
Exploring HP IPAQ 6515e bootloader


This is a long terminal log of me exploring the IPAQ 6515e’s bootloader firmware.


USB>? full
Available monitor commands are:
? [command] [full]
h [command] [full]
r [[register] [[=] [hex_value]]]
eb Addr
eh Addr
ew Addr
mb [StartAddr [Count [Filler]]]
mh [StartAddr [Count [Filler]]]
mw [StartAddr [Count [Filler]]]
string [Type [String]]
info [Type [Value]]
password [string]
l [path_name [startAddr offset ["cp"]]]
lnb nb-file [StartAddr [Length [SkipOffset ["cp"]]]]
ppdl [startAddr offset["cp"]]
s StartAddr Count Pattern...
map
cp reg# OPC_2 CRm [value]
stress [Type [Count(Hex)]]
d2s [StartAddr [Len [Type [Append[SkipStartAddr SkipLen]]]]]
s2d
set [Type [Value]]
task [Type [Value [Value1]]]
shmsg [Row [Col ["String"]]]
rbmc [FileName [StartAddr [Len]]]
erase [StartAddr [Len]]
wdata [StartAddr [Len]]
checksum [StartAddr [Len]]
prouter [PortID1[Baud1[PortID2[Baud2]]]]
lw [path_name [startAddr offset ["cp"]]]
rtask [Type [Value]]
rroute [UART Path1[Baud Rate1[UART Path2[Baud Rate2]]]]

...


USB>map

Virtual Physical Length
----------------------------------------------------------------------------------
0xA0000000 0x00000000 64
0xA8000000 0x44000000 1
0xA8200000 0x48000000 1
0xA8300000 0x4C000000 1
0xA8400000 0x58000000 1
0xA8500000 0x5C000000 1
0xA9000000 0x16000000 1
0xA9100000 0x04000000 1
0xA9200000 0x10000000 1
0xA9300000 0x0C000000 1
0xAAC00000 0x50000000 1
0xAC000000 0x20000000 1
0xAC100000 0x28000000 1
0xAC200000 0x2C000000 14
0xAD000000 0x30000000 1
0xAD100000 0x38000000 1
0xAD200000 0x3C000000 14
0xAE000000 0x40000000 32
0xB0000000 0xA0000000 64
0xB4000000 0xA4000000 64

USB>? shmsg
Usage:

shmsg [Row [Col ["String"]]]

Show texts on display.
Row(hex) : 0 - 17(11).
Col(hex) : 0 - 12(C).
Text String : The string which will be show on display.
USB>? rbmc
Usage:

rbmc [FileName [StartAddr [Len]]]

Read back the memory content from the specified address to the host
and save the data to specified file name.
FileName : Full file path for save data of memory(default=c:\temp\Mem.nb).
StartAddr : Start address of memory(default(hex)=A0000000).
Len : How many bytes will be read. And if not given value, it will be
Total ROM size on board - ((StartAddress & 0x0FFFFFFF) - (ROM base address(0) & 0x0FFFFFFF)).

USB>? set
Usage:

set [Type [Value]]

Set control flags.
Type(hex) : Control function types.
Value(hex) : Setting values for types.
If value is not given, default is 0.

Type 0(Echo on/off): 1(on) and 0(off).
Type 1(Operation mode): 1(auto) and 0(user).
Type 2(Back color on/off): 1(on) and 0(off).
Type 3(Inverse on/off): 1(on) and 0(off).
Type 4(Front color value): 16 bits data
Type 5(Background color value): 16 bits data
Type 6(Set color of screen): Fill color to whole screen one time.
Type 8(COMM queue flag): 0(TX_RX disable),1(RX enable),2(TX enable) and 3(TX_RX enable).
Type 1E(RUU command read/write flag): 1(unlock) and 0(lock).

Current flag settings:
Type 0(Echo flag): cEchoFlag=(0x1).
Type 1(Operation mode flag): cOpModeFlag=(0x0).
Type 2(Back color flag): cBackColorShowFlag=(0x1).
Type 3(Inverse flag): cShowInverseFlag=(0x0).
Type 4(Front color): g_wFColor=(0x0).
Type 5(Background color): g_wBColor=(0xFFFF).
Type 6(Set color of screen): None.
Type 8(COMM queue flag): g_cCommQueueFlag=(0x0).
Type 1E(RUU command read/write flag): g_cRUUCommandRWFlag=(0x0).
USB>? info
Usage:

info [Type [Value]]
Type(hex) 0: Get platform name(16 bytes) and [value](hex) is ignore.
Type(hex) 1: Get bootloader version(16 bytes) and [value](hex) is ignore.
Type(hex) 2: Get device CID(8 bytes CID with 8 bytes dummy data(0x20)) and [value](hex) is ignore.
USB>info 4
HTCS Lœ3ÆHTCE
USB>info 5
USB>info 0
BEETLES
USB>info 1
0.21
USB>info 2
USB>info 8
USB>? rtask
Usage:

rtask [Type [Value]]
Type(hex) 0: Reset radio and [value](hex) is ignore.
Type(hex) 1: Turn on radio, lease use type 3 and 4 instead.
Type(hex) 2: Turn off radio and [value](hex) is ignore.
Type(hex) 3: Run radio image and [value](hex) is ignore.
Type(hex) 4: Run radio bootloader and [value](hex) is ignore.
Type(hex) 7: Radio AT Command Debug.
Type(hex) 8: GSM trace route.
Type(hex) 9: Run radio external bootloader and [value](hex) is ignore.
Type(hex) A: Radio image flash by external bootloader and [value](hex) is ignore.
Type(hex) C: Select debug path.
Type(hex) D: Radio AT Command with GSM trace route.
Type(hex) 10: Set radio external boot UART mode(fast(1)/normal(0)).
USB>? task
Usage:

task [Type [Value [Value1]]]
Type,Value and Value1 are both DWORD(hex).
Value and Value1 are ignore in some case.
Type(hex) 0: Do hardware clear boot with delay time and [value](hex) is a delay time(unit is ms).
Type(hex) 7: Do flash ROM lock/unlock and [value]: 1(lock) and 0(unlock).
Type(hex) 8: Software reset with delay time and [value](hex) is a delay time(unit is ms).
Type(hex) 3C: Set terminal COM port baud rate.
Type(hex) 46: Force BT enter test mode.

USB>? string
Usage:

string [Type [String]]
Type(hex) 0: Set device CID.
USB>? s
Usage:

s StartAddr Count Pattern...

Search Memory for pattern.

StartAddr can be either a hex_address or a register name
The starting address MUST be in valid unmapped space.
The monitor does not validate this address.

Count and StartAddr defines a search region
Patterns can be hex numbers or double quoted strings
A hex number with less than three digits is considered a byte
A hex number with less than fice digits but greater than two digits
is consider a half-word
Otherwise a hex number must contain less than 9 digits and is considered
a word
Up to 8 Patterns can be given in the command line
They are concatenated as a single search pattern.
USB>? ppdl
Usage:

ppdl [startAddr offset["cp"]]
Startaddr offset(MSB bit is a sign bit):: Start address offset of every packet in bin file.
If [cp] is not given: Download the BIN file that assigned by PPSH command line.

If [cp] is given: for comparing image difference between
download file and data of flash ROM.
If parameter is given but not 'cp': Show message when downloading.

This download is via parallel port

USB>? l
Usage:

l [path_name [startAddr offset ["cp"]]]

Download BIN file across from serial/USB port.
Startaddr offset(MSB bit is a sign bit): Start address offset of every packet in bin file.
When 'cp' is given, it will just compare data of file with ROM image.
When path_name is not given, the file to be downloaded is determined
by ppfs on the host.
Otherwise, path_name on the host is downloaded regardless the ppfs setting.
The file must be in the format of BIN (preprocessed SRE).

The code is auto-launched once downloaded.
USB>? lnb
Usage:

lnb nb-file [StartAddr [Length [SkipOffset ["cp"]]]]

Download nb file to ROM.
StartAddr : Start address for downloading(default=80000000).
Length : Length for downloading(default=FFFFFFFF).
SkipOffset : SkipOffset for downloading(default=00040000).
cp : Compare image with file data only.
USB>? d2s
Usage:

d2s [StartAddr [Len [Type [Append[SkipStartAddr SkipLen]]]]]
Backup memory to storage.
StartAddr : Start address for backup(0xA0040000).
Len : Length of memory will be backup. And if not given value, it will be
Total ROM size on board - ((StartAddress & 0x0FFFFFFF) - (ROM base address(0) & 0x0FFFFFFF)).
Type : Which storage(cf/sd) type will be selected(cf).
Append : Backup methods(a/).
SkipStartAddr : Start address of skip area(0x0).
SkipLen : Skip length(0x0).
Skip area must be less than or equal to one block size of flash.
Skip area must not over two blocks, must inside one block.
Nand flash: Skip area size need be page boundary.
Nor flash: Skip area size need be DWORD boundary.
DOC flash: Skip area size need equal to MBLOCKLEN(32kB).
USB>? s2d
Usage:

s2d
Restore memory from storage.

USB>? mw
Usage:

mw [StartAddr [Count [Filler]]]

Display/Set memory content.

StartAddr can be either a hex_address or a register name
When StartAddr is not given, memory display continues from the
previous address.
When Count is not given, previous Count is used for memory display
Count is initially set to 20 (hex).
If Filler is specified, the memory area is filled with Filler.
Memory will be displayed/counted as words
StartAddr must be in valid unmapped space.
It is not validated.

USB>? mh
Usage:

mh [StartAddr [Count [Filler]]]

Display/Set memory content.

StartAddr can be either a hex_address or a register name
When StartAddr is not given, memory display continues from the
previous address.
When Count is not given, previous Count is used for memory display
Count is initially set to 20 (hex).
If Filler is specified, the memory area is filled with Filler.
Memory will be displayed/counted as half-words
StartAddr must be in valid unmapped space.
It is not validated.

USB>? lw

The same as "l" command, but download to radio flash memory.

Usage:

lw [path_name [startAddr offset ["cp"]]]

Download BIN file across from serial/USB port.
Startaddr offset(MSB bit is a sign bit): Start address offset of every packet in bin file.
When 'cp' is given, it will just compare data of file with ROM image.
When path_name is not given, the file to be downloaded is determined
by ppfs on the host.
Otherwise, path_name on the host is downloaded regardless the ppfs setting.
The file must be in the format of BIN (preprocessed SRE).

Auto-launched is disabled after downloading.
USB>? r
Usage:

r [[register] [[=] [hex_value]]]

Display(r0-r15)/Set registers(r9-r11 only) value(s).

When no register is given, all the registers' content are displayed.
When only a register name is given, the content of that register is
displayed.
If the optional value is also given, the register's content is set to
the new value.
'=' sign is always ignored.

USB>? eb
Usage:

eb Addr
Addr:hex memory address

USB>? eh
Usage:

eh Addr
Addr:hex memory address

USB>? ew
Usage:

ew Addr
Addr:hex memory address

USB>? mw
Usage:

mw [StartAddr [Count [Filler]]]

Display/Set memory content.

StartAddr can be either a hex_address or a register name
When StartAddr is not given, memory display continues from the
previous address.
When Count is not given, previous Count is used for memory display
Count is initially set to 20 (hex).
If Filler is specified, the memory area is filled with Filler.
Memory will be displayed/counted as words
StartAddr must be in valid unmapped space.
It is not validated.

USB>? password
Usage:

password [string]

Enter the password string to enable full help and command functions.

Enter the password string1 to enable some command functions related to RUU.

USB>? mb
Usage:

mb [StartAddr [Count [Filler]]]

Display/Set memory content.

StartAddr can be either a hex_address or a register name
When StartAddr is not given, memory display continues from the
previous address.
When Count is not given, previous Count is used for memory display
Count is initially set to 20 (hex).
If Filler is specified, the memory area is filled with Filler.
Memory will be displayed/counted as bytes
StartAddr must be in valid unmapped space.
It is not validated.

USB>? mh
Usage:

mh [StartAddr [Count [Filler]]]

Display/Set memory content.

StartAddr can be either a hex_address or a register name
When StartAddr is not given, memory display continues from the
previous address.
When Count is not given, previous Count is used for memory display
Count is initially set to 20 (hex).
If Filler is specified, the memory area is filled with Filler.
Memory will be displayed/counted as half-words
StartAddr must be in valid unmapped space.
It is not validated.

USB>? eh
Usage:

eh Addr
Addr:hex memory address

USB>? s
Usage:

s StartAddr Count Pattern...

Search Memory for pattern.

StartAddr can be either a hex_address or a register name
The starting address MUST be in valid unmapped space.
The monitor does not validate this address.

Count and StartAddr defines a search region
Patterns can be hex numbers or double quoted strings
A hex number with less than three digits is considered a byte
A hex number with less than fice digits but greater than two digits
is consider a half-word
Otherwise a hex number must contain less than 9 digits and is considered
a word
Up to 8 Patterns can be given in the command line
They are concatenated as a single search pattern.

USB>rtask 8
GSM Trace Route.
Wait 2413 ms

USB>rtask 1
Please use type 3 and 4 instead.

USB>? task 32
Syntax error!
Usage:

? [command] [full]

Helps on command.

When no command is given, output a list of normal commands.
If "full" option used, display all commands(need password enable).
But if one command is given, It will show the command usage method.

USB>? erase
Usage:

erase [StartAddr [Len]]

Erase the contain of flash ROM.
StartAddr : Start address of ROM(default(hex)=A0040000).
Len : How many bytes will be erased(default(hex)=40000).

USB>rtask a
Radio image flash by external bootloader.
HTCSôº6úÍÁHTCE

The IPAQ froze and I had to reboot the IPAQ before I could reconnect.


USB>password 0000000000000000
HTCSPass1.CMˆËHTCE
USB>? rtask
Usage:

rtask [Type [Value]]
Type(hex) 0: Reset radio and [value](hex) is ignore.
Type(hex) 1: Turn on radio, lease use type 3 and 4 instead.
Type(hex) 2: Turn off radio and [value](hex) is ignore.
Type(hex) 3: Run radio image and [value](hex) is ignore.
Type(hex) 4: Run radio bootloader and [value](hex) is ignore.
Type(hex) 7: Radio AT Command Debug.
Type(hex) 8: GSM trace route.
Type(hex) 9: Run radio external bootloader and [value](hex) is ignore.
Type(hex) A: Radio image flash by external bootloader and [value](hex) is ignore.
Type(hex) C: Select debug path.
Type(hex) D: Radio AT Command with GSM trace route.
Type(hex) 10: Set radio external boot UART mode(fast(1)/normal(0)).
USB>rtask a
Radio image flash by external bootloader.
2.12.00484830000EF23CB887AC20E08199E335&HTCE
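
The help text for mb/mh/mw and s above says the monitor does not validate StartAddr, while the map output lists which virtual ranges are actually mapped. The host-side check below is an added example, not part of the original log or of the bootloader: it parses that map output and refuses any address range that is not fully inside one mapped region. The names parse_map, translate and REGIONS are made up here, and the Length column is assumed to be decimal megabytes, which fits the table because adjacent rows line up (0xAC200000 + 14 MB = 0xAD000000).

```python
import re

# `map` output copied from the log above (header and rule lines omitted).
MAP_OUTPUT = """\
0xA0000000 0x00000000 64
0xA8000000 0x44000000 1
0xA8200000 0x48000000 1
0xA8300000 0x4C000000 1
0xA8400000 0x58000000 1
0xA8500000 0x5C000000 1
0xA9000000 0x16000000 1
0xA9100000 0x04000000 1
0xA9200000 0x10000000 1
0xA9300000 0x0C000000 1
0xAAC00000 0x50000000 1
0xAC000000 0x20000000 1
0xAC100000 0x28000000 1
0xAC200000 0x2C000000 14
0xAD000000 0x30000000 1
0xAD100000 0x38000000 1
0xAD200000 0x3C000000 14
0xAE000000 0x40000000 32
0xB0000000 0xA0000000 64
0xB4000000 0xA4000000 64
"""
MB = 1 << 20  # assumption: Length is decimal megabytes (adjacent rows line up)
ROW = re.compile(r"0x([0-9A-Fa-f]{8})\s+0x([0-9A-Fa-f]{8})\s+(\d+)")


def parse_map(text):
    """Return sorted (virt_start, phys_start, size_bytes) tuples."""
    rows = (ROW.fullmatch(line.strip()) for line in text.splitlines())
    return sorted((int(m[1], 16), int(m[2], 16), int(m[3]) * MB)
                  for m in rows if m)


def translate(regions, vaddr, length=1):
    """Physical address of a virtual range, or ValueError if any byte of it
    falls outside a single mapped region (conservative: a range crossing
    two adjacent rows is rejected because its physical side is split)."""
    if length < 1:
        raise ValueError("length must be at least 1")
    for virt, phys, size in regions:
        if virt <= vaddr and vaddr + length <= virt + size:
            return phys + (vaddr - virt)
    raise ValueError(f"0x{vaddr:08X}+0x{length:X} not inside one mapped region")


REGIONS = parse_map(MAP_OUTPUT)
```

For instance, translate(REGIONS, 0xA0040000) gives 0x00040000, while 0xA4000000 is rejected because the first 64 MB window ends there and the next row starts at 0xA8000000.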


6 comments

Comment from: Angel granado [Visitor]
Hello,

I have a problem, tries to update the ROM of the version that tapeworm to the 1,29 and when was updating the Stack Radius, I remain in the update, and it gave error me.

I have tried to put other versions of ROM and it does not load that part to me of the ROM.

I have proven to load it with the SD through mtty with the commando d2s and that part if me the load, but the RADIO no.
Also I have proven with unloading the RADIUS ROM (almost 1GB), and it remains in the screen, and it does not do anything.

That I can do?



The equipment works, but it works neither the telephone, nor the navigator to me.
03/09/07 @ 05:16
Comment from: Brinley Ang [Member]
Hmm, I don't quite understand what you are saying, but have you had a look at http://blogs.unbolt.net/index.php/brinley/2007/07/31/ipaq_6515_dead_gsm_after_failed_firmware
03/09/07 @ 09:18
Comment from: zamolxe [Visitor]
Hi, any idea why my ipaq hw6515 is resetting by itself? Did you hear of a problem like this one?
thank you in advance
27/03/08 @ 23:25
Comment from: Brinley Ang [Member]
Apart from software issues, which you can check by doing a hard reset, another common cause of the 6515 resetting itself is the microswitch for the battery cover, which turns off the ipaq and prevents it from turning on if your battery cover is off. Or in many cases, users' ipaqs keep shutting themselves off because the L hook on the battery cover is loose and occasionally releases the microswitch, turning it off. There are a few documented fixes on google afaik. Some people even open up the 6515 and solder over the switch to disable it.
28/03/08 @ 17:53
Comment from: Martin [Visitor]
[code]
Password 0000000000000000
wdata 60000000 800000

Command is Locked![/code]
Any idea how to unlock wdata? I have level 1 access but still it's locked
06/06/08 @ 09:11
Comment from: Nestor luque [Visitor]
Hello
I have an ipaq model hw6515a and it's impossible to use my sim card because this device is locked and has a simlock version 1.4. my imei is 35741********** and I don't have a code for it.
How is possible to remove the simlock or another alternative to unlock my ipaq
please give me a hand.
19/01/09 @ 01:08

Brinley Ang

Brinley Ang is a sysadmin, web dev, coder, geek boy, jedi knight fragger, caffeine addict, deaf melancholic and rockstar wannabe. Listens to the Sex Pistols and a wide assortment of heavy metal.

© 2014 - Brinley Ang