EFuse

From MILEDROPEDIA
Jump to: navigation, search

Contents

Overview

The OMAP3xxx contains (unknown value) 128-bit banks of electronically blown fuses (eFuse). This is one-time only programmable memory that is organized into N x 32-bit words - (unknown value) words are reserved by Texas Instruments and for future use. The remaining 4 words are fully user programmable, designed to allow storage of a 128-bit encryption key for secure external memory encryption.

eFuse table

TODO

Index Name Description
PRODUCTION_ID not available yet
SECURITY_ID not available yet


SWRV values

The Motorola sec driver reads 160 bit of eFuse data using the Secure Services call API_HAL_MOT_EFUSE_READ. The code names this data "SWRV" (meaning unknown). The format of this structure is mostly unknown. There are there some hints (documented below), but more data is needed to understand it in useful detail.

SWRV Description
0f 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 00 00 Defy (source)
1f 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 00 00 Defy ME525+ model with HKTW 2.3.4 sbf and MIUI rom (source)
3f 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 00 00 Defy+ 2.3.6 134-132 SBF (v6) (source)
3f 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e1 00 00 Defy+ after blowing SEC_CUST_CODE (source)
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 Defy Chinese unlocked/eng? (source, source2)
1c 08 00 2a 18 0a 00 2a e0 fd 01 40 c4 09 00 2a 00 00 00 00 RAZR (thanks to kholk on IRC)
01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 00 60 00 00 Milestone XT720

The first byte is assumed to be the sbf revision based on values found on Defy (0x0f=bl4, 0x1f=bl5, 0x3f=bl6).

You can contribute SWRV values by running File:Sec swrv.c (binary File:Sec swrv.gz). The code might work on any OMAP3xxx based Motorola device. Please add a small description and note if unlocked/dev phone/replacement.

The driver code includes this check for engineering and production bits in drivers/misc/sec/sec_core.c:

  1.     iterator = data + 4;
  2.  
  3.     /*HAB_ENG : 13, HAB_PROD : 14 */
  4.     /*Engineering only if engineering blown and production not */
  5.     if (((*iterator) & (0x3 << 13)) == (0x1 << 13))
  6.         ret_val = SEC_ENGINEERING;

It also contains an enum with potential hints. The enum values are API parameters for Secure Services call API_HAL_MOT_EFUSE - and contrary to the code comment the start value does not seem to be random at all. It is unknown if there is a mapping of parameters to bits in SWRV.

Calling API_HAL_MOT_EFUSE with SEC_CUST_CODE resulted in bit 15 being set (0 -> 1).

drivers/misc/sec/sec_core.h:

  1. typedef enum {
  2.         /*Starting with random non zero value for component type */
  3.         SEC_AP_PA_PPA = 0x00000065,
  4.         SEC_BP_PPA,
  5.         SEC_BP_PA,
  6.         SEC_ML_PBRDL,
  7.         SEC_MBM,
  8.         SEC_RRDL_BRDL,
  9.         SEC_BPL,
  10.         SEC_AP_OS,
  11.         SEC_BP_OS,
  12.         SEC_BS_DIS,
  13.         SEC_ENG,
  14.         SEC_PROD,
  15.         SEC_CUST_CODE,
  16.         SEC_PKC,
  17.         SEC_MODEL_ID,
  18.         SEC_MAX
  19. } SEC_SV_COMPONENT_T;


EFUSE Power Domain

EFUSE Power Domain Clock Controls

EFUSE Power Domain Clock-Gating Control

Clock Name Reset Clock-Gating Control Gating Description
EFUSE_ALWON_FCLK Running None Active when VDD1 and VDD2 are switched on and eFuse-ready hardware signal is released

Reading

For reading eFuse you need:

  1. call 0x28 Secure Service - invalidate dcache
  2. call 0x2a Secure Service - aux write
  3. call 0x36 Secure Service with parameter eFuse index - API_HAL_MOT_EFUSE_READ

PPA handler of EFUSE READ interrupt call

  1. ROM:86FFF06C
  2. ROM:86FFF06C     ; =============== S U B R O U T I N E =======================================
  3. ROM:86FFF06C
  4. ROM:86FFF06C
  5. ROM:86FFF06C     ; int __cdecl PPA_API_HAL_MOT_EFUSE_READ()
  6. ROM:86FFF06C     PPA_API_HAL_MOT_EFUSE_READ                                  ; DATA XREF: PPA_SMC_handler_SL+44�o
  7. ROM:86FFF06C                                                                 ; ROM:off_86FFF5B8�o
  8. ROM:86FFF06C 000                 MOV             R2, R0                      ; arg_3
  9. ROM:86FFF06E 000                 PUSH            {R4,LR}                     ; Push registers
  10. ROM:86FFF070 008                 MOVS            R1, #1                      ; arg_2
  11. ROM:86FFF072 008                 MOVS            R0, #0x64                   ; arg_1
  12. ROM:86FFF074 008                 BLX             PPA_interrupt_call          ; Branch with Link and Exchange (immediate address)
  13. ROM:86FFF074
  14. ROM:86FFF078 008                 LDR             R1, =0xAF8023D4             ; Load from Memory
  15. ROM:86FFF07A 008                 LDR             R2, [R1]                    ; Load from Memory
  16. ROM:86FFF07C 008                 UXTH            R3, R2                      ; Unsigned extend halfword to word
  17. ROM:86FFF07E 008                 ORR.W           R2, R3, R2,LSR#16           ; Rd = Op1 | Op2
  18. ROM:86FFF082 008                 STR             R2, [R0]                    ; Store to Memory
  19. ROM:86FFF084 008                 LDR             R2, [R1,#4]                 ; Load from Memory
  20. ROM:86FFF086 008                 UXTH            R3, R2                      ; Unsigned extend halfword to word
  21. ROM:86FFF088 008                 ORR.W           R2, R3, R2,LSR#16           ; Rd = Op1 | Op2
  22. ROM:86FFF08C 008                 STR             R2, [R0,#4]                 ; Store to Memory
  23. ROM:86FFF08E 008                 LDR             R2, [R1,#8]                 ; Load from Memory
  24. ROM:86FFF090 008                 UXTH            R3, R2                      ; Unsigned extend halfword to word
  25. ROM:86FFF092 008                 ORR.W           R2, R3, R2,LSR#16           ; Rd = Op1 | Op2
  26. ROM:86FFF096 008                 STR             R2, [R0,#8]                 ; Store to Memory
  27. ROM:86FFF098 008                 LDR             R2, [R1,#0xC]               ; Load from Memory
  28. ROM:86FFF09A 008                 UXTH            R3, R2                      ; Unsigned extend halfword to word
  29. ROM:86FFF09C 008                 ORR.W           R2, R3, R2,LSR#16           ; Rd = Op1 | Op2
  30. ROM:86FFF0A0 008                 STR             R2, [R0,#0xC]               ; Store to Memory
  31. ROM:86FFF0A2 008                 LDR             R1, [R1,#0x10]              ; Load from Memory
  32. ROM:86FFF0A4 008                 UXTH            R2, R1                      ; Unsigned extend halfword to word
  33. ROM:86FFF0A6 008                 ORR.W           R1, R2, R1,LSR#16           ; Rd = Op1 | Op2
  34. ROM:86FFF0AA 008                 STR             R1, [R0,#0x10]              ; Store to Memory
  35. ROM:86FFF0AC 008                 MOVS            R0, #0                      ; Rd = Op2
  36. ROM:86FFF0AE 008                 POP             {R4,PC}                     ; Pop registers
  37. ROM:86FFF0AE
  38. ROM:86FFF0AE     ; End of function PPA_API_HAL_MOT_EFUSE_READ
  39. ROM:86FFF0AE
  40. ROM:86FFF0AE     ; ---------------------------------------------------------------------------
  41. ROM:86FFF0B0     dword_86FFF0B0  DCD 0xAF8023D4                              ; DATA XREF: PPA_API_HAL_MOT_EFUSE_READ+C�r
  42. ROM:86FFF0B4

Code Listings

Fuse blowing functions

Listing 1. Fuse blowing BS_DIS ( from mbmloader )

  1. ROM:870048AC               ; =============== S U B R O U T I N E =======================================
  2. ROM:870048AC
  3. ROM:870048AC
  4. ROM:870048AC                 ; int __cdecl fuse_blow_BS_DIS()
  5. ROM:870048AC                 fuse_blow_BS_DIS
  6. ROM:870048AC 000 10 B5                       PUSH    {R4,LR}                             ; Push registers
  7. ROM:870048AE 008 10 24                       MOVS    R4, #0x10                           ; Rd = Op2
  8. ROM:870048B0 008 01 21                       MOVS    R1, #1                              ; value
  9. ROM:870048B2 008 6E 20                       MOVS    R0, #SEC_BS_DIS                     ; fuse_entry_number
  10. ROM:870048B4 008 FF F7 70 FF                 BL      fuse_blow_byte                      ; Branch with Link
  11. ROM:870048B8 008 04 46                       MOV     R4, R0                              ; Rd = Op2
  12. ROM:870048BA 008 20 46                       MOV     R0, R4                              ; Rd = Op2
  13. ROM:870048BC 008 10 BD                       POP     {R4,PC}                             ; Pop registers
  14. ROM:870048BC                 ; End of function fuse_blow_BS_DIS
  15. ROM:870048BC

Listing 2. Fuse blowing CUSTOM ( from mbmloader )

  1. ROM:870048E2                 ; =============== S U B R O U T I N E =======================================
  2. ROM:870048E2
  3. ROM:870048E2
  4. ROM:870048E2                 ; int __cdecl fuse_blow_CUSTOM(int fuse_entry_number, int value)
  5. ROM:870048E2                 fuse_blow_CUSTOM
  6. ROM:870048E2 000 70 B5                       PUSH    {R4-R6,LR}                          ; Push registers
  7. ROM:870048E4 010 04 46                       MOV     R4, R0                              ; Rd = Op2
  8. ROM:870048E6 010 0D 46                       MOV     R5, R1                              ; Rd = Op2
  9. ROM:870048E8 010 10 26                       MOVS    R6, #0x10                           ; Rd = Op2
  10. ROM:870048EA 010 A9 B2                       UXTH    R1, R5                              ; Unsigned extend halfword to word
  11. ROM:870048EC 010 20 46                       MOV     R0, R4                              ; fuse_entry_number
  12. ROM:870048EE 010 FF F7 53 FF                 BL      fuse_blow_byte                      ; Branch with Link
  13. ROM:870048F2 010 06 46                       MOV     R6, R0                              ; Rd = Op2
  14. ROM:870048F4 010 30 46                       MOV     R0, R6                              ; Rd = Op2
  15. ROM:870048F6 010 70 BD                       POP     {R4-R6,PC}                          ; Pop registers
  16. ROM:870048F6                 ; End of function fuse_blow_CUSTOM
  17. ROM:870048F6

Listing 3. Fuse blowing PRODUCTION ( from mbmloader )

  1. ROM:870048F8
  2. ROM:870048F8                 ; =============== S U B R O U T I N E =======================================
  3. ROM:870048F8
  4. ROM:870048F8
  5. ROM:870048F8                 ; int __cdecl fuse_blow_PRODUCTION()
  6. ROM:870048F8                 fuse_blow_PRODUCTION
  7. ROM:870048F8 000 10 B5                       PUSH    {R4,LR}                             ; Push registers
  8. ROM:870048FA 008 10 24                       MOVS    R4, #0x10                           ; Rd = Op2
  9. ROM:870048FC 008 01 21                       MOVS    R1, #1                              ; value
  10. ROM:870048FE 008 70 20                       MOVS    R0, #SEC_PROD                       ; fuse_entry_number
  11. ROM:87004900 008 FF F7 4A FF                 BL      fuse_blow_byte                      ; Branch with Link
  12. ROM:87004904 008 04 46                       MOV     R4, R0                              ; Rd = Op2
  13. ROM:87004906 008 20 46                       MOV     R0, R4                              ; Rd = Op2
  14. ROM:87004908 008 10 BD                       POP     {R4,PC}                             ; Pop registers
  15. ROM:87004908                 ; End of function fuse_blow_PRODUCTION
  16. ROM:87004908

Listing 4. Fuse blowing ENGINEERING ( from mbmloader )

  1. ROM:8700490A
  2. ROM:8700490A                 ; =============== S U B R O U T I N E =======================================
  3. ROM:8700490A
  4. ROM:8700490A
  5. ROM:8700490A                 ; int __cdecl fuse_blow_ENGINEERING()
  6. ROM:8700490A                 fuse_blow_ENGINEERING                                       ; CODE XREF: main+20
  7. ROM:8700490A 000 10 B5                       PUSH    {R4,LR}                             ; Push registers
  8. ROM:8700490C 008 10 24                       MOVS    R4, #0x10                           ; Rd = Op2
  9. ROM:8700490E 008 01 21                       MOVS    R1, #1                              ; value
  10. ROM:87004910 008 6F 20                       MOVS    R0, #SEC_ENG                        ; fuse_entry_number
  11. ROM:87004912 008 FF F7 41 FF                 BL      fuse_blow_byte                      ; Branch with Link
  12. ROM:87004916 008 04 46                       MOV     R4, R0                              ; Rd = Op2
  13. ROM:87004918 008 20 46                       MOV     R0, R4                              ; Rd = Op2
  14. ROM:8700491A 008 10 BD                       POP     {R4,PC}                             ; Pop registers
  15. ROM:8700491A                 ; End of function fuse_blow_ENGINEERING

Fuse reading functions

Listing 2. Fuse reading byte (from mbmloader)

  1. ROM:8F31DB0A
  2. ROM:8F31DB0A     ; =============== S U B R O U T I N E =======================================
  3. ROM:8F31DB0A
  4. ROM:8F31DB0A
  5. ROM:8F31DB0A     ; int __cdecl moto_efuse_read(__int32 fuse_entry)
  6. ROM:8F31DB0A     moto_efuse_read                                             ; CODE XREF: fuse_read_SEC_MODEL_ID+6�p
  7. ROM:8F31DB0A                                                                 ; fuse_read_SEC_BS_DIS+6�p ...
  8. ROM:8F31DB0A 000                 PUSH            {R4-R6,LR}                  ; Push registers
  9. ROM:8F31DB0C 010                 MOV             R4, R0                      ; Rd = Op2
  10. ROM:8F31DB0E 010                 LDR             R5, =0xDEADBEEF             ; Load from Memory
  11. ROM:8F31DB10 010                 SUB.W           R0, R4, #0x65               ; switch 16 cases
  12. ROM:8F31DB14 010                 CMP             R0, #0x10                   ; Set cond. codes on Op1 - Op2
  13. ROM:8F31DB16 010                 BCS             return_                     ; do nothing
  14. ROM:8F31DB16
  15. ROM:8F31DB18
  16. ROM:8F31DB18     fuse_table                                                  ; switch jump
  17. ROM:8F31DB18 010                 TBB.W           [PC,R0]
  18. ROM:8F31DB18
  19. ROM:8F31DB18     ; ---------------------------------------------------------------------------
  20. ROM:8F31DB1C 010 fuse_choice     DCB 8                                       ; jump table for switch statement
  21. ROM:8F31DB1D 010                 DCB 0x52
  22. ROM:8F31DB1E 010                 DCB 0x52
  23. ROM:8F31DB1F 010                 DCB 0x11
  24. ROM:8F31DB20 010                 DCB 0x1A
  25. ROM:8F31DB21 010                 DCB 0x22
  26. ROM:8F31DB22 010                 DCB 0x52
  27. ROM:8F31DB23 010                 DCB 0x2A
  28. ROM:8F31DB24 010                 DCB 0x52
  29. ROM:8F31DB25 010                 DCB 0x32
  30. ROM:8F31DB26 010                 DCB 0x37
  31. ROM:8F31DB27 010                 DCB 0x3D
  32. ROM:8F31DB28 010                 DCB 0x43
  33. ROM:8F31DB29 010                 DCB 0x52
  34. ROM:8F31DB2A 010                 DCB 0x4D
  35. ROM:8F31DB2B 010                 DCB 0x51
  36. ROM:8F31DB2C     ; ---------------------------------------------------------------------------
  37. ROM:8F31DB2C
  38. ROM:8F31DB2C     is_SEC_APP_PA_PPA                                           ; CODE XREF: moto_efuse_read:fuse_table�j
  39. ROM:8F31DB2C 010                 MOVS            R0, #3                      ; jumptable 8F31DB18 case 101
  40. ROM:8F31DB2E 010                 BL              efuse_read                  ; Branch with Link
  41. ROM:8F31DB2E
  42. ROM:8F31DB32 010                 ASRS            R6, R0, #8                  ; Arithmetic Shift Right
  43. ROM:8F31DB34 010                 MOV             R0, R6                      ; count
  44. ROM:8F31DB36 010                 BL              standard_efuse_count        ; Branch with Link
  45. ROM:8F31DB36
  46. ROM:8F31DB3A 010                 MOV             R5, R0                      ; Rd = Op2
  47. ROM:8F31DB3C 010                 B               return                      ; Branch
  48. ROM:8F31DB3C
  49. ROM:8F31DB3E     ; ---------------------------------------------------------------------------
  50. ROM:8F31DB3E
  51. ROM:8F31DB3E     is_SEC_ML_PBRDL                                             ; CODE XREF: moto_efuse_read:fuse_table�j
  52. ROM:8F31DB3E 010                 MOVS            R0, #3                      ; jumptable 8F31DB18 case 104
  53. ROM:8F31DB40 010                 BL              efuse_read                  ; Branch with Link
  54. ROM:8F31DB40
  55. ROM:8F31DB44 010                 UXTB            R6, R0                      ; Unsigned extend byte to word
  56. ROM:8F31DB46 010                 MOV             R0, R6                      ; count
  57. ROM:8F31DB48 010                 BL              standard_efuse_count        ; Branch with Link
