HTC Artemis BootLoader
The bootloader is where you can change the low-level software parameters and some hardware parameters of the Artemis, read and change the ROM, and obtain information about it.
The bootloader is invoked by pressing down the Record button and using the stylus at the same time to press the RESET button at the left side.
You can connect to the bootloader via USB using the program mtty under Windows or minicom / cu under Linux.
NOTE: If you use mtty you can't copy-paste, you MUST type the commands yourself.
Make sure you have disabled the USB connection in ActiveSync before trying to connect to the bootloader: File --> Connection settings --> uncheck "allow USB connections".
Please note that some commands are locked if you do not authenticate with the proper password.
set [Type [Value]]
Set control flags. Type(hex) : Control function types. Value(hex) : Setting values for types. If value is not given, default is 0.
- Type 0(Echo on/off): 1(on) and 0(off). cEchoFlag: Whether to echo all input. 1 to show what you type, 0 to stay quiet.
- Type 1(Operation mode): 1(auto) and 0(user). cOpModeFlag: Set to 0 for friendly return values, 1 for easy-to-parse return values (0 for users, 1 for programs).
- Type 2(Back color on/off): 1(on) and 0(off). cBackColorShowFlag: Whether to draw a background with text.
- Type 3(Inverse on/off): 1(on) and 0(off). cShowInverseFlag: Whether to invert foreground and background colors (1 = yes, 0 = no).
- Type 4(Front color value): 16 bits data. g_wFColor: Foreground color, 16-bit number, 5-6-5 bit compression.
- Type 5(Background color value): 16 bits data. g_wBColor: Background color, 16-bit number, 5-6-5 bit compression.
- Type 6(Set color of screen): Fill color to whole screen one time.
- Type 8(COMM queue flag): 0(TX_RX disable),1(RX enable),2(TX enable) and 3(TX_RX enable). g_cCommQueueFlag: Unknown.
- Type 14(action after reset): What to do after a reset. Set to 1 to go to bootloader after reset, set to 0 to start OS.
- Type 1E(RUU command read/write flag): 1(unlock) and 0(lock).
Current flag settings:
Type 0(Echo flag): cEchoFlag=(0x1).
Type 1(Operation mode flag): cOpModeFlag=(0x0).
Type 2(Back color flag): cBackColorShowFlag=(0x1).
Type 3(Inverse flag): cShowInverseFlag=(0x0).
Type 4(Front color): g_wFColor=(0x0).
Type 5(Background color): g_wBColor=(0xFFFF).
Type 6(Set color of screen): None.
Type 8(COMM queue flag): g_cCommQueueFlag=(0x0).
Type 1E(RUU command read/write flag): g_cRUUCommandRWFlag=(0x0).
Enter the password string to enable wdata, erase and rbmc functions
See more info on the bootloader password here.
checksum [StartAddr [Len]]
Return CRC checksum of memory.
StartAddr : Start address of ROM(default(hex)=A0000000).
Len : How many bytes will be calculated. default(hex) = ROM total size - ((dwStartAddress & 0x0FFFFFFF) - (ROM_BASE & 0x0FFFFFFF))
In user mode: Show 4 bytes of CRC checksum value on display of terminal.
In auto mode: Send 4 bytes of CRC checksum value to terminal with data format.
Usage: wdata [Len [StartAddr]]
Write data to memory(if write to ROM, need erase first).
StartAddr : Start address of memory.
Len : How many bytes will be written. Length must not more than 0x80000 bytes(buffer limitation).
Write to RAM: 4 bytes(CRC checksum limitation). 1 byte(in user mode).
Write to ROM: 4 bytes(CRC checksum limitation). 2(16-bit)/4(32-bit) bytes(in user mode).
Write to ROM(16-bit data bus): 32 bytes(writebuffer mode).
Write to ROM(32-bit data bus): 64 bytes(writebuffer mode).
Length must be 4 bytes boundary(CRC checksum) if not in user mode.
After command execute, then send out the data to terminal. Data format: HTCS(4 bytes)+DATA+checksum(4 bytes, if not in user mode)+HTCE(4 bytes).
Password is needed to use this command.
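A reader for the data format given above (HTCS + DATA + checksum + HTCE), added here as an example and not taken from the original page or from HTC's tools. The page does not name the CRC variant, its byte order or what it covers, so standard CRC-32 (zlib) over DATA, stored little-endian, is an assumption, and the function names are hypothetical; pass a different crc callable if a real capture disagrees.

```python
import struct
import zlib

START, END = b"HTCS", b"HTCE"

class FrameError(ValueError):
    """Raised when a captured reply does not match the documented layout."""

def build_frame(data, auto_mode=True, crc=zlib.crc32):
    """Build HTCS + DATA + [checksum] + HTCE; used here to construct sample input."""
    body = data + (struct.pack("<I", crc(data) & 0xFFFFFFFF) if auto_mode else b"")
    return START + body + END

def parse_frame(buf, data_len, auto_mode=True, crc=zlib.crc32):
    """Return DATA from the first frame in buf, verifying checksum and trailer.

    data_len is the Len given on the command line. Using it instead of
    searching for HTCE keeps payloads that contain the marker bytes intact.
    """
    if auto_mode and data_len % 4:
        raise FrameError("Len must be on a 4-byte boundary outside user mode")
    start = buf.find(START)
    if start < 0:
        raise FrameError("no HTCS marker in capture")
    pos = start + len(START)
    data = buf[pos:pos + data_len]
    if len(data) != data_len:
        raise FrameError("capture ends inside DATA")
    pos += data_len
    if auto_mode:  # the checksum field is absent in user mode
        raw = buf[pos:pos + 4]
        if len(raw) != 4:
            raise FrameError("capture ends inside checksum")
        (got,) = struct.unpack("<I", raw)  # assumption: little-endian
        want = crc(data) & 0xFFFFFFFF      # assumption: CRC-32 over DATA only
        if got != want:
            raise FrameError(f"checksum mismatch: got {got:#010x}, want {want:#010x}")
        pos += 4
    if buf[pos:pos + len(END)] != END:
        raise FrameError("HTCE trailer not found where expected")
    return data

if __name__ == "__main__":
    # Constructed sample: echoed terminal text, then a frame whose payload contains "HTCE".
    payload = b"\x01\x02HTCE\xff\x00"
    capture = b"<echoed command>\r\n" + build_frame(payload)
    print(parse_frame(capture, len(payload)).hex())
```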
clean up the image temp buffer at 0x8C100000 Length 0x03A00000
BOOTLOAD_PAGE_TABLE_BASE_C_VIRTUAL= 0x8C080000
Clear image temp buffer done .
"MTTYDownloadImage" start download
There are more bootloader commands, but they are still unknown. The methods to research the commands are explained here:
- Take extracted SPL.nb from shipped NBH upgrade file, take the EXE and DLL files from RUU, use unix/cygwin command 'strings' and 'strings -el' to search for strings inside these files.
- Make USB monitor capture of the upgrade process, it will show all the commands sent by the RUU to the bootloader.