SRAM dumps from A13 in FEL mode

= Introduction =

We need to know which SRAM areas are used by the FEL protocol implementation in the BROM, and which areas can be safely used for other purposes. This information is important for the 'sunxi-fel' tool and is used for loading and executing the U-Boot SPL without killing the BROM FEL protocol handler.

Such information can be obtained by doing a complete disassembly of the BROM code to see what its FEL implementation is doing and where it stores its temporary data. Alternatively, though this is somewhat less reliable, we can look at dumps of the SRAM, see how they change after executing different FEL commands, overwrite some SRAM areas to see whether FEL remains operational or dies, and verify whether the FEL code overwrites these areas again. Dumping the SRAM data is easy:

sunxi-fel hexdump 0x0 0xc000 > a13-sram-dump.txt

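Once there are two or more dumps, they can be compared with a visual diff tool such as Meld. The following Ruby script takes two files produced by "sunxi-fel hexdump" and creates HTML diff output, which can be pasted into the wiki:

 #!/usr/bin/env ruby
 require 'cgi'
 # Markup wrapped around differing characters. The original tags and the
 # original output statements are not preserved on this page; a bold tag
 # and a plain table are assumed here.
 HL_OPEN  = "<b>"
 HL_CLOSE = "</b>"
 # Read "sunxi-fel hexdump" output into { address => hex bytes + ASCII column }
 def read_file_to_hash(filename)
   tmp = {}
   File.open(filename).each_line do |l|
     next unless l =~ /(\h+)\: ((\h\h\s){16}) (.*)/
     tmp[$1] = $2 + $4.bytes.map {|x| x <= 0x20 ? ".".ord : x }.pack('c*')
   end
   return tmp
 end
 abort "usage: #{$0} dump1.txt dump2.txt" unless ARGV.size == 2
 f1 = read_file_to_hash(ARGV[0])
 f2 = read_file_to_hash(ARGV[1])
 # Build highlighted HTML for every address present in both dumps
 tmp = {}
 f2.each do |addr, data2|
   next unless f1.has_key?(addr)
   data1 = f1[addr]
   next unless data1.size == data2.size
   html1 = ""
   html2 = ""
   highlight = false
   0.upto(data1.size - 1) do |idx|
     # Open the highlight at the first differing character of a run
     if data1[idx] != data2[idx] && !highlight
       html1 += HL_OPEN
       html2 += HL_OPEN
       highlight = true
     end
     # Close it again at the first matching character
     if data1[idx] == data2[idx] && highlight
       html1 += HL_CLOSE
       html2 += HL_CLOSE
       highlight = false
     end
     html1 += CGI.escape_html(data1[idx])
     html2 += CGI.escape_html(data2[idx])
   end
   if highlight
     html1 += HL_CLOSE
     html2 += HL_CLOSE
   end
   tmp[addr] = [addr, html1, html2]
 end
 # Print both dumps side by side, one row per 16-byte line (assumed layout)
 puts "<table>"
 tmp.values.sort.each do |addr, html1, html2|
   puts "<tr><td><tt>#{addr}: #{html1}</tt></td><td><tt>#{addr}: #{html2}</tt></td></tr>"
 end
 puts "</table>"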

= Comparing different SRAM dumps =

== Difference between two "sunxi-fel hexdump 0x0 0xc000" outputs after power on ==
Basically we are doing the following:
 * Power off the device
 * Power it on
 * Immediately do "sunxi-fel hexdump 0x0 0xc000 > a13-sram-dump1.txt" after it enters FEL mode
 * Power off the device
 * Power it on
 * Immediately do "sunxi-fel hexdump 0x0 0xc000 > a13-sram-dump2.txt" after it enters FEL mode
 * Compare "a13-sram-dump1.txt" and "a13-sram-dump2.txt"
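The comparison in the last step can also be reduced to a short list of address ranges. The following Ruby script is an added example, not part of the original page or of sunxi-tools; the function names and the sample rows are constructed for illustration:

```ruby
#!/usr/bin/env ruby
# Added example: collapse the per-line differences between two
# "sunxi-fel hexdump" outputs into contiguous address ranges.
# parse_hexdump, diff_ranges and sample_dump are hypothetical names.

# Parse hexdump text into { address => [16 byte values] }.
def parse_hexdump(text)
  rows = {}
  text.each_line do |l|
    next unless l =~ /^(\h+):\s+((?:\h\h\s+){16})/
    rows[$1.hex] = $2.split.map(&:hex)
  end
  rows
end

# Return [first_addr, last_addr, :same or :diff] for every run of adjacent
# 16-byte rows with the same status. Rows missing from either dump are skipped.
def diff_ranges(dump1, dump2)
  ranges = []
  (dump1.keys & dump2.keys).sort.each do |addr|
    status = dump1[addr] == dump2[addr] ? :same : :diff
    last = ranges.last
    if last && last[2] == status && last[1] + 1 == addr
      last[1] = addr + 15          # extend the current run
    else
      ranges << [addr, addr + 15, status]
    end
  end
  ranges
end

# Constructed sample rows (not real A13 data): each row is one byte repeated.
def sample_dump(rows)
  rows.map { |addr, byte|
    format("%08x: %s  %s", addr, (["%02x" % byte] * 16).join(" "), "." * 16)
  }.join("\n")
end
SAMPLE_A = sample_dump([[0x00, 0xaa], [0x10, 0x11], [0x20, 0xaa], [0x30, 0x55]])
SAMPLE_B = sample_dump([[0x00, 0xaa], [0x10, 0x22], [0x20, 0xaa], [0x30, 0x55]])

if __FILE__ == $0
  # With two file arguments compare real dumps, otherwise the samples above.
  a, b = ARGV.size == 2 ? ARGV.map { |f| File.read(f) } : [SAMPLE_A, SAMPLE_B]
  diff_ranges(parse_hexdump(a), parse_hexdump(b)).each do |first, last, status|
    puts format("%08x-%08x %s", first, last, status)
  end
end
```

Run it with the two dump files as arguments to get one line per range, marked "same" or "diff".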

The results are below:

== Some repeating pattern ==
Look here:

And here:

And here again:

== Another repeating pattern ==
Look here:

And here:

And here again:

And here again:

== The IRQ stack ==
We had "68 38 0a b6 a3 12 dd e9 bd aa d5 9b 3b 0f 77 60 h8" as a part of the repeating pattern at the address 00001af0. The first deviations from this pattern are highlighted orange below (this shows how much of the stack has been actually used by the IRQ handler so far):