Ref: 2.0.4 Top Level Routines.


Yes - there is information about bootstrap all over the place.

What I list here is what Canon's 2.0.4 DryOS does ... and highlights where ML's 5d-hack.c updates the DryOS code.

DryOS bootstrap code - as it is stored at 0xFF810000, i.e. before it is copied from ROM

[0xFF810000] AJ_guess_bootstrap()    
LDR PC, =AJ_sub1_bootstrap


[0xFF81000C] AJ_sub1_bootstrap()
-> Initialize DIGIC structures [0xC0000000 -> 0xC0000100],[0xC0200000],[0xC0400008],[0xC0243100],[0xC0242010]

Create a STACK at 0x1900 -> 0x21C48.  Copy data from 0xFFCD15B0
memcpy( 0x1900_rw_data_start,  0xFFCD15B0_rwdata_copy , 0x21C48 - 0x1900 ) 

Zero the BSS segment    0x21C48 -> 0x4D458
memset( 0x21C48_bss_start,  #0,  0x4D458_bss_end - 0x21C48_bss_start)

B AJ_sub2_bootstrap

ML works by hijacking the first line of AJ_sub2_bootstrap() ... and, once complete, jumping back.

[0xFF812A98] AJ_sub2_bootstrap()

| BEFORE ML: LDR R0, =AJ_bss_start_SetupRelated   |
| AFTER  ML: INSTR( 0xFF812AE8 ) = RET_INSTR;     |

First memcpy    
-> [0x0000] = zero page <--WRITES BSS RELATED DATA HERE--> [0x04B0]
-> [0x????????] = AJ_bss_start_SetupRelated 

memcpy( 0x0000,  AJ_bss_start_SetupRelated , 0x4B0)

AJAJ:  Need to replace  'TH_interrupt_0x4b0'  with actual address

Second memcpy    
-> [0x4B0]  <--WRITES HERE--> [0x????]
-> [0xFF812D34] = ?? Not sure what this is :  AJAJ ... have a look at it in IDA

memcpy( 0x4B0, TH_interrupt_0x4b0, 0xFF812D34 - TH_interrupt_0x4b0)

"CPSR is updated to put the ARM into supervisor mode"

MOV SP, #0x1000

BL TH_cstart


[0xFF810894] TH_cstart() 

LDR     R1, =TH_init_task
BL      TH_create_init_task
LDR     PC, [SP],#4
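As an added example (not code from ML's 5d-hack.c nor from Canon's firmware), here is a small C sketch of the ARM encodings behind two things listed above: the "LDR PC, =label" entry at 0xFF810000 and the INSTR( 0xFF812AE8 ) = RET_INSTR hook. The in-RAM ROM image, the literal-pool address 0xFF810008 and the stand-in LDR R0 word are assumptions; ARM mode with PC = address + 8 is assumed throughout.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ROM_BASE  0xFF810000u  /* DryOS bootstrap ROM base (from the page) */
#define SUB2_ADDR 0xFF812A98u  /* AJ_sub2_bootstrap() (from the page) */
#define HOOK_ADDR 0xFF812AE8u  /* instruction ML replaces with RET_INSTR (from the page) */

/* BX LR in ARM mode: what a "RET_INSTR" has to encode to return to the caller. */
uint32_t arm_bx_lr(void) { return 0xE12FFF1Eu; }

/* B <target>: 24-bit signed word offset relative to pc+8 (ARM pipeline). */
int arm_b(uint32_t pc, uint32_t target, uint32_t *out) {
    int32_t delta = (int32_t)(target - (pc + 8));
    if (delta & 3) return -1;                              /* target must be word aligned */
    delta >>= 2;
    if (delta > 0x7FFFFF || delta < -0x800000) return -1;  /* outside +/-32 MB reach */
    *out = 0xEA000000u | ((uint32_t)delta & 0x00FFFFFFu);
    return 0;
}

/* LDR PC, =label == LDR PC, [PC, #+/-imm12]: the literal-pool word is loaded
 * straight into PC (the ROM entry's way of reaching AJ_sub1_bootstrap).
 * The U bit (0x00800000) selects add (pool after pc+8) or subtract. */
int arm_ldr_pc_literal(uint32_t pc, uint32_t literal_addr, uint32_t *out) {
    uint32_t base = pc + 8, off, u;
    if (literal_addr & 3) return -1;
    if (literal_addr >= base) { off = literal_addr - base; u = 0x00800000u; }
    else                      { off = base - literal_addr; u = 0; }
    if (off > 0xFFF) return -1;
    *out = 0xE51FF000u | u | off;
    return 0;
}

/* Overwrite one little-endian instruction in a RAM image of the ROM and hand
 * back the original, which a hook needs in order to resume Canon's code. */
uint32_t patch_instr(uint8_t *img, uint32_t img_base, uint32_t addr, uint32_t instr) {
    uint8_t *p = img + (addr - img_base);
    uint32_t old = (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    p[0] = (uint8_t)instr;         p[1] = (uint8_t)(instr >> 8);
    p[2] = (uint8_t)(instr >> 16); p[3] = (uint8_t)(instr >> 24);
    return old;
}

/* Constructed image: zeros plus a stand-in for "LDR R0, =AJ_bss_start_SetupRelated"
 * at the hook address; returns the instruction the RET_INSTR patch displaced. */
uint32_t demo_hook(void) {
    static uint8_t img[0x3000];                 /* models 0xFF810000..0xFF813000 (assumed size) */
    memset(img, 0, sizeof img);
    patch_instr(img, ROM_BASE, HOOK_ADDR, 0xE59F0000u);   /* constructed LDR R0, [PC, #0] */
    return patch_instr(img, ROM_BASE, HOOK_ADDR, arm_bx_lr());
}
```

Running arm_ldr_pc_literal(0xFF810000, 0xFF810008) gives E59FF000, i.e. "LDR PC, [PC, #0]", which fits AJ_sub1_bootstrap starting right after the pool at 0xFF81000C; arm_b(HOOK_ADDR, SUB2_ADDR) gives the backward branch EAFFFFEA.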

and if you wonder what does ""

here is the start page to read:

I'll come back...

Indy: see also
