Boot Chain
boot/boot.bin
Load Address: 0x40200000
This does some minimal hardware initialization, then loads the "real" bootloader and executes it. The "real" bootloader is appended to the end of boot.bin as a gzip stream. The offset of the "real" bootloader is different for every version. The table below gives the right offset. If your version is not listed, search with "hexdump -C boot-castle.bin | less" for the byte sequence "1f 8b" (the gzip format identifier).
Version | Offset |
Pre webOS 1.0.3 through webOS 1.2.1 unknown | 0x19D0 (thanks roxfan) |
Pre webOS 1.3.1 | 0x19f0 |
6438a2f52ab18c0b71e9f95d4ad1980d webosdoctorp100eww-wr-1.1.3/webOS/boot-castle.bin
6438a2f52ab18c0b71e9f95d4ad1980d webosdoctorp100ewwbellmo-1.1.0/webOS/boot-castle.bin
6438a2f52ab18c0b71e9f95d4ad1980d webosdoctorp100ewwbellmo-1.2.1/webOS/boot-castle.bin
6438a2f52ab18c0b71e9f95d4ad1980d webosdoctorp100ewwsprint-1.0.3/webOS/boot-castle.bin
6438a2f52ab18c0b71e9f95d4ad1980d webosdoctorp100ewwsprint-1.2.1/webOS/boot-castle.bin
8f709233691f043b42d36f25c5398cde webosdoctorp100ewwbellmo-1.3.1/webOS/boot-castle.bin
8f709233691f043b42d36f25c5398cde webosdoctorp100ewwsprint-1.3.1/webOS/boot-castle.bin
8f709233691f043b42d36f25c5398cde webosdoctorp100ueu-wr-1.3.1/webOS/boot-castle.bin
02cfec1a9c7ae81316ac85c5c5979f9f webosdoctorp200ewwsprint-1.2.9.1/webOS/boot-pixie.bin
43647a5b1f746478d17584d7fd92c60c webosdoctorp200ewwsprint-1.3.2/webOS/boot-pixie.bin
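As an added example (not part of the original page), this Python sketch automates the "1f 8b" search described above and confirms each candidate offset by decompressing it, since those bytes can also occur by chance inside the first-stage code. The function names and the sample image are constructed for illustration; only the offset 0x19D0 is taken from the table.

```python
import gzip
import zlib

# ID1, ID2 and CM=8 (deflate) from the gzip header defined in RFC 1952.
# Matching the third byte as well cuts down on chance hits.
GZIP_MAGIC = b"\x1f\x8b\x08"


def find_gzip_payloads(image: bytes, min_size: int = 1):
    """Return [(offset, decompressed_bytes)] for every offset in `image`
    where a complete gzip member starts and decompresses cleanly."""
    hits = []
    pos = image.find(GZIP_MAGIC)
    while pos != -1:
        # wbits=31 makes zlib parse the gzip header and verify the
        # CRC32/length trailer, so a corrupt stream raises zlib.error.
        d = zlib.decompressobj(wbits=31)
        try:
            data = d.decompress(image[pos:])
            # d.eof is False when the stream is truncated.
            if d.eof and len(data) >= min_size:
                hits.append((pos, data))
        except zlib.error:
            pass  # magic bytes occurred by chance in code or data
        pos = image.find(GZIP_MAGIC, pos + 1)
    return hits


def build_sample_image(offset: int = 0x19D0):
    """Constructed stand-in for boot.bin: a fake first stage that contains
    a decoy gzip magic, padded to `offset`, followed by a gzip payload."""
    stub = b"\xEA" * 64 + b"\x1f\x8b\x08\x00decoy"
    stub = stub.ljust(offset, b"\x00")
    payload = b"constructed stand-in for the second-stage loader " * 8
    return stub + gzip.compress(payload), payload


if __name__ == "__main__":
    image, _ = build_sample_image()
    for off, data in find_gzip_payloads(image):
        print(f"gzip member at 0x{off:X}, {len(data)} bytes decompressed")
```

To run it against a real image, read the file with `open(path, "rb").read()` and pass the bytes to `find_gzip_payloads`.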
"real" bootloader (bootie)
Load Address: 0x82000000
This looks a _lot_ like iBoot from the iPhoneOS devices, but others say that this is based off u-boot, so I will assume that is true and that iBoot is also based off of it. It even seems to have some of the u-boot commands, such as "printenv", "run", "setenv", "getenv", etc. I am currently looking into how to communicate with it as you can with iBoot.