2,956
edits
Changes
Jump to navigation
Jump to search
no edit summary
Line 1,749:
Line 1,749:
|-
−| FUSE_SPARE_BIT_30
−| 0x7000FBF8
−|-
−| FUSE_SPARE_BIT_31
−| 0x7000FBFC
Tegra210 based hardware such as the Switch provides support for bootrom patches. The patch data is burned to the hardware fuse bitmap using a specific format (see [https://gist.github.com/shuffle2/f8728159da100e9df2606d43925de0af shuffle2's ipatch decoder]). The bootrom reads these fuses in order to initialize the IPATCH hardware, which allows overriding data returned for code and data fetches done by BPMP.+
+
+
+
+
+
+
+
| FUSE_SPARE_BIT_29
| FUSE_SPARE_BIT_29
| 0x7000FBF4
| 0x7000FBF4
−|}
|}
Line 2,403:
Line 2,397:
=== irom_patch ===
=== irom_patch ===
−Bootrom patches are burned to the hardware fuse bitmap using a specific format (see [https://gist.github.com/hexkyz/98c28e292597d8fc7bef7a2200e792d7 ipatch decoder]). The bootrom reads these fuses in order to initialize the IPATCH hardware, which allows overriding data returned for code and data fetches done by BPMP.
The following represents the patch data dumped from a Switch console:
The following represents the patch data dumped from a Switch console:
Line 2,412:
Line 2,406:
RAM:00000000 irom_svc_dispatch
RAM:00000000 irom_svc_dispatch
RAM:00000000 STMFD SP!, {R0-R2} ; ipatches (new):
RAM:00000000 STMFD SP!, {R0-R2} ; ipatches (new):
−RAM:00000000 ; 0 b57df00 16ae df00 : svc #0x00 (offset 0x48)
+RAM:00000000 ; 0: 0x0b57df00 0x001016ae 0x0000df00 : svc #0x00 (offset 0x48)
−RAM:00000000 ; 1 1820df22 3040 df22 : svc #0x22 (offset 0x8c)
+RAM:00000000 ; 1: 0x1820df22 0x00103040 0x0000df22 : svc #0x22 (offset 0x8c)
−RAM:00000000 ; 2 3797df26 6f2e df26 : svc #0x26 (offset 0x94)
+RAM:00000000 ; 2: 0x3797df26 0x00106f2e 0x0000df26 : svc #0x26 (offset 0x94)
−RAM:00000000 ; 3 3b4d2100 769a 2100 : movs r1, #0x00
+RAM:00000000 ; 3: 0x3b4d2100 0x0010769a 0x00002100 : movs r1, #0x00
−RAM:00000000 ; 4 42bdf2c 856 df2c : svc #0x2c (offset 0xa0)
+RAM:00000000 ; 4: 0x042bdf2c 0x00100856 0x0000df2c : svc #0x2c (offset 0xa0)
−RAM:00000000 ; 5 37aadf42 6f54 df42 : svc #0x42 (offset 0xcc)
+RAM:00000000 ; 5: 0x37aadf42 0x00106f54 0x0000df42 : svc #0x42 (offset 0xcc)
−RAM:00000000 ; 6 972df4b 12e4 df4b : svc #0x4b (offset 0xde)
+RAM:00000000 ; 6: 0x0972df4b 0x001012e4 0x0000df4b : svc #0x4b (offset 0xde)
−RAM:00000000 ; 7 2293df54 4526 df54 : svc #0x54 (offset 0xf0)
+RAM:00000000 ; 7: 0x2293df54 0x00104526 0x0000df54 : svc #0x54 (offset 0xf0)
−RAM:00000000 ; 8 21fadf5d 43f4 df5d : svc #0x5d (offset 0x102)
+RAM:00000000 ; 8: 0x21fadf5d 0x001043f4 0x0000df5d : svc #0x5d (offset 0x102)
−RAM:00000000 ; 9 bba2ac57 17744 ac57 : data
+RAM:00000000 ; 9: 0xbba2ac57 0x00117744 0x0000ac57 : data
−RAM:00000000 ; 10 bbac3d19 17758 3d19 : data
