Message: 2
From: Matt Evans matt@axio.ms
Subject: Re: [E3-hacking] W00t; it runs.
Date: Sat, 23 Apr 2005 13:24:49 +0100
To: e3-hacking@earth.li
Reply-To: e3-hacking@earth.li
Dear Jonathan,
Well done for your code download via the modem! Sounds interesting. Have you documented your procedure anywhere? Protocol/format of the data is *probably* pretty similar to that over EXP, maybe? :) I don't have the means here to talk modem-modem to the device.
I was interested to read in your GPL-vio email that the PBL/kernel images were obtained by de-soldering the flash chips on an E3. I'm keen to have a look at the E3's version of PBL (and thanks for sharing the symbols you'd deduced so far), but I'd prefer a non-invasive way of getting it out. (So, JTAG or some EXP hacks - chicken and egg scenario w.r.t. reverse-engineering PBL's (v4) protocol though ;) What is the state of the E3 whose flash chips were removed? Were they read and then soldered back in place, or was it a sacrificial broken (before/after) E3? IFF it was the latter I wonder if it might be possible to remove the OMAP5910 and beep out the JTAG pins to see if they go anywhere and if so, where?
Best regards,
Matt
The flashes were desoldered, then the tsop48 was dumped.. I couldn't get my hands on an adapter for the vsop :( They were both resoldered ( I changed the boot param block on the flash and fixed the crc ) and was rewarded with a working console. From this I was able to tar the filesystem (just to make sure - I'd already reconstructed it from the flash dump), and dump the pbl.. ( Thanks to Noodles for pointing out the mmap necessity :D ).
I sacrificed a different one so I could trace the jtag traces though.. :) They do go somewhere : there's a resistor block that needs fitted on the top of the board, iirc.. I've just acquired a TI debug pod for the omap, so I'll doubtless be continuing along this route, once I've completed disassembly of the pbl.
Cheers
Jake
Dear Jake,
On 24 Apr 2005, at 11:56, Otaku wrote:
> The flashes were desoldered, then the tsop48 was dumped.. I couldn't get my hands on an adapter for the vsop :( They were both resoldered ( I changed the boot param block on the flash and fixed the crc ) and was rewarded with a working console. From this I was able to tar the filesystem (just to make sure - I'd already reconstructed it from the flash dump), and dump the pbl.. ( Thanks to Noodles for pointing out the mmap necessity :D ).
> I sacrificed a different one so I could trace the jtag traces though.. :) They do go somewhere : there's a resistor block that needs fitted on the top of the board, iirc.. I've just acquired a TI debug pod for the omap, so I'll doubtless be continuing along this route, once I've completed disassembly of the pbl.
Good news! Fancy sharing which pads the JTAG lines run to? ;-) I've only the one E3 and don't fancy popping it into the oven & buying a new one :-D
[I'm also interested in the pads silkscreened 'CFG0' and 'CFG1'; look like pullup/downs on them. I'm wondering if they do something interesting with PBL since they're made specifically 'configurable' (for instance in-house dev mode on a production board).]
Cheers,
Matt