Bootloader
From OpenEZX
Contents |
General
Motorola runs a heavily modified version of the Intel Lubbock port of blob (see also http://sourceforge.net/projects/blob).
The modifications include EZX hardware specifics, but also include the ability to download (and execute) code that was received via USB. This is how Motorola's official firmware update procedures work: Send a 'flash program' and the new 'flash image' via USB, then have the bootloader execute it.
Also included is support for a serial console on the FFUART, but it is not yet proven that this code is actually activated.
Harald has written a list of GPIO assignments by the bootloader.
Motorola has released their modified (GPL'd) blob version, see http://ftp.gpl-devices.org/pub/vendors/Motorola/A780/gpl-cd-20060421/a780-e680-blob.tar.bz2. This code is used for both, the E680 and the A780.
Enter the bootloader
- A780: press camera and jogdial(scrollwheel) button while power on. (Blue bootloader screen)
- E680(i): press camera and volume down button while power on. (Blue bootloader screen)
- ROKR E2: press voicedail button while power on. (Red bootloader screen)
- ROKR E6: press camera button while power on. (Red bootloader screen)
- A1200(i,E): press voicedial button while power on. (Red bootloader screen)
- A910: press voicedial button while power on. (Red bootloader screen)
- V8: press '*' and '#' buttons while power on. (Black bootloader screen)
Communication with the bootloader
Based on the source code Harald Welte wrote a userspace application for communication with the bootloader over USB. At the moment you can use it to load a selfcompiled kernel into RAM and execute it. This gives the possibility to test kernels without having to reflash the phone again and again. boot_usb source is available here: http://svn.openezx.org/trunk/src/host/boot_usb. You need libusb, version 0.1.12 is recommended. An x86 binary can be found e.g. at [1]
Note that reflash mode appears to also place the baseband into reflash mode (appearing as a usb device, if you enable the pxa hub). It appears that use of the baseband is not possible whilst it is in this mode.
FLAG
We have some problems where the flag values come from. Blob, the bootloader, reads the flag value from the first four bytes of SDRAM. The question is who wrote these bytes into the SDRAM? The only corresponding value we can find in the kernel source code is 0x7c7c7c7c.
UPDATE: It looks like they don't have any real meaning. For reference here's a table of values we encountered so far, note that by tests we found out that they don't actually influence booting.
Shouldn't that be magic bootup flags that tell the bootloader e.g. whether this startup is supposed to be a genuine full-boot or a resume back to a running session living in SDRAM? At least that's what some PocketPC bootloaders do... If this is a corresponding mechanism (and come to think of it I bet it is!), then it could be the kernel suspend code for this machine type (or even the architecture?) which writes those values upon shutdown or suspend. OK, in the shutdown case those values would be void since the SDRAM would be powered off... (which probably explains the rather random flag variations below). -am
| Flags entry | Image | Meaning |
|---|---|---|
| 0x7c7c7c7c | [2] | It's called OFF_FLAG in ezx.h |
| 0x12345678 | - | If blob reads this FLAG value it will enter an passthrough mode. In this mode the host can communicate directly with the BP. |
| 0x95aa95aa | - | Reproducible. Power off phone over night and enter bootloader first gives you this flag. Perhaps indicates long time off. Also detected after the battery runs out, after recharging the value was set back to OFF_FLAG. |
| 0x958a95aa | - | Reproducible. |
| 0xd5aa95aa | - | No idea. |
| 0x558a95aa | No idea. | |
| 0x1caabca8 | - | Possible Low power. |
| 0x15babdae | - | Low Power. System did not start. Only bootloader. |
| 0x60d56f34 | - | No idea. |
| 0x6b6b6b6b | [3] | Defined in ezx.h (lubbock.h too) "SLEEP_FLAG" |
| 0x3c7c3c7c | - | No idea. |
| 0x0C1D2E3F | - | Defined in ezx.h "REFLASH_FLAG" tested for by blob (not actually seen yet, anyone?) |
RESET
The reset value seems to be 0x00000001.
This value is printed to the LCD by output_reset_inf() in ...blob/src/blob/main.c. It is the value stored in FFSPR (FFUART Scratch Pad Register) which is copied there by .../blob/src/blob/start.S from RCSR (Reset Controller Status Register).
A value of 0x00000001 means that a hardware reset has occured.
BRESET
The reset value seems to be 0x00000000.
This value is printed to the LCD by output_reset_inf() in ...blob/src/blob/main.c. It is the value stored in PSPR (Power Manager Scratch Pad Register).
ARESET
The reset value seems to be 0x00000000.
This value is printed to the LCD by output_reset_inf() in ...blob/src/blob/main.c. It is the value stored in RCSR. The hardware reset flag is cleared by ...blob/src/blob/start.S after it's copied to FFSPR.
Messages
We have discovered two messages at the moment:
- No BP_WDI before reset start reflash code!
- start reflash code!
Version and date
Version 3.0 from 2004-05-18
If you get another version and date on your phone please add here.
Booting your own kernel
- Power off the phone
- Power on the phone and enter the bootloader (see above)
- Attach the phone to your computer via USB
- Run ./boot_usb zImage on your computer, where boot_usb is compiled via a simple "make", and zImage is the kernel image you want to boot (e.g. this one).
- The kernel image will be transfered to your phone and it will boot using that kernel.
Troubleshooting
In case you followed all steps correctly and the only thing you get is white colors with blueish stripes fading slowly into white, then you encountered a bug in our initialization routine. In that case, boot first with the MOTO kernel, right after that remove the battery, insert it again, enter bootloader and try again.
Differences between the phone bootloaders
If you enter the bootloader on the ROKR E2 you get a red background with black font displaying something like this:
FLASH_KEY_PRESS Boot Module: BOOT_G_00.02.05R_SUMATRA MBM FLASH MODE
The bootloader of the A1200/E2/A910 enters an USB BP pass through mode if you press the voice dial key in Flash mode. Note that it seems to take some seconds before switching to the new mode is possible.
The same trick works for E2. You need to press the voicedail button again.
USB ID's: 22b8:4903
For ROKR E6, the bootloader(red screen with black text) shows the following:
FLASH_KEY_PRESS Boot_Module: BOOT_G_00.02.21P_MACAU MBM FLASH MODE
To get the "USB BP Pass Through Mode" with the 2nd generation phones (red bootloader screen), press again the button which triggered the bootloader (camera or voicedial button).
Categories: Development | A780 | A1200 | E680 | E2
![[2]](http://people.openezx.org/stefan/photos/a780-bootloader-2.jpg){kind=link}
![[3]](http://wiki.openezx.org/images/2/25/IGP7383.jpg){kind=link}