Hi All, new to this forum and I have not found a resolution reading the threads, so if someone could correct me that would be awesome.
I am trying to un-hard-brick our Samsung Galaxy Player 5.0 Intl. It attempted to boot with a flat battery a long time ago and has been a brick since. I have periodically kept it charged in case one day I find a resolution.
I have been attempting to use Unbrickable Resurrector but cannot even get it to load.
Initial process:
I have installed Ubuntu on a spare laptop.
Installed Java through command line and verified the install.
Downloaded Unbrickable Resurrector from GitHub as a zip file: 'hummingbird-hibl-master.zip'.
Changed the zip file's permissions to make it executable.
Right-clicked and ran with Java, but nothing happens. A little bit of hard drive noise but nothing comes up.
In the threads there is mention of running the .jar file but there is no .jar file in this package. I have unzipped and searched the folders to no avail.
I have even tried renaming the zip file to .jar, which yields the same result as above.
I think it may be that I'm simply stupid, or am I missing something?
Any help greatly appreciated.
I have just tried installing Java 6 instead of Java 8 in case there was a compatibility issue. Set the default application to the Java 6 runtime. An icon pops up in the side bar after double-clicking 'hummingbird-hibl-master.zip',
then after 14 seconds the icon disappears.
Not sure what else to try. I must be missing something obvious?
SymondoR said:
. . . .
Did you miss something? Yes, you missed the date on the OP, which was Dec 2011! The links are out of date and so are the instructions.
1. In 2011 I think maybe Ubuntu 11.04/12.04 was current, so you might have trouble getting 14.04 or 16.04 to work.
2. The link for the download of Unbrickable Resurrector is not right. You are looking for a file called "UnBrickableResurrectorR36.jar", which has apparently been expunged from the internet. The current link, which redirects to github.com, leads to the source code that will "compile" to UnBrickableResurrectorR40.jar (or whatever the latest version was). So unless you've got some Java 6 skills...
EDIT: I managed to find 1 copy of the file here:
https://www.4shared.com/file/1Gx6ZSXjei/UnBrickableResurrectorR40.html
Thanks Meticulus for taking the time to reply. That got me out of a sticking point. Greatly appreciated. I know I'm trying to revive old tech, but I also don't like being wasteful by just throwing it away. I hope to revive it so my daughter can use it as an iPod alternative. Here's hoping.
Hopefully I don't need any further help and this thread will help any other latecomers to fixing the old Galaxy Player 5.0.
Thanks again.
Hi Meticulus. Progress update: Unbrickable Resurrector R40 now functional.
Connect SGP 5.0 Intl.
Device recognised.
S5PC110 Detected.
Clicked : Perform Resurrection - Download Mode
Begin Resurrection Sequence
Requesting Permission to access device
Please wait......Uploading...
This is as far as the process goes. The device does not go into download mode. Could I be missing something simple again?
SymondoR said:
. . . .
1. It's been quite a while since I used this, but I believe that I used it with Ubuntu 12.04 LTS. So first make sure you use that version.
2. Make sure you are NOT using virtualization software such as VirtualBox or VMware. Either use a thumb drive, dual boot, or just install Ubuntu natively.
3. You may need to set permissions on the USB device in udev. Sort of like this: http://ptspts.blogspot.co.il/2011/10/how-to-fix-adb-no-permissions-error-on.html
Use lsusb to find the exact idVendor.
4. Launch the file in the terminal like this: java -jar UnBrickableResurrectorR40.jar . This may give you more output to tell what is going on.
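The udev step above, as an added example that is not part of meticulus's post or of the linked blog: it parses lsusb output (a constructed sample using Samsung's 04e8 vendor ID and a made-up product ID) and emits a rule scoped to that exact vendor/product and to one group, rather than the world-writable MODE="0666" rules that often get copied around. The rule file name 51-android.rules and the plugdev group are assumptions; adjust them to your distribution.

```python
import re

# Constructed sample of `lsusb` output for this example. 04e8 is Samsung's
# USB vendor ID; the product ID 1234 and the other two lines are made up.
SAMPLE_LSUSB = """\
Bus 002 Device 003: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 001 Device 007: ID 04e8:1234 Samsung Electronics Co., Ltd
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
"""

LSUSB_LINE = re.compile(
    r"^Bus (?P<bus>\d{3}) Device (?P<dev>\d{3}): ID "
    r"(?P<vid>[0-9a-fA-F]{4}):(?P<pid>[0-9a-fA-F]{4})\s*(?P<name>.*)$"
)
HEX4 = re.compile(r"[0-9a-f]{4}")


def parse_lsusb(text):
    """Return (vid, pid, description) tuples, IDs lower-cased, from lsusb output."""
    devices = []
    for line in text.splitlines():
        m = LSUSB_LINE.match(line.strip())
        if m:
            devices.append((m["vid"].lower(), m["pid"].lower(), m["name"].strip()))
    return devices


def find_devices(text, vendor_id):
    """Devices in the lsusb output that belong to one vendor ID."""
    vendor_id = vendor_id.lower()
    return [d for d in parse_lsusb(text) if d[0] == vendor_id]


def udev_rule(vid, pid=None, group="plugdev", mode="0660"):
    """Build one udev rule line that lets `group` open the device node.

    The rule matches on the exact vendor (and, if given, product) ID and grants
    0660 to a group instead of 0666 to everyone, so only this device is opened
    up, and only to users who were deliberately put in that group.
    """
    vid = vid.lower()
    if not HEX4.fullmatch(vid):
        raise ValueError("vendor ID must be four hex digits")
    parts = ['SUBSYSTEM=="usb"', 'ATTR{idVendor}=="%s"' % vid]
    if pid is not None:
        pid = pid.lower()
        if not HEX4.fullmatch(pid):
            raise ValueError("product ID must be four hex digits")
        parts.append('ATTR{idProduct}=="%s"' % pid)
    parts.append('MODE="%s"' % mode)
    parts.append('GROUP="%s"' % group)
    return ", ".join(parts)


def rules_for_vendor(text, vendor_id):
    """One rule per device of that vendor found in the lsusb output."""
    return [udev_rule(vid, pid) for vid, pid, _ in find_devices(text, vendor_id)]


if __name__ == "__main__":
    # On a real machine, replace SAMPLE_LSUSB with the output of `lsusb`, write
    # the printed lines to /etc/udev/rules.d/51-android.rules (assumed name),
    # add yourself to the plugdev group, run `sudo udevadm control --reload-rules`
    # and re-plug the device.
    for rule in rules_for_vendor(SAMPLE_LSUSB, "04e8"):
        print(rule)
```

A device in S5PC110 download mode may enumerate with a different product ID than the same player running Android, so run lsusb with the device in the state you are actually trying to talk to.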
Hi again Meticulus, thanks for your instructions. I have managed to make some more headway with your help.
I performed a new native install of Ubuntu 12.04 LTS and Java 6.
Now Unbrickable Resurrector appears to work. It recognises the device and after the password prompt brings up the "now in download mode" screen in the GUI window, although the Samsung player screen stays black.
I have now also installed Heimdall Frontend in Ubuntu and am in the process of learning how to use it and acquiring the correct PIT file and firmware. It appears to recognise the player at this stage.
Just to refresh it is a Samsung Galaxy Player 5.0 International 16GB. Made in Korea.
I have PIT file: GB70-GalaxyPlayer-16gb.pit
also: G70intl.pit
I am thinking the first is a safer bet.
Firmware: G70XXKPL_CL1105219_REV01_user_low_ship_HOME.tar.md5
and: CODE_GB70KRKPG_CL762569_REV01_user_low_ship_HOME.tar
Although Heimdall expects tar.gz file extensions, so I'm doing something wrong again.
I'm going to sleep on it and re-approach in the morning. (I'm on the other side of the planet in good old New Zealand.)
If you have any further advice to offer on the correct firmware for this device, any help is most appreciated.
SymondoR said:
. . . .
".tar.md5" or ".tar" file must be flashed with Odin in Windows but those files are archives that can be opened via the Archive Manager in Ubuntu and the files extracted. As I said it's been awhile and I'm just talking from memory so do your homework but, basically each file in the archive is a raw dump of the partition. So system.img is the system partition, cache is cache and so on (zImage is kernel) and can be flash via heimdall. I am not very familiar with heimdall front end but from the Terminal, the command is something like:
"heimdall flash --system system.img" ( <---real iffy on exact syntax, something close to that.)
DO NOT FLASH PIT FILES!!! ( I have bricked my device many times and have never had to do this and you shouldn't do it unless you are sure that you have muffed up your partition table!)
Odin is available here and the drivers for windows too but the last time I used them Windows 7 was the thing so...
Techically if you can use Heimdall or Odin with any success, you are already in "Download Mode" and you do not need the Resurrector.
The Terminal command "heimdall --print-pit is a good test. If it can connect to the device and print the pit file with out error then Download mode is working and you can flash a stock ROM with ODIN and as long as it's the right one, your golden...
Hi Meticulus, here's a quick result of a PIT print:
Initialising connection...
Detecting device...
Claiming interface...
Attempt failed. Detaching driver...
Claiming interface again...
Setting up interface...
Initialising protocol...
Protocol initialisation successful.
Beginning session...
Some devices may take up to 2 minutes to respond.
Please be patient!
Session begun.
Downloading device's PIT file...
ERROR: Failed to receive PIT file size!
ERROR: Failed to download PIT file!
Ending session...
Rebooting device...
Releasing device interface...
Re-attaching kernel driver...
So I may have a bigger problem. Would that indicate a muffed partition? From what I have read elsewhere I may have a hardware failure, which means RIP Samsung player.
What originally bricked the device was an attempted boot with a dead flat battery. The device has never had any custom firmware flashed. Purely stock.
Will do some more research in the meantime.
SymondoR said:
. . . .
I can't be sure, but I would say yes, that does point to a partition problem. The only way to repair your partition table is if you can get into a custom recovery.
Your only hope is if you can flash a custom kernel:
http://www.meticulus.co.vu/p/galaxy-player-5-beanstalk-install-from.html
You can also extract the zImage from the .tar or .tar.md5 file and flash the zImage (kernel) with Heimdall, sort of like this:
heimdall flash --KERNEL zImage
The kernel has custom recovery in it, and if you can boot into it you can use the partition tools to straighten yours out.
You might need this:
https://www.youtube.com/watch?v=Uzu4uDTDL5k
and you might want to read through this entire thread:
https://forum.xda-developers.com/showthread.php?t=2398120
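An added example, not code from meticulus, Heimdall or Odin, serving both the explanation of the .tar.md5 archives a few posts up and the suggestion just above to pull zImage out of the archive and flash it with heimdall: it verifies the md5sum trailer that Odin archives carry (the tar bytes followed by one "<md5>  <name>" line), lists the partition images inside, and extracts one member. The archive it works on is constructed inside the block (a tiny fake zImage and system.img), not real firmware. The MD5 catches a corrupted download; it is not a signature and says nothing about whether the file is the right one for the device.

```python
import hashlib
import io
import tarfile


def split_md5_trailer(data):
    """Split an Odin .tar.md5 blob into (tar_bytes, md5_hex, name).

    The format is a plain tar archive with the output of `md5sum` appended to
    it ("<32 hex digits>  <filename>" plus a newline). A valid tar always ends
    in zero-filled padding blocks, so the trailer is whatever follows the last
    NUL byte. A plain .tar with no trailer comes back as (data, None, None).
    """
    nul = data.rfind(b"\x00")
    fields = data[nul + 1:].strip().split(None, 1)
    if not fields:
        return data, None, None
    digest = fields[0].decode("ascii", "replace").lower()
    if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
        return data, None, None
    name = fields[1].decode("utf-8", "replace") if len(fields) > 1 else ""
    return data[:nul + 1], digest, name


def verify_tar_md5(data):
    """True only if a trailer is present and its MD5 matches the tar body.

    This is a download-integrity check, not an authenticity check: anyone who
    can alter the archive can recompute the trailer, so it does not replace
    getting the firmware from a source you trust.
    """
    body, digest, _ = split_md5_trailer(data)
    return digest is not None and hashlib.md5(body).hexdigest() == digest


def list_partition_images(data):
    """Member names; each is a raw partition image (system.img, cache.img, ...)
    or the zImage kernel, as described in the posts above."""
    body, _, _ = split_md5_trailer(data)
    with tarfile.open(fileobj=io.BytesIO(body), mode="r:") as tf:
        return [m.name for m in tf.getmembers() if m.isfile()]


def extract_member(data, member):
    """Bytes of one member, e.g. "zImage" to hand to `heimdall flash --KERNEL`."""
    body, _, _ = split_md5_trailer(data)
    with tarfile.open(fileobj=io.BytesIO(body), mode="r:") as tf:
        f = tf.extractfile(member)
        if f is None:
            raise KeyError(member)
        return f.read()


def build_tar_md5(members, name="example.tar.md5"):
    """Make a .tar.md5 from {name: bytes}. Used here only to construct sample input."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for fname, content in members.items():
            info = tarfile.TarInfo(fname)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    body = buf.getvalue()
    return body + ("%s  %s\n" % (hashlib.md5(body).hexdigest(), name)).encode("ascii")


# Constructed sample "firmware": a fake kernel and a fake system image.
SAMPLE = build_tar_md5({"zImage": b"\x1f\x8b fake kernel", "system.img": b"\x00" * 64})

if __name__ == "__main__":
    # Real use: data = open("G70XXKPL_CL1105219_REV01_user_low_ship_HOME.tar.md5", "rb").read()
    print("md5 ok:", verify_tar_md5(SAMPLE))
    print("members:", list_partition_images(SAMPLE))
    print("zImage: %d bytes" % len(extract_member(SAMPLE, "zImage")))
```

For a plain .tar such as the CODE_GB70KRKPG_... file mentioned earlier, verify_tar_md5 returns False because there is no trailer to check, while listing and extraction still work on it.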
Meticulus said:
. . . .
Thanks again Meticulus. I have been through all of the above to no avail. The last thread was interesting and I tried to repeat the process there to see if the partitions were messed up.
Used adb shell (in a Windows terminal) after installing the Android development suite, but it shows no connected devices. The player shows as "SEC S5PC110 test B/D" in Device Manager requiring drivers, even though I have installed the Samsung drivers.
I've also tried to use the zImage previously. Heimdall Frontend will only allow me to add the extracted file after adding the PIT file, but in the end it fails to upload the PIT file.
Sorry for the low detail, as I have decided to give up on this one. I appreciate your input to get me this far. You certainly went above and beyond to help, and for that I thank you.
Hopefully there is something in here to help someone else in a similar situation.
Hi again,
I have a friend's T95Z and am trying to fix it up. It won't connect to WiFi. When you go to network settings, WiFi is switched off. If you switch it on, it "pretends" to search for about 40 seconds, finds no AP nearby and switches "Off".
I have wrenched on a number of these T95Z boxes and always seem to get them working.
Hats off to Superceleron and his ROM. His ROM really cleaned up the first couple of these I worked on. They had the LTM8830 chipset I think.
Then I worked on a couple of newer T95Zs and that ROM didn't work. If I recall, same thing, where you can try and turn the WiFi on but it just turns off. I think they turned out to have the 9377 chipset. Found a workable ROM for them and all is well.
Okay, so here are some pics of the insides of this one: https://imgur.com/a/Kd2M1Ta
I flashed a bunch of ROMs. Here is a list of some of the file names:
Poison ROM - https://forum.xda-developers.com/an...mputers/amlogic/t95z-plus-poison-rom-t3751720
T95ZPLUS_q200_9377_customV3.2
atvXperience_v2F_s912
s912_atvXperience_v2FF
T95U PRO_S912_02012017_
v1016-EB-AGCF-LPDDR3-2G
Sorry that I didn't keep great notes on what I flashed, but hey, once you start flashing it is just so easy to try another one.
Anyway, several of the ROMs said they were for the AP6255 chipset and ALL of the ROMs do the same thing where the WiFi just won't turn on.
Now I am not an expert on this, so I don't know:
Can you confirm - Is this a Sunvell?
Is the wifi chipset an AP6255?
What else should I try? I wandered into a T95U ROM... should I wander further and look for Beelink or other manufacturers' ROMs that show the AP6255?
Is there any other tool or APK that can be flashed after ROM install to query the hardware config or add chipset support?
Open to ideas.
Thanks!
wantpizza said:
. . . .
The problem is that flashing multiple ROMs can sometimes leave remnants behind and mess things up. Or you flashed an incompatible ROM that hosed up the EEPROM. The first thing I'd suggest trying is to go back to square one by flashing the proper stock ROM back onto the device using the USB Flash Tool, and be sure to select "Force Erase All" when doing it. I've run into the same problem on multiple occasions and flashing stock always seems to get me back up and running again.
If that doesn't work, then you'll probably need to crack it open and reset the EEPROM by shorting out the pins in order to get it into a state where it'll overwrite the incorrect code. To do that, make sure the USB Burning Tool is running and the USB cable is plugged in so you know when it's been triggered. Then run a paperclip along the pins of the chip until it trips and shows back up in the tool. That will put it into programming mode so you can re-flash the ROM again completely.
Link to 2/16 STOCK FW: https://mega.nz/#F!YJ0nTC4Z!qBz6gmJCjwHn0HtlVe2apw
Link to 3/32 STOCK FW: https://goo.gl/RG92GR
Good luck!
Thanks for the reply.
I am downloading the 2G version now. I will try a force flash as suggested.
A couple of questions: when a ROM leaves remnants, what are the other symptoms? I thought that lots of problems appear when the flash is "dirty"?
Anyway - I will flash this version when Mega lets me finish the download.
If I have to move on to step two and short the EEPROM, which chip in my pictures is that?
Thanks again!
AthieN said:
. . . .
....
Okay, well, I force flashed the referenced ROM and even another "Factory" ROM supposedly for the 6255 WiFi chipset. No go.
They both still seem to work fine, but no WiFi.
So any hints on resetting the EEPROM?
Thanks again,
wantpizza said:
. . . .
Very strange. It almost sounds like your WiFi radio is malfunctioning. If that's the case, then there's really not much you'll be able to do to fix it unfortunately...
One thing you can do to verify, is to grab a file manager like FX, go into /system/etc/wifi and verify that the 6255 directory exists. If it does, then it's probably just the radio. You'll need to be rooted to do the above though. Also, grab a terminal emulator, 'su -' to root, and run a 'dmesg |grep eth' and 'dmesg |grep wifi' and see what it says. You might be able to figure some stuff out based on the output... Are you 100% sure you have the 6255 radio?
As for the EEPROM, it's pretty dangerous to do that, but if you really want to try, just do what I mentioned earlier. Crack open the device, plug it into power and USB, and then run a paperclip along the posts, shorting them out until the device resets and shows back up in the USB Burning Tool...
Okay, flashed just about as many variations as I could find. I tried your trick of looking for a folder inside /system/etc/wifi and did confirm there is a directory labelled 6255 and it has some files in it. I will try to run a couple of grep commands too and post what I find. But I am starting to feel that the actual chip is faulty.
After further thought, I am not really wanting to do a dangerous step to reset an EEPROM when it might turn this from a device without WiFi into a device that does nothing.
Still curious: looking at the pictures I posted to begin with, is anyone sure that the chipset is the AP6255? Does this chipset do both the Cat5 and WiFi networking? Or is there yet another chip that does the Cat5 networking? (I know there are better words for this, just can't think of them right now.)
Anyway, anyone have any other thoughts? I already explained to my friend that this one looks like a hardwired-only device, so I am putting it back together.
Thanks again,
You're beating a dead horse thinking some magic ROM you flash will fix it, when it's clear the source of the problem is the common denominator of WiFi being hosed on all of them. Especially since you said you installed ROMs that supported your AP6255 WiFi chip (as your board pic makes clear) where everything else worked except the WiFi.
You need to grep for the WiFi network errors as AthieN spelled out in his initial reply.
wantpizza said:
. . . .
Thanks for the other hint on running the grep command.
I tried and tried to copy this a better way, but short of retyping it word for word, a picture was the best I could do.
https://imgur.com/a/oZxojmU
I don't read many reports from a grep command, but it is interesting: on one of the lines it reports "No power on pin 2".
Not sure if it simply is that the chip wasn't soldered in correctly?
Anyway - that is the update. Any thoughts or things to try before I give up are appreciated.
Regards,
el80ne said:
. . . .
Sorry, didn't read this before my post, but don't worry, I am with ya. I had a suspicion from the start. But there is lots of "wizardry" in these forums, so it was worth a post.
Thanks everyone.
The good news is that it looks like your kernel isn't finding the right wifi driver on boot which is why it's shutting down. That means there actually might be a ROM version out there that supports your device. But maybe it just doesn't know where to look.
The name of your modular driver for the AP6255 is dhd.ko.
Try loading it manually from command line as root.
# modprobe dhd
See if you can find dhd.ko in your filesystem somewhere under /lib/modules.
If you can't, then try and find a ROM that has your WiFi driver module on it, called dhd.ko.
Update: Just saw there's a more updated Qualcomm driver called qca9377.ko, so try to load that module, or see if the file qca9377.ko exists under /lib/modules.
# modprobe qca9377
wantpizza said:
. . . .
Okay, well, good news, bad news?
I tried to load each of those other drivers:
Code:
# modprobe qca9377
modprobe: can't change directory to '/system/lib/modules': No such file or directory
# modprobe dhd
modprobe: can't change directory to '/system/lib/modules': No such file or directory
Now I need to find some other rom that has those drivers?
Or can I just find those files and place them in that file directory? Anywhere I can just get the driver?
Thanks again,
Okay, newest update.
I searched and there was no folder named 'modules' in /system/lib.
So I created that folder and I copied dhd.ko into that folder. (I searched for the newer qca9377 but I couldn't find it.)
Now if I type modprobe dhd in the terminal as su I get
Code:
# modprobe dhd
modprobe: can't open 'modules.dep': No such file or directory
Oh, and newest wrinkle: somehow I installed something that pops a Durex condom ad on top of everything about every 45 seconds. What is the easy way to find the offending APK? I tried to long-click so I could find the properties or something, but nothing is working. The only thing open is this terminal emulator??
Anyway, that is the latest.
Thanks again,
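The diagnostics suggested earlier in this thread by AthieN (dmesg | grep wifi and grep eth) and el80ne (look for dhd.ko or qca9377.ko and modprobe it), together with the modules.dep failure in the post just above, as one added example that is not code from any of them: it buckets a constructed dmesg excerpt, flags lines that say the radio could not be powered on, and looks for the module file under a list of candidate directories (the list is an assumption), reporting whether modprobe can work (it needs a modules.dep index next to the module) or whether insmod with the full path is the fallback. The temporary module directory it builds holds an empty dhd.ko stand-in, not a real driver; a real .ko must be built for the running kernel or the load fails with a version mismatch.

```python
import os
import re
import tempfile

# Constructed dmesg excerpt for this example; real lines vary by kernel and ROM.
SAMPLE_DMESG = """\
[    2.101] dwc3 c9000000.dwc3: host mode
[    3.455] meson-mmc: sdio wifi interface probed
[    3.470] dhd_module_init: in
[    3.480] wifi: No power on pin 2
[    3.481] dhd: failed to power up the radio, ret=-1
[    4.010] eth0: link is not ready
[    9.200] eth0: link up, 100Mbps, full-duplex
"""

WIFI_RE = re.compile(r"wifi|wlan|dhd|qca9377|sdio|brcm", re.IGNORECASE)
ETH_RE = re.compile(r"\beth\d", re.IGNORECASE)
POWER_FAIL_RE = re.compile(r"no power|failed to power", re.IGNORECASE)


def triage_dmesg(text):
    """Bucket dmesg lines the way `dmesg | grep wifi` and `grep eth` would,
    and pull out lines saying the radio could not be powered on. A power-on
    failure points at the hardware or its supply rather than at a driver
    that merely has not been loaded."""
    hits = {"wifi": [], "eth": [], "power_failures": []}
    for line in text.splitlines():
        if WIFI_RE.search(line):
            hits["wifi"].append(line)
            if POWER_FAIL_RE.search(line):
                hits["power_failures"].append(line)
        elif ETH_RE.search(line):
            hits["eth"].append(line)
    return hits


# Directories where Android builds commonly keep loadable modules (assumed list).
MODULE_ROOTS = ("/system/lib/modules", "/vendor/lib/modules", "/lib/modules")


def locate_module(name, roots=MODULE_ROOTS):
    """Find <name>.ko under the candidate roots and say how it can be loaded.

    modprobe resolves a module name through modules.dep in the module
    directory and fails with "can't open 'modules.dep'" when that index is
    missing; insmod takes the file path directly and needs no index.
    Returns None when the module is not present at all.
    """
    target = name + ".ko"
    for root in roots:
        for dirpath, _, files in os.walk(root):
            if target in files:
                path = os.path.join(dirpath, target)
                has_dep = os.path.isfile(os.path.join(root, "modules.dep"))
                return {
                    "path": path,
                    "has_modules_dep": has_dep,
                    "load_cmd": ("modprobe %s" % name) if has_dep else ("insmod %s" % path),
                }
    return None


def make_sample_root(with_dep):
    """Build a throwaway module directory holding an empty dhd.ko (a constructed
    stand-in, not a real driver) and optionally a modules.dep index."""
    root = os.path.join(tempfile.mkdtemp(prefix="modroot-"), "lib", "modules")
    os.makedirs(root)
    open(os.path.join(root, "dhd.ko"), "wb").close()
    if with_dep:
        with open(os.path.join(root, "modules.dep"), "w") as f:
            f.write("dhd.ko:\n")
    return root


if __name__ == "__main__":
    # On the box: triage_dmesg(subprocess.run(["dmesg"], capture_output=True, text=True).stdout)
    hits = triage_dmesg(SAMPLE_DMESG)
    for line in hits["power_failures"]:
        print("radio power failure:", line)
    sample_root = make_sample_root(with_dep=False)
    for name in ("dhd", "qca9377"):
        print(name, "->", locate_module(name, roots=(sample_root,)))
```

If the power-failure bucket is non-empty, loading a different module will not help; that is the hardware case the thread ends up at. If it is empty and the module is present but modules.dep is not, loading with insmod and re-checking dmesg tells you whether the driver itself was the problem.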
I have the same issue; did you ever resolve it?
Me too, has anyone resolved it?
Mecool KM2 - Root
Hi
Is there any chance of a TWRP or root method for this Widevine-certified Mecool device? Are TWRP, root and MagiskHide possible?
Looking for someone who can help me root this device.
Code:
CPU: Amlogic S905X2 Quad Core ARM Cortex A53
GPU: ARM Mali-G31 MP2
OS: Android 10.0 ATV
Memory: DDR4 2GB, eMMC 8GB
Review: https://www.wirelesshack.org/review-mecool-km2-android-10-tv-box-2gb-ram-s905x2-cpu.html
LifelessLife said:
. . . .
I don't think this will happen. This box is certified by Netflix.
Once you can root it, Mecool will lose the Netflix certification and most probably Mecool won't get certification in the future.
Noter2017 said:
. . . .
That's not true. Nvidia Shield is rooted, doesn't mean they cannot get future certifications.
rajricardo said:
. . . .
Can you name another box?
The Shield is a complete exception. Not even the certified Xiaomi boxes can be rooted, even though they have a huge community.
Mecool also has to be super careful. Not that long ago they were selling boxes with fake/illegal certificates that could play Netflix in HD. Netflix blocked all of these boxes at some point.
Hi All,
I'm fairly new to this Android TV scene, but have been following these discussions for a couple of months now. I'm a hardware guy, so I picked up a couple of these units and dissected one, i.e. took off the CPU and eMMC.
I'm still not quite understanding what exactly is happening with 'unlocking' bootloaders and how this Amlogic 'TEE' environment fully works; maybe you all can help me out a bit.
But I did want to share that I see we can still USB boot this thing and use the Amlogic burning tool to at least rewrite an image to the flash; the 'boot_5' pin is shown in the attached pics.
You can catch it from that via (or trace) in the pic, and just touch it to GND while powering on the unit, and it goes into USB boot via the Amlogic ROM; the WorldCup device comes up and you can indeed use the burning tool.
I also dumped the eMMC flash if anyone wants it. I'm not sure if that helps for being able to root it though; that's where I need some help understanding. I realize there are BL1, BL2 and BL3 boot stages; BL2 & BL3 I believe are the 'boot.img' and 'bootloader.img' that are present in the flash? Is that right?
I can put the eMMC dump up on a mega.nz link if anyone wants it, but wasn't sure if it matters.
Principal-McVicker said:
But I did want to share that I see we can still USB boot this thing,
By "USB boot" do you mean actually boot operating system files from USB, or do you mean just the ability to obtain a burn mode (WorldCup) connection over USB?
Principal-McVicker said:
I'm still not quite understanding what exactly is happening with 'unlocking' bootloaders,
Skyworth has modified u-boot (BL33) for this device such that u-boot won't recognize an unlocked status for the bootloader.
Principal-McVicker said:
use the Amlogic burning tool to at least rewrite an image to the flash...
For the above reason (no recognition of an unlocked status), flashing images that are not unmodified stock will fail verification and not boot.
Principal-McVicker said:
I also dumped the eMMC flash if anyone wants it.
What version does it contain?
Hi,
So hopefully this will clarify a bit... the AmLogic S905X2/X3 uses the 'boot4/boot5/boot6' pins for the power-on boot order (power-on config) pins... these are shared pins, that are also DAT4, DAT5, DAT6 (data bits 4,5,6) for the emmc interface.
So internally the amlogic has boot4/5/6 pulled up, i.e. '111' for the boot order. When you pull boot5 low, it goes 101, i.e. USB first.... this is essentially what this is doing, so the amlogic bootRom is now in USB boot first, versus emmc.
(I'm assuming you can prob. also do this by just shorting any of the emmc data bits to gnd (versus just bit 5), cause corruption, and it should also fail over to usb..)
I haven't tried to actually flash any image yet, but at least I see the worldcup device, and connect with the burning tool...
so I'll attach the bootup log, as well as the 'build.prop' from the /vendor folder in the image... I think this should tell you what version it's running...
*** BTW: forgot to mention, most of these devices that have a 'recovery' button or hidden switch, seem to be using 'GPIOA0_3' pin, a GPIO pin... and it's coded into the AmLogic u-boot code as 'AMLOGIC_KEY' or something like that... so when you hold it... u-boot eventually sees it and halts, and starts up the usb device ***
This is much later than when doing the above, putting the CPU into usb-boot.. just FYI....
Another thing I wanted to mention, regarding the BL33 (which I now understand is u-boot), in the image dump, it starts at offset 0x200, and appears to probably be AES encrypted, there's not even a header on it?
I also took apart an X96 Max+ for comparison, since that box is pretty much open, and the flash image has u-boot unencrypted at the same location, and it starts with the @aml header...
I've been going through the AMLogic tools trying to understand where/how the encryption is done, but I don't understand yet how this BL33 is encrypted, and how BL32 knows what the keys are? and what's the difference from the X96 having u-boot unencrypted..
and in this one, the BL33 is encrypted? How did 'Skyworth' decrypt the bootloader to patch it?
(I'll follow-up with a mega.nz link with the mecool image once it finishes uploading)
Here's the full emmc dump:
734.74 MB file on MEGA
mega.nz
LifelessLife said:
Mecool KM2 - Root
Hi
Is there any change for TWRP or ROOT method for this Widevine certified Mecool device? Any TWRP,ROOT and MagiskHide are possible?
Looking for someone who help me root this device.
Code:
CPU: Amlogic S905X2 Quad Core ARM Cortex A53
GPU: ARM Mali-G31 MP2
OS: Android 10.0 ATV
Memory: DDR4 2GB, eMMC 8GB
Review: https://www.wirelesshack.org/review-mecool-km2-android-10-tv-box-2gb-ram-s905x2-cpu.html
Principal-McVicker said:
but at least I see the worldcup device, and connect with the burning tool...
Note that there are two types of worldcup connections. One is invoked entirely from bootrom, it is sometimes called usb download mode. It is sort of a DFU mode that has limited functionality.
In the uart console, a connection to this type of worldcup connection will look something like this;
Code:
G12A:BL:0253b8:61aa2d;FEAT:F2F939B2:32060;POC:F;RCY:0;EMMC:800;NAND:81;SD?:20000;USB:8
Note that nothing can be done using the burning tool, or the command-line update tool, with the above type of worldcup connection on the km2, due to download mode access being password protected on this device, notwithstanding the fact that the usb burning tool will report the connection.
The second type of worldcup connection is invoked from an application in u-boot named "update". This type of worldcup connection can work with the usb burning tool or the command-line update tool. There is no password protection. In the uart console, a connection to this type of worldcup connection will look something like this;
Code:
InUsbBurn
wait for phy ready count is 0
[MSG]sof
Set Addr 1
Get DT cfg
Get DT cfg
Get DT cfg
set CFG
Get DT cfg
Get DT cfg
Principal-McVicker said:
I've been going through the AMLogic tools trying to understand where/how the encryption is done, but I don't understand yet how this BL33 is encrypted, and how BL32 knows what the keys are? and what's the difference from the X96 having u-boot unencrypted..
Read all of the stuff at the following link, starting from oldest to newest;
Code:
https://fredericb.info/tag/amlogic.html
Principal-McVicker said:
How did 'Skyworth' decrypt the bootloader to patch it?
Maybe it is not most correct to call it a "patch". I use that terminology because that is what skyworth uses. You'll see something like this in the uart console;
Code:
[sk_patch,24]amlogic's uboot for Android10().date:Apr 8 2021
Starting the controller
USB XHCI 1.10
scanning bus 0 for devices... 1 USB Device(s) found
scanning usb for storage devices... 0 Storage Device(s) found
** Bad device usb 0 **
[sk_usb_cfg_init,422]load file "/skyworth/factory_mode/uboot/check_udisk.cfg" from u disk failed!
[sk_boot,182]general boot.
Whatever skyworth does to u-boot, it is done at the source level before the bootloader is compiled.
Principal-McVicker said:
most of these devices that have a 'recovery' button or hidden switch, seem to be using 'GPIOA0_3' pin, a GPIO pin... and it's coded into the AmLogic u-boot code as 'AMLOGIC_KEY' or something like that... so when you hold it... u-boot eventually sees it and halts, and starts up the usb device ***
This is much later than when doing the above, putting the CPU into usb-boot.. just FYI....
You can define the upgrade_key to be any gpio pin you like that is not otherwise used.
You can use GPIOA0_3, but I think skyworth also uses that for some usb power mode. I think I used GPIOA0_5, which is one of the pins on the uninstalled infrared led near the micro sd slot.
The factory location for the reset button is a side mounted smd switch below the microsd slot (opposite side of the board). In the FCC photos this switch is actually installed along with some smd resistors near it. I never figured out what gpio pin it uses. But it could never work without being defined in the environment, which it is not!
What's your end goal here? Modifying the bootloader will be rough unless you can get the bootrom keys. If you don't modify the bootloader so that an unlocked status is recognized, you can't flash non-stock partitions.
If you just want root, that can be done with a workaround. If you want to use the device to boot an alternate operating system, this probably can be done, with a workaround.
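An added example (not code from this thread or from any Amlogic tool) that parses the bootrom banner format shown above and tells the two worldcup connection types apart from a uart capture; the sample captures are constructed, and treating "banner is the last line seen" as the bootrom never having handed off to u-boot is an assumption.

```python
import re

# Constructed uart console captures modelled on the two worldcup connection
# types described above (sample text, not real captures from a KM2).
BOOTROM_CAPTURE = [
    "G12A:BL:0253b8:61aa2d;FEAT:F2F939B2:32060;POC:F;RCY:0;EMMC:800;NAND:81;SD?:20000;USB:8",
]
UBOOT_UPDATE_CAPTURE = [
    "[sk_boot,182]general boot.",
    "InUsbBurn",
    "wait for phy ready count is 0",
    "[MSG]sof",
    "Set Addr 1",
    "Get DT cfg",
]

# A bootrom banner is a ';'-separated list of KEY:VALUE fields whose first
# field names the SoC family followed by "BL:<hex>:<hex>" (e.g. "G12A:BL:...").
FIRST_FIELD_RE = re.compile(r"^[A-Z0-9]+:BL:[0-9a-fA-F]+:[0-9a-fA-F]+$")


def parse_bootrom_banner(line):
    """Return the banner's fields as a dict, or None if the line is not a banner."""
    items = line.strip().split(";")
    if not FIRST_FIELD_RE.match(items[0]):
        return None
    fields = {}
    for item in items:
        key, _, value = item.partition(":")  # "SD?:20000" -> ("SD?", "20000")
        fields[key] = value
    return fields


def classify_worldcup(lines):
    """Classify which worldcup connection a uart capture shows.

    'uboot-update'     : the u-boot "update" application ran (InUsbBurn);
                         burning tool / update tool work, no password.
    'bootrom-download' : usb download mode invoked entirely from bootrom;
                         limited, and password protected on the KM2.
    None               : neither marker identified.
    """
    stripped = [l.strip() for l in lines if l.strip()]
    if "InUsbBurn" in stripped:
        return "uboot-update"
    # Assumption: if the banner is the last thing printed, bootrom stayed in
    # download mode instead of handing off to u-boot.
    if stripped and parse_bootrom_banner(stripped[-1]) is not None:
        return "bootrom-download"
    return None
```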
G12A:BL:0253b8:61aa2d;FEAT:F2F939B2:32060;POC:F;RCY:0;EMMC:800;NAND:81;SD?:20000;USB:8
Note that nothing can be done using the burning tool, or the command-line update tool, with the above type of worldcup connection, notwithstanding the fact that the usb burning tool will report the connection.
Heya,
Just wanted to clarify on this... that is the USB connection right from bootROM that I get... and the burning tool would work if I had the bootrom pwd, as this unit reports PWD is needed...
I just did this last night on a 'banana pi M5', which does not have a pwd locked bootrom, and I did the usb burn from this boot method, as it did not have any code on it whatsoever prior to me loading it....
Thanks for all of the info BTW, I'll read over it all, what I really wanted to know about was how that BL33 was encrypted... I'll get back if I have more questions, but I really appreciate all the info
My end goal was really just to understand what all of you already knew, I just couldn't get my head around all of it... I wanted to either just load another OS on this entirely, or figure out a way to hack the bootloader....
Principal-McVicker said:
Just wanted to clarify on this... that is the USB connection right from bootROM that I get... and the burning tool would work if I had the bootrom pwd, as this unit reports PWD is needed...
Right, in order to use usb download mode, you need the password (if one is employed).
But this is a very odd use case of a worldcup connection. Unheard of for end-user use.
End users use the reset button, which runs the u-boot "update" application to establish a more robust worldcup connection that can flash and read, and even run u-boot shell commands, without any password.
yeah, so I've been looking at compiling source, as it's all up there for the banana pi, so I can play with all the pieces..
Is this skyworth info up in another thread here on this site?
Also, how did he actually write this re-compiled BL33 to the device? Did he re-program the flash and re-mount it, or just tap the lines and program in place?
Or, I'm taking a guess he may have used the unsigned loader exploit? I'm guessing that may not be patched in current bootROMs? or at least not all of them?
Principal-McVicker said:
these devices that have a 'recovery' button or hidden switch, seem to be using 'GPIOA0_3' pin, a GPIO pin...
goapy said:
The factory location for the reset button is a side mounted smd switch below the microsd slot (opposite side of the board). In the fcc photo's this switch is actually installed along with some smd resistors near it. I never figured out what gpio pin it uses. But it could never work without being defined in the environment, which it is not!
Since you have an extra km2 with the x2 SoC removed, can you trace back the factory reset button traces to the gpio location on the SoC?
I tried finding it by shorting the traces, and using u-boot's gpio command to see which pins had a status change, but I still couldn't find which gpio pin is being used by the factory reset switch location.
Principal-McVicker said:
Here's the full emmc dump:
734.74 MB file on MEGA
mega.nz
Thanks for this. This contains version;
MECOOL/HP4035-Mecool/LAS:10/QTT5.200819.003/C2.0.6_20210723:user/release-keys
Although over a year old, it is 4 months newer than what I had.
Since you have an extra km2 with the x2 SoC removed, can you trace back the factory reset button traces to the gpio location on the SoC?
I tried finding it by shorting the traces, and using u-boot's gpio command to see which pins had a status change, but I still couldn't find which gpio pin is being used by the factory reset switch location.
Sure thing... I'll do this tonight when I get back home from work, no problem at all...
I think the first step I'd like to try with this thing is just get root? if possible... or at least do something fun to it...
(best way to try and really get a better understanding of this arm tee is to work on a fully locked implementation like this one)
Principal-McVicker said:
I think the first step I'd like to try with this thing is just get root? if possible... or at least do something fun to it...
Since doing this is a rather technical process and requires verbose instructions, I'll send the details via direct message.
Principal-McVicker said:
(best way to try and really get a better understanding of this arm tee is to work on a fully locked implementation like this one)
It might help to turn on full log level console output for the stock build. Then at least you'll see all of the tee interactions during bootup.
goapy said:
Since doing this is a rather technical process and requires verbose instructions, I'll send the details via direct message.
It might help to turn on full log level console output for the stock build. Then at least you'll see all of the tee interactions during bootup.
Heya, Ok... that would be great if you could PM me whatever you can help with...
I double-checked myself, as I thought maybe I missed a u-boot console, but I don't see one on this thing, I don't see any way for it to break into u-boot or any stage while it's booting up? nothing I hammer on the keyboard stops the process from what I can tell?
So, I was trying to identify which pads you are saying are for the smd switch.. but I wasn't totally sure, figured it would be faster to just post the top/bottom pics from that side, and you just circle the spot you want me to trace out?
(FYI, I took down my mega.nz link for the dump, since it sounds like you pulled it down, I hate leaving that stuff up for long unless someone else needs it, they can always PM me)
See attached image. The purple arrow identifies the pad that I want to trace.
But I just remembered that it is difficult to trace because it goes to a via to the opposite side of the board underneath the card slot.
I don't want to make work for you, I was just curious.