I could really use some help on how you normally get a phone into debug mode, or how can I do a simple test to read the Chip ID?
May help out if i got my device....
Anyway it would be very nice idea to contact ViperBJK (author of QMAT).
He prooved JTAG access to Diamond already and good very deep knowledge of the device.
Debug mode should be also activated by hardware.
If nothing works out it would be a possibility is to ask one of the Hard-SPL creators. Disassembly of the SPL may give a hint of activating debug mode.
It's obvious, that the mode pins are important to be setup correctly.
The watchdog needs to be disabled (can't remember the pin), PS_HOLD would be required too.
The MSM chipset is bit more complex to access for debugging.
We need patience to gather the necessary informations.
MPU on Hermes was much easier i guess
From what i know so far, there would be mainly two methods on MSM to give access to the NAND chip:
1. Using TAP controller
This is a basic access and it is possible to toggle the pins in hardware, simple LPT adaptor should do the job.
2. Using ETM unit
This should be the mode used in QMAT.
Some binary is loaded into RAM (RAM needs to be initialised) and is used as a programming tool.
ETM gives control to the memory, but it's bit more complex to handle.
Anyway, the ARM units inside MSM chip have different ID's. Both should be accessible through primary port.
As far as in know MMU needs to be disabled while accessing the chip.