
SUCCESS! De-Bricking Dreams - Complete JTAG Testpoints! UPDATE! 04/07/10

59 posts
Thanks Meter: 21
 
By BinaryDroid, Member on 27th November 2009, 11:26 PM
22nd April 2010, 04:49 AM |#511  
Member
Thanks Meter: 0
 
Great work mate!

I see that SparkFun are doing JTAG ARM devices for about 50$USD so might grab one of them and sort it out on my phone also.

Anyhow great work, I really should sort out my 32b, but I bought a nexus1 in the mean time.

G
22nd April 2010, 05:24 AM |#512  
ezterry's Avatar
Retired Recognized Developer
Flag Asheville, NC
Thanks Meter: 1,005
 
Quote:
Originally Posted by bart9984

Hi all,
finally I was able to debrick my magic 32A using jtag and ezterry's method

Congratulations again.
Quote:
Originally Posted by bart9984

then the list of commands I used to restore spl+recovery. On my phone there was installed the radio version 3.22.20.17 so this offset works with this radio for sure, for other radio versions see ezterry posts

I've updated my original post with the offsets to 3.22.20.17 (as you can see it's the same as the 26I radio .. indicating EBI0 and EBI1 are really very similar, probably just some build variables changed).

Quote:
Originally Posted by bart9984

The method used by ezterry to load via jtag a new spl at 0x0 didn't work for me. After cego resume the screen was still black and the phone was still in oemsbl (I was able to type other commands)

odd.. maybe you nop-ed 0x00902b30 instead of 0x00902b2c
regardless you managed the correct end result.. so not much to worry about (I know you spent many waking hours on this in the last 24 to 48 hours)

As for the power thing.. I've never needed to have +5 connected to start the jtag successfully.. maybe part of your battery issue.. or a quirk of the phone.. (unless the phone was showing the blue light but not really booted)

The needing it detached for oemspl to work however I have experienced ..
22nd April 2010, 10:06 AM |#513  
Senior Member
Thanks Meter: 809
 
Congratulations....
Quote:
Originally Posted by bart9984

...finally I was able to debrick my magic 32A using jtag and ezterry's method

Fantastic!
Well done bart!!!
I really love this hardcore hacking stuff....
Simply nothing more to say.

Cheers,

scholbert
22nd April 2010, 12:59 PM |#514  
Member
Thanks Meter: 0
 
Quote:
Originally Posted by ezterry

odd.. maybe you nop-ed 0x00902b30 instead of 0x00902b2c
regardless you managed the correct end result.. so not much to worry about (I know you spent many waking hours on this in the last 24 to 48 hours)

here again after some sleep

I tried loading both 1.33.2009 and my original spl (not the one installed but the original by tim) and I remember having nop-ed with mww 0x902b2c 0x0. But as you said I was awake for a long time and now I can't be sure anymore

bart99
22nd April 2010, 01:17 PM |#515  
anthonws's Avatar
Senior Member
Flag Lisbon
Thanks Meter: 26
 
Quote:
Originally Posted by gymmy

Great work mate!

I see that SparkFun are doing JTAG ARM devices for about 50$USD so might grab one of them and sort it out on my phone also.

Anyhow great work, I really should sort out my 32b, but I bought a nexus1 in the mean time.

G

Hi gymmy,

Is this the jtag device you talked about? http://www.sparkfun.com/commerce/pro...oducts_id=8278

Thanks,
Anthon.
22nd April 2010, 03:22 PM |#516  
Senior Member
Thanks Meter: 15
 
Quote:
Originally Posted by bart9984

Hi all,
finally I was able to debrick my magic 32A using jtag and ezterry's method

so here is a detailed list of what I did:

  1. With a needle I carefully removed some glue on the jtag pins
  2. I soldered the wires to the board according to the site posted some time ago by 3izz (http://www.omnia-repair.com/forum/to...2a-jtag-pinout)
    Since I used an Olimex ARM-USB-OCD, which works by default at 6MHz, I didn't attach the rtck pin. The pins are really close to one another and I had some problems, also losing a little capacitor near TDO (I'm not a solder freak)
    I've used the LM317 voltage regulator scheme posted by ezterry (http://i43.tinypic.com/124k7sk.png) and a usb cable to grab 5v to obtain vref=2.6V
  3. Installed openOCD 0.4.0 with libftdi support enabled on my ubuntu 9.10
  4. Attached the serial cable and entered blue light mode (trackball+power)
  5. Now to let openocd detect the target I also had to connect the serial +5v voltage; if not, I had a "FAILED: all ones" error from openocd. After openocd started I removed the +5v connection because with it attached I can't write to the serial console (maybe it is only a problem of mine and not general)
    So I connected with two terminals to the serial console and to openocd via telnet

then the list of commands I used to restore spl+recovery. On my phone there was installed the radio version 3.22.20.17 so this offset works with this radio for sure, for other radio versions see ezterry posts

in openocd:
Code:
[email protected]:~/workspace/Prova$ telnet 127.0.0.1 4444
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
Open On-Chip Debugger
> halt
target state: halted
target halted in ARM state due to debug-request, current mode: Supervisor
cpsr: 0x600000d3 pc: 0x0090d1fc
MMU: disabled, D-Cache: disabled, I-Cache: disabled

> mww 0x9038f0 0xea000013
> bp 0x902b30 0x4
breakpoint set at 0x00902b30
> resume

mww 0x9038f0 0xea000013 is to bypass CID restriction and gain access to other oemsbl commands

bp 0x902b30 0x4 sets a breakpoint to cego command in oemsbl

then in serial console (typing "?" now returned a list of supported commands)
typed cego to load and start spl manually

again in openocd
Code:

target state: halted
target halted in ARM state due to breakpoint, current mode: Supervisor
cpsr: 0x400000d3 pc: 0x00902b30
MMU: disabled, D-Cache: disabled, I-Cache: disabled

> rbp 0x902b30
> mww 0x00000c0c 0x98000c4c
> resume

rbp 0x902b30 removes the bp set before
mww 0x00000c0c 0x98000c4c forces spl to enter fastboot mode. These commands work only for some spl like 2005SPL, for others the offset table could change as said before by ezterry.

Then I disconnected serial and connected usb, the screen showed fastboot message so I used fastboot to flash spl 1.33.2009e (compatible with my radio) and recovery recovery-RA-sapphire-v1.6.2H

The method used by ezterry to load via jtag a new spl at 0x0 didn't work for me. After cego resume the screen was still black and the phone was still in oemsbl (I was able to type other commands)

That's all
I post some pictures like wires and final results


Cheers,
bart99

Is it the same process for HTC Magic 32B? Or is it the same for HTC Dream?
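
Added example (not part of any post in this thread): a small Python decoder that reads the words written with mww in the quoted session as ARM-state instructions, showing that 0xea000013 at 0x9038f0 is an unconditional branch and that the 0x0 written at 0x902b2c has no effect when executed. SESSION is constructed from the commands quoted in this thread; the function names are this example's own.

```python
import re

# Constructed input: the memory-write commands quoted in the thread.
SESSION = """\
> mww 0x9038f0 0xea000013
> mww 0x902b2c 0x0
> mww 0x00000c0c 0x98000c4c
"""

# ARM condition-code suffixes, indexed by bits 31..28 (0xE = always).
COND = ["eq", "ne", "cs", "cc", "mi", "pl", "vs", "vc",
        "hi", "ls", "ge", "lt", "gt", "le", "", "nv"]


def decode_word(addr, word):
    """Describe a 32-bit word as an ARM-state instruction placed at addr."""
    if word == 0:
        # The all-zero word encodes 'andeq r0, r0, r0', which changes nothing.
        return "andeq r0, r0, r0 (effective nop)"
    if (word >> 25) & 0b111 == 0b101 and (word >> 28) != 0xF:
        cond = COND[word >> 28]
        link = "l" if word & (1 << 24) else ""
        imm24 = word & 0xFFFFFF
        if imm24 & 0x800000:            # sign-extend the 24-bit word offset
            imm24 -= 1 << 24
        # In ARM state PC reads as addr + 8; the offset counts 4-byte words.
        target = (addr + 8 + (imm24 << 2)) & 0xFFFFFFFF
        return f"b{link}{cond} 0x{target:08x}"
    return "not a B/BL encoding"


def decode_session(text):
    """Return (address, word, description) for every mww command in text."""
    out = []
    for m in re.finditer(r"mww\s+(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)", text):
        addr, word = int(m.group(1), 16), int(m.group(2), 16)
        out.append((addr, word, decode_word(addr, word)))
    return out


if __name__ == "__main__":
    for addr, word, desc in decode_session(SESSION):
        print(f"0x{addr:08x}: 0x{word:08x}  {desc}")
```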
22nd April 2010, 05:24 PM |#517  
Senior Member
Thanks Meter: 2,116
 
offered as a service?
I know this likely doesn't want to be seen here, and I'm sorry about that. But I'm having a hell of a time cold calling stores and finding anyone locally that can do this sort of work.

Does anyone know if there is a mail in service (or a place reasonably near Miami) that does this sort of thing? What might one expect to pay for something like this anyways?

I don't have the technical experience to do this sorta thing myself, but I'd be willing to learn. Are there any guides/info/equipment I should look into if I wanted to try this myself?

Thanks, and I appreciate all the work you all have put into this. You guys are amazing!
23rd April 2010, 08:07 AM |#518  
Member
Thanks Meter: 0
 
Quote:
Originally Posted by anthonws

Hi gymmy,

Is this the jtag device you talked about? http://www.sparkfun.com/commerce/pro...oducts_id=8278

Thanks,
Anthon.

nope it's this one
http://www.sparkfun.com/commerce/pro...oducts_id=7834
23rd April 2010, 08:48 AM |#519  
Member
Thanks Meter: 0
 
have just bought the jtag device so will make up an actual adaptor this weekend rather than soldering on to the main board.

Just have to wait for the item to arrive from the US now.

If it works well I don't mind unbricking a few people's devices for them for free of course.

Mind u I am in NZL

G.
23rd April 2010, 12:41 PM |#520  
Member
Thanks Meter: 0
 
Hi Gymmy,
The jtag interface is the same one used by me and ezterry.
It's a good idea to create an adaptor since the pins on the magic are very close to each other... I was also thinking about something similar but where I am now I have no drill and other stuff. From my measurements the pins are 1mm in diameter and the distance between two pins is also 1mm.
You can think of using one of the screw holes to fix the adaptor. If I remember well the height from the pins to the top of the metal plate is about 2.5 mm
Here I post a picture of a top view scheme I drew some days ago, you should verify the measurements. I also attach a svg and dxf version.
Let us know if you manage to make it

bart99
Attached Thumbnails: mask.png (2.6 KB)
Attached Files: mask.zip (2.5 KB)
23rd April 2010, 02:39 PM |#521  
Member
Thanks Meter: 0
 
Cheers for that,

I have some vero-board lying about so will make it up out of that and some pins I have from a PC adaptor and should be able to just clip it together.

G