Firmware Notes

Load addresses

Compress MIPS code with LZMA (format "alone"/"lzma")
- Make sure the "uncompressed size" field is set (unforuntately some tools/libraries don't do this)
Write LZMA stream somewhere
Adjust offset/size of "demo" partition

The av_cpu image consists of a 16-byte header followed by LZMA-Compressed data.

offset	example	value	description
0	`4a 72 04 00`	291402	size of partition minus 12
4	`00 00 e1 83`	0x83e10000	load target?
8	`00 00 e1 83`	0x83e10000	jump target
12	`00 04 72 46`	291398	size of compressed data
16	`5d 00 00...`		compressed data

The resource partition contains strings used in the user interface, in UTF-16. The partition is LZMA compressed, like the demo partition.

The uncompressed content is stored in a buffer of 0x113000 bytes (a little over 1 MiB).

For every allocated chunk at address p, we have the following structure:

address	type	description
p - 8	u32	allocation size
p - 4	u32	flags

send 0x00
receive 0x52 'R'
send RAM image; the first 4 bytes are bf 9c 7d 5a
- 32 bit @ 0x00: 0x5a7d9cbf
- 32 bit @ 0x14: image size minus 0x300
- loaded at 0x9e800000
- entry point at 0x400 bytes offset

The boot1 stage in files named btinit... uses the following cache operations to establish a clean cache:

from 0x9e800000 to 0x9e810000:
- load from every location
from 0x9e800000 to 0x9e804000:
- set ITagLo (TagLo.0) to 0
- cache 0b01000 (I$, index store tag)
- cache 0b10100 (I$, fill from address)
- cache 0b01000 (I$, index store tag)
from 0x9e800000 to 0x9e804000:
- set DTagLo (TagLo.2) to 0
- cache 0b01001 (D$, index store tag)
- load from to location
- cache 0b01001 (D$, index store tag)

The main action happens in data_manager_v2.c
Partitions are identified by their 8-bit ID, such as 0x93 for the logo partition and 0x8c for the resource partition.

Overview:

Basics:

Peripherals:

Hardware:

Misc: