Application Processor Boot ROM

Revision as of 01:11, 9 August 2010 by Wikiadmin (Talk | contribs)

Public part of AP Boot ROM

Interesting concurrency loop

Eventually a short loop was found in do_something_with_mmc@40016f88 that expects memory to be changed by external means.

R4 is never updated in the loop loc_ROM_40016FC0, but [R4+0x130] is expected to change according to the logic that follows. So it is suspected that there is multi-threaded operation, or parallel operation with another processor such as a DSP.

Since concurrency can be tricky, loops with this pattern should be found and analysed further.

40016FC0                 loc_ROM_40016FC0                                            ; CODE XREF: do_something_with_mmc+3E↑j
40016FC0                                                                             ; do_something_with_mmc+4A↑j
40016FC0 00C D4 F8 30 21                 LDR.W   R2, [R4,#0x130]                     ; Load from Memory
40016FC4 00C 00 2A                       CMP     R2, #0                              ; Set cond. codes on Op1 - Op2
40016FC6 00C FB D0                       BEQ     loc_ROM_40016FC0                    ; Branch
40016FC8 00C 15 04                       LSLS    R5, R2, #0x10                       ; Logical Shift Left
40016FCA 00C 01 D5                       BPL     loc_ROM_40016FD0                    ; Branch
40016FCC 00C 01 20                       MOVS    R0, #1                              ; Rd = Op2
40016FCE 00C 30 BD                       POP     {R4,R5,PC}                          ; Pop registers
40016FD0                 ; ---------------------------------------------------------------------------
40016FD0                 loc_ROM_40016FD0                                            ; CODE XREF: do_something_with_mmc+42↑j

comment: in this example LDR.W R2, [R4,#0x130] really reads not from memory but from the registers of the MMC peripheral, so it can change as the state of that peripheral changes. But there are also IRQ handlers that interrupt the main thread and perform actions that can change memory.

How to locate this kind of loop?

 - Open rom3.idb, set "number of opcode bytes" to 4, then copy all the text and save it as a text file.
 - Use this regex to locate short loops (adjust the parameters as necessary): grep -B 6 -E "[0-9]{3} F. D." rom3.txt (the byte pair F. D. is a 16-bit Thumb conditional branch with a small negative offset, i.e. a short backward jump).

Sample snippet from the grep output

400144DE 000 01 61                       STR     R1, [R0,#0x10]
400144E0                 loc_ROM_400144E0
400144E0 000 41 69                       LDR     R1, [R0,#0x14]
400144E2 000 C9 07                       LSLS    R1, R1, #0x1F
400144E4 000 FC D0                       BEQ     loc_ROM_400144E0
400145F8 004 81 40                       LSLS    R1, R0
400145FA                 loc_ROM_400145FA
400145FA 004 50 6D                       LDR     R0, [R2,#0x54]
400145FC 004 08 42                       TST     R0, R1
400145FE 004 FC D0                       BEQ     loc_ROM_400145FA
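The grep above only finds backward conditional branches; deciding which of them are polling loops (a load through a base register that the loop body never updates, as in loc_ROM_40016FC0) is still manual. The following script is an added example, not part of the wiki page or of any tool it describes: it parses the IDA text listing format shown above and flags such loops, using a constructed sample listing (the MMC loop from this page plus a countdown loop as a negative case).

```python
import re

# Constructed sample in this page's listing format (not a real ROM dump): the MMC
# polling loop from above plus an ordinary countdown loop as a negative case.
SAMPLE_LISTING = """\
40016FC0                 loc_ROM_40016FC0         ; CODE XREF: do_something_with_mmc+3E
40016FC0 00C D4 F8 30 21                 LDR.W   R2, [R4,#0x130]   ; Load from Memory
40016FC4 00C 00 2A                       CMP     R2, #0
40016FC6 00C FB D0                       BEQ     loc_ROM_40016FC0
40017000                 loc_ROM_40017000
40017000 000 01 38                       SUBS    R0, #1
40017002 000 00 28                       CMP     R0, #0
40017004 000 FC D1                       BNE     loc_ROM_40017000
"""
COND = {"EQ","NE","CS","HS","CC","LO","MI","PL","VS","VC","HI","LS","GE","LT","GT","LE"}
NO_WRITE = {"CMP", "CMN", "TST", "TEQ", "STR", "STRB", "STRH", "STRD", "PUSH"}
LABEL_RE = re.compile(r"^([0-9A-F]{8})\s+(\w+)\s*$")
INSN_RE = re.compile(r"^([0-9A-F]{8})\s+[0-9A-F]{3}\s+(?:[0-9A-F]{2}\s)+\s*(\S+)\s*(.*)$")

def parse_listing(text):
    """Return (instructions, labels); an instruction is (addr, mnemonic, operands)."""
    insns, labels = [], {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].rstrip()            # drop IDA comments
        if m := LABEL_RE.match(line):
            labels[m.group(2)] = len(insns)               # label -> index of next insn
        elif m := INSN_RE.match(line):
            mnem = m.group(2).upper().split(".")[0]       # "LDR.W" -> "LDR"
            insns.append((int(m.group(1), 16), mnem, m.group(3).strip()))
    return insns, labels

def find_short_loops(text, max_len=6):
    """Backward conditional branches spanning at most max_len instructions, as
    (label, head_addr, branch_addr, polling, load_bases); 'polling' means the body
    loads through a base register that nothing in the body writes."""
    insns, labels = parse_listing(text)
    loops = []
    for i, (addr, mnem, ops) in enumerate(insns):
        is_cond_branch = mnem[:1] == "B" and mnem[1:] in COND
        if not is_cond_branch or ops not in labels or not 0 <= i - labels[ops] < max_len:
            continue                                      # not a short backward loop
        start = labels[ops]
        bases, written = set(), set()
        for _, m, o in insns[start:i]:
            if m.startswith("LDR"):
                bases.update(re.findall(r"\[(\w+)", o))   # base register of each load
            dest = re.findall(r"\b(R\d+|SP|LR|PC)\b", o.split(",", 1)[0])
            if dest and m not in NO_WRITE and m[:1] != "B":
                written.add(dest[0])                      # first operand is the destination
        polling = bool(bases) and not bases & written
        loops.append((ops, insns[start][0], addr, polling, tuple(sorted(bases))))
    return loops
```

Run it over the full rom3.txt export instead of SAMPLE_LISTING to get every short loop with a polling flag; loops that load from a peripheral or DMA-written buffer and never touch the base register are the ones to review for the concurrency issue described above.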
Secure part of AP Boot ROM

Impossible to dump: it is fully implemented in hardware in the Cortex-A8 core. It is used by some handlers in BootROM/mbmloader for SVC/SMC calls, and by some wrappers for secure coprocessor operations.