wiki.xda-developers.com
WallabyBootloader
!!!WALLABY Bootloader

One of the more promising accidental finds: if you press and hold the on/off key and then soft-reset the device, you will land in the <i><b>WALLABY Bootloader</b></i>. A soft reset is performed by gently pressing the stylus into the little hole on the left side of the device. The (even smaller) hole on the right, with the crossed-out battery marked next to it, is for erasing the device memory; that's not necessary to play with the bootloader a bit.

<b>Please keep in mind that we can accept no responsibility for anything that happens to your device from here on out.</b> We've seen some options that could easily send your device straight back to the factory for re-calibration, and we're sure there are many other ways to destroy your device here. We haven't yet wasted our devices, and we even still have all our data. This is no indication you will be equally lucky. Explorers are thought of as heroes because some of them die.

When the device goes into Bootloader mode, my device displays a background that consists of four equally sized vertical bars, colored (from top to bottom) white, red, green and blue. On top of this, it says:

<pre><b>
WALLABY Bootloader V5.14
WAIT
</b></pre>

After a few seconds, the WAIT is replaced by GSM OK. Both messages are in the blue bar, but have a white background. If you then press the volume button (the device calls it the 'Record' button) on the left side of the device, you'll get a white screen that says:

<pre><b>
USB FLASH MODE
=============
CONNECT USB CABLE NOW...
</b></pre>

Obviously this is some way to flash the device via USB. From here there's no way out (except probably hooking up something to USB, which I did not do), so I soft-reset while pressing the On/Off switch again.
!!Dumping the ROM

When you're at the bootloader start screen you can press the left button above the screen with the little business card on it (the device calls this button 'App3'); the device then says:

<pre><b>
FLASH TOOLS
=============
CE ROM TO SD
BOOT TO SD
CE+BOOT TO SD
GSM ROM TO SD
CE+GSM TO SD
</b></pre>

If you have a 5.14 bootloader and select either "GSM ROM TO SD" or "CE+GSM TO SD", the system responds with:

<pre><b>
SD BACKUP
=============
Please connect rs232 and
run PC Monitor Now
</b></pre>

We're not yet sure how to use this to dump the GSM ROM.

!!Writing main ROM to SD-card

The first option is highlighted by an inverse bar, and this bar can be moved using the arrow buttons on the device. If you select "BOOT TO SD", "CE ROM TO SD" or "CE+BOOT TO SD", the system will write the corresponding parts of the ROM to the SD card. It does so 'raw', i.e. without a file system, so it will destroy any data already on your SD card. If you have a 5.17 bootloader, you cannot use these features without a 'Card Key' written on your SD card.

!!Flashing the main ROM from SD

If you insert (or leave in) an SD card written as described above, and then boot to the bootloader, the system will come up with:

<pre><b>
SD Download
=============
CARD TYPE: CE OS
Press ACTION to Download
or Press REC to EXIT
</b></pre>

Of course there is little point in flashing the ROM with an image you've just made on the same device. But this does allow you to flash one device with bootloader and WinCE ROM images from another. It's obvious to us, but we'll say it anyway: <b>The maintainers of xda-developers.com do not accept any responsibility for lost devices if you flash the ROM.</b> Sheeesh...

!!5.17 bootloader

Starting with bootloader 5.17, we can see that the people at HTC have realised this was probably a little too open: anyone with a device and SD card could flash the ROM. So they incorporated a feature called a "Card Key".
Basically, they create a key field whose value depends on the hardware ID of a specific SD card. As long as this card-dependent key is on the card, the card can be used by the bootloader; otherwise it is rejected. They've also included a counter that determines how many times an SD card can be used to flash a device.

!!More info on SD ROM dump formats

Can be found in our <A HREF="SDdump.php">SD format description</a>.

!!Various tests

Back to reset while pressing On/Off again, and now pressing the right button, with the little calendar printed on it (called App1 by the device). Now the device displays:

<pre><b>
UTILITIES
=============
DEBUG/CALI.
GSM TURN ON
GSM TURN OFF
GSM RESET
GSM 900
GSM 1900
GSM 900/1800
GSM RFCAL
GSM NORMAL
</b></pre>

Now these look a lot nicer than they may be. We still haven't tested whether the device is actually a tri-band phone that is just software-limited to being a dual-band phone, but postings on the net seem to indicate that it is not actually a tri-band phone. But even though we think we know, we still need someone with access to a European phone in the U.S. or vice versa to test this.

<b>We haven't tried, and we strongly advise against trying "DEBUG/CALI.", "GSM RFCAL" and possibly even "GSM RESET", unless you really don't care about the device.</b> Options like these are used in factories where they have lots of expensive RF equipment to calibrate each individual phone. If you don't listen and still want to try these options, make sure you keep a good log of what happens, and please do tell us!

On to the next menu, this time after starting the bootloader and pressing the 'Action' button, which is the center of the rocker key below the screen. This time, it quickly reports that the GSM was already on, and then displays:

<pre><b>
DIAGNOSTICS
GPRS3.94324e2
Auto Test
RAM Test
Display Test
Touch Test
Playback Test
Record Test
Button Test
CheckSum Test
USB Test
Sir Test
Series Test
F Light Test
LED Test
Battery Test
Vibrator Test
SD Card Test
GSM Aud. Test
</b></pre>

The last option isn't visible at first, but becomes visible when scrolling to the end of the list. Each of these options performs a test of some part of the hardware. Feel free to play around; it is mostly straightforward. Just make sure you don't hold the device too close to your ears when you test the GSM Audio, as the audio loops back and creates quite a howl. Also noteworthy: the SD-card test erases the SD card in the process of testing that part of the device.

!!InitDebugSerial

Connect the XDA to the PC with a serial cable. Use HyperTerminal to connect (COM1:, 115200 8N1, hardware flow control). Now reboot the XDA in bootloader mode, and you'll see this:

<pre>
******************************************************
InitDebugSerial using SERIAL PORT 2
******************************************************
HTC Bootloader for ~[Wallaby] Version:5.14
Copyright (c) 1998-2001 High Tech Computer Corporation
Built at: Apr 18 2002 12:25:54
CPU speed = 206 MHz
DRAM speed = 103 MHz
Hardware platform = 2; (0:DVT, 1:Pre-PV, 2:PV, 3:Panasonic LCD, 4:Reserved)
Get resp timeout err, status is 42
Receive Response error, cmd = 41, arg = FFC000
comd1 No Response
Block size = 512 BYTES
Total blocks in Card: 243200 = 121600k bytes
Card type : Bootloader
SD card identify flag check ok !
Wait for turn on GSM...
GSM Turn on time = 1763 ms
FW 0:16:6>
</pre>

There's a list of commands if you enter 'h', and if you enter "h [command]" you get some basic help for that command. Here's the complete list:

<pre>
<b>? [command]</b>
    Helps on command.
    When no command is given, output a list of commands.
<b>h [command]</b>
    Helps on command.
    When no command is given, output a list of commands.
<b>r [[register] [[=] [hex_value]]]</b>
    Display/Set register value(s).
    When no register is given, all the registers' content are displayed.
    When only a register name is given, the content of that register is displayed.
    If the optional value is also given, the register's content is set to the new value.
    '=' sign is always ignored.
<b>g StartAddr</b>
    Jump and execute from a new address.
    StartAddr can be either a hex_address or a register name
    When StartAddr is not given, PC is used as the new address.
    The starting address MUST be in valid unmapped space.
    The monitor does not validate this address.
<b>mb [StartAddr [Count [Filler]]]</b>
    Display/Set memory content.
    StartAddr can be either a hex_address or a register name
    When StartAddr is not given, memory display continues from the previous address.
    When Count is not given, previous Count is used for memory display
    Count is initially set to 20 (hex).
    If Filler is specified, the memory area is filled with Filler.
    Memory will be displayed/counted as bytes
    StartAddr must be in valid unmapped space. It is not validated.
<b>mh [StartAddr [Count [Filler]]]</b>
    Display/Set memory content.
    StartAddr can be either a hex_address or a register name
    When StartAddr is not given, memory display continues from the previous address.
    When Count is not given, previous Count is used for memory display
    Count is initially set to 20 (hex).
    If Filler is specified, the memory area is filled with Filler.
    Memory will be displayed/counted as half-words
    StartAddr must be in valid unmapped space. It is not validated.
<b>mw [StartAddr [Count [Filler]]]</b>
    Display/Set memory content.
    StartAddr can be either a hex_address or a register name
    When StartAddr is not given, memory display continues from the previous address.
    When Count is not given, previous Count is used for memory display
    Count is initially set to 20 (hex).
    If Filler is specified, the memory area is filled with Filler.
    Memory will be displayed/counted as words
    StartAddr must be in valid unmapped space. It is not validated.
<b>mv SourceAddr DestAddr Length</b>
    SourAddr:hex memory address of source
    DestAddr:hex memory address of destination
    Length:The length of half-word memory data to move
<b>ew Addr</b>
    Addr:hex memory address
<b>eh Addr</b>
    Addr:hex memory address
<b>eb Addr</b>
    Addr:hex memory address
<b>u [StartAddr [Count]]</b>
    Unassemble instructions.
    StartAddr can be either a hex_address or a register name
    When StartAddr is not given, unassmebling continues from the previous address used for unassembling.
    When Count is not given, previous Count is used.
    Count is initially set to 14 (hex).
    For the first unassmeble command, EPC is used if StartAddr is not given.
    StartAddr must be in valid unmapped space. It is not validated.
    To avoid confusion, all the hex-numbers displayed are prefixed with 0x
    The absolute target address in a jump or branch instruction is caculated and displayed (except for jr instructions)
    Offset in 'offset(base)' is displayed in hex format
<b>ud [StartAddr [Count]]</b>
    Unassemble instructions.
    StartAddr can be either a hex_address or a register name
    When StartAddr is not given, unassmebling continues from the previous address used for unassembling.
    When Count is not given, previous Count is used.
    Count is initially set to 14 (hex).
    For the first unassmeble command, EPC is used if StartAddr is not given.
    StartAddr must be in valid unmapped space. It is not validated.
    To avoid confusion, all the hex-numbers displayed are prefixed with 0x
    The absolute target address in a jump or branch instruction is caculated and displayed (except for jr instructions)
    Offset in 'offset(base)' is displayed in decimal format
<b>l [path_name]</b>
    Download BIN file across from bi-directional parallel port.
    When path_name is not given, the file to be downloaded is determined by ppfs on the host.
    Otherwise, path_name on the host is downloaded regardless the ppfs setting.
    The file must be in the format of BIN (preprocessed SRE).
    The code is auto-launched once downloaded.
<b>lcp filename.bin</b>
    compare image with flash by serial port
<b>lb [path_name]</b>
    Download BIN file across from bi-directional parallel port.
    When path_name is not given, the file to be downloaded is determined by ppfs on the host.
    Otherwise, path_name on the host is downloaded regardless the ppfs setting.
    The file must be in the format of BIN (preprocessed SRE).
    Auto-launched is disabled after downloading.
<b>ppdl</b>
    Download the BIN file that assigned by PPSH command line.
    This download is via parallel port
<b>ppcp</b>
    for comparing image difference between download and flash datum
    The usage resembles ppdl command
<b>s StartAddr Count Pattern...</b>
    Search Memory for pattern.
    StartAddr can be either a hex_address or a register name
    The starting address MUST be in valid unmapped space.
    The monitor does not validate this address.
    Count and StartAddr defines a search region
    Patterns can be hex numbers or (single or double) quoted strings
    A hex number with less than three digits is considered a byte
    A hex number with less than fice digits but greater than two digits is consider a half-word
    Otherwise a hex number must contain less than 9 digits and is considered a word
    Up to 8 Patterns can be given in the command line
    They are concatenated as a single search pattern.
<b>ram start len</b>
    DRAM test
<b>map</b>
    Display virtual address mapping table
</pre>

(And here's the output of map...)
<pre>
Physical     Virtual
--------------------------------------------
0x00000000   0xA0000000
0x08000000   0xA2000000
0x18000000   0xA4000000
0x40000000   0xA6000000
0xC0000000   0xAC000000
0x10000000   0xAE000000
0x20000000   0xABA00000
0x30000000   0xABC00000
0x28000000   0xB0000000
0x38000000   0xB4400000
0x2C000000   0xB4C00000
0x3C000000   0xB8C00000
0x80000000   0xA8000000
0x90000000   0xA9000000
0xA0000000   0xAA000000
0xB0000000   0xAB000000
0xE0000000   0xA8C00000
0x41000000   0xA8600000
0x49000000   0xA8700000
0x4A000000   0xA8800000

<b>page</b>
    Set flash ROM to page mode
<b>lr bin-file</b>
    Load BIN to ram and Go
<b>cp reg# OPC_2 CRm [value]</b>
    Access coprocessor registers
<b>lcdtest [loop delay(ms)]</b>
    Default: loop=1, delay=1000
<b>usb uart ulysse</b>
    Help does not provide info about these commands
<b>normal number(Hex)</b>
    Unyless Normal mode(UART2 --- UART3
    number indicates what baud rate set to UART
    number inputed is considered as heximal, not decimal.
    0: 115200(defaut), 1: 57600, 2: 38400, 3: 19200, 4: 9600,
<b>atcmd number(Hex)</b>
    Unyless ATCommand mode(UART2 --- UART1
    number indicates what baud rate set to UART
    number inputed is considered as heximal, not decimal.
    0: 115200(defaut), 1: 57600, 2: 38400, 3: 19200, 4: 9600,
<b>diag</b>
    Use the key of target for diagnostic test !
<b>util</b>
    Use the key of target for GSM utilities !
<b>r2c</b>
    Copy WinCE ROM Image to SD Card
<b>r2ca</b>
    Copy WinCE & Bootloader ROM Image to SD Card
<b>r2cb</b>
    Bootloader ROM Image to SD Card
<b>c2r</b>
    Restore ROM image from SD to FlashROM
<b>sddump</b>
    sddump [block_num]
<b>dualtrace</b>
    Command mode : UART3 <- pack/unpack AT command -> PPSH
                   UART3 <- X-panel trace -> UART2
    Data mode    : UART1 <- Data -> PPSH
                   UART3 <- X-panel trace -> UART2
<b>dual</b>
    Command mode : UART3 <- pack/unpack AT command -> PPSH
                   UART3 <- X-panel trace -> UART2
    Data mode    : UART1 <- Data -> PPSH
                   UART3 <- pack/unpack AT command -> UART2
<b>dualser</b>
    Command mode : UART3 <- pack/unpack AT command -> UART2
                   UART3 <- X-panel trace -> PPSH
</pre>

For instance, to manually jump to the CE bootstrap (entry point is at 0x41000):

<pre>
g 41000
</pre>

For some reason the display is not initialized properly here, but it is running PocketPC now... The entry point for the bootloader itself is at 0x1000. Disassemble:

<pre>
u 8c079000
8C079000 E321F0D3 _c CPSR_c , #0x000000D3
8C079004 E59F04D8 LDR R0, [PC, #0x000004D8]
8C079008 E5901000 LDR R1, [R0]
8C07900C E2111001 ANDS R1, R1, #0x00000001
8C079010 0A000018 B Offset 0x00000068( 0x8C079078 )
8C079014 E5901000 LDR R1, [R0]
8C079018 E2111B01 ANDS R1, R1, #0x00000400
8C07901C 1A000003 B Offset 0x00000014( 0x8C079030 )
8C079020 E59F04C0 LDR R0, [PC, #0x000004C0]
8C079024 E5901000 LDR R1, [R0]
8C079028 E2111002 ANDS R1, R1, #0x00000002
8C07902C 0A000011 B Offset 0x0000004C( 0x8C079078 )
8C079030 E3A00A41 MOV R0, #0x00041000
8C079034 E1A0F000 MOV PC, R0
</pre>

This is the code from the entry point. When some tests fail it will load the entry point of CE into the PC register (and jump there...). Done? Just hit soft reset, wait for boot, and you're back to normal. Pfew...
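Two things in the serial-monitor section above can be worked through offline: the width rules of the `s` command (a hex number of 1-2 digits is a byte, 3-4 a half-word, 5-8 a word, quoted strings are literal, up to eight patterns are concatenated) and the fourteen words of the `u 8c079000` listing. The following is an added example, not code from the Wallaby bootloader, HTC or xda-developers. It parses `s` arguments by those rules and searches a constructed memory image built from the listing's own words, and it decodes those words with a minimal ARM decoder that covers only the instruction forms present in the listing (data-processing with a rotated immediate or an unshifted register, LDR/STR with a 12-bit offset, B/BL). Two assumptions the page does not state: memory and multi-byte patterns are little-endian (the StrongARM runs little-endian), and Count for `s` is a byte count. Decoding shows what the monitor's output hides: the first instruction, whose mnemonic was lost in the listing above, is MSR CPSR_c, #0xD3 (supervisor mode, IRQ and FIQ masked); the three "B Offset" lines are conditional (BEQ, BNE, BEQ, as their leading nibbles 0 and 1 say); and the immediate 0x41000 in E3A00A41 is the byte 0x41 rotated right by 2*0xA = 20 bits, which is why the operand field reads A41.

```python
# Added example, not code from the Wallaby bootloader, HTC or xda-developers.
# Part 1 models the monitor's `s StartAddr Count Pattern...` command by the width
# rules in its help text; Part 2 decodes the instruction forms in the `u 8c079000`
# listing. Assumptions: little-endian memory and patterns; Count is a byte count.
import re

# The entry-point listing exactly as the monitor printed it on this page.
LISTING = [
    (0x8C079000, 0xE321F0D3), (0x8C079004, 0xE59F04D8), (0x8C079008, 0xE5901000),
    (0x8C07900C, 0xE2111001), (0x8C079010, 0x0A000018), (0x8C079014, 0xE5901000),
    (0x8C079018, 0xE2111B01), (0x8C07901C, 0x1A000003), (0x8C079020, 0xE59F04C0),
    (0x8C079024, 0xE5901000), (0x8C079028, 0xE2111002), (0x8C07902C, 0x0A000011),
    (0x8C079030, 0xE3A00A41), (0x8C079034, 0xE1A0F000),
]
BASE = LISTING[0][0]
# Constructed image: the listing's words little-endian, then the "GSM OK" banner
# text, placed here only so a quoted-string pattern has something to hit.
IMAGE = b"".join(w.to_bytes(4, "little") for _, w in LISTING) + b"GSM OK\x00"

# ---- Part 1: `s` patterns and search ---------------------------------------
def parse_pattern(token):
    """One `s` argument -> bytes. Quoted strings are literal; a hex number of
    1-2 digits is a byte, 3-4 digits a half-word, 5-8 digits a word."""
    if len(token) >= 2 and token[0] == token[-1] and token[0] in "'\"":
        return token[1:-1].encode("ascii")
    if not re.fullmatch(r"[0-9A-Fa-f]{1,8}", token):
        raise ValueError(f"bad pattern {token!r}: 1-8 hex digits or a quoted string")
    width = 1 if len(token) <= 2 else 2 if len(token) <= 4 else 4
    return int(token, 16).to_bytes(width, "little")

def search(image, base, start, count, tokens):
    """Addresses in [start, start+count) where the concatenated patterns begin."""
    if not 1 <= len(tokens) <= 8:
        raise ValueError("between 1 and 8 patterns are allowed")
    needle = b"".join(parse_pattern(t) for t in tokens)
    region = image[start - base:start - base + count]
    hits, pos = [], region.find(needle)
    while pos != -1:
        hits.append(start + pos)
        pos = region.find(needle, pos + 1)
    return hits

# ---- Part 2: decoding the `u` listing --------------------------------------
COND = "EQ NE CS CC MI PL VS VC HI LS GE LT GT LE".split() + ["", "NV"]
DP_OPS = "AND EOR SUB RSB ADD ADC SBC RSC TST TEQ CMP CMN ORR MOV BIC MVN".split()

def reg(n):
    return {13: "SP", 14: "LR", 15: "PC"}.get(n, f"R{n}")

def rotated_imm(op2):
    """Data-processing operand 2: imm8 rotated right by twice the 4-bit field."""
    rot, imm8 = 2 * ((op2 >> 8) & 0xF), op2 & 0xFF
    return (((imm8 >> rot) | (imm8 << (32 - rot))) & 0xFFFFFFFF) if rot else imm8

def branch_target(addr, word):
    """B/BL target: PC at execution (addr + 8) plus sign-extended imm24 * 4."""
    imm24 = word & 0x00FFFFFF
    if imm24 & 0x00800000:
        imm24 -= 0x01000000
    return (addr + 8 + 4 * imm24) & 0xFFFFFFFF

def decode(addr, word):
    cond, op = COND[word >> 28], (word >> 25) & 0x7
    rn, rd = (word >> 16) & 0xF, (word >> 12) & 0xF
    if op == 0b101:                                  # B / BL
        link = "L" if word & (1 << 24) else ""
        return f"B{link}{cond} 0x{branch_target(addr, word):08X}"
    if op == 0b010:                                  # LDR/STR, 12-bit immediate offset
        mnem = "LDR" if word & (1 << 20) else "STR"
        sign, off = ("" if word & (1 << 23) else "-"), word & 0xFFF
        index = f", #{sign}0x{off:X}" if off else ""
        return f"{mnem}{cond} {reg(rd)}, [{reg(rn)}{index}]"
    if op == 0b001:                                  # data processing, immediate
        operand = f"#0x{rotated_imm(word & 0xFFF):X}"
    elif op == 0b000 and (word & 0xFF0) == 0:        # data processing, unshifted register
        operand = reg(word & 0xF)
    else:
        return f"? 0x{word:08X}"                     # forms that do not occur on this page
    opcode, s = (word >> 21) & 0xF, (word >> 20) & 1
    if opcode in (0b1001, 0b1011) and not s and rd == 0xF:   # MSR sits in the TEQ/CMN slot
        psr = "SPSR" if opcode & 0b0010 else "CPSR"
        fields = "".join(f for f, b in zip("cxsf", range(16, 20)) if word & (1 << b))
        return f"MSR{cond} {psr}_{fields}, {operand}"
    mnem = DP_OPS[opcode]
    if opcode in (0b1000, 0b1001, 0b1010, 0b1011):   # TST/TEQ/CMP/CMN write no Rd
        return f"{mnem}{cond} {reg(rn)}, {operand}"
    sflag = "S" if s else ""
    if opcode in (0b1101, 0b1111):                   # MOV/MVN take no Rn
        return f"{mnem}{cond}{sflag} {reg(rd)}, {operand}"
    return f"{mnem}{cond}{sflag} {reg(rd)}, {reg(rn)}, {operand}"

def disassemble(listing=LISTING):
    return [f"{a:08X} {w:08X} {decode(a, w)}" for a, w in listing]

def ce_entry_point(listing=LISTING):
    """Follow `MOV Rd, #imm ... MOV PC, Rd` and return imm, the CE hand-over address."""
    regs = {}
    for _, w in listing:
        if (w >> 25) & 0x7 == 0b001 and (w >> 21) & 0xF == 0b1101:  # MOV Rd, #imm
            regs[(w >> 12) & 0xF] = rotated_imm(w & 0xFFF)
        elif (w & 0x0FFFFFF0) == 0x01A0F000:                        # MOV PC, Rm
            return regs.get(w & 0xF)
    return None
```

`disassemble()` reproduces the listing with the condition codes restored, `ce_entry_point()` returns 0x41000, and `search(IMAGE, BASE, BASE, len(IMAGE), ["E3A00A41"])` returns `[0x8C079030]`, the address of that MOV; passing a Count of 0x30 instead returns nothing, because the region then ends just before the match. The decoded branches also make the control flow of the entry code explicit: bit 0 of the word behind the first literal is tested and, if clear, control leaves for 0x8C079078 (past the listing); if bit 10 is set, control goes straight to the MOV/MOV PC pair at 0x8C079030; otherwise bit 1 of the word behind the second literal decides. What the two literal pointers reference is not shown on the page.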