And I came in for another LeapFrog Epic post.

Alright, I'm sure some of you may remember the now-infamous guide on how to turn that LeapFrog Epic demo unit you bought off eBay into a fully functional device last year. It did work well for all intents and purposes, even going so far as being able to connect to LeapFrog services and download apps off their store, but the problem is that it relied on a workaround involving a modified demo ROM and the hidden Write Memory feature in SP Flash Tool. (The secure boot feature in some MediaTek devices has a loophole: most critical system images, e.g. boot and recovery, are checked on bootup to see if they're properly signed, but system isn't for whatever reason, likely due to FOTA updates or something.) Not to mention that the modified ROM is based on an earlier codebase with the Stagefright exploit amongst other vulnerabilities. I know KitKat's already antiquated enough as it is, but eh...

This method is based on the fact that LeapFrog, through their ODM Quanta Computer, used reference keys to sign their firmware, and since there's a Linux-based command-line signing tool used to brand MediaTek scatter ROMs as legit factory images circulating the web, it was only a matter of time before a clean and proper method came along. I would like to thank diplomatic@XDA for schooling me about the MediaTek secure boot implementation, and stricted for being kind enough to do ROM0Split on a whim.

You'll need the following tools:

OK, on to the conversion...

Run SP Flash Tool (either version will do for this step) and click on the Scatter-loading or Choose button on the scatter loading row. Open MT8127_Android_Scatter.txt from the EPICv2 ROM you've just downloaded and unzipped using 7-Zip. You need to do this because the Readback and Write Memory options won't work without the stock firmware loaded.


After that, click on the Readback tab. Click Add, then click on the row that shows up. You'll then be prompted where to save your backup.

 
You'll then be greeted by this window. Region should be set to EMMC_USER, the start address to 0x0 and the length to 0xC5D00000, as shown here. The readback length for demo units is supposed to be 0x205E00000, but since the system partition is smaller on retail units, we'll have to use 0xC5D00000 instead. It shouldn't matter since /system for demo units isn't filled to the brim and the tail end of it is just a bunch of zeroes anyway.

Turn off the Epic, then plug it into your PC. A device named "MTK 65xx Preloader..." or something along those lines should appear in Device Manager or the notifications area. On Windows 10 the drivers should install on their own, but you may have to install them manually on an earlier version of Windows, or if the drivers don't download and install automatically. A tutorial can be found here:


Once the drivers are done installing, unplug the tablet, press Read Back then plug it in again, this time whilst holding the volume up button. This will force the tablet to go into serial mode. Alternatively, plug in the tablet as is, and you will see an error message. Ignore that one, quickly dismiss it, then click on Read Back again as soon as possible. This step can get a little tricky so patience is definitely required for this. A tip would be to open Device Manager whilst SP Flash Tool is running so you'll know if the device is detected properly.

If done correctly, you should see a red progress bar flash by for a few seconds, followed by a blue one. That means that the backup is now being done, both for insurance purposes (since there's obviously the risk of bricking, as I can attest), and so we can use the secure boot info (NVRAM, seccfg and all that kind of junk) once we repartition the tablet's system and data partitions.

This should take at least eight to ten minutes depending on your computer. Once that is done you should end up with a ROM_0 image to roll back to in case something goes wrong, and of course to chop up into a scatter package for repartitioning. Now fire up ROM0Split, and you should be greeted by this window:

Click on the Scatter file button, then open MT8127_Android_scatter_demo2retail.txt from the epic_demo_to_retail.zip file you've downloaded and unzipped.

Then click on ROM0 File, and browse to the ROM_0 backup you made earlier using SP Flash Tool.


Now once everything is accounted for, click Split.
This should take five to ten minutes to process, and once everything is done a message should pop up telling you that the operation is complete.

There should be 22 files in the out folder within where you saved ROM0Split. Make sure to copy the contents of epic_demo_to_retail.zip to the out folder, then proceed to the next step.
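What the split step amounts to, as an added Python sketch (not ROM0Split's own code and not from the original post): carve an EMMC_USER readback into per-partition images at the offsets a scatter file lists, and report partitions that extend past a shortened readback instead of writing them short. The scatter excerpt is constructed, and treating `physical_start_addr` as the offset inside the region is an assumption.

```python
import io
import re

# Constructed scatter excerpt (illustrative values, not the Epic's real layout).
SAMPLE_SCATTER = """\
- partition_index: SYS0
  partition_name: PRELOADER
  physical_start_addr: 0x0
  partition_size: 0x400
  region: EMMC_BOOT_1
- partition_index: SYS1
  partition_name: NVRAM
  physical_start_addr: 0x0
  partition_size: 0x300
  region: EMMC_USER
- partition_index: SYS2
  partition_name: USRDATA
  physical_start_addr: 0x300
  partition_size: 0x1000
  region: EMMC_USER
"""

def parse_scatter(text):
    """Return one dict per "- key: value" entry; hex values become ints."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"\s*(-\s*)?(\w+):\s*(\S+)", line)
        if m and m.group(1):  # a leading "-" opens a new entry
            entries.append({})
        if m and entries:
            k, v = m.group(2), m.group(3)
            entries[-1][k] = int(v, 16) if v.lower().startswith("0x") else v
    return entries

def split_rom0(rom, entries, region="EMMC_USER"):
    """Carve partitions of `region` from a readback; returns (images, skipped)."""
    dump_len = rom.seek(0, io.SEEK_END)
    images, skipped = {}, []
    for e in entries:
        if e.get("region") != region:
            continue  # other regions (e.g. EMMC_BOOT_1) are not in this dump
        start, size = e["physical_start_addr"], e["partition_size"]
        if start + size > dump_len:  # readback was shorter than this layout
            skipped.append(e["partition_name"])
            continue
        rom.seek(start)
        images[e["partition_name"]] = rom.read(size)
    return images, skipped
```

For a real backup, pass `open("ROM_0", "rb")` as `rom` and write each entry of `images` to its own file.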

Start SP Flash Tool 5.1532, then browse to MT8127_Android_scatter_demo2retail.txt from the out folder.
On the main SP Flash Tool window, click on the drop-down menu that says Download only. Change it to Format all + Download, then click Download.

Now plug the tablet in again as before, and if done correctly the Epic should now be wiped clean and repartitioned in preparation for the actual conversion.

Once done, close SP Flash Tool 5.1532 and run SP Flash Tool 5.1744. The reason we're using two versions is this: 5.1532 has a quirk where it can flash any image, even unsigned ones. This however doesn't mean that you can flash whatever you want on the Epic and expect it to boot, as there is a signature check in place, hence why I signed the Academy Edition ROM to make life easier. You'll have to use 5.1532 so you can flash back the unique security data that came with your device without having to sign the image again, all while the internal user storage partition is being made as big as on a retail Epic. 5.1744 is what you'll use to flash the Academy ROM and whatever signed image you may have lying around just in case.

Open the scatter file from the EPICv2 folder you saved earlier, then click Download. This time, leave the download option set to Download only since we don't need to format or repartition things in this case.




This shouldn't take as long as before, though, and once it's all done you may now unplug the device. Plug it in again and make sure that the battery charging screen shows up. If you've done all steps correctly, you should be greeted by these.



Again, sorry if this post is a mouthful or if it looks a bit intimidating, but I hope this will be of major help to you guys, especially at the time I wrote this post when parents are asking me about how to get the demo mode off the Epics they bought on eBay. And if you're having any issues or you'd like to ask about anything related, feel free to leave a comment here or on my Facebook pages.

Comments

Unknown said…
Can't get the Read Back portion of this to work. Tried it with device powered on and off. Followed the video to install the drivers. Keep getting errors. Tried it several different ways and about 50 times each.
Unknown said…
Nvm that comment. I didn’t extract the file properly.
Unknown said…
Now the issue is “ROM0Split has stopped working” every time I click Split.
Huckleberry Pie said…
Have you tried running ROM0Split as administrator? And what operating system are you using?
