Help: JTAG dump of Samsung SGH-I917 (DCC Checksum Error)

  • #1

    Help please.

    What I'm trying to do: JTAG dump of NAND

    == Phone ==
    Phone: Samsung i917
    Mobile OS: Windows Phone 7.5
    Chipset: Qualcomm QSD8250

    == Riffbox ==
    Hardware: RIFF Box v2
    Software: RIFF Box. Version 1.73

    == Setup steps ==
    1. Extracted motherboard from phone
    2. Soldered to JTAG points using 2.5" long pieces of 30AWG magnet wire (all points wired, including VREF, NRST, and TRST)
    3. Soldered to RIFF II adapter board (checked for shorts and verified solder points with conductivity test)
    4. Supply battery pins with 4.1 volts (DC bench power supply)
    5. Press and hold the motherboard power button until it powers on (vibrates on power on + monitor amperage draw)

    Setup picture: Link

    == JTAG Read/Write Panel Output ==
    JTAG TCK Speed: RTCK, Sample at 1 MHz
    MAX sample rate was giving issues.
    Rates less than 80 kHz give memory read timeouts.

    Connect & Get ID result:
    Open serial port...OK
    Connecting to the RIFF Box...OK
    Firmware Version: 1.47 (RIFFBOX2), JTAG Manager Version: 1.73
    Selected Resurrector: [Samsung I917 V1.0.4466.60929]

    Connecting to the dead body...OK
    Set I/O Voltage reads as 3.02V, TCK Frequency is RTCK

    Detected dead body ID: 0x202400E1

    Analyze JTAG Chain result:
    Connecting to the target...OK
    Set I/O Voltage reads as 3.00V, TCK Frequency is RTCK

    Following devices are found on the JTAG chain:
    Device on TAP #0: ID = 0x1BA000E1, IR Length = 0x04 bits
    Device on TAP #1: ID = 0x202400E1, IR Length = 0x04 bits
    Total IR length: 0x0008 bits

    Analizing IDCODE(s) of the JTAG scan chain:
    1. 0x202400E1: Qualcomm QCS8250, H/W Rev. #2

    == DCC Read/Write Panel Output ==
    JTAG TCK Speed: RTCK, Sample at 1 MHz
    Access ROM1 Address Space
    checked: Auto FullFlash Size
    checked: Image File Is Used (Main + Spare Combined into single file)

    Read Memory output:
    Connecting to the dead body...OK
    Detected dead body ID: 0x202400E1 - CORRECT!
    Set I/O Voltage reads as 3.02V, TCK Frequency is RTCK
    Adaptive Clocking RTCK Sampling is: [Sample at 1 MHz]
    Settings Code: 0x25010009000000000000000000000000

    Resurrection sequence started.
    Establish communication with the phone...OK
    Initializing internal hardware configuration...OK
    Uploading resurrector data into memory...OK
    Starting communication with resurrector...FAILED
    ERROR: Wrong DCC data checksum.

    == Direct Memory Programming Plugin Output ==
    Plugin version 1.05
    Chipset (MCU): QSD8250
    Memory Type & Host: NAND (via Chipset)
    JTAG TCK Speed: RTCK, Sample at 1 MHz
    Reset Sequence (Method): RESET, Wait 0ms, HALT at 0
    JTAG I/O Voltage: 2.60V
    TAP#: 0 (have also tried 1)

    Connect & Flash ID Output:
    Selected Target: [QSD8250, 2.60V, TAP0]

    Connecting to the QSD8250 target...OK
    Detected dead body ID: 0x1BA000E1 - IGNORED!
    Set I/O Voltage reads as 2.61V, TCK Frequency is RTCK
    Adaptive Clocking RTCK Sampling is: [Sample at 1 MHz]

    Resetting and Halting target...OK

    R0 = 0xFFFFFFFF R6 = 0xFFFFFFFF R12 = 0xFFFFFFFF
    R1 = 0xFFFFFFFF R7 = 0xFFFFFFFF R13 = 0xFFFFFFFF
    R2 = 0xFFFFFFFF R8 = 0xFFFFFFFF R14 = 0xFFFFFFFF
    R3 = 0xFFFFFFFF R9 = 0xFFFFFFFF R15 = 0xFFFFFFED
    R4 = 0xFFFFFFFF R10 = 0xFFFFFFFF CPSR = 0xFFFFFFFF
    R5 = 0xFFFFFFFF R11 = 0xFFFFFFFF

    Connecting to MCU's NAND Memory Controller...FAILED
    ERROR: Read/Write memory failed during H/W Init.
    == Have also tried ==
    Powering methods tried:
    USB only
    OEM battery only
    USB + OEM battery
    USB + DC power supply 4.1V
    DC power supply only 4.1V
    Have tried pressing and/or holding the power button during connection => doesn't do anything

    Relevant portions of JTAGManager.txt: RIFFBOX - Pastebin.com
    Last edited by foxybox; 10-29-2017, 12:02 AM.
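As an added illustration (not code from the thread, from RIFF Box, or from the poster), this decodes the two IDCODEs listed in the Analyze JTAG Chain output above into their IEEE 1149.1 fields and checks the total IR length. The one-entry JEP106 table is an assumption based on the log's own Qualcomm identification, and describe_chain is a hypothetical helper name.

```python
# Added example, not part of the thread: decode the 32-bit JTAG IDCODE values
# that RIFF Box printed in the "Analyze JTAG Chain" output. The field layout
# is the IEEE 1149.1 IDCODE register.

# JEP106 manufacturer codes as (continuation bank, 7-bit id without parity).
# Assumption: only the entry the log itself names (Qualcomm) is included.
JEP106 = {
    (0, 0x70): "Qualcomm",
}

def decode_idcode(idcode: int) -> dict:
    """Split an IEEE 1149.1 IDCODE into its fields.

    bit 0      : always 1 (a 0 here means the TAP shifted BYPASS, not an IDCODE)
    bits 1-11  : JEP106 manufacturer code (4-bit bank count + 7-bit id)
    bits 12-27 : part number
    bits 28-31 : version / hardware revision
    """
    if idcode in (0x00000000, 0xFFFFFFFF):
        # All-zero or all-one reads usually mean TDO is floating or stuck,
        # i.e. a wiring/level problem rather than a real device.
        return {"valid": False, "reason": "bus stuck %s" % ("low" if idcode == 0 else "high")}
    if idcode & 1 == 0:
        return {"valid": False, "reason": "bit 0 clear: not an IDCODE"}
    mfr = (idcode >> 1) & 0x7FF
    bank, code = mfr >> 7, mfr & 0x7F
    return {
        "valid": True,
        "manufacturer_code": mfr,
        "manufacturer": JEP106.get((bank, code), "unknown (bank %d, 0x%02X)" % (bank, code)),
        "part": (idcode >> 12) & 0xFFFF,
        "version": idcode >> 28,
    }

def describe_chain(idcodes, ir_lengths):
    """Summarise a scan chain the way RIFF Box lists it and total the IR length."""
    lines = []
    for tap, (idc, irlen) in enumerate(zip(idcodes, ir_lengths)):
        d = decode_idcode(idc)
        if d["valid"]:
            lines.append("TAP #%d: 0x%08X -> %s part 0x%04X rev %d (IR %d bits)"
                         % (tap, idc, d["manufacturer"], d["part"], d["version"], irlen))
        else:
            lines.append("TAP #%d: 0x%08X -> INVALID (%s)" % (tap, idc, d["reason"]))
    return lines, sum(ir_lengths)

if __name__ == "__main__":
    # IDCODEs and IR lengths copied from the "Analyze JTAG Chain" output in post #1.
    chain, total_ir = describe_chain([0x1BA000E1, 0x202400E1], [4, 4])
    print("\n".join(chain + ["Total IR length: %d bits" % total_ir]))
```

The version nibble of 0x202400E1 is 2, matching the "H/W Rev. #2" RIFF Box reports, and the all-0xFFFFFFFF register dump from the Direct Memory Programming plugin is exactly the stuck-high pattern the first check flags.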

  • #2
    Vref/Vcc must NOT be connected to RIFF v1/v2 box.
    It looks like a HW problem to me, or badly connected GND/NRST.

    Can this phone power on?
    Can you try connecting TAP1 and selecting ARM9 on the direct access plugin?
    ICQ: 299-912-089
    QQ: 1634811353

    • #3
      Originally posted by Legija
      Vref/Vcc must NOT be connected to RIFF v1/v2 box.
      It looks like a HW problem to me, or badly connected GND/NRST.

      Can this phone power on?
      Can you try connecting TAP1 and selecting ARM9 on the direct access plugin?
      I've tried without VREF connected. Also tried direct wiring (using the rainbow ribbon cable instead of PCB and magnet wires). No luck =/

      Phone powers on fine.

      I'll try the ARM9 access and report back.
      Last edited by foxybox; 10-30-2017, 01:44 AM.

      • #4
        1. Untangle wires.
        2. Make sure that NRST and GND pins are 100% connected
        3. Don't use any fluorescent light source in the near vicinity of RIFF Box and phone (important)
        4. Play with RTCK/TCK settings and values, at some point it must work properly.
        ICQ: 299-912-089
        QQ: 1634811353

        • #5
          3. Don't use any fluorescent light source in near vicinity of RIFF Box and phone (important)
          Ah, the capacitive effect. Would it be sensitive to RF interference as well (wifi, bluetooth, transformers)?

          • #6
            Still no luck.

            Tried directly connecting via rainbow wires.

            Now back to using PCB with shorter 1" long magnetic wire.

            No fluorescent lights nearby.

            Have tried all RTCK sampling settings.

            Setting the JTAG TCK to anything other than RTCK results in body not being detected.

            For direct access plugin, I don't see ARM9 settings. I do see ARM926E, ARM946E, ARM920T, however, they fail.

            • #7
              At this point how do we know it's not a software bug? Is there a debug build of RIFFBOX I can take a look at?

              • #8
                It must work with just TCK set, if connection is ok. RTCK is just optional...

                Direct JTAG settings you can see if you simply switch from "Resurrector Settings" to "Custom JTAG Target settings".
                ICQ: 299-912-089
                QQ: 1634811353

                • #9
                  What settings would you like me to try?

                  The QSD8250 is Qualcomm's SNAPDRAGON S1, in which they used a custom processor. Not sure what instruction set they use (no luck finding the spec sheets).

                  Last edited by foxybox; 11-01-2017, 11:44 AM.

                  • #10
                    I'm taking a look at TDI/TDO with a logic analyzer now, but it's a bit over my head. I can at least provide traces if it'll help debug this.

                    • #11
                      Now I remembered, there was a bad batch of QSD8250 CPUs.
                      They would freeze randomly; maybe that's the problem?

                      Is that phone fully functional, or can it just power on to some point?
                      ICQ: 299-912-089
                      QQ: 1634811353

                      • #12
                        It's fully functional. This is the second phone I'm trying with.

                        • #13
                          Is there anything I can do to help debug this?

                          I have a client at stake, and this is my bottleneck at the moment =/

                          • #14
                            1. Select i917 in resurrector settings.
                            2. Switch to "Custom JTAG Target"
                            3. Switch to JTAG Read/Write TAB
                            4. Click "Connect & get ID"
                            5. Click "Reset the Target"
                            6. Click "Reset the Target"
                            Cut the log and paste it here using code tags.
                            ICQ: 299-912-089
                            QQ: 1634811353

                            • #15
                              Custom JTAG target sampling at RTCK@1MHz

                              Code:
                              [11/1/2017 5:57:09 AM] [START OPERATION_ID = GET_DEVICE_ID]
                              [11/1/2017 5:57:09 AM] Open serial port...OK
                              [11/1/2017 5:57:09 AM] Connecting to the RIFF Box...OK
                              [11/1/2017 5:57:09 AM] Firmware Version: 1.47 (RIFFBOX2), JTAG Manager Version: 1.73
                              [11/1/2017 5:57:09 AM] Selected Custom Target: [ARM926EJ, 3.00V, TAP1]
                              [11/1/2017 5:57:09 AM] 
                              [11/1/2017 5:57:09 AM] Connecting to the ARM926EJ target...OK
                              [11/1/2017 5:57:09 AM] Set I/O Voltage reads as 2.99V, TCK Frequency is RTCK
                              [11/1/2017 5:57:09 AM] 
                              [11/1/2017 5:57:09 AM] Target ID on TAP1: 0x202400E1 - Connected OK
                              [11/1/2017 5:57:09 AM] [FINISH OPERATION_ID = GET_DEVICE_ID]
                              
                              [11/1/2017 5:57:17 AM] [START OPERATION_ID = RESET_TARGET]
                              [11/1/2017 5:57:17 AM] Open serial port...OK
                              [11/1/2017 5:57:17 AM] Connecting to the RIFF Box...OK
                              [11/1/2017 5:57:17 AM] Firmware Version: 1.47 (RIFFBOX2), JTAG Manager Version: 1.73
                              [11/1/2017 5:57:17 AM] Selected Custom Target: [ARM926EJ, 3.00V, TAP1]
                              [11/1/2017 5:57:17 AM] 
                              [11/1/2017 5:57:17 AM] Resetting target...OK
                              [11/1/2017 5:57:17 AM] STATUS: Target is halted.
                              [11/1/2017 5:57:17 AM] 
                              [11/1/2017 5:57:17 AM]   R0 = 0x02001006    R6 = 0x00000000    R12 = 0x55555555
                              [11/1/2017 5:57:17 AM]   R1 = 0xFFFF4C1C    R7 = 0xC3C00200    R13 = 0xC003BF3C
                              [11/1/2017 5:57:17 AM]   R2 = 0x00000000    R8 = 0xF000C544    R14 = 0xFFFF1184
                              [11/1/2017 5:57:17 AM]   R3 = 0x00000000    R9 = 0x00000000    R15 = 0xFFFF1130
                              [11/1/2017 5:57:17 AM]   R4 = 0xC003BF64   R10 = 0x00000001   CPSR = 0x600000D3
                              [11/1/2017 5:57:17 AM]   R5 = 0xC0035D80   R11 = 0x00000000
                              [11/1/2017 5:57:17 AM] [FINISH OPERATION_ID = RESET_TARGET]
                              
                              [11/1/2017 5:57:20 AM] [START OPERATION_ID = RESET_TARGET]
                              [11/1/2017 5:57:20 AM] Open serial port...OK
                              [11/1/2017 5:57:20 AM] Connecting to the RIFF Box...OK
                              [11/1/2017 5:57:20 AM] Firmware Version: 1.47 (RIFFBOX2), JTAG Manager Version: 1.73
                              [11/1/2017 5:57:20 AM] Selected Custom Target: [ARM926EJ, 3.00V, TAP1]
                              [11/1/2017 5:57:20 AM] 
                              [11/1/2017 5:57:20 AM] Resetting target...OK
                              [11/1/2017 5:57:20 AM] STATUS: Target is halted.
                              [11/1/2017 5:57:20 AM] 
                              [11/1/2017 5:57:20 AM]   R0 = 0x02001006    R6 = 0x00000000    R12 = 0x55555555
                              [11/1/2017 5:57:20 AM]   R1 = 0xFFFF4C1C    R7 = 0xC3C00200    R13 = 0xC003BF3C
                              [11/1/2017 5:57:20 AM]   R2 = 0x00000000    R8 = 0xF000C544    R14 = 0xFFFF1184
                              [11/1/2017 5:57:20 AM]   R3 = 0x00000000    R9 = 0x00000000    R15 = 0xFFFF1130
                              [11/1/2017 5:57:20 AM]   R4 = 0xC003BF64   R10 = 0x00000001   CPSR = 0x600000D3
                              [11/1/2017 5:57:20 AM]   R5 = 0xC0035D80   R11 = 0x00000000
