ESP8266 ROM XTOS
1 逆向工程
2 探索
2.1 SYSTEM_RTC_MEM_READ
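/*
 * Copy `length` bytes from RTC memory into `buff`.
 *
 * addr   - start offset in 4-byte words from the RTC memory base 0x60001100
 * buff   - destination buffer; must be non-NULL and 4-byte aligned
 * length - number of bytes to copy; must be a non-negative multiple of 4
 *
 * Returns 1 on success and 0 when an argument is rejected.
 */
uint32 system_rtc_mem_read(int32 addr, void *buff, int32 length)
{
    int32 blocks;

    // Reads are not limited to words 64 and up the way system_rtc_mem_write
    // is: system_get_rst_info reads its record from word 0.
    if (buff == 0) return 0;
    // the copy is done in 32-bit words, so the destination must be aligned
    if (((uint32)buff & 0x3) != 0) return 0;
    // whole words only; a negative length used to fall through as "success"
    if (length < 0 || (length & 0x3) != 0) return 0;
    // Hardening added to the decompiled listing: bound addr before it is
    // multiplied. A negative addr, or one large enough for addr * 4 to
    // overflow, would otherwise pass the length check below and move the
    // copy outside the 0x300-byte window.
    if (addr < 0 || addr > (0x300 / 4)) return 0;
    // the requested range must end inside the 0x300-byte window
    if (length > (0x300 - (addr * 4))) return 0;

    // copy word by word, last word first
    for (blocks = (length >> 2) - 1; blocks >= 0; blocks--) {
        volatile uint32 *ram = ((uint32*)buff) + blocks;
        volatile uint32 *rtc = ((uint32*)0x60001100) + addr + blocks;
        *ram = *rtc;
    }
    return 1;
}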
2.2 SYSTEM_RTC_MEM_WRITE
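/*
 * Copy `length` bytes from `buff` into the user area of RTC memory.
 *
 * addr   - start offset in 4-byte words from the RTC memory base 0x60001100;
 *          words below 64 are refused
 * buff   - source buffer; must be non-NULL and 4-byte aligned
 * length - number of bytes to copy; must be a non-negative multiple of 4
 *
 * Returns 1 on success and 0 when an argument is rejected.
 */
uint32 system_rtc_mem_write(int32 addr, void *buff, int32 length)
{
    int32 blocks;

    // only the user block (word 64 and up) may be written
    if (addr < 64) return 0;
    // Hardening added to the decompiled listing: also bound addr from above.
    // Without this, a very large addr makes addr * 4 overflow, the length
    // check below passes, and the computed pointer no longer lies in the
    // user block that the check above is meant to enforce.
    if (addr > (0x300 / 4)) return 0;
    if (buff == 0) return 0;
    // the copy is done in 32-bit words, so the source must be aligned
    if (((uint32)buff & 0x3) != 0) return 0;
    // whole words only; a negative length used to fall through as "success"
    if (length < 0 || (length & 0x3) != 0) return 0;
    // the requested range must end inside the 0x300-byte window
    if (length > (0x300 - (addr * 4))) return 0;

    // copy word by word, last word first
    for (blocks = (length >> 2) - 1; blocks >= 0; blocks--) {
        volatile uint32 *ram = ((uint32*)buff) + blocks;
        volatile uint32 *rtc = ((uint32*)0x60001100) + addr + blocks;
        *rtc = *ram;
    }
    return 1;
}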
2.3 SYSTEM_GET_RST_INFO
/*
 * Reset record that system_get_rst_info reads from word 0 of RTC memory.
 * Seven 32-bit fields, so its size is a multiple of 4 as
 * system_rtc_mem_read requires.
 */
struct rst_info {
    // reset reason code; system_get_rst_info treats values >= 7 as invalid
    uint32 reason;
    // NOTE(review): the remaining field names match Xtensa exception
    // registers (EXCCAUSE, EPC1-3, EXCVADDR, DEPC); presumably they are
    // saved when an exception causes the reset. Confirm against the SDK.
    uint32 exccause;
    uint32 epc1;
    uint32 epc2;
    uint32 epc3;
    uint32 excvaddr;
    uint32 depc;
};
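/*
 * Return the reset record stored at the start of RTC memory.
 *
 * The record is read from word 0 and sanitised before it is returned:
 * an out-of-range reason code clears the whole record, and a hardware
 * reset reason of 2 replaces it with a zeroed record whose reason is 6.
 */
struct rst_info system_get_rst_info()
{
    struct rst_info rst;

    // The listing was missing the closing parenthesis on this call. The
    // result is now checked as well, so a rejected read cannot leave
    // uninitialised stack contents in the returned struct.
    if (!system_rtc_mem_read(0, &rst, sizeof(struct rst_info))) {
        ets_memset(&rst, 0, sizeof(struct rst_info));
    }
    // RTC memory contents are not trusted: reason codes of 7 and above
    // are treated as garbage and the record is discarded
    if (rst.reason >= 7) {
        ets_memset(&rst, 0, sizeof(struct rst_info));
    }
    // NOTE(review): reason 6 presumably is the SDK's external-reset code and
    // rtc_get_reset_reason() == 2 the matching hardware cause; confirm
    // against the SDK headers
    if (rtc_get_reset_reason() == 2) {
        ets_memset(&rst, 0, sizeof(struct rst_info));
        rst.reason = 6;
    }
    return rst;
}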
3 CACHE_READ_ENABLE
Cache_Read_Enable is defined in the Boot ROM (XTOS) at memory address 0x40004678
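/* odd_even picks the odd or even flash bank, mb_count picks which bank of
 * that parity is mapped; the purpose of no_idea is not known. */
void Cache_Read_Enable(uint8 odd_even, uint8 mb_count, uint8 no_idea);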
Valid values for odd_even:
0 – clears bits 24 & 25 of control register 0x3FF0000C
1 – clears bit 24, sets bit 25
other – clears bit 25, sets bit 24
Function of odd_even:
0 – allows access to even numbered mb
1 – allows access to odd numbered mb
other – appears to do the same as 1; there must be a difference, but I haven’t worked out what it is
Valid values for mb_count:
0-7 – set bits 16, 17 & 18 of control register 0x3FF0000C
Function of mb_count:
Which odd or even bank to map (according to odd_even option)
e.g. mb_count = 0, odd_even = 0 -> map first 8Mbit of flash
e.g. mb_count = 0, odd_even = 1 -> map second 8Mbit of flash
e.g. mb_count = 1, odd_even = 0 -> map third 8Mbit of flash
e.g. mb_count = 1, odd_even = 1 -> map fourth 8Mbit of flash
Valid values for no_idea:
0 – sets bit 3 of 0x3FF00024
1 – sets bit 26 of 0x3FF0000C and sets bits 3 & 4 of 0x3FF00024
Function of no_idea:
The clue is in the name, I can’t work out what this does from my experiments, but the SDK always sets this to 1.
/*
 * Decompiled Boot ROM routine that programs the flash cache mapping.
 *
 * odd_even - 0 clears bits 24 and 25 of 0x3FF0000C, 1 sets bit 25,
 *            any other value sets bit 24
 * mb_count - written to bits 16-18 of 0x3FF0000C (expected range 0-7)
 * no_idea  - written to bit 26 of 0x3FF0000C (expected range 0-1) and
 *            selects which bits are set in 0x3FF00024
 *
 * The body is a sequence of volatile register accesses, so statement
 * order matters. Both wait loops spin with no timeout.
 */
void Cache_Read_Enable(uint8 odd_even, uint8 mb_count, uint8 no_idea) {
    uint32 base1 = 0x3FEFFE00;
    volatile uint32 *r20c = (uint32*)(base1 + 0x20c); // control register 0x3FF0000C
    volatile uint32 *r224 = (uint32*)(base1 + 0x224); // register 0x3FF00024
    uint32 base2 = 0x60000200;
    volatile uint32 *r008 = (uint32*)(base2 + 8);     // register 0x60000208
    // keep writing until bit 8 reads back as clear
    // NOTE(review): the mask 0xeff also clears bits 12-31, not only bit 8.
    // Confirm against the disassembly that this is what the ROM does and
    // not a truncated constant in the decompilation.
    while (*r20c & 0x100) {
        *r20c &= 0xeff;
    }
    *r008 &= 0xFFFDFFFF; // clear bit 17
    // NOTE(review): 0x7e keeps only bits 1-6, so bit 0 and everything from
    // bit 7 upward is cleared here (same question as for 0xeff above)
    *r20c &= 0x7e;
    *r20c |= 0x1; // set bit 0, then wait for bit 1 to come up
    while ((*r20c & 0x2) == 0) {
    }
    *r20c &= 0x7e;
    *r008 |= 0x20000; // set bit 17 again
    if (odd_even == 0) {
        *r20c &= 0xFCFFFFFF; // clear bits 24 & 25
    } else if (odd_even == 1) {
        *r20c &= 0xFEFFFFFF; // clear bit 24
        *r20c |= 0x2000000; // set bit 25
    } else {
        *r20c &= 0xFDFFFFFF; // clear bit 25
        *r20c |= 0x1000000; // set bit 24
    }
    *r20c &= 0xFBF8FFFF; // clear bits 16, 17, 18, 26
    // NOTE(review): neither argument is masked before the shift. An
    // mb_count above 7 spills into bits 19-23, and a no_idea above 1 is
    // shifted into bits 27 and up (past bit 31 for larger values), so
    // callers must keep both in range.
    *r20c |= ((no_idea << 0x1a) | (mb_count << 0x10)); // set bits 26 & 18/17/16
    // no_idea should be 0-1 (1 bit), mb_count 0-7 (3 bits)
    if (no_idea == 0) {
        *r224 |= 0x08; // set bit 3
    } else {
        *r224 |= 0x18; // set bits 3 & 4
    }
    // keep writing until bit 8 reads back as set
    while ((*r20c & 0x100) == 0) {
        *r20c |= 0x100;
    }
    return;
}