The loader is the code below 0x6000.
| start address | end address | content |
|---|---|---|
| 0x0000 | | reset/startup address |
| 0x0002 | | FIQ handler address |
| 0x0004 | | IRQ handler address |
| 0x0006 | | TRQ handler address |
| 0x0008 | 0x00FE | SWI handler addresses |
| 0x0100 | | Startup code |
| 0x02EC | | FIQ code installer |
| 0x035C | | IRQ handler (JMP to actual code) |
| 0x0360 | 0x1816 | FIQ code |
| 0x1818 | | Bulk of loader code |
| 0x30A8 | 0x3586 | Loader data |
| 0x3588 | 0x5FFF | Free space (0xFF) |
0x48F0, although it lies in the region that is apparently free space, is used for the backdoor activation check. A region labelled "free" is therefore not guaranteed to be all 0xFF; anything that is not 0xFF there is code or data the layout does not account for.
The FIQ code installer does a DMA transfer to copy the FIQ code to where it belongs, i.e. the FIQ area at 0x3FC000.
The FIQ code contains the basic interrupt handlers (including UART), but also the "real work" of the firmware upgrade procedure. Because that code runs from the FIQ area rather than from the flash itself, the flash can be overwritten safely while the CPU executes code elsewhere; this is also the code to look at for anything that can modify the loader.
The upgrade procedure checks the flash chip ID before writing. The vendor ID must be SST (0xBF) and the device ID must be one of 0x225B, 0x2280, 0x2281, 0x22B9, 0x22BA; any other chip is rejected.
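As an added example (written for this page; it is not the loader's or the firmware's own code), a small C checker that does two things a reverser would want when looking at a loader dump: it scans the region the layout calls free space (0x3588 to 0x5FFF) for any run of bytes that is not the 0xFF fill, which is how the hidden check at 0x48F0 shows up, and it mirrors the upgrade procedure's vendor/device ID gate. The image it runs on is a constructed blank with four made-up bytes planted at 0x48F0; the real bytes at that address, the way the firmware reads the chip ID from the part, and the byte order of the device ID values are not given on the page and are not assumed here.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LOADER_SIZE 0x6000   /* the loader is everything below 0x6000 */
#define FREE_START  0x3588   /* start of the region the layout calls free space */
#define FREE_END    0x5FFF   /* inclusive end of that region */
#define FILL_BYTE   0xFF     /* erased-flash value the free space should hold */

#define SST_VENDOR_ID 0xBF

/* Device IDs the upgrade procedure accepts (values from the page). */
static const uint16_t accepted_devices[] = { 0x225B, 0x2280, 0x2281, 0x22B9, 0x22BA };

/* Mirror of the upgrade procedure's ID gate: vendor must be SST and the
 * device must be on the list. Returns 1 if accepted, 0 otherwise. */
int flash_id_accepted(uint8_t vendor, uint16_t device)
{
    size_t i;
    if (vendor != SST_VENDOR_ID)
        return 0;
    for (i = 0; i < sizeof accepted_devices / sizeof accepted_devices[0]; i++)
        if (accepted_devices[i] == device)
            return 1;
    return 0;
}

struct run {
    uint32_t start;  /* offset of the first non-fill byte */
    uint32_t len;    /* number of consecutive non-fill bytes */
};

/* Scan the free-space region of a loader image for runs of bytes that differ
 * from the fill value. Anything found is code or data the layout does not
 * account for. Returns the total number of runs; at most max_runs are stored. */
size_t find_nonfill_runs(const uint8_t *img, size_t img_len,
                         struct run *out, size_t max_runs)
{
    size_t n = 0;
    uint32_t a = FREE_START;
    uint32_t end = FREE_END;

    if (img_len <= FREE_START)
        return 0;
    if (end > img_len - 1)
        end = (uint32_t)(img_len - 1);   /* truncated dump: stop at its end */

    while (a <= end) {
        uint32_t s;
        if (img[a] == FILL_BYTE) { a++; continue; }
        s = a;
        while (a <= end && img[a] != FILL_BYTE)
            a++;
        if (n < max_runs) { out[n].start = s; out[n].len = a - s; }
        n++;
    }
    return n;
}

/* Constructed sample image (not a real dump): code/data area zeroed, free space
 * filled with 0xFF, and four made-up bytes planted at 0x48F0 to stand in for
 * the hidden activation check. */
void build_sample_image(uint8_t *img)
{
    static const uint8_t planted[] = { 0x12, 0x34, 0x56, 0x78 };
    memset(img, 0x00, FREE_START);
    memset(img + FREE_START, FILL_BYTE, LOADER_SIZE - FREE_START);
    memcpy(img + 0x48F0, planted, sizeof planted);
}

/* Run the scan over the sample; returns the run count and, if first is
 * non-NULL, the first run found (zeroed when there is none). */
size_t scan_sample(struct run *first)
{
    static uint8_t img[LOADER_SIZE];
    struct run runs[8];
    size_t n;
    build_sample_image(img);
    n = find_nonfill_runs(img, sizeof img, runs, 8);
    if (first) {
        if (n) *first = runs[0];
        else { first->start = 0; first->len = 0; }
    }
    return n;
}

uint32_t sample_first_run_start(void) { struct run r; return scan_sample(&r) ? r.start : 0; }
uint32_t sample_first_run_len(void)   { struct run r; return scan_sample(&r) ? r.len   : 0; }

int main(void)
{
    struct run runs[8];
    size_t n = scan_sample(NULL), i;
    static uint8_t img[LOADER_SIZE];

    build_sample_image(img);
    n = find_nonfill_runs(img, sizeof img, runs, 8);
    printf("%u non-0xFF run(s) in free space\n", (unsigned)n);
    for (i = 0; i < n && i < 8; i++)
        printf("  0x%04X..0x%04X (%u bytes)\n", (unsigned)runs[i].start,
               (unsigned)(runs[i].start + runs[i].len - 1), (unsigned)runs[i].len);
    printf("SST 0x2280 accepted: %d\n", flash_id_accepted(0xBF, 0x2280));
    return 0;
}
```

On a real dump, replace `build_sample_image` with a read of the first 0x6000 bytes of the loader; every run the scanner reports is a candidate for disassembly, and one of them should land on 0x48F0. The ID gate is worth keeping in mind when reproducing the upgrade path on other hardware: a part with any other vendor or device ID is refused before the erase/program sequence starts.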