Entries in ram are processed by SMACinitfrommemory and executeentry (which does the work). I suspect that these entries are loaded in from the rom from the rom_data_init call in the beginning stub. For now we'll do the simple thing of performing the actions they do, but for real it would be better to load out from ROM and execute the entries in a similar way. That way, if the cal data changes in the ROM, our code should still work. When radioinit first starts it seems to do checks for a 24MHZ clock and if the buck should be enabled. Assuming 24MHZ and no buck the next things it does is 5 entries in cal1 (40 bytes, 4 bytes per word, = 10 words, 2 words per entry = 5 entrys) 0x80003048 0x00000f78 0x8000304c 0x00607707 the next entry is zero addr with val 0x000161a8... this is a delay entry. Loop here 0x000161a8 times. then return. 0x00000000 0x000161a8 Then two more memory stuffs: 0x8000a050 0x0000047b 0x8000a054 0x0000007b then it seems like the emulator dies on the stack munging they do at the end of InitFromMemory... but I think I've decoded the entry enough to figure out the rest. then they do one entry of r4 base + 48 (gRadioTOCCal2_24MHz_c[0]) 0x80009000 0x80050100 then they do 11 entries in cal3 and reg replacment (first two have delays) 0x402b8c <gRadioTOCCal3_c>: 0x80009400 0x00020017 0x80009a04 0x8185a0a4 0x402b9c <gRadioTOCCal3_c+16>: 0x80009a00 0x8c900025 0x00000000 0x00011194 0x402bac <gRadioTOCCal3_c+32>: 0x80009a00 0x8c900021 0x80009a00 0x8c900027 0x402bbc <gRadioTOCCal3_c+48>: 0x00000000 0x00011194 0x80009a00 0x8c90002b 0x402bcc <gRadioTOCCal3_c+64>: 0x80009a00 0x8c90002f 0x00000000 0x00011194 0x402bdc <gRadioTOCCal3_c+80>: 0x80009a00 0x8c900000 then 4 entries from r5+24 (buffer_radio_init and cal5) 0x80009400 0x00000017 0x405230 <gRadioTOCCal5+8>: 0x8000a050 0x00000000 0x8000a054 0x00000000 0x405240 <gRadioTOCCal5+24>: 0x80003048 0x00000f00 then 43 entries from r4+152 (reg replacement) 0x402bec <gRadioInit_RegReplacement_c>: 0x80004118 0x00180012 0x80009204 0x00000605 0x402bfc <gRadioInit_RegReplacement_c+16>: 0x80009208 0x00000504 0x8000920c 0x00001111 0x402c0c <gRadioInit_RegReplacement_c+32>: 0x80009210 0x0fc40000 0x80009300 0x20046000 0x402c1c <gRadioInit_RegReplacement_c+48>: 0x80009304 0x4005580c 0x80009308 0x40075801 0x402c2c <gRadioInit_RegReplacement_c+64>: 0x8000930c 0x4005d801 0x80009310 0x5a45d800 0x402c3c <gRadioInit_RegReplacement_c+80>: 0x80009314 0x4a45d800 0x80009318 0x40044000 0x402c4c <gRadioInit_RegReplacement_c+96>: 0x80009380 0x00106000 0x80009384 0x00083806 0x402c5c <gRadioInit_RegReplacement_c+112>: 0x80009388 0x00093807 0x8000938c 0x0009b804 0x402c6c <gRadioInit_RegReplacement_c+128>: 0x80009390 0x000db800 0x80009394 0x00093802 0x402c7c <gRadioInit_RegReplacement_c+144>: 0x8000a008 0x00000015 0x8000a018 0x00000002 0x402c8c <gRadioInit_RegReplacement_c+160>: 0x8000a01c 0x0000000f 0x80009424 0x0000aaa0 0x402c9c <gRadioInit_RegReplacement_c+176>: 0x80009434 0x01002020 0x80009438 0x016800fe 0x402cac <gRadioInit_RegReplacement_c+192>: 0x8000943c 0x8e578248 0x80009440 0x000000dd 0x402cbc <gRadioInit_RegReplacement_c+208>: 0x80009444 0x00000946 0x80009448 0x0000035a 0x402ccc <gRadioInit_RegReplacement_c+224>: 0x8000944c 0x00100010 0x80009450 0x00000515 0x402cdc <gRadioInit_RegReplacement_c+240>: 0x80009460 0x00397feb 0x80009464 0x00180358 0x402cec <gRadioInit_RegReplacement_c+256>: 0x8000947c 0x00000455 0x800094e0 0x00000001 0x402cfc <gRadioInit_RegReplacement_c+272>: 0x800094e4 0x00020003 0x800094e8 0x00040014 0x402d0c <gRadioInit_RegReplacement_c+288>: 0x800094ec 0x00240034 0x800094f0 0x00440144 0x402d1c <gRadioInit_RegReplacement_c+304>: 0x800094f4 0x02440344 0x800094f8 0x04440544 0x402d2c <gRadioInit_RegReplacement_c+320>: 0x80009470 0x0ee7fc00 0x8000981c 0x00000082 0x402d3c <gRadioInit_RegReplacement_c+336>: 0x80009828 0x0000002a then flash init. (hrmm.. this might be important) then flyback init. then maybe buckbypass sequence... 