00 ; Originally by AlexD, annotated by wumpus <blacksphere@goliath.darktech.org> 00 ; Processor : ARMB 00 ; Target assembler: Generic assembler for ARM 00 ; Byte sex : Big endian 00 00 ; IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII 00 00 ; Segment type: Pure code 00 AREA ROM, CODE, READWRITE, ALIGN=0 00 CODE32 00 ANDEQ R0, R0, R0 04 ADR R0, (loc_C+1) 08 BX R0 0C ; AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 0C CODE16 0C 0C loc_C ; CODE XREF: sub_70+10j 0C ; DATA XREF: 04o 0C MOV R2, #0x40 ; '@' 0E LSL R7, R2, #0xB ; R7 = 0x20000 10 MOV R6, #2 ; two retries 12 12 loc_12 ; CODE XREF: 16j 12 BL sub_70 16 BNE loc_12 ; loop until FBUS_RX(==flasher SCLK) set 16 ; Flasher Identification is SCLK High,Low,High 18 MOV R0, #3 1A STRB R0, [R7,#0x18] ; [20018] <- 0x03 1A ; unknown, possibly this sets synchronous 1A ; (clocked) serial MBUS, 1A ; and MBUS (half duplex) mode to Transmit 1C LSR R6, R7, #5 ; R6 = 0x1000 retries 1E 1E loc_1E ; CODE XREF: 22j 1E BL sub_70 22 BEQ loc_1E ; loop until FBUS_RX(==flasher SCLK) reset 24 24 loc_24 ; CODE XREF: 28j 24 BL sub_70 28 BNE loc_24 ; loop until FBUS_RX(==flasher SCLK) set 2A 2A loc_2A ; CODE XREF: 2Ej 2A BL sub_70 2E BEQ loc_2A ; loop until FBUS_RX(==flasher SCLK) reset 2E ; (flasher started bootstrap transmit) 30 STRB R2, [R7,#0x19] ; [20019] <- 0x40 (set FBUS_RX - why - clears 30 ; RXD buffer?) 32 MOV R2, #0x20 ; ' ' 34 LSR R6, R7, #9 ; R6 = 0x100 36 BL sub_58 ; R0 = read halfword length 3A LSR R4, R0, #1 ; get size in halfwords instead of bytes in R4 3C BEQ loc_7A 3E MOV R0, #0x80 ; 'ˆ' 40 STRB R0, [R7,#0x19] ; set SDA_OUT (MBUS) high 42 LSR R5, R7, #1 ; R5 = 0x10000 (origin of DSP/MCU shared ram) 44 44 loc_44 ; CODE XREF: 50j 44 LSR R6, R7, #6 ; R6 = 0x800 retries 46 BL sub_58 ; read a halfword 4A STRH R0, [R5] ; write to RAM at R5 4C ADD R5, #2 4E SUB R4, #1 50 BNE loc_44 ; loop until all is read 52 STRB R4, [R7,#0x19] ; set SDA_OUT (MBUS) low 54 LSR R0, R7, #1 56 MOV PC, R0 ; start bootloader 58 58 ; UUUUUUUUUUUUUUU S U B R O U T I N E UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU 58 ; Read a halfword from the MBUS 58 ; in: R6=retries,R2=0x20 58 ; out: R0=halfword read 58 58 sub_58 ; CODE XREF: 36p 58 ; 46p 58 MOV R8, LR 5A 5A loc_5A ; CODE XREF: sub_58+6j 5A BL sub_70 5E BEQ loc_5A ; wait for byte available 60 LDRB R0, [R7,#0x1A] 62 LSL R3, R0, #8 ; store in R3, upper halfword 64 64 loc_64 ; CODE XREF: sub_58+10j 64 BL sub_70 68 BEQ loc_64 ; wait for another byte available 6A LDRB R0, [R7,#0x1A] 6C ADD R0, R3, R0 ; store in R0, lower halfword 6E MOV PC, R8 6E ; End of function sub_58 6E 70 70 ; UUUUUUUUUUUUUUU S U B R O U T I N E UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU 70 70 ; R6 = number of retries before jumping into Flash 70 ; R2 = [20019] AND value: 0x40 is bit 6 (FBUS_RX), 0x20 is bit 5 (MBUS_RXDBYTE) 70 sub_70 ; CODE XREF: 12p 70 ; 1Ep ... 70 SUB R6, #1 ; R6 = R6-1 72 BEQ loc_7A ; jump if R6 == 0 74 LDRB R0, [R7,#0x19] ; 76 TST R2, R0 ; [20019] & R2, set flags accordingly 78 MOV PC, LR 7A ; AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 7A 7A loc_7A ; CODE XREF: 3Cj 7A ; sub_70+2j 7A LSL R0, R7, #4 ; R0 = 0x200000 7C LDRB R1, [R0,#1] ; R1 = [0x200001] 7E CMP R1, #0xFF 80 BEQ loc_C ; invalid - wait for flasher 82 LSL R2, R7, #1 ; R2 = 0x40000 84 STRB R1, [R2,#2] ; boot ROM maps out 86 ADD R0, #0x40 ; '@' 88 BX R0 ; Flash jump (0x200040) 88 ; End of function sub_70 88 88 ; AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA FF ; ROM ends FF FF END
Last updated: 2005-02-21 14:19
This site is the result of a great deal of assembly code reading, research, countless (mostly futile) searches for data sheets, cross-referencing and analysing. If you use this information in any way please mention wumpus <blacksphere@goliath.darktech.org> (and others in the credits section) in the credits of your program/document. And tell me :) If you have more information please contribute. If you just copy this, stick your name on it and call it yours I hope you get your genitals bitten off by a three headed monkey. Have a nice day.
No mobile phones were harmed in the production of this site.