[E3-hacking] W00t; it runs.

Jonathan McDowell e3-hacking@earth.li
Sun, 24 Apr 2005 10:36:16 +0100


On Sat, Apr 23, 2005 at 01:24:49PM +0100, Matt Evans wrote:
 
> Well done for your code download via the modem!  Sounds interesting.  
> Have you documented your procedure anywhere?  Protocol/format of the 
> data is probably* pretty similar to that over EXP, maybe?  :)  I don't 
> have the means here to talk modem-modem to the device.

The block I fed the E3 was just a Q;Q; style block; very similar to the
E2 as it turned out and the same as what sits in flash. I've attached
the source I used. The checksum used is an 8 bit Fletcher and it /is/
checked. The compression used seems to be lzrw1; I've got a decompressor
which I've used successfully on compressed blocks from the flash, but
haven't tried to compress new stuff up yet.

Ultimately I'm hoping we can talk to the E3 over the EXP port with no
need for modem-modem - once I've worked that out I'll obviously post
details of it, but I'm still concentrating more on getting my E3 back to
a usable state. This means I'm trying to concentrate on working out the
flashing routines at present, though it's not something I've dealt with
before so it's going a bit slowly.

> I was interested to read in your GPL-vio email that the PBL/kernel
> images were obtained by de-soldering the flash chips on an E3.  I'm
> keen to have a look at the E3's version of PBL (and thanks for sharing
> the symbols you'd deduced so far), but I'd prefer a non-invasive way
> of getting it out.  (So, JTAG or some EXP hacks - chicken and egg
> scenario w.r.t. reverse-engineering PBL's (v4) protocol though ;)
> What is the state of the E3 whose flash chips were removed?  Were they
> read and then soldered back in place, or was it a sacrificial broken
> (before/after) E3?  IFF it was the latter I wonder if it might be
> possible to remove the OMAP5910 and beep out the JTAG pins to see if
> they go anywhere and if so, where?

It wasn't me who did this, but I believe the E3 that was desoldered was
resoldered with alternative boot params (allowing shell access). I do
know there's been work on mapping out the JTAG pins too, but I don't
know how far that's got.

J.

-- 
Wake up, wake up dead man.

Attachment: testblock.s

.global _start
.set uart0_tx_string, 0xa01c		@ Address of the UART0 string output routine.

_start:
	.org 0x00
	.word 0x3B513B51		@ "Q;Q;" magic.
	.org 0x08
	.word _end - _start		@ Length
	.word 0x10002
	.org 0x14
	.asciz "TEST BLOCK"		@ Block name.
	.org 0x64
	.word entryvector		@ Entry vector address.
	.org 0x68
	.word 0xB513B513
	.org 0x6c
	.word 0x10002000		@ Module load address.
	.org 0x70
	.word 0x0			@ Not compressed.
	.word 0x0
	.word 0x0

entryvector:
	.word 0
	.word entry

entry:
	adr r0, message			@ r0 = pointer to the NUL-terminated string.
	mov lr, pc			@ Return address: pc reads as .+8, i.e. the instruction after the ldr.
	ldr pc, uart0_tx_string_ptr	@ Jump to uart0_tx_string (old-style ARM call).
loop:	b loop				@ Spin forever once the message has been sent.

uart0_tx_string_ptr:
	.word uart0_tx_string
message:
	.asciz "Hello, world!\r\n"
_end:

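As an added example (not from the original mail or the E3 project), a small Python builder and parser for the Q;Q; header laid out in the attached testblock.s. Field offsets and meanings follow the comments in that file; the two unexplained constants at 0x0c and 0x68 are treated as opaque, and the Fletcher checksum mentioned in the mail is not modelled because the mail does not say where it is stored.

```python
import struct

# Layout taken from testblock.s; constants at 0x0c and 0x68 are kept opaque
# because the mail does not explain them.
MAGIC = b"Q;Q;"             # .word 0x3B513B51, little-endian
NAME_OFF, NAME_LEN = 0x14, 0x64 - 0x14
HEADER_LEN = 0x70 + 3 * 4   # header ends after the three words at 0x70

def build_block(name, entry, load_addr, body, compressed=0):
    """Emit a Q;Q; block with the header fields at the offsets testblock.s uses."""
    raw_name = name.encode("ascii")
    if len(raw_name) >= NAME_LEN:
        raise ValueError("name too long for the 0x14..0x64 field")
    hdr = bytearray(HEADER_LEN)
    hdr[0:4] = MAGIC
    struct.pack_into("<II", hdr, 0x08, HEADER_LEN + len(body), 0x10002)
    hdr[NAME_OFF:NAME_OFF + len(raw_name) + 1] = raw_name + b"\0"
    struct.pack_into("<III", hdr, 0x64, entry, 0xB513B513, load_addr)
    struct.pack_into("<III", hdr, 0x70, compressed, 0, 0)
    return bytes(hdr) + body

def parse_block(blob):
    """Parse a block, rejecting anything inconsistent with the layout."""
    if len(blob) < HEADER_LEN:
        raise ValueError("too short for a Q;Q; header")
    if blob[0:4] != MAGIC:
        raise ValueError("bad magic %r" % blob[0:4])
    length, _const = struct.unpack_from("<II", blob, 0x08)
    if length != len(blob):  # length word covers the whole block (_end - _start)
        raise ValueError("length field %d != actual size %d" % (length, len(blob)))
    name = blob[NAME_OFF:NAME_OFF + NAME_LEN].split(b"\0", 1)[0].decode("ascii")
    entry, magic2, load_addr = struct.unpack_from("<III", blob, 0x64)
    if magic2 != 0xB513B513:
        raise ValueError("unexpected word at 0x68: 0x%08x" % magic2)
    compressed = struct.unpack_from("<I", blob, 0x70)[0]
    return {"name": name, "length": length, "entry": entry,
            "load_addr": load_addr, "compressed": compressed,
            "body": blob[HEADER_LEN:]}

# Constructed sample: the testblock.s header values with an 8-byte dummy body.
SAMPLE = build_block("TEST BLOCK", 0x7c, 0x10002000, bytes(8))

if __name__ == "__main__":
    print(parse_block(SAMPLE))
```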