+RAM:00000000 ; 10: 0xbbac3d19 0x00117758 0x00003d19 : data
−RAM:00000000 ; 11 1e952001 3d2a 2001 : movs r0, #0x01
+RAM:00000000 ; 11: 0x1e952001 0x00103d2a 0x00002001 : movs r0, #0x01
RAM:00000000 ;
RAM:00000000 ;
RAM:00000000 ; ipatches (old):
RAM:00000000 ; ipatches (old):
−RAM:00000000 ; 0 b57df00 16ae df00 : svc #0x00 (offset 0x48)
+RAM:00000000 ; 0: 0x0b57df00 0x001016ae 0x0000df00 : svc #0x00 (offset 0x48)
−RAM:00000000 ; 1 1820df22 3040 df22 : svc #0x22 (offset 0x8c)
+RAM:00000000 ; 1: 0x1820df22 0x00103040 0x0000df22 : svc #0x22 (offset 0x8c)
−RAM:00000000 ; 2 3797df26 6f2e df26 : svc #0x26 (offset 0x94)
+RAM:00000000 ; 2: 0x3797df26 0x00106f2e 0x0000df26 : svc #0x26 (offset 0x94)
−RAM:00000000 ; 3 7d9e2000 fb3c 2000 : movs r0, #0x00
+RAM:00000000 ; 3: 0x7d9e2000 0x0010fb3c 0x00002000 : movs r0, #0x00
−RAM:00000000 ; 4 42bdf2c 856 df2c : svc #0x2c (offset 0xa0)
+RAM:00000000 ; 4: 0x042bdf2c 0x00100856 0x0000df2c : svc #0x2c (offset 0xa0)
−RAM:00000000 ; 5 37aadf42 6f54 df42 : svc #0x42 (offset 0xcc)
+RAM:00000000 ; 5: 0x37aadf42 0x00106f54 0x0000df42 : svc #0x42 (offset 0xcc)
−RAM:00000000 ; 6 972df4b 12e4 df4b : svc #0x4b (offset 0xde)
+RAM:00000000 ; 6: 0x0972df4b 0x001012e4 0x0000df4b : svc #0x4b (offset 0xde)
−RAM:00000000 ; 7 2293df54 4526 df54 : svc #0x54 (offset 0xf0)
+RAM:00000000 ; 7: 0x2293df54 0x00104526 0x0000df54 : svc #0x54 (offset 0xf0)
−RAM:00000000 ; 8 21fadf5d 43f4 df5d : svc #0x5d (offset 0x102)
+RAM:00000000 ; 8: 0x21fadf5d 0x001043f4 0x0000df5d : svc #0x5d (offset 0x102)
−RAM:00000000 ; 9 bba2ac57 17744 ac57 : data
+RAM:00000000 ; 9: 0xbba2ac57 0x00117744 0x0000ac57 : data
−RAM:00000000 ; 10 bbac3d19 17758 3d19 : data
+RAM:00000000 ; 10: 0xbbac3d19 0x00117758 0x00003d19 : data
−RAM:00000000 ; 11 1e952001 3d2a 2001 : movs r0, #0x01
+RAM:00000000 ; 11: 0x1e952001 0x00103d2a 0x00002001 : movs r0, #0x01
RAM:00000004 MOV R2, LR
RAM:00000004 MOV R2, LR
RAM:00000008 SUB R2, R2, #2
RAM:00000008 SUB R2, R2, #2
Line 2,464:
Line 2,458:
RAM:00000048
RAM:00000048
RAM:00000048 sub_48
RAM:00000048 sub_48
−RAM:00000048 MOVS R2, #0 ; 0 b57df00 16ae df00 : svc #0x00 (offset 0x48)
+RAM:00000048 MOVS R2, #0 ; 0: 0x0b57df00 0x001016ae 0x0000df00 : svc #0x00 (offset 0x48)
RAM:0000004A MVNS R2, R2
RAM:0000004A MVNS R2, R2
RAM:0000004C LDR R1, =0x60006410
RAM:0000004C LDR R1, =0x60006410
Line 2,503:
Line 2,497:
RAM:0000008C
RAM:0000008C
RAM:0000008C sub_8C
RAM:0000008C sub_8C
−RAM:0000008C LDR R0, [R1,#0x18] ; 1 1820df22 3040 df22 : svc #0x22 (offset 0x8c)
+RAM:0000008C LDR R0, [R1,#0x18] ; 1: 0x1820df22 0x00103040 0x0000df22 : svc #0x22 (offset 0x8c)
RAM:0000008E MOVS R2, #1
RAM:0000008E MOVS R2, #1
RAM:00000090 ORRS R0, R2
RAM:00000090 ORRS R0, R2
Line 2,514:
Line 2,508:
RAM:00000094
RAM:00000094
RAM:00000094 sub_94
RAM:00000094 sub_94
