What's the popel util good for and how to use it? :-)
You can mess around in the RAM of your wlan-card with it.
Here's a short usage info:

hunz@akasha:~/lucent/hfw/popel$ sudo ./popel /dev/orinoco/eth1_mem 
# now we dump 48 bytes from offset 382000 on
# (that's the beginning of the PRI fw in the flash) 
> dump 382000 48
  382000:  30 22 72 60 00 61 FF 60 A4 62 00 60 52 63 3E 60  0"r`.a.`.b.`Rc>`
  382010:  00 65 61 46 5A D0 65 46 A2 D8 FB 1F FF 60 58 4F  .eaFZ.eF.....`XO
  382020:  D3 78 FF FF 10 60 15 78 FF FF 00 64 01 60 FE 63  .x...`.x...d.`.c
# now we initialize a diff - 100000 bytes from offset 0 on
# we always have to initialize the diff first if we wanna diff a new offset
# by using diff <offset> <len>
> diff 0 100000
# now we compare this mem to the values from the last diff (that from the init) 
> diff
      56:  05                                               .
      56:  06                                               .
# that means: offset 56 (hex - offsets are always hex) changed from 5 to 6
# since last diff (init)
# let's diff it again
> diff
      56:  06                                               .
      56:  03                                               .
# oh! it changed from 6 to 3 since the last diff!
# and so on...
> diff
      56:  03                                               .
      56:  06                                               .
> diff
      56:  06                                               .
      56:  05                                               .
# switch to firmware download mode and boot from offset 800 when finished
> entry 800
HERMES_PREPARE_RAMDL: 0
# 0 means: no error _YET_ ;)
# now we copy 8752 bytes from offset 382000 to offset 800
# length is always in dec - 8752 == 0x2230 == PRI len
# 382000 is the PRI offset, 800 is a mostly random offset in ram...
# don't care about that 800, it does nothing useful 8)
> copy 382000 800 8752
# now reboot from the entry (800) we gave above
> reboot
HERMES_FINISH_RAMDL: 0
# 0 -> fine (doesn't mean the firmware works! only that the card tried to reboot)
# maybe - and very likely ;( - we crashed the card with that entrypoint/fw
# ok boot <offset> does the same as entry <offset> and reboot
# but it's safer to use entry/reboot since foreign writes are being blocked
# between entry and reboot -> you've got exclusive write access then 
> boot 33000
HERMES_PREPARE_RAMDL: -1
HERMES_FINISH_RAMDL: -1
# uh :( failed - i guess we already crashed our card with the entry 800 / reboot
# ok - enough popel'ed - let's quit...
> quit

hunz@akasha:~/lucent/hfw/popel$ dmesg
hermes @ IO 0x100: Timeout waiting for command completion.
eth1: Error -110 reading firmware info. Wildly guessing capabilities...
eth1: Station identity 0000:0000:0000:0000
eth1: Looks like a Lucent/Agere firmware version 0.00
eth1: Ad-hoc demo mode supported
hermes @ IO 0x100: Error -16 issuing command.
eth1: failed to read MAC address!

# yes we did crash our card :(

hunz@akasha:~/lucent/hfw/popel$ sudo cardctl eject
hunz@akasha:~/lucent/hfw/popel$ sudo cardctl insert

and your card is running again for further popeling ;)
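
The snapshot behaviour of diff from the session above (init once, then every bare diff reports changes since the previous diff and moves the baseline), modelled in C as an added example that is not popel's own source. The names memdiff_init and memdiff_step, and the 256-byte buffer standing in for the card RAM, are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Baseline copy of the watched window [offset, offset+len). */
struct memdiff { size_t offset, len; unsigned char *base; };

/* Models "diff <offset> <len>": snapshot the window. 0 on success, -1 on error. */
int memdiff_init(struct memdiff *d, const unsigned char *mem, size_t mem_size,
                 size_t offset, size_t len)
{
    if (offset > mem_size || len > mem_size - offset)
        return -1;                       /* window would run past the buffer */
    unsigned char *b = malloc(len ? len : 1);
    if (!b) return -1;
    memcpy(b, mem + offset, len);
    d->offset = offset; d->len = len; d->base = b;
    return 0;
}

/* Models a bare "diff": print old then new value of every changed byte,
 * make the current contents the new baseline, return the change count. */
size_t memdiff_step(struct memdiff *d, const unsigned char *mem, FILE *out)
{
    size_t changed = 0;
    for (size_t i = 0; i < d->len; i++) {
        unsigned char now = mem[d->offset + i];
        if (now == d->base[i]) continue;
        if (out)
            fprintf(out, "%8zx:  %02X\n%8zx:  %02X\n",
                    d->offset + i, d->base[i], d->offset + i, now);
        d->base[i] = now;                /* next diff compares against this */
        changed++;
    }
    return changed;
}

int main(void)
{
    unsigned char ram[0x100] = {0};      /* constructed stand-in for card RAM */
    struct memdiff d;
    ram[0x56] = 0x05;
    if (memdiff_init(&d, ram, sizeof ram, 0, sizeof ram) != 0)
        return 1;
    ram[0x56] = 0x06; memdiff_step(&d, ram, stdout);   /* reports 05 -> 06 */
    ram[0x56] = 0x03; memdiff_step(&d, ram, stdout);   /* reports 06 -> 03 */
    free(d.base);
    return 0;
}
```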
