It is eventually found that in do_something_with_mmc@40016f88, a short loop expects changes in memory by external means.
R4 is never updated in the loop loc_ROM_40016FC0, but [R4+0x130] is expected to change by the following logic. So it is suspected that there is a multi-threaded operation, or a parallel operation with another processor like a DSP or the like.
Since concurrency can be tricky, loops with this pattern should be found and further analysed.
40016FC0 loc_ROM_40016FC0 ; CODE XREF: do_something_with_mmc+3Ej
40016FC0 ; do_something_with_mmc+4Aj
40016FC0 00C D4 F8 30 21 LDR.W R2, [R4,#0x130] ; Load from Memory
40016FC4 00C 00 2A CMP R2, #0 ; Set cond. codes on Op1 - Op2
40016FC6 00C FB D0 BEQ loc_ROM_40016FC0 ; Branch
40016FC6
40016FC8 00C 15 04 LSLS R5, R2, #0x10 ; Logical Shift Left
40016FCA 00C 01 D5 BPL loc_ROM_40016FD0 ; Branch
40016FCA
40016FCC 00C 01 20 MOVS R0, #1 ; Rd = Op2
40016FCE 00C 30 BD POP {R4,R5,PC} ; Pop registers
40016FCE
40016FD0 ; ---------------------------------------------------------------------------
40016FD0
40016FD0 loc_ROM_40016FD0 ; CODE XREF: do_something_with_mmc+42j
comment: in this example LDR.W R2, [R4,#0x130] really reads not from memory but from the registers of the MMC peripheral, so it can change as the state of that peripheral changes. But there are also IRQ handlers that interrupt the main thread and perform some actions that can change memory.
grep -B 6 -E "[0-9]{3} F. D." rom3.txt
400144DE 000 01 61 STR R1, [R0,#0x10]
400144DE
400144E0
400144E0 loc_ROM_400144E0
400144E0 000 41 69 LDR R1, [R0,#0x14]
400144E2 000 C9 07 LSLS R1, R1, #0x1F
400144E4 000 FC D0 BEQ loc_ROM_400144E0
--
400145F8 004 81 40 LSLS R1, R0
400145F8
400145FA
400145FA loc_ROM_400145FA
400145FA 004 50 6D LDR R0, [R2,#0x54]
400145FC 004 08 42 TST R0, R1
400145FE 004 FC D0 BEQ loc_ROM_400145FA
--
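The opening post and the grep above are after the same thing: a short loop that keeps re-reading [Rn,#off] while nothing inside the loop writes Rn, so the loop can only exit if a peripheral register, DMA, another core or an IRQ handler changes the value. The grep only matches the backward BEQ encoding; the script below, added here as an example and not part of the thread or of any tool it mentions, parses IDA-style listing lines, finds short backward-branching loops, and flags those whose polled base register is never written in the loop body (and whose polled location the loop does not store to itself). The sample listing is constructed from the excerpts quoted in the thread plus one made-up counter loop at 40015000 as a negative case; the function names (parse_listing, written_regs, find_polling_loops, scan_text) and the register-write heuristic are my own assumptions, not IDA's.

```python
import re
from collections import namedtuple

# Constructed sample listing (IDA-style, as quoted in this thread): the
# do_something_with_mmc loop, the two grep hits, plus a made-up counter loop at
# 40015000 that advances its base register and therefore must NOT be flagged.
SAMPLE_LISTING = """\
40016FC0 loc_ROM_40016FC0 ; CODE XREF: do_something_with_mmc+3Ej
40016FC0 00C D4 F8 30 21 LDR.W R2, [R4,#0x130] ; Load from Memory
40016FC4 00C 00 2A CMP R2, #0 ; Set cond. codes on Op1 - Op2
40016FC6 00C FB D0 BEQ loc_ROM_40016FC0 ; Branch
40016FC8 00C 15 04 LSLS R5, R2, #0x10 ; Logical Shift Left
400144E0 loc_ROM_400144E0
400144E0 000 41 69 LDR R1, [R0,#0x14]
400144E2 000 C9 07 LSLS R1, R1, #0x1F
400144E4 000 FC D0 BEQ loc_ROM_400144E0
400145FA loc_ROM_400145FA
400145FA 004 50 6D LDR R0, [R2,#0x54]
400145FC 004 08 42 TST R0, R1
400145FE 004 FC D0 BEQ loc_ROM_400145FA
40015000 loc_ROM_40015000
40015000 000 41 69 LDR R1, [R0,#0x14]
40015002 000 01 30 ADDS R0, #1
40015004 000 FC D1 BNE loc_ROM_40015000
"""

HEX_BYTE = re.compile(r"^[0-9A-F]{2}$")
LABEL_LINE = re.compile(r"^[0-9A-F]{8}\s+(loc_\w+)")
MEM_OPERAND = re.compile(r"\[(R\d+|SP|LR|PC)(?:,\s*#(-?0x[0-9A-Fa-f]+|-?\d+))?\]")
COND = "EQ|NE|CS|HS|CC|LO|MI|PL|VS|VC|HI|LS|GE|LT|GT|LE"
LOOP_BRANCH = re.compile(rf"^B({COND})$|^CBN?Z$")          # loop-forming branches
ANY_BRANCH = re.compile(rf"^(B|BL|BX|BLX)({COND}|AL)?$|^CBN?Z$")
NO_DEST = ("CMP", "CMN", "TST", "TEQ", "STR", "PUSH")      # first operand is not written
Insn = namedtuple("Insn", "addr mnem raw_ops")

def parse_listing(text):
    """Return (instructions, labels); labels maps a loc_ name to the index of the
    instruction it precedes. Bare-address and separator lines are skipped."""
    insns, labels = [], {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].rstrip()            # drop IDA comment
        m = LABEL_LINE.match(line)
        if m:
            labels[m.group(1)] = len(insns)
            continue
        tokens = line.split()
        if len(tokens) < 3 or not re.fullmatch(r"[0-9A-F]{3}", tokens[1]):
            continue                                     # not an instruction line
        i = 2
        while i < len(tokens) and HEX_BYTE.match(tokens[i]):
            i += 1                                       # skip raw opcode bytes
        if i < len(tokens):
            insns.append(Insn(int(tokens[0], 16), tokens[i], " ".join(tokens[i + 1:])))
    return insns, labels

def mem_ref(insn):
    """(base register, offset) of a [Rn,#imm] operand, or None."""
    m = MEM_OPERAND.search(insn.raw_ops)
    return (m.group(1), m.group(2) or "0") if m else None

def written_regs(insn):
    """Heuristic: the first operand is the destination except for compares, stores,
    pushes and branches; '!' and post-indexed addressing also write the base."""
    mn = insn.mnem.split(".")[0]                         # drop .W/.N width suffix
    regs = set()
    if insn.raw_ops and not (ANY_BRANCH.match(mn) or mn.startswith(NO_DEST)):
        regs.add(insn.raw_ops.split(",", 1)[0].strip())
    ref = mem_ref(insn)
    if ref and ("]!" in insn.raw_ops or re.search(r"\]\s*,\s*#", insn.raw_ops)):
        regs.add(ref[0])
    return regs

def find_polling_loops(insns, labels, max_body=8):
    """Short backward loops that load from [Rn,#off] without writing Rn and without
    storing to that location: the exit depends on an external change of the value."""
    findings = []
    for bi, br in enumerate(insns):
        if not LOOP_BRANCH.match(br.mnem.split(".")[0]):
            continue
        target = labels.get(br.raw_ops.rsplit(",", 1)[-1].strip())
        if target is None or target > bi or bi - target + 1 > max_body:
            continue                                     # forward/unknown target or long loop
        body = insns[target:bi + 1]
        written = set().union(*(written_regs(i) for i in body))
        for ld in body:
            ref = mem_ref(ld)
            if not ld.mnem.startswith("LDR") or ref is None or ref[0] in written:
                continue
            if any(s.mnem.startswith("STR") and mem_ref(s) == ref for s in body):
                continue                                 # the loop updates the location itself
            findings.append({"loop": br.raw_ops.rsplit(",", 1)[-1].strip(),
                             "branch": f"{br.addr:08X}", "load": f"{ld.addr:08X}",
                             "base": ref[0], "offset": ref[1], "body_len": len(body)})
    return findings

def scan_text(text):
    return find_polling_loops(*parse_listing(text))

if __name__ == "__main__":
    for f in scan_text(SAMPLE_LISTING):
        print(f"{f['loop']}: {f['body_len']}-insn loop polls [{f['base']},#{f['offset']}] "
              f"at {f['load']} (branch at {f['branch']})")
```

On the sample it reports the three loops from the thread (base registers R4, R0 and R2) and stays silent on the constructed 40015000 loop, because ADDS R0, #1 rewrites the base every iteration; a full listing would be fed in with `scan_text(open("rom3.txt").read())`. Each hit still needs the manual look the post asks for: whether the base register points at a peripheral block (as the MMC comment says), at RAM shared with another core, or at a variable an IRQ handler writes.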
Impossible to dump - fully hardware-implemented in the Cortex-A8 core; used by some handlers in BootROM/mbmloader for SVC/SMC calling, and by some wrappers for secure coprocessor operations.