2.1 KiB
CS35L27 Firmware and Trace Technical Details
I2S Code Path Details
Bidirectional Mode Write
-
First path (0xE082C2):
MOV A, #0x03; MOVX @DPTR, A
Address: 0x0000
— Enables both transmit (TX) and receive (RX) in I2S control register. -
Second path (0xE0858E):
MOV DPTR, #0x0003; MOV A, #0x03; MOVX @DPTR, A -
Note:
Value0x03usage is uncommon in typical speaker amplifier firmware, which usually only requires TX. RX (microphone-like operation) is atypical unless for diagnostics or advanced features.
Extended I2C Command Paths
- Handler at 0xE08EA4:
Triggered onCJNE A, #0x81. Non-standard command handling. - Handler at 0xE08F79:
Triggered onCJNE A, #0xC7. Similarly not standard across typical CS35L27 implementations.
Control Flow and Function Breakdown
-
Call Instructions: 113 (68 LCALL, 45 ACALL)
-
Return Instructions: 56 (Imbalance: 57)
-
Long jumps (LJMP): 104
-
Short jumps (SJMP/AJMP): 129
-
Switch/case-style indirect jumps (
JMP @A+DPTR): 3 -
Cyclomatic Complexity: 521
— For 4KB code size, this is high but not unprecedented in event-driven embedded code.
GPIO Operations
| Bit | Firmware Usage | Description/Notes |
|---|---|---|
| 0x3A | 5 SETB/CLR | Matches probable INT |
| 0x34 | 8 SETB/CLR | Frequent general usage |
| 0x38 | 8 SETB/CLR | Frequent general usage |
All toggles present in firmware, with detailed match to runtime evidence in TraceV3 logs.
Entropy and String Patterns
- DSP region (0x0C00–0x0FFF) shows highest entropy (7.30 bits/byte), matching expectations for optimized, dense DSP code.
- 11 minimal ASCII fragments (4–6 chars each), none corresponding to commands/phrases that indicate covert functions.
Codecctl.txt Usage
- Register initialization patterns extracted and mapped to firmware behavior.
- Confirms settings and expected register defaults from boot/init phase.
All statements above are based on direct static or hex evidence, with reference to actual offsets and disassembly output only.