I recently found the Emailer Recycling page, and read the documentation there; it all looks highly intriguing, and I'm thinking of getting an E2 or E3, mainly as a toy. Amstrad have always been good at making hackable hardware --- I own a NC200, possibly the nicest Z80 laptop ever made, and have successfully run my own code on it. Still haven't managed to finish that CP/M port, though... Does anyone know if it's possible to use PBL to download and run arbitrary code on the device? Directive 05 would seem to allow data to be written to memory, but there doesn't seem to be any way of getting it to be executed. Does anyone know of such a thing? Would 05 allow you to overwrite PBL's stack (the dodgy way of doing this?) What about well-known PBL variables? And what does 07 do? (I suppose the easiest way of running your own code is to write it into the flash and then do a normal boot, but I'd rather not brick it immediately. Heaven forbid, the standard software might turn out to be useful.) -- David Given <dg@cowlark.com>
Hi David (Given), I'm new to the list too (this week) so should also say a hello. It sounds like your aims are the same as mine - and those of Ralph to whom I have been talking this week about booting stuff on the E2. I have an E2 at the moment because it was 20 quid instead of 100 ;-) So Ralph (and myself independently) has found that PBL sits waiting for a character 27 for 'a little bit' when it boots, then sends back a header (6, 6, 6, 6, 6, 6 ..) to say hello; and /then/ drops into the FSM for the EXP protocol Ralph has decyphered (!). Last night I bodged an old USB mobile phone serial cable onto my EXP port - I'm pretty sure the E3 and the E2 differ with regard to the voltages on the EXP port. That is, that webpage suggests that E3 is at RS232 levels and doesn't need any line drivers. The E2 appears to be at TTL levels (0V and 5V) and as such won't work when connected straight to an RS232 port. (I tried this too ;) I connected the USB-serial (which didn't have linedrivers to RS232 levels) to the EXP port and by sending ESC characters I was able to interrupt the E2 from its normal boot routine. I didn't see the expected reply but I'm having all sorts of minicom/serial weirdness on OS X so I'm still hopeful.
Does anyone know if it's possible to use PBL to download and run arbitrary code on the device?
Directive 05 would seem to allow data to be written to memory, but there doesn't seem to be any way of getting it to be executed. Does anyone know of such a thing? Would 05 allow you to overwrite PBL's stack (the dodgy way of doing this?)
Yes :-) It appears that all should be possible though I don't think it's been done yet - Ralph will know in more detail but it should be poss. to do exactly that since the stack pointer will be in a relatively predictable place.
(I suppose the easiest way of running your own code is to write it into the flash and then do a normal boot, but I'd rather not brick it immediately. Heaven forbid, the standard software might turn out to be useful.)
Yes this sounds sensible - if there's an Easy Enough way to get bootstrap code in there via serial/EXP then we don't need any horrible JTAG stuff. Ideally something like loading our own loader through PBL - our loader takes over and then we can download a DRAM image, or get it to reflash the NAND in such a way that PBL will later load our own code. -Matt
On Thu, 2005-03-10 at 14:31 +0000, Matt Evans wrote: [...]
Last night I bodged an old USB mobile phone serial cable onto my EXP port - I'm pretty sure the E3 and the E2 differ with regard to the voltages on the EXP port. That is, that webpage suggests that E3 is at RS232 levels and doesn't need any line drivers. The E2 appears to be at TTL levels (0V and 5V) and as such won't work when connected straight to an RS232 port.
Ung. Less good. The core itself is powered at 3.3V, so if you're getting 5V, then it sounds like the device does have a line converter of its own... what does the device run off? Could this be tweakable? [...]
Yes this sounds sensible - if there's an Easy Enough way to get bootstrap code in there via serial/EXP then we don't need any horrible JTAG stuff. Ideally something like loading our own loader through PBL - our loader takes over and then we can download a DRAM image, or get it to reflash the NAND in such a way that PBL will later load our own code.
Another, slightly scary, alternative is to replace the PBL with our own bootloader --- does the PBL copy itself to RAM before executing? If so this reprogramming could be done through the PBL itself. If not, it would have to be a JTAG thing. However, I think I'll let someone else try this first... Does anyone have a dump of the PBL? -- David Given <dg@cowlark.com>
Hi Matt,
It sounds like your aims are the same as mine - and those of Ralph to whom I have been talking this week about booting stuff on the E2. I have an E2 at the moment because it was 20 quid instead of 100 ;-)
Where is the E2 GBP 20 now? I think the E3's down to GBP 70 at Carphone Warehouse. The E2's still worth playing with though, especially if you want to end up with more than one device.
I connected the USB-serial (which didn't have linedrivers to RS232 levels) to the EXP port and by sending ESC characters I was able to interrupt the E2 from its normal boot routine.
That's good. (I'd explained to Matt that this was what had been achieved with the E3; the suspension of its booting while its EXP port was being tickled.) Matt, did you achieve this with that exp program out of interest?
I didn't see the expected reply but I'm having all sorts of minicom/serial weirdness on OS X so I'm still hopeful.
The E2's at 9600 baud. Have you a scope that could monitor the E2's TXD? Lastly, was this using the same wiring as on the site for the E3's EXP port, i.e. TXD on the E2 is tip. PC pin 2, RXD o----------o TXD o-----v | | Emailer 9-pin pin 3, TXD o----------o RXD o-------^ | | 3.5mm stereo D-type pin 5, GND o----------o GND o---------|__| jack plug
David Given wrote:
Does anyone know if it's possible to use PBL to download and run arbitrary code on the device?
Directive 05 would seem to allow data to be written to memory, but there doesn't seem to be any way of getting it to be executed. Does anyone know of such a thing? Would 05 allow you to overwrite PBL's stack (the dodgy way of doing this?)
Yes :-) It appears that all should be possible though I don't think it's been done yet - Ralph will know in more detail but it should be poss. to do exactly that since the stack pointer will be in a relatively predictable place.
Request 05 checks the destination addresses. All the bytes overwritten must be in the range 0x40000..0x7fffff inclusive, 7936KiB. I think the stack descends from 0x1ba00.
What about well-known PBL variables?
Yes, there's quite a few of them now so something similar may be possible with investigation.
And what does 07 do?
Hmm. Not sure yet. A very quick look suggests it dabbles with the NOR boot flash.
(I suppose the easiest way of running your own code is to write it into the flash and then do a normal boot, but I'd rather not brick it immediately. Heaven forbid, the standard software might turn out to be useful.)
Yes this sounds sensible - if there's an Easy Enough way to get bootstrap code in there via serial/EXP then we don't need any horrible JTAG stuff. Ideally something like loading our own loader through PBL - our loader takes over and then we can download a DRAM image, or get it to reflash the NAND in such a way that PBL will later load our own code.
The 64KiB NOR flash containing PBL is almost half empty IIRC. Although with JTAG it should be possible to put a little EXP-port downloader into RAM, run it, that pulls down a bootloader which in turn is happy to run the code in Smart Media card inserted in the side of the E2 which would avoid having to flash during development. Cheers, Ralph.
