You Serous???
That's amazing news.
So whats next uboot and dual booting or something?
Create your own I9000/S8500 (& all S5PC110 based devices) bootloader&ultimate unbrick
- Thread starter Rebellos
- Start date
-
- Tags
- bootloader s5pc110 unbrick
You Serous???
That's amazing news.
So whats next uboot and dual booting or something?
It's for real.. We used Rebellos intermediate bootloader to hijack the chain-of-trust away from the standard bootloader sequence... Usually the secure boot is secured.. Rebellos managed to insert a bit of code into the Initial Bootloader (IBL) which allowed IBL Part 1 to perform its secure authentication and replaced IBL Part2 with a loader which lets us do what we want...
Rebellos' bootloader allows you to load anything as long as its a single file and it fits into DRAM.
He suggested I try installing Bada OS bootloaders on my Captivate using his new bootloader. It ended up totally thrashed... Partitions were busted, it basically tried to assimilate my captivate partially without the supporting hardware...
So, I simply reloaded the bootloader, used that to reload the stock SBL, and held the key combination while the SBL booted up to get into download mode.
Rebellos' bootloader allows you to load anything as long as its a single file and it fits into DRAM.
He suggested I try installing Bada OS bootloaders on my Captivate using his new bootloader. It ended up totally thrashed... Partitions were busted, it basically tried to assimilate my captivate partially without the supporting hardware...
So, I simply reloaded the bootloader, used that to reload the stock SBL, and held the key combination while the SBL booted up to get into download mode.
http://xdaforums.com/showpost.php?p=17066133&postcount=21
If I erase Boot area on S8500 from 0-3FFFFF (with JTAG), then Windows request Driver...
Someone has these Drivers?
Thanx in advance.
Best Regards
If I erase Boot area on S8500 from 0-3FFFFF (with JTAG), then Windows request Driver...
Someone has these Drivers?
Thanx in advance.
Best Regards
This is the way to make device unbrickable. With this small defect everytime you want to turn on the phone you have to connect it to pc and load bootloader from pc.
You can find drivers in GalaxyS Hack-Pack. Also tool, named DNW, to use this download mode.
So far Adam with me made some tests and we've got problems with downloading code from Windows.
However Adam made few successfull hard-brick resurrections from Ubuntu, using smdk-usbdl + Heimdall.
With DNW under XP
I've tried few adresses for upload, but nothing found. Most Zeros...
Ehm, maybe some examples? What could I try on S8500?
Thanx.
Best Regards
Code:
===== USB DEVICE STATUS =====
USB_CONFIGURATION_DESCRIPTOR
bLength = 0x9, decimal 9
bDescriptorType = 0x2 ( USB_CONFIGURATION_DESCRIPTOR_TYPE )
wTotalLength = 0x20, decimal 32
bNumInterfaces = 0x1, decimal 1
bConfigurationValue = 0x1, decimal 1
iConfiguration = 0x0, decimal 0
bmAttributes = 0xc0 ( ??? UNKNOWN!! )
MaxPower = 0x19, decimal 25
-----------------------------
USB_INTERFACE_DESCRIPTOR #0
bLength = 0x9
bDescriptorType = 0x4 ( USB_INTERFACE_DESCRIPTOR_TYPE )
bInterfaceNumber = 0x0
bAlternateSetting = 0x0
bNumEndpoints = 0x2
bInterfaceClass = 0xff
bInterfaceSubClass = 0x0
bInterfaceProtocol = 0x0
bInterface = 0x0
-----------------------------
USB_ENDPOINT_DESCRIPTOR for Pipe00
bLength = 0x7
bDescriptorType = 0x5 ( USB_ENDPOINT_DESCRIPTOR_TYPE )
bEndpointAddress= 0x81 ( INPUT )
bmAttributes= 0x2 ( USB_ENDPOINT_TYPE_BULK )
wMaxPacketSize= 0x200, decimal 512
bInterval = 0x0, decimal 0
-----------------------------
USB_ENDPOINT_DESCRIPTOR for Pipe01
bLength = 0x7
bDescriptorType = 0x5 ( USB_ENDPOINT_DESCRIPTOR_TYPE )
bEndpointAddress= 0x2 ( OUTPUT )
bmAttributes= 0x2 ( USB_ENDPOINT_TYPE_BULK )
wMaxPacketSize= 0x200, decimal 512
bInterval = 0x0, decimal 0I've tried few adresses for upload, but nothing found. Most Zeros...
