PBL, the boot-loader

The Amstrad Emailers contain a boot-loader called `PBL'. As well as boot-strapping the rest of the machine's software, it is also used by Amstrad in the factory to load software onto the machine, or upgrade what's already there. The 3.5mm stereo jack socket on the back of an Emailer labelled `EXP' is wired to the system-on-chip's UART0, i.e. it's a serial port, and PBL can communicate through this. Additionally, it has code to use its modem to dial an 0800 phone number and speak the same protocol over the phone line as it does over the EXP port.

Those that have managed to extract PBL from the Emailer Plus, or E2, say that version contains 64KiB of ARM machine instructions and data. From the redundancy, most of the instructions look to be compiler-generated. It contains an SCCS what(1) string identifying its version. The last 1KiB contains, amongst other things, the unit's 12-byte serial number, so that's trampled when calculating digests.

$ wc -c pbl.img 
  65536 pbl.img
$ what pbl.img 
@(#)PBL V3.1 Build:1277
$ perl -0777 -pe 'substr($_, 0xff08, 12) = "foo" x 4' pbl.img | sha1sum
12f0b87dc9892555cca6c243a22687b02590c371  -
$ perl -0777 -pe 'substr($_, 0xff08, 12) = "foo" x 4' pbl.img | md5sum
c99027f549b78c710436a565410735dd  -
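
The same normalisation as the perl one-liners above, as an added example that is not part of the original page: it overwrites the 12-byte serial number at 0xff08 with the same filler before hashing, pulls out the what(1) string, and lists the offsets at which two dumps differ. The function names and the stand-in image are constructed for illustration; only the size, offset, length and version string come from the page.

```python
import hashlib

PBL_SIZE = 0x10000                    # 64KiB image size given on the page
SERIAL_OFF, SERIAL_LEN = 0xFF08, 12   # serial number location given on the page
FILLER = b"foo" * 4                   # same filler as the perl one-liner

def what_strings(image):
    """what(1)-style scan: return the text following each '@(#)' marker."""
    found, pos = [], image.find(b"@(#)")
    while pos != -1:
        start = end = pos + 4
        # what(1) stops at a double quote, '>', backslash, newline or NUL
        while end < len(image) and image[end] not in b'">\\\n\x00':
            end += 1
        found.append(image[start:end].decode("latin-1"))
        pos = image.find(b"@(#)", end)
    return found

def normalised_digests(image):
    """Overwrite the per-unit serial number, then hash the whole image."""
    if len(image) != PBL_SIZE:
        # A short or padded dump would put the filler over the wrong bytes.
        raise ValueError("expected %d bytes, got %d" % (PBL_SIZE, len(image)))
    masked = bytearray(image)
    masked[SERIAL_OFF:SERIAL_OFF + SERIAL_LEN] = FILLER
    masked = bytes(masked)
    return {"sha1": hashlib.sha1(masked).hexdigest(),
            "md5": hashlib.md5(masked).hexdigest()}

def differing_offsets(a, b):
    """Offsets at which two equal-length dumps differ (locates per-unit data)."""
    if len(a) != len(b):
        raise ValueError("dumps differ in length")
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]

def make_constructed_image(serial):
    """Constructed stand-in for a dump: zero-filled, NOT real PBL contents."""
    assert len(serial) == SERIAL_LEN
    img = bytearray(PBL_SIZE)
    tag = b"@(#)PBL V3.1 Build:1277\x00"
    img[0x40:0x40 + len(tag)] = tag   # 0x40 is an arbitrary constructed offset
    img[SERIAL_OFF:SERIAL_OFF + SERIAL_LEN] = serial
    return bytes(img)

if __name__ == "__main__":
    unit_a = make_constructed_image(b"SERIAL-00001")
    unit_b = make_constructed_image(b"SERIAL-00002")
    print(what_strings(unit_a))
    print(normalised_digests(unit_a) == normalised_digests(unit_b))
    print([hex(o) for o in differing_offsets(unit_a, unit_b)])
```

If two real dumps of the same PBL build still differ outside 0xff08..0xff13, `differing_offsets` shows where the other per-unit data in the last 1KiB lives.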

PBL V3.1 normally arranges for the main code to be run, but, if certain triggers occur, it checks first to see if there's anything listening on the other end of the EXP port on the back of the E2. If there is, it diverts from its normal boot-procedure and instead follows an un-documented protocol over the serial port that allows programming of the Emailer's flash memory devices, amongst other things. Eventually, the SoC's watch-dog timer will reset the device if protocol communication stops. Some incomplete details of PBL V3.1's protocol are available. Any updates or corrections are welcome.

The 3.5mm stereo jack plug for use with the EXP port should be wired with the tip as the Emailer's TXD, ring as RXD, and sleeve as GND. Thanks to Jonathan McDowell for this information.

    PC  pin 2, RXD o----------o TXD o-----v   |  | Emailer
 9-pin  pin 3, TXD o----------o RXD o-------^ |  | 3.5mm stereo
D-type  pin 5, GND o----------o GND o---------|__| jack plug

He also reports that a level shifter wasn't required when obtaining a log of PBL and Linux boot messages from the E3 with a serial port setting of 115200,8n1. That log starts `Amstrad Delta - PBL V4.9 Build:1311 Assert Debug ICE' so the E3 probably allows a similar protocol to the E2.

Code exists to use the same PBL protocol over the modem. An 0800 number is dialled, without a `141 withhold my number' prefix. Reportedly, after about 15 rings the phone is answered and "Testing record of the out-going message, I hope this works OK" is heard, followed by a pause, then a sharp beep, another pause, then something similar to a dial tone. Presumably, PBL attempts this if a fault is found, as it can use the protocol to re-flash with freshly downloaded software which may fix the fault. Whether this phone number is still, or ever was, in operation is unknown, as is what would happen if a non-Emailer were to dial it and talk the appropriate protocol. Would the remote party attempt to deliver a software download?

$ perl -0777 -ne 'print join("\n", /(0800\d+)/g), "\n"' <pbl.img

So far, the protocol doesn't have a `send me N bytes of Emailer memory starting at address A' request, but it does have request `03 00' which returns a 32-bit sum of the memory region specified. This could be used to read memory by summing one byte at a time.

$Revision: 1.15 $
