S5570 and OpenOCD

You will find a lot of documents about SG-S5570 resurrection and unbricking methods. XDA is the most important knowledge source, but the S5570 forum lacks experienced (senior) developers. This post describes my attempt to recover the boot loader using a simple wiggler and OpenOCD software. Unfortunately, I was not successful.

First, a few words about the Samsung Galaxy mini. I bought a hard-bricked S5570 phone. The guy said that he had flashed the wrong firmware and that it was not possible to switch the phone to download mode. The key combination for download mode is volume down + home button + power. In my case the phone didn’t react at all – black screen and not recognized by Odin (Windows software for flashing Samsung devices). The phone actually showed some signs of life. When I pressed volume up + home button + power and inserted the battery, the screen was still black but Odin recognized the phone and a connection was established (the first rectangle was yellow). I even tried to flash the phone in this state, but at some point the process just hung. Here is the output from Odin:

Download Start...
<0> Create File...
<1> StartThread Detected : 1
<2> StartThread Detected : 0
<3> StartThread Detected : 0
<4> StartThread Detected : 0
<5> StartThread Detected : 0
<6> StartThread Detected : 0
<7> StartThread Detected : 0
<8> StartThread Detected : 0
<1> setup connection...

Unfortunately, I later figured out that this key combo switches the phone to RAM dump mode, and in this mode it is not possible to flash the firmware. Anyway, this gave me some hope that it would be possible to unbrick this phone. Here are the key combinations for the Samsung Galaxy mini (similar for other Samsung devices – it works on the S5670 too):

Volume down + Home + Power -> Download mode
Home + Power               -> Recovery mode
Volume up + Home + Power   -> RAM dump (ARM9) mode

I also tried to switch the phone to download mode with a USB JIG (300K Ohm resistor connected between the 4th and 5th pins on the micro USB connector), but that didn’t work either. It was not possible to switch the phone to download mode. So I started to dig up info about the Galaxy Mini, and here are the main facts:

  • S5570 is based on MSM7227 Qualcomm chip
  • phone has 4Gb OneNAND KAT007012C – BRTT storage (512MB)
  • Qualcomm chip has several cores that work independently: ARM11 (application), ARM9 (modem) and two others

At this point I had the idea to recover the boot loader with OpenOCD (Open On-Chip Debugger) and my own wiggler based on a schematic published on XDA. I had to build two power supplies (3.7V for the phone and 2.6V for JTAG) as well. After assembling all the parts (wiggler, power supply, soldering JTAG pads …), it was possible to send commands to the ARM processor and inspect memory. My few XDA posts contain several images and give more details. Here is the OpenOCD configuration used in my case:

interface parport
parport_cable wiggler

adapter_khz 300
reset_config trst_and_srst srst_pulls_trst
#debug_level 3

# CPU settings
set _CPUTAPID 0x203c10e1
set _TARGETNAME arm9.cpu
set _ENDIAN little

# create jtag
jtag newtap arm9 cpu -irlen 4 -ircapture 0x1 -irmask 0xf -expected-id $_CPUTAPID

# create target
target create arm9 arm926ejs -endian $_ENDIAN -chain-position $_TARGETNAME
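
The -expected-id value in this configuration is a standard IEEE 1149.1 IDCODE, and with a home-made wiggler the first scan often returns something else. The following decoder is an added example, not part of the original post or of OpenOCD; the scan values other than 0x203c10e1 are constructed, and the function names are illustrative.

```python
from dataclasses import dataclass

EXPECTED_ID = 0x203C10E1  # -expected-id value from the configuration above


@dataclass(frozen=True)
class IdCode:
    version: int  # bits 31..28
    part: int     # bits 27..12
    bank: int     # bits 11..8, JEP106 continuation-code count
    mfg: int      # bits 7..1, JEP106 identity code without parity


def decode_idcode(raw: int) -> IdCode:
    """Split a 32-bit IEEE 1149.1 IDCODE into its fields, rejecting bad scans."""
    if not 0 <= raw <= 0xFFFFFFFF:
        raise ValueError("IDCODE must fit in 32 bits")
    if raw & 1 == 0:
        # A real IDCODE always has bit 0 set; all zeros usually means TDO
        # is stuck low or the TAP answered with its 1-bit BYPASS register.
        raise ValueError("bit 0 is clear: not an IDCODE")
    mfg = (raw >> 1) & 0x7F
    if mfg == 0x7F:
        # 0x7F is the JEP106 continuation marker, never a manufacturer;
        # 0xFFFFFFFF (TDO floating high, unpowered target) lands here.
        raise ValueError("manufacturer field 0x7F is reserved")
    return IdCode(raw >> 28, (raw >> 12) & 0xFFFF, (raw >> 8) & 0xF, mfg)


def compare_tap(scanned: int, expected: int = EXPECTED_ID) -> str:
    """Classify a scanned IDCODE against the expected one."""
    try:
        got = decode_idcode(scanned)
    except ValueError as exc:
        return f"invalid scan: {exc}"
    want = decode_idcode(expected)
    if got == want:
        return "match"
    if (got.part, got.bank, got.mfg) == (want.part, want.bank, want.mfg):
        return "same part, different version"
    return "different device"


if __name__ == "__main__":
    # Constructed scan results: expected ID, a version bump, two wiring faults.
    for raw in (0x203C10E1, 0x303C10E1, 0x00000000, 0xFFFFFFFF):
        print(f"{raw:#010x}: {compare_tap(raw)}")
```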

This was the highest point in the recovery process with OpenOCD. OpenOCD 0.6.1 didn’t have an option to flash OneNAND storage. I hoped that with some “magic” trick it would be possible to flash the boot loader. tom3q on forum.samdroid.net explained how he flashed the boot loader for the i5800 with his OneNAND flasher. Here is a snippet from his post:

I have successfully flashed a fully bricked phone (after using a wrong bring-up image from i5800 in a lame 3rd party service center…) using just (ARM Linux) GDB connected to J-Link GDB server (OpenOCD should also do) and my OneNAND flasher, attached to this post. I believe you need to flash Pbl and Sbl using it, attached them too.

The way it works is very simple. Target flash image has to be uploaded at address 0x50000000 (beginning of the RAM) and the flasher can be uploaded anywhere in the RAM. Then you jump to the flasher, wait several seconds until it completes and reset the phone. You can make sure that it completed by adding a breakpoint at the last instruction of the flasher which is just an infinite loop. You can extract the address (or rather offset) by disassembling the resulting binary using objdump, like

This was a spark of hope, but it didn’t last long. In a short Twitter conversation, Tomasz Figa explained that his flasher would not work for the S5570. Well, this didn’t discourage me, and I tried to find some help in the XDA forum thread “[DEV][THE S-OFF CAMPAIGN] We need electrical engineers & experts in JTAG, OpenOCD!”. Experts and highly skilled developers were discussing the boot loader on MSM7227-based devices. Unfortunately, I didn’t get any reply for a month, so I decided to stop trying to recover the boot loader with the OpenOCD method.

I found a local service and asked for boot loader recovery with JTAG. The next day my phone was ready and it was possible to enter download mode. This cost me about USD $26 in Croatia.

In the meantime I bought a RiffBox, and now flashing phones is no longer stressful for me (if something goes wrong) ;)

2 thoughts on “S5570 and OpenOCD”

  1. Hi, I found this site through Google. I have an MSM7227 mobile phone (Xperia X8) for experimentation. Can you contact me by mail?

  2. @Blagus – I will try to contact you when I find some free time. A better option is to write your question here so others can read all the replies ;)
