Philips Android TV

Search This thread
By:
Advanced…
M

marcinn

Member
Dec 9, 2008
10
3
Kodi 15.* nightly builds work on this TV

Hi,
quick tutorial:

1) Download terminal emulator from playstore
2) Open terminal emulator and paste this without quota "am start --user 0 -n com.android.settings/.SecuritySettings"
3) Enable unknow sources
4) Download latest Kodi dev build verison from here: mirrors.kodi.tv/nightlies/android/arm/
5) Install and enjoy!
 
  • Like
Reactions: Sithhy™, rawdealer and Acquanauta
G

gunnm92

New member
Feb 6, 2015
4
0
marcinn said:
Hi,
quick tutorial:

1) Download terminal emulator from playstore
2) Open terminal emulator and paste this without quota "am start --user 0 -n com.android.settings/.SecuritySettings"
3) Enable unknow sources
4) Download latest Kodi dev build verison from here: mirrors.kodi.tv/nightlies/android/arm/
5) Install and enjoy!
Click to expand...
Click to collapse

Tested and approved on a 55PUS8909C

Thanks ;)
 
S

snoerenberg

Member
Jan 19, 2009
10
3
Serial log from Philips Android TV

Hi,

I build a cable to connect directly to the service port of my 48PFS8159.
It consists out of a CP2102 USB2.0 to UART -> connected to a normal headphone jack.

I used Putty with
Speed: 115200
Connection Type: Serial

cw6hznojt1wu4f7me.jpg


Following is a log from my TV while installing the Ambilight Redlight Fix. I was interested to find the AES256 CBC cipher key to decrypt the firmware. Right now I cannot enter any commands into the console. The key for decryption resides in "/res/keyfile.txt".

Serial log:
Code: 
[     0] sys_init start. boot_strap=0x00000514 (source=eMMC), boot_state=0xff
[   372] image verified, start at 0x00920000...
tz kernel starting... MV88DE3114(BG2Q)-A1 total 4 cpus, v2.0.0.21, Aug  5 2014 14:39:52
0321[   427] start_bootloader
UªULAUNCH_ITM is set to zero
board_number = 2
uiBoot = 255
I2C switch set as 0

I2C switch set as 1
--------- I2C Initialization ----------
I2C_INIT: I2C-2 bus 
I2C_INIT: I2C-1 bus 
I2C_INIT: I2C-0 bus 
leakage info 336.
set Vcpu to 1300mV, default setting by hardware. 
core from 1200 to 1150
...

complete log is attached to this post.
Any further ideas?

Stephan
 

Attachments

  • putty_log.txt
    20.4 KB · Views: 406
Last edited:
G

Giacoz81

New member
Feb 20, 2015
2
0
sorry, i'm new with android,
i can't understand the 2 point : " Connect ADB via WIFI -> adb start-server" , adb connect IP:5555"
how should I do?

I have downloaded adb shell on my windows pc , but now?
 
H

hvoda

New member
Feb 18, 2015
1
0
After I installed the update, my TV 55PU8809 won't respond to the remote when I try to start it up the next day. The LED is flashing, so the TV receives the input from the remote, but it remains in stand-by. LED still flashing, but TV does not turn on
 
S

SeanBH1987

New member
Feb 22, 2015
1
0
Kodi/Xbmc crash on startup

Burn2Hell said:
I have the '48PFS8109/12' and tryed also some things.
- 13.2 Gotham XBMC (kodi) not working, my tv starts the app and after a few seconds the app crashs and the tv volume goes to 60.
- Kodi 14.0 “Helix” – RC 2 not working, my tv starts the app and after a few seconds the app crashs and the tv volume goes to 60.
- Kodi 14.0 “Helix” – Nightly not working, my tv starts the app and after a few seconds the app crashs and the tv volume goes to 60.

I use 'MX Player' with the DTS codec, i don't know if that player can handle 4K, i know that they say KODI can do 4K.
Click to expand...
Click to collapse

Did you find a fix for this issue, i am having exactly the same problems, crashes on startup. Tried all sorts of stuff: With and without internet, on factory version of operating system and newest software updates, tried most of xbmc and kodi versions, on hdd and internal hdd. Nothing makes a difference.
BTW didnt have the sounds issues you had.

