LeapFrog Pollux Platform: Surgeon

Surgeon is a special USB-bootable firmware designed for the LeapPad Explorer and Leapster Explorer that is used during the firmware update process. Emerald Boot is required for USB booting and comes stock on both the LeapPad and Explorer. The Didj can also be modified to run Emerald Boot, but that requires some work.

Anatomy
Surgeon is wrapped in a CBF layer. Inside is a basic gzip-compressed zImage with an initramfs that includes all of the programs necessary to run basic Linux and the updating software.
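As an added illustration (not OpenLFConnect code and not part of the original page), this Python example locates the layers described above by their magic bytes, without assuming the CBF header layout, which this page does not give. The sample image is constructed, and its 20-byte header and 4-byte trailer are placeholders rather than real CBF fields.

```python
import gzip
import struct
import zlib

ARM_ZIMAGE_MAGIC = struct.pack("<I", 0x016F2818)  # word at offset 0x24 of an ARM zImage
GZIP_MAGIC = b"\x1f\x8b\x08"                      # gzip member, deflate method
CPIO_NEWC_MAGIC = b"070701"                       # "newc" cpio, the usual initramfs format
MAX_OUT = 64 * 1024 * 1024                        # cap on decompressed size


def find_zimage(blob):
    """Offset of the ARM zImage start (magic sits 0x24 bytes in), or None."""
    pos = blob.find(ARM_ZIMAGE_MAGIC, 0x24)
    return pos - 0x24 if pos != -1 else None


def gunzip_at(blob, offset):
    """Decompress the gzip member at offset; reject truncated or oversized streams."""
    d = zlib.decompressobj(31)  # 31 selects gzip framing
    out = d.decompress(blob[offset:], MAX_OUT)
    if not d.eof:
        raise ValueError("gzip stream truncated or larger than MAX_OUT")
    return out


def inspect_image(blob):
    """Report where each layer sits inside a wrapped image, found by magic bytes."""
    report = {"zimage_offset": find_zimage(blob), "gzip_offset": None,
              "payload_size": None, "cpio_offset": None}
    pos = blob.find(GZIP_MAGIC)
    while pos != -1:
        try:
            payload = gunzip_at(blob, pos)
        except (zlib.error, ValueError):
            pos = blob.find(GZIP_MAGIC, pos + 1)  # false positive, keep scanning
            continue
        cpio = payload.find(CPIO_NEWC_MAGIC)
        # An initramfs that is itself compressed inside the kernel will not match here.
        report.update(gzip_offset=pos, payload_size=len(payload),
                      cpio_offset=cpio if cpio != -1 else None)
        break
    return report


def build_sample():
    """Constructed stand-in: 20-byte placeholder header, zImage stub, gzip payload, trailer."""
    kernel = b"\x00" * 64 + CPIO_NEWC_MAGIC + b"0" * 104
    stub = b"\x00" * 0x24 + ARM_ZIMAGE_MAGIC + b"\x00" * 24
    return b"HDR!" * 5 + stub + gzip.compress(kernel) + b"\xde\xad\xbe\xef"
```

Running `inspect_image` on the bytes of a real surgeon.cbf before booting it shows whether the file actually contains the expected zImage and gzip payload.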

Once the device is in USB boot mode, the surgeon.cbf file can be sent to it, either with LFConnect or without, where it is loaded by Emerald Boot and executed.

This will start the DFTP device, which is basically a modified FTP server. You can use OpenLFConnect to exercise various functionality of the server. Using the update command, the kernel, erootfs and bulk firmware can be flashed to NAND. You can also mount the already installed firmware partitions if you need to fix an issue that cannot be fixed during normal booting. Do remember that Surgeon is completely temporary: anything you modify within Surgeon will not remain after a reboot, which can make it an excellent means of non-destructive testing.

Prerequisites
Set Up Build Environment

Kernel Configuration

Software Needed
OpenLFConnect

Kernel Sources LeapPad or Explorer

RootFS
* Build your own
* Use OpenLFConnect to extract one from Surgeon

Rootfs
The easiest way is to use OpenLFConnect and extract one from a factory Surgeon file. These commands will download the Surgeon package, extract it, then extract the initramfs (rootfs) to /rootfs.lx/

    package_download LX surgeon
    package_extract LX_surgeon .lfp
    surgeon_extract_rootfs lx surgeon.cbf

This will

Compiling
Nothing out of the ordinary here: there is a supplied config file for Surgeon, and you just need SURGEONFS on the command line to point to your rootfs.

    make lf1000_ts_surgeon_defconfig
    SURGEONFS=/path/to/your/rootfs ./install.sh

In either /linux-2.6/arch/arm/boot/ or /target/tftp you'll find a zImage file of roughly 5.8 MB, depending on LeapPad or Explorer sources.

Next, using OpenLFConnect again, the file needs to be wrapped in CBF. Whether to use High (0x00010000) or Low (0x00008000) memory depends on your device; check the versions chart.

    cbf_wrap high surgeon.cbf path/to/zImage

Didj Patches
Didj Surgeon Patch

These patches take care of a few minor adjustments with the RootFS and Kernel to allow Surgeon to work as normal with Emerald Boot on the Didj.

Booting
Set the device in USB Boot mode, with the cord connected. Again with OpenLFConnect, boot Surgeon.

    surgeon_boot /path/to/surgeon.cbf

Once the command line returns, your device should be booting up. You can then connect to the DFTP, if you like, through OpenLFConnect.

    dftp_device

You should get a summary of data, and you can now play around with Surgeon.