FORUMS
Remove All Ads from XDA

Rooting MediaTek Based Linux Smart TV

60 posts
Thanks Meter: 20
 
By borillion_star, Member on 4th July 2015, 11:36 PM
Post Reply Email Thread
19th April 2016, 08:58 PM |#21  
vache's Avatar
Recognized Developer
Flag Paris
Thanks Meter: 3,577
 
Donate to Me
More
I've uploaded some extracted files here : http://vache-android.com/?dir=hisense

If someone want to have a look... I had no luck mounting or unpacking 3drw.img (Linux rev 1.0 ext4 filesystem data, UUID=57f8f4bc-abf4-0000-675f-946fc0f9f25b (extents) (large files))

Looks like there's a console on ttyMT0
From init : /sbin/getty -n -L ttyMT0 115200 vt100 -l /bin/sh

Interesting link : https://smarttvhacking.wordpress.com...510c-smart-tv/
Another one : http://neophob.com/2010/01/root-my-t...ilips-pfl9703/

We have a serial jack port (called "Service") on the TV, a cable like this could be used to debug : http://www.amazon.com/SF-Cable-Femal.../dp/B004T9BBJC. @borillion_star you bought somethink like this ?
 
 
21st April 2016, 05:39 PM |#22  
OP Member
Thanks Meter: 20
 
More
Quote:
Originally Posted by vache

I've uploaded some extracted files here : http://vache-android.com/?dir=hisense

If someone want to have a look... I had no luck mounting or unpacking 3drw.img (Linux rev 1.0 ext4 filesystem data, UUID=57f8f4bc-abf4-0000-675f-946fc0f9f25b (extents) (large files))

Looks like there's a console on ttyMT0
From init : /sbin/getty -n -L ttyMT0 115200 vt100 -l /bin/sh

Interesting link : https://smarttvhacking.wordpress.com...510c-smart-tv/
Another one : http://neophob.com/2010/01/root-my-t...ilips-pfl9703/

We have a serial jack port (called "Service") on the TV, a cable like this could be used to debug : http://www.amazon.com/SF-Cable-Femal.../dp/B004T9BBJC. @borillion_star you bought somethink like this ?

Thanks Vache, I have not purchased that no, I did not know they existed. I will look at the files you have and compare them with what I as able to extract. I don't think 3rd had anything significant in it.
21st April 2016, 08:55 PM |#23  
OP Member
Thanks Meter: 20
 
More
So mine has this on the board. I am not sure the serial to the 2.5mm jack device will work on it. Interesting.
Attached Thumbnails
Click image for larger version

Name:	isItserialPort.jpg
Views:	1470
Size:	219.8 KB
ID:	3726420  
21st April 2016, 11:34 PM |#24  
Member
Thanks Meter: 10
 
More
Here is PDF for your TV
https://mega.nz/#!NsRXWACB!7pP5JYus-...een1n-8phPoNRA

Sent from my SM-N910F using Tapatalk

---------- Post added at 10:57 PM ---------- Previous post was at 10:54 PM ----------

How ever in that file there is photo with description of surrounding connectors apart this one. Dam but you might find something else useful

Sent from my SM-N910F using Tapatalk

---------- Post added at 11:34 PM ---------- Previous post was at 10:57 PM ----------

It is four pin upgrade interface port

Sent from my SM-N910F using Tapatalk
The Following User Says Thank You to tommyk999 For This Useful Post: [ View ] Gift tommyk999 Ad-Free
22nd April 2016, 03:23 AM |#25  
OP Member
Thanks Meter: 20
 
More
I was able to capture input form the internal UART and its a bit different that I have seen before, its using u-boot.

Code:
Boot-

DRAM Channel A Calibration.

Byte 0 : Gating(2 ~ 67), Size=66, Mid=36, Set=36.

Byte 1 : Gating(2 ~ 57), Size=56, Mid=31, Set=31.

Byte 2 : Gating(2 ~ 77), Size=76, Mid=41, Set=41.

Byte 3 : Gating(2 ~ 72), Size=71, Mid=39, Set=39.

HW Byte 0 : DQS(13 ~ 45), Size 33, Set 27, HW_Set 31.

HW Byte 1 : DQS(9 ~ 45), Size 37, Set 25, HW_Set 28.

HW Byte 2 : DQS(13 ~ 47), Size 35, Set 28, HW_Set 32.

HW Byte 3 : DQS(13 ~ 48), Size 36, Set 28, HW_Set 31.

DRAM A Size = 512 Mbytes.

Boot


Start Pmain


0x0000a000

Nand boot

NID=0x9590dcad

LZHS addr:0x00100040

LZHS size:0x0012fdd8

LZHS checksum:0x000000ef

Boot


Start Lmain



MT5880 Boot Loader v0.9
Boot reason: A/C power on!!
Load VGA internal EDID.................
 Load HDMI internal EDID.................
 CEC Physical offset 159
HDMI1 Physical adr 0x30
HDMI1 PA 0x30
HDMI1 checksum 0xa1
HDMI2 PA 0x30
HDMI2 checksum 0xa1
HDMI3 PA 0x20
HDMI3 checksum 0xb1
HDMI4 PA 0x10
HDMI4 checksum 0xc1
SIF_Master0: new design
IR DATA register : 0x       0
Boot reason: A/C power on!!T8032 init A/C on case loader stage...
Load T8032 FW (addr: 0x  e0dd30, size: 24576)success!!
T8032 FW version: 73
T8032 change to loader stage...
LDR_FlashCopy 0xf010 0x6ec00 0x80
Detect NAND flash ID: 0x9590DCAD
Detect HY27U4G8F2DTR NAND flash(SLC): 512MB
NAND_BDM_Mount: Partid=0, offset=0x0, size=0x200000
NAND_BDM_Mount: Partid: 0, Total Block Count: 16, Bad Block Count: 0
1st MAC in EEP is valid (c8:16:bd:ff:d9:c6)
1st : (c8:16:bd:ff:d9:c6)
2nd : (ff:ff:ff:ff:ff:ff)
Boot reason: A/C power on!!Boot reason: A/C power on!!Org:0x30 Flags:0x30
                             
PDWNC_Init
Boot reason: A/C power on!!USB0: Set GPIO63 = 1.
USB1: Set GPIO64 = 1.
USB2: Set GPIO61 = 1.
Boot reason: A/C power on!!Boot reason: A/C power on!!Org:0x30 Flags:0x30
                             

Do USB upgrade
USB: Vbus turn up time = 226 ms, Max =300 ms.
USB-0: insert.
USB-1: insert.
USB-0: ClassCode= 0xFF, u4Diff=0 ms.
USB-1: ClassCode= 0x9, u4Diff=0 ms.

 FIND_CLASS_HUB.

 HUB No USB Medium on Hub.
USB upgrade stop
Boot reason: A/C power on!!Boot reason: A/C power on!!Org:0x30 Flags:0x30
                             
PDWNC_EnterPowerDown(100,0) 
Disable VGA wakeup
[LdrLedBlinkikng] Start to Init/Turn off timer!
Standby             *
UART>
UART>
UART>
UART>
UART>
UART>¡HšøDRAM Channel A Calibration.

Byte 0 : Gating(2 ~ 62), Size=61, Mid=34, Set=34.

Byte 1 : Gating(2 ~ 57), Size=56, Mid=31, Set=31.

Byte 2 : Gating(2 ~ 77), Size=76, Mid=41, Set=41.

Byte 3 : Gating(2 ~ 72), Size=71, Mid=39, Set=39.

HW Byte 0 : DQS(13 ~ 45), Size 33, Set 27, HW_Set 31.

HW Byte 1 : DQS(9 ~ 46), Size 38, Set 25, HW_Set 28.

HW Byte 2 : DQS(13 ~ 47), Size 35, Set 28, HW_Set 32.

HW Byte 3 : DQS(13 ~ 48), Size 36, Set 28, HW_Set 31.

DRAM A Size = 512 Mbytes.

Boot


Start Pmain


0x0000a000

Nand boot

NID=0x9590dcad

LZHS addr:0x00100040

LZHS size:0x0012fdd8

LZHS checksum:0x000000ef

Boot


Start Lmain



MT5880 Boot Loader v0.9
SIF_Master0: new design
IR DATA register : 0x       0
T8032 change to loader stage...
LDR_FlashCopy 0xf010 0x6ec00 0x80
Detect NAND flash ID: 0x9590DCAD
Detect HY27U4G8F2DTR NAND flash(SLC): 512MB
NAND_BDM_Mount: Partid=0, offset=0x0, size=0x200000
NAND_BDM_Mount: Partid: 0, Total Block Count: 16, Bad Block Count: 0
1st MAC in EEP is valid (c8:16:bd:ff:d9:c6)
1st : (c8:16:bd:ff:d9:c6)
2nd : (ff:ff:ff:ff:ff:ff)
PDWNC_Init
USB0: Set GPIO63 = 1.
USB1: Set GPIO64 = 1.
USB2: Set GPIO61 = 1.
Display 0x00e353a0 background:0x00000000

OSD_SetPlaneSwitchOrder[0,1,2],Switch[1,2,3]
---------- [SA7] vErrorHandleInit ----------
[SA7] Error handling init 
[SA7] PANEL_GetPanelWidth=0x780, PANEL_GetPanelHeight=0x438 , wDrvGetOutputHTotal=0x898 , wDrvGetOutputVTotal=0x465
[SA7] PANEL_GetHTotalMax=0x92c, PANEL_GetHTotalMin=0x82a, PANEL_GetVTotalMax=0x578, PANEL_GetVTotalMin=0x456 
[SA7] PANEL_GetPixelClkMax=152500000, PANEL_GetPixelClkMin=130000000 
[SA7] PANEL_GetPixelClk60Hz = 0x8d9ee20 
---------- [SA7] vErrorHandleSetByTiming ----------
[SA7] u2HSyncWidth=260, u2HSyncStart=1930, u2VSyncWidth=26, u2VSyncStart=1094
---------- [SA7] vErrorHandleSetByTiming end----------
---------- [SA7] vErrorHandleSetByPanel end----------
[SA7] vDDDSInit
---------- [SA7] vErrorHandleSetByTiming ----------
[SA7] u2HSyncWidth=30, u2HSyncStart=1936, u2VSyncWidth=3, u2VSyncStart=1119
---------- [SA7] vErrorHandleSetByTiming end----------
vDrvSetOCLKClockSchemaInit.
[SA7] _fgVopllUseDDDS = True
[LVDS] VOPLL Initialize successful !
LDR_OsdDisplay(13, 0x00d43530, 768, 240)
Color:13 BmpAddr:0x00d43530 Width:768 Height:240
Panel 1920 x 1080 

