kongo wrote:Memory dumping at 0x40200000 - 0x40a00000 returns only zeros.
That gives us two options:
1) The dumped 64KiB is a RAM which acts as a patchable jump table. The IROM region is either protected from readout, or resides at another base address; however, this will be easy to find as soon as the dump is disassembled. (But why would the bootloader string literals be copied to RAM?)
2) The dumped 64KiB is *the* ROM, despite the name in the configuration, and the IROM area is just an unused black hole.
I am inclined to believe in the second option. The CPU might be configured in one way, but it is then up to the ASIC designer to actually connect the RAM and ROM blocks (usually third party IP blocks, designed for that specific technology node), and that might leave room for some adjustments.
A simple test would be to write and read back at 0x40000000: if you can't, there is a good chance that it is ROM.
kongo wrote:Edit: It seems that most of the complex code is stored in Flash/RAM anyway (liblwip.a, libnet80211.a, libphy.a, libssl.a, etc)
From what I understand, the ESP8266 SoC contains an Xtensa lx106 micro 32-bit CPU core without cache.
It also contains a ROM that seems to be accessible at 0x40000000, or at least that is what is described in the ROM ld include script, where addresses are all < 0x40010000, so we may suppose that this ROM block is 64KB.
From this ld include file, the ROM contains the exception vectors, an xtos minimal "operating system" (I am not familiar with this), which looks like it is using some lower-level xthal API for basic bcopy, memcpy, intred, intclear, etc. It also contains basic libc functions like strcmp, strcpy, strlen, rand, and some basic math operations on signed/unsigned integers like add/sub/div/mul.
It looks like the ROM also contains the low-level WiFi functions: all rom_* symbols. I don't know what the sip_* and slc_* are, but this might well be related to some other embedded hardware IP from Espressif too.
Then you have what looks like a basic level framework for interfacing with the hardware: uart_*, Uart*, SPI*, mem_*, hmac_*, gpio_*, aes_*, up to the final ets_* functions.
Given the strings found in the dump and the fact that the ld ROM include script contains SPI Flash functions, it is reasonable to think that the ROM contains a bootloader able to write to the SPI Flash chip, probably getting the data from UART using the XTCOM_UTILITY with a simple packet protocol.
Then, my guess is the SPI flash contains parameters like MAC and IP address, connection information, and the code that you generate using the supplied toolchain, including the static libraries in /lib providing an IP 802.11 stack with encryption and JSON data binding functions.
Another guess is that the "v6" suffix for the linker scripts is related to the ROM version.
Please correct me if I am wrong!
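The reasoning above infers the ROM size from the addresses in the ld include script. The following is an added example (not code from the poster or from Espressif) that checks that inference mechanically: it parses GNU ld `PROVIDE ( symbol = 0x... );` assignments, reports the address range, flags anything outside an assumed 64KiB window at 0x40000000, and buckets symbols by the name families the post mentions (rom_*, ets_*, SPI*, xthal_*, etc.). The sample script text is constructed for illustration; its symbol addresses are placeholders, not the real ESP8266 ROM addresses, and the `iram_stub_example` symbol is included only to show the out-of-range check firing.

```python
import re
from collections import defaultdict

# GNU ld symbol assignment as used in ROM address include scripts, e.g.
#   PROVIDE ( strlen = 0x40000a10 );
PROVIDE_RE = re.compile(r"PROVIDE\s*\(\s*(\w+)\s*=\s*(0x[0-9A-Fa-f]+)\s*\)\s*;")

# Assumed ROM window: base from the post, size = the 64KiB it infers.
ROM_BASE = 0x40000000
ROM_SIZE = 64 * 1024

# Symbol name families listed in the post; anything else is treated as libc-style.
FAMILIES = ("rom_", "sip_", "slc_", "uart_", "Uart", "SPI", "mem_",
            "hmac_", "gpio_", "aes_", "ets_", "xthal_", "_xtos_")

# Constructed sample in the style of such a script. Addresses are placeholders,
# NOT the real ESP8266 ROM map; iram_stub_example is deliberately outside the window.
SAMPLE_LD = """\
/* constructed sample, not the real eagle ROM address script */
PROVIDE ( strlen = 0x40000a10 );
PROVIDE ( strcmp = 0x40000a40 );
PROVIDE ( _xtos_set_exception_handler = 0x40000e00 );
PROVIDE ( xthal_memcpy = 0x40000f20 );
PROVIDE ( ets_printf = 0x40002b40 );
PROVIDE ( Cache_Read_Enable = 0x40004670 );
PROVIDE ( SPIRead = 0x40004b00 );
PROVIDE ( SPIWrite = 0x40004b60 );
PROVIDE ( rom_i2c_readReg = 0x40007a00 );
PROVIDE ( iram_stub_example = 0x40100000 );
"""


def parse_provides(text):
    """Return {symbol: address} for every PROVIDE(...) assignment in an ld script."""
    return {m.group(1): int(m.group(2), 16) for m in PROVIDE_RE.finditer(text)}


def address_range(symbols):
    """(lowest, highest) address among the symbols, or None if there are none."""
    if not symbols:
        return None
    return (min(symbols.values()), max(symbols.values()))


def outside_rom(symbols, base=ROM_BASE, size=ROM_SIZE):
    """Symbols whose address does not fall in [base, base + size)."""
    return {s: a for s, a in symbols.items() if not (base <= a < base + size)}


def family(name):
    """Name family from FAMILIES, or a catch-all for libc-style names."""
    for prefix in FAMILIES:
        if name.startswith(prefix):
            return prefix
    return "(libc/other)"


def group_by_family(symbols):
    """Bucket symbol names by family, each bucket sorted by name."""
    groups = defaultdict(list)
    for name in sorted(symbols):
        groups[family(name)].append(name)
    return dict(groups)


if __name__ == "__main__":
    syms = parse_provides(SAMPLE_LD)
    lo, hi = address_range(syms)
    print(f"{len(syms)} symbols, range 0x{lo:08x}..0x{hi:08x}")
    for name, addr in outside_rom(syms).items():
        print(f"outside assumed ROM window: {name} @ 0x{addr:08x}")
    for fam, names in group_by_family(syms).items():
        print(f"{fam:14s} {', '.join(names)}")
```

Run it against the real eagle ROM address include script instead of `SAMPLE_LD` (read the file and pass its text to `parse_provides`) to see whether every symbol really lies below 0x40010000; if `outside_rom` returns anything, either the window assumption or the "64KB ROM" inference needs revisiting.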