[HARD-UNBRICK][EDL Cable DIY] Unbricking a HARD-bricked ZenFone5 LIVE (QUALCOMM) - Zenfone 5 Q&A, Help & Troubleshooting

Hello, First time post, moderate time lurker
---------------------------------------------------------------------------------------------------------------------------
Disclaimer:
I'm just recently learning tampering with android and been pretty obsessed with achieving my personal goal on mine.
With that being said I AM NOT a professional, I am merely posting this guide because I have not yet seen this specific method I used to un-brick my phone, but it does borrow from other similar concepts.
I will probably have limited followup capability and expertise, and everything is AT YOUR OWN RISK, not only do you risk your phone being damaged beyond repair, not just a brick but scrap metal, you also risk anything you connect it to if you are not careful. YOU HAVE BEEN WARNED.
Also, this guide may apply to multiple models of Qualcomm phones (Research first if it applies to yours), but was performed on a ZenFone 5 >-LIVE-< not a regular ZenFone 5, its being posted here due to lack of my phone model on the forum. Do not assume that everything that works on a live will work on a regular, I have found they are VASTLY different and only similar in name.
---------------------------------------------------------------------------------------------------------------------------
Symptoms:
Very Hard-Bricked ZenFone 5 Live, due to attempting to hex edit the boot-loader
(I've already learned my lesson, save your lectures)
The indication that your phone is actually a HARD brick, is that it will not appear to turn on at all, and when connected to a PC will show something along the line of Diagnostics 900E on the COM Port devices section of your device manager
For anyone whose poked at it at the Qualcomm level, you will notice a few things wrong
-It never goes it 9008 QDL mode on its own
-It rejects any kind of memory diagnostics(which is a miniature requirement before a flash by automation) with ACK ERROR FROM DEVICE: NAK_MEMORY_DEBUG_NOT_SUPPORTED
or will report IMAGE_TYPE_INVALID, even when selecting the correct firmware
and lastly you get timeout/phone wait errors, header/reply reads "0" or if you try to manually connect with the QSaharaServer it will only reply to Hello Prompts/commands then reset, and anything else gives unknown command received: 4 or "0", also manual PUTTY connections to it via TELNET over COM port also results in a mass overload of "0"s being sent to PUTTY en-masse and only "0"s can be sent.
If your phone is still able to get to your boot loader or has any other functionality I would suggest looking into alternatives than following this guide first.
---------------------------------------------------------------------------------------------------------------------------
Tools Needed:
- Hard-Bricked QUALCOMM phone
(this will not work if it does not have Qualcomm firmware, I.E. Sahara, Firehose, etc.)
- USB-C cable
(or whichever cable applies to your phone, this was however performed using a -c cable)
- Wire cutting/stripping/joining tools ; soldering is optional ;
I personally used: Box cutter blade, Knife, Scissors, pliers, and a lighter
- Qualcomm flashing software, QPST or QFIL, and Qualcomm Drivers ;
whichever you're used to, if you're new to Qualcomm tools I recommend a standalone version of QFIL, google it, they aren't too hard to find (and I'm too new and don't wanna risk posting links to bad sites)
Also the drivers for Qualcomm specifically ARE REQUIRED
if you found the correct ones you should have a folder in program files (x86)/Qualcomm Incorporated
Google these too, not too hard to find, too many risky links, I'm not a pro.
- Phones Firmware - QUALCOMM LEVEL
this is not your regular ROM with boot.img,system.img, etc.
Qualcomm level firmware will look more like Firehose_8917.mdn, Rawprogram.xml, Patch0.xml
these can be tough to find for some people
If you're lucky your phones regular OTA/Firmware downloads will also contain these, for others its a standard ROM without them. You may need to google fu around for them but do make sure you're using the correct Qualcomm firmware for your phone/msm, or you may risk putting your phone into perma-brick.
- Optional - USB Hub with surge protection ;
Due to the electrical danger of this guide, I highly recommend a USB Hub with surge protection capability, I just so happened to have one laying around, it is optional, but HIGHLY recommended, I believe mine saved my phone/PC during this procedure at least once.
- Optional - Stock Factory ROM
Just to make sure to clear out whatever caused the brick in the first place, I supposed you could flash whatever else works for you if you still have an unlocked boot-loader, somehow, after the flash, heck I don't even know if there's a system left in there to boot into if you try skipping altogether, either way, highly recommend an OEM stock regular flash after the Qualcomm flash.
---------------------------------------------------------------------------------------------------------------------------
Verify phones condition:
First off, your phone should be pretty bricked, if you're this far. Make sure its not DEAD DEAD though. Plugging it into a PC should give at least an unknown device, Qualcomm 900E COM port device, or some kind of life, plugging it in (and maybe holding power + down vol, or up if a different model) indicates a flashing LED.
If there is sign of life, proceed ; if not your phone may have physical/electrical damage and prepare for the worst and consider a new phone.
---------------------------------------------------------------------------------------------------------------------------
We begin the real work at the cable
-Why? (can skip if you dont wanna know whats going on in the software)
The phone is locked-down by the highest level boot-loader (PBL i think?), its name as of this guide, Sahara.
When Sahara security is triggered it locks down the secondary bootloader, Firehose. With Firehose on lockdown it cannot load the usual oem-bootloader you see, or your custom if you have one. This is probably a security feature to try to force would-be thieves to not be able to unlock the phone without bringing it to a service dealer. Or possibly to thwart would be phone moders who can't figure out whats going on and cash in on a voided warranty and a simple flash work labor fee for their techs, or new phone purchase.
Either way, Qualcomm has a backdoor, and the backdoor is in the USB cable.
---------------------------------------------------------------------------------------------------------------------------
Cable work
-Begin Guide
Begin by stripping the sleeving off a section of the USB-C cable, I recommend somewhere in the middle, and a few 3-5 inches worth to give yourself play room, if you're experienced with cable modding then do whatever s comfortable to have room to switch a wire to another, though that's not necessarily accurate on what the next steps are. Keep in mind there is a entire secondary sleeve of tin wire mesh braiding so it can get messy and you need that isolated from other wires.
Once you have your section of stripped wire, examine wires for what type you have
(to my surprise and delayed my work 6 hours of research was the absence of a black wire.)
You will either have:
Red, White, Green Black wires ; including Tin shielding mesh, and possibly a nylon core
OR
Red, White, Green; including Tin shielding mesh, and possibly a nylon core
If yours was like mine, the black wire is actually a mesh of copper wires mixed in with the tin mesh, in this case treat the tin outer mesh like the black wire, which makes things difficult to work with, but very doable still. Just be careful not to fully sever the copper strands mixed in too much, you need at least some of them in-tact to some degree
Next cut the green wire, and strip the tips down a good amount, enough where you can twist it by hand (1/8" or so?)
if you have a black wire do the same and skip the next tin mesh step.
---------------------------------------------------------------------------------------------------------------------------
Tin mesh wire-
If you have a tin mesh, things get a little dicey but it worked for me,
the tin mesh surrounds the cable entirely in a tubular braid pattern
it is impossible to work with in this state
therefore ~1/2 of it needs to be severed in order to craft it from a shielding braid, into a makeshift wire
tip, the thin insulation sleeving separating the wires from the shield when pulled peels the shielding off the wires nicely after the mesh is cut in one spot (severing point a-b on the cable), though bunches it up, this does make it easier to cut it half though, rather than poking and pulling at it by hand.
once you're able to separate it from the rest of the wires, twist the mesh into a wire form, due to its rough tin spike nature it holds in shape quite nicely
The key on the tin mesh type though is to examine it for the copper strands hidden within and do not severe too many of them, the shielding will be disconnected from point a-b on the cable but still the copper wires need to not be mutilated.
once you have your mesh in wire cable form on both ends proceed
---------------------------------------------------------------------------------------------------------------------------
Cable work Pt. 2
At this point you should have:
Green wire, cut and tips stripped
Black wire, the same as green, if it applies
Mesh shield crafted into a wire, if it applies
(either the black wire or mesh are required, but NOT BOTH)
- From here-on the tin wire mesh is effectively the black wire, if it applies, and thus will be refereed interchangeably to as such unless otherwise specified-
Take your black wires, twist them together and secure them
you must make sure of 4 things
1 - Obviously, the copper of the wire is in contact
2 - they do not accidentally become disconnected and can withstand at least some force before separating
3 - However, they must remain QUITE EXPOSED, you need the bare wire to be somewhat accessible for later steps
If you're experienced you can do this your own way after reviewing the next steps, but these wires must be able to connect and disconnect at will without unplugging the USB cable itself
4 - Make sure the wires are in such a configuration that they can reach the green wire, but stay - 100% ISOLATED FROM EVERYTHING ELSE- (oh if you have a black wire, this INCLUDES THE SHIELDING, NO BLACK ON TIN)
If you fail to practice safety first you risk frying your phone, and whatever else you connect it to, I.E. your 10k Gaming PC, anything you fry you are responsible for and I disclaim any responsibility for your actions, even if you follow this guide accurately you're still at your own risk.
Next do the same to the green wire
---------------------------------------------------------------------------------------------------------------------------
Cable Work Pt. 3
- Pre-EDL "Deep Flash"
at this point, if you've followed the cable instructions your EDL "Deep Flash" Cable is actually complete
you may be asking yourself why? all you did was strip wires and reconnect them
the trick is actually, that you've provided one cable to cross-talk to another temporarily
to prep for the EDL "Deep Flash" command initiation one more step is needed though
you must connect the exposed and completed green wire, to the black wire
this however MUST be temporary, you must be able to separate these wires, safely, and without disconnecting the USB device.
For example in my build I bent my twisted makeshift tin black wire into a u-shape that just barley held onto the green wires copper, and could be removed with a simple tug
Depending on the internals of your wire and how rugged they are this may work for you
however if you have an actual black wire in yours, or your material is more "rubbery" and less rigid you may need to find your own method, maybe stick them both on duck-tape crossing wires or something
Still you get the idea though, cross the green and black wire, but in a temporary fashion.
Finished Product (This is post-EDL command, with the green wire pulled)
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
---------------------------------------------------------------------------------------------------------------------------
Testing and Driver preparation
At this point were good to go for a deep flash, but I would recommend testing before plugging it into a PC
(you can fry a PC through a USB port btw)
I recommend testing your setup with a USB adapter on a power outlet or a powered USB hub (preferable surge protected and not connected to your PC for now)
If your cable works, you should get a flashing LED
More-so now than if you didn't before, because sometimes the LED won't light when in Firehose mode, but only Sahara. If you didn't have an LED before... they its a maybe... use a multi-meter to make sure you have live connections and no shorts? if you have a flashing LED though you're golden, or should be.
Also, you want to make sure you're PC is prepped for the flash with the Qualcomm drivers, QPST/QFIL software, and your phones correct Qualcomm Level Firmware, in my case Its a Firehose_xxxx.mdn rawprogram.xml patch0.xml files.
Looking at the software though, depending on your model you may end up using a .hex file as well?
-this guide is more about the EDL cable and less about the software, many guides exist for those so if you need more info go looking for those. I'm posting this as this specific method of EDL cable I couldn't find anywhere, this is not a complete a-b guide, just the most crucial part of recovery for peoples hard bricked Qualcomm phones. -
---------------------------------------------------------------------------------------------------------------------------
The Deep Flash
Here comes the risky part, risking a PC
I've already warned you 2-3 times so whatever happens, you are responsible for.
Connect the phone with the PC, preferably through a surge protected USB HUB, or directly if you're desperate and brave/suicidal.
You should get NO CONNECTION indication from the PC, nothing in device manager, no USB connected audio blips, nothing. The only thing that should happen is the LED will flash on your phone. This is good.
Wait for about 10-20 seconds, you do not want to jump the gun or you will have to reset your wires.
after 10-20 seconds, execute your wire release / pull method on the green & black wire, separating them, but making sure their own connections don't get severed in the process.
If success, you will get a connection blip from the PC and if you have QUALCOMM DRIVERS in stalled you will see the fabled 9008 QDL loader install on its own without having to force it through device manager.
If you get 900E still, try again. if you can't get 9008 without forcing it something is wrong, either your phone has actually been in Firehose the whole time or there is a different method for your phone, or the cables are mismatched on the wire, or some other issue.
---------------------------------------------------------------------------------------------------------------------------
Successful 9008 EDL Deep flash
- A footnote for those familiar with Qualcomm already
Nice having 9008 on its own without going through device manager isnt it? ( for those experienced with Qualcomm already lol)
This is a proper QDL Deep flash and the way its meant to be loaded on these drivers.
If you had issues with QPST/QFIL before, proceed as normal if you're familiar with the process, the rest of the guide will briefly touch up on that. Just be careful not to sever the connection mid-flash, the Firehose firmware flash is much quicker than a ROM flash, so it won't be long if you already know what you're doing.
I recommend either safe-proofing your cable or switching to a UN-modified one ASAP to minimize risk to your equipment.
God-speed.
---------------------------------------------------------------------------------------------------------------------------
Qualcomm Flashing
- For those new to Firehose/Sahara
As mentioned previously this is not a Qualcomm software guide
This stuff is shrouded in mystery and proprietary hush hush so not a-lot is known and depending on what you got can be quite confusing to understand.
If you're new to Qualcomm software i previously recommenced QFIL, so that's what i will briefly touch, if you got QPST you're on your own.
(though usually QPST has QFIL included in SOME builds just fyi, if so you can continue following but you will ONLY be using QFIL using this guide, ignore all other tools in the package)
When you load QFIL, you will most likely be in "Meta" mode, this is not what we want, hit the radio bubble for "flat build" if you're missing these bubbles you may be on an ancient version of it and I recommend finding a more up to date version.
Next you must specify your programmer, this is going to be your eMMC_Firehose_XXXX.mbn file
(XXXX is your phones snapdragon MSN #, look it up on qualcomm snapdragon spec sheets if you need to)
I've only worked with my Zenfone 5 Live with this software, so eMMC_Firehose is all I know, if you find that your phone uses .hex or any other format aside from .mbn's or .xml's then I recommend you stop here and find a Qualcomm flashing guide for your specific phone, but try to keep your phone connected IF ITS SAFE TO DO SO (I.E. no risk of cat/pet attacks, children, liquids, living thing contact, etc.) , otherwise if you disconnect your phone you will need to re-perform the deep flash sequence from before.
Next click "Load XML"
this will prompt you to load both your rawprogram.xml and patch0.xml (one after the other)
Then click download.
This process took my phone about 20 seconds, its very quick
once this is complete reboot your phone with its "special reboot" key combo, whatever it is for your phone.
For mine its Vol down + power
if all goes well, you should have your good old fashioned OEM boot-loader
to make sure that whatever caused Sahara to lock-down your phone is gone, proceed to flash a factory/stock ROM to your phone. If you've made it this far I assume you either already have one on hand or found it while looking for you Qualcomm firmware.
And your phone is back from the dead.
Praise the sun!
---------------------------------------------------------------------------------------------------------------------------
FIN!
P.S. -
While waiting for your phone to flash your factory stock ROM I recommend listening to
Korn - Another Brick In The Wall (Pink Floyd Cover)
P.S.S -
I am continuing my research on brute forcing the unlock on this device, ZenFone 5 LIVE
if you have any information to share, please PM me for anything you can share or if you would like to collaborate on this project.
If you found this guide helpful and you want to show your appreciation share your feedback!
Also I wouldn't mind any donations, I am a paycheck to paycheck sweatshop callcenter tech. Link in my profile
- Sources for this methods inspiration -
club.lenovo (china)
User:
francescotagliam**te
en.miui -
Users:
[email protected]
mitch002
id post links, but i am forbidden as a new member.

