[E3-hacking] PBL & running arbitrary code

Ralph Corderoy e3-hacking@earth.li
Thu, 10 Mar 2005 22:28:32 +0000

Hi Matt,

> It sounds like your aims are the same as mine - and those of Ralph to
> whom I have been talking this week about booting stuff on the E2.  I
> have an E2 at the moment because it was 20 quid instead of 100 ;-)

Where is the E2 GBP 20 now?  I think the E3's down to GBP 70 at Carphone
Warehouse.  The E2's still worth playing with though, especially if you
want to end up with more than one device.

> I connected the USB-serial (which didn't have linedrivers to RS232
> levels) to the EXP port and by sending ESC characters I was able to
> interrupt the E2 from its normal boot routine.

That's good.  (I'd explained to Matt that this was what had been
achieved with the E3; the suspension of its booting while its EXP port
was being tickled.) Matt, did you achieve this with that exp program out
of interest?

> I didn't see the expected reply but I'm having all sorts of
> minicom/serial weirdness on OS X so I'm still hopeful.

The E2's at 9600 baud.  Have you a scope that could monitor the E2's
TXD?  Lastly, was this using the same wiring as on the site for the E3's
EXP port, i.e. TXD on the E2 is tip?

        PC  pin 2, RXD o----------o TXD o-----v   |  | Emailer
     9-pin  pin 3, TXD o----------o RXD o-------^ |  | 3.5mm stereo
    D-type  pin 5, GND o----------o GND o---------|__| jack plug

> David Given wrote:
> > Does anyone know if it's possible to use PBL to download and run
> > arbitrary code on the device?
> >
> > Directive 05 would seem to allow data to be written to memory, but
> > there doesn't seem to be any way of getting it to be executed. Does
> > anyone know of such a thing? Would 05 allow you to overwrite PBL's
> > stack (the dodgy way of doing this?)
> Yes :-)  It appears that all should be possible though I don't think
> it's been done yet - Ralph will know in more detail but it should be
> poss. to do exactly that since the stack pointer will be in a
> relatively predictable place.

Request 05 checks the destination addresses.  All the bytes overwritten
must be in the range 0x40000..0x7fffff inclusive, 7936KiB.  I think the
stack descends from 0x1ba00.

> > What about well-known PBL variables?

Yes, there's quite a few of them now so something similar may be
possible with investigation.

> > And what does 07 do?

Hmm.  Not sure yet.  A very quick look suggests it dabbles with the NOR
boot flash.

> > (I suppose the easiest way of running your own code is to write it
> > into the flash and then do a normal boot, but I'd rather not brick
> > it immediately. Heaven forbid, the standard software might turn out
> > to be useful.)
> Yes this sounds sensible - if there's an Easy Enough way to get
> bootstrap code in there via serial/EXP then we don't need any horrible
> JTAG stuff.  Ideally something like loading our own loader through PBL
> - our loader takes over and then we can download a DRAM image, or get
> it to reflash the NAND in such a way that PBL will later load our own
> code.

The 64KiB NOR flash containing PBL is almost half empty IIRC.

Although with JTAG it should be possible to put a little EXP-port
downloader into RAM, run it, that pulls down a bootloader which in turn
is happy to run the code on a Smart Media card inserted in the side of the
E2, which would avoid having to flash during development.
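The destination check described above for Request 05, written out as an added example (this is not PBL's own code, which is not on this page): the 0x40000..0x7fffff window and the 0x1ba00 stack address come from the message, while the function names and the overflow-safe formulation are my own assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Window that Request 05 is described as accepting, inclusive. */
#define PBL_WRITE_LO UINT32_C(0x40000)
#define PBL_WRITE_HI UINT32_C(0x7fffff)
/* Address the message says the PBL stack descends from. */
#define PBL_STACK_TOP UINT32_C(0x1ba00)

/* True only if every byte of [addr, addr+len) lies inside the window.
 * The remaining room is computed from the upper bound instead of testing
 * addr + len, so an over-large len cannot wrap past the end and pass. */
bool pbl_write_in_range(uint32_t addr, uint32_t len)
{
    if (len == 0)
        return false;                     /* nothing to write: reject */
    if (addr < PBL_WRITE_LO || addr > PBL_WRITE_HI)
        return false;                     /* first byte already outside */
    uint32_t room = PBL_WRITE_HI - addr + 1;  /* bytes left to the end */
    return len <= room;
}

/* Size of the window in KiB, to confirm the 7936KiB figure. */
uint32_t pbl_window_kib(void)
{
    return (PBL_WRITE_HI - PBL_WRITE_LO + 1) / 1024;
}

int main(void)
{
    /* A write over the top of the stack is rejected by the range check. */
    uint32_t stack_addr = PBL_STACK_TOP - 16;
    printf("window = %lu KiB\n", (unsigned long)pbl_window_kib());
    printf("write at 0x%lx: %s\n", (unsigned long)stack_addr,
           pbl_write_in_range(stack_addr, 16) ? "accepted" : "rejected");
    printf("write at 0x7ffff0 of 32 bytes: %s\n",
           pbl_write_in_range(0x7ffff0, 32) ? "accepted" : "rejected");
    return 0;
}
```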