ESP8266 Community Forum

- Sat Sep 06, 2014 2:43 am #234

How did you do it?

Looks like RE the XTCOM protocol to read single memory location and Python scripts to perform massive dump

- Sat Sep 06, 2014 2:46 am #235 @kongo: you have been dumping the I-RAM instead of the I-ROM.

From the lx106 configuration file:

Code: Select allMemory Protection/MMU: Region Protection
  System RAM start address / size                               0x60000000 / 64M
  System ROM start address / size                               0x50000000 / 16M
Local Memory     
  Instruction RAM [0] start address / size                      0x40000000 / 1M [busy]
  Instruction RAM [1] start address / size                      0x40100000 / 1M [busy]
  Instruction ROM start address / size                          0x40200000 / 1M [busy]
  Data RAM [0] start address / size                             0x3ffc0000 / 256K [busy]
  Data RAM [1] start address / size                             0x3ff80000 / 256K [busy]
  Data ROM start address / size                                 0x3ff40000 / 256K [busy]
  XLMI start address / size                                     0x3ff00000 / 256K [busy]
Vector configuration     
  Reset Vector start address / size                             0x50000000 / 0x300
  Kernel (Stacked) Exception Vector start address / size        0x40000030 / 0x1c
  User (Program) Exception Vector start address / size          0x40000050 / 0x1c
  Double Exception Vector start address / size                  0x40000070 / 0x10
  Level 2 Interrupt Vector start address / size                 0x40000010 / 0xc
  Level 3 Interrupt Vector (NMI vector) start address / size    0x40000020 / 0xc

I wouldn't count on the sizes being correct (as in: actually implemented in hardware), though.
Edit: further reading of product briefs suggests that these memory sizes are actually possible.

Last edited by Bert on Sat Sep 06, 2014 3:11 am, edited 1 time in total.

- Sat Sep 06, 2014 2:54 am #236

Just FYI, here are the (more or less) meaningful strings in the binary:

Code: Select allets_unpack_flash_code
 ets %s,rst cause:%d, boot mode:(%d,%d)
Jan  8 2013
wdt reset
ets_main.c
unknown reset
user code done
waiting for host
load 0x%08x, len %d, room %d
flash read err, %s
tailtail
chksum 0x%02x
csum 0x%02x
csum err
ho %d tail %d room %d
sp %p
sf_dump[%d] a0: 0x%08x  a1: 0x%08x  a2: 0x%08x  a3: 0x%08x
epc1=0x%08x, epc2=0x%08x, epc3=0x%08x, excvaddr=0x%08x, depc=0x%08x
Fatal exception (%d):
eprintf no bno b0123456789
<null>
ets_timer.c
bootup , addr 0x%08x
no rds
sip bogus rx done
rx done unknown
sip bogus tx
seq %u, %u ds %p
tx unknown
rxiq_get_mis: s_pwr=%lld, %d-%d,
stagstag: CGAIN=%d FGAIN=%d, DC_OS=(%d,%d), DAC=(%d,%d)
pwctrl: rate_i=%d, target_power=%d, detect_power=%d
num_k=%d, power_out=%d,
reg_i=%d, indata=%d
txiq: tone_atten=%d
txiq_gain=%d
txiq_phase=%d
bt:

Seems like the AT-stuff is implemented in flash memory, yay!

No, the AT parser is not there, or we should see the AT command strings, which is not the case.

But the ROM contains at least a bootloader, exception handling routines and RF debug functions.

- Sat Sep 06, 2014 2:56 am #237

@kongo: you have been dumping the I-RAM instead of the I-ROM.

From the lx106 configuration file:

Code: Select allMemory Protection/MMU: Region Protection
  System RAM start address / size                               0x60000000 / 64M
  System ROM start address / size                               0x50000000 / 16M
Local Memory     
  Instruction RAM [0] start address / size                      0x40000000 / 1M [busy]
  Instruction RAM [1] start address / size                      0x40100000 / 1M [busy]
  Instruction ROM start address / size                          0x40200000 / 1M [busy]
  Data RAM [0] start address / size                             0x3ffc0000 / 256K [busy]
  Data RAM [1] start address / size                             0x3ff80000 / 256K [busy]
  Data ROM start address / size                                 0x3ff40000 / 256K [busy]
  XLMI start address / size                                     0x3ff00000 / 256K [busy]
Vector configuration     
  Reset Vector start address / size                             0x50000000 / 0x300
  Kernel (Stacked) Exception Vector start address / size        0x40000030 / 0x1c
  User (Program) Exception Vector start address / size          0x40000050 / 0x1c
  Double Exception Vector start address / size                  0x40000070 / 0x10
  Level 2 Interrupt Vector start address / size                 0x40000010 / 0xc
  Level 3 Interrupt Vector (NMI vector) start address / size    0x40000020 / 0xc

I wouldn't count on the sizes being correct (as in: actually implemented in hardware), though.

Yes, but it looks like I-RAM is a kind of I-ROM mirror or cache, or at least a R/W copy of I-ROM.