• Introducing XDA Computing: Discussion zones for Hardware, Software, and more!    Check it out!

[HOW-TO]UnBrick the UnBrickable Fascinate

Search This thread


Retired Senior Recognized Developer
Feb 18, 2011
Miami, Fl̨̞̲̟̦̀̈̃͛҃҅͟orida


After months of research and development, both hardware and software... I'm happy to announce UnBrickable Mod is a matter of modifing your phone once, with a single small wire. From that point on, you can click a button to unbrick. This can even be applied to a phone which is already bricked.

This video applies, but on the Fascinate, you must hold the POWER button during the entire flashing sequence.


1. Apply UnBrickable Mod to your device: http://forum.xda-developers.com/showthread.php?t=1288093
2. Run ModeDetect to verify your phone is in the proper mode: http://forum.xda-developers.com/showthread.php?t=1257434
You should see this while you hold the power button:

3. Run UnBrickable Resurrector: http://forum.xda-developers.com/attachment.php?attachmentid=710199&stc=1&d=1315173984 This will only work on linux currently. Install Linux or dual boot if you have windows.
If you are still holding the power button, you should see this on Mode Detect.

You can now disconnect your phone and move to a windows computer to use Odin or any other Samsung tool, or use Heimdall One-Click from Linux. Keep holding the power button!
4. Run Heimdall One-Click: http://forum.xda-developers.com/showthread.php?t=1288130 (or odin3 one-click),
5. repeat steps 2 and 3 with bootloader flashing enabled (Heimdall One-Click has a safety mechanism which requires you to flash once before flashing bootloaders).

You've unbricked the unbrickable Fascinate.. This should not have been difficult. If it was, you should learn teh computer better... Really. And with that said, I'm happy to announce that you no longer have to flash with a fear of bricking.

The HIBL is the key to resurrecting a S5PC110 based processor. I'm going to let Rebellos explain the inner workings of the Hummingbird Interceptor Bootloader. It's really quite amazing. While my work is more hardware and high level tasks like making things into one-clicks, Rebellos' work involves reverse software engineering, assembly language, and more...

Windows32 command line app and drivers http://forum.xda-developers.com/attachment.php?attachmentid=709292&stc=1&d=1315091523
Linux one-click Resurrector: http://forum.xda-developers.com/attachment.php?attachmentid=705515&stc=1&d=1315091523
4SEP11: added 32 bit, miscellanious impovements to visuals
6SEP11: removed additional commands
Last edited:


Senior Recognized Developer
May 13, 2009
Okay, so, what is Hummingbird Interceptor Boot Loader (HIBL)?

Basically: It allows to load any amount of data (limited by size of RAM block, the biggest one single block available is 256MB) through USB connection with PC under any specified address into memory and then execute it. This can be fastboot Bootloader+OS image for example.

Technically: It does consist of 2 pieces fused together - BL1_stage1 and BL1_stage2.

Each stage starts from 16bytes (4 ARM WORDs) of secure boot header. In stage1 these are mandatory, in stage2 they can be random (nulled them in my code), so EntryPoint of each stage does start at its 0x10 offset.

BL1_stage1, loaded under 0xD0020000 address, is short code, digitally signed by Samsung. It has been released to break "Chain of Trust" and alter Secure Boot into Non-Secure Boot process. Literally stage1 just do some compare operations and then jumpout to BL1_stage2. (Yes, I also see no point of releasing hardware secured CPU version together with software which is bypassing it's security)

BL1_stage2, must be placed at 0xD0022000 address (it's fused together with stage1 into HIBL, so it's at 0x2000 offset of HIBL.bin) it is unsigned because Secure Boot Context, prepared by iROM (BL0) has been already ignored by stage1.
Its FASM_ARM sourcecode:
This is where the code start real work, it does begin with standard ARM core jump vector table (just to keep stick to standard, these aren't used anyway).
1. It does use I9000 BL1_stage2 functions (init_system) which I linked to it, these are used to init DMC controllers, as to this point code is executing in and working with very tiny, 96KB iRAM space, after calling this function it turns all 512MB of RAM available.
2. Make sure DMC is configured properly (write some value to address 0x40~~ memory space, then read it and compare with previously written)
3. Reinit iRAM heap to the BL0 initial state (to convince it USB dload mode haven't been called yet), by storing and restoring UART pointer only (to keep debug output flowing properly)
4. Call iROM usb_downloader function.
5. Read the address where downloaded data has been placed.
6. Jump into this address.

This, properly used provides similiar debug output (similiar, because its outdated testlog)
Uart negotiation Error

Hummingbird Interceptor Boot Loader (HIBL) v1.0
Copyright (C) Rebellos 2011
Calling IBL Stage2
Testing BL3 area
iRAM reinit
Please prepare USB dltool with BL3

Starting download...
Desired BL3 EP: 0x40244000
Download complete, hold download mode key combination.

Starting BL3...


Set cpu clk. from 400MHz to 800MHz.
IROM e-fused - Non Secure Boot Version.

It opens infinite capabilities. Instead of SBL to unbrick, Uboot can be loaded, or any armlinux kernel. It's all up to you - XDA Developers.
Last edited:


Will a Wubi install of linux work? Certain windows programs prevent me from making the jump to linux again. Though I wish i could.


Retired Senior Recognized Developer
Feb 18, 2011
Miami, Fl̨̞̲̟̦̀̈̃͛҃҅͟orida
Will a Wubi install of linux work? Certain windows programs prevent me from making the jump to linux again. Though I wish i could.

Yes. You can use WUBI. That is the same as normal "side-by-side" or "dual boot" installation of Ubuntu but you can delete Ubuntu from within Windows.

Note: The hardware mod must be performed first in order to use the set of software above

I was informed last night that this is the ONLY recovery method available for the Fascinate. If you've got a dead brick, you have no other options at this time other then sending it to the manufacturer for a replacement.
Last edited:

Top Liked Posts