PBL V3.1 Build:1277 EXP packet format
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Offset  Size  Value  Name   Description
    0       1     2      stx    ASCII STX byte.
    1       1     0/1    comp   Is `data' compressed.
    2       2     -      len    Length of data.
    4       len   -      data   Payload.
    4+len   1     -      cksum  Sum modulo 0x100 of bytes in len and data.

First byte of payload gives message type.  Probably first two bytes in
low, high order really.

Payload requests
~~~~~~~~~~~~~~~~

Contents of data in received packet.  First two bytes give the request
number.  Reply is request_number | 0x80 if all went well, or a NAK reply
otherwise.

Request: 00 00
    Not used.
Reply: 15 00
    NAK message, sent to indicate disagreement.

Request: 01 00
    Set 0x1001c = 0x01 to remember request 01 received.
Reply: 81 00

Request: 02 00
    Request PBL version info and max. buffer size for further
    communication.
Reply: 82 00 72 00 mj mn bl bh pl ph fe 7b 0e b0
    `72 00' is constant.
    `mj' is PBL major version, e.g. 0x03.
    `mn' is PBL minor version, e.g. 0x01.
    `bl bh' is PBL build number, e.g. `fd 04' for 0x4fd, i.e. 1277.
    `pl ph' is maximum packet data length, i.e. `10 20', 0x2010.
    `fe 7b 0e b0' is constant near PBL version as 0xb00e7bfe, probably
    build flags indicating what features are available, e.g. debug.

Request: 03 00 a0 a1 a2 a3 b0 b1 b2 b3
    Request 32-bit sum of 0xb3b2b1b0 bytes at 0xa3a2a1a0.
    If 0xa3a2a1a0 lies within the start..(start + len) of a
    flash_mem_table entry of type 4, i.e. 0x80010000 <= 0xa3a2a1a0 <
    0x80560000, then code is used that isn't understood yet, but it
    looks like it's pulling the pages from NAND flash and the sum is
    still returned.  However, beware that no checking is done that the
    sum requested doesn't cross a boundary of different memory types.
Reply: 83 00 c0 c1 c2 c3
    0xc3c2c1c0 is sum of bytes in memory specified in request.

Request: 04 00 a0 a1 a2 a3
    Store 0xa3a2a1a0 at 0x10024.  Set 0x10020 = 1.
Reply: 84 00
    Reply to 04 00.

Request: 05 00 a0 a1 a2 a3 l0 l1 d0...
    0xl1l0 is number of bytes `d0' onwards.
    0xa3a2a1a0 is where to place the bytes in memory.
        Must be >= 0x40000.
        Must be <= 0x800000 - 0xl1l0.
Reply: 85 00 ?? ??
    Last two bytes of reply unset, apparently a bug.

Request: 06 00 a0 a1 a2 a3 b0 b1 b2 b3 c0 c1
    0xa3a2a1a0 is an address.
    0xb3b2b1b0 is length of memory at 0xa3a2a1a0.
    0xc1c0 is flash_mem_table index, i.e. < 2.

    flash_mem_table:

        #  type         s1        start     len       start2    len2
        0  00 00 00 00  00000000  80000000  00010000  80000000  00010000
        1  04 00 00 00  00000000  80010000  00550000  00000000  00000000

    type is sometimes stored at 0x10120.
    s1 is sometimes checked by code for being 1; sometimes 1.
Reply: 86 00 a0 00
    a0 is the byte at 0x1011c.

Request: 07 00 a0 a1 a2 a3 b0 b1 l0 l1 d0...
    0xa3a2a1a0
    0xb1b0
    0xl1l0 is number of bytes `d0' onwards.
    0xd0...
Reply: 87 00 a0 00
    a0 is 0 or 1.

Request: 08 00 a0 a1 a2 a3 b0 b1 b2 b3
    0xa3a2a1a0 is an address within the range of a flash_mem_table
    entry of type 4.
    0xb3b2b1b0
Reply: 88 00 ?? 00

Request: 09 00 a3 a2 a1 a0
    0xa3a2a1a0 <= 115200 is the new baud rate to switch to.
Reply: 89 00

Request: 0a 00
    Not used.
Reply: 15 00
    NAK message, sent to indicate disagreement.

Request: 0b 00
    Request number of elements in flash_mem_table above, i.e. 2.
Reply: 8b 00 nf 00
    `nf' is the value of the global variable at 0x10040.  This is
    initialised to 0x02 and apparently never altered.  It looks like
    the number of entries in the table at 0x8620 which looks like
    descriptions of flash memory areas.

Request: 0c 00 a0 b0
    a0 < 2, index into flash_mem_table.
    b0
Reply: 8c 00 a0 a1 a2 a3 b0 b1 b2 b3 c0 c1 c2 c3 d0 d1 d2 d3 e0 e1 f0 f1
    0xa3a2a1a0 is start field from flash_mem_table entry.
    0xb3b2b1b0 is len field from flash_mem_table entry.
    0xc3c2c1c0 is start2 field from flash_mem_table entry.
    0xd3d2d1d0 is len2 field from flash_mem_table entry.
    0xe1e0
    0xf1f0

Request: 0d 00
    Sends reply containing four 32-bit constants.
Reply: 8d 00 00 00 00 00 00 00 80 00 00 00 04 00 00 00 7c 00
    0x00000000
    0x00800000
    0x00040000
    0x007c0000

Request: 0e 00 a0 a1 a2 a3 b1 b0 l0 l1 d0...
    0xa3a2a1a0 address within flash_mem_table segment.
    0xb1b0 < 2, index into flash_mem_table.
    0xl1l0 is number of bytes `d0' onwards that are to fit at
    0xa3a2a1a0.
    Writes data to SoC segment 0.
Reply: 8e 00 ?? 00

Request: 0f 00
    Not used.
Reply: 15 00
    NAK message, sent to indicate disagreement.

Request: 10 00
    Not used.
Reply: 15 00
    NAK message, sent to indicate disagreement.

Request: 11 00
    Get *0x10054.
Reply: 91 00 a0 00
    a0 is the byte at 0x10054, always 9.  Number of entries in request
    12's table.

Request: 12 00 a0 ??
    a0 < *0x10054 == 9 index into table:
        0  SDRAM
        1  FLASH
        2  PBL Info
        3  EPLD
        4  Strap Pins
        5  Int. Data FLASH
        6  Int. Data Extra
        7  Ext. Data FLASH
        8  Ext. Data Extra
    Return information from a variety of sources, e.g. a unique machine
    id, or perhaps it performs self-tests too?
Reply: 92 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
             ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
             ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
             ?? ?? ?? ?? ?? ?? ?? ?? ?? ??

Request: 13 00 a0 a1 a2 a3 b0 b1 b2 b3 c0 ??
    a0 < *0x10054 == 9 index into same table as request 12.
Reply: 93 00 ?? 00 ?? ??

Request: 14 00
    Not used.
Reply: 15 00
    NAK message, sent to indicate disagreement.

$Revision: 1.4 $
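
Added example, not part of the original notes or of any PBL tooling: a Python framer and validator for the EXP packet format, plus a decoder for the request 02 reply. It assumes `len' and the two-byte message number are stored low byte first (the notes only say "probably"), and it does not handle comp = 1, since the notes do not describe the compression.

```python
import struct

STX, NAK = 0x02, 0x15

class FrameError(ValueError):
    """A frame or payload failed a structural or checksum check."""

def cksum(len_bytes: bytes, data: bytes) -> int:
    # Sum modulo 0x100 of the bytes in len and data (from the format table).
    return (sum(len_bytes) + sum(data)) & 0xFF

def build_frame(data: bytes, comp: int = 0) -> bytes:
    if len(data) > 0xFFFF:
        raise FrameError("payload does not fit the 2-byte len field")
    n = struct.pack("<H", len(data))  # ASSUMPTION: len is low byte first
    return bytes([STX, comp]) + n + data + bytes([cksum(n, data)])

def parse_frame(frame: bytes):
    """Validate one complete frame and return (comp, data)."""
    if len(frame) < 5 or frame[0] != STX:
        raise FrameError("too short or missing STX")
    if frame[1] not in (0, 1):
        raise FrameError("comp must be 0 or 1")
    (n,) = struct.unpack_from("<H", frame, 2)
    if len(frame) != 5 + n:
        raise FrameError("len field disagrees with frame size")
    data = frame[4:4 + n]
    if frame[4 + n] != cksum(frame[2:4], data):
        raise FrameError("bad cksum")
    return frame[1], data

def reply_status(request_no: int, data: bytes) -> str:
    """Classify a reply payload as 'ok', 'nak' or 'unexpected'."""
    if len(data) < 2:
        raise FrameError("payload lacks the 2-byte message number")
    (number,) = struct.unpack_from("<H", data)  # ASSUMPTION: low, high order
    if number == NAK:
        return "nak"
    return "ok" if number == (request_no | 0x80) else "unexpected"

def decode_version_reply(data: bytes) -> dict:
    """Decode `82 00 72 00 mj mn bl bh pl ph fe 7b 0e b0'."""
    if len(data) != 14 or data[:4] != b"\x82\x00\x72\x00":
        raise FrameError("not a request-02 reply")
    mj, mn, build, max_len, flags = struct.unpack_from("<BBHHI", data, 4)
    return {"version": (mj, mn), "build": build,
            "max_data_len": max_len, "flags": flags}

# Constructed sample built from the example field values quoted in the notes.
SAMPLE_REPLY = bytes.fromhex("82007200 0301 fd04 1020 fe7b0eb0")
```
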
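
Added example, not from the original notes: a client-side guard for the request 03 caveat that the PBL does not check whether a sum crosses a boundary between memory types. It splits a requested range at the flash_mem_table edges so each request 03 stays within one type. The function names are hypothetical, memory outside the table is reported as type None, and combining partial sums modulo 2**32 assumes the PBL's 32-bit sum wraps.

```python
import struct

# flash_mem_table rows from the notes, reduced to (index, type, start, len).
FLASH_MEM_TABLE = [
    (0, 0x00, 0x80000000, 0x00010000),
    (1, 0x04, 0x80010000, 0x00550000),
]

def region_type(addr: int):
    """Type of the table entry covering addr, or None outside the table."""
    for _, typ, start, length in FLASH_MEM_TABLE:
        if start <= addr < start + length:
            return typ
    return None

def split_by_region(addr: int, length: int):
    """Split [addr, addr+length) at table-entry edges.

    Returns (addr, length, type) pieces, each inside one memory type.
    """
    end = addr + length
    if length <= 0 or addr < 0 or end > 0x1_0000_0000:
        raise ValueError("range must be non-empty and fit in 32 bits")
    edges = sorted({edge for _, _, start, size in FLASH_MEM_TABLE
                    for edge in (start, start + size) if addr < edge < end})
    pieces, cur = [], addr
    for edge in edges + [end]:
        pieces.append((cur, edge - cur, region_type(cur)))
        cur = edge
    return pieces

def sum_request_payloads(addr: int, length: int):
    """One request-03 payload (03 00 a0..a3 b0..b3) per single-type piece."""
    return [struct.pack("<HII", 0x03, a, n)
            for a, n, _ in split_by_region(addr, length)]

def combine_sums(sums):
    # ASSUMPTION: each reply is a wrapping 32-bit byte sum, so partial
    # sums add modulo 2**32 to the sum over the whole range.
    return sum(sums) & 0xFFFFFFFF
```
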