SUCCESS! De-Bricking Dreams - Complete JTAG Testpoints! UPDATE! 04/07/10


[opensys]

Senior Member
Feb 23, 2009
123
23
Leiria Portugal
Hello,

After I read these posts in an attempt to unbrick my HTC Magic 32A, bricked with a 32B radio version, v2.22.27.08, I was stuck at the JTAG commands.


openocd -f magic.cfg
Open On-Chip Debugger 0.4.0 (2011-01-02-15:41)
Licensed under GNU GPL v2
For bug reports, read
http://openocd.berlios.de/doc/doxygen/bugs.html
parport port = 0x0
trst_and_srst srst_pulls_trst srst_gates_jtag trst_push_pull srst_open_drain
dcc downloads are enabled
fast memory access is enabled
Info : clock speed 500 kHz
Info : JTAG tap: arm9.cpu tap/device found: 0x301700e1 (mfg: 0x070, part: 0x0170, ver: 0x3)
Info : Embedded ICE version 6
Info : arm9: hardware has 2 breakpoint/watchpoint units
Info : accepting 'telnet' connection from 0
target state: halted
target halted in ARM state due to debug-request, current mode: Supervisor
cpsr: 0x200000d3 pc: 0x00907348
MMU: disabled, D-Cache: disabled, I-Cache: disabled


magic.cfg:

interface parport
parport_port 0
parport_cable wiggler
reset_config trst_and_srst srst_pulls_trst

set _CHIPNAME arm926ejs
set _ENDIAN little
set _CPUTAPID 0x301700e1

proc dbreg {} {
#show 16 arm registers only
reg 0
reg 1
reg 2
reg 3
reg 4
reg 5
reg 6
reg 7
reg 8
reg 9
reg 10
reg 11
reg 12
reg 13
reg 14
reg 15
}

jtag newtap arm9 cpu -irlen 4 -ircapture 0x1 -irmask 0xf -expected-id $_CPUTAPID

set _TARGETNAME arm9.cpu
target create arm9 arm926ejs -endian $_ENDIAN -chain-position $_TARGETNAME
arm7_9 dcc_downloads enable
arm7_9 fast_memory_access enable


Question: is the cfg OK for the 32A?

When I get to blue LED mode, I can write "?", so it works.

When I flash the new radio, I type 'resume' but I can't get access to the serial console to write "radata 103B5300 01500000"; it seems frozen.

So I tried to pass the hboot, but to do it I need the mww addresses for the radio "2.22.27.08". Can anyone provide them?

I tried the addresses of other radios, but no luck with the version or cego cmd showing up.

What more can I do?

OpenSys
 

tonne99

Member
Jun 15, 2010
18
0
Magic 32B radata command failed

Hi,

I bricked my htc magic 32B with the radio version 2.22.19.26l and latest Cyanogenmod flashed before.
I followed the guide "JTAG for Dream/Magic" and got access via arm-usb-tiny adapter with following config:
Code:
#######################################
# HTC Dream/Magic - OpenOCD configuration
# > arm-usb-ocd profile
#
# For use with openocd 0.4
#######################################

## Device settings for arm-usb-odc
interface ft2232
#ft2232_device_desc "Olimex OpenOCD JTAG"
ft2232_layout "olimex-jtag"
ft2232_vid_pid 0x15BA 0x0004


##### HTC Dream configuration #####
# based on Atmel AT91rm9200
###################################

reset_config trst_and_srst srst_pulls_trst

#dream information (or something near it)
   set  _CHIPNAME arm926ejs
   set  _ENDIAN little
   set _CPUTAPID 0xa01700e1


proc dbreg {} {
    #show 16 arm registers only
    reg 0
    reg 1 
    reg 2
    reg 3
    reg 4
    reg 5
    reg 6
    reg 7
    reg 8
    reg 9
    reg 10
    reg 11
    reg 12
    reg 13
    reg 14
    reg 15
}

jtag newtap arm9 cpu -irlen 4 -ircapture 0x1 -irmask 0xf -expected-id $_CPUTAPID

# Create the GDB Target.
set _TARGETNAME arm9.cpu
target create arm9 arm926ejs -endian $_ENDIAN -chain-position $_TARGETNAME

# Work area non-functional at this point in time
#$_TARGETNAME configure -work-area-phys 0x00200000 \
#        -work-area-size 0x4000 -work-area-backup 1
# .. seems to work until watchdog is triggered..
#arm9 configure -work-area-phys 0x103B5000  \
#        -work-area-size 0x200 -work-area-backup 0

# This chip has a DCC ... use it
arm7_9 dcc_downloads enable
arm7_9 fast_memory_access enable


5V on HTC serial cable is not attached, because otherwise I have no output in serial command line.

Now I can load radio-3.22.26.17_dream.img with
Code:
load_image /tmp/radio-3.22.26.17_dream.img 0x103B5300
into RAM, but when I run serial command
Code:
radata 103B5300 01500000
the phone responds with
Code:
HTCSF   kE�(HTC
.
No further output.

On page 70 of this thread I read something about an issue with Magic 32A and radio 6.x, but I'm sure that I have no 6.x radio on my phone.

Do I have to use other offsets for radata command?

Thanks,
t0nne
 

[opensys]

Senior Member
Feb 23, 2009
123
23
Leiria Portugal
Solved!

I forgot to put the destination address 0x103B5300

load_image /tmp/myradio32a.img 0x103B5300

Then run the serial command:

radata 103B5300 01500000

And it works.
And now I have fastboot :)


Just some notes:

The JTAG cable must not exceed 10cm from phone to JTAG board; if it does, you may have transfer errors or be unable to init the JTAG.
TRST must have 2.61/2.62 volts, not 2.65.. 2.68 volts
JTAG by LPT port takes 50 minutes to pass the 21MB radio.

That's ALL

:p
 

tonne99

Member
Jun 15, 2010
18
0
Now I tried the solution in post http://xdaforums.com/showpost.php?p=5911627&postcount=302
and finally reached Fastboot Mode, but there is no way to flash anything:

Code:
C:\android-sdk-windows\tools>fastboot flash radio radio.img
    sending 'radio' (21504 KB)... OKAY [  5.979s]
               writing 'radio'... INFOsignature checking...
FAILED (remote: signature verify fail)
finished. total time: 12.147s

---------

C:\android-sdk-windows\tools>fastboot flash hboot hboot.img
      sending 'hboot' (512 KB)... OKAY [  0.501s]
               writing 'hboot'... INFOsignature checking...
FAILED (remote: signature verify fail)
finished. total time: 0.651s

Any suggestions? Please help.

Thanks,
t0nne
 

ezterry

Retired Recognized Developer
Jan 16, 2010
1,829
967
Asheville, NC
Any suggestions? Please help.

Thanks,
t0nne
If I understand, you are forcing your current SPL to enter fastboot... this isn't very useful if it's not an eng SPL.

You can try fastboot boot <recovery.img> but otherwise it may be best to softboot an SPL like in the original instructions. (if you want to use your current radio just load the 2009 SPL when you are halted at the breakpoint to 0x00 then continue with the memory write to force fastboot)

Also the radio flash problem sounds like a data error.. if not with the original file from the transfer.
 

stewdk

Member
Jul 21, 2010
17
0
Grand Rapids
writing 'hboot'... INFOsignature checking...
FAILED (remote: signature verify fail)

Any suggestions? Please help.

Fastboot did the same thing to me (even with an engineering SPL), so I just flashed an appropriate update.zip from the SD card. It may take some creativity to be able to see the screen, push buttons, and leave the SD hooked up while also having JTAG cables connected... It took me a while.

EDIT: oops, I meant that I flashed a sappimg.zip, not an update.zip. I swear I'm not crazy.
 

tonne99

Member
Jun 15, 2010
18
0
:D Back to life :D

Hi @ all,

I tried different solutions mentioned in this long and interesting thread and a combination of some proposals did it.
I followed the steps in JTAG howto again but when I sent commands over JTAG I disconnected the HTC serial cable. When using the serial line I detached the JTAG adapter. And finally I was able to use
Code:
radata 103B5300 01500000
as expected and flash the radio.
Now CyanogenMod 6.1.0-DS rocks my reborn HTC MAGIC.
Thank you all for sharing your knowledge and experience.

Next project will be a bricked G1/Dream where 3 JTAG testpoints are gone due to inadequate soldering tools and skills.
I'm sure I will be back to ask more technical questions.

Greetings,
t0nne
 

Daemonic79

Member
Apr 3, 2010
20
2
London / Essex
Thanks :)

After my initial post some time ago, my jtag adaptor finally arrived today (spent some time buying the required bits with spare cash).

I set about the debrick following the wiki guide, and my g1 is now alive again :D

I'd just like to thank all of those involved with the research/guide for all your time.

P.S. If anyone in the UK needs a debrick, give me a shout :)
 

shadowch31

Guest
After my initial post some time ago, my jtag adaptor finally arrived today (spent some time buying the required bits with spare cash).

I set about the debrick following the wiki guide, and my g1 is now alive again :D

I'd just like to thank all of those involved with the research/guide for all your time.

P.S. If anyone in the UK needs a debrick, give me a shout :)

You could be the answer to my prayers, check your pm's :)
 

Mach3te

Senior Member
May 20, 2008
87
16
Connecticut
Google Pixel 7 Pro
I have a bricked HTC G1 that I acquired, and have pretty much read everything in this thread and am about to attempt this procedure. I was searching the net for JTAG adapter for the G1 and I found this one at IPMart.

http://www.ipmart.com/main/product/...r,HTC,Dream,,Google,G1,277854.php?prod=277854

I was wondering if this would work and if anyone has used this particular model.

I was also wondering if there were any affordable USB JTAG programmers. The ones I have seen are about 50 bucks, with the "Wiggler" models that use the serial port being the cheapest I have seen. If anyone has any other suggestions I would appreciate it.

Thanks!
 

Wing_Z

New member
Feb 26, 2006
3
0
Bialystok
I got a Dream that has the original TDO point broken (no point on board). Is there a point somewhere else on the board I can use?
 

fsl13

Member
Aug 12, 2006
30
0
Hi Everyone

I have a problem connecting to the Dream.
I connected all 5 JTAG points using 100k resistors on the LPT port.
I can see it connected in the H-JTAG software;
it shows the CPU ID,
but it doesn't connect with OpenOCD.

Is there a way to call the H-JTAG connection on telnet?

I am really confused and have tried a million times.
Please help me, someone.

Or I am even ready to exchange my Rogers Dream PCB (bricked) for a working one; if anyone wishes to exchange, please contact me.
I am really fed up with reading the wiki again and again and ending up nowhere.

Please help
 

marchard

Senior Member
Feb 3, 2009
71
2
@fsl13: Your JTAG adaptor just consists of a bunch of resistors? I'm really no JTAG expert, but my guess is that you can't do bidirectional JTAG communication with that. You need some kind of active signal conditioning, see the JTAG wiki. The cheapest JTAG adaptor is called "Wiggler". You can get something like that already manufactured for around 10 bucks, or DIY even cheaper.
Bye, Marc.
 

tonne99

Member
Jun 15, 2010
18
0
cego command does not run into Fastboot Mode

Hi,

another bricked Magic:

'Soft boot And Flash Engineering SPL' seems to work:

Code:
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Open On-Chip Debugger
> halt
target state: halted
target halted in ARM state due to debug-request, current mode: Supervisor
cpsr: 0xa00000d3 pc: 0x009084c0
MMU: disabled, D-Cache: disabled, I-Cache: disabled
> mww 0x0090379C 0xea000013 
> mww 0x9029d8 0x0
> load_image /home/tom/hboot.img 0x0
No working memory available. Specify -work-area-phys to target.
no working area available, falling back to memory writes
524288 bytes written at address 0x00000000
downloaded 524288 bytes in 12.405925s (41.271 kb/s)
> mww 0x00000c0c 0x98000C4C
> mww 0x00000c08 0x98000C4C
> mww 0x00000c04 0x98000C4C
> mww 0x00000c00 0x98000C4C
> resume
> shutdown
shutdown command invoked
> Connection closed by foreign host.

Now serial line 'version' returns

Code:
OEMSBL VERSION: 3.22.26.17
OEMSBL Build Date: Jan 17 2010 12:08:33
PLATFORM: SAPPHIRE
PID: 46
PLATFORM ID: 1

But cego command does not enter Fastboot Mode

Code:
Done.
ZWH��k�}����}�ɽ��5
                  Camera 3M
[MDDI] Bitmap_Width = 480
[MDDI] Bitmap_Height = 640
[MDDI] RGB_Capability = 0x8888
[MDDI] Mfr_Name = 0xD263
[MDDI] Product_Code = 0x0
HeapFreeTable[0].StartAddr=0xA15AE180
HeapFreeTable[0].Size=0x6A51E80
HeapFreeTable[1].StartAddr=0xA1500658
HeapFreeTable[1].Size=0x8
HeapFreeTable[2].StartAddr=0xA1500EF8
HeapFreeTable[2].Size=0x8
HeapFreeTable[3].StartAddr=0xA1500F68
HeapFreeTable[3].Size=0x18
HeapFreeTable[4].StartAddr=0xA1500FAC
HeapFreeTable[4].Size=0x14
HeapFreeTable[5].StartAddr=0xA1501178
HeapFreeTable[5].Size=0x8
HeapFreeTable[6].StartAddr=0xA1501328
HeapFreeTable[6].Size=0x18
HeapFreeTable[7].StartAddr=0xA15013A4
HeapFreeTable[7].Size=0xC5C
EEPROM: read 2032 bytes
Board_PID : 0x2E
Wlan data header ++++++++++++++++++++
                                     Signature : 0xEE1251
UpdateStatus : 0x2
UpdateCount : 0x17CB
BodyLength : 0x2F0
BodyCRC : 0x544E1ACB
aDieId(0) : 0x280EC0C0
aDieId(1) : 0xB5CE0684
aDieId(2) : 0x20000000
aDieId(3) : 0x3490
countryID : 0x30
Wlan data header --------------------------
                                           ARM11 Boot Mode: 4
Platform: HBOOT-7201A

Is there another way to enter Fastboot Mode?


t0nne
 

ezterry

Retired Recognized Developer
Jan 16, 2010
1,829
967
Asheville, NC
You appear stuck in "flash_radio" mode:

simple fix:

Change this set of writes:
Code:
> mww 0x00000c0c 0x98000C4C
> mww 0x00000c08 0x98000C4C
> mww 0x00000c04 0x98000C4C
> mww 0x00000c00 0x98000C4C
> resume
to:
Code:
> mww 0x00000c10 0x98000C4C
> mww 0x00000c0c 0x98000C4C
> mww 0x00000c08 0x98000C4C
> mww 0x00000c04 0x98000C4C
> mww 0x00000c00 0x98000C4C
> resume

Otherwise everything else stays the same

(You just need to run 'Soft boot And Flash Engineering SPL' section again with that change)
 

scholbert

Senior Member
Aug 1, 2007
1,347
821
Hi there,

I've been hunting in foreign regions for a while :p
So it's nice to see there's still conversation over here...

I was searching the net for JTAG adapter for the G1 and I found this one at IPMart.

http://www.ipmart.com/main/product/...r,HTC,Dream,,Google,G1,277854.php?prod=277854

I was wondering if this would work and if anyone has used this particular model.
Yupp, looks like a clone from China. Should match the G1 board.
If I ever lose my job I'll build such adapters and sell them for 5 bucks ;)

I was also wondering if there were any affordable USB JTAG programmers. The ones I have seen are about 50 bucks, with the "Wiggler" models that use the serial port being the cheapest I have seen. If anyone has any other suggestions I would appreciate it.
Search the web and read the thread from the beginning.
There were some early posts discussing cheap and usable adaptors.

I got a Dream that has the original TDO point broken (no point on board). Is there a point somewhere else on the board I can use?
Nope... AFAIK there's no other testpoint for TDO you might attach to.
So you're screwed....

I have a problem connecting to the Dream.
I connected all 5 JTAG points using 100k resistors on the LPT port.
I can see it connected in the H-JTAG software;
it shows the CPU ID,
but it doesn't connect with OpenOCD.
Like marchard also pointed out...
I personally would prefer a buffered one.
Though it might work out for some using a passive adaptor to read out chip ID or stuff, you might get into some trouble during long term JTAG sessions.

Anyway you might try to lower the transmission speed for the JTAG signals.
Verify the values with the one used on H-JTAG.
Also check your connections (pin assignment JTAG<->LPT) again.
Is it based on the wiggler?

Is there a way to call the H-JTAG connection on telnet?
AFAIK not...
Perhaps I didn't get you, but why don't you use OpenOCD Windows Edition?

Cheers,

scholbert
 

fsl13

Member
Aug 12, 2006
30
0
Open On-Chip Debugger 0.4.0 (2010-02-22-19:05)
Licensed under GNU GPL v2
For bug reports, read
http://openocd.berlios.de/doc/doxygen/bugs.html
parport port = 0x378
trst_and_srst srst_pulls_trst srst_gates_jtag trst_push_pull srst_open_drain
dcc downloads are enabled
fast memory access is enabled
Info : clock speed 500 kHz
Info : JTAG tap: arm9.cpu tap/device found: 0xa01700e1 (mfg: 0x070, part: 0x0170, ver: 0xa)
Info : Embedded ICE version 6
Info : arm9: hardware has 2 breakpoint/watchpoint units
Info : accepting 'telnet' connection from 0
target state: halted
target halted in ARM state due to debug-request, current mode: Supervisor
cpsr: 0x600000d3 pc: 0xffff01a4
MMU: disabled, D-Cache: disabled, I-Cache: disabled
Error: No working memory available. Specify -work-area-phys to target.
Info : no working area available, falling back to memory writes
Warn : Bad value '00000240' captured during DR or IR scan:
Warn : check_value: 0x00000009
Warn : check_mask: 0x00000009
Error: JTAG error while reading cpsr
Command handler execution failed




And on TELNET
_____________
Open On-Chip Debugger
> halt
target state: halted
target halted in ARM state due to debug-request, current mode: Supervisor
cpsr: 0x600000d3 pc: 0xffff01a4
MMU: disabled, D-Cache: disabled, I-Cache: disabled
> load_image c:/r.img 0x103B5300
No working memory available. Specify -work-area-phys to target.
no working area available, falling back to memory writes
Bad value '00000240' captured during DR or IR scan:
check_value: 0x00000009
check_mask: 0x00000009
JTAG error while reading cpsr
Command handler execution failed
in procedure 'load_image' called at file "command.c", line 650
called at file "command.c", line 361
>



-------------------------------------------
What's wrong??? Please help, I don't understand
Please Guide me

I am using HTerm as a serial terminal
Plz Reply as quick as possible
 

scholbert

Senior Member
Aug 1, 2007
1,347
821
Hi fsl13!

First:
...
target halted in ARM state due to debug-request, current mode: Supervisor
cpsr: 0x600000d3 pc: 0xffff01a4
...
Please check if you entered blue LED mode, before you started the debug session.
The program counter points to boot ROM area. AFAIK, PC should point somewhere in RAM.

Second:
I'll have to quote myself :rolleyes:
Though it might work out for some using a passive adaptor to read out chip ID or stuff, you might get into some trouble during long term JTAG sessions.

Anyway you might try to lower the transmission speed for the JTAG signals.
Verify the values with the one used on H-JTAG.

...
Warn : Bad value '00000240' captured during DR or IR scan:
Warn : check_value: 0x00000009
Warn : check_mask: 0x00000009
Error: JTAG error while reading cpsr
...
So to sum it up again:
These troubles could also be hardware related. So check your physical interface here.
I assume you are using the unbuffered adaptor with the resistors only.
As I pointed out, this simple hardware might cause transmission errors during long term data transmission.

You might try to lower the frequency in the OpenOCD config and check again.

Anyway these are still basic transfers to the platform.
If they already fail, your adaptor is crap!
Check the posts, there are a lot of alternatives mentioned already.

I'm sorry, but I won't give a noobs guide here again...

Good luck and best regards,

scholbert
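
The two checks from the reply above (where the PC sits at halt, and scan errors that point at the adapter), as an added example that is not part of the thread: a Python triage of an OpenOCD session log, fed with lines constructed from the two sessions quoted on this page. The function names and the 0xFFFF0000 boot-ROM threshold are assumptions of this example; the IDCODE and CPSR field layouts are the standard IEEE 1149.1 and ARM ones.

```python
import re

# Constructed samples: lines taken from the two OpenOCD sessions quoted in this thread.
GOOD_SESSION = """\
Info : JTAG tap: arm9.cpu tap/device found: 0x301700e1 (mfg: 0x070, part: 0x0170, ver: 0x3)
target halted in ARM state due to debug-request, current mode: Supervisor
cpsr: 0x200000d3 pc: 0x00907348
"""
BAD_SESSION = """\
Info : JTAG tap: arm9.cpu tap/device found: 0xa01700e1 (mfg: 0x070, part: 0x0170, ver: 0xa)
target halted in ARM state due to debug-request, current mode: Supervisor
cpsr: 0x600000d3 pc: 0xffff01a4
Warn : Bad value '00000240' captured during DR or IR scan:
Error: JTAG error while reading cpsr
"""

ARM_MODES = {0x10: "User", 0x11: "FIQ", 0x12: "IRQ", 0x13: "Supervisor",
             0x17: "Abort", 0x1B: "Undefined", 0x1F: "System"}

# Assumption of this example: a PC at or above the ARM high-vector base is
# treated as "still in boot ROM", matching the 0xffff01a4 case in the thread.
HIGH_VECTORS = 0xFFFF0000


def decode_idcode(idcode):
    """Split a 32-bit JTAG IDCODE into its IEEE 1149.1 fields."""
    return {
        "version": (idcode >> 28) & 0xF,
        "part": (idcode >> 12) & 0xFFFF,
        "manufacturer": (idcode >> 1) & 0x7FF,
        "marker_ok": bool(idcode & 1),  # bit 0 is always 1 in a valid IDCODE
    }


def same_part(id_a, id_b):
    """True when two IDCODEs differ at most in the version nibble."""
    a, b = decode_idcode(id_a), decode_idcode(id_b)
    return (a["part"], a["manufacturer"]) == (b["part"], b["manufacturer"])


def decode_cpsr(cpsr):
    """Decode the mode, state and mask bits of an ARM CPSR value."""
    flags = "".join(n for n, bit in zip("NZCV", (31, 30, 29, 28))
                    if (cpsr >> bit) & 1)
    return {
        "mode": ARM_MODES.get(cpsr & 0x1F, "reserved"),
        "thumb": bool(cpsr & 0x20),
        "fiq_masked": bool(cpsr & 0x40),
        "irq_masked": bool(cpsr & 0x80),
        "flags": flags,
    }


def triage(log):
    """Return a list of finding codes for one OpenOCD session log."""
    findings = []
    m = re.search(r"tap/device found: (0x[0-9a-fA-F]{8})", log)
    if m and not decode_idcode(int(m.group(1), 16))["marker_ok"]:
        findings.append("idcode_invalid")
    m = re.search(r"cpsr: (0x[0-9a-fA-F]+) pc: (0x[0-9a-fA-F]+)", log)
    if m:
        cpsr, pc = int(m.group(1), 16), int(m.group(2), 16)
        if decode_cpsr(cpsr)["mode"] == "reserved":
            findings.append("cpsr_mode_reserved")  # likely a corrupted read
        if pc >= HIGH_VECTORS:
            findings.append("pc_in_boot_rom")      # check blue LED mode first
    if re.search(r"Bad value '[0-9a-fA-F]+' captured during DR or IR scan", log):
        findings.append("scan_chain_errors")       # wiring, adapter or clock
    return findings


if __name__ == "__main__":
    for name, log in (("good", GOOD_SESSION), ("bad", BAD_SESSION)):
        print(name, triage(log))
    print(decode_idcode(0x301700E1), same_part(0x301700E1, 0xA01700E1))
```
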
 

robuser007

Senior Member
Jan 7, 2010
1,288
99
I'm trying to get into blue LED mode without any battery (external 4V power, like the battery, to the 2 places where the battery gives power), but there's a third place (control?) which is needed to power on (for blue LED mode). How should I connect that one? (middle pin)
 

Top Liked Posts

  • 3
    I figured this should be in its own thread so those working on a solution can now focus on the software side of things.

    htc-g1-main-frontside-labeled-1.jpg


    These are the JTAG connection points I traced from the CPU to their test points. I'm almost 90% sure the Primary is still usable. The Auxiliary JTAG port is very, very hard to get to, and I'd imagine even for the technicians that reprogram them at the repair center. I didn't have much luck getting a connection made due to my lack of JTAG knowledge and incorrect type of JTAG circuit (working on another though). I'm posting up the complete testpoints I spent MANY MANY countless hours and sleepless nights tracing so someone who has done this before can get a recovery procedure made to fix all bricked HTC Dreams. The reason I am doing all of this is not specifically for the Dream but because in the field of work I'm in, and the type of work I do, I could benefit from it both for my personal phones and at work. I did research over the years but could never quite understand how JTAG is used until now. I took my spare fully working beater G1 and unsoldered the CPU with an IR Rework Station (T-870A) at home with the intention of placing the CPU back on when done. It took A LOT longer than I hoped, and because I had to hold test probes on the contact pads tight so I could flip the board and trace there also, it killed a couple of the pads, so that's when I decided to say screw it, I still have all the spares for my main Dream, now I can REALLY find the rest of the pins... and a few extras that might be used in the future to add features.

    ********Technical Notes*******

    There are 4 Mode control pins listed in the pictures.
    Mode 3 is under the SIM slot; accessing it requires de-soldering 4 points holding the SIM carrier to the board.
    Mode 0 is NOT a testpoint, but a solder point where a resistor could go to ground. It is VERY hard to solder to directly.
    The Watchdog pin can simply be grounded with a resistor in place or with a needle through the shielding, which would be ground. It's a single solder point.
    Primary JTAG is next to the LCD connector.


    When you see where the pins for AUX are located you will see why I think that's not where the focus should be... they're scattered in odd places, and you also have to remove the SIM slot to access the last one, which took forever to find.
    Trackball has a hidden test point for the return clock as well, otherwise you need to solder directly to the connector on the main board.

    Note: Return Clock is missing in the Picture for the AUX_JTAG connector...it is located at the top right testpoint just above the trackball pad, otherwise you will need to solder directly to the connector on main board.

    if you need any more just let me know, if anyone wants to add to this please feel free.
    Images are NOT MINE, they are the property of whoever took them, I only traced and added the labels. If there is a problem with using them let me know!

    htc-g1-main-backside-labeled.jpg

    htc-g1-main-frontside-labeled.jpg



    IF anyone wants to donate a bricked G1 board for experimenting or donate in general please feel welcome! email@ irenep@binarytechzone.com
    1
    my Ubuntu install was killed by the latest update

    You're not the only one :mad: 9.10 is a car crash.
    1
    Here are the other test points. if you need any others please let me know! I added them to the first post. Please note some are not on actual test points but single solder points.

    htc-g1-main-frontside-labeled.jpg


    htc-g1-main-backside-labeled.jpg
    1
    Maybe i should go to complete the BSDL software for pure JTAG access... :confused:

    Seeing as the USB-method ***WILL*** require some kind of working code to already exist on the device, a jtag solution will be ideal. Let us fix a totally dead phone.

    I say that this is first priority.
    Second priority is simple solutions to partial failures.
    1
    It's Alive

    Hi All;

    So a successful un-brick

    To continue/confirm my post
    http://xdaforums.com/showpost.php?p=5795214&postcount=252

    I've recently got a Tmobile G1 bricked by the previous owner installing HBOOT 1.33.2005 on top of radio 1.22.12.29.

    This, like when Rogers phones install the OTA zip file, causes the SPL to get stuck in "ARM11 Boot Mode: 3"; without a recovery to flash (thus stuck on boot screen)

    The following ought to allow you to correct any phone with 1.33.2005 SPL stuck in this mode. However will require some adjustments depending on the current running radio. (And I've only succeeded on radio 1.22.12.29)

    (Rogers Dream users if you installed the OTA radio 2.22.19.26I did already overwrite the EBI1 radio)

    Instructions obviously preliminary I am still trying to see if we can avoid jtag for this.

    ---
    Note I've copied and simplified the process, see the wiki page:
    http://wiki.cyanogenmod.com/index.php/JTAG_DREAM_AND_MAGIC
    ---

    Prerequisites
    A) a phone working with jtag (I will provide commands for "Open On-Chip Debugger 0.4.0" translate to your setup):

    mww ['phys'] address value [count]
    write memory word

    resume [address]
    resume target execution from current PC or address

    halt [milliseconds]
    request target to halt, then wait up to the specified number of
    milliseconds (default 5) for it to complete

    bp [address length ['hw']]
    list or set hardware or software breakpoint

    rbp address
    remove breakpoint
    B) A working stack for your phone in fastboot *.img format (you will want radio.img hboot.img recovery.img)

    C) HTC Serial wire or serial/USB hybrid wire; please ensure you can disconnect the USB/Power separate from the serial if need be

    Procedure

    1) Enter blue light mode and attach both serial wire/console + jtag
    2) Halt CPU
    halt
    3) enable the CID bypass for your version of the radio

    1.22.12.29: mww 0x00902EB4 0xea000013
    2.22.19.26I: mww 0x009038F0 0xea000013
    3.22.20.17: mww 0x009038F0 0xea000013
    3.22.26.17: mww 0x0090379C 0xea000013
    4) set the cego breakpoint for your radio

    1.22.12.29: bp 0x00901A24 0x4
    2.22.19.26I: bp 0x00902b30 0x4
    3.22.20.17: bp 0x00902b30 0x4
    3.22.26.17: bp 0x009029DC 0x4
    5) resume CPU
    resume
    6) run 'cego' on the serial oemspl console
    7) if all is well the CPU halted due to the breakpoint.. if it's failing to boot android you didn't set the breakpoint correctly.. if it gave an error about an unknown command you didn't apply the CID bypass correctly, please pull battery and try again
    8) Clear breakpoint that you set earlier

    1.22.12.29: rbp 0x00901A24
    2.22.19.26I: rbp 0x00902b30
    3.22.20.17: rbp 0x00902b30
    3.22.26.17: rbp 0x009029DC
    9) change BOOT Mode 3 to "FASTBOOT" mode :) (address only for 1.33.2005 SPL and 1.33.2009 SPL)
    mww 0x00000c0c 0x98000C4C
    10) resume CPU
    resume
    11) now if your video wire is attached (the wire right over the jtag port..) you will see the boot screen with "FASTBOOT" at the top.. if its not attached.. lets hope that is what you would see and attempt to continue anyway
    12) attach USB wire to phone and on PC run "fastboot devices" to see if we are correctly in fastboot mode
    13) fastboot yourself a working stack

    fastboot flash radio radio.img
    fastboot flash hboot hboot.img
    fastboot flash recovery recovery.img
    14) once all the above complete successfully pull battery/serial/disable jtag (we need a very cold reboot and it gets confused)
    15) boot phone it will boot in boot mode 3 to recovery; clear cache; and with luck behave... use recovery to flash your desired system as usual.

    If you wish to load an alternate SPL rather than only modify the existing one or avoid the breakpoint, see my Rogers solution: http://xdaforums.com/showpost.php?p=5934885&postcount=6

    BTW If this did get you out of a bind I do accept donations to cover costs of phones that can no longer get recovered

    (Now that I have a working jtaged phone there was some other things I wanted to look at)