[HOW-TO] UnBrick the UnBrickable Captivate


AdamOutler

Retired Senior Recognized Developer
Feb 18, 2011
5,224
9,827
Miami, Fl̨̞̲̟̦̀̈̃͛҃҅͟orida

Introduction:

After months of research and development, both hardware and software... I'm happy to announce UnBrickable Mod is a matter of modifying your phone once, with a single small wire. From that point on, you can click a button to unbrick. This can even be applied to a phone which is already bricked.



Instructions


Unbricking:
1. Apply UnBrickable Mod to your device: http://xdaforums.com/showthread.php?t=1206216
2. Run UnBrickable Resurrector: http://code.google.com/p/hummingbird-hibl/downloads/list This will only work on linux currently. Install Linux or dual boot if you have windows.
3. Run Heimdall One-Click: http://xdaforums.com/showthread.php?t=1266172 (or odin3 one-click),
4. Repeat steps 2 and 3 with bootloader flashing enabled (Heimdall One-Click has a safety mechanism which requires you to flash once before flashing bootloaders).




conclusion
You've unbricked the unbrickable captivate... This should not have been difficult. If it was, you should learn teh computer better... Really. And with that said, I'm happy to announce that you no longer have to flash with a fear of bricking.

HIBL
The HIBL is the key to resurrecting a S5PC110 based processor. I'm going to let Rebellos explain the inner workings of the Hummingbird Interceptor Bootloader. It's really quite amazing. While my work is more hardware and high level tasks like making things into one-clicks, Rebellos' work involves reverse software engineering, assembly language, and more...

Tools
Windows32 command line app and drivers http://xdaforums.com/attachment.php?attachmentid=709292&stc=1&d=1315091523
Linux one-click Resurrector: http://code.google.com/p/hummingbird-hibl/downloads/list
4SEP11: added 32 bit, miscellaneous improvements to visuals
6SEP11: removed additional commands
 

Attachments

  • Windows32DriversAndCommandLineApp.zip
    770.5 KB · Views: 22,998
  • UltimateUnBrickResurrector.zip
    697.6 KB · Views: 24,231

Rebellos

Senior Recognized Developer
May 13, 2009
1,353
3,428
Gdańsk
Okay, so, what is Hummingbird Interceptor Boot Loader (HIBL)?

Basically: It allows you to load any amount of data (limited by the size of a RAM block; the biggest single block available is 256MB) through a USB connection with a PC to any specified address in memory and then execute it.

Technically: It consists of 2 pieces fused together - BL1_stage1 and BL1_stage2.

Each stage starts with 16 bytes (4 ARM WORDs) of secure boot header. In stage1 these are mandatory, in stage2 they can be random (I nulled them in my code), so the EntryPoint of each stage is at its 0x10 offset.

BL1_stage1, loaded at address 0xD0020000, is short code, digitally signed by Samsung. It was released to break the "Chain of Trust" and turn the Secure Boot process into a Non-Secure Boot process. Literally, stage1 just does some compare operations and then jumps out to BL1_stage2. (Yes, I also see no point in releasing a hardware-secured CPU version together with software which bypasses its security.)

BL1_stage2 must be placed at address 0xD0022000 (it's fused together with stage1 into HIBL, so it's at offset 0x2000 of HIBL.bin). It is unsigned because the Secure Boot Context, prepared by iROM (BL0), has already been ignored by stage1.
Its FASM_ARM sourcecode:
http://code.google.com/p/hummingbir...unk/HummingBirdInterceptorBootloader/HIBL.ASM
This is where the code starts real work. It begins with the standard ARM core jump vector table (just to stick to the standard; these aren't used anyway).
1. It uses the I9000 BL1_stage2 functions (init_system) which I linked to it; these are used to init the DMC controllers. Up to this point the code is executing in and working with a very tiny, 96KB iRAM space; after calling this function all 512MB of RAM becomes available.
2. Make sure the DMC is configured properly (write some value to the 0x40~~ memory space, then read it and compare with the previously written value).
3. Reinit the iRAM heap to the BL0 initial state (to convince it USB dload mode hasn't been called yet), by storing and restoring the UART pointer only (to keep debug output flowing properly).
4. Call the iROM usb_downloader function.
5. Read the address where the downloaded data has been placed.
6. Jump to this address.

This, properly used, provides similar debug output (similar, because it's an outdated testlog):
Uart negotiation Error

----------------------------------------
Hummingbird Interceptor Boot Loader (HIBL) v1.0
Copyright (C) Rebellos 2011
----------------------------------------
Calling IBL Stage2
DONE!
Testing BL3 area
DONE!
iRAM reinit
DONE!
Please prepare USB dltool with BL3

Starting download...
0x00000000
Desired BL3 EP: 0x40244000
Download complete, hold download mode key combination.

Starting BL3...

//OUTPUT BELOW IS COMING FROM SBL

Set cpu clk. from 400MHz to 800MHz.
IROM e-fused - Non Secure Boot Version.

It opens infinite capabilities. Instead of an SBL to unbrick, U-Boot can be loaded, or any ARM Linux kernel. It's all up to you - XDA Developers.
 
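The UART test log above is the only feedback you get while HIBL runs, so it helps to know exactly which of the six steps it reached before something went quiet. The following is an added example (not HIBL's or the Resurrector's own code) that walks a captured log, checks that each stage that should print DONE! actually did, reports the last step reached, and extracts the BL3 entry point. The step markers are the strings from the log above; the DRAM window (512MB at 0x40000000) is an assumption taken from the post, and the sample log is a constructed copy of the one Rebellos posted.

```python
"""Parse a HIBL UART debug log and report how far the resurrection got.

Added example, not part of HIBL.  Marker strings come from the test log in
the post; the DRAM window is assumed from the post's description
(512MB of RAM, 0x40~~ address space) and is not verified against the SoC.
"""
import re

# (step name, marker printed by HIBL, whether HIBL prints DONE! right after it)
STEPS = [
    ("banner",       "Hummingbird Interceptor Boot Loader", False),
    ("stage2",       "Calling IBL Stage2",                  True),
    ("dmc_test",     "Testing BL3 area",                    True),
    ("iram_reinit",  "iRAM reinit",                         True),
    ("await_dltool", "Please prepare USB dltool",           False),
    ("dload_start",  "Starting download...",                False),
    ("dload_done",   "Download complete",                   False),
    ("bl3_start",    "Starting BL3...",                     False),
    ("sbl_running",  "Non Secure Boot Version",             False),
]
EP_RE = re.compile(r"Desired BL3 EP:\s*0x([0-9A-Fa-f]{1,8})")
DRAM_BASE, DRAM_SIZE = 0x40000000, 512 * 1024 * 1024  # assumption from the post


def parse_hibl_log(text):
    """Return which steps appeared, the last one, the BL3 EP, and any problems."""
    lines = [ln.strip() for ln in text.splitlines()]
    reached, problems, notices = [], [], []
    for name, marker, needs_done in STEPS:
        idx = next((i for i, ln in enumerate(lines) if marker in ln), None)
        if idx is None:
            continue            # step never printed: the loader stopped before it
        reached.append(name)
        if needs_done:
            # The next non-blank line must be DONE!, otherwise that step failed.
            nxt = next((ln for ln in lines[idx + 1:] if ln), "")
            if nxt != "DONE!":
                problems.append(f"{name}: expected DONE! after '{marker}', got '{nxt}'")
    if any("Uart negotiation Error" in ln for ln in lines):
        notices.append("UART negotiation error printed before the HIBL banner")
    ep = None
    m = EP_RE.search(text)
    if m:
        ep = int(m.group(1), 16)
        if not DRAM_BASE <= ep < DRAM_BASE + DRAM_SIZE:
            problems.append(f"BL3 entry point 0x{ep:08X} is outside the DRAM window")
    return {"reached": reached, "last": reached[-1] if reached else None,
            "bl3_ep": ep, "problems": problems, "notices": notices}


# Constructed copy of the test log from the post, used as sample input.
SAMPLE_LOG = "\n".join([
    "Uart negotiation Error",
    "",
    "----------------------------------------",
    "Hummingbird Interceptor Boot Loader (HIBL) v1.0",
    "Copyright (C) Rebellos 2011",
    "----------------------------------------",
    "Calling IBL Stage2",
    "DONE!",
    "Testing BL3 area",
    "DONE!",
    "iRAM reinit",
    "DONE!",
    "Please prepare USB dltool with BL3",
    "",
    "Starting download...",
    "0x00000000",
    "Desired BL3 EP: 0x40244000",
    "Download complete, hold download mode key combination.",
    "",
    "Starting BL3...",
    "",
    "//OUTPUT BELOW IS COMING FROM SBL",
    "",
    "Set cpu clk. from 400MHz to 800MHz.",
    "IROM e-fused - Non Secure Boot Version.",
])

if __name__ == "__main__":
    report = parse_hibl_log(SAMPLE_LOG)
    print("last step reached:", report["last"])
    print("BL3 entry point:", hex(report["bl3_ep"]) if report["bl3_ep"] else None)
    for p in report["problems"] + report["notices"]:
        print(" -", p)
```

Feed it the serial capture from a failed attempt and the "last" field tells you whether the device never got past stage2 (DMC init), stalled waiting for the dltool, or died after handing off to BL3, which is what you need to know before deciding whether the wire, the USB driver, or the SBL image is the problem.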

Smasher816

Senior Member
Jan 16, 2011
405
201
Missouri
plus.google.com
Amazing work. Glad to see this finally finished and open to the community with a tutorial. I also heard you would be porting this to Windows, and I will look forward to that. I have a virtual Ubuntu machine; however, I can not get adb to work :(

My dad is also thinking about picking up a $20 Infuse, and therefore I would get his old Captivate, giving me 2 Captivates. If this happens I will definitely take you up on your $30 offer, and transform one into a super dev phone, and the other my daily phone. Then maybe I can help Rebellos and you with some bootloader development.

But seriously. Once again amazing work guys :D
 

psycho2097

Senior Member
Nov 1, 2010
958
156
Raleigh
donated to adam. sorry didn't split up between adam n rebellos... :p adam pls b fair n share... :p but seriously guys, this is epic development.do appreciate and donate.
 

AdamOutler

Retired Senior Recognized Developer
Feb 18, 2011
5,224
9,827
Miami, Fl̨̞̲̟̦̀̈̃͛҃҅͟orida
Thanks.

I updated the jar. If you're having problems launching it, it's because I made the Ultimate UnBrickable Resurrector from source from my other project, Heimdall One-Click... I forgot to change something in the manifest at the last minute. Please redownload if it won't launch.

This should work on any device which identifies itself as an S5PC110 .... B/D. Sometimes, if you're lucky, any phone can brick itself in this state.
 

ostrianiel

Member
Feb 1, 2010
7
0
It's honestly easiest if you have the time to dual boot an Ubuntu OS on your current machine. It has a major bug still but I figured out the issue and contacted Adam on the fix for it.

Yeah... I've spent a good bit messing with it and the settings in VB but it won't detect. (I hope it doesn't have to do with my soldering).

I'll try the dual booting tomorrow and give it another shot.
 

killer_raj

Senior Member
Feb 24, 2011
438
56
Calcutta
great work adam.....appreciate it..though i m a riff box owner(just bought it for fun)..so wont need this mod....
but still its a great work for others....
cheerss!!!!!!
 

AdamOutler

Retired Senior Recognized Developer
Feb 18, 2011
5,224
9,827
Miami, Fl̨̞̲̟̦̀̈̃͛҃҅͟orida
great work adam.....appreciate it..though i m a riff box owner(just bought it for fun)..so wont need this mod....
but still its a great work for others....
cheerss!!!!!!


Why open the phone every time you have a problem? Apply UnBrickable Mod once and you will never need a screwdriver to unbrick your device. If you have spare time now, apply the modification, then use the tool later.

Btw... I have two RIFF JTAG boxes... :p
 

connexion2005

Senior Member
Feb 27, 2009
1,021
718
Texas
www.mobiletechvideos.com
It's not a bug... your computer is too old. 64bit only for now.

Ok cool I'll dual boot a 64bit Ubuntu box to confirm this. I wasn't aware there were both x32 and x64 smdkusbdl tools but I didn't write this either! I just found it interesting that after replacing the suspect files in the .jar file that it worked perfectly on my "old 32 bit test mule"... ;)

Amazing work. I almost spit my drink out after using it.
 

killer_raj

Senior Member
Feb 24, 2011
438
56
Calcutta
Why open the phone every time you have a problem? Apply UnBrickable Mod once and you will never need a screwdriver to unbrick your device. If you have spare time now, apply the modification, then use the tool later.

Btw... I have two RIFF JTAG boxes... :p

i m using cappy for almost 10 months now...but i never hardbricked my phone ...(touchwood)...:p
i never had to open my phone ..as i said i just bought the riff box for fun..and to help others....
but u r right.. for ur mod..i will hav to open my phone just once...and after that i can brick it as many times as i want.:cool:.and will never need to open it again to unbrick it....thats a plus point....
 

bulletproof1013

Senior Member
Dec 11, 2008
907
78
I have never bricked my phone...but now I never will.
i m using cappy for almost 10 months now...but i never hardbricked my phone ...(touchwood)...:p
i never had to open my phone ..as i said i just bought the riff box for fun..and to help others....
but u r right.. for ur mod..i will hav to open my phone just once...and after that i can brick it as many times as i want.:cool:.and will never need to open it again to unbrick it....thats a plus point....



Sent from my SGH-I897 using XDA Premium App
 

Top Liked Posts

    Thanx.

    First success with Windows32DriversAndCommandLineApp.zip with
    Wave S8500

    Code:
    -----------------------------------------------------
            Win32 SMDK dltool commandline for SMDK boards
            by Rebellos
            based on DNW code by Purnnamu
    -----------------------------------------------------
    
    usage: win32-smdk-dltool.exe <filename|optional> <hex_addr|optional> <pause_time
    _ms|optional>
    Trying to upload HIBL.bin into 0xd0020000
    Found device!
    Transmit begin...thread created!
    Download completed!
    endevent signaled!
    -----------------------------------------------------
            Win32 SMDK dltool commandline for SMDK boards
            by Rebellos
            based on DNW code by Purnnamu
    -----------------------------------------------------
    
    usage: win32-smdk-dltool.exe <filename|optional> <hex_addr|optional> <pause_time
    _ms|optional>
    Trying to upload Sbl.bin into 0x40244000
    Can't open USB device.
    retry 1 of 5.
    Can't open USB device.
    retry 2 of 5.
    Found device!
    Transmit begin...thread created!
    Download completed!
    endevent signaled!
    Your device is in download mode, press any key...
    Drücken Sie eine beliebige Taste . . .

    Now I have the Samsung Modem driver back on COM 33 :good:

    Later I will try to combine Wave BL3 from RIFF...

    Anyway, this tool works. :good:

    Best Regards
    5 days and nights of development, few hundreds tests, in total about 50 hours of struggles, and here it comes!

    Win32 DNW commandline port

    I think that's the last time in my life I mess with Win32 drivers layer...

    Package contains DNW+32-bit driver
    One-click is on its way. To perform a more manual resurrection:
    1) Download attachment
    2) Download current HIBL build: http://code.google.com/p/hummingbir...unk/HummingBirdInterceptorBootloader/HIBL.bin
    3) Download patched SBL: http://code.google.com/p/hummingbir...runk/HummingBirdInterceptorBootloader/Sbl.bin
    4) Connect modded/IBL bricked device to PC, install driver.
    5) Go to commandline and perform 2 commands:
    dnw HIBL.bin D0020000
    dnw Sbl.bin 40244000

    Your device is now in ODIN download mode. :]

    Please note that regardless of my care to keep it stable, dnw can sometimes fail to download; then you must restart the device (just unplug and plug the USB again) and try dnw again.


    Now guys, is it possible to flash bootloaders through ODIN and not do a hardware mod and still be able to do this? Can this be done in the future?
    As always, I really like your work and am looking forward to an SGS i9000 one-click unbrick :D

    It's not possible to do it with ODIN alone. And won't be. Your device must be modded or have bricked IBL (seems to be dead but PC recognize it on USB)

    For I9000 mod development we need to destroy one I9000 board (or, it can be already destroyed, the requirement is to be mainly in one piece around CPU)

    Note: Please remember this driver and command tool is highly experimental; it CAN (but shouldn't) damage your PC, or just simply not work (but usually should). However, the Linux version is working much better; I recommend using the Linux version until we develop a better version of the Win32 port.
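The two dnw commands in the manual procedure above take a file and a bare hex load address, and the address is the one thing that must be right: HIBL.bin has to land at D0020000 so that stage1's signed header sits where iROM expects it and stage2 ends up at 0xD0022000, while Sbl.bin goes into the DRAM that stage2 initialised. The following is an added example (not part of dnw, HIBL or the Resurrector) that checks both uploads against the layout Rebellos described before anything is sent: word-aligned addresses, the 256MB single-block limit, whether the image fits the target memory, and that HIBL.bin is long enough to contain both stages with their 16-byte headers. The iRAM window (96KB starting at the stage1 load address) and DRAM window (512MB at 0x40000000) are assumptions taken from the posts, and the two images are constructed stand-ins, not the project's binaries.

```python
"""Pre-flight check for the two dnw uploads (HIBL.bin, then Sbl.bin).

Added example; not the dnw tool's own code.  Memory windows are assumptions
taken from Rebellos' posts: stage1 loads at 0xD0020000 and runs inside a
96KB iRAM, so iRAM is taken to start there; DRAM is 512MB at 0x40000000;
HIBL accepts at most one 256MB block per download.
"""

IRAM_BASE, IRAM_SIZE = 0xD0020000, 96 * 1024
DRAM_BASE, DRAM_SIZE = 0x40000000, 512 * 1024 * 1024
MAX_DOWNLOAD = 256 * 1024 * 1024
HEADER_LEN = 0x10        # 4 ARM words of secure boot header at the start of each stage
STAGE2_OFFSET = 0x2000   # BL1_stage2 sits at this offset inside HIBL.bin


def parse_dnw_addr(text):
    """dnw takes a bare hex address such as 'D0020000'; tolerate a 0x prefix."""
    t = text.strip().lower()
    if t.startswith("0x"):
        t = t[2:]
    return int(t, 16)


def check_upload(name, image, load_addr):
    """Generic checks for sending `image` to `load_addr`; returns problem strings."""
    problems = []
    size = len(image)
    if load_addr % 4:
        problems.append(f"{name}: load address 0x{load_addr:08X} is not word aligned")
    if size == 0 or size > MAX_DOWNLOAD:
        problems.append(f"{name}: size {size} outside 1..{MAX_DOWNLOAD} bytes")
    in_iram = IRAM_BASE <= load_addr and load_addr + size <= IRAM_BASE + IRAM_SIZE
    in_dram = DRAM_BASE <= load_addr and load_addr + size <= DRAM_BASE + DRAM_SIZE
    if not (in_iram or in_dram):
        problems.append(f"{name}: 0x{load_addr:08X}+{size} bytes fits neither iRAM nor DRAM")
    return problems


def check_hibl_image(image, load_addr):
    """HIBL.bin-specific checks; returns (problems, (stage1_ep, stage2_ep) or None)."""
    problems = check_upload("HIBL.bin", image, load_addr)
    if len(image) < STAGE2_OFFSET + HEADER_LEN + 4:
        problems.append("HIBL.bin: too short to contain BL1_stage2 at offset 0x2000")
        return problems, None
    if image[:HEADER_LEN] == bytes(HEADER_LEN):
        # Stage1's header is the mandatory, signed part; an all-zero header
        # means the wrong file (assumption: real headers are never all zero).
        problems.append("HIBL.bin: stage1 secure boot header is all zero")
    stage1_ep = load_addr + HEADER_LEN                  # entry is at offset 0x10
    stage2_ep = load_addr + STAGE2_OFFSET + HEADER_LEN  # 0xD0022000 + 0x10 when at D0020000
    return problems, (stage1_ep, stage2_ep)


def check_plan(hibl_image, hibl_addr, sbl_image, sbl_addr):
    """Validate the whole two-step plan: dnw HIBL.bin <addr>; dnw Sbl.bin <addr>."""
    problems, eps = check_hibl_image(hibl_image, hibl_addr)
    problems += check_upload("Sbl.bin", sbl_image, sbl_addr)
    return {"ok": not problems, "problems": problems, "entry_points": eps}


# Constructed stand-ins for the real binaries: stage1 = 16-byte header plus
# filler up to 0x2000, stage2 = nulled header plus some ARM words; SBL = 128KB.
FAKE_HIBL = (bytes(range(1, HEADER_LEN + 1)) + b"\x00" * (STAGE2_OFFSET - HEADER_LEN)
             + bytes(HEADER_LEN) + b"\x00\x00\x00\xEA" * 64)
FAKE_SBL = b"\x12\x34\x56\x78" * 32768

if __name__ == "__main__":
    plan = check_plan(FAKE_HIBL, parse_dnw_addr("D0020000"),
                      FAKE_SBL, parse_dnw_addr("40244000"))
    print("ok" if plan["ok"] else "PROBLEMS:", plan["problems"])
    if plan["entry_points"]:
        s1, s2 = plan["entry_points"]
        print(f"stage1 EP 0x{s1:08X}, stage2 EP 0x{s2:08X}")
```

Running it on the addresses from the post passes and prints stage entry points 0xD0020010 and 0xD0022010; swapping the two files or mistyping one hex digit is caught before dnw opens the USB device, which matters because dnw itself simply uploads to whatever address it is given.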