Wonderful!

Hey @Leomaxwell973 , thank you for the tutorial.
I used your method, along with the one here: https://forum.xda-developers.com/t/...ight-turns-on-for-a-second-using-edl.4228641/
My phone came back to life, and I have to thank you, really.

Related

Developing methods to recover bricks without JTAG

I have not seen anything in the Captivate forums about UART, I2C, or really anything other then Download Mode/Recovery Mode. We could use some developers to help with this project. It's an interesting combination of hardware, software, and inter-chip communications protocols...
I think everyone knows about the 301Kohm resistor between pins 4 and 5. Did you know about the 150Kohm or the 619Kohm resistors? How about the middle battery pin?
Watch this video.
Resources
Users
One-Click Unbrick was relesed This will unbrick softbricked phones http://forum.xda-developers.com/showthread.php?t=1153310
Kernel developers
UART Kernel debug log AND shell terminal (like adb shell without adb active) On the captivate you can get into the SBL prompt, then type
Code:
printenv
setenv SWITCH_SEL 6543
printenv
saveenv
This changes the SWITCH_SEL value from 65 to 6543 and enables extra output. This will give you a kernel debug output and drop you into a shell prompt.
Developers
bootloader source code For a simlilar samsung device: http://forum.xda-developers.com/showthread.php?t=1018862&page=68
here is the iROM,: I've rehosted it here: http://teamkomin.googlecode.com/svn-history/r75/branches/IROMcode/bootdumps.rar
here: http://www.mediafire.com/file/c9bg6gyk1cuapsz/bootdumps.rar
and here: ftp://adamoutler.dyndns.org/bootdumps.rar
we need help deciphering it. We think the annotations may be wrong. This is the unchangable code in the first few blocks of memory. There must be a way to communicate with this.
Hardware guys
S5PC110 processor datasheethttp://www.mediafire.com/file/3znisgfm3amxgpj/S5PC110_EVT1_UM10.pdf This is the processor in our phones. This documents everything which is capable natively with the processor. It is 2425 pages long.. I read through it and added some notes here.. This is the meat of the manual: http://forum.xda-developers.com/showthread.php?t=1018862&page=51
FSA9280A datasheet http://www.mediafire.com/?d4e21efhuktctcb This is the first time we've had access to this manual. Our phones use the FSA9480A chip, this chip is functionally the same. The datasheet here describes all functions available to the USB switching device. From the FSA9280 datasheet we've located all resistor values. http://forum.xda-developers.com/showpost.php?p=14408452&postcount=62
All
The All-In-One GalaxyS HackPack hardware, software and documentation on our phones http://forum.xda-developers.com/showthread.php?t=1111866
It has been revealed from a source which is not to be mentioned that the OM pins/registers are fixed and cannot be changed on the processor without removing the processor from the device or making some hardware modifications.
Here's some must read threads.
Fun with resistors:http://forum.xda-developers.com/showthread.php?t=820275 This thread shows all known resistor values
Lets save some bricks:http://forum.xda-developers.com/showthread.php?t=1018862 This thread deals with ways to revive phones from the dead. We are hacking the heck out of them in here.
Development platform booting from MMC http://hi.baidu.com/j2h3344/blog/item/85740dfc0be35951d7887dd5.html This is the platform used to develop our phones. We need to find these OM bits, or access them somehow.
the middle battery pin http://forum.xda-developers.com/showpost.php?p=13448859&postcount=253 This may be the answer. We could use some help in this area.
Download the GalaxyS Hack Pack here: http://forum.xda-developers.com/show....php?t=1111866
Known Causes of hard Bricking
1. PBL(Primitive bootloader) and SBL(secondary bootloader) were not designed for the phone
2. Mismatched PBL/SBL combination
3. SBL does not fit in the Partition information table, or location does not match Partition Information Table
4. Bad USB cables
5. power loss
6. Damaged PBL/SBL
--Theoretical--
7. Something known as Secondary Bootloader Rotation may be to blame for improper bootloaders sometimes. Apparently when flashing, the SBL and SBL2 blocks may switch places. In this case you may have the proper PBL, but the SBL is not proper for the device.
Hardware Used
If you're looking to help, you'll need some development hardware. I use an Arduino Mega. http://www.bizoner.com/arduino-atme...e-p-180.html?zenid=9mg23h688slfjgh88910o5jfd2 This is a programmable interface. You can use this code to talk to the phone. http://forum.xda-developers.com/showpost.php?p=13351363&postcount=223
Here's some plans for a communications adapter http://forum.xda-developers.com/showthread.php?t=925034
The plan
If we can get into a bricked phone via UART or the i2C bus, or the USB bus, or any other method available to U301, we can corrupt the PBL(boot.bin) in the OneNand which will cause the processor to search for a PBL and SBL on USB, UART and MMC.
If we can locate an additional communications port somewhere on the phone we can change or corrupt the code running in memory and then cause the processor to reboot into USB or UART mode.
So far we know of UART only and have eliminated that as a solution on it's own.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Using SBL, it is very likely possiblity that Windows7 phone or iOS, or ubuntu could be ported over.... Basically, full control.
Why you should help
We've been working on ways to recover these phones for months now. We're comming to an end. We need massive amounts of testing to figure out this last bit.
This is a call to duty. Every developer who has ever released a boot.bin, SBL.bin, param.ifs or a PIT with their release needs to be a part of this. Every member who has ever bricked a phone while using one of the many tools which are designed to upgrade your phone can help. Anyone who wants to feel secure while flashing their phone should put some effort into this because it's expensive and requires superhuman soldering to JTAG these phones. If you've even thought about using Odin3, we need your help.
Update: UnBrickable Captivate http://forum.xda-developers.com/showthread.php?t=1206216
Seems interesting / promising, unfortunately I can't help BC I moved back to Morocco (Africa) and only brought 1 captivate with me. Good luck that is all I can say.
Sent from my SGH-I897 using XDA Premium App
Really interesting and very cool.
But I have a fully bricked captivate which I still have cause it was a friends who just went onto the Inspire. Always have wondered if I could recover the hard brick.
Wish I could help but I'm pretty useless with Soldering and taking apart my phone. But if development moves along with this I'd love to support. The idea of porting those OS and helping everyone saving hard bricked phones would be great.
Good Luck!
Sent from my SGH-I897 using XDA App
im bookmarking this. i can only help in fabrication. im not a super genius dev. but threads/projects like this do interest me.
Middle battery pin? Reminds me of the battery jig trick on the original PSP.
All-in-all, this looks promising, I'll be following it.
Posted up the iROM in the first post. this is the code which we hope to establish communications...
Keep in mind, this could be over the USB port, the Middle battery terminal, or even the headphone port.
But I have a fully bricked captivate which I still have cause it was a friends who just went onto the Inspire. Always have wondered if I could recover the hard brick.
Click to expand...
Click to collapse
I'M GETTING ONE OF THOSE IN THE AM!!!!!
i have a fully bricked cappy that i bricked lastnight. i was able to recover from the phone..!..pc icon but then failed @95% via odin3 v1.00.
i will mail you the cappy if you can fix it and use it as a test mule for future brick\unbrick attempts...... the outer glass is broken thanks to a fall from my lap to the concrete
I think I actually discussed this with you before. I ran twice into some instance where no action would make difference on the phone, no response to key combos, no response to charger or USB. But, download mode was still accessible via USB Jig.
What could've happened there?
cumanzor said:
I think I actually discussed this with you before. I ran twice into some instance where no action would make difference on the phone, no response to key combos, no response to charger or USB. But, download mode was still accessible via USB Jig.
What could've happened there?
Click to expand...
Click to collapse
Not really positive at this point, id suspect corrupted pbl.bin or param.lfs partitions. I've seen some weird stuff with the pbl. One phone would only output uart when volume + was held for 5 seconds.
Basically from my understanding... The IROM loads into the processor. This is the first 40000 bytes and it's protected memory. The iROM brings up basic functionality for the processor, including the initial factory UART/MMC load of PBL & SBL. The IROM then instructs the phone to load the IBL/PBL(Initial Boot Loader/Primitive Boot Loader). The IBL initializes memory for the SBL(Secondary Boot Loader) , then the PBL loads Params(a partition on the OneNAND) and checks the pins on the processor for commands. The PBL then makes more memory available for applications, then locates and and loads the SBL. The SBL initializes other functions and then locates and loads the kernel.
The SBL is responsible for Download Mode and the SBL prompt. it is basically the system's "BIOS" for lack of a better word. I'm not sure of the steps which can be skipped for sucessful download mode.
The iRom download it broken.
Ill look at it once your reupload
Some kid reported the iROM code as being in violation of the terms of agreement of the hosting website... It must have been a kid because Samsung would not do that. Just as we have a right to use tools to disassemble our phones, take pictures, annotate those pictures and post them on the internet, we have the same right to the IROM. It's not hurting Samsung's sales, nor is it intellectual property of Samsung. We bought the phones and it came with this. The only intellectual property in this document belongs to the person who disassembled and annotated this code.
I've rehosted it here: http://teamkomin.googlecode.com/svn-history/r75/branches/IROMcode/bootdumps.rar
here: http://www.mediafire.com/file/c9bg6gyk1cuapsz/bootdumps.rar
and here: ftp://[email protected]/bootdumps.rar username xda password developers
Lets not be childish and hinder progress anymore by clicking buttons. I've removed that ability.
I think this is a wonderfull bunch of work that is being done here and if i can offer any assistance please let me know. If you would like a private IRC channel to discuss your work in with other developers I would be more than happy to provide to a quiet private place to do so. Just shoot me a pm if i can be of any assistance.
We can really use some SGS folks to help. Check out the lets save some bricks thread mentioned in the first post.
Two quick questions:
1. How would you manage to get these files? First, aren't they burned into the nand? Secondly, wouldn't they be assembled already? How do you disassemble them?
2. Do you have any good links/books on how to learn arm assembly? I know some x86, but I've never found a good link to arm based stuff (or any sort of dev platform, for that matter).
Sorry about being semi-offtopic.
Subscribed, and very interested in following progress on this.
Also: Sending PM.
Nothing revolutionary to add just yet.
However, I just finished adding a JTAG breakout to my collection. This is what my current test setup looks like:
We could use some more DIYer's on this project. The biggest thing to have is an Arduino and a microUSB breakout board. We need to figure out how to get this phone to boot from MMC, USB, or UART... and we know Samsung does this to bricks.
this looks interesting.. gonna keep my eye on it
AdamOutler said:
Nothing revolutionary to add just yet.
We could use some more DIYer's on this project. The biggest thing to have is an Arduino and a microUSB breakout board. We need to figure out how to get this phone to boot from MMC, USB, or UART... and we know Samsung does this to bricks.
Click to expand...
Click to collapse
i can build anything, the purchase of and arduino and making the breakout board are easy but i would have no idea what to do with it afterwards.
it is funny the time you posted this because my friend found out about a club that works with arduino boards making all sorts of things and asked me if i wanted to go to there meetings. this thread popped up the next day.
well i may buy an arduino board or 2 but im not sure if even then i can be helpful
Well, a pretty much unexplored area of the phone is the middle battery terminal. The middle battery terminal is a ADC(analog to digital converter) pin. We know for a fact that it triggers something called EXT-I2C (External Inter-Integrated Circuit). EXT-I2C can be used to communicate with any chip on the I2C bus. The I2C bus connects with everything on the phone... Call Processor, OneNand, Memory and Application Processor. Using the EXT-I2C, we would have full control over the phone.
I know the middle battery terminal has something to do with it because I managed to get my phone to boot-loop with the pin disconnected and I saw messages about EXT-I2C NACK( EXT-I2C not acknowledged) when playing with resistance values and watching the UART output on my Arduino MEGA.
The unanswered questions are,
How to reproduce that EXT-I2C message?
What are the Addresses on the I2C bus?
Which pins control the I2C bus?
Here's some of the possible I2C bus connections:
USB VCC
USB Ground
USB D+
USB D-
Batt+ (when powered on USB)
Batt- (when powered on USB)
BSI (Battery Signal Indicator - middle battery pin)
Headphone Left Audio
Headphone Right Audio
Headphone Video
Headphone Ground
all External-SDCard (MMC) connections
all SIM connections
This is something you can bring to the table at that Arduino club. You can also read up on this hackaday article http://hackaday.com/2011/05/11/i2c-101/
If anyone has a good idea of which pins may be OM pins here, let me know..
Side facing LCD screen
Side facing back of unit

The Captivate Development Platform mod AKA UnBrickable Mod

Background
First off, big thanks to TheBeano and Midas5 for teaching me about UART, decompiling bootloaders and figuring out how the OM values work. Their initial work and dedication in "Lets Save Some Bricks" inspired me greatly. Since the work started we've analyzed UART outputs, hacked the heck out of the SBL prompt, obtained both decompiled and source for bootloaders, and generally learned a **** ton about our devices... Mind you, that's a Metric **** ton, not the Imperial **** ton, which is equivalent to nearly 2000 assloads. The reason I'm branching this operation at the current point is because this modification is specific to our device. The proper modifications for other Samsung devices have not been identified yet. We're first! Yay! We need to focus on Captivate firmware development now. The firmware may encompass all GalaxyS models as well, but this modification will only work on the Captivate.
introduction
I'm not kidding when I say UnBrickable. Modifying the OM pins means you can boot from USB, UART or MMC. This makes the phone quite UNBRICKABLE. There is nothing you can do software wise to prevent the device from booting into this mode. We are communicating with the unrewritable, efused IROM on the processor. It's the thing that makes the system on a chip into a "system on a chip".I am here now to tell you how to turn your Samsung Captivate into a KIT-S5PC110 development board. The KIT-S5PC110 development board is the platform used to develop our phones. There are some differences between this mod and the official development platform. The S5PC110 has a removable internal SDCard and no touchscreen.
Why would you want to do this? When you plug in the battery and connect it to the computer in "off" mode, it will become an S5PC110 board awaiting download of a program to run. This occurs long before anything like software or firmware enters the processor. This is the IROM of the device awaiting commands or a power on signal.
Because it is accepting a memory flash, anything may be put onto the device to perform a boot sequence..... Apple iOS (iPhone4 has the same processor) WP7 (mango supports this processor).
This will be a replacement for JTAG once we are able to make some firmware. How could it possibly be better then JTAG? Let's count the ways....
1. The only part required is a wire.
2. No shipping time.
3. No cost for a box to interface the computer.
4. Permanent.
5. Can be done as a preventive measure.
6. Gives the ability to test new Bootloaders temporarily.
7. Allows development of the entire system.
8. Removes worry about flashing and acts as a backup.
After performing this mod:
Remove the battery, replace the battery, your phone will connect to the computer via USB and await commands. Otherwise it will pretty much act like a captivate. See the Special Instructions section.
Modification
You will need:
1. Get someone who knows what they're doing with a soldering iron. If they don't know what flux is, then they don't know what they're doing. You can send me a PM(my username @gmail.com) or Connexion2005(aka MobileTechVideos.com). Note: I do not work for/with mobiletechvideos.com.
2. soldering iron - make sure it's sharp, if it's not sharp, then sharpen it, flux it and retin it.
3. flux
4. solder
5. tweezers
6. A relay (for the wire contained within)
getting started:
You will need a very small peice of wire. Tear apart the relay unravel the coil within and grab about 12cm~ of wire. The fact that it comes from a relay is important because relays generally have very small wire which are individually treated with a non-conductive coating.
Take the 12cm~ wire from the relay and tin the very edge of it. No more then 1/32". If you tin more then 1mm, cut off the excess. It is desirable to have a slight bit of excess solder on the tip of this wire.
performing the modification:
1. tear apart your phone... remove 6 #0 phillips screws from the back. Two of them are under the battery slide flap. The slide flap must be up on one end and down on the other in order to get to these screws... Don't LIFT the slide flap, just rotate it at an angle. Once the 6 screws are out, then you can separate the back from the front. Make sure to take out your SIM and external SDCard before you do this.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
2. remove the mainboard... there's a single screw and 5 connectors which require removal. Remove them. Pull the board out and place it on your workspace
3. remove the EM shield from the processor side.
4. remove the OM5 resistor in the picture below. It's coated in glue. I've found the best thing is to just coat the area in flux and let it do the work while prodding with the iron to move the resistor out of place.
5. Connect the active side of xOM0 resistor to the active pad on OM5's resistor pads.
http://i51.tinypic.com/160zmty.jpg
6. reassemble the phone.
Special Instructions
This replaces the battery charging sequence. The normal battery charging sequence can be activated by holding power for 4 seconds.
To turn on the device, and operate in normal mode, you must hold the power button for 5 seconds.
3 button Download mode works as usual, however you must not have the S5PC110 drivers installed on the computer. You can use your custom rom menu option, adb reboot download, or use a terminal to "reboot download". 301Kohm Factory Mode JIGs work as well, but you must press power to bypass the S5PC110 mode.
Conclusion
Congratulations. You now have a device which works like a KIT-S5PC110 with an OM Value of 29. Now get to developing some serious custom software. See here for setting up the UART output http://forum.xda-developers.com/showthread.php?t=1235219
reading material
Creating your own Samsung Bootloaders: http://forum.xda-developers.com/showthread.php?t=1233273
KIT-S5PC110 manual: http://www.mediafire.com/?94krzvvxksvmuxh
how to use DNW: http://tinyurl.com/dnw-how-to
Flash using openOCD and DNW: http://www.arm9board.net/wiki/index.php?title=Flash_using_OpenOCD_and_DNW
another DNW example: http://www.boardset.com/products/mv6410.php
ODroid dev center: http://dev.odroid.com/projects/uboot/wiki/#s-7.2
drivers and utilities
This will be an ever expanding list
Windows Drivers http://forum.xda-developers.com/attachment.php?attachmentid=678937&d=1312590673
Windows Download Tool DNW: http://forum.xda-developers.com/attachment.php?attachmentid=678938&d=1312590673
Windows Command Line tool: http://forum.xda-developers.com/showpost.php?p=17202523&postcount=27
Linux DNW Utility: http://dev.odroid.com/projects/uboot/wiki/#s-7.2
Linux Detector tool: http://forum.xda-developers.com/showthread.php?t=1257434
Linux Automated UnBricker:http://forum.xda-developers.com/showthread.php?t=1242466
firmware
Bootloader Hello World by Rebellos http://forum.xda-developers.com/attachment.php?attachmentid=698077&d=1314105521
UnBrick tool http://forum.xda-developers.com/showthread.php?t=1242466
Great work adam. cant wait to see this used to reflash bootloaders or something.
now we need firmware... i figured adam would have flashed something already , and thought about getting back from that flash later
https://github.com/teamhacksung/uBoot
possibility of uBoot on our devices... so much nicer than our current bootloaders. initial work has been done by codeworkx for compatibility with our boards, but (obviously) hasn't been tested
COOOL
looks good
Very exciting work y'all! Any plans on using it to dual boot Andbuntu/iOS?
Wow dude, you do some great work. Keep us posted!
Now if it only was a light sabor too....
i did a little bit of reading and definitly agree it would be cool to get uboot on our phones,
along with unbicking devices.
I would love to help sadly I have no knowledge of this low level stuff, or soldering skills.
I will watch this thread closely. Good luck guys.
http://www.linuxfordevices.com/c/a/...s-UBoot-the-universal-open-source-bootloader/
I was attempting to see what i could "upload" from my daily phone. I messed up my daily phone while performing this modification. I was trying to remove the xOM5 resistor and got impatient. I broke it off, it took the pad with it and I and was left with only a .001mm wire on the board. I attempted to solder it for about 6 hours straight and after a while I swiped off 5 resistors in a line. I'm sure I could repair it, but I just went and bought another phone.
Lesson: Take your time, and don't try to force anything. That glue is tough and it acts as a heat sink. Remove the glue from one side of the resistor, heat the entire resistor up and let it slide off. Don't try to speed it up.
Once you perform this modification everything works just fine. No problems. It's a risky procedure though.
I still have not tested any firmware sucessfully. I tried a few precompiled uboots, but I did not yet try the uboot mentioned above.
This looks awesome, although I'm hesitant to do it, because there's always that chance that I will need to RMA. Sorry about your phone Adam, I think everyone in the forum is probably in love with you now though!
Sent from my SAMSUNG SGH-I897 using XDA Premium App
I would add that when doing this work, you should use ESD protections. Wrist strap (you can rig a homemade version), ESD mat, etc. Not as big of a risk in a humid environment, but as relative humidity drops, the risk increases. You can never be to safe if your phone is valuable to you. Typically, consumer electronics are hardened to ESD through connectors and the housing, but when you are directly handing the PCBA, you are potentially bypassing the hardware filters.
I need something to flash with this bad boy now.
Sent from my GT-I9000 using XDA Premium App
Adam, thanks for all your work, and everyone else for that matter. Connexion never responded to my PM about jtag work, but this little modification is so damned easy I went ahead and did it. I'll be patiently waiting for a firmware we can use to reflash bricked phones in the future.
Again, thanks a ton!
I don't need to rework the board do I? As in is picture 4 simply for reference?
Proxyep said:
I don't need to rework the board do I? As in is picture 4 simply for reference?
Click to expand...
Click to collapse
Picture 6.
Adam, did you try tracing the i2c?
It might give us an un-brick mode without even soldering om5.
So what would this exaclty do?, dont wanna do it till i know exactly what it does.
Sent from my Cappy with Glitch V11 LL at 1.6GHz stable, Juwe's RAM script, V6 script, V8 kickass kernel tweaks, and 3G booster script using XDA Premium App
midas5 said:
Adam, did you try tracing the i2c?
It might give us an un-brick mode without even soldering om5.
Click to expand...
Click to collapse
No, I have not been messing with hardware since I found the OM5 mod. I wish to develop this further. If you can get me a pin number to trace I will do that. Please look up the pin in the S5PC110 manual and I will trace it... I've been very busy locating software for this mod.
b-eock said:
So what would this exaclty do?, dont wanna do it till i know exactly what it does.
Sent from my Cappy with Glitch V11 LL at 1.6GHz stable, Juwe's RAM script, V6 script, V8 kickass kernel tweaks, and 3G booster script using XDA Premium App
Click to expand...
Click to collapse
Currently we are running into this:
Code:
��������������������������������������������������������������������������������
Uart negotiation Error
Secure Fail Error
Secure Fail Error is likely because the uBoot I am loading violates the S5PC110 chain of trust. I am working to locate software which will not violate the chain of trust.
See this post for more:
popfan said:
I found this while waiting for the reply from Samsung.
http://www.aesop.or.kr/?document_srl=266600&mid=Board_Download_S5PC100
This is Linux Native - Complier Package
Please note this is in Korean.
One more found:
http://www.aesop.or.kr/?mid=Board_Download_S5PC100&page=2&document_srl=75581
USB OTG-Mon Binary ??
Last one - S5PC100 Code Visor Debug resource
http://www.aesop.or.kr/?document_srl=267106&mid=Board_Download_S5PC100
Click to expand...
Click to collapse
I have a 3 day waiting period for my id on that site to become active, at which point, I believe we will have a solution.
I believe the binary on this page will be the solution http://www.aesop.or.kr/?mid=Board_Download_S5PC100&page=2&document_srl=75581
b-eock said:
So what would this exaclty do?, dont wanna do it till i know exactly what it does.
Sent from my Cappy with Glitch V11 LL at 1.6GHz stable, Juwe's RAM script, V6 script, V8 kickass kernel tweaks, and 3G booster script using XDA Premium App
Click to expand...
Click to collapse
Allows you to boot from things other than the internal sdcard, and overwrite memory on the phone. Basically, if you break a bootloader, this is the only thing that could fix it beyond re-jtaging it.
At this point, there's no real point unless a) your device is bricked or b) Adam gets the software half up and running, in which you could do it as a pre-emptive measure.

Reverse engineering the Blu Studio 5.3 dock port

Okay. It seems that Blu Products isn't going to explain anything about the dock port on their Studio 5.3, so I am embarking on a project to reverse engineer it. I'll update my progress here.
Pictures of the dock port:
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Pictures of the plug that fits it. It's the same 30-pin plug as found on the iPod and a bunch of other devices.
(Last 3 images from https://www.sparkfun.com/products/8295)
What I just ordered to work on this project:
(Again from https://www.sparkfun.com/products/8295)
Here's what I've figured out so far.
The cable from my iPod Nano 6th gen has pins 1, 15, 16, 23, 25 and 27. All others are missing. I haven't had time to analyze it all yet, but according to allpinouts.org, 1 is a ground, 15 and 16 are grounds and are tied together (internally on the iPod motherboard), 23 is USB +5v, and 25/27 are USB Data+/- OR, alternately, they are resistor-to-ground value-based signals.
My theory so far is that there is some internal resistance between the pins in this cable and other pins or ground; because plugging just the cable in--with it not being plugged into the USB port--disables the Blu's touchscreen and automatic screen rotation features and locks the screen in whatever position it's in when you plug in the cable. (Although interestingly, if you plug it in in landscape mode, you can use the screen rotation lock hardware button to put it back to portrait mode.) Plugging the other end of the cable into a USB port brings up the Recent Apps display (the thing that comes up when you hold the touchscreen home button down) and the phone says it's charging, but the touchscreen is still disabled. Not sure if it's actually charging or not; I'm gonna leave it plugged in for awhile and see. The phone does not show up as a new USB device when this (iPod) cable is plugged into the dock port.
Once I get the breakout board I'm gonna take the phone apart and see if I can trace where the pins in this dock port go. I'm also going to wire up a USB cable to the breakout board and see if I can get the phone to enumerate.
Hopefully I never toast my phone.
Edit for more pics from teardown:
Notice that this ribbon cable is 3 layers; those are little pieces of a paperclip holding them apart to show the layers.
It really looks like PDMI connector
If it IS a PDMI connector, would getting a usb-to-pdmi cable work to connect to the phone? I've never used pdmi. I know the Dell Streak has a pdmi port though.
You should open it to see what chips are used in that thing. That will help you a LOT to figure out what is going on...
lvnr00tddrd said:
If it IS a PDMI connector, would getting a usb-to-pdmi cable work to connect to the phone? I've never used pdmi. I know the Dell Streak has a pdmi port though.
Click to expand...
Click to collapse
I have both Dell Streak 5 and Blu Studio 5.3 and I can comfirm that the pdmi cable for the Streak does not fit in the Studio 5.3.
The ports on both are the same width and same number of pins but the Streak's pins are arranged on 2 wedges, for lack of a better term, whereas the Studio and ipods are 2 rows of pins on both sides of a single wedge. It's like the Streak has a female type port and the Studio/ipods have male type ports.
This could be some kind of dock connector that Blu has not released for our version. I've been doing some research on this phone to find the original recovery firmware and found that this exact phone is being sold under the following names:
Blu Studio 5.3
Texet TM-5200
Umeox X-Land / X-5
Pearl Simvalley SPX-5
On every "rebranded" listing I found they all had this port so it isn't just unique to the Blu. Also might try seeing if anything can be found for the MTK6573 chipset that would include this port. More info on this chipset here mediatek.com /en/Products/ featured_content.php?sn=2 {will have to copy / paste too new to post links yet}.
I've also found other indications through russian and chinese sites that this thing is being pushed in some countries as an iPhone knockoff with a custom "iOS" skin / launcher. Hard to tell for sure due to some things being lost in translation.
So to wrap it all up I would almost go for a crazy guess that this might be used on some of the "iPhone" knockoffs to fake as a 30-pin connector that may or may not actually work or only work for charging.
Its seems like its a docking port for a keyboard. I found this for Pearl Simvalley SPX-5 site found at http://www.pearl.de/a-PX3502-4072.shtml.
Now we know. I think I may import one of these to see if it works on the Blu as well. Might be disabled in the firmware though....
Just got the PodBreakout board. To the soldering station I go. Send good karma my way.
I took the entire thing apart. Everything is under full-board metal shields as can be seen from the recent post-op pic. (You can also see the breakout board.) My phone still works, so I'm not prepared to go pulling the shields off just to see what's under them. I think that the only things would be the MediaTek CPU and some RAM and Flash chips anyway. Everything else is pretty tightly integrated.
Puppeto if you get ahold of one of those keyboards please keep us updated.
Behold the wonders of voiding your warranty:
Ok here's what I've figured out so far.
1. Make sure if you take your phone apart that you reconnect all the connectors inside the phone, or else you'll spend an hour trying to figure out why the dock port won't work at all before realizing what you did.
2. Onward to real research, here's what's been found so far.
Connecting pin 15 to 16 disables the touchscreen, but there is a threshold that must be met that I haven't found yet. If the 2 pins are directly tied together the touchscreen is disabled, and if there's a 3k resistor between them it is, too. But if there's a 100k resistor inline it doesn't disable the touchscreen.
Pin 1 appears to be a ground pin.
Pin 16 is USB ground
Pin 23 is USB +5 volts
It DOES charge when just Pins 16 and 23 are connected. My next step is to find which pins are the USB Data +/-. As can be seen below, it's non-standard.
Connecting Pin 27 to ground presses the hardware multifunction button (bottom middle of the front panel)
Pin 6 to ground presses hardware power key
Pin 29 to ground presses hardware volume down key
Pin 28 to ground is an oddball. Connecting it to ground through a 10k resistor seems to start the music player AND press the hardware volume up key
Connecting pin 9 to ground with a resistor less than 4k causes a white screen followed by a black screen and the phone freezing until the battery is removed.
Audio
Pin 3 - Audio Ground
Pin 4 - Audio Right
Pin 5 - Audio Left
The audio pins appear to be connected to the same lines as the headphone jack, only they don't have the hardware external speaker disable (or if they do I haven't found it yet). Apparently, the headphone hardware triggers a software signal of some kind that disables the external speaker. I confirmed that this is the case by plugging in a set of headphones, in which case these lines still give the audio output but the external speaker is disabled. Apparently this is something that can be controlled from within Android, because there were some bug reports awhile back about the external speaker not disabling when headphones were plugged in. So we need to find (or maybe someone can write?) an app that does nothing but disable the external speaker while leaving the headphone line active.
No luck yet on getting USB working. Still hoping someone here can help me out with knowing how to monitor what's going on by using adb?
Puppeto any luck on that keyboard?
FYI received the keyboard, plugged it in, and YES it works. Didn't receive a prompt or anything when I plugged it in. I opened up a notepad app and just started typing away.
I do forewarn you though it is very cheaply made. Not something I would recommend anyone wasting their time or money on. I found it faster to just type on the screen.
Puppeto would you mind taking the keyboard apart and taking some high-res pictures of it? It would be very very helpful I think because it will have the data lines and possibly some other stuff
Please guys, is there no one trying to get flash working on this phone?
Adobe flash player worked great, however it need some mod
First install MX player then it will ask for special codec, so install them as recommended.
then you need to install UC browser ( try latest version )
Finally install flash 10.3.185.360_armv6.apk from xda
run uc browser, everything fine.
My only concern is Video skype, I couldnt run any version of skype that enables Video call please can anybody help
Hi guys,
As you can see I'm new at the forum, but I have a Motorola Atrix 4G, Rooted, Unlocked BOOTLOADER, and with the NOTTACHTRIX ROM Installed with the Darks Side Kernel....
I also recently bought a Blu Studio D510, and I have an issue with play music...
I tried with several music players, and I'm still not success...
All the type of files that I tried are .mp3 and .wma
Do you know were I need to put the files in order to used the music player?
Thank You...
Can someone please provide the ROM without the bloated softwares(facebook, twitter etc.). Just the barebone os. Reason for this is I can then install apps I want and move them to memory card. More memory available.
Found this link which seems to be the ROM. Can someone verify: http://www.pearl.de/support/product.jsp?pdid=PX3459&catid=4073&nodocs=1
chrismotto said:
Can someone please provide the ROM without the bloated softwares(facebook, twitter etc.). Just the barebone os. Reason for this is I can then install apps I want and move them to memory card. More memory available.
Found this link which seems to be the ROM. Can someone verify: http://www.pearl.de/support/product.jsp?pdid=PX3459&catid=4073&nodocs=1
Click to expand...
Click to collapse
Its not the rom. If you are willing to try some other roms for this device (i cant find a blu rom either), search for either the umeox x3 original rom or the texet tm-5200 original rom. the umeox is in chinese and the texet is in russian but change the language in the options and change the launcher and everything should be fine. I have found the texet to be a little lighter and faster, however, i couldnt get any of the drivers to work for it. umeox uses the spx-5 drivers which windows is able to find easily. Im looking for a rom for the pearl simvalley spx-5 phone which is another clone and uses the same hardware, but i havent any luck yet. right now, though im using the umeox which also was able to be rooted with SOC and its working fine so far.. hope i could help
virustwin
Please share the link to this ROM. Thanks a lot.
Hey you all can anyone please supply me with a link to obtain the actual stock rom for the blue studio 5.3 or even a custom rom would be of great help thanking you in advance
Sent from my BLU Studio 5.3 using xda app-developers app

[SOLVED] Bricked i9500

Pretty sure I already know the answer to this question, but just on the off chance anyone has any ideas
The power button failed and got stuck pressed in, causing the constant rebooting, removed the power button, and the phone worked again using the quick battery replace trick to power it up
Decided to flash a new ROM to it because something had messed up with the one that it was running and WiFi stopped working, apps wouldn't install
Firmware upgrade with ODIN failed and left the phone with the error of Firmware encountered an issue, recover using KIES etc etc
The phone boots directly to that error when USB is connected
We don't have a power button, I bought two, and attempted to solder one on today, after two hours I admitted defeat, it's just too tiny, and my soldering iron too big
One of the contacts on the board seems to have come off with the button too, so doesn't look like we can fix that, so basically this is an S4 without a power button, stuck on the firmware error screen
I've tried holding Volume Down & Home while connecting USB, but it still just boots to the error screen
No Download mode, No Power button, Stuck on the firmware error screen, and KIES says GT-I9500 can not be initialized when I try to run the firmware recovery program
Is she dead, or can anyone think of a method I've missed to at least get this thing back up and running a ROM again?
Thanks
When I encountered that issues I simply flashed a bootloader with odin.
Problem is, you need to get into download mode.
GDReaper said:
When I encountered that issues I simply flashed a bootloader with odin.
Problem is, you need to get into download mode.
Click to expand...
Click to collapse
Yep, and there lies my problem, without a power button, I can't get into download mode
Pretty sure it's dead, but because I know it's not really dead (If it had a power button) it makes me not want to give up just yet
That, and it's my brothers phone he's asked me to try and fix
Hi @*Detection* have you tried a usb jig?
It will force the phone into download mode even from a powered off state.
AFAIK it works on any/every Samsung device....
And about the contact on the board.....There *is* possibly a workaround.....
If you live near a Maplin store, you can get some electrically conductive 'silver' paint that you can use to repaint the contact and possibly even electrically bond that side of the power button (a steady hand and a very fine artists paintbrush is all that's needed)......
http://www.maplin.co.uk/p/electrically-conductive-silver-paint-n36ba
http://i.imgur.com/rVnFwJM.jpg
keithross39 said:
Hi @*Detection* have you tried a usb jig?
It will force the phone into download mode even from a powered off state.
AFAIK it works on any/every Samsung device....
And about the contact on the board.....There *is* possibly a workaround.....
If you live near a Maplin store, you can get some electrically conductive 'silver' paint that you can use to repaint the contact and possibly even electrically bond that side of the power button (a steady hand and a very fine artists paintbrush is all that's needed)......
http://www.maplin.co.uk/p/electrically-conductive-silver-paint-n36ba
http://i.imgur.com/rVnFwJM.jpg
Click to expand...
Click to collapse
Nice thinking about the Jig, I'd completely forgotten there was such a thing cheers, I`ll see if I have a 300K Ohm resistor, if not I`ll probably just buy the Jig pre-made
Not sure about the contact repair, even if I managed it, I can't solder a new button on anyway, the contact was there originally, but after 2 hours and 2 new buttons, it was gone, must have come off with one of the buttons when I de-soldered it
Watched endless videos of people soldering them on, and it looks simple, loads of room, but in reality it is not, and there is no room at all
EDIT - Decided to just order a Jig, no doubt it will come in handy in the future too
http://www.ebay.co.uk/itm/151494728184
Cheers Keith, I`ll update once it arrives
*Detection* said:
Nice thinking about the Jig, I'd completely forgotten there was such a thing cheers, I`ll see if I have a 300K Ohm resistor, if not I`ll probably just buy the Jig pre-made
Not sure about the contact repair, even if I managed it, I can't solder a new button on anyway, the contact was there originally, but after 2 hours and 2 new buttons, it was gone, must have come off with one of the buttons when I de-soldered it
Watched endless videos of people soldering them on, and it looks simple, loads of room, but in reality it is not, and there is no room at all
EDIT - Decided to just order a Jig, no doubt it will come in handy in the future too
http://www.ebay.co.uk/itm/151494728184
Cheers Keith, I`ll update once it arrives
Click to expand...
Click to collapse
I doubt you'll need to solder the button ribbon to the layer of dried paint (I wouldn't expect to be able to anyway).....My thinking was......
If the paint adheres to the circuit board, then by definition, anything that is put on top of it will adhere to it too.....
So, paint a layer onto the circuit board, let it dry, then paint another layer on top, put the ribbon in place and allow it to dry.....
In theory, that *should* electrically bond the ribbon in place without the need to solder it. It won't be physically as strong a bond as a solder bond, but it will be electrically sound.
Edit.....ignore my reference to a ribbon, (I'd assumed the button was similar to the S2) just found out its mounted directly to the motherboard......
A 'blob' of superglue gel (somewhere away from the contacts) will hold the button firmly in place. Then simply painting the connections instead of soldering them is all that's needed.
http://i.imgur.com/rVnFwJM.jpg
keithross39 said:
I doubt you'll need to solder the button ribbon to the layer of dried paint (I wouldn't expect to be able to anyway).....My thinking was......
If the paint adheres to the circuit board, then by definition, anything that is put on top of it will adhere to it too.....
So, paint a layer onto the circuit board, let it dry, then paint another layer on top, put the ribbon in place and allow it to dry.....
In theory, that *should* electrically bond the ribbon in place without the need to solder it. It won't be physically as strong a bond as a solder bond, but it will be electrically sound.
http://i.imgur.com/rVnFwJM.jpg
Click to expand...
Click to collapse
It's not a ribbon, it's a 4mm x 2mm button, with 5 solder points, 3 for power contacts at the back, and 2 for mounting it to the board
Leaving about a half mm gap between shorting them all together, and getting it right
Basically impossible with what I have to solder with
This image is about 2-3x bigger (On the non zoomed part) than the physical size
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
*Detection* said:
It's not a ribbon, it's a 4mm x 2mm button, with 5 solder points, 3 for power contacts at the back, and 2 for mounting it to the board
Leaving about a half mm gap between shorting them all together, and getting it right
Basically impossible with what I have to solder with
This image is about 2-3x bigger (On the non zoomed part) than the physical size
Click to expand...
Click to collapse
Yeah, just figured that out....see my post above.....
And the edit....forget the superglue....those 2 solder points negate the need for that....
http://i.imgur.com/rVnFwJM.jpg
This is the actual button on my finger
And pretty close to actual size
*Detection* said:
This is the actual button on my finger
Click to expand...
Click to collapse
Lol....yeah, I know, they're tiny....that's why I suggested the paint.....much easier than soldering (I've had to do something similar myself.....hardwired headphone socket).....
http://i.imgur.com/rVnFwJM.jpg
Don't think paint would hold up to the constant and possibly rough button pressing, even the two front mount solder points are next to impossible to solder without it shorting the two rear side connectors
Just far too small (See my edited image of actual size)
And my soldering iron is a PoS, solder didn't want to stick to it unless I scraped it down to the bare metal with a stanley blade, and as soon as flux touched it, it stopped the solder sticking to it again
Need to buy a new one really
EDIT - I have a load of old electronics lying around, any idea what would be most likely to have a 300 ohm resister in it?, so far everything just seems to have caps.
Yes I'm impatient, Jig isn't coming till Tuesday
You could try soldering 2 small cables to the power connectors, might not be as difficult to solder on as the power button, at least you could work with that to get into download mode.
And if you cant find a 300ohm resistor, you can make your own.
https://www.youtube.com/watch?v=VPVoY1QROMg
Backe888 said:
You could try soldering 2 small cables to the power connectors, might not be as difficult to solder on as the power button, at least you could work with that to get into download mode.
And if you cant find a 300ohm resistor, you can make your own.
https://www.youtube.com/watch?v=VPVoY1QROMg
Click to expand...
Click to collapse
lol, nah I don't think I could be bothered to make my own resistor
Tried soldering a single strand of wire from an old 12v cable to each connector, but they just kept coming off, the part needed to solder to is just too small
You think the power button is tiny, the solder points are a 10th the size, if that
OK, so it got the better of me and I went out and bought some 300k ohm resistors, and some 100k ohm too
Took a MicroUSB cable apart, but I'm met with 2 pins on one side, which are both grounded and connected together
And 4 pins on the other side, one of which is also ground, Black
The video says I should have 2 pins on one side, and 3 on the other
Every single combination of pins using the Jig/Resistors does nothing
I've Multimeter tested the resistors and they are 300k Ohm, same with 3x 100k together
Any ideas?
I've now destroyed 2 USB cables and have 4 pins on one side of the 2nd cable too, and none on the other side
This guide over on the S2 forum
http://forum.xda-developers.com/showthread.php?t=1604707
gives step by step instructions on how to make one.
http://i.imgur.com/rVnFwJM.jpg
I've managed it, I had to take the entire MicroUSB jack to pieces, turn the pins upside down so I actually had a connection to the ID pin, which neither of the MicroUSB cables had the correct way around, and then I could Jig it with the resistors
Flashed TWRP, working, now downloading a stock ROM
Hopefully it doesn't brick it again, a stock ROM for the i9500 is what bricked it in the first place, flashing recovery unbricks it, so it's recovery that's killing it
Not sure why a stock i9500 ROM is bricking an i9500 yet
Cheers for the Jig reminder Keith, appreciate it
*Detection* said:
I've managed it, I had to take the entire MicroUSB jack to pieces, turn the pins upside down so I actually had a connection to the ID pin, which neither of the MicroUSB cables had the correct way around, and then I could Jig it with the resistors
Flashed TWRP, working, now downloading a stock ROM
Hopefully it doesn't brick it again, a stock ROM for the i9500 is what bricked it in the first place, flashing recovery unbricks it, so it's recovery that's killing it
Not sure why a stock i9500 ROM is bricking an i9500 yet
Cheers for the Jig reminder Keith, appreciate it
Click to expand...
Click to collapse
How are you accessing recovery? Have you got usb debugging enabled so that you can use ADB commands? It *might* simply be that the lack of data wipe is all that's stopping the device from booting post flash.
http://i.imgur.com/rVnFwJM.jpg
---------- Post added at 11:06 PM ---------- Previous post was at 10:59 PM ----------
For info, and possibly some extra help, I've found a website full of engineer/repair firmwares. From what I understand, they completely erase any trace of a pre existing OS when flashed (instead of overwriting as in a normal firmware flash)
These firmwares *should* negate the need to data wipe after flashing......
http://www.tsar3000.com/Joomla/inde...ader-csc-pit-files&catid=55:samsung&Itemid=82
http://i.imgur.com/rVnFwJM.jpg
keithross39 said:
How are you accessing recovery? Have you got usb debugging enabled so that you can use ADB commands? It *might* simply be that the lack of data wipe is all that's stopping the device from booting post flash.
http://i.imgur.com/rVnFwJM.jpg
---------- Post added at 11:06 PM ---------- Previous post was at 10:59 PM ----------
For info, and possibly some extra help, I've found a website full of engineer/repair firmwares. From what I understand, they completely erase any trace of a pre existing OS when flashed (instead of overwriting as in a normal firmware flash)
These firmwares *should* negate the need to data wipe after flashing......
http://www.tsar3000.com/Joomla/inde...ader-csc-pit-files&catid=55:samsung&Itemid=82
http://i.imgur.com/rVnFwJM.jpg
Click to expand...
Click to collapse
Thanks, downloading one of them now, I can access download mode with my Jig fairly easily now, and yes, I used adb reboot recovery to get back into TWRP, but the stock ROM already installed gave a security warning about unauthorised changes, and then flashed stock recovery back on boot
So I've worked out by flashing TWRP with ODIN, Auto reboot enabled, reboots straight into TWRP each time it's flashed, so I have a method to access recovery too now
PITA having no power button though
Recovery firmware flashed a treat, cheers, running stock 5.0.1 nice and smooth
adb reboot bootloader just reboots the phone into Android, got to use the Jig for download mode, gonna root tomorrow, and then I can install something like Quick Boot for that
Jobs a good'n, cheers bud
No problem fella....glad I could help....
http://i.imgur.com/rVnFwJM.jpg

[Tutorial] AC8227L head units - how to unlock the bootloader

If you have one of these 8227L units that doesn't have any physical buttons, and you've tried to unlock your bootloader, you may have given up in frustration when the on-screen instructions say, press volume down to continue...
If you have one of the units that does have physical buttons, your process will be similar but much simpler, as you won't have to take your unit apart, so you can follow along with this tutorial after that portion is done.
Disclaimer: If you don't have physical buttons on your unit, you're going to have to dismantle it and potentially do some soldering to get through this. The points in question are tiny and if you permanently short them or apply too much heat and lift a pad, you could get stuck with a unit that's permanently muted or just bricked altogether. You have been warned about the risks, and I am not responsible for any damage you may incur!
Here's how it's done.
Prerequisites:
8227L unit with no physical buttons
Phillips screwdriver
Comfort with soldering on fairly small stuff
(You might get by without having to do any soldering, but if you can solder, you'll have an easier time)
PC of some type, probably a laptop if you want to do this inside a vehicle
adb and fastboot installed - there are plenty of tutorials on this elsewhere on these forums
It is possible to root these things without unlocking the bootloader, so if your device happens to be
rooted already, note that you'll be able to skip the adb portion entirely by installing a reboot utility
from the play store that allows you to just reboot the device to bootloader mode, but you'll still need to
use fastboot over USB.
If you need to bring the unit inside to get to a computer, you'll need a 12v power supply of some type
USB A male to male cable - that's just a cable with a "full size" usb plug on both ends - You can just chop up two old USB cables and splice them back together by matching the colors of the inner wires to make your own if need be.
We're going to be disassembling the unit, so obviously you'll want to completely disconnect it first.
On the backside of the unit there is a Phillips head screw at each corner, go ahead and pull those out and put them someplace safe.
Once you remove those screws, the back of the unit is loose, but don't just pull up on it! It's still connected to the board, which is connected to the screen assembly by some fragile ribbon cables, and you don't want to tear those! The cables attach towards the bottom of the screen, so tilt the back of the unit away from the screen top side first, opening it like a book. This will reveal the three ribbon cables we need to disconnect. They connect into three plastic connectors (They're called ZIF or Zero Insertion Force connectors) attached to the board that can also be fragile, so take care with this next step. On the back side of each connector, the side away from the ribbon cable is a little plastic "flap," usually black in color. Take your fingernail or a plastic spudger, or a toothpick or something (non-metallic preferably) and get underneath that and flip it upwards. The flap should stay in the connector and just hinge open. Once this is done, the ribbon cable itself should come out easily. If you have to apply any pressure to get it out, you don't have it unlocked and you will damage something, so make sure you've got it unlocked before you go pulling on the ribbon cables.
With the ribbon cables disconnected, the screen assembly can be set to the side for the time being. We now have access to the front side of the board, but what we need is on the other side, so we'll have to remove it completely from the housing. There will be 4 or 5 more Phillips screws to remove, depending on your model. Once you get those out, you can pull the board free and flip it over. We're looking for 5 small copper pads exposed on the surface of the mainboard, in the area of the CPU, RAM and NAND/EMMC memory chips. I have attached an image that I borrowed from elsewhere on these forums, because I don't have a unit opened up right now and didn't want to take one apart just to take some pictures.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
In the image I attached, you're looking for the points marked 1 and 2. The caption on the image suggests they connect to Volume Up, but on every unit I've seen these points connect to Volume Down. Your mileage may vary. The layout of these points can vary from model to model, but they're always in this area. On all the models I have seen, two of these points are slightly larger than the rest, and those are the two we're concerned with for now. You may here this referred to as the "test point," but in fact these points simply expose access to Home, Back, Volume Up and Volume Down. Of the two bigger points, one of them will be ground. (If you know your way around a multimeter you can verify which one by checking for continuity to ground elsewhere on the board, but it's really not important for our current purposes which is which.) The next part will be much, much easier if you can handle soldering on stuff this size. We need to have access to momentarily short the two bigger points. The one that isn't ground is volume down, and making a connection between the two sends a Volume Down key press. (If you have identified which is ground you can access Home, Back and Volume Up by shorting it to the three smaller points) At first, I thought I'd just be able to touch the two points with a
screwdriver to accomplish this, but I never ended up getting that to work. If your unit is a bit different than mine, you may have more luck with that. But in my case, I needed to tin both points (that simply means to apply fresh solder to them) and attach a small wire to one of them. (The jumper wires that come with an Arduino work great for this if you have any of those laying around, otherwise just use a really small wire of some kind.) This jumper wire is going to function as our "volume down" button for the next part. These are also the same points you will need to access if you ever manage to brick your unit and need to get access to the "backup" pre-loader.
Now that we have our "button" in place, we're going to need to connect the ribbon cables for the screen back to the board, power the unit up and get connected via adb. There are two different usb cables that come with the unit. One of them has a 6 pin connector and one has a 4 pin connector. You want to use the one with the 4 pins. At this point you've got to handle the unit with the board exposed, power running through it, and those ribbon cables connected. It should go without saying that you need to be very careful. Don't tear any ribbon cables, and don't let your jumper wire accidentally short out against anything as you turn the unit over to use the screen.
If your unit has a physical volume down button, you can follow along from here and just ignore all the horrific parts about running the unit with the guts hanging out and jumper wires and all that scary stuff.
Once the unit powers on, you'll probably notice that it's not detected by the PC right away. That's because these units default to usb host mode, so they can mount your flash drive or whatever you may store music on and plug into them. So we're going to have to go to the "factory" settings menu. This is the one that asks for a password when you try to go into it. For most units it's 8888, but I have seen a few where the password is 1111. Once you're into the factory settings menu, towards the bottom you should see USB options. Open that menu, and click on "Other" towards the bottom left. On the next screen, tap the "usb mode" option, and you should get a popup where you can toggle between "host" and "device" mode. Device mode may be already selected, but go ahead and click it anyway. After this, you should be able to get a connection over adb. Try entering the command "adb devices" from your command line, and you should see your unit identifed by it's serial number. If it says "offline", go back to the factory settings menu, toggle it to host mode once and then back to device. If you're seeing "unauthorized" there are some pre-requisite steps you're missing. They are covered extensively on these forums and elsewhere, so if you need to find them immediately just search these forums or google for "adb tutorial mediatek device" and you'll find about a dozen walkthroughs. All we need from here is to be able to ender the command:
Code:
adb reboot bootloader
Once you get that done, your device should reboot to the boot logo screen, but it will stay on that screen and display the words "FASTBOOT MODE" Back to the command line of your PC, you can enter the command:
Code:
fastboot devices
to verify that you have a connection. If you're still with me at this point and you're able to communicate with the bootloader through fastboot, enter the command:
Code:
fastboot oem unlock
At this point, the instructions on the screen of your unit will warn you about how Santa Claus won't bring you any presents if you unlock your bootloader, and prompt you to press Volume Down if you really want to proceed. At this point you'll need to use that jumper wire to make the connection we prepared previously to execute the Volume Down entry. You may have to hold it in place for a couple of seconds, but eventually you should get a confirmation that your bootloader has been unlocked! Now, power the unit off, disconnect your jumper wire, and reverse the disassembly process to put it back together. One thing to keep in mind, if you're attempting to flash a new firmware and it comes with a locked bootloader, you'll have to repeat this proces, so if you can get away with it, don't flash the LK partition.
threadreaper said:
If you have one of these 8227L units that doesn't have any physical buttons, and you've tried to unlock your bootloader, you may have given up in frustration when the on-screen instructions say, press volume down to continue...
If you have one of the units that does have physical buttons, your process will be similar but much simpler, as you won't have to take your unit apart, so you can follow along with this tutorial after that portion is done.
Disclaimer: If you don't have physical buttons on your unit, you're going to have to dismantle it and potentially do some soldering to get through this. The points in question are tiny and if you permanently short them or apply too much heat and lift a pad, you could get stuck with a unit that's permanently muted or just bricked altogether. You have been warned about the risks, and I am not responsible for any damage you may incur!
Here's how it's done.
Prerequisites:
8227L unit with no physical buttons
Phillips screwdriver
Comfort with soldering on fairly small stuff
(You might get by without having to do any soldering, but if you can solder, you'll have an easier time)
PC of some type, probably a laptop if you want to do this inside a vehicle
adb and fastboot installed - there are plenty of tutorials on this elsewhere on these forums
It is possible to root these things without unlocking the bootloader, so if your device happens to be
rooted already, note that you'll be able to skip the adb portion entirely by installing a reboot utility
from the play store that allows you to just reboot the device to bootloader mode, but you'll still need to
use fastboot over USB.
If you need to bring the unit inside to get to a computer, you'll need a 12v power supply of some type
USB A male to male cable - that's just a cable with a "full size" usb plug on both ends - You can just chop up two old USB cables and splice them back together by matching the colors of the inner wires to make your own if need be.
We're going to be disassembling the unit, so obviously you'll want to completely disconnect it first.
On the backside of the unit there is a Phillips head screw at each corner, go ahead and pull those out and put them someplace safe.
