Related
Subj. Does anybody research the JTAG way?
I have an information what pins on PXA272 are JTAG interface. But I don't know where it's pins traced out on mainboard. The separation of PXA272 from mainboard is impossible in my case(for a while).
Does anybody know JTAG pins on mainboard for ATOM?
What tools for PC can support JTAG? Can I make a LPT-device for the connection PDA to PC by JTAG?
Did you find jtag pimout yet ? I have the same problem as yours, dead atom !
Basicly, I've seen couple connector in PDA which I believe are JTAG pinout, I've seen it in ETEN and in Atom it seem placed near the simcard holder. You'll see eight gold circle contact on the PCB, I believe six of them are JTAG pinout.
But still can't find the info about those specific pinout.
Still find the soft, mostly run under linux needed in win
I guess JTAG is my only option for waking up my atom, so if you have any info regarding this matter, would you please share with me ??
Thank you
Hi,
i found some pins on my mobile phone that mostlikely will be some jtag pins
(since i found serial already).
Now hard part is to find what pin is jtag and what not.
I am not seem to be able to find information how i can eliminate pins.
Does anyone of you have any tips or howto´s?
ps desoldering mt fpga cpu is not an option
thanks!
No-one?
Common guys (&girls) !
I remember it here as the forum to get such help or information!
I am sure plenty of you guys should have experiences with jtag´ing
mobile devices!
Maybe i did not post enough information;
it has an arm s3c6410 (pins are hidden under the fpga),
so i know it has jtag and serial debug (witch i found).
My device has +-22 pins around the simholder that are reachable and show some reading while testing voltages , a few of them should be jtag since there are no other testpins on the pcb..
So if any of you could point me to a howto or
explains how to find some important pin(s) i think i can manage it.
Hi,
as i wrote in another thread, i purchased a bricked A101.
There's no response from the system so i decided to start investigation on the hardware .
A101it chipset information:
Processor
• Ti OMAP3630 (515-pin CBB/P BGA package) ARM Cortex A8 at 1 GHz with DSP
• POWERVR SGX530 Graphic accelerator: 3D OpenGL ES 2.0
Memory
• 256MB LPDDR SDRAM (168-pin PoP BGA package) soldered on top of OMAP3630
• 8/16GB eMMC (169-pin BGA package) connected to OMAP3630 internal mmc2 interface
Interfaces
• USB slave 2.0 (OMAP3630 internal interface, MicroUSB connector)
• USB host interface (TPS65921 host interface, TYP A connector)
• Micro SD slot (OMAP3630 internal mmc1 interface, SDHC compatible)
Display subsystem
• ChiMei 10.1" TFT-Display N101L6-L02 (18Bit-LVDS interface)
• Ti SN75LVDS83B LVDS transmitter (56-pin BGA package)
Touchscreen subsystem
• Pixcir capacitiv touchscreen unit (TR16C0 controller, USB interface)
• Ti TUSB2551A USB transceiver (16-pin QFN package)
HDMI subsystem
• NXP TDA19989AET 24-Bit HDMI transmitter
• HDMI output (19-pin Mini HDMI connector)
Communication
• Ti WL1270/1 WiFi (802.11 b/g/n)
• Ti WL1270/1 Bluetooth 2.1 EDR
Miscellaneous
• Built-in speaker
• Built-in Microphone
• Freescale MMA7660FC G-sensor
• Omnivison OV7675 VGA camera (0.3M)
Power source
• Ti TPS65921 power management chip
• Intersil ISL9220 LiPo charger
• Internal: Lithium Polymer battery
• External: 5V/1A Power adapter/charger
To get some detailed informations about these chips, i made a sweet datasheet collection.
Grab the zip-file here.
TBC...
EDIT: The brick issue is solved.
The platform did not boot up due to a broken connection to onboard RAM.
This thread will present various hacks and other stuff a geek might have fun with
Read on for some more information.
So here's my first result:
I successfully located the sys_boot signals of the OMAP3630.
I made a first test by changing the default boot mode.
With sys_boot5 pulled high the boot order changes to peripheral boot first.
In other words you may use this tool to directly access the OMAP memory (e.g. RAM).
