CH

From MILEDROPEDIA
Revision as of 18:49, 23 June 2011 by XVilka (Talk | contribs)

Jump to: navigation, search

CH table

What is it?

Up to the first 512 bytes of the flash memory on OMAP34xx systems can be occupied by the Configuration Header, as described in section 26.4.8.2 in the OMAP34xx TRM. This table is loaded by the OMAP boot ROM in order to set various options before delivering control to the bootstrap code (X-Loader, included in the Initial Software image located at NAND position 0x00000208).

Is it protected?

  • Cryptographic protections
  • The CH table can be included in the signed bootstrap image. Starting from version 2.4 (released on 21/Jul/2008)((csst_sdp3430_releasenotes_v2_4.pdf, p.10, 3.1.1 Diagnostics module (platform dependent fixees) Table 3, Defect ID: OMAPS00159940 Description: Support for the Configuration Header (CH) within this signed image)), TI's tool CSST can include the CH table inside the signed code. Whether the Milestone's and the Droid's signed images include their respective CH tables is unknown. Some have argued that it may not be signed, but the fact that the tools to do it were available to Motorola and the fact that they would have to explicitly exclude the CH table from the image when they tried to sign each link in the boot chain are not encouraging.
  • However, there is another kind of interpretation of the release note 's statement:
    Support for the Configuration Header (CH) within this signed image
    Since this statement is inside the "Diagnostics module" section, and the word "support" can be interpreted as being able to continue the diagnostic without interrupting by the CH which wasn't expected in earlier version. In fact, by the practical use of CSST 2.5, there is no evidence showing that the CH is a part of the ISW that would affect the value of CertISW. An experiment has been done to sign an image with the CH options altered, the resulting binary diff shows only the difference in CH.


How does it differ between Droid and Milestone?

Inspection of the Milestone's "mbmloader dump", which spans this flash area, shows that it does contain a CH table, and that it differs from the Droid's (thanks to droid001 for noticing and for proposing the packed-fields format)((we have compared European and Latin American Milestone mbmloader dumps, and they are identical.)).

Position Droid CH Milestone CH Meaning
0x125 0xb9 0xae This sets the refresh countdown timer in the memory controller to 0x04b9 (Droid) or 0x04ae (Milestone). Thus, the Milestone's memory is refreshed about 0,9% faster than the Droid's, at least at boot time (this might be changed later according to [this]). Whether the Milestone's hardware supports running at Droid's lower refresh rate is unknown.
0x1a3 0x02 0x00 This value lies outside any CH ITEM, in a padding area. Whether it has a purpose or not is unknown.

In order to boot a Droid image on a Milestone (see mbmloader replacement attack) one might want to keep the Milestone CH. The abovementioned cryptographic protection may also preclude us to merge the Milestone CH with the Droid bootstrap code.

The CH table parsed

Parsing the CH table was not trivial. When reading the table with the usual fixed 32-bit word from the raw NAND, little-endian ordering, the results were somewhat surprising (CH present but inactive, "must be 0"'s that weren't, etc). Although it has not been fully understood why it might be being used, the following packed-fields mapping obtains more likely results:

  • 1-byte field: 0x12 as quoted on the TRM corresponds to byte 12 at the immediate next storage position
  • 2-byte field: 0x1234 as quoted on the TRM corresponds to bytes 34 12 at the immediate next storage positions
  • 4-byte field: 0x12345678 as quoted on the TRM corresponds to bytes 78 56 34 12 at the immediate next storage positions

The resulting CH looks like the following:

CH TOC

CH ITEM 1

  0000: a0 00 00 00  50 00 00 00  00 00 00 00  00 00 00 00
  0010: 00 00 00 00  43 48 53 45  54 54 49 4e  47 53 00 00
Field name Value Meaning
Start 0x000000a0 Points to start of Item 1
Size 0x00000050 Length of Item 1
Reserved 0x00000000 0x00000000 0x00000000
Filename "CHSETTINGS" Type of Item 1

CH ITEM 2

  0020: f0 00 00 00  5c 00 00 00  00 00 00 00  00 00 00 00
  0030: 00 00 00 00  43 48 52 41  4d 00 00 00  00 00 00 00
Field name Value Meaning
Start 0x000000f0 Points to start of Item 2
Size 0x0000005c Length of Item 2
Reserved 0x00000000 0x00000000 0x00000000
Filename "CHRAM" Type of Item 2

CH TOC closing mark

  0040: ff ff ff ff  ff ff ff ff  ff ff ff ff  ff ff ff ff
  0050: ff ff ff ff  ff ff ff ff  ff ff ff ff  ff ff ff ff

EMPTY DATA SPACE

  0060: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
  0070: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
  0080: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
  0090: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00

ITEM 1: CHSETTINGS BLOCK

  00a0: c1 c0 c0 c0  00 01 00 00  01 00 00 02  00 00 00 00
  00b0: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
  00c0: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
  00d0: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
  00e0: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
Field name Value Meaning
Section key 0xc0c0c0c1 this verifies that it's a CHSETTINGS block, ok
Valid 0x00 this block is DISABLED, so it's not used!!!
Version 0x01 correct
Reserved 0x0000
Clock settings 0x02000001 Clock configuration applied = 1 [yes]
  • Reserved = 0
  • Perform clock configuration = 0 [no]
  • Set and lock DPLL4 PER = 0 [no]
  • Set and lock DPLL1 (MPU) = 0 [no]
  • Set and lock DPLL3 (CORE) = 0 [no]
  • Bypass DPLL4 before setting clocks = 0 [no]
  • Bypass DPLL1 before setting clocks = 0 [no]
  • Bypass DPLL3 before setting clocks = 0 [no]
  • System clock ID = 0x02 [13 MHz]

