Universal Technical

Mobiler讨论 | 贡献2011年9月13日 (二) 06:30的版本 (1个修订)
(差异) ←上一版本 | 最后版本 (差异) | 下一版本→ (差异)
跳转至: 导航搜索

bootup key combinations

  • bootloader : light* power + reset
  • bootmenu  : camera* reset
  • coldboot  : power* reset

the bootloader

  • password: 'UNIVERSAL'
  • extended rom password: SiRevInu
  • use this with unlockextrom
  • commands:
  • eb eh ew mb mh mw string info password l lnb d2s set task shmsg rbmc erase wdata checksum prouter dbgtool emapi lw rtask rroute keypad touch bttask btrouter wifitest
  • rtask 7 - talk to gsm at cmd interface
  • rtask A - talk to gsm bootloader

bootloader dynamic passwords

For information on the dynamically generated passwords the official RUU utility uses, read this forum thread [1]

set command

the set command takes two arguments, the property and the new value, both are hexadecimal numbers. Possible properties are: (flags are either 1 or 0, values are numbers)

property internal name internal description description
0 cEchoFlag Echo flag Wether to echo all input. 1 to show what you type, 0 to stay quiet
1 cOpModeFlag Operation mode flag Set to 0 for friendlier return values, or 1 for easier to parse return values (0 for users, 1 for programs)
2 cBackColorShowFlag Back color flag Wether to draw a background with text.
3 cShowInverseFlag Inverse flag Wether to inverse fore and background colors (1 yes, 0 no)
4 g_wFColor Front color value Foreground color, 16-bit number, 5-6-5 bit compression
5 g_wBColor Background color value Background color, see Foreground color
6 Unknown Unknown Sets complete screen to a specific color (see Foreground color)
7 Unknown Unknown Unknown
8 g_cCommQueueFlag COMM queue flag Unknown
9 Unknown Unknown Unknown
A Unknown Unknown Unknown
B Unknown Unknown Unknown
C Unknown Unknown Unknown
D Unknown Unknown Unknown
E Unknown Unknown Unknown
F Unknown Unknown Unknown
10 Unknown Unknown Unknown
11 Unknown Unknown Unknown
12 Unknown Unknown Unknown
13 Unknown Unknown Unknown
14 Unknown Unknown What to do after a reset. Set to 1 to go to bootloader after reset, set to 0 to start OS

info command

The info command returns specific info from the device. it takes one hexadecimal argument. The possibilities that are known are listed below

argument example value description
0 UNIVERSAL Probably either the device type, or the bootloader password
1 1.00 Bootloader version
2 (too long) SD Card information* HTCS + (some kind of CRC) + HTCE
3 (too long) HTCS* All sorts of device information + CRC + HTCE
4 HTCSQTEK_001(crc)HTCE HTCS* CID-lock + crc + HTCE
5 (nothing) Unknown
6 HTCST (crc)HTCE Unknown (same as radio rregion command?)
7 (too long) Information about the bootloader

task command

The task command takes one argument, and performs that 'task'.

argument action taken
0 Exits bootloader and turns screen completely black.
8 Resets
1E switches to eMapiMain+++ mode :S
28 Gives info on FAT partitions and does a hard-reset
28 55aa Restores DOC to its original layout
32 Returns Radio SecLevel
37 KITL output - requires task 32 first and for Level = 0
3C sends "+SA_USB_Init" and seems to reset the USB connection

rtask command

rtask seems to accept either just a type, or a value. (two hex arguments)

type possible values description
0  ? Resets radio
1  ? tells you to use 3 or 4 instead
2  ? Turn radio off
3  ? Runs radio image
4  ? Runs radio bootloader
7  ? Allows you to debug AT commands.
a  ? Talk to GSM bootloader.
b  ? Radio AT Command Debug. Talk to GSM AT cmd interface.
 ?  ? (more follow, but not all documented)

backing up the device with 'd2s'

Device needs to be SuperCID for this command to work, if it is CID locked you'll get an error from bootloader.

d2s 60000000 00800000 8M radio rom (First 8M, where the code is)
d2s 60000000 01000000 16M Full radio NAND chip backup (filled with FF)
d2s 70000000 00100000 1M SPL
d2s 70100000 04000000 64.00 M OS TrueFFS
d2s 74100000 00a00000 10.00 M extrom DSK2:PART00 fatfsd
d2s 74b00000 02c40000 44.25 M root filesystem TRUEFFS

the radio bootloader

  • commands:
  • rchecksum rregion rinfo rversion rpass rerase rwdata rrbmc rrom rwfactory

memory map

sorted by virtual address

virtual nocached virtual cached physical description
0x88000000-88100000 0xa8000000-a8100000 0x44000000-44100000 PXA270 LCD
0x88200000-88300000 0xa8200000-a8300000 0x48000000-48100000 PXA270 memory controller
0x88300000-88400000 0xa8300000-a8400000 0x4c000000-4c100000 PXA270 USB host
0x88400000-88500000 0xa8400000-a8500000 0x58000000-58100000 PXA270 internal memory control
0x88600000-88700000 0xa8600000-a8700000 0x50000000-50100000 PXA270 CIF capture interface
0x88700000-88800000 0xa8700000-a8800000 0xa3f00000-a4000000 top 1MB SDRAM (pxafb)
0x88800000-88900000 0xa8800000-a8900000 0x5c000000-5c100000 PXA270 Internal memory (256K)
0x88f00000-89000000 0xa8f00000-a9000000 0xe0000000-e0100000
0x89000000-89100000 0xa9000000-a9100000 0x16000000-16100000
0x89100000-89200000 0xa9100000-a9200000 0x00000000-00100000 IPL
0x89200000-89300000 0xa9200000-a9300000 0x10000000-10100000
0x89300000-89400000 0xa9300000-a9400000 0x0c000000-0c100000
0x8a100000-8a300000 0xaa100000-aa300000 0x15000000-15200000
0x8a300000-8a400000 0xaa300000-aa400000 0x14000000-14100000
0x8b000000-8b100000 0xab000000-ab100000 0x08000000-08100000  ?
0x8b100000-8b200000 0xab100000-ab200000 0x0a000000-0a100000
0x8c000000-8c100000 0xac000000-ac100000 0x20000000-20100000 PCMCIA0 IO
0x8c100000-8c200000 0xac100000-ac200000 0x28000000-28100000 PCMCIA0 attrib
0x8c200000-8d000000 0xac200000-ad000000 0x2c000000-2ce00000 PCMCIA0 memory
0x8d000000-8d100000 0xad000000-ad100000 0x30000000-30100000 PCMCIA1 IO
0x8d100000-8d200000 0xad100000-ad200000 0x38000000-38100000 PCMCIA1 attrib
0x8d200000-8e000000 0xad200000-ae000000 0x3c000000-3ce00000 PCMCIA1 memory
0x8e000000-90000000 0xae000000-b0000000 0x40000000-42000000 PXA270 periferals
0x90000000-93f00000 0xb0000000-b3f00000 0xa0000000-a3f00000 63MB SDRAM
0x93f00000-97f00000 0xb3f00000-b7f00000 0xa4000000-a8000000 (64MB SDRAM)
0xf0000000-f0100000 0x00000000-00100000 IPL

sorted by physical address

p00000000-00100000 v89100000-89200000 va9100000-a9200000 IPL
p00000000-00100000 vf0000000-f0100000
p08000000-08100000 v8b000000-8b100000 vab000000-ab100000
p0a000000-0a100000 v8b100000-8b200000 vab100000-ab200000
p0c000000-0c100000 v89300000-89400000 va9300000-a9400000
p10000000-10100000 v89200000-89300000 va9200000-a9300000
p14000000-14100000 v8a300000-8a400000 vaa300000-aa400000
p15000000-15200000 v8a100000-8a300000 vaa100000-aa300000
p16000000-16100000 v89000000-89100000 va9000000-a9100000
p20000000-20100000 v8c000000-8c100000 vac000000-ac100000
p28000000-28100000 v8c100000-8c200000 vac100000-ac200000
p2c000000-2ce00000 v8c200000-8d000000 vac200000-ad000000
p30000000-30100000 v8d000000-8d100000 vad000000-ad100000
p38000000-38100000 v8d100000-8d200000 vad100000-ad200000
p3c000000-3ce00000 v8d200000-8e000000 vad200000-ae000000
p40000000-42000000 v8e000000-90000000 vae000000-b0000000
p44000000-44100000 v88000000-88100000 va8000000-a8100000
p48000000-48100000 v88200000-88300000 va8200000-a8300000
p4c000000-4c100000 v88300000-88400000 va8300000-a8400000
p50000000-50100000 v88600000-88700000 va8600000-a8700000
p58000000-58100000 v88400000-88500000 va8400000-a8500000
p5c000000-5c100000 v88800000-88900000 va8800000-a8900000
pa0000000-a3f00000 v90000000-93f00000 vb0000000-b3f00000
pa3f00000-a4000000 v88700000-88800000 va8700000-a8800000
pa4000000-a8000000 v93f00000-97f00000 vb3f00000-b7f00000
pe0000000-e0100000 v88f00000-89000000 va8f00000-a9000000

rom layout

the 64M partition starting at 70100000 in the disk on chip, contains the main os.

00000000 00000400 MSFLSH50 rom header
00000400 001d2100 first XIP block
001d2500 0012df00 empty - filled with 0x00
00300400 0000fc00 empty - filled with 0xff
00310000 002d0000 second XIP block
005e0000 02000000 MSFLSH rom filesystem
025e0000 01920000 empty - filled with 0xff
03f00000 00100000 Splash Screen (First 32 bit header?)


IPL 0.36
OS 0.82.10 WWE
radio 0.80.00
radioboot 1.0106
SPL 0.51 1.40e

文件:Chiplist-board finished-640.png

文件:Chiplist-board finished.png

Audio Codec EK4641 datasheet: http://www.asahi-kasei.co.jp/akm/en/product/ak4641/ek4641.pdf

Maxim Max2820 datasheet: http://pdfserv.maxim-ic.com/en/ds/MAX2820-MAX2821A.pdf also present in the ipaq 4100 - http://www.handhelds.org/moin/moin.cgi/HpIpaqH4100Hardware

Xilinx 2C128s: also present in the Dell Axim X50s: http://www.handhelds.org/moin/moin.cgi/DellAximX50Hardware

Apparently, the similar hardware is used by Motorola A780 - see http://sourceforge.net/projects/e680. hurrah!

Back to the Universal Home Page