Develop Bugs

Why can't a bricked phone be revived?

This is a question for those in the know when it comes to programming.Why isn't there a way to revive a bricked phone? Can't there be some method for a host computer to manually write the radio to the device? How does HTC fix a bricked phone for it to be a refurb?
I'm just very curious about this because I see a few people attempt to update the radio only to lose power and brick their EVO. I have no programming experience so don't know what goes on at the internal component level. Thanks in advance for your input.

It goes back to the old bootstrapping problem when computers were being developed. A computer (in this case, your cell phone) is pretty dumb at the hardware level. All it can do is run programs. That's ALL it can do. It can't even load a program, only run them. Thus the problem. It gets solved by injecting a "bootstrap" program at startup (from the phrase "pull yourself up by your bootstraps") which is a program that runs and gives access to all the I/O, and the computer can then load more programs.
When you update this bootstrapping program, it gets dicey, because if it isn't written right, or if there's a glitch during the update, this most basic of all functions gets corrupted. If the program that tells the phone how to load programs goes away, all the phone can do is... sit there. Like a brick.
Hope this helped!

That helped me, thanks.

Soylent Grin said:
It goes back to the old bootstrapping problem when computers were being developed. A computer (in this case, your cell phone) is pretty dumb at the hardware level. All it can do is run programs. That's ALL it can do. It can't even load a program, only run them. Thus the problem. It gets solved by injecting a "bootstrap" program at startup (from the phrase "pull yourself up by your bootstraps") which is a program that runs and gives access to all the I/O, and the computer can then load more programs.
When you update this bootstrapping program, it gets dicey, because if it isn't written right, or if there's a glitch during the update, this most basic of all functions gets corrupted. If the program that tells the phone how to load programs goes away, all the phone can do is... sit there. Like a brick.
Hope this helped!
Click to expand...
Click to collapse
Thanks for the info. That is interesting. So how does HTC initially put the bootstrap in and/or how do they handle a bricked phone?

Soylent Grin said:
It goes back to the old bootstrapping problem when computers were being developed. A computer (in this case, your cell phone) is pretty dumb at the hardware level. All it can do is run programs. That's ALL it can do. It can't even load a program, only run them. Thus the problem. It gets solved by injecting a "bootstrap" program at startup (from the phrase "pull yourself up by your bootstraps") which is a program that runs and gives access to all the I/O, and the computer can then load more programs.
When you update this bootstrapping program, it gets dicey, because if it isn't written right, or if there's a glitch during the update, this most basic of all functions gets corrupted. If the program that tells the phone how to load programs goes away, all the phone can do is... sit there. Like a brick.
Hope this helped!
Click to expand...
Click to collapse
Thanks good explanation appreciate that.

rafroehlich2 said:
Thanks for the info. That is interesting. So how does HTC initially put the bootstrap in and/or how do they handle a bricked phone?
Click to expand...
Click to collapse
There is probably a JTAG interface somewhere in there. In fact,that's how the original hack of the IPhone was done. (Better ways were since found) Most devices have a quasi standard interface for programming the flash and accessing and the hardware for diagnostics. For instance,linksys routers actually have a spot on the board to solder a header and you can make a cable that connects to the parralel port. Do a google search for "Hairy Dairy Maid Debrick" and you will find it. A similar thing is probobally possible with the Evo (Ive even seen them on Hard Drives and CD Rom drives) The problem is,its not entirely standardized,and it might not even be a connector or pads on the board. It might instead be a matter of knowing where you can connect the leads on the board to something that under the right circumstances BECOMES the JTAG connector. (For instance,a pin that controls something else might be a JTAG interface for the first few hundred milliseconds of start-up,or if a certain other pin of the chip is grounded when the power is applied. It might also be completely internal to the chip,and there be NO connectors on the board (it almost CERTAINLY has the capability,they need it during prototyping) and the chips might be programmed BEFORE they are soldered in. It might take replacing the rom chip to get it to go. There are lots of ifs
Chances are though,the factory has a special cable and a special software program that can reprogram the device. To replicate that might be relatively easy or could be next to impossible but requires a certain degree of knowledge about the hardware. What I suspect is,until someone who has the skills to make such a cable bricks their phone,they wont bother figuring out how to debrick one. In fact,when that person bricks their phone,they will probably take it back to sprint and say "I dont know what happens" In fact,even if its stuck looping in an obviously hacked boot loader he for some odd reason cant undo,hes probably going to send it back to sprint. I know someone who did exactly that to their brand new HP laptop. He found that 15kv from the flyback of an old B&W television applied to the memory slots took care of the looping and Best Buy gave him another one. As he put it "I dont know what happened,but it smells bad and wont boot up"

pflatlyne said:
There is probably a JTAG interface somewhere in there. In fact,that's how the original hack of the IPhone was done. (Better ways were since found) Most devices have a quasi standard interface for programming the flash and accessing and the hardware for diagnostics. For instance,linksys routers actually have a spot on the board to solder a header and you can make a cable that connects to the parralel port. Do a google search for "Hairy Dairy Maid Debrick" and you will find it. A similar thing is probobally possible with the Evo (Ive even seen them on Hard Drives and CD Rom drives) The problem is,its not entirely standardized,and it might not even be a connector or pads on the board. It might instead be a matter of knowing where you can connect the leads on the board to something that under the right circumstances BECOMES the JTAG connector. (For instance,a pin that controls something else might be a JTAG interface for the first few hundred milliseconds of start-up,or if a certain other pin of the chip is grounded when the power is applied. It might also be completely internal to the chip,and there be NO connectors on the board (it almost CERTAINLY has the capability,they need it during prototyping) and the chips might be programmed BEFORE they are soldered in. It might take replacing the rom chip to get it to go. There are lots of ifs
Chances are though,the factory has a special cable and a special software program that can reprogram the device. To replicate that might be relatively easy or could be next to impossible but requires a certain degree of knowledge about the hardware. What I suspect is,until someone who has the skills to make such a cable bricks their phone,they wont bother figuring out how to debrick one. In fact,when that person bricks their phone,they will probably take it back to sprint and say "I dont know what happens" In fact,even if its stuck looping in an obviously hacked boot loader he for some odd reason cant undo,hes probably going to send it back to sprint. I know someone who did exactly that to their brand new HP laptop. He found that 15kv from the flyback of an old B&W television applied to the memory slots took care of the looping and Best Buy gave him another one. As he put it "I dont know what happened,but it smells bad and wont boot up"
Click to expand...
Click to collapse
Wow. Thanks for the detailed answer. Too bad this isn't a standardized item. I hope eventually things progress enough where this isn't even a thought. Thanks again for the good response.
Sent from my PC36100

