This modification will go like this:
http://forum.xda-developers.com/showthread.php?t=1206216
note: this modification seems to look slighty different on S8500 than S8530 (slighty different board layout) - please check this post - http://forum.xda-developers.com/showthread.php?p=17724584#post17724584 (still needs testing)
This can be applied to a bricked phone and unbrick it without JTAG.
After that, unbricking your Wave will be almost as easy like this is (need kinda different soft, as following movie been made with SGS series phone):
See here for more info about unbricking Captivate:
http://forum.xda-developers.com/showthread.php?t=1242466
(Unbricking Wave tools are on its way)
I haven't tested it by myself but it will work. I did teardown of mine S8530 damaged mainboard.
Introduction
I'm not kidding when I say UnBrickable. Modifying the OM pins means you
can boot from USB, UART or MMC. This makes the phone quite UNBRICKABLE.
There is nothing you can do software wise to prevent the device from
booting into this mode. We are communicating with the unrewritable,
efused IROM on the processor. It's the thing that makes the system on a
chip into a "system on a chip".I am here now to tell you how to turn
your Samsung Wave into a KIT-S5PC110 development board. The
KIT-S5PC110 development board is the platform used to develop our
phones. There are some differences between this mod and the official
development platform. The S5PC110 has a removable internal SDCard and
no touchscreen.
Why would you want to do this? When you plug in the battery and
connect it to the computer in "off" mode, it will become an S5PC110
board awaiting download of a program to run. This occurs long before
anything like software or firmware enters the processor. This is the
IROM of the device awaiting commands or a power on signal.
Because it is accepting a memory flash, anything may be put onto the
device to perform a boot sequence..... Apple iOS (iPhone4 has the same
processor) WP7 (mango supports this processor).
This will be a replacement for JTAG once we are able to make some
firmware. How could it possibly be better then JTAG? Let's count the
ways....
1. The only part required is a wire.
2. No shipping time.
3. No cost for a box to interface the computer.
4. Permanent.
5. Can be done as a preventive measure.
6. Gives the ability to test new Bootloaders temporarily.
7. Allows development of the entire system.
8. Removes worry about flashing and acts as a backup.
After performing this mod:
Remove the battery, replace the battery, your phone will connect to the
computer via USB and await commands. Otherwise it will pretty much act
like a Droid Charge. See the Special Instructions section.
Modification
You will need:
1. Get someone who knows what they're doing with a soldering
iron. If they don't know what flux is, then they don't know what
they're doing. You can speak to AdamOutler or
Connexion2005(aka MobileTechVideos.com). I don't know who from Europe region is able to perform this mod, I still need some more soldering practice, probably in month or two I will be also able to perform this.
2. soldering iron - make sure it's sharp, if it's not sharp, then
sharpen it, flux it and retin it.
3. flux
4. solder
5. tweezers
6. A relay (possibly- for the wire within to use as a bridge)
Performing the modification:
1. tear apart your phone... Make sure to take out your SIM and external
SDCard before you do this.
1A. Remove the mainboard (you can see on the movie how to do it)
S8500 disassembly movie (S8530 looks basically the same):
Mainboard picture:
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Closer picture:
xOM resistors mapping:
2. Perform the mod by removing the xOM5 resistor and connecting its active (CPU) side to the active side of xOM0 or xOM3 resistor (so it become pull-up instead of pull-down).
3. Reassemble the phone.
Special Instructions
This may change battery charging sequency, or even disable it when the phone is turned off (it may be needed to turn on the phone first) <-- needs some tests
To turn on the device, and operate in normal mode, you must hold the
power button for 5 seconds.
3 button Download mode works as usual, however you must not have the
S5PC110 drivers installed on the computer. 301Kohm Factory Mode JIGs work as well, but you must press power to bypass the S5PC110 iROM dload mode.
Conclusion
Congratulations. You now have a device which works like a KIT-S5PC110
with an OM Value of 29. Now get to developing some serious custom
software. See here for setting up the UART output
http://forum.xda-developers.com/showthread.php?t=1235219
Reading material
Creating your own Samsung Bootloaders:
http://forum.xda-developers.com/showthread.php?t=1233273
KIT-S5PC110 manual: http://www.mediafire.com/?94krzvvxksvmuxh
how to use DNW: http://tinyurl.com/dnw-how-to
Flash using openOCD and DNW:
http://www.arm9board.net/wiki/index.php?title=Flash_using_OpenOCD_and_DNW
another DNW example:
http://www.boardset.com/products/mv6410.php
ODroid dev center:
http://dev.odroid.com/projects/uboot/wiki/#s-7.2
Drivers and utilities
This will be an ever expanding list
Windows Drivers
http://forum.xda-developers.com/attachment.php?attachmentid=678937&d=1312590673
Windows Download Tool DNW:
http://forum.xda-developers.com/attachment.php?attachmentid=678938&d=1312590673
Windows Command Line Download Tool:
http://forum.xda-developers.com/showpost.php?p=17202523&postcount=27
Linux DNW Utility:
http://dev.odroid.com/projects/uboot/wiki/#s-7.2
Firmware
One-Click Resurrector (made for SGS series):
http://forum.xda-developers.com/attachment.php?attachmentid=705515&d=1314762609
Bootloader Hello World by Rebellos
http://forum.xda-developers.com/attachment.php?attachmentid=698077&d=1314105521
Please note that we are not yet able to rebuild Wave's NV_Data, so if you damage your IMEI (by trying to flash SGS stuff before dumping your oneNAND through Badadroid) you have to deal with it on your own.
Thanks to Adam Outler.
Please message me or simply make post here if you perform this mod and need any additional info.
Already done MODs:
Captivate (the first one): http://forum.xda-developers.com/showthread.php?t=1206216
Droid Charge: http://forum.xda-developers.com/showthread.php?t=1245391
It is important to note that this modification has never been performed on a S8500 before. Rebellos is very competent and will work out the details of the firmware portion. His HIBL allows insecure code to be loaded to the device and it is extremely likely that this modification will lead to easy development of alternate firmwares for your device. This mod enables a special download mode which will allow you to experiment freely as long as you have a backup of your EFS and critical data.
Once Rebellos is able to get the firmware operational, and he will likely work with you directly and remotely if you're willing, recovery of the S8500 will be this easy:
We are fully confident in this modification and if you have a bricked S85**, please send a PM to Rebellos. He will develop a firmware rather quickly to resurrect the device and then everyone will have an UnBrickable Wave!
Bonus - have you been ever wondering how does PoP BGAs or S8530 mainboard without CPU does look?
http://i53.tinypic.com/xlf8rt.jpg
From the left to right:
- oneNAND+oneDRAM+DRAM package
- Hummingbird CPU
- S8530 Mainboard
If you want I can take better macro photos of these. Also if someone want to try reballing of memory package (CPU has got burned core) I can donate it to him. However it has got like 0.1mmx0.1mm size balls. Maybe if I ever get rich and smart and I get bionic hand, I'll make a board under this package.
So Adam Did you try this with the Wave S8500/S8530 ??? or you still need a Wave for donation ???
I am very interested in this but i won't do it because i heard about some stability problems after removing the resistor
Also i have a question...Can i put the resistor back after unbricking my device or it will be totally fried??
Best Regards
You can put the resistor back if you manage to. SMD elements are usually high-temp resistable.
There is no stability problems if you connect it to some other pullup or pulldown resistor.
CPU will become unstable only if you remove resistor and leave xOM5 line unconnected to anything as it'll take electrostatic charges and induce voltage from other elements and electromagnetic field causing noise inside of CPU when not grounded or HIGHed.
you mean it will act like a really tiny capacitor (i am electrical engineering student)
Do you think that mod will reach the mobile repairing shops?
i mean if you could write a good bootloader that will dual boot android and bada (yes i think you are genius enough) then this can go to mobile shops to get it done by experts hands that will be awsome(i've never opened up my Wave and don't have much experience to do this)
You will get donations for this for sure
Best Regards
mylove90 said:
So Adam Did you try this with the Wave S8500/S8530 ??? or you still need a Wave for donation ???
I am very interested in this but i won't do it because i heard about some stability problems after removing the resistor
Also i have a question...Can i put the resistor back after unbricking my device or it will be totally fried??
Best Regards
Click to expand...
Click to collapse
Rebellos performed the destructive inspection on his own device. The work is complete, you may modify your device according to the specs above. This will allow you to boot from USB.
You may be able to put it back, but it's not likely, and you will never need to.
