FREE Oppo and Clones Jailbreak

Thomas Szucs

Active Member
In the first post we ask people to do a NAND backup before jailbreaking but it has not been explained how to restore them again. I have written the following text based on different posts and how I think the process is. I would like you guys to review it and then I will update it with your suggestions.
When it's OK @theaxledentaldj could put it in the first post if it's OK.

!!!!!!!WARNING - TEXT IS FOR REVIEW ONLY AS FOR NOW - DO NOT USE IT!!!!!!!

The NAND backup is a complete copy of the software in your player. It is recommended that you do this backup just incase something goes wrong with the jailbreak.
The most important files in the NAND backup are the following six files

mtd4-mac_addr_1.img mtd5-mac_addr_2.img mtd6-key_block_1.img mtd7-key_block_2.img mtd10-fe_test_data.img mtd11-fe_parameters.img mtd12-fe_power_curve.img

They can be named differently if you used another script to do the backup. I have seen them named like this also.

mac_addr_1.bin mac_addr_2.bin key_block_1.bin key_block_2.bin fe_test_data.bin fe_parameters.bin fe_power_curve.bin

But the files are basically the same.

These six files are unique to each player and stores the id of your player, decrypt keys and the network MAC addresses for the LAN and WIFI adapters. Do not share these files. The decrypt keys could end up being used in a chinese clone player and then become blacklisted by the BDA and your player could stop working for playback of regular discs.

The rest of the files are part of the general firmware but keep the copy of them anyway. Normally there are no problem with restoring those using the TTL cable and the general firmwarefile.

If you have some issues with the jailbreak and end up corrupting any of the 7 files in the NAND (in the player), then you can get issues playing back commercial Blu-ray/UHD discs.

Writing back the files to your player are done like this.

First you need to downgrade to firmware 60. This can only be done using a TTL cable.
Place the 7 files in the root of an USB stick. Create an Autoscript with the following.

Use a standard "Autoscript.TSS" in order to call "cf.sh" file :
SLEEPMS(1000) CLI(CLI_exec dd if=/mnt/sda1/mtd4-mac_addr_1.img of=/dev/mtdblock4) CLI(CLI_exec dd if=/mnt/sda1/mtd5-mac_addr_2.img of=/dev/mtdblock5) CLI(CLI_exec dd if=/mnt/sda1/mtd6-key_block_1.img of=/dev/mtdblock6) CLI(CLI_exec dd if=/mnt/sda1/mtd7-key_block_2.img of=/dev/mtdblock7) CLI(CLI_exec dd if=/mnt/sda1/mtd10-fe_test_data.img of=/dev/mtdblock10) CLI(CLI_exec dd if=/mnt/sda1/mtd11-fe_parameters.img of=/dev/mtdblock11) CLI(CLI_exec dd if=/mnt/sda1/mtd12-fe_power_curve.img of=/dev/mtdblock12) SLEEPMS(1000) CLI(CLI_exec sync) CLI(CLI_drv.ir.rx.sq 0xaf000)

With the different naming it is like this.
SLEEPMS(1000) CLI(CLI_exec dd if=/mnt/sda1/mac_addr_1.bin of=/dev/mtdblock4) CLI(CLI_exec dd if=/mnt/sda1/mac_addr_2.bin of=/dev/mtdblock5) CLI(CLI_exec dd if=/mnt/sda1/key_block_1.bin of=/dev/mtdblock6) CLI(CLI_exec dd if=/mnt/sda1/key_block_2.bin of=/dev/mtdblock7) CLI(CLI_exec dd if=/mnt/sda1/fe_test_data.bin of=/dev/mtdblock10) CLI(CLI_exec dd if=/mnt/sda1/fe_parameters.bin of=/dev/mtdblock11) CLI(CLI_exec dd if=/mnt/sda1/fe_power_curve.bin of=/dev/mtdblock12) SLEEPMS(1000) CLI(CLI_exec sync) CLI(CLI_drv.ir.rx.sq 0xaf000)

But before doing this please consult the people in this forum. It is dangerous stuff to play around with and you could end up breaking your player.
 
Last edited:

theaxledentaldj

Active Member
I'm reviewing it Thomas Szucs, but I think moremodey01 already outlined a small instruction on how to put back the backed up NAND somewhere in this thread. I can dig it up and look at it and compare it to yours. But, until moremodey01 tells me its a tested process, I don't think I want to add it to my first post on page 1. I'm not sure I want to be held responsible for a NAND replacement nor support it?

cle200, page 1 post 1 has info by you, but I used my AutoScript module.

Thomas S. I do have:
Nand Key FE Restore AutoScript Module, I don't know if the was shared on this thread. I'll go back into this thread and see if I can find moremodey01 post about how to do the Restore of the NAND Backup.

 
Last edited:

cle2000

Standard Member
I'm reviewing it Thomas Szucs, but I think moremodey01 already outlined a small instruction on how to put back the backed up NAND somewhere in this thread. I can dig it up and look at it and compare it to yours. But, until moremodey01 tells me its a tested process, I don't think I want to add it to my first post on page 1. I'm not sure I want to be held responsible for a NAND replacement nor support it?

cle200, page 1 post 1 has info by you, but I used my AutoScript module.

Thomas S. I do have:
Nand Key FE Restore AutoScript Module, I don't know if the was shared on this thread. I'll go back into this thread and see if I can find moremodey01 post about how to do the Restore of the NAND Backup.

Thomas : it's a good idea because it could be very useful but of course it has to be tested. I don't know if @liwil already tried it as i know he did several firmware upgrades. @theaxledentaldj are you abble to contact him ?
 

cle2000

Standard Member
@theaxledentaldj : thanks for your post in the first page.
May i suggest you a different wording in order to avoid misunderstanding :

--------
You said :
"He wanted to revert back from the Original EU firmware from his RU Jailbreak firmware, so he made a custom AutoScript module to replace the RU Jailbreak bdpprog with the Original EU bdpprog and then was able to use the USB Method to re-install his Original EU Firmware."

I would say :
"He wanted to revert back from the Original EU firmware from his RU Jailbreak firmware, so he made a custom AutoScript module to use the Original EU bdpprog (instead of the RU JB one) and then was able to use the standard USB Firmware Upgrade process in Oppo menu to re-install his Original EU Firmware."
--------

Actually, as you know I didn't replace physically the RU Jailbreak bdpprog , but to explain it simply i put the Original EU bdpprog into /mnt/ubi_boot/ and then i did a chmod +x on it (with autoscript).
I powered off/on my Oppo in order to use the original EU bdpprog instead of the RU JB one and then i used the Oppo FW upgrade menu with an USB key containing the last EU firmware (65-0131) : UDP20XEU.bin.
 
Last edited:

theaxledentaldj

Active Member
cle2000, I dont have a good contact with liwil. Im certainly not going to test it on my Oppo. with moremodey01's guidance and even then, I have no need to reveret back to stock original firmware. I even tried a method last nite that I thought would work.
I only ended up on Original Russian firmware then back to RU JB Firmware. Suprisingly, after I did that, my custom skin came right backup. I wonder how much or what the firmware actually writes?
It difinatally writes back my Russian JB bdpprog file back. 😁
 

cle2000

Standard Member
cle2000, I dont have a good contact with liwil. Im certainly not going to test it on my Oppo. with moremodey01's guidance and even then, I have no need to reveret back to stock original firmware. I even tried a method last nite that I thought would work.
I only ended up on Original Russian firmware then back to RU JB Firmware. Suprisingly, after I did that, my custom skin came right backup. I wonder how much or what the firmware actually writes?
It difinatally writes back my Russian JB bdpprog file back. 😁
@theaxledentaldj : your test confirms that it's possible to revert back to stock firmware by USB process. The only condition is to have the same Region version (EU->EU, US->US, RU->RU ....).
The firmware upgrade process doesn't have any impact on custom files added in /mnt/ubi_boot/ where is installed the overlay.
So when you re-jailbreak your firmware, your overlay is operational again.
I think, it can explain why your custom skin was still there.
 
Last edited:

Thomas Szucs

Active Member
I'm reviewing it Thomas Szucs, but I think moremodey01 already outlined a small instruction on how to put back the backed up NAND somewhere in this thread. I can dig it up and look at it and compare it to yours. But, until moremodey01 tells me its a tested process, I don't think I want to add it to my first post on page 1. I'm not sure I want to be held responsible for a NAND replacement nor support it?

cle200, page 1 post 1 has info by you, but I used my AutoScript module.