rafroehlich2 said:
Wow. Thanks for the detailed answer. Too bad this isn't a standardized item. I hope eventually things progress enough where this isn't even a thought. Thanks again for the good response.
Sent from my PC36100
Click to expand...
Click to collapse
Yea,it would be nice if it were. Its kinda sorta quasi standard,so it HAS been done in some cases where its necessary,but often there are easier ways around it. Personally, I have allways thought that its a pretty stupid thing to make a piece of equipment that can fail due to a bad flash. The people who designed many of the flash memory chips seemed to agree,and they added something called a "boot block" to many,but the way its implemented,when its implemented doesn't fully protect you from a bad flash. Its even worse now that everything is in ball grid array chips soldered down to the board.

JTAG with S8500/S8530, S8600 ...

I have some experience with JTAG.
Segger J-Link with PSAS.
I have "Testdevice"... broken Display... soon I will try to connect.
Testpoints and JTAG dump floating somewhere in Internet.
My Questions:
1.
Someone tried Segger with S8500?
2.
Many more Questions to come.
Best Regards
P.S.:
http://www.gsmupload.com/beta-test-thread-samsung-wave-s8500-repair-here/
Edit 1:
Tried to edit Thread title...
...and not yet attached my S8500 to JTAG

oh yeah !!! sachinsud an indian guy bought a riff box... and he tried...
i thnik that you are in the right way...
btw have you tried to connect the wave with broken display to a external monitor?
the wave have video output!
cheers!

At the moment my damaged S8500 is good enough for training.
Only glass is broken...
I have an 512 MB dump from S8500 via JTAG... NOT my. But interesting for study.
I play as long as I can with Multiloader. With AMSS and maybe soon with Bootloaders... and only if I brick this S8500, I will try my Segger JTAG...
About TV out.
I bought Original Samsung AV cable, because normal AV cable seems to have other Pins connected.
But very impressive to see some Games or Videos from my handset on TV.
Never seen before...
my last handset is from 2006.
Best Regards

Nice. Found today S8530 JTAG dump from ORT JTAG.
Thanx.
http://srimeenakshimobiles.com/foru...t-s8530-wave-ii-unbrick-repair-dead-boot.html
Nice:
http://www.ort-jtag.com/blog/
About S8500:
http://www.ort-jtag.com/blog/?e=10
Best Regards

Hope I could get one of that ORT Plus software for free!

Today I saw this:
http://www.segger2.com/index.php?page=Thread&postID=1786&highlight=s5pc100#post1786
Found 1 JTAG device, Total IRLen = 0:
#0 Id: 0x1BA00477, IRLen: 04, IRPrint: 0x1, CoreSight JTAG-DP (ARM)
Cortex-A8 identified.
Click to expand...
Click to collapse
So maybe my J-Link will work...
I'll try next month... but started today.
With removing Label.
I can see now Testpoints are big enough for my solder skills.
And easy in 2 rows, with enough space between.
Maybe I'll play solderless... but lonoooog time ago my MSM6250 experiences.
Best Regards
Edit 1.
Or for 8 Euro from Poland:
http://www.multi-com.pl/index.php/en_US,details,id_pr,8047,menu_mode,categories.html
Edit 2.
I hope you see difference between pro stuff.
1 of these 3 Pics is not my...

need some info about connect to Samsung Cortex-A8 S5PC110 and dump internal memory.
what software need with my JTAGs:
- TI XDS560PCI;
- SpectrumDigital XDS510USB;
- Blackhawk USB2000;
- Altera USB-Blaster;
- Altera ByteBlaster2 (LPT);
- Wiggler (LPT);
- Luminary Micro Development Board;
- NXP LPCXpresso LPC1114 Development Board.

According to this:
http://www.segger2.com/index.php?page=Thread&postID=1786&highlight=s5pc100#post1786
...we are able to recognized the cpu type as cortex A8, but all the memory content are zero...
Click to expand...
Click to collapse
The proper Software for S8500 is mandatory and much more important as Hardware.
Few of the JTAG Masters are able to make own JTAG Hardware for less then 20 Euro.
But the Software...
If Bootloader alive, then higher chance to have connection with any JTAG Hardware and CPU only... memory is something different...
But if Bootloader is erased, then CPU Bootcycle... and it is nearly impossible to halt CPU without proper Software to have access to memory... RAM or NAND.
Next week I can maybe answer, if I had success with my J-Link... now I must wait for my second S8500 compatible JTAG.
Best Regards

Try OpenOCD, may (but dont have to) work. It should support A8. Btw in s5pc110 manual we can read about some new debugging interface except jtag, anyone ever seen this?

Last time I checked OpenOCD did not have the driver for writing NAND through s5pc110. Is it available now?

Gah, it isn't, i confused something. :/
Btw.
Why do you want to make full internal memory dumps, while these seems to be ones you're looking:
http://forum.gsmhosting.com/vbb/f665/share-full-flashes-1245293/
Compared S8530 FULL_RAW posted there with boot_loader.mbn, first bytes are exactly the same
Of course these could be RAM images, but why would them be called "full flashes"? ;d

@ Rebellos
Very good Link.
S5250 + S8500 + S8530 JTAG Dump.
And meanwhile ... I9000 Dump for study.
Thank you very much.
Best Regards

First attempt.
I have soldered 8 wires...
Anyone found Pictures of soldered wires in S8500...
Please post.
Any hints/tips are welcome. As I have at the moment no idea if I can insert Battery... or I have to hold... maybe I have to insert something to protect wires...
Thanx in advance.

Battery pins are quite big, try to use ac/dc 3-4V converter stabilised by some capacitor and clips on pins.

This is my wires for JTAG. Used standart battery for power.
and pinout for JTAG.

Thanks, how are you powering Wave? does battery fits together with cables or have to wire DC too?

