Changes

75 bytes removed ,  17:12, 18 April 2018
Fixed very stupid misconceptions based on MCU_FIRM disassembly
Line 552: Line 552:  
=MCU firmware versions=
 
=MCU firmware versions=
   −
These reside in mcu-module .rodata, are uploaded to MCU register 0x05 and are usually 0x4003 bytes in size (the actual firmware is 0x4000 bytes preceeded by a 3 byte magic header "<code>jhl</code>" which switches the I2C comms into flash write mode).   
+
These reside in mcu sysmodule .rodata, are uploaded to MCU register 0x05 and are usually 0x4003 bytes in size (the actual firmware is 0x4000 bytes preceeded by a 3 byte magic header "<code>jhl</code>" which switches the I2C comms into flash write mode).   
 
Switching requires register 0x05 (at address <code>0xFFBA9</code>) to contain 0x6A ('<code>j</code>'), register 0x06 containing 0x68 ('<code>h</code>'), and writing 0x6C ('<code>l</code>') to register 0x07. The actual flashing sequence is only signaled (code at 0x3312-0x331A) when writing register 0x07, it's skipped otherwise. Register 0x07 gets written anyways, just the actual signaling is skipped if the conditions aren't met.
 
Switching requires register 0x05 (at address <code>0xFFBA9</code>) to contain 0x6A ('<code>j</code>'), register 0x06 containing 0x68 ('<code>h</code>'), and writing 0x6C ('<code>l</code>') to register 0x07. The actual flashing sequence is only signaled (code at 0x3312-0x331A) when writing register 0x07, it's skipped otherwise. Register 0x07 gets written anyways, just the actual signaling is skipped if the conditions aren't met.
   −
Before the upload could commence, WiFi interrupts are turned off via GPIO command 0x00020080(0, 0x40000), then after the upload completed, the sysmodule waits exactly one second for the MCU to reboot, then turns WiFi interrupts back on via <code>gpio:MCU</code> command 0x00020080(0x40000, 0x40000).
+
Before the upload could commence, external MCU interrupts are turned off via GPIO command 0x00020080(0, 0x40000), then after the upload completed, the sysmodule waits exactly one second for the MCU to reboot, then turns external MCU interrupts back on via <code>gpio:MCU</code> command 0x00020080(0x40000, 0x40000).
   −
There exists an alternate code path where uploading is done using register 0x3B (if register 0x0F is zero meaning all peripherals are turned off, and 0x10 must be 1 (power button pressed/held)). This may be a "hack" around early versions of MCU? Register 0x3B is part of the RTC alarm registers on recent versions of MCU.
+
There exists an alternate code path in very old MCU_FIRM versions where uploading is done using register 0x3B (if register 0x0F is zero and 0x10 is 1). Register 0x3B is part of the RTC alarm registers on recent versions of MCU.
    
On dev-units, the user-facing representation of this firmware version is displayed by first subtracting 0x10 from the major field (raw register 0x00). It is these user-facing versions that are displayed in the table below. It is unknown what bit4 (0x10) actually represents, but it is seemingly always set.
 
On dev-units, the user-facing representation of this firmware version is displayed by first subtracting 0x10 from the major field (raw register 0x00). It is these user-facing versions that are displayed in the table below. It is unknown what bit4 (0x10) actually represents, but it is seemingly always set.
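Review bot: In the rewritten alternate-code-path paragraph, "very old MCU_FIRM versions" gives no version bound, and the new text drops the earlier explanation of what register 0x0F being zero and register 0x10 being 1 mean without putting anything in its place. Name the versions from the table below in which the register 0x3B upload path exists, and either state what the two register conditions represent or mark them as unknown, as the last paragraph does for bit4. In the interrupt paragraph the first call is written as "GPIO command 0x00020080(0, 0x40000)" and the second as "<code>gpio:MCU</code> command 0x00020080(0x40000, 0x40000)"; use the same service name for both so it is clear they are the same command with different arguments. The first changed line also carries over the misspelling "preceeded" (preceded).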