CH

From MILEDROPEDIA
Revision as of 00:17, 28 December 2010 by XVilka (Talk | contribs)

Jump to: navigation, search

CH table

What is it?

Up to the first 512 bytes of the flash memory on OMAP34xx systems can be occupied by the Configuration Header, as described in section 26.4.8.2 in the OMAP34xx TRM. This table is loaded by the OMAP boot ROM in order to set various options before delivering control to the bootstrap code (X-Loader, included in the Initial Software image located at NAND position 0x00000208).

Is it protected?

  • Cryptographic protections
  • The CH table can be included in the signed bootstrap image. Starting from version 2.4 (released on 21/Jul/2008)((csst_sdp3430_releasenotes_v2_4.pdf, p.10, 3.1.1 Diagnostics module (platform dependent fixees) Table 3, Defect ID: OMAPS00159940 Description: Support for the Configuration Header (CH) within this signed image)), TI's tool CSST can include the CH table inside the signed code. Whether the Milestone's and the Droid's signed images include their respective CH tables is unknown. Some have argued that it may not be signed, but the fact that the tools to do it were available to Motorola and the fact that they would have to explicitly exclude the CH table from the image when they tried to sign each link in the boot chain are not encouraging.
  • However, there is another kind of interpretation of the release note 's statement:
    Support for the Configuration Header (CH) within this signed image
    Since this statement is inside the "Diagnostics module" section, and the word "support" can be interpreted as being able to continue the diagnostic without interrupting by the CH which wasn't expected in earlier version. In fact, by the practical use of CSST 2.5, there is no evidence showing that the CH is a part of the ISW that would affect the value of CertISW. An experiment has been done to sign an image with the CH options altered, the resulting binary diff shows only the difference in CH.


How does it differ between Droid and Milestone?

Inspection of the Milestone's "mbmloader dump", which spans this flash area, shows that it does contain a CH table, and that it differs from the Droid's (thanks to droid001 for noticing and for proposing the packed-fields format)((we have compared European and Latin American Milestone mbmloader dumps, and they are identical.)).

Position Droid CH Milestone CH Meaning
0x125 0xb9 0xae This sets the refresh countdown timer in the memory controller to 0x04b9 (Droid) or 0x04ae (Milestone). Thus, the Milestone's memory is refreshed about 0,9% faster than the Droid's, at least at boot time (this might be changed later according to [this]). Whether the Milestone's hardware supports running at Droid's lower refresh rate is unknown.
0x1a3 0x02 0x00 This value lies outside any CH ITEM, in a padding area. Whether it has a purpose or not is unknown.

In order to boot a Droid image on a Milestone (see mbmloader replacement attack) one might want to keep the Milestone CH. The abovementioned cryptographic protection may also preclude us to merge the Milestone CH with the Droid bootstrap code.

The CH table parsed

Parsing the CH table was not trivial. When reading the table with the usual fixed 32-bit word from the raw NAND, little-endian ordering, the results were somewhat surprising (CH present but inactive, "must be 0"'s that weren't, etc). Although it has not been fully understood why it might be being used, the following packed-fields mapping obtains more likely results:

  • 1-byte field: 0x12 as quoted on the TRM corresponds to byte 12 at the immediate next storage position
  • 2-byte field: 0x1234 as quoted on the TRM corresponds to bytes 34 12 at the immediate next storage positions
  • 4-byte field: 0x12345678 as quoted on the TRM corresponds to bytes 78 56 34 12 at the immediate next storage positions

The resulting CH looks like the following:

CH TOC

CH ITEM 1

  0000: a0 00 00 00  50 00 00 00  00 00 00 00  00 00 00 00
  0010: 00 00 00 00  43 48 53 45  54 54 49 4e  47 53 00 00
Field name Value Meaning
Start 0x000000a0 Points to start of Item 1
Size 0x00000050 Length of Item 1
Reserved 0x00000000 0x00000000 0x00000000
Filename "CHSETTINGS" Type of Item 1

CH ITEM 2

  0020: f0 00 00 00  5c 00 00 00  00 00 00 00  00 00 00 00
  0030: 00 00 00 00  43 48 52 41  4d 00 00 00  00 00 00 00
Field name Value Meaning
Start 0x000000f0 Points to start of Item 2
Size 0x0000005c Length of Item 2
Reserved 0x00000000 0x00000000 0x00000000
Filename "CHRAM" Type of Item 2

CH TOC closing mark

  0040: ff ff ff ff  ff ff ff ff  ff ff ff ff  ff ff ff ff
  0050: ff ff ff ff  ff ff ff ff  ff ff ff ff  ff ff ff ff

EMPTY DATA SPACE

  0060: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
  0070: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
  0080: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
  0090: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00

ITEM 1: CHSETTINGS BLOCK

  00a0: c1 c0 c0 c0  00 01 00 00  01 00 00 02  00 00 00 00
  00b0: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
  00c0: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
  00d0: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
  00e0: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
Field name Value Meaning
Section key 0xc0c0c0c1 this verifies that it's a CHSETTINGS block, ok
Valid 0x00 this block is DISABLED, so it's not used!!!
Version 0x01 correct
Reserved 0x0000
Clock settings 0x02000001 Clock configuration applied = 1 [yes]
  • Reserved = 0
  • Perform clock configuration = 0 [no]
  • Set and lock DPLL4 PER = 0 [no]
  • Set and lock DPLL1 (MPU) = 0 [no]
  • Set and lock DPLL3 (CORE) = 0 [no]
  • Bypass DPLL4 before setting clocks = 0 [no]
  • Bypass DPLL1 before setting clocks = 0 [no]
  • Bypass DPLL3 before setting clocks = 0 [no]
  • System clock ID = 0x02 [13 MHz]

