More decompiling work
This commit is contained in:
@@ -174,16 +174,36 @@ extern volatile u8 MEM8[0x10000];
|
||||
* evidence: H'BE70
|
||||
* - serial_tx_busy_timer_candidate H'F9C0: reads 2, writes 8
|
||||
* evidence: H'BA26, H'BA2C, H'BAA2, H'BADA, H'BAE1, H'BAE8, H'BE1D, H'BE3E, H'BEEE, H'BEF4
|
||||
* - serial_session_flags_candidate H'FAA2: reads 5, writes 13; bits 3, 7
|
||||
* evidence: H'BA84, H'BA96, H'BB00, H'BC0F, H'BC15, H'BC33, H'BC5C, H'BCD0, H'BCFD, H'BD04, H'BD67, H'BD79, H'BDC2, H'BDD4, H'BDED, H'BDFF, H'BE47, H'BEAF
|
||||
* - serial_pending_mask_candidate H'FAA3: reads 1, writes 9; bits 7
|
||||
* evidence: H'BA9A, H'BB51, H'BC63, H'BD75, H'BDD0, H'BDFB, H'BE43, H'BEA5, H'BEA9, H'BECB
|
||||
* - ... 3 more state-variable candidates
|
||||
* - autonomous_report_period_timer_candidate H'F9C6: reads 1, writes 2
|
||||
* evidence: H'BB46, H'BEB5, H'BEC5
|
||||
* - autonomous_report_resend_countdown_candidate H'F9C8: reads 1, writes 2
|
||||
* evidence: H'BB4C, H'BEBB, H'BEC1
|
||||
* - ... 5 more state-variable candidates
|
||||
* retry/error model candidate:
|
||||
* - checksum path: 0x5A-seeded XOR over RX[0..4] differs from RX[5] -> loc_BE29
|
||||
* - retry path: counter H'FAA6, threshold 2; Candidate retry path clears/consults serial flags, increments FAA6, compares it with 2, and when still below the apparent limit stages a command 0x07 response.
|
||||
* - command 0x07 path: Candidate retransmit/explicit command 0x07 path either copies previous TX frame bytes back to F850-F854 or stages an observed 0x07 response before loc_BA26.
|
||||
* - evidence: H'BBD8, H'BBDC, H'BBE0, H'BBE4, H'BBE8, H'BBEC, H'BBF0, H'BE4D, H'BE56, H'BE5E, H'BE66, H'BE52, H'BE5A, H'BE62, H'BE6A, H'BE29, H'BE2D, H'BE33, H'BE37, H'BE43, H'BE47, H'BE05, H'BE0D, H'BE15, H'BE09, H'BE11, H'BE19, H'BE22
|
||||
* gate/queue state machine candidate:
|
||||
* - main_loop_may_enter_report_builder: FAA2 == 0 && F9C0 == 0 && ((FAA5.bit7 == 0) || (F9C3 == 0)); Main-loop report gate; session must be idle, TX busy timer clear, and RX gate open.
|
||||
* - queue_has_pending_report: F9B5 != F9B0; Queue/pending cursor gate; non-empty state stages through BB43 before loc_BA26.
|
||||
* - periodic_resend_may_fire: (FAA5 & FAA3 & 0x80) != 0 && F9C6 == 0 && F9C8 != 0 after countdown; Resend gate masks pending state with FAA5, checks F9C6/F9C8, then calls BA26 at BED5.
|
||||
* - rx_completion_sets_session_timer: RX completion sets F9C5 (observed reload H'14) after the sixth byte is captured.
|
||||
* - session_timeout_clears_gate_and_queue: When F9C5 is clear, loc_3FEF clears F9B5/F9B0 and clears FAA5.bit7; when nonzero, it sets FAA5.bit7.
|
||||
* - host_ack_can_advance_queue: Commands 0x05/0x06 are modeled as acknowledgement paths that can clear pending state or advance F9B5.; commands H'05, H'06
|
||||
* - caveat: Many panel controls may require host/session traffic before reporting. Observed autonomous call/camera-power indexes are runtime/capture overlays, not ROM constants.
