What Do You Do with All of Your Old Photos?

Smartphone cameras have advanced so tremendously over the past few years that they have … more

Diving into the April 2015 Material Design Update

Before the release of Android 5.0 Lollipop, the Holo Design guidelines served as the … more

New Cyanogen Partnerships Bring Privacy Concerns

New Privacy concerns have emerged regarding Cyanogen’s latest announcements, … more

PSA: Google Play Services Wakelock Affects Many 5.x ROMs

Wakelocks are the bane of the battery conscious, and this wakelock bug has been … more
Post Reply Subscribe to Thread Email Thread

[HOW-TO]Set up a Captivate for Samsung Bootloader Development

26th August 2011, 01:21 AM |#1  
OK, there's been quite a few unanswered questions on bootloader development.. I didn't want to clutter the Make your Own Bootloader thread with hardware stuff. I didn't want to clutter up the UnBrickable Mod thread with Bootloader development setup stuff. UnBrickable mod will be a one-stop shop thread for the Captivate eventually.


This thread will get you started with bootloader development speciffic to the captivate, however the same techniques work on all GalaxyS devices with an adjustment to the RX/TX locations
We need to delve into the hardware, remove a resistor, attach a wire, and bring two wires outside of the phone. This is quite a bit more difficult then the typical UART over USB connection which we have used in the past. For bootloader development the UART Output described in this video will not work..

The external UART output with a 619Kohm jig between pins 4 and 5, monitoring 115200 8N1 serial output between pins 2 and 3 will not work because the USB hardware is initialised by the bootloaders. In order to test the bootloaders you are developing, you must go to a lower level.

Note:While the UART output in the video will not work for Bootloader development, itis absolutely unbeatable for Kernel level debug on nearly all Samsung devices.

Getting Started

You will need:
1. UnBrickable modded captivate (or other device)
2. A UART device (Android Acessory Development kit or Arduino Mega or a Bus Pirate or any other UART device)
3. A Soldering Iron
4. Flux
5. Solid core wire
6. A relay (For the wire contained within)
7. A Linux computer (get Ubuntu here and dual boot, or run in a virtual machine)

1. Apply the UnBrickable Mod to your Samsung Captivate. See Here: http://forum.xda-developers.com/show....php?t=1206216

2. Next we need to connect a relay wire to the internal JTAG UART points. We cannot use the external UART via USB as we have seen in the past for writing bootloaders because the chip which handles switching for UART has not been initialized yet. We need to go directly to the source off of the processor. You can connect to the internal JTAG UART RX and TX lines here on the JTAG pads:

Using the JTAG header, you can connect to these points using this header: http://www.mouser.com/ProductDetail/...VM5XnLHw%3d%3d
and this Receptical: http://www.mouser.com/ProductDetail/...VyeT43Dg%3d%3d

They can be connected directly, or you can use a board from a guy named "K-WW" on the Hackaday.com forums
Here is a picture of my JTAG connector... This is optional and you will likely want to run wires directly for this project.

Alternately you can get these same points here, next to the processor:

3. Once you have the wires connected to the board, technically you're done and you can now connect up to your Android using your UART Device of choice. I decided to go the extra step and run those small wires to some solid core wire I bent and melted into the phone's case.

The further one is RX and the closer one is TX. Using this low point allows me to close up the device properly and I can still use my SDCard slot.

4. To do some debugging you can connect your Arduino at 8N1 using the same code from the video above...
void setup() {
  // initialize both serial ports:

void loop() {
  // read from port 1, send to port 0:
  if (Serial1.available()) {
    int inByte = Serial1.read();
    Serial.print(inByte, BYTE); 
  // read from port 0, send to port 1:
  if (Serial.available()) {
    int inByte = Serial.read();
    Serial1.print(inByte, BYTE);     

Or connect the Bus Pirate up to the device using the following options in a terminal:
1. HiZ
2. 1-WIRE
4. I2C
5. SPI
6. 2WIRE
7. 3WIRE
8. LCD
9. DIO
x. exit(without change)

Set serial port speed: (bps)
 1. 300
 2. 1200
 3. 2400
 4. 4800
 5. 9600
 6. 19200
 7. 38400
 8. 57600
 9. 115200
10. BRG raw value

Data bits and parity:
 1. 8, NONE *default 
 2. 8, EVEN 
 3. 8, ODD 
 4. 9, NONE
Stop bits:
 1. 1 *default
 2. 2
Receive polarity:
 1. Idle 1 *default
 2. Idle 0
Select output type:
 1. Open drain (H=Hi-Z, L=GND)
 2. Normal (H=3.3V, L=GND)


4. Next you need some firmware. There is firmware in the Captivate Development Platform thread, and there is some in the Create Your Own bootloaders thread You can create your own.

5. In order to debug the firmware it has to be uploaded. You can use the SMDK Download tool attached in this post. Uncompress to your desktop

6. To prepare the phone for debug, remove the battery, insert the battery attach USB and run the following program in a new terminal (not the one you are monitoring USB Output)

Upon plugging in the USB, you should see
Uart negotiation Error
Then you execute this in a new window
sudo ~/Desktop/dltool/smdk-usbdl -f ~/Desktop/dltool/s5pc110_test/s5pc110_sbl_loader.bin  -a D0020000
you will see this in the same window
SMDK42XX,S3C64XX USB Download Tool
Version 0.20 (c) 2004,2005,2006 Ben Dooks <ben-linux@fluff.org>

S3C64XX Detected!
=> found device: bus 002, dev 011
=> loaded 24576 bytes from /home/adam/Desktop/dltool/s5pc110_test/s5pc110_sbl_loader.bin
=> Downloading 24586 bytes to 0xd0020000
=> Data checksum ffb7
=> usb_bulk_write() returned 24586
And upon upload of the primitive bootloader, you will see this in the UART window
Welcome to the S5PC110 resurrector by Rebellos!

Calling SGS IBL Stage2, pray so it wont hang...


Testing if BL3 area is R/W

Please prepare USB dltool with BL3 (SBL)                                                                          
Starting downloader in...                                                                                         
7. Unplug the USB cable. As soon as the USB cable is removed all executing commands stop and the device awaits you to push the power on button.

Some notes:
PBL execution automatically occurs at 0xD002000 (this is with a 0x10 signature in front so the actual code begins at 0xD002010)
SBL is in DRAM at 0x40244000


So, there you have it. This is how to set up your Captivate to be a bootloader development kit. You don't have to develop a bootloader to load it up using this method.. You can simply stop at step 1 of this guide, UnBrickable mod, and be able to test results without UART output.

If anyone would like to give me one of the following devices' mainboard I will make a UnBrickable Mod/Development Platform for each device.
Samsung Devices: I9000 S8500, S8530, SGH-897, SGH-i896, SGH-i997, T959, SGH-T849, GT-P1000, GT-i9010, GT-i8350, GT-I917
Google Nexus S, Odroid T,
Apple iPhone4
Any new Samsung WP7

Further reading
Create your own bootloader: http://forum.xda-developers.com/show....php?t=1233273
The Captivate Development Platform: http://forum.xda-developers.com/show....php?t=1206216
Lets save some bricks: http://forum.xda-developers.com/show....php?t=1018862
Attached Files
File Type: zip dltool.zip - [Click for QR Code] (18.5 KB, 806 views)
Last edited by AdamOutler; 30th November 2011 at 09:17 PM.
The Following 9 Users Say Thank You to AdamOutler For This Useful Post: [ View ]
26th August 2011, 05:31 PM |#2  
Senior Member
Flag Arizona
Thanks Meter: 452
498 posts
Join Date:Joined: Aug 2008
Donate to Me
Samsung Infuse (SGH-i997) Owners:

We've got it much easier when it comes to the JTAG header. As you can see in the picture below, the header is already attached to the PCB, and all we need is the connector board from "K-WW".

The large metallic thing on the left is the SIM card slot. The connector for the display (at the bottom of the picture) might be in the way. If it isn't we'll be able to connect to the JTAG and UART2 ports without doing any soldering or even disconnecting a single cable on the device.

We need someone to donate an Infuse to AdamOutler. He needs to remove the processor from the PCB to be able to find the xOM5 pad. This means destroying the phone, so it doesn't matter what the condition is. If it's bricked with a smashed screen and water damage, it doesn't matter! If you can help us with this, please speak up on this thead: http://forum.xda-developers.com/show....php?t=1221064
26th August 2011, 05:46 PM |#3  
You don't NEED the board. The receptical itself with wires attached will attach to the header and you could close up the device with it attached. With the socket breakout board, the device would need to remain open. I would be searching for alternate UART points as well so the JTAG header would remain available.

Like I said.... I need device mainboards... they need not work. I'm not gaining anything directly from this except fruits of firmware development.... alternate OSs and open source bootloaders
27th August 2011, 03:43 PM |#4  
Senior Recognized Developer
Flag Gdańsk
Thanks Meter: 3,448
1,342 posts
Join Date:Joined: May 2009
Donate to Me
Or, try to find 5 OM resistors while phone is being powered up.
3 should be 100.3kOhm resistance and connected to GND
2 should be ~10.1kOhm resistance and connected to VCC PDA (most likely exactly 2.8V, but 1.8V and similiar is also possible option)
These should be in row, or close to itselves. Then all whats left is guessing which one of the 3 is OM5. By some dangerous tests most likely, but with much smaller risk of damaging the board, comparing to complete CPU teardown.
The Following User Says Thank You to Rebellos For This Useful Post: [ View ]
27th August 2011, 05:20 PM |#5  
jerkysh's Avatar
Senior Member
Flag Chisinau
Thanks Meter: 180
495 posts
Join Date:Joined: Feb 2011
aww dude, that's awesome....will try to do some of it on my cappy ; )
27th August 2011, 06:39 PM |#6  
Originally Posted by Rebellos

Or, try to find 5 OM resistors while phone is being powered up.
3 should be 100.3kOhm resistance and connected to GND
2 should be ~10.1kOhm resistance and connected to VCC PDA (most likely exactly 2.8V, but 1.8V and similiar is also possible option)
These should be in row, or close to itselves. Then all whats left is guessing which one of the 3 is OM5. By some dangerous tests most likely, but with much smaller risk of damaging the board, comparing to complete CPU teardown.

On my device, all resistors are 100.3kohm.
The Following User Says Thank You to AdamOutler For This Useful Post: [ View ]
8th October 2011, 11:25 PM |#7  
Thanks Meter: 0
66 posts
Join Date:Joined: Dec 2005
how to send the MB or how to fix my bricked phone GT-i8350
5th October 2012, 10:27 PM |#8  
bhundven's Avatar
Recognized Developer
Flag Seattle, WA
Thanks Meter: 4,498
2,045 posts
Join Date:Joined: Aug 2009
Donate to Me

I've been staring at this document, the picture of the infuse and the sgh-t959v pictures from ifixit for a while and finally got the gumption to try finding the internal uart. Big thanks for this picture:

Originally Posted by AdamOutler

You can connect to the internal JTAG UART RX and TX lines here on the JTAG pads:

SGH-T959V Internal Uart thread.

Thanks again for all you do for the community!

Last edited by bhundven; 5th October 2012 at 11:07 PM.
Post Reply Subscribe to Thread
Previous Thread Next Thread
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes