New flash support in JTAG - Windows Mobile Development and Hacking General

Hi,
I have a Typhoon MyGuide 5500XL Pocket PC with an M-Systems DiskOnChip G3 flash inside. The exact flash model is MD4832-d512-V3Q18-X. On their site (www.m-systems.com) I can find that chip's specification. Everything is ok.
Then I compiled jtag 0.5.1, connected to my Pocket PC through a WIGGLER cable, and it recognized the processor. The flash was left unsupported.
I would like to write JTAG support for this DiskOnChip G3 flash. As I understand it, I should write a new file, i.e. \jtag-0.5.1\libbrux\flash\diskonchip.c, and modify the \jtag-0.5.1\libbrux\flash\jedec.c file.
But where do I start? Which methods should I implement? How do I program the flash interface according to its specification?
Give me some hints or something please. Afterwards it wouldn't be a problem to add and share DiskOnChip G3 support in jtag.
my mail [email protected]

Related

s100 and Linux

Has anyone tried to install a dual boot with Linux and GPE?
Yeah, I can get it to work. But there is no phone support! And I had a major problem getting in contact with the device (had to have a friend of mine do it) using USB. (Normally I'd use serial or compact flash for file transfers etc. when using Linux on a PPC device.)
Other than that there is not much fun having an i-mate Jam phone with no phone, so I switched back.
Will this (http://wiki.xda-developers.com/index.php?pagename=HimalayaLinuxBooting) work on the Magician too?
How do I do this? What files do I download and where can I get them? Please help.
follow the link above :wink:
Dear ALL,
1) Is there any way to have 2 operating systems (Linux and Windows) on the Magician simultaneously, like on iPAQs?
2)How to activate gsm\gprs in linux?
booting linux
Does the Himalaya kernel really boot on a Magician?
I will make a try....
BTW, porting the Linux kernel doesn't seem to be hard work (but I'm not a kernel developer), because the Magician architecture is not so far from the Himalaya one, and the PXA272 is already supported by Linux (see the Linux 2.6 sources).
The really big problem is to control all the hardware devices, from USB to touchpad, and the most important and hardest: the phone.
Hope there is as little differences as possible between HTC hardwares.

Hardware to read/write DOC on your PC

Hello,
I have an HTC Wizard without a bootloader, so the device cannot come up. I've searched the net; M-Systems provides many tools to dump from another one and then write it again.
But I don't know how to plug the DOC into a PC. What hardware did you use? How much does it cost? And is there another way to fix that?
Thanks for your help
I think this might require jtag.
Not my field
V
I'm thinking the same thing
well, anyone here tried it yet?
pmquan said:
Hello,
I have an HTC Wizard without a bootloader, so the device cannot come up. I've searched the net; M-Systems provides many tools to dump from another one and then write it again.
But I don't know how to plug the DOC into a PC. What hardware did you use? How much does it cost? And is there another way to fix that?
Thanks for your help
VJ is right, you need a JTAG programmer to reprogram an IPL/SPL-erased DOC, but JTAG cannot be connected to the DOC directly, so you need to know about the test points to connect the JTAG probes to it...
I wonder if HTC has embedded an on-board DOC programming interface in its devices, because this technique makes DOC reprogramming easier by connecting some testpoints to initiate the on-board DOC programming mechanism via the onboard mini USB connector...

HTC Hermes JTAG pins

Hi,
it's done!!!
Today I discovered the JTAG pins of the HTC Hermes.
My device got bricked and was not able to boot anymore. Not even the bootloader came up.
Anyway, I decided to do some investigation; there was nothing to lose.
Thanks to Lt.Cmdr.Ivan who discovered the JTAG pins on the universal hardware.
(It made the step successful!!!)
See the attachment!
(had to make a zip because high-resolution pix )
These are the testpoints to access Hermes main system Samsung MPU and recover OS bootloader!
To get access to the GSM chipset please have a look in the second post!
You may use this package to access the platform.
http://210.118.57.197/Products/Semi...or/ARM9Series/SC32442/JtagFlash_Prog_Code.zip
EDIT: If the link is not working, see the attachment (backup package from the Samsung site, source code included)
See the documentation in the archive for information on how to build an LPT adaptor to use this software!
EDIT: The software tool has been modified to handle the /WP issue.
See attachment MSP_HERM.zip!
What ever happens to IPL/SPL on your device, it can be recovered quite easily now, using the JTAG method!
EDIT: Added Olipro's 2.10 (Hard-SPL V7) for completeness.
This is a pure binary file, ready to flash via JTAG. Thanks again to olipro for this beautiful bunch of bits!!
EDIT: Due to the numerous questions from some users about how to go through this, here's what has already been written down all over the thread.
Follow these steps:
1. Disassemble your device (link to the Hermes Service-Manual is in the wiki).
2. Locate the JTAG pins on PCB (download/extract htc_hermes_jtag.zip -> look at the picture)
3. Use a very small soldering iron and attach some wires to the testpoints (only experienced users should do this!)
4. Use one of the wiggler clones (LPT adaptor) to build up a connection to the JTAG pins using the LPT port of your host PC.
Please have a look in the software documentation for the schematics (JtagFlash_Prog_Code.zip -> Source files and doc included).
Whatever your adaptor would look like, follow the pin assignment, that is used in the schematic (e.g. LPT pin 2 -> TCK, LPT pin 3 -> TDI, LPT pin 4 -> TMS, LPT pin 11 -> TDO)
5. Partly assemble your device and insert fully charged battery. Check all connections and press and hold power button on hermes (min 2sec.).
Though the device won't start if your bootloader is bricked, this step is necessary to activate the internal power supply.
To check if power is O.K. measure the VCC pad (VCC ~ 3.15V).
6. Use the modified Samsung software on your host (download/extract MSP_HERM.zip -> MSP_HERM.exe is a command line tool)
Please make sure that the processor is recognized. If not check all connections again!
7. Grab IPLSPL210_OLIPRO.zip, extract it and put the file in the directory where the flashing software is located.
8. Use flashing software (MSP_HERM.exe) and try to reflash your NAND.
type: MSP_HERM.exe /f:IPLSPL210_OLIPRO.bin
type: 1 to choose the flash type
NAND flash type on hermes is k9f1g08 and should be recognized
type: 0 K9f1g08 Program
Start page and block must be set to 0
9. Be patient and cross fingers while flash is programmed.
Alternatively you may grab some coffee or beer and relax!
10. Enjoy the rebirth of your device.
Credits:
A warm and healthy "Thank you!" goes out to pof, cmonex, cr2, the_dipe and the others who gave useful hints or helped testing.
Regards,
scholbert
HTC Hermes GSM JTAG pins
Hi again,
after a lot of wicked things had been done with my device, I decided to lift another secret.
I spent some time doing some investigation and managed to trace the JTAG test pins of the GSM chipset on the Hermes!
So it's done!
To be 100% secure, this has again to be verified with some software.
Work is in progress!
To solve the "noGSM" issue we need a bullet proof flash tool to rewrite the radio bootloader.
Hopefully we could get the necessary information to do so!
Maybe someday all these "no GSM" devices could be brought to life again...
at least if it's a software-related issue (e.g. broken radio bootloader)!!!
See the attachment for the pin location!
(had to make a zip because high-resolution pix)
These are the testpoints to get access to the Qualcomm GSM chipset and possibly fix broken radio bootloader!
Information about missing signals
TRST_N = could not be found (seems to be N.C.)
RTCK = could not be found (will only be needed for special debugger)
Mode0 = N.C.
We need your help!
If anyone got information about the JTAG chain of MSM6275 (BSDL file) or similar info, please PM me!
scholbert
I have used JTAG on my linksys router when I bricked it.
It's actually pretty easy to make a cable for JTAG and uploading a ROM.
Did you actually manage to revive your tytn?
Flash access
Hi,
it seems to work fine with the program from the samsung site.
I just flashed IPL & SPL to my device.
See the screenshot
scholbert
Thanks for this, I'll look into it. I'm still trying to figure out which part messed up on my phone. No power anymore, not even the charge light. Dead. Hardware? I think I burnt a capacitor because it died while charging/connected to USB. Also, I had just flashed a radio ROM, but it was successful... before it died out. Is yours the same case, that it did not even show signs of accepting power? Thanks.
I was looking at the schematics and I think I need a technician for that, but if I can revive my dead phone using that, since I'm going to try and find the messed-up capacitor anyway, I'll learn and research.
Congratulations!! this is a great and useful finding
Thanks
Hi again,
thank you for adding a link to this thread in the wiki!
Unfortunately my device still won't start
There may be something else broken.
Anyway, the JTAG thing worked very smoothly; programming is quite slow though.
O.K., but that's the bit banging (I just remember that I once flashed an image to the skeyepad and it took nearly half a day using an LPT adaptor).
sphynx88 said:
I was looking at the schematics and I think I need a technician for that, but if I can revive my dead phone using that, since I'm going to try and find the messed-up capacitor anyway, I'll learn and research.
@sphynx88:
What schematic are you talking about???
Do you have a schematic for the Hermes???
Regards,
scholbert
Schematic
Hello sphynx88,
do you have a schematic of the Hermes? I'm a technician and I'm used to JTAG programming. So if you have the schematic and I can have a look at it, perhaps I can help you bring your Hermes up again.
Greetings Pudl
More info
Hi,
first i'll have to quote myself:
scholbert said:
it seems to work fine with the program from the samsung site.
I just flashed IPL & SPL to my device.
There are some problems with rewriting flash on my device.
After some more investigation, I found out that my device still has OLIPRO'S IPL (version 1.04), but the SPL is not Hard-SPL anymore (version 2.10 "Hard-SPL").
The SPL was rewritten to the original bootloader (version 1.04).
I made some memory dumps using the JTAG tools and compared the output with the binary files.
IPL and SPL do not match, that's why my device is not booting anymore.
For some reason I am not able to rewrite the IPL with the Samsung programmer.
There are no errors, everything seems nice, but the IPL remains unchanged after programming. No idea why.
Maybe there's something special on the Hermes hardware that protects the NAND from being rewritten by default.
O.K., now that i found out what's wrong with my device, i'll have a look in the programmers source code, to understand what's going on.
I'll keep you informed about my progress
scholbert
...after having a look around, I'm quite sure that my flash is kind of blocked.
This may be caused by damaged hardware.
If anyone would try to flash some bits to his damaged Hermes, please let me know.
This would clear up whether the software provided by Samsung may be used to flash the Hermes hardware and fix broken bootloaders.
At least flash content can be read out via JTAG, that's proven.
scholbert
I have bricked my hermes too.
I will try to flash IPL and SPL with the JTAG programmer.
How can I build a bin file for the programmer from an official RUU_signed.nbh or from the extracted 00_IPL.nb and 01_SPL.nb?
Hi,
bauner said:
I have bricked my hermes too.
I will try to flash IPL and SPL with the JTAG programmer.
How can I build a bin file for the programmer from an official RUU_signed.nbh or from the extracted 00_IPL.nb and 01_SPL.nb?
It's sad that your Hermes got bricked .
Maybe it will be the first device revived by JTAG flashing.
Here we go:
00_IPL.nb and 01_SPL.nb are already binaries.
Refer to the memory map in the wiki to know where the contents have to be placed.
So you might flash them separately or build one file to flash (see attachment).
To make it easier, have a look at this slightly modified table; it shows the block numbers of the NAND flash:
Code:
------------------------------------------
0x50000000 Page0
Block0 IPL
0x5001ffff Page63
------------------------------------------
0x50020000 Page0
Block1 SPL
0x5003ffff Page63
------------------------------------------
0x50040000 Page0
Block2 SPL
0x5005ffff Page63
------------------------------------------
0x50060000
... not used
0x5009ffff
------------------------------------------
0x500a0000 Page0
Block5 CID, S/N
0x500bffff Page63
------------------------------------------
0x500c0000 Page0
Block6 WLAN
0x500dffff Page63
------------------------------------------
0x500e0000 Page0
Block7 MainSplash
0x500fffff Page63
------------------------------------------
0x50100000 Page0
Block8 MainSplash
0x5011ffff Page63
------------------------------------------
0x50120000
...
Good luck !!!!
scholbert
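As an added example (not scholbert's attachment and not the Samsung programmer), a Python script that lays 00_IPL.nb and 01_SPL.nb out at the block offsets from the table above, so the result can be programmed from block 0 / page 0, and compares a JTAG read-back against the image page by page. The 0xFF fill for unused space, the output file name IPLSPL.bin and the assumption that the programmer writes the image verbatim are mine.

```python
from pathlib import Path

# Geometry taken from the quoted table: block 0 starts at 0x50000000,
# the next block at 0x50020000, and every block spans Page0..Page63.
NAND_BASE = 0x50000000
BLOCK_SIZE = 0x50020000 - 0x50000000          # 0x20000 bytes per block
PAGES_PER_BLOCK = 64
PAGE_SIZE = BLOCK_SIZE // PAGES_PER_BLOCK      # 2048 bytes per page

# Block assignment from the table: IPL in block 0, SPL in blocks 1 and 2.
LAYOUT = {"IPL": (0, 1), "SPL": (1, 2)}        # name -> (first block, count)


def addr_to_block_page(addr):
    """Translate a NAND-mapped address into (block, page, offset in page)."""
    if addr < NAND_BASE:
        raise ValueError(f"{addr:#x} is below the NAND base {NAND_BASE:#x}")
    off = addr - NAND_BASE
    return off // BLOCK_SIZE, (off % BLOCK_SIZE) // PAGE_SIZE, off % PAGE_SIZE


def build_image(ipl, spl):
    """Place IPL and SPL at their block offsets in one image.  Unused bytes
    are 0xFF, the erased state of NAND (assumption: the programmer writes
    the image verbatim starting at block 0, page 0)."""
    total_blocks = max(first + count for first, count in LAYOUT.values())
    img = bytearray(b"\xff" * (total_blocks * BLOCK_SIZE))
    for name, data in (("IPL", ipl), ("SPL", spl)):
        first, count = LAYOUT[name]
        if len(data) > count * BLOCK_SIZE:
            raise ValueError(f"{name} is {len(data)} bytes, more than "
                             f"{count} block(s) of {BLOCK_SIZE:#x}")
        start = first * BLOCK_SIZE
        img[start:start + len(data)] = data
    return bytes(img)


def mismatched_pages(expected, dump, addr=NAND_BASE):
    """Compare a JTAG read-back with the image that was flashed, page by
    page, and return the (block, page) pairs that differ.  A write that
    reports success but leaves the flash unchanged shows up here."""
    bad = []
    for off in range(0, len(expected), PAGE_SIZE):
        if expected[off:off + PAGE_SIZE] != dump[off:off + PAGE_SIZE]:
            block, page, _ = addr_to_block_page(addr + off)
            bad.append((block, page))
    return bad


if __name__ == "__main__":
    # Input names as used in the thread; IPLSPL.bin is an assumed output name.
    image = build_image(Path("00_IPL.nb").read_bytes(),
                        Path("01_SPL.nb").read_bytes())
    Path("IPLSPL.bin").write_bytes(image)
    print(f"wrote {len(image):#x} bytes covering blocks 0-2")
```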
Thanks a lot for your help. I flashed my IPL/SPL and now my Hermes is working again.
Hey
bauner said:
Thanks a lot for your help. I flashed my IPL/SPL and now my Hermes is working again.
Congratulations!!!!
So everything went fine using the provided tools?
Did you use a wiggler (clone) for the job?
Best regards,
scholbert
Yes, everything worked fine with these tools.
I used this Interface:
Holly Gates' Schematics for the JTAG Dongle
I'm sorry to have taken so long to reply, but I gave up on my Hermes and have not been checking. I'll subscribe to this thread. After crazy searching and one site leading to another, I did find what I think were schematics for the Hermes: a service manual. It was in Chinese and I couldn't understand it, but I saw one for my Samsung which was in English, and I think it really is the service manual with schematics. I'll try and retrace my tracks. Fingers crossed.
Anyway, in my case, the phone died. Not bricked. Something inside short-circuited. It was on and charging via USB, then the next thing, when it reached 100 (because I was pretty sure it was at 90 when I started installing apps), it just died. No turning on, no nothing, not even the RLOD. I opened the case and I think there might be a fuse to the left of the charger entry; maybe changing it would simply fix the whole problem. I don't know, but hopefully my CPU isn't broken, so I may even have two phones.
JTAG flashing proven, my device definitely broken
Hi,
...anyway, in my case, the phone died. Not bricked. Something inside short-circuited.
same with my second device, sphynx88.
Something hardware related is damaged.
I may use the flash tool 1000 times, the flash seems inaccessible for programming. Maybe the WP pin is stuck to GND on my device.
Anyway, it's nice to access the device via JTAG; debuggers may be used as well.
Have fun!
scholbert
I know what's wrong
Hi again,
I can't stop my investigation and would like to bring my dead Hermes to life!
I started to look around and I found the WP testpoint.
So I made sure of what I assumed: the WP pin of the flash is tied to ground.
This prevents the NAND flash from being rewritten -> write protection!
I made some further measurements and found out that there must be a general purpose pin responsible for this function. Obviously this pin is set low during basic setup; maybe it's done in the IPL (after reset all pins are tied low by internal resistors).
The only way to find out which pin is responsible for write protection is to set some of the GP output pins to high level and measure the voltage level at the testpoint (maybe it's GPC4 because it's very close to WP).
So this goes out to pof or olipro, who have already done a lot of reverse engineering on this platform.
Any idea which pin is used for NAND write protection on the Hermes?
Regards,
scholbert

Build wince 6.0 and flash it

I don't like Windows Mobile because it differs from the PC version of Windows,
and there is no version of WM based on WinCE 6; all are based on 5.2, which limits memory usage per process to 32 MB.
So I've built WinCE 6 with the SDK from the MS site,
and I want to flash my device with it.
I have 2 files: eboot.bin and nk.bin.
When I try to flash using nk.nb0, FlashROM says that this is some kind of junk, or something like this, because its format differs from the one used in existing firmwares.
When I try to flash using eboot.bin (Ethernet bootloader),
FlashROM says that it will not flash because this is the wrong bootloader, and so on.
I've heard the letters "JTAG" but I don't know what it is and how to use it.
I have no idea how to do this. Could anyone help?
P.S.: The PPC is an Asus P750 with a PXA270 CPU (ARMv4).
I think it will be easy to handle the drivers and other stuff like this;
the main purpose is to flash and boot it.
Thanks in advance
and only silence was the answer...
you might do better for support on this over at ppcgeeks.

request: backup HTC leo 512MB .bin

Hi, I hope you can help me, because this HTC has given me headaches. The problem was with the computer software: they changed it to an official HTC system upgrade and the device died.
I have a RIFF box to restore it; the restoration process runs and ends smoothly,
but when I start it in bootloader mode, the screen goes to SPL 2.8 but will not let me start; the UCP gives me a message (invalid Vendor ID).
I cannot flash it by USB cable or SD.
So all I have left is flashing by JTAG.
Looking in forums and much googling, I found that you can flash through JTAG.
The problem is that to flash through JTAG with the RIFF box I have to have a backup from an HTC Leo 512MB in .BIN format.
I only found a .bin for the 1024 MB version.
My request is: does any of you have the file I need? If it's not too much bother, could someone help me?
You requested in the wrong place. First of all, this section is for the LEO1024 GSM, not for the LEO512 GSM.
If you own a JTAG box, then why not contact the author of the box? As far as I know RIFF has a section at Gsmhosting. Please make a request over there, or contact Mr Legija personally.
