XDA Developers Android and Mobile Development Forum

[25.01.2011] WARNING! Do not flash JM*,KA*... README! [Patch released, L/N supported]

Chainfire
#1
(Last edited by Chainfire; 6th July 2011 at 02:20 PM.)
Senior Moderator / Senior Recognized Developer - Where is my shirt? - OP

DO NOT USE THIS ON THE GINGERBREAD RELEASES ! THE SAMSUNG GINGERBREAD RELEASES DO HAVE SIGNED BOOTLOADERS, BUT THEY ARE NOT LOCKED. In other words, you can still flash custom kernels and such, and the bootloader patch will only break things, not fix them.

To read the history of this problem, see the 2nd post of this thread (scroll down).

A number of new firmwares for the Samsung Galaxy Tab come with "signed / protected" bootloaders. These new bootloaders prevent you from flashing custom or otherwise unsigned kernels on the device. Trying to do so anyway will result in errors and usually requires you to reflash your ROM completely.

I hope everybody here has learned the lesson not to just flash anything that SamFirmware releases.

The patch
After a great many hours of researching, testing and coding, Rotohammer and I (Chainfire) have come up with a patch that works on most devices (currently all known GSM Tab variants), and flashes back unprotected JJ4 (T-Mobile ?) bootloaders, or the original P1000N bootloaders for the Latin models. The app only patches when it finds protected bootloaders, and you have to press a button for that, so the app can also be used to look at your current status.

The patch has been tested repeatedly and with success on (0 bricks so far):

- GT-P1000 Euro/International/Unbranded Galaxy Tab
- SGH-I987 AT&T Galaxy Tab
- SGH-I987 Rogers Galaxy Tab
- SGH-T849 T-Mobile Galaxy Tab

- GT-P1000L Latin Galaxy Tab (use LATIN version!)
- GT-P1000N Latin Galaxy Tab (use LATIN version!)

Additional thanks to: koush, neldar, richardtrip, AColwill, farahbolsey, deezid, wgery, tmaurice, rmanaudio, crisvillani, alterbridge86, ivannw, themartinohana, luisfer691 (in no particular order!)

Please note that even though there have not been any bricks so far, replacing bootloaders is a very dangerous operation that may BRICK your device, and you should think twice before using the patch. Using the patch is completely AT YOUR OWN RISK!

Instructions
Download the attached APK, install it on your device, and run it. It will show you a status screen, and if your device is compatible and you have protected bootloaders, the bottom entry "Patch bootloaders" will become available. Tapping it will start the patch procedure.

Note that the patch requires root !

Mini-FAQ

--- After the fix, my "zImage" still shows signed ! Is this a problem ?

No, this is perfectly fine! What matters is that "PBL", "SBL" and "SBL_Backup" are not signed. If "zImage" is signed, it means this ROM can be flashed onto a device that has signed bootloaders. UNsigned "zImage"s can NOT be flashed on signed bootloaders. This is the origin of the problem, because custom kernels are always UNsigned "zImage"s !

--- Can I now flash any ROM and just use this application to fix the bootloaders ?

Technically yes. But it would be stupid to do so. Flashing bootloaders (what this app does) is VERY dangerous; it is the only way to really brick a Tab. If you want to flash a new ROM, make sure it DOES NOT contain bootloaders. Remove them yourself, or wait for somebody else (like Rotohammer) to remove the bootloaders and post the "safe" ROM. Even though this patch is available, if at all possible, you should always try to avoid having to use it.

CDMA tabs
There is currently no support for CDMA Galaxy Tabs, nor do we know if support is needed at this time.

LINKING
You are expressly forbidden to repost the APK elsewhere. If you post about this, post a link to this thread, not to the download (or a repost of the download).

Download
Don't forget to donate and/or press the thanks button!

For non-XDA members who cannot access the attachment, here are multiupload links:
Euro / International / Unbranded / AT&T / Rogers / T-Mo: http://www.multiupload.com/EMOCU1S0V2
Latin (P1000L and P1000N): http://www.multiupload.com/3TJ3YWMWJR

MAKE SURE TO SELECT THE RIGHT DOWNLOAD!
Attached thumbnail: sgt-bl-fix-1.png (38.6 KB, 19587 views, ID 498553)
Attached Files
File Type: apk SGT-Bootloader-Patch-v1.00.apk (676.5 KB, 46669 views)
File Type: apk SGT-Bootloader-Patch-v1.00-P1000_L_N_LATIN.apk (678.1 KB, 15972 views)
BLOG - G+(Chainfire) - G+(Personal) - TWITTER - IRC - PAYPAL - BTC 1JeoxivKEXbbiegsv1BrUC7fD7GgSPcqkG

A proper quote includes only the relevant paragraphs, and a proper post never ends with the word "why"

Android
HTC G1, Hero, One
LG G Pad 8.3, G Watch, G3
Moto E
Samsung i5800, i9000*2, P1000*2, P7100, i9100*2, N7000, P6800, i9300, N7100, i9505, N9005, G900F
Sony T LT30p, Z C6603
Nexus Galaxy*2, N7*2, N10, N7-2013, N7-2013-3G, N5

SuperSU, Mobile ODIN, TriangleAway, DSLR Controller, CF-Root, 500 Firepaper, OpenDelta, USB Host Diagnostics, ExynosAbuseAPK, Live dmesg+logcat, NoMoarPowah!, CF-Bench, Chainfire3D, CF.lumen, SGS2 SIM Unlocker, GingerBreakAPK, SuperPower, and more!

Windows Mobile 5/6
E-Mobile EM-ONE
HTC Wizard*2, Kaiser, Touch, Diamond, Pro, HD*2, Diamond 2, Pro 2*2, HD2*2
Samsung i780, i900*2, i8000*2, b7300, b7320, b7330, b7620*2, b6520

WMWifiRouter, KaiserTweak, FPUEnabler, WMLongLife, WMRegOptimizer, CFC+GUI, TF3D+v2 ports, Kaiser+Omnia2+Snapdragon 3D drivers, GfxBoost, and more!

Windows Phone 7
LG GW910

NOTICE: I do not respond to tech support questions through PM.

Chainfire
#2
(Last edited by Chainfire; 21st January 2011 at 12:14 AM.)
Senior Moderator / Senior Recognized Developer - Where is my shirt? - OP
WARNING! Do not flash JM6/9/A/C/D/E/F... Before reading this !

THIS POST, #2 OF THIS THREAD, IS HISTORICAL AND LEFT HERE "FOR THE RECORD". SEE THE FIRST POST FOR WHAT IS CURRENT!

BREAKING NEWS / JAN 15: A fix has been found ! See this post. Also see the bounty thread: http://forum.xda-developers.com/showthread.php?t=906464.

This really applies to other ROMs as well, but the "new" JM6/9/A/C/D/E/F ROMs specifically.

Some of these ROMs include new bootloaders. These bootloaders check checksums/signatures in various parts of the firmwares. Neither the "normal" Samsung ROMs nor custom ROMs and kernels have these checksums.

The result is that once flashed, you cannot revert to older/official/custom Samsung ROMs, and you are pretty much stuck using one of these four ROMs, as they are the only ones containing the right checksums.

At least TRIPLE CHECK if you want to flash one of these ROMs, that what you are flashing DOES NOT include the new bootloaders ( boot.bin and sbl.bin ). I know from the CF-Root thread that a fair number of you are already too late, but I thought to warn new users anyways. Some modders (like rotohammer) already usually remove these parts, but still triple check everything to make sure.

There is no known fix. I know, I've tried all of them some people suggested in other threads. None of them really works. Sure, with some effort, you can get a different firmware to somewhat run, but you'll still be using the "checksum" bootloaders and the kernel will not be modified. You will still be running the kernel from the "checksum" firmware you loaded earlier. You will not be able to do full flashes, nor will KIES updates work.

Hopefully somebody will find a real solution for this issue for those already affected. If so, please post it in this thread.

Are you affected ?

NEW DEC 28: See SGTBootloaderCheck script below!

It is hard to say for sure without actually trying to flash a non-JM6/A/C/D kernel without the correct checksum. Here's a screenshot of the error you'll get:


If you still have the original files for the ROM you flashed, but do not want to try flashing a non-Samsung-stock kernel, there are some indicators:
- Rename all .tar.md5 files to .tar
- Extract all the .tar files with WinRAR

- Look at the resulting files:
--- Includes "boot.bin" (primary bootloader)
--- Includes "sbl.bin" (secondary bootloader)
If one or both are present, this indicates new bootloaders are being flashed. That does not make it certain if they are "protected" or not, though. But if a large zImage is also present (see the next item), it is very likely they are.

- Look at the resulting files:
--- "zImage" (kernel)
If zImage is about 7800 kb (as opposed to 4000 - 5500 kb that is normal), it is very likely this kernel includes a checksum. If you want to be 100% sure, open zImage in a hex editor, and go all the way to the end. There will be a few mb of 0's, followed by 128 bytes checksum - the very last 128 bytes in the file.

Such a zImage can be flashed both on "original" and the new "protected" bootloaders. The "protected" bootloaders can only flash these zImages, not the smaller variants.

If you have boot.bin, sbl.bin and a 7800 kb zImage, it is 99% likely flashing this ROM will give you a "protected" bootloader.

Some tech

Once these ROMs are flashed, updates to "boot", "sbl" and "zImage" are required to have a 128-byte checksum/signature. In boot.bin and sbl.bin these are near the end; in zImage (7800 kb files) they are the very last 128 bytes. Only firmwares with a zImage that has this signature will be flashable (which at the time of this writing are only JM6/A/C/D).

I have no idea how this signature is generated as of yet, so "faking it" is also not an option. If somebody figures that out, please post it in this thread. Then we could just insert the signatures in the older bootloaders and flash them back (still a dangerous effort by itself).

I think, and possibly others will correct me on this, the verification goes as follows, on a running device:

- PBL ( boot.bin ) checks SBL ( sbl.bin ) signature
- SBL checks kernel ( zImage ) signature

While flashing, I think it's the SBL that verifies the PBL/SBL/kernel flash, and refuses to write if the signature isn't correct.

Possible solutions

Flashing back "unprotected" bootloaders from older ROMs through either Odin or Heimdall does not work. These older bootloaders do not have the required signatures/checksums and thus the flash will fail.

A possible solution would be rooting the device, using Koush's bmlunlock, and dd'ing back bml1 and bml4 from backups, completely bypassing the flash checks. This is a very, very dangerous thing to be trying out though, and unless you really know what you are doing, I wouldn't attempt it. Maybe someone has Samsung repair center contacts or a JTAG unit close by ?

Personal note

I have tried to flash back older bootloaders and kernels several times and in several ways (from for example JJ4) but this fails. Odin said it succeeded the very last time I tried, however it really didn't, as my device is now a full (user-wise) brick. It doesn't even turn on to show me the "phone --- | --- pc" error screen. So I guess I need to make a trip to the nearest Samsung repair center (200 miles away). Too bad my car also broke down today. Guess it'll be some time (and money) before I have a working Tab again. Note that the brick was a problem with Odin, probably, not directly caused by the protected bootloaders themselves.

Update: Tab is back and working. Replaced mobo, so I no longer have the signed bootloaders myself.

NEW DEC. 28: SGTBootloaderCheck

Attached is also SGTBootloaderCheck. This is a script run on your Windows PC through ADB to check your bootloaders. It requires root, SuperUser, and a working ADB connection.

Just unzip the archive to a new folder, and double-click "check.bat". That should dump your bootloaders and kernel, copy them to your computer, check the content for signatures, and let you know the result.

I can't guarantee it works, but it should.

Attached

An archive with some relevant files for those who want to do some research. DON'T FLASH THESE FILES !!!

Attached Files
File Type: zip TabBLResearch-0.1.zip (5.01 MB, 5996 views)
File Type: zip SGTBootloaderCheck-1.0.zip (339.3 KB, 6329 views)
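The "Are you affected?" indicators in the post above (boot.bin / sbl.bin inside the extracted .tar.md5, a ~7800 kb zImage instead of the normal 4000-5500 kb, and a few MB of zeros followed by 128 signature bytes at the very end of that zImage) can be checked on the PC side before anything is flashed. The script below is an added example written for this page; it is not Chainfire's SGTBootloaderCheck (which dumps the bootloaders from a rooted device over ADB) nor any other code from the thread, and it inspects a firmware package file rather than the device. The 7000 kb size threshold and the 64 KB minimum zero run are assumptions chosen to sit between the sizes the post quotes; the sample packages are constructed in memory and contain no real firmware.

```python
"""Inspect a Galaxy Tab firmware package (.tar / .tar.md5) for the indicators
from the post: bundled boot.bin / sbl.bin, and a large zImage that ends in
zero padding followed by a 128-byte signature. Added example; thresholds and
sample data are assumptions or constructed, not taken from real firmware."""
import io
import tarfile
from dataclasses import dataclass

SIG_LEN = 128               # post: the very last 128 bytes of a signed zImage
LARGE_ZIMAGE_KB = 7000      # assumption: between ~4000-5500 kb (normal) and ~7800 kb (signed)
MIN_ZERO_RUN = 64 * 1024    # assumption: post says "a few mb" of 0's; 64 KB is a conservative lower bound
BOOTLOADER_FILES = {"boot.bin": "PBL (primary bootloader)",
                    "sbl.bin": "SBL (secondary bootloader)"}


@dataclass
class ZImageReport:
    size_kb: int
    large: bool          # size in the ~7800 kb range rather than 4000-5500 kb
    zero_run_kb: int     # length of the 0x00 padding right before the last 128 bytes
    trailing_sig: bool   # non-zero last 128 bytes preceded by that padding


def analyse_zimage(data: bytes) -> ZImageReport:
    """The hex-editor check from the post: go to the end, expect a run of
    zeros and then 128 non-zero signature bytes."""
    body, tail = data[:-SIG_LEN], data[-SIG_LEN:]
    zero_run = len(body) - len(body.rstrip(b"\x00"))
    return ZImageReport(
        size_kb=len(data) // 1024,
        large=len(data) // 1024 >= LARGE_ZIMAGE_KB,
        zero_run_kb=zero_run // 1024,
        trailing_sig=any(tail) and zero_run >= MIN_ZERO_RUN,
    )


def inspect_firmware(fileobj) -> dict:
    """Walk a firmware tar. A .tar.md5 is a tar with an md5 line appended after
    the end-of-archive blocks, so tarfile reads it without the rename step."""
    bootloaders, zimage = [], None
    with tarfile.open(fileobj=fileobj, mode="r:") as tar:
        for member in tar:
            name = member.name.rsplit("/", 1)[-1].lower()   # "Sbl.bin" counts as sbl.bin
            if name in BOOTLOADER_FILES:
                bootloaders.append(name)
            elif name == "zimage":
                zimage = analyse_zimage(tar.extractfile(member).read())
    if bootloaders and zimage and (zimage.large or zimage.trailing_sig):
        verdict = "likely_protected"            # post: boot.bin/sbl.bin + ~7800 kb zImage
    elif bootloaders:
        verdict = "bootloaders_present_unknown"  # post: present, but not certain they are protected
    elif zimage and zimage.trailing_sig:
        verdict = "signed_kernel_only"           # post: flashable on either bootloader type
    else:
        verdict = "no_bootloaders"
    return {"bootloaders": sorted(bootloaders), "zimage": zimage, "verdict": verdict}


# --- constructed sample data (not real firmware) -----------------------------
def make_zimage(content_kb: int, pad_to_kb: int = 0, signed: bool = False) -> bytes:
    """Non-zero filler, optionally padded with zeros and ended with a fake 128-byte signature."""
    content = (bytes(range(1, 256)) * (content_kb * 1024 // 255 + 1))[: content_kb * 1024]
    if not signed:
        return content
    sig = bytes((i * 37 + 1) % 256 for i in range(SIG_LEN))
    padding = b"\x00" * (pad_to_kb * 1024 - len(content) - SIG_LEN)
    return content + padding + sig


def build_package(members: dict, fake_md5: bool = True) -> io.BytesIO:
    """Build an in-memory .tar.md5-style package from {name: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    if fake_md5:   # mimic the checksum line Samsung appends after the archive
        buf.write(b"0123456789abcdef0123456789abcdef  constructed.tar\n")
    buf.seek(0)
    return buf


SIGNED_PACKAGE = {"boot.bin": b"\x01" * 4096, "Sbl.bin": b"\x02" * 8192,
                  "zImage": make_zimage(4800, pad_to_kb=7800, signed=True)}
PLAIN_PACKAGE = {"zImage": make_zimage(4500), "factoryfs.rfs": b"\x03" * 1024}

if __name__ == "__main__":
    for label, members in (("signed", SIGNED_PACKAGE), ("plain", PLAIN_PACKAGE)):
        print(label, inspect_firmware(build_package(members)))
```

For a real download, pass `open("PDA.tar.md5", "rb")` to `inspect_firmware` instead of a constructed package. The verdict strings mirror the post's wording: bootloaders plus a large or signed zImage is the "99% likely protected" case, bootloaders alone leave it uncertain, and a signed zImage without bootloaders is the case the Mini-FAQ in the first post calls harmless.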
 
TheGrammarFreak
#3
Senior Member
I'm sorry about your Tab man.
Nexus 4, CM11 M series
Nexus 7 (2013), CM11 M series
 
codewisp
#4
Senior Member
After flashing JM6, I have "zImage" and "Sbl.bin" but no "boot.bin" in my internal SD. Am I affected?

Also, is it safe to delete these files from my internal SD? I'm guessing they were put there temporarily and are now stored somewhere else already?
 
DubZyy
#5
Junior Member
Hey Chainfire,

I'm sorry about the brick :/

My English seems to be very bad... could you explain to me why your Tab is bricked now?

I think I understood why it's not possible to flash to another firmware, but why is your Tab bricked now? Yesterday I flashed to JM6 from an old Arabic FW (I think it was JJ1) with PIT p1 and code, modem and CSC files with re-part. on. So is there anything I have to look out for now?
 
Chainfire
#6
Senior Moderator / Senior Recognized Developer - Where is my shirt? - OP
Quote: Originally Posted by codewisp
After flashing JM6, I have "zImage" and "Sbl.bin" but no "boot.bin" in my internal SD. Am I affected?

Also, is it safe to delete these files from my internal SD? I'm guessing they were put there temporarily and are now stored somewhere else already?
You could be affected, I can't say for sure. The only way to be sure is trying to flash a custom kernel and see if Odin gives an error. See the CF-Root thread for screenshots of the error that is produced if you are affected. If there's no error and it boots, you have probably not been affected. Note that you can flash back the original JM6 kernel with both the "protected" as well as the "original" bootloaders.

I'll update the first post to add a bit more information.

Also yes, those files on your internal SD are temporary, you can delete them.

Quote: Originally Posted by DubZyy
Hey Chainfire,

I'm sorry about the brick :/

My English seems to be very bad... could you explain to me why your Tab is bricked now?

I think I understood why it's not possible to flash to another firmware, but why is your Tab bricked now? Yesterday I flashed to JM6 from an old Arabic FW (I think it was JJ1) with PIT p1 and code, modem and CSC files with re-part. on. So is there anything I have to look out for now?
The brick is a result of a bad bootloader flash... it's not something any of you are likely to encounter (unless you are trying to fix this issue).

If you successfully flashed to JJ1 - Odin did not produce any errors - you are probably safe!
 
chinchen
#7
(Last edited by chinchen; 26th December 2010 at 04:10 PM.)
Junior Member
Thanks for the information, but a little bit late for me --> bricked.

My luck: the next Samsung repair center is 5 kilometers away.

But I don't know what I should tell him.

The truth?
 
Jesterz
#8
Retired Moderator
@chainfire

Have you tried hex-editing the version of the SBL to a "fake" newer version? Or does the check only care about the checksum? On older phones we used to be able to do this....

I'm unpacking my dev. Tab as we speak, so I hope to have some time to play between X-mas dinners.
Current: Samsung Galaxy Tab
Old: Qtek G4 S200 / HTC Hero / HTC Desire
 
Chainfire
#9
Senior Moderator / Senior Recognized Developer - Where is my shirt? - OP
Quote: Originally Posted by chinchen
Thanks for the information, but a little bit late for me --> bricked.

My luck: the next Samsung repair center is 5 kilometers away.

But I don't know what I should tell him.

The truth?
Damned lucky the repair center is close!

You wouldn't happen to be living near me and I just never heard of this service center, would ya ?

How exactly is it a brick ? It's only a brick if it doesn't turn on at all anymore (like mine). If you can get anything on screen, you can bring it back to life (although maybe with protected bootloaders).

Quote: Originally Posted by Jesterz
@chainfire

Have you tried hex-editing the version of the SBL to a "fake" newer version? Or does the check only care about the checksum? On older phones we used to be able to do this....

I'm unpacking my dev. Tab as we speak, so I hope to have some time to play between X-mas dinners.
As far as I have been able to deduce (I have not done a full decompile yet, and not sure if I'm going to) it's only the checksum that matters. But I could be wrong there.

I'll upload some files for you in a minute, so you can look at them yourself as well.
 
faust86
#10
(Last edited by faust86; 26th December 2010 at 04:53 PM.) Reason: some gramatics :)
Junior Member
Quote: Originally Posted by chinchen
Thanks for the information, but a little bit late for me --> bricked.

My luck: the next Samsung repair center is 5 kilometers away.

But I don't know what I should tell him.

The truth?
Anything besides the truth - tell them that you turned off the Tab in the evening, and in the morning it doesn't start... they'll believe it.

Chainfire - my condolences... I also cannot flash CF-Root on JMC, so I think I have the new bootloader - I'm waiting for the next steps when your Galaxy Tab is alive.

Sorry for my English.