ITEM 2: CHRAM BLOCK

  00f0: c2 c0 c0 c0  01 00 00 00  00 00 04 00  00 01 00 00
  0100: 08 00 00 0f  00 00 00 00  00 00 00 00  03 00 00 00
  0110: 99 80 58 03  32 00 00 00  20 00 00 00  c6 b4 9d ba
  0120: 20 22 02 00  02 ae 04 00  03 00 00 00  00 00 00 00
  0130: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
  0140: 00 00 00 00  00 00 00 00  01 00 00 00
Field name Value Meaning
Section key 0xc0c0c0c2 this verifies that it's a CHRAM block, ok
Valid 0x01 this block is enabled
Reserved 0x000000
SDRC_SYSCONFIG (LSB) 0x0000
SDRC_CS_CFG (LSB) 0x0004
SDRC_SHARING (LSB) 0x0100
SDRC_ERR_TYPE (LSB) 0x0000
SDRC_DLLA_CTRL (LSB) 0x0008
SDRC_DLLA_CTRL (MSB) 0x0f00
Reserved 0x0000
Reserved 0x0000
SDRC_POWER (LSB) 0x0000
SDRC_POWER (MSB) 0x0000
Memory type (LSB) 0x0003 Mobile DDR
"Must be 0" 0x0000 ok
SDRC_MCFG_0 (LSB) 0x0008
SDRC_MCFG_0 (MSB) 0x0358
SDRC_MR_0 (LSB) 0x0000
SDRC_EMR1_0 (LSB) 0x0000
SDRC_EMR2_0 (LSB) 0x0000
SDRC_EMR3_0 (LSB) 0x0000
SDRC_ACTIM_CTRLA_0 (LSB) 0x0003
SDRC_ACTIM_CTRLA_0 (MSB) 0x0000
SDRC_ACTIM_CTRLB_0 (LSB) 0x2220
SDRC_ACTIM_CTRLB_0 (MSB) 0x0002
SDRC_RFRCTRL_0 (LSB) 0xae02 this value differs between the Droid and the Milestone; the Droid uses the 0xb902 value here. See the next comment.
SDRC_RFRCTRL_0 (MSB) 0x0004
  • SDRC_RFR_CTRL_0[23:8]: ARCV = 0x04ae for Milestone or 0x04b9 for Droid. This is the autorefresh counter value to set the refresh period. The autorefresh counter is uploaded with the result of (tREFI / tCK)-50
  • SDRC_RFR_CTRL_0[7:2]: Reserved = 0
  • SDRC_RFR_CTRL_0[1:0]: ARE = 0x2 This means refresh counter is loaded with 4xARCV: Burst of 4 autorefresh commands when autorefresh counter reaches 0
Memory type (LSB) 0x0003 Mobile DDR
"Must be 0" 0x0000 ok
SDRC_MCFG_1 (LSB) 0x0000
SDRC_MCFG_1 (MSB) 0x0000
SDRC_MR_1 (LSB) 0x0000
SDRC_EMR1_1 (LSB) 0x0000
SDRC_EMR2_1 (LSB) 0x0000
SDRC_EMR3_1 (LSB) 0x0000
SDRC_ACTIM_CTRLA_1 (LSB) 0x0000
SDRC_ACTIM_CTRLA_1 (MSB) 0x0000
SDRC_ACTIM_CTRLB_1 (LSB) 0x0000
SDRC_ACTIM_CTRLB_1 (MSB) 0x0000
SDRC_RFRCTRL_1 (LSB) 0x0000
SDRC_RFRCTRL_1 (MSB) 0x0000
Reserved 0x0000
Reserved 0x0000
Flags 0x0001 CS0 is configured
"Must be 0" 0x0000

MORE EMPTY DATA SPACE

  0140:                                        00 00 00 00
  0150: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
  0160: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
  0170: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
  0180: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
  0190: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
  01a0: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
  01b0: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
  01c0: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
  01d0: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
  01e0: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
  01f0: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00

