Re: HiSense 65H6510G no boot

USB to TTL are fixed baudrate.. you need to connect with TTL end another adapter such serial to TTL. 1-2$ this adapter will response to any request of changing the rate as reguested... then TTL will remain work with out error... i did explain this before. each section Soc request other rate of data transfer... this the function of the ISP

Re: HiSense 65H6510G no boot

Yes, good point. I guess to 100% confirm require ext ISP to read eMMC without powering on main. I'll try acquire and try.

Re: HiSense 65H6510G no boot

streaming last will be most on DDR and Soc.
the key i was talking on its about the firmware extractor. not license keys. dtump/ write eMMC will take care on them 1 to 1.
but to tell the truth.. i still don't think yours emmc dead since we have sandwich boards .. every things possible.

Re: HiSense 65H6510G no boot

I guess eMMC wear could be from aggressive streaming app buffering. When turn on HiSense Android TV, it will show streaming app video quickly. This requires prefetching the video content and store locally on TV. If this is written to eMMC rather than DDR, then this can be a source of wearing out eMMC.

This is just a guess, maybe the best usage mode is to turn off network (and maybe delete as many smart apps as possible?) and exclusively run smart feature via external smart device such as fire/roku stick.

Re: HiSense 65H6510G no boot

Searched for Android TV RPMB and found this post. SONY Android TV with dying eMMC. Poster recovered most of eMMC but not RPMB. Lost Netflix, Chromecast etc after writing data on new eMMC

https://forum.xda-developers.com/t/s.../post-86106623
https://forum.xda-developers.com/t/s.../post-86206099

I guess RPMB recovery is the most challenging even if eMMC isn't completely dead. But losing Netflix/Chromecast or even all smart apps is okay as new Fire/Roku stick is much faster anyways. However, losing HDCP would be the biggest problem. The preprogrammed eMMC seller in post 82 ( link ) said HDCP/Netflix/HBO Max etc. will be lost without original eMMC. Does any know if HDCP will work if skip flashing RPMB?

This kind of tool ( https://unlocktool.net/ ) exist for smartphones to backup RPMB and write it to eMMC. I guess it must know? can read? can change the SOC's key+counter to read and write to new eMMC RPMB region.

Re: HiSense 65H6510G no boot

BTW, the service manual method of recovery probably requires MS ISP hardware? I use generic USB UART and encounter the following

• MStar TV tool doesn't have Show DeviceID button. Without getting device ID, can't email MStar and get ID password (no idea if still get reply from email)
• MStar ISP tool doesn't launch at all (Win10) Cursor just spins and stops..

Anyway, even if these tools worked, still need to get mboot bin file and know how to load it to new eMMC. And still need to gather all the security keys from failed eMMC.

Seems to need many detailed special knowledge to actually save this main board...

Re: HiSense 65H6510G no boot

Wow, thanks for the explanation @lotas! I worked in network content delivery systems before so am aware of the general security mechanisms (HW+SW keys and naturally evolved to put the most important keys inside most complex chip. iPhones have been inserting security inside various complex chips including LCD screen so mod chips can not be made). Your explanation of using SOC key, eMMC key, and access counter make sense to increase security. JTAG is also ultimate HW debugging tool for development and often used for break security

I guess SONY Android TVs can be repaired with pre-programmed eMMC sellers because SONY must not keep per device keys in eMMC? HiSense keeps it in eMMC and unfortunately when non secured area of eMMC break eMMC, then everything disappears

I guess probably to have all the tools and knowledge to repair this HiSense failed eMMC board is beyond most DIYers including me haha.

Re: HiSense 65H6510G no boot

eMMC and UFS memory chips have an access-protected section called RPMB (Replay Protect Memory Block).
In the UFS chip, the partition that performs the RPMB functions has the ID: W-LUN 0xC4.

How it works in more detail:

If the key (Key) is missing, then the device (processor) programs the key into the chip.
The key is generated from the SN of the processor and the CID of the eMMC, and thus the key is different for different processors and different eMMCs. Further work takes place in the same mode as with a programmed key. The programmed key cannot be changed.

If the key (Key) already exists, then, as a rule, the counter has a value greater than 0.
With a microcircuit that already has a key (16 bytes), the device (processor) can only work through data encoded by the key (Key) and the record counter (Counter).

Read mode: the device (processor) receives the counter value from eMMC, requests to read the data (in blocks of 256 bytes), receives the data encoded by the counter and key, decrypts it using the stored key and counter value, checks the validity of the data.

Write mode: The device (processor) receives the counter value from the eMMC, encodes the data using the key and the counter (in blocks of 256 bytes) and sends it to the chip. The chip decrypts them using the stored key and counter value, checks the validity of the data. If the data is valid, the block is written, and the value of the write counter (Counter) is increased by 1.
Thus, the value of the write counter (Counter) shows how many blocks of 256 bytes (or how many times) have been written to the RPMB area.

