Hi all,
Anyone worked out where/if (uhoh) the JTAG TAP is brought out to on the E3's motherboard? Google won't tell me :(
(Failing that, has anyone got a broken one they could strip down & find out? ;)
-Matt
On Tue, Apr 19, 2005 at 09:23:03PM +0100, Matt Evans wrote:
Anyone worked out where/if (uhoh) the JTAG TAP is brought out to on the E3's motherboard? Google won't tell me :(
(Failing that, has anyone got a broken one they could strip down & find out? ;)
I've no idea about the JTAG pinouts, but I have been working on trying to figure out the E3 PBL (having bricked it by overwriting my kernel in the NAND flash). I think I've almost figured out how to feed it a block over the modem to execute - it looks like a Q;Q; as used in the actual flash. Haven't actually worked out how to talk to it just over the EXP port yet though. First time dealing with ARM disassembly. :(
Got a few functions marked up so far; is anyone else working on it who has anything to share?
; FUNC: 0x00001744 setup_vectors() ; FUNC: 0x000018d8 change_processor_mode(r0, r1) ; FUNC: 0x0000206c uart0_setbaud(r0) ; FUNC: 0x00002144 tx_uart0_char(r0) ; FUNC: 0x000021d4 tx_uart0_string(*r0) ; FUNC: 0x00002200 printf(r0, ...) ; FUNC: 0x0000a468 getkey() ; FUNC: 0x00011ddc strcat(*r0, *r1)
Oh, and .c filename strings:
7c4: 676f7250 db "ProgAppInit.c", 0, 0, 0 1188: 2e687366 db "fsh.c", 0, 0, 0 13e8: 70687366 db "fshprogi.c", 0, 0 1494: 73687366 db "fshstart.c", 0, 0 1ab4: 396d7261 db "arm9\cpuint.c", 0, 0, 0 1d70: 2e776468 db "hdw.c", 0, 0, 0 2138: 396d7261 db "arm9\dsi.c", 0, 0 72dc: 746c6270 db "pbltask.c", 0, 0, 0 77ec: 636c6270 db "pblconf.c", 0, 0, 0 7a44: 646c6270 db "pbldecod.c", 0, 0 8814: 726c6270 db "pblrersec.c", 0 8e90: 756c6270 db "pblusrdev.c", 0 9b04: 756c6270 db "pblusrerase.c", 0, 0, 0 a240: 756c6270 db "pblusrkbd.c", 0 a6a0: 756c6270 db "pblusrmod.c", 0, 0 a884: 756c6270 db "pblusrmodem.c", 0, 0, 0 b3f0: 756c6270 db "pblusrtransfer.c", 0 ,0, 0, 0 b66c: 646d7978 db "xymdownload.c", 0, 0, 0 c2b0: 6273666d db "mfsblank.c", 0, 0 c470: 6c73666d db "mfslrc.c", 0, 0, 0, 0 c7ec: 6d73666d db "mfsmount.c", 0, 0 ce34: 7273666d db "mfsread.c", 0, 0, 0 cf04: 6573666d db "mfsextra.c", 0, 0 d4ac: 6673666d db "mfsformat.c", 0 d8ec: 7273666d db "mfsremap.c", 0, 0 dd18: 72646664 db "dfdrdid.c", 0, 0, 0 df30: 72646664 db "dfdread.c", 0, 0, 0 e748: 65646664 db "dfderase.c", 0, 0 efc8: 77646664 db "dfdwrite.c", 0, 0 f9b8: 316d6168 db "ham1chk.c", 0, 0, 0 fd2c: 72637a6c db "lzcrw1_decompress.c", 0 fd78: 2e6d6974 db "tim.c", 0, 0, 0 fde8: 2e687366 db "fsh.c", 0, 0, 0 ff48: 70687366 db "fshprogi.c", 0, 0 10238: 65687366 db "fshedev.c", 0, 0, 0 10314: 73687366 db "fshstart.c", 0, 0 1072c: 396d7261 db "arm9\comdrv.c", 0, 0, 0 107fc: 396d7261 db "arm9\comdrvp.c", 0, 0 1091c: 396d7261 db "arm9\comdrvi.c", 0, 0 110b4: 646d646d db "mdmdrvi.c", 0, 0, 0 11488: 646d646d db "mdmdrvp.c", 0, 0, 0 11898: 396d7261 db "arm9\cpuint.c", 0, 0, 0 11ba8: 2e776468 db "hdw.c", 0, 0, 0 1247c: 7773666d db "mfswritebuff.c", 0, 0 125fc: 6573666d db "mfserase.c", 0, 0 128fc: 7773666d db "mfswrite.c", 0, 0
J.
On Tue, Apr 19, 2005 at 10:28:28PM +0100, Jonathan McDowell wrote:
[PBL V4.9]
Got a few functions marked up so far; is anyone else working on it who has anything to share?
Sorry, those were progpbl, not pbl. The following is what I have for "PBL 4.9 Build:1131" just in case I confused anyone with the last lot. :)
; FUNC: 0x00000020 reset() ; FUNC: 0x00000144 halt() ; FUNC: 0x0000020c ; FUNC: 0x00000228 ; FUNC: 0x000004a8 main() ; FUNC: 0x00001c30 printerror(r0, r1) ; FUNC: 0x00002914 uart0_setbaud(r0) ; FUNC: 0x0000336c printexception(r0, r1, r2, r3) ; FUNC: 0x00003cc0 getkey() ; FUNC: 0x0000470c ??? download module over modem ; FUNC: 0x00009428 ??? lzw decompress related (r0, r1, r2, r3) ; FUNC: 0x00009598 ; FUNC: 0x00009b84 printhex(r0, r1, r2) ; FUNC: 0x00009fec uart0_rx_char ; FUNC: 0x00009ffc uart0_tx_char(r0) ; FUNC: 0x0000a00c uart0_tx_char2(r0) ; FUNC: 0x0000a01c uart0_tx_string(*r0) ; FUNC: 0x0000a064 uart0_tx_buf(*r0, r1) ; FUNC: 0x0000a828 mdm_carrierdetect ; FUNC: 0x0000a84c mdm_setdtr(r0) ; FUNC: 0x0000a878 mdm_make_packet(r0, r1) ; FUNC: 0x0000af14 change_processor_mode(r0, r1) ; FUNC: 0x0000b2c4 ; FUNC: 0x0000b634 strcat(*r0, *r1) ; FUNC: 0x0000b7c8
J.