Lets save some bricks...

[js22]

So do you agree that if OM{5..0} = 0x29, that the shifted value is 0x14, and that r8 gets set to 0x10 ? Then code goes to UART ?

Sent from my SAMSUNG-SGH-I897 using XDA App

 

[TheBeano]

So do you agree that if OM{5..0} = 0x29, that the shifted value is 0x14, and that r8 gets set to 0x10 ? Then code goes to UART ?

Yes that's right. The "Normal" boot type in R8 is 1, which tries NAND, then SDMMC2, then serial/USB. R8=10 will go to UART/USB load if it's a cold start (RST_STAT bit 0=1), or NAND if it's a warm start.

 

[AdamOutler]

I thought I'd post some interesting behavior....

Step 1. connect resistor "150K UART Cable" to pins 4 and 5
Step 2. Establish serial connection at 5v between phone and computer over usb
Step 3. Under Linux use the command "screen /dev/ttyUSB0"
Step 4. remove battery from phone
Step 6. insert battery and wait for AT&T logo,
Step 7. remove battery after 1 second of viewing AT&T logo
Step 8. Insert battery for 1 second and remove, leaving only USB connected
Step 9. Watch as random garbage is sent at 115200 baud. "blip blip" every second.

������X���0��x����$x�����%��u��x�!�ֈ����� �� ��:������t���������W���t��$��V��x ��xT��0������X� ��0W��%x����|����4��xt����������  ��'�������� �����0��48��ԃ����˕��W���x�����W0��T��x�Ԉ������4��X�w4���0��0��T���Zt��u ��$���T0�����X��u���x�u���� ����%�����Ґ����������������Ԕ�����xT��8�!��$!�������t���9��p���������0��W��u ��$Zu��<���t�������0�����1��4!����tt���%t��Z�����1�����8����t0�������8��0����x�!��U��x�w���x����x�0������x���:t����8�T�����X<������0��Xt��'���x�������%��5t��48�t!�����\���p���t��������4�������$�������9x��������t�����T��48W���tt!���0������ � �4�����d�������0ZW��d���#��8���W��8��8Z������u������4��֋���Z���x�����^����8���T����t0��0���������X�����t��t��0����u�����������p�ڒ����^�����4b��z ���䈵��#��t��t��%U��0����Z��9�t���V�������%�����8���;v����5��%x���t���4�t������$ ���������zt��Z�ԋ������t������0T����%x��t��p����������!��8u�����U���u��40����%x�������T�����T0��������5��0w��1��0����u0����T���%0��8��X����ԃ����X���4�#�����4��!��Z�����0u����؊���t�����!�����ԟ����������x���t�ڗ�����������$����x���xt0��0������������������'#�փ�����    ��t��$�������8��t ����x����t������T��8�������ҋ��0t��X5�������W�����X�����X�����x���������x�t��4t���!��p��w�ʃ0��$x�T���������4t����T���4���������tt��4�� 䃔����x���0�x����#��t��p��x�w0�����҈0��t��x�����������0����x�0�����������x��t1�����x��8�����0��'����0��Xt��4����$�������x���;��8������x����!��8���X��Ҟ��V���!�������W��&��x��%��8��Ԕ����X��9��X�����x���0��^�� ���8�������44!�ԋ��0���0t��t�҃�����8�!��8���8������t��ZT��$Ԑ������!��x������|���t!���������8v��5x�������X<����x����֜��������u��u����xu!��x�!��4��U��b���t�����x��x��x��V ��Z����8������z���x�t�����9��Z���%����8�ԃ!��$��8�����0���$ w������Z#��t������8" ��$U����xt���Ԑ������XW�������X������4��4���T�������������������0w��������9�ڋ�����5��x���� ��0t���x���������8���t�������u���X��Ҕ��x�����t���0��0�� �����������Ô�����Z���x��X������0�����#����x� �� ��x��x���x����8���5��W�������x�����x���Xt�������t0������x���x��������%T��8p����t� ����x���X��Xu ����Ý�����x�#�҃��t��8"��tu �����0�U��0t��8��4��!����;x��|����0!��t���p��������������Zt �ԋ��������$��������5�ڒ���;0|��֋0Ԓ�4X���$���<��������xu���W����8X�����Z��4�� ����x��� ���%�!���0��4�$�X��%0���8��� ����4�� ��$t��t!�����������^T�����|����!����p��8at�ڐ��4t��x��� ����%1��xw ��u���u ����ډ��y ����������p����!����$x���tԐ܃��8��%x�����4��4X���X�����������dX��t ܰ�4��5�����8T��8�����x��� ����������X�����4� �� ����0�����xW����ԃ����Z���U��x�|�����xw���w0��T�����ԃ���x����֟��x|�ڟ��1����tW�������u���8t�������4��4������������T����W��ZU��80��8��t0��t�����'������֗����z������������$0���x��4Ґ�x��t��X֠����'�������������t�����!����t�ʉ��40��0���������t���zt��8t���X���8��p$��p����w���4�����xT���������t�փ�0��8�������0����x�t��0���8�t������t���4����u�������'x�t��t�����4��x�������4�����zW����$|��4��58��������t����$!��80����t�������x���������� �8x���s���0���0�����8����Ҕ��4�����w���t0����!�����T���% ��4����t�!��$t�����V��������X������������� ��zW��x��X������W��5����40�0��x���%��$t���t������ ��x�$����8x������x��0xu!��u������t��8��8)�ҋ���x���W����x�ʃ����$���t����!����$֐�tt����������������$x7��WҒ���80��xu����X���Xt0�΂���9��˖#�ڋ��X4��x������Ґ��ԋ���8��������%���������x������Zu��40u��$���0�����W��Xt����^t��4���$�����\� �����Ґ��t��X����4x���������ʋ�����8��41�ֈ֒���8���4����x���9t0��9������%��4Vt0��t��X��������t������0�#����X����t��84#��$�������0��|�����t��4!��0����w��0����#�� �������X��ִ��X���W�����4tt0��0�������8�� ����|��4�����x����'B�����0������$�������X�0��^�����0��t�����t��x���0�ʔ��w���x������Z�����t���Ҕ!��0��$��Z���0������x�����Z40��4����t��^��x���Ԉ�0��u��xT�0��$��x����1��u��0��pV0��������x���8��0�����x�����7����x���!���1�ҋ������X�����������t����t��x�����"��!�ԈuĒ��ց�ڕ����XW������^(��z��8t��1��4���Z����t���������#��8V���$0��x������������҃�胗��%���x����T�0�Ԋ��%����t ����Z���4���U�փ��T ��48���������z��$\���0��t��zv����x����x��Ԕ�����X���Z���t0����:���#��8���Zu��x0�� ��0�����2��W��xt����t����xt���t��0�W ���������W�������4t��8�0��0�����u�֋������!����W����4�#��V ��dxt ������%�������t#����%���0x������t����tt�����^��t����'t����(t��%�����40u�������T������%x��0����������!���������8�T��������4�!����0���������� ��8u��������'�������t���8���x������%x���8��x���������u���t���� ����x��tT��V0��z������������4ܔ�� ��$Z��x��������t�����t#��W����x ���� ��x�!��xt ������V0��x�����x���|#��T���xt��8� ���4����!֬���4����u0��R֐�x����0��$x���t����U�����������x��t���t��4�1��x����������pt����1�ʋ���$���Zt��X��v��tڒ� ��8��0�����!��4!��W��0��%������V!�����#��$������0���T0�ڈ����8���ԃ��4p�t����u��!�֔�������t�����8t��5p�Ԕ�%x�!��!����!����x����t����$U��x��8�Ҕ����X�����$u��4���W�����p�tP������W����#��0�������x�u0��;z�����x���#��8����4��z��������8�����4�����%�"�ԃ���������x���t!��4��x ��x ��u��������5����!������X��$��x� �����$��������4��x���W��%8����tP����X���u0�����Z��x�����x ���40������8������0��������� ���0��%����u��0�%������zt��0���t#���������T����8���!������4v����'��0����T���$����� �����������x����V��X ���� ��%���0��$u�����������Z�ԋ0��x���ڋ����Z���%0j����x�������%p�����!��$���t�������8t��ʗ��0����0W����!������ԋ��xä��x�����4�֐�4t��!�����ԋ��tu�ċ40���֨t�����1�ʊ�֗�������%!�����Ԓ�T� ����$T������u0��$�����4x���Ҕ ��9Z��֋ ����9x��w0��4�����4x����t �҃����dV����1��������ֈV ��w��T����� ����xV�����$x������|��%T����������5X��4��������^��������8�����0����!��4xT��tu1�������Z��9^���X�0��4��������T����������!��8�t���֌�T��b��t���x� ��4��X����t����% ��W��W�����|��5� ��W���!��%�t��xt��&�Ԋ ����x��;t��ʐ������t0���0�Ҵ���W������������8Ґ���8T��%�����ԃ���Z��#���x�������% ��w%�����'������������x����0����!��������9T����u������t��x���40��X �����W��Z���t��1�����2���8���94��T0��u����t��$70�ڋ����x��tt��x4��������x��Ԑ�!�����4���u��Ɣ��8x�����xu��0t���T������Ð����$��4��pt��ZW�����4x���t0���!��x����� �����������$ ��0��t��t#��$t��5���x(������0�����xt��%xt��Ԑ�z������֐փ�ԕ��t���������������;�� ���������t ��$0��b���z���'��ċ������t�����1����u���ڤ�ʃ������V����U��ڃ��ԝ��������v!��t���������$T��0u��8����x���%������x�����������!�������!����x��$W��t�����T������4�����ڃ��xt��x���� ��t���������$������0u�������������x���!����� ��x���v�������t��8�����V��!��t����$�����t���8������ ��s����W��t ����T��8����u0��0�����t��4w1�������8����t0����V���u����8T������'8�t#��t��5T��x������!�����v���x�t��T�������0����X���t�ԋ0�����U���u!�����tt����� ��x��0�����ڃ��0����x��t�������W��x���60Ԑ����������������x��%������8x�!�����z!����8������0�����������b��8����t��0��4b���8���8������8�V��8x��� �����ҋ��W��Zt��%xVt��t��Ô����� �����t��Z��4x�։0��0x��x����t ��������x��u����4t��w�������������u����%��x���$��� ��x����!������������u��x|����z��'x�����xW���z������!����xW������4 ��x���4��������*����!��ZT�ڗ����$�w���T ��p��������x��x�w0����4��������x

Um... any ideas?

 

[AdamOutler]

As a note, I've tried all baud rates. Maybe minicom would be better.

We are expecting 8-1-N communications right?

 

[AdamOutler]

Just to verify everything is working properly... can anyone verify the proper setup for the serial communications so I can make sure I am actually communicating properly. I know I'm getting something, but I believe I am communicating at 5V rather then 3.3 and I don't know what that means for the validity of the data.

 

[js22]

I'm not sure what 'screen' is; prolly best to use minicom.

You def don't want to connect a 5V Tx to tour phone. Either leave it disconnected or use a voltage divider. Using too high a voltage can damage hardware.

Usuallly a 3.3V signal into a 5V input is okay, but best to check specs.

AFAIK all coms from phone are 8N1. Anything from PBL onwards is 115200 unless user software changes it.

The mode you're using makes the analog switch connect to UART 2 under normal kernel operation, but the kernel may not set up the UART (since nobody really uses serial). So it could just be noise on the line.

Sent from my SAMSUNG-SGH-I897 using XDA App

 

[js22]

I looked at the OM register after boot, using:
viewmem 0xe010e100 0x32 | busybox hexdump -C
(see back up the thread for link to viewmem).

It is set to 9, including the bottom crystal control bit, and doesn't change with various resistors on the USB port (working on the assumption that the USB port switch is hardwired to the OM register, so it should change even after boot).

But as far as I can see the RID_FM_BOOT_xxx_UART resistors are the only ones that make the PBL output the line about the OM register, so the PBL obviously thinks its important.

There are a couple of bytes output at boot before the PBL message, which are consistently read as 0x10, 0x31 at 115200, but the PBL boot message appears instantly afterwards so I think it's probably the PBL producing them.

Oops. missed this post somehow.

Interesting idea checking OM using viewmem.

I ran several more times today trying various button combos, bur I get the same two bytes :Ox10 and Ox31.

I even tried writing OxAA after every byte received, JIK.

