boot0:FFFF0000 ; Segment type: Pure code
boot0:FFFF0000 ; ARM exception vector table: each of the eight entries loads PC from the
boot0:FFFF0000 ; literal pool at FFFF0020-FFFF003C below.
boot0:FFFF0000                 AREA boot0, CODE, READWRITE, ALIGN=0
boot0:FFFF0000                 LDR     PC, =_reset
boot0:FFFF0004 ; ---------------------------------------------------------------------------
boot0:FFFF0004                 LDR     PC, =__arm_undefined
boot0:FFFF0008 ; ---------------------------------------------------------------------------
boot0:FFFF0008                 LDR     PC, =__arm_syscall
boot0:FFFF000C ; ---------------------------------------------------------------------------
boot0:FFFF000C                 LDR     PC, =__arm_prefetch_abort
boot0:FFFF0010 ; ---------------------------------------------------------------------------
boot0:FFFF0010                 LDR     PC, =__arm_data_abort
boot0:FFFF0014 ; ---------------------------------------------------------------------------
boot0:FFFF0014                 LDR     PC, =__arm_reserved
boot0:FFFF0018 ; ---------------------------------------------------------------------------
boot0:FFFF0018                 LDR     PC, =__arm_irq
boot0:FFFF001C ; ---------------------------------------------------------------------------
boot0:FFFF001C                 LDR     PC, =__arm_fiq
boot0:FFFF001C ; ---------------------------------------------------------------------------
boot0:FFFF0020 off_FFFF0020    DCD _reset ; DATA XREF: boot0:FFFF0000r
boot0:FFFF0024 off_FFFF0024    DCD __arm_undefined ; DATA XREF: boot0:FFFF0004r
boot0:FFFF0028 off_FFFF0028    DCD __arm_syscall ; DATA XREF: boot0:FFFF0008r
boot0:FFFF002C off_FFFF002C    DCD __arm_prefetch_abort ; DATA XREF: boot0:FFFF000Cr
boot0:FFFF0030 off_FFFF0030    DCD __arm_data_abort ; DATA XREF: boot0:FFFF0010r
boot0:FFFF0034 off_FFFF0034    DCD __arm_reserved ; DATA XREF: boot0:FFFF0014r
boot0:FFFF0038 off_FFFF0038    DCD __arm_irq ; DATA XREF: boot0:FFFF0018r
boot0:FFFF003C off_FFFF003C    DCD __arm_fiq ; DATA XREF: boot0:FFFF001Cr
boot0:FFFF0040 ; =============== S U B R O U T I N E =======================================
boot0:FFFF0040 ; Reset entry: clears a few registers, loads SP from the literal
boot0:FFFF0040 ; boot0_stack (0xD417C00) and calls boot0_main through its thunk.
boot0:FFFF0040 _reset ; CODE XREF: boot0:FFFF0000j
boot0:FFFF0040 ; boot0:FFFF001Cj
boot0:FFFF0040 ; DATA XREF: boot0:off_FFFF0020o
boot0:FFFF0040                 MOV     R1, #0
boot0:FFFF0044                 MOV     R4, #0
boot0:FFFF0048                 MOV     R11, #0
boot0:FFFF004C                 MOV     R11, #0
boot0:FFFF0050                 MOV     LR, #0
boot0:FFFF0054                 LDR     SP, =0xD417C00
boot0:FFFF0058                 BL      j_boot0_main
boot0:FFFF005C                 BL      panic ; reached only if boot0_main returns; panic loops forever (see below)
boot0:FFFF0060 ; The seven exception handlers below are each a branch-to-self, so any
boot0:FFFF0060 ; exception taken while boot0 runs parks the CPU in place (fail-stop).
boot0:FFFF0060 __arm_undefined ; CODE XREF: boot0:FFFF0000j
boot0:FFFF0060 ; boot0:FFFF0004j boot0:FFFF001Cj ...
boot0:FFFF0060                 B       __arm_undefined
boot0:FFFF0060 ; End of function _reset
boot0:FFFF0064 ; ---------------------------------------------------------------------------
boot0:FFFF0064 __arm_syscall ; CODE XREF: boot0:FFFF0000j
boot0:FFFF0064 ; boot0:FFFF0004j boot0:FFFF0008j ...
boot0:FFFF0064                 B       __arm_syscall
boot0:FFFF0068 ; ---------------------------------------------------------------------------
boot0:FFFF0068 __arm_prefetch_abort ; CODE XREF: boot0:FFFF0000j
boot0:FFFF0068 ; boot0:FFFF0004j boot0:FFFF0008j ...
boot0:FFFF0068                 B       __arm_prefetch_abort
boot0:FFFF006C ; ---------------------------------------------------------------------------
boot0:FFFF006C __arm_data_abort ; CODE XREF: boot0:FFFF0000j
boot0:FFFF006C ; boot0:FFFF0004j boot0:FFFF0008j ...
boot0:FFFF006C                 B       __arm_data_abort
boot0:FFFF0070 ; ---------------------------------------------------------------------------
boot0:FFFF0070 __arm_reserved ; CODE XREF: boot0:FFFF0000j
boot0:FFFF0070 ; boot0:FFFF0004j boot0:FFFF0014j ...
boot0:FFFF0070                 B       __arm_reserved
boot0:FFFF0074 ; ---------------------------------------------------------------------------
boot0:FFFF0074 __arm_irq ; CODE XREF: boot0:FFFF0000j
boot0:FFFF0074 ; boot0:FFFF0004j boot0:FFFF0018j ...
boot0:FFFF0074                 B       __arm_irq
boot0:FFFF0078 ; ---------------------------------------------------------------------------
boot0:FFFF0078 __arm_fiq ; CODE XREF: boot0:FFFF0000j
boot0:FFFF0078 ; boot0:FFFF0004j boot0:FFFF001Cj ...
boot0:FFFF0078                 B       __arm_fiq
boot0:FFFF007C ; =============== S U B R O U T I N E =======================================
boot0:FFFF007C ; Attributes: thunk
boot0:FFFF007C j_boot0_main ; CODE XREF: _reset+18p
boot0:FFFF007C                 B       boot0_main
boot0:FFFF007C ; End of function j_boot0_main
boot0:FFFF007C ; ---------------------------------------------------------------------------
boot0:FFFF0080 boot0_stack     DCD 0xD417C00 ; DATA XREF: _reset+14r
boot0:FFFF0084 ; =============== S U B R O U T I N E =======================================
boot0:FFFF0084 ; Attributes: bp-based frame
boot0:FFFF0084 ; Read-modify-write of the word at 0xD8000E0: bits 16-23 are replaced by
boot0:FFFF0084 ; the low 8 bits of R0, all other bits are preserved. Clobbers R0, R2, R3.
boot0:FFFF0084 debug_port_output ; CODE XREF: panic+14p panic+28p
boot0:FFFF0084 ; boot0_main+170p ...
boot0:FFFF0084 oldR4 = -0x10
boot0:FFFF0084 oldR11 = -0xC
boot0:FFFF0084 oldSP = -8
boot0:FFFF0084 oldLR = -4
boot0:FFFF0084                 MOV     R3, #0xD800000
boot0:FFFF0088                 LDR     R2, [R3,#0xE0]
boot0:FFFF008C                 MOV     R0, R0,LSL#16
boot0:FFFF0090                 BIC     R2, R2, #0xFF0000
boot0:FFFF0094                 AND     R0, R0, #0xFF0000
boot0:FFFF0098                 ORR     R2, R2, R0
boot0:FFFF009C                 STR     R2, [R3,#0xE0]
boot0:FFFF00A0                 BX      LR
boot0:FFFF00A0 ; End of function debug_port_output
boot0:FFFF00A4 ; =============== S U B R O U T I N E =======================================
boot0:FFFF00A4 ; Attributes: bp-based frame
boot0:FFFF00A4 ; int __stdcall panic(unsigned __int8 error)
boot0:FFFF00A4 ; Blinks the error code on the debug port forever. The body ends in an
boot0:FFFF00A4 ; unconditional branch back to loc_FFFF00B4 and has no return path, so
boot0:FFFF00A4 ; callers never regain control: every panic() call is a halt.
boot0:FFFF00A4 panic ; CODE XREF: _reset+1Cp
boot0:FFFF00A4 ; boot0_main+3B8p boot0_main+3D4p
boot0:FFFF00A4 oldR4 = -0x10
boot0:FFFF00A4 oldR11 = -0xC
boot0:FFFF00A4 oldSP = -8
boot0:FFFF00A4 oldLR = -4
boot0:FFFF00A4                 MOV     R12, SP
boot0:FFFF00A8                 STMFD   SP!, {R4,R11,R12,LR,PC}
boot0:FFFF00AC                 SUB     R11, R12, #4
boot0:FFFF00B0                 MOV     R4, R0 ; keep the error code across the calls below
boot0:FFFF00B4 loc_FFFF00B4 ; CODE XREF: panic+38j
boot0:FFFF00B4                 MOV     R0, R4 ; alternate between 0 and the error code
boot0:FFFF00B8                 BL      debug_port_output
boot0:FFFF00BC                 MOVL    R0, 1000000
boot0:FFFF00C4                 BL      delay
boot0:FFFF00C8                 MOV     R0, #0
boot0:FFFF00CC                 BL      debug_port_output
boot0:FFFF00D0                 MOVL    R0, 1000000
boot0:FFFF00D8                 BL      delay
boot0:FFFF00DC                 B       loc_FFFF00B4
boot0:FFFF00DC ; End of function panic
boot0:FFFF00E0 ; =============== S U B R O U T I N E =======================================
boot0:FFFF00E0 ; Sets bits 16-23 and clears bits 0-15 of the words at 0xD8000DC and
boot0:FFFF00E0 ; 0xD8000E4, keeping bits 24-31. Clobbers R2 and R3.
boot0:FFFF00E0 init_gpio_direction ; CODE XREF: boot0_main+104p
boot0:FFFF00E0                 MOV     R3, #0xD800000
boot0:FFFF00E4                 LDR     R2, [R3,#0xDC]
boot0:FFFF00E8                 AND     R2, R2, #0xFF000000
boot0:FFFF00EC                 ORR     R2, R2, #0xFF0000 ; D8000DC = (D8000DC & 0xff000000) | 0x00ff0000
boot0:FFFF00F0                 STR     R2, [R3,#0xDC]
boot0:FFFF00F4                 LDR     R2, [R3,#0xE4]
boot0:FFFF00F8                 AND     R2, R2, #0xFF000000
boot0:FFFF00FC                 ORR     R2, R2, #0xFF0000
boot0:FFFF0100                 STR     R2, [R3,#0xE4] ; D8000E4 = (D8000E4 & 0xff000000) | 0x00ff0000
boot0:FFFF0104                 BX      LR
boot0:FFFF0104 ; End of function init_gpio_direction
boot0:FFFF0108 ; =============== S U B R O U T I N E =======================================
boot0:FFFF0108 ; Attributes: bp-based frame
boot0:FFFF0108 ; boot0_main: loads the AES key/IV and the SHA-1 initial state into the
boot0:FFFF0108 ; engines at 0xD020000 / 0xD030000, reads five words of hash from OTP,
boot0:FFFF0108 ; streams 47 NAND pages (2048 bytes each) to 0xD400000 with ECC checking,
boot0:FFFF0108 ; then compares the SHA-1 result with the OTP words and jumps to 0xFFF00000.
boot0:FFFF0108 ; Stack locals used below: [R11-0x54] = "OTP hash present" flag,
boot0:FFFF0108 ; [R11-0x3C..] = OTP hash (5 words), [R11-0x50..] = computed hash (5 words).
