d21c18d1f0
Nothing is correct at the moment, but basic commands are integrated into the shell, which will simplifying merging later on for files that are shared-edit. |
||
|---|---|---|
| include | ||
| scriptic | ||
| .gitignore | ||
| _divsi3.S | ||
| _udivsi3.S | ||
| bionic.c | ||
| cmd-bl.c | ||
| cmd-hex.c | ||
| cmd-irq.c | ||
| cmd-lcd.c | ||
| cmd-led.c | ||
| cmd-peekpoke.c | ||
| cmd-reboot.c | ||
| cmd-sleep.c | ||
| cmd-spi.c | ||
| emi.c | ||
| fernly-loader.c | ||
| fernvale.ld | ||
| irq.c | ||
| irqasm.S | ||
| loader.S | ||
| magic.mk | ||
| main.c | ||
| Makefile | ||
| memio.c | ||
| mkenv.mk | ||
| README.md | ||
| scriptic.c | ||
| serial.c | ||
| spi.c | ||
| spin.sh | ||
| start.S | ||
| usb-loader.S | ||
| utils.c | ||
| vectors.c | ||
| vsprintf.c | ||
Fernly - Fernvale Reversing OS
Fernly is a simple operating system designed for use in the reverse engineering of the Fernvale CPU. It will likely be disposed of when the system has been understood well enough to implement a full operating system.
Usage
To compile, simply run "make".
To install, use radare2:
$ sudo radare2 fv://
[0x00000000]> s 0x3460
[0x00003460]> wf .//build/firmware.bin
Chip notes
The chip memory-maps SPI at offset 0x10000000.
Memory Map
+------------+------------+------------+-------------------------------------+ | 0x00000000 | 0x0fffffff | 0x0fffffff | PSRAM map, repeated and mirrored | | | | | at 0x00800000 offsets | +------------+------------+------------+-------------------------------------+ | 0x10000000 | 0x1fffffff | 0x0fffffff | Memory-mapped SPI chip | +------------+------------+------------+-------------------------------------+ | ?????????? | ?????????? | ?????????? | ??????????????????????????????????? | +------------+------------+------------+-------------------------------------+ | 0x70000000 | 0x7000cfff | 0xcfff | On-chip SRAM (maybe cache?) | +------------+------------+------------+-------------------------------------+ | ?????????? | ?????????? | ?????????? | ??????????????????????????????????? | +------------+------------+------------+-------------------------------------+ | 0x80000000 | 0x80000008 | 0x08 | Config block (chip version, etc.) | +------------+------------+------------+-------------------------------------+ | 0x82000000 | 0x82d00000 | ?????????? | Modem system stuff | +------------+------------+------------+-------------------------------------+ | 0x83000000 | 0xa3090000 | ?????????? | Modem peripheral stuff | +------------+------------+------------+-------------------------------------+ | 0xa0000000 | 0xa0000008 | 0x08 | Config block (mirror?) | +------------+------------+------------+-------------------------------------+ | 0xa0010000 | ?????????? | ?????????? | Power, config block | +------------+------------+------------+-------------------------------------+ | 0xa0020000 | 0xa0020e10 | 0x0e10 | GPIO control block | +------------+------------+------------+-------------------------------------+ | 0xa0030000 | 0xa0030040 | 0x40 | WDT block | | | | | + 0x08 -> WDT register (?) | | | | | + 0x18 -> Boot src (?) | +------------+------------+------------+-------------------------------------+ | 0xa0030800 | ?????????? | ?????????? | ???????????????????????????? | +------------+------------+------------+-------------------------------------+ | 0xa0040000 | ?????????? | ?????????? | ??????????????????????????????????? | +------------+------------+------------+-------------------------------------+ | 0xa0050000 | ?????????? | ?????????? | External memory block | +------------+------------+------------+-------------------------------------+ | 0xa0060000 | ?????????? | ?????????? | IRQ Controller block | +------------+------------+------------+-------------------------------------+ | 0xa0070000 | ========== | ========== | DMA Controller block | +------------+------------+------------+-------------------------------------+ | 0xa0080000 | 0xa008005c | 0x5c | UART1 block | +------------+------------+------------+-------------------------------------+ | 0xa0090000 | 0xa009005c | 0x5c | UART2 block | +------------+------------+------------+-------------------------------------+ | 0xa00a0000 | ?????????? | ?????????? | ??????????????????????????????????? | +------------+------------+------------+-------------------------------------+ | 0xa00b0000 | 0xa00b006c | 0x6c | Bluetooth interface block | +------------+------------+------------+-------------------------------------+ | 0xa00c0000 | 0xa00c002c | 0x2c | General purpose timer block | +------------+------------+------------+-------------------------------------+ | 0xa00d0000 | 0xa00d0024 | 0x24 | Keypad scanner block | +------------+------------+------------+-------------------------------------+ | 0xa00e0000 | 0xa00e0008 | 0x0c | PWM1 block | +------------+------------+------------+-------------------------------------+ | 0xa00f0000 | 0xa00f00b0 | 0xb0 | SIM1 interface block | +------------+------------+------------+-------------------------------------+ | 0xa0100000 | 0xa01000b0 | 0xb0 | SIM2 interface block | +------------+------------+------------+-------------------------------------+ | 0xa0110000 | ?????????? | ?????????? | ??????????????????????????????????? | +------------+------------+------------+-------------------------------------+ | 0xa0120000 | 0xa0120074 | 0x74 | I2C block | +------------+------------+------------+-------------------------------------+ | 0xa0130000 | 0xa0130098 | 0x98 | SD1 block (MSDC) | +------------+------------+------------+-------------------------------------+ | 0xa0140000 | ?????????? | ?????????? | Serial flash block | +------------+------------+------------+-------------------------------------+ | 0xa0150000 | ?????????? | ?????????? | ?? MAYBE also SPI ????????????????? | +------------+------------+------------+-------------------------------------+ | 0xa0160000 | ?????????? | ?????????? | Die-to-die master