One of the more promising accidental finds: if you press and hold the on/off key and then soft-reset the device, you will land in the WALLABY Bootloader. A soft reset is performed by gently pressing the stylus into the little hole on the left side of the device. The (even smaller) hole on the right, with the crossed-out battery marked next to it, is for erasing the device memory, but that's not necessary to play with the bootloader a bit.
Please keep in mind that we can accept no responsibility for anything that happens to your device from here on out. We've seen some options that could easily send your device straight back to the factory for re-calibration, and we're sure there are many other ways to destroy your device here. We haven't yet wasted our devices, and we even still have all our data. This is no indication you will be equally lucky. Explorers are thought of as heroes because some of them die.
When the device goes into Bootloader mode, it displays a background that consists of four equally sized bars, stacked vertically and colored (from top to bottom) white, red, green and blue. On top of this, it says:
WALLABY
Bootloader
V5.14
WAIT
After a few seconds, WAIT is replaced by GSM OK. Both messages are in the blue bar, but have a white background. If you then press the volume button (the device calls it the 'Record' button) on the left side of the device, you'll get a white screen that says:
USB FLASH
MODE
=============
CONNECT USB
CABLE NOW...
Obviously this is some way to flash the device via USB. From here there's no way out (except probably hooking up something to USB, which I did not do), so I soft-reset while pressing the On/Off switch again.
Dumping the ROM
When you're at the bootloader start screen and press the left button above the screen with the little business card on it (the device calls this button 'App3'), the device says:
FLASH TOOLS
=============
CE ROM TO SD
BOOT TO SD
CE+BOOT TO SD
GSM ROM TO SD
CE+GSM TO SD
If you have a 5.14 bootloader, and select either "GSM ROM TO SD" or "CE+GSM TO SD", the system responds with:
SD BACKUP
=============
Please
connect rs232
and run
PC Monitor
Now
We're not yet sure how to use this to dump the GSM ROM.
Writing main ROM to SD-card
The first option is highlighted by an inverse bar, and this bar can be moved using the arrow buttons on the device. If you select "BOOT TO SD", "CE ROM TO SD" or "CE+BOOT TO SD", the system will write the corresponding parts of the ROM to the SD card. It will do so 'RAW', i.e. without a file system, so it will destroy any data already on your SD card.
If you have a 5.17 bootloader, you cannot use these features without a 'Card Key' written on your SD card.
Flashing the main ROM from SD
If you insert (or leave in) an SD card written as described above, and then boot to the bootloader, the system will come up with:
SD Download
=============
CARD TYPE:
CE OS
Press ACTION
to Download
or
Press REC
to EXIT
Of course there is little point in flashing the ROM with an image you've just made on the same device. But this does allow you to flash one device with the bootloader and WinCE ROM images from another.
It's obvious to us, but we'll say it anyway: The maintainers of xda-developers.com do not accept any responsibility for lost devices if you flash the ROM. Sheeesh...
5.17 bootloader
Starting with bootloader 5.17, we can see that the people at HTC have realised this was probably a little too open: anyone with a device and an SD card could flash the ROM. So they incorporated a feature called a "Card Key". Basically, they create a key field which is set depending on the hardware ID of a specific SD card. So as long as this SD-card-dependent key is on the card, it can be used by the bootloader; otherwise it is rejected. They've also included a counter that determines how many times an SD card can be used to flash a device.
More info on SD ROM dump formats
It can be found in our SD format description (SDdump.php).
Various tests
Back to resetting while pressing On/Off again, and now pressing the right button, with the little calendar printed on it (called App1 by the device). Now the device displays:
UTILITIES
=============
DEBUG/CALI.
GSM TURN ON
GSM TURN OFF
GSM RESET
GSM 900
GSM 1900
GSM 900/1800
GSM RFCAL
GSM NORMAL
These look a lot nicer than they may actually be. We still haven't tested whether the device is actually a tri-band phone that is just software-limited to being a dual-band phone, but postings on the net seem to indicate that it is not. But even though we think we know, we still need someone with access to a European phone in the U.S. or vice versa to test this. We haven't tried, and we strongly advise against trying, "DEBUG/CALI.", "GSM RFCAL" and possibly even "GSM RESET", unless you really don't care about the device. Options like these are used in factories with lots of expensive RF equipment to calibrate each individual phone. If you don't listen and still want to try these options, make sure you keep a good log of what happens, and please do tell us!
On to the next menu, this time after starting the bootloader and pressing the 'Action' button, which is the center of the rocker key below the screen. This time, it quickly reports that the GSM was already on, and then displays:
DIAGNOSTICS
GPRS3. 94324e2
Auto Test
RAM Test
Display Test
Touch Test
Playback Test
Record Test
Button Test
?CheckSum Test
USB Test
Sir Test
Series Test
F Light Test
LED Test
Battery Test
Vibrator Test
SD Card Test
GSM Aud. Test
The last option isn't visible, but becomes visible when scrolling to the end of the list. Each of these options performs a test of some part of the hardware. Feel free to play around; it is mostly straightforward. Just make sure you don't hold it too close to your ears when you test the GSM Audio, as the audio loops back and creates quite a howl. Also noteworthy: the SD-card test erases the SD card in the process of testing that part of the device.
Connect the XDA to the PC with a serial cable. Use HyperTerminal to connect (COM1:, 115200 8N1, hardware flow control). Now reboot the XDA in bootloader mode, and you'll see this:
******************************************************
?InitDebugSerial using SERIAL PORT 2
******************************************************
HTC Bootloader for [Wallaby] Version:5.14
Copyright (c) 1998-2001 High Tech Computer Corporation
Built at: Apr 18 2002 12:25:54
CPU speed = 206 MHz
DRAM speed = 103 MHz
Hardware platform = 2; (0:DVT, 1:Pre-PV, 2:PV, 3:Panasonic LCD, 4:Reserved)
Get resp timeout err, status is 42 Receive Response error, cmd = 41,
arg = FFC000 comd1 No Response Block size = 512 BYTES
Total blocks in Card: 243200 = 121600k bytes
Card type : Bootloader SD card identify flag check ok !
Wait for turn on GSM... GSM Turn on time = 1763 ms FW 0:16:6>
There's a list of commands if you enter 'h', and if you enter "h ?command" you get some basic help for that command. Here's the complete list:
? ?command
Helps on command.
When no command is given, output a list of commands.
h ?command
Helps on command.
When no command is given, output a list of commands.
r ?[register?[=?hex_value]]
Display/Set register value(s).
When no register is given, all the registers' content are displayed.
When only a register name is given, the content of that register is
displayed.
If the optional value is also given, the register's content is set to
the new value.
'=' sign is always ignored.
g StartAddr
Jump and execute from a new address.
StartAddr can be either a hex_address or a register name
When StartAddr is not given, PC is used as the new address.
The starting address MUST be in valid unmapped space.
The monitor does not validate this address.
mb ?StartAddr [Count [Filler]]
Display/Set memory content.
StartAddr can be either a hex_address or a register name
When StartAddr is not given, memory display continues from the
previous address.
When Count is not given, previous Count is used for memory display
Count is initially set to 20 (hex).
If Filler is specified, the memory area is filled with Filler.
Memory will be displayed/counted as bytes
StartAddr must be in valid unmapped space.
It is not validated.
mh ?StartAddr [Count [Filler]]
Display/Set memory content.
StartAddr can be either a hex_address or a register name
When StartAddr is not given, memory display continues from the
previous address.
When Count is not given, previous Count is used for memory display
Count is initially set to 20 (hex).
If Filler is specified, the memory area is filled with Filler.
Memory will be displayed/counted as half-words
StartAddr must be in valid unmapped space.
It is not validated.
mw ?StartAddr [Count [Filler]]
Display/Set memory content.
StartAddr can be either a hex_address or a register name
When StartAddr is not given, memory display continues from the
previous address.
When Count is not given, previous Count is used for memory display
Count is initially set to 20 (hex).
If Filler is specified, the memory area is filled with Filler.
Memory will be displayed/counted as words
StartAddr must be in valid unmapped space.
It is not validated.
mv SourceAddr DestAddr Length
SourAddr:hex memory address of source
DestAddr:hex memory address of destination
Length:The length of half-word memory data to move
ew Addr
Addr:hex memory address
eh Addr
Addr:hex memory address
eb Addr
Addr:hex memory address
u ?StartAddr [Count]
Unassemble instructions.
StartAddr can be either a hex_address or a register name
When StartAddr is not given, unassmebling continues from the
previous address used for unassembling.
When Count is not given, previous Count is used.
Count is initially set to 14 (hex).
For the first unassmeble command, EPC is used if StartAddr is not given.
StartAddr must be in valid unmapped space.
It is not validated.
To avoid confusion, all the hex-numbers displayed
are prefixed with 0x
The absolute target address in a jump or branch instruction is
caculated and displayed (except for jr instructions)
Offset in 'offset(base)' is displayed in hex format
ud ?StartAddr [Count]
Unassemble instructions.
StartAddr can be either a hex_address or a register name
When StartAddr is not given, unassmebling continues from the
previous address used for unassembling.
When Count is not given, previous Count is used.
Count is initially set to 14 (hex).
For the first unassmeble command, EPC is used if StartAddr is not given.
StartAddr must be in valid unmapped space.
It is not validated.
To avoid confusion, all the hex-numbers displayed
are prefixed with 0x
The absolute target address in a jump or branch instruction is
caculated and displayed (except for jr instructions)
Offset in 'offset(base)' is displayed in decimal format
l ?path_name
Download BIN file across from bi-directional parallel port.
When path_name is not given, the file to be downloaded is determined
by ppfs on the host.
Otherwise, path_name on the host is downloaded regardless the ppfs setting.
The file must be in the format of BIN (preprocessed SRE).
The code is auto-launched once downloaded.
lcp filename.bin
compare image with flash by serial port
lb ?path_name
Download BIN file across from bi-directional parallel port.
When path_name is not given, the file to be downloaded is determined
by ppfs on the host.
Otherwise, path_name on the host is downloaded regardless the ppfs setting.
The file must be in the format of BIN (preprocessed SRE).
Auto-launched is disabled after downloading.
ppdl
Download the BIN file that assigned by PPSH command line.
This download is via parallel port
ppcp
for comparing image difference between
download and flash datum
The usage resembles ppdl command
s StartAddr Count Pattern...
Search Memory for pattern.
StartAddr can be either a hex_address or a register name
The starting address MUST be in valid unmapped space.
The monitor does not validate this address.
Count and StartAddr defines a search region
Patterns can be hex numbers or (single or double) quoted strings
A hex number with less than three digits is considered a byte
A hex number with less than fice digits but greater than two digits
is consider a half-word
Otherwise a hex number must contain less than 9 digits and is considered
a word
Up to 8 Patterns can be given in the command line
They are concatenated as a single search pattern.
ram start len
DRAM test
map
Display virtual address mapping table
(And here's the output of map...)
Physical Virtual
--------------------------------------------
0x00000000 0xA0000000
0x08000000 0xA2000000
0x18000000 0xA4000000
0x40000000 0xA6000000
0xC0000000 0xAC000000
0x10000000 0xAE000000
0x20000000 0xABA00000
0x30000000 0xABC00000
0x28000000 0xB0000000
0x38000000 0xB4400000
0x2C000000 0xB4C00000
0x3C000000 0xB8C00000
0x80000000 0xA8000000
0x90000000 0xA9000000
0xA0000000 0xAA000000
0xB0000000 0xAB000000
0xE0000000 0xA8C00000
0x41000000 0xA8600000
0x49000000 0xA8700000
0x4A000000 0xA8800000
page
Set flash ROM to page mode
lr bin-file
Load BIN to ram and Go
cp reg# OPC_2 CRm ?value
Access coprocessor registers
lcdtest ?loop delay(ms)
Default:
loop=1, delay=1000
usb
uart
ulysse
Help does not provide info about these commands
normal number(Hex)
Unyless Normal mode(UART2 --- UART3
number indicates what baud rate set to UART
number inputed is considered as heximal, not decimal.
0: 115200(defaut), 1: 57600, 2: 38400, 3: 19200, 4: 9600,
atcmd number(Hex)
Unyless ATCommand mode(UART2 --- UART1
number indicates what baud rate set to UART
number inputed is considered as heximal, not decimal.
0: 115200(defaut), 1: 57600, 2: 38400, 3: 19200, 4: 9600,
diag
Use the key of target for diagnostic test !
util
Use the key of target for GSM utilities !
r2c
Copy WinCE ROM Image to SD Card
r2ca
Copy WinCE & Bootloader ROM Image to SD Card
r2cb
Bootloader ROM Image to SD Card
c2r
Restore ROM image from SD to FlashROM
sddump block_num
dualtrace
Command mode :
UART3 <- pack/unpack AT command -> PPSH
UART3 <- X-panel trace -> UART2
Data mode :
UART1 <- Data -> PPSH
UART3 <- X-panel trace -> UART2
dual
Command mode :
UART3 <- pack/unpack AT command -> PPSH
UART3 <- X-panel trace -> UART2
Data mode :
UART1 <- Data -> PPSH
UART3 <- pack/unpack AT command -> UART2
dualser
Command mode :
UART3 <- pack/unpack AT command -> UART2
UART3 <- X-panel trace -> PPSH
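As an added example (not code from the page or from HTC), here is a small Python reimplementation of the pattern rules the 's' help text gives above: each token becomes a byte, half-word or word according to its digit count, quoted strings are taken verbatim, and up to eight of them are concatenated into the single pattern searched for between StartAddr and StartAddr+Count. Little-endian packing of multi-byte values, treating Count as a byte length, accepting only a hex StartAddr, and the sample image are all assumptions not stated on the page; the point is to check offline what pattern a given 's' line actually asks the monitor to find before typing it on a live device.

```python
import re
import shlex
import struct

MAX_PATTERNS = 8  # "Up to 8 Patterns can be given in the command line"

def encode_pattern(token: str) -> bytes:
    """Encode one 's' pattern token by the width rules in the monitor's help text.
    Multi-byte values are packed little-endian (an assumption: the help text does
    not say how half-words and words are laid out inside the pattern)."""
    if len(token) >= 2 and token[0] == token[-1] and token[0] in "'\"":
        return token[1:-1].encode("ascii")  # quoted string, taken verbatim
    if not re.fullmatch(r"[0-9A-Fa-f]{1,8}", token):
        raise ValueError(f"not a 1-8 digit hex number or quoted string: {token!r}")
    value = int(token, 16)
    if len(token) < 3:                      # fewer than three digits: byte
        return struct.pack("<B", value)
    if len(token) < 5:                      # three or four digits: half-word
        return struct.pack("<H", value)
    return struct.pack("<I", value)         # five to eight digits: word

def build_search_pattern(tokens) -> bytes:
    """Concatenate up to eight encoded tokens into the single pattern 's' looks for."""
    if not 1 <= len(tokens) <= MAX_PATTERNS:
        raise ValueError(f"expected 1..{MAX_PATTERNS} patterns, got {len(tokens)}")
    return b"".join(encode_pattern(t) for t in tokens)

def search_memory(image: bytes, image_base: int, start: int, count: int, tokens) -> list:
    """Return every address in [start, start + count) at which the pattern begins.
    `image` is a dump whose first byte lives at `image_base`; Count is treated as
    a byte length, which the help text leaves unstated (assumption)."""
    lo = start - image_base
    region = image[lo:lo + count]
    pattern = build_search_pattern(tokens)
    hits, pos = [], region.find(pattern)
    while pos != -1:
        hits.append(start + pos)
        pos = region.find(pattern, pos + 1)
    return hits

def run_s_command(line: str, image: bytes, image_base: int) -> list:
    """Parse a monitor line such as "s A0000000 40 'WALLABY' 00" (hex StartAddr only)."""
    _, start, count, *tokens = shlex.split(line, posix=False)  # keeps quotes on strings
    return search_memory(image, image_base, int(start, 16), int(count, 16), tokens)

# Constructed sample dump (not from a real device): 0x40 bytes standing in for 0xA0000000.
SAMPLE_BASE = 0xA0000000
SAMPLE_IMAGE = (b"\x00" * 16 + b"WALLABY\x00" + struct.pack("<I", 0x00041000)
                + b"\xff" * 8 + b"HTC Bootloader" + b"\x00" * 14)
```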
For instance, to manually jump to the CE bootstrap (its entry point is at 0x41000):
g 41000
For some reason the display is not initialized correctly here, but it is running PocketPC now... The entry point for the bootloader itself is at 0x1000. Disassemble: