CH

From MILEDROPEDIA
Jump to: navigation, search

CH table

What is it?

Up to the first 512 bytes of the flash memory on OMAP34xx systems can be occupied by the Configuration Header, as described in section 26.4.8.2 in the OMAP34xx TRM. This table is loaded by the OMAP boot ROM in order to set various options before delivering control to the bootstrap code (X-Loader, included in the Initial Software image located at NAND position 0x00000208).

Is it protected?

  • Cryptographic protections
  • The CH table can be included in the signed bootstrap image. Starting from version 2.4 (released on 21/Jul/2008)((csst_sdp3430_releasenotes_v2_4.pdf, p.10, 3.1.1 Diagnostics module (platform dependent fixees) Table 3, Defect ID: OMAPS00159940 Description: Support for the Configuration Header (CH) within this signed image)), TI's tool CSST can include the CH table inside the signed code. Whether the Milestone's and the Droid's signed images include their respective CH tables is unknown. Some have argued that it may not be signed, but the fact that the tools to do it were available to Motorola and the fact that they would have to explicitly exclude the CH table from the image when they tried to sign each link in the boot chain are not encouraging.
  • However, there is another kind of interpretation of the release note 's statement:
    Support for the Configuration Header (CH) within this signed image
    Since this statement is inside the "Diagnostics module" section, and the word "support" can be interpreted as being able to continue the diagnostic without interrupting by the CH which wasn't expected in earlier version. In fact, by the practical use of CSST 2.5, there is no evidence showing that the CH is a part of the ISW that would affect the value of CertISW. An experiment has been done to sign an image with the CH options altered, the resulting binary diff shows only the difference in CH.


How does it differ between Droid and Milestone?

Inspection of the Milestone's "mbmloader dump", which spans this flash area, shows that it does contain a CH table, and that it differs from the Droid's (thanks to droid001 for noticing and for proposing the packed-fields format)((we have compared European and Latin American Milestone mbmloader dumps, and they are identical.)).

Position Droid CH Milestone CH Meaning
0x125 0xb9 0xae This sets the refresh countdown timer in the memory controller to 0x04b9 (Droid) or 0x04ae (Milestone). Thus, the Milestone's memory is refreshed about 0,9% faster than the Droid's, at least at boot time (this might be changed later according to [this]). Whether the Milestone's hardware supports running at Droid's lower refresh rate is unknown.
0x1a3 0x02 0x00 This value lies outside any CH ITEM, in a padding area. Whether it has a purpose or not is unknown.

In order to boot a Droid image on a Milestone (see mbmloader replacement attack) one might want to keep the Milestone CH. The abovementioned cryptographic protection may also preclude us to merge the Milestone CH with the Droid bootstrap code.

The CH table parsed

Parsing the CH table was not trivial. When reading the table with the usual fixed 32-bit word from the raw NAND, little-endian ordering, the results were somewhat surprising (CH present but inactive, "must be 0"'s that weren't, etc). Although it has not been fully understood why it might be being used, the following packed-fields mapping obtains more likely results:

  • 1-byte field: 0x12 as quoted on the TRM corresponds to byte 12 at the immediate next storage position
  • 2-byte field: 0x1234 as quoted on the TRM corresponds to bytes 34 12 at the immediate next storage positions
  • 4-byte field: 0x12345678 as quoted on the TRM corresponds to bytes 78 56 34 12 at the immediate next storage positions

The resulting CH looks like the following:

CH TOC

CH ITEM 1

  0000: a0 00 00 00  50 00 00 00  00 00 00 00  00 00 00 00
  0010: 00 00 00 00  43 48 53 45  54 54 49 4e  47 53 00 00
Field name Value Meaning
Start 0x000000a0 Points to start of Item 1
Size 0x00000050 Length of Item 1
Reserved 0x00000000 0x00000000 0x00000000
Filename "CHSETTINGS" Type of Item 1

CH ITEM 2

  0020: f0 00 00 00  5c 00 00 00  00 00 00 00  00 00 00 00
  0030: 00 00 00 00  43 48 52 41  4d 00 00 00  00 00 00 00
Field name Value Meaning
Start 0x000000f0 Points to start of Item 2
Size 0x0000005c Length of Item 2
Reserved 0x00000000 0x00000000 0x00000000
Filename "CHRAM" Type of Item 2

CH TOC closing mark

  0040: ff ff ff ff  ff ff ff ff  ff ff ff ff  ff ff ff ff
  0050: ff ff ff ff  ff ff ff ff  ff ff ff ff  ff ff ff ff

EMPTY DATA SPACE

  0060: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
  0070: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
  0080: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
  0090: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00

ITEM 1: CHSETTINGS BLOCK

  00a0: c1 c0 c0 c0  00 01 00 00  01 00 00 02  00 00 00 00
  00b0: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
  00c0: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
  00d0: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
  00e0: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
Field name Value Meaning
Section key 0xc0c0c0c1 this verifies that it's a CHSETTINGS block, ok
Valid 0x00 this block is DISABLED, so it's not used!!!
Version 0x01 correct
Reserved 0x0000
Clock settings 0x02000001 Clock configuration applied = 1 [yes]
  • Reserved = 0
  • Perform clock configuration = 0 [no]
  • Set and lock DPLL4 PER = 0 [no]
  • Set and lock DPLL1 (MPU) = 0 [no]
  • Set and lock DPLL3 (CORE) = 0 [no]
  • Bypass DPLL4 before setting clocks = 0 [no]
  • Bypass DPLL1 before setting clocks = 0 [no]
  • Bypass DPLL3 before setting clocks = 0 [no]
  • System clock ID = 0x02 [13 MHz]

ITEM 2: CHRAM BLOCK

  00f0: c2 c0 c0 c0  01 00 00 00  00 00 04 00  00 01 00 00
  0100: 08 00 00 0f  00 00 00 00  00 00 00 00  03 00 00 00
  0110: 99 80 58 03  32 00 00 00  20 00 00 00  c6 b4 9d ba
  0120: 20 22 02 00  02 ae 04 00  03 00 00 00  00 00 00 00
  0130: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
  0140: 00 00 00 00  00 00 00 00  01 00 00 00
Field name Value Meaning
Section key 0xc0c0c0c2 this verifies that it's a CHRAM block, ok
Valid 0x01 this block is enabled
Reserved 0x000000
SDRC_SYSCONFIG (LSB) 0x0000
SDRC_CS_CFG (LSB) 0x0004
SDRC_SHARING (LSB) 0x0100
SDRC_ERR_TYPE (LSB) 0x0000
SDRC_DLLA_CTRL (LSB) 0x0008
SDRC_DLLA_CTRL (MSB) 0x0f00
Reserved 0x0000
Reserved 0x0000
SDRC_POWER (LSB) 0x0000
SDRC_POWER (MSB) 0x0000
Memory type (LSB) 0x0003 Mobile DDR
"Must be 0" 0x0000 ok
SDRC_MCFG_0 (LSB) 0x0008
SDRC_MCFG_0 (MSB) 0x0358
SDRC_MR_0 (LSB) 0x0000
SDRC_EMR1_0 (LSB) 0x0000
SDRC_EMR2_0 (LSB) 0x0000
SDRC_EMR3_0 (LSB) 0x0000
SDRC_ACTIM_CTRLA_0 (LSB) 0x0003
SDRC_ACTIM_CTRLA_0 (MSB) 0x0000
SDRC_ACTIM_CTRLB_0 (LSB) 0x2220
SDRC_ACTIM_CTRLB_0 (MSB) 0x0002
SDRC_RFRCTRL_0 (LSB) 0xae02 this value differs between the Droid and the Milestone; the Droid uses the 0xb902 value here. See the next comment.
SDRC_RFRCTRL_0 (MSB) 0x0004
  • SDRC_RFR_CTRL_0[23:8]: ARCV = 0x04ae for Milestone or 0x04b9 for Droid. This is the autorefresh counter value to set the refresh period. The autorefresh counter is uploaded with the result of (tREFI / tCK)-50
  • SDRC_RFR_CTRL_0[7:2]: Reserved = 0
  • SDRC_RFR_CTRL_0[1:0]: ARE = 0x2 This means refresh counter is loaded with 4xARCV: Burst of 4 autorefresh commands when autorefresh counter reaches 0
Memory type (LSB) 0x0003 Mobile DDR
"Must be 0" 0x0000 ok
SDRC_MCFG_1 (LSB) 0x0000
SDRC_MCFG_1 (MSB) 0x0000
SDRC_MR_1 (LSB) 0x0000
SDRC_EMR1_1 (LSB) 0x0000
SDRC_EMR2_1 (LSB) 0x0000
SDRC_EMR3_1 (LSB) 0x0000
SDRC_ACTIM_CTRLA_1 (LSB) 0x0000
SDRC_ACTIM_CTRLA_1 (MSB) 0x0000
SDRC_ACTIM_CTRLB_1 (LSB) 0x0000
SDRC_ACTIM_CTRLB_1 (MSB) 0x0000
SDRC_RFRCTRL_1 (LSB) 0x0000
SDRC_RFRCTRL_1 (MSB) 0x0000
Reserved 0x0000
Reserved 0x0000
Flags 0x0001 CS0 is configured
"Must be 0" 0x0000

MORE EMPTY DATA SPACE

  0140:                                        00 00 00 00
  0150: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
  0160: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
  0170: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
  0180: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
  0190: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
  01a0: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
  01b0: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
  01c0: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
  01d0: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
  01e0: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
  01f0: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00

CH END

Code listings from boot ROM

Invalid language.

You need to specify a language like this: <source lang="html4strict">...</source>

Supported languages for syntax highlighting:

4cs, 6502acme, 6502kickass, 6502tasm, 68000devpac, abap, actionscript, actionscript3, ada, algol68, apache, applescript, apt_sources, arm, asm, asp, asymptote, autoconf, autohotkey, autoit, avisynth, awk, bascomavr, bash, basic4gl, bf, bibtex, blitzbasic, bnf, boo, c, c_loadrunner, c_mac, caddcl, cadlisp, cfdg, cfm, chaiscript, cil, clojure, cmake, cobol, coffeescript, cpp, cpp-qt, csharp, css, cuesheet, d, dcl, dcpu16, dcs, delphi, diff, div, dos, dot, e, ecmascript, eiffel, email, epc, erlang, euphoria, f1, falcon, fo, fortran, freebasic, freeswitch, fsharp, gambas, gdb, genero, genie, gettext, glsl, gml, gnuplot, go, groovy, gwbasic, haskell, haxe, hicest, hq9plus, html4strict, html5, icon, idl, ini, inno, intercal, io, j, java, java5, javascript, jquery, kixtart, klonec, klonecpp, latex, lb, ldif, lisp, llvm, locobasic, logtalk, lolcode, lotusformulas, lotusscript, lscript, lsl2, lua, m68k, magiksf, make, mapbasic, matlab, mirc, mmix, modula2, modula3, mpasm, mxml, mysql, nagios, netrexx, newlisp, nsis, oberon2, objc, objeck, ocaml, ocaml-brief, octave, oobas, oorexx, oracle11, oracle8, oxygene, oz, parasail, parigp, pascal, pcre, per, perl, perl6, pf, php, php-brief, pic16, pike, pixelbender, pli, plsql, postgresql, povray, powerbuilder, powershell, proftpd, progress, prolog, properties, providex, purebasic, pycon, pys60, python, q, qbasic, rails, rebol, reg, rexx, robots, rpmspec, rsplus, ruby, sas, scala, scheme, scilab, sdlbasic, smalltalk, smarty, spark, sparql, sql, stonescript, systemverilog, tcl, teraterm, text, thinbasic, tsql, typoscript, unicon, upc, urbi, uscript, vala, vb, vbnet, vedit, verilog, vhdl, vim, visualfoxpro, visualprolog, whitespace, whois, winbatch, xbasic, xml, xorg_conf, xpp, yaml, z80, zxbasic


ROM:40015A08
ROM:40015A08                 ; =============== S U B R O U T I N E =======================================
ROM:40015A08
ROM:40015A08
ROM:40015A08                 ; int __cdecl parse_CH_table(int, int, int)
ROM:40015A08                 parse_CH_table                                                        ; CODE XREF: sub_40019494+7E�p
ROM:40015A08
ROM:40015A08                 arg_8           =  8
ROM:40015A08
ROM:40015A08 000 2D E9 F0 47                 PUSH.W          {R4-R10,LR}                           ; Push registers
ROM:40015A0C 020 1D 00                       MOVS            R5, R3                                ; Rd = Op2
ROM:40015A0E 020 07 46                       MOV             R7, R0                                ; Rd = Op2
ROM:40015A10 020 88 46                       MOV             R8, R1                                ; Rd = Op2
ROM:40015A12 020 DD E9 08 A9                 LDRD.W          R10, R9, [SP,#0x20]                   ; Load pair of registers
ROM:40015A16 020 14 46                       MOV             R4, R2                                ; Rd = Op2
ROM:40015A18 020 0A 9E                       LDR             R6, [SP,#0x20+arg_8]                  ; Load from Memory
ROM:40015A1A 020 12 D0                       BEQ             parse_CHRAM                           ; Branch
ROM:40015A1A
ROM:40015A1C 020 B8 06                       LSLS            R0, R7, #0x1A                         ; Logical Shift Left
ROM:40015A1E 020 10 D4                       BMI             parse_CHRAM                           ; Branch
ROM:40015A1E
ROM:40015A20 020 28 46                       MOV             R0, R5                                ; Rd = Op2
ROM:40015A22 020 FF F7 2E E9                 BLX             standard_uread4                       ; Branch with Link and Exchange (immediate address)
ROM:40015A22 020
ROM:40015A26 020 10 F1 3F 3F                 CMN.W           R0, #0x3F3F3F3F                       ; Set cond. codes on Op1 + Op2
ROM:40015A2A 020 0A D1                       BNE             parse_CHRAM                           ; Branch
ROM:40015A2A
ROM:40015A2C 020 28 79                       LDRB            R0, [R5,#4]                           ; Load from Memory
ROM:40015A2E 020 40 B1                       CBZ             R0, parse_CHRAM                       ; Compare and Branch on Zero
ROM:40015A2E
ROM:40015A30 020 05 F1 08 00                 ADD.W           R0, R5, #8                            ; Rd = Op1 + Op2
ROM:40015A34 020 00 F0 16 F9                 BL              parse_CHSETTINGS                      ; Branch with Link
ROM:40015A34 020
ROM:40015A38 020 18 B9                       CBNZ            R0, parse_CHRAM                       ; Compare and Branch on Non-Zero
ROM:40015A38
ROM:40015A3A 020 E0 79                       LDRB            R0, [R4,#7]                           ; Load from Memory
ROM:40015A3C 020 40 F0 01 00                 ORR.W           R0, R0, #1                            ; Rd = Op1 | Op2
ROM:40015A40 020 E0 71                       STRB            R0, [R4,#7]                           ; Store to Memory
ROM:40015A40
ROM:40015A42
ROM:40015A42                 parse_CHRAM                                                           ; CODE XREF: parse_CH_table+12�j
ROM:40015A42                                                                                       ; parse_CH_table+16�j ...
ROM:40015A42 020 5F EA 0A 05                 MOVS.W          R5, R10                               ; Rd = Op2
ROM:40015A46 020 12 D0                       BEQ             parse_CHFLASH                         ; Branch
ROM:40015A46
ROM:40015A48 020 78 06                       LSLS            R0, R7, #0x19                         ; Logical Shift Left
ROM:40015A4A 020 10 D4                       BMI             parse_CHFLASH                         ; Branch
ROM:40015A4A
ROM:40015A4C 020 28 46                       MOV             R0, R5                                ; Rd = Op2
ROM:40015A4E 020 FF F7 18 E9                 BLX             standard_uread4                       ; Branch with Link and Exchange (immediate address)
ROM:40015A4E 020
ROM:40015A52 020 29 49                       LDR             R1, =CH_RAM_KEY                       ; Load from Memory
ROM:40015A54 020 88 42                       CMP             R0, R1                                ; Set cond. codes on Op1 - Op2
ROM:40015A56 020 0A D1                       BNE             parse_CHFLASH                         ; Branch
ROM:40015A56
ROM:40015A58 020 28 79                       LDRB            R0, [R5,#4]                           ; Load from Memory
ROM:40015A5A 020 40 B1                       CBZ             R0, parse_CHFLASH                     ; Compare and Branch on Zero
ROM:40015A5A
ROM:40015A5C 020 05 F1 08 00                 ADD.W           R0, R5, #8                            ; Rd = Op1 + Op2
ROM:40015A60 020 02 F0 BE F8                 BL              parse_CHRAM_block                     ; Branch with Link
ROM:40015A60 020
ROM:40015A64 020 18 B9                       CBNZ            R0, parse_CHFLASH                     ; Compare and Branch on Non-Zero
ROM:40015A64
ROM:40015A66 020 E0 79                       LDRB            R0, [R4,#7]                           ; Load from Memory
ROM:40015A68 020 40 F0 02 00                 ORR.W           R0, R0, #2                            ; Rd = Op1 | Op2
ROM:40015A6C 020 E0 71                       STRB            R0, [R4,#7]                           ; Store to Memory
ROM:40015A6C
ROM:40015A6E
ROM:40015A6E                 parse_CHFLASH                                                         ; CODE XREF: parse_CH_table+3E�j
ROM:40015A6E                                                                                       ; parse_CH_table+42�j ...
ROM:40015A6E 020 5F EA 09 05                 MOVS.W          R5, R9                                ; Rd = Op2
ROM:40015A72 020 14 D0                       BEQ             parse_CHMMCSD                         ; Branch
ROM:40015A72
ROM:40015A74 020 38 06                       LSLS            R0, R7, #0x18                         ; Logical Shift Left
ROM:40015A76 020 12 D4                       BMI             parse_CHMMCSD                         ; Branch
ROM:40015A76
ROM:40015A78 020 28 46                       MOV             R0, R5                                ; Rd = Op2
ROM:40015A7A 020 FF F7 02 E9                 BLX             standard_uread4                       ; Branch with Link and Exchange (immediate address)
ROM:40015A7A 020
ROM:40015A7E 020 1E 49                       LDR             R1, =CH_RAM_KEY                       ; Load from Memory
ROM:40015A80 020 49 1C                       ADDS            R1, R1, #1                            ; Rd = Op1 + Op2
ROM:40015A82 020 88 42                       CMP             R0, R1                                ; Set cond. codes on Op1 - Op2
ROM:40015A84 020 0B D1                       BNE             parse_CHMMCSD                         ; Branch
ROM:40015A84
ROM:40015A86 020 28 79                       LDRB            R0, [R5,#4]                           ; Load from Memory
ROM:40015A88 020 48 B1                       CBZ             R0, parse_CHMMCSD                     ; Compare and Branch on Zero
ROM:40015A88
ROM:40015A8A 020 00 21                       MOVS            R1, #0                                ; arg_2
ROM:40015A8C 020 05 F1 08 00                 ADD.W           R0, R5, #8                            ; arg_1
ROM:40015A90 020 FE F7 6E FD                 BL              parse_CHFLASH                         ; Branch with Link
ROM:40015A90 020
ROM:40015A94 020 18 B9                       CBNZ            R0, parse_CHMMCSD                     ; Compare and Branch on Non-Zero
ROM:40015A94
ROM:40015A96 020 E0 79                       LDRB            R0, [R4,#7]                           ; Load from Memory
ROM:40015A98 020 40 F0 04 00                 ORR.W           R0, R0, #4                            ; Rd = Op1 | Op2
ROM:40015A9C 020 E0 71                       STRB            R0, [R4,#7]                           ; Store to Memory
ROM:40015A9C
ROM:40015A9E
ROM:40015A9E                 parse_CHMMCSD                                                         ; CODE XREF: parse_CH_table+6A�j
ROM:40015A9E                                                                                       ; parse_CH_table+6E�j ...
ROM:40015A9E 020 3E B3                       CBZ             R6, return_0                          ; Compare and Branch on Zero
ROM:40015A9E
ROM:40015AA0 020 F8 05                       LSLS            R0, R7, #0x17                         ; Logical Shift Left
ROM:40015AA2 020 25 D4                       BMI             return_0                              ; Branch
ROM:40015AA2
ROM:40015AA4 020 30 46                       MOV             R0, R6                                ; Rd = Op2
ROM:40015AA6 020 FF F7 EC E8                 BLX             standard_uread4                       ; Branch with Link and Exchange (immediate address)
ROM:40015AA6 020
ROM:40015AAA 020 13 49                       LDR             R1, =CH_RAM_KEY                       ; Load from Memory
ROM:40015AAC 020 89 1C                       ADDS            R1, R1, #2                            ; Rd = Op1 + Op2
ROM:40015AAE 020 88 42                       CMP             R0, R1                                ; Set cond. codes on Op1 - Op2
ROM:40015AB0 020 1E D1                       BNE             return_0                              ; Branch
ROM:40015AB0
ROM:40015AB2 020 30 79                       LDRB            R0, [R6,#4]                           ; Load from Memory
ROM:40015AB4 020 E0 B1                       CBZ             R0, return_0                          ; Compare and Branch on Zero
ROM:40015AB4
ROM:40015AB6 020 08 36                       ADDS            R6, #8                                ; Rd = Op1 + Op2
ROM:40015AB8 020 30 46                       MOV             R0, R6                                ; Rd = Op2
ROM:40015ABA 020 FF F7 E2 E8                 BLX             standard_uread4                       ; Branch with Link and Exchange (immediate address)
ROM:40015ABA 020
ROM:40015ABE 020 41 1C                       ADDS            R1, R0, #1                            ; Rd = Op1 + Op2
ROM:40015AC0 020 08 D0                       BEQ             loc_40015AD4                          ; Branch
ROM:40015AC0
ROM:40015AC2 020 01 46                       MOV             R1, R0                                ; Rd = Op2
ROM:40015AC4 020 40 46                       MOV             R0, R8                                ; Rd = Op2
ROM:40015AC6 020 01 F0 9F FB                 BL              parse_CHMMCSD                         ; Branch with Link
ROM:40015AC6 020
ROM:40015ACA 020 18 B9                       CBNZ            R0, loc_40015AD4                      ; Compare and Branch on Non-Zero
ROM:40015ACA
ROM:40015ACC 020 E0 79                       LDRB            R0, [R4,#7]                           ; Load from Memory
ROM:40015ACE 020 40 F0 08 00                 ORR.W           R0, R0, #8                            ; Rd = Op1 | Op2
ROM:40015AD2 020 E0 71                       STRB            R0, [R4,#7]                           ; Store to Memory
ROM:40015AD2
ROM:40015AD4
ROM:40015AD4                 loc_40015AD4                                                          ; CODE XREF: parse_CH_table+B8�j
ROM:40015AD4                                                                                       ; parse_CH_table+C2�j
ROM:40015AD4 020 30 1D                       ADDS            R0, R6, #4                            ; Rd = Op1 + Op2
ROM:40015AD6 020 FF F7 D4 E8                 BLX             standard_uread4                       ; Branch with Link and Exchange (immediate address)
ROM:40015AD6 020
ROM:40015ADA 020 41 1C                       ADDS            R1, R0, #1                            ; Rd = Op1 + Op2
ROM:40015ADC 020 08 D0                       BEQ             return_0                              ; Branch
ROM:40015ADC
ROM:40015ADE 020 01 46                       MOV             R1, R0                                ; arg_2
ROM:40015AE0 020 40 46                       MOV             R0, R8                                ; arg_1
ROM:40015AE2 020 01 F0 3F FB                 BL              mmc_something_4                       ; Branch with Link
ROM:40015AE2 020
ROM:40015AE6 020 18 B9                       CBNZ            R0, return_0                          ; Compare and Branch on Non-Zero
ROM:40015AE6
ROM:40015AE8 020 E0 79                       LDRB            R0, [R4,#7]                           ; Load from Memory
ROM:40015AEA 020 40 F0 08 00                 ORR.W           R0, R0, #8                            ; Rd = Op1 | Op2
ROM:40015AEE 020 E0 71                       STRB            R0, [R4,#7]                           ; Store to Memory
ROM:40015AEE
ROM:40015AF0
ROM:40015AF0                 return_0                                                              ; CODE XREF: parse_CH_table:parse_CHMMCSD�j
ROM:40015AF0                                                                                       ; parse_CH_table+9A�j ...
ROM:40015AF0 020 00 20                       MOVS            R0, #0                                ; Rd = Op2
ROM:40015AF2 020 BD E8 F0 87                 POP.W           {R4-R10,PC}                           ; Pop registers
ROM:40015AF2 020
ROM:40015AF2                 ; End of function parse_CH_table
ROM:40015AF2
ROM:40015AF2                 ; ---------------------------------------------------------------------------
ROM:40015AF6 00 00                           DCW 0
ROM:40015AF8 C2 C0 C0 C0     dword_40015AF8  DCD CH_RAM_KEY                                        ; DATA XREF: parse_CH_table+4A�r
ROM:40015AF8                                                                                       ; parse_CH_table+76�r ...

Invalid language.

You need to specify a language like this: <source lang="html4strict">...</source>

Supported languages for syntax highlighting:

4cs, 6502acme, 6502kickass, 6502tasm, 68000devpac, abap, actionscript, actionscript3, ada, algol68, apache, applescript, apt_sources, arm, asm, asp, asymptote, autoconf, autohotkey, autoit, avisynth, awk, bascomavr, bash, basic4gl, bf, bibtex, blitzbasic, bnf, boo, c, c_loadrunner, c_mac, caddcl, cadlisp, cfdg, cfm, chaiscript, cil, clojure, cmake, cobol, coffeescript, cpp, cpp-qt, csharp, css, cuesheet, d, dcl, dcpu16, dcs, delphi, diff, div, dos, dot, e, ecmascript, eiffel, email, epc, erlang, euphoria, f1, falcon, fo, fortran, freebasic, freeswitch, fsharp, gambas, gdb, genero, genie, gettext, glsl, gml, gnuplot, go, groovy, gwbasic, haskell, haxe, hicest, hq9plus, html4strict, html5, icon, idl, ini, inno, intercal, io, j, java, java5, javascript, jquery, kixtart, klonec, klonecpp, latex, lb, ldif, lisp, llvm, locobasic, logtalk, lolcode, lotusformulas, lotusscript, lscript, lsl2, lua, m68k, magiksf, make, mapbasic, matlab, mirc, mmix, modula2, modula3, mpasm, mxml, mysql, nagios, netrexx, newlisp, nsis, oberon2, objc, objeck, ocaml, ocaml-brief, octave, oobas, oorexx, oracle11, oracle8, oxygene, oz, parasail, parigp, pascal, pcre, per, perl, perl6, pf, php, php-brief, pic16, pike, pixelbender, pli, plsql, postgresql, povray, powerbuilder, powershell, proftpd, progress, prolog, properties, providex, purebasic, pycon, pys60, python, q, qbasic, rails, rebol, reg, rexx, robots, rpmspec, rsplus, ruby, sas, scala, scheme, scilab, sdlbasic, smalltalk, smarty, spark, sparql, sql, stonescript, systemverilog, tcl, teraterm, text, thinbasic, tsql, typoscript, unicon, upc, urbi, uscript, vala, vb, vbnet, vedit, verilog, vhdl, vim, visualfoxpro, visualprolog, whitespace, whois, winbatch, xbasic, xml, xorg_conf, xpp, yaml, z80, zxbasic


ROM:40015C64
ROM:40015C64                 ; =============== S U B R O U T I N E =======================================
ROM:40015C64
ROM:40015C64
ROM:40015C64                 parse_CHSETTINGS                                                      ; CODE XREF: parse_CH_table+2C�p
ROM:40015C64                                                                                       ; something_with_scratchpad+8A�p
ROM:40015C64 000 01 68                       LDR             R1, [R0]                              ; Load from Memory
ROM:40015C66 000 CA 07                       LSLS            R2, R1, #0x1F                         ; Logical Shift Left
ROM:40015C68 000 01 D1                       BNE             continue                              ; Branch
ROM:40015C68
ROM:40015C6A 000 01 20                       MOVS            R0, #1                                ; Rd = Op2
ROM:40015C6C 000 70 47                       BX              LR                                    ; Branch to/from Thumb mode
ROM:40015C6C
ROM:40015C6E                 ; ---------------------------------------------------------------------------
ROM:40015C6E
ROM:40015C6E                 continue                                                              ; CODE XREF: parse_CHSETTINGS+4�j
ROM:40015C6E 000 0A 0E                       LSRS            R2, R1, #0x18                         ; Logical Shift Right
ROM:40015C70 000 06 2A                       CMP             R2, #6                                ; Set cond. codes on Op1 - Op2
ROM:40015C72 000 01 D8                       BHI             loc_40015C78                          ; Branch
ROM:40015C72
ROM:40015C74 000 46 4B                       LDR             R3, =dword_4020FCDC                   ; Load from Memory
ROM:40015C76 000 1A 60                       STR             R2, [R3]                              ; Store to Memory
ROM:40015C76
ROM:40015C78
ROM:40015C78                 loc_40015C78                                                          ; CODE XREF: parse_CHSETTINGS+E�j
ROM:40015C78 000 CA 05                       LSLS            R2, R1, #0x17                         ; Logical Shift Left
ROM:40015C7A 000 46 49                       LDR             R1, =OMAP3430_reg_CM_FCLKEN_IVA2      ; This register controls the IVA2 domain functional clock activity
ROM:40015C7C 000 06 D5                       BPL             loc_40015C8C                          ; Branch
ROM:40015C7C
ROM:40015C7E 000 D1 F8 00 2D                 LDR.W           R2, [R1,#0xD00]                       ; Load from Memory
ROM:40015C82 000 22 F0 07 02                 BIC.W           R2, R2, #7                            ; Rd = Op1 & ~Op2
ROM:40015C86 000 52 1D                       ADDS            R2, R2, #5                            ; Rd = Op1 + Op2
ROM:40015C88 000 C1 F8 00 2D                 STR.W           R2, [R1,#0xD00]                       ; Store to Memory
ROM:40015C88 000
ROM:40015C8C
ROM:40015C8C                 loc_40015C8C                                                          ; CODE XREF: parse_CHSETTINGS+18�j
ROM:40015C8C 000 02 68                       LDR             R2, [R0]                              ; Load from Memory
ROM:40015C8E 000 52 06                       LSLS            R2, R2, #0x19                         ; Logical Shift Left
ROM:40015C90 000 07 D5                       BPL             loc_40015CA2                          ; Branch
ROM:40015C90
ROM:40015C92 000 D1 F8 00 2D                 LDR.W           R2, [R1,#0xD00]                       ; Load from Memory
ROM:40015C96 000 22 F4 E0 22                 BIC.W           R2, R2, #0x70000                      ; Rd = Op1 & ~Op2
ROM:40015C9A 000 42 F4 80 32                 ORR.W           R2, R2, #0x10000                      ; Rd = Op1 | Op2
ROM:40015C9E 000 C1 F8 00 2D                 STR.W           R2, [R1,#0xD00]                       ; Store to Memory
ROM:40015C9E 000
ROM:40015CA2
ROM:40015CA2                 loc_40015CA2                                                          ; CODE XREF: parse_CHSETTINGS+2C�j
ROM:40015CA2 000 02 68                       LDR             R2, [R0]                              ; Load from Memory
ROM:40015CA4 000 12 06                       LSLS            R2, R2, #0x18                         ; Logical Shift Left
ROM:40015CA6 000 06 D5                       BPL             loc_40015CB6                          ; Branch
ROM:40015CA6
ROM:40015CA8 000 D1 F8 04 29                 LDR.W           R2, [R1,#0x904]                       ; Load from Memory
ROM:40015CAC 000 22 F0 07 02                 BIC.W           R2, R2, #7                            ; Rd = Op1 & ~Op2
ROM:40015CB0 000 52 1D                       ADDS            R2, R2, #5                            ; Rd = Op1 + Op2
ROM:40015CB2 000 C1 F8 04 29                 STR.W           R2, [R1,#0x904]                       ; Store to Memory
ROM:40015CB2 000
ROM:40015CB6
ROM:40015CB6                 loc_40015CB6                                                          ; CODE XREF: parse_CHSETTINGS+42�j
ROM:40015CB6 000 38 4B                       LDR             R3, =OMAP3430_reg_PRM_CLKSRC_CTRL     ; This register provides control over the device source clock
ROM:40015CB8 000 42 68                       LDR             R2, [R0,#4]                           ; Load from Memory
ROM:40015CBA 000 1A 60                       STR             R2, [R3]                              ; Store to Memory
ROM:40015CBC 000 37 4B                       LDR             R3, =OMAP3430_reg_PRM_CLKSEL          ; This register controls the selection of the system clock frequency. This register is reset on power-up only
ROM:40015CBE 000 82 68                       LDR             R2, [R0,#8]                           ; Load from Memory
ROM:40015CC0 000 1A 60                       STR             R2, [R3]                              ; Store to Memory
ROM:40015CC2 000 37 4B                       LDR             R3, =OMAP3430_reg_CM_CLKSEL1_EMU      ; Modules clock selection
ROM:40015CC4 000 C2 68                       LDR             R2, [R0,#0xC]                         ; Load from Memory
ROM:40015CC6 000 1A 60                       STR             R2, [R3]                              ; Store to Memory
