E15i Data rescue

[Haltec]

Hi,


I got here badly damaged X8 a.k.a E15i / bit twisted pcb

I want to extract PB from it trough full dump and flash to another working device.

But...


Open serial port...OK
Connecting to the RIFF Box...OK
Firmware Version: 1.34, JTAG Manager Version: 1.48
Selected Resurrector: [SE E15i V1.00]

Restarting target (nRST Low then High)...OK



Open serial port...OK
Connecting to the RIFF Box...OK
Firmware Version: 1.34, JTAG Manager Version: 1.48
Selected Resurrector: [SE E15i V1.00]

Connecting to the dead body...OK
Set I/O Voltage reads as 2.59V, TCK Frequency is RTCK

Detected dead body ID: 0x203C00E1



Open serial port...OK
Connecting to the RIFF Box...OK
Firmware Version: 1.34, JTAG Manager Version: 1.48
Selected Resurrector: [SE E15i V1.00]

Connecting to the target...OK
Set I/O Voltage reads as 2.60V, TCK Frequency is RTCK

Following devices are found on the JTAG chain:
Device on TAP #0: ID = 0x203C00E1, IR Length = 0x04 bits
Total IR length: 0x0004 bits

Analizing IDCODE(s) of the JTAG scan chain:
1. 0x203C00E1: Qualcomm MSM7227, H/W Rev. #2

Code:

Connecting to the dead body...OK
Detected dead body ID: 0x203C00E1 - CORRECT!
Set I/O Voltage reads as 2.59V, TCK Frequency is RTCK
Adaptive Clocking RTCK Sampling is: [Sample at 8 MHz]
Settings Code: 0x2501000E000000000000000020000000

Resurrection sequence started.
Establish communication with the phone...OK
Initializing internal hardware configuration...OK
Uploading resurrector data into memory...OK
Starting communication with resurrector...OK

Detected an Initialized FLASH1 Chip, ID: 0x0020/0x55BC (512MB)

Reading FLASH1 address space from 0x000000000000 to 0x00001FFFFFFF
Failed to receive answer to READ command.

It stops on 0x0000006F0000 firstely 8MHZ

Code:

WARNING: Resuming interrupted read from 0x0000006F0000, yet to read - 0x00001F910000...
Reading FLASH1 address space from 0x0000006F0000 to 0x00001FFFFFFF

Code:

WARNING: Resuming interrupted read from 0x000000AD0000, yet to read - 0x00001F530000...
Reading FLASH1 address space from 0x000000AD0000 to 0x00001FFFFFFF

It stops way too many times, and Qualcomm Plugin seems that it cant find partition table...

Code:

Open serial port...OK
Connecting to the RIFF Box...OK
Firmware Version: 1.34, JTAG Manager Version: 1.48
Selected Resurrector: [SE E15i V1.00]

Connecting to the dead body...OK
Detected dead body ID: 0x203C00E1 - CORRECT!
Set I/O Voltage reads as 2.58V, TCK Frequency is RTCK
Adaptive Clocking RTCK Sampling is: [Sample at 8 MHz]
Settings Code: 0x2501000E000000000000000020000000

Resurrection sequence started.
Establish communication with the phone...OK
Initializing internal hardware configuration...OK
Uploading resurrector data into memory...OK
Starting communication with resurrector...OK

Detected an Initialized FLASH1 Chip, ID: 0x0020/0x55BC (512MB)

Reading FLASH1 address space from 0x000000040000 to 0x000000040FFF
Completed in 00:00:00.016 (Average Transfer Rate: 131071999.94 kB/s)

Reading FLASH1 address space from 0x000000060000 to 0x000000060FFF
Completed in 00:00:00.016 (Average Transfer Rate: 6.10 kB/s)

Reading FLASH1 address space from 0x000000080000 to 0x000000080FFF
Completed in 00:00:00.016 (Average Transfer Rate: 6.10 kB/s)

Reading FLASH1 address space from 0x0000000A0000 to 0x0000000A0FFF
Completed in 00:00:00.016 (Average Transfer Rate: 6.10 kB/s)

Reading FLASH1 address space from 0x0000000C0000 to 0x0000000C0FFF
Completed in 00:00:00.016 (Average Transfer Rate: 6.10 kB/s)

Reading FLASH1 address space from 0x0000000E0000 to 0x0000000E0FFF
Completed in 00:00:00.016 (Average Transfer Rate: 6.10 kB/s)

Reading FLASH1 address space from 0x000000100000 to 0x000000100FFF
Completed in 00:00:00.016 (Average Transfer Rate: 6.10 kB/s)

Reading FLASH1 address space from 0x000000120000 to 0x000000120FFF
Completed in 00:00:00.032 (Average Transfer Rate: 3.05 kB/s)

Reading FLASH1 address space from 0x000000140000 to 0x000000140FFF
Completed in 00:00:00.031 (Average Transfer Rate: 3.15 kB/s)

Reading FLASH1 address space from 0x000000160000 to 0x000000160FFF
Completed in 00:00:00.015 (Average Transfer Rate: 6.51 kB/s)

Reading FLASH1 address space from 0x000000180000 to 0x000000180FFF
Completed in 00:00:00.015 (Average Transfer Rate: 6.51 kB/s)

Reading FLASH1 address space from 0x0000001A0000 to 0x0000001A0FFF
Completed in 00:00:00.015 (Average Transfer Rate: 6.51 kB/s)

Reading FLASH1 address space from 0x0000001C0000 to 0x0000001C0FFF
Completed in 00:00:00.015 (Average Transfer Rate: 6.51 kB/s)

Reading FLASH1 address space from 0x0000001E0000 to 0x0000001E0FFF
Completed in 00:00:00.016 (Average Transfer Rate: 6.10 kB/s)
ERROR: Couldn't find partition table location in the device memory.

Any advices?


Thx


Haltec

[BABAK NURI]

Hi
You Need Set Speed At Lower...(like 1MHZ or 4) at TCK
--
Also Plz use Only USB cable and Power Supply
--

***
Can You Tell Me About Exactly Your Problem? What Mean "PB"?

[Haltec]

I need to extract PhoneBook. Sorry I know that this abbreviation can be confusing.

I got physically damaged phone and customer needs it's phonebook back badly.

I did tryed with all latency's but failed.


Now I am using High Quality charger and it reads more, but afterwhile I got this one:

Open serial port...OK
Connecting to the RIFF Box...OK
Firmware Version: 1.34, JTAG Manager Version: 1.48
Selected Resurrector: [SE E15i V1.00]

Connecting to the dead body...
ERROR: Set I/O Voltage to 2.60V failed. Real reading is 2.70V

[Haltec]

Weird At 1Mhz won't even establish communication with phone - while at 2Mhz works right away.

[Haltec]

And one important one - if I have to resume multiple times when full dump reading due to some inconsistency / does that affect flash file readout?

[legija]

Hi,
First thing to do is to check any size readout, since QC plugin could not detect partition table. You might be reading just zeros out of phone flash chip.

Read 16MB and save it, then open it in QC plugin and check if partition table is detected.

[Haltec]

Reading FLASH1 address space from 0x000000000000 to 0x000000FFFFFF


Readed with 4 interrupts *Failed to receive answer to READ command.

No qcom partition table in that file... : (



... ?


Checeked it with hex wiever = definetly X8 dump

Kind thanks for your help.

[Haltec]

Now with OK readout RTCK and 4MHz Sampling

Detected an Initialized FLASH1 Chip, ID: 0x0020/0x55BC (512MB)

Reading FLASH1 address space from 0x000000000000 to 0x000000FFFFFF
Completed in 00:02:05.172 (Average Transfer Rate: 134.98 kB/s)


There is still no Qcom partition table.

Would I achieve any impact by changing RESET method in custom target settings?

And I can't use RIFF's HexViewer - it come out blank when this 16Mb Loaded? Why?


This dump seems ok. Now I am at 17%... hmpff....

SEMC DRM1.0...U....SEMC DRM Root CA0...000101000010Z..291231000010Z0;1.0...U....SE1 .0...U....SEMC DRM1.0...U....SEMC DRM Root CA0

I notice that data transfer rate decresases it starts from 255 kB/s then drops all the 125 Kb/s - Is that adaptive clock sampling related ?


And I am paticulary interested about these interupted readouts. Can you please tell us, your opinion about punctuation of interupted vs non interupted readout?

I will made dupmp comparsion on this 16MB sample, but I would like to hear an expert's opinion on that.

And I also understand that it can't be tooked for granted. Just tryi'n to collect some expirience...


BR


Haltec

[legija]

Its okay to continue reading, since RIFF software overlaps broken readouts.

As for unstable connection - it happens because phone loses power supply.

[Haltec]

Thank you. Can you please implement somehow Read memory auto-continue feature in next update. Platio bih kafu. Samo da odem popiti istu.

I am browsing C:\Program Files\RIFF Box JTAG Manager\Documents it's really highly advanced manual and tool.


Can you please also gave me some pointer's what to expect since I am going to flash this dump to a fully working phone.

I am willing to kill it in a user-able sense of meaning, but really just need phonebook from it then.


I am really fascinated / when connected to proper PSU it falis EACH single time now on 5% respecteyly. ????


From 0x00001ACF8000 to 0x00001B2D4000, then 0x00001B7A8000, then 0x00001BDEC000, 0x00001C370000, 0x00001C9A4000, 0x00001CF84000 etc....


And when coming closer to the end it seems that experessed in percentage is increasing as left over to readout decreasing. It's like some electrical flaw prevents/interupts reading in same intervals (time elapsed speaking or exact data amounts)

Really strange.


Ok - I got my readout heavyly interrupted *30-40 times. We are going to see if this was any good.


BR

Haltec

[Haltec]

Yes Interupted and Not interupted dump of first 16MB is completely same.


Thx a lot for your inputs regarding all this.







Unfortunately still can't find partition table - even from full dump.

Any thoughts about this ?


You need dump uploaded somewhere ?



BR


Haltec

[Haltec]

Ok - this is funny now


It behave EXACTELY the same with fully working phone I got to flash dump into.

Code:

Open serial port...OK
Connecting to the RIFF Box...OK
Firmware Version: 1.35, JTAG Manager Version: 1.49
Selected Resurrector: [SE E15i V1.0.4463.41118]

Connecting to the dead body...OK
Detected dead body ID: 0x203C00E1 - CORRECT!
Set I/O Voltage reads as 2.67V, TCK Frequency is RTCK
Adaptive Clocking RTCK Sampling is: [Sample at 8 MHz]
Settings Code: 0x0501000E000000000000000020000000

Resurrection sequence started.
Establish communication with the phone...OK
Initializing internal hardware configuration...OK
Uploading resurrector data into memory...OK
Starting communication with resurrector...OK

Detected an Initialized FLASH1 Chip, ID: 0x002C/0x55BC (512MB)

Reading FLASH1 address space from 0x000000000000 to 0x00001FFFFFFF
Failed to receive answer to READ command.

Reading FLASH1 address space from 0x000000000000 to 0x00001FFFFFFF
Failed to receive answer to READ command.

AV and anything else disabled... Shall I install RIFF on other laptop?

I am really not into it...


I am dumping this one working set so I can restore it later after writing this dump with data, and extracting phone book old fashioned way...

Jtag cable is one that came with box approx 10cm long.

Any thoughts?



BR


Haltec

[Haltec]

Ok / something is wrong with box grounding.

When outer shield of usb socket type B touches housing it self / all stops.


Will try to isolate, and see how it's going to behave.


It solved that, but still cant read wthout interuptions...

@4MHz

Reading FLASH1 address space from 0x000000000000 to 0x00001FFFFFFF
Failed to receive answer to READ command.

[Haltec]

Ok. We rulled out PC issues. Exactely the same on another laptop...


No matter which TCK speed it always stops first time around 1%...


Then first startup afterwards:

Connecting to the dead body...OK
Detected dead body ID: 0x000000E1 - WRONG!!!
ERROR: Current ID does not belong to the SE E15i family.


And next startup OK!


???


Hmpff... bit frustrating... Any ideas ?

Jtag board is V2


Br


Haltec