Tablets
13 September 2025
Score 7t converted a basic group to this supergroup «Score 7t»
R
03:53
Ryan
JB
03:53
John Blaze
Great work brother ya got it perfect this time.
Thank you
Thank you
R
03:55
Ryan
Just a little trial and errorπ
JB
03:57
John Blaze
And success πͺππ΄ββ οΈπ΄ββ οΈπ΄ββ οΈπ΄ββ οΈπ΄ββ οΈπ΄ββ οΈπ
Terry Thompson V 2.0 joined group by link from Group
TT
04:00
Terry Thompson V 2.0
D
Sabastian Medrano joined group by link from Group
JB
04:09
John Blaze
Okay okay I got one for us .
stop me if ya know this one...
A horse and a Jew walk into a prison bar with a tablet... The c/o says why the long face?
The horse said
it comes with the job of fucking the feds all day.
So....
1) rent a movie or showπ
2) watch the whole thing π«£
3) log into the kiosk π
4) hit end rental as usual on the tablet π
5) as soon as that little process finishes and it begins to show all the movie selections again ... HOLD the power button for 15 seconds so it does a hard reset and powers offπ
6) be already logged into the kiosk so when the tablet boots you immediately put in your PW and immediately go to the video selection and select any movie or show other than what you just watched ...Β select to rent it as usual.
7) quickly connect the USB and sync.π§¨
When the sync is happening you will see it downloading the previous movie or show you have already rented and paid for... not the one you have just selected on boot. π₯π€―π«¨π
You are now fucking the feds for a change out of the price of a movie.
You can do this as many times as you like to rewatch the same movie or show.
Rent once and whore it out to as many others as you like to get your money back.
Or swap you slutty tablet with somebody else's wife. Err. tablet π... And watch each other's movie... Full length not the halfie shit
FTF. π―π€
stop me if ya know this one...
A horse and a Jew walk into a prison bar with a tablet... The c/o says why the long face?
The horse said
it comes with the job of fucking the feds all day.
So....
1) rent a movie or showπ
2) watch the whole thing π«£
3) log into the kiosk π
4) hit end rental as usual on the tablet π
5) as soon as that little process finishes and it begins to show all the movie selections again ... HOLD the power button for 15 seconds so it does a hard reset and powers offπ
6) be already logged into the kiosk so when the tablet boots you immediately put in your PW and immediately go to the video selection and select any movie or show other than what you just watched ...Β select to rent it as usual.
7) quickly connect the USB and sync.π§¨
When the sync is happening you will see it downloading the previous movie or show you have already rented and paid for... not the one you have just selected on boot. π₯π€―π«¨π
You are now fucking the feds for a change out of the price of a movie.
You can do this as many times as you like to rewatch the same movie or show.
Rent once and whore it out to as many others as you like to get your money back.
Or swap you slutty tablet with somebody else's wife. Err. tablet π... And watch each other's movie... Full length not the halfie shit
FTF. π―π€
HH
04:23
Hank Hill
Okay
Terry Thompson V 2.0 invited Dub G
TT
06:20
Terry Thompson V 2.0
π€
lm joined group by link from Group
Gino Green joined group by link from Group
GG
07:15
Gino Green
In reply to this message
When you select the new movie it won't charge you the tru units?
Roscoe joined group by link from Group
HH
09:42
Hank Hill
Stay tuned for a proof of life video πΉ
R
C joined group by link from Group
Unfazed Waffle joined group by link from Group
NightCrawler joined group by link from Group
Jammer joined group by link from Group
Deleted joined group by link from Group
Billi joined group by link from Group
Halfredo Hernandez joined group by link from Group
JB
18:20
John Blaze
In reply to this message
Correct it doesn't charge the tru units.
I realize that it should since you are selecting something different.... But it also should download the thing you just selected as well but it re-downloads the last thing you had rented.
You must make sure that you do it fast.... Immediately after boot.
Though I had successfully done it with a 30 second delay I'm not sure what the threshold is
β€
I realize that it should since you are selecting something different.... But it also should download the thing you just selected as well but it re-downloads the last thing you had rented.
You must make sure that you do it fast.... Immediately after boot.
Though I had successfully done it with a 30 second delay I'm not sure what the threshold is
GG
B
18:21
It's some kinda glitch and it is repeatable multiple times without limit on the same movie or show
18:25
Also on another un related perk the tablet can be put into safe mode by pressing volume up when it says score during boot.
This will allow you to use the tablet as a charger and not trigger the security protocol to register that the tablet has been connected to an unauthorized device.
If you boot regularly and charge a phone or MP it will show a message that says it's been connected to an unauthorized device
This will allow you to use the tablet as a charger and not trigger the security protocol to register that the tablet has been connected to an unauthorized device.
If you boot regularly and charge a phone or MP it will show a message that says it's been connected to an unauthorized device
Don joined group by link from Group
J
18:59
Jammer
Has any one attempted adb yet
D
18:59
Don
Adb is off. I have tried
J
18:59
Jammer
What error does it give
U
18:59
Unfazed Waffle
Adb used to work when the tablet first came out
J
19:00
Jammer
Did you ground the mtk chip test point when trying
U
19:00
Unfazed Waffle
19:00
Yep
19:01
But I didn't plug in otg because I currently don't have one yet
19:01
Adb should work without otg
J
19:01
Jammer
Its not going to work without otg
U
19:01
Unfazed Waffle
Are you sure?
J
19:01
Jammer
Yes
U
19:02
Unfazed Waffle
What is the screen supposed to look like
J
19:02
Jammer
What's the pic for
U
19:02
Unfazed Waffle
J
19:05
Jammer
No under the metal shield look for the mtk chip on the bottom you will see a gold circle you have to ground the plug in otg host to target then type
adb devices
It should show list devices as 2 sets of 8 debut numbers
adb devices
It should show list devices as 2 sets of 8 debut numbers
R
19:05
Roscoe
In reply to this message
How else would you connect the host device to the tablet in order to run ADB if not with an OTG cable? Do you have access to a computer running Windows?
U
19:05
Unfazed Waffle
They same way you could access the bootloader before the changes it
19:05
And what metal shield
J
19:05
Jammer
You can use a USB thumb drive adapter
19:06
Count brb
U
19:06
Unfazed Waffle
Ok
19:06
Where is the actual mtk chip
J
19:10
Jammer
On the left side of the big metal shield there are some little clips bend those and take off the big metal shiels
U
19:11
Unfazed Waffle
If you can show pics would really appreciate it
19:11
And how do I gorund these
J
19:11
Jammer
19:12
Take a wire and ground it to the battery and wrap the other end around a paper clip and use it a a group pin
19:13
Also if you don't have adb fast boot installed on host your most likely not going to get any thing
J
19:15
J
Jammer 18.09.2023 22:05:56
You will need this place the firmware in theΒ android/android_sdk/platform tools
Then open terminal
Type adb devices
Then open terminal
Type adb devices
J
19:18
Jammer
This only works with rooted device as host
19:21
After you install cd to
android/android_sdk/platform tools
When your directory is platform tools type adb device if that works start daemon and if that works you need to dd the system and mod it and flash it
android/android_sdk/platform tools
When your directory is platform tools type adb device if that works start daemon and if that works you need to dd the system and mod it and flash it
19:22
You may have to creat a folder called android_sdk
19:27
adb kill-server
adb wait-for-device root
adb disable-verity
adb reboot
adb wait-for-device root
adb remount
echo "stopping wifi control"
adb wait-for-device root
adb disable-verity
adb reboot
adb wait-for-device root
adb remount
echo "stopping wifi control"
Jason Michaels joined group by link from Group
JM
20:48
Jason Michaels
Please nobody post passwords and shit, you may as well walk down to SIS and snitch on everyone.
If someone isn't smart enough to know where to get passwords, you shouldn't know it
π
If someone isn't smart enough to know where to get passwords, you shouldn't know it
U
W joined group by link from Group
14 September 2025
Freddy joined group by link from Group
HH
JB
02:48
John Blaze
In reply to this message
I'm glad that I was able to contribute something to the group that is useful. And brings a little bit of joy to your life π FTF
U
02:51
Unfazed Waffle
In reply to this message
So in theory I wouldn't need more tru units on my account if if I keep using this method. Like it won't give an error saying I don't have enough tru units since it thinks it's just syncing the tablet
JB
03:20
John Blaze
Correct. In reality you can have 1 try unit. Obviously not enough to rent anything and still it will redownload your previous purchase to watch again.
I tried it proof of concept
Poc||GTFO
I tried it proof of concept
Poc||GTFO
Tim Smith joined group by link from Group
Ryan removed Unfazed Waffle
B
03:39
he tried to sell me the tablet sauce dor 500$
TT
03:40
Terry Thompson V 2.0
He just gave all of it to me and asked me to verify that it worked
03:41
Let me see if it will forward here
B
TT
03:43
Terry Thompson V 2.0
No. He said he paid 150 to this guy I guess they were in jail in California. He said sis locked dude up and nobody saw him since
B
03:44
what he do
TT
03:44
Terry Thompson V 2.0
U
Unfazed Waffle 13.09.2025 15:52:03
Btw what have you heard about the tablets
03:44
I paid a guy 150$ for the instructions
03:44
He sent it to me with all the files but I don't have a type c otg cable to try it so idk if it works
03:44
U
Unfazed Waffle 13.09.2025 16:17:59
He also told me to short out some pins
03:44
03:44
03:44
U
Unfazed Waffle 13.09.2025 18:56:51
Plz lmk
03:44
U
Unfazed Waffle 14.09.2025 01:41:16
What do you think about what I sent
03:44
Do you have any idea if it could work
03:44
I have the files to test it I just don't have an otg cable yet
03:44
Plz lmk cause I really think the guy was serious
03:44
He got picked up by sis in California and has been MIA ever since
03:44
He showed me the tablet and everything
B
TT
03:45
Terry Thompson V 2.0
In reply to this message
He said he tried to scam him. He never asked me for no $
B
03:46
Billi
In reply to this message
ya he showed me tablet too...that shit mean nothing we got tablets i can show it n say i can do it
TT
03:47
Terry Thompson V 2.0
If he tried to scam you. I understand I have no use for scammers
B
03:49
Billi
In reply to this message
he didn't scam me bro he tried to ask me for $500.. i thought he got nothing to offer.. askin me to send cashap first ..just couldn't trust random guy without no mm
R
03:54
Roscoe
Ha. When he (?) was Trini, they wanted $3000 for the source/method.
03:55
They sent this as their proof, but others have spotted a board swap.
R
03:55
Ryan
Yeah, he definitely tried to scam someone I know and it sounds like a lot of others
TT
03:56
Terry Thompson V 2.0
Hell I heard that the dude that had the way to do it was at fort Dix and he wanted $15000 and it consisted of running a cable from a tablet to the 7c and soldering wires to board on the 7c to do whatever then remove the wires. LoL. Rumors
B
03:57
Billi
he needs to checkin whrevr he is
R
B
03:58
Billi
just breakin tabs
TT
03:59
Terry Thompson V 2.0
He sent me a screenshot of him asking Roscoe for some help in mp3. Will have to ask Roscoe what he told him
B
03:59
Billi
lets get it hank
R
03:59
Roscoe
HH
Hank Hill 13.09.2025 09:42:20
Stay tuned for a proof of life video πΉ
B
03:59
Billi
damm live
R
04:02
For what it's worth, I know Hank is legit and have seen it myself.
TT
04:03
Terry Thompson V 2.0
I heard 1500 per tablet or sell the technology and instructions for 15000
TT
04:03
Terry Thompson V 2.0
R
Ryan 14.09.2025 04:01:53
Not quite that expensive (if you mean per tablet).
TT
04:04
Terry Thompson V 2.0
What can u do with it I mean don't u have to have a hotspot for to get online
R
04:06
In reply to this message
You do but just dl everything you want to use offline. It's not as good as a phone but I'm sure you can see the benefits. But it's a lot of money.
R
TT
04:12
Terry Thompson V 2.0
Ok cool that aspiring wino says he wants you to let him in group. He said all he wants is just some help breaking tablet and to help. I guess he wants to talk with you. I am just the messenger. Don't shoot me
β€
TT
Drew joined group by link from Group
D
04:20
Drew
Aspiring wino aka Trini did scam me and a guy I know for 250 a piece. Fuck that dude
GG
04:20
Gino Green
In reply to this message
There is a guy named Drew pretty legit dude far as I know says drew either scammed him or tried to
D
04:21
Drew
Lol hey gino
GG
D
04:21
Drew
Yeah he fucked me tell him to send my money back and he can join the group
GG
04:21
Gino Green
That wino guys in my dms asking for help making an otg cable
TT
04:22
Terry Thompson V 2.0
It's a small world
D
04:23
Drew
Yeah it is especially in the system.
GG
D
GG
TT
04:25
Terry Thompson V 2.0
I have been around in the system before we had corrlinks or mp3 or whatever. I always treasured having a good reputation
β€
GA
GG
HH
04:29
Hank Hill
Im hoping to make the video tomorrow. Stay patient guys. I know seeing a tablet isn't going to help but at least you all will be able to see a working model.
D
04:30
Drew
Can't wait hank thank you
JB
04:36
John Blaze
In reply to this message
You should disassemble the flasher APK to see what it really does or if it trys to collect data or connect to an outside IP address or some malicious shit
Also analyze the hex file he sent for validity to see if it has substance or if it's just empty space
Also analyze the hex file he sent for validity to see if it has substance or if it's just empty space
TT
04:39
Terry Thompson V 2.0
And Gino u definitely a pro on them cables . One of these days gonna have to ask u a couple questions about tying the data together on USB a side to make rapid charging
TT
04:39
Terry Thompson V 2.0
GG
Gino Green 14.09.2025 04:26:12
Definitely
D
04:45
Drew
In reply to this message
The flasher app he got from another guy in the old group. His name was D with the lime green circle. It's the app that they created to mimic the kiosk but doesn't work without the key. After he scammed me I was talking to D and he told me that he asked him for the app even though it wouldn't break them
GG
06:24
Gino Green
In reply to this message
I'm here bro I helped Drew make one of those cables to charge
Bill joined group by link from Group
Tom Tom joined group by link from Group
J
17:57
Jammer
Trini tryed to scam me to
D
18:13
Don
If you send me the flasher.apk I can disassemble it
18:13
How big is the firmware file?
18:13
It would have to be quite large to do anything
18:14
Switzerland and I made the app that mimics the kiosk but without the private key it isn't useful. Just a proof of concept of using android accessory mode. Here is a screenshot
18:14
18:17
I had thought all the keys were symmetrical but missed the asymmetrical ecdsa key ππ
D joined group by link from Group
Terry Thompson V 2.0 invited John Smith
21:48
Deleted Account
In reply to this message
Unfortunately we couldn't get it to work, we need more ideas
15 September 2025
Capo joined group by link from Group
C
00:10
Capo
In reply to this message
I like! What about using forensics tools (opensrc) available on GitHub to find the private key when dumping processes?
00:14
Deleted Account
In reply to this message
Private key is never in transit. It's stored on the server. We think it's in internal network, prison specific sub domain. Probably can be retrieved by a corrupt CO.
C
00:25
C
In reply to this message
People were talking about booting up the trulinks computers with another OS, could it be done that way?
00:26
Deleted Account
You still wouldn't be able to extract the key. You might be able to hit the endpoint and ask it sign the challenge with the valid key so you get authentication on the tablet and can enable a lot of functions.
C
00:27
C
I wonder if you could get persistence on those computers
00:27
Put some kind of software that can run even on regular boot
00:27
Only with special key combo or something
00:29
Deleted Account
You making it very high risk. Nothing should be persistent to avoid detection
D
01:01
Don
The problem is they were somewhat smart with the design
01:02
The tablet id and so forth is passed to a remote server
01:02
The remote uses the key to sign and return that data
01:02
So the private key never gets sent to the end point trulincs workstation
01:04
The only thing that would work is a mitm attack where phone is plugged into tablet, intercepts request, passes over wifi to phone hooked to trulincs. Then after valid auth, can emulate trulincs. But requires two phones and the tablet owner has to log in since thst is checked as well
01:05
Its possible there is a server at each institution that has the key. But unless we get a hdd dump like we did with the workstation...
C
02:05
C
In reply to this message
Does it have to be over internal network? If it's a remote server why can't you use the dump to connect to that server from a phone?
02:06
Do you have the portion of the program code that connects to server?
HH
02:43
Halfredo Hernandez
In reply to this message
He told me he would sell me directions to put ruizu fw on the mp3 for 100$. When I stopped responding he kept asking me over and over to pay. Red flag
β€
TT
JB
03:05
John Blaze
What about the next time a firmware update comes out. Would it be possible to hijack that process? Or even when a new tablet is bought and is updating?
03:06
Or would we still need a signed fw
Danny Ortiz joined group by link from Group
D
19:17
Danny Ortiz
What's up, haxer127.0.0.1 here
β€
TT
19:19
Here strictly for the score so glad to see the new mod group
D
19:56
Don
In reply to this message
So the firmware gets placed on a special partition, but it is signed as well. And even if it were not, no easy way to write to the internal emmc
19:57
In reply to this message
They have a vlan with the wan connection. I dont have a ton of visibility into the schema but just from looking at the code
16 September 2025
HH
02:18
Halfredo Hernandez
I'm not anywhere near as tech savvy as you guys, but if I try to contact/pay some current or even former atg employees, what kind of info would they have that would be beneficial to this group?
02:18
I.e. what info would I ask them for
Specz joined group by link from Group
B
18:29
Billi
any1 wid mp3 jailbreak file? Gen2&3
D
21:13
To be more specific the private key that authenticates the tablet to edgejas
21:13
Ecdsa key
17 September 2025
HH
03:11
Halfredo Hernandez
Ok
John joined group by link from Group
18 September 2025
D joined group by link from Group
D
07:30
D
In reply to this message
It is also possible to boot the kiosk to a USB stick running a stripped-down Linux distro. From there, using the disassembled kiosk code, we could create a piece of software that queries the ATG server the same way a kiosk does. You boot into this USB, attach a tablet, and the fake kiosk software unlocks the tablet. It would take some testing and iteration, but it could work. The only difficulty is if the kiosks don't get their IP assigned by DHCP, or require an authentication key just to even talk to the network. But this could be ruled out before any extensive development is done.
07:35
This is on my to-do this upon release.
J
14:06
Jammer
Can someone list what's been tried so were not doing double the work it could be made a pin at the top
JB
17:37
John Blaze
In reply to this message
What about cloning the Mac address and IP of an already existing kiosk on the local network that would than be disconnected .
17:37
Has anyone been able to sniff network traffic?
17:55
Deleted Account
In reply to this message
There's a dump of the kiosk workstation. If your goal is to connect to their network. Check the source code and see how the kiosk operates. It might be executing some network registration services or some other security features. Please don't boot in to the kiosk from the drive while the Ethernet cable connected. You might get swatted while using itπ
JB
20:57
Deleted Account
Yes
19 September 2025
J
01:21
Jammer
Does any one have mtk client for termux handy
TT
02:52
Terry Thompson V 2.0
And to Ryan and drew and Gino anda few others I been looking into trini954 and I can agree with you he was trying to scam from my opinion on hackforums as you all know hackforums is my home on the web. My current profile is from 2021 and is a lifetime UB3R. I never have to pay and also got approved for vendor just last week. Omniscient himself the owner told me when I got out of shu to more or less stay out of trouble. And some of the other staff asked me to write a tutorial about the actions media atj2127 chip in the clip sport and some other brands. Anyway I take offense to all scammers especially one that's in a forum I am directly related to and in the telegram groups. Well Ryan deleted him from this group and I deleted him from my group but he is still member of score 7c and FTS and aic so if any group owners see this please delete aspiring wino akatrini954. He sure had me fooled
GG
D
05:00
D
In reply to this message
This is my server. I have gone through the kiosk dumps, but not as finely as possible. I never found evidence of special network security protocols or keys, but it's difficult to go through everything. Most of it was quickly copied filesystem data, which doesn't usually have network settings. But maybe there's a copy of the Windows registry hives I missed that would have this.
05:02
In reply to this message
While Termux will run on phones and regular computers, the dependencies for mtkclient have not been built or developed for phones (ARM). It will not run on Termux for now.
C
17:10
C
If anyone is interested in using crypto to send cashapps, Western Union, venmo, etc without kyc I can write up some tips. Took me some time to figure it out
17:12
In reply to this message
Localcoinswap has good vendors for cash app, venmo. They won't do Western Union to bop in my experience though. For that I used sites that sell debit cards for crypto then signed up with Western Union directly. Not all cards will work with WU though. Bitrefill visa USA one worked well for me
B
17:41
Billi
if someone caught with altered tablet battery to use for j7 or j3 in his possession. What shot he will get?
R
S
19:23
Specz
You guys think buying gold with crypto and selling the gold as cash would be a good way to clean it
B
S
21:58
Deleted Account
In reply to this message
On the conversion percentage and then to sell gold. Selling gold for cash you will get ~50-60% of what you paid in crypto for it
20 September 2025
B
B
00:07
Billi
yep
Tony Sparks joined group by link from Group
JS
02:04
John Smith
Hey thanks for invite. I have bad co 5 days out of the week so I'll only be around on weekends. But here's what I've got in regards to the mp3 players I have 3 different softwares. I have not had time to read the posts in this group but will tonight. Umm if you're having trouble with find an amv converter u can download terminux on your phone and use chatgpt or deepseek to basically help you make a converter I maybe will have this info later this weekend but dudes horde this shit. The mp3 stuff cost me a pretty penny but trying to make bids as comfortable as possible
β€
S
JS
S
02:27
Specz
Man your a life saver John I just took out the SD card from my gen 3 and formatted it to fat 32 using an otg
02:27
I was literally searching what do do next before I put the SD card back in there
HH
02:36
Halfredo Hernandez
In reply to this message
Hey John thanks so much for this. Will try it soon. One question though, when do i use the ruizu firmware file to put ruizu video firmware on the mp3? I don't see it mentioned anywhere in Your instructions
JS
02:37
John Smith
I'm uploading the rest of the zip now, should all be in there. It's taking a while...
HH
02:38
Halfredo Hernandez
In other words, i only see the us212a firmware mentioned, isnt that only for the sandisk music only firmware?
TT
02:40
Terry Thompson V 2.0
Us 212demo is only for gen 2
02:41
And gen 3 does not support video
R
02:41
Roscoe
In reply to this message
You're adding the video features when you use the Open Dir button per the instructions
JS
02:42
John Smith
All this is only for gen 2, the SanDisk fw is for music and the ability to access the SD slot.
S
JS
02:51
Should be able to grab it now. FTF
HH
02:54
Halfredo Hernandez
In reply to this message
Ok i see, so I don't need this separate ruizu fw file that i Downloaded?
R
HH
02:55
Halfredo Hernandez
Thx
R
HH
02:59
Halfredo Hernandez
Two questions for the group
02:59
Anyone tried to update the ruizu fw to something newer than v1.0?