Once you remove those screws, the back of the unit is loose, but don't just pull up on it! It's still connected to the board, which is connected to the screen assembly by some fragile ribbon cables, and you don't want to tear those! The cables attach towards the bottom of the screen, so tilt the back of the unit away from the screen top side first, opening it like a book. This will reveal the three ribbon cables we need to disconnect. They connect into three plastic connectors (They're called ZIF or Zero Insertion Force connectors) attached to the board that can also be fragile, so take care with this next step. On the back side of each connector, the side away from the ribbon cable is a little plastic "flap," usually black in color. Take your fingernail or a plastic spudger, or a toothpick or something (non-metallic preferably) and get underneath that and flip it upwards. The flap should stay in the connector and just hinge open. Once this is done, the ribbon cable itself should come out easily. If you have to apply any pressure to get it out, you don't have it unlocked and you will damage something, so make sure you've got it unlocked before you go pulling on the ribbon cables.
With the ribbon cables disconnected, the screen assembly can be set to the side for the time being. We now have access to the front side of the board, but what we need is on the other side, so we'll have to remove it completely from the housing. There will be 4 or 5 more Phillips screws to remove, depending on your model. Once you get those out, you can pull the board free and flip it over. We're looking for 5 small copper pads exposed on the surface of the mainboard, in the area of the CPU, RAM and NAND/EMMC memory chips. I have attached an image that I borrowed from elsewhere on these forums, because I don't have a unit opened up right now and didn't want to take one apart just to take some pictures.
In the image I attached, you're looking for the points marked 1 and 2. The caption on the image suggests they connect to Volume Up, but on every unit I've seen these points connect to Volume Down. Your mileage may vary. The layout of these points can vary from model to model, but they're always in this area. On all the models I have seen, two of these points are slightly larger than the rest, and those are the two we're concerned with for now. You may here this referred to as the "test point," but in fact these points simply expose access to Home, Back, Volume Up and Volume Down. Of the two bigger points, one of them will be ground. (If you know your way around a multimeter you can verify which one by checking for continuity to ground elsewhere on the board, but it's really not important for our current purposes which is which.) The next part will be much, much easier if you can handle soldering on stuff this size. We need to have access to momentarily short the two bigger points. The one that isn't ground is volume down, and making a connection between the two sends a Volume Down key press. (If you have identified which is ground you can access Home, Back and Volume Up by shorting it to the three smaller points) At first, I thought I'd just be able to touch the two points with a
screwdriver to accomplish this, but I never ended up getting that to work. If your unit is a bit different than mine, you may have more luck with that. But in my case, I needed to tin both points (that simply means to apply fresh solder to them) and attach a small wire to one of them. (The jumper wires that come with an Arduino work great for this if you have any of those laying around, otherwise just use a really small wire of some kind.) This jumper wire is going to function as our "volume down" button for the next part. These are also the same points you will need to access if you ever manage to brick your unit and need to get access to the "backup" pre-loader.
Now that we have our "button" in place, we're going to need to connect the ribbon cables for the screen back to the board, power the unit up and get connected via adb. There are two different usb cables that come with the unit. One of them has a 6 pin connector and one has a 4 pin connector. You want to use the one with the 4 pins. At this point you've got to handle the unit with the board exposed, power running through it, and those ribbon cables connected. It should go without saying that you need to be very careful. Don't tear any ribbon cables, and don't let your jumper wire accidentally short out against anything as you turn the unit over to use the screen.
If your unit has a physical volume down button, you can follow along from here and just ignore all the horrific parts about running the unit with the guts hanging out and jumper wires and all that scary stuff.
Once the unit powers on, you'll probably notice that it's not detected by the PC right away. That's because these units default to usb host mode, so they can mount your flash drive or whatever you may store music on and plug into them. So we're going to have to go to the "factory" settings menu. This is the one that asks for a password when you try to go into it. For most units it's 8888, but I have seen a few where the password is 1111. Once you're into the factory settings menu, towards the bottom you should see USB options. Open that menu, and click on "Other" towards the bottom left. On the next screen, tap the "usb mode" option, and you should get a popup where you can toggle between "host" and "device" mode. Device mode may be already selected, but go ahead and click it anyway. After this, you should be able to get a connection over adb. Try entering the command "adb devices" from your command line, and you should see your unit identifed by it's serial number. If it says "offline", go back to the factory settings menu, toggle it to host mode once and then back to device. If you're seeing "unauthorized" there are some pre-requisite steps you're missing. They are covered extensively on these forums and elsewhere, so if you need to find them immediately just search these forums or google for "adb tutorial mediatek device" and you'll find about a dozen walkthroughs. All we need from here is to be able to ender the command:
Code:
adb reboot bootloader
Once you get that done, your device should reboot to the boot logo screen, but it will stay on that screen and display the words "FASTBOOT MODE" Back to the command line of your PC, you can enter the command:
Code:
fastboot devices
to verify that you have a connection. If you're still with me at this point and you're able to communicate with the bootloader through fastboot, enter the command:
Code:
fastboot oem unlock
At this point, the instructions on the screen of your unit will warn you about how Santa Claus won't bring you any presents if you unlock your bootloader, and prompt you to press Volume Down if you really want to proceed. At this point you'll need to use that jumper wire to make the connection we prepared previously to execute the Volume Down entry. You may have to hold it in place for a couple of seconds, but eventually you should get a confirmation that your bootloader has been unlocked! Now, power the unit off, disconnect your jumper wire, and reverse the disassembly process to put it back together. One thing to keep in mind, if you're attempting to flash a new firmware and it comes with a locked bootloader, you'll have to repeat this proces, so if you can get away with it, don't flash the LK partition.
Click to expand...
Click to collapse
This is very useful, thanks! However it doesn't cover bricked devices, which I think many people would be interested in fixing. For example, what can be done with these techniques on a damaged unit? Can it be restored from say an accidental wipe from SP Flash tools?
Thanks for the feedback, and to answer your question, yes, there is a way to recover a bricked device utilizing these internal points, even if the memory has been completely wiped.
It's actually something I'm planning to do a tutorial on. Ironically, it was one of the first things I had to learn. Having never owned any device with a MediaTek chipset in it before, I wasn't familiar with how they worked. So before attempting to do any sort of modification to my brand new unit, I hit up these very forums looking for information on how to do a full system backup. The post I ended up stumbling across actually led to me "bricking" my own unit. In hindsight, and having learned a lot about these units since that day, I now realize that I was misunderstanding the instructions, but I feel like it was perhaps poorly worded. One thing that has always existed in the Android modding community (and to be fair, most others like it) is a real lack of comprehensive, completely newbie friendly tutorials/documentation. The fact is, by the time most of us have gained enough knowledge to actually write a tutorial, the basic operations seem so trivial that they hardly warrant the effort of writing a tutorial. It's easy to forget that most of us once needed those tutorials ourselves. So, as long as my ambition keeps up, my goal is to do a whole series of tutorials, as detailed as I can think to make them.
I have another one that I'm working on right now that has ended up taking longer to put together than I anticipated, but once it's finished and I've worked the bugs out of the software I'm releasing to go along with it, I will move the brick recovery tutorial to the top of the list! If you're in need of assistance right now, feel free to ask questions via PM. I'd rather not take this thread off topic.
threadreaper said:
Thanks for the feedback, and to answer your question, yes, there is a way to recover a bricked device utilizing these internal points, even if the memory has been completely wiped.
It's actually something I'm planning to do a tutorial on. Ironically, it was one of the first things I had to learn. Having never owned any device with a MediaTek chipset in it before, I wasn't familiar with how they worked. So before attempting to do any sort of modification to my brand new unit, I hit up these very forums looking for information on how to do a full system backup. The post I ended up stumbling across actually led to me "bricking" my own unit. In hindsight, and having learned a lot about these units since that day, I now realize that I was misunderstanding the instructions, but I feel like it was perhaps poorly worded. One thing that has always existed in the Android modding community (and to be fair, most others like it) is a real lack of comprehensive, completely newbie friendly tutorials/documentation. The fact is, by the time most of us have gained enough knowledge to actually write a tutorial, the basic operations seem so trivial that they hardly warrant the effort of writing a tutorial. It's easy to forget that most of us once needed those tutorials ourselves. So, as long as my ambition keeps up, my goal is to do a whole series of tutorials, as detailed as I can think to make them.
I have another one that I'm working on right now that has ended up taking longer to put together than I anticipated, but once it's finished and I've worked the bugs out of the software I'm releasing to go along with it, I will move the brick recovery tutorial to the top of the list! If you're in need of assistance right now, feel free to ask questions via PM. I'd rather not take this thread off topic.
Click to expand...
Click to collapse
This is excellent news and I look forward to those tutorials! my current MediaTek unit is still in the car (currently looking to buy a proper MTCD/MTCE unit to run Malaysk) so I will be able to play around with my old one and hopefully learn more about how these things work. I bought soldering kit and built an appropriate power source (12V 5A AC/DC adapter), so now I'm good to go
iceblue1980 said:
