Replicant

h2. Introduction

This page contains information on how to get serial on at least the following phones:

* Nexus S

* Galaxy Nexus

h2. Information

* The S5PC110 has a bootrom

* The Nexus S has an USB port with an FSA9480 behind it

h2. Serial Console

It is possible to setup a serial console on the Nexus S. It will show:

* the 1st bootloader output

* the 2nd bootloader output

* the 2nd bootloader @#2@ output

* the fiq debugger

* (the kernel output if enabled)

h3. How to enable serial console

* Completely turn off the Nexus S

* Attach the microUSB connector to the Nexus S

* Wire GND and ID (from the microUSB connector) to a 150K resistor

* Get an UART to USB module like this one: https://roboticsdna.in/product/usb-to-ttl-cp2012-module-5-pin/

* Wire it following this table:

|_. UART to USB board output |_. Resistor |_. microUSB connector(s) name(s) |_. microUSB wire color |

| N/A | 150K Ohm | ID and GND | ID not wired (the 5th connector that is unused), GND is black |

| 3.3V | N/A | V+ | red |

| GND | N/A | GND | black |

| Rx | N/A | D- | white |

| Tx | N/A | D+ | green |

*Warning: the voltage to use is 3.3V and not 5V! Using 5V can cause serious damages to the UART component.*

To read/write on the serial, you can use screen (or picocomm, or any other software that deals with serial consoles):

115200 is the baud rate to use (certainly with most UART to USB board). 

Then, do a regular boot. You should see the second bootloader @#2@ output. To get the 1st and 2nd bootloaders output, press <enter> to get in fiq debugger and write "reboot" then <enter>.

Photos: here's what it looks like when all setup:

!serial_1145.jpeg!

!serial_1150.JPG!

!serial_1151.jpeg!

!uart_board.jpg!

The UART to USB board. USB is connected to the host PC, UART pins to the microUSB connector.

!nexuss_resistor.jpg!

The 150K resistor (two resistors here that make 150K together) soldered to the microUSB connector, that is attached to the Nexus S.

_Note: it was done the quick and dirty way here, it's better to use a protoboard (prototyping board)._ 

!nexuss_global_text.jpg!

The USB cable that is connected to the Nexus S ends on the connectors attached to the UART to USB board.

_Note: it was done the quick and dirty way here, it's better to use a protoboard (prototyping board)._

h3. Bootloaders outputs

h4. Nexus S

first bootloader:

<pre>

-----------------------------------------------------------

   Samsung Primitive Bootloader (PBL) v3.0

   Copyright (C) Samsung Electronics Co., Ltd. 2006-2010

-----------------------------------------------------------

Muxed [[OneNAND]] 512MB (0x50) Sync

Scanning Bad Block .......

Bad Block 77 (5)

Bad Block 295 (5)

Bad Block 1232 (5)

Bad Block 1646 (5)

Bad Block 1831 (5)

Bad Block 2047 (0)

SBL loadding success

Set cpu clk. from 400MHz to 800MHz.

OM=0x9, device=OnenandMux(Audi)

IROM e-fused - Secure Boot Version.

</pre>

second bootloader:51ea3aaa63e65b74b7386fe1365d7b52f4495c43

<pre>

-----------------------------------------------------------

   Samsung Secondary Bootloader (SBL) v3.0

   Copyright (C) Samsung Electronics Co., Ltd. 2006-2010

   Board Name: HERRING REV 52

   Build On: Jan 20 2011 17:19:41

-----------------------------------------------------------

MMC SEM16G 15188 MB

Re_partition: magic code(0x0)

Muxed [[OneNAND]] 512MB (0x50) Sync

Scanning Bad Block .......

Bad Block 77 (5)

Bad Block 295 (5)

Bad Block 1232 (5)

Bad Block 1646 (5)

Bad Block 1831 (5)

Bad Block 2047 (0)

Partitions loading success

Read image(PARAM) from flash .......

Done

init_fuel_gauge: vcell = 4083mV, soc = 94

PMIC_IRQ1    = 0xc0 

PMIC_IRQ2    = 0x0 

PMIC_IRQ3    = 0x0 

PMIC_IRQ4    = 0x0 

PMIC_STATUS1 = 0x0 

PMIC_STATUS2 = 0x0 

PMIC_STATUS3 = 0x0 

PMIC_STATUS4 = 0x0 

PMIC_STATUS5 = 0x0 

PMIC_SMPL    = 0x0 

Key scan = 0x0

message.command = 

message.status = 

message.recovery = 

</pre>

second bootloader @#2@:

<pre>

BOOT_MODE_NORMAL (SW_RST(0x00000004), INFORM(0x000000ee))

LCD ID = 0x0060a953

Done

Kernel(boot.img) read success from partition no.5

Setting param.serialnr = 0x3733bab6 0x6de200ec

Setting param.board_rev = 0x34

Setting param.cmdline = console=ttyFIQ0 no_console_suspend androidboot.serialno=3733BAB66DE200EC androidboot.bootloader=I9020XXKA3 androidboot.baseband=I9020XXKB3 androidboot.info=0x4,0xee,1 androidboot.carrier=EUR gain_code=3 s3cfb.bootloaderfb=0x34a00000 mach-herring.lcd_type=0x00000000 oem_state=unlocked 

Setting param.initrd_start = 0x31000000, param.initrd_size = 0x23265

Starting kernel at 0x30008000...

Uncompressing Linux... done, booting the kernel.

</pre>

kernel

<pre>

<hit enter to activate fiq debugger>

</pre>

h4. Galaxy S

<pre>

-----------------------------------------------------------

   Samsung Primitive Bootloader (PBL) v3.0

   Copyright (C) Samsung Electronics Co., Ltd. 2006-2010

-----------------------------------------------------------

+n1stVPN       2688 

+nPgsPerBlk    64 

PBL found bootable SBL: Partition(3).

Set cpu clk. from 400MHz to 800MHz.

OM=0x9, device=OnenandMux(Audi)

IROM e-fused - Non Secure Boot Version.

-----------------------------------------------------------

   Samsung Secondary Bootloader (SBL) v3.0

   Copyright (C) Samsung Electronics Co., Ltd. 2006-2010

   Board Name: ARIES REV 03

   Build On: Dec 29 2011 16:57:09

-----------------------------------------------------------

Re_partition: magic code(0x0)

[PAM:   ] ++FSR_PAM_Init

[PAM:   ]   OneNAND physical base address       : 0xb0000000

[PAM:   ]   OneNAND virtual  base address       : 0xb0000000

[PAM:   ]   OneNAND nMID=0xec : nDID=0x50

[PAM:   ] --FSR_PAM_Init

fsr_bml_load_partition: pi->nNumOfPartEntry = 12

partitions loading success

board partition information update.. source: 0x0

.Done.

read 1 units.

==== PARTITION INFORMATION ====

 ID         : IBL+PBL (0x0)

 ATTR       : RO SLC (0x1002)

 FIRST_UNIT : 0

 NO_UNITS   : 1

===============================

 ID         : PIT (0x1)

 ATTR       : RO SLC (0x1002)

 FIRST_UNIT : 1

 NO_UNITS   : 1

===============================

 ID         : EFS (0x14)

 ATTR       : RW STL SLC (0x1101)

 FIRST_UNIT : 2

 NO_UNITS   : 40

===============================

 ID         : SBL (0x3)

 ATTR       : RO SLC (0x1002)

 FIRST_UNIT : 42

 NO_UNITS   : 5

===============================

 ID         : SBL2 (0x4)

 ATTR       : RO SLC (0x1002)

 FIRST_UNIT : 47

 NO_UNITS   : 5

===============================

 ID         : PARAM (0x15)

 ATTR       : RW STL SLC (0x1101)

 FIRST_UNIT : 52

 NO_UNITS   : 20

===============================

 ID         : KERNEL (0x6)

 ATTR       : RO SLC (0x1002)

 FIRST_UNIT : 72

 NO_UNITS   : 30

===============================

 ID         : RECOVERY (0x7)

 ATTR       : RO SLC (0x1002)

 FIRST_UNIT : 102

 NO_UNITS   : 30

===============================

 ID         : FACTORYFS (0x16)

 ATTR       : RW STL SLC (0x1101)

 FIRST_UNIT : 132

 NO_UNITS   : 1146

===============================

 ID         : DBDATAFS (0x17)

