Hi Matt,
It sounds like your aims are the same as mine - and those of Ralph to whom I have been talking this week about booting stuff on the E2. I have an E2 at the moment because it was 20 quid instead of 100 ;-)
Where is the E2 GBP 20 now? I think the E3's down to GBP 70 at Carphone Warehouse. The E2's still worth playing with though, especially if you want to end up with more than one device.
I connected the USB-serial (which didn't have line drivers to RS232 levels) to the EXP port and by sending ESC characters I was able to interrupt the E2 from its normal boot routine.
That's good. (I'd explained to Matt that this was what had been achieved with the E3; the suspension of its booting while its EXP port was being tickled.) Matt, did you achieve this with that exp program out of interest?
I didn't see the expected reply but I'm having all sorts of minicom/serial weirdness on OS X so I'm still hopeful.
The E2's at 9600 baud. Have you a scope that could monitor the E2's TXD? Lastly, was this using the same wiring as on the site for the E3's EXP port, i.e. TXD on the E2 is tip?

PC      pin 2, RXD o----------o TXD o-----v   | |   Emailer
9-pin   pin 3, TXD o----------o RXD o-------^ | |   3.5mm stereo
D-type  pin 5, GND o----------o GND o---------|__|  jack plug
David Given wrote:
Does anyone know if it's possible to use PBL to download and run arbitrary code on the device?
Directive 05 would seem to allow data to be written to memory, but there doesn't seem to be any way of getting it to be executed. Does anyone know of such a thing? Would 05 allow you to overwrite PBL's stack (the dodgy way of doing this?)
Yes :-) It appears that all should be possible though I don't think it's been done yet - Ralph will know in more detail but it should be poss. to do exactly that since the stack pointer will be in a relatively predictable place.
Request 05 checks the destination addresses. All the bytes overwritten must be in the range 0x40000..0x7fffff inclusive, 7936KiB. I think the stack descends from 0x1ba00.
What about well-known PBL variables?
Yes, there's quite a few of them now so something similar may be possible with investigation.
And what does 07 do?
Hmm. Not sure yet. A very quick look suggests it dabbles with the NOR boot flash.
(I suppose the easiest way of running your own code is to write it into the flash and then do a normal boot, but I'd rather not brick it immediately. Heaven forbid, the standard software might turn out to be useful.)
Yes this sounds sensible - if there's an Easy Enough way to get bootstrap code in there via serial/EXP then we don't need any horrible JTAG stuff. Ideally something like loading our own loader through PBL - our loader takes over and then we can download a DRAM image, or get it to reflash the NAND in such a way that PBL will later load our own code.
The 64KiB NOR flash containing PBL is almost half empty IIRC.
Although with JTAG it should be possible to put a little EXP-port downloader into RAM, run it, that pulls down a bootloader which in turn is happy to run the code in a Smart Media card inserted in the side of the E2, which would avoid having to flash during development.
Cheers,
Ralph.