In order to write to the RPMB partition, you need to know the key that is stored in the chip (eMMC).

In order to read, you can try to apply a certain method of obtaining data. Although it is impossible to guarantee their validity, the experiments conducted by the Z3x Easy JTAG team show that data read in this way is valid in more than 90% of cases.

In the latest versions of the Z3x EasyJTAG Classic program (3.4.4.0 and higher), the output to the log of the RPMB area status line has been added (whether data has ever been written to it or not).

An example of a line in the program log:
EMMC RPMB is not yet programmed (clear) or NO Error
or
EMMC RPMB is programmed and written 12 times

At the same time, it is possible to read RPMB experimentally by selecting the RPMB partition (in the ROM selection combobox).
Important:
1) when writing Firmware to eMMC, the internal NAND memory of eMMC is re-initialized, with the key, counter and RPMB data being erased
2) there is no other way to remove a key from RPMB or change a counter other than incrementing the counter by writing data encoded with a valid key.

Re: HiSense 65H6510G no boot

Thanks.

I have no idea is this emmc dump path is possible to repair the failed eMMC board. I tried varied MStar commands that seemed useful and made the following document.

• I'm guessing I properly dumped boot1 boot2 and user
• 512b of ECSD is retrievable
• RPMB requires knowing [addr] [size] [start block] and its an authenticated read so I'm assuming a write to new eMMC requires setting the authentication key

Re: HiSense 65H6510G no boot

there are tool to read the Mstar firmware extractor key... hope i could find it on my pc..... 2 time i had format it lol

Re: HiSense 65H6510G no boot

MSTAR console provide an easy command to dump boot1/boot2/emmc (I presume emmc is eMMC's user partition) bin files to USB stick. I retrieved all 3 bin files from a good main board.

boot1.bin 12.6MB
boot2.bin 12.6MB
emmc.bin 3.52GB (took like 20min+ to dump to USB stick)

- I think uboot is in boot1 but mboot is probably in user area? (needs kernel + device tree to perform the many MSTAR console features)
- Are the various security keys in boot1/boot2?
- What about RPMB ( Replay Protected Memory Block ) partition on eMMC? Surely some streaming security stuff are in here? How to read this?
- What about ECSD (Extended Card Specific Data) register? Looks like ECSD provide info on how to parse eMMC
- If boot1/boot2/user partition of failed eMMC board can be read (will take awhile to dump user, will the failed eMMC need to be frozen this whole time?) Is it possible to just copy to new eMMC, boot mboot then follow USB firmware update procedure?

Here is a quick review of eMMC partitions ( link ) p6-7 gives good overview of what is stored where

Attached is the complete MSTAR console command list

====

Placing per device data in eMMC seems like a problem from cost cutting. Its best to put per device data like keys in more durable storage. Probably the sellers of preprogrammed eMMC can only provide for boards that avoided this cost cutting problem.

Re: HiSense 65H6510G no boot

Probably giving up trying to repair failed eMMC on main board. Require some tool investment and unknown outcome on this failed eMMC (doesn't read at all) But want to ask a couple of questions before surrendering

I think there are 3 ways to read eMMC data

MSTAR ISP Tool

I run version 5.0.8 provided by @lotus in post #76 on Win10. exe file doesn't launch. Downloaded other versions of MSTAR ISP Tool and same result (doesn't launch). I guess the tool probably require MSTAR burner programmer? ( aliexpress link ) and will not work with generic USB to UART dongles?

ISP Programmer

solder CMD/D0/GND/CLK with sufficient current 3.3v current. Alternative to use programming boxes like RT809H (although removing failed eMMC with heat probably will kill the data access)

telnet/ftp

This is a favorite method of modder community ( link ) to modding files on eMMC. But these surely are limited to files rather than mboot partition dump?

====

If any path works on a good HiSense MSD6886 main board (practice), then can try to freeze failed main board eMMC and see if can dump data with unknown success. Failed eMMC doesn't read at all and not sure how long it takes to dump mboot and if need to froze during the entire data dump process ( practice on good eMMC first to avoid delays is probably good idea )

Dumping and using eMMC data from other main boards seems like it will encounter security key problem and lose many main board feature.

Anyway, given the tool investment, no much well published steps ( need to practice on good main/eMMC ) and unknown success results. Probably have to give up

Re: HiSense 65H6510G no boot

Some interesting info on eMMC health of 2 HiSense Android TVs with same MSD6886 SOC

75H6570G appears to be original main board

- Runtime is ~480 days or 11,500 hours
- 1/84 LED failed (followed by backlight replacement)
- UART log shows following eMMC health

eMMC: HS400 5.1 200MHz
eMMC 7.28 GB
ecsd 267:0x01 msg:eMMC pre_eol_info normal
ecsd 268:0x01 msg:eMMC SLC mmc type 0%%-10%% device life time used
ecsd 269:0x01 msg:eMMC MLC mmc type 0%%-10%% device life time used

65H6510G with replacement main (likely repaired with new eMMC)

- Original failed eMMC main board mainly used with firetv for smart/streaming feature (owner provided info)
- Runtime is ~4 days on replacement board
- UART log shows following eMMC health

eMMC: HS400 5.1 200MHz
eMMC eMMC 7.28 GB
ecsd 267:0x01 msg:eMMC pre_eol_info normal
ecsd 268:0x01 msg:eMMC SLC mmc type 0%%-10%% device life time used
ecsd 269:0x01 msg:eMMC MLC mmc type 0%%-10%% device life time used

Summary

11k+ hour eMMC has same health as 4 days eMMC (<10% wear). Both shows kernel and security patch in 2021. Maybe flash memory write cycle isn't what is killing these eMMCs... Maybe the firmware has a poor code section accessing eMMC during power interruption? Maybe the preventive solution is an UPS (Uninterruptible Power Supply)? It seems many failure cases involves power outage shortly before failure.

Re: HiSense 65H6510G no boot

Ok thx, I connected LAN and got new MAC instead of dummy as you said

Re: HiSense 65H6510G no boot

Android LAN MAC are dummy fixed by writing it key... LAN mac will take action only if there are LAN connected and an IP assigned to it..... other wise the Android will listed only WIFI MAC as it fixed in CHIP of the module.

Re: HiSense 65H6510G no boot

Thanks for the .bin info. I'll research how to use my UART to USB dongle to dump eMMC data+files and see what I can retrieve/parse.

The LAN MAC address remained same on every reboot AND a reset. You provided interesting hint. Maybe also need to also find original eMMC LAN MAC and program into new eMMC? But I guess maybe not so important if most people use wifi?

Re: HiSense 65H6510G no boot

i mixed by my answer on other plat forum... both are Android.. the keys are not as i wrote before... they are .bin file burned and placed at the keys section at first of bootloader...

you just check if the replacement MB since no SN. if it had fixed LAN MAC address. or it change the MAC at each boot

Re: HiSense 65H6510G no boot

Resurrecting this tread on a dead eMMC...

TV fixed with replacement board

Bought a main board from TVPartsToday for $52+$17 ship and TV booted up working. These boards are rare (Seems most Android TV boards are rare and expensive). Probably something about these Android (version 9) TVs thats killing the eMMC.

The purchased TV board may have eMMC replaced? (SN = 000000000000000) see pic

Comparing KEYs

Just repaired a HiSense 75H6570G with failed backlight. Both TVs are the same MSD6886 SOC/Chassis and generally similar main board design. Compared the KEYs between the 75 and the repaired 65 with replaced main board.

- Widevine, HDCP1.4, HDCP2.2, Attestation keys are all *.bin (Is this the key or actual key in a bin file in firmware?)
- What is MGK?
- Widevine, HDCP1.4, HDCP2.2, Attestation, MGK, and Netflix are all different between the 2 TVs
- Only key that is same is playstore key ( playready30 )
- Are there other keys I should retrieve/compare?
- Firmware version (listed in USA his eng) are identical to hisense support website firmware downloads file names (after entering SN) for both TVs

Like to Repair the eMMC of the failed board

Since I have working replacement main board. Like to repair the failed eMMC board if possible. Are these the basic steps?

- Freeze failed eMMC (or ISP) to recovery keys if possible
- Extract mboot from good board and program failed board with new eMMC (ISP with sufficient 3.3v current after soldering okay?)?
- Service manual does have a section on TV board without mboot (p38) but doesn't tell what to do other than remove UART connection. I doubt can install USB firmware without mboot.
- USB update firmware after mboot installed
- Reinstall keys

Is this understanding correct? Since my replacement board has no SN, it might be repaired so it seems repair process is possible if know the recipe.

Pics

Blocked out a few digits on the keys for security. But everything except Playstore key is different. I don't know if just because different TVs. Maybe the same models are the same keys? Can anyone confirm?

65H6510G Replacement Main Board



75H6570G Original Main Board

Re: HiSense 65H6510G no boot

Thanks for the link. Mine doesn't get that far due to likely failed eMMC.

However, this is a newer MT9602 service manual from 2021. Mine on post #1 is MSD6886 (my SOC) from 2018. So its useful to compare the two (looks very similar if not identical)

Re: HiSense 65H6510G no boot

I'm out of my depth here...could this info help in any way?

https://cdn.badcaps-static.com/pdfs/...cfd645b8af.pdf