Message: 2
From: Matt Evans matt@axio.ms
Subject: Re: [E3-hacking] W00t; it runs.
Date: Sat, 23 Apr 2005 13:24:49 +0100
To: e3-hacking@earth.li
Reply-To: e3-hacking@earth.li
Dear Jonathan,
Well done for your code download via the modem! Sounds interesting. Have you documented your procedure anywhere? Protocol/format of the data is *probably* pretty similar to that over EXP, maybe? :) I don't have the means here to talk modem-modem to the device.
I was interested to read in your GPL-vio email that the PBL/kernel images were obtained by de-soldering the flash chips on an E3. I'm keen to have a look at the E3's version of PBL (and thanks for sharing the symbols you'd deduced so far), but I'd prefer a non-invasive way of getting it out. (So, JTAG or some EXP hacks - chicken and egg scenario w.r.t. reverse-engineering PBL's (v4) protocol though ;) What is the state of the E3 whose flash chips were removed? Were they read and then soldered back in place, or was it a sacrificial broken
The flashes were desoldered, then the tsop48 was dumped.. I couldn't get my hands on an adapter for the vsop :( They were both resoldered (I changed the boot param block on the flash and fixed the crc) and I was rewarded with a working console. From this I was able to tar the filesystem (just to make sure - I'd already reconstructed it from the flash dump), and dump the pbl.. (Thanks to Noodles for pointing out the mmap necessity :D ).
I sacrificed a different one so I could trace the jtag traces though.. :) They do go somewhere: there's a resistor block that needs fitted on the top of the board, iirc.. I've just acquired a TI debug pod for the omap, so I'll doubtless be continuing along this route, once I've completed disassembly of the pbl.
Cheers
Jake
(before/after) E3? IFF it was the latter I wonder if it might be possible to remove the OMAP5910 and beep out the JTAG pins to see if they go anywhere and if so, where?
Best regards,
Matt