device seems dead after flashing 0xF7 #1

Open
sodaws opened this issue Dec 30, 2018 · 11 comments

sodaws commented Dec 30, 2018

Hey man,
first of all thx for creating this guide. I discovered oranav's talk on the 34C3 a while ago but couldn't find a 0xF7 firmware to revive my S3 from the dead. Then I found your guide and gave it a try. (I got the Type1Brick)
So far I managed to flash the new firmware onto the chip and resize the boot partition. But now the device doesn't boot into anything anymore and seems to be completely dead (screen remains black). I prepared sdcards with XXELLA sboot.bin and GT_I9300_unbrick_sdcard_head.bin, but nothing happens when I try to boot into download mode with them.
I'm not sure what to do next. Should I try shorting the resistor with my unbrick.bin sdcard in the device?
How exactly should I proceed with method 3? Connecting the battery + holding (power + home + vol down) + shorting the resistor seems to be physically impossible with only two hands.

Do you have any ideas for me?
Thx in advance.

sodaws changed the title from "can't get into sdcard mode" to "device seems dead after flashing 0xF7" on Dec 30, 2018
Owner

Toomoch commented Dec 30, 2018

Is your model number i9300?

Owner

Toomoch commented Dec 30, 2018

If I remember correctly, it should boot to sdcard mode with only usb power or the power button, it is a typo

Author

sodaws commented Dec 31, 2018

Yes, it's an i9300.
Ok, that sounds doable. I don't have tweezers that small...hmm maybe a filed paperclip will do the job.
I'll report back after I tried that in a few days. Cya in 2k19!

Owner

Toomoch commented Apr 19, 2019

Did it work for you? I updated the guide with better instructions.

Author

sodaws commented Jun 1, 2019

Hey, sorry for responding so late ^^
The last time I tried, my phone seemed completely dead after executing the resize command.
Now thanks to your guide I somehow got back to the phone being in the "Type 1 Brick state". 👍 I can get into download mode with the sdcard inserted.
I just repeated the whole process of flashing the new firmware and resizing the boot partition. This time I got some errors while flashing:

```
D:\Downloads\i9300_emmc_toolbox\i9300_emmc_toolbox>python exploit/sboot_exploit.py --shellcode shellcode/write_fw.bin -e 0xf7bugfree.bin
[+] Shellcode started
[*] Found MMC device address
CRITICAL:root:Bad code b'Fo'
[*] Rebooted eMMC into bootrom mode
CRITICAL:root:Bad code b'Re'
[*] Firmware upgrade mode!
CRITICAL:root:Bad code b'Fi'
[+] Got firmware from host
[*] Following process might take a few minutes
[*] Erasing all blocks on eMMC (low-level format)...
[*] Upgrading firmware, hold tight...
[*] Writing new firmware descriptor...
[+] Shellcode is done! Rebooting...
INFO:root:Shellcode is done. Device should be restarting soon

D:\Downloads\i9300_emmc_toolbox\i9300_emmc_toolbox>python exploit/sboot_exploit.py --shellcode shellcode/change_boot_partition_size.bin
[+] Shellcode started
[*] Found MMC device address
[+] Shellcode is done! Rebooting...
INFO:root:Shellcode is done. Device should be restarting soon
```

Maybe you know something about these?

After that I created a recovery sdcard, inserted it and tried to boot. Nothing happened. Not even when I try to boot while shorting the resistor. I still can't get into sdcard mode with the recovery sdcard. I'm just back in the initial state of the "Brick Type 1" state.
In the meantime I obtained a second motherboard but unfortunately I get the exact same results.

The next thing I'll try is to use another sdcard. I suspect the flash errors occur because of my sdcard, since I get exactly the same errors while flashing on both MBs. The sdcard might also be the cause of why I can't get into sdcard mode....or the errors occur because I already flashed the 0xF7 firmware and the process can't be repeated. I don't know.

I'll try some stuff and post again in some days.

Owner

Toomoch commented Jun 1, 2019

Please, try a different sdcard. And by different I mean try every sdcard you have. I have had a lot of complaints that the recovery sdcard doesn't have great compatibility, and with a random sdcard it worked in the end.
Edit: Also maybe try linux, the windows implementation doesn't work all that well.

Author

sodaws commented Jun 13, 2019

I did it!
I'll explain how I did it (long story). Maybe there even is something worthy to add to your guide.

tl;dr: I'm dumb and somehow got two working boards.

This time I started from the beginning and did everything with linux. As a total linux noob I recommend mx linux. For me, trying to set up Ubuntu 18.04 was the worst pain in the ass ever. For every package I had to install (i.e. libusb, gcc-arm-none-eabi, binutils-arm-none-eabi) I got error after error. To even be able to install them, you have to read so many threads in forums about the 10 other things you need to modify and install. Specifically the gcc thing was the worst to install. On mx linux I just ran the command and everything was installed without any problems.

Anyways...back to the S3. I somehow got into the original state where I got into download mode without a sbootsdcard. When I then tried to run the script it gave me a "no mmc_startup() on this sboot" error. Then I did the same with my sbootsdcard inserted and it worked (even without shorting the resistor prior). I didn't even get the errors mentioned in the post above. Then I resized the boot partition. After that I created a recovery sdcard and inserted it.

So here comes the thing. You have to press the power button for around 3 seconds, release and then do nothing for like 10 seconds. After that the sdcard mode screen appears. I was too impatient the last time. I pressed the button too long and, I assume, restarted the device before it could finish copying the bootloader from the sdcard. If that doesn't work, you can try to short the resistor with the recovery sdcard inserted and press the power button. That way I did it with another board I got from a friend. (It worked with both of my sdcards. I tested it with a SanDisk Ultra 32GB microSDHC and a Nokia MU-37 microSD 2GB.)

Then, for some weird reason, I could only get into download mode every 10th time or so with the 3 button combo but always when using a jig. Now that I got into download mode again, I wanted to flash a PIT and TWRP. So I switched back to windows and opened odin...and it didn't list the device.
Because I messed around with zadig and the libusbK driver before, odin couldn't list the device, since windows was still using the libusbK one. To get odin to list it again, I had to open the device-manager and under the section "libusbK devices" update the driver to the "SAMSUNG Mobile USB CDC Composite Device" one.

Ok, so now it shows up in odin again. Let's flash the PIT and TWRP. Flashing the PIT file only works if you have the "nand erase all" option not selected (the linked xda-guide says otherwise).
Then I flashed TWRP but could not get into it with the 3 button combo. I only got the black and white fragments on the screen. So I plugged in my jig to get into download mode again. Then I flashed a 3 part stock android 4.3 with the pit via odin. That worked, but when I tried to boot, I just got stuck in a bootloop.

So I flashed TWRP again and this time actually got into it. This is where I fucked up the whole time.
The 3 button combo didn't work because I was holding the phone in a way, where the connectors on the board and the connectors of the flex cable from the home button didn't have contact. I thought the whole time that the home button was connected through the lcd flex cable....After screwing the board in with the small black screw, I could reliably get into download and recovery mode with the 3 button combo again.

Now that that's fixed, let's get rid of the bootloop. I flashed many different roms but every single one eventually just ended up bootlooping again. Fortunately I found a full nandroid backup from 2014 on my old hdd (even with an efs backup). So I restored that via twrp....and it worked! The phone is fully functional. No crashes, no bootloops, even calling works.

As I mentioned before, I have two boards...So let's find a way to get the second one to boot as well. This one had the same problem. Bootloops after flashing the new emmc firmware and rom. Unfortunately, for this one I didn't have a nandroid backup, so I had to find another way.
I did some research and found out that the bootloops are caused by the system being unable to mount the efs partition (an error that twrp displayed every time I flashed something). To fix the bootloops, you have to use the terminal in twrp and enter this "mke2fs /dev/block/mmcblk0p3". If I understood correctly, this will create the efs partition and it'll get filled with "dummy" files. After that I wiped everything again and flashed a rom...and it actually booted. The second board works now too! It doesn't recognize any simcard but that's what we already expected.

Ok, we're done. At the end of the day I have one fully working board and one that boots, but has a broken efs partition.

So I guess there is nothing else left than thanking you and oranav for all of this. It was a long and painful journey but in the end, I got two working boards and I learned some new stuff ^^

I'm not a native speaker, so if there is anything, that I worded poorly and needs clarification, please point it out.

Owner

Toomoch commented Jun 13, 2019

Hey! Great news.
I know I probably missed a lot of stuff, such as the thingy for the libusbK driver, you have to uninstall it to be able to use Odin. Also I forgot in twrp you have to run these commands to be able to boot the phone:

```
make_ext4fs dev/block/mmcblk0p8
make_ext4fs dev/block/mmcblk0p12
make_ext4fs dev/block/mmcblk0p10
make_ext4fs dev/block/mmcblk0p3
```

The EFS partition can be saved by using a program in windows, but you are on your own there (it may be illegal in your country).
I'll definitely improve my guide with your findings.


islatur commented May 5, 2020

Hi, is there a way to do all of this without losing what was in the phone? Long story short, I have 1.6 BTC in the stupid phone and no wallet backup. I'm a case 3 type of brick.

Owner

Toomoch commented May 5, 2020

Can you boot twrp? We would need to dump the entire chip and then maybe reconstruct the ftl metadata. Don't format still, maybe I can figure out a way, it would hurt to lose all that. You have a boot screen right?


raipat commented Feb 21, 2022

Hi, did you succeed in dumping the chip and mess with the ftl metadata?
Could you share more information on that?
