Has anyone made a dump from the flash chip using some external device? That is, not reading stuff through esptool, but directly accessing the flash chip out of that circuit?
I'm asking because so far I have only read memory through the esptool, and found some interesting things. For one, the memory locations given in the linker script for the app don't really match what is read back through esptool. While the one at 0x40100000 gives data, the one at 0x40200000 is empty (but maybe there isn't anything to begin with, i.e. the AT app doesn't use that).
Also, reading at 0x40000000 returns what seems to be the functions whose addresses are provided in the rom.ld file. Now I'm wondering if those are really internal to the ESP, or if that stuff is also in the flash. For example, there are ets_* functions in the precompiled libs from the SDK, but also ets_* function names given in the linker script. Thus I'm now wondering how the flash is mapped physically into the ESP's memory space, i.e. what address ranges in the physical flash correspond to what in the ESP.
So far there seem to be three "layers": One is the core stack for WiFi etc. in the ESP itself, then the stuff provided by the rom linker script to which there are no binary lib files nor sources present, and then the user code, for which we have a mix of sources and precompiled libraries. Fun stuff is that some of the names given in the linker script are what the compiler would autogenerate for some stuff, i.e. all the names beginning with a double-underscore, like __adddf3. Which makes me think that it would be strange to have them in a masked ROM in the chip itself. Is that really an OTP area on the chip? I mean, why add some OTP flash and then also use an external flash? Wouldn't it make more sense to pack it all in the external chip?