Parent: 2.0.4 AJ
Ref: 2.0.4 Top Level Routines.
--- UNDER CONSTRUCTION --
Yes - there is information about bootstrap all over the place.
What I list here is what Canon's 2.0.4 DryOS does, highlighting where ML's 5d-hack.c updates the DryOS code.
DryOS bootstrap code, as it is stored at 0xFF810000, i.e. before it is copied from ROM[]
[0xFF810000] AJ_guess_bootstrap()
    LDR PC, =AJ_sub1_bootstrap
.
[0xFF81000C] AJ_sub1_bootstrap()
    -> Initialize DIGIC structures
       [0xC0000000 -> 0xC0000100],[0xC0200000],[0xC0400008],[0xC0243100],[0xC0242010]
    Create a STACK at 0x1900 -> 0x21C48.
    Copy data from 0xFFCD15B0
        memcpy( 0x1900_rw_data_start, 0xFFCD15B0_rwdata_copy , 0x21C48 - 0x1900 )
    Initialise to end of BSS segment 0x21C48 -> 0x4D458
        memset( 0x21C48_bss_start, #0, 0x4D458_bss_end - 0x21C48_bss_start)
    B AJ_sub2_bootstrap
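The copy-and-clear step of AJ_sub1_bootstrap(), modelled in C over a host buffer. This is an added example, not Canon's or Magic Lantern's code: the function names, the bounds checks and the fill patterns are constructed, and only the three RAM addresses come from the listing above.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* RAM addresses taken from the AJ_sub1_bootstrap() listing. */
#define RW_DATA_START 0x1900u
#define BSS_START     0x21C48u  /* end of rw data, start of BSS */
#define BSS_END       0x4D458u

size_t rw_data_len(void) { return BSS_START - RW_DATA_START; }
size_t bss_len(void)     { return BSS_END - BSS_START; }

/* Hypothetical model of the memcpy/memset pair. `ram` stands in for
 * address 0 upward, `rom_copy` for the image stored at 0xFFCD15B0.
 * Returns 0 on success, -1 if either buffer is too small. */
int boot_init_ram(uint8_t *ram, size_t ram_size,
                  const uint8_t *rom_copy, size_t rom_size)
{
    if (ram_size < BSS_END || rom_size < rw_data_len())
        return -1;
    memcpy(ram + RW_DATA_START, rom_copy, rw_data_len()); /* rw data */
    memset(ram + BSS_START, 0, bss_len());                /* clear BSS */
    return 0;
}

/* Constructed demo: RAM starts as 0xAA garbage, the ROM image is a
 * byte pattern. Returns 0 when the resulting layout is as expected. */
int demo(void)
{
    uint8_t *ram = malloc(BSS_END);
    uint8_t *rom = malloc(rw_data_len());
    if (!ram || !rom) { free(ram); free(rom); return -1; }
    memset(ram, 0xAA, BSS_END);
    for (size_t i = 0; i < rw_data_len(); i++)
        rom[i] = (uint8_t)(i * 7u + 1u);
    int rc = boot_init_ram(ram, BSS_END, rom, rw_data_len());
    int ok = rc == 0
        && ram[RW_DATA_START - 1] == 0xAA  /* below 0x1900 untouched */
        && memcmp(ram + RW_DATA_START, rom, rw_data_len()) == 0
        && ram[BSS_START] == 0 && ram[BSS_END - 1] == 0;
    free(ram); free(rom);
    return ok ? 0 : 1;
}

int main(void) { return demo(); }
```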
ML works by hijacking the first line of AJ_sub2_bootstrap() and, once complete, jumping back.
[0xFF812A98] AJ_sub2_bootstrap()
    +-------------------------------------------------+
    | BEFORE ML: LDR R0, =AJ_bss_start_SetupRelated   |
    | AFTER ML:  INSTR( 0xFF812AE8 ) = RET_INSTR;     |
    +-------------------------------------------------+
    First memcpy -> [0x0000] = zero page <--WRITES BSS RELATED DATA HERE--> [0x04B0] -> [0x????????] = AJ_bss_start_SetupRelated
        memcpy( 0x0000, AJ_bss_start_SetupRelated , 0x4B0)
    AJAJ: Need to replace 'TH_interrupt_0x4b0' with actual address
    Second memcpy -> [0x4B0] <--WRITES HERE--> [0x????] -> [0xFF812D34] = ?? Not sure what this is : AJAJ ... have a look at IDA
        memcpy( 0x4B0, TH_interrupt_0x4b0, 0xFF812D34 - TH_interrupt_0x4b0)
    "CPSR is updated to put the ARM into supervisor mode"
    MOV SP, #0x1000
    BL TH_cstart
.
[0xFF810894] TH_cstart()
    ..
    LDR R1, =TH_init_task
    ..
    BL TH_create_init_task
    ..
    LDR PC, [SP],#4
And if you wonder what "magiclantern.lds.S" does,
here is the start page to read: http://ftp.gnu.org/old-gnu/Manuals/ld-2.9.1/html_node/ld_6.html
I'll come back...
Indy: see also http://magiclantern.wikia.com/wiki/Autoexec