Friday, February 19, 2010

Here's rx1950 nand flash layout:

0x0000 - 0x1000 - First stage bootloader
0x1000 - 0x4000 - Some data, i.e. wifi mac is here
0x4000 - 0x44000 - Second stage bootloader. This block starts with 0x1000 byte header,
0x44000 - 0x-------- - WinCE image. This block starts with 0x400-byte partition table (???) followed by 0x1000 byte header (almost same as bootloader, but different addresses)

Bootloader header looks like this:
0xfe 0x03 0x00 0xea ; some magic bytes?
0x00 * 0x3c ; 0x3c zeros
0x45 0x43 0x45 0x43 ; "ECEC" - more magic bytes?
0x8c0b5dcc ; stored in little endian format, virtual address in ram where image ends
0x00035dcc ; stored in little endian format, image size
0x00 * 0xfb4 ; 0xfb4 zeros

So, bootloader will be loaded at 0x8c0b5dcc - 0x00035dcc = 0x8c080000 (virtual address)

WinCE header looks almost the same, except address is 0x8014e388 and size is 0x0014e388, so WinCE image will be loaded at 0x80000000 (virtual)

WinCE partition table is not looking interesting to me, we're not going to use WinCE-compatible FS :)

So, rx1950 will use following mtd partition table:
0x00000000-0x00004000 : "Boot0"
0x00004000-0x00044000 : "Boot1"
0x00044000-0x00344000 : "Kernel"
0x00344000-0x04000000 : "Filesystem"

If anyone interested in Boot0/Boot1/Kernel images - I can put it on tuxfamily ftp :)

P.S. I ported basic rx1950 patches to latest git kernel, and I'm going to submit it mainstream again :)

Wednesday, February 17, 2010

More bootloader stuff

I think I found a part of nand flash that wince bootloader loads to ram. This part is nk.exe, and it starts at 0x45400, whole wince partition starts at 0x44000. Bootloader loads some chunk (~1mb) at 0x80000000 (virtual address) and then jumps to 0x80000000. But that's only theory, need some practice now :)

Anyway, more interesting links:

Monday, February 8, 2010

Stuck with bootloader :\

Tried to get htc bootloader load my custom "diag" image, but it fails with "Download failed" message :(

My image consists of:
  • 1024-byte header, starting with "HTC$IBG--444", others are zeros
  • 28-byte code that fills framebuffer with some pattern (0x00ff)
It seems that I need to add some more info to header (checksums, size?) - If anyone knows _anything_ about diagnostic image for WM5-based devices with s3c24xx CPU and HTC bootloader - please let me know. Also I hope that bootloader outputs some info to UART, but unfortunately I have no usb-com adapter to check :(

And some more info: first stage bootloader seems to be nboot from smdk2440, but it does nothing except loading second stage bootloader :)

Wednesday, February 3, 2010

bootloader stuff

Still gathering info on HTC bootloader, acer n30 linux port and htc-flasher could be usefull.
It seems that there're two ways to go:
  • flash linux kernel into internal NAND flash (dangerous, I want to ensure that I can restore WM)
  • boot linux via SD card with diagnostic image
Second way seems to be complicated, as I'll need to write mmc and FAT drivers if bootloader puts diagnostic image in some unappropriated memory area. Anyway still need to figure out where bootloader puts diagnostic image, how this diagnostic image should look, etc...

Tuesday, February 2, 2010


Good news, everyone!

I've just owned iPAQ h1940, so I'm going to hack linux on it too :)

rx1950 bootloader

Just found some interesting info how to boot device with htc bootloader from sd without booting wince.
Tool is named eol (embedded OS loader) and is designed to be put on a miniSD card and loaded by the SPL (the initial loader in the flash ROM) by faking a diagnostic card signature. It's originally intended to use with HTC Tycoon. I'm going to modify it to use with rx1950 :) Can't wait getting hand on this tool ;)