target_dsp/calypso: Add some pointers to get started in IDA

Signed-off-by: Sylvain Munaut <tnt@246tNt.com>
Sylvain Munaut 2010-03-11 22:25:50 +01:00
parent 3b5cc0824d
commit 9ef3107463
3 changed files with 503 additions and 0 deletions


@ -0,0 +1,73 @@
Here's a few steps to get started quickly and get something readable:
- Compile a patched for the IDA TMS320C54 module
I made several enhancement to it to support the calypso better (the tms320c54
module is part of the SDK and can be modded and recompiled) :
- Add support for memory mappings so that the same memory zone can
'appear' at several place in the address space (to handle data & code
overlay)
- Fix the section handling when loading a file:
. to set XPC properly,
. to not override section name
. to support more than 2 sections
- Fix a bug in cross reference detection when dealing with section
having selectors != 0
- Add stub support for the type system. This allows loading of a .h
header file with the NDB structure definition
- Add definition for the IO ports so that they are symbolically
displayed
I can't publically distribute the IDA processor module modification
because even just the patch contains some hex-rays code, so I'll handle
this on a case by case basis. (just ask me privately and we'll work it out)
- Dump the DSP ROM
Using the compal_dsp_dump.bin, you must create a text dump of the DSP ROM,
just piping the console output to a text file.
- Generate COFF image
The dump2coff.py script can convert the text dump into a usable COFF file
containing all the correct sections and addresses.
- Load this COFF image into IDA
In the load dialog make sure :
- Uncheck the 'Fill segment gaps (COFF)' checkbox
- Select 'TMS320C54' in 'Change processor'
- In 'Analysis Options/Processor specific analysis options' :
- 'Choose device name': CALYPSO
- 'Data segment address': 0x80000000
- 'Add mapping' (do it several time)
- From 0x00000060 -> 0x80000060 size 0x6FA0
- From 0x00010060 -> 0x80000060 size 0x6FA0
- From 0x00020060 -> 0x80000060 size 0x6FA0
- From 0x00030060 -> 0x80000060 size 0x6FA0
- From 0x8000E000 -> 0x0000E000 size 0x2000
- Set 'stub' compiler options to allow the type system to load .h files
In 'Options/Compiler':
- Compiler: 'GNU C++'
- Calling convention: 'Cdecl'
- Memory model: 'Code Near, Data Near'
- Pointer size: 'Near 16bit, Far 32bit'
- Include directory: '/usr/include' (or a directory with your includes
... needs to exist)
- Load the NDB types
- Load the ndb.h file
- In the local types view, import all structure / enum into the database
- Then declare the following symbol and set them as struct type
appropriately.
0x80000800 api_w_page_0 db_mcu_to_dsp
0x80000814 api_w_page_1 db_mcu_to_dsp
0x80000828 api_r_page_0 db_dsp_to_mcu
0x8000083c api_r_page_1 db_dsp_to_mcu
0x800008d4 ndb ndb_mcu_dsp


@ -0,0 +1,294 @@
typedef unsigned char API;
typedef signed char API_SIGNED;
struct db_mcu_to_dsp
{
API d_task_d;
API d_burst_d;
API d_task_u;
API d_burst_u;
API d_task_md;
API d_background;
API d_debug;
API d_task_ra;
API d_fn;
API d_ctrl_tch;
API hole;
API d_ctrl_abb;
API a_a5fn[2];
API d_power_ctl;
API d_afc;
API d_ctrl_system;
};
struct db_dsp_to_mcu
{
API d_task_d;
API d_burst_d;
API d_task_u;
API d_burst_u;
API d_task_md;
API d_background;
API d_debug;
API d_task_ra;
API a_serv_demod[4];
API a_pm[3];
API a_sch[5];
};
struct param_mcu_dsp
{
API_SIGNED d_transfer_rate;
API_SIGNED d_lat_mcu_bridge;
API_SIGNED d_lat_mcu_hom2sam;
API_SIGNED d_lat_mcu_bef_fast_access;
API_SIGNED d_lat_dsp_after_sam;
API_SIGNED d_gprs_install_address;
API_SIGNED d_misc_config;
API_SIGNED d_cn_sw_workaround;
API_SIGNED d_hole2_param[4];
API_SIGNED d_fb_margin_beg;
API_SIGNED d_fb_margin_end;
API_SIGNED d_nsubb_idle;
API_SIGNED d_nsubb_dedic;
API_SIGNED d_fb_thr_det_iacq;
API_SIGNED d_fb_thr_det_track;
API_SIGNED d_dc_off_thres;
API_SIGNED d_dummy_thres;
API_SIGNED d_dem_pond_gewl;
API_SIGNED d_dem_pond_red;
API_SIGNED d_maccthresh1;
API_SIGNED d_mldt;
API_SIGNED d_maccthresh;
API_SIGNED d_gu;
API_SIGNED d_go;
API_SIGNED d_attmax;
API_SIGNED d_sm;
API_SIGNED d_b;
API_SIGNED d_v42b_switch_hyst;
API_SIGNED d_v42b_switch_min;
API_SIGNED d_v42b_switch_max;
API_SIGNED d_v42b_reset_delay;
API_SIGNED d_ldT_hr;
API_SIGNED d_maccthresh_hr;
API_SIGNED d_maccthresh1_hr;
API_SIGNED d_gu_hr;
API_SIGNED d_go_hr;
API_SIGNED d_b_hr;
API_SIGNED d_sm_hr;
API_SIGNED d_attmax_hr;
API_SIGNED c_mldt_efr;
API_SIGNED c_maccthresh_efr;
API_SIGNED c_maccthresh1_efr;
API_SIGNED c_gu_efr;
API_SIGNED c_go_efr;
API_SIGNED c_b_efr;
API_SIGNED c_sm_efr;
API_SIGNED c_attmax_efr;
API_SIGNED d_sd_min_thr_tchfs;
API_SIGNED d_ma_min_thr_tchfs;
API_SIGNED d_md_max_thr_tchfs;
API_SIGNED d_md1_max_thr_tchfs;
API_SIGNED d_sd_min_thr_tchhs;
API_SIGNED d_ma_min_thr_tchhs;
API_SIGNED d_sd_av_thr_tchhs;
API_SIGNED d_md_max_thr_tchhs;
API_SIGNED d_md1_max_thr_tchhs;
API_SIGNED d_sd_min_thr_tchefs;
API_SIGNED d_ma_min_thr_tchefs;
API_SIGNED d_md_max_thr_tchefs;
API_SIGNED d_md1_max_thr_tchefs;
API_SIGNED d_wed_fil_ini;
API_SIGNED d_wed_fil_tc;
API_SIGNED d_x_min;
API_SIGNED d_x_max;
API_SIGNED d_slope;
API_SIGNED d_y_min;
API_SIGNED d_y_max;
API_SIGNED d_wed_diff_threshold;
API_SIGNED d_mabfi_min_thr_tchhs;
API_SIGNED d_facch_thr;
API_SIGNED d_max_ovsp_ul;
API_SIGNED d_sync_thres;
API_SIGNED d_idle_thres;
API_SIGNED d_m1_thres;
API_SIGNED d_max_ovsp_dl;
API_SIGNED d_gsm_bgd_mgt;
API a_fir_holes[4];
API a_fir31_uplink[31];
API a_fir31_downlink[31];
};
struct ndb_mcu_dsp
{
API d_dsp_page;
API d_error_status;
API d_spcx_rif;
API d_tch_mode;
API d_debug1;
API d_dsp_test;
API d_version_number1;
API d_version_number2;
API d_debug_ptr;
API d_debug_bk;
API d_pll_config;
API p_debug_buffer;
API d_debug_buffer_size;
API d_debug_trace_type;
API d_dsp_state;
API d_hole1_ndb[2];
API d_hole_debug_amr;
API d_hole2_ndb[1];
API d_mcsi_select;
API d_apcdel1_bis;
API d_apcdel2_bis;
API d_apcdel2;
API d_vbctrl2;
API d_bulgcal;
API d_afcctladd;
API d_vbuctrl;
API d_vbdctrl;
API d_apcdel1;
API d_apcoff;
API d_bulioff;
API d_bulqoff;
API d_dai_onoff;
API d_auxdac;
API d_vbctrl1;
API d_bbctrl;
API d_fb_det;
API d_fb_mode;
API a_sync_demod[4];
API a_sch26[5];
API d_audio_gain_ul;
API d_audio_gain_dl;
API d_audio_compressor_ctrl;
API d_audio_init;
API d_audio_status;
API d_toneskb_init;
API d_toneskb_status;
API d_k_x1_t0;
API d_k_x1_t1;
API d_k_x1_t2;
API d_pe_rep;
API d_pe_off;
API d_se_off;
API d_bu_off;
API d_t0_on;
API d_t0_off;
API d_t1_on;
API d_t1_off;
API d_t2_on;
API d_t2_off;
API d_k_x1_kt0;
API d_k_x1_kt1;
API d_dur_kb;
API d_shiftdl;
API d_shiftul;
API d_aec_ctrl;
API d_es_level_api;
API d_mu_api;
API d_melo_osc_used;
API d_melo_osc_active;
API a_melo_note0[4];
API a_melo_note1[4];
API a_melo_note2[4];
API a_melo_note3[4];
API a_melo_note4[4];
API a_melo_note5[4];
API a_melo_note6[4];
API a_melo_note7[4];
API d_melody_selection;
API a_melo_holes[3];
API d_sr_status;
API d_sr_param;
API d_sr_bit_exact_test;
API d_sr_nb_words;
API d_sr_db_level;
API d_sr_db_noise;
API d_sr_mod_size;
API a_n_best_words[4];
API a_n_best_score[8];
API a_dd_1[22];
API a_du_1[22];
API d_v42b_nego0;
API d_v42b_nego1;
API d_v42b_control;
API d_v42b_ratio_ind;
API d_mcu_control;
API d_mcu_control_sema;
API d_background_enable;
API d_background_abort;
API d_background_state;
API d_max_background;
API a_background_tasks[16];
API a_back_task_io[16];
API d_gea_mode_ovly;
API a_gea_kc_ovly[4];
API d_hole3_ndb[7];
API d_thr_usf_detect;
API d_a5mode;
API d_sched_mode_gprs_ovly;
API d_hole4_ndb[5];
API a_ramp[16];
API a_cd[15];
API a_fd[15];
API a_dd_0[22];
API a_cu[15];
API a_fu[15];
API a_du_0[22];
API d_rach;
API a_kc[4];
API d_ra_conf;
API d_ra_act;
API d_ra_test;
API d_ra_statu;
API d_ra_statd;
API d_fax;
API a_data_buf_ul[21];
API a_data_buf_dl[37];
API a_tty_holes[8];
API a_sr_holes0[414];
API a_new_aec_holes[12];
// API a_sr_holes1[145];
struct param_mcu_dsp params;
API d_cport_init;
API d_cport_ctrl;
API a_cport_cfr[2];
API d_cport_tcl_tadt;
API d_cport_tdat;
API d_cport_tvs;
API d_cport_status;
API d_cport_reg_value;
API a_cport_holes[1011];
API a_model[1041];
API a_eotd_holes[22];
API a_amr_config[4];
API a_ratscch_ul[6];
API a_ratscch_dl[6];
API d_amr_snr_est;
API a_voice_memo_amr_holes[1];
API d_thr_onset_afs;
API d_thr_sid_first_afs;
API d_thr_ratscch_afs;
API d_thr_update_afs;
API d_thr_onset_ahs;
API d_thr_sid_ahs;
API d_thr_ratscch_marker;
API d_thr_sp_dgr;
API d_thr_soft_bits;
API d_holes[61];
};
enum dsp_error {
DSP_ERR_RHEA = 0x0001,
DSP_ERR_IQ_SAMPLES = 0x0004,
DSP_ERR_DMA_PROG = 0x0008,
DSP_ERR_DMA_TASK = 0x0010,
DSP_ERR_DMA_PEND = 0x0020,
DSP_ERR_VM = 0x0080,
DSP_ERR_DMA_UL_TASK = 0x0100,
DSP_ERR_DMA_UL_PROG = 0x0200,
DSP_ERR_DMA_UL_PEND = 0x0400,
DSP_ERR_STACK_OV = 0x0800,
};
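Review bot: Nothing in this header records that `API` stands for one DSP word rather than an 8-bit C `char`, and the layout is only right under that reading. The README places `api_r_page_0` and `api_r_page_1` 0x14 apart and `struct db_dsp_to_mcu` has exactly 20 `API` members, so each member evidently occupies one address unit of the DSP. I would add a comment above the two typedefs, for example `/* API = one DSP word; presumably typed as char only for IDA's TMS320C54 type stub, not for a host compiler */`, because anyone reusing these structs elsewhere would silently get 8-bit fields and wrong offsets. The commented-out `// API a_sr_holes1[145];` in `struct ndb_mcu_dsp` also needs a line saying why it was dropped, since the hole sizes decide the offset of `params` and of every field after it.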


@ -0,0 +1,136 @@
; Append this to the tms320c54.cfg shipped with IDA
.CALYPSO
; entry _reset 0xff80 Reset vector
; RIF
RIF_DXR 0x0000
RIF_DRR 0x0001
RIF_SPCX 0x0002
RIF_SPCR 0x0003
; CYPHER
CYPHER_CNTL 0x2800
CYPHER_CNTL.START 0
CYPHER_CNTL.RESETSW 1
CYPHER_CNTL.MODE0 2
CYPHER_CNTL.MODE1 3
CYPHER_CNTL.CLK_EN 4
CYPHER_CNTL.CYPHER_ONLY 5
CYPHER_STATUS_IRQ 0x2801
CYPHER_STATUS_IRQ.LT_FIN 0
CYPHER_STATUS_WORK 0x2802
CYPHER_STATUS_WORK.WORKING 0
CYPHER_KC_1 0x2803
CYPHER_KC_2 0x2804
CYPHER_KC_3 0x2805
CYPHER_KC_4 0x2806
CYPHER_COUNT_1 0x2807
CYPHER_COUNT_2 0x2808
CYPHER_DECI_1 0x2809
CYPHER_DECI_2 0x280A
CYPHER_DECI_3 0x280B
CYPHER_DECI_4 0x280C
CYPHER_DECI_5 0x280D
CYPHER_DECI_6 0x280E
CYPHER_DECI_7 0x280F
CYPHER_DECI_8 0x2810
CYPHER_ENCI_1 0x2811
CYPHER_ENCI_2 0x2812
CYPHER_ENCI_3 0x2813
CYPHER_ENCI_4 0x2814
CYPHER_ENCI_5 0x2815
CYPHER_ENCI_6 0x2816
CYPHER_ENCI_7 0x2817
CYPHER_ENCI_8 0x2818
; MCSI
MCSI_CONTROL 0x0800
MCSI_MAIN-PARAMETERS 0x0801
MCSI_INTERRUPTS 0x0802
MCSI_CHANNEL-USED 0x0803
MCSI_OVER-CLK 0x0804
MCSI_CLK-FREQ 0x0805
MCSI_STATUS 0x0806
MCSI_TX0 0x0820
MCSI_TX1 0x0821
MCSI_TX2 0x0822
MCSI_TX3 0x0823
MCSI_TX4 0x0824
MCSI_TX5 0x0825
MCSI_TX6 0x0826
MCSI_TX7 0x0827
MCSI_TX8 0x0828
MCSI_TX9 0x0829
MCSI_TX10 0x082A
MCSI_TX11 0x082B
MCSI_TX12 0x082C
MCSI_TX13 0x082D
MCSI_TX14 0x082E
MCSI_TX15 0x082F
MCSI_RX0 0x0830
MCSI_RX1 0x0831
MCSI_RX2 0x0832
MCSI_RX3 0x0833
MCSI_RX4 0x0834
MCSI_RX5 0x0835
MCSI_RX6 0x0836
MCSI_RX7 0x0837
MCSI_RX8 0x0838
MCSI_RX9 0x0839
MCSI_RX10 0x083A
MCSI_RX11 0x083B
MCSI_RX12 0x083C
MCSI_RX13 0x083D
MCSI_RX14 0x083E
MCSI_RX15 0x083F
; RHEA
RHEA_TRANSFER_RATE 0xF800
RHEA_BRIDGE-CTRL 0xF801
RHEA_BRIDGE-CTRL.TIMEOUT_ENABLE 8
RHEA_BRIDGE-CTRL.NSUPV 9
; API
API_CONF 0xF900
API_CONF.RESERVED0 0
API_CONF.API_HOM 1
API_CONF.BRIDGE_CLK_EN 2
; Interrupts
INT_CNTRL 0xFA00
INT_CLEAR 0xFA01
; DMA
DMA_CONTROLLER_CONF 0xFC00
DMA_ALLOC_CONFIG 0xFC02
DMA1_RAD 0xFC10
DMA1_RDPTH 0xFC12
DMA1_AAD 0xFC14
DMA1_ALGTH 0xFC16
DMA1_CTRL 0xFC18
DMA1_CUR_OFFSET_API 0xFC1A
DMA2_RAD 0xFC20
DMA2_RDPTH 0xFC22
DMA2_AAD 0xFC24
DMA2_ALGTH 0xFC26
DMA2_CTRL 0xFC28
DMA2_CUR_OFFSET_API 0xFC2A
DMA3_RAD 0xFC30
DMA3_RDPTH 0xFC32
DMA3_AAD 0xFC34
DMA3_ALGTH 0xFC36
DMA3_CTRL 0xFC38
DMA3_CUR_OFFSET_API 0xFC3A
DMA4_RAD 0xFC40
DMA4_RDPTH 0xFC42
DMA4_AAD 0xFC44
DMA4_ALGTH 0xFC46
DMA4_CTRL 0xFC48
DMA4_CUR_OFFSET_API 0xFC4A