from ghidra.program.model.symbol.SourceType import * addressFactory = currentProgram.getAddressFactory() functionManager = currentProgram.getFunctionManager() dataTypeManager = currentProgram.getDataTypeManager() listing = currentProgram.getListing() memory = currentProgram.getMemory() listing.CreateFunction("Start of region R1This is most likely the original reset vector",0x00000000) listing.CreateFunction("Undefined Instruction ",0x00000004) listing.CreateFunction("SWI ",0x00000008) listing.CreateFunction("Prefetch Abort ",0x0000000c) listing.CreateFunction("Data Abort ",0x00000010) listing.CreateFunction("Reserved ",0x00000014) listing.CreateFunction("IRQ ",0x00000018) listing.CreateFunction("FIQ ",0x0000001c) listing.CreateFunction("This is also a endless loop",0x00000024) listing.CreateFunction("Jump and put the return address in LDR",0x0000005c) listing.CreateFunction("Jump and put the return address in LDR",0x00000060) listing.CreateFunction("Jump and put the return address in LDR",0x00000064) listing.CreateFunction("r0:=0xd3",0x00000068) listing.CreateFunction("CPSR:=0xd3 /* store updated program status */",0x0000006c) listing.CreateFunction("Ensures Supervisor Mode, clears the Status Flags, Disables IRQ and FIQ Interrupts",0x00000070) listing.CreateFunction("Read SCTLR",0x00000074) listing.CreateFunction("BIC = a AND NOT b , clears bit#0",0x00000078) listing.CreateFunction("Call Hypervisor Service if status-MI (Minus or negative result)SVCMI 0xf07ff5",0x0000007c) listing.CreateFunction("It seems to verify that the change worked",0x00000080) listing.CreateFunction("SVCVS 0xf07ff5 (if overflow)",0x00000084) listing.CreateFunction("Here we start with the MPU setup. For every Region we first set the RGNR and then the individual values",0x00000088) listing.CreateFunction("RGNR (MPU Memory Region Number Register) := 0",0x0000008c) listing.CreateFunction("MPU Region Base Address Register:=0",0x00000094) listing.CreateFunction("Region access control Register := 0x1008",0x000000a4) listing.CreateFunction("Data MPU Region Size and Enable Register := 0x3F (Region Size=4GB, Enabled)",0x000000ac) listing.CreateFunction("MPU Memory Region Number Register (RGNR) := 1",0x000000b4) listing.CreateFunction("Write MPU Region Base Address Register := 0",0x000000bc) listing.CreateFunction("Write Region access control Register = 0x300|0x8",0x000000cc) listing.CreateFunction("Write Data MPU Region Size and Enable Register =0x21",0x000000d4) listing.CreateFunction("MPU Memory Region Number Register (RGNR) := 2",0x000000dc) listing.CreateFunction("Write MPU Region Base Address Register := 0x00800000",0x000000e4) listing.CreateFunction("Write Region access control Register = 0x300|0xC",0x000000f4) listing.CreateFunction("Write Data MPU Region Size and Enable Register =0x2D",0x000000fc) listing.CreateFunction("MPU Memory Region Number Register (RGNR) := 3",0x00000104) listing.CreateFunction("Write MPU Region Base Address Register := 0x10000000",0x0000010c) listing.CreateFunction("Write Region access control Register = 0x00001301 ",0x0000011c) listing.CreateFunction("Write Data MPU Region Size and Enable Register := 0x00000029",0x00000124) listing.CreateFunction("MPU Memory Region Number Register (RGNR) := 4",0x0000012c) listing.CreateFunction("MPU Memory Region Number Register (RGNR) := 5",0x00000154) listing.CreateFunction("MPU Memory Region Number Register (RGNR) := 6",0x0000017c) listing.CreateFunction("MPU Memory Region Number Register (RGNR) := 7",0x000001a4) listing.CreateFunction("Write MPU Region Base Address Register := 0xC0000000",0x000001ac) listing.CreateFunction("Write Region access control Register = 0x301",0x000001bc) listing.CreateFunction("Write Data MPU Region Size and Enable Register := 0x1DNow we are done with the MPU setup",0x000001c4) listing.CreateFunction("Read SCTLR ...",0x000001c8) listing.CreateFunction("... set the MPU Enable bit ...",0x000001cc) listing.CreateFunction("SVCMI 0xf07ff5",0x000001d0) listing.CreateFunction("... and write the SCTLR",0x000001d4) listing.CreateFunction("SVCVS0xf07ff5",0x000001d8) listing.CreateFunction("manually Switching from Supervisor Mode to IRQ mode",0x000001e0) listing.CreateFunction("This initializes the SP of IRQ mode?",0x000001e4) listing.CreateFunction("manually Switching from to FIQ mode",0x000001ec) listing.CreateFunction("manually Switching from FIQ Mode to Abort mode",0x000001f8) listing.CreateFunction("manually Switching from Abort Mode to Undefined mode",0x00000204) listing.CreateFunction("manually Switching from Undefined Mode back to Supervisor mode",0x00000210) listing.CreateFunction("Branch indirect with LinkThis also switches to Thumb mode",0x00000218) listing.CreateFunction("for(i=0x1FEA0;i<0x20000;i+=4)",0x0000021c) listing.CreateFunction("SKIP(0x00000234);",0x00000220) listing.CreateFunction("memset(0x1FEA0;i<0x20000,0);This is a bug, it actually is memset(0x1FEA0;i<=0x20000,0);",0x0000022c) listing.CreateFunction("We are done with delay(50);r15 is Code PointerThis could be a reference to R2 (BTCM)",0x00000234) listing.CreateFunction("This seems to be comparing 2 addresses straight out of Firmware, so this is likely always true",0x00000240) listing.CreateFunction("memset(0x0080FE50-0x00828000,0), off-by-one-again!",0x00000270) listing.CreateFunction("SKIP(0x00000278)",0x00000274) listing.CreateFunction("memset(0x00800000-0x00803400)",0x00000288) listing.CreateFunction("memset(0x00803400-r1=0x00808000)",0x000002a0) listing.CreateFunction("TRE TEX Remap Enable (?)",0x000002ac) listing.CreateFunction("[SCTLR] |= 0x1000000 ",0x000002b0) listing.CreateFunction("Clear all registers...",0x000002b4) listing.CreateFunction("Loading base address 0x0080FE50This is a function that is a called by most SATA requests to allocate a new buffer",0x00000574) listing.CreateFunction("r0:=[0x0080FE50]",0x00000578) listing.CreateFunction("[0x00822B7C]==0?[0x00822B7C] ist nur 0x40 und 0x39[0x00822B7C] ist nur 0x40 und 0x3f",0x00000582) listing.CreateFunction("[0x00822B7C]--",0x00000592) listing.CreateFunction("call(base_addr)",0x00000670) listing.CreateFunction("64-Bit Read from [r4] , result is split into r0 and r2",0x00000676) listing.CreateFunction("r0 likely contains the SATA PHY base address, +3 is for readingLoading the command byte from SATA request",0x0000067a) listing.CreateFunction("This is a write to an unallocated address, most likely a bug.",0x0000067e) listing.CreateFunction("This is a write to an unallocated address, most likely a bug.",0x00000682) listing.CreateFunction("Seems like loading a base address",0x00000686) listing.CreateFunction("Function(base_addr, sata_cmd_byte);",0x00000688) listing.CreateFunction("Load base address and LBA",0x00000798) listing.CreateFunction("[0x79AB5100]:=0 , but it does not exist!?!BUG",0x00000aa4) listing.CreateFunction("r0:=[[[0xC4C]]+52]",0x00000aaa) listing.CreateFunction("Loading base address 0x0081C648",0x00000aba) listing.CreateFunction("r1:=[[[0xC50]]+536][0x00800E18]This is a pointer into a 33 Element ring-buffer",0x00000abe) listing.CreateFunction("r1:=[[[0xC50]]+528]0x00800E10This is the second pointer into a 33 Element ring-buffer",0x00000ac2) listing.CreateFunction("r2 is usually r1+1, but it wraps around at r2=0x0 and r1=0x20 (which seems to be an off-by-one BUG) , and it can also be equal r1=0xE r2=0xE debugmex1queryseq.log",0x00000ac6) listing.CreateFunction("[[[0xC50]]+536]==[[[0xC50]]+528] ?",0x00000ac8) listing.CreateFunction("I think we have a corruption here: This variable is in the last 2 bytes of NCQ Buffer #33BUG!",0x00000aca) listing.CreateFunction("Each ring buffer element has 16 Bytes: 0x00800C00+(nbuf<<4)Last element starts at 0x00800E00 and ends at 0x00800E0F ",0x00000ace) listing.CreateFunction("Writing the ring buffer element address on the Stack",0x00000ad2) listing.CreateFunction("Loading value of first pointer",0x00000ad4) listing.CreateFunction("If firstp==0x20 r1:=0else firstp++",0x00000ad8) listing.CreateFunction("Here is an off-by-one BUG",0x00000ae0) listing.CreateFunction("firstp:=(firstp==0x20)?0:firstp+1;",0x00000ae2) listing.CreateFunction("Retrieving Ring buffer Element address from stack again",0x00000ae6) listing.CreateFunction("Put 0x0081F59C on stack",0x00000aea) listing.CreateFunction("This access is redirected from r13 (which is the Stack Pointer for User-Space) to SP or SP_SVC (which is the stack pointer for Supervisor mode), since we are currently in supervisor mode",0x00000aec) listing.CreateFunction("r2:=[request+8]",0x00000af4) listing.CreateFunction("Base address of the SATA Request",0x00000af6) listing.CreateFunction("Loading SATA CMD byte",0x00000af8) listing.CreateFunction("This is a call() which will return again ;; BREAKPOINT",0x00000afa) listing.CreateFunction("Zero Extend Half-Word",0x00000f76) listing.CreateFunction("Writing out the SATA Command Byte to this unknown address",0x00000f7a) listing.CreateFunction("Saving the SATA CMD Byte again to unkown memory",0x00000f80) listing.CreateFunction("This multiplying the SATA Command Byte with a constant from the TEA(Tiny Encryption Algorithm https://en.wikipedia.org/wiki/Tiny_Encryption_Algorithm), which is likely some kind of fast hashing of the value. Afterwards we >>28 (Dont forget that TEA is a very weak hashing algorithm!!!) Some more interesting explanation: http://cstheory.stackexchange.com/questions/6193/what-is-special-about-232-phi-in-cryptography",0x00000f88) listing.CreateFunction("(SATA_CMD_BYTE * 2654435769) >> 28",0x00000f8e) listing.CreateFunction("[0x0081F59C+((((SATA_CMD_BYTE * 2654435769)&0xffffffff) >> 28)*3)<<2)] = 0x0081F59C+0x9c = 0x0081F638 https://github.com/KunBetter/MemKV",0x00000f92) listing.CreateFunction("Here we are likely looking up in a hash table, the result we are getting here is 0x0081D8B4. We should try this code for all possible command bytes and resolve the whole table. A normal lookup table would have taken 1 KB, due to the *3 here, we likely need 3 KB",0x00000f96) listing.CreateFunction("Seems to be superfluous",0x00000f9e) listing.CreateFunction("This gets loopy?!?",0x00000fa2) listing.CreateFunction("No it isnt zero we do do not jump",0x00000fa6) listing.CreateFunction("Seems like we are walking through a tree here until we hit a leaf with the right handler",0x00000fa8) listing.CreateFunction("Now we verify whether this is actually it",0x00000faa) listing.CreateFunction("Hooray we found the leaf with the right handler",0x00000fac) listing.CreateFunction("So perhaps r1 is 0?",0x00000fae) listing.CreateFunction("No, it isnt so we have to jump",0x00000fb0) listing.CreateFunction("This is for when we found the right handler",0x00000fb4) listing.CreateFunction("Now we take 32 Bits from leaf-addr+4",0x00000fb6) listing.CreateFunction("We only take Bit#9",0x00000fb8) listing.CreateFunction("And compare it with 0 so we jump",0x00000fbc) listing.CreateFunction("r4:=r1<<0 ?!?!? N and Z flags are updated, C is not updated due to <<0 (hey, they even specified this!!!)",0x00000fce) listing.CreateFunction("We do not jump .... ?",0x00000fd0) listing.CreateFunction("This seems to be some kind of bitfieldd",0x00000fd2) listing.CreateFunction("No we are checking Bit 0",0x00000fd4) listing.CreateFunction("This time it is 1, therefore no jumpThis jump is active for the commands 83h SECRET COMMAND, 85h Disable the APM feature set, 8Fh SECRET COMMAND",0x00000fd8) listing.CreateFunction("And finally we jump to the address from the table",0x00000fde) listing.CreateFunction("Here we are done with the SATA command handler, and we analyze the return value, likely a base address of the response",0x00000fe0) listing.CreateFunction("Load LBA and number of blocks requested",0x00001354) listing.CreateFunction("Caculate endLBA:=startLBA+blocks-1",0x0000135e) listing.CreateFunction("Is requested endLBA beyond end of device?",0x00001364) listing.CreateFunction("Is requested LBA beyond end of device?",0x00001368) listing.CreateFunction("LBA32k",0x000013dc) listing.CreateFunction("This is likely the SATA READ handler ;; BREAKPOINT",0x00001454) listing.CreateFunction("LBA32k",0x000014ca) listing.CreateFunction("LBA8Kmod4",0x000014ce) listing.CreateFunction("LBA32K",0x00001526) listing.CreateFunction("Load LBA",0x000021be) listing.CreateFunction("Copy LBA",0x000021c0) listing.CreateFunction("LBA32K",0x000024dc) listing.CreateFunction("Load LBA and number of blocks",0x00002700) listing.CreateFunction("Load LBA",0x000027ba) listing.CreateFunction("Looking whether the LBA is in one of the 4 caches(?) already",0x000027c4) listing.CreateFunction("We havent found the LBA in the 4 caches",0x00002836) listing.CreateFunction("DISASSEMBLER BUG IN OPENOCDCalculate endLBA",0x00002838) listing.CreateFunction("Storing the LBA",0x0000283e) listing.CreateFunction("Loading LBA",0x000028ca) listing.CreateFunction("Storing the LBA",0x000028ce) listing.CreateFunction("Loading LBA",0x00002984) listing.CreateFunction("r2:= LBA relative to 4 KB alignment",0x00002986) listing.CreateFunction("r8:= 8 - 4KB alignment",0x0000298a) listing.CreateFunction("Branch if Carry Set",0x00002990) listing.CreateFunction("r3:= r10 << (8 - 4KBalignment)",0x000029a2) listing.CreateFunction("r3:= (r10 << (8 - 4KBalignment) ) - 1 ) << (4KB-alignment)",0x000029a8) listing.CreateFunction("Store LBA and calculated value",0x000029ae) listing.CreateFunction("Calculating 4KB address",0x000029b4) listing.CreateFunction("Store 4KB addressPOTENTIAL OPENOCD DISASSEMBLING BUG",0x000029b6) listing.CreateFunction("Loading LBA4K",0x00002a74) listing.CreateFunction("Load LBA4K",0x00002a82) listing.CreateFunction("Load LBA",0x00002be2) listing.CreateFunction("Adding 4KB-alignment",0x00002be4) listing.CreateFunction("Store added LBA",0x00002be8) listing.CreateFunction("This has something to do with 4 KB alignment",0x00002e7a) listing.CreateFunction("Load LBA4K",0x00003b42) listing.CreateFunction("[0x00808008] contains the array base address 0080fe5c",0x00003b76) listing.CreateFunction("Loading into which Block we should put the data",0x00003b7e) listing.CreateFunction("Calculating the final RAM address",0x00003b80) listing.CreateFunction("Store the RAM address for the data",0x00003b84) listing.CreateFunction("LBA4K+1",0x00003d1c) listing.CreateFunction("Store LBA4K+1",0x00003d1e) listing.CreateFunction("Load LBA4K",0x00004202) listing.CreateFunction("BUG in OPENOCD DISASSEMBLY",0x00004900) listing.CreateFunction("Loading 4KBaddress",0x00004924) listing.CreateFunction("get FTLaddr",0x00005e80) listing.CreateFunction("get Divisor 0x200 = 512",0x00005e82) listing.CreateFunction("FTL9 = FTLaddr / 0x200",0x00005e86) listing.CreateFunction("Load 0x20BC = 8380, this is likely the number of blocks per zone in the NAND flash",0x00005e8a) listing.CreateFunction("8380 - 180 = 8200",0x00005e8c) listing.CreateFunction("= FTL9 / 8200",0x00005e90) listing.CreateFunction("= (FTL9 / 8200) + 1",0x00005e94) listing.CreateFunction("Memory Address",0x00005f16) listing.CreateFunction("Loading base address 0x00823D20",0x000065da) listing.CreateFunction("Never happensNo, it does.",0x000065e0) listing.CreateFunction("call_5d6e(addr=0x00824FE8)",0x000065ea) listing.CreateFunction("Is the sector TRIMmed? (0x1ffffff means TRIM)",0x00006660) listing.CreateFunction("Load 0x8010F0, the address where 0x200 is stored",0x00006668) listing.CreateFunction("Load 0x200",0x0000666c) listing.CreateFunction("FTL9 = FTLaddr / 0x200 (this is >> 9 or / 512)",0x0000666e) listing.CreateFunction("Load address 8010E0",0x00006672) listing.CreateFunction("Load value 8380 (0x20BC)",0x00006674) listing.CreateFunction("8380 - 180 = 8200",0x00006676) listing.CreateFunction("= FTL9 / 8200",0x0000667a) listing.CreateFunction("= ( FTL9 / 8200 ) + 1",0x0000667e) listing.CreateFunction("= ( ( ( FTL9 / 8200 ) + 1 ) * 180 ) + FTL9",0x00006680) listing.CreateFunction("Set all GPIOs to INPUT",0x00007346) listing.CreateFunction("function sata_7480(controller=1,0xC35,0x0000FFFF,0,r0=5)",0x00007480) listing.CreateFunction("Calculate controller address (base_address+0x20*controller)",0x00007486) listing.CreateFunction("call_sata_7480(controller=1,0xC35,0x0000FFFF,0,r0=5);",0x0000752c) listing.CreateFunction("Loading 4KBaddr",0x000075b0) listing.CreateFunction("Storing 4KBaddr",0x000075b2) listing.CreateFunction("Load 4KB address",0x00007622) listing.CreateFunction("r0 := 4KBaddr / 511This looks like an off-by-one bug to me",0x0000762c) listing.CreateFunction("MLS{cond} Rd, Rn, Rm, Ra : The MLS instruction multiplies the values from Rn and Rm, subtracts the result from the value from Ra, and places the least significant 32 bits of the final result in Rd.r12:=r7-r1*r0 = 0x000BDD46 - 0x000001FF * 0x000005F1r12:= 4KB modulo 511",0x00007640) listing.CreateFunction("0x0081BDFC + (4KBmod511 << 2)",0x0000764c) listing.CreateFunction("Loading LBA4K",0x00007654) listing.CreateFunction("Compare LBA4K",0x00007656) listing.CreateFunction("==~ ?",0x00007678) listing.CreateFunction("LBA4K",0x0000768c) listing.CreateFunction("Compare LBA4K",0x000076bc) listing.CreateFunction("Loading value from a FTL MapThis is likely a hash (4KBmod511 << 2)",0x000076c4) listing.CreateFunction("Compare Value from FTL with 0xFFFF",0x000076c6) listing.CreateFunction("0x0081BDFC + (4KBmod511 << 2)",0x000076d8) listing.CreateFunction("Load LBA4K",0x000079e0) listing.CreateFunction("Copy LBA from SATA request to SATA response",0x00007cde) listing.CreateFunction("This function transfers multiple Blocks over SATA",0x00007e92) listing.CreateFunction("bDo2Blocks = [20100138] & 0x10000",0x00007eae) listing.CreateFunction("Number of blocks to be transferred",0x00007f3a) listing.CreateFunction("This function waits for SATA COMRESET and does the necessary initialisation",0x00008e18) listing.CreateFunction("Is SATA PHY unavailable?",0x00008e40) listing.CreateFunction("Checking with SATA PHY whether COMINIT is seen",0x00008e4a) listing.CreateFunction("COMINIT := [0x200000AC] & 0x1000 ",0x00008e4e) listing.CreateFunction("Jump if not COMINITThis is a busy loop waiting for a SATA connection (COMINIT)",0x00008e50) listing.CreateFunction("SATA PHY reported COMINIT signal!",0x00008e52) listing.CreateFunction("[0x20000124] &=! 1",0x00008e5c) listing.CreateFunction("[0x2000002C] := 0",0x00008e64) listing.CreateFunction("[0x200000C0] := 0xFFFFFFFF",0x00008e6a) listing.CreateFunction("[0x200000C8] := 0xFFFFFFFF",0x00008e6c) listing.CreateFunction("if(!r0=BYTE[0x0080800C])",0x00008e74) listing.CreateFunction("if([0x2000000C]<<25 ?!=?)",0x00008e86) listing.CreateFunction("Here it seems we have a problem with the disassembler",0x00009a6e) listing.CreateFunction("0x00824F3C + ( 8KBbit << 3 )",0x00009bd2) listing.CreateFunction("0x00824F40 + ( 8KBbit << 3 )",0x00009bdc) listing.CreateFunction("Load LBA4K",0x00009da8) listing.CreateFunction("LBA4K -> LBA8K",0x00009dc2) listing.CreateFunction("Storing LBA8K",0x00009dc6) listing.CreateFunction("LBA4K -> LBA4K1bit",0x00009dd8) listing.CreateFunction("Calculate 8KB address",0x00009e3a) listing.CreateFunction("Store 8KB address",0x00009e44) listing.CreateFunction("Calculate 8KBbit = 8KB & 1",0x00009e46) listing.CreateFunction("IRQ Handler starts here",0x0000aacc) listing.CreateFunction("Loading base address 0x20000000",0x0000aad0) listing.CreateFunction("r0:=[0x200000C0]Observed values: A000,A008,A009",0x0000aad4) listing.CreateFunction("r1:=[0x200000c8]",0x0000aad8) listing.CreateFunction("We should put a BREAKPOINT here to avoid any race-conditions in the LDRs directly before",0x0000aadc) listing.CreateFunction("[0x200000C0]==0xe000?",0x0000aae0) listing.CreateFunction("Here we jump to the specific Interrupt handler",0x0000aae4) listing.CreateFunction("End of the IRQ handler",0x0000aba8) listing.CreateFunction("[0x0081C63C]:=bit_16([0x20501038])",0x0000acf4) listing.CreateFunction("[0x0081C63D]:=1",0x0000acf8) listing.CreateFunction("[0x0081C63E]:=1",0x0000acfa) listing.CreateFunction("[0x0081C63F]:=1",0x0000acfc) listing.CreateFunction("[0x0081C640]:=0",0x0000acfe) listing.CreateFunction("[0x0081C641]:=1",0x0000ad00) listing.CreateFunction("This differs GOOD!=BAD",0x0000ad06) listing.CreateFunction("[0x0081C642]:=0",0x0000ad12) listing.CreateFunction("GOOD!=BAD",0x0000ad14) listing.CreateFunction("GOOD!=BAD this could be the problem",0x0000ad1e) listing.CreateFunction("[0x0081C643]:=0 this is only done on BAD[0x0081C643]:= ([0x20501038]<<7 ...)?1:0",0x0000ad26) listing.CreateFunction("Loading Base Address",0x0000ad2e) listing.CreateFunction("Disable Interrupts",0x0000ad30) listing.CreateFunction("CALL(0xcabe)",0x0000ad5c) listing.CreateFunction("[0x0081C63C] != 1 ?",0x0000ad64) listing.CreateFunction("call_ed96(0);",0x0000ad6c) listing.CreateFunction("call_d692();",0x0000ad70) listing.CreateFunction("SDRM Magic Code for SD-RAM",0x0000ad74) listing.CreateFunction("SDRM",0x0000ad7c) listing.CreateFunction("call_10908()",0x0000ad7e) listing.CreateFunction("[0x0081C63C] != 1 ?",0x0000ad86) listing.CreateFunction("DISASSEMBLER error: This is BLX 0xB4A0",0x0000ad94) listing.CreateFunction("This is different GOOD!=BAD",0x0000aec6) listing.CreateFunction("[0x0000aee2]==[0x80000024]?",0x0000aeca) listing.CreateFunction("Target address: Reset Vector of Interrupt Table",0x0000aef8) listing.CreateFunction("Endless loop instruction",0x0000aefc) listing.CreateFunction("Overwriting Reset Vector in Interrupt table to loop endless",0x0000af00) listing.CreateFunction("Return();",0x0000af04) listing.CreateFunction("Loading base address 0x2050F000",0x0000b0a2) listing.CreateFunction("Loading base address 0x20500000",0x0000b0a8) listing.CreateFunction("[0x20500000] &=! 0x00007000",0x0000b0b0) listing.CreateFunction("[0x20500020] := 0x00A00500",0x0000b0b6) listing.CreateFunction("[0x2050F038] vs. 9",0x0000b0ba) listing.CreateFunction("Branch if Carry Set",0x0000b0bc) listing.CreateFunction("Table branch byte",0x0000b0be) listing.CreateFunction("[0x20500000] |= 0x00000700",0x0000b0d4) listing.CreateFunction("[0x20500030]:=0x00000111",0x0000b0da) listing.CreateFunction("delay(1000);",0x0000b0e2) listing.CreateFunction("Loading base address 0x0081C644",0x0000b2ae) listing.CreateFunction("Loading base address 0x00800C00",0x0000b2b0) listing.CreateFunction("[0x0081C648]:=0x00800C00",0x0000b2b2) listing.CreateFunction("Change base address slightly",0x0000b2b4) listing.CreateFunction("[0x00800E18]:=0",0x0000b2bc) listing.CreateFunction("[0x00800E10]:=0",0x0000b2be) listing.CreateFunction("[0x00800E14]:=0",0x0000b2c0) listing.CreateFunction("[0x00800E1C]:=0",0x0000b2c2) listing.CreateFunction("Change base address again",0x0000b2c4) listing.CreateFunction("[0x20000124] |= 0x02000000",0x0000b2ce) listing.CreateFunction("[0x2000012C]:=0x40800C00 ",0x0000b2d2) listing.CreateFunction("[0x20000124] |= 0x08000000",0x0000b2da) listing.CreateFunction("[0x20000124] |= 0x04000000",0x0000b2e2) listing.CreateFunction("[0x20000124] |= 0x10000000",0x0000b2ea) listing.CreateFunction("[0x20000128] &=! 0x00000f00",0x0000b2f2) listing.CreateFunction("[0x20000128] |= 0x00000200",0x0000b2fa) listing.CreateFunction("[0x20000124] |= 0x40000000",0x0000b30a) listing.CreateFunction("return();",0x0000b30e) listing.CreateFunction("[0x80000024]==0x29135201 ?",0x0000b5b8) listing.CreateFunction("[0x0081C658]:=0x81C00000This could be the initialisation of a PHY with a memory address",0x0000b5cc) listing.CreateFunction("[0x0081C668]:=0x81C00000 ",0x0000b5d0) listing.CreateFunction("[0x0081C660]:=([0x0081C638]>>9)<<4",0x0000b5e0) listing.CreateFunction("r0:=1 if([0x0081C660])",0x0000b5e4) listing.CreateFunction("Size:=16 MB",0x0000b5f4) listing.CreateFunction("memset(0x81C00000,0,16MB);",0x0000b5f8) listing.CreateFunction("Loading base address 0x20102000",0x0000b600) listing.CreateFunction("[0x20102018]:=0x81BF7FF0",0x0000b608) listing.CreateFunction("[0x0081C63F]==0 ?",0x0000b610) listing.CreateFunction("[0x0081C63F]==0 ? { [0x20102000]&=!0x10000 } : { [0x20102000]|=0x10000 }",0x0000b620) listing.CreateFunction("[0x20102010] |= 0x2000",0x0000b62c) listing.CreateFunction("[0x20102010] |= 0x400000",0x0000b638) listing.CreateFunction("[0x20102010] |= 0x1000",0x0000b644) listing.CreateFunction("[0x20102000] |= 0x20000",0x0000b65c) listing.CreateFunction("[0x20102000] |= 0x400000",0x0000b668) listing.CreateFunction("[0x20102008] := 0x00A00000",0x0000b670) listing.CreateFunction("Loading base address 0x20000000",0x0000b68c) listing.CreateFunction("[0x20000120] &=! 0x100000",0x0000b698) listing.CreateFunction("Loading base address 0x20100000 by doing (0x20100000 | (0x20100000>>9))",0x0000b69c) listing.CreateFunction("[0x20100000] &=! 8",0x0000b6a8) listing.CreateFunction("[0x20100100] &=! 0xC",0x0000b6b4) listing.CreateFunction("[0x20100100] |= 0x800",0x0000b6c0) listing.CreateFunction("[0x20100104] |= 0x500 ",0x0000b6cc) listing.CreateFunction("[0x20100104] |= 0x0F",0x0000b6d8) listing.CreateFunction("[0x0081C63E] == 0 ?",0x0000b6e0) listing.CreateFunction("[0x20100100] |= 0x40",0x0000b6f0) listing.CreateFunction("[0x20100100] |= 0x20",0x0000b6fc) listing.CreateFunction("[0x20102010] |= 0x2d0000",0x0000b708) listing.CreateFunction("[0x2000009C] |= 0x880000",0x0000b714) listing.CreateFunction("[0x20102014] := 0x00040000 ",0x0000b748) listing.CreateFunction("[0x20100100] |= 0x80",0x0000b754) listing.CreateFunction("[0x20100340] := 0",0x0000b75c) listing.CreateFunction("[0x20100380] := 0",0x0000b760) listing.CreateFunction("[0x20100384] := 0xFFFFFFFF",0x0000b768) listing.CreateFunction("Loading base address 0x20104000",0x0000b770) listing.CreateFunction("[0x20104000] := 0x01005006 ",0x0000b774) listing.CreateFunction("Loading base address 0x10050000",0x0000bd0e) listing.CreateFunction("Loading base address 0x80000000",0x0000bd12) listing.CreateFunction("[0x10050018]:=8",0x0000bd16) listing.CreateFunction("[0x10050018]:=0",0x0000bd20) listing.CreateFunction("It seems that this 0x80000000 memtest happens only on BAD, not on GOOD. Why?",0x0000bd28) listing.CreateFunction("[0x80000000]=0x80000000",0x0000bd2a) listing.CreateFunction("Reading [0x80000000] twice and comparing results",0x0000bd32) listing.CreateFunction("return(0);",0x0000bd40) listing.CreateFunction("return(0);",0x0000bd42) listing.CreateFunction("Loading base address 0x20500000",0x0000bd60) listing.CreateFunction("[0x20500004] &=! 5",0x0000bd68) listing.CreateFunction("Loading base address 0x20500000",0x0000bd70) listing.CreateFunction("[0x20500004] |= 5",0x0000bd78) listing.CreateFunction("Loading base address 0x10050000",0x0000be5c) listing.CreateFunction("Now we are toggling Bit 0x8 in [0x10050018]:GOOD!=BADGOOD=0x1F000000 BAD=0",0x0000be5e) listing.CreateFunction("[0x10050018] |= 0x8",0x0000be64) listing.CreateFunction("[0x10050018] &=! 0x8",0x0000be6c) listing.CreateFunction("return();",0x0000be6e) listing.CreateFunction("return();",0x0000c0f2) listing.CreateFunction("Loading base address 0x10050000",0x0000c424) listing.CreateFunction("[0x10050000] := [0x10050000] & ! 0x0000f000 | 0x00002000 ",0x0000c430) listing.CreateFunction("return();",0x0000c432) listing.CreateFunction("SKIP(0x0000c4f0)",0x0000c4ea) listing.CreateFunction("Loading base address 0x10050000 again",0x0000c5da) listing.CreateFunction("param==2 ?",0x0000c5de) listing.CreateFunction("[0x10050004]:=0x00202510 ",0x0000c5e2) listing.CreateFunction("delay(100);",0x0000c5e4) listing.CreateFunction("delay(100);",0x0000c5e8) listing.CreateFunction("Loading base address 0x10050000",0x0000c5f8) listing.CreateFunction("Unless some code changes r0 and jumps here directly, r0 will never be anything but 1",0x0000c5fc) listing.CreateFunction("[0x10050004]-=0x10",0x0000c60e) listing.CreateFunction("[0x10050014]:=0xFF000000",0x0000c628) listing.CreateFunction("[0x10050028]:=0xFFFF00FF",0x0000c62e) listing.CreateFunction("[0x1005010C]:=0x008007E0",0x0000c642) listing.CreateFunction("[0x10050008]:=0x1323",0x0000c646) listing.CreateFunction("for(i=0;i<10;i++)",0x0000c64a) listing.CreateFunction("delay(10);",0x0000c64e) listing.CreateFunction("Loading base address 0x1004F010",0x0000c658) listing.CreateFunction("[0x1004F010]:=0x08080808",0x0000c65e) listing.CreateFunction("[0x1004F018]:=0x08080808",0x0000c660) listing.CreateFunction("[0x1004F028]:=0x8",0x0000c666) listing.CreateFunction("[0x1004F080]:=0 ",0x0000c66c) listing.CreateFunction("[0x1004F084]:=0",0x0000c66e) listing.CreateFunction("[0x1004F088]:=0",0x0000c670) listing.CreateFunction("[0x1004F030] &= 0x10100070",0x0000c67a) listing.CreateFunction("[0x1004F030] |= 0x20",0x0000c682) listing.CreateFunction("Changing base address slightly. Why is this a common practice?!?",0x0000c684) listing.CreateFunction("delay(20);",0x0000c688) listing.CreateFunction("delay(20);",0x0000c690) listing.CreateFunction("[0x1004F030] &=! 0x00000040",0x0000c69a) listing.CreateFunction("delay(20);",0x0000c69c) listing.CreateFunction("delay(20);",0x0000c6a0) listing.CreateFunction("[0x1004F030] |= 0x40",0x0000c6aa) listing.CreateFunction("delay(20);",0x0000c6ac) listing.CreateFunction("delay(20);",0x0000c6b0) listing.CreateFunction("Loading base address 0x10050000",0x0000c6b4) listing.CreateFunction("[0x10050040]<<28",0x0000c6b8) listing.CreateFunction("Loading base address 0x1004F010",0x0000c6c4) listing.CreateFunction("[0x1004F010]:=0x7F7F7F7F",0x0000c6cc) listing.CreateFunction("[0x1004F018]:=0x7F7F7F7F",0x0000c6ce) listing.CreateFunction("[0x1004F028]:=0x7F",0x0000c6d4) listing.CreateFunction("[0x1004F080]:=0x0C183060",0x0000c6d8) listing.CreateFunction("[0x1004F084]:=0xC183060C",0x0000c6dc) listing.CreateFunction("[0x1004F088]:=0x30 (This register reads something else than what is written into it)",0x0000c6e2) listing.CreateFunction("[0x1004F030]:=0x10107F30",0x0000c6e6) listing.CreateFunction("for(i=0;i<20;i++)",0x0000c6ec) listing.CreateFunction("A short delay(20);",0x0000c6f0) listing.CreateFunction("[0x1004F030]:= 0x10107F30 - 0x20",0x0000c6fc) listing.CreateFunction("for(i=0;i<20;i++)",0x0000c6fe) listing.CreateFunction("Another delay(20);",0x0000c702) listing.CreateFunction("call_be5c();",0x0000c706) listing.CreateFunction("call_bd60();",0x0000c70a) listing.CreateFunction("Loading base address 0x10050000",0x0000c70e) listing.CreateFunction("delay(10);",0x0000c712) listing.CreateFunction("[0x10050000]<<23 >= 0 ?",0x0000c71c) listing.CreateFunction("[0x10050048]<<30",0x0000c720) listing.CreateFunction("[0x10050048]<<30 == 0 ?",0x0000c722) listing.CreateFunction("Loading base address 0x10050000",0x0000c75a) listing.CreateFunction("[0x10050030]:=0xF6",0x0000c75e) listing.CreateFunction("[0x10050034]:=0x2347648D",0x0000c762) listing.CreateFunction("[0x10050038]:=0x24203408",0x0000c766) listing.CreateFunction("[0x1005003C]:=0x38260235",0x0000c76a) listing.CreateFunction("return();",0x0000c76c) listing.CreateFunction("Loading base address 0x1004F010",0x0000c76e) listing.CreateFunction("[0x1004F000]:=0x17021200",0x0000c774) listing.CreateFunction("[0x1004F068]:=0x105E000E",0x0000c778) listing.CreateFunction("[0x1004F06c]:=0x0005000F",0x0000c77c) listing.CreateFunction("[0x1004F0ac]:=0x408",0x0000c782) listing.CreateFunction("[0x1004F040]:=0x0F080304",0x0000c788) listing.CreateFunction("[0x1004F040] |= 0x00040000",0x0000c790) listing.CreateFunction("[0x1004F040] |= 2",0x0000c798) listing.CreateFunction("([0x1004F048]<<31)==0 ?",0x0000c79e) listing.CreateFunction("[0x1004F040] &=! 