BLOD
The 1st-stage bootloader
The 1st-stage bootstrap (bootloader) code is 8kb, or 16kb on v9, of code that is executed from Z80 (internal) address 0x8000 on every power-up. It has two functional parts:
- load the 2nd-stage bootloader, or if this fails
- enter ADFU Recovery Mode
Execution flow chart
- search NAND flash and load first pages (BREC) into ZRAM1
- if that succeeds, pass execution to it (jp 0x0000); otherwise
- enter ADFU Recovery Mode on any error
Disassembling
; ---------------------------------------------------------------------------
org 0000h
; Internal memory map as used by the loader (addresses from the listing):
;   0000h-3FFFh ZRAM1  - destination of the BREC pages, or of the ADFU image
;   4000h-      URAM   - destination of the copied brec_loader (0C00h bytes -> 4000h-4BFFh)
;   4013h       URAM_SUB   - entry point init calls, i.e. offset 13h into the copied code
;   4F00h       URAM_STACK - initial SP; the stack grows downward from here
ZRAM1: ds 4000h ; 0000: ZRAM1
URAM: ds 13h ; 4000: ZRAM2 (first 13h bytes of the copied brec_loader)
URAM_SUB: ds 0EEDh ; 4013: SUB (called by init; region up to 4F00h)
URAM_STACK: ; 4F00: STACK top; 4C00h-4EFFh (768 bytes) lie between it and the copied code
; ---------------------------------------------------------------------------
org 8000h
ENTRY: jp init ; ENTRYPOINT ON POWER-ON - reset vector; skips the ID bytes and strings that follow
; ---------------------------------------------------------------------------
db 0, 30h, 0, 51h, 0Ch, 20h, 3, 3, 2, 0D6h, 10h, 51h, 0FFh ; 13 bytes at 8003h; their meaning is not documented in this listing
szActos: db "Actos@Actions", 0, 0, 0 ; ID string, NUL-padded to 16 bytes
szGongee: db "Gongee.Zhang", 0, 0, 0, 0 ; ID string, NUL-padded to 16 bytes
; ---------------------------------------------------------------------------
; ---- init: power-on initialisation ----------------------------------------
; Reached via ENTRY (8000h). Sets up the watchdog, interrupt state, PLL,
; memory banking and the stack, copies brec_loader into URAM and calls it at
; URAM_SUB. A == 0 on return means the BREC pages were loaded into ZRAM1 and
; get control at 0000h; any other value copies adfu_mode into ZRAM1 and
; enters it instead. Never returns. Register use: A = port values / status,
; HL/DE/BC = ldir source/destination/length.
init: ld a, 0A2h ; enable watchdog (1.4sec) - presumably so a stall in the load path ends in a reset
out (4Eh), a ; .
ld a, 1 ; unlock A15 (bootmode)
out (4), a ; .
di ; disable interrupts
im 1 ; set interrupt mode 1
xor a ; mask-out interrupts (A = 0)
out (27h), a ; .
ld a, 80h ; enable PLL1
out (42h), a ; .
in a, (70h) ; map B1+B2 to URAM: read-modify-write, sets bits 4 and 5 of port 70h
or 30h ; .
out (70h), a ; .
ld a, 0F7h ; page in ZRAM2
out (5), a ; .
ld sp, URAM_STACK ; SP = 4F00h, inside the region mapped above; first stack use is the call below
ld a, 10h ; select MCU clock source
out (0), a ; .
ld hl, brec_loader ; memcopy (3kb): 8100h..8CFFh -> URAM (4000h..4BFFh)
ld de, URAM ; .
ld bc, 0C00h ; .
ldir ; .
call URAM_SUB ; call copied code at offset 13h: searches NAND and loads the BREC pages into ZRAM1
and a ; returned zero/success? (sets Z from A without changing it)
jp z, ZRAM1 ; yes -> execute brec at 0000h, SP still at URAM_STACK. No integrity check of the loaded pages is visible here; whether brec_loader validates them is not shown in this listing
ld hl, adfu_mode ; failure: memcopy (3kb) 9000h..9BFFh -> ZRAM1 (0000h..0BFFh)
ld de, ZRAM1 ; .
ld bc, 0C00h ; .
ldir ; .
ld sp, 100h ; init stack: top at 100h, so it grows down through the first 256 bytes of the image just copied - presumably adfu_mode reserves that area; not verifiable here
jp ZRAM1 ; jump into ZRAM1 -> ADFU Recovery Mode; the halt that follows is never reached
; ---------------------------------------------------------------------------
halt ; unreachable: both paths of init end in jp ZRAM1; presumably a safety stop
; ---------------------------------------------------------------------------
org 8100h
brec_loader: ;... 0C00h-byte image that init copies to URAM and calls at offset 13h; body elided in this listing
org 9000h
adfu_mode: ;... 0C00h-byte image that init copies to ZRAM1 on load failure; body elided in this listing
; ---------------------------------------------------------------------------