On Thu, 2005-03-10 at 22:28 +0000, Ralph Corderoy wrote: [...]
Where is the E2 GBP 20 now? I think the E3's down to GBP 70 at Carphone Warehouse. The E2's still worth playing with though, especially if you want to end up with more than one device.
Froogle reckons the cheapest is 27.99 from Ligo Electronics, but I've seen them in my local ASDA and I'll need to compare the price. Now the E3's out, they may be shifting the E2s cheap. (I'm attracted to the E2 because they're reasonably capable devices and they're so cheap that I can justify buying one on a whim. The E3 is a lot nicer, but unfortunately, more expensive than I like to spend on a toy.) [...]
Request 05 checks the destination addresses. All the bytes overwritten must be in the range 0x40000..0x7fffff inclusive, 7936KiB. I think the stack descends from 0x1ba00.
Meh. Not very useful. I take it the boot flash chip is mapped at 0 on reset? Looking at the processor's datasheet, that would seem to be logical. [...]
Although with JTAG it should be possible to put a little EXP-port downloader into RAM, run it, that pulls down a bootloader which in turn is happy to run the code in Smart Media card inserted in the side of the E2 which would avoid having to flash during development.
Unfortunately the E2 doesn't have a SMC card reader (as far as I know); it has a Smart Card reader, but you don't get a lot of data onto one of those. This limits your options; nice though it may be, I don't think you're going to get a USB Mass Storage driver onto that boot ROM. *However*, there are probably other ways to get data onto the thing. The processor core has an SPI interface, and it's trivial to wire up an MMC card to an SPI interface --- here's a circuit: http://www.vegeneering.com/eZ80_CPM/mmc-to-ez80.png I was also under the impression that the emailer had some sort of dock for a handheld addressbook. This must use some simple interface, probably I2C or SPI (or just wired up directly to the GPIO pins). It might be possible to abuse that somehow. Failing all else, you could download over the serial port. Do you have a dump of the E2's PBL I could look at, by any chance? -- +- David Given --McQ-+ "Under communism, man exploits man. Under | dg@cowlark.com | capitalism, it's just the opposite." --- John | (dg@tao-group.com) | Kenneth Galbrith +- www.cowlark.com --+
David, Ralph,
Where is the E2 GBP 20 now? I think the E3's down to GBP 70 at Carphone Warehouse. The E2's still worth playing with though, especially if you want to end up with more than one device.
Froogle reckons the cheapest is 27.99 from Ligo Electronics, but I've seen them in my local ASDA and I'll need to compare the price. Now the E3's out, they may be shifting the E2s cheap.
Got a display model from Dixons - but I heard they'd reduced the price from 30 to 20 the next week anyway...
Request 05 checks the destination addresses. All the bytes overwritten must be in the range 0x40000..0x7fffff inclusive, 7936KiB. I think the stack descends from 0x1ba00.
Meh. Not very useful. I take it the boot flash chip is mapped at 0 on reset? Looking at the processor's datasheet, that would seem to be logical.
Arse. (re addr limits). Boot flash is indeed mapped at 0.
Although with JTAG it should be possible to put a little EXP-port downloader into RAM, run it, that pulls down a bootloader which in turn is happy to run the code in Smart Media card inserted in the side of the E2 which would avoid having to flash during development.
Unfortunately the E2 doesn't have a SMC card reader (as far as I know); it has a Smart Card reader, but you don't get a lot of data onto one of those. This limits your options; nice though it may be, I don't think you're going to get a USB Mass Storage driver onto that boot ROM.
! Smart media holds /enough/ - Well, enough to hold a kernel that will then drive USB storage devices ;-)
Failing all else, you could download over the serial port.
IME downloading via serial is, during development, probably most convenient. If PBL isn't going to let us blat its stack, maybe it's time to look for subtler buffer overflows ;-) *still really keen to keep PBL rather than reinvent it, if at all possible*
Do you have a dump of the E2's PBL I could look at, by any chance?
I do, but Amstrad lawyers would come and kill me if I did, I think :( Don't suppose you have the means to make a JTAG cable...? -Matt
On Fri, 2005-03-11 at 11:02 +0000, Matt Evans wrote: [...]
! Smart media holds /enough/ - Well, enough to hold a kernel that will then drive USB storage devices ;-)
Does the E2 have a Smart *Card* socket or a Smart *Media* socket? I can't seem to find a definitive spec. And does the E2 have a Pocket Docket, or was that only the E1? [...]
I do, but Amstrad lawyers would come and kill me if I did, I think :( Don't suppose you have the means to make a JTAG cable...?
I was hoping to avoid all that messy JTAG stuff, but it's obviously the way to go. The company I work for does embedded operating systems, and *rummage around in drawers* it took me 15 seconds to lay my hands on an Insight IJC2 parallel port JTAG adaptor from some long-defunct piece of hardware, but unfortunately my home computer doesn't have a parallel port. Plus, it would appear that I'd need to solder pins onto the E2's motherboard to make it work. Can anyone reccomend any Linux JTAG software? Are there any standard interfaces? As for the PBL ROM image, I'll drop in to Dixons this evening and get an E2 --- then I'll have a genuine license and you can send it to me quite legally, muhahaha. -- David Given <dg@cowlark.com>
Howdy David, On 11 Mar 2005, at 12:25, David Given wrote:
On Fri, 2005-03-11 at 11:02 +0000, Matt Evans wrote: [...]
! Smart media holds /enough/ - Well, enough to hold a kernel that will then drive USB storage devices ;-)
Does the E2 have a Smart *Card* socket or a Smart *Media* socket? I can't seem to find a definitive spec.
And does the E2 have a Pocket Docket, or was that only the E1?
Yes yes yes - has a smartcard socket, a smartmedia socket (BTW, where the hell can I buy one of these ancient things from these days?) and a pocket docket thingy. (4-pin serial nastiness - probably vcc/gnd and txd rxd - wouldn't be surprised if it was usual UART RS232-style data format (but at 'TTL' levels probably)).
I was hoping to avoid all that messy JTAG stuff, but it's obviously the way to go.
The company I work for does embedded operating systems, and
*rummage around in drawers*
it took me 15 seconds to lay my hands on an Insight IJC2 parallel port JTAG adaptor from some long-defunct piece of hardware, but unfortunately my home computer doesn't have a parallel port. Plus, it would appear that I'd need to solder pins onto the E2's motherboard to make it work.
Yeah :( It's pretty easy though, it's brought out to some pads on the board.
Can anyone reccomend any Linux JTAG software? Are there any standard interfaces?
