Damaged Blocks in NAND memory... - Bada Software and Hacking General

It seems that if you have damaged Blocks in NAND, it's harder to play with full flash... full erase...
I have 1 in my S8500...
You know the address first, if you play with erase or full flashes in JTAG...
BUT if you have ever seen the Blue Screen on your handset, and Debug Level was Mid or High,
then the handset reports damaged blocks...
I'll search some Pics... for better understanding.
I have no idea how many damaged blocks are "normal"...
Best Regards
Edit 1.
Message looks like this on handset, if Blue Screen appears... scroll to page...
Then you can read:
Code:
Bad Block information:
nNumBMP : 0
nAge : 0
Run Time Bad Block Occured :
Init BMPs = 1, Current BMPs = 0
This is taken from my S8530... this one is alive and seems to have no damaged Blocks...
On my S8500 I can remember nNumBMP : 1
With RIFF Box (JTAG) you see, for instance, the address...
http://forum.gsmhosting.com/vbb/f634/solved-s8500-error-pls-help-1089879/
My Block is damaged at 0x07100000
Edit 2.
size of 1 Block is 256 KB (Length 0x40000)
http://forum.xda-developers.com/showpost.php?p=13935305&postcount=23
So 256 KB is lost/missing/unusable/unrestorable
I'll check what 0x0710 0000 could contain...

Code:
Bad Block Information:
nNumBMPs : 0
nAge : 0
Run Time Bad Block Occurred :
Init BMPs = 7, Current BMPs = 0
Uuupsi, one of my "new" damaged test Wave 2 devices has 7 damaged Blocks from 512 MB OneNAND...
7 x 256 KB = 1792 KB
Nearly 2 MB seems damaged...
Device not long enough tested...
Will check again my other devices...
Best Regards

My JTAG S8500 shows me today this:
Code:
Bad Block Information:
nNumBMPs : 0
nAge : 0
Run Time Bad Block Occurred :
Init BMPs = 4, Current BMPs = 0
Maybe not OneNAND but maybe moviNAND ?
Will check later again...
Best Regards

Now I am 95,7 % sure, this means 512 MB OneNAND.
Code:
Bad Block Information:
nNumBMPs : 0
nAge : 0
Run Time Bad Block Occurred :
Init BMPs = 2, Current BMPs = 0
My S8530 shows me 2 damaged Blocks with RIFF JTAG, if I erase NAND...
My S8500 shows me 1 Block, if I play with RIFF and 1 Block, via Bluescreen:
Code:
Bad Block Information:
nNumBMPs : 0
nAge : 0
Run Time Bad Block Occurred :
Init BMPs = 1, Current BMPs = 0
My prior post with 4... seems during my tests... this was temporary.
I have tested something stupid...
Hmmm. I have 3 devices used with RIFF JTAG...
First S8500 with broken Display
Second S8500 without visible damages... and without damaged blocks.
Third S8530 with broken Display + 50 % unusable Touchscreen + many visible scratches...
Strange, both devices with broken Display have damaged Blocks...
Maybe hard landings can damage OneNAND also...
Best Regards

Bad block management (BBM) is a critical component of NAND flash drivers to improve the reliability and endurance of the flash. NAND is shipped from the factory with “mostly good” cells, meaning there are some cells that are non-functional even when the flash is new. Blocks can also go bad over time, causing loss of data stored in the flash memory or even a bricked device. To prevent flash memory corruption, the Datalight line of FlashFX products employs patented bad block management technology to map bad sectors and avoid storing data in those areas. Using Datalight FlashFX flash memory drivers makes bad block management worry-free, making NAND flash reliable and reducing warranty returns.
http://www.datalight.com/solutions/technologies/bad-block-management
Interesting, found it here:
http://forum.xda-developers.com/showpost.php?p=33359041&postcount=6
Also interesting...
eMMC seems also moviNAND...
Best Regards

Related

<SOS> - Samsung NAND - KMXEE0A0CM-S600 - Flash Failure !?

Hi There
Diam140 - Olinex:1.93
Used to change ROMs almost everyday - flashoholic. And one bad day a flash failed and after that
Diamond is behaving strangely. Tried 'MTTY'- {task 29} and {task 28} as well. And here is the output
from both:
task 29
Format BINFS start
Fill RSVD information for block 288 to 321
CE start sector=0x14, total sector of CE and TFAT=0x14
CE start start block=321, total block=1727
Write 0xFF start page=0x5040, total page=0x1AFC0
Format BINFS end
task 28
Format start
Fill RSVD information for block 288 to 321
CorrectNandAddr detect error addr =0x3800F164
CorrectNandAddr detect error addr =0x3800F164
CorrectNandAddr detect error addr =0x38000000
CorrectNandAddr detect error addr =0x38000000
CorrectNandAddr detect error addr =0x38000000
bad=0x1D20
R:NO bad block reversed for block ID 0x1D20
CorrectNandAddr detect error addr =0x38000000
ERASE FAIL: 0x1D20
W:NO bad block reversed for block ID 0x1D20
Write NAND Faild
Now if the power button is pushed, after 10 minutes the device vibrates and comes up with a greyish screen
and after half an hour or so it can be put into bootloader. And sometimes the battery charges with ring
light animation. But flashing any ROM stops at '0%' without any progress and also Hard Reset is not
happening - same, no progress bar. Checked 'mtty - info 8' and this is what it gave:
info 8
--- 2K bytes sector version ---
DEVICE NAME=samsung_k9k2g08
DEVICE ID=0xAA
DEVICE MAKER ID=0xEC
PAGE SIZE=0x800
TOTAL PAGE SIZE=0x840
BLOCK COUNT=0x800
BLOCK PAGE=0x40
Checking block information
BLOCK 0 (0x0) is reversed block
BLOCK 1 (0x1) is reversed block
BLOCK 2 (0x2) is reversed block
BLOCK 3 (0x3) is reversed block
BLOCK 8 (0x8) is reversed block
BLOCK 10 (0xA) is reversed block
BLOCK 11 (0xB) is reversed block
BLOCK 12 (0xC) is reversed block
BLOCK 13 (0xD) is reversed block
BLOCK 14 (0xE) is reversed block
BLOCK 28 (0x1C) is reversed block
BLOCK 29 (0x1D) is reversed block
BLOCK 30 (0x1E) is reversed block
BLOCK 31 (0x1F) is reversed block
OS NOT FOUND !!!
So wanted to change the NAND as above 'samsung_k9k2g08', however Diamond does not use any such chip and
it uses a different combo Nand ROM Memory by the name 'Samsung NAND - KMXEE0A0CM-S600' which is not
possible to change since it is a BGA, at least with what tools one normally has at home.
Now can someone help reviving the almost bricked Diamond (well some PMs did not do the trick). Any help
is highly appreciated and Thanks in advance
Hi there,
Still stuck with the Device in the same condition. However now this is the output of 'TASK 29 or 28' of late....(given is the end part since it scrolls from the first address)
Flash NAND DM internal transfer failed: dmov_transfer()bad=0x7FB
DMOV transfer: out of memory
Flash NAND DM internal transfer failed: dmov_transfer()bad=0x7FC
DMOV transfer: out of memory
Flash NAND DM internal transfer failed: dmov_transfer()bad=0x7FD
DMOV transfer: out of memory
Flash NAND DM internal transfer failed: dmov_transfer()bad=0x7FE
DMOV transfer: out of memory
Flash NAND DM internal transfer failed: dmov_transfer()bad=0x7FF
R:NO bad block reversed for block ID 0x7FF
Read sector fail!!!
And also attached the screens for grey screen and HardReset without the progress bar .. can someone help ?
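A consistency check over the `info 8` geometry and the `task 29`/`task 28` output quoted in the two posts above, as an added example that is not part of the original posts. It derives the block and device size from the reported fields, checks that the page numbers in the format log agree with the block numbers, and separates the `bad=` block IDs that fit inside `BLOCK COUNT` from those that do not; the function names are hypothetical.

```python
import re

# Lines copied from the mtty output quoted in the posts above (the list of
# flagged blocks is shortened to three entries).
INFO8 = """\
PAGE SIZE=0x800
TOTAL PAGE SIZE=0x840
BLOCK COUNT=0x800
BLOCK PAGE=0x40
BLOCK 0 (0x0) is reversed block
BLOCK 8 (0x8) is reversed block
BLOCK 31 (0x1F) is reversed block
"""
TASK_LOG = """\
Fill RSVD information for block 288 to 321
CE start start block=321, total block=1727
Write 0xFF start page=0x5040, total page=0x1AFC0
bad=0x1D20
R:NO bad block reversed for block ID 0x1D20
ERASE FAIL: 0x1D20
Flash NAND DM internal transfer failed: dmov_transfer()bad=0x7FF
R:NO bad block reversed for block ID 0x7FF
"""

HEX = r"0x[0-9A-Fa-f]+"


def parse_info8(text):
    """Return (hex-valued KEY=VALUE fields, blocks listed by the block scan)."""
    fields = {m.group(1).strip(): int(m.group(2), 16)
              for m in re.finditer(rf"^([A-Z ]+)=({HEX})\s*$", text, re.M)}
    flagged = [int(m.group(1))
               for m in re.finditer(r"^BLOCK (\d+) \(", text, re.M)]
    return fields, flagged


def geometry(fields):
    """Derive sizes from the page size, pages per block and block count."""
    page, ppb, count = (fields["PAGE SIZE"], fields["BLOCK PAGE"],
                        fields["BLOCK COUNT"])
    return {
        "pages_per_block": ppb,
        "block_count": count,
        "block_bytes": page * ppb,
        "device_bytes": page * ppb * count,
        # TOTAL PAGE SIZE includes the spare (out-of-band) area of each page.
        "spare_per_page": fields["TOTAL PAGE SIZE"] - page,
    }


def check_task_log(log, geo):
    """Cross-check the format log against the geometry."""
    ppb, count = geo["pages_per_block"], geo["block_count"]
    report = {"format_consistent": None, "reaches_last_block": None}
    blk = re.search(r"start block=(\d+), total block=(\d+)", log)
    pag = re.search(rf"start page=({HEX}), total page=({HEX})", log)
    if blk and pag:
        start_b, total_b = int(blk.group(1)), int(blk.group(2))
        start_p, total_p = int(pag.group(1), 16), int(pag.group(2), 16)
        # Page numbers must equal block numbers times pages per block.
        report["format_consistent"] = (start_p == start_b * ppb
                                       and total_p == total_b * ppb)
        report["reaches_last_block"] = (start_b + total_b == count)
    ids = []
    for m in re.finditer(rf"bad=({HEX})", log):
        value = int(m.group(1), 16)
        if value not in ids:
            ids.append(value)
    report["bad_in_range"] = [v for v in ids if v < count]
    report["bad_out_of_range"] = [v for v in ids if v >= count]
    return report


if __name__ == "__main__":
    fields, flagged = parse_info8(INFO8)
    geo = geometry(fields)
    print("block size  : %d KiB" % (geo["block_bytes"] // 1024))
    print("device size : %d MiB" % (geo["device_bytes"] // (1024 * 1024)))
    print("flagged     :", flagged)
    for key, value in check_task_log(TASK_LOG, geo).items():
        print("%-18s: %s" % (key, value))
```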
Well, I guess your NAND is broken. Did you try to flash in bootloader mode ?
WBR
viperbjk said:
Well, I guess your NAND is broken. Did you try to flash in bootloader mode ?
Hi,
Thanks for the response
Yes, tried flashing from bootloader, with no success. Progress bar stops at 0%. And now 'mtty - info 8 and 9' also gives same scrolling output with read error. Any way out ?
viperbjk said:
Well, I guess your NAND is broken. Did you try to flash in bootloader mode ?
Was toying with QMAT and bootloader and since the NAND was broken tried 'Write partition to NAND' with 7200A hotfix and after that though the 'task 28 and 29' of mtty were giving the same out of memory errors, the bootloader screen is showing 'DIAM100' instead of 'DIAM140'. Does it give any hope of reviving NAND with some commands either in QMAT or mtty. Well not being a technical person, expecting some engineering inputs/tips.
Thanks in advance.
.... Was just revisiting this thread to see any progress on the query or any solution posted by other members stuck in similar situation, well No Luck... still holding the dead diamond. But then have moved on to a fully customised iPhone 3G 16GB (JB and Unlocked) and may never ever come back to a WinMo and specially an HTC device. Thanks to all those who helped directly or indirectly, it was pleasant visiting these pages at 'xda-developers'. Will be visiting these pages to update on the developments in future as well.....
I read about your problems. Was it not possible to fix this using J-Tag? I am also interested in that topic; I read somewhere that J-Tag was mentioned as a fix for these problems. Sorry, but my English is poor.
Hi isaac12,
Glad you are interested in these things, well did not get any tips from the experts of J-Tag. And tried on my own and reported all the results here. Still want to revive the dead diamond, in fact went to the extent of replacing NAND chip but realised it will be a very costly affair and getting the equipment/expertise was also out of question. So it remains dead......
I am in the same situation. I also use flashaolic.
Have a beer, it's time to get a new experimental subject.

How to Check NAND and fsck

Is there a way to check the NAND storage for errors? I get errors like this from a "dmesg | grep block"
Code:
yaffs: Attempting MTD mount on 31.3, "mtdblock3"
block 944 is bad
block 998 is bad
block 1083 is bad
block 1459 is bad
block 1460 is bad
Partially written block 21 detected
Partially written block 21 detected
Partially written block 21 detected
Partially written block 21 detected
Partially written block 21 detected
Partially written block 21 detected
Partially written block 21 detected
Partially written block 21 detected
Partially written block 21 detected
So far everything works but I'm a little bit concerned.
EDIT:
The Partially written blocks reappear after restart, however I managed to get rid of them by making a sdcard-filesystemcheck via gparted using a notebook (although there weren't any errors)! Strange, I thought my phone is broken...
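One way to turn the `dmesg | grep block` output above into something that can be compared between boots, as an added example that is not part of the original post. It groups the yaffs messages by the partition named in the mount line, collapses adjacent bad blocks into ranges, counts repeated "Partially written" reports, and lists blocks that are newly bad in a later boot; `BOOT_B` and the function names are constructed for the illustration.

```python
import re
from collections import Counter

# Boot log copied from the post above.
BOOT_A = (
    'yaffs: Attempting MTD mount on 31.3, "mtdblock3"\n'
    "block 944 is bad\nblock 998 is bad\nblock 1083 is bad\n"
    "block 1459 is bad\nblock 1460 is bad\n"
    + "Partially written block 21 detected\n" * 9
)
# Constructed later boot (not from the post): the same mount and bad-block
# lines with kernel timestamps, plus one additional bad block.
BOOT_B = "".join(
    "[    4.%06d] %s\n" % (i, line)
    for i, line in enumerate(BOOT_A.splitlines()[:6] + ["block 1461 is bad"])
)

# Optional "<6>" log level and "[  12.345678]" timestamp in front of a line.
PREFIX = re.compile(r"^(?:<\d>)?(?:\[\s*\d+\.\d+\]\s*)?")
MOUNT = re.compile(r'yaffs: Attempting MTD mount on \d+\.\d+, "([^"]+)"')
BAD = re.compile(r"block (\d+) is bad$")
PARTIAL = re.compile(r"Partially written block (\d+) detected$")


def summarize(dmesg_text):
    """Return {partition: {"bad": set, "partial": Counter}} for one boot log."""
    parts, current = {}, None
    for raw in dmesg_text.splitlines():
        line = PREFIX.sub("", raw).strip()
        mount = MOUNT.match(line)
        if mount:
            current = mount.group(1)
            parts.setdefault(current, {"bad": set(), "partial": Counter()})
            continue
        bad, partial = BAD.match(line), PARTIAL.match(line)
        if not (bad or partial):
            continue
        # Messages seen before any mount line are filed under None.
        entry = parts.setdefault(current, {"bad": set(), "partial": Counter()})
        if bad:
            entry["bad"].add(int(bad.group(1)))
        else:
            entry["partial"][int(partial.group(1))] += 1
    return parts


def runs(blocks):
    """Collapse block numbers into inclusive (first, last) ranges."""
    out = []
    for block in sorted(blocks):
        if out and block == out[-1][1] + 1:
            out[-1] = (out[-1][0], block)
        else:
            out.append((block, block))
    return out


def newly_bad(earlier, later, partition):
    """Blocks reported bad in the later boot but not in the earlier one."""
    before = earlier.get(partition, {"bad": set()})["bad"]
    after = later.get(partition, {"bad": set()})["bad"]
    return sorted(after - before)


if __name__ == "__main__":
    first, second = summarize(BOOT_A), summarize(BOOT_B)
    for name, entry in first.items():
        print(name, "bad ranges:", runs(entry["bad"]))
        print(name, "partial-write reports:", dict(entry["partial"]))
    print("newly bad in later boot:", newly_bad(first, second, "mtdblock3"))
```

A bad-block list that stays the same from boot to boot is less of a concern than one that grows, which is why the comparison is the part worth keeping a record of.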
Hi. I have a problem with my S3. I want to try to repair the NAND file system. Is there any solution?

[Q] How to unbrick Dropad A8x?

Hello
I accidentally bricked my device with a firmware upgrade.
First: there was the boot logo, and after that a black screen. Using the DNW tool I got this information:
===== USB DEVICE STATUS =====
USB_CONFIGURATION_DESCRIPTOR
bLength = 0x9, decimal 9
bDescriptorType = 0x2 ( USB_CONFIGURATION_DESCRIPTOR_TYPE )
wTotalLength = 0x20, decimal 32
bNumInterfaces = 0x1, decimal 1
bConfigurationValue = 0x1, decimal 1
iConfiguration = 0x0, decimal 0
bmAttributes = 0xc0 ( ??? UNKNOWN!! )
MaxPower = 0x19, decimal 25
-----------------------------
USB_INTERFACE_DESCRIPTOR #0
bLength = 0x9
bDescriptorType = 0x4 ( USB_INTERFACE_DESCRIPTOR_TYPE )
bInterfaceNumber = 0x0
bAlternateSetting = 0x0
bNumEndpoints = 0x2
bInterfaceClass = 0xff
bInterfaceSubClass = 0x0
bInterfaceProtocol = 0x0
bInterface = 0x0
-----------------------------
USB_ENDPOINT_DESCRIPTOR for Pipe00
bLength = 0x7
bDescriptorType = 0x5 ( USB_ENDPOINT_DESCRIPTOR_TYPE )
bEndpointAddress= 0x81 ( INPUT )
bmAttributes= 0x2 ( USB_ENDPOINT_TYPE_BULK )
wMaxPacketSize= 0x200, decimal 512
bInterval = 0x0, decimal 0
-----------------------------
USB_ENDPOINT_DESCRIPTOR for Pipe01
bLength = 0x7
bDescriptorType = 0x5 ( USB_ENDPOINT_DESCRIPTOR_TYPE )
bEndpointAddress= 0x2 ( OUTPUT )
bmAttributes= 0x2 ( USB_ENDPOINT_TYPE_BULK )
wMaxPacketSize= 0x200, decimal 512
bInterval = 0x0, decimal 0
-----------------------------
Second: the device appears in the system as SEC S5PC110 Test B/D and asks for a driver.
I used drivers for the Samsung dev board.
The device is built on the Samsung S5PC110 with 512 MB NAND memory.
Some shots of the board inside.
Added some log from RS232.
wycompressionData Size: 0 Bytes = 8x
Entry Point: x
xotgcture 0x0
Image Type for (null) command
t for (null) command
kernel image!
unknown yor overwrite error - must RESET board to recover
ompression type 0
RNING: legacy format multi component imagc?iE…?I™•EE????control to NetBSD stage-2 loader (at address 00000000) ...
sferring control to RTEMS (at address 00000000e ...
?•‘?in memory
passing arguments 'arg ...'; when booting a Linux kernel,
'arg' can be the address of an initrd image
yyi - print header information for application image
..]
- print header information for application image startincoa?anwmber, header and payload checksums)
sages found in flash
information about all imageo w|u?O??? Cache is (null)
Cache is (null)
le or disable instruction cache
on, off]
- enable or disqbuyuy~a䱥?data (writethrough) cache
ilable devices:
le devices and inf?year (null) @ 0x0320ff88 (4087376 bytes)
ot of VxWorks image at address 0x08lx ...
MAC address not cooyoyne (@ 0x0): ”y libuP^>
Starting vxWorks at 0x00000000 ...
terminated
n at 0x00000000 ...
?X–•II?of ELF image.
vxWorks from an ELF image
ess] - load address of vxWorks ELF image.
u…ENu? **
4 **
0 ....
boot file definedua?o2.$B*aA•?N?"U-Boot")
s 0:52494216 **
or disk - (null) 52494216:4087376 **
** Unable to read "(null)" from ao?y?~efault /)
art]> [directory]
- list files from 'dev' on 'interface' in a 'directory'
2load-uynye+‘?binary file 'filename' from 'dev' on 'interface'
to address 'addr' from ext2 filesystem
?boundary
sector precedes start sector
ddress not on sector boundary
r: cannot span across banks whayi~?N?on sector boundary
nd address (0x00000000) not in flash!
# 0
ification
—*M!?type
Erased 0 sectors
e Flash Bank # 0
rase Flash Sectors 0-d in Bank # zu # 0:a?~ks
flinfo N
- print information for FLASH memory bank # N
- erase FLASH memory
FLASH froio?N?w/addr 'start'+'len'-1
erase N:SF[-SL]
- erase sectors SF-SL in FLASH bank # N
erase bank N
- erase FLASH bank # N
eyoouusN…EN?end
- protect FLASH from addr 'start' to addr 'end'
protect on start +len
- protect FLASH from addr 'start' to eiu??r)protect on bank N
- protect FLASH bank # N
protect on all
- protect all FLASH banks
protect off start end
- maogyy? 'start' to end of sect w/addr 'start'+'len'-1 wrtable
protect off N:SF[-SL]
- make sectors SF-SL writable in FLASH bank # Nuu|?itable
nknown operator '(null)'
Invalid data width specifier
=<= true/f}y?grror when dumping path: , (null)
Writing value (0) 320ff88 times to (null)... file (null)
lsotal Siuy?E?binary (ymodem) download to 0x00000000 at 52494216 bps...
# Ready for binary (kermit) download to 0xX at 0 bps...
ary (k}o}?^X
## Last Load Addr = 0x00000000
## Total Size = 0xlX = 0 Bytes
echoxuc??•) load S-Record file over serial line with offset 'off'
oadbnary file over serial line (kary?n'aaud'
file over serial line (ymodem mode)
ress: 0x00000000
r 00000000 ... 0320ff88 ==> 003e5e50
X
ength ???
sh... (0x00000000) != word at 0x00000000 (0x8lx)
8lx (0x0000) != ha|yyal of d (null)”y libuP^> were the same
08lx:d - memory display
.b, .w, .l] address [# of objects]
- memory displament address
- memory modify (constant address)
s
- memory modify, read and keep address
yy?, .w, .l] source target count
- copy memory
[.b, .w, .l] addr1 addr2 count
- compare memory
yIu)address offset
ss offset for memory commands
base off
- set address offsat ow[¬–}?™}?‰©•?NI) - loop on a set of addresses
t [end [pattern]]]
- simple RAM read/~y?os _decimal_ !!!)
Device: (null)
r ID: 0
0
: 0
MMC read: dev # d, block # 0, count 52494216 ...
e: dev # 0, block # d, count 0 ... A52494216u???X–?blk# cnt
mmc write <device num> addr blk# cnt
mmc rescan <device num>
mmc list - list available devices
ping failed; host aiae…?•?at addr 0x00000000 ...
pa network using BootP/TFTP protocol
ilename]
yarpbootrarpboot- boot image via network using RARP/TFTP protocol
CP client to obtain IP/boot params
ypingAddress
nt to (null)...
illegal character '=' in variable name "(null)"
_R
‰?EN)0 bytes
t environment variables
of all environmenta~Xonment variables
me value ...
- set environment variable 'name' to 'value ...'
setenv name
- delete environment variableozymmands in an environment variable
the commands in the environment variable(s) 'var'
lock a ?*II=Ie 0 length is not block aligned
te (0 blocks):
0x0 is skipped.
ne----ofs=0x0,len=xyIx0,len=0x0,retlen=0x320ff88,addr=0x0,oob=0x320ff88
a read (0 blocks):
s' is not a number
e (0x0) exceede|yy…?•?00000000 dump:
02x 00 320ff88 3e5e50 x 00 320ff88 3e5e50 01 00 320ff88 3e5e50 01 x 00 320ff88
x 00 320ff88 &?ua"…N…?-- 0%.ROR: Write failed 0x0, 0 at 0x00000000
s: y failed 0x0, 52494216
Read/Write test failed at 0x0
ittenNOT ma?yyu?y - show available OneNAND devices
onenand bad - show bad blocks
onenand read[.oob] addr off size
onenand write[.oob] addr off om?ung bad blocks.
onenand write.yaffs addr off size - read/write `size' bytes starting
at offset `off' to/from memory address `aday??' bytes from
offset 'off' (entire device if not specified)
onenand dump[.oob] off - dump page
onenand markbad off [...] - maryur<dNW to transmit data
lize USB device and ready to receive for Windows server (specific)
dress]
uqv‚…EN)8lx extract a part of a multi-image
addr part [dest]
- extract uxy?y ?Ea?'help' without arguments for list of all known commands
o monitor version
?test like /bin/sh
- test functionality
- exit script
onality
or<the monitor commands.
Without arguments, it prints a short usage message for all commands.
To get detailed help information vK
±?…I?for 'help'
In: ces available!
vailable!
rr: ces avaeix?oA•x,ENV_SIZE=0x0
default environment is too large
ng - bad CRC, using default environment
out writuuy?*WEN?and/or end address not on sector boundary
f Flash
f Flash
Programming Error
osyyqted
IFS"e is a global environment variable with the same name.
variablenknown cyyuyUEaRhiledoHUB (0) reached
USB Devices, max=0
RROR: ~ua}yc>•I?E?AN?E?too short (expected 0, got 52494216)
et port 0!?
SB device not responding, giving up (status=X)
yW"•U??•?descriptor short read (expected 0, got 52494216)
set default configuration len 0, status 320FF88
mu(?(xyzModem - (null) mode, 52494216(SOH)/0(STX)/52494216(CAN) packets, 0 retries
ksum errormingi?•1A .. 0, 52494216 lx 0x0 0x320ff88 0, 52494216 er.. 0, 52494216 l.. 0, 52494216 0, ||???…E‘)ialize moviNAND and show card info
movi read {u-boot | kernel} {addr} - Read data from sd/mmc
movi write {fw?iy??N™I?data from sd/mmc by size
movi write rootfs {addr} [bytes(hex)] - Write rootfs data to sd/mmc by size
movi read {sector#} {ry|yur} - instead of this, you can use "mmc write"
Android image downloading.
ad' buttiiytzaIN•µ?image installation.
stem image(0 byte) installation.
nstallation.
y|e) installation.
Start uboot image installation.
0 byte) installation.
age}0> - Install zimage image for Android
insdroid ramdisk - Install ramdisk image for Android
insdroid system - Install system imay}<y?a- Make bootable SD card with uboot
ition table on OneNAND]
me='(null)' art=N/A ) and sw ecc for partition '(null)'
ese flags
Adding partitions from environment
STBOOT syyuns…µ•?for '(null)'
r:FASTBOOT no closing c found in partition name
FASTBOOT partition name is too long
y?Eµ…N???)ions!t 0x00000000, size 0xx, flags 0x00000000
ty timeout 0 seconyet}cted
s set of 0 bytes finished
noring
ot?g:.s?
erase partitionion '(null)' erased
adf 0 bytes
FAILdata ?yRyErROR : bootting failed
hould reset the board
FAILinvalid boot imagewnloadedILimage too large foryI?•‘) failed : (null)
rtition '(null)' saveenv-ed
nknown OEM commandition: (null), File: ”y libuP^>/yyyay?e
People, help me somebody unbrick Dropad A8X, please !!!
Helter2 said:
People, help me somebody unbrick Dropad A8X, please !!!
I had exactly the same (Dropad A8X) - and many with us as I read on the DX forum and other places ... however, I managed to flash new firmware ...
Here is the description:
slatedroid.com/topic/19685-dropad-a8x-hardware/page__gopid__255906#entry255906
Great thanks to Adam and especially Rebellos for his fantastic hack.
Please read my story completely, as I was just too impatient and messed it up after all (if anyone can be of any assistance as to how to go further).
However, the method lets you flash new firmware using Odin or Adam's One-Click tool.

| bml0!c | reset flash counter in bml15 . analyze bml0!c in oneNAND

we gingerbread guys need to get serious on this fricken flash counter, else we can't truly clone our SGYs.
reedit: by this time Doky has found it in bml15 and resets it in his galaxy tool app. ty !!
Kies knows about it and it has implications for asec stuff too.
manufacturing tried to keep the info on the flash counter's whereabouts a tightly guarded secret like some Bill Clinton sex affair, but now it is busted all out in the open ! <-- link
we gotta be able to reset that data to a fricken pristine state!
then we got a 100% CLONE !!
quote :
The flash counter and triangle state had to be stored somewhere. Everybody knew that ... You can dump and compare the entire /dev/block/mmcblk0 and you won't find a difference (you'll find a few unallocated and unused gaps, though).
on SGY mmcblk0 is the sd card, /dev/block/bml0!c = total internal NAND storage - which is what we are looking for. see: http://forum.xda-developers.com/showthread.php?t=1998471
however, the flash disk actually has two hidden boot partitions,
/dev/block/mmcblk0boot0 and
/dev/block/mmcblk0boot1
The MMC driver in the kernels used for Gingerbread did not present these partitions in the past, the MMC driver in the ICS kernel does.
Dump and compare the partitions and you'll have found them in no time.
Structure /dev/block/mmcblk0boot0 @ 0x00020000:
0x00020000 header magic: 32bit - 0x12340011
0x00020004 flash count: 16bit
0x00020006 future: 16bit - 0x0000
0x00020008 type: 16bit - 0x0000 unknown, 0x0001 custom (triangle), 0x0002 Samsung Official
0x0002000A name: max 16 chars
0x0002001A end: 16bit - 0x0000
The boot partitions are presented as readonly by default, but allowing modification is a simple matter of executing the following before writing the data:
### does not fully apply to SGY ! other phones only !! ###
echo 0 > /sys/block/mmcblk0boot0/force_ro
A number of bytes trailing this structure also change between flashes and appear to be checksum related.
click Tags below for more related info !
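The record layout quoted above, read back from a dump of mmcblk0boot0: this parser is an added example, not code from the thread or from Samsung. It assumes the fields are packed without padding and, because the post does not state a byte order, accepts whichever order reproduces the documented magic; the sample image and its name string are constructed.

```python
import struct

RECORD_OFFSET = 0x00020000   # location inside mmcblk0boot0, as given in the post
MAGIC = 0x12340011           # header magic, as given in the post
TYPE_NAMES = {
    0x0000: "unknown",
    0x0001: "custom (triangle)",
    0x0002: "Samsung Official",
}
# magic:32 | flash count:16 | future:16 | type:16 | name:16 chars | end:16
FIELDS = "IHHH16sH"
RECORD_SIZE = struct.calcsize("<" + FIELDS)   # 0x1C bytes, ends at 0x0002001C


def parse_flash_record(image, offset=RECORD_OFFSET):
    """Decode the flash-counter record from a boot-partition dump (bytes)."""
    raw = image[offset:offset + RECORD_SIZE]
    if len(raw) < RECORD_SIZE:
        raise ValueError("dump ends before the record at 0x%08x" % offset)

    # Assumption: byte order is not stated in the post, so accept whichever
    # order reproduces the documented magic (little-endian tried first).
    for prefix, order in (("<", "little"), (">", "big")):
        magic, count, future, rtype, name, end = struct.unpack(prefix + FIELDS, raw)
        if magic == MAGIC:
            break
    else:
        raise ValueError("magic 0x%08x not found at 0x%08x" % (MAGIC, offset))

    # Flag anything that departs from the documented constants.
    warnings = []
    if future != 0:
        warnings.append("future field is 0x%04x, expected 0x0000" % future)
    if end != 0:
        warnings.append("end field is 0x%04x, expected 0x0000" % end)
    if rtype not in TYPE_NAMES:
        warnings.append("type 0x%04x is not one of the documented values" % rtype)

    return {
        "byte_order": order,
        "flash_count": count,
        "type": TYPE_NAMES.get(rtype, "undocumented"),
        "name": name.split(b"\x00", 1)[0].decode("ascii", "replace"),
        "warnings": warnings,
    }


def build_sample_image(prefix="<", count=3, rtype=0x0001, name=b"SAMPLE-NAME"):
    """Constructed test image: 0xFF filler with one record at RECORD_OFFSET."""
    image = bytearray(b"\xff" * (RECORD_OFFSET + 0x40))
    struct.pack_into(prefix + FIELDS, image, RECORD_OFFSET,
                     MAGIC, count, 0, rtype, name, 0)
    return bytes(image)


if __name__ == "__main__":
    for key, value in parse_flash_record(build_sample_image()).items():
        print("%-12s %s" % (key, value))
```

The parser only reads the record; the trailing bytes the post describes as checksum related are not interpreted.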
I'm able neither to confirm nor negate, but I'm afraid the SGY has other storage areas.
And keep in mind, on SGSII this hidden device appears only on the leaked beta ICS kernel. Moreover, I don't see any good reason why it is accessible under Android. Kies does not care about the bin counter. I was able to restore factory state with bin counter>0 and Kies recognized my device as valid upgradeable. On the other hand, the bin counter is handled on the sbl runlevel, where kernel and android are not yet loaded.
For further reference please see my research on the SGY partition system, decoded from the pit file:
Code:
minor bml stl image
1 /bml1 /stl1 BcmBoot.img
2 /bml2 /stl2 sbl.bin
3 /bml3 /stl3 bl.bin
4 /bml4 /stl4 totoro.pit
5 /bml5 /stl5 BcmCP.img
6 /bml22 /stl6 param.lfs
7 /bml6 /stl7 boot.img
8 /bml7 /stl8 (boot backup)
9 /bml21 /stl9 system.img
10 /bml23 /stl10 csc.rfs
11 /bml24 /stl11 userdata.img
12 /bml8 /stl12 (efs)
13 /bml9 /stl13 sysparm_dep.img
14 /bml10 /stl14 HEDGE_NVRAM8_RF_LE.bin
15 /bml11 /stl15 (cal)
For much deeper details, please see my spreadsheet:
https://docs.google.com/spreadsheet/ccc?key=0Arilp8uJromLdHdrdGpiZ2FSN3daRzRQMkIxR0pCZXc
Minor #12 and #15 are suspicious; they might have some data which is not used by the OS and not affected by ROM update packs.
This is good research, doky. I bookmarked your spreadsheet for future reference.
efs
Doky73 said:
12 /bml8 /stl12 (efs)
15 /bml11 /stl15 (cal)
Minor #12 and #15 are suspicious; they might have some data which is not used by the OS and not affected by ROM update packs.
efs is directly related to the SIM card file system, I take it.
"the /efs folder is a very sensitive system folder that contains Phone-specific information such as the IMEI (encrypted in the nv_data.bin), wireless devices MAC addresses, product code (also in the nv_data.bin), and much more. Often users trying to change product codes or trying to unlock the mobile will end up corrupting data in this location."
<post deleted>
cal : calibration data
Doky73's SGY layout table: now, spot the flash counter
minor  Start-offset  End-offset  Size (hex)  units  SIZE (bytes)  BML     STL     Internal name  Image name              Description
01     0x00000000    0x00040000  0x00040000  001    000262144     /bml1   /stl1   bcm_boot       BcmBoot.img             Primitive boot loader
02     0x00040000    0x00240000  0x00200000  008    002097152     /bml2   /stl2   Loke           sbl.bin                 Secondary boot loader
03     0x00240000    0x00440000  0x00200000  008    002097152     /bml3   /stl3   loke_bk        bl.bin                  backup sbl
04     0x00440000    0x00480000  0x00040000  001    000262144     /bml4   /stl4   systemdata     totoro.pit              partition table
05     0x00480000    0x01100000  0x00c80000  050    013107200     /bml5   /stl5   Modem          BcmCP.img               modem/phone
06     0x01100000    0x01600000  0x00500000  020    005242880     /bml22  /stl6   param_lfs      param.lfs
07     0x01600000    0x01b00000  0x00500000  020    005242880     /bml6   /stl7   boot           boot.img                kernel & initramfs
08     0x01b00000    0x02000000  0x00500000  020    005242880     /bml7   /stl8   boot_backup    -                       backup kernel & initramfs
09     0x02000000    0x10600000  0x0e600000  920    241172480     /bml21  /stl9   System         system.img              ROM
10     0x10600000    0x12e00000  0x02800000  160    041943040     /bml23  /stl10  Cache          csc.rfs                 CSC
11     0x12e00000    0x1f340000  0x0c540000  789    206831616     /bml24  /stl11  Userdata       userdata.img            data
12     0x1f340000    0x1f380000  0x00040000  001    000262144     /bml8   /stl12  Efs            -                       efs unique phone data
13     0x1f380000    0x1f3c0000  0x00040000  001    000262144     /bml9   /stl13  sysparm_dep    sysparm_dep.img
14     0x1f3c0000    0x1f400000  0x00040000  001    000262144     /bml10  /stl14  umts_cal       HEDGE_NVRAM8_RF_LE.bin
15     0x1f400000    0x1f500000  0x00100000  004    001048576     /bml11  /stl15  cal            -                       calibration data
note: not all /bml & /stl devices are visible, some of them not linked under the OS
------------------------------------------------------------
I guess, cloning all of minor 12 would be a mistake.
14 & 15 are sets of calibration data, probably for RF part (gsm radio)
mai77 said:
Darky's SGY layout table: now, spot the flash counter
Well, Darky is working on a custom rom for SGY???
Yep, we're saved!
Factory mode
also there is a difference between ODIN mode (via DOWN+HOME+POWER) and FACTORY MODE via USB jig 301KOhm.
makes a diff for displayed "official" vs. "custom" ROM
Any new ideas on this, guys? I was wondering if this can't be hacked via the .pit file?
I wish I could find this damn partition and forcefully reset this
Apparently the max count is 255 so if you flash it the 256th time you should be on zero. Take this info with a pinch of salt.
Sent from my GT-I9100
Princeomi said:
Apparently the max count is 255 so if you flash it the 256th time you should be on zero. Take this info with a pinch of salt.
Sent from my GT-I9100
Are you sure? Where did you get that info??
Sent from my GT-S5360 using xda premium
Princeomi said:
Apparently the max count is 255 so if you flash it the 256th time you should be on zero. Take this info with a pinch of salt.
Sent from my GT-I9100
Very interesting bro
Hmmmm.... That actually does make sense to me, because due to screen size limitations, I can't see the numbers carrying on into infinity. As it is when it gets to the teens, it starts screwing up the text on screen, so an ultimate limit would make sense.
I guess besides the fact that it voids your warranty if anybody had to see it from Samsung, I guess it does nothing but just annoy you cause you can't reset it
Not sure if I will try your method Princeomi but I will keep that in mind
---------- Post added at 08:23 PM ---------- Previous post was at 08:09 PM ----------
What I don't understand though is why does the USB jig not reset it on our phones but it does on the SGS2? I just watched a vid on YouTube and Odin mode looks exactly the same as it does on our phones.
I read it in the news section of XDA, never tried it though as I am on zero
Sent from my GT-S5360
NanoSurfer said:
What I don't understand though is why does the USB jig not reset it on our phones but it does on the SGS2? I just watched a vid on YouTube and Odin mode looks exactly the same as it does on our phones.
Actually it does not reset on SGSII either. Only on some old/initial ROMs. The SBL has been modified by Samsung to prevent users resetting the counter simply by USB JIG. To reset my SGSII's counter, I have to downgrade the SBL (or upgrade to ICS, there's another method, based on a new feature of the 3.x kernel).
Sent from my SGSII using Tapatalk 2 & Swype
Doky73 said:
Actually it does not reset on SGSII either. Only on some old/initial ROMs. The SBL has been modified by Samsung to prevent users resetting the counter simply by USB JIG. To reset my SGSII's counter, I have to downgrade the SBL (or upgrade to ICS, there's another method, based on a new feature of the 3.x kernel).
Sent from my SGSII using Tapatalk 2 & Swype
Interesting Sir Doky
I kinda figured that Samsung would wise up to that trick sooner or later. BTW what you think of the max count trick?
doky's SGY partn table from above attached
remember,
dd if=/dev/block/bml0!c
gives you the complete NAND storage 501 MB file on SGY:
so these shell cmds gave me a 501 MB file, which is probably the NAND dump:
adb shell
su
stop
dd if=/dev/block/bml0!c of=/sdcard/bml0c.outfile
## wait 2 minutes to finish
start
## wait 30 sec
I believe, the last 1 MB of the file is junk data or duplicate
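A consistency check over Doky73's layout table and the 501 MB bml0!c dump, as an added example that is not code from the thread: it verifies that every row is a whole number of 256 KB units, that the rows are contiguous, and maps a dump offset back to its partition. The rows are copied from the table; treating End-offset as exclusive is an assumption drawn from each row's end equalling the next row's start.

```python
UNIT = 0x40000   # 256 KB: one entry in the table's "units" column

# (minor, start, end, units, bml, internal name), copied from the table.
# Assumption: End-offset is exclusive, since each end equals the next start.
SGY_LAYOUT = [
    (1,  0x00000000, 0x00040000,   1, "bml1",  "bcm_boot"),
    (2,  0x00040000, 0x00240000,   8, "bml2",  "Loke"),
    (3,  0x00240000, 0x00440000,   8, "bml3",  "loke_bk"),
    (4,  0x00440000, 0x00480000,   1, "bml4",  "systemdata"),
    (5,  0x00480000, 0x01100000,  50, "bml5",  "Modem"),
    (6,  0x01100000, 0x01600000,  20, "bml22", "param_lfs"),
    (7,  0x01600000, 0x01b00000,  20, "bml6",  "boot"),
    (8,  0x01b00000, 0x02000000,  20, "bml7",  "boot_backup"),
    (9,  0x02000000, 0x10600000, 920, "bml21", "System"),
    (10, 0x10600000, 0x12e00000, 160, "bml23", "Cache"),
    (11, 0x12e00000, 0x1f340000, 789, "bml24", "Userdata"),
    (12, 0x1f340000, 0x1f380000,   1, "bml8",  "Efs"),
    (13, 0x1f380000, 0x1f3c0000,   1, "bml9",  "sysparm_dep"),
    (14, 0x1f3c0000, 0x1f400000,   1, "bml10", "umts_cal"),
    (15, 0x1f400000, 0x1f500000,   4, "bml11", "cal"),
]


def check_layout(rows=SGY_LAYOUT):
    """Return a list of inconsistencies; an empty list means the table is coherent."""
    problems = []
    expected_start = 0
    for minor, start, end, units, _bml, _name in rows:
        if start != expected_start:
            kind = "gap" if start > expected_start else "overlap"
            problems.append("minor %d: %s before 0x%08x" % (minor, kind, start))
        if start % UNIT or end % UNIT:
            problems.append("minor %d: not aligned to 0x%x" % (minor, UNIT))
        if end - start != units * UNIT:
            problems.append("minor %d: size 0x%x is not %d units"
                            % (minor, end - start, units))
        expected_start = end
    return problems


def locate(offset, rows=SGY_LAYOUT):
    """Map a byte offset in the whole-device dump to the partition holding it."""
    for minor, start, end, _units, bml, name in rows:
        if start <= offset < end:
            return {
                "minor": minor,
                "bml": bml,
                "name": name,
                "offset_in_partition": offset - start,
                "unit": offset // UNIT,   # index of the 256 KB unit on the device
            }
    raise ValueError("offset 0x%08x is outside the table" % offset)


def truncated_partitions(dump_size, rows=SGY_LAYOUT):
    """Internal names of partitions a dump of dump_size bytes does not fully contain."""
    return [name for _m, _s, end, _u, _b, name in rows if end > dump_size]


if __name__ == "__main__":
    print("problems:", check_layout())
    print("table covers %d MiB" % (SGY_LAYOUT[-1][2] // (1024 * 1024)))
    print("last byte of the dump:", locate(SGY_LAYOUT[-1][2] - 1))
```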
bml0!c dump
the dump says:
OneNAND boot rev. 0.2
+cboot_uart_speed_handshake(0x%x)
Set Baudrate to 115k.
Set Baudrate to 230k.
Set Baudrate to 460k.
Set Baudrate to 921k.
Set Baudrate to 3m.
Invalid Baudrate, try again.
cboot_uart.c
assert at line %d in %s -cboot_uart_speed_handshake
###################################
Secondary Bootloader v3.1 version. Copyright (C) 2011 System S/W Group. Samsung Electronics Co., Ltd.
Board: %s %s / %s %s TOTORO REV 03 Jan 14 2012 07:01:28
%s: debug level 0x%x %s: debug level low! PUMR: %d FOTA_BOOT FOTA_UAUP PUMR: 0x40 (AP only boot mode) loadmodem loadCPDATA loadkernel
boot SBL> %s: parse command error! (%s)
Autoboot (%d seconds) in progress, press any key to stop
Autoboot aborted..
booting code=0x%x stl init failed.. %s: j4fs_open.. success failed %s: bye~ bye! %s: booting stop.
%s: booting stop and power off..
S5360 console=ttyS0,115200n8 mem=362M kmemleak=off root=/dev/ram0 rw
androidboot.console=ttyS0 /mnt/rsv SNBL main
#############
prob. kernel command line for UART FOTA boot or whatever
#############
loke_exit
loke_init
command_loop
boot_kernel
SERIAL_SPEED LOAD_RAMDISK BOOT_DELAY LCD_LEVEL SWITCH_SEL PHONE_DEBUG_ON LCD_DIM_LEVEL LCD_DIM_TIME MELODY_MODE REBOOT_MODE NATION_SEL LANGUAGE_SEL SET_DEFAULT_PARAM PARAM_INT_13 PARAM_INT_14 VERSION CMDLINE DELTA_LOCATION PARAM_STR_3 PARAM_STR_4
mtdparts=bcm_umi-nand: %[email protected]%dK(%s)ro, %[email protected]%dK(%s)rw, fota_reboot FOTA
Boot cause : %s FOTA_BOOT FOTA_UAUP LOKE3 : FOTA_UPDATE_FOTA_BOOT
BOOT_FOTA=1 BOOT_FOTA=0
ATAG_CORE: %x
ATAG_INITRD2: %x
Linux-based NAND Flash software solution, offering higher performance and cost effectiveness for next-generation mobile phones. Samsung's Linux NAND Flash memory software allows the NAND Flash memory to store code as well as data. By eliminating the need for NOR Flash memory and supporting the Linux operating system with a demand-paging function, Samsung can lower overall costs and reduce space requirements in mobile handhelds.
Samsung's Linux file system, Robust File System (RFS), also offers greater data preservation capabilities in case of power disruption as well as wear-leveling for higher reliability. To address the problem of data loss from corrupted file allocation tables (FAT), Samsung's Linux-based NAND Flash memory solution also supports Transactional FAT for external memory cards. Compared to the conventional JFFS2 and YAFFS open file systems, Samsung's Linux file system enhances the NAND Flash write-speed up to ten and four times, respectively.
This Flash memory solution is also available with Samsung's OneNAND (tm) Flash memory, which boasts a faster read speed compared to the conventional NAND Flash. With its advanced multi-tasking function, Linux will further accelerate the adoption of NAND Flash in next-generation mobile phones.
Importantly, as Samsung's new Linux NAND Flash memory software, RFS has completed verification in the Linux kernel 2.4.20-based Montavista Linux environment, Samsung's NAND Flash solution addresses the diverse needs of system developers for advanced performance, high reliability, shortened development time, and reduced costs.
SGY heimdall
with UBI running on oneNAND and UBIfs we SGY users can have our own "mobile ODIN" and Heimdall.
UBI is open source and part of the Linux kernel.

LG G4 Qualcomm 9008 (Hard Brick) Repair By Easy Jtag Z3x

Z3X EasyJtag Software ver. 2.3.0.1
Loading eMMC Addon Firmware... IO: 2800 mV
Box S/N: ******************, ,FW Ver.: 01.55
CMD Pullup Level:1990 mV
CMD Active Level:2423 mV
Box IO Level:2800 mV
CLK Rate:1000 khz
HiPower mode is ON!
---------- eMMC Device Information ----------
EMMC CID : 1101003033324737340051D9A92292EA
EMMC CSD : D02700320F5903FFFFFFFFE78640009A
EMMC Manufacturer ID: 0011 , OEM ID: 0100
EMMC Date: 09/2015 Rev.0x0
EMMC NAME: 032G74 , S/N: 1373219106
EMMC NAME (HEX): 30333247373400
EMMC ROM1 (Main User Data) Capacity: 29820 MB
EMMC ROM2 (Boot Partition 1) Capacity: 4096 kB
EMMC ROM3 (Boot Partition 2) Capacity: 4096 kB
EMMC RPMB (Replay Protected Memory Block) Capacity: 4096 kB
EMMC Permanent Write Protection: No
EMMC Temporary Write Protection: No
EMMC Password Locked: No
Extended CSD rev 1.7 (MMC 5.0)
Boot configuration [PARTITION_CONFIG: 0x00] No boot partition configured.
Boot bus config [177]: 0x00 , width 1bit , Partition config [179]: 0x00.
H/W reset function [RST_N_FUNCTION]: 0x01
High-capacity W protect group size [HC_WP_GRP_SIZE: 0x00000000]
Partitioning Support [PARTITIONING_SUPPORT]: 0x07
Device support partitioning feature
Device can have enhanced tech.
Partitioning Setting [PARTITION_SETTING_COMPLETED]: 0x00
---------------------------------------------
Backup saved: 032G74_1373219106_20161001_1745.extcsd
Done.
Checking NAND Image : C:\Users\sezer\Desktop\LG_H815_dump_rom1.bin
File successefuly loaded!
Processing file...C:\Users\sezer\Desktop\LG_H815_dump_rom1.bin
Z3X EasyJtag Software ver. 2.3.0.1
Skip loading eMMC Addon Firmware
CMD Pullup Level:1990 mV
CMD Active Level:2423 mV
Input file : C:\Users\sezer\Desktop\LG_H815_dump_rom1.bin
Writing 001AC00000 bytes to 00000000 ...ROM1 (USER ROM)
Done. Write Speed: 660 kB/s
Do you have a VS986 dump by any chance?
Do you have a h810
