how to get rid of all the strange echoing
set 0 0
how to enter bootloader mode
hold powerbutton + navigator button, and reset.
how to cold boot
hold powerbutton, and reset
how to talk to gsm from bootloader
type 'rtask 7'
how to talk to the gsm via the VSP ( the multiplex protocol )
type 'rtask 8'
now you have to type 'ctrl-v' AT 'ctrl-m' 'ctrl-b' to send 'AT\r' to the gsm.
how to save the rom from the bootloader
type 'd2s'
enable all kinds of interesting debug logs:
in regpath "HKLM\SOFTWARE\HTC\ATDbgLog", set key Enable=1
this causes AT commands to be logged to \Storage\AtDbg*.log
in regpath "HKLM\SOFTWARE\HTC\XPanel", set Enable=1

research projects

Todo: write a program that, using the msystems trueffs sdk, extracts data from the disk-on-a-chip. ( there is about 1.5 Mbyte unaccounted for, so it would be interesting to find out what is in it. )


See xda-developers/xda2 for a more in-depth review.

xda-ii gsm memory map

00000000 2 identical 4M rom images
00800000 16 identical 512k ram images
01000000 16 identical 512k ram images
01800000 filled with bit23-16 of addr, 0x01
02000000 filled with bit23-16 of addr
03000000 filled with 0xff
03800000 512 identical 8k images
03c00000 16k identical 256 byte images
fff00000 ram

xda-ii wince memory map

00000000 80000000 02000000 32M ROM
70000000          02000000 32M disk-on-a-chip ROM
    00008000 00008000 serial number info
    00018000 00050000 bootsplash image
        this is stored as follows: 2 times 5 groups of 8 times repeated 4k blocks, or aaaaaaaabbbbbbbbccccccccddddddddeeeeeeeeaaaaaaaabbbbbbbbccccccccddddddddeeeeeeee
    00080000 01000000 FAT16 filesystem 0x8000 sectors
    01080000 00e9e800 FAT16 filesystem 0x74f4 sectors
a0000000 90000000 08000000 128M RAM
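
The "N identical images" entries and the bootsplash layout in the maps above can be checked offline against a saved dump. The following is an added example, not part of xda2dmp or the original page; the function names are made up for illustration and the sample data is constructed, using 16-byte blocks in place of the real 4k blocks.

```python
# Added example: summarise mirroring in a saved memory dump.
# Function names and sample data are constructed for illustration.

def mirror_period(region: bytes, block: int) -> int:
    """Smallest image size (a multiple of `block`) whose repetition
    reproduces `region` exactly; len(region) means no mirroring."""
    if block <= 0 or not region or len(region) % block:
        raise ValueError("region must be a non-empty multiple of block")
    nblocks = len(region) // block
    for n in range(1, nblocks):
        if nblocks % n:
            continue  # the image must tile the region exactly
        size = n * block
        image = region[:size]
        if all(region[o:o + size] == image
               for o in range(size, len(region), size)):
            return size
    return len(region)


def block_runs(region: bytes, block: int):
    """Run-length view: (offset, repeat_count) for each run of
    consecutive identical blocks."""
    runs = []
    for off in range(0, len(region), block):
        cur = region[off:off + block]
        if runs and region[runs[-1][0]:runs[-1][0] + block] == cur:
            runs[-1][1] += 1
        else:
            runs.append([off, 1])
    return [tuple(r) for r in runs]


# Constructed sample data, scaled down from the sizes in the maps.
B = 16
# bootsplash-style layout: 2 times 5 groups of 8 times repeated blocks
splash = b"".join(bytes([c]) * B * 8 for c in b"abcde") * 2
# gsm-style aliasing: 16 identical images of one small "ram"
ram = bytes(range(64)) * 16

if __name__ == "__main__":
    print("ram image size:", mirror_period(ram, B))
    print("splash image size:", mirror_period(splash, B))
    for off, count in block_runs(splash, B):
        print(f"  {off:08x} block repeated {count} times")
```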

xda2dmp tool

to research the memory space I use commands like this:
  xda2dmp.exe -r -s 0x10000 0x00000000 0x04000000
which steps through memory in large steps, dumping 16 bytes of each block. you can find the source to xda2dmp here, and the crc code here.

to use this tool, you must first boot your xda2 in bootloader mode. it may occasionally crash your device, and after dumping the gsm rom ( '-r' ) you can no longer dump wince memory, without doing a reboot.

WARNING: you will lose all the data on your device when you do this!!

0.99b now also checks crc's of downloaded blocks
0.99c attempt to fix buffer handling
current adds possibility to write to memory. be very careful when using this.

here is a compiled version.

older versions:
0.99a here is an old compiled version. here is an old source version.
0.99b here is an old compiled version. here is an old source version.
0.99c here is an old compiled version. here is an old source version.