How can you be 101% sure? From what we've seen, that will pretty much mean all platforms are done the same. How do you know there is not a transistor on the board which breaks ground or high on a signal from say... the call processor... or maybe even grounded to another register or I/O pin on the Application Processor?
The watchdog timer is part of the boot sequence. It's referenced in the boot sequence in the processor manual:
3.1 OVERVIEW OF WATCHDOG TIMER
The Watchdog Timer (WDT) in S5PC110 is a timing device that resumes the controller operation after malfunctioning due to noise and system errors. WDT can be used as a normal 16-bit interval timer to request interrupt service. The WDT generates the reset signal.
The difference between WDT and PWM timer is that WDT generates the reset signal.
Watchdog could come in handy if we figure out a way to modify memory; it could be used like a pause button. Also, watchdog could explain why sometimes my phone runs slow when I'm around power supplies at work...
Off topic... the year register is only 12 bits wide, and it can only handle 999 years and a 2 is in the first position. Be prepared for Y2K all over again in 999 years... Y3K.
Ok... so, reflecting on the boot sequence.... The IROM/Processor calls and verifies the PBL. The PBL calls and verifies the SBL.... If the PBL fails verification, it fails over to other methods of booting, like UART. We need to figure out what failover the PBL contains.
One of the bricks I analyzed... Let's call it an "odin brick".. It had a mismatched PBL/SBL. It could be possible that it was looking for an MMC boot or something. Please take a look at the PBL and see what failover it has...
As for external I2C, we're looking for two lines which are in a high condition. I was not able to establish communications on the line which we assumed to be UART TX on the JTAG port. It may be worth it to look at that port again with I2C... I will make a note of that to come back again later. We still have yet to locate the EXT-I2C hard-lines to the I2C bus which is referenced by a NAK in the SBL boot sequence randomly... These hard-lines would be able to control the processor and make it do just about anything.
All we know right now about I2C is that it has an EXT-I2C connection somewhere, the AP can function as an I2C master or slave, it communicates via 8-bit comms, and an unlimited amount of data can be sent to the processor over I2C.
The SPI bus would allow unlimited access to the processor, and just as with I2C, it does not require any software to be running. This bus runs at 8-bit/16-bit/32-bit. I'm not good with SPI, but if we can find the wires, this would be very powerful. SPI or I2C would both potentially be able to load software and then restart.
The modem interface has abstracted access to the same bus that the OneNand is located on.... possible check.
Good call on the MMC card, Robellos.. The MMC card supports "512 bytes FIFO for data Tx/ Rx"
There are several GP registers which are dedicated to the "Keypad" interface... So.. Now being that the numbers are so different between all of the buttons currently used, it may have an effect to short out one pin on a button to another pin on a different button. This would cause a different key to be pressed... Just something to look at.. It would be nice to find all of the pins.
So yeah... There's still lots to try.