UART Output / Bootloader Hacking / Kernel Debugging

AdamOutler

Retired Senior Recognized Developer
Feb 18, 2011
5,224
9,808
0
Miami, Florida
Hey guys, I set up my Arduino Mega to communicate via UART with my Infuse4g.

The UART output comes out of the USB port at 115200kbps on the D+ and D- lines when you connect a 619kOhm resistor to USB Pins 4 and 5. It can be used for kernel debugging or general hacking around.


Here's some pics of my setup.







This emulates the "Test Board" from the KIT-S5PC110 which is used to develop the Aeries platform



You can make it do all kinds of crazy stuff....




Typical boot with battery just inserted.

Code:
-----------------------------------------------------------
   Samsung Primitive Bootloader (PBL) v3.0
   Copyright (C) Samsung Electronics Co., Ltd. 2006-2010
-----------------------------------------------------------

+n1stVPN       2688 
+nPgsPerBlk    64 
PBL found bootable SBL: Partition(3).
MAX8893_REG_ONOFF return val 1
MAX8893_REG_DISCHARGE return val ff
MAX8893_REG_LSTIME return val 8
MAX8893_REG_DVSRAMP return val 9
MAX8893_REG_BUCK return val 4
MAX8893_REG_LDO1 return val e
MAX8893_REG_LDO1 new val e
MAX8893_REG_LDO2 return val 10
MAX8893_REG_LDO2 new val 10
MAX8893_REG_ONOFF return val 1
MAX8893_REG_ONOFF new val 21
MAX8893_REG_ONOFF return val 21
MAX8893_REG_ONOFF new val 31

Set cpu clk. from 400MHz to 800MHz.
OM=0x9, device=OnenandMux(Audi)
IROM e-fused - Non Secure Boot Version.

-----------------------------------------------------------
   Samsung Secondary Bootloader (SBL) v3.0
   Copyright (C) Samsung Electronics Co., Ltd. 2006-2010

   Board Name: ARIES REV 03
   Build On: May 19 2011 22:17:14
-----------------------------------------------------------

Re_partition: magic code(0x0)
[PAM:   ] ++FSR_PAM_Init
[PAM:   ]   OneNAND physical base address       : 0xb0000000
[PAM:   ]   OneNAND virtual  base address       : 0xb0000000
[PAM:   ]   OneNAND nMID=0xec : nDID=0x50
[PAM:   ] --FSR_PAM_Init
fsr_bml_load_partition: pi->nNumOfPartEntry = 12
partitions loading success
board partition information update.. source: 0x0
Now Read Images - ID : 1
.Done.
read 1 units.
==== PARTITION INFORMATION ====
 ID         : IBL+PBL (0x0)
 ATTR       : RO SLC (0x1002)
 FIRST_UNIT : 0
 NO_UNITS   : 1
===============================
 ID         : PIT (0x1)
 ATTR       : RO SLC (0x1002)
 FIRST_UNIT : 1
 NO_UNITS   : 1
===============================
 ID         : EFS (0x14)
 ATTR       : RW STL SLC (0x1101)
 FIRST_UNIT : 2
 NO_UNITS   : 40
===============================
 ID         : SBL (0x3)
 ATTR       : RO SLC (0x1002)
 FIRST_UNIT : 42
 NO_UNITS   : 5
===============================
 ID         : SBL2 (0x4)
 ATTR       : RO SLC (0x1002)
 FIRST_UNIT : 47
 NO_UNITS   : 5
===============================
 ID         : PARAM (0x15)
 ATTR       : RW STL SLC (0x1101)
 FIRST_UNIT : 52
 NO_UNITS   : 20
===============================
 ID         : KERNEL (0x6)
 ATTR       : RO SLC (0x1002)
 FIRST_UNIT : 72
 NO_UNITS   : 30
===============================
 ID         : RECOVERY (0x7)
 ATTR       : RO SLC (0x1002)
 FIRST_UNIT : 102
 NO_UNITS   : 30
===============================
 ID         : FACTORYFS (0x16)
 ATTR       : RW STL SLC (0x1101)
 FIRST_UNIT : 132
 NO_UNITS   : 1146
===============================
 ID         : DBDATAFS (0x17)
 ATTR       : RW STL SLC (0x1101)
 FIRST_UNIT : 1278
 NO_UNITS   : 536
===============================
 ID         : CACHE (0x18)
 ATTR       : RW STL SLC (0x1101)
 FIRST_UNIT : 1814
 NO_UNITS   : 130
===============================
 ID         : MODEM (0xb)
 ATTR       : RO SLC (0x1002)
 FIRST_UNIT : 1944
 NO_UNITS   : 60
===============================
loke_init: j4fs_open success..
load_lfs_parameters valid magic code and version.
reading nps status file is successfully!.
nps status=0x504d4f43
load_debug_level reading debug level from file successfully(0x574f4c44).
init_fuel_gauge: vcell = 3797mV, soc = 57
check_quick_start_condition- Voltage: 3797.50000, Linearized[45/60/75], Capacity: 59
init_fuel_gauge: vcell = 3797mV, soc = 57, rcomp = d01f
reading nps status file is successfully!.
nps status=0x504d4f43
PMIC_IRQ1    = 0x20 
PMIC_IRQ2    = 0x0 
PMIC_IRQ3    = 0x0 
PMIC_IRQ4    = 0x0 
PMIC_STATUS1 = 0x40 
PMIC_STATUS2 = 0x0 
get_debug_level current debug level is 0x574f4c44.
aries_process_platform: Debug Level Low
keypad_scan: key value ----------------->= 0x0
CONFIG_ARIES_REV:48 , CONFIG_ARIES_REV03:48 
check_download: micorusb_status1 = 400, key_value = 0
aries_process_platform: final s1 booting mode = 0
DISPLAY_PATH_SEL[MDNIE 0x1]is on
MDNIE setting Init start!!
vsync interrupt is off
video interrupt is off
[fb0] turn on
MDNIE setting Init end!!
lcd_power_on_ld9040
s6e63m0_c110_spi_read_byte-------------------------: 86
DA lcd ID1 = 86
s6e63m0_c110_spi_read_byte-------------------------: 48
DB lcd ID2 = 48
s6e63m0_c110_spi_read_byte-------------------------: 44
DC lcd ID3 = 44
LCD_ID == 3

Autoboot (0 seconds) in progress, press any key to stop 
get_debug_level current debug level is 0x574f4c44.
get_debug_level current debug level is 0x574f4c44.
boot_kernel: Debug Level Low
FOTA Check Bit 
 Read BML page=, NumPgs=
FOTA Check Bit (0xffffffff)
Load Partion idx = (6)
..............................done
Kernel read success from kernel partition no.6, idx.6.
setting param.serialnr=hex value hex value
setting param.board_rev=0x30
setting param.cmdline=console=ttySAC2,115200 loglevel=4

Starting kernel at 0x32000000...
0xF8

AST_POWERON

BOOTING COMPLETED
 

AdamOutler

held enter while booting UART
Code:
   Copyright (C) Samsung Electronics Co., Ltd. 2006-2010
-----------------------------------------------------------

+n1stVPN       2688 
+nPgsPerBlk    64 
PBL found bootable SBL: Partition(3).
MAX8893_REG_ONOFF return val 1
MAX8893_REG_DISCHARGE return val ff
MAX8893_REG_LSTIME return val 8
MAX8893_REG_DVSRAMP return val 9
MAX8893_REG_BUCK return val 2
MAX8893_REG_LDO1 return val 2
MAX8893_REG_LDO1 new val e
MAX8893_REG_LDO2 return val e
MAX8893_REG_LDO2 new val 10
MAX8893_REG_ONOFF return val 1
MAX8893_REG_ONOFF new val 21
MAX8893_REG_ONOFF return val 21
MAX8893_REG_ONOFF new val 31

Set cpu clk. from 400MHz to 800MHz.
OM=0x9, device=OnenandMux(Audi)
IROM e-fused - Non Secure Boot Version.

-----------------------------------------------------------
   Samsung Secondary Bootloader (SBL) v3.0
   Copyright (C) Samsung Electronics Co., Ltd. 2006-2010

   Board Name: ARIES REV 03
   Build On: May 19 2011 22:17:14
-----------------------------------------------------------

Re_partition: magic code(0x0)
[PAM:   ] ++FSR_PAM_Init
[PAM:   ]   OneNAND physical base address       : 0xb0000000
[PAM:   ]   OneNAND virtual  base address       : 0xb0000000
[PAM:   ]   OneNAND nMID=0xec : nDID=0x50
[PAM:   ] --FSR_PAM_Init
fsr_bml_load_partition: pi->nNumOfPartEntry = 12
partitions loading success
board partition information update.. source: 0x0
Now Read Images - ID : 1
.Done.
read 1 units.
==== PARTITION INFORMATION ====
 ID         : IBL+PBL (0x0)
 ATTR       : RO SLC (0x1002)
 FIRST_UNIT : 0
 NO_UNITS   : 1
===============================
 ID         : PIT (0x1)
 ATTR       : RO SLC (0x1002)
 FIRST_UNIT : 1
 NO_UNITS   : 1
===============================
 ID         : EFS (0x14)
 ATTR       : RW STL SLC (0x1101)
 FIRST_UNIT : 2
 NO_UNITS   : 40
===============================
 ID         : SBL (0x3)
 ATTR       : RO SLC (0x1002)
 FIRST_UNIT : 42
 NO_UNITS   : 5
===============================
 ID         : SBL2 (0x4)
 ATTR       : RO SLC (0x1002)
 FIRST_UNIT : 47
 NO_UNITS   : 5
===============================
 ID         : PARAM (0x15)
 ATTR       : RW STL SLC (0x1101)
 FIRST_UNIT : 52
 NO_UNITS   : 20
===============================
 ID         : KERNEL (0x6)
 ATTR       : RO SLC (0x1002)
 FIRST_UNIT : 72
 NO_UNITS   : 30
===============================
 ID         : RECOVERY (0x7)
 ATTR       : RO SLC (0x1002)
 FIRST_UNIT : 102
 NO_UNITS   : 30
===============================
 ID         : FACTORYFS (0x16)
 ATTR       : RW STL SLC (0x1101)
 FIRST_UNIT : 132
 NO_UNITS   : 1146
===============================
 ID         : DBDATAFS (0x17)
 ATTR       : RW STL SLC (0x1101)
 FIRST_UNIT : 1278
 NO_UNITS   : 536
===============================
 ID         : CACHE (0x18)
 ATTR       : RW STL SLC (0x1101)
 FIRST_UNIT : 1814
 NO_UNITS   : 130
===============================
 ID         : MODEM (0xb)
 ATTR       : RO SLC (0x1002)
 FIRST_UNIT : 1944
 NO_UNITS   : 60
===============================
loke_init: j4fs_open success..
load_lfs_parameters valid magic code and version.
reading nps status file is successfully!.
nps status=0x504d4f43
load_debug_level reading debug level from file successfully(0x574f4c44).
init_fuel_gauge: vcell = 3777mV, soc = 48
check_quick_start_condition- Voltage: 3777.50000, Linearized[41/56/71], Capacity: 49
init_fuel_gauge: vcell = 3777mV, soc = 48, rcomp = d01f
reading nps status file is successfully!.
nps status=0x504d4f43
PMIC_IRQ1    = 0x30 
PMIC_IRQ2    = 0x0 
PMIC_IRQ3    = 0x0 
PMIC_IRQ4    = 0x0 
PMIC_STATUS1 = 0x40 
PMIC_STATUS2 = 0x0 
get_debug_level current debug level is 0x574f4c44.
aries_process_platform: Debug Level Low
keypad_scan: key value ----------------->= 0x0
CONFIG_ARIES_REV:48 , CONFIG_ARIES_REV03:48 
check_download: micorusb_status1 = 400, key_value = 0
aries_process_platform: final s1 booting mode = 0
DISPLAY_PATH_SEL[MDNIE 0x1]is on
MDNIE setting Init start!!
vsync interrupt is off
video interrupt is off
[fb0] turn on
MDNIE setting Init end!!
lcd_power_on_ld9040
s6e63m0_c110_spi_read_byte-------------------------: 86
DA lcd ID1 = 86
s6e63m0_c110_spi_read_byte-------------------------: 48
DB lcd ID2 = 48
s6e63m0_c110_spi_read_byte-------------------------: 44
DC lcd ID3 = 44
LCD_ID == 3

Autoboot (0 seconds) in progress, press any key to stop Autoboot aborted..
SBL> 
SBL> 
SBL> 
SBL> 
SBL> 
SBL> 
SBL> 
SBL> 
SBL> 
SBL> 
SBL>
SBL Prompt
Code:
SBL> printenv
PARAM Rev 1.3
SERIAL_SPEED : 7
LOAD_RAMDISK : 0
BOOT_DELAY : 0
LCD_LEVEL : 97
SWITCH_SEL : 65
PHONE_DEBUG_ON : 0
LCD_DIM_LEVEL : 0
LCD_DIM_TIME : 6
MELODY_MODE : 1
REBOOT_MODE : 0
NATION_SEL : 0
LANGUAGE_SEL : 0
SET_DEFAULT_PARAM : 0
PARAM_INT_13 : 0
PARAM_INT_14 : 0
VERSION : I9000XXIL
CMDLINE : console=ttySAC2,115200 loglevel=4
DELTA_LOCATION : /mnt/rsv
PARAM_STR_3 : 
PARAM_STR_4 : 
SBL> setenv SWITCH_SEL 6543
argv[0] : setenv
argv[1] : SWITCH_SEL
argv[2] : 6543
value : 6543
SBL> reboot
command_loop: parse command error! (reboot)
SBL> reset
Rebooting...

SB1
-----------------------------------------------------------
   Samsung Primitive Bootloader (PBL) v3.0
   Copyright (C) Samsung Electronics Co., Ltd. 2006-2010
-----------------------------------------------------------

+n1stVPN       2688 
+nPgsPerBlk    64 
PBL found bootable SBL: Partition(3).
MAX8893_REG_ONOFF return val 31
MAX8893_REG_DISCHARGE return val ff
MAX8893_REG_LSTIME return val 8
MAX8893_REG_DVSRAMP return val 9
MAX8893_REG_BUCK return val 2
MAX8893_REG_LDO1 return val e
MAX8893_REG_LDO1 new val e
MAX8893_REG_LDO2 return val 10
MAX8893_REG_LDO2 new val 10
MAX8893_REG_ONOFF return val 31
MAX8893_REG_ONOFF new val 31
MAX8893_REG_ONOFF return val 31
MAX8893_REG_ONOFF new val 31

Set cpu clk. from 400MHz to 800MHz.
OM=0x9, device=OnenandMux(Audi)
IROM e-fused - Non Secure Boot Version.

-----------------------------------------------------------
   Samsung Secondary Bootloader (SBL) v3.0
   Copyright (C) Samsung Electronics Co., Ltd. 2006-2010

   Board Name: ARIES REV 03
   Build On: May 19 2011 22:17:14
-----------------------------------------------------------

Re_partition: magic code(0x0)
[PAM:   ] ++FSR_PAM_Init
[PAM:   ]   OneNAND physical base address       : 0xb0000000
[PAM:   ]   OneNAND virtual  base address       : 0xb0000000
[PAM:   ]   OneNAND nMID=0xec : nDID=0x50
[PAM:   ] --FSR_PAM_Init
fsr_bml_load_partition: pi->nNumOfPartEntry = 12
partitions loading success
board partition information update.. source: 0x0
Now Read Images - ID : 1
.Done.
read 1 units.
==== PARTITION INFORMATION ====
 ID         : IBL+PBL (0x0)
 ATTR       : RO SLC (0x1002)
 FIRST_UNIT : 0
 NO_UNITS   : 1
===============================
 ID         : PIT (0x1)
 ATTR       : RO SLC (0x1002)
 FIRST_UNIT : 1
 NO_UNITS   : 1
===============================
 ID         : EFS (0x14)
 ATTR       : RW STL SLC (0x1101)
 FIRST_UNIT : 2
 NO_UNITS   : 40
===============================
 ID         : SBL (0x3)
 ATTR       : RO SLC (0x1002)
 FIRST_UNIT : 42
 NO_UNITS   : 5
===============================
 ID         : SBL2 (0x4)
 ATTR       : RO SLC (0x1002)
 FIRST_UNIT : 47
 NO_UNITS   : 5
===============================
 ID         : PARAM (0x15)
 ATTR       : RW STL SLC (0x1101)
 FIRST_UNIT : 52
 NO_UNITS   : 20
===============================
 ID         : KERNEL (0x6)
 ATTR       : RO SLC (0x1002)
 FIRST_UNIT : 72
 NO_UNITS   : 30
===============================
 ID         : RECOVERY (0x7)
 ATTR       : RO SLC (0x1002)
 FIRST_UNIT : 102
 NO_UNITS   : 30
===============================
 ID         : FACTORYFS (0x16)
 ATTR       : RW STL SLC (0x1101)
 FIRST_UNIT : 132
 NO_UNITS   : 1146
===============================
 ID         : DBDATAFS (0x17)
 ATTR       : RW STL SLC (0x1101)
 FIRST_UNIT : 1278
 NO_UNITS   : 536
===============================
 ID         : CACHE (0x18)
 ATTR       : RW STL SLC (0x1101)
 FIRST_UNIT : 1814
 NO_UNITS   : 130
===============================
 ID         : MODEM (0xb)
 ATTR       : RO SLC (0x1002)
 FIRST_UNIT : 1944
 NO_UNITS   : 60
===============================
loke_init: j4fs_open success..
load_lfs_parameters valid magic code and version.
reading nps status file is successfully!.
nps status=0x504d4f43
load_debug_level reading debug level from file successfully(0x574f4c44).
init_fuel_gauge: vcell = 3768mV, soc = 48
check_quick_start_condition- Voltage: 3768.75000, Linearized[40/55/70], Capacity: 49
init_fuel_gauge: vcell = 3768mV, soc = 48, rcomp = d01f
reading nps status file is successfully!.
nps status=0x504d4f43
PMIC_IRQ1    = 0x0 
PMIC_IRQ2    = 0x0 
PMIC_IRQ3    = 0x0 
PMIC_IRQ4    = 0x0 
PMIC_STATUS1 = 0x40 
PMIC_STATUS2 = 0x0 
get_debug_level current debug level is 0x574f4c44.
aries_process_platform: Debug Level Low
keypad_scan: key value ----------------->= 0x0
CONFIG_ARIES_REV:48 , CONFIG_ARIES_REV03:48 
check_download: micorusb_status1 = 400, key_value = 0
aries_process_platform: final s1 booting mode = 0
DISPLAY_PATH_SEL[MDNIE 0x1]is on
MDNIE setting Init start!!
vsync interrupt is off
video interrupt is off
[fb0] turn on
MDNIE setting Init end!!
lcd_power_on_ld9040
s6e63m0_c110_spi_read_byte-------------------------: 86
DA lcd ID1 = 86
s6e63m0_c110_spi_read_byte-------------------------: 48
DB lcd ID2 = 48
s6e63m0_c110_spi_read_byte-------------------------: 44
DC lcd ID3 = 44
LCD_ID == 3

Autoboot (0 seconds) in progress, press any key to stop 
get_debug_level current debug level is 0x574f4c44.
get_debug_level current debug level is 0x574f4c44.
boot_kernel: Debug Level Low
FOTA Check Bit 
 Read BML page=, NumPgs=
FOTA Check Bit (0xffffffff)
Load Partion idx = (6)
..............................done
Kernel read success from kernel partition no.6, idx.6.
setting param.serialnr=serial number.....
setting param.board_rev=0x30
setting param.cmdline=console=ttySAC2,115200 loglevel=4

Starting kernel at 0x32000000...
0xF8

AST_POWERON

BOOTING COMPLETED
 

AdamOutler

All commands available at SBL Prompt.

Code:
SBL> help
Following commands are supported:
* setenv
* saveenv
* printenv
* help
* reset
* boot
* kernel
* format
* open
* close
* erasepart
* eraseall
* loadkernel
* showpart
* addpart
* delpart
* savepart
* nkernel
* nramdisk
* nandread
* nandwrite
* usb
* mmctest
* keyread
* readadc
* usb_read
* usb_write
* fuelgauge
* pmic_read
* pmic_write
To get commands help, Type "help <command>"
SBL> help setenv
* Help : setenv
* Usage : setenv [name] [value] . .
        Modify current environment info on ram

SBL> help saveenv
* Help : saveenv
* Usage : saveenv
        Save cuurent environment info to flash

SBL> help printenv
* Help : printenv
* Usage : printenv
        Print current environment info on ram

SBL> help reset
* Help : reset
* Usage : reboot
Reboot system

SBL> help boot
* Help : boot
* Usage : boot [kernel options]
Boot Linux with optional kernel options

SBL> help kernel
* Help : kernel
* Usage : kernel hex_adr
Change the Linux kernel base

SBL> help format
* Help : format
* Usage : format
        format device
SBL> help open
* Help : open
* Usage : open
        open device
SBL> help close
* Help : close
* Usage : close
        close device
SBL> help erasepart
* Help : erasepart
* Usage : erasepart partition_id
        erase part of units
       - ex) erase 0x9(temp partition)
SBL> help eraseall
* Help : eraseall
* Usage : eraseall
        erase all units
SBL> help loadkernel
* Help : loadkernel
* Usage : loadkernel
        load kernel image
       - loadkernel 0x80A00000 from kernel partition
SBL> help showpart
* Help : showpart
* Usage : showpart
        show partition information
SBL> help addpart
* Help : addpart
* Usage : addpart <id> <attr> <unit>
        add partition information
       - ex) addpart 0x(id) 0x1(attr) 0x10(units)
SBL> help delpart
* Help : delpart
* Usage : delpart
        delete last partition information
SBL> help savepart
* Help : savepart
* Usage : savepart
        save partition information
SBL> help nkernel
* Help : nkernel
* Usage : nkernel command
* Usage : nkernel
        read kernel from flash to DDR

SBL> help nramdisk
* Help : nramdisk
* Usage : nramdisk command
* Usage : nramdisk
        read ramdisk from flash to DDR

SBL> help nandread
* Help : nandread
* Usage : * Usage : nandread <PARTID> <SIZE>
        read partition from flash to SDRAM(0x80000000)

SBL> help nandwrite
* Help : nandwrite
* Usage : * Usage: nandwrite <PARTID> <SIZE>
        write partition from SDRAM(0x80000000) to flash

SBL> help usb
* Help : usb
* Usage : usb download command
SBL> help mmctest
* Help : mmctest
* Usage : *Usage : mmctest 

SBL> help keyread
* Help : keyread
* Usage : *Usage : keyread 

SBL> help readadc
* Help : readadc
* Usage : *Usage : readadc <channel> 

SBL> help usb_read
* Help : usb_read
* Usage : usb_read reg
Read the usb ic register

SBL> help usb_write
* Help : usb_write
* Usage : usb_write reg, val
Read the usb ic register

SBL> help fuelgauge
* Help : fuelgauge
* Usage : *usage : fuelgauge

SBL> help pmic_read
* Help : pmic_read
* Usage : pmic_read reg
Read the pmic register

SBL> help pmic_write
* Help : pmic_write
* Usage : pmic_write reg, val
Read the pmic register

SBL> printenv
PARAM Rev 1.3
SERIAL_SPEED : 7
LOAD_RAMDISK : 0
BOOT_DELAY : 0
LCD_LEVEL : 97
SWITCH_SEL : 65
PHONE_DEBUG_ON : 0
LCD_DIM_LEVEL : 0
LCD_DIM_TIME : 6
MELODY_MODE : 1
REBOOT_MODE : 0
NATION_SEL : 0
LANGUAGE_SEL : 0
SET_DEFAULT_PARAM : 0
PARAM_INT_13 : 0
PARAM_INT_14 : 0
VERSION : I9000XXIL
CMDLINE : console=ttySAC2,115200 loglevel=4
DELTA_LOCATION : /mnt/rsv
PARAM_STR_3 : 
PARAM_STR_4 : 
SBL> showpart
board partition information update.. source: 0x0
Now Read Images - ID : 1
.Done.
read 1 units.
==== PARTITION INFORMATION ====
 ID         : IBL+PBL (0x0)
 ATTR       : RO SLC (0x1002)
 FIRST_UNIT : 0
 NO_UNITS   : 1
===============================
 ID         : PIT (0x1)
 ATTR       : RO SLC (0x1002)
 FIRST_UNIT : 1
 NO_UNITS   : 1
===============================
 ID         : EFS (0x14)
 ATTR       : RW STL SLC (0x1101)
 FIRST_UNIT : 2
 NO_UNITS   : 40
===============================
 ID         : SBL (0x3)
 ATTR       : RO SLC (0x1002)
 FIRST_UNIT : 42
 NO_UNITS   : 5
===============================
 ID         : SBL2 (0x4)
 ATTR       : RO SLC (0x1002)
 FIRST_UNIT : 47
 NO_UNITS   : 5
===============================
 ID         : PARAM (0x15)
 ATTR       : RW STL SLC (0x1101)
 FIRST_UNIT : 52
 NO_UNITS   : 20
===============================
 ID         : KERNEL (0x6)
 ATTR       : RO SLC (0x1002)
 FIRST_UNIT : 72
 NO_UNITS   : 30
===============================
 ID         : RECOVERY (0x7)
 ATTR       : RO SLC (0x1002)
 FIRST_UNIT : 102
 NO_UNITS   : 30
===============================
 ID         : FACTORYFS (0x16)
 ATTR       : RW STL SLC (0x1101)
 FIRST_UNIT : 132
 NO_UNITS   : 1146
===============================
 ID         : DBDATAFS (0x17)
 ATTR       : RW STL SLC (0x1101)
 FIRST_UNIT : 1278
 NO_UNITS   : 536
===============================
 ID         : CACHE (0x18)
 ATTR       : RW STL SLC (0x1101)
 FIRST_UNIT : 1814
 NO_UNITS   : 130
===============================
 ID         : MODEM (0xb)
 ATTR       : RO SLC (0x1002)
 FIRST_UNIT : 1944
 NO_UNITS   : 60
===============================
SBL> mmctest
Enable Movinand
[set_mmc_ocr] Sector Mode
[hsmmc_init] MMC card is detected
Product Name : MAG4FA
<display_card_info:935> ext_csd

<display_card_info:937>card_size: 15264
 Total Card Size: 15265 MByte

SBL> keyread
keyread: row(0) col(0) read key value = 0x1
keyread: row(1) col(0) read key value = 0x2
SBL> pmic_read
---------read pmic register : multiple
(0x0 : 0x0),  (0x1 : 0x0),  (0x2 : 0x0),  (0x3 : 0x0),  
(0x4 : 0x0),  (0x5 : 0xf0),  (0x6 : 0x0),  (0x7 : 0x0),  
(0x8 : 0x40),  (0x9 : 0x0),  (0xa : 0xff),  (0xb : 0xff),  
(0xc : 0xa),  (0xd : 0x80),  (0xe : 0xff),  (0xf : 0xff),  
(0x10 : 0x3f),  (0x11 : 0xef),  (0x12 : 0x78),  (0x13 : 0x10),  
(0x14 : 0xbb),  (0x15 : 0x12),  (0x16 : 0x12),  (0x17 : 0x12),  
(0x18 : 0x12),  (0x19 : 0xe),  (0x1a : 0xe),  (0x1b : 0x2),  
(0x1c : 0x4),  (0x1d : 0x86),  (0x1e : 0x11),  (0x1f : 0xc),  
(0x20 : 0x2),  (0x21 : 0x2),  (0x22 : 0x30),  (0x23 : 0xac),  
(0x24 : 0x4),  (0x25 : 0x14),  (0x26 : 0x6),  (0x27 : 0x10),  
(0x28 : 0x2),  (0x29 : 0xe),  (0x2a : 0x31),  (0x2b : 0x17),
This is what happens when you go into download mode... this occurs near the end of the SBL.
Code:
SBL> usb
reading nps status file is successfully!.
nps status=0x504d4f43

==> Welcome to ARIES!
==> Entering usb download mode..
DISPLAY_PATH_SEL[MDNIE 0x1]is on
MDNIE setting Init start!!
vsync interrupt is off
video interrupt is off
[fb0] turn on
MDNIE setting Init end!!
lcd_power_on_ld9040
s6e63m0_c110_spi_read_byte-------------------------: 86
DA lcd ID1 = 86
s6e63m0_c110_spi_read_byte-------------------------: 48
DB lcd ID2 = 48
s6e63m0_c110_spi_read_byte-------------------------: 44
DC lcd ID3 = 44
LCD_ID == 3
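
The `showpart` dump above has a fixed four-line record per partition, so a saved UART capture can be parsed and compared against a known-good capture to spot a changed partition table (the SBL exposes `addpart`, `delpart` and `savepart`). This is an added example, not part of the original post; the function names are hypothetical, the sample holds four entries copied from the log above, and the tampered variant is constructed.

```python
import re
from dataclasses import dataclass

# Four consecutive entries copied from the showpart output above (the full
# table has 12). The tampered variant in the demo below is constructed.
SAMPLE = """\
==== PARTITION INFORMATION ====
 ID         : PARAM (0x15)
 ATTR       : RW STL SLC (0x1101)
 FIRST_UNIT : 52
 NO_UNITS   : 20
===============================
 ID         : KERNEL (0x6)
 ATTR       : RO SLC (0x1002)
 FIRST_UNIT : 72
 NO_UNITS   : 30
===============================
 ID         : RECOVERY (0x7)
 ATTR       : RO SLC (0x1002)
 FIRST_UNIT : 102
 NO_UNITS   : 30
===============================
 ID         : FACTORYFS (0x16)
 ATTR       : RW STL SLC (0x1101)
 FIRST_UNIT : 132
 NO_UNITS   : 1146
===============================
"""

# One record: ID, ATTR, FIRST_UNIT, NO_UNITS on consecutive lines.
ENTRY_RE = re.compile(
    r"ID\s*:\s*(?P<name>\S+)\s*\((?P<pid>0x[0-9a-fA-F]+)\)\s*\n"
    r"\s*ATTR\s*:\s*(?P<flags>[A-Z ]+?)\s*\((?P<attr>0x[0-9a-fA-F]+)\)\s*\n"
    r"\s*FIRST_UNIT\s*:\s*(?P<first>\d+)\s*\n"
    r"\s*NO_UNITS\s*:\s*(?P<count>\d+)"
)


@dataclass(frozen=True)
class Partition:
    name: str
    part_id: int
    flags: tuple      # flags exactly as the SBL prints them, e.g. ("RO", "SLC")
    attr: int         # raw attribute word, e.g. 0x1002
    first_unit: int
    n_units: int

    @property
    def end_unit(self):
        return self.first_unit + self.n_units  # first unit past this partition


def parse_partitions(log):
    """Extract every partition record from a captured SBL console log."""
    return [
        Partition(m["name"], int(m["pid"], 16), tuple(m["flags"].split()),
                  int(m["attr"], 16), int(m["first"]), int(m["count"]))
        for m in ENTRY_RE.finditer(log)
    ]


def layout_findings(parts):
    """Report overlaps and gaps between partitions ordered by FIRST_UNIT."""
    findings = []
    ordered = sorted(parts, key=lambda p: p.first_unit)
    for prev, cur in zip(ordered, ordered[1:]):
        if cur.first_unit < prev.end_unit:
            findings.append(f"overlap: {prev.name} ends at unit {prev.end_unit}, "
                            f"{cur.name} starts at {cur.first_unit}")
        elif cur.first_unit > prev.end_unit:
            findings.append(f"gap: units {prev.end_unit}-{cur.first_unit - 1} "
                            f"between {prev.name} and {cur.name}")
    return findings


def diff_against_baseline(baseline, current):
    """List field-level differences between two captures, keyed by partition ID."""
    base = {p.part_id: p for p in baseline}
    cur = {p.part_id: p for p in current}
    changes = []
    for pid in sorted(base.keys() | cur.keys()):
        b, c = base.get(pid), cur.get(pid)
        if b is None or c is None:
            changes.append(f"{'added' if b is None else 'removed'}: "
                           f"{(c or b).name} (0x{pid:x})")
            continue
        for field in ("name", "flags", "attr", "first_unit", "n_units"):
            if getattr(b, field) != getattr(c, field):
                changes.append(f"{b.name}: {field} {getattr(b, field)!r} -> "
                               f"{getattr(c, field)!r}")
    return changes


if __name__ == "__main__":
    baseline = parse_partitions(SAMPLE)
    tampered = parse_partitions(SAMPLE.replace("FIRST_UNIT : 102", "FIRST_UNIT : 100"))
    for line in layout_findings(tampered) + diff_against_baseline(baseline, tampered):
        print(line)
```
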
 

AdamOutler

and here's the kernel debugging.... in case the kernel locks up during boot and Android will not function correctly, it provides a shell. Authorize ahead of time so that you can use Super User.

The settings in SBL prompt are
Code:
setenv SWITCH_SEL  6543
setenv PHONE_DEBUG_ON  1
saveenv
This can be very useful for kernel developers
Code:
Starting kernel at 0x32000000...

Uncompressing Linux...................................................................................................................................................................................
[    0.000000] copy: bad source 0
[    0.000000] mout_audss: bad source 0
[    0.090142] KERNEL:kernel_sec_get_debug_level_from_boot=0x574f4c44
[    0.094877] KERNEL:magic_number=0x0 DEBUG LEVEL low!!
[    0.099895] (kernel_sec_set_upload_cause) : upload_cause set 0
[    5.833835] init: cannot find '/system/etc/install-recovery.sh', disabling 'flash_recovery'
sh: can't access tty; job control turned off
$ [   11.433364] init: no such service 'bootanim'
[   24.851663] init: sys_prop: permission denied uid:1000  name:wifi.interface
[   35.227503] init: no such service 'bootanim'
[   38.484304] init: sys_prop: permission denied uid:1000  name:dpm.allowcamera
su
sh: can't access tty; job control turned off
# dmesg|tail
<4>[   47.443068] [email protected]
<4>[   51.363390] mook - wm8994 TTY Off
<4>[   51.666438] eth0: SIOCSIWSCAN : ISCAN
<4>[   51.667822] +++: Set Broadcast ISCAN
<4>[   53.013468] [email protected]
<4>[   54.447852] Send Event ISCAN complete
<4>[   54.448053] eth0 wl_iw_iscan_get_scan buflen_from_user 8192:
<4>[   54.448067] eth0: SIOCGIWSCAN GET broadcast results
<4>[   54.448111] wl_iw_iscan_get_scan return to WE 803 bytes APs=3
<4>[   84.445803] wl_iw_set_ss_cache_timer_flag called
#
Looks like samsung has an autorun to reflash the recovery partition at /system/etc/install-recovery.sh
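
Whether the debug settings above actually reached flash can be read off a captured SBL session by replaying it with the semantics the `help` output gives (`setenv` changes RAM, `saveenv` writes flash). This is an added example, not part of the original post; the function names are hypothetical, the transcript is constructed from commands shown in the thread, and the reload of RAM from flash on `reset` is an assumption inferred from the later `printenv` still showing `SWITCH_SEL : 65`.

```python
import re

# Stock values of the two parameters the post changes, taken from the
# printenv output earlier in the thread.
STOCK_ENV = {"SWITCH_SEL": "65", "PHONE_DEBUG_ON": "0"}
# The values the post sets before running saveenv.
DEBUG_ENV = {"SWITCH_SEL": "6543", "PHONE_DEBUG_ON": "1"}

# Constructed transcript. Session 1 mirrors the earlier post (setenv, then
# reset with no saveenv); session 2 uses the three commands from this post.
TRANSCRIPT = """\
SBL> setenv SWITCH_SEL 6543
SBL> reboot
command_loop: parse command error! (reboot)
SBL> reset
Rebooting...
SBL>
SBL> setenv SWITCH_SEL  6543
SBL> setenv PHONE_DEBUG_ON  1
SBL> saveenv
SBL> reset
"""

PROMPT_RE = re.compile(r"^SBL>\s*(\S+)(.*)$")


def replay(transcript, flash_env):
    """Replay the typed commands; return (flash contents, notable events)."""
    flash, ram, events = dict(flash_env), dict(flash_env), []
    lines = [ln.strip() for ln in transcript.splitlines()]
    for i, line in enumerate(lines):
        m = PROMPT_RE.match(line)
        if not m:
            continue  # bootloader output or an empty prompt
        cmd, args = m.group(1), m.group(2).split()
        following = lines[i + 1] if i + 1 < len(lines) else ""
        if "parse command error" in following:
            events.append(("rejected", cmd))   # SBL did not recognise it
        elif cmd == "setenv" and len(args) == 2:
            ram[args[0]] = args[1]             # RAM only, per `help setenv`
        elif cmd == "saveenv":
            flash = dict(ram)                  # RAM copy written to flash
        elif cmd == "reset":
            unsaved = {k: v for k, v in ram.items() if flash.get(k) != v}
            if unsaved:
                events.append(("discarded", unsaved))
            ram = dict(flash)                  # assumption: reloaded at boot
    return flash, events


def debug_settings_persisted(flash):
    """True if flash holds both values the post sets for kernel debugging."""
    return all(flash.get(k) == v for k, v in DEBUG_ENV.items())


if __name__ == "__main__":
    flash, events = replay(TRANSCRIPT, STOCK_ENV)
    for kind, detail in events:
        print(kind, detail)
    print("flash:", flash, "debug persisted:", debug_settings_persisted(flash))
```
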
 

LinuxBozo

Retired Recognized Developer
May 29, 2011
334
452
0
Salem, VA
I can see this being very handy indeed. Running kernels blind, having to get to at least ADB is a real pain. At least we now know this method works for the Infuse.
 

gtg465x

Inactive Recognized Developer
Jun 16, 2008
4,750
3,277
0
No, and I don't plan on it unless I have a problem that requires me to take it apart. Apparently this phone does not have bricking problems with people porting bootloaders from other devices.
No bricking problems b/c we can't flash bootloaders haha. Well actually there is a way, but the only person to try said way bricked.
 

Dxtra

Senior Member
May 27, 2010
497
40
0
That's because the bootloaders are locked. Well, not Motorola locked. I've read somewhere in the Galaxy Tab 10.1 forum that Samsung had to lock the bootloaders because of copyright issues with Media Hub. If that's true, the Rogers Infuse doesn't offer Media Hub and the bootloaders for that phone are not locked. We got an update for the Tab 10.1 that locked the bootloaders, and the Tab offers Media Hub, so it could be true, since Samsung is not known for locking them. I could be wrong.

Sent from my SAMSUNG-SGH-I997 using XDA Premium App
 

Aou

Senior Member
Aug 4, 2008
794
777
0
Arizona
No bricking problems b/c we can't flash bootloaders haha. Well actually there is a way, but the only person to try said way bricked.
*raises hand* hehe

But I'm wondering if accessing the phone via UART would work with a device that's hardbricked as bad as that was? Too late to test now, it's already in the mail. ... unless I were to try flashing bootloaders like we did before? hehe
 

AdamOutler

*raises hand* hehe

But I'm wondering if accessing the phone via UART would work with a device that's hardbricked as bad as that was? Too late to test now, it's already in the mail. ... unless I were to try flashing bootloaders like we did before? hehe
I have JTAG capabilities if you want to test.

You can get into download mode as long as you have SBL.

I've worked on and developed a way to turn Captivate into KIT-S5PC110 (the aeries development platform)... http://forum.xda-developers.com/showthread.php?t=1206216 It may be possible on this device.... I'm still working on my captivate.
 

Aou

I have JTAG capabilities if you want to test.

You can get into download mode as long as you have SBL.

I've worked on and developed a way to turn Captivate into KIT-S5PC110 (the aeries development platform)... http://forum.xda-developers.com/showthread.php?t=1206216 It may be possible on this device.... I'm still working on my captivate.
Thanks, but the dead phone is gone and in the mail. I'd rather not void a warranty on this device by using JTAG. That device would not even go to download mode when using a JIG. Even the battery charging screen was gone. It was a hard brick.
 

gtg465x

I have JTAG capabilities if you want to test.

You can get into download mode as long as you have SBL.

I've worked on and developed a way to turn Captivate into KIT-S5PC110 (the aeries development platform)... http://forum.xda-developers.com/showthread.php?t=1206216 It may be possible on this device.... I'm still working on my captivate.
Since you have JTAG capabilities there should be no risk of bricking. Maybe you can experiment with bootloader flashing on this phone. I can link you to gb bootloaders and custom bmlwriter flashing program if you're interested.
 

Aou

Since you have JTAG capabilities there should be no risk of bricking. Maybe you can experiment with bootloader flashing on this phone. I can link you to gb bootloaders and custom bmlwriter flashing program if you're interested.
Did you ever get a copy of BML5 from a Rogers device?
 

gtg465x

Did you ever get a copy of BML5 from a Rogers device?
Yes, but there's a bit of a problem with that. The dump of bml5 was blank. We aren't entirely sure what's going on with our bootloaders, thus the need for someone with a JTAG to test crazy ass shiz.

edit: Although it's not a pressing issue now that we have a kernel workaround for no GB bootloaders.
 

AdamOutler

Since you have JTAG capabilities there should be no risk of bricking. Maybe you can experiment with bootloader flashing on this phone. I can link you to gb bootloaders and custom bmlwriter flashing program if you're interested.
I just gave you 1001 thanks! lol.

Just because you have a JTAG writer does not mean it's easy to JTAG a device. I would test with bootloaders if something required it, however it's not a good idea to go flashing random bootloaders ever... Only if required.

The proper way is to rework the kernel like you did.
 

Aou

Well, thanks to your original post, I was able to get something from the UART on my Infuse. Unfortunately, it's all garbage. Are you using a standard RS-232 connection, or TTL 5v connection? If using TTL 5v, would it be possible to use a TTL 3.3v? This is what I'm getting in putty:

½^ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZÚ¯¿¿¿Y=%#1¿_¿{!!'!=7/¿¯y*¿Y=%#1¿u'59¿y!£§¿g7£¿¥ë奥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥ëåëåj¤t4õ5ý¿¿¿¿¿¿¿ëåj¤Ê_5')¿¿¿¿¿ëåµ--!#¯*£ëåßg

(repeats). I get a whole new set of garbage when I put in the battery. It all looks like your video on YouTube with the Captivate, but it's just all garbage. I tracked down another forum post where you were getting garbage also, but then never posted the resolution.

Any help would be awesome. Thanks!
 

Entropy512

Senior Recognized Developer
Aug 31, 2007
14,095
25,085
0
Owego, NY
Since you have JTAG capabilities there should be no risk of bricking. Maybe you can experiment with bootloader flashing on this phone. I can link you to gb bootloaders and custom bmlwriter flashing program if you're interested.
I don't think he's got JTAG capabilities on the phone yet, and probably won't until he REALLY needs them.

Getting JTAG capability requires soldering a connector to the board permanently or semi-permanently, or soldering individual wires to the board only for the flash process. No one has been able to figure out any compression-spring/pogo-pin contact approach, the connector pad pitch is just too damn small.

Otherwise I'd probably have JTAG capability too. If not for the connector issue I'd be experimenting with a Bus Blaster v2.
 

AdamOutler

I don't think he's got JTAG capabilities on the phone yet, and probably won't until he REALLY needs them.

Getting JTAG capability requires soldering a connector to the board permanently or semi-permanently, or soldering individual wires to the board only for the flash process. No one has been able to figure out any compression-spring/pogo-pin contact approach, the connector pad pitch is just too damn small.

Otherwise I'd probably have JTAG capability too. If not for the connector issue I'd be experimenting with a Bus Blaster v2.
I can put the connector on.. assuming it's 12 pin plus 4 mounting pads? I have them in stock. It's not a problem for me to solder them. I can do it.

Does anyone have some tech porn of this board, or disassembly instructions?