:( Here's where it got annoying for me. If you have an OCD 'wiggler' parallel port cable, then you're in luck (me neither..) because OCD Commander is available free (Windows + Linux, nicely), plus IMHO the more useful GDB-stub-to-JTAG. (http://www.macraigor.com/ocd_cmd.htm) This will drive ARM's EmbeddedICE via JTAG and looks pretty cool. I couldn't find anything as polished, free, for my JTAG cable under linux. I ended up using libjtag + armtool, which works with a variety of parallel port cables. If you do wire up a cable compatible with Macraigor's cable (the schematic of the wiggler is around on the net in various places), that looks like a good bit of software. I'm using Xilinx's JTAG cable - it'd be easily modified to use the wiggler pinouts, but I don't want to sacrifice it cos I still use it for its original purpose.
As for the PBL ROM image, I'll drop in to Dixons this evening and get an E2 --- then I'll have a genuine license and you can send it to me quite legally, muhahaha.
Ahh right ;) Cheers, Matt
On Fri, 2005-03-11 at 12:59 +0000, Matt Evans wrote: [...]
Yes yes yes - has a smartcard socket, a smartmedia socket (BTW, where the hell can I buy one of these ancient things from these days?) and a pocket docket thingy.
Google shows up a few vendors; it would seem to be 20 UKP for 128MB, which is a complete ripoff, but sufficient for a fixed 'disk' for the emailer. Incidentally, IIRC, SmartMedia is just a raw flash chip exposed to the outside world. Which means no wear levelling, or automatic erasing, or anything, so actually *writing* to the damned things requires a fair bit of work.
(4-pin serial nastiness - probably vcc/gnd and txd rxd - wouldn't be surprised if it was usual UART RS232-style data format (but at 'TTL' levels probably)).
If I were designing this, I'd hook it up to one of the other UARTs. Might be useful as a serial user port. Now, hacking the Dockit --- that's a completely different matter... [...]
I couldn't find anything as polished, free, for my JTAG cable under linux. I ended up using libjtag + armtool, which works with a variety of parallel port cables.
I cannot find any documentation for this thing. Hooking it up to libjtag would probably be dead easy if I know what pin was wired to what --- I'll try taking the lid off and fishing around inside, but it's probably just an anonymous IC. I suppose I'll just try it and see. (I've just found another JTAG adaptor in my Drawers Of Doom --- it's a P&E Revision A ColdFire BDM cable. It's got a 26-pin header, and internally there's a 20-pin socketed IC... I suspect it's even more exotic than the Insight cable. If anyone cares, the IC has $1D1F P&E written on it.) -- David Given <dg@cowlark.com>
On Fri, 2005-03-11 at 13:39 +0000, David Given wrote: [...]
I cannot find any documentation for this thing. Hooking it up to libjtag would probably be dead easy if I know what pin was wired to what --- I'll try taking the lid off and fishing around inside, but it's probably just an anonymous IC.
Having taken the lid off, the board inside has a bunch of resistors and two 74HC125D drivers, which means it's either Wiggler-compatible or else has a slightly different pinout. Getting this to work with libjtag is probably straightforward; I need to trace out the lines and find out what goes where. Will report back if I get a reply. Incidentally, re getting a copy of the PBM firmware; having thought about it, it's probably best if I do it myself. It's not particularly difficult and it's probably best to remain as squeaky-clean as possible. -- David Given <dg@cowlark.com>
So, thanks to a late-night-opening Argos, I now have a fairly shiny E2 sitting on my desk. Damned if I can make it do anything useful. I did have one stroke of luck; while I was rummaging around in my parts boxes looking for a cable to cut up, I came across a cable with a serial plug on one end and a stereo jack on the other --- debris from some long-defunct digital camera. Right pinout, too, AFAICT. But the most I'm seeing from the E2 is the occasional 00 byte. What my program is doing is sending 0x1B bytes at 9600 8N1, ten times a second, and echoing in hex anything that comes back. I run this and power cycle the E2. What I should be seeing, if I'm understanding how things work, is the E2 respond with 0B 0B 0B... and the boot process should halt. I enclose the program, in case anyone can spot any stupid mistakes --- serial port programming in Linux is not my forté. My E2 has V13 software, PBL V3.1 build 1277, and has the cold flesh keyboard. I haven't set it up, it's completely virgin. How long does it wait at boot time to be prodded? The splash screen is appearing pretty much as soon as I switch on. -- +- David Given --McQ-+ | dg@cowlark.com | "The further you are from your server, the more | (dg@tao-group.com) | likely it is to crash." --- Woodhead's law +- www.cowlark.com --+
Hi David,
But the most I'm seeing from the E2 is the occasional 00 byte. What my program is doing is sending 0x1B bytes at 9600 8N1, ten times a second, and echoing in hex anything that comes back. I run this and power cycle the E2. What I should be seeing, if I'm understanding how things work, is the E2 respond with 0B 0B 0B... and the boot process should halt.
That's basically right. It sends 15 ASCII ACKs, 0x06 not 0x0b, on spotting an ESC. 0338 eb001b44 bl rx_uart0_byte 033c e350001b cmp r0, #&1b 0340 1a000003 bne &0354 0344 e3a04000 mov r4, #0 # r4 = 0 0348 e28f0f38 adr r0, ascii_ack_char_x_15 # 0x430, * = 0x6060606 034c eb001b4b bl tx_uart0_string
I enclose the program, in case anyone can spot any stupid mistakes --- serial port programming in Linux is not my forte.
You could use tcgetattr(), followed by bit-twiddling, and then the tcsetattr() rather than pass lots of 0-bits in. Can't see anything other than that. Attached is a small tar file, exp-1.tar.bz2, containing exp.c and various other gubbins. I've heard it has some effect with the E3 doing what you state above.
How long does it wait at boot time to be prodded?
Good question. Cheers, Ralph.
On Fri, 2005-03-11 at 23:00 +0000, Ralph Corderoy wrote: [...]
0338 eb001b44 bl rx_uart0_byte
So what does rx_uart0_byte return if the FIFO is empty? It either blocks, in which case we could find the timeout, or else it just returns failure --- probably 0. In which case, the only way of triggering the boot loader is to make sure that the byte hits the FIFO before this piece of code gets called. Since both our programs are spamming the thing silly with ESC chars, then I suspect there might be some other condition that needs to be met before this code even gets called. It just happens to be true on your E3 and Matt's E2, but not on mine. (I've tried registering, booting the thing with the phone line plugged in, booting the thing with various interesting buttons pressed, booting the thing without the handset, without the keyboard, etc. The only thing I've discovered is that without a dial tone, it'll go into attract mode after a minute or so.) Might there be some sort of hardware query buried in the setup routine in main()? [...]
Attached is a small tar file, exp-1.tar.bz2, containing exp.c and various other gubbins. I've heard it has some effect with the E3 doing what you state above.
This seems to send a single 1B, and bail with a EOF error when it tries to read the response. How were you running it? Before boot, after boot? -- +- David Given --McQ-+ "I don't like the thought of her hearing what I'm | dg@cowlark.com | thinking." "*No-one* likes the thought of hearing | (dg@tao-group.com) | what you're thinking." --- Firefly, _Objects in +- www.cowlark.com --+ Space_
On Fri, 2005-03-11 at 23:32 +0000, David Given wrote: [...]
(I've tried registering, booting the thing with the phone line plugged in, booting the thing with various interesting buttons pressed, booting the thing without the handset, without the keyboard, etc. The only thing I've discovered is that without a dial tone, it'll go into attract mode after a minute or so.)
Okay, one last piece of spam and I'm off to bed. I've disassembled my E2, down to the motherboard. (Which is suprisingly small and elegant, and the JTAG pin pads are suprisingly small and difficult to solder to...) My E2 is almost exactly the same as the one Ralph describes, except mine has a Conexant 20437 speech codec, a mysterious Conexant SCPLT L9403-11 that I haven't been able to identify --- and no SMC card adaptor. It's just missing. The slot in the side of the case is there, which feeds the card into the brainbox, but there's nothing to receive it. USB it is, then. I was actually looking for a diagnostic switch or jumper of some kind, but there wasn't one. I tried booting the motherboard bare, with no peripherals; no joy. (Yes, I had some screws left over when I reassembled it. And yes, it still works...) This any help to anyone? -- +- David Given --McQ-+ "I don't like the thought of her hearing what I'm | dg@cowlark.com | thinking." "*No-one* likes the thought of hearing | (dg@tao-group.com) | what you're thinking." --- Firefly, _Objects in +- www.cowlark.com --+ Space_
Hi David,
My E2 is almost exactly the same as the one Ralph describes, except mine has a Conexant 20437 speech codec, a mysterious Conexant SCPLT L9403-11 that I haven't been able to identify --- and no SMC card adaptor.
Is the PCB still marked as a "Gamma Logic PCB, ASL0414_3 Issue 7"? Cheers, Ralph.
Hi David,
0338 eb001b44 bl rx_uart0_byte
So what does rx_uart0_byte return if the FIFO is empty? It either blocks, in which case we could find the timeout, or else it just returns failure --- probably 0. In which case, the only way of triggering the boot loader is to make sure that the byte hits the FIFO before this piece of code gets called.
There's more code before the bit I quoted. 032c eb001b37 bl is_uart0_rx_fifo_empty 0330 e3500000 cmp r0, #0 0334 0a000006 beq &0354 So rx_uart0_byte isn't called unless there's a byte in the FIFO. This whole bit of code is run each iteration around one of the states of the main FSMs. I can't remember more detail at the moment.
Since both our programs are spamming the thing silly with ESC chars, then I suspect there might be some other condition that needs to be met before this code even gets called.
Possibly. Both Matt and I independently assumed a key held down on the telephone keypad, that's probably our Acorn backgrounds, but nothing in the code suggests that AFAIK.
It just happens to be true on your E3 and Matt's E2, but not on mine.
I think that's unlikely.
Might there be some sort of hardware query buried in the setup routine in main()?
Maybe. But there's quite a lot of code and it calls out to lots of places that nest quite deep.
Attached is a small tar file, exp-1.tar.bz2, containing exp.c and various other gubbins. I've heard it has some effect with the E3 doing what you state above.
This seems to send a single 1B, and bail with a EOF error when it tries to read the response.
It shouldn't do that. Is that what actually happens, in which case the stdout and stderr would be handy, or what you think from a quick look? It writes ESCs for a while and then switches to sending a few protocol messages for luck. All the while it looks for anything coming back. Both read(2) and write(2) are non-blocking, it doesn't use poll(2), so it's a busy loop which is fine for a quick hack. Use environment variables to tweak parameters, especially baud rate. $ ./exp -h exp: wrong number of arguments. usage: [EXPTTY=tty] [EXPBAUD=baud] [EXPTXLEN=txlen] [EXPTXGAP=txgap] exp tty is the serial port to use, default /dev/ttyS0. baud is the baud rate to use, default 115200. txlen is the seconds spent sending escapes, default 30. txgap is the seconds between sending escapes, default 0.005. $
How were you running it? Before boot, after boot?
By setting txlen large you've time to turn on the E2 once ./exp has started sending. Perhaps Matt can specify what his procedure is that got the E2 to suspend booting. Cheers, Ralph.
On Sat, 2005-03-12 at 19:40 +0000, Ralph Corderoy wrote: [...]
Possibly. Both Matt and I independently assumed a key held down on the telephone keypad, that's probably our Acorn backgrounds, but nothing in the code suggests that AFAIK.
I can't think of anything else that it could be --- unless the trigger's something in the firmware, and that my unit has been locked down, and your units haven't. (My unit *does* seem to be a little different --- Matt, have you taken the lid off yours yet? Does it have an SMC adaptor soldered onto the top of the motherboard? What PBL version and build is it? [Start it up, press SETUP, 1.]) [...]
This seems to send a single 1B, and bail with a EOF error when it tries to read the response.
It shouldn't do that. Is that what actually happens, in which case the stdout and stderr would be handy, or what you think from a quick look?
That was what strace gave. I actually sorted this out; because my program, pblq, was not calling tcgetattr but was resetting the termios structure to zeros, it was doing something strange to the serial port settings that exp couldn't cope with. I fixed pblq and exp now works fine --- the E2 still won't talk to it, though. ... Incidentally, useful factoid. The boot process goes like this: 1. Splash screen (pretty picture of the emailer). 2. Title screen (with 'Personal Communication Centre' across the middle). 3. Main menu. If on the transition between 1 and 2, you press STOP+HANDSFREE, the machine will reset itself back into a virgin state. Do we know yet what puts up the splash screen? PBL or the main software? What do you see on a successfully suspended boot? -- +- David Given --McQ-+ | dg@cowlark.com | "While I write this letter, I have a pistol in one | (dg@tao-group.com) | hand and a sword in the other." --- Sir Boyle Roche +- www.cowlark.com --+
Hi David, Sounds like you're getting somewhere! It's a lovely little motherboard once you strip out the GCSE D&T casing, isn't it? I'm especially looking forward to getting something going on it. As a completely tangential aside, I noticed the extra pads around the (I can't remember, guessing) speech codec; my board, at least, has 2 sets of pads for the 2 types of SCP. What an excellent place to slodder on new peripherals! ;-) There are unused chip select lines from the CPU, too! On 12 Mar 2005, at 22:30, David Given wrote:
On Sat, 2005-03-12 at 19:40 +0000, Ralph Corderoy wrote: [...]
Possibly. Both Matt and I independently assumed a key held down on the telephone keypad, that's probably our Acorn backgrounds, but nothing in the code suggests that AFAIK.
I can't think of anything else that it could be --- unless the trigger's something in the firmware, and that my unit has been locked down, and your units haven't.
(My unit *does* seem to be a little different --- Matt, have you taken the lid off yours yet? Does it have an SMC adaptor soldered onto the top of the motherboard? What PBL version and build is it? [Start it up, press SETUP, 1.])