In theory you can use USB cable to power on...
I have only used battery and pressed Button.
Now my S8500 is alive again.
Next attempt is to prepare my XXJB6 Bootloader... I will see if Wave is then dead again or Bootloader is usable...
Best Regards

Seems I'll need 30 minutes for 256 MB reading...
So 512 MB complete 1 hour...
Ehm, I'm tooo dumb to dump OneNAND.
Can someone please help me.
What I need to set/enter/press...
This is what I did... See Screenshot. I can read something from 0x42480000... but this is not what I want.
Please correct settings needed.
Thanx in advance.
Best Regards

It isn't "Memory reading" for sure, not directly at least.
Probably oneNAND reading isn't possible by some clicks and you need driver for oneNAND in script. oneNAND is controlled by modifying special registers under 0xB000_0000 address space. If you want oneNAND dumps you have to find driver for that or do it through FOTA using BL3 function Flash_Read_Data and rebell_memdump from our SVN repo.

Maybe I've found my mistake...
Now I can read something at 0... will see in an hour what it is.
Best Regards
Edit 1.
Okay, I have my 512 MB Dump.
But under DCC Red/Write Tab... and need to set few things... so not only press 1 Button.
Less then 30 minutes for 512 MB Reading...
Now I have to learn how to write safe.
As I don't need Full 512 MB write, only 4 MB at Start...
to prevent erase full 512 MB

Phone life after death. Breaking the Jtag taboo.

I had some research yesterday, yet I still can't find a proper answer to most of my questions about the following subject. Hoping some of the experts here can contribute some of their knowledge and hopefully I will edit this thread to a guide, or at least spare others the need for wondering around the web as I did.
Well, Few days ago I turned off my phone, and it wont turn on or response to any physical key combination, usb connection (Except for charging the battery) or even that famous Samsung jig (301KΩ Between pin 4 and 5 on the usb connection). It is not recognizable by any device while connected through usb interface. It is permabricked. The worst thing that can happen to a phone while the hardware is intact.
Although the name indicates otherwise, some things can be done in order to get the device working again.
It is a process in which the phone's main bored is exposed, than a special device (e.g riff box) is connected to certain areas on the pcb that were made that way for the initial configuration of the phone back in the factory. The pinout of the connection varies in each model, but the interface is the same and called "Jtag". Than, that device connects to a pc through usb interface.
So the first step would be to get that device and to connect it to both pc and phone's motherboard through a certain pinout that is mostly hard to get. You'll need a driver for that jtag flashing device and a compiled file which you would like to flash in to your phone. I don't know if that file is specific to each model or to the certain chip the phone is using (Can different models with the same chip be flashed the same way? Reply if you know and I'll edit it here).
By what I know, after flashing that file the phone will be accessible through usb interface for further flashing of the rom.
Alternatively, There are some companies that offer that kind of service. I couldn't find any who work with T989, and prices for that kind of service.
I would like to have as much information as possible and maybe eventually I'll be able to get my phone fixed. In that case I'll add some photos and document the process.

Michael.fri said:
I had some research yesterday, yet I still can't find a proper answer to most of my questions about the following subject. Hoping some of the experts here can contribute some of their knowledge and hopefully I will edit this thread to a guide, or at least spare others the need for wondering around the web as I did.
Well, Few days ago I turned off my phone, and it wont turn on or response to any physical key combination, usb connection (Except for charging the battery) or even that famous Samsung jig (301KΩ Between pin 4 and 5 on the usb connection). It is not recognizable by any device while connected through usb interface. It is permabricked. The worst thing that can happen to a phone while the hardware is intact.
Although the name indicates otherwise, some things can be done in order to get the device working again.
It is a process in which the phone's main bored is exposed, than a special device (e.g riff box) is connected to certain areas on the pcb that were made that way for the initial configuration of the phone back in the factory. The pinout of the connection varies in each model, but the interface is the same and called "Jtag". Than, that device connects to a pc through usb interface.
So the first step would be to get that device and to connect it to both pc and phone's motherboard through a certain pinout that is mostly hard to get. You'll need a driver for that jtag flashing device and a compiled file which you would like to flash in to your phone. I don't know if that file is specific to each model or to the certain chip the phone is using (Can different models with the same chip be flashed the same way? Reply if you know and I'll edit it here).
By what I know, after flashing that file the phone will be accessible through usb interface for further flashing of the rom.
Alternatively, There are some companies that offer that kind of service. I couldn't find any who work with T989, and prices for that kind of service.
I would like to have as much information as possible and maybe eventually I'll be able to get my phone fixed. In that case I'll add some photos and document the process.
Click to expand...
Click to collapse
1st off, it's "taboo" not tabu. Secondly there is already a pretty good amount of threads that have covered this in detail, I'm certain because I have posted in them. Lastly, please SEARCH the existing threads before creating a new one; the answers to all your questions are already there.

1. Thanks, Changed to "Taboo".
2. I searched, I really did. I went all over google with many key words and covered up this forum as well. All I got is some articles about the jtag protocol, which is good for knowledge but too general for the application I need, and some threads in which people writing that their phone is bricked and asks what to do about it. Not a single post is about how to fix that independently, and what does it require. If you could give me link to these threads you say that covers up the subject, I'll delete this thread at once.

Michael.fri said:
1. Thanks, Changed to "Taboo".
2. I searched, I really did. I went all over google with many key words and covered up this forum as well. All I got is some articles about the jtag protocol, which is good for knowledge but too general for the application I need, and some threads in which people writing that their phone is bricked and asks what to do about it. Not a single post is about how to fix that independently, and what does it require. If you could give me link to these threads you say that covers up the subject, I'll delete this thread at once.
Click to expand...
Click to collapse
don't pay attention to that guy he like to troll every where he goes. Try to google search for mobile tech or Adam Outler, and check if he get the Jtag service for our phone. If I'm not wrong the charge for the Vibrant was $50.00 plus shipping and handling. I hope you can fix your phone.
Sent from my SGH-T989 using xda premium

Do you know what caused the brick?
Sent from my SGH-T989 using xda premium

Searched, and yet no result. Sending the phone to the U.S is quite risky. I have no idea how they're intended to pack it before sending it back. I would rather doing this in Israel.
I saw on ebay several devices associated with Jtag. the price starts from 10$ for a simple usb dongle, through 30$ devices, which is the price of most of the jtag devices I found, to the 150$ riff box that is associated with phone unbricking.
By what I know Jtag is a simple serial protocol. I just need sort of "bridge" to translate the logic 1's and 0's with the right voltage level and certain clock speed to a usb interface or even RS232. How expensive can that be?
I also contacted several ebay sellers which offer a jtag repair service. they all answered this model is not supported.
I would go to Samsung labs in Israel and see what they can do to get it working.
I just thought to invest 20$, get that sort of device and to get it done by my own.
Another issue is the pinout. The pinoput of the Jtag connection is not shown in any website, so I have no way of knowing how to connect on this specific PCB.
Last thing I need is that new bootloader I can flash, and a software to flash it through. Where can I download it?
About the reason for bricking the phone, I have no Idea. As I said, last time I've installed new rom was more than a week prior to the incident. I've used some overclocking app mostly to underclock my phone, cause it drained the battery like hell before, even while it was running on stock and after changing the rom several times.
I also used some usb otg device which worked normally, but was not plugged to the device even few hours before it was bricked.

Hopefully we can figure out the cause of these permabricks so we can prevent it from happening to more people.
Sent from my SGH-T989 using xda premium

I gotta say, this is quite alarming. That the phone can just hard brick itself like this spontaneously.
I've had some scary experiences with the phone myself. Like a couple of random reboots that required the long power press for the phone to power back on. At least it always came back on.
I'm also from Israel myself so a similar scenario can bring me to the same situation as you.
Good luck with getting any kind of solution.
Sent from my SGH-T989 using xda premium

parusia said:
don't pay attention to that guy he like to troll every where he goes. Try to google search for mobile tech or Adam Outler, and check if he get the Jtag service for our phone. If I'm not wrong the charge for the Vibrant was $50.00 plus shipping and handling. I hope you can fix your phone.
Sent from my SGH-T989 using xda premium
Click to expand...
Click to collapse
Troll for advising to follow the posted rules of membership ? WOW

I just contacted Adam and still no jtag for this device .
Sent from my Galaxy Nexus using XDA App

did you look for a service manual?
- the manual may cover schematics for jtag device.

Been flashing phones since the Razr and never bricked a phone I couldn't repair myself. That is until I tried to flash my GSII back to stock through odin. Sent it to Samsung and they had to replace motherboard. Now I'm a little nervous about using odin.

reocej said:
Been flashing phones since the Razr and never bricked a phone I couldn't repair myself. That is until I tried to flash my GSII back to stock through odin. Sent it to Samsung and they had to replace motherboard. Now I'm a little nervous about using odin.
Click to expand...
Click to collapse
I recommend splurging on the $2-3 for a jig, I have had moments where I thought I was SOL & the jig saved my arse.

Michael.fri said:
Last thing I need is that new bootloader I can flash, and a software to flash it through. Where can I download it?
Click to expand...
Click to collapse
Did you solve your problem?

I was looking at using QPST
QPST is a program often frowned upon here at xda. It is commonly used to flash phones, and has little to do with android coding. The software is made for Qualcomm (or by them) and this device has a chip from them in it. This has tools for building and installing bootloaders and partition tables. Our device after a hard brick (and still serviceable by JTAGing) has a com port open still and if you load the driver in windows you will see a port number as others here on XDA have said. The driver allows ODIN to see the device but not connect. QPST does connect, but I have not attempted to flash anything to it since I have not built any files to load. I'm kind of stuck creating the needed xml that makes the partition table and headers and file that are to be loaded to partitions. This is really a softbrick, in my opion, but nobody has the knowledge for this level of building and coding, with this tool, here at XDA. If somebody does, it may make those selling JTAG services mad, but that would mean we could fix our phones on our own. On my own, I'm a few weeks away from this solution, with some help from people here that know how to write xml for partition tables and can help me locate files for a build, I can generate the files, test them, make a write up and post the solution in just a few days.
By the way, this is a multi-device solution in the long run. We get one fixed and we can start on the others with this same issue, where the only life left in the device is the Qualcomm download mode driver showing in windows device manager.

Michael.fri said:
I had some research yesterday, yet I still can't find a proper answer to most of my questions about the following subject. Hoping some of the experts here can contribute some of their knowledge and hopefully I will edit this thread to a guide, or at least spare others the need for wondering around the web as I did.
Well, Few days ago I turned off my phone, and it wont turn on or response to any physical key combination, usb connection (Except for charging the battery) or even that famous Samsung jig (301KΩ Between pin 4 and 5 on the usb connection). It is not recognizable by any device while connected through usb interface. It is permabricked. The worst thing that can happen to a phone while the hardware is intact.
Although the name indicates otherwise, some things can be done in order to get the device working again.
It is a process in which the phone's main bored is exposed, than a special device (e.g riff box) is connected to certain areas on the pcb that were made that way for the initial configuration of the phone back in the factory. The pinout of the connection varies in each model, but the interface is the same and called "Jtag". Than, that device connects to a pc through usb interface.
So the first step would be to get that device and to connect it to both pc and phone's motherboard through a certain pinout that is mostly hard to get. You'll need a driver for that jtag flashing device and a compiled file which you would like to flash in to your phone. I don't know if that file is specific to each model or to the certain chip the phone is using (Can different models with the same chip be flashed the same way? Reply if you know and I'll edit it here).
By what I know, after flashing that file the phone will be accessible through usb interface for further flashing of the rom.
Alternatively, There are some companies that offer that kind of service. I couldn't find any who work with T989, and prices for that kind of service.
I would like to have as much information as possible and maybe eventually I'll be able to get my phone fixed. In that case I'll add some photos and document the process.
Click to expand...
Click to collapse
Mobile Tech offers the JTag service. There is even a discount for XDA members. They offer the service for all variants of the S2
Here you go!
http://mobiletechvideos.mybigcommerce.com/samsung-galaxy-s-ii-jtag-brick-repair/

daxxone said:
QPST is a program often frowned upon here at xda. It is commonly used to flash phones, and has little to do with android coding. The software is made for Qualcomm (or by them) and this device has a chip from them in it.*snip* On my own, I'm a few weeks away from this solution, with some help from people here that know how to write xml for partition tables and can help me locate files for a build, I can generate the files, test them, make a write up and post the solution in just a few days..
Click to expand...
Click to collapse
Any word on a fix using QPST?