In theory it should alos be possible to boot the device form external microSD as well, but at factory default the microSD slot is covered by power management. In other words, power is switched off at boot time.
This could be hacked as well
My attempt will be to un-brick my device by using external boot mechanism.
Maybe i'll need some help at a later point!
EDIT: Peripheral boot modes had successfully been verifed.
It definitely works on the Archos 101. Perhaps this may be useful for some open bootloader project.
Aynway, i already discovered some other things, that might be helpful for hardware hackers. So if you are kind leave a comment or ask some questions.
Stay tuned!
scholbert
Oh, that's interesting ... I don't know anything about hardware hacking but I'd like to learn hope you will show us ... keep on the good effort ... and I'll keep an eye on this tread .... might come handy ... jejeje
sounds great, keep on rolling
peripheral boot
Hi,
thanks for your replies.
So as expected using peripheral boot over USB/UART is working (sys_boot5 pulled high).
At least the ASIC ID is send correctly and the initial communication starts.
See the screenshot attached.
Flash V1.6 also got a eMMC driver included.
So this could be the way .
Right now there's an error message:
Code:
Unknown status message 'dKAYd 2nd stdrted?' during peripheral boot (waiting for 2nd)
I guess the response should be: OKAY! 2nd started?
EDIT:
MMMh strange... i'll have to find out who is generating this message.
If it is comming from OMAP the SDRAM setup should be verified.
Seems that the LSB byte stuck @ 0x64.
Code:
dKAYd 2nd stdrted?
ascii = dKAY -> hex = 0x59414b64 (msb..lsb)
ascii = d 2n -> hex = 0x6e322064
ascii = d st -> hex = 0x74732064
ascii = drte -> hex = 0x65747264
ascii = d? -> hex = 0x00003F64
See the session log file for more details!
Anyway i justed started to play around... maybe some tweaks in the configuration are needed
Have fun!
scholbert
Pretty Cool
Thanks for attesting coolness
Made some further tests... though my time is really limited right now.
I found out that the message is send from 2nd loader which is used for Ti's Flash tool.
So this might indicate that there's something wrong with my memory or memory bus.
I re-checked the RAM setup sripts for the Ti tool again but could not find any error. Reduced the timing as well. Still got that message...
It's very strange that the pattern really seems to stick, which is unusual for damaged memory... i will report further findings.
Anyway this is open discussion, feel free to post
Cheers,
scholbert
Nice try. Can you tell us about the RAM, it's built in the mainboard or changable?
We already know that, it's built-in ^^
(some have opened their Archos before ^^)
trungvn1988 said:
Nice try. Can you tell us about the RAM, it's built in the mainboard or changable?
Click to expand...
Click to collapse
http://forum.archosfans.com/viewtopic.php?f=74&t=42806
Soldered on, not changable by anyone with home soldering tools. Very small ball soldering. I gave it an attempt, even got a replacement 1GB RAM module as a test piece... Didn't work out well for me.
I'll definitely be keeping an eye on this topic, seems like some good information might come of it.
.............yippie yeah it's working out!!!!
Thanks for the feedback
First i'll have to quote myself:
It's very strange that the pattern really seems to stick, which is unusual for damaged memory... i will report further findings.
Click to expand...
Click to collapse
Guess what...... it's fixed!!!!!
I really go crazy. See attached log file.
External boot over USB and 2nd loader started up successfully, using the Ti tool.
So RAM is working now!
This definitely saved my day...
What happened exactly?
As i pointed out, the data on memory bus stucked at 0x64, so i assumed there was an issue with DQM/DQS signals on PoP memory.
See some related documents about the function of these signals on RAM chips.
The DQM/DQS where not toggled in the right way because of bad soldering at the PoP memory chip.
See the attached pic for the excact position of these signals (marked in red).
The chip itself is soldered on top of the OMAP3630.
In the end i used a hot-air solder gun and soem soldering flux and fixed the broken connection. In fact i used this "technique" some time ago to fix a "No GSM" issue on HTC Hermes.
Though i'm very excited right know, i'll have to make a break for today, because i have a date
Harfainx said:
I'll definitely be keeping an eye on this topic, seems like some good information might come of it.
Click to expand...
Click to collapse
Yes i'll try my very best
Kind regards,
scholbert
Guy, it's so nice! Keep up the good work!
datasheet collection
Hey,
i was lucky last week. My device is up and running.
Fortunately the eMMC data structure was O.K. In the end my device refused to boot, because of that broken connection to the RAM.
So there'd been no need to fiddle around with eMMC for now.
Maybe i'll do some investigation at a later point.
Feel free to set up your device for peripheral boot and try the Ti Flash tool debugging possibilities.
Right now i decided to re-assemble the device and use it for a while.
I must assume that i know nothing about the internal structure of the firmware. So it would be essential to get some insights
I got some additional information about the eMMC/microSD data lines.
If there's some interest i might post further pics.
To get some background about the chips on the A101 mainboard, i collected some datasheets of the main components.
Grab the zip-file here.
Most of them are easy to find other's are not
Anyway, saves your time i guess.
BTW, is there any tool to unpack gen8 AOS files?
Regards,
scholbert
yes it would be great if we could find one, maybe we could find a way to get inside and change some things
scholbert said:
...
Most of them are easy to find other's are not
Anyway, saves your time i guess.
BTW, is there any tool to unpack gen8 AOS files?
Regards,
scholbert
Click to expand...
Click to collapse
As far as i know we can't extract aos files since they are encrrypted and we don't have they proper KEY - its saved inside the device somewhere
But good luck with going on! Rly sounds interesting who knows what it's good for in future
good news - check out:
http://forum.xda-developers.com/showthread.php?t=1214674
seems we got a way to extract soon
..... uuuh great!!!
FrEcP said:
good news - check out:
http://forum.xda-developers.com/showthread.php?t=1214674
seems we got a way to extract soon
Click to expand...
Click to collapse
Yupp, that's awesome. I just joined that thread.
In the meantime i disassembled my device again, because i want to spent some more time on research.
I found out some more details about the chips and the design in general.
The A101 seems a pretty neat device for extensive hacking, because archos did a good job and made a very clear design.
I started to prepare a pin map by looking at the kernel sources again.
Maybe i'll be able to find some other useful testpoints on the mainboard (e.g. UART2)
As you might know, the touchscreen is connected to USB using OHCI mode.
To attach it to the OMAP ports they also used a chip from Ti.
See this datasheet for more information:
http://focus.ti.com/docs/prod/folders/print/tusb2551a.html
If i'll find some time i'll try to make kind of a floor plan from the mainboard and post some pics as well.
P.S.: If someone knows the manufaturer of the speaker drivers, please tell me! The parts are marked as 8JAM892 and are located near the soldering points for the speaker.
Keep on hackin'
scholbert
What I would like to find out is what component it is that dies when the USB port fails (and it stops sleeping as well). Maybe it's replaceable (if you can do SMD soldering).
pbarrett said:
What I would like to find out is what component it is that dies when the USB port fails (and it stops sleeping as well). Maybe it's replaceable (if you can do SMD soldering).
Click to expand...
Click to collapse
Mmmh... without being affected by this issue it's hard to tell.
If the port dies, there could be many reasons of course.
Maybe the 5V power supply for Vbus is dying on these devices, due to "over-current" issue. I have not identified that part right now.
The signal lines itself usually won't be harmed... apart from injecting ESD pulses right to the connector.
The USB host port is directly connected to data lines of the USB PHY inside TPS65921 (Power Management chip).
OMAP3630 itself uses ULPI mode to connect to this part.
That's all i could say for now.
Regards,
scholbert
FrEcP said:
good news - check out:
http://forum.xda-developers.com/showthread.php?t=1214674
seems we got a way to extract soon
Click to expand...
Click to collapse
If we can't extract those AOS files - how are custom ROM builders such as $auron getting their hands on the upper layer of the firmware? I know I am not expressing myself technically correct, but what I understand is that for instance $auron's UrukDroid is a custom Linux kernel etc. with on top of it the modules, GUI etc of the official Archos packages...
you don't need to extract the aos file to get the filesystem of the archos android. you simply have to root your device or just install angstrom (which comes with SDE) and then you can copy the squashfs file to your computer so you can extract whatever you need. it's not encrypted but signed, you only have to skip the first 256 bytes (if I remember correctly) of the file to get a valid squashfs image.
I've hit a wall in my quest to improve the Samsung Gravity Smart (SGH-T589). The kernel source that Samsung released for it doesn't quite work right (no wifi, broken touchscreen drivers). I'm trying to do something about it, but my test kernels hang before ADB is able to detect and connect to the phone.
The phone is powered by the Qualcomm MSM 7227 (S1 Snapdragon @800Mhz), which I understand is supposed to have a debug UART. How do I access it?
Reading the Google Nexus i9250 thread, I took a closer look at the system board. I've highlighted what I suspect is the JTAG header (see attachment).
However, I lack both the tools and expertise to determine if that is the header, and what the pinout is (most jtag pinouts I see pictures of online are in 2-column layout).
But, I might not need that. If I understand the discussion in the i9250 thread correctly, what I need is a combination of this miniUSB breakout kit, a 619Kohm resistor, and the FTDI Friend to use to connect the UART to my PC. I'm not quite sure where I go from there, but I expect that Windows will detect the serial port and give me something to connect to via SecureCRT or the like.
Is this correct? I'd kinda like to know before I spend any money on parts
Alternately, if anyone wants to take a crack at wiring up the JTAG port, I have a spare (broken) phone I can ship out. Screen doesn't work, but it still boots which will make it perfect for testing with!
Now, if you had bothered to SEARCH you'd have found THIS post in this thread with this picture!
I actually did come across that thread, however that particular post would not have come up in a search and you'll forgive me for missing a post in a 25-page thread However, I appreciate your help nonetheless.
Next question: I have 2 conflicting schematics for wiring an LPT JTAG cable. One shows TDO wired to pin 13, the other has it wired to pin 11. Which is correct? Or should I just try it both ways?
Try both. Shouldn't happen anything bad until you connect it to 12V or so.
I'm banging my head against a wall here, trying to figure things out but not finding clear instructions.
Is it true that, in order to perform JTAG, I need to use some kind of adapter (i.e. RiffBox), or can I connect it directly to the LPT port of my PC? If I can use my PC, what software do I use to read the debug output? I'm less concerned with recovering from hard brick than I am with getting the early debug output.
I'm thinking a hacked USB approach might be simpler and less expensive. My problem is lack of tools. If anyone else has made such a cable, could I buy it off you for a reasonable price?
Hello, i have a semi bricked Samsung Galaxy S5770 Mini/Pop/Next. It is a Qualcomm MSM7227 board. I have tryied the usb UART approach, but the only thing i can get from it is AST-POWERON, and it repeats (i think it bootloops)
I am trying to find UART on board, there are some little pads around the CPU.
Sent from my GT-I9003 using XDA
Ah my TDO is wired to pin 11. You don't need riffbox if you make a LPT JTAG adapter such as the Wiggler (low voltage variant 3.3V).
There are many softwares that can handle the wiggler, such as H-JTAG, openocd and urjtag.
I used "H-JTAG" and "NoICE for ARM" on windows. It's easy to setup H-JTAG for the wiggler and you don't have to do anything from the command line.
The msm7227 platform is multi-cpu (modem cpu, applications cpu).
With the JTAG port you saw, you can access the modem cpu, which is a ARM926ej-s.
Sent from my GT-I9003 using XDA
tanks for you
Another way, without looking for UART is just comparing what you've changed in kernel, revert it all and apply changes one by one until it stops booting again. You might also find/create some proper thread for that and ask for help. With original repo pulled from opensource.samsung and your changes applied on it commit by commit.
Rebellos said:
Another way, without looking for UART is just comparing what you've changed in kernel, revert it all and apply changes one by one until it stops booting again. You might also find/create some proper thread for that and ask for help. With original repo pulled from opensource.samsung and your changes applied on it commit by commit.
Click to expand...
Click to collapse
The issue here is that I'm trying to backport the MXT224 driver because the driver that's in the Samsung release is butchered beyond repair--the orientation is wrong, the resolution is wrong, the alignment is wrong.
My backported driver either fails to recognize the hardware (which is odd, because the init code uses the exact same kernel calls as the FUBAR driver for the I2C transfers), or locks up the boot process too early to get any useful debug output.
