Best way to hack this board - Hardware Hacking General

Dear Hackers,
(I'm looking for a way to upload the images of the board...)
I am new to hardware hacking, but I really enjoy the thoughts.
There are a few questions I have:
1: I would like to know if there is potential for serial communication based on observation.
2: Is there a possibility to solder onto the board to read/write to the eMMC chip (without desoldering)?
The board is an (Android 10) radio for a car.
If there is an easier route to root, please let me know.
Cheers,

Related

Help Needed to Upgrade The PPC 6800 RAM

I'm not sure but I think it needs special tools... at least a lot of other PPCs do.
So it is possible??
I want to upgrade my 6700 to the 6800 but the lack of RAM has me going for the Touch. I don't want to give up the keyboard and wifi but it seems worth the sacrifice. But if it is possible to upgrade the RAM on the 6800, well, that changes everything.
Could someone with experience pls give some feedback on the matter.
Thanks
Yes it is possible, everything is possible. I'm not an expert, meaning I'm not an engineer, but I'm IPC 610 certified, I know A+ and Network+ and more. I have worked directly with engineers developing and designing all kinds of motherboards. I know the tools needed and I also know that maybe we will need to buy a high amount of chips from the factory. I am interested in knowing if anyone can tell me, before voiding my warranty, what the exact chip is and who the vendor is, so I can start working with some of my friends soldering and upgrading the RAM...
you need to be able to reliably solder mBGA components and be able to modify the bootloader/kernel to use that amount of ram
I know how to solder SMT components... that is not a problem, I worked as QC inspector of SMT components....
how did you manage to transpose your accent in your post?
I think the possible destruction of your Device is not worth the hassle... but you're welcome to try.
Do tell if you manage to pull it off successfully
Yeah, it is possible. Since you seem to already know about SMT rework and have access to proper tools, there's a fair chance you actually succeed. To get the proper chip you would probably need to open up your device and see the part number of your current RAM chip and search for its datasheet. Based on that, you'll need to choose exactly the same kind (same memory type, same timings, same pinout, preferably the same manufacturer) of memory, but of bigger capacity.
There are even some companies offering PocketPC upgrade service (just run a google search for PocketPC RAM upgrade).
And as far as i know, WinMo will use the bigger ram chip without any bootloader/kernel modifications, just like your PC (at least a winCE 4 Simpad did) - but you'll need to do some more research here since i never tried it personally and can't guarantee anything.
Unfortunately, BGA chip type limits you to 128MB ram (as far as i know, it's the biggest capacity you'll get in a single chip). In case of SOT/TQFN memory it was possible to solder a second chip on top of the old one (however i don't remember the exact details), therefore doubling the RAM size. Obviously, it's not possible with BGA, and even if it was, there's simply no room for that inside a modern device

The All-In-One GalaxyS Hack Pack

Background:
Since I'm a ROM developer, and I've recommended using ODIN3 in the past, I feel obligated to help unbrick phones. Investigation of unbricking methods for Galaxy S phones involves a lot of hacking since documentation is not available on the Samsung Galaxy S line of phones.
Myself and others have been doing some work on trying to revive bricked phones...
Ever tried JTAG unbrick recovery? -- superhuman soldering skills no longer required for JTAG
Developing methods to recover bricks without JTAG -- I keep this updated with current information as it develops.
ALL JIG VALUES here! -- this will give you some resistor values to try
Altered water damage indicators -- um... just in case you lick your battery and need warranty replacement
Galaxy S UART JIG & Debugging Connector -- the hardware required for UART communications
Let's save some bricks... -- Detailed hardware and software hacking in an attempt to bring gt-i9000s back to life, this is where the real hardware/software hacking is going on.
We'd appreciate more help in these threads....
Introduction:
However, you are here looking for the GalaxyS Hack Pack. During the last few months I've been collecting software and resources. This package contains everything known to help with research, investigation, security and hacking on GalaxyS phones and the Android platform. I'm not helping you root your phone, nor providing market applications. This package is not intended for new users. You are expected to be an advanced user capable of reading.
Warning:
This package contains binaries capable of bricking your phone. I have not yet mastered all of them.
Included in the package:
Android binaries go in /system/bin
bash 4.1 - the best scriptable shell ever
i2cdetect - tool for i2c communications
i2cdump - dumps data from i2c
i2cget - requests data from i2c
i2cset - sends data to i2c
tcpdump - view inbound and outbound communications packets
viewmem - view memory at any location in the phone
Windows Software
AttachHeader - used for attaching a header for USB boot over OTG line.
hypertermina - sets up hyperterminal on Windows Vista and higher computers
moviNAND_Fusing_Tool & 512K-boot - prepares an MMC card for booting
windows-dltool - allows terminal comms and transfers files over UART for booting
Useful Reading Material
GalaxyS i9000 service manuals - Contains 14 different levels of service manuals for GT-I9000 and are 90% valid for all SGS devices
ODROID-7 - technical manual for the development platform for our phones.. Someone translate please
Datasheets
FSA928-A_88A_full - USB Switch chip which responds to resistors and routes communications around the phone
S5PC110_EVT1_UM10 - The processor which drives our phones, the datasheet is 2400 pages long and contains a lot of useful information
Disassembled binaries
bootdumps - disassembled and annotated IROM and PBL
Arduino Code
SerialConnector - Allows for UART communications with the Android Open Accessory Platform/Arduino Mega.
JTAG
Various items - Generic reading material collected about JTAG on a GalaxyS phone
Phone Specific
Various items - Images and documentation on specific models of phones.
Download GalaxyS Hack Pack v2
Please note, a very small amount of the files included in the hack pack are my original work. They have mostly been collected over months of searching. I am providing this as a resource for those wanting information on our devices. Over time this file will grow larger. I will continue to update and maintain this compilation.
Additional Resources:
Heimdall: An Open-Source replacement for Odin http://forum.xda-developers.com/showthread.php?t=755265
Heimdall One-Click: A repackagable one-click software uploading method http://oneclick.adamoutler.com
One-Click UnBrick: A piece of software which removes the bootlocks that cause Phone--/!\--PC http://forum.xda-developers.com/showthread.php?t=1153310
UnBrickable Mod: This is a hardware modification that allows upload of custom firmware including uploading Download Mode to a dead device: http://forum.xda-developers.com/showthread.php?t=1236273
ModeDetect for Linux: This piece of software will let you know what mode your device is currently in, regardless of what is on-screen: http://forum.xda-developers.com/showthread.php?t=1257434
Using internal UART for debugging: This utilizes an external adapter to hook to UART inside the device to show what is happening on the System-On-a-Chip http://forum.xda-developers.com/showthread.php?t=1235219
bhundven said:
I've also just found these links to also be very helpful:
http://forum.xda-developers.com/showthread.php?t=1209288
http://forum.xda-developers.com/showthread.php?p=13473163 (By: UberPinguin)
Please post anything you feel should be included in this distribution.
Credits:
TheBeano - compiled i2c libraries
Samsung - GT-I9000 manuals/software
???? - shoot me a PM or post here to be added to this list.
Looks awesome man thanks for all your hard work for the community!
Sent from my GT-I9000 using XDA App
Sweet! Can't wait to see what it leads to!
(being the brickaphobic i am.)
I just realized that s5pc110 manual seems to be... incomplete.
There is no info about LCD FIMD and MDNIE controllers, which are most likely inside of there, or are at least mapped somehow in CPU. Their SFRs aren't even mentioned in the manual, but are present and used in SBL and files in kernel/driver/video/samsung/ of kernel src (just try to find 0xF8200000 or 0xFAE00000 for example in the cpu manual).
Probably docs about that can be called S3CFB documentation or something like that (so is called the driver)
If you have got any closer info about it - I'd be glad to see it. I'm analyzing the screen init sequence but it isn't fully possible without docs. :/
Updated. Added pictures of internals and other information.
thanks so much for sharing! genius, you are brilliant!
this is a new level of hacking and freedom. just be careful
can't wait to see what this brings for new tools, etc.
mega thanks man =D
now that there is galaxy s2 abundance
i'm really thankful for the support we could still find on xda regarding our precious i9000
thanks a lot for this hard work
Will it be available for Galaxy Ace?
palito1980 said:
Will it be available for Galaxy Ace?
I have not come across anything for the Ace. If you'd like to contribute, I'll add it.
THANK YOU SO MUCH!! lol
Information is very useful. Thank You!
AdamOutler said:
Background:
Since I'm a ROM developer, and I've recommended using ODIN3 in the past, I feel obligated to help unbrick phones.
My good sir, I have but one thing to say:
I love you.
Infuse Speaker, Earphone Issue
Hi Team,
Actually I got my Infuse and found that everything else is working fine except the earphone, Mic and Speaker plus the earphone jack. So I am not able to hear any call or voice on phone. However I am able to dial and receive calls but with no voice. Although I tried using a stereo Bluetooth headphone, unfortunately phone calls are not audible via Bluetooth; however I am able to listen to music and videos via Bluetooth.
I took the phone for repair and they told me it's water damaged.. and they need the PCB diagram for repairing it. So I am wondering if someone can help me with the Diagram or some kind of documentation for the same.
Appreciate your time and reply..!!!
Regards
Gaurav
You realize this is the Captivate forum, not the Infuse.
The GalaxyS Hack Pack covers infuse too. It's practically the same processor... it's more GalaxyS2ish in its design, but same basic GalaxyS hardware. I don't have an answer for this question though... This isn't Q&A and it's more of an informational thread.
The community and I thank you!!! U saved my brick!!!
seiledt12 said:
The community and I thank you!!! U saved my brick!!!
It means more if you hit the thanks button. A Guy with 11 posts cannot speak for the community.
Would this work with the vibrant?
Yes, anything that applies to Captivate applies to Vibrant. They're practically the same phone.

A101it mainboard hacking and chipset information

Hi,
as i wrote in another thread, i purchased a bricked A101.
There's no response from the system so i decided to start investigation on the hardware.
A101it chipset information:
Processor
• Ti OMAP3630 (515-pin CBB/P BGA package) ARM Cortex A8 at 1 GHz with DSP
• POWERVR SGX530 Graphic accelerator: 3D OpenGL ES 2.0
Memory
• 256MB LPDDR SDRAM (168-pin PoP BGA package) soldered on top of OMAP3630
• 8/16GB eMMC (169-pin BGA package) connected to OMAP3630 internal mmc2 interface
Interfaces
• USB slave 2.0 (OMAP3630 internal interface, MicroUSB connector)
• USB host interface (TPS65921 host interface, Type A connector)
• Micro SD slot (OMAP3630 internal mmc1 interface, SDHC compatible)
Display subsystem
• ChiMei 10.1" TFT-Display N101L6-L02 (18Bit-LVDS interface)
• Ti SN75LVDS83B LVDS transmitter (56-pin BGA package)
Touchscreen subsystem
• Pixcir capacitive touchscreen unit (TR16C0 controller, USB interface)
• Ti TUSB2551A USB transceiver (16-pin QFN package)
HDMI subsystem
• NXP TDA19989AET 24-Bit HDMI transmitter
• HDMI output (19-pin Mini HDMI connector)
Communication
• Ti WL1270/1 WiFi (802.11 b/g/n)
• Ti WL1270/1 Bluetooth 2.1 EDR
Miscellaneous
• Built-in speaker
• Built-in Microphone
• Freescale MMA7660FC G-sensor
• OmniVision OV7675 VGA camera (0.3M)
Power source
• Ti TPS65921 power management chip
• Intersil ISL9220 LiPo charger
• Internal: Lithium Polymer battery
• External: 5V/1A Power adapter/charger
To get some detailed information about these chips, i made a sweet datasheet collection.
Grab the zip-file here.
TBC...
EDIT: The brick issue is solved.
The platform did not boot up due to a broken connection to onboard RAM.
This thread will present various hacks and other stuff a geek might have fun with
Read on for some more information.
So here's my first result:
I successfully located the sys_boot signals of the OMAP3630.
I made a first test by changing the default boot mode.
With sys_boot5 pulled high the boot order changes to peripheral boot first.
In other words you may use this tool to directly access the OMAP memory (e.g. RAM).
In theory it should also be possible to boot the device from external microSD as well, but at factory default the microSD slot is covered by power management. In other words, power is switched off at boot time.
This could be hacked as well
My attempt will be to un-brick my device by using external boot mechanism.
Maybe i'll need some help at a later point!
EDIT: Peripheral boot modes have been successfully verified.
It definitely works on the Archos 101. Perhaps this may be useful for some open bootloader project.
Anyway, i already discovered some other things that might be helpful for hardware hackers. So if you are kind leave a comment or ask some questions.
Stay tuned!
scholbert
Oh, that's interesting ... I don't know anything about hardware hacking but I'd like to learn hope you will show us ... keep on the good effort ... and I'll keep an eye on this tread .... might come handy ... jejeje
sounds great, keep on rolling
peripheral boot
Hi,
thanks for your replies.
So as expected using peripheral boot over USB/UART is working (sys_boot5 pulled high).
At least the ASIC ID is sent correctly and the initial communication starts.
See the screenshot attached.
Flash V1.6 also got a eMMC driver included.
So this could be the way.
Right now there's an error message:
Code:
Unknown status message 'dKAYd 2nd stdrted?' during peripheral boot (waiting for 2nd)
I guess the response should be: OKAY! 2nd started?
EDIT:
MMMh strange... i'll have to find out who is generating this message.
If it is coming from OMAP the SDRAM setup should be verified.
Seems that the LSB byte stuck @ 0x64.
Code:
dKAYd 2nd stdrted?
ascii = dKAY -> hex = 0x59414b64 (msb..lsb)
ascii = d 2n -> hex = 0x6e322064
ascii = d st -> hex = 0x74732064
ascii = drte -> hex = 0x65747264
ascii = d? -> hex = 0x00003F64
See the session log file for more details!
Anyway i just started to play around... maybe some tweaks in the configuration are needed
Have fun!
scholbert
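The hex breakdown in the post above can be checked mechanically by splitting both strings into byte lanes (byte offset modulo the word size). This is an added example, not code from the thread; it assumes 32-bit little-endian words as in the post's breakdown and takes the poster's guessed reply as the expected data.

```python
# Added example: per-byte-lane analysis of the corrupted status string.
WORD_BYTES = 4  # 32-bit words, matching the hex breakdown in the post

RECEIVED = b"dKAYd 2nd stdrted?"  # string quoted in the error message
EXPECTED = b"OKAY! 2nd started?"  # the poster's guess at the intended reply


def words_le(data, word_bytes=WORD_BYTES):
    """Pack bytes into little-endian words (first byte lands in the LSB)."""
    return [int.from_bytes(data[i:i + word_bytes], "little")
            for i in range(0, len(data), word_bytes)]


def lane_report(expected, received, word_bytes=WORD_BYTES):
    """Return one dict per byte lane; lane 0 is the LSB of each word."""
    if len(expected) != len(received):
        raise ValueError("expected and received must have equal length")
    report = []
    for lane in range(word_bytes):
        exp = expected[lane::word_bytes]
        got = received[lane::word_bytes]
        errors = sum(e != g for e, g in zip(exp, got))
        wrong_bits = 0
        for e, g in zip(exp, got):
            wrong_bits |= e ^ g  # bits that came back wrong at least once
        # "Stuck" means the lane has errors and returned one constant value.
        stuck_at = got[0] if errors and len(set(got)) == 1 else None
        report.append({"lane": lane, "errors": errors, "samples": len(got),
                       "wrong_bits": wrong_bits, "stuck_at": stuck_at})
    return report


def diagnose(expected, received, word_bytes=WORD_BYTES):
    """Summarise the corruption pattern in one line."""
    bad = [r for r in lane_report(expected, received, word_bytes)
           if r["errors"]]
    if not bad:
        return "no corruption"
    if len(bad) == 1 and bad[0]["stuck_at"] is not None:
        return "byte lane %d stuck at 0x%02x" % (bad[0]["lane"],
                                                 bad[0]["stuck_at"])
    return "errors in lanes %s: not a single stuck lane" % (
        [r["lane"] for r in bad],)


if __name__ == "__main__":
    print(["0x%08x" % w for w in words_le(RECEIVED)])
    for row in lane_report(EXPECTED, RECEIVED):
        print(row)
    print(diagnose(EXPECTED, RECEIVED))
```

Errors confined to one lane with a constant value implicate something shared by that byte lane, which is a different signature from scattered bit errors across all lanes.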
Pretty Cool
Thanks for attesting coolness
Made some further tests... though my time is really limited right now.
I found out that the message is sent from the 2nd loader which is used for Ti's Flash tool.
So this might indicate that there's something wrong with my memory or memory bus.
I re-checked the RAM setup scripts for the Ti tool again but could not find any error. Reduced the timing as well. Still got that message...
It's very strange that the pattern really seems to stick, which is unusual for damaged memory... i will report further findings.
Anyway this is open discussion, feel free to post
Cheers,
scholbert
Nice try. Can you tell us about the RAM, it's built in the mainboard or changable?
We already know that, it's built-in ^^
(some have opened their Archos before ^^)
trungvn1988 said:
Nice try. Can you tell us about the RAM, it's built in the mainboard or changable?
http://forum.archosfans.com/viewtopic.php?f=74&t=42806
Soldered on, not changable by anyone with home soldering tools. Very small ball soldering. I gave it an attempt, even got a replacement 1GB RAM module as a test piece... Didn't work out well for me.
I'll definitely be keeping an eye on this topic, seems like some good information might come of it.
.............yippie yeah it's working out!!!!
Thanks for the feedback
First i'll have to quote myself:
It's very strange that the pattern really seems to stick, which is unusual for damaged memory... i will report further findings.
Guess what...... it's fixed!!!!!
I really go crazy. See attached log file.
External boot over USB and 2nd loader started up successfully, using the Ti tool.
So RAM is working now!
This definitely saved my day...
What happened exactly?
As i pointed out, the data on memory bus stuck at 0x64, so i assumed there was an issue with DQM/DQS signals on PoP memory.
See some related documents about the function of these signals on RAM chips.
The DQM/DQS were not toggled in the right way because of bad soldering at the PoP memory chip.
See the attached pic for the exact position of these signals (marked in red).
The chip itself is soldered on top of the OMAP3630.
In the end i used a hot-air solder gun and some soldering flux and fixed the broken connection. In fact i used this "technique" some time ago to fix a "No GSM" issue on HTC Hermes.
Though i'm very excited right now, i'll have to take a break for today, because i have a date
Harfainx said:
I'll definitely be keeping an eye on this topic, seems like some good information might come of it.
Yes i'll try my very best
Kind regards,
scholbert
Guy, it's so nice! Keep up the good work!
datasheet collection
Hey,
i was lucky last week. My device is up and running.
Fortunately the eMMC data structure was O.K. In the end my device refused to boot, because of that broken connection to the RAM.
So there'd been no need to fiddle around with eMMC for now.
Maybe i'll do some investigation at a later point.
Feel free to set up your device for peripheral boot and try the Ti Flash tool debugging possibilities.
Right now i decided to re-assemble the device and use it for a while.
I must assume that i know nothing about the internal structure of the firmware. So it would be essential to get some insights
I got some additional information about the eMMC/microSD data lines.
If there's some interest i might post further pics.
To get some background about the chips on the A101 mainboard, i collected some datasheets of the main components.
Grab the zip-file here.
Most of them are easy to find, others are not
Anyway, saves your time i guess.
BTW, is there any tool to unpack gen8 AOS files?
Regards,
scholbert
yes it would be great if we could find one, maybe we could find a way to get inside and change some things
scholbert said:
...
Most of them are easy to find, others are not
Anyway, saves your time i guess.
BTW, is there any tool to unpack gen8 AOS files?
Regards,
scholbert
As far as i know we can't extract aos files since they are encrypted and we don't have the proper KEY - it's saved inside the device somewhere
But good luck with going on! Rly sounds interesting who knows what it's good for in future
good news - check out:
http://forum.xda-developers.com/showthread.php?t=1214674
seems we got a way to extract soon
..... uuuh great!!!
FrEcP said:
good news - check out:
http://forum.xda-developers.com/showthread.php?t=1214674
seems we got a way to extract soon
Yupp, that's awesome. I just joined that thread.
In the meantime i disassembled my device again, because i want to spend some more time on research.
I found out some more details about the chips and the design in general.
The A101 seems a pretty neat device for extensive hacking, because archos did a good job and made a very clear design.
I started to prepare a pin map by looking at the kernel sources again.
Maybe i'll be able to find some other useful testpoints on the mainboard (e.g. UART2)
As you might know, the touchscreen is connected to USB using OHCI mode.
To attach it to the OMAP ports they also used a chip from Ti.
See this datasheet for more information:
http://focus.ti.com/docs/prod/folders/print/tusb2551a.html
If i'll find some time i'll try to make kind of a floor plan from the mainboard and post some pics as well.
P.S.: If someone knows the manufacturer of the speaker drivers, please tell me! The parts are marked as 8JAM892 and are located near the soldering points for the speaker.
Keep on hackin'
scholbert
What I would like to find out is what component it is that dies when the USB port fails (and it stops sleeping as well). Maybe it's replaceable (if you can do SMD soldering).
pbarrett said:
What I would like to find out is what component it is that dies when the USB port fails (and it stops sleeping as well). Maybe it's replaceable (if you can do SMD soldering).
Mmmh... without being affected by this issue it's hard to tell.
If the port dies, there could be many reasons of course.
Maybe the 5V power supply for Vbus is dying on these devices, due to "over-current" issue. I have not identified that part right now.
The signal lines itself usually won't be harmed... apart from injecting ESD pulses right to the connector.
The USB host port is directly connected to data lines of the USB PHY inside TPS65921 (Power Management chip).
OMAP3630 itself uses ULPI mode to connect to this part.
That's all i could say for now.
Regards,
scholbert
FrEcP said:
good news - check out:
http://forum.xda-developers.com/showthread.php?t=1214674
seems we got a way to extract soon
If we can't extract those AOS files - how are custom ROM builders such as $auron getting their hands on the upper layer of the firmware? I know I am not expressing myself technically correct, but what I understand is that for instance $auron's UrukDroid is a custom Linux kernel etc. with on top of it the modules, GUI etc of the official Archos packages...
you don't need to extract the aos file to get the filesystem of the archos android. you simply have to root your device or just install angstrom (which comes with SDE) and then you can copy the squashfs file to your computer so you can extract whatever you need. it's not encrypted but signed, you only have to skip the first 256 bytes (if I remember correctly) of the file to get a valid squashfs image.
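Since the header length in the reply above is given from memory, a firmware analyst can locate the filesystem by its magic and validate the superblock rather than hard-coding an offset. This is an added example, not code from the thread; it assumes a little-endian SquashFS 4.x superblock layout, and the sample image with its 256-byte header is constructed for illustration.

```python
# Added example: find a SquashFS image behind a vendor header by magic
# and sanity-check the superblock before carving it out.
import struct

MAGIC = b"hsqs"                    # SquashFS magic in little-endian images
SB_FMT = "<4sIIIIHHHHHHQQ"         # superblock up to bytes_used (4.x layout)
SB_LEN = struct.calcsize(SB_FMT)   # 48 bytes


def parse_superblock(data, off):
    """Return superblock fields at `off`, or None if they are implausible."""
    if off + SB_LEN > len(data):
        return None
    (magic, inodes, _mtime, block_size, _frags, comp, block_log, _flags,
     _ids, major, minor, _root, bytes_used) = struct.unpack_from(
        SB_FMT, data, off)
    if magic != MAGIC or major != 4:
        return None
    # Block size must be a power of two between 4 KiB and 1 MiB and must
    # agree with its stored log2; this rejects stray "hsqs" byte runs.
    if not 12 <= block_log <= 20 or block_size != 1 << block_log:
        return None
    if bytes_used < SB_LEN or off + bytes_used > len(data):
        return None
    return {"offset": off, "inodes": inodes, "block_size": block_size,
            "compression": comp, "version": (major, minor),
            "bytes_used": bytes_used}


def find_squashfs(data):
    """Return the first offset holding a plausible superblock, else None."""
    pos = data.find(MAGIC)
    while pos != -1:
        sb = parse_superblock(data, pos)
        if sb is not None:
            return sb
        pos = data.find(MAGIC, pos + 1)
    return None


def carve(data):
    """Return the filesystem bytes, sized by the superblock's bytes_used."""
    sb = find_squashfs(data)
    if sb is None:
        raise ValueError("no valid SquashFS superblock found")
    return data[sb["offset"]:sb["offset"] + sb["bytes_used"]]


def build_sample():
    """Constructed test image: 256-byte header with a decoy magic, then a
    minimal superblock padded to its declared size, then trailing bytes."""
    header = bytearray(256)
    header[16:20] = MAGIC  # decoy that must fail validation
    fs_len = 96
    sb = struct.pack(SB_FMT, MAGIC, 1, 0, 131072, 0, 1, 17, 0, 1, 4, 0,
                     0, fs_len)
    return bytes(header) + sb + bytes(fs_len - len(sb)) + b"TRAILER"


SAMPLE = build_sample()

if __name__ == "__main__":
    print(find_squashfs(SAMPLE))
    print(len(carve(SAMPLE)), "bytes carved")
```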

Wiring sensors to android phone motherboard ???

Hi,
I am new to android hardware (have some experience with programming for Dalvik & NDK). I have an idea to use my old Android phone as a robot OS. However for that I'd need to connect more sensors to my device. I know this could be done over BT, but I am more thinking of wiring them to the OS. Is there anyone here that has any experience with that / know any link talking about that?
I am mostly thinking about connecting an array of microphones to the Android motherboard ...
Thanks in advance for your help...
Shahab.
shahab.fm said:
Hi,
I am new to android hardware (have some experience with programming for Dalvik & NDK). I have an idea to use my old Android phone as a robot OS. However for that I'd need to connect more sensors to my device. I know this could be done over BT, but I am more thinking of wiring them to the OS. Is there anyone here that has any experience with that / know any link talking about that?
I am mostly thinking about connecting an array of microphones to the Android motherboard ...
Thanks in advance for your help...
Shahab.
find a port that will accept it, and mod the OS to accept it and you should be fine
shahab.fm said:
I am mostly thinking about connecting an array of microphones to the Android motherboard ...
Depending on what you do with the audio from those microphones you're going to need support hardware (op-amps, etc.). I think you'd be better off using an intermediary device to interpret the audio and then send it to the Android device as serial data through the USB port. This can be done with an IOIO board, Arduino, etc.
I will try with IOIO to see how it goes
Hi,
I guess I would be trying IOIO in first attempt and see if I can find anything similar to IOIO but working with Bluetooth instead ...
Thanks for your help.
Bluetooth is definitely the simplest option to get going with.
If your phone and OS support USB host mode, then the other option is to use USB. I'm not sure what sound card support is like in Android, but if all else fails you could make your own USB device with an Arduino or similar to do the signal processing. Of course, then you might not need the phone...
If you have mad electronic and soldering skills you might also be able to hack into an I2C bus line. You'd then need to add some driver (maybe kernel support) for the device(s). But this would probably only work for sensors other than microphones (they're probably too high bandwidth for this method and probably don't use I2C anyhow).
I've dreamed of adding a flash LED to my phone in this way but been put off by the difficulty of the electronics and programming of it all and the fact I'd need to make an ugly case mod
This is way dirtier than just using Bluetooth or USB but I'd love to see someone try it

DishTV s8100-zc (dvb-s2 msd7s75) Mstar CPU

I have a DishTV s8100-zc, which is the branded name of what I think is a msd7s75 board with a Mstar CPU.
What I want to do with it is to flash it with something that isn't the stock NZ firmware (locked to use freeview apps, which is now defunct). Anything modular would do, BSD running Kodi for instance, but some flavour of Android would be best. I know this board can run Android TV because I've seen new devices with the same board being sold new with Android on them (from Alibaba of course, so no useful information to be had there). It can be flashed via a rom file on a USB stick.
The first step here is to identify what the SoC in this thing is - I know it's an Mstar, but after that I'm a bit stumped. Is there any way of finding out? Or is there a rom that works on all (or even most) Mstars I could try? I can't look directly at the chip because it has a heat-sink glued to it and I don't want to damage the chip trying to remove the sink.
Any thoughts would be appreciated - thanks!
