No idea how this works here, really, I haven't figured it out yet.
## June 08
We pick up from where we left off, have a closeup look at the real board, hook up the second UART, and dive into the vendor firmware setup, follow the flow and see what information we can retrieve. We interact with U-Boot to figure out that we could dump the mask ROM, and eventually clone the repositories for the second loader and DDR init.
## June 15
We continue with a closer look at the stock firmware, and build and run our own modified copies of both the recovery and the secondary bootloader, ending up with a "booploader", hilariously. 🥳 We dump the mask ROM over TFTP, have a quick glance and since it is very small and merely for transferring and running code over the debug UART, we decide to continue with the source code. From the manual and the code, we discover that there are different kinds of UART, and while the secondary loader uses the high-speed UART0, the debug UART is actually UART3.
## June 29
We start right away with the code that already exists in oreboot for the BeagleV. In a first step, we print a few characters to the UART from initial assembly in a loop. We then continue with a jump to the actual Rust 🦀 code and see that we can also print to the UART from there. In doing so, we touch the oreboot driver model, and after successful writes to the UART, we print out data from memory, figuring out that we only get `ffffffff` from where the SPI flash should be mapped during regular boot. Concluding backwards, when running via mask ROM from SRAM, the SPI flash occurs to not be mapped. After another look at the datasheet to see what else we can understand from the current code in oreboot, we decide to postpone that effort and print out the first bytes of our own code from SRAM, which then matches exactly our binary, as we expected. 🥳
Video archive / playlist:
Cheers! :-)