/////////////////////////////////////////////////////////////////// READNAND # ----------------------------------------- # Init phone RAM a 0x20010000 f x-load.bin // Call a sub from x-load.bin: TT BoardInit (should only work with TT) a 0x20010da4 c # ----------------------------------------- # Upload FlashWriteNAND.bin program a 0x10000000 f FlashWriteNAND.bin # ----------------------------------------- # ------------------X-LOAD----------------- # ----------------------------------------- # Setup read command for x-load.bin a 0x1000ffec p 0x00000003 p 0x10010000 p 0x00000000 p 0x00004000 p 0x00000000 // Just peek to control command is set as expected a 0x1000ffec P;P;P;P;P # ----------------------------------------- # Call FlashWriteNAND program a 0x10000000 c # ----------------------------------------- # Setup file to be updated F /lib/firmware/tt-x-load.bin C 0 # ----------------------------------------- # Download phone memory into local buffer a 0x10010000 m 16 # ----------------------------------------- # Save the local buffer into a file D # ----------------------------------------- # ------------------U-BOOT----------------- # ----------------------------------------- # Setup read command for u-boot.bin a 0x1000ffec p 0x00000000 p 0x10010000 p 0x00004000 p 0x00030000 p 0x00000000 // Just peek to control command is set as expected a 0x1000ffec P;P;P;P;P # ----------------------------------------- # Call FlashWriteNAND program a 0x10000000 c # ----------------------------------------- # Setup file to be updated F /lib/firmware/tt-u-boot.bin C 0 # ----------------------------------------- # Download firmware to local file a 0x10010000 m 192 D # ----------------------------------------- # ------------------UNUSED----------------- # ----------------------------------------- # Setup read command for u-boot-params.bin a 0x1000ffec p 0x00000000 p 0x10010000 p 0x00034000 p 0x00020000 p 0x00000000 // Just peek to control command is set as expected a 0x1000ffec P;P;P;P;P # ----------------------------------------- # Call FlashWriteNAND program a 0x10000000 c # ----------------------------------------- # Setup file to be updated F /lib/firmware/tt-u-boot-params.bin C 0 # ----------------------------------------- # Download firmware to local file a 0x10010000 m 128 D # ----------------------------------------- # ------------------SPLASH----------------- # ----------------------------------------- # Setup read command for splash.bin a 0x1000ffec p 0x00000000 p 0x10010000 p 0x00054000 p 0x0002c000 p 0x00000000 // Just peek to control command is set as expected a 0x1000ffec P;P;P;P;P # ----------------------------------------- # Call FlashWriteNAND program a 0x10000000 c # ----------------------------------------- # Setup file to be updated F /lib/firmware/tt-splash.bin C 0 # ----------------------------------------- # Download firmware to local file a 0x10010000 m 176 D # ----------------------------------------- # ------------------KERNEL----------------- # ----------------------------------------- # Setup read command for uImage.bin a 0x1000ffec p 0x00000000 p 0x10010000 p 0x00080000 p 0x00100000 p 0x00000000 // Just peek to control command is set as expected a 0x1000ffec P;P;P;P;P # ----------------------------------------- # Call FlashWriteNAND program a 0x10000000 c # ----------------------------------------- # Setup file to be updated F /lib/firmware/tt-uImage.bin C 0 # ----------------------------------------- # Download firmware to local file a 0x10010000 m 1024 D # ----------------------------------------- # ------------------ROOTFS----------------- # ----------------------------------------- # Setup read command for rootfs.raw a 0x1000ffec p 0x00000000 p 0x10010000 p 0x00180000 p 0x00590000 p 0x00000000 // Just peek to control command is set as expected a 0x1000ffec P;P;P;P;P # ----------------------------------------- # Call FlashWriteNAND program a 0x10000000 c # ----------------------------------------- # Setup file to be updated F /lib/firmware/tt-rootfs.raw C 0 # ----------------------------------------- # Download firmware to local file a 0x10010000 m 5696 D # ----------------------------------------- # ------------------E28-FS----------------- # ----------------------------------------- # Setup read command for e28fs.raw a 0x1000ffec p 0x00000000 p 0x10010000 p 0x00710000 p 0x01200000 p 0x00000000 // Just peek to control command is set as expected a 0x1000ffec P;P;P;P;P # ----------------------------------------- # Call FlashWriteNAND program a 0x10000000 c # ----------------------------------------- # Setup file to be updated F /lib/firmware/tt-e28fs.raw C 0 # ----------------------------------------- # Download firmware to local file a 0x10010000 m 18432 D # ----------------------------------------- # ------------------RSC-FS----------------- # ----------------------------------------- # Setup read command for resource.raw a 0x1000ffec p 0x00000000 p 0x10010000 p 0x01910000 p 0x00500000 p 0x00000000 // Just peek to control command is set as expected a 0x1000ffec P;P;P;P;P # ----------------------------------------- # Call FlashWriteNAND program a 0x10000000 c # ----------------------------------------- # Setup file to be updated F /lib/firmware/tt-resource.raw C 0 # ----------------------------------------- # Download firmware to local file a 0x10010000 m 5120 D # ----------------------------------------- # ------------------USERFS----------------- # ----------------------------------------- # Setup read command for user_jffs2.raw a 0x1000ffec p 0x00000000 p 0x10010000 p 0x01e10000 p 0x00dc0000 p 0x00000000 // Just peek to control command is set as expected a 0x1000ffec P;P;P;P;P # ----------------------------------------- # Call FlashWriteNAND program a 0x10000000 c # ----------------------------------------- # Setup file to be updated F /lib/firmware/tt-user_jffs2.raw C 0 # ----------------------------------------- # Download firmware to local file a 0x10010000 m 14080 D # ----------------------------------------- # -----------------RESERVE----------------- # ----------------------------------------- # Setup read command for reserve.raw a 0x1000ffec p 0x00000000 p 0x10010000 p 0x02bd0000 p 0x01200000 p 0x00000000 // Just peek to control command is set as expected a 0x1000ffec P;P;P;P;P # ----------------------------------------- # Call FlashWriteNAND program a 0x10000000 c # ----------------------------------------- # Setup file to be updated F /lib/firmware/tt-reserve.raw C 0 # ----------------------------------------- # Download firmware to local file a 0x10010000 m 18432 D # ----------------------------------------- # ------------------PART1------------------ # ----------------------------------------- # Setup read command for part1.raw a 0x1000ffec p 0x00000000 p 0x10010000 p 0x03dd0000 p 0x00008000 p 0x00000000 // Just peek to control command is set as expected a 0x1000ffec P;P;P;P;P # ----------------------------------------- # Call FlashWriteNAND program a 0x10000000 c # ----------------------------------------- # Setup file to be updated F /lib/firmware/tt-part1.raw C 0 # ----------------------------------------- # Download firmware to local file a 0x10010000 m 32 D # ----------------------------------------- # ------------------PART2------------------ # ----------------------------------------- # Setup read command for part2.raw a 0x1000ffec p 0x00000000 p 0x10010000 p 0x03dd8000 p 0x00008000 p 0x00000000 // Just peek to control command is set as expected a 0x1000ffec P;P;P;P;P # ----------------------------------------- # Call FlashWriteNAND program a 0x10000000 c # ----------------------------------------- # Setup file to be updated F /lib/firmware/tt-part2.raw C 0 # ----------------------------------------- # Download firmware to local file a 0x10010000 m 32 D # ----------------------------------------- # ------------------GSMFS------------------ # ----------------------------------------- # Setup read command for gsmfs.raw a 0x1000ffec p 0x00000000 p 0x10010000 p 0x03de0000 p 0x00020000 p 0x00000000 // Just peek to control command is set as expected a 0x1000ffec P;P;P;P;P # ----------------------------------------- # Call FlashWriteNAND program a 0x10000000 c # ----------------------------------------- # Setup file to be updated F /lib/firmware/tt-gsmfs.raw C 0 # ----------------------------------------- # Download firmware to local file a 0x10010000 m 128 D # ----------------------------------------- # -----------------GSMCODE----------------- # ----------------------------------------- # Setup read command for gsm_code.raw a 0x1000ffec p 0x00000000 p 0x10010000 p 0x03e00000 p 0x00200000 p 0x00000000 // Just peek to control command is set as expected a 0x1000ffec P;P;P;P;P # ----------------------------------------- # Call FlashWriteNAND program a 0x10000000 c # ----------------------------------------- # Setup file to be updated F /lib/firmware/tt-gsm_code.raw C 0 # ----------------------------------------- # Download firmware to local file a 0x10010000 m 2048 D # ----------------------------------------- end /////////////////////////////////////////////////////////////////// READNAND END /////////////////////////////////////////////////////////////////// KERNEL # Booting TT with modified hosted u-boot a 0x20010000 f x-load.bin // Call a sub from x-load.bin: TT BoardInit (should only work with TT) a 0x20010da4 c // Load updated u-boot.bin a 0x10280000 f u-boot-updated.bin a 0x11800000 f uImage.bin // Send u-boot start address and boot there, u-boot "bootcmd" must has // fixed to not download kernel from NAND but always boot the kernel // loaded at 0x11800000 address in RAM a 0x10280000 b end /////////////////////////////////////////////////////////////////// KERNEL END /////////////////////////////////////////////////////////////////// U-BOOT // Send an address a 0x20010000 // Load a file in phone memory at the previous given address f x-load.bin // Call a sub from x-load.bin: TT BoardInit (should only work with TT) a 0x20010da4 c // Load another program to a new address, check README to generate u-boot.bin a 0x11080000 f u-boot.usb a 0x10000000 M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M // 1ko M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M // 2ko M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M // 3ko M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M // 4ko M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M // 5ko M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M // 6ko M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M // 7ko M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M // 8ko a 0x1103F800 M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M // 1ko M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M // 2ko // dump depuis _bss_start //a 0x11098160 a 0x1029f300 M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M // 1ko M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M // 2ko M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M // 3ko M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M // 4ko M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M // 5ko M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M // 6ko M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M // 7ko M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M // 8ko // dump zone malloc a 0x11060800 M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M // 1ko M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M // 2ko M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M // 3ko M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M // 4ko M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M // 5ko M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M // 6ko M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M // 7ko M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M // 8ko // Send u-boot start address and boot there a 0x11080000 b end /////////////////////////////////////////////////////////////////// U-BOOT END /////////////////////////////////////////////////////////////////// U-BOOT # Booting TT with hosted u-boot a 0x20010000 f x-load.bin // Call a sub from x-load.bin: TT BoardInit (should only work with TT) a 0x20010da4 c // Load u-boot.bin a 0x10280000 f u-boot.bin // Send u-boot start address and boot there a 0x10280000 b end /////////////////////////////////////////////////////////////////// U-BOOT END /////////////////////////////////////////////////////////////////// X-LOAD # Booting TT with hosted x-load // Load x-load in the phone a 0x20010000 // Check README to generate x-load.bin f x-load.bin // Boot with x-load a 0x20010c00 b end /////////////////////////////////////////////////////////////////// X-LOAD END /////////////////////////////////////////////////////////////////// DUMP MEM // Send an address a 0x20000000 // Dump from that address M;M;M;M;M;M;M;M;M;M;M;M;M;M;M;M end /////////////////////////////////////////////////////////////////// DUMP MEM END