FORUMS
Remove All Ads from XDA

The T959v Development Platform, AKA UnBrickable Mod and Software Based Resurrection

5,226 posts
Thanks Meter: 9,887
 
By AdamOutler, Inactive Recognized Developer on 5th November 2011, 05:41 AM
Post Reply Email Thread
Introduction
This is the DIY method to recover your device from a bad bootloader flash.The way this works is we change the OM value in the processor by modifying an individual electronic binary signal. The signal we are interested in is xOM5. This line is normally grounded, causing the overall OM value to equal 0x9. When we bring this line high, the OM value becomes 0x29. This reverses the booting order and ensures you will always have boot from USB available before the device starts.

This is a better option than JTAG for resurrecting a device. How could it possibly be better then JTAG? Let's count the ways....
1. The only part required is a wire.
2. No shipping time.
3. No cost for a box to interface the computer.
4. Permanent.
5. Can be done as a preventive measure.
6. Gives the ability to test new Bootloaders temporarily.
7. Allows development of the entire system.
8. Removes worry about flashing and acts as a backup.

After performing this mod:
Remove the battery, replace the battery, plug in USB, your phone will connect to the computer via USB and await commands. Otherwise it will pretty much act like an i9000 GalaxyS 4G. See the Special Instructions section.

Notes:
I've done quite a few of these guides now, this was the easiest-to-find UnBrickable Mod yet. Not only was it easy to locate, it's the cleanest, least tricky and easiest mod to apply as well. Please don't misunderstand this as being "easy", but it is easier than other devices.

I was able to overlay an annotated picture of a processor pinout over a picture of top of the T959V, then map out the shortest distance between the points on the processor




Part 1: Hardware Modification
You will need:
1. Get someone who knows what they're doing with a soldering iron. If they don't know what flux is, then they don't know what they're doing. PM myself or contact Connexion2005 if you don't know anyone else.
2. soldering iron - make sure it's sharp, if it's not sharp, then sharpen it, flux it and retin it.
3. flux
4. solder
5. tweezers
6. A relay (for the wire contained within)

Directions
1. Tear apart your device. Remove battery cover, battery, 7 screws, the back case and 5 connectors from the board.


2. remove the EM shield from the board to expose the resistors

3. Remove the xOM5 resistor and bridge the right pad to the resistor next to it.


4. Reassemble the device


Special Instructions

This replaces the battery charging sequence for the first few seconds of being plugged in.
To turn on the device, and operate in normal mode, you must hold the power button for 5 seconds.
3 button Download mode works as usual, however you must not have the S5PC110 drivers installed on the computer. You can use your custom rom menu option, adb reboot download, or use a terminal to "reboot download". 301Kohm Factory Mode JIGs work as well, but you must press power to bypass the S5PC110 mode.


Part 2: Software Based Resurrection

[YOUTUBE]fw-D_cKeAb8[/YOUTUBE]


Unbricking:
1. Apply UnBrickable Mod to your device: see Hardware Modification section
2. Run ModeDetect and plug in your i9000. (Not a requirment, but helpful)
When you see this image you are in S5PC110 SEC SoC mode. When you see this mode you must proceed to step 3.


If it will only show this image, then you have not performed the modification correctly, or you have a hardware problem.


If it shows this, regardless of what's on your screen, you're in download mode:



3. Run UnBrickable Resurrector: Get it from the SVN repository here: http://code.google.com/p/hummingbird...downloads/list This will only work on linux. Install Linux or dual boot if you have windows.


The resurrector will put your device into download mode
.

4. Now that you are in Download Mode, run Heimdall One-Click to flash firmware on your device. bhundven created a UVKJ6 package here: http://forum.xda-developers.com/show....php?t=1358498




5. repeat steps 3 and 4 with bootloader flashing enabled (Heimdall One-Click has a safety mechanism which requires you to flash once before flashing bootloaders).


Conclusion

Congratulations. You now have a device which works like a KIT-S5PC110 with an OM Value of 29. Now get to developing some serious custom software.

reading material
Creating your own Samsung Bootloaders: http://forum.xda-developers.com/show....php?t=1233273
KIT-S5PC110 manual: http://www.mediafire.com/?94krzvvxksvmuxh
how to use DNW: http://tinyurl.com/dnw-how-to
Flash using openOCD and DNW: http://www.arm9board.net/wiki/index....penOCD_and_DNW
another DNW example: http://www.boardset.com/products/mv6410.php
ODroid dev center: http://dev.odroid.com/projects/uboot/wiki/#s-7.2


drivers and utilities
This will be an ever expanding list
Windows Drivers http://forum.xda-developers.com/atta...7&d=1312590673
Windows Download Tool DNW: http://forum.xda-developers.com/atta...8&d=1312590673
Windows Command Line tool: http://forum.xda-developers.com/show...3&postcount=27
Linux DNW Utility: http://dev.odroid.com/projects/uboot/wiki/#s-7.2
Linux ModeDetect tool: http://code.google.com/p/hummingbird...downloads/list
Linux Automated UnBricker:http://code.google.com/p/hummingbird...downloads/list

firmware
Bootloader Hello World by Rebellos http://forum.xda-developers.com/atta...7&d=1314105521
UnBrick tool http://forum.xda-developers.com/show....php?t=1242466
The Following 24 Users Say Thank You to AdamOutler For This Useful Post: [ View ] Gift AdamOutler Ad-Free
 
 
5th November 2011, 05:42 AM |#2  
Senior Recognized Developer
Flag Gdańsk
Thanks Meter: 3,467
 
Donate to Me
More
Okay, so, what is Hummingbird Interceptor Boot Loader (HIBL)?

Basically: It allows to load any amount of data (limited by size of RAM block, the biggest one single block available is 256MB) through USB connection with PC under any specified address into memory and then execute it.

Technically: It does consist of 2 pieces fused together - BL1_stage1 and BL1_stage2.

Each stage starts from 16bytes (4 ARM WORDs) of secure boot header. In stage1 these are mandatory, in stage2 they can be random (nulled them in my code), so EntryPoint of each stage does start at its 0x10 offset.

BL1_stage1, loaded under 0xD0020000 address, is short code, digitally signed by Samsung. It has been released to break "Chain of Trust" and alter Secure Boot into Non-Secure Boot process. Literally stage1 just do some compare operations and then jumpout to BL1_stage2. (Yes, I also see no point of releasing hardware secured CPU version together with software which is bypassing it's security)

BL1_stage2, must be placed at 0xD0022000 address (it's fused together with stage1 into HIBL, so it's at 0x2000 offset of HIBL.bin) it is unsigned because Secure Boot Context, prepared by iROM (BL0) has been already ignored by stage1.
Its FASM_ARM sourcecode:
http://code.google.com/p/hummingbird...oader/HIBL.ASM
This is where the code start real work, it does begin with standard ARM core jump vector table (just to keep stick to standard, these aren't used anyway).
1. It does use I9000 BL1_stage2 functions (init_system) which I linked to it, these are used to init DMC controllers, as to this point code is executing in and working with very tiny, 96KB iRAM space, after calling this function it turns all 512MB of RAM available.
2. Make sure DMC is configured properly (write some value to address 0x40~~ memory space, then read it and compare with previously written)
3. Reinit iRAM heap to the BL0 initial state (to convince it USB dload mode haven't been called yet), by storing and restoring UART pointer only (to keep debug output flowing properly)
4. Call iROM usb_downloader function.
5. Read the address where downloaded data has been placed.
6. Jump into this address.

This, properly used provides similiar debug output (similiar, because its outdated testlog)
Quote:

�������������������������������������������������� ����������������������
Uart negotiation Error

----------------------------------------
Hummingbird Interceptor Boot Loader (HIBL) v1.0
Copyright (C) Rebellos 2011
----------------------------------------
Calling IBL Stage2
DONE!
Testing BL3 area
DONE!
iRAM reinit
DONE!
Please prepare USB dltool with BL3

Starting download...
0x00000000
Desired BL3 EP: 0x40244000
Download complete, hold download mode key combination.

Starting BL3...

//OUTPUT BELOW IS COMING FROM SBL

Set cpu clk. from 400MHz to 800MHz.
IROM e-fused - Non Secure Boot Version.

It opens infinite capabilities. Instead of SBL to unbrick, Uboot can be loaded, or any armlinux kernel. It's all up to you - XDA Developers.
The Following 5 Users Say Thank You to Rebellos For This Useful Post: [ View ]
5th November 2011, 05:49 AM |#3  
bhundven's Avatar
Inactive Recognized Developer
Flag Seattle, WA
Thanks Meter: 4,539
 
Donate to Me
More
Thanks Adam, Rebellos, mijoma, TheBeano, and midas5!
5th November 2011, 05:53 AM |#4  
dsexton702's Avatar
Retired Recognized Developer
Flag South Lake Tahoe
Thanks Meter: 2,279
 
Donate to Me
More
Great work on this and thanks!
5th November 2011, 06:03 AM |#5  
Junior Member
Thanks Meter: 0
 
More
Thanks for your work. Might come in handy one day.
5th November 2011, 06:49 AM |#6  
RaverX3X's Avatar
Inactive Recognized Developer
Flag Cali
Thanks Meter: 5,303
 
Donate to Me
More
once again thanks adam lol

to bad it doesnt stop a brick if yuo drop a brick on it lol sorry bad joke
5th November 2011, 07:02 AM |#7  
FBis251's Avatar
Senior Member
Thanks Meter: 3,762
 
Donate to Me
More
Oh wow. I've been subscribed to the other thread (http://forum.xda-developers.com/show...php?p=17014372) and I didn't even see the SGS4G on the list.
5th November 2011, 07:07 AM |#8  
bhundven's Avatar
Inactive Recognized Developer
Flag Seattle, WA
Thanks Meter: 4,539
 
Donate to Me
More
Quote:
Originally Posted by FBis251

Oh wow. I've been subscribed to the other thread (http://forum.xda-developers.com/show...php?p=17014372) and I didn't even see the SGS4G on the list.

Right under the vibrant
5th November 2011, 07:20 AM |#9  
FBis251's Avatar
Senior Member
Thanks Meter: 3,762
 
Donate to Me
More
Quote:
Originally Posted by bhundven

Right under the vibrant

Haha, I must've thought that they would list it on the bottom of the list as devices got added.
5th November 2011, 09:21 PM |#10  
GFX.myst.'s Avatar
Senior Member
Acid Drops (YouTube)
Thanks Meter: 898
 
Donate to Me
More
this deserves a sticky. awesome job guys and thanks for all the hard work you've done.
6th November 2011, 03:14 AM |#11  
Member
Flag Benicia
Thanks Meter: 12
 
More
Great Job - this is the stuff that interest me
Post Reply Subscribe to Thread

Guest Quick Reply (no urls or BBcode)
Message:
Previous Thread Next Thread
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes