Debrick 3G USB Stick Modem ZTE MF100, MF180, MF190, MF626, MF627, MF636 and others.

This is JTAG to debrick any JTAG device. Modem, cable boxes, dish boxes routers.
sebholz
Junior Member
Posts: 13
Joined: Mon Aug 18, 2014 8:12 am

Post by sebholz »

Hi there, I'm a newbie here, but not that new to using the JTAG NT.
I have done a lot of testing on my Motorola SBG900i modem, also manipulating the certificates to make it go online, but that isn't the point of this post right now (I've got tired of doing things to that modem).

Well, the reason for this post now is that I want to get my old 3G USB stick modem back alive, due to a bad firmware update :oops:

So I was checking over the internet how to do that, because the modem is totally dead; it doesn't do a thing when I plug it in. I found the guide where you can debrick the modem using a JTAG Wiggler cable (parallel port one), but because I use a laptop that isn't an option, so I thought of giving it a try with the USB JTAG NT.

First of all I have to give credit to the people at the gsmhosting forum for the original guide at http://forum.gsmhosting.com/vbb/f695/build-your-own-jtag-restore-modem-using-jtag-1644230/

So I will copy the guide below.
-----

Build your own JTag & Restore modem using JTag


If the lights went out or the computer restarted during a modem firmware update, or for some other reason the modem shows no signs of life, you can try a recovery with JTAG.

It will be explained how to build the JTAG and how to use it. The material is taken from another site but at the end of this article because one reference is not enough.

The method was tested on modems ZTE MF100, MF180, MF190, MF626, MF627, MF636, MF637 and Huawei E171, E1550.

Computer requirements: a Pentium 4 processor is needed (a Pentium 3 will do),
a special LPT connector (preferably built into the motherboard) and,
most importantly, the presence of Windows XP (Vista and Windows 7 are not allowed!)

You just have to go to the BIOS, find the tab called Advanced, find Onboard Devices Configuration, find Parallel Port Mode and make sure that you select EPP. Then you need to disable the screensaver, switch power management to Home \ Desktop, and disable all USB devices except the mouse and keyboard.

Consider this JTAG circuit as the most simple and reliable (if the wires are no longer than 10 - 15 cm). For its assembly you will need the connector from an old printer cable, a short USB adapter (male - female), six 40 Ohm resistors and seven thin wires.

Image

To restore the modem you need:

1. H-JTAG - needed to check the Wiggler cable.

2. Z_Flasher Reanimator - a program to recover your modem.

3. FullFlash - recovery files for your modem (will be posted at the end) in the game will be completely full and we require cutting.

4. Binary Cutter - a program for self-cutting full.

5. WinHex - to show the correct file.

6. Giveio.exe - driver for the LPT port of your computer.

Download all the files you want (H-JTAG, Z_Flasher Reanimator v03.112a, Binary Cutter, Giveio.exe). New versions of Z_Flasher Reanimator are in the footer.

First you need to install a driver for LPT. To do this, run the downloaded file giveio.exe, which self-extracts to drive C.

Image

Here we select one and press Enter

Image

If you see this picture, it means the driver is installed.

Restore modem example: Huawei E171.

To begin, start by reading the files from the modem (it is preferable to take a DUMP, even if the modem is dead).
The very first thing you need to do is start the H-JTAG server. (For how to set up the H-JTAG server, look at the bottom link on page 2.)

Image

If you see a CPU ID, then everything is OK and you can continue.

A peculiarity of the Z_Flasher Reanimator program

Unfortunately there is no redrawing of the log window when it is overlapped or minimized. It is strongly recommended not to open any other applications or maximize windows; let the program work in peace! In other words, if you cover the flasher window with another window, almost all of the numbers and letters will disappear!
Copy the Z_Flasher Reanimator folder to the desktop, open it and double-click to run the flasher.

Image

Here, click the button = Connect =

Image

The flasher shows the CPU ID and NAND ID (your NAND will naturally vary).
So far the following identifiers have been seen: NAND ID: AD36, EC36, AD76, EC76, ADA1, ECA1, 98A1
If yours is detected as something else, it does not mean that the flasher will not work with your modem - we just have not come across all sticks.

Now you need to select the brand of your modem

Image

With the = Change = button select your model and click = DUMP =

Image

Notice the green line at the bottom (if you see the same thing, it means that everything is going well)

If in the green line you see something else, such as 0x0 - 0x0 - 0x0, you need to stop and start the flasher from the beginning. Stop the flasher only through Task Manager.
If all goes well, you just sit and wait for the reading to finish .....

Image

When the files have been read, you will see that the = DUMP = and = Flash = buttons become active again.
Six files have appeared in the flasher folder (the one you copied to your desktop).
This completes the reading.

Modem recovery is done in reverse order.
Writing differs little from reading; it only takes a little more time.
Copy into the flasher folder the six files from the folder (cut) that you downloaded along with the Full Flash for your modem model.

Run Z_Flasher_Reanimator, click the = Connect = button, check that the CPU ID and NAND ID are detected properly, select the modem brand and click = FLASH =
Now we only have to wait for the write to finish.
QUESTIONS PINOUT: Pinout modems (datasheet)

1. RTCK - in this flasher is used.
2. SRST = NRST - this means that the signal is the same - just called differently.

Which of your shared modems - will understand when your will open.

Now it comes the JTAG part though

Post by sebholz »

So I was thinking, with the Z_Flasher software we can get the memory mapping for these devices. I'm also trying this procedure with the ZTE MF100 3G USB stick modem, which uses an ARM9 processor, also known from the datasheet, so it would be supported by the USB JTAG NT cable.

So the memory mapping for this device would be:
MIBIB.BIN: 0x0 - 0x28000
SIM_SECURE.BIN: 0x28000 - 0x18000
QCSBL.BIN: 0x40000 - 0x14000
OEMSBL1.BIN: 0x54000 - 0x48000
OEMSBL2.BIN: 0x9C000 - 0x48000
AMSS.BIN: 0xE4000 - 0x1484000

But I don't know where to start to make the USB JTAG NT recognize the devices, or even the pinouts of the cable like NRST, TRST, RTCK, TDO, TDI, TMS, GND or TCK.
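The memory map in the post above, worked through as an added example (not part of the original post or of Z_Flasher): it reads each line as "start - length", the reading under which the six regions are contiguous, then cuts a full image into the six files and hashes each one so a dump can be compared before anything is written back. The dump here is constructed filler, not real modem data.

```python
import hashlib
import re

# The map as posted above; each line read as "NAME: start - length" (assumption).
POSTED_MAP = """\
MIBIB.BIN: 0x0 - 0x28000
SIM_SECURE.BIN: 0x28000 - 0x18000
QCSBL.BIN: 0x40000 - 0x14000
OEMSBL1.BIN: 0x54000 - 0x48000
OEMSBL2.BIN: 0x9C000 - 0x48000
AMSS.BIN: 0xE4000 - 0x1484000
"""
LINE = re.compile(r"^(\S+):\s*(0x[0-9a-fA-F]+)\s*-\s*(0x[0-9a-fA-F]+)$")

def parse_map(text):
    """Return [(name, start, length)]; reject a gap or overlap between regions."""
    parts, expected = [], 0
    for raw in text.strip().splitlines():
        m = LINE.match(raw.strip())
        if not m:
            raise ValueError(f"unparseable line: {raw!r}")
        name, start, length = m[1], int(m[2], 16), int(m[3], 16)
        if start != expected:
            raise ValueError(f"{name}: starts at {start:#x}, expected {expected:#x}")
        parts.append((name, start, length))
        expected = start + length
    return parts

def split_dump(dump, parts):
    """Cut a full image into regions; return {name: (data, sha256 hex)}."""
    end = parts[-1][1] + parts[-1][2]
    if len(dump) < end:
        raise ValueError(f"dump is {len(dump):#x} bytes, map needs {end:#x}")
    out = {}
    for name, start, length in parts:
        chunk = dump[start:start + length]
        out[name] = (chunk, hashlib.sha256(chunk).hexdigest())
    return out

def constructed_dump(parts):
    """Stand-in for a real dump: region k is filled with byte value k."""
    return b"".join(bytes([k]) * length for k, (_, _, length) in enumerate(parts))

if __name__ == "__main__":
    parts = parse_map(POSTED_MAP)
    for name, (data, digest) in split_dump(constructed_dump(parts), parts).items():
        print(f"{name:15s} {len(data):#10x}  sha256 {digest}")
```

A truncated read or a map with a gap raises `ValueError` instead of producing files of the wrong size.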
usbbdm
Junior Member
Posts: 8962
Joined: Mon Jul 18, 2005 9:33 pm

Post by usbbdm »

Supporting those devices should be possible. However, since they use NAND devices, it might be necessary to have a device in hand to add support for it.

Recently I upgraded my cell phone and have one Samsung I9000 to play with. I will also see if I can add support for that.

Post by sebholz »

How can I help with this thread? I'm available for testing anything.

Post by usbbdm »

sebholz wrote: How can I help with this thread? I'm available for testing anything.
I saw somewhere that it is ARM926. You can connect the USB JTAG NT and see if it detects it. However, since it is NAND flash, some code might need to be written for it.

JTAG NT USB Pinouts

Post by sebholz »

usbbdm wrote: I saw somewhere that it is ARM926. You can connect the USB JTAG NT and see if it detects it. However, since it is NAND flash, some code might need to be written for it.
Are these the JTAG NT pinouts?
Image

Also, what about the voltage: is it required to put in some resistors, or just a plain direct cable connection?

Post by usbbdm »

sebholz wrote: Are these the JTAG NT pinouts?
Image
Yes. It is built with standard MIPS JTAG pinout.

Post by sebholz »

Well so far for ZTE MF100:

Pin 1: TRST (Pin 5 on target, ok)
Pin 2, 4, 6, 8 , 10: GND (GND pin on target, ok)
Pin 3: TDI (Pin 1 on target, ok)
Pin 5: TDO (Pin 2 on target, ok)
Pin 7: TMS (Pin 3 on target, ok)
Pin 9: TCK (Pin 4 on target, ok)
Pin 11: RESET (Obviously I think it is RST (or NRST, SRST) so pin 7, ok)
Pin 12: ? (no idea)
Pin 13: DEBUG (don't know where to put it on target)
Pin 14: NC (don't know where to put it on target)

What about RTCK on target?

Post by usbbdm »

sebholz wrote:Well so far for ZTE MF100:

Pin 1: TRST (Pin 5 on target, ok)
Pin 2, 4, 6, 8 , 10: GND (GND pin on target, ok)
Pin 3: TDI (Pin 1 on target, ok)
Pin 5: TDO (Pin 2 on target, ok)
Pin 7: TMS (Pin 3 on target, ok)
Pin 9: TCK (Pin 4 on target, ok)
Pin 11: RESET (Obviously I think it is RST (or NRST, SRST) so pin 7, ok)
Pin 12: ? (no idea)
Pin 13: DEBUG (don't know where to put it on target)
Pin 14: NC (don't know where to put it on target)

What about RTCK on target?
No DEBUG. RESET is NRST

First results

Post by sebholz »

Well, now at home, first I took the time with an image of the cable connections from the older post:
Image
With an old computer case, I used the LED and switch pins so as not to solder directly to the USB JTAG NT or cut the original data cable:
Image

After checking the cable continuity to the target, it was time to power it on, and this is what I have in the log after a "flshdct 0" command:
Copyright (C) 2010-2015
USB JTAG NT 0.68
Target: SBG900
-flshdct 0
Unknown flash type!
Report these values http://www.usbjtag.com/vbforum 8000,0000
After registering the new target in the "New Target XML" menu under the "Modem" category, choosing ARM9 with the program running in Administrator mode, then exiting and running the program again in normal mode, this is what I got after the detect command:
Copyright (C) 2010-2015
USB JTAG NT 0.68
Target: SBG900
-detect
IDCODE 80000000
ADM ADM5120
IMPCODE 80000040
EJTAG V1, V2.0
DMA supported
Unknown flash type!
Report these values http://www.usbjtag.com/vbforum 8000,0000

Post by sebholz »

Editing my old post, I thought that I've missed something: to add the New Flash first!

Post by usbbdm »

No. You have not made the connection correctly yet.
You should get good CPU detection. The target cannot be 900 (MIPS). You need to select an ARM target. So edit the xml to make one (select an ARM-based router first).

Post by usbbdm »

Use WNR854T to see if you can detect CPU. There is no way you can read/write NAND flash with this xml. However you should see DEBUG ON if it is right.

Post by sebholz »

Well today it has changed the address of the CPU
Copyright (C) 2010-2015
USB JTAG NT 0.68
Target: SBG900
-flshdct 0
Unknown flash type!
Report these values http://www.usbjtag.com/vbforum 9400,01fe
Doing the procedure with this config:
<Test>
  <Name>MF100</Name>
  <Cat>Modem</Cat>
  <Protocol>ARM9</Protocol>
  <SubProtocol>ARM926</SubProtocol>
  <Endian>Little</Endian>
  <IRLength>4</IRLength>
  <Programram>0x400000</Programram>
  <Memorys>
    <Memory>
      <Name>Flash</Name>
      <Type>1</Type>
      <Address>0xFF800000</Address>
      <Size>0x1</Size>
      <Bootblock>0x800000</Bootblock>
    </Memory>
  </Memorys>
</Test>
The program starts by itself doing this:
Copyright (C) 2010-2015
USB JTAG NT 0.68
Target: MF100
Exit Thumb Mode
Exit Thumb Mode
Error
Exit Thumb Mode
Error
Exit Thumb Mode
Error
Exit Thumb Mode
Error
Exit Thumb Mode
Error
It tries to get to DEBUG ON but then it changes to OFF, on and on.

Trying to do detect command:
-detect
IDCODE 00000000
Exit Thumb Mode
Is this diagram correct??
Image
Or should I change some pin of the target to the DEBUG pin on USBJTAG??
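A sanity check for the IDCODE values in the -detect logs of this thread, as an added example that is not part of the original posts or of the USB JTAG NT software: under IEEE 1149.1, bit 0 of an IDCODE is always 1, so neither 80000000 nor 00000000 is a device identifier, which fits the reply that the connection is not right yet. 0x07926477 is a constructed well-formed value for contrast, not a reading from the MF100.

```python
# Two values taken from the logs above plus one constructed well-formed value.
SAMPLES = [0x80000000, 0x00000000, 0x07926477]

def decode_idcode(value):
    """Split a 32-bit JTAG IDCODE into its IEEE 1149.1 fields."""
    return {
        "marker": value & 1,                    # bit 0, always 1 in a real IDCODE
        "manufacturer": (value >> 1) & 0x7FF,   # bits 11:1, JEP106 bank + id
        "part": (value >> 12) & 0xFFFF,         # bits 27:12
        "version": (value >> 28) & 0xF,         # bits 31:28
    }

def check_idcode(value):
    """Return (ok, reason) for a value read back over TDO after a TAP reset."""
    if not 0 <= value <= 0xFFFFFFFF:
        return False, "not a 32-bit value"
    if value == 0x00000000:
        return False, "all zeros: TDO stuck low, target unpowered or held in reset"
    if value == 0xFFFFFFFF:
        return False, "all ones: TDO floating or pulled high"
    if decode_idcode(value)["marker"] != 1:
        return False, "bit 0 is 0: BYPASS bit or shifted/garbled data, not an IDCODE"
    return True, "well-formed IDCODE"

def triage(values):
    """Map each value to its verdict so wiring faults are visible at a glance."""
    return {f"{v:08X}": check_idcode(v) for v in values}

if __name__ == "__main__":
    for code, (ok, reason) in triage(SAMPLES).items():
        print(code, "OK  " if ok else "FAIL", reason)
        if ok:
            print("        ", decode_idcode(int(code, 16)))
```

A value that fails this check says nothing about the flash; it means the scan chain itself (power, ground, TDO/TDI, TCK, reset lines) has to be verified first.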