[E3-hacking] Re: The boot process, revealed!
David Given
e3-hacking@earth.li
Sat, 19 Mar 2005 13:34:21 +0000
On Sat, 2005-03-19 at 09:42 +0000, Otaku wrote:
[...]
> Aye - that pretty much matches whats on the E3.. only the header runs
> from 0x3B513B51 to 0xB513B513. The rest is image specific. fyi : in the
> E3 theres over a hundred of these sections - bits containing wavs,
> images, etc...
What, someone already worked it out? Gah!
BOT obviously means it's a boot block, then.
[...]
> Theres also a simple image crc system there too - you crc the file and
> if the result is 0 then its a good image - theres a fix-up byte that
> must be introduced to make sure of the zero result..
The E2 only checks this if it's a compressed block, luckily for us. (Not
that it would be hard to calculate, but it's fiddly.) For what we want
to do, uncompressed is better; we just need to be able to run
*something*, we can take it from there ourselves.
[...]
> Does it do similar keypress checks to the E3 on boot ?
> I've a list of about 8 "special function" keys - Only 2 of which I can
> activate, so I'm assuming the others require some sort of special
> circumstance to be available - I'm still working through the disassembly
> on this..
I don't know; I didn't look. I found the boot code by searching through
the diassembly for the ARM's distinctive indirect subroutine call
instructions. (There are only two.)
The next stage is to figure out how to reflash the firmware, so I can
upload a custom image. Request 14 seems to have something to do with it;
it takes a pseudo-address into the flash section and a block of data,
and when I do this everything seems to work, but the flash doesn't
actually change. Possibly I need to erase a page first, but I'd expect
to at least corrupt the flash if I didn't.
However, accessing the NAND control registers is also pretty distinctive
so I should be able to track down the erasure code reasonably easily.
Oh, yeah, I pblq will now write data into the E2's SDRAM. Speed: 11000
Bps, which is a slight improvement to the download speed...
--
+- David Given --McQ-+ "Safe upon the solid rock
| dg@cowlark.com | The ugly houses stand.
| (dg@tao-group.com) | Come and see my shining palace
+- www.cowlark.com --+ Built upon the sand." --- Edna St.Vincent Millay