MobileTechVideos.com is already offering this service for Captivates as the mod is finished and we have it working fully on Linux platform. All thats left for Wave is for Rebellos to work with someone who has a working Wave (maybe 1 hour via google talk). Modify your device and PM Rebellos.
If your device is broke this will resurrect it. If your device is not broken, this will allow you to flash Android ROMs without fear of permanent damage.
I think Rebellos already has worked out the changes needed to the bootloaders to run Android on Bada with the BadaDroid project.
mylove90 said:
you mean it will act like a really tiny capacitor (i am electrical engineering student)
Click to expand...
Click to collapse
No. Rather like tiny not-grounded antenna or induction coil, which transforms all magnetic field jitters into small, noisy voltage current, which are very annyoing for CPU.
(thats why in electronic chips all pins should be connected to something which can provide stable LOW or HIGH state, if they doesn't support internal PUD mechanism)
mylove90 said:
Do you think that mod will reach the mobile repairing shops?
Click to expand...
Click to collapse
That would be awesome. Writing dual-boot bootloader isn't a huge deal, but needs some work and designing, for example problem is that oneNAND (the fastest flash memory we can use) size is only 512MB, so it can hold only like 150% of 1 OS files. That could be solved by moviNAND repartitioning and modifying bada kernel properly to not wipe Android partitions.
AdamOutler said:
I think Rebellos already has worked out the changes needed to the bootloaders to run Android on Bada with the BadaDroid project.
Click to expand...
Click to collapse
Yup, got these files ready. But I don't want to release something completely untested.
//edit:
Here you have links to modified S8530 and S8500 BL3 images.
Original, decrypted and extracted and ones can be used aswell, but needs dload-mode key combination to be hold. The modified ones does enter DLoad mode immediately.
Entrypoint for both is 0x42480000
http://hummingbird-hibl.googlecode.com/svn/trunk/HummingBirdInterceptorBootloader/S8500_BL3.bin
http://hummingbird-hibl.googlecode.com/svn/trunk/HummingBirdInterceptorBootloader/S8530_BL3.bin
I'm not seeing any action here. If you bricked your device, this will resurrect it.
Rebellos, you want me to start working on the Ultimate One-click resurrector? I don't feel motivated since Boone has put your work of proper pin identification to work... maybe the Bada guys don't DIY, or they just rather pay for JTAG?
Using this mod you can get Android on your device. You can load other device's firmware. Its very powerful and allows you to revert all changes.
AdamOutler said:
I'm not seeing any action here. If you bricked your device, this will resurrect it.
Rebellos, you want me to start working on the Ultimate One-click resurrector? I don't feel motivated since Boone has put your work of proper pin identification to work... maybe the Bada guys don't DIY, or they just rather pay for JTAG?
Using this mod you can get Android on your device. You can load other device's firmware. Its very powerful and allows you to revert all changes.
Click to expand...
Click to collapse
Maybe it's just because Wave users groups is much smaller than Cappy, also it isn't Android device, so people aren't flashing it so often as Cappy. Or they are just scared the crap out of DIY. ;d
it is not like that
Wave is not easily bricked (thank Samsung for that)
Until now i saw people with out knowledge who bricked it
Rebellos , you know bootloader is flashed in nearly 2 seconds and the phone will be bricked only if you did something wrong in these 2 seconds
i promise if my Wave bricked i'll try that method but where is the software stuff ?!
Please complete what you started Adam , Rebellos
Best Regards
mylove90 said:
it is not like that
Wave is not easily bricked (thank Samsung for that)
Until now i saw people with out knowledge who bricked it
Rebellos , you know bootloader is flashed in nearly 2 seconds and the phone will be bricked only if you did something wrong in these 2 seconds
i promise if my Wave bricked i'll try that method but where is the software stuff ?!
Please complete what you started Adam , Rebellos
Best Regards
Click to expand...
Click to collapse
Under Linux-- The HIBL gets loaded with this command:
Code:
sudo smdk-usbdl -f ./HIBL.bin -a D0020000
the SBL gets loaded very similarly
Code:
sudo smdk-usbdl -f ./S8500_BL3.bin -a 42480000
You should boot at this point. The HIBL is standard, the BL3 is provided in post 8 http://forum.xda-developers.com/showpost.php?p=17311448&postcount=8
Hi, first of all, sorry for my bad english, i'm spanish.
I bricked my wave more than one month ago. I have disassembled the phone but the xOMS mapping isn't the same. I have tried to modify the xoms but no results. Here are one photo of the xoms mapping, if you know who is the mod than i must to do, i'll try to do.
Here are the photo: h**p://i51.tinypic.com/wk1x52.jpg
This is my first post, i cant post links, change ** for tt.
jomadeto said:
Hi, first of all, sorry for my bad english, i'm spanish.
I bricked my wave more than one month ago. I have disassembled the phone but the xOMS mapping isn't the same. I have tried to modify the xoms but no results. Here are one photo of the xoms mapping, if you know who is the mod than i must to do, i'll try to do.
Here are the photo: h**p://i51.tinypic.com/wk1x52.jpg
This is my first post, i cant post links, change ** for tt.
Click to expand...
Click to collapse
Sorry. I assumed that S8500 board is the same, because schema in service manual is the same. However, it seems that there are differences.
Also see your mistake.
You connected some pulled up line straight to GND, you just made some resistor (I haven't traced it, it doesn't seem to be xOM, if order is the same) pull-down.
I'm sure the upper-left row of 3 are pull-ups, the bottom-right row of 3 are pull-downs. So resistors order should be the same.
All X resistors are pull-ups, with VCC on the upper side.
VCC line is marked purple
part of GND is marked by red spray - you can see it is big baseline, going through whole board.
second and third X resistors counting from the left should be xOM0 and xOM3.
1, 5, 2, 4 correspond to the xOM lines, they have CPU and GND sides arranged the same as on my picture from S8530 - 1,5,2 has GND on the downside, 4 has got GND on the upside.
The easiest way is connecting some VCC side of any X resistor with CPU side of xOM5 resistor, IF xOM5 resistor is 100kOhm or higher (should be around 100kOhm). If it is not - you should unsolder xOM5 resistor.
You can also connect CPU side of any X resistor with CPU side of any xOM5 resistor (theoretically the safest way, however mentioned above - short circuiting VCC with GND through 100kOhm resistor - is used on Samsung's dev board) IF you can find X resistor with resistance few times smaller than xOM5.
I'm sure this will work if done properly.
Remember to remove the soldering you've done already. Also remember to not leave xOM5 line not-connected to GND nor VCC - this will cause CPU to hang often.
Your board:
My board:
Can you see similiarities? I hope so.
After that just try ModeDetect by AdamOutler http://forum.xda-developers.com/showthread.php?t=1257434
And you should see UnBrickable Debug.
Thanks for the info Rebellos, later i'll try and post the results.
I can't unbrick my phone, after disassemble the phone and mod another time, obtain the same result, no answer on the phone and can't find the device in linux. Probably the reason is that the mod that i have done are incorrect (i haven't the tools necesary). For more info, i used Ubuntu 11.04 under virtualbox and under livecd. Thanks for all, and sorry but my experience can't help you in the development of this tool.
jomadeto said:
I can't unbrick my phone, after disassemble the phone and mod another time, obtain the same result, no answer on the phone and can't find the device in linux. Probably the reason is that the mod that i have done are incorrect (i haven't the tools necesary). For more info, i used Ubuntu 11.04 under virtualbox and under livecd. Thanks for all, and sorry but my experience can't help you in the development of this tool.
Click to expand...
Click to collapse
If you simply remove the resistor, about 1/2 of the time it should enumerate properly with the battery removed from the device. Once you have unbricked, jumper the xOM5 to something (high or low) so that it's not free floating.
hmmm Port Android easier, i see, but i am always asking myself why putting so much energy in a device that is after 2 years surely gone from market? (Only a question)
The energy could be put in other directions but everyone has his special hobby...
Seeying this android port will be maybe finished when everyone gets new device, for personal it has no sense to put the free time in such projects.
I know what i am talking about, i developed slyfer 3 months, hacked their server got for 9 months all firmwares, but what i have now from this? Nothing, i am very sad that i put so much time in such a project with no future, maybe you guys understand what i mean. So much skills can be on other site usefuller.
@Rebellos, why you dont try a "jailbrake" like for bada? You have the skills for that, but it seems that all of your energy will go in the bootloader for android, so around more than 50% (cause a lot arent on forums) will not have benefits from it. But anyway its your work and decision. And as we all know a not possible for bada doesnt exists.
Everything is possible.
But think about it the life is short, maybe things that helps all would make you also happy as me, but if you already know that your work will be in nearly a year for nothing it would be better to search another thing to kill time. Slyfer now is a dead program with no sense, it only shows me that i made it some day but uselesser it cannot be like this:
http://www.youtube.com/watch?v=UkgoSOSGrx4
Only my thinking.
You have the skills for that, but it seems that all of your energy will go in the bootloader for ...
Click to expand...
Click to collapse
Why not improve Reversing skills...
Bootloader knowledge is mandatory for deeper research/develop of Hardware or Software solutions...
Not everyone need it or understand it.
Anyway.
Its free decision.
@ larioteo
You are interested in Software ...
Others are interested in Hardware... like me...
Rebellos for instance like to learn more about Hardware + Software.
@Rebellos, why you dont try a "jailbrake" like for bada?
Click to expand...
Click to collapse
You know the answer...
Compression Algo of apps_compressed.bin (same for RC1 and CSC Languages... aka QMD compressed stuff) is not complete hacked...
Bootloader contains Algo for QMD...
Best Regards
Jomadeto, sorry for that it didn't worked
Larioteo, that movie is awesome. Thank you.
Excuse me little offtopic, but... maybe someone can PM me this
What exactly is jailbreak?
According to first phrase of this definition:
http://en.wikipedia.org/wiki/IOS_jailbreaking
We do already have jailbreak. Through modified FOTA we can force BL to load any ARM binary, any modified bada apps and so on. Just gimme practic target and I can try to achieve it someway. (I hope I'll have dev board soon )
But, beggining studies in 3 days, so ain't sure how much time I'll have for various hobby R&D.
Related
This is a question for those in the know when it comes to programming.Why isn't there a way to revive a bricked phone? Can't there be some method for a host computer to manually write the radio to the device? How does HTC fix a bricked phone for it to be a refurb?
I'm just very curious about this because I see a few people attempt to update the radio only to lose power and brick their EVO. I have no programming experience so don't know what goes on at the internal component level. Thanks in advance for your input.
It goes back to the old bootstrapping problem when computers were being developed. A computer (in this case, your cell phone) is pretty dumb at the hardware level. All it can do is run programs. That's ALL it can do. It can't even load a program, only run them. Thus the problem. It gets solved by injecting a "bootstrap" program at startup (from the phrase "pull yourself up by your bootstraps") which is a program that runs and gives access to all the I/O, and the computer can then load more programs.
When you update this bootstrapping program, it gets dicey, because if it isn't written right, or if there's a glitch during the update, this most basic of all functions gets corrupted. If the program that tells the phone how to load programs goes away, all the phone can do is... sit there. Like a brick.
Hope this helped!
That helped me, thanks.
Soylent Grin said:
It goes back to the old bootstrapping problem when computers were being developed. A computer (in this case, your cell phone) is pretty dumb at the hardware level. All it can do is run programs. That's ALL it can do. It can't even load a program, only run them. Thus the problem. It gets solved by injecting a "bootstrap" program at startup (from the phrase "pull yourself up by your bootstraps") which is a program that runs and gives access to all the I/O, and the computer can then load more programs.
When you update this bootstrapping program, it gets dicey, because if it isn't written right, or if there's a glitch during the update, this most basic of all functions gets corrupted. If the program that tells the phone how to load programs goes away, all the phone can do is... sit there. Like a brick.
Hope this helped!
Click to expand...
Click to collapse
Thanks for the info. That is interesting. So how does HTC initially put the bootstrap in and/or how do they handle a bricked phone?
Soylent Grin said:
It goes back to the old bootstrapping problem when computers were being developed. A computer (in this case, your cell phone) is pretty dumb at the hardware level. All it can do is run programs. That's ALL it can do. It can't even load a program, only run them. Thus the problem. It gets solved by injecting a "bootstrap" program at startup (from the phrase "pull yourself up by your bootstraps") which is a program that runs and gives access to all the I/O, and the computer can then load more programs.
When you update this bootstrapping program, it gets dicey, because if it isn't written right, or if there's a glitch during the update, this most basic of all functions gets corrupted. If the program that tells the phone how to load programs goes away, all the phone can do is... sit there. Like a brick.
Hope this helped!
Click to expand...
Click to collapse
Thanks good explanation appreciate that.
rafroehlich2 said:
Thanks for the info. That is interesting. So how does HTC initially put the bootstrap in and/or how do they handle a bricked phone?
Click to expand...
Click to collapse
There is probably a JTAG interface somewhere in there. In fact,that's how the original hack of the IPhone was done. (Better ways were since found) Most devices have a quasi standard interface for programming the flash and accessing and the hardware for diagnostics. For instance,linksys routers actually have a spot on the board to solder a header and you can make a cable that connects to the parralel port. Do a google search for "Hairy Dairy Maid Debrick" and you will find it. A similar thing is probobally possible with the Evo (Ive even seen them on Hard Drives and CD Rom drives) The problem is,its not entirely standardized,and it might not even be a connector or pads on the board. It might instead be a matter of knowing where you can connect the leads on the board to something that under the right circumstances BECOMES the JTAG connector. (For instance,a pin that controls something else might be a JTAG interface for the first few hundred milliseconds of start-up,or if a certain other pin of the chip is grounded when the power is applied. It might also be completely internal to the chip,and there be NO connectors on the board (it almost CERTAINLY has the capability,they need it during prototyping) and the chips might be programmed BEFORE they are soldered in. It might take replacing the rom chip to get it to go. There are lots of ifs
Chances are though,the factory has a special cable and a special software program that can reprogram the device. To replicate that might be relatively easy or could be next to impossible but requires a certain degree of knowledge about the hardware. What I suspect is,until someone who has the skills to make such a cable bricks their phone,they wont bother figuring out how to debrick one. In fact,when that person bricks their phone,they will probably take it back to sprint and say "I dont know what happens" In fact,even if its stuck looping in an obviously hacked boot loader he for some odd reason cant undo,hes probably going to send it back to sprint. I know someone who did exactly that to their brand new HP laptop. He found that 15kv from the flyback of an old B&W television applied to the memory slots took care of the looping and Best Buy gave him another one. As he put it "I dont know what happened,but it smells bad and wont boot up"
pflatlyne said:
There is probably a JTAG interface somewhere in there. In fact,that's how the original hack of the IPhone was done. (Better ways were since found) Most devices have a quasi standard interface for programming the flash and accessing and the hardware for diagnostics. For instance,linksys routers actually have a spot on the board to solder a header and you can make a cable that connects to the parralel port. Do a google search for "Hairy Dairy Maid Debrick" and you will find it. A similar thing is probobally possible with the Evo (Ive even seen them on Hard Drives and CD Rom drives) The problem is,its not entirely standardized,and it might not even be a connector or pads on the board. It might instead be a matter of knowing where you can connect the leads on the board to something that under the right circumstances BECOMES the JTAG connector. (For instance,a pin that controls something else might be a JTAG interface for the first few hundred milliseconds of start-up,or if a certain other pin of the chip is grounded when the power is applied. It might also be completely internal to the chip,and there be NO connectors on the board (it almost CERTAINLY has the capability,they need it during prototyping) and the chips might be programmed BEFORE they are soldered in. It might take replacing the rom chip to get it to go. There are lots of ifs
Chances are though,the factory has a special cable and a special software program that can reprogram the device. To replicate that might be relatively easy or could be next to impossible but requires a certain degree of knowledge about the hardware. What I suspect is,until someone who has the skills to make such a cable bricks their phone,they wont bother figuring out how to debrick one. In fact,when that person bricks their phone,they will probably take it back to sprint and say "I dont know what happens" In fact,even if its stuck looping in an obviously hacked boot loader he for some odd reason cant undo,hes probably going to send it back to sprint. I know someone who did exactly that to their brand new HP laptop. He found that 15kv from the flyback of an old B&W television applied to the memory slots took care of the looping and Best Buy gave him another one. As he put it "I dont know what happened,but it smells bad and wont boot up"
Click to expand...
Click to collapse
Wow. Thanks for the detailed answer. Too bad this isn't a standardized item. I hope eventually things progress enough where this isn't even a thought. Thanks again for the good response.
Sent from my PC36100
rafroehlich2 said:
Wow. Thanks for the detailed answer. Too bad this isn't a standardized item. I hope eventually things progress enough where this isn't even a thought. Thanks again for the good response.
Sent from my PC36100
Click to expand...
