Flash algo header data: 0xE00ABE00, 0x062D780D, 0x24084068, …

[jhembed]

Hello, what does this code do? I checked a lot of sources and there's no explanation for that.

0xE00ABE00, 0x062D780D, 0x24084068, 0xD3000040, 0x1E644058, 0x1C49D1FA, 0x2A001E52, 0x4770D1F2

[flit]

Hi there. This header has been present since the first commits of pyocd, and nobody really knows where it came from (the original pyocd author was no longer available to ask). It's one of those things where I wasn't completely comfortable removing because it might be performing some magic that's necessary. 😄

The header has two parts:

1. A bkpt instruction used to halt the CPU after the flash algo runs. This is obvious and required. LR is set to the address of this instruction when a flash algo entry point is invoked, so that function call returns to the bkpt.
2. Everything else…

A few years ago I disassembled then decompiled the header by hand to try and understand it.

Here's the disassembly, with the code located at 0x20000000:

0x20000000:  be00         bkpt    #0
0x20000002:  e00a         b       .+24            ; 0x2000001a
0x20000004:  780d         ldrb    r5, [r1]
0x20000006:  062d         lsls    r5, r5, #24     ; 0x18
0x20000008:  4068         eors    r0, r5
0x2000000a:  2408         movs    r4, #8
0x2000000c:  0040         lsls    r0, r0, #1
0x2000000e:  d300         bcc     .+4             ; 0x20000012
0x20000010:  4058         eors    r0, r3
0x20000012:  1e64         subs    r4, r4, #1
0x20000014:  d1fa         bne     .-8             ; 0x2000000c
0x20000016:  1c49         adds    r1, r1, #1
0x20000018:  1e52         subs    r2, r2, #1
0x2000001a:  2a00         cmp     r2, #0
0x2000001c:  d1f2         bne     .-24            ; 0x20000004
0x2000001e:  4770         bx      lr

The decompiled version:

// r0 = initial value
// r1 = ptr
// r2 = count
// r3 = modifier xor'd into r0
uint32_t foo(uint32_t r0, uint32_t r1, uint32_t r2, uint32_t r3)
{
    while (r2 != 0)
    {
        uint32_t r5 = *(uint8_t *)r1;
        r5 <<= 24;
        r0 ^= r5;

        uint32_t r4 = 8;
        do {
            uint32_t b = r0 & (1 << 31);
            r0 <<= 1;
            if (b)
            {
                r0 ^= r3;
            }
            r4 -= 1;
        } while (r4 != 0);

        r1 += 1;
        r2 -= 1;
    }

    return r0;
}

Basically, this looks like a form of CRC. It's never used by any flash algo that I know of. Why it was included is completely unknown. My only guess is that there was an original idea of running a CRC over part of the flash memory, so it was included in the flash algo binaries. (Somewhat ironically, that functionality was later implemented separately in pyocd.)

Fyi, the generate_flash_algo.py script no longer includes the entire header. The bkpt is required, and the second instruction was kept to maintain word alignment. (The second instruction should really be changed to something like 0xe7fd, or b .-2.)

[jhembed]

This is very helpful to me. Thank you very much for your reply.