I can provide some more information about the ICs from the pictures :
6CA1KHJ WF245
is a level translator, 16 bits
SN74AVC16T245DGVR
WE245 68K A2HY
is another level translator, 8 bits
SN74AVC8T245
7ED22 D9GKW c788
is sRam memory :
Micron 1GB
PC2-4200 (DDR2-533)
model 7ED22-D9GMH
chip MT16HTF12864HY-53ED3 1.8V
WM8985G
is the audio codec and amplifier
LC4032ZC 75MN6
Probably a Lattice programmable logic device.
No perfect match, but close.
BBO 6AW M420
TPS62040DRC step down converter
(Intel) F160C3
Advanced Boot Block Flash Memory
--->Flash 16Mbits
http://www.olimex.com/dev/pdf/Intel_C3.pdfThis is probably where the bootloaders sit !
LC6Y J829 611
No clue ...
It is probably a larger NAND Flash used for the system base storage and os.
Maybe similar to K9K1G08
There are some other sot23-5 chips that seems to be DC-DC Converters, but nothing interresting there. (also extremely hard to identify)
Ok, now the good and the bads...
There's 99% chances the bootloader(s) are stored in the intel flash.
(The other is much smaller in size and probably NAND - similar to the EVM schematic actually.
NAND is nice because it is much denser, but not so good for a bootloader because it is slower and can contain errors)
The bad side is that it is a BGA package (Ball grid array) requiring very special and expensive equipment to unsolder/reball/resolder. (not even talking about experience required)
I can see two things that can be done to write to the flash (and get rid of that nasty bootloader)
-Either peek into the address/data lines of the flash, hoping they are all accessible somewhere on the right when going into the davinci chip.
I can already see many of them are available, but if one is missing and going into an inner layer, that's dead.
Knowing that we need to tap into 22 address lines, 8 data lines and a few other control ... to be honest it is unlikely to happen.
-The other way might be using software to unlock the flash and write a new bootloader.
Knowing the IC used and commands (from
http://www.olimex.com/dev/pdf/Intel_C3.pdf) it might be possible to unlock the bootloader blocks and modify them.
The flash seems to have some protection modes, but I haven't read anything about definitive irreversible protection. (except for the 128 bits protection register which is like a serial number)
That's pretty much all I can do at this stage.
Hoping this will help software guys to hack it further...