−RAM:00000094 LDR R2, [R4,#0x50] ; 2 3797df26 6f2e df26 : svc #0x26 (offset 0x94)
+RAM:00000094 LDR R2, [R4,#0x50] ; 2: 0x3797df26 0x00106f2e 0x0000df26 : svc #0x26 (offset 0x94)
RAM:00000096 ADDS R2, R2, #2
RAM:00000096 ADDS R2, R2, #2
RAM:00000098 STR R2, [R4,#0x50]
RAM:00000098 STR R2, [R4,#0x50]
Line 2,530:
Line 2,524:
RAM:000000A0 ; FUNCTION CHUNK AT RAM:00000148 SIZE 00000004 BYTES
RAM:000000A0 ; FUNCTION CHUNK AT RAM:00000148 SIZE 00000004 BYTES
RAM:000000A0
RAM:000000A0
−RAM:000000A0 MOVS R0, #0x70000000 ; 4 42bdf2c 856 df2c : svc #0x2c (offset 0xa0)
+RAM:000000A0 MOVS R0, #0x70000000 ; 4: 0x042bdf2c 0x00100856 0x0000df2c : svc #0x2c (offset 0xa0)
RAM:000000A4 LDR R6, =dword_7000EF14
RAM:000000A4 LDR R6, =dword_7000EF14
RAM:000000A6 LDR R2, =dword_7000E5B4
RAM:000000A6 LDR R2, =dword_7000E5B4
Line 2,562:
Line 2,556:
RAM:000000CC
RAM:000000CC
RAM:000000CC sub_CC
RAM:000000CC sub_CC
−RAM:000000CC MOVS R2, #0xF000000 ; 5 37aadf42 6f54 df42 : svc #0x42 (offset 0xcc)
+RAM:000000CC MOVS R2, #0xF000000 ; 5: 0x37aadf42 0x00106f54 0x0000df42 : svc #0x42 (offset 0xcc)
RAM:000000D0 BICS R1, R2
RAM:000000D0 BICS R1, R2
RAM:000000D2 STR R1, [R4,#0x10]
RAM:000000D2 STR R1, [R4,#0x10]
Line 2,577:
Line 2,571:
RAM:000000DE
RAM:000000DE
RAM:000000DE sub_DE
RAM:000000DE sub_DE
−RAM:000000DE LDR R2, =dword_7000FA9C ; 6 972df4b 12e4 df4b : svc #0x4b (offset 0xde)
+RAM:000000DE LDR R2, =dword_7000FA9C ; 6: 0x0972df4b 0x001012e4 0x0000df4b : svc #0x4b (offset 0xde)
RAM:000000E0 LDR R2, [R2]
RAM:000000E0 LDR R2, [R2]
RAM:000000E2 LSRS R2, R2, #8
RAM:000000E2 LSRS R2, R2, #8
Line 2,596:
Line 2,590:
RAM:000000F0 arg_0= 0
RAM:000000F0 arg_0= 0
RAM:000000F0
RAM:000000F0
−RAM:000000F0 LDR R0, =0x400049F0 ; 7 2293df54 4526 df54 : svc #0x54 (offset 0xf0)
+RAM:000000F0 LDR R0, =0x400049F0 ; 7: 0x2293df54 0x00104526 0x0000df54 : svc #0x54 (offset 0xf0)
RAM:000000F2 LDR R2, [R0]
RAM:000000F2 LDR R2, [R0]
RAM:000000F4 STR R2, [SP,#arg_0]
RAM:000000F4 STR R2, [SP,#arg_0]
Line 2,619:
Line 2,613:
RAM:00000102 arg_0= 0
RAM:00000102 arg_0= 0
RAM:00000102
RAM:00000102
−RAM:00000102 LDR R2, =0x40010220 ; 8 21fadf5d 43f4 df5d : svc #0x5d (offset 0x102)
+RAM:00000102 LDR R2, =0x40010220 ; 8: 0x21fadf5d 0x001043f4 0x0000df5d : svc #0x5d (offset 0x102)
RAM:00000104 STR R2, [SP,#arg_0] ; set r2 retval = [0x40010220]
RAM:00000104 STR R2, [SP,#arg_0] ; set r2 retval = [0x40010220]
RAM:00000106 LDR R2, [R2,#0x18]
RAM:00000106 LDR R2, [R2,#0x18]
Line 2,865:
Line 2,859:
==== IROM patch 11 ====
==== IROM patch 11 ====
This patch forces the value of [[Security_Engine|SE_TZRAM_SECURITY]] to be 0x01 instead of restoring it from the saved SE context.
This patch forces the value of [[Security_Engine|SE_TZRAM_SECURITY]] to be 0x01 instead of restoring it from the saved SE context.
