BIOS /
Initialization


The ARM9 BIOS performs a number of steps on boot before entering a loop in which it waits on the ARM7.

Here is pseudocode for the process up until the first signaling operation:

 

  // ARM9 BIOS start-up sequence (pseudocode), up to the first signaling operation.
  // Every statement is a hardware side effect, so the order shown is significant.

  // Two stores into the 0x040001Ax I/O range.
  // NOTE(review): later public hardware documentation names 0x040001A4 ROMCTRL and
  // 0x040001A0 AUXSPICNT, which would make 0x80 at 0x040001A1 the slot-enable bit
  // (bit 15 of AUXSPICNT) -- confirm. The second store is presumably a byte write in
  // the real code; the vuint32 cast is only pseudocode shorthand.
  (*(vuint32*)0x040001A4) = 0;
  (*(vuint32*)0x040001A1) = 0x80; // not a mistake, it isn't word aligned

  // 0xDF = 0x80 (I bit) | 0x40 (F bit) | 0x1F (System mode); Thumb bit (0x20) clear.
  CPSR = 0xDF;  // system mode, inhibit IRQ, FIQ

  // WAIT_CR is written twice in this sequence: bit 13 only here, bits 13 and 14 later
  // (0x6000). The delays bracket the first write.
  DelayLoop(0x2000);
  WAIT_CR = 0x2000;
  DelayLoop(0x2000);

  // Read the last halfword of the 0x027xxxxx region and write the same value back twice.
  // NOTE(review): together with the two fixed values below this looks like a command
  // sequence for the main-memory chip rather than ordinary data stores -- confirm.
  vuint16 temp = (*(vuint16*)0x027FFFFE);
  (*(vuint16*)0x027FFFFE) = temp;
  (*(vuint16*)0x027FFFFE) = temp;

  (*(vuint16*)0x027FFFFE) = 0xFFDF;
  (*(vuint16*)0x027FFFFE) = 0xE732;

  // The value read here is never used afterwards in this listing; only the access matters.
  temp = (*(vuint16*)0x027E57FE);

  WAIT_CR = 0x6000;

  // First CP15 control-register value. Bit 0 is clear here and in the second value below.
  // NOTE(review): per the ARM946E-S control-register layout, bit 0 is the protection-unit
  // enable and bit 13 (0x2000) selects high exception vectors, i.e. memory protection is
  // not yet active at this stage -- confirm.
  WriteCP15c1(0x00002078);
  DTCM_baseAddr = 0x00800000; // size = 16 KB (c9,c1=0x0080000A)

  // The control register is read and the result discarded, then rewritten with bit 16
  // additionally set (0x00012078 vs 0x00002078).
  // NOTE(review): bit 16 is the DTCM enable on the ARM946E-S, which fits the DTCM base
  // having just been programmed -- confirm. "CP15.c1" and "cp15.c1" presumably name the
  // same register.
  vuint32 ignored = CP15.c1;
  cp15.c1 = 0x00012078;

  // Interrupt master enable cleared; IRQ/FIQ are also masked in CPSR above.
  IME = 0;

  // Initial stacks. All three pointers fall inside the 16 KB DTCM window at 0x00800000:
  // svc at +0x3FC0, irq at +0x3FA0, and the current (System-mode) SP at +0x3EC0.
  SP_svc = 0x803FC0;
  SPSR_svc = 0;
  SP_irq = 0x803FA0;
  SPSR_irq = 0;
  SP = 0x00803EC0;

  // Clears the top 0x200 bytes of DTCM, the range that contains all three stack tops set
  // above. DTCM_BaseAddress is presumably the DTCM_baseAddr assigned earlier.
  ZeroMemory(DTCM_BaseAddress+0x3E00 .. DTCM_BaseAddress+0x3FFF);

The following notes don't really belong on this page, but there is no better place for them at the moment:

// Low ROM constants

// Related to firmware
0x000010A0:16
0x000010A2:16
0x000010A4:16

0x00000024:32 = uint32 CONSTANT_FOR_1B4;
0x00000028:8 = uint8 CONSTANT_FOR_1BA;
0x00000029:8 = uint8 CONSTANT_FOR_1B0;

// 0x1078..0x1087 (16 bytes, used as a table)
0x00001088:32 = CONST_1088;
0x0000108C:32 = CONST_108C;
0x00001090:32 = CONST_1090;
0x00001094:32 = CONST_1094;
0x00001098:32 = CONST_1098;
0x0000109C:32 = CONST_109C;

//////////////////////////////////////////////////////////////////////
Memory addresses:
//////////////////////////////////////////////////////////////////////

0x037F8000:       rtcAfterInit (control, year, month, day, week, hour, minute, second)
0x037F8000:32
 0x037F8000:16
 0x037F8002:16

0x037F8004:32
 0x037F8004:16
 0x037F8006:16

0x037F800A:16 = uint16 streamState; // 0..7 ish, see SerialStreamReadByte
0x037F8014 = ? (3rd arg of ARM10EC)


0x037F802C:32 = f(rtcAfterInit)
0x037F8030:32 = g(rtcAfterInit)
0x037F8038:32 = h(rtcAfterInit)
0x037F8034:32 = i(rtcAfterInit)

0x037F8040:16 = headerChecksOK

0x037F8058:32 = int sizeToRead
0x037F805C:16 = int16 cardIRQstate
0x037F805E:16 = int16 cirqBitIndex  // set to zero somewhere I'll assume
0x037F8060:32 = uint8 * cirqDataAddress;
0x037F8064:16 = int16 arm9binStart;
0x037F8066:16 = int16 cirqUnknown;
0x037F8068:16 = int16 cirqOffset;
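0x037F806E:16 = int16 cirqUnknown2  // NOTE: overlaps the upper halfword of timer3_params[0] (0x037F806C:32) listed below; either the two alias or one address is mistyped -- verify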


0x037F806C:32 = timer3_params[0];
0x037F8070:32 = timer3_params[1];
0x037F8074:32 = timer3_params[2];
0x037F8078:32 = timer3_params[3];

//////////////////////////////////////////////////////////////////////

0x0380FC00:32 = fcSourceROM;
0x0380FC04:32 = fcDestination;
0x0380FC08:32 = dataLeftForMCIRQ
0x0380FC0C:32 = fcLength

StartCardTransfer(0, 0x0380FC04:32 + r1 + r2, r5, params)

0x0380FC10:32 = global params[0]
0x0380FC14:32 = global params[1]
0x0380FC18:32 = global params[2]
0x0380FC1C:32 = global params[3]

0x0380FC20:32 = CustomMCIRQVector

CardIRQVector = 0x0380FC40:32
TimerIRQVector = 0x0380FC44:32
VBlankIRQVector = 0x0380FC48:32

0x0380FFF8:32 = IF_BUFFER

//////////////////////////////////////////////////////////////////////

0x027FF800:32 = int CurrentCardID
0x027FF804:32 = int Command10CardID
0x027FF808:16 = uint16 computedHeaderCRC;
0x027FF80C:16 = uint16 arm9copiedCRC
0x027FF810:16 = int16 state147A
0x027FF812:16 = desiredBit
0x027FF814:16 = int16 firmwareAuthenticated (1=yes)
0x027FF816:16 = int16 rtcInitFailure; // RTC initialization failed if non-zero

0x027FF820:32 = arm9 firmware execute address
0x027FF824:32 = arm7 firmware execute address
0x027FF82C:16 = status flag, perhaps "firmware loaded successfully" (if non-zero we get a ZeroRAM64(); if zero, both the ARM7 and ARM9 hang)



0x027FF840:16 = arm7biosCRC;

0x027FF848:32 = source of arm9 firmware exec addr (copied down to 820)
0x027FF84C:32 = source of arm7 firmware exec addr (copied down to 824)

//////////////////////////////////////////////////////////////////////

0x027FFE00..0x027FFF70   NDSHeader

//0x027FFE00..0B      // NDSHeader.GameTitle
//0x027FFE0C..FFE11   // NDSHeader.First 6 characters of game code
0x027FFE12:16     // NDSHeader.GameCodeLast2
//0x027FFE14:32     // NDSHeader.cartSize
//0x027FFE18..1E     // unknown
//0x027FFE1F:8       // Auto-boot flags
0x027FFE20:32     // NDSHeader.arm9romSource
0x027FFE24:32     // NDSHeader.arm9executeAddress (the arm9 bios looks at it)
0x027FFE28:32     // NDSHeader.arm9destination
0x027FFE2C:32     // NDSHeader.arm9binarySize

0x027FFE30:32     // NDSHeader.arm7romSource
0x027FFE34:32     // NDSHeader.arm7executeAddress
0x027FFE38:32     // NDSHeader.arm7destination
0x027FFE3C:32     // NDSHeader.arm7binarySize

//FE40..FE4F      // filename table / FAT
//FE50..FE5F      // overlays, not going to be seen
0x027FFE60:32     // NDSHeader.unknown2a
0x027FFE64:32     // NDSHeader.unknown2b
//0x027FFE68:32   // NDSHeader.IconOffset (not going to be seen)
//0x027FFE6C:16   // NDSHeader.SecureCRC16
0x027FFE6E:16     // NDSHeader.unknown2d (0x051E typically)
//0x027FFE70:32     // NDSHeader.unknownRAM1
//0x027FFE74:32     // NDSHeader.unknownRAM2
0x027FFE78:32     // NDSHeader.unknown3c. first half
0x027FFE7C:32     // NDSHeader.unknown3c. second half
//0x027FFE80:32     // NDSHeader.ROMsize
0x027FFE84:32     // NDSHeader.HeaderSize  -- FIXME: no, it's not!
//FE88..FFBF        // zeros (NOTE: the upper bound is likely FEBF, since the logo entry below starts at FEC0 -- verify)
//FEC0..FF5B      // NDSHeader.GBAlogo
0x027FFF5C:16     // is NDSHeader.LogoCRC16
0x027FFF5E:16     // is NDSHeader.HeaderCRC16
0x027FFF60:32     // NDSHeader.wordAt0x160
0x027FFF64:32     // NDSHeader.wordAt0x164
0x027FFF68:32     // NDSHeader.wordAt0x168
//0x027FFF6C:32

//////////////////////////////////////////////////////////////////////

0x027FFFFC:16 = 1 when header or logo crc-16 check failed, 0 if passed or not attempted
0x027FFFEC:16 = 1 when header or logo crc-16 check failed, 0 if passed or not attempted



Page last modified on May 07, 2005, at 07:50 PM
Everything done on this project is for the sole purpose of writing interoperable software under Sect. 1201 (f) Reverse Engineering exception of the DMCA.
This site is not affiliated with Nintendo in any manner. Nintendo DS © 2004 Nintendo. TM and ® are trademarks of Nintendo.