I can't test but if you can write anywhere to the second half, then you can write everywhere in the second half, from 0xbfe00000 to 0xbfffffff.
I can confirm that writing to the second half of the flash is possible!
If writing to the second half works, do not try to flash accross the half boundary. Flash to each half with separate commands.
I can´t confirm this!
As stated in my earlier post:
cp.b 82000000 bfc40000 180000 -> ok
cp.b 82180000 bfdc0000 40000 -> ok
cp.b 821c0000 bfe00000 100 -> failed with "Copy to Flash... Flash unlock bypass write: Timeout Timeout writing to Flash"
So the write was not across the boundary.
But: When I issued the erase command, I tried to erase the whole kernel flash area which means that I hit the boundary. So probably the timeout error was caused by writing to a flash area that has not been erased properly before?
Another guess: Could it be that writing to the second half in facts writes to the first and the second half of the flash at the same time ignoring the most significant address bit?
I apologize for not replying for a time but I am quite busy these days.
I don´t think you have to apologize for doing fantastic volunteer work here!