Click to collapse
Yea,it would be nice if it were. Its kinda sorta quasi standard,so it HAS been done in some cases where its necessary,but often there are easier ways around it. Personally, I have allways thought that its a pretty stupid thing to make a piece of equipment that can fail due to a bad flash. The people who designed many of the flash memory chips seemed to agree,and they added something called a "boot block" to many,but the way its implemented,when its implemented doesn't fully protect you from a bad flash. Its even worse now that everything is in ball grid array chips soldered down to the board.
I have some experience with JTAG.
Segger J-Link with PSAS.
I have "Testdevice"... broken Display... soon I will try to connect.
Testpoints and JTAG dump floating somewhere in Internet.
My Questions:
1.
Someone tried Segger with S8500?
2.
Many more Questions to come.
Best Regards
P.S.:
http://www.gsmupload.com/beta-test-thread-samsung-wave-s8500-repair-here/
Edit 1:
Tried to edit Thread title...
...and not yet attached my S8500 to JTAG
oh yeah !!! sachinsud an indian guy bought a riff box... and he tried...
i thnik that you are in the right way...
btw have you tried to connect the wave with broken display to a external monitor?
the wave have video output!
cheers!
At the moment my damaged S8500 is good enough for training.
Only glass is broken...
I have an 512 MB dump from S8500 via JTAG... NOT my. But interesting for study.
I play as long as I can with Multiloader. With AMSS and maybe soon with Bootloaders... and only if I brick this S8500, I will try my Segger JTAG...
About TV out.
I bought Original Samsung AV cable, because normal AV cable seems to have other Pins connected.
But very impressive to see some Games or Videos from my handset on TV.
Never seen before...
my last handset is from 2006.
Best Regards
Nice. Found today S8530 JTAG dump from ORT JTAG.
Thanx.
http://srimeenakshimobiles.com/foru...t-s8530-wave-ii-unbrick-repair-dead-boot.html
Nice:
http://www.ort-jtag.com/blog/
About S8500:
http://www.ort-jtag.com/blog/?e=10
Best Regards
Hope I could get one of that ORT Plus software for free!
Today I saw this:
http://www.segger2.com/index.php?page=Thread&postID=1786&highlight=s5pc100#post1786
Found 1 JTAG device, Total IRLen = 0:
#0 Id: 0x1BA00477, IRLen: 04, IRPrint: 0x1, CoreSight JTAG-DP (ARM)
Cortex-A8 identified.
Click to expand...
Click to collapse
So maybe my J-Link will work...
I'll try next month... but started today.
With removing Label.
I can see now Testpoints are big enough for my solder skills.
And easy in 2 rows, with enough space between.
Maybe I'll play solderless... but lonoooog time ago my MSM6250 experiences.
Best Regards
Edit 1.
Or for 8 Euro from Poland:
http://www.multi-com.pl/index.php/en_US,details,id_pr,8047,menu_mode,categories.html
Edit 2.
I hope you see difference between pro stuff.
1 of these 3 Pics is not my...
need some info about connect to Samsung Cortex-A8 S5PC110 and dump internal memory.
what software need with my JTAGs:
- TI XDS560PCI;
- SpectrumDigital XDS510USB;
- Blackhawk USB2000;
- Altera USB-Blaster;
- Altera ByteBlaster2 (LPT);
- Wiggler (LPT);
- Luminary Micro Development Board;
- NXP LPCXpresso LPC1114 Development Board.
According to this:
http://www.segger2.com/index.php?page=Thread&postID=1786&highlight=s5pc100#post1786
...we are able to recognized the cpu type as cortex A8, but all the memory content are zero...
Click to expand...
Click to collapse
The proper Software for S8500 is mandatory and much more important as Hardware.
Few of the JTAG Masters are able to make own JTAG Hardware for less then 20 Euro.
But the Software...
If Bootloader alive, then higher chance to have connection with any JTAG Hardware and CPU only... memory is something different...
But if Bootloader is erased, then CPU Bootcycle... and it is nearly impossible to halt CPU without proper Software to have access to memory... RAM or NAND.
Next week I can maybe answer, if I had success with my J-Link... now I must wait for my second S8500 compatible JTAG.
Best Regards
Try OpenOCD, may (but dont have to) work. It should support A8. Btw in s5pc110 manual we can read about some new debugging interface except jtag, anyone ever seen this?
Last time I checked OpenOCD did not have the driver for writing NAND through s5pc110. Is it available now?
Gah, it isn't, i confused something. :/
Btw.
Why do you want to make full internal memory dumps, while these seems to be ones you're looking:
http://forum.gsmhosting.com/vbb/f665/share-full-flashes-1245293/
Compared S8530 FULL_RAW posted there with boot_loader.mbn, first bytes are exactly the same
Of course these could be RAM images, but why would them be called "full flashes"? ;d
@ Rebellos
Very good Link.
S5250 + S8500 + S8530 JTAG Dump.
And meanwhile ... I9000 Dump for study.
Thank you very much.
Best Regards
First attempt.
I have soldered 8 wires...
Anyone found Pictures of soldered wires in S8500...
Please post.
Any hints/tips are welcome. As I have at the moment no idea if I can insert Battery... or I have to hold... maybe I have to insert something to protect wires...
Thanx in advance.
Battery pins are quite big, try to use ac/dc 3-4V converter stabilised by some capacitor and clips on pins.
This is my wires for JTAG. Used standart battery for power.
and pinout for JTAG.
Thanks, how are you powering Wave? does battery fits together with cables or have to wire DC too?
In theory you can use USB cable to power on...
I have only used battery and pressed Button.
Now my S8500 is alive again.
Next attempt is to prepare my XXJB6 Bootloader... I will see if Wave is then dead again or Bootloader is usable...
Best Regards
Seems I'll need 30 minutes for 256 MB reading...
So 512 MB complete 1 hour...
Ehm, I'm tooo dumb to dump OneNAND.
Can someone please help me.
What I need to set/enter/press...
This is what I did... See Screenshot. I can read something from 0x42480000... but this is not what I want.
Please correct settings needed.
Thanx in advance.
Best Regards
It isn't "Memory reading" for sure, not directly at least.
Probably oneNAND reading isn't possible by some clicks and you need driver for oneNAND in script. oneNAND is controlled by modifying special registers under 0xB000_0000 address space. If you want oneNAND dumps you have to find driver for that or do it through FOTA using BL3 function Flash_Read_Data and rebell_memdump from our SVN repo.
Maybe I've found my mistake...
Now I can read something at 0... will see in an hour what it is.
Best Regards
Edit 1.
Okay, I have my 512 MB Dump.
But under DCC Red/Write Tab... and need to set few things... so not only press 1 Button.
Less then 30 minutes for 512 MB Reading...
Now I have to learn how to write safe.
As I don't need Full 512 MB write, only 4 MB at Start...
to prevent erase full 512 MB
I had some research yesterday, yet I still can't find a proper answer to most of my questions about the following subject. Hoping some of the experts here can contribute some of their knowledge and hopefully I will edit this thread to a guide, or at least spare others the need for wondering around the web as I did.
Well, Few days ago I turned off my phone, and it wont turn on or response to any physical key combination, usb connection (Except for charging the battery) or even that famous Samsung jig (301KΩ Between pin 4 and 5 on the usb connection). It is not recognizable by any device while connected through usb interface. It is permabricked. The worst thing that can happen to a phone while the hardware is intact.
Although the name indicates otherwise, some things can be done in order to get the device working again.
It is a process in which the phone's main bored is exposed, than a special device (e.g riff box) is connected to certain areas on the pcb that were made that way for the initial configuration of the phone back in the factory. The pinout of the connection varies in each model, but the interface is the same and called "Jtag". Than, that device connects to a pc through usb interface.
So the first step would be to get that device and to connect it to both pc and phone's motherboard through a certain pinout that is mostly hard to get. You'll need a driver for that jtag flashing device and a compiled file which you would like to flash in to your phone. I don't know if that file is specific to each model or to the certain chip the phone is using (Can different models with the same chip be flashed the same way? Reply if you know and I'll edit it here).
By what I know, after flashing that file the phone will be accessible through usb interface for further flashing of the rom.
Alternatively, There are some companies that offer that kind of service. I couldn't find any who work with T989, and prices for that kind of service.
I would like to have as much information as possible and maybe eventually I'll be able to get my phone fixed. In that case I'll add some photos and document the process.
Michael.fri said:
I had some research yesterday, yet I still can't find a proper answer to most of my questions about the following subject. Hoping some of the experts here can contribute some of their knowledge and hopefully I will edit this thread to a guide, or at least spare others the need for wondering around the web as I did.