  58. ROM:8F31DB48
  59. ROM:8F31DB4C 010                 MOV             R5, R0                      ; Rd = Op2
  60. ROM:8F31DB4E 010                 B               return                      ; Branch
  61. ROM:8F31DB4E
  62. ROM:8F31DB50     ; ---------------------------------------------------------------------------
  63. ROM:8F31DB50
  64. ROM:8F31DB50     is_SEC_MBM                                                  ; CODE XREF: moto_efuse_read:fuse_table�j
  65. ROM:8F31DB50 010                 MOVS            R0, #2                      ; jumptable 8F31DB18 case 105
  66. ROM:8F31DB52 010                 BL              efuse_read                  ; Branch with Link
  67. ROM:8F31DB52
  68. ROM:8F31DB56 010                 MOV             R6, R0                      ; Rd = Op2
  69. ROM:8F31DB58 010                 BL              standard_efuse_count        ; Branch with Link
  70. ROM:8F31DB58
  71. ROM:8F31DB5C 010                 MOV             R5, R0                      ; Rd = Op2
  72. ROM:8F31DB5E 010                 B               return                      ; Branch
  73. ROM:8F31DB5E
  74. ROM:8F31DB60     ; ---------------------------------------------------------------------------
  75. ROM:8F31DB60
  76. ROM:8F31DB60     is_SEC_RRDL_BRDL                                            ; CODE XREF: moto_efuse_read:fuse_table�j
  77. ROM:8F31DB60 010                 MOVS            R0, #1                      ; jumptable 8F31DB18 case 106
  78. ROM:8F31DB62 010                 BL              efuse_read                  ; Branch with Link
  79. ROM:8F31DB62
  80. ROM:8F31DB66 010                 MOV             R6, R0                      ; Rd = Op2
  81. ROM:8F31DB68 010                 BL              standard_efuse_count        ; Branch with Link
  82. ROM:8F31DB68
  83. ROM:8F31DB6C 010                 MOV             R5, R0                      ; Rd = Op2
  84. ROM:8F31DB6E 010                 B               return                      ; Branch
  85. ROM:8F31DB6E
  86. ROM:8F31DB70     ; ---------------------------------------------------------------------------
  87. ROM:8F31DB70
  88. ROM:8F31DB70     is_SEC_AP_OS                                                ; CODE XREF: moto_efuse_read:fuse_table�j
  89. ROM:8F31DB70 010                 MOVS            R0, #0                      ; jumptable 8F31DB18 case 108
  90. ROM:8F31DB72 010                 BL              efuse_read                  ; Branch with Link
  91. ROM:8F31DB72
  92. ROM:8F31DB76 010                 MOV             R6, R0                      ; Rd = Op2
  93. ROM:8F31DB78 010                 BL              standard_efuse_count        ; Branch with Link
  94. ROM:8F31DB78
  95. ROM:8F31DB7C 010                 MOV             R5, R0                      ; Rd = Op2
  96. ROM:8F31DB7E 010                 B               return                      ; Branch
  97. ROM:8F31DB7E
  98. ROM:8F31DB80     ; ---------------------------------------------------------------------------
  99. ROM:8F31DB80
  100. ROM:8F31DB80     is_SEC_BS_DIS                                               ; CODE XREF: moto_efuse_read:fuse_table�j
  101. ROM:8F31DB80 010                 MOVS            R0, #4                      ; jumptable 8F31DB18 case 110
  102. ROM:8F31DB82 010                 BL              efuse_read                  ; Branch with Link
  103. ROM:8F31DB82
  104. ROM:8F31DB86 010                 ASRS            R5, R0, #0xF                ; Arithmetic Shift Right
  105. ROM:8F31DB88 010                 B               return                      ; Branch
  106. ROM:8F31DB88
  107. ROM:8F31DB8A     ; ---------------------------------------------------------------------------
  108. ROM:8F31DB8A
  109. ROM:8F31DB8A     is_SEC_ENG                                                  ; CODE XREF: moto_efuse_read:fuse_table�j
  110. ROM:8F31DB8A 010                 MOVS            R0, #4                      ; jumptable 8F31DB18 case 111
  111. ROM:8F31DB8C 010                 BL              efuse_read                  ; Branch with Link
  112. ROM:8F31DB8C
  113. ROM:8F31DB90 010                 UBFX.W          R5, R0, #0xD, #1            ; Unsigned Bit Field Extract
  114. ROM:8F31DB94 010                 B               return                      ; Branch
  115. ROM:8F31DB94
  116. ROM:8F31DB96     ; ---------------------------------------------------------------------------
  117. ROM:8F31DB96
  118. ROM:8F31DB96     is_SEC_PROD                                                 ; CODE XREF: moto_efuse_read:fuse_table�j
  119. ROM:8F31DB96 010                 MOVS            R0, #4                      ; jumptable 8F31DB18 case 112
  120. ROM:8F31DB98 010                 BL              efuse_read                  ; Branch with Link
  121. ROM:8F31DB98
  122. ROM:8F31DB9C 010                 UBFX.W          R5, R0, #0xE, #1            ; Unsigned Bit Field Extract
  123. ROM:8F31DBA0 010                 B               return                      ; Branch
  124. ROM:8F31DBA0
  125. ROM:8F31DBA2     ; ---------------------------------------------------------------------------
  126. ROM:8F31DBA2
  127. ROM:8F31DBA2     is_SEC_CUST_CODE                                            ; CODE XREF: moto_efuse_read:fuse_table�j
  128. ROM:8F31DBA2 010                 MOVS            R0, #4                      ; jumptable 8F31DB18 case 113
  129. ROM:8F31DBA4 010                 BL              efuse_read                  ; Branch with Link
  130. ROM:8F31DBA4
  131. ROM:8F31DBA8 010                 UBFX.W          R6, R0, #8, #5              ; Unsigned Bit Field Extract
  132. ROM:8F31DBAC 010                 MOV             R0, R6                      ; count
  133. ROM:8F31DBAE 010                 BL              standard_efuse_count        ; Branch with Link
  134. ROM:8F31DBAE
  135. ROM:8F31DBB2 010                 MOV             R5, R0                      ; Rd = Op2
  136. ROM:8F31DBB4 010                 B               return                      ; Branch
  137. ROM:8F31DBB4
  138. ROM:8F31DBB6     ; ---------------------------------------------------------------------------
  139. ROM:8F31DBB6
  140. ROM:8F31DBB6     is_SEC_MODEL_ID                                             ; CODE XREF: moto_efuse_read:fuse_table�j
  141. ROM:8F31DBB6 010                 LDR             R0, =OMAP3430_MSV_ADRESS    ; jumptable 8F31DB18 case 115
  142. ROM:8F31DBB8 010                 LDR             R0, [R0]                    ; Load from Memory
  143. ROM:8F31DBBA 010                 UXTH            R5, R0                      ; Unsigned extend halfword to word
  144. ROM:8F31DBBC 010                 B               return                      ; Branch
  145. ROM:8F31DBBC
  146. ROM:8F31DBBE     ; ---------------------------------------------------------------------------
  147. ROM:8F31DBBE
  148. ROM:8F31DBBE     return__                                                    ; CODE XREF: moto_efuse_read:fuse_table�j
  149. ROM:8F31DBBE 010                 NOP                                         ; jumptable 8F31DB18 case 116
  150. ROM:8F31DBBE
  151. ROM:8F31DBC0
  152. ROM:8F31DBC0     return_                                                     ; CODE XREF: moto_efuse_read+C�j
  153. ROM:8F31DBC0                                                                 ; moto_efuse_read:fuse_table�j
  154. ROM:8F31DBC0 010                 NOP                                         ; do nothing
  155. ROM:8F31DBC0
  156. ROM:8F31DBC2
  157. ROM:8F31DBC2     return                                                      ; CODE XREF: moto_efuse_read+32�j
  158. ROM:8F31DBC2                                                                 ; moto_efuse_read+44�j ...
  159. ROM:8F31DBC2 010                 NOP                                         ; No Operation
  160. ROM:8F31DBC4 010                 MOV             R0, R5                      ; Rd = Op2
  161. ROM:8F31DBC6 010                 POP             {R4-R6,PC}                  ; Pop registers
  162. ROM:8F31DBC6
  163. ROM:8F31DBC6     ; End of function moto_efuse_read
  164. ROM:8F31DBC6

Listing 2. Fuse reading word (from mbm)

  1. ROM:8F31DA9C
  2. ROM:8F31DA9C                 ; =============== S U B R O U T I N E =======================================
  3. ROM:8F31DA9C
  4. ROM:8F31DA9C
  5. ROM:8F31DA9C                 ; __int16 __fastcall fuse_read_word(int fuse_entry)
  6. ROM:8F31DA9C                 fuse_read_word                                              ; CODE XREF: fuse_read+24�p
  7. ROM:8F31DA9C                                                                             ; fuse_read+36�p ...
  8. ROM:8F31DA9C
  9. ROM:8F31DA9C                 var_30          = -0x30
  10. ROM:8F31DA9C                 var_28          = -0x28
  11. ROM:8F31DA9C
  12. ROM:8F31DA9C 000 F0 B5                       PUSH    {R4-R7,LR}                          ; Push registers
  13. ROM:8F31DA9E 014 87 B0                       SUB     SP, SP, #0x1C                       ; Rd = Op1 - Op2
  14. ROM:8F31DAA0 030 04 46                       MOV     R4, R0                              ; Rd = Op2
  15. ROM:8F31DAA2 030 00 25                       MOVS    R5, #0                              ; Rd = Op2
  16. ROM:8F31DAA4 030 4F F6 FF 77                 MOVW    R7, #0xFFFF                         ; Rd = Op2
  17. ROM:8F31DAA8 030 00 BF                       NOP                                         ; No Operation
  18. ROM:8F31DAAA 030 04 E0                       B       loop_count                          ; Branch
  19. ROM:8F31DAAC                 ; ---------------------------------------------------------------------------
  20. ROM:8F31DAAC
  21. ROM:8F31DAAC                 loop_body                                                   ; CODE XREF: fuse_read_word+1C�j
  22. ROM:8F31DAAC 030 00 20                       MOVS    R0, #0                              ; Rd = Op2
  23. ROM:8F31DAAE 030 02 A9                       ADD     R1, SP, #0x30+var_28                ; Rd = Op1 + Op2
  24. ROM:8F31DAB0 030 41 F8 25 00                 STR.W   R0, [R1,R5,LSL#2]                   ; Store to Memory
  25. ROM:8F31DAB4 030 6D 1C                       ADDS    R5, R5, #1                          ; Rd = Op1 + Op2
  26. ROM:8F31DAB6
  27. ROM:8F31DAB6                 loop_count                                                  ; CODE XREF: fuse_read_word+E�j
  28. ROM:8F31DAB6 030 04 2D                       CMP     R5, #4                              ; Set cond. codes on Op1 - Op2
  29. ROM:8F31DAB8 030 F8 DD                       BLE     loop_body                           ; Branch
  30. ROM:8F31DABA 030 00 BF                       NOP                                         ; No Operation
  31. ROM:8F31DABC 030 04 2C                       CMP     R4, #4                              ; Set cond. codes on Op1 - Op2
  32. ROM:8F31DABE 030 08 D8                       BHI     is_higher                           ; Branch
  33. ROM:8F31DAC0 030 02 AB                       ADD     R3, SP, #0x30+var_28                ; Rd = Op1 + Op2
  34. ROM:8F31DAC2 030 00 93                       STR     R3, [SP,#0x30+var_30]               ; Store to Memory
  35. ROM:8F31DAC4 030 01 23                       MOVS    R3, #1                              ; Rd = Op2
  36. ROM:8F31DAC6 030 07 22                       MOVS    R2, #7                              ; Rd = Op2
  37. ROM:8F31DAC8 030 00 21                       MOVS    R1, #0                              ; SEC_ENTRY
  38. ROM:8F31DACA 030 36 20                       MOVS    R0, #0x36                           ; param
  39. ROM:8F31DACC 030 04 F0 F2 FD                 BL      security_handler                    ; API_HAL_MOT_EFUSE_READ
  40. ROM:8F31DAD0 030 06 46                       MOV     R6, R0                              ; Rd = Op2
  41. ROM:8F31DAD2
  42. ROM:8F31DAD2                 is_higher                                                   ; CODE XREF: fuse_read_word+22�j
  43. ROM:8F31DAD2 030 1E B9                       CBNZ    R6, return                          ; Compare and Branch on Non-Zero
  44. ROM:8F31DAD4 030 02 A8                       ADD     R0, SP, #0x30+var_28                ; Rd = Op1 + Op2
  45. ROM:8F31DAD6 030 50 F8 24 00                 LDR.W   R0, [R0,R4,LSL#2]                   ; Load from Memory
  46. ROM:8F31DADA 030 87 B2                       UXTH    R7, R0                              ; Unsigned extend halfword to word
  47. ROM:8F31DADC
  48. ROM:8F31DADC                 return                                                      ; CODE XREF: fuse_read_word:is_higher�j
  49. ROM:8F31DADC 030 38 46                       MOV     R0, R7                              ; Rd = Op2
  50. ROM:8F31DADE 030 07 B0                       ADD     SP, SP, #0x1C                       ; Rd = Op1 + Op2
  51. ROM:8F31DAE0 014 F0 BD                       POP     {R4-R7,PC}                          ; Pop registers
  52. ROM:8F31DAE0                 ; End of function fuse_read_word
  53. ROM:8F31DAE0
  54. ROM:8F31DAE0                 ; ---------------------------------------------------------------------------
  55. ROM:8F31DAE2 00 20                           DCW 0x2000
  56. ROM:8F31DAE4 70 47                           DCW 0x4770
  57. ROM:8F31DAE6

Listing 2. Fuse reading BS_DIS (from mbmloader)

  1. ROM:870048BE
  2. ROM:870048BE                 ; =============== S U B R O U T I N E =======================================
  3. ROM:870048BE
  4. ROM:870048BE
  5. ROM:870048BE                 ; int __cdecl fuse_read_BS_DIS()
  6. ROM:870048BE                 fuse_read_BS_DIS                                            ; CODE XREF: check_BS_DIS+4
  7. ROM:870048BE 000 10 B5                       PUSH    {R4,LR}                             ; Push registers
  8. ROM:870048C0 008 10 24                       MOVS    R4, #0x10                           ; Rd = Op2
  9. ROM:870048C2 008 6E 20                       MOVS    R0, #SEC_BS_DIS                     ; fuse_entry_number
  10. ROM:870048C4 008 FF F7 09 FF                 BL      fuse_read_byte                      ; Branch with Link
  11. ROM:870048C8 008 00 B9                       CBNZ    R0, return                          ; Compare and Branch on Non-Zero
  12. ROM:870048CA 008 00 24                       MOVS    R4, #0                              ; Rd = Op2
  13. ROM:870048CC
  14. ROM:870048CC                 return                                                      ; CODE XREF: fuse_read_BS_DIS+A
  15. ROM:870048CC 008 20 46                       MOV     R0, R4                              ; Rd = Op2
  16. ROM:870048CE 008 10 BD                       POP     {R4,PC}                             ; Pop registers
  17. ROM:870048CE                 ; End of function fuse_read_BS_DIS
  18. ROM:870048CE
  19. ROM:870048D0
  20. ROM:870048D0                 ; =============== S U B R O U T I N E =======================================
  21. ROM:870048D0
  22. ROM:870048D0
  23. ROM:870048D0                 ; int __cdecl fuse_read_SECVER(int entry_number)
  24. ROM:870048D0                 fuse_read_SECVER                                            ; CODE XREF: check_secure_version+14
  25. ROM:870048D0 000 70 B5                       PUSH    {R4-R6,LR}                          ; Push registers
  26. ROM:870048D2 010 04 46                       MOV     R4, R0                              ; Rd = Op2
  27. ROM:870048D4 010 00 25                       MOVS    R5, #0                              ; Rd = Op2
  28. ROM:870048D6 010 20 46                       MOV     R0, R4                              ; fuse_entry_number
  29. ROM:870048D8 010 FF F7 FF FE                 BL      fuse_read_byte                      ; Branch with Link
  30. ROM:870048DC 010 05 46                       MOV     R5, R0                              ; Rd = Op2
  31. ROM:870048DE 010 28 46                       MOV     R0, R5                              ; Rd = Op2
  32. ROM:870048E0 010 70 BD                       POP     {R4-R6,PC}                          ; Pop registers
  33. ROM:870048E0                 ; End of function fuse_read_SECVER
  34. ROM:870048E0
  35. ROM:870048E2
Personal tools
Namespaces
Variants
Actions
Navigation
see also
Toolbox