View Full Version : Anyone have a bricked 6800 needing fixed? The JTAG Project


madman34
13-03-2008, 11:41 AM
Greetings all,
Just off of the success of fixing the frustration of the broken audio adapter after upgrading to a new ROM problem, I think that a new and even more valuable project is at hand: UnBricking these that are really bricked.

Ok, here is my thought and experience in as short a summary as I can give. Almost ALL consumer products these days evolved from general purpose processors with outboard EPROM or EEPROM, RAM, and peripheral components. As the devices develop, custom chipsets come into play to reduce size, component count, weight, power consumption, cost, etc, while upping the reliability, battery life, features, speed, and just the joy factor of these things. Look at them as they get better and better, just the transition from 6th gen 6700 to the 7th gen 6800 how much better it works. This goes for everything from the PDA/Smartphones, to the refrigerator, to satellite receivers, everything. A problem was that as more stuff gets crammed onto a smaller number of chips, they needed a way to initially configure these things so they would not come out as dumb boxes. Enter the JTAG interface. For those who do not know the acronym, look it up, but basically it is a standard interface and protocol to communicate with dedicated microprocessors and program them, without having to exactly speak the language of each model and brand. When you get a device off the production line at the end it goes to a workstation that has a JTAG interface jig and a PC configured to load the initial stuff, like the bootloader and basic stuff needed to make it what it is. I have been working with stuff for many years now and have JTAGGed satellite receivers, cell phones, air cards, cars, yes even cars use it, and a standard set of software talks to it all. The only difference is the connector or jig that is used and the BIN file you load. This is usually creatable from the bootloader file that we usually load up to the USB port with the RUU, but without a bootloader in it already we cannot do anything with it, so we need to JTAG like OLIPRO2.40 straight to the memory address range it needs to go to.
JTAG software will, thru the interface, establish communication with, communicate, identify, and program the flash directly, heck you can put the entire ROM on it if you want. I do this all the time with other devices, so I know it is possible.


If you have a 6800 that is bricked thru software error and NOT broken by any crazy stuff done to it afterwards, then JTAGging WILL fix it. I propose to start the JTAG project for the 6800 series HTC devices, as I see an ever increasing number of these getting bricked it needs to be done. The ONLY way one should be touched inside is if it is known to be bricked by software error that you cannot get back out of and that's all that is wrong with it, and very important that there is no possibility of returning it to your carrier under warranty for repair. HTC would do exactly what I propose and send it back fixed but probably charge a bunch. I have not killed mine, and do not intend to do so just for this project, but if anyone has one that is just a paperweight and meets the above criteria and has nothing to lose and plenty of time (cause my paying job takes priority) I would be happy to take this on and find, probe, and JTAG your device, fix it and provide before, during, and afterwards logging of what is done. I would then prepare a package of instructions and software on how everyone else can do it as well.


Anyone got a really dead one that they would care to try ???????

1999TL
13-03-2008, 12:15 PM
I hope I'm not on the list. I haven't seen JTAG since I went to the DD-WRT forums.

1999TL
13-03-2008, 12:17 PM
Sounds like a great project for those in need.

morganlowe
13-03-2008, 04:31 PM
Mmm, JTAG... DD-WRT and old CNC machines..

I'm curious about this, how do you interface with the phone for JTAG? I just skimmed the article [don't have my glasses] but would love to know.

nmonger
13-03-2008, 04:33 PM
JTAG does work - it brought my bricked hermes back to life!

Shadowmite
13-03-2008, 04:47 PM
Mmm, JTAG... DD-WRT and old CNC machines..

I'm curious about this, how do you interface with the phone for JTAG? I just skimmed the article [don't have my glasses] but would love to know.

You have to find the 4 or 5 connection points needed and determine memory layout. The problem with his idea here is the cpu in the 6800 is SPECIAL. No public datasheets, and it's proprietary as heck. Good luck finding the jtag points for the kaiser or 6800 or any msm7000 series device using the msm as the cpu.

morganlowe
13-03-2008, 04:57 PM
You have to find the 4 or 5 connection points needed and determine memory layout. The problem with his idea here is the cpu in the 6800 is SPECIAL. No public datasheets, and it's proprietary as heck. Good luck finding the jtag points for the kaiser or 6800 or any msm7000 series device using the msm as the cpu.

I was thinking the same thing, there's not much on this chip out there... I have JTAG stuff for old school EPROMs and such, even got a cable for Linksys routers... I would worry about digging into my phone though. I know with Sprint you can add insurance at any time, but you must wait 30 days to make a first claim... I got some old Treo 600s for Sprint I could donate to someone needing a phone as a temp.

Geckotek
13-03-2008, 05:00 PM
You have to find the 4 or 5 connection points needed and determine memory layout. The problem with his idea here is the cpu in the 6800 is SPECIAL. No public datasheets, and it's proprietary as heck. Good luck finding the jtag points for the kaiser or 6800 or any msm7000 series device using the msm as the cpu.

And the great Shadowmite emerges from the......shadows?

Long time no see! (TC)

madman34
13-03-2008, 05:52 PM
You have to find the 4 or 5 connection points needed and determine memory layout. The problem with his idea here is the cpu in the 6800 is SPECIAL. No public datasheets, and it's proprietary as heck. Good luck finding the jtag points for the kaiser or 6800 or any msm7000 series device using the msm as the cpu.

