PDA Ramblings...

Ian Molton spyro at f2s.com
Wed Feb 12 19:07:15 PST 2003


Well, not much to report really. Just starting to flesh out the reverse
engineering I already did.

The code below 0x5000 is mostly done now, as far as structure goes, and
some bits are fleshed out a bit.

There's a function at 15a4 that bears some looking at. It gets called a
LOT.

Other than that, not a lot doing.

Here's the current stuff...

0x00000                   branch to 0x1000
0x00004 - 0x00fff         data, mostly nulls.

--early setup
0x01000 - 0x010d4         code, early setup.
      calls: 1560 1384 1370 170c 1340 1674 17a4 1788 19b0
0x010d8 - 0x01114         data.
0x01118 - 0x01204         code, setup
      calls: 194c 1360 (finally, aaa4)
--end early setup

0x01208 - 0x0133c         data

0x01340 - 0x0135c         function (reads GPIO lines)
      counter = 0x20000
      read from 0x40e00000  GPIO 31:0
      do{
      if value == 2
        reset counter
      else if counter == 0
        return
      dec counter
      }loop

0x01360 - 0x0136c         read power management GPIO edge detect status
      read 0x40f00018
      and with 0x2  (and set flags)

0x01370 - 0x01380         function
      read 0x40f00030
      and with 11
      compare with 8

0x01384 - 0x01464         function  contains MMU and CPSR stuff. interesting.
                          Reset Controller stuff too... very nice.
      read 0x40f00030
      write back to 0x40f00030
      CALL 0x0170c
      read 0x40f00032 (undocumented memory loc?)
      write 0x40e00024
      read 0x40f00036 (undoc.?)
      write 0x40e00036
      etc.
      Calls: 1360 1340 1674 17a4 194c (10d4 return) (maybe e000)

0x01468 - 0x01474         call stubs? (may start at 1001464)

0x01478 - 0x0148c         function (has stack)
      calls 1490 (twice) with r0 == 0x96
      
0x01490 - 0x014cc         function
      calls: 14bc 14ac 14cc

0x014d0 - 0x0155c         data

0x01560 - 0x01594         function

0x01598 - 0x015a0         function. MMU, reading?
0x015a4 - 0x015f0         function
      calls: 1940 1598

0x015f4 - 0x01670         data (8 bit tables?)

0x01674 - 0x01708         function. lots of calls to 15a4
      calls: 1940 15a4

0x0170c - 0x01784         function
0x01788 - 0x017a0         function. messes with CR14
0x017a4 - 0x0186c         function. more messing with CR14
      calls: 1940 1560 181c

0x01870 - 0x0193c         data

0x01940 - 0x01948         function. set r0 to 1 the hard way
0x0194c - 0x019ac         function
      calls: 1940 (why?) 15a4
0x019b0 - 0x01a48         function
      calls: 1b7c

0x01a4c - 0x01a88         data

0x01a8c - 0x01be0         code
0x01be4 - 0x01cbc         data.
0x01cc0 - ????            alphabet bitmaps
????    - 0x04458         data, unknown
0x04458 - 0x04490         code, unknown.
0x04494 - 0x04504         table setup for 'graphics table' @ 0x90049d00
0x04508 - 0x04550         table setup for table @ 0x90049cc0. looks graphicy.
0x04554 - 0x04564         data for 'graphics table' @ 0x90049d00
0x04568 - 0x04570         stub function to read r0 from 0x90048000
0x04578                   dummy stub - return (mov pc,lr)
0x0457c - 0x046a8         code, unknown, large, single function, calls a lot, inc. indirect.
0x046ac - 0x046e4         data. all addresses in the 0x900xxxxx range. (ie RAM?)
0x046e8 - 0x046ec         stub. returns r0=1
0x046f0 - 0x0472c         code. looks like pre-stack code. probably not C.
0x04730 - 0x04754         code. probably C.
      calls: 0x1468
0x04758 - 0x04760         stub. reads r0 from 0x90002238, corrupts r3.
0x04764                   data for above stub.
0x04768 - 0x04818         code. odd entry, probably C.
      calls: 0x146c
0x0481c                   constant
0x04820 - 0x049c0         large function. has embedded data.
      calls: 0x146c, 0x1a8c, 0x1478, 0x4768, 0x6340, 0x62b8
0x049c4 - 0x051fc???      very large function
      calls: a_LOT.
0x05200 - 0x05208         data
0x0520c - 0x05228         function
0x0522c - 0x05230         data
0x05234 - 0x05240         a pair of stub functions. r0=3
0x05244 - 0x05268         function
0x0526c - 0x05270         data
0x05274 - 0x05324         function
0x05328 - 0x0533c         data
0x05340 - 0x053f0         function
0x053f4 - 0x0540c         data
0x05410                   infinite loop
0x05414 - 0x05418         set r0 = 1 and jump to 0x053ec
0x0541c - 0x054fc         data (allsorts!)
0x05500 - 0x05564         function
0x05568 - 0x056a0         function, but no stacking (only uses 4 regs?)
0x056a4 - 0x05b44         colossal function.
0x05b48 - 0x05bac         data
0x05bb0 - 0x05bec         3 small functions.
0x05bf0 - 0x05cbc         function.
0x05cc0 - 0x05cd8         data
0x05cdc - 0x05d3c         code, unknown.
0x05d40 - 0x05e24         function.
0x05e28 - 0x060d4         function.
0x060d8 - 0x06128         function.
0x0612c - 0x06130         data.
0x06134 - 0x061a0         define X:Y pixel plotting routine.
0x061a4 - 0x06ce0         unknown


0x06ce4 - 0x06db8         part of string plotter
      calls: 0x6dbc, *0x90049d00
0x06dbc - 0x06ee4         part of string plotter (possibly a major one)
      calls: *0x90049d00
0x06ee8 - 0x6f30          appears to be related to string plotter.
      calls: 0x6ce4
0x06f34                   pointer to table at 0x90049d00
0x06f38 - 0x06f80         appears to be related to string plotter.
      calls: 0x6ce4 *0x90049d00
0x06f84                   pointer to table at 0x90049d00
0x06f88 - 0x07028         appears to be related to string plotter.
      calls: 0x6ee8 0x6f38 *0x90049d00
0x0702c                   pointer to table at 0x90049d00
0x07030 - 0x0706c         Not sure. probably related to surrounding stuff.
      calls: 0x6ee8
0x07070 - 0x0715c         part of string plotter
      calls: 0x6ce4
0x7060                    pointer to table at 0x90049d00
0x07164 - 0x071c4         define string plotter? (is called from other code with string pointers).
      calls: 0x7070


0x071c8 - 0x0ffff         unknown
0x10000 - 0x23034ish      Image data and palette
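
As an added example (not part of the original post and not the author's tooling): a small Python parser for the map format used above, which counts how many listed callers each call target has and flags targets that land inside a region rather than at its start. It assumes every hex token on a `calls:` line is a target and that region ends are inclusive; the embedded text is an excerpt of the map, not the full listing.

```python
import re
from collections import Counter

# Excerpt copied from the map in the post above (not the full listing).
MAP_EXCERPT = """\
0x01560 - 0x01594         function
0x01598 - 0x015a0         function. MMU, reading?
0x015a4 - 0x015f0         function
      calls: 1940 1598
0x01674 - 0x01708         function. lots of calls to 15a4
      calls: 1940 15a4
0x017a4 - 0x0186c         function. more messing with CR14
      calls: 1940 1560 181c
0x01940 - 0x01948         function. set r0 to 1 the hard way
0x0194c - 0x019ac         function
      calls: 1940 (why?) 15a4
0x019b0 - 0x01a48         function
      calls: 1b7c
"""

# "\S*" after the end address tolerates suffixes such as "???" or "ish".
REGION = re.compile(r"^0x([0-9a-f]+)\s*-\s*0x([0-9a-f]+)\S*\s+(.*)$", re.I)
CALLS = re.compile(r"^\s+calls:?\s*(.*)$", re.I)
# Assumption: any 3-8 digit hex token is an address (a word like "dead" would too).
ADDR = re.compile(r"\b(?:0x)?([0-9a-f]{3,8})\b", re.I)

def parse_map(text):
    """Return [{'start', 'end', 'desc', 'calls'}] in listing order."""
    regions = []
    for line in text.splitlines():
        if m := REGION.match(line):
            regions.append({"start": int(m[1], 16), "end": int(m[2], 16),
                            "desc": m[3].strip(), "calls": []})
        elif (m := CALLS.match(line)) and regions:
            # A "calls:" line belongs to the region listed just before it.
            regions[-1]["calls"] += [int(a, 16) for a in ADDR.findall(m[1])]
    return regions

def fan_in(regions):
    """Count distinct listed callers per call target."""
    return Counter(t for r in regions for t in set(r["calls"]))

def classify(target, regions):
    """'entry' = a region start, 'interior' = inside a region, else 'unmapped'."""
    for r in regions:
        if target == r["start"]:
            return "entry"
        if r["start"] < target <= r["end"]:
            return "interior"
    return "unmapped"
```

On the excerpt, `fan_in(parse_map(MAP_EXCERPT)).most_common()` ranks 0x1940 first, and `classify` marks 181c as interior to the 0x017a4 region, which is the kind of target worth re-checking for a missed function boundary or local label.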