+
+== Mariko ==
+{| class="wikitable" border="1"
+! Name
+! Number
+! Redundant number
+! Bits
+|-
+| enable_fuse_program
+| 0
+| 1
+| 0
+|-
+| disable_fuse_program
+| 0
+| 1
+| 1
+|-
+| bypass_fuses
+| 0
+| 1
+| 2
+|-
+| jtag_direct_access_disable
+| 0
+| 1
+| 3
+|-
+| production_mode
+| 0
+| 1
+| 4
+|-
+| jtag_secureid_valid
+| 0
+| 1
+| 5
+|-
+| odm_lock
+| 0
+| 1
+| 6-21
+|-
+| fa_mode
+| 0
+| 1
+| 22
+|-
+| security_mode
+| 0
+| 1
+| 23
+|-
+| arm_debug_dis
+| 0
+| 1
+| 24
+|-
+| obs_dis
+| 0
+| 1
+| 25
+|-
+| public_key0
+| 64
+| 65
+| 15-31
+|-
+| public_key0
+| 66
+| 67
+| 0-14
+|-
+| public_key1
+| 66
+| 67
+| 15-31
+|-
+| public_key1
+| 68
+| 69
+| 0-14
+|-
+| public_key2
+| 68
+| 69
+| 15-31
+|-
+| public_key2
+| 70
+| 71
+| 0-14
+|-
+| public_key3
+| 70
+| 71
+| 15-31
+|-
+| public_key3
+| 72
+| 73
+| 0-14
+|-
+| public_key4
+| 72
+| 73
+| 15-31
+|-
+| public_key4
+| 74
+| 75
+| 0-14
+|-
+| public_key5
+| 74
+| 75
+| 15-31
+|-
+| public_key5
+| 76
+| 77
+| 0-14
+|-
+| public_key6
+| 76
+| 77
+| 15-31
+|-
+| public_key6
+| 78
+| 79
+| 0-14
+|-
+| public_key7
+| 78
+| 79
+| 15-31
+|-
+| public_key7
+| 80
+| 81
+| 0-14
+|-
+| private_key0
+| 86
+| 87
+| 30-31
+|-
+| private_key0
+| 88
+| 89
+| 0-29
+|-
+| private_key1
+| 88
+| 89
+| 30-31
+|-
+| private_key1
+| 90
+| 91
+| 0-29
+|-
+| private_key2
+| 90
+| 91
+| 30-31
+|-
+| private_key2
+| 92
+| 93
+| 0-29
+|-
+| private_key3
+| 92
+| 93
+| 30-31
+|-
+| private_key3
+| 94
+| 95
+| 0-29
+|-
+| private_key4
+| 94
+| 95
+| 30-31
+|-
+| private_key4
+| 96
+| 97
+| 0-29
+|-
+| boot_device_info
+| 96
+| 97
+| 30-31
+|-
+| boot_device_info
+| 98
+| 99
+| 0-13
+|-
+| reserved_sw
+| 98
+| 99
+| 14-25
+|-
+| secure_provision_index
+| 152
+| 153
+| 23-26
+|-
+| secure_provision_info
+| 152
+| 153
+| 27-28
+|-
+| aid
+| 165
+| None
+| 2-31
+|-
+| aid
+| 166
+| None
+| 0-1
+|-
+| spare_bit_0
+| 167
+| None
+| 2
+|-
+| spare_bit_1
+| 167
+| None
+| 3
+|-
+| spare_bit_2
+| 167
+| None
+| 4
+|-
+| spare_bit_3
+| 167
+| None
+| 5
+|-
+| spare_bit_4
+| 167
+| None
+| 6
+|-
+| spare_bit_5
+| 167
+| None
+| 7
+|-
+| spare_bit_6
+| 167
+| None
+| 8
+|-
+| spare_bit_7
+| 167
+| None
+| 9
+|-
+| spare_bit_8
+| 167
+| None
+| 10
+|-
+| spare_bit_9
+| 167
+| None
+| 11
+|-
+| spare_bit_10
+| 167
+| None
+| 12
+|-
+| spare_bit_11
+| 167
+| None
+| 13
+|-
+| spare_bit_12
+| 167
+| None
+| 14
+|-
+| spare_bit_13
+| 167
+| None
+| 15
+|-
+| spare_bit_14
+| 167
+| None
+| 16
+|-
+| spare_bit_15
+| 167
+| None
+| 17
+|-
+| spare_bit_16
+| 167
+| None
+| 18
+|-
+| spare_bit_17
+| 167
+| None
+| 19
+|-
+| spare_bit_18
+| 167
+| None
+| 20
+|-
+| spare_bit_19
+| 167
+| None
+| 21
+|-
+| spare_bit_20
+| 167
+| None
+| 22
+|-
+| spare_bit_21
+| 167
+| None
+| 23
+|-
+| spare_bit_22
+| 167
+| None
+| 24
+|-
+| spare_bit_23
+| 167
+| None
+| 25
+|-
+| spare_bit_24
+| 167
+| None
+| 26
+|-
+| spare_bit_25
+| 167
+| None
+| 27
+|-
+| spare_bit_26