Yep, the case was discarded long ago. So this sounds interesting - I thought all units had the smartmedia slot. Mine certainly does - but I have the older psion5-style keyboard model. Does yours still have a smart/card/ slot on the right too? My PBL is the same version as yours (1277). Something that was unclear in your previous emails was the cable that you were using - it sounded like it was direct RS232 plug to a 3.5mm jack with no voltage conversion? This didn't work for me. My reasoning: the port levels are 5V and 'about 5V' on transmit and receive pins, respectively. This does not look like an RS232 port. You will see at least -6 or probably -9V on most RS232 ports (i.e. below ground), when they're in a quiescent state. Therefore I'm pretty sure we shouldn't be connecting it straight to RS232 levels because it won't work.
Incidentally, useful factoid. The boot process goes like this:
1. Splash screen (pretty picture of the emailer). 2. Title screen (with 'Personal Communication Centre' across the middle). 3. Main menu.
If on the transition between 1 and 2, you press STOP+HANDSFREE, the machine will reset itself back into a virgin state.
Do we know yet what puts up the splash screen? PBL or the main software? What do you see on a successfully suspended boot?
That's very cool... wonder what that's for? (Unless it's just a bug ;) Also when playing with JTAG I got the unit to crash and got a nicely anti-aliased debug code and a TLA on a screen that looks like 2. didn't make sense to me, was a 32bit hex number but not a plausible address... anyway. As far as I can tell the splash screen is from the main ROM, not PBL. (I haven't seen PBL touching the LCD (Ralph, you?) nor is there space in the boot ROM to hold such a bitmap (even compressed, that dithering.. hmm.. just doesn't feel likely). When I interrupted its boot the other night I was sending chr(27) via a TTL-level serial port (one half of a USB-RS232 cable, i.e. the bare UART pins before they go to the MAX232-style linedriver to make them +/-9V), and I saw.... nothing. (Screen remained dark, no backlight power either). If at all possible if you can't get it working with your RS232 cable I'd try to wire up a linedriver chip (MAX232, MAX3232, loads of ppl make them & RS sell them) to turn the RS232 levels from your PC serial port back into 0V/5V levels. You may also be able to bodge these signals from something in your PC; if you have an old ISA serial card you can often lift these signals from the 16550 UART before they go through the linedriver chip to the external socket. I don't know your level of electronics knowledge but if I can help just ask. Cheers, Matt
Dear Ralph, Today I tried your 'exp' program with my setup. How come it's so well-written in that it prints debug for EVERY termios option under the sun?? ;-)) (I mean, I had to comment half of them out to get it to compile on darwin ;) Appended is its output; from what I can tell it should be SENDING_ESCS, then get an ack, then send packets for opcodes 0 and 2 - these are "get version" or something? (I don't have your list to hand, in a rush unfort.) Anyway, having sorted out my serial woes (minicom) I've sent it a bunch of escs and seen the expected 006 006 006 006 006 006 006 006 006 006 006 006 006 006 006 response. Then I thought I'd try 'exp' and see what happens; it moves to this CS_HAVE_ACK state a bunch of times - I'm guessing because it gets 006 16 times as the wakeup code print_strings a line of them. Then it just sits there doing nowt. I'll take a closer look later on but just thought I'd let you know. :) (Other observation re WDT: Quite a long timeout, you said 4-5 secs but I observed about 15secs after having got the acks before the reboot. Also, I see the WDT being initialised at 0x280. WDTCTRL gets set to 0x67; this is WDT on, resetting, 2^29 clock ticks. (This is about 1s at 50MHz - my 15sec timeout must be a different timeout?) Also I haven't seen the FRZ (WDT freeze, lock-on) bit being set ever... is it set somewhere else?) Cheers, Matt ---------------- ... 1110730112.095576 o 1b 1110730112.100625 o 1b 1110730112.105674 o 1b 1110730112.108426 i 061110730112.108435 e transitioning to state 2, CS_HAVE_ACK 1110730112.109517 i 061110730112.109527 e transitioning to state 2, CS_HAVE_ACK 1110730112.110540 i 061110730112.110550 e transitioning to state 2, CS_HAVE_ACK 1110730112.111704 i 061110730112.111713 e transitioning to state 2, CS_HAVE_ACK 1110730112.112724 i 061110730112.112734 e transitioning to state 2, CS_HAVE_ACK 1110730112.113691 i 061110730112.113700 e transitioning to state 2, CS_HAVE_ACK 1110730112.114644 i 061110730112.114653 e transitioning to state 2, CS_HAVE_ACK 1110730112.115585 i 061110730112.115594 e transitioning to state 2, CS_HAVE_ACK 1110730112.116845 i 061110730112.116856 e transitioning to state 2, CS_HAVE_ACK 1110730112.117928 i 061110730112.117938 e transitioning to state 2, CS_HAVE_ACK 1110730112.119018 i 061110730112.119029 e transitioning to state 2, CS_HAVE_ACK 1110730112.120016 i 061110730112.120025 e transitioning to state 2, CS_HAVE_ACK 1110730112.121014 i 061110730112.121024 e transitioning to state 2, CS_HAVE_ACK 1110730112.122019 i 061110730112.122028 e transitioning to state 2, CS_HAVE_ACK [sits doing nothing]
Hi Matt,
Today I tried your 'exp' program with my setup. How come it's so well-written in that it prints debug for EVERY termios option under the sun?? ;-))
Ah, well, when it didn't work ad nauseum, more debug got added to double-check everything.
(I mean, I had to comment half of them out to get it to compile on darwin ;)
Ah, good point. I hadn't intended to ship the source. Did all the problems apper in print_termios()? I suppose each use needs wrapping if a #ifdef. :-(
Appended is its output; from what I can tell it should be SENDING_ESCS, then get an ack, then send packets for opcodes 0 and 2 - these are "get version" or something?
That's about right. Request 0x0000 should always result in a NACK reply coming back. Request 0x0002 prompts a reply containing version numbers and maximum packet length. If the request's checksum is messed up, or something similar, then I think there should still be something coming back.
Anyway, having sorted out my serial woes (minicom) I've sent it a bunch of escs and seen the expected 006 006 006 006 006 006 006 006 006 006 006 006 006 006 006 response.
Hurrah! You're the first I know of to achieve that.
Then I thought I'd try 'exp' and see what happens; it moves to this CS_HAVE_ACK state a bunch of times - I'm guessing because it gets 006 16 times as the wakeup code print_strings a line of them.
Thanks. You're right. It moves to CS_HAVE_ACK on seeing an ACK regardless of its current state. I also see the stdout is a bit corrupted when this happens. You're executing un-trodden code paths there!
Then it just sits there doing nowt. I'll take a closer look later on but just thought I'd let you know. :)
It sends a couple of 0x0000 and 0x0002 requests in the hope that if it's got it wrong, and is sending too few bytes for a request, the following requests will provide the missing data, give a checksum error, and still prompt a reply as opposed to the E2 just waiting a long time for more data.
(Other observation re WDT: Quite a long timeout, you said 4-5 secs but I observed about 15secs after having got the acks before the reboot.
I think `wakeup' is written quite often to the WDT whilst it's waiting for data. There are other counters maintained by the code that decide when to give up. When the *E3* gives up after being paused due to EXP activity it doesn't re-boot. PBL re-scans memory, in case the protocol has changed something, and continues to boot the next stage. This is observable because it prints stuff to EXP. Amstrad Delta - PBL V4.9 Build:1311 Assert Debug ICE PBL 32MB NAND 0MB.-->MEMv01.00.002,CopyLim=00220000h,CodeEnd=01400000h-->PBL......1MB.......2MB* PBL 32MB NAND 0MB.-->MEMv01.00.002,CopyLim=00220000h,CodeEnd=01400000h-->PBL......1MB.......2MB* Normally, only the first three lines appear.
Also, I see the WDT being initialised at 0x280. WDTCTRL gets set to 0x67; this is WDT on, resetting, 2^29 clock ticks.
Agreed. 0280 e3a080a5 mov r8, #&a5 # r8 = 0xa5, * = 0x27eb000f 0284 e3a099fe mov r9, #&3f8000 # r9 = 0x3f8000 0288 e2499501 sub r9, r9, #&400000 # r9 = 0xffff8000 (WDTCTRL) 028c e2888ca5 add r8, r8, #&a500 # r8 = 0xa5a5, * = 0xffffffff 0290 e5898004 str r8, [r9, #4] # *0xffff8004 (WDTCNTR) = 0xa5a5 wakeup 0294 e3a00067 mov r0, #&67 # r0 = 0x67, * = 0 0298 e5c90000 strb r0, [r9, #0] # *0xffff8000 (WDTCTRL) = 0x67 enable reset 2^29 029c e5898004 str r8, [r9, #4] # *0xffff8004 (WDTCNTR) = 0xa5a5 wakeup 02a0 eb001e7c bl program_pio 02a4 e5898004 str r8, [r9, #4] # *0xffff8004 (WDTCNTR) = 0xa5a5 wakeup
(This is about 1s at 50MHz
The DS_LH79531_B@E.pdf says on page 136: There are eight selectable time intervals for a timeout: 2^21, 2^22, 2^23, 2^24, 2^25, 2^26, 2^29, or 2^31 clock cycles for time-out periods ranging from 41.94 ms to 41.95 seconds with a system clock of 60 MHz. I can't turn 2^21 clock ticks at 60 MHz into 41.94 ms. Similarly, 2^31 ticks isn't 41.95 seconds. What am I doing wrong? Do we know what speed the E2 ARM SoC is clocked at?
my 15sec timeout must be a different timeout?)
Yes, I think things like 0x10034 come into play. It gets set to 200 and decrements whilst we're waiting. addr 00010028 req_09_received addr 0001002c req_09_baud_rate addr 00010030 num_bytes_rxd_on_last_check addr 00010034 protocol_fsm_counter # whilst waiting for rx. addr 0001003c rx_data_is_compressed # byte
Also I haven't seen the FRZ (WDT freeze, lock-on) bit being set ever... is it set somewhere else?)
Not as far as I know. This came up before with en4rab. http://www.earth.li/pipermail/e3-hacking/2005-February/000013.html It may be worth skimming the list's archive, http://www.earth.li/pipermail/e3-hacking.mbox/e3-hacking.mbox, perhaps pull it into your email client or something, in case there's anything else useful in there.
1110730112.095576 o 1b 1110730112.100625 o 1b
Can you readily reproduce the ACKs coming back from the ESCs with ./exp? If so, I'd be interested to know how short the gap between ESCs needs to be for it to work. It's currently very short due to desperation.
1110730112.108426 i 061110730112.108435 e transitioning to state 2, CS_HAVE_ACK
That should read 1110730112.108426 i 06 1110730112.108435 e transitioning to state 2, CS_HAVE_ACK I'll try and fix it. Thanks for the wonderful news. Cheers, Ralph.
Hi again Matt,
Then I thought I'd try 'exp' and see what happens; it moves to this CS_HAVE_ACK state a bunch of times - I'm guessing because it gets 006 16 times as the wakeup code print_strings a line of them.
Thanks. You're right. It moves to CS_HAVE_ACK on seeing an ACK regardless of its current state. I also see the stdout is a bit corrupted when this happens. You're executing un-trodden code paths there!
Then it just sits there doing nowt. I'll take a closer look later on but just thought I'd let you know. :)
It sends a couple of 0x0000 and 0x0002 requests in the hope that if it's got it wrong, and is sending too few bytes for a request, the following requests will provide the missing data, give a checksum error, and still prompt a reply as opposed to the E2 just waiting a long time for more data.
Actually, that's not what it does. There's three states: sending ESCs, given up sending ESCs and sending some protocol in the hope of it working, and having received an ACK. Because it has never got into the ACK state before I was happy just to log that an ACK had been seen and then stop. It's only in the middle of the three states above that protocol is attempted once it's given up sending ESCs. I'll have a look at altering the FSM tonight if you don't beat me to it. I suspect it's a case of deleting the HAVE_ACK state and switching to the `send some protocol' state when either we've given up sending them, or we've seen an ACK. Sorry for the confusion. Ralph.
Hi again Matt, I wrote:
I'll have a look at altering the FSM tonight if you don't beat me to it. I suspect it's a case of deleting the HAVE_ACK state and switching to the `send some protocol' state when either we've given up sending them, or we've seen an ACK.
That's what I've done. Compile-tested. http://inputplus.co.uk/ralph/emailer/exp-2.tar.bz2 The old one's uploaded too now if you'd prefer patches. http://inputplus.co.uk/ralph/emailer/exp-1.tar.bz2 Cheers, Ralph.