ROM:40015CC8 000 02 68                       LDR             R2, [R0]                              ; Load from Memory
ROM:40015CCA 000 52 07                       LSLS            R2, R2, #0x1D                         ; Logical Shift Left
ROM:40015CCC 000 05 D5                       BPL             loc_40015CDA                          ; Branch
ROM:40015CCC
ROM:40015CCE 000 02 69                       LDR             R2, [R0,#0x10]                        ; Load from Memory
ROM:40015CD0 000 C1 F8 40 2A                 STR.W           R2, [R1,#0xA40]                       ; Store to Memory
ROM:40015CD4 000 42 69                       LDR             R2, [R0,#0x14]                        ; Load from Memory
ROM:40015CD6 000 C1 F8 40 2C                 STR.W           R2, [R1,#0xC40]                       ; Store to Memory
ROM:40015CD6 000
ROM:40015CDA
ROM:40015CDA                 loc_40015CDA                                                          ; CODE XREF: parse_CHSETTINGS+68�j
ROM:40015CDA 000 02 68                       LDR             R2, [R0]                              ; Load from Memory
ROM:40015CDC 000 13 07                       LSLS            R3, R2, #0x1C                         ; Logical Shift Left
ROM:40015CDE 000 31 4A                       LDR             R2, =0x7FF00                          ; Load from Memory
ROM:40015CE0 000 17 D5                       BPL             loc_40015D12                          ; Branch
ROM:40015CE0
ROM:40015CE2 000 43 6A                       LDR             R3, [R0,#0x24]                        ; Load from Memory
ROM:40015CE4 000 01 F5 50 61                 ADD.W           R1, R1, #0xD00                        ; Rd = Op1 + Op2
ROM:40015CE8 000 23 F4 E0 23                 BIC.W           R3, R3, #0x70000                      ; Rd = Op1 & ~Op2
ROM:40015CEC 000 43 F4 80 33                 ORR.W           R3, R3, #0x10000                      ; Rd = Op1 | Op2
ROM:40015CF0 000 0B 60                       STR             R3, [R1]                              ; Store to Memory
ROM:40015CF2 000 83 6A                       LDR             R3, [R0,#0x28]                        ; Load from Memory
ROM:40015CF4 000 0B 63                       STR             R3, [R1,#0x30]                        ; Store to Memory
ROM:40015CF6 000 C3 6A                       LDR             R3, [R0,#0x2C]                        ; Load from Memory
ROM:40015CF8 000 4B 64                       STR             R3, [R1,#0x44]                        ; Store to Memory
ROM:40015CFA 000 03 6B                       LDR             R3, [R0,#0x30]                        ; Load from Memory
ROM:40015CFC 000 8B 64                       STR             R3, [R1,#0x48]                        ; Store to Memory
ROM:40015CFE 000 4B 6C                       LDR             R3, [R1,#0x44]                        ; Load from Memory
ROM:40015D00 000 A1 F5 50 61                 SUB.W           R1, R1, #0xD00                        ; Rd = Op1 - Op2
ROM:40015D04 000 13 42                       TST             R3, R2                                ; Set cond. codes on Op1 & Op2
ROM:40015D06 000 04 D0                       BEQ             loc_40015D12                          ; Branch
ROM:40015D06
ROM:40015D08 000 43 6A                       LDR             R3, [R0,#0x24]                        ; Load from Memory
ROM:40015D0A 000 43 F4 E0 23                 ORR.W           R3, R3, #0x70000                      ; Rd = Op1 | Op2
ROM:40015D0E 000 C1 F8 00 3D                 STR.W           R3, [R1,#0xD00]                       ; Store to Memory
ROM:40015D0E 000
ROM:40015D12
ROM:40015D12                 loc_40015D12                                                          ; CODE XREF: parse_CHSETTINGS+7C�j
ROM:40015D12                                                                                       ; parse_CHSETTINGS+A2�j
ROM:40015D12 000 03 68                       LDR             R3, [R0]                              ; Load from Memory
ROM:40015D14 000 DB 06                       LSLS            R3, R3, #0x1B                         ; Logical Shift Left
ROM:40015D16 000 1C D5                       BPL             loc_40015D52                          ; Branch
ROM:40015D16
ROM:40015D18 000 43 6B                       LDR             R3, [R0,#0x34]                        ; Load from Memory
ROM:40015D1A 000 01 F6 04 11                 ADDW            R1, R1, #0x904                        ; Rd = Op1 + Op2
ROM:40015D1E 000 23 F0 07 03                 BIC.W           R3, R3, #7                            ; Rd = Op1 & ~Op2
ROM:40015D22 000 5B 1D                       ADDS            R3, R3, #5                            ; Rd = Op1 + Op2
ROM:40015D24 000 0B 60                       STR             R3, [R1]                              ; Store to Memory
ROM:40015D26 000 83 6B                       LDR             R3, [R0,#0x38]                        ; Load from Memory
ROM:40015D28 000 0B 63                       STR             R3, [R1,#0x30]                        ; Store to Memory
ROM:40015D2A 000 C3 6B                       LDR             R3, [R0,#0x3C]                        ; Load from Memory
ROM:40015D2C 000 CB 63                       STR             R3, [R1,#0x3C]                        ; Store to Memory
ROM:40015D2E 000 03 6C                       LDR             R3, [R0,#0x40]                        ; Load from Memory
ROM:40015D30 000 0B 64                       STR             R3, [R1,#0x40]                        ; Store to Memory
ROM:40015D32 000 43 6C                       LDR             R3, [R0,#0x44]                        ; Load from Memory
ROM:40015D34 000 4B 64                       STR             R3, [R1,#0x44]                        ; Store to Memory
ROM:40015D36 000 CB 6B                       LDR             R3, [R1,#0x3C]                        ; Load from Memory
ROM:40015D38 000 A1 F6 04 11                 SUBW            R1, R1, #0x904                        ; Rd = Op1 - Op2
ROM:40015D3C 000 13 42                       TST             R3, R2                                ; Set cond. codes on Op1 & Op2