Anyway, I have the parts I need on order, all I need is for the orders to show up and a decent soldering iron and I should be in business.
Ah! The MXT224. I know this one pretty well, aswell as messup that Samsung does, configuring it in hundreds of different ways, with usually same result.
I think you don't need to port anything there. There's parameter table passed to MXT224 during init, that's probably only one thing you need to setup. You might want to reverse driver from some stock kernel, or adjust it experimentally, or simply request Samsung for proper parameter table.
There are many helping examples in various kernel arounds, sometimes it's called MXT224, and sometimes it's QT602240. This is in fact 100% same thing.
I'm not sure if any datasheet is publicily available. Though setup structures explaination should be enough, there it is:
https://bitbucket.org/gokhanmoral/s.../drivers/input/touchscreen/qt602240.h#cl-4848
For example flipping it would be changing "orient" byte in T9 structure. Probably all othere parameters you need to change are also in T9.
Thanks for the link. I managed to figure out the correct "orient" value by trial-and-error, but the screen alignment is screwed up. On a stock kernel, the top-left is 0,0. On a compiled kernel, top-left doesn't even register properly (none of the edges do). I've tried a few experimental things but nothing helped so far. I'll check out that link when I get home and hopefully find something useful.
You might also want to look into mach_aries.c and mach_herring.c files from I9000 and I9020 kernel sources. These shows pretty good how very similiar results can be done in pretty different set of T9 parameters.
I appreciate your input. I'm experimenting with different T9 values. I found a partial datasheet that shed a little light into some of the parameters.
I've managed to strip out the "piggy" (uncompressed vmlinux) from the stock kernel. Is there anything I can do with that to somehow find out what T9 parameters are used by the actual stock kernel (as opposed to what Samsung released)? I did some searching for kernel disassembly but didn't find anything that looked promising.
Can you upload it somewhere? I'd take a look into it.
Sure thing. I'll upload it tonight when I get home. Thanks!
Here it is, gzipped:
http://min.us/mrUKEtr7W
Thanks, one more request - could you also upload .map file generated during your kernel compilation? I don't remember what was the full name of it, AFAIR it's ~70meg textfile in kernel source root or arch/arm/bin dir. Not sure though.
Also, are sources for this kernel available on github somewhere? Downloading tarball but this will take few hours more. :\
Ty in advance.
Rebellos said:
Thanks, one more request - could you also upload .map file generated during your kernel compilation? I don't remember what was the full name of it, AFAIR it's ~70meg textfile in kernel source root or arch/arm/bin dir. Not sure though.
Also, are sources for this kernel available on github somewhere? Downloading tarball but this will take few hours more. :\
Ty in advance.
Click to expand...
Click to collapse
It's not on github at the moment. I'm just working from the kernel sources posted on opensource.samsung.com for the SGH-T589. I'll start an account tonight when I get home and upload what I have. I'll get the map file you're after uploaded too.
Okay so on my device I have two serial ports. One port is labeled J2 with 4 pin outs that I think is the UART. The seconded port labeled JPEEK3 has 6 pin outs that I think is the JTAG. Here's the problem, they aren't giving me UART and JTAG readings on my multimeter or logic analyzer.
J2 is reading like this.
3.28VGND3.28V3.28V
No data just straight to idling high.
As for JPEEK3 I'm reading this
GND.04V.04V2.95V2.95VGND
On this I'm getting data on all active pins. I tried hooking my JTAGulator up to the device to read it but every time I do the device it's stuck in reset mode.
Anyone got any idea of what these readings mean?
biomedguy said:
Okay so on my device I have two serial ports. One port is labeled J2 with 4 pin outs that I think is the UART. The seconded port labeled JPEEK3 has 6 pin outs that I think is the JTAG. Here's the problem, they aren't giving me UART and JTAG readings on my multimeter or logic analyzer.
J2 is reading like this.
3.28VGND3.28V3.28V
No data just straight to idling high.
As for JPEEK3 I'm reading this
GND.04V.04V2.95V2.95VGND
On this I'm getting data on all active pins. I tried hooking my JTAGulator up to the device to read it but every time I do the device it's stuck in reset mode.
