Boot0
From WiiBrew
boot0 is the first-stage bootloader in the Starlet ARM core on board the Hollywood; it's contained in 4K of Mask ROM (only 1.5K of which is actually used).
It contains code to read the first 48 pages of the attached NAND flash, decrypt them with a fixed AES key, hash them with SHA-1 engine, and compare the hash with a value read from OTP memory. If the hashes do not match. The system will refuse to boot. If the hash in OTP is all zeroes. Then the system will always boot -- this is true of development consoles and probably also during the manufacturing process. For more discussion on this subject, see bushing's HackMii post.
The division between boot0/boot1 allows the RSA signature verification to be done using trusted code loaded from flash. It would not have fit into the 4K of space available. It is coded in a mixture of C and assembly.
; reset vectors
FFFF0000 LDR PC, =_start
FFFF0004 LDR PC, =__arm_undefined_handler
FFFF0008 LDR PC, =__arm_syscall_handler
FFFF000C LDR PC, =__arm_prefetch_abort_handler
FFFF0010 LDR PC, =__arm_data_abort_handler
FFFF0014 LDR PC, =__arm_reserved_handler
FFFF0018 LDR PC, =__arm_irq_handler
FFFF001C LDR PC, =__arm_fiq_handler
FFFF001C ; ---------------------------------------------------------------------------
FFFF0020 off_FFFF0020 DCD _start ; DATA XREF: FFFF0000
FFFF0024 off_FFFF0024 DCD __arm_undefined ; DATA XREF: FFFF0004
FFFF0028 off_FFFF0028 DCD __arm_syscall ; DATA XREF: FFFF0008
FFFF002C off_FFFF002C DCD __arm_prefetch_abort ; DATA XREF: FFFF000C
FFFF0030 off_FFFF0030 DCD __arm_data_abort ; DATA XREF: FFFF0010
FFFF0034 off_FFFF0034 DCD __arm_reserved ; DATA XREF: FFFF0014
FFFF0038 off_FFFF0038 DCD __arm_irq ; DATA XREF: FFFF0018
FFFF003C off_FFFF003C DCD __arm_fiq ; DATA XREF: FFFF001C
FFFF0040 ; =============== S U B R O U T I N E =======================================
FFFF0040 _start ; CODE XREF: FFFF0000 FFFF001C
FFFF0040 ; DATA XREF: off_FFFF0020
FFFF0040 MOV R1, #0
FFFF0044 MOV R4, #0
FFFF0048 MOV R11, #0
FFFF004C MOV R11, #0
FFFF0050 MOV LR, #0
FFFF0054 LDR SP, =0xD417C00 ; set stack pointer to top of SRAM
FFFF0058 BL _main
FFFF005C BL panic ; should never be reached
FFFF005C ; End of function _start
; All of the other vector handlers just hang
FFFF0060 __arm_undefined_handler
FFFF0060 B __arm_undefined_handler
FFFF0064 __arm_syscall_handler
FFFF0064 B __arm_syscall_handler
FFFF0068 __arm_prefetch_abort_handler
FFFF0068 B __arm_prefetch_abort_handler
FFFF006C __arm_data_abort_handler
FFFF006C B __arm_data_abort_handler
FFFF0070 __arm_reserved_handler
FFFF0070 B __arm_reserved_handler
FFFF0074 __arm_irq_handler
FFFF0074 B __arm_irq_handler
FFFF0078 __arm_fiq_handler
FFFF0078 B __arm_fiq_handler
FFFF007C _main ; CODE XREF: _start+18
FFFF007C B main
FFFF0080 boot0_stack DCD 0xD417C00 ; DATA XREF: _start+14
FFFF0084 ; =============== S U B R O U T I N E =======================================
FFFF0084 debug_port_output ; CODE XREF: panic+14 panic+28 main+170 ...
