IPL and SPL Technical Details


sjbale
22nd March 2007, 03:45 PM
Hi,

As I'm a curious electronics engineer type, I have a few questions regarding the IPL, SPL and CE kernel.

1. Am I correct in thinking that the IPL simply loads the SPL into RAM and starts executing it?

2. Is the SPL providing the low level flashing interface and the setup code necessary to load the kernel into RAM? Does it provide any low level interfaces for the CE kernel?

3. I note that the OS portion of my flash has three partitions, what are the first two small ones for?

I've had a search on the net and I can't find many detailed answers to these questions so I thought I'd ask them here. Any help is greatly appreciated.

tadzio
22nd March 2007, 04:07 PM
Hi,

3. I note that the OS portion of my flash has three partitions, what are the first two small ones for?


The first two contain the OS core in XIP format (although they still need to be copied to RAM before execution). One is the kernel for normal operation; the other is used when Windows Update flashes the ROM (it'll not overwrite anything, just add to the existing data). They can be dumped from a ROM upgrade file and edited with RomMaster and dumprom.

The third partition is an IMGFS file system. It contains all the other files needed to make your device work. It can be dumped from a ROM upgrade file and edited with the Imgfs Tools.

There is actually a fourth partition in the partition table: the Storage area. This is a FAT partition. It is only in the partition table; there is no additional data for it in the ROM packages. During a hard boot, the OS will format that partition.

Cheers
Daniel

sjbale
22nd March 2007, 04:17 PM
Thanks for the reply. I didn't think that the CE kernel was loaded during the flashing process; I thought the SPL provided the flash interface?

Out of curiosity, am I correct in thinking that the only way to brick the device is to damage the IPL/SPL or bugger up the radio ROM so that the SPL can't return a CID? If the actual OS portion of the flash contains bad blocks, will this still prevent future flashing?

pof
22nd March 2007, 05:05 PM
1. Am I correct in thinking that the IPL simply loads the SPL into RAM and starts executing it?
Not "only": it initializes the hardware (processor, SDRAM, etc.), sets up the physical-to-virtual mapping table, reads the SPL from NAND, puts it into RAM and jumps to its address.

If you want it more in depth, disassemble the IPL.nb file with IDA Pro. The code entry point is at 0x0000000. Consult the SC32442A processor manual (http://www.samsung.com/products/semiconductor/MobileSoC/ApplicationProcessor/ARM9Series/SC32442/SC32442.htm) while following its flow.

2. Is the SPL providing the low level flashing interface and the setup code necessary to load the kernel into RAM?
Yes.

Again, IDA Pro is your friend ;) In Hermes the SPL expects to be executed from virtual address 0x8c080000, which is physical 0x30080000.


am I correct in thinking that the only way to brick the device is to damage the IPL/SPL or bugger up the radio ROM so that the SPL can't return a CID.
Yes, you are correct. It is also possible that NAND blocks get marked as bad when the 517th service byte is incorrectly flashed; read more in Des's comment here (http://forum.xda-developers.com/showpost.php?p=1143517&postcount=111).

If the actual OS portion of the flash contains bad blocks will this still prevent future flashing?
Depending on how many bad blocks. I've seen a hermes die completely during the 2nd flash on a NAND with a lot of marked bad blocks.

sjbale
22nd March 2007, 05:20 PM
Okay, I think I understand. So once the 517th byte of a flash block is set to non-0xFF, it's permanent and can't be restored? The next flash won't be able to write to that block? Hmmh, dangerous!

Now all I need to do is find the £300+ quid for an IDA Pro license. I'd better get back to what I'm supposed to be doing; time to put my RF hat back on :-)

pof
22nd March 2007, 05:35 PM
Yes, that's right. We haven't found a method to restore them yet, but it is surely possible, because the marked bad blocks are not real bad blocks. Probably the way to go is patching an SPL that never flashes the service data bytes from data taken out of a file. Des and Olipro know more on this matter; you should ask them if you really want to get involved in some development.

BTW, you can use the IDA demo version, available for free download, if you don't want to spend the money just for disassembling the IPL and SPL.
There are also other free alternatives; I sometimes use radare (http://radare.nopcode.org/), which is very helpful too, but you should have a *nix system.
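The hazard pof and sjbale discuss in the posts above (a non-0xFF value written into the 517th byte of a block marks it bad, and every later flash then skips that block, so the damage is permanent as far as the flasher is concerned) and the fix pof sketches (an SPL that never takes that byte from the image file) as an added Python model. This is example code written for this page, not anything from the thread, from HTC or from the Hermes SPL. It assumes small-page NAND geometry (512 data bytes plus 16 spare bytes per page, 32 pages per erase block), that the marker is checked on the first page of each block, and that the flasher skips marked blocks rather than erasing them; none of those figures come from the thread, and the sample dump and image are constructed inline.

```python
from __future__ import annotations

# Assumed NAND geometry (not stated in the thread): small-page NAND,
# 512 data + 16 spare bytes per raw page, 32 pages per erase block.
PAGE_DATA = 512
PAGE_SPARE = 16
PAGE_RAW = PAGE_DATA + PAGE_SPARE
PAGES_PER_BLOCK = 32
BLOCK_RAW = PAGE_RAW * PAGES_PER_BLOCK
MARKER_OFFSET = 516          # the "517th byte" of a raw page, 1-indexed in the thread
ERASED = 0xFF                # an erased NAND byte reads back as 0xFF


def block_marked_bad(dump: bytes, block: int) -> bool:
    """A block counts as bad when the marker byte of its first page is not 0xFF (assumption)."""
    return dump[block * BLOCK_RAW + MARKER_OFFSET] != ERASED


def scan_marked_bad(dump: bytes) -> list[int]:
    """Indices of the blocks a marker-honouring flasher would refuse to touch."""
    if len(dump) % BLOCK_RAW:
        raise ValueError("dump is not a whole number of raw blocks")
    return [b for b in range(len(dump) // BLOCK_RAW) if block_marked_bad(dump, b)]


def program_page(existing: bytes, image: bytes) -> bytes:
    """NAND programming can only clear bits (1 -> 0); only an erase sets them back to 0xFF."""
    return bytes(e & i for e, i in zip(existing, image))


def flash_block(dump: bytes, block: int, image_block: bytes, preserve_marker: bool) -> bytes:
    """Erase one block and program it from image_block.

    preserve_marker=False models the behaviour blamed in the thread: every raw byte,
    marker slot included, is taken from the image, so a stray non-0xFF byte at offset 516
    in the file turns a perfectly good block into a "bad" one.
    preserve_marker=True models the proposed fix: the marker byte is never taken from the
    image and keeps whatever value the device already had.
    """
    start = block * BLOCK_RAW
    old_marker = dump[start + MARKER_OFFSET]
    erased_page = bytes([ERASED]) * PAGE_RAW
    out = bytearray(dump)
    for p in range(PAGES_PER_BLOCK):
        off = p * PAGE_RAW
        out[start + off:start + off + PAGE_RAW] = program_page(
            erased_page, image_block[off:off + PAGE_RAW])
    if preserve_marker:
        out[start + MARKER_OFFSET] = old_marker
    return bytes(out)


def flash_image(dump: bytes, image: bytes, preserve_marker: bool) -> tuple[bytes, list[int]]:
    """Write image block by block, skipping blocks already marked bad (assumed flasher policy).

    Returns the new dump and the physical blocks that were skipped. Marked blocks are
    skipped, never erased, which is why a wrongly set marker survives every later flash;
    once the good blocks run out the image no longer fits and the flash fails outright.
    """
    total = len(dump) // BLOCK_RAW
    skipped: list[int] = []
    target = 0
    for b in range(len(image) // BLOCK_RAW):
        while target < total and block_marked_bad(dump, target):
            skipped.append(target)
            target += 1
        if target >= total:
            raise RuntimeError("ran out of good blocks: image no longer fits on this NAND")
        dump = flash_block(dump, target, image[b * BLOCK_RAW:(b + 1) * BLOCK_RAW], preserve_marker)
        target += 1
    return dump, skipped


def build_sample_dump() -> bytes:
    """Constructed 4-block dump: fully erased except block 2, which carries a factory marker."""
    d = bytearray([ERASED]) * (4 * BLOCK_RAW)
    d[2 * BLOCK_RAW + MARKER_OFFSET] = 0x00
    return bytes(d)


def build_sample_image(clobber_marker: bool) -> bytes:
    """Constructed 2-block image: patterned data area, erased spare; optionally a stray
    0x37 sitting in the marker slot of its very first page."""
    img = bytearray(2 * BLOCK_RAW)
    for p in range(2 * PAGES_PER_BLOCK):
        off = p * PAGE_RAW
        img[off:off + PAGE_DATA] = bytes([p & 0xFF]) * PAGE_DATA
        img[off + PAGE_DATA:off + PAGE_RAW] = bytes([ERASED]) * PAGE_SPARE
    if clobber_marker:
        img[MARKER_OFFSET] = 0x37
    return bytes(img)


def demo() -> tuple[list[int], list[int], list[int]]:
    """Bad-block list before flashing, after an unsafe flash, and after a marker-preserving one."""
    dump = build_sample_dump()
    image = build_sample_image(clobber_marker=True)
    unsafe, _ = flash_image(dump, image, preserve_marker=False)
    safe, _ = flash_image(dump, image, preserve_marker=True)
    return scan_marked_bad(dump), scan_marked_bad(unsafe), scan_marked_bad(safe)


if __name__ == "__main__":
    print(demo())
```

With the constructed data, the unsafe path leaves block 0 marked bad alongside the factory-marked block 2, and a second flash of the same device then has to skip both, which is the "bad blocks accumulate until the device dies during a later flash" outcome pof describes. The marker-preserving path flashes the identical image and leaves only block 2 marked.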