
HTC Dream/JTAG Softboot

From XDA-Developers
Revision as of 10:17, 22 February 2011 by Stewdk

JTAG your DREAM or MAGIC back to life after a failed SPL or Radio flash.

What is JTAG

JTAG is a hardware debugging interface. It allows both validating that the hardware has been assembled correctly and providing debug access to the device's CPU, and it is usually available independently of the firmware. It allows debugging at a level that is sometimes inaccessible by any other means (short of very expensive test equipment).


Both the HTC Dream and HTC Magic processors support JTAG; however, they do not expose a standard JTAG port. This means we must build an interface between the phone and an ARM-compatible JTAG adapter.

As we are working on a very open-source-friendly device, we will use the OpenOCD software to access the phone's CPU in debug mode and to load and execute the commands for all of the hacks described here.

The following process allows for both of the following:

  • Restoring bricks to operation
  • Installing Engineering SPLs (until a software means is available)

Please note: this is a very advanced procedure and is not recommended for rooting devices unless there is no other method, as it is very possible to cause permanent damage to the phone.

Preparations

You will require the following to work through this procedure:

OpenOCD compatible JTAG adapter supporting a 2.6V reference voltage
Some known to work examples are:

2.6V reference voltage
This may come from:
  • the device itself (please see your device's pin-out if a 2.6V reference voltage is known)
  • an LM317 variable voltage regulator with an input voltage between 5V (USB port) and 9V (square battery or ARM-USB-OCD power port)

HTC Serial wire

Used to interact with OEMSBL and to output debug information from the phone.

Some options are:

  • Instructables wire (an example)
  • MAX232 adapter to convert the serial port to the approx. 2.8V/3.3V logic levels the phone's serial port operates at

Note: OEMSBL doesn't always boot correctly when the phone is charging, so it is recommended to leave the USB +5V line detached, or able to be detached. It is also possible to make a wire that attaches to both USB and serial.
You can use an HTC headset as a cheap ExtUSB breakout.

OpenOCD v0.4.0: this is the version tested. OpenOCD changes frequently, so other versions may or may not be compatible with the instructions here.
OpenOCD CFG files

Some pre-made ones (with configuration for the JTAG adapter + phone)

The generic profile does not specify a JTAG interface; please specify the one for your adapter (see /usr/share/openocd/scripts/interface/ in your install for examples)

Engineering SPL

Extract the 'hboot.img' file from the recommended SPL update.zip:

  • Dream 1.33.2005 MD5: 2B1AAA9012DC28F88C482E1B21A46FDD
  • Magic 1.33.2009 MD5: 6FE91DDD2AC591F8EE838CEA3E5F84B0
Radio 3.22.26.17

MD5: 0eb7c5530ef38eeaa07590e6924c7814 (if you know this radio is already installed on your device you will not need it; there are also ways to skip using this radio, but for simplicity we will use it in this process)

Note: this was originally released as a radio for the Rogers Dream; however, it works on *all* Dream and Magic devices.

Check the MD5 of each downloaded image against the values above before flashing anything; a truncated or mismatched download must never be loaded.

EBI1 recovery image
Fully charged battery: it is best to charge it before opening up the phone.
Working radio firmware

We use the radio firmware to help us fix the phone, so if the radio won't work this process won't work.

How to tell:

If, while the phone is off, the LED turns on (green/red/orange) to indicate that the phone is charging, the radio is working. Alternatively, if you turn the phone on while holding down the trackball, the phone ought to turn on the blue LED (i.e. blue-light mode).


Attach the JTAG

[Image: HTC Dream with JTAG attached; vref is not shown, as an external power supply was used]

This is unfortunately the hard part: attaching the JTAG adapter to the device.

You will need to attach the following wires to the device:

  • TRST-N
  • TDI
  • TMS
  • TCK
  • TDO
  • GND
  • vREF (not required if you built the LM317 circuit)

GND is anything electrically connected to the battery's negative terminal; this includes all of the device's shielding. TRST-N: if the JTAG connection fails, it is possible that this signal has to be inverted or tied high (2.6V), depending on your JTAG adapter.

The points can be found:

These then need to be attached to the JTAG adapter:

  • If you built one, please see the connection points in your schematic
  • If you have a standard ARM 20-pin adapter, look at the pin-out

Please ensure ground is well connected and the voltages are correct before attaching to the phone or adapter.

If you run into trouble establishing a working JTAG connection: double-check all connections, and make sure TRST is well connected and at the correct level. If your connection is not stable, verify each image upload by running the "verify_image" command (same file and address) after the "load_image" command; it re-reads the target memory and compares it with the file. Sometimes it helps to disconnect the serial cable while uploading an image over JTAG, to reduce noise.

Loading Radio 3.22.26.17

If you know this is the radio you are already using (for example, if you are a Rogers Dream user with the 911 update applied) you may skip this. However, if you don't know which radio version you are using, or are on a different radio, please proceed.

This is based on ezterry's instructions found at http://forum.xda-developers.com/showthread.php?p=6100287&highlight=radata#post6100287

Theory

The concept is simple: normally the SPL loads the radio (radio.img) into RAM and then calls the OEMSBL 'radata' command to actually flash it. Here we can't boot the SPL, so we load the image into RAM via JTAG ourselves and then call 'radata <offset> <size>', where <offset> is the address we loaded the file at and <size> is its length in bytes (both in hex, without a 0x prefix).

Please note: the Magic 6.x radio requires a different offset or the flash will fail (it will not brick the phone further; it just fails to flash). See the note about the 6.x radio below for the correct offset.

Steps

  1. Attach the JTAG wires to the phone (do not start OpenOCD yet)
  2. While holding down the 'Action' button (the scroll ball) press power (the phone ought to have turned on the blue LED if the screen is attached; if not, let's assume it did)
  3. Plug in the HTC serial wire
  4. Start a terminal session on the serial wire
    • POSIX: run 'screen /dev/<serial device> 115200', where <serial device> is the TTY used by the HTC serial connector
    • Windows: connect to the COM port at 115200 baud, 8 data bits, with no software or hardware flow control
  5. Over the serial line type '?' (then enter)
    The phone will not echo what you type, but ought to reply:
    Invalid command : ?
  6. Now start OpenOCD: from the directory with the cfg file run:
    openocd -f <dream|magic>.cfg
    replacing <dream|magic> with the name of the cfg file you created for the phone.
    We ought to now see:
    we ought to now see:
    Open On-Chip Debugger 0.4.0 (2010-03-04-07:17)
    Licensed under GNU GPL v2
    For bug reports, read
    	http://openocd.berlios.de/doc/doxygen/bugs.html
    trst_and_srst srst_pulls_trst srst_gates_jtag trst_push_pull srst_open_drain
    dcc downloads are enabled
    fast memory access is enabled
    Info : clock speed 6000 kHz
    Info : JTAG tap: arm9.cpu tap/device found: 0xa01700e1 (mfg: 0x070, part: 0x0170, ver: 0xa)
    Info : Embedded ICE version 6
    Info : arm9: hardware has 2 breakpoint/watchpoint units
  7. Connect to OpenOCD via telnet (port 4444 on localhost: 'telnet localhost 4444') and load the radio image into RAM:
    1. type 'halt' (then enter)
    2. type 'load_image /tmp/radio-3.22.26.17_dream.img 0x103B5300' (then enter), replacing '/tmp/' with the path to your copy of the radio image
    3. type 'resume' (then enter)
    4. type 'shutdown' (then enter) to exit OpenOCD and terminate the JTAG server
    Trying ::1...
    telnet: connect to address ::1: Connection refused
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    Open On-Chip Debugger
    > halt
    target state: halted
    target halted in ARM state due to debug-request, current mode: Supervisor
    cpsr: 0x800000d3 pc: 0x00947b8c
    MMU: disabled, D-Cache: disabled, I-Cache: disabled
    > load_image /tmp/radio-3.22.26.17_dream.img 0x103B5300
    No working memory available. Specify -work-area-phys to target.
    no working area available, falling back to memory writes
    22020096 bytes written at address 0x103b5300
    downloaded 22020096 bytes in 813.456421s (26.435 kb/s)
    > resume
    > shutdown
    shutdown command invoked
    > Connection closed by foreign host.

    Note: this will take a while. Wiggler users, be patient: it will take ~50 minutes to load (~6.9 kB/s). If your JTAG connection is flaky, run 'verify_image /tmp/radio-3.22.26.17_dream.img 0x103B5300' before 'resume', so that a corrupted upload is caught before radata flashes it.

  8. Over the HTC serial console run 'radata 103B5300 01500000' (then enter); the size argument 01500000 is hex for the 22020096 bytes that load_image wrote. This will take a moment to validate and flash the radio:
     FA0F129C
    Format EFS...  
    EFS Block: 234-277
    Erase Block: 234
    Erase Block: 235
    Erase Block: 236
    Erase Block: 237
    
    ...continues ...
    
    Erase Block: 272
    Erase Block: 273
    Erase Block: 274
    Erase Block: 275
    Erase Block: 276
    Erase Block: 277
    Done
    
    HTCST   <non-printable bytes>HTCE
  9. Over the HTC serial console run 'powerdown' (then enter); this will turn off the phone (if you run '?' after this you ought to receive no reply).

Now radio 3.22.26.17 is installed and we can continue with the rest of the instructions.

Magic 32A users with 6.x radio

If you have the 6.x radio installed, the 3.22.26.17 radio loading procedure as given above will fail.

Two simple changes will get you on your way:

  • Change the OpenOCD command 'load_image /tmp/radio-3.22.26.17_dream.img 0x103B5300' to 'load_image /tmp/radio-3.22.26.17_dream.img 0x19500000'
  • Change the radio command 'radata 103B5300 01500000' to 'radata 19500000 01500000'

If you are unsure which radio is installed:

The radata command usually outputs "FA0F129C" within 5 minutes; this indicates that the signature of the radio image is valid and flashing is beginning. With the 6.x radio, however, that point is never reached.

So after 5 minutes (check your clock) of waiting, unplug the power to the JTAG adapter, the serial wire and the battery to power down the system, and try again with the 6.x radio modifications.
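The following is an added example, not code from the XDA page or from ezterry: it ties together the MD5 check from the Preparations section and the radio-loading procedure above (both the Dream offset and the Magic 6.x offset), computing the 'load_image' and 'radata' arguments from the file's real length instead of typing them by hand. The function names, the PLATFORM_BASES table keys, the path '/tmp/radio-3.22.26.17_dream.img' and the 3-byte sample image used in the demo are my assumptions; the MD5, the size 0x01500000 and the two load addresses are the page's.

```python
"""Added example (not from the XDA page): verify a downloaded radio image
against the page's MD5, then derive the OpenOCD and OEMSBL commands from it.

Assumptions (mine, not the page's): function names, the 'dream'/'magic-6x'
keys, and the constructed 3-byte sample image in the demo at the bottom."""
import hashlib
from typing import Optional

# Values stated on the page for radio 3.22.26.17.
RADIO_MD5 = "0eb7c5530ef38eeaa07590e6924c7814"
RADIO_SIZE = 0x01500000          # 22020096 bytes, the count load_image reports

# RAM address the image is loaded to before radata is called.
PLATFORM_BASES = {
    "dream": 0x103B5300,         # Dream (and a Magic not running a 6.x radio)
    "magic-6x": 0x19500000,      # Magic 32A currently running a 6.x radio
}
ADDRESS_SPACE = 1 << 32          # 32-bit ARM target


def verify_image(data: bytes, expected_md5: str,
                 expected_size: Optional[int] = None) -> str:
    """Return the hex MD5 if it matches; raise on any mismatch.

    A truncated or wrong file must never reach radata: the flash is done blind
    over a serial console and there is no second bootloader to fall back on."""
    actual = hashlib.md5(data).hexdigest()
    if actual != expected_md5.lower():
        raise ValueError(f"MD5 mismatch: got {actual}, expected {expected_md5.lower()}")
    if expected_size is not None and len(data) != expected_size:
        raise ValueError(f"size mismatch: got {len(data)} bytes, expected {expected_size}")
    return actual


def radio_flash_plan(path: str, size: int, platform: str) -> dict:
    """Commands for the OpenOCD telnet session and the OEMSBL serial console."""
    base = PLATFORM_BASES[platform]
    if base + size > ADDRESS_SPACE:             # sanity: must fit in the address space
        raise ValueError("image does not fit above the load address")
    return {
        # OpenOCD (telnet localhost 4444): addresses take a 0x prefix.
        "openocd": [
            "halt",
            f"load_image {path} 0x{base:08X}",
            f"verify_image {path} 0x{base:08X}",   # re-read and compare after a noisy upload
            "resume",
            "shutdown",
        ],
        # OEMSBL console: bare 8-digit hex, offset first, then size in bytes.
        "serial": [f"radata {base:08X} {size:08X}", "powerdown"],
    }


def plan_from_bytes(data: bytes, path: str, platform: str,
                    expected_md5: str = RADIO_MD5,
                    expected_size: Optional[int] = RADIO_SIZE) -> dict:
    """Verify first, then build the plan from the file's real length."""
    verify_image(data, expected_md5, expected_size)
    return radio_flash_plan(path, len(data), platform)


if __name__ == "__main__":
    # Constructed sample standing in for a real download (3 bytes; MD5 of "abc").
    sample = b"abc"
    plan = plan_from_bytes(sample, "/tmp/radio-3.22.26.17_dream.img", "dream",
                           expected_md5="900150983cd24fb0d6963f7d28e17f72",
                           expected_size=len(sample))
    for line in plan["openocd"] + plan["serial"]:
        print(line)
```

For the real image, read the file and call plan_from_bytes(data, path, "dream") or plan_from_bytes(data, path, "magic-6x") with the defaults; the size argument it prints for radata will be 01500000 only if the file really is the 22020096-byte image the page describes.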

Soft boot and flash Engineering SPL

Now we need to load the Engineering SPL into RAM and force it to enter fastboot (this is the 2005/2009 SPL you have already downloaded).

This is based on the following posts by ezterry and bart99:

http://forum.xda-developers.com/showpost.php?p=5934885&postcount=6
http://forum.xda-developers.com/showpost.php?p=5911627&postcount=302
http://forum.xda-developers.com/showpost.php?p=6260574&postcount=510

Theory

The high-level approach is first to bypass the security check that prevents us from running the additional OEMSBL commands. This is done by changing the instruction at 0x0090379C from a beq (branch if equal) to a b (unconditional branch), which turns the logic from if(security flag){...} into if(false){...}. The word written, 0xea000013, carries condition code 0xE (always) in its top four bits; the branch offset field is left as it was, so only the condition changes.

Next we slightly modify the 'cego' command to skip loading the SPL from flash (and thus just use the contents already in RAM): the instruction at 0x9029d8 is a bl (branch with link) that we overwrite with 0x00000000, which decodes as 'andeq r0, r0, r0' and behaves as a no-op.

Last, we load the SPL into RAM ourselves (at 0x0) and modify it so that boot modes 0, 1, 2 and 3 all enter fastboot instead of their usual operations: 0x00000c00 - 0x00000c0c is the boot-mode switch jump table, and all four entries are pointed at the same target, 0x98000C4C.

Note: these offsets only apply to the 3.22.26.17 radio, so that radio needs to be loaded via radata before starting this process (if it is not already installed, as in the case of rooting a Rogers 911-patched Dream).
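The following is an added example, not code from the XDA page, ezterry or bart99: it decodes the three ARM (A32) patches described in the Theory above and regenerates the OpenOCD command list from the page's addresses and values, so each 'mww' can be checked against what the page shows before it is typed into the telnet session. The addresses, patch words and jump-table target are the page's; the assumption that the original word at 0x0090379C is 0x0A000013 (the same branch offset with condition EQ) is mine, since the page only says it is a beq and never prints the original word. Function names and the '/tmp/hboot.img' default are also assumptions.

```python
"""Added example (not from the XDA page): decode the softboot's ARM patches
and regenerate the OpenOCD command list.

Assumptions (mine): original word at 0x0090379C is 0x0A000013; function names;
the default hboot path."""

COND_EQ, COND_AL = 0x0, 0xE
COND_NAMES = {0x0: "eq", 0x1: "ne", 0xE: ""}   # AL is written without a suffix

# Values from the page.
SEC_CHECK_ADDR  = 0x0090379C   # beq -> b : security check bypass
SEC_CHECK_PATCH = 0xEA000013
CEGO_BL_ADDR    = 0x009029D8   # bl -> nop : cego uses the SPL already in RAM
CEGO_PATCH      = 0x00000000
JUMP_TABLE      = 0x00000C00   # boot-mode switch table, four 32-bit entries
FASTBOOT_ENTRY  = 0x98000C4C   # target written into all four entries


def cond(word: int) -> int:
    return (word >> 28) & 0xF


def set_cond(word: int, c: int) -> int:
    return (word & 0x0FFFFFFF) | (c << 28)


def is_branch(word: int) -> bool:
    """A32 B/BL: bits 27..25 are 0b101."""
    return (word >> 25) & 0x7 == 0b101


def branch_target(addr: int, word: int) -> int:
    """Target of a B/BL at addr: PC reads as addr+8; imm24 is a signed word offset."""
    imm24 = word & 0x00FFFFFF
    if imm24 & 0x00800000:
        imm24 -= 1 << 24
    return (addr + 8 + imm24 * 4) & 0xFFFFFFFF


def describe(addr: int, word: int) -> str:
    """Minimal disassembly for the two instruction kinds the patches touch."""
    if word == 0:
        return "andeq r0, r0, r0 (effective nop)"
    if is_branch(word):
        link = "l" if word & 0x01000000 else ""
        suffix = COND_NAMES.get(cond(word), "?")
        return f"b{link}{suffix} 0x{branch_target(addr, word):08X}"
    return "non-branch"


def make_unconditional(word: int) -> int:
    """The beq -> b patch: keep the offset field, force the condition to AL."""
    if not is_branch(word):
        raise ValueError("not a B/BL instruction")
    return set_cond(word, COND_AL)


def softboot_commands(hboot_path: str = "/tmp/hboot.img") -> list:
    """OpenOCD telnet commands in the order (and hex style) the page shows."""
    cmds = [
        "halt",
        f"mww 0x{SEC_CHECK_ADDR:08X} 0x{SEC_CHECK_PATCH:08x}",
        f"mww 0x{CEGO_BL_ADDR:x} 0x{CEGO_PATCH:x}",
        f"load_image {hboot_path} 0x0",
    ]
    for i in reversed(range(4)):        # page writes 0xc0c first, 0xc00 last
        cmds.append(f"mww 0x{JUMP_TABLE + 4 * i:08x} 0x{FASTBOOT_ENTRY:08X}")
    cmds += ["resume", "shutdown"]
    return cmds


if __name__ == "__main__":
    original = set_cond(SEC_CHECK_PATCH, COND_EQ)     # assumed original word
    print(f"{SEC_CHECK_ADDR:08X}: {describe(SEC_CHECK_ADDR, original)}"
          f"  ->  {describe(SEC_CHECK_ADDR, make_unconditional(original))}")
    print(f"{CEGO_BL_ADDR:08X}: bl ...  ->  {describe(CEGO_BL_ADDR, CEGO_PATCH)}")
    print("\n".join(softboot_commands()))
```

Because the target address of a branch depends only on the low 24 bits, the beq and the patched b resolve to the same destination (0x009037F0 for the page's word); that is the whole point of the patch, and a mismatch there would mean the wrong word was being written.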

Steps

Note: if you have just loaded the radio you can probably skip steps 1, 3 and 4, as they ought to already be done.

  1. Attach the JTAG wires to the phone (do not start OpenOCD yet)
  2. While holding down the 'Action' button (the scroll ball) press power (the phone ought to have turned on the blue LED if the screen is attached; if not, let's assume it did)
  3. Plug in the HTC serial wire
  4. Start a terminal session on the serial wire
    • POSIX: run 'screen /dev/<serial device> 115200', where <serial device> is the TTY used by the HTC serial connector
    • Windows: connect to the COM port at 115200 baud, 8 data bits, with no software or hardware flow control
  5. Over the serial line type '?' (then enter)
    The phone will not echo what you type, but ought to reply:
    Invalid command : ?
  6. Now start OpenOCD: from the directory with the cfg file run:
    openocd -f <dream|magic>.cfg
    replacing <dream|magic> with the name of the cfg file you created for the phone.
    We ought to now see:
    we ought to now see:
    Open On-Chip Debugger 0.4.0 (2010-03-04-07:17)
    Licensed under GNU GPL v2
    For bug reports, read
    	http://openocd.berlios.de/doc/doxygen/bugs.html
    trst_and_srst srst_pulls_trst srst_gates_jtag trst_push_pull srst_open_drain
    dcc downloads are enabled
    fast memory access is enabled
    Info : clock speed 6000 kHz
    Info : JTAG tap: arm9.cpu tap/device found: 0xa01700e1 (mfg: 0x070, part: 0x0170, ver: 0xa)
    Info : Embedded ICE version 6
    Info : arm9: hardware has 2 breakpoint/watchpoint units
  7. Connect to OpenOCD via telnet (port 4444 on localhost: 'telnet localhost 4444') and load hboot.img (the SPL) into RAM with the following commands:
    • halt
    • mww 0x0090379C 0xea000013
    • mww 0x9029d8 0x0
    • load_image /tmp/hboot.img 0x0
    • mww 0x00000c0c 0x98000C4C
    • mww 0x00000c08 0x98000C4C
    • mww 0x00000c04 0x98000C4C
    • mww 0x00000c00 0x98000C4C
    • resume
    • shutdown
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    Open On-Chip Debugger
    > halt
    target state: halted
    target halted in ARM state due to debug-request, current mode: Supervisor
    cpsr: 0x000000d3 pc: 0x00946d78
    MMU: disabled, D-Cache: disabled, I-Cache: disabled
    > mww 0x0090379C 0xea000013
    > mww 0x9029d8 0x0
    > load_image /tmp/hboot.img 0x0
    No working memory available. Specify -work-area-phys to target.
    no working area available, falling back to memory writes
    524288 bytes written at address 0x00000000
    downloaded 524288 bytes in 11.620226s (44.061 kb/s)
    > mww 0x00000c0c 0x98000C4C
    > mww 0x00000c08 0x98000C4C
    > mww 0x00000c04 0x98000C4C
    > mww 0x00000c00 0x98000C4C
    > resume
    > shutdown
    shutdown command invoked
    > Connection closed by foreign host.
  8. Over the serial line type 'version' (then enter):
    OEMSBL VERSION: 3.22.26.17
    OEMSBL Build Date: Jan 17 2010 12:08:33
    PLATFORM: DREAM
    PID: 31
    PLATFORM ID: 0
    

    (PLATFORM ought to reflect the actual platform, so Magic users will likely see SAPPHIRE (PID 46, PLATFORM ID 1).) This indicates that we are unlocked and can continue.

  9. Over the serial line type 'cego' (then enter):
    Boot CE manually...
    Done.
    

    and output continues until

    ARM11 Boot Mode: 0
    Platform: HBOOT-7201A
    
    ###[ Fastboot Mode ]###
    

    (Note: if you were bricked you may see a different boot mode, but if you reach "Fastboot Mode" you are in the correct mode.)

  10. Plug the USB wire into the phone (unplug the serial wire first unless the wire supports both USB and serial)
  11. Run 'fastboot devices' on your computer; this ought to echo your phone's serial number
  12. Run the following fastboot commands, where hboot.img is the Engineering SPL and recovery.img is the recovery you downloaded in the preparations section:
    fastboot oem eraseconfig
    fastboot erase hboot
    fastboot erase recovery
    fastboot erase system
    fastboot erase userdata
    fastboot erase cache
    fastboot erase boot
    fastboot flash hboot hboot.img
    fastboot flash recovery recovery.img
    fastboot oem powerdown

We have now flashed an Engineering SPL and thus can install any EBI1 or Magic 32A port. Prior to removing the JTAG it is recommended to ensure that recovery boots; if the screen is not attached this can still be checked by watching for Linux boot debug messages over the serial line. If possible it is also recommended to ensure that recovery can mount an SD card, but this is not always easy with JTAG wires hooked up.

Remember: even if you had a T-Mobile Dream (which is usually EBI0) you now have an EBI1 phone because of the 3.x radio installed. This will work fine with that radio; however, many people will wish to return to an EBI0 radio. Please see the following sections for additional information.

Flashing a ROM back onto the phone

Currently you have installed an EBI1 radio with an EBI1 recovery; thus you have various options depending on the type of phone you have.


HTC Dream/Magic non-Fender


Here we have two options:

  1. install the EBI1 port (common on the Magic 32A and non-Google-branded Dreams, but will work on any Magic/Dream)
  2. install the EBI0 port (common on the Magic 32B and Google-branded Dreams; will work on all Magics/Dreams, however a Magic 32A will not have all of its memory available)

EBI1 port

Install an EBI1 (32A) ROM such as CyanogenMod with the EBI1 patch file.

EBI0 port

Before we install we will need to revert the radio back to EBI0:

  1. Download the 2.22.23.02 radio (MD5: faf0db41d28daf1cefefc7be0fceb55c) and check the MD5
  2. Extract radio.img from the zip file
  3. Download the EBI0 recovery:
  4. Enter fastboot on your phone and run the following fastboot commands:
    • fastboot flash radio radio.img
    • fastboot reboot-bootloader
  5. Verify that the radio shown at the top of the screen is now the 2.x radio
  6. Flash the recovery image, replacing "recovery.img" with the EBI0 recovery you downloaded:
    • fastboot flash recovery recovery.img
  7. Ensure the system is clean (the -w flag also wipes userdata and cache):
    • fastboot erase system -w
    • fastboot erase boot
  8. Install an EBI0 (32B) ROM such as CyanogenMod

HTC Magic Fender/3.5mm jack device


We must return to the Fender's SPL/radio. This is best described in the Fender upgrade guide: http://wiki.cyanogenmod.com/index.php?title=Full_Update_Guide_-_Fender/1.2

Note: you will not need to flash the sappimg.zip. Start with 'Download the following zip file (the stock myTouch SPL and Radio)' and continue until CyanogenMod is installed.

DeathSPL flashed on a 1.x radio

The process outlined above assumes that the only thing working (or that you trust) is an unknown radio. However, a common type of brick is the 1.33.2005 SPL flashed on a Dream with a 1.x radio.


The above process will still work in this case, but if you know you are facing this particular type of brick, a simplified version follows:

  1. Download the 2.22.23.02 radio (MD5: faf0db41d28daf1cefefc7be0fceb55c) and check the MD5
  2. Extract radio.img from the file
  3. Follow the 'Loading Radio 3.22.26.17' process, substituting the 2.22.23.02 radio.img for the 3.22.26.17 radio.img. The second radata argument must be the size in hex of the file you actually loaded; take it from the byte count that load_image reports rather than assuming 01500000.
  4. Once the correct radio is installed, boot the phone; it ought to enter recovery mode as if you had just flashed SPL 1.33.2005
  5. Enter the command line and run 'reboot bootloader' to return to fastboot
  6. Ensure the system is clean (the -w flag also wipes userdata and cache):
    • fastboot erase system -w
    • fastboot erase boot
  7. Install an EBI0 (32B) ROM such as CyanogenMod

Credits

XDA ezterry
First Dream Debrick and author of the process
XDA bart9984 (aka bart99)
First Magic Debrick via this process
XDA BinaryDroid
Device hacking + Dream jtag points
XDA scholbert
For hardware knowledge and a large quantity of information required to make this work
ORT szxtso
For the magic jtag test points


Also thanks to the many others that helped to make this possible; or gave insight to the various components used.