[E3-hacking] PBL & running arbitrary code

[Matt Evans]

Hi David,

Sounds like you're getting somewhere!  It's a lovely little motherboard 
once you strip out the GCSE D&T casing, isn't it?  I'm especially 
looking forward to getting something going on it.

As a completely tangential aside, I noticed the extra pads around the 
(I can't remember, guessing) speech codec;  my board, at least, has 2 
sets of pads for the 2 types of SCP.  What an excellent place to 
slodder on new peripherals! ;-)  There are unused chip select lines 
from the CPU, too!

On 12 Mar 2005, at 22:30, David Given wrote:

> On Sat, 2005-03-12 at 19:40 +0000, Ralph Corderoy wrote:
> [...]
>> Possibly.  Both Matt and I independently assumed a key held down on 
>> the
>> telephone keypad, that's probably our Acorn backgrounds, but nothing 
>> in
>> the code suggests that AFAIK.
>
> I can't think of anything else that it could be --- unless the 
> trigger's
> something in the firmware, and that my unit has been locked down, and
> your units haven't.
>
> (My unit *does* seem to be a little different --- Matt, have you taken
> the lid off yours yet? Does it have an SMC adaptor soldered onto the 
> top
> of the motherboard? What PBL version and build is it? [Start it up,
> press SETUP, 1.])

Yep, the case was discarded long ago.  So this sounds interesting - I 
thought all units had the smartmedia slot.  Mine certainly does - but I 
have the older psion5-style keyboard model.  Does yours still have a 
smart/card/ slot on the right too?

My PBL is the same version as yours (1277).

Something that was unclear in your previous emails was the cable that 
you were using - it sounded like it was direct RS232 plug to a 3.5mm 
jack with no voltage conversion?  This didn't work for me.

My reasoning:  the port levels are 5V and 'about 5V' on transmit and 
receive pins, respectively.  This does not look like an RS232 port.  
You will see at least -6 or probably -9V on most RS232 ports (i.e. 
below ground), when they're in a quiescent state.  Therefore I'm pretty 
sure we shouldn't be connecting it straight to RS232 levels because it 
won't work.

> Incidentally, useful factoid. The boot process goes like this:
>
>      1. Splash screen (pretty picture of the emailer).
>      2. Title screen (with 'Personal Communication Centre' across the
>         middle).
>      3. Main menu.
>
> If on the transition between 1 and 2, you press STOP+HANDSFREE, the
> machine will reset itself back into a virgin state.
>
> Do we know yet what puts up the splash screen? PBL or the main 
> software?
> What do you see on a successfully suspended boot?

That's very cool... wonder what that's for?  (Unless it's just a bug ;) 
  Also when playing with JTAG I got the unit to crash and got a nicely 
anti-aliased debug code and a TLA on a screen that looks like 2. didn't 
make sense to me, was a 32bit hex number but not a plausible address... 
anyway.  As far as I can tell the splash screen is from the main ROM, 
not PBL.  (I haven't seen PBL touching the LCD (Ralph, you?) nor is 
there space in the boot ROM to hold such a bitmap (even compressed, 
that dithering.. hmm.. just doesn't feel likely).

When I interrupted its boot the other night I was sending chr(27) via a 
TTL-level serial port (one half of a USB-RS232 cable, i.e. the bare 
UART pins before they go to the MAX232-style linedriver to make them 
+/-9V), and I saw.... nothing.  (Screen remained dark, no backlight 
power either).

If at all possible if you can't get it working with your RS232 cable 
I'd try to wire up a linedriver chip (MAX232, MAX3232, loads of ppl 
make them & RS sell them) to turn the RS232 levels from your PC serial 
port back into 0V/5V levels.  You may also be able to bodge these 
signals from something in your PC;  if you have an old ISA serial card 
you can often lift these signals from the 16550 UART before they go 
through the linedriver chip to the external socket.  I don't know your 
level of electronics knowledge but if I can help just ask.



Cheers,



Matt