About the HTC Wallaby bootloader

this is a description of the inner workings of the xda-1 bootloader.

how it starts

after reset, the SA1110 start executing at address 0.
there it jumps to 0x1000, where some checks are made to see if bootloader mode is wanted.
if so, the bootloader is copied to 0xc0078000, MMU is initialized, execution continued at virtual address 0x8c078000+.... ( not exactly, but that is where it is about )
then the bootloader initializes various IO ports.
and starts listening for keyboard, sdcard, and serialport events.

note on running code from wallaby bootloader prompt

How to run manually entered code from the wallaby bootloader command prompt

say I want to run this code, ( opcode bytes manually taken from arm reference )

stmfd  SP!, {LR}          @ 00 40 2d e9
add    r1, pc, #0x18      @ 18 10 8f e2 | ldr r1, offset buf
ldr    r0, [pc, #0c]      @ 0c 00 9f e5 | ldr r0, =0x8C231EC0
ldrh   r2, [r0, #0e]      @ be 20 d0 e1
mov    lr, pc             @ 0f e0 a0 e1 
ldr    pc, [pc, #4]       @ 04 f0 9f e5 | bl =0x8C098FFC
ldmfd  SP!, {PC}          @ 00 80 bd e8

ptr: .word 0x8C231EC0     @ ptr to sdcardinfo struct
sub: .word 0x8C098FFC     @ ptr to function to get sdcard id
buf: .byte 64 dup(0)

testing if it works

to test if my code really does what I mean, I first tested it by calling printf to see if all parameters come out as expected.

so I replace the ptr and sub with these:

ptr: .word 0x8C07BD78  @ ptr to nice string with 2 '%x' in it
sub: .word 0x8C0845BC  @ ptr to uartprintf

leading to this end result:

ew 8c240000
e92d4000
e28f1018
e59f000c
e1d020be
e1a0e00f
e59ff004
e8bd8000
8C07BD78
8C0845BC
.
g 8c240000

and yes, it prints 'Image start: 8C240024h length: 00005825h. ' as expected.

so now try reading the sdcard id:

ew 8c240000
e92d4000
e28f1018
e59f000c
e1d020be
e1a0e00f
e59ff004
e8bd8000
8C231EC0
8C098FFC
.
g 8c240000
mb 8c240000

giving this result:

01 50 41 53 31 32 38 42 11 2C 85 03 C1 00 2C 00
 .  P  A  S  1  2  8  B

note: I am running bootloader version 5.15 from t-mobile offsets are different for other bootloader versions.

sd cards

If a SD-Card contains a specific signature while your xda resets, it is recognized by the bootloader, and one of several things can happen:

signature	action
HTC$WALLABY00	upgrade bootloader
HTC$WALLABY11	upgrade CE image
HTC$WALLABY22	upgrade Boot + CE image
HTC$WALLABY33	run diagnostic code from sd card
HTC$WALLABY44	upgrade gsm rom
HTC$WALLABY55	upgrade CE + gsm rom
HTC FLASH KEY	card has signature - 5.17, see sector 5 for real card contents

bootloader 5.17 or 6.22 sd cards

block0: starts with string "HTC FLASH KEY\0"
block1: starts with 16 byte bug_md5sum of hex representation of first 16 bytes of cardid
block2: start with 4 byte value
block3: starts with bug_md5sum of hex representation of first 4 bytes of block2
block4: contains 'N'
block5: contains HTC$WALLABY... signature

bug_md5sum = the md5sum calculated with a implementation with typo: the first 0x80 of the padding is written as 80 ( 0x50 hex ) Use the wallaby patch loader to circumvent this protection, and be able to load any type of sdcard.
But an easier way out of bootloader 6.22 or 5.17, is to use pnewbootloader, to just flash a different bootloader.

big warning: be sure to use a real bootloader image when updating your bootloader,
!!!!! the CLoader_usb.nb and CLoader_serial.nb files are NOT bootloaders. !!!!!

dianostic sd cards

if you insert a sd card containing the signature 'HTC$WALLABY33', the first 256 k of the card will be loaded in memory, at address 8c240000, and executed.

example diagnostic image: wbt-1.5.tar.gz - can patch 5.17 and 6.22 bootloaders, such that the 'HTC FLASH KEY' feature is disabled.

gsm commands

these are the gsm-at commands sent by the various gsm menu options

900	"AT%CHG900"
1900	"AT%CHG1900"
900/1800	"AT%CHGDUAL"
rfcal	"AT%RFCAL"
normal	"AT%NORMAL"