![[camera pic]](pv2-icon.jpg){kind=icon}
| $800000 |
Top of memory (8MB) |
| ... |
Unknown. May not be used -- the
SDRAM market is driven by personal computers, and lower density SDRAMs aren't economical to produce. |
| $400000 |
The USB code seems to not want
us to go beyond this size. Maybe something else is above this (I don't see why we'd need more memory), or maybe the camera is designed to work with less memory. |
| $260000-$36FB00 |
Uncompressed image in 1288x864
Bayer RGRG/GBGB, 8 bits/pixel (total size $10FB00 bytes) |
| $15209c-variable |
Compressed picture, data |
| $152000-$15209b |
Compressed picture ($90 byte
header) |
| $142000-1502B8 |
Probably used for TFT display,
or just to keep thumbnail (seen in data dumps) |
| $140080 |
Another USB scratchpad area |
| $140000 |
The major scratchpad area for
USB transfers/responses |
| $0EF000-? |
Used for TFT display?
(often-used third TFT buffer?) |
| $0DF000-$EEFFF |
Related to $0AF000 (second TFT
buffer?) |
| $0CF000-$DEFFF(?) |
Related to $0AF000 (first TFT
buffer?) |
| $0AF000-$0BEFFF |
Unknown. Initialized to $00
during boot. Could be area for TFT display? |
| ... |
|
| $0AE900-0AEBFF |
String table in use - only one
string table, $300 bytes, 16 bytes/string. |
| ... |
unknown. |
| $086400-? |
Storage area for NVRAM.DAT (the
entire file is 776 bytes long) |
| ... |
|
| $048400-? |
All text strings loaded here?
From
LANG-EN.DAT, which contains multiple sets of strings. |
| $046400-0483FF |
Font table loaded here? From
LANG-EN.DAT |
| ... |
|
| $02383C-02387B $023800-02383B |
Two similar buffers, $3C bytes
long, initialized to $00 by function index 13. Also used by function 11 and 0E. Probably associated with a LUN (logical unit number) |
| $023600-0237FF |
Used for some sort of file I/O
(may be a block buffer since it is 512 bytes) |
| $001400-probably
$020400 |
Copy of FIRMWARE.BIN, used for
bank switching. Each bank starts at $1400 + ($3000 * bank) |
| $000400-$001400 |
Copy of the about the first
$1000 bytes of FIRMWARE.BIN? Unknown. May also be at $000100-$0010FF (as seen in the bootloader) |
| $000000-$0003FF |
Bootloader? Unknown. |
| $000000-$001000 |
This may also be the bootloader
(based on reading SDRAM from camera), but I haven't checked. |
| $000000 |
Bottom of SDRAM memory |
| $FFFF |
Top of memory (64KB, 16-bit
program counter) |
| $F000-$FFFF |
Registers (probably this entire
range, but they are sparse) |
| $FB00-$FFFF |
Unknown, 16 registers? |
| $FA00-$FAFF |
Seems like a memory map to
somewhere - maybe a page into SDRAM or FLASH. |
| $F920-$F9FF |
Seems to be repeats of registers
at $F900-$F91F |
| $F900-$F903 |
SDRAM address for DMA. |
| $F800-$F8FF |
Unknown, 16 registers? |
| $F740-$F7FF |
Seems to be repeats of registers
at $F700-$F73F |
| $F730-$F73F |
Probably sets up the LCD screen
parameters. |
| $F72E $F72F |
Controls power to the screen. To
turn off, set $F72F to $00 and clear bit 1 (0x02) of $F72E. |
| $F727 $F726 |
Bit mapped button register.
$F727 may signal state has changed. Bit 1 - $02 - On/Off button (aka SW6) |
| $F723 $F722 |
Bit-mapped button register.
$F723 may signal state has changed. Bit 7 - $80 - Unpopulated button SW4 Bit 6 - $40 - Delete button (aka SW3) Bit 5 - $20 - Shutter button (aka S1 on daughter board) Bit 4 - $10 - Display button (aka SW2) Bit 1 - $02 - Checked, but physical location on board not known. Is it the missing SW5 or edge connector? Bit 0 - $01 - Unpopulated button SW1 If bits 4 & 5 are set when powering up, we get the two-finger-salute status page. |
| $F71C |
Seems like a direction control
register for $F71B. Set to $00 to enable LED on/off if running code invoked by bootloader (if FIRMWARE.BIN is running, it probably sets this correctly for you) $9C might be a good value to set this to, too (from initialization code in FIRMWARE.BIN, done as a series of three &=) |
| $F71B |
$F0 - Triggers Flash $40 - Triggers Flash $20 - Closes Shutter $10 - Triggers Flash $08 - LED on/off $02 - Opens Shutter (Analysis by BillW) |
| $F719 |
Battery power level. Doesn't
update when on USB power. (billW) |
| $F718 |
Bit mapped register, read-only.