Well, Few days ago I turned off my phone, and it wont turn on or response to any physical key combination, usb connection (Except for charging the battery) or even that famous Samsung jig (301KΩ Between pin 4 and 5 on the usb connection). It is not recognizable by any device while connected through usb interface. It is permabricked. The worst thing that can happen to a phone while the hardware is intact.
Although the name indicates otherwise, some things can be done in order to get the device working again.
It is a process in which the phone's main bored is exposed, than a special device (e.g riff box) is connected to certain areas on the pcb that were made that way for the initial configuration of the phone back in the factory. The pinout of the connection varies in each model, but the interface is the same and called "Jtag". Than, that device connects to a pc through usb interface.
So the first step would be to get that device and to connect it to both pc and phone's motherboard through a certain pinout that is mostly hard to get. You'll need a driver for that jtag flashing device and a compiled file which you would like to flash in to your phone. I don't know if that file is specific to each model or to the certain chip the phone is using (Can different models with the same chip be flashed the same way? Reply if you know and I'll edit it here).
By what I know, after flashing that file the phone will be accessible through usb interface for further flashing of the rom.
Alternatively, There are some companies that offer that kind of service. I couldn't find any who work with T989, and prices for that kind of service.
I would like to have as much information as possible and maybe eventually I'll be able to get my phone fixed. In that case I'll add some photos and document the process.
Click to expand...
Click to collapse
1st off, it's "taboo" not tabu. Secondly there is already a pretty good amount of threads that have covered this in detail, I'm certain because I have posted in them. Lastly, please SEARCH the existing threads before creating a new one; the answers to all your questions are already there.
1. Thanks, Changed to "Taboo".
2. I searched, I really did. I went all over google with many key words and covered up this forum as well. All I got is some articles about the jtag protocol, which is good for knowledge but too general for the application I need, and some threads in which people writing that their phone is bricked and asks what to do about it. Not a single post is about how to fix that independently, and what does it require. If you could give me link to these threads you say that covers up the subject, I'll delete this thread at once.
Michael.fri said:
1. Thanks, Changed to "Taboo".
2. I searched, I really did. I went all over google with many key words and covered up this forum as well. All I got is some articles about the jtag protocol, which is good for knowledge but too general for the application I need, and some threads in which people writing that their phone is bricked and asks what to do about it. Not a single post is about how to fix that independently, and what does it require. If you could give me link to these threads you say that covers up the subject, I'll delete this thread at once.
Click to expand...
Click to collapse
don't pay attention to that guy he like to troll every where he goes. Try to google search for mobile tech or Adam Outler, and check if he get the Jtag service for our phone. If I'm not wrong the charge for the Vibrant was $50.00 plus shipping and handling. I hope you can fix your phone.
Sent from my SGH-T989 using xda premium
Do you know what caused the brick?
Sent from my SGH-T989 using xda premium
Searched, and yet no result. Sending the phone to the U.S is quite risky. I have no idea how they're intended to pack it before sending it back. I would rather doing this in Israel.
I saw on ebay several devices associated with Jtag. the price starts from 10$ for a simple usb dongle, through 30$ devices, which is the price of most of the jtag devices I found, to the 150$ riff box that is associated with phone unbricking.
By what I know Jtag is a simple serial protocol. I just need sort of "bridge" to translate the logic 1's and 0's with the right voltage level and certain clock speed to a usb interface or even RS232. How expensive can that be?
I also contacted several ebay sellers which offer a jtag repair service. they all answered this model is not supported.
I would go to Samsung labs in Israel and see what they can do to get it working.
I just thought to invest 20$, get that sort of device and to get it done by my own.
Another issue is the pinout. The pinoput of the Jtag connection is not shown in any website, so I have no way of knowing how to connect on this specific PCB.
Last thing I need is that new bootloader I can flash, and a software to flash it through. Where can I download it?
About the reason for bricking the phone, I have no Idea. As I said, last time I've installed new rom was more than a week prior to the incident. I've used some overclocking app mostly to underclock my phone, cause it drained the battery like hell before, even while it was running on stock and after changing the rom several times.
I also used some usb otg device which worked normally, but was not plugged to the device even few hours before it was bricked.
Hopefully we can figure out the cause of these permabricks so we can prevent it from happening to more people.
Sent from my SGH-T989 using xda premium
I gotta say, this is quite alarming. That the phone can just hard brick itself like this spontaneously.
I've had some scary experiences with the phone myself. Like a couple of random reboots that required the long power press for the phone to power back on. At least it always came back on.
I'm also from Israel myself so a similar scenario can bring me to the same situation as you.
Good luck with getting any kind of solution.
Sent from my SGH-T989 using xda premium
parusia said:
don't pay attention to that guy he like to troll every where he goes. Try to google search for mobile tech or Adam Outler, and check if he get the Jtag service for our phone. If I'm not wrong the charge for the Vibrant was $50.00 plus shipping and handling. I hope you can fix your phone.
Sent from my SGH-T989 using xda premium
Click to expand...
Click to collapse
Troll for advising to follow the posted rules of membership ? WOW
I just contacted Adam and still no jtag for this device .
Sent from my Galaxy Nexus using XDA App
did you look for a service manual?
- the manual may cover schematics for jtag device.
Been flashing phones since the Razr and never bricked a phone I couldn't repair myself. That is until I tried to flash my GSII back to stock through odin. Sent it to Samsung and they had to replace motherboard. Now I'm a little nervous about using odin.
reocej said:
Been flashing phones since the Razr and never bricked a phone I couldn't repair myself. That is until I tried to flash my GSII back to stock through odin. Sent it to Samsung and they had to replace motherboard. Now I'm a little nervous about using odin.
Click to expand...
Click to collapse
I recommend splurging on the $2-3 for a jig, I have had moments where I thought I was SOL & the jig saved my arse.
Michael.fri said:
Last thing I need is that new bootloader I can flash, and a software to flash it through. Where can I download it?
Click to expand...
Click to collapse
Did you solve your problem?
I was looking at using QPST
QPST is a program often frowned upon here at xda. It is commonly used to flash phones, and has little to do with android coding. The software is made for Qualcomm (or by them) and this device has a chip from them in it. This has tools for building and installing bootloaders and partition tables. Our device after a hard brick (and still serviceable by JTAGing) has a com port open still and if you load the driver in windows you will see a port number as others here on XDA have said. The driver allows ODIN to see the device but not connect. QPST does connect, but I have not attempted to flash anything to it since I have not built any files to load. I'm kind of stuck creating the needed xml that makes the partition table and headers and file that are to be loaded to partitions. This is really a softbrick, in my opion, but nobody has the knowledge for this level of building and coding, with this tool, here at XDA. If somebody does, it may make those selling JTAG services mad, but that would mean we could fix our phones on our own. On my own, I'm a few weeks away from this solution, with some help from people here that know how to write xml for partition tables and can help me locate files for a build, I can generate the files, test them, make a write up and post the solution in just a few days.
By the way, this is a multi-device solution in the long run. We get one fixed and we can start on the others with this same issue, where the only life left in the device is the Qualcomm download mode driver showing in windows device manager.
Michael.fri said:
I had some research yesterday, yet I still can't find a proper answer to most of my questions about the following subject. Hoping some of the experts here can contribute some of their knowledge and hopefully I will edit this thread to a guide, or at least spare others the need for wondering around the web as I did.
Well, Few days ago I turned off my phone, and it wont turn on or response to any physical key combination, usb connection (Except for charging the battery) or even that famous Samsung jig (301KΩ Between pin 4 and 5 on the usb connection). It is not recognizable by any device while connected through usb interface. It is permabricked. The worst thing that can happen to a phone while the hardware is intact.
Although the name indicates otherwise, some things can be done in order to get the device working again.
It is a process in which the phone's main bored is exposed, than a special device (e.g riff box) is connected to certain areas on the pcb that were made that way for the initial configuration of the phone back in the factory. The pinout of the connection varies in each model, but the interface is the same and called "Jtag". Than, that device connects to a pc through usb interface.
So the first step would be to get that device and to connect it to both pc and phone's motherboard through a certain pinout that is mostly hard to get. You'll need a driver for that jtag flashing device and a compiled file which you would like to flash in to your phone. I don't know if that file is specific to each model or to the certain chip the phone is using (Can different models with the same chip be flashed the same way? Reply if you know and I'll edit it here).
By what I know, after flashing that file the phone will be accessible through usb interface for further flashing of the rom.
Alternatively, There are some companies that offer that kind of service. I couldn't find any who work with T989, and prices for that kind of service.
