Zipit Z1
逆向zpm.bin
整理如下:
.text reset: mov r10, #0x80000000 add r11, r10, #0x1000 add r12, r10, #0x2000 mov r1, #0x62 str r1, [r12,#0x2c0] ; LEDFLSH = 0x62 mov r0, #0x100 str r0, [r11, #0x100] ; SYSCON2 = 0x100 ldr r0, [r11, #0x140] mov r0, #0x60003 str r0, [r11, #0x4c0] ; UBRLCR2 = 0x60003 mov r0, #0x100000 bl delay mov r0, #0xd bl uart2_send_char mov r0, #0xa bl uart2_send_char ldr r0, =zpm_56k bl uart2_send_string mov sp, #0x10009600 mov r1, #0x40100 str r1, [r10, #0x100] ; SYSCON1 = 0x40100 ldr r1, [r12, #0x200] orr r1, r1, #6 str r1, [r12, #0x200] ; SYSCON3|= 6 nop nop nop nop nop nop mov r1, #0x31000000 str r1, [r12, #0x600] ; DAIFS64s = 0x31000000 nop nop nop nop mov r1, #0x60004 str r1, [r10, #0x4c0] ; UBRLCR1 = 0x60004 mrc p15, 0, r5, c1, c0, 0 bic r5, r5, #0xd mcr p15, 0, r5, c1, c0, 0 nop nop nop nop mov r1, #0xc00000c str r1, [r10, #0x180] ; MEMCFG1 = 0xc00000c ldr r1, =0x29000200 str r1, [r10] ; PADR = 0x29000200 ldr r1, =0x206d707a str r1, [r10, #0x40] ; PaddR = 0x206D707A ldr r1, [r11, #0x100] orr r1, r1, #4 str r1, [r11, #0x100] ; SYSCON2|= 4 mov r1, #0x542 str r1, [r12, #0x300] ; SDCONF = 0x542 mov r1, #0x168 str r1, [r12, #0x340] ; SDRFPR = 0x168 mov r2, #0xc0000000 ldr r1, =0x55aa55aa str r1, [r2] ; SDRAM address (0xc0000000) ldr r0, [r2] cmp r0, r1 beq main ldr r0, =zpm_noram bl uart2_send_string b loop main: ldr r1, [r10, #0x100] bic r1, r1, #0x1000 str r1, [r10, #0x100] ; SYSCON1&= ~0x1000 ldr r1, =0xe03a695f str r1, [r10, #0x2c0] ; LCDCON = 0xe03a695f mov r1, #0xc str r1, [r11] ; FBADDR = 0x0c ldr r1, =0x89abcdef str r1, [r10, #0x540] ; PALLSW = 0x89abcdef ldr r1, =0x1234567 str r1, [r10, #0x580] ; PALMSW = 0x1234567 mov r1, #0xc0000000 mov r0, #0xffffffff mov r2, #0x9600 1: strb r0, [r1] ; 0xc0000000~0xc0009600 = 0xffffffff add r1, r1, #1 subs r2, r2, #1 bne 1b ldr r1, [r10, #0x100] orr r1, r1, #0x1000 str r1, [r10, #0x100] ; FBADDR|= 0x1000 bl relocate ldr r0, =zpm_loader bl uart2_send_string ldr r5, =0x70000000 ldr r0, [r5, #0x10] bl print_ulong_hex mov r0, #0x20 bl uart2_send_char ldr r0, [r5, #0x20] bl print_ulong_hex ldr r0, [r5, #0x20] ldr r1, =0xc0c90000 ldr r2, =0xC0C00000 sub r2, r2, r1 cmp r0, r2 beq print_newline ldr r0, =zpm_newline bl uart2_send_string print_newline: ldr r0, =zpm_newline bl uart2_send_string loop: mov r10, #0x80000000 add r11, r10, #0x1000 add r12, r10, #0x2000 ldr r0, =zpm_ok bl uart2_send_string bl uart2_wait_char cmp r0, #0x3F ; '?' beq cmd_info cmp r0, #0x50 ; 'P' beq cmd_p cmp r0, #0x6b ; 'k' beq cmd_k cmp r0, #0x75 ; 'u' beq cmd_u cmp r0, #0x61 ; 'a' beq cmd_a cmp r0, #0x41 ; 'A' beq cmd_a cmp r0, #0x57 ; 'W' beq cmd_w cmp r0, #0x5a ; 'Z' beq cmd_z cmp r0, #0x52 ; 'R' beq cmd_r cmp r0, #0x52 ; 'R' beq cmd_r ldr r0, =zpm_cmderr bl uart2_send_string b loop cmd_k: ldr r5, =0xc0c02000 b fill_mem cmd_u: ldr r5, =0xc0c90000 b fill_mem cmd_a: ldr r5, =0xc0c00000 fill_mem: bl uart2_get_ulong mov r6, r0 ldr r0, =zpm_beg bl uart2_send_string mov r0, r6 bl print_ulong_hex mov r4, #0 1: bl uart2_wait_char strb r0, [r5] add r4, r4, r0 add r5, r5, #1 subs r6, r6, #1 bne 1b ldr r0, =zpm_end bl uart2_send_string mov r0, r4 bl print_byte_hex b loop uart2_get_ulong: mov r2, lr bl uart2_wait_char mov r1, r0 bl uart2_wait_char orr r1, r1, r0, lsl#8 bl uart2_wait_char orr r1, r1, r0, lsl#16 bl uart2_wait_char orr r0, r1, r0, lsl#24 bx r2 delay: sub r0, r0, #1 cmp r0, #0 bne delay bx lr uart2_send_string: mov r2, lr mov r1, r0 1: ldrb r0, [r1] add r1, r1, #1 cmp r0, #0 bxeq r2 bl uart2_send_char b 1b print_ulong_hex: mov r3, lr mov r4, r0 mov r0, r4, lsr#24 bl print_byte_hex mov r0, r4, lsr#16 bl print_byte_hex mov r0, r4, lsr#8 bl print_byte_hex mov r0, r4 bl print_byte_hex bx r3 print_byte_hex: mov r1, r0 mov r2, lr mov r0, r1, lsr#4 bl 1f mov lr, r2 mov r0, r1 1: and r0, r0, #0xf cmp r0, #0xa add r0, r0, #0x30 addge r0, r0, #7 uart2_send_char: str r0, [r11, #0x480] ; UARTDR2 1: ldr r0, [r11, #0x140] ; SYSFLG2.UTXFF2 tst r0, #0x800000 bne 1b bx lr uart2_wait_char: ldr r0, [r11, #0x140] ; SYSFLG2.URXFE2 tst r0, #0x400000 bne uart2_wait_char ldr r0, [r11, #0x480] ; UARTDR2 and r0, r0, #0xff bx lr cmd_r: ldr r5, =0x70000000 mov r4, #0x200000 1: ldrb r0, [r5] bl uart2_send_char add r5, r5, #1 subs r4, r4, #1 bne 1b b loop cmd_info: ldr r0, =zpm_gpio bl uart2_send_string ldrb r0, [r10] bl print_byte_hex mov r0, #0x20 bl uart2_send_char ldrb r0, [r10, #1] bl print_byte_hex mov r0, #0x20 bl uart2_send_char ldrb r0, [r10, #3] bl print_byte_hex mov r0, #0x20 bl uart2_send_char ldrb r0, [r10, #0x80] bl print_byte_hex ldr r0, =zpm_uniqid bl uart2_send_string ldr r0, [r12, #0x440] bl print_ulong_hex ldr r0, =zpm_randid bl uart2_send_string ldr r0, [r12, #0x70c] bl print_ulong_hex ldr r0, [r12, #0x708] bl print_ulong_hex ldr r0, [r12, #0x704] bl print_ulong_hex ldr r0, [r12, #0x700] bl print_ulong_hex ldr r0, =zpm_flashrom bl uart2_send_string ldr r5, =0x70000000 bl print_checksum ldr