This is a description of all bootloader commands found in the xda-2 bootloader. you can enter bootloader mode by resetting the device while holding down the powerbutton plus the navigator button.
in recent bootloader versions most help has been removed. the password for the 'password' command is 'BOOTLOADER'. but I have not really found anything that needs it.
Usage:
r [[register] [[=] [hex_value]]]
Display(r0-r15)/Set registers(r9-r11 only) value(s).
When no register is given, all the registers' content are displayed.
When only a register name is given, the content of that register is
displayed.
If the optional value is also given, the register's content is set to
the new value.
'=' sign is always ignored.
Usage:
m{bhw} [StartAddr [Count [Filler]]]
Display/Set memory content.
StartAddr can be either a hex_address or a register name
When StartAddr is not given, memory display continues from the
previous address.
When Count is not given, previous Count is used for memory display
Count is initially set to 20 (hex).
If Filler is specified, the memory area is filled with Filler.
** Panic: Internal error (memory display help)
Memory will be displayed/counted as words
Usage:
l [path_name [startAddr offset ["cp"]]]
Download BIN file across from serial/USB port.
Startaddr offset(MSB bit is a sign bit): Start address offset of every packet in bin file.
When 'cp' is given, it will just compare data of file with ROM image.
When path_name is not given, the file to be downloaded is determined
by ppfs on the host.
Otherwise, path_name on the host is downloaded regardless the ppfs setting.
The file must be in the format of BIN (preprocessed SRE).
The code is auto-launched once downloaded.
Auto-launched is disabled after downloading.
Usage: h [command] [full] Helps on command. When no command is given, output a list of normal commands. If "full" option used, display all commands(need password enable). But if one command is given, It will show the command usage method.
Usage:
s StartAddr Count Pattern...
Search Memory for pattern.
StartAddr can be either a hex_address or a register name
The starting address MUST be in valid unmapped space.
The monitor does not validate this address.
Count and StartAddr defines a search region
Patterns can be hex numbers or double quoted strings
A hex number with less than three digits is considered a byte
A hex number with less than fice digits but greater than two digits
is consider a half-word
Otherwise a hex number must contain less than 9 digits and is considered
a word
Up to 8 Patterns can be given in the command line
They are concatenated as a single search pattern.
Usage: ew Addr Addr:hex memory address
Usage: ppdl [startAddr offset["cp"]] Startaddr offset(MSB bit is a sign bit):: Start address offset of every packet in bin file. If [cp] is not given: Download the BIN file that assigned by PPSH command line. If [cp] is given: for comparing image difference between download file and data of flash ROM. If parameter is given but not 'cp': Show message when downloading. This download is via parallel port
Usage: map Display virtual address mapping table
Usage: cp reg# OPC_2 CRm [value] Access coprocessor(cp15 only) registers
Usage: lnb nb-file [StartAddr [Length [SkipOffset ["cp"]]]] Download nb file to ROM. StartAddr : Start address for downloading(default=80000000). Length : Length for downloading(default=FFFFFFFF). SkipOffset : SkipOffset for downloading(default=00040000). cp : Compare image with file data only.
Usage: d2s [StartAddr [Len [Type [Append[SkipStartAddr SkipLen]]]]] Backup memory to storage. StartAddr : Start address for backup(0xA0040000). Len : Length of memory will be backup. And if not given value, it will be Total ROM size on board - ((StartAddress & 0x0FFFFFFF) - (ROM base address(0) & 0x0FFFFFFF)). Type : Which storage(cf/sd) type will be selected(cf). Append : Backup methods(a/). SkipStartAddr : Start address of skip area(0x0). SkipLen : Skip length(0x0). Skip area must be less than or equal to one block size of flash. Skip area must not over two blocks, must inside one block. Nand flash: Skip area size need be page boundary. Nor flash: Skip area size need be DWORD boundary.
Usage: s2d Restore memory from storage.
Usage: stress count(Hex) for stress test write six kind of patterns to flash each count count indicates how many loop times do you want to run count inputed is considered as heximal, not decimal.