FFFF0084 MOV R3, #0xD800000
FFFF0088 LDR R2, [R3,#0xE0]
FFFF008C MOV R0, R0,LSL#16
FFFF0090 BIC R2, R2, #0xFF0000
FFFF0094 AND R0, R0, #0xFF0000
FFFF0098 ORR R2, R2, R0
FFFF009C STR R2, [R3,#0xE0] ; output 8 bits to the 8 GPIOs at 0xD8000E0
FFFF00A0 BX LR
FFFF00A0 ; End of function debug_port_output
FFFF00A4 ; =============== S U B R O U T I N E =======================================
FFFF00A4 ; int __stdcall panic(unsigned __int8 error)
FFFF00A4 panic ; CODE XREF: _start+1C main+3B8 main+3D4
FFFF00A4 MOV R12, SP
FFFF00A8 STMFD SP!, {R4,R11,R12,LR,PC}
FFFF00AC SUB R11, R12, #4
FFFF00B0 MOV R4, R0
FFFF00B4 loc_FFFF00B4 ; CODE XREF: panic+38
FFFF00B4 MOV R0, R4 ; alternate between 0 and the error code
FFFF00B8 BL debug_port_output
FFFF00BC MOVL R0, 1000000
FFFF00C4 BL delay
FFFF00C8 MOV R0, #0
FFFF00CC BL debug_port_output
FFFF00D0 MOVL R0, 1000000
FFFF00D8 BL delay
FFFF00DC B loc_FFFF00B4 ; infinite loop
FFFF00DC ; End of function panic
FFFF00E0 ; =============== S U B R O U T I N E =======================================
FFFF00E0 init_gpio_direction ; CODE XREF: main+104
FFFF00E0 MOV R3, #0xD800000 ; configure GPIO direction registers
FFFF00E4 LDR R2, [R3,#0xDC]
FFFF00E8 AND R2, R2, #0xFF000000
FFFF00EC ORR R2, R2, #0xFF0000
FFFF00F0 STR R2, [R3,#0xDC] ; D8000DC = (D8000DC & 0xff000000) | 0x00ff0000
FFFF00F4 LDR R2, [R3,#0xE4]
FFFF00F8 AND R2, R2, #0xFF000000
FFFF00FC ORR R2, R2, #0xFF0000
FFFF0100 STR R2, [R3,#0xE4] ; D8000E4 = (D8000E4 & 0xff000000) | 0x00ff0000
FFFF0104 BX LR
FFFF0104 ; End of function init_gpio_direction
FFFF0108 ; =============== S U B R O U T I N E =======================================
FFFF0108 main ; CODE XREF: _main
FFFF0108 MOV R12, SP
FFFF010C STMFD SP!, {R4-R12,LR,PC}
FFFF0110 MOV R3, #0xD000000
FFFF0114 SUB R11, R12, #4
FFFF0118 ADD R3, R3, #0x20000 ; R3 = 0D020000 = AES command reg
FFFF011C MOV R9, #0
FFFF0120 MOV R1, #7
FFFF0124 MOV R2, #0xD800000
FFFF0128 SUB SP, SP, #0x2C
FFFF012C STR R1, [R2,#0x60] ; 0D800060 = 7
FFFF0130 SUB R2, R11, #0x54
FFFF0134 STR R9, [R3] ; write 0 to AES command reg
FFFF0138 LDR R1, =boot1_key
FFFF013C STR R9, [R2]
FFFF0140 MOV R0, R3
FFFF0144 MOV LR, #0xD400000
FFFF0148 MOV R2, #3
FFFF014C set_AES_key ; CODE XREF: main+50
FFFF014C LDR R3, [R1],#4 ; use hardcoded boot1 key
FFFF0150 SUBS R2, R2, #1
FFFF0154 STR R3, [R0,#0xC]
FFFF0158 BPL set_AES_key
FFFF015C MOV R12, #0xD000000
FFFF0160 LDR R1, =boot1_iv ; boot1_iv is all zeroes
FFFF0164 ADD R12, R12, #0x20000
FFFF0168 MOV R2, #3
FFFF016C set_AES_iv ; CODE XREF: main+70
FFFF016C LDR R3, [R1],#4
