this is a description of the inner workings of the xda-1 bootloader.

how it starts

note on running code from wallaby bootloader prompt

How to run manually entered code from the wallaby bootloader command prompt

say I want to run this code (opcode bytes manually taken from the arm reference):

stmfd  SP!, {LR}          @ 00 40 2d e9
add    r1, pc, #0x18      @ 18 10 8f e2 | adr r1, buf
ldr    r0, [pc, #0x0c]    @ 0c 00 9f e5 | ldr r0, =0x8C231EC0
ldrh   r2, [r0, #0x0e]    @ be 20 d0 e1
mov    lr, pc             @ 0f e0 a0 e1 | return address = the ldmfd below
ldr    pc, [pc, #4]       @ 04 f0 9f e5 | bl =0x8C098FFC
ldmfd  SP!, {PC}          @ 00 80 bd e8

ptr: .word 0x8C231EC0     @ ptr to sdcardinfo struct
sub: .word 0x8C098FFC     @ ptr to function to get sdcard id
buf: .space 64            @ 64 zero bytes, r1 points here

testing if it works

to test if my code really does what I mean, I first tested it by calling printf to see if all parameters come out as expected.

so I replace the ptr and sub with these:

ptr: .word 0x8C07BD78  @ ptr to nice string with 2 '%x' in it
sub: .word 0x8C0845BC  @ ptr to uartprintf
leading to this end result:
ew 8c240000
e92d4000
e28f1018
e59f000c
e1d020be
e1a0e00f
e59ff004
e8bd8000
8C07BD78
8C0845BC
.
g 8c240000
and yes, it prints 'Image start: 8C240024h length: 00005825h. ' as expected.

so now try reading the sdcard id:

ew 8c240000
e92d4000
e28f1018
e59f000c
e1d020be
e1a0e00f
e59ff004
e8bd8000
8C231EC0
8C098FFC
.
g 8c240000
mb 8c240000
giving this result:
01 50 41 53 31 32 38 42 11 2C 85 03 C1 00 2C 00
 .  P  A  S  1  2  8  B
note: I am running bootloader version 5.15 from t-mobile; offsets are different for other bootloader versions.

sd cards

If an SD card contains a specific signature while your xda resets, it is recognized by the bootloader, and one of several things can happen:
signature        action
HTC$WALLABY00    upgrade bootloader
HTC$WALLABY11    upgrade CE image
HTC$WALLABY22    upgrade Boot + CE image
HTC$WALLABY33    run diagnostic code from sd card
HTC$WALLABY44    upgrade gsm rom
HTC$WALLABY55    upgrade CE + gsm rom
HTC FLASH KEY    card has signature - 5.17, see sector 5 for real card contents

bootloader 5.17 or 6.22 sd cards

bug_md5sum = the md5sum calculated with an implementation that contains a typo: the first byte of the padding, 0x80, is written as 80 decimal (0x50 hex).
Use the wallaby patch loader to circumvent this protection, and be able to load any type of sdcard.
But an easier way out of bootloader 6.22 or 5.17, is to use pnewbootloader, to just flash a different bootloader.

big warning: be sure to use a real bootloader image when updating your bootloader,
!!!!! the CLoader_usb.nb and CLoader_serial.nb files are NOT bootloaders. !!!!!
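
The padding typo behind bug_md5sum, as an added example (not code from the bootloader or from the original page): a small MD5 in Python whose first padding byte can be swapped, so the standard digest (0x80) can be compared with the variant (0x50). It assumes the typo changes only that one byte; the function names and the sample input are constructed for illustration.

```python
import hashlib
import math
import struct

# Rotate amounts and sine-derived constants from RFC 1321.
_S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
_K = [int(abs(math.sin(i + 1)) * 2**32) & 0xFFFFFFFF for i in range(64)]
_MASK = 0xFFFFFFFF


def md5_with_pad(data: bytes, first_pad: int = 0x80) -> str:
    """MD5 hex digest of data; first_pad is the byte that starts the padding."""
    msg = data + bytes([first_pad])
    msg += b"\x00" * ((56 - len(msg)) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        m = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(64):
            if i < 16:
                f, g = (b & c) | (~b & d), i
            elif i < 32:
                f, g = (d & b) | (~d & c), (5 * i + 1) % 16
            elif i < 48:
                f, g = b ^ c ^ d, (3 * i + 5) % 16
            else:
                f, g = c ^ (b | ~d), (7 * i) % 16
            f = (f + a + _K[i] + m[g]) & _MASK
            rot = ((f << _S[i]) | (f >> (32 - _S[i]))) & _MASK
            a, d, c, b = d, c, b, (b + rot) & _MASK
        state = [(s + v) & _MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state).hex()


def bug_md5sum(data: bytes) -> str:
    """Assumed bootloader variant: padding starts with 0x50 (decimal 80), not 0x80."""
    return md5_with_pad(data, first_pad=0x50)


if __name__ == "__main__":
    sample = b"constructed sample image bytes"  # constructed input, not a real image
    assert md5_with_pad(sample) == hashlib.md5(sample).hexdigest()
    print("standard md5:", hashlib.md5(sample).hexdigest())
    print("bug_md5sum  :", bug_md5sum(sample))
```

Because the changed byte sits inside the padding, no standard md5sum tool can reproduce the variant digest by altering the input data alone.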

diagnostic sd cards

if you insert a sd card containing the signature 'HTC$WALLABY33', the first 256 k of the card will be loaded in memory, at address 8c240000, and executed.

example diagnostic image: wbt-1.5.tar.gz - can patch 5.17 and 6.22 bootloaders, such that the 'HTC FLASH KEY' feature is disabled.

gsm commands

these are the gsm-at commands sent by the various gsm menu options
900 "AT%CHG900"
1900 "AT%CHG1900"
900/1800 "AT%CHGDUAL"
rfcal "AT%RFCAL"
normal "AT%NORMAL"