Perhaps buttons? Bit 7 unknown, unset during testing. Bit 6 seems related to USB. Bit 5 related to USB. Bit 4 unknown, set during testing. Bit 3 unknown, returned by cmd $5E, byte 17= 0x17. Related to USB Bit 2 unknown, set during testing. Bit 1 toggled by pressing the power button - a latch of the power button. Bit 0 unknown, unset. Bits 3,5,6 respond to USB cable removal. 0=unplugged, 1=plugged in. (Thanks BillW) |
| $F716 |
Camera watchdog timer; must be
written every 5 seconds or the camera resets. (discovered by daBass). Only 01 is written to this. This is in the two-finger-salute loop where we are waiting for the user to release either button. |
| $F715 | Camera reset. Writing *anything*
(including $00) into this location immediately resets/powers-down the
cam. The firmware writes $01. Attempted reads return $00. (billW) |
| $F711-$F714 |
? |
| $F710 |
Hardware ID? Reads 06 and
stored in compressed header. |
| $F705-$F70F |
? |
| $F704-$F705 |
These are used as a silent
timer. As far as I can tell, the $F700-$F703 locations can't be used
for silent timer operation. The firmware itself uses $F704-$F705 for
pausing between beeps. To use, store the delay in $F704, and check $F705 until it is non-zero. An example: PAUSE: LDI R4,#$02 STA R4,$F704 PLOOP: LDA R0,$F705 BRZ PLOOP (analysis & example by BillW)
|
| $F700-$F703 |
Used to produce beeps, and may
be a general-purpose timer. Here is sample code that produces a beep: LDI R2,#$40 ;pitch (smaller value is higher tone) LDI R4,#$04 ;duration (this is may be 1/4 of a second) STA R4,$F700 STA R2,$F701 LDI R0,#$01 STA R0,$F702 LABEL: LDA R0,$F703 BNZ LABEL ;wait for beep to complete. |
| $F704 |
sometimes this is checked to see
if it is zero - may be related to $F703. |
| $F703 |
Count down value for timer, or
maybe a completion flag? Is zero when beep is done. |
| $F702 |
Flag to start timer? Or maybe
determines if the timer produces a sound. $02 = no sound $01 = sound $00 = probably no sound (not checked) |
| $F701 |
Timer/beeper pitch. Lower
numbers are higher frequencies. |
| $F700 |
Timer/beeper duration. Typical
values are 1-4 for beeps. |
| $F600-$F6FF |
Unknown, 16 registers? |
| $F500-$F5FF |
Unknown, 32 registers? |
| $F400-$F4FF |
Unknown, 16 registers? |
| $F300-$F3FF |
Unknown, 32 registers? |
| $F200-$F2FF |
Unknown. 16 registers? |
| $F13A |
Type ID, aka USB Product ID.
Writable, set from $F139 |
| $F100-$F1FF |
Unknown, registers. |
| $F000-$F0FF |
Unknown, registers. |
| $C000-$EFFF |
Image of $0000-$2FFF. |
| $8000-$BFFF |
Image of $0000-$3FFF. |
| $4000-$7FFF |
Image of $0000-$3FFF. |
| $1000-$3FFF |
Code from FIRMWARE.BIN; bank
switched manually with a DMA transfer |
| $0090-$0FFF |
Code from FIRMWARE.BIN; fixed. |
| $0080-$008F |
Interrupt vector table. $0082 and $0083 is the USB interrupt vector. |
| $0000-$007F |
Processor stack. Looks like it
starts from $7F and grows downward. It could eventually overwrite the RAM copy of the bootloader, but that is acceptable because the bootloader has already been executed. |
| $0000-$0029 |
Bootloader or utility program.
Appears to load the
first $1000 bytes of FIRMWARE.BIN from some unknown area. There are probably other sections of the bootloader that operate first. Pseudocode: $F800=$90, $F801=$00 (destination in SRAM) RSP (with R1=00, R0=7f, so I assume it sets the stack pointer to $007f) $F803=$00 (transfer direction: SRAM<-SDRAM) $F804=$01 (get ready to transfer) i=$0fff do { $F802=LSB(i); $F804=$00 } while (--i != 0); $F802 = $eb; JMP L0090 (start of FIRMWARE.BIN) |
| $0000 |
Bottom of program space. |
| $F903:$F900 |
32-bit SDRAM address |
| $F801:$F800 |
SRAM address |
| $F802 |
involved. |
| $F803 |
transfer direction: 01 = SRAM->SDRAM 00 = SRAM<-SDRAM |
| $F804 |
set to 1 during init, then to 0
later |
| $F002 |
also involved in this, but not
in inner loop |