微電腦 - Zipit Z1 - 逆向zpm.bin
.text
reset:
mov r10, #0x80000000
add r11, r10, #0x1000
add r12, r10, #0x2000
mov r1, #0x62
str r1, [r12,#0x2c0] ; LEDFLSH = 0x62
mov r0, #0x100
str r0, [r11, #0x100] ; SYSCON2 = 0x100
ldr r0, [r11, #0x140]
mov r0, #0x60003
str r0, [r11, #0x4c0] ; UBRLCR2 = 0x60003
mov r0, #0x100000
bl delay
mov r0, #0xd
bl uart2_send_char
mov r0, #0xa
bl uart2_send_char
ldr r0, =zpm_56k
bl uart2_send_string
mov sp, #0x10009600
mov r1, #0x40100
str r1, [r10, #0x100] ; SYSCON1 = 0x40100
ldr r1, [r12, #0x200]
orr r1, r1, #6
str r1, [r12, #0x200] ; SYSCON3|= 6
nop
nop
nop
nop
nop
nop
mov r1, #0x31000000
str r1, [r12, #0x600] ; DAIFS64s = 0x31000000
nop
nop
nop
nop
mov r1, #0x60004
str r1, [r10, #0x4c0] ; UBRLCR1 = 0x60004
mrc p15, 0, r5, c1, c0, 0
bic r5, r5, #0xd
mcr p15, 0, r5, c1, c0, 0
nop
nop
nop
nop
mov r1, #0xc00000c
str r1, [r10, #0x180] ; MEMCFG1 = 0xc00000c
ldr r1, =0x29000200
str r1, [r10] ; PADR = 0x29000200
ldr r1, =0x206d707a
str r1, [r10, #0x40] ; PaddR = 0x206D707A
ldr r1, [r11, #0x100]
orr r1, r1, #4
str r1, [r11, #0x100] ; SYSCON2|= 4
mov r1, #0x542
str r1, [r12, #0x300] ; SDCONF = 0x542
mov r1, #0x168
str r1, [r12, #0x340] ; SDRFPR = 0x168
mov r2, #0xc0000000
ldr r1, =0x55aa55aa
str r1, [r2] ; SDRAM address (0xc0000000)
ldr r0, [r2]
cmp r0, r1
beq main
ldr r0, =zpm_noram
bl uart2_send_string
b loop
main:
ldr r1, [r10, #0x100]
bic r1, r1, #0x1000
str r1, [r10, #0x100] ; SYSCON1&= ~0x1000
ldr r1, =0xe03a695f
str r1, [r10, #0x2c0] ; LCDCON = 0xe03a695f
mov r1, #0xc
str r1, [r11] ; FBADDR = 0x0c
ldr r1, =0x89abcdef
str r1, [r10, #0x540] ; PALLSW = 0x89abcdef
ldr r1, =0x1234567
str r1, [r10, #0x580] ; PALMSW = 0x1234567
mov r1, #0xc0000000
mov r0, #0xffffffff
mov r2, #0x9600
1:
strb r0, [r1] ; 0xc0000000~0xc0009600 = 0xffffffff
add r1, r1, #1
subs r2, r2, #1
bne 1b
ldr r1, [r10, #0x100]
orr r1, r1, #0x1000
str r1, [r10, #0x100] ; FBADDR|= 0x1000
bl relocate
ldr r0, =zpm_loader
bl uart2_send_string
ldr r5, =0x70000000
ldr r0, [r5, #0x10]
bl print_ulong_hex
mov r0, #0x20
bl uart2_send_char
ldr r0, [r5, #0x20]
bl print_ulong_hex
ldr r0, [r5, #0x20]
ldr r1, =0xc0c90000
ldr r2, =0xC0C00000
sub r2, r2, r1
cmp r0, r2
beq print_newline
ldr r0, =zpm_newline
bl uart2_send_string
print_newline:
ldr r0, =zpm_newline
bl uart2_send_string
loop:
mov r10, #0x80000000
add r11, r10, #0x1000
add r12, r10, #0x2000
ldr r0, =zpm_ok
bl uart2_send_string
bl uart2_wait_char
cmp r0, #0x3F ; '?'