This is excellent news and I look forward to those tutorials! my current MediaTek unit is still in the car (currently looking to buy a proper MTCD/MTCE unit to run Malaysk) so I will be able to play around with my old one and hopefully learn more about how these things work. I bought soldering kit and built an appropriate power source (12V 5A AC/DC adapter), so now I'm good to go
Click to expand...
Click to collapse
Tutorial has been posted, you can follow the link in my signature.
Hey, just got mtk device with 2gb ram and 16gb storage, I wonder if I can use all the files from this forum or 4pda with my device?
Second, how can I create a full backup of this device ?
Sent from my MI 9 using Tapatalk
zetlaw01 said:
Hey, just got mtk device with 2gb ram and 16gb storage, I wonder if I can use all the files from this forum or 4pda with my device?
Second, how can I create a full backup of this device ?
Sent from my MI 9 using Tapatalk
Click to expand...
Click to collapse
I'm planning to do a comprehensive backup tutorial very soon, probably in the next day or two. The answer to your first question is no! Not every rom dump you find is going to be compatible with your device. In general I have found that if a rom dump comes with a scatter file and that scatter file is identical to the scatter file from your stock backup, then you're usually safe to flash it, but there may be exceptions to that rule, so always have a backup before you flash anything. While all of these units are based on the same SoC, they can have different amplifiers, radio chips, etc, and you could find yourself with a ROM that boots, but has no audio for example.
Thanks, I managed to take the backup and also use wwr to create my own Scatter file
Using that I flash twrp and rooted my device.
Sent from my MI 9 using Tapatalk
I´m trying to install twrp. I successfully unlock the bootloader and finally flash twrp, but now can´t access to recovery. System says: " Orange state your device has been unlocked and can't be trusted Your device will boot in 5 secods" when reboot recovery mode.
Any ideas?
Thank you very much.
Hi @threadreaper,
I have memory dump of my radio 9218c_0005_v004, 8227l. I do have the scatter file too. It was working perfectly fine and I rooted it too.
But while I was modified the build.prop to get the multiwindow feature as mentioned in one of threads related to 8227l and rebooted my system. It went into bootloop.
I tried to flash a rooted another firmware for my device which I had never flashed earlier. I used to scatter file mentioned in the same rooted firmware zip. Everything finished well in the SP tools with success and I rebooted the radio but It still didn't come up. Just a black screen. Is it because I flashed preloader with the wrong scatter file?
Now problem is, when I try to connect radio with PC, PC is not able to detect it. It's not even appearing for 2 seconds in the Device manager.
I have the backup and everything. and can restore it back. but it should be detected. What can be gone wrong here?
1. Did that rooted firmware contain wrong preloader/scatter file? Should I have skipped preloader and used my scatter file?
what are the solutions so that PC detects it back as a preloader?
amit_coolcampus said:
Thank you very much for the tutorial. My android unit is not detected in SP tools. When I reboot the radio, It appears in Device manage as MTK USB for 2 seconds and disappears. Is it because bootloader is locked? Will the problem resolve after unlocking the bootloader.
Just wanted to check if you have prepared to recover the bricked devices using this method.
My unit is working but I would love to have a Plan B ready.
Click to expand...
Click to collapse
Yup! Check the link in my signature for a tutorial on recovering from a brick!
For your device to be used with SP-flashtool you need to connect the device (fully powered down) via usb AFTER you start an operation in SP-flashtool. The preloader will shut down after 2 seconds if it doesn't receive a signal indicating it's connected to a flash device, so that's the behavior you're seeing. Basically you need to have SP-flashtools prepared to send this signal to the preloader before your connect your device.
dickinson said:
I´m trying to install twrp. I successfully unlock the bootloader and finally flash twrp, but now can´t access to recovery. System says: " Orange state your device has been unlocked and can't be trusted Your device will boot in 5 secods" when reboot recovery mode.
Any ideas?
Click to expand...
Click to collapse
I haven't come across anything like this before... What brand/model is your device?
threadreaper said:
Yup! Check the link in my signature for a tutorial on recovering from a brick!
For your device to be used with SP-flashtool you need to connect the device (fully powered down) via usb AFTER you start an operation in SP-flashtool. The preloader will shut down after 2 seconds if it doesn't receive a signal indicating it's connected to a flash device, so that's the behavior you're seeing. Basically you need to have SP-flashtools prepared to send this signal to the preloader before your connect your device.
Click to expand...
Click to collapse
Aaah. ... I see. Now I get it. I'll give one more try and will get back to you. Thank you very much
threadreaper said:
I haven't come across anything like this before... What brand/model is your device?
Click to expand...
Click to collapse
Finally I´ve solved this problem. My model is 9213 with a 9260 board , firm 8.1 (Oreo real) YT9213AJ_00011_V001_20200718_0 . Orange´s state happens when bootloader is unlocked . I only need flash a new twrp version for Oreo system. Twrp3.4.0 ( previous versions don´t work) and locked my unit again. It´s working now and can access to recovery
Note: in this version I only can connect to spflahTool with a male-male usb without ground pin (only 3 wires) and external 12v supply
Woohooo!
I was able to detect my radio in sp flash tools.
1. Created a preloader backup.
2. Created a rom_0 backup. Just one clarification required. Can you please tell me what should be the last address(length) so that it includes everything. I have put start address of BMTpool as the total length of backup so that includes whole userdata partition.
So start address- 0x0
Total length - 0x738A80000
Can you confirm if this should have everything to restore in case of any mishappening?
Thank you so much @threadreaper,
I was able to get it detected and take a full backup, but something wrong happened after I rooted and tried to update the build.prop file in the system folder. Can you please help. Here is the brief:
I have memory dump of my radio 9218c_0005_v004, 8227l. I do have the scatter file too. It was working perfectly fine and I rooted it too.
But when I modified the build.prop to get the multiwindow feature as mentioned in one of threads related to 8227l and rebooted my system. It went into bootloop.
I tried to flash a rooted another firmware for my device which I had never flashed earlier. I used to scatter file mentioned in the same rooted firmware zip. Everything finished well in the SP tools with success and I rebooted the radio but It still didn't come up. Just a black screen. Is it because I flashed wrong preloader with the wrong scatter file?
Now problem is, when I try to connect radio with PC, PC is not able to detect it. It's not even appearing for 2 seconds in the Device manager.
I have the backup and everything. and can restore it back. but it should be detected in the first place. What can be gone wrong here?
1. Did that rooted firmware contain wrong preloader/scatter file? Should I have skipped preloader and used my scatter file?
Is the only solution left to read memory in Flash tool by using test point?
threadreaper said:
Yup! Check the link in my signature for a tutorial on recovering from a brick!
For your device to be used with SP-flashtool you need to connect the device (fully powered down) via usb AFTER you start an operation in SP-flashtool. The preloader will shut down after 2 seconds if it doesn't receive a signal indicating it's connected to a flash device, so that's the behavior you're seeing. Basically you need to have SP-flashtools prepared to send this signal to the preloader before your connect your device.
Click to expand...
Click to collapse
iceblue1980 said:
This is excellent news and I look forward to those tutorials! my current MediaTek unit is still in the car (currently looking to buy a proper MTCD/MTCE unit to run Malaysk) so I will be able to play around with my old one and hopefully learn more about how these things work. I bought soldering kit and built an appropriate power source (12V 5A AC/DC adapter), so now I'm good to go
Click to expand...
Click to collapse
How did you create that 12v adapter. I am interested to make one, it's really painful to sit in the vehicle and do everything.
I am also looking to buy 4 Pin connector for USB.
amit_coolcampus said:
Thank you so much @threadreaper,
I was able to get it detected and take a full backup, but something wrong happened after I rooted and tried to update the build.prop file in the system folder. Can you please help. Here is the brief:
I have memory dump of my radio 9218c_0005_v004, 8227l. I do have the scatter file too. It was working perfectly fine and I rooted it too.
But when I modified the build.prop to get the multiwindow feature as mentioned in one of threads related to 8227l and rebooted my system. It went into bootloop.
I tried to flash a rooted another firmware for my device which I had never flashed earlier. I used to scatter file mentioned in the same rooted firmware zip. Everything finished well in the SP tools with success and I rebooted the radio but It still didn't come up. Just a black screen. Is it because I flashed wrong preloader with the wrong scatter file?
Now problem is, when I try to connect radio with PC, PC is not able to detect it. It's not even appearing for 2 seconds in the Device manager.
I have the backup and everything. and can restore it back. but it should be detected in the first place. What can be gone wrong here?
1. Did that rooted firmware contain wrong preloader/scatter file? Should I have skipped preloader and used my scatter file?
Is the only solution left to read memory in Flash tool by using test point?
Click to expand...
Click to collapse
Yes. If you have flashed the wrong preloader to your device, you will have to recover from test-point. Never flash a backup with a scatter file that doesn't exactly match your existing scatter file.
amit_coolcampus said:
How did you create that 12v adapter. I am interested to make one, it's really painful to sit in the vehicle and do everything.
I am also looking to buy 4 Pin connector for USB.
Click to expand...
Click to collapse
It really doesn't take much. I have run a few different versions of these head units just fine off of a 12V/2A "wall wart" type power supply. Just cut the end off, check polarity (carefully!) with a multimeter while it's plugged in and then wire it up just like you would with 12V in a vehicle.
threadreaper said:
Yes. If you have flashed the wrong preloader to your device, you will have to recover from test-point. Never flash a backup with a scatter file that doesn't exactly match your existing scatter file.
Click to expand...
Click to collapse
Two confirmations sir:
Got it. So the scatter file which I created from the stock backup has to be used always, no matter if I flash back any other ROM?
One more question. When I flashed TWRP recommend for my radio. It got flashed and I was I able to install supersu by flashing and boot up the system. But when I tried to take backup of system, data and cache via recovery, after half of the backup process, twrp started turning into different colors like a distorted screen and touch stopped working (screenshot attached) and system rebooted normally without finishing the backup. It happened the same second time also. So is it something like - we can't take backup of radio from the twrp. Can it only be backed up & restore back from sp flash tools?

Categories

Resources