ELF, How are addresses mapped using the program headers?

I work on ELF files for embedded systems and try to interpret them with own tools.

In some of the files I work with, there is a behaviour that I don't understand:

Please find the output of readelf -l -S further below to have an overview of the sections and program headers used in the ELF file.

The example below is for a device that has internal flash memory from 0x00000000 to 0x3FFFFFFF and it has RAM starting from 0x40000000 onwards. "readelf -l -S" tells me that .data starts at 0x58F4. This is also what my own ELF reader tells me.

But the variables in .data are placed at 0x40000000 and following, as it should be. Also, the program works as expected. And the linker has created a map file and a part in there reads like this:

.data                   000058f4    00000034
        .data           40000000    00000014 out/obj/test.o
             some_var   40000000    00000001

To my understanding there must be some extra information that I don't understand and that tells the tools (debugger, converter from ELF to HEX) that .data is at 0x40000000. So somehow there must be the information available that .data is at 0x40000000.

I think this information must be in the program headers somehow.

There is a program header of type LOAD at virtual address 0x58F4, but it maps to physical address 0x00000000. If it would map to 0x40000000 then I would understand this, but it is unclear to me how debuggers and other tools get to know that.

Can somebody tell me how I need to interpret the program headers and how in this case there is a mapping from 0x58f4 (.data) to 0x40000000 ?

In general I'd like to find the correct addresses of the sections, not just for this example.

Thanks for any hints, Torsten

Here is the output of "readelf -l -S": There are 21 section headers, starting at offset 0xaf9c:

Section Headers:
  [Nr] Name              Type            Addr     Off    Size   ES Flg Lk Inf Al
  [ 0]                   NULL            00000000 000000 000000 00      0   0  0
  [ 1] .rchw             PROGBITS        00000000 000140 000008 00  AX  0   0  1
  [ 2] .intvector        PROGBITS        00000010 000148 000fe2 00  AX  0   0 16
  [ 3] .cpuvector        PROGBITS        00001000 00112a 000132 00  AX  0   0 16
  [ 4] .text_vle         PROGBITS        00002000 00125c 000cf0 00  AX  0   0 16
  [ 5] .flstst           PROGBITS        00002cf0 001f4c 000000 00  AX  0   0  1
  [ 6] .text_vle         PROGBITS        00002cf4 001f4c 002bf8 00  AX  0   0  4
  [ 7] .sdata2           PROGBITS        000058ec 004b44 000004 00  AX  0   0  4
  [ 8] .text             PROGBITS        000058f0 004b48 000000 00  AX  0   0  1
  [ 9] .data             PROGBITS        000058f4 004b48 000034 00  WA  0   0  4
  [10] .sdata            PROGBITS        00005928 004b7c 000000 00  WA  0   0  1
  [11] .sbss             NOBITS          40000038 004b7c 000000 00  WA  0   0  1
  [12] .bss              NOBITS          40000038 004b7c 0000c2 00  WA  0   0  4
  [13] .PPC.EMB.apuinfo  NOTE            00000000 004b7c 000018 00      0   0  1
  [14] .debug_line       PROGBITS        00000000 004b94 000b0b 00      0   0  1
  [15] .debug_abbrev     PROGBITS        00000000 00569f 0004ec 00      0   0  1
  [16] .debug_info       PROGBITS        00000000 005b8b 00262c 00      0   0  1
  [17] .debug_frame      PROGBITS        00000000 0081b7 000390 00      0   0  1
  [18] .symtab           SYMTAB          00000000 008548 001370 10     19 165  4
  [19] .strtab           STRTAB          00000000 0098b8 001624 00      0   0  1
  [20] .shstrtab         STRTAB          00000000 00aedc 0000c0 00      0   0  1
Key to Flags:
  W (write), A (alloc), X (execute), M (merge), S (strings)
  I (info), L (link order), G (group), x (unknown)
  O (extra OS processing required) o (OS specific), p (processor specific)

Elf file type is EXEC (Executable file)
Entry point 0x0
There are 8 program headers, starting at offset 52

Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
  LOAD           0x000140 0x00000000 0x00000000 0x00008 0x00008 R E 0x1
  LOAD           0x000148 0x00000010 0x00000000 0x00fe2 0x00fe2 R E 0x1
  LOAD           0x00112a 0x00001000 0x00000000 0x00132 0x00132 R E 0x1
  LOAD           0x00125c 0x00002000 0x00000000 0x00cf0 0x00cf0 R E 0x1
  LOAD           0x001f4c 0x00002cf4 0x00000000 0x02bfc 0x02bfc R E 0x1
  LOAD           0x004b48 0x000058f4 0x00000000 0x00034 0x00034 RW  0x1
  LOAD           0x004b48 0x40000000 0x00000000 0x00000 0x00034 RW  0x1
  LOAD           0x004b7c 0x40000038 0x00000000 0x00000 0x000c2 RW  0x1

 Section to Segment mapping:
  Segment Sections...
   00     .rchw 
   01     .intvector 
   02     .cpuvector 
   03     .text_vle 
   04     .text_vle .sdata2 
   05     .data 
   06     
   07     .bss