Pseudocode for low-level boot of S-Gold CPU

When the S-Gold is reset, the ROM mask enable bit is set and the lower 0x8000 bytes of memory comes from the ROM mask. The reset vector in ROM jumps to 0x400000, what we're calling the S-Gold “bootrom”. The following is pseudocode for the decisions made by the bootrom following a reset – whether to simply run the existing bootloader by jumping to the address contained at 0xA0000038 or whether to accept a serial payload and execute that instead.

Notes:

  • The pseudocode at one point calls the checkblank() routine, discussed here
  • Getting the bootrom to execute your “serial payload” is the key goal here. Geo's “testcode.bb” payload from his August 2007 hardware unlock is one example of the serial payload being used. So is the “main-hldl.c” payload from his February 2008 gbootloader package.
boot_based_on_reset_type() {
  if (SCU_SNUM2[24]==1) {  // special HWID
    boot_special_iphone();
    /*NOTREACHED*/
  }
  if (*watchdog reset*) {
    boot_flag1 = 2;
    set_watchdog_timer_value(3000);
    run_bl_if_cjkt();
  } else if (*software reset*) {
    boot_flag1 = 1;
    set_watchdog_timer_value(3000);
    run_bl_if_cjkt();
  } else if (*external reset*) {
    boot_flag1 = 0;
    run_bl_or_bldl();
  } else {
    while (1);  // loop forever
  }
}
static int beenhere = 0;
run_bl_if_cjkt() {
  if (beenhere==1)
    while (1); // loop forever
  beenhere = 1;
  ebu_setup_bl_memory();  // can be nor or flash or even sdram
  bl_start = readbl(0xA0000038);
  bl_cjkt  = readbl(0xA000003C);
  if ( bl_start&0x3 || bl_cjkt!="CJKT")
    run_bl_or_bldl();
  else
    jump to bl_start;
  /*NOTREACHED*/
}
external char *serialbuf;
run_bl_or_bldl() {
  if (*serial port does not have "AT" waiting*) {
    run_bl_if_cjkt();
    /*NOTREACHED*/
  }
  while (*serial port still being spammed with "AT"*)
    ; // wait for final AT
  serial_tx(0xC0);     // hello
  while (serial_rx() != 0x30)
    ; // wait for 0x30 (helloACK)
  while(load_from_serial(serialbuf)==0) {
    serial_tx(0x1C);  // failed XOR checksum
    // try again
  }
  serial_tx(0xC1);  // passed XOR checksum
  if (SCU_SNUM3[24]==1) {  // special HWID
    jump to serialbuf;     // excecute serial payload without further checks
  }
  int cb = checkblank();
  if (cb==-1) {        // bootloader is intact
    while (1);         // loop forever
  } else if (cb==0) {  // bootloader is "empty"
    jump to serialbuf; // execcute serial payload
  } else if (cb==1) {  // bootloader is "special"
    jump to (readbl(0xA0000030));
  }
}   
sgold_bootrom/pseudocode.txt · Last modified: 2008/02/20 08:52 (external edit)
 
Recent changes RSS feed Donate Powered by PHP Valid XHTML 1.0 Valid CSS Driven by DokuWiki