Entries in RAM are processed by SMACinitfrommemory and executeentry
(which does the work). I suspect that these entries are loaded in from
the ROM by the rom_data_init call in the beginning stub. For now
we'll do the simple thing of performing the actions they do, but for
real it would be better to load out from ROM and execute the entries
in a similar way. That way, if the cal data changes in the ROM, our
code should still work.
|
|
|
|
When radioinit first starts it seems to check for a 24MHz clock
and whether the buck should be enabled. Assuming 24MHz and no buck, the next
thing it does is 5 entries in cal1 (40 bytes, 4 bytes per word, = 10
words, 2 words per entry = 5 entries)
|
|
|
|
0x80003048
|
|
0x00000f78
|
|
|
|
0x8000304c
|
|
0x00607707
|
|
|
|
the next entry is zero addr with val 0x000161a8... this is a delay
entry. Loop here 0x000161a8 times, then return.
|
|
|
|
0x00000000
|
|
0x000161a8
|
|
|
|
Then two more memory stuffs:
|
|
|
|
0x8000a050
|
|
0x0000047b
|
|
|
|
0x8000a054
|
|
0x0000007b
|
|
|
|
then it seems like the emulator dies on the stack munging they do at
the end of InitFromMemory... but I think I've decoded the entry
enough to figure out the rest.
|
|
|
|
then they do one entry of r4 base + 48 (gRadioTOCCal2_24MHz_c[0])
|
|
|
|
0x80009000
|
|
0x80050100
|
|
|
|
then they do 11 entries in cal3 and reg replacement (first two have delays)
|
|
|
|
0x402b8c <gRadioTOCCal3_c>: 0x80009400 0x00020017 0x80009a04 0x8185a0a4
|
|
0x402b9c <gRadioTOCCal3_c+16>: 0x80009a00 0x8c900025 0x00000000 0x00011194
|
|
0x402bac <gRadioTOCCal3_c+32>: 0x80009a00 0x8c900021 0x80009a00 0x8c900027
|
|
0x402bbc <gRadioTOCCal3_c+48>: 0x00000000 0x00011194 0x80009a00 0x8c90002b
|
|
0x402bcc <gRadioTOCCal3_c+64>: 0x80009a00 0x8c90002f 0x00000000 0x00011194
|
|
0x402bdc <gRadioTOCCal3_c+80>: 0x80009a00 0x8c900000
|
|
|
|
then 4 entries from r5+24 (buffer_radio_init and cal5)
|
|
|
|
0x80009400 0x00000017
|
|
0x405230 <gRadioTOCCal5+8>: 0x8000a050 0x00000000 0x8000a054 0x00000000
|
|
0x405240 <gRadioTOCCal5+24>: 0x80003048 0x00000f00
|
|
|
|
then 43 entries from r4+152 (reg replacement)
|
|
|
|
0x402bec <gRadioInit_RegReplacement_c>: 0x80004118 0x00180012 0x80009204 0x00000605
|
|
0x402bfc <gRadioInit_RegReplacement_c+16>: 0x80009208 0x00000504 0x8000920c 0x00001111
|
|
0x402c0c <gRadioInit_RegReplacement_c+32>: 0x80009210 0x0fc40000 0x80009300 0x20046000
|
|
0x402c1c <gRadioInit_RegReplacement_c+48>: 0x80009304 0x4005580c 0x80009308 0x40075801
|
|
0x402c2c <gRadioInit_RegReplacement_c+64>: 0x8000930c 0x4005d801 0x80009310 0x5a45d800
|
|
0x402c3c <gRadioInit_RegReplacement_c+80>: 0x80009314 0x4a45d800 0x80009318 0x40044000
|
|
0x402c4c <gRadioInit_RegReplacement_c+96>: 0x80009380 0x00106000 0x80009384 0x00083806
|
|
0x402c5c <gRadioInit_RegReplacement_c+112>: 0x80009388 0x00093807 0x8000938c 0x0009b804
|
|
0x402c6c <gRadioInit_RegReplacement_c+128>: 0x80009390 0x000db800 0x80009394 0x00093802
|
|
0x402c7c <gRadioInit_RegReplacement_c+144>: 0x8000a008 0x00000015 0x8000a018 0x00000002
|
|
0x402c8c <gRadioInit_RegReplacement_c+160>: 0x8000a01c 0x0000000f 0x80009424 0x0000aaa0
|
|
0x402c9c <gRadioInit_RegReplacement_c+176>: 0x80009434 0x01002020 0x80009438 0x016800fe
|
|
0x402cac <gRadioInit_RegReplacement_c+192>: 0x8000943c 0x8e578248 0x80009440 0x000000dd
|
|
0x402cbc <gRadioInit_RegReplacement_c+208>: 0x80009444 0x00000946 0x80009448 0x0000035a
|
|
0x402ccc <gRadioInit_RegReplacement_c+224>: 0x8000944c 0x00100010 0x80009450 0x00000515
|
|
0x402cdc <gRadioInit_RegReplacement_c+240>: 0x80009460 0x00397feb 0x80009464 0x00180358
|
|
0x402cec <gRadioInit_RegReplacement_c+256>: 0x8000947c 0x00000455 0x800094e0 0x00000001
|
|
0x402cfc <gRadioInit_RegReplacement_c+272>: 0x800094e4 0x00020003 0x800094e8 0x00040014
|
|
0x402d0c <gRadioInit_RegReplacement_c+288>: 0x800094ec 0x00240034 0x800094f0 0x00440144
|
|
0x402d1c <gRadioInit_RegReplacement_c+304>: 0x800094f4 0x02440344 0x800094f8 0x04440544
|
|
0x402d2c <gRadioInit_RegReplacement_c+320>: 0x80009470 0x0ee7fc00 0x8000981c 0x00000082
|
|
0x402d3c <gRadioInit_RegReplacement_c+336>: 0x80009828 0x0000002a
|
|
|
|
then flash init. (hrmm.. this might be important)
|
|
|
|
then flyback init.
|
|
|
|
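then maybe buckbypass sequence... 4 entries from r4+16 (the dump below is 4 entries = 32 bytes, but the RadioInit sketch further down passes length 16, i.e. 2 entries --- need to check which is right)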
|
|
|
|
0x402b64 <gBuckByPass_c>: 0x80003000 0x00000018 0x80003048 0x00000f04
|
|
0x402b74 <gBuckByPass_c+16>: 0x00000000 0x000161a8 0x80003048 0x00000ffc
|
|
|
|
RadioInit is (roughly):
|
|
|
|
SMAC_InitFromMemory(gRadioTOCCal1,40);
|
|
SMAC_InitFromMemory(gRadioTOCCal2_24MHz_c,8);
|
|
SMAC_InitFromMemory(gRadioTOCCal3_c,88);
|
|
SMAC_InitFromMemory(gRadioTOCCal5,32);
|
|
SMAC_InitFromMemory(gRadioInit_RegReplacement_c,344);
|
|
SMAC_InitFromFlash(0x1F000);
|
|
SMAC_InitFlybackSettings();
|
|
SMAC_InitFromMemory(gBuckByPass_c,16);
|
|
|
|
fill_ram_struct(&u8RamValues);
|
|
|
|
uint8_t i;
|
|
uint8_t buffer_radio_init[16];
|
|
for(i=0; i<16; i++) {
|
|
buffer_radio_init[i] = get_ctov(i,u8RamValues[3]);
|
|
}
|
|
|
|
|
|
Some kind of success!
|
|
|
|
This replacement works:
|
|
|
|
|
|
// RadioInit(PLATFORM_CLOCK, gDigitalClock_PN_c, u32LoopDiv); // need this to work
|
|
|
|
/* my replacment for RadioInit, flyback and vreg have been separated out */
|
|
radio_init();
|
|
// SMAC_InitFromMemory(gRadioTOCCal1,40);
|
|
// *(volatile uint32_t *)0x80009000 = 0x80050100;
|
|
// SMAC_InitFromMemory(gRadioTOCCal2_24MHz_c,8);
|
|
// SMAC_InitFromMemory(gRadioTOCCal3_c,88);
|
|
// SMAC_InitFromMemory(gRadioTOCCal5,32);
|
|
// SMAC_InitFromMemory(gRadioInit_RegReplacement_c,344);
|
|
SMAC_InitFromFlash(0x1F000);
|
|
// SMAC_InitFlybackSettings();
|
|
flyback_init();
|
|
// SMAC_InitFromMemory(gBuckByPass_c,16);
|
|
vreg_init();
|
|
|
|
*((uint32_t *)&u8RamValues) = 0x4c20030a;
|
|
fill_ram_struct(&u8RamValues);
|
|
|
|
for(j=0; j<16; j++) {
|
|
// buffer_radio_init[j] = get_ctov(j,u8RamValues[3]);
|
|
buffer_radio_init[j] = get_ctov(j,0x4c); //0x4c loads the right values into buffer_radio_init... but why isn't RamValues correct?
|
|
}
|
|
|
|
|
|
Which means my radio_init and vreg_init are good. It also means that
my interpretation of buffer_radio_init is correct. It may also mean
that u8RamValues isn't important since I just set its value.
|
|
|
|
That means I only have InitFromFlash to replace now!
|
|
|
|
Actually, I should test if that is necessary --- I still find it a
little hard to believe that they put essential data on NVM --- except
they could set codeprotect so that clods won't erase it by accident.
|
|
|
|
See PLM/LibInterface/NVM.h for some docs. Looks like they put a
standard SST, ST, or Atmel SPI flash in there (note the comment about
continuous read mode).
|
|
|
|
MACPHY.a might use a ROM service for the flash init:
|
|
|
|
0000f97c g F *ABS* 00000000 InitFromFlash
|
|
|
|
ac: 4668 mov r0, sp
|
|
ae: f7ff fffe bl 0 <GetInitTranslationTablePtr>
|
|
b2: 4669 mov r1, sp
|
|
b4: 780a ldrb r2, [r1, #0]
|
|
b6: 0001 lsls r1, r0, #0
|
|
b8: 20f8 movs r0, #248
|
|
ba: 0240 lsls r0, r0, #9
|
|
bc: f7ff fffe bl 0 <InitFromFlash>
|
|
|
|
uint32_t InitFromFlash(uint32_t nvmAddress, uint32_t nLength);
|
|
|
|
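Which looks like InitFromFlash(0x1F000,?); (movs r0, #248 then lsls r0, r0, #9 gives 248 << 9 = 0x1F000, which matches the SMAC_InitFromFlash(0x1F000) call above)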
|
|
|
|
|