Why can't a bricked phone be revived? - EVO 4G Q&A, Help & Troubleshooting

This is a question for those in the know when it comes to programming. Why isn't there a way to revive a bricked phone? Can't there be some method for a host computer to manually write the radio to the device? How does HTC fix a bricked phone for it to be a refurb?
I'm just very curious about this because I see a few people attempt to update the radio only to lose power and brick their EVO. I have no programming experience so don't know what goes on at the internal component level. Thanks in advance for your input.

It goes back to the old bootstrapping problem when computers were being developed. A computer (in this case, your cell phone) is pretty dumb at the hardware level. All it can do is run programs. That's ALL it can do. It can't even load a program, only run them. Thus the problem. It gets solved by injecting a "bootstrap" program at startup (from the phrase "pull yourself up by your bootstraps") which is a program that runs and gives access to all the I/O, and the computer can then load more programs.
When you update this bootstrapping program, it gets dicey, because if it isn't written right, or if there's a glitch during the update, this most basic of all functions gets corrupted. If the program that tells the phone how to load programs goes away, all the phone can do is... sit there. Like a brick.
Hope this helped!

That helped me, thanks.

Soylent Grin said:
It goes back to the old bootstrapping problem when computers were being developed. A computer (in this case, your cell phone) is pretty dumb at the hardware level. All it can do is run programs. That's ALL it can do. It can't even load a program, only run them. Thus the problem. It gets solved by injecting a "bootstrap" program at startup (from the phrase "pull yourself up by your bootstraps") which is a program that runs and gives access to all the I/O, and the computer can then load more programs.
When you update this bootstrapping program, it gets dicey, because if it isn't written right, or if there's a glitch during the update, this most basic of all functions gets corrupted. If the program that tells the phone how to load programs goes away, all the phone can do is... sit there. Like a brick.
Hope this helped!
Thanks for the info. That is interesting. So how does HTC initially put the bootstrap in and/or how do they handle a bricked phone?

Soylent Grin said:
It goes back to the old bootstrapping problem when computers were being developed. A computer (in this case, your cell phone) is pretty dumb at the hardware level. All it can do is run programs. That's ALL it can do. It can't even load a program, only run them. Thus the problem. It gets solved by injecting a "bootstrap" program at startup (from the phrase "pull yourself up by your bootstraps") which is a program that runs and gives access to all the I/O, and the computer can then load more programs.
When you update this bootstrapping program, it gets dicey, because if it isn't written right, or if there's a glitch during the update, this most basic of all functions gets corrupted. If the program that tells the phone how to load programs goes away, all the phone can do is... sit there. Like a brick.
Hope this helped!
Thanks, good explanation, appreciate that.

rafroehlich2 said:
Thanks for the info. That is interesting. So how does HTC initially put the bootstrap in and/or how do they handle a bricked phone?
There is probably a JTAG interface somewhere in there. In fact, that's how the original hack of the iPhone was done. (Better ways were since found.) Most devices have a quasi-standard interface for programming the flash and accessing the hardware for diagnostics. For instance, Linksys routers actually have a spot on the board to solder a header, and you can make a cable that connects to the parallel port. Do a Google search for "Hairy Dairy Maid Debrick" and you will find it. A similar thing is probably possible with the Evo (I've even seen them on hard drives and CD-ROM drives). The problem is, it's not entirely standardized, and it might not even be a connector or pads on the board. It might instead be a matter of knowing where you can connect the leads on the board to something that under the right circumstances BECOMES the JTAG connector. (For instance, a pin that controls something else might be a JTAG interface for the first few hundred milliseconds of start-up, or if a certain other pin of the chip is grounded when the power is applied.) It might also be completely internal to the chip, and there be NO connectors on the board (it almost CERTAINLY has the capability, they need it during prototyping), and the chips might be programmed BEFORE they are soldered in. It might take replacing the ROM chip to get it to go. There are lots of ifs.
Chances are though, the factory has a special cable and a special software program that can reprogram the device. To replicate that might be relatively easy or could be next to impossible, but requires a certain degree of knowledge about the hardware. What I suspect is, until someone who has the skills to make such a cable bricks their phone, they won't bother figuring out how to debrick one. In fact, when that person bricks their phone, they will probably take it back to Sprint and say "I don't know what happens." In fact, even if it's stuck looping in an obviously hacked boot loader he for some odd reason can't undo, he's probably going to send it back to Sprint. I know someone who did exactly that to their brand new HP laptop. He found that 15 kV from the flyback of an old B&W television applied to the memory slots took care of the looping and Best Buy gave him another one. As he put it, "I don't know what happened, but it smells bad and won't boot up."

pflatlyne said:
There is probably a JTAG interface somewhere in there. In fact, that's how the original hack of the iPhone was done. (Better ways were since found.) Most devices have a quasi-standard interface for programming the flash and accessing the hardware for diagnostics. For instance, Linksys routers actually have a spot on the board to solder a header, and you can make a cable that connects to the parallel port. Do a Google search for "Hairy Dairy Maid Debrick" and you will find it. A similar thing is probably possible with the Evo (I've even seen them on hard drives and CD-ROM drives). The problem is, it's not entirely standardized, and it might not even be a connector or pads on the board. It might instead be a matter of knowing where you can connect the leads on the board to something that under the right circumstances BECOMES the JTAG connector. (For instance, a pin that controls something else might be a JTAG interface for the first few hundred milliseconds of start-up, or if a certain other pin of the chip is grounded when the power is applied.) It might also be completely internal to the chip, and there be NO connectors on the board (it almost CERTAINLY has the capability, they need it during prototyping), and the chips might be programmed BEFORE they are soldered in. It might take replacing the ROM chip to get it to go. There are lots of ifs.
Chances are though, the factory has a special cable and a special software program that can reprogram the device. To replicate that might be relatively easy or could be next to impossible, but requires a certain degree of knowledge about the hardware. What I suspect is, until someone who has the skills to make such a cable bricks their phone, they won't bother figuring out how to debrick one. In fact, when that person bricks their phone, they will probably take it back to Sprint and say "I don't know what happens." In fact, even if it's stuck looping in an obviously hacked boot loader he for some odd reason can't undo, he's probably going to send it back to Sprint. I know someone who did exactly that to their brand new HP laptop. He found that 15 kV from the flyback of an old B&W television applied to the memory slots took care of the looping and Best Buy gave him another one. As he put it, "I don't know what happened, but it smells bad and won't boot up."
Wow. Thanks for the detailed answer. Too bad this isn't a standardized item. I hope eventually things progress enough where this isn't even a thought. Thanks again for the good response.
Sent from my PC36100

rafroehlich2 said:
Wow. Thanks for the detailed answer. Too bad this isn't a standardized item. I hope eventually things progress enough where this isn't even a thought. Thanks again for the good response.
Sent from my PC36100
Yeah, it would be nice if it were. It's kinda sorta quasi-standard, so it HAS been done in some cases where it's necessary, but often there are easier ways around it. Personally, I have always thought that it's a pretty stupid thing to make a piece of equipment that can fail due to a bad flash. The people who designed many of the flash memory chips seemed to agree, and they added something called a "boot block" to many, but the way it's implemented, when it's implemented, doesn't fully protect you from a bad flash. It's even worse now that everything is in ball grid array chips soldered down to the board.

Related

Phone life after death. Breaking the Jtag taboo.

I did some research yesterday, yet I still can't find a proper answer to most of my questions about the following subject. Hoping some of the experts here can contribute some of their knowledge, and hopefully I will edit this thread into a guide, or at least spare others the need for wandering around the web as I did.
Well, a few days ago I turned off my phone, and it won't turn on or respond to any physical key combination, USB connection (except for charging the battery) or even that famous Samsung jig (301KΩ between pins 4 and 5 on the USB connection). It is not recognizable by any device while connected through the USB interface. It is permabricked. The worst thing that can happen to a phone while the hardware is intact.
Although the name indicates otherwise, some things can be done in order to get the device working again.
It is a process in which the phone's main board is exposed, then a special device (e.g. RIFF box) is connected to certain areas on the PCB that were made that way for the initial configuration of the phone back in the factory. The pinout of the connection varies in each model, but the interface is the same and called "JTAG". Then, that device connects to a PC through a USB interface.
So the first step would be to get that device and to connect it to both the PC and the phone's motherboard through a certain pinout that is mostly hard to get. You'll need a driver for that JTAG flashing device and a compiled file which you would like to flash into your phone. I don't know if that file is specific to each model or to the certain chip the phone is using (can different models with the same chip be flashed the same way? Reply if you know and I'll edit it here).
By what I know, after flashing that file the phone will be accessible through the USB interface for further flashing of the ROM.
Alternatively, there are some companies that offer that kind of service. I couldn't find any who work with the T989, or prices for that kind of service.
I would like to have as much information as possible and maybe eventually I'll be able to get my phone fixed. In that case I'll add some photos and document the process.
Michael.fri said:
I did some research yesterday, yet I still can't find a proper answer to most of my questions about the following subject. Hoping some of the experts here can contribute some of their knowledge, and hopefully I will edit this thread into a guide, or at least spare others the need for wandering around the web as I did.
Well, a few days ago I turned off my phone, and it won't turn on or respond to any physical key combination, USB connection (except for charging the battery) or even that famous Samsung jig (301KΩ between pins 4 and 5 on the USB connection). It is not recognizable by any device while connected through the USB interface. It is permabricked. The worst thing that can happen to a phone while the hardware is intact.
Although the name indicates otherwise, some things can be done in order to get the device working again.
It is a process in which the phone's main board is exposed, then a special device (e.g. RIFF box) is connected to certain areas on the PCB that were made that way for the initial configuration of the phone back in the factory. The pinout of the connection varies in each model, but the interface is the same and called "JTAG". Then, that device connects to a PC through a USB interface.
So the first step would be to get that device and to connect it to both the PC and the phone's motherboard through a certain pinout that is mostly hard to get. You'll need a driver for that JTAG flashing device and a compiled file which you would like to flash into your phone. I don't know if that file is specific to each model or to the certain chip the phone is using (can different models with the same chip be flashed the same way? Reply if you know and I'll edit it here).
By what I know, after flashing that file the phone will be accessible through the USB interface for further flashing of the ROM.
Alternatively, there are some companies that offer that kind of service. I couldn't find any who work with the T989, or prices for that kind of service.
I would like to have as much information as possible and maybe eventually I'll be able to get my phone fixed. In that case I'll add some photos and document the process.
1st off, it's "taboo" not tabu. Secondly there is already a pretty good amount of threads that have covered this in detail, I'm certain because I have posted in them. Lastly, please SEARCH the existing threads before creating a new one; the answers to all your questions are already there.
1. Thanks, changed to "Taboo".
2. I searched, I really did. I went all over Google with many keywords and covered this forum as well. All I got is some articles about the JTAG protocol, which is good for knowledge but too general for the application I need, and some threads in which people write that their phone is bricked and ask what to do about it. Not a single post is about how to fix that independently, and what it requires. If you could give me a link to these threads you say cover the subject, I'll delete this thread at once.
Michael.fri said:
1. Thanks, changed to "Taboo".
2. I searched, I really did. I went all over Google with many keywords and covered this forum as well. All I got is some articles about the JTAG protocol, which is good for knowledge but too general for the application I need, and some threads in which people write that their phone is bricked and ask what to do about it. Not a single post is about how to fix that independently, and what it requires. If you could give me a link to these threads you say cover the subject, I'll delete this thread at once.
Don't pay attention to that guy; he likes to troll everywhere he goes. Try to Google search for Mobile Tech or Adam Outler, and check if he has the JTAG service for our phone. If I'm not wrong the charge for the Vibrant was $50.00 plus shipping and handling. I hope you can fix your phone.
Sent from my SGH-T989 using xda premium
Do you know what caused the brick?
Sent from my SGH-T989 using xda premium
Searched, and yet no result. Sending the phone to the U.S. is quite risky. I have no idea how they intend to pack it before sending it back. I would rather do this in Israel.
I saw on eBay several devices associated with JTAG. The price starts from $10 for a simple USB dongle, through $30 devices, which is the price of most of the JTAG devices I found, to the $150 RIFF box that is associated with phone unbricking.
By what I know JTAG is a simple serial protocol. I just need a sort of "bridge" to translate the logic 1's and 0's with the right voltage level and certain clock speed to a USB interface or even RS232. How expensive can that be?
I also contacted several eBay sellers which offer a JTAG repair service. They all answered this model is not supported.
I would go to Samsung labs in Israel and see what they can do to get it working.
I just thought to invest $20, get that sort of device and to get it done on my own.
Another issue is the pinout. The pinout of the JTAG connection is not shown on any website, so I have no way of knowing how to connect on this specific PCB.
Last thing I need is that new bootloader I can flash, and software to flash it through. Where can I download it?
About the reason for bricking the phone, I have no idea. As I said, the last time I installed a new ROM was more than a week prior to the incident. I've used some overclocking app mostly to underclock my phone, because it drained the battery like hell before, even while it was running on stock and after changing the ROM several times.
I also used some USB OTG device which worked normally, but was not plugged into the device even a few hours before it was bricked.
Hopefully we can figure out the cause of these permabricks so we can prevent them from happening to more people.
Sent from my SGH-T989 using xda premium
I gotta say, this is quite alarming. That the phone can just hard brick itself like this spontaneously.
I've had some scary experiences with the phone myself. Like a couple of random reboots that required the long power press for the phone to power back on. At least it always came back on.
I'm also from Israel myself so a similar scenario can bring me to the same situation as you.
Good luck with getting any kind of solution.
Sent from my SGH-T989 using xda premium
parusia said:
Don't pay attention to that guy; he likes to troll everywhere he goes. Try to Google search for Mobile Tech or Adam Outler, and check if he has the JTAG service for our phone. If I'm not wrong the charge for the Vibrant was $50.00 plus shipping and handling. I hope you can fix your phone.
Sent from my SGH-T989 using xda premium
Troll for advising to follow the posted rules of membership? WOW
I just contacted Adam and still no JTAG for this device.
Sent from my Galaxy Nexus using XDA App
Did you look for a service manual?
- the manual may cover schematics for the JTAG device.
Been flashing phones since the Razr and never bricked a phone I couldn't repair myself. That is, until I tried to flash my GSII back to stock through Odin. Sent it to Samsung and they had to replace the motherboard. Now I'm a little nervous about using Odin.
reocej said:
Been flashing phones since the Razr and never bricked a phone I couldn't repair myself. That is, until I tried to flash my GSII back to stock through Odin. Sent it to Samsung and they had to replace the motherboard. Now I'm a little nervous about using Odin.
I recommend splurging on the $2-3 for a jig, I have had moments where I thought I was SOL & the jig saved my arse.
Michael.fri said:
Last thing I need is that new bootloader I can flash, and software to flash it through. Where can I download it?
Did you solve your problem?
I was looking at using QPST
QPST is a program often frowned upon here at XDA. It is commonly used to flash phones, and has little to do with Android coding. The software is made for Qualcomm (or by them) and this device has a chip from them in it. This has tools for building and installing bootloaders and partition tables. Our device after a hard brick (and still serviceable by JTAGing) has a COM port open still, and if you load the driver in Windows you will see a port number, as others here on XDA have said. The driver allows Odin to see the device but not connect. QPST does connect, but I have not attempted to flash anything to it since I have not built any files to load. I'm kind of stuck creating the needed XML that makes the partition table and headers and the files that are to be loaded to partitions. This is really a softbrick, in my opinion, but nobody has the knowledge for this level of building and coding, with this tool, here at XDA. If somebody does, it may make those selling JTAG services mad, but that would mean we could fix our phones on our own. On my own, I'm a few weeks away from this solution; with some help from people here that know how to write XML for partition tables and can help me locate files for a build, I can generate the files, test them, make a write-up and post the solution in just a few days.
By the way, this is a multi-device solution in the long run. We get one fixed and we can start on the others with this same issue, where the only life left in the device is the Qualcomm download mode driver showing in Windows Device Manager.
Michael.fri said:
I did some research yesterday, yet I still can't find a proper answer to most of my questions about the following subject. Hoping some of the experts here can contribute some of their knowledge, and hopefully I will edit this thread into a guide, or at least spare others the need for wandering around the web as I did.
Well, a few days ago I turned off my phone, and it won't turn on or respond to any physical key combination, USB connection (except for charging the battery) or even that famous Samsung jig (301KΩ between pins 4 and 5 on the USB connection). It is not recognizable by any device while connected through the USB interface. It is permabricked. The worst thing that can happen to a phone while the hardware is intact.
Although the name indicates otherwise, some things can be done in order to get the device working again.
It is a process in which the phone's main board is exposed, then a special device (e.g. RIFF box) is connected to certain areas on the PCB that were made that way for the initial configuration of the phone back in the factory. The pinout of the connection varies in each model, but the interface is the same and called "JTAG". Then, that device connects to a PC through a USB interface.
So the first step would be to get that device and to connect it to both the PC and the phone's motherboard through a certain pinout that is mostly hard to get. You'll need a driver for that JTAG flashing device and a compiled file which you would like to flash into your phone. I don't know if that file is specific to each model or to the certain chip the phone is using (can different models with the same chip be flashed the same way? Reply if you know and I'll edit it here).
By what I know, after flashing that file the phone will be accessible through the USB interface for further flashing of the ROM.
Alternatively, there are some companies that offer that kind of service. I couldn't find any who work with the T989, or prices for that kind of service.
I would like to have as much information as possible and maybe eventually I'll be able to get my phone fixed. In that case I'll add some photos and document the process.
Mobile Tech offers the JTAG service. There is even a discount for XDA members. They offer the service for all variants of the S2.
Here you go!
http://mobiletechvideos.mybigcommerce.com/samsung-galaxy-s-ii-jtag-brick-repair/
daxxone said:
QPST is a program often frowned upon here at XDA. It is commonly used to flash phones, and has little to do with Android coding. The software is made for Qualcomm (or by them) and this device has a chip from them in it. *snip* On my own, I'm a few weeks away from this solution; with some help from people here that know how to write XML for partition tables and can help me locate files for a build, I can generate the files, test them, make a write-up and post the solution in just a few days.
Any word on a fix using QPST?

Request for a certain ROM

Dear developers,
I recently found my old i9000. It had a bad accident some time ago, and its screen is completely busted. There appears to be damage to the motherboard as well, which was why the repair centre considered it a total loss. It still boots, though, and woke me up some time ago with a preset alarm, so I expect the internal damage is actually minimal. I suspect I can still use the phone for something, maybe a server.
Thus, I would like a ROM that by default has some method of input/output apart from the touch screen (perhaps VNC, and I believe there are settings to allow you to connect the phone to a TV using the sound plug, that + USB mouse would also be cool, or if you can come up with another solution, just as long as it works, it's good). I would also like to be notified of some way to preload wifi settings into the ROM itself (mostly in case an Internet technology like VNC is used).
I assume I can use Odin to actually flash the ROM (thus allowing me not to use screen input for this process). It doesn't matter what method is used to circumvent touch screen input/output, as long as it works.
If someone could make such a ROM, I would be very thankful.
This is not the right place to post this.
Also, if it was as easy as you're saying, we wouldn't need developers. What you can do is sell it for whatever price it gets and buy a Raspberry motherboard. Which is exactly what you're asking for, plus an HDMI port.
http://www.alliedelec.com/lp/120626raso/
I had hoped it would be easy for someone who was more familiar with custom ROMs. I have no idea what goes into it.
I do have 2 Pis, BTW, I just like reusing things + my i9000 would be better suited for a purpose I had in mind, due to being flatter and already having wifi. I guess I hoped for too much, then.
Please post this in the general forum not in developers forum
Sent from my GT-N7100 using xda premium

[Discussion] Direct access to e-MMC to fix bricked KF? - CONFIRMED!

Hello! Been lurking for a while and just finally decided to post.
A little background: My first Kindle Fire 2 was rooted just fine. Everything worked for several months, then the screen went bad. Called Amazon and got a replacement sent over. The night I received said replacement, I decided that I wanted to try the 2nd bootloader + TWRP and install CyanogenMod. Unfortunately, I missed the part about reverting back to the older version of the bootloader before patching. Oops.
TLDR; Bricked KF2.
That brings me to the main focus of this topic: After reading a plethora of threads stating that there was no way to fix a bricked KF2 with the USB, I began thinking... Theoretically speaking, couldn't the e-MMC be accessed if it was taken out and mounted to an e-MMC to USB adapter? This would allow reflashing the partitions and (hopefully) returning it to an unbricked state. Of course, that means remounting the e-MMC to the KF2 motherboard, but you can do wonders with a stencil, some solder paste, and a toaster oven, it seems.
Then, while searching for a good e-MMC to USB adapter, I stumbled across a very intriguing thread on hacking TomToms' NAV3 where the e-MMC is left on the device and wired to a MMC USB reader. Page 36 and 37 are the useful bits. (I can't post links yet, so this is the best to demonstrate): mobilescommunity.com/tomtom-discussions/178770-nav3-cracking-patching-copying-navcore-v10-v11-v12-36.html
At this point, I'm just waiting on an old, broken KF1 to arrive to track down where the leads go and possible solder points. I'll keep you posted as things progress.
Any comments, thoughts, suggestions?
P.S. I have a feeling that this would be better suited in the development forum, but as I am new, I can't post there. Assuming that this crazy idea actually works, (and considering that I'll probably have ten posts by then), I'll likely post a clean guide over on that forum.
I had mine already taken apart because of a broken screen, and one thing is for sure, there was no e-MMC or anything that you could take out and put into an adapter :\
I think you are not out of luck! Are you getting a red screen or is everything dead?
Completely dead.
...and there is an e-MMC. On my KF2, it was under a piece of foam. If you look at it like you just took off the back cover (without moving the motherboard) from the bottom (the side with the USB port) it's on the right lower portion of the motherboard. It's a Samsung chip, KLM8G2FE3B-B001. There's also a line of solder points just below it. It looks like a decent number of the pins (which we can't see because it's a surface mount) go to that bank of solder points.
Since I still can't post real links/pictures: tinypic.com/r/20hppw5/5
Image credit: iFixit.
That picture is the motherboard from a KF1, but it's in the same location. It's the chip outlined in red.
Just a little update... Have a junk motherboard, the e-MMC is off, now I'm just tracking down where the pins go and possible solder points. It looks like the motherboard has exposed pads that will work well for soldering (my guess is they were originally access points for board/component testing?). I'll post again when I have more info.
Another update: I've tracked down solder points for DAT0-7, CMD, and CLK. I just need to track down the voltage (Vcc and Vss) and grounds (VccQ and VssQ). After that, I'll have pictures with it labelled. Then I need to work on soldering to said points and attaching them to a MMC reader, and praying that it works.
Hmm, well if you can get your PC to recognize the eMMC, with what I'm assuming is going to be Linux because of the fact the filesystem is ext4 on Kindles last I checked, I'm curious if the modules that Linux has will recognize the device. If it does, I wonder if you can simply use dd to flash the messed-up partitions with the correct signed replacements. I wish I had your solder skills... I need a new tip for mine but I'm too lazy to go out and get one, much less do soldering on a Kindle motherboard. If this works you could offer repair services to people, because I doubt most people would attempt this. I find this thread very interesting!
Sent from my Amazon Kindle Fire HD running CM10.1 Tablet UI using xda-developers app
Then good luck to you!
Hopefully we will have an unbrick method...
Finished tracking down solder points. Attached are some pictures with them labelled. I'll be working on the actual soldering and connecting it to my computer in the next few days here as my mini-vacation is over and I have to go back to work tonight.
So! I have good news. I soldered everything together and plugged it in. Ubuntu auto-mounted all the partitions from the e-MMC! I'll post pictures on Friday as I'm about to take a nap before spending the next 24 hours at work.
I have a couple minutes on break, so I'm uploading a screenshot of Ubuntu with the partitions mounted. All my pictures of the board/SD card reader and solder job are on my camera at home, so I'll post those later.
Note: The partitions are on the bottom left of the window, the 17 MB one through the 929 MB one. Once I track down which one is the boot partition, I'm going to rewrite it with the original boot image and pray that has fixed the problem.
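Finding which partition is the boot slot and checking a rewrite before doing it for real with dd is the step the posts above describe. Here is an added example of that (mine, not code from anyone in this thread). It assumes the eMMC carries a GPT partition table, which the thread does not confirm, and builds a small constructed image in memory instead of reading a Kindle.

```python
"""Locate and restore a partition in a dump of an eMMC chip.

Constructed example: the disk image is built in memory here, not read from a
Kindle. Assumes a GPT partition table (an assumption; the thread only says
Ubuntu auto-mounted the partitions). Names and LBA values are made up.
"""
import hashlib
import struct
import uuid
import zlib

SECTOR = 512
GPT_HEADER_LEN = 92
ENTRY_LEN = 128
NUM_ENTRIES = 128


def crc32(data) -> int:
    return zlib.crc32(bytes(data)) & 0xFFFFFFFF


def build_gpt_image(parts, total_sectors=128) -> bytearray:
    """Construct a minimal disk image with a primary GPT at LBA 1.
    parts: list of (name, first_lba, last_lba). No backup GPT is written."""
    img = bytearray(total_sectors * SECTOR)
    img[510:512] = b"\x55\xaa"                          # protective MBR signature
    entries = bytearray()
    for name, first, last in parts:
        entries += uuid.uuid4().bytes_le                # partition type GUID (arbitrary here)
        entries += uuid.uuid4().bytes_le                # unique partition GUID
        entries += struct.pack("<QQQ", first, last, 0)  # first LBA, last LBA, attributes
        entries += name.encode("utf-16-le").ljust(72, b"\x00")
    entries = entries.ljust(NUM_ENTRIES * ENTRY_LEN, b"\x00")
    img[2 * SECTOR:2 * SECTOR + len(entries)] = entries
    hdr = struct.pack("<8sIIII", b"EFI PART", 0x00010000, GPT_HEADER_LEN, 0, 0)
    hdr += struct.pack("<QQQQ", 1, total_sectors - 1, 34, total_sectors - 34)
    hdr += uuid.uuid4().bytes_le                        # disk GUID
    hdr += struct.pack("<QIII", 2, NUM_ENTRIES, ENTRY_LEN, crc32(entries))
    hdr = hdr[:16] + struct.pack("<I", crc32(hdr)) + hdr[20:]  # CRC taken with its field zeroed
    img[SECTOR:SECTOR + GPT_HEADER_LEN] = hdr
    return img


def parse_gpt(img) -> list:
    """Read the primary GPT and return the populated entries. Both CRCs are
    checked first: offsets from a corrupt table must not be used for writing."""
    hdr = bytes(img[SECTOR:SECTOR + GPT_HEADER_LEN])
    sig, _rev, hsize, hcrc = struct.unpack_from("<8sIII", hdr, 0)
    if sig != b"EFI PART" or hsize != GPT_HEADER_LEN:
        raise ValueError("no GPT header at LBA 1")
    if crc32(hdr[:16] + b"\x00" * 4 + hdr[20:]) != hcrc:
        raise ValueError("GPT header CRC mismatch")
    entries_lba, n, esize, ecrc = struct.unpack_from("<QIII", hdr, 72)
    table = bytes(img[entries_lba * SECTOR:entries_lba * SECTOR + n * esize])
    if crc32(table) != ecrc:
        raise ValueError("GPT entry array CRC mismatch")
    parts = []
    for i in range(n):
        e = table[i * esize:(i + 1) * esize]
        if e[:16] == b"\x00" * 16:                      # unused slot
            continue
        first, last = struct.unpack_from("<QQ", e, 32)
        parts.append({"name": e[56:128].decode("utf-16-le").rstrip("\x00"),
                      "first_lba": first, "last_lba": last,
                      "offset": first * SECTOR, "size": (last - first + 1) * SECTOR})
    return parts


def find_partition(parts, name):
    for p in parts:
        if p["name"] == name:
            return p
    raise KeyError(f"no partition named {name!r}")


def partition_sha256(img, part) -> str:
    return hashlib.sha256(bytes(img[part["offset"]:part["offset"] + part["size"]])).hexdigest()


def restore_partition(img: bytearray, part, image: bytes) -> bool:
    """Write a known-good image into the partition slot (what dd seek=... does).
    Refuses an image larger than the slot so a wrong file cannot spill into the
    neighbouring partition, zero-pads the rest, and verifies by reading back."""
    if len(image) > part["size"]:
        raise ValueError("image larger than target partition; wrong file?")
    padded = image.ljust(part["size"], b"\x00")
    img[part["offset"]:part["offset"] + part["size"]] = padded
    return partition_sha256(img, part) == hashlib.sha256(padded).hexdigest()


def dd_command(device, image_path, part) -> str:
    """The equivalent dd line once the chip shows up as a block device on the reader."""
    return (f"dd if={image_path} of={device} bs={SECTOR} seek={part['first_lba']} "
            f"count={part['size'] // SECTOR} conv=notrunc")


if __name__ == "__main__":
    disk = build_gpt_image([("xloader", 34, 41), ("boot", 42, 57), ("system", 58, 94)])
    good_boot = b"ANDROID!" + bytes(range(256)) * 8     # stand-in for the original boot image
    boot = find_partition(parse_gpt(disk), "boot")
    disk[boot["offset"]:boot["offset"] + 64] = b"\xff" * 64   # simulate the bad flash
    print("boot partition at byte offset", boot["offset"], "size", boot["size"])
    print("restored and verified:", restore_partition(disk, boot, good_boot))
    print(dd_command("/dev/sdb", "boot.img", boot))
```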
Wow, this is awesome, I am very impressed at this. Now to just use dd to shove the boot loader down the eMMC's throat. I wonder, does Linux recognize the fact that any of the partitions are signed, in like gparted under a partition's properties? Not sure if you have gparted installed, probably have to install it from the repos. Also kinda curious about the partition layout as to how everything is ordered on the eMMC, as gparted shows.
Sent from my Amazon Kindle Fire HD running CM10.1 Tablet UI using xda-developers app
stunts513 said:
Wow, this is awesome, I am very impressed at this.
Thanks! Assuming this works, I'm thinking of designing a solder-less device to make all the connections. Soldering to those tiny pads on the motherboard was a pain!
stunts513 said:
I wonder does linux recognize the fact that any of the partitions are signed in like gparted under a partitions properties?
Is it the partition itself that's signed, or the boot files?
stunts513 said:
Also, I'm kind of curious about the partition layout, i.e. how everything is ordered on the eMMC, as gparted shows it.
That's a really good idea. I'll make sure to take a screenshot of the partitions in gparted when I have a chance to work on it some more on Friday.
From what I understand not all, but some of the partitions are signed, like the boot loader; they have a 64KB signature in the partition header if I remember correctly. That's also the reason we can't fix the device when we brick the boot loader: these things show up as OMAP devices and we have the means to use that device and try to fix it, but we can't, because the initial file it loads has to be signed. Your fix is kind of unorthodox, but hey, whatever works. :thumbup: Bet Amazon didn't think people would go this far to fix it. Heck, technically if this works you could probably root it in this manner even if an exploit wasn't viable. Anyway, for more info on what I was talking about, read Q2, Q3 and Q4 of this post: http://forum.xda-developers.com/showthread.php?t=2228539
I personally want to look into why we can't just hex edit an unsigned image to clone a signed image's signature, but I don't feel like opening up 2 huge files in a hex editor to compare the differences to see how the signature is in the file. Not to mention that would be next to impossible, I think, since it would be difficult to make a partition exactly like the one on the Kindle minus a signature (because even if you copied the files over, they wouldn't necessarily be stored in the exact same sectors of the partition), making it even more complicated for me to see the actual signature. Soupmagnet said this is impossible to do already and he knows what he's talking about, so I seriously doubt I could do this.
stunts513 said:
I personally want to look into why we can't just hex edit an unsigned image to clone a signed image's signature, but I don't feel like opening up 2 huge files in a hex editor to compare the differences to see how the signature is in the file
I'd venture an (un)educated guess that TI considered this sort of tampering and the header is essentially an encrypted checksum for the image. That would make sense when you consider the need for proprietary software to "generate" a signed header.
An interesting idea while we're going down this road... I'd think the only thing that prevents us from brute-forcing (through trial and error) our way to some sort of method of generating the signed headers is that an attempt could only be made once (assuming an incorrect algorithm) before you'd end up with a paperweight, meaning up until now you'd need a LOT of Kindles to even hope to get close; however, assuming that what I'm working on works to restore the KF2 to functioning, one could rig up a port to reflash the image (with a header generated with a new algorithm each time) until either you wore out the e-MMC or you managed upon one that worked.
Perhaps we could run the idea by soupmagnet and see what he thinks?
Yeah, that's an interesting idea. I have no idea how you could generate headers to try to forge what the Kindle has though, and I'm assuming if it is a 64KB signature, that is a huge number of combinations. I'm assuming figuring out how to make a signed image is similar to how some key generators are made that take an activation code and spit out another code for you to use. Though I have no idea how they figure out the common denominators for making a code based on that. It's one thing in simple math, but to do it to strings of letters and numbers is beyond me. Luckily we have several partitions for reference; if it was just one we'd be pretty screwed, assuming I have any idea what I'm talking about. Feel free to run the idea by him; I chatted with him before a little about something like this in some PMs.
kurohyou said:
I'd venture an (un)educated guess that TI considered this sort of tampering and the header is essentially an encrypted checksum for the image. That would make sense when you consider the need for proprietary software to "generate" a signed header.
An interesting idea while we're going down this road... I'd think the only thing that prevents us from brute-forcing (through trial and error) our way to some sort of method of generating the signed headers is that an attempt could only be made once (assuming an incorrect algorithm) before you'd end up with a paperweight, meaning up until now you'd need a LOT of Kindles to even hope to get close; however, assuming that what I'm working on works to restore the KF2 to functioning, one could rig up a port to reflash the image (with a header generated with a new algorithm each time) until either you wore out the e-MMC or you managed upon one that worked.
Perhaps we could run the idea by soupmagnet and see what he thinks?
Let's say you are able to restore the device every time you brick it. In order for brute force to work, you would need to be able to flash the image, attempt to boot, restore the device when it fails, create a new disk.img while somehow generating a new signature for it, flash that one, etc....and it all has to be done automatically.
Putting that aside for a moment, there's a lot of speculation online about how long it will actually take to brute force just a simple 128bit encryption key. I've seen everything from several years to several hundred years. Multiply that by about 500 and you'll have an idea of the amount of time it would take to brute force a 64Kb signature, and that's without having to repack, flash, restore, etc. for every single iteration....so I highly doubt a brute force attack is even feasible in this situation.
You should probably just focus on getting the device restored so you can have yourself a little side business of restoring hard bricked 2nd generation Kindle Fires...although, it would be extremely nice if you shared with the community how you were able to do so...if you are ever successful that is.
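The exchange above (an "encrypted checksum" header, hex-editing one image's signature onto another, brute-forcing headers) comes down to one property of a signed image, shown here as an added example that is not from the thread and is not Amazon's or TI's code. Assumptions: the image is laid out as [signature || payload], the signature is textbook RSA over SHA-256 of the payload, and the key is 512 bits so the example runs in about a second (real firmware keys are 2048 bits or longer and use PKCS#1 padding; the actual OMAP/Kindle header layout is not known from the thread).

```python
"""Added example: why a signature from one image cannot be transplanted onto another.
Layout [signature || payload], RSA-over-SHA-256, 512-bit key are all assumptions
made for illustration; the real device format is not described in the thread."""
import hashlib
import secrets

KEY_BITS = 512
SIG_LEN = KEY_BITS // 8   # the signature is one modulus-sized block, fixed by the key


def _is_probable_prime(n, rounds=20):
    """Miller-Rabin; adequate for an illustration key, not for production key generation."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def generate_keypair(bits=KEY_BITS):
    """Return ((n, e), (n, d)). Only n and e are on the device (the boot ROM verifies);
    d stays with the vendor, so having many reference partitions yields no signing key."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and phi % e and n.bit_length() == bits:
            return (n, e), (n, pow(e, -1, phi))


def sign_image(payload, priv):
    """Vendor side: signature = RSA_priv(SHA-256(payload)), prepended to the payload.
    Raw-hash RSA with no padding, kept minimal; real schemes pad (PKCS#1 v1.5 / PSS)."""
    n, d = priv
    digest = int.from_bytes(hashlib.sha256(payload).digest(), "big")
    return pow(digest, d, n).to_bytes(SIG_LEN, "big") + payload


def verify_image(blob, pub):
    """Boot ROM side: recompute the hash of the body and compare it with RSA_pub(signature)."""
    n, e = pub
    if len(blob) < SIG_LEN:
        return False
    sig = int.from_bytes(blob[:SIG_LEN], "big")
    expected = int.from_bytes(hashlib.sha256(blob[SIG_LEN:]).digest(), "big")
    return sig < n and pow(sig, e, n) == expected


def transplant_signature(signed_blob, new_payload):
    """The hex-editor idea from the thread: keep the signed header, swap the body."""
    return signed_blob[:SIG_LEN] + new_payload


def demo():
    """Constructed payloads. Returns verification results for the stock image, a
    transplanted-signature image, and the stock image with a single bit flipped."""
    pub, priv = generate_keypair()
    stock = b"stock bootloader image (constructed)"
    custom = b"custom bootloader image (constructed)"
    signed = sign_image(stock, priv)
    patched = signed[:-1] + bytes([signed[-1] ^ 0x01])   # one bit of the payload changed
    return {
        "stock": verify_image(signed, pub),
        "transplanted": verify_image(transplant_signature(signed, custom), pub),
        "patched": verify_image(patched, pub),
    }


if __name__ == "__main__":
    print(demo())   # {'stock': True, 'transplanted': False, 'patched': False}
```

The transplant fails not because the header is hidden but because it commits to the hash of the body: any change to the payload, even one bit, makes the recovered hash disagree. Comparing two signed images in a hex editor would only reveal where the signature sits, not how to produce one; forging it means either guessing a modulus-sized value (the brute force discussed above) or obtaining the private key.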
soupmagnet said:
Let's say you are able to restore the device every time you brick it. In order for brute force to work, you would need to be able to flash the image, attempt to boot, restore the device when it fails, create a new disk.img while somehow generating a new signature for it, flash that one, etc....and it all has to be done automatically.
Sounds like a lot of work; although, I didn't expect anything less.
soupmagnet said:
Putting that aside for a moment, there's a lot of speculation online about how long it will actually take to brute force just a simple 128bit encryption key. I've seen everything from several years to several hundred years. Multiply that by about 500 and you'll have an idea of the amount of time it would take to brute force a 64Kb signature, and that's without having to repack, flash, restore, etc. for every single iteration....so I highly doubt a brute force attack is even feasible in this situation.
What, you're telling me that cracking the encryption in a few million years from now wouldn't be useful?
It probably didn't help that in my sleep-deprived state last night, I failed to differentiate between 64kb and 64bit. Oops.
soupmagnet said:
You should probably just focus on getting the device restored
That's always been the focus, but I also figured that while we're here discussing things (and with confirmed access to the e-MMC now), why stop with just the basic restore to working when there's the possibility of more?
soupmagnet said:
although, it would be extremely nice if you shared with the community how you were able to do so...if you are ever successful that is.
Of course I'm going to share! As soon as I finish the last few steps here and confirm that it's working, I'm going to post a guide over on the Development forum. I don't know how many people will be comfortable with the soldering part, though. It was a beast trying to solder to the motherboard. I do plan on trying to develop a solderless method, probably by fabricating a board that connects to all the important points and secures to the motherboard itself (probably using the screw holes).
Some more images, now that I'm home.
Here's what everything looks like when it's soldered together:
Here it is connected to the computer:
...and finally, a screenshot of the partitions in gparted:
Sweet, I didn't realize how many partitions the Kindle had. So now all we need to figure out is which of those partitions is the bootloader partition, so you can try flashing the boot loader with the dd command. Might I suggest backing up the entire eMMC device with dd instead of just some of the partitions? Also, I was wondering, if all goes well and if the KFHD's eMMC pin layout is the same, it would be nice if a solderless bolt-on version could be truly "universal" for all Kindles; shape-wise it wouldn't be a problem as long as the bolt-on board has multiple hole configurations.
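The procedure the last few posts describe (find the boot partition on the eMMC that the SD-reader hack exposes, back up the whole device, then dd the boot image in) as an added example that is not from the thread or from any of its posters. Assumptions: the eMMC appears to Ubuntu as a block device such as /dev/sdX and the script runs as root; the boot partition is a raw Android boot image, identified only by its "ANDROID!" header magic; which partition that is on the Kindle is not stated in the thread, so anything without the magic is reported as unknown rather than guessed. The demo exercises the same functions on ordinary files.

```python
"""Added example: partition identification, whole-device backup and a write-then-verify
flash, the Python equivalent of the dd steps discussed above. Device paths, the
boot-image-only assumption and the constructed files in demo() are all assumptions."""
import hashlib
import os
import tempfile

BOOT_MAGIC = b"ANDROID!"          # first 8 bytes of an Android boot-image header
CHUNK = 4 * 1024 * 1024           # 4 MiB, the bs= you would give dd


def classify_partition(path):
    """'boot' if the partition starts with the Android boot magic, else 'unknown'.
    Nothing is guessed: the right image on the wrong partition is a second brick."""
    with open(path, "rb") as f:
        return "boot" if f.read(len(BOOT_MAGIC)) == BOOT_MAGIC else "unknown"


def image_device(src, dst):
    """Raw copy of the whole device to a file (the 'back up the entire eMMC' step).
    Returns the SHA-256 of what was read so the backup can be checked later."""
    h = hashlib.sha256()
    with open(src, "rb") as i, open(dst, "wb") as o:
        while chunk := i.read(CHUNK):
            h.update(chunk)
            o.write(chunk)
        o.flush()
        os.fsync(o.fileno())
    return h.hexdigest()


def flash_image(image, target):
    """Write image over the start of target, then read it back and compare.
    Refuses images without the boot magic and targets smaller than the image."""
    if classify_partition(image) != "boot":
        raise ValueError(f"refusing to flash {image}: not an Android boot image")
    size = os.path.getsize(image)
    with open(image, "rb") as src, open(target, "r+b") as dst:
        dst.seek(0, os.SEEK_END)          # on Linux this also reports a block device's size
        if dst.tell() < size:
            raise ValueError(f"{target} is smaller than {image}")
        dst.seek(0)
        while chunk := src.read(CHUNK):
            dst.write(chunk)
        dst.flush()
        os.fsync(dst.fileno())
    with open(image, "rb") as src, open(target, "rb") as dst:
        remaining = size
        while remaining:
            n = min(CHUNK, remaining)
            if src.read(n) != dst.read(n):
                return False              # short or corrupted write: do not reboot on this
            remaining -= n
    return True


def demo():
    """Constructed stand-ins for the partitions: a fake boot image, a zeroed partition
    large enough to hold it, and one that is too small. Returns what each step reported."""
    d = tempfile.mkdtemp()
    boot, part, small = (os.path.join(d, n) for n in ("boot.img", "part.bin", "small.bin"))
    with open(boot, "wb") as f:
        f.write(BOOT_MAGIC + b"\x5a" * 4096)
    with open(part, "wb") as f:
        f.write(b"\x00" * 8192)
    with open(small, "wb") as f:
        f.write(b"\x00" * 16)
    result = {"before": classify_partition(part), "backup": image_device(part, part + ".bak")}
    result["flashed"] = flash_image(boot, part)
    result["after"] = classify_partition(part)
    result["tail_untouched"] = os.path.getsize(part) == 8192
    try:
        flash_image(boot, small)
        result["small_refused"] = False
    except ValueError:
        result["small_refused"] = True
    try:
        flash_image(part + ".bak", part)  # the zero-filled backup carries no magic
        result["junk_refused"] = False
    except ValueError:
        result["junk_refused"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

On the real device the calls are image_device("/dev/sdX", "emmc-full.img") before anything else, then flash_image("boot.img", "/dev/sdXN") for the partition that classify_partition() reports as boot. The read-back compare is the part dd does not give you: a write that silently came up short leaves the device exactly as unbootable as before.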

Is it possible to recover data from a truly bricked phone?

I used these searches before compiling this thread:
"how to recover data from a bricked SGN"
"data extraction from a SGN that will not boot"
"removing the HD from samsung galaxy nexus"
These searches did not yield results that replicate my situation. The only search that resulted in many entries was for people with "bricked phones" that (at least somewhat) responded to input. I associate the term "bricked" with a phone that does not respond to input, or show any indication of getting power.
My phone is a Samsung Galaxy Nexus on verizon wireless. It has been rooted and is running a custom ROM by...AOKP i think. I had some assistance each time I rooted and updated my ROM.
Here is my problem, what caused it, my troubleshooting steps, and what I'm trying to do. My phone was partially submerged in water for an unknown amount of time. The battery and SIM were removed and kept in a waterproof container within an hour of submersion. The water damage indicator stickers (on both the battery and the phone) have not been triggered. About 24 hrs later, the phone was placed in a zip lock bag with 4 desiccant silica gel packs, where it will remain for the next 24. Per vzw's tech support, I tried to power the phone on using the charger with the battery removed. No change. Verizon was not advised of the partial submersion, only of the non-triggered water damage stickers. This phone is under warranty and a replacement has been shipped. I confirmed that my contacts are backed up to Google.
The reason for this post is, I have close to 30GB of pictures and videos that I stored on this device's "internal SD" that I want to recover. Looking through the searches I mentioned above, it sounds like this isn't so much a separate card, but more of a partition on the phone's HD. I have been told by vzw that neither their branch office tech support, nor their recovery/diagnostic team that analyzes returned phones has the capability to remove and return this data.
If someone here has hardware experience with cracking open a SGN and swapping the "internal SD card" I would greatly appreciate any information available for this task.
If it can't turn on, you can't retrieve data.
Zepius said:
If it can't turn on, you can't retrieve data.
Well... OK. I'm not ready to give up just yet. When my desktop PC's power supply failed, the PC was unusable and didn't indicate power. I swapped that out and now it works fine. This seems like it could be a similar situation. I at least want to exhaust every option I have before throwing in the towel.
Those 30GB contain hundreds of pictures of the first 2 years of my kid's life.
It seems to me that data recovery should still be possible if a replacement power source is utilized. Maybe more than just the power source has failed. Maybe every other hardware component in my wet phone has failed. But maybe, that "internal SD" is recoverable.
If anyone here knows what the "internal SD" looks like, and has successfully swapped one, I'll risk it. I know I can't trust vzw with such a task.
I realize this is a developers forum, and I'm asking for hardware failure advice. If anyone can refer me to a different forum that is more specialized to my specific task, I'll gladly take my trouble there.
Thanks for reading,
Jef
You're assuming one thing: that the NAND that houses the storage is in good health. When water is introduced, you have the unknown factors of what it does to circuitry.
I'm sure there is an iFixit teardown showing where the NAND is. The problem is it's soldered to the mainboard of the phone. You might be able to unsolder it, but that's a stretch.
Zepius said:
You're assuming one thing: that the NAND that houses the storage is in good health. When water is introduced, you have the unknown factors of what it does to circuitry.
I'm sure there is an iFixit teardown showing where the NAND is. The problem is it's soldered to the mainboard of the phone. You might be able to unsolder it, but that's a stretch.
Thank you very much Zepius. I googled "ifixit teardown samsung galaxy nexus", which led me to a page (that I'm not able to paste here as a new user), which is exactly what I was looking for. I wouldn't go so far as to say that I'm assuming the NAND is in good health, just wishful thinking.
Anncoco - sorry, I don't remember what I did with this. It's been about 4 years, and this was 3 phones ago. I think I had some of the photos backed up somewhere else, enough that I never went to the trouble to disassemble the Nexus. From my notes - I remember the phone did not indicate it was getting power when plugged in.

[Q] Phone Run Over

Hey guys,
Just signed up to ask a few questions. A very good friend of mine had her phone (T-Mobile Samsung Galaxy SII SGH-T989) run over the other day. Needless to say, she is not very tech savvy. She has a new S4 now. Now the problem is, since she is not so tech savvy, she didn't back up (ever?), so I am looking to somehow recover lost pictures and contacts if possible.
Now I have a small background in building computers and taking stuff apart, so I agreed to take a look at the phone. The screen is shot, but besides that the other internals look fine. Nothing is broken as far as I can tell. When I plug the phone in with the battery, nothing comes up at all, except when I leave it plugged in for a little bit the LED under the camera will flash about once every minute or so.
So I guess the question I have is: did the motherboard somehow short circuit when it was run over? Has anyone had experience with a situation similar to this before?
And is there a way to get the phone on long enough to recover the lost info?
Help would be much appreciated if possible.
Justin
As phones don't have an actual hard drive, I doubt you can recover anything from a phone that isn't running.
This is not easy, but can be done. I have done similar recoveries several times…
You’ll need:
1) The equipment & ability to remove a surface mount soldered chip, and re-solder it onto another board *without* damaging it.
2) Another identical phone to host the transplanted chip.
3) A service manual, or someone with intimate knowledge of the device, to identify the correct chip…
Note that if the pix were encrypted this will not work…
