• Status Closed
  • Percent Complete
  • Task Type Patches
  • Category Bootloader
  • Assigned To No-one
  • Operating System Another
  • Severity Low
  • Priority Very Low
  • Reported Version Daily build (which?)
  • Due in Version Undecided
  • Due Date Undecided
  • Votes
  • Private
Attached to Project: Rockbox
Opened by funman - 2008-09-12
Last edited by linuxstb - 2008-10-01

FS#9396 - Enhancement to the firmware patcher for SansaV2

Currently we are limited for our code to 512 bytes - what is used by the original firmware.
This value varies depending on the firmware version, but it’s clear that it’s not enough for a bootloader.

This patch aims to make extra room for code in the firmware. The current program will use memmove to relocate the firmware, but it’s confirmed to produce buggy files (tested on e200v2).

The button mapping figured so far is valid for Clip & E200v2 only (other models not tested)

You may also want to remove the code which makes the button LED blink, because this has been tested only on E200 & Clip (this is GPIO pin D7), and there is no indication that driving this pin high will not damage other models.

How this works:
We find the largest block of aligned 32-bit words filled with the same value (most of the time it’s 0).

We will write the stage2 at this offset, and the stage1 will copy the ROM content into RAM, and overwrite this area with the original word before branching back to the OF; because we don’t know if it’s meaningful or not.
We write offset, size, and word in the “data” segment of stage1.

What the code does:

Check GPIO A3 & A6, if set: clean the RAM, resume OF
(A3 is hold on the Clip & USB on the E200, A6 is USB on the Clip)
Continue to stage2, which will make the led blink (D7)
Return to stage1, which will clean the RAM and resume OF.

The button check can be used as software recovery mode.
Hackers can only modify stage2.S; mkamsinfo will check if it fits in the area we found, and will refuse to write the firmware if so.
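The scan and fit check described under "How this works", as an added example that is not part of the original task or of the attached patch. The names filler_run, find_largest_run, stage2_fits and sample_image are hypothetical, the image bytes are constructed, and little-endian word order is an assumption.

```c
#include <stddef.h>
#include <stdint.h>

/* Where the filler run starts, its length in bytes, and the repeated word
 * that stage1 has to write back before branching to the original firmware. */
struct filler_run { size_t offset; size_t size; uint32_t word; };

/* Constructed sample image (not real firmware): 8 little-endian words with
 * a run of three 0xFFFFFFFF at offset 4 and a run of two zeros at offset 20. */
const uint8_t sample_image[32] = {
    0x00, 0x00, 0xA0, 0xE3,  0xFF, 0xFF, 0xFF, 0xFF,
    0xFF, 0xFF, 0xFF, 0xFF,  0xFF, 0xFF, 0xFF, 0xFF,
    0x1E, 0xFF, 0x2F, 0xE1,  0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00,  0xFE, 0xFF, 0xFF, 0xEA,
};

/* Read one 32-bit word; little-endian byte order is an assumption here. */
static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Largest run of identical aligned 32-bit words; trailing bytes that do
 * not make up a whole word are ignored. size is 0 if len < 4. */
struct filler_run find_largest_run(const uint8_t *buf, size_t len)
{
    struct filler_run best = {0, 0, 0};
    size_t nwords = len / 4, start = 0;

    for (size_t i = 1; i <= nwords; i++) {
        /* A run ends at the end of the image or where the word changes. */
        if (i == nwords || get_le32(buf + 4 * i) != get_le32(buf + 4 * start)) {
            if ((i - start) * 4 > best.size) {
                best.offset = start * 4;
                best.size = (i - start) * 4;
                best.word = get_le32(buf + 4 * start);
            }
            start = i;
        }
    }
    return best;
}

/* A patcher must not write a stage2 larger than the run, since the excess
 * would overwrite firmware bytes that stage1 cannot restore. */
int stage2_fits(const struct filler_run *run, size_t stage2_size)
{
    return stage2_size <= run->size;
}
```

The returned offset, size and word are the three values the description says are stored in the “data” segment of stage1.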

Closed by  linuxstb
2008-10-01 23:28
Reason for closing:  Out of Date
Additional comments about closing:

Superseded by the UCL compression method added to SVN on 1 October 2008.

Here is the patch

You seem to have TABs in your patch, please read

here is a patch without tabs (except in Makefile), sorry for not checking that

I just found something interesting: driving pin A7 low, reading from it will give you #1 if any button has been pressed (including power so you would have to release it quickly before the code runs).

If this is confirmed on other models, I will use it for the patch to be a safe cross-model recovery mode

false alarm: I was not releasing the button quickly enough: A7 is always power

Here is a patch which uses a .c file for the 2nd stage, much clearer for hacking at the expense of maybe slightly bigger files.
I’ll do precise measurements when I have converted all my code into C.

There is no visible impact on binary code size :)

Moarc commented on 2008-09-29 14:47

The newest version of the patch doesn’t fully apply to the code and doesn’t compile.

It was broken today by revision 18663, here is an updated patch.

I generated it with git, but you can apply it on a svn tree this way:
$ cd rockbox; patch -p1 < bootloader.patch

Marcin if you want to join the hacking, be sure to read the forum thread :

Here is a patch without tabs.
The Clip-specific check in stage2 has been commented out, and the stage1 only checks GPIO A3 (which is mapped to a button on all tested models).
I had also forgotten to add crt0.o to the clean: target in the Makefile.

