Hi everyone,

Today I'm going to explain how to JTAG an HTC Magic. Of course, this operation is complex and requires electronics knowledge as well as good soldering technique.

JTAG will recover the smartphone from bricks caused by problems flashing a new radio, taking advantage of an HTC serial console over the USB cable at 115200 8N1.

I chose to build the JTAG board because it is much cheaper, but if you want you can buy a USB FT2232 FTDI JTAG and then just connect the wires.

The JTAG module I present here is LPT (DB25) based, which makes the data transfer slow: it will take about 55 minutes to transfer the 21MB radio image.

You don't need this if you have fastboot (http://www.androidpt.info/index.php?title=Fastboot) or recovery (http://www.androidpt.info/index.php?title=Recovery)!

It is of course worth reading the official post:
http://wiki.cyanogenmod.com/index.php?title=JTAG_for_Dream/Magic

Required files:

Radio 32A
http://android.vslin..._3.22.20.17.img

Radio 32B
http://android.vslin...-2_22_23_02.img

OpenOCD 0.4.0 Windows (not tested, m$ sucks)
http://android.vslin...enocd-0.4.0.zip

OpenOCD 0.4.0 Linux
http://android.vslin...d-0.4.0.tar.bz2

OpenOCD config for the HTC Magic:
http://android.vslin.../jtag/magic.cfg

JTAG board schematic:

The LM317 is there to generate exactly 2.6 volts (that is, 2.60~2.62, not > 2.62).
The board can be powered over USB or from a DC adapter.
I replaced the IC with a 74HC245N, which is not SMD and supports voltages above 2V.

JTAG pinout on the HTC Magic:

Note: RTCK is not needed.
Note 1: TRST must be at 2.6V.
Note 2: Ground is the Magic's shielding plates.
Note 3: The JTAG cable from the board to the Magic must not be longer than 20cm, because of the speed and transmission errors.

Connected wires:

If you don't like it, you can buy this mod:
http://www.gsm-techn...categories.html

Compiling OpenOCD:

    ./configure --enable-oocd_trace --enable-parport --enable-verbose-jtag-io --enable-verbose
    make
    make install

Put the Magic into radio debug mode: press the scroll button + power (you get the blue LED).

Example:

USB to TTL 3.3V serial:

Pinout of the serial port (HTC ExtUSB):

    _____________
    | A B C D E |
    \1 2 3 4 5 6|

    A: GND
    B: NC
    C: +DATA
    D: -DATA
    E: +5v
    1: +Mic
    2: +Right
    3: Switch / Rx / CABLE_IN2
    4: GND / Tx / CABLE_IN1
    5: GND
    6: +Left

You can buy a cable or sacrifice one:
http://www.podgizmo.com or
http://www.sparkfun.com

Connect to the serial port:

    screen /dev/ 115200

On the serial console, after typing a ? to test whether it is OK, you should get:

    NAND_FLASH_READ_ID : MICRON_512MB_FLASH_256MB_SDRAM
    ARM9_BOOT_MODE1
    Invalid command : ?

Example of a console with problems (splash screen freeze):

    boot reason: PM_KPD_PWR_KEY_ON_RT_ST
    (PowerOn Status,Boot Reason)=(1,1)
    NAND_FLASH_READ_ID : MICRON_512MB_FLASH_256MB_SDRAM
    ARM9_BOOT_MODE0, Boot AndroidZWH¨©kµ}¹…¹‘}Áɽ‰•5 Camera 3M
    [MDDI] Bitmap_Width = 480
    [MDDI] Bitmap_Height = 640
    [MDDI] RGB_Capability = 0x8888
    [MDDI] Mfr_Name = 0xD263
    [MDDI] Product_Code = 0x0
    HeapFreeTable[0].StartAddr=0xA03AE180
    HeapFreeTable[0].Size=0x6A51E80
    HeapFreeTable[1].StartAddr=0xA0300658
    HeapFreeTable[1].Size=0x8
    HeapFreeTable[2].StartAddr=0xA0300EF8
    HeapFreeTable[2].Size=0x8
    HeapFreeTable[3].StartAddr=0xA0300F68
    HeapFreeTable[3].Size=0x18
    HeapFreeTable[4].StartAddr=0xA0300FAC
    HeapFreeTable[4].Size=0x14
    HeapFreeTable[5].StartAddr=0xA0301178
    HeapFreeTable[5].Size=0x8
    HeapFreeTable[6].StartAddr=0xA0301328
    HeapFreeTable[6].Size=0x18
    HeapFreeTable[7].StartAddr=0xA03013A4
    HeapFreeTable[7].Size=0xC5C
    EEPROM: read 2032 bytes
    Board_PID : 0x2E
    Wlan data header ++++++++++++++++++++
    Signature : 0xEE1251
    UpdateStatus : 0x2
    UpdateCount : 0x4
    BodyLength : 0x2F0
    BodyCRC : 0xB33503CB
    aDieId(0) : 0x0
    aDieId(1) : 0x0
    aDieId(2) : 0x0
    aDieId(3) : 0x0
    countryID : 0x30
    Wlan data header --------------------------
    ARM11 Boot Mode: 3
    Platform: HBOOT-7201A

Running OpenOCD:

    openocd -f magic.cfg

    root@android-desktop:/home/android# openocd -f magic.cfg
    Open On-Chip Debugger 0.4.0 (2011-01-02-15:41)
    Licensed under GNU GPL v2
    For bug reports, read http://openocd.berli...ugs.html
    parport port = 0x0
    trst_and_srst srst_pulls_trst srst_gates_jtag trst_push_pull srst_open_drain
    dcc downloads are enabled
    fast memory access is enabled
    Info : clock speed 500 kHz
    Info : JTAG tap: arm9.cpu tap/device found: 0x301700e1 (mfg: 0x070, part: 0x0170, ver: 0x3)
    Info : Embedded ICE version 6
    Info : arm9: hardware has 2 breakpoint/watchpoint units
    Info : accepting 'telnet' connection from 0
    target state: halted
    target halted in ARM state due to debug-request, current mode: Supervisor
    cpsr: 0x400000d3 pc: 0x00908294
    MMU: disabled, D-Cache: disabled, I-Cache: disabled
    Error: No working memory available. Specify -work-area-phys to target.
    Info : no working area available, falling back to memory writes

Examples of errors caused by a bad JTAG connection:

    root@android-desktop:/home/android# openocd -f magic.cfg
    Open On-Chip Debugger 0.4.0 (2011-01-02-15:41)
    Licensed under GNU GPL v2
    For bug reports, read http://openocd.berli...ugs.html
    parport port = 0x0
    trst_and_srst srst_pulls_trst srst_gates_jtag trst_push_pull srst_open_drain
    dcc downloads are enabled
    fast memory access is enabled
    Info : clock speed 500 kHz
    Error: JTAG scan chain interrogation failed: all ones
    Error: Check JTAG interface, timings, target power, etc.
    Error: JTAG scan chain interrogation failed: all ones
    Error: Check JTAG interface, timings, target power, etc.
    Command handler execution failed
    Warn : jtag initialization failed; try 'jtag init' again.

and another:

    root@android-desktop:/home/android# openocd -f magic.cfg
    Open On-Chip Debugger 0.4.0 (2011-01-02-15:41)
    Licensed under GNU GPL v2
    For bug reports, read http://openocd.berli...ugs.html
    parport port = 0x0
    trst_and_srst srst_pulls_trst srst_gates_jtag trst_push_pull srst_open_drain
    dcc downloads are enabled
    fast memory access is enabled
    Info : clock speed 500 kHz
    Info : JTAG tap: arm9.cpu tap/device found: 0x201600e1 (mfg: 0x070, part: 0x0160, ver: 0x2)
    Warn : JTAG tap: arm9.cpu UNEXPECTED: 0x201600e1 (mfg: 0x070, part: 0x0160, ver: 0x2)
    Error: JTAG tap: arm9.cpu expected 1 of 1: 0x301700e1 (mfg: 0x070, part: 0x0170, ver: 0x3)
    Warn : Unexpected idcode after end of chain: 32 0x000000fe
    Warn : Unexpected idcode after end of chain: 64 0x000000fe
    Warn : Unexpected idcode after end of chain: 96 0x000000fe
    Warn : Unexpected idcode after end of chain: 128 0x000000fe
    Warn : Unexpected idcode after end of chain: 160 0x000000fe
    Warn : Unexpected idcode after end of chain: 192 0x000000fe
    Warn : Unexpected idcode after end of chain: 224 0x000000fe
    Warn : Unexpected idcode after end of chain: 288 0x000000fe
    Warn : Unexpected idcode after end of chain: 320 0x000000fe
    Warn : Unexpected idcode after end of chain: 384 0x000000fe
    Warn : Unexpected idcode after end of chain: 416 0x000000fe
    Warn : Unexpected idcode after end of chain: 448 0x000000fe
    Warn : Unexpected idcode after end of chain: 480 0x000000fe
    Warn : Unexpected idcode after end of chain: 512 0x000000fe
    Warn : Unexpected idcode after end of chain: 544 0x000000fe
    Warn : Unexpected idcode after end of chain: 576 0x000000fe
    Warn : Unexpected idcode after end of chain: 608 0x000000fe
    Error: double-check your JTAG setup (interface, speed, missing TAPs, ...)
    Info : JTAG tap: arm9.cpu tap/device found: 0x201600c1 (mfg: 0x060, part: 0x0160, ver: 0x2)
    Warn : JTAG tap: arm9.cpu UNEXPECTED: 0x201600c1 (mfg: 0x060, part: 0x0160, ver: 0x2)
    Error: JTAG tap: arm9.cpu expected 1 of 1: 0x301700e1 (mfg: 0x070, part: 0x0170, ver: 0x3)
    Warn : Unexpected idcode after end of chain: 32 0x000000fe
    Warn : Unexpected idcode after end of chain: 64 0x000000fe
    Warn : Unexpected idcode after end of chain: 96 0x000000fe
    Warn : Unexpected idcode after end of chain: 128 0x000000fe
    Warn : Unexpected idcode after end of chain: 160 0x000000fe
    Warn : Unexpected idcode after end of chain: 192 0x000000fe
    Warn : Unexpected idcode after end of chain: 224 0x000000fe
    Warn : Unexpected idcode after end of chain: 256 0x000000fe
    Warn : Unexpected idcode after end of chain: 288 0x000000fe
    Warn : Unexpected idcode after end of chain: 320 0x000000fe
    Warn : Unexpected idcode after end of chain: 352 0x000000fe
    Warn : Unexpected idcode after end of chain: 384 0x000000fe
    Warn : Unexpected idcode after end of chain: 416 0x000000fe
    Warn : Unexpected idcode after end of chain: 448 0x000000fe
    Warn : Unexpected idcode after end of chain: 480 0x000000fe
    Warn : Unexpected idcode after end of chain: 512 0x000000fe
    Warn : Unexpected idcode after end of chain: 544 0x000000fe
    Warn : Unexpected idcode after end of chain: 576 0x000000fe
    Warn : Unexpected idcode after end of chain: 608 0x000000fe
    Error: double-check your JTAG setup (interface, speed, missing TAPs, ...)
    Command handler execution failed
    Warn : jtag initialization failed; try 'jtag init' again.

Programming the beast over JTAG

Open a new terminal and telnet into OpenOCD:

    telnet 127.0.0.1 4444

Then:

    halt
    load_image /home/android/radio.img 0x103B5300
    resume
    shutdown

Example:

    root@android-desktop:~$ telnet 127.0.0.1 4444
    Trying 127.0.0.1...
    Connected to 127.0.0.1.
    Escape character is '^]'.
    Open On-Chip Debugger
    > halt
    target state: halted
    target halted in ARM state due to debug-request, current mode: Supervisor
    cpsr: 0x400000d3 pc: 0x00908294
    MMU: disabled, D-Cache: disabled, I-Cache: disabled
    > load_image /home/android/radio.img 0x103B5300
    No working memory available. Specify -work-area-phys to target.
    no working area available, falling back to memory writes
    22020096 bytes written at address 0x103b5300
    downloaded 22020096 bytes in 3109.545410s (6.915 kb/s)
    > resume
    > shutdown
    shutdown command invoked
    > Connection closed by foreign host.

After the transfer you will get this in the OpenOCD terminal:

    22020096 bytes written at address 0x103b5300
    downloaded 22020096 bytes in 3109.545410s (6.915 kb/s)
    shutdown command invoked

Now let's program it. On the serial console type:

    radata 103B5300 01500000

After the command you should get:

    FA0F129C Format EFS...
    EFS Block: 234-277
    Erase Block: 234
    Erase Block: 235
    Erase Block: 236
    Erase Block: 237
    Erase Block: 238
    Erase Block: 239
    Erase Block: 240
    Erase Block: 241
    Erase Block: 242
    Erase Block: 243
    Erase Block: 244
    Erase Block: 245
    Erase Block: 246
    Erase Block: 247
    Erase Block: 248
    Erase Block: 249
    Erase Block: 250
    Erase Block: 251
    Skip Bad Block: 252
    Erase Block: 253
    Erase Block: 254
    Erase Block: 255
    Erase Block: 256
    Erase Block: 257
    Erase Block: 258
    Erase Block: 259
    Erase Block: 260
    Erase Block: 261
    Erase Block: 262
    Erase Block: 263
    Erase Block: 264
    Erase Block: 265
    Erase Block: 266
    Erase Block: 267
    Erase Block: 268
    Erase Block: 269
    Erase Block: 270
    Erase Block: 271
    Erase Block: 272
    Erase Block: 273
    Erase Block: 274
    Erase Block: 275
    Erase Block: 276
    Erase Block: 277
    Done

Final images of the successful recovery:

Power off, press return+power and, if you are lucky and did everything right, we now have fastboot (http://www.androidpt.info/index.php?title=Fastboot) :P

This project may also work for recovering other devices; you just need to know the JTAG pinout.

I hope this helped :P

OpenSys
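
The OpenOCD runs shown above can be compared field by field. The following is an added example, not part of the original post or of OpenOCD: it decodes the 32-bit IDCODE values from the "tap/device found" lines using the standard IEEE 1149.1 layout and reports which bits differ from the expected 0x301700e1. The function names are hypothetical; the log lines are taken from the runs in the post.

```python
import re

EXPECTED = 0x301700E1  # IDCODE the post's magic.cfg run reports as expected

def decode_idcode(idcode):
    """Split a 32-bit IEEE 1149.1 IDCODE into its fields."""
    return {
        "marker": idcode & 1,             # bit 0, always 1 in a valid IDCODE
        "mfg": (idcode >> 1) & 0x7FF,     # bits 11:1, manufacturer id
        "part": (idcode >> 12) & 0xFFFF,  # bits 27:12, part number
        "ver": (idcode >> 28) & 0xF,      # bits 31:28, version
    }

def flipped_bits(seen, expected=EXPECTED):
    """Bit positions where a read IDCODE differs from the expected one."""
    diff = seen ^ expected
    return [bit for bit in range(32) if (diff >> bit) & 1]

FOUND = re.compile(r"tap/device found: (0x[0-9a-fA-F]{8})")

def diagnose(log, expected=EXPECTED):
    """Classify each symptom in an OpenOCD startup log as (kind, detail)."""
    findings = []
    for line in log.splitlines():
        if "interrogation failed: all ones" in line:
            # TDO never went low: nothing answered on the scan chain.
            findings.append(("all_ones", None))
        match = FOUND.search(line)
        if match:
            seen = int(match.group(1), 16)
            if seen == expected:
                findings.append(("ok", decode_idcode(seen)))
            else:
                # A few wrong bits in an otherwise plausible IDCODE.
                findings.append(("bitflip", flipped_bits(seen, expected)))
    return findings

# Lines taken from the three runs shown in the post (abridged).
SAMPLE = """\
Info : JTAG tap: arm9.cpu tap/device found: 0x301700e1 (mfg: 0x070, part: 0x0170, ver: 0x3)
Error: JTAG scan chain interrogation failed: all ones
Info : JTAG tap: arm9.cpu tap/device found: 0x201600e1 (mfg: 0x070, part: 0x0160, ver: 0x2)
Info : JTAG tap: arm9.cpu tap/device found: 0x201600c1 (mfg: 0x060, part: 0x0160, ver: 0x2)
"""

if __name__ == "__main__":
    for kind, detail in diagnose(SAMPLE):
        print(kind, detail)
```

Both bad reads differ from the expected IDCODE in only two or three bit positions, all read as 0 where a 1 was expected, which fits the post's attribution of these errors to a bad JTAG connection rather than to a different chip.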