i already checked, the difference of my dump and the other dump is only in unique data not checksumed at 4000-7FFF
the code analize the uploaded firmare in 7 passes, which denotes 7 firmware zones:
1st pass: base 0 len 4000 (0-3FFF) main firmware (checksumed)
2ns pass: base 10000 len D0000 (10000-DFFFF) main firmware (checksumed)
3rd pass: base 6000 len 2000 (6000-7FFF) unique data, S/N and few other bytes, maybe region (not checksumed)
4th pass: base 8000 len 4000 (8000-BFFF) don't know what's inside, does not seems code (checksumed)
5th pass: base F0000 len 10000 (F0000-FFFFF) bootloader (checksumed)
6th pass: base E0000 len 10000 (E0000-EFFFF) just a few bytes then 00, same data in other MC08 dump, empty in TS06 fw upgrade (checksumed, but 00 on 8th byte)
7th pass: base 4000 len 2000 (4000-5FFF) unique data, probably AACS related (not checksumed)
difference is only in part 3 and 7 (not checksumed), which are filled with FF in the buffalo TS06 fw upgrade. Filling FF on my dump and flashing back to drive, the drive still works, so, as the code analisys seems to confirm, that zones are skipped, and it sounds logical, even in many other drives you can't reflash the area that stores region code and serial number.
what i'm not sure is part 6: it's the same for both flash dumps, but it's filled with FF on buffalo TS06 upgrade, so it seems not firmare code but data common to all SD-S802A. Filled with FF on my dump and flashed back, the drive works again.
Anyway the code explain himself, it skips from checking part 3, 6 and 7, but what i'm not sure, is if a skipped area will be flashed or not, i suppose not, but i must be sure of this.
Code:
ROM:002FE364 ldi:8 #6, r0
ROM:002FE366 mul r0, r9 ; r9 = pass number, from 0 to 6
ROM:002FE368 ldi:32 #0x2FDC18, r13
ROM:002FE36E mov mdl, r10
ROM:002FE370 lduh @(r13, r10), r6 ;can be F010, F011, 0080, A090, 70A0, 00D0, 00D1
.........
.........
ROM:002FE3A2 loc_2FE3A2: ; CODE XREF: bootmode_unknown_3B_not04_writebuffer+DCj
ROM:002FE3A2 ldi:20 #0x2000, r0
ROM:002FE3A6 and r0, r6 ; r6 was F010, F011, 0080, A090, 70A0, 00D0, 00D1
ROM:002FE3A6 ; so 2000, 2000, 0000, 2000, 2000, 0000, 0000
ROM:002FE3A8 beq loc_2FE46E ; branch for part 3, 6, 7 (not firmare code)
.........
.........
ROM:002FE46E loc_2FE46E: ; CODE XREF: bootmode_unknown_3B_not04_writebuffer+ECj
ROM:002FE46E ; bootmode_unknown_3B_not04_writebuffer+194j
ROM:002FE46E ; bootmode_unknown_3B_not04_writebuffer+1A4j
ROM:002FE46E ldi:32 #0x2FDC18, r13
ROM:002FE474 lduh @(r13, r10), r4 ; F010, F011, 0080, A090, 70A0, 00D0, 00D1
ROM:002FE476 ldi:20 #0x4000, r0
ROM:002FE47A and r4, r0 ; 4000, 4000, 0000, 0000, 4000, 0000, 0000
ROM:002FE47C beq next_pass_or_goon_if_was_last ; don't branch for pass 1, 2, 5 mainfw and bootloader