Lets save some bricks...


js22

Senior Member
Feb 12, 2011
I still think we have an undocumented resistor value to find because the om5 is not being set with any of the current resistors.

Don't forget, the OM5 pin is on the CPU. The pin on the fsa chip that "should" be connected to it is BOOT. Right now (pretty certain) we know R values to turn BOOT on, but it doesn't appear to affect OM5. One of the big questions right now is : what does the BOOT pin affect?


As for programmability of the fsa chip, we can't be sure of anything without the real data sheet. Looking through the Linux kernel code, there is no evidence that it has any non-volatile memory. Just a typical-looking set of control and status registers.

 

js22

Senior Member
Feb 12, 2011
Interesting idea! Completely disabling the NAND would also work, probably. Unfortunately the OneNAND chip is in a package-on-package stack with the processor, that is it's basically stuck onto the top of the processor package, and it's in a combined package with the RAM.

Sheesh!

Why don't they just stick the CP and the touch screen on the stack while they're at it?




 

AdamOutler

Retired Senior Recognized Developer
Feb 18, 2011
It might be worth it to blip ground at startup. During the time when the phone loads data into memory, when power is first applied, the USB TX line has some action on it. Using that for a trigger may yield some interesting results... it may be enough to ruin the IBL transfer or verification... assuming the power management chip doesn't shut everything down immediately on a power fluctuation.
 

AdamOutler

Retired Senior Recognized Developer
Feb 18, 2011
Don't forget, the OM5 pin is on the CPU. The pin on the fsa chip that "should" be connected to it is BOOT. Right now (pretty certain) we know R values to turn BOOT on, but it doesn't appear to affect OM5. One of the big questions right now is : what does the BOOT pin affect?


As for programmability of the fsa chip, we can't be sure of anything without the real data sheet. Looking through the Linux kernel code, there is no evidence that it has any non-volatile memory. Just a typical-looking set of control and status registers.


Boot tells the phone if the kernel should load or charge the battery. Boot on charges the battery. This is with power applied.
This is how I know that.
[Image: 2011-05-01160918-1.jpg]
 

AdamOutler

Retired Senior Recognized Developer
Feb 18, 2011
These four logs are from UART, Boot On and Boot Off, Powered and Unpowered at the USB jack. I skipped waiting for "BOOTING COMPLETE" on each log.



here's the Factory mode Boot OFF-UART unpowered Boots normally
Code:
1
-----------------------------------------------------------
   Samsung Primitive Bootloader (PBL) v3.0
   Copyright (C) Samsung Electronics Co., Ltd. 2006-2010
-----------------------------------------------------------

+n1stVPN       2688 
+nPgsPerBlk    64 
PBL found bootable SBL: Partition(3).

Set cpu clk. from 400MHz to 800MHz.
OM=0x9, device=OnenandMux(Audi)
IROM e-fused - Non Secure Boot Version.

-----------------------------------------------------------
   Samsung Secondary Bootloader (SBL) v3.0
   Copyright (C) Samsung Electronics Co., Ltd. 2006-2010

   Board Name: ARIES REV 03
   Build On: Feb  1 2011 10:54:21
-----------------------------------------------------------

Re_partition: magic code(0x0)
[PAM:   ] ++FSR_PAM_Init
[PAM:   ]   OneNAND physical base address       : 0xb0000000
[PAM:   ]   OneNAND virtual  base address       : 0xb0000000
[PAM:   ]   OneNAND nMID=0xec : nDID=0x50
[PAM:   ] --FSR_PAM_Init
fsr_bml_load_partition: pi->nNumOfPartEntry = 12
partitions loading success
board partition information update.. source: 0x0
Now Read Images - ID : 1
.Done.
read 1 units.
==== PARTITION INFORMATION ====
 ID         : IBL+PBL (0x0)
 ATTR       : RO SLC (0x1002)
 FIRST_UNIT : 0
 NO_UNITS   : 1
===============================
 ID         : PIT (0x1)
 ATTR       : RO SLC (0x1002)
 FIRST_UNIT : 1
 NO_UNITS   : 1
===============================
 ID         : EFS (0x14)
 ATTR       : RW STL SLC (0x1101)
 FIRST_UNIT : 2
 NO_UNITS   : 40
===============================
 ID         : SBL (0x3)
 ATTR       : RO SLC (0x1002)
 FIRST_UNIT : 42
 NO_UNITS   : 5
===============================
 ID         : SBL2 (0x4)
 ATTR       : RO SLC (0x1002)
 FIRST_UNIT : 47
 NO_UNITS   : 5
===============================
 ID         : PARAM (0x15)
 ATTR       : RW STL SLC (0x1101)
 FIRST_UNIT : 52
 NO_UNITS   : 20
===============================
 ID         : KERNEL (0x6)
 ATTR       : RO SLC (0x1002)
 FIRST_UNIT : 72
 NO_UNITS   : 30
===============================
 ID         : RECOVERY (0x7)
 ATTR       : RO SLC (0x1002)
 FIRST_UNIT : 102
 NO_UNITS   : 30
===============================
 ID         : FACTORYFS (0x16)
 ATTR       : RW STL SLC (0x1101)
 FIRST_UNIT : 132
 NO_UNITS   : 1146
===============================
 ID         : DBDATAFS (0x17)
 ATTR       : RW STL SLC (0x1101)
 FIRST_UNIT : 1278
 NO_UNITS   : 536
===============================
 ID         : CACHE (0x18)
 ATTR       : RW STL SLC (0x1101)
 FIRST_UNIT : 1814
 NO_UNITS   : 140
===============================
 ID         : MODEM (0xb)
 ATTR       : RO SLC (0x1002)
 FIRST_UNIT : 1954
 NO_UNITS   : 50
===============================
loke_init: j4fs_open success..
load_lfs_parameters valid magic code and version.
reading nps status file is successfully!.
nps status=0x504d4f43
load_debug_level reading debug level from file successfully(0x574f4c44).
init_fuel_gauge: vcell = 3748mV, soc = 37
check_quick_start_condition- Voltage: 3748.75000, Linearized[36/51/66], Capacity: 37
init_fuel_gauge: vcell = 3748mV, soc = 37, rcomp = d01f
reading nps status file is successfully!.
nps status=0x504d4f43
PMIC_IRQ1    = 0x20 
PMIC_IRQ2    = 0x0 
PMIC_IRQ3    = 0x0 
PMIC_IRQ4    = 0x0 
PMIC_STATUS1 = 0x40 
PMIC_STATUS2 = 0x0 
get_debug_level current debug level is 0x574f4c44.
aries_process_platform: Debug Level Low
keypad_scan: key value ----------------->= 0x0
CONFIG_ARIES_REV:48 , CONFIG_ARIES_REV03:48 
check_download: micorusb_status1 = 800, key_value = 0
aries_process_platform: final s1 booting mode = 0
DISPLAY_PATH_SEL[MDNIE 0x1]is on
MDNIE setting Init start!!
vsync interrupt is off
video interrupt is off
[fb0] turn on
MDNIE setting Init end!!

Autoboot (0 seconds) in progress, press any key to stop 
get_debug_level current debug level is 0x574f4c44.
get_debug_level current debug level is 0x574f4c44.
boot_kernel: Debug Level Low
FOTA Check Bit 
 Read BML page=, NumPgs=
FOTA Check Bit (0xffffffff)
Load Partion idx = (6)
..............................done
Kernel read success from kernel partition no.6, idx.6.
setting param.serialnr=0x313511a1 0xff6300ec
setting param.board_rev=0x30
setting param.cmdline=console=ttySAC2,115200 loglevel=4

Starting kernel at 0x314dc000...

here's the Factory mode Boot ON-UART unpowered -this boots normally
Code:
1
-----------------------------------------------------------
   Samsung Primitive Bootloader (PBL) v3.0
   Copyright (C) Samsung Electronics Co., Ltd. 2006-2010
-----------------------------------------------------------

+n1stVPN       2688 
+nPgsPerBlk    64 
PBL found bootable SBL: Partition(3).

Set cpu clk. from 400MHz to 800MHz.
OM=0x9, device=OnenandMux(Audi)
IROM e-fused - Non Secure Boot Version.

-----------------------------------------------------------
   Samsung Secondary Bootloader (SBL) v3.0
   Copyright (C) Samsung Electronics Co., Ltd. 2006-2010

   Board Name: ARIES REV 03
   Build On: Feb  1 2011 10:54:21
-----------------------------------------------------------

Re_partition: magic code(0x0)
[PAM:   ] ++FSR_PAM_Init
[PAM:   ]   OneNAND physical base address       : 0xb0000000
[PAM:   ]   OneNAND virtual  base address       : 0xb0000000
[PAM:   ]   OneNAND nMID=0xec : nDID=0x50
[PAM:   ] --FSR_PAM_Init
fsr_bml_load_partition: pi->nNumOfPartEntry = 12
partitions loading success
board partition information update.. source: 0x0
Now Read Images - ID : 1
.Done.
read 1 units.
==== PARTITION INFORMATION ====
 ID         : IBL+PBL (0x0)
 ATTR       : RO SLC (0x1002)
 FIRST_UNIT : 0
 NO_UNITS   : 1
===============================
 ID         : PIT (0x1)
 ATTR       : RO SLC (0x1002)
 FIRST_UNIT : 1
 NO_UNITS   : 1
===============================
 ID         : EFS (0x14)
 ATTR       : RW STL SLC (0x1101)
 FIRST_UNIT : 2
 NO_UNITS   : 40
===============================
 ID         : SBL (0x3)
 ATTR       : RO SLC (0x1002)
 FIRST_UNIT : 42
 NO_UNITS   : 5
===============================
 ID         : SBL2 (0x4)
 ATTR       : RO SLC (0x1002)
 FIRST_UNIT : 47
 NO_UNITS   : 5
===============================
 ID         : PARAM (0x15)
 ATTR       : RW STL SLC (0x1101)
 FIRST_UNIT : 52
 NO_UNITS   : 20
===============================
 ID         : KERNEL (0x6)
 ATTR       : RO SLC (0x1002)
 FIRST_UNIT : 72
 NO_UNITS   : 30
===============================
 ID         : RECOVERY (0x7)
 ATTR       : RO SLC (0x1002)
 FIRST_UNIT : 102
 NO_UNITS   : 30
===============================
 ID         : FACTORYFS (0x16)
 ATTR       : RW STL SLC (0x1101)
 FIRST_UNIT : 132
 NO_UNITS   : 1146
===============================
 ID         : DBDATAFS (0x17)
 ATTR       : RW STL SLC (0x1101)
 FIRST_UNIT : 1278
 NO_UNITS   : 536
===============================
 ID         : CACHE (0x18)
 ATTR       : RW STL SLC (0x1101)
 FIRST_UNIT : 1814
 NO_UNITS   : 140
===============================
 ID         : MODEM (0xb)
 ATTR       : RO SLC (0x1002)
 FIRST_UNIT : 1954
 NO_UNITS   : 50
===============================
loke_init: j4fs_open success..
load_lfs_parameters valid magic code and version.
reading nps status file is successfully!.
nps status=0x504d4f43
load_debug_level reading debug level from file successfully(0x574f4c44).
init_fuel_gauge: vcell = 3748mV, soc = 37
check_quick_start_condition- Voltage: 3748.75000, Linearized[36/51/66], Capacity: 37
init_fuel_gauge: vcell = 3748mV, soc = 37, rcomp = d01f
reading nps status file is successfully!.
nps status=0x504d4f43
PMIC_IRQ1    = 0x20 
PMIC_IRQ2    = 0x0 
PMIC_IRQ3    = 0x0 
PMIC_IRQ4    = 0x0 
PMIC_STATUS1 = 0x40 
PMIC_STATUS2 = 0x0 
get_debug_level current debug level is 0x574f4c44.
aries_process_platform: Debug Level Low
keypad_scan: key value ----------------->= 0x0
CONFIG_ARIES_REV:48 , CONFIG_ARIES_REV03:48 
check_download: micorusb_status1 = 800, key_value = 0
aries_process_platform: final s1 booting mode = 0
DISPLAY_PATH_SEL[MDNIE 0x1]is on
MDNIE setting Init start!!
vsync interrupt is off
video interrupt is off
[fb0] turn on
MDNIE setting Init end!!

Autoboot (0 seconds) in progress, press any key to stop 
get_debug_level current debug level is 0x574f4c44.
get_debug_level current debug level is 0x574f4c44.
boot_kernel: Debug Level Low
FOTA Check Bit 
 Read BML page=, NumPgs=
FOTA Check Bit (0xffffffff)
Load Partion idx = (6)
..............................done
Kernel read success from kernel partition no.6, idx.6.
setting param.serialnr=0x313511a1 0xff6300ec
setting param.board_rev=0x30
setting param.cmdline=console=ttySAC2,115200 loglevel=4

Starting kernel at 0x314dc000...


External power produces a looping primitive bootloader..
Here's the Factory mode boot ON uart powered - this boots to battery charging
Code:
1
-----------------------------------------------------------
   Samsung Primitive Bootloader (PBL) v3.0
   Copyright (C) Samsung Electronics Co., Ltd. 2006-2010
-----------------------------------------------------------

+n1stVPN       2688 
+nPgsPerBlk    64 
PBL found bootable SBL: Partition(3).
1
-----------------------------------------------------------
   Samsung Primitive Bootloader (PBL) v3.0
   Copyright (C) Samsung Electronics Co., Ltd. 2006-2010
-----------------------------------------------------------

+n1stVPN       2688 
+nPgsPerBlk    64 
PBL found bootable SBL: Partition(3).
1
-----------------------------------------------------------
   Samsung Primitive Bootloader (PBL) v3.0
   Copyright (C) Samsung Electronics Co., Ltd. 2006-2010
-----------------------------------------------------------

+n1stVPN       2688 
+nPgsPerBlk    64 
PBL found bootable SBL: Partition(3).

Set cpu clk. from 400MHz to 800MHz.
OM=0x9, device=OnenandMux(Audi)
IROM e-fused - Non Secure Boot Version.

-----------------------------------------------------------
   Samsung Secondary Bootloader (SBL) v3.0
   Copyright (C) Samsung Electronics Co., Ltd. 2006-2010

   Board Name: ARIES REV 03
   Build On: Feb  1 2011 10:54:21
-----------------------------------------------------------

Re_partition: magic code(0x0)
[PAM:   ] ++FSR_PAM_Init
[PAM:   ]   OneNAND physical base address       : 0xb0000000
[PAM:   ]   OneNAND virtual  base address       : 0xb0000000
[PAM:   ]   OneNAND nMID=0xec : nDID=0x50
[PAM:   ] --FSR_PAM_Init
fsr_bml_load_partition: pi->nNumOfPartEntry = 12
partitions loading success
board partition information update.. source: 0x0
Now Read Images - ID : 1
.Done.
read 1 units.
==== PARTITION INFORMATION ====
 ID         : IBL+PBL (0x0)
 ATTR       : RO SLC (0x1002)
 FIRST_UNIT : 0
 NO_UNITS   : 1
===============================
 ID         : PIT (0x1)
 ATTR       : RO SLC (0x1002)
 FIRST_UNIT : 1
 NO_UNITS   : 1
===============================
 ID         : EFS (0x14)
 ATTR       : RW STL SLC (0x1101)
 FIRST_UNIT : 2
 NO_UNITS   : 40
===============================
 ID         : SBL (0x3)
 ATTR       : RO SLC (0x1002)
 FIRST_UNIT : 42
 NO_UNITS   : 5
===============================
 ID         : SBL2 (0x4)
 ATTR       : RO SLC (0x1002)
 FIRST_UNIT : 47
 NO_UNITS   : 5
===============================
 ID         : PARAM (0x15)
 ATTR      ��]�STL SLC (0x1101)
 FIRST_UNIT : 52
 NO_UNITS   : 20
===============================
 ID         : KERNEL (0x6)
 ATTR       : RO SLC (0x1002)
 FIRST_UNIT : 72
 NO_UNITS   : 30
===============================
 ID         : RECOVERY (0x7)
 ATTR       : RO SLC (0x1002)
 FIRST_UNIT : 102
 NO_UNITS   : 30
===============================
 ID         : FACTORYFS (0x16)
 ATTR       : RW STL SLC (0x1101)
 FIRST_UNIT : 132
 NO_UNITS   : 1146
===============================
 ID         : DBDATAFS (0x17)
 ATTR       : RW STL SLC (0x1101)
 FIRST_UNIT : 1278
 NO_UNITS   : 536
===============================
 ID         : CACHE (0x18)
 ATTR       : RW STL SLC (0x1101)
 FIRST_UNIT : 1814
 NO_UNITS   : 140
===============================
 ID         : MODEM (0xb)
 ATTR       : RO SLC (0x1002)
 FIRST_UNIT : 1954
 NO_UNITS   : 50
===============================
loke_init: j4fs_open success..
load_lfs_parameters valid magic code and version.
reading nps status file is successfully!.
nps status=0x504d4f43
load_debug_level reading debug level from file successfully(0x574f4c44).
init_fuel_gauge: vcell = 3986mV, soc = 100
check_quick_start_condition- Voltage: 3986.25000, Linearized[73/88/100], Capacity: 100
init_fuel_gauge: vcell = 3986mV, soc = 100, rcomp = d01f
reading nps status file is successfully!.
nps status=0x504d4f43
PMIC_IRQ1    = 0x0 
PMIC_IRQ2    = 0x0 
PMIC_IRQ3    = 0x14 
PMIC_IRQ4    = 0x0 
PMIC_STATUS1 = 0x40 
PMIC_STATUS2 = 0x2c 
get_debug_level current debug level is 0x574f4c44.
aries_process_platform: Debug Level Low
keypad_scan: key value ----------------->= 0x0
CONFIG_ARIES_REV:48 , CONFIG_ARIES_REV03:48 
check_download: micorusb_status1 = 400, key_value = 0
DISPLAY_PATH_SEL[MDNIE 0x1]is on
MDNIE setting Init start!!
vsync interrupt is off
video interrupt is off
[fb0] turn on
MDNIE setting Init end!!
set_boot_mode: boot mode = 1
aries_process_platform: final s1 booting mode = 1
aries_check_vf_status() ----- aver_vf_adc : 616

Autoboot (0 seconds) in progress, press any key to stop 
get_debug_level current debug level is 0x574f4c44.
get_debug_level current debug level is 0x574f4c44.
boot_kernel: Debug Level Low
FOTA Check Bit 
 Read BML page=, NumPgs=
FOTA Check Bit (0xffffffff)
Load Partion idx = (6)
..............................done
Kernel read success from kernel partition no.6, idx.6.
setting param.serialnr=0x313511a1 0xff6300ec
setting param.board_rev=0x30
setting param.cmdline=console=ttySAC2,115200 loglevel=4

Starting kernel at 0x314dc000...


Here's the Factory mode boot OFF uart powered - this boots normally
Code:
1
-----------------------------------------------------------
   Samsung Primitive Bootloader (PBL) v3.0
   Copyright (C) Samsung Electronics Co., Ltd. 2006-2010
-----------------------------------------------------------

+n1stVPN       2688 
+nPgsPerBlk    64 
PBL found bootable SBL: Partition(3).
1
-----------------------------------------------------------
   Samsung Primitive Bootloader (PBL) v3.0
   Copyright (C) Samsung Electronics Co., Ltd. 2006-2010
-----------------------------------------------------------

+n1stVPN       2688 
+nPgsPerBlk    64 
PBL found bootable SBL: Partition(3).

Set cpu clk. from 400MHz to 800MHz.
OM=0x9, device=OnenandMux(Audi)
IROM e-fused - Non Secure Boot Version.

-----------------------------------------------------------
   Samsung Secondary Bootloader (SBL) v3.0
   Copyright (C) Samsung Electronics Co., Ltd. 2006-2010

   Board Name: ARIES REV 03
   Build On: Feb  1 2011 10:54:21
-----------------------------------------------------------

Re_partition: magic code(0x0)
[PAM:   ] ++FSR_PAM_Init
[PAM:   ]   OneNAND physical base address       : 0xb0000000
[PAM:   ]   OneNAND virtual  base address       : 0xb0000000
[PAM:   ]   OneNAND nMID=0xec : nDID=0x50
[PAM:   ] --FSR_PAM_Init
fsr_bml_load_partition: pi->nNumOfPartEntry = 12
partitions loading success
board partition information update.. source: 0x0
Now Read Images - ID : 1
.Done.
read 1 units.
==== PARTITION INFORMATION ====
 ID         : IBL+PBL (0x0)
 ATTR       : RO SLC (0x1002)
 FIRST_UNIT : 0
 NO_UNITS   : 1
===============================
 ID         : PIT (0x1)
 ATTR       : RO SLC (0x1002)
 FIRST_UNIT : 1
 NO_UNITS   : 1
===============================
 ID         : EFS (0x14)
 ATTR       : RW STL SLC (0x1101)
 FIRST_UNIT : 2
 NO_UNITS   : 40
===============================
 ID         : SBL (0x3)
 ATTR       : RO SLC (0x1002)
 FIRST_UNIT : 42
 NO_UNITS   : 5
===============================
 ID         : SBL2 (0x4)
 ATTR       : RO SLC (0x1002)
 FIRST_UNIT : 47
 NO_UNITS   : 5
===============================
 ID         : PARAM (0x15)
 ATTR       : RW STL SLC (0x1101)
 FIRST_UNIT : 52
 NO_UNITS   : 20
===============================
 ID         : KERNEL (0x6)
 ATTR       : RO SLC (0x1002)
 FIRST_UNIT : 72
 NO_UNITS   : 30
===============================
 ID         : RECOVERY (0x7)
 ATTR       : RO SLC (0x1002)
 FIRST_UNIT : 102
 NO_UNITS   : 30
===============================
 ID         : FACTORYFS (0x16)
 ATTR       : RW STL SLC (0x1101)
 FIRST_UNIT : 132
 NO_UNITS   : 1146
===============================
 ID         : DBDATAFS (0x17)
 ATTR       : RW STL SLC (0x1101)
 FIRST_UNIT : 1278
 NO_UNITS   : 536
===============================
 ID         : CACHE (0x18)
 ATTR       : RW STL SLC (0x1101)
 FIRST_UNIT : 1814
 NO_UNITS   : 140
===============================
 ID         : MODEM (0xb)
 ATTR       : RO SLC (0x1002)
 FIRST_UNIT : 1954
 NO_UNITS   : 50
===============================
loke_init: j4fs_open success..
load_lfs_parameters valid magic code and version.
reading nps status file is successfully!.
nps status=0x504d4f43
load_debug_level reading debug level from file successfully(0x574f4c44).
init_fuel_gauge: vcell = 3851mV, soc = 102
EXT_I2C(0) -> No ACK
EXT_I2C(0) -> No ACK
EXT_I2C(0) -> No ACK
check_quick_start_condition_with_charger- Voltage: 3851.25000, Linearized[0/14/29], Capacity: 100
quick_start- quick start is executed!
init_fuel_gauge: vcell = 3855mV, soc = 55, rcomp = d01f
reading nps status file is successfully!.
nps status=0x504d4f43
PMIC_IRQ1    = 0x0 
PMIC_IRQ2    = 0x0 
PMIC_IRQ3    = 0x14 
PMIC_IRQ4    = 0x0 
PMIC_STATUS1 = 0x40 
PMIC_STATUS2 = 0x2c 
get_debug_level current debug level is 0x574f4c44.
aries_process_platform: Debug Level Low
keypad_scan: key value ----------------->= 0x0
CONFIG_ARIES_REV:48 , CONFIG_ARIES_REV03:48 
check_download: micorusb_status1 = 800, key_value = 0
aries_process_platform: final s1 booting mode = 0
DISPLAY_PATH_SEL[MDNIE 0x1]is on
MDNIE setting Init start!!
vsync interrupt is off
video interrupt is off
[fb0] turn on
MDNIE setting Init end!!

Autoboot (0 seconds) in progress, press any key to stop 
get_debug_level current debug level is 0x574f4c44.
get_debug_level current debug level is 0x574f4c44.
boot_kernel: Debug Level Low
FOTA Check Bit 
 Read BML page=, NumPgs=
FOTA Check Bit (0xffffffff)
Load Partion idx = (6)
..............................done
Kernel read success from kernel partition no.6, idx.6.
setting param.serialnr=0x313511a1 0xff6300ec
setting param.board_rev=0x30
setting param.cmdline=console=ttySAC2,115200 loglevel=4

Starting kernel at 0x314dc000...

Download mode works the other way. Boot On USB = phone goes into download mode. Boot off USB = phone goes into charging mode. I'm not really able to find any use for BOOT OFF USB... maybe that's special..
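
The four captures above differ in only a handful of lines, so a small field extractor makes the comparison explicit. This is an added example, not code from the thread: the excerpts are constructed from values in the four logs, and the function names are hypothetical.

```python
import re

# Field names are spelled exactly as the SBL prints them ("micorusb" included).
FIELD_PATTERNS = {
    "PMIC_IRQ1": re.compile(r"PMIC_IRQ1\s*=\s*(0x[0-9a-fA-F]+)"),
    "PMIC_IRQ3": re.compile(r"PMIC_IRQ3\s*=\s*(0x[0-9a-fA-F]+)"),
    "PMIC_STATUS1": re.compile(r"PMIC_STATUS1\s*=\s*(0x[0-9a-fA-F]+)"),
    "PMIC_STATUS2": re.compile(r"PMIC_STATUS2\s*=\s*(0x[0-9a-fA-F]+)"),
    "micorusb_status1": re.compile(r"micorusb_status1\s*=\s*([0-9a-fA-F]+)"),
    "final_boot_mode": re.compile(r"final s1 booting mode\s*=\s*(\d+)"),
}
PBL_BANNER = "Samsung Primitive Bootloader (PBL)"


def parse_boot_log(text):
    """Extract the state fields from one UART capture; a missing or garbled field is None."""
    fields = {"pbl_banners": text.count(PBL_BANNER)}  # more than 1 means the PBL restarted
    for name, pattern in FIELD_PATTERNS.items():
        match = pattern.search(text)
        fields[name] = match.group(1).lower() if match else None
    return fields


def differing_fields(parsed_logs):
    """Return {field: {label: value}} for every field that is not identical in all logs."""
    names = sorted({name for fields in parsed_logs.values() for name in fields})
    diff = {}
    for name in names:
        values = {label: fields.get(name) for label, fields in parsed_logs.items()}
        if len(set(values.values())) > 1:
            diff[name] = values
    return diff


def excerpt(pbl_banners, irq1, irq3, status2, usb_status, mode):
    """Constructed excerpt: only the lines this parser reads, with values from the post."""
    banner = "   Samsung Primitive Bootloader (PBL) v3.0\nPBL found bootable SBL: Partition(3).\n"
    return (
        banner * pbl_banners
        + f"PMIC_IRQ1    = {irq1} \nPMIC_IRQ3    = {irq3} \n"
        + f"PMIC_STATUS1 = 0x40 \nPMIC_STATUS2 = {status2} \n"
        + f"check_download: micorusb_status1 = {usb_status}, key_value = 0\n"
        + f"aries_process_platform: final s1 booting mode = {mode}\n"
    )


# Constructed sample input, one entry per capture in the post.
SAMPLE_LOGS = {
    "boot_off_unpowered": excerpt(1, "0x20", "0x0", "0x0", "800", 0),
    "boot_on_unpowered": excerpt(1, "0x20", "0x0", "0x0", "800", 0),
    "boot_on_powered": excerpt(3, "0x0", "0x14", "0x2c", "400", 1),
    "boot_off_powered": excerpt(2, "0x0", "0x14", "0x2c", "800", 0),
}


def summarize(logs=SAMPLE_LOGS):
    """Parse every capture and report which fields change between conditions."""
    parsed = {label: parse_boot_log(text) for label, text in logs.items()}
    return parsed, differing_fields(parsed)


if __name__ == "__main__":
    _, diff = summarize()
    for field, values in diff.items():
        print(field, values)
```

Pasting the full captures in place of the excerpts works the same way, since the parser only searches for the lines it knows.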
 

androcheck

Senior Member
Dec 7, 2009
No idea if this helps us in any way, but I accidentally stumbled over a datasheet of a similar product from a *different* manufacturer (Texas Instruments).

http://download.siliconexpert.com/pdfs/2010/9/23/7/37/40/38/txn_/manual/tsu5511.pdf

It's not related to the FSA chip, but as this datasheet is complete it describes how this kind of device works in general.. (and also describes how *they* do the resistor value detection, see page 12).

Maybe this input brings new inspiration?? :)
 

AdamOutler

Retired Senior Recognized Developer
Feb 18, 2011
I was in the SBL and I decided to change the SWITCH_SEL variable from 65 to 6543 and I ended up with this log in UART mode.

Code:
Uncompressing Linux...........................................................................................................................................................................................................................
[    0.000000] copy: bad source 0
[    0.000000] mout_audss: bad source 0
[    0.090115] KERNEL:kernel_sec_get_debug_level_from_boot=0x574f4c44
[    0.094842] KERNEL:magic_number=0x0 DEBUG LEVEL low!!
[    0.099861] (kernel_sec_set_upload_cause) : upload_cause set 0
[    2.909872] Failed to request gpio touchkey_init:661
[    2.913480] Failed to request gpio touchkey_init:663
[    3.889568] init: [disk_config] initialize_mbr_flash for S1_EUR
[    3.894141] init: [disk_config] [Disk Size (16005464064), (15630336k), sector_size 512 :: num_lba 31260672 ]
[    3.903715] init: [disk_config] calc_pte_of_disk -> start 64 num lba 27328448 next : 27328512 
[    3.912264] init: [disk_config] calc_pte_of_disk -> start 27328512 num lba 3932160 next : 31260672 
[    3.921930] init: [disk_config] compare_partition -> num_part 0 , offset (446)(0x1be)
[    3.930675] init: [disk_config] [ target -> Disk0 : 13992165376 (13664224k) 00:0c:00000040:01a0ffc0 ]
[    3.938468] init: [disk_config] Match partition table entry ... skip(0)
[    3.945064] init: [disk_config] compare_partition -> num_part 1 , offset (462)(0x1ce)
[    3.952871] init: [disk_config] [ target -> Disk1 : 2013265920 (1966080k) 00:0c:01a10000:003c0000 ]
[    3.961876] init: [disk_config] Match partition table entry ... skip(1)
[    3.968483] init: [disk_config] compare_partition -> num_part 2 , offset (478)(0x1de)
[    3.976273] init: [disk_config] [ target -> Disk2 : 0 (0k) 00:00:00000000:00000000 ]
[    3.983984] init: [disk_config] Match partition table entry ... skip(2)
[    3.990601] init: [disk_config] compare_partition -> num_part 3 , offset (494)(0x1ee)
[    3.998392] init: [disk_config] [ target -> Disk3 : 0 (0k) 00:00:00000000:00000000 ]
[    4.006109] init: [disk_config] Match partition table entry ... skip(3)
[    4.012714] init: [disk_config] bNeedRoot : 0x00
[    4.024245] init: cannot open '/initlogo.rle'
[    5.270232] init: [disk_config] :::: /dev/block/mmcblk0p1 :::::
[    5.276196] init: [disk_config] vfat_identify -> ok
[    5.279637] init: [disk_config] :::: /dev/block/mmcblk0p2 :::::
[    5.288269] init: [disk_config] rfs_identify -> ok[FSA9480]connectivity_switching_init = switch_sel : 0x198f
[    6.595514] init: cannot find '/system/etc/install-recovery.sh', disabling 'flash_recovery'
sh: can't access tty; job control turned off
$ [    6.671431] init: wifi.mac_addr: check_wifi_address()
[    6.733126] init: wifi.mac_addr: .mac.info already exist!
[    6.789689] init: Cannot open "/system/bin/.BT_26_0M.hcd": Unknown error: -1
[    8.359214] smdkc110_power_off: PHONE OFF Success
[    8.422442] smdkc110_power_off: TA or USB connected, rebooting...
[    8.427079] KERNEL:magic_number=0 CLEAR_UPLOAD_MAGIC_NUMBER
[    8.432630] KERNEL:magic_number=0 CLEAR_UPLOAD_MAGIC_NUMBER
[    8.438175] (kernel_sec_hw_reset) Upload Magic Code is cleared for silet reset.
[    8.445460] (kernel_sec_hw_reset) ARIES_BUILD_INFO: HWREV: 1 Date:Feb  1 2011 Time:11:37:36
[    8.453791] (kernel_sec_hw_reset) The forced reset was called. The system will be reset�1

This is the stuff we don't usually see during the kernel booting. This is a stock AT&T phone complete with errors. ;)

I ended up with a SH terminal :D


Um.. this may be obvious to some, but can anyone tell me what will occur when I select "Erase All" from the SBL? Will that toast the IBL and PBL? I'd like to figure out a way to use the SBL to boot from mmc or SDCard. I'm sure it's possible and it would be a good test to make sure we have a bootable mmc card to start with.
 

androcheck

Senior Member
Dec 7, 2009
This is the stuff we don't usually see during the kernel booting.
I found that I get the full kernel output during boot (useful for kernel debugging when compiling your own kernel) when I enable the following:
In the *#9090# menu: "LOG VIA UART"
and in the *#7284# menu: UART: PDA

These settings seem to stay persistent over a reboot.

Um.. this may be obvious to some, but can anyone tell me what will occur when I select "Erase All" from the SBL?
No idea what this would do, but I wouldn't recommend trying it until we know more I guess.. :)
 

AdamOutler

Retired Senior Recognized Developer
Feb 18, 2011
except....
setenv SWITCH_SEL 65 provides error logging
setenv SWITCH_SEL 654 provides light debug logging
setenv SWITCH_SEL 6543 provides Shell access

This also provides a shell access.

Check this out...

put busybox on an sdcard
Code:
mkdir /data/myfolder
cat /sdcard/external_sd/busybox >/data/myfolder/busybox
chmod 777 /data/myfolder/busybox
/data/myfolder/busybox tcpsvd -vE 0.0.0.0 21 ftpd -w /&
then you have an FTP right into your phone.

This can save some phones with unusable screen damage, or at least save the important data off it.
 

AdamOutler

Retired Senior Recognized Developer
Feb 18, 2011
So far it looks like a really simple protocol:

1. Intro: Phone sends 0xAA, waits for 0xAA back
2. Data start: Phone sends 0xCC, waits for 0xCC back
3. Phone receives 4 bytes, possibly the entry point address?
4. Phone receives exactly 0x15400-6 bytes (I think). It looks like you have to pad it if your code isn't that long.
5. Phone receives and checks a 16-bit checksum of all the bytes in step 4.
6. Phone sends three 0xbb characters to mark end of transfer.

Does anyone recognize this protocol, is it a standard thing?

It looks like any error messages will be sent back down the serial line, and possibly displayed to the screen as well. The code is loaded to IRAM at 0xD0020000.

Is there any way this could be ascii rather than hex? If you use the 255Kohm FM Boot Off USB cable, and hold enter, you receive ascii AA back. I'm not sure if it's just some randomness or not, but I tried a few other keys.. Each key would return a different result. However, the delete key returned something special...

Code:
0|0|0|0|42|52|44|20|42|52|44|20|0|A|D|
          B  R  D     B  R  D
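
The six steps listed at the top of this post, modelled in memory as an added example that is not code from the thread. Assumptions not stated in the post: the checksum is an additive sum modulo 2^16, it is sent little-endian, the 4-byte field carries the IRAM address 0xD0020000, and padding is zero bytes. All function names are hypothetical.

```python
import struct

INTRO, DATA_START, END_MARK = 0xAA, 0xCC, 0xBB
PAYLOAD_LEN = 0x15400 - 6          # step 4: exact number of code bytes expected
IRAM_LOAD_ADDR = 0xD0020000        # load address named in the post


def checksum16(data):
    """Assumption: plain additive checksum truncated to 16 bits."""
    return sum(data) & 0xFFFF


def build_frame(code, header=IRAM_LOAD_ADDR):
    """Host side of steps 3-5: 4-byte field, padded code, 16-bit checksum."""
    if len(code) > PAYLOAD_LEN:
        raise ValueError(f"code is {len(code)} bytes, limit is {PAYLOAD_LEN}")
    payload = code + b"\x00" * (PAYLOAD_LEN - len(code))   # pad short images
    return struct.pack("<I", header) + payload + struct.pack("<H", checksum16(payload))


def simulate_phone(host_bytes):
    """Phone side of steps 1-6. Returns (bytes the phone sends, accepted?)."""
    sent = bytearray([INTRO])                      # step 1: phone sends 0xAA
    if host_bytes[0:1] != bytes([INTRO]):
        return bytes(sent), False
    sent.append(DATA_START)                        # step 2: phone sends 0xCC
    if host_bytes[1:2] != bytes([DATA_START]):
        return bytes(sent), False
    body = host_bytes[2:]
    if len(body) != 4 + PAYLOAD_LEN + 2:           # steps 3-5 have a fixed total size
        return bytes(sent), False
    payload = body[4:4 + PAYLOAD_LEN]
    (received,) = struct.unpack("<H", body[-2:])
    if received != checksum16(payload):            # step 5: checksum over step-4 bytes
        return bytes(sent), False
    sent += bytes([END_MARK]) * 3                  # step 6: three 0xBB bytes
    return bytes(sent), True


def host_stream(frame):
    """Everything the host sends, in order: the two echo bytes, then the frame."""
    return bytes([INTRO, DATA_START]) + frame


if __name__ == "__main__":
    frame = build_frame(b"\x01\x02\x03")           # constructed 3-byte stand-in image
    print(len(frame) == 0x15400, simulate_phone(host_stream(frame)))
```

With these field sizes the whole frame is exactly 0x15400 bytes, which would account for the "-6" in step 4. Under the additive-sum assumption the check catches line noise but not reordered bytes, so it is an integrity check against transmission errors, not an authenticity check.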
 

AdamOutler

Retired Senior Recognized Developer
Feb 18, 2011
OH WOW.. I do believe there is something to this.

I have a brick here which will only give me PBL and this mode.

I'm not really sure what I'm looking at here, but it's definitely something.
Because of the frequency of "0" I decided to linebreak after each occurrence. I hit a few keys like home, page up, and delete, I did my ABCs and 123s in lower case and then upper. It seems really really random... but I'm sure it's responding to something it sees me typing.
Code:
0|
9|0|
12|4|0|
0|
52|44|20|0|
52|22|20|0|
52|45|20|0|
50|28|0|
52|44|20|0|
52|44|20|42|52|44|20|0|
52|44|20|42|52|44|20|42|52|44|20|0|
52|44|20|0|
52|44|20|0|
52|44|20|0|
52|44|20|0|
22|0|
11|45|22|0|
22|0|
4|4|22|49|0|
22|44|0|
11|0|
0|
48|0|
8|22|24|21|21|21|21|21|0|
0|
0|
24|0|
12|0|
24|0|
9|0|
25|0|
12|0|
24|0|
4|22|0|
22|0|
11|0|
22|0|
8|0|
21|2|0|
0|
0|
11|0|
22|0|
8|0|
4|0|
0|
28|0|
14|0|
28|0|
A|0|
29|0|
14|0|
28|0|
5|0|
0|
2A|0|
15|0|
2A|0|
A|0|
29|
It could be at the wrong baud rate because sometimes enter is a 0, and sometimes it's a 41. Any logical answer here? The phone never responds to anything except this mode and primary bootloader. So, this is in the primary bootloader, or the irom.
 

AdamOutler

Retired Senior Recognized Developer
Feb 18, 2011
I got something here.

Code:
loke_init: j4fs_open success..
load_lfs_parameters valid magic code and version.
reading nps status file is successfully!.
nps status=0x504d4f43
load_debug_level reading debug level from file successfully(0x574f4c44).
init_fuel_gauge: vcell = 4188mV, soc = 94
check_quick_start_condition_with_charger- Voltage: 4188.75000, Linearized[72/87/100], Capacity: 98
init_fuel_gauge: vcell = 4188mV, soc = 94, rcomp = d01f
EXT_I2C(0) -> No ACK
EXT_I2C(0) -> No ACK
EXT_I2C(0) -> No ACK
reading nps status file is successfully!.
nps status=0x504d4f43
PMIC_IRQ1    = 0x0 
PMIC_IRQ2    = 0x0 
PMIC_IRQ3    = 0x0 
PMIC_IRQ4    = 0x0 
PMIC_STATUS1 = 0x40 
PMIC_STATUS2 = 0x2c 
get_debug_level current debug level is 0x574f4c44.
aries_process_platform: Debug Level Low
keypad_scan: key value ----------------->= 0x0
CONFIG_ARIES_REV:48 , CONFIG_ARIES_REV03:48 
EXT_I2C(0) -> No ACK
EXT_I2C(0) -> No ACK
EXT_I2C(0) -> No ACK
check_download: micorusb_status1 = 4ff, key_value = 0
DISPLAY_PATH_SEL[MDNIE 0x1]is on
MDNIE setting Init start!!
vsync interrupt is off
video interrupt is off
[fb0] turn on
MDNIE setting Init end!!
set_boot_mode: boot mode = 1
aries_process_platform: final s1 booting mode = 1
aries_check_vf_status() ----- aver_vf_adc : 3680
main: booting stop and power off..
loke_exit: bye~ bye!
aries_power_off: TA or USB connected
aries_power_off: WDT reset

EXT_I2C(0)..... See that? That's the I2C bus.. looking for an external connection.

I disconnected the middle pin on the battery and tried different resistance values to ground.... That's the secret. The middle pin is called the BSI. http://www.cpkb.org/wiki/Samsung_AB463446BU_battery_pinout Normally, it's a resistor that tells the phone what kind of battery is being used.

I'm using approximately 3.1kohms and that message is hit and miss. So, now we have to figure out where the i2c bus is, how to access it, and what resistance values do what on the battery strength indicator (middle battery pin).
 

androcheck

Senior Member
Dec 7, 2009
Interesting finding!

But in case of a bricked SBL bin this still won't help as the output you are seeing comes from the SBL.


But another idea: as we didn't see any OM value change with a lot of different resistor values until now, I was wondering if the information if the power source comes from micro-usb connector (VBUS_IN) or from the battery (V_BAT) is taken into decision for setting the boot pin.

Unfortunately I have no 5V output on my FTDI board so until now I did all my tests with battery inserted.

@AdamOutler:
Do you see some new serial output before the PBL and SBL output begins? Maybe something different than the usual 0x10 0x31?
 

midas5

Senior Member
Mar 24, 2011
303
30
Hi,

My Arduino Mega 2560 arrived today. So I will be able to do my own tests soon.
 

AdamOutler

Retired Senior Recognized Developer
Feb 18, 2011
5,224
9,827
Miami, Fl̨̞̲̟̦̀̈̃͛҃҅͟orida
Interesting finding!

But in case of a bricked SBL bin this still won't help as the output you are seeing comes from the SBL.


But another idea: as we didn't see any OM value change with a lot of different resistor values until now, I was wondering whether the information on whether the power source is the micro-USB connector (VBUS_IN) or the battery (V_BAT) is taken into account when setting the boot pin.

Unfortunately I have no 5V output on my FTDI board so until now I did all my tests with battery inserted.

@AdamOutler:
Do you see some new serial output before the PBL and SBL output begins? Maybe something different than the usual 0x10 0x31?


I did this test with battery inserted as well. I can only supply 50mA 3.3V or 500mA 5V regulated power to the unit, and it can draw up to 1A. I slipped a piece of cardboard from a razor blade and a resistor over the middle pin to test this.

Using this method, everyone can do it...

Actually, now that I got to thinking about it.. I do have a 3.3V regulated battery backpack for the arduino, so I should be able to get something, however it is expecting 3.7-4.1 from the battery... hrm.. I'll have to test it out a bit. I'm willing to bet it will handle 5V.
 

AdamOutler

Retired Senior Recognized Developer
Feb 18, 2011
5,224
9,827
Miami, Fl̨̞̲̟̦̀̈̃͛҃҅͟orida
Hi,

My Arduino Mega 2560 arrived today. So I will be able to do my own tests soon.

Setting it up under ubuntu is a breeze.
1. Type:
Code:
sudo apt-get install arduino
arduino
2. copy and paste this to the arduino http://xdaforums.com/showpost.php?p=13351363&postcount=223
3. click the upload button
4. Close out the arduino program and type
Code:
sudo minicom -D /dev/ttyUSB0
5. hit ctrl+a, then "o" to access options and set it as 115200 8N1 flow controls off
6. save as /dev/ttyUSB0

From now on you can access the UART port by using minicom /dev/ttyUSB0 with no sudo.
 

midas5

Senior Member
Mar 24, 2011
303
30
Setting it up under ubuntu is a breeze.
1. Type:
Code:
sudo apt-get install arduino
arduino
2. copy and paste this to the arduino http://xdaforums.com/showpost.php?p=13351363&postcount=223
3. click the upload button
4. Close out the arduino program and type
Code:
sudo minicom -D /dev/ttyUSB0
5. hit ctrl+a, then "o" to access options and set it as 115200 8N1 flow controls off
6. save as /dev/ttyUSB0

From now on you can access the UART port by using minicom /dev/ttyUSB0 with no sudo.

Thank you.
I have boot output from the i9000 via my Arduino using a 619K resistor.
I have 50x300K and 50x620K, so I am waiting for other ones that I have ordered.
 

AdamOutler

Retired Senior Recognized Developer
Feb 18, 2011
5,224
9,827
Miami, Fl̨̞̲̟̦̀̈̃͛҃҅͟orida
Here is the procedure for booting from MMC

http://hi.baidu.com/j2h3344/blog/item/85740dfc0be35951d7887dd5.html


If we get it right, then we should observe this message:
Code:
OND check sum error

This is what we are trying to do. OND check sum error.

It's now a matter of figuring out the proper resistor values.

Judging by those OMpin settings and the fact that we only have OM pins... It may be possible that this represents what we need?
Code:
RID_AUD_REMOTE_S11_BTN,	/* 0 1 1 0 0 	20.5K		Audio Remote S11 Button */
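
The UART signals this thread keys on (repeated EXT_I2C no-ACK lines, the packed status words, the boot mode and the "OND check sum error" marker) can be pulled out of a capture with a short script. This is an added example, not code from any poster; the report field names are made up here, the sample is lines copied from the SBL log earlier in the thread, and reading the 32-bit words as little-endian ASCII is an assumption.

```python
import re
import struct

# Lines copied from the SBL capture posted earlier in this thread.
SAMPLE = """\
EXT_I2C(0) -> No ACK
EXT_I2C(0) -> No ACK
EXT_I2C(0) -> No ACK
nps status=0x504d4f43
get_debug_level current debug level is 0x574f4c44.
check_download: micorusb_status1 = 4ff, key_value = 0
set_boot_mode: boot mode = 1
aries_power_off: WDT reset
"""

def fourcc(word):
    """Decode a 32-bit word as four little-endian ASCII bytes (assumed packing)."""
    raw = struct.pack("<I", word)
    return raw.decode("ascii") if all(0x20 <= b < 0x7F for b in raw) else None

def triage(text):
    """Summarise the boot-log signals discussed in the thread (hypothetical report keys)."""
    report = {"i2c_no_ack": 0, "tags": {}, "boot_mode": None,
              "usb_status": None, "ond_checksum_error": False}
    for line in text.splitlines():
        if re.match(r"EXT_I2C\(\d+\) -> No ACK", line):
            report["i2c_no_ack"] += 1
        # Status words such as 0x574f4c44 are printable tags once unpacked.
        for hexword in re.findall(r"0x([0-9a-fA-F]{8})\b", line):
            tag = fourcc(int(hexword, 16))
            if tag:
                report["tags"]["0x" + hexword] = tag
        m = re.search(r"boot mode = (\d+)", line)
        if m:
            report["boot_mode"] = int(m.group(1))
        m = re.search(r"micorusb_status1 = ([0-9a-fA-F]+)", line)
        if m:
            report["usb_status"] = int(m.group(1), 16)
        if "OND check sum error" in line:
            report["ond_checksum_error"] = True
    return report

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On the sample, 0x574f4c44 unpacks to "DLOW", which lines up with the "Debug Level Low" line in the same log, and 0x504d4f43 unpacks to "COMP".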
 

midas5

Senior Member
Mar 24, 2011
303
30
Is there any way to run an ssh server on the i9000?
I would like to ssh into the i9000 via the wifi interface while I change resistors on the usb port and monitor the kernel log.
 

Top Liked Posts

  • 19
    I've been reading up on SGS hardware and bootloaders, and I feel like there's a very good chance that there's a way (within reach? ??) to fix a totally bricked phone.

    NOTE: I'm no expert on this stuff. If I'm missing something totally stupid, please forgive me. Anyways, here goes...


    The user manual for the s5pc110 chip describes the booting process; it has 3 levels. On hw reset the cpu begins executing code that lives in ROM. The ROM code loads the primary bootloader from a source selected by external pin inputs. The PBL pretty much just loads the SBL, which does the major setup and loads the kernel.

    The important thing, which I haven't seen anyone discuss, is that the initial ROM code includes the ability (poorly documented, of course) to load the PBL from UART or USB.

    Repeat: non-erasable code in our phones which is executed on hw reset can load a bootloader over serial or USB into memory and then execute it.

    From other threads, we know that Samsung is able to restore a bricked phone without opening it up. Why should they have all the fun?

    The first step is asserting the proper pins. This is done by connecting the proper resistance betw pins 4 & 5. The 'jig' thread describes using 301k to get into download mode, but this is happening in the SBL. Many other R values are described in the 'fun with resistors' thread and in the fsaXXXX-i2c.c kernel source. One of them does a reboot and connects a (3.3V) UART to the D+/D- pins.

    One thing that is described in the docs is that the ROM code tries UART first and then fails over to USB. Since UART is so much simpler, I'd say that's where to begin.

    We already learned in that thread that connecting at 115200 baud and banging on RETURN brings up a "SBL>" prompt with lots of cool commands available. But as TheBeano pointed out, that's not much use if the SBL is toast.

    What I'm wondering is whether there's a way to interrupt the normal boot while it's still running ROM code. There's no reason the ROM would set up the UART at the same baud rate as the SBL and kernel. Maybe just a lower baud and banging on RETURN is enough.

    For anybody with the time and the hardware, that should be easy enough to try. TheBeano?

    There's probably some handshake/protocol issues to figure out to get a bootloader loaded and executing, but we do have a known good one (the PBL) to play with.

    If that can be made to work, it would be a huge step towards a working solution. There is code floating around (I saw it on the teamhacksung git) that ports u-boot bootloader to our phones. AFAIK, nobody around here has tried it. But if we are able to test bootloaders w/o flashing, then maybe we (someone with a clue about bootloaders, that is) can open the door to safe, open-source booting.


    So that's it. Is this crazy-talk, or do you guys n gals think it just ... might ... work?
    5
    I am actually very surprised that no one has replied to this, it is actually a very good idea and also very possible ;)

    I will add a little insight without giving too much away :)

    It's also possible to start the phone via JTAG and pass the control over to USB or UART, even to enter DLM and flash the phone without repairing the current IBL/PBL/SBL within the phone which are damaged, e.g. the loaders are running in RAM this is done via CMM or JNAND ...

    I have the full unstripped source code for the PBL and SBL and may consider releasing them if some input starts in this thread, it's all too easy just to give them out without the scene thinking on its feet ;)

    Oh BTW: My dog spoke to another dog whose owner works for Samsung and he told him that the 2.3.3 release, will be released when it's f**king ready and not 1 day before.
    4
    WE HAVE HELLO WORLD

    Rebellos! You are the man!

    Ok, steps to reproduce:

    1. Perform UnBrickable mod from the first post in this thread. http://xdaforums.com/showthread.php?t=1206216

    2. With the phone off, Insert battery into phone. Press power on button for 1 second. Observe message on internal UART:
    Code:
    Insert an OTG cable into the connector!
    ������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������
    Uart negotiation Error

    3. Insert the OTG Cable (standard USB cable plugged into USB port on phone-- OTG port) and observe message on internal UART port:
    Code:
    ������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������
    Uart negotiation Error

    4. On a Linux system run the "dltool" and use this firmware http://xdaforums.com/attachment.php?attachmentid=698077&d=1314105521 from Rebellos
    Code:
    adam@Adam-Desktop:~/Desktop/dltool$ sudo ./smdk-usbdl -f ./s5pc110_test/s5pc110_testcode.bin  -a D0020000
    SMDK42XX,S3C64XX USB Download Tool
    Version 0.20 (c) 2004,2005,2006 Ben Dooks <ben-linux@fluff.org>
    
    S3C64XX Detected!
    => found device: bus 001, dev 050
    => loaded 16384 bytes from ./s5pc110_test/s5pc110_testcode.bin
    => Downloading 16394 bytes to 0xd0020000
    => Data checksum af84
    => usb_bulk_write() returned 16394
    adam@Adam-Desktop:~/Desktop/dltool$

    5. Observe Internal UART message:
    Code:
    Hey you!
    Out there on the road,
    Always doing what you are told,
    Can you help me?
    which repeats every 20 seconds.

    GREAT WORK!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
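
How the 16384-byte image in step 4 becomes a 16394-byte transfer with a "Data checksum" line, shown as an added example rather than dltool's own code. The layout (little-endian load address, little-endian total length, payload, 16-bit byte-sum trailer) is an assumption that fits the 10-byte difference in the log; the function names and the stand-in payload are constructed here.

```python
import struct

HEADER_LEN = 8    # assumed: 4-byte load address + 4-byte total frame length
TRAILER_LEN = 2   # assumed: 16-bit additive checksum over the payload

def checksum16(payload):
    """Sum of all payload bytes, truncated to 16 bits."""
    return sum(payload) & 0xFFFF

def build_frame(load_addr, payload):
    """Wrap a raw image in the assumed download framing."""
    total = HEADER_LEN + len(payload) + TRAILER_LEN
    header = struct.pack("<II", load_addr, total)
    return header + payload + struct.pack("<H", checksum16(payload))

def parse_frame(frame):
    """Receiver-side check: length field and checksum must both agree."""
    if len(frame) < HEADER_LEN + TRAILER_LEN:
        raise ValueError("frame too short")
    load_addr, total = struct.unpack_from("<II", frame, 0)
    if total != len(frame):
        raise ValueError("length field %d != received %d" % (total, len(frame)))
    payload = frame[HEADER_LEN:-TRAILER_LEN]
    (stored,) = struct.unpack_from("<H", frame, len(frame) - TRAILER_LEN)
    if stored != checksum16(payload):
        raise ValueError("checksum mismatch")
    return load_addr, payload

# Constructed stand-in payload with the same size as the test binary in the log.
PAYLOAD = bytes(i & 0xFF for i in range(16384))
FRAME = build_frame(0xD0020000, PAYLOAD)

if __name__ == "__main__":
    addr, body = parse_frame(FRAME)
    print("frame %d bytes, load 0x%08x, checksum %04x"
          % (len(FRAME), addr, checksum16(body)))
```

A byte sum is order-insensitive, so two transposed bytes yield the same checksum; a passing transfer shows the link was intact, not that the image is authentic.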
    3
    TheBeano what service manual will help you? full one?
    http://www.filesonic.com/file/305248751/Samsung_GT-i9000_Galaxy_S_service_manual.rar full one.

    http://megaupload.com/?d=C0JHS7A8 - service training manual 01/2011
    2
    ^^ Thanks.... So what do we have when the primary bootloader is destroyed?

    Here is a general purpose video describing what we have so far.