88W8388: Difference between revisions
Revision as of 01:05, 30 August 2007
This is Marvell's wireless controller chip. Outside of this page, it is undocumented.
Gross memory map
start    end      contents
00000000 0000ffff code, part 1
04000000 04001fff stack
80000000 8000ffff IO memory
90000000 9000ffff IO memory
c0000000 c000ffff code, part 2
c0010000 c0027fff heap and bss
ffff0000 ffffffff boot code
CPU
This is a little-endian ARM chip. "xscale" appears to be a good match. Mostly it is used to run Thumb code, but some regular ARM code is used as well. ARM code can be spotted in hex dumps because most instructions will start with the hex digit "e" (the 4th byte of each 32-bit word in a little-endian dump: that nibble is the condition field, and "e" means "always").
Note that objdump is completely unsuitable for disassembling this code. You need an interactive disassembler and/or one that traces code flow. Something like objdump will be unaware of the transitions between plain ARM code, thumb code, and data. It is normal for functions to be followed by constants; a good disassembler will match these up with the code instead of stupidly disassembling them.
Main firmware format
Firmware is a stream of packets like this.
le32      0x00000001 if data follows, else 0x00000004
le32      destination address
le32      data length including final CRC, normally 0x200 bytes
be32      header CRC (1st 12 bytes and 4 zero bytes)
char[508] data; may be smaller for the last block
be32      data CRC (the 508 bytes and 4 zero bytes)
Data length goes short at the end of a segment. After the very last block of the whole file, there is one special header. It has code 0x00000004, address zero, and length zero.
Use bin2elf.c and elf2bin.c to convert firmware files to/from ELF.
CRC
polynomial 0x04c11db7 (common CRC32)
initial remainder 0
no reflections
no inversion at the end
stored in big-endian format!
on creation, include 4 trailing zero bytes
nice property: the CRC of the data with following CRC will be zero
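The packet layout under "Main firmware format" and the CRC parameters just listed are enough to write a verifier for a firmware stream. The C program below is an added example written for this page; it is not bin2elf.c, elf2bin.c or any Marvell code. It implements the CRC literally as listed (augmented shift register, initial remainder 0, MSB first, no reflection or final inversion, message followed by four zero bytes), builds a small constructed image of two data blocks plus the end marker, and walks it back, checking every header CRC and using the "nice property" to check each data CRC in one pass. Names such as fw_crc32, fw_parse_packet and fw_walk are this example's own, and one detail is an assumption the page does not state: that the terminating code-4 header carries a header CRC computed like any other header.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define FW_CRC_POLY  0x04c11db7u
#define FW_CODE_DATA 0x00000001u  /* header code: a data block follows */
#define FW_CODE_END  0x00000004u  /* header code: end-of-file marker */
#define FW_HDR_LEN   16
#define FW_BLOCK_MAX 508          /* payload bytes per block, excluding its CRC */

enum { FW_ERR_SHORT = -1, FW_ERR_HDR_CRC = -2, FW_ERR_CODE = -3,
       FW_ERR_LEN = -4, FW_ERR_DATA_CRC = -5, FW_ERR_NO_END = -6 };

typedef struct {
    uint32_t code, addr, length;  /* length counts the 4-byte data CRC */
    const uint8_t *data;          /* payload, NULL for the end marker */
    size_t data_len;              /* length - 4 */
} fw_packet;

/* CRC as the page specifies: polynomial 0x04c11db7, initial remainder 0, MSB first,
   no reflection, no final inversion, and the message is followed by four zero bytes
   (the augmented shift-register form, giving M(x)*x^32 mod G(x)). */
uint32_t fw_crc32(const uint8_t *buf, size_t len) {
    uint32_t crc = 0;
    for (size_t i = 0; i < len + 4; i++) {
        uint8_t byte = (i < len) ? buf[i] : 0;  /* the four trailing zero bytes */
        for (int bit = 7; bit >= 0; bit--) {
            uint32_t top = crc & 0x80000000u;
            crc = (crc << 1) | ((byte >> bit) & 1u);
            if (top) crc ^= FW_CRC_POLY;
        }
    }
    return crc;
}
/* Header fields are little-endian; both CRCs are stored big-endian. */
static uint32_t rd_le32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static uint32_t rd_be32(const uint8_t *p) { return (uint32_t)p[0] << 24 | p[1] << 16 | p[2] << 8 | p[3]; }
static void wr_le32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static void wr_be32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (24 - 8 * i)); }

/* Parse and verify one packet at buf; returns 0 and sets *used, or a FW_ERR_* code. */
int fw_parse_packet(const uint8_t *buf, size_t avail, fw_packet *out, size_t *used) {
    if (avail < FW_HDR_LEN) return FW_ERR_SHORT;
    if (fw_crc32(buf, 12) != rd_be32(buf + 12)) return FW_ERR_HDR_CRC;  /* CRC of the first 12 bytes */
    out->code = rd_le32(buf); out->addr = rd_le32(buf + 4); out->length = rd_le32(buf + 8);
    out->data = NULL; out->data_len = 0; *used = FW_HDR_LEN;
    if (out->code == FW_CODE_END)  /* terminator: code 4, address zero, length zero */
        return (out->addr == 0 && out->length == 0) ? 0 : FW_ERR_CODE;
    if (out->code != FW_CODE_DATA) return FW_ERR_CODE;
    if (out->length < 4 || out->length > FW_BLOCK_MAX + 4) return FW_ERR_LEN;
    if (avail - FW_HDR_LEN < out->length) return FW_ERR_SHORT;
    out->data = buf + FW_HDR_LEN; out->data_len = out->length - 4;
    /* "nice property": the CRC of the payload followed by its stored CRC is zero */
    if (fw_crc32(out->data, out->length) != 0) return FW_ERR_DATA_CRC;
    *used += out->length;
    return 0;
}

/* Emit one data packet (data != NULL, n <= 508) or the end marker (data == NULL). */
size_t fw_write_packet(uint8_t *out, uint32_t addr, const uint8_t *data, size_t n) {
    wr_le32(out, data ? FW_CODE_DATA : FW_CODE_END);
    wr_le32(out + 4, addr);
    wr_le32(out + 8, data ? (uint32_t)(n + 4) : 0);
    wr_be32(out + 12, fw_crc32(out, 12));  /* assumption: the end marker is CRC'd like any header */
    if (!data) return FW_HDR_LEN;
    memcpy(out + FW_HDR_LEN, data, n);
    wr_be32(out + FW_HDR_LEN + n, fw_crc32(data, n));
    return FW_HDR_LEN + n + 4;
}

/* Walk an image to its end marker; returns the number of data packets or a FW_ERR_* code. */
int fw_walk(const uint8_t *img, size_t len, void (*cb)(const fw_packet *)) {
    size_t off = 0, used;
    int count = 0;
    while (off < len) {
        fw_packet p;
        int rc = fw_parse_packet(img + off, len - off, &p, &used);
        if (rc < 0) return rc;
        if (p.code == FW_CODE_END) return count;
        if (cb) cb(&p);
        count++;
        off += used;
    }
    return FW_ERR_NO_END;  /* ran out of bytes before the code-4 terminator */
}

/* Constructed sample image: a full 508-byte block for "code, part 1" at 0x00000000, a
   short last block for "code, part 2" at 0xc0000000, then the end marker. corrupt_at >= 0
   flips one bit of that byte before walking, to show how CRC failures surface. */
int fw_demo(long corrupt_at, void (*cb)(const fw_packet *)) {
    uint8_t img[1024], blob[FW_BLOCK_MAX];
    size_t n = 0;
    for (size_t i = 0; i < sizeof blob; i++) blob[i] = (uint8_t)(i * 7 + 3);  /* constructed payload */
    n += fw_write_packet(img + n, 0x00000000u, blob, FW_BLOCK_MAX);
    n += fw_write_packet(img + n, 0xc0000000u, blob, 20);
    n += fw_write_packet(img + n, 0, NULL, 0);
    if (corrupt_at >= 0 && (size_t)corrupt_at < n) img[corrupt_at] ^= 0x01;
    return fw_walk(img, n, cb);
}
static void show(const fw_packet *p) { printf("block -> 0x%08x, %zu payload bytes\n", p->addr, p->data_len); }
int main(void) {
    printf("intact image: %d data packets\n", fw_demo(-1, show));
    printf("payload byte 100 flipped: rc=%d (FW_ERR_DATA_CRC is %d)\n", fw_demo(100, NULL), FW_ERR_DATA_CRC);
    return 0;
}
```

Because the stored CRC is M(x)*x^32 mod G(x), appending it to the payload makes the whole block divisible by G(x), which is why fw_parse_packet can verify a data block with one CRC pass instead of comparing against the trailing be32; the header check compares explicitly so that both forms are visible. A single flipped bit anywhere in a block is always caught, since a CRC with this polynomial detects every single-bit error.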
Boot firmware format
It's just 10240 bytes of byte-swapped code. This code, known as Boot2, is flashed into the Marvell chipset. It implements the USB interface required for loading the main firmware.