I'm convinced this would work if we could get bit OM[5] set. Just don't see how to do it.

BTW, do you have +5V connected to micro-USB connector? I don't. Might be that the fsa chip takes that into account.( In addition to switching the D+/D- lines, it also is tied into controlling the power management system.)


Another Q : what is the diff betw the FM-BOOT-ON-UART and FM-BOOT-OFF-UART modes? I've only been using the former (619k) and only from powered off condition.

Sent from my SAMSUNG-SGH-I897 using XDA App

 

[TheBeano]

BTW, do you have +5V connected to micro-USB connector? I don't. Might be that the fsa chip takes that into account.( In addition to switching the D+/D- lines, it also is tied into controlling the power management system.)

I've tried the most obvious resistors with and without power on that pin. There isn't much difference except that 150K starts up automatically with power, without it you have to push the power button.

Another Q : what is the diff betw the FM-BOOT-ON-UART and FM-BOOT-OFF-UART modes?

All we know is that "ON" also triggers car dock mode, and "OFF" doesn't. The serial output seems to be the same either way.

 

[TheBeano]

Have gone a bit wider for help, here's hoping.

 

[AdamOutler]

I'm not sure what 'screen' is; prolly best to use minicom.

Screen is the defacto standard for communicating with a device. it brings the device directly to the terminal. I use it quite a bit for serial communications.

The mode you're using makes the analog switch connect to UART 2 under normal kernel operation, but the kernel may not set up the UART (since nobody really uses serial). So it could just be noise on the line.

Sent from my SAMSUNG-SGH-I897 using XDA App

It's not noise for sure. That log above was recorded over a period of 1 hour. I can watch the lights light up on my rx/tx on my arduino and it happens when my device is plugged in once per second.

Here is the initial sketch I came up with for Arduino communication

void setup() {
  // initialize both serial ports:
  Serial.begin(115200);
  Serial1.begin(115200);
}

void loop() {
  // read from port 1, send to port 0:
  if (Serial1.available()) {
    int inByte = Serial1.read();
    Serial.print(inByte, BYTE); 
  }
  // read from port 0, send to port 1:
  if (Serial.available()) {
    int inByte = Serial.read();
    Serial1.print(inByte, BYTE);     
  }
}

Maybe I should look at defining what a byte is to the serial interperater on my arduino.. possibly looking at 7n2..... Dunno. I'll keep working on it.

 

[zedgar]

Great work by you guys on this topic.


I'm on the vibrant and I can confirm that the 619k with a jig works to boot up the phone.

What is odd, is that I got it to boot into download mode the first time. Now every time I attach the resistors, I just boots up the phone normally. This also happens sometimes when I use 301k. Is that normal?

 

[AdamOutler]

Ya its normal. This thread is more for software communications. Check out the fun with resistors thread for information on using resistors to access different modes. We are primarily looking at ways to trigger communications without download mode or in other words... when the phone gets bricked.

Does anyone have a brick we can play with?

 

[androcheck]

Hi!

I was diving into this thread yesterday and am following your thinking paths closely since then! Nice work, I am really excited!

So do you agree that if OM{5..0} = 0x29, that the shifted value is 0x14, and that r8 gets set to 0x10 ? Then code goes to UART ?

Yes, I see it the same way.

It even hasn't to be exactly 0x29. As already outlined by TheBeano it seems that every OM value from 0x20 to 0x2F will result in register r8 be set to 0x10 (which should result in UART boot).

The two compare operations at d0005a94 and d0005a9c jump to the "om setting error" label if the (shifted) value is less-or-equal than 0x0f (00001111) or greater-or-equal than 0x18 (00011000). For every other value the "default case" in d0005aa4 sets register r8 to 0x10.

So in other words, before the shifting takes place this would mean that every value for OP:
0010 0000 <= OP <= 0010 1111
would do the trick.

And this perfectly matches the description in Table 6-3 (OM pin settings) of the manual where we see that only the two pins OM[5] and OM[4] need to be 1 and 0 (to boot from UART first).

So that confirms what we saw already in the manual.


The missing link:

So if I understand this correctly, we are missing the following information:

How can we trick the phone to get the pins OM[5] and OM[4] set to these values during power on (if it is possible at all).

The current approaches we have are, trying different resistor values for the FSA9480 USB switch and/or pressing some buttons during power-on. Or is there anything else we can do to influence the initialization?

Did I understand this correctly?

 

[js22]

Hi!

So if I understand this correctly, we are missing the following information:

How can we trick the phone to get the pins OM[5] and OM[4] set to these values during power on (if it is possible at all).

The current approaches we have are, trying different resistor values for the FSA9480 USB switch and/or pressing some buttons during power-on. Or is there anything else we can do to influence the initialization?

Did I understand this correctly?

Yeah, that seems to be where we are stuck. The only encouragement is that we know it is possible.

 

[TheBeano]

The current approaches we have are, trying different resistor values for the FSA9480 USB switch and/or pressing some buttons during power-on. Or is there anything else we can do to influence the initialization?

Yes that is a good summary. We are working on the theory that this schematic from the service manual shows a signal going from the FSA9480 BOOT pin to a signal named BOOT_MODE, which in any sane world would go the the chip's OM5 pin. But we don't have the full schematic to prove it, and we don't have the internal details of the FSA9480 to show how that pin gets triggered. You would think it would be the resistors with BOOT_ON in their names (like RID_FM_BOOT_ON_UART), but apparently not.

 

[AdamOutler]

There's still lots of untested items.

I know only 7 of these 12 pins are used in jtag.. the rest are unknown.

I took this picture while getting measurements on the jtag port

These pins are used for loading firmware with JTAG method. Possible that jumpering one of these may set the signals we require?

 

[midas5]

Hi!

How can we trick the phone to get the pins OM[5] and OM[4] set to these values during power on (if it is possible at all).

The current approaches we have are, trying different resistor values for the FSA9480 USB switch and/or pressing some buttons during power-on. Or is there anything else we can do to influence the initialization?

Would getting the phone into a mode that displays this [see attachment] help to maybe get OM[5] set?

One method to get there, is do a heimdall dump and press CTRL-C half way through. NOTE: You need the 301k jig to undo it so do not try until you have the jig.

 

[midas5]

Other ideas to look into (used on other chip types, so might not work here.):
1)
"The UART interface is capable of resetting the chip upon reception of a break signal. A break is identified by a continuous logic low (0V) on the UART_RX terminal."
I.e, trying to send a break signal to the UART at power on might help.
2)
"I could not get the bootloader to connect without adding an external pull-up on USB_DP."
I.e. A resistor on the USB_DP pin to pull it up to 3.3V

 

[midas5]

Yes that is a good summary. We are working on the theory that this schematic from the service manual shows a signal going from the FSA9480 BOOT pin to a signal named BOOT_MODE, which in any sane world would go the the chip's OM5 pin. But we don't have the full schematic to prove it, and we don't have the internal details of the FSA9480 to show how that pin gets triggered. You would think it would be the resistors with BOOT_ON in their names (like RID_FM_BOOT_ON_UART), but apparently not.

Yes, getting FSA9480 BOOT_MODE set should do the job. OM5 is labeled "Boot Mode" after all.
The FSA9280A.PDF mentions a "Factory Mode", but unfortunately does not include the pages on how to get into factory mode.
It does mention "Detects Factory Mode Cables".
I expect it might be a un-documented resistor value.
The FSA9280A.PDF lists:
Accessories:
Headsets
(Headphone/MIC/Remote)
USB Data Port
Accessory Detection
UART Serial Link
USB Chargers (Car-Kit, CDP, DCP)
Factory-Mode
TTY Converter

Of which, factory-mode looks the most useful.

 

[TheBeano]

Would getting the phone into a mode that displays this [see attachment] help to maybe get OM[5] set?

One method to get there, is do a heimdall dump and press CTRL-C half way through. NOTE: You need the 301k jig to undo it so do not try until you have the jig.

Once that is on the screen you are already in the secondary bootloader, which is complaining that it can't load the operating system. If the CPU boot mode was triggered you wouldn't see anything on the screen. I guess the bootloaders could have some code to go back to the CPU's recovery mode, but that wouldn't really help us for the problem we're trying to solve, which is a bricked phone that doesn't have working bootloaders.