It does indeed seem that there are crackable and so called uncrackable units.
Here is what we've been able to learn from this BBS and the uncrackable
units themselves (a summary of sorts)
Clearing the NVRAM (use a paperclip to short the jumper, described in detail
elsewhere, or move the jumper to "clear" which is labeled on the board)
causes an error, which results in access to the BIOS screen when the
f10 key (labeled "compaq") is pressed at the correct time. That time
is reported to be when the cursor appears after a memory check.
On crackable units, there is a cursor visable at various times (eg,
after a memory check). Uncrackable units do not show a cursor at any time.
If a cursor appears, persist in trying to enter the BIOS screen with
clear/boot/compaq key. Uncrackable units print a error message
staring with the number 162 and then recycle (after resetting the NVRAM),
having _never_ shown a cursor at all.
The BIOS is stored in (on at least some units) in an SST39F020 5volt
flash device. It is a 32PLCC and soldered to the board. Some people
have offered to mail copies of a good image, and others have suggested
using an image from a simmilar chipset (and report some measure of
The South Bridge is a VIA VT82C686A. It is connected to an on board
house numbered SanDisk controller and bulk NAND flash, using the primary
IDE interface on the VT82C686A (confirmed). The primary master IDE chip
select is pin(ball) L20 (PDCS1#) on the VT82C686A. It can just barely
be seen if the board is held at the correct angle (it's a ball grid array)
The primary slave chip select is on pin(ball) M16 (PDCS3#) and it (appears
to be) connected to pin 7 on the compact flash slot (forget trying to see
it's connection, the ball is deep under the chip).
- cutting the traces and crossing the chip selects _does not_ produce
useful results (in our tests). It reports it cannot find an OS on
any media, leading to one of three conclusions...
- Something else needs to be done to switch master and slave (we'll
look into this)
- You can't switch the master and slave this way (for some other reason)
- The BIOS now checks for something (new) as a key in the OS image.
One can get to a "fail safe" screen by hitting <CRTL-U> as the Compaq logo
dissapears. This is for downloading a new OS image (from MicroSloth).
Staring the download _immeadiately erases the OS_ causing the device to
complain on boot about missing files and request you call a 1-888 number.
Using <CRTL-U> for it's intended purpose _does_ download and flash a new
WinCE OS image, although you may have to change the URL it tries to use
to grab the image (see elsewhere, look in the tech support thread).
This screen does not appear easily subverted for our purpose.
The above mentioned OS image is downloadable from M$. It is called
clientman.dll, although is clearly not a normal WinBlows DLL. In
fact, "strings clientman.dll" shows that it is compressed (compression
algorithm unknown), encrypted or both. Nothing can (trivially) therefore
be gleened from it.
Compaq seems to have succeeded in making this non obvious at least,
and completely non trivial at best.
- We need a good BIOS image (anyone know where I can get one, hint?)
Something wrong with our approach to switching CF slot/SanDisk
- We need to have another look
That's it for now...