HD 8, 2018 gets downgraded, rooted and UNLOCKED - Fire General

Anyone owning a Fire 7 needs to stop drop and roll...literally. Please go to your tablet and with a file explorer (I don't know if you need root) in the root directory please try in whatever way possible to read the contents of all files (there's like 3 or 4) with 'fstab' in the file title. Look for ANY properties ANYWHERE that have to do with 'acm'. I am fairly certain, without root you can persist this property in ADB. Get your tablet, plug into PC and open ADB window and type:
Code:
adb shell setprop persist.sys.usb.config mtp,adb,acm
Your PC will light up like a Christmas tree with new drivers for the tablet. If it does, then the chances are VERY high that you will be able to root and unlock your fire 7. This is almost certainly going to work on the HD 10. https://forum.xda-developers.com/hd...fire-hd-8-2018-downgrade-unlock-root-t3894256
Turns out I wasn't crazy or stupid after all !!!!!! All I ever asked was for you guys to just listen to me and understand I knew exactly what I was seeing

DragonFire1024 said:
> Anyone owning a Fire 7 needs to stop drop and roll...literally. Please go to your tablet and with a file explorer (I don't know if you need root) in the root directory please try in whatever way possible to read the contents of all files (there's like 3 or 4) with 'fstab' in the file title. Look for ANY properties ANYWHERE that have to do with 'acm'. I am fairly certain, without root you can persist this property in ADB. Get your tablet, plug into PC and open ADB window and type:
> Code:
> adb shell setprop persist.sys.usb.config mtp,adb,acm
> Your PC will light up like a Christmas tree with new drivers for the tablet. If it does, then the chances are VERY high that you will be able to root and unlock your fire 7. This is almost certainly going to work on the HD 10. https://forum.xda-developers.com/hd...fire-hd-8-2018-downgrade-unlock-root-t3894256
> Turns out I wasn't crazy or stupid after all !!!!!! All I ever asked was for you guys to just listen to me and understand I knew exactly what I was seeing
Can you explain what ACM mode is? Is it BootROM download mode? I do not understand what we can do with the tablet in ACM mode. If we do not get the tablet to enter the BootROM Download Mode this mode will not help us at all.
How does the computer detect the tablet when it is in ACM? I tried it on my Fire 7 and it does not install any driver ...
EDIT: I read this:
Code:
Before Download mode can be entered, the Preloader has to find out if a host is connected via USB or UART and running the MTK SP Flash Tool. It does this by configuring a virtual CDC ACM discipline on USB, so both lines are in fact serial ports and behave similarly.
The USB port will assume that the tool is connected if it receives a “set line coding” (configures baudrate etc.) CDC message. It then sends the string READY to the tool and waits for the reception of a token of eight bytes.
After successful detection, the tool can send the special Start command sequence (0xa0 0x0a 0x50 0x05) to enter a special mode that is only available via USB. It interprets the following commands (I left the ones marked with “legacy” out):
It seems that ACM mode is Download Mode

Rortiz2 said:
> Anyone owning a Fire 7 needs to stop drop and roll...literally. Please go to your tablet and with a file explorer (I don't know if you need root) in the root directory please try in whatever way possible to read the contents of all files (there's like 3 or 4) with 'fstab' in the file title. Look for ANY properties ANYWHERE that have to do with 'acm'. I am fairly certain, without root you can persist this property in ADB. Get your tablet, plug into PC and open ADB window and type:
> Can you explain what ACM mode is? Is it BootROM download mode? I do not understand what we can do with the tablet in ACM mode. If we do not get the tablet to enter the BootROM Download Mode this mode will not help us at all.
> How does the computer detect the tablet when it is in ACM? I tried it on my Fire 7 and it does not install any driver ...
> EDIT: I read this:
> It seems that ACM mode is Download Mode
ACM allows a device to emulate ports. Example: the tech doesn't have a usb port to connect the tablet. ACM can be used so the tablet emulates a different port other than USB. In our case, ACM appears to be the God mode.

DragonFire1024 said:
> ACM allows a device to emulate ports. Example: the tech doesn't have a usb port to connect the tablet. ACM can be used so the tablet emulates a different port other than USB. In our case, ACM appears to be the God mode.
Had this device before. Got a new phone and gave it to my brother. But can you explain a bit, just entering those acm commands won't give you root, I know but what after that?
Will check this method when I go to my brother's.

Adyatan said:
> Had this device before. Got a new phone and gave it to my brother. But can you explain a bit, just entering those acm commands won't give you root, I know but what after that?
> Will check this method when I go to my brother's.
Please see: https://forum.xda-developers.com/hd...fire-hd-8-2018-downgrade-unlock-root-t3894256
ACM is a proprietary function MediaTek uses to emulate the USB port as a different port so they can access their devices using various hosts. It's also a way for them to access the device without modifying the firmware or system. It's a clean, legit way an OEM should access a device. This explains a lot of my discovery that kicked off this whole process. We could see all this happening in the HD 10 binary files, but we couldn't see how this access was happening or where it was coming from. My theory was Amazon used a back door and a mode or user ID greater than super to access devices without the use of private keys. Of course that was crazy talk and impossible and I can't blame any one of you for not believing me. I however never imagined this going beyond Amazon. I'm honestly in total disbelief that any of this is happening and even more so that my crazy cat lady theory was right from day one. I'm just grateful and honored that the few of you who didn't think I was crazy, took it to the next level. If it weren't for all of you, my theory would have been buried and forgotten. In the 3 years since I started all this I never imagined it would come to this. All of you are amazing!!!

DragonFire1024 said:
> Please see: https://forum.xda-developers.com/hd...fire-hd-8-2018-downgrade-unlock-root-t3894256
> ACM is a proprietary function MediaTek uses to emulate the USB port as a different port so they can access their devices using various hosts. It's also a way for them to access the device without modifying the firmware or system. It's a clean, legit way an OEM should access a device. This explains a lot of my discovery that kicked off this whole process. We could see all this happening in the HD 10 binary files, but we couldn't see how this access was happening or where it was coming from. My theory was Amazon used a back door and a mode or user ID greater than super to access devices without the use of private keys. Of course that was crazy talk and impossible and I can't blame any one of you for not believing me. I however never imagined this going beyond Amazon. I'm honestly in total disbelief that any of this is happening and even more so that my crazy cat lady theory was right from day one. I'm just grateful and honored that the few of you who didn't think I was crazy, took it to the next level. If it weren't for all of you, my theory would have been buried and forgotten. In the 3 years since I started all this I never imagined it would come to this. All of you are amazing!!!
ACM isn't a proprietary function from MediaTek. TtyACM is typically used for modem-devices, but in the end it's just a serial-connection.
And the ACM you are enabling using this command has nothing to do with the ACM of the BOOT-ROM.
Also this has nothing to do with Amazon or backdoor-keys or any super user access.
It is an exploit of the MediaTek boot-rom which is part of the SoC and cannot be changed.
They are totally different things.
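Added example, not part of any post in this thread: ACM is a standard USB class (CDC Communications, class 0x02, subclass 0x02), so a host can tell which attached devices expose it by reading their interface descriptors. The sketch below parses `lsusb -v`-style text and reports devices offering an ACM serial function; the sample output, USB IDs and all function names are constructed for illustration.

```python
import re

# Constructed sample in the layout printed by `lsusb -v`, trimmed to the
# fields used below. USB IDs and device names are made up.
SAMPLE_LSUSB = """\
Bus 001 Device 007: ID 1234:5678 Constructed Tablet
    Interface Descriptor:
      bInterfaceNumber        0
      bAlternateSetting       0
      bInterfaceClass         6 Imaging
      bInterfaceSubClass      1 Still Image Capture
      bInterfaceProtocol      1 Picture Transfer Protocol (PIMA 15470)
    Interface Descriptor:
      bInterfaceNumber        1
      bInterfaceClass       255 Vendor Specific Class
      bInterfaceSubClass     66
      bInterfaceProtocol      1
    Interface Descriptor:
      bInterfaceNumber        2
      bInterfaceClass         2 Communications
      bInterfaceSubClass      2 Abstract (modem)
      bInterfaceProtocol      1 AT-commands (v.25ter)
    Interface Descriptor:
      bInterfaceNumber        3
      bInterfaceClass        10 CDC Data
      bInterfaceSubClass      0
      bInterfaceProtocol      0
Bus 001 Device 003: ID 1234:0001 Constructed Flash Drive
    Interface Descriptor:
      bInterfaceNumber        0
      bInterfaceClass         8 Mass Storage
      bInterfaceSubClass      6 SCSI
      bInterfaceProtocol     80 Bulk-Only
"""

DEVICE_RE = re.compile(
    r"^Bus \d+ Device \d+: ID ([0-9a-fA-F]{4}:[0-9a-fA-F]{4})\s*(.*)$")
# lsusb prints these descriptor fields as decimal numbers.
FIELD_RE = re.compile(r"^\s*bInterface(Number|Class|SubClass|Protocol)\s+(\d+)")


def parse_lsusb(text):
    """Return one dict per device with its (class, subclass, protocol) triples."""
    devices, pending = [], {}
    for line in text.splitlines():
        dev = DEVICE_RE.match(line)
        if dev:
            devices.append({"id": dev.group(1).lower(),
                            "name": dev.group(2).strip(),
                            "interfaces": []})
            pending = {}
            continue
        if line.strip() == "Interface Descriptor:":
            pending = {}
            continue
        field = FIELD_RE.match(line)
        if field and devices:
            pending[field.group(1)] = int(field.group(2))
            if len(pending) == 4:  # number, class, subclass, protocol all seen
                devices[-1]["interfaces"].append(
                    (pending["Class"], pending["SubClass"], pending["Protocol"]))
                pending = {}
    return devices


def function_of(cls, subcls, proto):
    """Map a descriptor triple to a short function label (labels are ours)."""
    if cls == 0x02 and subcls == 0x02:
        return "acm"        # CDC Communications, Abstract Control Model
    if cls == 0x0A:
        return "cdc-data"   # data interface paired with the ACM control one
    if (cls, subcls, proto) == (0xFF, 0x42, 0x01):
        return "adb"        # Android Debug Bridge interface
    if (cls, subcls, proto) == (0x06, 0x01, 0x01):
        return "ptp-mtp"    # still-image class used for PTP/MTP
    return "other"


def find_acm_devices(text):
    """List devices that expose a CDC ACM (virtual serial) function."""
    findings = []
    for dev in parse_lsusb(text):
        funcs = sorted({function_of(*i) for i in dev["interfaces"]} - {"other"})
        if "acm" in funcs:
            findings.append({"id": dev["id"], "name": dev["name"],
                             "functions": funcs,
                             "adb_also_exposed": "adb" in funcs})
    return findings


if __name__ == "__main__":
    for f in find_acm_devices(SAMPLE_LSUSB):
        print(f["id"], f["name"], ",".join(f["functions"]))
```
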

DragonFire1024 said:
> Your PC will light up like a Christmas tree with new drivers for the tablet. If it does, then the chances are VERY high that you will be able to root and unlock your fire 7.
Does that mean the 2015 Fire 7 in (5th gen) may be able to be rooted? If so, do we have to do the thing where the back of the tablet needs to be opened and the pins have to be grounded?

whattheclap said:
> Does that mean the 2015 Fire 7 in (5th gen) may be able to be rooted? If so, do we have to do the thing where the back of the tablet needs to be opened and the pins have to be grounded?
If device is running FireOS 5.3.1 or lower it can be rooted via software hack. Otherwise, you'll need to crack open the case and play the pin shunt game.

whattheclap said:
> Does that mean the 2015 Fire 7 in (5th gen) may be able to be rooted? If so, do we have to do the thing where the back of the tablet needs to be opened and the pins have to be grounded?
Davey126 said:
> If device is running FireOS 5.3.1 or lower it can be rooted via software hack. Otherwise, you'll need to crack open the case and play the pin shunt game.
Don't have to open the case! Need to start by bricking with 5.0.1 sideload, then you can talk to 5.0.1 preloader as in here:
https://forum.xda-developers.com/amazon-fire/development/downgrade-fire-7-2015-softbrick-t3894671
It'll be bricked with 5.0.1, but preloader will get into Bootrom via a button push, and that's all you need.

bibikalka said:
> Don't have to open the case! Need to start by bricking with 5.0.1 sideload, then you can talk to 5.0.1 preloader as in here:
> https://forum.xda-developers.com/amazon-fire/development/downgrade-fire-7-2015-softbrick-t3894671
> It'll be bricked with 5.0.1, but preloader will get into Bootrom via a button push, and that's all you need.
Would this work on the Austin?

Pix12 said:
> Would this work on the Austin?
Yes it already does. A bit limited by the current low knowledge of the hardware but it will improve with time
and some software tool to help less skilled people avoid to have to do with a soldering iron and/or disarm the tablet.
.:HWMOD:.

hwmod said:
> Yes it already does. A bit limited by the current low knowledge of the hardware but it will improve with time
> and some software tool to help less skilled people avoid to have to do with a soldering iron and/or disarm the tablet.
> .:HWMOD:.
Oh nice, so this could lead to a bootloader unlock for both Fire 7s?

bibikalka said:
> Don't have to open the case! Need to start by bricking with 5.0.1 sideload, then you can talk to 5.0.1 preloader as in here:
> https://forum.xda-developers.com/amazon-fire/development/downgrade-fire-7-2015-softbrick-t3894671
> It'll be bricked with 5.0.1, but preloader will get into Bootrom via a button push, and that's all you need.
Well that's an interesting approach and one I would not advise to the faint of heart. That said, it's probably the path I'd pursue on a personal device that I would be willing to sacrifice. Advantages of 5.0.1 bootloader outweigh other considerations in my world where simplicity, stability and minimal maintenance outweigh redirected blood flow.

Davey126 said:
> Well that's an interesting approach and one I would not advise to the faint of heart. That said, it's probably the path I'd pursue on a personal device that I would be willing to sacrifice. Advantages of 5.0.1 bootloader outweigh other considerations in my world where simplicity, stability and minimal maintenance outweigh redirected blood flow.
Why not advise? Definitely safer than opening it up and poking around with a paperclip
But sure, if you have a rootable OS and that's all you desire both methods aren't for you.
That said the tablet is now basically unbrickable

k4y0z said:
> Why not advise? Definitely safer than opening it up and poking around with a paperclip
> But sure, if you have a rootable OS and that's all you desire both methods aren't for you.
> That said the tablet is now basically unbrickable
It can need a paper clip and opening the device as well.
"With older preloader-versions you can then simply hold the left volume-button while plugging the device in.
If you have a newer version, you will have to open the device and remove the metal-shielding (it is clipped on)"

k4y0z said:
> Why not advise? Definitely safer than opening it up and poking around with a paperclip
> But sure, if you have a rootable OS and that's all you desire both methods aren't for you.
> That said the tablet is now basically unbrickable
Most of my varied devices are bootloader unlocked which affords full control over hardware and flexible recovery from all but the most egregious flubups. Not my first stroll through the turnip patch. That slobber lined path is far removed from experiences of the common user. Intentionally bricking a working device is not guidance I would give lightly during the early stages of exploit exploration. Same goes for blindly probing around the circuit board with metal objects. Die hards will eagerly take the plunge regardless of risk and share their experiences, good and bad, with the community. Tip of the hat to those bold adventures. Only after the liabilities and rewards are fully understood would I reconsider guidance for non card carrying members of the geeks-r-us society. Seen plenty of noobs go down in flames naively following supposedly 'easy' instructions to nirvanaville.

Simply put .... a suggestion for the novel user poking around in the hardware is enough as a sign of being helpful.
Why should we insist trying to make them stay away from the world of electronics ?
I just suggest to start using a resistor about 1kohm when shorting test points or pads on the motherboards working from 3V to 5V.
This gives them a minimum margin of safety and potentially avoid or makes it less probable they burn some components on the PCB.
Later on they can try to lower that resistor value to a value from 100ohm to 200ohm if they didn't have the expected results and retry.
Many will burn some of their stuff, yeah ... why not, they are used to it. They paid for it and deserve to do what they want with it.
My view though, everybody has the right to express different point of view.
.:HWMOD:.

hwmod said:
> Simply put .... a suggestion for the novel user poking around in the hardware is enough as a sign of being helpful.
> Why should we insist trying to make them stay away from the world of electronics ?
> I just suggest to start using a resistor about 1kohm when shorting test points or pads on the motherboards working from 3V to 5V.
> This gives them a minimum margin of safety and potentially avoid or makes it less probable they burn some components on the PCB.
> Later on they can try to lower that resistor value to a value from 100ohm to 200ohm if they didn't have the expected results and retry.
> Many will burn some of their stuff, yeah ... why not, they are used to it. They paid for it and deserve to do what they want with it.
> My view though, everybody has the right to express different point of view.
Agree with all the above including the sensible cautions. If one understands the basic function of an electrical resistor and the units involved then there is probably both interest and knowledge to proceed. Now we've addressed the 5% club I submit the rest should stay on the sideline until more is known. Same for the brick-n-revive suggestion that started this exchange. I hold no power over what individuals do with their devices. I can only provide guidance based on years of experience that extends well beyond hand held gizmos.

Davey126 said:
> Agree with all the above including the sensible cautions. If one understands the basic function of an electrical resistor and the units involved then there is probably both interest and knowledge to proceed. Now we've addressed the 5% club I submit the rest should stay on the sideline until more is known. Same for the brick-n-revive suggestion that started this exchange. I hold no power over what individuals do with their devices. I can only provide guidance based on years of experience that extends well beyond hand held gizmos.
I agree with both of you, all I'm saying is for those who have made up their mind and want to do this, I think bricking intentionally and then using the exploit is the safer route, since it's a software-only solution.
With poking around on the mainboard there are more things that could go wrong, I've seen people shorting VBAT to ground.

Pix12 said:
> It can need a paper clip and opening the device as well.
> "With older preloader-versions you can then simply hold the left volume-button while plugging the device in.
> If you have a newer version, you will have to open the device and remove the metal-shielding (it is clipped on)"
It's going to cost you .... You can make a hole like me with a knife but I do not recommend it ...
ITS SOLDERED ON! In Austin

Related

Lets save some bricks...

I've been reading up on SGS hardware and bootloaders, and I feel like there's a very good chance that there's a way (within reach? ??) to fix a totally bricked phone.
NOTE: I'm no expert on this stuff. If I'm missing something totally stupid, please forgive me. Anyways, here goes...
The user manual for the s5pc110 chip describes the booting process; it has 3 levels. On hw reset the cpu begins executing code that lives in ROM. The ROM code loads the primary bootloader from a source selected by external pin inputs. The PBL pretty much just loads the SBL, which does the major setup and loads the kernel.
The important thing, which I haven't seen anyone discuss, is that the initial ROM code includes the ability (poorly documented, of course) to load the PBL from UART or USB.
Repeat : non-eraseable code in our phones which is executed on hw reset can load a bootloader over serial or USB into memory and then execute it.
From other threads, we know that Samsung is able to restore a bricked phone without opening it up. Why should they have all the fun?
The first step is asserting the proper pins. This is done by connecting the proper resistance betw pins 4 & 5. The 'jig' thread describes using 301k to get into download mode, but this is happening in the SBL. Many other R values are described in the 'fun with resistors' thread and in the fsaXXXX-i2c.c kernel source. One of them does a reboot and connects a (3.3V) UART to the D+/D- pins.
One thing that is described in the docs is that the ROM code tries UART first and then fails over to USB. Since UART is so much simpler, I'd say that's where to begin.
We already learned in that thread that connecting at 115200 baud and banging on RETURN brings up a "SBL>" prompt with lots of cool commands available. But as TheBeano pointed out, that's not much use if the SBL is toast.
What I'm wondering is whether there's a way to interrupt the normal boot while it's still running ROM code. There's no reason the ROM would set up the UART at the same baud rate as the SBL and kernel. Maybe just a lower baud and banging on RETURN is enough.
For anybody with the time and the hardware, that should be easy enough to try. TheBeano?
There's probably some handshake/protocol issues to figure out to get a bootloader loaded and executing, but we do have a known good one (the PBL) to play with.
If that can be made to work, it would be a huge step towards a working solution. There is code floating around (I saw it on the teamhacksung git) that ports u-boot bootloader to our phones. AFAIK, nobody around here has tried it. But if we are able to test bootloaders w/o flashing, then maybe we (someone with a clue about bootloaders, that is) can open the door to safe, open-source booting.
So that's it. Is this crazy-talk, or do you guys n gals think it just ... might ... work?
I am actually very surprised that no one has replied to this, it is actually a very good idea and also very possible
I will add a little insight without giving too much away
It's also possible to start the phone via JTAG and pass the control over to USB or UART, even to enter DLM and flash the phone without repairing the current IBL/PBL/SBL within the phone which are damaged, e.g. the loaders are running in RAM this is done via CMM or JNAND ...
I have the full unstripped source code for the PBL and SBL and may consider releasing them if some input starts in this thread, its all too easy just to give them out without the scene thinking on its feet
Oh BTW: My dog spoke to another dog whose owner works for Samsung and he told him that the 2.3.3 release, will be released when it's f**king ready and not 1 day before.
Sorry I meant to post to this thread earlier. I looked at this a while ago but the main thing that baffled me was that according to the CPU data sheet, to enable booting from USB or UART you needed to set some bits on the processor OM pins, and I couldn't see how to do that without internal access to the hardware, unless they are wired up to, or switched by, the fsa9480 somehow?
I've looked at the schematic fragments from the service manual but they weren't much help. If anyone has a schematic that shows what is connected to the application processor OM pins that would be a big help. Obviously the bootloader sources would be great too!
TheBeano said:
> Obviously the bootloader sources would be great too!
Come on guys, lets have some input here, and I will give out snippets of info to help, just in case anyone is in any doubt to what I said, take a look at the attached screendump
Odia said:
> I am actually very surprised that no one has replied to this, it is actually a very good idea and also very possible
Maybe this thread has to move to Rom development not many devs in general
If you have the sources then its possible to make our own bootloaders and dual boot whatever we want maybe win 7 (it's a joke)
TheBeano what service manual will help you? full one?
http://www.filesonic.com/file/305248751/Samsung_GT-i9000_Galaxy_S_service_manual.rar full one.
http://megaupload.com/?d=C0JHS7A8 - service training manual 01/2011
manosv said:
> Maybe this thread has to move to Rom development not many devs in general
> If you have the sources then its possible to make our own bootloaders and dual boot whatever we want maybe win 7 (it's a joke)
Hey, off topic here, but I have seen these phones on eBay, Chinese own brand of course, but dual boot, runs both android and windows on one phone.
so it is possible for someone who knows how to.... would be very interested in seeing this develop
http://cgi.ebay.co.uk/W6000-Dual-Ca...ile_Phones&hash=item230f1eea0a#ht_3411wt_1139
Fuma said:
> TheBeano what service manual will help you? full one?
> http://www.filesonic.com/file/305248751/Samsung_GT-i9000_Galaxy_S_service_manual.rar full one.
Thanks, there were some schematics in that first one named "Samsung GT-i9000 Schematics.pdf" that had me going for a while, but they are from a different phone! Some Mediatek thing. The service manual files only have excerpts from the full schematics.
TheBeano said:
> Thanks, there were some schematics in that first one named "Samsung GT-i9000 Schematics.pdf" that had me going for a while, but they are from a different phone! Some Mediatek thing. The service manual files only have excerpts from the full schematics.
different phone? I9000B? sorry. thought it was all I9000.
well i tired...
Fuma said:
> different phone? I9000B? sorry. thought it was all I9000.
> well i tired...
It's the schematic for a cheap phone with the Mediatek MT6225 processor, the "CSL Blueberry" I think. They have an "i9000" model so maybe that's how it started.
mmm...well if i stumble upon more stuff i'll send your way . it might help.
TheBeano said:
> Sorry I meant to post to this thread earlier. I looked at this a while ago but the main thing that baffled me was that according to the CPU data sheet, to enable booting from USB or UART you needed to set some bits on the processor OM pins, and I couldn't see how to do that without internal access to the hardware, unless they are wired up to, or switched by, the fsa9480 somehow?
Yeah, it's got to be the fsa9480. That plus (possibly) the volume/power/etc buttons are the only possibilities. The fsa switches which lines from inside the phone are connected to the micro-USB pins 2 & 3 (aka D+/D-). But it also has (at least) 2 digital outputs called JIG and BOOT which feed back to the CPU. BOOT presumably causes a hardware reset, so the JIG line is free to determine the boot mode.
We know the normal boot is from OneNand. Looking at table 6.3 of the data sheet tells us that the only pin that matters is OM5. Pins OM[4:0] determine which of the 4 different OneNAND boot modes is used, and that mode is the same regardless of OM5. So they are almost certainly just fixed. If OM5 is 0, the chip boots normally (directly from OneNAND). If it is 1, the ROM will first try to negotiate a UART connection, then try a USB connection, and only then (if I'm reading it right), fail over to a normal OneNAND boot.
So it's hard to imagine any scenario other than pin OM5 connected to the JIG output of the fsa9480.
From the Samsung source code linux/drivers/usb/gadget/fsa9480_i2c.h, there are a few interesting resistor choices (I'm not sure what the 5 bits represent; maybe they are for setting/reading the switch state over i2c) :
Code:
1 0 1 1 0 150K UART Cable
1 1 0 0 0 255K Factory Mode Boot OFF-USB
1 1 0 0 1 301K Factory Mode Boot ON-USB
1 1 1 0 0 523K Factory Mode Boot OFF-UART
1 1 1 0 1 619K Factory Mode Boot ON-UART
The 301K case (Factory Mode Boot ON USB) is the familiar "jig" people on xda use. But USB protocol is fairly complex, and since the whole idea of using the fsa switch is very non-USB compliant (the thing sends analog audio over D+/D- lines !) I don't think we can assume anything about what the ROM code does to "negotiate a connection". In addition, I think that all the people who have already looked into this were specifically trying to get into "download mode" (i.e., Loke protocol to talk with Odin). So who knows what else was going on beforehand.
I'm most curious about the behavior with a 619k resistor (Factory Mode Boot ON UART). The nice thing with UART mode is that we already know from TheBeano's thread that there is output at 115200 baud that appears at some point in the boot process. By putting a scope probe on the Tx line and simultaneously watching the text output in a terminal emulator, it should be very simple to see if any kind of negotiating is going on at an early (ROM) bootloader stage. Maybe it involves different baud rate, banging on a key, or pressing/holding a button. But (for someone with time and the right hardware) this is very do-able. If there is any hint of negotiation going on before the NAND-based bootloaders begin, we know we're onto something promising.
Like Odia pointed out, any stuff that we load during the ROM bootloader stage is not being flashed to the OneNAND; it is simply being loaded into RAM and executed. So even with no clue how to write a bootloader, I can imagine writing a "hello world"-grade program to, say, toggle a GPIO. That would clearly establish that the UART bootload procedure works.
So I think it's an exciting prospect. Some of it is way beyond my abilities, but there are some easy steps early on that could really generate some intense developer interest.
I've got an I897 and a scope, but no connectors or cables to sacrifice. I may get a breakout board from Sparkfun to mess around with. In the meantime, I'd love to hear if anybody with a resistor/cable combo can sniff out anything interesting.
Also, I'm glad to see some response. I guess my title was a little cryptic, but at first it was just me and the crickets.
Found an interesting post about the ROM bootloader : http://blog.maurus.be/index.php/2011/01/samsung-i9000-irom-dump/
Another interesting link : http://chdk.wikia.com/wiki/GPL_Disassembling
Let's just say that the ROM code from my phone (Captivate) is definitely talking to the serial ports (all 4) and the USB OTG port.
I just sent off a quick order to Sparkfun for their USB micro-B breakout (the male connector with all 5 pins broken out) and a 3.3V FTDI (USB/serial) board. Just in case I find myself w/ too much time on my hands.
js22, that actually sounds promising.
Waiting for more updates.
Good luck
e-fuse bits anybody ?
The one nagging concern I've been having about this scheme is the option built into the s5pc110 processor (our cpu) of "secure booting". The iROM code checks a set of "e-fuse" bits, and if one of them is non-zero, it uses the rest as an encryption key to verify that the bootloader it loads is signed. The e-fuse bits, as their name implies, are write-once. After the phone has been configured for either secure or non-secure booting, that choice cannot be altered.
I have been kinda assuming that secure booting is not enabled, b/c there is a similar option for JTAG access, and we know it is not enabled. Also, the phone is running an open-source OS and there is no real infrastructure in Android for DRM. Basically, if there is nothing to protect, why bother ?
After poking around in the data sheet, I haven't found anything that specifically says : "this is where you can read the e-fuse bits". I did, however, see a region of SFR space located at 0xE0E0_0000 that is called SECKEY. The boot ROM checks the values of several words near the start of this area, and takes a different branch if it finds any non-zero value.
I tried a viewmem dump of this stretch of memory, and got all zeros.
So either :
a) my Captivate does not have secure booting enabled, or
b) I don't know what I'm doing.
Does anybody have any more info on the e-fuses ?
Oops. I just checked and any read from the SFR address range (0xE0E00000 and up) returns zero. At least if you're using viewmem.
js22 said:
The one nagging concern I've been having about this scheme is the option built into the s5pc110 processor (our cpu) of "secure booting". The iROM code checks a set of "e-fuse" bits, and if one of them is non-zero, it uses the rest as an encryption key to verify that the bootloader it loads is signed. The e-fuse bits, as their name implies, are write-once. After the phone has been configured for either secure or non-secure booting, that choice cannot be altered.
I have been kinda assuming that secure booting is not enabled, b/c there is a similar option for JTAG access, and we know it is not enabled. Also, the phone is running an open-source OS and there is no real infrastructure in Android for DRM. Basically, if there is nothing to protect, why bother ?
After poking around in the data sheet, I haven't found anything that specifically says : "this is where you can read the e-fuse bits". I did, however, see a region of SFR space located at 0xE0E0_0000 that is called SECKEY. The boot ROM checks the values of several words near the start of this area, and takes a different branch if it finds any non-zero value.
I tried a viewmem dump of this stretch of memory, and got all zeros.
So either :
a) my Captivate does not have secure booting enabled, or
b) I don't know what I'm doing.
Does anybody have any more info on the e-fuses ?
It's using non-secure boot and you're quite right, JTAG access is also non-secure.
So, the source code to the IROM would answer all our questions.
It would probably take me a week to reverse engineer it, unfortunately, I don't have the time right now.
The I9000 is a fairly open platform. Would Samsung themselves be prepared to give this source code out?
If we could get to a point where any hacker could un-brick their own phones without even having to unscrew the case, using pin 4-5 resistors, and a 3 Volt UART cable or a USB cable, developers would be much more willing to experiment more.
I have a method to force the IROM to try alternative boot methods, and specifically not run the PBL, SBL, but without more information on what to try in order to talk to the IROM directly, it is difficult to proceed further.
To force IROM to ignore PBL and SBL, just do a heimdall dump in Linux and press CTRL-C half way through. It results in a bricked phone, with only the IROM working. I have been told a 301K Resistor will help switch it back to loading PBL and SBL but I have not tested this yet.
Does anyone have contacts within Samsung that might be able to help, or shall I try to use my contacts to source the information?
The IROM looks like it would try to use the USB in OTG mode. Thus expecting the external USB device to be a gadget and not a PC Host. This can have advantages and disadvantages.
1) Disadvantage: Not many Android developers will have USB Gadget test hardware.
2) Advantage: The I9000 itself might be a good USB gadget development tool. Changing the kernel usb driver so that it can respond correctly to commands from the IROM over USB. Potentially, we could then use one I9000 connected directly to another I9000 and the healthy I9000 could automatically unbrick the bricked I9000.
For development though, I think using the UART option would be easier to do, as any Android developer would have a serial port, and then just need a RS232 levels RS232 to 3.3V levels converter, wired up to a Micro-USB connector and the correct resistor on the ID pin.
It is also easier to write a Serial port controlling application than USB controlling applications.
I think that we would still need to reverse engineer the IROM in order to analyze it and discover what the protocol is for loading software directly into the I9000 RAM and running it without going through the boot of IBL/PBL/SBL.
We would then need to write our own boot loader to put in this RAM in order for it to reach a mode where it can program the flash and possibly provide the same functions as the current "download mode".
If we can get it as far as partitioning, and writing the IBL/PBL/SBL. That would be enough.
There are other advantages of this IROM interface. We could use it to root the phone by writing an "su" to the /system folder.
A stepping stone to this could be a "hello world" program that simply controls a GPIO. For example, flashing the LEDs that light the BACK key or writing a message to the screen.
Having the current source code to the IBL/PBL/SBL would really help here as it contains the routines to display characters and graphics on the display etc.
I'm partway through disassembling the ROM boot code, it's pretty interesting! The serial protocol is definitely in there, but I haven't worked with ARM code before so it may take some time. If anyone has already worked it out or is nearly there please let me know now!!

Galaxy Tab unbricking service

Stumbled upon this a bit ago, a company called Mobile Tech is offering an "unbricking" service on all versions of the Galaxy Tab. At the time of this writing they charge $50. I have not used this service, am not in any way affiliated with this company and cannot vouch for their work, so beware. Just thought someone out there might use this when other options aren't available.
They have a nifty video up on youtube showing how they do it:
it will be a good help for those who brick their tab because they ain't follow the steps .. thanks for sharing this out
I can actually vouch third party for this service. Have had two friends use it and the device was returned within a few days. If I'm not mistaken, the guy lives in the southern US, but can arrange international he says.
Sent from my "better than an iPad" tab... Running Overcome GINGERBREAD!!!
This is cool, but I would recommend trying to go through Samsung first if you are still under warranty. I screwed up my primary bootloader and contacted them. They took care of shipping costs, fixed it up, and sent it back in about a week and a half. If Samsung hadn't fixed it I would definitely have paid the $50 here though.
WOW, that seems like a lot of work for $50.
Thanks for the info, should I ever screw something up its nice to know there are people out there who can clean up my mess!
spacemoose1 said:
a company called Mobile Tech is offering an "unbricking" service on all versions of the Galaxy Tab.
Hi spacemoose1
Thanks for link and as always, thanks for honeycomb port. I would like to ascertain the definition of BRICK? with your help, if I may.
(disclaimer: pls forgive my wrong terms or exaggerated explanation, but most importantly, pls correct me if I'm wrong)
BRICKed = software total lost, must use JTAG to force revive it, Samsung has it, or buy from web supplier around 300 USD ??? 500 USD ???
JTAG is a device to push software into all newly borned IC. I.E. when factory make IC, it's empty software inside, hence has a special device to push voltage into all sections of the IC, then force the code in.
Another term is "CRASH" or "HANG", (I don't know) anyway is not BRICKed, hence a reflash can recover it.
Samsung uses proprietary method a lot, not follow conventional, make usb driver very complex. USB driver install EXE around 15MB to 28MB depends on version, ALL work the same.
but, when the device = sgt7 in different state/condition, the driver must RE-ESTABLISH again, or else cannot work.
I.E.
state 1 = "OPERATIONAL" device in android operation, normal use, surf web, phone call etc
state 2 = "SLEEP" device powered off, show battery big icon charging when powered by charger
state 3 = RECOVERY mode
state 4 = DOWNLOAD mode - this is one of the way to FORCE flash to recover, as long as bootloader and something still intact
state 5 = PHONE-!-PC mode
stage 6 = "COMA" device powered off, NO show of battery big icon, even when charger supplied. Don't panic, let it charge fully 4 hours from 2 amperes supply, 10 hours from PC 500mA. It will start again !!!. Battery big icon will appear around 30% battery charged, I know because that's what I saw. I didn't check when it's in 10% or 20%. The 1st time I check was already 30% up from no-boot or no response.
User need to plug device into PC during each of the state above at least once, in order for various flashing functions to work.
i.e. when it's a newly arrived device, usually install the usb driver 1st, with device state in android OS running properly, then plug in to USB and see "new device detected" installing, pls wait. Finished.
But when flashing via Odin using state 4 = DOWNLOAD mode, user may experience no connection, no COM3 or something. Because device must be unplugged in USB, power-up in state 4 = DOWNLOAD mode, plug in USB, "new device detected" installing = RE-ESTABLISH, done. UNPLUG USB, replug in usb, then COM3 appears FLASH will be successful.
same goes for other state.
p.s. many users reported BRICKed but then recovered WITHOUT JTAG is misleading beginners, hence should rename the term to "CRASH" or "HANG". although some previously use "SEMI-brick", which is acceptable.
stage 3 = ClockWorkMod flashing (super convenient, especially on the move without PC)
stage 4 = Odin / Heimdall both works (still convenient and easy )
stage 5 = Odin / Heimdall both works (still convenient and easy )
"CRASH" or "HANG" or "SEMI-brick" is usually SUCCESSFULLY recovered via restock+PIT
(final disclaimer, in case above is correct and help and is copied, pls correct whatever mistakes found, feel free.)
*** Thanks for all those who taught me my mistakes *** devs and fellow forumers
ManticoreX said:
This is cool, but I would recommend trying to go through Samsung first if you are still under warranty. I screwed up my primary bootloader and contacted them. They took care of shipping costs, fixed it up, and sent it back in about a week and a half. If Samsung hadn't fixed it I would definitely have paid the $50 here though.
Yeah, warranty repair is always a better choice. But sometimes you've already voided the warranty, lol.
I guess, if u change factory installed rom/kernel warranty gonna be history
thanx for the post ... it might gonna be the last resort...
cx5 said:
Hi spacemoose1
Thanks for link and as always, thanks for honeycomb port. I would like to ascertain the definition of BRICK? with your help, if I may.
(disclaimer: pls forgive my wrong terms or exaggerated explanation, but most importantly, pls correct me if I'm wrong)
BRICKed = software total lost, must use JTAG to force revive it, Samsung has it, or buy from web supplier around 300 USD ??? 500 USD ???
JTAG is a device to push software into all newly borned IC. I.E. when factory make IC, it's empty software inside, hence has a special device to push voltage into all sections of the IC, then force the code in.
Another term is "CRASH" or "HANG", (I don't know) anyway is not BRICKed, hence a reflash can recover it.
Samsung uses proprietary method a lot, not follow conventional, make usb driver very complex. USB driver install EXE around 15MB to 28MB depends on version, ALL work the same.
but, when the device = sgt7 in different state/condition, the driver must RE-ESTABLISH again, or else cannot work.
I.E.
state 1 = "OPERATIONAL" device in android operation, normal use, surf web, phone call etc
state 2 = "SLEEP" device powered off, show battery big icon charging when powered by charger
state 3 = RECOVERY mode
state 4 = DOWNLOAD mode - this is one of the way to FORCE flash to recover, as long as bootloader and something still intact
state 5 = PHONE-!-PC mode
stage 6 = "COMA" device powered off, NO show of battery big icon, even when charger supplied. Don't panic, let it charge fully 4 hours from 2 amperes supply, 10 hours from PC 500mA. It will start again !!!. Battery big icon will appear around 30% battery charged, I know because that's what I saw. I didn't check when it's in 10% or 20%. The 1st time I check was already 30% up from no-boot or no response.
User need to plug device into PC during each of the state above at least once, in order for various flashing functions to work.
i.e. when it's a newly arrived device, usually install the usb driver 1st, with device state in android OS running properly, then plug in to USB and see "new device detected" installing, pls wait. Finished.
But when flashing via Odin using state 4 = DOWNLOAD mode, user may experience no connection, no COM3 or something. Because device must be unplugged in USB, power-up in state 4 = DOWNLOAD mode, plug in USB, "new device detected" installing = RE-ESTABLISH, done. UNPLUG USB, replug in usb, then COM3 appears FLASH will be successful.
same goes for other state.
p.s. many users reported BRICKed but then recovered WITHOUT JTAG is misleading beginners, hence should rename the term to "CRASH" or "HANG". although some previously use "SEMI-brick", which is acceptable.
stage 3 = ClockWorkMod flashing (super convenient, especially on the move without PC)
stage 4 = Odin / Heimdall both works (still convenient and easy )
stage 5 = Odin / Heimdall both works (still convenient and easy )
"CRASH" or "HANG" or "SEMI-brick" is usually SUCCESSFULLY recovered via restock+PIT
(final disclaimer, in case above is correct and help and is copied, pls correct whatever mistakes found, feel free.)
*** Thanks for all those who taught me my mistakes *** devs and fellow forumers
I pretty much agree, but I might refine:
BRICK= Unit does not power up, visibly charge, reach a boot-screen of any kind including a service or "download" screen. A device in this state requires service from the manufacturer or an individual equipped with the proper tools. There is no other way to recover a device in this state.
SOFT-BRICK= Unit powers up, reaches a "download" or service screen, visibly charges but does not boot into an OS. Crashing, hanging etc. all apply here. It is easy to recover a device from this state so long as one has access to a firmware that was designed for the device and the ability to flash said firmware.
SEMI-BRICK= See soft-brick above
JTAG= Provides access to system hardware by applying the correct voltage to the correct pins in order to push software via an external program.
In regards to the usb drivers, there are only actually 4 states
1. Active userspace
2. Serial gadget mode
3. Recovery
4. USB storage mode
And there is a separate driver for each of these (except recovery) in the Samsung driver package that should install automatically when the device is plugged in during normal use on a stock rom, or with the installation package available on the web.
The rest of it you've got pretty much correct.
Money seems right, but the amount of work that guy has to go thru is amazing, so much to tear it apart, and reassemble. Then again when it is put back together, he checks it, what if it did not take the fix... all over again.
Hardbricked Tab Save by Mobile Tech
I hardbricked my galaxy tab bought in Cambodia. My little brother open the tab trying to take the battery off and put it back on, thus void the warranty, found him on the Samsung vibrant forum, sent the tab to him got it back good as new. This person is professional, honest and good communication with his customers, you'll be happy with his work, if he can't fix it you get your money back (minus shipping and diagnosis)...Glad he is around to help...
spacemoose1 said:
I pretty much agree, but I might refine:
BRICK= Unit does not power up, visibly charge, reach a boot-screen of any kind including a service or "download" screen. A device in this state requires service from the manufacturer or an individual equipped with the proper tools. There is no other way to recover a device in this state.
SOFT-BRICK= Unit powers up, reaches a "download" or service screen, visibly charges but does not boot into an OS. Crashing, hanging etc. all apply here. It is easy to recover a device from this state so long as one has access to a firmware that was designed for the device and the ability to flash said firmware.
SEMI-BRICK= See soft-brick above
JTAG= Provides access to system hardware by applying the correct voltage to the correct pins in order to push software via an external program.
In regards to the usb drivers, there are only actually 4 states
1. Active userspace
2. Serial gadget mode
3. Recovery
4. USB storage mode
And there is a separate driver for each of these (except recovery) in the Samsung driver package that should install automatically when the device is plugged in during normal use on a stock rom, or with the installation package available on the web.
The rest of it you've got pretty much correct.
You should post this in Q/A thread on its own as its very helpful and maybe it will stop the 1% of people saying help my phone is bricked comments ... the other 99% don't read anyway otherwise they would discover their phone isn't bricked and if they read properly it would not have gotten to the state in the first place .. and no I never posted something like that myself >:¬}
but well done on this..
alexgogan said:
You should post this in Q/A thread on its own as its very helpful and maybe it will stop the 1% of people saying help my phone is bricked comments ... the other 99% don't read anyway otherwise they would discover their phone isn't bricked and if they read properly it would not have gotten to the state in the first place .. and no I never posted something like that myself >:¬}
but well done on this..
+1
Sent from my GT-P1000 using Tapatalk
Nice find. For that amount of effort disassembling, and reviving, $50 is a very realistic price. I'll keep these guys in mind if I run into issues with my tab.
$50 for that much work is an absolute bargain! I wish I didn't live in a country where you get charged $200/hr for someone to pick their nose.
It's actually not that much more difficult than popping an OS install CD into a hosed computer and pressing 3 keys to let it run through the installation after flashing a corrupt motherboard BIOS. Yes, it takes familiarity with the software and hardware, but it's by no means a feat that requires a special skillset.
Granted, few people have JTAG stuff handy, so $50 is definitely worth it if you've hosed your device, but don't make it sound like he's sweating and coding the bootloader by hand, strenuously manipulating micro tools to disassemble the tablet and flipping DIP switches to restore the bootloader. You spend 5 minutes taking apart the tablet, you attach the JTAG cable, run the supplied software on your computer, and sit there recording the screen with your video recorder while the progressbar moves from 0 to 100.
Again, it's worth $50 simply because not everyone and their mother has JTAG hardware sitting around, but by no means is it hard. It's the same reason I can get away with charging $100 to clean viruses off of a computer. People either don't have the tools or don't know how to use them. That being said, I don't know a damn thing about using JTAG to restore a corrupt bootloader, nor do I have the right hardware, so I'd pay $50 if I were ever in the situation.
Edit: And yes, $100 for a virus clean is a lot, but people generally change their mind when I explain to them why they got viruses, as well as installing proper antivirus software and then instructing them on how to avoid infection in the future. I rarely get repeat business from the same customer but I get A LOT of referrals ;p They're happy paying that much when the person educates them instead of cleaning, not installing/explaining, then having to bring the computer in again two weeks later for another wallet-gouge, which most other computer 'repair people' gladly do over and over.
Everything in this world is rinse and repeat... The money comes from time spent learning to use the hardware properly, micro soldering skills (which isn't easy, no matter who you are), confidence enough to offer it as a service, not to mention the couple hundred bucks for the jtag software and hardware.
Now, the fact that if you have your device in a bricked state you likely voided the warranty, it's a 600 dollar brick if your samsung tech recognized it... 50 bucks is a steal to not deal with samsung anyway.
Try to be less pompous next time oh savior of the hundred bone virus... Your poop stinks too, promise.
Sent from my "better than an iPad" tab running Overcome Hermes.
LycaonX said:
It's actually not that much more difficult than popping an OS install CD into a hosed computer and pressing 3 keys to let it run through the installation after flashing a corrupt motherboard BIOS. Yes, it takes familiarity with the software and hardware, but it's by no means a feat that requires a special skillset.
Granted, few people have JTAG stuff handy, so $50 is definitely worth it if you've hosed your device, but don't make it sound like he's sweating and coding the bootloader by hand, strenuously manipulating micro tools to disassemble the tablet and flipping DIP switches to restore the bootloader. You spend 5 minutes taking apart the tablet, you attach the JTAG cable, run the supplied software on your computer, and sit there recording the screen with your video recorder while the progressbar moves from 0 to 100.
Again, it's worth $50 simply because not everyone and their mother has JTAG hardware sitting around, but by no means is it hard. It's the same reason I can get away with charging $100 to clean viruses off of a computer. People either don't have the tools or don't know how to use them. That being said, I don't know a damn thing about using JTAG to restore a corrupt bootloader, nor do I have the right hardware, so I'd pay $50 if I were ever in the situation.
Edit: And yes, $100 for a virus clean is a lot, but people generally change their mind when I explain to them why they got viruses, as well as installing proper antivirus software and then instructing them on how to avoid infection in the future. I rarely get repeat business from the same customer but I get A LOT of referrals ;p They're happy paying that much when the person educates them instead of cleaning, not installing/explaining, then having to bring the computer in again two weeks later for another wallet-gouge, which most other computer 'repair people' gladly do over and over.
I've got to call you out on this one. Mis-connecting or shorting any wires will lead to a damaged PCB and an un-resurrectable TAB. I'm also a Systems Admin for a living so I understand where you are coming from. You must realize that I solder at levels of .1mm in spacing on the Captivate, Vibrant and Nexus S. Electrical engineers and technicians have first hand talked with me about the difficulty of doing this and is NOT something that anyone can do. You'd think twice when you burn up a phone or two valued at $500 a pop trying to JTAG them. There is more skill involved than you would think. Not to mention the liability when dis-assembling the device. JTAG software is decent but it's not fully automated. There are TCK frequencies, RTCK frequencies different PBL partition sizes, full dcc loader read/writes and the requirement of EXACT voltage from an external power supply that are needed in MANY cases. Plus, there is little to no support when fixing a device. This means that if you can't figure it out, nobody else is going to for you. I'm not trying to brag but yet point out that this isn't like plugging in your phone for an ODIN flash. I've taken hundreds of hours of time and 1000's of dollars to create what I feel is the most trusted JTAG authority online ANYWHERE. I greatly appreciate having the opportunity to help the community and enthusiasts in this community. If this was as easy as you are claiming, you could get JTAG hardware and a manual at Best Buy. I have to say you put it best when you said you don't know anything about JTAG... Ok end of rant I was just a bit bothered by your post.
Ok with that being said, thanks for the personal testimonies and compliments. I will be here whenever anyone needs JTAG assistance in the future or around the forums to help answer Q&A when it doesn't require JTAG. Here is a Nexus S promo to realize how tiny some of these things are
http://www.youtube.com/watch?v=Ecp8jKmm48k
i would love to learn more on how to do stuff like this if i had moneyz. the .1mm ext.
not just for android but to make my own ish.
thanks for the awesome videos.
Thanks for the link, hope I won't need it ;-)
Sent from my GT-P1000 using XDA App

Acer Iconia bricked...Need help

Hello to all good guys in xda-developers forum.
This is my very first post and I really feel desperate and need your kind help.
New Acer iconia with stock firmware 3.2.1 was nicely running this morning until I tried to root the device. It was supposed to be very simple process and not to get into dirty complicated procedures but the gingerbreak.apk did not work as expected so I tried alternative methods. What I read in various forums was that the gingerbreak application is not able to root the new firmwares version so I tried to downgrade the firmware to 3.0.1.
Downloaded the Acer stock recovery firmware EUUs_SBK_Acer_A501_0.017.01_PA_ATT.exe and attempted to flash onto my tablet. I think I did all necessary pre-installation checks. The process started but it stopped on 10 percent for about 30 minutes without any progress. Only Acer logo was displayed and 'entering file downloading mode' at the top of the screen.
After long time no change I finally gave up and unplugged the device from the USB port and restarted but nothing works since then.
1. No vibration on Start
2. Black screen
3. No new USB device appear on my PC
4. No sign of any activity other than power button light
I guess the original firmware was wiped but the new firmware was not flashed...for whatever reason...perhaps the worst scenario.
I will really appreciate if anybody may give me advice how to fix it.
So it turns on but does not display anything? Have you tried to hold the power button and volume down button at the same time when you turn it on to try to get it into recovery? Also there is a little reset button on the side you can try to push.
Sent from my A500 using xda premium
Tried all those things. All kind of tricks I could find on the net. The problem is that the device is not showing up in the device manager e.g not detected as USB device of any kind....
acera500 said:
Tried all those things. All kind of tricks I could find on the net. The problem is that the device is not showing up in the device manager e.g not detected as USB device of any kind....
Try this thread. Look about halfway down, and you'll see almost the exact thing you did, and how this guy got it going.
http://forum.xda-developers.com/showthread.php?t=1291747
Basically you can run a search for APX in the main forum threads and find some other posts, but hopefully this will get you going.
I pulled this from the general forum (eventually), but you can also search the Q&A main forum page as well, and the dev forum.
Another link;
http://forum.xda-developers.com/showthread.php?t=1255519&highlight=apx&page=2
If its new just return it to the store for another one.
Sent from my A500 using xda premium
Acer or the store did not brick it
I THINK if you mess with the rom on your tablet and... BRICK your device .. you should tough it out and fix yourself... Acer or the store is not responsible for this. But then you could also argue that if they had not locked the bootloader this type of bricking would not happen..
So I say go above and beyond to try to fix it from the help on here.. if that fails.. THEN maybe exchange it.. It's wrong to break something then expect someone else to foot the bill. Yes I'm too honest for my own good at times... Acer has also been known to repair.
If you bought an extra warranty all of the above in my book is out the window.. Make them replace it ..
GIGGLES..
Good luck on getting it repaired ..and be more careful next time..
Piece of cake to fix if you kept your USB serial number (from the downgrade tool)???
===== If you have your USB serial number ====================
1. Lets assume you know your USB serial number. If not, then you might be able to get it from your registry.
2. Download my flashing tool at http://forum.xda-developers.com/showpost.php?p=20680452&postcount=137
a. Open up the readme.pdf for the instructions on how to flash
3. KEEP your acer unplugged and run the program
4. The program will install the APX flash drivers and will tell you to plug in the USB. Ignore this step. It will not work. In the instructions skip steps 3, 8, 9, 10.
5. Eventually the flashing tool will timeout because you do NOT have the tablet connected. It will then display a message box telling you how to use a paperclip and the power button to get you into APX mode. THIS IS THE secret to getting the tool to flash your ACER. However, once you get it into APX mode you will need your USB serial number (without it, you are fubar).
a. Plug in the tablet to your computer with the USB and paperclip yourself to fastboot.
6. Now in step 11, enter your USB serial number
7. Now just follow the rest of the instructions.
====== NO USB Serial number ==========
If you do not have your USB serial number then you are going to be out of luck, unless you have ever connected the device to your computer. If you did, then your registry will have a history containing your serial number.
Google usbdeview tool and download it. This will show the serial number of any USB device you've connected to your computer.
===== No Serial number, never connected it, what to do ==========
If you have no serial number and cannot get it, then hopefully you can get to recovery mode (power & volume) and flash using a signed update.zip from ACER. Download one of the update.zip's and put it on your external SDCard and then boot to recovery.
=== Bricked and No serial number, never connected, and you fubar'ed the recovery image ===
If you never connected your tablet to the USB and your computer to get the USB serial number then you are NOT going to be able to flash it to fix it.
If you fubar'ed the recovery image then you won't be able to get into recovery to run the ACER update zip.
At this point, you can still get your tablet into APX fastboot mode using a paperclip and the power button. But I know of NO way to flash it without the USB serial number and I know no way to get the USB serial number from the APX driver. I've tried and looked at getting the serial number from just APX mode, but I cannot determine how to get it. Someone out there might know.
Hope this helps,
TD
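The registry history mentioned in the post above, as an added example that is not part of the original post or of the poster's flashing tool: Windows keeps a key for every USB device it has enumerated under HKLM\SYSTEM\CurrentControlSet\Enum\USB, and the key name below each VID_xxxx&PID_yyyy entry is the serial number the device reported (or a Windows-generated ID when it reported none). The sketch parses a text export of that key, for instance from `reg export`; the function names and the sample export are constructed for illustration.

```python
import re
from typing import List, NamedTuple, Optional

ENUM_USB = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB"

# Matches only the instance key directly below a VID_xxxx&PID_yyyy device key.
# Deeper subkeys (e.g. "...\Device Parameters") and hub entries do not match.
KEY_RE = re.compile(
    r"^\[" + re.escape(ENUM_USB)
    + r"\\VID_([0-9A-F]{4})&PID_([0-9A-F]{4})[^\\\]]*\\([^\\\]]+)\]$",
    re.IGNORECASE,
)


class UsbRecord(NamedTuple):
    vid: str
    pid: str
    instance_id: str
    device_reported: bool  # True: ID came from the device; False: Windows generated it


def decode_reg_export(raw: bytes) -> str:
    """Registry exports are UTF-16LE with a BOM; accept UTF-8 copies too."""
    if raw.startswith(b"\xff\xfe"):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig", errors="replace")


def is_device_serial(instance_id: str) -> bool:
    """Windows-generated instance IDs have '&' as their second character,
    e.g. '6&1a2b3c4d&0&0001'. Anything else was supplied by the device."""
    return not (len(instance_id) > 1 and instance_id[1] == "&")


def usb_history(reg_text: str, vid: Optional[str] = None) -> List[UsbRecord]:
    """Return one record per USB device instance found in the export,
    optionally restricted to a single vendor ID (four hex digits)."""
    records = []
    for line in reg_text.splitlines():
        match = KEY_RE.match(line.strip())
        if not match:
            continue
        found_vid, found_pid, instance = match.groups()
        if vid is not None and found_vid.upper() != vid.upper():
            continue
        records.append(
            UsbRecord(found_vid.upper(), found_pid.upper(), instance,
                      is_device_serial(instance))
        )
    return records


# Constructed sample export; the vendor/product IDs and serial are made up.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\ROOT_HUB20\4&2f1e3c9a&0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_1111&PID_2222\0123456789ABCDEF]
"Service"="WinUSB"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_1111&PID_2222\0123456789ABCDEF\Device Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_1111&PID_2222&MI_01\6&1a2b3c4d&0&0001]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_3333&PID_4444\5&7d8e9f01&0&3]
"""

if __name__ == "__main__":
    for rec in usb_history(SAMPLE_REG):
        kind = "device serial" if rec.device_reported else "generated by Windows"
        print(f"VID {rec.vid} PID {rec.pid}: {rec.instance_id} ({kind})")
```

Only entries flagged as device-reported are usable as a serial number; an interface child (`&MI_xx`) or a device without a serial descriptor shows a Windows-generated ID instead.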
Your CPUID can also be found in the uid.txt file in your cwm backup folder - /mnt/external_sd/clockworkmod/backup/ - just remember to drop the 0x when you need to enter it
erica_renee said:
I THINK if you mess with the rom on your tablet and... BRICK your device .. you should tough it out and fix yourself... Acer or the store is not responsible for this. But then you could also argue that if they had not locked the bootloader this type of bricking would not happen..
So I say go above and beyond to try to fix it from the help on here.. if that fails.. THEN maybe exchange it.. It's wrong to break something then expect someone else to foot the bill. Yes I'm too honest for my own good at times... Acer has also been known to repair.
If you bought an extra warranty all of the above in my book is out the window.. Make them replace it ..
GIGGLES..
Good luck on getting it repaired ..and be more careful next time..
Honestly if more people returned bricked phones/tablets etc... they would quit locking them down... the you broke it you fix it because they want to keep people from doing things they should be able to do with THEIR system they bought... In other words I completely don't agree with this at all.. If everything was unlocked and such then I would support the you fix it, but then again we wouldn't be running into these issues now would we. But then again Most people need people to babysit them and tell them what they can and can't do with what they own..
wade7919 said:
Honestly if more people returned bricked phones/tablets etc... they would quit locking them down... the you broke it you fix it because they want to keep people from doing things they should be able to do with THEIR system they bought... In other words I completely don't agree with this at all.. If everything was unlocked and such then I would support the you fix it, but then again we wouldn't be running into these issues now would we. But then again Most people need people to babysit them and tell them what they can and can't do with what they own..
@wade7919. You clearly have never worked in IT support on a hardware level.
Or maybe, I am barking up the wrong panty-leg?
If you bought a high dollar corvette, GM will support it. If you add an aftermarket chip, and your engine blows, do you expect GM to fix it? No. I wouldn't expect it either. Not their problem. Just because you can add a chip, doesn't mean you should do it.
That's why they try to lock bootloaders. To prevent users from doing things they shouldn't. Unlock them, and it opens a whole world of issues based on "open source". God help us if they unlock bootloaders.....
Not sure what you are getting at. I am under the belief, if you broke it, you fix it. Take responsibility for one's own actions. Shouldn't take the panzy pussyass way (no offence Erica and werecaltf), and return it for replacement. Suck it up, and learn from experience. Otherwise, the next device, you'll do the same stupid thing again.
I like things the way they are. Difficult, but not impossible. That separates the people with balls (again Erica and wercatlf, no offense), from the sheep.
But if you fubar the device, own up to it, and fix it. Don't pawn it off to somebody else (return it). And if you don't have the brain cells to have a backup plan before you start... Well, don't shed tears over it. Own up, throw the testosterone in the garbage disposal, and fix it.
Somebody give me a Xanax...
And people, stop using Gingerbreak!!!!!!
Why locking a bootloader will cost ACER billions
Moscow and wade7919, you both make good arguments.
But it is what point of view you're coming from. If I bought a car and changed the rims on all 4 wheels and the engine blew up, would GM refuse to honor the warranty?
However, if I put jet fuel and alcohol in for gasoline and blew the engine why would they honor the warranty?
So, the question here is does rooting a device cause actual damage to the device thereby preventing rooting saves them warranty issues? Or is the device also considered to include the software and is covered under warranty?
I'm not taking sides here, but you both are making very good points but with different examples at different points of view.
So, lets look at other items and see if we can draw a parallel. If I buy a brand new Dell computer and send it in for Warranty and there is nothing wrong with the hardware they charge me (correct?). So if I fubar the OS or load something that caused the damage I pay for it or fix it. If there is actually a hardware failure then they cover it under warranty.
So, why does an Android MFG take the warranty one step further and include the OS and take steps to lock it so you cannot change it? Well, this is because nobody owns the OS (it's open source) therefore they take ownership of the build. Because there's no Microsoft to blame, they lock the software and consider it to be part of the overall device (Apple claimed this in their lawsuit). So, in the MFG's mind, there is no difference from the screen, keyboard, or the firmware & software.
So the question is what do you think should be covered under warranty? Most people think it should be just the hardware like a PC. Others see the whole device which includes the OS.
My point of view:
What follows is my rant and my opinion (you are warned)
In my opinion, I had NO problem until they decided to lock the bootloader. I have no problem with them claiming warranty from A-Z and if I change anything they won't warranty it. No problem, I understand that and accept full responsibility. But by ACER locking the bootloader they went too far.
To me this would be like GM welding the hood shut on my car. Better yet, it would be like me waking up one morning and opening my garage to get in my car and discover that during the night GM welded the hood shut. This, in my opinion, is illegal. Matter of fact, in my opinion, it violates US Federal hacking laws because they entered a system and destroyed data. I eventually think OEM's will get a class action suit filed on them for this.
Secondly, Windows 8 is going to be the game changer. OEM's can now make a hardware device and sit behind only warranting the hardware. You have a problem with the OS, call MS. Also, there is a HUGE (I mean HUGE). Did I mention HUGE, demand for tablets in business. Businesses will NOT put a device that has all these consumer games and social networking loaded into the workforce. There are billions in business applications that can be made, but you cannot sell them if they only run on a tablet that cannot have games removed etc.
Example might help: Medical field <- Think of all the applications a tablet can be used to save costs in hospitals. Do you really want your doctor or nurse etc using this tablet on facebook? Insurance companies, law firms, retailers, traveling sales, etc etc (Government). The list goes on.
Developers will see this huge opportunity and will write applications because they can sell them to A-Z and the business buying them will buy them because they can remove facebook and gmail from their company owned tablets. Now, as more and more developers move to Windows they'll drop Android. Want another example, read about Netflix and the issues they have had supporting a fragmented Android OS. So, business applications will move to Windows, but you might say so what, the consumer market is still there. True, but all you need is one killer application that everyone will want and for that to only be on Windows 8. Want some examples, here's my list, NFL (or sports), Netflix, Skype (gee owned by MS now isn't it?), or something new.
Bottom-line is this, if ACER and the others want to lock their bootloaders then they have just taken themselves out of the game for any business sales. Can you imagine walking into a boardroom showing the Government how your new VA application will save the VA Hospitals millions next year alone and improve veterans healthcare. Your application runs on any HC Android tablet. Everything is smoking, going great, as you hand your tablets, ACER a500', around the room. They are loving it. You just hit 'pay-dirt', then someone says hey I see these ACER's have gmail, facebook, blah blah. We cannot have government employees using tablets with those applications loaded, your installer removes them doesn't it? Silence enters the room, all eyes are focused on you. Your mind sees millions escaping which were just within your grasp, you pause, you think, and you say YES General as you grab your Motorola Xoom and say 'that's why we recommend you buy nothing but Motorola.'. ACER just kissed millions in sales goodbye (oh and this is a true story).
I do believe Acer should lock the bootloader on their devices.
However there are things I would be doing with my tab if it were not locked.
Acer should give us the ability to flash the bootloader and not use the proprietary software. Lock that software to their bootloader, for their protection.
Give us a way to unlock it.. AT OUR OWN RISK..
So it should be locked but have a way to unlock it with the end user understanding they are totally on their own..
I would be OK with voiding my warranty.
@Dean,
"So if I fubar the OS or load something that caused the damage I pay for it or fix it. If there is actually a hardware failure then they cover it under warranty."
Yes, that is true. Bootloaders are locked, to prevent completely stupid idiots, from doing things they absolutely no idea what the sam hell they are doing.
The issue is, should we be able to return a device, after we fubarred it? Against warranty? To say, Hey, your weakness allowed me to do it.
Just because the ability to do it exists, and we can quote a thousand instances, It doesn't mean we should, and to shirk responsibility. And pass it off to the main individual.
The fact is, the policies and regulations are there, and we should abide. And if we don't, we have to own up and deal with it.
And if we don't, then we are no better than the low life of the world. The scum.
Moscow Desire said:
@Dean,
"So if I fubar the OS or load something that caused the damage I pay for it or fix it. If there is actually a hardware failure then they cover it under warranty."
Yes, that is true. Bootloaders are locked, to prevent completely stupid idiots, from doing things they absolutely no idea what the sam hell they are doing.
The issue is, should we be able to return a device, after we fubarred it? Against warranty? To say, Hey, your weakness allowed me to do it.
Just because the ability to do it exists, and we can quote a thousand instances, It doesn't mean we should, and to shirk responsibility. And pass it off to the main individual.
The fact is, the policies and regulations are there, and we should abide. And if we don't, we have to own up and deal with it.
And if we don't, then we are no better than the low life of the world. The scum.
Very well put. I do know of a few people who have sent their device to Acer after messing it up installing a ROM and telling Acer. Acer still fixed it free.
Honesty is always best
The evils of rooting
I'm still missing something here, why locking a bootloader does anything. Go get a Motorola Xoom (not the FE) and you run the unlock OEM. It tells you that you are unlocking it. It tells you that you unlock it at your own risk. You cannot relock it until it is 100% back to stock. It asks you three times are you sure.
Locking the bootloader and treating everyone as an idiot is the problem. Just do what Motorola does, and stop being everybody's keeper. If they want to 'Police' this then you should have to call ACER and they fax you a form. You give DNA to prove who you are and fax it back. Then you go to a mandatory rooting class, that lasts for 5 days, where ACER preaches to you the sins of rooting. Then you have to take and pass a test. Then and only then, after passing the test you get a certificate. Then you call back, give them your certificate ID. Now they give you the secret key to unlock only your tablet.
That's the ticket,
TD
Bottom-line, it's not that they locked the bootloader, it's that you cannot unlock it. Like I said, go out to your driveway some morning and find that GM welded the hood to your car shut because they think you are stupid and shouldn't be opening the hood. Mind you that YESTERDAY, and at the time you bought it, it was not welded shut. That ladies and gentlemen is what ACER did with their OTA.
Moscow Desire said:
@wade7919. You clearly have never worked in IT support on a hardware level.
Or maybe, I am barking up the wrong panty-leg?
If you bought a high dollar corvette, GM will support it. If you add an aftermarket chip, and your engine blows, do you expect GM to fix it? No. I wouldn't expect it either. Not their problem. Just because you can add a chip, doesn't mean you should do it.
That's why they try to lock bootloaders. To prevent users from doing things they shouldn't. Unlock them, and it opens a whole world of issues based on "open source". God help us if they unlock bootloaders.....
Not sure what you are getting at. I am under the belief, if you broke it, you fix it. Take responsibility for one's own actions. Shouldn't take the panzy pussyass way (no offence Erica and werecaltf), and return it for replacement. Suck it up, and learn from experience. Otherwise, the next device, you'll do the same stupid thing again.
I like things the way they are. Difficult, but not impossible. That separates the people with balls (again Erica and wercatlf, no offense), from the sheep.
But if you fubar the device, own up to it, and fix it. Don't pawn it off to somebody else (return it). And if you don't have the brain cells to have a backup plan before you start... Well, don't shed tears over it. Own up, throw the testosterone in the garbage disposal, and fix it.
Somebody give me a Xanax...
And people, stop using Gingerbreak!!!!!!
Okay comparing a tablet or phone to a car is stupid... Compare it to a desktop computer or laptop... Companies do not lock them down so you can not use different OS's now do they.. They offer backups to restore the system back to how it was with recovery partitions don't they? Or they offer the choice to buy whatever OS you want to install, correct? They don't limit you to say just Windows or *NIX do they? But we don't see laptops or desktops locked down to where you can't upgrade your system yourself or anything else... and any dumbass can do that without an issue most of the time. And there are more issues with viruses and crap on computers than phones or tablets...
So before you start making statements like compare this to that learn what to compare to first. If you mess something up on a hardware level sure pay for it.. if you mess something up on a software level because they decided to babysit people it's their fault. And if you think it's the person's fault because they decided to open up a PRODUCT that they bought and own then you are one of the people that need babysitting and like everyone telling you what to do and how to do it. Go to an Apple product then.
---------- Post added at 07:07 PM ---------- Previous post was at 06:51 PM ----------
Also if you really brick your device you can always give http://paranoidandroid.us an email to find out about getting it fixed
wade7919 said:
Okay comparing a tablet or phone to a car is stupid... Compare it to a desktop computer or laptop... Companies do not lock them down so you can not use different OS's now do they.. They offer backups to restore the system back to how it was with recovery partitions don't they? Or they offer the choice to buy whatever OS you want to install, correct? They don't limit you to say just Windows or *NIX do they? But we don't see laptops or desktops locked down to where you can't upgrade your system yourself or anything else... and any dumbass can do that without an issue most of the time. And there are more issues with viruses and crap on computers than phones or tablets...
So before you start making statements like compare this to that learn what to compare to first. If you mess something up on a hardware level sure pay for it.. if you mess something up on a software level because they decided to babysit people it's their fault. And if you think it's the person's fault because they decided to open up a PRODUCT that they bought and own then you are one of the people that need babysitting and like everyone telling you what to do and how to do it. Go to an Apple product then.
---------- Post added at 07:07 PM ---------- Previous post was at 06:51 PM ----------
Also if you really brick your device you can always give http://paranoidandroid.us an email to find out about getting it fixed
I still like my car comparison
I make the car comparison to illustrate a point, because when I compare tablets to a PC everyone piles on *****ing about MS.
Bottom-line it doesn't matter if it's a blender or a PC. I own it, you own yours and I can do what I want with mine as you can with yours. Now, again I have a BIG (did I mention BIG) issue with them changing it on me after I bought it.
To get back on topic, is the original poster still out there?? Has any of this helped? Are you still bricked?? Give us an update so we know if anything worked or you still need help.
The device was returned and accepted for replacement by the shop. Got new one and feel very nervous to start rooting procedure over. I was really lucky that they did not charge me anything but I really want to know what I did wrong so I don't brick my new device again.
I will provide further details soon about my computer OS and firewall settings and perhaps we may figure out what I did wrong.
To all good guys who send me them suggestions and solutions I wanna say big THANK YOU !!!
Your help is really priceless and thrilled me deeply. Will update topic soon
Happy New Year to all Android fans!!!
So...Back on the subject.
My device was purchased in Japan and its current firmware version is
Acer_A500_7.009.03_AAP_CUS6JP
Q1. Can I flash US or World Wide firmware version on that device?
Q2. Does anybody know the Acer's ftp download server address for Japan?
Q3. I think it's a good idea to dump my original stock firmware but it seems there is no way of doing that prior to rooting. So.. kinda stuck. Any suggestions appreciated.
P.S. I'm thinking about flashing the latest Rooted rom 3.2.1 V3 by timmiDean (thanks for your hard work). I read the instructions very carefully and I think that everything will go smoothly but just in case (considering the specific Japanese firmware version) would appreciate any further directions by the author.
Thanks

$50 if you can tell me how to unbrick i9000 without USB jig

Okay, so I bricked my phone trying to update it, and by all accounts I now need a USB jig to resurrect it.
The problem is I live in the middle of nowhere with no mail delivery, and have to drive almost an hour just to get to my Post Office box. I'm also not the most patient of people, and I need my phone.
I've ordered a USB jig, but it'll probably take at least a few days to reach me.
In the meantime, if you can figure out a way for me to revive my phone without the jig, and without ripping it open and soldering stuff, I will pay you $50 (via PayPal).
I feel like there must be a way. After all my Windows machine responds by trying to install some driver when I plug it in (SEC S5PC110 Test B/D).
I think that something is going on there, but it's just not showing anything on the screen to give me any clues. I've tried all manner of combinations of attempting to power it up, but with no result.
So what do you think? Are you up for a challenge? If you can crack it, before the jig arrives, I'll give you $50.
xtempore said:
I feel like there must be a way. After all my Windows machine responds by trying to install some driver when I plug it in (SEC S5PC110 Test B/D).
SEC S5PC110 TEST B/D
You have to use resurrection software
http://forum.xda-developers.com/showthread.php?t=1330491
Man are you dump. We're a community and help each other, no reason to bribe someone. As the guy above me said, use unbrickable resurrector.
dark_knight35 said:
Man are you dump. We're a community and help each other, no reason to bribe someone. As the guy above me said, use unbrickable resurrector.
Resurrector requires soldering - I don't have the tools or skill to do that.
Offering money is not a "bribe" - it's an incentive.
"Dumb" is spelt with a silent "B", not a "P" - and actually refers to someone who cannot speak. Using it to refer to someone who is stupid is actually very stupid in itself - and spelling it incorrectly... enough said.
Try using odin...
Sent from my GT-S5830 using xda premium
Ok, can you get into download mode?
xtempore said:
Resurrector requires soldering - I don't have the tools or skill to do that.
Soldering will depend on the mode your phone is currently in; find out first by following this link to download the detector: http://forum.xda-developers.com/showthread.php?t=1257434
Sorry. I should have been clearer in my original post.
By "bricked" I mean NOTHING shows on the screen. It is completely black. It's not stuck in download mode.
I don't have a Linux box so can't do any Linux things. I have a PC (Vista) and a Mac.
I don't have the equipment or skill to solder things.
And because of where I live, I don't have access to people who might have these things.
What happens if you connect your phone to your PC and run the batch file in this archive:
http://www.2shared.com/file/b_2EYcvS/adbDownload.html
xtempore said:
By "bricked" I mean NOTHING shows on the screen. It is completely black. It's not stuck in download mode.
It's currently in a test mode, and the only way to get it into download mode seems to be by what Adam Sandler had done....
Anyway, you can try the following (which I am doubtful about its success), meant to get into download mode.
1) First remove the Ext SD card and SIM card; also remove the battery and reinsert it before any attempt.
If you have ADB already installed on your PC:
click on Run and type cmd
now type: adb reboot recovery or adb reboot download
The phone will go into recovery mode or download mode as typed.
2)
1. Take the battery out
2. Whilst putting the battery in, press Vol-Down+Power+Home button
Press the three buttons, and keep them pressed while inserting the battery, and the phone should get into download mode instantly.
ADB gives "error: device not found"
I've tried every imaginable combination of buttons, taking out battery, removing SIM, trying all sorts of things plugged into USB, plugged into charger, unplugged, ...
I'm currently installing Ubuntu to try Adam Outler's ModeDetect USBID Detector
Tried various things, including installing a VBox Ubuntu, so I could try out some Linux-only solutions. But still nothing has worked.
In fact from what I've been reading, I think even the USB jig won't kick it back into life.
How would I go about finding someone that can repair this sort of thing? I'm in the Crowsnest Pass, AB. My nearest major city is Calgary. I don't even know where to start trying to find a place that can fix this.
xtempore said:
Sorry. I should have been clearer in my original post.
By "bricked" I mean NOTHING shows on the screen. It is completely black. It's not stuck in download mode.
I don't have a Linux box so can't do any Linux things. I have a PC (Vista) and a Mac.
I don't have the equipment or skill to solder things.
And because of where I live, I don't have access to people who might have these things.
Save 50$ for a new motherboard. Don't lose time.
Sent from my GT-I9000 using xda app-developers app
Unbrickable Resurrector worked for me without opening my phone. It was also totally off and didn't show a reaction. Resurrecting is a thing of half an hour.
xsenman said:
SEC S5PC110 TEST B/D
You have to use resurrection software
http://forum.xda-developers.com/showthread.php?t=1330491
I was one of the developers behind the unbreakable mod.
There is one failure mode that reaches the TEST B/D.
If you have TEST B/D, you can skip the hardware mod, and just use the unbrickable mod software.

[hardware][mod]

So, I was re-reading the schematics, and while I was looking at the boot settings/hardwired configs (page 18 of the 44-page document you find floating around the web), I noticed there is a way to set a RECOVEY_MODE# flag (seems to use a pulldown resistor for that), setting either "USB Recovery Mode" or tell the SoC to "Boot from secondary device".
I can't really afford messing with my N7 right now, since phone #2 is dead and the good old TF101 needs a new cable...Anyone got any ideas on this, or has a spare, semi-dead/semi-unusable device to see if this has any useful functionality? Might save people who are bricked and without NVFlash/APX blobs...Will try to get my hands on a dead device to push this farther.
GRudolf94 said:
So, I was re-reading the schematics, and while I was looking at the boot settings/hardwired configs (page 18 of the 44-page document you find floating around the web), I noticed there is a way to set a RECOVEY_MODE# flag (seems to use a pulldown resistor for that), setting either "USB Recovery Mode" or tell the SoC to "Boot from secondary device".
I can't really afford messing with my N7 right now, since phone #2 is dead and the good old TF101 needs a new cable...Anyone got any ideas on this, or has a spare, semi-dead/semi-unusable device to see if this has any useful functionality? Might save people who are bricked and without NVFlash/APX blobs...Will try to get my hands on a dead device to push this farther.
This is a good idea to try pull down this signal and get the recovery mode but you need to try. I am not sure if it is workable. Your experience will help us to save N7's life.
BTW, would you please tell me how to get the device's schematic. I don't know whether we have the opportunity to get a GSM phone call if I have the schematic.
Like I said, I have no fallback, so I can't be fussing with my N7. @p5auser, PM'd you the link...Anyone with a bricked device or broken screen?
GRudolf94 said:
Like I said, I have no fallback, so I can't be fussing with my N7. @p5auser, PM'd you the link...Anyone with a bricked device or broken screen?
It is difficult to read the schematics on the website. I will try to print out. I had ever bricked my N7 device after doing firmware upgraded and went to RMA.
The RMA replace the internal PCBA. So I recommend you go to RMA if your warranty is valid.
p5auser said:
It is difficult to read the schematics on the website. I will try to print out. I had ever bricked my N7 device after doing firmware upgraded and went to RMA.
The RMA replace the internal PCBA. So I recommend you go to RMA if your warranty is valid.
The point is, people that are desperate enough to fuss around with the hardware (and have the knowledge to do so, reading schematics included) to try a fix are most likely out of warranty. Also, the Grouper/Tilapia models have been replaced already, and most of those units are over 1 year old, and thus, out of warranty. I, personally, don't have such a problem with my tablet, but I wanted to see if this is helpful to anyone. It's just a matter of reading the table contained in the document, finding the mentioned resistor (or its place) on the board, and mod it.