Thomas S. I do have:
Nand Key FE Restore AutoScript Module, I don't know if the was shared on this thread. I'll go back into this thread and see if I can find moremodey01 post about how to do the Restore of the NAND Backup.

I have updated my post above. I totally understand regarding putting it on the first post. It is delicate stuff to mess around with and requires a lot of involvement. Maybe the part about the importance of the 7 NAND files could be added. I can also delete my post if you want.
 

Thomas Szucs

Active Member
Thanks Thomas.

I wonder, if anyone did this and if something went wrong, would it be a softbrick or a perminant brick?
If you have a backup of the 7 NAND files I don't think you can break your player permantly. Without the 7 files you can end up only to use your Oppo as a mediaplayer without the drive.

The link to the Hao4K专注家庭影音-4K资源下载、影音行业报道及影音器材评测 site that iwill provided some time ago shows a guide on how to clone mac_addr_1.bin and mac_addr_2.bin so several people could use the same paid jailbreak and decryption key. This was to avoid paying for the jailbreak. Looks like a lot of chinese people did this.
Remember this was before moremodey01 did his work.
 

cle2000

Standard Member
Thanks Thomas. Translation proposed by google chrome is good. Just curious about Activation jailbreak Script (dd command and so on) attached in this chinese site. Did you manage to download it ? Seems, it's necessary to register in order to download.
 

cle2000

Standard Member
For Oppo 203/205 - Safe and fully tested on Oppo 203 EU with and without Overlay

Step by step Switch to stock FW with 100% Autoscript

Prerequisites :

  • you already jailbroke your Oppo with 65-0131 RU Jailbreak
  • you own the official bdpprog 65-0131 specific to your region
  • download "Switch JB RU bdpprog to Stock.zip"

Step 1 : installation of the official bdpprog (EU by default)
  • Case 1 : you didn't installed the JB_Overlay => use "Switch_Stock_bdpprog (NO Overlay)"
  • Case 2 : you already installed the JB_Overlay => use "Switch_Stock_bdpprog (Overlay ONLY)"
If your region is different than EU then replace "bdpprog_stk" by the official bdpprog to be used for your region with the same name (bdpprog_stk).
Copy AutoScript directory into a USB stick.
Plug in your USB stick, wait for 10s after the Disk tray opening and then power off your Oppo.
Plug out the USB stick and Power on : verify in Oppo menu that the version of the firmware used is the stock one.


Step 2 (Optional) : Complete revert to stock firmware (tested only on Oppo 203 EU)
Prepare a USB stick containing the last stock firmware (65-0131) of your region (for EU : UDP20XEU.bin) and plug in it to your oppo.
Upgrade your firmware in Oppo menu (choose yes when asking to replace firmware with the same version).
Do a factory reset in Oppo menu.


Step 3 : revert to JB RU firmware
  • Case 1 : you didn't installed the JB_Overlay => use "Remove_Stock_bdpprog (NO Overlay)"
  • Case 2 : you already installed the JB_Overlay => use "Remove_Stock_bdpprog (Overlay ONLY)"
Copy AutoScript directory into a USB stick.
Plug in your USB stick, wait a few seconds after the Disk tray opening and then power off your Oppo.
Plug out the USB stick.
If you made the optional step 2, you will have to do again the entire RU Jailbreak USB procedure but you won't have to reinstall the overlay if you installed it before.
Otherwise, power on : verify in Oppo menu that the version of the firmware used is the JB RU one.
 
Last edited:

Thomas Szucs

Active Member
Thanks Thomas. Translation proposed by google chrome is good. Just curious about Activation jailbreak Script (dd command and so on) attached in this chinese site. Did you manage to download it ? Seems, it's necessary to register in order to download.
I have pm'ed you. If you want to get up to speed with knowledge then read page 110 - 150 at

This is where the most important stuff is written.
 

cle2000

Standard Member
I have pm'ed you. If you want to get up to speed with knowledge then read page 110 - 150 at

This is where the most important stuff is written.
Ok Thanks
 

theaxledentaldj

Active Member
Thomas, I remember that forum post. We looked at it, tried to get the files, but thier baidu requires registration in china to get the files. Obviously, we surpassed that method and its outdated as we all know, we offer a free RU JB now.