[Discussion] Direct access to e-MMC to fix bricked KF? - CONFIRMED!

Hello! Been lurking for a while and just finally decided to post.
A little background: My first Kindle Fire 2 was rooted just fine. Everything worked for several months, then the screen went bad. Called Amazon and got a replacement sent over. The night I received said replacement, I decided that I wanted to try the 2nd bootloader + TWRP and install CyanogenMod. Unfortunately, I missed the part about reverting back to the older version of the bootloader before patching. Oops.
TLDR; Bricked KF2.
That brings me to the main focus of this topic: After reading a plethora of threads stating that there was no way to fix a bricked KF2 with the USB, I began thinking... Theoretically speaking, couldn't the e-MMC be accessed if it was taken out and mounted to an e-MMC to USB? This would allow reflashing the partitions and (hopefully) returning it to an unbricked state. Of course, that means remounting the e-MMC to the KF2 motherboard, but you can do wonders with a stencil, some solder paste, and a toaster oven, it seems.
Then, while searching for a good e-MMC to USB adapter, I stumbled across a very intriguing thread on hacking TomToms' NAV3 where the e-MMC is left on the device and wired to a MMC USB reader. Page 36 and 37 are the useful bits. (I can't post links yet, so this is the best to demonstrate): mobilescommunity.com/tomtom-discussions/178770-nav3-cracking-patching-copying-navcore-v10-v11-v12-36.html
At this point, I'm just waiting on an old, broken KF1 to arrive to track down where the leads go and possible solder points. I'll keep you posted as things progress.
Any comments, thoughts, suggestions?
P.S. I have a feeling that this would be better suited in the development forum, but as I am new, I can't post there. Assuming that this crazy idea actually works, (and considering that I'll probably have ten posts by then), I'll likely post a clean guide over on that forum.

i had my already taken apart cause of a broken screen, and one is for sure, there was no e-MMC or anything that you could take out and put into an adapter :\

I think you are not out of luck! Are you getting a red screen or is evrything dead?

Completely dead.
...and there is an e-MMC. On my KF2, it was under a piece of foam. If you look at it like you just took off the back cover (without moving the motherboard) from the bottom (the side with the usb port) it's on the right lower portion of the motherboard. It's a Samsung chip, KLM8G2FE3B-B001. There's also a line of solder points just below it. It looks like a decent number of the pins (which we can't see because it's a surface mount) go to that bank of solder points.
Since I still can't post real links/pictures: tinypic.com/r/20hppw5/5
Image credit: iFixit.
That picture is the motherboard from a KF1, but it's in the same location. It's the chip outlined in red.

Just a little update... Have a junk motherboard, the e-MMC is off, now I'm just tracking down where the pins go and possible solder points. It looks like the motherboard has exposed pads that will work well for soldering (my guess is they were originally access points for board/component testing?). I'll post again when I have more info.

Another update: I've tracked down solder points for DAT0-7, CMD, and CLK. I just need to track down the voltage (Vcc and Vss) and grounds (VccQ and VssQ). After that, I'll have pictures with it labelled. Then I need to work on soldering to said points and attaching them to a MMC reader, and praying that it works.

Hmm well if you can get your PC to recognize the emmc, with what I'm assuming is going to be Linux because of the fact the filesystem is ext4 on kindles last I checked, I'm curious if the modules that Linux have will recognize the device. If it does I wonder if u can simply use dd to flash the messed up partitions with the correct signed replacements. I wish I had your solder skills... I need a new tip for mine but I'm too lazy to go out and get one, much less do soldering on a kindle motherboard. If this works u could offer repair services to people, because I doubt most people would attempt this. I find this thread very interesting!
Sent from my Amazon Kindle Fire HD running CM10.1 Tablet UI using xda-developers app

Then good luck to you!
Hopefuly we will have an unbrick method...

Finished tracking down solder points. Attached are some pictures with them labelled. I'll be working on the actual soldering and connecting it to my computer in the next few days here as my mini-vacation is over and I have to go back to work tonight.

So! I have good news. I soldered everything together and plugged it in. Ubuntu auto-mounted all the partitions from the e-MMC! I'll post pictures on Friday as I'm about to take a nap before spending the next 24 hours at work.

I have a couple minutes on break, so I'm uploading a screenshot of Ubuntu with the partitions mounted. All my pictures of the board/SD card reader and solder job are on my camera at home, so I'll post those later.
Note: The partitions are on the bottom left of the window, the 17 MB one through the 929 MB one. Once I track down which one is the boot partition, I'm going to rewrite it with the original boot image and pray that has fixed the problem.

Wow this is awesome, I am very impressed at this. Now to just use dd to shove the boot loader down the emmc's throat. I wonder does linux recognize the fact that any of the partitions are signed in like gparted under a partitions properties? Not sure if u have gparted installed, probably have to install it from the repos. Also kinda curious about the partition layout as to how everything is ordered on the emmc, as gparted shows.
Sent from my Amazon Kindle Fire HD running CM10.1 Tablet UI using xda-developers app

stunts513 said:
Wow this is awesome, I am very impressed at this.
Click to expand...
Click to collapse
Thanks! Assuming this works, I'm thinking of designing a solder-less device to make all the connections. Soldering to those tiny pads on the motherboard was a pain!
stunts513 said:
I wonder does linux recognize the fact that any of the partitions are signed in like gparted under a partitions properties?
Click to expand...
Click to collapse
Is it the partition itself that's signed, or the boot files?
stunts513 said:
Also kinda curious about the partition layout as to how everything is ordered on the emmc, as gparted shows.
Click to expand...
Click to collapse
That's a really good idea. I'll make sure to take a screenshot of the partitions in gparted when I have a chance to work on it some more on Friday.

From what I understand not all, but some of the partitions are signed, like the boot loader, they have a 64kb signature in the partitions header if I remember correctly. That's also the reason we can't fix the device when we brick the boot loader, because these things show up as omap devices and we have the means to use that device and try to fix it, but we can't fix it because the initial file it loads up has to be signed. Your fix is kinda unorthodox, but hey, whatever works.:thumbup:bet amazon didn't think people would go this far to fix it. Heck technically if this works you could probably root it in this manor even if an exploit wasn't viable. Anyways for more I to on what I was talking about read q2, q3, and q4 of this post: http://forum.xda-developers.com/showthread.php?t=2228539
I personally want to look into why we can't just hex edit a image that's unsigned to clone a signed images signature, but I don't feel like opening up 2 huge files in a hex editor to compare the differences to see how the signature is in the file, not to me took that would be next to impossible I think since it would be difficult to try to make a partition exactly like the one on the kindle minus a signature (because even if u copied the files over, they wouldn't necessarily be in the stored in the exact same sectors of a partition), making it even more complicated for me to see the actual signature. Soupemagnet said this is impossible to do already and he knows what he's talking about so i seriously doubt I could do this.
Sent from my Amazon Kindle Fire HD running CM10.1 Tablet UI using xda-developers app

stunts513 said:
I personally want to look into why we can't just hex edit a image that's unsigned to clone a signed images signature, but I don't feel like opening up 2 huge files in a hex editor to compare the differences to see how the signature is in the file
Click to expand...
Click to collapse
I'd venture an (un)educated guess that TI considered this sort of tampering and the header is essentially an encrypted checksum for the image. That would make sense when you consider the need for proprietary software to "generate" a signed header.
An interesting idea while we're going down this road... I'd think the only thing that prevents us from brute-forcing (through trial and error) our way to some sort of method of generating the signed headers is that an attempt could only be made once (assuming an incorrect algorithm) before you'd end up with a paperweight, meaning up until now you'd need a LOT of Kindles to even hope to get close; however, assuming that what I'm working on works to restore the KF2 to functioning, one could rig up a port to reflash the image (with a header generated with a new algorithm each time) until either you wore out the e-MMC or you managed upon one that worked.
Perhaps we could run the idea by soupmagnet and see what he thinks?

Yea that's an interesting idea, I have no idea how u could generate headers to try to forge what the kindle has though, and I'm assuming if it is a 64kb signature, that is a huge amount of combinations. I'm assuming figuring out how to make a signed image is similar to how some key generators are made that take a activation code and spit put another code for you to use. Though I have no idea how they figure out the common denominators for making a code based on such. Its one thing in simple math but to do it to strings of letters and numbers is beyond me. Luckily we have several partitions for reference, if it was just one we'd be pretty screwed, assuming I have any idea what I'm talking about. Feel free to run the idea by him, I chatted with him before a little about something like this in some PM's.
Sent from my Amazon Kindle Fire HD running CM10.1 Tablet UI using xda-developers app

kurohyou said:
I'd venture an (un)educated guess that TI considered this sort of tampering and the header is essentially an encrypted checksum for the image. That would make sense when you consider the need for proprietary software to "generate" a signed header.
An interesting idea while we're going down this road... I'd think the only thing that prevents us from brute-forcing (through trial and error) our way to some sort of method of generating the signed headers is that an attempt could only be made once (assuming an incorrect algorithm) before you'd end up with a paperweight, meaning up until now you'd need a LOT of Kindles to even hope to get close; however, assuming that what I'm working on works to restore the KF2 to functioning, one could rig up a port to reflash the image (with a header generated with a new algorithm each time) until either you wore out the e-MMC or you managed upon one that worked.
Perhaps we could run the idea by soupmagnet and see what he thinks?
Click to expand...
Click to collapse
Let's say you are able to restore the device every time you brick it. In order for brute force to work, you would need to be able to flash the image, attempt to boot, restore the device when it fails, create a new disk.img while somehow generating a new signature for it, flash that one, etc....and it all has to be done automatically.
Putting that aside for a moment, there's a lot of speculation online about how long it will actually take to brute force just a simple 128bit encryption key. I've seen everything from several years to several hundred years. Multiply that by about 500 and you'll have an idea of the amount of time it would take to brute force a 64Kb signature, and that's without having to repack, flash, restore, etc. for every single iteration....so I highly doubt a brute force attack is even feasible in this situation.
You should probably just focus on getting the device restored so you can have yourself a little side business of restoring hard bricked 2nd generation Kindle Fires...although, it would be extremely nice if you shared with the community how you were able to do so...if you are ever successful that is.

soupmagnet said:
Let's say you are able to restore the device every time you brick it. In order for brute force to work, you would need to be able to flash the image, attempt to boot, restore the device when it fails, create a new disk.img while somehow generating a new signature for it, flash that one, etc....and it all has to be done automatically.
Click to expand...
Click to collapse
Sounds like a lot of work; although, I didn't expect anything less.
soupmagnet said:
Putting that aside for a moment, there's a lot of speculation online about how long it will actually take to brute force just a simple 128bit encryption key. I've seen everything from several years to several hundred years. Multiply that by about 500 and you'll have an idea of the amount of time it would take to brute force a 64Kb signature, and that's without having to repack, flash, restore, etc. for every single iteration....so I highly doubt a brute force attack is even feasible in this situation.
Click to expand...
Click to collapse
What, you're telling me that cracking the encryption in a few million years from now wouldn't be useful?
It probably didn't help that in my sleep-deprived state last night, I failed to differentiate between 64kb and 64bit. Oops.
soupmagnet said:
You should probably just focus on getting the device restored
Click to expand...
Click to collapse
That's always been the focus, but I also figured that while we're here discussing things (and with confirmed access to the e-MMC now), why stop with just the basic restore to working when there's the possibility of more?
soupmagnet said:
although, it would be extremely nice if you shared with the community how you were able to do so...if you are ever successful that is.
Click to expand...
Click to collapse
Of course I'm going to share! As soon as I finish the last few steps here and confirm that it's working, I'm going to post a guide over on the Development forum. I don't know how many people will be comfortable with the soldering part, though. It was a beast trying to solder to the motherboard. I do plan on trying to develop a solderless method, probably by fabricating a board that connects to all the important points and secures to the motherboard itself (probably using the screw holes).

Some more images, now that I'm home.
Here's what everything looks liked when it's soldered together:
Here it is connected to the computer:
...and finally, a screenshot of the partitions in gparted:

Sweet, didn't realize how many partitions the kindle had. So now all we need to figure out is which partition of those is the bootloader partition, so u can try flashing the boot loader with the dd command. Might I suggest backing up the entire emmc device with dd instead of just some of the partitions? Also was wondering if all goes well, if the kfhd's emmc pin layout is the same, be nice if a solderless bolt on version could be truly "universal" for all kindles, shape wise it wouldn't be a problem as long as the bolt-on-board has multiple hole configurations.
Sent from my Amazon Kindle Fire HD running CM10.1 Tablet UI using xda-developers app

Galaxy watch Active 2 boot loop after trying change region. Please HELP!!!!

Hi,
I have a samsung watch active 2 model R825F (Canadian LTE model)
I tried to change region with Odin. The installation was ok since Odin display success. But when it restart, it begin looping start indefinitely.
I tried boot menu : turn off the watch, recovery, wireless mode but nothing work, it keep boot looping.
So i can't use wireless since i have the flower showed but cant go to AP mode. I tried the 2seconds, 1 second on power button but don't' work. (I read a lot topic on this forum)
I decided to send it to Samsung authorized repair center, and they say that they must replace the main board and back sensor for 300$ (ridiculous, new one is 260). I don't think that so I refused the repair. Is it possible that changing firmware can make physical damage ?
So i have a little hope that there is a solution to solve that. Can anyone help please?
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Firmware i try to install with odin : COMBINATION-FT40_R825USQU1ASL2.tar.md5

COMBINATION-FT40_R825USQU1ASL2.tar.md5
Tizen 4 crap seems "obsolete" dangerous... because some "magic" changes in Tizen 5.5 crap...
So they increased Security crap for Rollback Prevention s h i ...
You could try USB cable action... like this:
Galaxy Watch Active 2 44mm SM-R820 Odin Stuck
Hi, I have a SM-R820 and for mistake I flashed a incorret firmware (SM-R830) and now my watch it's bricked (?), It will allow me tho se the boot menu but all the options take me to the same screen, so I can't use the Download wireless again to...
forum.xda-developers.com
If you have access to 3D Printer... then look maybe here:
USB ODIN 3d Printed Cradle
Showing one option to connect USB connector to watch with the help of a 3d printer. Connection on the PCB pads were made using safety pins secured on the back of the 3d printed cradle. Some points, An extra support part is glued at the back of...
forum.xda-developers.com
Some general info is here:
SM-R765F Teardown
Dear friends, I found that the LTE connection is very useful when you have to leave your mobile somewhere and you can get calls and notifications through mobile connection. I bought a Gear S3 LTE (R765) from a Singapore site because in Italy it...
forum.xda-developers.com
And this is Pro solution if you have Original repair stuff...
SM-R825F CSC change tutorial
New Tutorial for Tizen 5 on SM-R825F The following guide is just a tutorial on how I changed the CSC, if you decide to follow it you take every risk Step#0: Charge your watch to >90% charged Step#1: Download 'NETODIN'...
forum.xda-developers.com
Best Regards

adfree said:
COMBINATION-FT40_R825USQU1ASL2.tar.md5
Tizen 4 crap seems "obsolete" dangerous... because some "magic" changes in Tizen 5.5 crap...
So they increased Security crap for Rollback Prevention s h i ...
You could try USB cable action... like this:
Galaxy Watch Active 2 44mm SM-R820 Odin Stuck
Hi, I have a SM-R820 and for mistake I flashed a incorret firmware (SM-R830) and now my watch it's bricked (?), It will allow me tho se the boot menu but all the options take me to the same screen, so I can't use the Download wireless again to...
forum.xda-developers.com
If you have access to 3D Printer... then look maybe here:
USB ODIN 3d Printed Cradle
Showing one option to connect USB connector to watch with the help of a 3d printer. Connection on the PCB pads were made using safety pins secured on the back of the 3d printed cradle. Some points, An extra support part is glued at the back of...
forum.xda-developers.com
Some general info is here:
SM-R765F Teardown
Dear friends, I found that the LTE connection is very useful when you have to leave your mobile somewhere and you can get calls and notifications through mobile connection. I bought a Gear S3 LTE (R765) from a Singapore site because in Italy it...
forum.xda-developers.com
And this is Pro solution if you have Original repair stuff...
SM-R825F CSC change tutorial
New Tutorial for Tizen 5 on SM-R825F The following guide is just a tutorial on how I changed the CSC, if you decide to follow it you take every risk Step#0: Charge your watch to >90% charged Step#1: Download 'NETODIN'...
forum.xda-developers.com
Best Regards
Click to expand...
Click to collapse
For the pro solution, what are the original repair stuff? Where i can get them? Are they usb connection to use odin?

Maybe try this post... from 2017...
Gear S3 Root and Kernel Source! (Android Wear Port Thread)
Hey guys! Some of you might know me from the LG G5 scene, but I have since moved on from there and am hoping to make some progress with the Gear S3 :) After doing some digging and paying zero attention in class today, I came across the kernel...
forum.xda-developers.com
Maybe then more clear what I mean with Pro...
1 more hint...
Samsung R&D
Samsung Service
Samsung "Partner"...
I am too lazy to search for the part number for GWA2...
Here old example...
Samsung GH81-12016H Service Jig-Pogo 3G, | TVserviceParts.com
This Samsung GH81-12016H Service Jig-Pogo 3G,
www.tvserviceparts.com
Only example! NOT for GWA2 nor for SM-R825
Best Regards

adfree said:
Maybe try this post... from 2017...
Gear S3 Root and Kernel Source! (Android Wear Port Thread)
Hey guys! Some of you might know me from the LG G5 scene, but I have since moved on from there and am hoping to make some progress with the Gear S3 :) After doing some digging and paying zero attention in class today, I came across the kernel...
forum.xda-developers.com
Maybe then more clear what I mean with Pro...
1 more hint...
Samsung R&D
Samsung Service
Samsung "Partner"...
I am too lazy to search for the part number for GWA2...
Here old example...
Samsung GH81-12016H Service Jig-Pogo 3G, | TVserviceParts.com
This Samsung GH81-12016H Service Jig-Pogo 3G,
www.tvserviceparts.com
Only example! NOT for GWA2 nor for SM-R825
Best Regards
Click to expand...
Click to collapse
And for gwa2 it exist? And how it works? It seems working by pin contact, but there is no pin in gwa2. Can you give more details?

