Here is my analysis of the 1MB Grenada ROM dump that was sent to me. The ROM modules appear to fit within the first 512KB, but there is more "stuff" in the second 512KB.
The first 0x100 bytes of the Grenada ROM appear to constitute an index for the ROM.
Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000 43 0D 00 00 60 07 00 00 00 00 00 00 EF 5B 04 00
00000010 63 73 69 44 01 00 36 49 48 8F 00 00 20 FF FF FF csiD............
00000020 1D 00 00 00 22 00 01 00 05 00 00 03 1E 00 50 03
00000030 1D 00 00 04 23 00 01 04 06 00 00 07 17 00 E0 07
00000040 04 00 F0 07 00 10 F2 07 95 14 00 00 FF FF FF FF
00000050 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
........
000000F0 FF FF FF FF FF FF FF FF FF FF FF FF 5B 46 00 00
The first 0x20 bytes should checksum to 0x0000 (little endian).
That is ...
0x0D43 + 0x0000 + 0x0760 + ... + 0xFFFF = 0x0000
The checksum word for the first 0x20 bytes appears to be located at offset 0x16-17.
Code:
00000000 43 0D 00 00 60 07 00 00 00 00 00 00 EF 5B 04 00
00000010 63 73 69 44 01 00 36 49 48 8F 00 00 20 FF FF FF csiD............
Offset 0x20 is the beginning of an index of ROM modules.
Code:
00000020 1D 00 00 00 22 00 01 00 05 00 00 03 1E 00 50 03
00000030 1D 00 00 04 23 00 01 04 06 00 00 07 17 00 E0 07
00000040 04 00 F0 07 00 10 F2 07
Here is my interpretation of the index:
Code:
ID    Start Loc    Description
---------------------------------------------------------------------------------------
1D    0x0          module index
22    0x100        code
05    0x30000      Servo Adaptive Parameters (SAP)
03    0x35000      code
1D    0x40000      backup of module index, but differs in a few bytes
23    0x40100      backup of ID#22 - differs in only one byte at offset 0x5A2 (0x03 versus 0xFF)
06    0x70000      Read Adaptive Parameters (RAP)
17    0x7E000      data - adaptive?
04    0x7F000      Controller Adaptive Parameters (CAP) - serial number, model number, DOM
00    0x7F210      end of ROM modules
Each module, including the module index, has a word at the very end which appears to be a CRC of some kind. (That said, module ID 23 has the same CRC word as module ID 22, but differs in 1 byte at offset 0x5A2. How is that possible? Have I misunderstood the CRC word?)
Is offset 0x28-29 (immediately after the module list) a CRC word for the module list (0x20 - 0x47)?
There is more "stuff" at these locations ...
Code:
0x7F210 end of ROM modules at 0x7F20F
0x958E0
0x95CF0
0xA8B10
0xAC910
0xACDF0
0xAD000
0xB9D00
0xC0000
At the moment I have no idea what the "stuff" contains.
Module ID#22 has its own index (similar to ID#23 index).
Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000100 43 0D 00 00 60 06 00 00 00 00 00 00 78 6A 04 00
00000110 63 73 69 44 00 00 AE 3B 48 8F 00 00 20 FF FF FF csiD............
00000120 16 40 00 00 15 48 00 00 0E 48 02 00 10 58 06 00
00000130 03 00 8E 01 0B 00 EE 02 00 00 FF 02 00 00 00 00
00000140 00 00 00 00 36 1A 00 00 62 00 01 00 FF FF FF 7F
00000150 17 06 03 13 23 00 00 00 80 58 00 00 00 00 26 84
00000160 28 20 10 00 08 21 01 00 26 06 07 15 06 26 15 20
00000170 08 00 10 02 68 20 10 00 43 43 44 32 07 15 B8 00
00000180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 BE B9
00000190 A0 00 02 00 FF FF FF 7F FF FF FF FF FF FF FF FF
Code:
ID    Start Loc
      relative    absolute
-------------------------
16    0x40        0x140
15    0x48        0x148
0E    0x248       0x348
10    0x658       0x758
03    0x18E00     0x18F00
0B    0x2EE00     0x2EF00
00    0x2FF00     0x30000
I notice that the backup of the module index (at 0x40000) is very similar to the main index.
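
The checksum rule for the first 0x20 bytes, as an added example that is not part of the original post: it sums a header as little-endian 16-bit words modulo 0x10000 and recomputes the word at offset 0x16-17 that makes the total zero. The header bytes are copied from the two hex dumps above (ROM offsets 0x000 and 0x100); the function names are hypothetical.

```python
import struct

# Header bytes copied from the post's hex dumps.
MAIN_HEADER = bytes.fromhex(      # ROM offset 0x000-0x01F (module index)
    "43 0D 00 00 60 07 00 00 00 00 00 00 EF 5B 04 00 "
    "63 73 69 44 01 00 36 49 48 8F 00 00 20 FF FF FF"
)
MOD22_HEADER = bytes.fromhex(     # ROM offset 0x100-0x11F (module ID#22)
    "43 0D 00 00 60 06 00 00 00 00 00 00 78 6A 04 00 "
    "63 73 69 44 00 00 AE 3B 48 8F 00 00 20 FF FF FF"
)

# Per the post, the checksum word "appears to be located at offset 0x16-17".
CHECKSUM_OFFSET = 0x16


def word_sum16(block: bytes) -> int:
    """Sum the block as little-endian 16-bit words, modulo 0x10000."""
    if len(block) % 2:
        raise ValueError("block length must be a multiple of 2 bytes")
    words = struct.unpack("<%dH" % (len(block) // 2), block)
    return sum(words) & 0xFFFF


def stored_word(block: bytes, offset: int = CHECKSUM_OFFSET) -> int:
    """Read the 16-bit little-endian word currently stored at offset."""
    return struct.unpack_from("<H", block, offset)[0]


def balancing_word(block: bytes, offset: int = CHECKSUM_OFFSET) -> int:
    """Word that must sit at offset for the whole block to sum to 0x0000."""
    zeroed = block[:offset] + b"\x00\x00" + block[offset + 2:]
    return (-word_sum16(zeroed)) & 0xFFFF


def header_ok(block: bytes) -> bool:
    """True when the header satisfies the sum-to-zero rule."""
    return word_sum16(block) == 0


if __name__ == "__main__":
    for name, hdr in (("main index", MAIN_HEADER), ("module 22", MOD22_HEADER)):
        print("%-10s sum=0x%04X stored=0x%04X expected=0x%04X" % (
            name, word_sum16(hdr), stored_word(hdr), balancing_word(hdr)))
```

An additive checksum like this detects a single changed byte but not changes that cancel out across words, so a passing header is a consistency check on the dump rather than proof it is unmodified.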