The Droid Charge Development Platform. AKA UnBrickable Mod

Search This thread

AdamOutler

Retired Senior Recognized Developer
Feb 18, 2011
5,224
9,826
Miami, Fl̨̞̲̟̦̀̈̃͛҃҅͟orida
Alright, I sent this Droid Charge to MobileTechVideos.com for JTAG. This allows me to verify all theory up to this point. Let's go over the UART debugging output... I'll break it down into chunks and explain the important parts.

This boot sequence is a totally stock Droid Charge booting into it's power off battery charging sequence... not rooted, not running a custom ROM, just USB plugged into a device which is off.

Ok.. So, UART is hooked up and I press the power button for less then 4 seconds. The device will attempt to boot after 4 seconds of holding the power button...
Code:
��������������������������������������������������������������������������������
Uart negotiation Error

Insert an OTG cable into the connector!
Ok, so I inserted the cable into the connector
Code:
��������������������������������������������������������������������������������
Uart negotiation Error
At this point it should enumerate on the USB port, but it does not.... I have some more stuff to try.. some FSA9040 chip foolery may prove useful.. This will come later.
Code:
Enumeration TimeOut Error
After 2 seconds of trying to enumerate with the computer it gives up and starts booting.. It does not enumerate on USB for some unknown reason
Code:
1
This piece lets you know that the iROM has executed. This binary 0010, and number 1 tells you that the device is attempting to boot into the PBL.
Code:
-----------------------------------------------------------
   Samsung Primitive Bootloader (PBL) v3.0
   Copyright (C) Samsung Electronics Co., Ltd. 2006-2010
-----------------------------------------------------------

+n1stVPN       3456 
+nPgsPerBlk    64 
+n1stVPN       3776 
+nPgsPerBlk    64 
PBL found bootable SBL: Partition(4).


So, at this point, the PBL calls the SBL. The SBL is technicallyp/i] an operating system on it's own. it's capable of reading and writing to the OneNAND, Download Mode, setting registers in the power management IC, and other parts of the system.
Code:
Set cpu clk. from 400MHz to 800MHz.
OM=0x29, device=OnenandMux(Audi)
IROM e-fused version.

                                                                                
-----------------------------------------------------------                     
   Samsung Secondary Bootloader (SBL) v3.0                                      
   Copyright (C) Samsung Electronics Co., Ltd. 2006-2010                        
                                                                                
   Board Name: ARIES REV 02                                                     
   Build On: May 27 2011 01:21:27                                               
-----------------------------------------------------------                     
                                                                                
Re_partition: magic code(0x0)                                                   
[PAM:   ] ++FSR_PAM_Init                                                        
[PAM:   ]   OneNAND physical base address       : 0xb0000000                    
[PAM:   ]   OneNAND virtual  base address       : 0xb0000000                    
[PAM:   ]   OneNAND nMID=0xec : nDID=0x50                                       
[PAM:   ] --FSR_PAM_Init
The OM=0x29 says that the device's boot command has been set up properly.. UART>USB>OneNAND(normal boot). SO we're not experiencing problems here


Now, here's something tricky... The IROM is efused. I'm not sure if this is preventing boot from USB or if this fuse can be bypassed. Either way, the enumeration should occur before this mesage.

I will ask Rebellos for information on the IROM e-fused version message. He's disassembled the SBL and knows the inner workings well.

The SBL has been initialized and it has made memory space to begin loading the rest of the system.

It will now check the OneNAND's partitions for entries which it should load.
Code:
fsr_bml_load_partition: pi->nNumOfPartEntry = 13                                
partitions loading success                                                      
board partition information update.. source: 0x0                                
.Done.                                                                          
read 1 units.                                                                   
==== PARTITION INFORMATION ====                                                 
 ID         : IBL+PBL (0x0)                                                     
 ATTR       : RO SLC (0x1002)                                                   
 FIRST_UNIT : 0                                                                 
 NO_UNITS   : 1                                                                 
===============================                                                 
 ID         : PIT (0x1)                                                         
 ATTR       : RO SLC (0x1002)                                                   
 FIRST_UNIT : 1                                                                 
 NO_UNITS   : 1                                                                 
===============================                                                 
 ID         : EFS (0x14)                                                        
 ATTR       : RW STL SLC (0x1101)                                               
 FIRST_UNIT : 2                                                                 
 NO_UNITS   : 40                                                                
===============================                                                 
 ID         : EFS2 (0xd)                                                        
 ATTR       : RW SLC (0x1001)                                                   
 FIRST_UNIT : 42                                                                
 NO_UNITS   : 12                                                                
===============================                                                 
 ID         : SBL (0x3)                                                         
 ATTR       : RO SLC (0x1002)                                                   
 FIRST_UNIT : 54                                                                
 NO_UNITS   : 5                                                                 
===============================                                                 
 ID         : SBL2 (0x4)                                                        
 ATTR       : RO SLC (0x1002)                                                   
 FIRST_UNIT : 59                                                                
 NO_UNITS   : 5                                                                 
===============================                                                 
 ID         : PARAM (0x15)                                                      
 ATTR       : RW STL SLC (0x1101)                                               
 FIRST_UNIT : 64                                                                
 NO_UNITS   : 20                                                                
===============================                                                 
 ID         : KERNEL (0x6)                                                      
 ATTR       : RO SLC (0x1002)                                                   
 FIRST_UNIT : 84                                                                
 NO_UNITS   : 30                                                                
===============================                                                 
 ID         : RECOVERY (0x7)                                                    
 ATTR       : RO SLC (0x1002)                                                   
 FIRST_UNIT : 114                                                               
 NO_UNITS   : 30                                                                
===============================                                                 
 ID         : FACTORYFS (0x16)                                                  
 ATTR       : RW STL SLC (0x1101)                                               
 FIRST_UNIT : 144                                                               
 NO_UNITS   : 1380                                                              
===============================                                                 
 ID         : DBDATAFS (0x17)                                                   
 ATTR       : RW STL SLC (0x1101)                                               
 FIRST_UNIT : 1524                                                              
 NO_UNITS   : 430                                                               
===============================                                                 
 ID         : LTEMODEM (0xb)                                                    
 ATTR       : RO SLC (0x1002)                                                   
 FIRST_UNIT : 1954                                                              
 NO_UNITS   : 48                                                                
===============================                                                 
 ID         : CPMODEM (0xc)                                                     
 ATTR       : RO SLC (0x1002)                                                   
 FIRST_UNIT : 2002                                                              
 NO_UNITS   : 2                                                                 
===============================
The SBL begins setting parameters for booting..
Code:
loke_init: j4fs_open success..                                                  
load_lfs_parameters valid magic code and version.                               
load_debug_level reading debug level from file successfully(0x574f4c44).        
init_fuel_gauge: vcell = 3522mV, soc = 4                                        
reading nps status file is successfully!.                                       
nps status=0x504d4f43                                                           
PMIC_IRQ1    = 0x28                                                             
PMIC_IRQ2    = 0x0                                                              
PMIC_IRQ3    = 0x0                                                              
PMIC_IRQ4    = 0x0                                                              
PMIC_STATUS1 = 0x40                                                             
PMIC_STATUS2 = 0x20                                                             
get_debug_level current debug level is 0x574f4c44.                              
aries_process_platform: Debug Level Low                                         
hwrev:a                                                                         
keypad_scan: key value = 0x0                                                    
volup 00: 1                                                                     
volup 0102: 1                                                                   
volup 00DV: 1                                                                   
volup prep1: 0                                                                  
DISPLAY_PATH_SEL[MDNIE 0x1]is on                                                
get_debug_level current debug level is 0x574f4c44.                              
get_debug_level current debug level is 0x574f4c44.                              
MDNIE setting Init start!!                                                      
vsync interrupt is off                                                          
video interrupt is off                                                          
[fb0] turn on                                                                   
MDNIE setting Init end!!                                                        
LCD ID - 0xa1                                                                   
LCD ID - 0x12                                                                   
LCD ID - 0x11                                                                   
set_boot_mode: boot mode = 1                                                    
aries_process_platform: final s1 booting mode = 1                               
                                                                                

Autoboot (0 seconds) in progress, press any key to stop
at this point, the boot sequence can be stopped by pressing "Enter" on the keyboard via UART. It will bring up the SBL> Prompt which allows you to manually edit configuration
Code:
get_debug_level current debug level is 0x574f4c44.                              
get_debug_level current debug level is 0x574f4c44.                              
boot_kernel: Debug Level Low                                                    
..............................done                                              
Kernel read success from kernel partition no.6, idx.7.                          
setting param.serialnr=0x343373b0 0xf43900ec                                    
setting param.board_rev=0xa                                                     
setting param.cmdline=androidboot.mode=unknown s3cfb_tl2796.lcd_type=2 console=0
                                                                                
Starting kernel at 0x32000000...
the parameters for booting the kernel have been set and now the kernel will boot
Code:
Uncompressing Linux.............................................................
[    0.086247] KERNEL:kernel_sec_get_debug_level_from_boot=0x574f4c44           
[    0.090984] KERNEL:magic_number=0x0 DEBUG LEVEL low!!                        
[    0.095995] (kernel_sec_set_upload_cause) : upload_cause set 0               
sh: can't access tty; job control turned off                                    
#
note the last line shows a root shell prompt... it can be useful for grabbing the stock ROM and PARAMS off a unit without rooting before first boot.

Ok.. so no new information.. We've verified that the OM5 pin has been brought high with this modification, but we still need to enumerate on USB. The mod was done properly so far, but something is wired differently with the power management chip or the USB chip.
 
Last edited:
  • Like
Reactions: Rebellos

Rebellos

Senior Recognized Developer
May 13, 2009
1,353
3,428
Gdańsk
Printing message
IROM e-fused version.
or
IROM non e-fused version.
depends on, accordingly not-null or null e-fuse SECKEY registers, stored in CPU. They seem to be the equal (not-null) for all S5PC110 chips (it has been confirmed that IBL signed with the same key works on SGS, Captivate, Odroid and so on).

Printing it is kinda easy, it is in C code:
int a,b,c,d;
a=read32(SECKEY+0x18);
b=read32(SECKEY+0x1C);
c=read32(SECKEY+0x20);
d=read32(SECKEY+0x24);
if(a!=NULL||b!=NULL||c!=NULL||d!=NULL)
printf("IROM e-fused");
else
printf("IROM non e-fused");
Message text may slighty vary depends on SBL revision and model.
I've never seen message "non e-fused". However on this level of booting it is only informative debug message, probably was used on first S5PC110 prototypes, which were non-secure.

All possible internal schemas of Charge, like service manuals of L3 and L4 are welcome in solving this mystery. Thanks in advance.
 
O

okmsdn

Guest
Thanks so much for sharing this. I have a Droid Charge 4G and been hardly bricked.
Will give a try.


This modification will go like this: http://xdaforums.com/showthread.php?t=1206216

After that, unbricking your Droid Charge will be like this...

See here for full instructions:
http://xdaforums.com/showthread.php?t=1242466

Of course I don't OWN a droid charge, so I will need to work with someone who does.



introduction
I'm not kidding when I say UnBrickable. Modifying the OM pins means you can boot from USB, UART or MMC. This makes the phone quite UNBRICKABLE. There is nothing you can do software wise to prevent the device from booting into this mode. We are communicating with the unrewritable, efused IROM on the processor. It's the thing that makes the system on a chip into a "system on a chip".I am here now to tell you how to turn your Samsung Droid Charge into a KIT-S5PC110 development board. The KIT-S5PC110 development board is the platform used to develop our phones. There are some differences between this mod and the official development platform. The S5PC110 has a removable internal SDCard and no touchscreen.

Why would you want to do this? When you plug in the battery and connect it to the computer in "off" mode, it will become an S5PC110 board awaiting download of a program to run. This occurs long before anything like software or firmware enters the processor. This is the IROM of the device awaiting commands or a power on signal.

Because it is accepting a memory flash, anything may be put onto the device to perform a boot sequence..... Apple iOS (iPhone4 has the same processor) WP7 (mango supports this processor).

This will be a replacement for JTAG once we are able to make some firmware. How could it possibly be better then JTAG? Let's count the ways....
1. The only part required is a wire.
2. No shipping time.
3. No cost for a box to interface the computer.
4. Permanent.
5. Can be done as a preventive measure.
6. Gives the ability to test new Bootloaders temporarily.
7. Allows development of the entire system.
8. Removes worry about flashing and acts as a backup.

After performing this mod:
Remove the battery, replace the battery, your phone will connect to the computer via USB and await commands. Otherwise it will pretty much act like a Droid Charge. See the Special Instructions section.

Modification

You will need:
1. Get someone who knows what they're doing with a soldering iron. If they don't know what flux is, then they don't know what they're doing. You can also speak to myself(my username @gmail.com) or Connexion2005(aka MobileTechVideos.com)
2. soldering iron - make sure it's sharp, if it's not sharp, then sharpen it, flux it and retin it.
3. flux
4. solder
5. tweezers
6. A relay (possibly- for the wire within to use as a bridge)


performing the modification:
1. tear apart your phone... Make sure to take out your SIM and external SDCard before you do this.
1A. Remove the screws.
1B. Separate the top case from the bottom case
1C. disconnect the display connector and free the camera and button assemblies from the case.
1D. Remove the mainboard

Mainboard picture (HUGE):http://i56.tinypic.com/2945i5d.jpg
Processor Picture(HUGE): http://i52.tinypic.com/2m4rvv9.jpg

2. Perform the mod in one of the following ways:

The Proper Way:
2a. Move the xOM5 resistor from the top to the bottom position
2nvtrp.png


--or--

The Easy Way:
2b. Remove the xOM5 resistor and bridge it to one of the resistors next to it.
2m5lds2.png

thanks to Clarkkent434 for the board.


3. reassemble the phone.


Special Instructions

  • This replaces the battery charging sequence. The normal battery charging sequence can be activated by holding power for 4 seconds.
  • To turn on the device, and operate in normal mode, you must hold the power button for 5 seconds.
  • 3 button Download mode works as usual, however you must not have the S5PC110 drivers installed on the computer. You can use your custom rom menu option, adb reboot download, or use a terminal to "reboot download". 301Kohm Factory Mode JIGs work as well, but you must press power to bypass the S5PC110 mode.


Conclusion

Congratulations. You now have a device which works like a KIT-S5PC110 with an OM Value of 29. Now get to developing some serious custom software. See here for setting up the UART output http://xdaforums.com/showthread.php?t=1235219

reading material
Creating your own Samsung Bootloaders: http://xdaforums.com/showthread.php?t=1233273
KIT-S5PC110 manual: http://www.mediafire.com/?94krzvvxksvmuxh
how to use DNW: http://tinyurl.com/dnw-how-to
Flash using openOCD and DNW: http://www.arm9board.net/wiki/index.php?title=Flash_using_OpenOCD_and_DNW
another DNW example: http://www.boardset.com/products/mv6410.php
ODroid dev center: http://dev.odroid.com/projects/uboot/wiki/#s-7.2


drivers and utilities
This will be an ever expanding list
Windows Drivers http://xdaforums.com/attachment.php?attachmentid=678937&d=1312590673
Windows Download Tool DNW: http://xdaforums.com/attachment.php?attachmentid=678938&d=1312590673
Windows Command Line Download Tool: http://xdaforums.com/showpost.php?p=17202523&postcount=27
Linux DNW Utility: http://dev.odroid.com/projects/uboot/wiki/#s-7.2

firmware
One-Click Resurrector: http://xdaforums.com/attachment.php?attachmentid=705515&d=1314762609
Bootloader Hello World by Rebellos http://xdaforums.com/attachment.php?attachmentid=698077&d=1314105521
 
Mar 1, 2011
21
1
Bad emmc

Hey so if I perform this mod, would I be able to install a firmware to the mmc and boot it off that? The emmc in my device seems to be fried, and right now the phone is just sitting in my room collecting dust.
 

selyb

Senior Member
Mar 10, 2008
244
5
Shreveport
Was this abandoned? I am interested in doing this on my stratosphere to dump the cp_modem for the poor users who flashed EH2 or EK1.
 

lukegman

Senior Member
Mar 5, 2011
364
111
I have this charge...fully functioning and using it right now...do you want it for developing?

Sent from my SCH-I510 using xda premium
 

tmanschuette

Senior Member
Oct 23, 2011
676
177
Was this abandoned? I am interested in doing this on my stratosphere to dump the cp_modem for the poor users who flashed EH2 or EK1.

You can actually dump most system files from the dialer onto your SD using your phones hidden menus.

Edit: On the charge it is *#9900#
I don't know if this is what you are looking for, but there is my two cents.

Tweaked 3.0 and Transparent ICS 5.0 Beta
 
Last edited:
  • Like
Reactions: kvswim

lukegman

Senior Member
Mar 5, 2011
364
111
I thought about nitro and I respect yur opinions...and at first this thread seemed like bs but I looked at his profile...he's legit...so if he can get the hardware right...the options are limitless...and if he gets it for free...fixes the hardware...gives it to a developer...it's awesome...

Sent from my SCH-I510 using xda premium
 

selyb

Senior Member
Mar 10, 2008
244
5
Shreveport
You can actually dump most system files from the dialer onto your SD using your phones hidden menus.

Edit: On the charge it is *#9900#
I don't know if this is what you are looking for, but there is my two cents.

Tweaked 3.0 and Transparent ICS 5.0 Beta

The charge and stratosphere have the same partitions. cp_modem.bin is BML13. I can dump all of them with dd but BML13 dumps 512KB of 1's which is very wrong. I hope with this mod or jtag I could dump this partition and have a complete nandroid image.
 

tmanschuette

Senior Member
Oct 23, 2011
676
177
Good luck my friend. I am not a developer so I have no clue :p. Just an experimental flasher with hopes of helping some developer some way in making our phone awesome.

Tweaked 3.0 and Transparent ICS 5.0 Beta
 

jheide44

Senior Member
Feb 3, 2013
224
108
Once I get some "hobby" time again... this thread got me thinking.

Is there any difference between the options described... moving the resistor the right way vs. shorting the points the easy way.

This is a lot different that replacing bad caps or an AV out mod on the NES-101... As a radio shack soldering iron, botch job kinda guy, we'll see if I work up the courage to give it a go.
 

Top Liked Posts

  • There are no posts matching your filters.
  • 9
    This modification will go like this: http://xdaforums.com/showthread.php?t=1206216

    After that, unbricking your Droid Charge will be like this...

    See here for full instructions:
    http://xdaforums.com/showthread.php?t=1242466

    Of course I don't OWN a droid charge, so I will need to work with someone who does.



    introduction
    I'm not kidding when I say UnBrickable. Modifying the OM pins means you can boot from USB, UART or MMC. This makes the phone quite UNBRICKABLE. There is nothing you can do software wise to prevent the device from booting into this mode. We are communicating with the unrewritable, efused IROM on the processor. It's the thing that makes the system on a chip into a "system on a chip".I am here now to tell you how to turn your Samsung Droid Charge into a KIT-S5PC110 development board. The KIT-S5PC110 development board is the platform used to develop our phones. There are some differences between this mod and the official development platform. The S5PC110 has a removable internal SDCard and no touchscreen.

    Why would you want to do this? When you plug in the battery and connect it to the computer in "off" mode, it will become an S5PC110 board awaiting download of a program to run. This occurs long before anything like software or firmware enters the processor. This is the IROM of the device awaiting commands or a power on signal.

    Because it is accepting a memory flash, anything may be put onto the device to perform a boot sequence..... Apple iOS (iPhone4 has the same processor) WP7 (mango supports this processor).

    This will be a replacement for JTAG once we are able to make some firmware. How could it possibly be better then JTAG? Let's count the ways....
    1. The only part required is a wire.
    2. No shipping time.
    3. No cost for a box to interface the computer.
    4. Permanent.
    5. Can be done as a preventive measure.
    6. Gives the ability to test new Bootloaders temporarily.
    7. Allows development of the entire system.
    8. Removes worry about flashing and acts as a backup.

    After performing this mod:
    Remove the battery, replace the battery, your phone will connect to the computer via USB and await commands. Otherwise it will pretty much act like a Droid Charge. See the Special Instructions section.

    Modification

    You will need:
    1. Get someone who knows what they're doing with a soldering iron. If they don't know what flux is, then they don't know what they're doing. You can also speak to myself(my username @gmail.com) or Connexion2005(aka MobileTechVideos.com)
    2. soldering iron - make sure it's sharp, if it's not sharp, then sharpen it, flux it and retin it.
    3. flux
    4. solder
    5. tweezers
    6. A relay (possibly- for the wire within to use as a bridge)


    performing the modification:
    1. tear apart your phone... Make sure to take out your SIM and external SDCard before you do this.
    1A. Remove the screws.
    1B. Separate the top case from the bottom case
    1C. disconnect the display connector and free the camera and button assemblies from the case.
    1D. Remove the mainboard

    Mainboard picture (HUGE):http://i56.tinypic.com/2945i5d.jpg
    Processor Picture(HUGE): http://i52.tinypic.com/2m4rvv9.jpg

    2. Perform the mod in one of the following ways:

    The Proper Way:
    2a. Move the xOM5 resistor from the top to the bottom position
    2nvtrp.png


    --or--

    The Easy Way:
    2b. Remove the xOM5 resistor and bridge it to one of the resistors next to it.
    2m5lds2.png

    thanks to Clarkkent434 for the board.


    3. reassemble the phone.


    Special Instructions

    • This replaces the battery charging sequence. The normal battery charging sequence can be activated by holding power for 4 seconds.
    • To turn on the device, and operate in normal mode, you must hold the power button for 5 seconds.
    • 3 button Download mode works as usual, however you must not have the S5PC110 drivers installed on the computer. You can use your custom rom menu option, adb reboot download, or use a terminal to "reboot download". 301Kohm Factory Mode JIGs work as well, but you must press power to bypass the S5PC110 mode.


    Conclusion

    Congratulations. You now have a device which works like a KIT-S5PC110 with an OM Value of 29. Now get to developing some serious custom software. See here for setting up the UART output http://xdaforums.com/showthread.php?t=1235219

    reading material
    Creating your own Samsung Bootloaders: http://xdaforums.com/showthread.php?t=1233273
    KIT-S5PC110 manual: http://www.mediafire.com/?94krzvvxksvmuxh
    how to use DNW: http://tinyurl.com/dnw-how-to
    Flash using openOCD and DNW: http://www.arm9board.net/wiki/index.php?title=Flash_using_OpenOCD_and_DNW
    another DNW example: http://www.boardset.com/products/mv6410.php
    ODroid dev center: http://dev.odroid.com/projects/uboot/wiki/#s-7.2


    drivers and utilities
    This will be an ever expanding list
    Windows Drivers http://xdaforums.com/attachment.php?attachmentid=678937&d=1312590673
    Windows Download Tool DNW: http://xdaforums.com/attachment.php?attachmentid=678938&d=1312590673
    Windows Command Line Download Tool: http://xdaforums.com/showpost.php?p=17202523&postcount=27
    Linux DNW Utility: http://dev.odroid.com/projects/uboot/wiki/#s-7.2

    firmware
    One-Click Resurrector: http://xdaforums.com/attachment.php?attachmentid=705515&d=1314762609
    Bootloader Hello World by Rebellos http://xdaforums.com/attachment.php?attachmentid=698077&d=1314105521
    2
    Printing message
    IROM e-fused version.
    or
    IROM non e-fused version.
    depends on, accordingly not-null or null e-fuse SECKEY registers, stored in CPU. They seem to be the equal (not-null) for all S5PC110 chips (it has been confirmed that IBL signed with the same key works on SGS, Captivate, Odroid and so on).

    Printing it is kinda easy, it is in C code:
    int a,b,c,d;
    a=read32(SECKEY+0x18);
    b=read32(SECKEY+0x1C);
    c=read32(SECKEY+0x20);
    d=read32(SECKEY+0x24);
    if(a!=NULL||b!=NULL||c!=NULL||d!=NULL)
    printf("IROM e-fused");
    else
    printf("IROM non e-fused");
    Message text may slighty vary depends on SBL revision and model.
    I've never seen message "non e-fused". However on this level of booting it is only informative debug message, probably was used on first S5PC110 prototypes, which were non-secure.

    All possible internal schemas of Charge, like service manuals of L3 and L4 are welcome in solving this mystery. Thanks in advance.
    1
    Hi, thank you for your valuable information.

    Just for clarification, in post #1 it starts out with "the modification will go like this" and a link to another thread with some circuit mods on another samsung mobo.

    Then under that in the same post there is a video for the "Ultimate Unbricker"

    Then below that again in the same post there is another video for the teardown of a Charge and below that another mobo circuit mod.

    Is there more than one circuit mod for the Charge or is only the one within post #1 needed for the unbrick?
    Just one circuit mod. Like I said, they're like switches. the xOM5 value must be switched from a low to a high and that's it. It's easy. Much easier then the Captivate. You could do it with a crappy radio shack soldering iron in about 5 minutes.

    Just bridge xOM5 to a resistor on either side. Or heck, have me do it. I can't believe this has been around for a week and noone has done it. It's simple, free and convenient.

    Anyone got a broken Droid Charge? I'll fix it for free and make it UnBrickable. I also have two RIFF JTAG boxes within arm's reach of this computer as a backup. Christ... I pulled the processor off a very generous person's droid charge to get the details mapped out for this mod and I'll be damned if his contribution goes to waste.

    Ya'll need to get on this and start real development instead of this fooling around in the "Droid Charge Android Development" forum. Make your devices into real development phones with no boundries.. Flash some Nexus S bootloaders without worry and port Ubuntu to the device, then flash back to stock when you're done.
    1
    Thanks Adam!

    I got to tell anyone here between Adam and www.[B]MobileTechVideos.com [/B] you are in good hands here! Great service, help you name it! Most certainly the Droid Charge "Go To" guys if you have a problem.
    1
    Alright, I sent this Droid Charge to MobileTechVideos.com for JTAG. This allows me to verify all theory up to this point. Let's go over the UART debugging output... I'll break it down into chunks and explain the important parts.

    This boot sequence is a totally stock Droid Charge booting into it's power off battery charging sequence... not rooted, not running a custom ROM, just USB plugged into a device which is off.

    Ok.. So, UART is hooked up and I press the power button for less then 4 seconds. The device will attempt to boot after 4 seconds of holding the power button...
    Code:
    ��������������������������������������������������������������������������������
    Uart negotiation Error
    
    Insert an OTG cable into the connector!
    Ok, so I inserted the cable into the connector
    Code:
    ��������������������������������������������������������������������������������
    Uart negotiation Error
    At this point it should enumerate on the USB port, but it does not.... I have some more stuff to try.. some FSA9040 chip foolery may prove useful.. This will come later.
    Code:
    Enumeration TimeOut Error
    After 2 seconds of trying to enumerate with the computer it gives up and starts booting.. It does not enumerate on USB for some unknown reason
    Code:
    1
    This piece lets you know that the iROM has executed. This binary 0010, and number 1 tells you that the device is attempting to boot into the PBL.
    Code:
    -----------------------------------------------------------
       Samsung Primitive Bootloader (PBL) v3.0
       Copyright (C) Samsung Electronics Co., Ltd. 2006-2010
    -----------------------------------------------------------
    
    +n1stVPN       3456 
    +nPgsPerBlk    64 
    +n1stVPN       3776 
    +nPgsPerBlk    64 
    PBL found bootable SBL: Partition(4).


    So, at this point, the PBL calls the SBL. The SBL is technicallyp/i] an operating system on it's own. it's capable of reading and writing to the OneNAND, Download Mode, setting registers in the power management IC, and other parts of the system.
    Code:
    Set cpu clk. from 400MHz to 800MHz.
    OM=0x29, device=OnenandMux(Audi)
    IROM e-fused version.
    
                                                                                    
    -----------------------------------------------------------                     
       Samsung Secondary Bootloader (SBL) v3.0                                      
       Copyright (C) Samsung Electronics Co., Ltd. 2006-2010                        
                                                                                    
       Board Name: ARIES REV 02                                                     
       Build On: May 27 2011 01:21:27                                               
    -----------------------------------------------------------                     
                                                                                    
    Re_partition: magic code(0x0)                                                   
    [PAM:   ] ++FSR_PAM_Init                                                        
    [PAM:   ]   OneNAND physical base address       : 0xb0000000                    
    [PAM:   ]   OneNAND virtual  base address       : 0xb0000000                    
    [PAM:   ]   OneNAND nMID=0xec : nDID=0x50                                       
    [PAM:   ] --FSR_PAM_Init
    The OM=0x29 says that the device's boot command has been set up properly.. UART>USB>OneNAND(normal boot). SO we're not experiencing problems here


    Now, here's something tricky... The IROM is efused. I'm not sure if this is preventing boot from USB or if this fuse can be bypassed. Either way, the enumeration should occur before this mesage.

    I will ask Rebellos for information on the IROM e-fused version message. He's disassembled the SBL and knows the inner workings well.

    The SBL has been initialized and it has made memory space to begin loading the rest of the system.

    It will now check the OneNAND's partitions for entries which it should load.
    Code:
    fsr_bml_load_partition: pi->nNumOfPartEntry = 13                                
    partitions loading success                                                      
    board partition information update.. source: 0x0                                
    .Done.                                                                          
    read 1 units.                                                                   
    ==== PARTITION INFORMATION ====                                                 
     ID         : IBL+PBL (0x0)                                                     
     ATTR       : RO SLC (0x1002)                                                   
     FIRST_UNIT : 0                                                                 
     NO_UNITS   : 1                                                                 
    ===============================                                                 
     ID         : PIT (0x1)                                                         
     ATTR       : RO SLC (0x1002)                                                   
     FIRST_UNIT : 1                                                                 
     NO_UNITS   : 1                                                                 
    ===============================                                                 
     ID         : EFS (0x14)                                                        
     ATTR       : RW STL SLC (0x1101)                                               
     FIRST_UNIT : 2                                                                 
     NO_UNITS   : 40                                                                
    ===============================                                                 
     ID         : EFS2 (0xd)                                                        
     ATTR       : RW SLC (0x1001)                                                   
     FIRST_UNIT : 42                                                                
     NO_UNITS   : 12                                                                
    ===============================                                                 
     ID         : SBL (0x3)                                                         
     ATTR       : RO SLC (0x1002)                                                   
     FIRST_UNIT : 54                                                                
     NO_UNITS   : 5                                                                 
    ===============================                                                 
     ID         : SBL2 (0x4)                                                        
     ATTR       : RO SLC (0x1002)                                                   
     FIRST_UNIT : 59                                                                
     NO_UNITS   : 5                                                                 
    ===============================                                                 
     ID         : PARAM (0x15)                                                      
     ATTR       : RW STL SLC (0x1101)                                               
     FIRST_UNIT : 64                                                                
     NO_UNITS   : 20                                                                
    ===============================                                                 
     ID         : KERNEL (0x6)                                                      
     ATTR       : RO SLC (0x1002)                                                   
     FIRST_UNIT : 84                                                                
     NO_UNITS   : 30                                                                
    ===============================                                                 
     ID         : RECOVERY (0x7)                                                    
     ATTR       : RO SLC (0x1002)                                                   
     FIRST_UNIT : 114                                                               
     NO_UNITS   : 30                                                                
    ===============================                                                 
     ID         : FACTORYFS (0x16)                                                  
     ATTR       : RW STL SLC (0x1101)                                               
     FIRST_UNIT : 144                                                               
     NO_UNITS   : 1380                                                              
    ===============================                                                 
     ID         : DBDATAFS (0x17)                                                   
     ATTR       : RW STL SLC (0x1101)                                               
     FIRST_UNIT : 1524                                                              
     NO_UNITS   : 430                                                               
    ===============================                                                 
     ID         : LTEMODEM (0xb)                                                    
     ATTR       : RO SLC (0x1002)                                                   
     FIRST_UNIT : 1954                                                              
     NO_UNITS   : 48                                                                
    ===============================                                                 
     ID         : CPMODEM (0xc)                                                     
     ATTR       : RO SLC (0x1002)                                                   
     FIRST_UNIT : 2002                                                              
     NO_UNITS   : 2                                                                 
    ===============================
    The SBL begins setting parameters for booting..
    Code:
    loke_init: j4fs_open success..                                                  
    load_lfs_parameters valid magic code and version.                               
    load_debug_level reading debug level from file successfully(0x574f4c44).        
    init_fuel_gauge: vcell = 3522mV, soc = 4                                        
    reading nps status file is successfully!.                                       
    nps status=0x504d4f43                                                           
    PMIC_IRQ1    = 0x28                                                             
    PMIC_IRQ2    = 0x0                                                              
    PMIC_IRQ3    = 0x0                                                              
    PMIC_IRQ4    = 0x0                                                              
    PMIC_STATUS1 = 0x40                                                             
    PMIC_STATUS2 = 0x20                                                             
    get_debug_level current debug level is 0x574f4c44.                              
    aries_process_platform: Debug Level Low                                         
    hwrev:a                                                                         
    keypad_scan: key value = 0x0                                                    
    volup 00: 1                                                                     
    volup 0102: 1                                                                   
    volup 00DV: 1                                                                   
    volup prep1: 0                                                                  
    DISPLAY_PATH_SEL[MDNIE 0x1]is on                                                
    get_debug_level current debug level is 0x574f4c44.                              
    get_debug_level current debug level is 0x574f4c44.                              
    MDNIE setting Init start!!                                                      
    vsync interrupt is off                                                          
    video interrupt is off                                                          
    [fb0] turn on                                                                   
    MDNIE setting Init end!!                                                        
    LCD ID - 0xa1                                                                   
    LCD ID - 0x12                                                                   
    LCD ID - 0x11                                                                   
    set_boot_mode: boot mode = 1                                                    
    aries_process_platform: final s1 booting mode = 1                               
                                                                                    
    
    Autoboot (0 seconds) in progress, press any key to stop
    at this point, the boot sequence can be stopped by pressing "Enter" on the keyboard via UART. It will bring up the SBL> Prompt which allows you to manually edit configuration
    Code:
    get_debug_level current debug level is 0x574f4c44.                              
    get_debug_level current debug level is 0x574f4c44.                              
    boot_kernel: Debug Level Low                                                    
    ..............................done                                              
    Kernel read success from kernel partition no.6, idx.7.                          
    setting param.serialnr=0x343373b0 0xf43900ec                                    
    setting param.board_rev=0xa                                                     
    setting param.cmdline=androidboot.mode=unknown s3cfb_tl2796.lcd_type=2 console=0
                                                                                    
    Starting kernel at 0x32000000...
    the parameters for booting the kernel have been set and now the kernel will boot
    Code:
    Uncompressing Linux.............................................................
    [    0.086247] KERNEL:kernel_sec_get_debug_level_from_boot=0x574f4c44           
    [    0.090984] KERNEL:magic_number=0x0 DEBUG LEVEL low!!                        
    [    0.095995] (kernel_sec_set_upload_cause) : upload_cause set 0               
    sh: can't access tty; job control turned off                                    
    #
    note the last line shows a root shell prompt... it can be useful for grabbing the stock ROM and PARAMS off a unit without rooting before first boot.

    Ok.. so no new information.. We've verified that the OM5 pin has been brought high with this modification, but we still need to enumerate on USB. The mod was done properly so far, but something is wired differently with the power management chip or the USB chip.