Amstrad Delta - PBL V4.9 Build:1311 Assert Debug ICE YMODEM DIAL 9 NUM 1 PBL 32MB NAND
Ymodem download is OK
download module = TEST BLOCK, version = 0002h
module is at 10020000h
module will load to 10002000h
module OK and copied - calling entry point
Hello, world!
(That would be the E3 loading code I've fed it over the modem and executing it, that would. Now I just need to work out how to write to the flash so I can get it booting Linux again.)
J.
Dear Jonathan,
Well done for your code download via the modem! Sounds interesting. Have you documented your procedure anywhere? Protocol/format of the data is *probably* pretty similar to that over EXP, maybe? :) I don't have the means here to talk modem-modem to the device.
I was interested to read in your GPL-vio email that the PBL/kernel images were obtained by de-soldering the flash chips on an E3. I'm keen to have a look at the E3's version of PBL (and thanks for sharing the symbols you'd deduced so far), but I'd prefer a non-invasive way of getting it out. (So, JTAG or some EXP hacks - chicken and egg scenario w.r.t. reverse-engineering PBL's (v4) protocol though ;) What is the state of the E3 whose flash chips were removed? Were they read and then soldered back in place, or was it a sacrificial broken (before/after) E3? IFF it was the latter I wonder if it might be possible to remove the OMAP5910 and beep out the JTAG pins to see if they go anywhere and if so, where?
Best regards,
Matt
On Sat, Apr 23, 2005 at 01:24:49PM +0100, Matt Evans wrote:
> Well done for your code download via the modem! Sounds interesting. Have you documented your procedure anywhere? Protocol/format of the data is *probably* pretty similar to that over EXP, maybe? :) I don't have the means here to talk modem-modem to the device.
The block I fed the E3 was just a Q;Q; style block; very similar to the E2 as it turned out and the same as what sits in flash. I've attached the source I used. The checksum used is an 8-bit Fletcher and it /is/ checked. The compression used seems to be lzrw1; I've got a decompressor which I've used successfully on compressed blocks from the flash, but haven't tried to compress new stuff up yet.
Ultimately I'm hoping we can talk to the E3 over the EXP port with no need for modem-modem - once I've worked that out I'll obviously post details of it, but I'm still concentrating more on getting my E3 back to a usable state. This means I'm trying to concentrate on working out the flashing routines at present, though it's not something I've dealt with before so it's going a bit slowly.
> I was interested to read in your GPL-vio email that the PBL/kernel images were obtained by de-soldering the flash chips on an E3. I'm keen to have a look at the E3's version of PBL (and thanks for sharing the symbols you'd deduced so far), but I'd prefer a non-invasive way of getting it out. (So, JTAG or some EXP hacks - chicken and egg scenario w.r.t. reverse-engineering PBL's (v4) protocol though ;) What is the state of the E3 whose flash chips were removed? Were they read and then soldered back in place, or was it a sacrificial broken (before/after) E3? IFF it was the latter I wonder if it might be possible to remove the OMAP5910 and beep out the JTAG pins to see if they go anywhere and if so, where?
It wasn't me who did this, but I believe the E3 that was desoldered was resoldered with alternative boot params (allowing shell access). I do know there's been work on mapping out the JTAG pins too, but I don't know how far that's got.
J.