== General Info ==
Hello, and welcome to my usb uart guide - aka, how to totally f' your phone up, if you don't think first!
Really though, read everything before attempting anything!
USB Uart is not new news. There are many great people whom have come before me to make what I am documenting here possible. But I am putting this here because I keep getting PM'd about getting help with USB Uart, and figured it would be good to start a thread that documents what you need and how to get going.
So up front, I need to list some credits.
I gained a lot of knowledge from these people:
== WARNING ==
I am not responsible for anything you do to your device! If you follow my guide and it results from anything like your phone not working or ending the world, I cannot be held accountable for what you do!
This guide will show you how to use the usb uart on most galaxy s phones (with the FSA9480 USB port accessory detector and switch)
It helps to have Unbrickable Mod. There are some commands you can run from the SBL that will wipe your bootloaders!
You must be VERY CAREFUL!
== Requirements ==
First off, you will need some hardware to connect to your computer. It helps. Below is a list of things I use and they are common and cheap. The links to the items below are what I have. Its what works for me.
Also, I use minicom on Linux and Mac OS X (use homebrew to install minicom), but you should be able to use any serial console program you like (i.e. kermit, cu, etc...)
I highly suggest getting to know your bus pirate, but this guide assumes you have read manuals and updated firmware. Any of the other uart modes should also work this way, but I currently don't cover that here... yet.
== Getting Started ==
When we connect to the usb port on the bus pirate(bp), you can find the version info by typing i at the high impedance mode (HiZ>) prompt. Change to this mode when your modifying connections or cable argments.
Disconnect the bp and lets connect everything from the micro usb port connecting to your phone backwards to the bp. I use a breadboard for things that I might work on later or things I'll re-arrange a lot. You may also decide to solder the resistor directly to the GND/ID pins, but you will need a little lead on the GND. Connect MOSI to D+ and MISO to D-.
Another warning!
You can also fry the ftdi on the bus pirate, if you mess with the connections while the bus pirate is in any mode besides HiZ (Hi Impedance) or unplugged. Usually, I'm in uart bridge mode, so you can't go back to HiZ. You just have to unplug the usb cable.
Solder some jumper wire to the micro usb breakout board. I use about an inch.
I usually start at a1 on the breadboard with vcc and a4 and a5 for ID and GND (respectively). In these images, I'm at the opposite end of the board to make it easier to have the phone next to and above my mouse so it is easy for me to work with the phone.
Put the resistor on b4 and b5 - which is where I connect GND on the bp.
Now that you have the bp connected to the circut, lets move forward and plug in the micro usb cable into the bp and then into your computer.
To change into UART mode on the buspirate, type 'm' at the HiZ> prompt:
After you get into UART Bridge mode, you will have to unplug the usb port from your computer to reset the bus pirate.
This is where experimenting with different resistors on the GND/ID pins make a difference. Using 619k resistance, I just plug the phone in and it boots up. During boot up, I can see the PBL output like the output you will see in the rest of this document. Using 150k resistance, the phone doesn't automatically turn on.
Also, you may have different usability of the console depending on if you set the output type to Open drain or Normal drain.
With Open drain, I am able to see the uart output, but I am not able to break into the SBL prompt like I am with Normal drain.
Interestingly, with 619k on my SGH-T959V, I don't see all of the kernel console output. I still haven't figured out exactly why yet. With 150k resistance, I don't see the PBL output, but I can still break into the SBL prompt (with normal drain) and get full kernel console output.
When you get to this point, the mode light should now be green. When you plug your phone into the micro usb adapter (again 619k in these examples), you should see everything from the pbl in to the kernel starting:
== The SBL (Secondary BootLoader) ==
The most interesting line out of all of that was:
If you happen to hold down the Enter/Return key while booting the phone you will get into the "SBL>" prompt.
The Secondary BootLoader is essentially like u-boot.
If we type help, we will get some commands you can run. Some of these commands are affected by what is set in the environment.
You can get some minimal help for each command:
Another set of intersting commands here are the ones that manipulate the environment:
printenv is probably the safest of them to run, so lets try this first.
I'm not fully sure what all of these options are, but the ones I know about are SWITCH_SEL and PHONE_DEBUG_ON.
I usually turn SWITCH_SEL to 765431. If I turn 2 on, I don't get anything. It would be worthy to test each number in SWITCH_SEL to figure out what number changes what. That maybe specific to the device I have.
Setting at least 6543 in SWITCH_SEL will give you kernel log output:
I also set PHONE_DEBUG_ON to 1:
When I set this, I get some extended battery statistics like:
You must remember that after running setenv, you must then run saveenv at least once at the end to save the environment. I believe this environment info is saved to either an offset on the sbl partition or on the param.lfs. It would be useful to find this out, because u-boot has a userspace utility (that you can use from within linux userspace) to modify the u-boot environment. It may be handy to use a tool like that to modify the CMDLINE option during rom flashing time.
Also, instead of powering your phone off then on again to put the new settings in place, just run reset from the sbl prompt to reboot the phone with the new settings.
Anyways, This is what I have so far. I will be adding more to this as time goes on.
Enjoy!
-Bryan
Hello, and welcome to my usb uart guide - aka, how to totally f' your phone up, if you don't think first!
Really though, read everything before attempting anything!
USB Uart is not new news. There are many great people whom have come before me to make what I am documenting here possible. But I am putting this here because I keep getting PM'd about getting help with USB Uart, and figured it would be good to start a thread that documents what you need and how to get going.
So up front, I need to list some credits.
I gained a lot of knowledge from these people:
- TheBeano - Fun with resistors (home/car dock mode + more)
- UberPenguin - Galaxy S UART JIG & Debugging Connector
- AdamOutler - UART Output / Bootloader Hacking / Kernel Debuging
- E:V:A - The Samsung Anyway Jig
- I'm sure there is more... let me know if you think you need to be in this list. I'll be happy to update it!
== WARNING ==
I am not responsible for anything you do to your device! If you follow my guide and it results from anything like your phone not working or ending the world, I cannot be held accountable for what you do!
This guide will show you how to use the usb uart on most galaxy s phones (with the FSA9480 USB port accessory detector and switch)
It helps to have Unbrickable Mod. There are some commands you can run from the SBL that will wipe your bootloaders!
You must be VERY CAREFUL!
== Requirements ==
First off, you will need some hardware to connect to your computer. It helps. Below is a list of things I use and they are common and cheap. The links to the items below are what I have. Its what works for me.
- mini-usb cable - http://www.sparkfun.com/products/598
- bus pirate or arduino (I only cover bus pirate here... for now.) - http://www.seeedstudio.com/depot/bus...html?cPath=174
- In my guide i use the bus pirate probe kit - http://www.seeedstudio.com/depot/bus...?cPath=178_180
I used a tape printer to label the test clips. - breadboard (optional, if you rather just solder the resistor to the micro-usb break-out board. more later...) - http://www.sparkfun.com/products/112
- USB MicroB Plug Breakout Board - http://www.sparkfun.com/products/10031
- some jumper wire - http://www.sparkfun.com/products/124
- 150k, 523k, 619k resistor (ymmv. AdamOutler and others told me to try 523k or 619k, but I was able to get all the output I need with 150k)
- guts - priceless
Also, I use minicom on Linux and Mac OS X (use homebrew to install minicom), but you should be able to use any serial console program you like (i.e. kermit, cu, etc...)
I highly suggest getting to know your bus pirate, but this guide assumes you have read manuals and updated firmware. Any of the other uart modes should also work this way, but I currently don't cover that here... yet.
== Getting Started ==
When we connect to the usb port on the bus pirate(bp), you can find the version info by typing i at the high impedance mode (HiZ>) prompt. Change to this mode when your modifying connections or cable argments.
Code:
HiZ>i Bus Pirate v3b Firmware v6.0 r1625 Bootloader v4.4 DEVID:0x0447 REVID:0x3043 (24FJ64GA002 B5) http://dangerousprototypes.com
Another warning!
You can also fry the ftdi on the bus pirate, if you mess with the connections while the bus pirate is in any mode besides HiZ (Hi Impedance) or unplugged. Usually, I'm in uart bridge mode, so you can't go back to HiZ. You just have to unplug the usb cable.
Solder some jumper wire to the micro usb breakout board. I use about an inch.
I usually start at a1 on the breadboard with vcc and a4 and a5 for ID and GND (respectively). In these images, I'm at the opposite end of the board to make it easier to have the phone next to and above my mouse so it is easy for me to work with the phone.
Put the resistor on b4 and b5 - which is where I connect GND on the bp.
Now that you have the bp connected to the circut, lets move forward and plug in the micro usb cable into the bp and then into your computer.
To change into UART mode on the buspirate, type 'm' at the HiZ> prompt:
Code:
HiZ>m 1. HiZ 2. 1-WIRE 3. UART 4. I2C 5. SPI 6. 2WIRE 7. 3WIRE 8. LCD x. exit(without change) (1)>3 Set serial port speed: (bps) 1. 300 2. 1200 3. 2400 4. 4800 5. 9600 6. 19200 7. 38400 8. 57600 9. 115200 10. BRG raw value (1)>9 Data bits and parity: 1. 8, NONE *default 2. 8, EVEN 3. 8, ODD 4. 9, NONE (1)>1 Stop bits: 1. 1 *default 2. 2 (1)>1 Receive polarity: 1. Idle 1 *default 2. Idle 0 (1)>1 Select output type: 1. Open drain (H=Hi-Z, L=GND) 2. Normal (H=3.3V, L=GND) (1)>2 Ready UART>(3) UART bridge Reset to exit Are you sure? y
This is where experimenting with different resistors on the GND/ID pins make a difference. Using 619k resistance, I just plug the phone in and it boots up. During boot up, I can see the PBL output like the output you will see in the rest of this document. Using 150k resistance, the phone doesn't automatically turn on.
Also, you may have different usability of the console depending on if you set the output type to Open drain or Normal drain.
With Open drain, I am able to see the uart output, but I am not able to break into the SBL prompt like I am with Normal drain.
Interestingly, with 619k on my SGH-T959V, I don't see all of the kernel console output. I still haven't figured out exactly why yet. With 150k resistance, I don't see the PBL output, but I can still break into the SBL prompt (with normal drain) and get full kernel console output.
When you get to this point, the mode light should now be green. When you plug your phone into the micro usb adapter (again 619k in these examples), you should see everything from the pbl in to the kernel starting:
Code:
1 ----------------------------------------------------------- Samsung Primitive Bootloader (PBL) v3.0 Copyright (C) Samsung Electronics Co., Ltd. 2006-2010 ----------------------------------------------------------- +n1stVPN 2688 +nPgsPerBlk 64 +n1stVPN 3008 +nPgsPerBlk 64 PBL found bootable SBL: Partition(4). Set cpu clk. from 400MHz to 800MHz. OM=0x29, device=OnenandMux(Audi) IROM e-fused - Non Secure Boot Version. ----------------------------------------------------------- Samsung Secondary Bootloader (SBL) v3.0 Copyright (C) Samsung Electronics Co., Ltd. 2006-2010 Board Name: ARIES REV 03 Build On: Oct 28 2011 15:45:50 ----------------------------------------------------------- Re_partition: magic code(0x0) [PAM: ] ++FSR_PAM_Init [PAM: ] OneNAND physical base address : 0xb0000000 [PAM: ] OneNAND virtual base address : 0xb0000000 [PAM: ] OneNAND nMID=0xec : nDID=0x60 [PAM: ] --FSR_PAM_Init fsr_bml_load_partition: pi->nNumOfPartEntry = 12 partitions loading success board partition information update.. source: 0x0 .Done. read 1 units. ==== PARTITION INFORMATION ==== ID : IBL+PBL (0x0) ATTR : RO SLC (0x1002) FIRST_UNIT : 0 NO_UNITS : 1 =============================== ID : PIT (0x1) ATTR : RO SLC (0x1002) FIRST_UNIT : 1 NO_UNITS : 1 =============================== ID : EFS (0x14) ATTR : RW STL SLC (0x1101) FIRST_UNIT : 2 NO_UNITS : 40 =============================== ID : SBL (0x3) ATTR : RO SLC (0x1002) FIRST_UNIT : 42 NO_UNITS : 5 =============================== ID : SBL2 (0x4) ATTR : RO SLC (0x1002) FIRST_UNIT : 47 NO_UNITS : 5 =============================== ID : PARAM (0x15) ATTR : RW STL SLC (0x1101) FIRST_UNIT : 52 NO_UNITS : 20 =============================== ID : KERNEL (0x6) ATTR : RO SLC (0x1002) FIRST_UNIT : 72 NO_UNITS : 30 =============================== ID : RECOVERY (0x7) ATTR : RO SLC (0x1002) FIRST_UNIT : 102 NO_UNITS : 30 =============================== ID : FACTORYFS (0x16) ATTR : RW STL SLC (0x1101) FIRST_UNIT : 132 NO_UNITS : 1540 =============================== ID : DATAFS (0x17) ATTR : RW STL SLC (0x1101) FIRST_UNIT : 1672 NO_UNITS : 2120 =============================== ID : CACHE (0x18) ATTR : RW STL SLC (0x1101) FIRST_UNIT : 3792 NO_UNITS : 160 =============================== ID : MODEM (0xb) ATTR : RO SLC (0x1002) FIRST_UNIT : 3952 NO_UNITS : 60 =============================== loke_init: j4fs_open success.. load_lfs_parameters valid magic code and version. reading nps status file is successfully!. nps status=0x504d4f43 load_debug_level reading debug level from file successfully(0x574f4c44). init_fuel_gauge: vcell = 4013mV, soc = 86 check_quick_start_condition- Voltage: 4013.75000, Linearized[74/89/100], Capacity: 89 init_fuel_gauge: vcell = 4013mV, soc = 86, rcomp = d000 reading nps status file is successfully!. nps status=0x504d4f43 PMIC_IRQ1 = 0x20 PMIC_IRQ2 = 0x0 PMIC_IRQ3 = 0x0 PMIC_IRQ4 = 0x0 PMIC_STATUS1 = 0x40 PMIC_STATUS2 = 0x0 get_debug_level current debug level is 0x574f4c44. aries_process_platform: Debug Level Low keypad_scan: key value ----------------->= 0x0 CONFIG_ARIES_REV:48 , CONFIG_ARIES_REV03:48 check_download: micorusb_status1 = 400, key_value = 0 aries_process_platform: final s1 booting mode = 0 DISPLAY_PATH_SEL[MDNIE 0x1]is on MDNIE setting Init start!! vsync interrupt is off video interrupt is off [fb0] turn on MDNIE setting Init end!! Autoboot (0 seconds) in progress, press any key to stop get_debug_level current debug level is 0x574f4c44. get_debug_level current debug level is 0x574f4c44. boot_kernel: Debug Level Low FOTA Check Bit Read BML page=, NumPgs= FOTA Check Bit (0xffffffff) Load Partion idx = (6) ..............................done Kernel read success from kernel partition no.6, idx.6. setting param.serialnr=0x3733b898 0x1ffc00ec setting param.board_rev=0x30 setting param.cmdline=console=ttySAC2,115200 loglevel=4 Starting kernel at 0x32000000...
The most interesting line out of all of that was:
Code:
Autoboot (0 seconds) in progress, press any key to stop
The Secondary BootLoader is essentially like u-boot.
Code:
... DISPLAY_PATH_SEL[MDNIE 0x1]is on MDNIE setting Init start!! vsync interrupt is off video interrupt is off [fb0] turn on MDNIE setting Init end!! Autoboot (0 seconds) in progress, press any key to stop Autoboot aborted.. SBL>
Code:
SBL> help Following commands are supported: * setenv * saveenv * printenv * help * reset * boot * kernel * format * open * close * erasepart * eraseall * loadkernel * showpart * addpart * delpart * savepart * nkernel * nramdisk * nandread * nandwrite * usb * mmctest * keyread * readadc * usb_read * usb_write * fuelgauge * pmic_read * pmic_write To get commands help, Type "help <command>" SBL>
Code:
SBL> help loadkernel
* Help : loadkernel
* Usage : loadkernel
load kernel image
- loadkernel 0x80A00000 from kernel partition
- setenv
- saveenv
- printenv
Code:
SBL> help setenv
* Help : setenv
* Usage : setenv [name] [value] . .
Modify current environment info on ram
SBL> help saveenv
* Help : saveenv
* Usage : saveenv
Save cuurent environment info to flash
SBL> help printenv
* Help : printenv
* Usage : printenv
Print current environment info on ram
Code:
SBL> printenv PARAM Rev 1.3 SERIAL_SPEED : 7 LOAD_RAMDISK : 0 BOOT_DELAY : 0 LCD_LEVEL : 97 SWITCH_SEL : 1 PHONE_DEBUG_ON : 0 LCD_DIM_LEVEL : 0 LCD_DIM_TIME : 6 MELODY_MODE : 1 REBOOT_MODE : 0 NATION_SEL : 0 LANGUAGE_SEL : 0 SET_DEFAULT_PARAM : 0 CUST_KERNEL_DL_COUNT : 0 KERNEL_BINARY_TYPE : 0 VERSION : I9000XXIL CMDLINE : console=ttySAC2,115200 loglevel=4 DELTA_LOCATION : /mnt/rsv PARAM_STR_3 : PARAM_STR_4 :
I usually turn SWITCH_SEL to 765431. If I turn 2 on, I don't get anything. It would be worthy to test each number in SWITCH_SEL to figure out what number changes what. That maybe specific to the device I have.
Setting at least 6543 in SWITCH_SEL will give you kernel log output:
Code:
setenv SWITCH_SEL 6543 saveenv
Code:
setenv PHONE_DEBUG_ON 1 saveenv
Code:
[BAT] CHR(0) CAS(0) CHS(3) DCR(0) ACP(2) BAT(81,0,0) TE(31) HE(1) VO(3926) ED(1000) RC(0) CC(0) VF(591) LO(0)
Also, instead of powering your phone off then on again to put the new settings in place, just run reset from the sbl prompt to reboot the phone with the new settings.
Anyways, This is what I have so far. I will be adding more to this as time goes on.
Enjoy!
-Bryan
Philadelphia, PA
-∇ϕ
. As far I understand we can using this method recovery the phone from hard brick? That will be really nice, my friend bricked his Ace, maybe he can use this method.
Linear Mode