interface | +------------+------------+------------+-------------------------------------+ | 0xa0170000 | ?????????? | ?????????? | Analogue chip controller block | +------------+------------+------------+-------------------------------------+ | 0xa0180000 | ?????????? | ?????????? | TOPSM block | +------------+------------+------------+-------------------------------------+ | 0xa0190000 | 0xa0190310 | 0x58 | HIF (DMA?) interface block | +------------+------------+------------+-------------------------------------+ | 0xa01b0000 | 0xa01b0058 | 0x58 | NLI (arbiter) interface block | +------------+------------+------------+-------------------------------------+ | 0xa01c0000 | ?????????? | ?????????? | EFuse block | +------------+------------+------------+-------------------------------------+ | 0xa01e0000 | ?????????? | ?????????? | SPI block | +------------+------------+------------+-------------------------------------+ | 0xa01f0000 | 0xa01f0060 | 0x60 | OS timer block | +------------+------------+------------+-------------------------------------+ | 0xa0210000 | ?????????? | ?????????? | More analog bits | +------------+------------+------------+-------------------------------------+ | 0xa0220000 | ?????????? | ?????????? | MBist block | +------------+------------+------------+-------------------------------------+ | 0xa0240000 | ?????????? | ?????????? | NAND flash block | +------------+------------+------------+-------------------------------------+ | 0xa0260000 | 0xa0260058 | 0x58 | FSPI (internal FM radio) block | +------------+------------+------------+-------------------------------------+ | 0xa0270000 | 0xa0270098 | 0x98 | SD2 block | +------------+------------+------------+-------------------------------------+ | 0xa0400000 | ?????????? | ?????????? | IMGDMA block | +------------+------------+------------+-------------------------------------+ | 0xa0410000 | ?????????? | ?????????? | IDP RESZ CR2 | +------------+------------+------------+-------------------------------------+ | 0xa0420000 | 0xa04201d8 | 0x01d8 | CAM interface block | +------------+------------+------------+-------------------------------------+ | 0xa0430000 | ?????????? | ?????????? | Serial camera block | +------------+------------+------------+-------------------------------------+ | 0xa0440000 | ?????????? | ?????????? | 2D graphics block | +------------+------------+------------+-------------------------------------+ | 0xa0450000 | ?????????? | ?????????? | LCD interface block | +------------+------------+------------+-------------------------------------+ | 0xa0460000 | ?????????? | ?????????? | Multimedia system BIST block | +------------+------------+------------+-------------------------------------+ | 0xa0470000 | ?????????? | ?????????? | Multimedia colour config block | +------------+------------+------------+-------------------------------------+ | 0xa0480000 | ?????????? | ?????????? | Multimedia system config block | +------------+------------+------------+-------------------------------------+ | 0xa0500000 | ?????????? | ?????????? | ARM configuration block | +------------+------------+------------+-------------------------------------+ | 0xa0510000 | ?????????? | ?????????? | Boot configuration block | +------------+------------+------------+-------------------------------------+ | 0xa0520000 | ?????????? | ?????????? | Code decompression engine block | +------------+------------+------------+-------------------------------------+ | 0xa0530000 | ?????????? | ?????????? | Level 1 cache block | +------------+------------+------------+-------------------------------------+ | 0xa0540000 | ?????????? | ?????????? | MPU config block | +------------+------------+------------+-------------------------------------+ | 0xa0700000 | ?????????? | ?????????? | Power management block | | | | | Write (val & 0xfe0f | 0x140) to | | | | | 0xa0700230 to power off. | +------------+------------+------------+-------------------------------------+ | 0xa0710000 | 0xa0710078 | 0x78 | RTC block | +------------+------------+------------+-------------------------------------+ | 0xa0720000 | ?????????? | ?????????? | Analogue baseband config block | +------------+------------+------------+-------------------------------------+ | 0xa0730000 | 0xa0730100 | ?????? | Analogue die config | +------------+------------+------------+-------------------------------------+ | 0xa0730104 | 0xa073104c | ?????? | GPIO mode / pull control blocks | +------------+------------+------------+-------------------------------------+ | 0xa074000c | 0xa0740014 | 0x0c | PWM2 block | +------------+------------+------------+-------------------------------------+ | 0xa0740018 | 0xa0740020 | 0x0c | PWM3 block | +------------+------------+------------+-------------------------------------+ | 0xa0750000 | 0xa075005c | 0x5c | ADCDET block | +------------+------------+------------+-------------------------------------+ | 0xa0760000 | ?????????? | ?????????? | Analogue IRQ controller | +------------+------------+------------+-------------------------------------+ | 0xa0790000 | 0xa07900d8 | 0xd8 | ADC block | +------------+------------+------------+-------------------------------------+ | 0xa07a0000 | ?????????? | ?????????? | Analogue Die-to-die block | +------------+------------+------------+-------------------------------------+ | 0xa0900000 | 0xa0900240 | ?????????? | USB block | +------------+------------+------------+-------------------------------------+ | 0xa0910000 | ?????????? | ?????????? | ??????????????????????????????????? | +------------+------------+------------+-------------------------------------+ | 0xa0920000 | ?????????? | ?????????? | AHB DMA block | +------------+------------+------------+-------------------------------------+ | 0xa3300000 | 0xa33a0000 | ?????????? | Bluetooth things | +------------+------------+------------+-------------------------------------+