At first, U-boot may seem like just a way to load a root file system on your Zipit Z2 but it is capable of so much more. If you type “help” at your U-boot prompt, you will get a HUGE list of commands. Some are self-explanatory but others are coupled with vague descriptions. To delve deeper into some of these commands, I did a bit of poking around online. Before you proceed, please realize that attempting to fuzz memory locations like this could potentially result in a brick or hardware damage. That being said, here is a short list of commands I’ve put together that I’ve found useful for exploring the Zipit at the bit level:
MD (Memory Display) – You can use this command with a couple of suffixes. For example md.b, md.w & md.l all change the way that the output is displayed. Experiment with those and see which one works best for your purpose.
By default, md will show you several lines of memory starting at the address you type in. To see the exact contents of 4 bytes of memory, you would type in something like:
md 0x40E00000 1
The “1” is an offset value that tells the command to display one 4-byte block. You can change that to see however many locations you would like. After you use a value here, it will persist until you use a different value. In other words, next time you type “md 0x40E00000” without the “1”, it will show you 4 bytes until you run the command again with a different offset.
MTEST (Memory Test) – Memory test will perform test passes on a specified range of memory using a specified pattern. For instance, if you want to see some interesting bits get flipped, type in:
mtest 40E0000C 40E0000D FFFFFFFF
This will fuzz the range of memory from 40E0000C-40E0000D with the specified test pattern. I believe the LCD or power saving features may live in this range because this command makes the screen flicker. I’m not entirely sure how the pattern value (“FFFFFFFF”) works but a bit of experimentation and you should be able to figure it out.
NM (Memory Modify) – This command allows you to selectively flip bits of any byte in memory. For instance, if you run:
nm 40E0000C
You will see something similar to:
40E0000C: 0000032a ?
That is a prompt that is showing you the existing contents of the 4 bytes. If you type in “FFFFFFFF”, that will set ALL of the 32 bits (4 bytes) to the “on” position. In this case, it makes the screen dimmer. The line will increment and ask you again what you would like to change to. This time, if you type “00000000”, it will turn ALL 32 bits off and the screen will go to full brightness. If it’s not already obvious, not ALL of those bits and bytes control the screen brightness. You can start to narrow it down by flipping the nibbles (half-bytes). Starting with “F0000000”, “0F000000”, “00F00000” and so on will narrow down which byte the brightness lives in.
It appears to be in the “00000F00” nibble. So now it’s time to start flipping the bits. The individual bits are at 1, 2, 4 & 8. So something like “00000100”, “00000200”, “00000400” etc. will track down the specific bit. Turns out that it’s the most significant bit of that specific nibble. So in binary, it looks like “1000”. That translates to 8 in hex. To sum it up, changing between “00000800” and “00000000” will toggle the LCD backlight between bright and dim.
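The nibble-then-bit narrowing described above, as an added Python example (not from the post and not U-Boot code): the register model and the dim/bright observation are constructed stand-ins, with the backlight bit placed at 0x800 where the post found it, and the search works for any single control bit, not just that one.

```python
# Added example: simulate the narrowing procedure the post walks through by hand
# with nm. The register and the "did the screen change?" check are constructed
# stand-ins; nothing here talks to real hardware.

BACKLIGHT_BIT = 0x00000800  # constructed: the bit the post found at 40E0000C


def write_and_observe(value, control_mask=BACKLIGHT_BIT):
    """Stand-in for typing `value` at the nm prompt and looking at the screen.
    Returns True if the write changes the observable (backlight goes dim)."""
    return bool(value & control_mask)


def find_control_bit(observe):
    """Narrow a 32-bit register down to the one bit that drives an observable.
    Step 1 tries each nibble, most significant first (F0000000, 0F000000, ...).
    Step 2 walks the four bits of the winning nibble (1, 2, 4, 8).
    Returns (nibble_mask, bit_mask, bit_index) or None if nothing reacts."""
    for shift in range(28, -1, -4):
        nibble_mask = 0xF << shift
        if observe(nibble_mask):
            for bit in (1, 2, 4, 8):
                bit_mask = bit << shift
                if observe(bit_mask):
                    return nibble_mask, bit_mask, bit_mask.bit_length() - 1
            return None  # nibble reacted but no single bit did (multi-bit field)
    return None


def as_uboot_hex(value):
    """Format a 32-bit value the way it is typed at the nm prompt."""
    return f"{value:08X}"


def nm_sequence(observe):
    """The exact strings you would type at the nm prompt to reach the answer."""
    result = find_control_bit(observe)
    if result is None:
        return []
    nibble_mask, bit_mask, _ = result
    return [as_uboot_hex(nibble_mask), as_uboot_hex(bit_mask), "00000000"]


if __name__ == "__main__":
    nibble, bit, index = find_control_bit(write_and_observe)
    print(f"nibble {as_uboot_hex(nibble)} -> bit {as_uboot_hex(bit)} (bit {index})")
    print("type at nm prompt:", " / ".join(nm_sequence(write_and_observe)))
```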
If any of this is confusing, you should read my post on binary to hex number conversion. Many people seem to think that computers somehow don’t operate on binary logic anymore but an exercise such as this proves quite the opposite to be true.
On the Zipit Z2, you probably don’t NEED to probe around like this since you can download a manual for the CPU and find most of the memory locations in there but if you just want to experiment or if you have another similar undocumented device that you want to reverse engineer, then this is a good way to go.