1. line(s): the contents of the BBRam according the file from matteo 2. blank line 3. the corresponding lines as they should be according the patched boot-eprom code 4. Comments from me 5. end sentence: ================= and so on FFFC0000 05 29 19 89 00 00 07 11 03 00 00 00 00 00 00 02 FFFC0000 05 29 19 89 xx xx xx xx 04 00 00 00 00 00 00 02 first 4 bytes is the magic number, xx are a 4 byte byte-checksum over the next 60 Bytes, the 04 seems to be the correct system modus. ======================================================================= FFFC0010 00 00 25 80 01 00 00 00 C0 A8 02 01 01 00 00 00 FFFC0010 00 00 25 80 01 00 00 00 00 00 00 00 01 00 00 00 the C0 A8 02 01 seems to be the default gateway = 192.168.2.1 must be zero, because the application blocks if a non existing address. 4 Bytes at FFFC0010: 0x2580 = 9600 seems to be the baud-rate for serial port, the two bytes from FFC0010 my be stop bits and parity on/off. ======================================================================= FFFC0020 C0 A8 02 08 FF FF FF 00 00 00 00 00 00 00 00 00 FFFC0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ip-address and netmask, should be set to zero ======================================================================= FFFC0040 01 00 05 80 00 00 3A 7B 72 61 6D 2E 68 65 78 00 FFFC0040 01 00 05 80 xx xx xx xx 72 61 6D 2E 68 65 78 00 xx is 4 byte byte-checksum over the next 100 bytes ======================================================================= the next lines are only commented lines, the BIN File is right: FFFC0090 AA AA AA AA AA AA AA AA 00 00 00 00 00 00 00 00 the last 8 bytes should be zero FFFC1F20 AA AA AA AA AA AA AA AA 33 32 20 20 00 E0 A0 00 ........32 .... FFFC1F30 04 08 AA AA AA AA 31 36 32 30 34 38 30 31 32 38 ......1620480128 6 bytes at 0xfffc1f2c mac-address to use 2 bytes at 0xfffc1f36 ramsize in megabytes ascii coded, 16 works always The access of the boot-eprom code to BBRam is restricted to 9 places: 1. read 4 byte magic number from 0xfffc0000 via read_nvram 2. read 4 byte 60 byte block checksum from 0xfffc0004 via read_nvram 3. via read_nvram 60 Bytes are copied from 0xfffc0008 to 0x7cbc 4. if magic or checksum are wrong 20bytes from location in boot-eprom are copied to 0x7cbc (default values) 5. some code operates on 0x7cbc (system-mode), 0x7cc4 (constant 0x2580), 0x7cd0 (constant 0x01000000) and 0x7cd4 (ip) 6. read 4 byte 100byte block checksum from 0xfffc0044 via read_nvram 7. via read_nvram 100 Bytes are copied from 0xfffc0048 to 0x18464 8. if magic or checksum are wrong, string 'ram.hex\0' is copied to 0x18464 and 2 long words at 0x18464+0x50 and 0x18464+0x54 are zeroed 9. mac-address and ram size are read directly from BBRam I have proofed: 1. no further access to 0xfffcxxx or via read_nvram or write_nvram 2. no further call of the checksum routine, that means that there are no other guards in the boot-eprom code. 3. the areas 0x7cbc and 0x18464 will be propably handend over to the application program that the boot-eprom loads. 4. the patched eprom should can load the application and start it, if it has not other failures 5. the original eprom should can load the application and start it, if it would be possible to program the BBRam as I have shown above. 6. that does not mean, that the application can run successfully, because I suppose that it reads other areas of BBRam and they may be guarded by checksums too.