+| 167
+| None
+| 28
+|-
+| spare_bit_27
+| 167
+| None
+| 29
+|-
+| spare_bit_28
+| 167
+| None
+| 30
+|-
+| spare_bit_29
+| 167
+| None
+| 31
+|-
+| reshift_fcpu0
+| 168
+| None
+| 0-31
+|-
+| reshift_fcpu1
+| 169
+| None
+| 0-31
+|-
+| reshift_fcpu2
+| 170
+| None
+| 0-31
+|-
+| reshift_fcpu3
+| 171
+| None
+| 0-31
+|-
+| reshift_fl2_tbank0
+| 172
+| None
+| 0-31
+|-
+| reshift_fl2_tbank1
+| 173
+| None
+| 0-31
+|-
+| reshift_fl2_tbank2
+| 174
+| None
+| 0-31
+|-
+| reshift_fl2_tbank3
+| 175
+| None
+| 0-31
+|-
+| [[#irom_patch_2|irom_patch]]
+| 176
+| None
+| Variable
+|}
+
+=== irom_patch ===
+<syntaxhighlight>
+RAM:00000000 ; =============== S U B R O U T I N E =======================================
+RAM:00000000
+RAM:00000000
+RAM:00000000 irom_svc_dispatch
+RAM:00000000 STMFD SP!, {R0-R2} ; ipatches:
+RAM:00000000 ; 0: 0x085bdf00 0x001010b6 0x0000df00 : svc #0x00 (offset 0x48)
+RAM:00000000 ;
+RAM:00000000 ; 0: 0x12d3df06 0x001025a6 0x0000df06 : svc #0x06 (offset 0x54)
+RAM:00000000 ; 1: 0x28144770 0x00105028 0x00004770 : bx lr
+RAM:00000000 ; 2: 0x0fb72001 0x00101f6e 0x00002001 : movs r0, #0x01
+RAM:00000000 ; 3: 0x692ddf15 0x0010d25a 0x0000df15 : svc #0x15 (offset 0x72)
+RAM:00000000 ; 4: 0x436ddf1f 0x001086da 0x0000df1f : svc #0x1f (offset 0x86)
+RAM:00000000 ; 5: 0x4376df23 0x001086ec 0x0000df23 : svc #0x23 (offset 0x8e)
+RAM:00000000 ; 6: 0x4103df2b 0x00108206 0x0000df2b : svc #0x2b (offset 0x9e)
+RAM:00000000 ; 7: 0x495c0060 0x001092b8 0x00000060 : lsls r0, r4, #1
+RAM:00000000 ; 8: 0x62e3ef5b 0x0010c5c6 0x0000ef5b
+RAM:00000000 ; 9: 0x10d1df6a 0x001021a2 0x0000df6a : svc #0x6a (offset 0x11c)
+RAM:00000004 MOV R2, LR
+RAM:00000008 SUB R2, R2, #2
+RAM:0000000C LDR R2, [R2]
+RAM:00000010 AND R2, R2, #0xFF
+RAM:00000014 MOV R2, R2,LSL#1
+RAM:00000018 LDR R0, =0x10022C
+RAM:0000001C LDR R1, =0x100174
+RAM:00000020 SUB R1, R1, R0
+RAM:00000024 LDR R0, =0x40004164
+RAM:00000028 ADD R0, R0, R1
+RAM:0000002C ADD R2, R2, R0
+RAM:00000030 ORR R2, R2, #1
+RAM:00000034 LDMFD SP!, {R0,R1}
+RAM:00000038 BX R2
+RAM:00000038 ; End of function irom_svc_dispatch
+RAM:00000038
+RAM:00000038 ; ---------------------------------------------------------------------------
+RAM:0000003C dword_3C DCD 0x10022C ; DATA XREF: irom_svc_dispatch+18↑r
+RAM:00000040 dword_40 DCD 0x100174 ; DATA XREF: irom_svc_dispatch+1C↑r
+RAM:00000044 dword_44 DCD 0x40004164 ; DATA XREF: irom_svc_dispatch+24↑r
+RAM:00000048 CODE16
+RAM:00000048
+RAM:00000048 ; =============== S U B R O U T I N E =======================================
+RAM:00000048
+RAM:00000048
+RAM:00000048 sub_48 ; 0: 0x085bdf00 0x001010b6 0x0000df00 : svc #0x00 (offset 0x48)
+RAM:00000048 CMP R5, #0xAF
+RAM:0000004A BNE loc_4E
+RAM:0000004C MOVS R5, #0xFF
+RAM:0000004E
+RAM:0000004E loc_4E ; CODE XREF: sub_48+2↑j
+RAM:0000004E SUBS R6, R5, #1
+RAM:00000050
+RAM:00000050 loc_50 ; CODE XREF: sub_54+18↓j
+RAM:00000050 ; sub_72+12↓j ...
+RAM:00000050 POP {R2}
+RAM:00000052 MOV PC, LR
+RAM:00000052 ; End of function sub_48
+RAM:00000052
+RAM:00000054
+RAM:00000054 ; =============== S U B R O U T I N E =======================================
+RAM:00000054
+RAM:00000054
+RAM:00000054 sub_54 ; 0: 0x12d3df06 0x001025a6 0x0000df06 : svc #0x06 (offset 0x54)
+RAM:00000054 MOVS R3, #7
+RAM:00000056
+RAM:00000056 loc_56 ; CODE XREF: sub_72+10↓j
+RAM:00000056 ; sub_8E+E↓j
+RAM:00000056 PUSH {R0,R1,R3-R6}
+RAM:00000058 LDR R0, =0x4000FC20
+RAM:0000005A LDR R1, =0x40040000
+RAM:0000005C LDR R3, =0xEAFFFFFE
+RAM:0000005E MOVS R4, R3
+RAM:00000060 MOVS R5, R3
+RAM:00000062 ADDS R6, R3, #0
+RAM:00000064
+RAM:00000064 loc_64 ; CODE XREF: sub_54+14↓j
+RAM:00000064 STMIA R0!, {R3-R6}
+RAM:00000066 CMP R0, R1
+RAM:00000068 BCC loc_64
+RAM:0000006A POP {R0,R1,R3-R6}
+RAM:0000006C B loc_50
+RAM:0000006C ; End of function sub_54
+RAM:0000006C
+RAM:0000006E ; ---------------------------------------------------------------------------
+RAM:0000006E ; START OF FUNCTION CHUNK FOR sub_8E
+RAM:0000006E
+RAM:0000006E loc_6E ; CODE XREF: sub_8E+8↓j
+RAM:0000006E LDR R0, =0x1002A0
+RAM:00000070 BX R0
+RAM:00000070 ; END OF FUNCTION CHUNK FOR sub_8E
+RAM:00000072
+RAM:00000072 ; =============== S U B R O U T I N E =======================================
+RAM:00000072
+RAM:00000072
+RAM:00000072 sub_72 ; 3: 0x692ddf15 0x0010d25a 0x0000df15 : svc #0x15 (offset 0x72)
+RAM:00000072 MOVS R2, #2
+RAM:00000074 CMP R0, #0x26 ; '&'
+RAM:00000076 BLS loc_7A
+RAM:00000078 ADDS R2, #0x50 ; 'P'
+RAM:0000007A
+RAM:0000007A loc_7A ; CODE XREF: sub_72+4↑j
+RAM:0000007A MOV R3, LR
+RAM:0000007C ADDS R3, R3, R2
+RAM:0000007E MOV LR, R3
+RAM:00000080 CMP R0, #0
+RAM:00000082 BNE loc_56
+RAM:00000084 B loc_50
+RAM:00000084 ; End of function sub_72
+RAM:00000084
+RAM:00000086
+RAM:00000086 ; =============== S U B R O U T I N E =======================================
+RAM:00000086
+RAM:00000086
+RAM:00000086 sub_86 ; 4: 0x436ddf1f 0x001086da 0x0000df1f : svc #0x1f (offset 0x86)
+RAM:00000086
+RAM:00000086 arg_8 = 8
+RAM:00000086
+RAM:00000086 MOVS R3, R0
+RAM:00000088 LDR R2, =0x5A55F0E1
+RAM:0000008A STR R2, [SP,#arg_8]
+RAM:0000008C B loc_50
+RAM:0000008C ; End of function sub_86
+RAM:0000008C
+RAM:0000008E
+RAM:0000008E ; =============== S U B R O U T I N E =======================================
+RAM:0000008E
+RAM:0000008E
+RAM:0000008E sub_8E ; 5: 0x4376df23 0x001086ec 0x0000df23 : svc #0x23 (offset 0x8e)
+RAM:0000008E
+RAM:0000008E arg_8 = 8
+RAM:0000008E
+RAM:0000008E ; FUNCTION CHUNK AT RAM:0000006E SIZE 00000004 BYTES
+RAM:0000008E
+RAM:0000008E MOVS R3, R0
+RAM:00000090 LDR R2, =0x5A55F0E1
+RAM:00000092 LDR R0, [SP,#arg_8]
+RAM:00000094 CMP R0, R2
+RAM:00000096 BEQ loc_6E
+RAM:00000098 CMP R0, #0
+RAM:0000009A BEQ loc_50
+RAM:0000009C B loc_56
+RAM:0000009C ; End of function sub_8E
+RAM:0000009C
+RAM:0000009E
