[E3-hacking] Nearly there

David Given e3-hacking@earth.li
Tue, 22 Mar 2005 00:30:21 +0000


Well, I've finally worked out how to bend the E2's flash to my will.

The secret to reflashing it is directive 06, which erases the flash
chip. It took a while to find because the parameters are different.

	0600AAAA AAAABBBB BBBBCCCC
	AAAAAAAA = offset of start of area
	BBBBBBBB = length of area
	CCCC = flash chip to erase

Unlike directive 0E, which reprograms the flash, 06 *doesn't* want a
pseudoaddress in the range 80010000 and up. So, to reprogram the first
8kB page, you need:

	06000000 00000020 00000100

It might be possible to use this directive to erase the NOR flash, but I
don't even want to go *near* that --- JTAGless as I am, if I trash that
I've bricked the whole thing.

Once the flash has been erased it can be reprogrammed with 0E.

I've added flash erasure to pblq; it happens automatically when you try
to write to the flash. The average speed of the combined operation, at
115200 bps using 8kB data packets, is 6400 Bps. Not brilliant, but
better than some dev boards I've had to deal with. (Gen 2 M-Core
development board. 150 Bps, with a 2/5 chance of it crashing half-way
through a 4MB download, DIEDIEDIEDIE. Cough.)

Incidentally, as part of my test procedure, I erased the first megabyte
of flash --- the Amstrad firmware no longer boots. Hurray. When you boot
it, it fails to find the initial boot block (that I trashed last time),
blinks its lights rapidly at me, sit there for about ten seconds as it
tried to find another boot block, and then gives up and repeats.

...

The next step is to (a) create an image, (b) fix the checksum, (c)
persuade the E2 to run it, and (d) port a reasonable OS. Well, (a), (b)
and some of (c) are done.

It turns out that PBL *does* check the checksum of the boot chunk after
all (I'd mistaken a bne for a beq), and doing the maths to find out the
magic value to force the checksum to be zero is... slightly more complex
than I thought! When I'm less tired I'll try and do it properly, but for
now I'm brute-forcing it. As a result, PBL now sees my image as being
valid and tries to run it... and falls over:

PBL V3.1 Build:1277
PBL Exception at PC=EAFFFFFAh CPSR=600000D7h(Abort) SPSR=600000D3h(SVC)
 R0=00040074h  R1=00410090h  R2=00040090h  R3=FFFFFFFFh
 R4=00550000h  R5=00410000h  R6=00030000h  R7=00040000h
 R8=FFFF4C00h  R9=000141CCh R10=00000000h R11=FFFF4000h
R12=00000000h

That program counter looks awfully strange.

But, anyway, this means that I'm *this close* to running code. This
current bug is probably really simple, but I'm amazingly tired and need
to go to bed, and so I'll tackle it tomorrow.

Do we have anywhere where I can upload my shiny new version of pblq
(v0.2), which now has the ability to write to DRAM and flash, and has a
built-in serial terminal?

-- 
+- David Given --McQ-+ "I love the way Microsoft follows standards. In
|  dg@cowlark.com    | much the same manner that fish follow migrating
| (dg@tao-group.com) | caribou." --- Paul Tomblin
+- www.cowlark.com --+