3 October 2025
D
10:03
D
Worst case scenario, SIS taps you on the shoulder and you're fucked.
C
10:04
C
Can you build a hook for windows that gets loaded before booting the real kiosk
D
10:05
D
Maybe? It might remotely be possible to load Linux, run some virus-like code, and then chain-load Windows. But this is beyond my experience.
C
10:07
C
I remember using some software called konboot 10+ years ago which would boot from USB then load windows and disable password login on Windows
10:09
In reply to this message
I'm still thinking you could interfere at just the right point in the process.

At time T it sends an authentication message with the signed challenge.

At T+1 it sets up a shared key.

Can you let the first go through and intercept the second?
D
10:09
D
No, because that order is backwards.
10:10
It creates the keypair in RAM, and only shares the public half.
C
10:10
C
I'm going off chatgpt analysis which could be inaccurate
D
10:10
D
In reply to this message
👍
C
10:11
C
Trying to get a good idea of the relevant flow. It seems with full control of the data you should be able to do something
D
10:12
D
That's the point of keypair encryption. When done right, even with full access to data on the wire, you don't have shit.
C
10:23
C
I posted in ai channel
10:23
It says the authentication message doesn't sign the key so you might be able to replace with your own key if done right
17:15
Deleted Account
In reply to this message
If edgeJas is an APK that runs on the tablet maybe we would be able to access it with the phone emulation of the keyboard. Then clicking necessary buttons in the app. If I understood you correctly it should be possible.
JB
20:51
John Blaze
In reply to this message
💯 Linux for sure.
I was thinking this may have more capabilities than the raspberry pi, because sometimes shit is limited with the arm processors.
At least in my past experiences it was.
JB
21:15
John Blaze
In reply to this message
Like this?!
👍
D
21:20
In reply to this message
What about instead of sniffing the packets. We hold the tablet in the connected state.
Disconnect
Connect our phone
And possibly change values or code
JB
22:03
John Blaze
In reply to this message
Oh nevermind that then
22:06
In reply to this message
If it's what I'm thinking of that was because it overwrote the hash files in the system registry.
By doing so you could remove the password or set it to any value you wished but not read any files that were encrypted with this hash.
4 October 2025
01:06
Deleted Account
In reply to this message
They wouldn't do that(remove test points).
And more than that. You can't confirm that there is no police here.
JB
01:53
John Blaze
In reply to this message
True enough.
And I get that one of the admins of this group was questioning you about how you heard about the group, and I also was and am in agreement that people shouldn't be let in that have not previously at least had some interactions with the admins or trusted people in the group.
And admittedly there is no way that I can see to verify that one is not a cop or working as a snitch sadly as many shit heads have.

But no one has said shit about not trying to advance our cause as a result of lack of vetting of the individuals in the group.
Additionally that was me reposting the photo that was already on here and explained.
That was just me doing a visual representation of the instructions for clarity.

But if I am operating outside of how we are expected to then I apologize in advance and please pull me up to speed.

Otherwise I was under the assumption that this is the group to be sharing these things.
If there is another then please consider me for entry.
Or if there are questionable people here then I would urge the admins for a purge.
T
02:34
TheTechForge
I was under the impression you can't root a phone without another rooted phone, however after talking with D. I found that's not true, I came across two videos, one rooting using a second non rooted phone using termux and another using bugjaeger. I will be attempting to get the OEM unlock code to see if I can open my boot loader and if so using what's called an OTA sniffer (over the air) to locate proper boot img. If I can figure this out I'll make a guide to walk others through it and hope we can open some road blocks we face with non rooted phones. I know a few others have the same phone as me which is a Motorola Moto g play 2024. So this will be directed more towards them but if I succeed I'll build a guide for this phone specifically and then one for others to try on other phones. If jammers are potentially coming out clock's ticking.
JB
HH
03:27
Halfredo Hernandez
In reply to this message
FCC approved jammers end of last month but it looks like for state and local spots? Didn't read it yet
JS
03:31
John Smith
My understanding is feds have already been approved to use jammers right before covid
03:32
Just never put money into it
HH
03:33
Halfredo Hernandez
Oh I see
JS
03:37
John Smith
They were doing micro jamming tests in CA in 2019 in the feds
JB
03:38
John Blaze
I know that Miami feds have been using them for a while now. But they said that they are intermittent for some reason.
And they have been threatening to do them here for some time now.
Supposed to be able to selectively poison any unapproved IMEI numbers and allow the approved ones to communicate
03:39
I think edgefield medium has them as well but I'm not 100% on that
T
03:43
TheTechForge
I had chatgpt search before through foia and they approved not jammers but signal hackers
03:44
If you want more info on what I found I can redig it up later and post it
03:45
And was only being tested in approved facilities
D
04:45
D
In reply to this message
If it can even run it. The issue may be getting to the boot choice menu. With what keyboard? This is probably being accessed remotely via phone. I had to root a phone to use it as a keyboard to force alternate boot options on my mini tablet, and at least that had a screen.
04:47
In reply to this message
As soon as USB disconnects, edgejas app gets an intent that notifies it of the disconnect. It then resets to its standard, non-talkative state. But even if it didn't, you don't have the kiosk private key to continue the conversation.
04:48
In reply to this message
The windows kiosk default user ("mail user") doesn't have a password to override anyway. It logs in automatically and launches the kiosk software. This software does not seem to be geared towards the security model of these kiosks.
04:51
In reply to this message
The tablets are manufactured by the thousands ahead of time. Even if they decided to move them, the affected tablets would be a generation or two from now. And even if they moved them, there would still be test points somewhere because the tablets have to be modified or repaired by ATG at some point.
👍
R
04:57
In reply to this message
I have spoken to individuals at three facilities where the jamming system was implemented. They were all in the middle of nowhere, not near large metropolitan cities. The facility installs a line of waist-high posts with powered boxes on top. The boxes contain a version of IMSI catchers (aka stingrays) which sniff IMEIs from nearby devices. Any IMEI within range for 30 days gets logged. Any that don't match privileged staff members get looked up. If it's on T-Mobile, the prison calls T-Mobile and requests the IMEI be disabled as it is operating illegally in a prison. If I remember correctly, most carriers comply with this nonsense, except Simple Mobile. They just never seem to have the resources to get around to shutting phones off. However, this was Intel gathered about 18 months ago.
04:58
The way to circumvent such issues is to explain to guys doing the smuggling that eSIM phones are the way to go. If the prison cancels your IMEI with your carrier, you can adjust use the eSIM to get a new carrier.
GG
06:13
Gino Green
TT
T
08:15
TheTechForge
They said that here where I'm at as well yet no one seems to actually have one
08:16
And even if you come across one unlocked don't mean it wasn't done by Keefe and sent back over the wall
GG
08:50
Gino Green
In reply to this message
Well this guy is in Dix
08:51
I had heard about it before so i asked him
R
14:52
Roscoe
Unity discloses a years-old security exploit and urges developers to update their games | The Verge
https://www.theverge.com/news/791609/unity-security-exploit-developers-update-games
14:54
I know a lot of the games use the Unity engine, so just in case anyone has the ability to leverage the exploit ☝️
JS
16:41
John Smith
Does anyone know where the PMIC rail is located? Continuity from cap to PMIC rail usually marks VCC (≈3.3 V).
19:05
Deleted Account
In reply to this message
I didn't see no solution offered, maybe I missed it.
JB
21:20
John Blaze
In reply to this message
There are a lot of holes in that plan that I'm not even going to point out.
But that being said if the admins make a separate section to post all of that I'll be right there with you all.
5 October 2025
00:57
someone at the camp sent me that
00:58
Deleted Account
Doesn't look like our tablets
GG
01:31
Gino Green
I think those are the ones they are using in the state
HH
02:53
Halfredo Hernandez
In reply to this message
From unity forum

Requirements to exploit NON-web-enabled Unity applications:

a 3rd party application containing code to explicitly make use of the exploit installed on the users system
a Unity application (any type) installed
TS
02:58
Tony Sparks
Anyone heard anything about an mp3 being used to unlock a tablet, guy here said he wanted to make ISP something with the mp3 and the tablet
HH
03:00
Halfredo Hernandez
In reply to this message
It's called an isp bridge. And I think the goal is to write directly to the tablet emmc
03:01
It is a theory but very complicated
TS
03:13
Tony Sparks
Has anyone dug into it? Guy here says he can do it, very knowledgeable, but I don't want to sacrifice my Gen 1 for no reason
03:18
Tried to chatgpt but that shit the feds fr 😓
HH
03:19
Halfredo Hernandez
Isp bridge
HH
03:19
Halfredo Hernandez
T
TheTechForge 01.10.2025 05:37:27
HH
03:20
Halfredo Hernandez
Courtesy TheTechForge
TS
03:25
Tony Sparks
Ok now, I see it's complicated, but has anyone even tried this yet, or is it strictly a theory
HH
03:27
Halfredo Hernandez
In reply to this message
Not sure i think someone said they will attempt it soon
TS
03:28
Tony Sparks
I wanna show this to this guy because he had the same idea, guy used to work for tech companies before he got snatched, if anyone can do it it's him, I was gonna use my Gen 1 to flash SD cards, but that route seems to be a dead end, might just give him this player, or does it have to be the 2nd Gen?
HH
03:29
Halfredo Hernandez
I'm not sure. Once I saw how complicated it was I stopped reading lol
T
03:43
TheTechForge
Sparks just know it's not a true isp Bridge it can't do full function. This is what it can and can't do.


MP3 “ISP Bridge” ≠ True ISP
===========================

WHAT IT IS (in your setup)
- You’re wiring the SD pins from a SanDisk Clip Sport (as an SD *host*) to the tablet’s storage pads, hoping to speak to its eMMC/SD device.
- The MP3’s SD controller + firmware were designed only to talk to a *card* for music files, not to act as a general-purpose eMMC programmer.

WHY IT’S NOT A TRUE ISP
- Wrong role & stack: A real ISP tool exposes raw block access and low-level commands. The MP3 runs a closed, high-level filesystem stack that expects FAT and “files,” not raw device control.
- No bus arbitration: The tablet SoC is still a master on the same lines unless you HARD-hold it in reset and isolate rails. Without this, you get bus contention (two masters on CMD/CLK/DAT).
- No power sequencing: Proper ISP tools control VCC/VCCQ, ramp timing, and resets. The MP3 can’t do clean power-up/power-down sequences for the target eMMC domain.
- No reset/boot hold: True ISP asserts SoC RESET_n or boots it into a safe/tristate mode. The MP3 can’t hold the tablet CPU in reset or gate its clocks/chip-enables.
- Voltage/signaling mismatch: eMMC may require 1.8V I/O (VCCQ) in HS modes; the MP3 slot is typically 3.3V SD. No safe level shifting or mode negotiation = risk.
- Width/mode mismatch: eMMC supports 4/8-bit, boot partitions, RPMB, HS200/HS400, etc. The MP3’s SD host typically only does SD legacy/1/4-bit and no eMMC-specific features.
- No access to special regions: No RPMB, no BOOT0/BOOT1, limited/unknown EXT_CSD handling. You’ll likely only see (part of) user area if anything.
- No raw command console: You can’t issue vendor-specific MMC commands, switch partitions, toggle BOOT_PARTITION_ENABLE, etc.
- Firmware interference: The MP3 firmware may try to mount a filesystem, buffer, or time out. You can’t force raw, deterministic I/O sequences.

HARD LIMITS YOU’LL HIT
- Unstable enumeration or no detection at all.
- Read-only at best; writes are unsafe and prone to corruption (no stable power/timing, no cache/flush guarantees).
- Inability to switch to eMMC boot partitions, change EXT_CSD fields, or perform secure ops (RPMB/auth).
- Speed locked to slow legacy timing; high error rates.
- Any attempt while the tablet SoC is alive will collide on the bus.

WHAT’S MISSING VS. A REAL ISP RIG
- SoC control: Ability to hold target CPU in RESET or force tristate on eMMC lines.
- Power control: Independent VCC (core) and VCCQ (I/O) rails with clean sequencing and current capacity.
- Level shifting/termination: 1.8V/3.3V translators, proper series resistors/pull-ups and impedance control.
- Clock/CE gating: Ability to cleanly own CLK/CMD and CE# without contention.
- Low-level toolchain: Software to send raw MMC commands, read/write EXT_CSD, select BOOT partitions, handle RPMB.
- Error handling/logging: Proper retry, CRC checking, and recovery flows.

WHEN IT *MIGHT* PARTIALLY WORK (READ-ONLY, VERY LIMITED)
- Target eMMC is at legacy 3.3V I/O and will respond on DAT0 in legacy mode.
- Tablet SoC is HARD-held in reset (or eMMC lines are isolated) so the MP3 is the only bus master.
- You only attempt slow, best-effort reads of the user area (no BOOT/RPMB), accepting frequent timeouts.
- You accept a high risk of garbage reads and no guarantee of integrity.

RISKS
- Backfeeding power into the tablet’s rails through SD lines (can damage PMIC/SoC).
- Brown-outs from inadequate current; data corruption on write.
- Shorting/miswiring due to missing level shifting/series resistors.
- Bricking the storage if partial/failed writes touch critical metadata.

BOTTOM LINE
- The MP3 “ISP bridge” is not a true in-system programmer. It lacks reset control, power sequencing, level shifting, and a raw MMC command path.
- Treat it (at best) as a janky, low-probability, read-only tap—*not* a tool for safe firmware edits.
03:43
SAFER ALTERNATIVES
- Proper ISP with a real programmer (e.g., EasyJTAG/Medusa/SDWire-style) + level shifting + RESET control.
- SD/eMMC USB adapter wired to the chip/card pads with isolation and correct voltages, after forcing the SoC to release the bus.
- Last resort: chip-off with a real eMMC reader.

QUICK CHECKLIST IF YOU STILL EXPERIMENT (AT YOUR OWN RISK)
- HOLD tablet SoC in RESET (or remove power to SoC core while keeping eMMC powered).
- MATCH voltages: verify VCC and VCCQ; add level shifters if 1.8V needed.
- ADD series resistors on CMD/CLK/DAT to reduce contention/ringing.
- START read-only; never write unless you have full control and backups.
- MONITOR current draw; avoid backfeeding through signal lines.
03:44
These are not too big and a possible item to get over the wall. They are sold you just need to search for true isp bridge
TS
03:51
Tony Sparks
I see, thank you for your input.
D
03:54
Don
agreed. board looks different. I thought it might be a swap
03:56
https://hrethgir.org/score7/ site is giving me 403 forbidden i was going to poke around edgejas some more. did anyone with chatgpt ask it how the debug menu is accessed? is it a mode only the kiosk can put it in, or is it an android system flag like debug? or how
03:56
I will poke around a bit on my end
T
04:51
TheTechForge
Out of curiosity a guy here wants to swap his 7c battery and board into a 7t case, anyone know if the screen will work from a 7t on a 7c setup. I know the hookup is the same but will there be any difference or driver issue?
04:54
Also I have a tablet an older gentleman bought and 4 months later did a boot loop. I picked it up for parts but I'd love to be able to fix it for him so if anyone has any idea on how to get it to boot properly I'd appreciate any ideas. It was never tampered with, he shut it off and when it booted next it goes from Keefe screen to the end of the securus boot screen, rinse - repeat.
04:54
It is a 7t
D
05:39
D
In reply to this message
I was able to read and write a tablet eMMC that had been desoldered from the motherboard by hooking it up to a Gen2. But that was also using a Linux computer I had smuggled in. It is an entirely valid theory.
HH
05:48
Halfredo Hernandez
In reply to this message
It says forbidden here too
D
05:48
D
In reply to this message
Apologies. I moved some stuff around and failed to update the link! 😁
05:49
In reply to this message
This is likely what you want for analysis:

https://hrethgir.org/score7/Attack%20Vectors/edgejas.zip
D
06:08
D
In reply to this message
If the tablet eMMC is hooked to a Gen2, which is hooked to another device, it should work (at least to read/write to the userdata partition). The only question is what device is it hooked to. An Android phone? It's an open question whether a non-rooted Android phone will identify the partition and mount it for use. I will be testing this soon. I just need some wires (should get those tomorrow some time).
JB
20:43
John Blaze
In reply to this message
Yes the screens are both forward and backwards compatible
B
20:50
Billi
anyone experienced tablet battery exploded while using for J7 OR J3 PHONES
JB
20:57
John Blaze
In reply to this message
No... But I have seen videos.
Did that happen to you?
20:58
Maybe it was made in Israel 😂
JS
22:09
John Smith
Alright here's attempt one. As of right now the mp3 is not putting out any power... We are not sure if it's because of the SanDisk software or something else but about to plug jack into it will keep everyone informed of progress
👍
HH
22:24
First attempt failed to register the tablet. The mp was running the SanDisk firmware which apparently doesn't power up the SD card reader until a card is inserted and initiated. Reflashing with Ruizo firmware for retest...
GG
22:25
Gino Green
In reply to this message
You have to ground out the pin in the back of the card reader so the mp3 can detect that it has a card in it
22:26
JS
22:32
John Smith
In reply to this message
Our tech guy says that the Ruizo firmware will have a constant power on the reader, and that should work, already flashed it so we will see...
GG
22:33
Gino Green
In reply to this message
👍
JS
22:55
John Smith
It will not work as to SD. It's not recognizing regardless of my giving it power. We don't think the data is reaching the EMMC from SD slot.
22:58
We are going to attempt the test pins on the reverse side of the board
We need to know if there is any point that anyone has identified where the VCC is accessible from the top or below the board to power the EMMC. None of the caps alongside the EMMC are putting out 3.3v. There are 4 of them putting out 3v. And none get continuity to the 3.3v rail
22:59
So any help would be great
GG
23:02
Gino Green
23:02
It says here vcc is at the positive battery connection
JS
JS
23:07
John Smith
In reply to this message
He is looking for the confirmed VCC on the EMMC chip.
GG
23:07
Gino Green
In reply to this message
👍
JS
23:17
John Smith
This setup failed to register the Tablet chip on the file explorer as well...
6 October 2025
T
01:15
TheTechForge
I'm working with John Smith and this was the outcome after doing what Gino Green said, we did have to fool the player to think a SD card was in it.


User: The mp3 isp bridge now detects the emmc

Assistant:
That means your wiring and voltage balance are close to correct.
Detection confirms:
- CMD / CLK / DAT0 lines are working.
- VCC = 3.3 V and VCCQ = 1.8 V rails are stable.
- MP3 controller sees the chip as an MMC device.
- Tablet CPU is off or held in reset.

Next Steps:
1. Dump boot sector:
dd if=/dev/block/sdX of=/sdcard/emmc_dump.bin bs=4M
2. Write test:
dd if=/dev/zero of=/dev/block/sdX bs=1M count=1 seek=64
3. Flash image:
dd if=firmware.img of=/dev/block/sdX bs=4M status=progress
4. Safety:
- Current draw <200mA
- Only one power source
- CMD/CLK/DAT0 mapped correctly

------------------------------------------------------------

User: Now how do I get the phone when plugged into the MP3 to detect it

Assistant:
Goal:
Phone (OTG Host) --> MP3 (Device Bridge) --> Tablet eMMC

1. Phone must be OTG Host.
Plug OTG adapter into phone, MP3 cable into OTG female.
If no popup, your cable may lack the 5.1k ID resistor.

2. MP3 must be in Mass Storage (MSC) mode.
Plug MP3 into a PC:
- If it shows as a drive letter, correct.
- If MTP or charging only, wrong mode.

3. Check enumeration:
termux-usb -l
If nothing appears, mode or power problem.

4. Power:
Use powered hub or Y-cable if MP3 needs more current.
Tie all grounds together.

5. Order:
Power MP3 first, then plug into phone.

Expected: "USB Drive connected" popup or
/dev/block/sda appears in Termux.

------------------------------------------------------------

User: Do I need a better app than cx file explorer

Assistant:
CX File Explorer only handles file-level access, not raw images.

Use:
1. Termux + BusyBox (rooted phones only)
2. EtchDroid (no root, raw image writer)
3. Pi SD Card Imager (for OS images)
4. Custom USB-DD apps (root required)

For non-root users, EtchDroid is best.

------------------------------------------------------------

User: Not rooted phone

Assistant:
Without root, Android can’t write to raw devices.

Options:
- CX File Explorer -> browse only
- EtchDroid -> can flash raw .img

Steps:
1. Install EtchDroid.
2. Connect MP3 or SD reader via OTG.
3. In EtchDroid: "Write raw image" -> select firmware.img -> select device -> Write.
4. Wait for 100%, then safely eject.

If EtchDroid doesn’t detect:
- Ensure MP3 in MSC mode.
- Plug in before opening app.
- Test with normal SD reader to verify OTG works.

Summary:
CX File Explorer = browse only
EtchDroid = write firmware (best non-root choice)

------------------------------------------------------------

User: My issue ATM is getting phone the right app to detect it

Assistant:
Goal: Get Android to see the MP3 as USB Mass Storage.

1. Phone = Host (OTG)
Plug OTG adapter into phone, MP3 into OTG.
If no popup, OTG cable likely missing ID resistor.

2. MP3 = Mass Storage (MSC)
Plug MP3 into PC:
- Drive letter = good
- MTP/charge only = wrong

3. Check with Termux:
termux-usb -l
If empty -> mode or power issue.

4. Power:
Powered hub or Y-cable if MP3 underpowered.
Grounds shared across devices.

5. Boot order:
Power MP3 fully, then connect to phone.

Expected: "USB Drive connected"
If not, I can identify pins once I know MP3 model.

------------------------------------------------------------

User: Mp3 shows the emmc but when you click on external card it says disk error I don't believe the emmc is getting power

Assistant:
That means data lines respond but the chip core isn’t powered.

eMMC needs:
- VCC = 3.3 V (core power)
- VCCQ = 1.8 V (I/O power)

Check with multimeter:
VCC -> 3.3 V expected
VCCQ -> 1.8 V expected
If missing -> "disk error"

Fix:
A) Ground Card Detect (done)
B) Inject 3.3 V to VCC through 100-220 ohm resistor
C) Add 1.8 V regulator for VCCQ
D) Common ground between MP3 and tablet

Both voltages steady = stable disk detection.

------------------------------------------------------------
01:15
User: According to the guy helping me with the multimeter there is only 1 pin with 3.3v

Assistant:
That means only VCC (3.3 V) is powered.
VCCQ (1.8 V) is missing.

VCC = core/NAND power
VCCQ = logic/I/O power

Fix:
- Keep 3.3 V on VCC.
- Add external 1.8 V regulator for VCCQ.
- Tie grounds together.
- Apply 3.3 V first, then 1.8 V.
- CMD/DAT0 lines should read ~1.8 V.

After that, MP3 should mount eMMC normally.

------------------------------------------------------------

User: How many wires are needed for this isp bridge

Assistant:
Minimum 6 wires:
VCC - 3.3 V
VCCQ - 1.8 V
GND - Ground
CLK - Clock
CMD - Command
DAT0 - Data line

Optional:
DAT1–DAT3 - extra data lines
RST_n - reset line
CD - card detect (already grounded)

6 minimum, 9 total if using all.

------------------------------------------------------------

User: So we need a 3.3 and a 1.8v wire

Assistant:
Exactly - two power rails required.

------------------------------------------------------------
Rail   Voltage   Purpose             Source
------------------------------------------------------------
VCC    3.3 V     Core/NAND power     MP3 SD slot or external 3.3 V
VCCQ   1.8 V     I/O bus (CMD/DAT)   External 1.8 V regulator or MP3
------------------------------------------------------------

Both share the same ground (GND).

Why both matter:
- 3.3 V powers the NAND core.
- 1.8 V powers the logic interface.
If only 3.3 V -> brief detect then fail.
If only 1.8 V -> core never wakes.

Example:
5 V (from MP3 or phone)
|
v
1.8 V regulator (AMS1117-1.8V or XC6206-1.8V)
|
v
eMMC VCCQ pin ---100 ohm resistor--- (safety)
|
GND (shared)

Expected readings:
VCC ≈ 3.3 V
VCCQ ≈ 1.8 V

Once both rails are powered and ground shared,
the MP3 should mount the eMMC without "disk error".
01:19
We are struggling finding a definitive vcc 3v power pin for the emmc, but it sounds like we also need the vccq 1.8v which is also going to need to be identified. They both are required it seems to stabilize the emmc. The 3.3v needing to go through a 100-220 ohm resistor I will need to look into more as well. Packed everything up as it's almost count but it's a start
01:28
When emmc was disconnected it still showed disk error on mp3 and I thought maybe it was never detecting the emmc, this was the answer from chatgpt so we will need to keep trying.

User: MP3 says disk error even when emmc isn't hooked up, I think the grnd short is all it's detecting

Assistant:
That’s normal behavior if CD (card-detect) is grounded but no eMMC is attached.

Explanation:
- Grounding CD tells the MP3 “a card is inserted.”
- With no eMMC present, it looks for CMD/DAT/CLK responses and gets nothing.
- It times out and reports “DISK ERROR.”

------------------------------------------------------------
Quick sanity checks
------------------------------------------------------------
1) Test MP3 with a real microSD:
- If it still says DISK ERROR, MP3 or cable is bad.
- If it works fine, wiring/power on ISP bridge is the problem.

2) With CD grounded and no eMMC connected:
- DISK ERROR is normal (no device replying).

------------------------------------------------------------
When eMMC is connected (required conditions)
------------------------------------------------------------
- VCC ≈ 3.3 V at eMMC capacitor (core power)
- VCCQ ≈ 1.8 V at eMMC capacitor (I/O power)
- GND shared between MP3 and tablet
- CMD and DAT0 idle high ≈ 1.8 V (VCCQ)
-> 0 V means short or no I/O power
- Tablet SoC disconnected or in reset

------------------------------------------------------------
Common causes of DISK ERROR (with eMMC connected)
------------------------------------------------------------
- Only VCC present (no VCCQ)
- Shorted CMD or DAT0
- Wrong voltage on I/O (3.3 V to 1.8 V domain)
- No shared ground
- Host timing too fast (use 22–47 Ω resistors on CLK/CMD/DAT0)

------------------------------------------------------------
Minimum wiring
------------------------------------------------------------
VCC - 3.3 V through 100–220 Ω resistor
VCCQ - 1.8 V through 100 Ω resistor
GND - common ground
CLK - clock
CMD - command
DAT0 - data
CD - grounded

------------------------------------------------------------
Diagnostic flow
------------------------------------------------------------
1) With eMMC connected and MP3 on:
- Measure VCC (~3.3 V)
- Measure VCCQ (~1.8 V)
- Probe CMD and DAT0 (should read ~1.8 V)
-> If 0 V, short or missing VCCQ
-> If 1.8 V and still DISK ERROR, add 22–47 Ω series resistors and ensure SoC is off.

------------------------------------------------------------
Next step
------------------------------------------------------------
Send a clear photo of the eMMC area (top and bottom if possible)
so I can mark:
- VCC and VCCQ capacitors
- Injection points for 3.3 V and 1.8 V
- Clean CMD/DAT0 probe points
01:33
eMMC FORESEE E32GCSAF (Top View)
---------------------------------
[ Typical wiring reference - not per-photo scale ]

_____
| |
| eMMC |
|_____|
| <- row of small caps along one edge
+---> usually 3.3V (VCC) decoupling cap
||||-----> 1.8V (VCCQ) decoupling cap
|||------> CMD / DAT / CLK routing to SoC or test pads
||--------> Ground ring around perimeter

Power rails:
-------------
VCC : 3.3 V (core / NAND)
VCCQ : 1.8 V (I/O)
GND : common reference

You should find:
- One capacitor with ~3.3 V on its non-ground side (VCC).
- Another nearby small capacitor with ~1.8 V when active (VCCQ).
- Both share the same grounded side (0 Ω continuity to shielding).

Those 3 small gold pads you showed on the top of the board
are often test points for:
1. CLK
2. CMD
3. DAT0
and the single separate pad below them is commonly GND or RST_n.

Use a continuity check:
* To ground -> GND pad
* To small caps near eMMC -> CMD / CLK / DAT0 lines

Safe connection summary:
------------------------
VCC -> 3.3 V via 100-220 Ω resistor
VCCQ -> 1.8 V via 100 Ω resistor
GND -> shared with MP3 bridge
CMD -> CMD pad/testpoint
CLK -> CLK pad/testpoint
DAT0 -> DAT0 pad/testpoint
RST_n -> optional, pulled up to 3.3 V through 10 kΩ

The three stacked gold pads are perfect for soldering fine wires
for CMD / CLK / DAT0, with the single lower pad for ground.

Always verify:
- 3.3 V present at the VCC cap
- 1.8 V at the VCCQ cap
- ~1.8 V logic high on CMD/DAT0 when powered

If you want, send a clearer close-up of those capacitors next to
the chip edge and I can mark which are VCC, VCCQ, and GND
so you know where to inject the 3.3 V and 1.8 V safely.
JS
01:35
John Smith
Alright so the scy chip on the tablet a.i. says is a clone of this chip. Can anyone find anything about this chip? When I Google it it says it's not available... Maybe I should contact company?
01:36
Posting info in A.I thread
T
01:37
TheTechForge
When trying to locate 3.3v pin the issue was finding 3v not 3.3 so I asked this.


User: They are showing 3v not 3.3

Assistant:
Gotcha. 3.0 V is OK for the eMMC core rail (VCC)—spec allows 2.7–3.6 V.
But if you’re also seeing ~3.0 V on the I/O rail (VCCQ), that explains the “disk error” (your bus likely wants 1.8 V I/O).

What the readings mean
----------------------
VCC ≈ 3.0 V → OK (within 2.7–3.6 V spec)
VCCQ ≈ 1.8 V → Ideal for most MTK tablets/eMMC 5.x
VCCQ ≈ 3.0 V → Only OK if BOTH host and chip use 3.0/3.3 V I/O.
If your tablet normally runs 1.8 V I/O, 3.0 V here
will break comms.

Likely situation:
- You have VCC ≈ 3.0 V present.
- You do NOT have a true 1.8 V rail for VCCQ.

What to do
----------
1) Confirm which cap is VCC and which is VCCQ
- Idle CMD/DAT0 level ≈ VCCQ. If CMD/DAT0 sit near 3.0 V, your VCCQ is wrong (too high).
2) Provide a proper 1.8 V VCCQ
- Add a small 1.8 V LDO (XC6206-1.8, AP2112-1.8, AMS1117-1.8, etc.).
- Wire: 5V → LDO → (100Ω) → VCCQ pad, ground shared with MP3/tablet.
3) Keep core at 3.0–3.3 V
- 3.0–3.3 V → (100–220Ω) → VCC.
4) Re-check idle levels
- CMD/DAT0 should now idle ≈ 1.8 V. Then the MP3 should enumerate instead of “disk error”.

Quick checks (ASCII)
--------------------
Measure:
VCC to GND -> ~3.0–3.3 V (OK)
VCCQ to GND -> want ~1.8 V (fix if ~3.0 V)
CMD to GND -> ~VCCQ (≈1.8 V when correct)
DAT0 to GND -> ~VCCQ (≈1.8 V when correct)

If you can, tell me the exact voltages you see on:
- the large cap near a power trace (likely VCC),
- the small cap tied to CMD/DAT fan-out (likely VCCQ), and
- CMD/DAT0 pins.
I’ll confirm which pad is which and where to inject 1.8 V safely.
01:39
When attempting to locate the chip's data sheet all I could dig up was a very similar chip but not the exact chip.

https://datasheet.lcsc.com/lcsc/2211011430_FORESEE-FEMDNN032G-A3A55_C5117593.pdf?utm_source=chatgpt.com
TT
GG
01:47
Gino Green
Also I have noticed in Motorola phones if the phone is reading the mp3 it won't write to the card unless I unmount the mp3 first then I can transfer to the card that's on the mp3
01:48
I'm not sure if all phones do that on Samsung I have been able to transfer from card to mp3 without unmounting the mp3
T
01:49
TheTechForge
My Motorola works fine, if it detects the mp3 it also detects the SD card and works properly
01:49
Ty Gino for the info on the grnd
JS
01:50
John Smith
Yeah definitely saved time my end
01:50
On
T
01:52
TheTechForge
Main thing is defining what pins to correctly get the vcc and vccq 3.3 and 1.8v from. It says 3.3 is for core nand and 1.8 is for I/o which means we need to get both working or the emmc won't stabilize it will detect briefly then shut down which is the disk error it sounds like
01:56
Maybe all of this isp bridge stuff should get its own thread it's a lot of information and congests others information regarding the tablet
02:00
That being said I have one more thing to post before I lose it. the gentleman helping with a multimeter said he found 4 3v pins, this is what I got from the ai in regards to that.

User: There is four 3v pins how do I know if it's the correct one

Assistant:
Multiple 3V pads are normal because several parts of the eMMC and board share similar voltages.
Only one group is the true VCC (core power). Others may be I/O rails or pull-ups.

------------------------------------------------------------
How to identify the correct 3V VCC pin
------------------------------------------------------------

1) Continuity test (power off):
- Pick one 3V pad or capacitor leg as reference.
- Check continuity to other 3V points with a multimeter.
- All true VCC pads will have 0 ohm or very low resistance between them.
- Anything that does NOT beep is a different rail (likely VCCQ or a pull-up).

2) Capacitor grouping:
- VCC decoupling capacitors are usually larger (4.7–22 µF) and in a cluster.
- VCCQ capacitors are smaller (0.1–1 µF) and near the data-line traces.

3) Load test (optional):
- Power the MP3, then connect a 1 kΩ resistor from each pad to ground, one at a time.
- The real VCC pin will hold steady near 3V.
- Weak pull-up rails will drop voltage immediately.

4) eMMC pinout pattern:
- On BGA153/169 packages, VCC pins are at upper-left and lower-right corners.
- VCCQ pins are on opposite sides.
- Traces leading to these corner zones are usually core VCC.

------------------------------------------------------------
Safety checklist
------------------------------------------------------------
- Confirm all VCC pads have continuity between them.
- Confirm VCCQ pads are isolated from VCC (kΩ separation).
- Ground must read 0 ohm to metal shielding or USB shell.
- Do NOT inject voltage until these are verified.

------------------------------------------------------------
Summary
------------------------------------------------------------
VCC = Group of 3V pads that all beep together (core power)
VCCQ = Pads near data lines, not tied to VCC (I/O power)
Other = Pull-ups (RST_n, CMD, etc.) – do NOT inject power here

If you send a clear photo showing the four 3V pads you measured,
I can mark which are VCC, VCCQ, and pull-ups for safe power injection.
JS
02:02
John Smith
Well I posted my a.i stuff about similar chips in A.I thread
T
02:02
TheTechForge
Yeah but having a isp bridge section would help combine all of these large posts into a single section
HH
02:25
Halfredo Hernandez
In reply to this message
By the way, this is an amazing share. Thx
JS
02:33
John Smith
Hey have any of you guys used badcaps.net to ask questions about boards? Deepseek suggested it
02:34
Also EEVBlogforum
02:35
Never used either
JS
03:43
John Smith
I've been looking on the Chinese google. Baidu.com my Internet is super slow tonight so I'm having trouble using Google translate. But I found the manufacturer of the chips and stuff. If anyone is having decent service this might be the avenue to try and get more information.
D
04:34
Don
somebody asked about mt8168 and if it worked and this reply: Yes!
D
05:37
D
In reply to this message
This will be helpful, but remember that the tablet would need to be placed in BROM mode in order to use mtkclient. Also, mtkclient will NOT run on Android phones in Termux or otherwise, because the underlying libraries run on x86_64 only, not on ARM chips. This goes for Raspberry Pi devices as well.
05:37
In order to run mtkclient, you have to get an Intel-based tablet/pc into the prison to use this.
05:43
In reply to this message
The eMMC can be powered by the tablet in situ. Instead of removing the motherboard, simply detach the screen and touch input ribbons to flip the motherboard. Pull back the black tape, and attach the wires, replacing the tape over them.
05:45
Attach the wires to the proper pins on the MP3, or through a scavenged SD card.
05:46
Power on the tablet, but hit the reset button early on. This resets the CPU, but not the eMMC. The eMMC should be then controlled by the MP3 player, and the tablet CPU will give up. This also should put the tablet in BROM mode, btw.
05:47
The only hitch is whether Android will see the userdata partition and mount it. A rooted phone or PC will be able to do this. A non-rooted phone can mount an f2fs partition, but it's an open question whether it will choose to, since there are at least two other ext4 partitions to choose from.
D
07:24
D
I got a hold of a spare tablet and went to assemble the rig. I thought I could hold the wires in place with electrical tape 😂 Yeah, that's not gonna work. I definitely need someone who can solder.
7 October 2025
HH
02:07
Halfredo Hernandez
This has probably been mentioned here before but I'm curious if anyone looked into this. Guy claims he broke 7c

https://xdaforums.com/t/custom-rom-for-score-7-keefe-group-mt8167-tablet.4662278/
02:18
The new carbonara exploit for mtkclient works to unlock the bootloader on mt8168. So, boot trulincs workstation from sd card with windows or Linux, install mtkclient and necessary drivers, plug in tablet and flash the lineage fw. What do you guys think?
D
02:32
Don
In reply to this message
I have talked to him. his tablet was original score7. not 7c. 8167 vs 8168
HH
02:37
Halfredo Hernandez
In reply to this message
I thought the first tablet sold was 7c (now it is 7t). There should be plenty of these around
D
02:42
Don
there were score 7 my wife had one. earlier than score 7c
HH
02:50
Halfredo Hernandez
Oh ok
GG
02:56
Gino Green
On my tablet it's the newer one but when you power it on it just says score 7 , no T or C is everyone else like that too ?
TT
02:56
Terry Thompson V 2.0
I think they sold score 7 to 2 different state prisons and the pilot program in the feds in the women's prisons. It had android 8.1 and micro USB
02:57
The feds give atjg 77 million for the development of a more secure tablet and a 5 year contract for kiosk and charging stations is what the press release said
T
03:52
TheTechForge
That contract should be up soon and inmate.com going around here is that they are going to a different tablet provider, I call bs.
S
TT
04:09
Terry Thompson V 2.0
I haven't heard anything but I was fucked up about the stuff we was suppose to get like digital books. The first press release talking about us getting said that they had 51000 books to buy and 2nd press release talked about there was 70000 approved books and educational stuff
T
04:28
TheTechForge
Yeah Gutenberg books
04:28
So I have a question, all those images of the tablets why is the 7t im looking at have a totally different emmc
04:29
04:29
D
04:31
This top image is from the tablet I have stuck in a constant boot loop, loads Keefe to securus boot flash and then keeps rebooting the securus boot flash crap over and over
04:31
I wonder if this was a less stable emmc and that's why his tablet crapped out
04:34
Same storage, top is Chinese bottom is south chip, big difference in read and write speed
04:34
Top one only does 90-110 read bottom is 120-150mbs
04:34
And write was 40-60 vs 70-90.
04:35
Makes me wonder what I have lol
04:46
Has anyone tried this yet for trying to get to BROM?

==============================================
🧩 MediaTek “Force USB Preloader / BROM” Trick
(Target: MT8168 / MT8167 tablets like Score 7T)
==============================================

⚙️ Purpose:
Force the tablet to skip eMMC boot and enter
BROM (Boot ROM) mode so it can be detected by
flashing tools (e.g., mtkclient, SP Flash Tool).