boot0:FFFF0108 ; NOTE(review): the hash comparison is the only check of boot1 visible here,
boot0:FFFF0108 ; and it is skipped when all five OTP words read as zero (see FFFF0410).
boot0:FFFF0108 boot0_main ; CODE XREF: j_boot0_mainj
boot0:FFFF0108 oldR4 = -0x28
boot0:FFFF0108 oldR5 = -0x24
boot0:FFFF0108 oldR6 = -0x20
boot0:FFFF0108 oldR7 = -0x1C
boot0:FFFF0108 oldR8 = -0x18
boot0:FFFF0108 oldR9 = -0x14
boot0:FFFF0108 oldR10 = -0x10
boot0:FFFF0108 oldR11 = -0xC
boot0:FFFF0108 oldSP = -8
boot0:FFFF0108 oldLR = -4
boot0:FFFF0108                 MOV     R12, SP
boot0:FFFF010C                 STMFD   SP!, {R4-R12,LR,PC}
boot0:FFFF0110                 MOV     R3, #0xD000000
boot0:FFFF0114                 SUB     R11, R12, #4
boot0:FFFF0118                 ADD     R3, R3, #0x20000 ; R3 = 0D020000 = AES command reg
boot0:FFFF011C                 MOV     R9, #0 ; R9 = hash-mismatch flag, tested at FFFF0470
boot0:FFFF0120                 MOV     R1, #7
boot0:FFFF0124                 MOV     R2, #0xD800000
boot0:FFFF0128                 SUB     SP, SP, #0x2C
boot0:FFFF012C                 STR     R1, [R2,#0x60] ; 0D800060 = 7
boot0:FFFF0130                 SUB     R2, R11, #0x54
boot0:FFFF0134                 STR     R9, [R3] ; AES command reg = 0
boot0:FFFF0138                 LDR     R1, =boot1_key
boot0:FFFF013C                 STR     R9, [R2] ; [R11-0x54] = 0: "OTP hash present" flag starts cleared
boot0:FFFF0140                 MOV     R0, R3
boot0:FFFF0144                 MOV     LR, #0xD400000
boot0:FFFF0148                 MOV     R2, #3
boot0:FFFF014C ; Four iterations (R2 = 3..0), each writing one key word to 0D02000C.
boot0:FFFF014C ; The key is the constant at boot1_key inside this image.
boot0:FFFF014C set_AES_key ; CODE XREF: boot0_main+50j
boot0:FFFF014C                 LDR     R3, [R1],#4 ; use hardcoded boot1 key
boot0:FFFF0150                 SUBS    R2, R2, #1
boot0:FFFF0154                 STR     R3, [R0,#0xC]
boot0:FFFF0158                 BPL     set_AES_key
boot0:FFFF015C                 MOV     R12, #0xD000000
boot0:FFFF0160                 LDR     R1, =boot1_iv ; boot1_iv is all zeroes
boot0:FFFF0164                 ADD     R12, R12, #0x20000
boot0:FFFF0168                 MOV     R2, #3
boot0:FFFF016C ; Four iterations, each writing one IV word to 0D020010.
boot0:FFFF016C set_AES_iv ; CODE XREF: boot0_main+70j
boot0:FFFF016C                 LDR     R3, [R1],#4
boot0:FFFF0170                 SUBS    R2, R2, #1
boot0:FFFF0174                 STR     R3, [R12,#0x10]
boot0:FFFF0178                 BPL     set_AES_iv
boot0:FFFF017C ; The five constants stored at 0D030008-0D030018 are the standard SHA-1
boot0:FFFF017C ; initial hash values.
boot0:FFFF017C                 LDR     R3, =0x67452301 ; set initial SHA context
boot0:FFFF0180                 MOVL    R1, 0xD030000
boot0:FFFF0188                 MOV     R0, #0
boot0:FFFF018C                 LDR     R2, =0xEFCDAB89
boot0:FFFF0190                 STR     LR, [R12,#4] ; 0D020004 = 0xD400000
boot0:FFFF0194                 STR     LR, [R12,#8] ; 0D020008 = 0xD400000
boot0:FFFF0198                 STR     R0, [R1] ; 0D030000 = 0
boot0:FFFF019C                 STR     R3, [R1,#8]
boot0:FFFF01A0                 LDR     R3, =0x98BADCFE
boot0:FFFF01A4                 STR     R2, [R1,#0xC]
boot0:FFFF01A8                 LDR     R2, =0x10325476
boot0:FFFF01AC                 STR     R3, [R1,#0x10]
boot0:FFFF01B0                 LDR     R3, =0xC3D2E1F0
boot0:FFFF01B4                 STR     R2, [R1,#0x14]
boot0:FFFF01B8                 MOV     R2, #0xD400000
boot0:FFFF01BC                 STR     R3, [R1,#0x18]
boot0:FFFF01C0                 STR     R2, [R1,#4] ; 0D030004 = 0xD400000
boot0:FFFF01C4                 MOVL    R3, 0xD010000
boot0:FFFF01CC                 LDR     R2, [R3,#4]
boot0:FFFF01D0                 MOVL    R1, 0x80FF0000
boot0:FFFF01D8                 ORR     R2, R2, #0x8000000
boot0:FFFF01DC                 ADD     R1, R1, #0x8000 ; R1 = 0x80FF8000
boot0:FFFF01E0                 STR     R2, [R3,#4]
boot0:FFFF01E4                 MOV     R4, #0xD800000
boot0:FFFF01E8                 STR     R0, [R3,#0x10]
boot0:FFFF01EC                 STR     R0, [R3,#0x14]
boot0:FFFF01F0                 STR     R0, [R3,#8]
boot0:FFFF01F4                 STR     R0, [R3,#0xC]
boot0:FFFF01F8                 STR     R1, [R3] ; 0D010000 = 0x80FF8000
boot0:FFFF01FC                 MOV     R3, #0x80000000
boot0:FFFF0200                 MOV     R6, R0 ; R6 = 0 = first OTP word index
boot0:FFFF0204                 STR     R3, [R4,#0x1EC] ; 0D8001EC = 0x80000000
boot0:FFFF0208                 SUB     R5, R11, #0x3C ; R5 = OTP hash buffer on the stack
boot0:FFFF020C                 BL      init_gpio_direction
boot0:FFFF0210                 MOV     R1, R6 ; c
boot0:FFFF0214                 MOV     R0, R5 ; dest
boot0:FFFF0218                 MOV     R2, #20 ; len
boot0:FFFF021C                 BL      memset ; zero out hash buffer
boot0:FFFF0220                 MOV     R1, #16 ; read 20 bytes of OTP data into *R5
boot0:FFFF0224 ; Five iterations (R1 = 16, 12, 8, 4, 0), one 32-bit OTP word per pass.
