I’m trying to use JTAG on a phone (LG KS360). I have made the socket for the JTAG(30 pins connector with 0.4mm of pitch) to a standard HE-10 20pins JTAG. It seems good (autodetect found something).
I’ve done quite a bit of this. You can try two things:
find a boot loader mode. Sometimes they are easier to start with when jtagging a phone.
check that you have rtck. Many newer arms really need that to handle power saving modes.
If those don’t work, double check that your reference voltage is good. Sometimes an incorrect voltage will register but not debug.
These things are a little more difficult with open source tools, but it can be done. (it also depends on phone. Do you know the processor? I.e. Company and chip label? Lg uses a fair number of qualcomm chips and I’ve debugged many of them.
Ps: almost forgot. A power supply to set the debugger reference voltage can be invaluable. Your debugger should also support the device voltage. If it doesn’t you are SOL.
I also didn’t check your output carefully. Your ir length is wrong for an arm chip, so you probably have something else in the chain, or your talking to the DSP. Usually ir Len should be 4 for arm7/9, xscale can be 5 or 7 I believe (depends on version), and I don’t remember the newer ir lengths, but I don’t think there is an 8 among them.
If I read the output correctly and it is correct, you have an SGold infineon chip. Same thing as the iPhone 2g baseband. It should be an Arm 926ejs. It should also be debuggable. Try stopping the phone early as it sometimes leads to better results. There is probably something else (the dsp) in the debug chain. I don’t know if open OCD supports multiple devices in the chain, but I would presume so. That means you’ll have to tell it what order the devices are in. Google around for sgold jtag config or something like that.
find a boot loader mode. Sometimes they are easier to start with when jtagging a phone.
What do you mean by that?
I can also make code injection (like iphone with a AT command injection).
I have also try urjtag (always a 8 irlen tap)
jtag> detect
longueur IR: 8
Longueur de la chaîne: 1
Device Id: 00100000000011100101000010000011 (0x200E5083)
Unknown manufacturer! (00001000001) (/usr/local/share/urjtag/MANUFACTURERS)
jtag> discovery
Détection de la longuer IR...8
Détection de la longeur DR de IR 11111111...1
Détection de la longeur DR de IR 00000000...390
Détection de la longeur DR de IR 00000001...390
Détection de la longeur DR de IR 00000010...390
Détection de la longeur DR de IR 00000011...390
Détection de la longeur DR de IR 00000100...32
Détection de la longeur DR de IR 00000101...32
Détection de la longeur DR de IR 00000110...1
Détection de la longeur DR de IR 00000111...1
Détection de la longeur DR de IR 00001000...1
Détection de la longeur DR de IR 00001001...1
Détection de la longeur DR de IR 00001010...1
Well, most phones typically have a boot loader mode that let’s you reflash the phone. Motorola phones are typically # * while turning on power for example. You might try camera and power-on. The reason is to minimize what the phone is doing while you are connecting. In your case, though, you’ll need to describe the jtag chain to urjtag. It doesn’t recognize the chip because it isn’t in the database. You probably have two items in the jtag chain. Your Arm irlen should be 4. So you either have something in front or behind the arm giving you more ir bits. You may need to play with a config file until you describe the chain correctly. The other thing in the chain is probably the dsp.
