We now have the ability to make all devices with Hummingbird processors into "Super-Dev Phones". I just need a single dead board from each model to locate the proper modification. It can be water-damaged, broken, busted, cracked, smacked, set on fire, chewed on by your dog, dropped, thrown against a wall, or otherwise inoperable. I need a mainboard from each device to make this work.
If you wish to donate a dead device, post here, send a PM, or email me at my username @gmail.com
We can bring this modification to every device with the same processor; we just need to perform the analysis first. After that you can set up your device for bootloader development, or resurrect it from a hard-bricked state with nothing but software after a slight hardware mod.
We need to locate the xOM5 pin on the following devices before they can be modified into UnBrickable Super-Development devices:
SGH-i896 Samsung Captivate - UnBrickable (thanks: bulletproof)
SGH-i897 Samsung Captivate - UnBrickable (thanks: bulletproof)
GT-i9000 Samsung SGS - UnBrickable (thanks: Zak Stinson)
S8500 Samsung Wave - Plans Available (thanks: Rebellos)
S8530 Samsung Wave II - Plans Available (thanks: Rebellos)
SPH-D700 Samsung Epic 4G - Plans Available (thanks: James I-----)
SGH-i997 Samsung Infuse 4G - UnBrickable (thanks: pdx 528e)
SGH-T959 Samsung Vibrant - UnBrickable (thanks: ChauncyG)
SGH-T959V Samsung Galaxy S 4G - UnBrickable (thanks: bhundven)
SGH-T849 Samsung Galaxy Tab 7.0 inch (T-Mobile)
GT-P1000 Samsung Galaxy Tab - UnBrickable (thanks: F50+)
GT-P100 Samsung Sprint Galaxy Tab - UnBrickable
SCH-i800 Samsung Verizon/US Cellular Galaxy Tab 7.0 - UnBrickable
SHW-M180 Samsung Galaxy Tab
GT-i9010 Samsung Giorgio Armani Galaxy
T839 Samsung Sidekick 4G - UnBrickable
SCH-i500 Samsung Fascinate - UnBrickable (thanks: RootzWiki)
SCH-i520 Samsung Droid Charge - USB OTG port issue (thanks: Clarkkent434)
7e ViewSonic ViewPad
R90L200 Pandigital 9" tablet
SGH-i987 Samsung Galaxy Tab 7.0
GT-P1000N Samsung Galaxy Tab 7.0
SGH-i877 Samsung Inspiration
GT-I9020 Google Nexus S GSM - Failed
GT-I9023 Google Nexus S CDMA - USB OTG port issue (modification located, but CDMA gets in the way of USB OTG)
GT-P1010 Samsung Galaxy Tab 7.0 Wi-Fi 16GB
M9 Meizu
SC-01C NTT DoCoMo Galaxy Tab 7.0
X10 Viliv HSPA 32GB
X7 Viliv HSPA 32GB
SCH-i400 Samsung Continuum
M9300 Kyocera Echo
YP-G1CW Samsung Galaxy S WiFi 4.0 8GB
SGH-T759 Samsung Exhibit 4G
YP-G70 Samsung Galaxy S WiFi 5.0
YP-G70EW Samsung Galaxy S WiFi 5.0 16GB
YP-GB70NW Samsung Galaxy Player 70 32GB
SCH-I500 Samsung Galaxy S Mesmerize
YP-MB2 Samsung Yepp / Galaxy Touch 32GB
GT-I9088 Samsung Galaxy S
YP-GB1EW Samsung Galaxy Player 16GB
H-I909 Samsung Galaxy S Pro
SCH-W899 Samsung phone
SCH-R910 Samsung Galaxy Indulge / Forte
MID8024-4G Coby Kyros 8"
MID7022-4G Coby Kyros 7"
MID1024-4G Coby Kyros 10.1
Just about anything with a Samsung processor in it. There are so many devices; these are the most common ones we are targeting.
Once I have received any of the above boards, I will attempt one of the following tricks to find out where the xOM5 resistor lies. Please understand that there is ALWAYS risk while working on electronics. I have done several of these successfully.
Methods for locating the modification
1. Monitor memory locations in real time with the viewmem tool for changes to the OM registers. This only works on a rooted and working device. I can short a high from behind a 10 kΩ pull-up resistor to a low that is pulled down through a 100 kΩ pull-down resistor. This allows the high to counteract the low, and a memory location can be monitored while performing this operation. This leaves the device totally operational and is the best way to perform this type of analysis, but it is only accessible on some devices.
2. Using overlays and processor pinouts, I can trace out likely locations of the xOM5 resistor, make a modification, and watch the results from the SBL over UART. This leaves the device totally operational.
3. Using relative positioning, I can pick a resistor, make a change and test for proper modification. This leaves the device totally operational.
4. Using a multimeter, I can remove the processor from a device and trace out the pins manually. This method is only appropriate for a broken device.
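Why the shorting trick in method 1 reads as a high without harming the board, as an added worked calculation that is not part of the original post: treat the 10 kΩ pull-up and the 100 kΩ pull-down as a plain divider between the supply rail $V_{dd}$ and ground (the 1.8 V rail below is an assumed figure for illustration).

$$V_{\text{pin}} = V_{dd}\,\frac{R_{\text{down}}}{R_{\text{up}} + R_{\text{down}}} = V_{dd}\,\frac{100\,\text{k}\Omega}{10\,\text{k}\Omega + 100\,\text{k}\Omega} \approx 0.91\,V_{dd}$$

$$I = \frac{V_{dd}}{R_{\text{up}} + R_{\text{down}}} = \frac{1.8\,\text{V}}{110\,\text{k}\Omega} \approx 16\,\mu\text{A}$$

At roughly 91 % of the rail the pin is well above any logic-high threshold, so the stronger 10 kΩ pull-up wins over the weaker 100 kΩ pull-down, while the current through the pair stays in the tens of microamps. That is why the device keeps running and the only visible effect is the changed value in the monitored OM register.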
As an additional benefit, we may be able to port the Nexus S bootloaders to the device, allowing the latest version of Android to be ported easily to the device... After that, Ubuntu, Apple iOS, WP7, you name it...
Let me get into some of the technical details here... If you're not technical, jump to the end.
----
Pure and simple, this is a hardware exploit which allows direct upload of code to run on the S5PC110/Hummingbird/Cortex-A8 platform. Samsung's chain of trust (CoT) model uses hardware to authenticate the Integrated Read-Only Memory (IROM), which authenticates the Initial Bootloader (IBL), which authenticates the Primitive Bootloader (PBL)... The IROM, IBL, and PBL are all loaded in IRAM; the PBL's job is to initialize Dynamic RAM (DRAM) and authenticate/load the Secondary Bootloader (SBL, AKA BL3), which loads a kernel, which loads the operating system you see on-screen.
This is a two-part hack. We've developed a hardware modification which allows USB download of code. We've also developed the Hummingbird Interceptor Bootloader (HIBL), which intercepts the CoT and allows a second, unsigned download. The HIBL uses official code to handle authentication, which then jumps to another memory location. It's this memory location where we place our exploit. Our exploit reuses the same code that downloads the HIBL to IRAM, but it initializes DRAM, which means you can directly upload an SBL (the final bootloader) to DRAM.
So once again, really quickly: we use a hardware mod to download Rebellos' HIBL, which violates the Chain of Trust, exploits a memory jump and allows unsigned code to run on the processor. All this means you can revive a dead phone easily, or try out other operating systems and debug easily, regardless of signature checking on the device.
---------
The first part is the hardware modification so things can be tested without risk. Please help out if you have a dead device. I can make constructive use of it, or you can PM me for instructions. Either way, that old junked device you have can help out millions of people.