I would like to have as much information as possible and maybe eventually I'll be able to get my phone fixed. In that case I'll add some photos and document the process.
Click to expand...
Click to collapse
Mobile Tech offers the JTag service. There is even a discount for XDA members. They offer the service for all variants of the S2
Here you go!
http://mobiletechvideos.mybigcommerce.com/samsung-galaxy-s-ii-jtag-brick-repair/
daxxone said:
QPST is a program often frowned upon here at xda. It is commonly used to flash phones, and has little to do with android coding. The software is made for Qualcomm (or by them) and this device has a chip from them in it.*snip* On my own, I'm a few weeks away from this solution, with some help from people here that know how to write xml for partition tables and can help me locate files for a build, I can generate the files, test them, make a write up and post the solution in just a few days..
Click to expand...
Click to collapse
Any word on a fix using QPST?
Hello! Been lurking for a while and just finally decided to post.
A little background: My first Kindle Fire 2 was rooted just fine. Everything worked for several months, then the screen went bad. Called Amazon and got a replacement sent over. The night I received said replacement, I decided that I wanted to try the 2nd bootloader + TWRP and install CyanogenMod. Unfortunately, I missed the part about reverting back to the older version of the bootloader before patching. Oops.
TLDR; Bricked KF2.
That brings me to the main focus of this topic: After reading a plethora of threads stating that there was no way to fix a bricked KF2 with the USB, I began thinking... Theoretically speaking, couldn't the e-MMC be accessed if it was taken out and mounted to an e-MMC to USB? This would allow reflashing the partitions and (hopefully) returning it to an unbricked state. Of course, that means remounting the e-MMC to the KF2 motherboard, but you can do wonders with a stencil, some solder paste, and a toaster oven, it seems.
Then, while searching for a good e-MMC to USB adapter, I stumbled across a very intriguing thread on hacking TomToms' NAV3 where the e-MMC is left on the device and wired to a MMC USB reader. Page 36 and 37 are the useful bits. (I can't post links yet, so this is the best to demonstrate): mobilescommunity.com/tomtom-discussions/178770-nav3-cracking-patching-copying-navcore-v10-v11-v12-36.html
At this point, I'm just waiting on an old, broken KF1 to arrive to track down where the leads go and possible solder points. I'll keep you posted as things progress.
Any comments, thoughts, suggestions?
P.S. I have a feeling that this would be better suited in the development forum, but as I am new, I can't post there. Assuming that this crazy idea actually works, (and considering that I'll probably have ten posts by then), I'll likely post a clean guide over on that forum.
i had my already taken apart cause of a broken screen, and one is for sure, there was no e-MMC or anything that you could take out and put into an adapter :\
I think you are not out of luck! Are you getting a red screen or is evrything dead?
Completely dead.
...and there is an e-MMC. On my KF2, it was under a piece of foam. If you look at it like you just took off the back cover (without moving the motherboard) from the bottom (the side with the usb port) it's on the right lower portion of the motherboard. It's a Samsung chip, KLM8G2FE3B-B001. There's also a line of solder points just below it. It looks like a decent number of the pins (which we can't see because it's a surface mount) go to that bank of solder points.
Since I still can't post real links/pictures: tinypic.com/r/20hppw5/5
Image credit: iFixit.
That picture is the motherboard from a KF1, but it's in the same location. It's the chip outlined in red.
Just a little update... Have a junk motherboard, the e-MMC is off, now I'm just tracking down where the pins go and possible solder points. It looks like the motherboard has exposed pads that will work well for soldering (my guess is they were originally access points for board/component testing?). I'll post again when I have more info.
Another update: I've tracked down solder points for DAT0-7, CMD, and CLK. I just need to track down the voltage (Vcc and Vss) and grounds (VccQ and VssQ). After that, I'll have pictures with it labelled. Then I need to work on soldering to said points and attaching them to a MMC reader, and praying that it works.
Hmm well if you can get your PC to recognize the emmc, with what I'm assuming is going to be Linux because of the fact the filesystem is ext4 on kindles last I checked, I'm curious if the modules that Linux have will recognize the device. If it does I wonder if u can simply use dd to flash the messed up partitions with the correct signed replacements. I wish I had your solder skills... I need a new tip for mine but I'm too lazy to go out and get one, much less do soldering on a kindle motherboard. If this works u could offer repair services to people, because I doubt most people would attempt this. I find this thread very interesting!
Sent from my Amazon Kindle Fire HD running CM10.1 Tablet UI using xda-developers app
Then good luck to you!
Hopefuly we will have an unbrick method...
Finished tracking down solder points. Attached are some pictures with them labelled. I'll be working on the actual soldering and connecting it to my computer in the next few days here as my mini-vacation is over and I have to go back to work tonight.
So! I have good news. I soldered everything together and plugged it in. Ubuntu auto-mounted all the partitions from the e-MMC! I'll post pictures on Friday as I'm about to take a nap before spending the next 24 hours at work.
I have a couple minutes on break, so I'm uploading a screenshot of Ubuntu with the partitions mounted. All my pictures of the board/SD card reader and solder job are on my camera at home, so I'll post those later.
Note: The partitions are on the bottom left of the window, the 17 MB one through the 929 MB one. Once I track down which one is the boot partition, I'm going to rewrite it with the original boot image and pray that has fixed the problem.
Wow this is awesome, I am very impressed at this. Now to just use dd to shove the boot loader down the emmc's throat. I wonder does linux recognize the fact that any of the partitions are signed in like gparted under a partitions properties? Not sure if u have gparted installed, probably have to install it from the repos. Also kinda curious about the partition layout as to how everything is ordered on the emmc, as gparted shows.
Sent from my Amazon Kindle Fire HD running CM10.1 Tablet UI using xda-developers app
stunts513 said:
Wow this is awesome, I am very impressed at this.
Click to expand...
Click to collapse
Thanks! Assuming this works, I'm thinking of designing a solder-less device to make all the connections. Soldering to those tiny pads on the motherboard was a pain!
stunts513 said:
I wonder does linux recognize the fact that any of the partitions are signed in like gparted under a partitions properties?
Click to expand...
Click to collapse
Is it the partition itself that's signed, or the boot files?
stunts513 said:
Also kinda curious about the partition layout as to how everything is ordered on the emmc, as gparted shows.
Click to expand...
Click to collapse
That's a really good idea. I'll make sure to take a screenshot of the partitions in gparted when I have a chance to work on it some more on Friday.
From what I understand not all, but some of the partitions are signed, like the boot loader, they have a 64kb signature in the partitions header if I remember correctly. That's also the reason we can't fix the device when we brick the boot loader, because these things show up as omap devices and we have the means to use that device and try to fix it, but we can't fix it because the initial file it loads up has to be signed. Your fix is kinda unorthodox, but hey, whatever works.:thumbup:bet amazon didn't think people would go this far to fix it. Heck technically if this works you could probably root it in this manor even if an exploit wasn't viable. Anyways for more I to on what I was talking about read q2, q3, and q4 of this post: http://forum.xda-developers.com/showthread.php?t=2228539
I personally want to look into why we can't just hex edit a image that's unsigned to clone a signed images signature, but I don't feel like opening up 2 huge files in a hex editor to compare the differences to see how the signature is in the file, not to me took that would be next to impossible I think since it would be difficult to try to make a partition exactly like the one on the kindle minus a signature (because even if u copied the files over, they wouldn't necessarily be in the stored in the exact same sectors of a partition), making it even more complicated for me to see the actual signature. Soupemagnet said this is impossible to do already and he knows what he's talking about so i seriously doubt I could do this.
Sent from my Amazon Kindle Fire HD running CM10.1 Tablet UI using xda-developers app
stunts513 said:
I personally want to look into why we can't just hex edit a image that's unsigned to clone a signed images signature, but I don't feel like opening up 2 huge files in a hex editor to compare the differences to see how the signature is in the file
Click to expand...
Click to collapse
I'd venture an (un)educated guess that TI considered this sort of tampering and the header is essentially an encrypted checksum for the image. That would make sense when you consider the need for proprietary software to "generate" a signed header.
An interesting idea while we're going down this road... I'd think the only thing that prevents us from brute-forcing (through trial and error) our way to some sort of method of generating the signed headers is that an attempt could only be made once (assuming an incorrect algorithm) before you'd end up with a paperweight, meaning up until now you'd need a LOT of Kindles to even hope to get close; however, assuming that what I'm working on works to restore the KF2 to functioning, one could rig up a port to reflash the image (with a header generated with a new algorithm each time) until either you wore out the e-MMC or you managed upon one that worked.