Usage: shmsg [Row [Col ["String"]]] Show texts on display. Row(hex) : 0 - 17(11). Col(hex) : 0 - 12(C). Text String : The string which will be show on display.
Usage: set [Type [Value]] Set control flags. Type(hex) : Control function types. Value(hex) : Setting values for types. If value is not given, default is 0. Type 0(Echo on/off): 1(on) and 0(off). Type 1(Operation mode): 1(auto) and 0(user). Type 2(Back color on/off): 1(on) and 0(off). Type 3(Inverse on/off): 1(on) and 0(off). Type 4(Front color value): 16 bits data Type 5(Background color value): 16 bits data Type 6(Set color of screen): Fill color to whole screen one time. Type 8(COMM queue flag): 0(TX_RX disable),1(RX enable),2(TX enable) and 3(TX_RX enable). Current flag settings:
Usage: task [Type [Value [Value1]]] Type,Value and Value1 are both DWORD(hex). Value and Value1 are ignore in some case. Type(hex) 0: Do hardware clear boot. Type(hex) 7: Do flash ROM lock/unlock and [value]: 1(lock) and 0(unlock).
Usage: rbmc [FileName [StartAddr [Len]]] Read back the memory content from the specified address to the host and save the data to specified file name. FileName : Full file path for save data of memory(default=c:\temp\Mem.nb). StartAddr : Start address of memory(default(hex)=A0000000). Len : How many bytes will be read. And if not given value, it will be Total ROM size on board - ((StartAddress & 0x0FFFFFFF) - (ROM base address(0) & 0x0FFFFFFF)).
Usage: erase [StartAddr [Len]] Erase the contain of flash ROM. StartAddr : Start address of ROM(default(hex)=a0040000). Len : How many bytes will be erased(default(hex)=40000).
Usage: checksum [StartAddr [Len]] Return CRC checksum of memory. StartAddr : Start address of ROM(default(hex)=A0000000). Len : How many bytes will be calculated. default(hex) = ROM total size - ((dwStartAddress & 0x0FFFFFFF) - (ROM_BASE & 0x0FFFFFFF)) In user mode: Show 4 bytes of CRC checksum value on display of terminal. In auto mode: Send 4 bytes of CRC checksum value to terminal with data format.
Usage:
wdata [StartAddr [Len]]
Write data to memory(if write to ROM, need erase first).
StartAddr : Start address of memory(default(hex)=B00B0000).
Len : How many bytes will be written(default(hex)=40).
Length must not more than 0x20000 bytes(buffer limitation).
Write to RAM: 4 bytes(CRC checksum limitation).
1 byte(in user mode).
Write to ROM: 4 bytes(CRC checksum limitation).
2(16-bit)/4(32-bit) bytes(in user mode).
Write to ROM(16-bit data bus): 32 bytes(writebuffer mode).
Write to ROM(32-bit data bus): 64 bytes(writebuffer mode).
Length must be 4 bytes boundary(CRC checksum) if not in user mode.
After command execute, then send out the data to terminal.
Data format: HTCS(4 bytes)+DATA+checksum(4 bytes, if not in user mode)+HTCE(4 bytes).
Usage: info [Type [Value]] Type(hex) 0: Get platform name(16 bytes) and [value](hex) is ignore. Type(hex) 1: Get bootloader version(16 bytes) and [value](hex) is ignore.
Usage: password [string] Enter the password string to enable full help and command functions.
Usage:
prouter [PortID1[Baud1[PortID2[Baud2]]]]
Port Router: Construct data path between two ports.
PortID1: PortID1 number(default=6).
Baud1: Baud rate1 select(default=5).
PortID2: PortID2 number(default=0).
Baud2: Baud rate2 select(default=5).
Port ID: 0(ACTIVE_PORT),1(PPSH_CABLE),2(PPSH_SERIAL2),3(PPSH_PAR1),4(USB_CABLE),
5(ON_BOARD_FFUART),6(ON_BOARD_BTUART),7(ON_BOARD_STUART) and 9(DPRAM_MEMORY).
