The fsa chip has a usb id pin, so i assume that is connected to the micro usb port pin 4
Lets save some bricks...
- Thread starter js22
- Start date
- Status
The fsa chip has a usb id pin, so i assume that is connected to the micro usb port pin 4
I updated my arduino code for those who are using one... This allows a bit more flexibility. Just change the HEXOUTPUT=false to true and it will output the hex characters
here is the hexoutput from a new phone I just received today direct from the factory
The setup for this log was plug it in, start logging. there is no primitave and secondary because the phone was charging already.
Code:
/*
Change HEXOUTPUT to true in order to see
hexcodes and their ascii representations.
Change HEXOUTPUT to false in order to see
only ascii output as it was intended
*/
boolean HEXOUTPUT = false;
//begin sketch
String MESSAGE="";
void setup() {
// initialize both serial ports:
Serial.begin(115200);
Serial1.begin(115200);
}
/*
Loop will check if Serial(computer) has anything to
say to the Serial1(device), and then says it. It
also reverses the operation and sends from Serial1 to
Serial. If HEXOUTPUT formatting is requested from
above, it will display output in hex format and at the
end of each line, it will display standard output.
*/
void loop() {
// read from port 1, send to port 0:
if (Serial1.available()) {
if ( HEXOUTPUT ) { //IF we are to display HEX output
int inByte = Serial1.read();
MESSAGE= MESSAGE + " " + (char)inByte;
Serial.print(inByte, HEX);
Serial.print("|");
if ( inByte == 13 ){
Serial.println("");
Serial.print(MESSAGE);
MESSAGE="";
}
} else { // if not hex, then display bytes
Serial.print(Serial1.read(), BYTE);
}
}
// read from port 0, send to port 1:
if (Serial.available()) {
Serial1.print(Serial.read(), BYTE);
}
}here is the hexoutput from a new phone I just received today direct from the factory
Code:
0|A|D|
s e t t i n g p a r a m . b o a r d _ r e v = 0
53|65|74|20|63|70|75|20|63|6C|6B|2E|20|66|72|6F|6D|20|34|30|30|4D|48|7A|20|74|6F|20|38|30|30|4D|48|7A|2E|A|D|
S e t c p u c l k . f r o m 4 0 0 M H z t o 8 0 0 M H z .
4F|4D|3D|30|78|39|2C|20|64|65|76|69|63|65|3D|4F|6E|65|6E|61|6E|64|4D|75|78|28|41|75|64|69|29|A|D|
O M = 0 x 9 , d e v i c e = O n e n a n d M u x ( A u d i )
49|52|4F|4D|20|65|2D|66|75|73|65|64|20|2D|20|4E|6F|6E|20|53|65|63|75|72|65|20|42|6F|6F|74|20|56|65|72|73|69|6F|6E|2E|A|D|
I R O M e - f u s e d - N o n S e c u r e B o o t V e r s i o n .
A|D|
2D|2D|2D|2D|2D|2D|2D|2D|2D|2D|2D|2D|2D|2D|2D|2D|2D|2D|2D|2D|2D|2D|2D|2D|2D|61|53|79|61|4C|A|79|29|67|6F|2C|30|D|
- - - - - - - - - - - - - - - - - - - - - - - - - a S y a L
72|41|30|69|65|20|A|2D|2D|2D|2D|2D|2D|3A|30|D| y ) g o , 0
r A 0 i e
3A|20|4E|74|61|72|20|78|30|4D|20|44|78|49|A|20|52|74|66|73|72|5F|62|6D|6C|5F|6C|6F|61|64|5F|70|61|72|74|69|74|69|6F|6E|3A|20|70|69|2D|3E|6E|4E|75|6D|4F|66|50|61|72|74|45|6E|74|72|79|20|3D|A|6E|20|62|74|6F|64|75|2E|44|6F|6E|65|2E|A|D|
: N t a r x 0 M D x I
R t f s r _ b m l _ l o a d _ p a r t i t i o n : p i - > n N u m O f P a r t E n t r y =
n b t o d u . D o n e .
20|D|
72|65|61|64|20|31|20|75|6E|69|74|73|2E|A|D|
r e a d 1 u n i t s .
3D|3D|3D|3D|20|50|41|52|54|4F|3D|20|4C|29|20|20|52|20|30|46|4E|A|5F|20|3D|3D|3D|3D|3D|20|20|5F|3A|4E|54|34|3D|3D|3D|3D|3D|20|20|28|41|20|4F|78|20|4E|A|49|A|3D|3D|3D|49|20|28|54|3A|30|20|54|4F|20|3D|3D|3D|20|41|A|20|20|29|4E|4F|20|3D|3D|A|
= = = = P A R T O = L ) R 0 F N
_ = = = = = _ : N T 4 = = = = = ( A O x N
I
= = = I ( T : 0 T O = = = A
) N O = =
20|3A|43|30|49|54|34|4E|20|6C|6F|6B|65|5F|69|6E|69|74|3A|20|6A|34|66|73|5F|6F|70|65|6E|20|73|75|63|63|65|73|73|2E|2E|A|D|
: C 0 I T 4 N l o k e _ i n i t : j 4 f s _ o p e n s u c c e s s . .
6C|6F|61|64|5F|6C|66|73|5F|70|61|72|61|6D|65|74|65|72|73|20|76|61|6C|69|63|72|72|65|61|64|70|65|6C|74|A|6C|6F|61|64|20|20|65|30|69|6E|69|74|5F|66|75|65|6C|5F|67|61|75|67|65|3A|20|76|63|65|6C|6C|20|3D|20|34|31|34|31|6D|56|2C|20|73|6F|63|2|
l o a d _ l f s _ p a r a m e t e r s v a l i c r r e a d p e l t
l o a d e 0 i n i t _ f u e l _ g a u g e : v c e l l = 4 1 4 1 m V , s o c
69|6E|69|74|5F|66|75|65|6C|5F|67|61|75|67|65|3A|20|76|63|65|6C|6C|20|3D|20|34|31|34|31|6D|56|2C|20|73|6F|63|20|3D|20|39|32|2C|20|72|63|6F|6D|70|20|3D|20|64|30|31|66|A|D|
i n i t _ f u e l _ g a u g e : v c e l l = 4 1 4 1 m V , s o c = 9 2 , r c o m p = d 0 1 f
72|65|61|64|69|6E|67|20|6E|70|73|20|73|74|61|74|75|73|20|66|69|6C|65|20|69|73|20|73|75|63|63|65|73|73|66|75|6C|6C|79|21|2E|A|D|
r e a d i n g n p s s t a t u s f i l e i s s u c c e s s f u l l y ! .
6E|70|73|20|73|74|61|74|75|73|3D|30|78|35|30|34|64|34|66|34|33|A|D|
n p s s t a t u s = 0 x 5 0 4 d 4 f 4 3
50|4D|49|43|20|30|50|54|20|20|5F|53|32|67|65|76|72|75|20|37|A|70|70|20|65|D|
P M I C 0 P T _ S 2 g e v r u 7
73|20|2D|2D|30|47|45|4E|53|20|63|68|5F|20|74|30|75|61|72|65|70|6E|69|A|44|49|53|50|4C|41|59|5F|50|41|54|48|5F|53|45|4C|5B|4D|44|4E|49|45|20|30|78|31|5D|69|73|20|6F|6E|A|D|
s - - 0 G E N S c h _ t 0 u a r e p n i
D I S P L A Y _ P A T H _ S E L [ M D N I E 0 x 1 ] i s o n
4D|44|4E|49|45|20|73|65|74|74|69|6E|67|20|49|6E|69|74|20|73|74|61|72|74|21|21|A|D|
M D N I E s e t t i n g I n i t s t a r t ! !
76|73|79|6E|63|20|69|6E|74|65|72|72|75|70|74|20|69|73|20|6F|66|66|A|D|
v s y n c i n t e r r u p t i s o f f
76|69|64|65|6F|20|69|6E|74|65|72|72|75|70|74|20|69|73|20|6F|66|66|A|D|
v i d e o i n t e r r u p t i s o f f
5B|66|62|30|5D|20|74|75|72|6E|20|6F|6E|A|D|
[ f b 0 ] t u r n o n
4D|44|4E|49|45|20|73|65|74|74|69|6E|67|20|49|6E|69|D|
A|D| D N I E s e t t i n g I n i
41|75|74|6F|62|6F|6F|74|20|28|30|20|73|65|63|6F|6E|64|73|29|20|69|6E|20|70|72|6F|67|72|65|73|73|2C|20|70|72|65|73|73|20|61|6E|79|20|6B|65|79|20|74|6F|20|73|74|6F|70|20|A|D|
A u t o b o o t ( 0 s e c o n d s ) i n p r o g r e s s , p r e s s a n y k e y t o s t o p
67|65|74|5F|64|65|62|75|67|5F|6C|65|76|65|6C|20|63|75|72|72|65|6E|74|20|64|65|62|75|67|20|6C|65|76|65|6C|20|69|73|20|30|78|35|37|34|66|34|63|34|34|2E|A|D|
g e t _ d e b u g _ l e v e l c u r r e n t d e b u g l e v e l i s 0 x 5 7 4 f 4 c 4 4 .