R
HH
03:01
Halfredo Hernandez
In reply to this message
Is this anything worth looking at? For in prison any good uses
03:13
Interested in updating ruizu to newer version. If anyone tried let me know before i brick
D
HH
03:20
And it looks much better
D
03:21
Drew
There's also like an x54 I think that looks almost exactly like the SanDisk. But I couldn't get it to work
HH
03:23
Halfredo Hernandez
In reply to this message
X02 is the player but I've only seen firmware version 1.0 used. They made newer firmware for the exact same player. I don't see why it wouldn't work
D
03:25
Drew
Yeah I don't see why not. But that process is more complicated I'm not sure how it works
HH
03:26
Halfredo Hernandez
In reply to this message
True, i will try it sometime because the newer ruizu firmware looks way better
D
03:26
Drew
Also if it gets stuck on the Ruizu scree like aspiring winos did. You can power it off. Hold the power button down and the down button and plug it back while holding it and your phone will pick it back up
03:27
Took me a awhile to figure out the one I bricked
HH
03:29
Halfredo Hernandez
03:29
That's the x02 with newer fw
03:30
I think it looks better than the wheel type menu
TT
03:31
Terry Thompson V 2.0
Does this player have atj 2127 chip
HH
03:32
Halfredo Hernandez
In reply to this message
Think so. It's only a newer fw version of the same ruizu fw we already use
03:32
X02
03:32
Why wouldn't it work
TT
03:34
Terry Thompson V 2.0
Ok cool then it should work. Buttons might need reassign but should work
HH
TT
03:35
Terry Thompson V 2.0
Ok share if it does
JB
03:35
John Blaze
If you want to use whatever version of the fw I think it needs to be decrypted and disassembled. After that just use the .tbl files on top of the usa212.fw
TT
03:36
Terry Thompson V 2.0
After 212 I just put whatever as long as it was designed for atj 2127
JB
03:36
John Blaze
In reply to this message
Like it says here but the fw is already decrypted and all the tbl files are there for the Ruiz red version. The card slot works and color is good
TT
03:36
Terry Thompson V 2.0
Instead of copying SanDisk hex put whatever fw u want
JB
03:38
John Blaze
In reply to this message
Correction. It doesn't need to be . But I think it works better with less bugs if it is
TT
03:38
Terry Thompson V 2.0
There is supposed to be a AI made that it's specialty is helping u with firmware. It helps unpack it and recompile I guess. Does anybody know what it is
JB
03:39
John Blaze
Claude? Maybe
03:40
TT
03:41
Terry Thompson V 2.0
I will check it out
03:41
Thanks
JB
03:43
Also has a reverse engineering option too
B
TT
03:49
Terry Thompson V 2.0
There is never enough hours in the day. LoL. Thanks again
TS
04:01
Tim Smith
So I have a clip sport plus mp3. It has the same atg 1217 processor as the gen 2. Getting it into firmware update mode is also the same by plugging it in with the up volume button. The only difference is it has a Bluetooth chip, which I don't care if I loose functionality... And it has micro SD memory internal (no external SD card slot). So do you guys think the ruizu firmware would work on it as well?
JS
15:52
John Smith
Has anyone made any progress in regards to the score7c
15:54
I'm thinking the vulnerabilities are going to be via the security chip or people are talking about soldering a SD reader onto the board... Or using an mp3 as a bridge
R
D
21:37
Drew
In reply to this message
I think a guy here tried the card reader thing and said it wouldnt pick it up.
21:39
Here's a strange idea. The mp3 players hook up to the same system as the tablets right. Would the kiosk also need to validate the mp3 player the same way. They definitely communicate. Is there anyway you could have the mp3 player pick up or copy or find this key needed to unlock the tablets.
21:40
We can put whatever on the SD cards and maybe make a copy of whatever it sends or something. Someone way smarter than me might have an idea
21:43
Or is there a way to spoof the tablet. Let's say hook up a phone to the kiosk or have a cable that you can hook the phone up in the middle of that can read the data transferred back and forth. Like a cable that goes from the kiosk to the tablet but splices in the middle that connects to the phone.
D
22:28
Don
In reply to this message
This would work. You could have an app on a phone connect to the tablet. That phone communicates over wifi to another phone that would be connected to kiosk. This is a man in the middle attack. Drawbacks are complexity, and the need to log in as the tablet owner since that data is part of the authentication schema
22:29
It would also be difficult to test due to all the moving pieces and dangerous since you will need a phone connected to the kiosk.
22:47
Deleted Account
In reply to this message
You can't do it with the phone unfortunately. You wouldn't be able to change manufacturer Id for most phones
21 September 2025
lm invited Da Accountant
D
01:02
Drew
What if you sent a tablet out had it unlocked got it back in. Then put an app on it to read the security key
01:02
Plug it into the kiosk. I would think it would still connect and talk.
01:03
Deleted Account
In reply to this message
Security key is never transferred. It stays on the server and never leaves it.
D
01:04
Drew
Theres no app or anything that could read it when the tablet connects to it
01:05
I'm just tossing ideas out not sure how the security keys work. I'm thinking of these guys figured it out in FT Dix there's something stupid we're missing
01:06
Deleted Account
In reply to this message
No evidence that they did it in FT Dix.
Ideas are always good
Ideas are always good
D
01:06
Drew
That guy who said he had access to one they unlocked..did he say if it still had the inmate info and the original games on it it did it wipe it
01:06
I thought a guy posted a video. Maybe that was the other group
01:06
Deleted Account
So far we only saw board swaps
D
01:10
Drew
Hank Hill posted in the other group a vid of one he had his hands on said it was the real deal. But it didn't show the charging port so not sure if it was a board swap. Or actual hack
01:12
He hasn't been back on since though as far as I can tell.
01:19
Also I'm wondering. Let's say we figure out how to get one to BROM. What are we flashing to it. Do we have a FW or workable room or anything to overwrite with.
HH
02:24
Halfredo Hernandez
In reply to this message
Im no scammer and I ask for no money I'm just here to share ideas. That being said, I have personally seen jailbroken score 7c at ft d. I have no reason to lie. They don't want anyone to video it
02:24
I think it was 1800 to jailbreak
02:26
In reply to this message
Someone had a server with possible roms. One was for a Walmart onn brand tablet with the same MT chipset
02:27
Also someone sent their 7t in for warranty and atg sent it back jailbroken. Not sure if it was a dumb employee or someone looking out
JB
02:37
John Blaze
02:37
02:37
02:39
These are the supposed POC proof of concepts that I have seen. I believe that they were all done during the time that brom mode was available to us. Notice the build number on all of them appears to be the same . And they are all from very different sources.
02:41
I have not tried hard to find this fw for lack of ability to do anything with it ... but Im sure it is gettable or makeable
02:41
Also take note of the build date of 2021
02:44
Each has a different device name. One says Keefe but I'm almost sure that is the okeydoke trick to get people to send money because there is no reason it should say that on a custom build.
D
02:45
Don
Yeah those are super fake
02:45
That build is aosp v222
02:45
They would need the driver for the touchscreen
02:49
In reply to this message
That seems so shady. If they wanted money they would want to prove it can be done. I could have passed my board swap off as hacked to people but I never lied. Knowing what I know about these things I dont see a path these people could take. The only way this can be done is if there is a way to get the tablet to allow a new image to be written that will run without being signed. The image file would be of significant size as well.
02:50
The touch driver is a binary blob on one of the emmc partitions I forget which off the top of my head
β€
GG
02:51
Anyway I have heard of supposed hacks for score 7c and 7t for years and have never seen one legit. Every person who collected money from people ended up checking in.
02:52
The original score 7 was vulnerable to mtkclient but none of the prisons I have been at every sold that one
02:54
In reply to this message
This is a great question. The touch driver will probably be the biggest issue. We would need to extract the binary from the partition it lives on.
HH
02:59
Halfredo Hernandez
In reply to this message
The person who did the jailbreak is different from the person who paid and didn't want his tablet videotaped. Also the person who is doing the breaks is paranoid and only works on word of mouth which has worked
D
02:59
Don
One of those pictures has a mac address belonging to apple π
03:00
In reply to this message
How smart is the guy? Did he buy this or actually come up with it himself?
03:04
In reply to this message
Left is a locally generated mac. Also fake. And bottom right they were smart enough to not put one to avoid getting caught
HH
03:04
Halfredo Hernandez
In reply to this message
First guy was a Russian programmer who first did all mp3s. Sis caught on and he stayed low then did tablets. He's gone now but supposedly sold the info
D
03:05
Don
This prison in texas has the exact same rumor. Russian programmer that hacked the mp3s and then mysteriously left
03:06
The mp3s here were all a guy I actually know that had an SD card writer and the 212 firmware. It was all myth and rumors. I went and talked to the Russia car (there is one here) and they laughed
03:08
I mean i want this to be true but it smells. If there were any reasonable hack it would spread like wildfire. Sis doesnt give a rats ass they dont even care about phones. There are probably 1 phone for every 2 inmates here
HH
03:08
I've personally seen 2 broken scores not board swaps. They won't let me video
D
03:08
Don
In reply to this message
Where did he go? I have people at every prison in the system. I can get word to him
HH
03:09
Halfredo Hernandez
In reply to this message
I think he went home but I can confirm tomorrow. He did my mp3
β€
O
D
03:10
Don
In reply to this message
Why wouldn't they? That makes no sense. Dont take it the wrong way I am not accusing you of anything I just have been down a long time and seen this many times, it always ends up being b.s. in the end. One guy here convinced everyone he had it broken, took 500 a pop and checked in
HH
03:11
Halfredo Hernandez
In reply to this message
I understand I would be skeptical also. I've been down 15. I didn't believe anyone at all until I saw it. I guess the only assurance I can give is that I'm not asking for money or claim to know how to do it. I have no reason to lie about it
D
03:11
Don
In reply to this message
Find out, if he is in the free world I am sure he would like to make some money off it
HH
03:12
Halfredo Hernandez
They don't want it on video because both are paranoid
D
03:12
Don
In reply to this message
Again, im not accusing you, but I've seen some sophisticated schemes on these lines. People want to believe
HH
D
03:15
Don
Did the broken scores have to be physically opened? Do you know?
03:15
There may be some goofy debug mode the Chinese folks left in place when they built these. The hardware is made by a company called alps
03:16
Its very hard to get any hard data on intarwebs about the company, but they make all kinds of cheap knockoff tablets and phones
HH
03:16
Halfredo Hernandez
Guess what
03:17
I'm an idiot
03:17
There is already video on this phone of the tablet
03:17
Just saw it hold on
D
03:17
Don
K
HH
03:19
Halfredo Hernandez
03:19
03:19
Ok gotta upload it tomorrow
D
03:19
Don
Does it show that screen
HH
03:19
Halfredo Hernandez
This phone has a broken Sim with very slow upload
D
03:19
Don
With the build and all that
03:20
If you can send a Pic of just that I can find out a lot
HH
03:20
Halfredo Hernandez
To be 100% honest this might be the one they sent back for warranty and it came back jailbroken
D
03:21
Don
I still would like to see that screen
03:21
It might help locate a good rom
HH
03:21
Halfredo Hernandez
I have a video but not enough time to upload tonight
D
03:21
Don
Pic is fine
03:21
Of the build screen
HH
03:21
Halfredo Hernandez
Those are the only 2 pics
D
03:21
Don
Ok
03:21
If you can
03:21
Send that build screen it will help
HH
03:21
Halfredo Hernandez
I'll try more tomorrow
03:21
Got it
03:22
Later
D
03:22
Don
Both on a jailbroken one and the warranty one
03:22
Later
HH
03:22
Halfredo Hernandez
Ok
D
03:23
Don
For the rest of the chat, if anyone can find any tech stuff about the alps manufacturer it may help. My Googling found very little
03:23
It doesn't help that alps is a mountain range too
D
03:28
D
Is there any version of the ruizu fw for the gen2 that doesn't cut off the top portion of the screen?
JS
04:02
John Smith
Has anyone tried to rip the firmware from a deinstitutionalized tablet and put it on a prison tablet.
04:02
If we can install a whole new operating system can we not just install apps that work within the existing OS?
04:02
When we put the tablets into safe mode it does not register that we are plugging unauthorized stuff into it. Has anyone looked into if it's shutting off part of the firmware, and if it is do we think there is a way to then force new firmware into that.
R
JB
04:31
John Blaze
Overview
Based on available information, the "Alps" you're referring to appears to be a Chinese brand or manufacturer associated with low-cost Android tablets, often featuring custom or generic circuit boards (PCBA/PCB assemblies). It's not a single, well-documented multinational corporation like the Japanese Alps Alpine Co., Ltd. (which focuses on components like switches and sensors but has Chinese subsidiaries). Instead, this "Alps" seems to be a generic or OEM-style label used by various Chinese electronics firms for budget tablets sold on platforms like Alibaba or AliExpress. These products are typically produced in regions like Shenzhen, a hub for electronics manufacturing.
Key points:
Primary Focus: Manufacturing and assembly of tablet PCs, including circuit boards (PCBA for Android devices), motherboards, and full tablet units. They often emphasize affordability for markets like education, basic productivity, and media consumption.
Products: Entry-level to mid-range Android tablets (e.g., 7-14 inch screens, quad-core processors like MediaTek MT6735, Android 7-8.1 OS). Examples include the "Alps Pro 14" tablet, which has been noted for exaggerated specs (e.g., advertised as having 16GB RAM and Snapdragon 845 but actually equipped with 1.5GB RAM and a lower-end MediaTek chip).
Reputation: These tablets are budget-oriented (often under $100), but user reports highlight issues like fake specs, poor build quality, and limited support. They're popular in emerging markets but not for high-performance needs.
Company Background
Location and Operations: Likely based in Shenzhen, Guangdong Province, China, or nearby industrial areas. No single flagship company named "Alps" dominates searches, but it's linked to OEM suppliers on platforms like Made-in-China.com and Alibaba. For instance:
Circuit boards for tablets are produced by firms offering multilayer PCBs, SMT assembly, and custom PCBA for Android devices.
Suppliers advertise "Alps tablet from China" with features like 7-inch displays, wireless connectivity, and joystick add-ons for gaming.
History: Emerged in the early 2010s amid China's boom in generic Android hardware. One notable connection is to Shenzhen Yecon Technology Co., Ltd., which supplies tablet circuit boards used in products like North Korea's Samjiyon tablet (a rebranded Chinese device). Yecon's boards are generic and packaged into various brands, including those labeled "Alps MID" (Mobile Internet Device) tablets.
Scale: Small to medium-sized OEM operations. They cater to wholesale buyers, exporting to global markets via e-commerce. No public stock listing or major executives are prominently documented, suggesting it's more of a brand than a structured corporate entity.
Products and Technology
Core Offerings:
Tablet Circuit Boards (PCBA/PCB): Custom-designed for tablets, including single/double-sided boards, LED PCBs, and multilayer assemblies. These support Android OS, with components for displays, batteries, and connectivity (Wi-Fi, Bluetooth).
Full Tablets: Models like Alps Pro series feature IPS screens, front/rear cameras, and expandable storage. They're often marketed for kids' education or basic browsing.
Specs Example (Alps Pro 14):
Advertised: Android 12, 16GB RAM, Snapdragon 845.
Actual: Android 7 (Nougat), 1.5GB RAM, MediaTek MT6735 (quad-core, Mali-T720 GPU), 32-bit ARM architecture.
Price: Around $50-80 wholesale.
Manufacturing Process: Involves PCB prototyping, SMT/DIP assembly, and testing. Suppliers like those on Made-in-China.com offer OEM/ODM services, with certifications like ISO13485 for quality.
Market Position and Challenges
Strengths: Low cost, quick customization, and wide availability. Ideal for bulk orders in developing regions.
Challenges: Frequent complaints about misleading marketing (e.g., fake specs leading to poor performance). Limited after-sales support, and devices may boot with pre-setup software, raising privacy concerns.
Based on available information, the "Alps" you're referring to appears to be a Chinese brand or manufacturer associated with low-cost Android tablets, often featuring custom or generic circuit boards (PCBA/PCB assemblies). It's not a single, well-documented multinational corporation like the Japanese Alps Alpine Co., Ltd. (which focuses on components like switches and sensors but has Chinese subsidiaries). Instead, this "Alps" seems to be a generic or OEM-style label used by various Chinese electronics firms for budget tablets sold on platforms like Alibaba or AliExpress. These products are typically produced in regions like Shenzhen, a hub for electronics manufacturing.
Key points:
Primary Focus: Manufacturing and assembly of tablet PCs, including circuit boards (PCBA for Android devices), motherboards, and full tablet units. They often emphasize affordability for markets like education, basic productivity, and media consumption.
Products: Entry-level to mid-range Android tablets (e.g., 7-14 inch screens, quad-core processors like MediaTek MT6735, Android 7-8.1 OS). Examples include the "Alps Pro 14" tablet, which has been noted for exaggerated specs (e.g., advertised as having 16GB RAM and Snapdragon 845 but actually equipped with 1.5GB RAM and a lower-end MediaTek chip).
Reputation: These tablets are budget-oriented (often under $100), but user reports highlight issues like fake specs, poor build quality, and limited support. They're popular in emerging markets but not for high-performance needs.
Company Background
Location and Operations: Likely based in Shenzhen, Guangdong Province, China, or nearby industrial areas. No single flagship company named "Alps" dominates searches, but it's linked to OEM suppliers on platforms like Made-in-China.com and Alibaba. For instance:
Circuit boards for tablets are produced by firms offering multilayer PCBs, SMT assembly, and custom PCBA for Android devices.
Suppliers advertise "Alps tablet from China" with features like 7-inch displays, wireless connectivity, and joystick add-ons for gaming.
History: Emerged in the early 2010s amid China's boom in generic Android hardware. One notable connection is to Shenzhen Yecon Technology Co., Ltd., which supplies tablet circuit boards used in products like North Korea's Samjiyon tablet (a rebranded Chinese device). Yecon's boards are generic and packaged into various brands, including those labeled "Alps MID" (Mobile Internet Device) tablets.
Scale: Small to medium-sized OEM operations. They cater to wholesale buyers, exporting to global markets via e-commerce. No public stock listing or major executives are prominently documented, suggesting it's more of a brand than a structured corporate entity.
Products and Technology
Core Offerings:
Tablet Circuit Boards (PCBA/PCB): Custom-designed for tablets, including single/double-sided boards, LED PCBs, and multilayer assemblies. These support Android OS, with components for displays, batteries, and connectivity (Wi-Fi, Bluetooth).
Full Tablets: Models like Alps Pro series feature IPS screens, front/rear cameras, and expandable storage. They're often marketed for kids' education or basic browsing.
Specs Example (Alps Pro 14):
Advertised: Android 12, 16GB RAM, Snapdragon 845.
Actual: Android 7 (Nougat), 1.5GB RAM, MediaTek MT6735 (quad-core, Mali-T720 GPU), 32-bit ARM architecture.
Price: Around $50-80 wholesale.
Manufacturing Process: Involves PCB prototyping, SMT/DIP assembly, and testing. Suppliers like those on Made-in-China.com offer OEM/ODM services, with certifications like ISO13485 for quality.
Market Position and Challenges
Strengths: Low cost, quick customization, and wide availability. Ideal for bulk orders in developing regions.
Challenges: Frequent complaints about misleading marketing (e.g., fake specs leading to poor performance). Limited after-sales support, and devices may boot with pre-setup software, raising privacy concerns.
04:31
Competitors: Other Chinese brands like Chuwi, Teclast, or generic PCBA makers (e.g., PCBWay, Shenzhen Okey Circuit).
Where to Learn More or Buy
Check Alibaba or Made-in-China.com for suppliers (search "Alps tablet PCBA").
For user experiences: Forums like XDA Developers discuss rooting and custom ROMs for Alps tablets.
If this isn't the exact "Alps" you meant (e.g., if it's Dalian Alps Electronics, a separate component maker), provide more details like a website or product name for deeper digging!
If you'd like me to analyze a specific product image, post, or supplier site, just share the link.
Where to Learn More or Buy
Check Alibaba or Made-in-China.com for suppliers (search "Alps tablet PCBA").
For user experiences: Forums like XDA Developers discuss rooting and custom ROMs for Alps tablets.
If this isn't the exact "Alps" you meant (e.g., if it's Dalian Alps Electronics, a separate component maker), provide more details like a website or product name for deeper digging!
If you'd like me to analyze a specific product image, post, or supplier site, just share the link.
04:33
Website and Contact Information for "Alps" Chinese Tablet Manufacturer
Based on extensive searches, there isn't a single, prominent Chinese company explicitly named "Alps" with an official standalone website dedicated to budget Android tablets and PCBA (printed circuit board assemblies). This "Alps" appears to be a generic or white-label brand used by various Shenzhen-based OEM/ODM manufacturers for low-cost tablets (like the Alps Pro 14), often sold via e-commerce platforms. These are typically produced by anonymous or small-scale factories in Shenzhen's electronics hubs, focusing on bulk exports without heavy branding or public-facing sites.
That said, here's what I found for sourcing, suppliers, and contacts related to Alps-labeled tablets and circuit boards:
Primary Platforms for Sourcing Alps Tablets and PCBA
Alibaba.com: Multiple listings for "Alps Tablet from China" and "Alps Tablet Android." These are wholesale pages from verified suppliers offering OEM tablets with PCBA components. No direct company site, but you can contact sellers via the platform.
Example: Search for "Alps tablet PCBA" yields suppliers like Shenzhen-based exporters offering quad-core Android boards for $10β30/unit (MOQ 500+).
Contact: Use Alibaba's messaging system; typical response time 1β24 hours. Trade Assurance protects payments.
Made-in-China.com: Similar wholesale hub with "Alps phone" and tablet listings, often linking to PCBA for tablets.
Example: Suppliers advertise custom Alps-branded tablets with MediaTek processors.
Contact: Platform chat or email templates provided per listing.
Potential Linked Manufacturers in Shenzhen
Several Shenzhen companies produce similar budget tablets and could be behind "Alps" branding (based on product matches like 7β14" Android devices with MT6735 chips). Here's the most relevant with direct contacts:
Shenzhen Byelecs Technology Co., Ltd. (Specializes in OEM tablet PCs, phone-call tablets, and PCBA; matches Alps Pro specs closely)
Website: www.tabletpc-factory.com
Phone: +86-755-29357029
Mobile: +86 18038005728
Email: sales@byelecs.com
Address: 3/F, Building A, Hongwan Science Park, Fuyong Street, Bao'an District, Shenzhen, Guangdong, China
Notes: 12+ years in Android tablets; offers custom PCBA assembly. Inquire about "Alps Pro" for confirmation.
Shenzhen Telconn Technology Co., Ltd. (Tablet PC and smart device OEM, including kids' educational tablets akin to Alps models)
Website: telconn.en.made-in-china.com
Phone: +86-755-23701536 (from product pages)
Email: sales@telconn.com.cn (general inquiry)
Address: 5/F, Building 2, Longcheng Industrial Park, Longhua District, Shenzhen, Guangdong, China
Notes: Focuses on Android 13+ tablets with 2β8GB RAM options; PCBA customization available.
Shenzhen Shengle Digital Technology Co., Ltd. (OEM tablets and laptops; 50,000+ units/month capacity)
Website: shengle.manufacturer.globalsources.com
Phone: +86-755-23726688
Email: info@shengledigital.com
Address: 4/F, Building A, No. 1, Longbi Industrial Zone, Bantian Street, Longgang District, Shenzhen, Guangdong, China
Notes: ISO 9001 certified; exports to Europe/Asia. Good for bulk PCBA orders.
APEC Electronics Co., Ltd. (Wholesaler of generic Chinese tablets, including Alps-like models)
Website: szapec.en.made-in-china.com or www.szapec.com/en/
Phone: +86-755-27886666
Email: sales@szapec.com
Address: Room 201, Block B, Hongli Chengshi Shangu, Hongli Road, Futian District, Shenzhen, Guangdong, China
Notes: Handles rebranded tablets; contact for Alps-specific stock.
Other Notes
No Official "Alps" Site: Searches often redirect to the Japanese Alps Alpine (alpsalpine.com), which makes components (e.g., sensors) but not full consumer tablets. Their China contacts (e.g., ALPS ALPINE (CHINA) CO., LTD. in Shanghai) are irrelevant here.
Based on extensive searches, there isn't a single, prominent Chinese company explicitly named "Alps" with an official standalone website dedicated to budget Android tablets and PCBA (printed circuit board assemblies). This "Alps" appears to be a generic or white-label brand used by various Shenzhen-based OEM/ODM manufacturers for low-cost tablets (like the Alps Pro 14), often sold via e-commerce platforms. These are typically produced by anonymous or small-scale factories in Shenzhen's electronics hubs, focusing on bulk exports without heavy branding or public-facing sites.
That said, here's what I found for sourcing, suppliers, and contacts related to Alps-labeled tablets and circuit boards:
Primary Platforms for Sourcing Alps Tablets and PCBA
Alibaba.com: Multiple listings for "Alps Tablet from China" and "Alps Tablet Android." These are wholesale pages from verified suppliers offering OEM tablets with PCBA components. No direct company site, but you can contact sellers via the platform.
Example: Search for "Alps tablet PCBA" yields suppliers like Shenzhen-based exporters offering quad-core Android boards for $10β30/unit (MOQ 500+).
Contact: Use Alibaba's messaging system; typical response time 1β24 hours. Trade Assurance protects payments.
Made-in-China.com: Similar wholesale hub with "Alps phone" and tablet listings, often linking to PCBA for tablets.
Example: Suppliers advertise custom Alps-branded tablets with MediaTek processors.
Contact: Platform chat or email templates provided per listing.
Potential Linked Manufacturers in Shenzhen
Several Shenzhen companies produce similar budget tablets and could be behind "Alps" branding (based on product matches like 7β14" Android devices with MT6735 chips). Here's the most relevant with direct contacts:
Shenzhen Byelecs Technology Co., Ltd. (Specializes in OEM tablet PCs, phone-call tablets, and PCBA; matches Alps Pro specs closely)
Website: www.tabletpc-factory.com
Phone: +86-755-29357029
Mobile: +86 18038005728
Email: sales@byelecs.com
Address: 3/F, Building A, Hongwan Science Park, Fuyong Street, Bao'an District, Shenzhen, Guangdong, China
Notes: 12+ years in Android tablets; offers custom PCBA assembly. Inquire about "Alps Pro" for confirmation.
Shenzhen Telconn Technology Co., Ltd. (Tablet PC and smart device OEM, including kids' educational tablets akin to Alps models)
Website: telconn.en.made-in-china.com
Phone: +86-755-23701536 (from product pages)
Email: sales@telconn.com.cn (general inquiry)
Address: 5/F, Building 2, Longcheng Industrial Park, Longhua District, Shenzhen, Guangdong, China
Notes: Focuses on Android 13+ tablets with 2β8GB RAM options; PCBA customization available.
Shenzhen Shengle Digital Technology Co., Ltd. (OEM tablets and laptops; 50,000+ units/month capacity)
Website: shengle.manufacturer.globalsources.com
Phone: +86-755-23726688
Email: info@shengledigital.com
Address: 4/F, Building A, No. 1, Longbi Industrial Zone, Bantian Street, Longgang District, Shenzhen, Guangdong, China
Notes: ISO 9001 certified; exports to Europe/Asia. Good for bulk PCBA orders.
APEC Electronics Co., Ltd. (Wholesaler of generic Chinese tablets, including Alps-like models)
Website: szapec.en.made-in-china.com or www.szapec.com/en/
Phone: +86-755-27886666
Email: sales@szapec.com
Address: Room 201, Block B, Hongli Chengshi Shangu, Hongli Road, Futian District, Shenzhen, Guangdong, China
Notes: Handles rebranded tablets; contact for Alps-specific stock.
Other Notes
No Official "Alps" Site: Searches often redirect to the Japanese Alps Alpine (alpsalpine.com), which makes components (e.g., sensors) but not full consumer tablets. Their China contacts (e.g., ALPS ALPINE (CHINA) CO., LTD. in Shanghai) are irrelevant here.
04:33
User Experiences: On forums like XDA Developers, buyers of Alps Pro tablets report purchasing via AliExpress without direct manufacturer support. Rooting/custom ROMs are common due to spec discrepancies.
Recommendations: Start with Alibaba or the above sites for quotes. For PCBA specifically, specify "Android tablet motherboard MT6735" to match Alps hardware. Expect MOQs of 100β1,000 units; samples cost $20β50.
Verification Tip: Request factory videos or SGS audits before ordering, as budget Chinese OEMs vary in quality.
Recommendations: Start with Alibaba or the above sites for quotes. For PCBA specifically, specify "Android tablet motherboard MT6735" to match Alps hardware. Expect MOQs of 100β1,000 units; samples cost $20β50.
Verification Tip: Request factory videos or SGS audits before ordering, as budget Chinese OEMs vary in quality.
04:34
So maybe we can start with these companies and try to run down something
D
05:37
D
When I was at Seagoville, we tracked down the company in China. Despite several attempts, nobody there would leak anything.
05:41
As for ROMs, AOSP would work because the tablets are new enough to run Project Treble. This means the hardware drivers are on the system partition, but can be used with any version of Android from 8 onwards without any rebuilding. The critical issue is the secure boot. As long as the bootloader is locked, you cannot replace anything on the tablet's drive that isn't signed by ATG.
05:43
This is why I have been focusing on directly writing to the eMMC. The esgejas system app receives all kiosk commands and simply writes changes to config files on the device. If you can make those changes yourself, while the tablet is offline, they simply take effect when it next boots.
05:44
Also, having seen the settings, the SD card pin-outs won't work because the SD is disabled via settings. Once you can change the settings though, you won't need it as a vector for attack.
05:48
The alternative, which I will also explore in the next couple of months after my release, is to image a tablet before sending it off to have it deinstitutionalized, and then imaging it again after it comes back. This way, I can detect differences in the partitions, filesystem, and settings. This way, I can make those arbitrary changes to tablets for folks who haven't been released.
05:48
But I only have sporadic access where I am now, and do not have any of the equipment I had at my last spot to do read/write changes to the tablets.
05:49
I periodically post link to what I was able to grab though.
05:50
There are full system images and some unpacked code for both the kiosks and the tablet control apps on there.
05:51
We know what the tablet and kiosk do when they talk, including when a tablet is synced. I was just shipped to a place where drones don't seem to fly before I was able to replicate it.
GG
06:02
Any one seen this before
D
06:19
D
No, but looks like the 7t has just been made into an amp or battery pack. Some still shots of a 7t with extra wires inside isn't inspiring much confidence.
GG
06:20
Gino Green
Yes but they said they an un lock them ..I call BS but still sent a message to see what they say ππ
D
06:20
D
Well, keep us updated. I highly doubt they're legit.
GG
06:21
Gino Green
Yes I doubt it too but I'll see what they say
D
06:54
D
$$$ says they will want to remote into the tablet ππ
GG
06:54
Gino Green
πππ
06:54
We shall see
Da Accountant removed Da Accountant
JS
14:21
John Smith
Hey guys I put that mp3 firmware on here Friday. Here's what I've been able to dig up in regards to a converter. Have not tried it myself but someone loyal to our cause said it works pretty well. FTF
As far as AMV converting go there's an app called ffmpeg media encoder. It's free. select your output file as .AMV
Then below go to the template and go to blank. Rename it AMV
Then paste in the template box
-c:v amv -c:a adpcm_ima_amv -pix_fmt yuvj420p -vstrict -1 -s 128x72 -ac 1 -ar 22050 -qmin 3 -qmax 3 -r 15 -block_size 1470
As far as AMV converting go there's an app called ffmpeg media encoder. It's free. select your output file as .AMV
Then below go to the template and go to blank. Rename it AMV
Then paste in the template box
-c:v amv -c:a adpcm_ima_amv -pix_fmt yuvj420p -vstrict -1 -s 128x72 -ac 1 -ar 22050 -qmin 3 -qmax 3 -r 15 -block_size 1470
JS
14:40
John Smith
Also checked hackmantech. Whitehatservice1 and supernaturalhackers all seem like scams
14:40
They want u to pay and will remotely break tablets
D
15:04
In reply to this message
The Chinese manufacturer would definitely have the hardware signing key. I know it isnt the same as the kiosk key
15:05
But if we can get the hardware key from alps and possibly any debug tool or driver they might have should be able to write to the device
15:05
Knowing China the key is probably not unique to atg
15:06
If there really is a real hack out there attacking through alps is probably how it came to fruition
15:06
China will sell any data for a buck
JS
18:31
John Smith
Not sure if anyone has tried different swipes or things in certain apps but I do know that if u download the game traffic escape and swipe around on ur screen u open up the developer info screen
18:34
Deleted Account
Tried using the phone as an accessory keyboard to the tablet. Made an app that was trying to send commands to trigger different system calls. Nothing worked.
JS
18:43
John Smith
Of course. This is a very specific and well-known issue in the Android and enterprise mobility world. You're absolutely correct that the core of the problem is a security change Google introduced, but there are ways to work around it.
The "USB block" you're referring to is most likely a combination of two key Android 10+ features:
1. USB Restricted Mode: This feature, designed to prevent brute-force attacks on a locked device, can sometimes interfere with legitimate USB communications, especially if the device is locked or the connection isn't explicitly authorized by the user.
2. Enhanced Security & Permissions: Android became much stricter about which apps can access USB devices, requiring explicit user grants and specific intents.
Here are the methods to get around this, from the most common and recommended to more advanced solutions.
Method 1: The Most Likely Fix (Developer Options & USB Configuration)
This solves the issue in the vast majority of cases where the tablet is not being detected at all.
1. Enable Developer Options on your Android 10 Phone:
Β· Go to Settings > About Phone.
Β· Tap on Build Number 7 times quickly. You will see a message saying "You are now a developer!"
2. Change the Default USB Configuration:
Β· Go back to Settings (now you'll see Developer Options listed, usually under System).
Β· Open Developer Options.
Β· Scroll down to the Networking section.
Β· Find the setting called Default USB configuration or Select USB Configuration.
Β· Tap on it and change it from Charging to File Transfer (MTP) or PTP (Camera). MTP is the most common choice for this purpose.
3. Physical Reconnection:
Β· Unplug the USB cable from both devices.
Β· Unlock your Android phone (very important - USB Restricted Mode is most active when the phone is locked).
Β· Plug the cable back into both devices.
Β· You should now get a notification on your phone asking for permission to allow the connected device to access your phone. Tap "Allow". You may also check "Always allow for this device" if you plan to do this frequently.
Why this works: This setting forces the phone to actively look for a data connection as soon as the cable is plugged in, rather than defaulting to a "charge-only" mode which can be more restrictive.
---
Method 2: For Advanced Use (Disable USB Restricted Mode - Use with Caution)
If the above doesn't work, the issue might be related to USB Restricted Mode specifically. This mode temporarily disables USB data signals after the device has been locked for a while.
Warning: Disabling this lowers a security barrier on your phone. Only do this if you trust the physical security of your device and you absolutely need the connection to work.
1. Ensure Developer Options are enabled (as in Method 1).
2. In Developer Options, scroll down and look for "Disable USB audio routing" or a setting specifically named "USB Restricted Mode" (the exact name can vary by manufacturer).
3. Toggle this setting OFF to disable the restriction.
---
Method 3: The Enterprise/Professional Solution (for a Honeywell Device)
Since the Keefe Score7c is a Honeywell (now Zebra) enterprise tablet, the issue might be on the tablet's side. Enterprise devices are often locked down by management software (e.g., Honeywell's EMDK, StageNow, or a Mobile Device Management (MDM) tool like SOTI, VMware, etc.).
Β· Check the Tablet's USB Settings: The tablet itself might be configured to only charge, or its USB port might be locked to a specific function (e.g., host mode for peripherals). You may need to access its settings or use a provisioning tool (like StageNow) to create a profile that sets the correct USB mode.
Β· Purpose of the Connection: What are you trying to do?
Β· File Transfer? Use MTP as in Method 1.
Β· Debugging an App? You need to enable USB Debugging in the Developer Options on both the phone and the tablet and grant the computer's RSA key fingerprint.
β€
The "USB block" you're referring to is most likely a combination of two key Android 10+ features:
1. USB Restricted Mode: This feature, designed to prevent brute-force attacks on a locked device, can sometimes interfere with legitimate USB communications, especially if the device is locked or the connection isn't explicitly authorized by the user.
2. Enhanced Security & Permissions: Android became much stricter about which apps can access USB devices, requiring explicit user grants and specific intents.
Here are the methods to get around this, from the most common and recommended to more advanced solutions.
Method 1: The Most Likely Fix (Developer Options & USB Configuration)
This solves the issue in the vast majority of cases where the tablet is not being detected at all.
1. Enable Developer Options on your Android 10 Phone:
Β· Go to Settings > About Phone.
Β· Tap on Build Number 7 times quickly. You will see a message saying "You are now a developer!"
2. Change the Default USB Configuration:
Β· Go back to Settings (now you'll see Developer Options listed, usually under System).
Β· Open Developer Options.
Β· Scroll down to the Networking section.
Β· Find the setting called Default USB configuration or Select USB Configuration.
Β· Tap on it and change it from Charging to File Transfer (MTP) or PTP (Camera). MTP is the most common choice for this purpose.
3. Physical Reconnection:
Β· Unplug the USB cable from both devices.
Β· Unlock your Android phone (very important - USB Restricted Mode is most active when the phone is locked).
Β· Plug the cable back into both devices.
Β· You should now get a notification on your phone asking for permission to allow the connected device to access your phone. Tap "Allow". You may also check "Always allow for this device" if you plan to do this frequently.
Why this works: This setting forces the phone to actively look for a data connection as soon as the cable is plugged in, rather than defaulting to a "charge-only" mode which can be more restrictive.
---
Method 2: For Advanced Use (Disable USB Restricted Mode - Use with Caution)
If the above doesn't work, the issue might be related to USB Restricted Mode specifically. This mode temporarily disables USB data signals after the device has been locked for a while.
Warning: Disabling this lowers a security barrier on your phone. Only do this if you trust the physical security of your device and you absolutely need the connection to work.
1. Ensure Developer Options are enabled (as in Method 1).
2. In Developer Options, scroll down and look for "Disable USB audio routing" or a setting specifically named "USB Restricted Mode" (the exact name can vary by manufacturer).
3. Toggle this setting OFF to disable the restriction.
---
Method 3: The Enterprise/Professional Solution (for a Honeywell Device)
Since the Keefe Score7c is a Honeywell (now Zebra) enterprise tablet, the issue might be on the tablet's side. Enterprise devices are often locked down by management software (e.g., Honeywell's EMDK, StageNow, or a Mobile Device Management (MDM) tool like SOTI, VMware, etc.).
Β· Check the Tablet's USB Settings: The tablet itself might be configured to only charge, or its USB port might be locked to a specific function (e.g., host mode for peripherals). You may need to access its settings or use a provisioning tool (like StageNow) to create a profile that sets the correct USB mode.
Β· Purpose of the Connection: What are you trying to do?
Β· File Transfer? Use MTP as in Method 1.
Β· Debugging an App? You need to enable USB Debugging in the Developer Options on both the phone and the tablet and grant the computer's RSA key fingerprint.
GA
18:43
Β· Using the tablet as a peripheral (like a barcode scanner)? This requires the tablet to be in "USB Host" mode and the phone to be the "accessory." This is a more complex setup often handled by a custom Android application using the USB Manager API.
---
Summary and Step-by-Step Checklist:
1. Unlock Your Phone: Always have your phone unlocked before connecting.
2. Try a Different Cable: Use a high-quality, known-good USB cable that supports data transfer (many cheap cables are for charging only).
3. Enable Developer Options on your Android 10 phone.
4. Change "Default USB Configuration" to MTP (File Transfer).
5. Plug in the USB cable. Look for the permission prompt on your phone and tap "Allow".
6. (If applicable) Check for similar settings on the Keefe Score7c tablet (you may need admin access to its developer options or management console).
7. (If developing an app) Ensure your application has the correct <intent-filter> and <meta-data> in its AndroidManifest.xml to handle USB connections and has explicitly requested USB permission at runtime.
Start with Method 1. It resolves the detection issue for most users. If you are in an enterprise environment and that fails, your IT department or the system integrator who manages the Score7c tablets should be consulted, as the solution likely involves configuring the enterprise device itself.
---
Summary and Step-by-Step Checklist:
1. Unlock Your Phone: Always have your phone unlocked before connecting.
2. Try a Different Cable: Use a high-quality, known-good USB cable that supports data transfer (many cheap cables are for charging only).
3. Enable Developer Options on your Android 10 phone.
4. Change "Default USB Configuration" to MTP (File Transfer).
5. Plug in the USB cable. Look for the permission prompt on your phone and tap "Allow".
6. (If applicable) Check for similar settings on the Keefe Score7c tablet (you may need admin access to its developer options or management console).
7. (If developing an app) Ensure your application has the correct <intent-filter> and <meta-data> in its AndroidManifest.xml to handle USB connections and has explicitly requested USB permission at runtime.
Start with Method 1. It resolves the detection issue for most users. If you are in an enterprise environment and that fails, your IT department or the system integrator who manages the Score7c tablets should be consulted, as the solution likely involves configuring the enterprise device itself.
18:44
I'm finding deepseek will answer damn near everything as long as u frame it as research
D
22:17
Don
It is hallucinating that the Keefe is a Honeywell tablet
22:18
Plus the usb stuff it's talking about isn't really applicable here. Dev tools is disabled in the Keefe firmware
22:19
If we could get code to execute some how the mediatek chip has privilege escalation vulnerabilities
22:20
But i haven't seen anything that would allow anything like that
JB
23:10
John Blaze
S
Shag 21.09.2025 22:59:19
CD
23:10
23:10
23:10
That he wants 600
23:10
You need to open the tablet and short a component
23:10
23:10
23:10
JB
23:11
John Blaze
Here goes aspiring wino trying to scam someone again
23:11
Scum bag
23:13
This dude shag wants in the group but I told em its not for me to say.
Y'all want em.
Y'all want em.
23:17
23:19
Idk y'all maybe I'm just suspicious by nature but this statement make me think he's a cop fishing
JB
23:19
John Blaze
S
Shag 21.09.2025 23:17:56
Ight. I guess I'll get back to decompiling the tru-lincs software. I'm hoping to find the handshake there
23:19
But it seems like it's handed over the modem
JB
23:23
John Blaze
S
Shag 21.09.2025 23:22:21
I was having GrokAI help me analyze the files and it pointed out that test keys were enabled and that it might lead to a backdoor. But I lost all that research with the other jack when it got hit
D
23:28
Don
I wish I understood encryption better
23:29
I have been coding since the 80s but I've been locked up so long I missed a lot of the crypt stuff
Ohhmonky joined group by link from Group
D
23:29
Don
In my day md5 was high falutin
23:30
π
JB
23:35
John Blaze
Yeah the future is rough. Where are you running into the wall?
D
JB
23:42
John Blaze
Yo should I let this guy in
JB
23:42
John Blaze
S
Shag 21.09.2025 23:38:38
D
23:43
He knows enough to disassemble the binaries
JB
23:43
John Blaze
Unless he's a cop
D
23:43
Don
Switzerland and I did that already tho
23:44
And that's how we know the key is stored remotely
23:44
I haven't met any cops that have much clue on coding
JB
23:44
John Blaze
I think everyone is a cop until proven otherwise
D
23:45
Don
Should be okay I did something similar
23:46
We looked through the caching server too
23:46
But the key is never there
23:46
It does a web rpc call to a remote server and passes the tablet auth data to be signed
23:46
Which is actually a pretty secure design unfortunately
β€
TT
S
GG
D
23:56
Don
Anyone offering a potential hack, tell them to show you the about screen of a broken tablet with the software version and so forth. Post it here and I can verify it. One of the ones posted the other day had the manufacturer code of apple iPhone (obviously faked)
β€
HH
S
S
22 September 2025
GG
00:06
Gino Green
Oh ok well I'm just taking any bets I hear about saying so and so can unlock them for a few..I call the bluff and never hear back from no one
00:07
Here where I'm at some guy has been going around saying some one knows how to unlock the tablets and wants 20k for the program to do it ππ
JB
HH
02:13
Halfredo Hernandez
In reply to this message
I have a much better, efficient, termux script for amv conversions that makes the videos much clearer and is better than the ffmpeg gui app. If anyone is interested I'll send it
02:23
In reply to this message
There is a jailbroken tablet here. I'm working on getting the about screen with software version. This one is no scam. I posted 2 blurry photos of it yesterday and there is also a video but unfortunately my upload speed is 128kbit/s due to bad Sim card
JB
HH
02:47
87 employees with possible information
GG
R
03:50
Ryan
Aspiring wino and anyone with Whitehat in their name are scammers. For anyone who hasn't heard.
Ryan pinned this message
HH
03:54
TT
04:12
Terry Thompson V 2.0
In reply to this message
So shag is saying he is TopHopn? Or am I not reading this right. And what score 7 c group on hackforums? There is a post called official score 7c but that's just the name some names the post ain't nothing official about it and there ain't no group.
D
05:08
D
In reply to this message
That's at least a legit charging port and not a board swap, from what I can tell.
05:10
The Indigi tablets used a Mini USB, not USB-C. And that's USB-C. Though, maybe there's a other board that swap capable?
05:11
In reply to this message
Hank, when the tablet boots, is there a warning about the bootloader being unlocked?
HH
18:07
Halfredo Hernandez
For what it's worth, this is the info from the score 7t via the traffic escape game developer menu:
Build from apple's MacBook pro at 19-09-2024
Alps 711 handheld <unknown>
Mali-g52 mc2 512 8192
Screen width 600 height 1024
1954mb (ram?)
Android os 10 / api-29 (qp1a.190711.020/1730326596)
Also shows date and time and the amount of time the app has been open and the storage path for game logs
β€
Build from apple's MacBook pro at 19-09-2024
Alps 711 handheld <unknown>
Mali-g52 mc2 512 8192
Screen width 600 height 1024
1954mb (ram?)
Android os 10 / api-29 (qp1a.190711.020/1730326596)
Also shows date and time and the amount of time the app has been open and the storage path for game logs
T
18:13
Yes, the provided information is useful for determining whether a tablet can be jailbroken or flashed with a custom ROM. Here's a breakdown of what each piece of information means and why it's relevant.
Device Manufacturer and Model: "Alps 711 handheld"
The term "Alps" often refers to a generic manufacturer of Android devices, not a major brand like Samsung or Google. This is a significant piece of information because generic devices often have less stringent security measures, which can make them easier to modify.
The specific model name, "711 handheld," is the starting point for any search for exploits, custom ROMs, or rooting guides. Finding community support on forums like XDA Developers is crucial, as people who own the same device will share their experiences with rooting and flashing. Since it is a more obscure device, it is less likely to have a dedicated community, but not impossible.
Graphics Processor: "Mali-g52 mc2"
The Mali-G52 MC2 is a graphics processing unit (GPU) from Arm. While it is not directly related to the process of rooting or flashing a new ROM, it provides a strong clue about the SoC (System on a Chip).
This GPU is commonly found in mid-range MediaTek or Spreadtrum processors. Knowing the specific SoC is the next critical step for finding a custom ROM, as ROMs are built for a specific SoC, not just a device model. For example, a device with a MediaTek Helio G80 will likely share a custom ROM with other devices that have the same chip, even if they are different brands.
Operating System: "Android OS 10 / API-29"
This is the most critical piece of information. The Android 10 version and API level 29 dictate what security measures are in place. Newer Android versions have more robust security features, which makes it more difficult to find universal rooting methods or exploits that work on a wide range of devices.
However, specific vulnerabilities for Android 10 may exist. Researchers and developers often discover and publish exploits for older Android versions that can be used to gain root access. This specific API level narrows down the search for potential exploits.
Device Manufacturer and Model: "Alps 711 handheld"
The term "Alps" often refers to a generic manufacturer of Android devices, not a major brand like Samsung or Google. This is a significant piece of information because generic devices often have less stringent security measures, which can make them easier to modify.
The specific model name, "711 handheld," is the starting point for any search for exploits, custom ROMs, or rooting guides. Finding community support on forums like XDA Developers is crucial, as people who own the same device will share their experiences with rooting and flashing. Since it is a more obscure device, it is less likely to have a dedicated community, but not impossible.
Graphics Processor: "Mali-g52 mc2"
The Mali-G52 MC2 is a graphics processing unit (GPU) from Arm. While it is not directly related to the process of rooting or flashing a new ROM, it provides a strong clue about the SoC (System on a Chip).
This GPU is commonly found in mid-range MediaTek or Spreadtrum processors. Knowing the specific SoC is the next critical step for finding a custom ROM, as ROMs are built for a specific SoC, not just a device model. For example, a device with a MediaTek Helio G80 will likely share a custom ROM with other devices that have the same chip, even if they are different brands.
Operating System: "Android OS 10 / API-29"
This is the most critical piece of information. The Android 10 version and API level 29 dictate what security measures are in place. Newer Android versions have more robust security features, which makes it more difficult to find universal rooting methods or exploits that work on a wide range of devices.
However, specific vulnerabilities for Android 10 may exist. Researchers and developers often discover and publish exploits for older Android versions that can be used to gain root access. This specific API level narrows down the search for potential exploits.
23 September 2025
D
02:11
Drew
In reply to this message
I talked to the guy he's one of the people who said he can remote hack them.
02:19
In reply to this message
Id definitely be interested in a better picture on the mp3s of you don't mind sharing
GG
D
02:25
Drew
Yeah I talked to white hat and pretty much all of them in TikTok there all scammers.
GG
HH
HH
24 September 2025
D
04:19
D
In reply to this message
This means that whatever firmware they flashed has been signed using the same hardware key ATG uses. This leads credence to the idea that the Chinese company has reused the same key for multiple platforms.
04:22
If someone has contact the company, and ordered some demo models, the company may have provided the same key for signing the demo ROMs that they provided to ATG. That would explain how someone got the hardware key.
04:23
If they then had a way to get the device in BROM mode, they could flash the tablet that way.
J
04:23
Jammer
Are the hardware keuys not in the link
04:24
Why brom use fastboot?
04:25
We've got the sys.IMG vender .IMG and boot .img,ect
D
04:25
D
Fastboot is disabled in all Score7 models since around early 2023.
04:26
In reply to this message
We have the ones from a locked tablet, yes. But not ones from an unlocked tablet. Also, if we built our own, we would have to sign those with the proper key, and the key is not on the tablet anywhere.
04:26
There are some default encryption keys, but not a hardware signing key.
GG
04:27
Gino Green
Any one know why some tablets don't have the serial number on the front screen??
J
04:28
Jammer
Can't you put the firmware in android studio one remove locks add apps resign and flash
D
04:28
D
In reply to this message
That update wasn't pushed to all tablets. Their update policy is very strange.
GG
04:29
Gino Green
Ok cus mine is a 7t and it don't have it but guys with the 7c have it
D
04:29
D
In reply to this message
You could, but the key you would use to sign the new images wouldn't match the one burned into the tablet's CPU, and it would fail to boot.
J
04:30
Jammer
What about flash recovery twrp
D
04:32
D
Same problem. There are several partitions that are checked against their signature stored in the vbmeta partition. When you flash a new partition, you must sign it, and place the signature in vbmeta. If the signature of the partition doesn't match vbmeta, or if the signature isn't generated using the private signing key burned into the CPU, it will refuse to boot.
π―
D
25 September 2025
D
01:54
Drew
In reply to this message
Speaking of the serial numbers. One guy I know in ft Dix said they told him they could only jailbreak the tablets that didn't have the serial number on it. Other than that he didn't know shit though. Not sure if that's helpful at all
Shag joined group by link from Group
S
11:14
Shag
Thanks for having me. I don't have a ton of information to share off the rip but through what little I have done I think one of our routes is going to be through the use of Test_Keys. Every tablet we see the build number on is signed with Test Keys.
S
13:45
Shag
I have a Cloud Directory of AMV files for the MP3 players if anyone is interested
S
14:08
Shag
Also a bit of info I ripped from another chat group (I think the guy is in this group too though)
Switzerland:
Hardware Compatibility
The SCORE 7c's MT8167 SoC supports MediaTek's BootROM (BROM) protocol, which enables low-level communication through USB even with locked bootloaders3. Unlike Qualcomm EDL mode, BROM doesn't require authorized firehose programmers, making it theoretically exploitable via Android-to-Android connections.
Institutional Restrictions
2024 firmware updates introduced three-tier lockdowns:
GPIO pin grounding disables physical button combinations
Modified init.rc scripts block Developer Options activation
SELinux policies prevent ADB daemon initialization
These require hardware interventions prior to any software-based unlocking attempts:
Resistor Bypass: Bridging test points TP12 and TP17 on the logic board with 10kΞ© resistor restores volume key functionality
eMMC Shunt: Shorting CLK and CMD lines during boot forces permissive SELinux state
Mobile-Centric Unlocking Methodology
Required Components
Component Specification
Secondary Phone Android 13+ with USB-C OTG support
Connection Hardware USB-C to C cable with 56kΞ© CC resistor
Software Stack Termux, MTKClient-ARM64, Bugjaeger Pro
@ShyGristina
β€
Switzerland:
Hardware Compatibility
The SCORE 7c's MT8167 SoC supports MediaTek's BootROM (BROM) protocol, which enables low-level communication through USB even with locked bootloaders3. Unlike Qualcomm EDL mode, BROM doesn't require authorized firehose programmers, making it theoretically exploitable via Android-to-Android connections.
Institutional Restrictions
2024 firmware updates introduced three-tier lockdowns:
GPIO pin grounding disables physical button combinations
Modified init.rc scripts block Developer Options activation
SELinux policies prevent ADB daemon initialization
These require hardware interventions prior to any software-based unlocking attempts:
Resistor Bypass: Bridging test points TP12 and TP17 on the logic board with 10kΞ© resistor restores volume key functionality
eMMC Shunt: Shorting CLK and CMD lines during boot forces permissive SELinux state
Mobile-Centric Unlocking Methodology
Required Components
Component Specification
Secondary Phone Android 13+ with USB-C OTG support
Connection Hardware USB-C to C cable with 56kΞ© CC resistor
Software Stack Termux, MTKClient-ARM64, Bugjaeger Pro
@ShyGristina
TT
S
14:24
Shag
If this helps any?
S
14:40
Shag
I mean a lot of this could be old but I don't know what's been posted/discussed here before
Here is the TWRP build for the mt8167 tablets
https://github.com/falk0069/twrp_score7_mt8167/releases
Here is the TWRP build for the mt8167 tablets
https://github.com/falk0069/twrp_score7_mt8167/releases
26 September 2025
JS
03:08
John Smith
Hey so how would we go about getting a demo tablet? I have a buddy on the street that might be able to help but does not know a ton about this stuff. If u guys can tell me what he's got to do or try I am pretty sure he can do it. He's also not in the states.
D
08:04
D
He would have to contact the company that manufacturs the tablets for ATG, and order some tablets based on the mtk8168. My friend who contacted them before was told they don't do runs less than 1,000 units, but will make a few demo models and ship them before requiring a full order.
08:07
It's Shenzen Ployer Electronics Co., Ltd., or "Ployer" for short.
08:10
In reply to this message
While this might work on the 8168, the tablet running the 8168 will not run this code without the bootloader being unlocked or after having performed a working exploit. If the TWRP image is copied to the Recovery partition, the tablet will refuse to boot. This is because the generic TWRP image is not signed with the private key that matches the public key e-fused into the 8168 CPU.
08:11
If we got the private key (which might be distributed by Player with a demo unit), then we might be able to run TWRP. We would also be able to mod the tablets in more meaningful ways as well.
B
12:22
Bill
I have a jailbroken tablet. I don't know how they are doing it but there is no signature verification so they arent using signing keys. I was able to root my tablet with magisk and modify boot, system, vendor partitions and it boots fine no warnings or block because signature didn't match. The os seems to be this one with some changes in boot.prop to enable WiFi https://sourceforge.net/projects/andyyan-gsi/files/lineage-17.x/
HH
18:57
Halfredo Hernandez
In reply to this message
Gemini told me to try lineage. We have to look into this
D
21:19
Don
Not sure if this helps but lineage is used by atg for something
21:19
There are references to it in the edgejas code
21:20
Maybe its as simple as they are using a signing key that is freely available
21:20
Like some ssl certs use publicly available keys
21:20
If that's the case we just need a flasher that works with a phone. Hexaflash maybe?
21:25
Check out the sourceforge link bill posted
21:26
If you go to the lineage 17 source there is: vndklite: For VNDKLite devices,
21:26
signed: Signed with maintainer's keys
| | | | vndklite: For VNDKLite devices,
| | | | or for writeable /system on regular devices
| | | | personal: With personal mods, for reference
| | | | (secure): Superuser removed and system props spoofed
| | | | (not offered here)
| | | | vndklite: For VNDKLite devices,
| | | | or for writeable /system on regular devices
| | | | personal: With personal mods, for reference
| | | | (secure): Superuser removed and system props spoofed
| | | | (not offered here)
21:28
Vndk is vendor development kit
21:29
vndklite does not have a single "signing key". It is a variant of a Generic System Image (GSI) for Android, and the term "vndklite signing key" can refer to a few different things, depending on the context of the custom ROM being used.
Here's what the signing key could refer to:
A maintainer's signing key: Many GSI versions, including those with a vndklite designation, are built by community developers like Andy Yan or phhusson. In this case, "signed" means it was signed with that particular maintainer's private key. For example, a GSI filename might include the tag -signed, such as arm64_bgN-vndklite-signed.img.gz.
The platform signing key: For developers working on Android at a platform level, the signing key refers to a specific key used to sign the entire operating system and its components.
A debug key: Developers can also generate a local debug key to sign APKs they build outside of the platform build process.
Device-specific keys: Some custom ROMs might require specific keys related to the device manufacturer, but this is less common for GSI variants.
In summary, there is no single "vndklite signing key." If you are looking for a signing key for a specific vndklite ROM, you need to find the one associated with the developer who built it.
Here's what the signing key could refer to:
A maintainer's signing key: Many GSI versions, including those with a vndklite designation, are built by community developers like Andy Yan or phhusson. In this case, "signed" means it was signed with that particular maintainer's private key. For example, a GSI filename might include the tag -signed, such as arm64_bgN-vndklite-signed.img.gz.
The platform signing key: For developers working on Android at a platform level, the signing key refers to a specific key used to sign the entire operating system and its components.
A debug key: Developers can also generate a local debug key to sign APKs they build outside of the platform build process.
Device-specific keys: Some custom ROMs might require specific keys related to the device manufacturer, but this is less common for GSI variants.
In summary, there is no single "vndklite signing key." If you are looking for a signing key for a specific vndklite ROM, you need to find the one associated with the developer who built it.
21:30
So maybe they were using this Andy guy's key?
21:31
Bill can you get a screenshot of your system info page with the build on your hacked tablet?
21:36
Here's the code from my score 7c alps/vnd_tb8168p1_bsp/tb8168p1_bsp
10/QP1A.190711.020/1668098510
10/QP1A.190711.020/1668098510
21:39
This string appears to be a partial or modified Android build fingerprint from your Score 7C tablet (a secure device manufactured by Keefe Group, often used in correctional facilities, with a MediaTek MT8168 chipset). These fingerprints uniquely identify the device's software build, including the hardware platform, Android version, and specific build details. They're commonly found in system properties (e.g., via getprop ro.build.fingerprint in ADB) and help with compatibility checks for apps or updates.Breaking it down part by part:alps: This is the brand identifier. "Alps" is a generic term often used in MediaTek-based Android builds, especially for reference or vendor-specific hardware.
vnd_tb8168p1_bsp: This refers to the product name. "Vnd" likely stands for "vendor," and "tb8168p1_bsp" indicates the Board Support Package (BSP) for the MT8168 chipset. BSPs include drivers and configurations tailored to the hardware.
tb8168p1_bsp: This is the device/board name, again pointing to the MT8168 platform (a quad-core ARM processor commonly used in budget tablets).
10: The Android OS version (Android 10, also known as Android Q).
QP1A.190711.020: This is the build ID."Q" confirms Android 10.
"P1A" refers to the base platform and security patch level.
"190711" is a date code for July 11, 2019 (the base AOSP build this is derived from).
".020" is a minor variant or revision number.
1668098510: This is likely the build's incremental version or timestamp. As a Unix epoch timestamp, it converts to November 10, 2022, at 16:41:50 UTC, which could indicate when this specific firmware version was compiled or released.
The full string is in a format similar to standard Android fingerprints (e.g., brand/product/device:version/id/incremental:type/tags), but it seems abbreviated hereβpossibly copied from a log, settings menu, or diagnostic tool on the device. If it's from a prison-issued tablet, note that these are heavily locked down with custom security features (no fastboot, limited rooting options, and restricted connectivity) to prevent tampering.
vnd_tb8168p1_bsp: This refers to the product name. "Vnd" likely stands for "vendor," and "tb8168p1_bsp" indicates the Board Support Package (BSP) for the MT8168 chipset. BSPs include drivers and configurations tailored to the hardware.
tb8168p1_bsp: This is the device/board name, again pointing to the MT8168 platform (a quad-core ARM processor commonly used in budget tablets).
10: The Android OS version (Android 10, also known as Android Q).
QP1A.190711.020: This is the build ID."Q" confirms Android 10.
"P1A" refers to the base platform and security patch level.
"190711" is a date code for July 11, 2019 (the base AOSP build this is derived from).
".020" is a minor variant or revision number.
1668098510: This is likely the build's incremental version or timestamp. As a Unix epoch timestamp, it converts to November 10, 2022, at 16:41:50 UTC, which could indicate when this specific firmware version was compiled or released.
The full string is in a format similar to standard Android fingerprints (e.g., brand/product/device:version/id/incremental:type/tags), but it seems abbreviated hereβpossibly copied from a log, settings menu, or diagnostic tool on the device. If it's from a prison-issued tablet, note that these are heavily locked down with custom security features (no fastboot, limited rooting options, and restricted connectivity) to prevent tampering.
27 September 2025
JS
02:51
John Smith
Has anyone checked this out. It was posted on the hack forums
οΏΌ
Β βΌ3β°
Jailbreaking, Modding, and RootingβΊscore 7c jailbreak
οΏΌ
Β
score 7c jailbreak
οΏΌ
KcbestfitΒ οΏΌ
[n00b@HF:]
οΏΌ
Posts:
2
Threads:
1
Credibility:
000
Popularity:
0
Ξ²ytes:
Β Ξ²Β 11
Game XP:
0
Β Β
Jul 27, 2025 06:57 PM
Has anyone brought or heard of a solution?
Β
Β Β
οΏΌ
οΏΌ
SecuredWizzyΒ οΏΌ
[n00b@HF:]
οΏΌ
Posts:
3
Threads:
1
Credibility:
000
Popularity:
0
Ξ²ytes:
Β Ξ²Β 17
Game XP:
0
Β Β
Aug 25, 2025 06:32 PM
Message me privately - I have the method and tools needed, for sale
Β
Β Β
οΏΌ
JimjonesΒ οΏΌ
[n00b@HF:]
οΏΌ
Posts:
1
Threads:
0
Credibility:
000
Popularity:
0
Ξ²ytes:
Β Ξ²Β 6
Game XP:
0
Β Β
Aug 27, 2025 03:32 PM
Looking for the method to jailbreak 7c tablet
Β
Β Β
οΏΌ
Js1201421Β οΏΌ
[n00b@HF:]
οΏΌ
Posts:
2
Threads:
1
Warning Level:
0%
Credibility:
000
Popularity:
0
Ξ²ytes:
11
Game XP:
0
Β Β
Sep 14, 2025 07:13 PM
Everyone wants to sell things. Have the feds not taken enough from us. They sell us a piece of crap Chinese children's tablet that cost 20 dollars for 140. And then sell us movies from the 90s and give us crap games. All while paying you guys like 12 cents an hour.
I just found the software for the SanDisk 96.00 dollar mp3 they sold us. There is 3 versions 2 of them allow you to play movies in either avi or amv format. If you're having trouble with amv format because there are no converters online u can use chatgot or deepseek and it will help you make a converter using terminux. When I have time online next weekend I'll post all 3 of these versions on this board. Don't pay anyone for them to rip you off. Also there are two people posting on YouTube whitehat and Hackman that are just trying to scam you. The serial number on the back of your tablet is your name and info.
I think the the way to root or break the score7c is going to be through the hardware. The chip it's using mt8168v is known for it's exploits and vulnerabilities. Next weekend I'll talk with deeepseek and see what else I can find. It would be great if we could all compile and work together.
Β
Β Β
οΏΌ
JoralfΒ οΏΌ
[n00b@HF:]
οΏΌ
Posts:
2
Threads:
0
Credibility:
000
Popularity:
0
Ξ²ytes:
Β Ξ²Β 7
Game XP:
0
Β Β
Sep 23, 2025 03:23 AM
How much?
Β
Β Β
οΏΌ
BlitzTech80Β οΏΌ
[n00b@HF:]
οΏΌ
Posts:
6
Threads:
0
Credibility:
000
Popularity:
0
Ξ²ytes:
Β Ξ²Β 11
Game XP:
0
Β Β
Sep 23, 2025 04:58 AMΒ (This post was last modified: Sep 23, 2025 05:02 AM byΒ BlitzTech80.)
I'm new to this stuff but found some info on a isp bridge. Since being in prison doesn't allow isp bridges to be mailed in, it sounds like one can be made using the SanDisk clip sport or clip sport go MP3 as your bridge. I haven't tried it but it says this..... Sorry it's long but it's what I got chatgpt to come up with.
UART/ISP Bridge Project β SanDisk Clip Sport as Phone Bridge
=========================================================
Goal:
-----
Use the SanDisk Clip Sport / Clip Sport Go as a hardware bridge to access SD/eMMC storage from your phone (Moto G with Termux + OTG). This bypasses the limitation of your Moto Gβs SD tray.
---------------------------------------------------------
Phase 1: Hardware Access
------------------------
- Open Clip Sport / Clip Sport Go.
- Expose microSD socket solder pads.
- Wire microSD pins to target device pads (SD/eMMC).
- Keep Clip powered on and phone connected via OTG.
MicroSD pinout (socket side):
1 DAT2
2 DAT3 / CS
3 CMD (MOSI in SPI)
4 VDD (3.3 V)
5 CLK (SCK)
6 VSS (GND)
7 DAT0 (MISO / Data0)
8 DAT1
9 VSS (GND)
Minimum for 1-bit mode:
- VDD (4), GND (6/9), CLK (5), CMD (3), DAT0 (7)
---------------------------------------------------------
Phase 2: Communication Layer
----------------------------
- Connect Moto G β OTG β Clip Sport.
- Termux path for Clip storage: ~/storage/external-1/
- Use file copy commands in Termux:
termux-setup-storage
cp -av /storage/XXXX-XXXX/firmware/* ~/storage/downloads/bridge-dumps/
- If Android says βneeds to formatβ: cancel.
Means raw/unknown FS. In that case:
- Try 1-bit wiring only.
- Hold SoC in reset (if needed).
- If still blocked, fallback to UART/BROM mode.
οΏΌ
Β βΌ3β°
Jailbreaking, Modding, and RootingβΊscore 7c jailbreak
οΏΌ
Β
score 7c jailbreak
οΏΌ
KcbestfitΒ οΏΌ
[n00b@HF:]
οΏΌ
Posts:
2
Threads:
1
Credibility:
000
Popularity:
0
Ξ²ytes:
Β Ξ²Β 11
Game XP:
0
Β Β
Jul 27, 2025 06:57 PM
Has anyone brought or heard of a solution?
Β
Β Β
οΏΌ
οΏΌ
SecuredWizzyΒ οΏΌ
[n00b@HF:]
οΏΌ
Posts:
3
Threads:
1
Credibility:
000
Popularity:
0
Ξ²ytes:
Β Ξ²Β 17
Game XP:
0
Β Β
Aug 25, 2025 06:32 PM
Message me privately - I have the method and tools needed, for sale
Β
Β Β
οΏΌ
JimjonesΒ οΏΌ
[n00b@HF:]
οΏΌ
Posts:
1
Threads:
0
Credibility:
000
Popularity:
0
Ξ²ytes:
Β Ξ²Β 6
Game XP:
0
Β Β
Aug 27, 2025 03:32 PM
Looking for the method to jailbreak 7c tablet
Β
Β Β
οΏΌ
Js1201421Β οΏΌ
[n00b@HF:]
οΏΌ
Posts:
2
Threads:
1
Warning Level:
0%
Credibility:
000
Popularity:
0
Ξ²ytes:
11
Game XP:
0
Β Β
Sep 14, 2025 07:13 PM
Everyone wants to sell things. Have the feds not taken enough from us. They sell us a piece of crap Chinese children's tablet that cost 20 dollars for 140. And then sell us movies from the 90s and give us crap games. All while paying you guys like 12 cents an hour.
I just found the software for the SanDisk 96.00 dollar mp3 they sold us. There is 3 versions 2 of them allow you to play movies in either avi or amv format. If you're having trouble with amv format because there are no converters online u can use chatgot or deepseek and it will help you make a converter using terminux. When I have time online next weekend I'll post all 3 of these versions on this board. Don't pay anyone for them to rip you off. Also there are two people posting on YouTube whitehat and Hackman that are just trying to scam you. The serial number on the back of your tablet is your name and info.
I think the the way to root or break the score7c is going to be through the hardware. The chip it's using mt8168v is known for it's exploits and vulnerabilities. Next weekend I'll talk with deeepseek and see what else I can find. It would be great if we could all compile and work together.
Β
Β Β
οΏΌ
JoralfΒ οΏΌ
[n00b@HF:]
οΏΌ
Posts:
2
Threads:
0
Credibility:
000
Popularity:
0
Ξ²ytes:
Β Ξ²Β 7
Game XP:
0
Β Β
Sep 23, 2025 03:23 AM
How much?
Β
Β Β
οΏΌ
BlitzTech80Β οΏΌ
[n00b@HF:]
οΏΌ
Posts:
6
Threads:
0
Credibility:
000
Popularity:
0
Ξ²ytes:
Β Ξ²Β 11
Game XP:
0
Β Β
Sep 23, 2025 04:58 AMΒ (This post was last modified: Sep 23, 2025 05:02 AM byΒ BlitzTech80.)
I'm new to this stuff but found some info on a isp bridge. Since being in prison doesn't allow isp bridges to be mailed in, it sounds like one can be made using the SanDisk clip sport or clip sport go MP3 as your bridge. I haven't tried it but it says this..... Sorry it's long but it's what I got chatgpt to come up with.
UART/ISP Bridge Project β SanDisk Clip Sport as Phone Bridge
=========================================================
Goal:
-----
Use the SanDisk Clip Sport / Clip Sport Go as a hardware bridge to access SD/eMMC storage from your phone (Moto G with Termux + OTG). This bypasses the limitation of your Moto Gβs SD tray.
---------------------------------------------------------
Phase 1: Hardware Access
------------------------
- Open Clip Sport / Clip Sport Go.
- Expose microSD socket solder pads.
- Wire microSD pins to target device pads (SD/eMMC).
- Keep Clip powered on and phone connected via OTG.
MicroSD pinout (socket side):
1 DAT2
2 DAT3 / CS
3 CMD (MOSI in SPI)
4 VDD (3.3 V)
5 CLK (SCK)
6 VSS (GND)
7 DAT0 (MISO / Data0)
8 DAT1
9 VSS (GND)
Minimum for 1-bit mode:
- VDD (4), GND (6/9), CLK (5), CMD (3), DAT0 (7)
---------------------------------------------------------
Phase 2: Communication Layer
----------------------------
- Connect Moto G β OTG β Clip Sport.
- Termux path for Clip storage: ~/storage/external-1/
- Use file copy commands in Termux:
termux-setup-storage
cp -av /storage/XXXX-XXXX/firmware/* ~/storage/downloads/bridge-dumps/
- If Android says βneeds to formatβ: cancel.
Means raw/unknown FS. In that case:
- Try 1-bit wiring only.
- Hold SoC in reset (if needed).
- If still blocked, fallback to UART/BROM mode.
02:51
---------------------------------------------------------
Phase 3: Firmware Manipulation
------------------------------
- If mounted: copy firmware files off the target.
- If raw NAND/eMMC: may need root or UART fallback.
- Later patch firmware (unlock BOP, add stealth mode, etc.).
---------------------------------------------------------
Validation Steps
----------------
Step A: Plug real microSD into Clip β confirm files accessible from phone.
Step B: Harness wired to loose microSD card β confirm readable.
Step C: Harness wired to target pads β attempt to read/copy files.
---------------------------------------------------------
When to Use UART Instead
------------------------
- For tablets (Keefe Score 7C/7T), ISP may fail due to voltage mismatch.
- UART path: TX, RX, GND pads β serial session.
- Or use BROM over USB:
- Force BROM by shorting eMMC CLK to GND at boot.
- Use mtkclient in Termux to talk directly.
---------------------------------------------------------
Concrete Next Actions
---------------------
1. Open Clip Sport (Brody-502-00.05 board).
2. Identify 9 pins on microSD socket.
3. Solder 5-wire harness: GND, VDD, CLK, CMD, DAT0.
4. Test with loose microSD card (prove bridge works).
5. Move harness to SD-based target.
6. For Score 7C later: identify eMMC/SDIO pads. If 3.3V safe, attempt. Otherwise pivot to USB BROM.
---------------------------------------------------------
Safety & Success Tips
---------------------
- Never connect VDD if target has its own power. Use only Clipβs 3.3V.
- Common ground required.
- Wires short (<10 cm). Twist pairs for noise reduction.
- Start with 1-bit mode (DAT0 only).
- Read-only mount is fine.
---------------------------------------------------------
Summary
-------
Clip Sport acts as USBβSD bridge. Moto G reads storage through Clip.
Firmware files can be copied when mounted.
If eMMC not compatible: fallback to UART or BROM.
UART/ISP Bridge Project β Detailed Explanation (Part 2)
=========================================================
Goal:
-----
Maximum detail explanation of what an ISP bridge does, how it works, and the importance of holding the CPU in reset.
---------------------------------------------------------
What an ISP Bridge Does
-----------------------
- ISP = In-System Programming.
- Method for accessing and rewriting non-volatile memory (NAND, NOR, eMMC) without desoldering the chip.
- Lets you bypass the device CPU and talk directly to the flash memory.
- Bridge = external host + wiring harness + controller (Clip Sport socket in this case).
---------------------------------------------------------
How an ISP Bridge Works (Step by Step)
--------------------------------------
1. Physical Connection:
- Connect wires from memory chip pins to bridge device (Clip Sport microSD socket).
- Common pins: CLK, CMD, DAT0-3, VCC, GND.
- Once wired, bridge sees the chip like a memory card.
2. Power & Ground:
- Flash must be powered at correct voltage (3.3 V or 1.8 V).
- Bridge supplies power (Clip Sport = 3.3 V).
- Grounds must always be common.
3. Step B: Hold the CPU in Reset:
- CPU and flash share the same bus. If CPU is alive, it will fight the bridge.
- Solution: keep CPU in reset or unpowered so it releases the bus.
Methods:
- RESET_N pad: Pull low to ground to freeze CPU (tri-states bus).
- Battery disconnect: CPU never boots, but flash can be powered externally.
- CLK short trick: Temporarily short eMMC CLK to GND during power-on. CPU fails to init eMMC. Bridge then takes over.
Purpose: Ensure only the bridge is controlling the flash bus.
4. Protocol Emulation:
- Bridge device (Clip Sport, programmer, etc.) speaks correct protocol.
- Flash chip sees valid commands and responds as if talking to original CPU.
5. Data Access:
- If filesystem is recognized: normal file access.
- If raw image: host may ask to "format". Cancel and instead use raw dump tools.
- On unrooted Android, only file-level access is possible unless special block devices are exposed.
β€
Phase 3: Firmware Manipulation
------------------------------
- If mounted: copy firmware files off the target.
- If raw NAND/eMMC: may need root or UART fallback.
- Later patch firmware (unlock BOP, add stealth mode, etc.).
---------------------------------------------------------
Validation Steps
----------------
Step A: Plug real microSD into Clip β confirm files accessible from phone.
Step B: Harness wired to loose microSD card β confirm readable.
Step C: Harness wired to target pads β attempt to read/copy files.
---------------------------------------------------------
When to Use UART Instead
------------------------
- For tablets (Keefe Score 7C/7T), ISP may fail due to voltage mismatch.
- UART path: TX, RX, GND pads β serial session.
- Or use BROM over USB:
- Force BROM by shorting eMMC CLK to GND at boot.
- Use mtkclient in Termux to talk directly.
---------------------------------------------------------
Concrete Next Actions
---------------------
1. Open Clip Sport (Brody-502-00.05 board).
2. Identify 9 pins on microSD socket.
3. Solder 5-wire harness: GND, VDD, CLK, CMD, DAT0.
4. Test with loose microSD card (prove bridge works).
5. Move harness to SD-based target.
6. For Score 7C later: identify eMMC/SDIO pads. If 3.3V safe, attempt. Otherwise pivot to USB BROM.
---------------------------------------------------------
Safety & Success Tips
---------------------
- Never connect VDD if target has its own power. Use only Clipβs 3.3V.
- Common ground required.
- Wires short (<10 cm). Twist pairs for noise reduction.
- Start with 1-bit mode (DAT0 only).
- Read-only mount is fine.
---------------------------------------------------------
Summary
-------
Clip Sport acts as USBβSD bridge. Moto G reads storage through Clip.
Firmware files can be copied when mounted.
If eMMC not compatible: fallback to UART or BROM.
UART/ISP Bridge Project β Detailed Explanation (Part 2)
=========================================================
Goal:
-----
Maximum detail explanation of what an ISP bridge does, how it works, and the importance of holding the CPU in reset.
---------------------------------------------------------
What an ISP Bridge Does
-----------------------
- ISP = In-System Programming.
- Method for accessing and rewriting non-volatile memory (NAND, NOR, eMMC) without desoldering the chip.
- Lets you bypass the device CPU and talk directly to the flash memory.
- Bridge = external host + wiring harness + controller (Clip Sport socket in this case).
---------------------------------------------------------
How an ISP Bridge Works (Step by Step)
--------------------------------------
1. Physical Connection:
- Connect wires from memory chip pins to bridge device (Clip Sport microSD socket).
- Common pins: CLK, CMD, DAT0-3, VCC, GND.
- Once wired, bridge sees the chip like a memory card.
2. Power & Ground:
- Flash must be powered at correct voltage (3.3 V or 1.8 V).
- Bridge supplies power (Clip Sport = 3.3 V).
- Grounds must always be common.
3. Step B: Hold the CPU in Reset:
- CPU and flash share the same bus. If CPU is alive, it will fight the bridge.
- Solution: keep CPU in reset or unpowered so it releases the bus.
Methods:
- RESET_N pad: Pull low to ground to freeze CPU (tri-states bus).
- Battery disconnect: CPU never boots, but flash can be powered externally.
- CLK short trick: Temporarily short eMMC CLK to GND during power-on. CPU fails to init eMMC. Bridge then takes over.
Purpose: Ensure only the bridge is controlling the flash bus.
4. Protocol Emulation:
- Bridge device (Clip Sport, programmer, etc.) speaks correct protocol.
- Flash chip sees valid commands and responds as if talking to original CPU.
5. Data Access:
- If filesystem is recognized: normal file access.
- If raw image: host may ask to "format". Cancel and instead use raw dump tools.
- On unrooted Android, only file-level access is possible unless special block devices are exposed.
D
02:51
6. Reprogramming:
- ISP allows writing as well as reading.
- Can flash modified firmware, patch locks, or repair bootloaders.
---------------------------------------------------------
Why ISP Bridging is Useful
--------------------------
- Bypasses CPU-level security (e.g., BOP locks).
- Recovers bricked devices where OS wonβt boot.
- Works across many platforms (phones, tablets, MP3 players, routers, etc.).
---------------------------------------------------------
Real-world Example (Blitz Setup)
--------------------------------
Target: Keefe Score 7C tablet.
Memory: eMMC chip.
Bridge: SanDisk Clip Sport microSD socket wired to eMMC pads.
Host: Moto G phone via OTG.
Process:
1. Identify and solder wires: CLK, CMD, DAT0, VCC, GND.
2. Hold CPU in reset (RESET_N to ground, battery disconnected, or CLK short trick).
3. Power eMMC from Clip (3.3 V).
4. Moto G sees eMMC as if it were a microSD card.
5. Copy firmware image, patch it, or reflash as needed.
---------------------------------------------------------
Limitations
-----------
- Voltage mismatch: eMMC may be 1.8 V I/O, Clip supplies 3.3 V (risk of damage without level shifter).
- Wire length: must be <10 cm, twisted with ground to reduce noise.
- Moto G unrooted: canβt raw-dump block devices, only file-level copy.
- CPU control: reset must be asserted properly or bridge access fails.
---------------------------------------------------------
Summary
-------
An ISP bridge pretends to be the CPU:
- Cuts CPU out of loop.
- Powers flash separately.
- Talks directly using proper protocol.
- Grants full access to firmware regardless of device lock state.
----------------------------------
UART/ISP Bridge Project β Pinouts & Solder Points (Part 3)
=========================================================
Goal:
-----
Provide maximum detail on microSD and eMMC pinouts, solder points, wiring, and safety considerations.
---------------------------------------------------------
1. MicroSD Socket (Clip Sport side)
-----------------------------------
Standard microSD pinout (1β9):
| Pin | Signal | Function | Notes |
|-----|--------|----------|-------|
| 1 | DAT2 | Data line | Only used in 4-bit SDIO |
| 2 | DAT3/CS| Data / Chip Select | Also card-detect in some sockets |
| 3 | CMD | Command | Bidirectional, carries host commands |
| 4 | VDD | 3.3 V Power | Supplied by Clip Sport |
| 5 | CLK | Clock | Host-driven; sync for all data |
| 6 | VSS | Ground | Must be common |
| 7 | DAT0 | Primary data line | Always needed |
| 8 | DAT1 | Data line | Optional in 1-bit mode |
| 9 | VSS | Ground | Tie to Pin 6 |
Minimal wiring (1-bit mode): CMD (3), CLK (5), DAT0 (7), VDD (4), GND (6/9).
---------------------------------------------------------
2. eMMC Package (Tablet side)
-----------------------------
Key pins/pads to connect:
- CLK β timing reference
- CMD β command line
- DAT0 β data line
- VCC β core supply (3.3 V typical)
- VCCQ β I/O supply (1.8 V or 3.3 V)
- GND β ground
Mapping:
- microSD CMD β eMMC CMD
- microSD CLK β eMMC CLK
- microSD DAT0 β eMMC DAT0
- microSD VDD β eMMC VCC/VCCQ (check voltage!)
- microSD GND β eMMC GND
β οΈ Risk: Feeding 3.3 V into a 1.8 V-only I/O can kill the chip. Always verify.
---------------------------------------------------------
3. Locating Solder Points
-------------------------
- Clip Sport: pads are under the microSD socket. Scratch mask for soldering.
- Tablet: look for test pads labelled CLK, CMD, DAT0, GND, VCC near eMMC.
- Use continuity test to confirm pin mapping.
---------------------------------------------------------
4. Soldering Technique
----------------------
- Use 34β38 AWG magnet wire.
- Pre-tin pads with flux.
- Lay wire flat, secure with Kapton tape or hot glue.
- Keep runs <10 cm.
- Twist pairs: CLK+GND, CMD+GND.
---------------------------------------------------------
5. Wire Routing & Signal Integrity
----------------------------------
- Keep wires short and parallel.
- Avoid noisy traces (RF, antenna).
- Twist with ground to reduce cross-talk.
- Anchor harness to prevent pad damage.
- ISP allows writing as well as reading.
- Can flash modified firmware, patch locks, or repair bootloaders.
---------------------------------------------------------
Why ISP Bridging is Useful
--------------------------
- Bypasses CPU-level security (e.g., BOP locks).
- Recovers bricked devices where OS wonβt boot.
- Works across many platforms (phones, tablets, MP3 players, routers, etc.).
---------------------------------------------------------
Real-world Example (Blitz Setup)
--------------------------------
Target: Keefe Score 7C tablet.
Memory: eMMC chip.
Bridge: SanDisk Clip Sport microSD socket wired to eMMC pads.
Host: Moto G phone via OTG.
Process:
1. Identify and solder wires: CLK, CMD, DAT0, VCC, GND.
2. Hold CPU in reset (RESET_N to ground, battery disconnected, or CLK short trick).
3. Power eMMC from Clip (3.3 V).
4. Moto G sees eMMC as if it were a microSD card.
5. Copy firmware image, patch it, or reflash as needed.
---------------------------------------------------------
Limitations
-----------
- Voltage mismatch: eMMC may be 1.8 V I/O, Clip supplies 3.3 V (risk of damage without level shifter).
- Wire length: must be <10 cm, twisted with ground to reduce noise.
- Moto G unrooted: canβt raw-dump block devices, only file-level copy.
- CPU control: reset must be asserted properly or bridge access fails.
---------------------------------------------------------
Summary
-------
An ISP bridge pretends to be the CPU:
- Cuts CPU out of loop.
- Powers flash separately.
- Talks directly using proper protocol.
- Grants full access to firmware regardless of device lock state.
----------------------------------
UART/ISP Bridge Project β Pinouts & Solder Points (Part 3)
=========================================================
Goal:
-----
Provide maximum detail on microSD and eMMC pinouts, solder points, wiring, and safety considerations.
---------------------------------------------------------
1. MicroSD Socket (Clip Sport side)
-----------------------------------
Standard microSD pinout (1β9):
| Pin | Signal | Function | Notes |
|-----|--------|----------|-------|
| 1 | DAT2 | Data line | Only used in 4-bit SDIO |
| 2 | DAT3/CS| Data / Chip Select | Also card-detect in some sockets |
| 3 | CMD | Command | Bidirectional, carries host commands |
| 4 | VDD | 3.3 V Power | Supplied by Clip Sport |
| 5 | CLK | Clock | Host-driven; sync for all data |
| 6 | VSS | Ground | Must be common |
| 7 | DAT0 | Primary data line | Always needed |
| 8 | DAT1 | Data line | Optional in 1-bit mode |
| 9 | VSS | Ground | Tie to Pin 6 |
Minimal wiring (1-bit mode): CMD (3), CLK (5), DAT0 (7), VDD (4), GND (6/9).
---------------------------------------------------------
2. eMMC Package (Tablet side)
-----------------------------
Key pins/pads to connect:
- CLK β timing reference
- CMD β command line
- DAT0 β data line
- VCC β core supply (3.3 V typical)
- VCCQ β I/O supply (1.8 V or 3.3 V)
- GND β ground
Mapping:
- microSD CMD β eMMC CMD
- microSD CLK β eMMC CLK
- microSD DAT0 β eMMC DAT0
- microSD VDD β eMMC VCC/VCCQ (check voltage!)
- microSD GND β eMMC GND
β οΈ Risk: Feeding 3.3 V into a 1.8 V-only I/O can kill the chip. Always verify.
---------------------------------------------------------
3. Locating Solder Points
-------------------------
- Clip Sport: pads are under the microSD socket. Scratch mask for soldering.
- Tablet: look for test pads labelled CLK, CMD, DAT0, GND, VCC near eMMC.
- Use continuity test to confirm pin mapping.
---------------------------------------------------------
4. Soldering Technique
----------------------
- Use 34β38 AWG magnet wire.
- Pre-tin pads with flux.
- Lay wire flat, secure with Kapton tape or hot glue.
- Keep runs <10 cm.
- Twist pairs: CLK+GND, CMD+GND.
---------------------------------------------------------
5. Wire Routing & Signal Integrity
----------------------------------
- Keep wires short and parallel.
- Avoid noisy traces (RF, antenna).
- Twist with ground to reduce cross-talk.
- Anchor harness to prevent pad damage.
02:51
---------------------------------------------------------
6. Power Domain (Clip Sport side)
---------------------------------
- Clip Sport provides 3.3 V to socket.
- It must be the ONLY power source.
- Disconnect tablet battery or hold CPU in reset.
- Never tie two power supplies together.
---------------------------------------------------------
7. Practical Example Workflow
-----------------------------
1. Verify Clip Sport reads real SD card.
2. Wire harness from Clip socket β loose SD card β confirm readable.
3. Move harness to tablet eMMC pads.
4. Disconnect battery or assert reset.
5. Power Clip Sport β Moto G should see flash.
6. Copy firmware dump.
---------------------------------------------------------
8. Risks & Precautions
----------------------
- Wrong voltage β chip damage.
- Bad solder β lifted pads.
- Long wires β unstable signals.
- CPU not reset β bus contention.
---------------------------------------------------------
Summary
-------
Part 3 gives maximum detail on wiring the ISP bridge.
It covers pinouts, soldering methods, power safety, and workflow.
If anyone attempts this please reply so we can work off what does and does not help.
6. Power Domain (Clip Sport side)
---------------------------------
- Clip Sport provides 3.3 V to socket.
- It must be the ONLY power source.
- Disconnect tablet battery or hold CPU in reset.
- Never tie two power supplies together.
---------------------------------------------------------
7. Practical Example Workflow
-----------------------------
1. Verify Clip Sport reads real SD card.
2. Wire harness from Clip socket β loose SD card β confirm readable.
3. Move harness to tablet eMMC pads.
4. Disconnect battery or assert reset.
5. Power Clip Sport β Moto G should see flash.
6. Copy firmware dump.
---------------------------------------------------------
8. Risks & Precautions
----------------------
- Wrong voltage β chip damage.
- Bad solder β lifted pads.
- Long wires β unstable signals.
- CPU not reset β bus contention.
---------------------------------------------------------
Summary
-------
Part 3 gives maximum detail on wiring the ISP bridge.
It covers pinouts, soldering methods, power safety, and workflow.
If anyone attempts this please reply so we can work off what does and does not help.
02:53
Lol grabbed some of the wrong shit. Also with the mp3 players has anyone messed with the days glitch on the second gens. Where u can get 1500 days. Once u have that I can change the name on the player and put music podcasts audiobooks on player?
HH
03:03
Halfredo Hernandez
In reply to this message
That looks like he knows what he's talking about. Also looks very complicated.
S
JS
03:22
John Smith
Lol
03:22
Me too
03:22
Rofl
03:24
Deepseek is what I use if I don't know something
03:24
Chatgpt is crap
TS
03:24
Tony Sparks
Agreed, only kinda helpful if you get the plus version
β€
TT
JS
03:25
John Smith
Yup
HH
03:25
Halfredo Hernandez
Brom exploit for mt8168 fire hd 8. https://github.com/xyzz/amonet/tree/master
TS
03:25
Tony Sparks
Has anyone ever heard of a successful board swap being done. Ive been thinking about just going that route
JS
03:25
John Smith
Yeah
03:26
They've done it here
03:26
Sent in the tablet
03:26
Looks like a score7c problem is dude really mum about it
03:26
And does not answer questions
03:27
He also runs all the yard shit so can't really press them
TS
03:28
Tony Sparks
Lol damn
JS
03:30
John Smith
Does anyone have a rooted jack
03:38
Listen I'll try anything no matter how dumb it is. And as soon as I find something I'll share it same as I did with the mp3 breaks. But I think people brainstorming is how u figure stuff out. I was just sharing the deepseek stuff because it's the best a.i. to use and it does not monitor like got
03:38
Gpt
R
04:08
Ryan
I'm with you as far as keeping on topic. The other group talks a lot about other things so it's best if we keep this groups to the topic at hand. Also, of anyone is lookingfor a better chat gpt, less restrictive, try venice.ai. I'm sure there are others but it's pretty good and has given me answers chat gpt won't (haha, maybe a little off topic?)
β€
JS
TT
04:13
Terry Thompson V 2.0
LoL. Ok thanks
JS
04:24
John Smith
There is a way to glitch the 2nd Gen mp3 player if it is running the 1.09 version for ware. If you are trying to be incognito and not fully break it with the other firmware. You have to take a paperclip and place it into the headphone jack until it glitches. The next day there will show 1500 days remaining until revalidation. I am looking for the app that lets you add music and change the owner name of desired. I'll post when I find it.
β€
TT
JB
04:26
John Blaze
I've never made a group so I wouldn't know.
And Maybe it's too late but you might consider adding topic sections like the fts and team aic groups to keep the focus in the areas
And Maybe it's too late but you might consider adding topic sections like the fts and team aic groups to keep the focus in the areas
04:31
24 hour trial. Uninstall and reinstall to reset the clock. Read and write to a MP3 with days change the owner name in the owner directory
TT
04:31
Terry Thompson V 2.0
I have done the days hack many a time but I always took the back off and shorted the positive and negative and then turn it on with a power source restore then leave off for 60 days. It's foolproof that way. But I have never saw one that the next day it had all those days . And as far as changing name and # it's easy there is a wav file you can alter it to say whatever your name and # or whatever just don't move it or you will have a player that won't boot up
04:35
I use USB media explorer but I bought it it's not much and mlusb mounter and cx.file explorer and sometimes I use the file exploding ultimate USB for some things
04:38
HH
04:38
JB
04:44
John Blaze
Is the USB media explorer the only one that reads the ones with days on it ?
That's the only one I had successfully used
That's the only one I had successfully used
D
05:56
D
I know there's been some complaining about dumping AI output into the channel, but the method the AI explained, and Blitztech80 posted to the forum, has grounding in my experience.
05:56
A friend of mine desoldered the eMMC from a tablet, and wired it to a micro SD card. It's similar to the method described here:
https://ripitapart.com/tag/dead-bug-soldering/
https://ripitapart.com/tag/dead-bug-soldering/
05:59
Once the eMMC was mounted to the SD card, I inserted it into my Gen2's (SanDisk Clip Sport) SD slot. I then connected the Gen2 to my tablet running Linux, and was able to read and write to the eMMC. That is how I made the full tablet images you see on https://hrethgir.org/score7
06:00
It never occured to us to wire a Gen2 to the board (even temporarily) and then connect the Gen2 to a phone using USB (which is what Blitztech80 described).
06:01
We assumed any image we wrote to the tablet wouldn't boot because of SBC. But if they are using generic key signatures from an open source project, then it may be possible. This is definitely on my list of possible exploits to explore upon release in a month.
B
12:07
Bill
In reply to this message
I dont want to post it because it has my mac address which could identify the tablet to sis. Relevant parts are Model 711. Android version 10. Build number treble_a64_bvS-userdebug 10 QQ3A.200805.001 eng.crossg.20210808.162341 test-keys
D
16:40
Don
In reply to this message
That's cool all I needed was the test keys. Evidently those keys are trusted by the tablet
16:41
So it appears like all that is needed is a way to write to the emmc and just write an image that uses those test keys
16:48
I dont think ill be able to do the soldering required to mate the emmc to a Gen 2 mp3. Not to mention there aren't many of them here
16:49
I would guess the way these dudes are doing it is if they are shorting clk to enter brom
16:49
They could just overwrite the bootloader with one that has fastboot signed with testkeys
16:50
Then use fastboot to write that lineage os 17 image
16:51
Im not sure what could be used to talk to the tablet in brom on a phone though, you'd still need to start with a mini computer. Once you had one tablet flashed you could root it and then use the tablet to break others
TS
18:45
Tony Sparks
Someone here def told me about a way to break tablets with a Gen 2, thought it was rubbish, but maybe there is some merit to it.
18:49
Same guy used to work for tech companies before he was locked up so he has all kinds of experience with different devices. I wonder if he could do the soldering required
B
TS
19:59
Tim Smith
So if someone went to have an actual SD card reader USB C type then instead of working directly to an SD card could someone wire to the test points on the tablet the reader itself to make the SD card removable and not necessary to wire to the 2nd gen player? Then the card could be inserted into the phone and simply removed from the tablet and reinserted
D
20:35
My cellie has a freeworld gen 2 so I guess it would work
20:36
But yeah if we can write to the emmc using this method and put on the lineageos with the test keys
20:36
Should be in business
20:37
I dont even have an otg cable at this new spot I'm at so I got some work to do
JB
21:05
John Blaze
In reply to this message
It's funny because all the others that I have seen that claimed to have it also all had the same build number. Though some have a Mac address and some do not.
Someone had pointed out that one was from an apple device. Maybe that one was a fake or maybe the Mac address was Just generated to that. I have changed Mac address on devices in the past though I think it reset to the original on reboot.. but still the point is the build from very different sources are all the same
Someone had pointed out that one was from an apple device. Maybe that one was a fake or maybe the Mac address was Just generated to that. I have changed Mac address on devices in the past though I think it reset to the original on reboot.. but still the point is the build from very different sources are all the same
21:07
And they all have this build from 2021
JS
21:12
John Smith
Listen I am waiting for our electronics guy to come back from work. This dude is legit his credentials are pretty decent.
Hes the one that put a Deadman switch on my mp3. He made an electric soldering iron for himself. Made his own multimeter. Put a remote control into a g-shock watch. Set up something with a fm radio transmitter so that when the co comes on the range he pays someone to hit a button and everyone who has their radios on a certain station here's a beeping.noise
Hes the one that put a Deadman switch on my mp3. He made an electric soldering iron for himself. Made his own multimeter. Put a remote control into a g-shock watch. Set up something with a fm radio transmitter so that when the co comes on the range he pays someone to hit a button and everyone who has their radios on a certain station here's a beeping.noise
21:13
If anyone can do the soldering it's him
21:15
If any of u guys are in Memphis I know a legit electronics guru that's there.
TT
22:32
Terry Thompson V 2.0
In reply to this message
I know it does work but cx file explorer I know use to work I haven't used it ina year or so but mlusb mounter I like a lot also
JS
23:16
John Smith
Has anyone found an accurate diagram of the board of a 7c that includes where the pins are with labels and values? So we don't have to spend time searching for that.
23:19
Also, has anyone found a similar tablet with the SD slot installed? We need to know which is pin #1 and if the pins go clockwise or counter clockwise. We also need to know which is pin #1 on the gen2 Mp3 SD card reader?
28 September 2025
S
D
00:34
I think the reason lineageos works is atg uses it internally for something. There are references to it in their edgejas software
D
02:11
Don
Anybody know if there are test points on the board for the emmc
02:12
Or have pictures of the board?
HH
02:44
Halfredo Hernandez
In reply to this message
https://hrethgir.org/score7 there is a zip file with pix
JS
02:45
John Smith
JS
04:05
John Smith
Alright well we just burned our first tablet lol. But we are trying to map out and find all the specific test points that control the boot mode for the mt8163v chip. Which I tried finding everywhere online so we are experimenting. I'll send photos of completed project maybe tomorrow
Ryan changed topic title to «Tablets»,icon to «0»
R
04:29
Ryan
VoilΓ ! Now mp3 players have their own discussion. Need more topics, let me know.
JB
04:35
John Blaze
Great Job π΄ββ οΈπ΄ββ οΈπ΄ββ οΈπ΄ββ οΈπ΄ββ οΈπ΄ββ οΈπ€πͺ
Maybe add one for the ai responses that were so adored.
Maybe add one for the ai responses that were so adored.
04:39
Maybe 1 for suspected scammers too
D
04:44
In reply to this message
LineageOS 17 was used because it is the LineageOS equivalent for Android 10, and this for sure compatible with the drivers in the system partition. ATG also borrowed several basic apps and backend stuff from Lineage, though it is unknown whether they began with a whole LineageOS image and adapted that to suit their needs. It wouldn't be the worst idea from an engineering standpoint.
04:46
In reply to this message
If this guy has a multimeter, he should be able to identify the correct pins for GND, CLK, DAT0, etc. The AIs could tell him what each pin would output on the multimeter when the eMMC is in use.
04:47
In reply to this message
This is the top of the processor. What we will need to attach to is likely on the other side, and I don't think I have pics of that. Any amateur photographers in the group?
04:49
In reply to this message
It would be the recovery partition that contains fastboot. If someone wrote a LineageOS recovery partition to the device, it would provide the access necessary via USB-C cable to a phone to flash whole ROMs. The trick is finding the compatible recovery image that is properly signed.
04:50
It's probably out there, hiding in plain sight, attached to another project, waiting for the right person with enough time to identify it.
D
05:19
Drew
In reply to this message
I have a card reader with a USBC end. I could use this instead of the gen2 mp3 player????
05:23
In reply to this message
I think our electric shop has a multimeter. I'll ask I have a friend there maybe he can bring it out. Or I could send a tablet into our unicor I know they have meters there. I have some friends there that would test shit for me. I need to be able to give them step by step instructions. Like they were 5.
D
05:28
D
In reply to this message
Yes. You would have to identify each pin out for the reader based on standard micro SD card contact points, and then solder or affix these correct contact points to the tablet's eMMC. The reason the Gen2s are preferred is because they can force "one-bit mode" with the eMMC and read it like an SD card. Not all USB readers are capable of this.
05:29
In reply to this message
I would ask an AI this. "How do I identify the various pins of an eMMC chip using a multimeter when the chip is connected to a mother board and running in normal operation?"
JB
05:29
John Blaze
The dot is pin 1
05:29
The dot in the corner
D
05:30
D
In reply to this message
This is the otacerts.zip mentioned in this document which is used to verify system images. I pulled it from the tablet's filesystem.
JB
05:35
John Blaze
Yo are we talking about removing the ball grid array chip and resoldering it or a quad flat pack? Or just connecting the wires to the chip on board?
JB
05:39
John Blaze
DA
Deleted Account 19.02.2025 04:48:18
JB
D
06:01
D
In reply to this message
Also, I extracted the RAM disk from the recovery partition, and there is no /res/keys folder. According to AI, this means that partition signature integrity is verified using Android Verified Boot (AVB) instead. But we already knew that from our previous research. This additional data simply confirms it.
06:05
In reply to this message
If you desolder the chip, and do not have professional tools with precise temperature control, you risk burning the chip. It is a very fiddly process. Expect to temporarily attach the lead wires from the Gen2 or USB reader, after having soldered wires to one of those devices. I don't know the recommended method for temporarily attach wires this way, but soldering seems more permanent and risks damaging the chip.
06:06
In reply to this message
Damn. I thought the underside of the chip would be visible and accessible on the other side of the board.
JB
06:15
John Blaze
So I was a component level technician with rework experience.
I have a soldering iron and certified for high reliability wiring.
I'm familiar with in circuit serial programming.
I'm sure I can handle this.
I have a soldering iron and certified for high reliability wiring.
I'm familiar with in circuit serial programming.
I'm sure I can handle this.
06:16
I do not at the moment have a tablet open to inspect the ic's and identify the emmc
If you could point it out in the photo I will get the data sheet and identify the pins needed
If you could point it out in the photo I will get the data sheet and identify the pins needed
06:19
I'm sure that I can get the correct wire I will need for this task.
My biggest concerns would be crosstalk with the wires and latency issues causing timing errors.
And maybe signal bounce .
My biggest concerns would be crosstalk with the wires and latency issues causing timing errors.
And maybe signal bounce .
06:20
Or if you already know the ic numbers just shoot that so I can hunt the data sheet
06:32
It is unclear to me if we are connecting directly to an IC or the empty pads on the motherboard that have the unpopulated SD card slot.
Can. Someone please clarify
Can. Someone please clarify
JB
06:49
John Blaze
In reply to this message
It may be able to read it... but writing may be a different story.
I know that it will not write the disk image of a gen3 to the SD card.
That has to be done with an external USB SD card reader. The gen 2 will not operate or present the chip slot in the correct way to do a low level format of the SD card.
so are we sure that it will write to this emmc chip if wired correctly ?
Or should we pursue the external SD card reader like dude was saying?
The way I read it was that the 1 bit mode was the bare minimum not the necessity
I know that it will not write the disk image of a gen3 to the SD card.
That has to be done with an external USB SD card reader. The gen 2 will not operate or present the chip slot in the correct way to do a low level format of the SD card.
so are we sure that it will write to this emmc chip if wired correctly ?
Or should we pursue the external SD card reader like dude was saying?
The way I read it was that the 1 bit mode was the bare minimum not the necessity
D
06:57
D
In reply to this message
E32GCSAF1ABE00, manufactured by SCY.
https://www.aliexpress.us/item/3256807215368506.html?gatewayAdapt=glo2usa4itemAdapt
https://www.aliexpress.us/item/3256807215368506.html?gatewayAdapt=glo2usa4itemAdapt
06:58
In reply to this message
Directly to the eMMC chip. The SD card pads (currently unpopulated) would not help because the tablet by default disables the SD card reader.
07:03
In reply to this message
My friend desoldered the eMMC from one of the tablets, cracked open a micro SD, disconnected the micro SD's internal storage, and soldered wires from the eMMC pins to the micro SD pins. I inserted it into my Gen2, and connected the Gen2 to a computer running Linux.
This one:
https://goleminipc.com/products/higole-gole-1-pro-mini-pc-windows-11-pro-intel-celeron-j4125-8gb-ram-256gb-rom
This one:
https://goleminipc.com/products/higole-gole-1-pro-mini-pc-windows-11-pro-intel-celeron-j4125-8gb-ram-256gb-rom
07:05
When connected, the eMMC presented the entire disk image, with the exception of the preboot image, since this only available in full 4-bit or 8-bit mode with special eMMC commands.
07:07
In reply to this message
I could have made changes to the eMMC, but we didn't expect that we could resolder the eMMC onto the board given our tools at the time.
07:08
Also, I want to share with the group a major discovery I just made. It has to do with boot verification and ROM image modding.
07:09
The vbmeta partition details contain the following info:
07:09
oter version: 1.0
Image size: 33554432 bytes
Original image size: 15632384 bytes
VBMeta offset: 15634432
VBMeta size: 1344 bytes
--
Minimum libavb version: 1.0
Header Block: 256 bytes
Authentication Block: 320 bytes
Auxiliary Block: 768 bytes
Public key (sha1): 4b7ddbbda20e4b15b0158af882dc06c51ba2eb30
Algorithm: SHA256_RSA2048
Rollback Index: 0
Flags: 0
Rollback Index Location: 0
Release String: 'avbtool 1.1.0'
Descriptors:
Hash descriptor:
Image Size: 15632384 bytes
Hash Algorithm: sha256
Partition Name: recovery
Salt: e15e964943ac40445f1912d217b270d90be4462bcd9295a5ba612cc64db677b9
Digest: b1dd756b9e24f4197550fd9f70866bda90c3e51cd2bc05fe582ad68856f3b77a Flags: 0
Image size: 33554432 bytes
Original image size: 15632384 bytes
VBMeta offset: 15634432
VBMeta size: 1344 bytes
--
Minimum libavb version: 1.0
Header Block: 256 bytes
Authentication Block: 320 bytes
Auxiliary Block: 768 bytes
Public key (sha1): 4b7ddbbda20e4b15b0158af882dc06c51ba2eb30
Algorithm: SHA256_RSA2048
Rollback Index: 0
Flags: 0
Rollback Index Location: 0
Release String: 'avbtool 1.1.0'
Descriptors:
Hash descriptor:
Image Size: 15632384 bytes
Hash Algorithm: sha256
Partition Name: recovery
Salt: e15e964943ac40445f1912d217b270d90be4462bcd9295a5ba612cc64db677b9
Digest: b1dd756b9e24f4197550fd9f70866bda90c3e51cd2bc05fe582ad68856f3b77a Flags: 0
07:09
This means that only the recovery partition is verified during boot. We can alter the boot and system partitions without triggering a boot failure.
07:10
This is why a system image signed by the AOSP test keys will boot without complaint.
07:11
Generally, the recovery partition is used to flash partitions or other data to an otherwise unworking device. I guess ATG figured that disabling access to this partition, or being unable to change it in any way, would be sufficient to secure the tablets.
07:12
In theory, one could take the LineageOS 17 base image and just flash it to the tablets and not have to worry about anything, as long as you never needed to use the recovery partition for anything. We wouldn't need the recovery partition if we use an external flashing method.
D
08:52
D
If the screenshots of the system info screen are to be trusted, the image flashed to the tablets does indeed come from the custom LineageOS 17 ROM linked posted earlier.
08:52
However, be sure to specifically get the one with the following filename:
lineage-17.1-20210808-UNOFFICIAL-treble_a64_bvS.img
lineage-17.1-20210808-UNOFFICIAL-treble_a64_bvS.img
D
09:22
D
Assuming the LineageOS 17 image from the AndyYan section of sourceforge is the one used on the tablets, the modders have done some work to make it fit.
D
09:42
D
The LineageOS image should replace the system.img on the tablets. However, the system.img is packed into a super.img, along with vendor.img and product.img. When extracted, the system.img is smaller than the Lineage image. This means we would have to shrink the other two partitions in order to make Lineage fit into this space.
B
12:09
Bill
In reply to this message
In this context the test keys relate to the keys used to sign the system apks and userdebug means it doesn't check the signatures anyway. It has nothing to do with the secure boot keys trusted by the CPU. Mtkclient already has an exploit for bypassing secure boot on the mt8168 once you connect to brom. The method they are using to get into brom is still unknown
C
12:15
In reply to this message
If the plan is to access and modify system partition, could we just root the existing OS that way and not need to figure out lineage or anything like that?
D
15:42
Don
In reply to this message
The existing one is very limited which could cause apps to not run properly
15:45
In reply to this message
Atg edgejas references lineageos directly. They surely started with that
15:46
In reply to this message
Agreed. But if we do get the tablet into brom mode how are we going to flash it? Would need a computer or rooted tablet. I haven't seen a lot of apps for regular android that do anything with usb
15:56
In reply to this message
Agreed. After the update one cant use the side button to access the recovery anyway, right?
16:03
Evidently not from googling
JB
16:24
John Blaze
In reply to this message
You realize that this is a ball grid array.
And will not be a practical or viable exploit for everyone to be able to follow.
And will not be a practical or viable exploit for everyone to be able to follow.
16:28
Hell seeing as it's a BGA it is really a difficult task to have them cleaned and fluxed and placed back with the required precision to avoid shorts and bad connections even with a professional rework station.
Let alone in here we really need to try to find the test points on the board that might be able to be used for ISP on board
Let alone in here we really need to try to find the test points on the board that might be able to be used for ISP on board
D
18:44
Don
In reply to this message
Agreed. I got no chance of fucking with a bga in here. I doubt the fort dix guys are doing that
JB
21:42
John Blaze
I don't have a spare board.
But if someone does it would be good to remove the emmc by force and identify the pads we need access to and either sand the board down to trace where they go or start peeking and poking with an led and and a battery
But if someone does it would be good to remove the emmc by force and identify the pads we need access to and either sand the board down to trace where they go or start peeking and poking with an led and and a battery
29 September 2025
S
02:06
Shag
In reply to this message
You can also Revalidate your Tablet without Syncing by cancelling the Revalidation Process as soon as it starts.
I usually press WindowsKey+R (this is a shortcut keybind that starts Revalidation) and hover the Mouse near the bottom right of the screen and spam click Cancel. The screen will go yellow and a Confirmation pops up. This will clear out the Lock Outs without Flags as well.
I usually press WindowsKey+R (this is a shortcut keybind that starts Revalidation) and hover the Mouse near the bottom right of the screen and spam click Cancel. The screen will go yellow and a Confirmation pops up. This will clear out the Lock Outs without Flags as well.
02:28
In reply to this message
It's almost impossible to brick the Clip Sport Player. If you are on the OEM Software (SanDisk) you will hold Vol Up to boot into the FW mode. On 90% of the other ATJ2127 Firmwares you will hold the Options Button (Down) while plugging in the Player.
GG
02:35
Gino Green
In reply to this message
So do you have to long into the computer first or just plug up and hit the windows+r?
JB
02:37
John Blaze
Win r is the shortcut key
S
02:37
Shag
In reply to this message
This is the company that makes the boards. Before you could browse different generic models now it's just the Index page
http://www.szbnd.cn/en/index.php
http://www.szbnd.cn/en/index.php
JB
02:37
John Blaze
U would already be logged in
GG
02:38
Gino Green
In reply to this message
Oh I was logged in on the home screen and plugged up the tablet hit the keys and it said something I can't remember what but it was something saying like something not found and gave me the option to click ok only and didn't do nothing
C
02:43
Same for m for messaging and other shortcuts
S
03:04
And now I have caught up! So let's get to work!
GG
S
GG
03:30
Gino Green
After it starts cancel it right after
TT
04:49
Terry Thompson V 2.0
Sorry for my rant about dude with the AI yesterday. I was hitting the shine a little bit . I admit I was confused to say the least. Anyway dude asked me to post these and after talking to him for a few hours or so I think we should let him in this group. So if any objections state it
TT
TT
TT
S
04:52
Shag
Probably compiled the ReadMes with a AI but looks good I say add him (I'm still new here too but still)
D
TT
04:57
Terry Thompson V 2.0
Gonna wait until tomorrow to make sure it's cool. He actually got scammed by kingdrummer. Which is had no proof of but in the back of my mind I always thought kingdrummer was trini954 aka aspiring wino. And when he told me kingdrummer new name was aspiring wino I knew I was right
S
04:58
Shag
In reply to this message
I haven't really gotten that far. I'm working more towards building something that runs on Android
04:58
I know about USB over network but thats probably not ideal
D
05:00
D
In reply to this message
We attempted to use USB over network to bridge a Win11 VPS to a Gen2, through a phone, to use the flasher software. Couldn't ever make it work for low-level flashing. It had a lot to do with the USB ID changing during the process, and the speed/reliability of the connection.
05:00
I am using my VPS to create a flashable super partition to try on the tablets once we get this IPS flashing method tested.
05:01
The Linux tools are much easier and faster, though my time to access the phone is the limiting factor π
S
05:01
Shag
I'm reading that now. It's a good idea as a workaround. Me to this is my first night holding down in like 8 months
D
05:02
D
I am due to go to halfway in under 30 days, and home confinement shortly after. Then it's definitely game on.
05:03
Apparently, identifying the test pins for eMMC access is the next real hurdle.
S
05:03
Shag
That's exactly what we need. Someone on the streets with the motivation
05:03
There are 4 pins near the bottom in the middle. Aren't they the data ones?
05:04
RX0 TX0 RX1 TX1
D
05:04
D
Not sure. We need someone who can test such things, and doesn't have to worry about borking a tablet.
S
05:05
Shag
Sec
05:09
Posted
D
05:09
D
We need pins for CMD (command), CLK (clock), DAT0 (data line), VCC (power), and GND (ground).
05:10
That's five pins, and do not correspond to RX0 TX0 RX1 TX1.
S
05:12
Shag
AI
β€
JS
05:12
I tagged you
D
05:15
D
That's generic info, with corresponding values for an Arduino's GPIO. There's no telling whether those pads are for the eMMC or for another chip on the board (like the CPU).
05:19
In reply to this message
Reviewing this guide, I can say that the Termux instructions here assume root access on the phone. Non-rooted phones do not expose direct access to /dev virtual filesystem. I would have to read further to determine if this flaw in the instructions would be fatal to the process. But it looks like the AI was assuming that Termux had the same access to the dev filesystem as a root user in true Linux.
S
05:20
Shag
In reply to this message
A little more reading and it seems that you are correct. I redact my statement
D
05:23
D
The requirement for root extends to the second guide file as well. losetup and kpartx both require root access. Though, the Termux tool is known simply as partx, available in the blk-utils package.
05:24
And lsblk needs access to /sys virtual filesystem as well.
05:27
These instructions also reference isp_bridge.sh, which is likely a custom script available wherever these guides are sourced from, and which accomplishes many of the reading/flashing tasks in Termux that would normally be handled by a tool like SP Flash.
D
09:35
D
I was also looking into what would be flashed to the tablet. Currently, the product, system, and vendor partitions are combined into a "super" partition.
09:36
The current super partition occupies 1,249,378,304 bytes on the drive. If we want to flash the LineageOS 17 image in place of the ATG system image, we need to shrink it and the other partitions.
09:37
Here's what I attempted to remove:
09:37
from atg product.img:
product.img/media
product.img/app/webview
product.img/app/LatinIME
product.img/priv-app/MtkLauncher3GoIconRecents
product.img/priv-app/MtkSettings
from lineage_system/system/app:
Backgrounds/ BasicDreams/ BluetoothMidiService/ BookmarkProvider/ BuiltInPrintService/ CaptivePortalLogin/ CarrierDefaultApp/ CompanionDeviceManager/ CtsShimPrebuilt/ EasterEgg/ LiveWallpapersPicker/ NfcNci/ OsuLogin/ PartnerBookmarksProvider/ RcsService/ SafetyRegulatoryInfo/ SecureElement/ SimAppDialog/ Stk/
from lineage_system/system/priv-app:
BackupRestoreConfirmation/ BlockedNumberProvider/ CallLogBackup/ CellBroadcastReceiver/ CtsShimPrivPrebuilt/ DynamicSystemInstallationService/ FusedLocation/ ManagedProvisioning/ MmsService/ ONS/ Seedvault/ SharedStorageBackup/ StatementService/ Tag/ Updater/ Telecom/ TelephonyProvider/ TeleService/ AudioFX/
from lineage_system/system/product/app:
Email/ Exchange2/ Jelly/ messaging/ Recorder/
from lineage_system/system/product/priv-app:
CarrierConfig/ Dialer/ Eleven/ EmergencyInfo/
product.img/media
product.img/app/webview
product.img/app/LatinIME
product.img/priv-app/MtkLauncher3GoIconRecents
product.img/priv-app/MtkSettings
from lineage_system/system/app:
Backgrounds/ BasicDreams/ BluetoothMidiService/ BookmarkProvider/ BuiltInPrintService/ CaptivePortalLogin/ CarrierDefaultApp/ CompanionDeviceManager/ CtsShimPrebuilt/ EasterEgg/ LiveWallpapersPicker/ NfcNci/ OsuLogin/ PartnerBookmarksProvider/ RcsService/ SafetyRegulatoryInfo/ SecureElement/ SimAppDialog/ Stk/
from lineage_system/system/priv-app:
BackupRestoreConfirmation/ BlockedNumberProvider/ CallLogBackup/ CellBroadcastReceiver/ CtsShimPrivPrebuilt/ DynamicSystemInstallationService/ FusedLocation/ ManagedProvisioning/ MmsService/ ONS/ Seedvault/ SharedStorageBackup/ StatementService/ Tag/ Updater/ Telecom/ TelephonyProvider/ TeleService/ AudioFX/
from lineage_system/system/product/app:
Email/ Exchange2/ Jelly/ messaging/ Recorder/
from lineage_system/system/product/priv-app:
CarrierConfig/ Dialer/ Eleven/ EmergencyInfo/
09:38
I used CharGPT to identify what items were necessary, and removed basically everything else. And I was informed I needed to prune an additional almost 150mb to make LineageOS fit.
09:39
The alternative is to not prune, but to alter the partitions to accommodate a larger super image. This is significantly more difficult.
09:46
Here is a text of the current partition table:
https://hrethgir.org/score7/OS%20Image%20Project/partition_metadata.txt
https://hrethgir.org/score7/OS%20Image%20Project/partition_metadata.txt
09:48
We would have to increase the super partition size, move the cache to accommodate the new super, and shrink the userdata partition to make up for the difference. Oh, and modify the GPT partition table to match the changes. That is some significant editing.
C
16:47
C
Btw, buddy of mine in a different spot says they have a tablet and someone is actively breaking them. Gave me this info:
" I have no idea how it's done but I know for a fact the guy opens the tablet so he's doing some kinds of hardware alterations"
"No way it's board swap because it's the same tablet and he does it in a few hours they charge 1000 per"
" And if it helps, I can send you pictures tonight of the build number and the screen showing developers options"
"When you turn it on, it has the Keefe video like normal but slower. After you turn it on, it has all the bop apps on it and when you open setting, it still has the bop options including the information of the owner. All bop same. All the original musics, and the movie app are all on there as if it's normal when you open them."
" I have no idea how it's done but I know for a fact the guy opens the tablet so he's doing some kinds of hardware alterations"
"No way it's board swap because it's the same tablet and he does it in a few hours they charge 1000 per"
" And if it helps, I can send you pictures tonight of the build number and the screen showing developers options"
"When you turn it on, it has the Keefe video like normal but slower. After you turn it on, it has all the bop apps on it and when you open setting, it still has the bop options including the information of the owner. All bop same. All the original musics, and the movie app are all on there as if it's normal when you open them."
16:48
I'm guessing it's accessing the storage and rooting it without otherwise changing firmware. Any specific info I should ask?
17:37
Deleted Account
He either has the secret key, which very unlikely.
More likely he implemented MIM attack and unlocks wifi, adb and resets mortality on initial connection. If you can, check what is the mortality of the unlocked tablet.
More likely he implemented MIM attack and unlocks wifi, adb and resets mortality on initial connection. If you can, check what is the mortality of the unlocked tablet.
C
17:56
C
If it was just doing that they wouldn't need to open the tablet I think?
18:01
In reply to this message
He says it's different firmware and the stuff that looks like Keefe is fake just for show
18:02
"It's like a picture of something it's just there"
C
18:28
Deleted Account
In reply to this message
That's what I was thinking. Maybe I'm wrong. Just checking the mortality will give us a clue. Also build number will help
C
18:31
C
Hopefully will get build later
S
19:07
Shag
Does everyone already have a copy of the audioproducttool!
19:08
I feel like open sourcing it here as a example of a USB transfer app for ATG devices
19:09
Well I guess it's not... Since we exploit the chipset
D
19:59
Don
It's driving me nuts that it's actively being done and we haven't figured it out
20:00
I feel stupid
30 September 2025
D
04:34
D
In reply to this message
Given what I learned about only the recovery partition being included in the vbmeta signing, C's suspicion of them opening the tablet to modify makes sense. Depending on which group of active modders we're talking about, it could be a different hardware image that just looks like ATG's (the LineageOS 17 build), or they could have made some of the smaller changes to the base image, either of which could be accomplished by modifying the data on the eMMC with an external writing technique.
04:36
I doubt they are making incremental changes anywhere though, because the Edgejas app code (on the ATG system partition) checks the validation timer and verifies it doesn't exceed one year. And nobody told these guys they have to pay $1k again a year from now.
04:37
Worst case scenario, someone who has paid for a tablet jailbreak could send me their tablet after I get out, I can analyze the changes to the partitions, and tell them how to recreate again themselves.
04:38
But given the issues with Android phones not exposing the underlying drive geometry in favor of just showing what filesystems are available, these guys may have a Windows or Linux tablet laying around that does the changes on an automated basis.
S
12:54
Shag
Or they could be using a outdated android device. Security protocols were more lax back in 8.1 and earlier
12:55
With SU permissions you'd have more control too
12:55
Just a π€
15:16
Deleted Account
In reply to this message
That's a good to know information. Do not reset the timer to more than a year.
D
22:58
Drew
I saw somewhere further back about popping off the Emmc and sanding it down to see connections or something. I have a tablet with a fried board. I'll take it apart and sand what ever down. I just need to know exactly what.
22:58
Someone send me a pic of what you want me to take apart.
JB
23:38
John Blaze
23:38
23:38
23:38
23:39
This is the mp3 board with the ic's removed and the board has been sanded to follow the circuit traces to see where they go.
23:41
If we have identified the pins we need on the emmc which I think we have. You would need to identify the corresponding pads on the board and trace them out.
This could be done with a make shift continuity checker aka a battery with some wires and an led.
Or sanding the board to see where the traces go and where we might get access to them
This could be done with a make shift continuity checker aka a battery with some wires and an led.
Or sanding the board to see where the traces go and where we might get access to them
1 October 2025
JB
00:05
John Blaze
It is unclear at this point how many layers the motherboard is. So depending on how many layers would dictate how deep you need to sand.
Layer 1 take a photo.
Layer 2 take a photo.
And repeat for as many layers there are or until we find where the traces are accessible
Layer 1 take a photo.
Layer 2 take a photo.
And repeat for as many layers there are or until we find where the traces are accessible
GG
00:26
Gino Green
I'll try and sand one down to if I get a chance
JB
00:49
John Blaze
In reply to this message
There are 4 pads by an IC that may be it.
However I see SDA twice which may be a silkscreen mistake
Pad 1: SCL (clock)
Pad 2: SDA (data)
Pad 3: VCC or GND (power reference)
Pad 4: RST (reset)
Vcc or ground should already be provided by the board so maybe that's why we don't see the pad.
However I see SDA twice which may be a silkscreen mistake
Pad 1: SCL (clock)
Pad 2: SDA (data)
Pad 3: VCC or GND (power reference)
Pad 4: RST (reset)
Vcc or ground should already be provided by the board so maybe that's why we don't see the pad.
00:51
You guys see this in the other group?
JB
00:51
John Blaze
b
bim 30.09.2025 16:24:25
B
JB
00:55
John Blaze
S
ShadoughDragon 25.12.2024 07:09:55
GG
00:57
Gino Green
You know some USBC ports have a connection for those tx1 and tx2 things on the tablet board if it helps any
JB
00:57
John Blaze
Those are the pads but I don't understand why there are 2 SDA lines .
And they may go the the display controller. But maybe share some of the same lines like the clk
And they may go the the display controller. But maybe share some of the same lines like the clk
00:58
That would be the transmit receive data lines for the USB protocol
00:59
Not for the emmc chip
01:00
Another thing we will have to contend with is the cpu may try to take control of the data bus so we may have to remove a capacitor or 2 to keep it from powering up while we program the emmc chip
HH
03:20
Halfredo Hernandez
I have a feeling that all this complex stuff we are considering is not the answer. There are already jailbroken scores. I doubt they had all the tools and knowledge for this very complex stuff. If has to be something simpler we are missing. Just my opinion
π
TW
R
Terry Thompson V 2.0 invited TheTechForge
D
04:32
D
In reply to this message
I think there are actually two methods for cracking the tablets, but in different prisons. The recent photos added by bim show the exact build as the standard tablets, not the LineageOS 17 image build info.
04:34
Given that the build is the standard ATG, I think they got an external write technique down, and they just modify settings in the userdata partition. That was my original vector before I got shipped somewhere without most of my equipment π
04:35
I am also beginning to think the LineageOS builds already have the drivers necessary for the tablets, and the extra space needed to get the LineageOS system partition in there comes from not having the vendor partition there anymore.
D
05:13
D
I also found out that the main vbmeta partition is only one of three. There is a separate, chained-loaded vbmeta for the system and vendor partitions, and the vbmeta_system also verifies the product partition in super. Thus, to flash the LineageOS image, they must be modifying the bootloader as well, since the bootloader is enforcing the avb verification of those partitions units from options specified in fstab.mt8168.
T
05:36
TheTechForge
He was right the isp guide I sent was for rooted phones, wasn't supposed to be setup that way
05:36
I did make a non rooted version
D
05:36
D
Shoot it!
T
05:37
Also specifically noted the pins
05:38
This goes mp3 to tablet using SD card solder points
05:38
So on mp3 looking at the board you will see 4 solder points on each side of the SD card slot
D
05:39
D
The last guide mentioned which pins to use on the MP3 player, but not the eMMC on the tablet.
T
05:39
TheTechForge
From outer edge of board top 4 it goes 1,2,3,4 and the outer edge bottom row is 8,7,6,5
05:39
The tablet pins go from top down 1-9
05:39
It's specified in the non rooted better
D
05:40
D
I don't suppose you could show us these in a photo?
T
05:40
TheTechForge
I'm going to be attempting this soon
05:40
Show what the pins?
D
05:41
D
The eMMC is soldered to the board in a ball grid array. The connect points for the eMMC are beneath it, and not exposed to the rear of the motherboard.
T
05:41
TheTechForge
Also I love chatgpt for things and had this dug up
D
05:42
D
Short of desoldering the chip and resoldering it again, how do we access the pins?
T
05:42
TheTechForge
This is tablets with the 8168 possible firmware to try it
05:42
You solder to the SD card pins
05:42
And the tablet SD card pins
05:42
The emmc does not need to be removed
05:43
This is all theoretical concepts, when I learned of the isp bridge and since I'm inside and can't get one I asked about building one out of the MP3 and it's perfect for it
05:43
1 sec I'll get something else to help
D
05:44
D
I plan to test this when I am released (and can get a Gen2 from the street).
05:44
I just didn't think the SD card pins on the tablet would access the eMMC.
T
05:46
TheTechForge
In reply to this message
.yeah the SD card isn't in the tablet but it should still work
D
05:49
D
The "it should" part is where I'm skeptical. I plan on verifying this on release in a few weeks.
T
05:50
TheTechForge
I'll be trying this weekend to at least build the bridge and see if it detects the emmc
05:51
It should show as a mass storage device on phone like a SD card
05:51
According to chatgpt it's 100% doable for the bridge, my concern is the firmware to replace it
05:52
That's why I dug around about other tablets with the 8168
05:52
Hoping if anything attempting one from the tablets listed in that text
D
05:56
D
Here are some considerations. I did this with an eMMC that had been desoldered from the board. Not all Gen2s read the eMMC (we couldn't tell what made some work and others not). And when it did access it, it accessed it as an SD card, showing the main partitions (cool), but would not permit access to the preloader boot partitions (requires true eMMC mode).
05:56
And the preloader is likely being verified by SBC on the chipset too.
T
06:00
TheTechForge
You held the cpu in reset?
06:00
Nothing should be on for the tablet, you are powering the emmc with mp3
D
06:02
D
There are two methods I managed. One was a totally offline eMMC (disconnected from the board and soldered to an SD card whose storage chip had been disconnected), and the other involved running a trace line from the USB port to the eMMC and connecting a USB reader.
06:03
The first method used a Gen2, and the MP3 player provided the power.
T
06:03
TheTechForge
This is what chatgpt just responded with
ISP Bridge Behavior β SD vs eMMC Mode
=====================================
User comment:
-------------
"I did this with an eMMC that had been desoldered from the board.
Not all Gen2s read the eMMC (we couldn't tell what made some work
and others not). And when it did access it, it accessed it as an
SD card, showing the main partitions (cool), but would not permit
access to the preloader boot partitions (requires true eMMC mode)."
Analysis:
---------
Case 1: CPU NOT in reset (normal boot active)
---------------------------------------------
- eMMC defaults to "SD compatibility mode".
- Host (bridge) only sees user data area as if it were a big SD card.
- Accessible: main partitions (system, vendor, userdata, etc).
- NOT accessible: BOOT0, BOOT1, RPMB, PRELOADER.
- Reason: SoC is still driving bus, preventing full eMMC negotiation.
Case 2: CPU held in RESET (bus released)
----------------------------------------
- Bridge can negotiate with eMMC directly.
- If the host supports eMMC commands (beyond SD subset):
- Accessible: BOOT0, BOOT1, RPMB, USER partitions.
- Full raw access possible.
- If host is only an SD adapter:
- Still limited; may only see USER area, no boot partitions.
Case 3: True ISP Setup (CPU in reset + proper eMMC host)
--------------------------------------------------------
- CPU disabled so it doesnβt interfere with lines.
- Bridge/host talks full eMMC protocol.
- Accessible: ALL partitions (USER, BOOT0, BOOT1, RPMB, GP).
- Required for full dumps, preloader access, and low-level flashing.
Summary
-------
- No reset = SD mode only β main partitions visible.
- With reset + SD-only host = still partial.
- With reset + real eMMC host = full chip access.
ISP Bridge Behavior β SD vs eMMC Mode
=====================================
User comment:
-------------
"I did this with an eMMC that had been desoldered from the board.
Not all Gen2s read the eMMC (we couldn't tell what made some work
and others not). And when it did access it, it accessed it as an
SD card, showing the main partitions (cool), but would not permit
access to the preloader boot partitions (requires true eMMC mode)."
Analysis:
---------
Case 1: CPU NOT in reset (normal boot active)
---------------------------------------------
- eMMC defaults to "SD compatibility mode".
- Host (bridge) only sees user data area as if it were a big SD card.
- Accessible: main partitions (system, vendor, userdata, etc).
- NOT accessible: BOOT0, BOOT1, RPMB, PRELOADER.
- Reason: SoC is still driving bus, preventing full eMMC negotiation.
Case 2: CPU held in RESET (bus released)
----------------------------------------
- Bridge can negotiate with eMMC directly.
- If the host supports eMMC commands (beyond SD subset):
- Accessible: BOOT0, BOOT1, RPMB, USER partitions.
- Full raw access possible.
- If host is only an SD adapter:
- Still limited; may only see USER area, no boot partitions.
Case 3: True ISP Setup (CPU in reset + proper eMMC host)
--------------------------------------------------------
- CPU disabled so it doesnβt interfere with lines.
- Bridge/host talks full eMMC protocol.
- Accessible: ALL partitions (USER, BOOT0, BOOT1, RPMB, GP).
- Required for full dumps, preloader access, and low-level flashing.
Summary
-------
- No reset = SD mode only β main partitions visible.
- With reset + SD-only host = still partial.
- With reset + real eMMC host = full chip access.
D
06:03
D
The second method involved the tablet being powered on, but hitting the reset button to stop the CPU from accessing the eMMC.
06:05
The part about "proper eMMC host" is the catch here. The Gen2 cannot operate as a true eMMC host/reader.
T
06:06
TheTechForge
I'm not sure like I said I haven't attempted this yet, I haven't messed with PCs for quite some time. I do know that this is how techs access chips and recover phones and such. Let me ask it about that.
D
06:06
D
And ChatGPT seems to be misunderstanding that the eMMC had been removed from the board, and could not have been influenced by the SoC.
06:08
In reply to this message
The FBI provided FCI Seagoville with a remote, automated hacking setup that involved another specialty phone attached to the phone being analysed. It rarely worked, but when it did, it involved nothing more than a USB-to-USB connection, and managed to dump the drive contents.
06:09
By hacking platform, I mean that it had much better success at compromising phones that had been accessed at least once after reboot, which loads the encryption keys into memory and makes user data access possible.
T
06:10
TheTechForge
Ok your correct on the true host
MP3-as-Bridge Limits
====================
What it CAN do:
---------------
- Act as a pass-through SD host for the tabletβs eMMC USER partition.
- Let your phone (via OTG) see the tablet storage as if it were a big SD card.
- Allow raw reads/writes of the main user area (system, vendor, userdata, etc).
What it CANNOT do:
------------------
- Access BOOT0, BOOT1, PRELOADER, or RPMB areas (these require full eMMC host commands).
- Replace the first-stage bootloader or preloader code.
- Handle signed/verified boot enforcement (AVB, dm-verity).
- Recover the tablet if boot partitions get corrupted.
Implication for Firmware Replacement:
-------------------------------------
- If all you wanted was to tweak *system/vendor* while leaving the stock
boot chain untouched, the MP3 bridge *might* let you overwrite those.
- If your goal is to "properly" replace the firmware (install Lineage, TitanCore,
or any custom OS), you almost always need to touch BOOT partitions
(boot image, kernel, preloader).
- Without true eMMC host mode, you canβt reliably write those areas.
- That means the MP3 bridge alone cannot guarantee a full, working firmware replacement.
- Risk: you overwrite system but kernel/bootloader are mismatched β tablet wonβt boot,
and you have no way to re-flash the boot area through the MP3.
Summary:
--------
- MP3 bridge = good for *partial access / experimenting with user data*.
- Proper firmware replacement (kernel + bootloader) = requires true eMMC host
or a tool that can command BOOT partitions.
MP3-as-Bridge Limits
====================
What it CAN do:
---------------
- Act as a pass-through SD host for the tabletβs eMMC USER partition.
- Let your phone (via OTG) see the tablet storage as if it were a big SD card.
- Allow raw reads/writes of the main user area (system, vendor, userdata, etc).
What it CANNOT do:
------------------
- Access BOOT0, BOOT1, PRELOADER, or RPMB areas (these require full eMMC host commands).
- Replace the first-stage bootloader or preloader code.
- Handle signed/verified boot enforcement (AVB, dm-verity).
- Recover the tablet if boot partitions get corrupted.
Implication for Firmware Replacement:
-------------------------------------
- If all you wanted was to tweak *system/vendor* while leaving the stock
boot chain untouched, the MP3 bridge *might* let you overwrite those.
- If your goal is to "properly" replace the firmware (install Lineage, TitanCore,
or any custom OS), you almost always need to touch BOOT partitions
(boot image, kernel, preloader).
- Without true eMMC host mode, you canβt reliably write those areas.
- That means the MP3 bridge alone cannot guarantee a full, working firmware replacement.
- Risk: you overwrite system but kernel/bootloader are mismatched β tablet wonβt boot,
and you have no way to re-flash the boot area through the MP3.
Summary:
--------
- MP3 bridge = good for *partial access / experimenting with user data*.
- Proper firmware replacement (kernel + bootloader) = requires true eMMC host
or a tool that can command BOOT partitions.
06:10
So in other words it can do some but not what is fully needed
06:15
I wonder if we are able to load music onto it that way, yeah it would need to be done whenever you sync but it could be at least something
D
06:32
D
You could add music, but ideally you're modding the tablet to ignore syncing or re-syncing itself regularly so that this isn't a concern.
06:33
I'm not saying this is game over. All the key settings are stored in the userdata partition.
06:33
These can be tweaked, and the tablet will unlock.
T
06:33
TheTechForge
Yeah I'm still going to mess with this bridge, I will need to dig around and read alot about this stuff
06:34
I wish some old phones where around still because old androids could root themselves which then could root this Motorola I have
S
12:28
Shag
In reply to this message
I posted these and can probably make and trace a new one if needed.
Synonymous joined group by link from Group
JB
D
21:38
Don
hay guyz, I am going to invite a hacker friend of mine i did time with. he's in free world now
Don invited GhostExodus
JB
21:40
John Blaze
In reply to this message
This was just an example of what I was suggesting to be done to the tablet motherboard so that we might be able to find and trace the emmc chip connections we are seeking
G
21:43
GhostExodus
From an OG, (MLT) RE: Also, what OS is running on them? Adnroid? iOS? Sometimes else?
soudns like MITM is potentially a viable option if it's sending the priivkey to a remote server
questions:
- Is this remote server on the same internal network as the Kiosk Tablets?
- is it LAN-only, or accessible over WAN?
- Is SSL (in particular HTTP+TLS)
- if SSL is in use, which version is in use?
- Can the SSL version be downgraded to an older version via manipulation of HTTP headers?
- Is the "HTTP-Strict-Transport-Security" header in use?
- is CSP in use?
- is the HttpOnly flag enabled or disabled for SSL?
- If it is disabled, are there any other domains and/or subdomains associated with this domain name?
- If there are subdomains associated with this domain, and HSTS (or HttpOnly flag) are disabled via HTTP response headers, then is it possible to find XSS (doesnt matter which type, reflected, stored, blind, whatever) on any of these subdomains? If so, then due to it lacking HttpOnly or HSTS, it should be possible to grab session cookies via document.cookie output via an XSS.. if that's the case, then session hijacking in a subdomain should allow for session cookies to be hijacked via abusing an XSS in a separate subdomain.
