Hey guys, I've been interested in getting AOSP running on the Captivate, just like the NexusS. Since I now have an UnBrickable Phone, I figured I'd flash the firmware, but it didn't work. I need a new partition table. I found that the partitions are hidden within the bootloader image, so that didn't work... There is no direct upload without proper partitioning and the partition tables are not in the same format. I was talking to Rebellos and he said it would be possible... Then he came up with the mod out of the blue.
The Linux commands used were as follows; the sleep is added so you can copy and paste.
Code:
sudo smdk-usbdl -f ./HIBL.bin -a D0020000
sleep 3
sudo smdk-usbdl -f ./nexus_sbl.bin -a 33040000
which loads the HIBL to memory address 0xD0020000 and the SBL to memory address 0x33040000. At this point it is executed by the HIBL and....
All buttons worked properly! This means there is no work for volume+, volume- or power... There will probably be something else though.
I asked Rebellos to explain here so we can all learn something. I'm attaching the HIBL and the SBL to this post.
Warning: Since unlocking NexusS requires format of the MoviNAND and SDCard, be prepared to format all information on your phone, including EFS. Have a backup of all critical information.
Some general (and less-general) stuff about bootloader analysis:
How to extract SBL from fused image?
(as the one in Nexus S, where IBL, PBL and SBL are together in bootloader.img)
Bootloaders are usually aligned to memory blocks of sizes like 4, 8, 16 or 32 KB. The gaps between them are filled with 0x00 bytes.
The SBL is the largest bootloader, so the thing to do is open the file in a hex editor (personally I prefer XVI32), find the largest solid block of data and erase everything before the first non-zero byte of that block. This way you've got the Sbl.bin image.
Why is the correct entry point (EP) of a bootloader so important?
It follows from the ARM specification. Suffice it to say that in most cases the code is non-relocatable.
More info: http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.faqs/ka3698.html
How to find correct bootloader EP?
In all SGS series SBLs I've seen so far, the EP is always written at offset 0x20 of the SBL image, as a 32-bit int in little-endian notation.
Taking the Nexus S SBL as an example, the following bytes in a hex editor are:
Code:
00 00 04 33
So correct EP = 0x33040000
A much more complicated case is when (as we can see in Samsung Waves) the SBL (BL3) does not have an entry point in the file. Then it's mainly a matter of correct analysis and some guessing.
Most string pointers are stored and used in ARM assembly this way:
Code:
LDR R4, [some_string_ptr] ; this means LoaD Register (or Load Data Register) from the given address, which means we are loading the address of some_string
some_string_ptr DW some_string
some_string DB "string_example"
some_string_ptr will be a valid pointer only when the code is loaded at a valid location (the data stored under some_string_ptr doesn't change).
The fastest way is to load such code at any address in the IDA disassembler, find a few string pointers and see which addresses they point to. Remember that LDRs are also used to obtain CPU SFR (Special Function Register) addresses and constant data (this is a matter of practice). Example:
We have loaded code under 0x10000000, some random LDRs taken from code:
LDR R0, 0x43000204
LDR R3, 0x12345678 ;looks like magic-const
LDR R8, 0xABCDABCD ;this one also
LDR R1, 0xFFFFFFFF ;looks like error return value or bit mask
LDR R1, 0xE0010000 ;doesn't match the rest, SFR probably (always keep CPU reference manual opened)
LDR R2, 0x43122508
LDR R0, 0x4311270A
LDR R0, 0x430F0100
The rest of the LDRs are in the 0x43****** area, and the code entry point is usually aligned, as I said before, so the first entry point to try would be 0x43000000. You'll recognize that you've got a valid entry point by IDA properly matching string X-refs to LDR instructions.
Example of code with invalid entrypoint:
Code:
TEXT:4148EA20 LDR R1, =0x42593D59
TEXT:4148EA24 MOV R0, R4
The same code, with valid entrypoint:
Code:
TEXT:4248EA20 LDR R1, =pSecBootFixedSeedKey ; "Fixed one for Samsung 3G platform. This"...
TEXT:4248EA24 MOV R0, R4
Got any more questions? Suggestions? Problems? Feel free to ask here or PM me.
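The steps described in the post above (carve the largest data run out of a fused image, read the EP at offset 0x20, and estimate a load base from LDR literals when no EP is stored), as an added Python example that is not part of the original post. The sample image, its block layout, the 0x140000 image size and all function names are constructed for illustration; the top-byte clustering is one simple heuristic, not the author's tool.

```python
import struct
from collections import Counter

EP_OFFSET = 0x20  # per the post: 32-bit little-endian EP at offset 0x20 of the SBL
# LDR literal values listed in the post (code loaded at an arbitrary address).
POST_LITERALS = [0x43000204, 0x12345678, 0xABCDABCD, 0xFFFFFFFF,
                 0xE0010000, 0x43122508, 0x4311270A, 0x430F0100]


def data_spans(image, block=0x1000):
    """(start, end) offsets of runs of consecutive blocks that are not all 0x00."""
    spans, start = [], None
    for off in range(0, len(image), block):
        if any(image[off:off + block]):
            if start is None:
                start = off
        elif start is not None:
            spans.append((start, off))
            start = None
    if start is not None:
        spans.append((start, len(image)))
    return spans


def extract_sbl(image, block=0x1000):
    """Largest solid run of data in the fused image, taken to be the SBL."""
    spans = data_spans(image, block)
    if not spans:
        raise ValueError("image contains only padding")
    start, end = max(spans, key=lambda s: s[1] - s[0])
    return start, image[start:end]


def read_entry_point(sbl, block=0x1000):
    """Entry point stored in the SBL header; rejects values that cannot be one."""
    if len(sbl) < EP_OFFSET + 4:
        raise ValueError("image too short to hold an entry point")
    (ep,) = struct.unpack_from("<I", sbl, EP_OFFSET)
    if ep == 0 or ep % block:
        raise ValueError(f"0x{ep:08X} at offset 0x20 is not an aligned address")
    return ep


def guess_load_base(literals, image_size, align=0x10000):
    """Candidate base address from LDR literals when the file stores no EP.

    Heuristic: pointers into the image share their top byte, while SFR
    addresses, bit masks and magic constants fall elsewhere and are ignored.
    """
    top, _ = Counter(v >> 24 for v in literals).most_common(1)[0]
    cluster = [v for v in literals if v >> 24 == top]
    base = min(cluster) & ~(align - 1)
    inside = [v for v in cluster if base <= v < base + image_size]
    return base, inside


def string_hits(image, pointers, base, min_len=4):
    """Count pointers that, rebased, land on a printable NUL-terminated string.

    This mirrors the check the post does by eye in IDA: with the right base,
    string cross-references resolve; with a wrong one they point at junk.
    """
    hits = 0
    for p in pointers:
        off = p - base
        if not 0 <= off < len(image):
            continue
        end = image.find(b"\0", off)
        s = image[off:end if end != -1 else len(image)]
        if len(s) >= min_len and all(0x20 <= c < 0x7F for c in s):
            hits += 1
    return hits


def build_sample():
    """Constructed stand-in for a fused bootloader.img (not real firmware)."""
    sbl = bytearray(b"\xE1" * 0x6000)
    struct.pack_into("<I", sbl, EP_OFFSET, 0x33040000)   # bytes 00 00 04 33
    sbl[0x5000:0x500F] = b"string_example\0"
    ibl, pbl = b"\x11" * 0x2000, b"\x22" * 0x1000
    return ibl + bytes(0x2000) + pbl + bytes(0x3000) + bytes(sbl)


if __name__ == "__main__":
    start, sbl = extract_sbl(build_sample())
    ep = read_entry_point(sbl)
    print(f"SBL at file offset 0x{start:X}, {len(sbl):#x} bytes, EP 0x{ep:08X}")
    base, inside = guess_load_base(POST_LITERALS, image_size=0x140000)
    print(f"candidate base 0x{base:08X}, {len(inside)} literals inside the image")
    print("string hits with the stored EP as base:", string_hits(sbl, [ep + 0x5000], ep))
```

A single 0x00-filled block inside the SBL would split the run, so on a real image compare the carved length against the expected partition size before trusting it.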
First.
Pls post a bit more detailed instructions... would love to try this out when my unbrickable cappy gets here on Monday.
Sent from my Transformer TF101 using XDA Premium App
psycho2097 where did you send yours to have it done at?
BloodSkin said:
psycho2097 where did you send yours to have it done at?
To me. You can also pm Connexion2005. He's done the mod as well.
Apparently the Nexus S works with odin, but it's not flashing for some reason... I was able to get the partition table here.. see attached file: http://forum.xda-developers.com/attachment.php?attachmentid=709328&stc=1&d=1315096743
Boot the nexus S bootloader as above, while holding VOL+ and VOL-, then use heimdall to download the part.pit.
AdamOutler said:
To me. You can also pm Connexion2005. He's done the mod as well. I'm still working with it..
Apparently the Nexus S works with odin, but it's not flashing for some reason... I was able to get the partition table here.. see attached file: http://forum.xda-developers.com/attachment.php?attachmentid=709328&stc=1&d=1315096743
Boot the nexus S bootloader as above, while holding VOL+ and VOL-, then use heimdall to download the part.pit.
Why not try Heimdall? Or have you already?
Kyuta Syuko said:
Why not try Heimdall? Or have you already?
I tried. read above.. I used heimdall to download the partition table... however there is a problem with heimdall's repartitioning ability.
Awesome, I love that someone is working on this and that AdamOutler is one of the ones leading the pack. You have done some great things on the development side of the Captivate and I know you actually work on these things instead of bringing the idea to light but never really going anywhere with it. I am very excited to watch the progress on this. Good luck.
AdamOutler said:
I tried. read above.. I used heimdall to download the partition table... however there is a problem with heimdall's repartitioning ability.
Guess I missed that last part. What kinda problem?
Kyuta Syuko said:
Guess I missed that last part. What kinda problem?
Not quite sure.. it seems to not be able to set the partition in stone. I contacted Benjamin Dobell about it. Its a problem with heimdall
This is a bit different though.. even Odin fails in this case. I am still working with it.
AdamOutler said:
Not quite sure.. it seems to not be able to set the partition in stone. I contacted Benjamin Dobell about it. Its a problem with heimdall
This is a bit different though.. even Odin fails in this case. I am still working with it.
I only asked because I personally prefer to use Heimdall over Odin. It's how I flash back to stock and how I flashed from 2.2 to 2.3 =|
Is it just the Windows version of Heimdall that has this problem or is it all variations? I use it on my laptop running Kubuntu since it likes to detect my phone better.
Kyuta Syuko said:
I only asked because I personally prefer to use Heimdall over Odin. It's how I flash back to stock and how I flashed from 2.2 to 2.3 =|
Is it just the Windows version of Heimdall that has this problem or is it all variations? I use it on my laptop running Kubuntu since it likes to detect my phone better.
I run Ubuntu primarily and I have all other platforms in virtual machines. It's a problem with Heimdall's ability to repartition.
AdamOutler said:
I run Ubuntu primarily and I have all other platforms in virtual machines. It's a problem with Heimdall's ability to repartition.
I figured you ran some Linux Distro =| Well at least I'm not experiencing any issues with my phone currently... Hope he gets that fixed soon. Sorry to derail the topic =/
I'm trying to flash some Nexus S firmware. Odin does not seem to work, it fails at repartitioning even with the part.pit I downloaded using Heimdall.... So I did some research and found that the device requires fastboot unlock or upload of firmware before I can unlock it for use with Odin...
To get Fastboot, I followed instructions on the Nexus S forums.... Instead of pushing power on, I simply held the proper key combination (Power + Volume up) while uploading the SBL.
I've never used fastboot and I can't quite figure out why it's not working. I see "FASTBOOT MODE" on my screen.
Here's what I see in my UART Debug window
Code:
Uart negotiation Error
-------------------------------------------------------------
Hummingbird Interceptor Boot Loader (HIBL) v1.0
Copyright (C) Rebellos 2011
-------------------------------------------------------------
Calling IBL Stage2 ...OK
Testing DRAM1 ...OK
iRAM reinit ...OK
cleaning OTG context ...OK
Chain of Trust has been successfully compromised.
Begin unsecure download now...
0x00000000BL3 EP: 0x33040000
Download complete, hold download mode key combination.
Starting BL3 in...
Set cpu clk. from 400MHz to 800MHz.
IROM e-fused - Secure Boot Version.
-----------------------------------------------------------
Samsung Secondary Bootloader (SBL) v3.0
Copyright (C) Samsung Electronics Co., Ltd. 2006-2010
Board Name: HERRING REV 03 (JTAG)
Build On: Jan 20 2011 17:19:41
-----------------------------------------------------------
MMC MAG8DE 15264 MB
Re_partition: magic code(0xffffffff)
Muxed OneNAND 512MB (0x50) Sync
Scanning Bad Block .......
Bad Block 2047 (0)
Partitions loading success
Read image(PARAM) from flash .......
Done
init_fuel_gauge: vcell = 4193mV, soc = 100
PMIC_IRQ1 = 0xe8
PMIC_IRQ2 = 0x0
PMIC_IRQ3 = 0x1
PMIC_IRQ4 = 0x0
PMIC_STATUS1 = 0xc0
PMIC_STATUS2 = 0x2c
PMIC_STATUS3 = 0xff
PMIC_STATUS4 = 0xff
PMIC_STATUS5 = 0xff
PMIC_SMPL = 0x80
Key scan = 0x50
keypad_scan: handler name = fastboot
Check Power Key ... Skip!
BOOT_MODE_FASTBOOT (HW_RST(0x00000001), INFORM(0x00000000))
So that says I just booted into fastboot
I see this in the linux "lsusb" command
Code:
Bus 001 Device 122: ID 18d1:4e20 Google Inc.
Device Descriptor:
bLength 18
bDescriptorType 1
bcdUSB 2.00
bDeviceClass 0 (Defined at Interface level)
bDeviceSubClass 0
bDeviceProtocol 0
bMaxPacketSize0 64
idVendor 0x18d1 Google Inc.
idProduct 0x4e20
bcdDevice 1.00
iManufacturer 1 Google, Inc
iProduct 2 Android 1.0
iSerial 3 30325181F24700EC
bNumConfigurations 1
Configuration Descriptor:
bLength 9
bDescriptorType 2
wTotalLength 32
bNumInterfaces 1
bConfigurationValue 1
iConfiguration 0
bmAttributes 0xc0
Self Powered
MaxPower 50mA
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 0
bAlternateSetting 0
bNumEndpoints 2
bInterfaceClass 255 Vendor Specific Class
bInterfaceSubClass 66
bInterfaceProtocol 3
iInterface 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x81 EP 1 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x02 EP 2 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 0
Device Qualifier (for other device speed):
bLength 10
bDescriptorType 6
bcdUSB 2.00
bDeviceClass 255 Vendor Specific Class
bDeviceSubClass 66
bDeviceProtocol 3
bMaxPacketSize0 64
bNumConfigurations 1
can't get debug descriptor: Connection timed out
Device Status: 0x0001
Self Powered
So obviously, it's detecting as a Google device now..
however...
Code:
[email protected]:~/Desktop/nexus firmware$ fastboot oem unlock
< waiting for device >
I can't seem to do the fastboot commands with this. Any ideas?
Dang just lost internet at work. I'm no pro but I saw a topic on the nexus section that seemed to indicate people had problems with this command in LiNux but running it in windows fixed the problem for about 3 people. Best of luck!
edit :internet back! here was the topic: http://forum.xda-developers.com/showthread.php?t=685449
Sent from my GT-I9000 using Tapatalk
The waiting for device command typically means it's not being seen correctly. Type fastboot devices and see if you see anything. Fastboot is what I'll be playing with when I return from the trip. Nexus S firmware is the purest Android experience possible on any phone. This would be a major breakthrough and more importantly, make the Captivate the first in line for Android updates just as the Nexus S is.
Also if fastboot works, it's very easy to make a one click Nexus S firmware installer with the flash all command fastboot has.
Awesome stuff.
Sent from my SGH-I897 using XDA Premium App
And now im back on stock
Sent from my SAMSUNG-SGH-I897 using xda premium
If you get the unbrickable mod to work on your phone then wouldn't you be able to flash a sense rom that has the same resolution as the galaxy s.
Sent from my GT-I9000 using XDA Premium App
ameedi600 said:
If you get the unbrickable mod to work on your phone then wouldn't you be able to flash a sense rom that has the same resolution as the galaxy s.
Sent from my GT-I9000 using XDA Premium App
Endless capabilities
Sent from my SAMSUNG-SGH-I897 using xda premium
My Odroid won't boot to CWM recovery with CM10.1 installed on the emmc.
I extracted the three files from here: http://cyanogenmod.org/rc/odroidu2-recovery.zip and placed them on the root of the emmc but every time I boot up I get this
Code:
U-Boot 2010.12-svn (Jan 28 2013 - 14:10:19) for Exynox4412
CPU: S5PC220 [Samsung SOC on SMP Platform Base on ARM CortexA9]
APLL = 1000MHz, MPLL = 880MHz
DRAM: 2047 MiB
PMIC VERSION : 0x00, CHIP REV : 2
TrustZone Enabled BSP
BL1 version: 20121128
Checking Boot Mode ... EMMC4.41
REVISION: 2.0
Manufacturer TOSHIBA [ 15028MB ]
NAME: S5P_MSHC4
MMC Device 0: 15028 MB
MMC Device 1: 0 MB
MMC Device 2 not found
*** Warning - using default environment
ModeKey Check... run normal_boot
Net: No ethernet found.
Hit any key to stop autoboot: 0
NAME: S5P_MSHC4
NAME: S5P_MSHC4
>>> Load Boot Script from mmc 0:1 <<<
NAME: S5P_MSHC4
Partition1: Start Address(0x520000), Size(0x181a000)
reading boot.scr
Warning : Reads a file that is smaller than the cluster size.
623 bytes read
## Executing script at 40008000
Wrong image format for "source" command
Exynos4412 #
How can I get past this?
So I just got a Nexus 7 refurb from Amazon, quite happy with the price. I went ahead and rooted it, installed SmoothRom and even tested out Ubuntu 13.04. Here is where it gets odd. I didn't check to verify it was the 32gb tablet when I got it, I should have but it slipped my mind, I got too excited heh. After I had put Ubuntu on it I decided to go back to my smoothrom so I restored the backup with TWRP and when I was copying some movies to it I got a "you're low on storage space" type alert which I found odd since I was only putting 4-5 gigs of files on it and I had not installed that many apps. I went into the storage manager and it reported I had like 6gb of space total, and 4 used. I thought it was really strange so I tried a bunch of different partition info apps and all of them basically reported the same thing. So I went back into TWRP and formatted everything, and restored the Smoothrom I had before. Now it's reporting 13GB, so I am assuming now they sent me a 16gb and not the 32gb, but is there any way to verify that is accurate? Could something else be eating some of the space and not reporting it to TWRP or android? I'm assuming Ubuntu did something funky when it was installed which made it look like it was only 8gb and not 16.. I just want to make sure it's truly not a 32gb before I go through returning this to stock and sending it back. Sorry for the newbie questions.
Sent from my Nexus 7 using xda app-developers app
You can get a pretty good idea by rebooting and capturing the dmesg output (as soon as possible!) .
e.g.
Code:
...
<6>[ 5.867778] [mmc]:mmc_decode_cid:113 cid.prv 0x1
<6>[ 5.879277] [mmc]:mmc_read_ext_csd:285 ext_csd.sectors 0x3b78000 prod_name MMC32G BOOT_MULTI 0x10
<6>[ 5.881183] mmc0: new high speed DDR MMC card at address 0001
<6>[ 5.881431] mmcblk mmc0:0001: Card claimed for testing.
<6>[ 5.881759] mmcblk0: mmc0:0001 MMC32G 29.7 GiB
<6>[ 5.882064] mmcblk0boot0: mmc0:0001 MMC32G partition 1 2.00 MiB
<6>[ 5.882306] mmcblk0boot1: mmc0:0001 MMC32G partition 2 2.00 MiB
<4>[ 5.884469] Primary GPT is invalid, using alternate GPT.
Look for "mmc" 5 or 6 seconds into the boot.
I think I might have captured the above using a terminal emulator app, as in
Code:
$ su
# dmesg > /sdcard/dmesgboot.text
but the important thing to remember is that /proc/kmsg has a limited size, so don't dilly-dally after the boot. You could also do the same from your PC if you have ADB setup.
Note that there have been several people that reported mysteriously short ext4 file systems in the /data partition (including me) - but I don't know exactly how it happened. Search for those threads.
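The check described in the answer above, as an added Python example that is not part of the original post: it reads the raw sector count and the block-layer size out of a saved dmesg capture, converts them, and notes whether the kernel fell back to the alternate GPT. The first sample uses the lines quoted in the post; the 16 GB sample, the function names and the power-of-two rounding to a marketed size are constructed for illustration.

```python
import re

SECTOR = 512  # the eMMC sector count is expressed in 512-byte sectors

# Lines quoted in the post (32 GB part).
DMESG_32G = """\
<6>[ 5.879277] [mmc]:mmc_read_ext_csd:285 ext_csd.sectors 0x3b78000 prod_name MMC32G BOOT_MULTI 0x10
<6>[ 5.881759] mmcblk0: mmc0:0001 MMC32G 29.7 GiB
<6>[ 5.882064] mmcblk0boot0: mmc0:0001 MMC32G partition 1 2.00 MiB
<4>[ 5.884469] Primary GPT is invalid, using alternate GPT.
"""
# Constructed counterpart for a 16 GB part (values are illustrative).
DMESG_16G = """\
<6>[ 5.879277] [mmc]:mmc_read_ext_csd:285 ext_csd.sectors 0x1d5a000 prod_name MMC16G BOOT_MULTI 0x10
<6>[ 5.881759] mmcblk0: mmc0:0001 MMC16G 14.7 GiB
"""

EXT_CSD = re.compile(r"ext_csd\.sectors\s+(0x[0-9a-fA-F]+)\s+prod_name\s+(\S+)")
# "mmcblk0:" only; the mmcblk0boot0/boot1 lines must not match.
BLKDEV = re.compile(r"\bmmcblk\d+: mmc\d+:\w+ (\S+) ([\d.]+) GiB")


def nominal_gb(size_bytes):
    """Marketed capacity: the smallest power of two (in GB) that holds the part."""
    gb, n = size_bytes / 1e9, 1
    while n < gb:
        n *= 2
    return n


def emmc_report(dmesg):
    """Summarise what an early-boot dmesg capture says about the eMMC size."""
    report = {"sectors": None, "prod_name": None, "gib": None,
              "kernel_gib": None, "nominal_gb": None, "consistent": None,
              "gpt_fallback": "using alternate GPT" in dmesg}
    raw = EXT_CSD.search(dmesg)
    if raw:
        report["sectors"] = int(raw.group(1), 16)
        report["prod_name"] = raw.group(2)
        size = report["sectors"] * SECTOR
        report["gib"] = size / 2**30
        report["nominal_gb"] = nominal_gb(size)
    blk = BLKDEV.search(dmesg)
    if blk:
        report["kernel_gib"] = float(blk.group(2))
        report["prod_name"] = report["prod_name"] or blk.group(1)
        if report["nominal_gb"] is None:
            # Vendor debug line absent: fall back to the block-layer figure.
            report["nominal_gb"] = nominal_gb(report["kernel_gib"] * 2**30)
    if report["gib"] is not None and report["kernel_gib"] is not None:
        # Both sources should agree to within the kernel's one-decimal rounding.
        report["consistent"] = abs(report["gib"] - report["kernel_gib"]) < 0.1
    return report


if __name__ == "__main__":
    for label, text in (("post sample", DMESG_32G), ("constructed", DMESG_16G)):
        r = emmc_report(text)
        print(f"{label}: {r['prod_name']} {r['gib']:.1f} GiB raw, "
              f"sold as {r['nominal_gb']} GB, alternate GPT used: {r['gpt_fallback']}")
```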
bftb0 said:
You can get a pretty good idea by rebooting and capturing the dmesg output (as soon as possible!) .
e.g.
Code:
...
<6>[ 5.867778] [mmc]:mmc_decode_cid:113 cid.prv 0x1
<6>[ 5.879277] [mmc]:mmc_read_ext_csd:285 ext_csd.sectors 0x3b78000 prod_name MMC32G BOOT_MULTI 0x10
<6>[ 5.881183] mmc0: new high speed DDR MMC card at address 0001
<6>[ 5.881431] mmcblk mmc0:0001: Card claimed for testing.
<6>[ 5.881759] mmcblk0: mmc0:0001 MMC32G 29.7 GiB
<6>[ 5.882064] mmcblk0boot0: mmc0:0001 MMC32G partition 1 2.00 MiB
<6>[ 5.882306] mmcblk0boot1: mmc0:0001 MMC32G partition 2 2.00 MiB
<4>[ 5.884469] Primary GPT is invalid, using alternate GPT.
Look for "mmc" 5 or 6 seconds into the boot.
I think I might have captured the above using a terminal emulator app, as in
Code:
$ su
# dmesg > /sdcard/dmesgboot.text
but the important thing to remember is that /proc/kmsg has a limited size, so don't dilly-dally after the boot. You could also do the same from your PC if you have ADB setup.
Note that there have been several people that reported mysteriously short ext4 file systems in the /data partition (including me) - but I don't know exactly how it happened. Search for those threads.
Excellent thanks a ton. Yeah mine says 14.7 GiB so I guess they did screw it up. I also have various "mnc0: invalid maximum block size, assuming 512 bytes" above that, assuming thats not a big issue as I didn't find anyone talking about that on the forums.
You can also try flashing stock with adb and fastboot:
http://forum.xda-developers.com/showthread.php?t=1907796
It's something you might have to do anyway if you're returning your device so it's worth a try.
vortico said:
I also have various "mnc0: invalid maximum block size, assuming 512 bytes" above that, assuming thats not a big issue as I didn't find anyone talking about that on the forums.
I have that too - I just didn't want to make the cut-n-paste too long.
good luck with the refurb-return.
Cool will try that as well, thanks
Sent from my Nexus 7 using xda app-developers app
Hi Guys,
I am looking for methods to get root on my Linux smart tv. Anyone have any ideas?
I ran metasploit against it and had no luck, it did find some open ports for upnp and something
called twonkymedia but I was not able to get anywhere with that.
I have a Hisense LTDN50K220GWUS (Hisense 50H5GB) Smart TV that is running what appears to be a customized version of "Opera TV OS"
Its running on "Linux-3.0.13" and is using Uboot, I tried connecting a usb keyboard to the ports and pounding escape and other buttons
but that didn't get me anywhere.
Using Binwalk I was able to extract some info from a rom firmware image:
Code:
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
613 0x265 Unix path: /DTV/ROMCODE/NANDBOOT/V01.00
778954 0xBE2CA ELF, 32-bit LSB relocatable, ARM, version 1 (SYSV)
779300 0xBE424 Unix path: /home/gfkfcmo/CMO/MTK5651_US_II_WFD/vm_linux/chiling/uboot/drv_lib/mt5880/inc
1188782 0x1223AE UBI volume ID header, version: 1, type: 1, volume id: 0, size: 0
1190830 0x122BAE UBIFS superblock node, CRC: 0x50BF95C5, flags: 0x0, min I/O unit size: 2048, erase block size: 126976, erase block count: 1016, max erase blocks: 3271, format version: 4, compression type: lzo
1321902 0x142BAE UBIFS master node, CRC: 0xCC5C7044, highest inode: 2313, commit number: 0
1452974 0x162BAE UBIFS master node, CRC: 0xC06C8559, highest inode: 2313, commit number: 0
2632671 0x282BDF XML document, version: "1.0"
2633575 0x282F67 XML document, version: "1.0"
2636223 0x2839BF XML document, version: "1.0"
2637455 0x283E8F XML document, version: "1.0"
{{{ TRUNKATED }}}
132181160 0x7E0ECA8 Unix path: /mtk94064/p4_views/yaocheng.fei/ws_*<
132236386 0x7E1C462 Unix path: /i686/bin/../sysroot/usr/include
132240154 0x7E1D31A Unix path: /proj/mtk94064/p4_views/yaocheng.fei/ws_*=
132277477 0x7E264E5 Unix path: /proj/mtk94064/p4_views/yaocheng.fei/ws_*<
132295801 0x7E2AC79 Unix path: /proj/mtk94064/p4_views/yaocheng.fei/ws_*<
132320817 0x7E30E31 Unix path: /proj/mtk94064/p4_views/yaocheng.fei/ws_*<
132336687 0x7E34C2F Unix path: /proj/mtk94064/p4_views/yaocheng.fei/ws_*<
132337438 0x7E34F1E Unix path: /proj/mtk94064/p4_views/yaocheng.fei/ws_*<
132362676 0x7E3B1B4 Base64 standard index table
132404806 0x7E45646 Unix path: /proj/mtk94064/p4_views/yaocheng.fei/ws_*<
132432505 0x7E4C279 mcrypt 2.5 encrypted data, algorithm: "N", keysize: 440 bytes, mode: "\",
132462804 0x7E538D4 Base64 standard index table
132499502 0x7E5C82E Unix path: /proj/mtk94064/p4_views/yaocheng.fei/ws_*<
132532241 0x7E64811 mcrypt 2.5 encrypted data, algorithm: "N", keysize: 440 bytes, mode: "\",
132547032 0x7E681D8 Unix path: /mtk94064/p4_views/yaocheng.fei/ws_*<
133142037 0x7EF9615 mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 8bit
133142057 0x7EF9629 mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 8bit
133599305 0x7F69049 mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 8bit
134172625 0x7FF4FD1 mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 8bit
134360038 0x8022BE6 Squashfs filesystem, little endian, version 4.0, compression:gzip (non-standard type definition), size: 7064247 bytes, 126 inodes, blocksize: 131072 bytes, created: 2015-01-13 09:46:16
141462558 0x86E8C1E Squashfs filesystem, little endian, version 4.0, compression:gzip (non-standard type definition), size: 27403340 bytes, 1215 inodes, blocksize: 131072 bytes, created: 2015-01-13 09:47:38
168987734 0xA128C56 Squashfs filesystem, little endian, version 4.0, compression:gzip (non-standard type definition), size: 27403340 bytes, 1215 inodes, blocksize: 131072 bytes, created: 2015-01-13 09:47:38
196508814 0xBB67C8E uImage header, header size: 64 bytes, header CRC: 0x2C8E13D2, created: 2015-01-13 09:35:35, image size: 2060549 bytes, Data Address: 0x7FC0, Entry Point: 0x8000, data CRC: 0x5A54C3A0, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: "Linux-3.0.13"
196508878 0xBB67CCE LZO compressed data
196508929 0xBB67D01 uImage header, header size: 64 bytes, header CRC: 0xCB5E2D0F, created: 2015-01-13 09:35:33, image size: 3839076 bytes, Data Address: 0x7FC0, Entry Point: 0x8000, data CRC: 0x354C5FF1, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: "Linux-3.0.13"
197183535 0xBC0C82F SHA256 hash constants, little endian
198761115 0xBD8DA9B uImage header, header size: 64 bytes, header CRC: 0x2C8E13D2, created: 2015-01-13 09:35:35, image size: 2060549 bytes, Data Address: 0x7FC0, Entry Point: 0x8000, data CRC: 0x5A54C3A0, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: "Linux-3.0.13"
198761179 0xBD8DADB LZO compressed data
198761230 0xBD8DB0E uImage header, header size: 64 bytes, header CRC: 0xCB5E2D0F, created: 2015-01-13 09:35:33, image size: 3839076 bytes, Data Address: 0x7FC0, Entry Point: 0x8000, data CRC: 0x354C5FF1, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: "Linux-3.0.13"
199435836 0xBE3263C SHA256 hash constants, little endian
The Firmware can be found here, it's a zipped *.pkg file http://hisense-usa.com/support/firmware/50H5G_V00.01.130a.F0113_us.zip
If it helps I also have the ports that metasploit was able to find on it:
Code:
10.0.0.76 unknown 8060 tcp
10.0.0.76 upnp 9085 tcp TwonkyMedia UPnP UPnP 1.0; pvConnect SDK 1.0; Twonky SDK 1.1
10.0.0.76 13000 tcp
10.0.0.76 tcpwrapped 56789 tcp
10.0.0.76 tcpwrapped 56790 tcp
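An added Python example, not part of the original post: it decodes the 64-byte legacy U-Boot (uImage) header that the binwalk listing above reports and checks the header and data CRCs independently, which confirms a hit is a real, intact kernel image before it is carved out. The sample blob is constructed inline using the name, load address and entry point from the listing; the function names are illustrative.

```python
import struct
import zlib

UIMAGE_MAGIC = 0x27051956
# magic, header CRC, timestamp, data size, load address, entry point, data CRC,
# then OS, architecture, image type, compression, and a 32-byte name.
HEADER = struct.Struct(">7I4B32s")  # 64 bytes, every field big-endian


def parse_uimage(blob, offset):
    """Decode the header at offset and verify both CRCs; None if no header."""
    raw = blob[offset:offset + HEADER.size]
    if len(raw) < HEADER.size:
        return None
    (magic, hcrc, created, size, load, entry, dcrc,
     os_id, arch, img_type, comp, name) = HEADER.unpack(raw)
    if magic != UIMAGE_MAGIC:
        return None
    # The header CRC is computed with its own field set to zero.
    zeroed = raw[:4] + b"\0\0\0\0" + raw[8:]
    data = blob[offset + HEADER.size:offset + HEADER.size + size]
    return {
        "offset": offset,
        "name": name.split(b"\0", 1)[0].decode("ascii", "replace"),
        "created": created, "size": size, "load": load, "entry": entry,
        "os": os_id, "arch": arch, "type": img_type, "comp": comp,
        "header_ok": zlib.crc32(zeroed) & 0xFFFFFFFF == hcrc,
        # A truncated image fails here even if the bytes present are intact.
        "data_ok": len(data) == size and zlib.crc32(data) & 0xFFFFFFFF == dcrc,
    }


def scan(blob):
    """Every offset carrying the uImage magic, with its validation result."""
    needle = struct.pack(">I", UIMAGE_MAGIC)
    found, pos = [], blob.find(needle)
    while pos != -1:
        info = parse_uimage(blob, pos)
        if info:
            found.append(info)
        pos = blob.find(needle, pos + 1)
    return found


def build_uimage(payload, name=b"Linux-3.0.13", load=0x7FC0, entry=0x8000):
    """Constructed image; OS 5 = Linux, arch 2 = ARM, type 2 = kernel, comp 0 = none."""
    fields = [UIMAGE_MAGIC, 0, 1421141735, len(payload), load, entry,
              zlib.crc32(payload) & 0xFFFFFFFF, 5, 2, 2, 0, name]
    fields[1] = zlib.crc32(HEADER.pack(*fields)) & 0xFFFFFFFF
    return HEADER.pack(*fields) + payload


def sample_blob():
    """Constructed firmware blob: one valid uImage and one stray magic value."""
    good = build_uimage(bytes(range(256)) * 8)
    stray = struct.pack(">I", UIMAGE_MAGIC) + b"\xAA" * 80
    return b"\xFF" * 0x100 + good + b"\xFF" * 0x40 + stray


if __name__ == "__main__":
    for hit in scan(sample_blob()):
        verdict = "valid" if hit["header_ok"] and hit["data_ok"] else "REJECTED"
        print(f"0x{hit['offset']:X}: {hit['name']!r} load=0x{hit['load']:X} "
              f"entry=0x{hit['entry']:X} size={hit['size']} -> {verdict}")
```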
Hi,
@borillion_star Did you find a way to extract the .pkg file ?
Yes I did, you can use binwalk, and it can extract the files from the pkg. Vache if you need help let me know.
Hi
How did you progress with rooting?
I would like to do the same to LTDN**K720WTSEU
And your post is the only lead I got.
The
Good luck
tommyk999 said:
Hi
How did you progress with rooting?
I would like to do the same to LTDN**K720WTSEU
And your post is the only lead I got.
The
Good luck
@tommyk999 and @vache The pkg files do not contain any files such as /etc/shadow or /etc/passwd that can be used to get the root account password.
I think the only way is to try and dump the tv firmware, there appears to be a serial or uart on the mainboard but I have not had the chance to try that yet.
borillion_star said:
Yes I did, you can use binwalk, and it can extract the files from the pkg. Vache if you need help let me know.
Yes, i was able to unpack firmware using binwalk.
Still looking into filesystem to find some backdoors.
App for rooting hisense TV, it may help you.
https://mega.nz/#!twYhHZhS!ZW_fdid_P4OtlcqwHCO5Z5nNlYM1cOEluYDrLrE0qM4
Sent from my SM-N910F using Tapatalk
Any update on progress? Would be possible to connect raspberry pi with already rooted firmware to go around stock firmware? So you won't void warranty and when anything goes wrong you just disconnect raspb. Pi and go with stock.
Sent from my SM-N910F using Tapatalk
tommyk999 said:
App for rooting hisense TV, it may help you.
https://mega.nz/#!twYhHZhS!ZW_fdid_P4OtlcqwHCO5Z5nNlYM1cOEluYDrLrE0qM4
Sent from my SM-N910F using Tapatalk
Because I don't know where this came from, and what it will do to my computer if I try to run anything in it, or on my tv. I am going to take a look at it and figure it out.
Probably going to be a couple days until I get to it.
As for the Raspberry Pi, yes you can always connect any device over HDMI and disconnect it without changing the TV firmware in any way. That somewhat defeats the goal
of rooting the linux running on the tv though.
borillion_star said:
Because I don't know where this came from, and what it will do to my computer if I try to run anything in it, or on my tv. I am going to take a look at it and figure it out.
Probably going to be a couple days until I get to it.
As for the Raspberry Pi, yes you can always connect any device over HDMI and disconnect it without changing the TV firmware in any way. That somewhat defeats the goal
of rooting the linux running on the tv though.
That zip file actually contains a root for HiSense TV's running android. You can tell because of the adb.exe and the apk file types. It doesn't apply here.
I did purchase a logic board for this TV with the power board off of ebay. There is something on it that is marked as a UART with 3.3V.
I will power it up and see what I can read out while it's booting, and post when I am able.
I got a PDF file, it is in Chinese, for led65k720uc. It gets interesting at the end; I think it describes how to get access to the system with some description. Hope this helps you.
https://mega.nz/#!sggVSJaS
Found some info on led42k220 but have to find a way how to translate pdf from Chinese to English
https://drive.google.com/file/d/0B7GyFV1vAMbRUkt0LW9kRjUzQ1E/view?usp=docslist_api
Sent from my SM-N910F using Tapatalk
tommyk999 said:
App for rooting hisense TV, it may help you.
https://mega.nz/#!twYhHZhS!ZW_fdid_P4OtlcqwHCO5Z5nNlYM1cOEluYDrLrE0qM4
Sent from my SM-N910F using Tapatalk
Looks like it's for AndroidTV, while mine runs OperaTV.
I will keep looking hope I found something with opera
Sent from my SM-N910F using Tapatalk
What type is Chinese equivalent to 50k220gwus?
Sent from my SM-N910F using Tapatalk
Mouse/keyboard works on browser, but nothing to do here.
I'm trying to repack firmware after changing some interesting files to check if we can do something interesting.
I first get squashfs filesystem using dd command, then tried to mount it but no luck.
So i used unsquashfs to unpack it (like binwalk did)
Then i used mksquashfs to repack it and used dd to inject file again in upgrade_loader.pkg
OperaTV is new for me, i have to learn how it works before going further.
--------------------------------------------------------------------------------------------------------------------
Firmware Analysis (from 40EC591)
Partitions :
3rdw (Apps ?) (ext4 - /dev/mmcblk0p12 - dev/mmcblk0p11)
3rdp (Apps ?) (squashfs - dev/mmcblk0p11)
uImage (kernel - /dev/mmcblk0p5)
rootfs.bin (squashfs - /dev/mmcblk0p7)
pq.bin (? - /dev/mmcblk0p16)
aq.bin (? - /dev/mmcblk0p17)
adsp.bin (? - /dev/mmcblk0p21)
facsetdata.bin (? - /dev/mmcblk0p25)
uboot.bin (bootloader - /dev/mmcblk0p1)
uenv.bin (? - /dev/mmcblk0p2)
logo.bin (? - /dev/mmcblk0p18)
default_db.bin (? - /dev/mmcblk0p23)
hdmi_2_0_hdcp.bin (? - /dev/mmcblk0p24)
Mstar Android TV firmware tools
Python 3.4+ required.
Currently available tools:
unpack.py - unpack MStar bin firmware
pack.py - pack MStar bin firmware
extract_keys.py - extract AES and RSA-public keys from MBOOT binary
secure_partition.py - encrypt image and generate signature file
Unpack MStar bin firmware files
Code:
Usage: unpack.py <firmware> <output folder [default: ./unpacked/]>
<firmware> - MStar bin firmware to unpack
<output folder> - directory to store unpacked stuff. Default value: ./unpacked/
Pack MStar bin firmware
Code:
Usage: pack.py <config file>
Example: pack.py configs/letv-x355pro-full.ini
<config file> - Configuration file. The config file structure will be described later.
For now you can take a look at configs/letv-x355pro-full.ini
and use it as an example
Extract keys from MBOOT
That tool is used to get AES and public RSA keys from the MBOOT. AES keys are needed to encrypt/decrypt boot.img and recovery.img images. aescrypt2 tool is used.
Code:
Usage: extract_keys.py <path to mboot> [<folder to store keys>] [<key bank offset>] [<key bank size>]
Defaults:
<folder to store keys> keys
<key bank offset> 0x168e00
<key bank size> 0x450
Example: extract_keys.py ./unpacked/MBOOT.img
Example: extract_keys.py ./unpacked/MBOOT.img ./keys 0x169e00 0x450
Encrypt partition and generate signature
All new MStar builds have the SECURE_BOOT option enabled. In that case boot.img and recovery.img are encrypted (AES) and signed with RSA priv keys. That script is used to encrypt an image and generate the sign file.
To manually encrypt|decrypt image use aescrypt tool from bin folder. AES key can be extracted from MBOOT with extract_keys.py script.
Code:
Usage: secure_partition.py <file to encrypt> <AES key file> <RSA private key file> <RSA public key file> <output encrypted file> <output signature file>
Example: secure_partition.py ./pack/boot.img ./keys/AESbootKey ./keys/RSAboot_priv.txt ./keys/RSAboot_pub.txt ./pack/boot.img.aes ./pack/bootSign
Download tools:
https://github.com/dipcore/mstar-bin-tool
reserved
Hi, how do I back up the MStar TV partitions, including tee.img and sboot.bin?
Is there any way to back them up?
I can't find the specific firmware for my MStar CV628H_B42 32SX250 (32EX250F) ctvupgrade.bin
bamster89 said:
Hi, how do I back up the MStar TV partitions, including tee.img and sboot.bin?
Is there any way to back them up?
I can't find the specific firmware for my MStar CV628H_B42 32SX250 (32EX250F) ctvupgrade.bin
You can use the dd tool and create the needed images. All you need is here: /dev/block/platform/mstar_mci.0/by-name/ (root is required).
Another way to do so is to create a backup of the whole emmc device and then, using any hex editor, just slice it into the required partitions (the emmc header structure is pretty straightforward).
You can do it via the mboot console (UART access is required) or you can flash a specially prepared firmware bin (look at https://github.com/dipcore/mstar-bin-tool/blob/master/configs/letv-emmc2usb.ini as an example). Basically that bin will just run a couple of mboot commands to start copying emmc to a USB device.
PS You can access the debugging UART via the VGA port on the TV. Use pins 12 and 15 (see attachment). 99% of MStar-based TVs have the UART routed to those unused pins on the VGA port, so there is no need to open the TV and solder something.
Take a look at this:
dipcore said:
You can do it via the mboot console (UART access is required) or you can flash a specially prepared firmware bin (look at https://github.com/dipcore/mstar-bin-tool/blob/master/configs/letv-emmc2usb.ini as an example). Basically that bin will just run a couple of mboot commands to start copying emmc to a USB device.
I modified these 2 lines in configs/letv-emmc2usb.ini
FirmwareFileName=CtvUpgrade.bin
......
#emmcbin 0 to emmcbin 0
.......
setenv CtvUpgrade_complete 1
and packed after that.
I upgraded my MStar in the factory menu (Source +2580), and it rebooted instantly and there is no partition saved on the USB.
This is my MBOOT.img
https://mega.nz/#!LBgQjZbZ!ZirBzDOwbJrz6q-wD7gnikeNPGnVXfD8nGyKiaVkPls
bamster89 said:
I upgraded my MStar in the factory menu (Source +2580), and it rebooted instantly and there is no partition saved on the USB
It's a two-step process.
1. EMMC backup. Prepare and flash 1st bin file:
Code:
[Main]
FirmwareFileName=CtvUpgrade.bin
ProjectFolder=./pack
useHexValuesPrefix=false
SCRIPT_FIRMWARE_FILE_NAME=${FirmwareFileName}
DRAM_BUF_ADDR=20200000
MAGIC_FOOTER=12345678
HEADER_SIZE=16KB
[HeaderScript]
Prefix:
mmc dd mmc2usb 0
Suffix:
# Nothing here
It will take some time to copy it to usb drive (in my case it was like 25 minutes)
2. Restore normal boot process. Pack and flash 2-nd bin:
Code:
[Main]
FirmwareFileName=CtvUpgrade.bin
ProjectFolder=./pack
useHexValuesPrefix=false
SCRIPT_FIRMWARE_FILE_NAME=${FirmwareFileName}
DRAM_BUF_ADDR=20200000
MAGIC_FOOTER=12345678
HEADER_SIZE=16KB
[HeaderScript]
Prefix:
setenv MstarUpgrade_complete 1
setenv ForcePowerOn 0
saveenv
Suffix:
# Nothing here
After flashing, it will restore the normal boot process.
One more thing, in the line
mmc dd mmc2usb 0
it uses USB port #0 in the TV. I do not know where it is located in your TV. You may try all USB ports. If that does not work then just change it to
mmc dd mmc2usb 1 etc
dipcore said:
One more thing, in the line
mmc dd mmc2usb 0
it uses USB port #0 in the TV. I do not know where it is located in your TV. You may try all USB ports. If that does not work then just change it to
mmc dd mmc2usb 1 etc
I already tried changing 0-3 and tried putting 3 USB drives on each port, each with CtvUpgrade.bin; the same thing happens, no partition is created on the USB. I think my MBOOT does not allow me to use mmc dd mmc2usb and emmcbin.
All I did was to manually back up using dd in a terminal.
This is my fstab.madison
HTML:
[email protected]_caixun_international:/ # cat fstab.madison
# Android fstab file.
#<src> <mnt_point> <type> <mnt_flags> <fs_mgr_flags>
# The filesystem that contains the filesystem checker binary (typically /system) cannot
# specify MF_CHECK, and must come before any filesystems that do specify MF_CHECK
/dev/block/platform/mstar_mci.0/by-name/system /system ext4 ro wait
/dev/block/platform/mstar_mci.0/by-name/cache /cache ext4 noatime,nosuid,nodev wait,block_validity,nodiscard,data=ordered,journal_checksum
/dev/block/platform/mstar_mci.0/by-name/userdata /data ext4 noatime,nosuid,nodev wait,block_validity,nodiscard,data=ordered,journal_checksum
/dev/block/platform/mstar_mci.0/by-name/tvservice /tvservice ext4 ro wait
/dev/block/platform/mstar_mci.0/by-name/tvconfig /tvconfig ext4 noatime,nosuid,nodev wait,block_validity,nodiscard,data=ordered,journal_checksum
/dev/block/platform/mstar_mci.0/by-name/tvdatabase /tvdatabase ext4 noatime,nosuid,nodev wait,block_validity,nodiscard,data=ordered,journal_checksum
/dev/block/platform/mstar_mci.0/by-name/tvcustomer /tvcustomer ext4 noatime,nosuid,nodev wait,block_validity,nodiscard,data=ordered,journal_checksum
/dev/block/platform/mstar_mci.0/by-name/usersdcard /usersdcard vfat noatime,nosuid,nodev wait,block_validity,nodiscard,data=ordered,journal_checksum
/dev/block/platform/mstar_mci.0/by-name/factory /factory ext4 noatime,nosuid,nodev wait,block_validity,nodiscard,data=ordered,journal_checksum
/dev/block/zram0 none swap defaults zramsize=104857600
/dev/block/mmcblk0boot0 /boot1 emmc defaults defaults
/dev/block/mmcblk0boot1 /boot2 emmc defaults defaults
/dev/block/platform/mstar_mci.0/by-name/MBOOT /MBOOT emmc defaults defaults
/dev/block/platform/mstar_mci.0/by-name/MPOOL /MPOOL emmc defaults defaults
/dev/block/platform/mstar_mci.0/by-name/misc /misc emmc defaults defaults
/dev/block/platform/mstar_mci.0/by-name/recovery /recovery emmc defaults defaults
/dev/block/platform/mstar_mci.0/by-name/boot /boot emmc defaults defaults
/dev/block/platform/mstar_mci.0/by-name/RTPM /RTPM ext4 defaults defaults
HTML:
dd if=/dev/block/platform/mstar_mci.0/by-name/system of=/mnt/usb/sda1/DUMP/system.img
dd if=/dev/block/platform/mstar_mci.0/by-name/cache of=/mnt/usb/sda1/DUMP/cache.img
dd if=/dev/block/platform/mstar_mci.0/by-name/userdata of=/mnt/usb/sda1/DUMP/userdata.img
dd if=/dev/block/platform/mstar_mci.0/by-name/tvservice of=/mnt/usb/sda1/DUMP/tvservice.img
dd if=/dev/block/platform/mstar_mci.0/by-name/tvconfig of=/mnt/usb/sda1/DUMP/tvconfig.img
dd if=/dev/block/platform/mstar_mci.0/by-name/tvdatabase of=/mnt/usb/sda1/DUMP/tvdatabase.img
dd if=/dev/block/platform/mstar_mci.0/by-name/tvcustomer of=/mnt/usb/sda1/DUMP/tvcustomer.img
dd if=/dev/block/platform/mstar_mci.0/by-name/usersdcard of=/mnt/usb/sda1/DUMP/usersdcard.img
dd if=/dev/block/platform/mstar_mci.0/by-name/factory of=/mnt/usb/sda1/DUMP/factory.img
dd if=/dev/block/mmcblk0boot0 of=/mnt/usb/sda1/DUMP/boot1.bin
dd if=/dev/block/mmcblk0boot1 of=/mnt/usb/sda1/DUMP/boot2.bin
dd if=/dev/block/platform/mstar_mci.0/by-name/MBOOT of=/mnt/usb/sda1/DUMP/MBOOT.img
dd if=/dev/block/platform/mstar_mci.0/by-name/MPOOL of=/mnt/usb/sda1/DUMP/MPOOL.img
dd if=/dev/block/platform/mstar_mci.0/by-name/misc of=/mnt/usb/sda1/DUMP/misc.img
dd if=/dev/block/platform/mstar_mci.0/by-name/recovery of=/mnt/usb/sda1/DUMP/recovery.img
dd if=/dev/block/platform/mstar_mci.0/by-name/boot of=/mnt/usb/sda1/DUMP/boot.img
dd if=/dev/block/platform/mstar_mci.0/by-name/RTPM of=/mnt/usb/sda1/DUMP/RTPM.img
HTML:
[email protected]_caixun_international:/ # ls /dev/block/platform/mstar_mci.0/by-name/
MBOOT
MPOOL
RTPM
boot
cache
factory
misc
recovery
system
tvconfig
tvcustomer
tvdatabase
tvservice
userdata
usersdcard
I found this in my MBOOT
HTML:
sar sar Command: (0-base, SAR0~SAR5)
sar <ch#> : ex: sar 0 // read sar channel 0
panel_pre_init - init panel by panel.ini
command: panel_pre_init [option]
-s : static init : panel init para from uboot
-d : dynamic init : panel init para from SN panel_init - init panel by panel.ini
command: panel_init [option]
-s : static init : panel init para from uboot
-d : dynamic init : panel init para from SN panel_post_init backligth on - backlight on
command: backlight_on
mmcinfo display MMC info mmcreg mmcreg show ext-csd <dev num>
- device number of the device to dislay info of
bin2emmc bin2emmc - read bin file and restore it to emmc
command: bin2emmc [usbportnum] [pad] [binname] [offset/partitionname]
emmcbootbin emmcbootbin - dump emmc boot partition and write it to fat usb disk
command: emmcbootbin [usbportnum] [partitionname]
emmcbin emmcbin - dump emmc and restore it to fat usb disk
command: emmcbin [usbportnum] [pad] [binname] [offset/partitionname] [dumpsize]
mmcbininfo mmcbininfo - Valid block num in each partition
command: mmcbininfo [usbportnum]
read[.boot|.gp] [bootpart|gppart] addr blk# size
mmc write[.boot|.gp] [bootpart|gppart] addr blk# size [empty_skip:0-disable,1-enable]
mmc readall - read all blocks for device internal ecc check
mmc crcall - read all blocks and calculate crc32
mmc read.p addr partition_name size
mmc read.p.continue addr partition_name offset size
mmc write.p addr partition_name size [empty_skip:0-disable,1-enable]
mmc write.p.continue addr partition_name offset size [empty_skip:0-disable,1-enable]
mmc rescan
mmc part[.gp] - lists available [GP] partition on current mmc device
mmc look [name] - lists specific partition info on mmc
mmc dev [dev] [part] - show or set current mmc device [partition]
mmc list - lists available devices
mmc create [name] [size]- create/change mmc partition [name]
mmc create.gp part_no size enh_attr ext_attr relwr_attr - create/change eMMC GP partition No.[part_no(0~3)] with size and enhance/extended/reliable_write attribute
mmc create.enhusr start_addr size enha_attr relwr_atrr - create/change eMMC enhance user partition(slc mode) from start_addr with size and enhance/reliable_write attribute
mmc create.complete - complete eMMC gp, enhance user, reliable write partition setting
Note: enh_attr = 0: no slc mode 1: using slc mode, ext_attr = 0: no attr 1: system code 2: Non-persisent, relwr_attr = 0: disable 1: enable reliable write
mmc remove [name] - remove mmc partition [name]
mmc rmgpt - clean all mmc partition table
mmc slc size relwr - set slc in the front of user area, 0xffffffff means max slc size
mmc ecsd - print ecsd register of emmc
mmc setecsd num mask value - set value to num of ecsd according to mask
mmc size - print the mmc size info
mmc slcchk - check the slc/mlc mode of emmc
mmc relwrchk - check the reliable write configuration of emmc
mmc slcrelwrchk - check the slc/mlc mode and reliable write configuration of emmc
mmc unlzo Src_Address Src_Length Partition_Name [empty_skip:0-disable,1-enable]- decompress lzo file and write to mmc partition
mmc erase[.boot] bootpart [blk#] [size]
mmc erase.p partition_name
mmc erase - erase all blocks in device
mmc dd mmc2usb/usb2mmc [portnum] [pad] - dump/restore emmc raw data
mmc alignsize - check the alignment size of slc partition
mmc trim_test [chunk_size] [loop_count] - test read/write performance after trim enabled
eMMC sub system emmc info - lists CSD & ExtCSD on eMMC
emmc init count - reset & init eMMC for count loops
emmc test count - verify eMMC & board signals for count loops
emmc speed [mode]- show eMMC speed sdr or ddr mode @ driver layer
emmc t_table [hs200/ddr] build - build timing table
emmc mode - ddr or sdr
emmc clk - set ClkRegVal
emmc cis - check or erase
emmc pwr_cut init [addr][start block] - eMMC Power Cut Init
emmc pwr_cut test [addr][start block] - eMMC Power Cut Test
emmc reset [0/1] - toggle eMMC reset pin
Maybe this is helpful
MSTAR ROOT_BOOT volume production
https://mega.nz/#!jQIyQJKT!PAnuBXZOPuPvOkoWkhpvk_ZCiHR1UJqAu9IobbemuTU
you do not need to play with bin files, if dd works for you.
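The manual dd backup posted above, generalized into a loop that also checks every image against its source partition and records a manifest for re-checking the files later on a PC. This is an added example, not code from anyone in this thread; the function names `digest`, `dump_all` and `verify_manifest` and the `MANIFEST` file are assumptions made for it.

```shell
#!/bin/sh
# Added example (not from the thread). Usage on the TV's root shell, with the
# paths used in the posts above:
#   dump_all /dev/block/platform/mstar_mci.0/by-name /mnt/usb/sda1/DUMP

# Pick a digest tool: sha256sum where the shell provides it, POSIX cksum otherwise.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d' ' -f1
    else
        cksum | tr ' ' ':'
    fi
}

# dump_all <by-name dir> <output dir>
# Writes <name>.img for every entry and one "<digest>  <name>.img" line per
# verified image into <output dir>/MANIFEST.
# Returns the number of partitions that failed to copy or to verify.
dump_all() {
    src_dir=$1; out_dir=$2; bad=0
    mkdir -p "$out_dir" || return 255
    : > "$out_dir/MANIFEST"
    for part in "$src_dir"/*; do
        [ -e "$part" ] || continue
        name=$(basename "$part")
        img="$out_dir/$name.img"
        if ! dd if="$part" of="$img" bs=1048576 2>/dev/null; then
            echo "FAIL  $name (dd error)" >&2; bad=$((bad + 1)); continue
        fi
        sync                          # flush to the USB drive before re-reading
        want=$(digest < "$part")      # digest of the partition itself
        got=$(digest < "$img")        # digest of the copy just written
        if [ "$want" = "$got" ]; then
            printf '%s  %s\n' "$got" "$name.img" >> "$out_dir/MANIFEST"
        else
            echo "FAIL  $name (digest mismatch)" >&2; bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# verify_manifest <output dir>
# Re-computes every digest listed in MANIFEST; returns the number of changed files.
verify_manifest() {
    dir=$1; bad=0
    while read -r want file; do
        got=$(digest < "$dir/$file")
        [ "$want" = "$got" ] || { echo "CHANGED  $file" >&2; bad=$((bad + 1)); }
    done < "$dir/MANIFEST"
    return "$bad"
}
```

Partitions that are mounted read-write while the TV is running (cache, userdata and the other rw entries in the fstab above) can change between the copy and the digest pass, so a mismatch there does not by itself mean a bad USB write.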
bamster89 said:
Maybe this is helpful
MSTAR ROOT_BOOT volume production
https://mega.nz/#!jQIyQJKT!PAnuBXZOPuPvOkoWkhpvk_ZCiHR1UJqAu9IobbemuTU
Yes I read it, I used it to create that bin file configs.
Here are more docs: https://github.com/dipcore/Madsion/tree/master/MBoot_Madison_TVOS/doc
My MStar Semiconductor TV is stuck on the boot animation.
Please help.
What do I do now?
---------- Post added at 03:33 PM ---------- Previous post was at 03:30 PM ----------
Please help, my TV is stuck on the boot animation.
I changed the boot animation, and after that my TV is not booting, please help.
How to connect the TV to a PC, or any other solution? Please help me, someone.
---------- Post added at 03:34 PM ---------- Previous post was at 03:33 PM ----------
MStar Semiconductor, Inc. MStar Android TV
MStar Android TV (full.cv6a628h_international)
---------- Post added at 03:37 PM ---------- Previous post was at 03:34 PM ----------
The last thing I did on the TV was the permissions in platform.xml.
I think something went wrong in this,
and the other is the boot animation change in the media zip file.
Please help, what do I do now... any link to TV firmware to download to the TV?
Thanks in advance.
masifkalam said:
plz help
1. If you have stock bin or zip firmware just flash it.
2. If you do not have a firmware file, just connect to debugging UART and revert all your changes using console.
dipcore said:
1. If you have stock bin or zip firmware just flash it.
2. If you do not have a firmware file, just connect to debugging UART and revert all your changes using console.
I don't have the stock bin. And how do I connect to the PC? Please give some brief instructions.
---------- Post added at 04:58 PM ---------- Previous post was at 04:48 PM ----------
dipcore said:
1. If you have stock bin or zip firmware just flash it.
2. If you do not have a firmware file, just connect to debugging UART and revert all your changes using console.
Please give a brief on the debugging UART, I will do it.
Thanks for the reply.
masifkalam said:
Please give a brief on the debugging UART, I will do it.
Thanks for the reply.
look at my post #4 https://forum.xda-developers.com/showpost.php?p=71294095&postcount=4
use VGA port
dipcore said:
look at my post #4 https://forum.xda-developers.com/showpost.php?p=71294095&postcount=4
use VGA port
And how is the console used to revert changes?
Some examples?
Thanks dear, I will understand these things.
---------- Post added at 05:49 PM ---------- Previous post was at 05:25 PM ----------
masifkalam said:
And how is the console used to revert changes?
Some examples?
Thanks dear, I will understand these things.
Any other solution to revert changes through PC or recovery mode?
masifkalam said:
And how is the console used to revert changes?
Some examples?
Thanks dear, I will understand these things.
It's just a shell console with root privileges. Use it as you would use any shell console. I.e. using the shell, copy the needed files to a USB drive, then make the changes on the PC and copy them back to the TV.
dipcore said:
It's just a shell console with root privileges. Use it as you would use any shell console. I.e. using the shell, copy the needed files to a USB drive, then make the changes on the PC and copy them back to the TV.
shell console with root privileges????? root???
and why copy files to usb first
just revert files from pc through deb uart
debugging uart this cable
http://www.96boards.org/wp-content/uploads/2015/06/uart-to-usb-cable.jpg
masifkalam said:
shell console with root privileges????? root???
and why copy files to usb first
just revert files from pc through deb uart
debugging uart this cable
http://www.96boards.org/wp-content/uploads/2015/06/uart-to-usb-cable.jpg
1. Yes ROOT, ROOOT, ROOOOT. It's the default for MStar-based TVs. So you should get a root shell via the UART debugging port, of course if your TV vendor did not change that.
2. Yes, you can update it directly from the PC. I just provided an example of how to do it. Having shell access you can do a lot of stuff in many different ways.
3. You can use any cable with a USB-UART converter, for instance one on the pl2303 chip. I'm using one similar to this: https://www.aliexpress.com/item/Fre...lgo_pvid=d98f45a8-1c26-4a5e-bac3-39fdef513502
dipcore said:
1. Yes ROOT, ROOOT, ROOOOT. It's the default for MStar-based TVs. So you should get a root shell via the UART debugging port, of course if your TV vendor did not change that.
2. Yes, you can update it directly from the PC. I just provided an example of how to do it. Having shell access you can do a lot of stuff in many different ways.
3. You can use any cable with a USB-UART converter, for instance one on the pl2303 chip. I'm using one similar to this: https://www.aliexpress.com/item/Fre...lgo_pvid=d98f45a8-1c26-4a5e-bac3-39fdef513502
Thanks dear.
I will purchase this and connect later on this platform.
Thanks for your time.
---------- Post added at 06:41 PM ---------- Previous post was at 06:30 PM ----------
masifkalam said:
Thanks dear.
I will purchase this and connect later on this platform.
Thanks for your time.
Just one more thing:
debugging UART connected to the TV in standby position, just the red light, UART working because my TV automatically restarts and turns off in the boot animation.
Thanks, thanks, thanks dear for your time.