How to hack hardware binary and bend it to your will


AdamOutler

Retired Senior Recognized Developer
Feb 18, 2011
5,224
9,826
Miami, Florida
Before you start on actually modifying your hardware, you must know what it is you're after. Don't just go using your finely tuned soldering iron without doing some research first... http://twitpic.com/75maxq

I wanted to share some tricks I use when locating UnBrickable Mod on various devices because it has been requested many times. Overall, the methods I'm going to talk about can be called "reverse engineering", "hacking", or "circuit bending".

Each device is different so different methods may be used. I'll start with what I feel is the best method to use and move my way on through less accurate and more destructive/difficult methods. The methods I'm using here can be used on nearly ANY device for nearly ANY purpose, not just locating boot modes. Using the techniques I'm laying out here, you can locate any physical memory register on any chip.

For the purposes of this familiarization guide, we will be locating the xOM5 resistor which changes the S5PC110 boot mode from "boot from OneNAND" to "Boot from USB, then OneNAND". Other modes are available such as booting from SDCard or MMC but these modes do not allow dual booting into the standard OneNAND boot so they are not practical unless you have a NAND failure.

By reading the S5PC110 processor manual, we can see on page 6-8, this is achieved by setting the xOM bits to 101001 (hex value 29). These binary values correspond to pins on the processor. These pins can be set high or low, and they ARE set high and low on the development board for the S5PC110 development boards. On other processors like OMAP4460, or Exynos, different pins are used but the functionality is the same.

  • All binaries and reading materials used are available in the GalaxyS hack pack: http://xdaforums.com/showthread.php?t=1111866
  • For installation of binaries, you can use the market app "mount rw/ro" and drop the binaries in your /system/bin folder. See here for more information on direct access to Linux and installing binaries: http://xdaforums.com/showthread.php?t=1030107
  • For the purposes of this thread we will be using an S5PC110 chip, which is what the entire GalaxyS series of devices is based upon.

With this knowledge in hand, let's continue into HOW we can locate these pins.

How to locate the xOM resistor cluster
If you orient the S5PC110 processor with the PIN-0 dot at the lower left corner, you will find the xOM cluster at the lower right corner. These resistors will always be near this location because the pins on the board are near this location. It's never a good idea to have "runs" on a board longer than necessary. Therefore, these resistors will always be near this corner.

NOTE: You need not remove the processor. This is only for illustration.
[image: attachment.php]


For other devices, see the pinouts on the processor manual.


Methods for locating the modification

Monitoring memory locations in real-time

You will need:
viewmem installed in /system/bin
bash installed in /system/bin
Market App: QuickSSHD allows you to terminal into the device.

1. We locate the xOM registers on the device. According to the processor manual:
OM_STAT 0xE010_E100 R OM status register 0x0000_0000
the OM registers are at 0xE010E100. So we know where to look in memory to monitor changes.

2. ssh into your device. See QuickSSHD for more information. Once you are in, assume super-user, get into a bash terminal, and use the viewmem utility.

Code:
$ su
# bash
bash-4.1# viewmem 0xE010E100 0x4 | hexdump
[INFO] Reading 4 bytes at 0xe010e100...
0000000 0009 0000
0000004

3. Short and test. While shorting the high value to the active side, NOT THE VISIBLY GROUNDED SIDE, monitor output from the terminal.

[image: 2hhhcua.jpg]


The pull-up resistors are 10 kΩ and the pull-down resistors are 100 kΩ. This means there's 10x more force behind a digital high than a digital low; in other words, you can short any low value high without a problem...
Code:
viewmem 0xE010E100 0x4 | hexdump
[INFO] Reading 4 bytes at 0xe010e100...
0000000 0029 0000
0000004

The 29 signifies that the device is modded properly. A value of 0x9 is a standard production device. When you see 0029, you've located the proper resistor for the modification.


Using overlays
Take a picture of the board, then use an annotated pinout to locate the proper pins on the processor. This allows for a visual of the device as though the processor were removed.

Here's a picture of my own annotated overlay. Use this and we'll walk through overlay logic.
[image: 2rrpdty.jpg]


Now, with an xOM value of 0x9, that's a binary value of 001001; use your calculator in "programmer" or "scientific" mode if you don't believe me.
Broken Down:
xOM5=0
xOM4=0
xOM3=1
xOM2=0
xOM1=0
xOM0=1

xOM3 and xOM1 are both high values; all the rest are low. We can use this to our advantage. We can see that 4 resistors are connected to ground on one side and 2 are not. Those two are obviously xOM3 and xOM1.

If we look at the processor pinout, we can see that if xOM3 and xOM1 resistors were swapped, one would be very much longer than the other so there's only one logical solution.

Moving on to the shortest ones, xOM4 and xOM2 would obviously be closest to the top of the resistor cluster, and it's also obvious which one would be which.

Now that leaves two resistors in the middle. One is high and one is low. By drawing it out you can see that if xOM5 were on the right, then xOM1 would be very much longer than xOM5, so xOM5 must be on the left.

So, we've located all xOM values with this method.


Using relative positioning
This method is not nearly as scientific... Since there are now 10 guides made for modifying xOM5 on different boards, a resistor may be picked and chosen as though it were from another board. See here for various modifications: http://xdaforums.com/showthread.php?t=1236273

Verification from this method may be made using UART. You would be expecting an output like this over the UART on your device.
See here for info on UART: http://xdaforums.com/showthread.php?t=1235219

If the modification was successful, UART will output a line which states OM=0x29.


Using a multimeter
You can remove the processor from a device and trace out the pins manually. This method is only appropriate for a broken device.
[image: 23msar5.jpg]


Conclusion
So, these are my methods for hacking hardware and making it do what I want. I'd like to hear others. Let's hack up some hardware and talk about it here.
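Added example (not from the original post or the GalaxyS hack pack): a small decoder for the values this post reads, taking the hexdump output of viewmem or the UART OM= line, splitting the OM value into xOM5..xOM0 exactly as the breakdown above does, and reporting which pin differs between a stock 0x9 and the target 0x29. The sample dump strings are constructed from the outputs shown in the post; the bit-to-pin ordering (xOM0 as the least significant bit) follows the post's own breakdown.

```python
import re

# Values as given in the thread (S5PC110 manual: OM_STAT at 0xE010E100, xOM bits 101001 = 0x29).
OM_STAT_ADDR = 0xE010E100
XOM_BITS = 6  # xOM0..xOM5
BOOT_MODES = {
    0x09: "boot from OneNAND (standard production device)",
    0x29: "boot from USB, then OneNAND (UnBrickable mod)",
}

def om_from_hexdump(dump: str) -> int:
    """Rebuild the 32-bit OM_STAT value from `viewmem 0xE010E100 0x4 | hexdump` output.

    hexdump prints 16-bit little-endian words, so a data line "0009 0000" is 0x00000009.
    """
    for line in dump.splitlines():
        m = re.match(r"^\s*[0-9a-f]{7}\s+([0-9a-f]{4})\s+([0-9a-f]{4})\s*$", line, re.I)
        if m:
            low, high = (int(w, 16) for w in m.groups())
            return low | (high << 16)
    raise ValueError("no data line found in hexdump output")

def om_from_uart(log: str) -> int:
    """Pull the OM value out of a UART boot log line such as 'OM=0x29'."""
    m = re.search(r"\bOM=0x([0-9a-f]+)", log, re.I)
    if not m:
        raise ValueError("no OM= line in UART output")
    return int(m.group(1), 16)

def decode_xom(value: int) -> dict:
    """Split the OM value into xOM pin levels, listed xOM5 first like the thread's breakdown."""
    return {f"xOM{i}": (value >> i) & 1 for i in reversed(range(XOM_BITS))}

def compare_xom(observed: int, target: int = 0x29) -> list:
    """Names of the xOM pins whose level differs between the observed value and the target mode."""
    obs, tgt = decode_xom(observed), decode_xom(target)
    return [pin for pin in obs if obs[pin] != tgt[pin]]

def describe(value: int) -> str:
    bits = "".join(str(b) for b in decode_xom(value).values())
    mode = BOOT_MODES.get(value & 0x3F, "boot mode not listed in this thread")
    return f"OM=0x{value:02X} (xOM5..xOM0 = {bits}): {mode}"

# Constructed sample inputs, copied from the terminal outputs shown in the post.
STOCK_DUMP = "[INFO] Reading 4 bytes at 0xe010e100...\n0000000 0009 0000\n0000004\n"
MODDED_DUMP = "[INFO] Reading 4 bytes at 0xe010e100...\n0000000 0029 0000\n0000004\n"
UART_LINE = "OM=0x29"  # constructed: the line the post says UART prints after a successful mod

if __name__ == "__main__":
    stock = om_from_hexdump(STOCK_DUMP)
    print(describe(stock))
    print("pins to pull high for USB boot:", compare_xom(stock))
    print(describe(om_from_hexdump(MODDED_DUMP)))
    print(describe(om_from_uart(UART_LINE)))
```

On a device you would pipe the real viewmem output into om_from_hexdump instead of the constructed string; a value other than 0x9 or 0x29 is reported as unlisted rather than guessed at.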
 

Rebellos

Senior Recognized Developer
May 13, 2009
1,353
3,428
Gdańsk
+1

Good that every chip component is configurable on the lowest level by a set of external passive elements - it opens big possibilities to change any hardware into something different.

Worth adding - always think twice, or even once more, before short circuiting anything. If between some V line and another there is a positive voltage, like +1V, it still doesn't mean that the second one is GND. The first one can be +2V and the second one +1V. READ carefully all datasheets and documentation. Don't connect any power line straight to another without a resistor - this will cause high current to go through some component and probably damage it.

Example of a bad test - there are some capacitors on the left of Adam's needle when testing the resistor. It's highly possible that these capacitors are ARM_CORE stabilisers, which is 1.2V and can handle up to about 1.4V. Adam is operating with 1.8 or 2.8V from another V line - accidentally touching the capacitor with the needle can damage the CPU core.

If you have never done any hardware mods but feel like you want to start - prepare for some victims among your electronic devices. That's all of my experiences for now.

//Damn me and my bad habit of reserving posts in Adam's thread. Sorry. :d
 

Master Melab

Senior Member
Jan 26, 2011
419
16
I've gotten replies from people that removing a BGA chip is almost impossible. A tutorial on how to unsolder one would be helpful for aspiring hardware hackers.
 

AdamOutler

Retired Senior Recognized Developer
Feb 18, 2011
5,224
9,826
Miami, Florida
I've gotten replies from people that removing a BGA chip is almost impossible. A tutorial on how to unsolder one would be helpful for aspiring hardware hackers.

It IS almost impossible. It's ridiculously difficult. You'll end up pulling a pad or two off the board. You must heat up the entire chip with a heat gun or a hot air station, then pull it off... Meaning you're heating up the entire chip to the point where the solder melts. It takes a multi-thousand dollar professional setup in order to make sure no damage is done. I use a digital temperature controlled heat gun. It works, but it's not accurate.
 

shaky156

Guest
Seriously, this guy's work is awesome. I learnt quite a bit from your work, thank you very much! :D

Sent from my Desire HD using XDA App
 

E:V:A

Inactive Recognized Developer
Dec 6, 2011
1,447
2,222
-∇ϕ
... It takes a multi-thousand dollar professional setup in order to make sure no damage is done. I use a digital temperature controlled heat gun. It works, but it's not accurate.

Sorry Adam, you have a great writeup, but this is really a BS statement!

-- You can easily unsolder a BGA chip with a $5 micro-blow-torch! You just have to make sure you shield the surrounding components from the excessive heat. Put a small piece of copper (a penny?) on top of the chip, then put a piece of low-temperature (lead-free) solder on top of the coin, so you can get an idea when you have enough heat. Continue 10-20 seconds. Very carefully try to jam a few sharp toothpicks under any space between chip and PCB. Never bend!

This technique is well known and well demonstrated on YouTube, ever since the HP/Nvidia scandal of video chips falling off the MOBO after dust blocked the fan intake, with a (purposely) under-dimensioned and faulty heat-sink design.

The problem is getting it back ON! Then you need to invest in a professional heat plate and re-balling grid.
 

apram75

New member
Jul 1, 2005
2
0
Excuse me mister, I have done it, and my tab turned back on. Now I have another problem: the screen is black and the bottom light is on. Could you help me?
 

AdamOutler

Retired Senior Recognized Developer
Feb 18, 2011
5,224
9,826
Miami, Florida
^^ good idea! I've always used a high power and small heat gun. It works for 99% of the pads, but I always lose 1 or 2. I never intend to put them back on.

Excuse me mister, I have done it, and my tab turned back on. Now I have another problem: the screen is black and the bottom light is on. Could you help me?
This is the wrong place to post that. And it does not really make sense that you did this in context.
 

Entropy512

Senior Recognized Developer
Aug 31, 2007
14,088
25,086
Owego, NY
Unsoldering a BGA is easy.

Doing it without causing unrecoverable damage is a different story. Same for resoldering it back on.

However it is getting easier nowadays - temp-controlled hot air rework stations have dropped drastically in price - http://www.amazon.com/Updated-Aoyue-Digital-Soldering-absorber/dp/B006FA481G/ref=pd_cp_hi_3

Also, reflowing a BGA without removing it (such as for Xbox360 RRoD fixes) is a LOT easier than remove-and-replace.

Also - my personal favorite deal in terms of soldering irons is http://www.amazon.com/Aoyue-937-Dig...ref=sr_1_1?s=hi&ie=UTF8&qid=1331244730&sr=1-1 - The Aoyue 937 is amazing considering it is <$50.
 

Top Liked Posts

    I made some more overlays

    Here is Exynos4210
    [image: 20s8129.png]



    This is from OMAP 4460, but I'm pretty sure it applies to OMAP 4430 as well
    [image: 2h6auso.jpg]
    Excellent and authoritative article! Though I'm personally too scared to do anything like this on my phone! :D
    we need to get you a better camera