Re: HiSense 65H6510G no boot

Thanks.

I have no idea is this emmc dump path is possible to repair the failed eMMC board. I tried varied MStar commands that seemed useful and made the following document.

• I'm guessing I properly dumped boot1 boot2 and user
• 512b of ECSD is retrievable
• RPMB requires knowing [addr] [size] [start block] and its an authenticated read so I'm assuming a write to new eMMC requires setting the authentication key

Re: HiSense 65H6510G no boot

eMMC and UFS memory chips have an access-protected section called RPMB (Replay Protect Memory Block).
In the UFS chip, the partition that performs the RPMB functions has the ID: W-LUN 0xC4.

How it works in more detail:

If the key (Key) is missing, then the device (processor) programs the key into the chip.
The key is generated from the SN of the processor and the CID of the eMMC, and thus the key is different for different processors and different eMMCs. Further work takes place in the same mode as with a programmed key. The programmed key cannot be changed.

If the key (Key) already exists, then, as a rule, the counter has a value greater than 0.
With a microcircuit that already has a key (16 bytes), the device (processor) can only work through data encoded by the key (Key) and the record counter (Counter).

Read mode: the device (processor) receives the counter value from eMMC, requests to read the data (in blocks of 256 bytes), receives the data encoded by the counter and key, decrypts it using the stored key and counter value, checks the validity of the data.

Write mode: The device (processor) receives the counter value from the eMMC, encodes the data using the key and the counter (in blocks of 256 bytes) and sends it to the chip. The chip decrypts them using the stored key and counter value, checks the validity of the data. If the data is valid, the block is written, and the value of the write counter (Counter) is increased by 1.
Thus, the value of the write counter (Counter) shows how many blocks of 256 bytes (or how many times) have been written to the RPMB area.

In order to write to the RPMB partition, you need to know the key that is stored in the chip (eMMC).

In order to read, you can try to apply a certain method of obtaining data. Although it is impossible to guarantee their validity, the experiments conducted by the Z3x Easy JTAG team show that data read in this way is valid in more than 90% of cases.

In the latest versions of the Z3x EasyJTAG Classic program (3.4.4.0 and higher), the output to the log of the RPMB area status line has been added (whether data has ever been written to it or not).

An example of a line in the program log:
EMMC RPMB is not yet programmed (clear) or NO Error
or
EMMC RPMB is programmed and written 12 times

At the same time, it is possible to read RPMB experimentally by selecting the RPMB partition (in the ROM selection combobox).
Important:
1) when writing Firmware to eMMC, the internal NAND memory of eMMC is re-initialized, with the key, counter and RPMB data being erased
2) there is no other way to remove a key from RPMB or change a counter other than incrementing the counter by writing data encoded with a valid key.

Re: HiSense 65H6510G no boot

Wow, thanks for the explanation @lotas! I worked in network content delivery systems before so am aware of the general security mechanisms (HW+SW keys and naturally evolved to put the most important keys inside most complex chip. iPhones have been inserting security inside various complex chips including LCD screen so mod chips can not be made). Your explanation of using SOC key, eMMC key, and access counter make sense to increase security. JTAG is also ultimate HW debugging tool for development and often used for break security

I guess SONY Android TVs can be repaired with pre-programmed eMMC sellers because SONY must not keep per device keys in eMMC? HiSense keeps it in eMMC and unfortunately when non secured area of eMMC break eMMC, then everything disappears

I guess probably to have all the tools and knowledge to repair this HiSense failed eMMC board is beyond most DIYers including me haha.

Re: HiSense 65H6510G no boot

BTW, the service manual method of recovery probably requires MS ISP hardware? I use generic USB UART and encounter the following

• MStar TV tool doesn't have Show DeviceID button. Without getting device ID, can't email MStar and get ID password (no idea if still get reply from email)
• MStar ISP tool doesn't launch at all (Win10) Cursor just spins and stops..

Anyway, even if these tools worked, still need to get mboot bin file and know how to load it to new eMMC. And still need to gather all the security keys from failed eMMC.

Seems to need many detailed special knowledge to actually save this main board...

Re: HiSense 65H6510G no boot

Searched for Android TV RPMB and found this post. SONY Android TV with dying eMMC. Poster recovered most of eMMC but not RPMB. Lost Netflix, Chromecast etc after writing data on new eMMC

https://forum.xda-developers.com/t/s.../post-86106623
https://forum.xda-developers.com/t/s.../post-86206099

I guess RPMB recovery is the most challenging even if eMMC isn't completely dead. But losing Netflix/Chromecast or even all smart apps is okay as new Fire/Roku stick is much faster anyways. However, losing HDCP would be the biggest problem. The preprogrammed eMMC seller in post 82 ( link ) said HDCP/Netflix/HBO Max etc. will be lost without original eMMC. Does any know if HDCP will work if skip flashing RPMB?

This kind of tool ( https://unlocktool.net/ ) exist for smartphones to backup RPMB and write it to eMMC. I guess it must know? can read? can change the SOC's key+counter to read and write to new eMMC RPMB region.

Re: HiSense 65H6510G no boot

I guess eMMC wear could be from aggressive streaming app buffering. When turn on HiSense Android TV, it will show streaming app video quickly. This requires prefetching the video content and store locally on TV. If this is written to eMMC rather than DDR, then this can be a source of wearing out eMMC.

This is just a guess, maybe the best usage mode is to turn off network (and maybe delete as many smart apps as possible?) and exclusively run smart feature via external smart device such as fire/roku stick.

Re: HiSense 65H6510G no boot

streaming last will be most on DDR and Soc.
the key i was talking on its about the firmware extractor. not license keys. dtump/ write eMMC will take care on them 1 to 1.
but to tell the truth.. i still don't think yours emmc dead since we have sandwich boards .. every things possible.

Re: HiSense 65H6510G no boot

Yes, good point. I guess to 100% confirm require ext ISP to read eMMC without powering on main. I'll try acquire and try.

Re: HiSense 65H6510G no boot

USB to TTL are fixed baudrate.. you need to connect with TTL end another adapter such serial to TTL. 1-2$ this adapter will response to any request of changing the rate as reguested... then TTL will remain work with out error... i did explain this before. each section Soc request other rate of data transfer... this the function of the ISP

Re: HiSense 65H6510G no boot

Unfortunately I don't understand this idea at all. re-read post #101 to #107 including @lotas's comments and unfortunately don't understand

My understanding to read eMMC on main board without powering on main is to use external ISP or USB SD Card reader. Connect VCC, GND, D0, CMD, CLK and access eMMC in 1 bit mode. This video ( link ) provide detail steps. Poster took careful step to cut eMMC 1.8v 3.3v line from main board rails for board protection and drove 1.8v line with 3.3v from ISP/SD Card Reader.

If there is someway to connect PL2303 and CH340G to eMMC without power on main board. Please explain where RXD, TXD, 3.3V, and GND should be soldered to on eMMC. I also don't understand what you mean by "log" What do we do to get the log without powered on main?

Re: HiSense 65H6510G no boot

my last post#129 wasn't about to write eMMC as you planed in off mode.. because you can read too i mentioned the Soc baudrate request.. its explain on my thought i wrote at post
so you can write firmware on it in power mode. and there many succeed with Mstar Soc listed on xda developer portal.

Re: HiSense 65H6510G no boot

Found more documentation and combining with @lotas's RPMB explanation in post #122. I think this is general process to repair failed eMMC

boot1 and mboot both contain device specific keys

Found guides that outline how to produce production firmware from existing eMMC. It says need to use original boot1 and mboot as any boot1/mboot copied from existing eMMC has device specific key

link1 link2 link3

Based on @lotas's explanation in post #122. Device specific key is combination of SOC ID (often implemented by blowing tiny fuses on chip called efuse) and eMMC ID. This means if eMMC is changed, keys need to be recalculated.

Likely Process

1. dump boot1 and eMMC user area
2. dump RPMB keys
3. maybe extract keys from boot1?
4. flash original boot1 to new eMMC
5. flash eMMC - mboot + original mboot to new eMMC
6. boot board with new eMMC
7. write device key to eMMC
8. write dumped RPMB keys to RPMB

So far, I achieved only #1 haha. #2 require knowledge of how to use MStar mmc rpmb read commands (I tried and don't have detailed understanding of command arguments)

Anyway, continuing learning.

Here is updated MStar command guide link

====

Also maybe eMMC access has failed due to some component failure on board. Will check around eMMC and compare working and failed board to see if any difference.

Re: HiSense 65H6510G no boot

Hi, I have the same model of Hisense TV and had the similar symptoms. I've seen every posts in this thread and seems like emmc is a problematic part and it's very hard to replace it. I'm wondering if we could fix it differently to make the TV working as a normal diaplay only, then we could connect it to a streaming tv box. And are there any tips to purchase a new TV without having to worry this emmc problem? I dont think the TV sellers could tell if the Tv has emmc or not.

Re: HiSense 65H6510G no boot

I think best repair is still replace mainboard at reasonable price. Need to register for notification and act fast on following 2 sources when they appear.

• ~$70 per post #112
• ~$30 from ebay seller goodpointrecycling (save a search for this board and notification)

Boards come up every 2-3 weeks so far.

Looked into closely related Roku model equivalent by HiSense in post #65 but wasn't able to secure one to compare t-con output to see if compatible (also need wifi module+cable as they are different)

https://www.badcaps.net/forum/showpo...5&postcount=65

I think to just turn it into display without smart features is fine but probably will at least need HDCP keys.

Every smart TV use eMMC since ~mid 2010s and most run fine. Main eMMC failures I read about are all Android TVs by HiSense, SONY etc. Don't know if newer versions of Android TV OS is better... I guess won't know until a few years. But modern TVs do fail so fast from variety of reasons.. Samsung LCD panel failure. LED backlight on all cheaper brands. At least latest ones aren't dying of thermal cycle breakage of main SOC solder balls anymore.

Finally I'm in Sammamish if you are in Redmond, WA. Have the service port dongle to confirm eMMC failure.

Re: HiSense 65H6510G no boot

hi, any progress in this? do you have find any firmware for these model?

Re: HiSense 65H6510G no boot

HiSense website does provide download of USB upgrade firmware. However, if you have eMMC failure, need to locate/recover a bunch of stuff that HiSense doesn't provide. Read starting post #119

Replacement board availability is challenging in US. Maybe almost impossible in other countries

Re: HiSense 65H6510G no boot

just an idea...
since its android ....how about we use SDCARD and let the firmware from hisense on it and we add on the root of the SD script with extension .pkg to drive the Soc to the other firmware location on SD !!!

or we inject on SD recovery for the Soc from other brand.

Re: HiSense 65H6510G no boot

Seems it's tough to get a replacment main board of the same model. The main board for this model is out of stock everywhere and I don't want to order from OEM which is too expensive. Is it possible to replace the main board with another Hisense TV model which had the same screen size? It's ok that some functions are not working, but at least the display can power on and I can stream from a TV box.

Re: HiSense 65H6510G no boot

I posted the answer in post #134. 65R6G is close but I didn't get one in hand to confirm t-con signals match. Wifi flex + board is also different so will need to get that.

Most cost effective solution is what I posted in #134. Need to save search on ebay and register for stock availability on TVPartsToday (setup your account + credit card, boards will disappear within an hour after becoming available. Lots of people have registered for notification)

Re: HiSense 65H6510G no boot

Hello, I have read the emmc of a Hisense H65B7300 that works well and I have transferred it to another TV H65B7300 in which the emmc had reached the end of its useful life, I have used a new emmc but I can never get it to come out of Standby, What could be the problem?