Difference between revisions of "TL866 II PLUS/Bootloader"
| Line 1: | Line 1: | ||
| − | == Reset == | + | The [[TL866 II PLUS]] has a bootloader installed at the start of the internal flash which is used to update the firmware. The hardware reset vector (the instruction at <tt>0000h</tt>) points to the bootloader. On each boot the bootloader inspects various state (TBD) and determines whether it should execute itself to allow firmware updates or jump into the main firmware. |
| + | |||
| + | The process of reverse engineering the bootloader is still ongoing. | ||
| + | |||
| + | == Commands == | ||
| + | |||
| + | === Reset === | ||
Command <tt>3F</tt> seems to be used to reset the device. When used from the stock firmware the device resets into the bootloader, and when used from the bootloader the device resets to the stock firmware. | Command <tt>3F</tt> seems to be used to reset the device. When used from the stock firmware the device resets into the bootloader, and when used from the bootloader the device resets to the stock firmware. | ||
Revision as of 18:11, 26 August 2018
The TL866 II PLUS has a bootloader installed at the start of the internal flash which is used to update the firmware. The hardware reset vector (the instruction at 0000h) points to the bootloader. On each boot the bootloader inspects various state (TBD) and determines whether it should execute itself to allow firmware updates or jump into the main firmware.
The process of reverse engineering the bootloader is still ongoing.
Commands
Reset
Command 3F seems to be used to reset the device. When used from the stock firmware the device resets into the bootloader, and when used from the bootloader the device resets to the stock firmware.
| Offset | Field | Size | Value | Description |
|---|---|---|---|---|
| 0 | command | 1 | 3F | the command identifier |
| 1 | reserved | 7 | 0 | reserved, set to zero |
When resetting from the stock firmware, another command is transmitted first. This may be some kind of key required to permit reset? Unknown until the firmware is dumped and analyzed.
| Offset | Field | Size | Value | Description |
|---|---|---|---|---|
| 0 | command | 1 | 3D | the command identifier |
| 1 | reserved | 3 | 0 | reserved, set to zero |
| 4 | key? | 4 | 86 B9 78 A5 | unknown, maybe just a fixed key? Set statically in the official client. |
