6, =0xffff5800
+@ wait for any previous output to flush out
+1:	ldrb	r0, [r6, #5]
+	tst	r0, #0x20
+	beq	1b
+@ send our indication
+	adr	r1, outstr
+	mov	r2, #6
+1:	ldrb	r0, [r1], #1
+	strb	r0, [r6]
+	subs	r2, r2, #1
+	bne	1b
+@ wait for this output to go out to the TxD pin
+1:	ldrb	r0, [r6, #5]
+	tst	r0, #0x40
+	beq	1b
+@ enable the Calypso boot ROM
+	ldr	r1, =0xFFFFFB10
+	mov	r2, #0x0100
+	strh	r2, [r1]
+@ jump to it!
+	mov	pc, #0
+
+outstr:	.byte	2,2,2,'O','K',2