boot0:FFFF0224 get_otp_hash ; CODE XREF: boot0_main+138j
boot0:FFFF0224                 AND     R3, R6, #0x1F
boot0:FFFF0228                 ORR     R3, R3, #0x80000000
boot0:FFFF022C                 STR     R3, [R4,#0x1EC] ; *starlet_otp_addr = (R6 & 0x1f) | 0x80000000;
boot0:FFFF0230                 LDR     R2, [R4,#0x1F0] ; R2 = *starlet_otp_data
boot0:FFFF0234                 SUBS    R1, R1, #4
boot0:FFFF0238                 STR     R2, [R5],#4
boot0:FFFF023C                 ADD     R6, R6, #1 ; R6++
boot0:FFFF0240                 BPL     get_otp_hash
boot0:FFFF0244                 MOV     R1, #0
boot0:FFFF0248                 SUB     R2, R11, #0x28
boot0:FFFF024C ; Scans the five OTP words at [R11-0x3C..]; the first non-zero word
boot0:FFFF024C ; branches to otp_hash_not_empty, which sets the flag at [R11-0x54].
boot0:FFFF024C ; If all five are zero the flag stays 0 and verification is skipped later.
boot0:FFFF024C is_otp_hash_empty_ ; CODE XREF: boot0_main+15Cj
boot0:FFFF024C                 LDR     R3, [R2,#-0x14] ; if OTP hash is all zeroes, then we're still
boot0:FFFF0250                 CMP     R3, #0 ; in the factory with a blank OTP, so
boot0:FFFF0254                 ADD     R1, R1, #1 ; don't verify the hash against boot1
boot0:FFFF0258                 ADD     R2, R2, #4
boot0:FFFF025C                 BNE     otp_hash_not_empty
boot0:FFFF0260                 CMP     R1, #4
boot0:FFFF0264                 BLS     is_otp_hash_empty_
boot0:FFFF0268 loc_FFFF0268 ; CODE XREF: boot0_main+3CCj
boot0:FFFF0268                 MOVL    R8, 0xD010000
boot0:FFFF0270                 MOV     R4, #0 ; R4 = flash page number
boot0:FFFF0274 ; Main loop, R4 = 0..48. Each pass issues a NAND read for page R4
boot0:FFFF0274 ; (R4 < 47), checks ECC and issues an AES command for page R4-1
boot0:FFFF0274 ; (1 <= R4 <= 47), and issues a SHA-1 command when R4 > 1.
boot0:FFFF0274 boot1_read_loop ; CODE XREF: boot0_main+2F0j
boot0:FFFF0274                 MOV     R0, R4 ; as we read in the flash pages, output
boot0:FFFF0278                 BL      debug_port_output ; each page number to the debug port
boot0:FFFF027C                 ORR     R0, R4, #0x80 ; hi bit is a strobe bit
boot0:FFFF0280                 BL      debug_port_output
boot0:FFFF0284 loc_FFFF0284 ; CODE XREF: boot0_main+184j
boot0:FFFF0284                 LDR     R3, [R8] ; R3 = *0D010000 = NAND status (R8 was loaded with 0xD010000)
boot0:FFFF0288                 CMP     R3, #0
boot0:FFFF028C                 BLT     loc_FFFF0284 ; spin while bit 31 is set
boot0:FFFF0290                 CMP     R4, #47 ; pageno >= 47? (BCS is unsigned >=)
boot0:FFFF0294                 BCS     done_reading_flash
boot0:FFFF0298                 MOV     R3, #0x9F000000
boot0:FFFF029C                 STR     R4, [R8,#0xC] ; 0D01000C = page number
boot0:FFFF02A0                 STR     R3, [R8] ; 0D010000 = 0x9F000000
boot0:FFFF02A4                 MOVL    R0, 0xD010000 ; D010000 = NAND Flash HW
boot0:FFFF02AC read_flash_page ; CODE XREF: boot0_main+1ACj
boot0:FFFF02AC                 LDR     R3, [R0] ; wait for non-busy status from NAND flash
boot0:FFFF02B0                 CMP     R3, #0
boot0:FFFF02B4                 BLT     read_flash_page
boot0:FFFF02B8                 AND     R3, R4, #1
boot0:FFFF02BC                 MOV     R3, R3,LSL#7
boot0:FFFF02C0                 MOV     R1, #0x80000000
boot0:FFFF02C4                 ADD     R3, R3, #0xD400000
boot0:FFFF02C8                 ADD     R1, R1, #0x308000
boot0:FFFF02CC                 MOV     R2, R4,LSL#11
boot0:FFFF02D0                 ADD     R2, R2, #0xD400000 ; R2 = 0xD400000 + page * 0x800
boot0:FFFF02D4                 ADD     R3, R3, #0x17800 ; R3 = 0xD417800 + (page & 1) * 0x80
boot0:FFFF02D8                 ADD     R1, R1, #0x3840 ; R1 = 0x8030B840
boot0:FFFF02DC                 STR     R2, [R0,#0x10]
boot0:FFFF02E0                 STR     R3, [R0,#0x14]