4 entries from r4+16 0x402b64 <gBuckByPass_c>: 0x80003000 0x00000018 0x80003048 0x00000f04 0x402b74 <gBuckByPass_c+16>: 0x00000000 0x000161a8 0x80003048 0x00000ffc RadioInit is (roughly): SMAC_InitFromMemory(gRadioTOCCal1,40); SMAC_InitFromMemory(gRadioTOCCal2_24MHz_c,8); SMAC_InitFromMemory(gRadioTOCCal3_c,88); SMAC_InitFromMemory(gRadioTOCCal5,32); SMAC_InitFromMemory(gRadioInit_RegReplacement_c,344); SMAC_InitFromFlash(0x1F000); SMAC_InitFlybackSettings(); SMAC_InitFromMemory(gBuckByPass_c,16); fill_ram_struct(&u8RamValues); uint8_t i; uint8_t buffer_radio_init[16]; for(i=0; i<16; i++) { buffer_radio_init[i] = get_ctov(i,u8RamValues[3]); } Some kind of success! This replacment works: // RadioInit(PLATFORM_CLOCK, gDigitalClock_PN_c, u32LoopDiv); // need this to work /* my replacment for RadioInit, flyback and vreg have been separated out */ radio_init(); // SMAC_InitFromMemory(gRadioTOCCal1,40); // *(volatile uint32_t *)0x80009000 = 0x80050100; // SMAC_InitFromMemory(gRadioTOCCal2_24MHz_c,8); // SMAC_InitFromMemory(gRadioTOCCal3_c,88); // SMAC_InitFromMemory(gRadioTOCCal5,32); // SMAC_InitFromMemory(gRadioInit_RegReplacement_c,344); // SMAC_InitFromFlash(0x1F000); // SMAC_InitFlybackSettings(); flyback_init(); // SMAC_InitFromMemory(gBuckByPass_c,16); vreg_init(); *((uint32_t *)&u8RamValues) = 0x4c20030a; fill_ram_struct(&u8RamValues); for(j=0; j<16; j++) { // buffer_radio_init[j] = get_ctov(j,u8RamValues[3]); buffer_radio_init[j] = get_ctov(j,0x4c); //0x4c loads the right values into buffer_radio_init... but why isn't RamValues correct? } Which means my radio_init, and vreg_init are good. It also means that my intreprtation of buffer_radio_init is correct. It may also mean that u8RamValues isn't important since I just set it's value. That means I only have InitFromFlash to replace now! Actually, I should test if that is necessary --- I still find it a little hard to believe that they put essential data on NVM --- except they could set codeprotect so that clods won't erase it on accident. See PLM/LibInterface/NVM.h for some docs. Looks like they put a standard SST, ST, or Atmel spi flash in there (note the comment about continuous read mode). MACPHY.a might use a ROM service for the flash init: 0000f97c g F *ABS* 00000000 InitFromFlash ac: 4668 mov r0, sp ae: f7ff fffe bl 0 <GetInitTranslationTablePtr> b2: 4669 mov r1, sp b4: 780a ldrb r2, [r1, #0] b6: 0001 lsls r1, r0, #0 b8: 20f8 movs r0, #248 ba: 0240 lsls r0, r0, #9 bc: f7ff fffe bl 0 <InitFromFlash> uint32_t InitFromFlash(uint32_t nvmAddress, uint32_t nLength); Which looks like InitFromFlash(0x1F00,?); Good news! It doesn't look like InitFromFlash is necessary. It might just be a hook for them to patch the init that is grabbed from rom or something. Checking if buffer_radio_init is important. If so, then I need to figure out how it's used and, preferably, what it means. So buffer_radio_init is necessary for