SamsungSerial » History » Revision 29
« Previous |
Revision 29/33
(diff)
| Next »
Wolfgang Wiedmeyer, 03/29/2017 12:51 PM
host all images on redmine
Introduction¶
This page contains information on to get serial on, at least, the following phones:- Nexus S
- Galaxy Nexus
Informations¶
- The S5PC110 has a bootrom
- The Nexus S has an usb port with an FSA9480 behind it
Serial Console¶
It is possible to setup a serial console on the Nexus S. It will show:- the 1st bootloader output
- the 2nd bootloader output
- the 2nd bootloader #2 output
- the fiq debugger
- (the kernel output if enabled)
How to enable serial console¶
- completely turn off the Nexus S
- attach the microUSB connector to the Nexus S
- wire GND and ID (from the microUSB connector) to a 150K resistor
- get an UART to USB module like this one: http://www.dealextreme.com/p/usb-to-uart-5-pin-cp2102-module-serial-converter-81872
- wire it following this table:
UART to USB board output | Resistor | microUSB connector(s) name(s) | microUSB wire color |
---|---|---|---|
N/A | 150K Ohm | ID and GND | ID not wired (the 5th connector that is unused), GND is black |
3.3V | N/A | V+ | red |
GND | N/A | GND | black |
Rx | N/A | D- | white |
Tx | N/A | D+ | green |
Warning: the voltage to use is 3.3V and not 5V! Using 5V can cause serious damages to the UART component.
To read/write on the serial, you can use screen (or picocomm, or any other software that deals with serial consoles):
115200 is the baud rate to use (certainly with most UART to USB board).
Then, do a regular boot. You should see the second bootloader #2 output. To get the 1st and 2nd bootloaders output, press <enter> to get in fiq debugger and write "reboot" then <enter>.
Photos: here's what it looks like when all setup:
The UART to USB board. USB is connected to the host PC, UART pins to the microUSB connector.
The 150K resistor (two resistors here that make 150K together) soldered to the microUSB connector, that is attached to the Nexus S.
Note: it was done the quick and dirty way here, it's better to use a protoboard (prototyping board).
The USB cable that is connected to the Nexus S ends on the connectors attached to the UART to USB board.
Note: it was done the quick and dirty way here, it's better to use a protoboard (prototyping board).
Bootloaders outputs¶
Nexus S¶
first bootloader:
----------------------------------------------------------- Samsung Primitive Bootloader (PBL) v3.0 Copyright (C) Samsung Electronics Co., Ltd. 2006-2010 ----------------------------------------------------------- Muxed [[OneNAND]] 512MB (0x50) Sync Scanning Bad Block ....... Bad Block 77 (5) Bad Block 295 (5) Bad Block 1232 (5) Bad Block 1646 (5) Bad Block 1831 (5) Bad Block 2047 (0) SBL loadding success Set cpu clk. from 400MHz to 800MHz. OM=0x9, device=OnenandMux(Audi) IROM e-fused - Secure Boot Version.
