88W8388

From OLPC
Revision as of 16:48, 26 August 2007 by Iprouser (talk | contribs) (document the damn thing)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

This is Marvell's wireless controller chip. Outside of this page, it is undocumented.

Gross memory map

00000000 0000ffff code, part 1
04000000 04001fff stack
80000000 8000ffff IO memory
90000000 9000ffff IO memory
c0000000 c000ffff code, part 2
c0010000 c0028000 heap and bss
ffff0000 ffffffff boot code

CPU

This is an little-endian ARM chip. "xscale" appears to be a good match. Mostly it is used to run thumb code, but some regular ARM code is used as well. ARM code can be spotted in hex dumps because most instructions will start (4th bye in little-endian) with the hex digit "e".

Main firmware format

Firmware is a stream of packets like this.

le32      0x00000001 if data follows, else 0x00000004
le32      destination address
le32      data length including final CRC, normally 0x200 bytes
be32      header CRC (1st 12 bytes and 4 zero bytes)
char[508] may be smaller for the last block
be32      data CRC (the 508 bytes and 4 zero bytes)

Data length goes short at the end of a segment. After the very last block of the whole file, there is one special header. It has code 0x00000004, address zero, and length zero.

CRC

polynomial 0x04c11db7 (common CRC32)
initial remainder 0
no reflections
no inversion at the end
stored in big-endian format!
on creation, include 4 trailing zero bytes
nice property: the CRC of the data with following CRC will be zero

Boot firmware format

It's just 10240 bytes of byte-swapped code. This code, known as Boot2, is flashed into the Marvell chipset. It implements the USB interface required for loading the main firmware.