Topic: Siemens Bootloader Extended Commands

Digi

« on: March 04, 2006, 02:51:17 pm »
Hi all,

does anybody know any more extended commands (done by typing 'X', followed by a hex value between 00 and ff) than the ones I found so far:

01 raises CPU frequency
ff lowers it
e0 erases flash bank 0
e1 erases flash bank 1
eb erases bootstrap (whatever that is, but it includes the FabData)

Digi

fladda

« Reply #1 on: March 08, 2006, 04:41:25 am »
I have recently been to Simpad Hell and back trying to recover one of my Simpads via JTAG. One of the foolish things I tried was loading the CL bootloader onto my SL4 Simpad 'simpadCL.rom'. After this I could not even get the SL4 bootloader to work at all, even when loaded using JTAG.

It appears that the exact contents of some of the flash not occupied by the bootloader and the FABdata are also important! This means that when we load the bootloader image 'loader_BL', we are not always setting all memory locations in the flash to the 'correct' values.

To get the SL bootloader working again I used JTAG to clear the flash contents in memory addresses 0x08000000 and above, just by loading a file containing a single byte 0x00 into each block. I think that flash blocks 2,3... might also need to be cleared too.

Thanks for posting details of these 'extended commands' here - sounds like a very good method of erasing unwanted flash memory blocks, before you load in the FABdata image.

Ralph

« Last Edit: March 08, 2006, 10:47:52 am by fladda »

fladda

« Reply #2 on: March 08, 2006, 07:13:27 am »
Erasing the boot block using the 'eb' command shows that the people at Siemens Switzerland had a sense of humour:-)

Only do this if you already have JTAG up and running, so that you can re-load your bootloader again if necessary. That said, pressing reset gave me the option to reload the bootloader again using "serload loader_bl". So I guess that the backup bootloader was still working ?

Ralph


************ extract from serial terminal session *************

Monitor:
=====================
Boot from Flash   'f'
Boot from Net     'n'
Power Off         'o'
Erase PSM+Registry'p'
Exit              'q'
Erase Registry    'r'
Soft  Reset       's'
Print Fab-String  'w'
-> x

Extended Command
Enter hexcode to execute:eb
Erasing Bootstrap. Please Wait
[***************************************-]

Bootstrap Erased.
You will see me never again.
ByeBye !



« Last Edit: March 08, 2006, 10:48:43 am by fladda »

Digi

« Reply #3 on: March 08, 2006, 01:02:46 pm »
Do you know of a way to put the FabData back in once it has been deleted?

Digi

fladda

« Reply #4 on: March 09, 2006, 10:37:52 am »
No I've not found a way of getting the FabData reloaded yet. However I guess that you might be able to use the flashmem JTAG command to put the correct string back into the flash ?? However JTAG can only access the first flash IC, presumably in 16-bit mode. I guess that the FabData string is probably 32-bit aligned ?? (I'm just guessing here as I am not sure how the memory map of the Simpad's flash looks in detail).

Perhaps loading WinCE3.0 initialises the FabData string ?? (I'll try and see what happens). Siemens must have done this somehow ?

Is getting the FabData string re-entered important ?

Incidentally the 'x' commands E0 and E1 appear to work differently with the original Siemens 2.4 bootloader, to the modified (linux/WinCE) 2.5.3 bootloader. Using the E0 and E1 commands allows you to delete different areas of the flash from the 2.4 bootloader (similar to the 'y' command with the 2.5.3 bootloader).

When I get my Simpad working with WinCE 4.1 (I've been working on this for almost 2 weeks now!), I will write up all of my experiences, and suggestions. I've had about 20 different lock up states all with different symptoms. Usually these lock-ups stop the bootloaders from working correctly. However all these states appear to be caused by different things in the flash. Erasing all 128 blocks in the first flash chip using a JTAG script, and then re-loading the 2.4 bootloader using the JTAG command "flashmem 0 simpadSL.rom" appears to always allow the 2.4 boot-loaders to be loaded with serload, and then the primary 2.5.3 bootloader to be loaded OK. Don't think that I've ever managed to load the alternative 2.5.3 bootloader though ??

Ralph


Digi

« Reply #5 on: March 10, 2006, 04:54:07 pm »
No, putting the FabData back would just be cosmetics. Which 4.1 image are you having problems with? I used sl4_winCEnet41_ENG with 27.255.299 bytes without any problems.

Digi



fladda

« Reply #6 on: March 13, 2006, 06:33:42 am »
Just to correct my own post - I was wrong. The 'x e0' and 'x e1' commands appear to work the same on rev. 2.4 and 2.5.3 Siemens bootloaders.

e0 erases the flash from 05080000 to 06000000 (16Mbytes minus the boot loader)
e1 erases the flash from 08000000 to 09000000 (16Mbytes)

Assuming that these Siemens EEPROM addresses are correct, then the 'y' erase flash option in the 2.5.3 bootloader appears to show the wrong addresses for erasing ??
'y' reports to erase the flash ROM between 05080000 to 07000000

I think that this should be 05080000-06000000, 08000000-09000000 using the Siemens memory map ??

Note that the 'y' erase flash option is not available in the original 2.4 Siemens bootloader. However it does appear that the extended commands 'x e0' and 'x e1' perform the same function to erase the flash, and can be used in both the 2.4 and the 2.5.3 Siemens bootloaders.

The 'x eb' extended command provides an extremely useful method of going back from the Siemens 2.5.3 bootloader to the original 2.4 bootloader.

So we can erase all of the flash in the Simpad using the E0/E1 commands, except for a small area at the start of the second EEPROM chip (4 flash erase blocks or 512kbytes) corresponding to the area occupied by the bootloader in the first EEPROM chip.

Ralph

« Last Edit: March 13, 2006, 07:06:47 am by fladda »
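
The erase ranges quoted in Reply #6, checked arithmetically. This is an added example and not part of any forum post; the 128 KB erase-block size and the 0x05000000 bank base are assumptions derived from the post's "4 flash erase blocks or 512kbytes" and "16Mbytes minus the boot loader".

```python
# Added example (not from the thread): sanity-check the erase ranges in Reply #6.
BLOCK = 128 * 1024        # assumption: "4 flash erase blocks or 512kbytes"
BANK0_BASE = 0x05000000   # assumption: e0 range starts 512 KB above bank 0 base

# Half-open (start, end) ranges, addresses as the bootloader reports them.
E0 = (0x05080000, 0x06000000)
E1 = (0x08000000, 0x09000000)
Y_REPORTED = (0x05080000, 0x07000000)


def blocks(rng):
    """Number of whole erase blocks in a range; reject unaligned ranges."""
    count, rest = divmod(rng[1] - rng[0], BLOCK)
    if rng[1] <= rng[0] or rest:
        raise ValueError(f"range {rng[0]:#x}-{rng[1]:#x} is not block aligned")
    return count


def uncovered(target, covers):
    """Sub-ranges of target that none of the ranges in covers touch."""
    gaps, cursor = [], target[0]
    for start, end in sorted(covers):
        start, end = max(start, target[0]), min(end, target[1])
        if start >= end:
            continue                      # no intersection with target
        if start > cursor:
            gaps.append((cursor, start))
        cursor = max(cursor, end)
    if cursor < target[1]:
        gaps.append((cursor, target[1]))
    return gaps


def report():
    """Summarise what the quoted ranges imply."""
    return {
        "bootloader_blocks": blocks((BANK0_BASE, E0[0])),
        "e0_blocks": blocks(E0),
        "e1_blocks": blocks(E1),
        "y_blocks": blocks(Y_REPORTED),
        "y_not_matched_by_e0_e1": uncovered(Y_REPORTED, [E0, E1]),
    }


if __name__ == "__main__":
    for key, value in report().items():
        if isinstance(value, list):
            value = [f"{s:#010x}-{e:#010x}" for s, e in value]
        print(f"{key}: {value}")
```

The 'y' range holds 252 blocks, the same count as e0 plus e1 (124 + 128), but its upper 16 MB is reported at 0x06000000-0x07000000 rather than at the 0x08000000-0x09000000 that e1 uses.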

cmonex

« Reply #7 on: October 07, 2006, 10:55:13 pm »
hi,

what i don't understand here.

the first flash chip is at 0x0-0x10000000
second flash chip is indeed at 0x0800000-0x09000000

what's this about 0x05080000 and stuff? thought that was just virtual addresses?

but i'll admit i don't know much about jtagging and such

thanks for anything that would clear up my confusion,

cmonex
