v0011: 04.01.2003 11:35

have a look at http://www.intersil.com/data/fn/fn4839.pdf

TODO: find PRI entry
      have a look at 38 26e8 (for v4.0 PRI fw - not airport!)
0038:26d0 01 87 c0 47 80 46 41 86 01 82 c0 42 80 43 41 83 ..G.FA...B.CA.
0038:26e0 00 41 c1 81 81 80 40 40 00 20 38 00 30 22 00 30 .A...@@. 8.0".0
0038:26f0 39 00 fe cf 29 f8 00 0a 10 01 68 a4 b0 01 84 01 9.)....h...
      (the length appears after the offset: 38 2000 | 2230, 39 3000 | cffe)

      somewhere the bootloader has to know where the entry point is...
      imho the PRI also has to know the entry point of the STA

ser.nr. is at 38 2700 and aa8, PRI is at 38 2000 -> 700 offset to PRI start
aa8 - 700 = 3a8 ( -> that lands in the WEP area 200...3FF -> :( )

0038:24d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0038:24e0 00 00 00 00 00 00 00 00 00 00 c1 c0 81 c1 40 01 ...........@.
matches:
0000:0890 00 00 c1 c0 81 c1 40 01 01 c3 c0 03 80 02 41 c2 ...@.....A
0000:08a0 01 c6 c0 06 80 07 41 c7 00 05 c1 c5 81 c4 40 04 ....A...@.
-> 1st match c1 c0 81 c1 at 892 - with 4 matching zeroes leading: 88e
0000:0880 fb 00 11 00 00 00 ff 00 01 00 1e 00 f9 11 00 00 .............
-> entry should be somewhere here? :\
checked 880-890: :-(
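The two mechanical steps in the notes above, reading the offset/length pairs at 38 26e8 and hunting for the c1 c0 81 c1 bytes with their leading zeroes, are easy to get wrong by hand. The following is an added example, not part of the original notes: it parses hexdump lines in exactly the format used here into a flat segment:offset memory map, searches it for a byte pattern (extending the match backwards over 0x00 bytes the way the "with 4 matching zeroes leading: 88e" step does), and decodes the table at 26e8. The sample dump lines are copied from the notes; the three-word (offset, segment, length) stride of the table is this example's assumption, since the notes only observe that the length follows the offset.

```python
import re
from typing import Dict, List, Tuple

HEXBYTE = re.compile(r"^[0-9a-fA-F]{2}$")

# Constructed sample: hexdump lines copied from the notes above (the 0000:0880
# region, the 0038:24e0 line and the 0038:26d0..26f0 region with the table).
DUMP = """\
0000:0880 fb 00 11 00 00 00 ff 00 01 00 1e 00 f9 11 00 00 .............
0000:0890 00 00 c1 c0 81 c1 40 01 01 c3 c0 03 80 02 41 c2 ...@.....A
0038:24e0 00 00 00 00 00 00 00 00 00 00 c1 c0 81 c1 40 01 ...........@.
0038:26d0 01 87 c0 47 80 46 41 86 01 82 c0 42 80 43 41 83 ..G.FA...B.CA.
0038:26e0 00 41 c1 81 81 80 40 40 00 20 38 00 30 22 00 30 .A...@@. 8.0".0
0038:26f0 39 00 fe cf 29 f8 00 0a 10 01 68 a4 b0 01 84 01 9.)....h...
"""


def linear(seg: int, off: int) -> int:
    """seg:off as written in the notes -> flat address (seg << 16 | off)."""
    return (seg << 16) | off


def parse_hexdump(text: str) -> Dict[int, int]:
    """Parse 'SSSS:OOOO b0 b1 ... b15 <ascii>' lines into {flat address: byte}.

    Only the first 16 tokens after the address are used and each must be
    exactly two hex digits, so an ASCII column that happens to start with
    hex-looking characters ('aD...') cannot be mistaken for data.
    """
    mem: Dict[int, int] = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 17 or ":" not in tok[0]:
            continue
        seg, off = (int(x, 16) for x in tok[0].split(":"))
        raw = tok[1:17]
        if not all(HEXBYTE.match(b) for b in raw):
            raise ValueError(f"malformed dump line: {line!r}")
        base = linear(seg, off)
        for i, b in enumerate(raw):
            mem[base + i] = int(b, 16)
    return mem


def find_pattern(mem: Dict[int, int], pattern: bytes) -> List[Tuple[int, int]]:
    """Return (match address, start extended back over leading 0x00 bytes).

    The backwards extension stops at the first non-zero byte or at a hole
    in the dump, so a match is never extended into unknown memory.
    """
    hits = []
    for addr in sorted(mem):
        if all(mem.get(addr + i) == b for i, b in enumerate(pattern)):
            start = addr
            while mem.get(start - 1) == 0x00:
                start -= 1
            hits.append((addr, start))
    return hits


def read_u16(mem: Dict[int, int], addr: int) -> int:
    """Little-endian 16-bit read; raises KeyError if the dump has a hole there."""
    return mem[addr] | (mem[addr + 1] << 8)


def parse_image_table(mem: Dict[int, int], addr: int, count: int) -> List[dict]:
    """Decode the entries at 0038:26e8 under the assumed layout of three
    little-endian words per entry: offset, segment, length."""
    entries = []
    for n in range(count):
        base = addr + 6 * n
        off, seg, length = (read_u16(mem, base + 2 * k) for k in range(3))
        start = linear(seg, off)
        entries.append({"segment": seg, "offset": off, "length": length,
                        "start": start, "end": start + length})
    return entries


if __name__ == "__main__":
    mem = parse_hexdump(DUMP)
    for addr, start in find_pattern(mem, bytes.fromhex("c1c081c1")):
        print(f"match at {addr:06x}, with leading zeroes from {start:06x}")
    for e in parse_image_table(mem, linear(0x38, 0x26e8), 2):
        print(f"image {e['segment']:02x}:{e['offset']:04x} len {e['length']:04x} "
              f"-> ends at {e['end']:06x}")
```

Run as-is it reports the match at 0x000892 (extended to 0x00088e) and the second copy at 0x3824ea, then the two images 38:2000 (len 2230, ending at 38:4230) and 39:3000 (len cffe). Feeding it the full dump instead of the six sample lines is just a matter of replacing DUMP.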

maybe we won't find the PRI fw - assume:
1. PRI gets loaded and executed
   (does the PRI initialise the data structures, or will the STA do that?)
2. PRI loads and executes the STA?
3. STA overwrites the PRI - maybe with data?
-> try booting the STA fw?

PRI fw is written to 38 2000 - entry ?? - len ~2230 (usual v4.0) / ~256E (Airport v1.04)
PRI entry somewhere between 800 (850?) and 2a80?

STA fw is written to 39 3000 - entry ?? - len ~CFFE

TER fw is written to 1F 4800 - entry +8 - len ~A400
                    (1F FFFF ramend?)

-----------------------------------------------------

        0...3FF: 1KB internal RAM
      200...3FF: WEP

    400: CIS?? (copied from ser. eeprom on boot?)
--------------
0000:0400 01 1e 03 80 00 7f 00 00 ff 17 17 ff 04 67 67 04 ...........gg.
0000:0410 5a 08 08 5a ff 1c 1c ff 04 02 02 04 00 00 00 00 Z..Z..........

    580: ???
------------
0000:0580 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 
0000:0590 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 

    800: PRI??
--------------
0000:0800 00 00 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 ..<.............
0000:0810 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
...
0000:0880 fb 00 11 00 00 00 ff 00 01 00 1e 00 f9 11 00 00 .............
0000:0890 00 00 c1 c0 81 c1 40 01 01 c3 c0 03 80 02 41 c2 ...@.....A
...
0000:0aa0 10 01 68 a4 b0 01 84 01 30 33 31 33 44 44 30 33 ..h...0313DD03
0000:0ab0 31 33 30 33 31 33 32 33 32 33 90 00 78 04 ae e4 1303132323..x.

0000:18f0 00 00 00 00 00 00 00 00 01 00 50 e4 ab e4 c5 e4 ..........P
0000:1900 fe e4 98 e2 98 e2 98 e2 98 e2 98 e2 98 e2 0e e5 .......

0000:1ce0 e0 25 98 14 00 00 9c 16 68 01 09 00 ce 00 50 31 %......h....P1
0000:1cf0 30 31 30 34 30 30 00 00 00 00 00 00 00 00 00 00 010400..........

   2a80 (2e00 on airport) - 80?: 128-byte entries (2A80 (assumed PRI end) - 2230 (= PRI len) = 850 -> ~PRI start??)
------------------------
0001:0000 01 02 7c 00 ac 6e 30 2c 70 06 48 e3 84 d0 0f a7 ..|.n0,p.H..
0001:0010 a8 cb 24 c1 30 c4 20 84 45 89 ec a9 80 94 b1 85 $0 .E....

...

0001:0100 03 02 7c 00 4e 65 7a 8e 64 50 a2 45 40 84 e1 82 ..|.Nez.dPE@..
0001:0110 7a 71 6a 4a 6b 47 32 41 d0 a7 3e 6b 28 02 06 cb zqjJkG2A..>k(..

0001:0180 04 02 7c 00 d7 4c 55 b6 08 9a f2 46 18 c0 08 7a ..|.LU..F..z
0001:0190 47 ac 0b bc 84 18 78 bb 9a 0c b0 db 07 14 cc 9f G...x.....

0001:0200 05 02 7c 00 9d 74 1a 5b f8 61 26 d3 93 0b 1c 22 ..|..t.[a&..."
0001:0210 66 60 84 6f 5e 08 71 e0 0a 16 71 43 75 3f 79 00 f`.o^.q..qCu?y.

...

0001:0300 07 02 7c 00 46 d8 01 ae 63 ba a2 53 48 04 13 e0 ..|.F.cSH..
0001:0310 41 70 41 f5 85 ad 02 35 60 60 b0 37 fe 14 da 01 ApA..5``7..

...

0002:0000 01 04 7c 00 e3 00 23 d0 29 8a 49 84 0f 44 02 90 ..|..#).I..D..
0002:0010 15 06 28 5c b3 b2 6d a8 51 f1 62 a3 af 00 8e 04 ..(\mQb...

0003:0000 01 06 7c 00 99 18 90 15 d6 f9 09 95 28 cc 4b 84 ..|.......(K.
0003:0010 02 13 85 9b 85 c9 a2 08 25 3b 60 5e c5 42 a2 36 .......%;`^B6

 3 3000: STA??
--------------
0003:3000 61 44 fe fb ff fd ff 00 b3 f3 b2 f3 60 43 63 45 aD.`CcE
0003:3010 cb 81 dc 84 e0 84 e0 84 e0 84 e0 84 e0 83 00 64 ........d

 4 0400: -> 400 (=> RAMsize: 2 => 256KB)
 ##############

38 0000: PRI?
-------------
0038:0000  00 64 90 ff 20 f7 20 fe 00 64 91 ff 21 f7 20 fe  .d.  .d.! 
0038:0010  00 64 92 ff 22 f7 20 fe 00 64 93 ff 23 f7 20 fe  .d." .d.# 

38 2000: PRI data?
------------------
0038:2000  30 22 72 60 00 61 ff 60 a4 62 00 60 52 63 3e 60  0"r`.a`b.`Rc>`
0038:2010  00 65 61 46 5a d0 65 46 a2 d8 fb 1f ff 60 58 4f  .eaFZeF.`XO

38 fe00: Ident
--------------
0038:fe00 01 03 00 00 ff 17 04 67 5a 08 ff 1c 04 02 00 00 ......gZ......
0038:fe10 ff 1d 05 03 67 5a 08 ff 15 50 05 00 44 65 6c 6c ...gZ..P..Dell

39 0000: PDA
-------------
0039:0000  05 00 01 00 41 30 31 39 37 30 34 41 05 00 02 00  ....A019704A....
0039:0010  32 36 50 32 39 36 38 37 07 00 03 00 30 38 4d 36  26P29687....08M6
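The two PDA lines above already show the record structure: a 16-bit word count, a 16-bit record code, then ASCII data ("A019704A", "26P29687", "08M6..."). As an added example, not from the original notes, here is a walker for that layout. It assumes the Prism PDR convention of a little-endian length in 16-bit words (not counting the length word itself) followed by the code; the names for codes 1..3 come from the linux-wlan-ng/hostap PDR tables, not from these notes. The sample bytes are the 32 shown in the dump, so the third record is cut short, and the parser reports that instead of reading past the end.

```python
import struct
from typing import List

# Constructed sample: the 32 bytes at 0039:0000 shown in the dump above.
PDA_DUMP = bytes.fromhex(
    "05 00 01 00 41 30 31 39 37 30 34 41 05 00 02 00 "
    "32 36 50 32 39 36 38 37 07 00 03 00 30 38 4d 36 "
)

# Assumed record names, taken from the linux-wlan-ng / hostap PDR code tables
# rather than from these notes.
PDR_NAMES = {
    0x0001: "PCB part number",
    0x0002: "PDA version",
    0x0003: "NIC serial number",
}


def printable(data: bytes) -> str:
    """Render record data as ASCII when it is all printable, else as hex."""
    if data and all(0x20 <= b < 0x7F for b in data):
        return data.decode("ascii")
    return data.hex()


def parse_pda(blob: bytes) -> List[dict]:
    """Walk PDA records: u16 LE length (in 16-bit words, excluding the length
    word itself), u16 LE code, then (length - 1) * 2 bytes of data.

    A record whose data runs past the end of the blob is returned with
    truncated=True and parsing stops there, which is what happens when only
    the first two dump lines are available.
    """
    records, pos = [], 0
    while pos + 4 <= len(blob):
        nwords, code = struct.unpack_from("<HH", blob, pos)
        if nwords == 0:
            # A zero length could never advance the cursor: treat as terminator.
            break
        expected = (nwords - 1) * 2
        data = blob[pos + 4:pos + 4 + expected]
        records.append({
            "offset": pos,
            "code": code,
            "name": PDR_NAMES.get(code, "unknown PDR"),
            "expected_len": expected,
            "data": data,
            "text": printable(data),
            "truncated": len(data) < expected,
        })
        if records[-1]["truncated"]:
            break
        pos += 4 + expected
    return records


if __name__ == "__main__":
    for r in parse_pda(PDA_DUMP):
        flag = " (truncated in dump)" if r["truncated"] else ""
        print(f"+{r['offset']:04x} code {r['code']:04x} {r['name']}: "
              f"{r['text']}{flag}")
```

On the sample it prints the part number A019704A, the PDA version 26P29687 and the serial number starting 08M6 flagged as truncated (12 bytes expected, 4 present); pointing it at a complete 39 0000 dump yields the whole PDA.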

39 3000: STA?
------------------
0039:3000  61 44 fe fb ff fd ff 00 b3 f3 b2 f3 60 43 63 45  aD.`CcE
0039:3010  cb 81 dc 84 e0 84 e0 84 e0 84 e0 84 e0 83 00 64  ........d

3A 0000: -> 38 0000 (=> FLASHsize = 2 => 128KB ?)
###################