+RAM:0000009E ; =============== S U B R O U T I N E =======================================
+RAM:0000009E
+RAM:0000009E
+RAM:0000009E sub_9E ; 6: 0x4103df2b 0x00108206 0x0000df2b : svc #0x2b (offset 0x9e)
+RAM:0000009E LDR R0, =0x7000F900
+RAM:000000A0 SUBS R0, #0xD8
+RAM:000000A2 MOVS R2, #1
+RAM:000000A4 STR R2, [R0]
+RAM:000000A6 LDR R0, =0x7001231C
+RAM:000000A8 LDR R3, =0x7041231C
+RAM:000000AA MOVS R1, #0xE0
+RAM:000000AC B loc_B4
+RAM:000000AE ; ---------------------------------------------------------------------------
+RAM:000000AE
+RAM:000000AE loc_AE ; CODE XREF: sub_9E+2E↓j
+RAM:000000AE MOVS R1, #0xF0
+RAM:000000B0 B loc_B4
+RAM:000000B2 ; ---------------------------------------------------------------------------
+RAM:000000B2
+RAM:000000B2 loc_B2 ; CODE XREF: sub_9E+32↓j
+RAM:000000B2 MOVS R1, #0xC0
+RAM:000000B4
+RAM:000000B4 loc_B4 ; CODE XREF: sub_9E+E↑j
+RAM:000000B4 ; sub_9E+12↑j
+RAM:000000B4 MOVS R4, #0
+RAM:000000B6
+RAM:000000B6 loc_B6 ; CODE XREF: sub_9E+28↓j
+RAM:000000B6 MOVS R2, #0
+RAM:000000B8 STR R1, [R0]
+RAM:000000BA STR R2, [R0,#4]
+RAM:000000BC STR R1, [R3]
+RAM:000000BE STR R2, [R3,#4]
+RAM:000000C0 ADDS R1, #1
+RAM:000000C2 ADDS R4, #1
+RAM:000000C4 CMP R4, #7
+RAM:000000C6 BLS loc_B6
+RAM:000000C8 LSRS R1, R1, #4
+RAM:000000CA CMP R1, #0xE
+RAM:000000CC BEQ loc_AE
+RAM:000000CE CMP R1, #0xF
+RAM:000000D0 BEQ loc_B2
+RAM:000000D2 MOV R5, LR
+RAM:000000D4 MOVS R0, #0
+RAM:000000D6
+RAM:000000D6 loc_D6 ; CODE XREF: sub_9E+56↓j
+RAM:000000D6 MOVS R1, #0xD
+RAM:000000D8 MOVS R2, #0
+RAM:000000DA MOVS R3, #0xD
+RAM:000000DC PUSH {R0-R3}
+RAM:000000DE LDR R4, =0x40004164
+RAM:000000E0 PUSH {R2,R4}
+RAM:000000E2 ADRL R4, (loc_EC+1)
+RAM:000000E6 MOV LR, R4
+RAM:000000E8 LDR R4, =0x105A19
+RAM:000000EA BX R4
+RAM:000000EC
+RAM:000000EC loc_EC ; DATA XREF: sub_9E+44↑o
+RAM:000000EC ADD SP, SP, #8
+RAM:000000EE POP {R0-R3}
+RAM:000000F0 ADDS R0, #1
+RAM:000000F2 CMP R0, #1
+RAM:000000F4 BEQ loc_D6
+RAM:000000F6 MOV LR, R5
+RAM:000000F8 LDR R0, =0x4000FC20
+RAM:000000FA MOV R8, R0
+RAM:000000FC B loc_50
+RAM:000000FC ; End of function sub_9E
+RAM:000000FC
+RAM:000000FE
+RAM:000000FE ; =============== S U B R O U T I N E =======================================
+RAM:000000FE
+RAM:000000FE
+RAM:000000FE sub_FE
+RAM:000000FE POP {R2}
+RAM:00000100 MOV R4, SP
+RAM:00000102 SUBS R4, R4, R0
+RAM:00000104 BLS loc_10C
+RAM:00000106 CMP R4, R2
+RAM:00000108 BCS loc_118
+RAM:0000010A B loc_116
+RAM:0000010C ; ---------------------------------------------------------------------------
+RAM:0000010C
+RAM:0000010C loc_10C ; CODE XREF: sub_FE+6↑j
+RAM:0000010C LDR R4, =0x4000BE68
+RAM:0000010E SUBS R4, R4, R0
+RAM:00000110 BLS loc_118
+RAM:00000112 CMP R4, R2
+RAM:00000114 BCS loc_118
+RAM:00000116
+RAM:00000116 loc_116 ; CODE XREF: sub_FE+C↑j
+RAM:00000116 ADDS R2, R4, #0
+RAM:00000118
+RAM:00000118 loc_118 ; CODE XREF: sub_FE+A↑j
+RAM:00000118 ; sub_FE+12↑j ...
