Ignore it, RTCK is not always available and JTAG works without it as long as your clock is within acceptable range. I used 1000khz-3000khz. Don't know if clock is configurable in riffbox that I believe you use. Also, does riffbox support 1.8v levels?
Hardware root/JTAG pinout
- Thread starter Determined
- Start date
Ignore it, RTCK is not always available and JTAG works without it as long as your clock is within acceptable range. I used 1000khz-3000khz. Don't know if clock is configurable in riffbox that I believe you use. Also, does riffbox support 1.8v levels?
Clock is configurable, I believe it does 1.8 but I'm not home now so can't verify
Sent from my HTC One_M8 using XDA Premium 4 mobile app
Hi!
One noob question, if you can develop a root method or a way to flash the device using jtag, what kind of device will be necessary to do it?
something like this? http://dangerousprototypes.com/docs/Bus_Blaster
thanks!
One noob question, if you can develop a root method or a way to flash the device using jtag, what kind of device will be necessary to do it?
something like this? http://dangerousprototypes.com/docs/Bus_Blaster
thanks!
that's not true, i currently play with openocd, flyswatter2 and ifc6410 (another apq8064 box) and i discovered, that problem is how openocd handles writing to crtlstat register. seems openocd implements dap ver. 0 way, but not dap ver. 1 and dap ver. 2 ways. i'm currently diving to arm coresight documentation and openocd code.
Good to know that somebody is working in JTAG solution for AFTV box. Let us know your findings!
Thanks!
Long time ago since last post?
Hi there folks,
is there any progress in finding a reliable jtag connection, i. e. with a busblaster to root it?
Found http://xdaforums.com/fire-tv/general/hardware-root-via-emmc-chip-t2885344 which is of core a little bit risky in doing it because of http://xdaforums.com/fire-tv/general/hardware-root-via-emmc-chip-t2885344/post55673788#post55673788
I know I can solder but I dont have the other required hardware especially the emmc-adapter to make the connection with the flash chip on the board.
I do have a busblaster and I did some JTAG on a pogoplug. It worked well with OpenOCD.
So know I just want to know if somebody is working on it because it would be a pleasure to me to get a rooted FireTV.
Hi there folks,
is there any progress in finding a reliable jtag connection, i. e. with a busblaster to root it?
Found http://xdaforums.com/fire-tv/general/hardware-root-via-emmc-chip-t2885344 which is of core a little bit risky in doing it because of http://xdaforums.com/fire-tv/general/hardware-root-via-emmc-chip-t2885344/post55673788#post55673788
I know I can solder but I dont have the other required hardware especially the emmc-adapter to make the connection with the flash chip on the board.
I do have a busblaster and I did some JTAG on a pogoplug. It worked well with OpenOCD.
So know I just want to know if somebody is working on it because it would be a pleasure to me to get a rooted FireTV.
Similar threads
Top Liked Posts
-
There are no posts matching your filters.
-
3For those interested, Amazon FireTV JTAG pinout is very close to the standard 20-pin ARM JTAG. See atached image for the actual pinout. If anybody has an OpenOCD config file for QUalcomm Krait 300 (SnapDragon 600), please share. Rooting can be done by bypassing a couple of checks in the bootloader.2
I've got a third FireTV hooked up to my riffbox now, but having issues. If I can get a successful read and write, I'll post a dump with a hacked bootloader to run unsigned images.
Issue I'm as is im not getting any response from RTCK. Fuses indicate that jtag was not disabled, and this isnt my strong point.1
Being curious, I did some reading. I'm pretty sure it's a S4 Pro as well. 600 uses LPDDR3, has higher clock speed 1.7 vs 1.9GHz, and has wireless AC.
http://xdaforums.com/nexus-4/help/snapdragon-600-vs-snapdragon-s4-pro-t2157201
http://www.ifixit.com/Teardown/Amazon+Fire+TV+Teardown/238561
that's not true, i currently play with openocd, flyswatter2 and ifc6410 (another apq8064 box) and i discovered, that problem is how openocd handles writing to crtlstat register. seems openocd implements dap ver. 0 way, but not dap ver. 1 and dap ver. 2 ways. i'm currently diving to arm coresight documentation and openocd code.