2",0x0000c7a6) listing.CreateFunction("[0x1004F040] &=! 0x08000000",0x0000c7ae) listing.CreateFunction("LBA32K%128",0x0000c7b0) listing.CreateFunction("[0x1004F040] &=! 0x00040000",0x0000c7b6) listing.CreateFunction("[0x1004F038]:=0xf",0x0000c7ba) listing.CreateFunction("Change base address",0x0000c7bc) listing.CreateFunction("[0x10050000] |= 0x10000000",0x0000c7c4) listing.CreateFunction("[0x10050040]<<28GOOD!=BAD",0x0000c7c6) listing.CreateFunction("SKIP(0x0000c7cc);GOOD!=BADOn GOOD we run into an endless loop here waiting for this bit to come, which is likely due to it being initialized already. On Bad this bit comes and we continue ...GOTO(0x0000c7cc); // this directly changes the pc when reached, and does not execute code in between",0x0000c7ca) listing.CreateFunction("[0x10050000] &=! 0x10000000",0x0000c7d2) listing.CreateFunction("return();",0x0000c7d4) listing.CreateFunction("Loading base address",0x0000c7d6) listing.CreateFunction("[0x1004F000]:=0x17020A40",0x0000c7dc) listing.CreateFunction("[0x1004F004]:=0x09210100",0x0000c7e0) listing.CreateFunction("[0x1004F008]:=0x00010004",0x0000c7e4) listing.CreateFunction("[0x1004F010]:=08080808",0x0000c7ea) listing.CreateFunction("[0x1004F018]:=0x08080808 ",0x0000c7ec) listing.CreateFunction("[0x1004F028]:=0x00000008",0x0000c7f0) listing.CreateFunction("[0x1004F030]:=0x10100070",0x0000c7f4) listing.CreateFunction("[0x1004F038]:=0x001F0000",0x0000c7fa) listing.CreateFunction("[0x1004F040]:=0x08000304",0x0000c7fe) listing.CreateFunction("[0x1004F048]:=0x00000000This instruction does not seem to do what it should?",0x0000c802) listing.CreateFunction("[0x1004F05C]:=0x00000208",0x0000c808) listing.CreateFunction("[0x1004F068]:=0x105E107E",0x0000c80c) listing.CreateFunction("[0x1004F06C]:=0x0008107F",0x0000c810) listing.CreateFunction("[0x1004F0AC]:=0",0x0000c812) listing.CreateFunction("[0x1004F080]:=0",0x0000c816) listing.CreateFunction("[0x1004F084]:=0",0x0000c81a) listing.CreateFunction("[0x1004F088]:=0",0x0000c81e) listing.CreateFunction("[0x1004F160]:=0xFFFFFFFF",0x0000c824) listing.CreateFunction("return();",0x0000c828) listing.CreateFunction("Division factor",0x0000c8ca) listing.CreateFunction("LBA32K/3760",0x0000c8d0) listing.CreateFunction("LBA32K%3760",0x0000c8d4) listing.CreateFunction("LBA32K/3760 * 3",0x0000c8d8) listing.CreateFunction("Loading base address 0x10050000",0x0000c980) listing.CreateFunction("[0x10050010]:=0x07000000",0x0000c988) listing.CreateFunction("[0x10050010]:=0x07100000",0x0000c98e) listing.CreateFunction("delay(100);",0x0000c990) listing.CreateFunction("delay(100);",0x0000c996) listing.CreateFunction("[0x10050010]:=0x00071c00",0x0000c99a) listing.CreateFunction("[0x10050010]:=0x00171C00",0x0000c99e) listing.CreateFunction("for(i=0;i<10;i++)",0x0000c9a0) listing.CreateFunction("Calculating FTLaddr",0x0000c9ba) listing.CreateFunction("This is the first store after the firmware realized, whether the page exists or is TRIMmed",0x0000c9ca) listing.CreateFunction("LBA32K/3760",0x0000c9e8) listing.CreateFunction("LBA32K%3760",0x0000c9ec) listing.CreateFunction("LBA32_3760 * 3",0x0000ca00) listing.CreateFunction("0x84C1F000 + LBA32_3760 * 3",0x0000ca06) listing.CreateFunction("delay(10);",0x0000ca1c) listing.CreateFunction("[0x10050010]:=0x00010BFC",0x0000ca20) listing.CreateFunction("[0x10050010]:=0x00110BFC",0x0000ca24) listing.CreateFunction("delay(10);",0x0000ca26) listing.CreateFunction("delay(10);",0x0000ca2c) listing.CreateFunction("[0x10050010]:=0x00000708",0x0000ca32) listing.CreateFunction("[0x10050010]:=0x00100708",0x0000ca36) listing.CreateFunction("[0x10050010]:=0x00000818",0x0000ca3c) listing.CreateFunction("[0x10050010]:=0x00100818",0x0000ca40) listing.CreateFunction("[0x10050010]:=0x00000c04",0x0000ca46) listing.CreateFunction("[0x10050010]:=0x00100c04",0x0000ca4a) listing.CreateFunction("delay(50);",0x0000ca4c) listing.CreateFunction("delay(50);",0x0000ca52) listing.CreateFunction("[0x10050010]:=0x09000000",0x0000ca58) listing.CreateFunction("[0x10050054]<<31 == 0 ?",0x0000ca60) listing.CreateFunction("[0x10050010]:=0x09100000",0x0000ca68) listing.CreateFunction("[0x10050010]:=0x09010000",0x0000ca76) listing.CreateFunction("[0x10050010]:=0x09110000",0x0000ca80) listing.CreateFunction("[0x10050054]=00000018 == 0x14 ?",0x0000ca88) listing.CreateFunction("[0x10050054]=00000018 == 0x14 ?",0x0000ca8c) listing.CreateFunction("[0x10050054]=00000018 == 0x18 ?",0x0000ca90) listing.CreateFunction("[0x10050054] == 0x18 ?",0x0000ca9e) listing.CreateFunction("return(-1);",0x0000caa4) listing.CreateFunction("[0x0081C638]:=0x20000000",0x0000cab8) listing.CreateFunction("return(1);",0x0000cabc) listing.CreateFunction("Function without parameters",0x0000cabe) listing.CreateFunction("Loading base address 0x10050000 ",0x0000cac0) listing.CreateFunction("[0x10050000] &=! 0x20",0x0000cae4) listing.CreateFunction("[0x10050004] &=! 0x10",0x0000caec) listing.CreateFunction("call(0xc7d6);",0x0000caee) listing.CreateFunction("call(0x0000c76e);",0x0000caf2) listing.CreateFunction("call_c5f2(1);",0x0000caf8) listing.CreateFunction("call_0xC75A()",0x0000cafc) listing.CreateFunction("call_0xc6c4();",0x0000cb00) listing.CreateFunction("call_c980();",0x0000cb04) listing.CreateFunction("GOOD!=BAD",0x0000cb08) listing.CreateFunction("call_c5da(1);",0x0000cb16) listing.CreateFunction("[0x10050000] |= 0x20",0x0000cb20) listing.CreateFunction("[0x10050004] |= 0x10",0x0000cb28) listing.CreateFunction("r6++",0x0000cb34) listing.CreateFunction("return();",0x0000cb3c) listing.CreateFunction("r2:=[0x0000D1F8]",0x0000ce20) listing.CreateFunction("[0x10010060]:=0[0x10010070]:=0[0x10010080]:=0",0x0000ce30) listing.CreateFunction("3 times could be CPU-Core related",0x0000ce38) listing.CreateFunction("return();",0x0000ce40) listing.CreateFunction("Loading base address 0x0081C674",0x0000ce44) listing.CreateFunction("[0x0081C678]:=0",0x0000ce4c) listing.CreateFunction("[0x0081C674]:=0",0x0000ce50) listing.CreateFunction("return();",0x0000ce54) listing.CreateFunction("This is likely the final command to send the reply for the SATA Read command",0x0000d424) listing.CreateFunction("Loading value 0x40801000",0x0000d49c) listing.CreateFunction("[0x20100204] := 0x40801000",0x0000d49e) listing.CreateFunction("Loading base address 0x0081C67C",0x0000d4aa) listing.CreateFunction("[0x0081C680]:=0x20101800",0x0000d4ae) listing.CreateFunction("Loading base address 0x20101000",0x0000d4b0) listing.CreateFunction("[0x20101098] := -1 (READ!=WRITE)",0x0000d4b2) listing.CreateFunction("[0x2010109C] := -1 (READ!=WRITE)",0x0000d4b6) listing.CreateFunction("Loading base address 0x20102000",0x0000d4c2) listing.CreateFunction("[0x20102004]:=0",0x0000d4c4) listing.CreateFunction("[0x0081C67C]:=0x00801000 ",0x0000d4d6) listing.CreateFunction("Calculating block address: 0x00801000+block*0x20",0x0000d4de) listing.CreateFunction("block[8]:=blocknum",0x0000d4e2) listing.CreateFunction("block[4] := -1",0x0000d4e4) listing.CreateFunction("block[2]:=0",0x0000d4e8) listing.CreateFunction("block[0x20]:=-1 (isnt this a overflow again?!?)",0x0000d4ea) listing.CreateFunction("block[0x18]:=0",0x0000d4ee) listing.CreateFunction("block[0x1A]:=0",0x0000d4f0) listing.CreateFunction("block[0x10]:=0",0x0000d4f2) listing.CreateFunction("block[0xC]:=0",0x0000d4f4) listing.CreateFunction("block[0xE]:=0",0x0000d4f6) listing.CreateFunction("block[1] &=! 4",0x0000d4fe) listing.CreateFunction("block[1] |= 1",0x0000d508) listing.CreateFunction("block[0x1C] := -1",0x0000d50a) listing.CreateFunction("There is another related array: 0x20101C00+blocknum*4",0x0000d510) listing.CreateFunction("Loading block address again?!?",0x0000d518) listing.CreateFunction("So we have 255/256 Blocks here, end address would be 0x00803000",0x0000d558) listing.CreateFunction("To break out of the 256x loop SKIP(0x0000d55C)",0x0000d55a) listing.CreateFunction("Loading base adddress 0x81BF7FF0",0x0000d638) listing.CreateFunction("for(r0=0;r0<8;r0++)",0x0000d63a) listing.CreateFunction("Loading base address 0x20340000",0x0000d63c) listing.CreateFunction("r1:=r0<<30",0x0000d63e) listing.CreateFunction("r1:=(r0<<30)>>14",0x0000d640) listing.CreateFunction("r3:=r0>>2",0x0000d642) listing.CreateFunction("r1:= ((r0<<30)>>14) + ((r0>>2)<<20)",0x0000d644) listing.CreateFunction("Generating base address [0x20340000]-[0x20470000]",0x0000d648) listing.CreateFunction("[0x203x0004] |= 4",0x0000d650) listing.CreateFunction("r0++;",0x0000d652) listing.CreateFunction("r0<8?",0x0000d656) listing.CreateFunction("Loading base address 0x20200000, we have segments with size 0x10000 each here",0x0000d65a) listing.CreateFunction("for(r2=0;r2<2;r2++){ for(r1=0;r1<8;r1++)...",0x0000d660) listing.CreateFunction("r1:=0",0x0000d664) listing.CreateFunction("[0x202x0010] := 0x81BF7FF0 ",0x0000d66e) listing.CreateFunction("[0x202x0000] := [0x202x0000] &! 0x1ff | da",0x0000d67a) listing.CreateFunction("[0x20200008]:=0x000000FF (This register gives always 0x100 when read)",0x0000d67c) listing.CreateFunction("[0x202x0004]:=0000001E",0x0000d67e) listing.CreateFunction("[0x202x0014]=00000000 ",0x0000d682) listing.CreateFunction("r2++;",0x0000d68a) listing.CreateFunction("...while(r2<2)",0x0000d68e) listing.CreateFunction("return();",0x0000d690) listing.CreateFunction("Loading base address 0x0081C638",0x0000d692) listing.CreateFunction("[0x0081C63E] == 1 ?",0x0000d698) listing.CreateFunction("Loading base address",0x0000d744) listing.CreateFunction("[0x20501014]:=0xFFFF",0x0000d74a) listing.CreateFunction("[0x20501000]:=0",0x0000d74e) listing.CreateFunction("[0x20501008]:=0",0x0000d750) listing.CreateFunction("[0x20501008]:=[0x20501008] ?!?",0x0000d754) listing.CreateFunction("[0x20501008] |= 4",0x0000d75c) listing.CreateFunction("[0x20501008] |= 0x1000",0x0000d764) listing.CreateFunction("[0x20501008] |= 0x4000",0x0000d76c) listing.CreateFunction("[0x20501008]:=[0x20501008] (perhaps these are sleep cycles to wait for activation",0x0000d770) listing.CreateFunction("[0x20501008]:=[0x20501008] (perhaps these are sleep cycles to wait for activation",0x0000d774) listing.CreateFunction("[0x20501008] |= 0x04000000",0x0000d77c) listing.CreateFunction("[0x20501008]:=[0x20501008] (perhaps these are sleep cycles to wait for activation",0x0000d780) listing.CreateFunction("[0x20501000] &=! 1",0x0000d788) listing.CreateFunction("[0x20501000] &=! 2",0x0000d790) listing.CreateFunction("[0x20501000] &=! 0x40",0x0000d798) listing.CreateFunction("[0x20501000] &=! 0x80",0x0000d7a0) listing.CreateFunction("[0x20501000] |= 0x1000",0x0000d7a8) listing.CreateFunction("[0x20501000] |= 0x2000",0x0000d7b0) listing.CreateFunction("[0x20501000] &=! 0x4000",0x0000d7b8) listing.CreateFunction("RETURN();",0x0000d7ba) listing.CreateFunction("Function which returns a byte from [0x0081C688]",0x0000d86c) listing.CreateFunction("return ( [0x0081C688] );",0x0000d870) listing.CreateFunction("Loading base address 0x0081C688",0x0000d89e) listing.CreateFunction("return( [0x0081C68B] );",0x0000d8a2) listing.CreateFunction("[0x0081C684] += 10",0x0000d902) listing.CreateFunction("This is just a sleep counter",0x0000d994) listing.CreateFunction("This just limits it to 16 bits",0x0000d9da) listing.CreateFunction("WriteI2Cbyte",0x0000d9f8) listing.CreateFunction("Another sleep counter",0x0000da42) listing.CreateFunction("GetTemperatureFromI2C()",0x0000dbd0) listing.CreateFunction("Loading base address 0x20000000",0x0000e91c) listing.CreateFunction("[0x200000B0]==0x044213D6 ?",0x0000e92c) listing.CreateFunction("return(0);",0x0000e9bc) listing.CreateFunction("Loading base address 0x200000AC",0x0000ea5a) listing.CreateFunction("[0x20000128] |= 8",0x0000ea62) listing.CreateFunction("[0x20000120] |= 0x30000000",0x0000ea6a) listing.CreateFunction("[0x20000120] |= 0x08000000",0x0000ea72) listing.CreateFunction("[0x20000120] |= 0x04000000",0x0000ea7a) listing.CreateFunction("[0x20000120] |= 0x02000000",0x0000ea82) listing.CreateFunction("[0x20000120] |= 0x01000000",0x0000ea8a) listing.CreateFunction("[0x20000120] |= 0x00020000",0x0000ea92) listing.CreateFunction("[0x2000009C] := 0x80890A3F",0x0000ea9c) listing.CreateFunction("[0x20000008] |= 0x00001000",0x0000eaa8) listing.CreateFunction("[0x20000120] &=! 0x00000040",0x0000eab2) listing.CreateFunction("[0x20000124] |= 0x00800000",0x0000eaba) listing.CreateFunction("Loading base address 0x2050F000",0x0000eabc) listing.CreateFunction("Changing base address",0x0000eabe) listing.CreateFunction("[0x2050F038] == 6 ?",0x0000eac4) listing.CreateFunction("[0x20000124] |= 0x00020000",0x0000ead6) listing.CreateFunction("Changing base address",0x0000eada) listing.CreateFunction("[0x200000A8] = [0x200000B4] | 0x00000c00",0x0000eae6) listing.CreateFunction("[0x20000128] |= 0x40",0x0000eaf0) listing.CreateFunction("[0x20000128] |= 0x00080000",0x0000eaf8) listing.CreateFunction("[0x20000128] |= 0x00000020",0x0000eb00) listing.CreateFunction("[0x20000130] |= 0x80000000",0x0000eb08) listing.CreateFunction("[0x20000130] &=! 0x00ff0000",0x0000eb10) listing.CreateFunction("[0x20000130] |= 0x00230000",0x0000eb18) listing.CreateFunction("[0x20000124] |= 1",0x0000eb20) listing.CreateFunction("[0x20000128] &=! 0x20000000",0x0000eb28) listing.CreateFunction("[0x20000128] |= 0x03a00000",0x0000eb30) listing.CreateFunction("[0x20000128] &=! 0x80",0x0000eb38) listing.CreateFunction("[0x20000128] &=! 0x80000000",0x0000eb40) listing.CreateFunction("[0x20000128] &=! 0x40000000",0x0000eb48) listing.CreateFunction("[0x20000128] &=! 0x04000000",0x0000eb50) listing.CreateFunction("[0x20000128] &=! 0x08000000",0x0000eb58) listing.CreateFunction("[0x200000BC] := 0x7FA06000 ",0x0000eb5c) listing.CreateFunction("[0x200000C4] := 0x4BFF ",0x0000eb62) listing.CreateFunction("return();",0x0000eb64) listing.CreateFunction("[0x20000008] &=! 8",0x0000ef92) listing.CreateFunction("[0x2000000C] := 0x00000080",0x0000ef96) listing.CreateFunction("[0x20000050] := 0x00000001",0x0000ef9a) listing.CreateFunction("[0x20000048] := 0x00000001",0x0000ef9c) listing.CreateFunction("[0x2000004C] := 0x00000000",0x0000efa0) listing.CreateFunction("[0x2000003C] := 0x00000001",0x0000efa2) listing.CreateFunction("[0x20000054] := 0x00000000",0x0000efa4) listing.CreateFunction("[0x2000000C] := 0x40",0x0000efa8) listing.CreateFunction("[0x20000038] |= 5",0x0000efb0) listing.CreateFunction("[0x20000008] |= 8",0x0000efb8) listing.CreateFunction("This is a called FunctionLoading Base Address of Function Block 0x20504000",0x0000f94a) listing.CreateFunction("[0x20504000] |= 0x100",0x0000f952) listing.CreateFunction("RETURN()return(1);",0x0000f956) listing.CreateFunction("Seems to be loading another base address of a function block",0x0000f986) listing.CreateFunction("[0x20504000]:=000001e7 ",0x0000f98e) listing.CreateFunction("[0x20504004]:=0x10 ",0x0000f992) listing.CreateFunction("[0x2050400C]:=(r0<<1) =0x60 ",0x0000f998) listing.CreateFunction("[0x20504004]:=0xf0 ",0x0000f99c) listing.CreateFunction("r0:=[0x20504000]<<27",0x0000f9a0) listing.CreateFunction("Branch if positive or zeroThis is a loop until a bit is set, likely waiting for proper initialisation",0x0000f9a2) listing.CreateFunction("[0x2050400C]:=00000008 ",0x0000f9a4) listing.CreateFunction("CALL(), return address is stored in R14",0x0000f9a6) listing.CreateFunction("r0:=[0x20504000]<<27",0x0000f9ac) listing.CreateFunction("This is the second loop until a bit is set, likely waiting for proper initialisation",0x0000f9ae) listing.CreateFunction("[0x2050400C]:=>00000005",0x0000f9b0) listing.CreateFunction("r0:=[0x20504000]<<27",0x0000f9b8) listing.CreateFunction("This is the third loop until a bit is set, likely waiting for proper initialisation",0x0000f9ba) listing.CreateFunction("RETURN()",0x0000f9be) listing.CreateFunction("Loading the base address again",0x0000f9fe) listing.CreateFunction("[0x20504004]:=000000f0 ",0x0000fa02) listing.CreateFunction("[0x2050400C]:=00000002 ",0x0000fa06) listing.CreateFunction("[0x20504000] |= 0x10",0x0000fa0e) listing.CreateFunction("[0x20504004]:=00000000 ",0x0000fa12) listing.CreateFunction("delay(50);",0x0000fa14) listing.CreateFunction("start of delay() loop",0x0000fa16) listing.CreateFunction("r1:=0x31",0x0000fa18) listing.CreateFunction("end of delay() loop",0x0000fa1c) listing.CreateFunction("RETURN()",0x0000fa1e) listing.CreateFunction("This is a Init() Function for a function block",0x0000fb60) listing.CreateFunction("RETURN(1);",0x0000fb6a) listing.CreateFunction("Loading the base address of a function block?",0x0000fb6c) listing.CreateFunction("[0x20501008] |= 0x5000",0x0000fb76) listing.CreateFunction("Here seem to be base addresses of function blocks",0x0000fbc0) listing.CreateFunction("Loading base address 0x00808020",0x0000fd1e) listing.CreateFunction("r2:=[0x00808020]+0x20",0x0000fd26) listing.CreateFunction("[0x20506034] := 0x00000c35",0x0000fd2a) listing.CreateFunction("[0x20506020] := 0x0000ffff",0x0000fd2c) listing.CreateFunction("[0x20506028] &=! 4",0x0000fd34) listing.CreateFunction("[0x20506028] |= 3",0x0000fd3c) listing.CreateFunction("0xFFFF-[0x20506024]",0x0000fd40) listing.CreateFunction("r0 > (0xFFFF-[0x20506024])<<2 ? (r0=0x000001C2)CORRECTION: >> instead of <<",0x0000fd42) listing.CreateFunction("[0x20506028] &=! 2",0x0000fd4e) listing.CreateFunction("Loading base address 0x20501200",0x0000fd50) listing.CreateFunction("[0x20501208] &=! 7Seems not to work?!?",0x0000fd58) listing.CreateFunction("[0x2050120C] |= 1Seems not to work?!?",0x0000fd60) listing.CreateFunction("[0x20501200]:=0xffffffff ",0x0000fd66) listing.CreateFunction("[0x20501214]:=000004e1 ",0x0000fd6c) listing.CreateFunction("Loading base address 0x20500000",0x0000fd6e) listing.CreateFunction("[0x20500058] |= 0xc0",0x0000fd76) listing.CreateFunction("[0x20501208] |= 3",0x0000fd7e) listing.CreateFunction("Loading base address 0x00808020",0x0000fd82) listing.CreateFunction("This function could be the CPU mex2 and mex3 bootstrapping",0x0000fd86) listing.CreateFunction("Loading different base address 0x20506000",0x0000fd88) listing.CreateFunction("[0x2050600C]:=0",0x0000fd8a) listing.CreateFunction("[0x20506008] &=! 2",0x0000fd92) listing.CreateFunction("[0x20506014]:=0xc34 ",0x0000fd9a) listing.CreateFunction("[0x20506000]:=00000003",0x0000fd9c) listing.CreateFunction("[0x20506008] |= 4",0x0000fda4) listing.CreateFunction("[0x20506008] |= 3",0x0000fdac) listing.CreateFunction("[0x2050604C]:=0",0x0000fdb2) listing.CreateFunction("[0x20506048] &=! 2",0x0000fdba) listing.CreateFunction("[0x20506054]:=0xC34 ",0x0000fdc0) listing.CreateFunction("[0x20506040]:=0xffffffff",0x0000fdc2) listing.CreateFunction("[0x20506048] &=! 4",0x0000fdca) listing.CreateFunction("[0x20506048] |= 3 ",0x0000fdd2) listing.CreateFunction("Another IRQ Handler starts hereSATA Request IRQ Handler",0x0000ff2c) listing.CreateFunction("Loading base address",0x0000ff30) listing.CreateFunction("0x00808020 and 0x20506000 are related blocks",0x0000ff34) listing.CreateFunction("[0x20506008]==8? (perhaps &8)",0x0000ff40) listing.CreateFunction("Controller:=0",0x0000ff44) listing.CreateFunction("call_1e670(0);",0x0000ff48) listing.CreateFunction("Loading base address",0x0000ff4c) listing.CreateFunction("[0x0081C718]++",0x0000ff58) listing.CreateFunction("Never happened to be equal yet",0x0000ff60) listing.CreateFunction("if ([0x0081C724]++ < 10)if ([0x0081C724]++ >= 10) [0x0081C724]-= 10;",0x0000ff8c) listing.CreateFunction("[0x0081C724]-=10",0x0000ff94) listing.CreateFunction("Why is the codepath deviating so much?",0x0000ff9c) listing.CreateFunction("if (return()==1) continue normal codepath",0x0000ffa4) listing.CreateFunction("call()",0x0000ffa8) listing.CreateFunction("r0 := ([0x0081C688] != 0) ? 10 : 0",0x0000ffb0) listing.CreateFunction("if (([0x0081C688] != 0) call_1e4c0()",0x0000ffb4) listing.CreateFunction("The result seems to be always 7",0x0000ffbc) listing.CreateFunction("call_107e2();",0x0000ffcc) listing.CreateFunction("End of interrupt handler",0x0000ffd4) listing.CreateFunction("LIKELY AN OPENOCD DISASSEMBLY BUG",0x00010070) listing.CreateFunction("Loading base address 0x20100000",0x00010108) listing.CreateFunction("r1 := 0",0x0001010a) listing.CreateFunction("[0x20100210]:=0x40800000",0x00010112) listing.CreateFunction("[0x20100214]:=0x00000020",0x00010118) listing.CreateFunction("[0x20100000] |= 0x30",0x00010122) listing.CreateFunction("Loading base address 0x20000124",0x00010128) listing.CreateFunction("[0x20000124] |= 0x00040000",0x00010130) listing.CreateFunction("[0x20000124] |= 0x80000000",0x00010138) listing.CreateFunction("Loading base address 0x0081C7C4",0x0001013a) listing.CreateFunction("Loading base address 0x00800800",0x00010140) listing.CreateFunction("[0x0081C7C8]:= 0x00800000 ",0x00010142) listing.CreateFunction("[0x00800800] := 0x40 ",0x00010148) listing.CreateFunction("[0x00800802] := 0x40 ",0x0001014e) listing.CreateFunction("Start of loop to initialize an arrayLoading base address 0x00800000",0x00010160) listing.CreateFunction("This is an array of 64 Blocks with 32 Bytes per Block starting at 0x00800000and ending at 0x00800800 ",0x00010162) listing.CreateFunction("r0:= 0x00800000 + (r1<<5) #r1 is most likely 0",0x00010164) listing.CreateFunction("[0x008000x0] := r1",0x00010168) listing.CreateFunction("[0x008000x3]:=0xFF ",0x0001016a) listing.CreateFunction("[0x008000x2] := 0xFF ",0x0001016c) listing.CreateFunction("[0x008000x0] := 0xFFFF",0x0001016e) listing.CreateFunction("[0x008000x4] := 0xFFFFFFFF",0x00010170) listing.CreateFunction("[0x008000xA] := 0x0000",0x00010172) listing.CreateFunction("[0x008000xA]=0x0000 ",0x00010174) listing.CreateFunction("[0x008000xC] := 0x00",0x00010176) listing.CreateFunction("[0x008000xE] := 0x00FF",0x00010178) listing.CreateFunction("[0x00800014] := 0x00000000",0x0001017a) listing.CreateFunction("[0x00800013] := 0xFF",0x0001017c) listing.CreateFunction("[0x0080001F] := 0xFF",0x0001017e) listing.CreateFunction("r1 == 0x3F ?",0x00010180) listing.CreateFunction("Loading base address 0x00800000",0x00010182) listing.CreateFunction("r0:=r1+1;",0x00010184) listing.CreateFunction("r7 += r1<<5",0x00010186) listing.CreateFunction("[0x00800011] := r0 (e.g. 1)",0x0001018a) listing.CreateFunction("r1++;",0x0001018c) listing.CreateFunction("r1 <= 0x40 ?",0x00010192) listing.CreateFunction("Loading base address 0x00800000",0x00010194) listing.CreateFunction("Loading base address 0x00800804",0x00010196) listing.CreateFunction("Loading base address 0x0081C7C4",0x000101a0) listing.CreateFunction("[0x0081C7C4] := [0x0001032E] + 8",0x000101a4) listing.CreateFunction("[0x0081C7CC] := 0x0000",0x000101a6) listing.CreateFunction("[0x0081C7CE] := 0x0000",0x000101a8) listing.CreateFunction("for(r0=0;r0<=64;r0++)Practically this is a memset(0x0081C7D4,0,64*4);",0x000101aa) listing.CreateFunction("r2 := r1+(r0<<2)",0x000101ac) listing.CreateFunction("r0++;",0x000101b0) listing.CreateFunction("r0 <= 64 ?",0x000101b4) listing.CreateFunction("[0x0081C7D4++] := 0",0x000101b6) listing.CreateFunction("return();",0x000101ba) listing.CreateFunction("Loading base address 0x0081C9E8 ",0x0001068e) listing.CreateFunction("Begin of a sleep loop SKIP(0x0001069a)",0x00010692) listing.CreateFunction("[0x0081C9E8]:=0",0x00010694) listing.CreateFunction("Now sleep(10000)",0x00010696) listing.CreateFunction("Sleep has finished",0x00010698) listing.CreateFunction("return();",0x0001069a) listing.CreateFunction("Loading base address 0x10020190",0x000107e2) listing.CreateFunction("[0x10020190]:=0",0x000107e6) listing.CreateFunction("return();",0x000107e8) listing.CreateFunction("0x9997F44B is non executable memory ?!?",0x000108c0) listing.CreateFunction("LOOP BAD",0x000108dc) listing.CreateFunction("LOOP BAD",0x000108de) listing.CreateFunction("SKIP(0x000108e4)LOOP BAD",0x000108e0) listing.CreateFunction("(a1==mex3?[10020810]:[1002080C]):=a2",0x00010908) listing.CreateFunction("4d435442=>4d524453 BTCM=>SDRM[0x1002080C]:=SDRM",0x0001090e) listing.CreateFunction("return();",0x00010910) listing.CreateFunction("Loading base address 0x10020804",0x00010912) listing.CreateFunction("SATA Code Handler: DATA SET MANAGEMENT",0x00011313) listing.CreateFunction("This could be the loading from SATA and a signature check ",0x00011e3a) listing.CreateFunction("45524944=DIRE454E4F44=DONE454E4F5A=ZONE",0x0001205c) listing.CreateFunction("LBA32K/3760",0x0001206c) listing.CreateFunction("LBA32K/3760/32",0x00012070) listing.CreateFunction("LBA32K/3760%32",0x00012072) listing.CreateFunction("LBA32K",0x000120c2) listing.CreateFunction("Calculating FTL9 (FTLaddr >> 9)",0x000120ce) listing.CreateFunction("LBA32K",0x000120d8) listing.CreateFunction("Calculating LPA",0x000120e0) listing.CreateFunction("FTL, interesting",0x000120ee) listing.CreateFunction("FTL, interesting",0x00012100) listing.CreateFunction("PBN=LPA%8380",0x0001210a) listing.CreateFunction("PBN/152=MB2432",0x00012112) listing.CreateFunction("SATA Command Handler: NOP",0x00012621) listing.CreateFunction("PBN=LPA%8380",0x00012f18) listing.CreateFunction("MB2432=PBN/152",0x00012f20) listing.CreateFunction("SATA Request Handler for 3Ch IDENTIFY DEVICE starts here",0x00013c2c) listing.CreateFunction("This is soo superfluous. At first it loads 32 Bit with LDR (instead of LDRH), then it uses UXTH, and then it shifts left and right again. One simple LDRH would have been sufficient I think.",0x000151b8) listing.CreateFunction("Loading flash channel",0x00015bb8) listing.CreateFunction("mex2: Store PBPN to FLASH",0x00016388) listing.CreateFunction("Which 512-Byte Blocks out of the 8KB Block to read",0x000163e6) listing.CreateFunction("Store the RAM-address where the data is read to/from flash",0x000163f0) listing.CreateFunction("Writing the PhysicalBlock+PageNumber to Flash PHY",0x00016578) listing.CreateFunction("Likely selecting which pages in the Block to Read/Write",0x0001658a) listing.CreateFunction("Writing the Memory Address where the data should be read to Flash PHY",0x00016590) listing.CreateFunction("[0x10020590]:=0",0x00018018) listing.CreateFunction("4D435442=BTCM 4D524453=SDRM",0x000180fe) listing.CreateFunction("SKIP(0x00018122)",0x00018120) listing.CreateFunction("Loading base address for all 4 channels",0x00019030) listing.CreateFunction("Calculating channel specific base address",0x00019036) listing.CreateFunction("Retrieving channel status from 0x20XX000C (+12)",0x0001903c) listing.CreateFunction("Loading the status again?!?",0x0001904c) listing.CreateFunction("Write to Flash register",0x00019056) listing.CreateFunction("FLASH_READ(channel,block,request,zerocount,page)",0x00019076) listing.CreateFunction("Loading base MEX3 Flash base address",0x0001907a) listing.CreateFunction("Calculating flash channel specific base address",0x00019082) listing.CreateFunction("This is a Flash read command",0x000190c2) listing.CreateFunction("This is the Page address to be read",0x000190c4) listing.CreateFunction("This could cause an interrupt",0x000190cc) listing.CreateFunction("Destination 3F->XXXX3CXX",0x000190e6) listing.CreateFunction("2xxx=Zone, 6xx=Write,7xx=Read",0x000190e8) listing.CreateFunction("Writing 1 activates the FLASH PHY",0x000190f0) listing.CreateFunction("Likely an OpenOCD Disassembler Bug",0x00019378) listing.CreateFunction("This is a function prologueParameters: base_addr and sata_command_byte",0x000193e4) listing.CreateFunction("Store LBA",0x00019420) listing.CreateFunction("Perhaps stcllo p3, c15, [sb], 0x3dc",0x0001b69e) listing.CreateFunction("Loading base address 0x00823D20",0x0001b6a2) listing.CreateFunction("Compare",0x0001b6e6) listing.CreateFunction("call_b0a2();",0x0001b6f8) listing.CreateFunction("This function calls the SATA COMRESET waiter",0x0001bf40) listing.CreateFunction("Loading base address 0x20000000",0x0001cabc) listing.CreateFunction("[0x200000C0] (again)",0x0001cac2) listing.CreateFunction("[0x200000C0]<<11",0x0001caca) listing.CreateFunction("[0x200000C0]<<11 >= 0 ?",0x0001cacc) listing.CreateFunction("[0x200000C0]:=0x8000",0x0001cad6) listing.CreateFunction("[0x200000C0]:=-1",0x0001caf2) listing.CreateFunction("[0x200000C8]:=-1",0x0001caf6) listing.CreateFunction("Loading base address 0x00823D20",0x0001cafc) listing.CreateFunction("Loading base address",0x0001d2ac) listing.CreateFunction("Function(base_addr);",0x0001d2b0) listing.CreateFunction("",0x0001d2d0) listing.CreateFunction("Load Total number of LBAs written value",0x0001dcc0) listing.CreateFunction("Storing 8KB alignment to 0x418004B0and to 0x428005D0",0x0001e354) listing.CreateFunction("Is this disassembly correct?",0x0001e40a) listing.CreateFunction("memset(0x81C00000,0,16MB);",0x0001e40e) listing.CreateFunction("Problem with Disassembler",0x0001e434) listing.CreateFunction("Loading base address 0x00808020",0x0001e670) listing.CreateFunction("Loading base address 0x20506000",0x0001e674) listing.CreateFunction("0x20506000+Controller*0x20Controller has always been 0, perhaps it would only use different controllers under high load?",0x0001e676) listing.CreateFunction("Acknowledging the interrupt (?)",0x0001e67a) listing.CreateFunction("Return();",0x0001e67c) listing.CreateFunction("function ?(base_addr)",0x0001e954) listing.CreateFunction("[0x008222C8]==1?",0x0001e95a) listing.CreateFunction("[0x008222CB]!=1 ?",0x0001e962) listing.CreateFunction("return([0x00800C2A]);",0x0001e966)