The Captivate Development Platform mod AKA UnBrickable Mod

AdamOutler

Retired Senior Recognized Developer
Feb 18, 2011
5,224
9,808
0
Miami, Fl̨̞̲̟̦̀̈̃͛҃҅͟orida
Background
First off, big thanks to TheBeano and Midas5 for teaching me about UART, decompiling bootloaders and figuring out how the OM values work. Their initial work and dedication in "Lets Save Some Bricks" inspired me greatly. Since the work started we've analyzed UART outputs, hacked the heck out of the SBL prompt, obtained both decompiled and source for bootloaders, and generally learned a **** ton about our devices... Mind you, that's a Metric **** ton, not the Imperial **** ton, which is equivalent to nearly 2000 assloads. The reason I'm branching this operation at the current point is because this modification is specific to our device. The proper modifications for other Samsung devices have not been identified yet. We're first! Yay! We need to focus on Captivate firmware development now. The firmware may encompass all GalaxyS models as well, but this modification will only work on the Captivate.

introduction
I'm not kidding when I say UnBrickable. Modifying the OM pins means you can boot from USB, UART or MMC. This makes the phone quite UNBRICKABLE. There is nothing you can do software wise to prevent the device from booting into this mode. We are communicating with the unrewritable, efused IROM on the processor. It's the thing that makes the system on a chip into a "system on a chip".I am here now to tell you how to turn your Samsung Captivate into a KIT-S5PC110 development board. The KIT-S5PC110 development board is the platform used to develop our phones. There are some differences between this mod and the official development platform. The S5PC110 has a removable internal SDCard and no touchscreen.

Why would you want to do this? When you plug in the battery and connect it to the computer in "off" mode, it will become an S5PC110 board awaiting download of a program to run. This occurs long before anything like software or firmware enters the processor. This is the IROM of the device awaiting commands or a power on signal.

Because it is accepting a memory flash, anything may be put onto the device to perform a boot sequence..... Apple iOS (iPhone4 has the same processor) WP7 (mango supports this processor).

This will be a replacement for JTAG once we are able to make some firmware. How could it possibly be better then JTAG? Let's count the ways....
1. The only part required is a wire.
2. No shipping time.
3. No cost for a box to interface the computer.
4. Permanent.
5. Can be done as a preventive measure.
6. Gives the ability to test new Bootloaders temporarily.
7. Allows development of the entire system.
8. Removes worry about flashing and acts as a backup.

After performing this mod:
Remove the battery, replace the battery, your phone will connect to the computer via USB and await commands. Otherwise it will pretty much act like a captivate. See the Special Instructions section.

Modification

You will need:
1. Get someone who knows what they're doing with a soldering iron. If they don't know what flux is, then they don't know what they're doing. You can send me a PM(my username @gmail.com) or Connexion2005(aka MobileTechVideos.com). Note: I do not work for/with mobiletechvideos.com.
2. soldering iron - make sure it's sharp, if it's not sharp, then sharpen it, flux it and retin it.
3. flux
4. solder
5. tweezers
6. A relay (for the wire contained within)

getting started:
You will need a very small peice of wire. Tear apart the relay unravel the coil within and grab about 12cm~ of wire. The fact that it comes from a relay is important because relays generally have very small wire which are individually treated with a non-conductive coating.

Take the 12cm~ wire from the relay and tin the very edge of it. No more then 1/32". If you tin more then 1mm, cut off the excess. It is desirable to have a slight bit of excess solder on the tip of this wire.

performing the modification:
1. tear apart your phone... remove 6 #0 phillips screws from the back. Two of them are under the battery slide flap. The slide flap must be up on one end and down on the other in order to get to these screws... Don't LIFT the slide flap, just rotate it at an angle. Once the 6 screws are out, then you can separate the back from the front. Make sure to take out your SIM and external SDCard before you do this.



2. remove the mainboard... there's a single screw and 5 connectors which require removal. Remove them. Pull the board out and place it on your workspace




3. remove the EM shield from the processor side.



4. remove the OM5 resistor in the picture below. It's coated in glue. I've found the best thing is to just coat the area in flux and let it do the work while prodding with the iron to move the resistor out of place.



5. Connect the active side of xOM0 resistor to the active pad on OM5's resistor pads.
http://i51.tinypic.com/160zmty.jpg








6. reassemble the phone.


Special Instructions

  • This replaces the battery charging sequence. The normal battery charging sequence can be activated by holding power for 4 seconds.
  • To turn on the device, and operate in normal mode, you must hold the power button for 5 seconds.
  • 3 button Download mode works as usual, however you must not have the S5PC110 drivers installed on the computer. You can use your custom rom menu option, adb reboot download, or use a terminal to "reboot download". 301Kohm Factory Mode JIGs work as well, but you must press power to bypass the S5PC110 mode.


Conclusion

Congratulations. You now have a device which works like a KIT-S5PC110 with an OM Value of 29. Now get to developing some serious custom software. See here for setting up the UART output http://forum.xda-developers.com/showthread.php?t=1235219

reading material
Creating your own Samsung Bootloaders: http://forum.xda-developers.com/showthread.php?t=1233273
KIT-S5PC110 manual: http://www.mediafire.com/?94krzvvxksvmuxh
how to use DNW: http://tinyurl.com/dnw-how-to
Flash using openOCD and DNW: http://www.arm9board.net/wiki/index.php?title=Flash_using_OpenOCD_and_DNW
another DNW example: http://www.boardset.com/products/mv6410.php
ODroid dev center: http://dev.odroid.com/projects/uboot/wiki/#s-7.2


drivers and utilities
This will be an ever expanding list
Windows Drivers http://forum.xda-developers.com/attachment.php?attachmentid=678937&d=1312590673
Windows Download Tool DNW: http://forum.xda-developers.com/attachment.php?attachmentid=678938&d=1312590673
Windows Command Line tool: http://forum.xda-developers.com/showpost.php?p=17202523&postcount=27
Linux DNW Utility: http://dev.odroid.com/projects/uboot/wiki/#s-7.2
Linux Detector tool: http://forum.xda-developers.com/showthread.php?t=1257434
Linux Automated UnBricker:http://forum.xda-developers.com/showthread.php?t=1242466

firmware
Bootloader Hello World by Rebellos http://forum.xda-developers.com/attachment.php?attachmentid=698077&d=1314105521
UnBrick tool http://forum.xda-developers.com/showthread.php?t=1242466
 

Attachments

Last edited:

Smasher816

Senior Member
Jan 16, 2011
405
201
0
Missouri
plus.google.com
Last edited:

AdamOutler

Retired Senior Recognized Developer
Feb 18, 2011
5,224
9,808
0
Miami, Fl̨̞̲̟̦̀̈̃͛҃҅͟orida
I was attempting to see what i could "upload" from my daily phone. I messed up my daily phone while performing this modification. I was trying to remove the xOM5 resistor and got impatient. I broke it off, it took the pad with it and I and was left with only a .001mm wire on the board. I attempted to solder it for about 6 hours straight and after a while I swiped off 5 resistors in a line. I'm sure I could repair it, but I just went and bought another phone.

Lesson: Take your time, and don't try to force anything. That glue is tough and it acts as a heat sink. Remove the glue from one side of the resistor, heat the entire resistor up and let it slide off. Don't try to speed it up.

Once you perform this modification everything works just fine. No problems. It's a risky procedure though.

I still have not tested any firmware sucessfully. I tried a few precompiled uboots, but I did not yet try the uboot mentioned above.
 
Last edited:
  • Like
Reactions: kevnuke

Trae32566

Member
Dec 10, 2010
33
8
0
This looks awesome, although I'm hesitant to do it, because there's always that chance that I will need to RMA. Sorry about your phone Adam, I think everyone in the forum is probably in love with you now though!

Sent from my SAMSUNG SGH-I897 using XDA Premium App
 

BigMc71

Senior Member
Nov 26, 2010
242
16
0
I would add that when doing this work, you should use ESD protections. Wrist strap (you can rig a homemade version), ESD mat, etc. Not as big of a risk in a humid environment, but as relative humidity drops, the risk increases. You can never be to safe if your phone is valuable to you. Typically, consumer electronics are hardened to ESD through connectors and the housing, but when you are directly handing the PCBA, you are potentially bypassing the hardware filters.
 
  • Like
Reactions: kevnuke

ReznikAkime

Senior Member
Jun 19, 2008
70
5
0
Adam, thanks for all your work, and everyone else for that matter. Connexion never responded to my PM about jtag work, but this little modification is so damned easy I went ahead and did it. I'll be patiently waiting for a firmware we can use to reflash bricked phones in the future.

Again, thanks a ton!
 
Last edited:

b-eock

Senior Member
Dec 30, 2010
3,591
1,397
0
Dallas, Texas
So what would this exaclty do?, dont wanna do it till i know exactly what it does.

Sent from my Cappy with Glitch V11 LL at 1.6GHz stable, Juwe's RAM script, V6 script, V8 kickass kernel tweaks, and 3G booster script using XDA Premium App
 

AdamOutler

Retired Senior Recognized Developer
Feb 18, 2011
5,224
9,808
0
Miami, Fl̨̞̲̟̦̀̈̃͛҃҅͟orida
Adam, did you try tracing the i2c?
It might give us an un-brick mode without even soldering om5.
No, I have not been messing with hardware since I found the OM5 mod. I wish to develop this further. If you can get me a pin number to trace I will do that. Please look up the pin in the S5PC110 manual and I will trace it... I've been very busy locating software for this mod.

So what would this exaclty do?, dont wanna do it till i know exactly what it does.

Sent from my Cappy with Glitch V11 LL at 1.6GHz stable, Juwe's RAM script, V6 script, V8 kickass kernel tweaks, and 3G booster script using XDA Premium App

Currently we are running into this:
Code:
��������������������������������������������������������������������������������
Uart negotiation Error                                                          
                                                                                
Secure Fail Error
Secure Fail Error is likely because the uBoot I am loading violates the S5PC110 chain of trust. I am working to locate software which will not violate the chain of trust.

See this post for more:

I found this while waiting for the reply from Samsung.


http://www.aesop.or.kr/?document_srl=266600&mid=Board_Download_S5PC100

This is Linux Native - Complier Package
Please note this is in Korean.

One more found:
http://www.aesop.or.kr/?mid=Board_Download_S5PC100&page=2&document_srl=75581

USB OTG-Mon Binary ??


Last one - S5PC100 Code Visor Debug resource
http://www.aesop.or.kr/?document_srl=267106&mid=Board_Download_S5PC100
I have a 3 day waiting period for my id on that site to become active, at which point, I believe we will have a solution.
 

TheEscapist

Senior Member
Nov 9, 2010
1,862
356
0
Toronto
So what would this exaclty do?, dont wanna do it till i know exactly what it does.

Sent from my Cappy with Glitch V11 LL at 1.6GHz stable, Juwe's RAM script, V6 script, V8 kickass kernel tweaks, and 3G booster script using XDA Premium App
Allows you to boot from things other than the internal sdcard, and overwrite memory on the phone. Basically, if you break a bootloader, this is the only thing that could fix it beyond re-jtaging it.

At this point, there's no real point unless a) your device is bricked or b) Adam gets the software half up and running, in which you could do it as a pre-emptive measure.