MIB JITAG

[TT-2016]

I agree, on the software side.
However, I could still shorten or damage the hardware.

Killing RRC and MMX was not that smart...

[TT-2016]

I could extract the BCT from my MMX dump.
How do I get my qboot.bin, is it also a part of the MMX dump?

Flasing via JTAG starting from base address: 4800 0000.
Do I flash the full MMX dump or do I have to cut the BCT off?

Thanks a lot again!

[TT-2016]

qboot seems to be located between 60000 - 70D00

Start and end as well as the middle part of that part of the MMX are very similar to the qboot.bin you provided.

[congo]

A0000 -> qb_recovery.img 262144


120000 -> qb_primary.img 262144


760000 -> mifs-stage1.img 3145728


A60000 -> mifs-stage2.img 48234496


160000 -> eifs.img 6291456


0x03600000 -> efs-system.img 2097152


0x03800000 -> efs-persist.img

Some of my notes.

[KBN]

760000 -> mifs-stage1.img 3145728 need some modifications

[TT-2016]

760000 -> mifs-stage1.img 3145728 need some modifications

What do you mean by this?

I'm manly looking for a way to recover my unit with a broken MMX image.

[Kufik81]

What do you mean by this?

I'm manly looking for a way to recover my unit with a broken MMX image.

Write me pm.

[congo]

Header of the image should contain the word "ANDROID!"
If you use dump from unit then it will be there.
If you use image from software SD then you will need to edit it before use.
Check the first 8 bytes.
They should be "41 4E 44 52 4F 49 44 21". On stock image they are "41 ff 44 ff 4f ff 44 ff".
That's it.

[TT-2016]

@aleka

I tried to follow your steps and got close.
But something is not working...

Do you have an idea?

JTAG connection points:
Bild13.jpg
J-Link pinout:
16.png

JTAG Pin	Function	J-Link Pin
1	TDI	5
2	TCK	9
4	GND	4
6	TMS	7
7	TDO	13
8	Vref	1

tegrarcm command:
010.PNG

Код:

sudo tegrarcm --bct original.bct --bootloader qboot.bin --loadaddr 0x84000000
bct file: original.bct
bootloader file: qboot.bin
load addr 0x84000000
entry addr 0x84000000
device id: 0x7030
uid:  0x015ced07b70ffe12
RCM version: 3.1
downloading miniloader to target at address 0x4000a000 (128916 bytes)...
miniloader downloaded successfully
Chip UID:                0x0000000000000000015ced07b70ffe12
Chip ID:                 0x30
Chip ID Major Version:   0x1
Chip ID Minor Version:   0x3
Chip SKU:                0x90 (t30)
Boot ROM Version:        0x1
Boot Device:             0x6 (SNOR)
Operating Mode:          0x3 (developer mode)
Device Config Strap:     0x0
Device Config Fuse:      0x0
SDRAM Config Strap:      0x2
sending file: original.bct
- 6128/6128 bytes sent
original.bct sent successfully
sending file: qboot.bin
\ 68648/68648 bytes sent
qboot.bin sent successfully

I tried your BCT file and the one I extracted from my own MMX dump.
Same Result in both cases.

After sending the tegrarcm command, I leave the unit untouched (ON) running on 12V.

J-Flash V6.84 output when I try to connect:
000.jpg

Код:

Connecting ...
 - Connecting via USB to probe/ programmer device 0
 - Probe/ Programmer firmware: J-Link V11 compiled Jul 17 2020 16:24:07
 - Device "CORTEX-A9" selected.
 - TotalIRLen = 8, IRPrint = 0x0011
 - JTAG chain detection found 2 devices:
 -  #0 Id: 0x4BA00477, IRLen: 04, CoreSight JTAG-DP
 -  #1 Id: 0x4F1F0F0F, IRLen: 04, ARM7TDMI-S Core
 - Scanning AP map to find all available APs
 - AP[3]: Stopped AP scan as end of AP map has been reached
 - AP[0]: AHB-AP (IDR: 0x44770001)
 - AP[1]: APB-AP (IDR: 0x24770002)
 - AP[2]: JTAG-AP (IDR: 0x14760010)
 - Iterating through AP map to find APB-AP to use
 - AP[0]: Skipped. Not an APB-AP
 - AP[1]: APB-AP found
 - ROMTbl[0][0]: CompAddr: 80001000 CID: B105900D, PID:04-003BB907 ETB
 - ROMTbl[0][1]: CompAddr: 80002000 CID: B105900D, PID:04-003BB906 CTI
 - ROMTbl[0][2]: CompAddr: 80003000 CID: B105900D, PID:04-004BB912 TPIU
 - ROMTbl[0][3]: CompAddr: 80004000 CID: B105900D, PID:04-001BB908 CSTF
 - ROMTbl[0][4]: CompAddr: 80005000 CID: B105900D, PID:04-002BB913 ITM
 - ROMTbl[0][5]: CompAddr: 80006000 CID: B105900D, PID:04-002BB914 SWO
 - ROMTbl[0][6]: CompAddr: 80020000 CID: 20323232, PID:00-00000000 ???
 - TotalIRLen = 8, IRPrint = 0x0011
 - JTAG chain detection found 2 devices:
 -  #0 Id: 0x4BA00477, IRLen: 04, CoreSight JTAG-DP
 -  #1 Id: 0x4F1F0F0F, IRLen: 04, ARM7TDMI-S Core
 -  ERROR: Cortex-A/R-JTAG (connect): Could not determine address of core  debug registers. Incorrect CoreSight ROM table in device?
 - Target interface speed: 1000 kHz (Auto)
 - VTarget = 1.812V
 - TotalIRLen = 8, IRPrint = 0x0011

J-Flash settings:
001.PNG
002.PNG
003.PNG
004.PNG
005.PNG
006.PNG
007.PNG

[aleka]

In flash device info (9 pic) uncheck Automatically detect flash memory and manually chose Spansion S29GL512S, base address: 4800 0000

[TT-2016]

Sorry, for missing this!

I changed the settings, however situation is exactly the same.

011.PNG

During testing I just booted the unit (no tegrarcm and hidden button).
In this state I can connect via JTAG!

Just trying to read a part of the flash 48000000 - 49000000.
The whole flash does not work due to reboot of the unit after ~3 minutes.

[aleka]

You can not write full flash due reboot, but first part of mmx dump have Emergency tool. Due the Emergency tool you can write whole flash.

[TT-2016]

Which hex range from the Original MMX dump would this be?

[aleka]

Which hex range from the Original MMX dump would this be?

I don’t remember and my laptop not with me now, but it seems to me it located at beginning position of MMX dump.

[congo]

// qb_recovery.img 0xA0000
// qb_primary.img 0x120000
// eifs.img 0x600000

[TT-2016]

Still stuck with the situation mentioned above.

error_001.PNG

ROM Table and Corex-9 are missing in the ROM Table.

[onyx4]

HI,
HOW TO PAUSE restart (WATCHDOG) AFTER 2 MINUTES
THANKS A LOT

[congo]

This does not work?
https://cartechnology.co.uk/showthre...6411#pid566411

Regards.

[TT-2016]

No, the solution was for MIB1.
I tried to follow a similar way on my MIB2, but git stuck. I think the NVFlash Version I got is still not the right one.

[chris2011]

Are these BCT files uniqe for each MMX board ?? or are the working if it is same FW on other MMX board ?