Anyone got any idea of what these readings mean?
Click to expand...
Click to collapse
The voltage levels for the UART are OK.
UART "J2"
3.28V GND 3.28V 3.28V
It could match the signals:
VCC, GND, TxD, RxD
For UART you need to know the communication baud rate and other connection parameters. You also need to know the communication protocol at the UART layer.
The voltage levels for JTAG are OK.
JTAG "JPEEK3"
GND .04V .04V 2.95V 2.95V GND
It could match the signals:
GND, CLK, DIO, RST, VCC, GND
Which is JTAG in SWD mode.
Maybe "JPEEK3" is SWD?
For full JTAG you have this pins on "JPEEK3":
TDI, TCK, TMS, TDO, RST, VDD, GND
If RST is missing in JTAG, the problem is to get the target into debug mode if the targer has its own power supply.
Appreciate the help, never considered the pinouts for JPEEK3 to be SWD.
The board doesn't technically have it's own supply, the power comes from other boards that it's connected to, in order to power on. Should I figure out a way to power it on with a power bank in that case?
As for the UART, I have a DSLogic Plus, should I just test multiple baud rates and see what happens? I'm not sure what other protocols and communications to look for other then that.
biomedguy said:
Appreciate the help, never considered the pinouts for JPEEK3 to be SWD.
The board doesn't technically have it's own supply, the power comes from other boards that it's connected to, in order to power on. Should I figure out a way to power it on with a power bank in that case?
As for the UART, I have a DSLogic Plus, should I just test multiple baud rates and see what happens? I'm not sure what other protocols and communications to look for other then that.
Click to expand...
Click to collapse
It is a question of whether the board is powered from an external source or only from the JTAG programmer (SWD). For JTAG / SWD, it is better if the target is powered only from the JTAG programmer (SWD), unless it is required to power other peripherals and cover power requirements. For JTAG (SWD), there must be direct JTAG (SWD) programmer support for a specific target (MCU), debug mode, Flash write, and so on. Each MCU has a different protocol and must be directly supported by the JTAG (SWD) programmer or control software. For JTAG (SWD) communication, you can change the communication speed arbitrarily (it is not fixed), if it fails to connect to the target (MCU), you can reduce the communication speed.
For the UART, the communication speed (connection) is precisely determined in advance, you must know it or analyze the output data (timing of given bytes using DSLogic Plus ) if it is sent natively on the UART interface (boot log). The protocol on the UART interface also needs to be known if it is not a shell terminal output.
Well hot dog, that's a lot of solid info. Appreciate it, really.
I just got a flyswatter2 in the mail, hopefully that'll be compatible with the AT91 Atmel MCU on the board, apparently it's using an ARM7 processor. Good to know to not power on the board like I have been with the JTAGulator and DSLogic.
You wouldn't happen to know how to locate the configuration memory for the FPGA, now would you? I'm talking with my cousin whose an EE major, and he was asking for it. I'm not even sure how that'll help with getting into the JTAG.
biomedguy said:
Well hot dog, that's a lot of solid info. Appreciate it, really.
I just got a flyswatter2 in the mail, hopefully that'll be compatible with the AT91 Atmel MCU on the board, apparently it's using an ARM7 processor. Good to know to not power on the board like I have been with the JTAGulator and DSLogic.
You wouldn't happen to know how to locate the configuration memory for the FPGA, now would you? I'm talking with my cousin whose an EE major, and he was asking for it. I'm not even sure how that'll help with getting into the JTAG.
Click to expand...
Click to collapse
Atmel AT91 MCU is supported by OpenOCD. Flyswatter2 works with OpenOCD. From the FT2232H chip used by Flyswatter2, I made a programmer for SPI EEPROM [https://geekdoing.com/threads/unbrick-mi-band-3-with-without-nfc.700/]
I have never used Field Programmable Gate Arrays (FPGA), always only MCUs, I will not advise you in this area. Unfortunately. FPGA arrays have configuration memory as an external memory chip.
The JTAG programming interface is also used for FPGA arrays. FPGA and MCU are completely different technologies. Custom MCUs can also be created using an FPGA array.