David Woodhouse wrote: The code bytes disassemble to the following: f80d2460: 31 db xor %ebx,%ebx f80d2462: 8b 4d e8 mov -0x18(%ebp),%ecx f80d2465: 8b 55 e4 mov -0x1c(%ebp),%edx f80d2468: 8b 45 e0 mov -0x20(%ebp),%eax f80d246b: c7 44 24 04 a5 00 00 movl $0xa5,0x4(%esp) f80d2472: 00 f80d2473: 89 34 24 mov %esi,(%esp) f80d2476: e8 94 fb ff ff call f80d208a f80d247b: 85 c0 test %eax,%eax f80d247d: 0f 88 21 03 00 00 js f80d2827 f80d2483: 85 f6 test %esi,%esi f80d2485: 0f 84 9c 00 00 00 je f80d25b2 f80d248b: 8b 0b mov (%ebx),%ecx <-- crash here f80d248d: 31 f6 xor %esi,%esi f80d248f: 0f c9 bswap %ecx f80d2491: 85 db test %ebx,%ebx f80d2493: 89 4d e4 mov %ecx,-0x1c(%ebp) f80d2496: 74 ca je f80d2462 f80d2498: 0f b7 43 04 movzwl 0x4(%ebx),%eax f80d249c: 0f b7 d0 movzwl %ax,%edx The offending command is obviously line 157 of emi62.c. rec being NULL is how the ihex helper functions signal the end of the firmware data; the old driver just had a harmless empty record. emi26.c uses just "rec" as outer loop condition; that ought to work. HTH Clemens