boot0:FFFF02E4                 STR     R1, [R0]
boot0:FFFF02E8 done_reading_flash ; CODE XREF: boot0_main+18Cj
boot0:FFFF02E8                 MOVL    R2, 0xD020000 ; D020000 = AES hw
boot0:FFFF02F0 loc_FFFF02F0 ; CODE XREF: boot0_main+1F0j
boot0:FFFF02F0                 LDR     R3, [R2]
boot0:FFFF02F4                 CMP     R3, #0 ; wait for non-busy status from AES
boot0:FFFF02F8                 BLT     loc_FFFF02F0
boot0:FFFF02FC                 CMP     R4, #0
boot0:FFFF0300                 BEQ     loc_FFFF03D0
boot0:FFFF0304                 CMP     R4, #47
boot0:FFFF0308                 BHI     loc_FFFF03D0
boot0:FFFF030C                 SUB     R2, R4, #1 ; R2 = previous page number
boot0:FFFF0310                 AND     R3, R2, #1
boot0:FFFF0314                 MOV     R3, R3,LSL#7
boot0:FFFF0318                 ADD     R6, R3, #0xD400000
boot0:FFFF031C                 MOV     R2, R2,LSL#11
boot0:FFFF0320                 MOV     R10, #0xFF0
boot0:FFFF0324                 ADD     R6, R6, #0x17800 ; R6 = 0xD417800 + ((page-1) & 1) * 0x80
boot0:FFFF0328                 ADD     R10, R10, #0xF ; R10 = 0xFFF
boot0:FFFF032C                 ADD     R5, R2, #0xD400000 ; R5 = data of the previous page
boot0:FFFF0330                 MOV     R7, #0
boot0:FFFF0334 ; Four iterations (R7 = 0..3), R5 advancing by 0x200 bytes each time.
boot0:FFFF0334 ; Each pass loads one word from [R6+0x30+R7*4] and one from
boot0:FFFF0334 ; [R6+0x40+R7*4], byte-swaps both and XORs them into R12.
boot0:FFFF0334 calc_ecc ; CODE XREF: boot0_main+2A4j
boot0:FFFF0334                 MOV     R2, R7,LSL#2 ; all I can do is guess that this mess of code
boot0:FFFF0338                 ADD     R3, R6, #0x30 ; here is calculating the ECC of each flash
boot0:FFFF033C                 LDR     R12, [R3,R2] ; page, and then verifying it against the
boot0:FFFF0340                 ADD     R0, R6, R2 ; data in each page's spare area.
boot0:FFFF0344                 AND     R1, R12, #0xFF0000 ; or something.
boot0:FFFF0348                 LDR     R2, [R0,#0x40]
boot0:FFFF034C                 MOV     R1, R1,LSR#8
boot0:FFFF0350                 AND     R3, R12, #0xFF00
boot0:FFFF0354                 ORR     R1, R1, R12,LSR#24
boot0:FFFF0358                 ORR     R1, R1, R3,LSL#8
boot0:FFFF035C                 AND     R3, R2, #0xFF0000
boot0:FFFF0360                 MOV     R3, R3,LSR#8
boot0:FFFF0364                 ORR     R3, R3, R2,LSR#24
boot0:FFFF0368                 AND     R0, R2, #0xFF00
boot0:FFFF036C                 ORR     R3, R3, R0,LSL#8
boot0:FFFF0370                 CMP     R12, R2 ; flags from this compare are consumed by the BEQ at FFFF0384
boot0:FFFF0374                 ORR     R12, R1, R12,LSL#24
boot0:FFFF0378                 ORR     R2, R3, R2,LSL#24
boot0:FFFF037C                 EOR     R12, R12, R2
boot0:FFFF0380                 SUB     R1, R12, #1
boot0:FFFF0384                 BEQ     loc_FFFF03A0 ; the two words were equal: nothing to fix
boot0:FFFF0388                 MOV     R3, R12,LSL#20
boot0:FFFF038C                 MOV     R3, R3,LSR#20
boot0:FFFF0390                 MOV     R2, R12,LSR#16
boot0:FFFF0394                 TST     R1, R12 ; (R12-1) & R12: non-zero when more than one bit differs
boot0:FFFF0398                 EOR     R3, R2, R3
boot0:FFFF039C                 BNE     loc_FFFF0494
boot0:FFFF03A0 loc_FFFF03A0 ; CODE XREF: boot0_main+27Cj
boot0:FFFF03A0 ; boot0_main+3B4j boot0_main+3BCj
boot0:FFFF03A0                 ADD     R7, R7, #1
boot0:FFFF03A4                 CMP     R7, #4
boot0:FFFF03A8                 ADD     R5, R5, #0x200
boot0:FFFF03AC                 BCC     calc_ecc
boot0:FFFF03B0 ; AES command written to 0D020000: 0x9800107F, or 0x9800007F when
boot0:FFFF03B0 ; R4 == 1 (first page); presumably the differing bit selects IV chaining
boot0:FFFF03B0 ; - TODO confirm against the AES engine documentation.
