Wednesday, May 30, 2012

HTC Dream & Magic: JTAG

What is JTAG?

JTAG is a hardware debugging interface, allowing both to validate that the hardware has been assembled correctly and to provide debug access to the CPU of the device. This is usually available independent of firmware. It allows debugging at a level sometimes inaccessible by any other means (short of very expensive test equipment).

Both the HTC Dream's and HTC Magic's processors support the JTAG interface; however, they do not have a standard JTAG port. This means we must build an interface between the phone and an ARM compatible JTAG adapter. As we are on a very open source device, we will be using OpenOCD to access the device's CPU in debug mode and to load/execute commands for all the hacks described here.

What can be done with JTAG?

Many things: JTAG is great for debugging the bootloaders on the devices before the Linux environment of Android is booted.

Our main focus is:

  • Restoring bricks to operation
  • Installing Engineering SPLs (until a software means is available)

NOTE: This is a very advanced procedure — thus is not recommended for rooting devices unless there is no other method & you are very comfortable with the procedure.

Preparations

You will require the following to proceed through this procedure:

OpenOCD compatible JTAG adapter supporting a 2.6V reference voltage
  Some known to work examples are:

2.6V reference voltage
  This may come from:
  • The device — please see the device's pin-out if a 2.6V reference voltage is known
  • An LM317 variable voltage regulator with an input voltage between 5V (USB port) and 9V (square battery or ARM-USB-OCD power port)

HTC serial wire
  Used to interact with OEMSBL & to output debug information from the phone. Some options are:
  • Instructables wire (an example)
  • MAX232 adapter to convert the serial port to the approx. 2.8V/3.3V TTY levels the phone serial port operates at
  NOTE: OEMSBL doesn't always boot correctly when the phone is charging, thus it is recommended to leave +5V detached or able to be detached. It is also possible to make a wire that attaches to both USB & serial.

OpenOCD v0.4.0
  This has only been tested with 0.4.0. OpenOCD frequently changes its software, so other versions may or may not be compatible with the instructions here.

OpenOCD CFG files
  Some pre-made ones (each has configuration for JTAG adapter + device):

  The generic profile does not specify a JTAG interface. Please specify the one for your adapter. See /usr/share/openocd/scripts/interface/ from your install for examples.

Engineering SPL
  Extract the hboot.img file from the recommended SPL update.zip:
  • Dream 1.33.2005
    MD5: 2B1AAA9012DC28F88C482E1B21A46FDD
  • Magic 1.33.2009
    MD5: 6FE91DDD2AC591F8EE838CEA3E5F84B0

Radio 3.22.26.17
  MD5: 0eb7c5530ef38eeaa07590e6924c7814
  NOTE: If this is already installed on the device, you will not need it. There are also ways to skip using this radio, but for simplicity it is advised to install it until the phone is restored to working order.
  NOTE: This was originally released as a radio for the Rogers Dream; however, it will work on all Dream and Magic devices.

EBI1 recovery image

Fully charged battery
  This is highly recommended prior to opening up the phone.

Working radio firmware
  We use the radio firmware to help fix the phone, so if the radio doesn't work, this process will not work.

  How to tell: if the phone is turned off & the LED turns on (green/red/orange) indicating the phone is charging, the radio is working. Alternatively, if you power on the phone while holding down the trackball, the LED on the phone should turn blue (i.e. blue LED mode).

Attach the JTAG

This is unfortunately the hard part, attaching the JTAG adapter to the device.

You will need to attach the following wires to the device:

  • TRST-N
  • TDI
  • TMS
  • TCK
  • TDO
  • GND
  • vREF (not required if you built the LM317 circuit)

GND is anything electrically connected to the battery's negative terminal. This includes all of the device's shielding.

Where the points can be found:

  • Dream: link
    (Photo of the data wires and ground soldered to the main board via twitpic)
  • Magic: link
    (Photo of the data wires soldered to the main board via twitpic [note ground is not shown in this photo])

This then needs to be attached to the JTAG adapter.

  • If you built one, please see the connection points in your schematic.
  • If you have a standard ARM 20-pin adapter, look at its pin-out.

Please ensure Ground is well connected and the voltages are correct before attaching to the phone or adapter.

Loading Radio 3.22.26.17

If this is the radio already being used (example if you are a Rogers Dream user with 911 update applied) you may skip this. However, if you are uncertain of what version of the radio is being used or if a different radio is being used, please proceed.

This is based off ezterry's instructions found here.

Theory

The concept is simple. Normally the SPL loads the radio (radio.img) into RAM then calls the OEMSBL radata command to actually flash it. Here we can't boot the SPL, so we will load it into RAM via JTAG then call radata <offset> <size> ourselves, with the offset at which we loaded the file.

Please note the Magic 6.x radio requires different offsets or the flash will fail. It will not further brick the device, just fail to flash. Please see note about the radio below for the correct offset.

Steps

  1. Attach JTAG wires to the phone (do not start OpenOCD).
  2. While holding down the trackball button (the scroll ball), press power. The phone should turn on the blue LED, if the screen is attached. If the screen is not attached, let's assume it did.
  3. Plug in the HTC serial wire.
  4. Start a terminal session on the serial wire:
    • POSIX: run screen /dev/<serial device> 115200 where <serial device> is the TTY used by the HTC serial connector
    • Windows: connect to the COM port at speed 115200, 8-bit mode, without software or hardware flow control
  5. Over the serial line, type ? and press enter. The phone will not echo what you type but should reply with:
    Invalid command : ?
  6. Now launch OpenOCD from the directory with the cfg file. Run openocd -f <dream|magic>.cfg, replacing <dream|magic> with the name of the cfg file you created for the phone. We should now see:
    Open On-Chip Debugger 0.4.0 (2010-03-04-07:17)
    Licensed under GNU GPL v2
    For bug reports, read
        http://openocd.berlios.de/doc/doxygen/bugs.html
    trst_and_srst srst_pulls_trst srst_gates_jtag trst_push_pull srst_open_drain
    dcc downloads are enabled
    fast memory access is enabled
    Info : clock speed 6000 kHz
    Info : JTAG tap: arm9.cpu tap/device found: 0xa01700e1 (mfg: 0x070, part: 0x0170, ver: 0xa)
    Info : Embedded ICE version 6
    Info : arm9: hardware has 2 breakpoint/watchpoint units
  7. Connect to OpenOCD via telnet (connect to port 4444 on localhost: 'telnet localhost 4444') and load the radio image into RAM:
    1. type 'halt' (then enter)
    2. type 'load_image /tmp/radio-3.22.26.17_dream.img 0x103B5300' (then enter), replacing '/tmp/' with the path to your copy of the radio image
    3. type 'resume' (then enter)
    4. type 'shutdown' (then enter) to exit OpenOCD and terminate the JTAG server
    Trying ::1...
    telnet: connect to address ::1: Connection refused
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    Open On-Chip Debugger
    > halt
    target state: halted
    target halted in ARM state due to debug-request, current mode: Supervisor
    cpsr: 0x800000d3 pc: 0x00947b8c
    MMU: disabled, D-Cache: disabled, I-Cache: disabled
    > load_image /tmp/radio-3.22.26.17_dream.img 0x103B5300
    No working memory available. Specify -work-area-phys to target.
    no working area available, falling back to memory writes
    22020096 bytes written at address 0x103b5300
    downloaded 22020096 bytes in 813.456421s (26.435 kb/s)
    > resume
    > shutdown
    shutdown command invoked
    > Connection closed by foreign host.
    NOTE: This will take a while (45 minutes is still normal). There will be no output after "falling back to memory writes" until the upload is finished.
  8. Over the HTC serial console run 'radata 103B5300 01500000' (then enter). This will take a moment to validate and flash the radio.
    FA0F129C
    Format EFS...
    EFS Block: 234-277
    Erase Block: 234
    Erase Block: 235
    Erase Block: 236
    Erase Block: 237
    ...continues ...
    Erase Block: 272
    Erase Block: 273
    Erase Block: 274
    Erase Block: 275
    Erase Block: 276
    Erase Block: 277
    Done
    HTCST   ���HTCE
  9. Over the HTC serial console run 'powerdown' (then enter). This will turn off the phone (if you run '?' after this you ought to receive no reply).

Now radio 3.22.26.17 is installed and we can continue with the rest of the instructions

Magic 32A users with 6.x radio

If you have the 6.x radio installed the 3.22.26.17 radio loading procedure will fail as documented above.

Two simple changes will get you on your way:

  • Change the openocd command 'load_image /tmp/radio-3.22.26.17_dream.img 0x103B5300' to 'load_image /tmp/radio-3.22.26.17_dream.img 0x19500000'
  • Change the radio command 'radata 103B5300 01500000' to 'radata 19500000 01500000'

If you are unsure of the radio installed:

The radata command usually outputs "FA0F129C" in under 5 minutes; this indicates the signature of the radio image is valid and flashing is beginning. However, with the 6.x radio we never reach that point.

So after 5 minutes of waiting (check your clock), unplug the power to the JTAG adapter, the serial wire and the battery to power down the system, then try again with the 6.x radio modifications.

Soft boot And Flash Engineering SPL

Now we will need to load the Engineering SPL into RAM and force it to enter fastboot (this is the 2005/2009 SPL you have already downloaded).

This is based off the following posts by ezterry and bart99:

http://forum.xda-developers.com/showpost.php?p=5934885&postcount=6
http://forum.xda-developers.com/showpost.php?p=5911627&postcount=302
http://forum.xda-developers.com/showpost.php?p=6260574&postcount=510

Theory

The high-level approach is to first bypass the security check that prevents us from running the additional OEMSBL commands. This is done by changing the instruction at 0x0090379C from a beq (branch if equal) to b (unconditional branch), in turn changing the logic from if(security flag){} to if(false){}.

Next we slightly modify the 'cego' command to skip loading the SPL from flash (and thus just use the contents already in RAM instead): 0x9029d8 is a bl (branch with link) that we NOP out.

Last, we load the SPL into RAM ourselves (at 0x0) and modify it so that boot modes 0, 1, 2 and 3 all enter fastboot instead of their usual operations. 0x00000c00 - 0x00000c0c is the switch jump table.

Note these offsets only apply to the 3.22.26.17 radio, so that radio needs to be loaded via radata before starting this process (if not already installed, as in the case of rooting a Rogers 911-patched Dream).
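To check the two code patches above rather than take the mww words on faith, here is an added Python helper (example code, not part of the original post or the XDA threads it cites) that decodes and encodes A32 B/BL instructions; the post does not quote the original beq word at 0x0090379C, so the example assumes it carried the same 24-bit offset as the patched word 0xea000013.

```python
# Added example, not from the original post: decode/encode A32 B and BL
# instructions so the 'mww' words in the SPL steps can be verified. The
# addresses and the patched word 0xea000013 are from the post; the original
# beq word is an assumption (same 24-bit offset, condition EQ).

COND = ["EQ", "NE", "CS", "CC", "MI", "PL", "VS", "VC",
        "HI", "LS", "GE", "LT", "GT", "LE", "AL", "NV"]

def decode_branch(addr, word):
    """Decode an A32 B/BL located at addr. Returns (cond, link, target) or None."""
    if (word >> 25) & 0b111 != 0b101:       # bits 27..25 must be 101 for B/BL
        return None
    cond = COND[(word >> 28) & 0xF]
    link = bool((word >> 24) & 1)
    imm24 = word & 0x00FFFFFF
    if imm24 & 0x800000:                    # sign-extend the 24-bit word offset
        imm24 -= 1 << 24
    # In ARM state the reference PC is the instruction address + 8
    target = (addr + 8 + (imm24 << 2)) & 0xFFFFFFFF
    return cond, link, target

def encode_branch(addr, target, cond="AL", link=False):
    """Encode an A32 B/BL at addr jumping to target."""
    delta = target - (addr + 8)
    if delta % 4:
        raise ValueError("branch target must be word aligned")
    imm24 = delta >> 2
    if not -(1 << 23) <= imm24 < (1 << 23):
        raise ValueError("branch target out of range (+/-32 MiB)")
    return ((COND.index(cond) << 28) | (0b101 << 25)
            | (int(link) << 24) | (imm24 & 0x00FFFFFF))

def force_unconditional(word):
    """Turn a conditional branch into 'b': only condition bits 31..28 change and
    the offset is untouched, which is exactly what writing 0xea000013 does."""
    if decode_branch(0, word) is None:
        raise ValueError("not a B/BL instruction")
    return (word & 0x0FFFFFFF) | (0xE << 28)

def is_effective_nop(word):
    """True for a data-processing AND with Rd == Rn == Rm, no shift and no flag
    update: executing it changes nothing. 0x00000000 ('andeq r0, r0, r0'), the
    word the post writes over the bl at 0x9029d8, is the usual instance."""
    regs = {(word >> 16) & 0xF, (word >> 12) & 0xF, word & 0xF}
    return ((word >> 25) & 0b111 == 0 and (word >> 20) & 0x1F == 0
            and (word >> 4) & 0xFF == 0 and len(regs) == 1)

def check_post_patches():
    """Re-derive the two OEMSBL code patches from the post's theory section."""
    site, patched = 0x0090379C, 0xEA000013
    _, _, skip_target = decode_branch(site, patched)
    assumed_beq = encode_branch(site, skip_target, cond="EQ")
    return {
        "assumed_beq_word": assumed_beq,                   # 0x0A000013
        "b_word": force_unconditional(assumed_beq),        # 0xEA000013
        "skipped_block_ends_at": skip_target,              # 0x009037F0
        "nop_patch_is_harmless": is_effective_nop(0x0),    # True
    }
```

The same helper flags a typo in an mww word immediately: anything whose bits 27..25 are not 101 is not a branch at all and would corrupt the OEMSBL rather than patch it.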

Steps

Note: If you have just loaded the radio you can probably skip steps 1, 3 and 4, as they ought to already be done.

  1. Attach JTAG wires to the phone (do not start OpenOCD).
  2. While holding down the 'Action' button (the scroll ball), press power. The phone ought to have turned on the blue LED if the screen is attached; if not, let's assume it did.
  3. Plug in the HTC serial wire.
  4. Start a terminal session on the serial wire:
    • POSIX: run 'screen /dev/<serial device> 115200' where <serial device> is the TTY used by the HTC serial connector
    • Windows: connect to the COM port at speed 115200, 8-bit mode, without software or hardware flow control
  5. Over the serial line type '?' (then enter).
    The phone will not echo what you type but ought to reply:
    Invalid command : ?
  6. Now start OpenOCD: from the directory with the cfg file run:
    openocd -f <dream|magic>.cfg
    replacing <dream|magic> with the name of the cfg file you created for the device.
    We ought to now see:
    Open On-Chip Debugger 0.4.0 (2010-03-04-07:17)
    Licensed under GNU GPL v2
    For bug reports, read
        http://openocd.berlios.de/doc/doxygen/bugs.html
    trst_and_srst srst_pulls_trst srst_gates_jtag trst_push_pull srst_open_drain
    dcc downloads are enabled
    fast memory access is enabled
    Info : clock speed 6000 kHz
    Info : JTAG tap: arm9.cpu tap/device found: 0xa01700e1 (mfg: 0x070, part: 0x0170, ver: 0xa)
    Info : Embedded ICE version 6
    Info : arm9: hardware has 2 breakpoint/watchpoint units
  7. Connect to OpenOCD via telnet (connect to port 4444 on localhost: 'telnet localhost 4444') and load hboot.img (the SPL) into RAM with the following commands:
    • halt
    • mww 0x0090379C 0xea000013
    • mww 0x9029d8 0x0
    • load_image /tmp/hboot.img 0x0
    • mww 0x00000c0c 0x98000C4C
    • mww 0x00000c08 0x98000C4C
    • mww 0x00000c04 0x98000C4C
    • mww 0x00000c00 0x98000C4C
    • resume
    • shutdown
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    Open On-Chip Debugger
    > halt
    target state: halted
    target halted in ARM state due to debug-request, current mode: Supervisor
    cpsr: 0x000000d3 pc: 0x00946d78
    MMU: disabled, D-Cache: disabled, I-Cache: disabled
    > mww 0x0090379C 0xea000013
    > mww 0x9029d8 0x0
    > load_image /tmp/hboot.img 0x0
    No working memory available. Specify -work-area-phys to target.
    no working area available, falling back to memory writes
    524288 bytes written at address 0x00000000
    downloaded 524288 bytes in 11.620226s (44.061 kb/s)
    > mww 0x00000c0c 0x98000C4C
    > mww 0x00000c08 0x98000C4C
    > mww 0x00000c04 0x98000C4C
    > mww 0x00000c00 0x98000C4C
    > resume
    > shutdown
    shutdown command invoked
    > Connection closed by foreign host.
  8. Over the serial line type 'version' (then enter):
    OEMSBL VERSION: 3.22.26.17
    OEMSBL Build Date: Jan 17 2010 12:08:33
    PLATFORM: DREAM
    PID: 31
    PLATFORM ID: 0

    (Platform ought to represent the actual platform, so Magic users will likely see MAGIC.) This indicates we are unlocked and can continue.

  9. Over the serial line type 'cego' (then enter):
    Boot CE manually...
    Done.

    and output continues until

    ARM11 Boot Mode: 0
    Platform: HBOOT-7201A

    ###[ Fastboot Mode ]###

    (Note: if you were bricked you may see a different boot mode, but if you reach "Fastboot Mode" you are in the correct mode.)

  10. Plug the USB wire into the phone (unplug the serial wire first unless the wire supports both USB+serial).
  11. Run 'fastboot devices' on your computer; this ought to echo the device's serial number.
  12. Run the following fastboot commands, where hboot.img is the Engineering SPL and recovery.img is the recovery you downloaded in the preparations section:
    fastboot erase hboot
    fastboot erase recovery
    fastboot erase system
    fastboot erase userdata
    fastboot erase cache
    fastboot erase boot
    fastboot flash hboot hboot.img
    fastboot flash recovery recovery.img
    fastboot oem powerdown

We have now flashed an Engineering SPL and thus can install any EBI1 or Magic 32A port. Prior to removing the JTAG it is recommended to ensure recovery boots; if the screen is not attached this can still be checked by watching for Linux boot debug messages over the serial line. It is possible that the phone will not react to the key combination used to enter recovery: in some cases the phone is stuck in one of the boot modes. In such a case it helps to enter blue LED mode, type "setboot 0" into the console and press enter. The response will be "ARM9BootMode:0". After rebooting, the phone should react to the recovery key combination.

Remember, even if you had a T-Mobile Dream (which is usually EBI0) you now have an EBI1 phone because of the 3.x radio installed; this will work fine with the radio. However, many people will wish to return to EBI0 radios; please see the following sections for additional information.

Flashing CyanogenMod

Currently you have installed an EBI1 radio with EBI1 recovery, thus we have various options depending on the type of phone you have.

HTC Dream/Magic (Non-Fender)

Here we have two options

  1. Install the EBI1 port (common on Magic 32A and non-Google-branded Dreams, but will work on any Magic/Dream)
  2. Install the EBI0 port (common on Magic 32B and Google-branded Dreams; will work on all Magic/Dreams, however the Magic 32A will not have all of its memory available)

EBI1 port

Install as per the instructions on the upgrading from rooted roms page, including the EBI1 port recommended for Magic32A and Rogers Dream users.

EBI0 port

Before we install, we will need to revert the radio back to EBI0:

  1. Download the 2.22.23.02 radio (MD5: faf0db41d28daf1cefefc7be0fceb55c)
  2. Extract the radio.img from the zip file
  3. Download EBI0 recovery:
  4. Enter fastboot on your phone and run the following fastboot commands
    • fastboot flash radio radio.img
    • fastboot reboot-bootloader
  5. Verify the radio at the top of the screen is now the 2.x radio
  6. Flash the recovery image, replacing "recovery.img" with the EBI0 recovery you downloaded
    • fastboot flash recovery recovery.img
  7. Ensure the system is clean
    • fastboot erase system -w
    • fastboot erase boot
  8. Install as per the instructions on the upgrading from rooted roms page

HTC Magic — Fender/3.5mm Jack

We must return to the Fender's SPL/radio. This is best described on the Fender upgrade guide: Installation

Note: you will not need to flash the sapping.zip, Start with 'Download the following zip file (the stock myTouch SPL and Radio)' and continue until CyanogenMod is installed.

DeathSPL Flashed on 1.x Radio

The process outlined above assumes the only thing working (or that you trust) is an unknown radio. However, a common type of brick is the 1.33.2005 SPL flashed on a Dream with a 1.x radio.

The above process will still work in this case, but if you know you are facing this particular type of brick, a simplified version follows:

  1. Download the 2.22.23.02 radio (MD5: faf0db41d28daf1cefefc7be0fceb55c)
  2. Extract the radio.img from the file
  3. Follow the Loading Radio 3.22.26.17 process, substituting the 3.22.26.17 radio.img with the 2.22.23.02 radio.img
  4. Once the correct radio is installed, boot the phone and it ought to enter recovery mode as if you had just flashed SPL 1.33.2005
  5. Enter the command line and run 'reboot bootloader' to return to fastboot
  6. Ensure the system is clean
    • fastboot erase system -w
    • fastboot erase boot
  7. Install as per the instructions on the upgrading from rooted roms page

Credits

XDA ezterry
First Dream Debrick and author of the process
XDA bart9984 (aka bart99)
First Magic Debrick via this process
XDA BinaryDroid
Device hacking + Dream jtag points
XDA scholbert
For hardware knowledge and a large quantity of information required to make this work
ORT szxtso
For the magic jtag test points

Also thanks to the many others that helped to make this possible; or gave insight to the various components used.

1 comment:

  1. The best article that I have never seen before with useful content and very informative. Thanks for sharing the info.
    JTAG