Baud Rate: 1(9600),2(19200),3(38400),4(57600),5(115200),6(230400),7(460800) and 8(921600).
Usage: rroute [UART Path1[Baud Rate1[UART Path2[Baud Rate2]]]] UART Router: Construct data path between Radio and Terminal. UART Path1: UART path1 number(default=1). UART Path2: UART path2 number(default=2). Baud Rate1: Baud rate1 select(default=5). Baud Rate2: Baud rate2 select(default=5). UART Path: 1(FFUART) and 2(STUART). Baud Rate: 1(9600),2(19200),3(38400),4(57600) and 5(115200).
Usage: rtask [Type [Value]] Type(hex) 0: Reset radio and [value](hex) is ignore. Type(hex) 1: Turn on radio, lease use type 3 and 4 instead. Type(hex) 2: Turn off radio and [value](hex) is ignore. Type(hex) 3: Run radio image and [value](hex) is ignore. Type(hex) 4: Run radio bootloader and [value](hex) is ignore. Type(hex) 5: GSM code Burn In (19200). Type(hex) 6: GSM code Burn In (115200). Type(hex) 7: Radio AT Command Debug. Type(hex) 8: GSM trace route.
d2s 60000000 00300000
SD:Waiting for card insert......... CMD3 for SD, it's OK, ready to get RCA from response. SD:Detected one card SD:ready for transfer OK Total card size=1D30000ze=0 **************** Store image to SD/MMC card successful.and now append the extended rom to the sd card:
d2s 70080000 01000000 sd a
SD:Waiting for card insert......... CMD3 for SD, it's OK, ready to get RCA from response. SD:Detected one card SD:ready for transfer OK Total card size=1D30000ze=0 DOCInfoTableinitHW+ Binary0:dwSize=80000 BINFS0:dwSize=0 FAT0:dwSize=1000000 FAT1:dwSize=EA0000 All:dwSize=1F20000 **************************************************************** Store image to SD/MMC card successful.then when you insert the sdcard, and then boot into bootloader mode, the following happens: on the display, you see a message 'sections=2', and 'press power to flash'. after pressing the power button, you see the following output on the serial port:
Flash ROM mapping total size = 2000000 Flash ID = 89,8802 Trumbull INTEL StrataFlash 128 Mbit MEMORY (K3/k18) found dwROMTotalSize = 2000000 wTotalChip = 2 HTC Integrated Re-Flash Utility for bootloader Version:1.29 HIMALAYAS PVT version:1.02 MainBoardID = 4 Built at: Sep 24 2003 18:17:06 Copyright (c) 1998-2002 High Tech Computer Corporation Turbo Mode Frequency = 398 MHz Run Mode Frequency = 199 MHz Memory Frequency = 100 MHz SDRAM Frequency = 100 MHz Main=0x90035EE4 LCD Power ON! ATI Chip Id=0x56441002 DOCInfoTableinitHW+ Binary0:dwSize=80000 BINFS0:dwSize=0 FAT0:dwSize=1000000 FAT1:dwSize=EA0000 All:dwSize=1F20000 SD:Waiting for card insert......... CMD3 for SD, it's OK, ready to get RCA from response. SD:Detected one card SD:ready for transfer OK Total card size=1D30000ze=0 Radio flash Updating... ************ SD/MMC download to ROM is successful! DOCInfoTableinitHW+ Binary0:dwSize=80000 BINFS0:dwSize=0 FAT0:dwSize=1000000 FAT1:dwSize=EA0000 All:dwSize=1F20000 DOC flash Updating... **************************************************************** SD/MMC download to ROM is successful!now both the radio and extended rom are upgraded!
| 00000-00010 | "HIMALAYAS " |
| 00010-00020 | "0000000000000000" |
| 00020-00180 | ??? random data ??? |
| 00180-0019c | first section header |
| 0019c ... | followed by data |
| ... | 2nd section header |
| ... | followed by data |
| ... | ... |
| end | "HTCE" |
| 00-04 | "HTCS" |
| 04-0c | start in hex |
| 0c-14 | length in hex |
| 14-1c | ??? checksum ??? |