1. quackquack147's Avatar
    Hello readers,
    greetings,
    can someone tell me how to brick your device w/o passing voltage like 5v or 12v and frying the efuse and thus permanently locking myself with the bootloader/bootrom from RIM/Blackberry.
    Why am i asking?
    I need to jtag my device. i think i know the pins. And i need to know how i can take the playbook to those secret flashing light codes: 5 red blinks, 3 red blinks, 7 red blinks, 1 yellow blink, 1 white blink.
    i mean all the permutations and combinations of bricking it?
    because if i need to jtag the device i need to first have it in trace mode, where i need to have it in soft-bricked mode. and when i am fixing the device using the desktop tool it will record all the data via jtag.
    i hope you got the idea? Right.
    i know this is the craziest thread. But when chaosdivine's boards and/or chespo's board come to me, i need to do this first: soft brick it, attach jtag pins, read/trace the firmware restoration process, and also if possible pull the key while it's still loading the firmware using the desktop tool. :-D
    many many thanks in advance. and i am sure there will be some real good suggestions on how to soft brick using some XYZ methods.
    :-D
    thanks!
    -paul
    07-14-13 07:33 PM
  2. SCrid2000's Avatar
    Pull the usb cable while you're writing an OS with an autoloader?
    jarviser likes this.
    07-14-13 09:05 PM
  3. FF22's Avatar
    What happens if you start a Security Wipe and then POWER down the pb?

    How about starting the Debrick process and doing the same or turning off wifi router?
    xsacha likes this.
    07-14-13 09:06 PM
  4. quackquack147's Avatar
    i should have a soft brick. and then i should be able to plug in the usb cable and then restore, and while this happens jtag sniffs all the sh!ts out, including the public and private keys, which we will never get! ;-)
    i hope you got the idea!
    so it needs to be a soft brick. are you two sure this will leave me with a soft brick?
    thanks!
    -paul
    07-14-13 09:32 PM
  5. quackquack147's Avatar
    looks like i b!tchslapped myself by passing the 5V. if i had known it's the efuse trip-point voltage i wouldn't have done it. now the device stays with the RIM bootrom and bootloader forever. i just checked the documents for HS for arm generic and it said 5v will trip the efuse switch. :facepalm:
    so this means i can never jtag-write the bootrom, but i can trace, which is not sufficient. there is a key exchange every time. :-D i need that info. ;-)
    and i am not wasting my other device. i wonder when chaosdivine's boards will arrive and also when chesmo's device will arrive.
    thanks!
    -paul
    07-14-13 09:38 PM
  6. 9Jer99's Avatar
    On the humorous side: 'You already had a brick, compliments of Thorny'.
    07-15-13 06:32 AM
  7. kbz1960's Avatar
    Is what you want to get past on a chip? Can't you just remove the chip and replace it with one that isn't coded with the crap you're trying to get around?

    Might be a dumb question as I don't have a clue about all that stuff.
    07-15-13 06:39 AM
  8. xsacha's Avatar
    Pull the usb cable while you're writing an OS with an autoloader?
    Nope. The device operates without a bootloader or OS.

    What happens if you start a Security Wipe and then POWER down the pb?
    This is the most likely to kill the device. Security wipe operates on NVRAM in user-space.
    Any modifications to NVRAM work like this:
    1. Read NVRAM key
    2. Modify NVRAM where you want (eg. boot count)
    3. Re-sign NVRAM using NVRAM key.

    It does several of these to change various values in the NVRAM including password and BBID.

    If you kill the power between #2 and #3, you will have an NVRAM with an invalid sign. Technically that should cause the device to fail.
    07-15-13 06:40 AM
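The read / modify / re-sign sequence above, as an added model that is not code from this thread, from RIM or from any PlayBook tool: it shows why cutting power between step 2 and step 3 leaves an image that no longer verifies, and the two-slot commit that a design can use to avoid that failure. The HMAC-SHA256 tag, the flat layout and the boot count living in payload byte 0 are assumptions.

```python
import hashlib
import hmac

# Constructed model (an assumption, not the real PlayBook format): NVRAM is a
# flat payload followed by a 32-byte HMAC-SHA256 tag under the NVRAM key,
# and the boot count lives in payload byte 0.
TAG_LEN = 32

def sign_nvram(key: bytes, payload: bytes) -> bytes:
    """Step 3 of the sequence: re-sign the payload; returns payload || tag."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()

def verify_nvram(key: bytes, blob: bytes) -> bool:
    """What the boot path checks before trusting NVRAM contents."""
    payload, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)

def bump_boot_count(payload: bytes) -> bytes:
    """Step 2: the example edit from the post (boot count, assumed in byte 0)."""
    return bytes([(payload[0] + 1) & 0xFF]) + payload[1:]

def update_in_place(key: bytes, blob: bytes, power_cut_before_resign: bool) -> bytes:
    """Single-copy update. Losing power between the modify and the re-sign
    leaves a changed payload still carrying the old tag: the soft-brick state."""
    payload = bump_boot_count(blob[:-TAG_LEN])
    partial = payload + blob[-TAG_LEN:]  # modified, not yet re-signed
    if power_cut_before_resign:
        return partial
    return sign_nvram(key, payload)

def update_two_slot(key: bytes, slots: list, active: int, power_cut_before_commit: bool):
    """Mitigation: write a complete signed image to the spare slot, then flip
    the active index last. An interruption leaves the old, still-valid slot active."""
    spare = 1 - active
    new_slots = list(slots)
    new_slots[spare] = sign_nvram(key, bump_boot_count(slots[active][:-TAG_LEN]))
    if power_cut_before_commit:
        return new_slots, active
    return new_slots, spare

if __name__ == "__main__":
    key = b"constructed-nvram-key"
    nvram = sign_nvram(key, bytes([3]) + b"\x00" * 15)  # constructed sample image
    print("interrupted in-place update verifies:",
          verify_nvram(key, update_in_place(key, nvram, True)))  # False
    slots, active = update_two_slot(key, [nvram, b""], 0, True)
    print("interrupted two-slot update verifies:", verify_nvram(key, slots[active]))  # True
```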
  9. quackquack147's Avatar
    Is what you want to get past on a chip? Can't you just remove the chip and replace it with one that isn't coded with the crap you're trying to get around?

    Might be a dumb question as I don't have a clue about all that stuff.
    yes and no. they work in pairs: emmc and cpu. if you replace the cpu then you need to replace the emmc also. then it will work and it will again ask for the unsigned bootloader. ;-)
    hope it answers.
    no, it's not dumb but interesting. but if we wipe the emmc clean? it will just show the cpu as omap4430 and not omap4430 HS ES2.1 ;-) which is a great thing. but before that we need to jtag and wipe the SRAM contents clean, and then the process is complete. flawless. :-D
    hope this helps!
    thanks!
    -paul
    kbz1960 likes this.
    07-15-13 06:48 AM
  10. quackquack147's Avatar
    On the humorous side 'You already had a brick complements of Thorny'.
    not exactly. there is an on/off switch right next to the video connector. unless i put a switch there and then reset, i can still revive it.
    so thorny time you go corny!
    ;-)
    thanks!
    -paul
    07-15-13 06:50 AM
  11. quackquack147's Avatar
    Nope. The device operates without a bootloader or OS.


    This is the most likely to kill the device. Security wipe operates on NVRAM in user-space.
    Any modifications to NVRAM work like this:
    1. Read NVRAM key
    2. Modify NVRAM where you want (eg. boot count)
    3. Re-sign NVRAM using NVRAM key.

    It does several of these to change various values in the NVRAM including password and BBID.

    If you kill the power between #2 and #3, you will have an NVRAM with an invalid sign. Technically that should cause the device to fail.
    there are 8 compartments, and it's in the 7th one, which is writeable, and it's in the emmc. if we wipe the emmc clean then use u-boot and power pack it with xloader padding with fake hash keys (for which we need the jtag anyway), then it will be fooled. :-D and it won't trip the efuse switch and you are sort of safe.
    ;-)
    i said this 1000s of times before, and also highlighted them.
    thanks!
    -paul
    07-15-13 06:52 AM
  12. Dr_Acula's Avatar
    there are 8 compartments, and it's in the 7th one, which is writeable, and it's in the emmc. if we wipe the emmc clean then use u-boot and power pack it with xloader padding with fake hash keys (for which we need the jtag anyway), then it will be fooled. :-D and it won't trip the efuse switch and you are sort of safe.
    ;-)
    i said this 1000s of times before, and also highlighted them.
    thanks!
    -paul
    So what happens to the boot ROM then?
    Wiped? Still there I think.
    How would emmc wipe switch his to go?
    Sent from my bullet proof revolver™
    07-15-13 06:55 AM
  13. quackquack147's Avatar
    So what happens to the boot ROM then?
    Wiped? Still there I think.
    How would emmc wipe switch his to go?
    Sent from my bullet proof revolver™
    gave my cpu a 5v deep-sleep temporary shock sleep. when i turn the on/off switch, it comes back to life. :-D
    as of now let it sleep. and my friend's cousin is getting married, so i can't do any jtag work. helpless.
    thanks!
    -paul
    07-15-13 06:58 AM
  14. Dr_Acula's Avatar
    gave my cpu a 5v deep-sleep temporary shock sleep. when i turn the on/off switch, it comes back to life. :-D
    as of now let it sleep. and my friend's cousin is getting married, so i can't do any jtag work. helpless.
    thanks!
    -paul
    Oh interesting.
    What was I asking??
    Oh never mind. Congratulations for your cousin's marriage.
    And may ur pb S.I.P (sleep in peace)

    Sent from my bullet proof revolver™
    07-15-13 07:01 AM
  15. quackquack147's Avatar
    there is a tiny switch right next to the vga connector, and it's connected with a 0 ohm resistor, which means resistance and it creates a bridge: the debug bridge. if it's enabled? i think we can serial-port connect to the device.
    don't ask how. we checked the voltage, it's leading to 3.3v.
    and me and my friend said bingo! bull's eye. it's either debug port on/off or serial on/off, mostly debug, because it's placed very strategically, and to jtag the device you need to have 2 devices ready and placed extremely close to each other, one being a crt or lcd screen and the second a mouse, which is the touch screen. ;-)
    the arm document says it all.
    that's the pin which RIM/Blackberry disabled, and also in a few boards they removed the 0 ohm resistor.
    hehehehe! clever clever very very very clever. but we got eyes to inspect too. ;-)
    so that's how i can confirm it's the debug switch and i need to turn it on to allow the jtag process to wipe the SRAM clean. the rooting post has the details, and i must have included all the details. if not, ask me there.
    thanks!
    -paul
    07-15-13 07:05 AM
  16. quackquack147's Avatar
    friend's cousin?
    hehehe. i will never poke into internal family affairs. ;-)
    you know it's kinda kinky.....! and all greasy stuff gets into your hand.
    thanks!
    -paul
    07-15-13 07:07 AM
  17. 9Jer99's Avatar
    not exactly. there is an on/off switch right next to the video connector. unless i put a switch there and then reset, i can still revive it.
    so thorny time you go corny!
    ;-)
    thanks!
    -paul
    Yes exactly. You, I, we all have a brick thanks to Thorny. Period.
    07-15-13 03:04 PM
  18. quackquack147's Avatar
    Yes exactly. You, I, we all have a brick thanks to Thorny. Period.
    you are right. a red rose on top of the blackberry OS tomb.
    RIP! Blackberry OS! RIP!
    thanks!
    -paul
    07-16-13 05:24 PM