Hello Ralph, Thanks for your updated exp! I've just tried it out: 1110839334.812694 o 1b 1110839334.817746 o 1b 1110839334.822813 o 1b 1110839334.824815 i 06 1110839334.825299 e received ack 1110839334.825719 e transitioning to state 1, CS_STOPPED_TX_ESC 1110839334.826307 o 02 00 00 02 00 00 02 02 00 00 02 00 02 04 1110839334.826756 i 06 1110839334.827292 i 06 1110839334.827960 i 06 1110839334.828841 i 06 1110839334.829829 i 06 1110839334.831813 i 06 1110839334.832834 i 06 1110839334.833835 i 06 1110839334.834831 i 06 1110839334.835828 i 06 1110839334.836829 i 06 1110839334.837831 i 06 1110839334.838829 i 06 1110839334.839828 i 06 So it sends the packet... but nothing back. However it hasn't finished receiving the acks and the E2 is busy-waiting on the TX queue at this point (it's not the interrupt-driven "print string" routine IIRC, it's just a spinloop) so I altered exp to count the acks and move on only when it sees 16 of them: (which incidentally it didn't always get, sometimes 15.. loss..) 1110839701.916260 o 1b 1110839701.921314 o 1b 1110839701.926360 o 1b 1110839701.931406 o 1b 1110839701.949244 o 1b 1110839701.950278 i 06(14 acks left) 06(13 acks left) 06(12 acks left) 06(11 acks left) 06(10 acks left) 06(9 acks left) 06(8 acks left) 06(7 acks left) 06(6 acks left) 06(5 acks left) 06(4 acks left) 06(3 acks left) 1110839701.951045 i 06(2 acks left) 1110839701.951959 i 06(1 acks left) 1110839701.952959 i 06(0 acks left) 1110839701.953517 e transitioning to state 2, CS_HAVE_ACK 1110839705.954042 e transitioning to state 1, CS_TX_REQUEST_ONESHOT 1110839705.955233 o 02 00 00 02 00 00 02 02 00 00 02 00 00 02 02 00 00 02 00 00 02 02 00 00 02 00 02 04 02 00 00 02 00 02 04 02 00 00 02 00 02 04 .... Nada. 'Voice' and 'email' LEDs at top alternate rapidly (with every ESC received? Certainly boots much slower, it watches ESCs for a while then replies the 06s. After receives the 2nd transmission it sits in a loop alternating the LEDs at about 2Hz. ***** Scratch that - I've bodged your code wrongly. <quick re-bodge> RIGHT! It replied! I pruned out the "send the NOP packet 3 times then the INFO packet(2) 3 times" stuff down to only sending one packet. Also your description of the protocol quite accurately says the opcode is the first byte in the payload whereas exp.c had it reversed (i.e. 02 00 not 00 02) - also I found the length field was also being sent reversed. See below; I altered the endianness of the length field, and also that of the opcode field so that the LSB was sent first. I got an acknowlegement!! ... 1110841583.893639 i 06(3 acks left) 1110841583.894640 i 06(2 acks left) 1110841583.895639 i 06(1 acks left) 1110841583.896637 i 06(0 acks left) 1110841583.897060 e transitioning to state 2, CS_HAVE_ACK 1110841587.897492 e transitioning to state 1, CS_TX_REQUEST_ONESHOT 1110841587.898645 o 02 00 02 00 02 00 04 1110841587.907837 i 02 1110841587.908858 i 00 1110841587.909852 i 0e 1110841587.910849 i 00 1110841587.911845 i 82 1110841587.912846 i 00 1110841587.913844 i 72 1110841587.914842 i 00 1110841587.915845 i 03 1110841587.916845 i 01 1110841587.917846 i fd 1110841587.918844 i 04 1110841587.919843 i 10 1110841587.921825 i 20 1110841587.922844 i fe 1110841587.923844 i 7b 1110841587.924842 i 0e 1110841587.925844 i b0 1110841587.926844 i 6e ^C1110841635.489371 e received signal 2, exiting. :D I was just getting ready to give up (or at least see which loop it was spinning in via JTAG).. I'm pretty damn impressed, I have to say, with the accuracy of your reverse-engineering for the reply! (Especially because I hit the disassembly again tonight trying to work out if there was something else necessary before it'd listen - and got nowhere.) So: 02 00 0e 00 [ 82 00 72 00 03 01 fd 04 10 20 fe 7b 0e b0 ] 63 03 01: Matches, I've v3.1 fd 04: as you predicted, of course, 1277 ... etc. as per your packet format spec. Some notes: o Once it's in this idle state it still flashes leds at 2Hz as above.. a healthy sign I think? o Duff packets are NOT acknowleged o I tried hacking exp to just send a ton of escape chars without a timeout - this didn't result in a reply! So the gap between them is good. It seems to watch for a number of these - (I see 20 being bandied about around 0x324 in the code) and any number pauses boot for a bit. Stated differently, it boots quicker if you don't send anything, whereas sending ESCs delay it for a bit even if it doesn't reply with 06060606.. for a few seconds. Time to call it a night. But looks like there's potential for a play with some of the other commands of the protocol! (First step = get some code into DRAM..) Looks like all your hard work has been pretty much spot on, so congratulations :) Have you managed to recreate getting the stream of ACKs back with your setup? I should find a source of cheap MobilePhone data cables somewhere, for ease of modding into E2 EXP cables. Best regards, Matt
On Sun, 2005-03-13 at 15:42 +0000, Matt Evans wrote: [...]
Yep, the case was discarded long ago. So this sounds interesting - I thought all units had the smartmedia slot. Mine certainly does - but I have the older psion5-style keyboard model. Does yours still have a smart/card/ slot on the right too?
Yes. I actually rather wanted the SMC socket, and the cold-flesh keyboard is pretty dire. I *suppose* it might be possible to solder on a third-party SMC socket but I don't think my soldering skills are up to it. Just have to make do with USB. [...]
Something that was unclear in your previous emails was the cable that you were using - it sounded like it was direct RS232 plug to a 3.5mm jack with no voltage conversion? This didn't work for me.
Ah, I thought you said it *did* work... hopefully I haven't buggered the UART. I experimented with a voltmeter, and I'm seeing just under 5V on RX and TX coming from the E2, which matches what you said. Alas, I don't have a scope. Hmm... TTL uses 0V for 0, 5V for 1. RS232 uses >+3V for 0 and <-3V for 1. Now, if the E2's UART is behaving sensibly, and is suitably buffered so that I haven't fried it, it might be possible to con it into responding to the RS232 signals by sending a suitably mutated signal. Basically, I'd need to send ~0x1B = 0xE4, with an inverted stop bit... but the E2 wouldn't be able to reply, because the TTL 0V signals that it's sending would be ignored by the PC's UART. Blast. I could probably rig up a software UART through the parallel port, if I had one. (Shuttle box. I'm trying to scrounge up the appropriate header, but it's had work.) [...]
I don't know your level of electronics knowledge but if I can help just ask.
I'm mostly a software guy; I have some soldering skills, but they're not great. I can rig up a line driver on breadboard easily enough, but getting a 5V signal that's suitable non-floating might be an issue... I actually have a ludicrous idea that might help; will report back later. -- +- David Given --McQ-+ "Working with Unix is like wrestling a worthy | dg@cowlark.com | opponent. Working with Windows is like attacking a | (dg@tao-group.com) | small whining child who is carrying a .38." --- +- www.cowlark.com --+ Nancy Lebovitz
Hi David,
(My unit *does* seem to be a little different --- Matt, have you taken the lid off yours yet? Does it have an SMC adaptor soldered onto the top of the motherboard?
I've received a report of an E2 that also doesn't have the metal cage visible in en4rab's photo yet takes a SmartMedia card and functions correctly. The assumption is that the case is sufficient to hold it in contact with the board. I've some photos I'll try and put up. Plus some E3 circuit board scans.
It shouldn't do that. Is that what actually happens, in which case the stdout and stderr would be handy, or what you think from a quick look?
That was what strace gave.
I actually sorted this out; because my program, pblq, was not calling tcgetattr but was resetting the termios structure to zeros, it was doing something strange to the serial port settings that exp couldn't cope with. I fixed pblq and exp now works fine
Thanks for letting me know. I don't think there's anything exp can do to avoid this. The convention is you tweak what bits you understand and leave the rest alone because platforms may have ones you've never heard of, so exp can't set the attributes to known values unfortunately.