FFFF0170 SUBS R2, R2, #1
FFFF0174 STR R3, [R12,#0x10]
FFFF0178 BPL set_AES_iv
FFFF017C LDR R3, =0x67452301 ; set initial SHA context
FFFF0180 MOVL R1, 0xD030000
FFFF0188 MOV R0, #0
FFFF018C LDR R2, =0xEFCDAB89
FFFF0190 STR LR, [R12,#4]
FFFF0194 STR LR, [R12,#8]
FFFF0198 STR R0, [R1]
FFFF019C STR R3, [R1,#8]
FFFF01A0 LDR R3, =0x98BADCFE
FFFF01A4 STR R2, [R1,#0xC]
FFFF01A8 LDR R2, =0x10325476
FFFF01AC STR R3, [R1,#0x10]
FFFF01B0 LDR R3, =0xC3D2E1F0
FFFF01B4 STR R2, [R1,#0x14]
FFFF01B8 MOV R2, #0xD400000
FFFF01BC STR R3, [R1,#0x18]
FFFF01C0 STR R2, [R1,#4]
FFFF01C4 MOVL R3, 0xD010000
FFFF01CC LDR R2, [R3,#4]
FFFF01D0 MOVL R1, 0x80FF0000
FFFF01D8 ORR R2, R2, #0x8000000
FFFF01DC ADD R1, R1, #0x8000
FFFF01E0 STR R2, [R3,#4]
FFFF01E4 MOV R4, #0xD800000
FFFF01E8 STR R0, [R3,#0x10]
FFFF01EC STR R0, [R3,#0x14]
FFFF01F0 STR R0, [R3,#8]
FFFF01F4 STR R0, [R3,#0xC]
FFFF01F8 STR R1, [R3]
FFFF01FC MOV R3, #0x80000000
FFFF0200 MOV R6, R0
FFFF0204 STR R3, [R4,#0x1EC] ; 0D8001EC = 0x80000000
FFFF0208 SUB R5, R11, #0x3C
FFFF020C BL init_gpio_direction
FFFF0210 MOV R1, R6 ; c
FFFF0214 MOV R0, R5 ; dest
FFFF0218 MOV R2, #20 ; len
FFFF021C BL memset ; zero out hash buffer
FFFF0220 MOV R1, #16 ; read 20 bytes of OTP data into *R5
FFFF0224 get_otp_hash ; CODE XREF: main+138
FFFF0224 AND R3, R6, #0x1F
FFFF0228 ORR R3, R3, #0x80000000
FFFF022C STR R3, [R4,#0x1EC] ; *starlet_otp_addr = (R6 & 0x1f) | 0x80000000;
FFFF0230 LDR R2, [R4,#0x1F0] ; R2 = *starlet_otp_data
FFFF0234 SUBS R1, R1, #4
FFFF0238 STR R2, [R5],#4
FFFF023C ADD R6, R6, #1 ; R6++
FFFF0240 BPL get_otp_hash
FFFF0244 MOV R1, #0
FFFF0248 SUB R2, R11, #0x28
FFFF024C is_otp_hash_empty? ; CODE XREF: main+15C
FFFF024C LDR R3, [R2,#-0x14] ; if OTP hash is all zeroes, then we're still
FFFF0250 CMP R3, #0 ; in the factory with a blank OTP, so
FFFF0254 ADD R1, R1, #1 ; don't verify the hash against boot1
FFFF0258 ADD R2, R2, #4
FFFF025C BNE otp_hash_not_empty
FFFF0260 CMP R1, #4
FFFF0264 BLS is_otp_hash_empty?
FFFF0268 loc_FFFF0268 ; CODE XREF: main+3CC
FFFF0268 MOVL R8, 0xD010000
FFFF0270 MOV R4, #0 ; R4 = flash page number
FFFF0274 boot1_read_loop ; CODE XREF: main+2F0
FFFF0274 MOV R0, R4 ; as we read in the flash pages, output
FFFF0278 BL debug_port_output ; each page number to the debug port
FFFF027C ORR R0, R4, #0x80 ; hi bit is a strobe bit
FFFF0280 BL debug_port_output
FFFF0284 loc_FFFF0284 ; CODE XREF: main+184
FFFF0284 LDR R3, [R8] ; R3 = *0D100000 = NAND status
FFFF0288 CMP R3, #0
FFFF028C BLT loc_FFFF0284 ; wait for command to complete
FFFF0290 CMP R4, #47 ; pageno > 47?
