The Captivate Development Platform mod AKA UnBrickable Mod - Captivate Android Development

Background
First off, big thanks to TheBeano and Midas5 for teaching me about UART, decompiling bootloaders and figuring out how the OM values work. Their initial work and dedication in "Lets Save Some Bricks" inspired me greatly. Since the work started we've analyzed UART outputs, hacked the heck out of the SBL prompt, obtained both decompiled and source for bootloaders, and generally learned a **** ton about our devices... Mind you, that's a Metric **** ton, not the Imperial **** ton, which is equivalent to nearly 2000 assloads. The reason I'm branching this operation at the current point is because this modification is specific to our device. The proper modifications for other Samsung devices have not been identified yet. We're first! Yay! We need to focus on Captivate firmware development now. The firmware may encompass all GalaxyS models as well, but this modification will only work on the Captivate.
introduction
I'm not kidding when I say UnBrickable. Modifying the OM pins means you can boot from USB, UART or MMC. This makes the phone quite UNBRICKABLE. There is nothing you can do software wise to prevent the device from booting into this mode. We are communicating with the unrewritable, efused IROM on the processor. It's the thing that makes the system on a chip into a "system on a chip". I am here now to tell you how to turn your Samsung Captivate into a KIT-S5PC110 development board. The KIT-S5PC110 development board is the platform used to develop our phones. There are some differences between this mod and the official development platform. The S5PC110 has a removable internal SDCard and no touchscreen.
Why would you want to do this? When you plug in the battery and connect it to the computer in "off" mode, it will become an S5PC110 board awaiting download of a program to run. This occurs long before anything like software or firmware enters the processor. This is the IROM of the device awaiting commands or a power on signal.
Because it is accepting a memory flash, anything may be put onto the device to perform a boot sequence..... Apple iOS (iPhone4 has the same processor) WP7 (mango supports this processor).
This will be a replacement for JTAG once we are able to make some firmware. How could it possibly be better than JTAG? Let's count the ways....
1. The only part required is a wire.
2. No shipping time.
3. No cost for a box to interface the computer.
4. Permanent.
5. Can be done as a preventive measure.
6. Gives the ability to test new Bootloaders temporarily.
7. Allows development of the entire system.
8. Removes worry about flashing and acts as a backup.
After performing this mod:
Remove the battery, replace the battery, your phone will connect to the computer via USB and await commands. Otherwise it will pretty much act like a captivate. See the Special Instructions section.
Modification
You will need:
1. Get someone who knows what they're doing with a soldering iron. If they don't know what flux is, then they don't know what they're doing. You can send me a PM(my username @gmail.com) or Connexion2005(aka MobileTechVideos.com). Note: I do not work for/with mobiletechvideos.com.
2. soldering iron - make sure it's sharp, if it's not sharp, then sharpen it, flux it and retin it.
3. flux
4. solder
5. tweezers
6. A relay (for the wire contained within)
getting started:
You will need a very small piece of wire. Tear apart the relay, unravel the coil within and grab about 12cm~ of wire. The fact that it comes from a relay is important because relays generally have very small wires which are individually treated with a non-conductive coating.
Take the 12cm~ wire from the relay and tin the very edge of it. No more than 1/32". If you tin more than 1mm, cut off the excess. It is desirable to have a slight bit of excess solder on the tip of this wire.
performing the modification:
1. tear apart your phone... remove 6 #0 phillips screws from the back. Two of them are under the battery slide flap. The slide flap must be up on one end and down on the other in order to get to these screws... Don't LIFT the slide flap, just rotate it at an angle. Once the 6 screws are out, then you can separate the back from the front. Make sure to take out your SIM and external SDCard before you do this.
2. remove the mainboard... there's a single screw and 5 connectors which require removal. Remove them. Pull the board out and place it on your workspace
3. remove the EM shield from the processor side.
4. remove the OM5 resistor in the picture below. It's coated in glue. I've found the best thing is to just coat the area in flux and let it do the work while prodding with the iron to move the resistor out of place.
5. Connect the active side of xOM0 resistor to the active pad on OM5's resistor pads.
http://i51.tinypic.com/160zmty.jpg
6. reassemble the phone.
Special Instructions
This replaces the battery charging sequence. The normal battery charging sequence can be activated by holding power for 4 seconds.
To turn on the device, and operate in normal mode, you must hold the power button for 5 seconds.
3 button Download mode works as usual, however you must not have the S5PC110 drivers installed on the computer. You can use your custom rom menu option, adb reboot download, or use a terminal to "reboot download". 301Kohm Factory Mode JIGs work as well, but you must press power to bypass the S5PC110 mode.
Conclusion
Congratulations. You now have a device which works like a KIT-S5PC110 with an OM Value of 29. Now get to developing some serious custom software. See here for setting up the UART output http://forum.xda-developers.com/showthread.php?t=1235219
reading material
Creating your own Samsung Bootloaders: http://forum.xda-developers.com/showthread.php?t=1233273
KIT-S5PC110 manual: http://www.mediafire.com/?94krzvvxksvmuxh
how to use DNW: http://tinyurl.com/dnw-how-to
Flash using openOCD and DNW: http://www.arm9board.net/wiki/index.php?title=Flash_using_OpenOCD_and_DNW
another DNW example: http://www.boardset.com/products/mv6410.php
ODroid dev center: http://dev.odroid.com/projects/uboot/wiki/#s-7.2
drivers and utilities
This will be an ever expanding list
Windows Drivers http://forum.xda-developers.com/attachment.php?attachmentid=678937&d=1312590673
Windows Download Tool DNW: http://forum.xda-developers.com/attachment.php?attachmentid=678938&d=1312590673
Windows Command Line tool: http://forum.xda-developers.com/showpost.php?p=17202523&postcount=27
Linux DNW Utility: http://dev.odroid.com/projects/uboot/wiki/#s-7.2
Linux Detector tool: http://forum.xda-developers.com/showthread.php?t=1257434
Linux Automated UnBricker: http://forum.xda-developers.com/showthread.php?t=1242466
firmware
Bootloader Hello World by Rebellos http://forum.xda-developers.com/attachment.php?attachmentid=698077&d=1314105521
UnBrick tool http://forum.xda-developers.com/showthread.php?t=1242466

Great work Adam. Can't wait to see this used to reflash bootloaders or something.

Now we need firmware... I figured Adam would have flashed something already, and thought about getting back from that flash later

https://github.com/teamhacksung/uBoot
possibility of uBoot on our devices... so much nicer than our current bootloaders. initial work has been done by codeworkx for compatibility with our boards, but (obviously) hasn't been tested

COOOL
looks good

Very exciting work y'all! Any plans on using it to dual boot Andbuntu/iOS?

Wow dude, you do some great work. Keep us posted!
Now if it only was a light saber too....

I did a little bit of reading and definitely agree it would be cool to get uboot on our phones,
along with unbricking devices.
I would love to help sadly I have no knowledge of this low level stuff, or soldering skills.
I will watch this thread closely. Good luck guys.
http://www.linuxfordevices.com/c/a/...s-UBoot-the-universal-open-source-bootloader/

I was attempting to see what I could "upload" from my daily phone. I messed up my daily phone while performing this modification. I was trying to remove the xOM5 resistor and got impatient. I broke it off, it took the pad with it and I was left with only a .001mm wire on the board. I attempted to solder it for about 6 hours straight and after a while I swiped off 5 resistors in a line. I'm sure I could repair it, but I just went and bought another phone.
Lesson: Take your time, and don't try to force anything. That glue is tough and it acts as a heat sink. Remove the glue from one side of the resistor, heat the entire resistor up and let it slide off. Don't try to speed it up.
Once you perform this modification everything works just fine. No problems. It's a risky procedure though.
I still have not tested any firmware successfully. I tried a few precompiled uboots, but I did not yet try the uboot mentioned above.

This looks awesome, although I'm hesitant to do it, because there's always that chance that I will need to RMA. Sorry about your phone Adam, I think everyone in the forum is probably in love with you now though!
Sent from my SAMSUNG SGH-I897 using XDA Premium App

I would add that when doing this work, you should use ESD protections. Wrist strap (you can rig a homemade version), ESD mat, etc. Not as big of a risk in a humid environment, but as relative humidity drops, the risk increases. You can never be too safe if your phone is valuable to you. Typically, consumer electronics are hardened to ESD through connectors and the housing, but when you are directly handling the PCBA, you are potentially bypassing the hardware filters.

I need something to flash with this bad boy now.
Sent from my GT-I9000 using XDA Premium App

Adam, thanks for all your work, and everyone else for that matter. Connexion never responded to my PM about jtag work, but this little modification is so damned easy I went ahead and did it. I'll be patiently waiting for a firmware we can use to reflash bricked phones in the future.
Again, thanks a ton!

I don't need to rework the board do I? As in is picture 4 simply for reference?

Proxyep said:
> I don't need to rework the board do I? As in is picture 4 simply for reference?
Picture 6.

Adam, did you try tracing the i2c?
It might give us an un-brick mode without even soldering om5.

So what would this exactly do? Don't wanna do it till I know exactly what it does.
Sent from my Cappy with Glitch V11 LL at 1.6GHz stable, Juwe's RAM script, V6 script, V8 kickass kernel tweaks, and 3G booster script using XDA Premium App

midas5 said:
> Adam, did you try tracing the i2c?
> It might give us an un-brick mode without even soldering om5.
No, I have not been messing with hardware since I found the OM5 mod. I wish to develop this further. If you can get me a pin number to trace I will do that. Please look up the pin in the S5PC110 manual and I will trace it... I've been very busy locating software for this mod.
b-eock said:
> So what would this exactly do? Don't wanna do it till I know exactly what it does.
> Sent from my Cappy with Glitch V11 LL at 1.6GHz stable, Juwe's RAM script, V6 script, V8 kickass kernel tweaks, and 3G booster script using XDA Premium App
Currently we are running into this:
Code:
��������������������������������������������������������������������������������
Uart negotiation Error
Secure Fail Error
Secure Fail Error is likely because the uBoot I am loading violates the S5PC110 chain of trust. I am working to locate software which will not violate the chain of trust.
See this post for more:
popfan said:
> I found this while waiting for the reply from Samsung.
> http://www.aesop.or.kr/?document_srl=266600&mid=Board_Download_S5PC100
> This is Linux Native - Complier Package
> Please note this is in Korean.
> One more found:
> http://www.aesop.or.kr/?mid=Board_Download_S5PC100&page=2&document_srl=75581
> USB OTG-Mon Binary ??
> Last one - S5PC100 Code Visor Debug resource
> http://www.aesop.or.kr/?document_srl=267106&mid=Board_Download_S5PC100
I have a 3 day waiting period for my id on that site to become active, at which point, I believe we will have a solution.

I believe the binary on this page will be the solution http://www.aesop.or.kr/?mid=Board_Download_S5PC100&page=2&document_srl=75581

b-eock said:
> So what would this exactly do? Don't wanna do it till I know exactly what it does.
> Sent from my Cappy with Glitch V11 LL at 1.6GHz stable, Juwe's RAM script, V6 script, V8 kickass kernel tweaks, and 3G booster script using XDA Premium App
Allows you to boot from things other than the internal sdcard, and overwrite memory on the phone. Basically, if you break a bootloader, this is the only thing that could fix it beyond re-jtaging it.
At this point, there's no real point unless a) your device is bricked or b) Adam gets the software half up and running, in which you could do it as a pre-emptive measure.

Related

Developing methods to recover bricks without JTAG

I have not seen anything in the Captivate forums about UART, I2C, or really anything other than Download Mode/Recovery Mode. We could use some developers to help with this project. It's an interesting combination of hardware, software, and inter-chip communications protocols...
I think everyone knows about the 301Kohm resistor between pins 4 and 5. Did you know about the 150Kohm or the 619Kohm resistors? How about the middle battery pin?
Watch this video.
Resources
Users
One-Click Unbrick was released. This will unbrick softbricked phones http://forum.xda-developers.com/showthread.php?t=1153310
Kernel developers
UART Kernel debug log AND shell terminal (like adb shell without adb active) On the captivate you can get into the SBL prompt, then type
Code:
printenv
setenv SWITCH_SEL 6543
printenv
saveenv
This changes the SWITCH_SEL value from 65 to 6543 and enables extra output. This will give you a kernel debug output and drop you into a shell prompt.
Developers
bootloader source code For a similar Samsung device: http://forum.xda-developers.com/showthread.php?t=1018862&page=68
here is the iROM: I've rehosted it here: http://teamkomin.googlecode.com/svn-history/r75/branches/IROMcode/bootdumps.rar
here: http://www.mediafire.com/file/c9bg6gyk1cuapsz/bootdumps.rar
and here: ftp://adamoutler.dyndns.org/bootdumps.rar
We need help deciphering it. We think the annotations may be wrong. This is the unchangeable code in the first few blocks of memory. There must be a way to communicate with this.
Hardware guys
S5PC110 processor datasheet http://www.mediafire.com/file/3znisgfm3amxgpj/S5PC110_EVT1_UM10.pdf This is the processor in our phones. This documents everything which is capable natively with the processor. It is 2425 pages long. I read through it and added some notes here. This is the meat of the manual: http://forum.xda-developers.com/showthread.php?t=1018862&page=51
FSA9280A datasheet http://www.mediafire.com/?d4e21efhuktctcb This is the first time we've had access to this manual. Our phones use the FSA9480A chip, this chip is functionally the same. The datasheet here describes all functions available to the USB switching device. From the FSA9280 datasheet we've located all resistor values. http://forum.xda-developers.com/showpost.php?p=14408452&postcount=62
All
The All-In-One GalaxyS HackPack hardware, software and documentation on our phones http://forum.xda-developers.com/showthread.php?t=1111866
It has been revealed from a source which is not to be mentioned that the OM pins/registers are fixed and cannot be changed on the processor without removing the processor from the device or making some hardware modifications.
Here's some must read threads.
Fun with resistors: http://forum.xda-developers.com/showthread.php?t=820275 This thread shows all known resistor values
Lets save some bricks: http://forum.xda-developers.com/showthread.php?t=1018862 This thread deals with ways to revive phones from the dead. We are hacking the heck out of them in here.
Development platform booting from MMC http://hi.baidu.com/j2h3344/blog/item/85740dfc0be35951d7887dd5.html This is the platform used to develop our phones. We need to find these OM bits, or access them somehow.
the middle battery pin http://forum.xda-developers.com/showpost.php?p=13448859&postcount=253 This may be the answer. We could use some help in this area.
Download the GalaxyS Hack Pack here: http://forum.xda-developers.com/show....php?t=1111866
Known Causes of hard Bricking
1. PBL(Primitive bootloader) and SBL(secondary bootloader) were not designed for the phone
2. Mismatched PBL/SBL combination
3. SBL does not fit in the Partition information table, or location does not match Partition Information Table
4. Bad USB cables
5. power loss
6. Damaged PBL/SBL
--Theoretical--
7. Something known as Secondary Bootloader Rotation may be to blame for improper bootloaders sometimes. Apparently when flashing, the SBL and SBL2 blocks may switch places. In this case you may have the proper PBL, but the SBL is not proper for the device.
Hardware Used
If you're looking to help, you'll need some development hardware. I use an Arduino Mega. http://www.bizoner.com/arduino-atme...e-p-180.html?zenid=9mg23h688slfjgh88910o5jfd2 This is a programmable interface. You can use this code to talk to the phone. http://forum.xda-developers.com/showpost.php?p=13351363&postcount=223
Here's some plans for a communications adapter http://forum.xda-developers.com/showthread.php?t=925034
The plan
If we can get into a bricked phone via UART or the i2C bus, or the USB bus, or any other method available to U301, we can corrupt the PBL(boot.bin) in the OneNand which will cause the processor to search for a PBL and SBL on USB, UART and MMC.
If we can locate an additional communications port somewhere on the phone we can change or corrupt the code running in memory and then cause the processor to reboot into USB or UART mode.
So far we know of UART only and have eliminated that as a solution on its own.
Using SBL, it is a very likely possibility that Windows7 phone or iOS, or ubuntu could be ported over.... Basically, full control.
Why you should help
We've been working on ways to recover these phones for months now. We're coming to an end. We need massive amounts of testing to figure out this last bit.
This is a call to duty. Every developer who has ever released a boot.bin, SBL.bin, param.ifs or a PIT with their release needs to be a part of this. Every member who has ever bricked a phone while using one of the many tools which are designed to upgrade your phone can help. Anyone who wants to feel secure while flashing their phone should put some effort into this because it's expensive and requires superhuman soldering to JTAG these phones. If you've even thought about using Odin3, we need your help.
Update: UnBrickable Captivate http://forum.xda-developers.com/showthread.php?t=1206216
Seems interesting / promising, unfortunately I can't help BC I moved back to Morocco (Africa) and only brought 1 captivate with me. Good luck that is all I can say.
Sent from my SGH-I897 using XDA Premium App
Really interesting and very cool.
But I have a fully bricked captivate which I still have cause it was a friend's who just went onto the Inspire. Always have wondered if I could recover the hard brick.
Wish I could help but I'm pretty useless with Soldering and taking apart my phone. But if development moves along with this I'd love to support. The idea of porting those OS and helping everyone saving hard bricked phones would be great.
Good Luck!
Sent from my SGH-I897 using XDA App
I'm bookmarking this. I can only help in fabrication. I'm not a super genius dev, but threads/projects like this do interest me.
Middle battery pin? Reminds me of the battery jig trick on the original PSP.
All-in-all, this looks promising, I'll be following it.
Posted up the iROM in the first post. this is the code which we hope to establish communications...
Keep in mind, this could be over the USB port, the Middle battery terminal, or even the headphone port.
> But I have a fully bricked captivate which I still have cause it was a friend's who just went onto the Inspire. Always have wondered if I could recover the hard brick.
I'M GETTING ONE OF THOSE IN THE AM!!!!!
I have a fully bricked cappy that I bricked last night. I was able to recover from the phone..!..pc icon but then failed @95% via odin3 v1.00.
i will mail you the cappy if you can fix it and use it as a test mule for future brick\unbrick attempts...... the outer glass is broken thanks to a fall from my lap to the concrete
I think I actually discussed this with you before. I ran twice into some instance where no action would make difference on the phone, no response to key combos, no response to charger or USB. But, download mode was still accessible via USB Jig.
What could've happened there?
cumanzor said:
> I think I actually discussed this with you before. I ran twice into some instance where no action would make difference on the phone, no response to key combos, no response to charger or USB. But, download mode was still accessible via USB Jig.
> What could've happened there?
Not really positive at this point, I'd suspect corrupted pbl.bin or param.lfs partitions. I've seen some weird stuff with the pbl. One phone would only output uart when volume + was held for 5 seconds.
Basically from my understanding... The IROM loads into the processor. This is the first 40000 bytes and it's protected memory. The iROM brings up basic functionality for the processor, including the initial factory UART/MMC load of PBL & SBL. The IROM then instructs the phone to load the IBL/PBL (Initial Boot Loader/Primitive Boot Loader). The IBL initializes memory for the SBL (Secondary Boot Loader), then the PBL loads Params (a partition on the OneNAND) and checks the pins on the processor for commands. The PBL then makes more memory available for applications, then locates and loads the SBL. The SBL initializes other functions and then locates and loads the kernel.
The SBL is responsible for Download Mode and the SBL prompt. It is basically the system's "BIOS" for lack of a better word. I'm not sure of the steps which can be skipped for successful download mode.
The iRom download is broken.
I'll look at it once you reupload
Some kid reported the iROM code as being in violation of the terms of agreement of the hosting website... It must have been a kid because Samsung would not do that. Just as we have a right to use tools to disassemble our phones, take pictures, annotate those pictures and post them on the internet, we have the same right to the IROM. It's not hurting Samsung's sales, nor is it intellectual property of Samsung. We bought the phones and it came with this. The only intellectual property in this document belongs to the person who disassembled and annotated this code.
I've rehosted it here: http://teamkomin.googlecode.com/svn-history/r75/branches/IROMcode/bootdumps.rar
here: http://www.mediafire.com/file/c9bg6gyk1cuapsz/bootdumps.rar
and here: ftp://adamoutler.dyndns.org/bootdumps.rar username xda password developers
Lets not be childish and hinder progress anymore by clicking buttons. I've removed that ability.
I think this is a wonderful bunch of work that is being done here and if I can offer any assistance please let me know. If you would like a private IRC channel to discuss your work in with other developers I would be more than happy to provide a quiet private place to do so. Just shoot me a pm if I can be of any assistance.
We can really use some SGS folks to help. Check out the lets save some bricks thread mentioned in the first post.
Two quick questions:
1. How would you manage to get these files? First, aren't they burned into the nand? Secondly, wouldn't they be assembled already? How do you disassemble them?
2. Do you have any good links/books on how to learn arm assembly? I know some x86, but I've never found a good link to arm based stuff (or any sort of dev platform, for that matter).
Sorry about being semi-offtopic.
Subscribed, and very interested in following progress on this.
Also: Sending PM.
Nothing revolutionary to add just yet.
However, I just finished adding a JTAG breakout to my collection. This is what my current test setup looks like:
We could use some more DIYer's on this project. The biggest thing to have is an Arduino and a microUSB breakout board. We need to figure out how to get this phone to boot from MMC, USB, or UART... and we know Samsung does this to bricks.
this looks interesting.. gonna keep my eye on it
AdamOutler said:
> Nothing revolutionary to add just yet.
> We could use some more DIYer's on this project. The biggest thing to have is an Arduino and a microUSB breakout board. We need to figure out how to get this phone to boot from MMC, USB, or UART... and we know Samsung does this to bricks.
I can build anything, the purchase of an Arduino and making the breakout board are easy but I would have no idea what to do with it afterwards.
It is funny the time you posted this because my friend found out about a club that works with Arduino boards making all sorts of things and asked me if I wanted to go to their meetings. This thread popped up the next day.
Well I may buy an Arduino board or 2 but I'm not sure if even then I can be helpful
Well, a pretty much unexplored area of the phone is the middle battery terminal. The middle battery terminal is an ADC (analog to digital converter) pin. We know for a fact that it triggers something called EXT-I2C (External Inter-Integrated Circuit). EXT-I2C can be used to communicate with any chip on the I2C bus. The I2C bus connects with everything on the phone... Call Processor, OneNand, Memory and Application Processor. Using the EXT-I2C, we would have full control over the phone.
I know the middle battery terminal has something to do with it because I managed to get my phone to boot-loop with the pin disconnected and I saw messages about EXT-I2C NACK( EXT-I2C not acknowledged) when playing with resistance values and watching the UART output on my Arduino MEGA.
The unanswered questions are,
How to reproduce that EXT-I2C message?
What are the Addresses on the I2C bus?
Which pins control the I2C bus?
Here's some of the possible I2C bus connections:
USB VCC
USB Ground
USB D+
USB D-
Batt+ (when powered on USB)
Batt- (when powered on USB)
BSI (Battery Signal Indicator - middle battery pin)
Headphone Left Audio
Headphone Right Audio
Headphone Video
Headphone Ground
all External-SDCard (MMC) connections
all SIM connections
This is something you can bring to the table at that Arduino club. You can also read up on this hackaday article http://hackaday.com/2011/05/11/i2c-101/
If anyone has a good idea of which pins may be OM pins here, let me know..
Side facing LCD screen
Side facing back of unit

How to hack hardware binary and bend it to your will

Before you start on actually modifying your hardware, you must know what it is you're after. Don't just go using your finely tuned soldering iron without doing some research first... http://twitpic.com/75maxq
I wanted to share some tricks I use when locating UnBrickable Mod on various devices because it has been requested many times. Overall, the methods I'm going to talk about can be called "reverse engineering", "hacking", or "circuit bending".
Each device is different so different methods may be used. I'll start with what I feel is the best method to use and move my way on through less accurate and more destructive/difficult methods. The methods I'm using here can be used on nearly ANY device for nearly ANY purpose, not just locating boot modes. Using the techniques I'm laying out here, you can locate any physical memory register on any chip.
For the purposes of this familiarization guide, we will be locating the xOM5 resistor which changes the S5PC110 boot mode from "boot from OneNAND" to "Boot from USB, then OneNAND". Other modes are available such as booting from SDCard or MMC but these modes do not allow dual booting into the standard OneNAND boot so they are not practical unless you have a NAND failure.
By reading the S5PC110 processor manual, we can see on page 6-8, this is achieved by setting the xOM bits to 101001 (hex value 29). These binary values correspond to pins on the processor. These pins can be set high or low, and they ARE set high and low on the development board for the S5PC110 development boards. On other processors like OMAP4460, or Exynos, different pins are used but the functionality is the same.
All binaries and reading materials used are available in the GalaxyS hack pack: http://forum.xda-developers.com/showthread.php?t=1111866
For installation of binaries, you can use the market app "mount rw/ro" and drop the binaries in your /system/bin folder. See here for more information on direct access to Linux and installing binaries: http://forum.xda-developers.com/showthread.php?t=1030107
For the purposes of this thread we will be using a S5PC110 chip which is what the entire GalaxyS series of device is based upon.
With this knowledge in hand, let's continue into HOW we can locate these pins.
how to locate the xOM resistor cluster
If you orient the S5PC110 processor with the PIN-0 dot at the lower left corner, you will find the xOM cluster at the lower right corner. These resistors will always be near this location because the pins on the board are near this location. It's never a good idea to have "runs" on a board longer than necessary. Therefore, these resistors will always be near this corner.
NOTE: You need not remove the processor. This is only for illustration.
For other devices, see the pinouts on the processor manual.
Methods for locating modification
Monitoring memory locations in real-time
You will need:
viewmem installed in /system/bin
bash installed in /system/bin
Market App: QuickSSHD allows you to terminal into the device.
1. we locate the xOM registers on the device. According to the processor manual
> OM_STAT 0xE010_E100 R OM status register 0x0000_0000
the OM registers are at 0xE010E100. So we know where to look in memory to monitor changes.
2. ssh into your device. See QuickSSHD for more information. Once you are in, assume super-user, get into a bash terminal, and use the viewmem utility.
Code:
$ su
# bash
bash-4.1# viewmem 0xE010E100 0x4|hexdump
[INFO] Reading 4 bytes at 0xe010e100...
0000000 0009 0000
0000004
3. Short and test. While shorting the high value to the active side, NOT THE VISIBLY GROUNDED SIDE, monitor output from the terminal.
The PullUp resistors are 10Kohm and the Pulldown resistors are 100Kohm. This means there's 10x more force behind a digital high than a digital low, in other words, you can short any low value high without a problem...
Code:
viewmem 0xE010E100 0x4|hexdump
[INFO] Reading 4 bytes at 0xe010e100...
0000000 0029 0000
0000004
The 29 signifies that the device is modded properly. A value of 0x9 is a standard production device. When you see 0029, you've located the proper resistor for the modification.
Using overlays
Take a picture of the board, then use an annotated pinout to locate the proper pins on the processor. This allows for a visual of the device as though the processor were removed.
Here's a picture of my own annotated overlay. Use this and we'll walk through overlay logic.
Now, with a xOM value of 0x9, that's a binary value of 001001, use your calculator in "programmer" or "scientific" mode if you don't believe me.
Broken Down:
xOM5=0
xOM4=0
xOM3=1
xOM2=0
xOM1=0
xOM0=1
xOM 3 and 1 are both high values, all the rest are low. We can use this to our advantage. We can see that 4 resistors are connected to ground on one side and 2 are not. Those two are obviously xOM3 and xOM1.
If we look at the processor pinout, we can see that if xOM3 and xOM1 resistors were swapped, one would be very much longer than the other so there's only one logical solution.
Moving on to the shortest ones, xOM4 and xOM2 would obviously be closest to the top of the resistor cluster, and it's also obvious which one would be which.
Now that leaves two resistors in the middle. One is high and one is low. By drawing it out you can see that if xOM5 were on the right, then xOM1 would be very much longer than xOM5, so xOM5 must be on the left.
So, we've located all xOM values with this method.
Using relative positioning
This method is not nearly as scientific... Since there are now 10 guides made for modifying xOM5 on different boards, a resistor may be picked and chosen as though it were from another board. See here for various modifications: http://forum.xda-developers.com/showthread.php?t=1236273
Verification from this method may be made using UART. You would be expecting an output like this over the UART on your device.
See here for info on UART: http://forum.xda-developers.com/showthread.php?t=1235219
If the modification was successful, UART will output a line which states OM=0x29.
Using a multimeter
You can remove the processor from a device and trace out the pins manually. This method is only appropriate for a broken device.
conclusion
So, these are my methods for hacking hardware and making it do what I want. I'd like to hear others. Let's hack up some hardware and talk about it here.
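The register check from "Monitoring memory locations in real-time" above can be scripted so that each readout of 0xE010E100 is decoded into xOM bits and compared with the unmodified reading. This is an added example, not part of the original post: the function names and the embedded sample dumps (built from the 0009 and 0029 readouts shown above) are assumptions, only the six xOM bits are compared, and `watch_om` assumes `viewmem` and `hexdump` are installed as the post describes.

```sh
#!/bin/sh
# Added example: decode "viewmem 0xE010E100 0x4 | hexdump" readouts of OM_STAT.
# Function names are hypothetical; the sample dumps are constructed from the
# 0009 / 0029 values quoted in the post.

SAMPLE_STOCK='[INFO] Reading 4 bytes at 0xe010e100...
0000000 0009 0000
0000004'
SAMPLE_SHORTED='[INFO] Reading 4 bytes at 0xe010e100...
0000000 0029 0000
0000004'

# hexdump prints 16-bit words in host (little-endian) order, so the first
# word is the low half of the 32-bit register. Prints the value in decimal.
om_from_hexdump() (
    while read -r off lo hi rest; do
        [ "$off" = "0000000" ] || continue   # skip [INFO] and the end offset
        [ -n "$lo" ] || exit 1
        hi=${hi:-0000}
        case "$lo$hi" in *[!0-9a-fA-F]*) exit 1 ;; esac
        echo $(( (0x$hi << 16) | 0x$lo ))
        exit 0
    done <<EOF
$1
EOF
    exit 1                                   # no data line found
)

# Render the low six bits of a reading as xOM5..xOM0.
xom_bits() (
    v=$(( $1 & 0x3f )); i=5; out=
    while [ "$i" -ge 0 ]; do
        out="$out${out:+ }xOM${i}=$(( ($v >> $i) & 1 ))"
        i=$(( $i - 1 ))
    done
    echo "$out"
)

# List the xOM pins whose level differs between two readings (old, new).
xom_changed() (
    old=$1; new=$2; diff=$(( ($old ^ $new) & 0x3f )); i=5; out=
    while [ "$i" -ge 0 ]; do
        if [ $(( ($diff >> $i) & 1 )) -eq 1 ]; then
            out="$out${out:+ }xOM${i}:$(( ($old >> $i) & 1 ))->$(( ($new >> $i) & 1 ))"
        fi
        i=$(( $i - 1 ))
    done
    echo "${out:-none}"
)

# Classify with the two values the post names: 0x9 stock, 0x29 modded.
om_state() {
    case $(( $1 & 0x3f )) in
        9)  echo production ;;
        41) echo modded ;;
        *)  echo other ;;
    esac
}

# On the device: poll the register while probing and report every change
# relative to the first reading taken.
watch_om() {
    base=$(om_from_hexdump "$(viewmem 0xE010E100 0x4 | hexdump)") || return 1
    last=$base
    while :; do
        cur=$(om_from_hexdump "$(viewmem 0xE010E100 0x4 | hexdump)") || return 1
        if [ "$cur" -ne "$last" ]; then
            printf '0x%02x %s [%s] vs start: %s\n' "$cur" "$(om_state "$cur")" \
                "$(xom_bits "$cur")" "$(xom_changed "$base" "$cur")"
            last=$cur
        fi
        sleep 1
    done
}

if [ "${1:-}" = watch ]; then
    watch_om
else
    # Offline demo on the constructed samples.
    a=$(om_from_hexdump "$SAMPLE_STOCK")
    b=$(om_from_hexdump "$SAMPLE_SHORTED")
    printf '0x%02x %s [%s]\n' "$a" "$(om_state "$a")" "$(xom_bits "$a")"
    printf '0x%02x %s [%s] changed: %s\n' "$b" "$(om_state "$b")" \
        "$(xom_bits "$b")" "$(xom_changed "$a" "$b")"
fi
```

Run it with the argument `watch` on the device to poll the register; without arguments it decodes the two embedded samples.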
+1
Good that every chip component is configurable on lowest level by set of external passive elements - opens big possibilities to change any hardware into something different.
Worth adding - always think twice, or even once more before short circuiting anything. If between some V line and another there is positive voltage, like +1V, it still doesn't mean that second one is GND. First one can be +2V and second one +1V. READ carefully all datasheets and documentation. Don't connect any power line straight to another without resistor - this will cause high current to go through some component and probably damage it.
Example of bad test - there are some capacitors on the left of Adam's needle when testing resistor. It's highly possible that these capacitors are ARM_CORE stabilisers, which is 1.2V and can handle up to about 1.4V. Adam is operating with 1.8 or 2.8V from other V line - accidentally touching the capacitor with needle can damage CPU core.
If you have never done any hardware mods but feel like you want to start - prepare for some victims in your electronic devices. That's all of my experiences for now.
//Damn me and my bad habit of reserving posts in Adam's thread. Sorry. :d
very informative
Excellent and authoritative article! Though I'm personally too scared to do anything like this on my phone!
I've gotten replies from people that removing a BGA chip is almost impossible. A tutorial on how to unsolder one would be helpful for aspiring hardware hackers.
Master Melab said:
> I've gotten replies from people that removing a BGA chip is almost impossible. A tutorial on how to unsolder one would be helpful for aspiring hardware hackers.
It IS almost impossible. It's ridiculously difficult. You'll end up pulling a pad or two off the board. You must heat up the entire chip with a heat gun or a hot air station, then pull it off... Meaning you're heating up the entire chip to the point where the solder melts. It takes a multi-thousand dollar professional setup in order to make sure no damage is done. I use a digital temperature controlled heat gun. It works, but it's not accurate.
If you could replace the pads with a socket or something like that you'll be set to go.
we need to get you a better camera
elmanortega said:
> we need to get you a better camera
HAHHAHHAHHA. funny story about that...
You see, my 6 year old tried to do unbrickable mod on that today..
I no longer have a dedicated camera
I wish i could try it, but i am sure i wont be able to, lol
Thank you very much for this guide.
Could you also describe what tools (soldering iron etc) do you use?
I use a Radio Shack digital soldering iron. It's nothing special but it's temperature controlled and has a fine point.
I made some more overlays
here is Exynos4210
This is from OMAP 4460, but I'm pretty sure it applies to OMAP 4430 as well
very interesting, soon i try
Seriously this guy's work is awesome, learnt quite a bit from your work, thank you very much!
Sent from my Desire HD using XDA App
cdesai said:
> I wish i could try it, but i am sure i wont be able to, lol
Same here but why don't give it a try... just encourage
AdamOutler said:
> ... It takes a multi-thousand dollar professional setup in order to make sure no damage is done. I use a digital temperature controlled heat gun. It works, but it's not accurate.
Sorry Adam, you have a great writeup, but this is really a BS statement!
-- You can easily unsolder a BGA chip with a $5 micro-blow-torch! You just have to make sure you shield the surrounding components from the excessive heat. Put a small piece of copper (a penny?) on top of the chip, then put a piece of low-temperature (lead-free) solder on top of the coin, so you can get an idea when you have enough heat. Continue 10-20 seconds. Very carefully try to jam a few sharp toothpicks under any space between chip and PCB. Never bend!
This technique is well known and well demonstrated on YouTube, ever since the HP/Nvidia scandal of video chips falling off the MOBO after dust blocking the fan intake with (purposely) under-dimensioned and faulty heat-sink design.
The problem is getting it back ON! Then you need to invest in a professional heat plate and re-balling grid.
excuse me mister, i have done it, n my tab turn back on, now i have another problem, the screen is black and the bottom light is on, could you help me?
^^ good idea! I've always used a high power and small heat gun. It works for 99% of the pads, but I always lose 1 or 2. I never intend to put them back on.
apram75 said:
> excuse me mister, i have done it, n my tab turn back on, now i have another problem, the screen is black and the bottom light is on, could you help me?
This is the wrong place to post that. And it does not really make sense that you did this in context.
Unsoldering a BGA is easy.
Doing it without causing unrecoverable damage is a different story. Same for resoldering it back on.
However it is getting easier nowadays - temp-controlled hot air rework stations have dropped drastically in price - http://www.amazon.com/Updated-Aoyue-Digital-Soldering-absorber/dp/B006FA481G/ref=pd_cp_hi_3
Also, reflowing a BGA without removing it (such as for Xbox360 RRoD fixes) is a LOT easier than remove-and-replace.
Also - my personal favorite deal in terms of soldering irons is http://www.amazon.com/Aoyue-937-Dig...ref=sr_1_1?s=hi&ie=UTF8&qid=1331244730&sr=1-1 - The Aoyue 937 is amazing considering it is <$50.

Vibrant unbrickable mode (you can recover from hard brick!!)

This was originally posted by AdamOutler and helped me a lot, so I think that EVERYONE who has a Vibrant or an i9000 should know about it.
Sorry if I've resurrected this post but it is too useful to get hidden.
Link to the original post:
http://forum.xda-developers.com/showthread.php?t=1273083&highlight=unbrickable
Introduction:
I'm not kidding when I say UnBrickable. Modifying the OM pins means you can boot from USB, UART or MMC. This makes the phone quite UNBRICKABLE. There is nothing you can do software wise to prevent the device from booting into this mode. We are communicating with the unrewritable, efused IROM on the processor. It's the thing that makes the system on a chip into a "system on a chip". I am here now to tell you how to turn your Samsung Droid Charge into a KIT-S5PC110 development board. The KIT-S5PC110 development board is the platform used to develop our phones. There are some differences between this mod and the official development platform. The S5PC110 has a removable internal SDCard and no touchscreen.
Why would you want to do this? When you plug in the battery and connect it to the computer in "off" mode, it will become an S5PC110 board awaiting download of a program to run. This occurs long before anything like software or firmware enters the processor. This is the IROM of the device awaiting commands or a power on signal.
Because it is accepting a memory flash, anything may be put onto the device to perform a boot sequence..... Apple iOS (iPhone4 has the same processor) WP7 (mango supports this processor).
This will be a replacement for JTAG once we are able to make some firmware. How could it possibly be better than JTAG? Let's count the ways....
1. The only part required is a wire.
2. No shipping time.
3. No cost for a box to interface the computer.
4. Permanent.
5. Can be done as a preventive measure.
6. Gives the ability to test new Bootloaders temporarily.
7. Allows development of the entire system.
8. Removes worry about flashing and acts as a backup.
After performing this mod:
Remove the battery, replace the battery, your phone will connect to the computer via USB and await commands. Otherwise it will pretty much act like a Vibrant. See the Special Instructions section.
Modification
You will need:
1. Get someone who knows what they're doing with a soldering iron. If they don't know what flux is, then they don't know what they're doing. You can send me a PM(or email my [email protected]) or Connexion2005(aka MobileTechVideos.com). Note: I do not work for/with mobiletechvideos.com.
2. soldering iron - make sure it's sharp, if it's not sharp, then sharpen it, flux it and retin it.
3. flux
4. solder
5. tweezers
6. A relay (possibly- for the wire within to use as a bridge)
performing the modification:
1. tear apart your phone... Make sure to take out your SIM and external SDCard before you do this.
1A. Remove the screws.
1B. Separate the top case from the bottom case
1C. disconnect the display connector and free the camera and button assemblies from the case.
1D. Remove the mainboard
****VIDEO OR PICTURES NEEDED*****
2. Perform the mod as follows: Replace the xOM5 resistor from the top position to the bottom position.
*OR: remove the xOM5 resistor and jumper the center pads of xOM5 to the center pads of xOM0 or xOM3.
Thanks to ChauncyG for the device board.
3. reassemble the phone.
Special Instructions
This replaces the battery charging sequence. The normal battery charging sequence can be activated by holding power for 4 seconds.
To turn on the device, and operate in normal mode, you must hold the power button for 5 seconds.
3 button Download mode works as usual, however you must not have the S5PC110 drivers installed on the computer. You can use your custom rom menu option, adb reboot download, or use a terminal to "reboot download". 301Kohm Factory Mode JIGs work as well, but you must press power to bypass the S5PC110 mode.
To enter recovery mode, press and hold power for 3 seconds, then hold volume+ and volume- until the screen comes on then release.
Conclusion
Congratulations. You now have a device which works like a KIT-S5PC110 with an OM Value of 29. Now get to developing some serious custom software. See here for setting up the UART output http://forum.xda-developers.com/show....php?t=1235219
reading material
Creating your own Samsung Bootloaders: http://forum.xda-developers.com/show....php?t=1233273
KIT-S5PC110 manual: http://www.mediafire.com/?94krzvvxksvmuxh
how to use DNW: http://tinyurl.com/dnw-how-to
Flash using openOCD and DNW: http://www.arm9board.net/wiki/index....penOCD_and_DNW
another DNW example: http://www.boardset.com/products/mv6410.php
ODroid dev center: http://dev.odroid.com/projects/uboot/wiki/#s-7.2
drivers and utilities
This will be an ever expanding list
Windows Drivers http://forum.xda-developers.com/atta...7&d=1312590673
Windows Download Tool DNW: http://forum.xda-developers.com/atta...8&d=1312590673
Windows Command Line Download Tool: http://forum.xda-developers.com/show...3&postcount=27
Linux DNW Utility: http://dev.odroid.com/projects/uboot/wiki/#s-7.2
firmware
One-Click Resurrector: http://forum.xda-developers.com/atta...5&d=1314762609
Bootloader Hello World by Rebellos http://forum.xda-developers.com/atta...7&d=1314105521
http://forum.xda-developers.com/attachment.php?attachmentid=727808&d=1316712617
This trick saved my phone one month ago...but you must be really good in soldering
Sent from my SGH-T959 using XDA
mikka06 said:
> This trick saved my phone one month ago...but you must be really good in soldering
> Sent from my SGH-T959 using XDA
Yeah, and I lost U$100 because i have not seen this tutorial before....
I hard bricked my vibrant about 6 months ago, Odin, completely my fault. I hadn't seen the unbrick/mod yet so I sent it to Josh at mobile tech videos for JTAG. I came across this mod a day after I shipped. I sent Josh a message and he did the mod for me. Outstanding service, I highly recommend it if you love to flash. Don't wait until bricked. If you don't feel comfortable tearing apart your phone and soldering go to mobiletechvideos, quick professional service.
Vibrant
Ics Passion
Sent from my SGH-T959 using xda premium
I'm afraid your xda links are all broken, 404, not found.
cashmundy said:
> I'm afraid your xda links are all broken, 404, not found.
Yeah, links are broken, later on I'll try to find mirrors on Google,
You can help me if you want to.
Really dead vibrant
Are you sure it can get a really dead vibrant back?
I've tried the button combo, the 301k jig, nothing gets it into download mode. It's just completely dark, no sign of life.
vtp said:
> Are you sure it can get a really dead vibrant back?
> I've tried the button combo, the 301k jig, nothing gets it into download mode. It's just completely dark, no sign of life.
It worked for all the people who tried that. I did it also and saved my vibrant. But you need perfect soldering skills or try to find someone to do it.
Sent from my SGH-T959 using XDA
help?
Hello friends
I tried to understand the instructions but I could not understand anything
Is anyone ready to upload a picture that explain it better?
how?
mikka06 said:
> This trick saved my phone one month ago...but you must be really good in soldering
> Sent from my SGH-T959 using XDA
can you explain how to do the mod?
you have to change a position of 1 resistor on the mainboard of your phone,
then install new drivers and the programs on your pc to get the special features of it.
Can you plz post high quality pics of this mode
khan_frd2002 said:
> Can you plz post high quality pics of this mode
I can give you the thread links that I followed when I did this trick. It's so small that it's really hard to get a high quality picture. Just read every page, I remember some guys posted some useful pictures
http://forum.xda-developers.com/showthread.php?t=1273083
http://forum.xda-developers.com/showthread.php?p=17858853#post17858853
Wish I would've seen this some time ago. I'm on my second vibrant, geesh..

[Soldering?] Move internal memory chip

Hello lovely people.
Not long ago, my wonderful Samsung Galaxy S2 dropped dead. Before I send it in for service, I would LOVE to get the data on the internal storage back.
The phone does not get hot while charging, and nothing else whatsoever makes it show signs of life.
Is it possible to swap out the internal storage chip from the motherboard, and place it on an another identical phone, and retrieve the data that way?
Any sort of tips for businesses that would do something like this is welcome!
As you can guess, I learned to back up my stuff the hard way. My last clockwork backup was 20 days ago. Precious 20 days ago
probability = 99,99% yes ... a SD-card no matter of where it was before. have good luck
psytr0nic said:
> probability = 99,99% yes ... a SD-card no matter of where it was before. have good luck
And the deadly .01% is if the damaged part is the internal memory itself.
:good:
While emmc chip got like 20 important pads to solder (out of even hundred, when most are there being N/C) it is still BGA. A ****ass small BGA covered with glue. That would require someone really experienced with reworking such things. I do not know the prices but I would be prepared to pay even 100$ or more for such job, done right.
That from HW level. From SW+HW look: in theory there should be no trouble with properly swapped emmc ic from other phone. But you shall not forget about the said 0.01%, maybe more - reworking such chip might have influence on its content (I might be wrong) + GS2 had the emmc hardbrick bug - how did it die?
Please let us know how did it go.
Oh and btw - there must be companies working on such data recovery with proper HW to wire up to the unsoldered chip with sort of socket or other hackaround - I'd lookup there.
Max specified operating temperature of an eMMC is about 85 °C, there's no telling what happens above that... So whatever way you use to re-connect your eMMC, make sure it is not by soldering!
Of course it is possible but you need highly expensive tools for it to solder off the chip. It is BGA, it's not just like a transistor..
It does have hundreds of micro balls under the chip. Did you try adb shell already? Or is it really 99% dead.
You may find a company that can do it but it will cost A LOT of money. Because you need special tools for it.
Something like this
Your best bet would be to try to use a heat gun on the main board. Just heat it up for a few seconds and cool it down to zero as quick as possible. Maybe the bga is cracked because it got hit by the ground when you accidentally dropped it. By heating it up you may temporarily fix this crack (will also cause slight damage to the chips) in the soldering. So you can back it up and send it back. I think it will void the warranty, but you have to decide for yourself what to do. Try to get back the data or get a new working main board from Samsung (if you send the phone back they will just replace it with a new one most likely).
Bga soldering crack
0,1% of chance .. playing with Samsung EMMC chip = bye bye phone . look around forum or elsewhere 100% of bricked is due to it .
Question : what make you confident to say that your internal memory is good ?
to remind : it is also your phone flash chip which manage boot sequence and all . don't forget it .
> Max specified operating temperature of an eMMC is about 85 °C, there's no telling what happens above that.

> Of course it is possible but you need highly expensive tools for it to solder off the chip
every time I tried with hot air , I removed chip with missing pads cause of glue under chip which make hard to remove .
why not to give a try ? have good luck
> Your best bet would be to try to use a heat gun on the main board
Those are options you have instead of paying hundreds of euro's to a company that can recover it if it isn't the nand/emmc itself that is the dead part of the phone.
Of course i recommend him to go to a professional company and let them do recover it. Because they will do it the proper way but like i said before it cost you a lot of money.
So your best bet would be to try it yourself or just send it back to Samsung for warranty. (By trying yourself I don't mean to solder it off because that will not work out good. It will probably kill the chip, just try to reflow the mainboard and maybe you have luck.)
I know about glue in the corners of bga based chips in HP & Acer and other brands in laptops and such but didn't know that phones had that too.
But glue under the chip, never seen that before. And btw you cannot remove a bga soldered chip with a heatgun you need ir so that the whole surface under the chip gets loose. And you need to cover up all other components or they will get loose too or fry
Acer bga soldered chip -> glue in corners (this is not nand or emmc, its the chipset & cpu/gpu)
http://i.imgur.com/aIHNu.jpg
Irda soldering
http://www.youtube.com/watch?feature=player_detailpage&v=RrA-trDZPNs#t=170s
Recovering data from snapped Galaxy s2 motherboard
Hi everyone, i really need some help
My galaxy s2 motherboard has snapped (around the long thin bit) with all other parts of the motherboard still intact. I really need to recover all of the data. The data has sentimental value and cannot be replaced. Is there any chance of recovering the data either through chip extraction and onto new board? Can the existing motherboard be fixed?
All I keep hearing is that it is too difficult, the motherboard is multi-layered and would be impossible to fix. I am reluctant to take this as an answer. Is there anybody out there that has a solution for recovering all the data? Who would I go to? Who do I pay? I've contacted Samsung and they say it is impossible, when questioning them why it is impossible they state it would cost too much and they cannot do it.
Please help. thank you.
EMMC reball and some other tips
Hey guys,
I know this thread is a little bit old but I'll try to give in my 2 cents maybe someone here may find it helpful
So I come from background where I do around 20 bga reballs per week, so I do know a thing or two I guess about this although my knowledge on Samsung platform is relatively low compared to an iphone logic.
So to begin with replacing the emmc chip alone is not enough as you'll need a programmer box which connects to a jtag interface which is able to rewrite the initial files like bootrom to the emmc. You can find these boxes at any prominent gsm repair shops; boxes named such as RiffBox or Z3X Samsung box are the best I found recently.
Having said that before any repair is attempted by mainly removing the flash chip it is imperative to try to resurrect the phone using these said boxes, to try to find whether or not the NAND chip is actually detected. As one may have simply installed a ROM which is not compatible with the phone and all that is required is to rewrite the bootrom files. If the NAND (basically the same name as a flash chip) fails to be detected then obviously something went wrong and it either could be the NAND is burnt inside, or the NAND has some cracks under its critical ball pins or even may be a problem that the main power management chip inside the phone is failing from supplying usually around 3V to power up the NAND.
The emmc chip at least found in a samsung is a 14 by 14 pins which only about 1/3 of its pins are critical, the rest are dummy and do not worry if they eventually get removed, while removing the chip or cleaning the board after desoldering prior installing the new chip.
Some tips on reworking:
Always cover critical glued components like CPU + POP (package on package) RAM, baseband processor usually XGOLD found in Samsung.
Clean surrounding chip glue before attempting to remove by giving around 250C of heat and with a needle scratching the glue around
Do not exceed more than 350C to remove the actual chip to prevent more damage to the built in tracks inside the motherboard.
Last and not least a schematic for your phone would always be a lot of help to help you detect what voltages are missing on bootup to make sure that the boot up sequence is starting fine and also the relative points of each pin under a chip while knowing which pins are critical and which are dummies, or NC (not connected)
If you need any help you can always message me and I'll try my best to answer your questions.
Regards,
Ryan
solder with care
Solder with care mate, else it will be totally gone
psytr0nic said:
> 0,1% of chance .. playing with Samsung EMMC chip = bye bye phone . look around forum or elsewhere 100% of bricked is due to it .
> Question : what make you confident to say that your internal memory is good ?
> to remind : it is also your phone flash chip which manage boot sequence and all . don't forget it .
> every time I tried with hot air , I removed chip with missing pads cause of glue under chip which make hard to remove .
> why not to give a try ? have good luck
The glue in samsung is very easy to remove you just need to heat the board up to 250C and gently scratch the glued area with a needle. Do not worry on the removed pads as 1/3 of the pads under the EMMC are not connected and therefore not needed. Always clean the chip from the glue and use leaded solder for best shiny connections.
If you need any help you can always message me and I'll try my best to answer your questions.
Regards,
Ryan
Can you please explain more about JTAG.., types and the connections, how to get files for the different phones, where can we get the software etc. Thank you.:good:
richie16171 said:
> If you need any help you can always message me and I'll try my best to answer your questions.
> Regards,
> Ryan
Can you please please explain more about JTAG.., types and the connections, how to get the files from different phones, where can we get the software etc. Thank you.:good:
AnArChYm said:
> Can you please please explain more about JTAG.., types and the connections, how to get the files from different phones, where can we get the software etc. Thank you.:good:
You will need special programmer boxes like riffbox to be able to rewrite the bootloader. JTAG is a dedicated space on the board where the riffbox will communicate with the phone.
richie16171 said:
> You will need special programmer boxes like riffbox to be able to rewrite the bootloader. JTAG is a dedicated space on the board where the riffbox will communicate with the phone.
Thank you., what about the riffbox connections? Which pin to connect what and is it common to all devices?
Edit: I already got the site. And everything is explained in forum there. If anyone wants.. you can find here http://faq.riffbox.org/showcat.html
Would like the learn how to reball
AnArChYm said:
> Hey guys,
> I know this thread is a little bit old but I'll try to give in my 2 cents maybe someone here may find it helpful
> So I come from background where I do around 20 bga reballs per week, so I do know a thing or two I guess about this although my knowledge on Samsung platform is relatively low compared to an iphone logic.
> So to begin with replacing the emmc chip alone is not enough as you'll need a programmer box which connects to a jtag interface which is able to rewrite the initial files like bootrom to the emmc. You can find these boxes at any prominent gsm repair shops; boxes named such as RiffBox or Z3X Samsung box are the best I found recently.
> Having said that before any repair is attempted by mainly removing the flash chip it is imperative to try to resurrect the phone using these said boxes, to try to find whether or not the NAND chip is actually detected. As one may have simply installed a ROM which is not compatible with the phone and all that is required is to rewrite the bootrom files. If the NAND (basically the same name as a flash chip) fails to be detected then obviously something went wrong and it either could be the NAND is burnt inside, or the NAND has some cracks under its critical ball pins or even may be a problem that the main power management chip inside the phone is failing from supplying usually around 3V to power up the NAND.
> The emmc chip at least found in a samsung is a 14 by 14 pins which only about 1/3 of its pins are critical, the rest are dummy and do not worry if they eventually get removed, while removing the chip or cleaning the board after desoldering prior installing the new chip.
> Some tips on reworking:
> Always cover critical glued components like CPU + POP (package on package) RAM, baseband processor usually XGOLD found in Samsung.
> Clean surrounding chip glue before attempting to remove by giving around 250C of heat and with a needle scratching the glue around
> Do not exceed more than 350C to remove the actual chip to prevent more damage to the built in tracks inside the motherboard.
> Last and not least a schematic for your phone would always be a lot of help to help you detect what voltages are missing on bootup to make sure that the boot up sequence is starting fine and also the relative points of each pin under a chip while knowing which pins are critical and which are dummies, or NC (not connected)
> If you need any help you can always message me and I'll try my best to answer your questions.
> Regards,
> Ryan
Hi Ryan,
My son's galaxy s3 i9300 was inadvertently given a spin in the washing machine. When I realised what had happened I took it apart into its various components and put it in rice for a week. When I switched it on everything worked except the cell phone signal. From what I can gather the eMMC chip has been damaged and no software can fix it. I don't have it with me now but I think IMEI and baseband is unknown. The EFS folder is empty or corrupt.
Stumbling across your post I was interested in the fact that you seem to be an expert in re-balling. My son has since got a new phone and since I am a basic amateur in phone repair (for family and friends) I have been toying with the idea of replacing the eMMC chip on the s3 after watching this video:
http://www.youtube.com/watch?v=s38vQxXv0GE
I don't mind if I buy the chip and it doesn't work I am more intent on gaining the experience and going through the stages. Do you think this is a good idea and do you have any tips or things I can research on the topic?
Yiannos
---------- Post added at 07:30 AM ---------- Previous post was at 07:14 AM ----------
Sorry I meant this video:
http://www.youtube.com/watch?v=ds04BTVL8i0&feature=youtu.be
yiannos50 said:
Hi Ryan,
My son's galaxy s3 i9300 was inadvertently given a spin in the washing machine...
Hi,
If the IMEI is available (null), it could be the case that it needs repairing rather than actually changing the eMMC chip; however, you'll need a special tool to do this, and I honestly do not know exactly which one it is, as I'm more into hardware repairs than software.
Another possible issue could be that the phone can also have corrosion around critical components, ie around the main baseband supply, which is stopping from the baseband switch on, thus no signal or any radio communication from starting up. It would be best to have a microscope and inspect each part of the board for bad components, rather than rushing to the eMMC replacement.
It's very important to read this post very carefully and understand it as it is not easy to be done, but it is very much possible. And find a lot of youtube videos before even trying so you'll be more familiar with the process and different techniques.
Anyways for the most interesting part
Basically the eMMC chip is a 14 by 14 BGA (ball grid array) chip, which is fairly easy to reball compared to other complex ones, like the baseband processor or the main application processor. You'll also need a reballing stencil to put the balls on top of the solder pins, solder paste to paste the solder onto the holes, and a hot air gun to melt that solder into balls. (Basically the solder paste will melt between those holes inside the stencil and will form nice silverish balls.)
The chip also has a lot of not connected pads (aka dummy pads), so do not worry when removing the chip, as you'll be more than likely to lift pads from the board, especially if this is your first reball job.
First of all, you'll need to clean the surrounding glue around the chip by using around 200C and with a needle scrape off the glue, be very gentle not to scrape any tracks or board layers.
Then to remove the chip from the board use around 350C (always ramping up the temp), very important to use kapton tape around the surroundings to reduce heat stress. Personally I use the following temperatures: (do not use any nozzle with the heat gun as the chip is large and you need the heat to dispersed all over the chip)
1st min 180C full air
2nd min 280C full air
4th min 350C full air until the surrounding components turn silverish and are easy to lift, at that time get a very sharp needle and gently (very gently) start to pry up with ease the chip from one side, until it is fully lifted.
Then you'll need to clean the board, basically put flux and with a fine tip soldering iron clean the pads gently until all underfilled glue is no more remaining and the pads are nice and shiny and set the board aside.
If you buy a new eMMC chip, most probably you'll have it reballed from the supplier. If not pre-reballed, you'll need to reball it using a reballing stencil and solder paste.
Finally align back the eMMC chip over the board in the correct way, always note where is pin A1 and solder it back by ramping up heat again, same process as removing the chip.
The last process is all based on software: basically you'll have to copy the bootloader from a good working S3 phone to this one, as the new eMMC chip is empty of data, and obviously without the bootloader the phone wouldn't be able to switch on. There is a process somewhere on the net for how exactly this is done.
Ryan
Ryan,
Thanks a million for setting me on the right path. I'll let you know what happens.
Yiannos
Data recovery - Siemens A31
Hello everyone,
this thread seems to be what I've been looking for. My Siemens A31 got some water from a torrential rain while it was on. When I got to removing the battery, the phone was already off. I dried all accessible parts but I did not have the necessary torx screwdriver, so some water stayed inside. It was Friday evening and I got the screwdriver no earlier than on Monday. There was some corrosion in the phone, of course. It could not be turned on and subsequent cleaning with alcohol and even ultrasound improved only the look of the main board, but not its behavior. The only sign of life was that it seemingly recharged the battery while connected to the charger.
I have asked several repair services and people and I am quite confused whether it is possible to recover the data by soldering the memory chip into another A31, a functioning one of course. Last time, I asked a laptop service and I was told it is impossible, not just because of the difficulty of soldering a BGA chip. They told me it would not work because the phone would get blocked due to IMEI mismatch! This was surprising for me. If it is true, it implies that the IMEI is stored in both the flash memory and some other chip. I was unable to find any evidence for such a claim on the Internet.
Can anyone tell me if the target phone with replaced flash memory will actually work, assuming the memory is functioning? The video referred to by yiannos50 suggests it may really work. Anyone else has tried it? Two people in this discussion were about to do so.

[HARD-UNBRICK][EDL Cable DIY] Unbricking a HARD-bricked ZenFone5 LIVE (QUALCOMM)

Hello, First time post, moderate time lurker
---------------------------------------------------------------------------------------------------------------------------
Disclaimer:
I'm just recently learning tampering with android and been pretty obsessed with achieving my personal goal on mine.
With that being said I AM NOT a professional, I am merely posting this guide because I have not yet seen this specific method I used to un-brick my phone, but it does borrow from other similar concepts.
I will probably have limited followup capability and expertise, and everything is AT YOUR OWN RISK, not only do you risk your phone being damaged beyond repair, not just a brick but scrap metal, you also risk anything you connect it to if you are not careful. YOU HAVE BEEN WARNED.
Also, this guide may apply to multiple models of Qualcomm phones (Research first if it applies to yours), but was performed on a ZenFone 5 >-LIVE-< not a regular ZenFone 5; it's being posted here due to lack of my phone model on the forum. Do not assume that everything that works on a Live will work on a regular, I have found they are VASTLY different and only similar in name.
---------------------------------------------------------------------------------------------------------------------------
Symptoms:
Very Hard-Bricked ZenFone 5 Live, due to attempting to hex edit the boot-loader
(I've already learned my lesson, save your lectures)
The indication that your phone is actually a HARD brick, is that it will not appear to turn on at all, and when connected to a PC will show something along the line of Diagnostics 900E on the COM Port devices section of your device manager
For anyone who's poked at it at the Qualcomm level, you will notice a few things wrong
-It never goes into 9008 QDL mode on its own
-It rejects any kind of memory diagnostics(which is a miniature requirement before a flash by automation) with ACK ERROR FROM DEVICE: NAK_MEMORY_DEBUG_NOT_SUPPORTED
or will report IMAGE_TYPE_INVALID, even when selecting the correct firmware
and lastly you get timeout/phone wait errors, header/reply reads "0" or if you try to manually connect with the QSaharaServer it will only reply to Hello Prompts/commands then reset, and anything else gives unknown command received: 4 or "0", also manual PUTTY connections to it via TELNET over COM port also results in a mass overload of "0"s being sent to PUTTY en-masse and only "0"s can be sent.
If your phone is still able to get to your boot loader or has any other functionality I would suggest looking into alternatives than following this guide first.
---------------------------------------------------------------------------------------------------------------------------
Tools Needed:
- Hard-Bricked QUALCOMM phone
(this will not work if it does not have Qualcomm firmware, I.E. Sahara, Firehose, etc.)
- USB-C cable
(or whichever cable applies to your phone, this was however performed using a -c cable)
- Wire cutting/stripping/joining tools ; soldering is optional ;
I personally used: Box cutter blade, Knife, Scissors, pliers, and a lighter
- Qualcomm flashing software, QPST or QFIL, and Qualcomm Drivers ;
whichever you're used to, if you're new to Qualcomm tools I recommend a standalone version of QFIL, google it, they aren't too hard to find (and I'm too new and don't wanna risk posting links to bad sites)
Also the drivers for Qualcomm specifically ARE REQUIRED
if you found the correct ones you should have a folder in program files (x86)/Qualcomm Incorporated
Google these too, not too hard to find, too many risky links, I'm not a pro.
- Phones Firmware - QUALCOMM LEVEL
this is not your regular ROM with boot.img,system.img, etc.
Qualcomm level firmware will look more like Firehose_8917.mdn, Rawprogram.xml, Patch0.xml
these can be tough to find for some people
If you're lucky your phone's regular OTA/Firmware downloads will also contain these, for others it's a standard ROM without them. You may need to google fu around for them but do make sure you're using the correct Qualcomm firmware for your phone/msm, or you may risk putting your phone into perma-brick.
- Optional - USB Hub with surge protection ;
Due to the electrical danger of this guide, I highly recommend a USB Hub with surge protection capability, I just so happened to have one laying around, it is optional, but HIGHLY recommended, I believe mine saved my phone/PC during this procedure at least once.
- Optional - Stock Factory ROM
Just to make sure to clear out whatever caused the brick in the first place, I suppose you could flash whatever else works for you if you still have an unlocked boot-loader, somehow, after the flash, heck I don't even know if there's a system left in there to boot into if you try skipping altogether, either way, highly recommend an OEM stock regular flash after the Qualcomm flash.
---------------------------------------------------------------------------------------------------------------------------
Verify phones condition:
First off, your phone should be pretty bricked, if you're this far. Make sure it's not DEAD DEAD though. Plugging it into a PC should give at least an unknown device, Qualcomm 900E COM port device, or some kind of life, plugging it in (and maybe holding power + down vol, or up if a different model) indicates a flashing LED.
If there is sign of life, proceed ; if not your phone may have physical/electrical damage and prepare for the worst and consider a new phone.
---------------------------------------------------------------------------------------------------------------------------
We begin the real work at the cable
-Why? (can skip if you don't wanna know what's going on in the software)
The phone is locked-down by the highest level boot-loader (PBL I think?), its name as of this guide, Sahara.
When Sahara security is triggered it locks down the secondary bootloader, Firehose. With Firehose on lockdown it cannot load the usual oem-bootloader you see, or your custom if you have one. This is probably a security feature to try to force would-be thieves to not be able to unlock the phone without bringing it to a service dealer. Or possibly to thwart would-be phone modders who can't figure out what's going on and cash in on a voided warranty and a simple flash work labor fee for their techs, or new phone purchase.
Either way, Qualcomm has a backdoor, and the backdoor is in the USB cable.
---------------------------------------------------------------------------------------------------------------------------
Cable work
-Begin Guide
Begin by stripping the sleeving off a section of the USB-C cable, I recommend somewhere in the middle, and a few 3-5 inches worth to give yourself play room, if you're experienced with cable modding then do whatever's comfortable to have room to switch a wire to another, though that's not necessarily accurate on what the next steps are. Keep in mind there is an entire secondary sleeve of tin wire mesh braiding so it can get messy and you need that isolated from other wires.
Once you have your section of stripped wire, examine wires for what type you have
(to my surprise and delayed my work 6 hours of research was the absence of a black wire.)
You will either have:
Red, White, Green, Black wires ; including Tin shielding mesh, and possibly a nylon core
OR
Red, White, Green; including Tin shielding mesh, and possibly a nylon core
If yours was like mine, the black wire is actually a mesh of copper wires mixed in with the tin mesh, in this case treat the tin outer mesh like the black wire, which makes things difficult to work with, but very doable still. Just be careful not to fully sever the copper strands mixed in too much, you need at least some of them intact to some degree.
Next cut the green wire, and strip the tips down a good amount, enough where you can twist it by hand (1/8" or so?)
if you have a black wire do the same and skip the next tin mesh step.
---------------------------------------------------------------------------------------------------------------------------
Tin mesh wire-
If you have a tin mesh, things get a little dicey but it worked for me,
the tin mesh surrounds the cable entirely in a tubular braid pattern
it is impossible to work with in this state
therefore ~1/2 of it needs to be severed in order to craft it from a shielding braid, into a makeshift wire
tip, the thin insulation sleeving separating the wires from the shield when pulled peels the shielding off the wires nicely after the mesh is cut in one spot (severing point a-b on the cable), though bunches it up, this does make it easier to cut it half though, rather than poking and pulling at it by hand.
once you're able to separate it from the rest of the wires, twist the mesh into a wire form, due to its rough tin spike nature it holds in shape quite nicely
The key on the tin mesh type though is to examine it for the copper strands hidden within and do not sever too many of them, the shielding will be disconnected from point a-b on the cable but still the copper wires need to not be mutilated.
once you have your mesh in wire cable form on both ends proceed
---------------------------------------------------------------------------------------------------------------------------
Cable work Pt. 2
At this point you should have:
Green wire, cut and tips stripped
Black wire, the same as green, if it applies
Mesh shield crafted into a wire, if it applies
(either the black wire or mesh are required, but NOT BOTH)
- From here on the tin wire mesh is effectively the black wire, if it applies, and thus will be referred to interchangeably as such unless otherwise specified-
Take your black wires, twist them together and secure them
you must make sure of 4 things
1 - Obviously, the copper of the wire is in contact
2 - they do not accidentally become disconnected and can withstand at least some force before separating
3 - However, they must remain QUITE EXPOSED, you need the bare wire to be somewhat accessible for later steps
If you're experienced you can do this your own way after reviewing the next steps, but these wires must be able to connect and disconnect at will without unplugging the USB cable itself
4 - Make sure the wires are in such a configuration that they can reach the green wire, but stay - 100% ISOLATED FROM EVERYTHING ELSE- (oh if you have a black wire, this INCLUDES THE SHIELDING, NO BLACK ON TIN)
If you fail to practice safety first you risk frying your phone, and whatever else you connect it to, I.E. your 10k Gaming PC, anything you fry you are responsible for and I disclaim any responsibility for your actions, even if you follow this guide accurately you're still at your own risk.
Next do the same to the green wire
---------------------------------------------------------------------------------------------------------------------------
Cable Work Pt. 3
- Pre-EDL "Deep Flash"
at this point, if you've followed the cable instructions your EDL "Deep Flash" Cable is actually complete
you may be asking yourself why? all you did was strip wires and reconnect them
the trick is actually, that you've provided one cable to cross-talk to another temporarily
to prep for the EDL "Deep Flash" command initiation one more step is needed though
you must connect the exposed and completed green wire, to the black wire
this however MUST be temporary, you must be able to separate these wires, safely, and without disconnecting the USB device.
For example in my build I bent my twisted makeshift tin black wire into a u-shape that just barely held onto the green wire's copper, and could be removed with a simple tug
Depending on the internals of your wire and how rugged they are this may work for you
however if you have an actual black wire in yours, or your material is more "rubbery" and less rigid you may need to find your own method, maybe stick them both on duct tape crossing wires or something
Still you get the idea though, cross the green and black wire, but in a temporary fashion.
Finished Product (This is post-EDL command, with the green wire pulled)
---------------------------------------------------------------------------------------------------------------------------
Testing and Driver preparation
At this point we're good to go for a deep flash, but I would recommend testing before plugging it into a PC
(you can fry a PC through a USB port btw)
I recommend testing your setup with a USB adapter on a power outlet or a powered USB hub (preferably surge protected and not connected to your PC for now)
If your cable works, you should get a flashing LED
More-so now than if you didn't before, because sometimes the LED won't light when in Firehose mode, but only Sahara. If you didn't have an LED before... then it's a maybe... use a multi-meter to make sure you have live connections and no shorts? if you have a flashing LED though you're golden, or should be.
Also, you want to make sure your PC is prepped for the flash with the Qualcomm drivers, QPST/QFIL software, and your phone's correct Qualcomm Level Firmware, in my case it's Firehose_xxxx.mdn, rawprogram.xml and patch0.xml files.
Looking at the software though, depending on your model you may end up using a .hex file as well?
-this guide is more about the EDL cable and less about the software, many guides exist for those so if you need more info go looking for those. I'm posting this as this specific method of EDL cable I couldn't find anywhere, this is not a complete a-b guide, just the most crucial part of recovery for peoples hard bricked Qualcomm phones. -
---------------------------------------------------------------------------------------------------------------------------
The Deep Flash
Here comes the risky part, risking a PC
I've already warned you 2-3 times so whatever happens, you are responsible for.
Connect the phone with the PC, preferably through a surge protected USB HUB, or directly if you're desperate and brave/suicidal.
You should get NO CONNECTION indication from the PC, nothing in device manager, no USB connected audio blips, nothing. The only thing that should happen is the LED will flash on your phone. This is good.
Wait for about 10-20 seconds, you do not want to jump the gun or you will have to reset your wires.
after 10-20 seconds, execute your wire release / pull method on the green & black wire, separating them, but making sure their own connections don't get severed in the process.
If success, you will get a connection blip from the PC and if you have QUALCOMM DRIVERS installed you will see the fabled 9008 QDL loader install on its own without having to force it through device manager.
If you get 900E still, try again. if you can't get 9008 without forcing it something is wrong, either your phone has actually been in Firehose the whole time or there is a different method for your phone, or the cables are mismatched on the wire, or some other issue.
---------------------------------------------------------------------------------------------------------------------------
Successful 9008 EDL Deep flash
- A footnote for those familiar with Qualcomm already
Nice having 9008 on its own without going through device manager, isn't it? (for those experienced with Qualcomm already lol)
This is a proper QDL Deep flash and the way it's meant to be loaded on these drivers.
If you had issues with QPST/QFIL before, proceed as normal if you're familiar with the process, the rest of the guide will briefly touch up on that. Just be careful not to sever the connection mid-flash, the Firehose firmware flash is much quicker than a ROM flash, so it won't be long if you already know what you're doing.
I recommend either safe-proofing your cable or switching to a UN-modified one ASAP to minimize risk to your equipment.
God-speed.
---------------------------------------------------------------------------------------------------------------------------
Qualcomm Flashing
- For those new to Firehose/Sahara
As mentioned previously this is not a Qualcomm software guide
This stuff is shrouded in mystery and proprietary hush hush so not a lot is known and depending on what you got can be quite confusing to understand.
If you're new to Qualcomm software I previously recommended QFIL, so that's what I will briefly touch, if you got QPST you're on your own.
(though usually QPST has QFIL included in SOME builds just fyi, if so you can continue following but you will ONLY be using QFIL using this guide, ignore all other tools in the package)
When you load QFIL, you will most likely be in "Meta" mode, this is not what we want, hit the radio bubble for "flat build" if you're missing these bubbles you may be on an ancient version of it and I recommend finding a more up to date version.
Next you must specify your programmer, this is going to be your eMMC_Firehose_XXXX.mbn file
(XXXX is your phones snapdragon MSN #, look it up on qualcomm snapdragon spec sheets if you need to)
I've only worked with my Zenfone 5 Live with this software, so eMMC_Firehose is all I know, if you find that your phone uses .hex or any other format aside from .mbn's or .xml's then I recommend you stop here and find a Qualcomm flashing guide for your specific phone, but try to keep your phone connected IF IT'S SAFE TO DO SO (I.E. no risk of cat/pet attacks, children, liquids, living thing contact, etc.) , otherwise if you disconnect your phone you will need to re-perform the deep flash sequence from before.
Next click "Load XML"
this will prompt you to load both your rawprogram.xml and patch0.xml (one after the other)
Then click download.
This process took my phone about 20 seconds, it's very quick
once this is complete reboot your phone with its "special reboot" key combo, whatever it is for your phone.
For mine its Vol down + power
if all goes well, you should have your good old fashioned OEM boot-loader
to make sure that whatever caused Sahara to lock-down your phone is gone, proceed to flash a factory/stock ROM to your phone. If you've made it this far I assume you either already have one on hand or found it while looking for your Qualcomm firmware.
And your phone is back from the dead.
Praise the sun!
---------------------------------------------------------------------------------------------------------------------------
FIN!
P.S. -
While waiting for your phone to flash your factory stock ROM I recommend listening to
Korn - Another Brick In The Wall (Pink Floyd Cover)
P.S.S -
I am continuing my research on brute forcing the unlock on this device, ZenFone 5 LIVE
if you have any information to share, please PM me for anything you can share or if you would like to collaborate on this project.
If you found this guide helpful and you want to show your appreciation share your feedback!
Also I wouldn't mind any donations, I am a paycheck to paycheck sweatshop callcenter tech. Link in my profile
- Sources for this method's inspiration -
club.lenovo (china)
User:
francescotagliam**te
en.miui -
Users:
[email protected]
mitch002
I'd post links, but I am forbidden as a new member.
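To tell apart the two states the guide distinguishes (Diagnostics 900E versus QDL 9008) and to read what the device reports in its first Sahara packets, here is an added Python example; it is not part of the original post or of any Qualcomm tool. The lsusb lines and packets are constructed samples, and the packet layout (little-endian 32-bit command and length, then HELLO or END_IMAGE_TX fields) and the reading of the tool's "command 4" message as END_IMAGE_TX are assumptions taken from the publicly documented Sahara protocol.

```python
import re
import struct

QUALCOMM_VID = 0x05C6  # Qualcomm's USB vendor ID
PID_MODES = {
    0x9008: "EDL / QDLoader 9008: boot ROM is waiting for a Sahara host",
    0x900E: "Diagnostics 900E: the stuck state described in the guide",
}

# Sahara command IDs and HELLO modes (assumed from public protocol notes).
SAHARA_COMMANDS = {
    0x01: "HELLO", 0x02: "HELLO_RESP", 0x03: "READ_DATA",
    0x04: "END_IMAGE_TX", 0x05: "DONE", 0x06: "DONE_RESP",
    0x07: "RESET", 0x08: "RESET_RESP", 0x09: "MEMORY_DEBUG",
    0x0A: "MEMORY_READ", 0x0B: "CMD_READY", 0x0C: "CMD_SWITCH_MODE",
}
SAHARA_MODES = {0: "IMAGE_TX_PENDING", 1: "IMAGE_TX_COMPLETE",
                2: "MEMORY_DEBUG", 3: "COMMAND"}


def classify_usb(lsusb_line):
    """Map one lsusb-style line to the boot mode the guide distinguishes."""
    m = re.search(r"ID ([0-9a-fA-F]{4}):([0-9a-fA-F]{4})", lsusb_line)
    if not m:
        return "unparseable"
    vid, pid = int(m.group(1), 16), int(m.group(2), 16)
    if vid != QUALCOMM_VID:
        return "not a Qualcomm boot interface"
    return PID_MODES.get(pid, "Qualcomm device, other mode (PID %04x)" % pid)


def decode_sahara(packet):
    """Decode the 8-byte Sahara header plus HELLO / END_IMAGE_TX bodies."""
    if len(packet) < 8:
        return {"valid": False, "reason": "shorter than the 8-byte header"}
    command, length = struct.unpack_from("<II", packet, 0)
    name = SAHARA_COMMANDS.get(command)
    if name is None:
        # A stream of zero bytes (as seen in the guide's symptoms) lands here.
        return {"valid": False, "reason": "unknown command id %d" % command}
    if length < 8 or length > len(packet):
        return {"valid": False,
                "reason": "length field %d does not fit buffer" % length}
    out = {"valid": True, "command": name, "length": length}
    if name == "HELLO" and length >= 24:
        version, version_min, max_cmd_len, mode = struct.unpack_from(
            "<4I", packet, 8)
        out.update(version=version, version_min=version_min,
                   max_cmd_len=max_cmd_len,
                   mode=SAHARA_MODES.get(mode, "unknown (%d)" % mode))
    elif name == "END_IMAGE_TX" and length >= 16:
        image_id, status = struct.unpack_from("<II", packet, 8)
        # Status 0 means success; any other value is a device-side error code.
        out.update(image_id=image_id, status=status, ok=(status == 0))
    return out


# Constructed samples (not captured from a real device).
SAMPLE_LSUSB = [
    "Bus 001 Device 007: ID 05c6:9008 Qualcomm, Inc. (sample QDL line)",
    "Bus 001 Device 008: ID 05c6:900e Qualcomm, Inc. (sample diag line)",
    "Bus 001 Device 002: ID 1d6b:0002 Linux Foundation 2.0 root hub",
]
SAMPLE_HELLO = struct.pack("<12I", 0x01, 0x30, 2, 1, 0x400, 0, 0, 0, 0, 0, 0, 0)
SAMPLE_END = struct.pack("<4I", 0x04, 0x10, 13, 0x1D)  # nonzero status
SAMPLE_ZEROS = bytes(48)  # the "only 0s" reply described in the symptoms

if __name__ == "__main__":
    for line in SAMPLE_LSUSB:
        print(classify_usb(line))
    for pkt in (SAMPLE_HELLO, SAMPLE_END, SAMPLE_ZEROS):
        print(decode_sahara(pkt))
```

A HELLO in IMAGE_TX_PENDING mode is what a host expects to see first from a device in 9008 mode; an END_IMAGE_TX with a nonzero status means the device rejected the image or request it was sent.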
Wonderful!
Hey @Leomaxwell973 , thank you for the tutorial.
I used your method, along with the one here: https://forum.xda-developers.com/t/...ight-turns-on-for-a-second-using-edl.4228641/
My phone came back to life, and I have to thank you, really.