67|65|74|5F|64|65|62|75|67|5F|6C|65|76|65|6C|20|63|75|72|72|65|6E|74|20|64|65|62|75|67|20|6C|65|76|65|6C|20|37|A|72|62|20|4F|20|65|67|67|41|74|66|64|69|D|
g e t _ d e b u g _ l e v e l c u r r e n t d e b u g l e v e l 7
2E|2E|2E|2E|2E|2E|2E|2E|2E|2E|2E|2E|2E|2E|2E|2E|2E|2E|2E|2E|2E|2E|2E|2E|2E|2E|2E|2E|2E|2E|64|6F|6E|65|A|D| r b O e g g A t f d i
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . d o n e
4B|65|72|6E|65|6C|20|72|65|61|64|20|73|75|63|63|65|73|73|20|66|72|6F|6D|20|6B|65|72|6E|65|6C|20|70|61|72|74|69|74|69|6F|6E|20|6E|6F|2E|36|2C|20|69|64|78|2E|36|2E|A|D|
K e r n e l r e a d s u c c e s s f r o m k e r n e l p a r t i t i o n n o . 6 , i d x . 6 .
73|65|74|74|69|6E|67|20|70|61|72|61|6D|2E|73|65|72|69|61|6C|6E|72|3D|30|78|33|31|33|35|31|31|61|31|20|30|78|66|66|36|33|30|30|65|63|A|D|
s e t t i n g p a r a m . s e r i a l n r = 0 x 3 1 3 5 1 1 a 1 0 x f f 6 3 0 0 e c
73|65|74|74|69|6E|67|20|70|61|72|61|6D|2E|62|6F|61|72|64|5F|72|65|76|3D|30|41|35|6F|6C|53|6E|65|78|30|0|D|
A|42|4F|4F|54|49|4E|47|20|43|4F|4D|50|4C|45|54|45|44|D| d _ r e v = 0 A 5 o l S n e x 0
A| B O O T I N G C O M P L E T E D
CTRL-A Z for help |115200 8N1 | NOR | Minicom 2.5 | VT102 | OfflineThe setup for this log was plug it in, start logging. there is no primitave and secondary because the phone was charging already.
Last edited:
This is the newest SBL so far.
Code:
Samsung Secondary Bootloader (SBL) v3.0
Copyright (C) Samsung Electronics Co., Ltd. 2006-2010
Board Name: ARIES REV 03
Build On: Feb 1 2011 10:54:21Guys! The galaxy S 4g teardown was posted. I don't see a JTAG port. http://www.ifixit.com/Teardown/Samsung-Galaxy-S-4G-Teardown/4977/1
Ok.. So, now, what does that mean? Duh... No jtag port=FSA chip must be used. Great news right?
Alright.. So, even bigger news... My phone has a slightly different FSA chip... Check this result from the SBL.
I searched on the fairchild website... http://www.fairchildsemi.com/ds/FS/ Ok.. so we still don't have a datashet, but we have a similar one. http://www.fairchildsemi.com/ds/FS/FSA9280A.pdf
The important statement here is: The FSA9280A / FSA9288A can be programmed for manual switching or automatic switching of data paths based on accessory detected.
So... we need that resistance testing done pronto!
The data sheet specifies: UART Serial Link and Factory-Mode... those are two separate modes. It's quite possible we have not yet found Factory-Mode. It would be nice to have that code which was mentioned by the second poster in this thread. It's likely that Samsung has changed the code for their release PBLs.
Ok.. So, now, what does that mean? Duh... No jtag port=FSA chip must be used. Great news right?
Alright.. So, even bigger news... My phone has a slightly different FSA chip... Check this result from the SBL.
Code:
SBL> usb_read
---------read fsa9480 register : multiple
(0x0 : 0x0), (0x1 : 0x28), (0x2 : 0x1e), (0x3 : 0x0),
(0x4 : 0x0), (0x5 : 0x0), (0x6 : 0x0), (0x7 : 0x1c),
(0x8 : 0x4), (0x9 : 0x0), (0xa : 0x0), (0xb : 0x8),
(0xc : 0x0), (0xd : 0x0), (0xe : 0x4), (0xf : 0x0),
(0x10 : 0x0), (0x11 : 0x0), (0x12 : 0x0), (0x13 : 0x0),
Code:
The FSA9280A and FSA9288A are high-performance
multimedia switches featuring automatic switching and
accessory detection for the USB port. These switches allow
the sharing of a common USB port to pass audio, USB data /
charging, as well as factory programmability. In addition, the
FSA9280A / FSA9288A integrate detection of accessories,
such as headphones, headsets (MIC / button), car chargers,
USB chargers, and UART data cables with the ability to use
a common USB connector. The FSA9280A / FSA9288A can
be programmed for manual switching or automatic switching
of data paths based on accessory detected. FSA9280A /
FSA9288A include an integrated 28V over-voltage and 1.5A
over-current protected FET.The important statement here is: The FSA9280A / FSA9288A can be programmed for manual switching or automatic switching of data paths based on accessory detected.
So... we need that resistance testing done pronto!
The data sheet specifies: UART Serial Link and Factory-Mode... those are two separate modes. It's quite possible we have not yet found Factory-Mode. It would be nice to have that code which was mentioned by the second poster in this thread. It's likely that Samsung has changed the code for their release PBLs.
I meant the JIG signal coming out of the FSA9480 JIG pin, which Richthofen traced to the PMIC (here).
I saw a post in the thread with the jig that someone posted i thought i share it
http://xdaforums.com/showpost.php?p=9171146&postcount=200
Also look at this thread there is a guy that owns anyway jig maybe he can help debug the process
http://xdaforums.com/showthread.php?t=917229
http://xdaforums.com/showpost.php?p=9171146&postcount=200
Also look at this thread there is a guy that owns anyway jig maybe he can help debug the process
http://xdaforums.com/showthread.php?t=917229
Last edited:
Can anyone define these acronyms i'm seeing in the picture above?
DP
DM
CP
TA
IF
They have TX and RX lines. They are connected to the microUSB mux.
so, the JIG line definately controls if the phone boots or not.
The BOOT pin, likely controls if the phone boots to charge or android mode.
I want to get ahold of the I2C bus. I also need to know what is being transmitted when the phone is first plugged into the usb cable and power is applied. Anyone with a scope, can you scope the D+ and D- lines while plugging a phone which is off into power?
The JTAG points are the eight rectangular green pads on the bottom right of this picture. The circuit board looks basically the same layout as the circuit board in the I9000 service manual. The FSA9480 (U301) is the second-from-top chip in this picture, marked "PB1AV N4".
Can you point me to this source? Is it the actual bootloader source, or is it the source for the dev platform?
Couldn't you have written this BEFORE I made a big elaborate test jig to look for undocumented resistor values?
Sorry bout that. All this talk about jigs is what made me think about it more.
The while point is : suppose the fsa chip wanted to assert pin OM5 on the CPU. What output lines does it have available? Only JIG and BOOT. And we already know which R values assert them.
Hmmm... Good point. I guess if Sammy wired our phones up right, they would automatcally download firmware from our car's audio amp. lol
But what does happen to the BOOT line? Do we know of any behavior that is different for BOOT ON or OFF ?
Sent from my SAMSUNG-SGH-I897 using XDA App
Not the bootloader, but rather the code for the linux kernel. I dont have the link handy, but it is the source code samsung released for Froyo on the Captivate. Sumpn like opensorce.samsung.com.
Anyway, it shows how an already booted, up and running system interacts with the fsa9480 chip. The CPU is a master on the i2c bus, and the fsa is a slave. So i2c isn't really relevant to the early boot process. It might get used in SBL but thats too late to matter for us.
BTW, the linux code for the fsa9480 was written by samsung, and it does explicitly say "factory mode" on the lines defining the RID_FM_* values. It is possible (looking likely? ) that they just lifted that name from the (uncensored) Fairchild data sheet, even though they planned to use the mode differently (see prev post).
Sent from my SAMSUNG-SGH-I897 using XDA App
We aren't really concerned with the way linux handles the i2c bus. That's way after the communication we are seeing. We are basically communicating with the bios for lack of a better term.
The processor has to be master after the kernel boots. The processor handles i2c master and slave natively according to the datasheets. Js22 can you scope that initial communication for me? I really still believe there is something we are missing.
Where can we get that obligation and able code?
Btw... what is uart2? Are we using uart1 or uart2?
The processor has to be master after the kernel boots. The processor handles i2c master and slave natively according to the datasheets. Js22 can you scope that initial communication for me? I really still believe there is something we are missing.
Where can we get that obligation and able code?
Btw... what is uart2? Are we using uart1 or uart2?
Rambling Thought Dump....
Even though Fairchild designed the fsa9480 explicitly to allow cell phone makers to implement a factory programming mode which kicks in automaically when it senses the correct R value, maybe Samsung just didn't use the chip that way.
So the question is, how do we get into UART boot mode?
I started out feeling like it was a no-brainer. We know the UART boot mode exists, we know there is a chip (the fsa9480) explicitly designed to enable it, so had to be a piece of cake.
Now my thinking is, since it isn't easy, just how hard is it?
My understanding is that mass-produced devices usually have their chips flashed before they are assembled. In-system programming is handy for development, but there is always JTAG for that. So it could be that our dear friend OM5 is merely soldered to ground. Or possibly it is just pulled weakly to ground and there is some way of physically accessing it, like a test point somewhere on the main board. Maybe this is venturing into crazyland, but one way to find out would be to disassemble a phone : actually unsolder the CPU and go at the board with probes. I'm not saying I plan to; just that the idea is kicking around upstairs. If it turns out that there is a convenient access point, we would have a way to procede. Not as nice as a magic resistor on the usb connector, but still preferable to JTAG as a cheap, repeatable, open-source method of rescuing a phone.
Another idea I've had kicking around is finding a way to block or corrupt the IBL code as it travels from the OneNAND to the CPU's internal RAM. If the IBL isn't copied perfectly, the iROM code will detect the error and fail over to UART.
How to mess up the IBL? We've already tossed around the idea of modifying it as it is stored in the OneNAND, but that is guaranteed to permanently brick a phone until a (never before attempted) method of recovery based on UART is perfected. And in order to do this, we'd have to start with a working (non-bricked) phone.
But if the transfer of the IBL can be made to fail "on demand", that would be a reasonable way to go forward.
TBH, I don't even know where the OneNAND is or what kind of physical access we have to it. The trick is to mess with the data without breaking anything. I'm thinking of a longish wire (not connected to anything) as a noise source. Touching it to every possible contact near the OneNAND chip is bound to turn up something (clock, chip select, power, enables,???) with enough noise sensitivity to corrupt at least one bit.
Anyway, enough rambling. Time for SNL.
Sent from my SAMSUNG-SGH-I897 using XDA App
Even though Fairchild designed the fsa9480 explicitly to allow cell phone makers to implement a factory programming mode which kicks in automaically when it senses the correct R value, maybe Samsung just didn't use the chip that way.
So the question is, how do we get into UART boot mode?
I started out feeling like it was a no-brainer. We know the UART boot mode exists, we know there is a chip (the fsa9480) explicitly designed to enable it, so had to be a piece of cake.
Now my thinking is, since it isn't easy, just how hard is it?
My understanding is that mass-produced devices usually have their chips flashed before they are assembled. In-system programming is handy for development, but there is always JTAG for that. So it could be that our dear friend OM5 is merely soldered to ground. Or possibly it is just pulled weakly to ground and there is some way of physically accessing it, like a test point somewhere on the main board. Maybe this is venturing into crazyland, but one way to find out would be to disassemble a phone : actually unsolder the CPU and go at the board with probes. I'm not saying I plan to; just that the idea is kicking around upstairs. If it turns out that there is a convenient access point, we would have a way to procede. Not as nice as a magic resistor on the usb connector, but still preferable to JTAG as a cheap, repeatable, open-source method of rescuing a phone.
Another idea I've had kicking around is finding a way to block or corrupt the IBL code as it travels from the OneNAND to the CPU's internal RAM. If the IBL isn't copied perfectly, the iROM code will detect the error and fail over to UART.
How to mess up the IBL? We've already tossed around the idea of modifying it as it is stored in the OneNAND, but that is guaranteed to permanently brick a phone until a (never before attempted) method of recovery based on UART is perfected. And in order to do this, we'd have to start with a working (non-bricked) phone.
But if the transfer of the IBL can be made to fail "on demand", that would be a reasonable way to go forward.
TBH, I don't even know where the OneNAND is or what kind of physical access we have to it. The trick is to mess with the data without breaking anything. I'm thinking of a longish wire (not connected to anything) as a noise source. Touching it to every possible contact near the OneNAND chip is bound to turn up something (clock, chip select, power, enables,???) with enough noise sensitivity to corrupt at least one bit.
Anyway, enough rambling. Time for SNL.
Sent from my SAMSUNG-SGH-I897 using XDA App
Well, if you're interested in poking around on the phone, these pictures should help. I tore it down the other night to get high quality pictures for reference.
I probly should have taken the shield off around the processor.
I probly should have taken the shield off around the processor.
Last edited:
Although the CPU is capable of being set up to operate in slave mode, the fsa chip is not capable of being a master. As far as i2c is concerned, it just sits there waiting for commands which do not come. We know that the iROM code does not enable the i2c bus.
As for UART, the CPU has 4 nunbered 0,1,2,3. The one we talk to is 2. This is coded in ROM and (obviously) built into the circuit.
Of the various things that the fsa9480 can multiplex onto the USB connector, there are 2 diffferent UARTs. One of them is the UART2 from our CPU. Our CPU is called the AP in cellphone lingo. The other UART comes from the radio chip, which cellphone pholks call the CP.
The fsa chip always picks the UART from the AP by default. Only when instructed by the AP over the i2c bus does it switch to the other UART from the CP.
Sent from my SAMSUNG-SGH-I897 using XDA App
The fsa chip might be programmable via i2c. There might be an i2c message we can send to it to cause boot mode pin to change. If we can access the i2c pins of the fsa chip via the test points, we could send the message even if the phone is bricked.
I still think we have an undocument resistor value to find because the om5 is not being set with any of the current resistors.
Just a thought.
The FSA Data sheet does say "Programmability I2C". Perhaps its behaviour when presented with different resistor values (i.e whether it asserts JIG/BOOT) can be set over I2C and stored in non-volatile memory in the FSA. The info in the source could just be a cut-and-paste of the FSA's default behaviour from the full data sheet.
I can't think what else "Programmability I2C" could mean?
The FSA Data sheet does say "Programmability I2C". Perhaps its behaviour when presented with different resistor values (i.e whether it asserts JIG/BOOT) can be set over I2C and stored in non-volatile memory in the FSA. The info in the source could just be a cut-and-paste of the FSA's default behaviour from the full data sheet.
I can't think what else "Programmability I2C" could mean?
Interesting idea! Completely disabling the NAND would also work, probably. Unfortunately the OneNAND chip is in a package-on-package stack with the processor, that is it's basically stuck onto the top of the processor package, and it's in a combined package with the RAM. This is described in this teardown, note that the "Gb" figures in the article are gigabits, not gigabytes.
This makes it pretty hard to disrupt without messing up the processor or RAM as well, although if you had the schematic you might identify a way of doing it.
- Status
Similar threads
Top Liked Posts
-
There are no posts matching your filters.
-
19I've been reading up on SGS hardware and bootloaders, and I feel like there's a very good chance that there's a way (within reach? ??) to to fix a totally bricked phone.
NOTE: I'm no expert on this stuff. If I'm missing something totally stupid, please forgive me. Anyways, here goes...
The user manual for the s5pc110 chip describes the booting process; it has 3 levels. On hw reset the cpu begins executing code that lives in ROM. The ROM code loads the primary bootloader from a source selected by external pin inputs. The PBL pretty much just loads the SBL, which does the major setup and loads the kernel.
The important thing, which I haven't seen anyone discuss, is that the initial ROM code includes the ability (poorly documented, of course) to load the PBL from UART or USB.
Repeat : non-eraseable code in our phones which is executed on hw reset can load a bootloader over serial or USB into memory and then execute it.
From other threads, we know that Samsung is able to restore a bricked phone without opening it up. Why should they have all the fun?
The first step is asserting the proper pins. This is done by connecting the proper resistance betw pins 4 & 5. The 'jig' thread describes using 301k to get into download mode, but this is happening in the SBL. Many other R values are desribed in the 'fun with resistors' thread and in the fsaXXXX-i2c.c kernel source. One of them does a reboot and connects a (3.3V) UART to the D+/D- pins.
One thing that is described in the docs is that the ROM code tries UART first and then fails over to USB. Since UART is so much simpler, I'd say that's where to begin.
We already learned in that thread that connecting at 115200 baud and banging on RETURN brings up a "SBL>" prompt with lots of cool commands available. But as TheBeano pointed out, that's not much use if the SBL is toast.
What I'm wondering is whether there's a way to interrupt the normal boot while its still running ROM code. There's no reason the ROM would set up the UART at the same baud rate as the SBL and kernel. Maybe just a lower baud and banging on RETURN is enough.
For anybody with the time and the hardware, that should be easy enough to try. TheBeano?
There's probably some handshake/protocol issues to figure out to get a bootloader loaded and executing, but we do have a known good one (the PBL) to play with.
If that can be made to work, it would be a huge step towards a working solution. There is code floating around (I saw it on the teamhacksung git) that ports u-boot bootloader to our phones. AFAIK, nobody around here has tried it. But if we are able to test bootloaders w/o flasing, then maybe we (someone with a clue about bootloaders,that is) can open the door to safe, open-source booting.
So that's it. Is this crazy-talk, or do you guys n gals think it just ... might ... work?5I am actually very surprised that no one has replied to this, it is actually a very good idea and also very possible
I will add a little insight without giving too much away
Its also possible to start the phone via JTAG and pass the control over to USB or UART, even to enter DLM and flash the phone without repairing the current IBL/PBL/SBL within the phone which are damaged, e.g. the loaders are running in RAM this is done via CMM or JNAND ...
I have the full unstripped source code for the PBL and SBL and may consider releasing them if some input starts in this thread, its all too easy just to give them out without the scene thinking on its feet
Oh BTW: My dog spoke to another dog who's owner works for Samsung and he told him that the 2.3.3 release, will be released when its f**king ready and not 1 day before.4WE HAVE HELLO WORLD
Rebellos! You are the man!
Ok, steps to reproduce:
1. Perform UnBrickable mod from the first post in this thread. http://xdaforums.com/showthread.php?t=1206216
2. With the phone off, Insert battery into phone. Press power on button for 1 second. Observe message on internal UART:
Code:Insert an OTG cable into the connector! ������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������ Uart negotiation Error
3. Insert the OTG Cable (standard USB cable plugged into USB port on phone-- OTG port) and obvserve message on internal UART port:
Code:������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������ Uart negotiation Error
4. on a Linux system run the "dltool" and use this firmware http://xdaforums.com/attachment.php?attachmentid=698077&d=1314105521 from Rebellos
Code:adam@Adam-Desktop:~/Desktop/dltool$ sudo ./smdk-usbdl -f ./s5pc110_test/s5pc110_testcode.bin -a D0020000 SMDK42XX,S3C64XX USB Download Tool Version 0.20 (c) 2004,2005,2006 Ben Dooks <ben-linux@fluff.org> S3C64XX Detected! => found device: bus 001, dev 050 => loaded 16384 bytes from ./s5pc110_test/s5pc110_testcode.bin => Downloading 16394 bytes to 0xd0020000 => Data checksum af84 => usb_bulk_write() returned 16394 adam@Adam-Desktop:~/Desktop/dltool$
5. Observe Internal UART message:
which repeats every 20 seconds.Code:Hey you! Out there on the road, Always doing what you are told, Can you help me?
GREAT WORK!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!3TheBeano what service manual will help you? full one?
http://www.filesonic.com/file/305248751/Samsung_GT-i9000_Galaxy_S_service_manual.rar full one.
http://megaupload.com/?d=C0JHS7A8 - service training manual 01/20112^^ Thanks.... So what do we have when the primary bootloader is destroyed?
Here is a general purpose video describing what we have so far.
New posts
-
Development [ROM][A14][Pixel 7 Series] MATRIXX-v10.4.2 [GAPPS][04.19.2024]- Latest: nikhil007mmus
-
Themes / Apps / Mods (Magisk Mod) Google photos unlimited back up.
- Latest: pawelmiernik
-
Question Do you still need a screen protector, is the 12 a scratch magnet?
- Latest: masondoctorjt
-
-