CH END

Code listings from boot ROM

  1. 40015A08                 ; =============== S U B R O U T I N E =======================================
  2. 40015A08
  3. 40015A08
  4. 40015A08                 ; int __cdecl parse_CH_table(int arg_1, int arg_2, int arg_3, int arg_4)
  5. 40015A08                 parse_CH_table                                                        ; CODE XREF: sub_ROM_40019494+7E�p
  6. 40015A08
  7. 40015A08                 arg_8     =  8
  8. 40015A08
  9. 40015A08 000 2D E9 F0 47           PUSH.W {R4-R10,LR}                                          ; Push registers
  10. 40015A0C 020 1D 00                 MOVS  R5, R3                                                ; Rd = Op2
  11. 40015A0E 020 07 46                 MOV   R7, R0                                                ; Rd = Op2
  12. 40015A10 020 88 46                 MOV   R8, R1                                                ; Rd = Op2
  13. 40015A12 020 DD E9 08 A9           LDRD.W R10, R9, [SP,#0x20]                                  ; Load pair of registers
  14. 40015A16 020 14 46                 MOV   R4, R2                                                ; Rd = Op2
  15. 40015A18 020 0A 9E                 LDR   R6, [SP,#0x20+arg_8]                                  ; Load from Memory
  16. 40015A1A 020 12 D0                 BEQ   parse_CHRAM                                           ; Branch
  17. 40015A1A
  18. 40015A1C 020 B8 06                 LSLS  R0, R7, #0x1A                                         ; Logical Shift Left
  19. 40015A1E 020 10 D4                 BMI   parse_CHRAM                                           ; Branch
  20. 40015A1E
  21. 40015A20 020 28 46                 MOV   R0, R5                                                ; Rd = Op2
  22. 40015A22 020 FF F7 2E E9           BLX   standard_uread4                                       ; Branch with Link and Exchange (immediate address)
  23. 40015A22 020
  24. 40015A26 020 10 F1 3F 3F           CMN.W R0, #0x3F3F3F3F                                       ; Set cond. codes on Op1 + Op2
  25. 40015A2A 020 0A D1                 BNE   parse_CHRAM                                           ; Branch
  26. 40015A2A
  27. 40015A2C 020 28 79                 LDRB  R0, [R5,#4]                                           ; Load from Memory
  28. 40015A2E 020 40 B1                 CBZ   R0, parse_CHRAM                                       ; Compare and Branch on Zero
  29. 40015A2E
  30. 40015A30 020 05 F1 08 00           ADD.W R0, R5, #8                                            ; Rd = Op1 + Op2
  31. 40015A34 020 00 F0 16 F9           BL    parse_CHSETTINGS                                      ; Branch with Link
  32. 40015A34 020
  33. 40015A38 020 18 B9                 CBNZ  R0, parse_CHRAM                                       ; Compare and Branch on Non-Zero
  34. 40015A38
  35. 40015A3A 020 E0 79                 LDRB  R0, [R4,#7]                                           ; Load from Memory
  36. 40015A3C 020 40 F0 01 00           ORR.W R0, R0, #1                                            ; Rd = Op1 | Op2
  37. 40015A40 020 E0 71                 STRB  R0, [R4,#7]                                           ; Store to Memory
  38. 40015A40
  39. 40015A42
  40. 40015A42                 parse_CHRAM                                                           ; CODE XREF: parse_CH_table+12�j
  41. 40015A42                                                                                       ; parse_CH_table+16�j
  42. 40015A42                                                                                       ; parse_CH_table+22�j
  43. 40015A42                                                                                       ; parse_CH_table+26�j
  44. 40015A42                                                                                       ; parse_CH_table+30�j
  45. 40015A42 020 5F EA 0A 05           MOVS.W R5, R10                                              ; Rd = Op2
  46. 40015A46 020 12 D0                 BEQ   parse_CHFLASH                                         ; Branch
  47. 40015A46
  48. 40015A48 020 78 06                 LSLS  R0, R7, #0x19                                         ; Logical Shift Left
  49. 40015A4A 020 10 D4                 BMI   parse_CHFLASH                                         ; Branch
  50. 40015A4A
  51. 40015A4C 020 28 46                 MOV   R0, R5                                                ; Rd = Op2
  52. 40015A4E 020 FF F7 18 E9           BLX   standard_uread4                                       ; Branch with Link and Exchange (immediate address)
  53. 40015A4E 020
  54. 40015A52 020 29 49                 LDR   R1, =CH_RAM_KEY                                       ; Load from Memory
  55. 40015A54 020 88 42                 CMP   R0, R1                                                ; Set cond. codes on Op1 - Op2
  56. 40015A56 020 0A D1                 BNE   parse_CHFLASH                                         ; Branch
  57. 40015A56
  58. 40015A58 020 28 79                 LDRB  R0, [R5,#4]                                           ; Load from Memory
  59. 40015A5A 020 40 B1                 CBZ   R0, parse_CHFLASH                                     ; Compare and Branch on Zero
  60. 40015A5A
  61. 40015A5C 020 05 F1 08 00           ADD.W R0, R5, #8                                            ; Rd = Op1 + Op2
  62. 40015A60 020 02 F0 BE F8           BL    parse_CHRAM_block                                     ; Branch with Link
  63. 40015A60 020
  64. 40015A64 020 18 B9                 CBNZ  R0, parse_CHFLASH                                     ; Compare and Branch on Non-Zero
  65. 40015A64
  66. 40015A66 020 E0 79                 LDRB  R0, [R4,#7]                                           ; Load from Memory
  67. 40015A68 020 40 F0 02 00           ORR.W R0, R0, #2                                            ; Rd = Op1 | Op2
  68. 40015A6C 020 E0 71                 STRB  R0, [R4,#7]                                           ; Store to Memory
  69. 40015A6C
  70. 40015A6E
  71. 40015A6E                 parse_CHFLASH                                                         ; CODE XREF: parse_CH_table+3E�j
  72. 40015A6E                                                                                       ; parse_CH_table+42�j
  73. 40015A6E                                                                                       ; parse_CH_table+4E�j
  74. 40015A6E                                                                                       ; parse_CH_table+52�j
  75. 40015A6E                                                                                       ; parse_CH_table+5C�j
  76. 40015A6E 020 5F EA 09 05           MOVS.W R5, R9                                               ; Rd = Op2
  77. 40015A72 020 14 D0                 BEQ   parse_CHMMCSD                                         ; Branch
  78. 40015A72
  79. 40015A74 020 38 06                 LSLS  R0, R7, #0x18                                         ; Logical Shift Left
  80. 40015A76 020 12 D4                 BMI   parse_CHMMCSD                                         ; Branch
  81. 40015A76
  82. 40015A78 020 28 46                 MOV   R0, R5                                                ; Rd = Op2
  83. 40015A7A 020 FF F7 02 E9           BLX   standard_uread4                                       ; Branch with Link and Exchange (immediate address)
  84. 40015A7A 020
  85. 40015A7E 020 1E 49                 LDR   R1, =CH_RAM_KEY                                       ; Load from Memory
  86. 40015A80 020 49 1C                 ADDS  R1, R1, #1                                            ; Rd = Op1 + Op2
  87. 40015A82 020 88 42                 CMP   R0, R1                                                ; Set cond. codes on Op1 - Op2
  88. 40015A84 020 0B D1                 BNE   parse_CHMMCSD                                         ; Branch
  89. 40015A84
  90. 40015A86 020 28 79                 LDRB  R0, [R5,#4]                                           ; Load from Memory
  91. 40015A88 020 48 B1                 CBZ   R0, parse_CHMMCSD                                     ; Compare and Branch on Zero
  92. 40015A88
  93. 40015A8A 020 00 21                 MOVS  R1, #0                                                ; Rd = Op2
  94. 40015A8C 020 05 F1 08 00           ADD.W R0, R5, #8                                            ; Rd = Op1 + Op2
  95. 40015A90 020 FE F7 6E FD           BL    parse_CHFLASH                                         ; Branch with Link
  96. 40015A90 020
  97. 40015A94 020 18 B9                 CBNZ  R0, parse_CHMMCSD                                     ; Compare and Branch on Non-Zero
  98. 40015A94
  99. 40015A96 020 E0 79                 LDRB  R0, [R4,#7]                                           ; Load from Memory
  100. 40015A98 020 40 F0 04 00           ORR.W R0, R0, #4                                            ; Rd = Op1 | Op2
  101. 40015A9C 020 E0 71                 STRB  R0, [R4,#7]                                           ; Store to Memory
  102. 40015A9C
  103. 40015A9E
  104. 40015A9E                 parse_CHMMCSD                                                         ; CODE XREF: parse_CH_table+6A�j
  105. 40015A9E                                                                                       ; parse_CH_table+6E�j
  106. 40015A9E                                                                                       ; parse_CH_table+7C�j
  107. 40015A9E                                                                                       ; parse_CH_table+80�j
  108. 40015A9E                                                                                       ; parse_CH_table+8C�j
  109. 40015A9E 020 3E B3                 CBZ   R6, return_0                                          ; Compare and Branch on Zero
  110. 40015A9E
  111. 40015AA0 020 F8 05                 LSLS  R0, R7, #0x17                                         ; Logical Shift Left
  112. 40015AA2 020 25 D4                 BMI   return_0                                              ; Branch
  113. 40015AA2
  114. 40015AA4 020 30 46                 MOV   R0, R6                                                ; Rd = Op2
  115. 40015AA6 020 FF F7 EC E8           BLX   standard_uread4                                       ; Branch with Link and Exchange (immediate address)
  116. 40015AA6 020
  117. 40015AAA 020 13 49                 LDR   R1, =CH_RAM_KEY                                       ; Load from Memory
  118. 40015AAC 020 89 1C                 ADDS  R1, R1, #2                                            ; Rd = Op1 + Op2
  119. 40015AAE 020 88 42                 CMP   R0, R1                                                ; Set cond. codes on Op1 - Op2
  120. 40015AB0 020 1E D1                 BNE   return_0                                              ; Branch
  121. 40015AB0
  122. 40015AB2 020 30 79                 LDRB  R0, [R6,#4]                                           ; Load from Memory
  123. 40015AB4 020 E0 B1                 CBZ   R0, return_0                                          ; Compare and Branch on Zero
  124. 40015AB4
  125. 40015AB6 020 08 36                 ADDS  R6, #8                                                ; Rd = Op1 + Op2
  126. 40015AB8 020 30 46                 MOV   R0, R6                                                ; Rd = Op2
  127. 40015ABA 020 FF F7 E2 E8           BLX   standard_uread4                                       ; Branch with Link and Exchange (immediate address)
  128. 40015ABA 020
  129. 40015ABE 020 41 1C                 ADDS  R1, R0, #1                                            ; Rd = Op1 + Op2
  130. 40015AC0 020 08 D0                 BEQ   loc_ROM_40015AD4                                      ; Branch
  131. 40015AC0
  132. 40015AC2 020 01 46                 MOV   R1, R0                                                ; Rd = Op2
  133. 40015AC4 020 40 46                 MOV   R0, R8                                                ; Rd = Op2
  134. 40015AC6 020 01 F0 9F FB           BL    parse_CHMMCSD                                         ; Branch with Link
  135. 40015AC6 020
  136. 40015ACA 020 18 B9                 CBNZ  R0, loc_ROM_40015AD4                                  ; Compare and Branch on Non-Zero
  137. 40015ACA
  138. 40015ACC 020 E0 79                 LDRB  R0, [R4,#7]                                           ; Load from Memory
  139. 40015ACE 020 40 F0 08 00           ORR.W R0, R0, #8                                            ; Rd = Op1 | Op2
  140. 40015AD2 020 E0 71                 STRB  R0, [R4,#7]                                           ; Store to Memory
  141. 40015AD2
  142. 40015AD4
  143. 40015AD4                 loc_ROM_40015AD4                                                      ; CODE XREF: parse_CH_table+B8�j
  144. 40015AD4                                                                                       ; parse_CH_table+C2�j
  145. 40015AD4 020 30 1D                 ADDS  R0, R6, #4                                            ; Rd = Op1 + Op2
  146. 40015AD6 020 FF F7 D4 E8           BLX   standard_uread4                                       ; Branch with Link and Exchange (immediate address)
  147. 40015AD6 020
  148. 40015ADA 020 41 1C                 ADDS  R1, R0, #1                                            ; Rd = Op1 + Op2
  149. 40015ADC 020 08 D0                 BEQ   return_0                                              ; Branch
  150. 40015ADC
  151. 40015ADE 020 01 46                 MOV   R1, R0                                                ; arg_2
  152. 40015AE0 020 40 46                 MOV   R0, R8                                                ; arg_1
  153. 40015AE2 020 01 F0 3F FB           BL    mmc_something_4                                       ; Branch with Link
  154. 40015AE2 020
  155. 40015AE6 020 18 B9                 CBNZ  R0, return_0                                          ; Compare and Branch on Non-Zero
  156. 40015AE6
  157. 40015AE8 020 E0 79                 LDRB  R0, [R4,#7]                                           ; Load from Memory
  158. 40015AEA 020 40 F0 08 00           ORR.W R0, R0, #8                                            ; Rd = Op1 | Op2
  159. 40015AEE 020 E0 71                 STRB  R0, [R4,#7]                                           ; Store to Memory
  160. 40015AEE
  161. 40015AF0
  162. 40015AF0                 return_0                                                              ; CODE XREF: parse_CH_table:parse_CHMMCSD�j
  163. 40015AF0                                                                                       ; parse_CH_table+9A�j
  164. 40015AF0                                                                                       ; parse_CH_table+A8�j
  165. 40015AF0                                                                                       ; parse_CH_table+AC�j
  166. 40015AF0                                                                                       ; parse_CH_table+D4�j
  167. 40015AF0                                                                                       ; parse_CH_table+DE�j
  168. 40015AF0 020 00 20                 MOVS  R0, #0                                                ; Rd = Op2
  169. 40015AF2 020 BD E8 F0 87           POP.W {R4-R10,PC}                                           ; Pop registers
  170. 40015AF2 020
  171. 40015AF2                 ; End of function parse_CH_table
  172. 40015AF2
  173. 40015AF2                 ; ---------------------------------------------------------------------------
  174. 40015AF6 00 00                     DCW 0
  175. 40015AF8 C2 C0 C0 C0     dword_ROM_40015AF8 DCD CH_RAM_KEY                                     ; DATA XREF: parse_CH_table+4A�r
  176. 40015AF8                                                                                       ; parse_CH_table+76�r
  177. 40015AF8                                                                                       ; parse_CH_table+A2�r
  178. 40015AFC
  1. 40015C64                 ; =============== S U B R O U T I N E =======================================
  2. 40015C64
  3. 40015C64
  4. 40015C64                 ; int __fastcall parse_CHSETTINGS()
  5. 40015C64                 parse_CHSETTINGS                                                      ; CODE XREF: parse_CH_table+2C�p
  6. 40015C64                                                                                       ; sub_ROM_40015BC8+8A�p
  7. 40015C64                                                                                       ; DATA XREF: non_GP:40014200�o
  8. 40015C64 000 01 68                 LDR   R1, [R0]                                              ; Load from Memory
  9. 40015C66 000 CA 07                 LSLS  R2, R1, #0x1F                                         ; Logical Shift Left
  10. 40015C68 000 01 D1                 BNE   loc_ROM_40015C6E                                      ; Branch
  11. 40015C68
  12. 40015C6A 000 01 20                 MOVS  R0, #1                                                ; Rd = Op2
  13. 40015C6C 000 70 47                 BX    LR                                                    ; Branch to/from Thumb mode
  14. 40015C6C
  15. 40015C6E                 ; ---------------------------------------------------------------------------
  16. 40015C6E
  17. 40015C6E                 loc_ROM_40015C6E                                                      ; CODE XREF: parse_CHSETTINGS+4�j
  18. 40015C6E 000 0A 0E                 LSRS  R2, R1, #0x18                                         ; Logical Shift Right
  19. 40015C70 000 06 2A                 CMP   R2, #6                                                ; Set cond. codes on Op1 - Op2
  20. 40015C72 000 01 D8                 BHI   loc_ROM_40015C78                                      ; Branch
  21. 40015C72
  22. 40015C74 000 46 4B                 LDR   R3, =(dword_RAM_RESERVED_4020FCB0+0x2C)               ; Load from Memory
  23. 40015C76 000 1A 60                 STR   R2, [R3]                                              ; Store to Memory
  24. 40015C76
  25. 40015C78
  26. 40015C78                 loc_ROM_40015C78                                                      ; CODE XREF: parse_CHSETTINGS+E�j
  27. 40015C78 000 CA 05                 LSLS  R2, R1, #0x17                                         ; Logical Shift Left
  28. 40015C7A 000 46 49                 LDR   R1, =CM_IVA2                                          ; Load from Memory
  29. 40015C7C 000 06 D5                 BPL   loc_ROM_40015C8C                                      ; Branch
  30. 40015C7C
  31. 40015C7E 000 D1 F8 00 2D           LDR.W R2, [R1,#0xD00]                                       ; Load from Memory
  32. 40015C82 000 22 F0 07 02           BIC.W R2, R2, #7                                            ; Rd = Op1 & ~Op2
  33. 40015C86 000 52 1D                 ADDS  R2, R2, #5                                            ; Rd = Op1 + Op2
  34. 40015C88 000 C1 F8 00 2D           STR.W R2, [R1,#0xD00]                                       ; Store to Memory
  35. 40015C88 000
  36. 40015C8C
  37. 40015C8C                 loc_ROM_40015C8C                                                      ; CODE XREF: parse_CHSETTINGS+18�j
  38. 40015C8C 000 02 68                 LDR   R2, [R0]                                              ; Load from Memory
  39. 40015C8E 000 52 06                 LSLS  R2, R2, #0x19                                         ; Logical Shift Left
  40. 40015C90 000 07 D5                 BPL   loc_ROM_40015CA2                                      ; Branch
  41. 40015C90
  42. 40015C92 000 D1 F8 00 2D           LDR.W R2, [R1,#0xD00]                                       ; Load from Memory
  43. 40015C96 000 22 F4 E0 22           BIC.W R2, R2, #0x70000                                      ; Rd = Op1 & ~Op2
  44. 40015C9A 000 42 F4 80 32           ORR.W R2, R2, #0x10000                                      ; Rd = Op1 | Op2
  45. 40015C9E 000 C1 F8 00 2D           STR.W R2, [R1,#0xD00]                                       ; Store to Memory
  46. 40015C9E 000
  47. 40015CA2
  48. 40015CA2                 loc_ROM_40015CA2                                                      ; CODE XREF: parse_CHSETTINGS+2C�j
  49. 40015CA2 000 02 68                 LDR   R2, [R0]                                              ; Load from Memory
  50. 40015CA4 000 12 06                 LSLS  R2, R2, #0x18                                         ; Logical Shift Left
  51. 40015CA6 000 06 D5                 BPL   loc_ROM_40015CB6                                      ; Branch
  52. 40015CA6
  53. 40015CA8 000 D1 F8 04 29           LDR.W R2, [R1,#0x904]                                       ; Load from Memory
  54. 40015CAC 000 22 F0 07 02           BIC.W R2, R2, #7                                            ; Rd = Op1 & ~Op2
  55. 40015CB0 000 52 1D                 ADDS  R2, R2, #5                                            ; Rd = Op1 + Op2
  56. 40015CB2 000 C1 F8 04 29           STR.W R2, [R1,#0x904]                                       ; Store to Memory
  57. 40015CB2 000
  58. 40015CB6
  59. 40015CB6                 loc_ROM_40015CB6                                                      ; CODE XREF: parse_CHSETTINGS+42�j
  60. 40015CB6 000 38 4B                 LDR   R3, =PRM_CLKSRC_CTRL                                  ; Load from Memory
  61. 40015CB8 000 42 68                 LDR   R2, [R0,#4]                                           ; Load from Memory
  62. 40015CBA 000 1A 60                 STR   R2, [R3]                                              ; Store to Memory
  63. 40015CBC 000 37 4B                 LDR   R3, =0x48306D40                                       ; Load from Memory
  64. 40015CBE 000 82 68                 LDR   R2, [R0,#8]                                           ; Load from Memory
  65. 40015CC0 000 1A 60                 STR   R2, [R3]                                              ; Store to Memory
  66. 40015CC2 000 37 4B                 LDR   R3, =0x48005140                                       ; Load from Memory
  67. 40015CC4 000 C2 68                 LDR   R2, [R0,#0xC]                                         ; Load from Memory
  68. 40015CC6 000 1A 60                 STR   R2, [R3]                                              ; Store to Memory
  69. 40015CC8 000 02 68                 LDR   R2, [R0]                                              ; Load from Memory
  70. 40015CCA 000 52 07                 LSLS  R2, R2, #0x1D                                         ; Logical Shift Left
  71. 40015CCC 000 05 D5                 BPL   loc_ROM_40015CDA                                      ; Branch
  72. 40015CCC
  73. 40015CCE 000 02 69                 LDR   R2, [R0,#0x10]                                        ; Load from Memory
  74. 40015CD0 000 C1 F8 40 2A           STR.W R2, [R1,#0xA40]                                       ; Store to Memory
  75. 40015CD4 000 42 69                 LDR   R2, [R0,#0x14]                                        ; Load from Memory
  76. 40015CD6 000 C1 F8 40 2C           STR.W R2, [R1,#0xC40]                                       ; Store to Memory
  77. 40015CD6 000
  78. 40015CDA
  79. 40015CDA                 loc_ROM_40015CDA                                                      ; CODE XREF: parse_CHSETTINGS+68�j
  80. 40015CDA 000 02 68                 LDR   R2, [R0]                                              ; Load from Memory
  81. 40015CDC 000 13 07                 LSLS  R3, R2, #0x1C                                         ; Logical Shift Left
  82. 40015CDE 000 31 4A                 LDR   R2, =0x7FF00                                          ; Load from Memory
  83. 40015CE0 000 17 D5                 BPL   loc_ROM_40015D12                                      ; Branch
  84. 40015CE0
  85. 40015CE2 000 43 6A                 LDR   R3, [R0,#0x24]                                        ; Load from Memory
  86. 40015CE4 000 01 F5 50 61           ADD.W R1, R1, #0xD00                                        ; Rd = Op1 + Op2
  87. 40015CE8 000 23 F4 E0 23           BIC.W R3, R3, #0x70000                                      ; Rd = Op1 & ~Op2
  88. 40015CEC 000 43 F4 80 33           ORR.W R3, R3, #0x10000                                      ; Rd = Op1 | Op2
  89. 40015CF0 000 0B 60                 STR   R3, [R1]                                              ; Store to Memory
  90. 40015CF2 000 83 6A                 LDR   R3, [R0,#0x28]                                        ; Load from Memory
  91. 40015CF4 000 0B 63                 STR   R3, [R1,#0x30]                                        ; Store to Memory
  92. 40015CF6 000 C3 6A                 LDR   R3, [R0,#0x2C]                                        ; Load from Memory
  93. 40015CF8 000 4B 64                 STR   R3, [R1,#0x44]                                        ; Store to Memory
  94. 40015CFA 000 03 6B                 LDR   R3, [R0,#0x30]                                        ; Load from Memory
  95. 40015CFC 000 8B 64                 STR   R3, [R1,#0x48]                                        ; Store to Memory
  96. 40015CFE 000 4B 6C                 LDR   R3, [R1,#0x44]                                        ; Load from Memory
  97. 40015D00 000 A1 F5 50 61           SUB.W R1, R1, #0xD00                                        ; Rd = Op1 - Op2
  98. 40015D04 000 13 42                 TST   R3, R2                                                ; Set cond. codes on Op1 & Op2
  99. 40015D06 000 04 D0                 BEQ   loc_ROM_40015D12                                      ; Branch
  100. 40015D06
  101. 40015D08 000 43 6A                 LDR   R3, [R0,#0x24]                                        ; Load from Memory
  102. 40015D0A 000 43 F4 E0 23           ORR.W R3, R3, #0x70000                                      ; Rd = Op1 | Op2
  103. 40015D0E 000 C1 F8 00 3D           STR.W R3, [R1,#0xD00]                                       ; Store to Memory
  104. 40015D0E 000
  105. 40015D12
  106. 40015D12                 loc_ROM_40015D12                                                      ; CODE XREF: parse_CHSETTINGS+7C�j
  107. 40015D12                                                                                       ; parse_CHSETTINGS+A2�j
  108. 40015D12 000 03 68                 LDR   R3, [R0]                                              ; Load from Memory
  109. 40015D14 000 DB 06                 LSLS  R3, R3, #0x1B                                         ; Logical Shift Left
  110. 40015D16 000 1C D5                 BPL   loc_ROM_40015D52                                      ; Branch
  111. 40015D16
  112. 40015D18 000 43 6B                 LDR   R3, [R0,#0x34]                                        ; Load from Memory
  113. 40015D1A 000 01 F6 04 11           ADDW  R1, R1, #0x904                                        ; Rd = Op1 + Op2
  114. 40015D1E 000 23 F0 07 03           BIC.W R3, R3, #7                                            ; Rd = Op1 & ~Op2
  115. 40015D22 000 5B 1D                 ADDS  R3, R3, #5                                            ; Rd = Op1 + Op2
  116. 40015D24 000 0B 60                 STR   R3, [R1]                                              ; Store to Memory
  117. 40015D26 000 83 6B                 LDR   R3, [R0,#0x38]                                        ; Load from Memory
  118. 40015D28 000 0B 63                 STR   R3, [R1,#0x30]                                        ; Store to Memory
  119. 40015D2A 000 C3 6B                 LDR   R3, [R0,#0x3C]                                        ; Load from Memory
  120. 40015D2C 000 CB 63                 STR   R3, [R1,#0x3C]                                        ; Store to Memory
  121. 40015D2E 000 03 6C                 LDR   R3, [R0,#0x40]                                        ; Load from Memory
  122. 40015D30 000 0B 64                 STR   R3, [R1,#0x40]                                        ; Store to Memory
  123. 40015D32 000 43 6C                 LDR   R3, [R0,#0x44]                                        ; Load from Memory
  124. 40015D34 000 4B 64                 STR   R3, [R1,#0x44]                                        ; Store to Memory
  125. 40015D36 000 CB 6B                 LDR   R3, [R1,#0x3C]                                        ; Load from Memory
  126. 40015D38 000 A1 F6 04 11           SUBW  R1, R1, #0x904                                        ; Rd = Op1 - Op2
  127. 40015D3C 000 13 42                 TST   R3, R2                                                ; Set cond. codes on Op1 & Op2
  128. 40015D3E 000 08 D0                 BEQ   loc_ROM_40015D52                                      ; Branch
  129. 40015D3E
  130. 40015D40 000 42 6B                 LDR   R2, [R0,#0x34]                                        ; Load from Memory
  131. 40015D42 000 42 F0 07 02           ORR.W R2, R2, #7                                            ; Rd = Op1 | Op2
  132. 40015D46 000 C1 F8 04 29           STR.W R2, [R1,#0x904]                                       ; Store to Memory
  133. 40015D46 000
  134. 40015D4A
  135. 40015D4A                 loc_ROM_40015D4A                                                      ; CODE XREF: parse_CHSETTINGS+EC�j
  136. 40015D4A 000 D1 F8 24 29           LDR.W R2, [R1,#0x924]                                       ; Load from Memory
  137. 40015D4E 000 D2 07                 LSLS  R2, R2, #0x1F                                         ; Logical Shift Left
  138. 40015D50 000 FB D0                 BEQ   loc_ROM_40015D4A                                      ; Branch
  139. 40015D50
  140. 40015D52
  141. 40015D52                 loc_ROM_40015D52                                                      ; CODE XREF: parse_CHSETTINGS+B2�j
  142. 40015D52                                                                                       ; parse_CHSETTINGS+DA�j
  143. 40015D52 000 02 68                 LDR   R2, [R0]                                              ; Load from Memory
  144. 40015D54 000 92 06                 LSLS  R2, R2, #0x1A                                         ; Logical Shift Left
  145. 40015D56 000 19 D5                 BPL   loc_ROM_40015D8C                                      ; Branch
  146. 40015D56
  147. 40015D58 000 82 69                 LDR   R2, [R0,#0x18]                                        ; Load from Memory
  148. 40015D5A 000 22 F0 07 02           BIC.W R2, R2, #7                                            ; Rd = Op1 & ~Op2
  149. 40015D5E 000 52 1D                 ADDS  R2, R2, #5                                            ; Rd = Op1 + Op2
  150. 40015D60 000 C1 F8 00 2D           STR.W R2, [R1,#0xD00]                                       ; Store to Memory
  151. 40015D64 000 C2 69                 LDR   R2, [R0,#0x1C]                                        ; Load from Memory
  152. 40015D66 000 C1 F8 30 2D           STR.W R2, [R1,#0xD30]                                       ; Store to Memory
  153. 40015D6A 000 02 6A                 LDR   R2, [R0,#0x20]                                        ; Load from Memory
  154. 40015D6C 000 C1 F8 40 2D           STR.W R2, [R1,#0xD40]                                       ; Store to Memory
  155. 40015D70 000 D1 F8 40 2D           LDR.W R2, [R1,#0xD40]                                       ; Load from Memory
  156. 40015D74 000 0C 4B                 LDR   R3, =0x7FF0000                                        ; Load from Memory
  157. 40015D76 000 1A 42                 TST   R2, R3                                                ; Set cond. codes on Op1 & Op2
  158. 40015D78 000 08 D0                 BEQ   loc_ROM_40015D8C                                      ; Branch
  159. 40015D78
  160. 40015D7A 000 80 69                 LDR   R0, [R0,#0x18]                                        ; Load from Memory
  161. 40015D7C 000 40 F0 07 00           ORR.W R0, R0, #7                                            ; Rd = Op1 | Op2
  162. 40015D80 000 C1 F8 00 0D           STR.W R0, [R1,#0xD00]                                       ; Store to Memory
  163. 40015D80 000
  164. 40015D84
  165. 40015D84                 loc_ROM_40015D84                                                      ; CODE XREF: parse_CHSETTINGS+126�j
  166. 40015D84 000 D1 F8 20 0D           LDR.W R0, [R1,#0xD20]                                       ; Load from Memory
  167. 40015D88 000 C0 07                 LSLS  R0, R0, #0x1F                                         ; Logical Shift Left
  168. 40015D8A 000 FB D0                 BEQ   loc_ROM_40015D84                                      ; Branch
  169. 40015D8A
  170. 40015D8C
  171. 40015D8C                 loc_ROM_40015D8C                                                      ; CODE XREF: parse_CHSETTINGS+F2�j
  172. 40015D8C                                                                                       ; parse_CHSETTINGS+114�j
  173. 40015D8C 000 00 20                 MOVS  R0, #0                                                ; Rd = Op2
  174. 40015D8E 000 70 47                 BX    LR                                                    ; Branch to/from Thumb mode
  175. 40015D8E
  176. 40015D8E                 ; End of function parse_CHSETTINGS
  177. 40015D8E
  178. 40015D8E                 ; ---------------------------------------------------------------------------
  179. 40015D90 DC FC 20 40     off_ROM_40015D90 DCD dword_RAM_RESERVED_4020FCB0+0x2C                 ; DATA XREF: parse_CHSETTINGS+10�r
  180. 40015D94 00 40 00 48     dword_ROM_40015D94 DCD CM_IVA2                                        ; DATA XREF: parse_CHSETTINGS+16�r
  181. 40015D98 70 72 30 48     dword_ROM_40015D98 DCD PRM_CLKSRC_CTRL                                ; DATA XREF: parse_CHSETTINGS:loc_ROM_40015CB6�r
  182. 40015D9C 40 6D 30 48     dword_ROM_40015D9C DCD 0x48306D40                                     ; DATA XREF: parse_CHSETTINGS+58�r
  183. 40015DA0 40 51 00 48     dword_ROM_40015DA0 DCD 0x48005140                                     ; DATA XREF: parse_CHSETTINGS+5E�r
  184. 40015DA4 00 FF 07 00     dword_ROM_40015DA4 DCD 0x7FF00                                        ; DATA XREF: parse_CHSETTINGS+7A�r
  185. 40015DA8 00 00 FF 07     dword_ROM_40015DA8 DCD 0x7FF0000                                      ; DATA XREF: parse_CHSETTINGS+110�r
  186. 40015DAC