S5PC110 - Master-slave setup? - Bada Software and Hacking General

Is the S5PC110 (Hummingbird) processor a slave to the baseband processor in the Samsung Wave?

Depends what specifically you have in mind, but generally it's a master.

Okay, thank you. I was reading that Qualcomm's devices start in the baseband processor and then the application processor is booted.

In the Wave the AP is responsible for the Qualcomm bootloader and baseband application provisioning.

Yeah, the CP is powered on together with the AP, but it is stuck in its iROM waiting for commands from the AP over UART (the first part of the CP's DBL is sent over UART; it sets up the CP's memory controller and, as a result, the share in oneDRAM with the AP). The rest of the CP firmware is sent through the oneDRAM share.


Bootloader Register values & Memory Access

So I was reading that post about the guy who will fix bricked Tabs via JTAG, and thinking about how sometimes it's necessary when the bootloader binaries don't flash properly.
This seemed to suggest to me that the download mode code is stored in memory, making its method of interfacing with the memory controller and USB port subject to analysis through ARM disassembly.
I postulated that it would not only be academically entertaining to take a peek at such technomagic, but that it might be possible to produce a template bootloader that could serve as a basis for custom bootloaders across all devices, similar to the role CWM fills in recovery, and CM fills for the Android OS.
I reckoned a custom bootloader would not only complete the holy trinity of device operation, it would solve woes across all androids by enabling a common flashing protocol (no more ODIN, Heimdall, QPST, etc), and allowing focus on replacing locked bootloaders instead of exploiting them.
Of course, I wouldn't be able to verify my hypothesis without getting my hands dirty, so I whipped out the ol' IDA Pro and popped open the EA24 boot.bin and pressed 'c'.
God bless IDA Pro. I had beautiful ARM assembly just waiting to be learned (I'd previously only worked with Intel 8050 & PIC), but very quickly I realized that I wasn't going to get far in my analysis without information beyond the ARM instruction set reference.
Here's why:
Reason 1:
The registers are preloaded with data before the bootloader executes.
Code:
ROM:00000000 ANDEQ R0, R0, R0,LSL#16
ROM:00000004 ANDLE R0, R2, R0,LSR#11
ROM:00000008 ANDEQ R5, R2, R5,ASR LR
ROM:0000000C ANDEQ R0, R0, R0,ROR#4
ROM:00000010 B loc_30
Not only are the initial instructions skipped if the status flags are wrong, but registers 0, 2 & 5 are being compared and modified without the bootloader loading data into them. I initially suspected obfuscation, but the loader is tiny (only 1.5k of data is non-null) and the flow of code is pretty straightforward. It boots, checks some registers, and possibly takes action before waiting in a loop, (I assume in anticipation of a watchdog/shutdown interrupt firing).
So problem 1 is that I don't know how the registers look or what affects them before the bootloader is executed.
Reason 2:
The memory addressing seems to reference numbers that can't be direct memory addresses. Problem 2 is that without understanding how those addresses are interpreted, I can't understand the operation of the loader.
Code:
ROM:00000030 LDR R0, =0xD00374C0
ROM:00000034 LDR R1, [R0]
ROM:00000038 LDR R2, =0xE010A000
ROM:0000003C LDR R3, [R2]
ROM:00000040 LDR R2, =0xE010C034
ROM:00000044 LDR R4, [R2]
ROM:00000048 TST R3, #0x80000
ROM:0000004C MOVNE PC, R1
ROM:00000050 TST R3, #0x40000
ROM:00000054 BEQ loc_60
ROM:00000058 TST R4, #2
ROM:0000005C MOVNE PC, R1
So what's happening here (correct me if I'm wrong):
Code:
R1 = Memory Value [0xD00374C0] //Decimal Addr: 3,489,887,424
R3 = Memory Value [0xE010A000] //Decimal Addr: 3,759,185,920
R4 = Memory Value [0xE010C034] //Decimal Addr: 3,759,194,164
Followed by some potential jumps.
The thing is, a Sprint Tab, for which this bootloader is designed, only has 2GB of internal memory, so all three addresses are completely out of range. This makes sense considering that ARM devices might have more than 4GB of memory. Some sort of register based memory context switching has to be in place.
Googling ARM memory mapping brings up info about mapping coprocessor registers and IO into the address space. The custom 8085 I previously worked with did something similar with its touchscreen sensors, so I'm not surprised.
With that in mind, the code would make sense if it is checking the external buttons before deciding whether to jump to the value in R1 (which has to be a real memory location to be put in PC). The tests are performed on the value in R3, so that could be the register that stores hardware button states, but R4 is also tested, so it could be that only one or two of the buttons are in R3, or it's some other state entirely (perhaps related to the mysterious coma semi-brick).
Regardless, it would be a fool's errand to keep crawling through the assembly without better reference material on the initial state of the registers and how the memory is laid out. I was hoping that someone could locate reference material or offer their insight, as it's been a difficult search on my own.
People like you boggle my mind. I didn't fully understand your entire writeup, but if you get to the point where you are actually coding an open bootloader for Android then may the force be with you. I would only assume that the Android world would shower you with riches the likes of which an XDA geek has never seen.
Keep up the good fight.
Sent from my GT-P1000 using XDA Premium App
About 98% of everything in the OP was like reading japanese, to me
But whatever it was, I hope it's investigated and followed-up, cuz it sounds promising.
I think
The initial values of registers at boot should be in ARM manuals or S5PC110/S5PV210 user, application or programmer's manuals. Our ARM can even boot from the serial port.
See http://forum.xda-developers.com/showthread.php?t=1111866, especially download S5PC110_EVT1_UM10. With a little hacking and discovering how to set up JIG resistors on the Tab you should be able to boot your own code via serial.
I have made a serial cable for myself and I use it to change bootloader parameters and with the FIQ debugger, dmesg and serial console all the time.
very interested
I am just a beginner at this stuff but I am very interested in it. I have a RIFF Box if this would help us at all for JTAG. I am still learning about it and I am reading Jeff Duntemann's Assembly Language Step by Step. I also have the free version of IDA Pro, I think 5.5. I would love to pick your brain for knowledge along these lines.
bootloader replacement is a very very bad idea on our SGT.
bootrom checks pbl, pbl checks sbl then sbl checks kernel.
Now on our devices, unless you have installed JMx leaked ROMs, the bootchain is not sigchecked: bootrom does a small hash check on pbl before launching it, pbl does a signature and hash check on sbl (on GB bootloaders), and that is where it ends.
The problem is Download mode is implemented in SBL, so if you do not have a JTAG device like a RIFF Box there is no viable recovery method other than taking your device to Samsung. But by far the biggest issue is pbl/sbl pairing: these 2 bootloaders are paired, and if they are mismatched the device is as good as a brick unless you have one of these devices.
There is one thing more important than a bootloader for all devices, and that is a viable recovery option for them. Most of the Tegra2 devices have this with APX mode, but it is still something that isn't all that common on Android devices.
If this can be done it would be great. I suppose you could write a generic boot loader that could boot from sdcard, or another Linux OS would be handy. All this stuff is a bit too low level hacking for me, so good luck in cracking this one.
Technomancer said:
The initial values of registers at boot should be in ARM manuals or S5PC110/S5PV210 user, application or programmer's manuals. Our ARM can even boot from the serial port.
See http://forum.xda-developers.com/show....php?t=1111866, especially download S5PC110_EVT1_UM10. With a little hacking and discovering how to set up JIG resistors on the Tab you should be able to boot your own code via serial.
I have made a serial cable for myself and I use it to change bootloader parameters and with the FIQ debugger, dmesg and serial console all the time.
Massive Samsung Techno Tomes! That's just the resource I need. Thanks a million. I had found a bunch of ARM memory controller references, but I couldn't find the processor specs to find out which one it uses.
reddog69 said:
very interested
I am just a beginner at this stuff but I am very interested in it. I have a RIFF Box if this would help us at all for JTAG. I am still learning about it and I am reading Jeff Duntemann's Assembly Language Step by Step. I also have the free version of IDA Pro, I think 5.5. I would love to pick your brain for knowledge along these lines.
I hadn't even heard of a Riffbox till just now, but I am definitely getting one ASAP. $149 one stop shop for phone JTAG. That's way more practical than I would have imagined.
As for the brain picking, there's really only two things you need to know, at least about these snippets.
1) All processor types use different assembly mnemonic conventions, and most mobile/embedded stuff doesn't look like x86. eax, ebx, etc in x86 is generally R1, R1 in everything else. If you're starting out on an x86 book, be prepared to retrain your brain all over again when switching to anything else.
2) ARM has this thing where every opcode will be silently (no error state) skipped if the status register doesn't meet a certain condition, and every two-register operation can have the second register translated before it is fed into the computation.
Code:
ROM:00000000 ANDEQ R0, R0, R0,LSL#16
ROM:00000004 ANDLE R0, R2, R0,LSR#11
The first line will only execute if the Equals flag is set. The second will only execute if the Less Than (signed) flag or the Equal flag is set. The flags are set by the previous operation, so whether these lines execute at all depends on what processor code ran before this, and whether or not its result was greater than.
Each operation also has the second operand logically shifted (LSL & LSR). The first line ANDs R0 and [R0 logically shifted left 16 bits] and stores the result in R0. The second line ANDs R2 and [R0 logically shifted right 11 bits] and stores the result in R0. There's a whole set of possible translations.
lilstevie said:
bootloader replacement is a very very bad idea on our SGT.
bootrom checks pbl, pbl checks sbl then sbl checks kernel.
Now on our devices, unless you have installed JMx leaked ROMs, the bootchain is not sigchecked: bootrom does a small hash check on pbl before launching it, pbl does a signature and hash check on sbl (on GB bootloaders), and that is where it ends.
The problem is Download mode is implemented in SBL, so if you do not have a JTAG device like a RIFF Box there is no viable recovery method other than taking your device to Samsung. But by far the biggest issue is pbl/sbl pairing: these 2 bootloaders are paired, and if they are mismatched the device is as good as a brick unless you have one of these devices.
There is one thing more important than a bootloader for all devices, and that is a viable recovery option for them. Most of the Tegra2 devices have this with APX mode, but it is still something that isn't all that common on Android devices.
My thoughts:
1) Yes it's easy to do something stupid, but the worth of a plan is inversely proportional to the precision of its execution.
2) If I'm reading this correctly, you're saying that the primary bootloader does the sig check on the secondary bootloader, the primary bootloader is hash or signature checked depending on the ROM version, and the primary bootloader does the check of the secondary.
I'm interpreting that as two things:
A) If some ROMs do sig checks and others hash, the bootrom is programmable, so the check is not only insecure on most ROMs, but it can be disabled or changed.
B) If I wanted to do custom download mode, I would have to make a primary bootloader that doesn't do an sbl verify, but is still accepted by the boot rom.
A tells me that shouldn't really be a problem.
3) You actually have three recovery options, two of which are pretty cool.
A) have samsung fix it (~$50-$100) - The lame route.
B) buy a riffbox and fix it yourself (~$150 + personal work) - A valuable investment in your personal skills and toolset.
C) send it to a guy (or girl) with a riffbox who's already done it (~$50). - support someone who has taken the initiative to be self sufficient.
4) Any decent phone (read basically all androids) can be unbricked using JTAG or better. It wouldn't behoove them to make a device they couldn't upgrade or that could accidentally permanently die during an upgrade. The issue then isn't whether or not you can fix it if you goof up, but how long you can wait for it to be fixed.
The fact that manufacturers like Motorola and HTC are now promising to retroactively unlock bootloaders shows that companies kept their bootloader checking processes mutable. This also makes sense since they wouldn't want to machine a million cellphones only to find out they accidentally locked them down with broken bootloaders.
Combined, this all says to me that the custom primary bootloader is a very good idea. It's impossible to kill most devices as long as you have a reasonably priced tool (or two), some brains, and some time, and as soon as a primary bootloader that skips the sbl validation is accepted, you're good to go.
-----------------
Thanks to everybody who contributed. I really wasn't expecting such quality responses, so you guys just made my night. I'm now proceeding to do stuff that isn't related to my android devices.
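The conditional-execution and barrel-shifter rules described in the reply above are easiest to see by pulling the instruction words apart bit by bit. What follows is an added example, not code from this thread, from IDA or from any Samsung bootloader: a small Python decoder for the ARM (A32) data-processing and branch encodings. The instruction words in SAMPLE are constructed here from the encoding layout so that they disassemble to the mnemonics quoted in the posts; they are not bytes taken from the EA24 boot.bin. `cond_passes` shows which flag states let a conditional instruction execute at all, and `shift_value` shows what the shifted second operand contributes to the AND.

```python
"""ARM (A32) decoder for the data-processing and branch encodings seen in the posts.

Added example; the words in SAMPLE are constructed from the encoding layout,
not taken from any boot.bin.
"""

COND = ["EQ", "NE", "CS", "CC", "MI", "PL", "VS", "VC",
        "HI", "LS", "GE", "LT", "GT", "LE", "", "NV"]   # index 14 is AL, printed as ""
OPCODE = ["AND", "EOR", "SUB", "RSB", "ADD", "ADC", "SBC", "RSC",
          "TST", "TEQ", "CMP", "CMN", "ORR", "MOV", "BIC", "MVN"]
SHIFT = ["LSL", "LSR", "ASR", "ROR"]

def reg(n):
    return {13: "SP", 14: "LR", 15: "PC"}.get(n, f"R{n}")

def cond_passes(cond, n, z, c, v):
    """True if an instruction with condition field `cond` executes under flags N, Z, C, V."""
    table = [z, not z, c, not c, n, not n, v, not v,
             c and not z, (not c) or z, n == v, n != v,
             (not z) and n == v, z or n != v, True, True]
    return bool(table[cond])

def shift_value(value, typ, amount):
    """Apply one barrel-shifter operation to a 32-bit value (immediate shift amounts only)."""
    value &= 0xFFFFFFFF
    if typ == "LSL":
        return (value << amount) & 0xFFFFFFFF
    if typ == "LSR":
        return value >> amount
    if typ == "ASR":
        sign = -(value >> 31)
        return ((value >> amount) | (sign << (32 - amount))) & 0xFFFFFFFF
    return ((value >> amount) | (value << (32 - amount))) & 0xFFFFFFFF  # ROR

def shifter_operand(word):
    """Describe bits 11:0 of a register-form data-processing instruction, IDA style."""
    rm, typ = word & 0xF, SHIFT[(word >> 5) & 3]
    if word & 0x10:                         # bit 4: shift amount lives in a register
        return f"{reg(rm)},{typ} {reg((word >> 8) & 0xF)}"
    imm = (word >> 7) & 0x1F
    if imm == 0 and typ == "LSL":           # LSL #0 is just the plain register
        return reg(rm)
    if imm == 0 and typ == "ROR":           # ROR #0 encodes RRX
        return f"{reg(rm)},RRX"
    return f"{reg(rm)},{typ}#{imm or 32}"   # LSR/ASR #0 mean #32

def decode(addr, word):
    """Disassemble one word at `addr`; unknown encodings are shown as data."""
    cond = word >> 28
    if (word >> 25) & 7 == 5:               # bits 27:25 == 101: B / BL
        imm24 = word & 0xFFFFFF
        if imm24 & 0x800000:
            imm24 -= 1 << 24                # sign-extend the 24-bit offset
        target = (addr + 8 + imm24 * 4) & 0xFFFFFFFF   # PC reads as addr+8
        return f"{'BL' if word & 0x1000000 else 'B'}{COND[cond]} loc_{target:X}"
    if (word >> 26) & 3 == 0:               # data-processing
        op, rn, rd = (word >> 21) & 0xF, (word >> 16) & 0xF, (word >> 12) & 0xF
        if word & 0x2000000:                # I bit: rotated 8-bit immediate
            rot, imm8 = ((word >> 8) & 0xF) * 2, word & 0xFF
            op2 = f"#0x{shift_value(imm8, 'ROR', rot):X}"
        else:
            op2 = shifter_operand(word)
        mn = OPCODE[op] + COND[cond]
        if op in (8, 9, 10, 11):            # TST/TEQ/CMP/CMN only write flags
            return f"{mn} {reg(rn)}, {op2}"
        mn += "S" if word & 0x100000 else ""
        if op in (13, 15):                  # MOV/MVN have no first operand
            return f"{mn} {reg(rd)}, {op2}"
        return f"{mn} {reg(rd)}, {reg(rn)}, {op2}"
    return f"DCD 0x{word:08X}"

# Constructed (address, word) pairs chosen to match the mnemonics quoted in the thread.
SAMPLE = [(0x00, 0x00000800), (0x04, 0xD00205A0), (0x08, 0x00025E55),
          (0x0C, 0x00000260), (0x10, 0xEA000006),
          (0x48, 0xE3130702), (0x4C, 0x11A0F001)]

def listing(sample=SAMPLE):
    return [f"ROM:{addr:08X} {decode(addr, word)}" for addr, word in sample]

if __name__ == "__main__":
    for line in listing():
        print(line)
    # The first word is skipped outright unless Z is set by whatever ran before it.
    print("ANDEQ executes with Z=0:", cond_passes(0, n=0, z=0, c=0, v=0))
    print("ANDEQ executes with Z=1:", cond_passes(0, n=0, z=1, c=0, v=0))
    print("R0 LSL#16 for R0=0x12345678:", hex(shift_value(0x12345678, "LSL", 16)))
```

Two things worth noticing when running it: the 16-byte header of a loader like this decodes to valid-looking conditional ANDs purely because almost any 32-bit word with a zero top nibble is an `EQ`-conditional data-processing instruction, which is why IDA's `c` produced them; and `TST R3, #0x80000` is an immediate, not a register, so the only things the branch depends on are the flags and the memory-mapped value loaded into R3.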
thanks
Ya, I got an ARM book and I see it is quite a bit different. I am going to start concentrating on it. If anyone has a Tab or any phone that's bricked and wants to sell it let me know. I want to play around with my RIFF Box with them.

Features of iROM

What functions does the iROM perform in Samsung's Wave line of devices?
Sent from my DROID2 GLOBAL using XDA App
To be clearer, what roles does iROM fulfill?
Exactly the same as in the SGS and Odroid with S5PC110; the iROM code is exactly the same. It MAY differ between CPU revisions (there seem to exist 3 hw revisions of this SoC CPU: evt0, evt1 and evt1-secure), however this has not been confirmed, and it seems that all these phones have EVT1 revisions.
iROM functionality is pretty well described in S5PC110 datasheet, also on Xda SGS forum. In "lets save some bricks" you can find iROM dumps from I9000 and S8530 (exactly the same)
It CAN boot from oneNAND flash, MMC flash, UART and USB interface, depending on OM (operating mode) pin settings (there are 5 such pins) in secure and non-secure boot mode (here the iROM code is checking the secboot key stored inside the S5PC110, which is set to non-zero in the EVT1-SEC revision of the CPU, so probably the iROM code is the same in both secure and nonsecure revisions). Although it has been confirmed 100% that they are physically pulled up (2 of these) and pulled down (3 of these) on the S8500 (most likely for the I9000 and S8530 also, because the mainboard part under the AP is basically the same design, slightly modified), with no way to change it without soldering/cutting anything on the mainboard. It is configuration 01001 if my memory isn't failing, which forces the iROM to boot from oneNAND in 4k page mode (or something like that, I'm too lazy to look into my notes now, sorry. Again, it has all been described in the "Let's save some bricks" thread).
Hope I cleared it up for you a bit.
Is the iROM in Samsung Wave devices secure?
What do you mean by 'secure'? You can see the dumps yourself if looking for vulnerabilities.
When I say "secure" I'm talking about the boot ROM and whether or not it performs integrity checks (a.k.a. signature checks) on the first stage bootloader. You can't determine that by looking at the firmware. I know you don't consider that to be too important, but I do.
Sent from my DROID2 GLOBAL using XDA App
It has got code checking the BL signature, but it is executed only when it finds the S5PC110 SECKEY bits nonzero. These seem to be always zero in the EVT1 hw revision (the EVT1-SEC revision does exist but probably doesn't appear in any Wave nor SGS).
Also it has got code for checking the BL checksum stored at the beginning of the bootsector (in case of flash memory corruption), but it is in a somewhat big cascade of ifs and doesn't appear to be executed always (but may be in fact, haven't dived deep enough to check what exactly the conditions that affect it are).
The boot sequence in Waves (these have got OM pins hardware pulled down and up, not like the Odroid, which has got jumpers to manipulate it) I assume is something like this:
- try to boot from oneNAND (with checksum)
- try to boot from MMC0 interface
- try to boot from UART2 interface
- try to boot from oneNAND (without checksum)
- infinite loop
Consider it as possible assumption only, much more info there: http://forum.xda-developers.com/showthread.php?t=1018862
Master Melab said:
When I say "secure" I'm talking about the boot ROM and whether or not it performs integrity checks (a.k.a. signature checks) on the first stage bootloader. You can't determine that by looking at the firmware.
How do you think we determine that? Exactly by looking at the iROM assembly. Why cannot you do that?
The iROM does use processor internal security subsystem, but I had little time to analyze how. Basically, it does have an option of to verify BL1. The BL1 and BL2 do hashing and signature verification before shadowing next bootloader stage if it's enabled in SFR responsible for security.
Rebellos said:
It has got code checking the BL signature, but it is executed only when it finds the S5PC110 SECKEY bits nonzero. These seem to be always zero in the EVT1 hw revision (the EVT1-SEC revision does exist but probably doesn't appear in any Wave nor SGS).
Also it has got code for checking the BL checksum stored at the beginning of the bootsector (in case of flash memory corruption), but it is in a somewhat big cascade of ifs and doesn't appear to be executed always (but may be in fact, haven't dived deep enough to check what exactly the conditions that affect it are).
The boot sequence in Waves (these have got OM pins hardware pulled down and up, not like the Odroid, which has got jumpers to manipulate it) I assume is something like this:
- try to boot from oneNAND (with checksum)
- try to boot from MMC0 interface
- try to boot from UART2 interface
- try to boot from oneNAND (without checksum)
- infinite loop
Consider it as possible assumption only, much more info there: http://forum.xda-developers.com/showthread.php?t=101886
So, if I understand this correctly, the boot ROM/processor inside the Samsung Wave has the capability to perform signature checks, but it is not enabled.
We are not sure about what's on the market. We may speak about individual cases. Still, to load BL, it needs to go through JTAG or BL3 that verifies what is loaded. The vulnerable FOTA capability (still, it requires valid firmware with FOTA enabled, all described in the 'FOTA thread') gives some perspectives, but everything low level requires some know-how, effort and patience. Especially the effort part seems unattractive to most XDA users.
So BL1 is very hidden from interaction with external tools and utilities?
What kind of utilities? You may find elf with symbols (yay!) for disassembly in the thread adfree started some time ago. Some stuff there would require SRAM and iRAM dumps (calling functions in iRAM) for the analysis, but dumps are empty on our units (I don't assume unreadable as generally we make dumps with the very same privileges as the calling code).
Never mind. What is AMSS? Is that the radio firmware?
Rebellos said:
It has got code checking the BL signature, but it is executed only when it finds the S5PC110 SECKEY bits nonzero. These seem to be always zero in the EVT1 hw revision (the EVT1-SEC revision does exist but probably doesn't appear in any Wave nor SGS).
Also it has got code for checking the BL checksum stored at the beginning of the bootsector (in case of flash memory corruption), but it is in a somewhat big cascade of ifs and doesn't appear to be executed always (but may be in fact, haven't dived deep enough to check what exactly the conditions that affect it are).
The boot sequence in Waves (these have got OM pins hardware pulled down and up, not like the Odroid, which has got jumpers to manipulate it) I assume is something like this:
- try to boot from oneNAND (with checksum)
- try to boot from MMC0 interface
- try to boot from UART2 interface
- try to boot from oneNAND (without checksum)
- infinite loop
Consider it as possible assumption only, much more info there: http://forum.xda-developers.com/showthread.php?t=101886
I'm sorry Rebellos, but your link does not work. And correct me if I'm wrong, but is the public key in the Hummingbird processor (the S5PC110) the same across all devices that use it? Also, where can I find the documents on the S5PC110 that discuss things like SECKEY, if you have them?
Sent from my DROID2 GLOBAL using XDA App
Master Melab said:
I'm sorry Rebellos, but your link does not work. And correct me if I'm wrong, but is the public key in the Hummingbird processor (the S5PC110) the same across all devices that use it? Also, where can I find the documents on the S5PC110 that discuss things like SECKEY, if you have them?
Sent from my DROID2 GLOBAL using XDA App
Oh, sorry. Fixed it:
http://forum.xda-developers.com/showthread.php?t=1018862
And in general you can find much more about this iROM in various threads there
http://forum.xda-developers.com/forumdisplay.php?f=656
midas5 and TheBeano seems to be better informed.
Oh well, its only few KB of code. Just grab it and find answers by yourself.
http://code.google.com/p/badadroid/downloads/detail?name=0x0.0xFFFF.bin&can=2&q=
Does this CPU even have any hardware public key? Don't know about any.
Only a very small amount of technical info about secure boot can be found in the User Manual for S5PC110_EVT1. It is possible that deeper documentation about it may not even exist, and additional info can be obtained only through Samsung business tech support directly from their devs (It hasn't been proven that Samsung does use the EVT1-SEC version of the CPU, so who would...?)
AMSS is radio OS which is being loaded to shared mem by AP and started by DBL (modem bootloader) which is being sent in few parts to CP from AP through UART0 interface and then by oneDRAM share.
IOS (Iphone) on WAVE possible ... ???
I've pondered something similar: swapping out Apple's A4 processor with a Hummingbird processor to bypass SHSH signature checks. Although both being manufactured by the same company may not mean anything, they share the exact same ARM core, according to the teardown by Chipworks. I'm interested in bypassing the hardware aspects of the restrictions that are put on electronics.
But, running iOS on the Wave would be hard. First off, iOS uses an entirely different kernel, XNU. XNU uses Kexts (kernel extensions) as drivers, so you would have to find out how to write kernel extensions compatible with ARM. Apple is very locked down about their x86 platform, even more so with iOS, so I don't think you'll get a tutorial on how to write a kernel extension for iOS without a little bribery. Second, there's a lot of other things that you would have to change. If you want to stay sane in getting iOS to run on the Wave you'll need the source code.
Can we collect different ways to dump iROM please.
I'll try to use JTAG (RIFF Box)... and maybe Commands to read this area...
Any useful hints are welcome... for S8500 without installed Android...
Thanx in advance.
Best Regards
adfree said:
Can we collect different ways to dump iROM please.
I'll try to use JTAG (RIFF Box)... and maybe Commands to read this area...
Any useful hints are welcome... for S8500 without installed Android...
Thanx in advance.
Best Regards
You have to know that the iROM has already been dumped from the S8500 and S8530 using prepared FOTA code. :d Posted it somewhere I think...
...from S8500 and S8530 using prepared FOTA code. :d Posted it somewhere I think...
Dump from S8530 I've found.
But S8500 nor FOTA...
Maybe someone can give me please the Link to FOTA file... then I can try it at home.
Thanx.
No problem if all handsets have equal iROM dump. I will only do it for study self at home.
Best Regards

NextBook AMLOGIC Rooting Work(NEXT7P12 & NEXT8P12)

Ok, so as with most Android devices a group of us is trying to get the NextBooks rooted. There are a few models BUT each model can have either a RockChip or an AMLOGIC chipset. The Rockchip is already good to go. The AMLOGIC chipset is another story.
The only method of rooting the devices (specifically the NEXT7P12 and the NEXT8P12):
There has been 1 file that is unprotected init-pppd.sh and is run when you connect a 3g usb dongle to the tablet. So there is for sure a process that executes the script that has the proper permissions
The script has been edited and we are able to get the device rooted BUT ONLY with the 3g dongle.
The question becomes is there anyway to have this script run WITHOUT connecting the 3g dongle?
We have tried running it in terminal and adb, but doing it that way we don't have the proper permissions.
here is the only root method so far that has been found http://www.freaktab.com/showthread.php?3029-Nexbook-AMlogic-root-WORK!&p=45040&viewfull=1#post45040
Any help or advice would be greatly appreciated.
Check this link out.
http://forum.xda-developers.com/showthread.php?p=36641646
Sent from my Next8P12 using xda premium

Hubitat Elevation [C7] rooting guide

Hubitat Elevation is a smart home hub (Z-Wave/Zigbee/IP). The primary advantage of the device compared to numerous commercial products is its ability to work without a cloud connection. Unfortunately, Hubitat folks restricted access to the device, so out of the box your tinkering abilities are virtually non-existent. We're going to fix this in this rooting guide.
Hubitat Elevation hardware is built around Amlogic A113X SoC, and it is very similar to Amlogic s420 and s400 boards. It is based on a standard Android architecture and it runs linaro. The bootloader is U-Boot, but the boot timeout is set to zero, so you cannot get to the U-Boot shell/console.
To root the device using this method you will need:
- 3.3v USB to serial adapter
- Some electronics skills
- Linux/Development skills
(Apologies, this guide is not a step-by-step process for unskilled users)
Rooting Hubitat Elevation C7:
- Open your Hubitat Elevation (there are 4 screws on the bottom under rubber pads). Exactly in the middle of the board, you will see an unmarked test point. This is the recovery/bootloader mode switch. If you connect it to ground and then plug the device into a USB port, your computer should detect a new USB device (Amlogic bootloader port).
- On the component side of the board, find four test points in a row (marked 2TP1.. 2TP4). This is Amlogic UART. 2TP2 is RX 2TP3 is TX (115200,8,N,1). Use a 3.3v USB to serial adapter to connect. If properly connected, you will be able to see boot log and interact with the console.
- You can use pyamlboot to boot from USB. Boot images can be generated using meta-meson (github.com/superna9999/meta-meson). Elevation C4 uses Amlogic A113X, so you need to build for Amlogic s420 or Amlogic s400 board. You need, at a minimum, to build two USB bootloader files (u-boot.bin.usb.bl2 and u-boot.bin.usb.tpl) for pyamlboot.
- Booting U-boot over USB using pyamlboot will get you into u-boot console. From there you can boot Linux kernel from USB, MMC, or set bootdelay for Hubitat's u-boot so you can interrupt the Hubitat's U-boot and get access to its console.
- To set the bootdelay option for Hubitat's u-boot, just read the environment located at MMC offset 0x27400000 (or MMC block #0x13A000) into memory, edit bootdelay, and write it back to the MMC. This will get you access to Hubitat's u-boot console.
- boot Linux from boot or recovery partitions with edited command line that gives you shell access.
- Once you get a root shell, just create a new user, add it to /etc/sudoers, and remove the iptables rule in /etc that blocks the inbound SSH port. You will not be able to log in to Hubitat Elevation over SSH.
Enjoy the tinkering freedom!
P.S.: Anyone with a password cracker and a beefy GPU, please recover passwords for root and hub users from MD5 hashes in /etc/shadow
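The bootdelay step in the guide above edits the U-Boot environment image, which is a 4-byte CRC32 header followed by NUL-separated key=value pairs padded to the configured size; if the CRC is not recomputed after the edit, U-Boot rejects the whole environment at the next boot and falls back to its built-in defaults (so bootdelay stays at zero). The following is an added example, not part of this guide, of Hubitat's firmware or of U-Boot itself: a Python parser and editor for the non-redundant env layout, run on an image constructed here. The environment size (ENV_SIZE), the variable names and the non-redundant layout (no flags byte after the CRC) are assumptions; the real size is the CONFIG_ENV_SIZE of the hub's U-Boot build, and the MMC offset and block number are the ones quoted in the post.

```python
"""Parse, verify and edit a non-redundant U-Boot environment image.

Added example; the image built in demo() is constructed here and the size,
variable names and layout are assumptions about the hub's U-Boot build.
"""
import struct
import zlib

ENV_SIZE = 0x400             # assumed: real value is CONFIG_ENV_SIZE of the hub's U-Boot
MMC_ENV_OFFSET = 0x27400000  # byte offset quoted in the post
MMC_BLOCK_SIZE = 512         # standard MMC/eMMC sector size

def env_block_number(offset=MMC_ENV_OFFSET, block_size=MMC_BLOCK_SIZE):
    """Byte offset -> MMC block number; 0x27400000 // 512 == 0x13A000 as the post says."""
    return offset // block_size

def build_env(variables, size=ENV_SIZE):
    """Serialise a dict into a U-Boot env image: CRC32 header, then 'k=v\\0' pairs, '\\0' end, zero padding."""
    body = b"".join(f"{k}={v}".encode() + b"\0" for k, v in variables.items()) + b"\0"
    if len(body) > size - 4:
        raise ValueError("environment does not fit in the configured size")
    body = body.ljust(size - 4, b"\0")
    # U-Boot checks crc32 over everything after the 4-byte header, padding included.
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF) + body

def parse_env(image):
    """Return (crc_ok, variables). U-Boot ignores the stored env entirely when crc_ok is False."""
    (stored_crc,) = struct.unpack_from("<I", image, 0)
    body = image[4:]
    crc_ok = (zlib.crc32(body) & 0xFFFFFFFF) == stored_crc
    variables = {}
    for entry in body.split(b"\0"):
        if not entry:             # an empty entry terminates the list; the rest is padding
            break
        key, _, value = entry.partition(b"=")
        variables[key.decode()] = value.decode()
    return crc_ok, variables

def set_var(image, key, value):
    """Return a new image with key=value set and the CRC recomputed."""
    crc_ok, variables = parse_env(image)
    if not crc_ok:
        raise ValueError("refusing to edit an env image whose CRC does not match")
    variables[key] = str(value)
    return build_env(variables, size=len(image))

def demo():
    """Constructed env: a naive byte patch breaks the CRC, set_var keeps it valid."""
    original = build_env({"bootdelay": "0", "bootcmd": "run storeboot"})  # constructed values
    naive = original.replace(b"bootdelay=0", b"bootdelay=3")  # same length, CRC now stale
    fixed = set_var(original, "bootdelay", 3)
    return parse_env(original), parse_env(naive), parse_env(fixed)

if __name__ == "__main__":
    for label, (ok, env) in zip(("original", "naive patch", "set_var"), demo()):
        print(f"{label:12s} crc_ok={ok} bootdelay={env.get('bootdelay')}")
    print(f"env block number: 0x{env_block_number():X}")
```

Reading the image back with `parse_env` before and after writing it to the MMC is the check to keep: a stale CRC is silent on the device side, the only symptom being that the boot delay never changes.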
I'm looking to go through this now but I have an older Hubitat version. I'd assume the process will be similar though. Is this something that would work for connect to the UART? https://www.amazon.com/Adapter-Seri...+USB+to+serial+adapter&qid=1608139326&sr=8-15
Does anyone have a dump of the firmware?
I have made some progress using the main post as a jumping off point. If anyone is interested in this board message me. I would love to work on this with someone. I am new to hardware hacking.

How to connect Samsung galaxy watch active 2 to your pc via USB

I recently tried to change my region from Dubai to USA for my watch active 2 but when I download the combination firmware, it's for the 4.0.0 tizen version and it blocked my Wi-Fi. Now I can't download the stock firmware to my watch because I can't make it as a hotspot. Is there any way to connect my watch using USB to my PC so that I can install the stock version again
Exact Model Name?
Example... I have SM-R820...
Now you...
Best Regards
Yeah sorry, I have SM-R820 running previously on Tizen 5.5.0. I tried to install the combination firmware but it was for the Tizen version 4.0.0.6 and now my Wi-Fi is not working and I can't install anything from odin
I have the same problem like this
Galaxy Watch Active 2 44mm SM-R820 Odin Stuck
Hi, I have a SM-R820 and for mistake I flashed a incorret firmware (SM-R830) and now my watch it's bricked (?), It will allow me tho se the boot menu but all the options take me to the same screen, so I can't use the Download wireless again to...
forum.xda-developers.com
@adfree
Summary.
You have BT only device:
SM-R820
Next steps...
A
You found Thread about USB Pinout...
B
But before...
Are you 100 % sure you killed WiFi?
What you see if you press download wireless?
Wireless mode, does not enter - gear s3 sm-r760
Hello everyone, first of all I apologize for the writing errors, I'm using the translator. I am having problems with my Gear S3 after trying to pass a ROM GEAR S3 R760XXU2BQH1 STOCK ROM_OXA_MULTI CSC. It was passing through the Wifi-net -odin and...
forum.xda-developers.com
C
What you see in Odin Mode aka Download Mode?
ODIN MODE
PRODUCT NAME: SM-R820
CURRENT BINARY: Samsung Official
REACTIVATION LOCK: ON
Secure Download: Enabled
CARRIER ID:
WARRANTY VOID: 0 (0X0000)
RP SWREV: B:0 K:0 S:0
Secure JTAG Disabled
Templete...
Here Photo:
Galaxy Watch Active 2 44mm SM-R820 Odin Stuck
Hi, I have a SM-R820 and for mistake I flashed a incorret firmware (SM-R830) and now my watch it's bricked (?), It will allow me tho se the boot menu but all the options take me to the same screen, so I can't use the Download wireless again to...
forum.xda-developers.com
Look at FIRST Photo as example...
D
Btw, which Combination firmware you used?
Filename
Remember nobody here has Crystall Ball...
Best Regards
I have the same issue. It's possible to connect with USB but you have to open the watch and weld the USB wires inside it, very risky and you will lose the IP67 certification ...
I have chosen to wait for the next update with Galaxy Wearable, hoping that will fix the problem ..
adfree said:
What do you see if you press download wireless?
What do you see in Odin Mode aka Download Mode?
Btw, which Combination firmware did you use?
When I try to use the download wireless method, it starts showing an AP: -1 error and keeps going.
The combination firmware which I tried is "COMBINATION-FT40_R820XXU1ASI2.tar.md5".
When I go to download mode only, it shows me this:
ODIN MODE
PRODUCT NAME: SM-R820
CURRENT BINARY: SAMSUNG OFFICIAL
REACTIVATION LOCK: OFF
WDM DOWNLOAD BLOCK: 0
SECURE DOWNLOAD: ENABLED
CARRIER_ID:
WARRANTY VOID: 0(0X0000)
AP SWREV: B:1 K:0 S:0
HW REV: 5
DOR SIZE: 0.750
BUILD VERSION: FT40_R820XXUIAS12
Mouaz10 said:
I have the same issue. It's possible to connect with USB, but you have to open the watch and solder the USB wires inside it, very risky, and you will lose the IP67 certification...
I have chosen to wait for the next update with Galaxy Wearable, hoping that it will fix the problem..
Is your watch connecting to your phone?
Mine is not even connecting to the phone either.
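The two download-mode screens posted in this thread (adfree's template and the SM-R820 readout above) differ in more than capitalisation. The following is an added example, not code from this thread or from Samsung: it parses both screens into comparable fields, pulls out the B/K/S counters, and applies the anti-rollback rule as Samsung bootloaders generally enforce it (an image is refused if any of its counters is lower than the device's). That the counters are printed as "RP SWREV" on older and "AP SWREV" on newer bootloaders, and the rollback rule itself, are general knowledge about Samsung devices and are not stated anywhere in this thread; the screens are transcribed from the posts here.

```python
import re

# Both screens are transcribed from this thread: adfree's template readout and
# abdullah.libran's SM-R820 readout. They are embedded here so the example runs offline.
TEMPLATE_SCREEN = """\
ODIN MODE
PRODUCT NAME: SM-R820
CURRENT BINARY: Samsung Official
REACTIVATION LOCK: ON
Secure Download: Enabled
CARRIER ID:
WARRANTY VOID: 0 (0X0000)
RP SWREV: B:0 K:0 S:0
Secure JTAG Disabled
"""

WATCH_SCREEN = """\
ODIN MODE
PRODUCT NAME: SM-R820
CURRENT BINARY: SAMSUNG OFFICIAL
REACTIVATION LOCK: OFF
WDM DOWNLOAD BLOCK: 0
SECURE DOWNLOAD: ENABLED
CARRIER_ID:
WARRANTY VOID: 0(0X0000)
AP SWREV: B:1 K:0 S:0
HW REV: 5
DOR SIZE: 0.750
BUILD VERSION: FT40_R820XXUIAS12
"""

SWREV_RE = re.compile(r"B:(\d+)\s+K:(\d+)\s+S:(\d+)")


def parse_screen(text):
    """Turn 'KEY: value' lines into a dict. Keys are normalised so that
    'CARRIER ID' / 'CARRIER_ID' and 'Secure Download' / 'SECURE DOWNLOAD'
    compare equal across bootloader versions."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue  # banner and flag-only lines such as 'Secure JTAG Disabled'
        key, _, value = line.partition(":")
        fields[key.strip().upper().replace("_", " ")] = value.strip()
    return fields


def rollback_counters(fields):
    """Return the B/K/S anti-rollback counters (assumption: printed as
    'RP SWREV' on older and 'AP SWREV' on newer Samsung bootloaders), or None."""
    for key in ("AP SWREV", "RP SWREV"):
        match = SWREV_RE.search(fields.get(key, ""))
        if match:
            return {"B": int(match.group(1)), "K": int(match.group(2)), "S": int(match.group(3))}
    return None


def image_passes_rollback(device_fields, image_counters):
    """Anti-rollback check as Samsung bootloaders generally apply it (not something
    this thread states): an image is accepted only if none of its counters is
    lower than the counter already burned on the device. None if unknown."""
    device = rollback_counters(device_fields)
    if device is None:
        return None
    return all(image_counters[k] >= device[k] for k in ("B", "K", "S"))


def assess(device_text, expected_product="SM-R820"):
    """Summarise what a download-mode screen says about flashing prospects."""
    f = parse_screen(device_text)
    return {
        "product_ok": f.get("PRODUCT NAME") == expected_product,
        "reactivation_lock": f.get("REACTIVATION LOCK", "").upper() == "ON",
        "secure_download": f.get("SECURE DOWNLOAD", "").upper() == "ENABLED",
        "counters": rollback_counters(f),
        "build": f.get("BUILD VERSION"),
    }


if __name__ == "__main__":
    before = rollback_counters(parse_screen(TEMPLATE_SCREEN))
    print("template counters:", before)
    print("watch now:", assess(WATCH_SCREEN))
    # Would an image carrying the template-era counters still be accepted?
    print("template-era bootloader accepted:",
          image_passes_rollback(parse_screen(WATCH_SCREEN), before))
```

The practical reading: the watch's B counter is now 1 while the template shows 0, so under the rollback rule a bootloader image carrying B:0 would be refused regardless of which firmware it came from; the helper makes that comparison explicit rather than leaving it to eyeballing two differently formatted screens.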
Okay, I see the bootloader sboot.bin is from Combination Firmware ASI2...
This means?
You are still on working Combination Firmware?
Your watch can boot correctly to Tizen and you can click around?
Then please check under Settings->About....
If the WiFi address and BT address are still visible or empty/gone...
Best Regards
adfree said:
Then please check under Settings->About....
If the WiFi address and BT address are still visible or empty/gone...
Wi-Fi address is unknown and BT address is unavailable.
WiFi AND BT address gone means something happened to the CSA partition...
In other words, empty files in CSA...
It's a long time ago... tiny chance to "restore" addresses via Codes... MAYBE...
Commands I am 100 % sure about.... but you have no chance without USB to connect... to use the tool SDB...
Code(s) I have to check...
Example for Codes...
*#1234#
Hopefully you already know this to show Firmware infos...
In Combination Firmware you can use something like this:
*#6472#
3 years of investigation with Gear S2 as example:
[Development] Android Wear for the gear S2
Tiny overview...
[Development] Android Wear for the gear S2
Best Regards
adfree said:
WiFi AND BT address gone means something happened to the CSA partition...
Commands I am 100 % sure about.... but you have no chance without USB to connect... to use the tool SDB...
I have the stock firmware available for Tizen 4.0.0.6. If I install that on my watch through the USB connector, will my watch start working normally?
But one more thing: before installing this combination firmware, my watch was on Tizen version 5.5.0.1, so if I try to install that older version of Tizen, will it affect my watch in any way?
I have NO Crystal Ball... so I can NOT look into the future...
You can also check if the Serial Number is still visible in Settings... About...
My knowledge is... if BT and/or WiFi aka MAC address is gone... you need manual action to restore...
Less (lowest) chance of magic self healing...
USB cable IMHO only increases your chance with the tool SDB to write BT and MAC to the CSA partition...
Only flashing Firmware with Odin will not solve your problem... IMHO.
Feel free to try.
Meanwhile, have you tried Codes?
I mean I see in my Link 2...
testmode *#232337# BT Address
I have forgotten if it only shows BT or writes.... it is more than 3 years ago...
Best Regards
What is this CSA partition, and how do I write to it?
abdullah.libran said:
Is your watch connecting to your phone?
Mine is not even connecting to the phone either.
Yes, BT connection is still OK.
Has anyone made a dongle to connect to the PC? I saw somewhere (idk where) that someone made a dongle for it that matches the pins, to connect to the PC and do Odin manually.
I did it on the Galaxy Watch 1st gen: the 5 pins matched inside the Galaxy Gear 1st gen charger, making a connection to do Odin through the PC.
abdullah.libran said:
Wi-Fi address is unknown and BT address is unavailable
adfree said:
Meanwhile you have tried Codes?
I mean I see in my Link 2...
testmode *#232337# BT Address
Hey. I have the same problem... BT and WiFi gone...
With that code I get a Bluetooth address: 184E:16:4CCD9F... but only there... In device info, nothing...
Is there a possible way to get them back?
dcasun said:
Has anyone made a dongle to connect to the PC? I saw somewhere (idk where) that someone made a dongle for it that matches the pins, to connect to the PC and do Odin manually.
I did it on the Galaxy Watch 1st gen: the 5 pins matched inside the Galaxy Gear 1st gen charger, making a connection to do Odin through the PC.
I did this today for the Galaxy Watch Active SM-R500... It's working fine in Odin, but I don't know how to recover the BT and WiFi addresses.
See, you can just use the Galaxy Watch charger you can get on Amazon for $9, take it apart and just push the pins into the watch, easy. But with the Active 2 the pins are up and down, so I don't know where to solder in the pins lol
dcasun said:
See, you can just use the Galaxy Watch charger you can get on Amazon for $9, take it apart and just push the pins into the watch, easy. But with the Active 2 the pins are up and down, so I don't know where to solder in the pins lol
Hello, I am trying to restore my watch because I flashed it without the BL file and WiFi broke. I couldn't find the charger on Amazon, only on AliExpress, and I would like to fix it as soon as possible to get the new Tizen update.
Can you please share a link to the product? Does it match the pinout out of the box, or should I remap it?