Unbricking
Introduction
This procedure will take you through the restoration of your radio using a simple JTAG cable, with software we have provided.
Prerequisites
In order to recover a bricked radio, you will need:
- JTAG cable
- Software for flashing over JTAG
- An image to flash to the radio
- A lot of patience
JTAG Cables
'Wiggler'-compatible cables are a popular low-cost option, and are well supported by the free JTAG tools. Plans to make your own are widely available, and prebuilt ones can be found cheaply on eBay and similar sites. A "universal" wiggler will come with bare wires which can be soldered to the JTAG test points on the barracuda board.
JTAG Flashing Software
The application sjf2410, along with the error correction code from the Linux kernel, has been modified to produce a bespoke utility for the barracuda module's NAND flash. It uses the wiggler cable in the parallel port.
- Sharpflash-src-dev223.tar.bz2 - Source Code (Alpha Test Version)
This version of sharpflash supports reading and writing of the NAND flash using the wiggler parallel port interface.
Reading Flash Images
You can make a back-up of your flash via JTAG using commands of the following form:
sharpflash r kernel-mtd1.bin 004000 0fc000
This will extract the contents of the kernel partition into 'kernel-mtd1.bin', skipping any bad sectors as it goes. The program will also create 'rawdata.bin' and 'rawdata.err', which contain the raw data and the extended data information. Have a look at Reciva NAND Flash for the background on the flash structure.
Sharpfin Flash Programmer - http://www.sharpfin.zevv.nl/
.
Found S3C2410 processor on JTAG Cable
Found K9F2808UOC on processor
Reading NAND Flash:
destination = kernel-mtd1.bin
raw data = rawdata.bin
err data = rawdata.err
start addr = 0x4000
length = 0xFC000
.
Address Progress                         Remaining
------- -------------------------------- ---------
0000000 rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr 9h 12m
0004000 rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr 9h 11m
0008000 rrrrrr
File Formats
Backup images (see Making a backup) can be generated / obtained in several formats, as described below:
nanddump images
nanddump images consist of blocks of 512 bytes of data, and 16 bytes of extra data throughout the file. The extra data must be removed in order for the file to be written back to the flash.
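The extra-data removal described above, as an added example (not part of sharpflash or the original page): a Python script that splits a nanddump image into its 512-byte data pages and 16-byte extra areas. The function and file names are assumptions; it assumes the dump holds every page in order, each followed by its extra data, and it does not interpret bad-block markers.

```python
#!/usr/bin/env python3
"""Split a nanddump image into page data and extra data (added example)."""
import sys

PAGE_DATA = 512                    # data bytes per page, per the text above
PAGE_EXTRA = 16                    # extra bytes stored after each page
RECORD = PAGE_DATA + PAGE_EXTRA    # 528 bytes per page in the dump file


def split_nanddump(dump):
    """Return (data, extra): page data and extra data as two contiguous blobs.

    Raises ValueError when the input is empty or not a whole number of
    528-byte records, i.e. truncated or dumped without the extra data.
    """
    if not dump or len(dump) % RECORD:
        raise ValueError(
            f"{len(dump)} bytes is not a whole number of {RECORD}-byte records")
    data, extra = bytearray(), bytearray()
    for off in range(0, len(dump), RECORD):
        data += dump[off:off + PAGE_DATA]
        extra += dump[off + PAGE_DATA:off + RECORD]
    return bytes(data), bytes(extra)


def convert(src, dst_data, dst_extra):
    """Write the stripped image and the extra data; return the page count."""
    with open(src, "rb") as f:
        data, extra = split_nanddump(f.read())
    with open(dst_data, "wb") as f:
        f.write(data)
    with open(dst_extra, "wb") as f:
        f.write(extra)
    return len(data) // PAGE_DATA


if __name__ == "__main__":
    if len(sys.argv) == 4:
        print(convert(*sys.argv[1:]), "pages written")
    else:
        # No arguments: run on a constructed two-page sample instead of a file.
        sample = b"\x11" * 512 + b"\xE1" * 16 + b"\x22" * 512 + b"\xE2" * 16
        data, extra = split_nanddump(sample)
        print(len(data), "data bytes,", len(extra), "extra bytes")
```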
Reciva upgrade images
Reciva upgrade images seem to be a complete image of the boot, kernel and root partitions; however, if this is written back to the flash using sharpflash, the resulting radio still does not boot.
JTAG sharpflash images
JTAG sharpflash images contain raw contiguous data, which skips over any bad blocks identified in the area requested. Two additional files are generated with each image capture: rawdata.bin and rawdata.err, which contain the raw disk data, including bad blocks (in 512 byte chunks), and the extra data, including the error correction data (in 16 byte blocks) respectively.
Getting Bad Block Information
This is not needed for programming; however, it is recommended that you keep a record of the blocks marked as bad by the manufacturer, because this information is stored in re-programmable memory, and it may be useful to be able to distinguish between manufacturer-defined bad blocks and user-defined bad blocks.
sharpflash b
The program will output several lines, with each '.' representing a 16K block which is marked as good, and a 'b' for each block which is marked bad.
Sharpfin Flash Programmer - http://www.sharpfin.zevv.nl/
.
Found S3C2410 processor on JTAG Cable
Found K9F2808UOC on processor
Checking NAND Blocks
0000000: ................................................................
0100000: bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb...............
Writing Flash Images
This process takes a long time to run - roughly 80 seconds per 16KBytes, so a full 16Mb flash will take about 24 hours.
sharpflash w mtd.bin 000000 0F00000
This will write an entire image from the file mtd.bin, and will produce an output similar to this:
Sharpfin Flash Programmer - http://www.sharpfin.zevv.nl/
.
Found S3C2410 processor on JTAG Cable
Found K9F2808UOC on processor
Writing NAND Flash:
source = mtd.bin
start addr = 0x0
length = 0xF00000
.
Address Progress                         Remaining
------- -------------------------------- ---------
0000000 wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww 21h 12m
0004000 wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww 21h 11m
0008000 wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww 21h 09m
000C000 wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww 21h 08m
0010000 wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww 21h 07m
0014000 wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww 21h 05m
0018000 wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww 21h 04m
001C000 wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww 21h 02m
0020000 wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww 21h 01m
0024000 wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww 20h 59m
.....