Hacker News

Sir68k, today at 8:09 AM (1 reply)

A lot of reverse engineering and guesswork actually!

One of the parts of writing an extension for a device from which you've only extracted a firmware blob from memory space is to understand as much as possible of the memory layout and the possible memory mappings. With HiMD MiniDisc recorders, they don't just have to bring up the MCU on boot, but also the VME (Virtual Mobile Engine / DSP).

As such, during my investigation I found a bit of code mapped to an unknown memory area 0x0081_0000. It contained what seemed to be a vector table, code for bootstrapping the system, and then some USB code with a small protocol to do some debug operations. The code was written as if it were supposed to live at address 0x00 (which is where the Flash is mapped to in normal conditions).

As such, to me this seemed to clearly be a bootrom that could be activated in some condition. The question was, how?

Sony has always been protective of their hardware, and as such they have been careful in the service manual documentation of their NetMD/HiMD devices and renamed any pin/pad that could be potentially dangerous (as in, giving more control to users than they should have). Of course, if you look for nonsensical names, that brings you directly to the interesting pins :) That's how I isolated JTAG (though figuring out how to get it working and the right pinout was another story). The HSALF pin stood out as well; somehow I sort of recognised the name, but I did not know why until I realised it stood for FLASH in reverse. Basically, it was pulled up, activating the flash. Pulling it down activated the bootrom.

The other pin that has to be bridged is related to the power IC. If not asserted by the MCU it will shut off. In bootrom mode or JTAG the MCU will not do this, so you need to force the power IC to stay alive.
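The reasoning above (a block found at 0x0081_0000 whose absolute references only make sense if the code is loaded at 0x00, with a vector table at its start) can be turned into a small heuristic. The following is an added example and is not code from the commenter or from any Sony tooling; the device's CPU architecture is not stated on the page, so it assumes 32-bit little-endian words, and the sample image it scans is constructed inline, not a real firmware dump.

```python
import struct

def words(blob, endian="<"):
    """Split a firmware blob into 32-bit words (little-endian by assumption)."""
    n = len(blob) // 4
    return list(struct.unpack(f"{endian}{n}I", blob[: n * 4]))

def pointer_density(blob, base, endian="<"):
    """Fraction of 32-bit words that would be addresses inside the image
    if the blob were loaded at `base`. Code that was linked for `base`
    tends to contain many such in-image absolute references."""
    ws = words(blob, endian)
    if not ws:
        return 0.0
    lo, hi = base, base + len(blob)
    hits = sum(1 for w in ws if lo <= w < hi)
    return hits / len(ws)

def infer_load_address(blob, candidates, endian="<"):
    """Pick the candidate base with the highest in-image pointer density."""
    return max(candidates, key=lambda b: pointer_density(blob, b, endian))

def find_vector_table(blob, base, min_entries=8, endian="<"):
    """Find the first run of at least `min_entries` consecutive words that all
    point inside the image when loaded at `base`. Returns (byte_offset, count)
    or None. Note: on cores whose first vector is an initial stack pointer
    into RAM, that word would sit outside the image and be skipped here."""
    ws = words(blob, endian)
    lo, hi = base, base + len(blob)
    run_start = None
    for i, w in enumerate(ws + [None]):          # sentinel flushes a trailing run
        inside = w is not None and lo <= w < hi
        if inside and run_start is None:
            run_start = i
        elif not inside and run_start is not None:
            if i - run_start >= min_entries:
                return run_start * 4, i - run_start
            run_start = None
    return None

def build_sample_blob():
    """Constructed 4 KiB sample image (not from any real device): a 16-entry
    vector table pointing at handler stubs inside the image, followed by
    filler words that do not look like in-image pointers."""
    size = 0x1000
    vectors = [0x200 + 0x20 * i for i in range(16)]
    body = bytearray(size)
    body[0:64] = struct.pack("<16I", *vectors)
    for off in range(64, size, 4):
        body[off:off + 4] = struct.pack("<I", 0xDEAD0000 | (off & 0xFFFF))
    return bytes(body)

if __name__ == "__main__":
    blob = build_sample_blob()
    # The two candidates from the write-up: where the blob was found vs. where Flash normally sits.
    candidates = [0x00810000, 0x00000000]
    for base in candidates:
        print(f"base 0x{base:08x}: density {pointer_density(blob, base):.4f}, "
              f"vector table {find_vector_table(blob, base)}")
    print(f"inferred load address: 0x{infer_load_address(blob, candidates):08x}")
```

The heuristic only works when the code uses absolute addresses (vector entries, literal pools, jump tables); a purely position-independent image would score the same at every base, in which case the vector-table shape and the surrounding memory map are the remaining clues.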


Replies

MrBuddyCasino, today at 9:48 AM

Very interesting!

> As such, during my investigation I found a bit of code mapped to an unknown memory area 0x0081_0000. It contained what seemed to be a vector table, code for bootstrapping the system, and then some USB code with a small protocol to do some debug operations. The code was written as if it were supposed to live at address 0x00 (which is where the Flash is mapped to in normal conditions).

Is this something you can pattern-match directly from the assembly, or was this dis-assembled to C or so?