----------------------------------------------
🧰 What You Need:
• USB cable (data capable)
• Access to eMMC test pads (CLK + GND)
• Tweezers or a fine wire

----------------------------------------------
⚠️ Safety First:
• Do NOT short CMD, DAT0–DAT7, or VCC pins.
• Only touch CLK to GND for about 1 second.
• Keep battery connected OR USB power ready.

----------------------------------------------
🧠 Steps:

1. Power the tablet completely OFF.
(Hold power 10s or disconnect the battery.)

2. Identify eMMC CLK pad.
(Usually top-left trace or labeled “CLK”.)

3. Hold tweezers between CLK pad and GND.

4. While still holding the short,
plug in the USB cable to your host device.

5. Wait 1 second, then release the short.

6. The SoC fails to mount eMMC and drops into:
→ “MediaTek USB Port (BROM)”
(visible via dmesg or lsusb on host).

7. Now you can use:
mtkclient flash / dump / unlock commands

----------------------------------------------
💡 Notes:
• If nothing shows up, try again with battery attached.
• Do not hold the short longer than 1s — only needed to
block the first eMMC handshake.
• Once in BROM mode, eMMC can be reinitialized or replaced.

==============================================
✅ Summary:
Short eMMC CLK → GND during USB plug-in (≈1 s)
→ forces MT8168 into USB Preloader / BROM mode.
==============================================
👍
R
D
05:25
D
In reply to this message
IF Carbonara works as advertised, you could make a basic (command line only) Linux bootable media with the latest mtkclient and do this. However, you would have to build and configure it in a virtual machine first, because my client requires the proper python dependencies to make it work (on Windows or Linux), and these download from Internet sources not available on the local BOP inmate intranet.

Then flashing LineageOS isn't as simple as you make it sound. You would have to shrink the userdata partition to make room for the larger super partition that LineageOS occupies, move the user data partition back, move the cache partition back, then flash LineageOS.
05:25
In reply to this message
The BOP released appropriations documents saying they agreed to purchase thousands of Score tablets that are based on the exact same hardware as the 7c and 7t, but which are 8" and 11".
05:25
In reply to this message
This is a sound procedure for triggering BROM mode, but until Carbonara exploit, putting the tablet in BROM mode didn't make any difference. Once Carbonara is incorporated into the public code and released, then things will get very interesting for anyone with an Intel-based device in the feds.

Also, in theory, this should put ANY Mediatek device into BROM mode. But BROM can be protected with DA, SLA, or SBC-based "locks."
05:26
In reply to this message
That's some janky bullshit. I wonder how that happened?
T
05:28
TheTechForge
No idea but chatgpt even says the Chinese chip is less stable which could explain why his tablet crashed 4 months after buying it
05:29
I just wish I could get it fixed for the guy, he's like 60 and has no outside help
D
05:30
D
We have some guys like that here. We just loan our tablets to them, usually overnight. They stay up playing games and then just put it on the charger when they're done.
T
05:31
TheTechForge
Yeah I have done that a lot as well
05:32
Good thing is he finally got his GED so now he can make the grade 2 pay, he's been working as one forever making crap
05:34
I'm going to try this stuff tomorrow and see if it helps it.

========================================================
BLITZTECH TABLET – MT8168 (FORCE RESET / BROM SHORT)
========================================================
Goal:
Force tablet into BootROM mode (bypass preloader) so USB tools
can see it again — even if it’s looping or frozen at Keefe logo.

--------------------------------------------------------
1. Identify the eMMC package
Common: Samsung, Hynix, or SanDisk BGA153/BGA169.
Key pins of interest (viewed with dot-corner upper left):

[ ... top row ... ]
1 CMD
2 CLK
3 VCCQ
4 VCC (3.3 V)
5 GND
6 DAT0
7 RST_n (optional, not always connected)

You’ll see test pads nearby on the board — some labeled CMD,
CLK, DAT0, VCC, GND. Use a magnifier.

--------------------------------------------------------
2. Methods
--------------------------------------------------------

( A ) CMD-to-GND short (safe start)
• Disconnect battery.
• Plug USB into tablet while holding CMD pad to GND.
• Keep short 1–2 seconds during connection, then release.

→ If successful, tablet enumerates as:
"MediaTek USB Port" / "MTK USB COM" in device manager.
(screen stays black)

( B ) CLK-to-GND short (alternate)
• Same as above, short CLK instead of CMD.
• Sometimes needed if preloader still traps BROM.

( C ) RST_n pulse (if pad exists)
• Tie RST_n to GND through ~100 Ω resistor for 1 sec, then release.
• Acts like hard reset of eMMC controller.

--------------------------------------------------------
3. What happens
• CPU fails to read eMMC boot partition → falls back to BROM.
• USB enumerates in pure BROM mode (no preloader).
• You can then use mtkclient or SP Flash Tool with “BROM”
connection type to read/flash.

--------------------------------------------------------
4. Wiring & Power
• Keep tablet battery unplugged.
• Use only USB power from host (3.3 V comes from board LDO).
• Never feed external 5 V directly to eMMC pins.

--------------------------------------------------------
5. If still no detection
• Try swapping CMD ↔ CLK short timing.
• Try holding short slightly longer (2–3 sec).
• Inspect with multimeter — ensure GND continuity and no 0 Ω
permanent short after release.
• As last resort, lift the eMMC’s VCC line via small resistor to
simulate “no memory” on boot; CPU will go BROM by design.

--------------------------------------------------------
6. Risks
• Wrong pad = permanent short = dead eMMC.
• Always discharge static, use tweezers not solder.
• If pads are tiny, solder fine wire jumpers to easier points.

========================================================
05:35
I'll try anything even if it fucks it up because atm doing nothing is getting no where
D
07:50
D
In reply to this message
Any luck with this? You posted these photos of an attempt at the ISP bridge method. What happened?
D
22:05
Don
okay I have access to a computer that I have bios password for and can boot off usb drive. I bought two 32 gb usb c drives. going to try this Carbonara thing as soon as my usb drives arrive
22:05
I will document all steps for the group
22:30
Deleted Account
In reply to this message
Would be very helpful if works.
D
23:04
Don
In reply to this message
I got 32 gb so they will be fat32 and should boot uefi. i can boot a vanilla linux image and then craft a mtkclient build on the second drive.
23:05
In reply to this message
im old and have a shitload of time to go. i dont gaf
8 October 2025
00:05
Deleted Account
In reply to this message
Does the size or format matters? I'm a bit confused. 32gb is more than enough for any bootable OS as far as I remember. If you use a kiosk, make sure to unplug Ethernet cable.
D
00:38
Don
In reply to this message
i was going to get a larger drive but 32gb is the max for fat32, and some uefi cant boot off exfat, only fat32
00:40
i am trying to keep things simple. once I can boot Linux im good from there but I want to avoid complications
00:41
and i know about the ethernet cable, this pc has no ethernet at all, it's standalone in education and off camera
00:51
Deleted Account
In reply to this message
Great location, stay safe
D
01:30
Don
found ventoy.net it's a uefi image manager
01:30
going to use that so I dont have to etchdroid every image
D
01:49
Don
mediatek website confirms that cve 32871 carbonara affects mt8168
D
06:47
D
In reply to this message
Modern OSes, especially those implementing UEFI, have an exfat or fat32 boot partition, which holds the bootloader and loads drivers necessary for accessing unique hardware or drive setups. This partition tends to be very small, usually no more than 30 MB. It is then followed by one or more partitions that contain a full operating system, usually formatted NTFS or, for Linux, ext4. Also, the partition size limit for fat32 is 2 terabytes, not 32 GB.
06:48
May I suggest Slax for this project? It's fast and designed to be portable. It can operate a GUI or command line only. And it can be modified and repackaged with any necessary tools.
R
09:14
Roscoe
I had made a bootable SD/reader with TAILS once, but went to the SHU (unrelated) before I had the chance to try it out 😓
C
10:48
C
In reply to this message
I used to use https://pendrivelinux.com/yumi-multiboot-usb-creator/, has lots of features and incorporates ventoy
D
10:50
D
Ventoy is fine for putting a few disk images on a drive and giving the choice of which to use. However, few such images can be modified and repackaged without significant effort, and not all Linux distros are compatible with it.
10:51
For instance, the Slax loader specifically modifies the target disk in a way that is incompatible with Ventoy. I tried for days to get the two to play well together, and it never worked. However, I was able to modify Slax and add my tools so they would be available on each boot.
Tom Tom removed Tom Tom
D
23:01
Don
I will check out slax, thanks
9 October 2025
HH
03:33
Halfredo Hernandez
I would like to invite someone who is assure is no cop/rat and i think can provide valuable info because he has access to a broken 7t tablet
03:34
Please let me know all of your thoughts on this i will be back tomorrow
D
04:54
D
In reply to this message
Invite requests should be sent directly to mods. They have control anyway.
D
06:44
D
In reply to this message
I am working on getting the SD card reader in the Gen2 to read the eMMC. I was looking at your photo for hints about where to wire things, but your solder points seem to be in the middle of the Gen2 board instead of on the SD card contact points. What are you attaching to here?
06:56
Also, I talked to my old hardware modder. He had rewired the reset pin on the tablet to short CLK and GND on the eMMC test pins instead of cutting power to the device entirely. So, in order to power the eMMC during its connection to the Gen2, you must short CLK to GND sometime after boot. The CPU will get confused and stop talking to the eMMC, leaving it free to be handled by the Gen2.
👍
JB
TT
22:05
Terry Thompson V 2.0
In reply to this message
Who is this guy you think we should add.
22:05
Is he on any of other groups or HF
10 October 2025
D
00:40
Don
hey D, that brom_8168.bin from your server score7/preloader is from the score tablet, not a generic mtk 8168, right?
D
01:15
Don
damn it sorry did not mean to spam that to chat
01:21
ro.odm.touchpanel.gsl.modle P863_QCY_TP
01:21
ro.odm.touchpanel.cst1xx.tp cst_xc_pg0700_600x1024_fw
01:22
touchpanel drivers will see if I can find their source so we can make our own build if necessary
HH
02:15
Halfredo Hernandez
In reply to this message
No sir, a friend of mine here who helped with the mp3s and tablets and knew the Russian hacker who broke the tablets here but who since went home
Terry Thompson V 2.0 invited Elegar Infernis
D
03:55
Don
In reply to this message
add him
TT
04:07
Terry Thompson V 2.0
I added him
EI
04:45
Elegar Infernis
Appreciate the add guys
D
05:29
D
In reply to this message
Because the devices from which these preloaders have been pulled, none of them are generic in the sense that they will work on any mtk8168 device. They have all likely been signed with some kind of key. I was never able to pull the preloader from the Score7c I made the ROM image from because I accessed the eMMC in SD mode, and that mode does not expose the preloader. So no, the file you are asking about does not belong to our tablets.
05:32
In reply to this message
In theory, as long as you use Android 10 for the base of your build, you can simply use the vendor image file that ships with the tablet. It will have all the drivers you need.

https://hrethgir.org/score7/OS%20Image%20Project/rom_image/super_unpacked/vendor.img
05:33
In reply to this message
But I highly doubt you will ever find these drivers as open-source.
05:45
I also reorganized the server directory structure to be easier to understand.
R
06:06
Roscoe
In reply to this message
Is there any way to view the root directory to see what all subdirectories there are?
06:06
Also, have you ever thought about allowing others to upload/contribute? Or would you rather we just sent stuff to you?
D
06:10
D
In reply to this message
It is possible, but because the tablet image belongs to a prisoner still in custody, I don't just leave it open.
06:11
In reply to this message
I manage the server and use it for multiple projects and purposes. I have lately had to be careful about disk usage. If you send or suggest an addition, I will consider it.
R
06:13
Roscoe
In reply to this message
To be clear, I was referring to the root of your server/site
O
06:16
Ohhmonky
In reply to this message
When that happens, where does this message appear? On the tablet itself? The lock screen?
D
07:19
D
The safe mode used to be available this way. It would boot into the tablet's recovery screen, with options for recovery, fastboot, etc. I haven't seen a tablet that still does this in a long time. Maybe John has a tablet that hasn't been updated in a long while.
07:22
I have removed the SD cage from my MP3 player. In this photo, I have labeled the pins per the SD spec.
07:24
The four pins on the eMMC test pads are RST, CMD, CLK, and DAT0. Reset only has functionality when connected to a proper eMMC reader. So we will need to connect pins 3, 5, and 7 to read the eMMC using the Gen2 player.
07:26
I need to get some wires soldered soon. It may be a few days, since I have to outsource the work. Those pins are fucking tiny.
B
12:36
Bill
In reply to this message
It looks like to get around this we just need rooted phones with imei changer app
TT
D
✨✨ Vejeeter✨✨ joined group by link from Group
JB
20:44
John Blaze
In reply to this message
Safe mode will appear in the bottom left corner of the screen.
I made a mistake on my post though.
You boot as normal and press and hold volume DOWN just after the Keefe group boot screen goes away right when it says score 7 then hold till boot completes. You should see the safe mode on the lock screen if all went well.
20:47
In reply to this message
It doesn't show the recovery screen or fast boot options. It just puts you into the safe mode that apparently has less security protocols running. So you can charge a phone in this mode without tripping the software to show that you have connected to an unauthorized device.

I have done this with every tablet that I have tried it on so far
11 October 2025
D
00:06
Don
the lk (little kernel) partition should have the menu for recovery, fast boot, etc. I have been looking at these from D's image. found some tools to analyze them but nothing fantastic found as of yet.
00:13
did we ever definitively figure out why that lineage rom works ? the sourceforge site has binaries only, so I have no idea what keys they are signed with?
O
00:17
Ohhmonky
In reply to this message
Is there absolutely no way to run mtkclient or something similar from a rooted arm-android? Emulator/etc?
00:18
Because the guy who hacks the tablets here uses another hacked tablet to do it. Then he definitely uses another way to do it.
00:21
In reply to this message
What about the message that an unauthorized device has been connected, where does that appear? (Talking about a case without safe mode)
R
00:22
Roscoe
In reply to this message
It is technically/technologically feasible. But mtkclient is written for x64, not ARM.
00:22
And gotta be rooted.
JB
00:46
John Blaze
In reply to this message
It will appear in the middle of the lock screen and if one connects it to a kiosk sis is shortly behind em to pick em up
JB
01:23
John Blaze
01:24
That is the safe mode that will keep that message from appearing
TT
01:55
Terry Thompson V 2.0
T
Terry 18.01.2025 19:14:41
TT
01:56
Terry Thompson V 2.0
Most places lock u up for this. If u plug it back to computer it alerts trust fund supervisor and next thing u know u in the SHU . Even at Oakdale low they lock up for this
JB
02:01
John Blaze
100% they will
02:01
The safe mode keeps that from coming on
02:02
And cracking the screen after it happens by accident keeps them from seeing it and locking ya up 🏴‍☠️😁
TS
02:14
Tim Smith
Mine showed this once when I tried connecting mp3 to the tablet. Revalidated nothing happened. I know of a few others here too they just don't care about trivial things like that here
02:15
... Or don't even monitor it at all and the computer unlocks the tablet and returns it to normal
GG
02:24
Gino Green
In reply to this message
Yes but here if your screen is cracked they pretty much know what you're using it for and take them from the chargers
02:25
In reply to this message
Here they don't care much but every now and then they will write a few people up..no shu but definitely a 100 series shot
R
02:27
Roscoe
Someone here got busted with his phone in a 7c tablet case... And ruined it for the rest of us 😓
GG
02:28
Gino Green
In reply to this message
Dam
R
02:28
Roscoe
The other day they took someone to the SHU for having just the case/shell, didn't even have the phone in it
GG
02:28
Gino Green
Not good
R
02:29
Roscoe
Now they're going around making people press the power button on their "tablet" and scrutinizing everything on the chargers
JB
02:44
John Blaze
Yeah it comes in waves. They have been on that shit here for a while now.
Some dude got knocked off with one in a shell.
Same as the mp3's some cops check em on the charging station.
02:45
After a while or if ya get a c o that found out it's an easy job if ya let it be. . and it stops
GG
03:08
Gino Green
Yes here they were in the swaps for a while but now they stopped looking
HH
03:09
Halfredo Hernandez
What do you guys think about contacting shomykohai, who is the developer of the carbonara exploit for mt8168? Apparently there is a version of mtkclient with carbonara already cooked in and also mtkclient for Termux. Bugjaeger app claims to be able to flash roms on an unrooted android
03:11
Also be careful everyone, I saw on the law library someone got a shot for connecting phone to a tablet and connecting to kiosk in bop. The tablet even recorded the model of phone
D
03:11
Don
wouldn't hurt. I would chip in money
03:12
concerning bugjaeger, it can flash with fastboot iirc but that isn't enabled on tablets.
GG
03:12
Gino Green
In reply to this message
Yes I have heard that it's what we were just saying like a few minutes ago
HH
03:18
Halfredo Hernandez
Maybe a stupid question, but could the flasher apk for the mp3 player possibly be used for tablet?
03:18
Once brom is attained
R
03:24
Roscoe
In reply to this message
Negative, ghost rider. The pattern is full.
D
03:42
Don
once I get my usb flash drive im going to try to get the pc to let me modify partitions. plan is to remove edgejas and add file manager apk to start
03:42
then stage 2 get root on the atg firmware
03:43
then stage 3 figure out how to flash lineageos
03:44
and deal with any signing issues as they come up
TT
04:57
Terry Thompson V 2.0
In reply to this message
Well that sucks
TT
04:57
Terry Thompson V 2.0
TT
Terry Thompson V 2.0 25.09.2025 00:14:22
04:57
D
05:10
D
In reply to this message
They appear to be signed with the test keys that AOSP includes in their GIT repo.
05:12
In reply to this message
I was checking mtkclient last night, and my searches said it can now be built and run on arm64. However, Android makes accessing attached devices difficult, even when rooted. mtkclient cannot do the same kind of sensing and manipulation from an Android device that it can do from a regular computer or Raspberry Pi.
05:13
In reply to this message
Which hack is he doing? Is it the one with LineageOS, or the one that still has the BOP image name but is unlocked?
05:15
In reply to this message
At Seagoville, at least 2 years ago, somebody attached a phone to three random tablets on the charging block. All three guys got 100 series shots for possessing a cell phone, but didn't go to the SHU. They were pissed.
05:18
In reply to this message
It's from an unrooted Android. Bugjaeger is an implementation of adb/fastboot. The phone with Bugjaeger on it does not need to be rooted to run it. But it roots/flashes another phone/tablet besides the one it's running on.
05:23
In reply to this message
It records the VID/PID on the connected device. This is standard for a USB host to do. The BOP just uses it to catch people. You can disable this by disabling the USB sense pin on the tablet side of the USB-C to USB-C cable.
05:24
Role detection: 
The CC1 and CC2 pins are crucial for detecting the role of each port, such as a Downstream Facing Port (DFP, like a host) or an Upstream Facing Port (UFP, like a device). 
05:25
In reply to this message
Totally different back-end. The flasher software would have to be rewritten.
05:28
In reply to this message
The PC isn't denying system partition write access, it's that the bootloader is locked. Edgejas is included in the /system/priv-app directory, meaning you have to rewrite the system partition to remove it. You have to unlock the bootloader (possibly via mtkclient/carbonara), and root the tablet to modify the system partition in this way. Or you flash a system image that no longer has edgejas, but it has to be signed in a way that the system will accept.
D
05:50
D
In reply to this message
Thanks for this Terry! I was looking for the exact language on the lock screen, but didn't want to hook a phone to my tablet. This helped me establish the locking mechanism.
05:52
The reason the tablet doesn't lock itself when an unauthorized device is connected while in Safe Mode, is because the app that controls this behavior is on the user data partition. It is a non-privileged user app that just happens to run on boot. Safe Mode disables user apps from booting automatically, but does not disable system apps. The app in question is com.advtechgrp.devicemonitor. If this is removed, the device will no longer freak out and lock when a phone is connected.
GhostExodus removed GhostExodus
D
18:09
Don
In reply to this message
yes I know.
18:13
what I don't yet understand is, if guys are flashing the treble lineage image, how is dmverity allowing that? it won't match the hash in vbmeta. there has to be something broken in their implementation. or they are removing dmverity. on some phones you can do that with flashboot ...
18:15
I can extract system, remove edgejas, reflash system and that only changes that one hash. so I want to see if the current setup rejects that or not. on score 7, changes to system were allowed without problem, but of course that is earlier version
18:26
if the bootloader is unlocked I can use avbtool to generate a new vbmeta partition. I think. I havent had to do that before. if the bootloader can be unlocked it might be easier to just flash a whole new image and partition set, are all the touch and lcd drivers in vendor? or do they have blobs elsewhere in partitions? I think the camera does. ill check out vendor image now and see what is available
JS
18:41
John Smith
In reply to this message
Did you have success on getting that pc to let you modify it for our purposes?
O
18:46
Ohhmonky
In reply to this message
It would be safer to cut the data lines in the cable and leave CC lines alone. Even without CC pin there are some situations where the usb data connection would be possible between a tablet and other unauthorized device. But not without data lines.
18:47
Although, there doesn't seem to be any good reason to mess with the cable at all if you can just use the safe mode on the tablet.
D
19:18
Don
In reply to this message
oh yeah I have full access im waiting on the usb drive to get here
👍
JS
19:19
other things i plan to try on tablet are see if flipping bit in frp partition will unlock bl
19:20
also found a mtk exploit apk so will try to load it on tablet and see if i can get root that way.
19:21
hopefully mtkclient can just unlock bl for me, it patches seccfg partition
19:21
i will update everyone as soon as I get my flash drive
R
20:42
Roscoe
In reply to this message
Do you mind sharing that APK?
12 October 2025
D
00:18
Don
In reply to this message
Fork of MTK Easy su (app which uses mtk-su exploit to get root with locked bootloader on MTK devices) with added features and no ads/spyware. https://github.com/IsHacker003/mtk-easy-su
00:19
no idea if it works but I found it researching seccfg
R
00:27
Roscoe
In reply to this message
Much appreciated 👍
J
01:02
John
Are there any caveats to the safe mode thing? For example, does the tablet need to stay locked while the device is charging, etc? Does this 100% work on both the 7c and 7t? I just want to know before I potentially sacrifice a 7t.
GG
01:24
Gino Green
Just make a custom wire without data and you can charge and not trigger the tablet ..you could literally be playing a game and charging at the same time
JB
01:40
John Blaze
What do ya do connect the cc line to ground with the 5.1k ohm resistor and cut the data ?
👍
O
D
02:00
Don
hey drew that lk image you have on your site, is that from before they took away the boot menu access?
GG
02:08
Gino Green
In reply to this message
Yes
O
02:34
Ohhmonky
56k is for the host device ("downstream facing port" in usb parlance). Don't worry about this. This is what the phone's female port already has inside its USB microcontroller.


The otg cable needs a ~5kohm connected to GND ("pull-down resistor").


Another option for charging would be if you find a usb c to usb c cable with the CC wire going all the way from one port to another. In that case you would not need an additional resistor in the wire. The tablet would negotiate the power through the cable and provide its own internal equivalent of the pulldown resistor. This by itself should not trigger the "unauthorized device" warning, as long as you cut or disable all the data wires within the cable.
JB
02:52
John Blaze
In reply to this message
Yeah but the point is not to have the data connection to the phone so it doesn't trip the security protocols in the software that shows the message and gets you sent to the shu if connected to the kiosk
02:55
Oh that may be true. I have never done it like that before. I was mainly referring to the data lines being cut
GG
03:06
Gino Green
In reply to this message
👍
O
03:27
Ohhmonky
In reply to this message
That's why i wrote that you do have to cut data lines. CC line is different.
GG
03:28
Gino Green
Running from tablet
03:29
And it says charging rapidly and don't block out tablets
JS
03:30
Works so good I sold my charger since I had no use for it
O
03:33
Ohhmonky
1 tablet charge lasts for about 30%-40% of the phone charge. YMMV
GG
03:35
Gino Green
In reply to this message
It depends, if I'm on airplane mode I can do from like 50 to like 90 on one tablet in like 30 to 45 minutes but if I'm using it I will only go up about 20 percent at most
O
03:37
Ohhmonky
In reply to this message
Seems to be Lineage. There is lineage mentioned in the about screen.
JS
03:41
John Smith
In reply to this message
Are you using the cut data cords with the 5.1k resistance method to get it to fast charge? I have that setup and I get about 12% charge per hour when turned off.
GG
03:43
Gino Green
In reply to this message
It's kinda like that but it also has to do with the way you wire it up
JS
03:51
John Smith
In reply to this message
Not proud but I paid a ducehead to bring me 2 charging cords from another unit and we made the charging cable from those. Would the wiring method you're talking about work with those cheap cables?
GG
03:52
Gino Green
Yes it's just harder to get the cc1 wire since they dont have the connection for it you have to go from the pin or the back of the board
👍
JS
JB
03:54
John Blaze
I use the cheap cables
Shine a light through the board to trace where the cc line connects to
There are 3 different types here all with 3 different pad locations.
03:55
I find it difficult to connect directly to the pin coming off the connector to the board
GG
03:55
Gino Green
You trace it to the back and it's easier
JB
03:57
John Blaze
03:57
That's a shitty picture of one that was also a sloppy job but worked
👍
JS
03:57
The pad is the cc line
GG
03:57
Gino Green
In reply to this message
👍
JB
03:59
John Blaze
Forgive me for repeating myself.
But you're saying do that but cut the data lines.
Correct?
👌
O
D
05:00
D
In reply to this message
Cutting the data lines interrupts data transmission. Cutting the CC line on the tablet side takes advantage of the USB 3 protocol and forces the tablet in accessory mode, such that it cannot grab the phone's VID/PID.
05:01
In reply to this message
You need to flip bits in the seccfg partition. I tried flashing an empty seccfg back into the days when we could easily enter BROM mode. The tablet just rebuilt the old version. So I guess it will do that unless you put the correct values there.
D
14:45
Don
In reply to this message
I meant seccfg. it signs the seccfg with the sej key. but it seems like you can get da to sign arbitrary data. im researching.
D
15:12
Don
lk checks the frp partition for the flag oem_unlock when using the fastboot oem unlock command. I am sure of that, looking at the lk source code
13 October 2025
D
05:59
D
In reply to this message
When mtkclient is commanded to unlock a bootloader and succeeds in an exploit, it accesses the HACC/SEJ info (HWKEY) and uses a commonly known algorithm to 1) write a new seccfg with an "unlocked" state, and 2) sign the resulting values using the HWKEY.

It seems then that we must find a working exploit for mtkclient (likely carbonara) in order to provide access to the HACC/SEJ.
Alan joined group by link from Group
D
21:47
Don
In reply to this message
yeah hopefully carbonara works it's a rust exploit i havent messed with that before
21:52
In reply to this message
not sure if you received or answered my dms it shows blank. i asked about if you had tried sp flash tool on your windows box. i found some commercial solutions that have exploits they wrote too but will try carbonara first
14 October 2025
JS
02:18
John Smith
Have a guy here in another unit trying to run mtkclient in a gui. He sent me this stuff so far. Any input?

#!/data/data/com.termux/files/usr/bin/bash

# Script to set up GUI environment in Termux and run mtkclient GUI
# Assumes PySide6 is installed (from previous script)
# Also assumes mtkclient is cloned and installed; if not, uncomment the installation steps below

# Step 1: Install X11 repository and VNC packages for GUI support
echo "Installing X11 repo and VNC packages..."
pkg install x11-repo -y
pkg install tigervnc fluxbox xorg-xrandr -y # fluxbox is a lightweight window manager

# Step 2: Set up VNC server (run only once to set password)
if [ ! -f ~/.vnc/passwd ]; then
    echo "Setting up VNC password..."
    vncserver -localhost # This will prompt for a password; set one for security
    vncserver -kill :1 # Stop the initial server
fi

# Step 3: Start VNC server with a suitable resolution (adjust geometry as needed for your screen)
echo "Starting VNC server..."
vncserver :1 -geometry 1280x720 -depth 24

# Step 4: Export DISPLAY for GUI apps
export DISPLAY=:1

# Optional: Install mtkclient if not already done (uncomment if needed)
# echo "Installing mtkclient..."
# pkg install git python libusb -y
# pip install pyusb pyserial json5 capstone colorama
# git clone https://github.com/bkerler/mtkclient ~/mtkclient
# cd ~/mtkclient
# python setup.py install
# cd ~

# Step 5: Run mtkclient GUI
echo "Running mtkclient GUI..."
cd ~/mtkclient # Adjust path if cloned elsewhere
python mtk_gui.py

echo "mtkclient GUI should now be running in the VNC session."
echo "To view it: Install a VNC Viewer app on your Android (e.g., 'VNC Viewer' from Play Store)."
echo "Connect to localhost:5901 (or 127.0.0.1:5901) with the password you set."
echo "Once connected, you'll see the desktop; the mtkclient window should appear."
echo "Note: If GUI doesn't launch, check Termux logs for errors (e.g., missing dependencies)."
echo "To stop VNC: vncserver -kill :1"
echo "Troubleshooting: Ensure your Android version is 7.0+; if issues, try older mtkclient version (e.g., v1.52) from GitHub releases."
02:21
Status updates
02:21
R
03:21
Roscoe
I don't think it's that simple, but best of luck to him and thanks for keeping us posted
D
04:32
Don
if the phone isn't rooted he wont be able to access usb . and even if it is rooted there are libusb patches necessary
D
04:50
D
That's if you can even get the mtkclient dependencies to install/build. It will not be easy. The automated install will fail in Termux on an Android device.
D
08:03
D
In case anyone has a good drone connection and can get a Raspberry Pi, you can get a 3B+ for $50 from Amazon, and it can talk directly to the eMMC.

https://pinout.xyz/pinout/sdio
08:05
Just wire the CMD, CLK, and DAT0 lines from the eMMC test pads to the Pi, and the Pi can then talk to the eMMC in SD mode. No access to the preloader, but full access to the rest of the device's storage. The only trick is having to power the eMMC using the tablet's main power, and needing to force BROM mode by shorting eMMC CLK or CMD to ground during boot.
S
14:29
Synonymous
Anyone have any good macrodroid or tasker macros to wipe the tablet (or phone) if they leave the building or compound?
14:31
Dont believe 7c/7t/7m has GPS, so will have to initiate a countdown from the last time it connected to a particular wifi
14:32
Might be nice to set a nuke word for a wipe/unbreak. I am thinking "Jumanji"
18:56
Deleted Account
In reply to this message
It does have GPS
S
20:38
Synonymous
I know the specs sheet for mt8168 says GPS, but could you point to which chip on the board for verification?
I can only vouch for Bluetooth, which was in the test mode
20:39
And wifi, because the antenna is obvious
TT
22:35
Terry Thompson V 2.0
Hey Ryan has changed a few things with people joining our group. So now either me Ryan or Hank are the only ones that can add members. That doesn't mean we are not going to add any but they will have to be somewhat vetted, like who they heard about us from and maybe where they at or someone in good standing here maybe vouch for them. Also I think anybody we add should be a contributor to the cause or at least have some knowledge and be willing to help. So if you got somebody you think would be an asset to us by all means message me or Hank or Ryan.
22:46
Deleted Account
In reply to this message
After unlock the location service is enabled, don't know which chip is responsible. Check on FCC website it should help
15 October 2025
D
01:17
Don
anybody at ft dix confirm if the unlocks there require the tablet to be physically opened?
TT
02:11
Terry Thompson V 2.0
I had heard from somebody that was there that something had to be soldered to board while it was being done and they had said it was done with laptop. And that originally it was $1500 or if u wanted the technology to do it yourself it was $15000. I don't know any of this to be true that's just what I was told I don't know what they could be soldering to except maybe uarts or jtags but I know atg had the jtags rigged where if u tried to go through them to the MP3 it would shut down
S
02:13
Synonymous
Some Amazon fire tabs did the same thing, someone got around it. Also the fire tabs did uart via the headphone jack
D
02:53
Don
okay im waiting on my usb drive and then will begin work
02:54
i had a 7t that had never been activated on kiosk but acquaintance clucked it off
02:54
i also have a 7c and 7t that are kiosk activated
D
03:37
Drew
In reply to this message
Do you think maybe they found a way to roll back the updates. Just a random thought
D
04:24
D
It could be done if you had an image of an earlier tablet version (like the one on my server). But you still have to have a way to write the old version to the drive.
04:26
You have to write multiple partitions (super, vbmeta, boot, etc.) because they are all chainloaded and verify each other. I am still amazed that those others with LineageOS don't complain about the bootloader being unlocked.
S
04:51
Synonymous
Related, I attempted to interrupt an update with the hard reset. I hit it close to 50 times, removing power at a later and later time each boot. I could not get corruption or the update to abort
D
04:55
D
That's because Android updates are designed to be resilient. They had 10 generations of OS development to get updates done right. ATG just gets to piggy back off of all that work.
D
05:18
D
In reply to this message
Any confirmation on whether the Riuzu firmware does, in fact, exhibit this behavior?
Deleted joined group by link from Group
GG
21:09
Gino Green
Any one was doing the movie redownload thing?
21:09
It's not working for me no more
16 October 2025
Terry Thompson V 2.0 invited C
C
03:03
C
In reply to this message
Same, didn't work yesterday after new movies, appears to be patched although will try again
03:04
I did it successfully several times after learning about it here (back on a new account after losing a phone)
GG
03:05
Gino Green
Yes yesterday it didn't work but today it's working again
J
03:07
John
In reply to this message
Worked for me this afternoon. I actually screwed up a little, because I locked myself out of the kiosk and had to wait 15 minutes after I rebooted. It still worked.

So end rental, immediately hard reboot by holding power button for 15 seconds. You can actually go to the kiosk at your convenience. Doesn't have to be immediately after. Just don't enter your pin on the tablet after reboot until you're at the kiosk and logged in. Then open tablet, select new video, and sync.
GG
03:11
Gino Green
In reply to this message
Yes I noticed it gives you a lil more time now
J
03:12
John
Yeah, it seems like you can go to the kiosk whenever. The bug that allows this is squarely rooted in the hard reboot right after you end the rental. The rest is just doing the sync shortly after you open the tablet.
GG
03:13
Gino Green
I think you have to do it before it reads the system when you reboot it like when it's doing that stuff and showing like the card at the top and stuff you have to catch it before it does all that I think
C
03:15
C
Do you need to end rental after you logged in on the kiosk like the original instructions or can you do it separately
J
03:15
John
I did it completely separately.
03:16
Just ended the rental on my own, and did the immediate hard reboot
GG
03:16
Gino Green
Well I do it all at the station
J
03:16
John
Then went to kiosk over 20 mins later
03:16
And it was fine. But I hadn't reopened my tablet after reboot. Not sure if that's essential but probably is
GG
03:17
Gino Green
Only difference was before I took a lil longer and it didn't work but this time it took a lil longer and still worked
03:17
In reply to this message
Yes more than likely it is
03:18
Once you unlock it ..it starts reading the system on the tablet like when you power a phone and you see the message saying starting phone
👍
J
J
03:19
John
So it's pretty simple:

End rental and do immediate hard reboot (hold power button until it reboots)

Go to kiosk at your leisure, but don't unlock until you're there and logged into kiosk

Open tablet, select new video, sync

Easy peasy
GG
03:20
Gino Green
In reply to this message
👌
J
03:23
John
If you want to protect yourself against failure, don't have enough credits on your account to rent the new video you selected. Worst case, you don't rent the new video. I purposely emptied my trulincs before I tried this, because I thought I had screwed up by not immediately going to the kiosk. It worked perfectly
03:23
Now if we could just root these things, we'd be great!
GG
03:24
Gino Green
In reply to this message
Yes definitely I was doing it on someone else's tablet and I had to pay dude cus he got a random movie on Tuesday 😂
J
03:26
John
Haha yeah don't do that
JB
03:29
John Blaze
Still works here
You just have to do it quickly before the system completely boots
GG
03:30
Gino Green
Yes but I think yesterday it didn't work ..I tried it on 3 different tablets and no luck
EI
03:33
Elegar Infernis
Has anyone been able to find the lineageOS version that's been used on these things?
03:34
I know it's a custom ROM, which makes it even more of a pain. I've tried delving throughout Github but no such luck
03:35
I do have access to one and I can provide the info on the build number and stuff, but I can't seem to find it on my own. Also I don't want to risk bricking it by trying to copy the OS
D
04:43
D
I haven't verified that this is the one, but it matches the build ID string that has been posted here.
04:44
You want to grab the one that is labeled: lineage-17.1-20210808-UNOFFICIAL-treble_a64_bvS
HH
18:18
Halfredo Hernandez
I tried the movie trick one time. Everything worked exactly as described in this group, but when the movie redownloaded, it kept the same expiry time (15 minutes remaining to watch movie). Am I doing something wrong? Do I have to let the movie time fully expire on the first rental?
18:21
In reply to this message
Do you know if they had to open the tablet? Or was it purely through usb? Seems to be a persistent question here
EI
18:35
Elegar Infernis
In reply to this message
They did. It has fingerprints all over the CPU casing
JS
HH
18:38
Halfredo Hernandez
Ok all, looks like they are forcing brom with test points then flashing lineage? Raspberry pi?
18:40
There is a fork of mtkclient with carbonara baked in if anyone wants the link I'll find it
R
18:55
Roscoe
In reply to this message
Yes please.
18:55
In reply to this message
Are you referring to penumbra?
18:58
Look at the link he provides for mtkclient with carbonara exploit for mt8168
R
19:10
Roscoe
In reply to this message
Yep that's penumbra. But thanks for the links 👍
Secured Wizzy joined group by link from Group
R
21:33
Roscoe
D Do you have a dump of the bootloader (lk.img)?
D
23:32
Don
In reply to this message
yeah its on his website. I was able to extract it
Terry Thompson V 2.0 removed Secured Wizzy
17 October 2025
R
01:13
Roscoe
In reply to this message
Have you used it to make chouchou?
01:16
Anyone know if it's possible to transplant a charging port from one tablet to another and still have a data connection? My repair guy said he hasn't been able to do it.
JB
01:57
John Blaze
In reply to this message
I don't think you have to let the time fully expire but you do need to watch a good chunk of it. But so far as the 48 hours that time frame is irrelevant from my experience
02:08
In reply to this message
Possible Yes.
Difficulty level : advanced
My suggestion would be to cut the donor part from the donor board. Destroying the circuit board for the benefit of the part integrity.
Then remove the old port in the reverse fashion.
Cut and destroy the port for the sake of saving the board. BY this i mean cut open the port so that you can desolder one pin at a time and remove it separately from the rest.
Unless of course it all comes off easy.

But in my experience this process provides the best condition replacement part that should go on easily.

Of course clean the pads with flux and be sure not to use excessive solder.

Flux is a must not a luxury.
If done right you can even accomplish this with an oversized tip.
R
02:20
Roscoe
In reply to this message
You're saying cut off a section of the board to make it easier to manipulate while delicately removing the donor port?
JB
02:52
John Blaze
Correct.
Because the board is useless after you remove the part anyway and if you do it right you will not have a big assed ground plane to suck up all the heat from your iron and you can even separate sections of the board from the part being sure that the board takes the abuse over the donor part
02:54
Sometimes because of the small amount of solder used you are able to mechanically remove the part better than desoldering it.

Like pry it off carefully.
02:56
That's usually how I do the mp3 ports
A lot of times the pads delaminate from the board and you can remove them easily one by one with the soldering iron or the solder joint itself breaks free
03:00
You may have to slightly realign the legs again with a needle before soldering to the new board and a magnifying glass is recommended for the attachment process.

After cleaning both the pads and legs of the connector if needed use flux
Place the part
Solder the 1st leg
Inspect for good alignment
Realign if needed
Solder the last leg
Again check for good alignment
Then ride through all of em.
Less solder is better.
You should be able to do it with flux alone and not adding solder
TT
03:08
Terry Thompson V 2.0
From experience I can tell you it's not easy getting that USBC off board without messing board up but a trick I actually learned from youtube. You can remove it in less than 15 seconds put some flux on it and use a heat gun pull with a little pressure with some pliers or whatever and I kept heat gun pointed at backside of port to try to keep most of heat off board and about a foot away. I know we don't have heat guns in our cell but I used one at cms and most tool rooms have at least one
03:10
How to unsolder USB Type-C without damaging it. #diyua
https://youtube.com/shorts/DR09JpuEDNU?si=N5u59AhAXFUo47V0
HH
03:18
Halfredo Hernandez
What do you guys think about the post by ablbd here
03:19
Claims to have a mt8168 exploit payload
JS
03:54
John Smith
Just curious if anyone else got the Derek Gilna newsletter this week talking about expanding the use of tablets and expediting that process as soon as the government shutdown is over and money can move again? It was very vague but he said we would be happy about it. No idea what that means, since I know we will only be happy if we can unlock these damn things ourselves!
TT
03:56
Terry Thompson V 2.0
What newsletter is that ? U get it through corrlinks?
R
04:40
Roscoe
I get it through Gmail. Corrlinks blocks most newsletters now.
04:41
Regardless, when one door closes, another opens, and reliable sources indicate to me that given the sorry state of the agency’s computer services, more widespread use of tablets has been fast-tracked. Pending the end of the government funding shutdown, which limits expenditures for all but essential services (food, medicine, medical care, toilet paper) expect some positive news on this front within 30 days of the government reopening.
GG
04:54
Gino Green
In reply to this message
I work on these things and yes this would be the best way to go
JB
D
04:57
D
In reply to this message
Derek Gilna is a lying, two-faced piece of shit that exploits people for money by selling them hope. If he is predicting anything that happens to come true, it was by luck only that he got something right.
R
07:47
Roscoe
In reply to this message
I think I have everything needed to attempt carbonara using mtkclient with dependencies reworked for ARM if anyone can get a tablet in BROM and wants to give it a shot
D
07:51
D
How did you get the dependencies reworked for ARM?
07:54
In reply to this message
You have a hot air gun at your spot?
R
08:05
Roscoe
In reply to this message
Gemini CLI
08:07
I'm also setup to run penumbra just in case. Cause the dev hasn't actually implemented carbonara into mtkclient yet. But I have... theoretically...maybe...🤷‍♂️
D
17:14
Don
In reply to this message
penumbra is the rust version, right
R
17:31
Roscoe
In reply to this message
Yep
D
17:33
Don
that link from yesterday has it built into mtkclient? that you ported to arm? i have an x86 pc i will try it on when my flash drive comes
R
17:34
Roscoe
It's not built into mtkclient yet. But I've adapted mtkclient to ARM and incorporated carbonara. Theoretically.
D
17:36
Don
gemini was able to graft in carbonara?
17:37
impressive if it works
17:37
i'll be able to help once my drive gets here. i can code in c.
17:37
and python
R
17:42
Roscoe
In reply to this message
Yep. Hypothetically. 😅
D
17:47
Don
i hope this drive gets here soon i will be able to help. i know x86 asm too and will learn arm once i have a tablet unlocked to play with
17:53
i found a github of the lk code so i want to get that restored (boot menu) and twrp working
R
17:55
Roscoe
I'm actually just trying to get my hands on a working tablet to fuck with.
17:56
Has anyone successfully got to BROM with test pads? I'd love to have a definitive guide when I get one to work on.
D
18:23
Don
a friend fucked up his tablet and turned it into a cigarette lighter. ill ask him if he kept the board right now. brb
Johny Cash joined group by link from Group
D
18:49
Don
they fucked off the board but they have it with the shield off so i will get it and look for test points
TT
19:44
Terry Thompson V 2.0
In reply to this message
Yes about 5 of them and couple of soldering stations ,hot glue gun,solder suckers ,etc. I work there
R
20:02
Roscoe
In reply to this message
Thank you for offering. But I've got plenty of eyes on the board. Just trying to find someone -- anyone -- who's actually succeeded before. Stand on the shoulders of giants; don't reinvent the wheel; work smarter, not harder. That sorta thing.
JS
21:22
John Smith
Don't know if anyone is willing to look further into this, but it might be a way to backdoor the tablets and load content onto them. Having issues with our c to c data cord and trying this without one that's stable isn't working.
JS
21:22
John Smith
MJ
Mike Jones 17.10.2025 06:32:23
mkdir -p ~/mtk_setup && cd ~/mtk_setup
cat > setup_mtkclient.sh << 'EOF'
#!/data/data/com.termux/files/usr/bin/bash
# ==========================================
# MTKClient Full Setup Script for Termux
# Non-Root Android + OTG Flashing Environment
# ==========================================

echo ">>> Updating Termux packages..."
pkg update && pkg upgrade -y

echo ">>> Installing required packages..."
pkg install -y python git rust clang libusb wget unzip

echo ">>> Upgrading pip..."
pip install --upgrade pip setuptools wheel

echo ">>> Installing Python dependencies..."
pip install pyusb pyserial json5 construct tqdm

echo ">>> Cloning mtkclient repository..."
cd ~
if [ -d "mtkclient" ]; then
    echo ">>> Existing mtkclient found, updating..."
    cd mtkclient && git pull
else
    git clone https://github.com/bkerler/mtkclient
    cd mtkclient
fi

echo ">>> Installing Python requirements from repo..."
pip install -r requirements.txt

echo ">>> Checking USB access..."
termux-usb -l

echo
echo ">>> Setup complete!"
echo ">>> Now connect your MTK device (Score 7C) with OTG cable."
echo ">>> Make sure the device is OFF, hold Volume Up + Volume Down while plugging in."
echo
echo ">>> Then run the following command to test detection:"
echo "termux-usb -l"
echo
echo "If you see your device listed, run:"
echo "python mtk r --preloader preloader.bin"
echo
echo ">>> All done. MTKClient ready!"
EOF
21:32
Deleted Account
In reply to this message
Well, on the step of installing dependencies it will fail.
JS
21:45
John Smith
In reply to this message
Is there a way it won't fail? Or is this just because he isn't using a rooted phone?
22:26
Deleted Account
In reply to this message
As far as I know. There are no MTKclient that works directly from the phone natively or via termux. I haven't investigated this deep enough to understand the cause of the issue.
R
22:37
Roscoe
In reply to this message
Mine didn't 😁
22:39
In reply to this message
I had to rewrite it to go through termux-usb instead of libusb and pyusb. No USB backend, no problem.
JB
23:07
John Blaze
In reply to this message
A while back after a ridiculous amount of trial and error I had finally gotten mtkclient to work in termux but wasn't able to have low level access to the USB because my phone was not rooted and it was running android 14 which has some kind of sandboxing shit that makes it difficult beyond my abilities to access.
I tried USB passthrough to a virtual machine and some other avenues with no luck.
23:08
I still have my notes which are excessive if needed
23:11
In reply to this message
Yeah the back end was a major issue.
If I remember correctly the termux USB is the way I went as well.
I think I had to do it in a proot environment as well. But I may be misremembering.
18 October 2025
JB
02:47
John Blaze
In reply to this message
There is or at least was an android termux fork though it was private if I remember correctly.
I'll try to find it again
HH
02:47
Halfredo Hernandez
Someone on reddit was talking about successfully using mtkclient in a proot environment
02:48
There was some type of "fake root" access for termux
R
02:49
Roscoe
R
Roscoe 17.10.2025 07:47:24
I think I have everything needed to attempt carbonara using mtkclient with dependencies reworked for ARM if anyone can get a tablet in BROM and wants to give it a shot
02:49
R
Roscoe 17.10.2025 08:07:06
I'm also setup to run penumbra just in case. Cause the dev hasn't actually implemented carbonara into mtkclient yet. But I have... theoretically...maybe...🤷‍♂️
JB
02:49
John Blaze
Like I was saying i had it working but it was useless without root . Even proot was not enough nor was chroot
R
02:50
Roscoe
R
Roscoe 17.10.2025 17:34:16
It's not built into mtkclient yet. But I've adapted mtkclient to ARM and incorporated carbonara. Theoretically.
02:50
R
Roscoe 17.10.2025 17:55:09
I'm actually just trying to get my hands on a working tablet to fuck with.
02:50
Has anyone successfully got to BROM with test pads? I'd love to have a definitive guide when I get one to work on.
HH
02:50
Halfredo Hernandez
Oh I see
JB
02:51
John Blaze
Maybe with a good USB passthrough but I couldn't find one sufficient for what we needed
R
02:52
Roscoe
R
Roscoe 17.10.2025 22:39:00
I had to rewrite it to go through termux-usb instead of libusb and pyusb. No USB backend, no problem.
JB
02:55
John Blaze
But were you able to run the relevant commands without root?
R
02:56
Roscoe
In reply to this message
I don't know yet. Need a tablet and need it in BROM.
JB
03:03
John Blaze
In reply to this message
Try another phone if you can.
D
05:38
D
In reply to this message
So jealous right now. There ain't shit here.
05:39
In reply to this message
Were you running it in Ventoy or on its own? Ventoy fucks the loader on Slax.
05:42
In reply to this message
You can only run chroot if you have root access.
05:45
In reply to this message
This would (at least) require editing the pluggable authentication modules (PAM) backend, which requires root. Even then, I don't know that you could launch different profiles this way. LineageOS supports multiple user profiles though. If we get that version of the ROM working on the tablets, you just sign in, go to settings, and switch to the profile with the good apps.
05:46
In reply to this message
Also, no hooking to other devices to transfer files. If SIS gets your device and plugs it in, you're fucked regardless. Otherwise, is it that hard to not plug it in to the kiosk?
Xx. Xx joined group by link from Group
S
15:12
Synonymous
In reply to this message
On its own, and then with rEFInd
15:14
In reply to this message
I'm thinking more along the lines of less intelligent people getting sloppy. It's only a matter of time before someone dumb does something dumber. Perhaps in the event of theft
15:21
In reply to this message
My goal is something for instant camouflage
JS
18:33
John Smith
Any ideas about letting someone on the outside using a computer to slave a phone with one of the remote access apps and letting them root the phone or try to access the tablets? I don't know if it's possible, but I have people out there willing to try...
19 October 2025
HH
02:46
Halfredo Hernandez
Anyone else have this problem? I bought music years ago to my mp3 player that was never delivered to my tablet. I never got a refund either. I think the songs are no longer on the server and I was robbed of the money
S
02:47
Synonymous
Find it in your purchase history
HH
02:48
Halfredo Hernandez
Only history is how many tru units spent, not the song names. On the music tab on kiosk it's not in my list of music but I definitely had it before I got tablet
02:49
At least 3 songs I remember gone
D
04:01
D
In reply to this message
If an idiot steals it, they probably won't hook it into the kiosk. Even if they do, and the cops ask questions about the serial number being tied to you, you just say it was legit when it was stolen, and you have no idea what happened to it after.
04:02
In reply to this message
Instant camouflage? 99% of cops just reboot it or look at the back (to check for a board swap). I have never seen one make you open it. Even if that was the issue, just make sure you set a 4-digit pin and don't allow notifications on the lock screen. It's the same version of Android, so it looks the same.
04:04
In reply to this message
The problem with the USB over networking apps is that they don't do certain low level things that programs like mtkclient require. I tried doing this with the Gen2 players and the Windows software we were using before the Android app was available. It sounds good in theory, but doesn't actually work. But Roscoe is working on a Termux version of mtkclient. That's what you need.
04:06
In reply to this message
That's weird. I got transferred and my MP3 player didn't get shipped. I had to buy a tablet and load all my music from scratch. I am pretty sure I got everything, and I know for sure it loaded stuff that was no longer available. Maybe it's the difference between something they just lost the license to versus something they banned and removed.
TT
04:15
Terry Thompson V 2.0
Is this possible? I would say no unless 1st gen and somebody wrote a script for fw or something but this is 3rd gen
TT
04:15
Terry Thompson V 2.0
CS
Chalino Sanchez 18.10.2025 22:10:20
Someone sent me this saying it's a homemade bop issue as card reader... u think it's BS or is it possible?
04:15
04:15
D
04:19
D
In reply to this message
I don't know everything about how these systems work, but that looks like a Gen3 player. The thing about the Gen3s is that the OS is on the SD. I don't know how it would read the SD as a passthrough like that without the software to manage the connection. But maybe, just maybe, it is simply being plugged into an Android phone (via the USB-C), and the phone reads the SD card directly?
S
04:23
Synonymous
No chance. Pure fake
TT
04:24
Terry Thompson V 2.0
I don't see how either but someone went to a lot of trouble to make it
S
04:25
Synonymous
Agreed. Fake clout or looking for a sucker
TT
04:28
Terry Thompson V 2.0
Dude is in feds. His homie plugged his street MP3 up to computer to charge and as u know MP3 is shipped in debugging mode and abracadabra now he ain't got shit and he wanting to write image so he been asking to borrow a external SD c5 reader and somebody told him he could use this
D
04:29
D
How much is he charging?
S
04:29
Synonymous
All the important stuff is missing. unless the type-c male was ALREADY a cardreader and its on the other side and just needed a new SD cage
TT
04:29
Terry Thompson V 2.0
He just borrowing it I think trying to write the image
04:31
He just wants his player to work again
D
04:32
D
If it's not costing him anything, it's not like he could be any worse off.
JB
04:56
John Blaze
In reply to this message
I see that there are 8 wires each going in numerical order to the chip slot
It looks like that may have been from a damaged card reader and this was a way to try to connect to the card slot.
The mp3 and its system would be irrelevant.

A direct connection from USB to SD card would obviously not work.
It needs an IC to interpret and interface with the card to USB communications.
B
17:11
Bill
In reply to this message
I got one into brom but I don't have carbonara. Can you send it to me please
JS
17:47
John Smith
In reply to this message
Is there a process we can use to duplicate on our end that you can share to get the tablet into BROM? That would be extremely helpful.
👍
R
TW
Terry Thompson V 2.0 removed Xx. Xx
JS
22:59
John Smith
Python script screenshot, waiting for text and any advice is appreciated.
23:04
Here is more of this progress.
JS
23:04
John Smith
MJ
Mike Jones 19.10.2025 23:02:10
23:04
20 October 2025
J
04:15
John
In reply to this message
I believe that in the interview that the BOP director has with Chrisley, he was talking about using the tablets for video visits and delivering educational courses. This already exists throughout county jails....one of them I passed through used Edovo, which actually has some fascinating courses. None of this is hard, the BOP just hasn't caught up with county jails.
S
20:50
Synonymous
My county had Khan Academy (free)
JB
20:58
John Blaze
In reply to this message
Yeah mine too
Who would have thought the feds would be such bullshit and have worse education than the state
S
21:32
Synonymous
We don't have the new tablets yet
21 October 2025
JS
02:07
John Smith
So what do we think we can do with this?
JS
02:07
John Smith
MJ
Mike Jones 20.10.2025 22:05:10
02:07
MJ
Mike Jones 21.10.2025 02:05:35
02:07
S
02:10
Synonymous
The USB vendor and device info? We have that already. It changes based on the mode the tablet is in. Full boot, brom, preloader etc
HH
02:50
Halfredo Hernandez
The bop had an industry vendor demonstration August 2025. Looking for vendors to add functionality to score tablets. Including commissary ordering, administrative remedies, trust fund account, phone calls, video calls, and educational material on tablets
02:52
Demonstration Session Content:

The FBOP is interested in vendor solutions for inmate tablet devices with the ability to manage administrative functions (commissary ordering, administrative remedies, receiving money, etc.), phone calls, video visiting, emails, education programing, and entertainment/leisure purchasing (movies, music, books, games, etc.).
Terry Thompson V 2.0 invited Tony
J
16:41
Jammer
Anyone make any progress
22 October 2025
S
02:35
Synonymous
I propose monthly check-ins to remove old/duplicate accounts.
It would also give people a chance to say hello, stand their ground, and state their intentions.
It would also remove any stalker accounts sis has

If a name hasn't posted anything in the last month, the account is assumed inactive and removed

Thoughts/opinions?
HH
02:37
Halfredo Hernandez
In reply to this message
I like the month timer. No check ins in a month I think means either lost account/ phone, leacher, or otherwise bad news
02:37
My opinion anyway
JB
02:38
John Blaze
I would suggest a little more time than a month.
It's not hard to get 20 to 30 days In the shu and it could take a min to get back on
02:39
Or maybe an easy to remember email that we could use to get back in touch with in the case of an all-out fuck up
S
02:52
Synonymous
I'm new to Telegram, so I have a few questions:
Can a kicked out person locate the group or be invited back in?
How easy is it to find the group or mod?
Do DMs persist after getting kicked out?
TT
03:44
Terry Thompson V 2.0
I agree also. Unless we know the person and why he hasn't been active we take precautions. And after losing access when I lost my phone and lost everything including my 2000 amv shows. I made plans and ways to get back in. The federal hostage channel and group which several of us are members I made my best friend administrator and he is in street I just log in his telegram and contact one of y'all to add me back. After 3 months in shu I couldn't remember very many usernames lol
03:45
I couldn't find this group after searching for a couple days
S
03:54
Synonymous
Would a separate dummy group that people don't get kicked out of work? So that people who get booted can make a request?
I think my account is linked to my #, so a new phone would mean new account. If I were to join the dummy group by link and ABC says they are XYZ, that could work
C
12:20
C
After losing my tg last time I set it up this time with an email so I should still have access if I lose the number
JB
21:19
John Blaze
In reply to this message
Damn I didn't realize I could do that.
Thanks 👍
23 October 2025
TT
00:10
Terry Thompson V 2.0
I did too but it still send code to phone
C
00:28
C
Good point. I just switched number to Google voice.

Note that Google may delete the number if inactive for a while, just send a text every few months
S
01:01
Synonymous
A friend said that if you pay to import a number to Google voice, it's reserved for life. I did not verify
JS
01:58
John Smith
The warden at my spot told an inmate today that they are planning to issue tablets to new people as they arrive. We will have to sign up and pay for whatever services are offered to be able to use them. No idea if we will be able to use these score tablets or if they are planning to phase them out. Anyone heard anything like that?
D
02:02
Don
interesting
J
02:15
Jammer
Need a break for these..
S
14:39
Synonymous
Have not heard it here, but have heard of it in the distant past. There was a phase period and old tablets were required to be sent home.

Rental tablets would combat hacking. They are turned in at night or weekly
14:40
*at private and state facilities
S
20:03
Synonymous
My pin idea was implemented in miui and is called "second space"
👍
HH
24 October 2025
20:01
✨✨ Vejeeter✨✨
I haven't been on much but I just talked to my cousin he is trying to get a WiFi stick fixed...if he does he will be a good source of info for a hack
TT
20:01
Terry Thompson V 2.0
Ok do u want him in group
20:03
✨✨ Vejeeter✨✨
In reply to this message
He's not online that much right now...but when he gets straight I think he can help us...
20:03
Right now he's trying to figure out how to get a WiFi stick to power back on so he can activate it
TT
20:05
Terry Thompson V 2.0
Well there are some pretty smart people in this group and we have been really scrutinizing people before we add them but as far as I am concerned if he is your cousin and I want him in we can bypass all that and I will add him now. Me and u both been around a long time
20:06
✨✨ Vejeeter✨✨
In reply to this message
Yeah he's good frfr and he knows more than me frfr....
TT
20:09
Terry Thompson V 2.0
Send his username
20:09
✨✨ Vejeeter✨✨
20:11
Gotta go I'll check back later if I can
20:12
See if any guys can shoot me some instructions to forward to him to fix the stick...it looks like this he says
20:13
S
TT
20:23
Terry Thompson V 2.0
Ok. I not on as much last couple days got jammed up a few days ago
20:23
I sent him invite link
The Wwwizard joined group by link from Group
TW
21:59
The Wwwizard
Just got invited by Ryan, talked to him today

Talked to someone else on the compound as well, who referred me to Ryan

I have a background in software / web development, and I've got some experience in mobile development
25 October 2025
JB
01:32
John Blaze
In reply to this message
More info would help.
1, Has it ever worked before or is it new?
2, If it did work..
did it just one day stop working or was there something that had happened to it?
3, Does it run off battery or a power supply?
4, if battery verify power from it.
5, check the power supply for power output.
6, verify the power port is passing current to the board.
If there is a switch verify it functions or circumvent it briefly to rule it out.
7, if there is no traction with any of those open and inspect for corrosion or damage or foreign objects.
8, connect to power when open and feel if any ic's are warm or hot.

These will get em started.
Ask for a specific model number and get back to us
JS
01:56
John Smith
Would anyone want to do a brainstorming day this Sunday from 12p to 12a where we can try to figure out where everyone is in regards to accomplishing our goal of deinstitutionalizing these tablets? I know everyone here has their own skill sets, and it might be helpful to see where we really are with this. Any thoughts?
TT
03:16
Terry Thompson V 2.0
In reply to this message
This is kind of weird I been trying to get in touch with Ryan for a minute. I have sent DM and and Hank also. I am not doubting your word but Ryan had to click on this group to send u the invite link . It's just hard to believe none of us have heard from him in probably a month and all of a sudden he logs on telegram and goes to this group but doesn't post or reply to messages, especially in his and Hank absence we have started checking people out before we let anybody in. Unless me and probably a few others can talk to Ryan soon and verify it's really him and where he has been I don't figure your gonna have anybody here anymore half of us is already paranoid and this really feels like we are compromised. I hope none of this is true and I am just tripping but it's just so weird because Ryan and Hank haven't been around in a month and all of a sudden today I look and they were both online at 10:00 this morning and got off telegram 9 minutes apart .
03:16
03:23
And they haven't been on telegram since. So hasn't been on telegram in a month but both sign on this morning and Don't reply to messages or post hey gonna add @thewwwizard25 . So guys is it just me paranoid or we been compromised?
03:26
@thewwwizard25 sorry for all this but could u DM me and tell me what compound your on ?
👍
S
D
03:27
Don
I dont have any updates yet, still waiting on thumb drive to hit
JB
05:28
John Blaze
In reply to this message
Definitely sounds off.
Dude gets an invite outta nowhere from an account that has been dark and still has had no real contact.
Were Hank and Ryan on the same pound?
S
14:58
Synonymous
Could be the feds got the phones, and assumed their identities. Explains the timing and added account
🤣
TW
JS
18:41
John Smith
What are we going to do moving forward here? If there are feds on this board, what would they be able to do to stop any success that we have if we figure out how to get these rooted or modified? We already have the tablets. I feel like I'm holding onto a 100 series grenade with this phone and I feel as though at least some of us would be better suited to have our tablets as our primary tool. I'm still trying to figure out where we are all realistically at in this process and I have people willing to help with whatever we might need.
JS
18:42
John Smith
MJ
18:42
This something new I'm getting stuck trying to get tablet to go to and stay in brom mode it's connecting as you can see in my old pic to set up the pre loader but I'm getting stuck there bout to write a script to force tablet to go to brom mode an stay there
19:03
✨✨ Vejeeter✨✨
In reply to this message
He says he plugged it in and it came on so he went to settings to connect to it when he put in password and waited to connect it cycled off....now it doesn't come on at all...
19:14
In reply to this message
Most definitely would be better to have a broken tablet with the phone stashed and hotspot on...I'm trying to go back over a few things but the main thing is making sure you have a flash tool installed...mtkclient
19:17
In reply to this message
I'm curious about this
S
19:38
Synonymous
In reply to this message
I say nuke the channel, delete it and start a new one
19:45
✨✨ Vejeeter✨✨
In reply to this message
How would you write a script to go to Brom mode? And stay there? 🤔🤔🤔
JS
21:13
John Smith
In reply to this message
I'm waiting for a copy of the script, I'll post everything I get.
JS
21:36
John Smith
These are the screenshots dude sent me using a slightly modified version of the script I posted earlier. If you have questions for me to ask him let me know. BROM mode only exists for a second at most and then kicks out.
21:36
26 October 2025
TT
00:53
Terry Thompson V 2.0
In reply to this message
I don't know what pound Hank was on but I know where Ryan was and I asked the new guy where he was at and he told me the right answer so I told him to have Ryan contact me. He said he should be seeing him today or tomorrow. If anybody wants to help with this let me know what u think . I started to ask him for the regular things we been asking to produce bop id and pic of tablet with name and # but I got so much going on wish somebody else would take this one. I hate being the gatekeeping asshole but how can I not be when we have so much to lose. @Oakcliffamerica469 @roscoefilburn what u think. One of y'all want to ask him. And Ryan ? If nothing has happened to him like shu or something similar well I don't know how I feel about not even telling us anything. I am for whatever someone take the helm
TW
01:05
The Wwwizard
John are you running these commands on a rooted phone?
TT
01:16
Terry Thompson V 2.0
@thewwwizard25 is good everybody I just video him and he is what he says he is
👍
S
S
01:34
Synonymous
In reply to this message
A wizard? :p
TW
01:36
The Wwwizard
Not just any wizard
01:38
I'm down for the cause

I have a background in app development, and I've flashed tablets / laptops and computers back in my day

Dual boot, USB boot, any type of boot you can think of 🥾
S
01:41
Synonymous
Ever convert winxp to EFI loader?
Also trying to repackage any Linux into a bootable wim file, no Linux loaders.
TW
01:42
The Wwwizard
I can't say that I have
EFI is different from UEFI I take it?
S
01:42
Synonymous
Technically yes, but not as far as I am concerned
JS
01:48
John Smith
In reply to this message
No, it is not rooted. Unknown if this will work for that reason. Any ideas?
GG
01:50
Gino Green
In reply to this message
Im here bro if you need me to I'll look at the stuff on DM and see if everything checks out .. I'm always paranoid my self i would much rather have some kind of clearance on here
TW
01:55
The Wwwizard
In reply to this message
Root allows access to lower, system level access, to run adb or apks like Magisk and Magisk su when connected to a tablet with otg
GG
01:55
Gino Green
I think if we verify our self on here we can feel a lot more confident talking on here ..sometimes you don't want to say certain things in fear that some one might be on here from the other side
👍
S
TW
01:55
The Wwwizard
So some commands might or might not work if the phone or tablet is not rooted
TT
01:56
Terry Thompson V 2.0
In reply to this message
Agreed bro.
👍
S
JB
01:57
John Blaze
In reply to this message
Thank you for taking the wheel and putting in so much of your personal time and effort towards the cause as well as bearing the uncomfortable and sometimes taxing burden of being a gatekeeper for the benefit of us all.
Anything you might ever need that I can provide just say the word and if it's within my power... Consider it done
👍
S
TT
02:01
Terry Thompson V 2.0
Thank you for that. I really enjoy being here and on HF I just been going through some stuff here lately. Had some problems earlier in the week that I dodged. Not that I care getting a shot but I got a loved one that I think will be passing away soon and it would kill me not to be able to talk with them or my family when they passed if I was in shu
D
03:58
Don
In reply to this message
right, the usb subsystem cannot be directly accessed without root. there is an api, but it is unique to android
T
04:17
Tony
Except Termux has a method for accessing it, with user permission, of course.
TW
09:30
The Wwwizard
In reply to this message
With the use of Magisk / MagiskSU?
T
11:20
Tony
No. Termux can access USB devices without root. The benefit of root is to be able to have broad access without having to ask for permission for each device/connection. Without root, Termux must make a request for access each time it makes a connection. But this is fine for mtkclient, as a device in BROM mode maintains the same VID/PID until it is rebooted.
TW
13:20
The Wwwizard
So this + otg should allow you to view partitions? And other info?
JS
17:10
John Smith
I have some one on the outside that'll slave my phone and use his PC to break my tablet problem is once he slaves my phone what process step by step does he need to follow to break these damn things? Once we do that we can use a broken tablet to break everyone else's right? Even yours remotely
17:11
Ideas or even strong theory is appreciated
JB
17:21
John Blaze
In reply to this message
That may be true.
It however was not my experience. That may be because of a misconfiguration error on my part or just operator error. But when I had tried it there were certain things that would just fail when other commands would run fine. I attributed it to lack of root access and the sandboxing that android 14 uses.

If you have or could verify that we have low level access by practice on an android 14 or 15 through termux I would appreciate it. And I will get right again on this jack.
T
17:24
Tony
It definitely doesn't have "low level access." It has limited functions, basically listing devices and selecting one for Termux to have access to. But for the Score7, that should be enough to run Carbonara.
JB
17:26
John Blaze
Oh okay...
I misunderstood you..
Yes it definitely did that.
I will have to go through my notes to see which commands I had success with and which failed.

But I hope we can..
TW
17:49
The Wwwizard
Do any of you have a specific link for more information on carbonara?
TT
17:52
Terry Thompson V 2.0
Anybody interested in group call today?
D
18:32
Don
In reply to this message
I've used that. It establishes a file descriptor but only after a successful connection. It wasn't able to send the type of usb commands that mtkclient uses
JB
19:53
John Blaze
In reply to this message
That was my experience as well.
TW
21:03
The Wwwizard
Theoretically, the OS flash should work on both the 7C and 7T right?
JB
21:06
John Blaze
In reply to this message
Depends....What time are you thinking?
TT
21:14
Terry Thompson V 2.0
Whenever is clever. Just a idea
T
21:45
Tony
In reply to this message
They have the same hardware, so yes. The only concern is what revision of firmware is on the device. The earliest versions had a recovery partition that made BROM access very easy (hold VOL DOWN + POWER during boot). Later, most versions of the 7c received firmware updates that removed BROM access via this method. However, the BOP system is unreliable about pushing updates, and some people left the Bureau before getting the tablet patched.
👍
TW
GG
22:17
Gino Green
In reply to this message
Since some don't ever come out the unit 😂😂
TW
22:20
The Wwwizard
Go out? For what? 😂
TT
22:31
Terry Thompson V 2.0
LoL. U talking about yourself Gino
GG
22:31
Gino Green
In reply to this message
😂😂😆😆
Jp joined group by link from Group
J
23:59
Jp
Blackhole127.0.0.1 on new rental
27 October 2025
J
00:01
Jp
I'll be on a different joint later to verify this one lol
TT
01:32
Terry Thompson V 2.0
I done away with invite link unless Hank or Ryan shared one again
Terry Thompson V 2.0 removed Jp
01:43
Deleted Account
Blackhole127.0.0.1 removing old rental
Deleted removed Deleted Account
JS
02:29
John Smith
Just got this from dude in another unit.
02:29
Just installed this to run with non cli
02:30
I just bought an installed a debian desktop VR interface
02:30
Ok so now I got root access through this modded os
02:31
02:31
Anybody try this yet?
TW
10:18
The Wwwizard
Root access to the OS for that modded OS?

Are you trying to do USB passthrough with it?
JB
21:11
John Blaze
I have previously tried some USB passthrough apks without success but my options were limited to the very few that I was able to find at the time. I heard that there were some built into virtual PC software but I had not found any that would allow me low level access on my android 14 phone at the time.
I suspect because of the sandboxing that is native to the android 14.

Hopefully someone else might have better luck 🍀
21:15
I tried either debian or Ubuntu I don't remember but still a flavor of Linux
28 October 2025
JS
01:57
John Smith
In reply to this message
So no success with either?
01:58
We have access to 2 phones and we have more than one person on the outside willing to remote login to one phone to root the other. Has anyone had any experience with trying to do this?
JB
02:48
John Blaze
In reply to this message
I wasn’t successful using mtkclient with my unrooted Moto G 5G (XT2417D) running Android 14 on a virtual machine
The host OS was either Ubuntu or Debian I researched both but don’t remember which I ended up using.
I ran the setup in a virtual machine and tested several USB passthrough options but I couldn’t get mtkclient commands of any real significance to work.
I think the problem was Android 14 sandboxing and VM USB passthrough limitations
02:50
I'm no super genius so it may have been an error on my part but I would like to think that I was pretty thorough with my attempt.
It sure as shit ate up a lot and I mean a lot of fuckin time
HH
03:00
Halfredo Hernandez
Maybe related maybe not but we tried windows in a virtual machine inside android at my last spot. Waste of time because android still didn't allow low level access
JB
03:19
John Blaze
Oh yeah I'm retarded 😂 I forgot to mention that I also tried win XP and win 11 on that vpc set up
S
12:05
Synonymous
Anyone able to mount a squashfs filesystem and remove an obnoxiously large folder? (Ghidra) in https://www.androidfilehost.com/?fid=1109791587270922802
Elegar Infernis removed Elegar Infernis
T
20:47
Tony
In reply to this message
I could take care of this problem. Msg me to let me know what you want removed from the image and I can give you a new download link.
👍
S
29 October 2025
O
00:49
Ohhmonky
In reply to this message
This would rely on the virtualizer app(limbo? Qemu in termux?) to access the usb and passthrough it to the guest system. A lot of moving parts in there. Any one of them could be at fault.
So if that was not successful, it doesn't mean there isn't another way to access usb from a non-rooted android in a satisfactory fashion.
00:55
In reply to this message
Seems to be not much more difficult than:
(Termux)
pkg install squashfs-tools
unsquashfs a.squashfs
cd squashfs-root
rm dir1/dir2/wrongfile
cd ..
mksquashfs squashfs-root a_modified.squashfs
👍
S
JS
02:06
John Smith
More from the Debian attempt:

Successfully installed shiboken6
Which I was never able to get installed before
I did check with ai an this what came up after i sent that screenshot

I gotta brom mode bypass script so all I gotta do is just plug tablet in while it's off an it forces it into brom mode if this fails

I've just completed everything successfully an ready to run read bottom of this last screenshot Everything installing without error

More stable cause I wasn't using the debian modded os I was just using termux with fake root privileges this has actual root access
I've just completed everything successfully an ready to run read bottom of this last screenshot
02:09
Screenshots, still waiting to see if this worked.
02:09
T
03:45
Tony
In reply to this message
BROM mode bypass script? I am intrigued. Can you share?
JS
03:53
John Smith
In reply to this message
As soon as I get it, I will share it. I want this to work so badly!
30 October 2025
Terry Thompson V 2.0 invited Jp
31 October 2025
Halfredo Hernandez removed Halfredo Hernandez
Jp removed Jp
1 November 2025
Halfredo Hernandez joined group by link from Group
HH
02:48
Halfredo Hernandez
Hey all, this is a rental phone i think someone kicked me out of the group that uses this phone
02:48
I was able to get back in from the old invite link a mod sent me
TT
02:50
Terry Thompson V 2.0
I didn't kick u out somebody on your end must have left the group. Can u put a pin on telegram that's what I do with my personal phone then nobody can get into telegram but u
HH
02:52
Halfredo Hernandez
Thanks Terry. I'm not too savvy with tg. But this isn't my phone so is there a way I can find this group in case someone quits the group on this rental or if I lose the phone?
TT
02:59
Terry Thompson V 2.0
Remember my username or somebody else and send a direct message to me or Gino or Rosco and we can add u back
HH
03:11
Halfredo Hernandez
Appreciate it terry
TT
04:52
Terry Thompson V 2.0
No problem
JS
15:43
John Smith
This is the script that would put the tablet into BROM mode without a rooted phone.

#!/bin/bash

# Complete Script to Install mtkclient in Termux on Non-Rooted Android for Flashing MTK Devices via OTG
# Author: Grok (based on community guides)
# Prerequisites:
# - Install Termux from F-Droid (not Play Store).
# - Install Termux:API app from F-Droid and grant permissions.
# - Enable USB OTG on your phone.
# - Have your Score 7C tablet firmware unpacked in ~/firmware/ directory.
# - Firmware files should be named after partitions (e.g., boot.img, system.img, preloader.bin, etc.).
# - For Score 7C (MT8167/MT8168), download stock firmware (search "MT8167 Android 8.1 firmware" for similar), unpack using MTK tools on PC if needed.
# - Place all .img/.bin files in ~/firmware/ (create if not exists).
# - To enter BROM mode on Score 7C: Power off tablet, hold Vol Up + Vol Down, connect OTG cable to phone (do not release buttons until detected).
# - Run this script in Termux: curl -s https://pastebin.com/raw/XXXXX | bash (or copy-paste directly).
# - After install, the script will prompt to flash: Press 'y' to proceed after plugging in tablet.

set -e # Exit on error

echo "=== MTKClient Installation Script for Termux (Non-Rooted) ==="
echo "This will install a modified mtkclient for Termux. It may take 10-20 minutes."
echo "Ensure Termux:API is installed and permissions granted for USB access."

# Step 1: Update Termux and install base packages
echo "Updating Termux and installing dependencies..."
pkg update -y && pkg upgrade -y
pkg install -y git python libusb python-pip termux-api cmake

# Step 2: Clone modified mtkclient repo for Termux (v1.52 compatible with fixes)
echo "Cloning mtkclient repository..."
cd ~
rm -rf mtkclient # Remove if exists
git clone https://github.com/RohitVerma882/termux-mtkclient mtkclient
cd mtkclient

# Step 3: Install Python requirements (with workaround for keystone-engine if needed)
echo "Installing Python dependencies..."
pip install --upgrade pip
pip install -r requirements.txt || pip install --no-build-isolation -r requirements.txt
pip install .

echo "Installation complete! mtkclient is ready at ~/mtkclient"

# Step 4: Prepare firmware directory (user must populate it)
mkdir -p ~/firmware
echo "Firmware directory created at ~/firmware"
echo "Please ensure your unpacked firmware files (e.g., boot.img, system.img) are in ~/firmware/"
echo "If not, copy them now (use 'termux-setup-storage' if needed for access)."

# Function to flash
flash_device() {
echo "=== Preparing to Flash Score 7C Tablet ==="
echo "Plug in the tablet via OTG now."
echo "Enter BROM mode: Hold Vol Up + Vol Down on tablet while connecting (release after detection)."
read -p "Is the tablet connected in BROM mode? Press Enter to detect, or Ctrl+C to cancel."

cd ~/mtkclient
echo "Detecting device..."
python mtk printgpt # Test detection and show GPT

if [ $? -ne 0 ]; then
echo "Detection failed. Check OTG cable, BROM mode, or Termux:API permissions."
echo "Run 'python mtk' manually for debug."
exit 1
fi

echo "Device detected! Starting flash from ~/firmware/ (all matching partitions)..."
read -p "Confirm flash? This will overwrite partitions (backup first if possible). Type 'yes' to proceed: " confirm

if [ "$confirm" != "yes" ]; then
echo "Flash cancelled."
exit 0
fi

# Flash all files in ~/firmware/ to corresponding partitions
python mtk wl ~/firmware/

if [ $? -eq 0 ]; then
echo "Flash successful!"
else
echo "Flash failed. Check logs in ~/mtkclient/log.txt"
fi

echo "Rebooting device..."
python mtk reset

echo "Done! Disconnect OTG and check tablet."
}
CD
15:43
# Run flash if script reaches here (single 'button' equivalent: just run script after prep)
read -p "Installation done. Ready to flash? (Firmware in ~/firmware/?) Press Enter to proceed, or 'n' to exit: "
if [[ $REPLY != "n" ]]; then
flash_device
else
echo "Exiting. Run the script again when ready."
fi
JS
16:22
John Smith
Install proot distro. Yeah, you might have to along the way install some things. First and foremost install all the root access commands like pkg install tsu. You'll need to install termux api as well to run separate from termux, it allows the adb and USB feature. Termux, don't just download all them from fdroid, not play store, both termux and the termux api. Install all the libfuse utils pip pyside6 python. Anything that can help and grant low level usb
TW
16:40
The Wwwizard
John The pastebin link is broken, it's giving a 404
JS
16:44
John Smith
In reply to this message
I'll see what happened.
T
16:48
Tony
Also, the script is contingent on getting the tablet into BROM easily. We know that button combo no longer works. As a matter of technicality, the Score7c and subsequent tablets do not use the 8167, as the script mentions.
16:50
Oh, and mtkclient does not match filenames in a directory to on-device partitions in the manner in which this script has been written, nor does this script account for variations in image size for partitions to be flashed.
TW
17:01
The Wwwizard
Man, I haven't been part of a code review in years
17:01
😂
JS
17:02
John Smith
Alright just talked to dude. He's renting till 2 eastern. And will be back in touch. I'll talk to him and tell him to give me everything he's got to make stuff easier on our end
S
21:22
Synonymous
Be careful of AI coding, AI hallucinations can be convincing at a glance
2 November 2025
Terry Thompson V 2.0 invited Charlie Durk
Terry Thompson V 2.0 invited Roscoe
R
01:40
Roscoe
In reply to this message
This is Roscoe. Ha, looks like you caught up with me while I was in the SHU. 🙃

How did it go?
T
03:19
Tony
He posted it to the AI channel. It's not as promising as we were led to believe.
03:20
I rather thought I would have been sent to home confinement, but apparently I am stuck in RRC until January, and in tablet limbo for some short time after.
JS
17:35
John Smith
Someone offered me a USB Type-C/A to SD/Micro SD Card Reader and I am going to buy it. What advice do you have for how to put it to use for our tablet needs?
GG
18:48
Gino Green
In reply to this message
Yes
4 November 2025
JS
02:57
John Smith
I have a request from the group here. I am not well versed in coding or any of the complex things that many of you seem to be comfortable with. I am more than capable of following instructions. What devices and accessories would someone need to do this tablet breaking? I have an avenue for getting things into this spot, but I need to know what to get. A handheld PC? A raspberry pi device? What would be the must have list to get this done from the inside?
T
03:47
Tony
We have seen evidence that one or two teams have accomplished this. However, nobody here has made a breakthrough and shared the results. So we don't really know what you need. Based on my last experience, a higole mini pc and a USB-C SD card reader that can handle 1-bit mode worked for me and my partner to read the tablet eMMC drive. But I got shipped, and haven't been able to replicate our work due to lack of access to tools.
TT
04:17
Terry Thompson V 2.0
Hank posted a tablet jailbroke over a month ago then disappeared. Him and Ryan. I am beginning to realize why the owner and one of the administrators abandoned us. Right before he left he promoted me. Is anybody else connecting the same dots I am?
JS
04:45
John Smith
In reply to this message
Yeah, doesn't look good.
TT
04:47
Terry Thompson V 2.0
Supposedly they had it figured out, just a couple of small things to work out. But if they do have it I guess they don't want to share and don't need the group anymore
TW
11:51
The Wwwizard
Is Treble just a "flavor" of lineage OS?
D
23:54
Drew
In reply to this message
That's pretty fucking shitty of them
23:55
Anybody know where they were maybe reach out to that place and see if they're breaking them
5 November 2025
JS
02:58
John Smith
Not sure. Kind of sucks people not sharing shit. That's the whole point. I'm going to figure it out and I promise I'll put the shit on here just like I did with mp
TT
03:09
Terry Thompson V 2.0
Well it does suck but makes a lot of sense, should have seen it coming I guess
03:10
They are at dix where it was originally jailbroke first
TS
03:13
Tony Sparks
In reply to this message
Fort Dix would be the place. It's so big and so much going on there. Easy to get lost in there and do what you gotta do compared to a smaller yard
03:15
If I could get into the PCs here and get past the prison OS and boot windows, would that work well for me?
Terry Thompson V 2.0 invited Jp
R
03:30
Roscoe
In reply to this message
That's pretty much ballgame. And oddly enough, I just got access to a desktop that had USB access. All I gotta do is get a bootable live USB or get a portable app that will spring me out of the limited/managed/locked down Windows.
TS
03:32
Tony Sparks
In reply to this message
I think I have someone that can get it in, but those pesky locks on the machine keeps us out.
03:33
I'd just have to find one that runs windows instead of fully installing it
JB
04:45
John Blaze
In reply to this message
Splice into an existing USB cable like for the tablet, mp3 or mouse if needed and drive with keyboard shortcuts
04:58
In reply to this message
Damn I hope that's not how that went.
Didn't one of them send someone to this group and we thought he might have been a cop or sis?
What happened to that dude?
GG
05:03
Gino Green
In reply to this message
What if you find a USB female and run it to a micro or USBC female and plug right to the mp3 cord or tablet cord.. They all have the same 4 wires black red white and green
SM
05:05
I'm sure it's doable I made a micro female to USBC male to charge my tablet since they stole all the cords for tablets and I also used it to revalidate thru the mp3 cord
JB
05:26
John Blaze
My bad I was responding to something else here I just erased my post Gino 😂
J
18:16
Jp
Ok I'm at Fort Dix East, which is apparently the place the break started. There are both Score 7c & 7t broken here but it's hard as hell to get ahold of one to confirm. The process, whatever it is seemingly is being kept under wraps since the original guy left, and the price after dropping as low as $600 to have it done on your supplied tablet has gone back up to $1100 for a prebroken tablet as a "friend deal" (one time offer).

I have limited access to a confirmed working cable, as in connected to a phone and tablet the phone says it's ready for USB mode and the tablet denies access. But now I'm stuck, from what I've seen the tablet requires a very invasive hardware mod to maybe get it into the right mode, which I'm still not sure works on 7t. Does it?

Next is the phone side, the script for access without root seems to have issues you folks pointed out, and previously I've heard bugjaeger can be used. Now I'm a Windows, VMware, Citrix, DOS/Posh/scripting guy of 40 years experience running large data centers, and done Linux/ Android at home for fun on my own phones/tablets including ROM/etc, so my expertise somewhat carries over and I'm willing to share my info, the hacker ethos took me to being one of the top system administrators around.

I'll be available here pretty much every day from 12:30pm to 1:30pm EST. Even if I get it working I'm not disappearing, the hacker ethos demands sharing. Thanks for all the info folks looking forward to getting this done. Blackhole127.0.0.1 on the forums and Gmail if needed.
👏
R
23:01
Deleted Account
The ways to do it were already listed. Acquire the private signing key that is used by the kiosk to authorize the signature for connection to the tablet. Which is hard without access to the server which is local in each prison, even then we don't know if the local server doesn't work as a proxy to ask for a signature from a remote server. But worth a try.
Once the key is acquired it's easy to unlock any tablet from any phone. No root required.
If they didn't get the key then there might be a flaw in the connection protocol which I haven't found. There was a talk about test keys being used in the process somewhere but I haven't had time to dig for that info. All source code for kiosk listed on the server from D
R
23:18
Roscoe
In reply to this message
I don't know anything for certain, but FWIW I have my doubts that it involves any secret keys.
6 November 2025
JB
01:27
John Blaze
Has there been any progress on actually testing and verifying the hardware mod to get into brom mode ?
I remember seeing some people talking about it and said they were going to try but I haven't seen a confirmation of success yet.
Unless I missed it
D
02:06
Don
In reply to this message
I have shared the bios password to the trulincs computers several times. you can se it to boot from a usb flash drive. it is TLall041405
02:07
In reply to this message
i am waiting on a usb drive. supposed to come next week. then I can get to work. also I am about to be transferred to a lower security facility so I can get tools easier
02:09
In reply to this message
your cv sounds a lot like mine. data center, Unix admin, etc.
02:11
In reply to this message
agreed. Switzerland and I put a lot of work in and got everything but the private key. but since we could not acquire it going to try to use carbonara mtk exploit to write treble image
T
02:20
Tony
In reply to this message
The test keys post had to do with the LineageOS image that was loaded on some tablets. It was signed with the test keys, and yet the user who had the tablet claimed the bootloader was still locked, meaning the SoC recognized the test keys.

This had nothing to do with Kiosk to Tablet communication. The private key necessary to enable this CANNOT be sniffed. And it is only stored on the ATG server, accessible only by the prison network.
R
03:15
Roscoe
FYI, from the old group. Should we invite him and pick his brain? I'm sure y'all have some ideas about what he could do.
R
03:15
Roscoe
MD
Michael David 06.11.2025 01:43:54
I got a jb tablet but dont know how to reverse engineer it so I can do others
R
07:35
Roscoe
R
Roscoe 17.10.2025 17:56:02
Has anyone successfully got to BROM with test pads? I'd love to have a definitive guide when I get one to work on.
J
17:51
Jp
In reply to this message
So I'm going to guess that no one here at Fort Dix got ahold of the private key to break either c or t, mainly due to no one I've ever talked to on staff from even computer services having more experience with computers than A+. Who in the BOP would even have access to the private keys, some dude in central who's trying to keep their ancient systems working and duct taping together shit like movie rentals into it? Just trying to be realistic here... not just anyone will have that info.

The guy who built the original cord was great at hardware, didn't know much more than how to reflash mp3s for software. If he was involved further it's most likely he was consulted on hardware only, and he had a great soldering kit.
👍
R
17:52
In reply to this message
BBS days sysop as well? 😆
JB
23:33
John Blaze
In reply to this message
28.8k on a good day dual POTS lines to hit up the BBS and mom trippin because the phone line was tied up 🤣🤣 those were the days.
R
23:45
Roscoe
In reply to this message
My sentiments exactly
23:46
Right now when I plug in an expired tablet to my phone, I get nothing. Just slow charging. Am I missing anything? Any confirmed tips on getting into BROM mode?
23:46
In reply to this message
This is a new C-to-C cable I'm using; perhaps it's charging only?
7 November 2025
T
00:22
Tony
Some C-to-C cables don't have the data lines connected, and thus are only good for charging. Also, if the tablet is in Safe Mode, it won't register the attached phone anyway, and will just charge it.
00:24
In reply to this message
Nobody in the BOP has the key used for signing tablet communications or filesystem images. Those are kept on ATG's servers. The only thing the BOP does is enable communication between the kiosks and those servers. The only part I'm not sure of is whether the ATG server at each institution keeps a copy of the communication key, or if it relays to a central server at ATG HQ.
D
00:40
Don
In reply to this message
yes. on 2400. xmodem and all that. these youngsters don't know the pain of waiting hours for a Pamela Anderson nudie and then somebody picks up the phone and kills your dl. 🤣
00:41
In reply to this message
there is a key server but i haven't ascertained where it is. likely it is local because otherwise a wan connectivity issue would stop revalidations
T
00:42
Tony
I haven't been somewhere with a verified WAN connectivity issue and tested validation. It may or may not work.
D
00:43
Don
tony you saw i gave you the bios password for the workstations
00:44
so you can boot from a thumb drive
R
00:50
Roscoe
I now have access to a Windows desktop with a very limited user account...and USB access 😁
00:51
Right now I'm trying to plan the best vector for privesc. Thinking WinPE, utilman.exe swap with cmd.exe (or something similar), then enable admin account or create a new one. But let me know if you have other thoughts or suggestions.
00:52
Right now it's not online so no worries about tripping any alarm cells with SIS
JS
02:59
John Smith
In reply to this message
We have the thin client Trulinks terminals in the units, they used to have an icon to click on the bottom left that would bring up a screen for admin password. There was an update last week and now that icon is gone. Would this password work on those terminals, and how would I get the password prompt to come up?
R
03:07
Roscoe
In reply to this message
No. It's the bios password you enter if you hit F12 or Del during boot. You can unplug and plug it back in if you want to try it.
JS
03:08
John Smith
In reply to this message
Ok I will try that thanks.
R
03:09
Roscoe
In reply to this message
It allows you to change the boot order so that it will check USB before the HD. And disable secure boot.
JB
03:30
John Blaze
In reply to this message
Yo don't go driving drunk.
If you weren't aware that was a bios PW ...
Really dude I'm not sure what your plan was but take your time ... Do your research.. and above all... Do NOT trigger something that will get you wrapped up by s.i.s.
👍
S
JS
03:32
John Smith
In reply to this message
Good looking out John, I'm doing my research for sure. Just checking to see what other people have done and are able to do.
T
03:32
Tony
In reply to this message
I am no longer inside, so I can't do this. Once I get to home confinement, I can do some work on making an app for Linux that can run in a thumb drive and exploit access to the ATG server to break the tablets.
TT
04:49
Terry Thompson V 2.0
In reply to this message
Or when we wanted faster and would shotgun 2 phone lines and 2 56k modems to 1 computer
04:50
Or overclock our processors and get the computer so hot it would shut down. I had 2 big fans blowing over a bowl of ice trying to keep socket 7 lol cpu cool
JS
17:38
John Smith
What would I need to have loaded on a thumb drive to be able to get a non network computer to boot from? What else should be on it before it comes into the spot? I have someone who could potentially get into a computer here. I need a specific list so if I can get one in here it will have everything ready to boot up and go.
R
21:31
Roscoe
In reply to this message
I'm about to undertake this exact task. So I'll let you know what works.
R
21:32
Roscoe
R
Roscoe 07.11.2025 00:50:10
I now have access to a Windows desktop with a very limited user account...and USB access 😁
21:32
Right now I'm trying to plan the best vector for privesc. Thinking WinPE, utilman.exe swap with cmd.exe (or something similar), then enable admin account or create a new one. But let me know if you have other thoughts or suggestions.
21:32
Right now it's not online so no worries about tripping any alarm cells with SIS
8 November 2025
TS
01:23
Tony Sparks
In reply to this message
What is possible on a limited user account? Can programs be installed and run?
R
01:30
Roscoe
In reply to this message
Not much. Nothing except what is expressly allowed. Which is basically nothing. Right now it mainly involves loading PDFs from USB. But I intend to bring some portable apps to test over the weekend. Word processor and PDF editor to start.
TS
01:36
Tony Sparks
In reply to this message
I see. Someone here suggested getting in a USB flash but if it doesn't allow us to even run programs I might tell him to hold off. For now. He's really just tryna get a PC to try stuff out. I suggested getting in a rooted phone but he's worried it won't be enough
C
01:45
C
In reply to this message
If this is the windows that they have in pretrial that allows discovery and restarts every few hours, I've found portable apps do work on those
R
02:22
Roscoe
In reply to this message
Run programs, yes. At least I think so. And I'm about to find out. Install programs, no.
02:23
Hence why I was talking about portable apps: ie, a version of an app made specifically to run just from the exe with no installation required
TW
03:00
The Wwwizard
Was anyone able to get into BROM mode with just key combos?
03:02
Suggestion as well, I want to see what people think

Another sub channel called FAQs that covers anything that has already been asked / covered before? As a quick reference

One for both tablets as well as MP3s
R
03:54
Roscoe
In reply to this message
No, not since the 7 (before the 7c), I believe. Or it's long since been patched.
S
14:12
Synonymous
In reply to this message
I've used it when it was based on win7. Grouppolicy was set to a whitelist. Just rename your app to notepad.exe

The reboot and wipe software can be uninstalled from the limited account. They denied read access to the program files folder in a later version
9 November 2025
TS
01:22
Tony Sparks
Ima just get a raspberry pi thrown in and use that, that way I don't have to worry about getting into their computers here. Getting into brom mode is the biggest obstacle for me here
Terry Thompson V 2.0 invited Georgio Armani
GA
12:58
Georgio Armani
In reply to this message
Do you still need this billie
Jp removed Jp
GA
18:27
Georgio Armani
In reply to this message
Yes I would like the termux script please
GA
20:15
Georgio Armani
In reply to this message
I'm ready to try this but my problem is I'm not as educated as everyone here and need to see pictures of the soldering points on the tablet's side. Is there anyone willing to assist me? I have a real soldering iron and both 2 gen and 3 gen mp3s to use, whichever one is best.
20:21
✨✨ Vejeeter✨✨
In reply to this message
Meaning it's time to change your occupation
10 November 2025
J
02:15
John
In reply to this message
Even better, she had an ironclad agreement with the company she defrauded (JP Morgan) that they had to pay her legal bills. So she and her codefendant went and hired 5 legal teams, to the tune of $115 million, that her victim has to pay. That's why she got such a lenient sentence, they pulled out all the stops.

https://nypost.com/2025/10/25/us-news/jpmorgan-tries-to-get-off-hook-for-115m-in-legal-bills-for-cons-who-scammed-them-out-of-175m/
S
02:17
Synonymous
I fixed the boot issue in slax, problem now is the latest build of slax someone forgot to add python to path

cd to usr/bin and run pip to download dependencies and pip can't find them.

ChatGPT had me update repository, and that somehow also started updating my whole slimmed down slax into full Debian with extra apps I don't want... Ran out of USB storage. Still don't have dependencies.

Making more room. Anyone else have a slax build with everything running?
R
02:23
Roscoe
In reply to this message
Remind me again what's the objective of running Slax?
S
02:28
Synonymous
To run mtkclient
R
03:42
Roscoe
I've already got it running in Termux. Is Slax something that runs on your phone?
TS
04:00
Tony Sparks
In reply to this message
Some guy here said an mp3 wouldn't be enough, you'd need a dedicated programmer
T
04:07
Tony
In reply to this message
Slax is for booting a kiosk in Linux and running mtkclient on that. It sidesteps the chance of locking the tablet. Also, if we can get Slax running, then it may also be possible to create a kiosk simulator to access the ATG server and unlock the tablets with no hardware modification.
R
04:09
Roscoe
In reply to this message
Gotcha, thanks.
GA
04:50
Georgio Armani
In reply to this message
What spot was that Bastrop pretty lenient but they check mps and tablets sometimes
GA
05:14
Georgio Armani
In reply to this message
Can you please get a picture to clarify
S
16:30
Synonymous
In reply to this message
Does not side step chance of locking tablet at all
17:50
Deleted Account
In reply to this message
Why go through all of that if you can just use RPi for MiM attack.
Unless u are in the situation that u can't get it
Jp joined group by link from Group
T
18:45
Tony
In reply to this message
Yes it does, because the tablet will always go into accessory mode when hooked to an actual desktop computer because of the way the cord is wired. It cannot get any information on the device it is connected to when it is in accessory mode.

