RIFF JTAG – STB Orton 4100C Unbrick supported

06.04.2012    RIFF JTAG – STB Orton 4100C Unbrick supported

Repairing a bricked Orton 4100C is easy with the RIFF Box. The receiver is based on the ALI M3329C processor and powers on as soon as the power plug is attached. If the connection process stops at “Establish communication with the phone…”, just reset the receiver’s power.
The current resurrector contains the Boot, Firmware and Data zones, which together make up the complete contents of the 2Mb SPI serial memory chip.
Please note: to enable JTAG, make sure the JP1 jumper on the board is not shorted. Sometimes you may also need to disconnect the front LED panel interface cable from the board (13-pin connector). After resurrection, do not forget to solder the resistor back or short the JP1 jumper.
To resurrect Orton 4100C:

  •  Solder JTAG cable to Orton 4100C JTAG pads;
  •  Make sure Orton 4100C is selected in the list of models;
  •  Connect power;
  •  Click Resurrect button;
  •  Choose which areas to flash;
  •  Wait till software signals a successful operation completion;
  •  De-solder JTAG wires;

The receiver is now in bootable condition: even if it does not start up normally, you can flash it via UART using known flashing methods. Alternatively, run the resurrection with the full clone resurrect option checked; this rewrites the entire flash memory contents.

RIFF JTAG – STB EuroSky ES-4100 Unbrick supported

06.04.2012   RIFF JTAG – STB EuroSky ES-4100 Unbrick supported

Repairing a bricked EuroSky ES-4100 is easy with the RIFF Box. The receiver is based on the ALI M3329C processor and powers on as soon as the power plug is attached. If the connection process stops at “Establish communication with the phone…”, just reset the receiver’s power.
The current resurrector contains the Boot, Firmware and Data zones, which together make up the complete contents of the 2Mb SPI serial memory chip.
Please note: to enable JTAG, make sure the JP1 jumper on the board is not shorted; desolder resistor R65. Sometimes you may also need to disconnect the front LED panel interface cable from the board (13-pin connector). After resurrection, do not forget either to solder the resistor back or to short the JP1 jumper.

To resurrect EuroSky ES-4100:

  •  Solder JTAG cable to EuroSky ES-4100 JTAG pads;
  •  Make sure EuroSky ES-4100 is selected in the list of models;
  •  Connect power;
  •  Click Resurrect button;
  •  Choose which areas to flash;
  •  Wait till software signals a successful operation completion;
  •  De-solder JTAG wires;

The STB is now in bootable condition: even if it does not start up normally, you can flash it via UART using known flashing methods. Alternatively, run the resurrection with the full clone resurrect option checked; this rewrites the entire flash memory contents.

RIFF JTAG – LinkSys WRT54G Router unbrick supported

06.04.2012 RIFF JTAG – LinkSys WRT54G Router unbrick supported
Repairing a bricked LinkSys WRT54GL is easy with the RIFF Box. The router powers on as soon as the power plug is attached. If the connection process stops at “Establish communication with the phone…”, just reset the router’s power.
The current resurrector contains the Boot, Configuration and Firmware zones for the memory chip with ID 0x00C2/0x22A8.

To resurrect LinkSys WRT54GL:

  •  Solder JTAG cable to LinkSys WRT54GL JTAG pads;
  •  Insert USB Data cable into board and PC;
  •  Make sure LinkSys WRT54GL is selected in the list of models;
  •  Click Resurrect button;
  •  Choose which areas to flash;
  •  Wait till software signals a successful operation completion;
  •  De-solder JTAG wires;

The router is now in bootable condition: even if it does not start up normally, you can flash it via UART using known flashing methods. Alternatively, run the resurrection with the full clone resurrect option checked; this rewrites the entire flash memory contents.

RIFF JTAG – Direct JTAG Access to Flash Memory Plugin v1.01, TEGRA2 eMMC Supported

28.12.2011   Direct JTAG Access to Flash Memory Plugin v1.01, TEGRA2 eMMC Supported
What’s new:

  •  Added MSM6500
  •  Added TEGRA2 eMMC controller #2 support
  •  Added partition access selection for eMMC devices
  • Fixed AutoFlash Size bug for eMMC devices

Important info:

TEGRA 2 can be connected via the CORTEX or ARM7 cores. In some cases, where the CORTEX core is in sleep mode, only the ARM7 core can be accessed, which still allows access to the shared memory space. Restoring the Boot partitions via the ARM7 core will enable access to the CORTEX core after a power reset.

RIFF JTAG – Direct JTAG Access to Flash Memory Plugin v1.00 released

16.12.2011 Direct JTAG Access to Flash Memory Plugin v1.00

Release info:

This plugin performs direct access to the flash memory used in the selected target. No DCC Loader is used, so it is completely independent of the target hardware implementation (RAM memory availability, visibility, addressing and layout, core clocking, etc.). The main disadvantage is a noticeable decrease in data exchange speed compared to the DCC Loader (approximately 10…20 times slower).

With the help of this plugin you can do:

  • Read selected flash memory range;
  • Write selected flash memory range;
  • Erase selected flash memory range.

Currently supported memory controllers are:

  • OneNAND Memory (connected directly to the MCU’s address space);
  • CFI Compliant NOR Memory with CFI Command sets 0x0001, 0x0002, 0x0200 and 0x0003;
  • NAND Controller in MSM6250, MSM6250A;
  • NAND Controller in QSC6055, QSC6085, QSC6240, QSC6270;
  • NAND Controller in MDM6085, MDM6200, MDM6600;
  • NAND Controller in MSM6245, MSM6246, MSM6270, MSM6275, MSM6280, MSM6280A, MSM6281, MSM6290, MSM6800A, MSM6801A;
  • NAND Controller and OneNAND Controller in MSM7225, MSM7227, MSM7625, MSM7627;
  • NAND Controller in MSM7200, MSM7200A, MSM7201A, MSM7500, MSM7500A, MSM7501A, MSM7600;
  • NAND Controller in QSD8250, QSD8650;
  • eMMC Controller #2 in MSM7230, MSM8255, MSM8255T;
  • eMMC Controller #0 in S5PV310;


Currently supported chipsets and cores for JTAG I/O operations:

  • Generic ARM Cores: ARM7, ARM9 (ARM920, ARM926, ARM946), ARM11, CORTEX-A8, CORTEX-A9;
  • Qualcomm QSC Family: QSC1100, QSC1110, QSC6010, QSC6020, QSC6030, QSC6055, QSC6085, QSC6240, QSC6270;
  • Qualcomm MSM Family: MSM6000, MSM6150, MSM6245, MSM6246, MSM6250, MSM6250A, MSM6260, MSM6275, MSM6280, MSM6280A, MSM6281, MSM6800A, MSM6801A, MSM6290, MSM7225, MSM7227, MSM7625, MSM7627, MSM7230, MSM8255, MSM8255T, MSM8260;
  • Qualcomm QSD Family: QSD8250, QSD8650;
  • Qualcomm ESM Family: ESM7602A;
  • Qualcomm MDM Family: MDM6085, MDM6200, MDM6600;
  • OMAP Family: OMAP1710, OMAP3430, OMAP3630, OMAP4430;
  • NVIDIA Family: TEGRA2;
  • Marvell/XScale Family: PXA270, PXA271, PXA272, PXA310, PXA312, PXA320.
  • Samsung Processors: S5P6422, S5PV310.

The memory reading/programming logic is almost the same as on the DCC Read/Write page in the JTAG Manager: Main and Spare fields, Auto FullFlash size detection, the ability to flash image files (for NAND), etc. Users familiar with the DCC Read/Write page features will need to learn almost nothing new in order to use this plugin. It also means that data files read from memory by this plugin (partial or full flash image) can be flashed back through the DCC Read/Write page, and vice versa.
Here it is the user’s task to know the following about the target: which exact MCU is used in the device, what memory is used (NAND, OneNAND, NOR, eMMC/SD, MDOC or other), and which component of the target system can see this memory (for example, NAND memory is usually visible to the MCU’s Embedded Memory Controller, while NOR is directly accessible by the MCU itself; OneNAND memory is in most cases directly accessible by the MCU, but sometimes it is visible via the MCU’s Embedded Memory Controller).

Please note main differences with the DCC Read/Write methods:

  • Exact chipset (MCU) name selection is required;
  • Memory type selection is required (for example: NAND or NOR memory);
  • Which component of target system can see this memory (for example: MCU itself or MCU’s Embedded Memory Controller): the ‘Memory Type & Host’ setting;
  • Memory Controller Mode is introduced here (on the DCC Read/Write page in the JTAG Manager, the Memory Controller Mode was chosen automatically depending on the ROMi Address Space selected). Many Qualcomm NAND Controllers are widely configurable: for example, they allow firmware to select any desired position of the bad block marker byte inside the NAND page’s main or spare area, and on reads/writes this byte is handled by the controller itself, making it ‘invisible’ in the NAND page data. Reading NAND with a configuration different from the one the manufacturer used to write data into this NAND memory (firmware, for example) will therefore result in 1 byte being erroneously read or lost. In many cases (by many manufacturers) the default bad block marker position is configured at offset 0x01D1 in the page’s main area; the abbreviated Memory Controller Mode shown in the list for this is “M:0200/S:10/BM:01D1”, meaning the NAND controller is configured for a main area of 0x0200 bytes, a spare area of 0x0010 bytes, and a bad block marker position in the main area (BM) at offset 0x01D1 (BM:01D1). The other most common case is a bad block marker at position 0x0006 in the spare area; the abbreviated Memory Controller Mode shown in the list for this is “M:0200/S:10/BS:0006”, meaning the NAND controller is configured for a main area of 0x0200 bytes, a spare area of 0x0010 bytes, and a bad block marker position in the spare area (BS) at offset 0x0006 (BS:0006);
  • During NAND read operations, if ECC Module Enable is checked, the ECC status is checked too. Make sure to disable ECC checks during reads unless you need them for an advanced operation.
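
The mode abbreviation and the effect of a mismatch, as an added example (not RIFF Box code): it parses strings such as “M:0200/S:10/BM:01D1” and runs a simplified model in which the controller hides exactly the byte at the configured marker offset. The model, the names (ControllerMode, parse_mode, controller_write, controller_read, read_with) and the sample page are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Mode strings as shown in the list, e.g. "M:0200/S:10/BM:01D1" (all fields hex).
MODE_RE = re.compile(
    r"^M:([0-9A-Fa-f]{4})/S:([0-9A-Fa-f]{2})/B([MS]):([0-9A-Fa-f]{4})$")

@dataclass(frozen=True)
class ControllerMode:
    main_size: int      # bytes in the page's main area
    spare_size: int     # bytes in the page's spare area
    marker_area: str    # "M" = marker in main area, "S" = marker in spare area
    marker_offset: int  # offset of the marker inside that area

    @property
    def raw_page_size(self) -> int:
        return self.main_size + self.spare_size

    @property
    def marker_raw_offset(self) -> int:
        """Marker position counted from the start of the raw page."""
        base = 0 if self.marker_area == "M" else self.main_size
        return base + self.marker_offset

def parse_mode(text: str) -> ControllerMode:
    m = MODE_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a Memory Controller Mode string: {text!r}")
    main, spare, area, offset = m.groups()
    mode = ControllerMode(int(main, 16), int(spare, 16), area, int(offset, 16))
    limit = mode.main_size if area == "M" else mode.spare_size
    if mode.marker_offset >= limit:
        raise ValueError(f"marker offset outside its area: {text!r}")
    return mode

def controller_write(mode: ControllerMode, data: bytes, marker: int = 0xFF) -> bytes:
    """Assumed model: the controller stores the marker at its configured raw
    offset and lays the caller's data out around it."""
    if len(data) != mode.raw_page_size - 1:
        raise ValueError("data must fill the page minus the marker byte")
    pos = mode.marker_raw_offset
    return data[:pos] + bytes([marker]) + data[pos:]

def controller_read(mode: ControllerMode, raw: bytes) -> bytes:
    """Assumed model: the controller hides the byte at its configured offset."""
    if len(raw) != mode.raw_page_size:
        raise ValueError("raw page has the wrong size for this mode")
    pos = mode.marker_raw_offset
    return raw[:pos] + raw[pos + 1:]

def read_with(write_mode: str, read_mode: str, data: bytes):
    """Write with one mode, read with another; return (data_read, differing offsets)."""
    raw = controller_write(parse_mode(write_mode), data)
    got = controller_read(parse_mode(read_mode), raw)
    return got, [i for i, (a, b) in enumerate(zip(data, got)) if a != b]

# Constructed sample page content: 0x20F bytes, none of them equal to 0xFF.
SAMPLE = bytes((i * 7 + 3) % 251 for i in range(0x20F))

if __name__ == "__main__":
    _, diffs = read_with("M:0200/S:10/BM:01D1", "M:0200/S:10/BM:01D1", SAMPLE)
    print("matching mode:  ", len(diffs), "differing bytes")
    got, diffs = read_with("M:0200/S:10/BM:01D1", "M:0200/S:10/BS:0006", SAMPLE)
    print("mismatched mode: marker read as data at", hex(diffs[0]))
```

Under this model, writing with BM:01D1 and reading with BS:0006 returns the marker byte as data at offset 0x01D1, shifts the bytes up to 0x0205 by one position and drops one data byte.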

Short Manual how to Read/Write/Erase memory:

  • Select chipset (MCU) used in the current target (for example MSM6280);
  • Select memory type and its host (MCU or MCU’s Embedded Memory Controller);
  • Setup TCK/RTCK frequencies, JTAG I/O Voltage levels, target’s core position on the JTAG scan chain (TAP#);
  • Connect target device to the RIFF BOX, make sure it has power, and click Connect & Flash ID button to ensure target device is connected and selected memory is initialized and visible;
  • All further actions are exactly the same as when using the DCC Read/Write page features.

Most common errors which can happen during direct read/write operations:

  • The NRST signal is neglected by the user. Please take into account that NRST is the most important signal. A system reset lets the debugger (RIFF BOX) put the device into a 100% known hardware state, which guarantees that the MCU memory controller selected by the user is configured as it should be and that memory access is established successfully;
  • Cannot connect to the selected memory (Connect & Flash ID): check the NRST signal; check the Reset Method in settings; make sure the proper MCU, memory type and controller are selected in settings; if NOR or directly accessible OneNAND memory is selected, make sure a valid memory base is set;
  • “Resetting and Halting Target…” fails: make sure the device is powered and the power on key (if present) is pressed during this stage; some devices, like HTCs based on the MSM8255 chipsets, are fused, and JTAG may be enabled only by started firmware, so you may need to vary the Reset Method settings: disable reset altogether (which is not desirable, though) or increase the waiting time between the system reset by NRST signal assertion and the attempt to HALT the core (for fused HTCs based on MSM8255 this is 670 ms and more);

RIFF JTAG – HTC Wizard 200 Unbrick – Boot repair supported

25.08.2011  HTC Wizard 200 Unbrick – Boot repair supported

Resurrection of HTC Wizard 200 is simple. Battery must be connected in order to establish JTAG connection.
Current resurrector works with devices based on G4 MDOC chip.
Resurrector can repair IPL and SPL areas (which areas to repair you can select in popup window).
Please note: DiskOnChip G4 memory has security features, due to which there is a risk of permanently blocking access to the flash memory while re-flashing the IPL area. Be very careful not to interrupt the IPL repair process (if you have selected the IPL area to be repaired).
In case your device has permanently blocked MDOC memory you will see this error:

****************************************************************
Detected a Not Initialized FLASH1 Chip ID: 0x0400/0xFBFF
ERROR: Selected FLASH Chip was not initialized by the DCC Loader
****************************************************************
This can happen because unknown protection keys are used or because the MDOC chip is permanently blocked. If the latter is true, we advise you to solder a new flash memory chip or throw this phone away in the trash bin.
To resurrect HTC Wizard:

  •  Solder JTAG cable to HTC Wizard JTAG pads;
  •  Insert battery and connect USB cable to phone and PC;
  •  Make sure HTC Wizard is selected in the list of models;
  •  Press Power On key
  •  Click Resurrect button;
  •  Wait till software signals a successful operation completion;
  •  Disconnect USB cable, de-solder JTAG wires;

Now phone is in bootable condition, that is, even if it does not start up normally, you can flash it using known flashing methods.
To enter download mode:

  •  Disconnect PC cable;
  •  Insert battery;
  •  Hold ‘Camera’ key and press ‘Power ON’ button.

Please click the “Check For Updates” button in order to download and apply new files. Closing all running applications before starting the update process is recommended.

RIFF JTAG – Qtek 9000 (HTC Universal) Unbrick – Boot repair supported

15.07.2011  Qtek 9000 (HTC Universal) Unbrick – Boot repair supported

The current resurrector works with the Qtek 9000 with the MDOC G3 memory version. A charged battery is required in order to establish a JTAG connection. In some cases you will need to press the power on key while the connection is being initiated.
Please note: if the Download Mode Initiation resurrection way is selected in the resurrector popup settings window, the battery must be charged enough for the phone to enter download mode.

Current resurrector offers 2 ways to resurrect the phone:

  •  WAY1: Writing SPL code directly into the MDOC memory (2 hardware versions of the Qtek 9000 exist: boards with G4-type MDOC memory and boards with G3-type MDOC memory; the current resurrector contains a DCC Loader for G3 MDOC memory, so for the G4 version you need to use another resurrector);
  •  WAY2: Initiating DOWNLOAD MODE without touching MDOC contents;

MDOC G3 memory has security features, due to which there is a risk of permanently blocking access to the flash memory while re-flashing the IPL loader. The current resurrector will not touch the IPL zone, but it is possible that the device in your hands has already been killed this way. If so, you will see this error:

****************************************************************
Detected a Not Initialized FLASH1 Chip ID: 0x0200/0xFDFF
ERROR: Selected FLASH Chip was not initialized by the DCC Loader
****************************************************************
In this case resurrection of your device is not possible. We advise you to solder a new flash memory chip and then use resurrector with IPL re-flash enabled.
To resurrect Qtek 9000 G3:

  •  Solder JTAG cable to Qtek 9000 G3 JTAG pads;
  •  Insert battery and connect USB cable to phone and PC;
  •  Make sure Qtek 9000 G3 is selected in the list of models;
  •  Click Resurrect button;
  •  In popup window select desired way of resurrection;
  •  Wait till software signals a successful operation completion;
  •  Disconnect USB cable, de-solder JTAG wires;

To enter download mode:

  •  Disconnect PC cable;
  •  Insert battery;
  •  Hold both ‘Light’ key (the one near to the volume slider) and ‘Power On’ key and press with stylus the reset hole-button.

Additional info:

  •  The DiskOnChip G3 memory type has security features. Access to both protected partitions (as IPL loader area) is done using password 00000000.
  •  IPL re-flash is intentionally switched off in this resurrector. While re-flashing the IPL area there is a risk of permanently blocking the memory chip.
  •  Memory consists of two cascaded DiskOnChip (MDOC) G3 chips (IDs are 0x0200; capacity is 64Mb+64Mb), though the current DCC Loader was tested to read/write correctly only the SPL zones.

Please click the “Check For Updates” button in order to download and apply new files. Closing all running applications before starting the update process is recommended.

RIFF JTAG – Toshiba Portege G900 Unbrick, Dead Boot repair supported

14.03.2011 Toshiba Portege G900 Unbrick, Dead Boot repair supported

Resurrection of Toshiba Portégé G900 PDA part is not hard. Battery is required for successful HALT operation. If USB Data Cable is connected phone is auto powered on when battery is inserted.
If during connect operation (“Establish communication with the phone…”) after 2-3 passes there is still no success (progress bar keeps running from 0 to 100% and so on) then remove battery and insert it again. If USB cable is not connected then press and hold Power On key.
Current resurrector re-flashes only the EBOOT and secondary EBOOT area, and will not re-write IPL area (though write of this area is supported too).
Please note: DiskOnChip G4 memory has security features, due to which there is a risk of permanently blocking access to the flash memory while re-flashing the IPL areas. The current resurrector will not touch the IPL zone, but it is possible that the device in your hands has already been killed this way. If so, you will see this error:
****************************************************************
Detected a Not Initialized FLASH1 Chip ID: 0x0400/0xFBFF
ERROR: Selected FLASH Chip was not initialized by the DCC Loader
****************************************************************

This can happen because unknown protection keys are used or because the MDOC chip is permanently blocked. If the latter is true, we advise you to solder a new flash memory chip or throw this phone away in the trash bin.

To resurrect Toshiba G900 PDA part:

  • Solder JTAG wires to the Toshiba G900 PDA pads;
  • Connect USB cable to phone and PC;
  • Make sure Toshiba G900 PDA is selected in the list of models;
  • Insert battery and click Resurrect button;
  • Wait till software signals a successful operation completion;
  • Disconnect USB cable, de-solder JTAG wires;

Now phone is in bootable condition, that is, even if it does not start up normally, you can flash it using known flashing methods.

To enter USB download mode:

  • Disconnect PC cable;
  • Insert battery;
  • Hold ‘Left soft’ key (which is exactly above the Dial key) and press ‘Power ON’ button. In a few seconds you should see the red download screen.

To enter SD-card download mode:

  • Disconnect PC cable;
  • Insert battery;
  • Hold ‘D’ key and press ‘Power ON’ button.

Additional info:

  • Phone has DiskOnChip G4 memory type, which has security features. It has two password protected partitions (Password1 = 12345678, Password2 = 00000000);
  • IPL re-flash is not performed in this resurrector on purpose. While re-flashing the IPL area there is a risk of permanently blocking the memory chip.
  • Any write access (Erase or Write) on MDOC NAND memory range 0x00000000 to 0x0017FFFF is rejected by the DCC Loader. For convenience when writing a full image, access to that range does not raise any error: the data is just ignored and reported as if it had been written successfully, so you can still write full image files with ‘Auto FullFlash Size’ checked.
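
Because writes to that range are reported as successful although nothing is written, a full-image write can only be confirmed by reading the flash back and comparing. The check below is an added example (not RIFF Box code) that separates differences inside the skipped range from genuine write failures; it assumes a flat image whose offset 0 maps to MDOC address 0x00000000, and its function names and sample data are constructed for illustration.

```python
# Range the page says the DCC Loader silently skips on Erase/Write (inclusive).
PROTECTED_START = 0x00000000
PROTECTED_END = 0x0017FFFF


def mismatched_ranges(image: bytes, readback: bytes, block: int = 0x200):
    """Compare block by block; return merged inclusive (start, end) ranges that differ."""
    if len(image) != len(readback):
        raise ValueError("image and read-back must be the same length")
    ranges = []
    for off in range(0, len(image), block):
        if image[off:off + block] == readback[off:off + block]:
            continue
        end = min(off + block, len(image)) - 1
        if ranges and ranges[-1][1] + 1 == off:
            ranges[-1][1] = end            # extend the previous range
        else:
            ranges.append([off, end])
    return [tuple(r) for r in ranges]


def verify_full_image(image: bytes, readback: bytes, base: int = 0):
    """Split differences into 'skipped' (inside the protected range, where the
    loader ignored the write) and 'failed' (outside it, a real write failure).
    `base` is the flash address of image offset 0 (assumed 0 for a full image)."""
    skipped, failed = [], []
    for start, end in mismatched_ranges(image, readback):
        start, end = start + base, end + base
        lo, hi = max(start, PROTECTED_START), min(end, PROTECTED_END)
        if lo <= hi:
            skipped.append((lo, hi))
        # The protected range starts at address 0, so only the part above it can fail.
        if end > PROTECTED_END:
            failed.append((max(start, PROTECTED_END + 1), end))
    return {"skipped": skipped, "failed": failed}


def constructed_case():
    """Constructed 2 MiB image and read-back: old content kept in the protected
    range, plus one genuinely bad block outside it."""
    image = bytes([0xA5]) * 0x200000
    readback = bytearray(image)
    readback[:0x180000] = b"\xFF" * 0x180000
    readback[0x1A0000] ^= 0x01
    return image, bytes(readback)


if __name__ == "__main__":
    result = verify_full_image(*constructed_case())
    for kind, ranges in result.items():
        for start, end in ranges:
            print(f"{kind}: 0x{start:08X}-0x{end:08X}")
```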

Please click the “Check For Updates” button in order to download and apply new files. Closing all running applications before starting the update process is recommended.

RIFF JTAG – ASUS P526 Unbrick, Dead Boot repair supported

10.03.2011   ASUS P526 Unbrick, Dead Boot repair supported

Resurrection of ASUS P526 is slightly complicated. JTAG pads are very small and sensitive thus extreme care must be taken when soldering wires to the board. Battery must be connected in order to establish JTAG connection.
Current resurrector re-flashes only the IPL area, and will not re-write MDOC XLOADER area (though write of this area is supported too).
Please note: DiskOnChip G4 memory has security features, due to which there is a risk of permanently blocking access to the flash memory while re-flashing the XLOADER areas. The current resurrector will not touch the XLOADER zone, but it is possible that the device in your hands has already been killed this way. If so, you will see this error:
****************************************************************
Detected a Not Initialized FLASH1 Chip ID: 0x0400/0xFBFF
ERROR: Selected FLASH Chip was not initialized by the DCC Loader
****************************************************************

This can happen because unknown protection keys are used or because the MDOC chip is permanently blocked. If the latter is true, we advise you to solder a new flash memory chip or throw this phone away in the trash bin.

To resurrect ASUS P526:

  • Solder JTAG cable to ASUS P526 JTAG pads;
  • Insert battery and connect USB cable to phone and PC;
  • Make sure ASUS P526 is selected in the list of models;
  • Click Resurrect button;
  • Wait till software signals a successful operation completion;
  • Disconnect USB cable, de-solder JTAG wires;

Now phone is in bootable condition, that is, even if it does not start up normally, you can flash it using known flashing methods.
If the phone does not enter download mode after resurrection, the XLOADER was damaged too, but the memory chip is still usable. In this case repeat the resurrection using RAM Downloader Mode and, when the USB connection is established, reflash the phone with official firmware.

To enter download mode:

  • Disconnect PC cable;
  • Insert battery;
  • Move ‘Lock’ slider down, hold ‘OK’ key (on the left) and press ‘Power ON’ button. In a few seconds you should see the TriColor picture.

Additional info:

  • Phone has DiskOnChip G4 memory type, which has security features. It has two password protected partitions (Password1 = 12345678, Password2 = 00000000);
  • XLOADER re-flash is not performed in this resurrector on purpose. While re-flashing the XLOADER area there is a risk of permanently blocking the memory chip.
  • Any write access (Erase or Write) on MDOC NAND memory range 0x00000000 to 0x0017FFFF is rejected by the DCC Loader.

Please click the “Check For Updates” button in order to download and apply new files. Closing all running applications before starting the update process is recommended.