[25.01.2011] WARNING! Do not flash JM*,KA*... README! [Patch released, L/N supported]


Sparkle1975

Member
Jan 4, 2010
28
1
Copenhagen
If you are flashing a CODE/MODEM/CSC combo, boot and sbl are in the CODE file. You can just rename this file to .tar (if it is named .tar.md5 instead of .tar) and open them with WinRAR to check, by the way.

Thanks for the idea - got my Tab back alive again. However, I did not follow this suggestion. Instead, I just tried a CODE/MODEM/CSC combo, and... IT WORKED!

I used this:
Odin3 v. 1.0 (don't know if Odin 1.3 or Odin 1.7 is better, but I used the old one)
909.pit
P1000OXAJM6(PAR).tar (JM6 firmware)
MODEM_P1000XXJID.tar.md5 (from XXJID firmware)
GT-P1000-CSC-SERJJ2.tar.md5 (from XXJID firmware)

And now the beast is alive.
Baseband version P1000XXJID
Kernel 2.6.32.9 root@sep-53 #1
Build: FROYO.XXJM6

EDIT:
Worked, booted, but just one small problem: The backlight won't turn off automatically. But then I flashed these files:
http://xdaforums.com/showpost.php?p=9468220&postcount=1
And now it works perfect - backlight turns off, it's quite snappy.

I don't know if the firmware (boot/kernel) are signed or not, so right now I don't know which firmwares I am able to flash.

Next step: Is there any point in rooting the device? And are there no signs of custom ROMs?
 

blacklevel

Member
Aug 22, 2009
45
21
you should definitely be able to flash jk5 kernel, because i have the same constellation, and it works like this:

EDIT: I'm not responsible if it fails, as this is just describing what I did...


1. backup everything.

2. factory reset and formatting internal sd

3. repartition with odin (just pit file which is adequate for jk5)

4. don't reboot, go straight back to downloading screen by holding vol down after flashing pit

5. heimdall graphical frontend (sorry geeks, it works and it's comfortable) everything from jk5; but i would go to a former firmware as jk5 which includes all, also boot.bin and sbl.bin; put in heimdall everything from your firmware you like to flash except pit and recovery-->

6. press start in heimdall; the process on the computer should go without any error

AND NOW

7. your tab gets stuck at approximately 87 % :p update process; NO Panic

8. disconnect your device from your pc and start it, you should come to a very basic bootscreen "tab---warning---computer"

9. start odin and do just the step 3 again

10. while rebooting hold volup to make sure it starts installing the rest

11. voila, you should have your wished firmware installed.

ATTENTION, it might show again that the primary bootloader and kernel is still signed, but .....

12. flash your dbdata and install your tab new

that was how i made it working, can somebody confirm it please??:cool:

Now, that is interesting. If your procedure can be reproduced it would show at least one thing.

The failure to flash an unsigned kernel is because somehow the partitioning does not work for an unsigned kernel. Thus the flashing fails.

According to your procedure the flashing of an unsigned kernel works if the Tab is first repartitioned to a layout which matches the unsigned kernel.

I still have my doubts whether this procedure also allows to downgrade/replace the PBL to an unsigned version (or works at all for that matter).

If that is indeed the result of your procedure

ATTENTION, it might show again that the primary bootloader and kernel is still signed, but .....

it simply means that the flashing of the PBL (boot.bin) and the kernel were both unsuccessful, even if the flashing of the other parts worked okay.

I will check and post my findings.
 

m.tom59

New member
Nov 25, 2010
2
1
you should definitely be able to flash jk5 kernel, because i have the same constellation, and it works like this:

EDIT: I'm not responsible if it fails, as this is just describing what I did...


1. .....

6. press start in heimdall; the process on the computer should go without any error

AND NOW

7. your tab gets stuck at approximately 87 % :p update process; NO Panic

.....

11. voila, you should have your wished firmware installed.

ATTENTION, it might show again that the primary bootloader and kernel is still signed, but .....

.....
that was how i made it working, can somebody confirm it please??:cool:


Have you compared the kernel?

I have done it as you have described it. But the kernel is still the same.

Here is what i think:
it is the same kernel as before, this is why it gets stuck at 87%, the kernel cannot be flashed.
You can more easily go to an older firmware, remove the boot.bin, sbl.bin, and zImage from the firmware file, and flash it.
In my opinion, the way that you described is a very dangerous way.

m.tom59
 

paulshields

Senior Member
Nov 17, 2006
383
54
Liverpool
@blacklevel,

Heimdall is not stating an error on flashing those parts as kernel, pbl and sbl.

Sent from my GT-P1000 using XDA App

Heimdall doesn't really say anything one way or the other when flashing. These kinds of tools are always very blunt and "dumb" in information terms. I suspect like others that you're not flashing an equivalent kernel when rolling back to whatever previous version you're choosing. Simple way to tell is to run chainfire's script. If you've managed to get to an unencrypted kernel/bootloader then that is significant but we will need proof :).
 

abuser0815

Senior Member
Dec 14, 2010
113
15
Las Palmas
Paul...

I assumed also that it's not really changed. But under *#1234# it shows me the firmware i flashed and i wanted. Kernel, pbl and sbl, i do not really know what heimdall is doing on it or not.


Sent from my GT-P1000 using XDA App
 

m.tom59

New member
Nov 25, 2010
2
1
I have tried to flash an unsigned sbl with the following command:
adb shell su -c "dd if=/sdcard/Sbl.bin of=/dev/block/bml4 bs=4096"
but with no working result. After reading the sbl again:
adb shell su -c "dd if=/dev/block/bml4 of=/sdcard/Sbl.bin bs=4096", it is still the same as before.
Also i have flashed an unsigned zImage in this way.
The kernel can be flashed, but after flashing, the Tab doesn't start up.
I must flash a signed kernel again to reactivate the Tab.

m.tom59
 

xIllu

Member
Jun 15, 2010
33
0
so my tab is SIGNED, what does that now actually mean ? which roms can be flashed and which can not ? tnx
 

Volker1

Senior Member
Jul 31, 2009
259
79
Heimdall is not stating an error on flashing those parts as kernel, pbl and sbl.

In order to get a useful log out of Heimdall, you need to flash from the command line and pass the --verbose option

Code:
[user@localhost]$ ./heimdall
Usage: heimdall <action> <arguments> [--verbose] [--delay <ms>]

action: flash
arguments:
    --repartition --pit <filename> --factoryfs <filename>
    --cache <filename> --dbdata <filename> --primary-boot <filename>
    --secondary-boot <filename> --param <filename> --kernel <filename>
    --modem <filename>
  or:
    [--pit <filename>] [--factoryfs <filename>] [--cache <filename>]
    [--dbdata <filename>] [--primary-boot <filename>]
    [--secondary-boot <filename>] [--secondary-boot-backup <filename>]
    [--param <filename>] [--kernel <filename>] [--recovery <filename>]
    [--efs <filename>] [--modem <filename>]
description: Flashes firmware files to your phone.
 

Chainfire

Moderator Emeritus / Senior Recognized Developer
Oct 2, 2007
11,452
87,862
www.chainfire.eu
@chainfire,

What's the status of this? maybe we can pool resources with more people looking into this.

also, I assume (?) you played around with bmlunlock by koush ?

https://github.com/CyanogenMod/android_device_samsung_bmlunlock
Precompiled binary here: http://koush.tandtgaming.com//samsung/bmlunlock

After running bmlunlock on the samsung device, one can flash the kernel using the following command: dd if=/sdcard/zImage of=/dev/block/bml7 bs=4096


(yes i'm catching up, didn't read through 19 pages so excuse me if double posting ;) )

Now I can understand you haven't been able to catch up with everything that has been said in every single page. However, the bmlunlock thing is mentioned even in the first post. Also, you could have tried "searching this thread" for bmlunlock, which would give you many references to it. As an FSM, both should have occurred to you. ( :p )

As for current status, nothing yet. There isn't much that I can do without an operational Tab.

Regarding resources, pooling, and people, there's enough people on the job. Right now it's just a bit of a waiting game for everyone to get their equipment in order to start testing. I'm still analysing a lot of dumps myself, trying to figure out some things about the BLs. Rotohammer is on the job and waiting for his RIFF BOX (JTAG unit) to arrive. Richthofen is waiting for a Tab + RIFF BOX to help figure this out (expected within days), and also going through the tech docs trying to figure out how to make a "factory mode" JIG (quite similar to the "download mode" JIG for SGS) which can possibly revive my Tab. In the meantime, Da_G has offered to ship his own JTAG unit + tools to me, and if Richthofen's "factory mode" JIG doesn't work out, I'll take Da_G up on this offer. Da_G and cmonex' expertise is also just an IRC connection away should I need them :)

Really, we have enough people on the job with enough knowhow to fix this, and I don't expect the fix is much more than a week or so away. Right now everyone is pretty much just waiting on the hardware to allow testing in a safe way.

or the mechanism to determine if sbl is signed or not not working well. also can be a method for forcing flash that might be our solution if we can find it.

I'm not sure what's wrong with the SBL, I've analysed one of these unsigned SBLs between signed PBL and kernel, and it does actually seem to be unsigned. Maybe it's sneakily using SBL2, or the bml dump got garbled (blocks out of order) which is also completely possible. There's some weird stuff still with the PBL dump as well, hopefully we'll figure out soon why/what/how.

I've played with dd fun before in the "old" days, somewhat scary, however bml7= kernel, which should be still reflashable using odin etc. bml1&2 is the scary part as that contains the bootloaders.

Edit:

Maybe a better way is to use the samsung OTA tool, redband_ua, didn't have time to dig in, however it's in heavy use on the Galaxy S, might work on Tab
http://xdaforums.com/showthread.php?t=765724&page=2

However i'm assuming ChainFire is this far and I don't want to duplicate work, but detailing what is done already is useful

I've looked a bit at redbend (not very extensively), do you know how to flash multiple parts without rebooting ? Also of course we do not know whether flashing through redbend involves the checks.

you should definitely be able to flash jk5 kernel, because i have the same constellation, and it works like this:

EDIT: I'm not responsible if it fails, as this is just describing what I did...


1. backup everything.

2. factory reset and formatting internal sd

3. repartition with odin (just pit file which is adequate for jk5)

4. don't reboot, go straight back to downloading screen by holding vol down after flashing pit

5. heimdall graphical frontend (sorry geeks, it works and it's comfortable) everything from jk5; but i would go to a former firmware as jk5 which includes all, also boot.bin and sbl.bin; put in heimdall everything from your firmware you like to flash except pit and recovery-->

6. press start in heimdall; the process on the computer should go without any error

AND NOW

7. your tab gets stuck at approximately 87 % :p update process; NO Panic

8. disconnect your device from your pc and start it, you should come to a very basic bootscreen "tab---warning---computer"

9. start odin and do just the step 3 again

10. while rebooting hold volup to make sure it starts installing the rest

11. voila, you should have your wished firmware installed.

ATTENTION, it might show again that the primary bootloader and kernel is still signed, but .....

12. flash your dbdata and install your tab new

that was how i made it working, can somebody confirm it please??:cool:

That's just a very elaborate way to flash a different ROM without replacing PBL, SBL and kernel. Has been discussed before in this thread.

Here is the output from a stock ATT ROM. Probably no surprises here.

Edit: Noob question: Why does the output say it transferred the file successfully but then says it can't find the files? Did I do something wrong?

Code:
========================================================
= Samsung Galaxy Tab Bootloader Check v1.0             =
= Copyright (C) 2010 Chainfire                         =
=                                                      =
= Please make sure your device is connected, rooted,   =
= and USB debugging is enabled !                       =
=                                                      =
= Accept the SuperUser prompt when it shows up !       =
========================================================

Press any key to continue . . .

========================================================
= Dumping PBL, SBL and kernel ...                      =
========================================================

su
rm /sdcard/bml1.bin
rm /sdcard/bml4.bin
rm /sdcard/bml7.bin
dd if=/dev/block/bml1 of=/sdcard/bml1.bin bs=4096
dd if=/dev/block/bml4 of=/sdcard/bml4.bin bs=4096
dd if=/dev/block/bml7 of=/sdcard/bml7.bin bs=4096
exit
exit
$ # # # # 64+0 records in
64+0 records out
262144 bytes transferred in 0.050 secs (5242880 bytes/sec)
# 320+0 records in
320+0 records out
1310720 bytes transferred in 0.171 secs (7665029 bytes/sec)
# 1920+0 records in
1920+0 records out
7864320 bytes transferred in 0.699 secs (11250815 bytes/sec)
# $
========================================================
= Retrieving files ...                                 =
========================================================

Could Not Find C:\Documents and Settings\Karl\My Documents\Android\SGTBootloader
Check-1.0\boot.bin
Could Not Find C:\Documents and Settings\Karl\My Documents\Android\SGTBootloader
Check-1.0\sbl.bin
Could Not Find C:\Documents and Settings\Karl\My Documents\Android\SGTBootloader
Check-1.0\zimage
331 KB/s (0 bytes in 262144.000s)
384 KB/s (0 bytes in 1310720.003s)
374 KB/s (0 bytes in 7864320.020s)

========================================================
= Here come the results ...                            =
========================================================

SGT-BootloaderCheck v1.0 - Copyright (C) 2010 Chainfire

boot.bin: Unsigned
sbl.bin: Unsigned
zImage: Unsigned

Assessment:
-- Bootloaders: Unprotected, can flash all bootloaders and kernels
-- Kernel: Unsigned, can only be flashed on unprotected bootloaders

Press any key to continue . . .

The "Could not Find ..." is because the script deletes old files (if present) before transferring the new dumps. The first time you run it, there won't be any old files present, hence the error message trying to delete them.

I have tried to flash an unsigned sbl with the following command:
adb shell su -c "dd if=/sdcard/Sbl.bin of=/dev/block/bml4 bs=4096"
but with no working result. After reading the sbl again:
adb shell su -c "dd if=/dev/block/bml4 of=/sdcard/Sbl.bin bs=4096", it is still the same as before.
Also i have flashed an unsigned zImage in this way.
The kernel can be flashed, but after flashing, the Tab doesn't start up.
I must flash a signed kernel again to reactivate the Tab.

m.tom59

Interesting. It has been attempted to flash both bml1 AND bml4, resulting in full bricks. Maybe both need to be flashed in order to make any difference stick ?

But really people, STOP TRYING TO OVERWRITE BML1 AND BML4 IF YOU DO NOT HAVE A JTAG UNIT AND KNOW HOW TO USE IT. If you mess it up, only a JTAG unit (or possibly a "factory mode" JIG) will be able to revive your device.
 

Ilia_Z

Member
Oct 27, 2010
5
0
Hi Happy New year!

Help me please, I brick my tab
I have T-mobile with JJB firmware version and try to load full(with PIT)
russian ver P1000XWJJ7 via Odin 1.7 (I'm from Russia).
After start I wait long time with no result, then I power off my tab
and now see "PC -!- phone" pic only. No download mode,
but if I press both vol bat and plug USB I see
"Power rest or Unknown upload mode" and Odin see my tab.
What should I do to unbrick my tab?
Help me please
 

rotohammer

Senior Member
Jan 2, 2007
1,386
1,066
New Jersey
Hi Happy New year!

Help me please, I brick my tab
I have T-mobile with JJB firmware version and try to load full(with PIT)
russian ver P1000XWJJ7 via Odin 1.7 (I'm from Russia).
After start I wait long time with no result, then I power off my tab
and now see "PC -!- phone" pic only. No download mode,
but if I press both vol bat and plug USB I see
"Power rest or Unknown upload mode" and Odin see my tab.
What should I do to unbrick my tab?
Help me please

Flash Roto-JME to get back to a working state, then decide what you really want after.
 

joeearl13

Senior Member
Sep 20, 2008
139
127
Thanks for all your hard work guys. Got my Tab a few weeks back but held off flashing for a while to take some time to read up on it all. Thanks to your info I successfully flashed up to JMC from T-Mobile JJ3 (UK) a few days back without getting a signed boot.bin or sbl.bin, and am now going to flash Roto's JME.
 

falan

Member
Sep 19, 2008
10
0
It's possible to use this, to install the ClockworkMod Recovery and come back to unsigned firmware with nandroid backup?
 

Top Liked Posts

  • 226
    DO NOT USE THIS ON THE GINGERBREAD RELEASES ! THE SAMSUNG GINGERBREAD RELEASES DO HAVE SIGNED BOOTLOADERS, BUT THEY ARE NOT LOCKED. In other words, you can still flash custom kernels and such, and the bootloader patch will only break things, not fix them.

    To read the history of this problem, see the 2nd post of this thread (scroll down).

    A number of new firmwares for the Samsung Galaxy Tab come with "signed / protected" bootloaders. These new bootloaders prevent you from flashing custom or otherwise unsigned kernels on the device. Trying to do so anyway will result in errors and usually requires you to reflash your ROM completely.

    I hope everybody here has learned the lesson not to just flash anything that SamFirmware releases ;)

    The patch
    After a great many hours of researching, testing and coding, myself (Chainfire) and Rotohammer have come up with a patch that works on most devices (currently all known GSM Tab variants), and flashes back unprotected JJ4 (T-Mobile ?) bootloaders, or the original P1000N bootloaders for the Latin models. The app only patches when it finds protected bootloaders, and you have to press a button for that, so the app can also be used to look at your current status.

    The patch has been tested repeatedly and with success on (0 bricks so far):

    - GT-P1000 Euro/International/Unbranded Galaxy Tab
    - SGH-I987 AT&T Galaxy Tab
    - SGH-I987 Rogers Galaxy Tab
    - SGH-T849 T-Mobile Galaxy Tab

    - GT-P1000L Latin Galaxy Tab (use LATIN version!)
    - GT-P1000N Latin Galaxy Tab (use LATIN version!)

    Additional thanks to: koush, neldar, richardtrip, AColwill, farahbolsey, deezid, wgery, tmaurice, rmanaudio, crisvillani, alterbridge86, ivannw, themartinohana, luisfer691 (in no particular order!)

    Please note that even though there have not been any bricks so far, replacing bootloaders is a very dangerous operation that may BRICK your device, and you should think twice before using the patch. Using the patch is completely AT YOUR OWN RISK!

    Instructions
    Download the attached APK, install it on your device, and run it. It will show you a status screen, and if your device is compatible and you have protected bootloaders, the bottom entry "Patch bootloaders" will become available. Tapping it will start the patch procedure.

    Note that the patch requires root !

    Mini-FAQ

    --- After the fix, my "zImage" still shows signed ! Is this a problem ?

    No, this is perfectly fine! What matters is that "PBL", "SBL" and "SBL_Backup" are not signed. If "zImage" is signed, it means this ROM can be flashed onto a device that has signed bootloaders. UNsigned "zImage"s can NOT be flashed on signed bootloaders. This is the origin of the problem, because custom kernels are always UNsigned "zImage"s !

    --- Can I now flash any ROM and just use this application to fix the bootloaders ?

    Technically yes. But it would be stupid to do so. Flashing bootloaders (what this app does) is VERY dangerous, it is the only way to really brick a Tab. If you want to flash a new ROM, make sure it DOES NOT contain bootloaders. Remove them yourself, or wait for somebody else (like Rotohammer) to remove the bootloaders and post the "safe" ROM. Even though this patch is available, if at all possible, you should always try to avoid having to use it.

    CDMA tabs
    There is currently no support for CDMA Galaxy Tabs, nor do we know if support is needed at this time.

    LINKING
    You are expressly forbidden to repost the APK elsewhere. If you post about this, post a link to this thread, not to the download (or a repost of the download).

    Download
    Don't forget to donate and/or press the thanks button!

    For non-XDA members who cannot access the attachment, here are multiupload links:
    Euro / International / Unbranded / AT&T / Rogers / T-Mo: http://www.multiupload.com/EMOCU1S0V2
    Latin (P1000L and P1000N): http://www.multiupload.com/3TJ3YWMWJR

    MAKE SURE TO SELECT THE RIGHT DOWNLOAD!
    17
    WARNING! Do not flash JM6/9/A/C/D/E/F... Before reading this !

    THIS POST, #2 OF THIS THREAD, IS HISTORICAL AND LEFT HERE "FOR THE RECORD". SEE THE FIRST POST FOR WHAT IS CURRENT!

    BREAKING NEWS / JAN 15: A fix has been found ! See this post. Also see the bounty thread: http://xdaforums.com/showthread.php?t=906464.

    This really applies to other ROMs as well, but the "new" JM6/9/A/C/D/E/F ROMs specifically.

    Some of these ROMs include new bootloaders. These bootloaders check checksums/signatures in various parts of the firmwares. Neither the "normal" Samsung ROMs nor custom ROMs and kernels have these checksums.

    The result is that once flashed, you cannot revert to older/official/custom Samsung ROMs, and you are pretty much stuck using one of these four ROMs, as they are the only ones containing the right checksums.

    At least TRIPLE CHECK if you want to flash one of these ROMs, that what you are flashing DOES NOT include the new bootloaders ( boot.bin and sbl.bin ). I know from the CF-Root thread that a fair number of you are already too late, but I thought to warn new users anyways. Some modders (like rotohammer) already usually remove these parts, but still triple check everything to make sure.

    There is no known fix. I know, I've tried all of them some people suggested in other threads. None of them really works. Sure, with some effort, you can get a different firmware to somewhat run, but you'll still be using the "checksum" bootloaders and the kernel will not be modified. You will still be running the kernel from the "checksum" firmware you loaded earlier. You will not be able to do full flashes, nor will KIES updates work.

    Hopefully somebody will find a real solution for this issue for those already affected. If so, please post it in this thread.

    Are you affected ?

    NEW DEC 28: See SGTBootloaderCheck script below!

    It is hard to say for sure without actually trying to flash a non-JM6/A/C/D kernel without the correct checksum. Here's a screenshot of the error you'll get:
    zimage.jpg


    If you still have the original files for the ROM you flashed, but do not want to try flashing a non-Samsung-stock kernel, there are some indicators:
    - Rename all .tar.md5 files to .tar
    - Extract all the .tar files with WinRAR

    - Look at the resulting files:
    --- Includes "boot.bin" (primary bootloader)
    --- Includes "sbl.bin" (secondary bootloader)
    If one or both are present, this indicates new bootloaders are being flashed. That does not make it certain if they are "protected" or not, though. But if a large zImage is also present (see the next item), it is very likely they are.

    - Look at the resulting files:
    --- "zImage" (kernel)
    If zImage is about 7800 kb (as opposed to 4000 - 5500 kb that is normal), it is very likely this kernel includes a checksum. If you want to be 100% sure, open zImage in a hex editor, and go all the way to the end. There will be a few mb of 0's, followed by 128 bytes checksum - the very last 128 bytes in the file.

    Such a zImage can be flashed both on "original" and the new "protected" bootloaders. The "protected" bootloaders can only flash these zImage, not the smaller variants.

    If you have boot.bin, sbl.bin and a 7800 kb zImage, it is 99% likely flashing this ROM will give you a "protected" bootloader.

    Some tech

    Once these ROMs are flashed, it is required that updates to "boot", "sbl", "zImage" have a 128-byte checksum/signature. In boot.bin and sbl.bin these are near the end, in zImage (7800 kb files) they are the very last 128 bytes. Only firmwares with a zImage that have this signature will be flashable (which at the time of this writing are only JM6/A/C/D).

    I have no idea how this signature is generated as of yet, so "faking it" is also not an option. If somebody figures that out, please post it in this thread. Then we could just insert the signatures in the older bootloaders and flash them back (still a dangerous effort by itself).

    I think, and possibly others will correct me on this, the verification goes as follows, on a running device:

    - PBL ( boot.bin ) checks SBL ( sbl.bin ) signature
    - SBL checks kernel ( zImage ) signature

    While flashing, I think it's the SBL that verifies the PBL/SBL/kernel flash, and refuses to write if the signature isn't correct.

    Possible solutions

    Flashing back "unprotected" bootloaders from older ROMs through either Odin or Heimdall does not work. These older bootloaders do not have the required signatures/checksums and thus the flash will fail.

    A possible solution would be rooting the device, using Koush' bmlunlock, and dd'ing back bml1 and bml4 from backups, completely bypassing the flash checks. This is a very very dangerous thing to be trying out though, and unless you really know what you are doing, I wouldn't attempt it. Maybe someone has Samsung repair center contacts or a JTAG unit close by ? :)

    Personal note

    I have tried to flash back older bootloaders and kernels several times and in several ways (from for example JJ4) but this fails. Odin said it succeeded the very last time I tried, however it really didn't, as my device is now a full (user-wise) brick. It doesn't even turn on to show me the "phone --- | --- pc" error screen. So I guess I need to make a trip to the nearest Samsung repair center (200 miles away). Too bad my car also broke down today :D Guess it'll be some time (and money) before I have a working Tab again. Note that the brick was a problem with Odin, probably, not directly caused by the protected bootloaders themselves.

    Update: Tab is back and working :) Replaced mobo, so I no longer have the signed bootloaders myself.

    NEW DEC. 28: SGTBootloaderCheck

    Attached is also SGTBootloaderCheck. This is a script run on your Windows PC through ADB to check your bootloaders. It requires root, SuperUser, and a working ADB connection.

    Just unzip the archive to a new folder, and double-click "check.bat". That should dump your bootloaders and kernel, copy them to your computer, check the content for signatures, and let you know the result.

    I can't guarantee it works, but it should :)

    Attached

    An archive with some relevant files for those who want to do some research. DON'T FLASH THESE FILES !!!

    ( 467, 909 )
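The pre-flash package check from the "Are you affected ?" section of the post above (look for boot.bin / sbl.bin in the archive, then check whether zImage ends in a long run of zeros followed by a 128-byte trailer), as an added Python example. It is not part of the original post and is not the SGTBootloaderCheck script. The function names, the 1 MiB padding threshold and the sample archive are assumptions made for this illustration.

```python
import io
import tarfile

SIG_LEN = 128             # trailer length stated in the post
MIN_ZERO_PAD = 1 << 20    # assumption: "a few mb of 0's" means at least 1 MiB
BOOTLOADERS = ("boot.bin", "sbl.bin")


def zimage_trailer(data: bytes) -> dict:
    """Apply the post's hex-editor check: zero padding, then a 128-byte trailer."""
    if len(data) <= SIG_LEN:
        return {"size": len(data), "zero_pad": 0, "likely_signed": False}
    body, trailer = data[:-SIG_LEN], data[-SIG_LEN:]
    zero_pad = len(body) - len(body.rstrip(b"\x00"))
    # An all-zero trailer is just more padding, not a checksum/signature.
    likely = zero_pad >= MIN_ZERO_PAD and any(trailer)
    return {"size": len(data), "zero_pad": zero_pad, "likely_signed": likely}


def inspect_firmware(tar_bytes: bytes) -> dict:
    """List bootloaders in a firmware .tar / .tar.md5 and check its zImage."""
    found, zimage = [], None
    # mode "r:" = plain tar; data appended after the end-of-archive blocks
    # (the md5 line of a .tar.md5) is never reached by the reader.
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        for member in tar:
            if not member.isfile():
                continue
            name = member.name.rsplit("/", 1)[-1].lower()
            if name in BOOTLOADERS:
                found.append(name)
            elif name == "zimage":
                zimage = zimage_trailer(tar.extractfile(member).read())
    signed = bool(zimage and zimage["likely_signed"])
    if found and signed:
        verdict = "bootloaders + padded zImage: very likely protected bootloaders"
    elif found:
        verdict = "contains bootloaders: protection status uncertain"
    else:
        verdict = "no bootloaders in package"
    return {"bootloaders": sorted(found), "zimage": zimage, "verdict": verdict}


def build_sample(bootloaders: bool, signed_kernel: bool) -> bytes:
    """Constructed sample archive; the contents are stand-ins, not real firmware."""
    kernel = bytes(range(1, 256)) * 16000            # ~4 MB, no zero bytes
    if signed_kernel:
        total = 7800 * 1024                          # "about 7800 kb"
        kernel += b"\x00" * (total - SIG_LEN - len(kernel)) + b"\xa5" * SIG_LEN
    files = {"zImage": kernel, "factoryfs.rfs": b"constructed"}
    if bootloaders:
        files["boot.bin"] = b"constructed PBL stand-in"
        files["Sbl.bin"] = b"constructed SBL stand-in"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    # Trailing text imitates the checksum line of a .tar.md5 (constructed).
    return buf.getvalue() + b"constructed-md5  sample.tar\n"


if __name__ == "__main__":
    for boot, signed in ((True, True), (True, False), (False, False)):
        result = inspect_firmware(build_sample(boot, signed))
        print(result["bootloaders"], result["zimage"], result["verdict"])
```

This only reproduces the indicators listed in the post; as the post says, the presence of boot.bin and sbl.bin alone does not make it certain whether the bootloaders are protected.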
    16
    Ok, I have spoken to Rotohammer, and he has sent me the files for the fix.

    It is a sensitive fix, and thus we are not just releasing it. We will be making an APK that does the unlocking for you, so there's no chance you mess up the commands and brick your device. That is, at least, if we don't mess up the APK ;)

    Expect the APK to go into (closed!) testing early next week, with hopefully a public release early the week after that.
    10
    rotohammer, you're the man! did u already figure out the steps u are going to do, or are they still the same u posted here some time ago?

    I flashed a protected bootloader, then tried flashing a stock at&t kernel as well as CF-Root, both failed to flash. Then I flashed the recovery bootloaders using the jtag box, and now it's unprotected.

    Next step: force a new sbl via redbend!