XDA Developers Android and Mobile Development Forum
kotbehemot
(Last edited by kotbehemot; 7th November 2011 at 05:07 PM.)
#991  
Junior Member
Thanks Meter 0
Posts: 3
Join Date: Jun 2008
Some datasheets I found on the net

I found some files concerning 7000A and 7000. I know they differ a bit, but maybe it would be helpful for the main developers in this thread. I don't know if it's ok to post it here publicly, so just let me know by pm if you need it.
- MSM7200™ Software Interface Manual
- MSM7200A™ Chipset Training MSM7200A Baseband Topics (rather common)
- MSM7xxx Qfuses and Security 80-V9038-15 Rev. C (quite interesting read about the boot process and chip safety)

I will be debricking my brother's Magic when my BusBlaster arrives, so I wanted to have the opportunity to thank you guys for your hard work. I read the thread (it took me one day, with follow ups) and it was a great read. Also the insight you were able to get from the code disassembly was awesome. Thanks and in case of any problems with the process (I think I know the process quite well now, so maybe I will be able to debrick on my own) I will be back here for help.
Great read!

Edit: I think I will try to limit soldering to the board, so has anybody any input on the quality of w!!!ww.ipmart.com/main/product/JTAG,Adapter,Compatible,For,HTC,Google,G2,,Magic,3 07712.php?prod=307712 vs w!!ww.multi-com.pl/index.php/en_US,details,id_pr,7864,menu_mode,categories.html ? The multicom (even though I'm from Poland) is 2x the price inc VAT and shipping, than the one from China (the other side of the globe). I would still like to get some feeling if I won't buy cheap, but 2x - as the Chinese quality may be inferior
Sorry for broken links (new/old user)
 
kotbehemot
(Last edited by kotbehemot; 28th November 2011 at 06:57 PM.)
#992  
Junior Member
Thanks Meter 0
Posts: 3
Join Date: Jun 2008
My little brother's Magic works again. I used BusBlaster as JTAG, LM317 as 2.6V source, BusPirate as 2.6V UART, old broken headphones as ExtUSB cable and the cheap Chinese adapter. As I already had BusPirate and some other components, I managed to limit the cost to the adapter and BusBlaster (this one will be useful for my other projects, so I don't consider this cost as just for unbricking). Adapter was ~10usd (it works, but its quality could be a bit better. There is some hot glue holding pogo pins together on top side etc), busblaster was ~50usd with shipping.
Some things I noticed:
- It's best to run openocd from a virtual machine if you don't use Linux already (it works well; it is rather complicated to cross-compile openocd as there are some problems with mingw compilation). Of course you need to compile it to be used with the ft2232 interface.
- I used openocd 0.5 but I had to add the adapter_khz option to the config (10000 worked, higher probably possible). It had some warnings:
"Info : JTAG tap: arm9.cpu tap/device found: 0x301700e1 (mfg: 0x070, part: 0x0170, ver: 0x3)
Warn : JTAG tap: arm9.cpu UNEXPECTED: 0x301700e1 (mfg: 0x070, part: 0x0170, ver: 0x3)
Error: JTAG tap: arm9.cpu expected 1 of 1: 0xa01700e1 (mfg: 0x070, part: 0x0170, ver: 0xa)"
It seems that it finds an arm9 core with a different version than the one in the config specified in the debricking manual. It works without any changes, though.
- I had initial problems because I had a 6.x radio that I didn't know of, so I had to run load_image a second time with a proper offset. That solved all the problems (thanks for that info).
- After the first attempt with cego it went into a different boot mode (as a result of watchdog, or the watchdog event itself was a result of some error in the boot process). The second attempt was successful and it went into fastboot.
The fastboot allowed me to clear all the partitions and upload hboot and recovery, but after reboot the recovery didn't boot.
- THIS IS THE IMPORTANT PART: From the console output I found that it always entered boot mode 1 no matter which combination of buttons I pressed. To solve it, in the console, in blue LED mode, I typed "setboot 0" and pressed enter. That allowed it to start in the modes depending on the buttons pressed.

Afterwards the standard way to load the system from recovery was all that was needed to start a working system. I want to thank all the people that had input into this thread and who spent massive spare time to develop this open solution to debricking of the Magic. Thanks!

edit: I updated wiki on cyanogen to include the setboot 0 step in case it doesn't work.
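
The OpenOCD warnings quoted in the post above differ only in the top four bits of the IDCODE, consistent with the poster's observation that the session works without changes. As an added example (not part of the original post or the debricking manual), this Python code decodes the IEEE 1149.1 IDCODE layout from those log lines and reports which fields differ; the names `decode_idcode` and `triage` are hypothetical.

```python
import re
from typing import NamedTuple

class IdCode(NamedTuple):
    version: int       # bits 31..28, silicon revision
    part: int          # bits 27..12, part number
    manufacturer: int  # bits 11..1, JEDEC manufacturer code
    marker: int        # bit 0, always 1 in a valid IDCODE

def decode_idcode(value: int) -> IdCode:
    """Split a 32-bit IEEE 1149.1 IDCODE into its fields."""
    return IdCode((value >> 28) & 0xF, (value >> 12) & 0xFFFF,
                  (value >> 1) & 0x7FF, value & 1)

TAP_LINE = re.compile(
    r"JTAG tap: (?P<tap>\S+) (?P<kind>tap/device found|expected \d+ of \d+): "
    r"(?P<id>0x[0-9a-fA-F]{8})")

def triage(log: str) -> dict:
    """For each TAP, list the IDCODE fields that differ from each expected ID."""
    found, expected = {}, {}
    for m in TAP_LINE.finditer(log):
        value = int(m["id"], 16)
        if m["kind"].startswith("tap/device"):
            found[m["tap"]] = value
        else:
            expected.setdefault(m["tap"], []).append(value)
    report = {}
    for tap, seen in found.items():
        got = decode_idcode(seen)
        diffs = [[f for f in IdCode._fields
                  if getattr(got, f) != getattr(decode_idcode(want), f)]
                 for want in expected.get(tap, [])]
        report[tap] = {
            "found": got,
            "diffs": diffs,
            # True only when every expected ID differs in the revision nibble alone
            "revision_only": bool(diffs) and all(d == ["version"] for d in diffs),
        }
    return report

# The three OpenOCD lines quoted in the post above.
LOG = """\
Info : JTAG tap: arm9.cpu tap/device found: 0x301700e1 (mfg: 0x070, part: 0x0170, ver: 0x3)
Warn : JTAG tap: arm9.cpu UNEXPECTED: 0x301700e1 (mfg: 0x070, part: 0x0170, ver: 0x3)
Error: JTAG tap: arm9.cpu expected 1 of 1: 0xa01700e1 (mfg: 0x070, part: 0x0170, ver: 0xa)
"""

if __name__ == "__main__":
    for tap, result in triage(LOG).items():
        print(tap, result)
```

A difference in the part or manufacturer field, or a marker bit of 0, points to a different device or an unreliable scan chain rather than a silicon revision.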
 
benosedr
#993  
Junior Member
Thanks Meter 0
Posts: 8
Join Date: Nov 2006
Location: bistrita
jtag

Quote:
Originally Posted by scholbert View Post
Hi!

Just finished a slightly modded schematic to fit the wiggler LPT pinout.
This one is also capable of handling the low voltage levels of HTC Dream JTAG port.
Have fun!

Regards,

scholbert
Is this interface OK for repairing the boot zone of an HTC Mozart?
 
tonne99
(Last edited by tonne99; 3rd April 2012 at 04:54 PM.)
#994  
Junior Member
Thanks Meter 0
Posts: 15
Join Date: Jun 2010
Hi,

After the de-brick, my Dream only boots with stock firmware 1.5:
Code:
boot reason: PM_WDOG_TOUT_RT_ST

(PowerOn Status,Boot Reason)=(16,4)
NAND_FLASH_READ_ID : SAMSUNG_256MB_FLASH_128MB_SDRAM

ARM9_BOOT_MODE0, Boot Linux
Clearing RAM...
Load Bootimg header, addr=0x507C0000 taget=0xA8100000
bad=0x15E
Load Bootimg header OK
Load Kernel, addr=0x507C0800 taget=0x80008000 Size=0x00153004
bad=0x15E
Load kernel OK
bad block=0x15E
bad block num=1
Load ramdisk, addr=0x50934000 target=0x81000000  Size=0x00022C1D
Load ramdisk OK
SPL2 doesn't exist
Load OK.
SetupTAG addr=0x80000100 cmdline add=0xA8100040
TAG:Ramdisk OK
Get CID OK
 androidboot.serialno=HT852KV01331
boot reason=0x0
commandline from head: no_console_suspend=1
command line length =277
active commandline: board_trout.disable_uart3=0 board_trout.usb_h2w_sw=0 board_t
rout.disable_sdcard=0 board_trout.smisize=64  androidboot.baseband=1.22.12.29 an
droidboot.bootloader=0.95.0000 androidboot.carrier=TMA board_trout.keycaps=qwert
z androidboot.serialno=HT852KV01331 no_console_suspend=1

PARTITIOM_NUM_MAX =6 Valid partition num=6
jump to linux kernel
Every time after flashing another custom rom like CyanogenMod, Ginger Yoshi, SuperBler (with the recommended hboot / radio) it doesn't start up:
Code:
boot reason: PM_KPD_PWR_KEY_ON_RT_ST

(PowerOn Status,Boot Reason)=(1,1)
NAND_FLASH_READ_ID : SAMSUNG_256MB_FLASH_128MB_SDRAM

ARM9_BOOT_MODE0, Boot Android
Y2…͡8 bit
-msm_nand_probe
[MDDI] Bitmap_Width = 480
[MDDI] Bitmap_Height = 640
[MDDI] RGB_Capability = 0x8888
[MDDI] Mfr_Name = 0xD263
[MDDI] Product_Code = 0x0
Board_PID : 0x1F
Wlan data header ++++++++++++++++++++
                                     Signature : 0xEE1251
UpdateStatus : 0x2
UpdateCount : 0x321A
BodyLength : 0x2F0
BodyCRC : 0xE829B1C1
aDieId(0) : 0xD00D4080
aDieId(1) : 0x7D087284
aDieId(2) : 0x20000000
aDieId(3) : 0x964
countryID : 0x30
Wlan data header --------------------------
                                           chipset_bootmode reset_reason:0
ARM11 Boot Mode: 0
Platform: HBOOT-7201A
[ERR] partition_read::Failed to read page 22400 or it is empty
[ERR] boot image does not exist!!!

###[ Fastboot Mode ]###
I've tried it several times with fastboot erase commands:
Code:
fastboot erase hboot
fastboot erase recovery
fastboot erase system
fastboot erase userdata
fastboot erase cache
fastboot erase boot
But no success.

Any suggestion to get my Dream working with an up-to-date rom?

Regards,
tonne
 
demkantor
#995  
Senior Member
Thanks Meter 976
Posts: 3,121
Join Date: Nov 2011
Location: mpls
jtag was used to get your phone back right? then from there what was the radio and spl you had? from this point it booted to a stock 1.5? what were the steps you took to root and upgrade recovery, radio, spl and rom from here. if you are up to the spl 1.33.0013d then you can't use anything in fastboot besides fastboot -w. so what is your current recovery, radio and spl.
 
tonne99
#996  
Junior Member
Thanks Meter 0
Posts: 15
Join Date: Jun 2010
Quote:
Originally Posted by demkantor View Post
jtag was used to get your phone back right? then from there what was the radio and spl you had? from this point it booted to a stock 1.5? what were the steps you took to root and upgrade recovery, radio, spl and rom from here. if you are up to the spl 1.33.0013d then you can't use anything in fastboot besides fastboot -w. so what is your current recovery, radio and spl.
After De-Brick I've had SPL ...2005 and radio 2.22.19 26I. But CyanogenMod didn't boot. So I flashed SPL ...33d and radio 2.22.27.08 to try Ginger Yoshi 1.5. No success, no boot. But every time I start over from bootloader with inserted sd card and dreaimg.img on it and "downgrade" the dream, 1.5 boots without any error.
And then to test it once again: Rooting -> telnetd -> flashing recovery -> flashing radio ...26l -> flashing danger spl -> flashing CyanogenMod -> no boot
I've tried super wipe from recovery before flashing another rom. No boot after flashing a new rom.
I hope this is more precise to understand what's the problem.
I am familiar with hboot, S-OFF, S-ON, fastboot and I know that several commands do not work with some hboot versions / security settings.

Regards,
tonne
 
demkantor
#997  
Senior Member
Thanks Meter 976
Posts: 3,121
Join Date: Nov 2011
Location: mpls
if downgrading and rerooting works, try this and flash a rom from recovery that is compatible with your radio spl (like cm4) and this should work. if so try to upgrade to the danger spl and then try updating through recovery something like cm5. if this works, great; if they don't work, try updating through fastboot.
once all of this is confirmed working update radio and spl and then try something newer like froyobylaszlo.
i only recommend all these steps to see where the problem occurs
 
BLKro
(Last edited by BLKro; 22nd May 2012 at 09:42 PM.)
#998  
Junior Member
Thanks Meter 0
Posts: 10
Join Date: Jan 2010
I gathered my logs in case someone can help me.

////////////////////////////////////
normal power, just power button pressed

the phone just reboots at the vodafone logo

this happened after i flashed a recovery that was not compatible with the radio that i had (i don't know for sure but i think i had a 6.xx radio)

after flashing that recovery from the android market, clockworkmod, if i remember correctly, i checked an option to reboot into fastboot, or something like that, and after that, the phone kept looping in the vodafone logo. before that, all was ok.
////////////////////////////////////
Code:
boot reason: PM_KPD_PWR_KEY_ON_RT_ST

(PowerOn Status,Boot Reason)=(1,1)
NAND_FLASH_READ_ID : MICRON_512MB_FLASH_256MB_SDRAM

ARM9_BOOT_MODE0, Boot Android
Read CFG0 = AA5400C0, CFG1 = 0008746E
[NAND SCAN] CFG0 = 0xE85408C0, CFG1 = 0x8746E
[NAND SCAN] flash: id 5590BC2C, size 20000000
[NAND SCAN] Use wide flash 16 bit
Camera 3M
panel_id = 0x1 
Sharp panel detected 
Panel_NT_sharp_power_on enter.
EEPROM: read 2032 bytes
Board_PID : 0x2E
Wlan data header ++++++++++++++++++++
                                     Signature : 0xEE1251
UpdateStatus : 0x2
UpdateCount : 0x3
BodyLength : 0x2F0
BodyCRC : 0xCB610515
aDieId(0) : 0x0
aDieId(1) : 0x0
aDieId(2) : 0x0
aDieId(3) : 0x0
countryID : 0x30
Wlan data header --------------------------
                                           ARM11 Boot Mode: 3
Platform: HBOOT-7201A
msm_nand_dm_read_oob 0x02712000 2048 0 failed (-117), correct 1 bits
[ERR] ECC error has been corrected(errno -117): page id 20004
msm_nand_dm_read_oob 0x028CD800 2048 0 failed (-117), correct 1 bits
[ERR] ECC error has been corrected(errno -117): page id 20891
setup_tag addr=0xA0000100 cmdline add=0x8F0841F0
TAG:Ramdisk OK
TAG:smi ok, size = 32
TAG:hwid 0x1
TAG:skuid 0x21401
TAG:hero panel = 0x0
TAG:engineerid = 0x2
Device CID is not super CID
CID is VODAPP25
setting.cid::VODAPP25
serial number: HT978KF02036
commandline from head: no_console_suspend=1 console=null
command line length =367
active commandline: board_sapphire.disable_uart3=0 board_sapphire.usb_h2w_sw=0 board_sapphire.disal
aARM_Partion[0].name=misc
aARM_Partion[1].name=recovery
aARM_Partion[2].name=boot
aARM_Partion[3].name=system
aARM_Partion[4].name=cache
aARM_Partion[5].name=userdata
partition number=6
Valid partition num=6
69466957 
69784520 
7473 
0 
0 
0 
0 
0 
0 
0 
0 
0 
0 
0 
0 
0 
0 
0 
0 
0 
0 
0 
0 
0
//////////////////////////////////
trackball power
//////////////////////////////////
Code:
boot reason: PM_KPD_PWR_KEY_ON_RT_ST

(PowerOn Status,Boot Reason)=(1,1)
NAND_FLASH_READ_ID : MICRON_512MB_FLASH_256MB_SDRAM

ARM9_BOOT_MODE1
OPENOCD
Code:
root@blk-MS-6566:/home/blk/magic# openocd -f magic.cfg 
Open On-Chip Debugger 0.5.0-dev-00964-gb5a324e (2011-07-29-01:16)
Licensed under GNU GPL v2
For bug reports, read
	http://openocd.berlios.de/doc/doxygen/bugs.html
Warn : Adapter driver 'parport' did not declare which transports it allows; assuming legacy JTAG-only
Info : only one transport option; autoselect 'jtag'
parport port = 0x0
100 kHz
trst_and_srst srst_pulls_trst srst_gates_jtag trst_push_pull srst_open_drain
dcc downloads are enabled
fast memory access is enabled
Info : clock speed 100 kHz
Info : JTAG tap: arm9.cpu tap/device found: 0x301700e1 (mfg: 0x070, part: 0x0170, ver: 0x3)
Info : Embedded ICE version 6
Info : arm9: hardware has 2 breakpoint/watchpoint units
Info : accepting 'telnet' connection from 4444
target state: halted
target halted in ARM state due to debug-request, current mode: Supervisor
cpsr: 0x600000d3 pc: 0x0090909c
MMU: disabled, D-Cache: disabled, I-Cache: disabled
After the above, I tried

Code:
load_image small.img 0x103b5300
a small test file about 500k, which went ok (xx bytes written at address 0x..)
but then I tried

Code:
verify_image small.img 0x103b5300
which gives me "checksum mismatch ... more than 128 errors..."

If I try the same thing at 100kHz, I don't even get the verify error, it just says "memory read caused data abort". I have now tried a small file, just 1kB which writes and verifies OK "verified x bytes".

Is there any way I can get out of this loop? I tried the commands for hboot, but I get no response from the phone after "resume" and then "shutdown". The serial does not respond, not to "version" not to "?", nothing.

Please help, I am out of ideas. Should I try to load the radio and the radata even if verify_image fails?

Thanks in advance,
Alex
 
BLKro
#999  
Junior Member
Thanks Meter 0
Posts: 10
Join Date: Jan 2010
I think that I have at last figured it out. I have serial working, openocd responding to commands. So I know that the setup is OK-ish.

I have tweaked the supply voltage from 2.59 to 2.61 and saw that I get more errors when I am not at 2.6. So it seems that the JTAG is unstable, even without serial cable attached. I am trying now to find out why, I will try changing the power supply to an external one (I am currently using USB to power the JTAG through an LM317). I will try filtering the supply better. If I am at around 2.6V (as close as my multimeter allows), I am able to write and verify a 500kB test file. I still do get errors from time to time, but not as many as before (when I was at 2.61-2.62).

If I have on the phone a 6.xx radio, how can I change these offsets so that I can get into fastboot:

Code:
halt
mww 0x0090379C 0xea000013
mww 0x9029d8 0x0
load_image /tmp/hboot.img 0x0
mww 0x00000c0c 0x98000C4C
mww 0x00000c08 0x98000C4C
mww 0x00000c04 0x98000C4C
mww 0x00000c00 0x98000C4C
resume
shutdown
As I remember, the reason for my phone not turning on is an incompatibility between recovery and radio. If I can get into fastboot (having to enter shorter commands, maybe the JTAG will work) and write the RA recovery, I think I will be able to turn on the phone, or not?

As far as I can see from the serial output, when turning on the phone normally, it goes into bootmode0 then enters bootmode3, finds some errors and resets. I think this is the problem and I have no idea how to get around it without having to write that big radio file (which seems impossible at this time), so that the offsets work and enter fastboot.

Regards,
A.
 
BLKro
(Last edited by BLKro; 24th May 2012 at 11:57 PM.)
#1000  
Junior Member
Thanks Meter 0
Posts: 10
Join Date: Jan 2010
I have managed to unbrick using the Olimex USB-Tiny adapter. Now everything seems to be working, but when I want to power down the phone, from Android, or from recovery, it just restarts. What could be wrong? I have read something about radio 3.22.26.17 not meant for the Magic (I've got a 32A), people recommended 3.22.20.17. Should I install this version?

 