AT-Commands? - Windows Mobile Development and Hacking General

Hi there,
maybe not an XDA-specific question, but maybe someone could still help me.
I've got a SIEMENS emem ES75 GSM modem which I wanted to use as an SMS receiver for my party next month (receive SMS and project them onto a wall).
But I have some trouble controlling it using the AT command set.
For example: the AT+GMM command (which should give me the name of the manufacturer). Sometimes AT+ commands are working, sometimes not.
When it works, I printed out the current settings using AT&V:
Code:
ACTIVE PROFILE:
E0 Q0 V1 X4 &C1 &D2 &S0 \Q0 \V1
S0:000 S3:013 S4:010 S5:008 S6:000 S7:060 S8:000 S10:002 S18:000
+CR: 0
+CRC: 0
+CMGF: 1
+CSDH: 0
+CNMI: 0,0,0,0,1
+ICF: 3
+IFC: 0,0
+ILRR: 0
+IPR: 115200
+CMEE: 0
^SMGO: 0,0
+CSMS: 0,1,1,1
^SACM: 0,"000000","FFFFFF"
^SLCC: 0
^SCKS: 0,1
^SSET: 0
+CREG: 0,1
+CLIP: 0,2
+CAOC: 0
+COPS: "T-MOBILE D"
+CGSMS: 3
Remember: it says "CURRENT PROFILE"
Then I used the AT&V Command when it did not work:
Code:
Current Settings............
E0 H0 Q0 V1
&C0 &D0 &P1 &R0 &S0
S00=000 S01=000 S02=043 S03=013 S04=010 S05=008 S06=000 S07=030
S08=000 S09=000 S10=000 S11=000 S12=050 S13=000 S14=000 S15=000
S16=000 S17=000 S18=000 S19=000 S20=000 S21=000 S22=000 S23=000
S24=000 S25=005 S26=001 S27=000 S28=000 S29=000 S30=000 S31=000
S32=000 S33=001 S34=000 S35=000 S36=000
#0 :
#1 :
#2 :
#3 :
#4 :
#5 :
#6 :
#7 :
#8 :
#9 :
Why does it output the "CURRENT SETTING" instead of the "CURRENT PROFILE"? And why can't I read the SMS? With this setting it does not accept most of the AT+(..) commands (AT+GMM, ...).
I sniffed the serial port communication from working applications and used the same commands and init strings, but nothing.
Any advice?

Nothing?


Did anyone try running haret on a smartphone?

I ran the latest version 0.36 on my Mio8390, which is using a PXA262 processor
running Smartphone 2003.
When I started haret I got an error message:
EXCEPTION reading coprocessor 15 register 0
twice.
And the detected CPU type is unknown.
Anyway, I could start the application and open a TCP port.
Here is the result of 'dump cp(0)':
c00: ffffffd2 | c08: ffffffd2
c01: ffffffd2 | c09: ffffffd2
c02: ffffffd2 | c10: ffffffd2
c03: ffffffd2 | c11: ffffffd2
c04: ffffffd2 | c12: ffffffd2
c05: ffffffd2 | c13: ffffffd2
c06: ffffffd2 | c14: ffffffd2
c07: ffffffd2 | c15: ffffffd2
And here is the result of dump mmu:
----- Virtual address map -----
Descriptor flags legend:
C: Cacheable
B: Bufferable
0..3: Access Permissions (for up to 4 slices):
0: Supervisor mode Read
1: Supervisor mode Read/Write
2: User mode Read
3: User mode Read/Write
Error: EXCEPTION reading coprocessor 15 register 2
MMU 1st level descriptor table is at FFFFC000
Virtual | Physical | Descr | Description
address | address | flags |
----------+----------+---------+-----------------------------
Error: EXCEPTION CAUGHT AT MEGABYTE 0!
ffffffff | | | End of virtual address space
It seems that haret is having problems trying to read the CPU registers;
what could be the problem?
So does it mean that I have to patch the source of haret before I can use it on a smartphone?
Or is it because of smartphone security policies? Something about user mode and kernel mode in
WinCE?
I'm quite a nub, but I think I have to know what to read first before I start reading books. Any info or help is appreciated.
aybabtu said:
I ran the latest version 0.36 on my Mio8390, which is using a PXA262 processor
running Smartphone 2003.
When I started haret I got an error message:
EXCEPTION reading coprocessor 15 register 0
...
Any info or help is appreciated.
You can try to add this code to the assembler file
and call the functions directly. Worked for
me with wince2.11, where I also had problems:
export |cp15_0|
|cp15_0| proc
mrc p15, 0, r0, c0, c0, 0 ; CP15 c0: ID code register
mov pc, lr
endp
export |cp15_2|
|cp15_2| proc
mrc p15, 0, r0, c2, c0, 0 ; CP15 c2: translation table base
mov pc, lr
endp
export |cp15_13|
|cp15_13| proc
mrc p15, 0, r0, c13, c0, 0 ; CP15 c13: process ID (FCSE PID)
mov pc, lr
endp
aybabtu said:
I ran the latest version 0.36 on my Mio8390 which is using a PXA262 processor
running smartphone 2003.
Don't forget to post at least the 'dump gpio', FB address,
'dump mmu' and 'pd 0x41300004 4' here when
haret works
cr2 said:
... 'dump gpio', FB address,
'dump mmu' and 'pd 0x41300004 4'
Thank you for your help.
I signed the code with a privileged certificate; then 'dump gpio' and
the physical address dump worked.
Code:
#dump gpio :
GPIO# D S A INTER | GPIO# D S A INTER | GPIO# D S A INTER | GPIO# D S A INTER
------------------+-------------------+-------------------+------------------
0 I 0 0 FE | 21 I 0 0 | 42 I 1 1 | 63 I 1 0 FE
1 I 0 0 RE FE | 22 O 1 0 | 43 O 1 2 | 64 O 1 0
2 I 0 0 RE | 23 O 0 0 | 44 I 1 1 | 65 O 1 0
3 I 0 0 RE FE | 24 O 0 0 | 45 O 1 2 | 66 O 1 0
4 I 0 0 RE | 25 O 0 0 | 46 I 1 2 | 67 I 1 0 FE
5 I 1 0 FE | 26 I 1 0 | 47 O 1 1 | 68 I 1 0
6 O 0 1 | 27 I 1 0 | 48 I 1 0 | 69 I 0 0
7 I 1 0 | 28 I 1 1 | 49 O 1 2 | 70 I 1 0
8 O 1 1 | 29 I 0 1 | 50 O 1 0 | 71 I 1 0
9 I 1 0 | 30 O 0 2 | 51 O 0 0 | 72 I 1 0 FE
10 I 1 0 FE | 31 O 0 2 | 52 I 1 0 | 73 O 1 0
11 I 1 0 | 32 I 1 0 | 53 I 1 0 | 74 O 0 0
12 I 1 0 RE FE | 33 O 1 2 | 54 O 0 0 | 75 O 1 0
13 I 0 0 RE FE | 34 I 1 1 | 55 O 1 0 | 76 O 0 0
14 I 0 0 RE FE | 35 I 0 1 | 56 O 0 0 | 77 O 0 0
15 O 1 2 | 36 I 0 0 | 57 I 1 0 | 78 O 1 2
16 I 1 0 | 37 I 0 1 | 58 O 0 0 | 79 I 1 2
17 O 1 2 | 38 I 0 0 | 59 O 0 0 | 80 O 1 2
18 I 1 1 | 39 O 1 2 | 60 O 1 0 | 81 I 1 1
19 O 1 0 | 40 O 0 0 | 61 O 1 0 | 82 O 1 1
20 O 1 0 | 41 O 0 0 | 62 O 1 0 | 83 I 1 2
#pd 0x41300004 4 :
41300004 | 00017bef | .{..
(What is so special about these four bytes?)
Then I tried to apply your code, but I don't know where I should call those functions. I tried calling them right before cpuDetect(), or putting them inside cpu-pxa.cpp and calling them before cpuGetCP(); same effect.
The error message box doesn't show up, but there is no message in the WinCE-side console (detected CPU type);
then the same exception shows up when I telnet in and when I dump any cp other than cp0.
phrack #63 - Hacking Windows CE said:
...
; SetProcessorMode.s
AREA |.text|, CODE, ARM
EXPORT |SetProcessorMode|
|SetProcessorMode| PROC
mov r1, lr ; different modes use different lr - save it
msr cpsr_c, r0 ; assign control bits of CPSR
mov pc, r1 ; return
END
...
Most Pocket PC ROMs were built with the Enable Full Kernel Mode option, so all applications appear to run in kernel mode. The first 5 bits of the Psr register are 0x1F when debugging, which means the ARM processor runs in system mode. This value is defined in nkarm.h:
// ARM processor modes
#define USER_MODE 0x10 // 0b10000
#define FIQ_MODE 0x11 // 0b10001
#define IRQ_MODE 0x12 // 0b10010
#define SVC_MODE 0x13 // 0b10011
#define ABORT_MODE 0x17 // 0b10111
#define UNDEF_MODE 0x1b // 0b11011
#define SYSTEM_MODE 0x1f // 0b11111
...
I guess Smartphone is a little bit different from Pocket PC?
Oh, btw, I had to specify the address 0x81a00000 when I dumped the
ROM using itsme's pmemdump, so does it mean that 0x81a00000 is mapped to 0x0?
I'd better start reading the ARM reference manual.
aybabtu said:
(What is so special about these four bytes?)
This is a ClocKENable (CKEN) register, so you have:
LCD,I2C,ICP,MMC,USB,NSSP,I2S,BTUART,FFUART,STUART,
SSP,AC97,PWM1,PWM0
enabled.
Then I tried to apply your code, but I don't know where I should call those functions
Add them to the wince/asmstuff.asm file,
and modify the cpuGetCP function in
wince/s-cpu.cpp to
Code:
uint32 cpuGetCP (uint cp, uint regno)
{
  uint32 result = 0xffffffff;
  int ok = 0;

  if (cp > 15)
    return 0xffffffff;

  if (cp == 15)
  {
    /* CP15 is read through the fixed stubs added to asmstuff.asm; the
       mrc must execute in kernel mode with interrupts disabled. */
    ok = 1;
    SetKMode (TRUE);
    cli ();
    switch (regno)
    {
      case 0:  result = cp15_0 ();  break;
      case 2:  result = cp15_2 ();  break;
      case 13: result = cp15_13 (); break;
      default: ok = 0;              break;
    }
    sti ();
    SetKMode (FALSE);
    if (!ok)
      Output (L"Invalid register read cp=%d regno=%d\n", cp, regno);
    return result;
  }

  /* Other coprocessors: the original self-modifying mrc path, kept
     reachable for cp != 15. */
  uint32 value;
  selfmod [0] = 0xee100010 | (cp << 8) | (regno << 16);
  if (!FlushSelfMod ("read"))
    return 0xffffffff;
  __try
  {
    value = ((uint32 (*) ())&selfmod) ();
  }
  __except (EXCEPTION_EXECUTE_HANDLER)
  {
    Complain (C_ERROR ("EXCEPTION reading coprocessor %d register %d"), cp, regno);
    value = 0xffffffff;
  }
  return value;
}
Oh, btw, I had to specify the address 0x81a00000 when I dumped the
ROM using itsme's pmemdump, so does it mean that 0x81a00000 is mapped to 0x0?
Maybe, but how did you come to use this address?
The 'dump gpio' shows that the phone is not using the
builtin LCD pins. Then there must be a
video chipset in the phone. Interesting,
because even HTC is saving money on that.
I tried adding SetKMode to the original function; it worked without
calling your functions.
Would there be any possible problem?
Maybe, but how did you come to use this address?
Well, I got a leaked dumped-out ROM and tried to extract it with itsme's tool,
and I got something similar to these:
Code:
img 00000000 : hdr=81d5352c base=81a00000 commandlineoffset=81a00000
img 00640000 : hdr=82c40878 base=81a00000 commandlineoffset=81a00000
img 01300000 : hdr=82d02dd8 base=81a00000 commandlineoffset=81a00000
img 01380000 : hdr=8356d204 base=81a00000 commandlineoffset=81a00000
there must be a video chipset in the phone
There is a MediaQ MQ2100-JBE chipset inside; I'll look for info on this chipset later. And yes, this phone is interesting, low price for its high specification compared to other same-generation phones, but crappy customer service.
I'll post the result of dump mmu up to the point where it crashes a little bit later.
aybabtu said:
I tried adding SetKMode to the original function; it worked without
calling your functions.
Would there be any possible problem?
Unlikely.
Well I got a leaked dump
Then you can just lookup the static remapping
table.
There is a MediaQ MQ2100-JBE chipset inside; I'll look for info on this chipset later.
The datasheet is available here
www.handhelds.org/platforms/hp/ipaq-h22xx/mq-lcd-interface-appnote.pdf
And the mapping table dumped out using itsme's pmemmap:
Code:
v81a00000-83a00000 -> p00000000-02000000
v86000000-86100000 -> pe0000000-e0100000
v86100000-86200000 -> p48000000-48100000
v86200000-88200000 -> p40000000-42000000
v8c000000-8e000000 -> pa0000000-a2000000
v9a300000-9a400000 -> p04000000-04100000
v9c300000-9c400000 -> p08000000-08100000
v9f600000-9f700000 -> p0c000000-0c100000
v9f800000-9f900000 -> p14000000-14100000
I dumped it out and I can only tell that the first 32MB is my ROM data.
And much of the info you gave me I don't fully understand; guess I have to
read much more before I can think about running Linux on this phone,
at least I know what to read now.
On a side note, it jumps to 1000h at the beginning of the ROM like the other
WinCE devices, but starting from 1000h, the content matches the dumped-out
NK.exe kernel without the PE header(?).
Wasn't there supposed to be a 256K bootloader?
And at the end of the ROM, there are 2 copies of 256K code, in which I found
strings of the bootloader, and the second copy is 1 byte different from
the first one, 1:0x00 2:0x01, in the middle of the code.
I'm not sure whether this is a Mitac-only layout, just putting it here in case anyone
knows.
Oh, and there is an Atmel MEGA16L-8MI microcontroller inside;
I don't know what it exactly does, but I found strings related to it
in the 'bootloader portion'.
aybabtu said:
And the mapping table dumped out using itsme's pmemmap:
v81a00000-83a00000 -> p00000000-02000000
32MB ROM
v86000000-86100000 -> pe0000000-e0100000
Weird.
v86100000-86200000 -> p48000000-48100000
PXA26x Memory Controller
v86200000-88200000 -> p40000000-42000000
PXA26x Peripherals
v8c000000-8e000000 -> pa0000000-a2000000
32MB SDRAM
v9a300000-9a400000 -> p04000000-04100000
v9c300000-9c400000 -> p08000000-08100000
v9f600000-9f700000 -> p0c000000-0c100000
v9f800000-9f900000 -> p14000000-14100000
mmaped devices.
And much of the info you gave me I don't fully understand; guess I have to
read much more before I can think about running Linux on this phone
You can also dump/decode the registry and identify the
use of the serial ports.
Your GPIO table suggests that the PXA MMC
controller is used.
Looks good
aybabtu said:
Oh, and there is an Atmel MEGA16L-8MI microcontroller inside;
I don't know what it exactly does, but I found strings related to it
in the 'bootloader portion'.
Battery monitoring or something like that,
maybe keyboard controller.
aybabtu said:
On a side note, it jumps to 1000h at the beginning of the ROM like the other
WinCE devices, but starting from 1000h, the content matches the dumped-out
NK.exe kernel without the PE header(?).
Wasn't there supposed to be a 256K bootloader?
Not all WinCE devices have a bootloader,
wince2.11 and wince2005 on Universal for example.
You can also look with 'strings -el' for
other useful strings.
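The pmemmap table and cr2's annotations above, turned into an address-translation helper. This is an added example written for this thread, not code from haret, pmemmap or any poster; the table lines are the ones posted, the labels are cr2's, and the entry for the e0000000 window records cr2's guess rather than a verified fact. It answers aybabtu's question directly (v81a00000 is physical 0) and also locates the CKEN register read with 'pd 0x41300004' in the virtual map.

```python
"""Translate addresses through the static WinCE mapping table dumped with
itsme's pmemmap (line format: 'v<start>-<end> -> p<start>-<end>', hex)."""
import re

# The Mio8390 table exactly as posted in the thread.
PMEMMAP_TABLE = """
v81a00000-83a00000 -> p00000000-02000000
v86000000-86100000 -> pe0000000-e0100000
v86100000-86200000 -> p48000000-48100000
v86200000-88200000 -> p40000000-42000000
v8c000000-8e000000 -> pa0000000-a2000000
v9a300000-9a400000 -> p04000000-04100000
v9c300000-9c400000 -> p08000000-08100000
v9f600000-9f700000 -> p0c000000-0c100000
v9f800000-9f900000 -> p14000000-14100000
"""

# cr2's labels, keyed by physical start; anything else is "mmapped device".
LABELS = {
    0x00000000: "32MB ROM",
    0xe0000000: "flash window (cr2's guess: 16MB NAND)",
    0x48000000: "PXA26x memory controller",
    0x40000000: "PXA26x peripherals",
    0xa0000000: "32MB SDRAM",
}

LINE_RE = re.compile(
    r"^v([0-9a-f]{8})-([0-9a-f]{8})\s*->\s*p([0-9a-f]{8})-([0-9a-f]{8})$", re.I)


def parse_pmemmap(text):
    """Return a list of (virt_start, virt_end, phys_start) tuples.

    Raises ValueError on a malformed line or on a region whose virtual and
    physical sizes disagree, so a truncated or mangled dump is not silently
    accepted.
    """
    regions = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised pmemmap line: {line!r}")
        vs, ve, ps, pe = (int(x, 16) for x in m.groups())
        if ve <= vs or (ve - vs) != (pe - ps):
            raise ValueError(f"inconsistent region: {line!r}")
        regions.append((vs, ve, ps))
    return regions


def virt_to_phys(regions, va):
    """Physical address behind a kernel virtual address, or None if unmapped."""
    for vs, ve, ps in regions:
        if vs <= va < ve:
            return ps + (va - vs)
    return None


def phys_to_virt(regions, pa):
    """Kernel virtual alias of a physical address, or None if not in the table."""
    for vs, ve, ps in regions:
        if ps <= pa < ps + (ve - vs):
            return vs + (pa - ps)
    return None


def describe(regions, va):
    """One line for a virtual address: physical address, region size, label."""
    for vs, ve, ps in regions:
        if vs <= va < ve:
            size_mb = (ve - vs) // (1024 * 1024)
            label = LABELS.get(ps, "mmapped device")
            return f"v{va:08x} -> p{ps + (va - vs):08x} ({size_mb}MB region: {label})"
    return f"v{va:08x} is not in the static mapping table"


REGIONS = parse_pmemmap(PMEMMAP_TABLE)

if __name__ == "__main__":
    # Is v81a00000 really physical 0?  Yes: first line of the table.
    print(describe(REGIONS, 0x81a00000))
    # 'pd 0x41300004' is a physical address; this is its kernel virtual alias.
    print(describe(REGIONS, phys_to_virt(REGIONS, 0x41300004)))
```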
v86000000-86100000 -> pe0000000-e0100000
Weird.
Seems to be that 16MB PXA26X NAND Flash ROM
aybabtu said:
v86000000-86100000 -> pe0000000-e0100000
Weird.
Seems to be that 16MB PXA26X NAND Flash ROM
Built-in ? BTW, does this device support SD cards or only MMC ?
Built-in ? BTW, does this device support SD cards or only MMC ?
Built-in; it should be the M-System DiskOnChip MD3831-D16-V3Q18-T inside.
It supports both.
And this phone does not support Bluetooth, but the clock to BTUART is
enabled :?:
aybabtu said:
And this phone does not support Bluetooth, but the clock to BTUART is
enabled :?:
It is a normal UART, not blue at all; Himalaya
uses it for the serial cable.
That's not exactly the datasheet of
mq2100...
archive.org shows that this was available
for download.. oh well.
Put the list of all components and the known
information on the wiki. That can help other people.

SGS Service Menu

Not sure if it's been posted anywhere here (google didn't show anything) so I thought I'd post the service menus and my configuration. It may come in handy for someone, right?
Note that it's not all the menus but the most interesting ones at least.
Code:
*#197328640#
hhh = hexadecimal
nnn = decimal
MAIN MENU
[1] DEBUG SCREEN
[1] BASIC INFORMATION
UMTS : HOME(CS+PS)
RRC State: IDLE
WCDMA 2100 Band 1
Reg PLMN 240-2, IsPCS? 0
FREQ DL:10737
FREQ UL:9787
CELL_ID:0xhhhhhh <- Disappears when 3G is not available
LAC: 0xhhhh
PSC:hhh
RSCP:-94, ECIO:-5 <- Changing
[2] MM INFORMATION
MM state: IDLE
Reg state: INDEP_REGISTRATION
IMSI attatch status: 1
LU Rej: Norm=0, Period=13
T1312=11, Count=9
T32(10,11,12,13)=0010
T32(20,30,40)=000
Att Rej Cause=0
RAU Rej Cause=9
[3] RR INFORMATION
[4] NEIGHBOUR CELL
[5] GPRS INFORMATION
[6] SIM INFORMATION
[7] HANDOVER
[8] PHONE CONTROL
[9] ANTENNA/ADC
[2] VERSION INFO.
[1] SW VERSION
[1] READ IMEI
IMEI : nnnnnnnnnnnnnnnnn
[2] READ IMSI
"Don't Support it in GSM mobile!"
[3] READ SW VERSION
CP SW VERSION : I9000XXJF3
CP SW COMPILE DATE : Jun 3 20
CP SW COMPILE TIME : 11:25:05
[4] READ FTA SW VERSION
FTA SW VERSION : I9000.012
[5] READ ALL SW VERSION
CP SW VERSION : I9000XXJF3
HW VERSION : MP 0.800
FTA SW VERSION : I9000.012
FTA HW VERSION : REV1.2
RF CAL DATE : 2010.6.15
CSC CODE :
[6] READ CSC CODE
CP SW VERSION : I9000XXJF3
HW VERSION : MP 0.800
FTA SW VERSION : I9000.012
FTA HW VERSION : REV1.2
RF CAL DATE : 2010.6.15
CSC CODE :
[2] HW VERSION
[1] READ HW VERSION
HW VERSION : MP 0.800
[2] WRITE HW VERSION
NOT SUPPORTED
[3] READ FTA HW VERSION
FTA HW VERSION : REV1.2
[4] READ CAL DATE
CAL DATE : 2010.6.15
[5] WRITE CAL DATE
NOT SUPPORTED
[3] UMTS RF NV
[1] RF NV READ
NOT SUPPORTED
[2] RF NV WRITE
MENU NOT EXIST
PRESS BACK KEY
Current Command is 32
[4] GSM RF NV
[1] RF NV READ
NOT SUPPORTED
[2] RF NV WRITE
MENU NOT EXIST
PRESS BACK KEY
Current Command is 42
[5] AUDIO
[1] HANDSET
[1] Volume
[1]SRC Speech RX Volume
[0]0_lvl : 72
[1]1_lvl : 76
[2]2_lvl : 80
[3]3_lvl : 84
[4]4_lvl : 88
[5]5_lvl : 92
[2]DST I2S1 TX Volume
[0]0_lvl : 68
[1]1_lvl : 72
[2]2_lvl : 76
[3]3_lvl : 80
[4]4_lvl : 84
[5]5_lvl : 88
[3]SRC I2S1 RX Volume : 88
[4]DST Speech TX Volume : 88
[5]Sidetone : 0x0
[6]I2S1 Rx Gain : 0x1fff
[7]I2S1 Tx Gain : 0x2000
[2] HandsFree
[1]Gain Analog: 0x7fff
[2]NrCoeffs Real: 0x64
[3]NrCoeffs Complex 1: 0x64
[4]NrCoeffs Complex 2: 0x64
[5]LdAddGain: 0x0
[6]LdAddGainMax: 0x0
[7]LdAddGainMin: 0x1400
[3] NR
[1]UL NR
[1]AttenFactorMinVal : 0x1000
[2]OvEstFacBandZero : 0x2000
[3]OvEstFacBandNoZero : 0x2000
[2]DL NR
[1]AttenFactorMinVal : 0x1000
[2]OvEstFacBandZero : 0x1000
[3]OvEstFacBandNoZero : 0x1000
[4] DRP
[1]UL DRP
[1]Hi Band
[1]LA : -11520
[2]LB : -6144
[3]Gcomp : 0x0
[4]RinfA : 0x100
[5]RAB : 0x100
[6]RB0 : 0x100
[2]Low Band
[1]LA : -15360
[2]LB : -5120
[3]Gcomp : 0x0
[4]RinfA : 0x700
[5]RAB : 0x100
[6]RB0 : 0xb3
[2]DL DRP
[1]Hi Band
[1]LA : -11520
[2]LB : -6144
[3]Gcomp : 0x0
[4]RinfA : 0x100
[5]RAB : 0x100
[6]RB0 : 0x100
[2]Low Band
[1]LA : -16640
[2]LB : -5120
[3]Gcomp : 0x0
[4]RinfA : 0x700
[5]RAB : 0x100
[6]RB0 : 0x99
[5] SER
[1]beta : 31000
[2]overest : 700
[3]thplout : 70
[6] CNI
[1]Rx CNI gain : 20
[2]Tx CNI noise_gain : 16384
[3]Tx CNI noise_floor : 2048
[4]Tx CNI noise_gain_drp : 0
[9] Diamond Solution
[1]DYVE(OFF)
[1]DYVE OnOff : OFF
[2]mic_sensitivity : 5
[3]stepgain 1
[1]Step Gain 1 : 0
[2]Step Gain 2 : 0
[3]Step Gain 3 : 0
[4]Step Gain 4 : 0
[5]Step Gain 5 : 0
[4]stepgain 2
[1]StepGain 6 : 6
[2]StepGain 7 : 8
[3]StepGain 8 : 10
[4]StepGain 9 : 12
[5]StepGain 10 : 14
[6]StepGain 11 : 16
[5]clarity : 8
[6]noise_level : 0x800
[2]Swing Free(OFF)
[1]SF OnOff : OFF
[2]
[3]Voice Booster(OFF)
[1]VB OnOff : OFF
[2]hpf_cutoff : 4
[3]harmonic_level : 8192
[4]boostgain : 6
[5]limit_level : 21
[4]Acoustic Shock Free(OFF)
[1]ASF OnOff : OFF
[2]rms_mode : 2
[3]limit_level : 24
[5]Comport Noise Generator(OFF)
[1]CNG OnOff : OFF
[2]level : 1
[6]1Mic TX(OFF)
[1]1Mix TX OnOff : OFF
[2]Fir_Coeff Table
[1]fir_coeff 0 : 0xffffff49
[2]fir_coeff 1 : 0xfffffce6
[3]fir_coeff 2 : 0xfffffab3
[4]fir_coeff 3 : 0xfffffccb
[5]fir_coeff 4 : 0xfffff0e9
[6]fir_coeff 5 : 0xffffffc7
[7]fir_coeff 6 : 0x3e4a
[3]AEC Table 1
[1]rxmode_onoff : OFF
[2]delay_onoff : OFF
[3]delay : 0
[4]aec_onoff : OFF
[5]aec_rxgain : 0x200
[6]aec_mu : 0x0
[4]AEC Table 2
[1]dtrxg_onoff : OFF
[2]post_onoff : OFF
[3]post_min : 11
[4]post_gain : 11
[5]dtgc_onoff : OFF
[6]rxdet_onoff : OFF
[5]AEC Table 3
[1]rxdet_th_1st : -38
[2]rxdet_hangmax_1st : 6
[3]dtgc_gain_1st : 0x4000
[4]rxdet_th_2nd : -38
[5]rxdet_hangmax_2nd : 6
[6]dtgc_gain_2nd : 0x4000
[7]txdet_onoff : OFF
[6]NS Table 1
[1]iir_onoff: OFF
[2]ns_onoff : ON
[3]rxtx_agc_tbl : 13
[4]weight_ss_ns : 20
[5]ss_gain_ns : 11
[6]ns_gain_ns : 11
[7]NS Table 2
[1]tx_filter_onoff : ON
[2]tx_agc_onoff : ON
[3]in_txgain : 0x400
[4]out_txgain : 0xe40
[5]tx_cng_onoff : OFF
[6]noise_th_bits : 16
[2] HEADSET
[1] Volume
[1]SRC Speech RX Volume
[0]0_lvl : 75
[1]1_lvl : 78
[2]2_lvl : 81
[3]3_lvl : 84
[4]4_lvl : 87
[5]5_lvl : 90
[2]DST I2S1 TX Volume
[0]0_lvl : 75
[1]1_lvl : 78
[2]2_lvl : 81
[3]3_lvl : 84
[4]4_lvl : 87
[5]5_lvl : 90
[3]SRC I2S1 RX Volume : 100
[4]DST Speech TX Volume : 100
[5]Sidetone : 0x0
[6]I2S1 Rx Gain : 0x2d34
[7]I2S1 Tx Gain : 0x2000
[2] HandsFree
[1]Gain Analog: 0x7fff
[2]NrCoeffs Real: 0x32
[3]NrCoeffs Complex 1: 0x6e
[4]NrCoeffs Complex 2: 0x6e
[5]LdAddGain: 0x0
[6]LdAddGainMax: 0x0
[7]LdAddGainMin: 0xa8c
[3] NR
[1]UL NR
[1]AttenFactorMinVal : 0xfa0
[2]OvEstFacBandZero : 0xfa0
[3]OvEstFacBandNoZero : 0x1f40
[2]DL NR
[1]AttenFactorMinVal : 0x1000
[2]OvEstFacBandZero : 0x1000
[3]OvEstFacBandNoZero : 0x1000
[4] DRP
[1]UL DRP
[1]Hi Band
[1]LA : -11520
[2]LB : -6144
[3]Gcomp : 0x0
[4]RinfA : 0x100
[5]RAB : 0x100
[6]RB0 : 0x100
[2]Low Band
[1]LA : -15360
[2]LB : -7680
[3]Gcomp : 0xc00
[4]RinfA : 0x500
[5]RAB : 0x133
[6]RB0 : 0x80
[2]DL DRP
[1]Hi Band
[1]LA : -11520
[2]LB : -6144
[3]Gcomp : 0x0
[4]RinfA : 0x100
[5]RAB : 0x100
[6]RB0 : 0x100
[2]Low Band
[1]LA : -12800
[2]LB : -3840
[3]Gcomp : 0x0
[4]RinfA : 0x500
[5]RAB : 0x100
[6]RB0 : 0x0
[5] SER
[1]beta : 31000
[2]overest : 4000
[3]thploud : 70
[6] CNI
[1]Rx CNI gain : 20
[2]Tx CNI noise_gain : 0
[3]Tx CNI noise_floor : 0
[4]Tx CNI noise_gain_drp : 200
[9] Diamond Solution
[1]DYVE(OFF)
[1]DYVE OnOff : OFF
[2]mic_sensitivity : 5
[3]stepgain 1
[1]Step Gain 1 : 0
[2]Step Gain 2 : 0
[3]Step Gain 3 : 0
[4]Step Gain 4 : 0
[5]Step Gain 5 : 0
[4]stepgain 2
[1]StepGain 6 : 6
[2]StepGain 7 : 8
[3]StepGain 8 : 10
[4]StepGain 9 : 12
[5]StepGain 10 : 14
[6]StepGain 11 : 16
[5]clarity : 8
[6]noise_level : 0x800
[2]Swing Free(OFF)
[1]SF OnOff : OFF
[2]
[3]Voice Booster(OFF)
[1]VB OnOff : OFF
[2]hpf_cutoff : 4
[3]harmonic_level : 8192
[4]boostgain : 6
[5]limit_level : 21
[4]Acoustic Shock Free(OFF)
[1]ASF OnOff : OFF
[2]rms_mode : 2
[3]limit_level : 24
[5]Comport Noise Generator(OFF)
[1]CNG OnOff : OFF
[2]level : 1
[6]1Mic TX(OFF)
[1]1Mix TX OnOff : OFF
[2]Fir_Coeff Table
[1]fir_coeff 0 : 0xffffff49
[2]fir_coeff 1 : 0xfffffce6
[3]fir_coeff 2 : 0xfffffab3
[4]fir_coeff 3 : 0xfffffccb
[5]fir_coeff 4 : 0xfffff0e9
[6]fir_coeff 5 : 0xffffffc7
[7]fir_coeff 6 : 0x3e4a
[3]AEC Table 1
[1]rxmode_onoff : OFF
[2]delay_onoff : OFF
[3]delay : 0
[4]aec_onoff : OFF
[5]aec_rxgain : 0x200
[6]aec_mu : 0x0
[4]AEC Table 2
[1]dtrxg_onoff : OFF
[2]post_onoff : OFF
[3]post_min : 11
[4]post_gain : 11
[5]dtgc_onoff : OFF
[6]rxdet_onoff : OFF
[5]AEC Table 3
[1]rxdet_th_1st : -38
[2]rxdet_hangmax_1st : 6
[3]dtgc_gain_1st : 0x4000
[4]rxdet_th_2nd : -38
[5]rxdet_hangmax_2nd : 6
[6]dtgc_gain_2nd : 0x4000
[7]txdet_onoff : OFF
[6]NS Table 1
[1]iir_onoff: OFF
[2]ns_onoff : ON
[3]rxtx_agc_tbl : 13
[4]weight_ss_ns : 20
[5]ss_gain_ns : 11
[6]ns_gain_ns : 11
[7]NS Table 2
[1]tx_filter_onoff : OFF
[2]tx_agc_onoff : OFF
[3]in_txgain : 0x400
[4]out_txgain : 0xe40
[5]tx_cng_onoff : OFF
[6]noise_th_bits : 16
[3] SPEAKER
[4] BLUETOOTH
[5] HANDSET VT
[6] HEADSET VT
[7] SPEAKER VT
[8] BLUETOOTH VT
[6] COMMON
[1] FTM
[1] FTM : ON
NOT SUPPORTED
[2] FTM : OFF
NOT SUPPORTED
[2] DEBUG INFO
[1] MM REJECT CAUSE
CS Reg State: 0x0
CS Reg Reject Cause: 0x11
CS Net Reject Cause: 255
PS Reg State: 0x0
PS Reg Reject Cause: 0x11
PS Net Reject Cause: 255
[2] LOG DUMP
NOT SUPPORTED
[3] PCM LOGGING(OFF)
[1] Disable
[2] Enable
[3] RF SCANNING
[1] SETTING
[1] WCDMA THRESHOLD
[2] GSM THRESHOLD
MENU NOT EXIST
PRESS BACK KEY
Current Command is 63112
[3] RF SCANNING TIMER
[4] DISPLAY BAND[0~12]
[2] START RF SCANNING
[3] RESULT TO PC
[4] RESULT TO SCREEN
[4] DIAG CONFIG
[1] LOG VIA USB [*]
[2] LOG VIA UART
[3] LOG VIA IPC
[4] SPEED 115200 [*]
[5] SPEED 921600
[6] DBG MSG ON
[7] DBG MSG OFF [*]
[8] RAMDUMP ON
[9] RAMDUMP OFF [*]
[5] WCDMA/GSM SET CHANNEL
[6] NV REBUILD
[7] FACTORY TEST
[1] VBATT
[1] VBATT READ
[2] VBATT WRITE
[2] RTC
[3] AUDIO LOOPBACK
[4] GPRS SETTING
[5] AMR
[6] AUTO ANSWER
[7] SELLOUT SMS
[8] FM RADIO
[9] TOTAL CALL TIME
[8] FORCE SLEEP
[1] AP ONLY SLEEP
[2] CP ONLY LPM
[9] GPS
GPS MODULE IS IN AP SIDE
Great, this is exactly what I was looking for. Now can you tell me which setting under volume is the earpiece volume?
Is yours really that quiet?? man.. u deaf?
Ah, thanks for this. Some new tweaks to try...
BTW, does anybody know what "DIAMOND SOLUTION" means? There are some nice potential tweaks under that menu.
Anyone already know more about what all these settings do (or some explanation on the terms?).
Trying to find out if I can change something here to improve the audio part of the video recording.
Diamond solution is the settings the phone uses when a headphone is plugged in. It is essentially your music settings of the phone. Lots of tweaks exist in there and yes it has a HARDWARE EQUALIZER right in there. It's called "Fir_Coeff Table".
Nice
Thank you VERY MUCH for this listing antzen !
Did you grab it manually or using some tool ?
supercurio said:
Thank you VERY MUCH for this listing antzen !
Did you grab it manually or using some tool ?
I manually typed the whole thing... ;-)
More SGS service menu entries ...
Remembered that I'd not completed the documentation of this, and here's a bit more of the service menu. (I've updated the original post as well.)
I'm not sure if the changes I've made to the device have affected the service menu in any way, but bear in mind that this device is no longer 100% default as it was shipped. I've documented my changes here: endoid.wordpress.com/2010/08/08/my-sluggish-samsung-galaxy-s/ (could a moderator perhaps remove the URL restriction?)
Code:
[5] AUDIO
[2] HEADSET
[1] Volume
[1]SRC Speech RX Volume
[0]0_lvl : 75
[1]1_lvl : 78
[2]2_lvl : 81
[3]3_lvl : 84
[4]4_lvl : 87
[5]5_lvl : 90
[2]DST I2S1 TX Volume
[0]0_lvl : 75
[1]1_lvl : 78
[2]2_lvl : 81
[3]3_lvl : 84
[4]4_lvl : 87
[5]5_lvl : 90
[3]SRC I2S1 RX Volume : 100
[4]DST Speech TX Volume : 100
[5]Sidetone : 0x0
[6]I2S1 Rx Gain : 0x2d34
[7]I2S1 Tx Gain : 0x2000
[2] HandsFree
[1]Gain Analog: 0x7fff
[2]NrCoeffs Real: 0x32
[3]NrCoeffs Complex 1: 0x6e
[4]NrCoeffs Complex 2: 0x6e
[5]LdAddGain: 0x0
[6]LdAddGainMax: 0x0
[7]LdAddGainMin: 0xa8c
[3] NR
[1]UL NR
[1]AttenFactorMinVal : 0xfa0
[2]OvEstFacBandZero : 0xfa0
[3]OvEstFacBandNoZero : 0x1f40
[2]DL NR
[1]AttenFactorMinVal : 0x1000
[2]OvEstFacBandZero : 0x1000
[3]OvEstFacBandNoZero : 0x1000
[4] DRP
[1]UL DRP
[1]Hi Band
[1]LA : -11520
[2]LB : -6144
[3]Gcomp : 0x0
[4]RinfA : 0x100
[5]RAB : 0x100
[6]RB0 : 0x100
[2]Low Band
[1]LA : -15360
[2]LB : -7680
[3]Gcomp : 0xc00
[4]RinfA : 0x500
[5]RAB : 0x133
[6]RB0 : 0x80
[2]DL DRP
[1]Hi Band
[1]LA : -11520
[2]LB : -6144
[3]Gcomp : 0x0
[4]RinfA : 0x100
[5]RAB : 0x100
[6]RB0 : 0x100
[2]Low Band
[1]LA : -12800
[2]LB : -3840
[3]Gcomp : 0x0
[4]RinfA : 0x500
[5]RAB : 0x100
[6]RB0 : 0x0
[5] SER
[1]beta : 31000
[2]overest : 4000
[3]thploud : 70
[6] CNI
[1]Rx CNI gain : 20
[2]Tx CNI noise_gain : 0
[3]Tx CNI noise_floor : 0
[4]Tx CNI noise_gain_drp : 200
[9] Diamond Solution
[1]DYVE(OFF)
[1]DYVE OnOff : OFF
[2]mic_sensitivity : 5
[3]stepgain 1
[1]Step Gain 1 : 0
[2]Step Gain 2 : 0
[3]Step Gain 3 : 0
[4]Step Gain 4 : 0
[5]Step Gain 5 : 0
[4]stepgain 2
[1]StepGain 6 : 6
[2]StepGain 7 : 8
[3]StepGain 8 : 10
[4]StepGain 9 : 12
[5]StepGain 10 : 14
[6]StepGain 11 : 16
[5]clarity : 8
[6]noise_level : 0x800
[2]Swing Free(OFF)
[1]SF OnOff : OFF
[2]
[3]Voice Booster(OFF)
[1]VB OnOff : OFF
[2]hpf_cutoff : 4
[3]harmonic_level : 8192
[4]boostgain : 6
[5]limit_level : 21
[4]Acoustic Shock Free(OFF)
[1]ASF OnOff : OFF
[2]rms_mode : 2
[3]limit_level : 24
[5]Comport Noise Generator(OFF)
[1]CNG OnOff : OFF
[2]level : 1
[6]1Mic TX(OFF)
[1]1Mix TX OnOff : OFF
[2]Fir_Coeff Table
[1]fir_coeff 0 : 0xffffff49
[2]fir_coeff 1 : 0xfffffce6
[3]fir_coeff 2 : 0xfffffab3
[4]fir_coeff 3 : 0xfffffccb
[5]fir_coeff 4 : 0xfffff0e9
[6]fir_coeff 5 : 0xffffffc7
[7]fir_coeff 6 : 0x3e4a
[3]AEC Table 1
[1]rxmode_onoff : OFF
[2]delay_onoff : OFF
[3]delay : 0
[4]aec_onoff : OFF
[5]aec_rxgain : 0x200
[6]aec_mu : 0x0
[4]AEC Table 2
[1]dtrxg_onoff : OFF
[2]post_onoff : OFF
[3]post_min : 11
[4]post_gain : 11
[5]dtgc_onoff : OFF
[6]rxdet_onoff : OFF
[5]AEC Table 3
[1]rxdet_th_1st : -38
[2]rxdet_hangmax_1st : 6
[3]dtgc_gain_1st : 0x4000
[4]rxdet_th_2nd : -38
[5]rxdet_hangmax_2nd : 6
[6]dtgc_gain_2nd : 0x4000
[7]txdet_onoff : OFF
[6]NS Table 1
[1]iir_onoff: OFF
[2]ns_onoff : ON
[3]rxtx_agc_tbl : 13
[4]weight_ss_ns : 20
[5]ss_gain_ns : 11
[6]ns_gain_ns : 11
[7]NS Table 2
[1]tx_filter_onoff : OFF
[2]tx_agc_onoff : OFF
[3]in_txgain : 0x400
[4]out_txgain : 0xe40
[5]tx_cng_onoff : OFF
[6]noise_th_bits : 16
dagrim1 said:
Anyone already know more about what all these settings do (or some explanation on the terms?).
Trying to find out if I can change something here to improve the audio part of the video recording.
Same here... I'm interested in how to adjust the recording volume or to make the mic less sensitive.
Not sure whether tweaking some of these settings will enable both-side voice recording?
pmtan666 said:
Not sure whether tweaking some of these settings will enable both-side voice recording?
What do you mean by that? Full duplex? I am also interested in knowing that... I want to record my calls sometimes.
Also, as of now, I am desperately trying to ENABLE SERVICE MODE as it does not work in DDGJ4 firmware.
Can someone help?
EDIT: GOTCHA!
I found a way to get inside the service mode which does not work otherwise using the usual *#197328640# code. You could follow this on DDGJ4 to get inside:
Use the network info code *#0011#, you reach the below menu:
MAIN MENU
[1] DEBUG SCREEN
[1] BASIC INFORMATION
UMTS : HOME(CS+PS)
RRC State: IDLE
WCDMA 2100 Band 1
Reg PLMN 240-2, IsPCS? 0
FREQ DL:10737
FREQ UL:9787
CELL_ID:0xhhhhhh <- Disappears when 3G is not available
LAC: 0xhhhh
PSC:hhh
RSCP:-94, ECIO:-5 <- Changing
Now just hit the menu button, then back (twice) and voila! You are at the ServiceMode home page! Hope this helps.
Noticed there is no "Audio" menu and hence no "Diamond Solution" in ServiceMode. Seems there are no hardware sound tweaks on this firmware (good for me).
I'm also almost sure we could tweak audio recording with this section, but we need someone who knows which settings mean what; I've tried playing with some of them to no effect at all.
I think there's an app in the market with which you can easily access the service menu with a tap. Check it out.
Service mode DIAG CONFIG
What's the relevance of the SPEED 115200 and 921600? I changed mine to 921600 long ago and I don't think it matters. I know they're baud rates, but for what? Data or? I get the same data streams either way, so what's it for?
NV Rebuild
Has anyone tried this?
[6] COMMON
[6] NV REBUILD
I had some hope that this command would resolve my IMEI problem, but... no success.
I have JPC firmware. Has anyone with a 2.1 firmware tried it?
help phone app not producing sound via handset
So I went into the service menu and changed some things, and now my phone app doesn't work right... it is fine in speaker mode or with a headset attached, but by default it now produces no sound nor does it capture any sound.
I've tweaked gain and volume in the 5.1.1 menu to no avail...
So I was hoping I could understand more about what those menus do.
Am I correct in assuming that the phone app would use handset->volume for calls that use the built-in earpiece and speaker? What's partly puzzling to me is that sipdroid, using the same devices, works fine...
I also just generally don't know what a lot of the items are for (I didn't change any of the things I didn't know about, but it would be nice to have a clue).
NR, DRP, SER, and CNI are just acronyms to me. I assume NR is for noise reduction, but I have no idea what the others are...
Does anyone have a complete list of how it comes out of the box?
thanks...
-alan
same thing :S
@chekovma:
I'm suffering the same problem, did you happen to get your hands on a solution to this?
Does anyone have any feedback on how to solve this problem?
Any assistance would be appreciated.
-aehlayel
I dialed *#197328640# but nothing is happening. My SGS is NON-ROOTED
My FW Info:
PDA: I9000DDJP6
PHONE: I9000DDJP2
CSC: I9000ODDJP5
Build Info: 2010,11
My headset/earphones: only one speaker works
My headset/earphones: only one speaker out of 2 works, and at a very low volume. Can I use any service menu selections for this?

CM7 MAC Address Fix

I could not post directly in the development thread as I joined simply to share my solution. If anyone can confirm and prepare a better guide please post to CM7 thread by whistelstop.
You will need your factory mac address.
MAC addresses all being the same is due to the nvs_map.bin file required by the tiwlan driver. dmesg will tell you the driver is looking for it and defaulting the MAC address.
I am running CM7; mileage will vary on stock ROM.
http://www.omappedia.org/wiki/Porting_MCP_WLAN_to_Android#TxBiP_Calibration
I used the calibration instructions in terminal emulator on cm7 Kindle as "su"
#wlan_cu -b
# / w p 1 l 2 f 2
# / t b v 21
# / t b t 1 0 0 0 0 0 0 0
#/ q
New nvs_map.bin file will be created in /data/misc/wifi/
#cp /data/misc/wifi/nvs_map.bin /sdcard/nvs_map.bin
connect to linux/windows host copy file to pc
open with hex editor I used xvi32 for windows.
link to my source for instruction for byte order and editing.
http://processors.wiki.ti.com/index...ce_(CLI)_User's_Guide#Editing_the_MAC_Address
Short instructions:
Editing the MAC Address
After the TX BIP runs, there is a new file called nvs_map.bin in Linux that contains the MAC address and the calibration data. The document SWAA044_NVS_INI_File_Functions_AN.pdf contains the format of the NVS file. If MAC address fields are manually edited with a hex editor, the byte order should be low byte first, followed by the high byte:
MAC address low register (offset 0x01 to 0x02)
MAC address LSB (offset 0x3 to 0x06)
MAC address high register (offset 0x08 to 0x09)
MAC address MSB (offset 0x0A to 0x0D)
The MAC address LSB and MAC address MSB, respectively, are shown in bold in the
following code for 08:00:28:12:34:56:
0000: 01 6d 54 56 34 12 28 01 71 54 00 08
For 11:22:33:44:55:66:
0000: 01 6d 54 66 55 44 33 01 71 54 22 11 00 00
Using a hex editor, you should change the bold numbers to the MAC address you
want to use.
Be careful about byte order and look closely at examples.
Good Luck
Please confirm instructions yourself and use at your own risk
Just tried that and it worked beautifully!
Thanks for that - great find!
TheKid2 said:
I could not post directly in the development thread as I joined simply to share my solution. If anyone can confirm and prepare a better guide please post to CM7 thread by whistelstop.
You will need your factory mac address.
MAC addresses all being the same is due to the nvs_map.bin file required by the tiwlan driver. dmesg will tell you the driver is looking for it and defaulting the MAC address.
I am running CM7; mileage will vary on stock ROM.
As I can not post links you will need to google my text and find correct link (noob)
maybe a moderator can fix for me.
######.omappedia.org/wiki/Porting_MCP_WLAN_to_Android#TxBiP_Calibration
I used the calibration instructions in terminal as "su"
#wlan_cu -b
# / w p 1 l 2 f 2
# / t b v 21
# / t b t 1 0 0 0 0 0 0 0
#/ q
New nvs_map.bin file will be created in /data/misc/wifi/
#cp /data/misc/wifi/nvs_map.bin /sdcard/nvs_map.bin
connect to linux/windows host copy file to pc
open with hex editor I used xvi32 for windows.
link to my source for instruction for byte order and editing.
##processors.wiki.ti.com/index.php/OMAP35x_Wireless_Connectivity_WL1271_Command_Line_Interface_(CLI)_User%27s_Guide#Editing_the_MAC_Address
Short instructions:
Editing the MAC Address
After the TX BIP runs, there is a new file called nvs_map.bin in Linux that contains the MAC address and the calibration data. The document SWAA044_NVS_INI_File_Functions_AN.pdf contains the format of the NVS file. If MAC address fields are manually edited with a hex editor, the byte order should be low byte first, followed by the high byte:
MAC address low register (offset 0x01 to 0x02)
MAC address LSB (offset 0x3 to 0x06)
MAC address high register (offset 0x08 to 0x09)
MAC address MSB (offset 0x0A to 0x0D)
The MAC address LSB and MAC address MSB, respectively, are shown in bold in the
following code for 08:00:28:12:34:56:
0000: 01 6d 54 56 34 12 28 01 71 54 00 08
For 11:22:33:44:55:66:
0000: 01 6d 54 66 55 44 33 01 71 54 22 11 00 00
Using a hex editor, you should change the bold numbers to the MAC address you
want to use.
Be careful about byte order and look closely at examples.
Good Luck
Please confirm instructions yourself and use at your own risk
I'll verify tomorrow. Thanks for taking the time to help run this to ground and get a workaround.
** Deleted **
For new driver only ....
so next cm7 build will get the fix
right?
As it was my first post forum would not allow me to post links I am hoping someone will clean up solution and add to development thread.
whistlestop said:
I'll verify tomorrow. Thanks for taking the time to help run this to ground and get a workaround.
Love this ROM. I have four of these running on my router now with original factory MAC addresses. Thank you for your work. I know from personal experience hours and hours can just disappear when you get involved with a project of this type.
Is there a way to get the factory MAC address while still in CM7 or do I have to load the stock ROM to get it and then go back to CM7?
I have not found a method other than loading stock software back on the device.
If you only have one kindle on your network you most likely will never have a problem.
If you had more than one running cm7 you could have router issues as they all were reporting same mac address. You will not have any issues unless another cm7 kindle shows up on the same wireless access point as yours.
Unless you have a router log or something with your former MAC address, I think you have to reload stock to find it. That's what I did anyway.
Thanks to the OP for posting this; worked like a charm!
direct editing
could we use a hex editor to change the local file on the kindle?
I spotted one at the market place, and combined with SU privileges it might get the job done.
jfb9301 said:
could we use a hex editor to change the local file on the kindle?
I spotted one at the market place, and combined with SU privileges it might get the job done.
Any hex editor should work. I am so used to using a laptop, still adjusting to the touch keyboard.
Hopefully better instructions
Having just stumbled through the OP's instructions (hats off to the OP for finding this), successfully I might add, I thought I'd write up a hopefully clearer method of achieving this.
As I have had difficulty with the adb.exe command (connection issues, probably from a dodgy connection if I have too many USB devices plugged in) I chose to use applications local to my Kindle itself for as much as I could.
Apps:
adb.exe (the one that came with Kindle_Fire_Utility worked for me) grab a copy of this useful tool here kindle fire utility thread
Root explorer from the android market android market link
HexEditor android market link
Kindle fire
Computer
Data:
Your original MAC address - this might suck to get, as you will have to get it from your Kindle booted to stock Kindle Fire firmware. I had installed CM7 using TWRP, so I booted to TWRP, did a backup of my current CM7 OS, did a restore to the KF OS, booted to stock (rooted), opened up Settings/Device and nabbed that pesky MAC address, rebooted to TWRP, restored CM7.
Instructions:
connect KF to computer
open the computers start menu and select run, type CMD in the box
navigate to kindle_fire_utility/tools
type command: adb shell
adb should open and start communication with your Kindle
within the shell you have to type the following (be mindful of the spaces as they are important, ignore the #s as they are to make this post put the spaces in):
#wlan_cu -b
# / w p 1 l 2 f 2
# / t b v 21
# / t b t 1 0 0 0 0 0 0 0
#/ q
now use ctrl-c to end ADB, and command:
exit
to close cmd, you are done with windows.
now the kindle part...
open root explorer
/data/misc/wifi
select nvs_map.bin and copy to the sdcard, I made two copies and named the second nvs_map.bin.bak just in case things got screwed from this point on.
exit root explorer
open HexEditor
open /sdcard/nvs_map.bin and change the digits in the very first line of the file
(example from OPs post)
following code for 08:00:28:12:34:56:
0000: 01 6d 54 56 34 12 28 01 71 54 00 08 00 00
For 11:22:33:44:55:66:
0000: 01 6d 54 66 55 44 33 01 71 54 22 11 00 00
save the file
use root explorer to copy it back to /data/misc/wifi
long press the file and set permissions to RW-RW-RW-
Reboot.....
Done
---------- Post added at 04:09 PM ---------- Previous post was at 03:11 PM ----------
I confirmed the MAC address using my wifi router (DD-WRT is awesome).
Does anyone know a way to get CM7 to cough up the kindles MAC address?
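The hex-editor step in the walkthrough above, and the offsets and byte order that TheKid2's post quotes from the TI guide, can be done and checked in a few lines instead of by eye. The following is an added example, not code from either post or from TI: it reads the MAC back out of the first 14 bytes of nvs_map.bin, refuses to touch a file whose two register-address markers (6d 54 and 71 54) are not where the guide says, and writes a new address in the same low-byte-first order, keeping a .bak copy as the walkthrough suggests. The sample bytes are constructed from the two examples in the posts; that bytes 0x0C-0x0D stay 00 00 and that everything after the header (the calibration data) must be preserved are assumptions taken from those examples.

```python
# Added example (not TheKid2's, jfb9301's or TI's code): read and rewrite the MAC
# address stored in the first bytes of a TI wl1271 nvs_map.bin, following the
# byte layout the posts quote. Assumed: the layout below holds for the file you
# have; bytes after the header (calibration data) are left untouched.
import re
import sys

# Offsets from the posts; each register value is stored low byte first.
LOW_REG_OFFSET = 0x01    # 2 bytes: register address for the low MAC half (6d 54)
MAC_LSB_OFFSET = 0x03    # 4 bytes: the four low octets of the MAC, reversed
HIGH_REG_OFFSET = 0x08   # 2 bytes: register address for the high MAC half (71 54)
MAC_MSB_OFFSET = 0x0A    # 2 bytes: the two high octets, reversed (0x0C-0x0D stay 00 00)
HEADER_LEN = 0x0E

LOW_REG_MARK = b"\x6d\x54"
HIGH_REG_MARK = b"\x71\x54"
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}$")

# Constructed from the 08:00:28:12:34:56 example in the posts (header bytes only).
SAMPLE_NVS = bytes.fromhex("01 6d 54 56 34 12 28 01 71 54 00 08 00 00")


def parse_mac(mac: str) -> bytes:
    """'08:00:28:12:34:56' -> six bytes in network order; rejects anything else."""
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(mac.replace(":", ""))


def check_header(nvs: bytes) -> None:
    """Refuse to touch a file whose register markers are not where the guide says."""
    if len(nvs) < HEADER_LEN:
        raise ValueError("file too short to hold the MAC header")
    if (nvs[LOW_REG_OFFSET:LOW_REG_OFFSET + 2] != LOW_REG_MARK
            or nvs[HIGH_REG_OFFSET:HIGH_REG_OFFSET + 2] != HIGH_REG_MARK):
        raise ValueError("unexpected header: register markers 6d 54 / 71 54 not found")


def read_mac(nvs: bytes) -> str:
    """Return the stored MAC as aa:bb:cc:dd:ee:ff."""
    check_header(nvs)
    low = nvs[MAC_LSB_OFFSET:MAC_LSB_OFFSET + 4][::-1]    # undo low-byte-first order
    high = nvs[MAC_MSB_OFFSET:MAC_MSB_OFFSET + 2][::-1]
    return ":".join(f"{b:02x}" for b in high + low)


def set_mac(nvs: bytes, mac: str) -> bytes:
    """Return a copy of the file with the MAC replaced; nothing else changes."""
    check_header(nvs)
    octets = parse_mac(mac)
    out = bytearray(nvs)
    out[MAC_MSB_OFFSET:MAC_MSB_OFFSET + 2] = octets[:2][::-1]   # 11 22 -> 22 11
    out[MAC_LSB_OFFSET:MAC_LSB_OFFSET + 4] = octets[2:][::-1]   # 33 44 55 66 -> 66 55 44 33
    return bytes(out)


def rewrite_file(path: str, mac: str) -> str:
    """Back the file up to <path>.bak, write the new MAC, return the old one."""
    with open(path, "rb") as f:
        data = f.read()
    with open(path + ".bak", "wb") as f:
        f.write(data)
    with open(path, "wb") as f:
        f.write(set_mac(data, mac))
    return read_mac(data)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: nvs_mac.py <nvs_map.bin> <aa:bb:cc:dd:ee:ff>")
    print("old MAC:", rewrite_file(sys.argv[1], sys.argv[2]))
```

Run it against the copy on the sdcard (the script name nvs_mac.py is my own), then copy the result back to /data/misc/wifi and fix permissions as described above; the header check is what stops you from writing the address into the wrong bytes if the file you got is not laid out like the examples.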
I'm having some difficulties with these instructions. I've tried with the WiFi setting from CM7 on and off, and also with the full instructions from the omappedia.org site, and it's still not working. A quick Google didn't come up with anything.
This is my output (from an ADB shell, obviously):
Code:
# insmod /system/etc/wifi/tiwlan_drv.ko
# start wlan_loader
# ifconfig tiwlan0 up
# wlan_cu -b
ERROR - IpcWpa_Sockets_Open - can't connect the socket
******************************************************
Connection to supplicant failed
******************************************************
ERROR - IPC_STA_Private_Send - error sending Wext private IOCTL to STA driver (ioctl_cmd = 800003, res = -1, errno = 19)
ERROR - driver is not in RUNNING state!
user_main, start
\> Driver/, Connection/, Management/, Show/, Privacy/, scAn/, roaminG/, qOs/, poWer/, eVents/, Bt coexsistance/, Report/, dEbug/, biT/, aboUt, Quit
/ D S
\> Driver/, Connection/, Management/, Show/, Privacy/, scAn/, roaminG/, qOs/, poWer/, eVents/, Bt coexsistance/, Report/, dEbug/, biT/, aboUt, Quit
.../Driver> Start, sTop, stAtus
ERROR - IPC_STA_Private_Send - error sending Wext private IOCTL to STA driver (ioctl_cmd = 8000001, res = -1, errno = 19)
ERROR - Failed to start driver!
I have tried it with and without the first three lines (going straight to wlan_cu -b), and the / D S line is an unsuccessful attempt to start the driver. An attempt to just push through all the commands gives an error message with every line, and does not create the nvs_map.bin file.
Anyone have any ideas?
I had wifi on, and did not run the first 3 commands. No thoughts beyond that.
For reference, I am on the latest CM7 with the updated video stuff by wistlestop (I think)
csyria6919 & jfb9301,
I can confirm, you'll get the errors csyria6919 gets with WiFi OFF - turn on Wifi on the KF and then the ADB commands work without errors.
VERY NICE Fix - +1 thanks to TheKid2!
~J
csyria6919 said:
I'm having some difficulties with these instructions. I've tried with the WiFi setting from CM7 on and off, and also with the full instructions from the omappedia.org site, and it's still not working. A quick Google didn't come up with anything.
This is my output (from an ADB shell, obviously):
Code:
# insmod /system/etc/wifi/tiwlan_drv.ko
# start wlan_loader
# ifconfig tiwlan0 up
# wlan_cu -b
ERROR - IpcWpa_Sockets_Open - can't connect the socket
******************************************************
Connection to supplicant failed
******************************************************
ERROR - IPC_STA_Private_Send - error sending Wext private IOCTL to STA driver (ioctl_cmd = 800003, res = -1, errno = 19)
ERROR - driver is not in RUNNING state!
user_main, start
\> Driver/, Connection/, Management/, Show/, Privacy/, scAn/, roaminG/, qOs/, poWer/, eVents/, Bt coexsistance/, Report/, dEbug/, biT/, aboUt, Quit
/ D S
\> Driver/, Connection/, Management/, Show/, Privacy/, scAn/, roaminG/, qOs/, poWer/, eVents/, Bt coexsistance/, Report/, dEbug/, biT/, aboUt, Quit
.../Driver> Start, sTop, stAtus
ERROR - IPC_STA_Private_Send - error sending Wext private IOCTL to STA driver (ioctl_cmd = 8000001, res = -1, errno = 19)
ERROR - Failed to start driver!
I have tried it with and without the first three lines (going straight to wlan_cu -b), and the / D S line is an unsuccessful attempt to start the driver. An attempt to just push through all the commands gives an error message with every line, and does not create the nvs_map.bin file.
Anyone have any ideas?
Hi,
I only used the docs as reference. Wifi should be turned on on the Kindle. I issued all commands from a terminal emulator running on the Kindle. Hope you have found a solution that works for you. Also, there are spaces between just about every letter in the commands.
Let us know if you were successful.
Hello,
I am hearing about a CPU utilization issue in another thread: http://forum.xda-developers.com/showthread.php?t=1411895
Can anyone running CM7 and using the nvs_map file check utilization while connected to a secure network? My installation is not exhibiting the CPU behavior stuck at 1008 that is being described. Wondering if using the calibration file is actually improving performance.
As a side note, the same file can be used in the current build of ICS they are developing in that thread.
The CPU scaling issue does not show up on an unsecured network. Need a few people to sound off here to determine if my Kindles are the only ones not having the scaling issue.
Thanks
Is there somewhere in CM7 to check CPU utilization? I looked everywhere and ended up downloading a task manager from the market. Seems like a task manager and performance monitor should be in there somewhere. I am sure I am overlooking something simple.
Thanks
TheKid2 said:
Is there somewhere in cm7 to check cpu utilization, I looked everywhere ended up downloading task manager from market. Seems like task manager, and performance monitor should be in there somewhere. I am sure I am overlooking something simple.
Thanks
I used your guide, got CM7 on my device and will check that once I get home.
To check CPU utilization I'd recommend CPU Spy https://market.android.com/details?id=com.bvalosek.cpuspy

[Q] touch screen not responding only when sd card is present

Hi all,
I have a problem with my Defy: without a fall or update, the touch screen stopped responding.
After some resets & SBF flashing I've noticed that the touch screen is OK only when there is no sdcard.
I've tried other sdcards with no more success.
The sdcard is readable, I can access with adb.
Clockworkmod access the sdcard too.
With sdcard dmesg :
qtouch_force_reset: Forcing HW reset
Unable to get gpio pin num for touch_pwr_enq
touch_write: Error while trying to write 2 bytes
qtouch_set_addr: Can't send obp addr 0x 0
qtouch_process_info_block: Cannot read info object block
qtouch_ts_probe:Cannot read info block -121, checking for bootloader mode.
Without sdcard :
qtouch_force_reset: Forcing HW reset
Unable to get gpio pin num for touch_pwr_en
qtouch_process_info_block: Build version is 0x10
qtouch_process_info_block: Object 5 @ 0x00f2 (9) insts 1 rep_ids 0
qtouch_process_info_block: Object 6 @ 0x00fb (6) insts 1 rep_ids 1
qtouch_process_info_block: Object 38 @ 0x0101 (8) insts 1 rep_ids 0
(...)
Can it be a HW problem ?
What do you think I can do ?
Questions go in the Q&A section
CharlyBrok said:
Hi all,
I have a problem with my Defy: without a fall or update, the touch screen stopped responding.
After some resets & SBF flashing I've noticed that the touch screen is OK only when there is no sdcard.
I've tried other sdcards with no more success.
The sdcard is readable, I can access with adb.
Clockworkmod access the sdcard too.
With sdcard dmesg :
qtouch_force_reset: Forcing HW reset
Unable to get gpio pin num for touch_pwr_enq
touch_write: Error while trying to write 2 bytes
qtouch_set_addr: Can't send obp addr 0x 0
qtouch_process_info_block: Cannot read info object block
qtouch_ts_probe:Cannot read info block -121, checking for bootloader mode.
Without sdcard :
qtouch_force_reset: Forcing HW reset
Unable to get gpio pin num for touch_pwr_en
qtouch_process_info_block: Build version is 0x10
qtouch_process_info_block: Object 5 @ 0x00f2 (9) insts 1 rep_ids 0
qtouch_process_info_block: Object 6 @ 0x00fb (6) insts 1 rep_ids 1
qtouch_process_info_block: Object 38 @ 0x0101 (8) insts 1 rep_ids 0
(...)
Can it be a HW problem ?
What do you think I can do ?
AFAIK, it is HW related..
Best choice, get it to the SC..
Maybe I'll try to change the digitizer (20€ on ebay).
Warranty period is finished.
I want more logs.
The goal is to enable debug logging in qtouch_obp_ts.
I put in /system/etc/init.d/77debug:
echo 0xFF > /sys/module/qtouch_obp_ts/parameters/tsdebug
But no change at all...
What I am doing wrong ?
Sent from my A500 using Tapatalk

[GUIDE] USB Uart on Galaxy S devices [2012/09/25]

== General Info ==
Hello, and welcome to my usb uart guide - aka, how to totally f' your phone up, if you don't think first!
Really though, read everything before attempting anything!
USB UART is not new news. There are many great people who have come before me to make what I am documenting here possible. But I am putting this here because I keep getting PM'd for help with USB UART, and figured it would be good to start a thread that documents what you need and how to get going.
So up front, I need to list some credits.
I gained a lot of knowledge from these people:
TheBeano - Fun with resistors (home/car dock mode + more)
UberPenguin - Galaxy S UART JIG & Debugging Connector
AdamOutler - UART Output / Bootloader Hacking / Kernel Debugging
E:V:A - The Samsung Anyway Jig
I'm sure there is more... let me know if you think you need to be in this list. I'll be happy to update it!
== WARNING ==
I am not responsible for anything you do to your device! If you follow my guide and it results from anything like your phone not working or ending the world, I cannot be held accountable for what you do!
This guide will show you how to use the usb uart on most galaxy s phones (with the FSA9480 USB port accessory detector and switch)
It helps to have Unbrickable Mod. There are some commands you can run from the SBL that will wipe your bootloaders!
You must be VERY CAREFUL!
== Requirements ==
First off, you will need some hardware to connect to your computer. Below is a list of things I use; they are common and cheap. The links to the items below are what I have. It's what works for me.
mini-usb cable - http://www.sparkfun.com/products/598
bus pirate or arduino (I only cover bus pirate here... for now.) - http://www.seeedstudio.com/depot/bus-pirate-v3-assembled-p-609.html?cPath=174
In my guide i use the bus pirate probe kit - http://www.seeedstudio.com/depot/bus-pirate-probe-kit-p-526.html?cPath=178_180
I used a tape printer to label the test clips.
breadboard (optional, if you rather just solder the resistor to the micro-usb break-out board. more later...) - http://www.sparkfun.com/products/112
USB MicroB Plug Breakout Board - http://www.sparkfun.com/products/10031
some jumper wire - http://www.sparkfun.com/products/124
150k, 523k, 619k resistor (ymmv. AdamOutler and others told me to try 523k or 619k, but I was able to get all the output I need with 150k)
guts - priceless
Also, I use minicom on Linux and Mac OS X (use homebrew to install minicom), but you should be able to use any serial console program you like (i.e. kermit, cu, etc...)
I highly suggest getting to know your bus pirate, but this guide assumes you have read manuals and updated firmware. Any of the other uart modes should also work this way, but I currently don't cover that here... yet.
== Getting Started ==
When we connect to the USB port on the Bus Pirate (bp), you can find the version info by typing i at the high impedance mode (HiZ>) prompt. Change to this mode whenever you're modifying connections or cable arrangements.
Code:
HiZ>i
Bus Pirate v3b
Firmware v6.0 r1625 Bootloader v4.4
DEVID:0x0447 REVID:0x3043 (24FJ64GA002 B5)
http://dangerousprototypes.com
Disconnect the bp and let's connect everything from the micro USB port connecting to your phone backwards to the bp. I use a breadboard for things that I might work on later or things I'll re-arrange a lot. You may also decide to solder the resistor directly to the GND/ID pins, but you will need a little lead on the GND. Connect MOSI to D+ and MISO to D-.
Another warning!
You can also fry the ftdi on the bus pirate, if you mess with the connections while the bus pirate is in any mode besides HiZ (Hi Impedance) or unplugged. Usually, I'm in uart bridge mode, so you can't go back to HiZ. You just have to unplug the usb cable.
Solder some jumper wire to the micro usb breakout board. I use about an inch.
I usually start at a1 on the breadboard with vcc and a4 and a5 for ID and GND (respectively). In these images, I'm at the opposite end of the board to make it easier to have the phone next to and above my mouse so it is easy for me to work with the phone.
Put the resistor on b4 and b5 - which is where I connect GND on the bp.
Now that you have the bp connected to the circuit, let's move forward and plug the micro USB cable into the bp and then into your computer.
To change into UART mode on the buspirate, type 'm' at the HiZ> prompt:
Code:
HiZ>m
1. HiZ
2. 1-WIRE
3. UART
4. I2C
5. SPI
6. 2WIRE
7. 3WIRE
8. LCD
x. exit(without change)
(1)>3
Set serial port speed: (bps)
1. 300
2. 1200
3. 2400
4. 4800
5. 9600
6. 19200
7. 38400
8. 57600
9. 115200
10. BRG raw value
(1)>9
Data bits and parity:
1. 8, NONE *default
2. 8, EVEN
3. 8, ODD
4. 9, NONE
(1)>1
Stop bits:
1. 1 *default
2. 2
(1)>1
Receive polarity:
1. Idle 1 *default
2. Idle 0
(1)>1
Select output type:
1. Open drain (H=Hi-Z, L=GND)
2. Normal (H=3.3V, L=GND)
(1)>2
Ready
UART>(3)
UART bridge
Reset to exit
Are you sure? y
After you get into UART Bridge mode, you will have to unplug the usb port from your computer to reset the bus pirate.
This is where experimenting with different resistors on the GND/ID pins make a difference. Using 619k resistance, I just plug the phone in and it boots up. During boot up, I can see the PBL output like the output you will see in the rest of this document. Using 150k resistance, the phone doesn't automatically turn on.
Also, you may have different usability of the console depending on if you set the output type to Open drain or Normal drain.
With Open drain, I am able to see the uart output, but I am not able to break into the SBL prompt like I am with Normal drain.
Interestingly, with 619k on my SGH-T959V, I don't see all of the kernel console output. I still haven't figured out exactly why yet. With 150k resistance, I don't see the PBL output, but I can still break into the SBL prompt (with normal drain) and get full kernel console output.
When you get to this point, the mode light should now be green. When you plug your phone into the micro USB adapter (again 619k in these examples), you should see everything from the PBL into the kernel starting:
Code:
1
-----------------------------------------------------------
Samsung Primitive Bootloader (PBL) v3.0
Copyright (C) Samsung Electronics Co., Ltd. 2006-2010
-----------------------------------------------------------
+n1stVPN 2688
+nPgsPerBlk 64
+n1stVPN 3008
+nPgsPerBlk 64
PBL found bootable SBL: Partition(4).
Set cpu clk. from 400MHz to 800MHz.
OM=0x29, device=OnenandMux(Audi)
IROM e-fused - Non Secure Boot Version.
-----------------------------------------------------------
Samsung Secondary Bootloader (SBL) v3.0
Copyright (C) Samsung Electronics Co., Ltd. 2006-2010
Board Name: ARIES REV 03
Build On: Oct 28 2011 15:45:50
-----------------------------------------------------------
Re_partition: magic code(0x0)
[PAM: ] ++FSR_PAM_Init
[PAM: ] OneNAND physical base address : 0xb0000000
[PAM: ] OneNAND virtual base address : 0xb0000000
[PAM: ] OneNAND nMID=0xec : nDID=0x60
[PAM: ] --FSR_PAM_Init
fsr_bml_load_partition: pi->nNumOfPartEntry = 12
partitions loading success
board partition information update.. source: 0x0
.Done.
read 1 units.
==== PARTITION INFORMATION ====
ID : IBL+PBL (0x0)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 0
NO_UNITS : 1
===============================
ID : PIT (0x1)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 1
NO_UNITS : 1
===============================
ID : EFS (0x14)
ATTR : RW STL SLC (0x1101)
FIRST_UNIT : 2
NO_UNITS : 40
===============================
ID : SBL (0x3)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 42
NO_UNITS : 5
===============================
ID : SBL2 (0x4)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 47
NO_UNITS : 5
===============================
ID : PARAM (0x15)
ATTR : RW STL SLC (0x1101)
FIRST_UNIT : 52
NO_UNITS : 20
===============================
ID : KERNEL (0x6)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 72
NO_UNITS : 30
===============================
ID : RECOVERY (0x7)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 102
NO_UNITS : 30
===============================
ID : FACTORYFS (0x16)
ATTR : RW STL SLC (0x1101)
FIRST_UNIT : 132
NO_UNITS : 1540
===============================
ID : DATAFS (0x17)
ATTR : RW STL SLC (0x1101)
FIRST_UNIT : 1672
NO_UNITS : 2120
===============================
ID : CACHE (0x18)
ATTR : RW STL SLC (0x1101)
FIRST_UNIT : 3792
NO_UNITS : 160
===============================
ID : MODEM (0xb)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 3952
NO_UNITS : 60
===============================
loke_init: j4fs_open success..
load_lfs_parameters valid magic code and version.
reading nps status file is successfully!.
nps status=0x504d4f43
load_debug_level reading debug level from file successfully(0x574f4c44).
init_fuel_gauge: vcell = 4013mV, soc = 86
check_quick_start_condition- Voltage: 4013.75000, Linearized[74/89/100], Capacity: 89
init_fuel_gauge: vcell = 4013mV, soc = 86, rcomp = d000
reading nps status file is successfully!.
nps status=0x504d4f43
PMIC_IRQ1 = 0x20
PMIC_IRQ2 = 0x0
PMIC_IRQ3 = 0x0
PMIC_IRQ4 = 0x0
PMIC_STATUS1 = 0x40
PMIC_STATUS2 = 0x0
get_debug_level current debug level is 0x574f4c44.
aries_process_platform: Debug Level Low
keypad_scan: key value ----------------->= 0x0
CONFIG_ARIES_REV:48 , CONFIG_ARIES_REV03:48
check_download: micorusb_status1 = 400, key_value = 0
aries_process_platform: final s1 booting mode = 0
DISPLAY_PATH_SEL[MDNIE 0x1]is on
MDNIE setting Init start!!
vsync interrupt is off
video interrupt is off
[fb0] turn on
MDNIE setting Init end!!
Autoboot (0 seconds) in progress, press any key to stop
get_debug_level current debug level is 0x574f4c44.
get_debug_level current debug level is 0x574f4c44.
boot_kernel: Debug Level Low
FOTA Check Bit
Read BML page=, NumPgs=
FOTA Check Bit (0xffffffff)
Load Partion idx = (6)
..............................done
Kernel read success from kernel partition no.6, idx.6.
setting param.serialnr=0x3733b898 0x1ffc00ec
setting param.board_rev=0x30
setting param.cmdline=console=ttySAC2,115200 loglevel=4
Starting kernel at 0x32000000...
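The PARTITION INFORMATION table in the SBL output above is worth keeping in machine-readable form when you are comparing bootloader builds or checking what a flash has done to the layout. The following is an added example, not part of the guide: it parses the four-line ID/ATTR/FIRST_UNIT/NO_UNITS records from a saved console log into a list, checks that the units are contiguous with no overlaps (as they are in the log above), and lists which partitions the bootloader marks RW. The embedded sample is an excerpt (the first seven entries) of the table printed above; the record format and the `====` separator it relies on are the ones seen in that log.

```python
# Added example (not from the guide): parse the "PARTITION INFORMATION" table the
# Samsung SBL prints over UART and sanity-check the layout. Assumes the four-line
# record format and "====" separators seen in the log above.
import re
from typing import Dict, List

# Excerpt of the table from the post above (first seven entries).
SAMPLE_LOG = """\
==== PARTITION INFORMATION ====
ID : IBL+PBL (0x0)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 0
NO_UNITS : 1
===============================
ID : PIT (0x1)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 1
NO_UNITS : 1
===============================
ID : EFS (0x14)
ATTR : RW STL SLC (0x1101)
FIRST_UNIT : 2
NO_UNITS : 40
===============================
ID : SBL (0x3)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 42
NO_UNITS : 5
===============================
ID : SBL2 (0x4)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 47
NO_UNITS : 5
===============================
ID : PARAM (0x15)
ATTR : RW STL SLC (0x1101)
FIRST_UNIT : 52
NO_UNITS : 20
===============================
ID : KERNEL (0x6)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 72
NO_UNITS : 30
===============================
"""

ID_RE = re.compile(r"^ID\s*:\s*(\S+)\s*\((0x[0-9a-fA-F]+)\)")
ATTR_RE = re.compile(r"^ATTR\s*:\s*(.+?)\s*\((0x[0-9a-fA-F]+)\)")
NUM_RE = re.compile(r"^(FIRST_UNIT|NO_UNITS)\s*:\s*(\d+)")


def parse_partitions(log: str) -> List[Dict]:
    """Turn the SBL table into {name, pid, attr, attr_code, first, count} records."""
    parts: List[Dict] = []
    cur: Dict = {}
    for raw in log.splitlines():
        line = raw.strip()
        if m := ID_RE.match(line):
            cur = {"name": m.group(1), "pid": int(m.group(2), 16)}
        elif m := ATTR_RE.match(line):
            cur["attr"] = m.group(1)
            cur["attr_code"] = int(m.group(2), 16)
        elif m := NUM_RE.match(line):
            cur["first" if m.group(1) == "FIRST_UNIT" else "count"] = int(m.group(2))
        elif line.startswith("====") and "first" in cur and "count" in cur:
            parts.append(cur)        # separator closes a complete record
            cur = {}
    return parts


def check_layout(parts: List[Dict]) -> List[str]:
    """Report gaps or overlaps between consecutive partitions, in flash units."""
    problems = []
    ordered = sorted(parts, key=lambda p: p["first"])
    for a, b in zip(ordered, ordered[1:]):
        end = a["first"] + a["count"]
        if end > b["first"]:
            problems.append(f"{a['name']} overlaps {b['name']} by {end - b['first']} unit(s)")
        elif end < b["first"]:
            problems.append(f"gap of {b['first'] - end} unit(s) between {a['name']} and {b['name']}")
    return problems


def writable(parts: List[Dict]) -> List[str]:
    """Names of partitions the SBL marks RW, i.e. the ones a running system can change."""
    return [p["name"] for p in parts if p["attr"].startswith("RW")]
```

Feed it the console capture from minicom (or the log above) and diff the resulting list between builds; the RW set is where an environment change made with saveenv or a modified param would have to land, so it is the part worth watching.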
== The SBL (Secondary BootLoader) ==
The most interesting line out of all of that was:
Code:
Autoboot (0 seconds) in progress, press any key to stop
If you happen to hold down the Enter/Return key while booting the phone you will get into the "SBL>" prompt.
The Secondary BootLoader is essentially like u-boot.
Code:
...
DISPLAY_PATH_SEL[MDNIE 0x1]is on
MDNIE setting Init start!!
vsync interrupt is off
video interrupt is off
[fb0] turn on
MDNIE setting Init end!!
Autoboot (0 seconds) in progress, press any key to stop Autoboot aborted..
SBL>
If we type help, we will get some commands you can run. Some of these commands are affected by what is set in the environment.
Code:
SBL> help
Following commands are supported:
* setenv
* saveenv
* printenv
* help
* reset
* boot
* kernel
* format
* open
* close
* erasepart
* eraseall
* loadkernel
* showpart
* addpart
* delpart
* savepart
* nkernel
* nramdisk
* nandread
* nandwrite
* usb
* mmctest
* keyread
* readadc
* usb_read
* usb_write
* fuelgauge
* pmic_read
* pmic_write
To get commands help, Type "help <command>"
SBL>
You can get some minimal help for each command:
Code:
SBL> help loadkernel
* Help : loadkernel
* Usage : loadkernel
load kernel image
- loadkernel 0x80A00000 from kernel partition
Another set of interesting commands here are the ones that manipulate the environment:
setenv
saveenv
printenv
Code:
SBL> help setenv
* Help : setenv
* Usage : setenv [name] [value] . .
Modify current environment info on ram
SBL> help saveenv
* Help : saveenv
* Usage : saveenv
Save cuurent environment info to flash
SBL> help printenv
* Help : printenv
* Usage : printenv
Print current environment info on ram
printenv is probably the safest of them to run, so let's try this first.
Code:
SBL> printenv
PARAM Rev 1.3
SERIAL_SPEED : 7
LOAD_RAMDISK : 0
BOOT_DELAY : 0
LCD_LEVEL : 97
SWITCH_SEL : 1
PHONE_DEBUG_ON : 0
LCD_DIM_LEVEL : 0
LCD_DIM_TIME : 6
MELODY_MODE : 1
REBOOT_MODE : 0
NATION_SEL : 0
LANGUAGE_SEL : 0
SET_DEFAULT_PARAM : 0
CUST_KERNEL_DL_COUNT : 0
KERNEL_BINARY_TYPE : 0
VERSION : I9000XXIL
CMDLINE : console=ttySAC2,115200 loglevel=4
DELTA_LOCATION : /mnt/rsv
PARAM_STR_3 :
PARAM_STR_4 :
I'm not fully sure what all of these options are, but the ones I know about are SWITCH_SEL and PHONE_DEBUG_ON.
I usually set SWITCH_SEL to 765431. If I turn 2 on, I don't get anything. It would be worth testing each number in SWITCH_SEL to figure out which number changes what. That may be specific to the device I have.
Setting at least 6543 in SWITCH_SEL will give you kernel log output:
Code:
setenv SWITCH_SEL 6543
saveenv
I also set PHONE_DEBUG_ON to 1:
Code:
setenv PHONE_DEBUG_ON 1
saveenv
When I set this, I get some extended battery statistics like:
Code:
[BAT] CHR(0) CAS(0) CHS(3) DCR(0) ACP(2) BAT(81,0,0) TE(31) HE(1) VO(3926) ED(1000) RC(0) CC(0) VF(591) LO(0)
You must remember that after running setenv, you must then run saveenv at least once at the end to save the environment. I believe this environment info is saved to either an offset on the sbl partition or on the param.lfs. It would be useful to find this out, because u-boot has a userspace utility (that you can use from within linux userspace) to modify the u-boot environment. It may be handy to use a tool like that to modify the CMDLINE option during rom flashing time.
Also, instead of powering your phone off then on again to put the new settings in place, just run reset from the sbl prompt to reboot the phone with the new settings.
Anyway, this is what I have so far. I will be adding more to this as time goes on.
Enjoy!
-Bryan
Very nice and clear guide!
Also check out my Anyway thread on more details about JIG resistances etc. Soon I hope there will be more added to that about building your own Samsung Test Jig...
Setenv switch sel 1234567
Phone debug on 1
This gives you some kernel debugging.
bhundven said:
I usually set SWITCH_SEL to 765431. If I turn 2 on, I don't get anything. It would be worth testing each number in SWITCH_SEL to figure out which number changes what.
AdamOutler said:
Setenv switch sel 1234567
Phone debug on 1
This gives you some kernel debugging.
Yup. I've got that in there.
It's interesting to note that not all bootloaders are created equal. My results are on SGH-T959V.
Any chance that it will work with the Galaxy Ace too?
dragonnn said:
Any chance that it will work with the Galaxy Ace too?
I'm not sure. The GT-i9001 and the SGH-i717 (at&t galaxy note) also both have the FSA9480 chip, but use Qualcomm chips. I can only get some bootloader output from the SGH-i717:
Code:
Android Bootloader - UART_DM Initialized!!!
[VIBETONZ] ENABLE
[VIBETONZ] DISABLE
HW_REV = 12
mipi_init : status = 1
HW_REV = 12
start init_charger
smb328a_init_charger : is_reboot_mode = 0, vcell = 3975
check valid dcin (0x33) = 0x0
no dcin, skip init_charger
fuelguage : soc = 80%, vcell = 3975mV
fuelguage : rcomp(0xd01f) ==?? 0xd0d0
HW_REV = 12
VReset : 0x8c
Hibernation mode : 0x0
8340 = ( 397500 - 334350 ) * 13207 / 100000
HW_REV = 12
reboot_mode = 0xb6cef249
do key check
enter normal booting mode
AST_POWERON
usable ddi data.
HW_REV = 12
HW_REV = 12
E.V.A. said that it might be some debugging setting in the kernel that might have disabled the kernel log output.
It would be helpful to get some MSM developers here to help us out with that!
bhundven said:
I'm not sure. The GT-i9001 and the SGH-i717 (at&t galaxy note) also both have the FSA9480 chip, but use Qualcomm chips. I can only get some bootloader output from the SGH-i717:
I looked in the kernel source and it has ./drivers/i2c/chips/fsa9280.c, and the driver is included in the built kernel :good:. As far as I understand, we can use this method to recover the phone from a hard brick? That would be really nice; my friend bricked his Ace, maybe he can use this method.
dragonnn said:
I looked in the kernel source and it has ./drivers/i2c/chips/fsa9280.c, and the driver is included in the built kernel :good:. As far as I understand, we can use this method to recover the phone from a hard brick? That would be really nice; my friend bricked his Ace, maybe he can use this method.
Currently, I only know this method to work on SGS( not sgs2 or sgs3 ) phones with the FSA9480.
bhundven said:
Yup. I've got that in there.
It's interesting to note that not all bootloaders are created equal. My results are on SGH-T959V.
The switches are messages from levels 1-7. Turn on more to get more messages.
AdamOutler said:
The switches are messages from levels 1-7. Turn on more to get more messages.
That makes sense, but what doesn't is if I set SWITCH_SEL to 1234567 or any combination with 2, I get no output. As long as I don't have 2 in there, it works fine. Must just be this device.
Memory Architecture
Of course each device will have a different Memory Map. Each carrier designs their variant based on what they want and need to function. The MM is sectioned off in the ROM. Any user or modifiable area is stored in RAM, so remember we are working in an area that is not supposed to be touched (ROM).
Bootloaders are tricky beasts; I have never developed a flashing algorithm so I don't know. Usually BLs are not updated after release (at least in my field), only sw/fw is.
Either way, excellent ideas, but there is always a way in!
Fly-n-High said:
Of course each device will have a different Memory Map. Each carrier designs their variant based on what they want and need to function. The MM is sectioned off in the ROM. Any user or modifiable area is stored in RAM, so remember we are working in an area that is not supposed to be touched (ROM).
Bootloaders are tricky beasts; I have never developed a flashing algorithm so I don't know. Usually BLs are not updated after release (at least in my field), only sw/fw is.
Either way, excellent ideas, but there is always a way in!
huh?
Good post
Nice...!!
Thank you~
can't get SBL or PBL logs on uart in galaxy-y (GT-S5360)
Hello sir,
Thanks for your great tutorial.
I tried to get UART on the Galaxy Y (GT-S5360). I got a working UART but can't see any PBL or SBL logs during the boot. The only log I see during the booting is
Code:
AST_POWERON..
BOOTING COMPLETED
After booting, UART works fine and I can use a shell via serial using the command
(on phone)
Code:
busybox sh</dev/ttyS0 >/dev/ttyS0
and on PC
Code:
microcom -s 115200 -p /dev/ttyS0
The ttyS0 settings of the phone are
Code:
speed 115200 baud; line = 0;
intr = ^C; quit = ^\; erase = ^?; kill = ^U; eof = ^D; eol = <undef>;
eol2 = <undef>; swtch = <undef>; start = ^Q; stop = ^S; susp = ^Z; rprnt = ^R;
werase = ^W; lnext = ^V; flush = ^O; min = 1; time = 0;
-parenb -parodd cs8 hupcl -cstopb cread clocal -crtscts
-ignbrk -brkint -ignpar -parmrk -inpck -istrip -inlcr -igncr icrnl ixon -ixoff
-iuclc -ixany -imaxbel -iutf8
opost -olcuc -ocrnl onlcr -onocr -onlret -ofill -ofdel nl0 cr0 tab0 bs0 vt0 ff0
isig icanon iexten echo echoe echok -echonl -noflsh -xcase -tostop -echoprt
echoctl echoke
And those of the PC are
Code:
speed 115200 baud; rows 0; columns 0; line = 0;
intr = ^C; quit = ^\; erase = ^?; kill = ^U; eof = ^D; eol = <undef>;
eol2 = <undef>; swtch = <undef>; start = ^Q; stop = ^S; susp = ^Z; rprnt = ^R;
werase = ^W; lnext = ^V; flush = ^O; min = 1; time = 0;
-parenb -parodd cs8 hupcl -cstopb cread clocal -crtscts
ignbrk -brkint -ignpar -parmrk -inpck -istrip -inlcr -igncr -icrnl -ixon -ixoff
-iuclc -ixany -imaxbel -iutf8
opost -olcuc -ocrnl -onlcr -onocr -onlret -ofill -ofdel nl0 cr0 tab0 bs0 vt0 ff0
isig -icanon iexten -echo echoe echok -echonl -noflsh -xcase -tostop -echoprt
-echoctl echoke
cat /proc/cmdline of the phone is
Code:
console=ttyS0,115200n8 mem=362M kmemleak=off root=/dev/ram0 rw androidboot.console=ttyS0 mtdparts=bcm_umi-nand:[email protected](bcm_boot)ro,[email protected](loke)ro,[email protected](loke_bk)ro,[email protected](systemdata)ro,[email protected](modem)ro,[email protected](param_lfs)rw,[email protected](boot)ro,[email protected](boot_backup)ro,[email protected](system)rw,[email protected](cache)rw,[email protected](userdata)rw,[email protected](efs)rw,[email protected](sysparm_dep)ro,[email protected](umts_cal)ro,[email protected](cal)r BOOT_MODE=0 loglevel=0 BOOT_FOTA=0 DEBUG_LEVEL=LOW
Circuit diagram is attached below
Anyone, please help.
harish2704 said:
I tried to get UART on the Galaxy Y (GT-S5360). I got a working UART but can't see any PBL or SBL logs during the boot. The only log I see during the booting is
Code:
AST_POWERON..
BOOTING COMPLETED
I get something similar on a Samsung Rugby Smart (SGH-I847). I think they have tweaked the UART stuff on the newer devices that post date the Galaxy S devices. They might share the UART chip, but it seems as if they changed the loader implementation which is causing the newer devices to not see the PBL and SBL information during boot.
harish2704 said:
Circuit diagram is attached below
Have you tried a 150k or 619k resistor instead of the 523k? I was able to get output with both a 150k and 619k, but the output was very similar to what you have posted. Likely a long shot, but worth a try.
harish2704 said:
cat /proc/cmdline of the phone is
Code:
console=ttyS0,115200n8 mem=362M kmemleak=off root=/dev/ram0 rw androidboot.console=ttyS0 mtdparts=bcm_umi-nand:[email protected](bcm_boot)ro,[email protected](loke)ro,[email protected](loke_bk)ro,[email protected](systemdata)ro,[email protected](modem)ro,[email protected](param_lfs)rw,[email protected](boot)ro,[email protected](boot_backup)ro,[email protected](system)rw,[email protected](cache)rw,[email protected](userdata)rw,[email protected](efs)rw,[email protected](sysparm_dep)ro,[email protected](umts_cal)ro,[email protected](cal)r BOOT_MODE=0 loglevel=0 BOOT_FOTA=0 DEBUG_LEVEL=LOW
Do you have any control over this? It might be the case that ttyS0 isn't setup during early-boot and you need to use a different tty to get it to output over the FSA chip.
Have you tried a 150k or 619k resistor instead of the 523k?
Yes, I tried. I didn't notice any difference between 619k and 523k when I tried them. And with 150k, I couldn't get UART active.
Do you have any control over this? It might be the case that ttyS0 isn't setup during early-boot and you need to use a different tty to get it to output over the FSA chip
What do you mean by control? Do you mean, can I change these parameters? Yes, it's possible by reflashing (update.zip method).
Or
do you mean, do I have control over the ttyS0 device? Yes, I can change that with the
Code:
busybox stty -F /dev/ttyS0 ..........
command
Sorry for my language
harish2704 said:
What do you mean by control? Do you mean, can I change these parameters? Yes, it's possible by reflashing (update.zip method).
This is the method I was referring to. If you tweak the parameters you might be able to get the kernel log over serial.
Sent from my SAMSUNG-SGH-I547 using Tapatalk 2
Can you please describe the tweaks I have to do...
In my knowledge, the kernel param
Code:
console=ttyS0,115200n8
is enough for that....
So please specify the tweaks...
harish2704 said:
Can you please describe the tweaks I have to do...
In my knowledge, the kernel param
Code:
console=ttyS0,115200n8
is enough for that....
So please specify the tweaks...
If you can interact with ttyS0 post-boot I'd expect it to work. Is there maybe another serial device such as ttyHS0 or similar that you can interact with? If so, that might be something to try.
You need to change that ttyS0 to ttySAC2 in the boot parameters. Use the abootimg tool on Ubuntu. Apt-get install abootimg.
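An added example, not code from this thread or its posters, that parses a kernel command line like the one harish2704 posted and checks the two settings that decide whether kernel messages reach the serial console: console= names the device (which depends on the SoC's UART driver; the last reply suggests ttySAC2), and loglevel= sets the console loglevel, where loglevel=0 (as in the posted cmdline) makes the kernel print nothing to the console no matter what console= says. The sample cmdline below is constructed and its mtdparts sizes and offsets are placeholders.

```python
# Added example, not code from the thread: parse a kernel command line the way the
# kernel does (whitespace-separated tokens, so the comma-laden mtdparts= value stays
# whole) and report the settings that decide whether printk output reaches the
# serial console. SAMPLE_CMDLINE is constructed; mtdparts sizes/offsets are placeholders.
SAMPLE_CMDLINE = (
    "console=ttyS0,115200n8 mem=362M kmemleak=off root=/dev/ram0 rw "
    "androidboot.console=ttyS0 "
    "mtdparts=bcm_umi-nand:0x40000@0x0(bcm_boot)ro,0x80000@0x40000(loke)ro "
    "BOOT_MODE=0 loglevel=0 BOOT_FOTA=0 DEBUG_LEVEL=LOW"
)

def parse_cmdline(cmdline):
    """Return (key=value params as a dict, bare flags such as 'rw' as a list)."""
    params, flags = {}, []
    for token in cmdline.split():
        key, sep, value = token.partition("=")
        if sep:
            params[key] = value
        else:
            flags.append(key)
    return params, flags

def console_diagnosis(cmdline):
    """List reasons the console named by console= would show no kernel messages.
    A message is printed only when its priority number is below the console loglevel:
    loglevel=0 silences everything, loglevel=8 shows everything; absent means 7."""
    params, _ = parse_cmdline(cmdline)
    console = params.get("console", "")
    notes = []
    loglevel = int(params.get("loglevel", "7"))  # 7 = usual compiled-in default
    if loglevel == 0:
        notes.append("loglevel=0 suppresses all printk output on console=%s" % console)
    elif loglevel < 8:
        notes.append("loglevel=%d hides messages with priority >= %d" % (loglevel, loglevel))
    return notes

def rewrite_cmdline(cmdline, **overrides):
    """Return cmdline with the given key=value parameters replaced (or appended if
    absent); every other token keeps its text and position."""
    out, seen = [], set()
    for token in cmdline.split():
        key, sep, _ = token.partition("=")
        if sep and key in overrides:
            out.append("%s=%s" % (key, overrides[key]))
            seen.add(key)
        else:
            out.append(token)
    out.extend("%s=%s" % (k, v) for k, v in overrides.items() if k not in seen)
    return " ".join(out)
```

Running console_diagnosis on the posted cmdline flags loglevel=0 before any resistor or tty change is tried; rewrite_cmdline produces the edited line to put back into the boot image with a tool such as abootimg.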