LeapFrog Epic part 2: An open letter to the company (bootloader and ROM development)

OK, so a bit of a rant, though for one I gotta give LeapFrog some credit for this. Sure, repairs are a service centre away, and the main market for this device is kids and their parents, but what about the more tech-savvy parents (e.g. geeks or tinkerer types) who'd certainly re-purpose or service their kids' Epics, either because it broke down or went into a boot loop for some reason?

You see, the main thing with this is that the preloader, or in other words the bootloader, is locked from tampering, making it next to impossible to use custom ROMs or kernels. You can somehow subvert this by editing just the system.img offline, assuming you extracted it off your device, or, in the case of backups, by backing up the whole ROM image, boot/recovery and other images included, to a single ROM_0 file and flashing it back using the hidden Write Memory feature in SP Flash Tool.

The problem is when you need to replace boot.img with a different one - you simply can't. Flashing unsigned images gives out a BROM 6045 (S_SECURITY_SECURE_USB_DL_IMAGE_SIGN_HEADER_NOT_FOUND) error, and if you did manage to do so through the aforementioned Write Memory tool, at most you're stuck with the LeapFrog logo unless a kernel the preloader seems happy with is flashed back.

Granted, I see the reason why LeapFrog had Quanta Computer (i.e. the OEM responsible for manufacturing the Epic) lock the thing down to prevent unauthorised tampering and/or security issues, but what's the point of sending my friend a CD-ROM of the kernel sources? Sure, they'd say it's for auditing purposes or merely for compliance with the GPL, but as the company has had a history of being chill with tinkerers, why wouldn't they at least offer an option to unlock it? It may be of little use to an average parent, and it's moot as you can develop apps without having to poke into the low-level internals, but why not, if one's going to unlock an Epic's bootloader in good faith? We've seen the likes of is0-mick loading up random stuff on their LeapFrog devices, and the lads over at Emeryville don't seem to object much - in fact, a company engineer stopped by the Spiffy Hacks forums and told his tale about the LeapTV.

If any of you LeapFrog employees, like engineers or perhaps just staff members, are reading this right now, I'd be more than happy to have a talk with you. I do understand if you want nothing to do with this, especially in this day and age where even electronic toys are scrutinised for security issues, but this isn't about pwning some boy or girl's toy for nefarious means, it's to re-purpose or make the most out of something which would be obsolete in a few years - let's say that one's son or daughter outgrew the tablet or simply got burned out by it, and his mum or dad would like to turn it into some mobile internet device where they could check their emails without being subjected to something infantile. I'd basically be more than happy to recommend your company to anyone who is interested in an educational toy for their children rather than just buy a regular tab and have them play (possibly) inappropriate content on said devices, so long as you provide us advanced users the means to unlock and repurpose or service these Epics in good faith.


Ashley Francis said…
Hello, were you ever able to get this fixed? I am a mom who evidently bought one of the demo models. Just wondering if this can be fixed. The store I bought it at doesn't have any more so I'd have to go pay full price somewhere else.
Huckleberry Pie said…
Do you have any contact details (Skype, Google Hangouts, etc.) so I can walk you through the process?
Sam Vilhelmsson said…
Hi. We bought the last one in a Wal-MART store. Now back in Sweden we realize they sold us the demo version. Can you send us instructions on how to fix it?
Huckleberry Pie said…
@Sam - Check your Facebook inbox. I've already posted a link to the ROM here and am more than willing to help you with your issue.

