LeapFrog Epic: Difference between revisions

(9 intermediate revisions by the same user not shown)

Line 8:

*Display: 7-inch capacitive touchscreen with TN LCD display

*Resolution: 1024x600

*Operating System: Android 4.4.2 "KitKat" (MT8127 models); Android 10 (Rockchip models)

*Operating System:

*Processor: Quad-core, 1.3 GHz MediaTek MT8127~~; later~~ LeapPad Academy SKUs replace it with a 1.5 GHz Rockchip RK3326

** Android 4.4.2 "KitKat" (MT8127 models)

** Android 10 (Rockchip models; the Rockchip variant can also boot generic system images up to Android 14)

*Processor:

** Quad-core, 1.3 GHz MediaTek MT8127

** Later (2021) LeapPad Academy SKUs replace it with a 1.5 GHz Rockchip RK3326

*Memory: 1GB RAM

*Storage: 16GB; ~9GB available for /sdcard partition

Line 78:

Line 82:

====LeapPad Academy (second-generation)====

* [https://archive.org/details/leapfrog-epicv4-firmware Internet Archive page]

* [https://www.androidfilehost.com/?fid=9180008750105244111 EPIC4.user.1.7.2109.312280833] ([https://drive.google.com/file/d/13TB0eCUFWSyyq5E0nM4RVBH9hpMxQ2XI/view Google Drive mirror])

* [https://archive.org/details/leapfrog-epicv4-firmware_MIPI EPIC4.user.2.6.2196.402290923 (MIPI variant)]

===Demo to retail conversion===

Line 84:

Line 90:

===Google Apps and root===

*[https://www.youtube.com/watch?v=56XdXJbFbjQ Install TWRP, Google Play and SuperSU root on your LeapFrog Epic]

*The original MT8127 Epic/LeapPad Academy firmware is vulnerable to the [[wikipedia:Dirty COW|Dirty COW]] exploit where a temporary root shell can be obtained via ADB.

*The Rockchip RK3326 revision LeapPad Academy on the other hand can be rooted by patching the boot image using Magisk, but doing so breaks wireless functionality at least with the latest version. Ditto with the MT8127 version, but in that case the real-time clock seems to be a little sketchy with Magisk enabled, not to mention that they may no longer have support for early Android versions at the time of this writing.

===Useful apps===

Line 100:

Line 108:

LeapFrog also [https://fccid.io/G2R-6022 quietly released a hardware revision] of the Epic circa 2021, replacing the MT8127 with a Rockchip RK3326. While this allowed LeapFrog to upgrade the included operating system to Android 10, it also means that the change in hardware rendered most hacks designed for the original Epic obsolete.

VTech ~~did their homework with~~ the device ~~and locked out most if not all entry points for hacking,~~ such as ADB and development settings~~. Bizarrely enough they also dropped Bluetooth~~, ~~replacing the wireless module with an obscure AltoBeam ATBM6011 wireless LAN controller. Ripping the firmware may also prove to~~ be ~~a challenge as the uboot binary that came with~~ the device ~~came~~ with ~~a deterrent which corrupts~~ the ~~dumped images past~~ a ~~certain point. To be fair this is hardly even unique to LeapFrog~~ as ~~the implementation by Rockchip themselves~~ [https://~~gitlab.com/pgwipeout/u-boot-rockchip/-/blob/1b01cf5590f8d0b2270ffff5a656e38c5e3930ee/cmd/rockusb~~.~~c#L28 has this] until the [https://gitlab~~.com/~~pgwipeout/u-boot-rockchip/-/blob~~/~~6336d2324985831ed766031f91d410d0e587dbc8~~/~~cmd/rockusb~~.~~c latest commit~~]. ~~It may be possible to patch out the offending instructions from the uboot binary~~, ~~though flashing it back to~~ the ~~device can be a pain as you may or may not end up~~ with a brick. Fortunately, it is possible to unbrick the LeapPad by forcing it to run in MASKROM mode through shorting two conveniently-located test points on the logic board just beside the eMMC chip; this however assumes that you have a ROM backup at hand.

VTech more or less nerfed the device by disabling features such as ADB and development settings, though USB debugging can be restored by temporarily rooting the device by patching boot.img with Magisk and editing the ADB setting using a settings database editor such as [https://play.google.com/store/apps/details?id=by4a.setedit22&hl=en&gl=US SetEdit]. Bizarrely enough they also dropped Bluetooth, replacing the wireless module with an obscure AltoBeam ATBM6011 wireless LAN controller.

It is also ~~apparently~~ possible to boot from an SD card with a firmware image flashed onto it. Performance with such a setup would be unsurprisingly bad compared to a ROM flashed into internal storage, but it should be fine for testing if the firmware dump works fine or for recovering from a bricked tablet.

Ripping the firmware also used to be a challenge due to the uboot binary coded with a deterrent which corrupts the dumped images past a certain point. To be fair this is hardly even unique to LeapFrog as the implementation by Rockchip themselves [https://gitlab.com/pgwipeout/u-boot-rockchip/-/blob/1b01cf5590f8d0b2270ffff5a656e38c5e3930ee/cmd/rockusb.c#L28 has this] until the [https://gitlab.com/pgwipeout/u-boot-rockchip/-/blob/6336d2324985831ed766031f91d410d0e587dbc8/cmd/rockusb.c latest commit]. However, an update to RedScorpio's [https://xdaforums.com/t/tool-imgrepackerrk-rockchips-firmware-images-unpacker-packer.2257331/post-89464941 imgRePackerRK] tool now made it possible to patch the stock uboot and enable firmware dumping.

In case of a brick, it is possible to unbrick the LeapPad by forcing it to run in MASKROM mode through shorting two conveniently-located test points on the logic board just beside the eMMC chip, though it may also be rather fiddly to pull off; a small reset switch may be soldered onto the testpoints like those generic TV boxes running off similar Rockchip hardware.

It is also (theoretically) possible to boot from an SD card with a firmware image flashed onto it. Performance with such a setup would be unsurprisingly bad compared to a ROM flashed into internal storage, but it should be fine for testing if the firmware dump works fine or for recovering from a bricked tablet.

As the second-gen LeapPad Academy supports Project Treble, generic system images (GSIs) are bootable even up to [https://www.youtube.com/watch?v=UWrepWibbtc Android 14], though performance and battery life ''will'' suffer with it; earlier versions such as 10 and 11 should run with fewer issues.

There are also two sub-variants of the EPICv4, with internal and firmware differences that are subtle on the surface but are still enough that firmware for each other isn't cross-compatible. Firmware for the non-MIPI variant bear the <tt>EPIC4.user.1.x.xxxx.xxxxxxxxx</tt> build number, while those on the MIPI variant use <tt>EPIC4.user.2.x.xxxx.xxxxxxxxx</tt> builds. Apparently the display module and driver on the MIPI version is different compared to the non-MIPI units as round objects appear more elongated on the latter due to the display using non-square pixels to force a "16:9" ratio, similar to countless discount Android tablets.

====Gallery====

Line 108:

Line 124:

File:RK3326 LeapPad.jpg|The LeapPad in action.

File:RK3326 LeapPad internals.jpg|Internals

File:LeapPad Academy Treble compatibility.jpg|~~Good luck trying~~ to ~~boot a GSI on it tho.~~

File:LeapPad Academy Treble compatibility.jpg|Yup, GSIs should now work on this one, though a dedicated custom ROM would be ideal due to some software issues

File:ATBM 6011.jpg|AltoBeam ATBM6011 wireless LAN module

File:RK3326 LeapPad MASKROM testpoints.jpg|Short those two pins beside the eMMC chip to boot into MASKROM mode.

@@ Line 8: / Line 8: @@
 *Display: 7-inch capacitive touchscreen with TN LCD display
 *Resolution: 1024x600
-*Operating System: Android 4.4.2 "KitKat" (MT8127 models); Android 10 (Rockchip models)
+*Operating System:
-*Processor: Quad-core, 1.3 GHz MediaTek MT8127; later LeapPad Academy SKUs replace it with a 1.5 GHz Rockchip RK3326
+** Android 4.4.2 "KitKat" (MT8127 models)
+** Android 10 (Rockchip models; the Rockchip variant can also boot generic system images up to Android 14)
+*Processor:
+** Quad-core, 1.3 GHz MediaTek MT8127
+** Later (2021) LeapPad Academy SKUs replace it with a 1.5 GHz Rockchip RK3326
 *Memory: 1GB RAM
 *Storage: 16GB; ~9GB available for /sdcard partition
@@ Line 78: / Line 82: @@
 ====LeapPad Academy (second-generation)====
 * [https://archive.org/details/leapfrog-epicv4-firmware Internet Archive page]
+* [https://www.androidfilehost.com/?fid=9180008750105244111 EPIC4.user.1.7.2109.312280833] ([https://drive.google.com/file/d/13TB0eCUFWSyyq5E0nM4RVBH9hpMxQ2XI/view Google Drive mirror])
+* [https://archive.org/details/leapfrog-epicv4-firmware_MIPI EPIC4.user.2.6.2196.402290923 (MIPI variant)]
 ===Demo to retail conversion===
@@ Line 84: / Line 90: @@
 ===Google Apps and root===
 *[https://www.youtube.com/watch?v=56XdXJbFbjQ Install TWRP, Google Play and SuperSU root on your LeapFrog Epic]
+*The original MT8127 Epic/LeapPad Academy firmware is vulnerable to the [[wikipedia:Dirty COW|Dirty COW]] exploit where a temporary root shell can be obtained via ADB.
+*The Rockchip RK3326 revision LeapPad Academy on the other hand can be rooted by patching the boot image using Magisk, but doing so breaks wireless functionality at least with the latest version. Ditto with the MT8127 version, but in that case the real-time clock seems to be a little sketchy with Magisk enabled, not to mention that they may no longer have support for early Android versions at the time of this writing.
 ===Useful apps===
@@ Line 100: / Line 108: @@
 LeapFrog also [https://fccid.io/G2R-6022 quietly released a hardware revision] of the Epic circa 2021, replacing the MT8127 with a Rockchip RK3326. While this allowed LeapFrog to upgrade the included operating system to Android 10, it also means that the change in hardware rendered most hacks designed for the original Epic obsolete.
-VTech did their homework with the device and locked out most if not all entry points for hacking, such as ADB and development settings. Bizarrely enough they also dropped Bluetooth, replacing the wireless module with an obscure AltoBeam ATBM6011 wireless LAN controller. Ripping the firmware may also prove to be a challenge as the uboot binary that came with the device came with a deterrent which corrupts the dumped images past a certain point. To be fair this is hardly even unique to LeapFrog as the implementation by Rockchip themselves [https://gitlab.com/pgwipeout/u-boot-rockchip/-/blob/1b01cf5590f8d0b2270ffff5a656e38c5e3930ee/cmd/rockusb.c#L28 has this] until the [https://gitlab.com/pgwipeout/u-boot-rockchip/-/blob/6336d2324985831ed766031f91d410d0e587dbc8/cmd/rockusb.c latest commit]. It may be possible to patch out the offending instructions from the uboot binary, though flashing it back to the device can be a pain as you may or may not end up with a brick. Fortunately, it is possible to unbrick the LeapPad by forcing it to run in MASKROM mode through shorting two conveniently-located test points on the logic board just beside the eMMC chip; this however assumes that you have a ROM backup at hand.
+VTech more or less nerfed the device by disabling features such as ADB and development settings, though USB debugging can be restored by temporarily rooting the device by patching boot.img with Magisk and editing the ADB setting using a settings database editor such as [https://play.google.com/store/apps/details?id=by4a.setedit22&hl=en&gl=US SetEdit]. Bizarrely enough they also dropped Bluetooth, replacing the wireless module with an obscure AltoBeam ATBM6011 wireless LAN controller.
-It is also apparently possible to boot from an SD card with a firmware image flashed onto it. Performance with such a setup would be unsurprisingly bad compared to a ROM flashed into internal storage, but it should be fine for testing if the firmware dump works fine or for recovering from a bricked tablet.
+Ripping the firmware also used to be a challenge due to the uboot binary coded with a deterrent which corrupts the dumped images past a certain point. To be fair this is hardly even unique to LeapFrog as the implementation by Rockchip themselves [https://gitlab.com/pgwipeout/u-boot-rockchip/-/blob/1b01cf5590f8d0b2270ffff5a656e38c5e3930ee/cmd/rockusb.c#L28 has this] until the [https://gitlab.com/pgwipeout/u-boot-rockchip/-/blob/6336d2324985831ed766031f91d410d0e587dbc8/cmd/rockusb.c latest commit]. However, an update to RedScorpio's [https://xdaforums.com/t/tool-imgrepackerrk-rockchips-firmware-images-unpacker-packer.2257331/post-89464941 imgRePackerRK] tool now made it possible to patch the stock uboot and enable firmware dumping.
+In case of a brick, it is possible to unbrick the LeapPad by forcing it to run in MASKROM mode through shorting two conveniently-located test points on the logic board just beside the eMMC chip, though it may also be rather fiddly to pull off; a small reset switch may be soldered onto the testpoints like those generic TV boxes running off similar Rockchip hardware.
+It is also (theoretically) possible to boot from an SD card with a firmware image flashed onto it. Performance with such a setup would be unsurprisingly bad compared to a ROM flashed into internal storage, but it should be fine for testing if the firmware dump works fine or for recovering from a bricked tablet.
+As the second-gen LeapPad Academy supports Project Treble, generic system images (GSIs) are bootable even up to [https://www.youtube.com/watch?v=UWrepWibbtc Android 14], though performance and battery life ''will'' suffer with it; earlier versions such as 10 and 11 should run with fewer issues.
+There are also two sub-variants of the EPICv4, with internal and firmware differences that are subtle on the surface but are still enough that firmware for each other isn't cross-compatible. Firmware for the non-MIPI variant bear the <tt>EPIC4.user.1.x.xxxx.xxxxxxxxx</tt> build number, while those on the MIPI variant use <tt>EPIC4.user.2.x.xxxx.xxxxxxxxx</tt> builds. Apparently the display module and driver on the MIPI version is different compared to the non-MIPI units as round objects appear more elongated on the latter due to the display using non-square pixels to force a "16:9" ratio, similar to countless discount Android tablets.
 ====Gallery====
@@ Line 108: / Line 124: @@
 File:RK3326 LeapPad.jpg|The LeapPad in action.
 File:RK3326 LeapPad internals.jpg|Internals
-File:LeapPad Academy Treble compatibility.jpg|Good luck trying to boot a GSI on it tho.
+File:LeapPad Academy Treble compatibility.jpg|Yup, GSIs should now work on this one, though a dedicated custom ROM would be ideal due to some software issues
 File:ATBM 6011.jpg|AltoBeam ATBM6011 wireless LAN module
 File:RK3326 LeapPad MASKROM testpoints.jpg|Short those two pins beside the eMMC chip to boot into MASKROM mode.