
The T959v Development Platform, AKA UnBrickable Mod and Software Based Resurrection

By AdamOutler, Inactive Recognized Developer on 5th November 2011, 05:41 AM
This is the DIY method to recover your device from a bad bootloader flash. The way this works is we change the OM value in the processor by modifying an individual electronic binary signal. The signal we are interested in is xOM5. This line is normally grounded, causing the overall OM value to equal 0x9. When we bring this line high, the OM value becomes 0x29. This reverses the booting order and ensures you will always have boot from USB available before the device starts.

This is a better option than JTAG for resurrecting a device. How could it possibly be better than JTAG? Let's count the ways....
1. The only part required is a wire.
2. No shipping time.
3. No cost for a box to interface the computer.
4. Permanent.
5. Can be done as a preventive measure.
6. Gives the ability to test new Bootloaders temporarily.
7. Allows development of the entire system.
8. Removes worry about flashing and acts as a backup.

After performing this mod:
Remove the battery, replace the battery, plug in USB, your phone will connect to the computer via USB and await commands. Otherwise it will pretty much act like an i9000 GalaxyS 4G. See the Special Instructions section.

I've done quite a few of these guides now, this was the easiest-to-find UnBrickable Mod yet. Not only was it easy to locate, it's the cleanest, least tricky and easiest mod to apply as well. Please don't misunderstand this as being "easy", but it is easier than other devices.

I was able to overlay an annotated picture of a processor pinout over a picture of top of the T959V, then map out the shortest distance between the points on the processor

Part 1: Hardware Modification
You will need:
1. Get someone who knows what they're doing with a soldering iron. If they don't know what flux is, then they don't know what they're doing. PM myself or contact Connexion2005 if you don't know anyone else.
2. soldering iron - make sure it's sharp, if it's not sharp, then sharpen it, flux it and retin it.
3. flux
4. solder
5. tweezers
6. A relay (for the wire contained within)

1. Tear apart your device. Remove battery cover, battery, 7 screws, the back case and 5 connectors from the board.

2. Remove the EM shield from the board to expose the resistors.

3. Remove the xOM5 resistor and bridge the right pad to the resistor next to it.

4. Reassemble the device

Special Instructions

This replaces the battery charging sequence for the first few seconds of being plugged in.
To turn on the device, and operate in normal mode, you must hold the power button for 5 seconds.
3 button Download mode works as usual, however you must not have the S5PC110 drivers installed on the computer. You can use your custom rom menu option, adb reboot download, or use a terminal to "reboot download". 301Kohm Factory Mode JIGs work as well, but you must press power to bypass the S5PC110 mode.

Part 2: Software Based Resurrection


1. Apply UnBrickable Mod to your device: see Hardware Modification section
2. Run ModeDetect and plug in your i9000. (Not a requirement, but helpful)
When you see this image you are in S5PC110 SEC SoC mode. When you see this mode you must proceed to step 3.

If it will only show this image, then you have not performed the modification correctly, or you have a hardware problem.

If it shows this, regardless of what's on your screen, you're in download mode:

3. Run UnBrickable Resurrector: Get it from the SVN repository here: This will only work on Linux. Install Linux or dual boot if you have Windows.

The resurrector will put your device into download mode

4. Now that you are in Download Mode, run Heimdall One-Click to flash firmware on your device. bhundven created a UVKJ6 package here:

5. repeat steps 3 and 4 with bootloader flashing enabled (Heimdall One-Click has a safety mechanism which requires you to flash once before flashing bootloaders).


Congratulations. You now have a device which works like a KIT-S5PC110 with an OM Value of 29. Now get to developing some serious custom software.

reading material
Creating your own Samsung Bootloaders:
KIT-S5PC110 manual:
how to use DNW:
Flash using openOCD and DNW:
another DNW example:
ODroid dev center:

drivers and utilities
This will be an ever expanding list
Windows Drivers
Windows Download Tool DNW:
Windows Command Line tool:
Linux DNW Utility:
Linux ModeDetect tool:
Linux Automated UnBricker:

Bootloader Hello World by Rebellos
UnBrick tool
5th November 2011, 05:42 AM |#2  
Okay, so, what is Hummingbird Interceptor Boot Loader (HIBL)?

Basically: It allows to load any amount of data (limited by size of RAM block, the biggest one single block available is 256MB) through USB connection with PC under any specified address into memory and then execute it.

Technically: It does consist of 2 pieces fused together - BL1_stage1 and BL1_stage2.

Each stage starts with 16 bytes (4 ARM WORDs) of secure boot header. In stage1 these are mandatory, in stage2 they can be random (I nulled them in my code), so the EntryPoint of each stage starts at its 0x10 offset.

BL1_stage1, loaded under 0xD0020000 address, is short code, digitally signed by Samsung. It has been released to break "Chain of Trust" and alter Secure Boot into Non-Secure Boot process. Literally stage1 just does some compare operations and then jumps out to BL1_stage2. (Yes, I also see no point of releasing hardware secured CPU version together with software which is bypassing its security)

BL1_stage2, must be placed at 0xD0022000 address (it's fused together with stage1 into HIBL, so it's at 0x2000 offset of HIBL.bin) it is unsigned because Secure Boot Context, prepared by iROM (BL0) has been already ignored by stage1.
Its FASM_ARM sourcecode:
This is where the code starts real work, it does begin with standard ARM core jump vector table (just to stick to the standard, these aren't used anyway).
1. It does use I9000 BL1_stage2 functions (init_system) which I linked to it, these are used to init DMC controllers, as to this point code is executing in and working with very tiny, 96KB iRAM space, after calling this function it turns all 512MB of RAM available.
2. Make sure DMC is configured properly (write some value to address 0x40~~ memory space, then read it and compare with previously written)
3. Reinit iRAM heap to the BL0 initial state (to convince it USB dload mode hasn't been called yet), by storing and restoring UART pointer only (to keep debug output flowing properly)
4. Call iROM usb_downloader function.
5. Read the address where downloaded data has been placed.
6. Jump into this address.

This, properly used, provides similar debug output (similar, because it's an outdated testlog)

�������������������������������������������������� ����������������������
Uart negotiation Error

Hummingbird Interceptor Boot Loader (HIBL) v1.0
Copyright (C) Rebellos 2011
Calling IBL Stage2
Testing BL3 area
iRAM reinit
Please prepare USB dltool with BL3

Starting download...
Desired BL3 EP: 0x40244000
Download complete, hold download mode key combination.

Starting BL3...


Set cpu clk. from 400MHz to 800MHz.
IROM e-fused - Non Secure Boot Version.

It opens infinite capabilities. Instead of SBL to unbrick, Uboot can be loaded, or any armlinux kernel. It's all up to you - XDA Developers.
The Following 5 Users Say Thank You to Rebellos For This Useful Post: [ View ]
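The image layout described in the post above (stage1 at 0xD0020000, stage2 at offset 0x2000, a 16-byte header before each entry point), worked through as an added example; it is not Rebellos's code and not part of HIBL. The names `hibl_describe`, `hibl_make_sample` and `struct hibl_layout` are hypothetical, the sample image is constructed, and the size check assumes the 96KB iRAM begins at the stage1 load address.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HIBL_LOAD_BASE 0xD0020000u    /* stage1 load address (from the post) */
#define STAGE2_OFFSET  0x2000u        /* stage2 offset in HIBL.bin (from the post) */
#define HDR_SIZE       0x10u          /* 4 ARM words of secure boot header */
#define IRAM_SIZE      (96u * 1024u)  /* assumption: iRAM starts at HIBL_LOAD_BASE */
enum { HIBL_OK = 0, HIBL_BAD_ARG = -1, HIBL_TOO_SHORT = -2, HIBL_TOO_BIG = -3 };

struct hibl_layout {                  /* hypothetical type for this example */
    uint32_t stage1_load, stage1_entry, stage2_load, stage2_entry;
    int stage2_hdr_nulled;            /* 1 if all 16 stage2 header bytes are zero */
};

/* Validate the image size and compute where each stage lands and starts. */
int hibl_describe(const uint8_t *img, size_t len, struct hibl_layout *out)
{
    static const uint8_t zero[HDR_SIZE];
    if (!img || !out) return HIBL_BAD_ARG;
    /* stage2 needs its header plus at least one 4-byte ARM instruction */
    if (len < STAGE2_OFFSET + HDR_SIZE + 4u) return HIBL_TOO_SHORT;
    if (len > IRAM_SIZE) return HIBL_TOO_BIG;   /* would not fit in iRAM */
    out->stage1_load  = HIBL_LOAD_BASE;
    out->stage1_entry = HIBL_LOAD_BASE + HDR_SIZE;
    out->stage2_load  = HIBL_LOAD_BASE + STAGE2_OFFSET;
    out->stage2_entry = out->stage2_load + HDR_SIZE;
    out->stage2_hdr_nulled = memcmp(img + STAGE2_OFFSET, zero, HDR_SIZE) == 0;
    return HIBL_OK;
}

/* Constructed sample: 0xFF filler for stage1, nulled stage2 header, one word. */
size_t hibl_make_sample(uint8_t *buf, size_t cap)
{
    size_t len = STAGE2_OFFSET + HDR_SIZE + 4u;
    if (!buf || cap < len) return 0;
    memset(buf, 0xFF, len);
    memset(buf + STAGE2_OFFSET, 0, HDR_SIZE);
    return len;
}

int main(void)
{
    static uint8_t buf[0x2100];
    struct hibl_layout l;
    if (hibl_describe(buf, hibl_make_sample(buf, sizeof buf), &l) != HIBL_OK) return 1;
    printf("stage2 load 0x%08X entry 0x%08X hdr nulled=%d\n",
           (unsigned)l.stage2_load, (unsigned)l.stage2_entry, l.stage2_hdr_nulled);
    return 0;
}
```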
5th November 2011, 05:49 AM |#3  
bhundven's Avatar
Thanks Adam, Rebellos, mijoma, TheBeano, and midas5!
5th November 2011, 05:53 AM |#4  
dsexton702's Avatar
Great work on this and thanks!
5th November 2011, 06:03 AM |#5  
Thanks for your work. Might come in handy one day.
5th November 2011, 06:49 AM |#6  
RaverX3X's Avatar
once again thanks adam lol

too bad it doesn't stop a brick if you drop a brick on it lol sorry bad joke
5th November 2011, 07:02 AM |#7  
FBis251's Avatar
Oh wow. I've been subscribed to the other thread ( and I didn't even see the SGS4G on the list.
5th November 2011, 07:07 AM |#8  
bhundven's Avatar
Originally Posted by FBis251

Oh wow. I've been subscribed to the other thread ( and I didn't even see the SGS4G on the list.

Right under the vibrant
5th November 2011, 07:20 AM |#9  
FBis251's Avatar
Originally Posted by bhundven

Right under the vibrant

Haha, I must've thought that they would list it on the bottom of the list as devices got added.
5th November 2011, 09:21 PM |#10  
GFX.myst.'s Avatar
this deserves a sticky. awesome job guys and thanks for all the hard work you've done.
6th November 2011, 03:14 AM |#11  
Great Job - this is the stuff that interests me