I'll say it again, I have no need to go back to stock original firmware. What moremodey01 has accomplished for my Oppo-203 is all I ever wanted out of my device.
 

Thomas Szucs

Active Member
Thomas, I remember that forum post. We looked at it, tried to get the files, but thier baidu requires registration in china to get the files. Obviously, we surpassed that method and its outdated as we all know, we offer a free RU JB now.
I got the files but there are no interesting things as you already pointed out.
 

theflo7

Novice Member
Hi "theaxeledentaldj" after reading a lot on this forum I finally decided to do the jailbreak, really thank you for making this good manual and making the installer files it all worked great on my Oppo 205EU. I have a few questions since I am pretty new to this. I havent installed the NFS auto script yet. What is the advantage of that script only to make shortcuts to directories on a Server/NAS. I am also a Mac user and I can get to my shared drives via the Network menu: NFS: MY IP nummer
Then I see 'Movies' and after that my shared drives that I made via NFS manager. So what is the benefit of the autoscript?
Another question since you are also mac user. I have a macpro 5,1 running as server with 8TB of storage. I want to use my SATA docking station to use removable SATA discs for backups. The only thing is that NFS manager does not allow removable discs. (shared discs always need to be mounted For NFS manager to work) Do you know a work around for this? The only way with NFS manager is to delete the unmounted disc from the list and add the the new one to the list. It works but would be great if I don't have to do this every time.
I also tried to connect via SMB via network menu. But I get error with my login and password when I try to login the server to check if this way would work with removable discs.

Thanks again for making this work playing BDMV and ISO over the network really awesome. Keep up the good work!

Flo

 
Last edited:

theaxledentaldj

Active Member
hey theflo7, Congrats!

Another MacOS user, sweet!

Using the AutoScript or the jb_overlay v1 to run an Autostart.sh script to auto mount your NFS shares fools the Oppo-203/205 that ALL mkv, DVD ISO's, BD and 4K BD ISO's are local and then you can create them as "Favorites" and give them poster art jpg files so they show up in the Favorites section of the Oppo's Favorites page.

I use NFS Manager too (works just fine in Demo mode for free).

As for your SATA docking station, I don't know another way. You'll need to manage you movie collection another way.. or your music another way. I have 4 external HDDs and I put them on a USB Hub into my Mac mini.

SMB will NEVER work from a MacOS to the Oppo-203/205 because the Oppo only supports SMBv1. Besides NFS is faster.

I can't take much of the credit, A Huge shout out and props and respect goto moremodey01 and anonymous for giving us a free RU JB. I Thank Thomas Szucs as well for discovering the USB Method.
 

moremodey01

Active Member
Thanks Thomas.

I wonder, if anyone did this and if something went wrong, would it be a softbrick or a perminant brick?
does this work : CLI(CLI_exec dd if=/mnt/sda1/mac_addr_1.bin of=/dev/mtdblock4)

i tried with a guy that broke his m9702 and it was not possible, i assumed based on the chinese forum that you have to downgrade to v60, could have missed something

Btw i reversed a while back , how oppo is flashing those mac and key blobs in a plane trip, and you need to put the player in a debug mode. then you can flash those on the rs232 port by inputting a specific password , command and subcommand following by signed (or just checksumed iirc) blob.
didnt follow much as i dont have an oppo
 

theflo7

Novice Member
hey theflo7, Congrats!

Another MacOS user, sweet!

Using the AutoScript or the jb_overlay v1 to run an Autostart.sh script to auto mount your NFS shares fools the Oppo-203/205 that ALL mkv, DVD ISO's, BD and 4K BD ISO's are local and then you can create them as "Favorites" and give them poster art jpg files so they show up in the Favorites section of the Oppo's Favorites page.

I use NFS Manager too (works just fine in Demo mode for free).

As for your SATA docking station, I don't know another way. You'll need to manage you movie collection another way.. or your music another way. I have 4 external HDDs and I put them on a USB Hub into my Mac mini.

SMB will NEVER work from a MacOS to the Oppo-203/205 because the Oppo only supports SMBv1. Besides NFS is faster.