Really need some help...

Just tried Frodo version, and it works fine... though very outdated so would like to get Kodi to work. Could it be some of the preinstalled addons in the newer versions that might be causing the issue?
 
Last edited:
M

mr_purple

New member
Mar 3, 2015
1
11
firmware decryption + rooting attempts

#################################
WARNING: don't look at the following information nor try to use any of it if you have no clue about linux or android as it is most likely that you are going to break your expensive gadget. For every one else: don't blame philips if you brick your device -> think before actually trying. If you post about vulnerabilities and stuff better cover your ass - who knows what the legal department of philips thinks about your cool stuff.
#################################

So as you decided to ignore my warning, here we go:

I already spent plenty of time researching the internals of the device in order to get root privileges. Unluckily without the final breakthrough - but at least I found out some very interesting details.

You might ask what those extended privileges should be good for? Well in my eyes android - a project available as open source with uncountable possibilities for developers and users - should not be closed down by profit oriented manufacturers. As those are often forcing the users into their own "crappy" software without given them any chance to escape. I like to develop at system base, use the underlying linux tools and most important check what the manufacturer does (behind my back) in my own living room. Hell I bought this expensive device and have no idea and can't nearly control what is sent to Philips nor Google.

1. I wrote a tool to decrypt the official firmware. It was created via reverse-engineering the "upgrade.bin" arm-file (thanks for the trace, snoerenberg).

Some interesting details about the used cryptography:
- openssl library functions
- used algorithm: aes-256 in CBC mode
- the encryption key is generated via "EVP_BytesToKey" using only the first 127 byte of the keyfile + an eight byte salt found near the beginning of every input file

Source-Code: attachment or pastebin_com / z3nA2r3J
maybe mirroring this paste and the source would be a good idea (Google for the HASH if link is down)

The decrypted firmware archive contains the following files:

boot.img.zip: kernel + initrd + ramdisk (unknown file format)
bootloader.zip: bootloader (unknown file format)
tzk_normal.img.zip: ? maybe recovery (unknown file format)

user_setting.zip: content of /user_setting
system.img.zip: content of /system (ext4-img)
firmware.img.zip: content of /firmware (ext4-img)

BackEndBin.zip, EdidBin.zip, fpgaUhdBin.zip, RougeBin.zip: different binary files - supposedly firmware for these components

As you see I was not able to extract the most interesting part (kernel + ramdisk) - Hopefully some android experts could help!

The current and some older firmware files could be downloaded at philips_samipupu_com (thanks for hosting)

2. General information:
- Kernel version: Linux version 3.4.70+ (build.ci@indbrnblx041) (gcc version 4.6.x-google 20120106 (prerelease) (GCC) ) #1 SMP PREEMPT Fri Nov 14 01:52:21 IST 2014
- Kernel cmd-line: androidboot.hardware=AND1E quiet lpj=11935744 root=/dev/ram0 androidboot.console=ttyS0 console=ttyS0,115200 init=/init vmalloc=448M quiet macaddr=00:00:00:00:00:00 emmc_ts.dev_id=1 emmc_ts.size=16777216 emmc_ts.erasesize=524288 emmc_ts.writesize=512
- lsmod:
usb8797 359014 3 - Live 0x00000000
usb97mlan 290809 1 usb8797, Live 0x00000000 (P)
mbtusbchar 52685 0 - Live 0x00000000
usbfwdnld 8530 0 - Live 0x00000000
fusion 96777 0 - Live 0x00000000 (O)
tpvinput 7132 2 - Live 0x00000000 (O)
trcext 333860 0 - Live 0x00000000 (O)
gal3d 161434 16 - Live 0x00000000
amp_core 72528 2 - Live 0x00000000 (O)
tzlogger 1199 0 - Live 0x00000000 (O)
tzd 32013 30 amp_core,tzlogger, Live 0x00000000 (O)

3. The trcext module seems to be very interesting as a short look with a disassembler revealed that it might be able to read and manipulate process memory of any process. Maybe someone good at kernel-drivers could take a look?

4. There are two world-readable directories containing very interesting information:
- /data/debugdump: stack-traces, process-lists, short memory excerpts based on crashes of the native binaries (could be very helpful for exploiting)
- /data/anr: davlik crash-dumps of android applications

5. There are 3 SGUID and 1 SUID binaries (visible):
-rwxr-s--- root inet 5500 netcfg
-rwxr-sr-x root net_raw 26072 ping
-rwsr-s--- root shell 9464 run-as

6. The recovery menu which could be used to install a "new" firmware if the device does not boot properly could be reached via the following steps:
- unplug the power
- press and hold the joypad on the backside of the TV downwards
- replug
- release the joypad after 10 sec

7. There is a Customer-Service-Menu at “123654” which contains read only information about the current firmware and so one. However there is also the real service menu (062?96i) which could be used for much more things. But you need to be really careful with this, i already managed to break booting without changing something important.

8. The settings-app calls the "su" command inside of CSMActivity. If this is no obsolete debug code (i was not able to trigger this part yet) than there could be a "su" inside /sbin. The Manifest also shows this strange "org.droidtv.tv.tv_power_system_access" permission. Therefore i tried to write my own app with the same permission and call "su" which did however not work out (even if I use the same namespace org.droidtv.?)

9. Every time you pop in an usb stick android creates an backup folder on it. The filenames are "hidden" via base64 and there are some junk bytes at the beginning of the files which you need to crop in order to read them. However the content is quite boring mostly some sqlite3 databases with configuration parameters.

10. By default the usb sticks you plug in is read-only for user apps. However there is in option in the settings to re-format it. This will result in an XFS formatted, read-write mounted stick where you could even outsource your apps.

11. There is a soap (http) service running on port 1925 which is used by the philips remote app and allows different things for example starting one of the installed apps. More details could be found if you decompile the XTV-App.


Hope some of you guys could do something fancy with those information.
@snoerenberg(xda): did you manage to send commands over your cable yet - If you do rooting should be quite easy from this point (maybe /system/bin/run-as).

Cheers,
5003b4d49cbf7916123271b7b1918f123cca0c09bf1428f4398257751ac6570c

ps: some of the information were dumped on an older firmware and some with the current one
 

Attachments

  • decrypt-firmware.c
    4.3 KB · Views: 543
  • Like
Reactions: p0isk, Sithhy™, ramy911us and 8 others
michie

michie

Senior Member
Apr 15, 2007
1,586
2,642
Hasselt
Ok so Philips stated that due to the hardware of the 2014 android tv´s they will NOT receive the lollipop update of the 2015 line.
The only way for us to be able to update will be a custom rom based on the 2015 abdroid TV line which will need a software dump , a port and a custom recovery.

I dont think this will be easy at all... but i do see some interesting progress in achieving root here :)
 
  • Like
Reactions: Sithhy™, peppies and dkz
S

shaggie76

Member
Mar 16, 2015
5
2
marcinn said:
Hi,
quick tutorial:

1) Download terminal emulator from playstore
2) Open terminal emulator and paste this without quota "am start --user 0 -n com.android.settings/.SecuritySettings"
3) Enable unknow sources
4) Download latest Kodi dev build verison from here: mirrors.kodi.tv/nightlies/android/arm/
5) Install and enjoy!
Click to expand...
Click to collapse

Hi there!

First of all: thanks! I Followed your steps and installed Kodi on the TV no rpoblem. Unfortunately I'm not getting any more then a Kodi splash screen. Right after that, the tv jumps back to television source. Any advice anyone?
 
  • Like
Reactions: ELTURKO24PHONE
V

Visi_dk

New member
Mar 23, 2015
1
0
christian_cvi said:
Hi, to enable Unknown Sources:

Download "QuickShortCutMaker" from Google Play with "evozi apk downloader".
Install application via ADB WIFI (previous post).
Search Activities - Settings - Security
Press with Remote Pointer in Security and press in "Try" and this launch security activity to enable option.