ITEM 2: CHRAM BLOCK

  00f0: c2 c0 c0 c0  01 00 00 00  00 00 04 00  00 01 00 00
  0100: 08 00 00 0f  00 00 00 00  00 00 00 00  03 00 00 00
  0110: 99 80 58 03  32 00 00 00  20 00 00 00  c6 b4 9d ba
  0120: 20 22 02 00  02 ae 04 00  03 00 00 00  00 00 00 00
  0130: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
  0140: 00 00 00 00  00 00 00 00  01 00 00 00
Field name Value Meaning
Section key 0xc0c0c0c2 this verifies that it's a CHRAM block, ok
Valid 0x01 this block is enabled
Reserved 0x000000
SDRC_SYSCONFIG (LSB) 0x0000
SDRC_CS_CFG (LSB) 0x0004
SDRC_SHARING (LSB) 0x0100
SDRC_ERR_TYPE (LSB) 0x0000
SDRC_DLLA_CTRL (LSB) 0x0008
SDRC_DLLA_CTRL (MSB) 0x0f00
Reserved 0x0000
Reserved 0x0000
SDRC_POWER (LSB) 0x0000
SDRC_POWER (MSB) 0x0000
Memory type (LSB) 0x0003 Mobile DDR
"Must be 0" 0x0000 ok
SDRC_MCFG_0 (LSB) 0x0008
SDRC_MCFG_0 (MSB) 0x0358
SDRC_MR_0 (LSB) 0x0000
SDRC_EMR1_0 (LSB) 0x0000
SDRC_EMR2_0 (LSB) 0x0000
SDRC_EMR3_0 (LSB) 0x0000
SDRC_ACTIM_CTRLA_0 (LSB) 0x0003
SDRC_ACTIM_CTRLA_0 (MSB) 0x0000
SDRC_ACTIM_CTRLB_0 (LSB) 0x2220
SDRC_ACTIM_CTRLB_0 (MSB) 0x0002
SDRC_RFRCTRL_0 (LSB) 0xae02 this value differs between the Droid and the Milestone; the Droid uses the 0xb902 value here. See the next comment.
SDRC_RFRCTRL_0 (MSB) 0x0004
  • SDRC_RFR_CTRL_0[23:8]: ARCV = 0x04ae for Milestone or 0x04b9 for Droid. This is the autorefresh counter value to set the refresh period. The autorefresh counter is uploaded with the result of (tREFI / tCK)-50
  • SDRC_RFR_CTRL_0[7:2]: Reserved = 0
  • SDRC_RFR_CTRL_0[1:0]: ARE = 0x2 This means refresh counter is loaded with 4xARCV: Burst of 4 autorefresh commands when autorefresh counter reaches 0
Memory type (LSB) 0x0003 Mobile DDR
"Must be 0" 0x0000 ok
SDRC_MCFG_1 (LSB) 0x0000
SDRC_MCFG_1 (MSB) 0x0000
SDRC_MR_1 (LSB) 0x0000
SDRC_EMR1_1 (LSB) 0x0000
SDRC_EMR2_1 (LSB) 0x0000
SDRC_EMR3_1 (LSB) 0x0000
SDRC_ACTIM_CTRLA_1 (LSB) 0x0000
SDRC_ACTIM_CTRLA_1 (MSB) 0x0000
SDRC_ACTIM_CTRLB_1 (LSB) 0x0000
SDRC_ACTIM_CTRLB_1 (MSB) 0x0000
SDRC_RFRCTRL_1 (LSB) 0x0000
SDRC_RFRCTRL_1 (MSB) 0x0000
Reserved 0x0000
Reserved 0x0000
Flags 0x0001 CS0 is configured
"Must be 0" 0x0000

MORE EMPTY DATA SPACE

  0140:                                        00 00 00 00
  0150: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
  0160: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
  0170: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
  0180: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
  0190: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
  01a0: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
  01b0: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
  01c0: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
  01d0: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
  01e0: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
  01f0: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00

CH END

Code listings from boot ROM

Invalid language.

You need to specify a language like this: <source lang="html4strict">...</source>

Supported languages for syntax highlighting:

4cs, 6502acme, 6502kickass, 6502tasm, 68000devpac, abap, actionscript, actionscript3, ada, algol68, apache, applescript, apt_sources, arm, asm, asp, asymptote, autoconf, autohotkey, autoit, avisynth, awk, bascomavr, bash, basic4gl, bf, bibtex, blitzbasic, bnf, boo, c, c_loadrunner, c_mac, caddcl, cadlisp, cfdg, cfm, chaiscript, cil, clojure, cmake, cobol, coffeescript, cpp, cpp-qt, csharp, css, cuesheet, d, dcl, dcpu16, dcs, delphi, diff, div, dos, dot, e, ecmascript, eiffel, email, epc, erlang, euphoria, f1, falcon, fo, fortran, freebasic, freeswitch, fsharp, gambas, gdb, genero, genie, gettext, glsl, gml, gnuplot, go, groovy, gwbasic, haskell, haxe, hicest, hq9plus, html4strict, html5, icon, idl, ini, inno, intercal, io, j, java, java5, javascript, jquery, kixtart, klonec, klonecpp, latex, lb, ldif, lisp, llvm, locobasic, logtalk, lolcode, lotusformulas, lotusscript, lscript, lsl2, lua, m68k, magiksf, make, mapbasic, matlab, mirc, mmix, modula2, modula3, mpasm, mxml, mysql, nagios, netrexx, newlisp, nsis, oberon2, objc, objeck, ocaml, ocaml-brief, octave, oobas, oorexx, oracle11, oracle8, oxygene, oz, parasail, parigp, pascal, pcre, per, perl, perl6, pf, php, php-brief, pic16, pike, pixelbender, pli, plsql, postgresql, povray, powerbuilder, powershell, proftpd, progress, prolog, properties, providex, purebasic, pycon, pys60, python, q, qbasic, rails, rebol, reg, rexx, robots, rpmspec, rsplus, ruby, sas, scala, scheme, scilab, sdlbasic, smalltalk, smarty, spark, sparql, sql, stonescript, systemverilog, tcl, teraterm, text, thinbasic, tsql, typoscript, unicon, upc, urbi, uscript, vala, vb, vbnet, vedit, verilog, vhdl, vim, visualfoxpro, visualprolog, whitespace, whois, winbatch, xbasic, xml, xorg_conf, xpp, yaml, z80, zxbasic


40015A08                 ; =============== S U B R O U T I N E =======================================
40015A08
40015A08
40015A08                 ; int __cdecl parse_CH_table(int arg_1, int arg_2, int arg_3, int arg_4)
40015A08                 parse_CH_table                                                        ; CODE XREF: sub_ROM_40019494+7E�p
40015A08
40015A08                 arg_8     =  8
40015A08
40015A08 000 2D E9 F0 47           PUSH.W {R4-R10,LR}                                          ; Push registers
40015A0C 020 1D 00                 MOVS  R5, R3                                                ; Rd = Op2
40015A0E 020 07 46                 MOV   R7, R0                                                ; Rd = Op2
40015A10 020 88 46                 MOV   R8, R1                                                ; Rd = Op2
40015A12 020 DD E9 08 A9           LDRD.W R10, R9, [SP,#0x20]                                  ; Load pair of registers
40015A16 020 14 46                 MOV   R4, R2                                                ; Rd = Op2
40015A18 020 0A 9E                 LDR   R6, [SP,#0x20+arg_8]                                  ; Load from Memory
40015A1A 020 12 D0                 BEQ   parse_CHRAM                                           ; Branch
40015A1A
40015A1C 020 B8 06                 LSLS  R0, R7, #0x1A                                         ; Logical Shift Left
40015A1E 020 10 D4                 BMI   parse_CHRAM                                           ; Branch
40015A1E
40015A20 020 28 46                 MOV   R0, R5                                                ; Rd = Op2
40015A22 020 FF F7 2E E9           BLX   standard_uread4                                       ; Branch with Link and Exchange (immediate address)
40015A22 020
40015A26 020 10 F1 3F 3F           CMN.W R0, #0x3F3F3F3F                                       ; Set cond. codes on Op1 + Op2
40015A2A 020 0A D1                 BNE   parse_CHRAM                                           ; Branch
40015A2A
40015A2C 020 28 79                 LDRB  R0, [R5,#4]                                           ; Load from Memory
40015A2E 020 40 B1                 CBZ   R0, parse_CHRAM                                       ; Compare and Branch on Zero
40015A2E
40015A30 020 05 F1 08 00           ADD.W R0, R5, #8                                            ; Rd = Op1 + Op2
40015A34 020 00 F0 16 F9           BL    parse_CHSETTINGS                                      ; Branch with Link
40015A34 020
40015A38 020 18 B9                 CBNZ  R0, parse_CHRAM                                       ; Compare and Branch on Non-Zero
40015A38
40015A3A 020 E0 79                 LDRB  R0, [R4,#7]                                           ; Load from Memory
40015A3C 020 40 F0 01 00           ORR.W R0, R0, #1                                            ; Rd = Op1 | Op2
40015A40 020 E0 71                 STRB  R0, [R4,#7]                                           ; Store to Memory
40015A40
40015A42
40015A42                 parse_CHRAM                                                           ; CODE XREF: parse_CH_table+12�j
40015A42                                                                                       ; parse_CH_table+16�j
40015A42                                                                                       ; parse_CH_table+22�j
40015A42                                                                                       ; parse_CH_table+26�j
40015A42                                                                                       ; parse_CH_table+30�j
40015A42 020 5F EA 0A 05           MOVS.W R5, R10                                              ; Rd = Op2
40015A46 020 12 D0                 BEQ   parse_CHFLASH                                         ; Branch
40015A46
40015A48 020 78 06                 LSLS  R0, R7, #0x19                                         ; Logical Shift Left
40015A4A 020 10 D4                 BMI   parse_CHFLASH                                         ; Branch
40015A4A
40015A4C 020 28 46                 MOV   R0, R5                                                ; Rd = Op2
40015A4E 020 FF F7 18 E9           BLX   standard_uread4                                       ; Branch with Link and Exchange (immediate address)
40015A4E 020
40015A52 020 29 49                 LDR   R1, =CH_RAM_KEY                                       ; Load from Memory
40015A54 020 88 42                 CMP   R0, R1                                                ; Set cond. codes on Op1 - Op2
40015A56 020 0A D1                 BNE   parse_CHFLASH                                         ; Branch
40015A56
40015A58 020 28 79                 LDRB  R0, [R5,#4]                                           ; Load from Memory
40015A5A 020 40 B1                 CBZ   R0, parse_CHFLASH                                     ; Compare and Branch on Zero
40015A5A
40015A5C 020 05 F1 08 00           ADD.W R0, R5, #8                                            ; Rd = Op1 + Op2
40015A60 020 02 F0 BE F8           BL    parse_CHRAM_block                                     ; Branch with Link
40015A60 020
40015A64 020 18 B9                 CBNZ  R0, parse_CHFLASH                                     ; Compare and Branch on Non-Zero
40015A64
40015A66 020 E0 79                 LDRB  R0, [R4,#7]                                           ; Load from Memory
40015A68 020 40 F0 02 00           ORR.W R0, R0, #2                                            ; Rd = Op1 | Op2
40015A6C 020 E0 71                 STRB  R0, [R4,#7]                                           ; Store to Memory
40015A6C
40015A6E
40015A6E                 parse_CHFLASH                                                         ; CODE XREF: parse_CH_table+3E�j
40015A6E                                                                                       ; parse_CH_table+42�j
40015A6E                                                                                       ; parse_CH_table+4E�j
40015A6E                                                                                       ; parse_CH_table+52�j
40015A6E                                                                                       ; parse_CH_table+5C�j
40015A6E 020 5F EA 09 05           MOVS.W R5, R9                                               ; Rd = Op2
40015A72 020 14 D0                 BEQ   parse_CHMMCSD                                         ; Branch
40015A72
40015A74 020 38 06                 LSLS  R0, R7, #0x18                                         ; Logical Shift Left
40015A76 020 12 D4                 BMI   parse_CHMMCSD                                         ; Branch
40015A76
40015A78 020 28 46                 MOV   R0, R5                                                ; Rd = Op2
40015A7A 020 FF F7 02 E9           BLX   standard_uread4                                       ; Branch with Link and Exchange (immediate address)
40015A7A 020
40015A7E 020 1E 49                 LDR   R1, =CH_RAM_KEY                                       ; Load from Memory
40015A80 020 49 1C                 ADDS  R1, R1, #1                                            ; Rd = Op1 + Op2
40015A82 020 88 42                 CMP   R0, R1                                                ; Set cond. codes on Op1 - Op2
40015A84 020 0B D1                 BNE   parse_CHMMCSD                                         ; Branch
40015A84
40015A86 020 28 79                 LDRB  R0, [R5,#4]                                           ; Load from Memory
40015A88 020 48 B1                 CBZ   R0, parse_CHMMCSD                                     ; Compare and Branch on Zero
40015A88
40015A8A 020 00 21                 MOVS  R1, #0                                                ; Rd = Op2
40015A8C 020 05 F1 08 00           ADD.W R0, R5, #8                                            ; Rd = Op1 + Op2
40015A90 020 FE F7 6E FD           BL    parse_CHFLASH                                         ; Branch with Link
40015A90 020
40015A94 020 18 B9                 CBNZ  R0, parse_CHMMCSD                                     ; Compare and Branch on Non-Zero
40015A94
40015A96 020 E0 79                 LDRB  R0, [R4,#7]                                           ; Load from Memory
40015A98 020 40 F0 04 00           ORR.W R0, R0, #4                                            ; Rd = Op1 | Op2
40015A9C 020 E0 71                 STRB  R0, [R4,#7]                                           ; Store to Memory
40015A9C
40015A9E
40015A9E                 parse_CHMMCSD                                                         ; CODE XREF: parse_CH_table+6A�j
40015A9E                                                                                       ; parse_CH_table+6E�j
40015A9E                                                                                       ; parse_CH_table+7C�j
40015A9E                                                                                       ; parse_CH_table+80�j
40015A9E                                                                                       ; parse_CH_table+8C�j
40015A9E 020 3E B3                 CBZ   R6, return_0                                          ; Compare and Branch on Zero
40015A9E
40015AA0 020 F8 05                 LSLS  R0, R7, #0x17                                         ; Logical Shift Left
40015AA2 020 25 D4                 BMI   return_0                                              ; Branch
40015AA2
40015AA4 020 30 46                 MOV   R0, R6                                                ; Rd = Op2
40015AA6 020 FF F7 EC E8           BLX   standard_uread4                                       ; Branch with Link and Exchange (immediate address)
40015AA6 020
40015AAA 020 13 49                 LDR   R1, =CH_RAM_KEY                                       ; Load from Memory
40015AAC 020 89 1C                 ADDS  R1, R1, #2                                            ; Rd = Op1 + Op2
40015AAE 020 88 42                 CMP   R0, R1                                                ; Set cond. codes on Op1 - Op2
40015AB0 020 1E D1                 BNE   return_0                                              ; Branch
40015AB0
40015AB2 020 30 79                 LDRB  R0, [R6,#4]                                           ; Load from Memory
40015AB4 020 E0 B1                 CBZ   R0, return_0                                          ; Compare and Branch on Zero
40015AB4
40015AB6 020 08 36                 ADDS  R6, #8                                                ; Rd = Op1 + Op2
40015AB8 020 30 46                 MOV   R0, R6                                                ; Rd = Op2
40015ABA 020 FF F7 E2 E8           BLX   standard_uread4                                       ; Branch with Link and Exchange (immediate address)
40015ABA 020
40015ABE 020 41 1C                 ADDS  R1, R0, #1                                            ; Rd = Op1 + Op2
40015AC0 020 08 D0                 BEQ   loc_ROM_40015AD4                                      ; Branch
40015AC0
40015AC2 020 01 46                 MOV   R1, R0                                                ; Rd = Op2
40015AC4 020 40 46                 MOV   R0, R8                                                ; Rd = Op2
40015AC6 020 01 F0 9F FB           BL    parse_CHMMCSD                                         ; Branch with Link
40015AC6 020
40015ACA 020 18 B9                 CBNZ  R0, loc_ROM_40015AD4                                  ; Compare and Branch on Non-Zero
40015ACA
40015ACC 020 E0 79                 LDRB  R0, [R4,#7]                                           ; Load from Memory
40015ACE 020 40 F0 08 00           ORR.W R0, R0, #8                                            ; Rd = Op1 | Op2
40015AD2 020 E0 71                 STRB  R0, [R4,#7]                                           ; Store to Memory
40015AD2
40015AD4
40015AD4                 loc_ROM_40015AD4                                                      ; CODE XREF: parse_CH_table+B8�j
40015AD4                                                                                       ; parse_CH_table+C2�j
40015AD4 020 30 1D                 ADDS  R0, R6, #4                                            ; Rd = Op1 + Op2
40015AD6 020 FF F7 D4 E8           BLX   standard_uread4                                       ; Branch with Link and Exchange (immediate address)
40015AD6 020
40015ADA 020 41 1C                 ADDS  R1, R0, #1                                            ; Rd = Op1 + Op2
40015ADC 020 08 D0                 BEQ   return_0                                              ; Branch
40015ADC
40015ADE 020 01 46                 MOV   R1, R0                                                ; arg_2
40015AE0 020 40 46                 MOV   R0, R8                                                ; arg_1
40015AE2 020 01 F0 3F FB           BL    mmc_something_4                                       ; Branch with Link
40015AE2 020
40015AE6 020 18 B9                 CBNZ  R0, return_0                                          ; Compare and Branch on Non-Zero
40015AE6
40015AE8 020 E0 79                 LDRB  R0, [R4,#7]                                           ; Load from Memory
40015AEA 020 40 F0 08 00           ORR.W R0, R0, #8                                            ; Rd = Op1 | Op2
40015AEE 020 E0 71                 STRB  R0, [R4,#7]                                           ; Store to Memory
40015AEE
40015AF0
40015AF0                 return_0                                                              ; CODE XREF: parse_CH_table:parse_CHMMCSD�j
40015AF0                                                                                       ; parse_CH_table+9A�j
40015AF0                                                                                       ; parse_CH_table+A8�j
40015AF0                                                                                       ; parse_CH_table+AC�j
40015AF0                                                                                       ; parse_CH_table+D4�j
40015AF0                                                                                       ; parse_CH_table+DE�j
40015AF0 020 00 20                 MOVS  R0, #0                                                ; Rd = Op2
40015AF2 020 BD E8 F0 87           POP.W {R4-R10,PC}                                           ; Pop registers
40015AF2 020
40015AF2                 ; End of function parse_CH_table
40015AF2
40015AF2                 ; ---------------------------------------------------------------------------
40015AF6 00 00                     DCW 0
40015AF8 C2 C0 C0 C0     dword_ROM_40015AF8 DCD CH_RAM_KEY                                     ; DATA XREF: parse_CH_table+4A�r
40015AF8                                                                                       ; parse_CH_table+76�r
40015AF8                                                                                       ; parse_CH_table+A2�r
40015AFC

Invalid language.

You need to specify a language like this: <source lang="html4strict">...</source>

Supported languages for syntax highlighting:

4cs, 6502acme, 6502kickass, 6502tasm, 68000devpac, abap, actionscript, actionscript3, ada, algol68, apache, applescript, apt_sources, arm, asm, asp, asymptote, autoconf, autohotkey, autoit, avisynth, awk, bascomavr, bash, basic4gl, bf, bibtex, blitzbasic, bnf, boo, c, c_loadrunner, c_mac, caddcl, cadlisp, cfdg, cfm, chaiscript, cil, clojure, cmake, cobol, coffeescript, cpp, cpp-qt, csharp, css, cuesheet, d, dcl, dcpu16, dcs, delphi, diff, div, dos, dot, e, ecmascript, eiffel, email, epc, erlang, euphoria, f1, falcon, fo, fortran, freebasic, freeswitch, fsharp, gambas, gdb, genero, genie, gettext, glsl, gml, gnuplot, go, groovy, gwbasic, haskell, haxe, hicest, hq9plus, html4strict, html5, icon, idl, ini, inno, intercal, io, j, java, java5, javascript, jquery, kixtart, klonec, klonecpp, latex, lb, ldif, lisp, llvm, locobasic, logtalk, lolcode, lotusformulas, lotusscript, lscript, lsl2, lua, m68k, magiksf, make, mapbasic, matlab, mirc, mmix, modula2, modula3, mpasm, mxml, mysql, nagios, netrexx, newlisp, nsis, oberon2, objc, objeck, ocaml, ocaml-brief, octave, oobas, oorexx, oracle11, oracle8, oxygene, oz, parasail, parigp, pascal, pcre, per, perl, perl6, pf, php, php-brief, pic16, pike, pixelbender, pli, plsql, postgresql, povray, powerbuilder, powershell, proftpd, progress, prolog, properties, providex, purebasic, pycon, pys60, python, q, qbasic, rails, rebol, reg, rexx, robots, rpmspec, rsplus, ruby, sas, scala, scheme, scilab, sdlbasic, smalltalk, smarty, spark, sparql, sql, stonescript, systemverilog, tcl, teraterm, text, thinbasic, tsql, typoscript, unicon, upc, urbi, uscript, vala, vb, vbnet, vedit, verilog, vhdl, vim, visualfoxpro, visualprolog, whitespace, whois, winbatch, xbasic, xml, xorg_conf, xpp, yaml, z80, zxbasic


40015C64                 ; =============== S U B R O U T I N E =======================================
40015C64
40015C64
40015C64                 ; int __fastcall parse_CHSETTINGS()
40015C64                 parse_CHSETTINGS                                                      ; CODE XREF: parse_CH_table+2C�p
40015C64                                                                                       ; sub_ROM_40015BC8+8A�p
40015C64                                                                                       ; DATA XREF: non_GP:40014200�o
40015C64 000 01 68                 LDR   R1, [R0]                                              ; Load from Memory
40015C66 000 CA 07                 LSLS  R2, R1, #0x1F                                         ; Logical Shift Left
40015C68 000 01 D1                 BNE   loc_ROM_40015C6E                                      ; Branch
40015C68
40015C6A 000 01 20                 MOVS  R0, #1                                                ; Rd = Op2
40015C6C 000 70 47                 BX    LR                                                    ; Branch to/from Thumb mode
40015C6C
40015C6E                 ; ---------------------------------------------------------------------------
40015C6E
40015C6E                 loc_ROM_40015C6E                                                      ; CODE XREF: parse_CHSETTINGS+4�j
40015C6E 000 0A 0E                 LSRS  R2, R1, #0x18                                         ; Logical Shift Right
40015C70 000 06 2A                 CMP   R2, #6                                                ; Set cond. codes on Op1 - Op2
40015C72 000 01 D8                 BHI   loc_ROM_40015C78                                      ; Branch
40015C72
40015C74 000 46 4B                 LDR   R3, =(dword_RAM_RESERVED_4020FCB0+0x2C)               ; Load from Memory
40015C76 000 1A 60                 STR   R2, [R3]                                              ; Store to Memory
40015C76
40015C78
40015C78                 loc_ROM_40015C78                                                      ; CODE XREF: parse_CHSETTINGS+E�j
40015C78 000 CA 05                 LSLS  R2, R1, #0x17                                         ; Logical Shift Left
40015C7A 000 46 49                 LDR   R1, =CM_IVA2                                          ; Load from Memory
40015C7C 000 06 D5                 BPL   loc_ROM_40015C8C                                      ; Branch
40015C7C
40015C7E 000 D1 F8 00 2D           LDR.W R2, [R1,#0xD00]                                       ; Load from Memory
40015C82 000 22 F0 07 02           BIC.W R2, R2, #7                                            ; Rd = Op1 & ~Op2
40015C86 000 52 1D                 ADDS  R2, R2, #5                                            ; Rd = Op1 + Op2
40015C88 000 C1 F8 00 2D           STR.W R2, [R1,#0xD00]                                       ; Store to Memory
40015C88 000
40015C8C
40015C8C                 loc_ROM_40015C8C                                                      ; CODE XREF: parse_CHSETTINGS+18�j
40015C8C 000 02 68                 LDR   R2, [R0]                                              ; Load from Memory
40015C8E 000 52 06                 LSLS  R2, R2, #0x19                                         ; Logical Shift Left
40015C90 000 07 D5                 BPL   loc_ROM_40015CA2                                      ; Branch
40015C90
40015C92 000 D1 F8 00 2D           LDR.W R2, [R1,#0xD00]                                       ; Load from Memory
40015C96 000 22 F4 E0 22           BIC.W R2, R2, #0x70000                                      ; Rd = Op1 & ~Op2
40015C9A 000 42 F4 80 32           ORR.W R2, R2, #0x10000                                      ; Rd = Op1 | Op2
40015C9E 000 C1 F8 00 2D           STR.W R2, [R1,#0xD00]                                       ; Store to Memory
40015C9E 000
40015CA2
40015CA2                 loc_ROM_40015CA2                                                      ; CODE XREF: parse_CHSETTINGS+2C�j
40015CA2 000 02 68                 LDR   R2, [R0]                                              ; Load from Memory
40015CA4 000 12 06                 LSLS  R2, R2, #0x18                                         ; Logical Shift Left
40015CA6 000 06 D5                 BPL   loc_ROM_40015CB6                                      ; Branch
40015CA6
40015CA8 000 D1 F8 04 29           LDR.W R2, [R1,#0x904]                                       ; Load from Memory
40015CAC 000 22 F0 07 02           BIC.W R2, R2, #7                                            ; Rd = Op1 & ~Op2
40015CB0 000 52 1D                 ADDS  R2, R2, #5                                            ; Rd = Op1 + Op2
40015CB2 000 C1 F8 04 29           STR.W R2, [R1,#0x904]                                       ; Store to Memory
40015CB2 000
40015CB6
40015CB6                 loc_ROM_40015CB6                                                      ; CODE XREF: parse_CHSETTINGS+42�j
40015CB6 000 38 4B                 LDR   R3, =PRM_CLKSRC_CTRL                                  ; Load from Memory
40015CB8 000 42 68                 LDR   R2, [R0,#4]                                           ; Load from Memory
40015CBA 000 1A 60                 STR   R2, [R3]                                              ; Store to Memory
40015CBC 000 37 4B                 LDR   R3, =0x48306D40                                       ; Load from Memory
40015CBE 000 82 68                 LDR   R2, [R0,#8]                                           ; Load from Memory
40015CC0 000 1A 60                 STR   R2, [R3]                                              ; Store to Memory
40015CC2 000 37 4B                 LDR   R3, =0x48005140                                       ; Load from Memory
40015CC4 000 C2 68                 LDR   R2, [R0,#0xC]                                         ; Load from Memory
40015CC6 000 1A 60                 STR   R2, [R3]                                              ; Store to Memory
40015CC8 000 02 68                 LDR   R2, [R0]                                              ; Load from Memory
40015CCA 000 52 07                 LSLS  R2, R2, #0x1D                                         ; Logical Shift Left
40015CCC 000 05 D5                 BPL   loc_ROM_40015CDA                                      ; Branch
40015CCC
40015CCE 000 02 69                 LDR   R2, [R0,#0x10]                                        ; Load from Memory
40015CD0 000 C1 F8 40 2A           STR.W R2, [R1,#0xA40]                                       ; Store to Memory
40015CD4 000 42 69                 LDR   R2, [R0,#0x14]                                        ; Load from Memory
40015CD6 000 C1 F8 40 2C           STR.W R2, [R1,#0xC40]                                       ; Store to Memory
40015CD6 000
40015CDA
40015CDA                 loc_ROM_40015CDA                                                      ; CODE XREF: parse_CHSETTINGS+68�j
40015CDA 000 02 68                 LDR   R2, [R0]                                              ; Load from Memory
40015CDC 000 13 07                 LSLS  R3, R2, #0x1C                                         ; Logical Shift Left
40015CDE 000 31 4A                 LDR   R2, =0x7FF00                                          ; Load from Memory
40015CE0 000 17 D5                 BPL   loc_ROM_40015D12                                      ; Branch
40015CE0
40015CE2 000 43 6A                 LDR   R3, [R0,#0x24]                                        ; Load from Memory
40015CE4 000 01 F5 50 61           ADD.W R1, R1, #0xD00                                        ; Rd = Op1 + Op2
40015CE8 000 23 F4 E0 23           BIC.W R3, R3, #0x70000                                      ; Rd = Op1 & ~Op2
40015CEC 000 43 F4 80 33           ORR.W R3, R3, #0x10000                                      ; Rd = Op1 | Op2
40015CF0 000 0B 60                 STR   R3, [R1]                                              ; Store to Memory
40015CF2 000 83 6A                 LDR   R3, [R0,#0x28]                                        ; Load from Memory
40015CF4 000 0B 63                 STR   R3, [R1,#0x30]                                        ; Store to Memory
40015CF6 000 C3 6A                 LDR   R3, [R0,#0x2C]                                        ; Load from Memory
40015CF8 000 4B 64                 STR   R3, [R1,#0x44]                                        ; Store to Memory
40015CFA 000 03 6B                 LDR   R3, [R0,#0x30]                                        ; Load from Memory
40015CFC 000 8B 64                 STR   R3, [R1,#0x48]                                        ; Store to Memory
40015CFE 000 4B 6C                 LDR   R3, [R1,#0x44]                                        ; Load from Memory
40015D00 000 A1 F5 50 61           SUB.W R1, R1, #0xD00                                        ; Rd = Op1 - Op2
40015D04 000 13 42                 TST   R3, R2                                                ; Set cond. codes on Op1 & Op2
40015D06 000 04 D0                 BEQ   loc_ROM_40015D12                                      ; Branch
40015D06
40015D08 000 43 6A                 LDR   R3, [R0,#0x24]                                        ; Load from Memory
40015D0A 000 43 F4 E0 23           ORR.W R3, R3, #0x70000                                      ; Rd = Op1 | Op2
40015D0E 000 C1 F8 00 3D           STR.W R3, [R1,#0xD00]                                       ; Store to Memory
40015D0E 000
40015D12
40015D12                 loc_ROM_40015D12                                                      ; CODE XREF: parse_CHSETTINGS+7C�j
40015D12                                                                                       ; parse_CHSETTINGS+A2�j
40015D12 000 03 68                 LDR   R3, [R0]                                              ; Load from Memory
40015D14 000 DB 06                 LSLS  R3, R3, #0x1B                                         ; Logical Shift Left
40015D16 000 1C D5                 BPL   loc_ROM_40015D52                                      ; Branch
40015D16
40015D18 000 43 6B                 LDR   R3, [R0,#0x34]                                        ; Load from Memory
40015D1A 000 01 F6 04 11           ADDW  R1, R1, #0x904                                        ; Rd = Op1 + Op2
40015D1E 000 23 F0 07 03           BIC.W R3, R3, #7                                            ; Rd = Op1 & ~Op2
40015D22 000 5B 1D                 ADDS  R3, R3, #5                                            ; Rd = Op1 + Op2
40015D24 000 0B 60                 STR   R3, [R1]                                              ; Store to Memory
40015D26 000 83 6B                 LDR   R3, [R0,#0x38]                                        ; Load from Memory
40015D28 000 0B 63                 STR   R3, [R1,#0x30]                                        ; Store to Memory
40015D2A 000 C3 6B                 LDR   R3, [R0,#0x3C]                                        ; Load from Memory
40015D2C 000 CB 63                 STR   R3, [R1,#0x3C]                                        ; Store to Memory
40015D2E 000 03 6C                 LDR   R3, [R0,#0x40]                                        ; Load from Memory
40015D30 000 0B 64                 STR   R3, [R1,#0x40]                                        ; Store to Memory
40015D32 000 43 6C                 LDR   R3, [R0,#0x44]                                        ; Load from Memory
40015D34 000 4B 64                 STR   R3, [R1,#0x44]                                        ; Store to Memory
40015D36 000 CB 6B                 LDR   R3, [R1,#0x3C]                                        ; Load from Memory
40015D38 000 A1 F6 04 11           SUBW  R1, R1, #0x904                                        ; Rd = Op1 - Op2
40015D3C 000 13 42                 TST   R3, R2                                                ; Set cond. codes on Op1 & Op2
40015D3E 000 08 D0                 BEQ   loc_ROM_40015D52                                      ; Branch
40015D3E
40015D40 000 42 6B                 LDR   R2, [R0,#0x34]                                        ; Load from Memory
40015D42 000 42 F0 07 02           ORR.W R2, R2, #7                                            ; Rd = Op1 | Op2
40015D46 000 C1 F8 04 29           STR.W R2, [R1,#0x904]                                       ; Store to Memory
40015D46 000
40015D4A
40015D4A                 loc_ROM_40015D4A                                                      ; CODE XREF: parse_CHSETTINGS+EC�j
40015D4A 000 D1 F8 24 29           LDR.W R2, [R1,#0x924]                                       ; Load from Memory
40015D4E 000 D2 07                 LSLS  R2, R2, #0x1F                                         ; Logical Shift Left
40015D50 000 FB D0                 BEQ   loc_ROM_40015D4A                                      ; Branch
40015D50
40015D52
40015D52                 loc_ROM_40015D52                                                      ; CODE XREF: parse_CHSETTINGS+B2�j
40015D52                                                                                       ; parse_CHSETTINGS+DA�j
40015D52 000 02 68                 LDR   R2, [R0]                                              ; Load from Memory
40015D54 000 92 06                 LSLS  R2, R2, #0x1A                                         ; Logical Shift Left
40015D56 000 19 D5                 BPL   loc_ROM_40015D8C                                      ; Branch
40015D56
40015D58 000 82 69                 LDR   R2, [R0,#0x18]                                        ; Load from Memory
40015D5A 000 22 F0 07 02           BIC.W R2, R2, #7                                            ; Rd = Op1 & ~Op2
40015D5E 000 52 1D                 ADDS  R2, R2, #5                                            ; Rd = Op1 + Op2
40015D60 000 C1 F8 00 2D           STR.W R2, [R1,#0xD00]                                       ; Store to Memory
40015D64 000 C2 69                 LDR   R2, [R0,#0x1C]                                        ; Load from Memory
40015D66 000 C1 F8 30 2D           STR.W R2, [R1,#0xD30]                                       ; Store to Memory
40015D6A 000 02 6A                 LDR   R2, [R0,#0x20]                                        ; Load from Memory
40015D6C 000 C1 F8 40 2D           STR.W R2, [R1,#0xD40]                                       ; Store to Memory
40015D70 000 D1 F8 40 2D           LDR.W R2, [R1,#0xD40]                                       ; Load from Memory
40015D74 000 0C 4B                 LDR   R3, =0x7FF0000                                        ; Load from Memory
40015D76 000 1A 42                 TST   R2, R3                                                ; Set cond. codes on Op1 & Op2
40015D78 000 08 D0                 BEQ   loc_ROM_40015D8C                                      ; Branch
40015D78
40015D7A 000 80 69                 LDR   R0, [R0,#0x18]                                        ; Load from Memory
40015D7C 000 40 F0 07 00           ORR.W R0, R0, #7                                            ; Rd = Op1 | Op2
40015D80 000 C1 F8 00 0D           STR.W R0, [R1,#0xD00]                                       ; Store to Memory
40015D80 000
40015D84
40015D84                 loc_ROM_40015D84                                                      ; CODE XREF: parse_CHSETTINGS+126�j
40015D84 000 D1 F8 20 0D           LDR.W R0, [R1,#0xD20]                                       ; Load from Memory
40015D88 000 C0 07                 LSLS  R0, R0, #0x1F                                         ; Logical Shift Left
40015D8A 000 FB D0                 BEQ   loc_ROM_40015D84                                      ; Branch
40015D8A
40015D8C
40015D8C                 loc_ROM_40015D8C                                                      ; CODE XREF: parse_CHSETTINGS+F2�j
40015D8C                                                                                       ; parse_CHSETTINGS+114�j
40015D8C 000 00 20                 MOVS  R0, #0                                                ; Rd = Op2
40015D8E 000 70 47                 BX    LR                                                    ; Branch to/from Thumb mode
40015D8E
40015D8E                 ; End of function parse_CHSETTINGS
40015D8E
40015D8E                 ; ---------------------------------------------------------------------------
40015D90 DC FC 20 40     off_ROM_40015D90 DCD dword_RAM_RESERVED_4020FCB0+0x2C                 ; DATA XREF: parse_CHSETTINGS+10�r
40015D94 00 40 00 48     dword_ROM_40015D94 DCD CM_IVA2                                        ; DATA XREF: parse_CHSETTINGS+16�r
40015D98 70 72 30 48     dword_ROM_40015D98 DCD PRM_CLKSRC_CTRL                                ; DATA XREF: parse_CHSETTINGS:loc_ROM_40015CB6�r
40015D9C 40 6D 30 48     dword_ROM_40015D9C DCD 0x48306D40                                     ; DATA XREF: parse_CHSETTINGS+58�r
40015DA0 40 51 00 48     dword_ROM_40015DA0 DCD 0x48005140                                     ; DATA XREF: parse_CHSETTINGS+5E�r
40015DA4 00 FF 07 00     dword_ROM_40015DA4 DCD 0x7FF00                                        ; DATA XREF: parse_CHSETTINGS+7A�r
40015DA8 00 00 FF 07     dword_ROM_40015DA8 DCD 0x7FF0000                                      ; DATA XREF: parse_CHSETTINGS+110�r
40015DAC