- If they have a CSP in use, can you paste me their EXACT CSP rules?
If they have the permissions-policy HTTP header set, then please show me their exact policy.
That's all I've got to ask for now... based on what you know about the target I can start to offer you some more advice that is wayyyyy more specific..
If they are iOS, depending on which apps are installed, I have a method for triggering Horizontal LPE based upon many major iOS apps β thing is, you'd need access to his device in the first place to carry such an attack like (or at the VERY LEAST you'd need to either be on the same WiFi network as him to carry o7ut a MITM or you'd n ee3d to trick him into clicking on a URL or something in order to infect his device with malware)
If he's using android, sadly I dion't currently have any 0day exploits which would be well-suited for this.. on the other hand, many exploit brokers who I do business with via my 0day brokering service, many of these guys have all sorts of different android 0day exploits which could be used to do stuff such as remotely infect his phone and carry out MITM internally that way.. I could also speak to an old friend of mine (Moxie Marlinespike, creator of Signal and Wickr, and currently someone who has access to SSLSrtrip Plus, a private tool that allows you to downgrade SSL to plaintext HTTP.. Moxie owes me a favour from a while ago, and if he gives me the source for this tool then it would allow you to downgrade HTTPS to HTTP, allowing a MITM to be abused to read ALL HTTPS TRAFFIC in 1100% plaintext..
Ideally though,t his would be a VERY LAST RESORT of mine.. as even governments and intelligence agencies don't know such a tool is currently working.
β€
soudns like MITM is potentially a viable option if it's sending the priivkey to a remote server
questions:
- Is this remote server on the same internal network as the Kiosk Tablets?
- is it LAN-only, or accessible over WAN?
- Is SSL (in particular HTTP+TLS)
- if SSL is in use, which version is in use?
- Can the SSL version be downgraded to an older version via manipulation of HTTP headers?
- Is the "HTTP-Strict-Transport-Security" header in use?
- is CSP in use?
- is the HttpOnly flag enabled or disabled for SSL?
- If it is disabled, are there any other domains and/or subdomains associated with this domain name?
- If there are subdomains associated with this domain, and HSTS (or HttpOnly flag) are disabled via HTTP response headers, then is it possible to find XSS (doesnt matter which type, reflected, stored, blind, whatever) on any of these subdomains? If so, then due to it lacking HttpOnly or HSTS, it should be possible to grab session cookies via document.cookie output via an XSS.. if that's the case, then session hijacking in a subdomain should allow for session cookies to be hijacked via abusing an XSS in a separate subdomain.
- If they have a CSP in use, can you paste me their EXACT CSP rules?
If they have the permissions-policy HTTP header set, then please show me their exact policy.
That's all I've got to ask for now... based on what you know about the target I can start to offer you some more advice that is wayyyyy more specific..
If they are iOS, depending on which apps are installed, I have a method for triggering Horizontal LPE based upon many major iOS apps β thing is, you'd need access to his device in the first place to carry such an attack like (or at the VERY LEAST you'd need to either be on the same WiFi network as him to carry o7ut a MITM or you'd n ee3d to trick him into clicking on a URL or something in order to infect his device with malware)
If he's using android, sadly I dion't currently have any 0day exploits which would be well-suited for this.. on the other hand, many exploit brokers who I do business with via my 0day brokering service, many of these guys have all sorts of different android 0day exploits which could be used to do stuff such as remotely infect his phone and carry out MITM internally that way.. I could also speak to an old friend of mine (Moxie Marlinespike, creator of Signal and Wickr, and currently someone who has access to SSLSrtrip Plus, a private tool that allows you to downgrade SSL to plaintext HTTP.. Moxie owes me a favour from a while ago, and if he gives me the source for this tool then it would allow you to downgrade HTTPS to HTTP, allowing a MITM to be abused to read ALL HTTPS TRAFFIC in 1100% plaintext..
Ideally though,t his would be a VERY LAST RESORT of mine.. as even governments and intelligence agencies don't know such a tool is currently working.
TT
22:35
Deleted Account
In reply to this message
1. We connect it to the kiosk to get revalidation. They use some internal network endpoint to sign the nonce challenge and validate the kiosk.
2. USB to the kiosk and then LAN
3. Based in the source code that we reviewed it over SSL, but internal network which we can't access. Any external device will trigger warnings
4. NA
5. NA
6. NA
7. NA on csp
8. NA
9....
Target is the android tablet, running Android 10. Bootloader locked. MTK8168. They use session authentication to allow the host device to write changes to the tablet. Tablet connected to the host, when Accessory mode activated it would create a challenge using random nonce and tablet id information, host will send it to the internal subdomain endpoint and use a secret key to sign the challenge, return to the tablet, tablet is using hard coded public key to verify the challenge validity, authenticate the host in success by changing internal in memory flag to be auth=true and allow any other changes to be executed to the tablet. Limited to enabling wifi, adb, expiration days, etc..
Only valid method so far I know is the MIM, but due to the lack of RPi can't test it. Phones can't emulate device id and vendor Id to match the tablet. Unless you can help with custom ROM with modified kernel to access such a low level changes on few most common phone models.
β€
2. USB to the kiosk and then LAN
3. Based in the source code that we reviewed it over SSL, but internal network which we can't access. Any external device will trigger warnings
4. NA
5. NA
6. NA
7. NA on csp
8. NA
9....
Target is the android tablet, running Android 10. Bootloader locked. MTK8168. They use session authentication to allow the host device to write changes to the tablet. Tablet connected to the host, when Accessory mode activated it would create a challenge using random nonce and tablet id information, host will send it to the internal subdomain endpoint and use a secret key to sign the challenge, return to the tablet, tablet is using hard coded public key to verify the challenge validity, authenticate the host in success by changing internal in memory flag to be auth=true and allow any other changes to be executed to the tablet. Limited to enabling wifi, adb, expiration days, etc..
Only valid method so far I know is the MIM, but due to the lack of RPi can't test it. Phones can't emulate device id and vendor Id to match the tablet. Unless you can help with custom ROM with modified kernel to access such a low level changes on few most common phone models.
G
2 October 2025
D
00:10
Don
if i could get a rooted tablet in here i could write the code to emulate the proper device ids. but its a cart/horse problem. I heard they are going to sell 8 inch Keefe tablets so when that happens will pay the local smugglers to get a 8 inch tablet with Sim card in. Hopefully pre rooted
β€
JS
00:16
ghost here is a link that has the emmc dumps from the tablets as well as windows kiosk dump: https://hrethgir.org/score7/
00:24
direct link to Java source code that runs on tablet and negotiates with kiosk. maybe he will see a vulnerability we missed? https://hrethgir.org/score7/Decompiled/Edgejas/UsbService.txt
C
00:31
C
Qq3a looks like it's from a pixel 4?
00:38
00:40
Any other info that would be useful?
00:42
Deleted first screenshot because of ip address but same info is on this
00:42
Confirmed lineage version that was posted above
HH
02:51
Halfredo Hernandez
Guys sorry for the stupid question but I rarely use tg and I've been locked up long. Will someone please dm me and tell me how I can find/ get back into this group when this phone dies and i move to another phone? I think it's on its last leg
B
03:03
Billi
In reply to this message
remember my username i will add u..if u couldn't find anyother way
HH
03:05
Soon I'll try some social engineering. I don't think it would hurt to ask some atg employees or ex employees for help. I also have a friend who is high ranking in Cisco systems as a programmer
03:08
this shit got me tight
03:08
sorry for the post here
03:09
but this bitch got 7 yrs for 155mill
03:09
worst she went to trail
HH
03:09
Halfredo Hernandez
Wow
B
03:10
Billi
can we make a room for federal jailhouse bitchting
03:11
mp3, Ai, scammer, jailhouse bitchting if its ok with admin n everyone
HH
03:11
Halfredo Hernandez
Lol
B
03:12
Billi
In reply to this message
They tell us if u go to trail thry will fry us n then i see this
TT
04:00
Terry Thompson V 2.0
I mean who are you? We don't just let anybody in these groups
04:01
Who did u know to get here? Or who can vouch for u
D
04:52
D
In reply to this message
Yes, but receipt and transmission for what? CPU, eMMC, non-existent SD card slot? And talking to an eMMC requires more than TX and RX. CLK, VCC, and GND variances are also use to send "signals" about the expected eMMC state.
04:53
This is why we need better information on the test pads that connect to the eMMC.
TT
04:58
Terry Thompson V 2.0
John are you gonna reply? I saw you just joined and I welcome you but I am curious to how you found us or how you reached us. Sorry to be so nosey but as you know we all have reason to be
D
05:01
D
I will say, John has at least been helpful in bouncing ideas about pin access for the Gen2-SD attack vector.
TT
05:01
Terry Thompson V 2.0
I want to thank our owner of this group for trusting me and having faith in me to promote me to administrator.
π
HH
JB
T
05:03
TheTechForge
Test pads for the emmc connection is in the guide
05:03
Unless you mean not using the bridge
D
05:03
D
Also, the thing John forwarded from the other group was a screen shot of a Score7T with a modified recovery. That is NOT a board swap, and leads me to think someone at his yard has already compromised ATG.
TT
05:06
Terry Thompson V 2.0
In reply to this message
I am sure he is a great guy but I just wanted to make sure somebody could vouch for him before anybody added him. Nothing personal just trying to keep us all safe and as I was explaining to Ryan back in the day when we were exploiting Nokia phones for free service from att they had people in our private group that was posing as one of us and as soon as the codes were posted they shut us down . Instead of getting 2 months of service we would get shut down in a hour . But all is good I just wanted to know
D
05:06
They still haven't been confirmed.
05:06
I was excited to find out that I could grab a Gen2 street version from Amazon for $50 so I can test the IPS method when I hit the street.
05:07
In reply to this message
I don't know that very many people here have been vouched for or verified in this way.
05:08
Also, once we exploit these tablets in the method I have proposed, there's not much they could do to stop us.
05:08
And the BOP has already committed to buying Score8 and Score11 with the EXACT SAME HARDWARE and software...
J
05:11
John
In reply to this message
Has anyone actually been able to buy a Score 8 or 11 from their commissary yet? Looking for pictures of the actual device.
T
05:16
Basically direct 1 to 1 mp3 pins go 1234 top then 8765 from outer edge going in
05:16
Tablet pins are 1-8 top down
05:17
The next few days I'll be doing this with the repair guy here and see what it's all about
D
05:18
D
In reply to this message
Where on the board are there 8 pins in a row? Can you grab one of the photos from the link and zoom in on them?
T
05:19
TheTechForge
Where the SD card is supposed to be, it's done using the SD card ports
05:19
05:19
So 1-9
05:19
But 9 is just another grnd
D
05:20
D
Ah, the unpopulated SD card slot.
T
05:21
TheTechForge
Read the guide to make sure you connect correctly but that is the pinouts for the SD on mp3 and tablet SD slots
D
05:21
D
Okay, I at least know where to try when I go at this in a few weeks.
T
05:21
TheTechForge
Yes but it should still be live just not installed
TT
05:21
Terry Thompson V 2.0
In reply to this message
I thought I was doing all of us a favor. All of us original members came from a group and I know I was vetted tophopn vetted me on my first telegram group but half the group knew me from hackforums. if anybody wants to talk about this direct message me . This is not the place.
T
05:27
TheTechForge
Oh on another note about 7t I wonder if you guys might be able to help me with a buddies tablet. He bought it and 4 months later when he powered it up it's stuck in a boot loop. It's out of warranty and he sold me it for parts but I never needed it. Can this be fixed?
05:27
He didn't do anything other then shut it off one day and the next it looped
05:28
I was hoping if anything maybe this isp bridge will allow me to copy and replace anything that might be corrupted
D
05:28
D
Because they aren't very transparent about how the system works, it's hard to troubleshoot or fix such things.
05:29
However, you will need a rooted device to troubleshoot whether any of the system ROM partitions are borked.
05:29
The IPS technique on an un-rooted device will only allow for editing files on the user data partition.
T
05:29
TheTechForge
Well then hopefully I can figure this Moto out
D
05:30
D
And while this can be used to jailbreak a tablet, it can't fix a scrambled boot partition.
T
05:31
TheTechForge
The dude can't afford another anytime soon so it would be nice to try to figure it out so if you have any ideas or if anyone has any to try let me know
D
05:32
D
Is his early enough that he can access the recovery by holding a volume button on reboot?
T
05:33
TheTechForge
No it's a 7t I think that what fixed in the Cs wasnt it. I know when they first where sold I could access that in the C, was funny I got my buddies stuck in airplane mode lol
β€
S
D
T
05:34
TheTechForge
No federal
D
05:34
D
How do you know it's in airplane mode? They should all be in airplane mode in the feds.
T
05:35
TheTechForge
When it first came out I found some weird swipe screen thing that brought up some weird shit in boot. It was like a red box you could swipe your finger around in wierd patterns. After that it has the airplane mode icon up by battery
05:35
I asked commissary about it and 3 weeks later bop did a patch
05:36
He said he had a lot of issues with that. I don't know if what I did triggered it or if it was a bug
D
05:36
D
Huh. Weird.
T
05:37
TheTechForge
Yeah the swipe thing was some kind of scan thing idk it was years back now so I don't remember it anymore
05:38
I do know the first tablets where not locked out of the fastboot stuff, you could select your boot option and everything.
05:42
Found the keefe score 8 manual, trying to find the 11 also trying to find proof of streaming services. Guy here swears seagoville has TV and games streaming via wifi
D
05:42
D
Yeah, the recovery and BROM was easily accessible then. Now you have trigger it some other way. However it's done in the factory...
05:43
In reply to this message
Which guy? I have several friends there, and the only streaming via Wifi is from phone hotspots to smart TVs.
T
05:45
TheTechForge
I heard it from one to another idk him personally a guy from upstairs unit comes down alot and said he heard it. Also said psychology said WiFi by end of year. Inmate.com most likely
D
05:45
D
Yeah, I call bullshit.
05:47
Just talked to my guy there. He said absolutely not.
T
16:26
TheTechForge
Man fuck tablets give me this in the feds
C
17:54
C
In reply to this message
How common are the old tablets, what timeframe were they easily breakable? I can go around and ask people with older ones to try. Any signs to look for? And if I get one are there simple instructions to root it?
17:55
Or would syncing it regularly have patched anything
D
21:17
Don
I have an old tablet score 7c but it's patched due to trulincs update. I remember being able to access bootloader but fastboot didnt do anything
21:19
mine has the second patch with serial number on lock screen, too. that one was more recent
21:23
I doubt the feds would bother with our chat. phones are everywhere and they dont care. one for every 2 inmates here. last spot we had board swap tablets and free world mp3 and they wouldn't even take them
21:25
be back later
GG
22:18
Gino Green
In reply to this message
What's going on at BMT heard y'all shut down and people got arrested per BMT FB group
22:21
In reply to this message
A guy here had one not long ago . He was using it to charge his phone and out of no where some thing came up on his screen he don't know what it was but just reset it and came on with the all white screen as if you bought it new
22:22
I have 2 but I'm sure they are back boards never been activated on the computer
3 October 2025
JB
00:03
John Blaze
In reply to this message
I'm really not anybody to say... But if it counts for anything I agree with Terry. It's my opinion that we should all air on the side of caution and at least use the other group to see if people are worth a fuck before just allowing them the opportunity for the kill shot.
00:10
In reply to this message
Let me know if you do get it rooted because I have the same one.
However it sadly updated to Android 15 and probably closed any security holes I could have exploited.
However it sadly updated to Android 15 and probably closed any security holes I could have exploited.
00:23
In reply to this message
Yo that is actually a good idea. I thought about a raspberry pi but this would work better I'm sure.
TT
01:09
Terry Thompson V 2.0
@Thetechforge I really think if u want to root itt properly u would use magisk and I don't think u can do it with a phone but if u figure it out let me know . I know you use to could use bugjjeager but I don't think u can now. Good luck
D
01:32
Drew
In reply to this message
I have to agree. Weed out some of the bad shit. I knew Terry from hack forums. And he also knows people I was locked up with that he's with now. It's not as easy for some people to be vetted. But if someone runs to the law then all this is for nothing.
π―
JB
D
02:04
Don
In reply to this message
it's true. perimeter truck fired on two guys dropping packs over the fence to the low.
JB
02:21
John Blaze
Damn. Time to upgrade to a drone for sure.
Better yet one that can drop a dart that will sink into the dirt or even dig into the sand with a quick slick mod π¦Ύπ΄ββ οΈπ
Better yet one that can drop a dart that will sink into the dirt or even dig into the sand with a quick slick mod π¦Ύπ΄ββ οΈπ
T
02:26
TheTechForge
They popped the commissary warehouse where I'm at just a few weeks ago with like 600 vapes and a butt load of phones. and rec yard is always closed cause of packages.
02:26
I did 7 years at oxford and never once seen a vape or phone, they go nuts here in Ohio lol
02:27
This weekend I will be seeing what all it can do and how well that isp bridge works
02:28
I also need help on as buddies tablet, it's stuck in a boot loop 4 months after he bought it, any recommendations on how to try to get it out of a loop would be great it's a 7t
TT
02:48
Terry Thompson V 2.0
Hmm did u ask in the other groups.? There once was some real sharp people in there
T
02:49
TheTechForge
I'm going to ask around the guy sold me it for parts but I never did anything with it and he's been out a tablet for half a year now, and can't afford another so I'd really like to help the old guy out of possible
TT
02:52
Terry Thompson V 2.0
Sorry I thought we were direct messaging. LoL. I will ask around about the boot loop
HH
03:09
Halfredo Hernandez
In reply to this message
So mad I could have bought the early 7c in Petersburg but I decided to wait. I also remember easily accessing some recovery type screen
T
03:13
TheTechForge
Yeah when first out you could hold the volume during boot to get to it, they patched within about 6 weeks
HH
03:18
Halfredo Hernandez
As far as vetting goes, I'm not too sure of the best way. I contributed a termux script for converting videos to amv for the mp3 players that people seem to like. I seriously doubt police would go that far lol
JB
03:25
John Blaze
In reply to this message
What about immediately after buying them from the commissary?
Is brom mode accessible before connecting to the kiosk
Is brom mode accessible before connecting to the kiosk
T
03:26
TheTechForge
They are factory updated now, well past that. That was the score 7c back in like 2022
HH
03:27
Halfredo Hernandez
In reply to this message
I used one of the first sold. It was more of a test like mode. You could test the buttons, it had some weird screen that someone else explained above. One of my friends pulled up a smiley face screen i don't know what that was about
T
03:27
TheTechForge
Blue circuit board with no Keefe logo on them
HH
03:27
Halfredo Hernandez
In reply to this message
Based on my bad memory, I don't think it was a proper recovery/brom mode
T
03:28
TheTechForge
It was some kind of graphic test thing I believe, but it did allow you to select the boot.
JB
D
05:37
D
In reply to this message
This file doesn't exist on the tablets. Remember, ATG took base Android (or LineageOS) and modified it. I have mounted the partitions from the tablet and zipped up the only two settings.db files that exist.
05:37
05:41
In reply to this message
No, anything that can run Linux is better. Windows requires special drivers and other bullshit. Every time I got somewhere with the tablets it was because I had Linux tools, not windows.
05:44
I had an early 7C, and even getting it into BROM mode didn't do much good. I had a Linux tablet with mtkclient, and got nowhere because of SBC.
05:45
However, the most promising method is, and will always be, modifying the eMMC using an external method, especially since the bootloader and recovery are locked by CPU e-fusing.
05:47
However, that works to our advantage, because ATG can't make changes to the system, including Android system settings, without having to flash new ROM updates, and that's a lot of work. It certainly can't be done every time the edgejas app makes minor tweaks. This means that all the important functions are modified in the userdata partition, and any "sensitive" changes happen to its /system subdirectory.
05:48
I have also talked to my friend who mapped out the test pads.
05:48
This is his schematic of the pins:
05:48
05:49
And, though I am waiting on confirmation from him, I believe they correspond to this image:
05:49
05:50
If you rotate the image so it is upside down, you'll notice the gold pads in the center have the same spacing as the black and white pin-out diagram.
05:51
However, it may be necessary to run semi permanent wires for testing (until we get a one-patch script to "break" a tablet for good), and the tablet may need to be powered on (and the reset switch hit early in boot to disrupt CPU to eMMC communication.
05:59
According to ATG's app code, the easiest issue to solve is mortality. One need simply edit the mortality values in [userdata]/data/com.advtechgrp.edgejas/shared_prefs/com.advtechgrp.edgejas.PREFERENCE_FILE_KEY.xml
06:00
Then delete [userdata]/system/locksettings.db
06:01
This will remove the screen lock from an expired tablet, and with the proper values in the preferences file, the edgejas app won't relock it.
06:02
Also, settings like enabling ADB or other key things like WiFi, can be done by editing settings files in the userdata partition and rebooting the tablet.
D
06:43
D
In reply to this message
As to what values to place in which fields, well, I have to look at the edgejas code some more for that answer.
D
07:01
D
According to ChatGPT's evaluation of the code, the entire mortality feature of the tablet can be disabled by changing the mortality value to "0". That's zero. A -1 means mortality expired, and any positive number is days remaining on mortality. A sync sets this to 14.
D
08:28
D
I zipped the decompiled Edgejas APK to make it easier to download, but also to allow for uploading it to AIs.
https://hrethgir.org/score7/Attack%20Vectors/edgejas.zip
https://hrethgir.org/score7/Attack%20Vectors/edgejas.zip
08:29
When I uploaded it to ChatGPT, the AI analyzed portions of the program I hadn't ever understood before.
08:30
For instance, the kiosk can send an "intent," which is like an Android command to run an app or a portion of an app.
08:34
The Edgejas has a UI that is normally hidden. It can enable adb, mtp, or USB accessory only modes with the tap of a button. It may be possible to enable these modes while the device is offline, so they are available on boot.
C
09:56
C
Ok here's a weird idea. Can you build a USB splicer so it can be connected to a phone and trulincs at the same time then once session is confirmed send commands from the phone?
09:57
Chatgpt is skeptical but I've seen people build weird shit in prison
D
09:58
D
In reply to this message
No, because the kiosk generates a key pair, and the private key is not shared via USB or Ethernet.
09:58
It stays in the kiosk memory. And this key is generated every time the tablet attaches to the kiosk and can't be reused.
C
09:58
C
In reply to this message
We don't need the private key. The idea is authentication is once per session so you can steal the session from trulincs
D
09:59
D
That's not how encryption works.
09:59
The communication on the USB is entirely done via keypairs.
10:01
There isn't a "session" that can be sniffed.
10:01
Kiosk uses a key pair and keeps the private portion in RAM. It passes the public key to the ATG server to be signed. The signed public key is passed to the tablet. The tablet verifies the signature, and then trust the public key.
10:01
All communication is done via those keys afterwards.
10:02
The initial handshake is done using pre-approved keys baked into the kiosk and tablet.
10:02
We have those, and can generate a keypair, but no way to get the ATG server to sign it.
10:03
I have proposed building a kiosk app that can run on Linux and mimic a kiosk. But this is highly risky, and involves running rogue code on a kiosk that has been booted into Linux.