Ehm, maybe some examples? What could I try on S8500?
Thanx.
Best Regards
So he found an exploit in the iROM? IBL is the first bootloader that can be overwritten, right?
Yes, just 2 things:
- It wasn't exploit to be precise, only Samsung's stuff which allows insecure boot.
- IBL_stage1 must stay where it is. As it's signed and we can't overwrite it for anything we want, if we don't have Samsung's private RSA to sign it. So the first bootloader that can be overwritten and executed with our custom code is IBL_stage2.
Adfree, my HIBL isn't yet working well with windows dnw. I'll release it as soon as I fix most issues.
I have Samsung S8500, and i have tried to make "Firmware Update", as in this video "youtube.com/watch?v=9XfMn89vOmo".That program BootLoader deleted everything on my phone and than restarted the phone.But than it say "Windows cannot recognize your device, instal driver" and BootLoader cannot load new firmware. I also tried to instal driver for "download mode"
and again I've tried to upgrade with BootLoader but no succes.
A friend succeeded to upgrade my phone to the version Bada 2.01.
But the phone does not work properly.When I try to lock the screen from the lock button, or press the volume button it does nothing or shows some errors.
In this video that i have folowed and tried to uptade, it,saing(at minute 7 and 50 seconds) that if happens as to me, the phone has "a brick and must take to service for reload bootloder withh somethine like jtag box" ... as I understand.
At a service also change the Firmware version and same problem, even opened in pieces the phone for finding other problems... but still same problems.
Can You please help me and tell me what I must do to make my phone work.
Thank you very much.
"youtube.com/watch?v=9XfMn89vOmo" I can not post link
and again I've tried to upgrade with BootLoader but no succes.
A friend succeeded to upgrade my phone to the version Bada 2.01.
But the phone does not work properly.When I try to lock the screen from the lock button, or press the volume button it does nothing or shows some errors.
In this video that i have folowed and tried to uptade, it,saing(at minute 7 and 50 seconds) that if happens as to me, the phone has "a brick and must take to service for reload bootloder withh somethine like jtag box" ... as I understand.
At a service also change the Firmware version and same problem, even opened in pieces the phone for finding other problems... but still same problems.
Can You please help me and tell me what I must do to make my phone work.
Thank you very much.
"youtube.com/watch?v=9XfMn89vOmo" I can not post link
Great reading. Not exactly sure how it applies to cdma tabs, samsung epic or the epic touch, but very amazing! Thanks!
Sent from my SPH-D710 using XDA App
Sent from my SPH-D710 using XDA App
bhundven
Inactive Recognized Developer
Does someone have a mirror or an updated link to the git repository for the odroid u-boot?
The original seems to be down.
The original seems to be down.
Hello.
Finally after 2 years...
I have found way to modify boot_loader.mbn to flash via Multiloader into S8500.
"magic" incredients
- JTAG RIFF Box
- CMM Script to disable little bit Security... supervisor mode
- first 3 KB of I9000 Boot...
From 0x0 - 0x9FF... 1 RSA 1024 public key less...
Now I'm searching for users to help me to confirm this solution.
Maybe supervisor mode not mandatory...
But RIFF/JTAG to reanimate... :angel:
Best Regards
Edit 1.
Confirmed.
No JTAG needed... RSA 1024 Check disabled.
Multiloader is enough to flash modified boot_loader.mbn
Working on S8500 and S8530.
Finally after 2 years...
I have found way to modify boot_loader.mbn to flash via Multiloader into S8500.
"magic" incredients
- JTAG RIFF Box
- CMM Script to disable little bit Security... supervisor mode
Code:
r.s cpsr 0xd3From 0x0 - 0x9FF... 1 RSA 1024 public key less...
Now I'm searching for users to help me to confirm this solution.
Maybe supervisor mode not mandatory...
But RIFF/JTAG to reanimate... :angel:
Best Regards
Edit 1.
Confirmed.
No JTAG needed... RSA 1024 Check disabled.
Multiloader is enough to flash modified boot_loader.mbn
Working on S8500 and S8530.
Last edited:
seems you no longer like receiving pms :silly:
anyway im not looking into getting any free jtag services, ive found plenty of resources online if it came down to this but with adamoutler's unbrickable mod im confident i have other means of resurrection if need be
I recently picked up a samsung sidekick 4g (T839)to play around with as was disappointed to see it only made it to froyo, neither samsung nor developers have moved it past everyones favorite 2.2 android
while dinking around i found this phone to be more or less a hardware keyboard strapped to an Exhibit or a Vibrant or a Galaxy s, really a number of phones. even within the param.lfs it has the splash screens for these and other phones in it! i mean the more i look into this phone the more i see it to be hacked up and thrown together.
So what im looking to do is to steal the bootloader and params and so forth from one of these other phones and seeing what to edit to make this possible as these phone all have moved onto even jb with the sk4g not even tasting gb
If anyone here is willing to help me move this forward i would be greatly appreciative, or if you can tell me why this is impossible and i should just go back to building a kernel and cm7 for it id also like to here this
thanks either way just for reading!
I'm pretty sure I released an unbrickable mod for sidekick. Check it out to make sure. I am mobile or I'd link you...
Meh, I just looked it up. http://xdaforums.com/showthread.php?t=1347984 I charge $35+shipping if I've written a guide for it. If you want, send me an email and I can do the work.
i appreciate this but im not actually looking for jtag service or help using you unbrickable mod. im looking for answers in the possibility of swapping primary/secondary bootloaders, params etc from one phone to another essentially change one phone into another
i understand that the usual answer is no but being the intense similarity between these different phones im curious to the possibilities.
i have sent pm's to a few of the developers of these phones hoping to get their pits and well anything i can get from them so i can compare what differences there are.
so although i appreciate your offer this is not what i need, more just information as google has not been too friendly these past few hours digging into this
if you have any info in the feasibility though i would be highly appreciative
thanks!
I don't own this device. However I can offer a preventive service and the information which will allow you to get out of this sticky situation. Its likely that after switching to GS1 (captivate or i9000) bootloaders, your phone will display a black screen instead of the bootsplash. It may work fine, it may not. Make sure you copy the PBL and SBL partitions from whatever device you chose or it will surely brick. There's always a possibility even if you take that precaution. Just know that there's a way out. No ones done this before.
ah.. thanks for the warning, i was hoping there was at least an attempt! i think once i get the pbl and sbl and the like from whomever is willing i will search them over and more than likely flash (with some editing i hope not much!) with your unbrick mod i feel confident not to do much damage will occur. and this is a play device not really my dd.
its just that im very unfamiliar with samsung devices as ive never owned one until now but yeah thanks much for replying and as soon as i have those files ill begin to experiment! if you can think of anything else to watch out for our test prior to im all ears!
thanks again!
Similar threads
Top Liked Posts
-
There are no posts matching your filters.
-
21Create your own I9000/S8500 (& all S5PC110 based devices) bootloader&ultimate unbrick
Preamble
I present you the results of hours of many people research.
Special thanks to:
AdamOutler
mijoma
TheBeano
midas5
Leave me a message if I forgot to mention someone.
I, nor anybody except you take no responsibility for the things you do to your PC, phone, family, neighbours, dog, cat or fish in the result of reading this and/or using any materials linked and included from here.
What is it?
Info how to bypass secure booting mechanism built in S5PC110 CPU's iROM on lowest level and create code loadable even with totally damaged bootloader, without use of JTAG.
Okay, how useful is it?
I've got no clue, it all depends on you.
Our main target, which is almost done, is ability to revive any hard-bricked hardware built on S5PC110 without use of JTAG (for eg. when JTAG pads had been damaged)
Some additional info and history
S5PC110 - the powerful CPU, heart and brain of many great handsets (like Samsung I9000, S8500, S8530, SGH-897, Google Nexus S, Odroid T, while last one is hard to be called HANDset, nvm) has got few booting levels before loading operating system:
-BL0/iROM, non-writable (not-brickable), written during CPU production process, execution starts here on every machine start, executed straight in iROM, using iRAM(iRAM is 96KB big, there is a spelling error in CPU manual), it does select booting source depending on xOM CPU pins (different types of flash memory/UART/USB), loads BL1 from it and validate its integrity using electronic sign attached to BL1 (iROM doesn't check BL1 integrity if CPU's SECKEY registers are null, there was some misunderstanding of these, but as far it appear that most or all S5PC110 units has got SECKEY not-null, and its always equal in Samsung's phones)
Execution begins from 0xD0000000
-BL1/IBL, writable (brickable), executed in iRAM, it does memory controllers setup, loads BL2 and, depending from info in BL1 electronic sign, it does or does not check BL2 integrity, BL1 is usually splitted to 2 stages, separated in iRAM by few KB of 0x00
Entrypoint of stage 1 = 0xD0020010 (while it should be loaded under 0xD0020000, as it does have 16 bytes of header)
Entrypoint of stage 2 during normal oneNAND boot = 0xD0020800 (this is already platform-dependant but doesn't seems to vary between mainboards)
Entrypoint of stage 2 during external usb/uart boot = 0xD0022010 (here we insert our custom code, sticked to the end of stage1, it must have dummy header)
-BL2/PBL, writable (brickable), executed in RAM (external DRAM or SRAM), it isn't in fact unneeded, God one knows why Samsung's developers decided to add one additional stage
Entrypoint = platform&version-dependant, it's usually 0x40204000 on I9000
-BL3/SBL, writable (brickable), executed in RAM, it does platform init, support LCD output, download mode and usually few additional functions, it does load OS image into RAM, prepare hardware to execute it and jumps into OS entrypoint
Entrypoint = platform&version-dependant, it's usually 0x40244000 on I9000
for more info about booting sequence and OM pins please reffer to section 02, chapter 6 of S5PC110_EVT1_UM.pdf in [6]
//editnote: This is my own interpretation of bootloaders levels splitting, it haven't been clearly stated in CPU user manual, but it can be also said that IBL is in one part, and PBL is splitted into 2 stages, one executed in iRAM and second executed in DRAM, that's the matter of thinking. Odroid developers seems to use terminology of the second possiblity.
//editnote2: Confirmed from SGS/Captivate boot.bin reversing - Samsung is dividing and calling bootloaders as I wrote in previous points (2nd stage of IBL, which could be aswell 1st stage of 2-stage PBL does contain "IBL" string) Uboot devs got different calling convention. Well... who cares.
After many (even more than many) research [1] we found out that there is no ther way to change iROM primarey booting source than changing OM pins setup, which are hardware soldered through pullup and pulldown resistors to give 5b'001001 (0x9) which means that primary booting source is OnenandMux(Audi) using X-TAL(USB) oscillator (to be honest I still don't hell get what does it means)
AdamOutler sacrificed Captivate mainboard to locate the pullup and pulldown resistors [2], and in result he modified board to have xOM5=1 instead of 0 which enables UART/USB as primary booting source. This booting method is normally tried only when IBL on oneNAND has been damaged, usually bricked is PBL or SBL, and iROM successfully completes its task, but phone hangs somewhere in the middle.
This enabled Adam to load various data through iROM download mode straight into iRAM. And here comes disappointment - all data we tried to load were validated by iROM code against SECKEY and rejected with "Secure Fail Error", BL1 code loaded by iROM must contain 512 bytes of e-sign, consist of 2 public rsa keys and few sha-1 hashes.
Here comes again days and night of deep code analyze, we found BL1_stage1 in Odroid T U-Boot [4] sourcecode signed by Samsung with stage2 security turned off.
That means any BL1_stage2 can be created and joined to BL1_stage1 in proper way, it will pass all integrity tests and be executed - bingo!
Base code
I've created kind of S5PC110 IBL dev kit. It's attached to the post. All you need to build it is FASMARM (downloadable from [5], its really everything except package in attachement) and you can compile any code basing on s5pc110_example.
There you will find Hello World but it does NOT produce this output to screen nor widely used UART hidden in Micro-Usb slot. It does produce output to UART2 channel, which is hidden in JTAG pads in SGS/Captivate mainboard and it has got special pads under battery in S8500/S8530. BUT if you really are determined to run it, by doing OM pulldown->pullup MOD, and feel like you must immediately see it working, it's about 20lines of ASM code which will blink SGS keypad LED and about 10, by calling iROM functions to get other UART port working.
If you want some reference, follow [3] and [7] (also in previous revisions), there you can find alot of FASMARM code written for S5PC110 (S8500/S8530 to be precise).
How to run it?
Here goes the problem, it is unable to run if you have no IBL brick or no OM5 modification (again, reffer to [2]), there you will also find more instructions. It is also able to run by JTAG. Theoretically produced code should be possible to flash and then run as normal IBL, but that's not really good thing to try without JTAG/OM5 mod to resurrect it.
Postamble
If you want to write something bigger, I'd recommend switching from FASMARM to Codesourcery ARM Crosscompiling environment - everything for S5PC110 is already in Odroid's U-Boot and many Android kernel sources (I9000 for example), ready to compile under Codesourcery. I used FASMARM because it's tiny and simple to create small ASM codes, but doesn't support many functions which are speeding up creating larger code.
We will soon release ultimate unbricking method for SGS/Captivate/Wave without use of JTAG, altough this will require high soldering skills or maybe steady hand, while that second is untested and may burn out something onboard, I'm about to test it in few days on my bricked S8530.
Further reading
[1] Where it all has began - Lets save some bricks
[2] First practical results - The Captivate Development Platform
[3] First S8500/S8530 BL3 hacking - FOTA development thread
[4] What has been used here, and what can be easily ported to any S5PC110 device - Odroid's U-Boot
[5] FASMARM homepage
[6] Samsung Galaxy S (and many similiar devices) Hack Pack by Adam Outler
[7] Badadroid FOTA source tree
[8] Walking in Memphis
Note: I wasn't sure which board should I choose to post it. If any mod/admin find better place for this thread (please note it doesn't reffer to SGS or Captivate only, that's the problem) please move it.
Note2: Post above may change if I decide to better explain something.
Note3: Please post any questions and mistakes you found. I'll be happy to answer it if it helps anybody.2I've been following the Captivate UnBrickable Mod thread, this thread, and I'm thoroughly impressed by the work you two (and many others) have done. I've taken an interest in poking around inside my Infuse (see pictures).
My questions are these:
1a. If someone were to successfully create a custom IBL/PBL that boots on the S5PC110, or even go so far as to load U-Boot or similar, would it be possible to flash this modified code onto the oneNAND, overwriting the existing IBL and (if needed) PBL?
1b. Supposedly, the IBL+PBL is "locked" on the Infuse, but gtg465x and I were able to successfully write the IBL+PBL+SBL on my first Infuse, inevitably hard-bricking the device (it's since been warranty replaced, so don't bother asking for my dead/bricked device - sorry!). If I had some way of unbricking my new device conveniently (JTAG for example), I would re-try the method gtg465x used, just to watch UART output and see what was going on behind the dark screen of a bricked Infuse.
1c. Regardless, it seems it would be possible to write anything to any part of the oneNAND if one had the proper tools (JTAG, which I am actually considering purchasing a JTAG device for several reasons!). Correct me if this is not the case.
2a. Has anyone tried intentionally corrupting the IBL? Has anyone tried to reproduce this state to confirm that this enables UART/USB as the primary booting source?
2b. If I had a way to recover my device (JTAG, again), I would like to test this myself.
3a. What cable/device/attachment is needed for the CPU to be able to attempt to boot from UART/USB (given xOM5=1, for example)?
3b. Is this just the standard USB OTG cable, or are you communicating to the device over TTL UART?
3c. What is the CPU physically looking for, exactly, when booting this way?
I suppose my goals are these:
1. I would first like to be able to JTAG my Infuse, as a means to recover from the stupid s*** I would like to do to it.
2. I would like to retry gtg465x's method of writing bootloaders, and confirm that this is possible by using nothing but software on the device itself (i.e. no JTAG), given the device is still operational and rooted.
3. I would like to intentionally corrupt the IBL, theoretically turning the device into a KIT-S5PC110 development board. From here, I could work as a tester on your team, and try loading whatever-code-you-come-up-with on the Infuse and hand you results.
4. Once a working/useful IBL+PBL has been created/ported (such as u-boot), I would like to attempt flashing this onto the oneNAND and be able to boot from this without the need of tethering the device to a PC. Further, this would theoretically allow booting from any device (emmc, for example), which would open the door to many, many possibilities.
5. I'd like to see a Dev take the work from goals #3 & #4 and create a script/package/etc that recreates these two steps. I would be happy to test such a script/package/etc.
6. Once goal #5 is complete, Devs could easily start working on porting alternative operating systems to our devices, without substantial fear of bricking their device (e.g. boot iOS or WP7 from emmc, screw around with that, and then boot back into Android from their NAND when they are done for the day).
Thanks for your time reading through my wall-o-text.
Sorry for doublepost, just noticed that questions later. (When I see alot of text it's my natural reaction to skip it at first sight ;p)
1a: Yes. oneNAND can be fully rewritten, using proper tools/drivers (drivers are available and working well in various kernels written for S5PC110 and Odroid uboot)
1b: Usually bricked S5PC110 based phone hangs somewhere on BL2 level
1c: Again yes, you are right. (1a)
2a: Yes, Adam tried to corrupt IBL but with no success as far as I understand. (please correct me if I'm wrong) So it's only theory from RE'd iROM code that CPU with damaged IBL sector would switch to USB+UART (trying SDCard previously probably), but I think I've seen somewhere post about unintentionally bricked IBL and iROM entering download mode. But we've got no 100% clear confirmation. (And its not enabling USB+UART as PRIMARY booting source, rather as LAST-CHANCE booting source)
2b:
3a: Normal USB cable, but you won't see any debug output then (of course you can develop your own USB communication protocol - long and pain in ass job), for debug output external UART interface is needed (prices starting at about 5euro) and then you've got 2 options - solder into UART2 pins (usually they are the same as JTAG pins), or connect to the hidden in micro-usb UART port (after uploading code), I'm not sure if in the second case any FSA chip reconfig is needed (if it is, it's nothing hard)
Also you can download code through UART2 port. But we haven't succeed to do it yet.
3b: Standard micro usb cable can be used to download code. But again - no output without UART connected (you can read tons about it in Adam's threads and Samsung Wave forum)
3c: First it is sending 0xAA for 300mseconds through UART2, in hope it gets one 0xAA back from PC, if it does, then its sending 0xCC for 300msec again waiting for PC's pong response. Then it does want 4 bytes of uploading code size, then n amount of bytes, equal to size and 2bytes checksum at the end.
If it doesn't get to communicate through UART2 it tries to communicate through USB. Its big-as-bloody-hell code basing on OTG controller interrupts (hard-as-hell to RE and use in proper way) but basically its waiting for USB state being set to CONNECTED (or something like that) for some time, then it wants 4byte upload address, 4 byte upload size, n amount bytes equal to size, and 2byte checksum.
By default upload address in UART boot is set to 0xD0020000, unable to change, in USB boot it should be externally set to 0xD0020000 (when uploading IBL).
//also please read my editnote about booting sequence in first post (bold text)2Ill start up a thread about internal JTAG... the unbrickable captivate thread should not be cluttered with details of hardware mods to support software development. Ill include part numbers and stuff.1Stupid Request...
Is it possible to access iROM via JTAG?
Please, maybe someone can explain how to do this with RIFF Box...
My device is S8500...
Thanx in advance.
Best Regards
I think it's no problem to access iROM via JTAG.
You'll find whole iROM under 0xD0000000 RAM address (don't confuse with oneNAND), it's size is 0x10000 (64KB) (so it's 0xD0000000-0xD000FFFF area)
It is also possible to call iROM functions (code tested by nbates66 confirmed that it's possible to call iROM functions from FOTA, which is BL3 level)
Also you will find iRAM under 0xD0020000, its size is 0x15000 (96KB, there is an error in user manual, or I'm too dumb to access the remaining 32KB)
Please post your results somewhere if you decide to test it.
PS: iRAM is probably cleaned somewhere on PBL (BL2) level (couldn't find anything there from FOTA), so if you want to find some interesting info there, try to set JTAG HW breakpoint on 0xD0020010 execution address (entry point of IBL) and then dump iRAM.1If someone need sbl.elf from I9000... and CMM Script (JTAG)...
http://xdaforums.com/showpost.php?p=48029635&postcount=212
Maybe helpfull for own study...
Best Regards