FFFF0294 BCS done_reading_flash
FFFF0298 MOV R3, #0x9F000000
FFFF029C STR R4, [R8,#0xC]
FFFF02A0 STR R3, [R8]
FFFF02A4 MOVL R0, 0xD010000 ; D010000 = NAND Flash HW
FFFF02AC read_flash_page ; CODE XREF: main+1AC
FFFF02AC LDR R3, [R0] ; wait for non-busy status from NAND flash
FFFF02B0 CMP R3, #0
FFFF02B4 BLT read_flash_page
FFFF02B8 AND R3, R4, #1
FFFF02BC MOV R3, R3,LSL#7
FFFF02C0 MOV R1, #0x80000000
FFFF02C4 ADD R3, R3, #0xD400000
FFFF02C8 ADD R1, R1, #0x308000 ; 0x30 = READ PAGE
FFFF02CC MOV R2, R4,LSL#11
FFFF02D0 ADD R2, R2, #0xD400000
FFFF02D4 ADD R3, R3, #0x17800 ; read into 0xD417800
FFFF02D8 ADD R1, R1, #0x3840
FFFF02DC STR R2, [R0,#0x10]
FFFF02E0 STR R3, [R0,#0x14]
FFFF02E4 STR R1, [R0] ; send flash command
FFFF02E8 done_reading_flash ; CODE XREF: main+18C
FFFF02E8 MOVL R2, 0xD020000 ; D020000 = AES hw
FFFF02F0 loc_FFFF02F0 ; CODE XREF: main+1F0
FFFF02F0 LDR R3, [R2]
FFFF02F4 CMP R3, #0 ; wait for non-busy status from AES
FFFF02F8 BLT loc_FFFF02F0
FFFF02FC CMP R4, #0
FFFF0300 BEQ loc_FFFF03D0
FFFF0304 CMP R4, #47
FFFF0308 BHI loc_FFFF03D0
FFFF030C SUB R2, R4, #1
FFFF0310 AND R3, R2, #1
FFFF0314 MOV R3, R3,LSL#7
FFFF0318 ADD R6, R3, #0xD400000
FFFF031C MOV R2, R2,LSL#11
FFFF0320 MOV R10, #0xFF0
FFFF0324 ADD R6, R6, #0x17800
FFFF0328 ADD R10, R10, #0xF
FFFF032C ADD R5, R2, #0xD400000
FFFF0330 MOV R7, #0
FFFF0334 calc_ecc ; CODE XREF: main+2A4
FFFF0334 MOV R2, R7,LSL#2 ; this code takes the hardware-generated ECC syndrome
FFFF0338 ADD R3, R6, #0x30 ; from the NAND flash interface, and uses it to try to
FFFF033C LDR R12, [R3,R2] ; correct single-bit errors in boot1.
FFFF0340 ADD R0, R6, R2 ; If we hit more than one error per 512 bytes, we're screwed.
FFFF0344 AND R1, R12, #0xFF0000
FFFF0348 LDR R2, [R0,#0x40]
FFFF034C MOV R1, R1,LSR#8
FFFF0350 AND R3, R12, #0xFF00
FFFF0354 ORR R1, R1, R12,LSR#24
FFFF0358 ORR R1, R1, R3,LSL#8
FFFF035C AND R3, R2, #0xFF0000
FFFF0360 MOV R3, R3,LSR#8
FFFF0364 ORR R3, R3, R2,LSR#24
FFFF0368 AND R0, R2, #0xFF00
FFFF036C ORR R3, R3, R0,LSL#8
FFFF0370 CMP R12, R2
FFFF0374 ORR R12, R1, R12,LSL#24
FFFF0378 ORR R2, R3, R2,LSL#24
FFFF037C EOR R12, R12, R2
FFFF0380 SUB R1, R12, #1
FFFF0384 BEQ loc_FFFF03A0
FFFF0388 MOV R3, R12,LSL#20
FFFF038C MOV R3, R3,LSR#20
FFFF0390 MOV R2, R12,LSR#16
FFFF0394 TST R1, R12
FFFF0398 EOR R3, R2, R3
FFFF039C BNE uncorrectable_ecc_error
FFFF03A0 loc_FFFF03A0 ; CODE XREF: main+27C main+3B4 main+3BC
FFFF03A0 ADD R7, R7, #1
FFFF03A4 CMP R7, #4
FFFF03A8 ADD R5, R5, #0x200
FFFF03AC BCC calc_ecc
FFFF03B0 MOV R1, #0x98000000
FFFF03B4 ADD R2, R1, #0x1040
FFFF03B8 MOV R3, #0xD000000
FFFF03BC CMP R4, #1
FFFF03C0 ADD R2, R2, #0x3F
FFFF03C4 ADD R3, R3, #0x20000
FFFF03C8 ADDEQ R2, R1, #0x7F
FFFF03CC STR R2, [R3]
FFFF03D0 loc_FFFF03D0 ; CODE XREF: main+1F8 main+200
FFFF03D0 MOVL R2, 0xD030000 ; D030000 = SHA1 HW
FFFF03D8 loc_FFFF03D8 ; CODE XREF: main+2D8
FFFF03D8 LDR R3, [R2]
FFFF03DC CMP R3, #0 ; wait for SHA1 non-busy status
FFFF03E0 BLT loc_FFFF03D8
FFFF03E4 CMP R4, #1
FFFF03E8 MOVHI R3, #0x8000001F
FFFF03EC ADD R4, R4, #1
FFFF03F0 STRHI R3, [R2] ; update SHA1 context
FFFF03F4 CMP R4, #48
FFFF03F8 BLS boot1_read_loop
FFFF03FC MOVL R2, 0xD030000
FFFF0404 done_reading_boot1 ; CODE XREF: main+304
FFFF0404 LDR R3, [R2]
FFFF0408 CMP R3, #0 ; wait for SHA1 non-busy status
FFFF040C BLT done_reading_boot1
FFFF0410 SUB R3, R11, #0x54 ; Was OTP hash zero?
FFFF0414 LDR R3, [R3]
FFFF0418 CMP R3, #0
FFFF041C BEQ jump_boot1
FFFF0420 MOVL R0, 0xD030000
FFFF0428 ADD R0, R0, #8
FFFF042C MOV R1, #0
FFFF0430 SUB R2, R11, #0x28
FFFF0434 loc_FFFF0434 ; CODE XREF: main+340
FFFF0434 LDR R3, [R0,R1,LSL#2]
FFFF0438 ADD R1, R1, #1
FFFF043C CMP R1, #4
FFFF0440 STR R3, [R2,#-0x28]
FFFF0444 ADD R2, R2, #4
FFFF0448 BLS loc_FFFF0434
FFFF044C SUB R0, R11, #0x28
FFFF0450 MOV R1, #4
FFFF0454 compare_hashes ; CODE XREF: main+364
FFFF0454 LDR R2, [R0,#-0x14]
FFFF0458 LDR R3, [R0,#-0x28]
FFFF045C CMP R2, R3
FFFF0460 MOVNE R9, #1
FFFF0464 SUBS R1, R1, #1
FFFF0468 ADD R0, R0, #4
FFFF046C BPL compare_hashes
FFFF0470 CMP R9, #0
FFFF0474 BNE hash_fail
FFFF0478 jump_boot1 ; CODE XREF: main+314 main+3D8
FFFF0478 MOV R0, #0xA
FFFF047C BL debug_port_output ; output 0x0A
FFFF0480 MOV R0, #0x88
FFFF0484 BL debug_port_output ; output 0x88
FFFF0488 LDR PC, =0xFFF00000 ; jump to BOOT1 (this is aliased to 0x0D400000)
FFFF048C ; ---------------------------------------------------------------------------
FFFF048C SUB SP, R11, #0x28 ; return code generated by compiler
FFFF0490 LDMFD SP, {R4-R11,SP,PC}; (unreachable)
FFFF0494 ; ---------------------------------------------------------------------------
FFFF0494 uncorrectable_ecc_error ; CODE XREF: main+294
FFFF0494 BIC R1, R2, #7
FFFF0498 MOV R1, R1,LSL#20
FFFF049C CMP R3, R10
FFFF04A0 MOV R1, R1,LSR#20
FFFF04A4 AND R12, R2, #7
FFFF04A8 LDREQB R2, [R5,R1,ASR#3]
FFFF04AC MOVEQ R3, #1
FFFF04B0 EOREQ R2, R2, R3,LSL R12
FFFF04B4 MOV R0, #0xF1 ; error F1
FFFF04B8 STREQB R2, [R5,R1,ASR#3]
FFFF04BC BEQ loc_FFFF03A0
FFFF04C0 BL panic ; panic code F1 = ECC failure
FFFF04C4 B loc_FFFF03A0
FFFF04C8 ; ---------------------------------------------------------------------------
FFFF04C8 otp_hash_not_empty ; CODE XREF: main+154
FFFF04C8 MOV R2, #1
FFFF04CC SUB R3, R11, #0x54
FFFF04D0 STR R2, [R3] ; set a flag indicating that the otp hash is valid
FFFF04D4 B loc_FFFF0268
FFFF04D8 ; ---------------------------------------------------------------------------
FFFF04D8 hash_fail ; CODE XREF: main+36C
FFFF04D8 MOV R0, #0xF2 ; error F2 = OTP mismatch
FFFF04DC BL panic
FFFF04E0 B jump_boot1
FFFF04E0 ; ---------------------------------------------------------------------------
FFFF04E4 off_FFFF04E4 DCD boot1_key ; DATA XREF: main+30
FFFF04E8 off_FFFF04E8 DCD boot1_iv ; DATA XREF: main+58
FFFF04EC kSHA1_0 DCD 0x67452301 ; DATA XREF: main+74
FFFF04F0 kSHA1_1 DCD 0xEFCDAB89 ; DATA XREF: main+84
FFFF04F4 kSHA1_2 DCD 0x98BADCFE ; DATA XREF: main+98
FFFF04F8 kSHA1_3 DCD 0x10325476 ; DATA XREF: main+A0
FFFF04FC kSHA1_4 DCD 0xC3D2E1F0 ; DATA XREF: main+A8
FFFF0500 boot1_entrypt DCD 0xFFF00000 ; DATA XREF: main+380
FFFF0504 DCB 0
FFFF0505 a_GCCGNU3_4_3 DCB "GCC: (GNU) 3.4.3",0 ; garbage inserted by compiler lol?
FFFF0516 DCB 0, 0
FFFF0518 ; =============== S U B R O U T I N E =======================================
FFFF0518 unused1
FFFF0518 BIC R0, R0, #0x35000000
FFFF051C BIC R0, R0, #0x10000
FFFF0520 MOVL R3, 0xFFFFFFC
FFFF0524 SUB R3, R3, #0x2BC0000
FFFF0528 ORR R0, R0, #0xCA000000
FFFF052C SUB R3, R3, #0x28000
FFFF0530 ORR R0, R0, #0xFE0000
FFFF0534 STR R0, [R3]
FFFF0538 MOV R0, #0
FFFF053C B unused11
FFFF053C ; End of function unused1
FFFF0540 ; =============== S U B R O U T I N E =======================================
FFFF0540 unused2
FFFF0540 BIC R0, R0, #0x45000000
FFFF0544 BIC R0, R0, #0x2F0000
FFFF0548 MOVL R3, 0xFFFFFFC
FFFF054C SUB R3, R3, #0x2BC0000
FFFF0550 ORR R0, R0, #0xBA000000
FFFF0554 SUB R3, R3, #0x28000
FFFF0558 ORR R0, R0, #0xD00000
FFFF055C STR R0, [R3]
FFFF0560 MOV R0, #1
FFFF0564 B unused12
FFFF0564 ; End of function unused2
FFFF0568 ; =============== S U B R O U T I N E =======================================
FFFF0568 unused3
FFFF0568 STR R1, [R0]
FFFF056C BX LR
FFFF056C ; End of function unused3
FFFF0570 ; =============== S U B R O U T I N E =======================================
FFFF0570 unused4
FFFF0570 LDR R0, [R0]
FFFF0574 BX LR
FFFF0574 ; End of function unused4
FFFF0578 ; =============== S U B R O U T I N E =======================================
FFFF0578 unused5
FFFF0578 STRH R1, [R0]
FFFF057C BX LR
FFFF057C ; End of function unused5
FFFF0580 ; =============== S U B R O U T I N E =======================================
FFFF0580 unused6
FFFF0580 LDRH R0, [R0]
FFFF0584 BX LR
FFFF0584 ; End of function unused6
FFFF0588 ; =============== S U B R O U T I N E =======================================
FFFF0588 delay ; CODE XREF: panic+20 panic+34
FFFF0588 CMP R0, #0
FFFF058C BXEQ LR
FFFF0590 loc_FFFF0590 ; CODE XREF: delay+C
FFFF0590 SUBS R0, R0, #1
FFFF0594 BNE loc_FFFF0590
FFFF0598 BX LR
FFFF0598 ; End of function delay
FFFF059C ; =============== S U B R O U T I N E =======================================
FFFF059C unused7
FFFF059C STMFD SP!, {R0-R3}
FFFF05A0 ADD SP, SP, #0x10
FFFF05A4 RET
FFFF05A4 ; End of function unused7
FFFF05A8 ; =============== S U B R O U T I N E =======================================
FFFF05A8 unused8
FFFF05A8 STMFD SP!, {R0-R3}
FFFF05AC ADD SP, SP, #0x10
FFFF05B0 RET
FFFF05B0 ; End of function unused8
FFFF05B4 ; =============== S U B R O U T I N E =======================================
FFFF05B4 unused9
FFFF05B4 STMFD SP!, {R0-R3}
FFFF05B8 ADD SP, SP, #0x10
FFFF05BC RET
FFFF05BC ; End of function unused9
FFFF05C0 ; =============== S U B R O U T I N E =======================================
FFFF05C0 ; int __stdcall memset(void *dest, int c, int len)
FFFF05C0 memset ; CODE XREF: main+114
FFFF05C0 SUB R2, R2, #1
FFFF05C4 CMN R2, #1
FFFF05C8 MOV R3, R0
FFFF05CC BXEQ LR
FFFF05D0 loc_FFFF05D0 ; CODE XREF: memset+1C
FFFF05D0 SUB R2, R2, #1
FFFF05D4 CMN R2, #1
FFFF05D8 STRB R1, [R3],#1
FFFF05DC BNE loc_FFFF05D0
FFFF05E0 BX LR
FFFF05E0 ; End of function memset
FFFF05E4 ; =============== S U B R O U T I N E =======================================
FFFF05E4 ; Attributes: noreturn
FFFF05E4 unused10 ; CODE XREF: unused11+4, unused12+4
FFFF05E4 MCR p15, 0, R0,c7,c0, 4
FFFF05E8 hang ; CODE XREF: unused10:hang
FFFF05E8 B hang
FFFF05E8 ; End of function unused10
FFFF05EC ; =============== S U B R O U T I N E =======================================
FFFF05EC unused11 ; CODE XREF: unused1+24
FFFF05EC MOV R0, #0
FFFF05F0 BL unused10
FFFF05F0 ; End of function unused11
FFFF05F4 ; =============== S U B R O U T I N E =======================================
FFFF05F4 unused12 ; CODE XREF: unused2+24
FFFF05F4 MOV R0, #1
FFFF05F8 BL unused10
FFFF05F8 ; End of function unused12
FFFF05F8 ; ---------------------------------------------------------------------------
FFFF05FC boot1_key DCD 0x9258A752,0x64960D82,0x676F9044,0x56882A73
FFFF05FC ; DATA XREF: main:off_FFFF04E4
FFFF060C boot1_iv DCD 0, 0, 0, 0 ; DATA XREF: main:off_FFFF04E8
FFFF1FFC DCD 0xABAB0101 ; not sure what this is
FFFF1FFC ; boot0 ends