|
||||
* - evidence: H'3FD3, H'3FD7, H'3FD9, H'3FDD, H'3FDF, H'3FE3, H'3FE5, H'3FE9, H'3FEB, H'3FEF, H'3FF3, H'3FF5, H'3FF9, H'3FFD, H'4001, H'4003, H'4005, H'4007, H'BAF2, H'BAF6, H'BAF8, H'BAFC, H'BAFE, H'BB00, H'BB04, H'BB06, H'BB08, H'BB0C, H'BB0E, H'BB11, H'BB13, H'BB15, H'BB17, H'BB19, H'BB1C, H'BB20, H'BB24, H'BB26, H'BB29, H'BB2B, H'BB2F, H'BB33, H'BB35, H'BB39, H'BB3D, H'BB3F, H'BB43, H'BE9E, H'BEA2, H'BEA5, H'BEA9, H'BEAD, H'BEAF, H'BEB3, H'BEB5, H'BEB9, H'BEBB, H'BEBF, H'BEC1, H'BEC5, H'BECB, H'BECF, H'BED1, H'BED5
|
||||
* TX/autonomous report model candidate:
|
||||
* - loc_BB43 -> loc_BA26: bytes 0..2 encode candidate logical index/report id; bytes 3..4 come from current_value_table_candidate; byte5 is 0x5A XOR checksum
|
||||
* - observed overlay candidates: heartbeat_or_idle_report_candidate: 00 00 00 00 80 DA; call_button_report_candidate: 00 00 15 80 00 CF, 00 00 15 00 00 4F; camera_power_report_candidate: 00 00 07 80 00 DD
|
||||
* - caveat: Real captures supplied so far show only heartbeat/idle, call, and camera-power autonomous TX frames. Other panel controls may require a host/device request or state transition before the firmware reports them.
|
||||
* - evidence: H'BB1C, H'BB20, H'BB2B, H'BB39, H'BB3F, H'BB43
|
||||
* heartbeat/periodic resend candidate:
|
||||
* - F9C6 reload H'01F4: Candidate periodic report/heartbeat timer reload.
|
||||
* - F9C8 reload H'14: Candidate periodic resend countdown/retry spacing value.
|
||||
* - FAA3 mask H'80: Candidate bit/mask that marks an autonomous report pending.
|
||||
* - BED5 resend path: Candidate periodic resend path feeding the TX staging/send-builder flow.
|
||||
* - evidence: H'BB46, H'BEC5, H'BB4C, H'BB51, H'BECB, H'BED5
|
||||
*/
|
||||
|
||||
static u8 sci1_rx_candidate_command(void)
|
||||
@@ -213,6 +233,29 @@ static u16 sci1_rx_candidate_logical_index(void)
|
||||
return 0x01FFu;
|
||||
}
|
||||
|
||||
static bool sci1_candidate_main_report_gate_open(void)
|
||||
{
|
||||
bool session_idle = MEM8[0xFAA2u] == 0u;
|
||||
bool rx_gate_open = (MEM8[0xFAA5u] & 0x80u) == 0u || MEM8[0xF9C3u] == 0u;
|
||||
bool tx_timer_clear = MEM8[0xF9C0u] == 0u;
|
||||
|
||||
return session_idle && rx_gate_open && tx_timer_clear;
|
||||
}
|
||||
|
||||
static bool sci1_candidate_report_queue_nonempty(void)
|
||||
{
|
||||
return MEM8[0xF9B5u] != MEM8[0xF9B0u];
|
||||
}
|
||||
|
||||
static bool sci1_candidate_periodic_resend_gate_open(void)
|
||||
{
|
||||
bool pending = (MEM8[0xFAA5u] & MEM8[0xFAA3u] & 0x80u) != 0u;
|
||||
bool period_elapsed = MEM8[0xF9C6u] == 0u && MEM8[0xF9C7u] == 0u;
|
||||
bool resend_countdown_active = MEM8[0xF9C8u] != 0u;
|
||||
|
||||
return pending && period_elapsed && resend_countdown_active;
|
||||
}
|
||||
|
||||
void sci1_process_candidate_protocol_command(void)
|
||||
{
|
||||
u8 command = sci1_rx_candidate_command();
|
||||
|
||||
Reference in New Issue
Block a user