From: "Cyrano Jones" <cyranojones_lalp@...>
Mar 10, 2005
I have uploaded a current copy of my remote debugger
to the files section (a DOS executable, mailbug.exe).
It includes code to flash the remote target code
(MBOOT/MBUG) into a mailstation. I have tested
it on version 2.22r and 2.53yr. It should work with
2.54, too. I don't know about any of the others,
but it might. You need a parallel laplink cable to
use it. I think a windows DCC (direct cable connect)
is essentially the same thing.
If you don't feel adventurous, it should be possible
to make a version that is more likely to work on
unknown versions, it just is not done yet.
It also includes a "RAM" target, that emulates only the
mailstation ROM (you don't need to connect to real mailstation).
This will allow "on the fly" disassembly of the rom code,
including comments, but not execution. (unzip don
hamiltons dump in subdir "hamilton", and debugger
will convert it to .rom files.)
Installing the MBUG target will erase most of the
mailstation code, but the low level stuff is preserved.
MBUG will allow on the fly disassembly, uploading to
ram, and executing, among other things. Breakpoints
still do not work.
There is also an extremely simple "hello world" program
(both .asm & .hex). It makes a call to a system routine,
and displays on the LCD.
The source code is included for the remote part, with
an explanation of how it (remote) works. The source
for the PC side is not included, 'cause it is not ready yet.
There is no documentation on using it yet either, but
the menu should help.
It uses the same code I posted earlier (unit_tribbles.pas)
but with new timeout code that should work regardless
of cpu speed now. And it is still a DOS app (just be glad
it is not still CP/M!!!). If anyone knows how to turn
tribbles.pas into a win32 device driver, then I could
make a win32 version.
I only included comment file for page #00 of the rom
for now. I have a lot more, but it is taking time to get
everything in order. I hope to post more soon. But I
wanted to get something out now.
I'm sure I have forgot something....
Oh, if something goes wrong, you could toast your
mailstation. I now have 4 units with unbootable rom code.
And I would highly advise not to leave the laplink
connected between your PC and the mailstation when
booting the PC.
CJ
From: "John R. Hogerhuis" <jhoger@...>
Mar 19, 2005
On Thu, 2005-03-10 at 08:13 +0000, Cyrano Jones wrote:
(URL)
I'm not sure how well such a clip would work, given the low profile of a
TSOP flash part, but if it does work wouldn't that mean one could
reprogram a toasted mailstation flash chip without desoldering the part?
From: "Cyrano Jones" <cyranojones_lalp@...>
Mar 20, 2005
(URL)
essories/test_clips/tsop_test_clips/
OUCH! Did you see the price on those? You could
buy 20 or 30 mailstations for that price! :-)
I am sure you can rescue a misflashed mailstation
without removing the chip. It's just not gonna be
real easy.
I was thinking that the ram chip would be the easiest
place to get at the bus, like in Don Hamilton's pic
in the groups photo section. Just solder wires to it!
I don't know about just driving the bus and flashing,
but what I was thinking was to connect the data bus
to the data pins on a pc parallel port, and maybe the
/rd or /ce, or an address line or two, to the status
pins. You would need to cut the /ce to the flash, and
pull the flash side of it high, and monitor the other
side of it.
Then, with a fast pc, emulate the codeflash. Send
code for the cpu to execute, and have it load
whatever you want into ram, then jump to it.
After your arbitrary code was running from
ram, disconnect the pc from the bus, and reconnect
the /ce to the codeflash chip.
Then the code in ram can flash whatever it needs to
into the codeflash. This technique would
give you access to any device, not just
a trashed mailstation. You could even use
it to access/download the rom before erasing
any of the unknown ms firmware versions.
Maybe there is some socket with the right pitch
to mate with that ram chip? It wouldn't need to
snap on, you could just hold it on for the instant
it would take to load the ram. A through-hole
type rather than surface mount might work
even better (use the solder side pins to contact
the ram, and solder your wires to the component side).
(It might be easier to just piggyback a similar
packaged preprogrammed rom on to the ram, with
its /cs connected to the codeflash /cs, but I don't
have such a chip, or a programmer for it.)
Anybody able to identify the type of package
for the ram chip? I am by no means an expert
on surface mount packages. Is it a SOP? SSOP??
TSOP-II???
Whats the difference between all those anyhow???
The fact that different manufacturers seem
to use different names for the same packages
doesn't help.
CJ
From: "John R. Hogerhuis" <jhoger@...>
Mar 21, 2005
On Sun, 2005-03-20 at 07:11 +0000, Cyrano Jones wrote:
Well with shipping on each one I think it would be more like 10 or 15,
but yeah. It ain't free.
But then such a solution would work in all cases, no matter how hose the
MS, and whether or not the built-in flash routine is accessible. Only
one of us would have to own one, and could reprogram MS's for others.
I heard about this particular test clip from someone that reprograms
firmware on certain tv receivers.
From: "Cyrano Jones" <cyranojones_lalp@...>
Mar 21, 2005
wrote:
15,
I got a bunch for betwwen $0.01 & $1.00, plus s/h.
I figure the average price I paid might be about $8.00
after shipping. I got a box of 10 150's, shipped for
$50.00 total. :-)
But the price seems to have gone UP on ebay this
week. <heh, heh>
the
Only
others.
I can't afford it. Maybe I'll send mine to you? ;^)
TVs??? Or Tivos???
CJ
From: "John R. Hogerhuis" <jhoger@...>
Mar 22, 2005
On Tue, 2005-03-22 at 03:22 +0000, Cyrano Jones wrote:
Satellite tv receivers. Every once in a while they change some codes,
and the modders have to reprogram their firmware.