| author | root <root@filebitch> | 2011-08-28 18:28:51 +0200 | 
|---|---|---|
| committer | root <root@filebitch> | 2011-08-28 18:28:51 +0200 | 
| commit | 1364c58cb6c97f24f4ade9d984ac71a846f5ef19 (patch) | |
| tree | 8dc7fdffe8a239531d917b331c22885f7fc963c2 /oncology/dpfhack_display/src | |
| parent | 8678f7ce47ed62c9db5446021955b89abbe3ab60 (diff) | |
| parent | 7a97f9d4baff89bbcfa4bef93ab4d4246b2b82e6 (diff) | |
Merge branch 'master' of https://github.com/krebscode/painload
Diffstat (limited to 'oncology/dpfhack_display/src')
| -rw-r--r-- | oncology/dpfhack_display/src/jmptbl4.s | 22 | ||||
| -rw-r--r-- | oncology/dpfhack_display/src/jmptbl_black.s | 22 | ||||
| -rw-r--r-- | oncology/dpfhack_display/src/jmptbl_blue.s | 23 | ||||
| -rw-r--r-- | oncology/dpfhack_display/src/jmptbl_pearl.s | 22 | ||||
| -rw-r--r-- | oncology/dpfhack_display/src/jmptbl_pink.s | 23 | ||||
| -rw-r--r-- | oncology/dpfhack_display/src/jmptbl_white.s | 22 | ||||
| -rw-r--r-- | oncology/dpfhack_display/src/p_start_black.s | 32 | ||||
| -rw-r--r-- | oncology/dpfhack_display/src/p_start_blue.s | 34 | ||||
| -rw-r--r-- | oncology/dpfhack_display/src/p_start_pearl.s | 32 | ||||
| -rw-r--r-- | oncology/dpfhack_display/src/p_start_pink.s | 32 | ||||
| -rw-r--r-- | oncology/dpfhack_display/src/p_start_white.s | 32 | ||||
| -rw-r--r-- | oncology/dpfhack_display/src/p_usbdesc.s | 139 | 
12 files changed, 435 insertions, 0 deletions
|
diff --git a/oncology/dpfhack_display/src/jmptbl4.s b/oncology/dpfhack_display/src/jmptbl4.s
new file mode 100644
index 00000000..c5582f6e
--- /dev/null
+++ b/oncology/dpfhack_display/src/jmptbl4.s
@@ -0,0 +1,22 @@
+; This is the jump table patch for the silver2 type DPF
+; It's activated through the first stage hack
+; This is necessary, because the first sector can not be patched safely.
+
+	.area HOME(CODE)
+	.area DSEG (DATA,ABS)
+
+	.include 'hack.inc'
+
+	TERMINATOR = 0x00
+
+; This is the bootstrap for our own firmware:
+	code_start.52	= start_addr    ; Start of HOME
+	code_end.52	= end_addr
+	offset.52	= load_offset
+	
+; User code escape bootstrap:
+	.org 0x228
+p52:
+	.dw	code_start.52 - 0x800, code_end.52 - 0x800
+	.db	offset.52, offset.52 >> 8, offset.52 >> 16
+	.db	TERMINATOR
diff --git a/oncology/dpfhack_display/src/jmptbl_black.s b/oncology/dpfhack_display/src/jmptbl_black.s
new file mode 100644
index 00000000..8187a39e
--- /dev/null
+++ b/oncology/dpfhack_display/src/jmptbl_black.s
@@ -0,0 +1,22 @@
+; This is the jump table patch for the 'black' type DPF
+; It's activated through the first stage hack
+; This is necessary, because the first sector can not be patched safely.
+
+	.area HOME(CODE)
+	.area DSEG (DATA,ABS)
+
+	.include 'hack.inc'
+
+	TERMINATOR = 0x00
+
+; Module p51:
+	code_start.51	= start_addr  ; DO NOT CHANGE. ABSOLUTE.
+	code_end.51	= end_addr
+	offset.51		= load_offset
+	
+	.org 0x0218
+p51:
+; New mod53:
+	.dw	code_start.51 - 0x800, code_end.51 - 0x800
+	.db	offset.51, offset.51 >> 8, offset.51 >> 16
+	.db	TERMINATOR
diff --git a/oncology/dpfhack_display/src/jmptbl_blue.s b/oncology/dpfhack_display/src/jmptbl_blue.s
new file mode 100644
index 00000000..7a2a9725
--- /dev/null
+++ b/oncology/dpfhack_display/src/jmptbl_blue.s
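Review bot: In jmptbl4.s the label `p52` sits at `.org 0x228`, the same offset that jmptbl_white.s and jmptbl_pink.s use for `p53`, while the other tables in this commit step 8 bytes per module (p50 at 0x210, p51 at 0x0218, p54 at 0x0230), which would put module 52 at 0x220. Either the module number in the symbol names or the origin looks off for the silver2 table. If 0x228 is correct for this firmware, a comment such as `; silver2: entry 52 lives at 0x228, table base differs from the other models` would keep a later reader from "correcting" it. A wrong origin here overwrites a neighbouring table entry in flash, so it is worth confirming against the firmware dump.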
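Review bot: In jmptbl_black.s the comment `; New mod53:` under `p51:` names a different module than the symbols around it (`code_start.51`, `offset.51`), which looks like a leftover from the white/pink table. Changing it to `; New mod51:` keeps the label, the symbols and the comment in agreement. The header also does not say which firmware version the 0x0218 origin was taken from; one line stating that would help anyone checking the patch against a different unit.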
@@ -0,0 +1,23 @@
+; This is the jump table patch for the pearl type DPF
+; It's activated through the first stage hack
+; This is necessary, because the first sector can not be patched safely.
+
+	.area HOME(CODE)
+	.area DSEG (DATA,ABS)
+
+	.include 'hack.inc'
+
+	TERMINATOR = 0x00
+
+; Module p50:
+; This is the bootstrap for our own firmware:
+	code_start.50	= start_addr  ; Start of HOME
+	code_end.50	= end_addr
+	offset.50	= load_offset
+	
+; User code escape bootstrap:
+	.org 0x210
+p50:
+	.dw	code_start.50 - 0x800, code_end.50 - 0x800
+	.db	offset.50, offset.50 >> 8, offset.50 >> 16
+	.db	TERMINATOR
diff --git a/oncology/dpfhack_display/src/jmptbl_pearl.s b/oncology/dpfhack_display/src/jmptbl_pearl.s
new file mode 100644
index 00000000..42fcf78f
--- /dev/null
+++ b/oncology/dpfhack_display/src/jmptbl_pearl.s
@@ -0,0 +1,22 @@
+; This is the jump table patch for the pearl type DPF
+; It's activated through the first stage hack
+; This is necessary, because the first sector can not be patched safely.
+
+	.area HOME(CODE)
+	.area DSEG (DATA,ABS)
+
+	TERMINATOR = 0x00
+
+	.include 'hack.inc'
+
+; Module p54:
+	code_start.54	= start_addr  ; DO NOT CHANGE. ABSOLUTE.
+	code_end.54	= end_addr
+	offset.54		= load_offset
+	
+	.org 0x0230
+p54:
+; New mod54:
+	.dw	code_start.54 - 0x800, code_end.54 - 0x800
+	.db	offset.54, offset.54 >> 8, offset.54 >> 16
+	.db	TERMINATOR
diff --git a/oncology/dpfhack_display/src/jmptbl_pink.s b/oncology/dpfhack_display/src/jmptbl_pink.s
new file mode 100644
index 00000000..a651aa59
--- /dev/null
+++ b/oncology/dpfhack_display/src/jmptbl_pink.s
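Review bot: The header of jmptbl_blue.s says `; This is the jump table patch for the pearl type DPF`, but the entry it defines is `p50` at 0x210, not pearl's `p54` at 0x0230, so the first line appears to have been copied from the pearl file. It should read `; This is the jump table patch for the 'blue' (DX_blue) type DPF`. With six near-identical tables, the header is the only thing that tells a reader which device an origin belongs to, and picking the wrong table for a device writes the entry to the wrong flash offset.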
@@ -0,0 +1,23 @@
+; This is the patched jump table located at 0x`OF`:00:00
+; It's activated through the first stage hack
+; This is necessary, because the first sector can not be patched safely.
+
+	.area HOME(CODE)
+	.area DSEG (DATA,ABS)
+
+	.include 'hack.inc'
+
+	TERMINATOR = 0x00
+
+; Module p53:
+	code_start.53	= start_addr  ; DO NOT CHANGE. ABSOLUTE.
+	code_end.53	= end_addr
+	offset.53	= load_offset
+
+	.org 0x0228
+
+p53:
+; New mod53:
+	.dw	code_start.53 - 0x800, code_end.53 - 0x800
+	.db	offset.53, offset.53 >> 8, offset.53 >> 16
+	.db	TERMINATOR
diff --git a/oncology/dpfhack_display/src/jmptbl_white.s b/oncology/dpfhack_display/src/jmptbl_white.s
new file mode 100644
index 00000000..bd8a0488
--- /dev/null
+++ b/oncology/dpfhack_display/src/jmptbl_white.s
@@ -0,0 +1,22 @@
+; This is the jump table patch for the 'white' type DPF
+; It's activated through the first stage hack
+; This is necessary, because the first sector can not be patched safely.
+
+	.area HOME(CODE)
+	.area DSEG (DATA,ABS)
+
+	.include 'hack.inc'
+
+	TERMINATOR = 0x00
+
+; Module p53:
+	code_start.53	= start_addr  ; DO NOT CHANGE. ABSOLUTE.
+	code_end.53	= end_addr
+	offset.53		= load_offset
+	
+	.org 0x0228
+p53:
+; New mod53:
+	.dw	code_start.53 - 0x800, code_end.53 - 0x800
+	.db	offset.53, offset.53 >> 8, offset.53 >> 16
+	.db	TERMINATOR
diff --git a/oncology/dpfhack_display/src/p_start_black.s b/oncology/dpfhack_display/src/p_start_black.s
new file mode 100644
index 00000000..575313bb
--- /dev/null
+++ b/oncology/dpfhack_display/src/p_start_black.s
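Review bot: The first header line of jmptbl_pink.s never names the device and still carries what looks like an unfilled `OF` placeholder in its address, unlike the sibling tables, which open with the model name. The entry itself (`p53` at `.org 0x0228`) is the same as in jmptbl_white.s. A header like `; This is the jump table patch for the 'pink' type DPF (same entry as 'white')` would document both facts and make it clear the duplication is intentional.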
@@ -0,0 +1,32 @@
+; Patch for startup (mod37 on white)
+	.include 'dpf.inc'
+	.include 'dpf_int.inc'
+	.include 'hack.inc'
+
+	.area HOME (CODE)
+	.area BANK0 (CODE, ABS)
+
+	.org 0x1330
+
+        orl     wdtcon,#0x20
+        mov     a,i_G_f
+        jbc     acc.3, usbact	; If this bit is 1, USB is plugged in.
+	sjmp	continue
+usbact:
+	ljmp	hack
+
+	.org 0x133c
+continue:
+
+	.org 0x159a
+hack:
+	clr	ea	; No IRQ
+	mov	dptr, #(0x196a - 0x800)
+	mov	a, #cloned_jumptable_offset >> 16
+	movx	@dptr, a
+
+	; Jump into usb main:
+	mov	a,#(51 - 1)
+	mov	dptr,#entry_addr
+	ljmp	tramp_jmp
+
diff --git a/oncology/dpfhack_display/src/p_start_blue.s b/oncology/dpfhack_display/src/p_start_blue.s
new file mode 100644
index 00000000..1098c0f1
--- /dev/null
+++ b/oncology/dpfhack_display/src/p_start_blue.s
@@ -0,0 +1,34 @@
+; Patch for startup (mod41 on DX_blue)
+	.include 'dpf.inc'
+	.include 'dpf_int.inc'
+	.include 'hack.inc'
+
+	.area HOME (CODE)
+	.area BANK0 (CODE, ABS)
+
+	.org 0x1418
+	lcall	0x13ac
+        orl     wdtcon,#0x20
+        mov     a,i_G_f
+        jbc     acc.3, usbact	; If this bit is 1, USB is plugged in.
+	sjmp	continue
+usbact:
+	ljmp	hack
+
+continue:
+	ljmp	tramp_return
+
+hack:
+	clr	ea	; No IRQ
+	mov	dptr, #(0x196a - 0x800)
+	mov	a, #cloned_jumptable_offset >> 16
+	movx	@dptr, a
+
+	pop	acc	; Fixup stack, as we did a jsr
+	pop	acc	; ..and a bank jsr
+
+	; Jump into our firmware
+	mov	a,#(50 - 1)
+	mov	dptr,#entry_addr
+	ljmp	tramp_jmp
+
diff --git a/oncology/dpfhack_display/src/p_start_pearl.s b/oncology/dpfhack_display/src/p_start_pearl.s
new file mode 100644
index 00000000..dde8ef9a
--- /dev/null
+++ b/oncology/dpfhack_display/src/p_start_pearl.s
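Review bot: In p_start_black.s the patch at `.org 0x1330` has to end before `continue:` at 0x133c, and nothing in the file checks that it does. If `wdtcon` and `i_G_f` are direct addresses (their definitions are in the includes, not in this hunk), the five instructions encode to 3+2+3+2+3 = 13 bytes, so the final `ljmp hack` would occupy 0x133a–0x133c and its last byte would land on the address that `sjmp continue` targets. Please confirm the sizes from the assembler listing and state the budget next to the origin, e.g. `; 0x1330..0x133b available: patch must not exceed 12 bytes`. The same layout is used in p_start_pearl.s, p_start_pink.s and p_start_white.s. Separately, this file's header says `mod37 on white` although it is the black variant.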
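Review bot: In p_start_blue.s the two `pop acc` instructions in `hack:` discard exactly two bytes, while their comments say they undo both a jsr and a bank jsr; an 8051 `lcall` on its own already pushes a two-byte return address. How many bytes the bank call pushes depends on the trampoline defined in the includes, which is not visible here, so the expected stack layout at this point should be written down, for instance `; stack on entry: <bytes pushed by bank jsr>, <bytes pushed by lcall>` with the real contents filled in. An unbalanced stack here would only surface later as a stray return, with interrupts already disabled by `clr ea`.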
@@ -0,0 +1,32 @@
+; Patch for startup (mod37 on pearl)
+	.include 'dpf.inc'
+	.include 'dpf_int.inc'
+	.include 'hack.inc'
+
+	.area HOME (CODE)
+	.area BANK0 (CODE, ABS)
+
+	.org 0x1330
+
+	orl	wdtcon,#0x20
+	mov	a,i_G_f
+	jbc	acc.3, usbact	; If this bit is 1, USB is plugged in.
+	sjmp	continue
+usbact:
+	ljmp	hack
+
+	.org 0x133c
+continue:
+
+	.org 0x15b0
+hack:
+	clr	ea	; No IRQ
+	mov	dptr, #(0x196a - 0x800)
+	mov	a, #cloned_jumptable_offset >> 16
+	movx	@dptr, a
+
+	; Jump into own firmware:
+	mov	a,#(54 - 1)
+	mov	dptr,#entry_addr
+	ljmp	tramp_jmp
+
diff --git a/oncology/dpfhack_display/src/p_start_pink.s b/oncology/dpfhack_display/src/p_start_pink.s
new file mode 100644
index 00000000..e7b845ef
--- /dev/null
+++ b/oncology/dpfhack_display/src/p_start_pink.s
@@ -0,0 +1,32 @@
+; Patch for startup (mod37 on pink)
+	.include 'dpf.inc'
+	.include 'dpf_int.inc'
+	.include 'hack.inc'
+
+	.area HOME (CODE)
+	.area BANK0 (CODE, ABS)
+
+	.org 0x1330
+
+        orl     wdtcon,#0x20
+        mov     a,i_G_f
+        jbc     acc.3, usbact	; If this bit is 1, USB is plugged in.
+	sjmp	continue
+usbact:
+	ljmp	hack
+
+	.org 0x133c
+continue:
+
+	.org 0x15ac
+hack:
+	clr	ea	; No IRQ
+	mov	dptr, #(0x196a - 0x800)
+	mov	a, #cloned_jumptable_offset >> 16;
+	movx	@dptr, a
+
+	; Jump into usb main:
+	mov	a,#(53 - 1)
+	mov	dptr,#entry_addr
+	ljmp	tramp_jmp
+
diff --git a/oncology/dpfhack_display/src/p_start_white.s b/oncology/dpfhack_display/src/p_start_white.s
new file mode 100644
index 00000000..c04c7fba
--- /dev/null
+++ b/oncology/dpfhack_display/src/p_start_white.s
@@ -0,0 +1,32 @@
+; Patch for startup (mod37 on white)
+	.include 'dpf.inc'
+	.include 'dpf_int.inc'
+	.include 'hack.inc'
+
+	.area HOME (CODE)
+	.area BANK0 (CODE, ABS)
+
+	.org 0x1330
+
+        orl     wdtcon,#0x20
+        mov     a,i_G_f
+        jbc     acc.3, usbact	; If this bit is 1, USB is plugged in.
+	sjmp	continue
+usbact:
+	ljmp	hack
+
+	.org 0x133c
+continue:
+
+	.org 0x1426
+hack:
+	clr	ea	; No IRQ
+	mov	dptr, #(0x196a - 0x800)
+	mov	a, #cloned_jumptable_offset >> 16
+	movx	@dptr, a
+
+	; Jump into usb main:
+	mov	a,#(53 - 1)
+	mov	dptr,#entry_addr
+	ljmp	tramp_jmp
+
diff --git a/oncology/dpfhack_display/src/p_usbdesc.s b/oncology/dpfhack_display/src/p_usbdesc.s
new file mode 100644
index 00000000..e9ee6538
--- /dev/null
+++ b/oncology/dpfhack_display/src/p_usbdesc.s
@@ -0,0 +1,139 @@
+; Hacked DPF descriptors
+
+	.module descriptors
+
+VENDOR_ID	= 0x1908	;
+PRODUCT_ID	= 0x0102	;
+PRODUCT_VERSION	= 0x0200	; 2.0
+
+
+	.include 'usb.inc'
+
+;; -----------------------------------------------------------------------------
+	.area	HOME	(CODE,ABS)
+	.org    0x1508
+
+_usb_desc_device::
+	.db	USB_DT_DEVICE_SIZE
+	.db	USB_DT_DEVICE
+	.db	0x10, 0x1	; USB version 2.0 (BCD)
+	.db	0xff		; device class
+	.db	0xff		; sub class
+	.db	0xff		; protocol (0xff == vendor-specific)
+	.db	8		; EP0 max packet size
+	; Note little endianness:
+	.db	<VENDOR_ID, >VENDOR_ID;
+	.db	<PRODUCT_ID, >PRODUCT_ID;
+	.db	<PRODUCT_VERSION, >PRODUCT_VERSION;
+	.db	2		; manufacturer string idx
+	.db	3		; product string idx
+	.db	1		; serial number string idx
+	.db	1		; number of configurations
+
+; string table:
+	.org 0x151a
+strings: 
+	.dw  _usb_desc_string_language
+	.dw  _usb_desc_string_serial
+	.dw  _usb_desc_string_manufacturer
+	.dw  _usb_desc_string_product
+	.dw  _usb_desc_string_iface
+
+; note: strings are UNICODE
+_usb_desc_string_language::
+	.db	4		; length
+	.db	USB_DT_STRING
+	.db	0x09, 0x04	; UNICODE language ID
+
+; string 1
+_usb_desc_string_manufacturer::
+	.db	(usb_desc_string_manufacturer_end - _usb_desc_string_manufacturer)
+	.db	USB_DT_STRING
+	.db	'h, 0
+	.db	'a, 0
+	.db	'c, 0
+	.db	'k, 0
+	.db	'f, 0
+	.db	'i, 0
+	.db	'n, 0
+usb_desc_string_manufacturer_end:
+
+_usb_desc_string_serial::
+	.db	(usb_desc_string_serial_end - _usb_desc_string_serial)
+	.db	USB_DT_STRING
+	.db	'0, 0
+	.db	'0, 0
+	.db	'0, 0
+	.db	'0, 0
+usb_desc_string_serial_end:
+
+; string 2
+_usb_desc_string_product::
+	.db	(usb_desc_string_product_end - _usb_desc_string_product)
+	.db	USB_DT_STRING
+	.db	'U, 0
+	.db	'S, 0
+	.db	'B, 0
+	.db	'-, 0
+	.db	'D, 0
+	.db	'i, 0
+	.db	's, 0
+	.db	'p, 0
+	.db	'l, 0
+	.db	'a, 0
+	.db	'y, 0
+usb_desc_string_product_end:
+
+; string 3
+_usb_desc_string_iface::
+	.db	(usb_desc_string_iface_end - _usb_desc_string_iface)
+	.db	USB_DT_STRING
+	.db	'l, 0
+	.db	'i, 0
+	.db	'b, 0
+	.db	'u, 0
+	.db	's, 0
+	.db	'b, 0
+
+usb_desc_string_iface_end:
+
+	.org 0x159a
+
+_usb_desc_config::
+	.db	USB_DT_CONFIG_SIZE
+	.db	USB_DT_CONFIG
+	.db	(usbdesc_config_end - _usb_desc_config) & 0xff
+	.db	(usbdesc_config_end - _usb_desc_config) >> 8
+	.db	1		; number of interfaces
+	.db	1		; configuration number
+	.db	0		; configuration string idx
+	.db	0x80		; flags: self-powered, remote wakeup
+	.db	100		; FIXME: bus power in 2mA units
+
+	.db	USB_DT_INTERFACE_SIZE
+	.db	USB_DT_INTERFACE
+	.db	0		; interface number
+	.db	0		; alternate setting
+	.db	2		; number of endpoints
+	.db	0xff		; interface class (0xff == vendor specific)
+	.db	0x00		; sub-class
+	.db	0		; protocol
+	.db	4		; interface string idx
+
+	.db	USB_DT_ENDPOINT_SIZE
+	.db	USB_DT_ENDPOINT
+	.db	(1 | USB_DIR_IN)	; EP number and direction
+	.db	USB_ET_BULK
+	.db	64			; maximum packet size (lsb)
+	.db	0			; maximum packet size (msb)
+	.db	0			; polling interval
+
+	.db	USB_DT_ENDPOINT_SIZE
+	.db	USB_DT_ENDPOINT
+	.db	(1 | USB_DIR_OUT)	; EP number and direction
+	.db	USB_ET_BULK
+	.db	64			; maximum packet size (lsb)
+	.db	0			; maximum packet size (msb)
+	.db	0			; polling interval
+
+usbdesc_config_end:    |
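Review bot: Two comments in p_usbdesc.s contradict the bytes they sit on. `.db 0x10, 0x1` is little-endian 0x0110, which is USB 1.1 rather than 2.0, and `.db 0x80` in the configuration descriptor sets only the reserved high bit of bmAttributes, meaning bus-powered with no remote wakeup (self-powered would be 0x40, remote wakeup 0x20). Either correct the comments, e.g. `.db 0x10, 0x1 ; bcdUSB 0x0110 = USB 1.1 (little endian)` and `.db 0x80 ; bmAttributes: bus-powered, no remote wakeup`, or change the bytes if 2.0 and self-powered were intended. The `; string 1`, `; string 2` and `; string 3` comments are also one lower than the indices the descriptors actually use (manufacturer 2, product 3, interface 4). Finally, the fixed serial `0000` means a host cannot tell two of these devices apart.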
