
Do you want to help out developers? Got a broken device?

OP AdamOutler

26th August 2011, 08:26 PM   |  #1  
We now have the ability to make all devices with Hummingbird processors into "Super-Dev Phones". I just need a single dead board from each model to locate the proper modification. It can be water-damaged, broken, busted, cracked, smacked, set on fire, chewed on by your dog, dropped, thrown against a wall, or otherwise inoperable. I need a mainboard from each device to make this work.

If you wish to donate a dead device, post here, send a PM, or email me at my username @gmail.com

We can bring this modification to every device with the same processor; we just need to perform analysis before you can set up your device for bootloader development, or resurrect them from a hard-bricked state with nothing but software after a slight hardware mod.

We need to locate the xOM5 pin on the following devices before they can be modified into UnBrickable Super-Development devices:
SGH-i896 Samsung Captivate UnBrickable thanks: bulletproof
SGH-i897 Samsung Captivate UnBrickable thanks: bulletproof
GT-i9000 Samsung SGS UnBrickable thanks: Zak Stinson
S8500 Samsung Wave Plans Available thanks: Rebellos
S8530 Samsung Wave II Plans Available thanks: Rebellos
SPH-D700 Samsung Epic 4G Plans Available thanks: James I-----
SGH-i997 Samsung Infuse 4G UnBrickable thanks pdx 528e
SGH-T959 Samsung Vibrant UnBrickable thanks: ChauncyG
SGH-T959V Samsung GalaxyS 4G UnBrickable thanks: bhundven
SGH-T849 Samsung Galaxy Tab 7.0 inch
GT-P1000 Samsung Galaxy Tab UnBrickable Thanks F50+
GT-P100 Samsung Sprint Galaxy Tab UnBrickable
SCH-i800 Samsung Verizon/US Cellular Galaxy Tab 7.0 UnBrickable
SHW-M180 Samsung Galaxy Tab
GT-i9010 Samsung Giorgio Armani Galaxy
T839 Samsung Sidekick 4g UnBrickable
SCH-i500 Samsung Fascinate UnBrickable thanks: RootzWiki
SCH-i520 Samsung Droid Charge USB OTG port issue thanks: Clarkkent434
7e ViewSonic ViewPad
R90L200 Pandigital 9" tablet
SGH-i987 Samsung Galaxy Tab 7.0
SGH-T849 T-Mobile Samsung Galaxy Tab 7.0
GT-P1000N Samsung Galaxy Tab 7.0
SGH-i877 Samsung Inspiration
GT-I9020 Google Nexus S GSM - Failed -
GT-I9023 Google Nexus S CDMA - USB OTG port issue - Modification located, but CDMA gets in the way of USB OTG

GT-P1010 Samsung Galaxy Tab 7.0 Wi-Fi 16GB
M9 Meizu
SC-01C NTT DoCoMo Galaxy Tab 7.0
X10 Viliv HSPA 32GB
X7 Viliv HSPA 32GB
SCH-i400 Samsung Continuum
M9300 Kyocera Echo
YP-G1CW Samsung Galaxy S WiFi 4.0 8GB
SGH-T759 Samsung Exhibit 4G
yp-g70 Samsung galaxy s wifi 50 2
YP-G70EW Samsung Galaxy S WiFi 5.0 16GB
YP-GB70NW Samsung Galaxy Player 70 32GB
SCH-I500 Samsung Galaxy S Mesmerize
YP-MB2 Samsung Yepp / Galaxy Touch 32GB
GT-I9088 Samsung Galaxy S
YP-GB1EW Samsung Galaxy Player
16GBH-I909 Samsung Galaxy S Pro Galaxy S
SCH-W899 Samsung phone
SCH-R910 Samsung Galaxy Indulge / Forte
MID8024-4G Coby Kyros 8"
MID7022-4G Coby Kyros 7"
MID1024-4G Coby Kyros 10.1


Just about anything with a Samsung processor in it... There are so many devices. These are the most common ones we are targeting.


Once I have received any of the above boards, I will attempt one of the following tricks to find out where the xOM5 resistor lies. Please understand that there is ALWAYS risk while working on electronics. I have done several of these successfully.

Methods for locating modification
1. Monitor memory locations in real time while using the viewmem tool for changes to the OM registers. This only works on a rooted and working device. I can short high from behind a 10kOhm pull-up resistor to a low value which is pulled down from a 100kOhm pull-down resistor. This will allow the high to counteract the low and a memory location can be monitored while performing this operation. This leaves the device totally operational and is the best way to perform this type of analysis, but is only accessible on some devices.

2. Using overlays and processor pinouts, I can trace out likely locations of the xOM5 resistor, make a modification, and watch the results from the SBL over UART. This leaves the device totally operational.

3. Using relative positioning, I can pick a resistor, make a change and test for proper modification. This leaves the device totally operational.

4. Using a multimeter, I can remove the processor from a device and trace out the pins manually. This method is only appropriate for a broken device.


As an additional benefit, we may be able to port the Nexus S bootloaders to the device, allowing for the latest version of Android to be ported easily to the device... After that, Ubuntu, Apple iOS, WP7, you name it...

Let me get into some of the technical details here... If you're not technical, jump to the end.
----
Pure and simple, this is a hardware exploit which allows direct upload of code to run on the S5PC110/Hummingbird/Cortex A8 platform. Samsung's chain of trust (CoT) model uses hardware to authenticate the Integrated Read-Only Memory (IROM), which authenticates the initial bootloader (IBL), which authenticates the Primitive Bootloader (PBL)... The IROM, IBL, and PBL are all loaded in IRAM; the PBL's job is to initialize Dynamic RAM (DRAM) and authenticate/load the Secondary bootloader (SBL, AKA BL3), which loads a kernel, which loads the operating system you see on-screen.

This is a two-part hack. We've developed a hardware modification which allows USB download of code. We've also developed the Hummingbird Interceptor bootloader (HIBL) which intercepts the CoT and allows a second, unsigned download. The HIBL uses official code to handle authentication, which jumps to another memory location. It's this memory location where we place our exploit. Our exploit reuses the same code that downloads the HIBL to IRAM, but it initializes DRAM which means you can directly upload an SBL (the final bootloader) to DRAM.

So once again.. really quick... We use a hardware mod to download Rebellos' HIBL, which violates the Chain of Trust, exploits a memory jump and allows unsigned code to run on the processor. All this means you can revive a dead phone easily or try out other operating systems and debug easily, regardless of signature checking on the device.
---------

The first part is the hardware modification so things can be tested without risk. Please help out if you have a dead device. I can make constructive use of it, or you can PM me for instructions. Either way, that old junked device you have can help out millions of people.

Last edited by AdamOutler; 12th February 2012 at 10:53 PM.
The Following 81 Users Say Thank You to AdamOutler For This Useful Post: [ View ]
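
The chain of trust described in the first post, modelled as an added example (not code from the thread, from AdamOutler or from Rebellos): a chain holds only if every stage matches the digest recorded for it and every hand-over lands inside the next verified image. The FNV-1a digest is a stand-in for the real signature check, and the addresses and image bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* FNV-1a: toy stand-in for the real signature check, NOT cryptographic. */
static uint32_t digest(const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

struct stage {
    const char *name;      /* stage names follow the post */
    uint8_t image[8];      /* constructed image bytes */
    uint32_t load_addr;    /* constructed load address */
    uint32_t jump_target;  /* where this stage hands over control */
    uint32_t expected;     /* digest recorded at signing time */
};

/* Index of the first stage that breaks the chain, or -1 if it holds. */
int first_broken_link(const struct stage *s, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (digest(s[i].image, sizeof s[i].image) != s[i].expected)
            return (int)i;                     /* image altered after signing */
        if (i + 1 < n) {                       /* hand-over must land inside */
            uint32_t lo = s[i + 1].load_addr;  /* the next verified image    */
            if (s[i].jump_target < lo ||
                s[i].jump_target >= lo + sizeof s[i + 1].image)
                return (int)i;
        }
    }
    return -1;
}

/* Build a constructed IBL -> PBL -> SBL chain, then inject one fault. */
int run_case(int tamper_stage, int stray_jump_stage) {
    struct stage c[3] = {
        { "IBL", {1, 2, 3, 4, 5, 6, 7, 8}, 0x1000, 0x2000, 0 },
        { "PBL", {9, 8, 7, 6, 5, 4, 3, 2}, 0x2000, 0x3000, 0 },
        { "SBL", {5, 5, 5, 5, 5, 5, 5, 5}, 0x3000, 0x0,    0 },
    };
    for (int i = 0; i < 3; i++) c[i].expected = digest(c[i].image, sizeof c[i].image);
    if (tamper_stage >= 0) c[tamper_stage].image[0] ^= 0xFF;  /* changed after signing */
    if (stray_jump_stage >= 0) c[stray_jump_stage].jump_target = 0x9000; /* unverified memory */
    return first_broken_link(c, 3);
}

int main(void) {
    printf("intact=%d tampered=%d stray=%d\n", run_case(-1, -1), run_case(1, -1), run_case(-1, 0));
    return 0;
}
```

The stray-jump case is the one the post describes: the image itself passes its check, yet control leaves for memory that no stage verified.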
26th August 2011, 09:23 PM   |  #2  
orb3000
XDA Portal Team / Senior Moderator
Made sticky for the time being

@all
If you don't have any of the requested stuff please stay away from cluttering the thread, all non related posts such as "great idea!" and so will be deleted and re-incidence could lead to a ban
The Following 9 Users Say Thank You to orb3000 For This Useful Post: [ View ]
29th August 2011, 12:12 AM   |  #3  
AdamiX
Senior Member
Quote:
Originally Posted by AdamOutler

As an additional benefit, we may be able to port the Nexus S bootloaders to the device, allowing for the latest version of Android to be ported easily to the device. Apple iOS, WP7, Ubuntu, you name it...

So maybe u can run iOS on samsung, or WP7 on iPhone?
Or i misunderstand?
The Following 2 Users Say Thank You to AdamiX For This Useful Post: [ View ]
29th August 2011, 12:24 AM   |  #4  
akurei
Member
Is my HTC Desire a Cortex-A8 phone or is it not? I didn't know and just NOW found out (after some googling): "Nope... Some kind of snapdragon cpu".
But I guess not everyone takes the time to look up the cpu of their phone like I did.

I believe if you explicitly list all C-A8 devices (although it seems like a lot of work to do so) you'll receive more bricked phone donations than when you only list the most common ones, because most guys will probably read this post, say "mhh, no my phone's not listed here", close their browser tab and forget about that thread, even though they might have a C-A8 phone.

If you want to maximize the donations of bricked phones, list them explicitly in a "searchable" (=search engine friendly) manner.

Just a recommendation, though
The Following User Says Thank You to akurei For This Useful Post: [ View ]
29th August 2011, 12:43 AM   |  #5  
Ace42
Senior Member
Quote:
Originally Posted by akurei

Is my HTC Desire a Cortex-A8 phone or is it not? I didn't know and just NOW found out (after some googling): "Nope... Some kind of snapdragon cpu".
But I guess not everyone takes the time to look up the cpu of their phone like I did.

I believe if you explicitly list all C-A8 devices (although it seems like a lot of work to do so) you'll receive more bricked phone donations than when you only list the most common ones, because most guys will probably read this post, say "mhh, no my phone's not listed here", close their browser tab and forget about that thread, even though they might have a C-A8 phone.

If you want to maximize the donations of bricked phones, list them explicitly in a "searchable" (=search engine friendly) manner.

Just a recommendation, though

No it's not
Only phones with the above are from Ol-Sammy, Big Apple, and Google's MOTO. HTC gets their CPUs from Qualcomm which has their own special architecture that's a hybrid of Arm v7/v8. But it's closer to v7 so your device can't help them.
The Following User Says Thank You to Ace42 For This Useful Post: [ View ]
29th August 2011, 01:35 AM   |  #6  
bedwa
Recognized Developer
Oy, you now have me torn. I picked up a physically broken iPhone 4 last weekend and am planning to repair and sell it, but I would love to see this go off the ground.... Decisions, decisions......
The Following 2 Users Say Thank You to bedwa For This Useful Post: [ View ]
29th August 2011, 01:36 AM   |  #7  
Quote:
Originally Posted by AdamiX

So maybe u can run iOS on samsung, or WP7 on iPhone?
Or i misunderstand?

Let me break this down... This modification means you can NEVER brick your phone. You have to physically destroy it. There's no firmware which can ruin the phone. You simply plug it in and run this tool..

This tool is still a work in progress. It requires a Linux machine (or Linux virtual machine) in order to run. However, it works, and it works well. This tool will work for:
SGH-i897
SGH-i896
SGH-i9000
SGH-i9010
SGH-i997
GT-P1000
T959... We will need to write another tool for other devices.

What this allows is for debugging of entire operating systems without any risk. For example, I installed BADA Bootloaders to my device last night with one of the guys from the BadaDroid project (they're working on porting Android to Bada). My device totally crapped when it saw that firmware, but it gave detailed logging messages about GPIOs. It would be possible to take that firmware and rewrite it to work with our devices, and it basically eliminates that "what if I screw something up" $600 barrier that prevents porting of other operating systems to our devices.

After I flashed Bada bootloaders with the tool above, I simply pulled the battery out, put it back in, connected to USB, used the tool above and it put my phone back into Odin download mode, at which point I reflashed the device.

We need to spread this mod to all the devices. Currently we have SGH-i897 mod done.
Last edited by AdamOutler; 29th August 2011 at 01:40 AM.
The Following 3 Users Say Thank You to AdamOutler For This Useful Post: [ View ]
29th August 2011, 02:36 AM   |  #8  
Junior Member
Quote:
Originally Posted by Ace42

No it's not

Only phones with the above are from Ol-Sammy, Big Apple, and Google's MOTO. HTC gets their CPUs from Qualcomm which has their own special architecture that's a hybrid of Arm v7/v8. But it's closer to v7 so your device can't help them.

That would mean the Samsung GT-I917 (Focus) wouldn't work because it uses a Qualcomm CPU. So why was it included in the list?
The Following User Says Thank You to StarbuxMcCloud For This Useful Post: [ View ]
29th August 2011, 02:43 AM   |  #9  
Ace42
Senior Member
Quote:
Originally Posted by StarbuxMcCloud

That would mean the Samsung GT-I917 (Focus) wouldn't work because it uses a Qualcomm CPU. So why was it included in the list?

I would ask the OP, could be a mistake, unless it still has an xOM5 pin on board. Which could be possible since it's still a Sammy after all. And Sammy makes parts for Apple too. He didn't put any HTC phones in the OP, so only Sammy built phones contain the pin he wants.
29th August 2011, 02:49 AM   |  #10  
Quote:
Originally Posted by StarbuxMcCloud

That would mean the Samsung GT-I917 (Focus) wouldn't work because it uses a Qualcomm CPU. So why was it included in the list?

You're right, removed from the list. I must have received some misinformation somewhere.
