To use JTAG for unbricking it is necessary to disassemble the device and solder wires to the JTAG pads. PLEASE REMOVE THE RED BATTERY LEAD FROM THE DEVICE BEFORE OPERATING ON IT.

On some Sansa models the pinout is documented on the PCB, on others the JTAG pinout is not documented.

Please look at https://forums.rockbox.org/index.php?topic=14064 first if the pinout is not yet documented on this page.

You will also need a JTAG interface for your computer, if you have a parallel port a simple 'wiggler' type will do the job, but might be slow. The cheapest option for USB JTAG interfaces are FT2232 based devices like the OOCDLink http://www.joernonline.de/contrexx2/cms/index.php?page=126 (a DIY device, schematics, partslist etc. available on the site) or the commercial JTAGKey2.

Finally you need JTAG interfacing software, this guide is written for the open source openocd http://openocd.berlios.de/.

This guide assumes you will use a OOCDLink or compatible, if you use a different device you will have to adjust the openocd configuration accordingly.

General Step by step overview

1. Attach your player to the JTAG interface, pay special attention to the GND and VREF signals (the latter supplies the target device operating voltage to the level shifters of your JTAG interface). If you create a short here you might destroy your device and/or the JTAG interface
2. Plug the JTAG interface into your computer
3. Supply power to your MP3 player board, ideally you will have a lab power supply you can use to provide 3.7V to the battery contacts (make sure you get the polarity right!).
4. Power on the player board either using the power button or by plugging in USB.
5. Start the JTAG software and make sure the player CPU is recognized
6. Halt the CPU
7. Load the original firmware image starting at address 0 (extracted from the firmware file using utils/AMS/hacking/extract_fw)
8. Resume execution from address 0 (You may have to set CPSR to 0x60000053 first)
9. The original firmware should boot now
10. Connect USB and upload new firmware
11. Disconnect usb to start the flashing process
12. If all went well you have now successfully unbricked your AMS Sansa!

Step by step walkthrough

Unfortunately there is no magic bullet yet, the step-by-step may or may not work depending at where exactly the boot fails. Ideally someone would write a patch for openocd so openocd can access the nand flash directly. Right now you have to get the original firmware to boot so you can upload a new firmware image and trigger the flashing process. To achieve this it helps a lot to have some low-level ARM processor/assembly knowledge.

1. Attach your player to the JTAG interface, pay special attention to the GND and VREF signals (the latter supplies the target device operating voltage to the level shifters of your JTAG interface). If you create a short here you might destroy your device and/or the JTAG interface
2. Plug the JTAG interface into your computer
3. Supply power to your MP3 player board, ideally you will have a lab power supply you can use to provide 3.7V to the battery contacts (make sure you get the polarity right!).
4. Power on the player board either using the power button or by plugging in USB.
5. Start openocd with your openocd config file, i.e. "openocd -f .cfg"

Open On-Chip Debugger 0.4.0 (2010-02-23-17:04)
Licensed under GNU GPL v2
For bug reports, read
        http://openocd.berlios.de/doc/doxygen/bugs.html
jtag_ntrst_delay: 100
Info : clock speed 6000 kHz
Info : JTAG tap: as3525.cpu tap/device found: 0x00922f0f (mfg: 0x787, part: 0x0922, ver: 0x0)
Info : Embedded ICE version 2
Info : as3525.cpu: hardware has 2 breakpoint/watchpoint units

1. Open a telnet session on port 4444

Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Open On-Chip Debugger
> 

1. Halt device, upload firmware, resume execution

> halt
target state: halted
target halted in ARM state due to debug-request, current mode: Supervisor
cpsr: 0x60000093 pc: 0x30047bc4
MMU: enabled, D-Cache: enabled, I-Cache: enabled
> reg cpsr 0x60000013
cpsr (/32): 0x60000013
> load_image /path/to/firmware 0
118332 bytes written at address 0x00000000
downloaded 118332 bytes in 4.371294s (26.436 kb/s)
> resume 0

1. The original firmware should boot now.

Note that you will want to turn the device on, connect with openocd, get into telnet and send the halt command as soon as possible in some cases. This may require you to have several consoles open and ready at the same time to beat the device before it boots if it is turning off on you or crashing (like mine was).

