|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
IriverNavigation
Function Memory MappingWhat format is the flash?DaveHooper (stripwax) has developed and published decryption & encryption tools for this. (Binary: http://www.beermex.com/@spc/ihpfirm.exe & Source: http://www.beermex.com/@spc/ihpfirm.src.zip). See the IriverToolsGuide for info on how to use this tool. Using the iHP-140 as an example -- the decoded image from the above has a 512 byte encryption header, then a 32 byte "ESTFBINR" header with nothing in it. Following this is the content of the flash, with the entry point at 0x0 as explained in "Reset Logic" below. The flash routine inits the processor, important regs and GPIO, then copies portions of the remaining FLASH data into SDRAM and SDRAM as follows (see offset 0x00001528 for details): Copy 0xD2525-0xD82C9 to 0x10000000 (Start of SRAM)Copy 0xD82C9-0xE0B35 to 0x10005DB0 Copy 0xE0B35-0xE1015 to 0x10010120 Copy 0xE1015-0xE1955 to 0x10010600 Copy 0xE1955-0xE2755 to 0x10011000 Copy 0xE2755-0xE3099 to 0x10011E00 Copy 0xE3099-0x19D2E9 to 0x31000000 (Start of SDRAM) Copy 0x19D2E9-0x1A1901 to 0x310C9418 Copy 0x1A1901-0x1A23D5 to 0x310CDA30 Copy 0x1A23D5-0x1C4355 to 0x310CFF70 A few well-constructed "dd" commands, and you'll be able to construct two images: one containing the content of the SRAM image and one containing the SDRAM image. The dd would be of the form "dd if=ihp_120.bin of=sdram_img.bin bs=1 skip=$[0xE3099] seek=$[0x0] count=$[0x19D2E9-0xE3099] conv=notrunc" -- that example copies the first block of SDRAM at offset 0x3100000 into offset 0 (seek=0) of sdram_img.bin. There are bits of executable code in both -- some speed critical routines are placed in SRAM, like memcpy(). You can add strings references to the assembly code using the attached addstrings.pl command below. This will add a surprising amount of clarity to the code since there are more than a few error messages that were built into the code (but the error function itself appears to have been ifdeffed out). Function Address infoCan we agree on a common firmware to analyze? I suggest the US firmware? But should it be 1.40 or 1.60? I'm just making up descriptive function names. -- PaulS StephanNielsen: I was wondering which tools and methods you use to analyze the firmware (extract addresses). Disassembler (objdump), A modded MCF5249 emulator, BDM, GDB??? Is it possible that you could inform other interested people about this on a separate WikiPage - unless of course you will rather do all the hard work yourself ;). PaulS: There's not a lot of magic going on here. I think there are other people (and pages) that are much better suited to give a tutorial on disassembly. The tools I've relied on the most are the disassembly tools I mentioned on the IriverPort page. I wrote a little perl code to build forward and reverse function call trees, but the results of that haven't been very useful so far. Aside from that, I spent a little time getting used to the assembly language, kept a ColdFire Programmers Reference Manual and the CF5259 User Manual by my side and curled up with some code. It didn't take long to get an intuition for loop structure and function call semantics. The important bit of code I found very early on built the Software Memory Map below, which talks about where all the peripheral interfaces are in memory. Just searching for references to the GPIO memory range (mostly in MBAR2) will get you plenty of interesting code to look at and ponder on what it's doing. Again, other people might be better at formalizing this process. Is this short bit worth a separate Wiki page? StephanNielsen: Ok, fair enough. I will make an IriverToolsGuide WikiPage then, but please forgive me for making mistakes cause inspite of your description, I am still in doubt about a few things.
Software Memory MapThe iRiver can map external peripherals in a flexible manner, using the Chip Select Module. There are also base address registers for many other facilities so devices like GPIO registers can float around based on the firmware in question. Here's an attempt to document the 1.40US firmware's setup (and coincidentally the 1.60 appears largely the same) for various important bits. Some of these registers are supervisory registers in the core, accessed by special MOVE instructions. Others, like the chip select regs are actually within the MBAR.
GPIO SignalsHere's a summary of how the ColdFire GPIO pins are used on the iRiver. These are mostly guesses that LinusNielsenFeltzing should be able to confirm or dispute based on his findings. The I/O/F column indicates whether the pin is a GPIO Input, GPIO Output or Function pin (assigned to the ColdFire's special-purpose function, or not used). Pointers are into the 1.40US SDRAM code.
Hardware Address infoA lot of documentation can be found in the ColdFire manuals. The below list refers to the most important address tables: Exception Vectors (page 98)
r35 - 02 Apr 2021 - 20:46:07 - UnknownUser
Copyright © by the contributing authors.
|