Finished reversing the interrupt handler. Found a very interesting magic
sequence. There is a lot here to try.
This commit is contained in:
parent
e007f72530
commit
78f182e658
@ -713,7 +713,7 @@ Disassembly of section .text:
14: 6304 str r4, [r0, #48] // 0x800040c4 gets r4 (maca_clr)
14: 6304 str r4, [r0, #48] // 0x800040c4 gets r4 (maca_clr)
// if((*MACA_IRQ & 0xffff) != 0) {
// if((*MACA_IRQ & 0xffff) != 0) {
16: 0420 lsls r0, r4, #16 // r0 = r4 << 16 ; ro = (*MACA_IRQ) << 16
16: 0420 lsls r0, r4, #16 // r0 = r4 << 16 ; r0 = (*MACA_IRQ) << 16
18: d501 bpl.n 1e <MACA_Interrupt+0x1e>
18: d501 bpl.n 1e <MACA_Interrupt+0x1e>
if( *MACA_TXLEN == 0 ) {
if( *MACA_TXLEN == 0 ) {
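Review bot: The comment `// if((*MACA_IRQ & 0xffff) != 0) {` above 0x16 does not match the instructions under it: `lsls r0, r4, #16` moves bit 15 of r4 into the sign bit and `bpl.n 1e` branches on that one bit only, so the test is on bit 15 of the status word in r4 (which the 0x10e comment later calls the irq state), not on the whole low half-word; `// if (irq & (1 << 15)) {` would be accurate. Hunk 2 has the same pattern at 0x1e: `lsls r0, r4, #31` writes r0 from bit 0 of r4 and leaves r4 untouched, so `// r4 = *(MACA_TXLEN << 31)` should read `// r0 = r4 << 31 ; N = bit 0 of irq status`, and the following `bpl.n 10c` is taken when that bit is clear. Whether bit 0 really corresponds to `*MACA_TXLEN == 0` is the annotator's hypothesis and the comment should mark it as one. MACA_Interrupt's prologue lies before this hunk.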
@ -722,7 +722,7 @@ Disassembly of section .text:
1e: 07e0 lsls r0, r4, #31 // r4 = *(MACA_TXLEN << 31)
1e: 07e0 lsls r0, r4, #31 // r4 = *(MACA_TXLEN << 31)
20: d574 bpl.n 10c <MACA_Interrupt+0x10c>
20: d574 bpl.n 10c <MACA_Interrupt+0x10c>
*(0x80004010) swithc (*MACA_STATUS & 0xf) {
*(0x80004010) switch (*MACA_STATUS & 0xf) {
22: 486f ldr r0, [pc, #444] (1e0 <MACA_Interrupt+0x1e0>)
22: 486f ldr r0, [pc, #444] (1e0 <MACA_Interrupt+0x1e0>)
24: 6840 ldr r0, [r0, #4]
24: 6840 ldr r0, [r0, #4]
26: 0700 lsls r0, r0, #28
26: 0700 lsls r0, r0, #28
@ -859,30 +859,47 @@ Disassembly of section .text:
} else { // from *MACA_TXLEN == 0
} else { // from *MACA_TXLEN == 0
10c: 4839 ldr r0, [pc, #228] (1f4 <MACA_Interrupt+0x1f4>)
10c: 4839 ldr r0, [pc, #228] (1f4 <MACA_Interrupt+0x1f4>) // r0 = 0x1001
10e: 4020 ands r0, r4
10e: 4020 ands r0, r4 // r4 is the irq state, mask action complete and timeout
110: 2180 movs r1, #128
110: 2180 movs r1, #128 // r1 = 128
112: 0149 lsls r1, r1, #5
112: 0149 lsls r1, r1, #5 // r1 = 0x1000
114: 4288 cmp r0, r1
114: 4288 cmp r0, r1
116: d101 bne.n 11c <MACA_Interrupt+0x11c>
116: d101 bne.n 11c <MACA_Interrupt+0x11c>
// if (timeout) {
// inject(24) and return
118: 2018 movs r0, #24
118: 2018 movs r0, #24
11a: e7bb b.n 94 <MACA_Interrupt+0x94>
11a: e7bb b.n 94 <MACA_Interrupt+0x94>
11c: 2102 movs r1, #2
//}
11c: 2102 movs r1, #2 // r1 = 2
11e: 420c tst r4, r1
11e: 420c tst r4, r1
// if(poll) {
120: d017 beq.n 152 <MACA_Interrupt+0x152>
120: d017 beq.n 152 <MACA_Interrupt+0x152>
}
// do the *0x50 == 0 test
122: 4831 ldr r0, [pc, #196] (1e8 <MACA_Interrupt+0x1e8>)
122: 4831 ldr r0, [pc, #196] (1e8 <MACA_Interrupt+0x1e8>)
124: 7800 ldrb r0, [r0, #0]
124: 7800 ldrb r0, [r0, #0]
126: 2800 cmp r0, #0
126: 2800 cmp r0, #0
128: d109 bne.n 13e <MACA_Interrupt+0x13e>
128: d109 bne.n 13e <MACA_Interrupt+0x13e>
12a: 4833 ldr r0, [pc, #204] (1f8 <MACA_Interrupt+0x1f8>)
12a: 4833 ldr r0, [pc, #204] (1f8 <MACA_Interrupt+0x1f8>)
12c: f7ff fffe bl 0 <__aeabi_uread4>
12c: f7ff fffe bl 0 <__aeabi_uread4>
130: 2800 cmp r0, #0
130: 2800 cmp r0, #0
132: d000 beq.n 136 <MACA_Interrupt+0x136>
132: d000 beq.n 136 <MACA_Interrupt+0x136>
134: 2001 movs r0, #1
136: 492a ldr r1, [pc, #168] (1e0 <MACA_Interrupt+0x1e0>)
134: 2001 movs r0, #1 // r0 = 1
138: 6088 str r0, [r1, #8]
136: 492a ldr r1, [pc, #168] (1e0 <MACA_Interrupt+0x1e0>) r1 = *(0x800040b4) reserved
138: 6088 str r0, [r1, #8] *(0x800040b4) + 8 = 1;
// inject(23) and return
13a: 2017 movs r0, #23
13a: 2017 movs r0, #23
13c: e78a b.n 54 <MACA_Interrupt+0x54>
13c: e78a b.n 54 <MACA_Interrupt+0x54>
// rom != 0
// inject(14)
13e: 200e movs r0, #14
13e: 200e movs r0, #14
140: f7ff fffe bl 0 <SeqInjectEvent>
140: f7ff fffe bl 0 <SeqInjectEvent>
144: 482a ldr r0, [pc, #168] (1f0 <MACA_Interrupt+0x1f0>)
144: 482a ldr r0, [pc, #168] (1f0 <MACA_Interrupt+0x1f0>)
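Review bot: The new comments at 0x136 and 0x138 (`r1 = *(0x800040b4) reserved`, `*(0x800040b4) + 8 = 1;`) lack the `//` every other annotation on the page uses, and the second misstates both the arithmetic and the value: `str r0, [r1, #8]` writes r0 to `*(r1 + 8)`, and r0 is 1 only when the `beq.n 136` at 0x132 was not taken, so the store is really `// *(r1 + 8) = (uread4 result != 0)`. The same literal-pool slot is also given different addresses across the page: 1e0 is `0x800040b4` here but `0x80004070` at 0x178 in hunk 4; 1e4 is `0x80004108`, `0x800040F8`, `0x80040c4`, `0x800040b4` and `0x80004094` at 0x16c, 0x17e, 0x1b2, 0x1c0 and 0x1d6 (hunks 4 and 5); and the byte behind 1e8 is called `*0x50`, `txlen` and `rom` at 0x122, 0x166 and 0x184. Every `ldr rN, [pc, #off] (1xx ...)` loads the same word from the same pool entry, so each slot can have only one address. Suggest a header comment listing the pool entries 1e0, 1e4, 1e8, 1f0, 1f4, 1f8 and 1fc with the address each resolves to, marking those that are still guesses, and then using that name consistently at each load site.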
@ -890,69 +907,92 @@ Disassembly of section .text:
148: f7ff fffe bl 0 <CommonRxSetup>
148: f7ff fffe bl 0 <CommonRxSetup>
14c: 2800 cmp r0, #0
14c: 2800 cmp r0, #0
14e: d044 beq.n 1da <MACA_Interrupt+0x1da>
14e: d044 beq.n 1da <MACA_Interrupt+0x1da>
// return
150: e789 b.n 66 <MACA_Interrupt+0x66>
150: e789 b.n 66 <MACA_Interrupt+0x66>
// when poll == 1
152: 2104 movs r1, #4
152: 2104 movs r1, #4
154: 420c tst r4, r1
154: 420c tst r4, r1 // if (data_indication) {
156: d001 beq.n 15c <MACA_Interrupt+0x15c>
156: d001 beq.n 15c <MACA_Interrupt+0x15c>
} else {
// inject(14) and return
158: 200e movs r0, #14
158: 200e movs r0, #14
15a: e77b b.n 54 <MACA_Interrupt+0x54>
15a: e77b b.n 54 <MACA_Interrupt+0x54>
15c: 0520 lsls r0, r4, #20
}
15e: d436 bmi.n 1ce <MACA_Interrupt+0x1ce>
// data_indication == 1
15c: 0520 lsls r0, r4, #20 // r0 = saved irq status << 20
15e: d436 bmi.n 1ce <MACA_Interrupt+0x1ce> // branch if negative (so if irq bit 11 is set, failed filter
160: 0460 lsls r0, r4, #17
160: 0460 lsls r0, r4, #17
162: d506 bpl.n 172 <MACA_Interrupt+0x172>
162: d506 bpl.n 172 <MACA_Interrupt+0x172> // branch if !bit 14, sync detect
164: 4820 ldr r0, [pc, #128] (1e8 <MACA_Interrupt+0x1e8>)
164: 4820 ldr r0, [pc, #128] (1e8 <MACA_Interrupt+0x1e8>)
166: 7800 ldrb r0, [r0, #0]
166: 7800 ldrb r0, [r0, #0] // check if txlen is 0
168: 2800 cmp r0, #0
168: 2800 cmp r0, #0 // if not zero, return (maybe this is an ack to transmit?)
16a: d136 bne.n 1da <MACA_Interrupt+0x1da>
16a: d136 bne.n 1da <MACA_Interrupt+0x1da>
16c: 481d ldr r0, [pc, #116] (1e4 <MACA_Interrupt+0x1e4>)
16e: 2108 movs r1, #8
16c: 481d ldr r0, [pc, #116] (1e4 <MACA_Interrupt+0x1e4>) // r0 = *0x80004108
170: e032 b.n 1d8 <MACA_Interrupt+0x1d8>
16e: 2108 movs r1, #8 // r1 = 8
172: 01c9 lsls r1, r1, #7
170: e032 b.n 1d8 <MACA_Interrupt+0x1d8> // return
// sync not detectd
// return if bit 7
172: 01c9 lsls r1, r1, #7 // r1 had 4, now r1 = 4 << 7
174: 420c tst r4, r1
174: 420c tst r4, r1
176: d030 beq.n 1da <MACA_Interrupt+0x1da>
176: d030 beq.n 1da <MACA_Interrupt+0x1da> // return if fifo level
178: 4819 ldr r0, [pc, #100] (1e0 <MACA_Interrupt+0x1e0>)
17a: 6f40 ldr r0, [r0, #116]
178: 4819 ldr r0, [pc, #100] (1e0 <MACA_Interrupt+0x1e0>) r0 = *0x80004070, reserved
17a: 6f40 ldr r0, [r0, #116] r0 = *(*0x80004070 + 116)
17c: 4a19 ldr r2, [pc, #100] (1e4 <MACA_Interrupt+0x1e4>)
17c: 4a19 ldr r2, [pc, #100] (1e4 <MACA_Interrupt+0x1e4>)
17e: 6852 ldr r2, [r2, #4]
17e: 6852 ldr r2, [r2, #4] r2 = *(*0x800040F8 + 4)
180: 2a08 cmp r2, #8
180: 2a08 cmp r2, #8
182: d128 bne.n 1d6 <MACA_Interrupt+0x1d6>
182: d128 bne.n 1d6 <MACA_Interrupt+0x1d6> // branch if r2 != 8 // *0x80004094 = r1 (r1 = 0x200 here), and return
// *0x50 test
184: 4a18 ldr r2, [pc, #96] (1e8 <MACA_Interrupt+0x1e8>)
184: 4a18 ldr r2, [pc, #96] (1e8 <MACA_Interrupt+0x1e8>)
186: 7812 ldrb r2, [r2, #0]
186: 7812 ldrb r2, [r2, #0]
188: 2a00 cmp r2, #0
188: 2a00 cmp r2, #0
18a: d124 bne.n 1d6 <MACA_Interrupt+0x1d6>
18a: d124 bne.n 1d6 <MACA_Interrupt+0x1d6> //if rom == 0 return
18c: 7941 ldrb r1, [r0, #5]
18e: 020a lsls r2, r1, #8
18c: 7941 ldrb r1, [r0, #5] // r1 = *(uint8_t * )0x80004075
190: 7901 ldrb r1, [r0, #4]
18e: 020a lsls r2, r1, #8 // r2 = r1 << 8
192: 4311 orrs r1, r2
190: 7901 ldrb r1, [r0, #4] // r1 = *(uint8_t * )0x80004074
194: 79c2 ldrb r2, [r0, #7]
192: 4311 orrs r1, r2 // temp = *(uint8_t *)0x80004075 | *(uint8_t *)0x80004074
196: 0213 lsls r3, r2, #8
194: 79c2 ldrb r2, [r0, #7] // *(uint8_t * )0x80004077 = temp
198: 7982 ldrb r2, [r0, #6]
196: 0213 lsls r3, r2, #8 // r3 = temp << 8
198: 7982 ldrb r2, [r0, #6] // temp = *(uint8_t * )0x80004076
19a: 431a orrs r2, r3
19a: 431a orrs r2, r3
19c: 7883 ldrb r3, [r0, #2]
19c: 7883 ldrb r3, [r0, #2] // *(uint8_t * )0x80004072 = r3 | temp
19e: 021b lsls r3, r3, #8
19e: 021b lsls r3, r3, #8 // r3 = r3 << 8
1a0: 7840 ldrb r0, [r0, #1]
1a0: 7840 ldrb r0, [r0, #1] // r0 = *(uint8_t * )0x80004071
1a2: 4318 orrs r0, r3
1a2: 4318 orrs r0, r3 // r0 = r0 | r3
1a4: 23c4 movs r3, #196
1a4: 23c4 movs r3, #196 // r3 = 0xc4
1a6: 011b lsls r3, r3, #4
1a6: 011b lsls r3, r3, #4 // r3 = 0xc40
1a8: 4003 ands r3, r0
1a8: 4003 ands r3, r0 // r3 = 0xc40 & r0
1aa: 2084 movs r0, #132
1aa: 2084 movs r0, #132 // r0 = 0x84
1ac: 0100 lsls r0, r0, #4
1ac: 0100 lsls r0, r0, #4 // r0 = 0x840
1ae: 4283 cmp r3, r0
1ae: 4283 cmp r3, r0 // is r3 == 0x840?
1b0: d113 bne.n 1da <MACA_Interrupt+0x1da>
1b0: d113 bne.n 1da <MACA_Interrupt+0x1da> // branch if r3 != 0x840
1b2: 4b0c ldr r3, [pc, #48] (1e4 <MACA_Interrupt+0x1e4>)
1b2: 4b0c ldr r3, [pc, #48] (1e4 <MACA_Interrupt+0x1e4>) // r3 = *(0x80040c4) *maca_clrirq
1b4: 6f1b ldr r3, [r3, #112]
1b4: 6f1b ldr r3, [r3, #112] // r3 = *maca_irq + 112
1b6: 429a cmp r2, r3
1b6: 429a cmp r2, r3
1b8: d002 beq.n 1c0 <MACA_Interrupt+0x1c0>
1b8: d002 beq.n 1c0 <MACA_Interrupt+0x1c0> // branch if r2 == r3
1ba: 4810 ldr r0, [pc, #64] (1fc <MACA_Interrupt+0x1fc>)
1ba: 4810 ldr r0, [pc, #64] (1fc <MACA_Interrupt+0x1fc>) // r0 = 0xffff + 64
1bc: 4282 cmp r2, r0
1bc: 4282 cmp r2, r0
1be: d10c bne.n 1da <MACA_Interrupt+0x1da>
1c0: 4a08 ldr r2, [pc, #32] (1e4 <MACA_Interrupt+0x1e4>)
1be: d10c bne.n 1da <MACA_Interrupt+0x1da> // return if some rom location == r0
1c2: 6ed2 ldr r2, [r2, #108]
1c0: 4a08 ldr r2, [pc, #32] (1e4 <MACA_Interrupt+0x1e4>) r2 = *(0x800040b4)
1c2: 6ed2 ldr r2, [r2, #108] r2 = *(0x800040b4) + 108
1c4: 4291 cmp r1, r2
1c4: 4291 cmp r1, r2
1c6: d008 beq.n 1da <MACA_Interrupt+0x1da>
1c6: d008 beq.n 1da <MACA_Interrupt+0x1da> // return if r1 == r2
1c8: 480c ldr r0, [pc, #48] (1fc <MACA_Interrupt+0x1fc>)
1c8: 480c ldr r0, [pc, #48] (1fc <MACA_Interrupt+0x1fc>) r0 = *(0xffff + 48)
1ca: 4281 cmp r1, r0
1ca: 4281 cmp r1, r0
1cc: d005 beq.n 1da <MACA_Interrupt+0x1da>
1cc: d005 beq.n 1da <MACA_Interrupt+0x1da> // return if r1 == r0 or resumemacasync, inject(20), and return.
// if(code = 2, channel_busy) {
// if(code = 2, channel_busy) {
1ce: f7ff fffe bl 0 <ResumeMACASync>
1ce: f7ff fffe bl 0 <ResumeMACASync>
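Review bot: Several added comments invert the sense of a `tst`/`cmp` followed by `beq`/`bne`: `beq.n 152` at 0x120 is taken when the bit tested by `tst r4, r1` (r1 = 2) is clear, so 0x152 is reached when that bit is not set and `// when poll == 1` contradicts the `// if(poll) {` placed at the test; `beq.n 15c` at 0x156 likewise reaches 0x15c when bit 2 is clear, so `} else {` at 0x158 and `// data_indication == 1` at 0x15c are swapped; `bne.n 1d6 //if rom == 0 return` at 0x18a branches when the byte is non-zero; and `bne.n 1da // return if some rom location == r0` at 0x1be returns when r2 != r0. The `ldrb` comments at 0x194 (`*(uint8_t *)0x80004077 = temp`) and 0x19c (`*(uint8_t *)0x80004072 = r3 | temp`) describe stores, but `ldrb` only loads; the 0x18c–0x192 sequence is a little-endian 16-bit read, `// r1 = byte[5] << 8 | byte[4]`, and the comment at 0x192 drops the shift. The `[pc, #N]` offsets at 0x1ba and 0x1c8 are pool addresses, not terms added to the value: both load the same word at 1fc, so `r0 = 0xffff + 64` and `r0 = *(0xffff + 48)` should both read `// r0 = pool[1fc]` with the constant taken from the literal-pool dump, which is outside this hunk. `// return if bit 7` before 0x172 is also off: r1 is 4 from 0x152 and `lsls r1, r1, #7` makes it 0x200 (bit 9, as the 0x182 comment already says), and `beq.n 1da` at 0x176 returns when that bit is clear, not when it is set.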
@ -960,8 +1000,10 @@ Disassembly of section .text:
1d2: 2014 movs r0, #20
1d2: 2014 movs r0, #20
1d4: e73e b.n 54 <MACA_Interrupt+0x54>
1d4: e73e b.n 54 <MACA_Interrupt+0x54>
// *0x80004094 = r1, and return
1d6: 4803 ldr r0, [pc, #12] (1e4 <MACA_Interrupt+0x1e4>)
1d6: 4803 ldr r0, [pc, #12] (1e4 <MACA_Interrupt+0x1e4>)
1d8: 6001 str r1, [r0, #0]
1d8: 6001 str r1, [r0, #0]
1da: bc1c pop {r2, r3, r4}
1da: bc1c pop {r2, r3, r4}
1dc: bc01 pop {r0}
1dc: bc01 pop {r0}
1de: 4700 bx r0
1de: 4700 bx r0
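Review bot: The comment `// *0x80004094 = r1, and return` above 0x1d6 covers only the fall-in from the `bne.n 1d6` branches at 0x182 and 0x18a, where r1 is 0x200; 0x1d8 is also the target of `170: e032 b.n 1d8` in hunk 4, which arrives with r0 already loaded from the same 1e4 pool entry at 0x16c and r1 = 8 from 0x16e, so the store writes 0x200 on one path and 8 on the other. Suggest `// 1d8 also entered from 0x170 with r0 = pool[1e4], r1 = 8; from 0x182/0x18a with r1 = 0x200` on the 0x1d8 line. The epilogue `pop {r2, r3, r4}` / `pop {r0}` / `bx r0` is the function's return through the popped return address, and the matching pushes are in the prologue before these hunks; a `// return: saved lr popped into r0` comment at 0x1dc would make the shared exit at 0x1da (reached by most of the `b.n 1da` branches above) easier to follow.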