UART Output/ Bootloader hacking/ Kernel Debugging on AT&T SGS2

[Entropy512]

can't help. Wrong device forum. Different processor.

What do you mean, different processor? The Galaxy Note has the exact same CPU (Exynos 4210) as the I9100/I777, just binned at a slightly higher frequency. Architecturally it's almost identical. The bootloader software setup is nearly identical too. In fact the Cyanogenmod team is building kernels for all three devices off of the same kernel source base.

(I don't know if you noticed, but since he's not from North America, Xplodwild has a real Note with an Exynos and not the North American abomination with a Snapdragon.)

Xplod: I don't know about others, but a device with a working PBL and not SBL is not something I've seen before. Although I guess this wouldn't surprise me, considering that PBL/SBL don't seem to have the close linkage they did with Hummingbird devices, considering that people routinely flash SBLs without changing PBL, and that was a guaranteed brick on most Hummingbirds.

 

[AdamOutler]

Alright guys. It's been a while, but there's some interesting news to speak of.. While the USB UnBrickable Mod on this device has been showing no promise, we have a new angle to explore. Josh over at mobiletechchvideos.com has been resurrecting Galaxy s1 devices with a bad sdcard by simply removing it. He came up with a totally similar idea for the GS2... however removing thr emmc may be a bad idea.. we need to change the boot modes.

If this method works, any EMMC bricks can be operational in a slightly different way than before.

Idea
Here's the idea, booting entirely from External SDCard on the Galaxy S2.

Plan
Here's the plan. We can obtain an initial firmware from an operational device

1. with the following command:

   dd if=/dev/block/mmcblk0 of=/sdcard/emmc.img bs=4096

2. Then grab that emmc image and copy it to your LINUX desktop computer.
3. Next, grab an SDCard, insert it into the desktop, then type the following:

   dd if=emmc.img of=/dev/sd*MySDCard* bs=4096

   where *MySDCard* is your device.. EG.. /dev/sdc, /dev/sdb
4. Insert this into an unbootable device

Background Information
Now, what's left is we must locate UnBrickable Mod for SDCard...
Here are the XOM mappings.. In this image:

• Green represents ground or digital low.
• Red represents voltage, or digital high.
• PurplePink represents signal lines to the processor
• Blue is the labels for the XOM pins I have mapped out.

There absolutely *IS* a combination of XOM pins which will cause the device to boot from SDCard. We must now locate them. The only problem we have is that while I've mapped out each of the XOM pins, we don't have a theory-of-operation map for the Exynos processor (chapter 18 is missing from our manual).

Techniques

The black squares on the XOM areas are the resistors. they link the Low or High signals to the pink/purple signal areas on the board. We must modify these signals to allow the device to boot from SDCard.

The mappings for these 5 resistors are by default:
XOM1 Low
XOM2 Low
XOM3 High
XOM4 Low
XOM5 Low

This leaves a total of 5^2-1 (24) combinations to test. However, one of these pins surely reverses the boot sequence to allow the device to boot first from UART/USB first instead of last so that means it will likey only take 12 tries. It's also likely that booting from external SD is a default option, so maybe only a single signal line will require modification.


Testing
In order to test, create the SDCard as mentioned above, then drop a bead of solder to bring the Low pink lines to become High pink lines using the image above as a reference, then insert the battery and turn on the device. That's all there is to it!


I do not have an i777. My wife does and I cannot modify it. I need some help testing this theory.

 

[connexion2005]

You may also obtain the firmware by placing an sdcard directly into the device you are getting it from and using this command from CWM recovery.

dd if=/dev/block/mmcblk0 of=/dev/block/mmcblk1

Where mmcblk0 equals internal EMMC sdcard and mmcblk1 equals the sdcard in the external sdcard slot. This has been verified via parted using the print command to 100% replicate the internal data to the external card. This means that now, we must find a way to have the CPU look directly at the external card as if it were the internal EMMC. In this manner, theoretically, it should boot from the external card.

 

[E:V:A]

Summary + Update + Uboot code

Oooh man, it's very confusing to follow well over 60 (similar) threads over
time. So let's try to summarize what we have in this case.

Ok, so far we have figured out that the Exynos-4210 is using 7-pins
(registers) for determining the processor Boot Modes by the use of the OM
(Operational Mode) register, which give its name to the XOM pins. This also
shown in the "Chip ID" section (3.2) of the Exynos Processor User's Manual.
Here is a picture of that.

(Exynos 4210 User's Manual)

In that table, it says that the OP_MODE is determined by "XOM[7:0]", however
this must be a typo since there is no XOM7 pin on the CPU pin assignments as
show in the GT-I9100 Service Manual (p.93) for chip "UPC400".

