Scribd
Upload
213 views

VR-Table User Manual EN PDF

Uploaded by

Gabriel Caicedo Russy
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
213 views

VR-Table User Manual EN PDF

Uploaded by

Gabriel Caicedo Russy
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 31

USER MANUAL

rev 1.0b

http://vr-table.com
http://vr

© Multi-COM Sp. z o.o. Page 1


TABLE OF CONTENTS

INTRODUCTION ........................................................................................................................................3
CHECK LIST (PACKING LIST) ......................................................................................................................4
TECHNICAL DATA......................................................................................................................................5
SCHEMATICS .............................................................................................................................................6
WARNING AND SAFETY RULES .................................................................................................................7
ENVIRONMENT DISPOSAL ........................................................................................................................7
TRADEMARKS ...........................................................................................................................................7
SETUP .......................................................................................................................................................8
eMMC – what is it ?............................................................................................................................... 10
FINDING EMMC POINTS - OVERVIEW ................................................................................................... 11
FINDING EMMC POINTS – CHIP-OFF ................................................................................................. 12
FINDING EMMC POINTS – ATF TP FINDER METHOD......................................................................... 19
JTAG – what is it ? ................................................................................................................................. 23
JTAG – FINDING TP TO USE WITH JTAG ................................................................................................ 24
eMMC/JTAG/FBUS connection to computer ........................................................................................ 25
eMMC – Hints for use SD Card readers for eMMC and Android partitions .......................................... 26
eMMC – Hints for use SD Card readers for eMMC and Windows phones 8.0/8.1/10 partitions......... 27
VR-JE02 ADAPTER CONFIGURATION ..................................................................................................... 28

© Multi-COM Sp. z o.o. Page 2


INTRODUCTION

VR-TABLE is a precision tool for non-invasive ISP (In System Programming)


reading and writing via JTAG/EMMC/FBUS which replaces the need for
soldering or de-soldering anything on motherboard. This allows forensic
examiners to acquire data from Mobile Devices, GPS Devices and other
electronics units very quickly. Optimization of VR-Table is based on a fully
individually configurable VR-ARMS ended with precision probes. VR-Table can
be also freely used in the car diagnostics (car radios, controllers) as well as in
FBUS communication mode, completely replacing the RJ45/RJ48 cables.

ADVANTAGES:

• NON-Destructive (manufactured from high quality of German TECAFORM


AH Black and brushed aluminum)
• NO Consumables
• internal voltage VCC/VccQ build-in for EMMC (3,3V, 2,85V, 1,8V)
• equipped with 7 or 10* 300 mm (VR-ARMS) with hydraulic (central)
block, ended with precise tips/probes
• central silver VR-ARM allows locate the servicing device safely without
fear of his movement exactly over a target - by this you are close to
target and avoid communication errors
• set of 10 embedded on-board channels with gold-plated connectors (L1,
L2 .... / R1, R2 ....) connected to the socket IDC 10 that can be used in any
TTL/FBUS communications
• 2-2 banana type of cables that allows to sniff communication by putting
each cable into one., i.e.: oscilloscope
• on board USB connection cable for better cable routing

© Multi-COM Sp. z o.o. Page 3


CHECK LIST (PACKING LIST)

Before starting, check that all the following items have been included with your
camera. If anything is missing, contact your dealer.

Model: ▫ 7 ARM edition ▫ 10 ARM edition

□ 1 x VR-Table □ 1 x VR-Table

□ 6 x VR BLACK arm □ 9 x VR BLACK arm

□ 1 x VR silver arm □ 1 x VR silver arm

□ 6 x black probe □ 9 x black probe

□ 2 x red probes □ 2 x red probes

□ 1 x VR holder tray □ 1 x VR holder tray

□ 1 x VR JE-02 adaptor □ 1 x VR JE-02 adaptor

□ 1 x 17cm cables for adapter □ 1 x 17cm cables for adapter

□ 4 x black 50cm cable □ 7 x black 50cm cable

□ 2 x red 50cm cables □ 2 x red 50cm cable

□ 2 x IDC 10 pin cable □ 2 x IDC 10 pin cable

□ 16 x plastic pads for arm □ 16 x plastic pads for arm

□ 1 x USB cable □ 1 x USB cable

□ 1 x TORX key □ 1 x TORX key

© Multi-COM Sp. z o.o. Page 4


TECHNICAL DATA

Please find below specification for VR-Table unit

External case dimensions (L x W x H): 470 x 370 x 100 mm


VR-Table dimensions without arms (L x W x H): 395 x 315 x 75 mm
Weight of VR-Table without arms installed: 2,9 KG
Weight of unit with 9 arms installed: 6 KG
Arms length and type: VR-M8 hydraulic 300 mm
Arm movement range : 150 degree
Max. eMMC voltage 1,8V current output : 250mA
Max. eMMC voltage 2,85V current output : 200mA
Max. eMMC voltage 3,3V current output : 150mA
Magnifying glass and glass lens type socket: 5D MA-1225CF
USB to PC connector type (USB OUT): USB B
VR-Table to device connector type (USB IN): USB A
Main connector type used: IDC 10 pin / 2.54Mm
Banana type plugs type used: 4mm

All-in-One VR-TABLE JE-02 schematics output:


Interface Pin
RJ45
N/C 1 2 3 4 5 6 7 8 N/C

RJ48

1 2 3 4 5 6 7 8 9 10

JE-02

5 13 15 3 17 11 1 7 9 19

ATF DIP SWITCH JTAG MODE


- - - + - - - - - +

ATF DIP SWITCH EMMC MODE - - - - + - + - - -

© Multi-COM Sp. z o.o. Page 5


SCHEMATICS

Below you will find scheme of internal cables routing inside VR-Table. There
are:

• 5 x 4mm gold plated channels on RIGHT side


• 5 x 4mm gold plated channels on LEFT side

All of them are connected to IDC10 connector that you can find on front of VR-
Table according to scheme below. You can use them in FBUS/TLL transmission
for better cable routing. To avoid communication problems due long signal
routing we don’t suggest to use them for eMMC/JTAG transmission.

5D MA-1225CF lamp connector

1. IDC 10 pin routing FBUS connector diagram

© Multi-COM Sp. z o.o. Page 6


WARNING AND SAFETY RULES

Before using the machine, ccheck


heck to be strictly the following safety information.

- The device is not a toy and should be kept away from children. Children are
not aware of the risks and dangers that entail contact with electronic devices.
- The unit should be used only for work for which it is intended and only
indoors.
- Do not make any modifications to the construction of the device.
- Do not allow contact with water or other liquids, and must not operate with
wet hands.
- Do not use or store the device in dusty, damp environme
environment
nt or in extreme high
or low temperatures Failure to follow these guidelines could cause damage to
and used in such conditions device may not operate properly or cause a
hazard.

- Do not connect to other devices not supplied by the manufacturer cables /


adapters - this can cause a danger of short circuits and damage the device.

ENVIRONMENT DISPOSAL
The device is subject to the WEEE Directive 2002/96 /
EC. This symbol indicates that the product must be
disposed of separately and should be delivered tto an
appropriate waste collection point. It should not be
disposed of with household waste. For more information,
please contact your company or local authorities in charge
of waste management.

TRADEMARKS
All trademarks mentioned on this manual are property
erty of their respective
companies. Including product names, logos, commercial symbols, trade names
and slogans are trademarks of those respective or related companies, and are
protected by international trademark laws.
laws They are used here ONLY for
information purpose.

© Multi-COM Sp. z o.o. Page 7


SETUP

1. Open case and remove all arms (photo 1)


2. Pull up foam, take out VR-Table
VR and place it on desk
3. Take out from case a small bag with 16 pcs of black plastic pads and
count 7 or 9 of them (depends on purchased version)
4. Take one black plast
plastic
ic pad and one black VR arm and install it in desired
M8 hole. Arms can be attached into any of the screw holes around the
table – total there are 16 holes. Choose positions near to the identified
probe points. In most of situations best will be to install it on left and
right side of table. Each arm can be adjusted by loosening the dial.
(photo 2)
5. Install silver VR Arm on position where holder can be stored over the
target device. (photo
photo 3)
6. Loose screws on VR holder and move it to desired position where PCB
will be stored. (photo
photo 4)
7. Put board into place and hold it tight to avoid movements. ((photo 5)
8. Install probe, adjust angle and put banana connector to it. (photo
( 6)
9. Adjust probes and arms to fit to desired position of connection
pads/elements. (photophoto 7)
10. Ready unitnit fully assembled and ready to work (photo
( 8)

Setup movie you can also watch at http://vr-table.com/videos.php


table.com/videos.php

NOTE:

In case you want to use eMMC power lines for your target use banana
connector to connecting target to VCC or VccQ
V according target.
DON’T USE POWER SECTION FOR BATTERY TERMINAL CONNECTION

GND – GROUND also called VSS


1.8V – in most cases VVccQ
2.8v/2.85V – in most cases V VccQ
3.3V - in most cases it will be VCC

© Multi-COM Sp. z o.o. Page 8


Photo 1 Photo 2

Photo 3 Photo 4

Photo 5 Photo 6

Photo 7 Photo 8

© Multi-COM Sp. z o.o. Page 9


eMMC – what is it ?

eMMC is an open, royalty-free


royalty standard which was developed by the MMCA
and the JEDEC. Commonly eMMC are used in mobile phones, PDAs, digital
cameras but nowadays also in latest TV and electronic devices.

eMMC Flash memories include an interface controller which is in most


cases Processor/Chip and a Flash memory. Access to the Flash memory is
performed by the interface controller on the slave side.

eMMC Master controller eMMC Slave controller

CPU (Processor) / Chip eMMC Flash Memory


Controller CLK CLK Controller

CORE Interface for CMD CMD Interface for Memory


Flash
eMMC DAT DAT eMMC

eMMC protocol uses 3 communication signals (CLK, CMD, and DAT DAT). In case you
want to use use full bandwidth of 4 bits it will need additional DATA signals
signals, as
shown below:

CLK - MCC clock

CMD - Command in / Response


esponse out

DAT0 - Data input / Output


utput (1-bit)
.........
DAT1 - Data input / Output
utput (2-bit)
DAT2 - Data input / Output
utput (3-bit)
DAT3 - Data input / Output
utput (4-bit)

There are also three additional signals needed forr communication as: GND/VSS
(called also Ground),, VCC (power of NAND memory inside eMMC)) and VccQ
(power of internal eMMC controller).

© Multi-COM Sp. z o.o. Page 10


FINDING EMMC POINTS - OVERVIEW

There are two ways of locating eMMC points if they are not available:

• De-soldering BGA method which uses Chip OFF (fits for all devices and
CPU's)
• Non soldering/De-soldering method for Advance Turbo Flasher Box
called “TP Finder method “ which work Qualcomm, Exynos, Marvell,
Broadcom and Spreadtrum based devices

While first one require from you to remove the eMMC chip from a board the
second one uses unique method to find them very quickly without need for any
soldering.

Note: Please note that no meter if you SOLDER to PCB or NOT - never attempt
searching processes on your exhibit.

Before attempt to search process we first suggest to check if pinout is not


already available at Internet forums:

http://forum.gsmhosting.com/vbb/f672/emmc-direct-pinout-collection-m-1717874/index12.html
http://winkgsm.blogspot.com/2016/05/pinout-direct-emmc-samsung.html
http://www.unlockforum.com/showthread.php/tested-emmc-pinouts-25378.html
https://www.exploitee.rs/index.php/Main_Page

There are several other GSM box producers websites where you can find pin
outs too.

© Multi-COM Sp. z o.o. Page 11


FINDING EMMC POINTS – CHIP-OFF

This method will require from you good soldering skills as also additional tools:

- multimeter with continuity tester option


- soldering station suitable for BGA rework.

STEPS:

1) Locate eMMC on PCB and de-solder it using soldering station. We


suggest small BGA station for this but if you got enough skills you can use
even manual hot air station with small down preheater.

© Multi-COM Sp. z o.o. Page 12


2) Once BGA removed you will see ball grid - please use BGA chip
schematics for your bag (159, 16, 169, 221 etc) to find correct pinout for
BGA grid array. Please make sure that orientation PIN is putted in same
place as on your BGA, if not rotate PCB to get exact same view as on
scheme.

POSITION PIN

© Multi-COM Sp. z o.o. Page 13


3) From previous chapter about eMMC we know what signals are required
to connect and now we will try to find representative points on PCB for
them. We will use scheme in finding signals one by one as below:
o CMD
o VccQ
o CLK
o VCC
o DAT0 (for 1 bit communication)
o GND/VSS

Before starting next steps please note that NOT ALL phones have exposed
CMD/CLK locations on the PCB. Some phones/tablets got those TP pins only
available under BGA so extraction is possible only by chip off.

4) Using a multimeter set to continuity tester, place one probe on exposed


point starting from CMD on BGA grid array and touch each of the
resistors/TP pads on the board until the continuity tester indicates you
have a direct connection. Don't try to find CMD on capacitors (brown
color elements) it is NEVER correct for this signal. Try only resistors and
test point pads around eMMC Area (resistors are black color elements).
Also do NOT attempt too much force on the resistors as they may come
off! If Test Point is not found around the eMMC area, you can try looking
for it around the CPU area.

© Multi-COM Sp. z o.o. Page 14


5) Once CMD found, the there is two options to find VccQ. First: if CMD
from both side of resistor giving a “BEEP” then you should start looking
for VccQ on capacitors. Second if there is no “BEEP” once you test a CMD
place resistor from both end is USUALLY on the other side of the CMD
resistor test point. You will find more than one VccQ - it does not matter
which one you use but can be simpler for you to use VccQ from different
resistor location for better VR arm routing over PCB. If you want to find a
better location for VccQ for easier probing, then you can use same
method which we use for CMD. Put a multimeter on continuity test and
check which resistor around the eMMC will "BEEP" when you test it
against the VccQ test point on the opposite side of the CMD.