r0, =zpm_burnsrc bl uart2_send_string ldr r5, =0xc0c00000 bl print_checksum b print_newline cmd_p: ldr r0, =0x701f0000 bl uart2_send_string b loop print_checksum: mov r9, lr mov r4, #0x200000 mov r8, #0 1: ldr r0, [r5] add r5, r5, #4 add r8, r8, r0 subs r4, r4, #4 bne 1b mov r0, r8 bl print_ulong_hex bx r9 relocate: ldr r1, =0x70000000 ldr r2, =0xc0c00000 mov r4, #0x200000 1: ldr r0, [r1] add r1, r1, #4 str r0, [r2] add r2, r2, #4 subs r4, r4, #4 bne 1b bx lr print_no: ldr r0, =zpm_no bl uart2_send_string b loop cmd_w: ldr r0, =zpm_pwd bl uart2_send_string bl uart2_wait_char cmp r0, #0x59 ; 'Y' bne print_no bl uart2_wait_char cmp r0, #0x65 ; 'e' bne print_no bl uart2_wait_char cmp r0, #0x73 ; 's' bne print_no ldr r0, =zpm_earsing bl uart2_send_string ldr r5, =0x70000555 ldr r6, =0x70000aaa mov r0, #0xaa mov r1, #0x55 mov r2, #0x80 mov r3, #0x10 strb r0, [r6] strb r1, [r5] strb r2, [r6] strb r0, [r6] strb r1, [r5] strb r3, [r6] ldr r1, =0x70000000 1: ldrb r0, [r1] cmp r0, #0xff bne 1b ldr r0, =zpm_earsed bl uart2_send_string ldr r5, =0x70000555 ldr r6, =0x70000aaa ldr r4, =0x70000000 ldr r8, =0xc0c00000 mov r9, #0x200000 mov r0, #0xaa mov r1, #0x55 mov r2, #0xa0 2: ldrh r3, [r8] strb r0, [r6] strb r1, [r5] strb r2, [r6] strh r3, [r4] add r8, r8, #2 3: ldrh r3, [r4] ldrh r7, [r4] cmp r3, r7 bne 3b add r4, r4, #2 subs r9, r9, #2 bne 2b ldr r0, =zpm_written bl uart2_send_string b print_newline cmd_z: ldr r5, =0x70000555 ldr r6, =0x70000aaa ldr r4, =0x701f0000 mov r0, #0xaa mov r1, #0x55 mov r2, #0xa0 mov r3, #0 strb r0, [r6] strb r1, [r5] strb r2, [r6] strh r3, [r4] 1: ldrh r3, [r4] ldrh r7, [r4] cmp r3, r7 bne 1b ldr r0, =zpm_zapped bl uart2_send_string b print_newline .align zpm_56k: .asciz "ZPM .02 - 57.6Kbps new cmds\r\n"; .align zpm_noram: .asciz "NORAM!\r\n"; .align zpm_loader: .asciz " Loader addresses: \r\n"; .align zpm_newline: .asciz "\r\n"; .align zpm_ok: .asciz "OK >\r\n"; .align zpm_cmderr: .asciz "CMD ERR\r\n"; .align zpm_gpio: .asciz "GPIO: "; .align zpm_uniqid: .asciz "\r\nUNIQID: "; .align zpm_randid: .asciz "\r\nRANDID: "; .align zpm_flashrom: .asciz "\r\nFLASHROM: "; .align zpm_burnsrc: .asciz "\r\nBURN_SRC: "; .align zpm_beg: .asciz "BEG:"; .align zpm_end: .asciz "END:"; .align zpm_no: .asciz "NO"; .align zpm_pwd: .asciz "E+W PWD?"; .align zpm_earsing: .asciz "ERASING,"; .align zpm_earsed: .asciz "ERASED,"; .align zpm_zapped: .asciz "Properties zapped!"; .align zpm_written: .asciz "WRITTEN!"; .align .end