RIFF JTAG – Direct JTAG Access to Flash Memory Plugin v1.00 released

16.12.2011 Direct JTAG Access to Flash Memory Plugin v1.00

Release info:

This plugin accesses the flash memory of the selected target directly. No DCC Loader is used, so the plugin is completely independent of the target hardware implementation (RAM availability, visibility, addressing and layout, core clocking, etc.). The main disadvantage is a noticeable decrease in data exchange speed compared to the DCC Loader (approximately 10…20 times slower).

With this plugin you can:

  • Read selected flash memory range;
  • Write selected flash memory range;
  • Erase selected flash memory range.

Currently supported memory controllers are:

  • OneNAND Memory (connected directly to the MCU’s address space);
  • CFI Compliant NOR Memory with CFI Command sets 0x0001, 0x0002, 0x0200 and 0x0003;
  • NAND Controller in MSM6250, MSM6250A;
  • NAND Controller in QSC6055, QSC6085, QSC6240, QSC6270;
  • NAND Controller in MDM6085, MDM6200, MDM6600;
  • NAND Controller in MSM6245, MSM6246, MSM6270, MSM6275, MSM6280, MSM6280A, MSM6281, MSM6290, MSM6800A, MSM6801A;
  • NAND Controller and OneNAND Controller in MSM7225, MSM7227, MSM7625, MSM7627;
  • NAND Controller in MSM7200, MSM7200A, MSM7201A, MSM7500, MSM7500A, MSM7501A, MSM7600;
  • NAND Controller in QSD8250, QSD8650;
  • eMMC Controller #2 in MSM7230, MSM8255, MSM8255T;
  • eMMC Controller #0 in S5PV310;


Currently supported chipsets and cores for JTAG I/O operations:

  • Generic ARM Cores: ARM7, ARM9 (ARM920, ARM926, ARM946), ARM11, CORTEX-A8, CORTEX-A9;
  • Qualcomm QSC Family: QSC1100, QSC1110, QSC6010, QSC6020, QSC6030, QSC6055, QSC6085, QSC6240, QSC6270;
  • Qualcomm MSM Family: MSM6000, MSM6150, MSM6245, MSM6246, MSM6250, MSM6250A, MSM6260, MSM6275, MSM6280, MSM6280A, MSM6281, MSM6800A, MSM6801A, MSM6290, MSM7225, MSM7227, MSM7625, MSM7627, MSM7230, MSM8255, MSM8255T, MSM8260;
  • Qualcomm QSD Family: QSD8250, QSD8650;
  • Qualcomm ESM Family: ESM7602A;
  • Qualcomm MDM Family: MDM6085, MDM6200, MDM6600;
  • OMAP Family: OMAP1710, OMAP3430, OMAP3630, OMAP4430;
  • NVIDIA Family: TEGRA2;
  • Marvell/XScale Family: PXA270, PXA271, PXA272, PXA310, PXA312, PXA320;
  • Samsung Processors: S5P6422, S5PV310.

The memory reading/programming logic is almost the same as on the DCC Read/Write page in the JTAG Manager: Main and Spare fields, Auto FullFlash size detection, the ability to flash image files (for NAND), etc. Users familiar with the DCC Read/Write page features will need to learn almost nothing new in order to use this plugin. It also means that data files read from memory by this plugin (partial or full flash image) can be flashed back through the DCC Read/Write page, and vice versa.
Here, however, it is the user’s task to know the relevant details of the target: which exact MCU is used in the device, what memory is used (NAND, OneNAND, NOR, eMMC/SD, MDOC or other), and which component of the target system can see this memory (for example, NAND memory is usually visible to the MCU’s Embedded Memory Controller, while NOR is directly accessible by the MCU itself; OneNAND memory in most cases is directly accessible by the MCU, but sometimes it is visible via the MCU’s Embedded Memory Controller).

Please note the main differences from the DCC Read/Write methods:

  • Exact chipset (MCU) name selection is required;
  • Memory type selection is required (for example: NAND or NOR memory);
  • Selection of which component of the target system can see this memory (for example: the MCU itself or the MCU’s Embedded Memory Controller): the ‘Memory Type & Host’ setting;
  • Memory Controller Mode is introduced here (on the DCC Read/Write page in the JTAG Manager the Memory Controller Mode was chosen automatically depending on the selected ROMi Address Space). Many Qualcomm NAND Controllers are widely configurable; for example, they allow the firmware to select any desired position of the bad block marker byte inside the NAND page’s main or spare area, and on reads/writes this byte is handled by the controller itself, making it ‘invisible’ in the NAND page data. Thus reading NAND with a configuration different from the one the manufacturer used for writing data into this NAND memory (the firmware, for example) will result in 1 byte being read erroneously or lost. In many cases (by many manufacturers) the default bad block marker position is at offset 0x01D1 in the page’s main area; the abbreviated Memory Controller Mode appears in the list as “M:0200/S:10/BM:01D1”, meaning the NAND controller is configured for a main area of 0x0200 bytes, a spare area of 0x0010 bytes, and a bad block marker position in the main area (BM) at offset 0x01D1. The other most common case is the bad block marker at offset 0x0006 in the spare area; such an abbreviated Memory Controller Mode appears in the list as “M:0200/S:10/BS:0006”, meaning a main area of 0x0200 bytes, a spare area of 0x0010 bytes, and a bad block marker position in the spare area (BS) at offset 0x0006;
  • During NAND read operations, if ECC Module Enable is checked, the ECC status is checked too. Thus make sure to disable ECC checks during reads unless you need them for an advanced operation.
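
As an added illustration of the abbreviated Memory Controller Mode strings described above (example code written for this page, not part of the RIFF software), the following parses a mode string, locates the bad block marker byte inside a raw main+spare page dump, and checks whether two readouts of the same page taken under different modes differ only at the marker positions, which is the one-byte discrepancy the text warns about. The names (`NandMode`, `parse_mode`, and so on), the sample page contents, and the convention that a marker byte of 0xFF means a good block are assumptions, not taken from the release notes.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class NandMode:
    """Geometry described by a mode string such as 'M:0200/S:10/BM:01D1'."""
    main: int           # size of the page's main area in bytes
    spare: int          # size of the page's spare area in bytes
    marker_area: str    # 'main' for a BM field, 'spare' for a BS field
    marker_offset: int  # bad block marker offset inside that area

    @property
    def page_size(self) -> int:
        return self.main + self.spare

    @property
    def marker_abs(self) -> int:
        """Absolute offset of the marker byte in a raw main+spare page dump."""
        base = 0 if self.marker_area == "main" else self.main
        return base + self.marker_offset


def parse_mode(text: str) -> NandMode:
    """Parse 'M:<hex>/S:<hex>/BM:<hex>' or 'M:<hex>/S:<hex>/BS:<hex>'."""
    fields = {}
    for part in text.split("/"):
        key, sep, value = part.partition(":")
        if not sep or not value:
            raise ValueError(f"malformed field {part!r} in {text!r}")
        fields[key.upper()] = int(value, 16)   # every value is hexadecimal
    if "M" not in fields or "S" not in fields:
        raise ValueError(f"main (M) and spare (S) sizes are required: {text!r}")
    if ("BM" in fields) == ("BS" in fields):
        raise ValueError(f"exactly one of BM or BS is required: {text!r}")
    area = "main" if "BM" in fields else "spare"
    offset = fields["BM"] if area == "main" else fields["BS"]
    limit = fields["M"] if area == "main" else fields["S"]
    if not 0 <= offset < limit:
        raise ValueError(f"marker offset 0x{offset:04X} lies outside the {area} area")
    return NandMode(fields["M"], fields["S"], area, offset)


def marker_byte(page: bytes, mode: NandMode) -> int:
    """Return the byte the controller treats as the bad block marker under this mode."""
    if len(page) != mode.page_size:
        raise ValueError(f"expected {mode.page_size} bytes, got {len(page)}")
    return page[mode.marker_abs]


def block_marked_bad(page: bytes, mode: NandMode) -> bool:
    # Assumption (common NAND convention, not stated on the page): 0xFF = good block.
    return marker_byte(page, mode) != 0xFF


def explained_by_marker_handling(page_a: bytes, mode_a: NandMode,
                                 page_b: bytes, mode_b: NandMode) -> bool:
    """True if two readouts of one physical page differ only where either mode
    places the marker byte, i.e. the mismatch is the single-byte effect of a
    wrong Memory Controller Mode rather than real data corruption."""
    if len(page_a) != len(page_b):
        return False
    diffs = {i for i, (x, y) in enumerate(zip(page_a, page_b)) if x != y}
    return bool(diffs) and diffs <= {mode_a.marker_abs, mode_b.marker_abs}


# Constructed sample page: 0x200 bytes of main data followed by a 0x10-byte
# spare area that is all 0xFF (a clean spare area).
SAMPLE_PAGE = bytes(range(256)) * 2 + b"\xFF" * 16
MODE_BM = parse_mode("M:0200/S:10/BM:01D1")
MODE_BS = parse_mode("M:0200/S:10/BS:0006")

if __name__ == "__main__":
    print(f"page size {MODE_BM.page_size} bytes")
    print(f"BM marker at 0x{MODE_BM.marker_abs:04X} -> 0x{marker_byte(SAMPLE_PAGE, MODE_BM):02X}")
    print(f"BS marker at 0x{MODE_BS.marker_abs:04X} -> 0x{marker_byte(SAMPLE_PAGE, MODE_BS):02X}")
```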

Short manual on how to Read/Write/Erase memory:

  • Select the chipset (MCU) used in the current target (for example MSM6280);
  • Select the memory type and its host (MCU or MCU’s Embedded Memory Controller);
  • Set up the TCK/RTCK frequencies, JTAG I/O voltage levels, and the target’s core position on the JTAG scan chain (TAP#);
  • Connect the target device to the RIFF BOX, make sure it has power, and click the Connect & Flash ID button to ensure the target device is connected and the selected memory is initialized and visible;
  • All further actions are exactly the same as when using the DCC Read/Write page features.

The most common errors which can happen during direct read/write operations:

  • The NRST signal is neglected by the user. Please take into account that the NRST signal is the most important one. A system reset helps the debugger (RIFF BOX) to bring the device into a 100% known hardware state, which guarantees that the MCU’s memory controller selected by the user will be configured as it should be and memory access will succeed;
  • Cannot connect to the selected memory (Connect & Flash ID): check the NRST signal; check the Reset Method in settings; make sure the proper MCU, memory type and controller are selected in settings; if NOR or directly accessible OneNAND memory is selected, make sure a valid memory base is set;
  • “Resetting and Halting Target…” fails: make sure the device is powered and the power-on key (if present) is pressed during this stage; some devices like HTCs based on the MSM8255 chipsets are fused, and JTAG may be enabled only by the started firmware, so you may need to vary the Reset Method settings: disable reset altogether (which is not desirable) or increase the waiting time between the system reset by NRST assertion and the attempt to HALT the core (for fused HTCs based on MSM8255 this is 670 ms or more);

RIFF JTAG – Unbrick Samsung Galaxy TAB Wi-Fi (P1010), more CDMA Models supported

22.11.2011  Unbrick Samsung Galaxy TAB Wi-Fi (P1010), more CDMA Models supported

Samsung P1010 is based on the OMAP3630 (ARM core is Cortex-A8).

Note: one simple way to connect over JTAG is to connect the USB cable to the PC and insert the battery. In this case the phone is powered on automatically. But note that in very rare cases you may have to hold the Power On key during the initial connection.
If after resurrection (after you have tried both boot versions) download mode is not initiated (LCD remains blank), repeat the resurrection with the ‘Clone Gremlin zone’ option checked.
Please note that in most cases you will be required to insert the Samsung P1010 RIFF™ MagicCard into the phone’s SD slot before starting resurrection. If you don’t have such a card yet, you can create it on the “Samsung P1010 RIFF™ MagicCard” page of the resurrector settings dialog.
This is the IRAM version of the Samsung P1010 resurrector. We recommend using it only if you had problems connecting to the phone with the normal Samsung P1010 resurrector DLL.

To resurrect Samsung P1010:

  •  Solder JTAG cable to Samsung P1010 JTAG pads;
  •  Insert Samsung P1010 RIFF™ MagicCard into phone’s SD slot;
  •  Connect USB cable to phone and PC;
  •  Insert battery;
  •  Make sure Samsung P1010 is selected in the list of models;
  •  Click Resurrect button;
  •  Wait until the software signals successful completion of the operation;
  •  Disconnect USB cable, de-solder JTAG wires;

Now the phone is in bootable condition, that is, even if it does not start up normally, you can flash it using the original Samsung downloader software to restore it to working state.

To enter download mode:

  •  Disconnect PC cable;
  •  Insert battery;
  •  Hold both ‘Volume Down’ and ‘Home’ keys and press Power-On.
There are two DLLs (Normal and iRAM version). You can use the iRAM version in case the normal one doesn’t work properly. The iRAM version is much slower, but more robust.
CDMA Models added today:
  • ZTE AC2766
  • ZTE AC2746
  • AnyData ADU555C
Please click “Check for Updates” button in order to download and install new updates.

RIFF JTAG – Samsung i9003 Galaxy SL Unbrick, Boot repair supported

28.10.2011  Samsung i9003 Galaxy SL Unbrick, Boot repair supported

Samsung I9003 is based on the OMAP3630 (ARM core is Cortex-A8).
Note: one simple way to connect over JTAG is to connect the USB cable to the PC and insert the battery. In this case the phone is powered on automatically. But note that in very rare cases you may have to hold the Power On key during the initial connection.
If after resurrection (after you have tried both boot versions) download mode is not initiated (LCD remains blank), repeat the resurrection with the ‘Clone Gremlin zone’ option checked.
Please note that in most cases you will be required to insert the Samsung I9003 RIFF™ MagicCard into the phone’s SD slot before starting resurrection. If you don’t have such a card yet, you can create it on the “Samsung I9003 RIFF™ MagicCard” page of the resurrector settings dialog.
Due to some peculiar TrustZone security features of the OMAP3630, the current resurrector may fail to boot: if this happens, use the Samsung I9003 IRAM resurrector, which works much slower but boots without problems.

To resurrect Samsung I9003:

  •  Solder JTAG cable to Samsung I9003 JTAG pads;
  •  Insert Samsung I9003 RIFF™ MagicCard into phone’s SD slot;
  •  Connect USB cable to phone and PC;
  •  Insert battery;
  •  Make sure Samsung I9003 is selected in the list of models;
  •  Click Resurrect button;
  •  Wait until the software signals successful completion of the operation;
  •  Disconnect USB cable, de-solder JTAG wires;

Now the phone is in bootable condition, that is, even if it does not start up normally, you can flash it using the original Samsung downloader software to restore it to working state.

To enter download mode:

  •  Disconnect PC cable;
  •  Insert battery;
  •  Hold both ‘Volume Down’ and ‘Home’ keys and press Power-On.

RIFF JTAG – Samsung Galaxy II, OMAP4430 version supported (Samsung i9100G, Samsung i9108)

07.10.2011    Samsung Galaxy II, OMAP4430 version supported (Samsung i9100G, Samsung i9108)

Samsung I9108 is based on the OMAP4430 Processor (Cortex-A9 Dual-Core). The JTAG pads are very small; professional soldering experience is required to connect wires to the JTAG interface. There is a big variety of Galaxy II versions: GT-I9100, GT-I9100G, GT-I9100L, GT-I9100M, GT-I9100T, GT-I9101, GT-I9103, GT-I9108, GT-I9188, and maybe more. Some of them are based on a different hardware platform, the Samsung S5PV310 (Cortex-A9 Dual-Core). So make sure first which exact hardware version you have on hand.

Note: one simple way to connect over JTAG is to connect the USB cable to the PC and insert the battery. In this case the phone is powered on automatically.
The current DLL is still a beta. It will work only with phones which have a killed X-Loader.

To resurrect Samsung I9108:

  •  Solder JTAG cable to Samsung I9108 JTAG pads;
  •  Connect USB cable to phone and PC;
  •  Insert battery;
  •  Make sure Samsung I9108 is selected in the list of models;
  •  Make sure a fixed TCK frequency is selected;
  •  Click Resurrect button;
  •  Wait until the software signals successful completion of the operation;
  •  Disconnect USB cable, de-solder JTAG wires;

Now the phone is in bootable condition, that is, even if it does not start up normally, you can flash it using the original Samsung downloader software to restore it to working state.

To enter download mode:

  •  Disconnect PC cable;
  •  Insert battery;
  •  Hold both ‘Volume Down’ and ‘Home’ keys and press Power-On.

RIFF JTAG – JTAG Manager v1.36, RIFF Box firmware v1.27, GDB Server v1.05 released

07.10.2011   JTAG Manager v1.36, RIFF Box firmware v1.27 released

What’s new:

JTAG Manager 1.36
—————————
– Added fast presets for automatic selection of settings for the most common operations on the DCC Read/Write page.
To use them, click the Settings by Code button, select a desired preset from the list and then click Apply Settings.
For example, if the user selects “Write Full Image into NAND memory”, the valid settings on the DCC Read/Write page
for writing full images into devices with NAND memory will be selected automatically.
– Fixed a serious bug which caused resurrector DLLs that upload data into RAM to upload broken data.
For example, DLLs which start Download Mode directly use this feature.
– Added a feature to accept the text name of the memory chip from the DCC Loader and display it (currently used to display the eMMC memory product name)
– Fixed a bug in resuming an interrupted DCC Read: if the currently cached file size was greater than 2GB
(that is, if the read was interrupted at a point where more than 2GB of data had already been read), the new data was not appended to the end of the readout file; instead the file was corrupted.
– Fixed a bug in saving big files (after reading on the DCC Read/Write page): if the size exceeded 0x7FFFFFFF bytes, JTAG Manager showed a “no free disk space” error.
– Added TEGRA2 chipset selection in the Target list
– Fixed an issue with the resurrection progress bar: in some cases during resurrection operations the progress bar would always stay at 0%.

Firmware 1.27
—————————
– Added TEGRA2 debugging support (dual-core Cortex-A9)
– Added new breakpoint type: “address mismatch”, which allows genuine single-stepping on Cortex-A8/A9 (CoreSight) targets
(thus GDB Server can now perform low-level single step commands)

RIFF GDB Server v1.05
—————————–
– Added Thumb2 instructions CBNZ and CBZ for single stepping
– Added more Thumb2 32-bit branch instructions for single stepping
– Added CoreSight low-level single-stepping support (at least RIFF BOX Firmware v1.27 is required)
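
To show what the CBZ/CBNZ single-stepping entry involves, here is an added example (written for this page, not RIFF GDB Server code): a stepper that plants a temporary breakpoint on the next instruction must compute where a CBZ/CBNZ will go, which depends on the current value of Rn. The decoder follows the 16-bit Thumb-2 T1 encoding (1011 op 0 i 1 imm5 Rn, target = PC + 4 + i:imm5:0); the function names, register values and addresses are constructed for the example.

```python
def decode_cb(halfword: int):
    """Decode a 16-bit Thumb-2 CBZ/CBNZ (T1 encoding: 1011 op 0 i 1 imm5 Rn).

    Returns (mnemonic, rn, byte_offset), or None when the halfword is not a
    compare-and-branch instruction.
    """
    # Fixed bits: [15:12] = 1011, bit 10 = 0, bit 8 = 1.
    if (halfword & 0xF500) != 0xB100:
        return None
    op = (halfword >> 11) & 1          # 0 = CBZ, 1 = CBNZ
    i = (halfword >> 9) & 1
    imm5 = (halfword >> 3) & 0x1F
    rn = halfword & 0x7                # only r0-r7 are encodable
    offset = (i << 6) | (imm5 << 1)    # imm32 = ZeroExtend(i:imm5:'0'), 0..126
    return ("CBNZ" if op else "CBZ", rn, offset)


def encode_cb(mnemonic: str, rn: int, offset: int) -> int:
    """Inverse of decode_cb; used here to build the constructed sample words."""
    if mnemonic not in ("CBZ", "CBNZ") or not 0 <= rn <= 7:
        raise ValueError("CBZ/CBNZ take r0-r7 only")
    if offset % 2 or not 0 <= offset <= 126:
        raise ValueError("offset must be even and in 0..126")
    op = 1 if mnemonic == "CBNZ" else 0
    i, imm5 = (offset >> 6) & 1, (offset >> 1) & 0x1F
    return 0xB100 | (op << 11) | (i << 9) | (imm5 << 3) | rn


def next_pc_after_cb(pc: int, halfword: int, regs: dict) -> int:
    """Address the core executes after the CBZ/CBNZ at `pc`, given the register
    file `regs` (r0..r7 -> value). A single-stepper without hardware step
    support would plant its temporary breakpoint at this address."""
    decoded = decode_cb(halfword)
    if decoded is None:
        raise ValueError(f"0x{halfword:04X} is not CBZ/CBNZ")
    mnemonic, rn, offset = decoded
    zero = (regs[rn] & 0xFFFFFFFF) == 0
    taken = zero if mnemonic == "CBZ" else not zero
    # Thumb reads PC as the instruction address + 4 for this encoding;
    # not taken falls through to the next 16-bit instruction.
    return pc + 4 + offset if taken else pc + 2


if __name__ == "__main__":
    word = encode_cb("CBZ", 1, 8)              # constructed: cbz r1, +8
    for r1 in (0, 5):
        print(f"0x{word:04X} at 0x8000 with r1={r1}: "
              f"next PC 0x{next_pc_after_cb(0x8000, word, {1: r1}):04X}")
```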

RIFF JTAG – Samsung i997 infuse 4g Unbrick, Boot repair supported

07.10.2011   Samsung i997 infuse 4g Unbrick, Boot repair supported

Samsung I997 is based on the S5PCxxx Processor (ARM core is Cortex-A8).
Note: one simple way to connect over JTAG is to connect the USB cable to the PC and insert the battery. In this case the phone is powered on automatically. But note that in very rare cases you may have to hold the Power On key during the initial connection.
If after resurrection (after you have tried both boot versions) download mode is not initiated (LCD remains blank), repeat the resurrection with the ‘Clone Gremlin zone’ option checked.

To resurrect Samsung I997:

  •  Solder JTAG cable to Samsung I997 JTAG pads;
  •  Connect microUSB cable to phone and PC;
  •  Insert battery;
  •  Make sure Samsung I997 is selected in the list of models;
  •  Make sure a fixed TCK frequency is selected;
  •  Click Resurrect button;
  •  Wait until the software signals successful completion of the operation;
  •  Disconnect USB cable, de-solder JTAG wires;

Now the phone is in bootable condition, that is, even if it does not start up normally, you can flash it using the original Samsung downloader software to restore it to working state.

To enter download mode:

  •  Disconnect PC cable;
  •  Insert battery;
  •  Hold both ‘Volume Down’ and ‘Home’ keys and press Power-On.

RIFF JTAG – Samsung Anycall m110s Unbrick, Dead boot repair supported

30.09.2011  Samsung Anycall m110s Unbrick, Dead boot repair supported

Samsung M110S is based on the S5PCxxx Processor (ARM core is Cortex-A8).
Note: one simple way to connect over JTAG is to connect the USB cable to the PC and insert the battery. In this case the phone is powered on automatically. But note that in some cases you may have to hold the Power On key during the initial connection.
If after resurrection (after you have tried both boot versions) download mode is not initiated (LCD remains blank), repeat the resurrection with the ‘Clone Gremlin zone’ option checked.

To resurrect Samsung M110S:

  •  Solder JTAG cable to Samsung M110S JTAG pads;
  •  Connect USB cable to phone and PC;
  •  Attach battery connector;
  •  Make sure Samsung M110S is selected in the list of models;
  •  Make sure a fixed TCK frequency is selected;
  •  Click Resurrect button;
  •  Wait until the software signals successful completion of the operation;
  •  Disconnect USB cable, de-solder JTAG wires;

Now the phone is in bootable condition, that is, even if it does not start up normally, you can flash it using the original Samsung downloader software to restore it to working state.

To enter download mode:

  •  Disconnect PC cable;
  •  Insert battery;
  •  Hold both ‘Volume Down’ and ‘Home’ keys and press Power-On.

RIFF JTAG – Samsung Wave II S8530 Unbrick, Boot repair supported

30.09.2011  Samsung Wave II S8530 Unbrick, Boot repair supported

Samsung S8530 PDA is based on the S5PCxxx Processor (ARM core is Cortex-A8).
You will have to carefully scratch off the covering mask in order to access the copper surface of the JTAG pads.
Note: one simple way to connect over JTAG is to connect the USB cable to the PC and insert the battery. In this case the phone is powered on automatically, so there is no need to press any power-on buttons on the phone keypad.

To resurrect Samsung S8530:

  •  Solder JTAG cable to Samsung S8530 JTAG pads;
  •  Connect USB cable to phone and PC;
  •  Insert battery;
  •  Make sure Samsung S8530 is selected in the list of models;
  •  Make sure a fixed TCK frequency is selected;
  •  Click Resurrect button;
  •  Wait until the software signals successful completion of the operation;
  •  Disconnect USB cable, de-solder JTAG wires;

Now the phone is in bootable condition, that is, even if it does not start up normally, you can flash it using the original Samsung downloader software to restore it to working state. We used MultiLoader version 5.64.

To enter download mode:

  •  Disconnect PC cable;
  •  Insert battery;
  •  Hold both ‘Volume Down’ (from the left side of phone) and ‘Hold’ (right side at top) keys and press Power-On.

RIFF JTAG – Samsung Galaxy Tab M180s Unbrick – Boot Repair supported

03.08.2011     Samsung Galaxy Tab M180s Unbrick – Boot Repair supported

Samsung M180S is based on the S5PCxxx Processor (ARM core is Cortex-A8).
Note: one simple way to connect over JTAG is to connect the USB cable to the PC and insert the battery. In this case the phone is powered on automatically. But note that in some cases you may have to hold the Power On key during the initial connection.
If after resurrection (after you have tried both boot versions) download mode is not initiated (LCD remains blank), repeat the resurrection with the ‘Clone Gremlin zone’ option checked.

To resurrect Samsung M180S:

  •  Solder JTAG cable to Samsung M180S JTAG pads;
  •  Connect USB cable to phone and PC;
  •  Attach battery connector;
  •  Make sure Samsung M180S is selected in the list of models;
  •  Make sure a fixed TCK frequency is selected;
  •  Click Resurrect button;
  •  Wait until the software signals successful completion of the operation;
  •  Disconnect USB cable, de-solder JTAG wires;

Now the phone is in bootable condition, that is, even if it does not start up normally, you can flash it using the original Samsung downloader software to restore it to working state.

To enter download mode:

  •  Disconnect PC cable;
  •  Insert battery;
  •  Hold both ‘Volume Down’ and ‘Home’ keys and press Power-On.
Please click the “Check For Updates” button in order to download and apply the new files. Closing all running applications before starting the update process is recommended.

RIFF JTAG – Samsung I9100 Galaxy S II Unbrick – Boot repair supported, World First ! ! !

29.07.2011     Samsung I9100 Galaxy S II Unbrick – Boot repair supported, World First ! ! !

Samsung I9100 is based on the S5PV310 (Exynos 4210) Processor (Cortex-A9 Dual-Core).

The JTAG pads are very small; professional soldering experience is required to connect wires to the JTAG interface. There is a big variety of Galaxy II versions: GT-I9100, GT-I9100G, GT-I9100L, GT-I9100M, GT-I9100T, GT-I9101, GT-I9103, GT-I9108, GT-I9188, and maybe more. Some of them are based on a different hardware platform, the OMAP4430 (Cortex-A9 Dual-Core). So make sure first which exact hardware version you have on hand.
Note: one simple way to connect over JTAG is to connect the USB cable to the PC and insert the battery. In this case the phone is powered on automatically.
The phone has the following boot sequence: ROM → FBL → IBL → PBL → SBL. The current resurrector restores the Partition Table (PIT) and SBL zones, which are located in the iNAND (eMMC) memory. Write access to the memory which contains the FBL, IBL and PBL loaders is not currently supported, but if your phone has these loaders damaged, you can choose the “Initiate Download Mode” way of resurrection in order to put the phone directly into Download Mode.

To resurrect Samsung I9100:

  •  Solder JTAG cable to Samsung I9100 JTAG pads;
  •  Connect USB cable to phone and PC;
  •  Insert battery;
  •  Make sure Samsung I9100 is selected in the list of models;
  •  Make sure a fixed TCK frequency is selected;
  •  Click Resurrect button;
  •  Wait until the software signals successful completion of the operation;
  •  Disconnect USB cable, de-solder JTAG wires;

Now the phone is in bootable condition, that is, even if it does not start up normally, you can flash it using the original Samsung downloader software to restore it to working state.

To enter download mode:

  •  Disconnect PC cable;
  •  Insert battery;
  •  Hold both ‘Volume Down’ and ‘Home’ keys and press Power-On.
Please click the “Check For Updates” button in order to download and apply the new files. Closing all running applications before starting the update process is recommended.