Perhaps we could run the idea by soupmagnet and see what he thinks?
Yea that's an interesting idea, I have no idea how u could generate headers to try to forge what the kindle has though, and I'm assuming if it is a 64kb signature, that is a huge amount of combinations. I'm assuming figuring out how to make a signed image is similar to how some key generators are made that take a activation code and spit put another code for you to use. Though I have no idea how they figure out the common denominators for making a code based on such. Its one thing in simple math but to do it to strings of letters and numbers is beyond me. Luckily we have several partitions for reference, if it was just one we'd be pretty screwed, assuming I have any idea what I'm talking about. Feel free to run the idea by him, I chatted with him before a little about something like this in some PM's.
Sent from my Amazon Kindle Fire HD running CM10.1 Tablet UI using xda-developers app
kurohyou said:
I'd venture an (un)educated guess that TI considered this sort of tampering and the header is essentially an encrypted checksum for the image. That would make sense when you consider the need for proprietary software to "generate" a signed header.
An interesting idea while we're going down this road... I'd think the only thing that prevents us from brute-forcing (through trial and error) our way to some sort of method of generating the signed headers is that an attempt could only be made once (assuming an incorrect algorithm) before you'd end up with a paperweight, meaning up until now you'd need a LOT of Kindles to even hope to get close; however, assuming that what I'm working on works to restore the KF2 to functioning, one could rig up a port to reflash the image (with a header generated with a new algorithm each time) until either you wore out the e-MMC or you managed upon one that worked.
Perhaps we could run the idea by soupmagnet and see what he thinks?
Click to expand...
Click to collapse
Let's say you are able to restore the device every time you brick it. In order for brute force to work, you would need to be able to flash the image, attempt to boot, restore the device when it fails, create a new disk.img while somehow generating a new signature for it, flash that one, etc....and it all has to be done automatically.
Putting that aside for a moment, there's a lot of speculation online about how long it will actually take to brute force just a simple 128bit encryption key. I've seen everything from several years to several hundred years. Multiply that by about 500 and you'll have an idea of the amount of time it would take to brute force a 64Kb signature, and that's without having to repack, flash, restore, etc. for every single iteration....so I highly doubt a brute force attack is even feasible in this situation.
You should probably just focus on getting the device restored so you can have yourself a little side business of restoring hard bricked 2nd generation Kindle Fires...although, it would be extremely nice if you shared with the community how you were able to do so...if you are ever successful that is.
soupmagnet said:
Let's say you are able to restore the device every time you brick it. In order for brute force to work, you would need to be able to flash the image, attempt to boot, restore the device when it fails, create a new disk.img while somehow generating a new signature for it, flash that one, etc....and it all has to be done automatically.
Click to expand...
Click to collapse
Sounds like a lot of work; although, I didn't expect anything less.
soupmagnet said:
Putting that aside for a moment, there's a lot of speculation online about how long it will actually take to brute force just a simple 128bit encryption key. I've seen everything from several years to several hundred years. Multiply that by about 500 and you'll have an idea of the amount of time it would take to brute force a 64Kb signature, and that's without having to repack, flash, restore, etc. for every single iteration....so I highly doubt a brute force attack is even feasible in this situation.
Click to expand...
Click to collapse
What, you're telling me that cracking the encryption in a few million years from now wouldn't be useful?
It probably didn't help that in my sleep-deprived state last night, I failed to differentiate between 64kb and 64bit. Oops.
soupmagnet said:
You should probably just focus on getting the device restored
Click to expand...
Click to collapse
That's always been the focus, but I also figured that while we're here discussing things (and with confirmed access to the e-MMC now), why stop with just the basic restore to working when there's the possibility of more?
soupmagnet said:
although, it would be extremely nice if you shared with the community how you were able to do so...if you are ever successful that is.
Click to expand...
Click to collapse
Of course I'm going to share! As soon as I finish the last few steps here and confirm that it's working, I'm going to post a guide over on the Development forum. I don't know how many people will be comfortable with the soldering part, though. It was a beast trying to solder to the motherboard. I do plan on trying to develop a solderless method, probably by fabricating a board that connects to all the important points and secures to the motherboard itself (probably using the screw holes).
Some more images, now that I'm home.
Here's what everything looks liked when it's soldered together:
Here it is connected to the computer:
...and finally, a screenshot of the partitions in gparted:
Sweet, didn't realize how many partitions the kindle had. So now all we need to figure out is which partition of those is the bootloader partition, so u can try flashing the boot loader with the dd command. Might I suggest backing up the entire emmc device with dd instead of just some of the partitions? Also was wondering if all goes well, if the kfhd's emmc pin layout is the same, be nice if a solderless bolt on version could be truly "universal" for all kindles, shape wise it wouldn't be a problem as long as the bolt-on-board has multiple hole configurations.
Sent from my Amazon Kindle Fire HD running CM10.1 Tablet UI using xda-developers app
Hi,
I have a samsung watch active 2 model R825F (Canadian LTE model)
I tried to change region with Odin. The installation was ok since Odin display success. But when it restart, it begin looping start indefinitely.
I tried boot menu : turn off the watch, recovery, wireless mode but nothing work, it keep boot looping.
So i can't use wireless since i have the flower showed but cant go to AP mode. I tried the 2seconds, 1 second on power button but don't' work. (I read a lot topic on this forum)
I decided to send it to Samsung authorized repair center, and they say that they must replace the main board and back sensor for 300$ (ridiculous, new one is 260). I don't think that so I refused the repair. Is it possible that changing firmware can make physical damage ?
So i have a little hope that there is a solution to solve that. Can anyone help please?
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Firmware i try to install with odin : COMBINATION-FT40_R825USQU1ASL2.tar.md5
COMBINATION-FT40_R825USQU1ASL2.tar.md5
Tizen 4 crap seems "obsolete" dangerous... because some "magic" changes in Tizen 5.5 crap...
So they increased Security crap for Rollback Prevention s h i ...
You could try USB cable action... like this:
Galaxy Watch Active 2 44mm SM-R820 Odin Stuck
Hi, I have a SM-R820 and for mistake I flashed a incorret firmware (SM-R830) and now my watch it's bricked (?), It will allow me tho se the boot menu but all the options take me to the same screen, so I can't use the Download wireless again to...
forum.xda-developers.com
If you have access to 3D Printer... then look maybe here:
USB ODIN 3d Printed Cradle
Showing one option to connect USB connector to watch with the help of a 3d printer. Connection on the PCB pads were made using safety pins secured on the back of the 3d printed cradle. Some points, An extra support part is glued at the back of...
forum.xda-developers.com
Some general info is here:
SM-R765F Teardown
Dear friends, I found that the LTE connection is very useful when you have to leave your mobile somewhere and you can get calls and notifications through mobile connection. I bought a Gear S3 LTE (R765) from a Singapore site because in Italy it...
forum.xda-developers.com
And this is Pro solution if you have Original repair stuff...
SM-R825F CSC change tutorial
New Tutorial for Tizen 5 on SM-R825F The following guide is just a tutorial on how I changed the CSC, if you decide to follow it you take every risk Step#0: Charge your watch to >90% charged Step#1: Download 'NETODIN'...
forum.xda-developers.com
Best Regards
adfree said:
COMBINATION-FT40_R825USQU1ASL2.tar.md5
Tizen 4 crap seems "obsolete" dangerous... because some "magic" changes in Tizen 5.5 crap...
So they increased Security crap for Rollback Prevention s h i ...
You could try USB cable action... like this:
Galaxy Watch Active 2 44mm SM-R820 Odin Stuck
Hi, I have a SM-R820 and for mistake I flashed a incorret firmware (SM-R830) and now my watch it's bricked (?), It will allow me tho se the boot menu but all the options take me to the same screen, so I can't use the Download wireless again to...
forum.xda-developers.com
If you have access to 3D Printer... then look maybe here:
USB ODIN 3d Printed Cradle
Showing one option to connect USB connector to watch with the help of a 3d printer. Connection on the PCB pads were made using safety pins secured on the back of the 3d printed cradle. Some points, An extra support part is glued at the back of...
forum.xda-developers.com
Some general info is here:
SM-R765F Teardown
Dear friends, I found that the LTE connection is very useful when you have to leave your mobile somewhere and you can get calls and notifications through mobile connection. I bought a Gear S3 LTE (R765) from a Singapore site because in Italy it...
forum.xda-developers.com
And this is Pro solution if you have Original repair stuff...
SM-R825F CSC change tutorial
New Tutorial for Tizen 5 on SM-R825F The following guide is just a tutorial on how I changed the CSC, if you decide to follow it you take every risk Step#0: Charge your watch to >90% charged Step#1: Download 'NETODIN'...
forum.xda-developers.com
Best Regards
Click to expand...
Click to collapse
For the pro solution, what are the original repair stuff? Where i can get them? Are they usb connection to use odin?
Maybe try this post... from 2017...
Gear S3 Root and Kernel Source! (Android Wear Port Thread)
Hey guys! Some of you might know me from the LG G5 scene, but I have since moved on from there and am hoping to make some progress with the Gear S3 :) After doing some digging and paying zero attention in class today, I came across the kernel...
forum.xda-developers.com
Maybe then more clear what I mean with Pro...
1 more hint...
Samsung R&D
Samsung Service
Samsung "Partner"...
I am too lazy to search for the part number for GWA2...
Here old example...
Samsung GH81-12016H Service Jig-Pogo 3G, | TVserviceParts.com
This Samsung GH81-12016H Service Jig-Pogo 3G,
www.tvserviceparts.com
Only example! NOT for GWA2 nor for SM-R825
Best Regards
adfree said:
Maybe try this post... from 2017...
Gear S3 Root and Kernel Source! (Android Wear Port Thread)
Hey guys! Some of you might know me from the LG G5 scene, but I have since moved on from there and am hoping to make some progress with the Gear S3 :) After doing some digging and paying zero attention in class today, I came across the kernel...
forum.xda-developers.com
Maybe then more clear what I mean with Pro...
1 more hint...
Samsung R&D
Samsung Service
Samsung "Partner"...
I am too lazy to search for the part number for GWA2...
Here old example...
Samsung GH81-12016H Service Jig-Pogo 3G, | TVserviceParts.com
This Samsung GH81-12016H Service Jig-Pogo 3G,
www.tvserviceparts.com
Only example! NOT for GWA2 nor for SM-R825
Best Regards
Click to expand...
Click to collapse
And for gwa2 it exist? And how it works? It seems working by pin contact, but there is no pin in gwa2. Can you give more details?
Can you give more details?
Click to expand...
Click to collapse
Really excuse me...
I am sure I gave ALL infos you need... maybe check again all my posts in this Thread...
IMHO your turn...
Last tiny hint...
Maybe there is an reason, why other users made own USB cables... homemade...
Good Luck.
I have not soooo much time and energy to waste...
Best Regards
Is anyone here have the same problem on same watch model and find solution ?
FT55 Combination Firmware for repair attempt... AUA4:
SM-R825F CSC change tutorial
New Tutorial for Tizen 5 on SM-R825F The following guide is just a tutorial on how I changed the CSC, if you decide to follow it you take every risk Step#0: Charge your watch to >90% charged Step#1: Download 'NETODIN'...
forum.xda-developers.com
Best Regards
kaishef said:
Is anyone here have the same problem on same watch model and find solution ?
Click to expand...
Click to collapse
Hi @kaishef . I'm going to sound a little blunt here, but I'm only trying to help.
@adfree has linked everything you need to get your watch fixed and running (if it is possible to do by yourself). It will take a few hours of reading but you can figure it out if you read it enough times.
If you can't move forward at any step, come back and tell us which specific part you're stuck on and we'll try to help. But we have no idea what progress you've made and where you're having difficulty... how are we supposed to help? We can't come to your home and fix your watch for you, you have to do it yourself, and we can only help by answering clear, objective questions.
I'm not trying to be rude, but this is how volunteer help works on forums like this. I've learnt this over the last 11+ years on XDA that this forum is a treasure trove of info and good samaritans willing to help. You get more support here from people than you do from the manufacturer of the device! But there's very little spoon feeding to be expected here. Nearly everyone has a life outside of XDA and no actual obligation to help. We all do it out of love and passion and in some cases, raw talent, in our free time. We are all willing to help you, even if it takes going out of the way. But you have to meet us halfway too...
Let me try to outline the process for you once:
1. Flashing older Tizen formware over newer software will brick your watch (eg flashing 4.4 over 5.5). It's due to a software feature called Rollback Prevention that Samsung does on a low-level firmware update.
2. Usually this is a soft brick and can be salvaged by flashing back the newer, correct firmware on your watch.
3. The problem is, that usually a bad flash kills your Wireless capability and you can't use NetOdin to flash the firmware on your watch anymore.
4. This can be solved by using regular USB Odin, which doesn't rely on a functioning wireless capability.
5. The USB connection for watch is located under the watch at 12 o clock position under a kidney bean shaped cover that is removable (look for a small notch on the right side of the cover. Underneath the cover, you will find the PIN contacts for the USB connection. This helps you connect the watch to your PC with a USB cable. One end of the connecting wire is USB A that plugs into your computer, and the other end has to be connected to the pins on the watch. But the PIN connector not use any standard interface like micro-USB etc so you'll have to find a way to keep the USB wires firmly connected with the contact points through the entire software flashing process.
6. There are many different ways to do this. You could make POGO pin docks, makeshift hand-held pin connectors, 3D printed docks for the watch that mimic service dock modules that Samsung uses (if you have a 3D printer), or ask a friend or employ someone to print one for you. You could try to buy a readymade one online. And if you're very good with soldering, you could just solder the wires into place on the pins - there are many ways to reach the same destination. It will depend upon your skills and the resources available to you. Oh, and as to which wires go to which pins, even that is mentioned in the posts linked above.
7. Once this is done, all you have to do is load up ODIN on your computer, confirm that the watch is detected by it successfully, and flash the correct firmware.
This is your way to connect the watch to your computer via USB when wireless Odin is not an option.
Now, if you go through the links @adfree posted above, it covers all that I summarised, but in much greater detail. Some of them are long threads that document the journey of other people like you who got stuck and figured out the problem with trial and error. Those posts are also worth reading. It will take time and effort, but it is do-able, unless you've hard bricked your watch or discovered a new problem that nobody on these forums has encountered before. But we can try to figure that out...
Thank you very much.
The best option for me is to find this. But i searched a lot and nothing. Someone already bought it?
Someone already bought it?
Click to expand...
Click to collapse
Yes.
Samsung R&D
Samsung authorized Service
Samsung Partner
1 more hint...
I decided to send it to Samsung authorized repair center, and they say that they must replace the main board and back sensor for 300$ (ridiculous, new one is 260). I don't think that so I refused the repair.
Click to expand...
Click to collapse
Exact these guys who gave you info about 300$...
Maybe now clear?
Last Regards
I am from Germany...
I guess you are from Canada? Maybe...
Find Repair Shop where they can do this for you...
Your Watch from Odin Screen is 100% okay...
No Combination Firmware Bootloader...
Warranty Void is perfect:
0 (0x0000)
You simple need somebody, who flash for you Stock Firmware... via USB... then Watch should work again...
Maybe they want money from you...
Maybe pay 20 - 50 Dollar...
But IMHO better as your plan.
Best Regards
Also Line with AP Software Revision looks perfect...
AP SWREV: B:1 K:0 S:0
Only reason to deny your repair wish...
If this Watch is not bought in your Country... IMEI Serial Number etc not valid for your Country...
Its NO shame if you are scared to build own USB wire connection..
IMHO I spend now enough time for you...
Best Regards
Yes im frensh canadian(sorry for my english) , and the watch is canadian. Im from quebec and the only one repair center is in ontario. They said that the main board must be replaced (i think that is not true)
I cant find who repair it, i serched a lot.
I will try to contact them if they sell the usb cable.
If not, i think i will stop the process.
Thank you very much for your time. I read all the thread you gave me.
kaishef said:
Yes im frensh canadian(sorry for my english) , and the watch is canadian. Im from quebec and the only one repair center is in ontario. They said that the main board must be replaced (i think that is not true)
I cant find who repair it, i serched a lot.
I will try to contact them if they sell the usb cable.
If not, i think i will stop the process.
Thank you very much for your time. I read all the thread you gave me.
Click to expand...
Click to collapse
Best of luck. I hope with the proper "motivation" you are able to convince the service center people. I doubt they will let you buy the cradle but maybe you can get them to let you use it, or just flash the correct firmware for you, as long as they can keep this transaction off the Samsung books.
If not, are you comfortable with trying to make your own makeshift adapter? Or opening up the watch and doing some soldering?
If you're going to write off the watch as a total loss, there is no harm in trying out some Frankenstein project. May give you a chance to revive it.