boot0:FFFF03B0                 MOV     R1, #0x98000000
boot0:FFFF03B4                 ADD     R2, R1, #0x1040
boot0:FFFF03B8                 MOV     R3, #0xD000000
boot0:FFFF03BC                 CMP     R4, #1
boot0:FFFF03C0                 ADD     R2, R2, #0x3F
boot0:FFFF03C4                 ADD     R3, R3, #0x20000
boot0:FFFF03C8                 ADDEQ   R2, R1, #0x7F
boot0:FFFF03CC                 STR     R2, [R3]
boot0:FFFF03D0 loc_FFFF03D0 ; CODE XREF: boot0_main+1F8j
boot0:FFFF03D0 ; boot0_main+200j
boot0:FFFF03D0                 MOVL    R2, 0xD030000 ; D030000 = SHA1 HW
boot0:FFFF03D8 loc_FFFF03D8 ; CODE XREF: boot0_main+2D8j
boot0:FFFF03D8                 LDR     R3, [R2]
boot0:FFFF03DC                 CMP     R3, #0 ; wait for SHA1 non-busy status
boot0:FFFF03E0                 BLT     loc_FFFF03D8
boot0:FFFF03E4                 CMP     R4, #1
boot0:FFFF03E8                 MOVHI   R3, #0x8000001F
boot0:FFFF03EC                 ADD     R4, R4, #1
boot0:FFFF03F0                 STRHI   R3, [R2] ; only when the old R4 > 1: 0D030000 = 0x8000001F
boot0:FFFF03F4                 CMP     R4, #0x30 ; '0'
boot0:FFFF03F8                 BLS     boot1_read_loop
boot0:FFFF03FC                 MOVL    R2, 0xD030000
boot0:FFFF0404 loc_FFFF0404 ; CODE XREF: boot0_main+304j
boot0:FFFF0404                 LDR     R3, [R2]
boot0:FFFF0408                 CMP     R3, #0 ; wait for SHA1 non-busy status
boot0:FFFF040C                 BLT     loc_FFFF0404
boot0:FFFF0410 ; Verification gate: the flag at [R11-0x54] is 0 only when every OTP hash
boot0:FFFF0410 ; word read as zero; in that case control goes straight to jump_boot1
boot0:FFFF0410 ; and the loaded image runs without any hash comparison.
boot0:FFFF0410                 SUB     R3, R11, #0x54 ; Was OTP hash zero?
boot0:FFFF0414                 LDR     R3, [R3]
boot0:FFFF0418                 CMP     R3, #0
boot0:FFFF041C                 BEQ     jump_boot1
boot0:FFFF0420                 MOVL    R0, 0xD030000
boot0:FFFF0428                 ADD     R0, R0, #8
boot0:FFFF042C                 MOV     R1, #0
boot0:FFFF0430                 SUB     R2, R11, #0x28
boot0:FFFF0434 ; Copies five words from 0D030008.. to the stack buffer at [R11-0x50..].
boot0:FFFF0434 loc_FFFF0434 ; CODE XREF: boot0_main+340j
boot0:FFFF0434                 LDR     R3, [R0,R1,LSL#2]
boot0:FFFF0438                 ADD     R1, R1, #1
boot0:FFFF043C                 CMP     R1, #4
boot0:FFFF0440                 STR     R3, [R2,#-0x28]
boot0:FFFF0444                 ADD     R2, R2, #4
boot0:FFFF0448                 BLS     loc_FFFF0434
boot0:FFFF044C                 SUB     R0, R11, #0x28
boot0:FFFF0450                 MOV     R1, #4
boot0:FFFF0454 ; Five iterations comparing the OTP word ([R0-0x14]) with the computed
boot0:FFFF0454 ; word ([R0-0x28]). There is no early exit: a mismatch only sets R9 = 1
boot0:FFFF0454 ; and all five words are always compared.
boot0:FFFF0454 compare_hashes ; CODE XREF: boot0_main+364j
boot0:FFFF0454                 LDR     R2, [R0,#-0x14]
boot0:FFFF0458                 LDR     R3, [R0,#-0x28]
boot0:FFFF045C                 CMP     R2, R3
boot0:FFFF0460                 MOVNE   R9, #1
boot0:FFFF0464                 SUBS    R1, R1, #1
boot0:FFFF0468                 ADD     R0, R0, #4
boot0:FFFF046C                 BPL     compare_hashes
boot0:FFFF0470                 CMP     R9, #0
boot0:FFFF0474                 BNE     hash_fail
boot0:FFFF0478 ; Writes 0x0A and then 0x88 to the debug port and loads PC with 0xFFF00000.
boot0:FFFF0478 jump_boot1 ; CODE XREF: boot0_main+314j
boot0:FFFF0478 ; boot0_main+3D8j
boot0:FFFF0478                 MOV     R0, #0xA
boot0:FFFF047C                 BL      debug_port_output
boot0:FFFF0480                 MOV     R0, #0x88 ; 'ê'
boot0:FFFF0484                 BL      debug_port_output
boot0:FFFF0488                 LDR     PC, =0xFFF00000 ; jump to BOOT1
boot0:FFFF048C ; ---------------------------------------------------------------------------
boot0:FFFF048C ; Function epilogue; no branch in this listing targets it and the
boot0:FFFF048C ; LDR PC above does not fall through.
boot0:FFFF048C                 SUB     SP, R11, #0x28
boot0:FFFF0490                 LDMFD   SP, {R4-R11,SP,PC}
boot0:FFFF0494 ; ---------------------------------------------------------------------------
boot0:FFFF0494 ; ECC mismatch with more than one differing bit. On entry R2 = R12 >> 16
boot0:FFFF0494 ; and R3 = R2 ^ (R12 & 0xFFF). If R3 == 0xFFF (R10), one bit is flipped in
boot0:FFFF0494 ; place: bit (R2 & 7) of the byte at R5 + ((R2 & 0xFF8) >> 3). Any other
boot0:FFFF0494 ; value ends in panic(0xF1), which does not return.
