fernly/README.md
2014-07-18 15:37:19 +08:00

Fernly - Fernvale Reversing OS

Fernly is a simple operating system designed for use in the reverse engineering of the Fernvale CPU. It will likely be disposed of when the system has been understood well enough to implement a full operating system.

Usage

To compile, simply run "make".

To install, use radare2:

$ sudo radare2 fv://
[0x00000000]> s 0x3460
[0x00003460]> wf .//build/firmware.bin 

Chip notes

The chip memory-maps SPI at offset 0x10000000.

Memory Map

+------------+------------+------------+-------------------------------------+
| Start      | End        | Size       | Description                         |
+------------+------------+------------+-------------------------------------+
| 0x00000000 | 0x0fffffff | 0x0fffffff | PSRAM map, repeated and mirrored    |
|            |            |            | at 0x00800000 offsets               |
+------------+------------+------------+-------------------------------------+
| 0x10000000 | 0x1fffffff | 0x0fffffff | Memory-mapped SPI chip              |
+------------+------------+------------+-------------------------------------+
| ?????????? | ?????????? | ?????????? | ??????????????????????????????????? |
+------------+------------+------------+-------------------------------------+
| 0x70000000 | 0x7000cfff | 0xcfff     | On-chip SRAM (maybe cache?)         |
+------------+------------+------------+-------------------------------------+
| ?????????? | ?????????? | ?????????? | ??????????????????????????????????? |
+------------+------------+------------+-------------------------------------+
| 0x80000000 | 0x80000008 | 0x08       | Config block (chip version, etc.)   |
+------------+------------+------------+-------------------------------------+
| 0x82200000 | ?????????? | ?????????? |                                     |
+------------+------------+------------+-------------------------------------+
| 0x83000000 | ?????????? | ?????????? |                                     |
+------------+------------+------------+-------------------------------------+
| 0xa0000000 | 0xa0000008 | 0x08       | Config block (mirror?)              |
+------------+------------+------------+-------------------------------------+
| 0xa0010000 | ?????????? | ?????????? | (?SPI mode?) ?????????????????????? |
+------------+------------+------------+-------------------------------------+
| 0xa0020000 | 0xa0020e10 | 0x0e10     | GPIO control block                  |
+------------+------------+------------+-------------------------------------+
| 0xa0030000 | 0xa0030040 | 0x40       | WDT block                           |
|            |            |            | + 0x08 -> WDT register (?)          |
|            |            |            | + 0x18 -> Boot src (?)              |
+------------+------------+------------+-------------------------------------+
| 0xa0030800 | ?????????? | ?????????? | ????????????????????????????        |
+------------+------------+------------+-------------------------------------+
| 0xa0040000 | ?????????? | ?????????? | ??????????????????????????????????? |
+------------+------------+------------+-------------------------------------+
| 0xa0050000 | ?????????? | ?????????? | ??????????????????????????????????? |
+------------+------------+------------+-------------------------------------+
| 0xa0060000 | ?????????? | ?????????? | ?? Possible IRQs at 0xa0060200 ???? |
+------------+------------+------------+-------------------------------------+
| 0xa0070000 | ========== | ========== | == Empty (all zeroes) ============= |
+------------+------------+------------+-------------------------------------+
| 0xa0080000 | 0xa008005c | 0x5c       | UART1 block                         |
+------------+------------+------------+-------------------------------------+
| 0xa0090000 | 0xa009005c | 0x5c       | UART2 block                         |
+------------+------------+------------+-------------------------------------+
| 0xa00a0000 | ?????????? | ?????????? | ??????????????????????????????????? |
+------------+------------+------------+-------------------------------------+
| 0xa00b0000 | 0xa00b006c | 0x6c       | Bluetooth interface block           |
+------------+------------+------------+-------------------------------------+
| 0xa00c0000 | 0xa00c002c | 0x2c       | General purpose timer block         |
+------------+------------+------------+-------------------------------------+
| 0xa00d0000 | 0xa00d0024 | 0x24       | Keypad scanner block                |
+------------+------------+------------+-------------------------------------+
| 0xa00e0000 | 0xa00e0008 | 0x0c       | PWM1 block                          |
+------------+------------+------------+-------------------------------------+
| 0xa00f0000 | 0xa00f00b0 | 0xb0       | SIM1 interface block                |
+------------+------------+------------+-------------------------------------+
| 0xa0100000 | 0xa01000b0 | 0xb0       | SIM2 interface block                |
+------------+------------+------------+-------------------------------------+
| 0xa0110000 | ?????????? | ?????????? | ??????????????????????????????????? |
+------------+------------+------------+-------------------------------------+
| 0xa0120000 | 0xa0120074 | 0x74       | I2C block                           |
+------------+------------+------------+-------------------------------------+
| 0xa0130000 | 0xa0130098 | 0x98       | SD1 block (MSDC)                    |
+------------+------------+------------+-------------------------------------+
| 0xa0140000 | ?????????? | ?????????? | ??????????????????????????????????? |
+------------+------------+------------+-------------------------------------+
| 0xa0160000 | ?????????? | ?????????? | ??????????????????????????????????? |
+------------+------------+------------+-------------------------------------+
| 0xa0170000 | ?????????? | ?????????? | ??????????????????????????????????? |
+------------+------------+------------+-------------------------------------+
| 0xa0180000 | ?????????? | ?????????? | ??????????????????????????????????? |
+------------+------------+------------+-------------------------------------+
| 0xa0190000 | 0xa0190310 | 0x58       | HIF (DMA) interface block           |
+------------+------------+------------+-------------------------------------+
| 0xa01b0000 | 0xa01b0058 | 0x58       | NLI (arbiter) interface block       |
+------------+------------+------------+-------------------------------------+
| 0xa01c0000 | ?????????? | ?????????? | ??????????????????????????????????? |
+------------+------------+------------+-------------------------------------+
| 0xa01e0000 | ?????????? | ?????????? | ??????????????????????????????????? |
+------------+------------+------------+-------------------------------------+
| 0xa01f0000 | 0xa01f0060 | 0x60       | OS timer block                      |
+------------+------------+------------+-------------------------------------+
| 0xa0220000 | ?????????? | ?????????? | ??????????????????????????????????? |
+------------+------------+------------+-------------------------------------+
| 0xa0240000 | ?????????? | ?????????? | ??????????????????????????????????? |
+------------+------------+------------+-------------------------------------+
| 0xa0260000 | 0xa0260058 | 0x58       | FSPI (internal FM radio) block      |
+------------+------------+------------+-------------------------------------+
| 0xa0270000 | 0xa0270098 | 0x98       | SD2 block                           |
+------------+------------+------------+-------------------------------------+
| 0xa0400000 | ?????????? | ?????????? | IMGDMA block                        |
+------------+------------+------------+-------------------------------------+
| 0xa0410000 | ?????????? | ?????????? | IDP RESZ CR2                        |
+------------+------------+------------+-------------------------------------+
| 0xa0420000 | 0xa04201d8 | 0x01d8     | CAM interface block                 |
+------------+------------+------------+-------------------------------------+
| 0xa0430000 | ?????????? | ?????????? | ??????????????????????????????????? |
+------------+------------+------------+-------------------------------------+
| 0xa0440000 | ?????????? | ?????????? | ??????????????????????????????????? |
+------------+------------+------------+-------------------------------------+
| 0xa0450000 | ?????????? | ?????????? | ??????????????????????????????????? |
+------------+------------+------------+-------------------------------------+
| 0xa0460000 | ?????????? | ?????????? | ??????????????????????????????????? |
+------------+------------+------------+-------------------------------------+
| 0xa0480000 | ?????????? | ?????????? | ??????????????????????????????????? |
+------------+------------+------------+-------------------------------------+
| 0xa0500000 | ?????????? | ?????????? | ??????????????????????????????????? |
+------------+------------+------------+-------------------------------------+
| 0xa0510000 | ?????????? | ?????????? | (03 00 00 00 repeated) ???????????? |
+------------+------------+------------+-------------------------------------+
| 0xa0520000 | ?????????? | ?????????? | (contains 0xff at offset 0x2c) ???? |
+------------+------------+------------+-------------------------------------+
| 0xa0530000 | ?????????? | ?????????? | (contains smattering of bits) ????? |
+------------+------------+------------+-------------------------------------+
| 0xa0540000 | ?????????? | ?????????? | (contains smattering of bits) ????? |
+------------+------------+------------+-------------------------------------+
| 0xa0700000 | ?????????? | ?????????? | Power management block              |
|            |            |            | Write (val & 0xfe0f | 0x140) to     |
|            |            |            | 0xa0700230 to power off.            |
+------------+------------+------------+-------------------------------------+
| 0xa0710000 | 0xa0710078 | 0x78       | RTC block                           |
+------------+------------+------------+-------------------------------------+
| 0xa0720000 | ?????????? | ?????????? | ??????????????????????????????????? |
+------------+------------+------------+-------------------------------------+
| 0xa0730104 | 0xa073104c | ??????     | GPIO mode / pull control blocks     |
+------------+------------+------------+-------------------------------------+
| 0xa074000c | 0xa0740014 | 0x0c       | PWM2 block                          |
+------------+------------+------------+-------------------------------------+
| 0xa0740018 | 0xa0740020 | 0x0c       | PWM3 block                          |
+------------+------------+------------+-------------------------------------+
| 0xa0750000 | 0xa075005c | 0x5c       | ADCDET block                        |
+------------+------------+------------+-------------------------------------+
| 0xa0760000 | ?????????? | ?????????? | ??????????????????????????????????? |
+------------+------------+------------+-------------------------------------+
| 0xa0790000 | 0xa07900d8 | 0xd8       | ADC block                           |
+------------+------------+------------+-------------------------------------+
| 0xa0900000 | 0xa0900240 | 0x33       | USB block                           |
+------------+------------+------------+-------------------------------------+
| 0xf00d1000 | 0xf00db000 | ?????????? |                                     |
+------------+------------+------------+-------------------------------------+
| 0xf0115500 | ?????????? | ?????????? |                                     |
+------------+------------+------------+-------------------------------------+
| 0xf0133300 | ?????????? | ?????????? |                                     |
+------------+------------+------------+-------------------------------------+
| 0xf0243c00 | 0xf0244200 | ?????????? |                                     |
+------------+------------+------------+-------------------------------------+
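
An added example, not part of the Fernly project: a small Python parser for the grid-table format of the memory map above, used to resolve an MMIO address seen in a disassembly to its block and offset. The sample rows are copied from the table; the function names and the choice to treat a row with an unknown end address as open-ended are assumptions of this example.

```python
import re

# Rows copied from the memory map above (a subset, so the example runs offline).
SAMPLE_MAP = """
| 0x10000000 | 0x1fffffff | 0x0fffffff | Memory-mapped SPI chip              |
+------------+------------+------------+-------------------------------------+
| ?????????? | ?????????? | ?????????? | ??????????????????????????????????? |
+------------+------------+------------+-------------------------------------+
| 0xa0030000 | 0xa0030040 | 0x40       | WDT block                           |
|            |            |            | + 0x08 -> WDT register (?)          |
|            |            |            | + 0x18 -> Boot src (?)              |
+------------+------------+------------+-------------------------------------+
| 0xa0080000 | 0xa008005c | 0x5c       | UART1 block                         |
| 0xa0700000 | ?????????? | ?????????? | Power management block              |
|            |            |            | Write (val & 0xfe0f | 0x140) to     |
|            |            |            | 0xa0700230 to power off.            |
"""

def _hex(cell):
    """Int value of a hex cell, or None for blank, '????' or header cells."""
    return int(cell, 16) if re.fullmatch(r"0x[0-9a-fA-F]+", cell) else None

def parse_map(text):
    """Parse grid-table rows into dicts; blank-address rows continue the previous row."""
    regions, cur = [], None
    for line in text.splitlines():
        if not line.startswith("|"):
            continue  # '+---+' separators and blank lines
        # maxsplit=3: the description may itself contain '|' (see the power-off note)
        start, end, size, desc = (c.strip() for c in line.strip()[1:-1].split("|", 3))
        if not start and cur is not None:
            cur["desc"] += " " + desc  # continuation of a multi-line description
            continue
        base = _hex(start)
        cur = None if base is None else {"start": base, "end": _hex(end), "size": _hex(size), "desc": desc}
        if cur:
            regions.append(cur)
    return regions

def resolve(regions, addr):
    """Return (description, offset, extent_known) for the block holding addr, else None."""
    below = [r for r in regions if r["start"] <= addr]
    if not below:
        return None
    best = max(below, key=lambda r: r["start"])
    if best["end"] is not None and addr > best["end"]:
        return None  # beyond the documented end of the nearest block
    return best["desc"], addr - best["start"], best["end"] is not None
```

When `extent_known` is false, the match only means the address lies above that block's base; the table does not say how far the block extends.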