ARM binary disassembler ??

RogerClark
Sun Feb 12, 2017 10:35 pm
Hi Guys

From time to time, I need to disassemble pre-compiled ARM binaries, but I don’t have an easy way to do this

As far as I can tell objdump can’t disassemble binaries, so the only way appears to be to load the binary onto a processor using GDB and then use GDB to disassemble.

But there must be a better / easier way that doesn’t require the hardware to be connected etc, and just spits out an assembly decompilation of the binary?

Edit.

It looks like objdump may be able to do this using the -b binary option, but I somehow need to tell it the architecture, as currently when I try that I get a message saying it can’t disassemble as “architecture UNKNOWN”


BennehBoy
Sun Feb 12, 2017 10:40 pm
The only one I know of is IDA Pro, but it’s not free…

RogerClark
Sun Feb 12, 2017 10:42 pm
BennehBoy wrote:The only one I know of is IDA Pro, but it’s not free…

BennehBoy
Sun Feb 12, 2017 10:48 pm
IDA Pro is an amazing tool tbh.

You can install an eval version to check it out, may be worth the outlay but I guess only you can decide that.

I was looking at it for disassembling the ECU code from my vehicle – it uses an MC68836 CPU32 microcontroller.

I was able to get the basic disassembly done, but simply did not have time to make head nor tails of the code, besides one of your Aussie compatriots has already spent well over a year doing just the same so there was probably little benefit.


RogerClark
Sun Feb 12, 2017 10:54 pm
Thanks

I’ll download the eval version

BTW

I got a bit further using objdump

Looks like if I use

objdump -b binary -m arm -D test.bin > test.asm

I do get some output, but it’s disassembling from the start of the binary, which is the vector table, so by the time it gets to the real start of code, it’s all messed up

I think the stack pointer is stored in the first 4 bytes and the next 4 bytes is the Reset vector, which I presume is the code start address

But strangely in this case the address is not on an even byte boundary, the Reset vector appears to be at address 0x8002765

but perhaps I’m misreading the vector table data

Edit.

I can’t be reading the vector table reset vector numbers correctly

The start of the binary is

00 04 00 20

which I assume means put the stack pointer at 0x200400

But the next 4 bytes are

67 37 00 80

Which I thought meant that the Reset Vector was at 0x8003767 but that’s not a 2 byte boundary and disassembling from that address just gives gibberish :-(


sheepdoll
Sun Feb 12, 2017 11:17 pm
I use https://www.onlinedisassembler.com/static/home/ to check the output of my 68K disassembler written in postscript. It is also useful for checking small snippets of machine code.

Hex-Rays IDA Pro is probably the most complete. I have used the Intel 386 & family demo version. The ARM core may be payware.

The Cristina Cifuentes dissertation on decompilation, while over 25 years old, is a pretty good explanation as to the difficulty in regenerating human readable code. One needs multiple passes and to be able to re-create the symbol tables and link maps. With register optimization and code pipelining it becomes more work to reverse the code than it is to write equivalent code.

Writing a disassembler is not too difficult; most are table driven. So there is a table entry for each instruction group. While there are millions of possible instructions, most are based on logic flag words. There really are only about 7 machine instructions. Everything else is a variation. Where things get complex is addressing modes and memory spaces. In the end one pretty much winds up writing a machine emulator due to the register tracing.

A lot of the work is statistical analysis and library template matching. This leads to a lot of user interaction. Why I use a language like PostScript to analyze 68K code, as it can generate the call graphs directly.

Reverse engineering is also illegal under the US DMCA. A lot of software specifically forbids reverse engineering. On the other hand, there is need when one wants to learn from abandonware, or has to deal with the DPA (dead programmers association,) to maintain older code and hardware. This is a gray area. Especially when combating hacking attacks and malware identification.

Older code, especially MAC OS 6 through 9 abandoned and dead ware also has anti trace instructions and self modifying code. On the other hand some well known programs from the late 1980s and early 1990s were released with the debug tables (ascii data at the end of each function) intact.


RogerClark
Sun Feb 12, 2017 11:28 pm
I just tried the IDA Pro demo, but it only supports x86

That online disassembler looks good, but the problem is the start / reset vector

Any ideas how I find the actual start of code, as the data at the start of the binary, which I thought was the reset vector, looks like it’s wrong, or I’m misreading it


BennehBoy
Sun Feb 12, 2017 11:33 pm
Looks like you’re reading the vector table correctly from what I can see from the datasheet…

RogerClark
Sun Feb 12, 2017 11:49 pm
BennehBoy wrote:Looks like you’re reading the vector table correctly from what I can see from the datasheet…

devan
Mon Feb 13, 2017 12:54 am
From section 2.3.4:
The vector table contains the reset value of the stack pointer, and the start addresses, also called exception vectors, for all exception handlers. Figure 2.2 shows the order of the exception vectors in the vector table. The least-significant bit of each vector must be 1, indicating that the exception handler is Thumb code, see Thumb state.

So for the purposes of grabbing the actual start address, you can just ignore the LSB that makes it odd.

If you want a decompiler that will let you specify the entry point, I’ve tried a couple of free tools.

The Retargetable Decompiler is available online. I haven’t been able to do much analysis with it, but it doesn’t require installing anything.

Hopper (for macOS and Linux) has a decent GUI and a free time-limited trial that limits you to 30 minutes at a time. It worked pretty well when I was looking at the STLink bootloader dumps.


RogerClark
Mon Feb 13, 2017 2:01 am
@devan

So if the start address in the vector table is 0x80007729

Does this mean its really 0x80007728 ?

Edit.

What does the VM setting do in the Retargetable decompiler ?


devan
Mon Feb 13, 2017 3:36 am
RogerClark wrote:So if the start address in the vector table is 0x80007729

Does this mean its really 0x80007728 ?


Rick Kimball
Mon Feb 13, 2017 4:08 am
RogerClark wrote:
… objdump -b binary -m arm -D test.bin > test.asm

Rick Kimball
Mon Feb 13, 2017 4:14 am
To decode the vector table:


$ od -t x4 -v sketch_feb09a.ino.bin | head -15
0000000 20005000 08000165 080003e1 080003e5
0000020 080003e9 080003ed 080003f1 08000441
0000040 08000441 08000441 08000441 08000441
0000060 08000441 08000441 08000441 080007f9
0000100 08000441 08000441 08000441 08000441
0000120 08000441 08000441 08000441 08000441
0000140 08000441 08000441 08000441 08000441
0000160 08000441 08000441 08000441 08000441
0000200 08000441 08000441 08000495 08000441
0000220 08000441 08000441 08000441 08000441
0000240 08000881 080008a5 080008c9 08000901
0000260 08000955 080009c5 08000a35 08000441
0000300 08000441 08000441 08000441 08000441
0000320 08000441 08000afd 08000b4d 08000b9d
0000340 08000441 08000441 08000441 4c05b510

All the vector addresses are odd because that is how the ARM processor knows it is a Thumb instruction. So 0x08000165 is really @ 0x08000164
(nm.. I see earlier posts answered this question)


RogerClark
Mon Feb 13, 2017 7:24 am
Thanks Rick

I think I’m a little closer to a readable disassembly, by using your settings, but something is still a bit screwy, because I’m getting undefined instructions

8000484: fff9 ffff ; <UNDEFINED> instruction: 0xfff9ffff

which probably means that any code after that point is definitely screwed up

See attached blink.bin

PS. I think something is wrong with the vector table dump as the first 4 bytes are zeros where they should be the stack address
so it looks like 4 bytes of zero got prepended to that listing.

Thanks

Roger

PS. I also tried the online disassembler that @devan linked to, and it’s marginally worse than objdump as far as I can see

https://retdec.com/decompilation/

As it doesn’t seem to be as clever as objdump at showing relative offsets etc, and has some other issues


BennehBoy
Mon Feb 13, 2017 8:03 am
Roger, I’ll run the binary through IDA Pro this evening (when not at the office) and see what it’s output is like.

edogaldo
Mon Feb 13, 2017 8:45 am
Hi Roger, did you try using option --disassembler-options=force-thumb in the arm-none-eabi-objdump?

Best, E.
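Added example, not code from edogaldo, devan, Rick or anyone else in this thread: a small POSIX shell script that does by hand what the three of them describe. It reads the first words of a raw .bin with od, strips the Thumb bit from the reset vector (devan’s section 2.3.4 quote), lists the vector table the way Rick’s od dump shows it, sanity-checks the stack pointer and the entry offset, and prints the arm-none-eabi-objdump command with --adjust-vma, --start-address and the -M force-thumb option edogaldo suggests. The 0x08000000 load base is an assumption (the STM32 flash base); the sample image bytes in the comments are constructed from the first two words of Rick’s dump. The script only prints the objdump command; it does not need the toolchain installed to run.

```shell
#!/bin/sh
# Added example, not code from the thread: decode a Cortex-M vector table from a
# raw .bin and build the objdump command that disassembles it correctly.
# Assumptions: the image starts with the vector table (word 0 = initial SP,
# word 1 = reset vector) and BASE is its load address. The default base
# 0x08000000 is the STM32 flash base; pass another one if the image is linked
# elsewhere (e.g. a sketch that lives behind a bootloader).
# Example input (constructed, first two words from Rick's od dump):
#   printf '\000\120\000\040\145\001\000\010' > blink.bin   # 20005000 08000165

# read_le32 FILE OFFSET : print the little-endian 32-bit word at OFFSET (decimal).
# The four bytes are reassembled by hand so the result does not depend on the
# host's byte order (od -t x4 prints host-order words: right on x86, wrong elsewhere).
read_le32() {
    set -- $(od -An -v -t x1 -j "$2" -N 4 "$1")
    [ $# -eq 4 ] || return 1          # short read: the file is too small
    printf '%d\n' "$(( (0x$4 << 24) | (0x$3 << 16) | (0x$2 << 8) | 0x$1 ))"
}

# vector_table FILE : list the 16 architectural ARMv7-M entries with the Thumb
# bit stripped. A non-reserved handler with an even address is flagged: the core
# would fault on it, and it usually means the file is not a vector table at all.
vector_table() {
    i=0
    for name in SP Reset NMI HardFault MemManage BusFault UsageFault \
                res res res res SVCall DebugMon res PendSV SysTick; do
        w=$(read_le32 "$1" $(( i * 4 ))) || return 1
        if [ "$i" -eq 0 ]; then
            printf '%3d %-9s 0x%08x\n' "$i" "$name" "$w"
        elif [ "$name" = res ] || [ $(( w & 1 )) -eq 1 ]; then
            printf '%3d %-9s 0x%08x -> 0x%08x\n' "$i" "$name" "$w" "$(( w & ~1 ))"
        else
            printf '%3d %-9s 0x%08x -> 0x%08x (Thumb bit clear!)\n' "$i" "$name" "$w" "$w"
        fi
        i=$(( i + 1 ))
    done
}

# cortexm_entry FILE [BASE] : print "SP ENTRY OFFSET" (decimal) after the two
# checks that tripped up the thread: the reset vector must be odd (Thumb), and
# the entry must fall inside the file for the assumed base (if it does not, the
# base is wrong, not the vector). An SP outside Cortex-M SRAM only warns.
cortexm_entry() {
    base=$(( ${2:-0x08000000} ))
    sp=$(read_le32 "$1" 0) || return 1
    reset=$(read_le32 "$1" 4) || return 1
    if [ $(( sp >> 28 )) -ne 2 ] && [ $(( sp >> 28 )) -ne 3 ]; then
        printf 'warning: SP 0x%08x is not in the 0x20000000-0x3FFFFFFF SRAM region\n' "$sp" >&2
    fi
    if [ $(( reset & 1 )) -eq 0 ]; then
        printf 'error: reset vector 0x%08x has the Thumb bit clear; not a Cortex-M image?\n' "$reset" >&2
        return 1
    fi
    entry=$(( reset & ~1 ))
    offset=$(( entry - base ))
    size=$(( $(wc -c < "$1") ))
    if [ "$offset" -lt 0 ] || [ "$offset" -ge "$size" ]; then
        printf 'error: entry 0x%08x is outside the file for base 0x%08x\n' "$entry" "$base" >&2
        return 1
    fi
    echo "$sp $entry $offset"
}

# objdump_cmd FILE [BASE] : the objdump invocation. -M force-thumb is the option
# suggested above; --adjust-vma makes the listed addresses match the vectors;
# --start-address skips the table so it is not decoded as instructions.
objdump_cmd() {
    base=$(( ${2:-0x08000000} ))
    set -- "$1" $(cortexm_entry "$1" "$base")
    [ $# -eq 4 ] || return 1
    printf 'arm-none-eabi-objdump -D -b binary -m arm -M force-thumb --adjust-vma=0x%08x --start-address=0x%08x %s\n' \
        "$base" "$3" "$1"
}

# Usage: sh vectors.sh blink.bin [BASE]
if [ $# -ge 1 ] && [ -f "$1" ]; then
    vector_table "$1"
    objdump_cmd "$@"
fi
```

Run it as sh vectors.sh blink.bin; if the image was linked to run at some other address, pass that address as the second argument. The "entry is outside the file" error is the symptom of a wrong base, not of a misread vector, and the Thumb-bit check catches the case where the file does not start with a vector table at all (a dump that begins mid-flash, or one with extra bytes prepended).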


RogerClark
Mon Feb 13, 2017 8:46 am
BennehBoy wrote:Roger, I’ll run the binary through IDA Pro this evening (when not at the office) and see what it’s output is like.

RogerClark
Mon Feb 13, 2017 8:55 am
edogaldo wrote:Hi Roger, did you try using option --disassembler-options=force-thumb in the arm-none-eabi-objdump?

Best, E.


BennehBoy
Mon Feb 13, 2017 9:10 am
This page might be useful (for others if not yourself Roger)… http://pygmy.utoh.org/riscy/cortex/led-stm32.html

RogerClark
Mon Feb 13, 2017 9:15 am
Thanks

sheepdoll
Mon Feb 13, 2017 6:34 pm
Here is a link to someones page of collected resources that I have bookmarked for learning more about bare metal and ASM arm programming.

http://asm.thi.ng/

this sub link is a good place to start
http://www.coranac.com/tonc/text/asm.htm

This one looks promising too.
https://community.arm.com/processors/b/ … r-cortex-m

EDIT: I found the blog and git that I was reading last month, I thought I had it bookmarked. I thought the code link posted by @BennehBoy looked familiar.
his blog is https://ioprog.com/2015/10/05/minimal-b … assembler/
and the gits are https://github.com/fduignan?tab=repositories


BennehBoy
Mon Feb 13, 2017 7:04 pm
Not had much luck with the cursory glance at IDA Pro, suspect it’s more to do with my lack of knowledge than tool issues though.

BennehBoy
Mon Feb 13, 2017 7:15 pm
Here’s part of the maple mini v2 bootloader though…

Think the simplicity of the blink binary is what confused me :D

ROM:00000000 ;
ROM:00000000 ; +-------------------------------------------------------------------------+
ROM:00000000 ; | This file has been generated by The Interactive Disassembler (IDA) |
ROM:00000000 ; | Copyright (c) 2015 Hex-Rays, <[email protected]> |
ROM:00000000 ;
ROM:00000000 ; Input MD5 : 75CB4151F3410F6B3499993DD0792D03
ROM:00000000 ; Input CRC32 : 55FE9A24
ROM:00000000
ROM:00000000 ; File Name : C:\Users\bennehboy\Desktop\maple_mini_boot20.bin
ROM:00000000 ; Format : Binary file
ROM:00000000 ; Base Address: 0000h Range: 0000h - 1BD4h Loaded length: 00001BD4h
ROM:00000000
ROM:00000000 ; Processor : ARM
ROM:00000000 ; ARM architecture: metaarm
ROM:00000000 ; Target assembler: Generic assembler for ARM
ROM:00000000 ; Byte sex : Little endian
ROM:00000000
ROM:00000000 ; ===========================================================================
ROM:00000000
ROM:00000000 ; Segment type: Pure code
ROM:00000000 AREA ROM, CODE, READWRITE, ALIGN=0
ROM:00000000 CODE32
ROM:00000000 DCD 0x20005000, 0x80000F1, 0x8000131, 0x8000131, 0x8000131
ROM:00000000 DCD 0x8000131, 0x8000131, 0, 0, 0, 0
ROM:0000002C DCD 0x8000131, 0x8000131, 0
ROM:00000038 DCD 0x8000131
ROM:0000003C DCD 0x8000131
ROM:00000040 dword_40 DCD 0x8000131 ; DATA XREF: ROM:0000193Co
ROM:00000044 DCD 0x8000131
ROM:00000048 DCD 0x8000131
ROM:0000004C DCD 0x8000131
ROM:00000050 DCD 0x8000131
ROM:00000054 DCD 0x8000131
ROM:00000058 DCD 0x8000131
ROM:0000005C DCD 0x8000131
ROM:00000060 DCD 0x8000131
ROM:00000064 DCD 0x8000131
ROM:00000068 DCD 0x8000131
ROM:0000006C DCD 0x8000131
ROM:00000070 DCD 0x8000131
ROM:00000074 DCD 0x8000131
ROM:00000078 DCD 0x8000131
ROM:0000007C DCD 0x8000131
ROM:00000080 DCD 0x8000131
ROM:00000084 DCD 0x8000131
ROM:00000088 DCD 0x8000131
ROM:0000008C DCD 0x8000131
ROM:00000090 DCD 0x80004B5
ROM:00000094 DCD 0x8000131
ROM:00000098 DCD 0x8000131
ROM:0000009C DCD 0x8000131
ROM:000000A0 DCD 0x8000131
ROM:000000A4 DCD 0x8000131
ROM:000000A8 DCD 0x8000131
ROM:000000AC DCD 0x8000131
ROM:000000B0 DCD 0x8000131
ROM:000000B4 DCD 0x8000131
ROM:000000B8 DCD 0x8000131
ROM:000000BC DCD 0x8000131
ROM:000000C0 DCD 0x8000131
ROM:000000C4 DCD 0x8000131
ROM:000000C8 DCD 0x8000131
ROM:000000CC DCD 0x8000131
ROM:000000D0 DCD 0x8000131
ROM:000000D4 DCD 0x8000131
ROM:000000D8 DCD 0x8000131
ROM:000000DC DCD 0x8000131
ROM:000000E0 DCD 0x8000131
ROM:000000E4 DCD 0x8000131
ROM:000000E8 DCD 0x8000131
ROM:000000EC DCD 0xF108F85F
ROM:000000F0 DCD 0xE0032100
ROM:000000F4 DCD 0x585B4B09
ROM:000000F8 DCD 0x31045043
ROM:000000FC DCD 0x4B094808
ROM:00000100 DCD 0x429A1842
ROM:00000104 DCD 0x4A08D3F6
ROM:00000108 DCD 0x2300E002
ROM:0000010C DCD 0x3B04F842
ROM:00000110 DCD 0x429A4B06
ROM:00000114 DCD 0xF000D3F9
ROM:00000118 DCD 0x4770FA27
ROM:0000011C DCD 0x800190C
ROM:00000120 DCD 0x20000000
ROM:00000124 DCD 0x200002C8
ROM:00000128 DCD 0x200002C8
ROM:0000012C DCD 0x2000030C
ROM:00000130 DCD 0x2803E7FE
ROM:00000134 DCD 0x2002BF8C
ROM:00000138 ; ---------------------------------------------------------------------------
ROM:00000138 CODE16
ROM:00000138 MOVS R0, #0
ROM:0000013A BX LR
ROM:0000013C ; ---------------------------------------------------------------------------
ROM:0000013C LDR R3, =0x20000304
ROM:0000013E LDR R3, [R3]
ROM:00000140 LDRB R3, [R3,#0xA]
ROM:00000142 CBZ R3, locret_14A
ROM:00000144 LDR R3, =0x20000310
ROM:00000146 MOVS R2, #5
ROM:00000148 STR R2, [R3]
ROM:0000014A
ROM:0000014A locret_14A ; CODE XREF: ROM:00000142j
ROM:0000014A BX LR
ROM:0000014A ; ---------------------------------------------------------------------------
ROM:0000014C dword_14C DCD 0x20000304 ; DATA XREF: ROM:0000013Cr
ROM:00000150 dword_150 DCD 0x20000310 ; DATA XREF: ROM:00000144r
ROM:00000154 ; ---------------------------------------------------------------------------
ROM:00000154 BX LR
ROM:00000154 ; ---------------------------------------------------------------------------
ROM:00000156 ALIGN 4
ROM:00000158 LDR R3, =0x20000310
ROM:0000015A MOVS R2, #4
ROM:0000015C STR R2, [R3]
ROM:0000015E BX LR
ROM:0000015E ; ---------------------------------------------------------------------------
ROM:00000160 dword_160 DCD 0x20000310 ; DATA XREF: ROM:00000158r
ROM:00000164 ; ---------------------------------------------------------------------------
ROM:00000164 PUSH {R4,LR}
ROM:00000166 BL sub_A48
ROM:0000016A LDR R3, =0x20000304
ROM:0000016C LDR R2, =0x200002B8
ROM:0000016E LDR R3, [R3]
ROM:00000170 MOVS R4, #0
ROM:00000172 LDR R2, [R2]
ROM:00000174 STRB R4, [R3,#0xA]
ROM:00000176 LDRB R2, [R2,#7]
ROM:00000178 LDR R1, =0x40005C50
ROM:0000017A STRB R2, [R3,#9]
ROM:0000017C LDR R2, =0x40005C00
ROM:0000017E STR R4, [R1]
ROM:00000180 LDR R3, [R2]
ROM:00000182 MOV R0, R4
ROM:00000184 BIC.W R3, R3, #0x7600
ROM:00000188 BIC.W R3, R3, #0x70
ROM:0000018C ORR.W R3, R3, #0x200
ROM:00000190 UXTH R3, R3
ROM:00000192 STR R3, [R2]
ROM:00000194 LDR R3, [R2]
ROM:00000196 BIC.W R3, R3, #0x7000
ROM:0000019A BIC.W R3, R3, #0x40
ROM:0000019E UXTH R3, R3
ROM:000001A0 EOR.W R3, R3, #0x10
ROM:000001A4 STR R3, [R2]
ROM:000001A6 LDR R2, [R1]
ROM:000001A8 LDR R3, =0x20003004
ROM:000001AA UXTH R2, R2
ROM:000001AC ADD R3, R2
ROM:000001AE LSLS R3, R3, #1
ROM:000001B0 MOVS R2, #0x40 ; '@'
ROM:000001B2 STR R2, [R3]
ROM:000001B4 LDR R3, [R1]
ROM:000001B6 MOVS R2, #0x80 ; 'Ç'
ROM:000001B8 UXTH R3, R3
ROM:000001BA ADD.W R3, R3, #0x20000000
ROM:000001BE ADD.W R3, R3, #0x3000
ROM:000001C2 LSLS R3, R3, #1
ROM:000001C4 STR R2, [R3]
ROM:000001C6 BL sub_E28
ROM:000001CA LDR R3, =0x200002DC
ROM:000001CC MOV R0, R4
ROM:000001CE LDR R3, [R3]
ROM:000001D0 LDRB.W R1, [R3,#0x30]
ROM:000001D4 BL sub_E88
ROM:000001D8 MOV R0, R4
ROM:000001DA BL sub_DEE
ROM:000001DE LDR R3, =0x20000310
ROM:000001E0 MOVS R2, #1
ROM:000001E2 MOV R0, R4
ROM:000001E4 POP.W {R4,LR}
ROM:000001E8 STR R2, [R3]
ROM:000001EA B.W sub_1830
ROM:000001EA ; ---------------------------------------------------------------------------
ROM:000001EE ALIGN 0x10
ROM:000001F0 dword_1F0 DCD 0x20000304 ; DATA XREF: ROM:0000016Ar
ROM:000001F4 dword_1F4 DCD 0x200002B8 ; DATA XREF: ROM:0000016Cr
ROM:000001F8 dword_1F8 DCD 0x40005C50 ; DATA XREF: ROM:00000178r
ROM:000001FC dword_1FC DCD 0x40005C00 ; DATA XREF: ROM:0000017Cr
ROM:00000200 dword_200 DCD 0x20003004 ; DATA XREF: ROM:000001A8r
ROM:00000204 dword_204 DCD 0x200002DC ; DATA XREF: ROM:000001CAr
ROM:00000208 dword_208 DCD 0x20000310 ; DATA XREF: ROM:000001DEr
ROM:0000020C ; ---------------------------------------------------------------------------
ROM:0000020C PUSH {R3-R5,LR}
ROM:0000020E LDR R3, =0x20000304
ROM:00000210 MOV R5, R0
ROM:00000212 LDR R2, [R3]
ROM:00000214 MOV R4, R3
ROM:00000216 LDRB R2, [R2]
ROM:00000218 AND.W R2, R2, #0x7F
ROM:0000021C CMP R2, #0x21 ; '!'
ROM:0000021E BNE def_22C ; jumptable 0000022C default case
ROM:00000220 BL sub_B7C
ROM:00000224 CBZ R0, def_22C ; jumptable 0000022C default case
ROM:00000226 SUBS R0, R5, #1 ; switch 5 cases
ROM:00000228 CMP R0, #4
ROM:0000022A BHI def_22C ; jumptable 0000022C default case
ROM:0000022C TBB.W [PC,R0] ; switch jump
ROM:0000022C ; ---------------------------------------------------------------------------
ROM:00000230 jpt_22C DCB 9 ; jump table for switch statement
ROM:00000231 DCB 5
ROM:00000232 DCB 7
ROM:00000233 DCB 0x12
ROM:00000234 DCB 3
ROM:00000235 ALIGN 2
ROM:00000236
ROM:00000236 loc_236 ; CODE XREF: ROM:0000022Cj
ROM:00000236 LDR R3, =0x8000A8D ; jumptable 0000022C case 5
ROM:00000238 B loc_244
ROM:0000023A ; ---------------------------------------------------------------------------
ROM:0000023A
ROM:0000023A loc_23A ; CODE XREF: ROM:0000022Cj
ROM:0000023A LDR R3, =0x8000AE5 ; jumptable 0000022C case 2
ROM:0000023C B loc_244
ROM:0000023E ; ---------------------------------------------------------------------------
ROM:0000023E
ROM:0000023E loc_23E ; CODE XREF: ROM:0000022Cj
ROM:0000023E LDR R3, =0x8000AA5 ; jumptable 0000022C case 3
ROM:00000240 B loc_244
ROM:00000242 ; ---------------------------------------------------------------------------
ROM:00000242
ROM:00000242 loc_242 ; CODE XREF: ROM:0000022Cj
ROM:00000242 LDR R3, =0x8000ABD ; jumptable 0000022C case 1
ROM:00000244
ROM:00000244 loc_244 ; CODE XREF: ROM:00000238j
ROM:00000244 ; ROM:0000023Cj ...
ROM:00000244 LDR R2, [R4]
ROM:00000246 MOVS R4, #0
ROM:00000248 STR R3, [R2,#0x18]
ROM:0000024A STRH R4, [R2,#0x12]
ROM:0000024C MOV R0, R4
ROM:0000024E BLX R3
ROM:00000250 MOV R0, R4
ROM:00000252 POP {R3-R5,PC}
ROM:00000254 ; ---------------------------------------------------------------------------
ROM:00000254
ROM:00000254 def_22C ; CODE XREF: ROM:0000021Ej
ROM:00000254 ; ROM:00000224j ...
ROM:00000254 MOVS R0, #2 ; jumptable 0000022C default case
ROM:00000256 POP {R3-R5,PC}
ROM:00000256 ; ---------------------------------------------------------------------------
ROM:00000258 dword_258 DCD 0x20000304 ; DATA XREF: ROM:0000020Er
ROM:0000025C dword_25C DCD 0x8000A8D ; DATA XREF: ROM:loc_236r
ROM:00000260 dword_260 DCD 0x8000AE5 ; DATA XREF: ROM:loc_23Ar
ROM:00000264 dword_264 DCD 0x8000AA5 ; DATA XREF: ROM:loc_23Er
ROM:00000268 dword_268 DCD 0x8000ABD ; DATA XREF: ROM:loc_242r
ROM:0000026C ; ---------------------------------------------------------------------------
ROM:0000026C LDR R1, =0x20000144
ROM:0000026E B.W loc_1418
ROM:0000026E ; ---------------------------------------------------------------------------
ROM:00000272 ALIGN 4
ROM:00000274 dword_274 DCD 0x20000144 ; DATA XREF: ROM:0000026Cr
ROM:00000278 ; ---------------------------------------------------------------------------
ROM:00000278 LDR R1, =0x200002B8
ROM:0000027A B.W loc_1418
ROM:0000027A ; ---------------------------------------------------------------------------
ROM:0000027E ALIGN 0x10
ROM:00000280 dword_280 DCD 0x200002B8 ; DATA XREF: ROM:00000278r
ROM:00000284 ; ---------------------------------------------------------------------------
ROM:00000284 LDR R3, =0x20000304
ROM:00000286 LDR R3, [R3]
ROM:00000288 LDRB R3, [R3,#2]
ROM:0000028A CMP R3, #7
ROM:0000028C BHI loc_298
ROM:0000028E LDR R1, =0x20000094
ROM:00000290 ADD.W R1, R1, R3,LSL#3
ROM:00000294 B.W loc_1418
ROM:00000298 ; ---------------------------------------------------------------------------
ROM:00000298
ROM:00000298 loc_298 ; CODE XREF: ROM:0000028Cj
ROM:00000298 MOVS R0, #0
ROM:0000029A BX LR
ROM:0000029A ; ---------------------------------------------------------------------------
ROM:0000029C dword_29C DCD 0x20000304 ; DATA XREF: ROM:00000284r
ROM:000002A0 dword_2A0 DCD 0x20000094 ; DATA XREF: ROM:0000028Er
ROM:000002A4 ; ---------------------------------------------------------------------------
ROM:000002A4 LDR R1, =0x200000E0
ROM:000002A6 B.W loc_1418
ROM:000002A6 ; ---------------------------------------------------------------------------
ROM:000002AA ALIGN 4
ROM:000002AC dword_2AC DCD 0x200000E0 ; DATA XREF: ROM:000002A4r
ROM:000002B0 ; ---------------------------------------------------------------------------
ROM:000002B0 PUSH {R3,LR}
ROM:000002B2 LDR R3, =0x20000304
ROM:000002B4 LDR R3, [R3]
ROM:000002B6 LDRB R3, [R3]
ROM:000002B8 AND.W R3, R3, #0x7F
ROM:000002BC CMP R3, #0x21 ; '!'
ROM:000002BE BNE loc_2C6
ROM:000002C0 BL sub_B7C
ROM:000002C4 CBNZ R0, loc_2CA
ROM:000002C6
ROM:000002C6 loc_2C6 ; CODE XREF: ROM:000002BEj
ROM:000002C6 MOVS R0, #2
ROM:000002C8 POP {R3,PC}
ROM:000002CA ; ---------------------------------------------------------------------------
ROM:000002CA
ROM:000002CA loc_2CA ; CODE XREF: ROM:000002C4j
ROM:000002CA MOVS R0, #0
ROM:000002CC POP {R3,PC}
ROM:000002CC ; ---------------------------------------------------------------------------
ROM:000002CE ALIGN 0x10
ROM:000002D0 dword_2D0 DCD 0x20000304 ; DATA XREF: ROM:000002B2r
ROM:000002D4 ; ---------------------------------------------------------------------------
ROM:000002D4 BX LR
ROM:000002D6 ; ---------------------------------------------------------------------------
ROM:000002D6 BX LR
ROM:000002D8 ; ---------------------------------------------------------------------------
ROM:000002D8 BX LR
ROM:000002DA ; ---------------------------------------------------------------------------
ROM:000002DA BX LR
ROM:000002DC ; ---------------------------------------------------------------------------
ROM:000002DC BX LR
ROM:000002DE ; ---------------------------------------------------------------------------
ROM:000002DE BX LR
ROM:000002E0 ; ---------------------------------------------------------------------------
ROM:000002E0 BX LR
ROM:000002E2 ; ---------------------------------------------------------------------------
ROM:000002E2 BX LR
ROM:000002E4 ; ---------------------------------------------------------------------------
ROM:000002E4 BX LR
ROM:000002E4 ; ---------------------------------------------------------------------------
ROM:000002E6 ALIGN 4
ROM:000002E8
ROM:000002E8 ; =============== S U B R O U T I N E =======================================
ROM:000002E8
ROM:000002E8
ROM:000002E8 sub_2E8 ; CODE XREF: ROM:00000576p
ROM:000002E8 PUSH {R3-R5,LR}
ROM:000002EA LDR R5, =0x40010C04
ROM:000002EC MOVS R0, #9
ROM:000002EE LDR R4, [R5]
ROM:000002F0 BL sub_9B0
ROM:000002F4 ANDS R0, R4
ROM:000002F6 LDR R4, =0x40010C00
ROM:000002F8 ORR.W R0, R0, #0x50
ROM:000002FC STR R0, [R5]
ROM:000002FE MOVS R2, #1
ROM:00000300 MOV R0, R4
ROM:00000302 MOVS R1, #9
ROM:00000304 BL sub_640
ROM:00000308 MOVS R2, #0
ROM:0000030A MOV R0, R4
ROM:0000030C MOVS R1, #9
ROM:0000030E BL sub_640
ROM:00000312 BL sub_9D4
ROM:00000316 LDR R3, =0x200002C8
ROM:00000318 UXTB R2, R0
ROM:0000031A STR R0, [R3]
ROM:0000031C LDR R3, =0x200000EC
ROM:0000031E UBFX.W R0, R0, #8, #8
ROM:00000322 STRB.W R2, [R3,#0x29]
ROM:00000326 STRB.W R0, [R3,#0x2A]
ROM:0000032A LDR R3, =0x20000129
ROM:0000032C STRB R2, [R3,#5]
ROM:0000032E STRB R0, [R3,#6]
ROM:00000330 POP.W {R3-R5,LR}
ROM:00000334 B.W sub_106C
ROM:00000334 ; End of function sub_2E8
ROM:00000334
ROM:00000334 ; ---------------------------------------------------------------------------
ROM:00000338 dword_338 DCD 0x40010C04 ; DATA XREF: sub_2E8+2r
ROM:0000033C dword_33C DCD 0x40010C00 ; DATA XREF: sub_2E8+Er
ROM:00000340 dword_340 DCD 0x200002C8 ; DATA XREF: sub_2E8+2Er
ROM:00000344 dword_344 DCD 0x200000EC ; DATA XREF: sub_2E8+34r
ROM:00000348 dword_348 DCD 0x20000129 ; DATA XREF: sub_2E8+42r
ROM:0000034C
ROM:0000034C ; =============== S U B R O U T I N E =======================================
ROM:0000034C
ROM:0000034C
ROM:0000034C sub_34C ; CODE XREF: ROM:00000506p
ROM:0000034C LDR R2, =0x40005C40
ROM:0000034E LDR R3, [R2]
ROM:00000350 UXTH R3, R3
ROM:00000352 ORR.W R3, R3, #0xC
ROM:00000356 STR R3, [R2]
ROM:00000358 LDR R3, =0x20000310
ROM:0000035A MOVS R2, #3
ROM:0000035C STR R2, [R3]
ROM:0000035E BX LR
ROM:0000035E ; End of function sub_34C
ROM:0000035E
ROM:0000035E ; ---------------------------------------------------------------------------
ROM:00000360 dword_360 DCD 0x40005C40 ; DATA XREF: sub_34Cr
ROM:00000364 dword_364 DCD 0x20000310 ; DATA XREF: sub_34C+Cr
ROM:00000368
ROM:00000368 ; =============== S U B R O U T I N E =======================================
ROM:00000368
ROM:00000368
ROM:00000368 sub_368 ; CODE XREF: sub_380:loc_39Ap
ROM:00000368 ; sub_380:loc_3A0p
ROM:00000368 MOVW R2, #0xFFFB
ROM:0000036C LDR R3, =0x40005C40
ROM:0000036E LDR R1, [R3]
ROM:00000370 ANDS R2, R1
ROM:00000372 STR R2, [R3]
ROM:00000374 MOV.W R2, #0xBF00
ROM:00000378 STR R2, [R3]
ROM:0000037A BX LR
ROM:0000037A ; End of function sub_368
ROM:0000037A
ROM:0000037A ; ---------------------------------------------------------------------------
ROM:0000037C dword_37C DCD 0x40005C40 ; DATA XREF: sub_368+4r
ROM:00000380
ROM:00000380 ; =============== S U B R O U T I N E =======================================
ROM:00000380
ROM:00000380
ROM:00000380 sub_380 ; CODE XREF: ROM:000004F8p
ROM:00000380 ; ROM:0000053Ap
ROM:00000380 PUSH {R4,LR}
ROM:00000382 LDR R4, =0x200002CE
ROM:00000384 CMP R0, #7
ROM:00000386 IT NE
ROM:00000388 STRNEB R0, [R4]
ROM:0000038A LDRB R3, [R4]
ROM:0000038C CMP R3, #5 ; switch 6 cases
ROM:0000038E BHI def_390 ; jumptable 00000390 default case
ROM:00000390 TBB.W [PC,R3] ; switch jump
ROM:00000390 ; ---------------------------------------------------------------------------
ROM:00000394 jpt_390 DCB 3 ; jump table for switch statement
ROM:00000395 DCB 6
ROM:00000396 DCB 0xA
ROM:00000397 DCB 0xE
ROM:00000398 DCB 0x16
ROM:00000399 DCB 0x21
ROM:0000039A ; ---------------------------------------------------------------------------
ROM:0000039A
ROM:0000039A loc_39A ; CODE XREF: sub_380+10j
ROM:0000039A BL sub_368 ; jumptable 00000390 case 0
ROM:0000039E B def_390 ; jumptable 00000390 default case
ROM:000003A0 ; ---------------------------------------------------------------------------
ROM:000003A0
ROM:000003A0 loc_3A0 ; CODE XREF: sub_380+10j
ROM:000003A0 BL sub_368 ; jumptable 00000390 case 1
ROM:000003A4 MOVS R3, #4
ROM:000003A6 B loc_3F8
ROM:000003A8 ; ---------------------------------------------------------------------------
ROM:000003A8
ROM:000003A8 loc_3A8 ; CODE XREF: sub_380+10j
ROM:000003A8 MOVS R3, #2 ; jumptable 00000390 case 2
ROM:000003AA STRB R3, [R4,#1]
ROM:000003AC MOVS R3, #3
ROM:000003AE B loc_3F8
ROM:000003B0 ; ---------------------------------------------------------------------------
ROM:000003B0
ROM:000003B0 loc_3B0 ; CODE XREF: sub_380+10j
ROM:000003B0 LDRB R3, [R4,#1] ; jumptable 00000390 case 3
ROM:000003B2 SUBS R3, #1
ROM:000003B4 UXTB R3, R3
ROM:000003B6 STRB R3, [R4,#1]
ROM:000003B8 LDRB R3, [R4,#1]
ROM:000003BA CBNZ R3, locret_3FA
ROM:000003BC MOVS R2, #4
ROM:000003BE B loc_3F0
ROM:000003C0 ; ---------------------------------------------------------------------------
ROM:000003C0
ROM:000003C0 loc_3C0 ; CODE XREF: sub_380+10j
ROM:000003C0 LDR R2, =0x40005C40 ; jumptable 00000390 case 4
ROM:000003C2 LDR R3, [R2]
ROM:000003C4 UXTH R3, R3
ROM:000003C6 ORR.W R3, R3, #0x10
ROM:000003CA STR R3, [R2]
ROM:000003CC MOVS R3, #5
ROM:000003CE STRB R3, [R4]
ROM:000003D0 MOVS R3, #0xA
ROM:000003D2 STRB R3, [R4,#1]
ROM:000003D4 POP {R4,PC}
ROM:000003D6 ; ---------------------------------------------------------------------------
ROM:000003D6
ROM:000003D6 loc_3D6 ; CODE XREF: sub_380+10j
ROM:000003D6 LDRB R3, [R4,#1] ; jumptable 00000390 case 5
ROM:000003D8 SUBS R3, #1
ROM:000003DA UXTB R3, R3
ROM:000003DC STRB R3, [R4,#1]
ROM:000003DE LDRB R3, [R4,#1]
ROM:000003E0 CBNZ R3, locret_3FA
ROM:000003E2 MOVW R3, #0xFFEF
ROM:000003E6 LDR R2, =0x40005C40
ROM:000003E8 LDR R1, [R2]
ROM:000003EA ANDS R3, R1
ROM:000003EC STR R3, [R2]
ROM:000003EE MOVS R2, #6
ROM:000003F0
ROM:000003F0 loc_3F0 ; CODE XREF: sub_380+3Ej
ROM:000003F0 LDR R3, =0x200002CE
ROM:000003F2 STRB R2, [R3]
ROM:000003F4 POP {R4,PC}
ROM:000003F6 ; ---------------------------------------------------------------------------
ROM:000003F6
ROM:000003F6 def_390 ; CODE XREF: sub_380+Ej
ROM:000003F6 ; sub_380+1Ej
ROM:000003F6 MOVS R3, #6 ; jumptable 00000390 default case
ROM:000003F8
ROM:000003F8 loc_3F8 ; CODE XREF: sub_380+26j
ROM:000003F8 ; sub_380+2Ej
ROM:000003F8 STRB R3, [R4]
ROM:000003FA
ROM:000003FA locret_3FA ; CODE XREF: sub_380+3Aj
ROM:000003FA ; sub_380+60j
ROM:000003FA POP {R4,PC}
ROM:000003FA ; End of function sub_380
ROM:000003FA
ROM:000003FA ; ---------------------------------------------------------------------------
ROM:000003FC dword_3FC DCD 0x200002CE ; DATA XREF: sub_380+2r
ROM:000003FC ; sub_380:loc_3F0r
ROM:00000400 dword_400 DCD 0x40005C40 ; DATA XREF: sub_380:loc_3C0r
ROM:00000400 ; sub_380+66r
ROM:00000404
ROM:00000404 ; =============== S U B R O U T I N E =======================================
ROM:00000404
ROM:00000404
ROM:00000404 sub_404 ; CODE XREF: ROM:0000045Ep
ROM:00000404 LDR R3, =0x40005C40
ROM:00000406 MOVS R2, #1
ROM:00000408 STR R2, [R3]
ROM:0000040A LDR R2, =0x40005C44
ROM:0000040C MOVS R0, #0
ROM:0000040E LDR R1, =0x20000308
ROM:00000410 STR R0, [R3]
ROM:00000412 STR R0, [R2]
ROM:00000414 MOV.W R2, #0x1C00
ROM:00000418 STRH R2, [R1]
ROM:0000041A STR R2, [R3]
ROM:0000041C BX LR
ROM:0000041C ; End of function sub_404
ROM:0000041C
ROM:0000041C ; ---------------------------------------------------------------------------
ROM:0000041E ALIGN 0x10
ROM:00000420 dword_420 DCD 0x40005C40 ; DATA XREF: sub_404r
ROM:00000424 dword_424 DCD 0x40005C44 ; DATA XREF: sub_404+6r
ROM:00000428 dword_428 DCD 0x20000308 ; DATA XREF: sub_404+Ar
ROM:0000042C
ROM:0000042C ; =============== S U B R O U T I N E =======================================
ROM:0000042C
ROM:0000042C
ROM:0000042C sub_42C ; CODE XREF: ROM:00000472p
ROM:0000042C ; sub_A48+20p
ROM:0000042C
ROM:0000042C var_C = -0xC
ROM:0000042C var_B = -0xB
ROM:0000042C var_A = -0xA
ROM:0000042C var_9 = -9
ROM:0000042C var_4 = -4
ROM:0000042C
ROM:0000042C PUSH {R0-R2,LR}
ROM:0000042E MOVS R3, #0x14
ROM:00000430 STRB.W R3, [SP,#0x10+var_C]
ROM:00000434 MOVS R3, #0
ROM:00000436 STRB.W R3, [SP,#0x10+var_B]
ROM:0000043A STRB.W R3, [SP,#0x10+var_A]
ROM:0000043E ADD R0, SP, #0x10+var_C
ROM:00000440 MOVS R3, #1
ROM:00000442 STRB.W R3, [SP,#0x10+var_9]
ROM:00000446 BL sub_840
ROM:0000044A ADD SP, SP, #0xC
ROM:0000044C LDR.W PC, [SP+4+var_4],#4
ROM:0000044C ; End of function sub_42C
ROM:0000044C
ROM:00000450 ; ---------------------------------------------------------------------------
ROM:00000450 PUSH {R4,LR}
ROM:00000452 BL sub_9EC
ROM:00000456 LDR R3, =0x20000304
ROM:00000458 MOVS R4, #0
ROM:0000045A LDR R3, [R3]
ROM:0000045C STRB R4, [R3,#0xA]
ROM:0000045E BL sub_404
ROM:00000462 LDR R3, =0x40005C44
ROM:00000464 LDR R2, =0x20000308
ROM:00000466 STR R4, [R3]
ROM:00000468 MOV.W R3, #0xBF00
ROM:0000046C STRH R3, [R2]
ROM:0000046E LDR R2, =0x40005C40
ROM:00000470 STR R3, [R2]
ROM:00000472 BL sub_42C
ROM:00000476 LDR R3, =0x20000310
ROM:00000478 STR R4, [R3]
ROM:0000047A POP {R4,PC}
ROM:0000047A ; ---------------------------------------------------------------------------
ROM:0000047C dword_47C DCD 0x20000304 ; DATA XREF: ROM:00000456r
ROM:00000480 dword_480 DCD 0x40005C44 ; DATA XREF: ROM:00000462r
ROM:00000484 dword_484 DCD 0x20000308 ; DATA XREF: ROM:00000464r
ROM:00000488 dword_488 DCD 0x40005C40 ; DATA XREF: ROM:0000046Er
ROM:0000048C dword_48C DCD 0x20000310 ; DATA XREF: ROM:00000476r
ROM:00000490
ROM:00000490 ; =============== S U B R O U T I N E =======================================
ROM:00000490
ROM:00000490
ROM:00000490 sub_490 ; CODE XREF: sub_8CC+Ap
ROM:00000490
ROM:00000490 var_C = -0xC
ROM:00000490 var_B = -0xB
ROM:00000490 var_A = -0xA
ROM:00000490 var_9 = -9
ROM:00000490 var_4 = -4
ROM:00000490
ROM:00000490 PUSH {R0-R2,LR}
ROM:00000492 MOVS R3, #0x14
ROM:00000494 STRB.W R3, [SP,#0x10+var_C]
ROM:00000498 ADD R0, SP, #0x10+var_C
ROM:0000049A MOVS R3, #0
ROM:0000049C STRB.W R3, [SP,#0x10+var_B]
ROM:000004A0 STRB.W R3, [SP,#0x10+var_A]
ROM:000004A4 STRB.W R3, [SP,#0x10+var_9]
ROM:000004A8 BL sub_840
ROM:000004AC ADD SP, SP, #0xC
ROM:000004AE LDR.W PC, [SP+4+var_4],#4
ROM:000004AE ; End of function sub_490
ROM:000004AE
ROM:000004AE ; ---------------------------------------------------------------------------
ROM:000004B2 ALIGN 4
ROM:000004B4 PUSH {R4-R6,LR}
ROM:000004B6 LDR R5, =0x40005C44
ROM:000004B8 LDR R4, =0x200002CC
ROM:000004BA LDR R3, [R5]
ROM:000004BC LDR R6, =0x20000308
ROM:000004BE UXTH R3, R3
ROM:000004C0 STRH R3, [R4]
ROM:000004C2 LDRH R2, [R4]
ROM:000004C4 LDRH R3, [R6]
ROM:000004C6 ANDS R3, R2
ROM:000004C8 LSLS R3, R3, #0x15
ROM:000004CA BPL loc_4D8
ROM:000004CC MOVW R3, #0xFBFF
ROM:000004D0 STR R3, [R5]
ROM:000004D2 LDR R3, =0x20000000
ROM:000004D4 LDR R3, [R3,#4]
ROM:000004D6 BLX R3
ROM:000004D8
ROM:000004D8 loc_4D8 ; CODE XREF: ROM:000004CAj
ROM:000004D8 LDRH R2, [R4]
ROM:000004DA LDRH R1, [R6]
ROM:000004DC ANDS R2, R1
ROM:000004DE LSLS R0, R2, #0x12
ROM:000004E0 ITT MI
ROM:000004E2 MOVMIW R3, #0xDFFF
ROM:000004E6 STRMI R3, [R5]
ROM:000004E8 LDRH R3, [R4]
ROM:000004EA ANDS R3, R1
ROM:000004EC LSLS R2, R3, #0x13
ROM:000004EE BPL loc_4FC
ROM:000004F0 MOVW R3, #0xEFFF
ROM:000004F4 MOVS R0, #0
ROM:000004F6 STR R3, [R5]
ROM:000004F8 BL sub_380
ROM:000004FC
ROM:000004FC loc_4FC ; CODE XREF: ROM:000004EEj
ROM:000004FC LDRH R2, [R4]
ROM:000004FE LDRH R3, [R6]
ROM:00000500 ANDS R3, R2
ROM:00000502 LSLS R3, R3, #0x14
ROM:00000504 BPL loc_510
ROM:00000506 BL sub_34C
ROM:0000050A MOVW R3, #0xF7FF
ROM:0000050E STR R3, [R5]
ROM:00000510
ROM:00000510 loc_510 ; CODE XREF: ROM:00000504j
ROM:00000510 LDRH R2, [R4]
ROM:00000512 LDRH R1, [R6]
ROM:00000514 ANDS R2, R1
ROM:00000516 LSLS R0, R2, #0x16
ROM:00000518 BPL loc_52A
ROM:0000051A MOVW R3, #0xFDFF
ROM:0000051E LDR R2, =0x2000030C
ROM:00000520 STR R3, [R5]
ROM:00000522 LDRB R3, [R2]
ROM:00000524 ADDS R3, #1
ROM:00000526 UXTB R3, R3
ROM:00000528 STRB R3, [R2]
ROM:0000052A
ROM:0000052A loc_52A ; CODE XREF: ROM:00000518j
ROM:0000052A LDRH R3, [R4]
ROM:0000052C ANDS R3, R1
ROM:0000052E LSLS R2, R3, #0x17
ROM:00000530 BPL loc_53E
ROM:00000532 MOVW R3, #0xFEFF
ROM:00000536 MOVS R0, #7
ROM:00000538 STR R3, [R5]
ROM:0000053A BL sub_380
ROM:0000053E
ROM:0000053E loc_53E ; CODE XREF: ROM:00000530j
ROM:0000053E LDRH R2, [R4]
ROM:00000540 LDRH R3, [R6]
ROM:00000542 ANDS R3, R2
ROM:00000544 LSLS R3, R3, #0x10
ROM:00000546 BPL locret_550
ROM:00000548 POP.W {R4-R6,LR}
ROM:0000054C B.W sub_F08
ROM:00000550 ; ---------------------------------------------------------------------------
ROM:00000550
ROM:00000550 locret_550 ; CODE XREF: ROM:00000546j
ROM:00000550 POP {R4-R6,PC}
ROM:00000550 ; ---------------------------------------------------------------------------
ROM:00000552 ALIGN 4
ROM:00000554 dword_554 DCD 0x40005C44 ; DATA XREF: ROM:000004B6r
ROM:00000558 dword_558 DCD 0x200002CC ; DATA XREF: ROM:000004B8r
ROM:0000055C dword_55C DCD 0x20000308 ; DATA XREF: ROM:000004BCr
ROM:00000560 dword_560 DCD 0x20000000 ; DATA XREF: ROM:000004D2r
ROM:00000564 dword_564 DCD 0x2000030C ; DATA XREF: ROM:0000051Er
ROM:00000568 ; ---------------------------------------------------------------------------
ROM:00000568 PUSH {R0,R1,R4-R6,LR}
ROM:0000056A BL sub_6B4
ROM:0000056E BL sub_6FC
ROM:00000572 BL sub_75C
ROM:00000576 BL sub_2E8
ROM:0000057A BL sub_784
ROM:0000057E BL sub_7F8
ROM:00000582 CMP R0, #1
ROM:00000584 MOV R4, R0
ROM:00000586 BEQ loc_58E
ROM:00000588 CMP R0, #2
ROM:0000058A BEQ loc_5F4
ROM:0000058C B loc_5A0
ROM:0000058E ; ---------------------------------------------------------------------------
ROM:0000058E
ROM:0000058E loc_58E ; CODE XREF: ROM:00000586j
ROM:0000058E STR R0, [SP]
ROM:00000590 MOV R1, R0
ROM:00000592 MOV.W R3, #0x50000
ROM:00000596 MOVS R2, #5
ROM:00000598 LDR R0, =0x40010C00
ROM:0000059A BL sub_664
ROM:0000059E B loc_626
ROM:000005A0 ; ---------------------------------------------------------------------------
ROM:000005A0
ROM:000005A0 loc_5A0 ; CODE XREF: ROM:0000058Cj
ROM:000005A0 MOVS R4, #1
ROM:000005A2 LDR R0, =0x40010C00
ROM:000005A4 STR R4, [SP]
ROM:000005A6 MOV.W R3, #0x50000
ROM:000005AA MOVS R2, #5
ROM:000005AC MOV R1, R4
ROM:000005AE BL sub_664
ROM:000005B2 LDR R0, =0x8005000
ROM:000005B4 BL sub_7A0
ROM:000005B8 CBZ R0, loc_5C6
ROM:000005BA
ROM:000005BA loc_5BA ; CODE XREF: ROM:000005CEj
ROM:000005BA BL sub_654
ROM:000005BE MOVS R4, R0
ROM:000005C0 IT NE
ROM:000005C2 MOVNE R4, #1
ROM:000005C4 B loc_626
ROM:000005C6 ; ---------------------------------------------------------------------------
ROM:000005C6
ROM:000005C6 loc_5C6 ; CODE XREF: ROM:000005B8j
ROM:000005C6 LDR R0, =0x8002000
ROM:000005C8 BL sub_7A0
ROM:000005CC CBZ R0, loc_626
ROM:000005CE B loc_5BA
ROM:000005D0 ; ---------------------------------------------------------------------------
ROM:000005D0
ROM:000005D0 loc_5D0 ; CODE XREF: ROM:000005EEj
ROM:000005D0 ; ROM:000005F2j
ROM:000005D0 MOVS R2, #1
ROM:000005D2 MOV.W R3, #0x100000
ROM:000005D6 MOV R1, R2
ROM:000005D8 LDR R0, =0x40010C00
ROM:000005DA STR R6, [SP]
ROM:000005DC BL sub_664
ROM:000005E0 BL sub_DB4
ROM:000005E4 CBZ R0, loc_5EA
ROM:000005E6 BL loc_DC0
ROM:000005EA ; ---------------------------------------------------------------------------
ROM:000005EA
ROM:000005EA loc_5EA ; CODE XREF: ROM:000005E4j
ROM:000005EA ADDS R5, #1
ROM:000005EC
ROM:000005EC loc_5EC ; CODE XREF: ROM:0000062Aj
ROM:000005EC CMP R5, #5
ROM:000005EE BLS loc_5D0
ROM:000005F0 CMP R4, #0
ROM:000005F2 BNE loc_5D0
ROM:000005F4
ROM:000005F4 loc_5F4 ; CODE XREF: ROM:0000058Aj
ROM:000005F4 LDR R0, =0x8002000
ROM:000005F6 BL sub_7A0
ROM:000005FA CBZ R0, loc_600
ROM:000005FC LDR R0, =0x8002000
ROM:000005FE B loc_60A
ROM:00000600 ; ---------------------------------------------------------------------------
ROM:00000600
ROM:00000600 loc_600 ; CODE XREF: ROM:000005FAj
ROM:00000600 LDR R0, =0x8005000
ROM:00000602 BL sub_7A0
ROM:00000606 CBZ R0, loc_610
ROM:00000608 LDR R0, =0x8005000
ROM:0000060A
ROM:0000060A loc_60A ; CODE XREF: ROM:000005FEj
ROM:0000060A BL sub_8CC
ROM:0000060E B loc_62C
ROM:00000610 ; ---------------------------------------------------------------------------
ROM:00000610
ROM:00000610 loc_610 ; CODE XREF: ROM:00000606j
ROM:00000610 MOVS R1, #1
ROM:00000612 STR R1, [SP]
ROM:00000614 MOV.W R3, #0x50000
ROM:00000618 MOVS R2, #5
ROM:0000061A LDR R0, =0x40010C00
ROM:0000061C BL sub_664
ROM:00000620 BL sub_8F0
ROM:00000624 ; ---------------------------------------------------------------------------
ROM:00000624 B loc_62C
ROM:00000626 ; ---------------------------------------------------------------------------
ROM:00000626
ROM:00000626 loc_626 ; CODE XREF: ROM:0000059Ej
ROM:00000626 ; ROM:000005C4j ...
ROM:00000626 MOVS R5, #0
ROM:00000628 MOVS R6, #1
ROM:0000062A B loc_5EC
ROM:0000062C ; ---------------------------------------------------------------------------
ROM:0000062C
ROM:0000062C loc_62C ; CODE XREF: ROM:0000060Ej
ROM:0000062C ; ROM:00000624j
ROM:0000062C MOVS R0, #0
ROM:0000062E ADD SP, SP, #8
ROM:00000630 POP {R4-R6,PC}
ROM:00000630 ; ---------------------------------------------------------------------------
ROM:00000632 ALIGN 4
ROM:00000634 dword_634 DCD 0x40010C00 ; DATA XREF: ROM:00000598r
ROM:00000634 ; ROM:000005A2r ...
ROM:00000638 dword_638 DCD 0x8005000 ; DATA XREF: ROM:000005B2r
ROM:00000638 ; ROM:loc_600r ...
ROM:0000063C dword_63C DCD 0x8002000 ; DATA XREF: ROM:loc_5C6r
ROM:0000063C ; ROM:loc_5F4r ...
ROM:00000640
ROM:00000640 ; =============== S U B R O U T I N E =======================================
ROM:00000640
ROM:00000640
ROM:00000640 sub_640 ; CODE XREF: sub_2E8+1Cp
ROM:00000640 ; sub_2E8+26p ...
ROM:00000640 CLZ.W R2, R2
ROM:00000644 MOVS R3, #1
ROM:00000646 LSRS R2, R2, #5
ROM:00000648 LSL.W R1, R3, R1
ROM:0000064C LSLS R2, R2, #4
ROM:0000064E LSLS R1, R2
ROM:00000650 STR R1, [R0,#0x10]
ROM:00000652 BX LR
ROM:00000652 ; End of function sub_640
ROM:00000652
ROM:00000654
ROM:00000654 ; =============== S U B R O U T I N E =======================================
ROM:00000654
ROM:00000654
ROM:00000654 sub_654 ; CODE XREF: ROM:loc_5BAp
ROM:00000654 LDR R3, =0x40010C08
ROM:00000656 LDR R0, [R3]
ROM:00000658 UBFX.W R0, R0, #8, #1
ROM:0000065C BX LR
ROM:0000065C ; End of function sub_654
ROM:0000065C
ROM:0000065C ; ---------------------------------------------------------------------------
ROM:0000065E ALIGN 0x10
ROM:00000660 dword_660 DCD 0x40010C08 ; DATA XREF: sub_654r
ROM:00000664
ROM:00000664 ; =============== S U B R O U T I N E =======================================
ROM:00000664
ROM:00000664
ROM:00000664 sub_664 ; CODE XREF: ROM:0000059Ap
ROM:00000664 ; ROM:000005AEp ...
ROM:00000664
ROM:00000664 arg_0 = 0
ROM:00000664
ROM:00000664 PUSH.W {R3-R9,LR}
ROM:00000668 LDRB.W R9, [SP,#0x20+arg_0]
ROM:0000066C MOV R4, R2
ROM:0000066E RSB.W R5, R9, #1
ROM:00000672 UXTB R5, R5
ROM:00000674 MOV R2, R5
ROM:00000676 MOV R7, R0
ROM:00000678 MOV R8, R1
ROM:0000067A MOV R6, R3
ROM:0000067C BL sub_640
ROM:00000680
ROM:00000680 loc_680 ; CODE XREF: sub_664+4Aj
ROM:00000680 CBZ R4, locret_6B0
ROM:00000682 MOV R3, R6
ROM:00000684
ROM:00000684 loc_684 ; CODE XREF: sub_664+26j
ROM:00000684 CBZ R3, loc_68C
ROM:00000686 NOP
ROM:00000688 SUBS R3, #1
ROM:0000068A B loc_684
ROM:0000068C ; ---------------------------------------------------------------------------
ROM:0000068C
ROM:0000068C loc_68C ; CODE XREF: sub_664:loc_684j
ROM:0000068C MOV R2, R9
ROM:0000068E MOV R1, R8
ROM:00000690 MOV R0, R7
ROM:00000692 BL sub_640
ROM:00000696 MOV R3, R6
ROM:00000698
ROM:00000698 loc_698 ; CODE XREF: sub_664+3Aj
ROM:00000698 CBZ R3, loc_6A0
ROM:0000069A NOP
ROM:0000069C SUBS R3, #1
ROM:0000069E B loc_698
ROM:000006A0 ; ---------------------------------------------------------------------------
ROM:000006A0
ROM:000006A0 loc_6A0 ; CODE XREF: sub_664:loc_698j
ROM:000006A0 MOV R2, R5
ROM:000006A2 MOV R1, R8
ROM:000006A4 MOV R0, R7
ROM:000006A6 SUBS R4, #1
ROM:000006A8 BL sub_640
ROM:000006AC UXTB R4, R4
ROM:000006AE B loc_680
ROM:000006B0 ; ---------------------------------------------------------------------------
ROM:000006B0
ROM:000006B0 locret_6B0 ; CODE XREF: sub_664:loc_680j
ROM:000006B0 POP.W {R3-R9,PC}
ROM:000006B0 ; End of function sub_664
ROM:000006B0
ROM:000006B4
ROM:000006B4 ; =============== S U B R O U T I N E =======================================
ROM:000006B4
ROM:000006B4
ROM:000006B4 sub_6B4 ; CODE XREF: ROM:0000056Ap
ROM:000006B4 ; sub_8CC+12p
ROM:000006B4 LDR R3, =0x40021000
ROM:000006B6 LDR R1, =0x40021004
ROM:000006B8 LDR R2, [R3]
ROM:000006BA ORR.W R2, R2, #1
ROM:000006BE STR R2, [R3]
ROM:000006C0 LDR R0, [R1]
ROM:000006C2 LDR R2, =0xF8FF0000
ROM:000006C4 ANDS R2, R0
ROM:000006C6 STR R2, [R1]
ROM:000006C8 LDR R2, [R3]
ROM:000006CA BIC.W R2, R2, #0x1080000
ROM:000006CE BIC.W R2, R2, #0x10000
ROM:000006D2 STR R2, [R3]
ROM:000006D4 LDR R2, [R3]
ROM:000006D6 BIC.W R2, R2, #0x40000
ROM:000006DA STR R2, [R3]
ROM:000006DC LDR R3, [R1]
ROM:000006DE MOVS R2, #0
ROM:000006E0 BIC.W R3, R3, #0x7F0000
ROM:000006E4 STR R3, [R1]
ROM:000006E6 LDR R3, =0x40021008
ROM:000006E8 STR R2, [R3]
ROM:000006EA BX LR
ROM:000006EA ; End of function sub_6B4
ROM:000006EA
ROM:000006EA ; ---------------------------------------------------------------------------
ROM:000006EC dword_6EC DCD 0x40021000 ; DATA XREF: sub_6B4r
ROM:000006F0 dword_6F0 DCD 0x40021004 ; DATA XREF: sub_6B4+2r
ROM:000006F4 dword_6F4 DCD 0xF8FF0000 ; DATA XREF: sub_6B4+Er
ROM:000006F8 dword_6F8 DCD 0x40021008 ; DATA XREF: sub_6B4+32r
ROM:000006FC
ROM:000006FC ; =============== S U B R O U T I N E =======================================
ROM:000006FC
ROM:000006FC
ROM:000006FC sub_6FC ; CODE XREF: ROM:0000056Ep
ROM:000006FC LDR R3, =0x40021000
ROM:000006FE LDR R2, [R3]
ROM:00000700 ORR.W R2, R2, #0x10001
ROM:00000704 STR R2, [R3]
ROM:00000706
ROM:00000706 loc_706 ; CODE XREF: sub_6FC+10j
ROM:00000706 LDR R2, [R3]
ROM:00000708 LDR R0, =0x40021000
ROM:0000070A LSLS R2, R2, #0xE
ROM:0000070C BPL loc_706
ROM:0000070E LDR R2, =0x40022000
ROM:00000710 MOVS R1, #0x12
ROM:00000712 STR R1, [R2]
ROM:00000714 SUBW R2, R2, #0xFFC
ROM:00000718 LDR R1, [R2]
ROM:0000071A ORR.W R1, R1, #0x1D0000
ROM:0000071E ORR.W R1, R1, #0x400
ROM:00000722 STR R1, [R2]
ROM:00000724 LDR R1, [R0]
ROM:00000726 ORR.W R1, R1, #0x1000000
ROM:0000072A STR R1, [R0]
ROM:0000072C
ROM:0000072C loc_72C ; CODE XREF: sub_6FC+36j
ROM:0000072C LDR R1, [R3]
ROM:0000072E TST.W R1, #0x3000000
ROM:00000732 BEQ loc_72C
ROM:00000734 LDR R1, [R2]
ROM:00000736 ORR.W R1, R1, #2
ROM:0000073A STR R1, [R2]
ROM:0000073C
ROM:0000073C loc_73C ; CODE XREF: sub_6FC+44j
ROM:0000073C LDR R1, [R2]
ROM:0000073E LSLS R1, R1, #0x1C
ROM:00000740 BPL loc_73C
ROM:00000742 LDR R2, [R3,#0x18]
ROM:00000744 ORR.W R2, R2, #0x1FC
ROM:00000748 STR R2, [R3,#0x18]
ROM:0000074A LDR R2, [R3,#0x1C]
ROM:0000074C ORR.W R2, R2, #0x800000
ROM:00000750 STR R2, [R3,#0x1C]
ROM:00000752 BX LR
ROM:00000752 ; End of function sub_6FC
ROM:00000752
ROM:00000752 ; ---------------------------------------------------------------------------


Rick Kimball
Mon Feb 13, 2017 7:42 pm
RogerClark wrote:Thanks Rick
I think I’m a little closer to a readable disassembly, by using your settings, but something is still a bit screwy, because I’m getting undefined instructions
8000484: fff9 ffff ; <UNDEFINED> instruction: 0xfff9ffff
which probably means that any code after that point is definitely screwed up

Rick Kimball
Mon Feb 13, 2017 7:53 pm
RogerClark wrote:PS. I think something is wrong with the vector table dump as the first 4 bytes are zeros where they should be the stack address
so it looks like 4 bytes of zero got pre-pended to that listing.

RogerClark
Mon Feb 13, 2017 8:42 pm
Thanks guys..

Rick.
Ok about the vector table. I only glanced at the first two 32 bit values, and didn't look at the subsequent rows.

Re: disassembler showing data e.g. as invalid instructions.

My concern was that these things could completely screw up the disassembly, as, especially with the Thumb instruction set (because the instructions are shorter), the disassembly could get out of sync when it hits an invalid instruction.
Which would make all subsequent disassembly invalid. But it sounds like that's not the case.

My other concern, though it does not seem to be a problem, is the same thing, but applied to the disassembly of the vector table, i.e. whether the disassembly directly after the end of the vector table is correct, or could potentially be screwed up because the end of the vector table could have data which was decompiled on a 2 byte boundary spanning into the start of the real code.

But it looks like my concerns are unfounded and this can't happen.

BTW.

Last night (my time) I looked at using my BMP and GDB for this, but had problems loading a bin file rather than an elf.

I thought the GDB restore command was supposed to load a bin, but it didn't seem to work, and I couldn't get the code to reset and run.

Also something strange was happening as I kept getting a crash at the start address with the blink sketch.

No idea what's going on with that.

@victor_pv also suggested trying the Segger OZone debugger, but again, this only really worked with the elf file, not the bin.
But it does look like it's a good debugger for anyone using Windows, and has a compatible debugger.
e.g. some STLinks can be legally converted to J-Link.
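The two worries in the post above (zero bytes at the front of the dump, and the disassembly getting out of step where the vector table ends and code begins) can be checked mechanically before running objdump. This is an added example, not code from the thread: it parses the Cortex-M vector table at the start of a raw .bin, validates the initial SP and Reset entries, and works out the first code offset to hand to objdump; the STM32F1-style memory map, the `fw.bin` filename and the sample image are assumptions.

```python
import struct

# Assumed memory map (STM32F1-style); adjust FLASH_SIZE/SRAM_SIZE per part.
FLASH_BASE = 0x08000000
FLASH_SIZE = 0x00100000
SRAM_BASE = 0x20000000
SRAM_SIZE = 0x00010000


def is_thumb_handler(word):
    """Handler addresses are odd (bit 0 = Thumb state) and point into flash,
    so an odd reset vector such as 0x08002765 simply means Thumb code at
    0x08002764; it is not a misaligned pointer."""
    return word & 1 == 1 and FLASH_BASE <= (word & ~1) < FLASH_BASE + FLASH_SIZE


def looks_like_vector_table(image):
    """Sanity check: word 0 is a word-aligned SRAM address (initial SP) and
    word 1 is a Thumb handler (Reset).  Fails when, for example, zero bytes
    were prepended to the dump or it was taken from the wrong offset."""
    if len(image) < 8:
        return False
    sp, reset = struct.unpack_from("<II", image, 0)
    sp_ok = SRAM_BASE < sp <= SRAM_BASE + SRAM_SIZE and sp & 3 == 0
    return sp_ok and is_thumb_handler(reset)


def parse_vector_table(image, base=FLASH_BASE):
    """Walk the table at the start of ``image`` and return where code begins.
    Zero words are reserved slots.  The table ends at the lowest handler
    address seen (no code can sit before the first handler), and that offset
    is where objdump should start so the table itself is never decoded."""
    if not looks_like_vector_table(image):
        raise ValueError("image does not start with a plausible vector table")
    sp = struct.unpack_from("<I", image, 0)[0]
    handlers, offset = [], 4
    while offset + 4 <= len(image):
        word = struct.unpack_from("<I", image, offset)[0]
        if word != 0 and not is_thumb_handler(word):
            break                     # neither reserved nor a handler
        handlers.append(word)
        offset += 4
        code_offset = min((h & ~1) - base for h in handlers if h)
        if offset >= code_offset:
            break                     # reached the first handler's address
    cmd = ("objdump -b binary -m arm -M force-thumb -D --adjust-vma=0x%08x "
           "--start-address=0x%08x fw.bin" % (base, base + code_offset))
    return {"sp": sp, "reset": handlers[0], "handlers": handlers,
            "code_offset": code_offset, "objdump": cmd}


# Constructed sample image: 16-word table (SP + 15 handlers, some reserved
# zeros) followed by two Thumb instructions, BX LR (4770) and NOP (BF00).
SAMPLE_IMAGE = struct.pack("<16I", 0x20005000, 0x08000041, 0x08000045,
                           0x08000045, 0, 0, 0, 0, 0, 0, 0, 0x08000047,
                           0x08000047, 0x08000047, 0x08000047, 0x08000047)
SAMPLE_IMAGE += bytes.fromhex("704700bf")
```

`parse_vector_table(open("fw.bin", "rb").read())["objdump"]` prints the command to run on a real dump; `--adjust-vma` makes the listed addresses match the flash addresses the vector table refers to.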


Rick Kimball
Mon Feb 13, 2017 9:31 pm
RogerClark wrote:
Last night (my time) I looked at using my BMP and GDB for this, but had problems loading a bin file rather than an elf.
I thought the GDB restore command was supposed to load a bin, but it didn't seem to work, and I couldn't get the code to reset and run.

RogerClark
Mon Feb 13, 2017 9:39 pm
Rick Kimball wrote:RogerClark wrote:
Last night (my time) I looked at using my BMP and GDB for this, but had problems loading a bin file rather than an elf.
I thought the GDB restore command was supposed to load a bin, but it didn't seem to work, and I couldn't get the code to reset and run.

RogerClark
Mon Feb 13, 2017 9:42 pm
OK

BMP is now working with the elf file.

I’ll try manually doing the same thing by restoring the bin file


RogerClark
Mon Feb 13, 2017 9:53 pm
No.

restore is not working for me in GDB :-(

GDB is running fine

issued
monitor erase_mass


RogerClark
Mon Feb 13, 2017 9:55 pm
I can try disconnecting the BMP, connecting STLink

Uploading via STLink, then reconnect BMP and tell it to reset and start, but that's a pain to do each time

