Common for all models is the entry point on processor reset 0xFFFF0000.
Also the basic boot procedure is the same on the most recent models.
Example how startup works on 600D v1.0.1:[]
- After the processor was reset, it jumps to 0xFFFF0000 where the bootloader (BL) is
- [BL] initalizes some HW module at 0xC0300000
- [BL] loads stack pointer for every processor mode (0x4000067C and up)
- [BL] initalizes a lot registers around 0xC0000000, 0xC0400000, 0xC0300000, ...
- [BL] (MCR/MRC) sets up instruction TCM (tightly-coupled memory), part of I-SRAM, to 4 KiB size at address 0x00000000
- [BL] (MCR/MRC) enables I-SRAM
- [BL] copies interrupt vector table to 0x00000000. Pointers still point to addresses at 0xFFFF0000
- [BL] (MCR/MRC) disables ICache
- [BL] sets up data TCM (tightly-coupled memory), part of D-SRAM, to 4 KiB size at address 0x40000000
- [BL] (MCR/MRC) enables D-SRAM
- [BL] copies FROM-Utility from 0xFFFF2A38 to 0x100000 (1MB)
- [BL] erases data right behind FROM-Utility (lets call it .from_bss)
- [BL] executes FROM-Utility at 0x100000
- [FU] makes the text "imgtest.bin" uppercase... how unnecessary...
- [FU] initializes some hardware at 0xC022D000, 0xC022F000 and 0xC0223000
- [FU] checks 0xF800000C for 0xFFFFFFFF
- if matches: check GPIO at 0xC02200DC for being high -
- if matches:
- check 0xF8000004 == 0xFFFFFFFF || 0xF8000008 != 0xFFFFFFFF
- if it matches
- run autoexec
- if return code of autoexec is != 1, check 0xF8000010 for 0x00000000
- if matches, exec IMGTEST.BIN , then FROM-Utility
- else exec FROM-Utility
- else check 0xF8000000 for 0xFFFFFFFF
- if matches: search for .FIR and try to load it, then check 0xF8000010 again and load IMGTEST.BIN, then FROM-Utility
- else: return 1, which signals the [BL] to execute main firmware
- if not: return 2, which signals the [BL] to run "K286 System & Display Check & Adjustment program"
- if matches:
- if not: search for .FIR and try to load it
- if matches: check GPIO at 0xC02200DC for being high -
- [FU] returns back to [BL] with result in R10
- [BL] checks returncode in R10
- 1: run main firmware at 0xF8010000, that jumps to 0xFF01000C, which is an alias for 0xF801000C
- 2: run "K286 System & Display Check & Adjustment program"
- any other: run boot loader shell
5DMk3 has a similar boot procedure with these differences:
- D-SRAM is initalized before I-SRAM
- FROM-Utility in ROM is at 0xFFFE0000
- Main firmware is at 0xF80C0000 / 0xFF0C0000
- right after D-SRAM init some MPU stuff is initialized