MIB JTAG
I will test this other solution 1st.
By pressing this button during turning the unit on for 10s you are supposed to get into an emergency mode via the USB interface.
Using nvflash you are supposed to be able to flash MMX as well?
Just in case I will also get a JTAG.
Luckily I have a backup of my MMX.
In that case I have to create my own cutoff of MMX dump in 0 to 17EF addresses, right?
The file you provided is just in case I do not have anything, right?
But qboot.bin I would take the one you provided?
Header of the image should contain the word "ANDROID!"
If you use dump from unit then it will be there.
If you use image from software SD then you will need to edit it before use.
Check the first 8 bytes.
They should be "41 4E 44 52 4F 49 44 21". On stock image they are "41 ff 44 ff 4f ff 44 ff".
That's it.
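The header check described in the post above, as an added example that is not part of the original thread: it classifies the first 8 bytes of an image and restores "ANDROID!" in a copy only when they match the masked stock pattern quoted above. The function names and file names are illustrative assumptions.

```python
import shutil
import tempfile
from pathlib import Path

MAGIC = bytes.fromhex("414E44524F494421")   # "ANDROID!", the header the post requires
MASKED = bytes.fromhex("41ff44ff4fff44ff")  # stock SD-image header quoted in the post


def classify_header(head: bytes) -> str:
    """Classify the first 8 bytes of an image as 'ok', 'masked' or 'unknown'."""
    if head[:8] == MAGIC:
        return "ok"
    if head[:8] == MASKED:
        return "masked"
    return "unknown"


def prepare_image(src: Path, dst: Path) -> str:
    """Copy src to dst and restore the magic if src has the masked stock header.

    Returns the classification of the source header. The source file is never
    modified, and a header that is neither known form is refused, so an
    unrelated file is not silently turned into something that looks flashable.
    """
    with src.open("rb") as f:
        state = classify_header(f.read(8))
    if state == "unknown":
        raise ValueError(f"{src}: unexpected header, refusing to patch")
    shutil.copyfile(src, dst)
    if state == "masked":
        with dst.open("r+b") as f:
            f.write(MAGIC)  # overwrites bytes 0..7 only, payload untouched
    return state


if __name__ == "__main__":
    # Constructed sample: masked header followed by dummy payload bytes.
    with tempfile.TemporaryDirectory() as d:
        src, dst = Path(d) / "stock.img", Path(d) / "flashable.img"
        src.write_bytes(MASKED + b"\x00" * 24)
        print(prepare_image(src, dst), dst.read_bytes()[:8])
```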
@aleka
I tried to follow your steps and got close.
But something is not working...
Do you have an idea?
JTAG connection points:
J-Link pinout:

| JTAG Pin | Function | J-Link Pin |
|---|---|---|
| 1 | TDI | 5 |
| 2 | TCK | 9 |
| 4 | GND | 4 |
| 6 | TMS | 7 |
| 7 | TDO | 13 |
| 8 | Vref | 1 |

tegrarcm command:
```
sudo tegrarcm --bct original.bct --bootloader qboot.bin --loadaddr 0x84000000
bct file: original.bct
bootloader file: qboot.bin
load addr 0x84000000
entry addr 0x84000000
device id: 0x7030
uid: 0x015ced07b70ffe12
RCM version: 3.1
downloading miniloader to target at address 0x4000a000 (128916 bytes)...
miniloader downloaded successfully
Chip UID: 0x0000000000000000015ced07b70ffe12
Chip ID: 0x30
Chip ID Major Version: 0x1
Chip ID Minor Version: 0x3
Chip SKU: 0x90 (t30)
Boot ROM Version: 0x1
Boot Device: 0x6 (SNOR)
Operating Mode: 0x3 (developer mode)
Device Config Strap: 0x0
Device Config Fuse: 0x0
SDRAM Config Strap: 0x2
sending file: original.bct
- 6128/6128 bytes sent
original.bct sent successfully
sending file: qboot.bin
\ 68648/68648 bytes sent
qboot.bin sent successfully
```
I tried your BCT file and the one I extracted from my own MMX dump.
Same Result in both cases.
After sending the tegrarcm command, I leave the unit untouched (ON) running on 12V.
J-Flash V6.84 output when I try to connect:
```
Connecting ...
- Connecting via USB to probe/ programmer device 0
- Probe/ Programmer firmware: J-Link V11 compiled Jul 17 2020 16:24:07
- Device "CORTEX-A9" selected.
- TotalIRLen = 8, IRPrint = 0x0011
- JTAG chain detection found 2 devices:
- #0 Id: 0x4BA00477, IRLen: 04, CoreSight JTAG-DP
- #1 Id: 0x4F1F0F0F, IRLen: 04, ARM7TDMI-S Core
- Scanning AP map to find all available APs
- AP[3]: Stopped AP scan as end of AP map has been reached
- AP[0]: AHB-AP (IDR: 0x44770001)
- AP[1]: APB-AP (IDR: 0x24770002)
- AP[2]: JTAG-AP (IDR: 0x14760010)
- Iterating through AP map to find APB-AP to use
- AP[0]: Skipped. Not an APB-AP
- AP[1]: APB-AP found
- ROMTbl[0][0]: CompAddr: 80001000 CID: B105900D, PID:04-003BB907 ETB
- ROMTbl[0][1]: CompAddr: 80002000 CID: B105900D, PID:04-003BB906 CTI
- ROMTbl[0][2]: CompAddr: 80003000 CID: B105900D, PID:04-004BB912 TPIU
- ROMTbl[0][3]: CompAddr: 80004000 CID: B105900D, PID:04-001BB908 CSTF
- ROMTbl[0][4]: CompAddr: 80005000 CID: B105900D, PID:04-002BB913 ITM
- ROMTbl[0][5]: CompAddr: 80006000 CID: B105900D, PID:04-002BB914 SWO
- ROMTbl[0][6]: CompAddr: 80020000 CID: 20323232, PID:00-00000000 ???
- TotalIRLen = 8, IRPrint = 0x0011
- JTAG chain detection found 2 devices:
- #0 Id: 0x4BA00477, IRLen: 04, CoreSight JTAG-DP
- #1 Id: 0x4F1F0F0F, IRLen: 04, ARM7TDMI-S Core
- ERROR: Cortex-A/R-JTAG (connect): Could not determine address of core debug registers. Incorrect CoreSight ROM table in device?
- Target interface speed: 1000 kHz (Auto)
- VTarget = 1.812V
- TotalIRLen = 8, IRPrint = 0x0011
```
J-Flash settings:
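A triage helper for the J-Flash log in the post above, as an added example that is not part of the original thread: it parses the ROMTbl lines and flags entries whose component ID does not carry the ARM CoreSight preamble 0xB105x00D (x is the component class). The regular expression assumes the line layout shown in the post; a failed preamble only shows that no valid component was read at that address, not why.

```python
import re

# ROM table lines and the error line copied from the J-Flash log in the post.
LOG = """\
- ROMTbl[0][0]: CompAddr: 80001000 CID: B105900D, PID:04-003BB907 ETB
- ROMTbl[0][1]: CompAddr: 80002000 CID: B105900D, PID:04-003BB906 CTI
- ROMTbl[0][2]: CompAddr: 80003000 CID: B105900D, PID:04-004BB912 TPIU
- ROMTbl[0][3]: CompAddr: 80004000 CID: B105900D, PID:04-001BB908 CSTF
- ROMTbl[0][4]: CompAddr: 80005000 CID: B105900D, PID:04-002BB913 ITM
- ROMTbl[0][5]: CompAddr: 80006000 CID: B105900D, PID:04-002BB914 SWO
- ROMTbl[0][6]: CompAddr: 80020000 CID: 20323232, PID:00-00000000 ???
- ERROR: Cortex-A/R-JTAG (connect): Could not determine address of core debug registers. Incorrect CoreSight ROM table in device?
"""

ENTRY = re.compile(
    r"ROMTbl\[(\d+)\]\[(\d+)\]: CompAddr: ([0-9A-Fa-f]{8}) "
    r"CID: ([0-9A-Fa-f]{8}), PID:([0-9A-Fa-f]{2})-([0-9A-Fa-f]{8})[ \t]*(\S*)"
)


def parse_romtable(log: str) -> list:
    """Return one dict per ROMTbl line found in a J-Flash connect log."""
    entries = []
    for m in ENTRY.finditer(log):
        cid = int(m.group(4), 16)
        entries.append({
            "index": int(m.group(2)),
            "addr": int(m.group(3), 16),
            "cid": cid,
            # Preamble check: every nibble except the class field must match.
            "cid_valid": (cid & 0xFFFF0FFF) == 0xB105000D,
            "cls": (cid >> 12) & 0xF,  # 0x9 = CoreSight component
            "name": m.group(7),
        })
    return entries


def suspicious(entries: list) -> list:
    """Entries that do not identify as a valid component."""
    return [e for e in entries if not e["cid_valid"]]


if __name__ == "__main__":
    for e in suspicious(parse_romtable(LOG)):
        print(f"entry {e['index']} at 0x{e['addr']:08X}: bad CID 0x{e['cid']:08X}")
```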
Sorry for missing this!
I changed the settings; however, the situation is exactly the same.
During testing I just booted the unit (no tegrarcm and hidden button).
In this state I can connect via JTAG!
Just trying to read a part of the flash 48000000 - 49000000.
The whole flash does not work due to reboot of the unit after ~3 minutes.