THE ULTIMATE OPPO MEDIA DEVICE !

my german provider refuses to give me a link to the jailbroken firmware and redirects me to the oppo official firmware. I think it is sad but it is his full right and part of the game :).

@theaxledentaldj gave me a link to this firmware ; http://www.bd-mod.com/OPPO65-0131RRR.rar

but the early post in this forum point to http://www.bd-mod.com/OPPO65-0131.rar. Can anybody share a link to the second firmware.

I want to achieve code execution to automount network shares and automate if possible from kodi . There was apparently an AutoScript feature in the past and people automounting shares here : https://corp.ixbt.com/topic.cgi?id=60:4837-9

But with this feature disabled im facing exact same issue as described there with a freebsd nas.

Upon those comment the deleted http://www.bd-mod.com/OPPO65-0131.rar firmware had autoscript enabled.
 
Ok it looks that what Rong or oopo did is to replace the string "/mnt/sda1/AutoScript/AutoScript.TSS" in the code of the player by "/mnt/xxxx/AutoScript/AutoScript.TSS",0, so it can never find the file.

Really a sad move :(, especially because from old jailbroken fiorware i found from him , he was using Autoscript to patch in memory the player :(

it could be possible to simply rebuild a new firmware file with a new bd player prog and this would enable autoscript again and give full access to the box.

If people are interested i can try but i need to gather some additional firmware and opinion first
 
Ok it looks that what Rong or oopo did is to replace the string "/mnt/sda1/AutoScript/AutoScript.TSS" in the code of the player by "/mnt/xxxx/AutoScript/AutoScript.TSS",0, so it can never find the file.

Really a sad move :(, especially because from old jailbroken fiorware i found from him , he was using Autoscript to patch in memory the player :(

it could be possible to simply rebuild a new firmware file with a new bd player prog and this would enable autoscript again and give full access to the box.

If people are interested i can try but i need to gather some additional firmware and opinion first
Hi your perseverance is really commendable but for the novice users what would the Autoscript do exactly?
 
Hi your perseverance is really commendable but for the novice users what would the Autoscript do exactly?
It can execute any application from the firmware or compiled externally , this mean :
  • Having remote shell access
  • automounting some NFS/SMB share and not rely on the bdprog way
  • launch the player on a specific title
  • Add a rest server or other to launch title directly from external app, for instance a Kodi add-on
  • ......
 
Ok it looks that what Rong or oopo did is to replace the string "/mnt/sda1/AutoScript/AutoScript.TSS" in the code of the player by "/mnt/xxxx/AutoScript/AutoScript.TSS",0, so it can never find the file.

Really a sad move :(, especially because from old jailbroken fiorware i found from him , he was using Autoscript to patch in memory the player :(

it could be possible to simply rebuild a new firmware file with a new bd player prog and this would enable autoscript again and give full access to the box.

If people are interested i can try but i need to gather some additional firmware and opinion first
I think I once stunbled upon on a chinese forum that other firmware.. hd1999 I think...?
Hmm.. if it was safe.. I might re-flash if it included the original Oppo home screens.. maybe..

Hmm, get it to work with Plex.. because I have Plex on my iphone.

Ill go dig around for that firmware and look on my backup HDD for other firmwares
 
Last edited:
It can execute any application from the firmware or compiled externally , this mean :
  • Having remote shell access
  • automounting some NFS/SMB share and not rely on the bdprog way
  • launch the player on a specific title
  • Add a rest server or other to launch title directly from external app, for instance a Kodi add-on
  • ......
I have what you were looking for on my backup Flash Drive. I'll upload it to my mega into a folder.

Here's the files I have:
http www.bd-mod.com OPPO65-0131.rar
OPPO60-0625.rar
UDPLX500V5.rar
OPPO65-0131RRR.rar

Its uploading now to my mega, will edit post with url.
NPoser from the Russian forum has it and he's on here too.
( Медиаплеер M9702 клон: Oppo UDP-203/Cambridge CXUHD/Pioneer UDP-LX500 - Версия для печати (стр. 3) - Конференция iXBT.com)

So I think thats where I got it.
Download here: File folder on MEGA
 
Last edited:
Thanks i got all i need then, the OPPO65-0131RRR.rar OPPO65-0131.rar. Are exactly the same file so nice to confirm
 
automounting some NFS/SMB share and not rely on the bdprog way
This would be really helpful, not to always wait a samba share to show up!
 
