Project

General

Profile

Actions

SamsungSerial » History » Revision 21

« Previous | Revision 21/33 (diff) | Next »
Denis 'GNUtoo' Carikli, 03/26/2012 01:13 PM


Introduction

This page contains information on how to work on a bootloader replacement.

Informations

  • The official u-boot source code already has support for the S5PC110 SOC that the Nexus S uses
  • The S5PC110 has a bootrom
  • The Nexus S has an usb port with an FSA9480 behind it

Links of interest

Partitioning informations

Entry Count: 16
Unknown 1: 0
Unknown 2: 0
Unknown 3: 0
Unknown 4: 0
Unknown 5: 0
Unknown 6: 0
Unknown 7: 0
Unknown 8: 0

--- Entry #0 ---
Unused: No
Partition Type: 0 (RFS)
Partition Identifier: 0
Partition Flags: 0 (R)
Unknown 1: 0
Partition Block Size: 256
Partition Block Count: 1
Unknown 2: 0
Unknown 3: 0
Partition Name: IPBL
Filename: bootloader.img

--- Entry #1 ---
Unused: No
Partition Type: 0 (RFS)
Partition Identifier: 1
Partition Flags: 0 (R)
Unknown 1: 0
Partition Block Size: 256
Partition Block Count: 7
Unknown 2: 0
Unknown 3: 0
Partition Name: SBL
Filename: 

--- Entry #2 ---
Unused: No
Partition Type: 0 (RFS)
Partition Identifier: 2
Partition Flags: 0 (R)
Unknown 1: 0
Partition Block Size: 256
Partition Block Count: 7
Unknown 2: 0
Unknown 3: 0
Partition Name: SBL2
Filename: 

--- Entry #3 ---
Unused: No
Partition Type: 0 (RFS)
Partition Identifier: 3
Partition Flags: 0 (R)
Unknown 1: 0
Partition Block Size: 256
Partition Block Count: 4
Unknown 2: 0
Unknown 3: 0
Partition Name: PARAM
Filename: 

--- Entry #4 ---
Unused: No
Partition Type: 0 (RFS)
Partition Identifier: 4
Partition Flags: 0 (R)
Unknown 1: 0
Partition Block Size: 256
Partition Block Count: 5
Unknown 2: 0
Unknown 3: 0
Partition Name: MISC
Filename: 

--- Entry #5 ---
Unused: No
Partition Type: 0 (RFS)
Partition Identifier: 5
Partition Flags: 0 (R)
Unknown 1: 0
Partition Block Size: 256
Partition Block Count: 32
Unknown 2: 0
Unknown 3: 0
Partition Name: BOOT
Filename: boot.img

--- Entry #6 ---
Unused: No
Partition Type: 0 (RFS)
Partition Identifier: 6
Partition Flags: 0 (R)
Unknown 1: 0
Partition Block Size: 256
Partition Block Count: 32
Unknown 2: 0
Unknown 3: 0
Partition Name: RECOVERY
Filename: recovery.img

--- Entry #7 ---
Unused: No
Partition Type: 0 (RFS)
Partition Identifier: 7
Partition Flags: 1 (R)
Unknown 1: 0
Partition Block Size: 256
Partition Block Count: 1878
Unknown 2: 0
Unknown 3: 0
Partition Name: CACHE
Filename: cache.img

--- Entry #8 ---
Unused: Yes
Partition Type: 0 (RFS)
Partition Identifier: 8
Partition Flags: 0 (R)
Unknown 1: 0
Partition Block Size: 256
Partition Block Count: 54
Unknown 2: 0
Unknown 3: 0
Partition Name: RADIO
Filename: radio.img

--- Entry #9 ---
Unused: No
Partition Type: 0 (RFS)
Partition Identifier: 9
Partition Flags: 1 (R)
Unknown 1: 0
Partition Block Size: 256
Partition Block Count: 27
Unknown 2: 0
Unknown 3: 0
Partition Name: EFS
Filename: 

--- Entry #10 ---
Unused: No
Partition Type: 0 (RFS)
Partition Identifier: 10
Partition Flags: 0 (R)
Unknown 1: 0
Partition Block Size: 256
Partition Block Count: 1
Unknown 2: 0
Unknown 3: 0
Partition Name: DGS
Filename: dgs.img

--- Entry #11 ---
Unused: No
Partition Type: 2 (EXT4)
Partition Identifier: 0
Partition Flags: 2 (R/W)
Unknown 1: 0
Partition Block Size: 512
Partition Block Count: 2048
Unknown 2: 0
Unknown 3: 0
Partition Name: PGPT
Filename: emmc.img

--- Entry #12 ---
Unused: No
Partition Type: 2 (EXT4)
Partition Identifier: 1
Partition Flags: 2 (R/W)
Unknown 1: 0
Partition Block Size: 512
Partition Block Count: 1048576
Unknown 2: 0
Unknown 3: 0
Partition Name: SYSTEM
Filename: system.img

--- Entry #13 ---
Unused: No
Partition Type: 2 (EXT4)
Partition Identifier: 2
Partition Flags: 2 (R/W)
Unknown 1: 0
Partition Block Size: 512
Partition Block Count: 2097152
Unknown 2: 0
Unknown 3: 0
Partition Name: USERDATA
Filename: userdata.img

--- Entry #14 ---
Unused: No
Partition Type: 2 (EXT4)
Partition Identifier: 3
Partition Flags: 2 (R/W)
Unknown 1: 0
Partition Block Size: 512
Partition Block Count: 33554432
Unknown 2: 0
Unknown 3: 0
Partition Name: MEDIA
Filename: media.img

--- Entry #15 ---
Unused: No
Partition Type: 2 (EXT4)
Partition Identifier: 4
Partition Flags: 2 (R/W)
Unknown 1: 0
Partition Block Size: 512
Partition Block Count: 33
Unknown 2: 0
Unknown 3: 0
Partition Name: SGPT
Filename: 

Serial Console

It is possible to setup a serial console on the Nexus S. It will show:
  • the 1st bootloader output
  • the 2nd bootloader output
  • the 2nd bootloader #2 output
  • the fiq debugger
  • (the kernel output if enabled)

How to enable serial console

UART to USB board output Resistor microUSB connector(s) name(s) microUSB wire color
N/A 150K Ohm ID and GND ID not wired (the 5th connector that is unused), GND is black
3.3V N/A V+ red
GND N/A GND black
Rx N/A D- white
Tx N/A D+ green

Warning: the voltage to use is 3.3V and not 5V! Using 5V can cause serious damages to the UART component.

To read/write on the serial, you can use screen (or picocomm, or any other software that deals with serial consoles):
115200 is the baud rate to use (certainly with most UART to USB board).

Then, do a regular boot. You should see the second bootloader #2 output. To get the 1st and 2nd bootloaders output, press <enter> to get in fiq debugger and write "reboot" then <enter>.

Photos: here's what it looks like when all setup:


The UART to USB board. USB is connected to the host PC, UART pins to the microUSB connector.

The 150K resistor (two resistors here that make 150K together) soldered to the microUSB connector, that is attached to the Nexus S.

Note: it was done the quick and dirty way here, it's better to use a protoboard (prototyping board).

The USB cable that is connected to the Nexus S ends on the connectors attached to the UART to USB board.

Note: it was done the quick and dirty way here, it's better to use a protoboard (prototyping board).

Bootloaders outputs

first bootloader:

-----------------------------------------------------------
   Samsung Primitive Bootloader (PBL) v3.0
   Copyright (C) Samsung Electronics Co., Ltd. 2006-2010
-----------------------------------------------------------

Muxed [[OneNAND]] 512MB (0x50) Sync
Scanning Bad Block .......
Bad Block 77 (5)
Bad Block 295 (5)
Bad Block 1232 (5)
Bad Block 1646 (5)
Bad Block 1831 (5)
Bad Block 2047 (0)
SBL loadding success

Set cpu clk. from 400MHz to 800MHz.
OM=0x9, device=OnenandMux(Audi)
IROM e-fused - Secure Boot Version.

second bootloader:51ea3aaa63e65b74b7386fe1365d7b52f4495c43

-----------------------------------------------------------
   Samsung Secondary Bootloader (SBL) v3.0
   Copyright (C) Samsung Electronics Co., Ltd. 2006-2010

   Board Name: HERRING REV 52
   Build On: Jan 20 2011 17:19:41
-----------------------------------------------------------

MMC SEM16G 15188 MB
Re_partition: magic code(0x0)
Muxed [[OneNAND]] 512MB (0x50) Sync
Scanning Bad Block .......
Bad Block 77 (5)
Bad Block 295 (5)
Bad Block 1232 (5)
Bad Block 1646 (5)
Bad Block 1831 (5)
Bad Block 2047 (0)
Partitions loading success
Read image(PARAM) from flash .......
Done
init_fuel_gauge: vcell = 4083mV, soc = 94
PMIC_IRQ1    = 0xc0 
PMIC_IRQ2    = 0x0 
PMIC_IRQ3    = 0x0 
PMIC_IRQ4    = 0x0 
PMIC_STATUS1 = 0x0 
PMIC_STATUS2 = 0x0 
PMIC_STATUS3 = 0x0 
PMIC_STATUS4 = 0x0 
PMIC_STATUS5 = 0x0 
PMIC_SMPL    = 0x0 
Key scan = 0x0
message.command = 
message.status = 
message.recovery = 

second bootloader #2:

BOOT_MODE_NORMAL (SW_RST(0x00000004), INFORM(0x000000ee))
LCD ID = 0x0060a953
Done
Kernel(boot.img) read success from partition no.5
Setting param.serialnr = 0x3733bab6 0x6de200ec
Setting param.board_rev = 0x34
Setting param.cmdline = console=ttyFIQ0 no_console_suspend androidboot.serialno=3733BAB66DE200EC androidboot.bootloader=I9020XXKA3 androidboot.baseband=I9020XXKB3 androidboot.info=0x4,0xee,1 androidboot.carrier=EUR gain_code=3 s3cfb.bootloaderfb=0x34a00000 mach-herring.lcd_type=0x00000000 oem_state=unlocked 
Setting param.initrd_start = 0x31000000, param.initrd_size = 0x23265

Starting kernel at 0x30008000...

Uncompressing Linux... done, booting the kernel.

kernel

<hit enter to activate fiq debugger>

JTAG

Here is the location and the description of the JTAG pins on the Nexus S board:


JTAG was untested on the device so far.

Conclusions

  • Heimdall mode is accessible but we didn't try to flash images with heimdall
  • Serial can be set up and works
  • The bootrom(IROM) seems signed:
    IROM e-fused
  • JTAG is there but we didn't try it

As the IROM is apparently signed, porting a free bootloader will most likely fail as Primary Boot Loader (PBL).

Updated by Denis 'GNUtoo' Carikli over 12 years ago · 21 revisions

Also available in: PDF HTML TXT