*** This file is copyright Ian Molton (c) 2003.
*** DO NOT redistribute without permission
*** You may not remove this header under any circumstance.

0x00000           branch to 0x1000
0x00004 - 0x00fff data, mostly nulls.

--early setup
0x01000 - 0x010d4 code, early setup.
                  calls: 1560 1384 1370 170c 1340 1674 17a4 1788 19b0
0x010d8 - 0x01114 data.
0x01118 - 0x01204 code, setup
                  calls: 194c 1360 (finally, aaa4)
--end early setup

0x01208 - 0x0133c data
0x01340 - 0x0135c function (reads GPIO lines)
                  counter = 0x20000
                  read from 0x40e00000 GPIO 31:0
                  do{
                    if value == 2
                      reset counter
                    else if counter == 0
                      return
                    dec counter
                  }loop
0x01360 - 0x0136c read power management GPIO edge detect status
                  read 0x40f00018
                  and with 0x2 (and set flags)
                  (ie. return 'true' if GP2 is on)
0x01370 - 0x01380 function (appears to be a test for GPIO reset)
                  read 0x40f00030
                  and with 11
                  compare with 8
0x01384 - 0x01464 function
                  contains MMU and CPSR stuff. interesting.
                  Reset Controller stuff too... very nice.
                  read 0x40f00030
                  write back to 0x40f00030
                  CALL 0x0170c
                  read 0x40f00032 (undocumented memory loc?)
                  write 0x40e00024
                  read 0x40f00036 (undoc.?)
                  write 0x40e00036
                  etc.
                  Calls: 1360 1340 1674 17a4 194c (10d4 return) (maybe e000)
0x01468 - 0x01474 call stubs? (may start at 1001464)
0x01478 - 0x0148c function (has stack)
                  calls 1490 (twice) with r0 == 0x96
0x01490 - 0x014cc function
0x014d0 - 0x0155c data
0x01560 - 0x01594 short delay routine
------------mem_setup----------------
0x01598 - 0x015a0 Read CPUID and return it in r0
0x015a4 - 0x015f0 lookup static memory timings. returns 0-0xf in r0
                  calls: 1940 1598
0x015f4 - 0x01670 data for function at 0x015a4 (tables for PXA210 and PXA255 static memory timings).
0x01674 - 0x01708 Reads data tables and programs memory timings for the system
                  calls: 1940 15a4
-------------------------------------
0x0170c - 0x01784 function
0x01788 - 0x017a0 function. messes with CR14
0x017a4 - 0x0186c Setup CPU and SDRAM.
                  calls: 1940 1560
0x01870 - 0x0193c data
0x01940 - 0x01948 function. set r0 to 1 the hard way
0x0194c - 0x019ac function
                  calls: 1940 (why?) 15a4
0x019b0 - 0x01a48 function
                  calls: 1b7c
0x01a4c - 0x01a88 data
0x01a8c - 0x01b78 code
0x01b7c - 0x01b80 r6 = r0. weird.
0x01b84 - 0x01be0 code
0x01be4 - 0x01cbc data.
0x01cc0 - ????    alphabet bitmaps
????    - 0x04458 data, unknown
0x04458 - 0x04490 code, unknown.
0x04494 - 0x04504 table setup for 'graphics table' @ 0x90049d00
0x04508 - 0x04550 table setup for table @ 0x90049cc0. looks graphicy.
0x04554 - 0x04564 data for 'graphics table' @ 0x90049d00
0x04568 - 0x04570 stub function to read r0 from 0x90048000
0x04578           dummy stub - return (mov pc,lr)
0x0457c - 0x046a8 code, unknown, large, single function, calls a lot, inc. indirect.
0x046ac - 0x046e4 data. all addresses in the 0x900xxxxx range. (ie RAM?)
0x046e8 - 0x046ec stub. returns r0=1
0x046f0 - 0x0472c code. looks like pre-stack code. probably not C.
0x04730 - 0x04754 code. probably C.
                  calls: 0x1468
0x04758 - 0x04760 r0 = *(90002238) = 0x90023038, corrupts r3.
0x04764           data for above stub.
0x04768 - 0x04818 used to print out numbers. maybe in hex. for debug.
                  calls: 0x146c
0x0481c           constant
0x04820 - 0x049c0 large function. has embedded data.
                  calls: 0x146c, 0x1a8c, 0x1478, 0x4768, 0x6340, 0x62b8
0x049c4 - 0x051d0 main() - the stuff that runs once the MMU is on.
                  calls: 4578 (146c 4768) 4820 1a8c 1464 (7534) 901c (4758) 8e90 8f64 8f80 8ea0 62b8 8d8c 88f4 5e28 5588 46f0 472c 457c 46e8 5340 7310
                  structure:
                  grab 32 bytes stack
                  call 4758 (read 0x2238) maybe == 0x90023038
                  sp+20 = r0
                  r3 = sp+20
                  if(r3 != 0xffffffff) goto label_1
                  r0 = 0x90002844
                  call 146c (no-op)
                  r0 = 0x9000283c
                  call 146c
                  r0 = sp+20
                  call 4768
                  loop calling 4768 with increasing offsets into table at *(sp+20)
                  call 4820 with r0 = 0x90002768
                  r0 = 90002738
                  call 1a8c
                  call 1464
                  0x4ab8 Debug Port Initialized
                  0x4ac8 Accelent Systems Inc. Bootloader
                  0x4ad0 =====================================================
                  0x4ad8 Relocating flash kernel writeable data sections
                  0x4ae0 =====================================================
                  Customer : %s
                  Platform : %s
                  Version : %s
                  CPU Type : %s
                  CPU Name : %s
                  CPU Id : 0x%X
                  Core Ver : %s
                  Date : %s
                  Time : %s
                  =====================================================
                  =====================================================
                  0x04b60 Bootloader run time error checks
                  =====================================================
                  bl 4758
                  beq 4ba0
                  bl 4758
                  0x04b98 Warning! BOOT.BIB RAM start address (0x%X) does not match compile time memory map (0x%X)
                  bl 4758
                  beq 4be8
                  bl 4758
                  bl 4758
                  0x04be4 Warning! BOOT.BIB RAM size (0x%X) does not match compile time memory map (0x%X)
                  =====================================================
                  bl 4758
                  bls 4c40
                  bl 4758
                  0x04c24 Warning! Changing flash cache start address from 0x%X to 0x%X
                  =====================================================
                  bl 4578
                  bl 8e90
                  bl 8f64
                  bl 8f80
                  0x049d4 ResetReason = 0x%x (0x%x = nRESET, 0x%x = software, 0x%x = watchdog, 0x%x = BATT_FAULT, 0x%x = VDD_FAULT)
                  Current CPU Speed = %d
                  0x04dbc Not clearing object store, preserving some Driver Globals entries
                  *lots of data shuffling*
                  0x04ee4 Clearing Driver Globals Area
                  bl 62b8 memset(b0040000, 0, 2048)
                  0x05128 Calling PlatformInit()
                  bl 5e28
                  0x0515c Diagnostics Failed!
                  0x051a8 Fatal error, looping!
                  bl 7310
                  *infinite loop*
                  0x051d0 *end*
0x051d4 - 0x051fc function
                  calls: 7310 9270
0x05200 - 0x05208 data
0x0520c - 0x05228 function
0x0522c - 0x05230 data
0x05234 - 0x05240 a pair of stub functions. r0=3
0x05244 - 0x05268 function
0x0526c - 0x05270 data
0x05274 - 0x05324 function
0x05328 - 0x0533c data
0x05340 - 0x053f0 Appears to be the final function before we jump to the image.
0x053f4 - 0x0540c data
0x05410           infinite loop
0x05414 - 0x05418 set r0 = 1 and jump to 0x053ec
0x0541c - 0x054cc MMU setup data table.
0x054dc - 0x054fc zero
0x05500 - 0x05564 function
0x05568 - 0x05584 function, but no stacking (only uses 4 regs?)
0x05588 - 0x055f0 virt_to_phys() (uses lookup table)
0x055f4 - 0x056a0 unknown
0x056a4 - 0x05b44 colossal function.
0x05b48 - 0x05bac data
0x05bb0 - 0x05bec 3 small functions.
0x05bf0 - 0x05cbc function.
0x05cc0 - 0x05cd8 data
0x05cdc - 0x05d3c code, unknown.
0x05d40 - 0x05e24 function.
0x05e28 - 0x060d4 PlatformInit();
0x060d8 - 0x06128 function.
0x0612c - 0x06130 data.
0x06134 - 0x061a0 define X:Y pixel plotting routine.
0x061a4 - 0x061cc unknown
0x061d0 - 0x0625c AC97 codec init. (ACUNIT)
0x062b8 - 0x0633c memset(base, val, len)
0x06340 - 0x06500? memcpy()
0x06504 - 0x06ce0 possibly all part of memcpy()
0x06ce4 - 0x06db8 part of string plotter
0x06dbc - 0x06ee4 part of string plotter (possibly a major one)
0x06ee8 - 0x6f30  appears to be related to string plotter.
0x06f34           pointer to table at 0x90049d00
0x06f38 - 0x06f80 appears to be related to string plotter.
0x06f84           pointer to table at 0x90049d00
0x06f88 - 0x07028 appears to be related to string plotter.
0x0702c           pointer to table at 0x90049d00
0x07030 - 0x0706c Not sure. probably related to surrounding stuff.
0x07070 - 0x0715c part of string plotter
0x7060            pointer to table at 0x90049d00
0x07164 - 0x071c4 define string plotter? (is called from other code with string pointers).
0x071c8 - 0x07530 debug functions
                  0x07310 - debug fn. takes strings in r0 (maybe others?)
0x07534 - 0x07674 debug printf
0x088f4 - 0x08c18 Print CPU status information
0x08d8c - 0x08e14 Cotulla CPU init (and jump to code? weird exit.)
                  *init PCMCIA
                  *setup GPIO stuff
                  *AC97 init
0x08e94 - 0x08e98 read r0 from 0xa9300008 (virt ad. of PM scratch register)
0x08efc - 0x08f60 function to determine CPU speed setting appropriate for reset type
0x08f64 - 0x08f74 store value in PM scratch reg AND in 0x404f0
0x08f80 - 0x08f8c set rtc to r0
0x0901c - 0x09020 read cp15,0
0x0a9f0 - 0x0aa44 take r0 and multiply by 0xe66.
                  then add r1
                  then do weird comparisons with data read from 0xa8e00010
                  return
0x0xxxx - 0x0aaa0 unknown
0x0aaa4 - 0x0aba4 MMU setup
                  calls: 49c4 (after MMU is turned on)
0x0aba8 - 0x0abc0 unknown
0x0abc4 - 0x0dfff function. Calls BMP decoding stuff.
0x0e000 - 0x0e00c function, twiddle MMU, then jump to r2.
0x10000 - 0x23034ish Image data and palette
0x23038           Seems to be workspace. looks to be inside the image, part of a block of data.

out of image stuff
90048020 (contains some value)
90048048 (no idea. used VERY late)
90048838 reset reason (1 = nReset, 2 = software, 4 = watchdog, 8 = batt fault, 16 = VDD fault)
9004883c unknown. (table???)
90049c80 address to execute binary from... (late, contains: 9000a8ac)
90049cc0 unknown. (appears to point to a table)
90049ce0 PCMCIA related? probably not. seems to be a string.
90049d00 table, graphics fns.

0xb0000000 - 0xb003ffff bootloader
0xb0040000 - 0xb0040800 'Driver Globals Area'. often cleared.
0xb0040300 Reset status
0xb0040344 result of calling 0x5588. memory address of some sort.
0xb0040364 copy of first insn in rom image. I think.
0xb00403a0 unknown.
0xb0040400 accessed just prior to booting the image.
0xb0040910 - 0xb0040a10 potentially wiped.
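
A way to cross-check the "calls:" lists against the address ranges in the map above, as an added example that is not part of the original notes. The function names (`parse_map`, `resolve`, `audit_calls`) and the choice of excerpt are assumptions made for illustration; the entries and call targets are copied from the map.

```python
import re

# Sample input: entries copied from the map above (some notes shortened).
MAP_EXCERPT = """\
0x01384 - 0x01464 function contains MMU and CPSR stuff.
0x01468 - 0x01474 call stubs? (may start at 1001464)
0x04578 dummy stub - return (mov pc,lr)
0x04758 - 0x04760 r0 = *(90002238) = 0x90023038, corrupts r3.
0x049c4 - 0x051d0 main() - the stuff that runs once the MMU is on.
0x05588 - 0x055f0 virt_to_phys() (uses lookup table)
0x05e28 - 0x060d4 PlatformInit();
0x062b8 - 0x0633c memset(base, val, len)
0x08e94 - 0x08e98 read r0 from 0xa9300008
0x08f64 - 0x08f74 store value in PM scratch reg AND in 0x404f0
"""
# Subset of the targets listed under "calls:" for main() at 0x049c4.
MAIN_CALLS = [0x4578, 0x1464, 0x8e90, 0x8f64, 0x62b8, 0x5e28, 0x5588]

# "0xSTART - 0xEND note" or "0xADDR note"; the end address is optional.
ENTRY = re.compile(r"^0x([0-9a-fA-F]+)(?:\s*-\s*0x([0-9a-fA-F]+))?\s+(.*)$")

def parse_map(text):
    """Return sorted (start, end, note) tuples; a lone address is a one-word region."""
    regions = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # continuation lines and separators carry no range
        start = int(m.group(1), 16)
        end = int(m.group(2), 16) if m.group(2) else start
        regions.append((start, end, m.group(3)))
    return sorted(regions)

def resolve(regions, target):
    """Classify a call target as 'entry' (region start), 'inside' or 'unmapped'."""
    for start, end, note in regions:
        if start <= target <= end:  # ranges in the notes are inclusive
            return ("entry" if target == start else "inside", start, note)
    return ("unmapped", None, None)

def audit_calls(regions, targets):
    """Return (target, kind) for every call that does not land on a region start."""
    return [(t, resolve(regions, t)[0]) for t in targets
            if resolve(regions, t)[0] != "entry"]

if __name__ == "__main__":
    for target, kind in audit_calls(parse_map(MAP_EXCERPT), MAIN_CALLS):
        print(f"call to 0x{target:05x}: {kind}")
```

Run against the excerpt, it reports 0x01464 as inside the 0x01384 function (the notes themselves suspect the call stubs start there) and 0x08e90 as unmapped, since the nearest entry begins at 0x08e94.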