The Captivate Development Platform mod AKA UnBrickable Mod


ndowens

Does anybody know if mobile tech video would do this to my phone and guarantee its safety lol


Well, after this post I noticed they do offer this service. I may order it sometime so I won't be afraid of installing ROMs.
Sent from my rooted Samsung Proclaim using XDA app
 

AdamOutler

I have done this modification to my Captivate, and it's awesome! Thank you OP. I am really good with a soldering iron, by the way. I have a lot of really good, expensive supplies and tools for this kind of work. The iron I have is a Hakko FX-888 temperature-controlled soldering station, with helping hands and a magnifying glass, an X-Acto knife kit, and a kit of 6 anti-static precision tweezers. And of course flux, desoldering braid, Kynar wire, etc. I have been installing the JTAG modification on Xbox 360s for a long time, but this is just a little more difficult than Xbox 360 consoles. But a really good mod. Thanks again.

Sent from my Serendipity VII flashed Captivate using xda premium

Well, since you're advertising in my thread... Maybe you should consider donating to the team.
 

tokafondo

Hello.

I'm following all this stuff about UART - USB - JTAG.

I have a GT-i9000.

I think instead of soldering, maybe this adapter could be used.

[Image: product_1289812309_2074259099_sam_i9000_big.png]

But that's what I believe... could it be true?

In all, what I want to know is if there is a way to access the OneNAND and try to achieve what seems to be impossible: fix a read-only internal SD.

Maybe in some of the IPL, PBL or SBL there are commands that allow what flashing, wiping, or adb'ing cannot do.

Thanks.
 

laughingT

In all, what I want to know is if there is a way to access the OneNAND and try to achieve what seems to be impossible: fix a read-only internal SD.

Maybe in some of the IPL, PBL or SBL there are commands that allow what flashing, wiping, or adb'ing cannot do.

I assume you are talking about overcoming the EU bug from ICS, yes?

I'm curious, if that's what you are thinking about. If so, what leads to the idea that a read-only state of the NAND is the problem? Can one read the contents, but not write to it? Adam O may know with all of his UART/JTAG experience.


sent via carrier pigeon via cm10.1 Knightly, Keira.
 

tokafondo

Well, I've made my research on the matter.

There are several reports that the internal SD memory of a phone gets unavailable or at least 'read only'.

http://xdaforums.com/showthread.php?t=941139
http://xdaforums.com/showthread.php?t=1530034
http://androidforums.com/samsung-galaxy-s/245701-internal-sd-card-read-only.html

...and some others, including me.

I think the EXT_CSD register of the eMMC card gets some kind of 'protected' or 'read only' status because of some kind of bug or trigger when flashing.

And I think that maybe by using a JTAG cable or by issuing IBL, PBL or SBL commands, something can be done.
 

Splinter836

So does this mean I could install different Linux distros onto this device and they will boot, like how you can do with the Raspberry Pi?
 

shinji257

I have a Captivate still (it is my retired phone) and as far as I know it works still. Would someone be willing to do the unbrickable mod for me at all? I don't trust my own soldering skills.. XD

PM me if you are willing to do so. I'm located in the US.
 

AdamOutler

I have a Captivate still (it is my retired phone) and as far as I know it works still. Would someone be willing to do the unbrickable mod for me at all? I don't trust my own soldering skills.. XD

PM me if you are willing to do so. I'm located in the US.

I ask for $35+shipping cost, which is usually $7.
 

G-Man.

@AdamOutler - I have a Captivate that isn't exactly bricked, in the sense that it will go into download mode and successfully flash with Odin, but won't boot past the AT&T boot animation or Samsung S logo... the screen just goes black after... Would this mod allow me to fix this somehow? If so, I'd have no qualms about paying you to do this. Just P.M. me with info/instructions.
 

AdamOutler

@AdamOutler - I have a Captivate that isn't exactly bricked, in the sense that it will go into download mode and successfully flash with Odin, but won't boot past the AT&T boot animation or Samsung S logo... the screen just goes black after... Would this mod allow me to fix this somehow? If so, I'd have no qualms about paying you to do this. Just P.M. me with info/instructions.


If you can get in download mode, you don't need this.
 

G-Man.

Says it can't mount /data after Odin flash... then does what I described in my previous post. Any suggestions?

Swyped on my awesome 64Gb 1+1
 

G-Man.

@AdamOutler - Now says that there was a firmware upgrade problem, try recovery - but can't get to recovery, or download mode... this is the ONLY screen that comes up now.... Should I assume that this device is simply dead?
 

Top Liked Posts

  • 74
    Background
    First off, big thanks to TheBeano and Midas5 for teaching me about UART, decompiling bootloaders and figuring out how the OM values work. Their initial work and dedication in "Lets Save Some Bricks" inspired me greatly. Since the work started we've analyzed UART outputs, hacked the heck out of the SBL prompt, obtained both decompiled and source for bootloaders, and generally learned a **** ton about our devices... Mind you, that's a Metric **** ton, not the Imperial **** ton, which is equivalent to nearly 2000 assloads. The reason I'm branching this operation at the current point is because this modification is specific to our device. The proper modifications for other Samsung devices have not been identified yet. We're first! Yay! We need to focus on Captivate firmware development now. The firmware may encompass all GalaxyS models as well, but this modification will only work on the Captivate.

    introduction
    I'm not kidding when I say UnBrickable. Modifying the OM pins means you can boot from USB, UART or MMC. This makes the phone quite UNBRICKABLE. There is nothing you can do software wise to prevent the device from booting into this mode. We are communicating with the unrewritable, efused IROM on the processor. It's the thing that makes the system on a chip into a "system on a chip". I am here now to tell you how to turn your Samsung Captivate into a KIT-S5PC110 development board. The KIT-S5PC110 development board is the platform used to develop our phones. There are some differences between this mod and the official development platform. The S5PC110 has a removable internal SDCard and no touchscreen.

    Why would you want to do this? When you plug in the battery and connect it to the computer in "off" mode, it will become an S5PC110 board awaiting download of a program to run. This occurs long before anything like software or firmware enters the processor. This is the IROM of the device awaiting commands or a power on signal.

    Because it is accepting a memory flash, anything may be put onto the device to perform a boot sequence..... Apple iOS (iPhone4 has the same processor) WP7 (mango supports this processor).

    This will be a replacement for JTAG once we are able to make some firmware. How could it possibly be better than JTAG? Let's count the ways....
    1. The only part required is a wire.
    2. No shipping time.
    3. No cost for a box to interface the computer.
    4. Permanent.
    5. Can be done as a preventive measure.
    6. Gives the ability to test new Bootloaders temporarily.
    7. Allows development of the entire system.
    8. Removes worry about flashing and acts as a backup.

    After performing this mod:
    Remove the battery, replace the battery, your phone will connect to the computer via USB and await commands. Otherwise it will pretty much act like a captivate. See the Special Instructions section.

    Modification

    You will need:
    1. Get someone who knows what they're doing with a soldering iron. If they don't know what flux is, then they don't know what they're doing. You can send me a PM (my username @gmail.com) or Connexion2005 (aka MobileTechVideos.com). Note: I do not work for/with mobiletechvideos.com.
    2. soldering iron - make sure it's sharp, if it's not sharp, then sharpen it, flux it and re-tin it.
    3. flux
    4. solder
    5. tweezers
    6. A relay (for the wire contained within)

    getting started:
    You will need a very small piece of wire. Tear apart the relay, unravel the coil within and grab about 12cm~ of wire. The fact that it comes from a relay is important because relays generally have very small wires which are individually treated with a non-conductive coating.

    Take the 12cm~ wire from the relay and tin the very edge of it. No more than 1/32". If you tin more than 1mm, cut off the excess. It is desirable to have a slight bit of excess solder on the tip of this wire.

    performing the modification:
    1. tear apart your phone... remove 6 #0 phillips screws from the back. Two of them are under the battery slide flap. The slide flap must be up on one end and down on the other in order to get to these screws... Don't LIFT the slide flap, just rotate it at an angle. Once the 6 screws are out, then you can separate the back from the front. Make sure to take out your SIM and external SDCard before you do this.
    [Image: 2v0e6o1.jpg]

    2. remove the mainboard... there's a single screw and 5 connectors which require removal. Remove them. Pull the board out and place it on your workspace.
    [Image: kbq3yc.jpg]
    [Image: 28aneba.jpg]

    3. remove the EM shield from the processor side.
    [Image: ndpjrm.jpg]

    4. remove the OM5 resistor in the picture below. It's coated in glue. I've found the best thing is to just coat the area in flux and let it do the work while prodding with the iron to move the resistor out of place.
    [Image: 2vcdf8w.jpg]

    5. Connect the active side of xOM0 resistor to the active pad on OM5's resistor pads.
    http://i51.tinypic.com/160zmty.jpg
    [Image: fuxhsm.jpg]
    [Image: 160zmty.jpg]

    6. reassemble the phone.


    Special Instructions

    • This replaces the battery charging sequence. The normal battery charging sequence can be activated by holding power for 4 seconds.
    • To turn on the device, and operate in normal mode, you must hold the power button for 5 seconds.
    • 3 button Download mode works as usual, however you must not have the S5PC110 drivers installed on the computer. You can use your custom rom menu option, adb reboot download, or use a terminal to "reboot download". 301Kohm Factory Mode JIGs work as well, but you must press power to bypass the S5PC110 mode.


    Conclusion

    Congratulations. You now have a device which works like a KIT-S5PC110 with an OM Value of 29. Now get to developing some serious custom software. See here for setting up the UART output http://xdaforums.com/showthread.php?t=1235219

    reading material
    Creating your own Samsung Bootloaders: http://xdaforums.com/showthread.php?t=1233273
    KIT-S5PC110 manual: http://www.mediafire.com/?94krzvvxksvmuxh
    how to use DNW: http://tinyurl.com/dnw-how-to
    Flash using openOCD and DNW: http://www.arm9board.net/wiki/index.php?title=Flash_using_OpenOCD_and_DNW
    another DNW example: http://www.boardset.com/products/mv6410.php
    ODroid dev center: http://dev.odroid.com/projects/uboot/wiki/#s-7.2


    drivers and utilities
    This will be an ever expanding list
    Windows Drivers http://xdaforums.com/attachment.php?attachmentid=678937&d=1312590673
    Windows Download Tool DNW: http://xdaforums.com/attachment.php?attachmentid=678938&d=1312590673
    Windows Command Line tool: http://xdaforums.com/showpost.php?p=17202523&postcount=27
    Linux DNW Utility: http://dev.odroid.com/projects/uboot/wiki/#s-7.2
    Linux Detector tool: http://xdaforums.com/showthread.php?t=1257434
    Linux Automated UnBricker: http://xdaforums.com/showthread.php?t=1242466

    firmware
    Bootloader Hello World by Rebellos http://xdaforums.com/attachment.php?attachmentid=698077&d=1314105521
    UnBrick tool http://xdaforums.com/showthread.php?t=1242466
    6
    Mark this moment.....

    WE HAVE HELLO WORLD

    Rebellos! You are the man!

    Ok, steps to reproduce:

    1. Perform UnBrickable mod from the first post in this thread.

    2. With the phone off, Insert battery into phone. Press power on button for 1 second. Observe message on internal UART:
    Code:
    Insert an OTG cable into the connector!
    ������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������
    Uart negotiation Error

    3. Insert the OTG Cable (standard USB cable plugged into USB port on phone-- OTG port) and observe message on internal UART port:
    Code:
    ������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������
    Uart negotiation Error

    4. On a Linux system run the "dltool"
    Code:
    adam@Adam-Desktop:~/Desktop/dltool$ sudo ./smdk-usbdl -f ./s5pc110_test/s5pc110_testcode.bin  -a D0020000
    SMDK42XX,S3C64XX USB Download Tool
    Version 0.20 (c) 2004,2005,2006 Ben Dooks <ben-linux@fluff.org>
    
    S3C64XX Detected!
    => found device: bus 001, dev 050
    => loaded 16384 bytes from ./s5pc110_test/s5pc110_testcode.bin
    => Downloading 16394 bytes to 0xd0020000
    => Data checksum af84
    => usb_bulk_write() returned 16394
    adam@Adam-Desktop:~/Desktop/dltool$

    5. Observe Internal UART message:
    Code:
    Hey you!
    Out there on the road,
    Always doing what you are told,
    Can you help me?
    which repeats every 20 seconds.

    GREAT WORK!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    4
    I submit for your approval, The Rebellos Resurrection Bootloader in action

    Code:
    �������������������������������������������
    Uart negotiation Error                                                          
                                                                                   
    Welcome to the S5PC110 resurrector by Rebellos!                                
    Desired BL3 entry point: 0x40244000                                            
                                                                                   
    0x00000000                                                                      
    0x00000000                                                                      
    0x00000000                                                                      
    0x00000000                                                                      
                                                                                   
                                                                                   
                                                                                   
    Calling SGS IBL Stage2 (DMC + oneNAND configuration)                            
                                                                                   
    DONE!                                                                          
    0x00000000                                                                      
    0x00000000                                                                      
    0x00000000                                                                      
    0x00000000                                                                      
                                                                                   
    Testing if BL3 area is R/W                                                      
                                                                                   
    DONE!                                                                          
                                                                                   
    Reinitializing iRAM variables                                                  
                                                                                   
    DONE!                                                                          
                                                                                   
    DONE!                                                                          
                                                                                   
    Please prepare USB dltool with BL3 (SBL)                                        
                                                                                   
    Starting downloader in...                                                      
    3                                                                              
    2                                                                              
    1                                                                              
    0                                                                              
    0x00000000                                                                      
    Downloading complete, please hold download mode key combination if you are not .
                                                                                   
    Starting BL3 in...                                                              
    :                                                                              
    9                                                                              
    8                                                                              
    6                                                                              
    5                                                                              
                                                                                   
    Set cpu clk. from 400MHz to 800MHz.                                            
    IROM e-fused - Non Secure Boot Version.                                        
                                                                                   
    -----------------------------------------------------------                    
       Samsung Secondary Bootloader (SBL) v3.0                                      
       Copyright (C) Samsung Electronics Co., Ltd. 2006-2010                        
                                                                                   
       Board Name: ARIES REV 03                                                    
       Build On: Jun  8 2011 21:44:47                                              
    -----------------------------------------------------------                    
                                                                                   
    Re_partition: magic code(0xffffffff)                                            
    [PAM:   ] ++FSR_PAM_Init                                                        
    [PAM:   ]   OneNAND physical base address       : 0xb0000000                    
    [PAM:   ]   OneNAND virtual  base address       : 0xb0000000                    
    [PAM:   ]   OneNAND nMID=0xec : nDID=0x50                                      
    [PAM:   ] --FSR_PAM_Init                                                        
    fsr_bml_load_partition: pi->nNumOfPartEntry = 12                                
    partitions loading success                                                      
    board partition information update.. source: 0x0                                
    .Done.                                                                          
    read 1 units.                                                                  
    ==== PARTITION INFORMATION ====                                                
     ID         : IBL+PBL (0x0)                                                    
     ATTR       : RO SLC (0x1002)                                                  
     FIRST_UNIT : 0                                                                
     NO_UNITS   : 1                                                                
    ===============================                                                
     ID         : PIT (0x1)                                                        
     ATTR       : RO SLC (0x1002)                                                  
     FIRST_UNIT : 1                                                                
     NO_UNITS   : 1                                                                
    ===============================                                                
     ID         : EFS (0x14)                                                        
     ATTR       : RW STL SLC (0x1101)                                              
     FIRST_UNIT : 2                                                                
     NO_UNITS   : 40                                                                
    ===============================                                                
     ID         : SBL (0x3)                                                        
     ATTR       : RO SLC (0x1002)                                                  
     FIRST_UNIT : 42                                                                
     NO_UNITS   : 5                                                                
    ===============================                                                
     ID         : SBL2 (0x4)                                                        
     ATTR       : RO SLC (0x1002)                                                  
     FIRST_UNIT : 47                                                                
     NO_UNITS   : 5                                                                
    ===============================                                                
     ID         : PARAM (0x15)                                                      
     ATTR       : RW STL SLC (0x1101)                                              
     FIRST_UNIT : 52                                                                
     NO_UNITS   : 20                                                                
    ===============================                                                
     ID         : KERNEL (0x6)                                                      
     ATTR       : RO SLC (0x1002)                                                  
     FIRST_UNIT : 72                                                                
     NO_UNITS   : 30                                                                
    ===============================                                                
     ID         : RECOVERY (0x7)                                                    
     ATTR       : RO SLC (0x1002)                                                  
     FIRST_UNIT : 102                                                              
     NO_UNITS   : 30                                                                
    ===============================                                                
     ID         : FACTORYFS (0x16)                                                  
     ATTR       : RW STL SLC (0x1101)                                              
     FIRST_UNIT : 132                                                              
     NO_UNITS   : 1146                                                              
    ===============================                                                
     ID         : DBDATAFS (0x17)                                                  
     ATTR       : RW STL SLC (0x1101)                                              
     FIRST_UNIT : 1278                                                              
     NO_UNITS   : 536                                                              
    ===============================                                                
     ID         : CACHE (0x18)                                                      
     ATTR       : RW STL SLC (0x1101)                                              
     FIRST_UNIT : 1814                                                              
     NO_UNITS   : 140                                                              
    ===============================                                                
     ID         : MODEM (0xb)                                                      
     ATTR       : RO SLC (0x1002)                                                  
     FIRST_UNIT : 1954                                                              
     NO_UNITS   : 50                                                                
    ===============================                                                
    loke_init: j4fs_open success..                                                  
    load_lfs_parameters valid magic code and version.                              
    reading nps status file is successfully!.                                      
    nps status=0x504d4f43                                                          
    load_debug_level reading debug level from file successfully(0x574f4c44).        
    init_fuel_gauge: vcell = 4180mV, soc = 81                                      
    check_quick_start_condition_with_charger- Voltage: 4180.0, Linearized[71/86/1004
    init_fuel_gauge: vcell = 4180mV, soc = 81, rcomp = d01f                        
    reading nps status file is successfully!.                                      
    nps status=0x504d4f43                                                          
    PMIC_IRQ1    = 0x28                                                            
    PMIC_IRQ2    = 0x0                                                              
    PMIC_IRQ3    = 0x0                                                              
    PMIC_IRQ4    = 0x0                                                              
    PMIC_STATUS1 = 0x40                                                            
    PMIC_STATUS2 = 0x2c                                                            
    get_debug_level current debug level is 0x574f4c44.                              
    aries_process_platform: Debug Level Low                                        
    keypad_scan: key value ----------------->= 0x30                                
    CONFIG_ARIES_REV:48 , CONFIG_ARIES_REV03:48                                    
    check_download: micorusb_status1 = 4, key_value = 30                            
    reading nps status file is successfully!.                                      
    nps status=0x504d4f43                                                          
                                                                                   
    ==> Welcome to ARIES!                                                          
    ==> Entering usb download mode..                                                
    DISPLAY_PATH_SEL[MDNIE 0x1]is on                                                
    MDNIE setting Init start!!                                                      
    vsync interrupt is off                                                          
    video interrupt is off                                                          
    [fb0] turn on                                                                  
    MDNIE setting Init end!!                                                        
    Error : Current Mode is Host                                                    
    EP2: 0, 2, 0; len=7                                                            
    EP2: 0, 2, 0; len=7                                                            
    sug: IN EP asserted

    Take note here, both the Rebellos Resurrection Bootloader and the Samsung SBL were uploaded. This bypassed the Samsung Primitive Bootloader altogether... We now have a functioning, open-source bootloader set which can load up the system normally, or boot a completely annihilated phone into download mode. On top of that, it's Open-Source.

    Please send a donation to Rebellos.
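
    Added example, not part of the original post or of the bootloader project: a Python parser for the PARTITION INFORMATION block in the SBL UART log above. It checks that the unit ranges are contiguous, lists the partitions the SBL prints as RW, and diffs two captures; the function names are hypothetical and the sample is a four-entry excerpt of that log.

```python
import re

# Four-entry excerpt of the SBL partition dump from the UART log in the post
# above (trailing padding stripped); the remaining entries parse the same way.
SAMPLE_LOG = """\
==== PARTITION INFORMATION ====
 ID         : IBL+PBL (0x0)
 ATTR       : RO SLC (0x1002)
 FIRST_UNIT : 0
 NO_UNITS   : 1
===============================
 ID         : PIT (0x1)
 ATTR       : RO SLC (0x1002)
 FIRST_UNIT : 1
 NO_UNITS   : 1
===============================
 ID         : EFS (0x14)
 ATTR       : RW STL SLC (0x1101)
 FIRST_UNIT : 2
 NO_UNITS   : 40
===============================
 ID         : SBL (0x3)
 ATTR       : RO SLC (0x1002)
 FIRST_UNIT : 42
 NO_UNITS   : 5
===============================
"""

FIELD = re.compile(r"^\s*(ID|ATTR|FIRST_UNIT|NO_UNITS)\s*:\s*(.+?)\s*$")
NAME_HEX = re.compile(r"^(.*?)\s*\((0x[0-9a-fA-F]+)\)$")


def parse_partitions(log):
    """Return one dict per complete partition entry in an SBL UART capture."""
    parts, cur = [], None
    for line in log.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # unrelated boot messages and separator lines
        key, val = m.groups()
        named = NAME_HEX.match(val)
        if key == "ID":
            # A new entry starts here; a garbled ID line discards the entry.
            cur = {"name": named.group(1), "id": int(named.group(2), 16)} if named else None
        elif cur is None:
            continue
        elif key == "ATTR" and named:
            cur["flags"] = named.group(1).split()
            cur["attr"] = int(named.group(2), 16)
        elif key in ("FIRST_UNIT", "NO_UNITS") and val.isdigit():
            cur[key.lower()] = int(val)
            if key == "NO_UNITS" and len(cur) == 6:  # all six fields captured
                parts.append(cur)
                cur = None
    return parts


def layout_findings(parts):
    """Report gaps and overlaps between consecutive unit ranges."""
    findings, expected = [], 0
    for p in sorted(parts, key=lambda p: p["first_unit"]):
        if p["first_unit"] > expected:
            findings.append(f"gap: units {expected}-{p['first_unit'] - 1} before {p['name']}")
        elif p["first_unit"] < expected:
            findings.append(f"overlap: {p['name']} starts at unit {p['first_unit']}, "
                            f"previous entry ends at {expected - 1}")
        expected = max(expected, p["first_unit"] + p["no_units"])
    return findings


def writable(parts):
    """Names of partitions whose ATTR line carries the RW flag as printed."""
    return [p["name"] for p in parts if "RW" in p["flags"]]


def diff_tables(baseline, observed):
    """Names of partitions that are new or whose ATTR/extent differ from a baseline."""
    base = {p["name"]: p for p in baseline}
    return [p["name"] for p in observed
            if p["name"] not in base
            or any(base[p["name"]][k] != p[k] for k in ("attr", "first_unit", "no_units"))]


if __name__ == "__main__":
    table = parse_partitions(SAMPLE_LOG)
    print("layout findings:", layout_findings(table) or "none")
    print("writable:", writable(table))
```

    Keeping a parsed table from a known-good boot gives a baseline to diff against after any later flash.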
    3
    My actual sources
    (a lot of debug mess in there)

    I'm not familiar with git
    Is googlecode SVN okay?
    3
    Thank you.

    Now you can be sure you've got a 99% unbrickable phone (you can always use a hammer)

    Remember to have copy of your nv_data. I think in 30minutes I'll post pack of alpha sbl loader + modified sbl.