Entries in ram are processed by SMACinitfrommemory and executeentry (which does the work). I suspect that these entries are loaded in from the rom from the rom_data_init call in the beginning stub. For now we'll do the simple thing of performing the actions they do, but for real it would be better to load out from ROM and execute the entries in a similar way. That way, if the cal data changes in the ROM, our code should still work. When radioinit first starts it seems to do checks for a 24MHZ clock and if the buck should be enabled. Assuming 24MHZ and no buck the next things it does is 5 entries in cal1 (40 bytes, 4 bytes per word, = 10 words, 2 words per entry = 5 entrys) 0x80003048 0x00000f78 0x8000304c 0x00607707 the next entry is zero addr with val 0x000161a8... this is a delay entry. Loop here 0x000161a8 times. then return. 0x00000000 0x000161a8 Then two more memory stuffs: 0x8000a050 0x0000047b 0x8000a054 0x0000007b then it seems like the emulator dies on the stack munging they do at the end of InitFromMemory... but I think I've decoded the entry enough to figure out the rest. then they do one entry of r4 base + 48 (gRadioTOCCal2_24MHz_c[0]) 0x80009000 0x80050100 then they do 11 entries in cal3 and reg replacment (first two have delays) 0x402b8c : 0x80009400 0x00020017 0x80009a04 0x8185a0a4 0x402b9c : 0x80009a00 0x8c900025 0x00000000 0x00011194 0x402bac : 0x80009a00 0x8c900021 0x80009a00 0x8c900027 0x402bbc : 0x00000000 0x00011194 0x80009a00 0x8c90002b 0x402bcc : 0x80009a00 0x8c90002f 0x00000000 0x00011194 0x402bdc : 0x80009a00 0x8c900000 then 4 entries from r5+24 (buffer_radio_init and cal5) 0x80009400 0x00000017 0x405230 : 0x8000a050 0x00000000 0x8000a054 0x00000000 0x405240 : 0x80003048 0x00000f00 then 43 entries from r4+152 (reg replacement) 0x402bec : 0x80004118 0x00180012 0x80009204 0x00000605 0x402bfc : 0x80009208 0x00000504 0x8000920c 0x00001111 0x402c0c : 0x80009210 0x0fc40000 0x80009300 0x20046000 0x402c1c : 0x80009304 0x4005580c 0x80009308 0x40075801 0x402c2c : 0x8000930c 0x4005d801 0x80009310 0x5a45d800 0x402c3c : 0x80009314 0x4a45d800 0x80009318 0x40044000 0x402c4c : 0x80009380 0x00106000 0x80009384 0x00083806 0x402c5c : 0x80009388 0x00093807 0x8000938c 0x0009b804 0x402c6c : 0x80009390 0x000db800 0x80009394 0x00093802 0x402c7c : 0x8000a008 0x00000015 0x8000a018 0x00000002 0x402c8c : 0x8000a01c 0x0000000f 0x80009424 0x0000aaa0 0x402c9c : 0x80009434 0x01002020 0x80009438 0x016800fe 0x402cac : 0x8000943c 0x8e578248 0x80009440 0x000000dd 0x402cbc : 0x80009444 0x00000946 0x80009448 0x0000035a 0x402ccc : 0x8000944c 0x00100010 0x80009450 0x00000515 0x402cdc : 0x80009460 0x00397feb 0x80009464 0x00180358 0x402cec : 0x8000947c 0x00000455 0x800094e0 0x00000001 0x402cfc : 0x800094e4 0x00020003 0x800094e8 0x00040014 0x402d0c : 0x800094ec 0x00240034 0x800094f0 0x00440144 0x402d1c : 0x800094f4 0x02440344 0x800094f8 0x04440544 0x402d2c : 0x80009470 0x0ee7fc00 0x8000981c 0x00000082 0x402d3c : 0x80009828 0x0000002a then flash init. (hrmm.. this might be important) then flyback init. then maybe buckbypass sequence... 4 entries from r4+16 0x402b64 : 0x80003000 0x00000018 0x80003048 0x00000f04 0x402b74 : 0x00000000 0x000161a8 0x80003048 0x00000ffc RadioInit is (roughly): SMAC_InitFromMemory(gRadioTOCCal1,40); SMAC_InitFromMemory(gRadioTOCCal2_24MHz_c,8); SMAC_InitFromMemory(gRadioTOCCal3_c,88); SMAC_InitFromMemory(gRadioTOCCal5,32); SMAC_InitFromMemory(gRadioInit_RegReplacement_c,344); SMAC_InitFromFlash(0x1F000); SMAC_InitFlybackSettings(); uint8_t i; uint8_t buffer_radio_init[16]; for(i=0; i<16; i++) { buffer_radio_init[i] = get_ctov(i,u8RamValues[3]); } /* After init from flash and flyback settings ram_init_val - 004055d0 004055d0 base +0 +4 +8 +c +10 +14 +18 +1c 0000 00000000 00000000 00000000 00000000 00000000 00000000 80009400 00000017 u8RamValues 00405424 base +0 +4 +8 +c +10 +14 +18 +1c 0000 0400009b 00000000 00000000 00010000 ff000000 00000000 00000000 00000000 */ /* 40308e: f000 f86d bl 40316c //get_ctov(0,0x9b) 403092: 1929 adds r1, r5, r4 // r4 = 0, r5 is &ram_init_val 403094: 7208 strb r0, [r1, #8] 403096: 1c64 adds r4, r4, #1 // r4=1 403098: 0620 lsls r0, r4, #24 40309a: 0e00 lsrs r0, r0, #24 40309c: 2810 cmp r0, #16 // 40309e: d3f3 bcc.n 403088 // branch if higher 4030a0: b001 add sp, #4 4030a2: 9804 ldr r0, [sp, #16] 4030a4: bcf0 pop {r4, r5, r6, r7} 4030a6: b001 add sp, #4 4030a8: 4700 bx r0 4030aa: 46c0 nop (mov r8, r8) */