6) We got now two signals - CMD and VccQ, we will now find CLK and DAT0.
Similar to CMD finding process, CLK and DAT0 test points signal are
available ONLY on resistors and test point pads around eMMC Area
(resistors are black color elements).

HINT: DAT0 signals are always found NEAR eMMC Area but If is not
found, you can try looking for it around the CPU Area.

© Multi-COM Sp. z o.o. Page 15


CLK PIN TP DAT0 PIN TP

7) Once CLK/CMD/DAT0/VccQ test points were found we will now process


to find VCC. This time do not try to TP resistors - try only TP to capacitors
(brown color elements) using same scheme as above.

8) Last step is finding GND (called also VSS). This can be easily located by
connecting to any RF Shield of target or checking opposite end of VCC.
Similar to scheme above you will find more than one GND/VSS - it does
not matter which one you use but can be simpler for you to use GND/VSS
from different capacitor location for better VR arm routing over PCB. If
you want to find a better location for GND/VSS for easier probing, then
you can use same method which we use for CMD or VccQ. Put a
multimeter on continuity test and check which capacitor around the
eMMC will "BEEP" when you test it against the GND Test Point on the
opposite side of the VCC Resistor. You can also use negative battery
hook terminal (-) for GND.

© Multi-COM Sp. z o.o. Page 16


FINDING EMMC POINTS – VCC/VccQ values

We got now all points - all we need is determine what VCC and VccQ of your
target uses.

First check if VCC and VccQ are connected together or not - for this use similar
method ad we used for finding other points. Put a multimeter on continuity
test between VCC and VccQ and check if it will "BEEP". If you identified by
continuity tester that VCC and VccQ were directly connected then you will note
they both require the same voltage and then when using VR-Table you can
extract using 5 arms and connection to only 1 power line on VR-Table. If the
VCC and VccQ voltages are different (so there is no connection between them)
then you will need to use 6 arms and connect those to separate power line
connectors on VR-Table since your eMMC use different voltage for
eMMC/NAND and controller.

Now once we know if eMMC/NAND and controller works on same voltage we


need to find information what voltage VCC and VccQ requires. As from previous
chapter we know VCC is a power of eMMC/NAND memory inside eMMC (can
be 2.8 - 3.3V) and VccQ is a power of internal eMMC controller (can be 1.8 -
2.8V). To determine voltages of VCC/VccQ you will need a working board and
multimeter but this time in set to DC Voltage test. There are two methods for
this process:

a) using battery from device/DC power supply

b) using USB cable in case your target is Qualcomm based devices

METHOD A:

Apply power to the board (either from the battery or the external DC power
supply) and turn the device on. While device is powering ON, take your
multimeter RED and BLACK prongs and apply them between VCC and GND to
check voltage on the PCB. Repeat same procedure for VccQ/GND if in previous
step you noted that they were not together connected.

© Multi-COM Sp. z o.o. Page 17


METHOD B:

In this method we will use USB cable to check what is the actual voltage of your
VCC/VccQ TP when USB cable is connected to the PCB. Sometimes the voltage
will only appear for less than 5 seconds after power ON target, so be sure to
catch it quickly. The best practice is to ask someone else to connect the USB
cable while you position your multitmeter RED and BLACK prongs on the phone
PCB and apply them between VCC and GND. Repeat same procedure for
VCCq/GND if in previous step you noted that they were not together
connected.

© Multi-COM Sp. z o.o. Page 18


FINDING EMMC POINTS – ATF TP FINDER METHOD

This method will require from you some additional tools to perform but it’s not
destructive:

- ATF Box
- Multimeter with continuity tester
- VR-JE 02 adapter
- latest probe with moving pin (not fixed standard one)
- optionally active USB HUB where VR-Table will be connected
BEFORE STARTING WE SUGGEST TO MAKE HIGH QUALITY PHOTO OF YOUR PCB WHICH
CAMERA AND PRINT IT - THIS WIL BE PLACE WHERE YOU CAN MARK FOUND TPS

1) Find phone battery terminal and prepare 2 probes - black and red
2) Connect VR probe to GND (-) negative terminal of phone battery and
Positive terminal battery to 3.3V on VR-Table
3) Take JE-02 adapter and make sure that DIP switch are set to OFF for
PIN1/2. Connect JE-02 adapter to ATF and connect one probe to JE-02
IDC pin number 9 (with will reflect to pin 8 on RJ45 of ATF)
4) Now find a way that Power Button on your phone target will be always
pressed during TP find stages. Use rubber band or tie cables for this.
5) Run latest ATF software, change tab to Nokia and from drop down list
choose ATF Plus:

REPEAT <--- number of times TP finder will loop itself automatically (choose 50)

INTERVAL <--- delay in seconds before the next TP Finder operation will start
(choose 2 seconds)

6) Press Find eMMC Test Point button in software and start connecting VR
Probe Test Point to resistors/TP pads on the phone's PCB around the
eMMC area. Do NOT put too much force on the resistors as they may
come off. Allow at least 2 tries per possible location on the PCB and
always wait for message "Please Check Another Location..." before trying
other TP locations in ATF software. Try only resistors and test point pads
© Multi-COM Sp. z o.o. Page 19
around eMMC Area (resistors are black color elements). If Test Point is
not found around the eMMC area, try looking for it around the CPU area.

NOTE: Please note that NOT ALL phones have exposed all signals locations on
the PCB (especially CMD/CLK). Some phones/tablets got those TP pins only
available under BGA so extraction is possible only by chip off.

When a correct Test Point is found you will see message in software as
for example CLK or CMD found. Repeat this step until you will have those
both signals found so CLK and CMD. Please mark found TP on printed
photo.

7) Once CMD found, the VccQ is usually on the other side of the CMD
resistor test point. You will find more than one VccQ - it does not matter
which one you use but can be simpler for you to use VccQ from different
resistor location for better VR arm routing over PCB. If you want to find a
better location for VccQ for easier probing, then you will need a
multimeter. Put a multimeter on continuity test and check which
resistor/capacitor around the eMMC will "BEEP" when you test it against
the VccQ test point on the opposite side of the CMD. When got it we
need also know which voltage to use for internal eMMC controller (can
be 1.8 - 2.8V). For this we will need USB cable with mini/micro
connector which will fits to your target. Simply use multimeter set to DC
Voltage TEST to check what is the actual voltage of VccQ when USB cable
is connected to the PCB. Simply put probes to VccQ and RF shield (you
can use even VRARMs for it) and connect the USB Cable to target - note
readings.

8) We have already found CMD, CLK, and VccQ - now we will find VCC. For
this please disconnect VR Probe from PIN 9 on JE-02 adapter and connect
it by 50cm banana cable to 3.3V power line of VR-Table. In this step all

© Multi-COM Sp. z o.o. Page 20


VR-Arm with probes should be connected to already found points as
below:

SIGNAL WHERE TO CONNECT


PIN 1 on JE-02 adapter CLK connect to already found CLK TP on PCB by VR-Arm
PIN 11 on JE-02 CMD connect to already found CLK on PCB by VR-Arm
adapter
PIN 7 on JE-02 adapter GND connect to already found GND TP on PCB by VR-Arm
VR-Table power socket 1,8V or 2,85V* connect to already found VccQ by VR-Arm
VR-Table power 3.3V connect to probe that you will use to search
socket
VR-Table power socket GND connect to probe GND (pin 7 so one will be putted into
second)
*choose value which you previously read for VccQ

9) Now on ATF software, make the necessary settings for eMMC finder loop
so choose correct CPU target model, signal which we will find (VCC) and
number of repeats. Allow at least 2 tries per possible location on the PCB
and always wait for message "Please Check Another Location..." before
trying other TP locations. This time do not try to TP resistors - try only TP
to capacitors using same scheme as above (capacitors are brown color
elements). When you have connected the test point cable to the correct
VCC Test Point, the ATF software will announce to you that the VCC
Pinout has been located.

10) Now when CMD, CLK, VCC, VccQ, GND (VSS), was found last signal
which is required is DATA (DAT0). For this signal you need to
DISCONNECT positive (+) battery probe from PCB leaving only negative (-
) battery hook connected as also changing VR-Table JE-02 adapter into
eMMC mode which will connect together CLK1/CLK2. In this situation we
will use VR Probe connected to PIN 9 ID 20 pin JE-02 adapter.

© Multi-COM Sp. z o.o. Page 21


Before attempting to find DATA make sure that all previous signals are
correctly connected as below

SIGNAL WHERE TO CONNECT


PIN 1 on JE-02 adapter CLK connect to already found CLK TP on PCB by VR-Arm
PIN 11 on JE-02 adapter CMD connect to already found CLK on PCB by VR-Arm
PIN 7 on JE-02 adapter GND connect to already found GND on PCB by VR-Arm
PIN 9 on JE-02 adapter DATA connect to probe that you will use to search
VR-Table power socket 1,8V or 2,85V* connect to already found VccQ by VR-Arm
VR-Table power socket 3.3V connect to already found VCC by VR-Arm
VR-Table power socket GND connect to probe GND (pin 7 so one will be putted into
second)
*choose value which you previously read for VccQ

11) Now on ATF software, make the necessary settings for eMMC
finder loop so choose correct CPU target model, signal which we will find
(DATA) and number of repeats. Remember to NOT put too much force
on the resistors as they may COME OFF and allow at least 2 tries per
possible location on the PCB and always wait for message "Please Check
Another Location..." before trying other TP locations. Try only resistors
and test point pads around eMMC Area (resistors are black color
elements). If Test Point is not found around the eMMC area, try looking
for it around the CPU area. When you have connected the test point
cable to the correct DATA Test Point, the ATF software will announce to
you that the DATA Pinout has been located.

© Multi-COM Sp. z o.o. Page 22


JTAG – what is it ?

The JTAG interface, collectively known as a Test Access Port (TAP


TAP), uses the
following signals to support the operation of boundary scan.
TCK (Test Clock)

TMS (Test Mode Select)

TDI (Test Data In)

TDO (Test Data Out)

TRST (Test Reset)

TMS (Test Mode Select)

In case of phones you might also need to connect:


VRef (Voltage Reference)

• TCK (Test Clock) – this signal synchronizes the internal state machine
operations.
• TMS (Test Mode Select) – this signal is sampled at the rising edge of TCK to
determine the next state.
• TDI (Test Data In) – this signal represents the data shifted into the device's
test or programming logic. It is sampled
sampled at the rising edge of TCK when the
internal state machine is in the correct state.
• TDO (Test Data Out) – this signal represents the data shifted out of the
device's test or programming logic and is valid on the falling edge of TCK when
the internal state machine is in the correct state.
• TRST (Test Reset) – this is an optional pin which, when available, can reset the
TAP controller's state machine.
• VREF (Voltage
Voltage Reference
Reference) – onn the most devices this pin is tied to the device's
VCC and may be used to power a buffer IC chip. Used sed to indicate a JTAG signal
levels: 5V, 3.3V, 2.5V

© Multi-COM Sp. z o.o. Page 23


JTAG – FINDING TP TO USE WITH JTAG

There are several solutions for finding JTAG Test Points using different devices
but all of them working on similar probing method. Difference between them
are finding time, multi TAPs in scan chain support also maximal amount of
finder pin scans.

Please just remember:

GND – must be always connected to ground PIN on device (use JE-02 scheme
or check your GND location on device you will use to connect)

Battery+ PIN (pad which is directly connected to positive battery terminal) -


must be always excluded from searching JTAG pins process

RESET/NRST PIN - must be first found and then excluded since it will interrupt
searching process of JTAG. How to find NRST? You will need for this multimeter
in diode probing mode. Please turn ON target and connect one probe of
multimeter to GND (GND are easy to detect by multimeter because they are
directly wired on battery terminals). Then search all other pins one by one by
touching them. Once RESET/NRST pin will be found phone/target will restart.

HINT: Most powerful method is to connect test points to GND via 1kOm
resistor but in most situations enough tapping it by tweezers or multimeter
probe will works.

Below you will find devices which offer finding all other JTAG lines as TCK, TMS,
TDO, TDI and TRST. You can of course use VR-Table to found those pins without
any soldering:

JTAG Finder from ORT - http://www.jtagfinder.com/x/


GPG eMMC - http://www.gpgemmc.com/features.html
Medusa PRO - http://medusabox.com/
Easy Z3x JTAG - http://z3x-team.com/easy-jtag-activation/

© Multi-COM Sp. z o.o. Page 24


eMMC/JTAG/FBUS connection to computer

Once you got proper pin out for your device you can start placing probes over
correct TP. VR-Arm which comes with VR-Table can be moved in many
direction and adjusted by loosening the dial. Also ending tip of VR-arm can be
moved UP/Down by loosening small screw on it - you can use this feature in
connection process. Best procedure is to:

a) Place banana connector with cable into PROBE/VR-Arm that you will use

b) Move VR arm with installed probe into position where your desired TP is
located

c) Gently push the spring probe tip onto the correct position - please DO NOT
put too much force on the resistors/capacitors as they may come off!!

d) Once probe is only place lock the arm by dial and adjust with up screw in
necessary

e) Take USB cable and connect it to back of VR-Table at one end and to box
which you will use for reading target at second end - place device on VR-Holder
tray

f) Connect USB cable A-B to front of VR-Table and to your computer

© Multi-COM Sp. z o.o. Page 25


eMMC – Hints for use SD Card readers for eMMC and Android partitions

If you are using SD Card readers for signal sniffing or eMMC connection for
Android please note that they use EXT2, EXT3 and EXT4 Partitions. It means
that to see logical disk under Windows you need to use special application as:

- Paragon ExfFs for Windows (https://www.paragon-software.com/home/extfs-windows/


- EXT2FSD (http://www.ext2fsd.com)

Once you got your eMMC connected below are interesting Folders/Files inside
a User Data Partition:

Phone book \data\data\com.android.providers.contacts\


databases\contacts2.db
SMS, MMS messages \data\data\com.android.providers.telephony\
databases\mmssms.db
Calendar \data\com.android.providers.calendar\databases\
calendar.db
Log \data\com.sec.android.provider.logsprovider\data
bases\logs.db
User's data \data\system\users\accounts.db
Web-browser history \data\data\com.android.browser\databases\brow
ser2.db
Dictionary \data\user\comc.android.providers.userdictionary
\databases\user_dict.db

© Multi-COM Sp. z o.o. Page 26


eMMC – Hints for use SD Card readers for eMMC and Windows phones 8.0/8.1/10 partitions

If you are using SD Card readers for eMMC connection on Windows phones
note that they use NTFS Partitions

Here are interesting Folders/Files Inside a Windows Phone Data/MainOS


Partition:

SMS, MMS messages Users\WPCOMMSERVICES\APPDATA\Local\Unistore\


store.vol
Call Logging Users\WPCOMMSERVICES\APPDATA\Local\UserData\
phone
Internet Cache: Users\DefApps\APPDATA\INERNETEXPLORER\INetCac
he
and
Users\DefApps\APPDATA\Local\Microsoft\Windows\
WebC acheV01.dat.

Pictures from Camera Users\Public\Pictures\CameraRoll\


Roll:

Pictures From Users\Public\Pictures\SavedPictures\


Facebook Etc:

More about getting data from Nokia phones you can read at
http://www.sans.org/reading-room/whitepapers/forensics/windows-phone-8-
forensic-artifacts-35787

© Multi-COM Sp. z o.o. Page 27


VR-JE02 ADAPTER CONFIGURATION

Device name Connector type / Protocol Pin out / Output signals

PIN 3, 5, 7, 9, 11, 13, 15, 17, 19 – GND


PIN 6 – JTAG NRST
PIN 8 – JTAG TDO
PIN 10 – JTAG RTCK
Riff BOX IDC-20 pin -> JTAG PIN 12 – JTAG TCK
PIN 14 – JTAG TMS
PIN 16 – JTAG TDI
PIN 18 – JTAG TRST
PIN 20 – JTAG VCC

PIN 1 – PROBE
PIN 3 – UART RXD / eMMC DAT0
PIN 7 – BSI
PIN 9 – GND
Riff BOX RJ45 8 pin-> eMMC/UART
PIN 11 – MBUS
PIN 13 – 4.2V UART
PIN 15 – UART TXD / eMMC CLK
PIN 17 – UART TX2 / eMMC CMD

PIN 1 – SGPIO-PIN / PROBE


PIN 3 – UART RXD
PIN 7 – 5V
PIN 9 – GND
Riff BOX 2 RJ45 8 pin-> GPIO/UART PIN 11 – VCC-REF
PIN 13 – 4.2V UART
PIN 15 – UART TXD
PIN 17 – GPIO PIN

PIN 3, 5, 7, 9, 11, 13, 15, 17, 19 – GND


PIN 6 – JTAG NRST
PIN 8 – JTAG TDO / SWDO
PIN 10 – JTAG RTCK
PIN 12 – JTAG TCK / SDWCLK
Riff BOX 2 IDC-20 pin -> JTAG
PIN 14 – JTAG TMS / SWDIO
PIN 16 – JTAG TDI
PIN 18 – JTAG TRST
PIN 20 – JTAG VCC

PIN 1 – eMMC ATF CLK1


PIN 7 – GND
ATF BIG CHROME/GOLD RJ45 8 pin -> eMMC
PIN 9 – eMMC DAT0
PIN 11 – eMMC CMD
PIN 17 – eMMC ATF CLK2

© Multi-COM Sp. z o.o. Page 28


PIN 15 – VCC/VCCQ

Please make sure that DIP SWITCH is


SET to eMMC MODE on adapter for use
with eMMC protocol (CLK1 + CLK2)

PIN 1 – eMMC ATF CLK1


PIN 7 – GND
PIN 9 – eMMC DAT0
PIN 11 – eMMC CMD
ATF NITRO RJ45 8 pin -> eMMC PIN 17 – eMMC ATF CLK2

Please make sure that DIP SWITCH is


SET to eMMC MODE on adapter for use
with eMMC protocol (CLK1 + CLK2)

