How to unbrick JTAG enabled smartphones with open source software and hardware?

This is a stub! This article is just a stub, since a working solution via JTAG so far seems to be available only for HTC Dream / Magic. You may search for software-based debricking solutions; maybe one of them can solve your problem.

Creating “open source phones”. The background to this experiment is that I want to have “open source phones”: phones that you can operate and repair fully on your own with open source hardware and software tools, no longer needing the manufacturer once the device has been manufactured. The tools needed for this are very different for different phones, so I specialize here in JTAG enabled smartphones, esp. HTC Desire HD and HTC Desire S. (Note that JTAG is quite a universal standard in modern smartphones, so it does not make much sense to deal with older, even more proprietary devices.) This article is immediately applicable to these models only, but will work for other HTC models and mostly also generically for JTAG enabled devices.

Now the toolbox for maintaining and repairing most HTC phones consists of (gratis or free) software tools to be found via the famous XDA Developers, but not all tasks can be done by software. Esp. for some variants of unbricking, a hardware device is needed because the JTAG port has to be accessed. The task of this article is to explore this JTAG-related part of the toolbox, which seems to be so far the biggest gap for a fully open source toolchain for operating and repairing modern (Android based) smartphones.

Desired features of the open source JTAG tools. For the concept of “open source phones”, it is not really necessary that all tools involved in rooting, setting S-OFF, SIM unlocking etc. are open source. A phone is an “open source phone” only once it is in this freed condition, so it does not matter if the tools to free it are as proprietary as those used to lock it down in the first place. However, all tools needed at any point of the life cycle of a “freed phone” have to be open source software and hardware. This means, in addition to all the custom ROMs available and the techniques to apply them, the following:

  • open hardware JTAG adapter (this is just the hardware to connect a computer to the phone’s JTAG interface)
  • open source software and instructions for debricking / resurrecting the phone
  • open source boundary scan test software for identifying hardware damage to the phone via JTAG
  • open source software for changing IMEI, CID and model ID (however, be sure to respect the legal boundaries in your jurisdiction regarding these operations)

This also means that only those phones can become “open source phones” for which all challenges of freeing them have been solved (for HTC phones: S-OFF, radio S-OFF, permanent rooting, flashing a custom ROM). Simply ignore other models, as they’re not yet part of the free world 😉

Component: open source JTAG hardware adapter

This is just an idea list of principal alternatives so far. I did not investigate them more than detailed below.

  1. Bus Blaster v2. An open source hardware piece for just 35 USD that can cooperate with lots of open source JTAG debugging and flashing software, including OpenOCD and UrJTAG. At first sight, seems like the first solution to try.
  2. Open JTAG. This is an open source hardware project for a JTAG adapter. It is available fully assembled for ca. 80 EUR as of 2013-01.
  3. GoodFET. Another JTAG interfacing open source hardware that can flash chips, also including client software. However I could not find out so far if it can be used to access HTC phones; this should probably start by looking at their list of supported chips.
  4. Proprietary hardware (for use with open source software). Might be a good first step: finding or creating open source software to use in collaboration with an existing commercial JTAG box like the RIFF box. Note: I do not know yet if, and by which means, the RIFF box secures access from other software.
    1. RIFF box. This is a great (widespread and recommended) choice. Ca. 130 USD [example]. It is possible to unbrick many devices [list], including HTC Desire HD and Desire S. Their software is proprietary and for Windows XP / Vista / 7 only [source]. Also see their manual and support documents and an additional official support forum.
    2. ORT-JTAG. The Omnia Repair Tool, a JTAG flasher and emulator that supports various CPU types and platforms, including the HTC Desire HD and HTC Desire S [source]. It is possible to unbrick the HTC Desire HD with this tool [instructions]. Price is 150 USD as of 2013-01 [source].
    3. XTC Clip. This is an unlocking device, not an unbricking device. However, as I do not know if RIFF box can do S-OFF for all models it supports, and as there are models where S-OFF cannot be done by software only, you may need the XTC Clip for some purposes.
    4. Some other boxes. Not all available boxes used for phone service are based on the JTAG interface. It seems that JTAG is only available on newer phones, so a box like the Saras Twister cannot be hacked to do JTAG stuff.

Component: open source JTAG software

  1. goJTAG. A free and open source software package developed by universities that makes exhaustive use of JTAG capabilities, including your own boundary scan tests. [TODO: Find out if it is capable of flashing to devices as well.] It normally is meant to work with the commercial PicoTAP JTAG hardware adapter, but the great news is that now you can use the open source Bus Blaster v2 as well.
  2. OpenOCD. The “Open On-Chip Debugger” project, a mature, sophisticated, flexible software suite for dealing with all things JTAG. Esp., it can be adapted to work with several JTAG debug adapters [source], but you may have to write your own config.
  3. UrJTAG. An open source project to create a universal JTAG library, server and tools. From a superficial impression, however, it seems that OpenOCD is more mature and more active in development. But UrJTAG has great documentation with interesting background information.

Creating a solution

There is no ready-made solution for unbricking most phones with these open source tools so far. But I found one great example process, based on OpenOCD: JTAG Softboot for HTC Dream / Magic. It shows that several security measures have to be dealt with in order to flash, and the development of that process shows a strategy for developing it for other phones like (in my case here) the HTC Desire HD and Desire S.

This knowledge about security workarounds etc. is what the authors of commercial tools (RIFF box, ORT-JTAG) have developed, and guard in their software and firmware. So maybe the simplest solution is to reverse engineer it from there.

Anyway, getting these tools to work for unbricking phones is a lot of work. The first few steps, in my view:

  1. Get a JTAG cable adapter for the phone in question, like this for HTC Desire HD or this for HTC Desire S.
  2. Get yourself an open source JTAG hardware interface, such as the Bus Blaster v2.
  3. Find out the JTAG pinout for the phone in question.
  4. Find working OpenOCD / UrJTAG / goJTAG configurations for the phone in question. One can also create them oneself, but it’s not a straightforward job as even with the same processor, devices have other configurations for access with JTAG [source, example for HTC Wildfire S].
  5. Find every piece of information about debricking the phone in question, incl. the security measures to deal with in order to flash a working bootloader again. This may include the reverse engineering just mentioned, which you would carry out by sniffing and looking at the live communication between commercial software, its JTAG hardware interface, and the actual phone.
  6. Create a script or instructions that use a suitable open source JTAG software package to execute the proper debricking method for the device.
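
For steps 3 and 4, the first thing any JTAG software reports is the 32-bit IDCODE of each TAP in the scan chain, and that value tells you whether the pinout is right and what to put into an OpenOCD tap declaration. The following is an added example, not code from this article or from the OpenOCD project: it decodes IDCODEs per IEEE 1149.1 and drafts "jtag newtap" lines. The chip name "phone", the tap names, the default irlen of 4 and the sample readings are assumptions; the readings are constructed, not taken from an HTC phone.

```python
# Constructed readings, as if from three separate connection attempts.
# 0x4ba00477 is the widely documented IDCODE of an ARM debug port.
SAMPLE_READINGS = [0x4BA00477, 0xFFFFFFFF, 0x4BA00476]


def decode_idcode(idcode):
    """Split a 32-bit IEEE 1149.1 IDCODE into fields and sanity-check it."""
    fields = {
        "version": (idcode >> 28) & 0xF,
        "part": (idcode >> 12) & 0xFFFF,
        # 11 bits: 4-bit JEP106 bank (continuation count) + 7-bit id
        "manufacturer": (idcode >> 1) & 0x7FF,
        "problem": None,
    }
    if idcode in (0x00000000, 0xFFFFFFFF):
        # TDO never toggles: wrong pin, no target power, or broken cable.
        fields["problem"] = "TDO stuck: check pinout, power and cable"
    elif idcode & 1 == 0:
        # Bit 0 of a real IDCODE is always 1; a 0 is the BYPASS register.
        fields["problem"] = "bit 0 is 0: not an IDCODE (BYPASS or noise)"
    elif fields["manufacturer"] == 0x07F:
        # 00001111111 is explicitly not a legal manufacturer code.
        fields["problem"] = "illegal manufacturer code: likely noise"
    return fields


def draft_taps(readings, chip="phone", irlen=4):
    """Return (config_lines, problems) for a list of IDCODE readings.

    irlen cannot be derived from the IDCODE; 4 is an assumed default
    and must be replaced with the real instruction register length.
    """
    lines, problems = [], []
    for n, idcode in enumerate(readings):
        fields = decode_idcode(idcode)
        if fields["problem"]:
            problems.append((n, fields["problem"]))
            continue
        lines.append(
            f"jtag newtap {chip} tap{n} -irlen {irlen} "
            f"-expected-id 0x{idcode:08x}"
        )
    return lines, problems


if __name__ == "__main__":
    config, issues = draft_taps(SAMPLE_READINGS)
    print("\n".join(config))
    for index, text in issues:
        print(f"# reading {index}: {text}")
```
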







2 responses to “How to unbrick JTAG enabled smartphones with open source software and hardware?”

  1. Yogesh

    What about Samsung phones? Do they support OpenOCD/UrJTAG?

  2. Andrew

    For Samsung phones you can find here
