author | Sylvain Munaut <tnt@246tNt.com> | 2010-03-11 22:25:50 +0100 |
---|---|---|
committer | Sylvain Munaut <tnt@246tNt.com> | 2010-04-28 10:13:58 +0200 |
commit | 9ef310746309af9e25d08cebd1ddc3fabdb1a31d (patch) | |
tree | 096e944f8bcd6f07d3791a9c294542b3826b629d | |
parent | 3b5cc0824de719c9dd5e5686ec25c57cc2fc2bb8 (diff) |
target_dsp/calypso: Add some pointers to get started in IDA
Signed-off-by: Sylvain Munaut <tnt@246tNt.com>
-rw-r--r-- | src/target_dsp/calypso/ida/README.txt | 73 | ||||
-rw-r--r-- | src/target_dsp/calypso/ida/ndb.h | 294 | ||||
-rw-r--r-- | src/target_dsp/calypso/ida/tms320c54.cfg | 136 |
3 files changed, 503 insertions, 0 deletions
diff --git a/src/target_dsp/calypso/ida/README.txt b/src/target_dsp/calypso/ida/README.txt
new file mode 100644
index 00000000..a7939083
--- /dev/null
+++ b/src/target_dsp/calypso/ida/README.txt
@@ -0,0 +1,73 @@
+Here's a few steps to get started quickly and get something readable:
+
+ - Compile a patched for the IDA TMS320C54 module
+
+ I made several enhancement to it to support the calypso better (the tms320c54
+ module is part of the SDK and can be modded and recompiled) :
+
+ - Add support for memory mappings so that the same memory zone can
+ 'appear' at several place in the address space (to handle data & code
+ overlay)
+ - Fix the section handling when loading a file:
+ . to set XPC properly,
+ . to not override section name
+ . to support more than 2 sections
+ - Fix a bug in cross reference detection when dealing with section
+ having selectors != 0
+ - Add stub support for the type system. This allows loading of a .h
+ header file with the NDB structure definition
+ - Add definition for the IO ports so that they are symbolically
+ displayed
+
+ I can't publically distribute the IDA processor module modification
+ because even just the patch contains some hex-rays code, so I'll handle
+ this on a case by case basis. (just ask me privately and we'll work it out)
+
+ - Dump the DSP ROM
+
+ Using the compal_dsp_dump.bin, you must create a text dump of the DSP ROM,
+ just piping the console output to a text file.
+
+ - Generate COFF image
+
+ The dump2coff.py script can convert the text dump into a usable COFF file
+ containing all the correct sections and addresses.
+
+ - Load this COFF image into IDA
+
+ In the load dialog make sure :
+ - Uncheck the 'Fill segment gaps (COFF)' checkbox
+ - Select 'TMS320C54' in 'Change processor'
+ - In 'Analysis Options/Processor specific analysis options' :
+ - 'Choose device name': CALYPSO
+ - 'Data segment address': 0x80000000
+ - 'Add mapping' (do it several time)
+ - From 0x00000060 -> 0x80000060 size 0x6FA0
+ - From 0x00010060 -> 0x80000060 size 0x6FA0
+ - From 0x00020060 -> 0x80000060 size 0x6FA0
+ - From 0x00030060 -> 0x80000060 size 0x6FA0
+ - From 0x8000E000 -> 0x0000E000 size 0x2000
+
+ - Set 'stub' compiler options to allow the type system to load .h files
+
+ In 'Options/Compiler':
+ - Compiler: 'GNU C++'
+ - Calling convention: 'Cdecl'
+ - Memory model: 'Code Near, Data Near'
+ - Pointer size: 'Near 16bit, Far 32bit'
+ - Include directory: '/usr/include' (or a directory with your includes
+ ... needs to exist)
+
+ - Load the NDB types
+
+ - Load the ndb.h file
+ - In the local types view, import all structure / enum into the database
+ - Then declare the following symbol and set them as struct type
+ appropriately.
+
+ 0x80000800 api_w_page_0 db_mcu_to_dsp
+ 0x80000814 api_w_page_1 db_mcu_to_dsp
+ 0x80000828 api_r_page_0 db_dsp_to_mcu
+ 0x8000083c api_r_page_1 db_dsp_to_mcu
+ 0x800008d4 ndb ndb_mcu_dsp
+
diff --git a/src/target_dsp/calypso/ida/ndb.h b/src/target_dsp/calypso/ida/ndb.h
new file mode 100644
index 00000000..ad9c1056
--- /dev/null
+++ b/src/target_dsp/calypso/ida/ndb.h
@@ -0,0 +1,294 @@
+typedef unsigned char API;
+typedef signed char API_SIGNED;
+
+struct db_mcu_to_dsp
+{
+ API d_task_d;
+ API d_burst_d;
+ API d_task_u;
+ API d_burst_u;
+ API d_task_md;
+ API d_background;
+ API d_debug;
+ API d_task_ra;
+ API d_fn;
+ API d_ctrl_tch;
+ API hole;
+ API d_ctrl_abb;
+ API a_a5fn[2];
+ API d_power_ctl;
+ API d_afc;
+ API d_ctrl_system;
+};
+
+struct db_dsp_to_mcu
+{
+ API d_task_d;
+ API d_burst_d;
+ API d_task_u;
+ API d_burst_u;
+ API d_task_md;
+ API d_background;
+ API d_debug;
+ API d_task_ra;
+ API a_serv_demod[4];
+ API a_pm[3];
+ API a_sch[5];
+};
+
+struct param_mcu_dsp
+{
+ API_SIGNED d_transfer_rate;
+ API_SIGNED d_lat_mcu_bridge;
+ API_SIGNED d_lat_mcu_hom2sam;
+ API_SIGNED d_lat_mcu_bef_fast_access;
+ API_SIGNED d_lat_dsp_after_sam;
+ API_SIGNED d_gprs_install_address;
+ API_SIGNED d_misc_config;
+ API_SIGNED d_cn_sw_workaround;
+ API_SIGNED d_hole2_param[4];
+ API_SIGNED d_fb_margin_beg;
+ API_SIGNED d_fb_margin_end;
+ API_SIGNED d_nsubb_idle;
+ API_SIGNED d_nsubb_dedic;
+ API_SIGNED d_fb_thr_det_iacq;
+ API_SIGNED d_fb_thr_det_track;
+ API_SIGNED d_dc_off_thres;
+ API_SIGNED d_dummy_thres;
+ API_SIGNED d_dem_pond_gewl;
+ API_SIGNED d_dem_pond_red;
+ API_SIGNED d_maccthresh1;
+ API_SIGNED d_mldt;
+ API_SIGNED d_maccthresh;
+ API_SIGNED d_gu;
+ API_SIGNED d_go;
+ API_SIGNED d_attmax;
+ API_SIGNED d_sm;
+ API_SIGNED d_b;
+ API_SIGNED d_v42b_switch_hyst;
+ API_SIGNED d_v42b_switch_min;
+ API_SIGNED d_v42b_switch_max;
+ API_SIGNED d_v42b_reset_delay;
+ API_SIGNED d_ldT_hr;
+ API_SIGNED d_maccthresh_hr;
+ API_SIGNED d_maccthresh1_hr;
+ API_SIGNED d_gu_hr;
+ API_SIGNED d_go_hr;
+ API_SIGNED d_b_hr;
+ API_SIGNED d_sm_hr;
+ API_SIGNED d_attmax_hr;
+ API_SIGNED c_mldt_efr;
+ API_SIGNED c_maccthresh_efr;
+ API_SIGNED c_maccthresh1_efr;
+ API_SIGNED c_gu_efr;
+ API_SIGNED c_go_efr;
+ API_SIGNED c_b_efr;
+ API_SIGNED c_sm_efr;
+ API_SIGNED c_attmax_efr;
+ API_SIGNED d_sd_min_thr_tchfs;
+ API_SIGNED d_ma_min_thr_tchfs;
+ API_SIGNED d_md_max_thr_tchfs;
+ API_SIGNED d_md1_max_thr_tchfs;
+ API_SIGNED d_sd_min_thr_tchhs;
+ API_SIGNED d_ma_min_thr_tchhs;
+ API_SIGNED d_sd_av_thr_tchhs;
+ API_SIGNED d_md_max_thr_tchhs;
+ API_SIGNED d_md1_max_thr_tchhs;
+ API_SIGNED d_sd_min_thr_tchefs;
+ API_SIGNED d_ma_min_thr_tchefs;
+ API_SIGNED d_md_max_thr_tchefs;
+ API_SIGNED d_md1_max_thr_tchefs;
+ API_SIGNED d_wed_fil_ini;
+ API_SIGNED d_wed_fil_tc;
+ API_SIGNED d_x_min;
+ API_SIGNED d_x_max;
+ API_SIGNED d_slope;
+ API_SIGNED d_y_min;
+ API_SIGNED d_y_max;
+ API_SIGNED d_wed_diff_threshold;
+ API_SIGNED d_mabfi_min_thr_tchhs;
+ API_SIGNED d_facch_thr;
+ API_SIGNED d_max_ovsp_ul;
+ API_SIGNED d_sync_thres;
+ API_SIGNED d_idle_thres;
+ API_SIGNED d_m1_thres;
+ API_SIGNED d_max_ovsp_dl;
+ API_SIGNED d_gsm_bgd_mgt;
+ API a_fir_holes[4];
+ API a_fir31_uplink[31];
+ API a_fir31_downlink[31];
+};
+
+struct ndb_mcu_dsp
+{
+ API d_dsp_page;
+ API d_error_status;
+ API d_spcx_rif;
+ API d_tch_mode;
+ API d_debug1;
+ API d_dsp_test;
+ API d_version_number1;
+ API d_version_number2;
+ API d_debug_ptr;
+ API d_debug_bk;
+ API d_pll_config;
+ API p_debug_buffer;
+ API d_debug_buffer_size;
+ API d_debug_trace_type;
+ API d_dsp_state;
+ API d_hole1_ndb[2];
+ API d_hole_debug_amr;
+ API d_hole2_ndb[1];
+ API d_mcsi_select;
+ API d_apcdel1_bis;
+ API d_apcdel2_bis;
+ API d_apcdel2;
+ API d_vbctrl2;
+ API d_bulgcal;
+ API d_afcctladd;
+ API d_vbuctrl;
+ API d_vbdctrl;
+ API d_apcdel1;
+ API d_apcoff;
+ API d_bulioff;
+ API d_bulqoff;
+ API d_dai_onoff;
+ API d_auxdac;
+ API d_vbctrl1;
+ API d_bbctrl;
+ API d_fb_det;
+ API d_fb_mode;
+ API a_sync_demod[4];
+ API a_sch26[5];
+ API d_audio_gain_ul;
+ API d_audio_gain_dl;
+ API d_audio_compressor_ctrl;
+ API d_audio_init;
+ API d_audio_status;
+ API d_toneskb_init;
+ API d_toneskb_status;
+ API d_k_x1_t0;
+ API d_k_x1_t1;
+ API d_k_x1_t2;
+ API d_pe_rep;
+ API d_pe_off;
+ API d_se_off;
+ API d_bu_off;
+ API d_t0_on;
+ API d_t0_off;
+ API d_t1_on;
+ API d_t1_off;
+ API d_t2_on;
+ API d_t2_off;
+ API d_k_x1_kt0;
+ API d_k_x1_kt1;
+ API d_dur_kb;
+ API d_shiftdl;
+ API d_shiftul;
+ API d_aec_ctrl;
+ API d_es_level_api;
+ API d_mu_api;
+ API d_melo_osc_used;
+ API d_melo_osc_active;
+ API a_melo_note0[4];
+ API a_melo_note1[4];
+ API a_melo_note2[4];
+ API a_melo_note3[4];
+ API a_melo_note4[4];
+ API a_melo_note5[4];
+ API a_melo_note6[4];
+ API a_melo_note7[4];
+ API d_melody_selection;
+ API a_melo_holes[3];
+ API d_sr_status;
+ API d_sr_param;
+ API d_sr_bit_exact_test;
+ API d_sr_nb_words;
+ API d_sr_db_level;
+ API d_sr_db_noise;
+ API d_sr_mod_size;
+ API a_n_best_words[4];
+ API a_n_best_score[8];
+ API a_dd_1[22];
+ API a_du_1[22];
+ API d_v42b_nego0;
+ API d_v42b_nego1;
+ API d_v42b_control;
+ API d_v42b_ratio_ind;
+ API d_mcu_control;
+ API d_mcu_control_sema;
+ API d_background_enable;
+ API d_background_abort;
+ API d_background_state;
+ API d_max_background;
+ API a_background_tasks[16];
+ API a_back_task_io[16];
+ API d_gea_mode_ovly;
+ API a_gea_kc_ovly[4];
+ API d_hole3_ndb[7];
+ API d_thr_usf_detect;
+ API d_a5mode;
+ API d_sched_mode_gprs_ovly;
+ API d_hole4_ndb[5];
+ API a_ramp[16];
+ API a_cd[15];
+ API a_fd[15];
+ API a_dd_0[22];
+ API a_cu[15];
+ API a_fu[15];
+ API a_du_0[22];
+ API d_rach;
+ API a_kc[4];
+ API d_ra_conf;
+ API d_ra_act;
+ API d_ra_test;
+ API d_ra_statu;
+ API d_ra_statd;
+ API d_fax;
+ API a_data_buf_ul[21];
+ API a_data_buf_dl[37];
+ API a_tty_holes[8];
+ API a_sr_holes0[414];
+ API a_new_aec_holes[12];
+ // API a_sr_holes1[145];
+ struct param_mcu_dsp params;
+ API d_cport_init;
+ API d_cport_ctrl;
+ API a_cport_cfr[2];
+ API d_cport_tcl_tadt;
+ API d_cport_tdat;
+ API d_cport_tvs;
+ API d_cport_status;
+ API d_cport_reg_value;
+ API a_cport_holes[1011];
+ API a_model[1041];
+ API a_eotd_holes[22];
+ API a_amr_config[4];
+ API a_ratscch_ul[6];
+ API a_ratscch_dl[6];
+ API d_amr_snr_est;
+ API a_voice_memo_amr_holes[1];
+ API d_thr_onset_afs;
+ API d_thr_sid_first_afs;
+ API d_thr_ratscch_afs;
+ API d_thr_update_afs;
+ API d_thr_onset_ahs;
+ API d_thr_sid_ahs;
+ API d_thr_ratscch_marker;
+ API d_thr_sp_dgr;
+ API d_thr_soft_bits;
+ API d_holes[61];
+};
+
+enum dsp_error {
+ DSP_ERR_RHEA = 0x0001,
+ DSP_ERR_IQ_SAMPLES = 0x0004,
+ DSP_ERR_DMA_PROG = 0x0008,
+ DSP_ERR_DMA_TASK = 0x0010,
+ DSP_ERR_DMA_PEND = 0x0020,
+ DSP_ERR_VM = 0x0080,
+ DSP_ERR_DMA_UL_TASK = 0x0100,
+ DSP_ERR_DMA_UL_PROG = 0x0200,
+ DSP_ERR_DMA_UL_PEND = 0x0400,
+ DSP_ERR_STACK_OV = 0x0800,
+};
diff --git a/src/target_dsp/calypso/ida/tms320c54.cfg b/src/target_dsp/calypso/ida/tms320c54.cfg
new file mode 100644
index 00000000..7962bee2
--- /dev/null
+++ b/src/target_dsp/calypso/ida/tms320c54.cfg
@@ -0,0 +1,136 @@
+; Append this to the tms320c54.cfg shipped with IDA
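Review bot: In ndb.h, `typedef unsigned char API;` only gives the right layout where one `char` occupies one DSP address unit, and nothing in the file says so. The README in this commit places api_r_page_0 and api_r_page_1 0x14 apart, which matches the 20 `API` elements of `struct db_dsp_to_mcu` only under that assumption, so a header comment such as `/* IDA type-loader only: API is one C54x data word (presumably 16 bits); do not include from host code */` would keep the header from being reused with byte-sized fields and mislabelled offsets. The commented-out `// API a_sr_holes1[145];` in `struct ndb_mcu_dsp` reads as dead code; `struct param_mcu_dsp` adds up to 145 elements, so `/* params overlays the former a_sr_holes1[145] hole */` would state the intent. The header also has no include guard.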
+
+.CALYPSO
+
+; entry _reset 0xff80 Reset vector
+
+; RIF
+RIF_DXR 0x0000
+RIF_DRR 0x0001
+RIF_SPCX 0x0002
+RIF_SPCR 0x0003
+
+; CYPHER
+CYPHER_CNTL 0x2800
+CYPHER_CNTL.START 0
+CYPHER_CNTL.RESETSW 1
+CYPHER_CNTL.MODE0 2
+CYPHER_CNTL.MODE1 3
+CYPHER_CNTL.CLK_EN 4
+CYPHER_CNTL.CYPHER_ONLY 5
+
+CYPHER_STATUS_IRQ 0x2801
+CYPHER_STATUS_IRQ.LT_FIN 0
+
+CYPHER_STATUS_WORK 0x2802
+CYPHER_STATUS_WORK.WORKING 0
+
+CYPHER_KC_1 0x2803
+CYPHER_KC_2 0x2804
+CYPHER_KC_3 0x2805
+CYPHER_KC_4 0x2806
+CYPHER_COUNT_1 0x2807
+CYPHER_COUNT_2 0x2808
+CYPHER_DECI_1 0x2809
+CYPHER_DECI_2 0x280A
+CYPHER_DECI_3 0x280B
+CYPHER_DECI_4 0x280C
+CYPHER_DECI_5 0x280D
+CYPHER_DECI_6 0x280E
+CYPHER_DECI_7 0x280F
+CYPHER_DECI_8 0x2810
+CYPHER_ENCI_1 0x2811
+CYPHER_ENCI_2 0x2812
+CYPHER_ENCI_3 0x2813
+CYPHER_ENCI_4 0x2814
+CYPHER_ENCI_5 0x2815
+CYPHER_ENCI_6 0x2816
+CYPHER_ENCI_7 0x2817
+CYPHER_ENCI_8 0x2818
+
+; MCSI
+MCSI_CONTROL 0x0800
+MCSI_MAIN-PARAMETERS 0x0801
+MCSI_INTERRUPTS 0x0802
+MCSI_CHANNEL-USED 0x0803
+MCSI_OVER-CLK 0x0804
+MCSI_CLK-FREQ 0x0805
+MCSI_STATUS 0x0806
+MCSI_TX0 0x0820
+MCSI_TX1 0x0821
+MCSI_TX2 0x0822
+MCSI_TX3 0x0823
+MCSI_TX4 0x0824
+MCSI_TX5 0x0825
+MCSI_TX6 0x0826
+MCSI_TX7 0x0827
+MCSI_TX8 0x0828
+MCSI_TX9 0x0829
+MCSI_TX10 0x082A
+MCSI_TX11 0x082B
+MCSI_TX12 0x082C
+MCSI_TX13 0x082D
+MCSI_TX14 0x082E
+MCSI_TX15 0x082F
+MCSI_RX0 0x0830
+MCSI_RX1 0x0831
+MCSI_RX2 0x0832
+MCSI_RX3 0x0833
+MCSI_RX4 0x0834
+MCSI_RX5 0x0835
+MCSI_RX6 0x0836
+MCSI_RX7 0x0837
+MCSI_RX8 0x0838
+MCSI_RX9 0x0839
+MCSI_RX10 0x083A
+MCSI_RX11 0x083B
+MCSI_RX12 0x083C
+MCSI_RX13 0x083D
+MCSI_RX14 0x083E
+MCSI_RX15 0x083F
+
+; RHEA
+RHEA_TRANSFER_RATE 0xF800
+
+RHEA_BRIDGE-CTRL 0xF801
+RHEA_BRIDGE-CTRL.TIMEOUT_ENABLE 8
+RHEA_BRIDGE-CTRL.NSUPV 9
+
+; API
+API_CONF 0xF900
+API_CONF.RESERVED0 0
+API_CONF.API_HOM 1
+API_CONF.BRIDGE_CLK_EN 2
+
+; Interrupts
+INT_CNTRL 0xFA00
+INT_CLEAR 0xFA01
+
+; DMA
+DMA_CONTROLLER_CONF 0xFC00
+DMA_ALLOC_CONFIG 0xFC02
+DMA1_RAD 0xFC10
+DMA1_RDPTH 0xFC12
+DMA1_AAD 0xFC14
+DMA1_ALGTH 0xFC16
+DMA1_CTRL 0xFC18
+DMA1_CUR_OFFSET_API 0xFC1A
+DMA2_RAD 0xFC20
+DMA2_RDPTH 0xFC22
+DMA2_AAD 0xFC24
+DMA2_ALGTH 0xFC26
+DMA2_CTRL 0xFC28
+DMA2_CUR_OFFSET_API 0xFC2A
+DMA3_RAD 0xFC30
+DMA3_RDPTH 0xFC32
+DMA3_AAD 0xFC34
+DMA3_ALGTH 0xFC36
+DMA3_CTRL 0xFC38
+DMA3_CUR_OFFSET_API 0xFC3A
+DMA4_RAD 0xFC40
+DMA4_RDPTH 0xFC42
+DMA4_AAD 0xFC44
+DMA4_ALGTH 0xFC46
+DMA4_CTRL 0xFC48
+DMA4_CUR_OFFSET_API 0xFC4A
+
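Review bot: Five port names and two bit names in tms320c54.cfg use a hyphen where every other entry uses underscores: `MCSI_MAIN-PARAMETERS`, `MCSI_CHANNEL-USED`, `MCSI_OVER-CLK`, `MCSI_CLK-FREQ`, `RHEA_BRIDGE-CTRL` and its `.TIMEOUT_ENABLE` / `.NSUPV` bits. A hyphen is not an identifier character in most toolchains, and IDA's name validation may reject or rewrite it, which would leave those ports without the intended symbol in the listing; I would spell them `MCSI_MAIN_PARAMETERS`, `MCSI_CHANNEL_USED`, `RHEA_BRIDGE_CTRL` and so on. The disabled `; entry _reset 0xff80 Reset vector` line would also benefit from a short remark on why it is commented out.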