[E3-hacking] PBL & running arbitrary code

Matt Evans e3-hacking@earth.li
Thu, 10 Mar 2005 14:31:03 +0000

Hi David (Given),

I'm new to the list too (this week) so should also say a hello.

It sounds like your aims are the same as mine - and those of Ralph to 
whom I have been talking this week about booting stuff on the E2.  I 
have an E2 at the moment because it was 20 quid instead of 100 ;-)

So Ralph (and myself independently) has found that PBL sits waiting for 
a character 27 for 'a little bit' when it boots, then sends back a 
header (6, 6, 6, 6, 6, 6 ..) to say hello; and /then/ drops into the 
FSM for the EXP protocol Ralph has deciphered (!).

Last night I bodged an old USB mobile phone serial cable onto my EXP 
port - I'm pretty sure the E3 and the E2 differ with regard to the 
voltages on the EXP port.  That is, that webpage suggests that E3 is at 
RS232 levels and doesn't need any line drivers.  The E2 appears to be 
at TTL levels (0V and 5V) and as such won't work when connected 
straight to an RS232 port.  (I tried this too ;)  I connected the 
USB-serial (which didn't have line drivers to RS232 levels) to the EXP 
port and by sending ESC characters I was able to interrupt the E2 from 
its normal boot routine.  I didn't see the expected reply but I'm 
having all sorts of minicom/serial weirdness on OS X so I'm still 

> Does anyone know if it's possible to use PBL to download and run
> arbitrary code on the device?
> Directive 05 would seem to allow data to be written to memory, but there
> doesn't seem to be any way of getting it to be executed. Does anyone
> know of such a thing? Would 05 allow you to overwrite PBL's stack (the
> dodgy way of doing this?)

Yes :-)  It appears that all should be possible though I don't think 
it's been done yet - Ralph will know in more detail but it should be 
poss. to do exactly that since the stack pointer will be in a 
relatively predictable place.

> (I suppose the easiest way of running your own code is to write it into
> the flash and then do a normal boot, but I'd rather not brick it
> immediately. Heaven forbid, the standard software might turn out to be
> useful.)

Yes this sounds sensible - if there's an Easy Enough way to get 
bootstrap code in there via serial/EXP then we don't need any horrible 
JTAG stuff.  Ideally something like loading our own loader through PBL 
- our loader takes over and then we can download a DRAM image, or get 
it to reflash the NAND in such a way that PBL will later load our own