their code to work. I'm not sure if it is necessary for the radio of if it's necessary for there app. Now I need to figure these out: (void)MLMEPAOutputAdjust(gu8CurrentPowerLevel); MLMESetChannelRequest((channel_num_t)gu8CurrentChannel); #define gPowerLevel_m30dBm_c 0x00 #define gPowerLevel_m28dBm_c 0x01 #define gPowerLevel_m26dBm_c 0x02 #define gPowerLevel_m24dBm_c 0x03 #define gPowerLevel_m22dBm_c 0x04 #define gPowerLevel_m20dBm_c 0x05 #define gPowerLevel_m18dBm_c 0x06 #define gPowerLevel_m16dBm_c 0x07 #define gPowerLevel_m14dBm_c 0x08 #define gPowerLevel_m12dBm_c 0x09 #define gPowerLevel_m10dBm_c 0x0a #define gPowerLevel_m8dBm_c 0x0b #define gPowerLevel_m6dBm_c 0x0c #define gPowerLevel_m4dBm_c 0x0d #define gPowerLevel_m2dBm_c 0x0e #define gPowerLevel_0dBm_c 0x0f #define gPowerLevel_2dBm_c 0x10 #define gPowerLevel_4dBm_c 0x11 #define gPowerLevel_6dBm_c 0x12 gu8CurrentPowerLevel is set to gPowerLevel_0dBm_c = 0x0f some kind of look-up table for setpower 004037e4 <gPSMVAL_c>: 4037e4: 0000080f .word 0x0000080f 4037e8: 0000080f .word 0x0000080f 4037ec: 0000080f .word 0x0000080f 4037f0: 0000080f .word 0x0000080f 4037f4: 0000081f .word 0x0000081f 4037f8: 0000081f .word 0x0000081f 4037fc: 0000081f .word 0x0000081f 403800: 0000080f .word 0x0000080f 403804: 0000080f .word 0x0000080f 403808: 0000080f .word 0x0000080f 40380c: 0000001f .word 0x0000001f 403810: 0000000f .word 0x0000000f 403814: 0000000f .word 0x0000000f 403818: 00000816 .word 0x00000816 40381c: 0000001b .word 0x0000001b 403820: 0000000b .word 0x0000000b 403824: 00000802 .word 0x00000802 403828: 00000817 .word 0x00000817 40382c: 00000003 .word 0x00000003 00403830 <gPAVAL_c>: 403830: 000022c0 .word 0x000022c0 403834: 000022c0 .word 0x000022c0 403838: 000022c0 .word 0x000022c0 40383c: 00002280 .word 0x00002280 403840: 00002303 .word 0x00002303 403844: 000023c0 .word 0x000023c0 403848: 00002880 .word 0x00002880 40384c: 000029f0 .word 0x000029f0 403850: 000029f0 .word 0x000029f0 403854: 000029f0 .word 0x000029f0 403858: 000029c0 .word 0x000029c0 40385c: 00002bf0 .word 0x00002bf0 403860: 000029f0 .word 0x000029f0 403864: 000028a0 .word 0x000028a0 403868: 00002800 .word 0x00002800 40386c: 00002ac0 .word 0x00002ac0 403870: 00002880 .word 0x00002880 403874: 00002a00 .word 0x00002a00 403878: 00002b00 .word 0x00002b00 0040387c <gAIMVAL_c>: 40387c: 000123a0 .word 0x000123a0 403880: 000163a0 .word 0x000163a0 403884: 0001a3a0 .word 0x0001a3a0 403888: 0001e3a0 .word 0x0001e3a0 40388c: 000223a0 .word 0x000223a0 403890: 000263a0 .word 0x000263a0 403894: 0002a3a0 .word 0x0002a3a0 403898: 0002e3a0 .word 0x0002e3a0 40389c: 000323a0 .word 0x000323a0 4038a0: 000363a0 .word 0x000363a0 4038a4: 0003a3a0 .word 0x0003a3a0 4038a8: 0003a3a0 .word 0x0003a3a0 4038ac: 0003e3a0 .word 0x0003e3a0 4038b0: 000423a0 .word 0x000423a0 4038b4: 000523a0 .word 0x000523a0 4038b8: 000423a0 .word 0x000423a0 4038bc: 0004e3a0 .word 0x0004e3a0 4038c0: 0004e3a0 .word 0x0004e3a0 4038c4: 0004e3a0 .word 0x0004e3a0 Ok, rftest-rx and tx are working but the range isn't very good. I suspect that InitFromFlash is a factory trim for each part. Since I'm not doing that then the range and reliability are suffering. Getting the NVM to work should probably be my next step. Debugging with JLink has shown there absolutely is init entries in the flash set in the factory that are important. e.g. this is where the 0x00607707 number get turned into something more like 0x00685...