target_dsp/calypso: Add a custom DSP patch for burst sniffing

Load it, then set gprs_install_address to 0x015c and then task
23 will be a raw sniffer.

Signed-off-by: Sylvain Munaut <tnt@246tNt.com>

3 files changed, 204 insertions, 1 deletions

diff --git a/src/target_dsp/calypso/Makefile b/src/target_dsp/calypso/Makefile
index 40ee4ec5..266da7aa 100644
--- a/src/target_dsp/calypso/Makefile
+++ b/src/target_dsp/calypso/Makefile
@@ -1,4 +1,4 @@
-all: dsp_dump.bin
+all: dsp_dump.bin dsp_sniff.bin
 
 CROSS=tic54x-coff-
 
@@ -11,5 +11,8 @@ CROSS=tic54x-coff-
 dsp_dump.coff: bl_stage3.o dsp_dump.lds
 	$(CROSS)ld --script dsp_dump.lds bl_stage3.o -o $@
 
+dsp_sniff.coff: dsp_sniff.o dsp_patch.lds
+	$(CROSS)ld --script dsp_patch.lds dsp_sniff.o -o $@
+
 clean:
 	rm -f *.o *.bin *.coff
diff --git a/src/target_dsp/calypso/dsp_patch.lds b/src/target_dsp/calypso/dsp_patch.lds
new file mode 100644
index 00000000..0695121d
--- /dev/null
+++ b/src/target_dsp/calypso/dsp_patch.lds
@@ -0,0 +1,25 @@
+OUTPUT_FORMAT("coff1-c54x")
+OUTPUT_ARCH("")
+MEMORY
+{
+	dram (RWXI)   : ORIGIN = 0x015C, LENGTH = 0x0600
+	apiram (RWXI) : ORIGIN = 0x2000, LENGTH = 0x1000
+}
+SECTIONS
+{
+	. = 0x015C;
+
+	.text :
+	{
+		*(.text)
+	} > dram
+
+
+	. = 0x2000;
+
+	.apiram :
+	{
+		PROVIDE(_api_ram = .);
+		*(.apiram)
+	} > apiram
+}
diff --git a/src/target_dsp/calypso/dsp_sniff.S b/src/target_dsp/calypso/dsp_sniff.S
new file mode 100644
index 00000000..5a323f29
--- /dev/null
+++ b/src/target_dsp/calypso/dsp_sniff.S
@@ -0,0 +1,175 @@
+; DSP Sniffing task patch
+
+;
+; (C) 2010 by Sylvain Munaut <tnt@246tNt.com>
+;
+; All Rights Reserved
+;
+; This program is free software; you can redistribute it and/or modify
+; it under the terms of the GNU General Public License as published by
+; the Free Software Foundation; either version 2 of the License, or
+; (at your option) any later version.
+;
+; This program is distributed in the hope that it will be useful,
+; but WITHOUT ANY WARRANTY; without even the implied warranty of
+; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+; GNU General Public License for more details.
+;
+; You should have received a copy of the GNU General Public License along
+; with this program; if not, write to the Free Software Foundation, Inc.,
+; 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+;
+
+; ----------------------------------------------------------------------------
+; Known symbols
+; ----------------------------------------------------------------------------
+
+	; Variables
+patch_install_fptr	.equ	0x3F6B		; Patch install function ptr
+dsp_page		.equ	0x3FB0		; Current ndb.d_dsp_page
+task_fn_entry		.equ	0x4387 + 23	; Task 23 index in JT_4387
+
+	; Functions
+a5_setup		.equ	0xB12C
+dma_queue_setup		.equ	0xB74C
+
+jt4387_exec		.equ	0xA9EA
+
+fq_4320_push		.equ	0xAA9F
+fq_4330_push		.equ	0xAA6C
+fq_4340_push		.equ	0xAAC3
+
+
+; ----------------------------------------------------------------------------
+; Our double buffer API
+; ----------------------------------------------------------------------------
+
+			.section .apiram
+
+sniff_db0		.ds	138
+sniff_db1		.ds	138
+sniff_db_ptr		.ds	1
+sniff_burst_ptr		.ds	1
+
+
+; ----------------------------------------------------------------------------
+; The code itself
+; ----------------------------------------------------------------------------
+
+			.text
+
+;
+; Patch init
+;
+;  Called during DSP boot (around the middle)
+;
+patch_init:
+			st	#patch_install, *(patch_install_fptr)
+			ret
+
+;
+; Patch install
+;
+;  Called after DSP init. That's were the overriding of all the
+;  jump tables should be done.
+;
+patch_install:
+			st	#sniff_task, *(task_fn_entry)
+			ret
+
+;
+; New sniff task
+;
+;  Called by the dispatch code when the value 23 is found in d_task_d
+;
+sniff_task:
+			; Setup our double buffer zone ptr
+			stm	#sniff_db0, AR1
+			bitf	*(dsp_page), #1
+			bc	1f, ntc
+			stm	#sniff_db1, AR1
+1:
+
+			mvmd	AR1, @sniff_db_ptr
+
+			; Prepare the burst_ptr and burst_counter
+				; sniff_db_ptr->r_nb = 0
+			st	#0, *+AR1
+
+				; sniff_burst_ptr = sniff_db_ptr + 2;
+			mar	*AR1+
+			mvmd	AR1, @sniff_burst_ptr
+
+			; Queue A5 setup in FQ4340
+			; (needed to make sure the a5 bits are zeroed)
+			ld	#a5_setup, 0, A
+			call	fq_4340_push
+
+			; Prepare bursts reception
+			; (we queue as many many as bursts to RX)
+1:
+				; Decrement & Check counter
+			mvdm	@sniff_db_ptr, AR1
+			nop				; (pipeline conflict)
+			nop				; (pipeline conflict)
+
+			ldu	*AR1, A
+			bc	2f, aeq
+			sub	#1, A
+			stl	A, *AR1
+
+				; Queue the DMA
+			call	dma_queue_setup
+
+				; Queue Burst handler in FQ4320
+			ld	#burst_handler, 0, A
+			call	fq_4320_push
+
+				; Loop
+			b	1b
+2:
+
+			; Done
+			ret
+
+;
+; Burst data handler
+;
+;  Called once the DMA transfer is done and the IQ bits are received.
+;  Most maintenance tasks (like cleanup after DMA and inth stuff) are
+;  done for us. Only real work goes here.
+;
+burst_handler:
+			; NB demodulation
+			ld	#0x34, A
+			call	jt4387_exec
+
+			; Base burst storage address
+			mvdm	@sniff_burst_ptr, AR3
+			nop				; (pipeline conflict)
+			nop				; (pipeline conflict)
+
+			; Copy "metadata"
+			mvkd	@0x3FA4, *AR3+		; D_TOA
+			mvkd	@0x3FA5, *AR3+		; D_PM
+			mvkd	@0x3FA7, *AR3+		; D_ANGLE
+			mvkd	@0x3FA6, *AR3+		; D_SNR
+			mvkd	@0x0CCE, *AR3+		; dummy burst indicator
+
+			; Copy the softbits
+			stm	#0x0CCF, AR2		; src
+			stm	#28, AR1		; size-1  (29 words = 116 bits)
+			rpt	*(AR1)
+			mvdd	*AR2+, *AR3+
+
+			; Store the new pointer
+			mvmd	AR3, @sniff_burst_ptr
+
+			; Increment received bursts count
+			mvdm	@sniff_db_ptr, AR1
+			nop				; (pipeline conflict)
+			nop				; (pipeline conflict)
+			addm	#1, *AR1(1)
+
+			; Done
+			ret