Editing Talk:Baryon

Jump to navigation Jump to search
Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 8: Line 8:


* https://www.sendspace.com/file/7gue6e (Pages 100, 104, 105)
* https://www.sendspace.com/file/7gue6e (Pages 100, 104, 105)
* https://github.com/janvdherrewegen/bootl-attacks


= Table =
= Table =
Line 22: Line 21:
| <abbr title="TA-085, TA-088">07/2007</abbr> Frodo || - || B40''x'' || - || - || - || NEC D79F???? / D78F0544 (78K0/KF2, 84 pin)
| <abbr title="TA-085, TA-088">07/2007</abbr> Frodo || - || B40''x'' || - || - || - || NEC D79F???? / D78F0544 (78K0/KF2, 84 pin)
|-
|-
| <abbr title="TA-090, TA-092">07/2008</abbr> Samwise || - || 3A''xx'' || - || - || - || NEC D79F???? / D78F0534 (78K0/KE2, 64 pin)
| <abbr title="TA-090, TA-092">07/2008</abbr> || - || 3A''xx'' || - || - || - || NEC D79F???? / D78F0534 (78K0/KE2, 64 pin)
|-
|-
| <abbr title="TA-093, TA-095, TA-096, TA-097">03/2009</abbr> Samwise VA2 || - || 3B''xx'' || - || - || - || NEC D79F???? / D78F0534 (78K0/KE2, 64 pin)
| <abbr title="TA-093, TA-095, TA-096, TA-097">03/2009</abbr> || - || 3B''xx'' || - || - || - || NEC D79F???? / D78F0534 (78K0/KE2, 64 pin)
|-
|-
| <abbr title="TA-091, TA-094">05/2009</abbr> Strider || - || 40''xx'' || - || - || - || NEC D79F???? / D78F0544 (78K0/KF2, 84 pin)
| <abbr title="TA-091, TA-094">05/2009</abbr> || - || 40''xx'' || - || - || - || NEC D79F???? / D78F0544 (78K0/KF2, 84 pin)
|-
|-
|}
|}
Line 34: Line 33:
* Codename BAR/B30/3A/3B is associated with 64 pin COTS BGA  
* Codename BAR/B30/3A/3B is associated with 64 pin COTS BGA  
* Likewise, B40/40 is associated with 84 pin Custom BGA
* Likewise, B40/40 is associated with 84 pin Custom BGA
== Bootrom List of Commands ==
<pre>
External (0x8522-0x854B):
00 0x80F3 Reset
20 0x93FF Chip Erase
22 0x942F Block Erase
13 0x9379 Verify
32 0x9609 Block Blank Check
40 0x969F Programming
90 0x9994 Oscillating Frequency Set
9E 0x99ED Set Config For Delays
C0 0x9B08 Silicon Signature
C5 0x9B71 Version Get
70 0x9A5B Status
B0 0x9A79 Checksum
A0 0x9C04 Security Set
A4 0x9B97 EA Read (Reads Only first 0x400 bytes)
Internal (0x9FC9 - 0x9FE6):
17 0x8218 EEPROMWrite
0F 0x84B3 EA Read (Reads Everything)
0E 0x84A8 CheckFLMD
0A 0x8475 FlashSetInfo
09 0x8399 FlashGetInfo
08 0x835D FlashBlockBlankCheck
06 0x8321 FlashBlockVerify
04 0x8252 FlashWordWrite
03 0x81DD FlashBlockErase
00 0x81BD FlashEnv
</pre>
== Disasm of EA Read ==
<pre>
Disassembling switch table from 0x0A1F: case 0xA4 at 0x1B97
Disassembling Function 0x1B97
> 0x1B97 - [0x713AC5]  - set1 0xFFC5.3
<  0x1B9A - [0x9A930F]  - call !0x0F93 (prepare_byte_STATUS_BUSY_for_response_packet_02)
  0x1B9D - [0x1611FD]  - movw HL, #0xFD11
  0x1BA0 - [0xAE00]    - mov A, [HL+0x00]
  0x1BA2 - [0x4D00]    - cmp A, #0x00
v  0x1BA4 - [0xBD06]    - bnz $0x1BAC
  0x1BA6 - [0xAE01]    - mov A, [HL+0x01]
  0x1BA8 - [0x4D00]    - cmp A, #0x00
v  0x1BAA - [0xAD08]    - bz $0x1BB4
<> 0x1BAC - [0x9AA70F]  - call !0x0FA7 (prepare_byte_STATUS_PARAM_ERROR_for_response_packet_02)
<  0x1BAF - [0x9A260F]  - call !0x0F26 (receive_packet_01_70_and_send_response_packets_02_and_03)
v  0x1BB2 - [0xFA4C]    - br $0x1C00
<> 0x1BB4 - [0x9A6D0F]  - call !0x0F6D (check_status_success_for_response_packet_02)
<  0x1BB7 - [0x9A260F]  - call !0x0F26 (receive_packet_01_70_and_send_response_packets_02_and_03)
  0x1BBA - [0x710BC7]  - clr1 0xFFC7.0
<  0x1BBD - [0x9AF706]  - call !0x06F7 (set_FFCA_to_01)
  0x1BC0 - [0x112000]  - mov 0xFE20, #0x00 ; <= Starting at address 0x000000
  0x1BC3 - [0x112100]  - mov 0xFE21, #0x00
  0x1BC6 - [0x112200]  - mov 0xFE22, #0x00
<  0x1BC9 - [0x9A6906]  - call !0x0669 (small_delay)
<  0x1BCC - [0x9AFE05]  - call !0x05FE (set_secure_flash_operation_read_with_delay_variable)
  0x1BCF - [0xA304]    - mov B, #0x04 ; <= Looping for 4 times 256 bytes
> 0x1BD1 - [0xA240]    - mov C, #0x40 ; <= Looping for 64 times 4 bytes
  0x1BD3 - [0x1410FD]  - movw DE, #0xFD10
<> 0x1BD6 - [0x9A2712]  - call !0x1227 (read32_secure_flash_to_DE) ; <= Reading 4 bytes
<  0x1BD9 - [0x9AB811]  - call !0x11B8 (increase_address_range)
^  0x1BDC - [0x8AF8]    - dbnz C, $0x1BD6 ; <= End of loop on C
  0x1BDE - [0x63]      - mov A, B
  0x1BDF - [0x4D01]    - cmp A, #0x01
v  0x1BE1 - [0xAD0C]    - bz $0x1BEF
  0x1BE3 - [0xB3]      - push BC
  0x1BE4 - [0x1410FD]  - movw DE, #0xFD10
  0x1BE7 - [0xA200]    - mov C, #0x00 ; <= Packet data size (0x00 means 256 bytes)
<  0x1BE9 - [0x9AA40E]  - call !0x0EA4 (send_response_packet_02_and_17) ; <= Sending back packet of 256 bytes data
  0x1BEC - [0xB2]      - pop BC
^  0x1BED - [0x8BE2]    - dbnz B, $0x1BD1 ; <= End of loop on B
> 0x1BEF - [0xA200]    - mov C, #0x00
  0x1BF1 - [0x1410FD]  - movw DE, #0xFD10
<  0x1BF4 - [0x9AAD0E]  - call !0x0EAD (send_response_packet_02_and_03)
  0x1BF7 - [0x711BC5]  - clr1 0xFFC5.1
<  0x1BFA - [0x9AF305]  - call !0x05F3 (set_secure_flash_operation_read_with_delay_3)
<  0x1BFD - [0x9A1907]  - call !0x0719 (set_FFCA_to_00)
> 0x1C00 - [0x713BC5]  - clr1 0xFFC5.3
  0x1C03 - [0xAF]      - ret
</pre>
Please note that all contributions to PSP Developer wiki are considered to be released under the GNU Free Documentation License 1.2 (see PSP Developer wiki:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

To protect the wiki against automated edit spam, we kindly ask you to solve the following hCaptcha:

Cancel Editing help (opens in new window)