JTAG points are usually together in a pattern and not scattered, and JTAG prober software is wonderful for getting the pinout by analyzing the signals it sees. JKEYS is good, as is QXDM (Qualcomm Extensible Diagnostic Monitor), which is what I used for doing the same thing with a Sierra Wireless 580 card that uses the MSM5500. The card was corrupted during a flash update and I was able to JTAG and get it back and use it as a test card to this day. QXDM even can unlock the protected memory and change things you are not allowed to change (ESN), it is pretty much all powerful as far as the Qualcomm chips go. By the way, before Nortel I worked for Qualcomm and still have access so I was reeeeeeeal happy to see HTC start using this chipset ;-)

Shadowmite
13-03-2008, 06:20 PM
You go ahead and try then, let us know if you succeed.

madman34
13-03-2008, 07:14 PM
You go ahead and try then, let us know if you succeed.

When a unit becomes available I will do it ;-)

maccaberry
16-03-2008, 03:05 PM
bump.

Surely there must be one person out of the hundreds with "bricked" ;) titans that would donate it to madman. I am sure he will give it back when he is finished with it.

hindjew1
16-03-2008, 04:13 PM
madman34: I think you may have found a winner. (http://forum.xda-developers.com/showthread.php?t=377480)

madman34
16-03-2008, 05:00 PM
madman34: I think you may have found a winner. (http://forum.xda-developers.com/showthread.php?t=377480)

Thanks, I went there and asked him to come here and have a look. I am thinking that he does have a possible candidate, but just for grins I just pulled my battery and plugged in my wall pack and right away get the red light, but with my laptop I do get his 'data device' and red light so I am open to the possibility that there might be a fusible link bad in his if it is not a software problem. Either way, if it is useless to him I will be happy to look at it.

bmorrisj
16-03-2008, 06:10 PM
man i bricked the ecu on my subaru once... i had to send it to the open source ecu tool dev to jtag it... good times

madman34
16-03-2008, 10:01 PM
man i bricked the ecu on my subaru once... i had to send it to the open source ecu tool dev to jtag it... good times

That would be a bummer as you could not drive to get the fix. I started by writing code for the TMS7000 processors in the old VC2, then my Acura in 1988, but then they stopped using PROMS and went to JTAG, really got me going.

madman34
21-03-2008, 06:54 AM
Well nobody has come forward with a victim,,,,,hmmmmm,,,,uuuuhhhhh,,,,,unit to try ;-) and mine works still so we wait.

Shadowmite
21-03-2008, 03:35 PM
madman34, one unit we have so far that has died did not entirely die. It would appear if the spl gets wiped out on a msm7xxx series device using comm core as cpu it has a failsafe mode if the oemsbl/qcsbl are still present. The device goes into download mode on boot and sits there.

Since you stated you worked for Qualcomm, can you shed any light on this and how we might possibly be able to write nand from download mode? Or get back to debug mode instead?

madman34
28-03-2008, 12:29 AM
madman34, one unit we have so far that has died did not entirely die. It would appear if the spl gets wiped out on a msm7xxx series device using comm core as cpu it has a failsafe mode if the oemsbl/qcsbl are still present. The device goes into download mode on boot and sits there.

Since you stated you worked for Qualcomm, can you shed any light on this and how we might possibly be able to write nand from download mode? Or get back to debug mode instead?

I worked for them before this series came out, but I will get up with some of my old friends there and see if I can get more info.

djhollygrove
05-04-2008, 05:26 AM
my mogul is stuck on the bitch ass sprint screen after a tried upgrade but I'm in Houston

ikon
11-05-2008, 08:05 PM
madman34, one unit we have so far that has died did not entirely die. It would appear if the spl gets wiped out on a msm7xxx series device using comm core as cpu it has a failsafe mode if the oemsbl/qcsbl are still present. The device goes into download mode on boot and sits there.

Since you stated you worked for Qualcomm, can you shed any light on this and how we might possibly be able to write nand from download mode? Or get back to debug mode instead?

This is where mine is stuck. Thanks to these forums I can at least put it into "Download Mode." I will gladly ship you mine to screw with.

maccaberry
17-05-2008, 07:18 AM
Hey Madman,

did you happen to see this thread? http://forum.xda-developers.com/showthread.php?t=372305
JockyW seems to have found a way to get past a 2a brick with a new program called Frankenkaiser.

Take a look and see if it is an easier way to possibly unbrick than the jtag route. Although it may be specific to Kaiser.

Mac

madman34
02-07-2008, 05:07 AM
Greetz all,
Yes I am looking at that now. Ikon was nice enough to send me his bricked unit and I have been poking around and been able to write to and read from memory. I did gently take it apart and did a very good look see and find no evidence of an organized jtag interface, but that is not so bad because the unit can still be talked to and if I can adapt a bootloader to it and get it to the right place I think there will be life again. I have put it back together and the only evidence is the voided label so it will still be a good looking unit when I get it fixed for IKON ;-) and I will ;-)

calebintuc
14-08-2008, 10:50 PM
Hey guys, I'm having the same exact red light problem.... has anything been resolved yet? I just bought my mogul new off of eBay.. didn't even get to activate it.. :[ the phone got bricked after installing the 3.27.00 radio... http://forum.xda-developers.com/showthread.php?t=377480
I've had the 6700 for almost 3yrs...so I still have hope since there was always a fix for everything on that thing... any updates?

ikon
27-08-2008, 06:26 PM
Greetz all,
Yes I am looking at that now. Ikon was nice enough to send me his bricked unit and I have been poking around and been able to write to and read from memory. I did gently take it apart and did a very good look see and find no evidence of an organized jtag interface, but that is not so bad because the unit can still be talked to and if I can adapt a bootloader to it and get it to the right place I think there will be life again. I have put it back together and the only evidence is the voided label so it will still be a good looking unit when I get it fixed for IKON ;-) and I will ;-)

Who needs a warranty with guys like you on here.