In s8500 theres no way to change OM register without unsoldering s5pc110, @ this one i am 101% sure.
ARIES and Wave boards are somewhat similiar, do you believe that there is difference in OM connection? I dont.

Wondering whats the difference between jtag and coresight, jtag also provide step by step debugging, isnt it?

How can you be 101% sure? From what we've seen, that will pretty much mean all platforms are done the same. How do you know there is not a transistor on the board which breaks ground or high on a signal from say... the call processor... or maybe even grounded to another register or I/O pin on the Application Processor?


The watchdog timer is part of the boot sequence. It's referenced in the boot sequence on the processor manual

Quote:

3.1 OVERVIEW OF WATCHDOG TIMER
The Watchdog Timer (WDT) in S5PC110 is a timing device that resumes the controller operation after
malfunctioning due to noise and system errors. WDT can be used as a normal 16-bit interval timer to request
interrupt service. The WDT generates the reset signal.
The difference between WDT and PWM timer is that WDT generates the reset signal.

Watchdog could come in handy if we figure out a way to modify memory, it could be used like a pause button. Also, watchdog could explain why sometimes my phone runs slow when I'm around power supplies at work...

off topic... the year register is only 12bits wide, and , it can only handle 999 years and a 2 is in the first position. Be prepared for Y2K all over again in 999 years... Y3K.


Ok... so, reflecting on the boot sequence.... The IROM/Processor calls and verifies the PBL, The PBL calls and verifies the SBL.... If the PBL fails verification, it fails over to other methods of booting, like UART. We need to figure out what failover the PBL contains.

One of the bricks I analyzed... Let's call it an "odin brick".. It had a mismatched PBL/SBL. It could be possible that it was looking for a MMC boot or something. Please take a look at the PBL and see what failover it has...

as for external I2C, we're looking for two lines which are in a high condition. I was not able to establish communications on the line which we assumed to be UART TX on the JTAG port. It may be worth it to look at that port again with i2c... I will make a note of that to come back again later. We still have yet to locate the EXT-I2C hard-lines to the i2c bus which is referenced by a NAK in the SBL boot sequence randomly... These hardlines would be able to control the processor and make it do just about anything.

All we know right now about I2c is that it has an EXT-I2C connection somewhere, the AP can function as a I2C master or slave, it communicates via 8bit comms, and an unlimited amount of data can be sent to the processor over i2c.

the SPI bus would allow unlimited access to the processor, and just as with I2C, it does not require any software to be running. This bus runs at 8-bit/16-bit/32-bit. I'm not good with SPI, but if we can find the wires, this would be very powerful. SPI or i2c would both potentially be able to load software and then restart.

The modem interface has abstracted access to the same bus that the OneNand is located.... possible check.

Good call on the MMC card Robellos.. The MMC card supports "512 bytes FIFO for data Tx/ Rx"

There's several GP registers which are dedicated to "Keypad" interface... So.. Now being that the numbers are so different between all of the buttons currently used, it may have an affect to short out one pin on a button to another pin on a different button. This would cause a different key to be pressed... Just something to look at.. It would be nice to find all of the pins.

So yeah... There's still lots to try.

Suppose we could JTAG the S5PC110, could we could use boundary scan to try and identify where the OM pins go? Maybe they go to another device on the JTAG chain that supports boundary scan?

Do we know what devices are in the JTAG chain? Is there a BSDL file for S5PC110 around?

I don't know much about JTAG, this might well not be possible.

Quote:

Originally Posted by b4dg3r

Suppose we could JTAG the S5PC110, could we could use boundary scan to try and identify where the OM pins go? Maybe they go to another device on the JTAG chain that supports boundary scan?

Do we know what devices are in the JTAG chain? Is there a BSDL file for S5PC110 around?

I don't know much about JTAG, this might well not be possible.

The memory and processor is on the JTAG as well as a few other devices... page 484 of this manual: http://www.mediafire.com/file/3znisg..._EVT1_UM10.pdf

Hey... I found that fsa9280 manual online http://www.mediafire.com/?d4e21efhuktctcb

Other devices outside the S5PC110 package could also be on the chain. I wonder if the baseband processor is.

That FSA data sheet is a good find. 242, 292, 507 & 577 Kohm resistors deserve some further scrutiny I think.

Interfaces

---

While the headphoen jack is an extrenal interface that is connected deep into silicon, there is more. There is a resistor sense - probably connected to the codec/amplifier to check if a headphone or line out is connected, and if there is a microphone or not.

However these usually also detect whether something is plugged in at all with a simple switch. Could that be the case? Should be simple enough to check looking at the connector.

hey!!!

---

guys i didnt have time to go through all the posts got to page 30 odd

dont know if this is covered.

but have you noticed this screen before. i done it on a software brick. no sbl.

held menu button. put usb cable in (no kies drivers installed) then pressed a certain volume up / down combination trying to duplicate it now again and got this.

screen apears and says
rst_stat = 0x4
pmic_irq0x0
pmic status1 0x40
pmic status2 0x02c
modem booting
end modem booting
now start usb upload

FORCED UPLOAD by KEY PRESSING

sorry for my hasted post. it seems it has been discoverd. but what may add to your project that when in this mode. it installs a usb device called gadget serial. reading more about this now. to get the drivers etc. and want to see what it does.

as it seems there is more to this little find.

update / ok i have loaded the drivers.
it creates a samsung modem on com 12
the coincedetal part is the port speed "921600"

this is the same as what you guys have been finding

I posted the FSA chip datasheet and jig values here:
http://forum.xda-developers.com/show...5#post14407905




I graphed it out.


that's all resistor values... all 5 bits are taken. There are no more resistor values.. I'll update the fun with resistors thread.

Is there any way to read the OM5 when using the 301K resistor?
Can anyone dump the boot messages when the 301K resistor is attached, without usb power applied?
I.e. Use the JTAG serial interface to watch the boot up.

I.e.
1) Attach to the JTAG serial interface.
2) Insert Battery
3) Connect 301K resistor between pins 4-5. No power on pin 1.
4) Capture the serial port output and post it here.

The I9000 phone should boot into download mode.

Quote:

Originally Posted by midas5

Is there any way to read the OM5 when using the 301K resistor?
Can anyone dump the boot messages when the 301K resistor is attached, without usb power applied?
I.e. Use the JTAG serial interface to watch the boot up.

I.e.
1) Attach to the JTAG serial interface.
2) Insert Battery
3) Connect 301K resistor between pins 4-5. No power on pin 1.
4) Capture the serial port output and post it here.

The I9000 phone should boot into download mode.

Nothing significant happens. I did that earlier and a link was requested again about 5 pages ago.

You can forget about modifying OM registers. They are inputs to the processor. It would require hardware modification.