It is only when two USB-C devices could both be master devices that the tablet asserts control and gets data from the other, which is forced into accessory mode. I have tested this.
18:48
In reply to this message
1) RPi is difficult for some guys to get. 2) A MiM attack is not possible in this context because of the way the tablet and kiosk encrypt communication, and the way the kiosk obtains the signature from the ATG server. I have reverse-engineered this myself and reviewed the code. A MiM cannot work.
19:05
Deleted Account
In reply to this message
1. Agree.
2. Don't agree. But because of the #1 I cannot produce a POC.
T
19:09
Tony
Okay, thinking about it more, it MIGHT be possible, if you can spoof the USB VID & PID of the RPi to look like a 7c, and you implemented a copy of edgejas to run on the RPi.
19:11
Gemini says VID & PID spoofing is possible, but not easy.
19:35
Deleted Account
In reply to this message
It's what rpi is made for. But its my opinion, not an AI. Again, can't do a POC so might be wrong.
C
19:37
C
Even if you could use an rpi in that way it seems more complicated than booting up into a special kiosk

Wouldn't you need access to the kiosk anyway with the rpi to get the signature? What's the advantage?
19:38
Deleted Account
In reply to this message
Yes, that's what MiM is. You are in the middle with a rpi.
It seems easier for me to imitate a communication process than the whole kiosk.
C
19:42
C
If you don't change the kiosk software then you wouldn't be able to sign the relevant commands just being MITM. I had a back and forth on this in the AI channel until I was convinced of this
C
19:42
C
D
D 03.10.2025 10:27:22
The tablet just forks over its identity data, and then validates the signature on the package after it comes back with the kiosk public key.
T
19:43
Tony
Well, since I already wrote a Kiosk emulation app for Android, I'm going to say that's much easier than writing MiM software that emulates a Kiosk from one side (to the tablet) and a tablet from the other (to the kiosk).
C
19:43
C
Do we know the actual endpoints that the kiosk calls to get the signature?
19:49
Deleted Account
In reply to this message
Yes, it's in the source code
R
19:57
Roscoe
19:57
19:59
My kingdom for BROM! Still trying to get definitive help on the right test pad(s) and sequencing.
TW
21:35
The Wwwizard
👍
HH
21:35
21:36
Apparently MTKClient is a suitable alternative for SP Flash Tool on the tablet based on some research
21:36
Has anyone been able to install MTKClient successfully through termux?
R
22:08
Roscoe
In reply to this message
Yes
TW
22:23
The Wwwizard
Via pip or the GitHub project?
22:23
Pip talks about needing an externally managed environment, but I've had issues installing it through venv

And the GitHub project gives me a dependency install issue
T
23:07
Tony
In reply to this message
Could you explain your research or what is shown here? This looks like mtkclient. Did you succeed in getting the tablet in BROM, or did mtkclient do it automatically?
TW
23:10
The Wwwizard
I did not get into BROM
That's my next step
23:11
This is a broken tablet that I have installed termux on and I wrote some scripts to perform an "autopsy" on what happened to it
23:11
In order to replicate on another tablet

I need guidance on setting up MTKClient correctly on this main tablet
23:12
So we can all get further on this project
GA
23:33
Georgio Armani
I have a way to get RPi...is there a certain one I need to get. Also is there anything else I should get sent that will help us
TW
23:48
The Wwwizard
I wonder if an otg cable with a resistor attached, being sent in, would be more help than the ones being attempted in here
11 November 2025
R
00:02
Roscoe
In reply to this message
Neither. It's homemade.
GA
00:09
Georgio Armani
In reply to this message
Do you guys have shu crank radios
00:09
In reply to this message
Do you mind sharing this with us
00:10
There is a 4.7 surface resistor on the crank radios that transfers data
R
00:29
Roscoe
In reply to this message
I'll probably distribute as soon as someone can get me into BROM mode 😁
👍
GA
TS
03:25
Tony Sparks
Getting these items in within the new couple of weeks
03:26
GA
04:46
Georgio Armani
Is this all's we need .. also has anyone ever plugged the tablet to the phone and been able to go into file transfer mode?
TW
15:56
The Wwwizard
Winlator doesn't support the drivers needed for mediatek devices through its emulation on android
R
16:11
Roscoe
In reply to this message
And unless you're rooted you aren't getting low level USB passthrough in the first place
👍
TW
GA
16:12
Georgio Armani
Wwwizard you told me not to get the raspberry pi zero right?
16:19
Deleted Account
In reply to this message
Why not?
GA
16:20
Georgio Armani
Idk I'm green so I'm asking around before I order... I'm determined and I have access to order shit so please tell me what I can get to help the cause.
16:21
In reply to this message
After seeing this I know it can be done so I'm gonna do whatever it takes
S
16:31
Synonymous
In reply to this message
Can you dump the partitions individually and upload them?
I'd start with boot and recovery
GA
16:47
Georgio Armani
That's an already broke tablet
D
17:21
D
I think he's asking for the portions from the jail broken one to see what they put on it
R
17:23
Roscoe
In reply to this message
Right, but he meant to ask @thewwwizard25 not @Georgiothegreat
TW
17:39
The Wwwizard
For a reliable and efficient flashing station, the best Raspberry Pi model depends on your goals: speed, compatibility, and power handling. Here's a breakdown of the top contenders:

---

🧠 Best Raspberry Pi Models for Flashing Station

| Model | Why It's Good for Flashing | Notes |
|--------------------|----------------------------|-------|
| Raspberry Pi 4B (4GB or 8GB) | ✅ Fast USB 3.0 ports<br>✅ Quad-core CPU<br>✅ Good RAM for multitasking | Ideal for MTKClient, ADB, fastboot, and logging |
| Raspberry Pi 5 | ✅ PCIe support<br>✅ USB 3.0<br>✅ Much faster CPU | Best performance, but newer and may need active cooling |
| Raspberry Pi 400 | ✅ Built-in keyboard<br>✅ USB 3.0<br>✅ Same SoC as Pi 4 | Great for desktop-style flashing setups |
| Raspberry Pi Zero 2 W | ⚠️ Lightweight, portable | Only for minimal flashing tasks; lacks USB 3.0 and horsepower |

---
GA
GA
19:39
Georgio Armani
So I'm thinking the 4b but if you all think something different then let me know
JB
22:44
John Blaze
In reply to this message
Have you examined the board for possible evidence of test pad shorting for brom mode ?
12 November 2025
HH
04:05
Halfredo Hernandez
In reply to this message
Has this tablet case been opened? And if so, as John blaze suggests, any evidence of test pad shorting? Curious if you could figure out which pads
TW
20:04
The Wwwizard
Has not been opened from the back
20:05
I need help setting up MTKClient on termux on the tablet, which has Magisk installed

So I can do some more research for us all

@theroscoefilburn
JB
21:48
John Blaze
In reply to this message
WOW 😳 really?
%100 for sure?
Damn... that's very interesting 🤔
Thank you.
TW
22:16
The Wwwizard
100% sure
22:16
Screws weren't tampered with

Board wasn't moved around

All tape is in the same place

No signs of soldering
👍
HH
JB
22:27
John Blaze
Okay thank you for double checking. That is a very interesting piece of information that I didn't expect to hear.
That means it's %100 software hax
13 November 2025
GA
01:02
Georgio Armani
I've been searching high and low for information and I'm hearing that a complete button press, volume up, down, and HW together sets it into brom
01:02
I also found the test point for Dot0 for the eMMC
01:03
It's going to be directly under the eMMC on the back side of the board
TW
01:21
The Wwwizard
In reply to this message
I was surprised too
T
02:14
Tony
In reply to this message
This worked on the original Score7, and the Score7c before it was patched. Now, it does not work on the 7c or the 7t.
02:17
In reply to this message
Unless you are very knowledgeable about low-level hardware, the Pi Zero W is probably not going to be what you want. Under the hood, it's not different from the 3B+, but it has NO CONNECTORS. If you want to attach anything (USB, keyboard, network, POWER) you have to either solder a connector on, or solder it directly to whatever accessory you're attaching.
GA
🙏
TW
TW
02:18
The Wwwizard
In reply to this message
Any idea if your guy was able to get MTKClient working in termux?
T
02:20
Tony
The 3B+ is the cheapest and least power hungry, and it will run anything the Pi 4 or 5 will. The only difference is if you're trying to run a full desktop, you need at least a Pi 4. If you want a desktop AND 1080p YouTube video playback, then you need a Pi 5. But mtkclient is so basic and will run from the command line.
TW
02:20
The Wwwizard
In reply to this message
Tony Stark said it best y'all
😁
T
02:21
GA
02:45
Georgio Armani
02:46
I found this 302 and 202 and ran like this should give me 5.2k let's see what happens
JB
02:48
John Blaze
In reply to this message
Okay
Just so ya know you're posting in the tablet section.
Ya should be in the mp3.
If ya need additional help ya can DM me
GA
02:52
Georgio Armani
Oops
02:53
Gotcha yea it's not working... I'm moving to mp3
HH
03:22
Halfredo Hernandez
In reply to this message
Wow, so apparently brom can be forced from host device. Maybe carbonara on a raspberry pi or something. What do you guys think
👍
GA
TW
03:24
The Wwwizard
Can someone give me the TLDR on carbonara
03:24
Is there a link I can learn more from?
HH
03:26
Halfredo Hernandez
Some news here, apparently someone else figured it out here. The lineage 17 0808 version test keys. I'm going to ask if the tablet needs to be opened. They are charging 1500 so no chance they share the method. I think it can't be super complex if multiple people are discovering how
03:27
And that being said, my opinion is that we should pledge to share the information should any of us figure it out. What do you guys think
👍
GA
03:29
Carbonara is a MediaTek exploit to force the chipset in the score 7t (mt8168) into brom mode
TW
03:30
The Wwwizard
I'm down for that
But I need help setting up MTKClient so I can make some more progress for us all, and the person who apparently knows how to set it up on termux is currently unwilling to tell me
03:53
He claims to have mtkclient on termux without root
03:54
Haven't tried it though
GA
05:21
Georgio Armani
Grok says it's easy to install but unless your phone is rooted you won't be able to pick up devices via USB otg
S
13:02
Synonymous
In reply to this message
A USB jig could do it, the paid cracking companies use them
16:23
Deleted Account
In reply to this message
This is interesting. Did the phrase "lineage 17 0807 test keys" come from them?
GA
21:50
Georgio Armani
21:51
Has anyone tried this
J
23:54
Jammer
Post the link
14 November 2025
GA
00:08
Georgio Armani
[NEWS] mtkclient to add Carbonara exploit support, enabling Bootloader Unlock/Root for modern (pre-2024) Dimensity SoCs! : r/androidroot
https://www.reddit.com/r/androidroot/comments/1nwfdwi/news_mtkclient_to_add_carbonara_exploit_support/
00:21
Scroll down to the comments
J
01:53
Jammer
How to install mtkclient in Termux

apt update

termux-setup-storage

pkg install git sudo android-tools python3 libusb

git clone --branch 1.52 https://github.com/bkerler/mtkcl...​

cd mtkclient

pip3 install setuptools

pip3 install -r requirements.txt

python3 setup.py build

python3 setup.py install

sudo python mtk

Mtkclient
Termux mtk
Flash termux
Flash android
Reinstall android
Termux mtkclient
Termux
MTK
Mediatek
UnlockBootloader
BypassFRP
Xiaomi
AndroidTools
TermuxTools
FlashingTools
CustomROM
FirmwareUpdate
TechTutorial
MobileRepair
GA
02:47
Georgio Armani
In reply to this message
Explain
J
03:26
Jammer
It's how to install mtk client
JS
04:40
John Smith
In reply to this message
The github link is not all there, it 404s.
git clone --branch 1.52 https://github.com/bkerler/mtkcl...
GA
04:56
Georgio Armani
In reply to this message
On Termux
J
07:22
John
Does anybody have the score 8 yet?
D
15:06
D
Not here
GA
15:47
Georgio Armani
Nope
17:47
That link loads
15 November 2025
A
03:41
Alan
I tried installing but got errors
JB
03:51
John Blaze
Copy the errors and paste it into Grok or whatever AI and usually it will point you to the dependencies and the fixes
J
03:52
John
Ok, so as far as existing tablets, my quick catch-up on all of this is that this lineage image might be able to be loaded onto the tablet, and then we'd have adb and can take it from there? Is that basically where we are at?
S
04:02
Synonymous
I came to a similar conclusion
T
04:02
Tony
It's not that simple. The Lineage image is fucking huge. Currently, the product, vendor, and system partitions are bundled in a super partition. No amount of trimming the Lineage partition (which accounts for the system partition only) gets it to fit into the space currently allocated for the super partition. And the drivers are in vendor, so I assume we need those too.

Because of where the super partition is currently located, this means we would have to shrink the user data partition and move the beginning of it further back, then move the cache partition back, and only then would a larger super/system partition fit.
04:05
In reply to this message
I used to have this same problem. But I think the branch 1.52 doesn't present the same dependency problems. I installed it, with dependencies, this evening.

Also, you have to specify the branch for mtkclient AFTER the repo.

git clone https://github.com/bkerler/mtkclient --branch 1.52
04:09
However, this gives us the base version of mtkclient (no Carbonara). Shomykohai's version with Carbonara seems to have different dependencies, however. After getting standard mtkclient installed in Termux, I then cloned into Shomykohai's version and got python errors.

AND, this doesn't fix the issue that mtkclient was written to use libusb, not Termux-USB. The xdaforum folks imply that this is not an issue, but I haven't been in a position to test it.
A
04:19
Alan
In reply to this message
Thanks, it installed with no errors this time
04:22
Now what's the best way to test this thing out? I have installed this on a jailbroken and already rooted tablet. I have another tablet that is not jailbroken here with me to test it
T
04:23
Tony
Don't forget, the xda forum said there were some extra steps:

Install termux-api apk from f-droid

Commands:

termux-usb -l
termux-usb -E -e "./termux-mtkclient/mtk.py r boot,vbmeta boot.img,vbmeta.img" -r /dev/bus/usb/001/002
S
04:37
Synonymous
In reply to this message
make a backup first, and upload these partitions

copy paste all this in termux

su -c dd if=/dev/block/by-name/seccfg of=/sdcard/Download/seccfg.img
su -c dd if=/dev/block/by-name/boot of=/sdcard/Download/boot.img
su -c dd if=/dev/block/by-name/recovery of=/sdcard/Download/recovery.img
su -c dd if=/dev/block/by-name/preloader of=/sdcard/Download/preloader.img
R
09:02
Roscoe
In reply to this message
I have mtkclient ready to go with Carbonara and termux-usb. I also have Penumbra gtg. Just need BROM.
09:14
J
09:31
John
ChatGPT says this about this issue:

No — Carbonara/exploit-based DA-auth bypasses do not let anyone install LineageOS or root an MT8168 device.
Anyone claiming otherwise is either:

misunderstanding the exploit class,

confusing DA auth-bypass with actual verified-boot bypass, or

outright lying/scamming.


And I can tell you exactly why.

And then it provided a lengthy, detailed explanation as to why, but here's the gist:

To boot any custom ROM like LineageOS, you need two things:

1. Ability to flash custom images to boot/recovery

2. Ability for the bootloader to accept and execute those images

Carbonara-style bypasses only give you #1, and even that is limited.

They absolutely do not give you #2.

So are we just spinning our wheels on this one?
09:32
"Without the OEM private keys, you cannot boot an unsigned kernel or recovery, no matter what you flashed.

Carbonara does not bypass LK or AVB."
T
13:55
Tony
In reply to this message
No, it does not bypass LK or AVB. What mtkclient does do, after having run a successful exploit like Carbonara, is have a separate function which unlocks the bootloader. This disables checking through the LK and AVB.

Unfortunately, LLMs don't understand everything about the topics they speak on. It depends on how much has been written about the topic in question, in relation to other functions of the larger topic. Carbonara is very new, and very little has been written about it to give the LLMs context for answering questions in an intelligent manner.

Never forget that LLMs are NOT thinking. They do not reason like humans do. They look like they are, but it has everything to do with the amount and quality of words and sentences that have been fed into them.
👍
J
D
GA
15:39
Georgio Armani
Tony, I'm getting this Pi in about a month. What are the chances that we can make significant progress with it?
D
16:39
D
Can anyone add @Tjfed2025
TW
18:34
The Wwwizard
18:34
MTKClient running on broken tablet
GA
18:41
Georgio Armani
In reply to this message
Yes!!! Progress... What's next
TW
18:42
The Wwwizard
Connecting to another tablet via otg and seeing if I can enumerate it and force it into BROM mode
J
18:44
Jammer
In reply to this message
Can u send direction please
TT
19:04
Terry Thompson V 2.0
In reply to this message
Will u vouch for him and he can send me his info
J
19:05
Jammer
In reply to this message
Is this a swap tablet?
TW
19:19
The Wwwizard
In reply to this message
Force it into BROM mode from the broken tablet?
19:20
I think you still need to get brom mode working from the other non broken tablet, before running anything via otg
TW
19:38
The Wwwizard
I'm assuming someone can confirm this theory ^
GA
22:02
Georgio Armani
In reply to this message
Well I'm thinking that you have to plug in the otg cable while either doing the button sequence or while shorting the board
S
22:50
Synonymous
Correct
16 November 2025
T
01:16
Tony
In reply to this message
Well, it would be way easier to run mtkclient+Carbonara on a Pi. It has full root access.
R
01:42
Roscoe
I never could get it into BROM or to enumerate at all over USB (running termux-usb -l continuously).
J
01:43
Jammer
I have full root on my device now
J
👍
R
01:45
Working on installing mtkclient now. If I get it to work I can try with root, but I'll need a walk thru, but my signal is in and out due to jammers
01:45
I'll have to find the Carbonara thing, don't have it yet
R
01:45
Roscoe
Congrats. Speaking of which, anyone know if it's possible to root a Galaxy A15 without a PC (or an already rooted phone)? Someone here has one that is FRP locked after a factory reset, and all of the tools I could find for FRP bypass require a PC.
J
01:46
Jammer
Nope, need a PC if it's done any software patches
D
03:32
Don
I don't think it is very easy to root any USA Galaxy
03:32
Halfredo Hernandez just DM'd me for an invite link to this on Reddit. Going to send it to him
03:36
Roscoe, if you're okay with that, DM me the invite link and I will DM it to him on Reddit
J
03:36
Jammer
Ok so because of new developments will be adding the installation of a few packages new to our toolset:

pkg install  python3 libusb-1.0-0 python3-pip

pip install pyusb pyserial json5

git clone https://github.com/bkerler/mtkclient

cd mtkclient
pip3 install -r requirements.txt
python3 setup.py build
python3 setup.py install
03:38
Am I missing something
R
03:38
Roscoe
libusb and pyusb aren't going to work on Termux. You'll keep getting errors about the backend.
TS
03:39
Tony Sparks
03:39
03:39
03:39
03:39
03:39
03:39
Getting these items next week
J
03:40
Jammer
Can you send direction on correct install
03:42
I have rooted device, cables, just need mtk so I can test
R
03:42
Roscoe
In reply to this message
My current intention is to share it as soon as one of us can get into BROM mode and share the method. We've had a couple people likely figure things out then bail on the group. I don't want to help anyone else do the same.

Plus, it's useless until we can get into BROM mode, so I don't think it's unreasonable.
D
03:42
Don
agreed.
03:43
Supposedly Wednesday I will get the USB drive and I can start working
TS
03:44
Tony Sparks
I'm hoping the uart will help with finding the test points for brom mode, one guy told me kcolo would be the test point but I'm not sure
D
03:45
Don
have a computer so if it works there I will let you know so we can figure out how to do it from a phone. BTW, the phone will have to be rooted, one hundred percent it will not work on non-root. Ever.
J
03:45
Jammer
So on securus tablets we use hexa flash and built by Bama and sul it achieves brom mode on securus only after initiating flash and shorting out the test pin
R
03:45
Roscoe
In reply to this message
Disagree.
D
03:46
Don
the wrapper won't open an fs in from mode. I found that out a couple years ago. I'm certain
03:46
fd in from autocorrect
03:47
brom
03:47
I couldn't even flash an mp3 without root
R
03:47
Roscoe
I tried every test point I could find, in front and back of the board, plugging in, powering on, every iteration of order and timing you can think of.

The whole time I was running this continuously:
while true; do termux-usb -l; sleep 0.5; done

No USB enumeration. Nada. Zip. Zilch.
J
03:48
Jammer
So question: how will you know if you have brom if you're not flashing something?
D
03:48
Don
in brom mode there is a magic number string sent over the usb
R
03:48
Roscoe
So I don't see how people expect to use mtkclient to crash DA to BROM if there's no enumeration in the first place
D
03:49
Don
I have a good article let me find it
03:49
termux USB works at too high of a level
R
03:49
Roscoe
You should see something pop up when you're running that command I just pasted.
D
03:49
Don
I couldn't even get an mp3 to work doing exactly what you're doing
03:50
termux USB is not carrier grade
R
03:50
Roscoe
And yet we flash mp3s now all the time...
D
03:50
Don
by writing to the SD card
03:50
not flashing firmware
03:50
over usb
R
03:50
Roscoe
Not the Gen2. It doesn't have an SD card internal.
03:50
Lol. False. It's definitely flashing the NAND.
TS
03:51
Tony Sparks
I'm trying it anyway, fuck it. If the stuff I get works we'll be ahead, if not then we won't be any worse off