release
dev builds
extras
themes manual
wiki
device status forums
mailing lists
IRC bugs
patches
dev guide



Search | Go
Wiki > Main > SanDisk > SansaAMS > SansaAMSJTAG (r2)
To use JTAG for unbricking it is necessary to disassemble the device and solder wires to the JTAG pads.

On some Sansa models the pinout is documented on the PCB, on others the JTAG pinout is not documented.

Please look at http://forums.rockbox.org/index.php?topic=14064 first if the pinout is not yet documented on this page.

You will also need a JTAG interface for your computer, if you have a parallel port a simple 'wiggler' type will do the job, but might be slow. The cheapest option for USB JTAG interfaces are FT2232 based devices like the OOCDLink http://www.joernonline.de/contrexx2/cms/index.php?page=126 (a DIY device, schematics, partslist etc. available on the site) or the commercial JTAGKey2.

Finally you need JTAG interfacing software, this guide is written for the open source openocd http://openocd.berlios.de/.

This guide assumes you will use a OOCDLink or compatible, if you use a different device you will have to adjust the openocd configuration accordingly.

General Step by step overview

  1. Attach your player to the JTAG interface, pay special attention to the GND and VREF signals (the latter supplies the target device operating voltage to the level shifters of your JTAG interface). If you create a short here you might destroy your device and/or the JTAG interface
  2. Plug the JTAG interface into your computer
  3. Supply power to your MP3 player board, ideally you will have a lab power supply you can use to provide 3.7V to the battery contacts (make sure you get the polarity right!).
  4. Power on the player board either using the power button or by plugging in USB.
  5. Start the JTAG software and make sure the player CPU is recognized
  6. Halt the CPU
  7. Load the original firmware image starting at address 0 (extracted from the firmware file using utils/AMS/hacking/extract_fw)
  8. Resume execution from address 0 (You may have to set CPSR to 0x60000053 first)
  9. The original firmware should boot now
  10. Connect USB and upload new firmware
  11. Disconnect usb to start the flashing process
  12. If all went well you have now successfully unbricked your AMS Sansa!

Step by step walkthrough

Unfortunately there is no magic bullet yet, the step-by-step may or may not work depending at where exactly the boot fails. Ideally someone would write a patch for openocd so openocd can access the nand flash directly. Right now you have to get the original firmware to boot so you can upload a new firmware image and trigger the flashing process. To achieve this it helps a lot to have some low-level ARM processor/assembly knowledge.

  1. Attach your player to the JTAG interface, pay special attention to the GND and VREF signals (the latter supplies the target device operating voltage to the level shifters of your JTAG interface). If you create a short here you might destroy your device and/or the JTAG interface
  2. Plug the JTAG interface into your computer
  3. Supply power to your MP3 player board, ideally you will have a lab power supply you can use to provide 3.7V to the battery contacts (make sure you get the polarity right!).
  4. Power on the player board either using the power button or by plugging in USB.
  5. Start openocd with your openocd config file, i.e. "openocd -f .cfg"
Open On-Chip Debugger 0.4.0 (2010-02-23-17:04)
Licensed under GNU GPL v2
For bug reports, read
        http://openocd.berlios.de/doc/doxygen/bugs.html
jtag_ntrst_delay: 100
Info : clock speed 6000 kHz
Info : JTAG tap: as3525.cpu tap/device found: 0x00922f0f (mfg: 0x787, part: 0x0922, ver: 0x0)
Info : Embedded ICE version 2
Info : as3525.cpu: hardware has 2 breakpoint/watchpoint units
  1. Open a telnet session on port 4444
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Open On-Chip Debugger
> 
  1. Halt device, upload firmware, resume execution
> halt
target state: halted
target halted in ARM state due to debug-request, current mode: Supervisor
cpsr: 0x60000093 pc: 0x30047bc4
MMU: enabled, D-Cache: enabled, I-Cache: enabled
> reg cpsr 0x60000013
cpsr (/32): 0x60000013
> load_image /path/to/firmware 0
118332 bytes written at address 0x00000000
downloaded 118332 bytes in 4.371294s (26.436 kb/s)
> resume 0
  1. The original firmware should boot now.

Debugging the bootloader

  1. Boot rockbox
  2. Halt the cpu, put a hw breakpoint on address 0, resume execution
> halt
target state: halted
target halted in ARM state due to debug-request, current mode: Supervisor
cpsr: 0x60000093 pc: 0x30047bc4
MMU: enabled, D-Cache: enabled, I-Cache: enabled
> bp 0 4 hw
breakpoint set at 0x00000000
> resume
  1. Trigger a reboot (e.g. plug in usb) or use the JTAG debugger to manually do the steps as in target/arm/as3525/system-as3525.c:system_reboot()
  2. The first time you'll hit the breakpoint will be built-in rom, resume once and you should be at the first stage rockbox bootloader and can single-step it now
target state: halted
target halted in ARM state due to breakpoint, current mode: Supervisor
cpsr: 0x000000d3 pc: 0x00000000
MMU: disabled, D-Cache: disabled, I-Cache: disabled
> resume
target state: halted
target halted in ARM state due to breakpoint, current mode: Supervisor
cpsr: 0x60000053 pc: 0x00000000
MMU: disabled, D-Cache: disabled, I-Cache: disabled

Example OpenOCD configuration

telnet_port 4444
gdb_port 3333

# Note: This is for FT2232 based USB interfaces, if you use a wiggler type parallel port interface refer to the openocd documentation on how to configure it
interface ft2232
# Note: Substitute different layout here if you don't use a oocdlink, refer to openocd documentation for supported layouts.
ft2232_layout oocdlink
# Note: I used an EEPROM-less FT2232 board with the default USB ids, you will have to substitute your JTAG interface USB ids here
ft2232_vid_pid 0x0403 0x6010

jtag_ntrst_delay 100

set _CHIPNAME as3525
set _ENDIAN little
set _CPUTAPID 0x00922f0f

#jtag scan chain
jtag newtap $_CHIPNAME cpu -irlen 4 -expected-id $_CPUTAPID

set _TARGETNAME $_CHIPNAME.cpu
target create $_TARGETNAME arm920t -endian $_ENDIAN -chain-position $_TARGETNAME -variant arm920t

# FIXME: copied from Samsung config
$_TARGETNAME configure -work-area-phys 0x200000 -work-area-size 0x4000 -work-area-backup 1

Known JTAG pinouts

C200v2

C240v2 JTAG pinout

USB

    1 GND
 F  2 TDO
 L  3 TCLK
 A  4 TMS
 S  5 TDI
 H  6 TRST
    7 VCC

RAM

Clip+

ClipPlus JTAG pinout

 DISPLAY
 CONNECTOR

     8      GND
  7         nSRST
     6      TDO   (high impedance)
  5         TCK   (pulldown)
     4      TMS   (pullup)
  3         TDI   (pullup)
     2      nTRST (pulldown)
  1         VCC
 
 BUTTONS

-- TobiasDiedrich - 2010-02-25
Edit | Attach | Print version | History: r5 | r4 < r3 < r2 < r1 | Backlinks | View wiki text | More topic actions...
r2 - 28 Apr 2010 - 15:18:05 - TobiasDiedrich

Parents: SanDisk > SansaAMS
Copyright by the contributing authors.