Reverse-engineered BootROM protocol for booting packed GxLoader (a proprietary U-Boot fork) images.
There are 3 versions of the protocol so far:
- Generic (reverse engineered from their tools repo)
- Generic where version != 1 (v0? v2? Most likely requires older/newer BootROM)
- Vendor (newer? Reverse engineered from the same boot program but for specific STB & Windows)
BootROM seems to accept both without issues.
Header is chip (u16) + version (u16). Stage 1 (U-Boot SPL?) is 0x2000 bytes. Stage 2 is sliced by stage 1 (because we send all data as stage 2).
Header is magic (u32) + version (u16) + chip (u16) + baud (u32). Stage 1 (U-Boot SPL?) is 0x2000 - 4 bytes (likely). Stage 2 is weirdly sliced data with magic + stage 1 + stage 2 (has its own header? + 28 offset after 0x2000).
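The two header layouts described above, decoded with Python's `struct` module so that a captured image can be inspected before it is sent anywhere. This is an added example, not code from this project: little-endian byte order, the header sitting at offset 0 with stage 1 directly after it, and the layout names `short` and `long` are all assumptions.

```python
import struct
from typing import NamedTuple, Optional

# Assumptions (not stated in the notes above): little-endian fields, header
# at offset 0 of the image, stage 1 immediately after the header.
SHORT_HDR = struct.Struct("<HH")    # chip (u16) + version (u16)
LONG_HDR = struct.Struct("<IHHI")   # magic (u32) + version (u16) + chip (u16) + baud (u32)
STAGE1_SIZE = 0x2000                # stage 1 size given for the short-header layout


class Header(NamedTuple):
    layout: str                     # "short" or "long" (hypothetical names)
    chip: int
    version: int
    magic: Optional[int] = None     # only present in the long layout
    baud: Optional[int] = None      # only present in the long layout


def parse_header(image: bytes, layout: str) -> Header:
    """Decode the header for the named layout, rejecting truncated input."""
    fmt = {"short": SHORT_HDR, "long": LONG_HDR}[layout]
    if len(image) < fmt.size:
        raise ValueError(f"need {fmt.size} header bytes, got {len(image)}")
    if layout == "short":
        chip, version = fmt.unpack_from(image)
        return Header(layout, chip, version)
    magic, version, chip, baud = fmt.unpack_from(image)
    return Header(layout, chip, version, magic, baud)


def split_short_image(image: bytes):
    """Return (header, stage1, remainder) for the short-header layout."""
    hdr = parse_header(image, "short")
    body = image[SHORT_HDR.size:]
    if len(body) < STAGE1_SIZE:
        raise ValueError("image too short to hold a 0x2000-byte stage 1")
    return hdr, body[:STAGE1_SIZE], body[STAGE1_SIZE:]


# Constructed sample, not a real image: chip 0x1234, version 1, zeroed stage 1.
SAMPLE = SHORT_HDR.pack(0x1234, 1) + bytes(STAGE1_SIZE) + b"stage2"

if __name__ == "__main__":
    hdr, stage1, rest = split_short_image(SAMPLE)
    print(hdr, len(stage1), rest)
```

The long-layout stage split is left out on purpose, since the notes only give its stage 1 size and stage 2 slicing as tentative.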
U-Boot is locked down and doesn't have commands to do a RAM boot. The bootloader that lives in the SPI flash is even more locked down, but can boot from USB.