Incidentally, useful factoid. The boot process goes like this:
1. Splash screen (pretty picture of the emailer). 2. Title screen (with 'Personal Communication Centre' across the middle). 3. Main menu.
If on the transition between 1 and 2, you press STOP+HANDSFREE, the machine will reset itself back into a virgin state.
By virgin state, do you mean it thinks it hasn't registered or something else? I'll put this into the FAQ to save it getting lost. http://inputplus.co.uk/ralph/emailer/faq.html#reset
Do we know yet what puts up the splash screen? PBL or the main software? What do you see on a successfully suspended boot?
PBL doesn't go near the LCD. The most it does is twiddle LEDs to reflect counter/FSM status. So the screen would still be blank when PBL is paused. Cheers, Ralph.
Hi, Matt wrote:
I couldn't find anything as polished, free, for my JTAG cable under linux. I ended up using libjtag + armtool, which works with a variety of parallel port cables.
For those interested in following up on JTAG the Hardware Recycling Initiative have some information and links. http://hri.sourceforge.net/tools/index.html#jtag http://hri.sourceforge.net/tools/jtag_faq_org.html Cheers, Ralph.
David, On 11 Mar 2005, at 12:25, David Given wrote:
As for the PBL ROM image, I'll drop in to Dixons this evening and get an E2 --- then I'll have a genuine license and you can send it to me quite legally, muhahaha.
BTW I'm not going to get involved in sending binaries around the place to people, I'm afraid (would like to keep within the law). Sounds like you've got some leads (so to speak) on JTAG now, so hopefully you'll be able to get it yo'self. Cheers, Matt
Hi Matt,
Got a display model from Dixons - but I heard they'd reduced the price from 30 to 20 the next week anyway...
Their web site still lists it at GBP29 so you're ahead.
Smart media holds /enough/ - Well, enough to hold a kernel that will then drive USB storage devices ;-)
You can get 128MiB ones I believe. Cheers, Ralph.
Hi David,
Where is the E2 GBP 20 now? I think the E3's down to GBP 70 at Carphone Warehouse. The E2's still worth playing with though, especially if you want to end up with more than one device.
Froogle reckons the cheapest is 27.99 from Ligo Electronics, but I've seen them in my local ASDA and I'll need to compare the price. Now the E3's out, they may be shifting the E2s cheap.
They've been GBP30 at Comet, Asda, and Sainsbury's since sometime in 2004.
(I'm attracted to the E2 because they're reasonably capable devices and they're so cheap that I can justify buying one on a whim. The E3 is a lot nicer, but unfortunately, more expensive than I like to spend on a toy.)
And cheap enough to buy more than one if you'd like a phone, intercom, and multi-media controller in more than one room of the house.
Request 05 checks the destination addresses. All the bytes overwritten must be in the range 0x40000..0x7fffff inclusive, 7936KiB. I think the stack descends from 0x1ba00.
Meh. Not very useful. I take it the boot flash chip is mapped at 0 on reset? Looking at the processor's datasheet, that would seem to be logical.
It is, but is later moved out of there and RAM's put in its place.
Although with JTAG it should be possible to put a little EXP-port downloader into RAM, run it, that pulls down a bootloader which in turn is happy to run the code in Smart Media card inserted in the side of the E2 which would avoid having to flash during development.
Unfortunately the E2 doesn't have a SMC card reader (as far as I know);
Take a look at en4rab's page linked to from my E2 one, especially the image on that page. http://www.en4rab.dsl.pipex.com/ He labels a `SD card slot'. Amstrad sell SmartMedia cards as accessories for the E2. http://www.amstrad.com/emp_accessories.html Smart Media is digital solid state (no moving parts) memory, and is used as a data storage medium in items such as digital cameras. It enables the user to add to the existing memory of certain digital devices. By inserting a Smart Media card in to the side of the e-mailerplus, the user can store more email, fax and VoiceMail messages for later retrieval or archiving. Received and sent messages actioned whilst the smart media card is inserted will automatically be stored on the Smart Media card instead of the internal memory of the e-mailerplus. The slot is on the side of the casing. It's just a thin slot with no labelling IIRC.
it has a Smart Card reader, but you don't get a lot of data onto one of those.
Not that slot, another one. Cheers, Ralph.
On 10 Mar 2005, at 22:28, Ralph Corderoy wrote:
That's good. (I'd explained to Matt that this was what had been achieved with the E3; the suspension of its booting while its EXP port was being tickled.) Matt, did you achieve this with that exp program out of interest?
I didn't - was just sending ESC codes through some dumb mac terminal program; I'll be trying minicom, then the exp program, over the weekend when I get a mo.
The E2's at 9600 baud. Have you a scope that could monitor the E2's TXD? Lastly, was this using the same wiring as on the site for the E3's EXP port, i.e. TXD on the E2 is tip.
PC pin 2, RXD o----------o TXD o-----v | | Emailer 9-pin pin 3, TXD o----------o RXD o-------^ | | 3.5mm stereo D-type pin 5, GND o----------o GND o---------|__| jack plug
It is indeed at 9600 :) Unfortunately, no scope. Seriously considering picking one up these days... So, yes, the wiring is the same in terms of Tx and Rx pins. I 'confirmed' this by measuring a voltage of 5.17V (the same as Vcc5V) on the 'tx' pin which is consistent to a driven pin sitting at dormant '1' (as serial/RS232 usually does), and the Rx pin was at 4.5ish, consistent with probably being a weakly pulled-up input.
Although with JTAG it should be possible to put a little EXP-port downloader into RAM, run it, that pulls down a bootloader which in turn is happy to run the code in Smart Media card inserted in the side of the E2 which would avoid having to flash during development.
Aye yeah; the tiniest possible loader would be good. Another possibility (that'll be a bit more convenient than JTAGging it each time) would be - if the /WE pin is wired on the board (which I suspect it is) - to reprogram the PBL rom in-situ after downloading a little JTAG loader. We could patch PBL to accept code over serial... Or if we're going to go this route, just replace it. So many options! ;) (I'm still hoping for some sort of buff. ovf. in PBL so we can keep it unmodified - so much safer, easier, less time consuming (in some ways).) Cheers, Matt
Hi Matt,
Another possibility (that'll be a bit more convenient than JTAGging it each time) would be - if the /WE pin is wired on the board (which I suspect it is) - to reprogram the PBL rom in-situ after downloading a little JTAG loader. We could patch PBL to accept code over serial... Or if we're going to go this route, just replace it. So many options! ;)
The 64KiB NOR flash has the ability to `blow' the first of its 8KiB pages so it can never be altered. See its data sheet. I doubt this has been done on the E2 because it would be inconvenient to the manufacturer.
(I'm still hoping for some sort of buff. ovf. in PBL so we can keep it unmodified - so much safer, easier, less time consuming (in some ways).)
Agreed. Buy Emailer. Connect EXP port to computer with special cable. Run program on PC. Have control of Emailer. No case opening, soldering, or knowledge required would be nice. Cheers, Ralph.
participants (3)
-
David Given -
Matt Evans -
Ralph Corderoy