boot0:FFFF0494 loc_FFFF0494 ; CODE XREF: boot0_main+294j
boot0:FFFF0494                 BIC     R1, R2, #7
boot0:FFFF0498                 MOV     R1, R1,LSL#20
boot0:FFFF049C                 CMP     R3, R10
boot0:FFFF04A0                 MOV     R1, R1,LSR#20
boot0:FFFF04A4                 AND     R12, R2, #7
boot0:FFFF04A8                 LDREQB  R2, [R5,R1,ASR#3]
boot0:FFFF04AC                 MOVEQ   R3, #1
boot0:FFFF04B0                 EOREQ   R2, R2, R3,LSL R12
boot0:FFFF04B4                 MOV     R0, #0xF1 ; '±' ; error
boot0:FFFF04B8                 STREQB  R2, [R5,R1,ASR#3]
boot0:FFFF04BC                 BEQ     loc_FFFF03A0
boot0:FFFF04C0                 BL      panic
boot0:FFFF04C4                 B       loc_FFFF03A0 ; not reached: panic loops forever
boot0:FFFF04C8 ; ---------------------------------------------------------------------------
boot0:FFFF04C8 otp_hash_not_empty ; CODE XREF: boot0_main+154j
boot0:FFFF04C8                 MOV     R2, #1
boot0:FFFF04CC                 SUB     R3, R11, #0x54
boot0:FFFF04D0                 STR     R2, [R3] ; set a flag indicating that the otp hash is valid
boot0:FFFF04D4                 B       loc_FFFF0268
boot0:FFFF04D8 ; ---------------------------------------------------------------------------
boot0:FFFF04D8 ; Hash mismatch: panic(0xF2). panic's loop has no exit, so the branch to
boot0:FFFF04D8 ; jump_boot1 after the call is never executed; a mismatch halts the boot.
boot0:FFFF04D8 ; NOTE(review): that fail-closed behaviour depends entirely on panic never
boot0:FFFF04D8 ; returning, because the fall-through target is the boot1 jump.
boot0:FFFF04D8 hash_fail ; CODE XREF: boot0_main+36Cj
boot0:FFFF04D8                 MOV     R0, #0xF2 ; '=' ; error
boot0:FFFF04DC                 BL      panic
boot0:FFFF04E0                 B       jump_boot1
boot0:FFFF04E0 ; ---------------------------------------------------------------------------
boot0:FFFF04E4 off_FFFF04E4    DCD boot1_key ; DATA XREF: boot0_main+30r
boot0:FFFF04E8 off_FFFF04E8    DCD boot1_iv ; DATA XREF: boot0_main+58r
boot0:FFFF04EC kSHA1_0         DCD 0x67452301 ; DATA XREF: boot0_main+74r
boot0:FFFF04F0 kSHA1_1         DCD 0xEFCDAB89 ; DATA XREF: boot0_main+84r
boot0:FFFF04F4 kSHA1_2         DCD 0x98BADCFE ; DATA XREF: boot0_main+98r
boot0:FFFF04F8 kSHA1_3         DCD 0x10325476 ; DATA XREF: boot0_main+A0r
boot0:FFFF04FC kSHA1_4         DCD 0xC3D2E1F0 ; DATA XREF: boot0_main+A8r
boot0:FFFF0500 boot1_entrypt ; DATA XREF: boot0_main+380r
boot0:FFFF0500                 DCD 0xFFF00000
boot0:FFFF0500 ; End of function boot0_main
boot0:FFFF0504                 DCB 0
boot0:FFFF0505 a_GCCGNU3_4_3   DCB "GCC: (GNU) 3.4.3",0
boot0:FFFF0516                 DCW 0
boot0:FFFF0518 ; =============== S U B R O U T I N E =======================================
boot0:FFFF0518 ; unused1 .. unused12 carry no CODE XREF from _reset, panic or boot0_main
boot0:FFFF0518 ; in this listing; they only reference one another.
boot0:FFFF0518 unused1
boot0:FFFF0518                 BIC     R0, R0, #0x35000000
boot0:FFFF051C                 BIC     R0, R0, #0x10000
boot0:FFFF0520                 MOVL    R3, 0xFFFFFFC
boot0:FFFF0524                 SUB     R3, R3, #0x2BC0000
boot0:FFFF0528                 ORR     R0, R0, #0xCA000000
boot0:FFFF052C                 SUB     R3, R3, #0x28000
boot0:FFFF0530                 ORR     R0, R0, #0xFE0000
boot0:FFFF0534                 STR     R0, [R3]
boot0:FFFF0538                 MOV     R0, #0
boot0:FFFF053C                 B       unused11
boot0:FFFF053C ; End of function unused1
boot0:FFFF0540 ; =============== S U B R O U T I N E =======================================
boot0:FFFF0540 unused2
boot0:FFFF0540                 BIC     R0, R0, #0x45000000
boot0:FFFF0544                 BIC     R0, R0, #0x2F0000
boot0:FFFF0548                 MOVL    R3, 0xFFFFFFC
boot0:FFFF054C                 SUB     R3, R3, #0x2BC0000
boot0:FFFF0550                 ORR     R0, R0, #0xBA000000
boot0:FFFF0554                 SUB     R3, R3, #0x28000
boot0:FFFF0558                 ORR     R0, R0, #0xD00000
boot0:FFFF055C                 STR     R0, [R3]
boot0:FFFF0560                 MOV     R0, #1
boot0:FFFF0564                 B       unused12
boot0:FFFF0564 ; End of function unused2
boot0:FFFF0568 ; =============== S U B R O U T I N E =======================================
boot0:FFFF0568 ; 32-bit store of R1 to [R0].
boot0:FFFF0568 unused3
boot0:FFFF0568                 STR     R1, [R0]
boot0:FFFF056C                 BX      LR
boot0:FFFF056C ; End of function unused3
boot0:FFFF0570 ; =============== S U B R O U T I N E =======================================
boot0:FFFF0570 ; 32-bit load from [R0] into R0.
boot0:FFFF0570 unused4
boot0:FFFF0570                 LDR     R0, [R0]
boot0:FFFF0574                 BX      LR
boot0:FFFF0574 ; End of function unused4
boot0:FFFF0578 ; =============== S U B R O U T I N E =======================================
boot0:FFFF0578 ; 16-bit store of R1 to [R0].