Then Adam confirmed that some of the pins are hardwired as follows:

[SIZE=2]Pin     Name    Defualt         GPIO    Function
-----------------------------------------------------------
K2      XOM0    ?                       ? XTAL or Tflash?
K4      XOM1    Low                     Device:b1
J3      XOM2    Low                     Device:b2
J2      XOM3    High                    Device:b3
J5      XOM4    Low                     ? --> Device:b4 ?
J4      XOM5    Low                     ? 
K3      XOM6    ?                       ?
[/SIZE]

Pins marked with "?" was not found/documented.

@Adam: Can you confirm/check these? I'll update this post when you do.

Now if we gonna do some more educated guessing, instead of testing everything,
I'd like to propose the following guess, based on our experience with the
pre-decessor's processor Boot Modes of the S5PC110 (SGS-1). In that processor
we have only 6-pins (OM0..OM5) which were mapped to the input GPIO registers
ETC1[0..5].

Now, looking at the old picture below, we see that the actual boot devices
were determined by pins OM1-OM3. And as stated in the s5pc110 manual "It also
decides the device options such as bit width, wait cycles, page sizes, and ECC
modes." It further states: "USB booting is provided for system debugging and
flash reprogramming, not for normal booting. Hence, it is selected by toggling
OM[5:4] pin to "2’b10" without considering other OM pin values."

Now, that last sentence, taken in consideration with the JIG resistor values
as specified here, may be key for understanding how to boot from USB.
Basically, and so far, we have only been using the 523/619K values which are
designated for UART Factory Modes. We should instead try to use the 255/301K
values which are specified as USB Factory Modes. For this to work, we probably
also need to connect the USB VBUS (pass-through) and possibly also disconnect
our serial as stated in the s5pc110 manual shown. This lead me once again to
believe that we do not need a serial converter for getting the boot/kernel
logs etc. But that it should be enough to to have the correct (FTDI ?) serial
drivers installed on your PC, to be able to connect your terminal to virtual
serial over COM port. (All level-shifting should be taken care of automatically
by the mobile device.)

The S5PC110 OM pins (p.470):

[SIZE=2]Pin     Function
---------------------------------------
XOM0    XTAL (0=? , 1=USB)
XOM1    Device:b1
XOM2    Device:b2
XOM3    Device:b3
XOM4    IROM
XOM5    MODE
---------------------------------------
Where XOM[4:5] are a combination pair:
00 = normal
01 = normal
10 = "1st Boot UART then USB"
[/SIZE]

Here's the picture:

(S5PC110 User's Manual, p.471)

The S5PV310 Boot Modes

On the Origen S5PV310 EVB CPU mainboard schematics, there are 7 pins,
XOM[0-6], where the XM0 is fixed to 3V3 and XOM6 to GND, and the others are
set by a DIP switch.

(Origen S5PV310 EVB schematics)

Similarly from another suspect Odroid A4 schematics, we have:

(in here)

with the resulting set:

[SIZE=2]Pin     Defualt 
----------------
XOM0    <not shown>     
XOM1    0
XOM2    1       
XOM3    0       
XOM4    0       
XOM5    <not connected> 
XOM6    <not shown>     
[/SIZE]

We know this device does boot from SD, but not USB. (Need verification!)

My Two Guesses

1) If the follow-up processor allows for more boot devices or functions, that
new register/pin should be added after OM3, and possibly before OM4, in order
to maintain iROM boot compatibility. (Thus left-shifting OM4 to OM5 etc..)
However, this processor is more advanced, so we can only speculate as to what
they do.

2) My second guess is about what that extra XOM pins does. That it would
determine additional boot devices seem very unlikely from both inspection of
the Uboot code below, and common sense since after iROM has passed booting to
another boot loader (BL1 etc), you can boot anything you like. But since I have no idea
if this code is the same as in our firmware there could easily be other
devices to boot from, although unlikely. More likely is that this pin is one
of:

a) used to connect to to something external,
b) used to determine the CPU core to boot from,
c) used to select/enable some secure CPU mode, RAM type, boot mode or debug interface (JTAG SW, DAP etc)
d) not used at all.

The Uboot Assembly Code

As have been mentioned elsewhere Samsung uses a minimized (?) Uboot image
for their iROM loaders. Thus you can just go check around in the Uboot sources,
for something that suit your processor and configuration. I downloaded the
uboot_22_mar_2012.tar and found the following assembly code in the file:

../uboot/board/samsung/smdkv310/lowlevel_init.S

Basically all the Boot Mode detection is happening right here, in the
subroutine called "read_om". I have edited out some comments for readability.
Now we just need to decode the cases below. But before we do that, we need to
verfiy that "smdkv310" is the code also used in our phones.

