SUCCESS! De-Bricking Dreams - Complete JTAG Testpoints! UPDATE! 04/07/10
- Thread starter BinaryDroid
- Start date
-
- Tags
- jtag
This is great! I can send my Fender to anyone that knows how to unbrick it, I flashed the wrong radio and now it says perfect SPL.
I am in the US (Orlando Florida)
Don't mind sending it oversears and I can pay by paypal or any other method you see fit.
I'd love to see my Fender up and running once again.
I am in the US (Orlando Florida)
Don't mind sending it oversears and I can pay by paypal or any other method you see fit.
I'd love to see my Fender up and running once again.
good one
this is a way to pspl 1.76.0009?
Please help but this metod to hard for me ;(
hey guys, anyone know if this one would work?
http://www.littlebirdelectronics.com/products/JTAG-Programmer{47}Debugger-for-ARM-processors.html
http://www.littlebirdelectronics.com/products/JTAG-Programmer{47}Debugger-for-ARM-processors.html
If you are using the parallel port anyway:
http://www.robotcraft.ca/webshop/Co...-bus-transceiver---74LVC245/product_info.html
And wire to parport as per scholbert's instructions
http://xdaforums.com/showpost.php?p=6055979&postcount=412
Since we don't use srst .. you can omit R1, R2, R3, and T1 and leave pin2 of the par port unattached. (making it really just one chip + male 25pin port. (and a capacitor)
If you decide to combine this with the L317 circuit rather than pull the 2.6Vref from the phone; C2 in the L317 circuit *is* C1 in the 74LVC245 diagram..
Given the tangle of wires going into the phone.. making this on a prototype board sounds like a no brainier .. 'cept for the fact none of my computers have parports anymore.
---
Otherwise [to return to your product in question].. make sure your $30 version of the $2-3 chip supports the 2.6V
If anybody is interested, I've got a Magic 32B that needs to be debricked. I don't quite have the cash to go buying all this stuff I need, but if the price is reasonable, I wouldn't mind paying to have this done. I'm located in the US as well.
If anybody is interested, I've got a Magic 32B that needs to be debricked. I don't quite have the cash to go buying all this stuff I need, but if the price is reasonable, I wouldn't mind paying to have this done. I'm located in the US as well.
You don't have the $2 you need to buy the parts to fix it, but you think that someone will do it for you for LESS THAN TWO DOLLARS????
Wiki Wiki Wiki
Ok ... I think my writing skills are gone for the day:
But JTAG via wiki.. still needs work [links to CFGs better jtag point images ect] but a start: http://wiki.cyanogenmod.com/index.php/JTAG_DREAM_AND_MAGIC
Obviously feel free to clean up; elaborate; and if applicable correct; [as it is a wiki] .. and the reason its on CM wiki not xda wiki is I much prefer the media wiki interface..
Ok ... I think my writing skills are gone for the day:
But JTAG via wiki.. still needs work [links to CFGs better jtag point images ect] but a start: http://wiki.cyanogenmod.com/index.php/JTAG_DREAM_AND_MAGIC
Obviously feel free to clean up; elaborate; and if applicable correct; [as it is a wiki] .. and the reason its on CM wiki not xda wiki is I much prefer the media wiki interface..
Last edited:
It costs a little more than $2 in parts my friend.
It's at least $50 for a JTAG USB OCD (no one has PARPORTs anymore)
Then u need a serial cable to make (yes that is $2)
I wish u would stop posting your "$2 in parts comments" in all the threads on here it's not helping anyone.
Yeah, I'll definitely agree with that. From a standing stop, it'd cost me AT LEAST $100 to get the stuff that would get me up to speed, and that's flying blind. That's also assuming I won't irreparably damage the phone in the process because I've never soldered anything more than 2 wires together before in my life.
So, lets realistically look at the parts list for a minute and see how the $2 stretches.... I've found plenty of Nokia DKU-5 cables online for something like $10 in shipping... Lets assume I have plenty of USB cables laying around I can use for the other end of that cable. I'll need a multimeter to verify the voltages and try and make sure I'm not doing something stupid, there's another $5-10 depending on how much I find one for. So, now I'm at about $15-20 for a cable that may or may not work because I may or may not screw it up pretty bad. Considering there's a HTC to Serial cable selling on the net for $35, the price doesn't seem that bad considering I still have serial ports nearby.
Lets now move on the JTAG part of the bill... The item linked in the wiki is gonna run AT LEAST $80 after being shipped. And lets be honest, even if there were other JTAG alternatives, I'm not gonna look for them because I don't really know how to judge what will work in this situation or not. Lets add in some of the equipment I might need... plenty of wiring, a half decent soldering iron with some really thin tips. Lets just say that adds another $20.
So now I'm at $120 and I've still never done this before.
I really appreciate what all the devs are doing here. You are doing tremendous work and you will ultimately save many linux devices that may otherwise have been headed to a scrap heap. I'm tempted to just consider my phone a complete loss and do my worst to it. I've already cracked it open to take a look at what I might be dealing with, and it was scary. The transparent glue on my Magic will have to be scraped away carefully after some heating with some sort of heat gun... being a noob I'm thinking a hair drier or a hobby knife that's been heated with a lighter. I'm also trying to figure out if I can just rig some pins into something that'll let me push them into the testpoints and hold in place long enough for me to do the unlocking, get a recovery on the beast, and let me seal up the thing.
Can you see the frustration now? There isn't currently a sure fire way to unbrick from serial alone, it's still a serial+jtag process. And the guys here are doing a fantastic job. But I can't see spending $150 to, lets face it, further botch a phone.
Personally, I'm thrilled that Omnia's come out with something that would let them unbrick G1's and Magics... I just wish I could locate a shop that would do it locally. I called about 20 of them on thursday.
EDIT: I wanted to add that for a lot of newbs following this thread, it'd be worth something to have someone more competent salvage their phone... It's certainly worth $50 to me, and I'm pretty sure my phone is a candidate for some salvage. Might even help pay for some of the equipment cost to do the deed in the first place
Last edited:
I really dont think that these types of comments are at all constructive mate, if you can do it for $2.00 good on ya, but I sure as hell cant.
$127 for USB Jtag device
$30 for ttl device
$11 for extUSB plug and cable
+ my time
This add to more than $2...
G.
My congrats...
.. to all the hacker working in this issue.
I still didn't got the guts to try what you've done, but I hope that others can jump in and further simplify this proccess.
Thank all of you.
.. to all the hacker working in this issue.
I still didn't got the guts to try what you've done, but I hope that others can jump in and further simplify this proccess.
Thank all of you.
does anyone know if this would work?
http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=160393160605
I'm trying to bring the cost down a little, and I do have a machine with a parport This would be $26 vs. $80. If I could get the serial cable together for $10 or less, I'd definitely invest in the rest of the supplies to try and do this.
http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=160393160605
I'm trying to bring the cost down a little, and I do have a machine with a parport
This would be $26 vs. $80. If I could get the serial cable together for $10 or less, I'd definitely invest in the rest of the supplies to try and do this.
I know its hard when everyone is fighting about the super expensive parts.. but I did post about a similar thing yesterday:does anyone know if this would work?
http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=160393160605
I'm trying to bring the cost down a little, and I do have a machine with a parport
http://xdaforums.com/showpost.php?p=6282188&postcount=527
The problem is the Wiggler's low end is 2.7V and the phone requires 2.6 ... this means it might work; or might work if you use a slightly higher voltage than ideal.. but to be sure its safer to use something rated for 2.6. (and ideally a bit below that)
Simply there are two requirements for the adapter:
1) openocd compatible... many are (and certainly the Wiggler is)
2) supports 2.6V referance voltage.. if you don't see a voltage range assume it won't
At the end of the day i don't recommend it if the voltage range isn't specified (if you already own one maybe its time to experiment if the hardware you have has higher than rated tolerances.. please use multi-meter before phone..) but otherwise consider building scholbert's chip.. with ~$1.60 chip
Oh and for those thinking all the USB Jtag adapters are expensive.. I think I spotted a USB -> parport adapter on amazon for < $10 ... can't promise the Jtag will be fast (USB->parport->jtag) but it ought to get the job done
EVERYBODY still has parallel ports.
If not on your (crappy) laptop, then on your DESKTOP machine.
Definitely on the old sucker in the back of your closet.
And even if you don't, $5 gets you a USB-to-parallel port adapter. So you're up to a whopping $7.
Similar threads
Top Liked Posts
-
There are no posts matching your filters.
-
3I figured this should be in its own thread so those working on a solution can now focus on the software side of things.
These are the JTAG connection points I traced from the CPU to their test points. i'm almost 90% sure the Primary is still usable. Auxilary JTAG port is Very very hard to get too and i'd imagine even for the technicians that reprogram them at the repair center. I didnt have much luck getting a connection made due to mu lack of JTAG knowledge and incorrect type of JTAG circuit(working on another though). i'm posting up the complete testpoints I spent MANY MANY countless hours and sleepless nights tracing so someone who has done this before can get a recovery procedure made to fix all bricked HTC-dreams. The reason I am doing all of this is not specifically for the Dream but because in the field of work im in, and the type of work I do I could benefit from it both for my personal phones and at work. I did research over the years but could never quite understand how JTAG is used until now. I took my spare fully working beater G1 and unsoldered the CPU with an IR Rework Station(T-870A) at home with the intentions of placing the CPU back on when done. took ALOT longer than I hoped and because of the fact that i had to hold test probes on the contact pads tight so I could flip the board and trace their also, it killed a couple of the pads so thats when I decided to say screw it, still have all the spares for my main Dream, now I can REALLY find the rest of the pins....and a few extras that might be used in the future to add features.
********Technical Notes*******
Their are 4 Mode control pins listed in the pictures.
Mode 3 is under the SIM slot, accessing requires de-soldering 4 points holding the SIM carrier to the board.
Mode 0 is NOT a testpoint, but a solder point were a resistor could go to ground. it is VERY hard to solder too directly.
Watchdog pin can simply be grounded with a resistor in place or with a needle through the shielding which would be ground. its a single solder point.
Primary JTAG is next to the LCD connector.
When you see were the pins for AUX are located you will see why I think thats not were the focus should be...their scattered in odd places, also have to remove the sim slot to access the last one which took forever to find.
Trackball has a hidden test point for the return clock as well, otherwise you need to solder directly to the connector on the main board.
Note: Return Clock is missing in the Picture for the AUX_JTAG connector...it is located at the top right testpoint just above the trackball pad, otherwise you will need to solder directly to the connector on main board.
if you need any more just let me know, if anyone wants to add to this please feel free.
Images are NOT MINE, they are the property of whomever took them, I only traced and added the labels, if their is a problem with using them let me know!
IF anyone wants to donate a bricked G1 board for experimenting or donate in general please feel welcome! email@ irenep@binarytechzone.com11Here are the other test points. if you need any others please let me know! I added them to the first post. Please note some are not on actual test points but single solder points.
1Maybe i should go to complete the BSDL software for pure JTAG access...
Seeing as the USB-method ***WILL*** require some kind of working code to already exist on the device, a jtag solution will be ideal. Let us fix a totally dead phone.
I say that this is first priority.
Second priority is simple solutions to partial failures.1Its Alive
Hi All;
So a successful un-brick
To continue/confirm my post
http://xdaforums.com/showpost.php?p=5795214&postcount=252
I've recently got a Tmobile G1 bricked by the previous owner installing HBOOT 1.33.2005 on top of radio 1.22.12.29.
This like when rogers phones install the ota zip file causes the SPL to get stuck in "ARM11 Boot Mode: 3"; without a recovery to flash (thus stuck on boot screen)
The following ought to allow you to correct any phone with 1.33.2005 SPL stuck in this mode. However will require some adjustments depending on the current running radio. (And I've only succeeded on radio 1.22.12.29)
(Rogers Dream users if you installed the OTA radio 2.22.19.26I did already overwrite the EBI1 radio)
Instructions obviously preliminary I am still trying to see if we can avoid jtag for this.
---
Note I've copied and simplified the process, see the wiki page:
http://wiki.cyanogenmod.com/index.php/JTAG_DREAM_AND_MAGIC
---
Prerequisites
A) a phone working with jtag (I will provide commands for "Open On-Chip Debugger 0.4.0" translate to your setup):
B) A working stack for your phone in fastboot *.img format (you will want radio.img hboot.img recovery.img
mww ['phys'] address value [count]
write memory word
resume [address]
resume target execution from current PC or address
halt [milliseconds]
request target to halt, then wait up to the specifiednumber of
milliseconds (default 5) for it to complete
bp [address length ['hw']]
list or set hardware or software breakpoint
rbp address
remove breakpoint
C) HTC Serial wire or serial/USB hybrid wire; please ensure you can disconnect the USB/Power separate from the serial if need be
Procedure
1) Enter blue light mode and attach both serial wire/console + jtag
2) Halt CPU
halt3) enable the CID bypass for your version of the radio
4) set the cego breakpoint for your radio
1.22.12.29: mww 0x00902EB4 0xea000013
2.22.19.26I: mww 0x009038F0 0xea000013
3.22.20.17: mww 0x009038F0 0xea000013
3.22.26.17: mww 0x0090379C 0xea000013
5) resume CPU
1.22.12.29: bp 0x00901A24 0x4
2.22.19.26I: bp 0x00902b30 0x4
3.22.20.17: bp 0x00902b30 0x4
3.22.26.17: bp 0x009029DC 0x4
resume6) run 'cego' on the serial oemspl console
7) if all is well the CPU halted due to the breakpoint.. if its failing to boot android you didn't set the breakpoint correctly.. if its gave an error about an unknown command you didn't apply the CID bypass correctly please pull battery and try again
8) Clear breakpoint that you set earlier
9) change BOOT Mode 3 to "FASTBOOT" mode
1.22.12.29: rbp 0x00901A24
2.22.19.26I: rbp 0x00902b30
3.22.20.17: rbp 0x00902b30
3.22.26.17: rbp 0x009029DC
(address only for 1.33.2005 SPL and 1.33.2009 SPL)
mww 0x00000c0c 0x98000C4C10) resume CPU
resume11) now if your video wire is attached (the wire right over the jtag port..) you will see the boot screen with "FASTBOOT" at the top.. if its not attached.. lets hope that is what you would see and attempt to continue anyway
12) attach USB wire to phone and on PC run "fastboot devices" to see if we are correctly in fastboot mode
13) fastboot yourself a working stack
14) once all the above complete successfully pull battery/serial/dissable jtag (we need a very cold reboot and it gets confused)
fastboot flash radio radio.img
fastboot flash hboot hboot.img
fastboot flash recovery recovery.img
15) boot phone it will boot in boot mode 3 to recovery; clear cache; and with luck behave... use recovery to flash your desired system as usual.
If you wish to load an alternate SPL rather then only modify the existing one or avoid the breakpoint; see my rogers solution: http://xdaforums.com/showpost.php?p=5934885&postcount=6
BTW If this did get you out of a bind I do accept donations to cover costs of phones that can no longer get recovered
(Now that I have a working jtaged phone there was some other things I wanted to look at)
