Yay! Well done David.
The disassembly you posted is interesting - what address did you grab that from? It looks like the running exception vectors from DRAM - that's not what they are in the PBL ROM, it copies itself into DRAM then repatches various things like IRQ vec to to to real routines.
When PBL is running it remaps DRAM to 0 and the boot flash to 80000000:
I haven't got my mental image of the Sharp segmented memory scheme in clarity yet but it seems to set up segments such that: s0 00000000+64K readonly s1 00000000+8MB rw SDRAM s4 40000000+8MB rw SDRAM s5 80000000+64K rw Flash s6 a0000000+32K rw Ext bus s7 ffff0000+64K rw Int periphs
Hm, that's not good; I didn't think of that- if they're checked in order it looks like it's write-protected the first 64K. Ralph, what's your take on the memory map? (I'm hoping that's wrong, or overridden in another order such that addr 0 is writable...)
So maybe try dumping from address 0x80000000 if possible?
I'd be interested in trying your pblq prog. Hmmm... any CVS available to us? ;) Seems like we're all hacking on different things; I'd quite like a cmdline util to provide a crap shell to send commands (whilst sending nop packets while I think so it doesn't time out) - extensible to do higher-level things like "dump RAM to/from file".. Sounds like pblq does stuff aiming along those lines eh? Do post it, would be good.
Cheers,
Matt