Did anyone try running haret on a smartphone? - Windows Mobile Development and Hacking General

I ran the latest version 0.36 on my Mio8390 which is using a PXA262 processor
running smartphone 2003.
When I started haret I got an error message:
EXCEPTION reading coprocessor 15 register 0
twice.
And the detected cpu type is unknown.
Anyway I could start the application and open a tcp port.
Here is the result of dump cp(0) :
c00: ffffffd2 | c08: ffffffd2
c01: ffffffd2 | c09: ffffffd2
c02: ffffffd2 | c10: ffffffd2
c03: ffffffd2 | c11: ffffffd2
c04: ffffffd2 | c12: ffffffd2
c05: ffffffd2 | c13: ffffffd2
c06: ffffffd2 | c14: ffffffd2
c07: ffffffd2 | c15: ffffffd2
And here is the result of dump mmu:
----- Virtual address map -----
Descriptor flags legend:
C: Cacheable
B: Bufferable
0..3: Access Permissions (for up to 4 slices):
0: Supervisor mode Read
1: Supervisor mode Read/Write
2: User mode Read
3: User mode Read/Write
Error: EXCEPTION reading coprocessor 15 register 2
MMU 1st level descriptor table is at FFFFC000
Virtual | Physical | Descr | Description
address | address | flags |
----------+----------+---------+-----------------------------
Error: EXCEPTION CAUGHT AT MEGABYTE 0!
ffffffff | | | End of virtual address space
It seems that haret is having problems trying to read the CPU registers,
what could be the problem?
So it means that I have to patch the source of haret before I can use it on a smartphone?
Or is it because of smartphone security policies? something about user-mode, kernel-mode in
wince?
I'm quite a nub but I think I have to know what to read first before I start reading books. Any info or help is appreciated.

aybabtu said:
I ran the latest version 0.36 on my Mio8390 which is using a PXA262 processor
running smartphone 2003.
When I started haret I've got an error message :
EXCEPTION reading coprocessor 15 register 0
...
Any info or help is appreciated.
You can try to add this code to the assembler file
and call the functions directly. Worked for
me with wince2.11, where I also had problems:
export |cp15_0|
|cp15_0| proc
mrc p15, 0, r0, c0, c0, 0 ; read CP15 c0 (ID code register) into r0
mov pc, lr ; return to the C caller
endp
export |cp15_2|
|cp15_2| proc
mrc p15, 0, r0, c2, c0, 0 ; read CP15 c2 (translation table base) into r0
mov pc, lr
endp
export |cp15_13|
|cp15_13| proc
mrc p15, 0, r0, c13, c0, 0 ; read CP15 c13 (process ID) into r0
mov pc, lr
endp

aybabtu said:
I ran the latest version 0.36 on my Mio8390 which is using a PXA262 processor
running smartphone 2003.
Don't forget to post at least the 'dump gpio', FB address,
'dump mmu' and 'pd 0x41300004 4' here when
haret works

cr2 said:
... 'dump gpio', FB address,
'dump mmu' and 'pd 0x41300004 4'
Thank you for your help.
I signed the code with a privileged certificate, then dump gpio and the
physical address dump worked.
Code:
#dump gpio :
GPIO# D S A INTER | GPIO# D S A INTER | GPIO# D S A INTER | GPIO# D S A INTER
------------------+-------------------+-------------------+------------------
0 I 0 0 FE | 21 I 0 0 | 42 I 1 1 | 63 I 1 0 FE
1 I 0 0 RE FE | 22 O 1 0 | 43 O 1 2 | 64 O 1 0
2 I 0 0 RE | 23 O 0 0 | 44 I 1 1 | 65 O 1 0
3 I 0 0 RE FE | 24 O 0 0 | 45 O 1 2 | 66 O 1 0
4 I 0 0 RE | 25 O 0 0 | 46 I 1 2 | 67 I 1 0 FE
5 I 1 0 FE | 26 I 1 0 | 47 O 1 1 | 68 I 1 0
6 O 0 1 | 27 I 1 0 | 48 I 1 0 | 69 I 0 0
7 I 1 0 | 28 I 1 1 | 49 O 1 2 | 70 I 1 0
8 O 1 1 | 29 I 0 1 | 50 O 1 0 | 71 I 1 0
9 I 1 0 | 30 O 0 2 | 51 O 0 0 | 72 I 1 0 FE
10 I 1 0 FE | 31 O 0 2 | 52 I 1 0 | 73 O 1 0
11 I 1 0 | 32 I 1 0 | 53 I 1 0 | 74 O 0 0
12 I 1 0 RE FE | 33 O 1 2 | 54 O 0 0 | 75 O 1 0
13 I 0 0 RE FE | 34 I 1 1 | 55 O 1 0 | 76 O 0 0
14 I 0 0 RE FE | 35 I 0 1 | 56 O 0 0 | 77 O 0 0
15 O 1 2 | 36 I 0 0 | 57 I 1 0 | 78 O 1 2
16 I 1 0 | 37 I 0 1 | 58 O 0 0 | 79 I 1 2
17 O 1 2 | 38 I 0 0 | 59 O 0 0 | 80 O 1 2
18 I 1 1 | 39 O 1 2 | 60 O 1 0 | 81 I 1 1
19 O 1 0 | 40 O 0 0 | 61 O 1 0 | 82 O 1 1
20 O 1 0 | 41 O 0 0 | 62 O 1 0 | 83 I 1 2
#pd 0x41300004 4 :
41300004 | 00017bef | .{..
(What is so special about these four bytes?)
Then I tried to apply your code, but I don't know where I should call those functions. I tried calling them right before cpuDetect() or putting them inside cpu-pxa.cpp and calling them before cpuGetCP(), with the same effect.
The error message box doesn't show up but there is no message in the wince side console (detected cpu type),
then the same exception shows up when I telnet in and when I dump any cp other than cp0.
phrack #63 - Hacking Windows CE said:
...
; SetProcessorMode.s
AREA |.text|, CODE, ARM
EXPORT |SetProcessorMode|
|SetProcessorMode| PROC
mov r1, lr ; different modes use different lr - save it
msr cpsr_c, r0 ; assign control bits of CPSR
mov pc, r1 ; return
ENDP
END
...
Most Pocket PC ROMs were built with the Enable Full Kernel Mode option, so all applications appear to run in kernel mode. The first 5 bits of the Psr register are 0x1F when debugging, which means the ARM processor runs in system mode. This value is defined in nkarm.h:
// ARM processor modes
#define USER_MODE 0x10 // 0b10000
#define FIQ_MODE 0x11 // 0b10001
#define IRQ_MODE 0x12 // 0b10010
#define SVC_MODE 0x13 // 0b10011
#define ABORT_MODE 0x17 // 0b10111
#define UNDEF_MODE 0x1b // 0b11011
#define SYSTEM_MODE 0x1f // 0b11111
...
I guess smartphone is a little bit different from pocketpc?
Oh, btw I have to specify the address 0x81a00000 when I dumped the
rom using itsme's pmemdump, so it means that 0x81a00000 is mapped to 0x0?
I'd better start reading the ARM reference manual.

aybabtu said:
(What is so special about these four bytes?)
This is a ClocKENable (CKEN) register, so you have:
LCD,I2C,ICP,MMC,USB,NSSP,I2S,BTUART,FFUART,STUART,
SSP,AC97,PWM1,PWM0
enabled.
Then I tried to apply your code, but I don't know where I should call those functions
Add them to the wince/asmstuff.asm file,
and modify the cpuGetCP function in
wince/s-cpu.cpp to
Code:
uint32 cpuGetCP (uint cp, uint regno)
{
  uint32 result = 0xffffffff;
  int ok = 0;
  if (cp > 15)
    return 0xffffffff;
  if (cp == 15)
  {
    // CP15 is read through the fixed mrc stubs in asmstuff.asm,
    // in kernel mode and with interrupts disabled.
    ok = 1;
    SetKMode (TRUE);
    cli ();
    switch (regno)
    {
      case 0:
        result = cp15_0 ();
        break;
      case 2:
        result = cp15_2 ();
        break;
      case 13:
        result = cp15_13 ();
        break;
      default:
        ok = 0;
        break;
    }
    sti ();
    SetKMode (FALSE);
    if (!ok)
      Output (L"Invalid register read cp=%d regno=%d\n", cp, regno);
    return result;
  }
  // Other coprocessors: haret's original self-modifying mrc read.
  uint32 value;
  selfmod [0] = 0xee100010 | (cp << 8) | (regno << 16);
  if (!FlushSelfMod ("read"))
    return 0xffffffff;
  __try
  {
    value = ((uint32 (*) ()) &selfmod) ();
  }
  __except (EXCEPTION_EXECUTE_HANDLER)
  {
    Complain (C_ERROR ("EXCEPTION reading coprocessor %d register %d"), cp, regno);
    value = 0xffffffff;
  }
  return value;
}
Oh, btw I have to specify the address 0x81a00000 when I dumped the
rom using itsme's pmemdump, so it means that 0x81a00000 is mapped to 0x0?
Maybe, but how did you come to using this address ?

The 'dump gpio' shows that the phone is not using the
builtin LCD pins. Then there must be a
video chipset in the phone. Interesting,
because even HTC is saving money on that.
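Two of the readings cr2 makes in this post, that 0x41300004 holds the CKEN word and that the 'dump gpio' table shows the built-in LCD pins idle (and, later in the thread, the PXA MMC pins in use), can be mechanised. The following is an added example written in Python for this page; it is not code from haret or from anyone in the thread. The CKEN bit names and the LCD/MMC pin assignments are my assumptions from the PXA26x developer's manual and should be verified against it; the sample input is aybabtu's own pd line and gpio table copied from above.

```python
# Added example (my own Python, not code from haret or anyone in the thread):
# decode the two things cr2 reads off aybabtu's dumps, the CKEN word shown by
# 'pd 0x41300004 4' and the alternate-function column of 'dump gpio'.
# The CKEN bit names and the LCD/MMC pin assignments are my assumptions from
# the PXA26x developer's manual; verify them against the manual for another chip.
import re
from typing import Dict, List, NamedTuple, Tuple

# CKEN (clock enable) register at physical 0x41300004. Bits not listed
# (4, 10, 15, 17 and up) are reserved.  [assumed layout]
CKEN_BITS = {
    0: "PWM0", 1: "PWM1", 2: "AC97", 3: "SSP", 5: "STUART", 6: "FFUART",
    7: "BTUART", 8: "I2S", 9: "NSSP", 11: "USB", 12: "MMC", 13: "ICP",
    14: "I2C", 16: "LCD",
}

def parse_pd_word(line: str) -> int:
    """Value field of a haret 'pd' line: 'address | value | ascii'."""
    return int(line.split("|")[1].strip(), 16)

def decode_cken(word: int) -> Tuple[List[str], List[int]]:
    """Names of the enabled clocks, plus any set bits the table does not know."""
    enabled = [n for bit, n in sorted(CKEN_BITS.items()) if word >> bit & 1]
    unknown = [b for b in range(32) if word >> b & 1 and b not in CKEN_BITS]
    return enabled, unknown

class Gpio(NamedTuple):
    num: int
    direction: str          # 'I' input / 'O' output
    state: int              # pin level
    alt: int                # alternate function, 0 = plain GPIO
    edges: Tuple[str, ...]  # interrupt edges enabled, 'RE' and/or 'FE'

# One cell of the four-column table, e.g. "12 I 1 0 RE FE"
GPIO_CELL = re.compile(r"^\s*(\d+)\s+([IO])\s+([01])\s+([0-3])((?:\s+[RF]E)*)\s*$")

def parse_dump_gpio(text: str) -> Dict[int, Gpio]:
    """Parse haret's 'dump gpio' table; header and separator lines are skipped."""
    pins: Dict[int, Gpio] = {}
    for line in text.splitlines():
        for cell in line.split("|"):
            m = GPIO_CELL.match(cell)
            if m:
                num, d, s, a, edges = m.groups()
                pins[int(num)] = Gpio(int(num), d, int(s), int(a), tuple(edges.split()))
    return pins

# Pins the PXA25x/26x hands to its LCD controller (alt function 2) and to its
# MMC controller (alt function 1).  [assumed from the manual]
LCD_PINS = {58 + i: f"LDD{i}" for i in range(16)}
LCD_PINS.update({74: "L_FCLK", 75: "L_LCLK", 76: "L_PCLK", 77: "L_BIAS"})
MMC_PINS = {6: "MMCCLK", 8: "MMCCS0", 9: "MMCCS1"}

def pins_in_function(pins, group, alt):
    """Names of the group's pins currently switched to alternate function alt."""
    return [n for num, n in sorted(group.items()) if num in pins and pins[num].alt == alt]

def builtin_lcd_used(pins) -> bool:
    # cr2's inference: no LDD or LCD clock pin in AF2 means the PXA LCD unit is idle
    return bool(pins_in_function(pins, LCD_PINS, 2))

def pxa_mmc_used(pins) -> bool:
    return bool(pins_in_function(pins, MMC_PINS, 1))

# Sample input copied from aybabtu's Mio 8390 post (pd line and dump gpio table).
PD_LINE = "41300004 | 00017bef | .{.."
DUMP_GPIO = """\
GPIO# D S A INTER | GPIO# D S A INTER | GPIO# D S A INTER | GPIO# D S A INTER
------------------+-------------------+-------------------+------------------
0 I 0 0 FE | 21 I 0 0 | 42 I 1 1 | 63 I 1 0 FE
1 I 0 0 RE FE | 22 O 1 0 | 43 O 1 2 | 64 O 1 0
2 I 0 0 RE | 23 O 0 0 | 44 I 1 1 | 65 O 1 0
3 I 0 0 RE FE | 24 O 0 0 | 45 O 1 2 | 66 O 1 0
4 I 0 0 RE | 25 O 0 0 | 46 I 1 2 | 67 I 1 0 FE
5 I 1 0 FE | 26 I 1 0 | 47 O 1 1 | 68 I 1 0
6 O 0 1 | 27 I 1 0 | 48 I 1 0 | 69 I 0 0
7 I 1 0 | 28 I 1 1 | 49 O 1 2 | 70 I 1 0
8 O 1 1 | 29 I 0 1 | 50 O 1 0 | 71 I 1 0
9 I 1 0 | 30 O 0 2 | 51 O 0 0 | 72 I 1 0 FE
10 I 1 0 FE | 31 O 0 2 | 52 I 1 0 | 73 O 1 0
11 I 1 0 | 32 I 1 0 | 53 I 1 0 | 74 O 0 0
12 I 1 0 RE FE | 33 O 1 2 | 54 O 0 0 | 75 O 1 0
13 I 0 0 RE FE | 34 I 1 1 | 55 O 1 0 | 76 O 0 0
14 I 0 0 RE FE | 35 I 0 1 | 56 O 0 0 | 77 O 0 0
15 O 1 2 | 36 I 0 0 | 57 I 1 0 | 78 O 1 2
16 I 1 0 | 37 I 0 1 | 58 O 0 0 | 79 I 1 2
17 O 1 2 | 38 I 0 0 | 59 O 0 0 | 80 O 1 2
18 I 1 1 | 39 O 1 2 | 60 O 1 0 | 81 I 1 1
19 O 1 0 | 40 O 0 0 | 61 O 1 0 | 82 O 1 1
20 O 1 0 | 41 O 0 0 | 62 O 1 0 | 83 I 1 2
"""

if __name__ == "__main__":
    clocks, odd = decode_cken(parse_pd_word(PD_LINE))
    print("CKEN enables:", ", ".join(clocks), "| unknown bits:", odd)
    pins = parse_dump_gpio(DUMP_GPIO)
    print("built-in LCD pins in use:", builtin_lcd_used(pins))
    print("MMC pins in AF1:", pins_in_function(pins, MMC_PINS, 1))
```

Run as a script it reproduces cr2's list of fourteen enabled clocks, reports no unknown bits, and finds none of GPIO 58-77 in alternate function 2 while GPIO 6 and 8 sit in alternate function 1, which is what cr2 reads as "not using the builtin LCD pins" and "the PXA MMC controller is used".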

I tried adding SetKMode to the original function; it worked without
calling your functions.
Would there be any possible problem?
Maybe, but how did you come to using this address ?
Well, I got a leaked dumped-out ROM and tried to extract it with itsme's tool,
and I got something similar to these:
Code:
img 00000000 : hdr=81d5352c base=81a00000 commandlineoffset=81a00000
img 00640000 : hdr=82c40878 base=81a00000 commandlineoffset=81a00000
img 01300000 : hdr=82d02dd8 base=81a00000 commandlineoffset=81a00000
img 01380000 : hdr=8356d204 base=81a00000 commandlineoffset=81a00000
there must be a video chipset in the phone
There is a MediaQ MQ2100-JBE chipset inside, I'll look for info on this chipset later. And yes this phone is interesting, low price for its high specification compared to other same-generation phones but crappy customer service.
I'll post the result of dump mmu up to the point it crashes a little bit later.

aybabtu said:
I tried adding SetKMode to the original function; it worked without
calling your functions.
Would there be any possible problem?
Unlikely.
Well I got a leaked dump
Then you can just lookup the static remapping
table.
There is a MediaQ MQ2100-JBE chipset inside, I'll look for info on this chipset later.
The datasheet is available here
www.handhelds.org/platforms/hp/ipaq-h22xx/mq-lcd-interface-appnote.pdf

And the mapping table dumped out using itsme's pmemmap:
Code:
v81a00000-83a00000 -> p00000000-02000000
v86000000-86100000 -> pe0000000-e0100000
v86100000-86200000 -> p48000000-48100000
v86200000-88200000 -> p40000000-42000000
v8c000000-8e000000 -> pa0000000-a2000000
v9a300000-9a400000 -> p04000000-04100000
v9c300000-9c400000 -> p08000000-08100000
v9f600000-9f700000 -> p0c000000-0c100000
v9f800000-9f900000 -> p14000000-14100000
Dumped it out and I can only tell that the first 32MB is my rom data.
And much of the info you gave me I don't fully understand, guess I have to
read much more before I can think about running linux on this phone,
at least I know what to read now.

On a side note, it jumps to 1000h at the beginning of the rom like the other
wince devices, but starting from 1000h, the content matches the dumped out
NK.exe kernel without the PE header(?).
Wasn't there supposed to be a 256K bootloader?
And at the end of the rom, there are 2 copies of 256K code, in which I found
strings of the bootloader in it, and the second copy is 1 byte different from
the first one, 1:0x00 2:0x01, in the middle of the code.
I'm not sure these are Mitac only layout, just put it here in case anyone
knows.

Oh and there is an Atmel MEGA16L-8MI Microcontroller inside,
don't know what it exactly does but I found strings related to this
in the 'bootloader portion'.

aybabtu said:
And the mapping table dumped out using itsme's pmemmap:
v81a00000-83a00000 -> p00000000-02000000
32MB ROM
v86000000-86100000 -> pe0000000-e0100000
Weird.
v86100000-86200000 -> p48000000-48100000
PXA26x Memory Controller
v86200000-88200000 -> p40000000-42000000
PXA26x Peripherals
v8c000000-8e000000 -> pa0000000-a2000000
32MB SDRAM
v9a300000-9a400000 -> p04000000-04100000
v9c300000-9c400000 -> p08000000-08100000
v9f600000-9f700000 -> p0c000000-0c100000
v9f800000-9f900000 -> p14000000-14100000
mmaped devices.
And much of the info you gave me I don't fully understand, guess I have to
read much more before I can think about running linux on this phone
You can also dump/decode the registry and identify the
use of the serial ports.
Your GPIO table suggests that the PXA MMC
controller is used.
Looks good
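cr2's suggestion to "just lookup the static remapping table" is what the following does. It is an added example written in Python for this page, not code from itsutils, haret or anyone in the thread: it parses the pmemmap lines aybabtu posted, translates addresses in both directions (which answers whether 0x81a00000 is mapped to physical 0), and labels the physical side with the regions cr2 names just above. The region list is my transcription of those annotations plus cr2's later NAND guess; the CKEN address is the one from 'pd 0x41300004' earlier in the thread; the wrap-around handling is for the "pfff00000-00000000 (huh?)" line that turns up in the Wizard pmemmap later on this page.

```python
# Added example (my own Python, not itsutils' or haret's code): parse the
# static virtual->physical table printed by itsme's pmemmap and translate
# addresses both ways, naming physical regions as cr2 annotated them above.
import re
from typing import List, NamedTuple, Optional

class Mapping(NamedTuple):
    vstart: int
    pstart: int
    size: int      # bytes, taken from the virtual window

# "v81a00000-83a00000 -> p00000000-02000000", optionally followed by a remark
MAP_LINE = re.compile(
    r"^v([0-9a-f]{8})-([0-9a-f]{8})\s*->\s*p([0-9a-f]{8})-([0-9a-f]{8})", re.I)

def parse_pmemmap(text: str) -> List[Mapping]:
    """Collect the mapping lines of a pmemmap dump; anything else is ignored."""
    maps: List[Mapping] = []
    for line in text.splitlines():
        m = MAP_LINE.match(line.strip())
        if not m:
            continue
        vs, ve, ps, _pe = (int(x, 16) for x in m.groups())
        # Size comes from the virtual window: the printed physical end can wrap
        # past 0xffffffff (richardt007's "pfff00000-00000000 (huh?)" line).
        maps.append(Mapping(vs, ps, ve - vs))
    return maps

def v2p(maps: List[Mapping], vaddr: int) -> Optional[int]:
    """Physical address behind a virtual one, or None if not statically mapped."""
    for m in maps:
        if m.vstart <= vaddr < m.vstart + m.size:
            return (m.pstart + (vaddr - m.vstart)) & 0xffffffff
    return None

def p2v(maps: List[Mapping], paddr: int) -> Optional[int]:
    """Virtual alias of a physical address, or None if the table has none."""
    for m in maps:
        if m.pstart <= paddr < m.pstart + m.size:
            return m.vstart + (paddr - m.pstart)
    return None

# Physical regions of this phone as cr2 labels them in the thread. [assumed]
PXA26X_REGIONS = [
    (0x00000000, 0x02000000, "32MB ROM"),
    (0x40000000, 0x42000000, "PXA26x peripherals"),
    (0x48000000, 0x48100000, "PXA26x memory controller"),
    (0xa0000000, 0xa2000000, "32MB SDRAM"),
    (0xe0000000, 0xe0100000, "NAND flash (cr2's later guess)"),
]

def describe_physical(paddr: int) -> str:
    for start, end, name in PXA26X_REGIONS:
        if start <= paddr < end:
            return name
    return "memory-mapped device (unlabelled)"

# Sample input copied from aybabtu's pmemmap output above.
PMEMMAP = """\
v81a00000-83a00000 -> p00000000-02000000
v86000000-86100000 -> pe0000000-e0100000
v86100000-86200000 -> p48000000-48100000
v86200000-88200000 -> p40000000-42000000
v8c000000-8e000000 -> pa0000000-a2000000
v9a300000-9a400000 -> p04000000-04100000
v9c300000-9c400000 -> p08000000-08100000
v9f600000-9f700000 -> p0c000000-0c100000
v9f800000-9f900000 -> p14000000-14100000
"""

if __name__ == "__main__":
    maps = parse_pmemmap(PMEMMAP)
    for va in (0x81a00000, 0x8c000000, 0x00000000):
        pa = v2p(maps, va)
        where = f"p{pa:08x} {describe_physical(pa)}" if pa is not None else "not statically mapped"
        print(f"v{va:08x} -> {where}")
    print(f"CKEN (p41300004) is reachable at v{p2v(maps, 0x41300004):08x}")
```

Virtual 0 is not in the static table at all, which is why haret's MMU walk has to read the page tables for it; the static table only covers the kernel's fixed windows onto ROM, RAM and the chip's peripheral blocks.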

aybabtu said:
Oh and there is an Atmel MEGA16L-8MI Microcontroller inside,
don't know what it exactly does but I found strings related to this
in the 'bootloader portion'.
Battery monitoring or something like that,
maybe keyboard controller.

aybabtu said:
On a side note, it jumps to 1000h at the beginning of the rom like the other
wince devices, but starting from 1000h, the content matches the dumped out
NK.exe kernel without the PE header(?).
Wasn't there supposed to be a 256K bootloader?
Not all wince devices have a bootloader,
wince2.11 and wince2005 on Universal for example.
You can also look with 'strings -el' for
other useful strings.

v86000000-86100000 -> pe0000000-e0100000
Weird.
Seems to be that 16MB PXA26X NAND Flash ROM

aybabtu said:
v86000000-86100000 -> pe0000000-e0100000
Weird.
Seems to be that 16MB PXA26X NAND Flash ROM
Built-in ? BTW, does this device support SD cards or only MMC ?

Built-in ? BTW, does this device support SD cards or only MMC ?
Built-in. It should be the M-Systems DiskOnChip MD3831-D16-V3Q18-T inside.
It supports both.
And this phone does not support bluetooth, but the clock to BTUART is
enabled :?:

aybabtu said:
And this phone does not support bluetooth, but the clock to BTUART is
enabled :?:
It is a normal UART, not blue at all. Himalaya
uses it for the serial cable.

That's not exactly the datasheet of
mq2100...
archive.org show that this was available
for downloads.. oh well

Put the list of all components and the known
information to wiki. That can help other people.

Related

Linux on the Wizard

Hi.
Has anyone tried to make linux/familiar boot on the Wizard yet?
Any luck?
mind said:
Hi.
Has anyone tried to make linux/familiar boot on the Wizard yet?
Any luck?
Oh this looks interesting. What could you do with a linux boot?
mind said:
Has anyone tried to make linux/familiar boot on the Wizard yet?
Have you tried to run haret ?
If it works, can you post the
framebuffer address and 'dump mmu' here ?
It might take a bit longer for anything like this to appear, but it would be interesting when it does.
I haven't tried it. The reason for my question was that I'm going to do some development work for Opie (opie.handhelds.org), and need a machine that boots and runs familiar to test stuff. And I would like to get me a wizard.
Familiar has a list of machines tested on familiar (booting or not). But only Wallaby (XDA), Himalaya (XDA II), Blueangel (XDA III) and Universal (MDA Pro) are listed.
So if anyone in this forum which has a wizard and would like to try out linux/opie on it; please let me know if it boots!!!
There are a lot of advantages to having linux on your XDA instead of windows mobile. The most obvious being that if you're stuck in some corner (let's say mp3 audio over bt isn't working), you could always do some work on the (BlueZ) code yourself to try to fix the problem. Also there's a lot of cool software available that you don't have on WM.
And oh, you're free
Best regards,
mind said:
Familiar has a list of machines tested on familiar (booting or not). But only Wallaby (XDA), Himalaya (XDA II), Blueangel (XDA III) and Universal (MDA Pro) are listed.
The only machine where Linux WORKS right now
is Blueangel (with GPE, never seen reports about opie). Himalaya, Universal and Magician need some work. Alpine should work with some
effort too.
Wallaby is not really working (no SD) because
nobody is interested in writing this driver.
Power management (i.e. suspend) is missing now.
So if anyone in this forum which has a wizard and would like to try out linux/opie on it; please let me know if it boots!!!
To run opie, you need a running kernel, which does not exist. To write the kernel it is necessary to run 'haret'. So, the first step
is to try 'haret' !
To run opie, you need a running kernel, which does not exist. To write the kernel it is necessary to run 'haret'. So, the first step
is to try 'haret' !
Just tried it. Haret starts, but prints out the message "Exception reading coprocessor 15 register .." I can connect to Haret on port 9999 and can issue some commands like "dump mmu" but there's not much info there...:
Code:
descriptor flags legend:
C: Cacheable
B: Bufferable
0..3: Access Permissions (for up to 4 slices):
0: Supervisor mode Read
1: Supervisor mode Read/Write
2: User mode Read
3: User mode Read/Write
Error: EXCEPTION reading coprocessor 15 register 2
MMU 1st level descriptor table is at FFFFC000
Virtual | Physical | Descr | Description
address | address | flags |
----------+----------+---------+-----------------------------
00000000 | | | UNMAPPED
ffffffff | | | End of virtual address sp
richardt007 said:
Haret starts, but prints out the message "Exception reading coprocessor 15 register .." I can connect to Haret on port 9999 and can issue some commands like "dump mmu" but there's not much info there...:
Then you need to sign haret with the "privileged certificate". Read more here:
http://forum.xda-developers.com/viewtopic.php?t=30399&start=0
Can you tell me how to do that in a little more detail than what's described in the thread? I managed to compile the latest haret.exe using wine and the msvc package. Do I need to alter the asm-files (and which one?) with the code-snippet in that thread or is it a little more complicated than that? Would like to contribute though...
richardt007 said:
Can you tell me how to do that in a little more detail than what's described in the thread?
No, it seems that you don't need to change anything, only to sign the executable.
Don't ask me how, i don't know exactly
I've tried makecert.exe with wine-0.9.1 and
it works. You should look into the archives
on this site or read the microsoft documentation.
cr2 said:
Don't ask me how, i don't know exactly
There is an explanation now at the end of this
thread.
I managed to get some output from haret, although I don't know the validity of the output.
1. I had to modify the asmstuff.asm to include the cp_0, cp_2 and cp_13 calls in order to get rid of the exception (GetLastError returned 120=ERROR_CALL_NOT_IMPLEMENTED)
2. Called the cp_2 from _cpu_get_cp.
3. Signed the executable using signcode.exe from the Smartphone 2003 SDK (have no clue if this was needed at all)
Here is some of the output, can somebody help out to interpret it?
Code:
HaRET(3)# dump gpio
GPIO# D S A INTER | GPIO# D S A INTER | GPIO# D S A INTER | GPIO# D S A INTER
------------------+-------------------+-------------------+------------------
0 O 1 0 | 21 I 0 0 | 42 O 0 0 | 63 O 0 2
1 O 0 0 | 22 I 0 0 | 43 I 0 0 | 64 I 0 0
2 I 1 0 | 23 I 0 0 | 44 I 0 0 | 65 I 0 2 FE
3 I 0 0 | 24 I 0 0 | 45 I 0 0 | 66 I 0 3
4 I 0 0 | 25 I 0 0 | 46 I 0 0 | 67 I 0 3
5 I 0 0 | 26 I 0 0 | 47 O 0 0 | 68 I 0 3
6 I 0 0 | 27 I 0 0 | 48 I 0 0 | 69 I 0 1
7 I 0 0 | 28 I 0 0 | 49 I 0 2 | 70 I 0 0
8 I 0 0 | 29 I 0 0 | 50 I 0 3 | 71 I 0 2
9 I 0 0 | 30 I 0 0 | 51 O 0 3 | 72 I 0 0
10 I 0 0 | 31 I 0 0 | 52 O 0 3 | 73 I 0 2
11 I 0 0 | 32 I 0 0 FE | 53 O 0 1 | 74 I 0 3
12 I 0 0 | 33 I 1 0 | 54 O 0 0 | 75 I 0 3
13 I 0 0 | 34 I 0 0 FE | 55 O 0 2 | 76 I 0 3
14 I 0 0 | 35 O 0 0 | 56 O 0 0 | 77 I 0 1
15 I 0 0 | 36 O 0 0 | 57 O 0 2 | 78 I 0 0
16 I 0 3 | 37 O 0 0 | 58 O 0 3 | 79 I 0 2
17 I 0 3 | 38 O 0 0 | 59 I 0 3 | 80 I 0 0
18 I 0 3 | 39 O 0 0 | 60 I 0 3 | 81 I 0 2
19 I 0 1 | 40 O 0 0 | 61 I 0 1 | 82 I 0 3
20 I 0 0 | 41 O 0 0 | 62 I 0 0 | 83 I 0 3
Code:
HaRET(2)# print "%x" VRAM
20001020
Dump mmu gives a lot of lines, have no idea what the most relevant part of it is, so here a snippet:
Code:
HaRET(7)# dump mmu
----- Virtual address map -----
Descriptor flags legend:
C: Cacheable
B: Bufferable
0..3: Access Permissions (for up to 4 slices):
0: Supervisor mode Read
1: Supervisor mode Read/Write
2: User mode Read
3: User mode Read/Write
MMU 1st level descriptor table is at 10360000
Virtual | Physical | Descr | Description
address | address | flags |
----------+----------+---------+-----------------------------
00000000 | | | UNMAPPED
02000000 | | | UNMAPPED
02101000 | 10463000 | CB0000 | Small page (4K)
...
...
29fff000 | 12b4b000 | CB3 | Small page (4K)
2a000000 | | | UNMAPPED
Then it stops, with the progress bar somewhere at 40%. I had to give it a soft reset. So what's the next step...?
richardt007 said:
I managed to get some output from haret, although I don't know the validity of the output.
Here is some of the output, can somebody help out to interpret it?
I have looked in the docs, the wizard has a TI OMAP processor, and haret 'gpio' knows only about
PXA. So, this table is probably useless.
Code:
HaRET(2)# print "%x" VRAM
20001020
From omap730.h:
#define OMAP730_SRAM_START 0x20000000
So your VRAM is in the OMAP built-in SRAM.
Code:
HaRET(7)# dump mmu
MMU 1st level descriptor table is at 10360000
Your RAM starts at 0x10000000.
At least 4MB for the kernel & stuff.
Code:
Virtual | Physical | Descr | Description
address | address | flags |
----------+----------+---------+-----------------------------
02101000 | 10463000 | CB0000 | Small page (4K)
The page in RAM mapped for some system purposes.
Then it stops, with the progress bar somewhere at 40%. I had to give it a soft reset.
It's normal, "dump mmu" in haret is buggy
So what's the next step...?
It is interesting to find out where is your ROM mapped.
You can also sign the itsutils and try to dump the memory with these tools.
Read the linux-omap documentation and code
and dump the OMAP registers. You can also
try to find out from the wince dlls what other
chips are used in this phone.
You can also sign the itsutils and try to dump the memory with these tools.
Signing itsutils was not enough unfortunately, as I had to change the security policy (policy ID=4097) from 1 to 2 to allow RAPI calls.
(see http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnppcgen/html/wmdeploy.asp)
After that, itsutils ran like a charm:
Code:
c:\src\itsutils\build>pmemmap
v82000000-83000000 -> p00000000-01000000
v8a000000-8a400000 -> p13c00000-14000000
v8c000000-8fc00000 -> p10000000-13c00000
v90000000-90100000 -> p20000000-20100000
v98000000-98100000 -> pfff00000-00000000 (huh?)
v98100000-98200000 -> p04000000-04100000
v98400000-98500000 -> p06000000-06100000
v98500000-98600000 -> p40000000-40100000
A simple process list, 'pps -t', showed _a lot_ of .dll's being used (mainly by device.exe, naturally)
Code:
c:\src\itsutils\build>pps
handle n base kern user heap exe
0ddf5fba 5 20000000 0.0 8.2 0 rapiclnt -drndis_peer
0dfb5706 2 0e000000 0.0 0.0 0 elatepushservice.exe
0dfdf8ce 11 1a000000 0.0 0.5 0 repllog.exe /sched /remote /h
0e0f03ba 2 10000000 0.0 0.0 0 sddaemon.exe
0fbb4002 2 c2000000 0.0 0.0 0 NK.EXE
2e0a2402 8 14000000 0.0 0.0 0 srvtrust.exe 80
4de65d06 10 18000000 0.0 0.0 0 cprog.exe -n
4e3767c2 10 08000000 0.0 2.1 0 shell32.exe 50
6fba4bfa 12 04000000 0.0 37.8 0 filesys.exe
8dfb56e2 2 1c000000 0.0 0.0 0 PowerTray.exe
8e91ce1a 107 06000000 0.0 1.8 0 device.exe 20
adf78e9e 1 1e000000 0.0 0.0 0 WiFiTray.exe
ae0b6dc2 11 12000000 0.0 0.0 0 connmgr.exe 70
ae54049a 15 0a000000 0.0 0.0 0 gwes.exe 30
ce376c4a 20 0c000000 0.0 0.0 0 services.exe 60
edc4dd32 9 22000000 0.0 0.0 0 tmail.exe -RunInBKG
ee040e02 1 16000000 0.0 0.0 0 poutlook.exe
0 ........ 0.0 50.4 0 total
The list of partitions is completely unclear to me:
Code:
c:\src\itsutils\build>pdocread -l
57.00M TrueFFS
| 3.06M Part00
| 2.88M Part01
| 51.06M Part02
48.23M TrueFFS
| 3.06M Part00
| 2.88M Part01
| 51.06M Part02
10.00M TRUEFFS
| 3.06M Part00
| 2.88M Part01
| 51.06M Part02
483.88M DSK1:
| 483.70M Part00
STRG handles: afb7d5fe
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
(483.70M) ce9ec2da
3 partitions, 2 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
( 10.00M) 0eae8ede
3 partitions, 2 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
( 48.23M) 0fb2bf42
3 partitions, 2 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 fe 04 01 02 1c 32 08 ee 0d 07 05 4d
( 51.06M) efb2bd82
3 partitions, 2 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 fe 04 01 02 1c 32 08 ee 0d 07 05 4d
( 2.88M) cfb2bd5e
3 partitions, 2 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 fe 04 01 02 1c 32 08 ee 0d 07 05 4d
( 3.06M)
This machine has 128MB of ROM, is there any way I can read this using itsutils? pmemdump can successfully read only after 0x82000000 and prints out "Attempt to access invalid address"...
I dumped the first 16 megs after 0x82000000 and there's all kinds of garbage, same as on the maui device. (marxx printed the first 8192 bytes in the above thread). Unfortunately, arm-wince-pe-objdump says "File format not recognized" on both dumps... What am I missing here?
richardt007 said:
arm-wince-pe-objdump says "File format not recognized" on both dumps... What am I missing here?
arm-wince-pe-objdump expects a PE binary, so
it is necessary to tell it that we have a raw binary dump.
arm-wince-pe-objdump -D -b binary -m arm dump.file
I have found this information about Linux
on HTC Typhoon:
http://vivien.chappelier.free.fr/typhoon/index.html
I was going to recommend a kernel built with omap 730 support, since the 850 seems to just be a 730 with edge. TI's site isn't too informational about the other circuits built into the omap850, or 730.
I have not been able to get the bootloader thing to do a single useful thing. I only get the tricolored screen. When plugged into the usb I get it saying usb in the corner. I set my mini sd up for the omap 730 image off the above site, but no dice.
My phone is the wiza 100 I believe (cingular 8125).
YAY! PROGRESS! I will join you guys, when I find out more about how memory is organised. TI supports linux on the omap, maybe if we asked... :/
I never have any luck with installing the damn toolchains, they never come with any instructions, or limited instructions. But I think I may have it. I noticed a lot of you are better coders and embedded developers than I. I hope to learn a lot from you. Also, if there are any tutorials you can provide links to help me learn, that would be perfect.

disassemble HTC bootloader

Hi there,
I am trying to get Linux running on a handheld which uses the HTC bootloader and it would be great if one of the gurus here could give me some hints about using IDA on the bootloader (to find out how buttons and USB are controlled).
The handheld is Dell Axim X50 (PXA270, big ASIC, some CPLD, beside that pretty standard) - for more hardware details take a look at: http://handhelds.org/moin/moin.cgi/DellAximX50
I already identified where the bootloader loads itself into RAM and configures and enables the MMU, I modified the available .idc script (for PXA2xx-regs) to show me nice synonyms instead of the raw register addresses. I traced a little bit through the code - but only seeing lots of operations on RAM addresses and very few (far too few IMO) and very general operations on processor registers doesn't help much. I expect that the register addresses are partly loaded from RAM instead of being hard coded.
So now to my question: is there a way to "copy" the ROM parts that get loaded into RAM in IDA? I mean so that IDA can actually find the data which is supposed to be in RAM right before the MMU is enabled and that I can see references to the GPIO/ASIC/CPLD addresses and to the string data (which would greatly help in identifying the useful functions).
Thanks for any hints or advice!
pphoenixx said:
The handheld is Dell Axim X50 (PXA270, big ASIC, some CPLD, beside that pretty standard) - for more hardware details take a look at: http://handhelds.org/moin/moin.cgi/DellAximX50
Hi,
a lot of information can be obtained without any disassembling.
I'm curious, do you have the "dump gpio" haret output somewhere?
here you go:
http://www.bfamily.us/~richard/tmp/arm/gpio_map.xml
Code:
GPIO# D S A INTER | GPIO# D S A INTER | GPIO# D S A INTER | GPIO# D S A INTER
------------------+-------------------+-------------------+------------------
0 I 0 0 RE FE | 21 O 1 1 | 42 O 0 0 | 63 O 0 0
1 I 1 0 | 22 O 0 0 | 43 O 0 0 | 64 O 0 0
2 O 1 0 | 23 O 0 2 | 44 O 0 0 | 65 O 0 0
3 O 1 0 | 24 O 1 2 | 45 O 0 0 | 66 O 0 0
4 O 1 0 | 25 O 0 2 | 46 I 1 2 | 67 O 0 0
5 I 1 0 | 26 I 1 1 | 47 O 0 1 | 68 O 0 0
6 I 1 0 | 27 I 0 0 | 48 O 1 2 | 69 O 0 0
7 I 1 0 | 28 O 0 0 | 49 O 1 2 | 70 O 0 0
8 I 1 0 | 29 O 0 0 | 50 O 1 2 | 71 O 0 0
9 O 1 1 | 30 O 0 0 | 51 O 1 2 | 72 O 0 0
10 O 0 1 | 31 O 0 0 | 52 I 1 0 | 73 O 0 0
11 I 0 0 RE FE | 32 O 0 0 | 53 O 1 0 | 74 O 0 0
12 I 1 0 RE FE | 33 O 1 2 | 54 O 1 2 | 75 O 0 0
13 I 0 0 RE | 34 O 0 0 | 55 O 1 2 | 76 O 0 0
14 I 1 0 RE FE | 35 O 0 0 | 56 I 1 1 | 77 O 0 0
15 O 1 2 | 36 O 1 0 | 57 I 1 1 | 78 O 1 2
16 O 0 0 | 37 O 0 0 | 58 O 0 0 | 79 O 1 2
17 O 1 2 | 38 I 0 0 | 59 O 0 0 | 80 O 1 2
18 I 1 1 | 39 O 0 0 | 60 O 0 0 | 81 O 0 0
19 O 1 0 | 40 O 0 0 | 61 O 0 0 | 82 O 0 0
20 O 1 1 | 41 O 0 0 | 62 O 0 0 | 83 I 0 0 RE FE
There is already much accomplished - A 2.6.15-rc7 kernel boots without problem, working framebuffer and I can activate IRDA and use it for console.. everything directly connected to the PXA is no issue; the ASIC and CPLDs are my major problem right now - that's why I throw myself into disassembling.
pphoenixx said:
There is already much accomplished - A 2.6.15-rc7 kernel boots without problem, working framebuffer and I can activate IRDA and use it for console.. everything directly connected to the PXA is no issue; the ASIC and CPLDs are my major problem right now - that's why I throw myself into disassembling.
Ok. You are using PXA270 SDIO.
We are also moving forward, but have some problems with the framebuffer.
http://wiki.xda-developers.com/index.php?pagename=UniversalResearch
http://wiki.xda-developers.com/index.php?pagename=UniversalProgress
Do you know how the wifi chip is connected ? Is it on pcmcia ?
FYI, we have a weird CPLD too.
cr2 said:
Do you know how the wifi chip is connected ? Is it on pcmcia ?
FYI, we have a weird CPLD too.
well, looking at
Code:
HaRET(29)# pd 0x48000014 1
48000014 | 00000003 | ....
PC Card Is Present
This bit must be written by software when either PC Card is inserted into a
socket.
0 = No PC Card inserted
1 = PC Card inserted
0 R/W NOS
PC Card Interface Number of Sockets
0 = 1 socket
1 = 2 sockets
one could assume that at least something is sitting on pcmcia. and if I write a 0x0 in there - WIFI is suddenly gone while the device remains responsive (= hasn't crashed). So at least on the axim, I suppose it's on pcmcia.
pphoenixx said:
Code:
HaRET(29)# pd 0x48000014 1
48000014 | 00000003 | ....
The same here. But i can zero it while running over wlan.
Maybe you disabled something else and WIFI is connected via USB1.1 (try to disable USB)? or your WIFI chip is connected via socket 1 (which can't be disabled) - I tried to write a 0x1 in there (no PC CARD) and WIFI remained operational, it's only gone when I completely disabled socket2 (0x0).
It's pcmcia for sure on axim.
If you have the same driver, tiacxwln.dll Version: 2.0.53(NDIS)
Create an empty file: tiacxwln_testmode.txt and put it in your WINDOWS directory and soft-reboot -- on Axim, the driver looks for that file and if it exists the wifi hardware isn't claimed anymore (probably to easily test other drivers or launch special testmode drivers..). WinCE kicks in and recognizes an unknown networking device connected to PCMCIA socket 2.
pphoenixx said:
Create an empty file: tiacxwln_testmode.txt and put it in your WINDOWS directory and soft-reboot -- on Axim, the driver looks for that file and if it exists the wifi hardware isn't claimed anymore (probably to easily test other drivers or launch special testmode drivers..). WinCE kicks in and recognizes an unknown networking device connected to PCMCIA socket 2.
ACX100 is used by most PDAs through the PCMCIA (or SDIO) interface.
Unfortunately, the acx100.sf.net driver supports only pci and usb...
ACX100 could be partially initialized on HTC Blueangel, but it is not working yet.
-----
\Storage Card\tiacxwln_testmode.txt
\SD Card\tiacxwln_testmode.txt
\windows\tiacxwln_testmode.txt

Unofficial cyanogenmod7.2.0 rc for malata t8 mcc nvflash mode with sod fixed

[only mcc models]
First flash ota 20110524 to return to the original cwm and do wipe data and wipe partition cache
This will make a clean installation
unrar archive http://www.mediafire.com/?adu3kmqhxkb8hfi
run nv flash
go recovery
format system
wipe dalvik cache
mount usb
copy update
copy gapps
copy kernel
flash them with same way
done
lcd density at 120
Stable with pershoot tweaks preload
Major bug have been fixed
Sound improved with beats audio
external sdcard fixed
Sleep fixed
Hd video and mkv video format playable with external. Player like mx video
System improved with init.d tweaks
new theme ics
camera work with skype
bravia engine drivers added
set 775 permission system/etc/be photo
set 775 permission system/etc/be movie
Kill app via long press choice will help you
To my daughter Jan
malata t8 unofficial cyanogenmod 7.2.0 RC nvflash mode for mcc device
congratulations go to whyberg for that wonderful work
Use at your own risk, it's not my responsibility if you brick your device
download firmware
http://www.mediafire.com/?p66bpjp1qeug6vs
download latest gapps
http://www.mediafire.com/?zglnipcv34kdt49
unpacks the archive
includes device "-" + "power" (APX mode)
running the batch file download [1GB | 512MB]
after the device goes into overdrive long press power off
includes device "+" + "power" (recovery mode)
now you must input and export usb cable in & out with usb mount from recovery mode until the computer recognizes your tablet as storage
copy the update zip and gapps zip into
pour through recovery archive with firmware update-cm-7.2.0-RC0-smb_a9701-KANG-signed.zip & and latest gapps on SDCARD
set after "install from SDcard" both before reboot
libcamera.so.zip http://forum.xda-developers.com/attachment.php?attachmentid=896892&d=1328950465
Installation via ADB
1. unzip libcamera.so.zip
2. adb remount
3. adb push libcamera.so /system/lib/libcamera.so
Manual
With root explorer paste libcamera.so into
System/lib and give read write permission as the other
Before reboot
Via recovery (libcamera.so-update.zip) http://forum.xda-developers.com/attachment.php?attachmentid=896903&d=1328951238
Skype 2.6.0.95 version worked!!!
Gtalk video not! but it's not a camera problem...
not working
video accelerator
as all gtablet must install externall video code
like
mxvideo apk
Best flash player with this rom is 10.3
Working you tube like a charm
New google play without errors
http://i.minus.com/1331477283/iiYu2AW7DQxVWHgoI7qIbA/dJCxyuh2eNq0W.apk
you must be careful
do not partition sd
do not fix permission
it may brick
enjoy
confirmed working!!!!!!!
Thanks geowolf........ you're the man
I'd go as far as to say.... Best Malata zpad t8 rom I've found and was easy to install (as per instructions above you need to install zip files BEFORE first boot)
Shame about no camera. Does anyone know of a fix?
I'm off to 4pda.ru to check for updates
camera fix found
hXXp://cyanogenmod.googlecode.com/issues/attachment?aid=44480005000&name=CM07CameraFix.zip&token=HIEuD7abnRfewkHvEaa8YkZSjZg%3A1328138144361
just copy .so files over /system/lib using root explorer and set permissions same as other files
reboot
install included camera.apk if needed
Happy days
Anything for us poor mcb owners?
Hello,
I have an evolio neura tablet, which I understand is the romanian version of malata zpad t8, how do I know which serial I have, because as far as I understand there are two types of models MCB and MCC.
-also because I am new to the android family can someone explain step by step how to upgrade the rom?
Thanks
cociuba said:
Hello,
I have an evolio neura tablet, which I understand is the romanian version of malata zpad t8, how do I know which serial I have, because as far as I understand there are two types of models MCB and MCC.
-also because I am new to the android family can someone explain step by step how to upgrade the rom?
Thanks
Hello
There are three models. mca, which doesn't use internal memory and was the easy way to upgrade any rom.
Mcb, it's a little confusing what nand type is used; in a previous update of the official firmware there was a problem installing the mcc nand type, sound errors and not compatible firmware.
Only if you know what type you use, proceed to this.
And mcc with internal memory, the things are very dangerous. This nvflash recognizes your internal memory as SD card and sdcard turns into the emmc folder.
I have tested it on emmc models.
Under the tap of the sim card is the type of memory that you use.
Open the tap. It has a specification note with numbers,
something like that (emmc34567886)
i can't find the serial under the gsm tap, is there another possibility of finding it?
cociuba said:
i can't find the serial under the gsm tap, is there another possibility of finding it?
At settings
About option
Give a report
Hi geowolf,
Many thanks for what you're doing.
I also have an evolio neura - malata zpad t8 rebranded.
In the "about tablet" option I only have:
Model number - Evopad
Android version - 2.2
Baseband version - R2A11
Kernel version - 2.6.32.0-00252-gf1df521-dirty [email protected] #5
Build number - 20110712_EW
Hope it helps.
Also do you think that we could get ics on this?
Thank you!
this is the result from using one of the updates for the tablet, it seems that the update uses the emmc.bat
c:\neura\neura [email protected]>download_EMMC_1G.bat
c:\neura\neura [email protected]>"nvflash.exe" --bct Malata_a02_12Mhz_H5PS1G83EFR-S6C_ 333Mhz_1GB_emmc_THGBM1G6D4EBAI4_x8.bct --setbct --bl bootloader.bin --configfile android_fastboot_emmc_full_more.cfg --odmdata 0x3c0c0011 --create --go
Nvflash started
rcm version 0X20001
System Information:
chip name: t20
chip id: 0x20 major: 1 minor: 3
chip sku: 0x8
chip uid: 0x171411c040a08297
macrovision: disabled
hdcp: enabled
sbk burned: false
dk burned: false
boot device: emmc
operating mode: 3
device config strap: 0
device config fuse: 0
sdram config strap: 0
sending file:Malata_a02_12Mhz_H5PS1G83EFR-S6C_333Mhz_1GB_emmc_THGBM1G6D4EBAI4_x8.bct - 4080/4080 bytes sent
Malata_a02_12Mhz_H5PS1G83EFR-S6C_333Mhz_1GB_emmc_THGBM1G6D4EBAI4_x8.bct sent successfully
odm data: 0x3c0c0011
downloading bootloader -- load address: 0x108000 entry point: 0x108000
sending file: bootloader.bin
945472/945472 bytes sent
bootloader.bin sent successfully
waiting for bootloader to initialize
bootloader downloaded successfully
EE
bungadudu said:
Hi geowolf,
Many thanks for what you're doing.
I also have an evolio neura - malata zpad t8 rebranded.
In the "about tablet" option I only have:
Model number - Evopad
Android version - 2.2
Baseband version - R2A11
Kernel version - 2.6.32.0-00252-gf1df521-dirty [email protected] #5
Build number - 20110712_EW
Hope it helps.
Also do you think that we could get ics on this?
Thank you!
One more
Is rooted ?
If open root directory with root explorer is any directory like emmc. emmb ....
China Malata 3g models are mmc
But Russian 3q models have been modified with Ericsson 3g spare parts, even if they are, or are not, 3g
Maybe and the Romanian models has been modified
With 3g
Try with root explorer to find mount points
And from market android system info has an option to find mount points
Check it out .
It's too early for ice cream
can't find the mount points but I attached the diskstat and partition files
diskstat
7 0 loop0 0 0 0 0 0 0 0 0 0 0 0
7 1 loop1 0 0 0 0 0 0 0 0 0 0 0
7 2 loop2 0 0 0 0 0 0 0 0 0 0 0
7 3 loop3 0 0 0 0 0 0 0 0 0 0 0
7 4 loop4 0 0 0 0 0 0 0 0 0 0 0
7 5 loop5 0 0 0 0 0 0 0 0 0 0 0
7 6 loop6 0 0 0 0 0 0 0 0 0 0 0
7 7 loop7 0 0 0 0 0 0 0 0 0 0 0
179 48 mmcblk3 17433 44474 1532199 120670 136737 577806 3635982 18924640 0 1974930 19139480
179 49 mmcblk3p1 4495 282 286484 26080 3 0 6 20 0 15010 26080
179 50 mmcblk3p2 12 61 290 10 133 6864 27988 57350 0 11350 57360
179 51 mmcblk3p3 9 61 278 20 8 1 36 550 0 550 570
179 52 mmcblk3p4 0 0 0 0 0 0 0 0 0 0 0
179 53 mmcblk3p5 0 0 0 0 0 0 0 0 0 0 0
179 54 mmcblk3p6 9475 27970 846506 75240 115761 534552 2610508 14212670 0 1796540 14288720
179 55 mmcblk3p7 5 0 10 10 0 0 0 0 0 10 10
179 56 mmcblk3p8 3432 16100 398591 19310 20832 36389 997444 4654050 0 276190 4766740
254 0 dm-0 40 0 1066 340 0 0 0 0 0 130 340
254 1 dm-1 805 0 74867 14710 0 0 0 0 0 7710 14710
254 2 dm-2 34 0 478 30 0 0 0 0 0 30 30
254 3 dm-3 406 0 37090 4450 0 0 0 0 0 2180 4450
254 4 dm-4 80 0 6210 1040 0 0 0 0 0 330 1040
254 5 dm-5 118 0 6850 3190 0 0 0 0 0 810 3190
254 6 dm-6 635 0 47366 5750 0 0 0 0 0 2640 5750
partition
major minor #blocks name
7 0 2111 loop0
7 1 48888 loop1
7 2 2111 loop2
7 3 30177 loop3
7 4 4190 loop4
7 5 7308 loop5
7 6 24980 loop6
179 48 15648768 mmcblk3
179 49 327680 mmcblk3p1
179 50 65536 mmcblk3p2
179 51 32768 mmcblk3p3
179 52 1 mmcblk3p4
179 53 32768 mmcblk3p5
179 54 2097152 mmcblk3p6
179 55 8192 mmcblk3p7
179 56 13081600 mmcblk3p8
254 0 2110 dm-0
254 1 48888 dm-1
254 2 2110 dm-2
254 3 30177 dm-3
254 4 4189 dm-4
254 5 7308 dm-5
254 6 24979 dm-6
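The two dumps above are the kernel's /proc/partitions and /proc/diskstats tables, and the answer the poster was after (which block device is the internal eMMC, how it is partitioned, and which partitions are actually in use) can be read straight out of them. The following is an added example, not code from anyone in this thread; the embedded samples are the mmcblk lines copied from the dumps above plus one loop device, and the helper names are my own.

```python
"""Identify the internal eMMC and its partition layout from /proc/partitions
and /proc/diskstats dumps.  Added example; samples are the mmcblk lines from
the dumps posted above plus one loop device."""
from dataclasses import dataclass

# /proc/partitions lines from the dump above (sizes are in 1 KiB blocks).
PARTITIONS_SAMPLE = """major minor #blocks name
7 0 2111 loop0
179 48 15648768 mmcblk3
179 49 327680 mmcblk3p1
179 50 65536 mmcblk3p2
179 51 32768 mmcblk3p3
179 52 1 mmcblk3p4
179 53 32768 mmcblk3p5
179 54 2097152 mmcblk3p6
179 55 8192 mmcblk3p7
179 56 13081600 mmcblk3p8
"""

# /proc/diskstats lines from the dump above.
DISKSTATS_SAMPLE = """7 0 loop0 0 0 0 0 0 0 0 0 0 0 0
179 48 mmcblk3 17433 44474 1532199 120670 136737 577806 3635982 18924640 0 1974930 19139480
179 49 mmcblk3p1 4495 282 286484 26080 3 0 6 20 0 15010 26080
179 50 mmcblk3p2 12 61 290 10 133 6864 27988 57350 0 11350 57360
179 51 mmcblk3p3 9 61 278 20 8 1 36 550 0 550 570
179 52 mmcblk3p4 0 0 0 0 0 0 0 0 0 0 0
179 53 mmcblk3p5 0 0 0 0 0 0 0 0 0 0 0
179 54 mmcblk3p6 9475 27970 846506 75240 115761 534552 2610508 14212670 0 1796540 14288720
179 55 mmcblk3p7 5 0 10 10 0 0 0 0 0 10 10
179 56 mmcblk3p8 3432 16100 398591 19310 20832 36389 997444 4654050 0 276190 4766740
"""


@dataclass
class BlockDev:
    major: int
    minor: int
    blocks: int      # size in 1 KiB blocks, as /proc/partitions reports it
    name: str

    @property
    def size_mib(self) -> float:
        return self.blocks / 1024


def parse_partitions(text: str) -> list[BlockDev]:
    """Parse /proc/partitions; the header line and blanks are skipped."""
    devs = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 4 or not f[0].isdigit():
            continue
        devs.append(BlockDev(int(f[0]), int(f[1]), int(f[2]), f[3]))
    return devs


def parse_diskstats(text: str) -> dict[str, dict[str, int]]:
    """Read/write counters keyed by device name.  Field order follows the
    kernel's /proc/diskstats: major minor name reads reads_merged
    sectors_read ms_reading writes writes_merged sectors_written ..."""
    stats = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 14:
            continue
        stats[f[2]] = {
            "reads": int(f[3]), "sectors_read": int(f[5]),
            "writes": int(f[7]), "sectors_written": int(f[9]),
        }
    return stats


def mmc_layout(devs: list[BlockDev]) -> dict[str, list[BlockDev]]:
    """Group mmcblkNpM partitions under their parent mmcblkN device."""
    disks = {d.name: [] for d in devs
             if d.name.startswith("mmcblk") and "p" not in d.name[6:]}
    for d in devs:
        for disk in disks:
            if d.name.startswith(disk + "p"):
                disks[disk].append(d)
    return disks


def summarize(devs: list[BlockDev], stats: dict) -> dict[str, dict]:
    """Per MMC partition: size in MiB and whether anything has been written to
    it since boot (zero writes marks a partition the running system leaves alone)."""
    out = {}
    for parts in mmc_layout(devs).values():
        for p in parts:
            s = stats.get(p.name, {})
            out[p.name] = {"size_mib": round(p.size_mib, 3),
                           "written": s.get("sectors_written", 0) > 0}
    return out


if __name__ == "__main__":
    devs = parse_partitions(PARTITIONS_SAMPLE)
    for name, info in summarize(devs, parse_diskstats(DISKSTATS_SAMPLE)).items():
        print(f"{name:10} {info['size_mib']:>10.3f} MiB  written={info['written']}")
```

Run on the dump above it shows a single ~15 GiB MMC device (mmcblk3) carrying eight partitions, of which the 2 GiB mmcblk3p6 and the 12.8 GiB mmcblk3p8 are the only ones seeing real write traffic; on a device you are about to reflash, that is the quickest way to confirm that the storage the flashing tool will overwrite is the internal eMMC rather than a removable card.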
cociuba said:
cant find the mount points but I attached diskstat and partition file
diskstat
partition
The most important is that previous update you use was emmc
ok, so I can use your build?
if yes please explain one more time the steps, thanks.
also is it possible to use clockworkmod? or how can i make a backup of the rom that I am using
Hello All!
I build this rom from Cyanogen source +
1. kernel from Pershoot(MegaMonstr
2. MDM modems patch (my malata wifi version + F3607GW module with GPS)
3. Camera patch for Skype from toshiba ac100
4. /dev/hands
There are additional wishes?
Sorry for my english
@whyberg -does gsm work?
cociuba said:
@whyberg -does gsm work?
voice? i don't know, F3607gw can't support voice calls
gprs/edge/umts data worked well
whyberg said:
Hello All!
I build this rom from Cyanogen source +
1. kernel from Pershoot(MegaMonstr
2. MDM modems patch (my malata wifi version + F3607GW module with GPS)
3. Camera patch for Skype from toshiba ac100
4. /dev/hands
There are additional wishes?
Sorry for my english
thanks for all
great job
the post belong to you from now
it would be great if you post your libcamera.so for working skype
thanks we wait for this long time
i hope for the next...
I will soon test your rom, but I would like to know if something goes wrong can I revert to the stock rom, and how?
thanks for your work.
ps: is it possible to install the rom from a linux machine (ubuntu)?
geowolf1000 said:
thanks for all
great job
the post belong to you from now
it would be great if you post your libcamera.so for working skype
thanks we wait for this long time
i hope for the next...
View attachment libcamera.so.zip
Installation via ADB
1. unzip libcamera.so.zip
2. adb remount
3. adb push libcamera.so /system/lib/libcamera.so
Via recovery(View attachment libcamera.so-update.zip)
Skype from market last version worked!!!
Gtalk video not! but it's not a camera problem...
cociuba said:
I will soon test your rom, but I would like to know if something goes wrong can I revert to the stock rom, and how?
thanks for your work.
ps: is it possible to install the rom from a linux machine (ubuntu)?
Download stock rom from hardware developer website and reinstall it
What device you have?
My working computer runs Debian

Change Dynamic PagePool to Static

Hi there.
Can somebody help me to change pagepool from dynamic to static (4MB or 6MB)?
I have iPAQ 110 with WM6.5.3 and dynamic pagepool uses a lot of memory, more than expected.
I have tried all tools available to change pagepool, but none of them work.
I have attached XIP.bin to this thread, maybe someone can take a look on it.
Thanks
can't you recook rom to set pp from 0mb(=dynamic) to any value?
pupakota said:
can't you recook rom to set pp from 0mb(=dynamic) to any value?
Most kitchens I tried say "PagePool not found" or throw an error.
try this nk.exe - expected to be 6mb
now you know:
ultrashot said:
try this nk.exe - expected to be 6mb
Thanks ultrashot, but this does not work. Pagepool is dynamic same as before.
Sorry I couldn't reply sooner, as I tried it only now.
Pagepool is dynamic same as before.
proof, please.
pupakota said:
proof, please.
when you are not using limiters of SD CACHE, system cache, how can you tell (having the WORST PDA ever made)?
buy a normal device (never HTC) or learn the basics first.
I like to play with old devices and I don't need any other new one.
Total RAM is 57.86MB same as before. If it would work it should be around 51MB (6MB pagepool).
Vermillion said:
I like to play with old devices and I don't need any other new one.
Free RAM is 57.86MB same as before. If it would work it should be around 51MB (6MB pagepool).
57.86 mem free on this device?
please, post screenshot i am first to buy one, if it is true.
which kitchen are you using to make your roms?
I use OSBuilder and if I set pagepool location manually in nk section 2 and at offset 0x340 OSBuilder finds it and can change it, but there is no effect on device.
Here's a report from DevHealth as you can see pagepool is 0 (Dynamic).
Code:
Physical RAM (consumers breakdown) | 14931 | 61157376 | 58.32 | n/a
Kernel Prealloc. | 83 | 339968 | 0.32 | 0x802ac000 - 0x802fefff
Paging Pool | 0 | 0 | 0.00 | ?
Kernel RAM Map | 1 | 4096 | 0.00 | 0x802ff000 - 0x802fffff
Watson Size | 32 | 131072 | 0.13 | 0x83cdf000 - 0x83cfefff
Pagepool is somehow disabled. If I use Multiplatform PagePool Changer it can't find it.
Pagepool Changer is looking for something which it can't find, but I don't know what it is.
It means page pool value gets overrode in code
Pagepool Changer is looking for something which it can't find, but I don't know what it is.
crucial words, interesting issue.
i'll try to investigate, 'cause it is interesting (i never used ANY of the new kitchens made for HTC mainly, and tools made for NORMAL machines are just... working).
btw sorry for my earlier attitude.
Did you check OSBuilder advanced settings "Set KernelFlags"?
MSDN reports:
0x00000001 = Demand paging is disabled.
When OSBuilder starts up it should report the settings in the ROM template, like this:
Code:
XIP (Template\<XIP>):
PP(Mb) : 8 (offset: 0x0005D558)
KERNEL : WM6.1
dllFirst : 0x01FE01FE (Lo=0x01FE0000; Hi=0x01FE0000)
dllLast : 0x02000000
physFirst : 0x8C080000
physLast : 0x8C2295D8
modules : 21
RAMStart : 0x8C230000
RAMFree : 0x8C290000
RAMEnd : 0x8FD80000
CopyEntries : 1
CopyOffset : 0x8C0DDFEC
ProfileLength : 0x00000000
ProfileOffset : 0x00000000
files : 8
KernelFlags : 0x00000002
FSRamPercent : 0x00000004
DrivglobStart : 0x00000000
DrivglobLength : 0x00000000
CPUType : 0x01C2 (ARMV4I)
MiscFlags : 0x0002
pExtensions : 0x8C0827EC
TrackingStart : 0x00000000
TrackingLength : 0x00000000
So if you see the value of 1 there this should explain your observed behavior. Change that with OSBuilder advanced settings "Set KernelFlags" to either 0 or 2.
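The two things this reply tells the reader to look at are the page pool size the kitchen reports (0 MB meaning dynamic) and bit 0x00000001 of KernelFlags, which the MSDN value quoted above maps to "demand paging is disabled". The following is an added example, not part of OSBuilder, DevHealth or any kitchen: it parses an OSBuilder startup report of the shape shown above and returns both facts, so the check can be repeated on every build rather than read by eye. The first sample is the report from the post; the second is constructed to show the failing case the thread is chasing.

```python
"""Check an OSBuilder XIP template report for page pool size and the
demand-paging KernelFlags bit.  Added example; the KernelFlags bit value is the
MSDN value quoted in the thread, the second sample report is constructed."""
import re

DEMAND_PAGING_DISABLED = 0x00000001   # KernelFlags bit: "Demand paging is disabled"

# Report as printed by OSBuilder in the post above (shortened to the fields used).
REPORT_FROM_POST = """XIP (Template\\<XIP>):
PP(Mb) : 8 (offset: 0x0005D558)
KERNEL : WM6.1
dllFirst : 0x01FE01FE (Lo=0x01FE0000; Hi=0x01FE0000)
dllLast : 0x02000000
modules : 21
KernelFlags : 0x00000002
FSRamPercent : 0x00000004
CPUType : 0x01C2 (ARMV4I)
"""

# Constructed: a dynamic page pool and a ROM whose flags turn demand paging off.
REPORT_CONSTRUCTED = """XIP (Template\\<XIP>):
PP(Mb) : 0 (offset: 0x00000340)
KERNEL : WM6.5
KernelFlags : 0x00000001
"""

# "key : value" lines; the "XIP (Template...):" banner does not match and is ignored.
_LINE = re.compile(r"^\s*([A-Za-z][\w()]*)\s*:\s*(.+?)\s*$")


def parse_report(text: str) -> dict[str, str]:
    fields = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def pagepool_mb(fields: dict[str, str]) -> int:
    """'8 (offset: 0x0005D558)' -> 8; 0 means the kernel sizes the pool dynamically."""
    return int(fields["PP(Mb)"].split()[0])


def kernel_flags(fields: dict[str, str]) -> int:
    return int(fields["KernelFlags"], 16)


def diagnose(fields: dict[str, str]) -> dict:
    pp = pagepool_mb(fields)
    flags = kernel_flags(fields)
    return {
        "pagepool_mb": pp,
        "dynamic_pagepool": pp == 0,
        "demand_paging_disabled": bool(flags & DEMAND_PAGING_DISABLED),
    }


def parse_devhealth_pagepool(row: str) -> int:
    """Bytes in the 'Paging Pool' row of a DevHealth table such as the one
    quoted above ('Paging Pool | 0 | 0 | 0.00 | ?'); 0 again means dynamic."""
    cells = [c.strip() for c in row.split("|")]
    if cells[0] != "Paging Pool":
        raise ValueError("not a Paging Pool row")
    return int(cells[2])


if __name__ == "__main__":
    for label, text in (("post", REPORT_FROM_POST), ("constructed", REPORT_CONSTRUCTED)):
        print(label, diagnose(parse_report(text)))
    print("DevHealth paging pool bytes:",
          parse_devhealth_pagepool("Paging Pool | 0 | 0 | 0.00 | ?"))
```

On the report from the post this yields an 8 MB static pool with demand paging enabled (KernelFlags 0x2 has bit 0 clear); on the constructed report it flags both a dynamic pool and the disabled-demand-paging bit, which is the combination the reply says would explain the device behaviour.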

[GUIDE] USB Uart on Galaxy S devices [2012/09/25]

== General Info ==
Hello, and welcome to my usb uart guide - aka, how to totally f' your phone up, if you don't think first!
Really though, read everything before attempting anything!
USB Uart is not new news. There are many great people who have come before me to make what I am documenting here possible. But I am putting this here because I keep getting PM'd about getting help with USB Uart, and figured it would be good to start a thread that documents what you need and how to get going.
So up front, I need to list some credits.
I gained a lot of knowledge from these people:
TheBeano - Fun with resistors (home/car dock mode + more)
UberPenguin - Galaxy S UART JIG & Debugging Connector
AdamOutler - UART Output / Bootloader Hacking / Kernel Debugging
E:V:A - The Samsung Anyway Jig
I'm sure there is more... let me know if you think you need to be in this list. I'll be happy to update it!
== WARNING ==
I am not responsible for anything you do to your device! If you follow my guide and it results from anything like your phone not working or ending the world, I cannot be held accountable for what you do!
This guide will show you how to use the usb uart on most galaxy s phones (with the FSA9480 USB port accessory detector and switch)
It helps to have Unbrickable Mod. There are some commands you can run from the SBL that will wipe your bootloaders!
You must be VERY CAREFUL!
== Requirements ==
First off, you will need some hardware to connect to your computer. It helps. Below is a list of things I use and they are common and cheap. The links to the items below are what I have. It's what works for me.
mini-usb cable - http://www.sparkfun.com/products/598
bus pirate or arduino (I only cover bus pirate here... for now.) - http://www.seeedstudio.com/depot/bus-pirate-v3-assembled-p-609.html?cPath=174
In my guide i use the bus pirate probe kit - http://www.seeedstudio.com/depot/bus-pirate-probe-kit-p-526.html?cPath=178_180
I used a tape printer to label the test clips.
breadboard (optional, if you'd rather just solder the resistor to the micro-usb break-out board. more later...) - http://www.sparkfun.com/products/112
USB MicroB Plug Breakout Board - http://www.sparkfun.com/products/10031
some jumper wire - http://www.sparkfun.com/products/124
150k, 523k, 619k resistor (ymmv. AdamOutler and others told me to try 523k or 619k, but I was able to get all the output I need with 150k)
guts - priceless
Also, I use minicom on Linux and Mac OS X (use homebrew to install minicom), but you should be able to use any serial console program you like (i.e. kermit, cu, etc...)
I highly suggest getting to know your bus pirate, but this guide assumes you have read manuals and updated firmware. Any of the other uart modes should also work this way, but I currently don't cover that here... yet.
== Getting Started ==
When we connect to the usb port on the bus pirate (bp), you can find the version info by typing i at the high impedance mode (HiZ>) prompt. Change to this mode when you're modifying connections or cable arrangements.
Code:
HiZ>i
Bus Pirate v3b
Firmware v6.0 r1625 Bootloader v4.4
DEVID:0x0447 REVID:0x3043 (24FJ64GA002 B5)
http://dangerousprototypes.com
Disconnect the bp and let's connect everything from the micro usb port connecting to your phone backwards to the bp. I use a breadboard for things that I might work on later or things I'll re-arrange a lot. You may also decide to solder the resistor directly to the GND/ID pins, but you will need a little lead on the GND. Connect MOSI to D+ and MISO to D-.
Another warning!
You can also fry the ftdi on the bus pirate, if you mess with the connections while the bus pirate is in any mode besides HiZ (Hi Impedance) or unplugged. Usually, I'm in uart bridge mode, so you can't go back to HiZ. You just have to unplug the usb cable.
Solder some jumper wire to the micro usb breakout board. I use about an inch.
I usually start at a1 on the breadboard with vcc and a4 and a5 for ID and GND (respectively). In these images, I'm at the opposite end of the board to make it easier to have the phone next to and above my mouse so it is easy for me to work with the phone.
Put the resistor on b4 and b5 - which is where I connect GND on the bp.
Now that you have the bp connected to the circuit, let's move forward and plug the micro usb cable into the bp and then into your computer.
To change into UART mode on the buspirate, type 'm' at the HiZ> prompt:
Code:
HiZ>m
1. HiZ
2. 1-WIRE
3. UART
4. I2C
5. SPI
6. 2WIRE
7. 3WIRE
8. LCD
x. exit(without change)
(1)>3
Set serial port speed: (bps)
1. 300
2. 1200
3. 2400
4. 4800
5. 9600
6. 19200
7. 38400
8. 57600
9. 115200
10. BRG raw value
(1)>9
Data bits and parity:
1. 8, NONE *default
2. 8, EVEN
3. 8, ODD
4. 9, NONE
(1)>1
Stop bits:
1. 1 *default
2. 2
(1)>1
Receive polarity:
1. Idle 1 *default
2. Idle 0
(1)>1
Select output type:
1. Open drain (H=Hi-Z, L=GND)
2. Normal (H=3.3V, L=GND)
(1)>2
Ready
UART>(3)
UART bridge
Reset to exit
Are you sure? y
After you get into UART Bridge mode, you will have to unplug the usb port from your computer to reset the bus pirate.
This is where experimenting with different resistors on the GND/ID pins make a difference. Using 619k resistance, I just plug the phone in and it boots up. During boot up, I can see the PBL output like the output you will see in the rest of this document. Using 150k resistance, the phone doesn't automatically turn on.
Also, you may have different usability of the console depending on if you set the output type to Open drain or Normal drain.
With Open drain, I am able to see the uart output, but I am not able to break into the SBL prompt like I am with Normal drain.
Interestingly, with 619k on my SGH-T959V, I don't see all of the kernel console output. I still haven't figured out exactly why yet. With 150k resistance, I don't see the PBL output, but I can still break into the SBL prompt (with normal drain) and get full kernel console output.
When you get to this point, the mode light should now be green. When you plug your phone into the micro usb adapter (again 619k in these examples), you should see everything from the pbl in to the kernel starting:
Code:
1
-----------------------------------------------------------
Samsung Primitive Bootloader (PBL) v3.0
Copyright (C) Samsung Electronics Co., Ltd. 2006-2010
-----------------------------------------------------------
+n1stVPN 2688
+nPgsPerBlk 64
+n1stVPN 3008
+nPgsPerBlk 64
PBL found bootable SBL: Partition(4).
Set cpu clk. from 400MHz to 800MHz.
OM=0x29, device=OnenandMux(Audi)
IROM e-fused - Non Secure Boot Version.
-----------------------------------------------------------
Samsung Secondary Bootloader (SBL) v3.0
Copyright (C) Samsung Electronics Co., Ltd. 2006-2010
Board Name: ARIES REV 03
Build On: Oct 28 2011 15:45:50
-----------------------------------------------------------
Re_partition: magic code(0x0)
[PAM: ] ++FSR_PAM_Init
[PAM: ] OneNAND physical base address : 0xb0000000
[PAM: ] OneNAND virtual base address : 0xb0000000
[PAM: ] OneNAND nMID=0xec : nDID=0x60
[PAM: ] --FSR_PAM_Init
fsr_bml_load_partition: pi->nNumOfPartEntry = 12
partitions loading success
board partition information update.. source: 0x0
.Done.
read 1 units.
==== PARTITION INFORMATION ====
ID : IBL+PBL (0x0)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 0
NO_UNITS : 1
===============================
ID : PIT (0x1)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 1
NO_UNITS : 1
===============================
ID : EFS (0x14)
ATTR : RW STL SLC (0x1101)
FIRST_UNIT : 2
NO_UNITS : 40
===============================
ID : SBL (0x3)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 42
NO_UNITS : 5
===============================
ID : SBL2 (0x4)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 47
NO_UNITS : 5
===============================
ID : PARAM (0x15)
ATTR : RW STL SLC (0x1101)
FIRST_UNIT : 52
NO_UNITS : 20
===============================
ID : KERNEL (0x6)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 72
NO_UNITS : 30
===============================
ID : RECOVERY (0x7)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 102
NO_UNITS : 30
===============================
ID : FACTORYFS (0x16)
ATTR : RW STL SLC (0x1101)
FIRST_UNIT : 132
NO_UNITS : 1540
===============================
ID : DATAFS (0x17)
ATTR : RW STL SLC (0x1101)
FIRST_UNIT : 1672
NO_UNITS : 2120
===============================
ID : CACHE (0x18)
ATTR : RW STL SLC (0x1101)
FIRST_UNIT : 3792
NO_UNITS : 160
===============================
ID : MODEM (0xb)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 3952
NO_UNITS : 60
===============================
loke_init: j4fs_open success..
load_lfs_parameters valid magic code and version.
reading nps status file is successfully!.
nps status=0x504d4f43
load_debug_level reading debug level from file successfully(0x574f4c44).
init_fuel_gauge: vcell = 4013mV, soc = 86
check_quick_start_condition- Voltage: 4013.75000, Linearized[74/89/100], Capacity: 89
init_fuel_gauge: vcell = 4013mV, soc = 86, rcomp = d000
reading nps status file is successfully!.
nps status=0x504d4f43
PMIC_IRQ1 = 0x20
PMIC_IRQ2 = 0x0
PMIC_IRQ3 = 0x0
PMIC_IRQ4 = 0x0
PMIC_STATUS1 = 0x40
PMIC_STATUS2 = 0x0
get_debug_level current debug level is 0x574f4c44.
aries_process_platform: Debug Level Low
keypad_scan: key value ----------------->= 0x0
CONFIG_ARIES_REV:48 , CONFIG_ARIES_REV03:48
check_download: micorusb_status1 = 400, key_value = 0
aries_process_platform: final s1 booting mode = 0
DISPLAY_PATH_SEL[MDNIE 0x1]is on
MDNIE setting Init start!!
vsync interrupt is off
video interrupt is off
[fb0] turn on
MDNIE setting Init end!!
Autoboot (0 seconds) in progress, press any key to stop
get_debug_level current debug level is 0x574f4c44.
get_debug_level current debug level is 0x574f4c44.
boot_kernel: Debug Level Low
FOTA Check Bit
Read BML page=, NumPgs=
FOTA Check Bit (0xffffffff)
Load Partion idx = (6)
..............................done
Kernel read success from kernel partition no.6, idx.6.
setting param.serialnr=0x3733b898 0x1ffc00ec
setting param.board_rev=0x30
setting param.cmdline=console=ttySAC2,115200 loglevel=4
Starting kernel at 0x32000000...
== The SBL (Secondary BootLoader) ==
The most interesting line out of all of that was:
Code:
Autoboot (0 seconds) in progress, press any key to stop
If you happen to hold down the Enter/Return key while booting the phone you will get into the "SBL>" prompt.
The Secondary BootLoader is essentially like u-boot.
Code:
...
DISPLAY_PATH_SEL[MDNIE 0x1]is on
MDNIE setting Init start!!
vsync interrupt is off
video interrupt is off
[fb0] turn on
MDNIE setting Init end!!
Autoboot (0 seconds) in progress, press any key to stop Autoboot aborted..
SBL>
If we type help, we will get some commands you can run. Some of these commands are affected by what is set in the environment.
Code:
SBL> help
Following commands are supported:
* setenv
* saveenv
* printenv
* help
* reset
* boot
* kernel
* format
* open
* close
* erasepart
* eraseall
* loadkernel
* showpart
* addpart
* delpart
* savepart
* nkernel
* nramdisk
* nandread
* nandwrite
* usb
* mmctest
* keyread
* readadc
* usb_read
* usb_write
* fuelgauge
* pmic_read
* pmic_write
To get commands help, Type "help <command>"
SBL>
You can get some minimal help for each command:
Code:
SBL> help loadkernel
* Help : loadkernel
* Usage : loadkernel
load kernel image
- loadkernel 0x80A00000 from kernel partition
Another set of interesting commands here are the ones that manipulate the environment:
setenv
saveenv
printenv
Code:
SBL> help setenv
* Help : setenv
* Usage : setenv [name] [value] . .
Modify current environment info on ram
SBL> help saveenv
* Help : saveenv
* Usage : saveenv
Save cuurent environment info to flash
SBL> help printenv
* Help : printenv
* Usage : printenv
Print current environment info on ram
printenv is probably the safest of them to run, so let's try this first.
Code:
SBL> printenv
PARAM Rev 1.3
SERIAL_SPEED : 7
LOAD_RAMDISK : 0
BOOT_DELAY : 0
LCD_LEVEL : 97
SWITCH_SEL : 1
PHONE_DEBUG_ON : 0
LCD_DIM_LEVEL : 0
LCD_DIM_TIME : 6
MELODY_MODE : 1
REBOOT_MODE : 0
NATION_SEL : 0
LANGUAGE_SEL : 0
SET_DEFAULT_PARAM : 0
CUST_KERNEL_DL_COUNT : 0
KERNEL_BINARY_TYPE : 0
VERSION : I9000XXIL
CMDLINE : console=ttySAC2,115200 loglevel=4
DELTA_LOCATION : /mnt/rsv
PARAM_STR_3 :
PARAM_STR_4 :
I'm not fully sure what all of these options are, but the ones I know about are SWITCH_SEL and PHONE_DEBUG_ON.
I usually turn SWITCH_SEL to 765431. If I turn 2 on, I don't get anything. It would be worthwhile to test each number in SWITCH_SEL to figure out what number changes what. That may be specific to the device I have.
Setting at least 6543 in SWITCH_SEL will give you kernel log output:
Code:
setenv SWITCH_SEL 6543
saveenv
I also set PHONE_DEBUG_ON to 1:
Code:
setenv PHONE_DEBUG_ON 1
saveenv
When I set this, I get some extended battery statistics like:
Code:
[BAT] CHR(0) CAS(0) CHS(3) DCR(0) ACP(2) BAT(81,0,0) TE(31) HE(1) VO(3926) ED(1000) RC(0) CC(0) VF(591) LO(0)
You must remember that after running setenv, you must then run saveenv at least once at the end to save the environment. I believe this environment info is saved to either an offset on the sbl partition or on the param.lfs. It would be useful to find this out, because u-boot has a userspace utility (that you can use from within linux userspace) to modify the u-boot environment. It may be handy to use a tool like that to modify the CMDLINE option during rom flashing time.
Also, instead of powering your phone off then on again to put the new settings in place, just run reset from the sbl prompt to reboot the phone with the new settings.
Anyways, this is what I have so far. I will be adding more to this as time goes on.
Enjoy!
-Bryan
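The SBL prints its flash layout as the "==== PARTITION INFORMATION ====" table shown in the boot log above, and the same bootloader offers commands that rewrite or erase those partitions, so it is worth being able to read that table mechanically and sanity-check it before touching anything. The following is an added example, not code from this guide or from Samsung: it parses the table into records, checks that consecutive entries are contiguous with no overlap, and lists the entries the bootloader marks read-only (the PBL/SBL chain the guide warns about). The sample is the first five entries of the dump above; the record and function names are my own.

```python
"""Parse the SBL '==== PARTITION INFORMATION ====' dump and validate the
layout.  Added example, not Samsung code; sample is the first five entries
of the dump shown in the guide."""
import re
from dataclasses import dataclass

SBL_DUMP = """==== PARTITION INFORMATION ====
ID : IBL+PBL (0x0)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 0
NO_UNITS : 1
===============================
ID : PIT (0x1)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 1
NO_UNITS : 1
===============================
ID : EFS (0x14)
ATTR : RW STL SLC (0x1101)
FIRST_UNIT : 2
NO_UNITS : 40
===============================
ID : SBL (0x3)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 42
NO_UNITS : 5
===============================
ID : SBL2 (0x4)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 47
NO_UNITS : 5
===============================
"""

_ID = re.compile(r"^ID\s*:\s*(\S+)\s*\((0x[0-9a-fA-F]+)\)")
_ATTR = re.compile(r"^ATTR\s*:\s*(.+?)\s*\((0x[0-9a-fA-F]+)\)")
_NUM = re.compile(r"^(FIRST_UNIT|NO_UNITS)\s*:\s*(\d+)")
_FIELD = {"FIRST_UNIT": "first_unit", "NO_UNITS": "num_units"}


@dataclass
class SblPartition:
    name: str
    part_id: int
    attr: str          # e.g. "RO SLC" or "RW STL SLC"
    attr_code: int
    first_unit: int
    num_units: int

    @property
    def read_only(self) -> bool:
        return "RO" in self.attr.split()

    @property
    def end_unit(self) -> int:      # first unit after this partition
        return self.first_unit + self.num_units


def parse_partition_table(text: str) -> list[SblPartition]:
    """Each entry is ID / ATTR / FIRST_UNIT / NO_UNITS; NO_UNITS closes it."""
    parts, cur = [], {}
    for line in text.splitlines():
        line = line.strip()
        if (m := _ID.match(line)):
            cur = {"name": m.group(1), "part_id": int(m.group(2), 16)}
        elif (m := _ATTR.match(line)):
            cur["attr"], cur["attr_code"] = m.group(1), int(m.group(2), 16)
        elif (m := _NUM.match(line)):
            cur[_FIELD[m.group(1)]] = int(m.group(2))
            if m.group(1) == "NO_UNITS":
                parts.append(SblPartition(**cur))
                cur = {}
    return parts


def layout_issues(parts: list[SblPartition]) -> list[str]:
    """Gaps and overlaps between consecutive entries, ordered by FIRST_UNIT."""
    issues = []
    ordered = sorted(parts, key=lambda p: p.first_unit)
    for prev, nxt in zip(ordered, ordered[1:]):
        if nxt.first_unit < prev.end_unit:
            issues.append(f"overlap: {prev.name} ends at {prev.end_unit}, "
                          f"{nxt.name} starts at {nxt.first_unit}")
        elif nxt.first_unit > prev.end_unit:
            issues.append(f"gap: units {prev.end_unit}..{nxt.first_unit - 1} "
                          f"unassigned between {prev.name} and {nxt.name}")
    return issues


def read_only_names(parts: list[SblPartition]) -> list[str]:
    return [p.name for p in parts if p.read_only]


if __name__ == "__main__":
    table = parse_partition_table(SBL_DUMP)
    for p in table:
        print(f"{p.name:8} id=0x{p.part_id:x} units {p.first_unit}-{p.end_unit - 1} {p.attr}")
    print("issues:", layout_issues(table) or "none")
    print("read-only:", read_only_names(table))
```

On the full dump in the guide every entry starts exactly where the previous one ends (the twelve entries cover units 0 through 4011 with no holes), so `layout_issues` returns an empty list; a table captured after an experiment with addpart/delpart that no longer satisfies that is the signal to stop and compare against a known-good capture before running saveenv or any write command.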
Very nice and clear guide!
Also check out my Anyway thread on more details about JIG resistances etc. Soon I hope there will be more added to that about building your own Samsung Test Jig...
Setenv switch sel 1234567
Phone debug on 1
This gives you some kernel debugging.
bhundven said:
I usually turn SWITCH_SEL to 765431. If I turn 2 on, I don't get anything. It would be worthwhile to test each number in SWITCH_SEL to figure out what number changes what.
AdamOutler said:
Setenv switch sel 1234567
Phone debug on 1
This gives you some kernel debugging.
Yup. I've got that in there.
It's interesting to note that not all bootloaders are created equal. My results are on SGH-T959V.
Any chance that it will work with Galaxy Ace too?
dragonnn said:
Any chance that it will work with Galaxy Ace too?
I'm not sure. The GT-i9001 and the SGH-i717 (at&t galaxy note) also both have the FSA9480 chip, but use Qualcomm chips. I can only get some bootloader output from the SGH-i717:
Code:
Android Bootloader - UART_DM Initialized!!!
[VIBETONZ] ENABLE
[VIBETONZ] DISABLE
HW_REV = 12
mipi_init : status = 1
HW_REV = 12
start init_charger
smb328a_init_charger : is_reboot_mode = 0, vcell = 3975
check valid dcin (0x33) = 0x0
no dcin, skip init_charger
fuelguage : soc = 80%, vcell = 3975mV
fuelguage : rcomp(0xd01f) ==?? 0xd0d0
HW_REV = 12
VReset : 0x8c
Hibernation mode : 0x0
8340 = ( 397500 - 334350 ) * 13207 / 100000
HW_REV = 12
reboot_mode = 0xb6cef249
do key check
enter normal booting mode
AST_POWERON
usable ddi data.
HW_REV = 12
HW_REV = 12
E.V.A. said that it might be some debugging setting in the kernel that might have disabled the kernel log output.
It would be helpful to get some MSM developers here to help us out with that!
bhundven said:
I'm not sure. The GT-i9001 and the SGH-i717 (at&t galaxy note) also both have the FSA9480 chip, but use Qualcomm chips. I can only get some bootloader output from the SGH-i717:
I looked in the kernel source and it has ./drivers/i2c/chips/fsa9280.c and the driver is included in the built kernel :good:. As far as I understand we can use this method to recover the phone from a hard brick? That will be really nice, my friend bricked his Ace, maybe he can use this method.
dragonnn said:
I looked in the kernel source and it has ./drivers/i2c/chips/fsa9280.c, and the driver is included in the built kernel :good:. As far as I understand, we can use this method to recover the phone from a hard brick? That would be really nice; my friend bricked his Ace, maybe he can use this method.
Currently, I only know this method to work on SGS (not SGS2 or SGS3) phones with the FSA9480.
bhundven said:
Yup. I've got that in there.
It's interesting to note that not all bootloaders are created equal. My results are on SGH-T959V.
The switches are messages from levels 1-7. Turn on more to get more messages.
AdamOutler said:
The switches are messages from levels 1-7. Turn on more to get more messages.
That makes sense, but what doesn't is if I set SWITCH_SEL to 1234567 or any combination with 2, I get no output. As long as I don't have 2 in there, it works fine. Must just be this device.
Memory Architecture
Of course each device will have a different Memory Map. Each carrier designs their variant based on what they want and need to function. The MM is sectioned off in the ROM. Any user or modifiable area is stored in RAM, so remember we are working in an area that is not supposed to be touched (ROM).
Bootloaders are tricky beasts; I have never developed a flashing algorithm so I don't know. Usually BLs are not updated after release (at least in my field), only sw/fw is.
Either way, excellent ideas, but there is always a way in!
Fly-n-High said:
Of course each device will have a different Memory Map. Each carrier designs their variant based on what they want and need to function. The MM is sectioned off in the ROM. Any user or modifiable area is stored in RAM, so remember we are working in an area that is not supposed to be touched (ROM).
Bootloaders are tricky beasts; I have never developed a flashing algorithm so I don't know. Usually BLs are not updated after release (at least in my field), only sw/fw is.
Either way, excellent ideas, but there is always a way in!
huh?
Good post
Nice...!!
Thank you~
can't get SBL or PBL logs on uart in galaxy-y (GT-S5360)
Hello sir,
Thanks for your great tutorial.
I tried to get UART on galaxy-y (GT-S5360). I got a working UART but can't see any PBL or SBL logs during the boot. The only log I see during the booting is
Code:
AST_POWERON..
BOOTING COMPLETED
After booting, UART works fine and I can use a shell via serial using the command
(on phone)
Code:
busybox sh</dev/ttyS0 >/dev/ttyS0
and on PC
Code:
microcom -s 115200 -p /dev/ttyS0
The ttyS0 settings of the phone are
Code:
speed 115200 baud; line = 0;
intr = ^C; quit = ^\; erase = ^?; kill = ^U; eof = ^D; eol = <undef>;
eol2 = <undef>; swtch = <undef>; start = ^Q; stop = ^S; susp = ^Z; rprnt = ^R;
werase = ^W; lnext = ^V; flush = ^O; min = 1; time = 0;
-parenb -parodd cs8 hupcl -cstopb cread clocal -crtscts
-ignbrk -brkint -ignpar -parmrk -inpck -istrip -inlcr -igncr icrnl ixon -ixoff
-iuclc -ixany -imaxbel -iutf8
opost -olcuc -ocrnl onlcr -onocr -onlret -ofill -ofdel nl0 cr0 tab0 bs0 vt0 ff0
isig icanon iexten echo echoe echok -echonl -noflsh -xcase -tostop -echoprt
echoctl echoke
And those of the PC are
Code:
speed 115200 baud; rows 0; columns 0; line = 0;
intr = ^C; quit = ^\; erase = ^?; kill = ^U; eof = ^D; eol = <undef>;
eol2 = <undef>; swtch = <undef>; start = ^Q; stop = ^S; susp = ^Z; rprnt = ^R;
werase = ^W; lnext = ^V; flush = ^O; min = 1; time = 0;
-parenb -parodd cs8 hupcl -cstopb cread clocal -crtscts
ignbrk -brkint -ignpar -parmrk -inpck -istrip -inlcr -igncr -icrnl -ixon -ixoff
-iuclc -ixany -imaxbel -iutf8
opost -olcuc -ocrnl -onlcr -onocr -onlret -ofill -ofdel nl0 cr0 tab0 bs0 vt0 ff0
isig -icanon iexten -echo echoe echok -echonl -noflsh -xcase -tostop -echoprt
-echoctl echoke
cat /proc/cmdline of the phone is
Code:
console=ttyS0,115200n8 mem=362M kmemleak=off root=/dev/ram0 rw androidboot.console=ttyS0 mtdparts=bcm_umi-nand:[email protected](bcm_boot)ro,[email protected](loke)ro,[email protected](loke_bk)ro,[email protected](systemdata)ro,[email protected](modem)ro,[email protected](param_lfs)rw,[email protected](boot)ro,[email protected](boot_backup)ro,[email protected](system)rw,[email protected](cache)rw,[email protected](userdata)rw,[email protected](efs)rw,[email protected](sysparm_dep)ro,[email protected](umts_cal)ro,[email protected](cal)r BOOT_MODE=0 loglevel=0 BOOT_FOTA=0 DEBUG_LEVEL=LOW
Circuit diagram is attached below
Anyone, please help.
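As an added example (not code from anyone in this thread), a small Python check for the situation in the post above: it pulls the console= device, speed, parity and width plus the loglevel out of the cmdline, compares the phone's stty flags against the PC's, and reports any disagreement between the tty line settings and the console= token. The stty dumps and cmdline are constructed from the post (abridged), and the function names are my own.

```python
import re

# Constructed: the two stty dumps from the post above (abridged) and a
# trimmed copy of its /proc/cmdline; real use would read both live.
CMDLINE = "console=ttyS0,115200n8 mem=362M root=/dev/ram0 rw androidboot.console=ttyS0 loglevel=0"
PHONE_STTY = """speed 115200 baud; line = 0;
-parenb -parodd cs8 hupcl -cstopb cread clocal -crtscts
-ignbrk -brkint -ignpar -parmrk -inpck -istrip -inlcr -igncr icrnl ixon -ixoff
opost -olcuc -ocrnl onlcr -onocr -onlret -ofill -ofdel nl0 cr0 tab0 bs0 vt0 ff0
isig icanon iexten echo echoe echok -echonl -noflsh -xcase -tostop echoctl echoke"""
PC_STTY = """speed 115200 baud; rows 0; columns 0; line = 0;
-parenb -parodd cs8 hupcl -cstopb cread clocal -crtscts
ignbrk -brkint -ignpar -parmrk -inpck -istrip -inlcr -igncr -icrnl -ixon -ixoff
opost -olcuc -ocrnl -onlcr -onocr -onlret -ofill -ofdel nl0 cr0 tab0 bs0 vt0 ff0
isig -icanon iexten -echo echoe echok -echonl -noflsh -xcase -tostop -echoctl echoke"""

def parse_console(cmdline):
    """(device, baud, parity, bits) from a console=ttyS0,115200n8 token."""
    m = re.search(r"\bconsole=(\w+),(\d+)([noe])(\d)", cmdline)
    if m is None:
        return None
    dev, baud, parity, bits = m.groups()
    return dev, int(baud), parity, int(bits)

def console_loglevel(cmdline):
    """loglevel=N from the cmdline: only messages below N reach the console."""
    m = re.search(r"\bloglevel=(\d+)", cmdline)
    return int(m.group(1)) if m else None

def parse_stty(text):
    """(speed, {flag: on?}) from `stty -a` output; a leading '-' means off."""
    speed = int(re.search(r"speed (\d+) baud", text).group(1))
    flags = {}
    for line in text.splitlines()[1:]:  # skip the speed/line header
        for tok in line.split():
            flags[tok.lstrip("-")] = not tok.startswith("-")
    return speed, flags

def line_mismatches(cmdline, stty_text):
    """Ways the tty's speed/parity/width disagree with the console= token."""
    _dev, baud, parity, bits = parse_console(cmdline)
    speed, flags = parse_stty(stty_text)
    checks = [(speed == baud, "speed %d != %d" % (speed, baud)),
              (parity != "n" or not flags.get("parenb"), "parity enabled"),
              (flags.get("cs%d" % bits, False), "not cs%d" % bits)]
    return [msg for ok, msg in checks if not ok]

def stty_diff(a, b):
    """Flags set on one side and cleared on the other, sorted."""
    fa, fb = parse_stty(a)[1], parse_stty(b)[1]
    return sorted(f for f in fa if f in fb and fa[f] != fb[f])
```

On the posted dumps both ends agree with 115200n8, and the flags that differ (echo, icanon, icrnl, onlcr and friends) are terminal-side line discipline, not framing. The cmdline's loglevel=0 is the more likely culprit: printk suppresses anything at or above console_loglevel, so nothing from the kernel reaches the console no matter how the line is set.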
harish2704 said:
I tried to get UART on galaxy-y (GT-S5360). I got a working UART but can't see any PBL or SBL logs during the boot. The only log I see during the booting is
Code:
AST_POWERON..
BOOTING COMPLETED
I get something similar on a Samsung Rugby Smart (SGH-I847). I think they have tweaked the UART stuff on the newer devices that post date the Galaxy S devices. They might share the UART chip, but it seems as if they changed the loader implementation which is causing the newer devices to not see the PBL and SBL information during boot.
harish2704 said:
Circuit diagram is attached below
Have you tried a 150k or 619k resistor instead of the 523k? I was able to get output with both a 150k and 619k, but the output was very similar to what you have posted. Likely a long shot, but worth a try.
harish2704 said:
cat /proc/cmdline of the phone is
Code:
console=ttyS0,115200n8 mem=362M kmemleak=off root=/dev/ram0 rw androidboot.console=ttyS0 mtdparts=bcm_umi-nand:[email protected](bcm_boot)ro,[email protected](loke)ro,[email protected](loke_bk)ro,[email protected](systemdata)ro,[email protected](modem)ro,[email protected](param_lfs)rw,[email protected](boot)ro,[email protected](boot_backup)ro,[email protected](system)rw,[email protected](cache)rw,[email protected](userdata)rw,[email protected](efs)rw,[email protected](sysparm_dep)ro,[email protected](umts_cal)ro,[email protected](cal)r BOOT_MODE=0 loglevel=0 BOOT_FOTA=0 DEBUG_LEVEL=LOW
Do you have any control over this? It might be the case that ttyS0 isn't setup during early-boot and you need to use a different tty to get it to output over the FSA chip.
Have you tried a 150k or 619k resistor instead of the 523k?
Yes, I tried. I didn't feel any difference between 619k and 523k when I tried. And with 150k, I couldn't get UART active.
Do you have any control over this? It might be the case that ttyS0 isn't setup during early-boot and you need to use a different tty to get it to output over the FSA chip
What do you mean by control? Do you mean, can I change these parameters? Yes, it's possible by reflashing (update.zip method)
Or
Or do you mean, do I have control over the ttyS0 device? Yes, I could change that by the
Code:
busybox stty -F /dev/ttyS0 ..........
command
Sorry for my language
harish2704 said:
What do you mean by control? Do you mean, can I change these parameters? Yes, it's possible by reflashing (update.zip method)
This is the method I was referring to. If you tweak the parameters you might be able to get the kernel log over serial.
Sent from my SAMSUNG-SGH-I547 using Tapatalk 2
Can you please describe the tweaks I have to do...
To my knowledge, the kernel param
Code:
console=ttyS0,115200n8
is enough for that....
So please specify the tweaks...
harish2704 said:
Can you please describe the tweaks I have to do...
To my knowledge, the kernel param
Code:
console=ttyS0,115200n8
is enough for that....
So please specify the tweaks...
If you can interact with ttyS0 post-boot I'd expect it to work. Is there maybe another serial device such as ttyHS0 or similar that you can interact with? If so, that might be something to try.
You need to change that ttyS0 to ttySAC2 in the boot parameters. Use the abootimg tool on Ubuntu: apt-get install abootimg.