PIN 1 – SCK
PIN 7 – GND/VSS
PIN 9 – CE#
ATF NITRO / CHROME RJ45 8 pin -> SPI PIN 11 – SI
PIN 15 – VDD/VCC
PIN 17 – S0

PIN 1 – MBUS
PIN 3 – BSI
PIN 7 – GND
ATF (Advance Turbo
RJ48 10 pin -> FBUS (Flash Bus) PIN 9 – VPP
Flasher)
PIN 11 – FBUS/UART RX
PIN 13 – FBUS/UART RX2
PIN 17 – FBUS/UART TX
PIN 19 – VBAT

PIN 1, 3, 5, 7, 9, 11, 13, 15, 17, 19 –


GND/VSS
PIN 6 – JTAG NRST / SYSRST
PIN 8 – JTAG TDO
Easy Z3x JTAG IDC-20 pin -> JTAG/eMMC PIN 10 – JTAG RTCK
PIN 12 – JTAG TCK
PIN 14 – JTAG TMS
PIN 16 – JTAG TDI / eMMC DAT0
PIN 18 – JTAG TRST / eMMC CLK
PIN 20 – JTAG VREF / eMMC CMD

© Multi-COM Sp. z o.o. Page 29


PIN 1 – MBUS
PIN 3 – BSI
PIN 7 – GND
PIN 9 – VPP
Cyclone Key RJ48 10 pin -> FBUS (Flash Bus) PIN 11 – FBUS/UART RX
PIN 13 – FBUS/UART RX2
PIN 17 – FBUS/UART TX
PIN 19 – VBAT

PIN 3, 5, 7, 9, 11, 13, 15, 17, 19 – GND


PIN 6 – JTAG NRST / SYSRST
PIN 8 – JTAG TDO
PIN 10 – JTAG RTCK
PIN 12 – JTAG TCK
ORT (Omnia Repair Tool) IDC-20 pin -> JTAG
PIN 14 – JTAG TMS
PIN 16 – JTAG TDI
PIN 18 – JTAG TRST
PIN 20 – JTAG VREF

PIN 5 – GND
PIN 13 – JTAG VREF
PIN 15 – JTAG TRST
PIN 3 – JTAG TDI
OctoPlus JTAG/Medusa
RJ48 10 pin -> JTAG PIN 17 – JTAG TMS
Box
PIN 11 – JTAG TCK
PIN 1 – JTAG RTCK
PIN 7 – JTAG TDO
PIN 9 – JTAG RESET

PIN 1 – eMMC 1.8V


PIN 3 – eMMC 2.8V
PIN 5,19 – GND
PIN 6 – JTAG RST
PIN 7 – eMMC CMD
PIN 8 – JTAG TDO
PIN 9 – eMMC CLK
Medusa PRO IDC-20 pin -> eMMC / JTAG PIN 10 – JTAG RTCK
PIN 11 – eMMC DAT3
PIN 12 – JTAG TCK
PIN 13 – eMMC DAT2
PIN 14 – JTAG TMS
PIN 15 – eMMC DAT1
PIN 16 – JTAG TDI
PIN 17 – eMMC DAT0
PIN 18 – JTAG TRST

© Multi-COM Sp. z o.o. Page 30


PIN 20 – JTAG VREF

PIN 3, 17 – GND / VSS


PIN 6 – JTAG NRST / SYSRST
PIN 8 – JTAG TDO
PIN 10 – JTAG RTCK
PIN 12 – JTAG TCK
PIN 14 – JTAG TMS
PIN 16 – JTAG TDI
GPG eMMC BOX IDC
IDC-20 pin -> eMMC/JTAG
PIN 18 – JTAG TRST
PIN 20 – JTAG VREF

In configuration, set PIN as:

PIN 3, 17 – GND
PIN 6 – JTAG NRST / SYSRST
PIN 8 – JTAG TDO
PIN 10 – JTAG RTCK
PIN 12 – JTAG TCK
GPG JTAG PRO IDC-20 pin -> JTAG PIN 14 – JTAG TMS
PIN 16 – JTAG TDI
PIN 18 – JTAG TRST
PIN 20 – JTAG VREF

In configuration set PIN as:

PIN1 – JTAG TMS


PIN 3 – JTAG TDI
PIN 7 – JTAG TCK
SMTI JTAG RJ45 8 pin -> JTAG PIN 9 – GND
PIN 13 – JTAG VPP
PIN 15 – JTAG TDO
PIN 17 – JTAG nTRST

PIN 1 – MBUS/CBUS
PIN 3 – UART TX
PIN 7,9 – GND
PIN 11 – UART RTS
“Universal” Fbus pinout RJ45 8 pin-> FBUS
PIN 13 - +5V
PIN 15 – UART RX
PIN 17 – UART CTS

© Multi-COM Sp. z o.o. Page 31

You might also like