beq cmd_info
cmp r0, #0x50 ; 'P'
beq cmd_p
cmp r0, #0x6b ; 'k'
beq cmd_k
cmp r0, #0x75 ; 'u'
beq cmd_u
cmp r0, #0x61 ; 'a'
beq cmd_a
cmp r0, #0x41 ; 'A'
beq cmd_a
cmp r0, #0x57 ; 'W'
beq cmd_w
cmp r0, #0x5a ; 'Z'
beq cmd_z
cmp r0, #0x52 ; 'R'
beq cmd_r
cmp r0, #0x52 ; 'R'
beq cmd_r
ldr r0, =zpm_cmderr
bl uart2_send_string
b loop
cmd_k:
ldr r5, =0xc0c02000
b fill_mem
cmd_u:
ldr r5, =0xc0c90000
b fill_mem
cmd_a:
ldr r5, =0xc0c00000
fill_mem:
bl uart2_get_ulong
mov r6, r0
ldr r0, =zpm_beg
bl uart2_send_string
mov r0, r6
bl print_ulong_hex
mov r4, #0
1:
bl uart2_wait_char
strb r0, [r5]
add r4, r4, r0
add r5, r5, #1
subs r6, r6, #1
bne 1b
ldr r0, =zpm_end
bl uart2_send_string
mov r0, r4
bl print_byte_hex
b loop
uart2_get_ulong:
mov r2, lr
bl uart2_wait_char
mov r1, r0
bl uart2_wait_char
orr r1, r1, r0, lsl#8
bl uart2_wait_char
orr r1, r1, r0, lsl#16
bl uart2_wait_char
orr r0, r1, r0, lsl#24
bx r2
delay:
sub r0, r0, #1
cmp r0, #0
bne delay
bx lr
uart2_send_string:
mov r2, lr
mov r1, r0
1:
ldrb r0, [r1]
add r1, r1, #1
cmp r0, #0
bxeq r2
bl uart2_send_char
b 1b
print_ulong_hex:
mov r3, lr
mov r4, r0
mov r0, r4, lsr#24
bl print_byte_hex
mov r0, r4, lsr#16
bl print_byte_hex
mov r0, r4, lsr#8
bl print_byte_hex
mov r0, r4
bl print_byte_hex
bx r3
print_byte_hex:
mov r1, r0
mov r2, lr
mov r0, r1, lsr#4
bl 1f
mov lr, r2
mov r0, r1
1:
and r0, r0, #0xf
cmp r0, #0xa
add r0, r0, #0x30
addge r0, r0, #7
uart2_send_char:
str r0, [r11, #0x480] ; UARTDR2
1:
ldr r0, [r11, #0x140] ; SYSFLG2.UTXFF2
tst r0, #0x800000
bne 1b
bx lr
uart2_wait_char:
ldr r0, [r11, #0x140] ; SYSFLG2.URXFE2
tst r0, #0x400000
bne uart2_wait_char
ldr r0, [r11, #0x480] ; UARTDR2
and r0, r0, #0xff
bx lr
cmd_r:
ldr r5, =0x70000000
mov r4, #0x200000
1:
ldrb r0, [r5]
bl uart2_send_char
add r5, r5, #1
subs r4, r4, #1
bne 1b
b loop
cmd_info:
ldr r0, =zpm_gpio
bl uart2_send_string
ldrb r0, [r10]
bl print_byte_hex
mov r0, #0x20
bl uart2_send_char
ldrb r0, [r10, #1]
bl print_byte_hex
mov r0, #0x20
bl uart2_send_char
ldrb r0, [r10, #3]
bl print_byte_hex
mov r0, #0x20
bl uart2_send_char
ldrb r0, [r10, #0x80]
bl print_byte_hex
ldr r0, =zpm_uniqid
bl uart2_send_string
ldr r0, [r12, #0x440]
bl print_ulong_hex
ldr r0, =zpm_randid
bl uart2_send_string
ldr r0, [r12, #0x70c]
bl print_ulong_hex
ldr r0, [r12, #0x708]
bl print_ulong_hex
ldr r0, [r12, #0x704]
bl print_ulong_hex
ldr r0, [r12, #0x700]
bl print_ulong_hex
ldr r0, =zpm_flashrom
bl uart2_send_string
ldr r5, =0x70000000
bl print_checksum
