
WallabyBootloader

From XDA-Developers

One of the more promising accidental finds: if you press and hold the on/off key and then soft-reset the device, you will land in the WALLABY Bootloader. A soft reset is performed by gently pressing the stylus into the little hole on the left side of the device. The (even smaller) hole on the right, with the crossed-out battery marked next to it, is for erasing the device memory, but that's not necessary to play with the bootloader a bit.


Please keep in mind that we can accept no responsibility for anything that happens to your device from here on out. We've seen some options that could easily send your device straight back to the factory for re-calibration, and we're sure there are many other ways to destroy your device here. We haven't yet wasted our devices, and we even still have all our data. This is no indication you will be equally lucky. Explorers are thought of as heroes because some of them die.

When the device goes into Bootloader mode, my device displays a background that consists of four equally sized vertical bars, colored (from top to bottom) white, red, green and blue. On top of this, it says:

 
     WALLABY 
    Bootloader 
 
      V5.14 
 
 
 
 
 
 WAIT 
 


After a few seconds, the WAIT is replaced by GSM OK. Both messages are in the blue bar, but have a white background. If I then press the volume button (the device calls it a 'Record' button) on the left side of the device, you'll get a white screen that says:

 
  USB FLASH 
    MODE 
============= 
 
CONNECT USB 
CABLE NOW... 
 

Obviously some way to flash the device via USB. From here there's no way out (except probably hooking up something to USB, which I did not do), so I soft-reset while pressing the On/Off switch again.

Dumping the ROM

When you're at the bootloader start screen and press the left button above the screen, the one with the little business card on it (the device calls this button 'App3'), the device says:

 
 FLASH TOOLS 
============= 
CE ROM  TO SD 
BOOT    TO SD 
CE+BOOT TO SD 
GSM ROM TO SD 
CE+GSM  TO SD 
 

If you have a 5.14 bootloader, and select either "GSM ROM TO SD" or "CE+GSM TO SD", the system responds with:

 
  SD BACKUP 
============= 
 
 
Please 
connect rs232 
and run 
PC Monitor 
 
Now 
 

We're not yet sure how to use this to dump the GSM ROM.

Writing main ROM to SD-card

The first option is highlighted by an inverse bar, and this bar can be moved using the arrow buttons on the device. If you select "BOOT TO SD", "CE ROM TO SD" or "CE+BOOT TO SD", the system will write the corresponding parts of the ROM to the SD card. It will do so 'RAW', i.e. without a file system, so it will destroy any data already on your SD card.

If you have a 5.17 bootloader, you cannot use these features without a 'Card Key' written on your SD card.


Flashing the main ROM from SD

If you insert (or leave in) an SD card written as described above, and then boot to the bootloader, the system will come up with:

 
 SD  Download 
 ============= 
 
 
 CARD TYPE: 
 CE OS 
 
 Press ACTION 
 to Download 
 
      or 
 
 Press REC 
 to EXIT 
 

Of course there is little point in flashing the ROM with an image you've just made on the same device. But this does allow you to flash one device with bootloader and WinCE ROM images from another.

It's obvious to us, but we'll say it anyway: The maintainers of xda-developers.com do not accept any responsibility for lost devices if you flash the ROM. Sheeesh...

5.17 bootloader

Starting with bootloader 5.17, we can see that the people at HTC have realised this was probably a little too open: anyone with a device and SD card could flash the ROM. So they incorporated a feature called a "Card Key". Basically, they create a key field which is set depending on the hardware ID of a specific SD-card. So as long as this SD-card dependent key is on the card, it can be used by the bootloader, and otherwise it is rejected. And they've also included a counter that determines how many times an SD card can be used to flash a device.

More info on SD ROM dump formats

Can be found in our SD format description (SDdump.php).


Various tests

Back to reset while pressing On/Off again, and now pressing the right button, with the little calendar printed on it (called App1 by the device). Now the device displays:

 
  UTILITIES 
============= 
DEBUG/CALI. 
GSM TURN ON 
GSM TURN OFF 
GSM RESET 
GSM 900 
GSM 1900 
GSM 900/1800 
GSM RFCAL 
GSM NORMAL 
 

Now these look a lot nicer than they may be. We still haven't tested whether the device is actually a tri-band phone that is just software-limited to being a dual-band phone, but postings on the net seem to indicate that it is not actually a tri-band phone. But even though we think we know, we still need someone with access to a European phone in the U.S. or vice-versa to test this. We haven't tried, and we strongly advise against trying "DEBUG/CALI.", "GSM RFCAL" and possibly even "GSM RESET", unless you really don't care about the device. Options like these are used in factories where they have lots of expensive RF equipment to calibrate each individual phone. If you don't listen and still want to try these options, make sure you keep a good log of what happens, and please do tell us!

On to the next menu, this time reached by starting the bootloader and pressing the 'Action button', which is the center of the rocker key below the screen. This time, it quickly reports the GSM was already on, and then displays:

 
 DIAGNOSTICS 
GPRS3. 94324e2 
Auto      Test 
RAM       Test 
Display   Test 
Touch     Test 
Playback  Test 
Record    Test 
Button    Test 
CheckSum  Test 
USB       Test 
Sir       Test 
Series    Test 
F Light   Test 
LED       Test 
Battery   Test 
Vibrator  Test 
SD Card   Test 
GSM Aud.  Test 
 

The last option isn't visible at first, but becomes visible when scrolling to the end of the list. Each of these options performs a test of some part of the hardware. Feel free to play around; it is mostly straightforward. Just make sure you don't hold it too close to your ears when you test the GSM Audio, as the audio loops back and creates quite a howl. Also noteworthy: the SD-card test erases the SD-card in the process of testing that part of the device.

InitDebugSerial

Connect the XDA with a serial cable to the PC. Use HyperTerminal to connect (COM1:, 115200 8N1, hardware flow control). Now reboot the XDA in bootloader mode, and you'll see this:

 
****************************************************** 
InitDebugSerial using SERIAL PORT 2 
****************************************************** 
 
HTC Bootloader for ~[Wallaby] Version:5.14 
Copyright (c) 1998-2001 High Tech Computer Corporation 
Built at: Apr 18 2002 12:25:54 
 
CPU speed = 206 MHz 
DRAM speed = 103 MHz 
Hardware platform = 2; (0:DVT, 1:Pre-PV, 2:PV, 3:Panasonic LCD, 4:Reserved) 
Get resp timeout err, status is 42 Receive Response error, cmd = 41, 
arg = FFC000 comd1 No Response Block size = 512 BYTES 
Total blocks in Card: 243200 = 121600k bytes 
Card type : Bootloader SD card identify flag check ok ! 
Wait for turn on GSM... GSM Turn on time = 1763 ms FW 0:16:6> 

There's a list of commands if you enter 'h', and if you enter "h [command]" you get some basic help for that command. Here's the complete list:

 
 
? [command] 
 
  Helps on command. 
 
  When no command is given, output a list of commands. 
 
 
h [command] 
 
  Helps on command. 
 
  When no command is given, output a list of commands. 
 
 
r [[register] [[=] [hex_value]]] 
 
 Display/Set register value(s). 
 
  When no register is given, all the registers' content are displayed. 
  When only a register name is given, the content of that register is 
    displayed. 
  If the optional value is also given, the register's content is set to 
    the new value. 
  '=' sign is always ignored. 
 
 
g StartAddr 
 
 Jump and execute from a new address. 
 
  StartAddr can be either a hex_address or a register name 
  When StartAddr is not given, PC is used as the new address. 
  The starting address MUST be in valid unmapped space. 
  The monitor does not validate this address. 
 
 
mb [StartAddr [Count [Filler]]] 
 
 Display/Set memory content. 
 
  StartAddr can be either a hex_address or a register name 
  When StartAddr is not given, memory display continues from the 
    previous address. 
  When Count is not given, previous Count is used for memory display 
    Count is initially set to 20 (hex). 
  If Filler is specified, the memory area is filled with Filler. 
  Memory will be displayed/counted as bytes 
  StartAddr must be in valid unmapped space. 
    It is not validated. 
 
 
mh [StartAddr [Count [Filler]]] 
 
 Display/Set memory content. 
 
  StartAddr can be either a hex_address or a register name 
  When StartAddr is not given, memory display continues from the 
    previous address. 
  When Count is not given, previous Count is used for memory display 
    Count is initially set to 20 (hex). 
  If Filler is specified, the memory area is filled with Filler. 
  Memory will be displayed/counted as half-words 
  StartAddr must be in valid unmapped space. 
    It is not validated. 
 
 
mw [StartAddr [Count [Filler]]] 
 
 Display/Set memory content. 
 
  StartAddr can be either a hex_address or a register name 
  When StartAddr is not given, memory display continues from the 
    previous address. 
  When Count is not given, previous Count is used for memory display 
    Count is initially set to 20 (hex). 
  If Filler is specified, the memory area is filled with Filler. 
  Memory will be displayed/counted as words 
  StartAddr must be in valid unmapped space. 
    It is not validated. 
 
 
mv SourceAddr DestAddr Length 
 
SourAddr:hex memory address of source 
DestAddr:hex memory address of destination 
Length:The length of half-word memory data to move 
 
 
ew Addr  
 
Addr:hex memory address 
 
 
eh Addr  
 
Addr:hex memory address 
 
eb Addr  
 
Addr:hex memory address 
 
 
u [StartAddr [Count]] 
 
 Unassemble instructions. 
 
  StartAddr can be either a hex_address or a register name 
  When StartAddr is not given, unassmebling continues from the 
    previous address used for unassembling. 
  When Count is not given, previous Count is used. 
    Count is initially set to 14 (hex). 
  For the first unassmeble command, EPC is used if StartAddr is not given. 
  StartAddr must be in valid unmapped space. 
    It is not validated. 
 
  To avoid confusion, all the hex-numbers displayed 
    are prefixed with 0x 
  The absolute target address in a jump or branch instruction is 
    caculated and displayed (except for jr instructions) 
  Offset in 'offset(base)' is displayed in hex format 
 
 
ud [StartAddr [Count]] 
 
 Unassemble instructions. 
 
  StartAddr can be either a hex_address or a register name 
  When StartAddr is not given, unassmebling continues from the 
    previous address used for unassembling. 
  When Count is not given, previous Count is used. 
    Count is initially set to 14 (hex). 
  For the first unassmeble command, EPC is used if StartAddr is not given. 
  StartAddr must be in valid unmapped space. 
    It is not validated. 
 
  To avoid confusion, all the hex-numbers displayed 
    are prefixed with 0x 
  The absolute target address in a jump or branch instruction is 
    caculated and displayed (except for jr instructions) 
  Offset in 'offset(base)' is displayed in decimal format 
 
 
l [path_name] 
 
 Download BIN file across from bi-directional parallel port. 
  When path_name is not given, the file to be downloaded is determined 
    by ppfs on the host. 
  Otherwise, path_name on the host is downloaded regardless the ppfs setting. 
  The file must be in the format of BIN (preprocessed SRE). 
 
  The code is auto-launched once downloaded. 
 
 
lcp filename.bin 
 
compare image with flash by serial port 
 
 
lb [path_name] 
 
 Download BIN file across from bi-directional parallel port. 
  When path_name is not given, the file to be downloaded is determined 
    by ppfs on the host. 
  Otherwise, path_name on the host is downloaded regardless the ppfs setting. 
  The file must be in the format of BIN (preprocessed SRE). 
 
  Auto-launched is disabled after downloading. 
 
 
ppdl 
 
 Download the BIN file that assigned by PPSH command line. 
 This download is via parallel port 
 
 
ppcp 
 
for comparing image difference between 
download and flash datum 
The usage resembles ppdl command 
 
 
s StartAddr Count Pattern... 
 
 Search Memory for pattern. 
 
  StartAddr can be either a hex_address or a register name 
  The starting address MUST be in valid unmapped space. 
  The monitor does not validate this address. 
 
  Count and StartAddr defines a search region 
  Patterns can be hex numbers or (single or double) quoted strings 
  A hex number with less than three digits is considered a byte 
  A hex number with less than fice digits but greater than two digits 
    is consider a half-word 
  Otherwise a hex number must contain less than 9 digits and is considered 
    a word 
  Up to 8 Patterns can be given in the command line 
  They are concatenated as a single search pattern. 
 
 
ram start len 
 
 DRAM test 
 
 
map 
 
 Display virtual address mapping table 
 
 

(And here's the output of map...)

 
 Physical         Virtual 
-------------------------------------------- 
0x00000000   0xA0000000 
0x08000000   0xA2000000 
0x18000000   0xA4000000 
0x40000000   0xA6000000 
0xC0000000   0xAC000000 
0x10000000   0xAE000000 
0x20000000   0xABA00000 
0x30000000   0xABC00000 
0x28000000   0xB0000000 
0x38000000   0xB4400000 
0x2C000000   0xB4C00000 
0x3C000000   0xB8C00000 
0x80000000   0xA8000000 
0x90000000   0xA9000000 
0xA0000000   0xAA000000 
0xB0000000   0xAB000000 
0xE0000000   0xA8C00000 
0x41000000   0xA8600000 
0x49000000   0xA8700000 
0x4A000000   0xA8800000 
 
 
page 
 
 Set flash ROM to page mode 
 
 
lr bin-file 
 
Load BIN to ram and Go 
 
 
cp reg# OPC_2 CRm [value] 
 
Access coprocessor registers 
 
 
lcdtest [loop delay(ms)] 
 
 Default: 
 loop=1, delay=1000 
 
 
usb 
uart 
ulysse 
 
Help does not provide info about these commands 
 
 
normal number(Hex) 
 
Unyless Normal mode(UART2 --- UART3 
number indicates what baud rate set to UART 
number inputed is considered as heximal, not decimal. 
0: 115200(defaut), 1: 57600, 2: 38400, 3: 19200, 4: 9600, 
 
 
atcmd number(Hex) 
 
Unyless ATCommand mode(UART2 --- UART1 
number indicates what baud rate set to UART 
number inputed is considered as heximal, not decimal. 
0: 115200(defaut), 1: 57600, 2: 38400, 3: 19200, 4: 9600, 
 
 
diag 
 
Use the key of target for diagnostic test ! 
 
 
util 
 
Use the key of target for GSM utilities ! 
 
 
r2c 
 
Copy WinCE ROM Image to SD Card 
 
 
r2ca 
 
Copy WinCE & Bootloader ROM Image to SD Card 
 
 
r2cb 
 
Bootloader ROM Image to SD Card 
 
 
c2r 
 
Restore ROM image from SD to FlashROM 
 
 
sddump 
 
sddump [block_num] 
 
 
dualtrace 
 
Command mode : 
UART3 <- pack/unpack AT command -> PPSH 
UART3 <-      X-panel trace     -> UART2 
 
Data mode : 
UART1 <-          Data          -> PPSH 
UART3 <-      X-panel trace     -> UART2 
 
 
dual 
 
Command mode : 
UART3 <- pack/unpack AT command -> PPSH 
UART3 <-      X-panel trace     -> UART2 
 
Data mode : 
UART1 <-          Data          -> PPSH 
UART3 <- pack/unpack AT command -> UART2 
 
 
dualser 
 
Command mode : 
UART3 <- pack/unpack AT command -> UART2 
UART3 <-      X-panel trace     -> PPSH 
 


For instance: to manually jump to the CE bootstrap (entry point is at 0x41000):

 
g 41000 

For some reason the display is not initialized ok here, but it is running PocketPC now... The entrypoint for the bootloader itself is at (0x1000). Disassemble:

 
u 8c079000 
 
8C079000   E321F0D3  _c         CPSR_c        , #0x000000D3 
8C079004   E59F04D8  LDR        R0, [PC, #0x000004D8] 
8C079008   E5901000  LDR        R1, [R0] 
8C07900C   E2111001  ANDS       R1, R1, #0x00000001 
8C079010   0A000018  B          Offset 0x00000068( 0x8C079078 ) 
8C079014   E5901000  LDR        R1, [R0] 
8C079018   E2111B01  ANDS       R1, R1, #0x00000400 
8C07901C   1A000003  B          Offset 0x00000014( 0x8C079030 ) 
8C079020   E59F04C0  LDR        R0, [PC, #0x000004C0] 
8C079024   E5901000  LDR        R1, [R0] 
8C079028   E2111002  ANDS       R1, R1, #0x00000002 
8C07902C   0A000011  B          Offset 0x0000004C( 0x8C079078 ) 
8C079030   E3A00A41  MOV        R0, #0x00041000 
8C079034   E1A0F000  MOV        PC, R0 

This is the code from the entrypoint. When some tests fail it will load the entrypoint of CE into the PC register (and jump there...)
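The monitor prints a plain "B" for every branch in the listing above, although the raw words 0A... and 1A... encode different conditions. The following is an added example, not part of the original page or of HTC's tooling: it decodes the instruction words copied from that listing, recovers the condition codes, and resolves the PC-relative loads to literal-pool addresses. It handles only the instruction kinds that appear in this listing.

```python
# Added example: decode the raw ARM words of the `u 8c079000` listing.
COND = ["EQ", "NE", "CS", "CC", "MI", "PL", "VS", "VC",
        "HI", "LS", "GE", "LT", "GT", "LE", "", "NV"]
DP_OPS = {0x0: "AND", 0xD: "MOV"}  # only the opcodes this listing uses

# (address, word) pairs copied from the `u 8c079000` output on the page.
LISTING = [
    (0x8C079000, 0xE321F0D3), (0x8C079004, 0xE59F04D8),
    (0x8C079008, 0xE5901000), (0x8C07900C, 0xE2111001),
    (0x8C079010, 0x0A000018), (0x8C079014, 0xE5901000),
    (0x8C079018, 0xE2111B01), (0x8C07901C, 0x1A000003),
    (0x8C079020, 0xE59F04C0), (0x8C079024, 0xE5901000),
    (0x8C079028, 0xE2111002), (0x8C07902C, 0x0A000011),
    (0x8C079030, 0xE3A00A41), (0x8C079034, 0xE1A0F000),
]

def reg(n):
    return "PC" if n == 15 else f"R{n}"

def ror32(value, amount):
    return ((value >> amount) | (value << (32 - amount))) & 0xFFFFFFFF

def decode(addr, word):
    cond = COND[word >> 28]
    rn, rd = (word >> 16) & 0xF, (word >> 12) & 0xF
    imm = ror32(word & 0xFF, 2 * ((word >> 8) & 0xF))  # rotated 8-bit immediate
    if (word >> 25) & 0x7 == 0b101:  # B/BL: signed 24-bit word offset from addr + 8
        off = (word & 0xFFFFFF) - ((word & 0x800000) << 1)
        link = "L" if word & (1 << 24) else ""
        return f"B{link}{cond} 0x{(addr + 8 + off * 4) & 0xFFFFFFFF:08X}"
    if (word & 0x0FB0F000) == 0x0320F000:  # MSR CPSR_<fields>, #imm
        fields = "".join(c for i, c in enumerate("cxsf") if (word >> (16 + i)) & 1)
        return f"MSR{cond} CPSR_{fields}, #0x{imm:X}"
    if (word & 0x0F700000) == 0x05100000:  # LDR Rd, [Rn, #+/-imm12], no writeback
        sign, imm12 = (1 if word & (1 << 23) else -1), word & 0xFFF
        if rn == 15:  # PC reads as addr + 8, so resolve the literal-pool address
            return f"LDR{cond} {reg(rd)}, [0x{addr + 8 + sign * imm12:08X}]"
        tail = f", #{'-' if sign < 0 else ''}0x{imm12:X}" if imm12 else ""
        return f"LDR{cond} {reg(rd)}, [{reg(rn)}{tail}]"
    is_imm = bool(word & (1 << 25))
    if (word >> 26) & 0x3 == 0 and (word >> 21) & 0xF in DP_OPS and (is_imm or not word & 0xFF0):
        op = DP_OPS[(word >> 21) & 0xF]
        args = [reg(rd)] + ([] if op == "MOV" else [reg(rn)])
        args.append(f"#0x{imm:X}" if is_imm else reg(word & 0xF))
        return f"{op}{cond}{'S' if word & (1 << 20) else ''} {', '.join(args)}"
    return f".word 0x{word:08X}"  # anything outside this listing's instruction kinds

def disassemble(listing=LISTING):
    return [(addr, decode(addr, word)) for addr, word in listing]
```

Decoded this way, the branches at 8C079010 and 8C07902C are BEQ to 0x8C079078, the one at 8C07901C is BNE to 0x8C079030, and the first word is MSR CPSR_c, #0xD3.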


Done? Just hit soft reset, wait for boot, and you're back to normal. Pfew...