 ATTR       : RW STL SLC (0x1101)

 FIRST_UNIT : 1278

 NO_UNITS   : 536

===============================

 ID         : CACHE (0x18)

 ATTR       : RW STL SLC (0x1101)

 FIRST_UNIT : 1814

 NO_UNITS   : 140

===============================

 ID         : MODEM (0xb)

 ATTR       : RO SLC (0x1002)

 FIRST_UNIT : 1954

 NO_UNITS   : 50

===============================

loke_init: j4fs_open success..

load_lfs_parameters valid magic code and version.

load_debug_level reading debug level from file successfully(0x574f4c44).

init_fuel_gauge: vcell = 4062mV, soc = 95

reading nps status file is successfully!.

nps status=0x504d4f43

PMIC_IRQ1    = 0x0 

PMIC_IRQ2    = 0x0 

PMIC_IRQ3    = 0x0 

PMIC_IRQ4    = 0x0 

PMIC_STATUS1 = 0x0 

PMIC_STATUS2 = 0x0 

get_debug_level current debug level is 0x574f4c44.

aries_process_platform: Debug Level Low

keypad_scan: key value ----------------->= 0x0

CONFIG_ARIES_REV:48 , CONFIG_ARIES_REV03:48 

aries_process_platform: final s1 booting mode = 0

DISPLAY_PATH_SEL[MDNIE 0x1]is on

MDNIE setting Init start!!

vsync interrupt is off

video interrupt is off

[fb0] turn on

MDNIE setting Init end!!

Autoboot (0 seconds) in progress, press any key to stop 

get_debug_level current debug level is 0x574f4c44.

get_debug_level current debug level is 0x574f4c44.

boot_kernel: Debug Level Low

FOTA Check Bit 

 Read BML page=, NumPgs=

FOTA Check Bit (0xffffffff)

Load Partion idx = (6)

..............................done

Kernel read success from kernel partition no.6, idx.6.

setting param.serialnr=0x38301804 0xb3e900ec

setting param.board_rev=0x30

setting param.cmdline=console=ttySAC2,115200 loglevel=4

Starting kernel at 0x32000000...

</pre>

h4. Galaxy Nexus 

<pre>

reading nps status file is successfully!.

nps status=0x504d4f43

PMIC_IRQ1    = 0x80 

PMIC_IRQ2    = 0x0 

PMIC_IRQ3    = 0x1 

PMIC_IRQ4    = 0x0 

PMIC_STATUS1 = 0x80 

PMIC_STATUS2 = 0x0 

get_debug_level current debug level is 0x574f4c44.

aries_process_platform: Debug Level Low

keypad_scan: key value ----------------->= 0x40

CONFIG_ARIES_REV:48 , CONFIG_ARIES_REV03:48 

aries_process_platform: final s1 booting mode = 0

DISPLAY_PATH_SEL[MDNIE 0x1]is on

MDNIE setting Init start!!

vsync interrupt is off

video interrupt is off

[fb0] turn on

MDNIE setting Init end!!

Autoboot (0 seconds) in progress, press any key to stop 

get_debug_level current debug level is 0x574f4c44.

get_debug_level current debug level is 0x574f4c44.

boot_kernel: Debug Level Low

FOTA Check Bit 

 Read BML page=, NumPgs=

FOTA Check Bit (0xffffffff)

Load Partion idx = (6)

..............................done

Kernel read success from kernel partition no.6, idx.6.

setting param.serialnr=0x38301804 0xb3e900ec

setting param.board_rev=0x30

setting param.cmdline=console=ttySAC2,115200 loglevel=4

Starting kernel at 0x32000000...

</pre>

h2. JTAG

Here is the location and the description of the JTAG pins on the Nexus S board:

!jtag-pins.png!

!jtag-pins-desc.png!

JTAG was untested on the device so far. 

h2. Conclusions

* Heimdall mode is accessible but we didn't try to flash images with Heimdall

* Serial can be set up and works

* The bootrom (IROM) seems signed: @IROM e-fused@

* JTAG is there but we didn't try it

*As the IROM is apparently signed, porting a free bootloader will most likely fail as Primary Boot Loader (PBL).*