[E3-hacking] PBL & running arbitrary code
Ralph Corderoy
e3-hacking@earth.li
Sat, 12 Mar 2005 19:40:44 +0000
Hi David,
> > 0338 eb001b44 bl rx_uart0_byte
>
> So what does rx_uart0_byte return if the FIFO is empty? It either
> blocks, in which case we could find the timeout, or else it just
> returns failure --- probably 0. In which case, the only way of
> triggering the boot loader is to make sure that the byte hits the FIFO
> before this piece of code gets called.
There's more code before the bit I quoted.
032c eb001b37 bl is_uart0_rx_fifo_empty
0330 e3500000 cmp r0, #0
0334 0a000006 beq &0354
So rx_uart0_byte isn't called unless there's a byte in the FIFO.
This whole bit of code is run each iteration around one of the states of
the main FSMs. I can't remember more detail at the moment.
> Since both our programs are spamming the thing silly with ESC chars,
> then I suspect there might be some other condition that needs to be
> met before this code even gets called.
Possibly. Both Matt and I independently assumed a key held down on the
telephone keypad, that's probably our Acorn backgrounds, but nothing in
the code suggests that AFAIK.
> It just happens to be true on your E3 and Matt's E2, but not on mine.
I think that's unlikely.
> Might there be some sort of hardware query buried in the setup routine
> in main()?
Maybe. But there's quite a lot of code and it calls out to lots of
places that nest quite deep.
> > Attached is a small tar file, exp-1.tar.bz2, containing exp.c and
> > various other gubbins. I've heard it has some effect with the E3
> > doing what you state above.
>
> This seems to send a single 1B, and bail with a EOF error when it
> tries to read the response.
It shouldn't do that. Is that what actually happens, in which case the
stdout and stderr would be handy, or what you think from a quick look?
It writes ESCs for a while and then switches to sending a few protocol
messages for luck. All the while it looks for anything coming back.
Both read(2) and write(2) are non-blocking, it doesn't use poll(2), so
it's a busy loop which is fine for a quick hack.
Use environment variables to tweak parameters, especially baud rate.
$ ./exp -h
exp: wrong number of arguments.
usage: [EXPTTY=tty] [EXPBAUD=baud] [EXPTXLEN=txlen] [EXPTXGAP=txgap] exp
tty is the serial port to use, default /dev/ttyS0.
baud is the baud rate to use, default 115200.
txlen is the seconds spent sending escapes, default 30.
txgap is the seconds between sending escapes, default 0.005.
$
> How were you running it? Before boot, after boot?
By setting txlen large you've time to turn on the E2 once ./exp has
started sending.
Perhaps Matt can specify what his procedure is that got the E2 to
suspend booting.
Cheers,
Ralph.