PP Boot
This is a proprietary bootloader with no published source code.
All trails point to Conexant as owner.
There are known evolutions of this PP boot, v1.5, v5.09... but little documentation in general.
PP Boot v1.5
PP Boot v1.5 seems to be unique to the Conexant Solos CX946xx board as used in the Linksys WAG54G2, Xavi 7968, DG834, Billion 7402XL and some others.
However, the behaviour and appearance of pp-boot seem to change depending on the vendor. For instance, Xavi pp-boot seems to have Ethernet uploading disabled, which prevents firmware replacement.
In contrast, the WAG54G2, DG834 and Billion 7402XL routers have a recovery tool that allows the working firmware to be replaced via pp-boot.
Preliminary investigation shows that the default config of PP Boot simply tries to boot the kernel at rom offset 0x20000.
Commands
The boot can be interrupted and a console entered by pressing space on the serial console (usually 38400 baud) early in the boot sequence.
Typing help or ? prints the following text:
Commands to the console are:
configeeprom                        display EEPROM configuration information
configflash                         display FLASH configuration information
mac <address>                       set MAC address
networkboot {yes | auto}            boot auto-select Ethernet, USB or PCI
networkboot ethernet                boot from Ethernet only
networkboot usb                     boot from USB only
networkboot pci                     boot from PCI only
networkboot no                      boot from FLASH
networkboot ask                     always prompt user for boot source
copyimages {yes | no}               copy network booted image files
flashfs {auto | emergency}          use automatic FLASHFS selection or
                                    force boot from emergency FLASHFS
flashnetboot {yes | no}             flash boots auto network boots
autolanrecover {yes | no}           attempt LAN recovery if flash corrupt
initialise                          initialise configuration information
listenv                             list environment variables
setenv <key> <value>                set environment variable
unsetenv <key>                      unset environment variable
pda read                            read PDA information
configpci                           display EEPROM PCI configuration
configpci set <idx> <addr> <data>   set PCI pair
dw <address> [<length>]             dump words (hex/ascii)
enter <address>                     enter an image
erw <wrdaddress>                    read a single word from EEPROM
eww <wrdaddress> <value>            write a single word to EEPROM
fdw <address> [<length>]            dump flash words (hex/ascii)
flash config                        print flash configuration
help                                print this text
netboot [recover]                   perform immediate network boot [in recovery mode]
quit                                leave the console
reset                               reset system
rw <address>                        read a single word
why                                 reason for console entry
ww <address> <value>                write a single word
xmodem [fast]                       download mkflash image using X-Modem
Structure
The following comment, taken from the Edimax sources, belongs to the code that checks the integrity of a working pp-boot 1.5 binary, and it reveals the structure of that binary:
// This reads the flash boot program from flash. This program needs
// to comprehend the format that mkflash has built the flash in.
// This is
//
// Word 0: NP boot length in words (b)
// Word 1: First word of NP boot
// :
// Word b: Last word of NP boot
// Word b + 1: NP boot checksum
// Word b + 2: Number of unused words (u)
// :
// Word b + u + 3: PP boot length (p)
// Word b + u + 4: First word of PP boot
// :
// Word b + u + p + 3: Last word of PP boot
// Word b + u + p + 4: Number of unused words (v)
// :
// Word b + u + p + v + 4: Configuration Information
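The layout in the comment above can be walked over a flash dump to locate each region, rejecting any length field that points outside the image. This is an added example, not Edimax or Conexant code; 32-bit words, little-endian byte order and the names parse_mkflash, build_sample and LayoutError are assumptions, and the word indices are taken literally from the comment.

```python
import struct

WORD = 4  # assumption: 32-bit words; the comment only says "words"

class LayoutError(ValueError):
    """A length field points outside the image."""

def parse_mkflash(image: bytes, endian: str = "<") -> dict:
    """Locate the regions named in the layout comment (word indices)."""
    nwords = len(image) // WORD

    def word(i: int) -> int:
        # Every index is derived from untrusted length fields: check it first.
        if not 0 <= i < nwords:
            raise LayoutError(f"word {i} is outside the image ({nwords} words)")
        return struct.unpack_from(endian + "I", image, i * WORD)[0]

    b = word(0)                    # NP boot length in words
    np_checksum = word(b + 1)      # reading it also proves the NP boot fits
    u = word(b + 2)                # unused words after the NP boot
    p = word(b + u + 3)            # PP boot length in words
    v = word(b + u + p + 4)        # unused words after the PP boot
    config = b + u + p + v + 4     # index exactly as the comment gives it
    word(config)                   # bounds check only
    return {
        "np_boot": (1, b), "np_checksum": np_checksum,
        "pp_boot": (b + u + 4, b + u + p + 3),
        "unused": (u, v), "config_word": config,
    }

def build_sample(b=3, u=2, p=4, v=2, endian="<") -> bytes:
    """Constructed image for testing, not a real dump; values are placed
    at the indices the comment names, everything else is 0xFFFFFFFF."""
    cfg = b + u + p + v + 4
    words = [0xFFFFFFFF] * (cfg + 1)
    words[0] = b
    words[1:b + 1] = [0x11111111] * b            # fake NP boot body
    words[b + 1] = 0x00C0FFEE                    # fake checksum value
    words[b + 2] = u
    words[b + u + 3] = p
    words[b + u + 4:b + u + p + 4] = [0x22222222] * p   # fake PP boot body
    words[b + u + p + 4] = v
    words[cfg] = 0x00000CF6                      # fake first config word
    return struct.pack(f"{endian}{len(words)}I", *words)
```

The checksum algorithm is not described on this page, so the parser only returns the stored value and does not verify it.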
DISCLAIMER!
The following is a proposal that hasn't been tested yet. Based on an analysis of the Edimax sources, this is the boot sequence of a Conexant 94610:
- Reading of flash 0x38000000 word 0: Amount of words (b) that will be copied to cache 0x50000000
- Automatic copy from flash (0x38000000 + 1) → (0x38000000 + b) to cache
- Executing cache at 0x50000000
The NP boot is a piece of code compiled for the cache address 0x50000000 that performs the initial set-up, including SDRAM access. Because it must fit in the cache, its size is very small, below 4kb.
Once it has finished, the same code has to jump back to the flash at (0x38000000 + b + 1) and continue the boot sequence from there. That location would be the place for a replacement bootloader such as u-boot.