ROM:40015D3E 000 08 D0                       BEQ             loc_40015D52                          ; Branch
ROM:40015D3E
ROM:40015D40 000 42 6B                       LDR             R2, [R0,#0x34]                        ; Load from Memory
ROM:40015D42 000 42 F0 07 02                 ORR.W           R2, R2, #7                            ; Rd = Op1 | Op2
ROM:40015D46 000 C1 F8 04 29                 STR.W           R2, [R1,#0x904]                       ; Store to Memory
ROM:40015D46 000
ROM:40015D4A
ROM:40015D4A                 loc_40015D4A                                                          ; CODE XREF: parse_CHSETTINGS+EC�j
ROM:40015D4A 000 D1 F8 24 29                 LDR.W           R2, [R1,#0x924]                       ; Load from Memory
ROM:40015D4E 000 D2 07                       LSLS            R2, R2, #0x1F                         ; Logical Shift Left
ROM:40015D50 000 FB D0                       BEQ             loc_40015D4A                          ; Branch
ROM:40015D50
ROM:40015D52
ROM:40015D52                 loc_40015D52                                                          ; CODE XREF: parse_CHSETTINGS+B2�j
ROM:40015D52                                                                                       ; parse_CHSETTINGS+DA�j
ROM:40015D52 000 02 68                       LDR             R2, [R0]                              ; Load from Memory
ROM:40015D54 000 92 06                       LSLS            R2, R2, #0x1A                         ; Logical Shift Left
ROM:40015D56 000 19 D5                       BPL             return_0                              ; Branch
ROM:40015D56
ROM:40015D58 000 82 69                       LDR             R2, [R0,#0x18]                        ; Load from Memory
ROM:40015D5A 000 22 F0 07 02                 BIC.W           R2, R2, #7                            ; Rd = Op1 & ~Op2
ROM:40015D5E 000 52 1D                       ADDS            R2, R2, #5                            ; Rd = Op1 + Op2
ROM:40015D60 000 C1 F8 00 2D                 STR.W           R2, [R1,#0xD00]                       ; Store to Memory
ROM:40015D64 000 C2 69                       LDR             R2, [R0,#0x1C]                        ; Load from Memory
ROM:40015D66 000 C1 F8 30 2D                 STR.W           R2, [R1,#0xD30]                       ; Store to Memory
ROM:40015D6A 000 02 6A                       LDR             R2, [R0,#0x20]                        ; Load from Memory
ROM:40015D6C 000 C1 F8 40 2D                 STR.W           R2, [R1,#0xD40]                       ; Store to Memory
ROM:40015D70 000 D1 F8 40 2D                 LDR.W           R2, [R1,#0xD40]                       ; Load from Memory
ROM:40015D74 000 0C 4B                       LDR             R3, =0x7FF0000                        ; Load from Memory
ROM:40015D76 000 1A 42                       TST             R2, R3                                ; Set cond. codes on Op1 & Op2
ROM:40015D78 000 08 D0                       BEQ             return_0                              ; Branch
ROM:40015D78
ROM:40015D7A 000 80 69                       LDR             R0, [R0,#0x18]                        ; Load from Memory
ROM:40015D7C 000 40 F0 07 00                 ORR.W           R0, R0, #7                            ; Rd = Op1 | Op2
ROM:40015D80 000 C1 F8 00 0D                 STR.W           R0, [R1,#0xD00]                       ; Store to Memory
ROM:40015D80 000
ROM:40015D84
ROM:40015D84                 loc_40015D84                                                          ; CODE XREF: parse_CHSETTINGS+126�j
ROM:40015D84 000 D1 F8 20 0D                 LDR.W           R0, [R1,#0xD20]                       ; Load from Memory
ROM:40015D88 000 C0 07                       LSLS            R0, R0, #0x1F                         ; Logical Shift Left
ROM:40015D8A 000 FB D0                       BEQ             loc_40015D84                          ; Branch
ROM:40015D8A
ROM:40015D8C
ROM:40015D8C                 return_0                                                              ; CODE XREF: parse_CHSETTINGS+F2�j
ROM:40015D8C                                                                                       ; parse_CHSETTINGS+114�j
ROM:40015D8C 000 00 20                       MOVS            R0, #0                                ; Rd = Op2
ROM:40015D8E 000 70 47                       BX              LR                                    ; Branch to/from Thumb mode
ROM:40015D8E
ROM:40015D8E                 ; End of function parse_CHSETTINGS
ROM:40015D8E
ROM:40015D8E                 ; ---------------------------------------------------------------------------
ROM:40015D90 DC FC 20 40     off_40015D90    DCD dword_4020FCDC                                    ; DATA XREF: parse_CHSETTINGS+10�r
ROM:40015D94 00 40 00 48     off_40015D94    DCD OMAP3430_reg_CM_FCLKEN_IVA2                       ; DATA XREF: parse_CHSETTINGS+16�r
ROM:40015D94                                                                                       ; This register controls the IVA2 domain functional clock activity
ROM:40015D98 70 72 30 48     off_40015D98    DCD OMAP3430_reg_PRM_CLKSRC_CTRL                      ; DATA XREF: parse_CHSETTINGS:loc_40015CB6�r
ROM:40015D98                                                                                       ; This register provides control over the device source clock
ROM:40015D9C 40 6D 30 48     off_40015D9C    DCD OMAP3430_reg_PRM_CLKSEL                           ; DATA XREF: parse_CHSETTINGS+58�r
ROM:40015D9C                                                                                       ; This register controls the selection of the system clock frequency. This register is reset on power-up only
ROM:40015DA0 40 51 00 48     off_40015DA0    DCD OMAP3430_reg_CM_CLKSEL1_EMU                       ; DATA XREF: parse_CHSETTINGS+5E�r
ROM:40015DA0                                                                                       ; Modules clock selection
ROM:40015DA4 00 FF 07 00     dword_40015DA4  DCD 0x7FF00                                           ; DATA XREF: parse_CHSETTINGS+7A�r
ROM:40015DA8 00 00 FF 07     dword_40015DA8  DCD 0x7FF0000                                         ; DATA XREF: parse_CHSETTINGS+110�r
ROM:40015DAC