Skyworth hp4024 (hp40a)


kalehrl (Senior Member, Nov 22, 2017)
Suppose we manage to decrypt the bootloader and have the official ota.zip. What would the next steps be?
 

Stefan781 (New member, May 18, 2022)
I tried to decrypt but this problem occurs.
IMG_20220805_125651.jpg
 

Kubanac (Member, Oct 19, 2007)
Because I now have direct access to the emmc through an external reader, I can extract the system and vendor partitions from the dump, unpack them, make some changes (change launcher, enable developer options), repack and flash it back for test.
If you guys want to help I will send you a dump.
Note that my device runs Android 9, not 10.
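Added example, not code from this thread or from any of the posters: the first thing you need from a raw emmc dump is where "system" and "vendor" actually start and end, and that comes from the GPT at LBA 1. The parser below checks both GPT CRC32s so a truncated or half-corrupted dump is reported instead of silently giving wrong offsets. It assumes 512-byte sectors, reads only the primary header (the backup GPT at the end of the device is ignored), and the image it is exercised on is constructed in-memory by build_sample_image, so nothing here comes from a real Skyworth dump.

```python
import struct
import uuid
import zlib

SECTOR = 512  # assumed logical block size of the emmc dump
GPT_HEADER_FMT = "<8sIIIIQQQQ16sQIII"   # 92-byte primary header at LBA 1
GPT_ENTRY_FMT = "<16s16sQQQ72s"         # 128-byte partition entry


def parse_gpt(image: bytes) -> list:
    """Return the non-empty entries of the primary GPT, or raise ValueError.

    Header CRC and partition-table CRC are both verified, so a damaged dump
    fails loudly rather than yielding bogus partition offsets.
    """
    hdr_len = struct.calcsize(GPT_HEADER_FMT)
    hdr = image[SECTOR:SECTOR + hdr_len]
    if len(hdr) < hdr_len:
        raise ValueError("image too short for a GPT header")
    (sig, _rev, hsize, hcrc, _res, _cur, _backup, _first, _last, _guid,
     entries_lba, n_entries, entry_size, entries_crc) = struct.unpack(GPT_HEADER_FMT, hdr)
    if sig != b"EFI PART":
        raise ValueError("no GPT signature at LBA 1")
    full_hdr = image[SECTOR:SECTOR + hsize]
    zeroed = full_hdr[:16] + b"\0\0\0\0" + full_hdr[20:]  # CRC is computed with its own field zeroed
    if zlib.crc32(zeroed) != hcrc:
        raise ValueError("GPT header CRC mismatch")
    start = entries_lba * SECTOR
    table = image[start:start + n_entries * entry_size]
    if len(table) != n_entries * entry_size or zlib.crc32(table) != entries_crc:
        raise ValueError("GPT partition table CRC mismatch")
    parts = []
    for i in range(n_entries):
        entry = table[i * entry_size:(i + 1) * entry_size]
        type_guid, _part_guid, first_lba, last_lba, _attrs, name = struct.unpack(
            GPT_ENTRY_FMT, entry[:128])
        if type_guid == b"\0" * 16:
            continue  # unused slot
        parts.append({
            "name": name.decode("utf-16-le").rstrip("\0"),
            "type_guid": str(uuid.UUID(bytes_le=type_guid)),
            "first_lba": first_lba,
            "last_lba": last_lba,
            "offset": first_lba * SECTOR,
            "size": (last_lba - first_lba + 1) * SECTOR,
        })
    return parts


def gpt_is_consistent(image: bytes) -> bool:
    """True when the primary GPT parses and both CRCs check out."""
    try:
        parse_gpt(image)
        return True
    except ValueError:
        return False


def extract_partition(image: bytes, name: str) -> bytes:
    """Slice one partition (e.g. "vendor") out of the full dump by name."""
    for p in parse_gpt(image):
        if p["name"] == name:
            return image[p["offset"]:p["offset"] + p["size"]]
    raise KeyError(name)


def build_sample_image(layout, n_entries: int = 4) -> bytes:
    """Constructed emmc-like image for testing: primary GPT only, no backup GPT,
    empty protective MBR. layout is a list of (name, content_bytes)."""
    entries, bodies = [], []
    lba = 2 + (n_entries * 128 + SECTOR - 1) // SECTOR  # first usable LBA after the table
    first_usable = lba
    for name, content in layout:
        n_sect = (len(content) + SECTOR - 1) // SECTOR
        entries.append(struct.pack(GPT_ENTRY_FMT, uuid.uuid4().bytes_le, uuid.uuid4().bytes_le,
                                   lba, lba + n_sect - 1, 0, name.encode("utf-16-le")))
        bodies.append((lba * SECTOR, content))
        lba += n_sect
    last_usable = lba - 1
    table = b"".join(entries).ljust(n_entries * 128, b"\0")
    hdr = struct.pack(GPT_HEADER_FMT, b"EFI PART", 0x00010000, 92, 0, 0, 1, last_usable + 1,
                      first_usable, last_usable, uuid.uuid4().bytes_le, 2, n_entries, 128,
                      zlib.crc32(table))
    hdr = hdr[:16] + struct.pack("<I", zlib.crc32(hdr)) + hdr[20:]  # fill in header CRC
    img = bytearray(lba * SECTOR)
    img[SECTOR:SECTOR + 92] = hdr
    img[2 * SECTOR:2 * SECTOR + len(table)] = table
    for off, content in bodies:
        img[off:off + len(content)] = content
    return bytes(img)
```

On a real dump you would replace build_sample_image with open("emmc.img", "rb").read() (or mmap it, since a full emmc image is several GB) and call extract_partition(image, "system"). If gpt_is_consistent returns False on a dump you just read out, suspect the reader or the read, not the device.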
 

kalehrl (Senior Member, Nov 22, 2017)
You will brick the box that way. Verified boot is active and when partition hashes don't match, the box won't boot. I tried it and bricked it. The only way seems to be to decrypt the bootloader but password is required 😕 😔
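Added example, not code from this thread or from any of the posters: why a repacked system/vendor partition bricks the box even though the data inside it is perfectly valid. Verified boot keeps a hash tree over the partition and compares its root against a value it trusts from a signed descriptor outside the partition, so changing a single byte (say, flipping one setting) changes the root and the check fails, while writing back the untouched image passes again. This is a simplified binary Merkle tree, not the exact dm-verity on-disk layout, the 4 KiB block size is an assumption, and the "partition" is a constructed stand-in built by build_sample_partition.

```python
import hashlib

BLOCK = 4096  # assumed data block size; the real layout on these boxes is not known from the thread


def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def hash_tree_root(image: bytes, block: int = BLOCK) -> bytes:
    """Root of a simplified binary Merkle tree over fixed-size blocks.

    Real dm-verity packs many digests per hash block instead of pairing them,
    but the property shown is the same: every data block feeds one root digest.
    """
    if not image:
        raise ValueError("empty image")
    level = [_sha256(image[i:i + block].ljust(block, b"\0"))
             for i in range(0, len(image), block)]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])  # pad an odd level (simplification)
        level = [_sha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def verify_partition(image: bytes, trusted_root: bytes, block: int = BLOCK) -> bool:
    """What the boot chain effectively does: recompute the root and compare it
    with the trusted one. Re-hashing after an edit does not help, because the
    trusted root lives in a signed descriptor the attacker cannot re-sign."""
    return hash_tree_root(image, block) == trusted_root


def changed_blocks(original: bytes, modified: bytes, block: int = BLOCK) -> list:
    """Indices of data blocks whose hash differs between two images."""
    n = max(len(original), len(modified))
    return [i // block for i in range(0, n, block)
            if _sha256(original[i:i + block].ljust(block, b"\0"))
            != _sha256(modified[i:i + block].ljust(block, b"\0"))]


def build_sample_partition() -> bytes:
    """Constructed stand-in for a system partition: 8 blocks of filler with a
    small settings file placed in block 5. Not real firmware content."""
    img = bytearray(b"\xa5" * (8 * BLOCK))
    settings = b"development_settings_enabled=0\nadb_enabled=0\n"
    off = 5 * BLOCK
    img[off:off + len(settings)] = settings
    return bytes(img)


def patch_setting(image: bytes, old: bytes, new: bytes) -> bytes:
    """Same-length in-place edit, i.e. the 'repack with one value flipped' case."""
    if len(old) != len(new):
        raise ValueError("edit must preserve length")
    idx = image.find(old)
    if idx < 0:
        raise ValueError("setting not found")
    return image[:idx] + new + image[idx + len(old):]
```

The useful part for this thread is the last assertion in the test: after the edited image fails, the original bytes verify again with the same trusted root. That is exactly why a full emmc (or SD card) image of a working box is the recovery path, and why editing a partition in the dump is not.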
 

Kubanac (Member, Oct 19, 2007)
You will brick the box that way. Verified boot is active and when partition hashes don't match, the box won't boot. I tried it and bricked it. The only way seems to be to decrypt the bootloader but password is required 😕 😔
Can we use a bootloader from another s905x2 device?
How does Aidan's rom work on most of these devices?
 
Deleted member 11959327 (Guest)
I tried to decrypt but this problem occurs.

When usb download mode is protected by a password, the bootrom dumping script won't work. Most certified devices do protect usb download mode with a password.

Skyworth devices do use fatload during every boot to check for files on usb devices:

Starting the controller
USB XHCI 1.10
scanning bus 0 for devices... 2 USB Device(s) found
scanning usb for storage devices... init_part() 282: PART_TYPE_DOS
1 Storage Device(s) found
** Unable to read file /skyworth/factory_mode/uboot/check_udisk.cfg **
[sk_usb_cfg_init,422]load file "/skyworth/factory_mode/uboot/check_udisk.cfg" from u disk failed!

The recent exploit for the Google Nest Hub (2nd Gen) uses a fatload exploit that allows arbitrary code execution. It's possible that this exploit could be leveraged to dump the bootrom on these skyworth devices, but it would be a lot of work.
 
Deleted member 11959327 (Guest)
Because I have a direct access now to a emmc thru external reader. I can extract system and vendor partition from dump, unpack them, make some changes (change launcher, enable developers options) repack and flash it back for test. Note that my device runs android 9 not 10.

It's true that changing any of the system partitions is unlikely to work and is difficult to reverse.

However, since you have a full emmc dump with a working OS, you can always start over by writing back the whole emmc image. So, this gives you more flexibility to try risky things.

Would you post details about which reader you use and how you connect it to the board?
 

Kubanac (Member, Oct 19, 2007)

It's true that changing any of the system partitions is unlikely to work and is difficult to reverse.

However, since you have a full emmc dump with a working OS, you can always start over by writing back the whole emmc image. So, this gives you more flexibility to try risky things.

Would you post details about which reader you use and how you connect it to the board?
Desolder, put it on an external reader. Reball, solder. Advanced soldering and reballing skills needed: hot air station, soldering station and any emmc-capable reader.
20220806_013404.jpg
 
Deleted member 11959327 (Guest)
Desolder, put it on external reader. Reball, solder. Advanced soldering and reballing skills needed, hotair station and soldering station and any emmc capable reader.

Good job, but that is an awful lot of work. I have a hot air gun but none of the rest of that stuff.

A while back I was thinking of connecting a header so that it could be repeatedly done quickly in circuit.

I popped off the emmc from a board, just to get the trace locations. It shouldn't take more than connections to vcc, vccq, gnd, dat0, cmd, and clk. Although with only one data line it would be slow going.

But later I discovered the short method for the emmc, and also that even if the emmc becomes unbootable, it will boot from the sd card instead (if the sd card contains a dd copy of the mmcblk0 block).

Then, after booting from the sd card, I could just copy the mmcblk0 image back to the emmc, which is pretty much the same as writing the entire emmc directly.

So, I didn't think it was worth the effort to wire up in circuit access to the emmc, but others here might still find it useful.

sw-board.jpg
 

iAbdul (Member, Feb 9, 2022)
Hi,

Good to see you making progress in here.

I have the same model which is HP4105-Intigral branded by "stc tv" and I want to contribute.

The box is useless without the freedom to install any apps we want. In an earlier software version I was able to uninstall AppWatch so the apps I install don't get removed, and enabled Developer Mode back then; after the last software update, AppWatch got installed again and I can't uninstall it anymore.

Fortunately, I still have Developer Mode and ADB enabled, so I can go to recovery and fastboot mode, but I ran into another problem, which is that the USB port is disabled in fastboot, so I can't flash anything. I thought it was because of the drivers, but it wasn't, because I tried in Linux and it didn't work.

Are there any approaches to make it happen?
 
Deleted member 11959327 (Guest)
I have the same model which is HP4105-Intigral branded by "stc tv"

The jawwy build runs android 10 so temporary ram root is possible as explained earlier. It is not possible for boxes running android 9.

Fortunately, I still have Developer Mode and ADB enabled, so I can go to recovery and fastboot mode, but I got into another problem which is the USB Port is disabled in fastboot, so I can't flash anything. I thought it was because the drivers, but it wasn't because I tried in Linux and didn't work.

Most likely it is the otg_device setting. 0 is host, 1 is slave.

Unfortunately it will probably require shorting the emmc to change the setting.
 
Deleted member 11959327 (Guest)
Has anyone found the eMMC short pin?

See here. But it takes trial and error to get a good burn mode connection on any given attempt. Sometimes the short will result in a dfu (usbdl mode) connection, which won't work. So you may need to try repeatedly to get a working burn mode connection by tapping the points during the early boot process.
 

Top Liked Posts

    @Urke2207
    @Stefan781

    Will post some serious progress soon.
    100% sure we will unlock it.

    On the sideline, it is beyond very unfair from users:

    that they are keeping everything to themselves!
    Forum moderators should not be allowing this kind of behavior, as it should not be the case that within the same thread the same issue needs to be resolved repeatedly. If I were in charge, monetising solutions from this forum would be severely punished.

    This is your first post on the forum and you already ask for something. Personally, I won't share anything. You just wait for a ready-made solution without spending even a moderate amount of effort.
    Your effort is using somebody else's effort, namely Functioner's effort, who was guiding you in every step of the process.
    And unlike him, who was selfless with you, you get offended by the idea of sharing things with others, which is exactly what these forums are for: to save effort for the rest of the open source community and to offer ready-made solutions once they are ready. It is not only for you individually to get what you need!

    Hello everyone,

    Can someone help me to Enter Android Recovery Mode on Skyworth HP4024 ?

    Please assist.
    Hi, you just unzip the attached zip to a FAT32 formatted USB drive
    and boot the system from USB 2.0 (power off the device, insert the FAT32 USB drive into the USB 2.0 port near the SD card, then boot the device normally and it will reboot to recovery mode).

    what is talking about

    I'm able to count asterisks, and yet I still replied to your rude post with the information that you requested.

    On the sideline, it is beyond very unfair from users:


    What have I done that was beyond very unfair? I participated in this thread with the sole purpose of being helpful. My entire thought process, from beginning to end, is right here in this thread for everyone to read.

    that they are keeping everything to themselves!

    There is nothing for me to keep to myself. There would be no benefit for me to do so. I don't own the device in question. I worked solely based off information that others posted, for a total of only a few days.

    My findings were no more than what I posted in this thread. The OP made some independent findings that are not for me to appropriate and publish unilaterally.

    Apparently your position is that it is beyond very unfair of me not to appropriate and publish someone else's finding when they have chosen not to do so themselves?

    Deleted member 11959327
    it's still recognized from the usb burning tool, if I could make rom img from the super backup it will be great
    It won't work because that is the password protected type of worldcup connection. There are two types of worldcup connections. For this device, only the second type (with the uart response shown) can work because of the password protection.

    I've used this method, so I know that it works. Did you have the bootloader start at 0h offset or 200h offset?

    To be sure, you can dump the whole emmc to a micro sd card.