[SIZE=2]../uboot/board\/samsung/smdkv310/lowlevel_init.S        read_om
-------------------------------------------------------------------------------
read_om:
        /* Read booting information */
        ldr     r0, =S5PV310_POWER_BASE
        ldr     r1, [r0,#OMR_OFFSET]
        bic     r2, r1, #0xffffffc1

        /* NAND BOOT */
        cmp     r2, #0xA
        moveq   r3, #BOOT_ONENAND

        cmp     r2, #0x10               @ 2KB 5-cycle   16-bit ECC
        moveq   r3, #BOOT_NAND

        /* SD/MMC BOOT */
        cmp     r2, #0x4
        moveq   r3, #BOOT_MMCSD

        /* eMMC BOOT */
        cmp     r2, #0x6
        moveq   r3, #BOOT_EMMC

#if defined(CONFIG_EVT1)
        /* eMMC 4.4 BOOT */
        cmp     r2, #0x8
        moveq   r3, #BOOT_EMMC_4_4
        cmp     r2, #0x28
        moveq   r3, #BOOT_EMMC_4_4
#endif

        ldr     r0, =INF_REG_BASE
        str     r3, [r0, #INF_REG3_OFFSET]
        
        mov     pc, lr[/SIZE]

(There is also the related UART init code in there, so do have a look at the entire code.)

Thus we see that we have the following options for this early booting:

BOOT_ONENAND
BOOT_NAND
BOOT_MMCSD
BOOT_EMMC
BOOT_EMMC_4_4

including from UART0/1/2/3 which effectively also means USB.

Other Points of Interest

Overheard at the Odroid forum:

Can Odroid-A boot up from USB, MMC0 OR MMC1? How to do it?

Exynos4210's internal ROM can support eMMC43 on CH0 and eMMC44 on CH4.
There is no way to boot from MMC1.

Did you connect the eMMC memory to ODROID-A?
As per User's Manual, there is no comment of USB booting.
​

Sources and References

[1] Origen
[2] Odroid (developer site and forum)
[3] Uboot (latest)
[4] An Informative Hardkernel Presentation (~3MB, 7-zip)
[5] Chapter 6 (Booting Sequence) of the S5PC110 Manual

 

[pokey9000]

Alright guys. It's been a while, but there's some interesting news to speak of.. While the USB UnBrickable Mod on this device has been showing no promise, we have a new angle to explore. Josh over at mobiletechchvideos.com has been resurrecting Galaxy s1 devices with a bad sdcard by simply removing it. He came up with a totally similar idea for the GS2... however removing thr emmc may be a bad idea.. we need to change the boot modes.

Yeah, it might be a little tricky to remove the emmc, but maybe shorting a pullup to ground on one of the MMC signals would have the same effect. This would make reads of the boot signature invalid, and force the Exynos to move on to the next boot mode.

Having already trashed one I777 in the name of science (or stupidity, see earlier ITT), I'm not about to mess with this again, but maybe someone more daring could?

 

[E:V:A]

I think I understand it now. The following table should be tested,

[SIZE=2]K2      XOM0    ?                       Clock Source (XTAL) [0=internal, 1=USB]
K4      XOM1    Low                     Device:b1
J3      XOM2    Low                     Device:b2
J2      XOM3    High                    Device:b3
J5      XOM4    Low                     ? 0=First Boot: UART-->USB-->MEM [XOM5=1 Required!]
J4      XOM5    Low                     ? 1=Secure Boot 
[/SIZE]

So basically XOM0 is determining the clock source to be used for the device, so if you use a USB device for booting you should probably also use a USB clock source. Then the "first boot" sequence is already activated by default XOM4=0, but in order to make it take effect, you have to also enable secure booting with XOM5!

==> We have to rise XOM5 to high in order to boot from USB.

However, I have no way of testing this, so if you wanna move on with this, someone else has to test!

In addition I'm not sure its enough to just copy the image to SD card for booting from SD card. Usually one need to also flag the partition as "bootable". Perhaps different in Android? (See Odroid and Origen documents & wiki how to make bootable SD card.)

Finally, I'm not sure if someone ever found XOM0 and XOM6 on the PCB? In addition, I think it may be possible that XOM0,5,6 can be set by another chip/switch, like PMIC or MUX, that may be alive without need for CPU.

I hope this is correct and make sense, because at this hour in the morning, nothing make sense to me...

 

[keesmathot]

willing to try

I think I understand it now. The following table should be tested,

[SIZE=2]K2      XOM0    ?                       Clock Source (XTAL) [0=internal, 1=USB]
K4      XOM1    Low                     Device:b1
J3      XOM2    Low                     Device:b2
J2      XOM3    High                    Device:b3
J5      XOM4    Low                     ? 0=First Boot: UART-->USB-->MEM [XOM5=1 Required!]
J4      XOM5    Low                     ? 1=Secure Boot 
[/SIZE]

So basically XOM0 is determining the clock source to be used for the device, so if you use a USB device for booting you should probably also use a USB clock source. Then the "first boot" sequence is already activated by default XOM4=0, but in order to make it take effect, you have to also enable secure booting with XOM5!

==> We have to rise XOM5 to high in order to boot from USB.

However, I have no way of testing this, so if you wanna move on with this, someone else has to test!

In addition I'm not sure its enough to just copy the image to SD card for booting from SD card. Usually one need to also flag the partition as "bootable". Perhaps different in Android? (See Odroid and Origen documents & wiki how to make bootable SD card.)

Finally, I'm not sure if someone ever found XOM0 and XOM6 on the PCB? In addition, I think it may be possible that XOM0,5,6 can be set by another chip/switch, like PMIC or MUX, that may be alive without need for CPU.

I hope this is correct and make sense, because at this hour in the morning, nothing make sense to me...

Hi guys!
i don't have a clue what u guys talking about but im getting the idea that u can make my hard bricked sgs2 live again. Im willing to test your theories u only need to tell me what to do. If i understand u right i need to do the same as the 'unbrickable mod' of the sgs1. Can u please tell me what to do? and what if it works how to flash the things that i need to revive my sgs2.
kind regards!

 

[keesmathot]

And can u please post the 'file' or thing i need to put on my sd card so i can test ur theorie.

 

[E:V:A]

And can u please post the 'file' or thing i need to put on my sd card so i can test ur theorie.

I'd like to know this as well!! 8-/

 

[daxxone]

Maybe I can help...maybe not.

I'd like to know this as well!! 8-/

I got E4GT, two of them. One has i9100 firmware. One is rooted running CM10 beta2 nightly. My laptop was down last week and I will be setting my other OS's this week. The only major difference between your device here and mine is radio control, as mine is running a qualcomm radio chip with wimax for 4g. The i9100 firmware lets the d710 boot, just no radios but bluetooth (not sure how that is working, thought it was in the qualcomm chip and that shouldn't function with this firmware issue). This is something I can do, I mostly work with laptops, and flash cell phones to CricKet, I been reading a lot on this topic, in a few different sections for a few other devices. You all have taught me more than I thought I could learn about Android, boot operations and hardware.
I really don't have the experience you all have here, but I think this will work with D710 I got. I wanted to acknowledge your hard work here before I start to work on this for a D710 and will link back to here for others if I make any progress worth posting. If anybody has pinout for the XOM on D710 it would help, PM it to me since this isn't the right area for that device.

 

[ggaabbe]

Maybe wrong thread, sorry then

I have an i9100, my friend flashed a primalc3 bootloader from a Gnex by mistake and his phone is dead. I´ve read the thread and i still dont get if you can like "force" a new sbl on because pbl still works (afaik). In other threads i find that UART should allow u both load an image to boot and write to the nand.

Could i in some way make the Gnex sbl work with his device just for an odin update, i suppose no because the different hardware but still. Or could i use my Gnex in anyway to get the right sbl on his device, he has sbl from mine aight

 

[Nick281051]

Maybe wrong thread, sorry then

I have an i9100, my friend flashed a primalc3 bootloader from a Gnex by mistake and his phone is dead. I´ve read the thread and i still dont get if you can like "force" a new sbl on because pbl still works (afaik). In other threads i find that UART should allow u both load an image to boot and write to the nand.

Could i in some way make the Gnex sbl work with his device just for an odin update, i suppose no because the different hardware but still. Or could i use my Gnex in anyway to get the right sbl on his device, he has sbl from mine aight

Um, no, go to the section for the damn device in question? We can't help you.

Sent from my Zanpakuto using Getsuga Tensho!

 

[LuffarJoh]

Did you ever find out the addresses of IBL+PBL? Cause I have a device that can be flashed using smdk.

 

[AdamOutler]

Did you ever find out the addresses of IBL+PBL? Cause I have a device that can be flashed using smdk.

yeah, but we don't have a bootloader that will work.

 

[LuffarJoh]

yeah, but we don't have a bootloader that will work.

Ok. What are these? What part is missing from getting this to work, except for that bootloader? It wont work to flash an official bootloader?