second bootloader:51ea3aaa63e65b74b7386fe1365d7b52f4495c43
----------------------------------------------------------- Samsung Secondary Bootloader (SBL) v3.0 Copyright (C) Samsung Electronics Co., Ltd. 2006-2010 Board Name: HERRING REV 52 Build On: Jan 20 2011 17:19:41 ----------------------------------------------------------- MMC SEM16G 15188 MB Re_partition: magic code(0x0) Muxed [[OneNAND]] 512MB (0x50) Sync Scanning Bad Block ....... Bad Block 77 (5) Bad Block 295 (5) Bad Block 1232 (5) Bad Block 1646 (5) Bad Block 1831 (5) Bad Block 2047 (0) Partitions loading success Read image(PARAM) from flash ....... Done init_fuel_gauge: vcell = 4083mV, soc = 94 PMIC_IRQ1 = 0xc0 PMIC_IRQ2 = 0x0 PMIC_IRQ3 = 0x0 PMIC_IRQ4 = 0x0 PMIC_STATUS1 = 0x0 PMIC_STATUS2 = 0x0 PMIC_STATUS3 = 0x0 PMIC_STATUS4 = 0x0 PMIC_STATUS5 = 0x0 PMIC_SMPL = 0x0 Key scan = 0x0 message.command = message.status = message.recovery =
second bootloader #2:
BOOT_MODE_NORMAL (SW_RST(0x00000004), INFORM(0x000000ee)) LCD ID = 0x0060a953 Done Kernel(boot.img) read success from partition no.5 Setting param.serialnr = 0x3733bab6 0x6de200ec Setting param.board_rev = 0x34 Setting param.cmdline = console=ttyFIQ0 no_console_suspend androidboot.serialno=3733BAB66DE200EC androidboot.bootloader=I9020XXKA3 androidboot.baseband=I9020XXKB3 androidboot.info=0x4,0xee,1 androidboot.carrier=EUR gain_code=3 s3cfb.bootloaderfb=0x34a00000 mach-herring.lcd_type=0x00000000 oem_state=unlocked Setting param.initrd_start = 0x31000000, param.initrd_size = 0x23265 Starting kernel at 0x30008000... Uncompressing Linux... done, booting the kernel.
kernel
<hit enter to activate fiq debugger>
Galaxy S¶
----------------------------------------------------------- Samsung Primitive Bootloader (PBL) v3.0 Copyright (C) Samsung Electronics Co., Ltd. 2006-2010 ----------------------------------------------------------- +n1stVPN 2688 +nPgsPerBlk 64 PBL found bootable SBL: Partition(3). Set cpu clk. from 400MHz to 800MHz. OM=0x9, device=OnenandMux(Audi) IROM e-fused - Non Secure Boot Version. ----------------------------------------------------------- Samsung Secondary Bootloader (SBL) v3.0 Copyright (C) Samsung Electronics Co., Ltd. 2006-2010 Board Name: ARIES REV 03 Build On: Dec 29 2011 16:57:09 ----------------------------------------------------------- Re_partition: magic code(0x0) [PAM: ] ++FSR_PAM_Init [PAM: ] OneNAND physical base address : 0xb0000000 [PAM: ] OneNAND virtual base address : 0xb0000000 [PAM: ] OneNAND nMID=0xec : nDID=0x50 [PAM: ] --FSR_PAM_Init fsr_bml_load_partition: pi->nNumOfPartEntry = 12 partitions loading success board partition information update.. source: 0x0 .Done. read 1 units. ==== PARTITION INFORMATION ==== ID : IBL+PBL (0x0) ATTR : RO SLC (0x1002) FIRST_UNIT : 0 NO_UNITS : 1 =============================== ID : PIT (0x1) ATTR : RO SLC (0x1002) FIRST_UNIT : 1 NO_UNITS : 1 =============================== ID : EFS (0x14) ATTR : RW STL SLC (0x1101) FIRST_UNIT : 2 NO_UNITS : 40 =============================== ID : SBL (0x3) ATTR : RO SLC (0x1002) FIRST_UNIT : 42 NO_UNITS : 5 =============================== ID : SBL2 (0x4) ATTR : RO SLC (0x1002) FIRST_UNIT : 47 NO_UNITS : 5 =============================== ID : PARAM (0x15) ATTR : RW STL SLC (0x1101) FIRST_UNIT : 52 NO_UNITS : 20 =============================== ID : KERNEL (0x6) ATTR : RO SLC (0x1002) FIRST_UNIT : 72 NO_UNITS : 30 =============================== ID : RECOVERY (0x7) ATTR : RO SLC (0x1002) FIRST_UNIT : 102 NO_UNITS : 30 =============================== ID : FACTORYFS (0x16) ATTR : RW STL SLC (0x1101) FIRST_UNIT : 132 NO_UNITS : 1146 =============================== ID : DBDATAFS (0x17) ATTR : RW STL SLC (0x1101) FIRST_UNIT : 1278 NO_UNITS : 536 =============================== ID : CACHE (0x18) ATTR : RW STL SLC (0x1101) FIRST_UNIT : 1814 NO_UNITS : 140 =============================== ID : MODEM (0xb) ATTR : RO SLC (0x1002) FIRST_UNIT : 1954 NO_UNITS : 50 =============================== loke_init: j4fs_open success.. load_lfs_parameters valid magic code and version. load_debug_level reading debug level from file successfully(0x574f4c44). init_fuel_gauge: vcell = 4062mV, soc = 95 reading nps status file is successfully!. nps status=0x504d4f43 PMIC_IRQ1 = 0x0 PMIC_IRQ2 = 0x0 PMIC_IRQ3 = 0x0 PMIC_IRQ4 = 0x0 PMIC_STATUS1 = 0x0 PMIC_STATUS2 = 0x0 get_debug_level current debug level is 0x574f4c44. aries_process_platform: Debug Level Low keypad_scan: key value ----------------->= 0x0 CONFIG_ARIES_REV:48 , CONFIG_ARIES_REV03:48 aries_process_platform: final s1 booting mode = 0 DISPLAY_PATH_SEL[MDNIE 0x1]is on MDNIE setting Init start!! vsync interrupt is off video interrupt is off [fb0] turn on MDNIE setting Init end!! Autoboot (0 seconds) in progress, press any key to stop get_debug_level current debug level is 0x574f4c44. get_debug_level current debug level is 0x574f4c44. boot_kernel: Debug Level Low FOTA Check Bit Read BML page=, NumPgs= FOTA Check Bit (0xffffffff) Load Partion idx = (6) ..............................done Kernel read success from kernel partition no.6, idx.6. setting param.serialnr=0x38301804 0xb3e900ec setting param.board_rev=0x30 setting param.cmdline=console=ttySAC2,115200 loglevel=4 Starting kernel at 0x32000000...
Galaxy Nexus¶
reading nps status file is successfully!. nps status=0x504d4f43 PMIC_IRQ1 = 0x80 PMIC_IRQ2 = 0x0 PMIC_IRQ3 = 0x1 PMIC_IRQ4 = 0x0 PMIC_STATUS1 = 0x80 PMIC_STATUS2 = 0x0 get_debug_level current debug level is 0x574f4c44. aries_process_platform: Debug Level Low keypad_scan: key value ----------------->= 0x40 CONFIG_ARIES_REV:48 , CONFIG_ARIES_REV03:48 aries_process_platform: final s1 booting mode = 0 DISPLAY_PATH_SEL[MDNIE 0x1]is on MDNIE setting Init start!! vsync interrupt is off video interrupt is off [fb0] turn on MDNIE setting Init end!! Autoboot (0 seconds) in progress, press any key to stop get_debug_level current debug level is 0x574f4c44. get_debug_level current debug level is 0x574f4c44. boot_kernel: Debug Level Low FOTA Check Bit Read BML page=, NumPgs= FOTA Check Bit (0xffffffff) Load Partion idx = (6) ..............................done Kernel read success from kernel partition no.6, idx.6. setting param.serialnr=0x38301804 0xb3e900ec setting param.board_rev=0x30 setting param.cmdline=console=ttySAC2,115200 loglevel=4 Starting kernel at 0x32000000...
JTAG¶
Here is the location and the description of the JTAG pins on the Nexus S board:
JTAG was untested on the device so far.
Conclusions¶
- Heimdall mode is accessible but we didn't try to flash images with heimdall
- Serial can be set up and works
- The bootrom(IROM) seems signed:
IROM e-fused
- JTAG is there but we didn't try it
As the IROM is apparently signed, porting a free bootloader will most likely fail as Primary Boot Loader (PBL).
Updated by Wolfgang Wiedmeyer over 7 years ago · 29 revisions