Exploring HP IPAQ 6515e bootloader

This is a long terminal log of me exploring the IPAQ 6515e’s bootloader firmware


USB>? full
Available monitor commands are:
? [command] [full]
h [command] [full]
r [[register] [[=] [hex_value]]]
eb Addr
eh Addr
ew Addr
mb [StartAddr [Count [Filler]]]
mh [StartAddr [Count [Filler]]]
mw [StartAddr [Count [Filler]]]
string [Type [String]]
info [Type [Value]]
password [string]
l [path_name [startAddr offset ["cp"]]]
lnb nb-file [StartAddr [Length [SkipOffset ["cp"]]]]
ppdl [startAddr offset["cp"]]
s StartAddr Count Pattern...
map
cp reg# OPC_2 CRm [value]
stress [Type [Count(Hex)]]
d2s [StartAddr [Len [Type [Append[SkipStartAddr SkipLen]]]]]
s2d
set [Type [Value]]
task [Type [Value [Value1]]]
shmsg [Row [Col ["String"]]]
rbmc [FileName [StartAddr [Len]]]
erase [StartAddr [Len]]
wdata [StartAddr [Len]]
checksum [StartAddr [Len]]
prouter [PortID1[Baud1[PortID2[Baud2]]]]
lw [path_name [startAddr offset ["cp"]]]
rtask [Type [Value]]
rroute [UART Path1[Baud Rate1[UART Path2[Baud Rate2]]]]



USB>map

Virtual Physical Length
----------------------------------------------------------------------------------
0xA0000000 0x00000000 64
0xA8000000 0x44000000 1
0xA8200000 0x48000000 1
0xA8300000 0x4C000000 1
0xA8400000 0x58000000 1
0xA8500000 0x5C000000 1
0xA9000000 0x16000000 1
0xA9100000 0x04000000 1
0xA9200000 0x10000000 1
0xA9300000 0x0C000000 1
0xAAC00000 0x50000000 1
0xAC000000 0x20000000 1
0xAC100000 0x28000000 1
0xAC200000 0x2C000000 14
0xAD000000 0x30000000 1
0xAD100000 0x38000000 1
0xAD200000 0x3C000000 14
0xAE000000 0x40000000 32
0xB0000000 0xA0000000 64
0xB4000000 0xA4000000 64

USB>? shmsg
Usage:

shmsg [Row [Col ["String"]]]

Show texts on display.
Row(hex) : 0 - 17(11).
Col(hex) : 0 - 12(C).
Text String : The string which will be show on display.
USB>? rbmc
Usage:

rbmc [FileName [StartAddr [Len]]]

Read back the memory content from the specified address to the host
and save the data to specified file name.
FileName : Full file path for save data of memory(default=c:\temp\Mem.nb).
StartAddr : Start address of memory(default(hex)=A0000000).
Len : How many bytes will be read. And if not given value, it will be
Total ROM size on board - ((StartAddress & 0x0FFFFFFF) - (ROM base address(0) & 0x0FFFFFFF)).

USB>? set
Usage:

set [Type [Value]]

Set control flags.
Type(hex) : Control function types.
Value(hex) : Setting values for types.
If value is not given, default is 0.

Type 0(Echo on/off): 1(on) and 0(off).
Type 1(Operation mode): 1(auto) and 0(user).
Type 2(Back color on/off): 1(on) and 0(off).
Type 3(Inverse on/off): 1(on) and 0(off).
Type 4(Front color value): 16 bits data
Type 5(Background color value): 16 bits data
Type 6(Set color of screen): Fill color to whole screen one time.
Type 8(COMM queue flag): 0(TX_RX disable),1(RX enable),2(TX enable) and 3(TX_RX enable).
Type 1E(RUU command read/write flag): 1(unlock) and 0(lock).

Current flag settings:
Type 0(Echo flag): cEchoFlag=(0x1).
Type 1(Operation mode flag): cOpModeFlag=(0x0).
Type 2(Back color flag): cBackColorShowFlag=(0x1).
Type 3(Inverse flag): cShowInverseFlag=(0x0).
Type 4(Front color): g_wFColor=(0x0).
Type 5(Background color): g_wBColor=(0xFFFF).
Type 6(Set color of screen): None.
Type 8(COMM queue flag): g_cCommQueueFlag=(0x0).
Type 1E(RUU command read/write flag): g_cRUUCommandRWFlag=(0x0).
USB>? info
Usage:

info [Type [Value]]
Type(hex) 0: Get platform name(16 bytes) and [value](hex) is ignore.
Type(hex) 1: Get bootloader version(16 bytes) and [value](hex) is ignore.
Type(hex) 2: Get device CID(8 bytes CID with 8 bytes dummy data(0x20)) and [value](hex) is ignore.
USB>info 4
HTCS Lœ3ÆHTCE
USB>info 5
USB>info 0
BEETLES
USB>info 1
0.21
USB>info 2
USB>info 8
USB>? rtask
Usage:

rtask [Type [Value]]
Type(hex) 0: Reset radio and [value](hex) is ignore.
Type(hex) 1: Turn on radio, lease use type 3 and 4 instead.
Type(hex) 2: Turn off radio and [value](hex) is ignore.
Type(hex) 3: Run radio image and [value](hex) is ignore.
Type(hex) 4: Run radio bootloader and [value](hex) is ignore.
Type(hex) 7: Radio AT Command Debug.
Type(hex) 8: GSM trace route.
Type(hex) 9: Run radio external bootloader and [value](hex) is ignore.
Type(hex) A: Radio image flash by external bootloader and [value](hex) is ignore.
Type(hex) C: Select debug path.
Type(hex) D: Radio AT Command with GSM trace route.
Type(hex) 10: Set radio external boot UART mode(fast(1)/normal(0)).
USB>? task
Usage:

task [Type [Value [Value1]]]
Type,Value and Value1 are both DWORD(hex).
Value and Value1 are ignore in some case.
Type(hex) 0: Do hardware clear boot with delay time and [value](hex) is a delay time(unit is ms).
Type(hex) 7: Do flash ROM lock/unlock and [value]: 1(lock) and 0(unlock).
Type(hex) 8: Software reset with delay time and [value](hex) is a delay time(unit is ms).
Type(hex) 3C: Set terminal COM port baud rate.
Type(hex) 46: Force BT enter test mode.

USB>? string
Usage:

string [Type [String]]
Type(hex) 0: Set device CID.
USB>? s
Usage:

s StartAddr Count Pattern...

Search Memory for pattern.

StartAddr can be either a hex_address or a register name
The starting address MUST be in valid unmapped space.
The monitor does not validate this address.

Count and StartAddr defines a search region
Patterns can be hex numbers or double quoted strings
A hex number with less than three digits is considered a byte
A hex number with less than fice digits but greater than two digits
is consider a half-word
Otherwise a hex number must contain less than 9 digits and is considered
a word
Up to 8 Patterns can be given in the command line
They are concatenated as a single search pattern.
USB>? ppdl
Usage:

ppdl [startAddr offset["cp"]]
Startaddr offset(MSB bit is a sign bit):: Start address offset of every packet in bin file.
If [cp] is not given: Download the BIN file that assigned by PPSH command line.

If [cp] is given: for comparing image difference between
download file and data of flash ROM.
If parameter is given but not 'cp': Show message when downloading.

This download is via parallel port

USB>? l
Usage:

l [path_name [startAddr offset ["cp"]]]

Download BIN file across from serial/USB port.
Startaddr offset(MSB bit is a sign bit): Start address offset of every packet in bin file.
When 'cp' is given, it will just compare data of file with ROM image.
When path_name is not given, the file to be downloaded is determined
by ppfs on the host.
Otherwise, path_name on the host is downloaded regardless the ppfs setting.
The file must be in the format of BIN (preprocessed SRE).

The code is auto-launched once downloaded.
USB>? lnb
Usage:

lnb nb-file [StartAddr [Length [SkipOffset ["cp"]]]]

Download nb file to ROM.
StartAddr : Start address for downloading(default=80000000).
Length : Length for downloading(default=FFFFFFFF).
SkipOffset : SkipOffset for downloading(default=00040000).
cp : Compare image with file data only.
USB>? d2s
Usage:

d2s [StartAddr [Len [Type [Append[SkipStartAddr SkipLen]]]]]
Backup memory to storage.
StartAddr : Start address for backup(0xA0040000).
Len : Length of memory will be backup. And if not given value, it will be
Total ROM size on board - ((StartAddress & 0x0FFFFFFF) - (ROM base address(0) & 0x0FFFFFFF)).
Type : Which storage(cf/sd) type will be selected(cf).
Append : Backup methods(a/).
SkipStartAddr : Start address of skip area(0x0).
SkipLen : Skip length(0x0).
Skip area must be less than or equal to one block size of flash.
Skip area must not over two blocks, must inside one block.
Nand flash: Skip area size need be page boundary.
Nor flash: Skip area size need be DWORD boundary.
DOC flash: Skip area size need equal to MBLOCKLEN(32kB).
USB>? s2d
Usage:

s2d
Restore memory from storage.

USB>? mw
Usage:

mw [StartAddr [Count [Filler]]]

Display/Set memory content.

StartAddr can be either a hex_address or a register name
When StartAddr is not given, memory display continues from the
previous address.
When Count is not given, previous Count is used for memory display
Count is initially set to 20 (hex).
If Filler is specified, the memory area is filled with Filler.
Memory will be displayed/counted as words
StartAddr must be in valid unmapped space.
It is not validated.

USB>? mh
Usage:

mh [StartAddr [Count [Filler]]]

Display/Set memory content.

StartAddr can be either a hex_address or a register name
When StartAddr is not given, memory display continues from the
previous address.
When Count is not given, previous Count is used for memory display
Count is initially set to 20 (hex).
If Filler is specified, the memory area is filled with Filler.
Memory will be displayed/counted as half-words
StartAddr must be in valid unmapped space.
It is not validated.

USB>? lw

The same as "l" command, but download to radio flash memory.

Usage:

lw [path_name [startAddr offset ["cp"]]]

Download BIN file across from serial/USB port.
Startaddr offset(MSB bit is a sign bit): Start address offset of every packet in bin file.
When 'cp' is given, it will just compare data of file with ROM image.
When path_name is not given, the file to be downloaded is determined
by ppfs on the host.
Otherwise, path_name on the host is downloaded regardless the ppfs setting.
The file must be in the format of BIN (preprocessed SRE).

Auto-launched is disabled after downloading.
USB>? r
Usage:

r [[register] [[=] [hex_value]]]

Display(r0-r15)/Set registers(r9-r11 only) value(s).

When no register is given, all the registers' content are displayed.
When only a register name is given, the content of that register is
displayed.
If the optional value is also given, the register's content is set to
the new value.
'=' sign is always ignored.

USB>? eb
Usage:

eb Addr
Addr:hex memory address

USB>? eh
Usage:

eh Addr
Addr:hex memory address

USB>? ew
Usage:

ew Addr
Addr:hex memory address

USB>? mw
Usage:

mw [StartAddr [Count [Filler]]]

Display/Set memory content.

StartAddr can be either a hex_address or a register name
When StartAddr is not given, memory display continues from the
previous address.
When Count is not given, previous Count is used for memory display
Count is initially set to 20 (hex).
If Filler is specified, the memory area is filled with Filler.
Memory will be displayed/counted as words
StartAddr must be in valid unmapped space.
It is not validated.

USB>? password
Usage:

password [string]

Enter the password string to enable full help and command functions.

Enter the password string1 to enable some command functions related to RUU.

USB>? mb
Usage:

mb [StartAddr [Count [Filler]]]

Display/Set memory content.

StartAddr can be either a hex_address or a register name
When StartAddr is not given, memory display continues from the
previous address.
When Count is not given, previous Count is used for memory display
Count is initially set to 20 (hex).
If Filler is specified, the memory area is filled with Filler.
Memory will be displayed/counted as bytes
StartAddr must be in valid unmapped space.
It is not validated.

USB>? mh
Usage:

mh [StartAddr [Count [Filler]]]

Display/Set memory content.

StartAddr can be either a hex_address or a register name
When StartAddr is not given, memory display continues from the
previous address.
When Count is not given, previous Count is used for memory display
Count is initially set to 20 (hex).
If Filler is specified, the memory area is filled with Filler.
Memory will be displayed/counted as half-words
StartAddr must be in valid unmapped space.
It is not validated.

USB>? eh
Usage:

eh Addr
Addr:hex memory address

USB>? s
Usage:

s StartAddr Count Pattern...

Search Memory for pattern.

StartAddr can be either a hex_address or a register name
The starting address MUST be in valid unmapped space.
The monitor does not validate this address.

Count and StartAddr defines a search region
Patterns can be hex numbers or double quoted strings
A hex number with less than three digits is considered a byte
A hex number with less than fice digits but greater than two digits
is consider a half-word
Otherwise a hex number must contain less than 9 digits and is considered
a word
Up to 8 Patterns can be given in the command line
They are concatenated as a single search pattern.

USB>rtask 8
GSM Trace Route.
Wait 2413 ms

USB>rtask 1
Please use type 3 and 4 instead.

USB>? task 32
Syntax error!
Usage:

? [command] [full]

Helps on command.

When no command is given, output a list of normal commands.
If "full" option used, display all commands(need password enable).
But if one command is given, It will show the command usage method.

USB>? erase
Usage:

erase [StartAddr [Len]]

Erase the contain of flash ROM.
StartAddr : Start address of ROM(default(hex)=A0040000).
Len : How many bytes will be erased(default(hex)=40000).

USB>rtask a
Radio image flash by external bootloader.
HTCSôº6úÍÁHTCE


The IPAQ froze and I had to reboot the IPAQ before I could reconnect.


USB>password 0000000000000000
HTCSPass1.CMˆËHTCEUSB>? rtask
Usage:

rtask [Type [Value]]
Type(hex) 0: Reset radio and [value](hex) is ignore.
Type(hex) 1: Turn on radio, lease use type 3 and 4 instead.
Type(hex) 2: Turn off radio and [value](hex) is ignore.
Type(hex) 3: Run radio image and [value](hex) is ignore.
Type(hex) 4: Run radio bootloader and [value](hex) is ignore.
Type(hex) 7: Radio AT Command Debug.
Type(hex) 8: GSM trace route.
Type(hex) 9: Run radio external bootloader and [value](hex) is ignore.
Type(hex) A: Radio image flash by external bootloader and [value](hex) is ignore.
Type(hex) C: Select debug path.
Type(hex) D: Radio AT Command with GSM trace route.
Type(hex) 10: Set radio external boot UART mode(fast(1)/normal(0)).
USB>rtask a
Radio image flash by external bootloader.
2.12.00484830000EF23CB887AC20E08199E335&HTCE


Links

• HOWTO: Change serial number and model number for HP IPAQ 6515
• HP IPAQ 6515 Bootloader password
• HP IPAQ 6510 / 6515 dead GSM after failed Firmware upgrade