5,596,431 Members 40,074 Now Online
XDA Developers Android and Mobile Development Forum

SUCCESS! De-Bricking Dreams - Complete JTAG Testpoints! UPDATE! 04/07/10

Tip us?
 
lbcoder
Old
#11  
Account currently disabled
Thanks Meter 92
Posts: 2,645
Join Date: Jan 2009
And this is why I use Fedora....
I don't even remember the last time an update broke something.
 
scholbert
Old
(Last edited by scholbert; 30th November 2009 at 10:39 PM.)
#12  
Senior Member
Thanks Meter 621
Posts: 1,263
Join Date: Aug 2007
Hi!

Quote:
Originally Posted by BinaryDroid View Post
@Scholbert, I thought about using those picures myself but didnt want to cause any copyright issues, I am going to put up a better picture anyhow. once thats up can you please remove the image so no one complains?
Maybe you're right. That's why i asked.
I just removed the pic!

I'm getting a Dream in the next days, if you're not able to take these pics, i may help out!
Just tell me

Best regards,

scholbert
 
scholbert
Old
(Last edited by scholbert; 30th November 2009 at 10:35 PM.)
#13  
Senior Member
Thanks Meter 621
Posts: 1,263
Join Date: Aug 2007
Ooops double post....

EDIT: You said you got already all the necessary pins.
Anyway, maybe this may help to verify:
http://forum.xda-developers.com/show...&postcount=300

Some time ago r3nrut put a very interesting package for download at his webpage. You may ask him for a link to download DreamJTAGcode.rar.
Included are professional scripts to set up the Dream with a PCI JTAG controller card named JT3710 from JTAG Technologies.
Though no one would afford such a hardware, you may find many useful files

Cheers,

scholbert
 
BinaryDroid
Old
(Last edited by BinaryDroid; 30th November 2009 at 10:53 PM.)
#14  
Member - OP
Thanks Meter 8
Posts: 52
Join Date: Oct 2009
Location: Philadelphia
Quote:
Originally Posted by scholbert View Post
Ooops double post....

EDIT: You said you got already all the necessary pins.
Anyway, maybe this may help to verify:
http://forum.xda-developers.com/show...&postcount=300

Some time ago r3nrut put a very interesting package for download at his webpage. You may ask him for a link to download DreamJTAGcode.rar.
Included are professional scripts to set up the Dream with a PCI JTAG controller card named JT3710 from JTAG Technologies.
Though no one would afford such a hardware, you may find many useful files

Cheers,

scholbert
Yes he gave me the access to the files already, thats one of the reasons I need to installed windows first lol. I never used windows on the development machine but honestly the only thing that seems to hold the important data is the scripts which are human readable so I'm almost sure they could be adopted to OpenOCD or similar. I mean it even has the label on which pins need to be set high, low or what have you, ways to flash, erase, you name it its their. after seeing those files I figured we didnt need the JTAG document that were seeking. if everyone can figure it out on other devices with no documents..surely cant be too hard. i have soooo much more software to test on linux though. i have no plan after work so probably going to install Ubuntu 9.04 , turn off updates and then test OpenOCD. that seems really positive! i've got 3 different parallel Jtag adapters made for testing, Old cheapo, Buffered, and the third is a really complicated one that has all the possible connections needed(but more to go wrong hehe)

I could really use some help on how you normally get a phone into debug mode, or how can I do a simple test to read the Chip ID?
Also does anyone have a bricked board their willing to donate? i'm doing all of this on my primary functional board and would hate to kill i, also not sure if i'm actually in debug mode.
 
scholbert
Old
(Last edited by scholbert; 1st December 2009 at 09:58 AM.)
#15  
Senior Member
Thanks Meter 621
Posts: 1,263
Join Date: Aug 2007
Hi BinaryDroid!

Quote:
I could really use some help on how you normally get a phone into debug mode, or how can I do a simple test to read the Chip ID?
May help out if i got my device....
Anyway it would be very nice idea to contact ViperBJK (author of QMAT).
He prooved JTAG access to Diamond already and good very deep knowledge of the device.

Debug mode should be also activated by hardware.
If nothing works out it would be a possibility is to ask one of the Hard-SPL creators. Disassembly of the SPL may give a hint of activating debug mode.

It's obvious, that the mode pins are important to be setup correctly.
The watchdog needs to be disabled (can't remember the pin), PS_HOLD would be required too.

The MSM chipset is bit more complex to access for debugging.
We need patience to gather the necessary informations.
MPU on Hermes was much easier i guess

EDIT:
From what i know so far, there would be mainly two methods on MSM to give access to the NAND chip:
1. Using TAP controller
This is a basic access and it is possible to toggle the pins in hardware, simple LPT adaptor should do the job.
2. Using ETM unit
This should be the mode used in QMAT.
Some binary is loaded into RAM (RAM needs to be initialised) and is used as a programming tool.
ETM gives control to the memory, but it's bit more complex to handle.

Anyway, the ARM units inside MSM chip have different ID's. Both should be accessible through primary port.
As far as in know MMU needs to be disabled while accessing the chip.

Regards,

scholbert
 
BinaryDroid
Old
(Last edited by BinaryDroid; 1st December 2009 at 03:53 PM.)
#16  
Member - OP
Thanks Meter 8
Posts: 52
Join Date: Oct 2009
Location: Philadelphia
Quote:
Originally Posted by scholbert View Post
Hi BinaryDroid!



May help out if i got my device....
Anyway it would be very nice idea to contact ViperBJK (author of QMAT).
He prooved JTAG access to Diamond already and good very deep knowledge of the device.

Debug mode should be also activated by hardware.
If nothing works out it would be a possibility is to ask one of the Hard-SPL creators. Disassembly of the SPL may give a hint of activating debug mode.

It's obvious, that the mode pins are important to be setup correctly.
The watchdog needs to be disabled (can't remember the pin), PS_HOLD would be required too.

The MSM chipset is bit more complex to access for debugging.
We need patience to gather the necessary informations.
MPU on Hermes was much easier i guess

EDIT:
From what i know so far, there would be mainly two methods on MSM to give access to the NAND chip:
1. Using TAP controller
This is a basic access and it is possible to toggle the pins in hardware, simple LPT adaptor should do the job.
2. Using ETM unit
This should be the mode used in QMAT.
Some binary is loaded into RAM (RAM needs to be initialised) and is used as a programming tool.
ETM gives control to the memory, but it's bit more complex to handle.

Anyway, the ARM units inside MSM chip have different ID's. Both should be accessible through primary port.
As far as in know MMU needs to be disabled while accessing the chip.

Regards,

scholbert
Ok well purchaed QMAt with JTAG last night since that tool has been written specifically for the job and will help with getting everything figured out, plus i need it for other projects. the QMAT setup does not mention the mode control pins being used at all for some reason. only the pins I already found which did not seem to work with my 5 wire unbuffered Wiggler. I have to do another test tonight with the complete complicated version that is suggested just until I get it working. once I know the connection works i'll adapt the simpler wiggler to do the same job so anyone trying to unbrick can build the simple $10 dollar adapter and build themselves. I aleady have a plan to make the soldering job to the jtag pins painless via modding the EM shield. at least now with QMAT purchased I can feel better asking him questions and getting correct answers. Primary JTAG is definitely the way to go. your correct also about the ps_hold pin attached to 10K resistor to the watchdog pin.
 
virdi
Old
#17  
Member
Thanks Meter 0
Posts: 34
Join Date: Jan 2009
Location: Tampa
Default Small step for Man, a giant leap for Android ;)

Quote:
Originally Posted by BinaryDroid View Post
Ok well purchaed QMAt with JTAG last night since that tool has been written specifically for the job and will help with getting everything figured out, plus i need it for other projects.
...
Primary JTAG is definitely the way to go. your correct also about the ps_hold pin attached to 10K resistor to the watchdog pin.
@BinaryDroid @r3nrut Keep going, good stuff. Thanks for your hard work!
I have my G1 taken apart (no, it's not bricked - I am changing the housing). Do you want me to label the Primary JTAG pinout on one of the high-resolution pictures I am taking?

How close are you to the secondary pinout?

Did you ever find the elusive pdf document with JTAG connection details?
# Samsung Galaxy S III I9300T
# LG G2X
# G1
 
scholbert
Old
#18  
Senior Member
Thanks Meter 621
Posts: 1,263
Join Date: Aug 2007
Wonderful

Quote:
once I know the connection works i'll adapt the simpler wiggler to do the same job so anyone trying to unbrick can build the simple $10 dollar adapter and build themselves.
Yeah that would be awesome...
To support the MSM7xxx familie in OpenOCD would also be very nice.
I saw lbcoder already posted a link

Anyway, if we use boundary scan mode the software implementation would not be very complicated.
First step would be to build up a header file from the BSD-file of MSM7xxx.
Also simple buffered LPT-adaptor could be used.
Have a look at this package...

Keep on hacking!

scholbert
Attached Files
File Type: zip sjf6400x_ver0.1_20071206.zip - [Click for QR Code] (2.47 MB, 496 views)
 
R3nrut
Old
#19  
R3nrut's Avatar
Member
Thanks Meter 0
Posts: 62
Join Date: Jun 2009
Location: DFW
Excellent work Binary Droid!!!

I'm working on gathering a few bricked boards for testing on. If I get two I'll send one your way.
HTC Sensation 4G
Nook Color ICS Nightlies
Nokia n810 WiMax w/Mer & Debian

R3nrut
EMAIL ME!
Follow on Twitter
 
twoscoops
Old
#20  
Junior Member
Thanks Meter 0
Posts: 7
Join Date: Sep 2009
Default Have they been verified?

Ok, we know the pinout, but has anyone successfully connected up to these pins and checked them? I.e. can you get a response to the IDCODE command working?

I gave it a quick test (with Segger), but it was not able to see anything on the chain.

For what it's worth, the Segger wants VTref (target reference voltage), and nSRST (target CPU reset signal) which we don't have labelled. I left nSRST disconnected and tied VTref to an external 3.3 source.

Tags
jtag
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes