Boot Chain
boot/boot.bin
Load Address: 0x40200000
The bootloader is actually stored outside the filesystem, starting from the second block of the Pre's flash disk.
This does some minimal hardware initialization, then loads the "real" bootloader and executes it. The "real" bootloader is tacked onto the end of boot.bin as a gzip stream. The offset of the "real" bootloader differs from version to version; the table below gives the right offset. If your version is not listed, search with "hexdump -C boot-castle.bin | less" for the byte sequence "1f 8b" (the gzip format identifier).
Version | Offset |
Pre webOS 1.0.3 through webOS 1.2.1 | 0x19D0 (thanks roxfan) |
Pre webOS 1.3.1 | 0x19f0 |
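For versions missing from the table, the search can be scripted. The following is an added example, not code from the original page: it goes beyond the hexdump search by trying to decompress at every hit, because the bytes "1f 8b" can also occur by chance inside the stub code. The function names and the sample image are constructed for illustration.

```python
import gzip
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"  # ID1, ID2, CM=8 (deflate)


def find_gzip_members(blob, min_size=1):
    """Return [(offset, decompressed_bytes)] for every offset that holds a
    gzip stream which actually decompresses; bare magic hits are skipped."""
    found = []
    pos = blob.find(GZIP_MAGIC)
    while pos != -1:
        d = zlib.decompressobj(wbits=31)  # 31 = expect gzip header + trailer
        try:
            data = d.decompress(blob[pos:])
            # eof is only set once the CRC/length trailer has been verified
            if d.eof and len(data) >= min_size:
                found.append((pos, data))
        except zlib.error:
            pass  # magic bytes occurred by chance inside code or data
        pos = blob.find(GZIP_MAGIC, pos + 1)
    return found


def build_sample_image():
    """Constructed stand-in for boot.bin: stub bytes that happen to contain
    the magic sequence, followed by a gzip-compressed payload."""
    stub = b"\x00" * 0x40 + b"\x1f\x8b\x08\xff\xff\xff\xff" + b"\xea" * 0x39
    payload = b"constructed second-stage image " * 8
    return stub + gzip.compress(payload, mtime=0), len(stub), payload


if __name__ == "__main__":
    image, _, _ = build_sample_image()
    for offset, data in find_gzip_members(image):
        print(f"gzip member at 0x{offset:X}, {len(data)} bytes decompressed")
```

To use it on a real image, read the file in binary mode and pass the bytes to find_gzip_members; the reported offset is the value the table lists.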
"real" bootloader (bootie)
Load Address: 0x82000000
This looks a _lot_ like iBoot from the iPhoneOS devices, but others say that this is based off u-boot, so I will assume that is true and that iBoot is also based off of it. It even seems to have some of the u-boot commands, such as "printenv", "run", "setenv", "getenv", etc. I am currently looking into how to communicate with it as you can with iBoot.