DI-604 Flash Reverse Engineering

Flash image with firmaware version 2.10 flash.bin

Encoding : little

Flash memory map:

0x00000000 - 0x00020000 - bootloader (permanent) (used up to 0x139e0)

0x00000000 - 0x00001800 - initialisation code
0x00001800 - 0x00003000 - uncompression code (ARJ), copied to the 0x20300000 prior to execution
0x00003000 - 0x00010000 - ARJ compressed "factory setting" restoration image
0x00010000 - 0x000139e0 - text strings/ configuration data ???
0x000139e0 - 0x00020000 - empty space ??

0x00020000 - 0x00100000 - ARJ compressed firmware image - upgradable via HTTP or TFTP (current version is 2.10)

0x20000000 - SDRAM start
0x20380000 - 0x2039477b -
20383884 - ??
20383964 - ??

Address	Description	Calls	Called by
0x0000	Exceptions vectors.	Reset/IRQ	-
0x0048 - 0x007c	Switch between 0 address from Flash mem to SDRAM.	-	0x2E0
0x0080 - 0x0254	Initialisation: SDRAM memory controller Flash memory contorller GPIO Pass contorol to 0x500	0x500	0x0000
0x0268 - 0x0268	Endless loop	-	0x324
0x026C - 0x028C	read input value of the GPIO[6] (CONFIG RESET TO FACTORY). return 1 if input 0;	-	0x324
0x0290 - 0x02DC	XOR starting from start_addr(r0) for bytes(r1) length Return 0 if ==0xaabbbbaa else return -1	-	0x324
0x02E0 - 0x320	memcpy(src,dst,len)	-	0x324
0x0324 - 0x03D0	check SRC of the main firware (0x2000) check reset buttom load uncompression code to SDRAM if RESET load from 0x03000 if no RESET load from 0x20000 if uncompression return 1 - then switch memory and start from 0	-	0x0874
0x03D4 - 0x042c	UART	-	0x46C
0x0430 - 0x043c	Read UART0 flag register for "receive FIFO full"	-	0x46C
0x0440 - 0x0468	-	-	0x46C
0x046c - 0x04dc	no direct call	-	call itself ??
0x04E0 - 0x04fc	no direct call!!	-	-
0x0500 - 0x0870	Calculates relocated addreses Clean mem region 0x20380000(0x1477B bytes) memcpy(0x11a9,0x1145,0x24) copy to flash???? call 0x0874	indirect 0x0874	0x80
0x0874 - 0x09c0	do nothing; call 0x324; call 0xA08;	0x09c4 0x0e20 0x0db0 0x0324 0x0a08	indirect call 0x0500
0x09C4 - 0x09E0	void f_0x9c4() { f_0xebc(16,-1); return; }	-	0x0874
0x09E4 - 0x0A04	-	-	-
0x0A08 - 0x0AC8	-	-	-
0xacc - 0xae4	-	-	no direct call
0xae8 - 0xd24	memcpy(src,dst,len)	-	indirect call 0x500
0xd28 - 0xdac	memset(addres, char , len) - set memory region with a specific byte	-	indirect call 0x500
0x0db0 -	return 20383884;	-	indirect call 0xEDC
0x0ebc - 0x0ed8	*20383884 = r0; return -1;	-	0x09c4
0x0edc - 0x0f20	if(!f_0x00db0) return 20383964; else return f_0x0db0(); // 20383884	-	0x0f24
0x0f24 - 0x0f44	void f_0x0f24(word val){ { word addr; addr = f_0x0edc(); if(addr!=0) addr = val; return; }	-	0x0ebc
0x0f48 -	-	-	-
0x1134	indirect function call (call addr in IP register	IP defined address	multiple
0x1138	function to do nothing???? OR first parameter to itself and exit. What the big deal??	-	0x0ebc
-	-	-	-
0x29C4 - 0x2F9C	last function	-	-

indirectly called functions 0x4e0
0xacc - 0xae4
0xae8 - 0xd24
0xd28 - 0xdac