Dear Jonathan,
Well done for your code download via the modem! Sounds interesting. Have you documented your procedure anywhere? Protocol/format of the data is probably* pretty similar to that over EXP, maybe? :) I don't have the means here to talk modem-modem to the device.
I was interested to read in your GPL-vio email that the PBL/kernel images were obtained by de-soldering the flash chips on an E3. I'm keen to have a look at the E3's version of PBL (and thanks for sharing the symbols you'd deduced so far), but I'd prefer a non-invasive way of getting it out. (So, JTAG or some EXP hacks - chicken and egg scenario w.r.t. reverse-engineering PBL's (v4) protocol though ;) What is the state of the E3 whose flash chips were removed? Were they read and then soldered back in place, or was it a sacrificial broken (before/after) E3? IFF it was the latter I wonder if it might be possible to remove the OMAP5910 and beep out the JTAG pins to see if they go anywhere and if so, where?
Best regards,
Matt