Anyone got a busted phone? - Captivate Q&A, Help & Troubleshooting

I'm looking for a busted captivate for research. I believe we may be able to boot from a micro SD card.
I have to remove the processor and reverse engineer the board in order to find the power supply to the line called XOM5 in the processor manual. Once this line is found, it may be as simple as shorting, slicing the line, or popping a resistor off the board.
Repairing the phone afterwards would be beyond my capabilities. I can't perform ball soldering. That takes some highly specialized tools. You would be doing a great service to everyone with a Galaxy S phone.
The phone does not need to work, and can be in horrible condition. It can be water damaged or physically broken. The only thing I need is the main board inside the phone.

bump......

Sorry man only got my every day phone. Ill keep an eye out in the island see if i can help with your project.

Hey, I have a 1008 phone. Screen busted. Possibly stuck in bootloop. It's in a couple pieces.

bulletproof1013 said:
Hey, I have a 1008 phone. Screen busted. Possibly stuck in bootloop. It's in a couple pieces.
Can I just send you the main board?

Yes! That's all I need. I'll send you a PM.

AdamOutler said:
I'm looking for a busted captivate for research. I believe we may be able to boot from a micro SD card.
I have to remove the processor and reverse engineer the board in order to find the power supply to the line called XOM5 in the processor manual. Once this line is found, it may be as simple as shorting, slicing the line, or popping a resistor off the board.
Repairing the phone afterwards would be beyond my capabilities. I can't perform ball soldering. That takes some highly specialized tools. You would be doing a great service to everyone with a Galaxy S phone.
The phone does not need to work, and can be in horrible condition. It can be water damaged or physically broken. The only thing I need is the main board inside the phone.
I would like to learn more about how a CB works and how to trace certain things on a board as well as other parts. Any books or reference guides besides schematics that could help me? PM me if you will. In fact anyone that knows anything could help me, please PM. Thanks.

Jmurph3 said:
I would like to learn more about how a CB works and how to trace certain things on a board as well as other parts. Any books or reference guides besides schematics that could help me? PM me if you will. In fact anyone that knows anything could help me, please PM. Thanks.
A better place for a newbie to start would be circuit bending... hopping electricity from one point on a circuit board to another to alter the operating state. This would be a great place to start... http://hackaday.com/2011/01/11/intro-to-circuit-bending/
Once you get familiar with how things work on a circuit board, start examining the individual components in greater detail. There are some datasheets in here http://forum.xda-developers.com/showthread.php?t=1111866 which you could use to understand how a couple of the major players on our phone work. Specifically, the USB controller (FSA9480) and the Processor (S5PC110). It really takes some additional education to start reading processor manuals....
You could always start with something simpler like the Arduino platform. The Arduino platform allows you to create a basic program which runs on a microprocessor and takes inputs and outputs from it. I like the Arduino because it's so darn quick to pick up.
Here's some of the stuff I programmed on the Arduino
Contest entry http://www.hyundaiaftermarket.org/f...utlers-hackaday-santa-pede-competition-entry/
Silly candle http://www.hyundaiaftermarket.org/forum/blog/3/entry-27-digital-candle/
This one would be a great first project. http://www.hyundaiaftermarket.org/forum/blog/3/entry-26-arduino-ef-meter/
If you really want to understand how a circuit board works, the best way is to go to school, or start playing with one... You could get started pretty cheap http://www.google.com/search?client...gc.r_pw.&fp=d4257c808144b93c&biw=1333&bih=651 or you can get a better one like in the Android Open Accessory Kit (it's actually an Arduino Mega with additional sensors) http://www.google.com/search?client...gc.r_pw.&fp=d4257c808144b93c&biw=1333&bih=651
So yeah... Learning electronics is reading, playing and doing.

AdamOutler said:
A better place for a newbie to start would be circuit bending... hopping electricity from one point on a circuit board to another to alter the operating state. This would be a great place to start... http://hackaday.com/2011/01/11/intro-to-circuit-bending/
Once you get familiar with how things work on a circuit board, start examining the individual components in greater detail. There are some datasheets in here http://forum.xda-developers.com/showthread.php?t=1111866 which you could use to understand how a couple of the major players on our phone work. Specifically, the USB controller (FSA9480) and the Processor (S5PC110). It really takes some additional education to start reading processor manuals....
You could always start with something simpler like the Arduino platform. The Arduino platform allows you to create a basic program which runs on a microprocessor and takes inputs and outputs from it. I like the Arduino because it's so darn quick to pick up.
Here's some of the stuff I programmed on the Arduino
Contest entry http://www.hyundaiaftermarket.org/f...utlers-hackaday-santa-pede-competition-entry/
Silly candle http://www.hyundaiaftermarket.org/forum/blog/3/entry-27-digital-candle/
This one would be a great first project. http://www.hyundaiaftermarket.org/forum/blog/3/entry-26-arduino-ef-meter/
If you really want to understand how a circuit board works, the best way is to go to school, or start playing with one... You could get started pretty cheap http://www.google.com/search?client...gc.r_pw.&fp=d4257c808144b93c&biw=1333&bih=651 or you can get a better one like in the Android Open Accessory Kit (it's actually an Arduino Mega with additional sensors) http://www.google.com/search?client...gc.r_pw.&fp=d4257c808144b93c&biw=1333&bih=651
So yeah... Learning electronics is reading, playing and doing.
Hey, thanks a lot. I'm sure I'll be able to get something out of it. Hopefully this will help with my job some too!

Hey, when and if you're able to boot from micro SD... will this method be like the Nook Color?

bulletproof1013 said:
Hey, when and if you're able to boot from micro SD... will this method be like the Nook Color?
Basically, that's the idea. Perform a slight hardware modification, then boot from SD card from then on. Of course, first, I'll be focusing on just recovering a bricked phone by providing the phone a PBL/SBL/SBL2 on an MMC card.

Any progress?

crispy1805 said:
Any progress?
Yes, the project is completed. Thank you Bulletproof1013.
See here: http://forum.xda-developers.com/showthread.php?t=1242466

Related

Images of the G1's motherboard in HQ?

Hey everyone,
I have a strong backing in electronics, and I have a G1. I don't dare open it because it's my only phone and I'm a college student, however, I want to study the circuit board to see how we can exploit the device.
My first idea I want to investigate is just building a chip flasher to flash the ROM. There's no way they could block that. I see the threads on working with the JTAG, however, I'm not familiar in that area. Wouldn't it make more sense to build a solderless chip flasher?
Regardless, does anybody have some high-res images of the board, front and back?
Wrong section, and I don't think many users will hold the high res pictures you are looking for...I could be wrong =)
protomanez said:
Wrong section, and I don't think many users will hold the high res pictures you are looking for...I could be wrong =)
I wasn't sure whether to put this in Q&A or not, as I wanted to discuss development of the chips once identified.
http://mikechannon.net/PDF Manuals/HTC Dream SM (A04).pdf
Does this help any? It has complete disassembly/assembly instructions, and lots of pictures
Moved as not Android Development.
Sent Move Request
mejorguille said:
http://mikechannon.net/PDF Manuals/HTC Dream SM (A04).pdf
Does this help any? It has complete disassembly/assembly instructions, and lots of pictures
I looked through it, unfortunately, it did not detail the main board. I really would like to just study the traces on the board. Does anybody have a front and back picture of the main board?
mejorguille said:
http://mikechannon.net/PDF Manuals/HTC Dream SM (A04).pdf
Does this help any? It has complete disassembly/assembly instructions, and lots of pictures
That'll probably help him all the way down to the bottom.
EDIT:
http://forum.xda-developers.com/showthread.php?t=591048
That should help you ;]
XBrav said:
Hey everyone,
I have a strong backing in electronics, and I have a G1. I don't dare open it because it's my only phone and I'm a college student, however, I want to study the circuit board to see how we can exploit the device.
My first idea I want to investigate is just building a chip flasher to flash the ROM. There's no way they could block that. I see the threads on working with the JTAG, however, I'm not familiar in that area. Wouldn't it make more sense to build a solderless chip flasher?
Regardless, does anybody have some high-res images of the board, front and back?
Look in the debricking JTAG testpoint thread in development. First post has some good pictures of the top (side that faces the inside part, toward the screen side) part of the board. I had mine open the other day but I didn't take any pics, sorry

Milestone JTAG

Hi,
I've been following the progress on Milestone hacking for quite a while now.
Some days ago I started intensive research on the Milestone hardware myself.
So here's some interesting discovery.
Thanks goes out to XVilka for putting this down on the wiki so fast
Of course this is just the starting point for a new hunting....
As you might see many signals are not identified yet.
Essential:
TDO
TDI
TMS
TCK
RTCK
Possible:
EMU0
EMU1
Optional:
DEBUG_UART_RX
Someone needs to unsolder the CPU and trace these signals on the mainboard.
So if you got a broken mainboard it would be welcome for scientific examination
This of course would not give us an open bootloader, but might open the door for some promising attempts to debug the platform more intensely.
UPDATE:
All signals had been identified. Unfortunately JTAG access to ARM core and other units is blocked.
EDIT:
OK, now that xvilka has put my detailed pics in the droid-developers wiki, there's no need to hide it anymore.
Find my updated pics attached.
In fact JTAG access is blocked by the security mechanism on the Milestone.
So all that is accessible is the main TAP controller... everything else is blocked.
No access to the ARM core... nothing except ID could be retrieved.
Have a look at my resignation post here:
http://forum.xda-developers.com/showpost.php?p=11759352&postcount=54
Anyway the journey was a fun thing and I learned a lot about the ARM core internals including the TAP units inside OMAP.
The craziest thing was, to realize that all this incredible security stuff really depends on one hard-coded bit... called the "HS-Bit".
If you need more info tell me!!
Cheers,
scholbert
Software tool
We might use the famous OpenOCD for debugging, once we got the full pinout.
Look here for further details about it:
http://elinux.org/BeagleBoardOpenOCD
Have fun!
scholbert
This looks very much fun, but how is this going to benefit an end user?
^^ How does "unlocked bootloader" sound to you
Well said and nice to see some reaction here also.
Sure that's fun... at least for me... and it's to widen your knowledge
I've joined this forum some time ago and it is still called xda-developers.
Maybe I'm a little old-fashioned but that's what is still driving me... development
By initiating this thread I was aware there's no benefit for the end user right now,
but the more people stumble over here, the more there's a chance to find some other enthusiasts following this path.
I'm aware that the magic parts are missing.
We need someone willing to do wicked stuff and equipped with professional equipment to unsolder parts from the mainboard.
Once the remaining signals can be traced, there's a lot to play with.
Unlike other devices, the core elements of the hardware residing in the Milestone are pretty well documented and a lot of software tools exist.
I'm pretty sure there's a way to find a nicer backdoor on this locked down device.
The market is fast though and maybe some day there'll be a device you could use to fly with... even as an end user
Anyway, would be nice to talk about.
Best regards,
scholbert
If that's true, then that'd be great. But the guy says "This of course would not give us an open bootloader" in his first post.
good luck scholbert!!
AbdouRetro said:
If that's true, then that'd be great. But the guy says "This of course would not give us an open bootloader" in his first post.
Yes, having a working JTAG is not going to open the bootloader. But will give something very important - access to the CPU and flash without having any working code - read "bootloader development".
Sent from my Milestone using Tapatalk
scholbert, if u have flash access then u can write to some very privileged areas, does that mean u can make the processor boot into general purpose mode?
AbdouRetro said:
scholbert, if u have flash access then u can write to some very privileged areas, does that mean u can make the processor boot into general purpose mode?
Privileged areas is a nice word
....but yes, if it's in NAND you may access it easily using JTAG.
AFAIK the HS mode is hard coded into OMAP3430, so booting into GP mode will never happen I guess.
EDIT:
Just had a short glimpse at the OMAP3430 TRM, there's the register CONTROL_PRODUCTION_ID @ 0x4830_A210 to check for GP mode (ID = 0xF0).
On milestone this ID is obviously different and it is hardcoded with efuse.
The ROM bootloader checks this register and could not be rewritten because it's OTP.
Regards,
scholbert
scholbert said:
Privileged areas is a nice word
....but yes, if it's in NAND you may access it easily using JTAG.
AFAIK the HS mode is hard coded into OMAP3430, so booting into GP mode will never happen I guess.
EDIT:
Just had a short glimpse at the OMAP3430 TRM, there's the register CONTROL_PRODUCTION_ID @ 0x4830_A210 to check for GP mode (ID = 0xF0).
On milestone this ID is obviously different and I guess it's hardcoded.
The ROM bootloader checks this register and could not be rewritten because it's OTP.
Regards,
scholbert
Sir, I was wondering if a bricked device would be okay for this (by bricked I mean someone [not me of course] flashed some ****ty firmware and it doesn't boot now); if so then I think I'll visit a few shops and ask around in the "black" market for a bricked device.
I don't think Motorola has the capacity to manufacture things so different for the Milestone and Droid. It's enough cost that they use different radios!!
I'm hoping it's an external chip/trace that controls which mode it boots.
In the chip block diagram on the site, there's an internal boot ROM; do we have that??
reminds me of the xbox360...
Quintasan said:
Sir, I was wondering if a bricked device would be okay for this (by bricked I mean someone [not me of course] flashed some ****ty firmware and it doesn't boot now); if so then I think I'll visit a few shops and ask around in the "black" market for a bricked device.
Sure a bricked device would do, even a partly physically damaged device will do. As I said before, the CPU needs to be unsoldered to trace some signals.
EDIT: Just a remark, because you talk about "black" market.... please don't buy any stolen phones or something.
AbdouRetro said:
I don't think Motorola has the capacity to manufacture things so different for the Milestone and Droid. It's enough cost that they use different radios!!
I'm hoping it's an external chip/trace that controls which mode it boots.
In the chip block diagram on the site, there's an internal boot ROM; do we have that??
Of course there's a boot ROM; all modern OMAPs have this OTP memory implemented.
Have a look at:
https://www.droid-developers.org/wiki/Main_Page
You'll find very interesting and useful information....
Concerning capacities...
Sure they have and obviously Motorola is one of the big customers of Ti.
Apart from the device ID there are also different boot ROMs for different platforms.
This is simply called customizing
TI does it, Qualcomm does it, whoever builds ARM SoCs may do it.
Also Ti's eFuse technology gives the customer (e.g. Motorola) the opportunity to block certain parts of the chip by software setup.
And that's what they did on the Milestone.
Regards,
scholbert
When I said "do we have that"
I meant, do we have a dump of that code that is disassembled and looked into.
By checking here:
droid-developers.org/wiki/Booting_chain
it's obvious this has already been done.
Hi again,
Seems there's less interest here.... sure this is a very technical thread....
Anyway, see this picture of the mainboard.
https://www.droid-developers.org/images/d/dd/Photo-1.jpg
Seems to be taken from one of the first mass production units, or even a developers phone.
You see there's a FPC connector soldered on the mainboard (underneath the microSD connector).
After doing a little research, it seems that these connectors are used in professional environments:
http://www.hirose.co.jp/cataloge_hp/e58004008.pdf
Part.-No. FH19C-17S-0.5SH
Cheers,
scholbert
I have a dead phone. If someone can provide me with a pinout for the processor, I will be glad to trace out the rest of the jtag header.
Hi eustice!
eustice said:
I have a dead phone. If someone can provide me with a pinout for the processor, I will be glad to trace out the rest of the jtag header.
Wow, that's great, let's crack that nut
I just created a map, a bit small though, but I think everything could be located...
BTW, on Milestone they seem to have used an OMAP3430 in CBC (S-PBGA-N515) package with POP memory (see attached datasheet of the package).
Had to dig a little to find that out...
Tell me if you need further information!
Please be careful while removing the CPU, these little pads will easily rip off...
Good luck!!
scholbert
scholbert said:
Hi eustice!
Wow, that's great, let's crack that nut
I just created a map, a bit small though, but I think everything could be located...
BTW, on Milestone they seem to have used an OMAP3430 in CBC (S-PBGA-N515) package with POP memory (see attached datasheet of the package).
Had to dig a little to find that out...
Tell me if you need further information!
Please be careful while removing the CPU, these little pads will easily rip off...
Good luck!!
scholbert
Sir, well, I'm not sure if this is of interest to us but
http://allegro.pl/okazja-jak-nowa-motorola-droid-i1386494285.html
This guy sells DROIDs for 200 Polish zloty; it's cheap. The main problem is that the guy says they were flooded during the transport; he also claims that they were not switched on since then. Are we interested in getting one and disassembling it?
Hey Quintasan,
thanks for the link!
Quintasan said:
This guy sells DROIDs for 200 Polish zloty; it's cheap. The main problem is that the guy says they were flooded during the transport; he also claims that they were not switched on since then. Are we interested in getting one and disassembling it?
Indeed the price is nice, but it's your decision whether to buy one or not.
Personally I've got two working devices and I'm not willing to rip them apart.
By starting this thread I intended to draw some interest to this JTAG stuff and to collect information to gain access to the Milestone.
It is yet unknown, if it will ever work on this platform.
It might also be possible that the JTAG signals are physically connected, but had been disabled by e-fuses on the production units.
..... but if no one ever tries we'll never know.
Best regards,
scholbert
milestone jtag board and connector pic
attached are the pics for the jtag board and the connector on the phone.

Please Help: Brick+No Download Mode(even Jig)

Please give me advice~
I am using an i897; while I was updating it (Odin), I wrongly unplugged it. And now here is what happens on my phone:
Power / 3 Key - nothing happens
Tried sending it to one of the mobile fix shops (they tell me they tried a Jig) and they still can't fix it.
Plug in to computer - no feedback on either side
I did a bit of research on it; I think the bootloader is empty.
I know I have been stupid this time, just want to try anything I can do.
P.S. I don't know how to use a soldering iron so I can't do the UnBrickable Mod
Anyone know any way/place to fix it (in Aus-Melbourne)?
Thx for your time to read my problem, plz help me if you have any suggestions~
UnBrickable Mod is here to save the day.... http://forum.xda-developers.com/showthread.php?t=1206216
That or JTAG.
Thx, however I don't know how to do steps 4 & 5 for the UnBrickable Mod><
Also I don't really know where I can find any shop that has JTAG to do it for me.
P.S. I am a high school student. In many areas I also have less experience. I want to try it, but......><
Send http://www.mobiletechvideos.com/blog/donate-2/ an email; he has great success with JTAG. I believe he can install the UnBrickable Mod as well. Not sure on the second part but you never know. Keep in mind JTAG service (and probably the mod, not sure) costs $40 + shipping
Edit: He does offer UnBrickable Mod for $40.
Thank you! However, does that mean I can't fix it myself>< ??
chujoshua said:
Thank you! However, does that mean I can't fix it myself>< ??
No. UnBrickable mod is the DIY method. It's as easy as it gets. Rebellos and I have already taken care of the assembly language, signatures, working in the linux command prompt, research and everything... You just need to replace a resistor with a wire and run the software.
AdamOutler said:
No. UnBrickable mod is the DIY method. It's as easy as it gets. Rebellos and I have already taken care of the assembly language, signatures, working in the linux command prompt, research and everything... You just need to replace a resistor with a wire and run the software.
Although I agree, the physical mod part requires decent soldering skills.
Thx for your attention ^^
The places I am not sure about are 4 and 5.
Although I know it is trouble for you, will you have the chance to make a video of the real step by step? Thx very much!! (Or a clear pic is also good!!)

Trusted boot jumper?

Not wanting to open up old threads and discussions about booting the Atrix 4G, but I was just browsing the schematics I found on XDA, and noticed what looks like a 'trusted boot' jumper. I don't know much about trust technology in these platforms but someone here may know more.
Brief searches show Intel's trusted platform technology; I'm not sure the Atrix contains something similar.
But if it does, would this jumper - if changed - allow us to boot anything perhaps?
I've attached a photo of the schematic (I found this trying to follow the good old 'FM radio not working' thread as well).
So yeah, thoughts from those more in the guts of trusted platforms?
Please feel free to shut this thread down if I'm just totally out of the ballpark, but if this is a lead, albeit a hardware mod (depending where this jumper is and how easy it is to change its state on the board), it may be a way to unbrick perhaps.
I'm also aware the atrix 4G is getting a little older now, and interest maybe being depleted given other options in the market these days.
thanks
glegge said:
Not wanting to open up old threads and discussions about booting the Atrix 4G, but I was just browsing the schematics I found on XDA, and noticed what looks like a 'trusted boot' jumper. I don't know much about trust technology in these platforms but someone here may know more.
Brief searches show Intel's trusted platform technology; I'm not sure the Atrix contains something similar.
But if it does, would this jumper - if changed - allow us to boot anything perhaps?
I've attached a photo of the schematic (I found this trying to follow the good old 'FM radio not working' thread as well).
So yeah, thoughts from those more in the guts of trusted platforms?
Please feel free to shut this thread down if I'm just totally out of the ballpark, but if this is a lead, albeit a hardware mod (depending where this jumper is and how easy it is to change its state on the board), it may be a way to unbrick perhaps.
I'm also aware the atrix 4G is getting a little older now, and interest maybe being depleted given other options in the market these days.
thanks
I have a question. Why didn't you write this to a trusted dev for Atrix?? Because it's not very useful to write this without 100% knowledge, so it would have been best to write it to a hardware dev that can prove this and test it.
Thanks, it was meant well, but still write this to a dev that knows how to work with this.
Hai_Duong said:
I have a question. Why didn't you write this to a trusted dev for Atrix?? Because it's not very useful to write this without 100% knowledge, so it would have been best to write it to a hardware dev that can prove this and test it.
Thanks, it was meant well, but still write this to a dev that knows how to work with this.
Understood, I'm all good intentions and thumbs and fingers.
Could you suggest a dev to IM this to?
many thanks
glegge said:
Understood, I'm all good intentions and thumbs and fingers.
Could you suggest a dev to IM this to?
many thanks
http://forum.xda-developers.com/showthread.php?t=2016837
Here, these guys are the hope for the ICS kernel; just write them, and if it's useful they will reply.

Calling car guys that code (BMW specific)

Just curious if there are any BMW guys that are devs here? This is SUPER random but since 2007 people have been trying to hack the Transmission Control Unit (TCU) on BMWs with very little success. It's becoming more interesting recently since more and more people are making 600+ hp and being able to control the line pressure will help hold the power. Figured I'd check to see since the best devs I know of are on here.
loudaccord said:
Just curious if there are any BMW guys that are devs here? This is SUPER random but since 2007 people have been trying to hack the Transmission Control Unit (TCU) on BMWs with very little success. It's becoming more interesting recently since more and more people are making 600+ hp and being able to control the line pressure will help hold the power. Figured I'd check to see since the best devs I know of are on here.
Bump.
What we need is someone to 'look very closely' at the rom files for the TCU. The rom files are protected with what I believe is 1024bit RSA signatures and we need to find a weakness in the bootloader or something in order to upload modified files. The 335i ECU had a security hole which allows for tricking the ECU into verifying the same signature twice, opening up the important part of the file for modifications. There were three sections, the BAF, PAF and DAF. BAF verified the PAF and BAF verified the DAF. We got the BAF to verify the PAF signature twice.
I think the TCU works on something of a similar system most likely, but nobody has really taken a good look. I think someone has cracked it once before for the M3 which uses the same TCU but different ROM files, but they aren't telling.
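The post above describes a chain-of-trust verifier where the bootloader (BAF) was supposed to check the PAF and then the DAF, but ended up checking the PAF signature twice, so one section was never verified. The Python below is an added illustration for this thread; it is not code from the thread, from the TCU/ECU firmware, or from anyone on e90post. It models the three-section layout with a toy HMAC-SHA256 stand-in for the 1024-bit RSA signatures (the real scheme, key and file layout are not on the page, and the section contents are constructed), and places a verifier with the repeated-check defect beside one that binds each signature to its own section and section name. From a firmware author's side it shows why every section in a verification chain needs its own check and why the section identity belongs inside the signed message.

```python
import hmac
import hashlib

# Toy stand-in for the manufacturer's RSA signature: HMAC-SHA256 under a key
# that, in this model, both signer and verifier hold. The key, the section
# names and the sample contents below are all constructed for this example;
# none of them come from any real firmware.
SIGNING_KEY = b"constructed-demo-signing-key"


def sign(section_name: str, data: bytes) -> bytes:
    # The section name is folded into the signed message so a valid signature
    # for one section cannot be replayed as the signature of another section.
    message = section_name.encode() + b"\x00" + data
    return hmac.new(SIGNING_KEY, message, hashlib.sha256).digest()


def verify(section_name: str, data: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(sign(section_name, data), signature)


def make_image(paf: bytes, daf: bytes) -> dict:
    """Build a signed image with the two sections the bootloader must check."""
    return {
        "PAF": paf, "PAF_sig": sign("PAF", paf),
        "DAF": daf, "DAF_sig": sign("DAF", daf),
    }


def verify_image_flawed(image: dict) -> bool:
    """Models the hole described in the thread: the verifier is meant to check
    PAF and then DAF, but the second check re-verifies PAF, so DAF is never
    examined and any change to it is accepted."""
    if not verify("PAF", image["PAF"], image["PAF_sig"]):
        return False
    # Defect: this is the PAF check again; DAF and DAF_sig are never consulted.
    if not verify("PAF", image["PAF"], image["PAF_sig"]):
        return False
    return True


def verify_image_fixed(image: dict) -> bool:
    """Each section is checked against its own signature, and the section name
    is part of the signed message, so neither editing DAF nor copying the PAF
    signature into the DAF slot passes."""
    return all(verify(name, image[name], image[name + "_sig"])
               for name in ("PAF", "DAF"))


def compare_verifiers() -> dict:
    """Run both verifiers over an intact image, an image whose DAF was edited,
    and an image whose DAF slot holds a copy of the PAF section and signature.
    Returns {case: (flawed_result, fixed_result)}."""
    intact = make_image(b"calibration-table-v1", b"data-section-v1")
    edited = dict(intact, DAF=b"data-section-modified")
    replayed = dict(intact, DAF=intact["PAF"], DAF_sig=intact["PAF_sig"])
    return {
        "intact": (verify_image_flawed(intact), verify_image_fixed(intact)),
        "edited_daf": (verify_image_flawed(edited), verify_image_fixed(edited)),
        "replayed_sig": (verify_image_flawed(replayed), verify_image_fixed(replayed)),
    }


if __name__ == "__main__":
    for case, (flawed, fixed) in compare_verifiers().items():
        print(f"{case:13s} flawed={flawed} fixed={fixed}")
```

The flawed verifier accepts all three images because it only ever looks at the PAF; the fixed one rejects the edited DAF and also rejects the replayed PAF signature, which a verifier that signed raw section bytes without the section name would have let through.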
Bump. I'm sure there could be some good money raised too if a developer needs some incentive.
doublespaces said:
ROM files,
You said ROM, so we just need SU right?
I agree with nguyenvn - could end up with some $$$ as there is quite the demand.
At the moment the community at e90post is trying to find a way, but after months and a steep learning curve, we're stuck with the signature problem.... the thread is called "Transmission remap - Lets do it ourselves"