It can execute any application from the firmware or compiled externally , this mean :
  • Having remote shell access
  • automounting some NFS/SMB share and not rely on the bdprog way
  • launch the player on a specific title
  • Add a rest server or other to launch title directly from external app, for instance a Kodi add-on
  • ......
Kool I'm up for that. You have my support.
 
Does anyone know the difference (from a user point of view) between the 60-625 f/w and the 65-131 f/w?
 
The official changelogs are here OPPO Digital - Ultra HD Blu-ray Disc Players

Also between 60 and 65 the jailbreak developper disabled Autoscript feature that allow to launch commands on the firmware :)

Thanks for the link to the changelog.

So your plan is to restore the Autoscript feature in the 65 jailbreak f/w? Sounds good to me!

I haven't come across any incompatibility with the 60 f/w, so I guess it's better to wait for a 65 with autoscript to update the player.
 
I'd also be happy if you figure out how to get autoscripts working. I want the ability to telnet into the box and see the logs of its its bluray playback (assuming it has)
 
I’ll support anything that gets NFS working with this POS just now :D
 
Thanks for the link to the changelog.

So your plan is to restore the Autoscript feature in the 65 jailbreak f/w? Sounds good to me!

I haven't come across any incompatibility with the 60 f/w, so I guess it's better to wait for a 65 with autoscript to update the player.

Yes the author patched 4 bytes /mnt/sda1/Autoscript -> /mnt/xxxx/Autoscript to disable it in the bdprogram.

Patching the initial firmware is easy but im waiting first for this to be delivered : https://aliexpress.com/item/32838230005.html?spm=a2g0s.9042311.0.0.1e026c37NENfRm

As i would like to backup my nand flash without unsoldering it, i have an history of breaking a board when playing with tsop48 flash a few years ago:).

The russian forum claims that the mtd6 and mtd7 partition on the nand does not always contains the activation keys needed to read sacd (At least on firmware <= 60), so better to be on the safe side here and have backup. Unfortunatly delivery time is like 3 weeks :(

Alternativly the m9702 contains 3 unpopulated 4 pins headers and one of them may be the fe debug port from the original oppo 203. I will check that tomorrow but it could be possible then to use this technique :
 
Yes the author patched 4 bytes /mnt/sda1/Autoscript -> /mnt/xxxx/Autoscript to disable it in the bdprogram.

Patching the initial firmware is easy but im waiting first for this to be delivered : https://aliexpress.com/item/32838230005.html?spm=a2g0s.9042311.0.0.1e026c37NENfRm

As i would like to backup my nand flash without unsoldering it, i have an history of breaking a board when playing with tsop48 flash a few years ago:).

The russian forum claims that the mtd6 and mtd7 partition on the nand does not always contains the activation keys needed to read sacd (At least on firmware <= 60), so better to be on the safe side here and have backup. Unfortunatly delivery time is like 3 weeks :(

Alternativly the m9702 contains 3 unpopulated 4 pins headers and one of them may be the fe debug port from the original oppo 203. I will check that tomorrow but it could be possible then to use this technique :

I thought that "Upgrade" port on the back of the M9702 was the debug/ firmware update port? Of which the mtktool connects with it.

I tested it on my mac mini running vmfusion:
Windows 7. It picked up the M9702 comm port via USB.

Ive always wondered how they jailbroke the Oppo firmware. I know they probably compared older firmwares with the new ones to see what was turned off/removed. Like the ISO support was removed in an early firmware and so was the easy downgrading of firmwares.

Hmmm.. I wonder if Rong had to disable;
VFD Display, USB 3.0 port 2, BD-ROM drive
and Wifi, on his custom jailbroken firmware? Compared to that other Jailbroken firmware for the full Oppo UDO-203 unit?
 
Ok it looks that what Rong or oopo did is to replace the string "/mnt/sda1/AutoScript/AutoScript.TSS" in the code of the player by "/mnt/xxxx/AutoScript/AutoScript.TSS",0, so it can never find the file.
Indeed, just tried out with this "\AutoScript\AutoScript.TSS" file (for SMB shares), but it doesn't do anything with my v3 65-0131 firmware:

Code:
CLI(CLI_exec echo root::0:0:root,,,:/root:/bin/sh >/etc/passwd)
CLI(CLI_exec echo system::100:100:user,,,::/bin/sh >>/etc/passwd)
CLI(CLI_exec cp /mnt/sda1/AutoScript/services /etc/)
CLI(CLI_exec /usr/sbin/inetd &)
CLI(CLI_exec sync)
CLI(CLI_exec sync)
CLI(CLI_exec /usr/sbin/telnetd &)
SLEEPMS(1000)
CLI(CLI_exec mkdir /mnt/sda1/Desktop_e)
CLI(CLI_exec mkdir /mnt/sda1/Desktop_f)
CLI(CLI_exec mount.cifs //192.168.1.89/bar1 /mnt/sda1/Desktop_e -o user=foo,password=,ro,iocharset=utf8)
CLI(CLI_exec mount.cifs //192.168.1.89/bar2 /mnt/sda1/Desktop_f -o user=foo,password=,ro,iocharset=utf8)
CLI(CLI_exec mount > /mnt/sda1/mount.txt)
 
I thought that "Upgrade" port on the back of the M9702 was the debug/ firmware update port? Of which the mtktool connects with it.

I tested it on my mac mini running vmfusion:
Windows 7. It picked up the M9702 comm port via USB.

Ive always wondered how they jailbroke the Oppo firmware. I know they probably compared older firmwares with the new ones to see what was turned off/removed. Like the ISO support was removed in an early firmware and so was the easy downgrading of firmwares.

Hmmm.. I wonder if Rong had to disable;
VFD Display, USB 3.0 port 2, BD-ROM drive
and Wifi, on his custom jailbroken firmware? Compared to that other Jailbroken firmware for the full Oppo UDO-203 unit?

For how they jailbreak it , you can have an idea with this file : http://www.bd-mod.com/56CXUHD.rar

It looks like they used autoscript to launch a tool called testptcx that was attaching to the bdprog with linux ptrace debug capabilities and then reading some memory area from it.
I guess some needed decryption keys.

Fo the ports, it looks like there was 3 debug port on the Oppo 203 based on this picture :

Left one looks like another serial port, i hope used by uboot or kernel or even console , and middle one some i2c .

I ll try those a bit later this week on the m9702
 
Ok is 1917 Dolby Vision? Because it loads up the menu and the Dolby Vision logo appears. Then I play the movie and it switches to HDR10+.

I've added photo of what I'm talking about. And photo of the settings I have on the device, and photo of the settings on my TV (GZ950)

Regarding the last photo, when I turn off HDR10+ Functionality to OFF and leave DV ON, the film plays in HDR10 instead of 10+ and not DV

This is the same issue with The Shining + all other discs that have both HDR10+ and Dolby Vision. In the HDR Settings, I changed "Auto" to "Dolby Vision" in HDR and my titles now play with Dolby Vision instead of the usual HDR10+. I'm still not 100% sure it's the "real" DV or some silly conversion, hope someone with more knowledge could chime in.
 
This is the same issue with The Shining + all other discs that have both HDR10+ and Dolby Vision. In the HDR Settings, I changed "Auto" to "Dolby Vision" in HDR and my titles now play with Dolby Vision instead of the usual HDR10+. I'm still not 100% sure it's the "real" DV or some silly conversion, hope someone with more knowledge could chime in.
i Wonder exactly the same , also what is this TV vs player convertion option ? any idea
 
For how they jailbreak it , you can have an idea with this file : http://www.bd-mod.com/56CXUHD.rar

It looks like they used autoscript to launch a tool called testptcx that was attaching to the bdprog with linux ptrace debug capabilities and then reading some memory area from it.
I guess some needed decryption keys.

Fo the ports, it looks like there was 3 debug port on the Oppo 203 based on this picture :

Left one looks like another serial port, i hope used by uboot or kernel or even console , and middle one some i2c .

I ll try those a bit later this week on the m9702
Good info. Do you need any pics of the M9702 v2 or did you already open yours up?

It might be interesting to make a custom jailbroken65-0131 firmware, even better, would be able to use it on the Oppo UDP-203 unit..? Just curious how they injected or re-built the firmware to require a .dat file to "Activate" the jailbroken features..? I get it, to make $$. I came from the PS3 TrueBlue days, and they reverse engineered that dongle to allow custom firmwares on it for free.
 

The latest video from AVForums

Is 4K Blu-ray Worth It?
Subscribe to our YouTube channel
Back
Top Bottom