Bootloader
From OpenEZX
Contents |
General
Motorola runs a heavily modified version of the Intel Lubbock port of blob (see also http://sourceforge.net/projects/blob).
The modifications include EZX hardware specifics, but also include the ability to download (and execute) code that was received via USB. This is how Motorola's official firmware update procedures work: Send a 'flash program' and the new 'flash image' via USB, then have the bootloader execute it.
Also included is support for a serial console on the FFUART, but it is not yet proven that this code is actually activated.
Harald has written a list of GPIO assignments by the bootloader.
Motorola has released their modified (GPL'd) blob version, see http://ftp.gpl-devices.org/pub/vendors/Motorola/A780/gpl-cd-20060421/a780-e680-blob.tar.bz2. This code is used for both, the E680 and the A780.
Enter the bootloader
- A780: press camera and jogdial(scrollwheel) button while power on. (Blue bootloader screen)
- E680(i): press camera and volume down button while power on. (Blue bootloader screen)
- ROKR E2: press voicedail button while power on. (Red bootloader screen)
- ROKR E6: press camera button while power on. (Red bootloader screen)
- A1200(i,E): press voicedial button while power on. (Red bootloader screen)
- A1600: press voicedial button while power on. (Red bootloader screen)
- A910: press voicedial button while power on. (Red bootloader screen)
- RAZR2 V8: press '*' and '#' buttons while power on. (Black bootloader screen)
- ZN5: press '*' and '#' buttons while power on. (Black bootloader screen)
- Q: press 'A' and ENTER buttons while power on. (Black bootloader screen)
Communication with the bootloader
Based on the source code Harald Welte wrote a userspace application for communication with the bootloader over USB. You can use it to load a selfcompiled kernel into RAM and execute it. This gives the possibility to test kernels without having to reflash the phone again and again. boot_usb source is available here: http://svn.openezx.org/trunk/src/host/boot_usb. You need libusb.
Note that reflash mode also place the baseband into reflash mode (appearing as a usb device, if you enable the pxa hub). It appears that use of the baseband is not possible whilst it is in this mode.
FLAG
Flag is a 32bit value stored at 0xa0000000, on RAM. It indicates wheter the phone was suspended and the bootloader should just resume to a RAM location, or if it should load a kernel from flash.
RESET
It is the value stored in FFSPR (FFUART Scratch Pad Register) which is copied there by .../blob/src/blob/start.S from RCSR (Reset Controller Status Register).
A value of 0x00000001 means that a hardware reset has occured.
BRESET
This value is printed to the LCD by output_reset_inf() in ...blob/src/blob/main.c. It is the value stored in PSPR (Power Manager Scratch Pad Register).
ARESET
This value is printed to the LCD by output_reset_inf() in ...blob/src/blob/main.c. It is the value stored in RCSR. The hardware reset flag is cleared by ...blob/src/blob/start.S after it's copied to FFSPR.
Differences between the phone bootloaders
If you enter the bootloader on the ROKR E2 you get a red background with black font displaying something like this:
FLASH_KEY_PRESS Boot Module: BOOT_G_00.02.05R_SUMATRA MBM FLASH MODE
The bootloader of the A1200/E2/A910 enters an USB BP pass through mode if you press the voice dial key in Flash mode. Note that it seems to take some seconds before switching to the new mode is possible.
The same trick works for E2. You need to press the voicemail button again.
USB ID's: 22b8:4903
For ROKR E6, the bootloader(red screen with black text) shows the following:
FLASH_KEY_PRESS Boot_Module: BOOT_G_00.02.21P_MACAU MBM FLASH MODE
To get the "USB BP Pass Through Mode" with the 2nd generation phones (red bootloader screen), press again the button which triggered the bootloader (camera or voicedial button).
Categories: Development | E680 | A780 | A910 | A1200 | Rokr E2 | Rokr E6 | A1600
