Attend XDA's Second Annual Developer Conference, XDA:DevCon 2014!
5,805,503 Members 36,667 Now Online
XDA Developers Android and Mobile Development Forum

[HOW-TO]UnBrick the UnBrickable Captivate

Tip us?
(Last edited by AdamOutler; 1st February 2012 at 08:50 PM.)
AdamOutler's Avatar
Recognized Developer - OP
Thanks Meter 9,622
Posts: 5,196
Join Date: Feb 2011
Location: Louisiana

Default [HOW-TO]UnBrick the UnBrickable Captivate


After months of research and development, both hardware and software... I'm happy to announce UnBrickable Mod is a matter of modifing your phone once, with a single small wire. From that point on, you can click a button to unbrick. This can even be applied to a phone which is already bricked.


1. Apply UnBrickable Mod to your device:
2. Run UnBrickable Resurrector: This will only work on linux currently. Install Linux or dual boot if you have windows.
3. Run Heimdall One-Click: (or odin3 one-click),
4. repeat steps 2 and 3 with bootloader flashing enabled (Heimdall One-Click has a safety mechanism which requires you to flash once before flashing bootloaders).

You've unbricked the unbrickable captivate... This should not have been difficult. If it was, you should learn teh computer better... Really. And with that said, I'm happy to announce that you no longer have to flash with a fear of bricking.

The HIBL is the key to resurrecting a S5PC110 based processor. I'm going to let Rebellos explain the inner workings of the Hummingbird Interceptor Bootloader. It's really quite amazing. While my work is more hardware and high level tasks like making things into one-clicks, Rebellos' work involves reverse software engineering, assembly language, and more...

Windows32 command line app and drivers
Linux one-click Resurrector:
4SEP11: added 32 bit, miscellanious impovements to visuals
6SEP11: removed additional commands
Attached Files
File Type: zip - [Click for QR Code] (770.5 KB, 14217 views)
File Type: zip - [Click for QR Code] (697.6 KB, 13439 views)
Flash with Odin on Windows, Linux and Mac. Use JOdin3, Available in a web browser or offline
Check out my developer pages. Add me to your circles on Google Plus.
Wanna see the longest Linux BASH script ever made? click here.
The Following 61 Users Say Thank You to AdamOutler For This Useful Post: [ Click to Expand ]
(Last edited by Rebellos; 1st September 2011 at 11:49 PM.) Reason: Fixed addresses, it was one char moved to the wrong side previously.
Senior Recognized Developer
Thanks Meter 3,425
Posts: 1,339
Join Date: May 2009
Location: Gdańsk

Okay, so, what is Hummingbird Interceptor Boot Loader (HIBL)?

Basically: It allows to load any amount of data (limited by size of RAM block, the biggest one single block available is 256MB) through USB connection with PC under any specified address into memory and then execute it.

Technically: It does consist of 2 pieces fused together - BL1_stage1 and BL1_stage2.

Each stage starts from 16bytes (4 ARM WORDs) of secure boot header. In stage1 these are mandatory, in stage2 they can be random (nulled them in my code), so EntryPoint of each stage does start at its 0x10 offset.

BL1_stage1, loaded under 0xD0020000 address, is short code, digitally signed by Samsung. It has been released to break "Chain of Trust" and alter Secure Boot into Non-Secure Boot process. Literally stage1 just do some compare operations and then jumpout to BL1_stage2. (Yes, I also see no point of releasing hardware secured CPU version together with software which is bypassing it's security)

BL1_stage2, must be placed at 0xD0022000 address (it's fused together with stage1 into HIBL, so it's at 0x2000 offset of HIBL.bin) it is unsigned because Secure Boot Context, prepared by iROM (BL0) has been already ignored by stage1.
Its FASM_ARM sourcecode:
This is where the code start real work, it does begin with standard ARM core jump vector table (just to keep stick to standard, these aren't used anyway).
1. It does use I9000 BL1_stage2 functions (init_system) which I linked to it, these are used to init DMC controllers, as to this point code is executing in and working with very tiny, 96KB iRAM space, after calling this function it turns all 512MB of RAM available.
2. Make sure DMC is configured properly (write some value to address 0x40~~ memory space, then read it and compare with previously written)
3. Reinit iRAM heap to the BL0 initial state (to convince it USB dload mode haven't been called yet), by storing and restoring UART pointer only (to keep debug output flowing properly)
4. Call iROM usb_downloader function.
5. Read the address where downloaded data has been placed.
6. Jump into this address.

This, properly used provides similiar debug output (similiar, because its outdated testlog)
�������������������������������������������������� ����������������������
Uart negotiation Error

Hummingbird Interceptor Boot Loader (HIBL) v1.0
Copyright (C) Rebellos 2011
Calling IBL Stage2
Testing BL3 area
iRAM reinit
Please prepare USB dltool with BL3

Starting download...
Desired BL3 EP: 0x40244000
Download complete, hold download mode key combination.

Starting BL3...


Set cpu clk. from 400MHz to 800MHz.
IROM e-fused - Non Secure Boot Version.
It opens infinite capabilities. Instead of SBL to unbrick, Uboot can be loaded, or any armlinux kernel. It's all up to you - XDA Developers.
The Following 29 Users Say Thank You to Rebellos For This Useful Post: [ Click to Expand ]
IlluminatedOne's Avatar
Senior Member
Thanks Meter 1,358
Posts: 672
Join Date: Feb 2011
Location: Blacksburg

Awesome job guys!! Hats-off to you!
Galaxy S2 (I777, 1109): Illuminance SE, Entropy's Daily Driver, KH7, Stock Theme
Captivate (I897, 1006): Illuminance 3.0, Samurai 1.4.2, KK4, SGS2 Themed
HP Touchpad (16 GB): CM7 Alpha 3

================================================== =====

================================================== =====
Odin OneClick Stock Packages + Kernels + Modems (for Samsung Captivate)
Koizuma's Avatar
Senior Member
Thanks Meter 63
Posts: 725
Join Date: Jun 2011
Location: South Texas
Amazing work, very nice job guys!
Info: KitKat 4.4.2 / S-Off

⇩⇩ Please be sure to hit thanks if this post helped you!!
bulletproof1013's Avatar
Senior Member
Thanks Meter 83
Posts: 907
Join Date: Dec 2008

woop woop

Sent from my SGH-I897 using XDA Premium App
If I have helped you please hit the THANKS button
Smasher816's Avatar
Senior Member
Thanks Meter 166
Posts: 389
Join Date: Jan 2011
Location: Missouri

Amazing work. Glad to see this finally finished and open to the community with a tutorial. I also heard you would be porting this to windows, and i will look forward to that. I have a virtual Ubuntu machine however i can not get adb to work

My dad is also thinking about picking up a $20 infuse, and therefore I would get his old captivate, giving me 2 captivates. If this happens i will defiantly take you up on your $30 offer, and transform one into a super dev phone, and the other my daily phone. Then maybe i can help Rebellos and you with some bootloader development.

But seriusly. Once again amazing work guys
and remember use the THANKS button

Retired: Samsung Captivate
Current: Samsung Galaxy S III

Glitch Updater App (Developed by yours truly)
psycho2097's Avatar
Senior Member
Thanks Meter 155
Posts: 928
Join Date: Nov 2010
Location: Raleigh

donated to adam. sorry didn't split up between adam n rebellos... adam pls b fair n share... but seriously guys, this is epic appreciate and donate.
HOX 32gb, Note 10.1 2014, Nexus 7 16GB
History-Note 2, Galaxy Nexus i9250, Captivate, TF101,HTC HD2,Nook Color,

This is my Nexus. There are many others like it, but this one is mine. My Nexus is my best friend. It is my life. I must master it as I must master my life. Without me, my Nexus is useless. Without my Nexus, I am useless.
AdamOutler's Avatar
Recognized Developer - OP
Thanks Meter 9,622
Posts: 5,196
Join Date: Feb 2011
Location: Louisiana


I updated the jar. If you're having problems launching it, it's because I made the Ultimate UnBrickable Resurrector from source from my other project, Heimdall One-Click... I forgot to change something in the manifest at the last minute. Please redownload if it won't launch.

This should work on any device which identifies itself as an S5PC110 .... B/D. Sometimes, if you're lucky, any phone can brick itself in this state.
Flash with Odin on Windows, Linux and Mac. Use JOdin3, Available in a web browser or offline
Check out my developer pages. Add me to your circles on Google Plus.
Wanna see the longest Linux BASH script ever made? click here.
The Following User Says Thank You to AdamOutler For This Useful Post: [ Click to Expand ]
Junior Member
Thanks Meter 0
Posts: 7
Join Date: Feb 2010
When using Virtual box, how will the phone show up on the USB list pre-Download mode download?
connexion2005's Avatar
Senior Member
Thanks Meter 708
Posts: 988
Join Date: Feb 2009
Location: Texas

It's honestly easiest if you have the time to dual boot an Ubuntu OS on your current machine. It has a major bug still but I figured out the issue and contacted Adam on the fix for it.
Follow me on TWITTER and/or FACEBOOK...

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes