SUCCESS! De-Bricking Dreams - Complete JTAG Testpoints! UPDATE! 04/07/10


kotbehemot

New member
Jun 17, 2008
3
0
Some datasheets I found on the net

I found some files concerning 7000A and 7000. I know they differ a bit, but maybe it would be helpful for the main developers in this thread. I don't know if it's ok to post it here publicly, so just let me know by pm if you need it.
- MSM7200™ Software Interface Manual
- MSM7200A™ Chipset Training MSM7200A Baseband Topics (rather common)
- MSM7xxx Qfuses and Security 80-V9038-15 Rev. C (quite interesting read about the boot process and chip safety)

I will be debricking my brother's Magic when my BusBlaster arrives, so I wanted to take the opportunity to thank you guys for your hard work. I read the thread (it took me one day, with follow-ups) and it was a great read. Also, the insight you were able to get from the code disassembly was awesome. Thanks, and in case of any problems with the process (I think I know the process quite well now, so maybe I will be able to debrick on my own) I will be back here for help :).
Great read!

Edit: I think I will try to limit soldering to the board, so has anybody any input on the quality of w!!!ww.ipmart.com/main/product/JTAG,Adapter,Compatible,For,HTC,Google,G2,,Magic,307712.php?prod=307712 vs w!!ww.multi-com.pl/index.php/en_US,details,id_pr,7864,menu_mode,categories.html ? The multicom (even though I'm from Poland) is 2x the price incl. VAT and shipping than the one from China (the other side of the globe). I would still like to get some feeling if I won't buy cheap, but 2x - as the Chinese quality may be inferior :)
Sorry for broken links (new/old user)
 
Last edited:

kotbehemot

New member
Jun 17, 2008
3
0
My little brother's Magic works again. I used BusBlaster as JTAG, LM317 as 2.6V source, BusPirate as 2.6V UART, old broken headphones as ExtUSB cable and the cheap Chinese adapter. As I already had BusPirate and some other components, I managed to limit the cost to the adapter and BusBlaster (this one will be useful for my other projects, so I don't consider this cost as just for unbricking). The adapter was ~10 USD (it works, but its quality could be a bit better. There is some hot glue holding pogo pins together on the top side etc.), BusBlaster was ~50 USD with shipping.
Some things I noticed:
-it's best to run openocd from a virtual machine if you don't use Linux already (it works well - it is rather complicated to cross-compile openocd as there are some problems with mingw compilation). Of course you need to compile it to be used with the ft2232 interface.
-I used openocd 0.5 but I had to add adapter_khz option to config (10000 worked, higher probably possible). It had some warnings:
"Info : JTAG tap: arm9.cpu tap/device found: 0x301700e1 (mfg: 0x070, part: 0x0170, ver: 0x3)
Warn : JTAG tap: arm9.cpu UNEXPECTED: 0x301700e1 (mfg: 0x070, part: 0x0170, ver: 0x3)
Error: JTAG tap: arm9.cpu expected 1 of 1: 0xa01700e1 (mfg: 0x070, part: 0x0170, ver: 0xa)"
It seems that it finds an arm9 core with a different version than the one specified in the config from the debricking manual. It works, though, without any changes.
-I had initial problems because I had a 6.x radio that I didn't know of, so I had to load_image a second time with the proper offset. That solved all the problems (thanks for that info).
- After first attempt with cego it went into a different boot mode (as a result of watchdog, or the watchdog event itself was a result of some error in boot process). The second attempt was successful and it went into fastboot.
The fastboot allowed me to clear all the partitions and upload hboot and recovery, but after reboot the recovery didn't boot.
-THIS IS THE IMPORTANT PART: From the console output I found out that it always entered boot mode 1 no matter which combination of buttons I pressed. What I did to solve it was, in the console in blue LED mode, to type "setboot 0" and enter. That allowed it to start in the modes depending on the buttons pressed.

Afterwards the standard way to load the system from recovery was all that was needed to start a working system. I want to thank all the people who had input into this thread and who spent a massive amount of spare time to develop this open solution to debricking the Magic. Thanks!

edit: I updated wiki on cyanogen to include the setboot 0 step in case it doesn't work.
 
Last edited:

tonne99

Member
Jun 15, 2010
18
0
Hi,

after de-bricking, my Dream only boots with stock firmware 1.5:
Code:
boot reason: PM_WDOG_TOUT_RT_ST

(PowerOn Status,Boot Reason)=(16,4)
NAND_FLASH_READ_ID : SAMSUNG_256MB_FLASH_128MB_SDRAM

ARM9_BOOT_MODE0, Boot Linux
Clearing RAM...
Load Bootimg header, addr=0x507C0000 taget=0xA8100000
bad=0x15E
Load Bootimg header OK
Load Kernel, addr=0x507C0800 taget=0x80008000 Size=0x00153004
bad=0x15E
Load kernel OK
bad block=0x15E
bad block num=1
Load ramdisk, addr=0x50934000 target=0x81000000  Size=0x00022C1D
Load ramdisk OK
SPL2 doesn't exist
Load OK.
SetupTAG addr=0x80000100 cmdline add=0xA8100040
TAG:Ramdisk OK
Get CID OK
 androidboot.serialno=HT852KV01331
boot reason=0x0
commandline from head: no_console_suspend=1
command line length =277
active commandline: board_trout.disable_uart3=0 board_trout.usb_h2w_sw=0 board_t
rout.disable_sdcard=0 board_trout.smisize=64  androidboot.baseband=1.22.12.29 an
droidboot.bootloader=0.95.0000 androidboot.carrier=TMA board_trout.keycaps=qwert
z androidboot.serialno=HT852KV01331 no_console_suspend=1

PARTITIOM_NUM_MAX =6 Valid partition num=6
jump to linux kernel

Every time after flashing another custom ROM like CyanogenMod, Ginger Yoshi, SuperBler (with the recommended hboot / radio) it doesn't start up :confused::
Code:
boot reason: PM_KPD_PWR_KEY_ON_RT_ST

(PowerOn Status,Boot Reason)=(1,1)
NAND_FLASH_READ_ID : SAMSUNG_256MB_FLASH_128MB_SDRAM

ARM9_BOOT_MODE0, Boot Android
Y2±…Í¡8 bit
-msm_nand_probe
[MDDI] Bitmap_Width = 480
[MDDI] Bitmap_Height = 640
[MDDI] RGB_Capability = 0x8888
[MDDI] Mfr_Name = 0xD263
[MDDI] Product_Code = 0x0
Board_PID : 0x1F
Wlan data header ++++++++++++++++++++
                                     Signature : 0xEE1251
UpdateStatus : 0x2
UpdateCount : 0x321A
BodyLength : 0x2F0
BodyCRC : 0xE829B1C1
aDieId(0) : 0xD00D4080
aDieId(1) : 0x7D087284
aDieId(2) : 0x20000000
aDieId(3) : 0x964
countryID : 0x30
Wlan data header --------------------------
                                           chipset_bootmode reset_reason:0
ARM11 Boot Mode: 0
Platform: HBOOT-7201A
[ERR] partition_read::Failed to read page 22400 or it is empty
[ERR] boot image does not exist!!!

###[ Fastboot Mode ]###
I've tried it several times with fastboot erase commands:
Code:
fastboot erase hboot
fastboot erase recovery
fastboot erase system
fastboot erase userdata
fastboot erase cache
fastboot erase boot
But no success.

Any suggestion to get my Dream working with an up-to-date rom?

Regards,
tonne
 
Last edited:

demkantor

Inactive Recognized Contributor
Nov 10, 2011
6,860
3,765
mpls
JTAG was used to get your phone back, right? Then from there, what was the radio and SPL you had? From this point it booted to a stock 1.5? What were the steps you took to root and upgrade recovery, radio, SPL and ROM from here? If you are up to the SPL 1.33.0013d then you can't use anything in fastboot besides fastboot -w. So what is your current recovery, radio and SPL?
 

tonne99

Member
Jun 15, 2010
18
0
JTAG was used to get your phone back, right? Then from there, what was the radio and SPL you had? From this point it booted to a stock 1.5? What were the steps you took to root and upgrade recovery, radio, SPL and ROM from here? If you are up to the SPL 1.33.0013d then you can't use anything in fastboot besides fastboot -w. So what is your current recovery, radio and SPL?

After de-bricking I had SPL ...2005 and radio 2.22.19.26I. But CyanogenMod didn't boot. So I flashed SPL ...33d and radio 2.22.27.08 to try Ginger Yoshi 1.5. No success, no boot. But every time I start over from the bootloader with an inserted SD card and dreaimg.img on it and "downgrade" the Dream, 1.5 boots without any error.
And then to test it once again: Rooting -> telnetd -> flashing recovery -> flashing radio ...26l -> flashing danger spl -> flashing CyanogenMod -> no boot
I've tried super wipe from recovery before flashing another rom. No boot after flashing a new rom.
I hope this is more precise to understand what's the problem.
I am familiar with hboot, S-OFF, S-ON, fastboot and I know that several commands do not work with some hboot versions / security settings.

Regards,
tonne
 

demkantor

Inactive Recognized Contributor
Nov 10, 2011
6,860
3,765
mpls
If downgrading and rerooting works, try this: flash a ROM from recovery that is compatible with your radio/SPL (like CM4) and this should work. If so, try to upgrade to the Danger SPL and then try updating through recovery to something like CM5. If this works, great; if they don't work, try updating through fastboot.
Once all of this is confirmed working, update radio and SPL and then try something newer like froyobylaszlo.
I only recommend all these steps to see where the problem occurs.
 

BLKro

Member
Jan 8, 2010
10
0
I gathered my logs in case someone can help me.

////////////////////////////////////
normal power, just power button pressed

the phone just reboots at the vodafone logo

this happened after i flashed a recovery that was not compatible with the radio that i had (i don't know for sure but i think i had a 6.xx radio)

after flashing that recovery from the Android Market, ClockworkMod, if I remember correctly, I checked an option to reboot into fastboot, or something like that, and after that, the phone kept looping on the Vodafone logo. Before that, all was OK.
////////////////////////////////////
Code:
boot reason: PM_KPD_PWR_KEY_ON_RT_ST

(PowerOn Status,Boot Reason)=(1,1)
NAND_FLASH_READ_ID : MICRON_512MB_FLASH_256MB_SDRAM

ARM9_BOOT_MODE0, Boot Android
Read CFG0 = AA5400C0, CFG1 = 0008746E
[NAND SCAN] CFG0 = 0xE85408C0, CFG1 = 0x8746E
[NAND SCAN] flash: id 5590BC2C, size 20000000
[NAND SCAN] Use wide flash 16 bit
Camera 3M
panel_id = 0x1 
Sharp panel detected 
Panel_NT_sharp_power_on enter.
EEPROM: read 2032 bytes
Board_PID : 0x2E
Wlan data header ++++++++++++++++++++
                                     Signature : 0xEE1251
UpdateStatus : 0x2
UpdateCount : 0x3
BodyLength : 0x2F0
BodyCRC : 0xCB610515
aDieId(0) : 0x0
aDieId(1) : 0x0
aDieId(2) : 0x0
aDieId(3) : 0x0
countryID : 0x30
Wlan data header --------------------------
                                           ARM11 Boot Mode: 3
Platform: HBOOT-7201A
msm_nand_dm_read_oob 0x02712000 2048 0 failed (-117), correct 1 bits
[ERR] ECC error has been corrected(errno -117): page id 20004
msm_nand_dm_read_oob 0x028CD800 2048 0 failed (-117), correct 1 bits
[ERR] ECC error has been corrected(errno -117): page id 20891
setup_tag addr=0xA0000100 cmdline add=0x8F0841F0
TAG:Ramdisk OK
TAG:smi ok, size = 32
TAG:hwid 0x1
TAG:skuid 0x21401
TAG:hero panel = 0x0
TAG:engineerid = 0x2
Device CID is not super CID
CID is VODAPP25
setting.cid::VODAPP25
serial number: HT978KF02036
commandline from head: no_console_suspend=1 console=null
command line length =367
active commandline: board_sapphire.disable_uart3=0 board_sapphire.usb_h2w_sw=0 board_sapphire.disal
aARM_Partion[0].name=misc
aARM_Partion[1].name=recovery
aARM_Partion[2].name=boot
aARM_Partion[3].name=system
aARM_Partion[4].name=cache
aARM_Partion[5].name=userdata
partition number=6
Valid partition num=6
69466957 
69784520 
7473 
0 
0 
0 
0 
0 
0 
0 
0 
0 
0 
0 
0 
0 
0 
0 
0 
0 
0 
0 
0 
0

//////////////////////////////////
trackball power
//////////////////////////////////
Code:
boot reason: PM_KPD_PWR_KEY_ON_RT_ST

(PowerOn Status,Boot Reason)=(1,1)
NAND_FLASH_READ_ID : MICRON_512MB_FLASH_256MB_SDRAM

ARM9_BOOT_MODE1

OPENOCD
Code:
root@blk-MS-6566:/home/blk/magic# openocd -f magic.cfg 
Open On-Chip Debugger 0.5.0-dev-00964-gb5a324e (2011-07-29-01:16)
Licensed under GNU GPL v2
For bug reports, read
	http://openocd.berlios.de/doc/doxygen/bugs.html
Warn : Adapter driver 'parport' did not declare which transports it allows; assuming legacy JTAG-only
Info : only one transport option; autoselect 'jtag'
parport port = 0x0
100 kHz
trst_and_srst srst_pulls_trst srst_gates_jtag trst_push_pull srst_open_drain
dcc downloads are enabled
fast memory access is enabled
Info : clock speed 100 kHz
Info : JTAG tap: arm9.cpu tap/device found: 0x301700e1 (mfg: 0x070, part: 0x0170, ver: 0x3)
Info : Embedded ICE version 6
Info : arm9: hardware has 2 breakpoint/watchpoint units
Info : accepting 'telnet' connection from 4444
target state: halted
target halted in ARM state due to debug-request, current mode: Supervisor
cpsr: 0x600000d3 pc: 0x0090909c
MMU: disabled, D-Cache: disabled, I-Cache: disabled

After the above, I tried

Code:
load_image small.img 0x103b5300

a small test file about 500k, which went OK (xx bytes written at address 0x..)
but then I tried

Code:
verify_image small.img 0x103b5300

which gives me "checksum mismatch ... more than 128 errors..."

If I try the same thing at 100kHz, I don't even get the verify error, it just says "memory read caused data abort". I have now tried a small file, just 1kB which writes and verifies OK "verified x bytes".

Is there any way I can get out of this loop? I tried the commands for hboot, but I get no response from the phone after "resume" and then "shutdown". The serial does not respond, not to "version" not to "?", nothing.

Please help, I am out of ideas. Should I try to load the radio and the radata even if verify_image fails?

Thanks in advance,
Alex
 
Last edited:

BLKro

Member
Jan 8, 2010
10
0
I think that I have at last figured it out. I have serial working, openocd responding to commands. So I know that the setup is OK-ish.

I have tweaked the supply voltage from 2.59 to 2.61 and saw that I get more errors when I am not at 2.6. So it seems that the JTAG is unstable, even without serial cable attached. I am trying now to find out why, I will try changing the power supply to an external one (I am currently using USB to power the JTAG through an LM317). I will try filtering the supply better. If I am at around 2.6V (as close as my multimeter allows), I am able to write and verify a 500kB test file. I still do get errors from time to time, but not as many as before (when I was at 2.61-2.62).

If I have on the phone a 6.xx radio, how can I change these offsets so that I can get into fastboot:

Code:
halt
mww 0x0090379C 0xea000013
mww 0x9029d8 0x0
load_image /tmp/hboot.img 0x0
mww 0x00000c0c 0x98000C4C
mww 0x00000c08 0x98000C4C
mww 0x00000c04 0x98000C4C
mww 0x00000c00 0x98000C4C
resume
shutdown

As I remember, the reason for my phone not turning on is an incompatibility between recovery and radio. If I can get into fastboot (having to enter shorter commands, maybe the JTAG will work) and write the RA recovery, I think I will be able to turn on the phone, or not?

As far as I can see from the serial output, when turning on the phone normally, it goes into bootmode0 then enters bootmode3, finds some errors and resets. I think this is the problem and I have no idea how to get around it without having to write that big radio file (which seems impossible at this time), so that the offsets work and enter fastboot.

Regards,
A.
 

BLKro

Member
Jan 8, 2010
10
0
I have managed to unbrick using the Olimex USB-Tiny adapter. Now everything seems to be working, but when I want to power down the phone, from Android or from recovery, it just restarts. What could be wrong? I have read something about radio 3.22.26.17 not being meant for the Magic (I've got a 32A); people recommended 3.22.20.17. Should I install this version?
 
Last edited:

grunf

Member
Jan 24, 2005
37
0
help needed

hi to all.

I have a Magic 32B that is bricked because of an incompatible recovery and radio.

I have made a Wiggler clone with a 2.6V supply and I have an RS232 level shifter. All of them are working.

The problem is that the Magic is not communicating over the serial port (I have used the connector from a headset to make the cable). I have tried and failed to enable communication.

Question: is there any way that I can force the processor to jump to a certain address in memory and load fastboot?

JTAG communication works and I can send and control fine. Just the serial port is either busted or not initialized on boot.
 

Top Liked Posts

  • 3
    I figured this should be in its own thread so those working on a solution can now focus on the software side of things.

    htc-g1-main-frontside-labeled-1.jpg


    These are the JTAG connection points I traced from the CPU to their test points. I'm almost 90% sure the Primary is still usable. The Auxiliary JTAG port is very, very hard to get to, and I'd imagine even for the technicians that reprogram them at the repair center. I didn't have much luck getting a connection made due to my lack of JTAG knowledge and an incorrect type of JTAG circuit (working on another though). I'm posting up the complete testpoints I spent MANY MANY countless hours and sleepless nights tracing so someone who has done this before can get a recovery procedure made to fix all bricked HTC Dreams. The reason I am doing all of this is not specifically for the Dream but because in the field of work I'm in, and the type of work I do, I could benefit from it both for my personal phones and at work. I did research over the years but could never quite understand how JTAG is used until now. I took my spare fully working beater G1 and unsoldered the CPU with an IR rework station (T-870A) at home with the intention of placing the CPU back on when done. It took A LOT longer than I hoped, and because I had to hold test probes on the contact pads tight so I could flip the board and trace them also, it killed a couple of the pads, so that's when I decided to say screw it; I still have all the spares for my main Dream, and now I can REALLY find the rest of the pins....and a few extras that might be used in the future to add features.

    ********Technical Notes*******

    There are 4 Mode control pins listed in the pictures.
    Mode 3 is under the SIM slot; accessing it requires de-soldering 4 points holding the SIM carrier to the board.
    Mode 0 is NOT a testpoint, but a solder point where a resistor could go to ground. It is VERY hard to solder to directly.
    The Watchdog pin can simply be grounded with a resistor in place or with a needle through the shielding, which would be ground. It's a single solder point.
    Primary JTAG is next to the LCD connector.


    When you see where the pins for AUX are located you will see why I think that's not where the focus should be...they're scattered in odd places, and you also have to remove the SIM slot to access the last one, which took forever to find.
    Trackball has a hidden test point for the return clock as well, otherwise you need to solder directly to the connector on the main board.

    Note: Return Clock is missing in the Picture for the AUX_JTAG connector...it is located at the top right testpoint just above the trackball pad, otherwise you will need to solder directly to the connector on main board.

    if you need any more just let me know, if anyone wants to add to this please feel free.
    Images are NOT MINE, they are the property of whomever took them. I only traced and added the labels; if there is a problem with using them let me know!

    htc-g1-main-backside-labeled.jpg

    htc-g1-main-frontside-labeled.jpg



    IF anyone wants to donate a bricked G1 board for experimenting or donate in general please feel welcome! email@ irenep@binarytechzone.com
    1
    my Ubuntu install was killed by the latest update

    You're not the only one :mad: 9.10 is a car crash.
    1
    Here are the other test points. if you need any others please let me know! I added them to the first post. Please note some are not on actual test points but single solder points.

    htc-g1-main-frontside-labeled.jpg


    htc-g1-main-backside-labeled.jpg
    1
    Maybe i should go to complete the BSDL software for pure JTAG access... :confused:

    Seeing as the USB-method ***WILL*** require some kind of working code to already exist on the device, a jtag solution will be ideal. Let us fix a totally dead phone.

    I say that this is first priority.
    Second priority is simple solutions to partial failures.
    1
    Its Alive

    Hi All;

    So a successful un-brick

    To continue/confirm my post
    http://xdaforums.com/showpost.php?p=5795214&postcount=252

    I've recently got a Tmobile G1 bricked by the previous owner installing HBOOT 1.33.2005 on top of radio 1.22.12.29.

    This, like when Rogers phones install the OTA zip file, causes the SPL to get stuck in "ARM11 Boot Mode: 3" without a recovery to flash (thus stuck on the boot screen).

    The following ought to allow you to correct any phone with the 1.33.2005 SPL stuck in this mode. However, it will require some adjustments depending on the currently running radio. (And I've only succeeded on radio 1.22.12.29.)

    (Rogers Dream users: if you installed the OTA, radio 2.22.19.26I did already overwrite the EBI1 radio)

    Instructions obviously preliminary I am still trying to see if we can avoid jtag for this.

    ---
    Note I've copied and simplified the process, see the wiki page:
    http://wiki.cyanogenmod.com/index.php/JTAG_DREAM_AND_MAGIC
    ---

    Prerequisites
    A) a phone working with jtag (I will provide commands for "Open On-Chip Debugger 0.4.0" translate to your setup):

    mww ['phys'] address value [count]
    write memory word

    resume [address]
    resume target execution from current PC or address

    halt [milliseconds]
    request target to halt, then wait up to the specified number of
    milliseconds (default 5) for it to complete

    bp [address length ['hw']]
    list or set hardware or software breakpoint

    rbp address
    remove breakpoint
    B) A working stack for your phone in fastboot *.img format (you will want radio.img, hboot.img, recovery.img)

    C) HTC Serial wire or serial/USB hybrid wire; please ensure you can disconnect the USB/Power separate from the serial if need be

    Procedure

    1) Enter blue light mode and attach both serial wire/console + jtag
    2) Halt CPU
    halt
    3) enable the CID bypass for your version of the radio

    1.22.12.29: mww 0x00902EB4 0xea000013
    2.22.19.26I: mww 0x009038F0 0xea000013
    3.22.20.17: mww 0x009038F0 0xea000013
    3.22.26.17: mww 0x0090379C 0xea000013
    4) set the cego breakpoint for your radio

    1.22.12.29: bp 0x00901A24 0x4
    2.22.19.26I: bp 0x00902b30 0x4
    3.22.20.17: bp 0x00902b30 0x4
    3.22.26.17: bp 0x009029DC 0x4
    5) resume CPU
    resume
    6) run 'cego' on the serial oemspl console
    7) if all is well the CPU halted due to the breakpoint. If it's failing to boot Android you didn't set the breakpoint correctly; if it gave an error about an unknown command you didn't apply the CID bypass correctly. Please pull the battery and try again
    8) Clear breakpoint that you set earlier

    1.22.12.29: rbp 0x00901A24
    2.22.19.26I: rbp 0x00902b30
    3.22.20.17: rbp 0x00902b30
    3.22.26.17: rbp 0x009029DC
    9) change BOOT Mode 3 to "FASTBOOT" mode :) (address only for 1.33.2005 SPL and 1.33.2009 SPL)
    mww 0x00000c0c 0x98000C4C
    10) resume CPU
    resume
    11) now if your video wire is attached (the wire right over the jtag port..) you will see the boot screen with "FASTBOOT" at the top. If it's not attached, let's hope that is what you would see and attempt to continue anyway
    12) attach USB wire to phone and on PC run "fastboot devices" to see if we are correctly in fastboot mode
    13) fastboot yourself a working stack

    fastboot flash radio radio.img
    fastboot flash hboot hboot.img
    fastboot flash recovery recovery.img
    14) once all the above complete successfully, pull battery/serial/disable jtag (we need a very cold reboot and it gets confused)
    15) boot phone it will boot in boot mode 3 to recovery; clear cache; and with luck behave... use recovery to flash your desired system as usual.

    If you wish to load an alternate SPL rather than only modify the existing one or avoid the breakpoint; see my rogers solution: http://xdaforums.com/showpost.php?p=5934885&postcount=6

    BTW If this did get you out of a bind I do accept donations to cover costs of phones that can no longer get recovered

    (Now that I have a working jtaged phone there was some other things I wanted to look at)
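Added example, not code from this thread or from any of its posters: a small Python helper that parses HBOOT UART captures of the kind tonne99 and BLKro posted earlier (boot reason, ARM11 boot mode, the wrapped kernel command line with its androidboot.baseband value, [ERR] lines, bad-block and ECC reports) and, for the procedure just above, returns the OpenOCD command sequence of steps 2 to 10 for a radio that the post's address table lists, refusing radios it does not cover. The address table, the 0xea000013 branch word and the 0x00000c0c / 0x98000C4C boot-mode write are copied from the procedure; the sample logs are shortened constructed copies of the captures posted in the thread; the function names and the diagnosis wording are my own assumptions.

```python
"""Added example: parse HBOOT UART captures like those posted in this thread."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Radio version -> CID-bypass and cego-breakpoint addresses, copied from the thread.
RADIO_PATCH_TABLE = {
    "1.22.12.29":  {"cid_bypass": 0x00902EB4, "cego_bp": 0x00901A24},
    "2.22.19.26I": {"cid_bypass": 0x009038F0, "cego_bp": 0x00902B30},
    "3.22.20.17":  {"cid_bypass": 0x009038F0, "cego_bp": 0x00902B30},
    "3.22.26.17":  {"cid_bypass": 0x0090379C, "cego_bp": 0x009029DC},
}
BRANCH_WORD = 0xEA000013  # value the procedure writes at the CID-bypass address
FASTBOOT_MODE_ADDR, FASTBOOT_MODE_WORD = 0x00000C0C, 0x98000C4C  # 1.33.2005/2009 SPL

# Shortened copies of captures posted in this thread (constructed samples).
STOCK_LOG = """boot reason: PM_WDOG_TOUT_RT_ST
ARM9_BOOT_MODE0, Boot Linux
bad=0x15E
bad block=0x15E
active commandline: board_trout.smisize=64  androidboot.baseband=1.22.12.29 an
droidboot.bootloader=0.95.0000 androidboot.carrier=TMA
jump to linux kernel"""
NO_BOOT_IMAGE_LOG = """boot reason: PM_KPD_PWR_KEY_ON_RT_ST
ARM11 Boot Mode: 0
[ERR] partition_read::Failed to read page 22400 or it is empty
[ERR] boot image does not exist!!!
###[ Fastboot Mode ]###"""
MODE3_LOG = """boot reason: PM_KPD_PWR_KEY_ON_RT_ST
ARM11 Boot Mode: 3
[ERR] ECC error has been corrected(errno -117): page id 20004
TAG:Ramdisk OK"""

@dataclass
class BootLog:
    boot_reason: Optional[str] = None
    arm11_mode: Optional[int] = None
    baseband: Optional[str] = None
    reached_kernel: bool = False
    fastboot: bool = False
    errors: List[str] = field(default_factory=list)
    bad_blocks: List[int] = field(default_factory=list)
    ecc_pages: List[int] = field(default_factory=list)

def parse_boot_log(text: str) -> BootLog:
    """Pull out the fields the replies in this thread ask for."""
    log = BootLog()
    # The kernel command line wraps at 80 columns, so search it in the whole text.
    if m := re.search(r"androidboot\.baseband=(\S+)", text):
        log.baseband = m.group(1)
    for line in text.splitlines():
        if m := re.match(r"\s*boot reason:\s*(\S+)", line):
            log.boot_reason = m.group(1)
        elif m := re.search(r"ARM11 Boot Mode:\s*(\d)", line):
            log.arm11_mode = int(m.group(1))
        elif m := re.search(r"\[ERR\]\s*(.+)", line):
            log.errors.append(m.group(1).strip())
            if p := re.search(r"ECC error has been corrected.*page id (\d+)", line):
                log.ecc_pages.append(int(p.group(1)))
        elif m := re.match(r"\s*bad(?: block)?=0x([0-9A-Fa-f]+)", line):
            block = int(m.group(1), 16)
            if block not in log.bad_blocks:  # HBOOT repeats the block per image
                log.bad_blocks.append(block)
        elif "jump to linux kernel" in line:
            log.reached_kernel = True
        elif "Fastboot Mode" in line:
            log.fastboot = True
    return log

def diagnose(log: BootLog) -> List[str]:
    """Restate the parsed fields as the observations made in this thread."""
    notes = []
    if log.boot_reason == "PM_WDOG_TOUT_RT_ST":
        notes.append("watchdog reset preceded this boot")
    if any("boot image does not exist" in e for e in log.errors):
        notes.append("boot partition empty: HBOOT dropped to fastboot")
    if log.arm11_mode == 3 and not (log.reached_kernel or log.fastboot):
        notes.append("boot mode 3 with no kernel hand-off: recovery/radio mismatch suspected")
    if log.bad_blocks:
        notes.append("bad NAND blocks: " + ", ".join(map(hex, log.bad_blocks)))
    if log.ecc_pages:
        notes.append("ECC-corrected pages: " + ", ".join(map(str, log.ecc_pages)))
    if log.baseband:
        known = "listed" if log.baseband in RADIO_PATCH_TABLE else "not listed"
        notes.append(f"radio {log.baseband} is {known} in the thread's address table")
    return notes

def plan_openocd_recovery(radio: str) -> List[str]:
    """OpenOCD commands for steps 2-10 of the procedure, listed radios only."""
    if radio not in RADIO_PATCH_TABLE:
        raise ValueError(f"no addresses posted for radio {radio}; do not guess them")
    a = RADIO_PATCH_TABLE[radio]
    return ["halt",
            f"mww 0x{a['cid_bypass']:08X} 0x{BRANCH_WORD:08x}",
            f"bp 0x{a['cego_bp']:08X} 0x4",
            "resume",
            "# serial oemspl console: cego  (the CPU should halt at the breakpoint)",
            f"rbp 0x{a['cego_bp']:08X}",
            f"mww 0x{FASTBOOT_MODE_ADDR:08X} 0x{FASTBOOT_MODE_WORD:08X}",
            "resume"]
```

Run `diagnose(parse_boot_log(open("capture.txt").read()))` on a saved UART capture to get the same observations the replies above make by eye (watchdog reset, empty boot partition, boot mode 3 with no kernel hand-off, bad or ECC-corrected NAND pages), and `plan_openocd_recovery(log.baseband)` to print the address-specific mww/bp/rbp lines; the radio check is deliberate, since the post notes the addresses differ per radio and a 6.x radio (mentioned earlier in the thread) has no posted addresses at all.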