Project Blacksphere Intro Hardware 331x/3330 ARM Boot ROM Building GCC DSP Phone models Peripherals Nokia OS Software Glossary of Terms Todo Credits Forum Guestbook

Boot ROM

This is the first thing executed on poweron or reset (courtesy of AlexD).
00 ; Originally by AlexD, annotated by wumpus <blacksphere@goliath.darktech.org>
00 ; Processor       : ARMB
00 ; Target assembler: Generic assembler for ARM
00 ; Byte sex        : Big endian
00
00 ; IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII
00
00 ; Segment type: Pure code
00                 AREA ROM, CODE, READWRITE, ALIGN=0
00                 CODE32
00                 ANDEQ   R0, R0, R0
04                 ADR     R0, (loc_C+1)
08                 BX      R0
0C ; AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
0C                 CODE16
0C
0C loc_C                                   ; CODE XREF: sub_70+10j
0C                                         ; DATA XREF: 04o
0C                 MOV     R2, #0x40 ; '@'
0E                 LSL     R7, R2, #0xB    ; R7 = 0x20000
10                 MOV     R6, #2          ; two retries
12
12 loc_12                                  ; CODE XREF: 16j
12                 BL      sub_70
16                 BNE     loc_12          ; loop until FBUS_RX(==flasher SCLK) set
16                                         ; Flasher Identification is SCLK High,Low,High
18                 MOV     R0, #3
1A                 STRB    R0, [R7,#0x18]  ; [20018] <- 0x03 
1A                                         ; unknown, possibly this sets synchronous 
1A                                         ; (clocked) serial MBUS,
1A                                         ; and MBUS (half duplex) mode to Transmit
1C                 LSR     R6, R7, #5      ; R6 = 0x1000 retries
1E
1E loc_1E                                  ; CODE XREF: 22j
1E                 BL      sub_70
22                 BEQ     loc_1E          ; loop until FBUS_RX(==flasher SCLK) reset
24
24 loc_24                                  ; CODE XREF: 28j
24                 BL      sub_70
28                 BNE     loc_24          ; loop until FBUS_RX(==flasher SCLK) set
2A
2A loc_2A                                  ; CODE XREF: 2Ej
2A                 BL      sub_70
2E                 BEQ     loc_2A          ; loop until FBUS_RX(==flasher SCLK) reset 
2E                                         ; (flasher started bootstrap transmit)
30                 STRB    R2, [R7,#0x19]  ; [20019] <- 0x40 (set FBUS_RX - why - clears 
30                                         ; RXD buffer?)
32                 MOV     R2, #0x20 ; ' '
34                 LSR     R6, R7, #9      ; R6 = 0x100
36                 BL      sub_58          ; R0 = read halfword length
3A                 LSR     R4, R0, #1      ; get size in halfwords instead of bytes in R4
3C                 BEQ     loc_7A
3E                 MOV     R0, #0x80 ; 'ˆ'
40                 STRB    R0, [R7,#0x19]  ; set SDA_OUT (MBUS) high
42                 LSR     R5, R7, #1      ; R5 = 0x10000 (origin of DSP/MCU shared ram)
44
44 loc_44                                  ; CODE XREF: 50j
44                 LSR     R6, R7, #6      ; R6 = 0x800 retries
46                 BL      sub_58          ; read a halfword
4A                 STRH    R0, [R5]        ; write to RAM at R5
4C                 ADD     R5, #2
4E                 SUB     R4, #1
50                 BNE     loc_44          ; loop until all is read
52                 STRB    R4, [R7,#0x19]  ; set SDA_OUT (MBUS) low
54                 LSR     R0, R7, #1
56                 MOV     PC, R0          ; start bootloader
58
58 ; UUUUUUUUUUUUUUU S U B R O U T I N E UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
58 ; Read a halfword from the MBUS
58 ; in: R6=retries,R2=0x20
58 ; out: R0=halfword read
58
58 sub_58                                  ; CODE XREF: 36p
58                                         ; 46p
58                 MOV     R8, LR
5A
5A loc_5A                                  ; CODE XREF: sub_58+6j
5A                 BL      sub_70
5E                 BEQ     loc_5A          ; wait for byte available
60                 LDRB    R0, [R7,#0x1A]
62                 LSL     R3, R0, #8      ; store in R3, upper halfword
64
64 loc_64                                  ; CODE XREF: sub_58+10j
64                 BL      sub_70
68                 BEQ     loc_64          ; wait for another byte available
6A                 LDRB    R0, [R7,#0x1A]
6C                 ADD     R0, R3, R0      ; store in R0, lower halfword
6E                 MOV     PC, R8
6E ; End of function sub_58
6E
70
70 ; UUUUUUUUUUUUUUU S U B R O U T I N E UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
70
70 ; R6 = number of retries before jumping into Flash
70 ; R2 = [20019] AND value: 0x40 is bit 6 (FBUS_RX), 0x20 is bit 5 (MBUS_RXDBYTE)
70 sub_70                                  ; CODE XREF: 12p
70                                         ; 1Ep ...
70                 SUB     R6, #1          ; R6 = R6-1
72                 BEQ     loc_7A          ; jump if R6 == 0
74                 LDRB    R0, [R7,#0x19]  ;
76                 TST     R2, R0          ; [20019] & R2, set flags accordingly
78                 MOV     PC, LR
7A ; AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
7A
7A loc_7A                                  ; CODE XREF: 3Cj
7A                                         ; sub_70+2j
7A                 LSL     R0, R7, #4      ; R0 = 0x200000
7C                 LDRB    R1, [R0,#1]     ; R1 = [0x200001]
7E                 CMP     R1, #0xFF
80                 BEQ     loc_C           ; invalid - wait for flasher
82                 LSL     R2, R7, #1      ; R2 = 0x40000
84                 STRB    R1, [R2,#2]     ; boot ROM maps out
86                 ADD     R0, #0x40 ; '@'
88                 BX      R0              ; Flash jump (0x200040)
88 ; End of function sub_70
88
88 ; AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
FF ; ROM           ends
FF
FF                 END

Last updated: 2005-02-21 14:19

This site is the result of a great deal of assembly code reading, research, countless (mostly futile) searches for data sheets, cross-referencing and analysing. If you use this information in any way please mention wumpus <blacksphere@goliath.darktech.org> (and others in the credits section) in the credits of your program/document. And tell me :) If you have more information please contribute. If you just copy this, stick your name on it and call it yours I hope you get your genitals bitten off by a three headed monkey. Have a nice day.

No mobile phones were harmed in the production of this site.