[only for devs please] flashing Aria flash to Photon


munjeni

Senior Member
Jun 2, 2011
Hi, after some of my tests I successfully ran the Photon WinCE ROM on my Aria Android phone. But I did it using JTAG, so I am opening this thread for devs who are interested in creating a software-based flasher that does not use JTAG! If someone has asm, C etc. knowledge, please help here! After getting the Aria flash back onto the phone I captured some logs from my box while it communicated with the Aria processor, and I want to share them here. NAND config writing log:

Code:
T0BAC 002:778 JLINK_Halt()
T0BAC 002:870 JLINK_WriteU32(0xA900026C, 0x00000009)
T0BAC 002:879 JLINK_WriteU32(0xA0B00000, 0x00000000)
T0BAC 002:880 JLINK_WriteU32(0xA0A00000, 0x0000000B)
T0BAC 002:881 JLINK_WriteU32(0xA0A00010, 0x00000001)
T0BAC 002:882 JLINK_ReadMemU32(0xA0A00014, 0x0001 Items, ...) - Data: 0x00003020
T0BAC 002:884 JLINK_ReadMemU32(0xA0A00040, 0x0001 Items, ...) - Data: 0x5500BCEC
T0BAC 002:892 JLINK_ReadMemU32(0xA0A00020, 0x0001 Items, ...) - Data: 0xAB5400C0
T0BAC 002:894 JLINK_ReadMemU32(0xA0A00024, 0x0001 Items, ...) - Data: 0x000B0477
T0BAC 002:896 JLINK_ReadMemU32(0xA0A00020, 0x0001 Items, ...) - Data: 0xAB5400C0
T0BAC 002:898 JLINK_ReadMemU32(0xA0A00024, 0x0001 Items, ...) - Data: 0x000B0477
T0BAC 002:900 JLINK_ReadMemU32(0xA0A00024, 0x0001 Items, ...) - Data: 0x000B0477
T0BAC 024:448 JLINK_WriteU32(0xA0A00000, 0x0000000B)
T0BAC 024:450 JLINK_WriteU32(0xA0A00004, 0x4AC80000)
T0BAC 024:451 JLINK_WriteU32(0xA0A00008, 0x00000000)
T0BAC 024:452 JLINK_WriteU32(0xA0A0000C, 0x00000004)
T0BAC 024:453 JLINK_WriteU32(0xA0A00010, 0x00000000)
T0BAC 024:454 JLINK_WriteU32(0xA0A00014, 0x00003020)
T0BAC 024:455 JLINK_WriteU32(0xA0A00018, 0xFFFF0000)
T0BAC 024:456 JLINK_WriteU32(0xA0A0001C, 0x00000020)
T0BAC 024:457 JLINK_WriteU32(0xA0A00020, 0xAA5400C0)
T0BAC 024:458 JLINK_WriteU32(0xA0A00024, 0x000A7476)
T0BAC 024:461 JLINK_WriteU32(0xA0A00028, 0x00000000)
T0BAC 024:462 JLINK_WriteU32(0xA0A0002C, 0x00000000)
T0BAC 024:464 JLINK_WriteU32(0xA0A00030, 0xAAD4001A)
T0BAC 024:466 JLINK_WriteU32(0xA0A00034, 0x002101BD)
T0BAC 024:468 JLINK_WriteU32(0xA0A00038, 0x00000000)
T0BAC 024:470 JLINK_WriteU32(0xA0A0003C, 0x00000000)
T0BAC 024:472 JLINK_WriteU32(0xA0A00040, 0x5500BCEC)
T0BAC 024:474 JLINK_WriteU32(0xA0A00044, 0x00000000)
T0BAC 024:475 JLINK_WriteU32(0xA0A00048, 0x00000000)
T0BAC 024:477 JLINK_WriteU32(0xA0A0004C, 0x00000000)
T0BAC 024:479 JLINK_WriteU32(0xA0A00050, 0x00000000)
T0BAC 024:481 JLINK_WriteU32(0xA0A00054, 0x00000000)
T0BAC 024:483 JLINK_WriteU32(0xA0A00058, 0x00000000)
T0BAC 024:485 JLINK_WriteU32(0xA0A0005C, 0x00000000)
T0BAC 024:487 JLINK_WriteU32(0xA0A00060, 0x00000000)
T0BAC 024:489 JLINK_WriteU32(0xA0A00064, 0x00000000)
T0BAC 024:492 JLINK_WriteU32(0xA0A00068, 0x00000000)
T0BAC 024:494 JLINK_WriteU32(0xA0A0006C, 0x00000000)
T0BAC 024:496 JLINK_WriteU32(0xA0A00070, 0x04E00480)
T0BAC 024:498 JLINK_WriteU32(0xA0A00074, 0x49F04999)
T0BAC 024:500 JLINK_WriteU32(0xA0A00078, 0x85E08580)
T0BAC 024:502 JLINK_WriteU32(0xA0A0007C, 0xC400C400)
T0BAC 024:504 JLINK_WriteU32(0xA0A00080, 0xC000C000)
T0BAC 024:506 JLINK_WriteU32(0xA0A00084, 0xC000C000)
T0BAC 024:508 JLINK_WriteU32(0xA0A00088, 0xC000C000)
T0BAC 024:510 JLINK_WriteU32(0xA0A0008C, 0x00000000)
T0BAC 024:512 JLINK_WriteU32(0xA0A00090, 0x00000000)
T0BAC 024:514 JLINK_WriteU32(0xA0A00094, 0x00000000)
T0BAC 024:515 JLINK_WriteU32(0xA0A00098, 0x00000000)
T0BAC 024:517 JLINK_WriteU32(0xA0A0009C, 0x00000000)
T0BAC 024:520 JLINK_WriteU32(0xA0A000A0, 0x1080D060)
T0BAC 024:521 JLINK_WriteU32(0xA0A000A4, 0xF00F3000)
T0BAC 024:523 JLINK_WriteU32(0xA0A000A8, 0xF0FF7090)
T0BAC 024:526 JLINK_WriteU32(0xA0A000AC, 0x0000001D)
T0BAC 024:528 JLINK_WriteU32(0xA0A000B0, 0x00000000)
T0BAC 024:530 JLINK_WriteU32(0xA0A000B4, 0x00000000)
T0BAC 024:532 JLINK_WriteU32(0xA0A000B8, 0x00000000)
T0BAC 024:534 JLINK_WriteU32(0xA0A000BC, 0x00000000)
T0BAC 024:536 JLINK_WriteU32(0xA0A000C0, 0x00000000)
T0BAC 024:538 JLINK_WriteU32(0xA0A000C4, 0x00000000)
T0BAC 024:540 JLINK_WriteU32(0xA0A000C8, 0x00000000)
T0BAC 024:542 JLINK_WriteU32(0xA0A000CC, 0x00000000)
T0BAC 024:544 JLINK_WriteU32(0xA0A000D0, 0xF0FF7090)
T0BAC 024:546 JLINK_WriteU32(0xA0A000D4, 0x00800000)
T0BAC 024:548 JLINK_WriteU32(0xA0A000D8, 0x00F30094)
T0BAC 024:550 JLINK_WriteU32(0xA0A000DC, 0x000040E0)
T0BAC 024:552 JLINK_WriteU32(0xA0A000E0, 0x00000000)
T0BAC 024:554 JLINK_WriteU32(0xA0A000E4, 0x00000000)
T0BAC 024:556 JLINK_WriteU32(0xA0A000E8, 0x00000000)
T0BAC 024:558 JLINK_WriteU32(0xA0A000EC, 0x00000000)
T0BAC 024:560 JLINK_WriteU32(0xA0A000F0, 0x000001FF)
T0BAC 024:562 JLINK_WriteU32(0xA0A000F4, 0x00000000)
T0BAC 024:564 JLINK_WriteU32(0xA0A000F8, 0x00000000)
T0BAC 024:566 JLINK_WriteU32(0xA0A000FC, 0x00000000)
This part of the log was the procedure when I pushed the NAND config (previously dumped) to the phone! From my analysis I gained some knowledge. Let's analyse it:
- Halt(): not sure, but I think it stops the processor?
- 0xa900026c is TLMM_INT_JTAG_CTL
- 0xa0b00000 is DISABLE_NAND_MPU
- 0xa0a00000 is NAND_FLASH_BASE
- 0xa0a00004 is NAND_ADDR0
- 0xa0a00008 is NAND_ADDR1
- 0xa0a0000c is NAND_FLASH_CHIP_SELECT
- 0xa0a00010 is NAND_EXEC_CMD
- 0xa0a00014 is NAND_FLASH_STATUS
- 0xa0a00018 is NAND_BUFFER_STATUS
- 0xa0a0001c unknown :confused:
- 0xa0a00020 is NAND_DEV0_CFG0
- 0xa0a00024 is NAND_DEV0_CFG1
- 0xa0a00028 unknown :confused:
- 0xa0a0002c unknown :confused:
- 0xa0a00030 is NAND_DEV1_CFG0
- 0xa0a00034 is NAND_DEV1_CFG1
- 0xa0a00038 unknown :confused:
- 0xa0a0003c unknown :confused:
- 0xa0a00040 is NAND_FLASH_ID_DATA
- ...etc :D... here is all we need:
Code:
	<flashmode>3</flashmode>
	<id>00E0</id>
	<id>0170</id>
	<id>0190</id>
	<id>0180</id>
	<id>0080</id>
	<id>0083</id>
	<id>0240</id>
	<id>03C0</id>
	<id>01B1</id>
	<id>0100</id>
	<NAND_FLASH_BASE>A0A00000</NAND_FLASH_BASE>
	<NAND_FLASH_CMD>A0A00000</NAND_FLASH_CMD>
	<NAND_EXEC_CMD>A0A00010</NAND_EXEC_CMD>
	<NAND_FLASH_STATUS>A0A00014</NAND_FLASH_STATUS>
	<NAND_BUFFER_STATUS>A0A00018</NAND_BUFFER_STATUS>
	<NAND_FLASH_READ_STATUS>A0A00044</NAND_FLASH_READ_STATUS>
	<NAND_FLASH_BUFFER>A0A00100</NAND_FLASH_BUFFER>
	<NAND_FLASH_ID_DATA>A0A00040</NAND_FLASH_ID_DATA>
	<NAND_FLASH_CHIP_SELECT>A0A0000C</NAND_FLASH_CHIP_SELECT>
	<FLASH_MACRO1_REG>A0A00064</FLASH_MACRO1_REG>
	<NAND_DEV0_CFG0>A0A00020</NAND_DEV0_CFG0>
	<NAND_DEV0_CFG1>A0A00024</NAND_DEV0_CFG1>
	<NAND_DEV1_CFG0>A0A00030</NAND_DEV1_CFG0>
	<NAND_DEV1_CFG1>A0A00034</NAND_DEV1_CFG1>
	<FLASH_XFR_STEP1>A0A00070</FLASH_XFR_STEP1>
	<FLASH_XFR_STEP2>A0A00074</FLASH_XFR_STEP2>
	<FLASH_XFR_STEP3>A0A00078</FLASH_XFR_STEP3>
	<FLASH_XFR_STEP4>A0A0007C</FLASH_XFR_STEP4>
	<FLASH_XFR_STEP5>A0A00080</FLASH_XFR_STEP5>
	<FLASH_XFR_STEP6>A0A00084</FLASH_XFR_STEP6>
	<FLASH_XFR_STEP7>A0A00088</FLASH_XFR_STEP7>
	<FLASH_DEV_CMD0>A0A000A0</FLASH_DEV_CMD0>
	<FLASH_DEV_CMD1>A0A000A4</FLASH_DEV_CMD1>
	<FLASH_DEV_CMD2>A0A000A8</FLASH_DEV_CMD2>
	<FLASH_DEV_CMD3>A0A000D0</FLASH_DEV_CMD3>
	<FLASH_DEV_CMD4>A0A000D4</FLASH_DEV_CMD4>
	<FLASH_DEV_CMD5>A0A000D8</FLASH_DEV_CMD5>
	<FLASH_DEV_CMD6>A0A000DC</FLASH_DEV_CMD6>
	<FLASH_DEV_CMD_VLD>A0A000AC</FLASH_DEV_CMD_VLD>
	<EBI2_MISR_SIG_REG>A0A000B0</EBI2_MISR_SIG_REG>
	<NAND_ADDR0>A0A00004</NAND_ADDR0>
	<NAND_ADDR1>A0A00008</NAND_ADDR1>
	<NAND_ADDR2>A0A000C0</NAND_ADDR2>
	<NAND_ADDR3>A0A000C4</NAND_ADDR3>
	<NAND_ADDR4>A0A000C8</NAND_ADDR4>
	<NAND_ADDR5>A0A000CC</NAND_ADDR5>
	<SFLASHC_BURST_CFG>A0A000E0</SFLASHC_BURST_CFG>
	<NAND_EBI2_ECC_BUF_CFG>A0A000F0</NAND_EBI2_ECC_BUF_CFG>
	<TLMM_INT_JTAG_CTL>A900026C</TLMM_INT_JTAG_CTL>
	<NAND_CMD_RESET>1</NAND_CMD_RESET>
	<NAND_CMD_ABORT>31</NAND_CMD_ABORT>
	<NAND_CMD_PAGE_READ>32</NAND_CMD_PAGE_READ>
	<NAND_CMD_PAGE_READ_ECC>33</NAND_CMD_PAGE_READ_ECC>
	<NAND_CMD_PAGE_READ_ALL>34</NAND_CMD_PAGE_READ_ALL>
	<NAND_CMD_SEQ_PAGE_READ>15</NAND_CMD_SEQ_PAGE_READ>
	<NAND_CMD_PRG_PAGE>36</NAND_CMD_PRG_PAGE>
	<NAND_CMD_PRG_PAGE_ECC>37</NAND_CMD_PRG_PAGE_ECC>
	<NAND_CMD_PRG_PAGE_ALL>39</NAND_CMD_PRG_PAGE_ALL>
	<NAND_CMD_ERASE_BLOCK>3A</NAND_CMD_ERASE_BLOCK>
	<NAND_CMD_FETCH_ID>B</NAND_CMD_FETCH_ID>
	<NAND_CMD_STATUS>C</NAND_CMD_STATUS>
	<NAND_CMD_RESET_MEMORY>D</NAND_CMD_RESET_MEMORY>
	<init addr="TLMM_INT_JTAG_CTL" MODE="4" VAL="A900026C">9</init>
	<init addr="DISABLE_NAND_MPU"  MODE="4" VAL="A0B00000">0</init>
After putting the NAND config on the device I executed "nand init" and got this log:
Code:
T0830 150:335 JLINK_CP15_ReadEx(CRn = 1, CRm = 0, op1 = 0, op2 = 0, ...) >0x80 JTAG> -- Data = 0x00053078 (0003ms, 16772ms total)
T0830 150:335   returns 0x00 (0003ms, 16772ms total)
T0830 150:338 JLINK_CP15_WriteEx(CRn = 1, CRm = 0, op1 = 0, op2 = 0, Data = 0x00053078)  returns 0x00 (0000ms, 16775ms total)

And here is the detailed log:
Code:
T0830 145:178 JLINK_WriteU32(0xA0A00000, 0x0000000B) - Writing 0x04 bytes @ 0xA0A00000 -- WriteRemote(4 bytes @ 0xA0A00000)  returns 0x00 (0003ms, 16618ms total)
T0830 145:181 JLINK_WriteU32(0xA0A00004, 0x4AC80000) - Writing 0x04 bytes @ 0xA0A00004 -- WriteRemote(4 bytes @ 0xA0A00004)  returns 0x00 (0003ms, 16621ms total)
T0830 145:184 JLINK_WriteU32(0xA0A00008, 0x00000000) - Writing 0x04 bytes @ 0xA0A00008 -- WriteRemote(4 bytes @ 0xA0A00008)  returns 0x00 (0002ms, 16624ms total)
T0830 145:186 JLINK_WriteU32(0xA0A0000C, 0x00000004) - Writing 0x04 bytes @ 0xA0A0000C -- WriteRemote(4 bytes @ 0xA0A0000C)  returns 0x00 (0002ms, 16626ms total)
T0830 145:188 JLINK_WriteU32(0xA0A00010, 0x00000000) - Writing 0x04 bytes @ 0xA0A00010 -- WriteRemote(4 bytes @ 0xA0A00010)  returns 0x00 (0003ms, 16628ms total)
T0830 145:191 JLINK_WriteU32(0xA0A00014, 0x00003020) - Writing 0x04 bytes @ 0xA0A00014 -- WriteRemote(4 bytes @ 0xA0A00014)  returns 0x00 (0003ms, 16631ms total)
T0830 145:195 JLINK_WriteU32(0xA0A00018, 0xFFFF0000) - Writing 0x04 bytes @ 0xA0A00018 -- WriteRemote(4 bytes @ 0xA0A00018)  returns 0x00 (0002ms, 16634ms total)
T0830 145:198 JLINK_WriteU32(0xA0A0001C, 0x00000020) - Writing 0x04 bytes @ 0xA0A0001C -- WriteRemote(4 bytes @ 0xA0A0001C)  returns 0x00 (0002ms, 16636ms total)
T0830 145:201 JLINK_WriteU32(0xA0A00020, 0xAA5400C0) - Writing 0x04 bytes @ 0xA0A00020 -- WriteRemote(4 bytes @ 0xA0A00020)  returns 0x00 (0003ms, 16638ms total)
T0830 145:204 JLINK_WriteU32(0xA0A00024, 0x000A7476) - Writing 0x04 bytes @ 0xA0A00024 -- WriteRemote(4 bytes @ 0xA0A00024)  returns 0x00 (0003ms, 16641ms total)
T0830 145:207 JLINK_WriteU32(0xA0A00028, 0x00000000) - Writing 0x04 bytes @ 0xA0A00028 -- WriteRemote(4 bytes @ 0xA0A00028)  returns 0x00 (0003ms, 16644ms total)
T0830 145:210 JLINK_WriteU32(0xA0A0002C, 0x00000000) - Writing 0x04 bytes @ 0xA0A0002C -- WriteRemote(4 bytes @ 0xA0A0002C)  returns 0x00 (0002ms, 16647ms total)
T0830 145:212 JLINK_WriteU32(0xA0A00030, 0xAAD4001A) - Writing 0x04 bytes @ 0xA0A00030 -- WriteRemote(4 bytes @ 0xA0A00030)  returns 0x00 (0003ms, 16649ms total)
T0830 145:215 JLINK_WriteU32(0xA0A00034, 0x002101BD) - Writing 0x04 bytes @ 0xA0A00034 -- WriteRemote(4 bytes @ 0xA0A00034)  returns 0x00 (0003ms, 16652ms total)
T0830 145:218 JLINK_WriteU32(0xA0A00038, 0x00000000) - Writing 0x04 bytes @ 0xA0A00038 -- WriteRemote(4 bytes @ 0xA0A00038)  returns 0x00 (0003ms, 16655ms total)
T0830 145:221 JLINK_WriteU32(0xA0A0003C, 0x00000000) - Writing 0x04 bytes @ 0xA0A0003C -- WriteRemote(4 bytes @ 0xA0A0003C)  returns 0x00 (0003ms, 16658ms total)
T0830 145:224 JLINK_WriteU32(0xA0A00040, 0x5500BCEC) - Writing 0x04 bytes @ 0xA0A00040 -- WriteRemote(4 bytes @ 0xA0A00040)  returns 0x00 (0003ms, 16661ms total)
T0830 145:227 JLINK_WriteU32(0xA0A00044, 0x00000000) - Writing 0x04 bytes @ 0xA0A00044 -- WriteRemote(4 bytes @ 0xA0A00044)  returns 0x00 (0003ms, 16664ms total)
T0830 145:231 JLINK_WriteU32(0xA0A00048, 0x00000000) - Writing 0x04 bytes @ 0xA0A00048 -- WriteRemote(4 bytes @ 0xA0A00048)  returns 0x00 (0002ms, 16667ms total)
T0830 145:234 JLINK_WriteU32(0xA0A0004C, 0x00000000) - Writing 0x04 bytes @ 0xA0A0004C -- WriteRemote(4 bytes @ 0xA0A0004C)  returns 0x00 (0002ms, 16669ms total)
T0830 145:237 JLINK_WriteU32(0xA0A00050, 0x00000000) - Writing 0x04 bytes @ 0xA0A00050 -- WriteRemote(4 bytes @ 0xA0A00050)  returns 0x00 (0002ms, 16671ms total)
T0830 145:240 JLINK_WriteU32(0xA0A00054, 0x00000000) - Writing 0x04 bytes @ 0xA0A00054 -- WriteRemote(4 bytes @ 0xA0A00054)  returns 0x00 (0002ms, 16673ms total)
T0830 145:243 JLINK_WriteU32(0xA0A00058, 0x00000000) - Writing 0x04 bytes @ 0xA0A00058 -- WriteRemote(4 bytes @ 0xA0A00058)  returns 0x00 (0003ms, 16675ms total)
T0830 145:246 JLINK_WriteU32(0xA0A0005C, 0x00000000) - Writing 0x04 bytes @ 0xA0A0005C -- WriteRemote(4 bytes @ 0xA0A0005C)  returns 0x00 (0003ms, 16678ms total)
T0830 145:249 JLINK_WriteU32(0xA0A00060, 0x00000000) - Writing 0x04 bytes @ 0xA0A00060 -- WriteRemote(4 bytes @ 0xA0A00060)  returns 0x00 (0003ms, 16681ms total)
T0830 145:252 JLINK_WriteU32(0xA0A00064, 0x00000000) - Writing 0x04 bytes @ 0xA0A00064 -- WriteRemote(4 bytes @ 0xA0A00064)  returns 0x00 (0002ms, 16684ms total)
T0830 145:254 JLINK_WriteU32(0xA0A00068, 0x00000000) - Writing 0x04 bytes @ 0xA0A00068 -- WriteRemote(4 bytes @ 0xA0A00068)  returns 0x00 (0003ms, 16686ms total)
T0830 145:257 JLINK_WriteU32(0xA0A0006C, 0x00000000) - Writing 0x04 bytes @ 0xA0A0006C -- WriteRemote(4 bytes @ 0xA0A0006C)  returns 0x00 (0003ms, 16689ms total)
T0830 145:260 JLINK_WriteU32(0xA0A00070, 0x04E00480) - Writing 0x04 bytes @ 0xA0A00070 -- WriteRemote(4 bytes @ 0xA0A00070)  returns 0x00 (0003ms, 16692ms total)
T0830 145:264 JLINK_WriteU32(0xA0A00074, 0x49F04999) - Writing 0x04 bytes @ 0xA0A00074 -- WriteRemote(4 bytes @ 0xA0A00074)  returns 0x00 (0002ms, 16695ms total)
T0830 145:267 JLINK_WriteU32(0xA0A00078, 0x85E08580) - Writing 0x04 bytes @ 0xA0A00078 -- WriteRemote(4 bytes @ 0xA0A00078)  returns 0x00 (0002ms, 16697ms total)
T0830 145:270 JLINK_WriteU32(0xA0A0007C, 0xC400C400) - Writing 0x04 bytes @ 0xA0A0007C -- WriteRemote(4 bytes @ 0xA0A0007C)  returns 0x00 (0002ms, 16699ms total)
T0830 145:273 JLINK_WriteU32(0xA0A00080, 0xC000C000) - Writing 0x04 bytes @ 0xA0A00080 -- WriteRemote(4 bytes @ 0xA0A00080)  returns 0x00 (0002ms, 16701ms total)
T0830 145:276 JLINK_WriteU32(0xA0A00084, 0xC000C000) - Writing 0x04 bytes @ 0xA0A00084 -- WriteRemote(4 bytes @ 0xA0A00084)  returns 0x00 (0002ms, 16703ms total)
T0830 145:279 JLINK_WriteU32(0xA0A00088, 0xC000C000) - Writing 0x04 bytes @ 0xA0A00088 -- WriteRemote(4 bytes @ 0xA0A00088)  returns 0x00 (0002ms, 16705ms total)
T0830 145:282 JLINK_WriteU32(0xA0A0008C, 0x00000000) - Writing 0x04 bytes @ 0xA0A0008C -- WriteRemote(4 bytes @ 0xA0A0008C)  returns 0x00 (0002ms, 16707ms total)
T0830 145:285 JLINK_WriteU32(0xA0A00090, 0x00000000) - Writing 0x04 bytes @ 0xA0A00090 -- WriteRemote(4 bytes @ 0xA0A00090)  returns 0x00 (0003ms, 16709ms total)
T0830 145:288 JLINK_WriteU32(0xA0A00094, 0x00000000) - Writing 0x04 bytes @ 0xA0A00094 -- WriteRemote(4 bytes @ 0xA0A00094)  returns 0x00 (0003ms, 16712ms total)
T0830 145:291 JLINK_WriteU32(0xA0A00098, 0x00000000) - Writing 0x04 bytes @ 0xA0A00098 -- WriteRemote(4 bytes @ 0xA0A00098)  returns 0x00 (0003ms, 16715ms total)
T0830 145:294 JLINK_WriteU32(0xA0A0009C, 0x00000000) - Writing 0x04 bytes @ 0xA0A0009C -- WriteRemote(4 bytes @ 0xA0A0009C)  returns 0x00 (0002ms, 16718ms total)
T0830 145:296 JLINK_WriteU32(0xA0A000A0, 0x1080D060) - Writing 0x04 bytes @ 0xA0A000A0 -- WriteRemote(4 bytes @ 0xA0A000A0)  returns 0x00 (0003ms, 16720ms total)
T0830 145:300 JLINK_WriteU32(0xA0A000A4, 0xF00F3000) - Writing 0x04 bytes @ 0xA0A000A4 -- WriteRemote(4 bytes @ 0xA0A000A4)  returns 0x00 (0002ms, 16723ms total)
T0830 145:303 JLINK_WriteU32(0xA0A000A8, 0xF0FF7090) - Writing 0x04 bytes @ 0xA0A000A8 -- WriteRemote(4 bytes @ 0xA0A000A8)  returns 0x00 (0002ms, 16725ms total)
T0830 145:306 JLINK_WriteU32(0xA0A000AC, 0x0000001D) - Writing 0x04 bytes @ 0xA0A000AC -- WriteRemote(4 bytes @ 0xA0A000AC)  returns 0x00 (0002ms, 16727ms total)
T0830 145:309 JLINK_WriteU32(0xA0A000B0, 0x00000000) - Writing 0x04 bytes @ 0xA0A000B0 -- WriteRemote(4 bytes @ 0xA0A000B0)  returns 0x00 (0002ms, 16729ms total)
T0830 145:312 JLINK_WriteU32(0xA0A000B4, 0x00000000) - Writing 0x04 bytes @ 0xA0A000B4 -- WriteRemote(4 bytes @ 0xA0A000B4)  returns 0x00 (0002ms, 16731ms total)
T0830 145:315 JLINK_WriteU32(0xA0A000B8, 0x00000000) - Writing 0x04 bytes @ 0xA0A000B8 -- WriteRemote(4 bytes @ 0xA0A000B8)  returns 0x00 (0002ms, 16733ms total)
T0830 145:318 JLINK_WriteU32(0xA0A000BC, 0x00000000) - Writing 0x04 bytes @ 0xA0A000BC -- WriteRemote(4 bytes @ 0xA0A000BC)  returns 0x00 (0002ms, 16735ms total)
T0830 145:321 JLINK_WriteU32(0xA0A000C0, 0x00000000) - Writing 0x04 bytes @ 0xA0A000C0 -- WriteRemote(4 bytes @ 0xA0A000C0)  returns 0x00 (0002ms, 16737ms total)
T0830 145:324 JLINK_WriteU32(0xA0A000C4, 0x00000000) - Writing 0x04 bytes @ 0xA0A000C4 -- WriteRemote(4 bytes @ 0xA0A000C4)  returns 0x00 (0002ms, 16739ms total)
T0830 145:327 JLINK_WriteU32(0xA0A000C8, 0x00000000) - Writing 0x04 bytes @ 0xA0A000C8 -- WriteRemote(4 bytes @ 0xA0A000C8)  returns 0x00 (0003ms, 16741ms total)
T0830 145:331 JLINK_WriteU32(0xA0A000CC, 0x00000000) - Writing 0x04 bytes @ 0xA0A000CC -- WriteRemote(4 bytes @ 0xA0A000CC)  returns 0x00 (0002ms, 16744ms total)
T0830 145:334 JLINK_WriteU32(0xA0A000D0, 0xF0FF7090) - Writing 0x04 bytes @ 0xA0A000D0 -- WriteRemote(4 bytes @ 0xA0A000D0)  returns 0x00 (0002ms, 16746ms total)
T0830 145:336 JLINK_WriteU32(0xA0A000D4, 0x00800000) - Writing 0x04 bytes @ 0xA0A000D4 -- WriteRemote(4 bytes @ 0xA0A000D4)  returns 0x00 (0002ms, 16748ms total)
T0830 145:339 JLINK_WriteU32(0xA0A000D8, 0x00F30094) - Writing 0x04 bytes @ 0xA0A000D8 -- WriteRemote(4 bytes @ 0xA0A000D8)  returns 0x00 (0002ms, 16750ms total)
T0830 145:342 JLINK_WriteU32(0xA0A000DC, 0x000040E0) - Writing 0x04 bytes @ 0xA0A000DC -- WriteRemote(4 bytes @ 0xA0A000DC)  returns 0x00 (0003ms, 16752ms total)
T0830 145:346 JLINK_WriteU32(0xA0A000E0, 0x00000000) - Writing 0x04 bytes @ 0xA0A000E0 -- WriteRemote(4 bytes @ 0xA0A000E0)  returns 0x00 (0002ms, 16755ms total)
T0830 145:350 JLINK_WriteU32(0xA0A000E4, 0x00000000) - Writing 0x04 bytes @ 0xA0A000E4 -- WriteRemote(4 bytes @ 0xA0A000E4)  returns 0x00 (0002ms, 16757ms total)
T0830 145:353 JLINK_WriteU32(0xA0A000E8, 0x00000000) - Writing 0x04 bytes @ 0xA0A000E8 -- WriteRemote(4 bytes @ 0xA0A000E8)  returns 0x00 (0002ms, 16759ms total)
T0830 145:356 JLINK_WriteU32(0xA0A000EC, 0x00000000) - Writing 0x04 bytes @ 0xA0A000EC -- WriteRemote(4 bytes @ 0xA0A000EC)  returns 0x00 (0002ms, 16761ms total)
T0830 145:359 JLINK_WriteU32(0xA0A000F0, 0x000001FF) - Writing 0x04 bytes @ 0xA0A000F0 -- WriteRemote(4 bytes @ 0xA0A000F0)  returns 0x00 (0002ms, 16763ms total)
T0830 145:362 JLINK_WriteU32(0xA0A000F4, 0x00000000) - Writing 0x04 bytes @ 0xA0A000F4 -- WriteRemote(4 bytes @ 0xA0A000F4)  returns 0x00 (0002ms, 16765ms total)
T0830 145:365 JLINK_WriteU32(0xA0A000F8, 0x00000000) - Writing 0x04 bytes @ 0xA0A000F8 -- WriteRemote(4 bytes @ 0xA0A000F8)  returns 0x00 (0002ms, 16767ms total)
T0830 145:368 JLINK_WriteU32(0xA0A000FC, 0x00000000) - Writing 0x04 bytes @ 0xA0A000FC -- WriteRemote(4 bytes @ 0xA0A000FC)  returns 0x00 (0003ms, 16769ms total)
T0830 150:335 JLINK_CP15_ReadEx(CRn = 1, CRm = 0, op1 = 0, op2 = 0, ...) >0x80 JTAG> -- Data = 0x00053078 (0003ms, 16772ms total)
T0830 150:335   returns 0x00 (0003ms, 16772ms total)
T0830 150:338 JLINK_CP15_WriteEx(CRn = 1, CRm = 0, op1 = 0, op2 = 0, Data = 0x00053078)  returns 0x00 (0000ms, 16775ms total)

The dumped NAND config is:
Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000000  0B 00 00 00 00 00 C8 4A 00 00 00 00 04 00 00 00  ......ČJ........
00000010  00 00 00 00 20 30 00 00 00 00 FF FF 20 00 00 00  .... 0....˙˙ ...
00000020  C0 00 54 AA 76 74 0A 00 00 00 00 00 00 00 00 00  Ŕ.TŞvt..........
00000030  1A 00 D4 AA BD 01 21 00 00 00 00 00 00 00 00 00  ..ÔŞ˝.!.........
00000040  EC BC 00 55 00 00 00 00 00 00 00 00 00 00 00 00  ěĽ.U............
00000050  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000060  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000070  80 04 E0 04 99 49 F0 49 80 85 E0 85 00 C4 00 C4  €.ŕ.™IđI€…ŕ….Ä.Ä
00000080  00 C0 00 C0 00 C0 00 C0 00 C0 00 C0 00 00 00 00  .Ŕ.Ŕ.Ŕ.Ŕ.Ŕ.Ŕ....
00000090  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000000A0  60 D0 80 10 00 30 0F F0 90 70 FF F0 1D 00 00 00  `Đ€..0.đ.p˙đ....
000000B0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000000C0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000000D0  90 70 FF F0 00 00 80 00 94 00 F3 00 E0 40 00 00  .p˙đ..€.”.ó.ŕ@..
000000E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000000F0  FF 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ˙...............

This is only part of the log, but I have the full log (45 MB). If you help here and we create an initial simple code that works from this part of the log, I will create a PHP-based log converter to C code and convert the whole log to C code, but first I need to see example C code for this part of the log (and I will try that compiled code on my device!)!
Let's speak here!
 

munjeni

Senior Member
Jun 2, 2011
Tried to get the NAND ID with a simple function executed from wifi_nvs.c, but Android could not boot :eek: Any ideas why?

Code:
#ifdef HACK
#include <linux/mtd/mtd.h>
#include <linux/mtd/blktrans.h>
#include <mach/msm_iomap.h>
#include <linux/crc32.h>
#include <linux/io.h>

/* Addresses below are the physical NAND controller registers from the
 * config in the first post.  Note: in-kernel readl()/writel() expect an
 * ioremap()ed virtual address; here the raw physical values are used. */
void lets_see_if_it_working(void) {
	//uint32_t disable_nand_mpu = 0xa0b00000;	/* DISABLE_NAND_MPU */
	//uint32_t mpu_off = 0x00000000;
	uint32_t nand_flash_base = 0xa0a00000;		/* NAND_FLASH_CMD */
	uint32_t NAND_CMD_FETCH_ID = 0x0000000b;	/* FETCH_ID command code */
	//uint32_t nand_exec = 0xa0a00010;		/* NAND_EXEC_CMD */
	//uint32_t nand_exec_cmd = 0x00000001;
	uint32_t NAND_FLASH_ID_DATA = 0xa0a00040;
	uint32_t data;

	//writel(mpu_off, disable_nand_mpu);
	writel(NAND_CMD_FETCH_ID, nand_flash_base);	/* queue FETCH_ID in NAND_FLASH_CMD */
	//writel(nand_exec_cmd, nand_exec);		/* the NAND_EXEC_CMD write seen in the JTAG log is skipped here */

	data = readl(NAND_FLASH_ID_DATA);		/* read back NAND_FLASH_ID_DATA */
	printk("NAND ID=%08X\n", data);
}
#endif
 

schlund

Senior Member
Nov 25, 2010
Rewrote the lk bootloader now to boot up with a writeable AMSS partition:

Kernel log:
Code:
<6>NAND_EBI2_ECC_BUF_CFG: 1ff
#MTD# parts in atag = 8
Creating 8 MTD partitions on "msm_nand":
0x000002820000-0x000002840000 : "lkbootloader"
0x000002840000-0x000003240000 : "boot"
0x000003240000-0x000003c40000 : "recovery"
0x000003c40000-0x000003ce0000 : "misc"
0x000003ce0000-0x00000dce0000 : "system"
0x00000dce0000-0x00001eee0000 : "userdata"
0x00001f000000-0x000020000000 : "cache"
0x000000540000-0x000001d40000 : "AMSS"

Would be nice if you could give it a try and flash it via fastboot or Android (nandwrite). I have just tested dumping it via nanddump and that worked fine!

I applied the bootloader bin for HaRET boot and an nb image, whichever you prefer :)
 

Attachments

  • lk-AMSS.zip (46 KB)

munjeni

Senior Member
Jun 2, 2011
Hi, there is one problem! Example: if you dump the whole NAND with nanddump or dd or cat or any other method using "android" and compare that dump with the JTAG dump that I posted..., you will see for example: the htc partition is dumped, but you will see a big difference there (only 0xFF is there, and many other secured partitions are 0xFF too!)... I already compared the NAND dump and the JTAG dump and there is a big difference and some parts cannot be dumped!!! Maybe AMSS will be dumped (I will try) but hmmm, it would be good if it were possible! Wait a moment, I will post a diff!

EDIT:
Yes, it's not possible, see 0x130 from the start of the AMSS partition:

Photon jtag_dump:
Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00540000  7F 45 4C 46 01 01 01 61 00 00 00 00 00 00 00 00  .ELF...a........
00540010  02 00 28 00 01 00 00 00 00 00 E0 0C 34 00 00 00  ..(.......ŕ.4...
00540020  00 00 00 00 02 02 00 00 34 00 20 00 08 00 00 00  ........4. .....
00540030  00 00 00 00 01 00 00 00 00 10 00 00 00 50 E2 0E  .............Pâ.
00540040  00 50 E2 0E B4 00 00 00 00 10 00 00 00 00 20 02  .Pâ.´......... .
00540050  00 00 00 00 01 00 00 00 00 80 00 00 00 00 00 F0  .........€.....đ
00540060  00 00 E0 0C FC C5 01 00 B8 1E 02 00 07 00 00 00  ..ŕ.üĹ..¸.......
00540070  00 80 00 00 01 00 00 00 00 C0 02 00 00 40 02 F0  .€.......Ŕ...@.đ
00540080  00 40 E2 0C 00 60 00 00 00 60 00 00 06 00 00 00  .@â..`...`......
00540090  00 80 00 00 01 00 00 00 00 80 03 00 00 00 00 B0  .€.......€.....°
005400A0  00 00 E8 0C 87 48 01 00 87 48 01 00 05 00 00 00  ..č.‡H..‡H......
005400B0  00 80 00 00 01 00 00 00 00 00 05 00 00 00 04 B0  .€.............°
005400C0  00 00 EA 0C 84 01 00 00 04 30 01 00 06 00 00 00  ..ę.„....0......
005400D0  00 80 00 00 01 00 00 00 00 10 05 00 00 40 EB 0C  .€...........@ë.
005400E0  00 40 EB 0C 14 1E 0C 01 00 A0 EE 01 07 00 00 81  .@ë......*î.....
005400F0  00 10 00 00 01 00 00 00 00 30 11 01 00 E0 D9 0E  .........0...ŕŮ.
00540100  00 E0 D9 0E 18 00 00 00 E8 60 08 00 06 00 60 01  .ŕŮ.....č`....`.
00540110  00 10 00 00 01 00 00 00 00 40 11 01 00 00 03 B0  .........@.....°
00540120  00 80 E9 0C 00 50 00 00 00 50 00 00 06 00 00 00  .ێ..P...P......

Photon nand_dump from Android:
Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00540000  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙
00540010  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙
00540020  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙
00540030  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙
00540040  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙
00540050  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙
00540060  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙
00540070  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙
00540080  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙
00540090  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙
005400A0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙
005400B0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙
005400C0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙
005400D0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙
005400E0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙
005400F0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙
00540100  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙
00540110  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙
00540120  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙

AMSS is protected from writing, but why is it protected from reading?
 
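The comparison in this post (JTAG dump shows an ELF image at 0x540000, the Android nanddump shows only 0xFF) can be checked mechanically. Added example, not code from the thread: it classifies each byte as identical, masked (Android reads 0xFF where JTAG has data) or altered, coalesces the differences into ranges, and flags a hidden ELF header. The sample bytes are copied from the dumps in this post and the next one; the function names are assumed.

```python
"""JTAG dump vs Android nanddump: find regions masked to 0xFF.
Added example, not code from the thread; sample bytes are copied from the
hex dumps in the posts (three AMSS rows at 0x540000, first row at offset 0)."""

ELF_MAGIC = b"\x7fELF"

# JTAG dump of AMSS at 0x540000 (first three rows above) and the Android
# nanddump of the same bytes, which came back as all 0xFF.
AMSS_JTAG = bytes.fromhex(
    "7F454C46010101610000000000000000"
    "02002800010000000000E00C34000000"
    "00000000020200003400200008000000")
AMSS_ANDROID = b"\xff" * len(AMSS_JTAG)

# Offset 0 of the flash: JTAG and Android differ only in the first 4 bytes,
# and one of them (0xAB) is not 0xFF, so it is altered rather than masked.
MIBIB_JTAG = bytes.fromhex("D1DC4B843410D7735A430B7DFFFFFFFF")
MIBIB_ANDROID = bytes.fromhex("FFABFFFF3410D7735A430B7DFFFFFFFF")


def classify(jtag, android):
    """Per-byte tags: 's' same, 'm' masked (Android 0xFF, JTAG not), 'a' altered."""
    if len(jtag) != len(android):
        raise ValueError("dumps must cover the same region")
    tags = []
    for j, a in zip(jtag, android):
        tags.append("s" if j == a else "m" if a == 0xFF else "a")
    return "".join(tags)


def diff_ranges(jtag, android, base=0):
    """Coalesce differing bytes into [(start, end, masked, altered)] using
    absolute offsets (end exclusive); base is the region's flash offset."""
    tags = classify(jtag, android)
    ranges, i = [], 0
    while i < len(tags):
        if tags[i] == "s":
            i += 1
            continue
        j = i
        while j < len(tags) and tags[j] != "s":
            j += 1
        seg = tags[i:j]
        ranges.append((base + i, base + j, seg.count("m"), seg.count("a")))
        i = j
    return ranges


def report(jtag, android, base=0):
    """Human-readable lines; notes when the hidden data starts with an ELF
    header, as the AMSS image in the JTAG dump does."""
    lines = []
    for start, end, masked, altered in diff_ranges(jtag, android, base):
        rel = start - base
        note = " (ELF header in JTAG dump)" if jtag[rel:rel + 4] == ELF_MAGIC else ""
        lines.append("0x%08X-0x%08X: %d masked, %d altered%s"
                     % (start, end, masked, altered, note))
    return lines
```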

munjeni

Senior Member
Jun 2, 2011
Or another example:
NAND dump:
Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000000  FF AB FF FF 34 10 D7 73 5A 43 0B 7D FF FF FF FF  ˙«˙˙4.×sZC.}˙˙˙˙
00000010  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙
00000020  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙
JTAG dump:
Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000000  D1 DC 4B 84 34 10 D7 73 5A 43 0B 7D FF FF FF FF  ŃÜK„4.×sZC.}˙˙˙˙
00000010  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙
00000020  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙

Did you get the first 0x130 bytes of your dump as 0xFF, or do you see the ELF header?
 

schlund

Senior Member
Nov 25, 2010
You are right, it doesn't look very useful. What about using fastboot?

EDIT: OK, did some research: splash screens and radio can only be flashed by the SPL at the lowest level; when running lkbootloader, AMSS is already executed.
It really seems we need HSPL or at least USPL. Didn't you say you have a patched SPL with SuperCID? Maybe we can simply create a USPL :)
 

munjeni

Senior Member
Jun 2, 2011
Hi, no, I have a SuperCID device but SuperCID is not in the SPL "but we can get SuperCID if we can patch the SPL"; the offset for the SCID "in NAND" is 0x4c0800, I just replaced VODAP30400000071 with 1111111100000071 ... this is in the htc partition! Maybe Cotulla's patched SSPL gives us something if we go to the 3-colour SSPL screen? I tried decompiling the SPL without success. Do you think we cannot read "low level" if AMSS is running? Maybe you know what I need to edit in lets_see_if_it_working(void); to get that function working?


what about using fastboot?
Already tried fastboot in lk: created a partition with size from 0 to 0x2820000; using fastboot erase jtag it erases the jtag partition without error, but after reboot it's not erased. When trying to write, it works with for example 0x20000 size "but does not work with the full size of 0x2820000, it says out of space", but again after writing/reboot the data is not written to the protected memory... I think we need to disable MMU, MPU, NAND MPU etc. before trying to write? Also see this =-> http://pof.eslack.org/HTC/splxploit/ what do you think? ...We need only this in the SPL (SuperCID + flash unsigned code)
 

schlund

Senior Member
Nov 25, 2010
I thought about simply flashing the created AMSS partition and trying to reflash it. The MPU should already be disabled in fastboot mode by the bootloader.
But I will take a look at your links now.
Could you be so nice as to dump all the radio partition images from Aria and Photon? Would be very useful for my research!
 

munjeni

Senior Member
Jun 2, 2011
OK, offsets (from, to)?
Now I am going to look at the asm difference between the Leo HSPL and SPL (have the Leo HSPL dump, and found the same version standard SPL)... we will try to patch the Photon SPL?
 

djfastest

Senior Member
Dec 1, 2010
Maybe this??????

EDIT:
Guys, need the HSPL 1.31.0000 version... please search Google, I could not find any link!
 

schlund

Senior Member
Nov 25, 2010
What about using another version, like 1.06, if you can't find 1.31?

The partitions you could dump for me:
MIBIB: Address: 0x00000000 - 0x00140000
QCSBL: Address: 0x00140000 - 0x001C0000
OEMSBL1: Address: 0x001C0000 - 0x00280000
OEMSBL2: Address: 0x00280000 - 0x00340000
HTC: Address: 0x00340000 - 0x00540000
AMSS: Address: 0x00540000 - 0x01D40000
EFS2: Address: 0x01D40000 - 0x022C0000
FOTA: Address: 0x022C0000 - 0x023C0000
RESERVED: Address: 0x023C0000 - 0x02400000
APPSBL: Address: 0x02400000 - 0x024C0000 (should be hboot & spl)
MISC_CFG: Address: 0x024C0000 - 0x02500000
WLAN: Address: 0x02500000 - 0x02540000


EDIT: Also found SPL 1.07 in one of our stock ROMs
 

munjeni

Senior Member
Jun 2, 2011

schlund

Senior Member
Nov 25, 2010
Great news!
What exactly have you done? Which SPL have you used? How did you patch it? And how did you copy it to the device?
Have you tried to flash stock ROMs from different regions, too? What about flashing the stock Aria ROM?
Is it secured against being overwritten by the stock SPL?

Lots of questions, I know :)
 

munjeni

Senior Member
Jun 2, 2011
Finally CID protection is bye bye :), installed using JTAG to flash (so we need to find a method to install it without JTAG)! Tested: all methods (using SD card without SuperCID header - working; installing using HTC RUU - working on all regions; SD card with SuperCID header - working... everything is good)... will try to bypass "flash unsigned code" tomorrow and finally we need HSPL overwrite protection :)
http://img39.imageshack.us/img39/5539/img0991d.jpg
 

schlund

Senior Member
Nov 25, 2010
Makes me think of a method to flash it without JTAG.
SSPL in general could do it, but as far as I know Cotulla disabled radio and SPL flashing in it. (I don't know how to enable it.)
Maybe you can try it via fastboot or Android nandwrite? Compared to AMSS it is readable there, but I am too scared to brick my device by trying it :)
If you want me to make another lk for the SPL when you are too lazy to, just tell me!
 

Top Liked Posts

  • 18
    Guys, I'm very very close to getting the HSPL installer... http://img687.imageshack.us/img687/8656/img0999zy.jpg
    11
    Hahaha, finally have the sspl.nb 512 KB full dump (it was scattered throughout the memory area, I had to assemble it from the memory dump by comparison with the original SPL 1.07) and the good news is it works with jumpspl compiled for Photon :), let's go patching :D

    Whoever wants to try, just place sspl.nb and jumpspl.exe on the SD card, run jumpspl from the phone, set offset 00000000, click OK, select sspl.nb and that's it :)
    10
    I have good news for you... HSPL is ready!!! Pb92xxx string fixed, SuperCID fixed, flash unsigned code tested and fixed :p, flashing a ROM that includes HSPL tested/working, flashing radio/SPL tested/working, flashing without gold card working....... everything working and HSPL is READY!!!

    Only we need to find a way to install HSPL! Here are some logs I got from HSPL:
    Code:
    Cmd>task 32
    Card inserted
    SD clk rate 19MHz
    Cmd5 CMD_TIMEOUT
    SD clk rate 144KHZ
    SD 2.0 HC card
    HTC_PLAT_SOLUTION == 7227, GPLL is 245.76MHz
    SD Clk rate 24 MHz
    SD Init OK
    Card inserted
    SD clk rate 19MHz
    Cmd5 CMD_TIMEOUT
    SD clk rate 144KHZ
    SD 2.0 HC card
    HTC_PLAT_SOLUTION == 7227, GPLL is 245.76MHz
    SD Clk rate 24 MHz
    SD Init OK
    Card inserted
    SD clk rate 19MHz
    Cmd5 CMD_TIMEOUT
    SD clk rate 144KHZ
    SD 2.0 HC card
    HTC_PLAT_SOLUTION == 7227, GPLL is 245.76MHz
    SD Clk rate 24 MHz
    SD Init OK
    Level = 0
    
    Cmd>info 2
    Card inserted
    SD clk rate 19MHz
    Cmd5 CMD_TIMEOUT
    SD clk rate 144KHZ
    SD 2.0 HC card
    HTC_PLAT_SOLUTION == 7227, GPLL is 245.76MHz
    SD Clk rate 24 MHz
    SD Init OK
    Card inserted
    SD clk rate 19MHz
    Cmd5 CMD_TIMEOUT
    SD clk rate 144KHZ
    SD 2.0 HC card
    HTC_PLAT_SOLUTION == 7227, GPLL is 245.76MHz
    SD Clk rate 24 MHz
    SD Init OK
    Card inserted
    SD clk rate 19MHz
    Cmd5 CMD_TIMEOUT
    SD clk rate 144KHZ
    SD 2.0 HC card
    HTC_PLAT_SOLUTION == 7227, GPLL is 245.76MHz
    SD Clk rate 24 MHz
    SD Init OK
    [color=red]HTCSSuperCID[/color]HTCE
    Cmd>info 3
    HTCSPB9210000SuperCID`¸~&%°+X&,xk?+ă4ťÎß0Ő
                                              äÂÜPBPPhoton1.31.HSPLCŚ=ĹHTCE
    Cmd>PuTTY

    The new jumpspl that I have not published yet bricked my device; it corrupted my SPL and radio, so it is not ready now!

    EDIT:
    Accepting the Aria flash (nbh with radio, radioconf, splashes, hboot) but the radio has its own RSA modulus that I will import from hboot :D because I got "rsa fail"... see picture:
    http://img94.imageshack.us/img94/2839/img0993lt.jpg
    http://img703.imageshack.us/img703/2364/img0992mp.jpg
    6
    I tested with jumpspl and have USB recognized!

    EDIT:
    You need an active ActiveSync connection before executing jumpspl!
    5
    Huh, maybe because my phone is not a Photon? Have a new version of jumpspl, please try and let me know