Easy-Jtag / Easy-Jtag Plus The official support section. You can ask here your question and get answer regarding using Easy-Jtag / Easy-Jtag Plus. |
02-08-2018, 17:13 | #1 (permalink) |
Freak Poster Join Date: May 2011 Location: algeria
Posts: 141
Member: 1582098 Status: Offline Thanks Meter: 17 | EasyJtag Huawei B5328 Jtag pins help

I was wondering if Easy Jtag will help me find the JTAG pinout of this modem's board, based on the GCT GDM7243Q. I need some help finding the JTAG pins for this model. I have tested the pins with a multimeter for possible voltage. Attached here are the picture of the board and the soft version. As you can see, the IMEI and uboot version do not appear, so I want to interact with the device using JTAG to perform any repair to the IMEI and uboot. Actually, I did not find any firmware related to this device. Any help would be appreciated.

System log messages from main menu.

Code:
Jan 1 00:00:01 syslogd started: BusyBox v1.21.0-uc0
Jan 1 00:00:01 kernel: IPC_IF_RX_LIMIT=100
Jan 1 00:00:01 kernel: jffs2: version 2.2. (NAND) © 2001-2006 Red Hat, Inc.
Jan 1 00:00:01 kernel: msgmni has been set to 148
Jan 1 00:00:01 kernel: io scheduler noop registered
Jan 1 00:00:01 kernel: io scheduler deadline registered
Jan 1 00:00:01 kernel: io scheduler cfq registered (default)
Jan 1 00:00:01 kernel: Initialize gdm-i2c
Jan 1 00:00:01 kernel: Probe gdm-i2c
Jan 1 00:00:01 kernel: i2c bus frequency set to 400 KHz
Jan 1 00:00:01 kernel: i2c-0: GDM I2C adapter
Jan 1 00:00:01 kernel: PMIC Register [0x00~0x0f]
Jan 1 00:00:01 kernel: d4827e58: 10 03 00 f0 7e 0f 00 0b 13 5d 35 45 45 4c 00 00
Jan 1 00:00:01 kernel: PMIC SWREGADJ1=0xb
Jan 1 00:00:01 kernel: ECOSWREG: 0f->ff
Jan 1 00:00:01 kernel: PMIC GMT-G5851(id:12) probed!
Jan 1 00:00:01 kernel: gdm-uart.0: ttyS0 at I/O 0xfc007500 (irq = 2) is a gdm-uart
Jan 1 00:00:01 kernel: gdm-uart.1: ttyS1 at I/O 0xfc007540 (irq = 21) is a gdm-uart
Jan 1 00:00:01 kernel: gdm-uart.2: ttyS2 at I/O 0xfc007580 (irq = 33) is a gdm-uart
Jan 1 00:00:01 kernel: gdm-uart.3: ttyS3 at I/O 0xfc007600 (irq = 12) is a gdm-uart
Jan 1 00:00:01 kernel: [USIM] : GDM USIM device driver (1.0)
Jan 1 00:00:01 kernel: Serial flash ID[00000000]
Jan 1 00:00:01 kernel: Serial flash driver MAJOR[140]
Jan 1 00:00:01 kernel: start : c4000000, regs : d6000000, area : d4a80440, size : 16777216
Jan 1 00:00:01 kernel: brd: module loaded
Jan 1 00:00:01 kernel: GDM7243 NAND Driver, GCT Semiconductor, Ltd.
Jan 1 00:00:01 kernel: Built-in Ecc Nand
Jan 1 00:00:01 kernel: pagesize : 2K
Jan 1 00:00:01 kernel: address cycle : 4
Jan 1 00:00:01 kernel: NAND device: Manufacturer ID: 0x98, Chip ID: 0xa1 (Toshiba NAND 128MiB 1,8V 8-bit), 128MiB, page size: 2048, OOB size: 64
Jan 1 00:00:01 kernel: Bad block table found at page 65472, version 0x01
Jan 1 00:00:01 kernel: Bad block table found at page 65408, version 0x01
Jan 1 00:00:01 kernel: nand_read_bbt: bad block at 0x000006000000
Jan 1 00:00:01 kernel: 17 cmdlinepart partitions found on MTD device gdm7243
Jan 1 00:00:01 kernel: 17 cmdlinepart partitions found on MTD device gdm7243
Jan 1 00:00:01 kernel: Creating 17 MTD partitions on "gdm7243":
Jan 1 00:00:01 kernel: 0x000000000000-0x000000080000 : "u-boot"
Jan 1 00:00:01 kernel: 0x000000080000-0x000000100000 : "env"
Jan 1 00:00:01 kernel: 0x000000100000-0x000000200000 : "rev0"
Jan 1 00:00:01 kernel: 0x000000200000-0x000000300000 : "ltenv"
Jan 1 00:00:01 kernel: 0x000000300000-0x000000400000 : "wmnv"
Jan 1 00:00:01 kernel: 0x000000400000-0x000000500000 : "cmnnv"
Jan 1 00:00:01 kernel: 0x000000500000-0x000000600000 : "cmnnv2"
Jan 1 00:00:01 kernel: 0x000000600000-0x000000a00000 : "rev1"
Jan 1 00:00:01 kernel: 0x000000a00000-0x000000e00000 : "linux"
Jan 1 00:00:01 kernel: 0x000000e00000-0x000001200000 : "linux2"
Jan 1 00:00:01 kernel: 0x000001200000-0x000003000000 : "rootfs"
Jan 1 00:00:01 kernel: 0x000003000000-0x000004e00000 : "rootfs2"
Jan 1 00:00:01 kernel: 0x000004e00000-0x000005300000 : "tk"
Jan 1 00:00:01 kernel: 0x000005300000-0x000005800000 : "tk2"
Jan 1 00:00:01 kernel: 0x000005800000-0x000005880000 : "customize"
Jan 1 00:00:01 kernel: 0x000005880000-0x000005b00000 : "log"
Jan 1 00:00:01 kernel: 0x000005b00000-0x000007b00000 : "update"
Jan 1 00:00:01 kernel: ---------------------

B5328-logs mediafire link

Any help would be appreciated. Thanks.
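Added example (not part of the original post or of any vendor tooling): a Python sketch that parses the MTD partition lines from the syslog above, checks that the partitions are contiguous, and maps the reported bad block and bad-block-table pages onto the layout, which is worth knowing before taking or verifying a flash backup. The function name `analyze` is an assumption of this example; the log lines are copied from the post.

```python
import re

# Lines copied verbatim from the syslog posted above (unrelated lines omitted).
LOG = """\
Jan 1 00:00:01 kernel: NAND device: Manufacturer ID: 0x98, Chip ID: 0xa1 (Toshiba NAND 128MiB 1,8V 8-bit), 128MiB, page size: 2048, OOB size: 64
Jan 1 00:00:01 kernel: Bad block table found at page 65472, version 0x01
Jan 1 00:00:01 kernel: Bad block table found at page 65408, version 0x01
Jan 1 00:00:01 kernel: nand_read_bbt: bad block at 0x000006000000
Jan 1 00:00:01 kernel: 0x000000000000-0x000000080000 : "u-boot"
Jan 1 00:00:01 kernel: 0x000000080000-0x000000100000 : "env"
Jan 1 00:00:01 kernel: 0x000000100000-0x000000200000 : "rev0"
Jan 1 00:00:01 kernel: 0x000000200000-0x000000300000 : "ltenv"
Jan 1 00:00:01 kernel: 0x000000300000-0x000000400000 : "wmnv"
Jan 1 00:00:01 kernel: 0x000000400000-0x000000500000 : "cmnnv"
Jan 1 00:00:01 kernel: 0x000000500000-0x000000600000 : "cmnnv2"
Jan 1 00:00:01 kernel: 0x000000600000-0x000000a00000 : "rev1"
Jan 1 00:00:01 kernel: 0x000000a00000-0x000000e00000 : "linux"
Jan 1 00:00:01 kernel: 0x000000e00000-0x000001200000 : "linux2"
Jan 1 00:00:01 kernel: 0x000001200000-0x000003000000 : "rootfs"
Jan 1 00:00:01 kernel: 0x000003000000-0x000004e00000 : "rootfs2"
Jan 1 00:00:01 kernel: 0x000004e00000-0x000005300000 : "tk"
Jan 1 00:00:01 kernel: 0x000005300000-0x000005800000 : "tk2"
Jan 1 00:00:01 kernel: 0x000005800000-0x000005880000 : "customize"
Jan 1 00:00:01 kernel: 0x000005880000-0x000005b00000 : "log"
Jan 1 00:00:01 kernel: 0x000005b00000-0x000007b00000 : "update"
"""

PART = re.compile(r'(0x[0-9a-f]+)-(0x[0-9a-f]+) : "([^"]+)"')

def analyze(log):
    """Return (partitions, gaps, bad-block owners, BBT offsets, unallocated tail)."""
    parts = [(n, int(s, 16), int(e, 16)) for s, e, n in PART.findall(log)]
    page = int(re.search(r"page size: (\d+)", log).group(1))
    total = int(re.search(r"(\d+)MiB, page size", log).group(1)) << 20
    # A hole or overlap between consecutive partitions deserves a second look.
    gaps = [(a[0], b[0]) for a, b in zip(parts, parts[1:]) if a[2] != b[1]]
    bad = [int(x, 16) for x in re.findall(r"bad block at (0x[0-9a-f]+)", log)]
    owners = {hex(b): next((n for n, s, e in parts if s <= b < e), None) for b in bad}
    bbt = [int(p) * page for p in re.findall(r"table found at page (\d+)", log)]
    return parts, gaps, owners, bbt, (parts[-1][2], total)

if __name__ == "__main__":
    parts, gaps, owners, bbt, tail = analyze(LOG)
    for name, start, end in parts:
        print(f"{name:10s} {start:#010x} {(end - start) // 1024:6d} KiB")
    print("gaps/overlaps:", gaps)
    print("bad blocks:", owners)
    print("BBT offsets:", [hex(o) for o in bbt], "unallocated:", [hex(t) for t in tail])
```

On this log the partitions are contiguous, the bad block at 0x6000000 falls inside "update", and both bad block tables sit in the 5 MiB past the last partition, so a dump that stops at the end of "update" will not contain them.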
07-20-2018, 22:05 | #4 (permalink) |
Junior Member Join Date: Jul 2018
Posts: 2
Member: 2852300 Status: Offline Thanks Meter: 0 | I have also been working on this chipset - pulled from a different device though. The chip variant in your device appears to be similar to an LC4RT mPCI-e card, however obviously with some distinct differences. On the LC4RT, mPCIe only brings out a USB ethernet+acm interface along with a dedicated UART to align with mPCIe standards. What you have looks like something custom though, and it's hard to tell what the pins are without a datasheet.

The document below has a ton of information on the other variant. Not the most useful here, but it does have AT commands and some things that could benefit you later on. Search FCCIO for FCCID P27LC4RT (I can't post links yet but it's easy to find).

UART and Telnet are both password protected (or they were in my case). Have you tried these? On OEM firmware gaining root access was trivial, so hopefully it's not that hard on Huawei either. At first, I used basic command injection that you may have to hunt for a little bit, then afterwards I found a hidden page - systemcommand<dot>html. Chances are you will not have that command page since Huawei used their own UI, but injection is still a greater possibility. The command you want to run is along the lines of - 'mount -o remount,rw / && passwd -o root'. After you have root, just telnet in and enable the ftpd, then freely grab anything you want to look at. This is all assuming that Huawei did not take extra measures to secure the device beyond GCT/oem provisioning – if they did, it's likely they also blew the jtag fuses or took other steps to prevent access after provisioning.

More notes…

Access to the DM> shell without UART can be achieved by running /usr/lted_cli from telnet. Direct ACM access is only available under Linux /dev/ttyACM0, however AT commands can be issued from the DM> shell.

In theory, once configurations are saved the device can work under Windows with USB Ethernet gadget options set, however I have not been able to achieve a connection manually yet as I do not have service on the required bands to test with.

Most interesting thing here.. The LTE modem has a wide range of RF operation listed on the product brief, however it seems to be locked down to a handful of specific bands - in my case separate from the bands listed for the Huawei device (even though it's the same chip package). This makes me think it's somehow controllable in firmware, likely locked down to align with FCC and other local regulation. This would be especially useful for me since I do not use the service provider who operates on the bands currently enabled.

Lastly, I wouldn't go off and try installing openwrt or anything funny on the chip directly, since storage is at some premium and unknown binaries are also at play, however with the right cross compiler / tool set one could easily build additional apps/functionality for the chip.
07-20-2018, 22:37 | #5 (permalink) |
Junior Member Join Date: Jul 2018
Posts: 2
Member: 2852300 Status: Offline Thanks Meter: 0 | Forgot some more notes that may be useful. Sorry for the blast of data here.

The IMEI is essentially unlocked and can be manually set in the DM> shell (or web interface on oem firmware). I would say that yours is listed as N/A because the modem initialization scripts have not yet been invoked, and this is likely how the software is made aware of the IMEI Huawei defined.

Huawei is fairly good about providing GPL src files. The B5328 is not listed on the site, but I notice the "Open Source Notice" in the screenshot. It's possible you may get lucky if you ask them directly.