[E3-hacking] Knowledge of bootloader

Tue Jan 24 22:16:22 GMT 2006

Mark Underwood wrote:
> --- David Given <dg at cowlark.com> wrote:
> 
>> On Thursday 19 January 2006 19:01, Mark Underwood wrote:
>> [...]
>>> Could someone let me know if there are any docs describing how I can use
>>> the boot-loader to upload my own kernel into RAM and ideally also re-flash
>>> it?
>> Yes, this has been fairly well reverse engineered. I wrote a tool called pblq 
>> that would do this sort of thing; see http://www.cowlark.com/amstrad.html. 
>> Someone else on the list has a very similar tool called pbltool which is 
>> apparently more complete --- sorry, I've forgotten who and where!
>>
>> Is there a decent set of resources for this kind of software, yet? The one 
>> page I know about (Ralph's page on inputplus) has lots of information on the 
>> hardware, but not much about software.
>>
> 
> Right, I now have my E3 talking to my PC :-) (hence the new boot logs) and have tried to run both
> pbltool and pblq.
> 
> When I run pbltool it doesn't seem to pickup the right character at the beginning and just prints
> lots of "Flushing: 0x**" messages while the E3 boots up and then "Prodding..."
> 
> With pblq it seems to get further. If I run "pblq -p /dev/ttyS0 -v ping" I get the following
> response:
> 
> (voice and e-mail LEDS flashing)
> Waiting for device to reset...
> Handshaking...
> Switching to 115200 baud...
> (voice and e-mail LEDS stop flashing)
> (10 sec pause)
> (voice and e-mail LEDS start flashing again)
> pblq: Protocol error: incorrect packet prefix (got C9, should be 02)
> (Continues to boot)
> 
> If I set the fast baud rate to 9600 then it doesn't print the "Switching to 115200 baud..."
> message. If my understanding is correct then this means the program has stopped the E3 from going
> into it's normal boot mode and the PBL software should now be in a state to receive commands, but
> it seems that any command that is sent to it is ignored (well at least PACKET_SETBAUD and
> PACKET_GETVERSION). It couldn't be that my slow P120 Laptop is being outrun by a E3 could it (if
> the response got sent from the E3 before the UART was read from would the buffer be flushed when
> the read() call was made? I don't think this is the case)?!
> 
> Any idea's, please :-)
> 
> Mark
> 
> 
>> -- 
>> +- David Given --McQ-+ 
>> |  dg at cowlark.com    | C:\DOS, C:\DOS\RUN, RUN\DOS\RUN
>> | (dg at tao-group.com) | 
>> +- www.cowlark.com --+ 
>>

Hi,

I find that the E3 boots a bit too quick for me to run pbltool and
connect the power.

What I do is run pbltool and then connect the power. This gives an error
message unexpected packet 0x02 or something like that, and then I get
what you are getting 0x?? (which is the text of the booting kernel
image). At the point pbltool goes into prodding/probing mode I power
cycle the phone and it then normally goes into PBL mode. Give the phone
enough time to power down before you reconnect the power though.

I put it down to noise on the serial line, maybe its because I'm not
using the line converter, who knows.

You'll know when its in PBL mode, the phone appears completely dead (the
LEDS are just visible as they flash about every five seconds).

Mark.