[E3-hacking] 2. Re: W00t; it runs. (Matt Evans)
Sun, 24 Apr 2005 11:56:54 +0100
>From: Matt Evans <firstname.lastname@example.org>
>Subject: Re: [E3-hacking] W00t; it runs.
>Date: Sat, 23 Apr 2005 13:24:49 +0100
>Well done for your code download via the modem! Sounds interesting.
>Have you documented your procedure anywhere? Protocol/format of the
>data is probably* pretty similar to that over EXP, maybe? :) I don't
>have the means here to talk modem-modem to the device.
>I was interested to read in your GPL-vio email that the PBL/kernel
>images were obtained by de-soldering the flash chips on an E3. I'm
>keen to have a look at the E3's version of PBL (and thanks for sharing
>the symbols you'd deduced so far), but I'd prefer a non-invasive way of
>getting it out. (So, JTAG or some EXP hacks - chicken and egg scenario
>w.r.t. reverse-engineering PBL's (v4) protocol though ;) What is the
>state of the E3 whose flash chips were removed? Were they read and
>then soldered back in place, or was it a sacrificial broken
The flashes were desoldered, then the tsop48 was dumped.. I couldn't get
my hands on an adapter for the vsop :(
They were both resoldered (I changed the boot param block on the flash
and fixed the crc) and I was rewarded with a working console.
From this I was able to tar the filesystem (just to make sure - I'd
already reconstructed it from the flash dump), and dump the pbl.. (Thanks
to Noodles for pointing out the mmap necessity :D).
I sacrificed a different one so I could trace the jtag traces though..
:) They do go somewhere: there's a resistor block that needs fitted on
the top of the board, iirc..
I've just acquired a TI debug pod for the omap, so I'll doubtless be
continuing along this route, once I've completed disassembly of the pbl.
>(before/after) E3? IFF it was the latter I wonder if it might be
>possible to remove the OMAP5910 and beep out the JTAG pins to see if
>they go anywhere and if so, where?