Regards ;)
Click to expand...
Click to collapse

I got installed the "QuickShortCutMaker" but i can't find the security under the setting ?
what is the procedure after i press "try"
would i be able to install apk that i have in my donwload folder (Philips android TV )
 
D

djbala

New member
Apr 16, 2012
1
0
marcinn said:
Hi,
quick tutorial:

1) Download terminal emulator from playstore
2) Open terminal emulator and paste this without quota "am start --user 0 -n com.android.settings/.SecuritySettings"
3) Enable unknow sources
4) Download latest Kodi dev build verison from here: mirrors.kodi.tv/nightlies/android/arm/
5) Install and enjoy!
Click to expand...
Click to collapse

Visi_dk said:
I got installed the "QuickShortCutMaker" but i can't find the security under the setting ?
what is the procedure after i press "try"
would i be able to install apk that i have in my donwload folder (Philips android TV )
Click to expand...
Click to collapse


The marcin quick tutorial to activate "unknow sources" is better option than mine and not need adb!
Try it. It's faster.

Thanks.
 
C

cgtyklnc

New member
Mar 28, 2015
1
1
Marcinn Hello
i have same problem too the apk you give it also does not work do you have any idea about that ?

---------- Post added at 09:30 AM ---------- Previous post was at 09:06 AM ----------

answer to shaggie76 and all having same issue

If Kodi is closing please disconnect or wireless mouse or keyboard etc. and it works =)
 
  • Like
Reactions: ELTURKO24PHONE
R

Reversedhex

Senior Member
Nov 12, 2008
210
5
Amsterdam
ppomagaev said:
In my case it is failed, I have 55PUS9109, and after launch of all developer tool options I cannot connect to Google Play any more... What is wrong?
Click to expand...
Click to collapse
Same here, reconnect to network in the settings menu fixed it.

abinmuell said:
Hey guys, i have a problem with my 55PUS9109.
It has an softwareversion which is not updatable (dont know if its 100% based on the Version but dont want to believe its a hardware based issue)
Version 0.9.32.100 - its not listed in the changelogs - was factory side installed.
An no update works - neither from internet - nor from usb stick i want to access the recovery mode and try it there.
Does anyone know how to get there?
JK
Click to expand...
Click to collapse
I had this version to, using adb I rebooted in recovery and flashed the upg file.

I tried rooting using root genius but it failed. I did manage to get to 100% but I had to write a script which reopened to adb connection every 5 seconds to even get there.
 
Last edited:
R

Reversedhex

Senior Member
Nov 12, 2008
210
5
Amsterdam
mr_purple said:
@snoerenberg(xda): did you manage to send commands over your cable yet - If you do rooting should be quite easy from this point (maybe /system/bin/run-as).
Click to expand...
Click to collapse
The serial console appears to be readonly when android is booted normally.
unfortunately I can't boot into recovery anymore since I updated the firmare.
edit: It looks like a was booting to recovery but the screen just stays black.
When the tv is in this state it allows me to enter commands through the serial console but it doesnt respond.
 
Last edited:
peppies

peppies

Senior Member
Sep 7, 2007
68
25
Liberec
I have same problem with Youtube - new version. I cant login on youtube account. You must uninstall new version and wait for fix from google ( owner Youtube ) Srry for my bronx english :)
 
You must log in or register to reply here.

Similar threads

smartcard2
TCL Android TV model 55p8m / Android Recovery TCL/BeyondTV/BeyondTV
Replies
5K
Views
1M
L
lexus46
brar.arsh
Sony Android TV Users
Replies
2K
Views
738K
V
VerizonLover
ovso
  • Poll
[GUIDE] Continuous restart / bootloop fix for Philips Android TV with Wipe Data Tool
Replies
303
Views
313K
bellzebu
bellzebu
ovso
  • Poll
[GUIDE] How to root 2015 Philips Android TV
Replies
326
Views
208K
K
koliberk
stasiof
TCL 2021 Android/Google TVs (P725/C725/C728/C825/X925)
Replies
2K
Views
620K
stasiof
stasiof

Top Liked Posts

24 Hours All time
  • There are no posts matching your filters.
  • 13
    kalinskym
    kalinskym
    Guys! To disable Philips Collections bar or also known as Philips Apps Tray at top of Android TV leanback launcher. All you have to do is find leanbackcustomizer in System Apps or Running Apps and turn off its notifications which can be turned off at button of the menu when you click on the service.

    I couldn't find a single source which mentioned these steps to take to disable Philips bloatware. I figured these out on own. I am not aware of any other methods that has the same results.

    Enjoy your less of a pain Android TV by Philips

    Hope this helps.

    ---------- Post added at 02:03 AM ---------- Previous post was at 01:56 AM ----------

    To disable recommendations, disable org.droidtv.nett_launcherapp in system apps or running apps. Hope this also helps debloat your Philips Android TV to a manageable level. However, this doesn't get rid of the recommendations field only apps that shows up.
    View
    11
    M
    mr_purple
    firmware decryption + rooting attempts

    #################################
    WARNING: don't look at the following information nor try to use any of it if you have no clue about linux or android as it is most likely that you are going to break your expensive gadget. For every one else: don't blame philips if you brick your device -> think before actually trying. If you post about vulnerabilities and stuff better cover your ass - who knows what the legal department of philips thinks about your cool stuff.
    #################################

    So as you decided to ignore my warning, here we go:

    I already spent plenty of time researching the internals of the device in order to get root privileges. Unluckily without the final breakthrough - but at least I found out some very interesting details.

    You might ask what those extended privileges should be good for? Well in my eyes android - a project available as open source with uncountable possibilities for developers and users - should not be closed down by profit oriented manufacturers. As those are often forcing the users into their own "crappy" software without given them any chance to escape. I like to develop at system base, use the underlying linux tools and most important check what the manufacturer does (behind my back) in my own living room. Hell I bought this expensive device and have no idea and can't nearly control what is sent to Philips nor Google.

    1. I wrote a tool to decrypt the official firmware. It was created via reverse-engineering the "upgrade.bin" arm-file (thanks for the trace, snoerenberg).

    Some interesting details about the used cryptography:
    - openssl library functions
    - used algorithm: aes-256 in CBC mode
    - the encryption key is generated via "EVP_BytesToKey" using only the first 127 byte of the keyfile + an eight byte salt found near the beginning of every input file

    Source-Code: attachment or pastebin_com / z3nA2r3J
    maybe mirroring this paste and the source would be a good idea (Google for the HASH if link is down)

    The decrypted firmware archive contains the following files:

    boot.img.zip: kernel + initrd + ramdisk (unknown file format)
    bootloader.zip: bootloader (unknown file format)
    tzk_normal.img.zip: ? maybe recovery (unknown file format)

    user_setting.zip: content of /user_setting
    system.img.zip: content of /system (ext4-img)
    firmware.img.zip: content of /firmware (ext4-img)

    BackEndBin.zip, EdidBin.zip, fpgaUhdBin.zip, RougeBin.zip: different binary files - supposedly firmware for these components

    As you see I was not able to extract the most interesting part (kernel + ramdisk) - Hopefully some android experts could help!

    The current and some older firmware files could be downloaded at philips_samipupu_com (thanks for hosting)

    2. General information:
    - Kernel version: Linux version 3.4.70+ (build.ci@indbrnblx041) (gcc version 4.6.x-google 20120106 (prerelease) (GCC) ) #1 SMP PREEMPT Fri Nov 14 01:52:21 IST 2014
    - Kernel cmd-line: androidboot.hardware=AND1E quiet lpj=11935744 root=/dev/ram0 androidboot.console=ttyS0 console=ttyS0,115200 init=/init vmalloc=448M quiet macaddr=00:00:00:00:00:00 emmc_ts.dev_id=1 emmc_ts.size=16777216 emmc_ts.erasesize=524288 emmc_ts.writesize=512
    - lsmod:
    usb8797 359014 3 - Live 0x00000000
    usb97mlan 290809 1 usb8797, Live 0x00000000 (P)
    mbtusbchar 52685 0 - Live 0x00000000
    usbfwdnld 8530 0 - Live 0x00000000
    fusion 96777 0 - Live 0x00000000 (O)
    tpvinput 7132 2 - Live 0x00000000 (O)
    trcext 333860 0 - Live 0x00000000 (O)
    gal3d 161434 16 - Live 0x00000000
    amp_core 72528 2 - Live 0x00000000 (O)
    tzlogger 1199 0 - Live 0x00000000 (O)
    tzd 32013 30 amp_core,tzlogger, Live 0x00000000 (O)

    3. The trcext module seems to be very interesting as a short look with a disassembler revealed that it might be able to read and manipulate process memory of any process. Maybe someone good at kernel-drivers could take a look?

    4. There are two world-readable directories containing very interesting information:
    - /data/debugdump: stack-traces, process-lists, short memory excerpts based on crashes of the native binaries (could be very helpful for exploiting)
    - /data/anr: davlik crash-dumps of android applications

    5. There are 3 SGUID and 1 SUID binaries (visible):
    -rwxr-s--- root inet 5500 netcfg
    -rwxr-sr-x root net_raw 26072 ping
    -rwsr-s--- root shell 9464 run-as

    6. The recovery menu which could be used to install a "new" firmware if the device does not boot properly could be reached via the following steps:
    - unplug the power
    - press and hold the joypad on the backside of the TV downwards
    - replug
    - release the joypad after 10 sec

    7. There is a Customer-Service-Menu at “123654” which contains read only information about the current firmware and so one. However there is also the real service menu (062?96i) which could be used for much more things. But you need to be really careful with this, i already managed to break booting without changing something important.

    8. The settings-app calls the "su" command inside of CSMActivity. If this is no obsolete debug code (i was not able to trigger this part yet) than there could be a "su" inside /sbin. The Manifest also shows this strange "org.droidtv.tv.tv_power_system_access" permission. Therefore i tried to write my own app with the same permission and call "su" which did however not work out (even if I use the same namespace org.droidtv.?)

    9. Every time you pop in an usb stick android creates an backup folder on it. The filenames are "hidden" via base64 and there are some junk bytes at the beginning of the files which you need to crop in order to read them. However the content is quite boring mostly some sqlite3 databases with configuration parameters.

    10. By default the usb sticks you plug in is read-only for user apps. However there is in option in the settings to re-format it. This will result in an XFS formatted, read-write mounted stick where you could even outsource your apps.

    11. There is a soap (http) service running on port 1925 which is used by the philips remote app and allows different things for example starting one of the installed apps. More details could be found if you decompile the XTV-App.


    Hope some of you guys could do something fancy with those information.
    @snoerenberg(xda): did you manage to send commands over your cable yet - If you do rooting should be quite easy from this point (maybe /system/bin/run-as).

    Cheers,
    5003b4d49cbf7916123271b7b1918f123cca0c09bf1428f4398257751ac6570c

    ps: some of the information were dumped on an older firmware and some with the current one
    View
    11
    C
    christian_cvi
    Steps for install any APK in 2014 Philips Android TV AND1E

    Hello,

    For install any application in 2014 Philips Android TV AND1E :

    1º You must download "Developer Settings" from "Google Play" and enable "Usb Debugging" in "Developer options".
    2º Connect ADB via WIFI -> adb start-server" , adb connect IP:5555
    3º Install APK -> adb install "app.apk" (download apk from google play with evozzi apk downloader in web or in chrome extension)

    I've tried it in 55PUS8909 and it works!.

    I've tried for root framaroot, towelroot and vroot and exploits not run.
    I've tried all for "Unknown Sources" and nothing.

    sorry for my english....thanks, regards!
    View
    9
    Toengel
    Toengel
    Hi,

    Android TV 8 (Oreo) is coming to Philips TV: https://toengel.net/philipsblog/2018/06/27/philips-2014-2018er-tvs-erhalten-android-tv-8-oreo/

    Toengel@Alex
    View
    8
    ovso
    ovso
    [GUIDE] How to root 2015 Philips Android TV

    [GUIDE] How to root 2015 Philips Android TV moved to separate thread here

    Please vote regardless you were successful with rooting or not...
    View

New posts