Can you give more details?
Click to expand...
Click to collapse
Really excuse me...
I am sure I gave ALL infos you need... maybe check again all my posts in this Thread...
IMHO your turn...
Last tiny hint...
Maybe there is an reason, why other users made own USB cables... homemade...
Good Luck.
I have not soooo much time and energy to waste...
Best Regards

Is anyone here have the same problem on same watch model and find solution ?

FT55 Combination Firmware for repair attempt... AUA4:
SM-R825F CSC change tutorial
New Tutorial for Tizen 5 on SM-R825F The following guide is just a tutorial on how I changed the CSC, if you decide to follow it you take every risk Step#0: Charge your watch to >90% charged Step#1: Download 'NETODIN'...
forum.xda-developers.com
Best Regards

kaishef said:
Is anyone here have the same problem on same watch model and find solution ?
Click to expand...
Click to collapse
Hi @kaishef . I'm going to sound a little blunt here, but I'm only trying to help.
@adfree has linked everything you need to get your watch fixed and running (if it is possible to do by yourself). It will take a few hours of reading but you can figure it out if you read it enough times.
If you can't move forward at any step, come back and tell us which specific part you're stuck on and we'll try to help. But we have no idea what progress you've made and where you're having difficulty... how are we supposed to help? We can't come to your home and fix your watch for you, you have to do it yourself, and we can only help by answering clear, objective questions.
I'm not trying to be rude, but this is how volunteer help works on forums like this. I've learnt this over the last 11+ years on XDA that this forum is a treasure trove of info and good samaritans willing to help. You get more support here from people than you do from the manufacturer of the device! But there's very little spoon feeding to be expected here. Nearly everyone has a life outside of XDA and no actual obligation to help. We all do it out of love and passion and in some cases, raw talent, in our free time. We are all willing to help you, even if it takes going out of the way. But you have to meet us halfway too...
Let me try to outline the process for you once:
1. Flashing older Tizen formware over newer software will brick your watch (eg flashing 4.4 over 5.5). It's due to a software feature called Rollback Prevention that Samsung does on a low-level firmware update.
2. Usually this is a soft brick and can be salvaged by flashing back the newer, correct firmware on your watch.
3. The problem is, that usually a bad flash kills your Wireless capability and you can't use NetOdin to flash the firmware on your watch anymore.
4. This can be solved by using regular USB Odin, which doesn't rely on a functioning wireless capability.
5. The USB connection for watch is located under the watch at 12 o clock position under a kidney bean shaped cover that is removable (look for a small notch on the right side of the cover. Underneath the cover, you will find the PIN contacts for the USB connection. This helps you connect the watch to your PC with a USB cable. One end of the connecting wire is USB A that plugs into your computer, and the other end has to be connected to the pins on the watch. But the PIN connector not use any standard interface like micro-USB etc so you'll have to find a way to keep the USB wires firmly connected with the contact points through the entire software flashing process.
6. There are many different ways to do this. You could make POGO pin docks, makeshift hand-held pin connectors, 3D printed docks for the watch that mimic service dock modules that Samsung uses (if you have a 3D printer), or ask a friend or employ someone to print one for you. You could try to buy a readymade one online. And if you're very good with soldering, you could just solder the wires into place on the pins - there are many ways to reach the same destination. It will depend upon your skills and the resources available to you. Oh, and as to which wires go to which pins, even that is mentioned in the posts linked above.
7. Once this is done, all you have to do is load up ODIN on your computer, confirm that the watch is detected by it successfully, and flash the correct firmware.
This is your way to connect the watch to your computer via USB when wireless Odin is not an option.
Now, if you go through the links @adfree posted above, it covers all that I summarised, but in much greater detail. Some of them are long threads that document the journey of other people like you who got stuck and figured out the problem with trial and error. Those posts are also worth reading. It will take time and effort, but it is do-able, unless you've hard bricked your watch or discovered a new problem that nobody on these forums has encountered before. But we can try to figure that out...

Thank you very much.
The best option for me is to find this. But i searched a lot and nothing. Someone already bought it?

Someone already bought it?
Click to expand...
Click to collapse
Yes.
Samsung R&D
Samsung authorized Service
Samsung Partner
1 more hint...
I decided to send it to Samsung authorized repair center, and they say that they must replace the main board and back sensor for 300$ (ridiculous, new one is 260). I don't think that so I refused the repair.
Click to expand...
Click to collapse
Exact these guys who gave you info about 300$...
Maybe now clear?
Last Regards

I am from Germany...
I guess you are from Canada? Maybe...
Find Repair Shop where they can do this for you...
Your Watch from Odin Screen is 100% okay...
No Combination Firmware Bootloader...
Warranty Void is perfect:
0 (0x0000)
You simple need somebody, who flash for you Stock Firmware... via USB... then Watch should work again...
Maybe they want money from you...
Maybe pay 20 - 50 Dollar...
But IMHO better as your plan.
Best Regards

Also Line with AP Software Revision looks perfect...
AP SWREV: B:1 K:0 S:0
Only reason to deny your repair wish...
If this Watch is not bought in your Country... IMEI Serial Number etc not valid for your Country...
Its NO shame if you are scared to build own USB wire connection..
IMHO I spend now enough time for you...
Best Regards

Yes im frensh canadian(sorry for my english) , and the watch is canadian. Im from quebec and the only one repair center is in ontario. They said that the main board must be replaced (i think that is not true)
I cant find who repair it, i serched a lot.
I will try to contact them if they sell the usb cable.
If not, i think i will stop the process.
Thank you very much for your time. I read all the thread you gave me.

kaishef said:
Yes im frensh canadian(sorry for my english) , and the watch is canadian. Im from quebec and the only one repair center is in ontario. They said that the main board must be replaced (i think that is not true)
I cant find who repair it, i serched a lot.
I will try to contact them if they sell the usb cable.
If not, i think i will stop the process.
Thank you very much for your time. I read all the thread you gave me.
Click to expand...
Click to collapse
Best of luck. I hope with the proper "motivation" you are able to convince the service center people. I doubt they will let you buy the cradle but maybe you can get them to let you use it, or just flash the correct firmware for you, as long as they can keep this transaction off the Samsung books.
If not, are you comfortable with trying to make your own makeshift adapter? Or opening up the watch and doing some soldering?
If you're going to write off the watch as a total loss, there is no harm in trying out some Frankenstein project. May give you a chance to revive it.