[DEV] i9000 Development Platform, AKA UnBrickable Mod and Software Based Resurrection
Some of you will, remember lets save some bricks? Well, it's taken a long time to perfect this on the i9000, which is ironic because this is where it started, but we finally have a way! You can perform this mod on a bricked device and resurrect it, or you can apply it as a protective measure.
The way this works is we change the OM value in the processor by modifying an individual electronic binary signal. The signal we are interested in is xOM5. This line is normally grounded, causing the overall OM value to equal 0x9. When we bring this line high, the OM value becomes 0x29. This reverses the booting order and ensures you will always have boot from USB available before the device starts.
This is a better option than JTAG for resurrecting a device. How could it possibly be better then JTAG? Let's count the ways....
1. The only part required is a wire.
2. No shipping time.
3. No cost for a box to interface the computer.
5. Can be done as a preventive measure.
6. Gives the ability to test new Bootloaders temporarily.
7. Allows development of the entire system.
8. Removes worry about flashing and acts as a backup.
After performing this mod:
Remove the battery, replace the battery, plug in USB, your phone will connect to the computer via USB and await commands for 2 seconds. Otherwise it will pretty much act like a i9000. See the Special Instructions section.
Part 1: Hardware Modification You will need:
1. Get someone who knows what they're doing with a soldering iron. If they don't know what flux is, then they don't know what they're doing.
2. soldering iron - make sure it's sharp, if it's not sharp, then sharpen it, flux it and retin it.
6. A relay (for the wire contained within)
You will need a very small peice of wire. Tear apart the relay unravel the coil within and grab about 5cm~ of wire. The fact that it comes from a relay is important because relays generally have very small wire which are individually treated with a non-conductive coating.
Take the 5cm~ wire from the relay and tin the very edge of it. No more then 1/32". If you tin more then 1mm, cut off the excess. It is desirable to have a slight bit of excess solder on the tip of this wire.
1. Tear apart your device. Remove battery cover, battery, 6 screws, the back case and 4 connectors from the board.
2. remove the EM shield from the board to expose the resistors
3. Replace the xOM5 resistor from the top to the bottom or remove the xOM5 resistor and connect either xOM5 center pad to either xOM3's or xOM0's center pads.
4. Reassemble the device
This replaces the battery charging sequence for the first few seconds of being plugged in.
To turn on the device, and operate in normal mode, you must hold the power button for 5 seconds.
3 button Download mode works as usual, however you must not have the S5PC110 drivers installed on the computer. You can use your custom rom menu option, adb reboot download, or use a terminal to "reboot download". 301Kohm Factory Mode JIGs work as well, but you must press power to bypass the S5PC110 mode.
Part 2: Software Based Resurrection
Connexion2005 (Mobiltechvideos) perfomed the very first resurrection on this device based on a Google+ post I made with a picture of the xOM pins. Usually I post two separate posts, but since the software resurrection was already ready already, I decided to include it in this post. The tools used are the same as every other GalaxyS device. The resurrector must be run within 2 seconds of plugging in the USB cable. Thanks Connexion2005!
1. Apply UnBrickable Mod to your device: see Hardware Modification section
2. Run ModeDetect and plug in your i9000. (Not a requirment, but helpful)
When you see this image you are in S5PC110 SEC SoC mode. When you see this mode you must proceed to step 3.
If it will only show this image, then you have not performed the modification correctly, or you have a hardware problem.
If it shows this, regardless of what's on your screen, you're in download mode:
On this device the resurrector must be run within 2 seconds of plugging in the device. So you must be quick. I find it's easiest to click Download Mode, type a password, plug in the device, then press enter.
XDA is about developing and is for developers. Any user that recognizes that will gain the most benefit from this site
This is and always will be a site for developers, pure and simple. Without them we are nothing, without them there would be no reason for XDA Developers to exist; we should never ever forget that. Without them this place would not be called XDA-Developers but something else, e.g Mobile Phone User Support Services For Ungrateful Nerds.
Previous devices: HTC: Treo 650 - Excalibur - Diamond - Diamond 2 - Maple - HD2 - Rhodium - Desire Z - Desire HD - Vivid - Sensation - One V - One X - Titan II - One X+ - DNA - Butterfly
That's seems to be our alma mater of UB Mods. The first of whole family finally got UnBrickable.
Okay, so, what is Hummingbird Interceptor Boot Loader (HIBL)?
Basically: It allows to load any amount of data (limited by size of RAM block, the biggest one single block available is 256MB) through USB connection with PC under any specified address into memory and then execute it.
Technically: It does consist of 2 pieces fused together - BL1_stage1 and BL1_stage2.
Each stage starts from 16bytes (4 ARM WORDs) of secure boot header. In stage1 these are mandatory, in stage2 they can be random (nulled them in my code), so EntryPoint of each stage does start at its 0x10 offset.
BL1_stage1, loaded under 0xD0020000 address, is short code, digitally signed by Samsung. It has been released to break "Chain of Trust" and alter Secure Boot into Non-Secure Boot process. Literally stage1 just do some compare operations and then jumpout to BL1_stage2. (Yes, I also see no point of releasing hardware secured CPU version together with software which is bypassing it's security)
BL1_stage2, must be placed at 0xD0022000 address (it's fused together with stage1 into HIBL, so it's at 0x2000 offset of HIBL.bin) it is unsigned because Secure Boot Context, prepared by iROM (BL0) has been already ignored by stage1.
Its FASM_ARM sourcecode: http://code.google.com/p/hummingbird...oader/HIBL.ASM
This is where the code start real work, it does begin with standard ARM core jump vector table (just to keep stick to standard, these aren't used anyway).
1. It does use I9000 BL1_stage2 functions (init_system) which I linked to it, these are used to init DMC controllers, as to this point code is executing in and working with very tiny, 96KB iRAM space, after calling this function it turns all 512MB of RAM available.
2. Make sure DMC is configured properly (write some value to address 0x40~~ memory space, then read it and compare with previously written)
3. Reinit iRAM heap to the BL0 initial state (to convince it USB dload mode haven't been called yet), by storing and restoring UART pointer only (to keep debug output flowing properly)
4. Call iROM usb_downloader function.
5. Read the address where downloaded data has been placed.
6. Jump into this address.
This, properly used provides similiar debug output (similiar, because its outdated testlog)
Android L, once it is eventually released, will featuredata encryption turned on by … more
20 Sep 2014
By Tomek Kondrat
XDA Developers was founded by developers, for developers. It is now a valuable resource for people who want to make the most of their mobile devices, from customizing the look and feel to adding new functionality. Are you a developer?