[E3-hacking] PBL & running arbitrary code

Matt Evans e3-hacking@earth.li
Fri, 11 Mar 2005 11:02:20 +0000


David, Ralph,


>> Where is the E2 GBP 20 now?  I think the E3's down to GBP 70 at
>> Carphone Warehouse.  The E2's still worth playing with though,
>> especially if you want to end up with more than one device.
>
> Froogle reckons the cheapest is 27.99 from Ligo Electronics, but I've
> seen them in my local ASDA and I'll need to compare the price. Now the
> E3's out, they may be shifting the E2s cheap.

Got a display model from Dixons - but I heard they'd reduced the price 
from 30 to 20 the next week anyway...

>> Request 05 checks the destination addresses.  All the bytes
>> overwritten must be in the range 0x40000..0x7fffff inclusive,
>> 7936KiB.  I think the stack descends from 0x1ba00.
>
> Meh. Not very useful. I take it the boot flash chip is mapped at 0 on
> reset? Looking at the processor's datasheet, that would seem to be
> logical.

Arse.  (re addr limits).  Boot flash is indeed mapped at 0.

>> Although with JTAG it should be possible to put a little EXP-port
>> downloader into RAM, run it, that pulls down a bootloader which in
>> turn is happy to run the code in Smart Media card inserted in the
>> side of the E2 which would avoid having to flash during development.
>
> Unfortunately the E2 doesn't have a SMC card reader (as far as I know);
> it has a Smart Card reader, but you don't get a lot of data onto one of
> those. This limits your options; nice though it may be, I don't think
> you're going to get a USB Mass Storage driver onto that boot ROM.

!  Smart media holds /enough/ - Well, enough to hold a kernel that will 
then drive USB storage devices ;-)

> Failing all else, you could download over the serial port.

IME downloading via serial is, during development, probably most 
convenient.  If PBL isn't going to let us blat its stack, maybe it's 
time to look for subtler buffer overflows ;-)  *still really keen to 
keep PBL rather than reinvent it, if at all possible*

> Do you have a dump of the E2's PBL I could look at, by any chance?

I do, but Amstrad lawyers would come and kill me if I did, I think :(  
Don't suppose you have the means to make a JTAG cable...?


-Matt
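As an added illustration following this message (it is not code from the thread, from PBL, or from Amstrad): the destination-range check Matt describes for request 05, modelled in C for an assumed 32-bit address space. The window 0x40000..0x7fffff inclusive and the 7936 KiB figure come from the quoted text; the "naive" variant is a generic loader pitfall shown for contrast only and is not a claim about how PBL actually implements the check. The point it makes is why "all the bytes overwritten" must be checked rather than just the start address: a length large enough to wrap the computed end address slips past a check done with wrapping arithmetic, while a check against the room remaining after the start address cannot be wrapped.

```c
/* Added example, not PBL's code: a model of a loader's "write to RAM"
 * destination check, assuming a flat 32-bit address space. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Window quoted in the thread: 0x40000..0x7fffff inclusive. */
#define DL_LO 0x40000u
#define DL_HI 0x7fffffu

/* Hypothetical naive check (a generic pitfall, not a claim about PBL):
 * the end address is computed with wrapping 32-bit arithmetic, so a
 * huge length can wrap the end back inside the window. */
bool dest_ok_naive(uint32_t dst, uint32_t len)
{
    uint32_t end = dst + len - 1u;      /* wraps for very large len */
    return dst >= DL_LO && end <= DL_HI;
}

/* Correct check: every byte dst..dst+len-1 must lie inside the window.
 * Comparing len against the room left after dst needs no addition that
 * could overflow. */
bool dest_ok(uint32_t dst, uint32_t len)
{
    if (len == 0)
        return false;                   /* nothing to write; treat as malformed */
    if (dst < DL_LO || dst > DL_HI)
        return false;                   /* first byte outside the window */
    return len <= DL_HI - dst + 1u;     /* fits in the bytes remaining after dst */
}

/* Size of the window in KiB, confirming the figure quoted in the thread. */
uint32_t window_kib(void)
{
    return (DL_HI - DL_LO + 1u) / 1024u;   /* 0x7c0000 / 1024 */
}

int main(void)
{
    /* Constructed sample requests (dst, len); these are not real PBL traffic. */
    struct { uint32_t dst, len; } req[] = {
        { 0x40000u,  16u },           /* at the bottom of the window */
        { 0x7ffff0u, 16u },           /* ends exactly at 0x7fffff */
        { 0x7ffff0u, 17u },           /* one byte past the window */
        { 0x1b000u,  0x100u },        /* below the window, near the stack area */
        { 0x40000u,  0xffffffffu },   /* length wraps: naive check passes it */
    };
    for (size_t i = 0; i < sizeof req / sizeof req[0]; i++)
        printf("dst=%#08x len=%#010x naive=%d correct=%d\n",
               req[i].dst, req[i].len,
               dest_ok_naive(req[i].dst, req[i].len),
               dest_ok(req[i].dst, req[i].len));
    printf("window = %u KiB\n", window_kib());
    return 0;
}
```

The same shape of check (reject on start outside the window, then compare the length against the remaining room) is what any loader that accepts a destination and a length from the wire should do; rejecting a zero length is a choice made here for clarity, not something the thread states about PBL.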