Skyworth hp4024 (hp40a)


kalehrl

Senior Member
Nov 22, 2017
778
330
Suppose we manage to decrypt the bootloader and have the official ota.zip. What would the next steps be?
 

Stefan781

New member
May 18, 2022
2
0
I tried to decrypt but this problem occurs.
IMG_20220805_125651.jpg
 

Kubanac

Member
Oct 19, 2007
15
1
Because I now have direct access to the emmc through an external reader, I can extract the system and vendor partitions from the dump, unpack them, make some changes (change the launcher, enable developer options), repack and flash them back to test.
If you guys want to help, I will send you a dump.
Note that my device runs android 9 not 10.
 

kalehrl

Senior Member
Nov 22, 2017
778
330
You will brick the box that way. Verified boot is active and when partition hashes don't match, the box won't boot. I tried it and bricked it. The only way seems to be to decrypt the bootloader but password is required 😕 😔
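As an added illustration of the point above (this is not code from the thread, nor the Skyworth or Amlogic implementation), the script below models what a verified-boot check does with a partition image: it hashes every 4 KiB block with sha256 and derives one root digest from the list of block digests, which stands in for the value the bootloader trusts. Real Android Verified Boot uses a salted dm-verity hash tree whose root lives in a signed vbmeta descriptor, so this is a simplification; the block size, the image names and the sample image are assumptions constructed for the demo. Repacking system or vendor changes at least one block, the root no longer matches, and the bootloader refuses the partition, which is the brick described in the post.

```shell
#!/bin/sh
# Added example, not from the thread: a simplified model of a verified-boot
# partition check. Real AVB/dm-verity uses a salted hash tree plus a signed
# vbmeta descriptor; here each 4 KiB block is hashed with sha256 and the
# concatenated block digests are hashed into one root digest.
set -eu

BLOCK=4096   # assumed block size (dm-verity's default data block size)

# block_digests IMG -> one sha256 hex digest per BLOCK-sized block of IMG
block_digests() {
  size=$(wc -c < "$1" | tr -d ' ')
  n=$(( (size + BLOCK - 1) / BLOCK ))
  i=0
  while [ "$i" -lt "$n" ]; do
    dd if="$1" bs="$BLOCK" skip="$i" count=1 2>/dev/null | sha256sum | cut -d' ' -f1
    i=$((i + 1))
  done
}

# root_digest IMG -> sha256 over the concatenated block digests; this plays the
# role of the value a bootloader keeps in its trusted (signed) metadata
root_digest() {
  block_digests "$1" | tr -d '\n' | sha256sum | cut -d' ' -f1
}

# verify_partition IMG TRUSTED_ROOT -> exit 0 if IMG still matches, 1 if not
verify_partition() {
  [ "$(root_digest "$1")" = "$2" ]
}

# first_bad_block IMG TRUSTED_DIGEST_LIST -> prints the index of the first block
# whose digest differs from the saved list (prints nothing if all blocks match)
first_bad_block() {
  block_digests "$1" | paste -d' ' - "$2" | awk '$1 != $2 { print NR - 1; exit }'
}

# demo: a constructed sample image (not a real dump), then a one-byte "repack"
demo() {
  t=$(mktemp -d)
  dd if=/dev/zero of="$t/vendor.img" bs="$BLOCK" count=8 2>/dev/null
  trusted=$(root_digest "$t/vendor.img")
  block_digests "$t/vendor.img" > "$t/trusted.list"
  verify_partition "$t/vendor.img" "$trusted" && echo "pristine image: boot allowed"
  # change a single byte inside block 5, as any repacked partition would
  printf 'X' | dd of="$t/vendor.img" bs=1 seek=$((5 * BLOCK + 17)) conv=notrunc 2>/dev/null
  verify_partition "$t/vendor.img" "$trusted" || echo "modified image: boot refused (root mismatch)"
  echo "first mismatching block: $(first_bad_block "$t/vendor.img" "$t/trusted.list")"
  rm -rf "$t"
}

demo
```

Run it as `sh verify_model.sh`; the only files it touches are the temporary ones it creates. The useful part for anyone comparing a repacked image against the original is `first_bad_block`, which tells you where the two diverge instead of just that they do.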
 

Kubanac

Member
Oct 19, 2007
15
1
You will brick the box that way. Verified boot is active and when partition hashes don't match, the box won't boot. I tried it and bricked it. The only way seems to be to decrypt the bootloader but password is required 😕 😔
Can we use a bootloader from another s905x2 device?
How do Aidan's roms work on most of these devices?
 

kalehrl

Senior Member
Nov 22, 2017
778
330
I tried to decrypt but this problem occurs.
View attachment 5678365
I found this post:
This method seems to be a dead end.
 
D

Deleted member 11959327

Guest
I tried to decrypt but this problem occurs.

When usb download mode is protected by a password, the bootrom dumping script won't work. Most certified devices do protect usb download mode with a password.

Skyworth devices do use fatload during every boot to check for files on usb devices:

Starting the controller
USB XHCI 1.10
scanning bus 0 for devices... 2 USB Device(s) found
scanning usb for storage devices... init_part() 282: PART_TYPE_DOS
1 Storage Device(s) found
** Unable to read file /skyworth/factory_mode/uboot/check_udisk.cfg **
[sk_usb_cfg_init,422]load file "/skyworth/factory_mode/uboot/check_udisk.cfg" from u disk failed!

The recent exploit for the Google Nest Hub (2nd Gen) uses a fatload exploit that allows arbitrary code execution. It's possible that this exploit could be leveraged to dump the bootrom on these skyworth devices, but it would be a lot of work.
 
D

Deleted member 11959327

Guest
Because I now have direct access to the emmc through an external reader, I can extract the system and vendor partitions from the dump, unpack them, make some changes (change the launcher, enable developer options), repack and flash them back to test. Note that my device runs android 9 not 10.

It's true that changing any of the system partitions is unlikely to work and is difficult to reverse.

However, since you have a full emmc dump with a working OS, you can always start over by writing back the whole emmc image. So, this gives you more flexibility to try risky things.

Would you post details about which reader you use and how you connect it to the board?
 

Kubanac

Member
Oct 19, 2007
15
1
Verified boot is active and when partition hashes don't match, the box won't boot.

It's true that changing any of the system partitions is unlikely to work and is difficult to reverse.

However, since you have a full emmc dump with a working OS, you can always start over by writing back the whole emmc image. So, this gives you more flexibility to try risky things.

Would you post details about which reader you use and how you connect it to the board?
Desolder, put it on an external reader. Reball, solder. Advanced soldering and reballing skills are needed, plus a hot-air station, a soldering station and any emmc-capable reader.
20220806_013404.jpg
 
D

Deleted member 11959327

Guest
Desolder, put it on an external reader. Reball, solder. Advanced soldering and reballing skills are needed, plus a hot-air station, a soldering station and any emmc-capable reader.

Good job, but that is an awful lot of work. I have a hot air gun but none of the rest of that stuff.

A while back I was thinking of connecting a header so that it could be repeatedly done quickly in circuit.

I popped off the emmc from a board, just to get the trace locations. It shouldn't take more than connections to vcc, vccq, gnd, dat0, cmd, and clk. Although with only one data line it would be slow going.

But later I discovered the short method for the emmc, and also that even if the emmc becomes unbootable, it will boot from the sd card instead (if the sd card contains a dd copy of the mmcblk0 block).

Then, after booting from the sd card, I could just copy the mmcblk0 image back to the emmc, which is pretty much the same as writing the entire emmc directly.

So, I didn't think it was worth the effort to wire up in circuit access to the emmc, but others here might still find it useful.

sw-board.jpg
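The SD-card route described in this post (a raw dd copy of mmcblk0 onto the card, then copying the image back) and the "dd from block device to block device" advice given later in the thread, written out as an added example that is not from the thread: raw sector copies with dd, each followed by a digest check of the copied region. It only operates on sample image files it creates, so it can be run safely; for a real card or the emmc you would pass the block devices instead, and those device paths are the caller's responsibility. Whether the bootloader region belongs at offset 0h or 200h is device-specific and is left as a parameter; the sector counts, the assumption that dump and card share the same layout, and the sample images are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: raw sector-level copies with dd, as used
# for an SD-card copy of mmcblk0 or for restoring a bootloader region, with a
# digest check after each copy. It only ever touches the sample image files it
# creates; block devices such as /dev/mmcblk0 or /dev/sdX are the caller's
# responsibility (an assumption, not a value from the thread).
set -eu

SECTOR=512

# copy_raw SRC DST SRC_SKIP DST_SEEK COUNT
#   Copies COUNT sectors starting at sector SRC_SKIP of SRC to sector DST_SEEK
#   of DST. conv=notrunc leaves the rest of DST untouched, which is what makes
#   "block device to block device" copies safe for the parts you did not mean
#   to overwrite (for example an existing partition table in sector 0).
copy_raw() {
  dd if="$1" of="$2" bs="$SECTOR" skip="$3" seek="$4" count="$5" conv=notrunc 2>/dev/null
  sync
}

# region_sha256 DEV SKIP COUNT -> sha256 of COUNT sectors starting at sector SKIP
region_sha256() {
  dd if="$1" bs="$SECTOR" skip="$2" count="$3" 2>/dev/null | sha256sum | cut -d' ' -f1
}

# verify_copy SRC DST SRC_SKIP DST_SEEK COUNT -> exit 0 if both regions are identical
verify_copy() {
  [ "$(region_sha256 "$1" "$3" "$5")" = "$(region_sha256 "$2" "$4" "$5")" ]
}

# bootloader_to_card DUMP CARD OFFSET_HEX COUNT
#   Copies the bootloader region (sectors up to COUNT of DUMP) onto CARD so that
#   it starts at byte offset 0x$OFFSET_HEX on both sides; the thread's two
#   candidates are 0 and 200. With 200 the copy starts at sector 1, so sector 0
#   of the card (its MBR) is preserved. This assumes dump and card share the
#   same layout; which offset a given SoC's boot ROM expects is not something
#   this example knows.
bootloader_to_card() {
  start=$(( 0x$3 / SECTOR ))
  copy_raw "$1" "$2" "$start" "$start" "$(( $4 - start ))"
  verify_copy "$1" "$2" "$start" "$start" "$(( $4 - start ))"
}

# demo with constructed sample files: a 64-sector "emmc dump" and a 128-sector
# "card" whose sector 0 carries a marker standing in for a partition table
demo() {
  t=$(mktemp -d)
  dd if=/dev/urandom of="$t/emmc.img" bs="$SECTOR" count=64 2>/dev/null
  dd if=/dev/zero of="$t/card.img" bs="$SECTOR" count=128 2>/dev/null
  printf 'FAKE-MBR' | dd of="$t/card.img" conv=notrunc 2>/dev/null
  bootloader_to_card "$t/emmc.img" "$t/card.img" 200 64 && echo "bootloader copied at 0x200 and verified"
  [ "$(dd if="$t/card.img" bs=8 count=1 2>/dev/null)" = "FAKE-MBR" ] && echo "card sector 0 preserved"
  rm -rf "$t"
}

demo
```

The digest check after every copy is the part worth keeping when you move to real devices: a dd that silently stops short (wrong count, a card that is smaller than the dump) looks identical to a successful one until the box fails to boot, and `verify_copy` catches that before you power the device.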
 

iAbdul

Member
Feb 9, 2022
6
0
Hi,

Good to see you making progress in here.

I have the same model which is HP4105-Intigral branded by "stc tv" and I want to contribute.

The box is useless without the freedom to install any apps we want. In an earlier software version I was able to uninstall AppWatch so the apps I installed didn't get removed, and I enabled Developer Mode back then. After the last software update, AppWatch got installed again and I can't uninstall it anymore.

Fortunately, I still have Developer Mode and ADB enabled, so I can go to recovery and fastboot mode, but I ran into another problem: the USB port is disabled in fastboot, so I can't flash anything. I thought it was because of the drivers, but it wasn't, because I tried in Linux and it didn't work.

Are there any approaches to make it happen?
 
D

Deleted member 11959327

Guest
I have the same model which is HP4105-Intigral branded by "stc tv"

The jawwy build runs android 10 so temporary ram root is possible as explained earlier. It is not possible for boxes running android 9.

Fortunately, I still have Developer Mode and ADB enabled, so I can go to recovery and fastboot mode, but I ran into another problem: the USB port is disabled in fastboot, so I can't flash anything. I thought it was because of the drivers, but it wasn't, because I tried in Linux and it didn't work.

Most likely it is the otg_device setting. 0 is host, 1 is slave.

Unfortunately it will probably require shorting the emmc to change the setting.
 
D

Deleted member 11959327

Guest
Has anyone found the eMMC short pin?

See here. But it takes trial and error to get a good burn mode connection on any given attempt. Sometimes the short will result in a dfu (usbdl mode) connection, which won't work. So you may need to try repeatedly to get a working burn mode connection by tapping the points during the early boot process.
 

Top Liked Posts

  • 2
    D
    Deleted member 11959327
    This means that the bootloader is corrupted.

    Did you try to flash an alternative bootloader? An alternative bootloader can't work because it will either be encrypted differently, or not encrypted at all, which means that the encryption won't match the original bootloader.

    It can be fixed by copying the original bootloader to a micro sd card, not as a file, but as a raw device.

    Using dd in linux would work. From block device to block device. Do you know how to do this?

    Which device is this again?
    2
    D
    Deleted member 11959327
    It's still recognized by the usb burning tool. If I could make a rom img from the super backup it would be great.
    It won't work because that is the password protected type of worldcup connection. There are two types of worldcup connections. For this device, only the second type (with the uart response shown) can work because of the password protection.

    I've used this method, so I know that it works. Did you have the bootloader start at 0h offset or 200h offset?

    To be sure, you can dump the whole emmc to a micro sd card.
    1
    D
    Deleted member 11959327
    My device has been bricked. If you know how to build a rom img from the dumped super rom img, I might get back to developing on this device again.

    What is seen in the uart log?

    Any partitions you saved with the update tool can be written back with the update tool, including super.

    If the bootloader is corrupted, you'll have to use other methods.

    Whatever is shown in the uart log will tell you what is wrong.
    1
    Anybody found a way to install apps on this thing? Or at least unlock dev options?
    1
    Anybody found a way to install apps on this thing? Or at least unlock dev options?
    I managed to access the browser, but that's about it.
  • 2
    Hi guys. I have a Skyworth hp4024 (hp40a) which is the same as Strong Leap-s1 or Mecool KM2. It is probably based on s905x2 and the RAM is DDR4 - at least that's what the system info on the box says. I got it from my iptv provider but I can't get out of a factory launcher so the box is useless except for iptv. There is no reset button, developer options can't be enabled because it says 'developer options are not available for this user' so I can't connect to it via adb. Can you help me figure out short pins on the box? I tried shorting some but the box wasn't recognised in the burning tool.

    PXL_20220402_084741661.jpg PXL_20220402_084704078.jpg
    1
    For factory reset, unpack this folder on a flash drive and plug it into the box. Reboot it and it should reset.