Debugging the bootloader

1. Boot rockbox
2. Halt the cpu, put a hw breakpoint on address 0, resume execution

> halt
target state: halted
target halted in ARM state due to debug-request, current mode: Supervisor
cpsr: 0x60000093 pc: 0x30047bc4
MMU: enabled, D-Cache: enabled, I-Cache: enabled
> bp 0 4 hw
breakpoint set at 0x00000000
> resume

1. Trigger a reboot (e.g. plug in usb) or use the JTAG debugger to manually do the steps as in target/arm/as3525/system-as3525.c:system_reboot()
2. The first time you'll hit the breakpoint will be built-in rom, resume once and you should be at the first stage rockbox bootloader and can single-step it now

target state: halted
target halted in ARM state due to breakpoint, current mode: Supervisor
cpsr: 0x000000d3 pc: 0x00000000
MMU: disabled, D-Cache: disabled, I-Cache: disabled
> resume
target state: halted
target halted in ARM state due to breakpoint, current mode: Supervisor
cpsr: 0x60000053 pc: 0x00000000
MMU: disabled, D-Cache: disabled, I-Cache: disabled

Example OpenOCD configuration

telnet_port 4444
gdb_port 3333

# Note: This is for FT2232 based USB interfaces, if you use a wiggler type parallel port interface refer to the openocd documentation on how to configure it
interface ft2232
# Note: Substitute different layout here if you don't use a oocdlink, refer to openocd documentation for supported layouts.
ft2232_layout oocdlink
# Note: I used an EEPROM-less FT2232 board with the default USB ids, you will have to substitute your JTAG interface USB ids here
ft2232_vid_pid 0x0403 0x6010

jtag_ntrst_delay 100

set _CHIPNAME as3525
set _ENDIAN little
set _CPUTAPID 0x00922f0f

#jtag scan chain
jtag newtap $_CHIPNAME cpu -irlen 4 -expected-id $_CPUTAPID

set _TARGETNAME $_CHIPNAME.cpu
target create $_TARGETNAME arm920t -endian $_ENDIAN -chain-position $_TARGETNAME -variant arm920t

# FIXME: copied from Samsung config
$_TARGETNAME configure -work-area-phys 0x200000 -work-area-size 0x4000 -work-area-backup 1

Bus Pirate OpenOCD configuration

#
# Buspirate with OpenOCD support
#
# http://dangerousprototypes.com/bus-pirate-manual/
# This configuration worked as-is for me with a Sansa Fuze V1

interface buspirate

# you need to specify port on which BP lives (might need to be a serial port)
buspirate_port /dev/ttyUSB0
#buspirate_port /dev/bus_pirate #You should ultimately change the udev rules for your serial JTAG interfaces so you have a dedicated address you can use, see here: http://wiki.countercaster.com/The_Bus_Pirate_on_Linux:_From_/dev/ttyUSB%3F_to_/dev/bus_pirate

# communication speed setting
buspirate_speed normal # or fast # Note that fast did not work for my bus pirate

# voltage regulator Enabled = 1 Disabled = 0
#buspirate_vreg 0 #Enable this if you plan to use the 3.3V power from your bus pirate to power your sansa

# pin mode normal or open-drain
#buspirate_mode normal

# pullup state Enabled = 1 Disabled = 0
#buspirate_pullup 0

jtag_khz 6000

jtag_ntrst_delay 100

set _CHIPNAME as3525
set _ENDIAN little
set _CPUTAPID 0x00922f0f

#jtag scan chain
jtag newtap $_CHIPNAME cpu -irlen 4 -expected-id $_CPUTAPID

set _TARGETNAME $_CHIPNAME.cpu
target create $_TARGETNAME arm920t -endian $_ENDIAN -chain-position $_TARGETNAME -variant arm920t

$_TARGETNAME configure -work-area-phys 0x200000 -work-area-size 0x4000 -work-area-backup 1

• openocd.cfg: OpenOCD config for AS3525 (tested on C200v2)
• openocd_clipplus.cfg: OpenOCD config for AS353x (Tested on Clip+)

Known JTAG pinouts

C200v2

C240v2 JTAG pinout

USB

    1 GND
 F  2 TDO
 L  3 TCK
 A  4 TMS
 S  5 TDI
 H  6 TRST
    7 VCC

RAM

Clip+ & Fuze V1 (confirmed for Sansa Fuze as of Oct 5th 2010, most likely works with Fuze V2 as well)

ClipPlus JTAG pinout  (For the Sansa Fuze V1, pin 1 (+3.3v) is near the ground power wire and pin 8 (Gnd) is near the display connector.
Sansa Fuze V2 ground wire joint:If you decide to remove the battery entirely from your V2 Fuze so you can JTAG your fuze with an external power supply, please note that the solder joint holding the ground wire in place has some sort of flux resistant coating on it making it hard to desolder and resolder.  It can still be done.

 DISPLAY
 CONNECTOR

     8      GND
  7         nSRST
     6      TDO   (high impedance)
  5         TCK   (pulldown)
     4      TMS   (pullup)
  3         TDI   (pullup)
     2      nTRST (pulldown) <-THIS PIN MUST BE PULLED HIGH (TO +3.3/VDD) with a 5-50KOhm resistor, the range of workable resistors is probably even wider.
  1         VCC
 
 BUTTONS

• buspirate.cfg: Bus Pirate OpenOCD config for AS3525 (Tested on Fuze V1)