boot0:FFFF0578 unused5
boot0:FFFF0578                 STRH    R1, [R0]
boot0:FFFF057C                 BX      LR
boot0:FFFF057C ; End of function unused5
boot0:FFFF0580 ; =============== S U B R O U T I N E =======================================
boot0:FFFF0580 ; 16-bit load from [R0] into R0.
boot0:FFFF0580 unused6
boot0:FFFF0580                 LDRH    R0, [R0]
boot0:FFFF0584                 BX      LR
boot0:FFFF0584 ; End of function unused6
boot0:FFFF0588 ; =============== S U B R O U T I N E =======================================
boot0:FFFF0588 ; Busy-wait: returns at once when R0 == 0, otherwise decrements R0 to zero.
boot0:FFFF0588 delay ; CODE XREF: panic+20p panic+34p
boot0:FFFF0588                 CMP     R0, #0
boot0:FFFF058C                 BXEQ    LR
boot0:FFFF0590 loc_FFFF0590 ; CODE XREF: delay+Cj
boot0:FFFF0590                 SUBS    R0, R0, #1
boot0:FFFF0594                 BNE     loc_FFFF0590
boot0:FFFF0598                 BX      LR
boot0:FFFF0598 ; End of function delay
boot0:FFFF059C ; =============== S U B R O U T I N E =======================================
boot0:FFFF059C ; unused7-unused9 push R0-R3 and immediately drop them again.
boot0:FFFF059C unused7
boot0:FFFF059C                 STMFD   SP!, {R0-R3}
boot0:FFFF05A0                 ADD     SP, SP, #0x10
boot0:FFFF05A4                 RET
boot0:FFFF05A4 ; End of function unused7
boot0:FFFF05A8 ; =============== S U B R O U T I N E =======================================
boot0:FFFF05A8 unused8
boot0:FFFF05A8                 STMFD   SP!, {R0-R3}
boot0:FFFF05AC                 ADD     SP, SP, #0x10
boot0:FFFF05B0                 RET
boot0:FFFF05B0 ; End of function unused8
boot0:FFFF05B4 ; =============== S U B R O U T I N E =======================================
boot0:FFFF05B4 unused9
boot0:FFFF05B4                 STMFD   SP!, {R0-R3}
boot0:FFFF05B8                 ADD     SP, SP, #0x10
boot0:FFFF05BC                 RET
boot0:FFFF05BC ; End of function unused9
boot0:FFFF05C0 ; =============== S U B R O U T I N E =======================================
boot0:FFFF05C0 ; int __stdcall memset(void *dest, int c, int len)
boot0:FFFF05C0 ; Byte-wise fill of len bytes at dest with the low byte of c. R0 is not
boot0:FFFF05C0 ; modified (R3 is the moving pointer); clobbers R2 and R3. len == 0
boot0:FFFF05C0 ; returns without storing.
boot0:FFFF05C0 memset ; CODE XREF: boot0_main+114p
boot0:FFFF05C0                 SUB     R2, R2, #1
boot0:FFFF05C4                 CMN     R2, #1
boot0:FFFF05C8                 MOV     R3, R0
boot0:FFFF05CC                 BXEQ    LR
boot0:FFFF05D0 loc_FFFF05D0 ; CODE XREF: memset+1Cj
boot0:FFFF05D0                 SUB     R2, R2, #1
boot0:FFFF05D4                 CMN     R2, #1
boot0:FFFF05D8                 STRB    R1, [R3],#1
boot0:FFFF05DC                 BNE     loc_FFFF05D0
boot0:FFFF05E0                 BX      LR
boot0:FFFF05E0 ; End of function memset
boot0:FFFF05E4 ; =============== S U B R O U T I N E =======================================
boot0:FFFF05E4 ; Attributes: noreturn
boot0:FFFF05E4 ; CP15 write to c7,c0,4 (presumably wait-for-interrupt on this core -
boot0:FFFF05E4 ; TODO confirm), followed by a branch-to-self.
boot0:FFFF05E4 unused10 ; CODE XREF: unused11+4p
boot0:FFFF05E4 ; unused12+4p
boot0:FFFF05E4                 MCR     p15, 0, R0,c7,c0, 4
boot0:FFFF05E8 hang ; CODE XREF: unused10:hangj
boot0:FFFF05E8                 B       hang
boot0:FFFF05E8 ; End of function unused10
boot0:FFFF05EC ; =============== S U B R O U T I N E =======================================
boot0:FFFF05EC unused11 ; CODE XREF: unused1+24j
boot0:FFFF05EC                 MOV     R0, #0
boot0:FFFF05F0                 BL      unused10
boot0:FFFF05F0 ; End of function unused11
boot0:FFFF05F4 ; =============== S U B R O U T I N E =======================================
boot0:FFFF05F4 unused12 ; CODE XREF: unused2+24j
boot0:FFFF05F4                 MOV     R0, #1
boot0:FFFF05F8                 BL      unused10
boot0:FFFF05F8 ; End of function unused12
boot0:FFFF05F8 ; ---------------------------------------------------------------------------
boot0:FFFF05FC ; 128-bit AES key and all-zero IV loaded by set_AES_key / set_AES_iv.
boot0:FFFF05FC ; NOTE(review): both are constants in this image, so they give the boot1
boot0:FFFF05FC ; payload no per-device secrecy once this listing is readable; the only
boot0:FFFF05FC ; integrity check on boot1 visible here is the SHA-1 comparison with OTP.
boot0:FFFF05FC boot1_key       DCD 0x9258A752,0x64960D82,0x676F9044,0x56882A73
boot0:FFFF05FC ; DATA XREF: boot0_main:off_FFFF04E4o
boot0:FFFF060C boot1_iv        DCD 0, 0, 0, 0 ; DATA XREF: boot0_main:off_FFFF04E8o
boot0:FFFF1FFC                 DCD 0xABAB0101
boot0:FFFF1FFC ; boot0 ends