more info... bootloader slowly giving up its secrets
there are 7 (not 6) key combinations that it can recognize.
and additionally at least three more options.
-- first the keypresses:
B+C = we know it does hard reset (checks twice, so keep that pressed long enough to be sure)
R+O = looks for NKGZ.GZ, if not found then for NK.BIN on SD and flashes it. formatted as MS BIN. i assume that only flashes an OS image but make sure ram addresses are correct. i'm not sure if a large BIN (over 32mb) will fit in the OS partition in the flash, but GZ would still fit in that case.
R+S = looks for DOCSPL.NB0 on SD and flashes it - do not try this option!!!! it flashes an unformatted raw NB0, the primary bootloader image (commonly called IPL, bsquare calls it DOCSPL). will probably brick device if you try that with a random file.
note the main bootloader image is SABOOT just like on 900c
i didn't find mention of it as a plain image though, maybe it can be contained in BOOT.BIN
R+B = looks for BOOT.BIN on SD and flashes it. formatted as MS BIN, probably can contain bootloader or OS too, ram addresses in header will determine where to flash it, bootloader and/or OS partitions.
or maybe i'm wrong and it flashes SABOOT?
these three R+x will soft or hard reset if they don't find anything
G+K = flash image in a strange way: updates "RAMBootloader" using "KnownGoodBootloader"... it seems to be read from DOC (DOC is the flash chip on the bsquare phh). will soft or hard reset if image is not found. no idea on image name right now
U+D = usb download, downloads, flashes and optionally runs image from platform builder (image name is defined in platform builder when you select it from OS build dir). i don't know how to get platform builder 4.x to see it, maybe needs a proprietary driver, or need to try platform builder 5.0 (supports usb by default)
U+C? = something to do with usb download... not sure yet and could please someone confirm it is U+C
-- the three extra flags i don't know yet how to specify but,
one of them looks for BOOTFL.BIN - no idea yet what it contains, or what FL means, it loads the image from SD. also loads and flashes an image to static ram address (and its corresponding flash address) 0x96400000? (all i know is, OS should be from 0x94200000)
another looks for NKFL.BIN - no idea yet what it contains, or what FL means, again it would load the image from SD. but says it is not implemented..lol.
and the last one, seems it can load a plain RAM OS (named NK.BIN) off SD card
this one is the only one that doesn't do any flashing... i like that most by far!! if we can figure out how the hell to get this option set, then you can use the OS dumped from ram and converted to MS BIN then load it to RAM only, without any risks.
-- this RAM OS option would easily get through the password too, can be used to test custom roms, etc... and the OS is already loaded to RAM in the same memory consuming way anyway by default by the bsquare phh.
flashing is a bit risky for now, as i don't know yet how to zip it up, unless you want to flash a smaller less fully featured image... it is obvious the current fully featured big OS image is stored compressed in flash (or it wouldn't fit on the 32MB chip).
actually i know they use gzip but it's still risky until it's confirmed it works and of course it needs the same raw zlib the netbook pro etc devices use too. standard GZ will not work.
-- finally, there are two terminal access options, both are useless unless someone can disassemble cradle or the device and find the right ports:
one is over debug port - looks like serial port, or some proprietary debug port, the latter is more likely, as the 900c has this debug port too (just not used so much as on bsquare phh). this one simply sends lots of debug info during boot etc. (and maybe allows you to send options over, didn't see anything like that yet though.)
the other is over ethernet debug board - allows access to a neat menu with many interesting options
L - Run the S-Record Loader, whatever that may mean
E - Completely erases all of system Flash returns to prompt when complete
C, source, destination, length - Copy memory (RAM or Flash)
D[B, W, D, default D] - Display data from starting address
S[B, W, D, default D] - Sets data at starting address
G, address - Starts execution from the address
M[M, U, R, W] - Mount/Unmount or Read/Write Disk data to/from RAM
T - Run the self-test
I - Identify. Prints the device identification information
V, start, length - Verify checksum of specified memory region
Z, start, length - Zero memory region.
also can program "debug ethernet card" MAC address or program "product ethernet card MAC address"
this last one makes me wonder, can we get a product ethernet card and access this neat stuff. to enter this terminal you simply run U+D to start and fail usb download.
***
as a sum up we should get the RAM OS load option working. i have an OS image dumped from the bsq's memory that would work as a RAM OS very easily after an easy conversion. and of course load a modified OS that doesn't care about password.
Edited by cmonex 2008-03-15 11:44 PM
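
Added example, not part of the original post and not bsquare's code: a pre-flash sanity check for an MS BIN file, since the post says the RAM addresses in the header decide where an image lands. It assumes the commonly documented Windows CE layout (`B000FF\n`, start, length, then address/length/checksum records ending in an address-0 record); the function names are hypothetical, the sample image is constructed, and 0x94200000 is the OS base quoted in the post.

```python
import struct

SIGNATURE = b"B000FF\n"   # 7-byte magic that opens an MS BIN image
OS_BASE = 0x94200000      # OS start address quoted in the post

def build_sample(start, records):
    """Build a small constructed MS BIN image (demo data, not a real ROM)."""
    end = max(addr + len(data) for addr, data in records)
    out = SIGNATURE + struct.pack("<II", start, end - start)
    for addr, data in records:
        out += struct.pack("<III", addr, len(data), sum(data) & 0xFFFFFFFF) + data
    # Terminating record: address 0, length field carries the entry point.
    return out + struct.pack("<III", 0, start, 0)

def parse_bin(blob):
    """Return (image_start, image_length, records, entry) or raise ValueError."""
    if len(blob) < 15 or blob[:7] != SIGNATURE:
        raise ValueError("missing B000FF signature or header")
    start, length = struct.unpack_from("<II", blob, 7)
    pos, records, entry = 15, [], None
    while pos + 12 <= len(blob):
        addr, size, csum = struct.unpack_from("<III", blob, pos)
        pos += 12
        if addr == 0:          # terminator: size holds the entry point
            entry = size
            break
        data = blob[pos:pos + size]
        if len(data) != size:
            raise ValueError(f"record at {addr:#x} is truncated")
        if (sum(data) & 0xFFFFFFFF) != csum:
            raise ValueError(f"record at {addr:#x} fails its checksum")
        if addr < start or addr + size > start + length:
            raise ValueError(f"record at {addr:#x} is outside the declared image")
        records.append((addr, size))
        pos += size
    if entry is None:
        raise ValueError("no terminating record")
    return start, length, records, entry

def starts_at_os_base(blob, base=OS_BASE):
    """True only if the image parses cleanly and starts at the expected base."""
    try:
        return parse_bin(blob)[0] == base
    except ValueError:
        return False

if __name__ == "__main__":
    img = build_sample(OS_BASE, [(OS_BASE, b"\x01\x02\x03\x04")])
    print(parse_bin(img), starts_at_os_base(img))
```
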