ldr r0, =zpm_burnsrc
bl uart2_send_string
ldr r5, =0xc0c00000
bl print_checksum
b print_newline
cmd_p:
ldr r0, =0x701f0000
bl uart2_send_string
b loop
print_checksum:
mov r9, lr
mov r4, #0x200000
mov r8, #0
1:
ldr r0, [r5]
add r5, r5, #4
add r8, r8, r0
subs r4, r4, #4
bne 1b
mov r0, r8
bl print_ulong_hex
bx r9
relocate:
ldr r1, =0x70000000
ldr r2, =0xc0c00000
mov r4, #0x200000
1:
ldr r0, [r1]
add r1, r1, #4
str r0, [r2]
add r2, r2, #4
subs r4, r4, #4
bne 1b
bx lr
print_no:
ldr r0, =zpm_no
bl uart2_send_string
b loop
cmd_w:
ldr r0, =zpm_pwd
bl uart2_send_string
bl uart2_wait_char
cmp r0, #0x59 ; 'Y'
bne print_no
bl uart2_wait_char
cmp r0, #0x65 ; 'e'
bne print_no
bl uart2_wait_char
cmp r0, #0x73 ; 's'
bne print_no
ldr r0, =zpm_earsing
bl uart2_send_string
ldr r5, =0x70000555
ldr r6, =0x70000aaa
mov r0, #0xaa
mov r1, #0x55
mov r2, #0x80
mov r3, #0x10
strb r0, [r6]
strb r1, [r5]
strb r2, [r6]
strb r0, [r6]
strb r1, [r5]
strb r3, [r6]
ldr r1, =0x70000000
1:
ldrb r0, [r1]
cmp r0, #0xff
bne 1b
ldr r0, =zpm_earsed
bl uart2_send_string
ldr r5, =0x70000555
ldr r6, =0x70000aaa
ldr r4, =0x70000000
ldr r8, =0xc0c00000
mov r9, #0x200000
mov r0, #0xaa
mov r1, #0x55
mov r2, #0xa0
2:
ldrh r3, [r8]
strb r0, [r6]
strb r1, [r5]
strb r2, [r6]
strh r3, [r4]
add r8, r8, #2
3:
ldrh r3, [r4]
ldrh r7, [r4]
cmp r3, r7
bne 3b
add r4, r4, #2
subs r9, r9, #2
bne 2b
ldr r0, =zpm_written
bl uart2_send_string
b print_newline
cmd_z:
ldr r5, =0x70000555
ldr r6, =0x70000aaa
ldr r4, =0x701f0000
mov r0, #0xaa
mov r1, #0x55
mov r2, #0xa0
mov r3, #0
strb r0, [r6]
strb r1, [r5]
strb r2, [r6]
strh r3, [r4]
1:
ldrh r3, [r4]
ldrh r7, [r4]
cmp r3, r7
bne 1b
ldr r0, =zpm_zapped
bl uart2_send_string
b print_newline
.align
zpm_56k: .asciz "ZPM .02 - 57.6Kbps new cmds\r\n"; .align
zpm_noram: .asciz "NORAM!\r\n"; .align
zpm_loader: .asciz " Loader addresses: \r\n"; .align
zpm_newline: .asciz "\r\n"; .align
zpm_ok: .asciz "OK >\r\n"; .align
zpm_cmderr: .asciz "CMD ERR\r\n"; .align
zpm_gpio: .asciz "GPIO: "; .align
zpm_uniqid: .asciz "\r\nUNIQID: "; .align
zpm_randid: .asciz "\r\nRANDID: "; .align
zpm_flashrom: .asciz "\r\nFLASHROM: "; .align
zpm_burnsrc: .asciz "\r\nBURN_SRC: "; .align
zpm_beg: .asciz "BEG:"; .align
zpm_end: .asciz "END:"; .align
zpm_no: .asciz "NO"; .align
zpm_pwd: .asciz "E+W PWD?"; .align
zpm_earsing: .asciz "ERASING,"; .align
zpm_earsed: .asciz "ERASED,"; .align
zpm_zapped: .asciz "Properties zapped!"; .align
zpm_written: .asciz "WRITTEN!"; .align
.end