[GUIDE] USB Uart on Galaxy S devices [2012/09/25]

OP bhundven

23rd September 2012, 05:18 PM   |  #1  
== General Info ==

Hello, and welcome to my usb uart guide - aka, how to totally f' your phone up, if you don't think first!

Really though, read everything before attempting anything!

USB Uart is not new news. There are many great people who have come before me to make what I am documenting here possible. But I am putting this here because I keep getting PM'd about getting help with USB Uart, and figured it would be good to start a thread that documents what you need and how to get going.

So up front, I need to list some credits.
I gained a lot of knowledge from these people:

== WARNING ==

I am not responsible for anything you do to your device! If you follow my guide and it results in anything like your phone not working or ending the world, I cannot be held accountable for what you do!

This guide will show you how to use the usb uart on most Galaxy S phones (with the FSA9480 USB port accessory detector and switch).

It helps to have Unbrickable Mod. There are some commands you can run from the SBL that will wipe your bootloaders!
You must be VERY CAREFUL!

== Requirements ==

First off, you will need some hardware to connect to your computer. It helps. Below is a list of things I use and they are common and cheap. The links to the items below are what I have. It's what works for me.

Also, I use minicom on Linux and Mac OS X (use homebrew to install minicom), but you should be able to use any serial console program you like (i.e. kermit, cu, etc...)

I highly suggest getting to know your bus pirate, but this guide assumes you have read manuals and updated firmware. Any of the other uart modes should also work this way, but I currently don't cover that here... yet.

== Getting Started ==

When we connect to the usb port on the bus pirate (bp), you can find the version info by typing i at the high impedance mode (HiZ>) prompt. Change to this mode when you're modifying connections or cable arrangements.

Code:
HiZ>i
Bus Pirate v3b
Firmware v6.0 r1625  Bootloader v4.4
DEVID:0x0447 REVID:0x3043 (24FJ64GA002 B5)
http://dangerousprototypes.com

Disconnect the bp and let's connect everything from the micro usb port connecting to your phone backwards to the bp. I use a breadboard for things that I might work on later or things I'll re-arrange a lot. You may also decide to solder the resistor directly to the GND/ID pins, but you will need a little lead on the GND. Connect MOSI to D+ and MISO to D-.

Another warning!
You can also fry the ftdi on the bus pirate, if you mess with the connections while the bus pirate is in any mode besides HiZ (Hi Impedance) or unplugged. Usually, I'm in uart bridge mode, so you can't go back to HiZ. You just have to unplug the usb cable.



Solder some jumper wire to the micro usb breakout board. I use about an inch.



I usually start at a1 on the breadboard with vcc and a4 and a5 for ID and GND (respectively). In these images, I'm at the opposite end of the board to make it easier to have the phone next to and above my mouse so it is easy for me to work with the phone.

Put the resistor on b4 and b5 - which is where I connect GND on the bp.

Now that you have the bp connected to the circuit, let's move forward and plug in the micro usb cable into the bp and then into your computer.

To change into UART mode on the buspirate, type 'm' at the HiZ> prompt:

Code:
HiZ>m
1. HiZ
2. 1-WIRE
3. UART
4. I2C
5. SPI
6. 2WIRE
7. 3WIRE
8. LCD
x. exit(without change)

(1)>3
Set serial port speed: (bps)
 1. 300
 2. 1200
 3. 2400
 4. 4800
 5. 9600
 6. 19200
 7. 38400
 8. 57600
 9. 115200
10. BRG raw value

(1)>9
Data bits and parity:
 1. 8, NONE *default
 2. 8, EVEN
 3. 8, ODD
 4. 9, NONE
(1)>1
Stop bits:
 1. 1 *default
 2. 2
(1)>1
Receive polarity:
 1. Idle 1 *default
 2. Idle 0
(1)>1
Select output type:
 1. Open drain (H=Hi-Z, L=GND)
 2. Normal (H=3.3V, L=GND)

(1)>2
Ready
UART>(3)
UART bridge
Reset to exit
Are you sure? y

After you get into UART Bridge mode, you will have to unplug the usb port from your computer to reset the bus pirate.

This is where experimenting with different resistors on the GND/ID pins makes a difference. Using 619k resistance, I just plug the phone in and it boots up. During boot up, I can see the PBL output like the output you will see in the rest of this document. Using 150k resistance, the phone doesn't automatically turn on.

Also, you may have different usability of the console depending on if you set the output type to Open drain or Normal drain.
With Open drain, I am able to see the uart output, but I am not able to break into the SBL prompt like I am with Normal drain.

Interestingly, with 619k on my SGH-T959V, I don't see all of the kernel console output. I still haven't figured out exactly why yet. With 150k resistance, I don't see the PBL output, but I can still break into the SBL prompt (with normal drain) and get full kernel console output.

When you get to this point, the mode light should now be green. When you plug your phone into the micro usb adapter (again 619k in these examples), you should see everything from the pbl in to the kernel starting:

Code:
1
-----------------------------------------------------------
   Samsung Primitive Bootloader (PBL) v3.0
   Copyright (C) Samsung Electronics Co., Ltd. 2006-2010
-----------------------------------------------------------

+n1stVPN       2688
+nPgsPerBlk    64
+n1stVPN       3008
+nPgsPerBlk    64
PBL found bootable SBL: Partition(4).

Set cpu clk. from 400MHz to 800MHz.
OM=0x29, device=OnenandMux(Audi)
IROM e-fused - Non Secure Boot Version.

-----------------------------------------------------------
   Samsung Secondary Bootloader (SBL) v3.0
   Copyright (C) Samsung Electronics Co., Ltd. 2006-2010

   Board Name: ARIES REV 03
   Build On: Oct 28 2011 15:45:50
-----------------------------------------------------------

Re_partition: magic code(0x0)
[PAM:   ] ++FSR_PAM_Init
[PAM:   ]   OneNAND physical base address       : 0xb0000000
[PAM:   ]   OneNAND virtual  base address       : 0xb0000000
[PAM:   ]   OneNAND nMID=0xec : nDID=0x60
[PAM:   ] --FSR_PAM_Init
fsr_bml_load_partition: pi->nNumOfPartEntry = 12
partitions loading success
board partition information update.. source: 0x0
.Done.
 read 1 units.
==== PARTITION INFORMATION ====
 ID         : IBL+PBL (0x0)
 ATTR       : RO SLC (0x1002)
 FIRST_UNIT : 0
 NO_UNITS   : 1
===============================
 ID         : PIT (0x1)
 ATTR       : RO SLC (0x1002)
 FIRST_UNIT : 1
 NO_UNITS   : 1
===============================
 ID         : EFS (0x14)
 ATTR       : RW STL SLC (0x1101)
 FIRST_UNIT : 2
 NO_UNITS   : 40
===============================
 ID         : SBL (0x3)
 ATTR       : RO SLC (0x1002)
 FIRST_UNIT : 42
 NO_UNITS   : 5
===============================
 ID         : SBL2 (0x4)
 ATTR       : RO SLC (0x1002)
 FIRST_UNIT : 47
 NO_UNITS   : 5
===============================
 ID         : PARAM (0x15)
 ATTR       : RW STL SLC (0x1101)
 FIRST_UNIT : 52
 NO_UNITS   : 20
===============================
 ID         : KERNEL (0x6)
 ATTR       : RO SLC (0x1002)
 FIRST_UNIT : 72
 NO_UNITS   : 30
===============================
 ID         : RECOVERY (0x7)
 ATTR       : RO SLC (0x1002)
 FIRST_UNIT : 102
 NO_UNITS   : 30
===============================
 ID         : FACTORYFS (0x16)
 ATTR       : RW STL SLC (0x1101)
 FIRST_UNIT : 132
 NO_UNITS   : 1540
===============================
 ID         : DATAFS (0x17)
 ATTR       : RW STL SLC (0x1101)
 FIRST_UNIT : 1672
 NO_UNITS   : 2120
===============================
 ID         : CACHE (0x18)
 ATTR       : RW STL SLC (0x1101)
 FIRST_UNIT : 3792
 NO_UNITS   : 160
===============================
 ID         : MODEM (0xb)
 ATTR       : RO SLC (0x1002)
 FIRST_UNIT : 3952
 NO_UNITS   : 60
===============================
loke_init: j4fs_open success..
load_lfs_parameters valid magic code and version.
reading nps status file is successfully!.
nps status=0x504d4f43
load_debug_level reading debug level from file successfully(0x574f4c44).
init_fuel_gauge: vcell = 4013mV, soc = 86
check_quick_start_condition- Voltage: 4013.75000, Linearized[74/89/100], Capacity: 89
init_fuel_gauge: vcell = 4013mV, soc = 86, rcomp = d000
reading nps status file is successfully!.
nps status=0x504d4f43
PMIC_IRQ1    = 0x20
PMIC_IRQ2    = 0x0
PMIC_IRQ3    = 0x0
PMIC_IRQ4    = 0x0
PMIC_STATUS1 = 0x40
PMIC_STATUS2 = 0x0
get_debug_level current debug level is 0x574f4c44.
aries_process_platform: Debug Level Low
keypad_scan: key value ----------------->= 0x0
CONFIG_ARIES_REV:48 , CONFIG_ARIES_REV03:48
check_download: micorusb_status1 = 400, key_value = 0
aries_process_platform: final s1 booting mode = 0
DISPLAY_PATH_SEL[MDNIE 0x1]is on
MDNIE setting Init start!!
vsync interrupt is off
video interrupt is off
[fb0] turn on
MDNIE setting Init end!!

Autoboot (0 seconds) in progress, press any key to stop
get_debug_level current debug level is 0x574f4c44.
get_debug_level current debug level is 0x574f4c44.
boot_kernel: Debug Level Low
FOTA Check Bit
 Read BML page=, NumPgs=
FOTA Check Bit (0xffffffff)
Load Partion idx = (6)
..............................done
Kernel read success from kernel partition no.6, idx.6.
setting param.serialnr=0x3733b898 0x1ffc00ec
setting param.board_rev=0x30
setting param.cmdline=console=ttySAC2,115200 loglevel=4

Starting kernel at 0x32000000...

== The SBL (Secondary BootLoader) ==

The most interesting line out of all of that was:
Code:
Autoboot (0 seconds) in progress, press any key to stop

If you happen to hold down the Enter/Return key while booting the phone you will get into the "SBL>" prompt.
The Secondary BootLoader is essentially like u-boot.

Code:
...
DISPLAY_PATH_SEL[MDNIE 0x1]is on
MDNIE setting Init start!!
vsync interrupt is off
video interrupt is off
[fb0] turn on
MDNIE setting Init end!!

Autoboot (0 seconds) in progress, press any key to stop Autoboot aborted..
SBL>

If we type help, we will get some commands you can run. Some of these commands are affected by what is set in the environment.

Code:
SBL> help
Following commands are supported:
* setenv
* saveenv
* printenv
* help
* reset
* boot
* kernel
* format
* open
* close
* erasepart
* eraseall
* loadkernel
* showpart
* addpart
* delpart
* savepart
* nkernel
* nramdisk
* nandread
* nandwrite
* usb
* mmctest
* keyread
* readadc
* usb_read
* usb_write
* fuelgauge
* pmic_read
* pmic_write
To get commands help, Type "help <command>"
SBL>

You can get some minimal help for each command:

Code:
SBL> help loadkernel
* Help : loadkernel
* Usage : loadkernel
        load kernel image
       - loadkernel 0x80A00000 from kernel partition

Another set of interesting commands here are the ones that manipulate the environment:
  • setenv
  • saveenv
  • printenv


Code:
SBL> help setenv
* Help : setenv
* Usage : setenv [name] [value] . .
        Modify current environment info on ram

SBL> help saveenv
* Help : saveenv
* Usage : saveenv
        Save cuurent environment info to flash

SBL> help printenv
* Help : printenv
* Usage : printenv
        Print current environment info on ram

printenv is probably the safest of them to run, so let's try this first.

Code:
SBL> printenv
PARAM Rev 1.3
SERIAL_SPEED : 7
LOAD_RAMDISK : 0
BOOT_DELAY : 0
LCD_LEVEL : 97
SWITCH_SEL : 1
PHONE_DEBUG_ON : 0
LCD_DIM_LEVEL : 0
LCD_DIM_TIME : 6
MELODY_MODE : 1
REBOOT_MODE : 0
NATION_SEL : 0
LANGUAGE_SEL : 0
SET_DEFAULT_PARAM : 0
CUST_KERNEL_DL_COUNT : 0
KERNEL_BINARY_TYPE : 0
VERSION : I9000XXIL
CMDLINE : console=ttySAC2,115200 loglevel=4
DELTA_LOCATION : /mnt/rsv
PARAM_STR_3 : 
PARAM_STR_4 :

I'm not fully sure what all of these options are, but the ones I know about are SWITCH_SEL and PHONE_DEBUG_ON.

I usually turn SWITCH_SEL to 765431. If I turn 2 on, I don't get anything. It would be worthy to test each number in SWITCH_SEL to figure out what number changes what. That may be specific to the device I have.

Setting at least 6543 in SWITCH_SEL will give you kernel log output:

Code:
setenv SWITCH_SEL 6543
saveenv

I also set PHONE_DEBUG_ON to 1:

Code:
setenv PHONE_DEBUG_ON 1
saveenv

When I set this, I get some extended battery statistics like:
Code:
[BAT] CHR(0) CAS(0) CHS(3) DCR(0) ACP(2) BAT(81,0,0) TE(31) HE(1) VO(3926) ED(1000) RC(0) CC(0) VF(591) LO(0)

You must remember that after running setenv, you must then run saveenv at least once at the end to save the environment. I believe this environment info is saved to either an offset on the sbl partition or on the param.lfs. It would be useful to find this out, because u-boot has a userspace utility (that you can use from within linux userspace) to modify the u-boot environment. It may be handy to use a tool like that to modify the CMDLINE option during rom flashing time.

Also, instead of powering your phone off then on again to put the new settings in place, just run reset from the sbl prompt to reboot the phone with the new settings.

Anyways, this is what I have so far. I will be adding more to this as time goes on.

Enjoy!

-Bryan
Last edited by bhundven; 11th October 2012 at 12:19 AM. Reason: Updated
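
Added example (not part of the original post): a Python parser for the PARTITION INFORMATION block in the SBL boot log above. It lists which partitions the bootloader reports as writable and checks that the unit ranges are contiguous; the sample input is a constructed excerpt of that log and the function names are this example's own.

```python
import re

# Constructed sample: the first three records of the partition dump shown in the guide.
SAMPLE_LOG = """\
==== PARTITION INFORMATION ====
 ID         : IBL+PBL (0x0)
 ATTR       : RO SLC (0x1002)
 FIRST_UNIT : 0
 NO_UNITS   : 1
===============================
 ID         : PIT (0x1)
 ATTR       : RO SLC (0x1002)
 FIRST_UNIT : 1
 NO_UNITS   : 1
===============================
 ID         : EFS (0x14)
 ATTR       : RW STL SLC (0x1101)
 FIRST_UNIT : 2
 NO_UNITS   : 40
===============================
"""

FIELD = re.compile(r"^\s*(ID|ATTR|FIRST_UNIT|NO_UNITS)\s*:\s*(.+?)\s*$")

def parse_partitions(log):
    """Return one dict per complete partition record found in a captured boot log."""
    parts, cur = [], {}
    for line in log.splitlines():
        m = FIELD.match(line)
        if not m:
            continue                      # unrelated console output
        key, val = m.groups()
        if key == "ID":                   # an ID line starts a new record
            cur = {"name": val.split(" (")[0]}
            parts.append(cur)
        elif key == "ATTR":               # first word is RO or RW
            cur["writable"] = val.split()[0] == "RW"
        elif key == "FIRST_UNIT":
            cur["first"] = int(val)
        else:
            cur["units"] = int(val)
    # Drop records cut short by a truncated capture.
    return [p for p in parts if {"writable", "first", "units"} <= p.keys()]

def layout_problems(parts):
    """Report gaps or overlaps between consecutive partitions, ordered by first unit."""
    ordered = sorted(parts, key=lambda p: p["first"])
    problems = []
    for a, b in zip(ordered, ordered[1:]):
        end = a["first"] + a["units"]     # first unit after partition a
        if end != b["first"]:
            kind = "gap" if end < b["first"] else "overlap"
            problems.append(f"{kind} between {a['name']} and {b['name']}")
    return problems
```

Run over the full dump in the post, the same check finds all twelve partitions back to back from unit 0 to unit 4012.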
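
Added example (not part of the original post): because setenv followed by saveenv writes the environment to flash, it is worth capturing printenv before changing anything and comparing it afterwards. This Python code parses two captures, reports what changed and builds the commands that return to the baseline; the captures are constructed from the output above and all function names are assumptions of this example.

```python
import re

# Constructed captures: a trimmed printenv from the guide, before and after
# the setenv/saveenv steps it describes.
BEFORE = """\
SBL> printenv
PARAM Rev 1.3
SERIAL_SPEED : 7
SWITCH_SEL : 1
PHONE_DEBUG_ON : 0
CMDLINE : console=ttySAC2,115200 loglevel=4
PARAM_STR_3 :
"""
AFTER = (BEFORE.replace("SWITCH_SEL : 1", "SWITCH_SEL : 6543")
               .replace("PHONE_DEBUG_ON : 0", "PHONE_DEBUG_ON : 1"))

# "NAME : value" lines; the prompt echo and the "PARAM Rev" banner do not match.
ENV_LINE = re.compile(r"^([A-Z][A-Z0-9_]*) :[ \t]*(.*)$")

def parse_printenv(capture):
    """Turn captured printenv output into a {name: value} dict."""
    env = {}
    for line in capture.splitlines():
        m = ENV_LINE.match(line.rstrip("\r"))   # serial captures often carry CR
        if m:
            env[m.group(1)] = m.group(2).strip()
    return env

def diff_env(before, after):
    """Map each changed variable to (old, new); None means the variable was absent."""
    keys = sorted(set(before) | set(after))
    return {k: (before.get(k), after.get(k))
            for k in keys if before.get(k) != after.get(k)}

def restore_commands(changes):
    """SBL commands that put changed variables back to their baseline values.

    Empty values and values containing spaces are skipped: the post does not
    show how the SBL parses them, so those need to be restored by hand.
    """
    cmds = [f"setenv {k} {old}" for k, (old, _new) in changes.items()
            if old and " " not in old]
    return cmds + ["saveenv"] if cmds else []
```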
23rd September 2012, 06:58 PM   |  #2  
E:V:A
Very nice and clear guide!

Also check out my Anyway thread on more details about JIG resistances etc. Soon I hope there will be more added to that about building your own Samsung Test Jig...
25th September 2012, 04:21 PM   |  #4  
bhundven
Quote:
Originally Posted by bhundven

I usually turn SWITCH_SEL to 765431. If I turn 2 on, I don't get anything. It would be worthy to test each number in SWITCH_SEL to figure out what number changes what.

Quote:
Originally Posted by AdamOutler

Setenv switch sel 1234567
Phone debug on 1

This gives you some kernel debugging.

Yup. I've got that in there.
It's interesting to note that not all bootloaders are created equal. My results are on SGH-T959V.
Last edited by bhundven; 25th September 2012 at 04:37 PM.
25th September 2012, 06:42 PM   |  #5  
dragonnn
Any chance that it will work with Galaxy Ace too?
25th September 2012, 07:17 PM   |  #6  
bhundven
Quote:
Originally Posted by dragonnn

Any chance that it will work with Galaxy Ace too?

I'm not sure. The GT-i9001 and the SGH-i717 (at&t galaxy note) also both have the FSA9480 chip, but use Qualcomm chips. I can only get some bootloader output from the SGH-i717:

Code:
Android Bootloader - UART_DM Initialized!!!
[VIBETONZ] ENABLE
[VIBETONZ] DISABLE
HW_REV = 12
mipi_init : status = 1
HW_REV = 12
start init_charger
smb328a_init_charger : is_reboot_mode = 0, vcell = 3975
check valid dcin (0x33) = 0x0
no dcin, skip init_charger
fuelguage : soc = 80%, vcell = 3975mV
fuelguage : rcomp(0xd01f) ==?? 0xd0d0
HW_REV = 12
VReset : 0x8c
Hibernation mode : 0x0
8340 = ( 397500 - 334350 ) * 13207 / 100000
HW_REV = 12
reboot_mode = 0xb6cef249
do key check
enter normal booting mode
AST_POWERON
usable ddi data.
HW_REV = 12
HW_REV = 12

E.V.A. said that it might be some debugging setting in the kernel that might have disabled the kernel log output.
It would be helpful to get some MSM developers here to help us out with that!
25th September 2012, 08:13 PM   |  #7  
dragonnn
Quote:
Originally Posted by bhundven

I'm not sure. The GT-i9001 and the SGH-i717 (at&t galaxy note) also both have the FSA9480 chip, but use Qualcomm chips. I can only get some bootloader output from the SGH-i717:

I looked in the kernel source and it has ./drivers/i2c/chips/fsa9280.c and the driver is included in the built kernel. As far as I understand, we can use this method to recover the phone from a hard brick? That will be really nice, my friend bricked his Ace, maybe he can use this method.
25th September 2012, 08:47 PM   |  #8  
bhundven's Avatar
OP Recognized Developer
Flag Seattle, WA
Thanks Meter: 4,493
 
2,040 posts
Join Date:Joined: Aug 2009
Donate to Me
More
Quote:
Originally Posted by dragonnn

I looked in the kernel source and it has ./drivers/i2c/chips/fsa9280.c and the driver is included in the built kernel. As far as I understand, we can use this method to recover the phone from a hard brick? That will be really nice, my friend bricked his Ace, maybe he can use this method.

Currently, I only know this method to work on SGS( not sgs2 or sgs3 ) phones with the FSA9480.
26th September 2012, 03:30 PM   |  #9  
Quote:
Originally Posted by bhundven

Yup. I've got that in there.
It's interesting to note that not all bootloaders are created equal. My results are on SGH-T959V.

The switches are messages from levels 1-7. Turn on more to get more messages.
The Following 3 Users Say Thank You to AdamOutler For This Useful Post: [ View ]
26th September 2012, 06:17 PM   |  #10  
bhundven
Quote:
Originally Posted by AdamOutler

The switches are messages from levels 1-7. Turn on more to get more messages.

That makes sense, but what doesn't is if I set SWITCH_SEL to 1234567 or any combination with 2, I get no output. As long as I don't have 2 in there, it works fine. Must just be this device.

Tags
fsa9480, galaxy s, usb uart