Posted: Thu Jul 30, 2020 11:52 am
TT-2016
I will test this other solution 1st.
By pressing this button during turning the unit on for 10s you are supposed to get into an emergency mode via the USB interface.
Using nvflash you are supposed to be able to flash MMX as well ??????.
Just in case I will also get a JTAG.
Luckily I have a backup of my MMX.
In that case I have to create my own cutoff of MMX dump in 0 to 17EF addresses, right?
The file you provided is just in case I do not have anything, right?
But qboot.bin I would take the one you provided?
Posted: Thu Jul 30, 2020 12:07 pm
aleka
Try any variant, you will not make it worse than it is now.
Posted: Thu Jul 30, 2020 1:20 pm
TT-2016
I agree, on the software side.
However, I could still shorten or damage the hardware.
Killing RRC and MMX was not that smart...
Posted: Thu Aug 06, 2020 11:16 pm
TT-2016
I could extract the BCT from my MMX dump.
How do I get my qboot.bin, is it also a part of the MMX dump?
Flashing via JTAG starting from base address: 4800 0000.
Do I flash the full MMX dump or do I have to cut the BCT off?
Thanks a lot again!
Posted: Sat Aug 08, 2020 10:19 pm
TT-2016
qboot seems to be located between 60000 - 70D00
Start and end as well as the middle part of that part of the MMX are very similar to the qboot.bin you provided.
Posted: Sat Aug 08, 2020 10:48 pm
congo
A0000 -> qb_recovery.img 262144
120000 -> qb_primary.img 262144
760000 -> mifs-stage1.img 3145728
A60000 -> mifs-stage2.img 48234496
160000 -> eifs.img 6291456
0x03600000 -> efs-system.img 2097152
0x03800000 -> efs-persist.img
Some of my notes.
Posted: Mon Aug 10, 2020 3:17 pm
KBN
760000 -> mifs-stage1.img 3145728 need some modifications
Posted: Mon Aug 10, 2020 3:39 pm
TT-2016
KBN wrote: 760000 -> mifs-stage1.img 3145728 need some modifications
What do you mean by this?
I'm mainly looking for a way to recover my unit with a broken MMX image.
Posted: Mon Aug 10, 2020 6:36 pm
Kufik81
TT-2016 wrote: What do you mean by this?
I'm mainly looking for a way to recover my unit with a broken MMX image.
Write me a PM.
Posted: Wed Aug 12, 2020 8:15 am
congo
Header of the image should contain the word "ANDROID!"
If you use dump from unit then it will be there.
If you use image from software SD then you will need to edit it before use.
Check the first 8 bytes.
They should be "41 4E 44 52 4F 49 44 21". On stock image they are "41 ff 44 ff 4f ff 44 ff".
That's it.
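The header check described in the post above, as an added example that is not part of the original thread: it classifies the first 8 bytes of an image and writes a corrected copy only when they match the stock pattern quoted there. The function names and the sample payload are assumptions made for illustration.

```python
"""Added example: check and restore the 8-byte "ANDROID!" image magic."""
import sys

ANDROID_MAGIC = b"ANDROID!"  # 41 4E 44 52 4F 49 44 21
# Header bytes of the stock (software SD) image, as quoted in the post.
STOCK_MASKED = bytes.fromhex("41ff44ff4fff44ff")


def classify_header(image: bytes) -> str:
    """Return 'android', 'stock-masked', 'too-short' or 'unknown'."""
    if len(image) < len(ANDROID_MAGIC):
        return "too-short"
    head = image[:8]
    if head == ANDROID_MAGIC:
        return "android"
    if head == STOCK_MASKED:
        return "stock-masked"
    return "unknown"


def restore_magic(image: bytes) -> bytes:
    """Return the image with the magic restored; refuse anything unexpected."""
    state = classify_header(image)
    if state == "android":
        return image  # already correct, nothing to change
    if state != "stock-masked":
        raise ValueError(f"unexpected header {image[:8].hex(' ')}; not touching it")
    return ANDROID_MAGIC + image[8:]


def patch_file(src: str, dst: str) -> str:
    """Read src and write a corrected copy to dst (src is never modified)."""
    with open(src, "rb") as f:
        data = f.read()
    fixed = restore_magic(data)
    with open(dst, "wb") as f:
        f.write(fixed)
    return classify_header(fixed)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        print(patch_file(sys.argv[1], sys.argv[2]))
    else:
        # Constructed sample: masked header followed by dummy payload bytes.
        sample = STOCK_MASKED + bytes(range(16))
        print(classify_header(sample), "->", classify_header(restore_magic(sample)))
```

Run with a source and a destination path to patch a real image; the size of the output always equals the size of the input, so partition offsets are unaffected.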
Posted: Mon Sep 07, 2020 9:58 pm
TT-2016
@aleka
I tried to follow your steps and got close.
But something is not working...
Do you have an idea?
JTAG connection points:
J-Link pinout:
| JTAG Pin | Function | J-Link Pin |
|---|---|---|
| 1 | TDI | 5 |
| 2 | TCK | 9 |
| 4 | GND | 4 |
| 6 | TMS | 7 |
| 7 | TDO | 13 |
| 8 | Vref | 1 |
tegrarcm command:
Code:
sudo tegrarcm --bct original.bct --bootloader qboot.bin --loadaddr 0x84000000
bct file: original.bct
bootloader file: qboot.bin
load addr 0x84000000
entry addr 0x84000000
device id: 0x7030
uid: 0x015ced07b70ffe12
RCM version: 3.1
downloading miniloader to target at address 0x4000a000 (128916 bytes)...
miniloader downloaded successfully
Chip UID: 0x0000000000000000015ced07b70ffe12
Chip ID: 0x30
Chip ID Major Version: 0x1
Chip ID Minor Version: 0x3
Chip SKU: 0x90 (t30)
Boot ROM Version: 0x1
Boot Device: 0x6 (SNOR)
Operating Mode: 0x3 (developer mode)
Device Config Strap: 0x0
Device Config Fuse: 0x0
SDRAM Config Strap: 0x2
sending file: original.bct
- 6128/6128 bytes sent
original.bct sent successfully
sending file: qboot.bin
\ 68648/68648 bytes sent
qboot.bin sent successfully
I tried your BCT file and the one I extracted from my own MMX dump.
Same result in both cases.
After sending the tegrarcm command, I leave the unit untouched (ON) running on 12V.
J-Flash V6.84 output when I try to connect:

Code:
Connecting ...
- Connecting via USB to probe/ programmer device 0
- Probe/ Programmer firmware: J-Link V11 compiled Jul 17 2020 16:24:07
- Device "CORTEX-A9" selected.
- TotalIRLen = 8, IRPrint = 0x0011
- JTAG chain detection found 2 devices:
- #0 Id: 0x4BA00477, IRLen: 04, CoreSight JTAG-DP
- #1 Id: 0x4F1F0F0F, IRLen: 04, ARM7TDMI-S Core
- Scanning AP map to find all available APs
- AP[3]: Stopped AP scan as end of AP map has been reached
- AP[0]: AHB-AP (IDR: 0x44770001)
- AP[1]: APB-AP (IDR: 0x24770002)
- AP[2]: JTAG-AP (IDR: 0x14760010)
- Iterating through AP map to find APB-AP to use
- AP[0]: Skipped. Not an APB-AP
- AP[1]: APB-AP found
- ROMTbl[0][0]: CompAddr: 80001000 CID: B105900D, PID:04-003BB907 ETB
- ROMTbl[0][1]: CompAddr: 80002000 CID: B105900D, PID:04-003BB906 CTI
- ROMTbl[0][2]: CompAddr: 80003000 CID: B105900D, PID:04-004BB912 TPIU
- ROMTbl[0][3]: CompAddr: 80004000 CID: B105900D, PID:04-001BB908 CSTF
- ROMTbl[0][4]: CompAddr: 80005000 CID: B105900D, PID:04-002BB913 ITM
- ROMTbl[0][5]: CompAddr: 80006000 CID: B105900D, PID:04-002BB914 SWO
- ROMTbl[0][6]: CompAddr: 80020000 CID: 20323232, PID:00-00000000 ???
- TotalIRLen = 8, IRPrint = 0x0011
- JTAG chain detection found 2 devices:
- #0 Id: 0x4BA00477, IRLen: 04, CoreSight JTAG-DP
- #1 Id: 0x4F1F0F0F, IRLen: 04, ARM7TDMI-S Core
- ERROR: Cortex-A/R-JTAG (connect): Could not determine address of core debug registers. Incorrect CoreSight ROM table in device?
- Target interface speed: 1000 kHz (Auto)
- VTarget = 1.812V
- TotalIRLen = 8, IRPrint = 0x0011
J-Flash settings:
Posted: Mon Sep 07, 2020 10:29 pm
aleka
In flash device info (9 pic) uncheck "Automatically detect flash memory" and manually choose Spansion S29GL512S, base address: 4800 0000
Posted: Mon Sep 07, 2020 11:23 pm
TT-2016
Sorry for missing this!
I changed the settings, however the situation is exactly the same.
Attachment 011.PNG is no longer available
During testing I just booted the unit (no tegrarcm and hidden button).
In this state I can connect via JTAG!
Just trying to read a part of the flash 48000000 - 49000000.
The whole flash does not work due to reboot of the unit after ~3 minutes.
Posted: Tue Sep 08, 2020 8:21 am
aleka
You cannot write the full flash due to the reboot, but the first part of the MMX dump has the Emergency tool. With the Emergency tool you can write the whole flash.
Posted: Tue Sep 08, 2020 9:28 am
TT-2016
Which hex range from the Original MMX dump would this be?
Posted: Tue Sep 08, 2020 12:21 pm
aleka
TT-2016 wrote: Which hex range from the Original MMX dump would this be?
I don't remember and my laptop is not with me now, but it seems to me it is located at the beginning of the MMX dump.
Posted: Tue Sep 08, 2020 2:52 pm
congo
// qb_recovery.img 0xA0000
// qb_primary.img 0x120000
// eifs.img 0x600000
Posted: Tue Sep 08, 2020 9:23 pm
TT-2016
Still stuck with the situation mentioned above.
Attachment error_001.PNG is no longer available
ROM Table and Cortex-9 are missing in the ROM Table.
Posted: Wed Sep 09, 2020 2:31 pm
onyx4
Hi,
How to pause the restart (watchdog) after 2 minutes?
Thanks a lot
Posted: Thu Sep 10, 2020 8:41 am
congo