FS#9396 - Enhancement to the firmware patcher for SansaV2
Opened by Rafaël Carré (funman) - Friday, 12 September 2008, 16:40 GMT
Last edited by Dave Chapman (linuxstb) - Wednesday, 01 October 2008, 23:28 GMT
Currently our code is limited to 512 bytes, which is the space the original firmware uses.
This value varies depending on the firmware version, but it's clear that it's not enough for a bootloader.
This patch aims to make extra room for code in the firmware. The current program uses memmove to relocate the firmware, but that is confirmed to produce buggy files (tested on e200v2).
The button mapping figured so far is valid for Clip & E200v2 only (other models not tested)
You may also want to remove the code which makes the button LEDs blink, because this has been tested only on the E200 & Clip (this is GPIO pin D7), and there is no indication that driving this pin high will not damage other models.
How this works:
We find the largest block of aligned 32-bit words filled with the same value (most of the time it's 0).
We write the stage2 at this offset; the stage1 copies the ROM content into RAM and overwrites this area with the original word before branching back to the OF, because we don't know whether the area is meaningful or not.
We write the offset, size, and word into the "data" segment of stage1.
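The search and patch steps described above, as an added Python example that is not part of the patch or of mkamsinfo: it scans a constructed sample image for the longest run of identical aligned little-endian 32-bit words, refuses a stage2 that does not fit, records (offset, size, word) the way stage1's data segment would, and restores the area from that record the way stage1 does at runtime. The sample image, the function names and the stage2 payload are all made up for the example.

```python
import struct

def find_largest_uniform_run(image: bytes):
    """Return (offset, size_in_bytes, word) for the longest run of identical
    aligned little-endian 32-bit words in `image`, or None if it holds no word.
    The first of several equally long runs wins."""
    nwords = len(image) // 4
    if nwords == 0:
        return None
    words = struct.unpack("<%dI" % nwords, image[:nwords * 4])
    best_start, best_len = 0, 1
    run_start = 0
    for i in range(1, nwords):
        if words[i] != words[run_start]:
            run_len = i - run_start
            if run_len > best_len:
                best_start, best_len = run_start, run_len
            run_start = i
    run_len = nwords - run_start          # close the final run
    if run_len > best_len:
        best_start, best_len = run_start, run_len
    return best_start * 4, best_len * 4, words[best_start]

def stage2_fits(image: bytes, stage2: bytes) -> bool:
    """The size check a patcher would make before writing stage2."""
    found = find_largest_uniform_run(image)
    return found is not None and len(stage2) <= found[1]

def apply_stage2(image: bytes, stage2: bytes):
    """Write stage2 into the largest uniform area; refuse if it does not fit.
    Returns the patched image and the (offset, size, word) record that stage1
    needs in order to put the original contents back."""
    found = find_largest_uniform_run(image)
    if found is None or len(stage2) > found[1]:
        raise ValueError("stage2 does not fit in the largest uniform area")
    offset, size, word = found
    patched = bytearray(image)
    patched[offset:offset + len(stage2)] = stage2
    return bytes(patched), (offset, size, word)

def restore_area(patched: bytes, record) -> bytes:
    """What stage1 does at runtime: refill the whole area with the saved word."""
    offset, size, word = record
    out = bytearray(patched)
    out[offset:offset + size] = struct.pack("<I", word) * (size // 4)
    return bytes(out)

def build_sample_image() -> bytes:
    # Constructed sample, not a real firmware: distinct header words,
    # a 48-word run of 0xFFFFFFFF, 16 distinct code-like words,
    # a 96-word run of zeros (the largest uniform block), and a short tail.
    hdr = struct.pack("<8I", *range(0x1000, 0x1008))
    ff_run = b"\xff" * (48 * 4)
    code = struct.pack("<16I", *[0xE1A00000 + i for i in range(16)])
    zero_run = b"\x00" * (96 * 4)
    tail = struct.pack("<4I", 1, 2, 3, 4)
    return hdr + ff_run + code + zero_run + tail

if __name__ == "__main__":
    img = build_sample_image()
    print("largest uniform run (offset, size, word):", find_largest_uniform_run(img))
    stage2 = bytes(range(100))            # constructed 100-byte payload
    patched, record = apply_stage2(img, stage2)
    print("round trip restores original image:", restore_area(patched, record) == img)
```

The record is what makes the patch reversible: without the saved word, stage1 could only zero the area, which is wrong for any image whose largest uniform block is not zero-filled.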
What the code does:
Check GPIO A3 & A6, if set: clean the RAM, resume OF
(A3 is hold on the Clip & USB on the E200, A6 is USB on the Clip)
Continue to stage2, which will make the led blink (D7)
Return to stage1, which will clean the RAM and resume OF.
The button check can be used as software recovery mode.
Hackers can only modify stage2.S; mkamsinfo will check whether it fits in the area we found, and will refuse to write the firmware if it does not.
Wednesday, 01 October 2008, 23:28 GMT
Reason for closing: Out of Date
Additional comments about closing: Superseded by the UCL compression method added to SVN on 1 October 2008.