+RAM:00000118 SUBS R3, R0, R1
+RAM:0000011A BX LR
+RAM:0000011A ; End of function sub_FE
+RAM:0000011A
+RAM:0000011C
+RAM:0000011C ; =============== S U B R O U T I N E =======================================
+RAM:0000011C
+RAM:0000011C
+RAM:0000011C sub_11C ; 9: 0x10d1df6a 0x001021a2 0x0000df6a : svc #0x6a (offset 0x11c)
+RAM:0000011C SUBS R3, #5
+RAM:0000011E MOVS R2, #0xF0
+RAM:00000120 BICS R2, R3
+RAM:00000122 B loc_50
+RAM:00000122 ; End of function sub_11C
+RAM:00000122
+RAM:00000122 ; ---------------------------------------------------------------------------
+RAM:00000124 dword_124 DCD 0x4000FC20 ; DATA XREF: sub_54+4↑r
+RAM:00000124 ; sub_9E+5A↑r
+RAM:00000128 dword_128 DCD 0x40040000 ; DATA XREF: sub_54+6↑r
+RAM:0000012C dword_12C DCD 0xEAFFFFFE ; DATA XREF: sub_54+8↑r
+RAM:00000130 off_130 DCD 0x1002A0 ; DATA XREF: sub_8E:loc_6E↑r
+RAM:00000134 dword_134 DCD 0x5A55F0E1 ; DATA XREF: sub_86+2↑r
+RAM:00000134 ; sub_8E+2↑r
+RAM:00000138 dword_138 DCD 0x7000F900 ; DATA XREF: sub_9E↑r
+RAM:0000013C off_13C DCD 0x7001231C ; DATA XREF: sub_9E+8↑r
+RAM:00000140 off_140 DCD 0x7041231C ; DATA XREF: sub_9E+A↑r
+RAM:00000144 dword_144 DCD 0x40004164 ; DATA XREF: sub_9E+40↑r
+RAM:00000148 off_148 DCD 0x105A19 ; DATA XREF: sub_9E+4A↑r
+RAM:0000014C dword_14C DCD 0x4000BE68 ; DATA XREF: sub_FE:loc_10C↑r
+RAM:0000014C ; RAM ends
+</syntaxhighlight>
+
+==== First IROM patch ====
+This patch is applied to the bootrom IPATCH handling function so that more patches can be loaded from fuses.
+
+<syntaxhighlight lang="c">
+ if (patch_start_addr == 0xAF) {
+ patch_start_addr = 0xFF;
+ }
+ patch_start_addr--;
+ return;
+</syntaxhighlight>
+
+==== IROM patch 0 ====
+This patch initializes all unused IRAM memory to 0xEAFFFFFE (infinite loop instruction).
+
+<syntaxhighlight lang="c">
+ /*
+ Untranslated instructions:
+ MOVS R3, #7
+ PUSH {R0,R1,R3-R6}
+ */
+ for (u32 addr = 0x4000FC20; addr < 0x40040000; addr += 0x04) {
+ *(u32 *)addr = 0xEAFFFFFE;
+ }
+ /*
+ Untranslated instructions:
+ POP {R0,R1,R3-R6}
+ */
+ return;
+</syntaxhighlight>
= Anti-downgrade =
= Anti-downgrade =