UART Output/ Bootloader hacking/ Kernel Debugging on AT&T SGS2

AdamOutler

Hey, one of my buddies got an SGS2. I was able to play with it for a bit. I sterilized the serial numbers. This was recorded on Linux, then transferred to Windows, so the formatting was off. I had to use some Microsoft Word regex in order to get it to format right.

Here are the full UART logs:
http://pastebin.ubuntu.com/715171/
http://pastebin.ubuntu.com/715182/

Here's a single boot log
Code:
Welcome to Samsung Primitive Bootloader.
build time: Aug 27 2011 04:53:51
current time: f4/f/4 3f:69:11
[set_mmc_ocr] Sector Mode
[hsmmc_init] MMC card is detected
Product Name : VYL00M
<display_card_info:1009> ext_csd
<display_card_info:1011>card_size: 15028
 Total Card Size: 15029 MByte
mmc_init: card initialization completed!
pbl found bootable sbl in #49152.
jump to sbl 0x4d400000.

Secondary Bootloader v3.1 version.
Copyright (C) 2011 System S/W Group. Samsung Electronics Co., Ltd.
Board: C1 REV 02 / Aug 27 2011 04:53:57
current time: f4/f/4 3f:69:11
booting code=0x0
[set_mmc_ocr] Sector Mode
[hsmmc_init] MMC card is detected
Product Name : VYL00M
CID:150100 56594c30 304d1926 b2473a8e
<display_card_info:1040> ext_csd
<display_card_info:1042>card_size: 15028
 Total Card Size: 15029 MByte
 Total Sector Count: 30777344
MoviNand Initialization Complete!

===== PARTITION INFORMATION =====
 ID         : GANG (0x0)
 DEVICE     : MMC
 FIRST UNIT : 0
 NO. UNITS  : 0
=================================
 ID         : BOOT (0x1)
 DEVICE     : MMC
 FIRST UNIT : 0
 NO. UNITS  : 0
=================================
 ID         : EFS (0x4)
 DEVICE     : MMC
 FIRST UNIT : 8192
 NO. UNITS  : 40960
=================================
 ID         : SBL1 (0x2)
 DEVICE     : MMC
 FIRST UNIT : 49152
 NO. UNITS  : 2560
=================================
 ID         : SBL2 (0x3)
 DEVICE     : MMC
 FIRST UNIT : 53248
 NO. UNITS  : 2560
=================================
 ID         : PARAM (0x5)
 DEVICE     : MMC
 FIRST UNIT : 57344
 NO. UNITS  : 16384
=================================
 ID         : KERNEL (0x6)
 DEVICE     : MMC
 FIRST UNIT : 73728
 NO. UNITS  : 16384
=================================
 ID         : RECOVERY (0x7)
 DEVICE     : MMC
 FIRST UNIT : 90112
 NO. UNITS  : 16384
=================================
 ID         : CACHE (0x8)
 DEVICE     : MMC
 FIRST UNIT : 106496
 NO. UNITS  : 512000
=================================
 ID         : MODEM (0x9)
 DEVICE     : MMC
 FIRST UNIT : 618496
 NO. UNITS  : 32768
=================================
 ID         : FACTORYFS (0xa)
 DEVICE     : MMC
 FIRST UNIT : 651264
 NO. UNITS  : 1048576
=================================
 ID         : DATAFS (0xb)
 DEVICE     : MMC
 FIRST UNIT : 1699840
 NO. UNITS  : 4194304
=================================
 ID         : UMS (0xc)
 DEVICE     : MMC
 FIRST UNIT : 5894144
 NO. UNITS  : 23826432
=================================
 ID         : HIDDEN (0xd)
 DEVICE     : MMC
 FIRST UNIT : 29720576
 NO. UNITS  : 1048576
=================================
loke_init: j4fs_open..success
<start_checksum:1033>CHECKSUM_HEADER_SECTOR :42
<start_checksum:1035>offset:42, size:1024
Not Need Movinand Checksum
load_lfs_parameters valid magic code and version.
switch_sel_str='6543 '
load_debug_level: read debug level successfully(0x574f4c44)...LOW
init_ddi_data: usable ddi data.
init_fuel_gauge : not por status
fuel_gauge_get_version: [1]=0, [0]=92
init_fuel_gauge: vcell = 3848 mV, vfocv = 3915 mV, soc = 66 
init_fuel_gauge : check s/w reset (20000000) : use wide tolerance
microusb_get_attached_device: STATUS1:0x3d, 2:0x40
6308 = (382800 - 337808)*14022/100000
[3] 388426 = (6308 * 100000) / 11164 + 331923
init_microusb_ic: MUIC: CONTROL1:0x1b
init_microusb_ic: MUIC: CONTROL1:0x1b
init_microusb_ic: MUIC: CONTROL2:0x3a
init_microusb_ic: MUIC: CONTROL2:0x3a
reading nps status file is successfully!.
nps status=0x504d4f43
PMIC_IRQSRC  = 0x2 
PMIC_IRQ1    = 0x33 
PMIC_IRQ2    = 0x1b 
PMIC_IRQ3    = 0x3 
PMIC_IRQ4    = 0x11 
PMIC_STATUS1 = 0x2 
PMIC_STATUS2 = 0x17 
PMIC_STATUS3 = 0x3 
PMIC_STATUS4 = 0x2 
bootloader base address=0x4d400000
LPDDR0 1st. cached=0x40000000, size=0xe400000
LPDDR0 non-cached=0x4e400000, size=0xa00000
LPDDR0 2nd. cached=0x4ee00000, size=0x1200000
RST_STAT = 0x20000000
get_hwrev() = 14
board_process_platform: MAGIC 0 at 40000000!
microusb_get_attached_device: STATUS1:0x3d, 2:0x40
microusb_get_attached_device: STATUS1:0x3d, 2:0x40
microusb_get_attached_device: STATUS1:0x3d, 2:0x40
microusb_get_attached_device: STATUS1:0x3d, 2:0x40
hw_pm_status: jig_status = 1, chg_status = 0
DISPLAY_PATH_SEL[MDNIE 0x1]is on
div:2, FB_SOURCE_CLOCK:667000000, FB_PIXEL_CLOCK:25067520
MDNIE setting Init start!!
vsync interrupt is off
video interrupt is off
[fb0] turn on
MDNIE setting Init end!!
Autoboot (0 seconds) in progress, press any key to stop 
boot_kernel: debug level low!
checkbit: find RECOVERY
checkbit (0)
......ATAG_CORE: 5 54410001 0 0 0
MEMCONFIG: 20e01323 20e01323
ATAG_MEM: 4 54410002 10000000 40000000
ATAG_MEM: 4 54410002 10000000 50000000
ATAG_MEM: 4 54410002 10000000 60000000
ATAG_MEM: 4 54410002 10000000 70000000
ATAG_SERIAL: 
ATAG_REVISION: 3 54410007 e
ATAG_CMDLINE: 39 54410009 'loglevel=4 console=ttySAC2,115200 sec_debug.enable=0 sec_debug.enable_user=0 c1_watchd
ATAG_NONE: 0 0
Starting kernel at 0x40008000...
Uncompressing Linux... done, booting the kernel.
[    0.000000] s3c_register_clksrc: clock armclk has no registers set
[    0.000000] mout_audss: bad source 0
[    0.000000] mem infor: bank0 start-> 0x40000000, bank0 size-> 0x10000000
[    0.000000] bank1 start-> 0x50000000, bank1 size-> 0x10000000
[    0.000000] CMA reserve : pmem, addr is 0x4fc00000, size is 0x400000
[    0.000000] CMA reserve : pmem_gpu1, addr is 0x4f800000, size is 0x400000
[    0.000000] CMA reserve : pmem_adsp, addr is 0x4f47c000, size is 0x384000
[    0.000000] CMA reserve : fimd, addr is 0x4f17c000, size is 0x300000
[    0.000000] CMA reserve : mfc0, addr is 0x4cd7c000, size is 0x2400000
[    0.000000] CMA reserve : mfc1, addr is 0x4a97c000, size is 0x2400000
[    0.000000] CMA reserve : fimc0, addr is 0x4a47c000, size is 0x500000
[    0.000000] CMA reserve : fimc1, addr is 0x4967c000, size is 0xe00000
[    0.000000] CMA reserve : fimc2, addr is 0x47e7c000, size is 0x1800000
[    0.000000] CMA reserve : fimc3, addr is 0x4777c000, size is 0x700000
[    0.000000] CMA reserve : srp, addr is 0x4767c000, size is 0x100000
[    0.000000] CMA reserve : jpeg, addr is 0x4627c000, size is 0x1400000
[    0.000000] CMA reserve : fimg2d, addr is 0x45a7c000, size is 0x800000
[    0.000000] CMA reserve : (null), addr is 0x45a7c000, size is 0x0
[    0.000000] (sec_debug_set_upload_magic) 66262564
[    0.000000] (sec_debug_set_upload_cause) cafebabe
[    0.121650] s5pv310_subrev: 1
[    0.166379] ram_console: invalid start 0 or end 0
[    0.251103] max8997 5-0066: max8997_irq_init: fail to read PMIC ID(-6)
[    0.648050] [TSP] family = 0x81, variant = 0x1, version = 0x10, build = 170
 

AdamOutler

Partition information
Code:
===== PARTITION INFORMATION =====
 ID         : GANG (0x0)
 DEVICE     : MMC
 FIRST UNIT : 0
 NO. UNITS  : 0
=================================
 ID         : BOOT (0x1)
 DEVICE     : MMC
 FIRST UNIT : 0
 NO. UNITS  : 0
=================================
 ID         : EFS (0x4)
 DEVICE     : MMC
 FIRST UNIT : 8192
 NO. UNITS  : 40960
=================================
 ID         : SBL1 (0x2)
 DEVICE     : MMC
 FIRST UNIT : 49152
 NO. UNITS  : 2560
=================================
 ID         : SBL2 (0x3)
 DEVICE     : MMC
 FIRST UNIT : 53248
 NO. UNITS  : 2560
=================================
 ID         : PARAM (0x5)
 DEVICE     : MMC
 FIRST UNIT : 57344
 NO. UNITS  : 16384
=================================
 ID         : KERNEL (0x6)
 DEVICE     : MMC
 FIRST UNIT : 73728
 NO. UNITS  : 16384
=================================
 ID         : RECOVERY (0x7)
 DEVICE     : MMC
 FIRST UNIT : 90112
 NO. UNITS  : 16384
=================================
 ID         : CACHE (0x8)
 DEVICE     : MMC
 FIRST UNIT : 106496
 NO. UNITS  : 512000
=================================
 ID         : MODEM (0x9)
 DEVICE     : MMC
 FIRST UNIT : 618496
 NO. UNITS  : 32768
=================================
 ID         : FACTORYFS (0xa)
 DEVICE     : MMC
 FIRST UNIT : 651264
 NO. UNITS  : 1048576
=================================
 ID         : DATAFS (0xb)
 DEVICE     : MMC
 FIRST UNIT : 1699840
 NO. UNITS  : 4194304
=================================
 ID         : UMS (0xc)
 DEVICE     : MMC
 FIRST UNIT : 5894144
 NO. UNITS  : 23826432
=================================
 ID         : HIDDEN (0xd)
 DEVICE     : MMC
 FIRST UNIT : 29720576
 NO. UNITS  : 1048576
=================================
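
Added example (not part of the original posts): a parser for the SBL partition dump above that converts units to byte offsets and reports gaps, overlaps and entries that run past the end of the device. It assumes one unit is a 512-byte sector, which is consistent with the boot log (30777344 sectors x 512 B = 15028 MiB); `parse`, `layout_issues` and the three-entry excerpt are illustrative.

```python
import re

SECTOR = 512  # assumption: 1 unit = 512 B (30777344 units * 512 B = 15028 MiB, as logged)

# Excerpt of the partition dump above: three of the fourteen entries.
SAMPLE = """\
 ID         : EFS (0x4)
 DEVICE     : MMC
 FIRST UNIT : 8192
 NO. UNITS  : 40960
=================================
 ID         : SBL1 (0x2)
 DEVICE     : MMC
 FIRST UNIT : 49152
 NO. UNITS  : 2560
=================================
 ID         : SBL2 (0x3)
 DEVICE     : MMC
 FIRST UNIT : 53248
 NO. UNITS  : 2560
=================================
"""

ENTRY = re.compile(r"ID\s*:\s*(\w+) \((0x[0-9a-f]+)\)\s+DEVICE\s*:\s*\w+\s+"
                   r"FIRST UNIT\s*:\s*(\d+)\s+NO\. UNITS\s*:\s*(\d+)")

def parse(log):
    """Return partition entries sorted by start sector, with byte offsets."""
    parts = [{"name": m[1], "id": int(m[2], 16), "start": int(m[3]),
              "count": int(m[4]), "offset": int(m[3]) * SECTOR,
              "size": int(m[4]) * SECTOR} for m in ENTRY.finditer(log)]
    return sorted(parts, key=lambda p: p["start"])

def layout_issues(parts, total_sectors):
    """Report gaps, overlaps and entries that run past the end of the device."""
    issues, prev_end, prev = [], 0, None
    for p in parts:
        if p["count"] == 0:   # GANG and BOOT are listed with zero units
            continue
        end = p["start"] + p["count"]
        if p["start"] < prev_end:
            issues.append(("overlap", prev, p["name"], prev_end - p["start"]))
        elif p["start"] > prev_end:
            issues.append(("gap", prev, p["name"], p["start"] - prev_end))
        if end > total_sectors:
            issues.append(("past_end", prev, p["name"], end - total_sectors))
        prev_end, prev = max(prev_end, end), p["name"]
    return issues
```

Calling `layout_issues(parse(SAMPLE), 30777344)` with the "Total Sector Count" from the boot log reports the 8192 sectors before EFS and a 1536-sector gap between SBL1 and SBL2.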
 

AdamOutler

SBL Commands
Code:
Following commands are supported:
* movichk
* setenv
* saveenv
* printenv
* help
* reset
* boot
* kernel
* loadpart
* loadkernel
* erasepart
* format
* open
* close
* eraseall
* showpart
* addpart
* delpart
* savepart
* nkernel
* nandread
* nandwrite
* usb
* crc
* log
* sud
* upload
* emmc
* keyread
* readadc
* mmctest
* usb_read
* usb_write
* fuelgauge

There are some new ones in this 3.1 version of Samsung SBL:

* crc
* log
* sud
* upload
* emmc

I think Upload allows a dump of all partitions. Also, Keyread allows testing of button presses: Volume - = 0, Volume + = 1, Power = 2.
 

AdamOutler

I couldn't get a FULL debug log in the time I had, but I managed to get some kernel output.

Code:
Starting kernel at 0x40008000...
Uncompressing Linux... done, booting the kernel.
[    0.000000] s3c_register_clksrc: clock armclk has no registers set
[    0.000000] mout_audss: bad source 0
[    0.000000] mem infor: bank0 start-> 0x40000000, bank0 size-> 0x10000000
[    0.000000] bank1 start-> 0x50000000, bank1 size-> 0x10000000
[    0.000000] CMA reserve : pmem, addr is 0x4fc00000, size is 0x400000
[    0.000000] CMA reserve : pmem_gpu1, addr is 0x4f800000, size is 0x400000
[    0.000000] CMA reserve : pmem_adsp, addr is 0x4f47c000, size is 0x384000
[    0.000000] CMA reserve : fimd, addr is 0x4f17c000, size is 0x300000
[    0.000000] CMA reserve : mfc0, addr is 0x4cd7c000, size is 0x2400000
[    0.000000] CMA reserve : mfc1, addr is 0x4a97c000, size is 0x2400000
[    0.000000] CMA reserve : fimc0, addr is 0x4a47c000, size is 0x500000
[    0.000000] CMA reserve : fimc1, addr is 0x4967c000, size is 0xe00000
[    0.000000] CMA reserve : fimc2, addr is 0x47e7c000, size is 0x1800000
[    0.000000] CMA reserve : fimc3, addr is 0x4777c000, size is 0x700000
[    0.000000] CMA reserve : srp, addr is 0x4767c000, size is 0x100000
[    0.000000] CMA reserve : jpeg, addr is 0x4627c000, size is 0x1400000
[    0.000000] CMA reserve : fimg2d, addr is 0x45a7c000, size is 0x800000
[    0.000000] CMA reserve : (null), addr is 0x45a7c000, size is 0x0
[    0.000000] (sec_debug_set_upload_magic) 66262564
[    0.000000] (sec_debug_set_upload_cause) cafebabe
[    0.121650] s5pv310_subrev: 1
[    0.166379] ram_console: invalid start 0 or end 0
[    0.251103] max8997 5-0066: max8997_irq_init: fail to read PMIC ID(-6)
[    0.648050] [TSP] family = 0x81, variant = 0x1, version = 0x10, build = 170
 

othermark

Would be interesting to see the logs from a boot with the flash counter incremented (yellow triangle) to see if it's logged and what it's keying on.
 

pokey9000

Yay, I'm the first dumbass to brick his I777. Kids, don't run the "emmc" command.

FWIW, when USB is connected and battery plugged in, I get this device:

Bus 001 Device 011: ID 04e8:1234 Samsung Electronics Co., Ltd

Which ModeDetect says is Unbrickable Debug mode...
 

XorZone

Ah, I thought for a second I misclicked the forum and came to the Captivate one.

Happy to see you here, hope you will get your own attsgs2.

Thanks for spending time and sharing findings!

 

AdamOutler

Jig will reset it too - or will UART reset it even on the J2 bootloaders?
pokey9000 said:
> Yay, I'm the first dumbass to brick his I777. Kids, don't run the "emmc" command.
>
> FWIW, when USB is connected and battery plugged in, I get this device:
>
> Bus 001 Device 011: ID 04e8:1234 Samsung Electronics Co., Ltd
>
> Which ModeDetect says is Unbrickable Debug mode...

Yeah. So, you should try the SMDK Upload Tool. This is good. This means you've established that UnBrickable Mod is possible on this device.

Now I need one for teardown.

Is it dead bricked? Remove the battery and hold power for 10 seconds, then put the battery back in and hold it for 10 seconds. It should turn on normally.
 

AdamOutler

Yeah. Nothing seems to bring it to life. Here's trying to send HIBL. It hangs after this. I didn't expect it to work...

$ ./smdk-usbdl -f HIBL.bin -a d0020000
SMDK42XX,S3C64XX USB Download Tool
Version 0.20 (c) 2004,2005,2006 Ben Dooks <[email protected]>

S3C64XX Detected!
=> found device: bus 001, dev 018
=> loaded 24576 bytes from HIBL.bin
=> Downloading 24586 bytes to 0xd0020000
=> Data checksum 5d9c
That's what happens when it tries to upload a larger file than memory can handle.

The HIBL is a Hummingbird Interceptor BootLoader. We could use an Exynos interceptor bootloader.

Let me contact Rebellos and get him in here. That Polish Hairy Potter can probably wave his magic wand over a memory dump and have it doing the hokey-pokey. He is busy and recovering from a serious loss while trying to get his device into the mode which your device is in currently... he could probably use some donations.

We will need someone with a working device to do a memory dump...
 

Rebellos

1a) I need a few different bootloader images from I9100 and similar SGS2 series models (I777 or whatever it is called, e.g.), can you guys post these here?
1b) If you notice some weird files in ROM releases, like *.elf - post these too! These are very helpful in reversing stuff. Samsung released these for S8500 and S8530 bootloaders, so there is also a chance here.

2) If anybody has got a rooted Exynos-based device and some know-how about using SU functions - I need an iROM dump.
The procedure should be 99% the same as the one here: http://blog.maurus.be/index.php/2011/01/samsung-i9000-irom-dump/
Just grab the viewmem ARM binary http://blog.maurus.be/wp-content/uploads/viewmem and use the script posted there. With a small modification!

Instead of
/tmp/viewmem 0xD0000000 0x10000 > /sdcard/iromdump
try
/tmp/viewmem 0x00000000 0x10000 > /sdcard/iromdump
If it doesn't work, then try this:
/tmp/viewmem 0x02000000 0x10000 > /sdcard/iromdump_mirror
One/both of these should produce a 64KB iROM image.


3) WANTED:
- newer manual than this one: https://dl.dropbox.com/u/36177984/SEC_Exynos4210_pulbic_manual_Ver.0.00.01.pdf (we don't know if it does exist)
- Exynos 4210 Application Notes
- Exynos 4210 Secure Booting Guide
And so on.

Thank you.
Don't fear the reaper.


//edit:
Also SGS2 series seems to be more unbrickable than SGS, I bet PBL has got functionality to boot from SD card. I don't see other reason why PBL would mount it before trying to look for SBL.

Welcome to Samsung Primitive Bootloader.
build time: Aug 27 2011 04:53:51
current time: f4/f/4 3f:69:11
[set_mmc_ocr] Sector Mode
[hsmmc_init] MMC card is detected
Product Name : VYL00M
<display_card_info:1009> ext_csd
<display_card_info:1011>card_size: 15028
Total Card Size: 15029 MByte
mmc_init: card initialization completed!
pbl found bootable sbl in #49152.
jump to sbl 0x4d400000.
Disassembly will show.
 

pokey9000

I'm going to see about getting a replacement tomorrow as this is my daily driver. So I won't have it around to test anything. However, once I'm up and running again I'll try to get iROM dumped.

Meanwhile, tonight I'll see if I can fuse a 9100 PBL and SBL (they're supposed to be mostly compatible) to a microsd and test the external SD boot theory.

edit:

Hmm, looks like the fusing tool needs a monolithic PBL and SBL. My attention span for reading Google translated Korean forums is shot.

That's probably not necessary anyway, because I think the confusion here over "emmc" is due to the SGS2 using eMMC (embedded MMC) for the boot device as opposed to the i9000 which boots off of parallel oneNAND. The SGS2 is always booting off of MMC, it just happens that it's soldered down.
 