I can't take much of the credit, A Huge shout out and props and respect goto moremodey01 and anonymous for giving us a free RU JB. I Thank Thomas Szucs as well for discovering the USB Method.
Hi thank you for replying : ) That sounds pretty cool, I am going to try that out aswell. Do the poster icons option only work with the Autoscript NFS script or do I need the jb_overlay to get the poster icons to work. I read the article for install looks pretty complicated. Thanx for your comments about SMB saves a lot of time trying with no luck : ). Greetings Flo
 

theaxledentaldj

Active Member
theflo7,

The poster art feature works with or without
AutoScript, with one requirement.

(You dont have to have installed the jb_overlay v1 either.)

The one exception: in order to add them to Favorites, an AutoScript must be used to auto-mount them and that fools the Oppo to see them as Local.

Installing the jb_overlay v1 is easy be to install because it installs from its AutoScript. Best feature it adds is FTP and ssh so you can add a Theme easier.
 

theaxledentaldj

Active Member
Hey guys.. I did some Firmware testing.. trying to downgrade to an original stock firmware just to get the bdpprog. Looks like I'm still unsuccessfull.

I tried Thomas Szucs method, and it started to work but was on 45 and it wouldn't pass "Hello" and the Mtktool said something along the line, not compatible.. I was forced to use the RU JB MAIN20XCN.bin file and was all good... After many different renaming file tries, all I could install properly was the RU JB 65 firmware. The Original 65 MAIN20X.bin had Mtktool spit out a error about xor sign missing. I took some screenshots. I left my Windows 10 64-Bit Bootcamp still installed incase someone has any other methods, even though messing around with firmwares stresses me out. Interestingly, when the MTKtool is still running and connected to my Oppo that has a finished RU JB Firmware installed and powered on to home menus, I get log report.

Maybe I did Thomas Szucs method incompletely:


"1. Applied downgrade.bin
2. Downgraded back to the very FIRST firmware. I ONLY typed 'upg' in MTKTool and NOT 'usb upg be all'.

3. From there the player suggests to upgrade to EU45, which I did from web.
4. After that the player suggests to upgrade to EU65, which I did from web.

On each firmware level I checked a BluRay. Afterwards I have checked 2 BluRays and 1 UHD movie. Everything has played back fine.
But now I'm back at jailbrake again.

Just remember to do a nand-backup before trying anything."

____
Maybe Thomas Szucs method didn't work right because I only started on Original 45 bin and didn't go even start on very first Oppo/s firmware release UDP20X-29-1209 firmware...??

Update:

Read Liwil post and I missed a step!
After running downgrade.bin procedure, I then ran all Original stock 45 renamed files with CN in them and used "upg", and that finished without any errors but when you turn off and turn back on, it will stay at "Hello" on VFD display.

So, I then power off, run upgrade.bin in Mtk tool and select up Upgrade button and quickly power on my Oppo and when thats finished, then power off and back on and now Im at Official UDP20X-45-065!!

Then used the normal USB firmware updatecfrom withing settings to update Orig 60 via USB and that worked and then Original 65 and that worked!

Page one post one updated with more detail instructions on how I did all this:

 

Attachments

  • IMG_5583.jpg
    IMG_5583.jpg
    445.6 KB · Views: 14
  • IMG_5584.jpg
    IMG_5584.jpg
    423.9 KB · Views: 14
  • 1B643618-6E4C-4D68-9F56-22464BE4BAB3.jpeg
    1B643618-6E4C-4D68-9F56-22464BE4BAB3.jpeg
    154.9 KB · Views: 14
Last edited:

The latest video from AVForums

LG C1 OLED TV Best Picture Settings for SDR, HDR and Dolby Vision
Subscribe to our YouTube channel

Latest News

Sky drops Sky One brand and introduces Showcase and Max
  • By Andy Bassett
  • Published
Cleer Audio announces Roam NC, affordable TWS earbuds
  • By Andy Bassett
  • Published
Toshiba smart TVs add Amazon Music and Twitch apps
  • By Andy Bassett
  • Published
Samsung launches Odyssey Neo G9 mini LED gaming monitor
  • By Andy Bassett
  • Published
LG adds to TONE Free earphone lineup for 2021
  • By Andy Bassett
  • Published

Full fat HDMI teeshirts

Support AVForums with Patreon

Top Bottom