RIFF JTAG -Samsung Galaxy II, OMAP4430 version supported (Samsung i9100G, Samsung i9108)

07.10.2011    Samsung Galaxy II, OMAP4430 version supported (Samsung i9100G, Samsung i9108)

Samsung I9108 is based on the OMAP4430 processor (Cortex-A9 dual-core). The JTAG pads are very small; professional soldering experience is required to connect wires to the JTAG interface. There is a big variety of Galaxy II device versions: GT-I9100, GT-I9100G, GT-I9100L, GT-I9100M, GT-I9100T, GT-I9101, GT-I9103, GT-I9108, GT-I9188, and maybe more. Some of them are based on a different hardware platform – the Samsung S5PV310 (Cortex-A9 dual-core). So first make sure which exact hardware version you have on hand.

Note: one simple way to connect over JTAG is to connect the USB cable to the PC and insert the battery; the phone is then powered on automatically.
The current DLL is still a beta one. It will work only with phones whose X-Loader is killed (damaged).

To resurrect Samsung I9108:

  •  Solder JTAG cable to Samsung I9108 JTAG pads;
  •  Connect USB cable to phone and PC;
  •  Insert battery;
  •  Make sure Samsung I9108 is selected in the list of models;
  •  Make sure a fixed TCK frequency is selected;
  •  Click Resurrect button;
  •  Wait until the software signals successful completion of the operation;
  •  Disconnect USB cable, de-solder JTAG wires;

The phone is now in a bootable condition, that is, even if it does not start up normally, you can flash it with the original Samsung downloader software to restore it to a working state.

To enter download mode:

  •  Disconnect PC cable;
  •  Insert battery;
  •  Hold both ‘Volume Down’ and ‘Home’ keys and press Power-On.

RIFF JTAG – JTAG Manager v1.36, RIFF Box firmware v1.27, GDB Server v1.05 released

07.10.2011   JTAG Manager v1.36, RIFF Box firmware v1.27 released

What's new:

JTAG Manager 1.36
—————————
– Added fast presets for automatic selection of settings for the most common operations on the DCC Read/Write page.
For this, click the Settings by Code button, select the desired preset from the list and then click Apply Settings.
For example, if the user selects “Write Full Image into NAND memory”, the valid settings on the DCC Read/Write page
for writing full images into devices with NAND memory will be selected automatically.
– Fixed a serious bug which caused resurrector DLLs that upload data into RAM to upload broken data.
For example, DLLs which start Download Mode directly use this feature.
– Added a feature to accept the text name of the memory chip from the DCC Loader and display it (currently used to display the eMMC memory product name).
– Fixed a bug when resuming an interrupted DCC Read: if the currently cached file size was greater than 2GB
(that is, if the read was interrupted at a point when more than 2GB of data had already been read), the newly read data was not appended to the end of the readout file; instead the file was corrupted.
– Fixed a bug when saving big files (after reading on the DCC Read/Write page): if the size exceeded 0x7FFFFFFF bytes, JTAG Manager showed a “no free disk space” error.
– Added TEGRA2 chipset selection in the Target list
– Fixed an issue with the resurrection progress bar: in some cases during resurrection operations the progress bar would always stay at 0%.

Firmware 1.27
—————————
– Added TEGRA2 debugging support (dual-core Cortex-A9)
– Added new breakpoint type: “address mismatch”, which allows genuine single-stepping on Cortex-A8/A9 (CoreSight) targets
(thus GDB Server can now perform low-level single step commands)

RIFF GDB Server v1.05
—————————
– Added Thumb2 instructions CBNZ and CBZ for single stepping
– Added more Thumb2 32-bit branch instructions for single stepping
– Added CoreSight low-level single-stepping support (at least RIFF Box firmware v1.27 is required)

RIFF JTAG – Samsung I9100 Galaxy S II Unbrick – Boot repair supported, World First ! ! !

29.07.2011     Samsung I9100 Galaxy S II Unbrick – Boot repair supported, World First ! ! !

Samsung I9100 is based on the S5PV310 (Exynos 4210) processor (Cortex-A9 dual-core).

The JTAG pads are very small; professional soldering experience is required to connect wires to the JTAG interface. There is a big variety of Galaxy II device versions: GT-I9100, GT-I9100G, GT-I9100L, GT-I9100M, GT-I9100T, GT-I9101, GT-I9103, GT-I9108, GT-I9188, and maybe more. Some of them are based on a different hardware platform – the OMAP4430 (Cortex-A9 dual-core). So first make sure which exact hardware version you have on hand.
Note: one simple way to connect over JTAG is to connect the USB cable to the PC and insert the battery; the phone is then powered on automatically.
The phone has the following boot sequence: ROM → FBL → IBL → PBL → SBL. The current resurrector restores the Partition Table (PIT) and SBL zones, which are located in the iNAND (eMMC) memory. Write access to the memory which contains the FBL, IBL and PBL loaders is currently not supported, but if your phone has these loaders damaged, you can choose the “Initiate Download Mode” way of resurrection in order to put the phone directly into Download Mode.

To resurrect Samsung I9100:

  •  Solder JTAG cable to Samsung I9100 JTAG pads;
  •  Connect USB cable to phone and PC;
  •  Insert battery;
  •  Make sure Samsung I9100 is selected in the list of models;
  •  Make sure a fixed TCK frequency is selected;
  •  Click Resurrect button;
  •  Wait until the software signals successful completion of the operation;
  •  Disconnect USB cable, de-solder JTAG wires;

The phone is now in a bootable condition, that is, even if it does not start up normally, you can flash it with the original Samsung downloader software to restore it to a working state.

To enter download mode:

  •  Disconnect PC cable;
  •  Insert battery;
  •  Hold both ‘Volume Down’ and ‘Home’ keys and press Power-On.
Please click the “Check For Updates” button in order to download and apply the new files. Closing all running applications before starting the update process is recommended.

RIFF JTAG – JTAG Manager v1.34, RIFF Box firmware v1.26 – Cortex-A9 Dual core support added ! GDB Server v1.04 Released

29.07.2011  JTAG Manager v1.34, RIFF Box firmware v1.26 – Cortex-A9 Dual core support added ! GDB Server v1.04

What's new:

RIFF JTAG Manager v1.34:

  •  The JTAG Manager project has been migrated to UNICODE.

The main advantage of this: the GUI (captions of buttons, labels, etc.) can now support all international characters, for example Chinese.
WARNING!!! Due to the UNICODE migration, old plugin DLLs are not compatible with JTAG Manager 1.34.
Simply download the new set of plugins, which are now Unicode compatible.

  •  Multilanguage GUI is implemented (and due to the migration to UNICODE even Chinese can be fully supported)

You need to download a language pack DLL, for example Russian.dll. After installation go to the BOX SERVICE page, where
the language selection will be available.
The following items are translated into the selected language by the language DLL:
1. JTAG Manager interface – labels, captions, etc.
2. JTAG Manager messages which are shown during an active operation.
3. Most of the messages shown by resurrector DLLs.
4. Some of the Resurrection Manuals (if the current version of the language pack does not have a translated version of a Resurrection Manual, the original English version is shown).

  •  Added a warning window which will appear on the DCC Read/Write page in case the user tries to flash a full dump with wrong settings.

So the user can check what is wrong and thus avoid losing time and making mistakes.

  •  ARM Core Cortex-A9 (Single and MPCore) and Chipset OMAP4430 (Dual-core Cortex-A9) are added to the supported cores list;
  •  Cortex-A9 core added to the CMM Script Engine: Example: SYSTEM.CPU CORTEXA9
  •  OMAP4430 core added to the CMM Script Engine: Example: SYSTEM.CPU OMAP4430
  •  Multicore control is added to the CMM Script Engine (use the CORE.SELECT instruction to switch between cores in multicore targets)

For example, CORE.SELECT 0 will select core0, CORE.SELECT 3 will select core3

  •  Added access (32-bit Read/Write) to the APB bus of CoreSight-compatible targets (Cortex-A8, Cortex-A9, etc.)

through the CMM Script Engine (‘APB’ segment specifier added).
Thus, for example, the instruction &Resp=data.long(APB:0x12345678) will read a dword from the APB bus at address 0x12345678

  •  Added SYSTEM.CONFIG.RESETTIMEOUT variable to the CMM Script Engine, so it’s now possible to customise the reset type and timeout

by setting this variable prior to the SYSTEM.UP command.

  •  Fixed bug which caused trash to be saved after read operations on the DCC Read/Write page in these cases:

a) reading was stopped by the user
b) after a JTAG Manager exe restart

  •  DCC Read/Write page operations now allow 64-bit addressing, so the user has full access to memory devices whose size exceeds the 0xFFFFFFFF-byte range.

For this, the Address and Length fields now have 10 digits instead of the old 8 digits. Be careful entering values there.
INEXPERIENCED USERS PLEASE NOTE: for example, the 8-digit hex value 0x12345678 entered into the 10-digit field IS NOT 0x1234567800 (!!!!!); the CORRECT value is 0x0012345678
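The left-padding rule above is easy to get wrong when copying an old 8-digit address into the 10-digit field, and a wrong base address sends the write to the wrong part of the chip. The following is an added example, not JTAG Manager code: a small validator that interprets a field entry the way the note says (left-padded), shows what the right-padded misreading would yield, and flags a transfer that goes beyond the old 32-bit address range or the old 31-bit size limit. Function names, the returned dictionary and the constants are assumptions made here.

```python
# Added example (not JTAG Manager code): checks for the 10-digit hex Address/Length fields.
FIELD_DIGITS = 10                # digits in the new Address/Length fields (per the release note)
OLD_32BIT_LIMIT = 0xFFFFFFFF     # largest address the old 8-digit fields could express
OLD_31BIT_LIMIT = 0x7FFFFFFF     # size above which the old file-size / progress code broke
HEX_DIGITS = set("0123456789abcdefABCDEF")


def _clean_field(text, digits):
    """Strip an optional 0x prefix and whitespace; reject non-hex or over-long input."""
    raw = text.strip()
    if raw[:2].lower() == "0x":
        raw = raw[2:]
    if not raw or not set(raw) <= HEX_DIGITS:
        raise ValueError(f"not a hex number: {text!r}")
    if len(raw) > digits:
        raise ValueError(f"{text!r} has more than {digits} hex digits")
    return raw.lower()


def parse_hex_field(text, digits=FIELD_DIGITS):
    """Interpret a field entry. A short entry is padded on the LEFT, so '12345678'
    means 0x0012345678. Returns (value, canonical 10-digit text)."""
    raw = _clean_field(text, digits)
    return int(raw, 16), "0x" + raw.zfill(digits)


def misread_right_padded(text, digits=FIELD_DIGITS):
    """The mistake the warning describes: the digits typed at the left edge of the
    field, i.e. zeros appended on the RIGHT. Returned only to show how far off it is."""
    raw = _clean_field(text, digits)
    return int(raw.ljust(digits, "0"), 16)


def plan_transfer(address_text, length_text):
    """Resolve an Address/Length pair and flag the cases the old 8-digit UI could not handle."""
    start, start_txt = parse_hex_field(address_text)
    length, _ = parse_hex_field(length_text)
    if length == 0:
        raise ValueError("length must be non-zero")
    end = start + length - 1
    return {
        "start": start_txt,
        "end": f"0x{end:0{FIELD_DIGITS}x}",
        "needs_64bit": end > OLD_32BIT_LIMIT,   # beyond what the old 8-digit fields covered
        "big_transfer": length > OLD_31BIT_LIMIT,  # more than 2GB: the size bugs fixed in v1.36
    }


if __name__ == "__main__":
    value, shown = parse_hex_field("12345678")
    print(f"'12345678' is {shown} = {value:#x}")
    print(f"right-padded misreading would be {misread_right_padded('12345678'):#x}")
    print(plan_transfer("100000000", "80000000"))
```

`plan_transfer` works in plain Python integers, so the end address is computed without the 31-bit overflow that the release note describes for the old file-size and progress-bar code.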

  •  TGauge64 component was implemented in order to support the full 64-bit range of progress indications (the old progress bars were limited to a 31-bit maximum value)
  •  Fixed bug with incorrect display of scrollbars when scrolling through the Model and Manufacturer lists
  •  Fixed bug during erase:
    If a bad block occurred, and the user chose the Ignore method and checked ‘Remember selection’, the software would again pop up the selection dialog on the next bad block.
  •  JTAG I/O Voltage (for Custom Target Settings) now offers voltages from 1.6V up to 3.30V with a resolution of 0.05V
  •  Just for convenience, added a “Target Continue” button to the JTAG Read/Write page.
    This simply resumes target execution from the current PC value without the need to enter it explicitly into the “Address” field, as is required for the “Target GO” button
RIFF Box firmware v1.26 :
  • Added support for Cortex-A9 single processor core;
  • Added support for Cortex-A9 multiprocessor cores. The multicore handling rules are the following:

    1. After target reset (NRST = 1-0-1) Core0 is automatically selected.

    2. The HALT operation halts only the currently selected core (by default Core0 is selected). Thus, in order to halt another core, the user has to select the required core and then execute the halt operation.

    3. The Reset operation can accept different strategies of reset and halt:

    – Reset, then halt all cores at the very first instruction (for now only for OMAP MCUs)
    – Reset, then halt only Core0 at the very first instruction (for now only for OMAP MCUs)
    – Reset, pause, then halt all cores
    – Reset, pause, then halt only Core0

    4. The RUN operation starts only the currently selected core.

Thus, in order to start another core, the user has to select the required core and then execute the run operation.

For example, if the target has 4 cores (a quad-core MCU), then after a HALT operation only Core0 is halted.
To halt Core2 the user has to write the script:
CORE.SELECT 2
BREAK

For example, to run Core3 the user has to write the script:
CORE.SELECT 3
GO
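The rules above are easy to misapply when scripting a multicore target: a BREAK after reset leaves the other cores running, and a GO on the wrong core leaves the one you meant to resume halted. The following is an added example, not RIFF Box firmware or JTAG Manager code: a small model of rules 1 to 4 that executes the CORE.SELECT / BREAK / GO lines shown above against a simulated quad-core target. The class and method names, the strategy names for rule 3, and the plain `reset()` that releases all cores are assumptions made here; the script grammar is limited to the three instructions that appear on the page.

```python
# Added example (not RIFF code): model of the v1.26 multicore halt/run/reset rules.
from dataclasses import dataclass


@dataclass
class CoreState:
    """Minimal per-core state for the model: halted flag and program counter."""
    halted: bool = False
    pc: int = 0


class MulticoreTarget:
    # The four reset-and-halt strategies of rule 3 (names are assumptions made here).
    RESET_STRATEGIES = (
        "reset_halt_all",          # halt all cores at the very first instruction
        "reset_halt_core0",        # halt only core0 at the very first instruction
        "reset_pause_halt_all",    # let the cores run briefly, then halt all
        "reset_pause_halt_core0",  # let the cores run briefly, then halt only core0
    )

    def __init__(self, ncores, reset_vector=0x0):
        self.ncores = ncores
        self.reset_vector = reset_vector
        self.cores = [CoreState(pc=reset_vector) for _ in range(ncores)]
        self.selected = 0

    def reset(self, strategy=None):
        """Rule 1: any reset (NRST 1-0-1) re-selects core0.
        strategy=None releases all cores (model simplification); otherwise rule 3 applies."""
        self.selected = 0
        for core in self.cores:
            core.pc, core.halted = self.reset_vector, False
        if strategy is None:
            return
        if strategy not in self.RESET_STRATEGIES:
            raise ValueError(f"unknown reset strategy {strategy!r}")
        if "pause" in strategy:
            # constructed stand-in for "pause": every core executes a few instructions
            for core in self.cores:
                core.pc += 0x40
        targets = self.cores if strategy.endswith("all") else [self.cores[0]]
        for core in targets:
            core.halted = True

    def select(self, index):
        """CORE.SELECT n: choose the core that BREAK and GO will act on."""
        if not 0 <= index < self.ncores:
            raise ValueError(f"core {index} does not exist on a {self.ncores}-core target")
        self.selected = index

    def halt(self):
        """Rule 2: BREAK halts only the currently selected core."""
        self.cores[self.selected].halted = True

    def run(self):
        """Rule 4: GO starts only the currently selected core."""
        self.cores[self.selected].halted = False

    def halted_cores(self):
        return [i for i, core in enumerate(self.cores) if core.halted]

    def run_script(self, text):
        """Execute the CORE.SELECT / BREAK / GO subset of the script language; returns halted cores."""
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith(";"):
                continue
            op, _, arg = line.partition(" ")
            op = op.upper()
            if op == "CORE.SELECT":
                self.select(int(arg))
            elif op == "BREAK":
                self.halt()
            elif op == "GO":
                self.run()
            else:
                raise ValueError(f"unsupported script line: {raw!r}")
        return self.halted_cores()


if __name__ == "__main__":
    quad = MulticoreTarget(4)
    quad.reset()
    quad.halt()
    print("after HALT:", quad.halted_cores())           # [0]
    print(quad.run_script("CORE.SELECT 2\nBREAK"))      # [0, 2]
    print(quad.run_script("CORE.SELECT 3\nGO"))         # [0, 2]  (core3 was already running)
```

The last call shows the consequence of rule 4: GO on Core3 does nothing to the halted Core0 and Core2, so a script that wants the whole target running must select and GO each halted core in turn.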

  • Added H/W script (*.has) instruction which enables selection of core for multiprocessor targets;
  • Added script (CMM/HAS) access (32-bit Read/Write) to the APB bus of CoreSight-compatible targets (Cortex-A8, Cortex-A9, etc.)
  • Added support for OMAP4430 Dual-core Cortex-A9 MCU
RIFF GDB Server v1.04 :
  • Fixed bug with reset timeout – the value in the Edit field was erroneously taken as hex rather than decimal; now fixed
  • Added a few more GDB commands for compatibility with IDA 6.1 remote debugging.
  • Added Thumb2 instructions TBB and TBH for single stepping
  • Fixed bug in Thumb/Thumb2 when stepping out of a subroutine via POP {RegList, PC} (in Thumb mode the return address has bit 0 set, i.e. it is ORed with 0x01)
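A GDB server that single-steps in software has to predict the next PC and plant a temporary breakpoint there; the two items above (CBZ/CBNZ stepping in v1.05 and the POP {RegList, PC} fix here) are both about that prediction. The following is an added example, not RIFF GDB Server code: it decodes the 16-bit Thumb CBZ/CBNZ and POP encodings (the ARMv7 T1 encodings), resolves the branch against the halted core's registers, and clears the interworking bit 0 of a popped return address before using it as the breakpoint address. Function names and the register/memory callbacks are assumptions made here; 32-bit Thumb-2 encodings are deliberately rejected rather than guessed.

```python
# Added example (not RIFF GDB Server code): next-PC prediction for software single-step.

def decode_cbz_cbnz(hw):
    """CBZ/CBNZ T1 encoding: 1011 op 0 i 1 imm5 Rn.
    Returns (is_cbnz, rn, byte_offset) or None if hw is not CBZ/CBNZ."""
    if (hw & 0xF500) != 0xB100:
        return None
    is_cbnz = bool(hw & 0x0800)
    i = (hw >> 9) & 1
    imm5 = (hw >> 3) & 0x1F
    return is_cbnz, hw & 7, (i << 6) | (imm5 << 1)


def decode_pop(hw):
    """POP T1 encoding: 1011 110 P register_list. Returns (pops_pc, low_reglist) or None."""
    if (hw & 0xFE00) != 0xBC00:
        return None
    return bool(hw & 0x0100), hw & 0xFF


def is_thumb32(hw):
    """First halfword of a 32-bit Thumb-2 instruction has bits[15:11] = 11101, 11110 or 11111."""
    return (hw >> 11) in (0b11101, 0b11110, 0b11111)


def step_breakpoint(pc, hw, regs, sp, read32):
    """Address for the temporary breakpoint when the halted core at `pc` (Thumb state)
    is resumed for exactly one instruction `hw`.
    regs: {register_index: value}; sp: current stack pointer; read32(addr): target memory read."""
    if is_thumb32(hw):
        raise NotImplementedError("32-bit Thumb-2 encodings are not modelled here")
    dec = decode_cbz_cbnz(hw)
    if dec is not None:
        is_cbnz, rn, offset = dec
        value = regs[rn]
        taken = (value != 0) if is_cbnz else (value == 0)
        # For CBZ/CBNZ the offset is relative to the instruction address + 4.
        return pc + 4 + offset if taken else pc + 2
    dec = decode_pop(hw)
    if dec is not None:
        pops_pc, reglist = dec
        if not pops_pc:
            return pc + 2
        # Low registers are popped first in ascending order; PC is the last word.
        pc_slot = sp + 4 * bin(reglist).count("1")
        popped = read32(pc_slot)
        # Bit 0 of the popped value is the Thumb interworking bit (the "ORed with 0x01"
        # value in the release note), not part of the address: breakpoint on the even address.
        return popped & ~1
    return pc + 2  # any other 16-bit instruction simply falls through


if __name__ == "__main__":
    # Constructed stack contents: r4, r5 and a Thumb return address 0x8005 (= 0x8004 | 1).
    stack = {0x2000: 0x11, 0x2004: 0x22, 0x2008: 0x8005}
    print(hex(step_breakpoint(0x1000, 0xB11A, {2: 0}, 0x2000, stack.get)))  # CBZ r2 taken: 0x100a
    print(hex(step_breakpoint(0x1000, 0xBD30, {}, 0x2000, stack.get)))      # POP {r4,r5,pc}: 0x8004
```

Planting the breakpoint at 0x8005 instead of 0x8004 is exactly the failure the note describes: the core returns to 0x8004, never hits the halfword-misaligned breakpoint, and the "step" runs away.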
Please click the “Check For Updates” button in order to download and apply the new files. Closing all running applications before starting the update process is recommended.