Quote:
Originally Posted by katadelos
You're not the first to notice this - the board submitted for FCC certification appears to have a serial port but every PW5 that I've seen in the wild lacks it. It's possible that the serial port is still accessible using the 2 tiny test points next to the digitiser connector on the bottom right or via one of the test points that are likely to be on the back of the board.
|
What pads do you think this is? I really don't think it's the two I was probing as that had 32.768 khz on it when the device was active. It's also a small connector. Can you circle it on the picture?
There has to be some way to program a blank device at the factory after the parts are installed. Typically this is done via a JTAG/serial interface. The old hc11 uP's would take a couple lines low, and go into a special mode to load a 1k program via async serial. This would then allow you to flash the chips and such.
Looking at the pictures of the under side of the board it really looks like a eMMC connector footprint. I'm betting that's how they program the flash on the production line. Assuming it's not encrypted this might be access.
Quote:
Originally Posted by katadelos
However, you're unlikely to be able to unlock your PW5 even if you find it, the last few generations of devices have been pretty comprehensively locked down.
|
Question, if we get direct access to the flash, can we root it?
I'm not sure what uP these run, but prior models were a freescale ARM and they have a built in mode to load a helper program. So either we do this, and do a bit of arm ASM or just get access to the flash, either eMMC connector or pull the chip off the board.
Thoughts?