*************u4BmpPitch=1536******************
u4OutWidth=768,u4OutHeight=240,u4OutX=576,u4OutY=420.

Do USB upgrade
USB: Vbus turn up time = 2739 ms, Max =300 ms.
USB-0: insert.
USB-1: insert.
USB-0: ClassCode= 0xFF, u4Diff=0 ms.
USB-1: ClassCode= 0x9, u4Diff=0 ms.

 FIND_CLASS_HUB.

 HUB No USB Medium on Hub.
USB upgrade stop

Flash load lzhs header from 0x80000 to dram(0x15203a0), size=2048
Decompression uboot to 0x00800000...

Flash load image from 0x80000 to dram(0x15203a0), size=0x3e34e
NAND_BDM_Mount: Partid=4, offset=0x480000, size=0x300000
NAND_BDM_Mount: Partid: 4, Total Block Count: 24, Bad Block Count: 0

Flash load tz from 0x1f7343(kernel) to dram(0x1f200000), size=0x2e978
secure boot ok
secure boot ok
Starting image...



U-Boot 2011.12.12 (Dec 29 2014 - 13:20:10)

DRAM:  261.3 MiB
WARNING: Caches not enabled
NAND:  Detect NAND flash ID: 0x9590DCAD
Detect HY27U4G8F2DTR NAND flash: 512MB
512 MiB

0.0.0.0
In:    serial
Out:   serial
Err:   serial
Boot from kernelA and rootfsA(partition 6)
Net:   Net Initialization Skipped
No ethernet found.
Hit any key to stop autoboot:  0 
Partition rootfsA defined at mtdparts:
ID:6, Offset:0x00000000, Size:0x00a80000
Loader succeeded in signature verification
## Booting kernel from Legacy Image at 00007fc0 ...
   XIP Kernel Image ... OK
OK

Starting kernel ...

TZ Heap: start=0x1FA63280, end=0x20000000

TZ dram: start=0x1F000000, end=0x20000000

[    0.000000] timekeeping_init done


INIT: version 2.86 booting

Loading /etc/profile...
Start readahead /etc/readahead_early
Running rc.local...
# mount 3rd_rw
net.ipv4.tcp_window_scaling = 6
net.core.rmem_max = 1048576
UBI device number 1, total 3189 LEBs (404926464 bytes, 386.2 MiB), available 0 LEBs (0 bytes), LEB size 126976 bytes (124.0 KiB)
# mount 3rd DMVERITY(SquashFS read-only)
real	0m 0.00s
user	0m 0.00s
sys	0m 0.00s
 can't not find /3rd/upgrade/download.xml 
Start readahead /etc/readahead
[AM ERROR][am_main.c][getPowerKeyWDSetting] open /dev/rmmgr failed(No such device or address)
commandline read: app_man

   ~~~~~~~~~~~~~~~~~~~~~~~~~~| DirectFB 1.5.3 |~~~~~~~~~~~~~~~~~~~~~~~~~~
        (c) 2001-2010  The world wide DirectFB Open Source Community
        (c) 2000-2004  Convergence (integrated media) GmbH
      ----------------------------------------------------------------

(*) DirectFB/Core: Multi Application Core. (2014幎 12月 29日 星期䞀 13:24:02 CST) 
(*) Direct/Memcpy: Using libc memcpy()
(*) Fusion/SHM: Using MADV_REMOVE (3.0.13.0 >= 2.6.19.2)
(*) Direct/Thread: Started 'Fusion Dispatch' (-1) [MESSAGING OTHER/OTHER 0/0] <8388608>...
(*) Direct/Thread: Started 'Fusion Deferred' (-1) [MESSAGING OTHER/OTHER 0/0] <8388608>...
======DFB 3DMM u4VirtAddr : 0x1bac5000, and DFB 3DMM u4Size : 0x1f80000======
(*) Direct/Thread: Started 'Virtual Input' (-1) [INPUT OTHER/OTHER 0/0] <8388608>...
(*) DirectFB/Input: Virtual Input 0.0 (Convergence GmbH)
input thread's parent pid is 451 tid is 451
(*) Direct/Thread: Started 'RC Input' (-1) [INPUT OTHER/OTHER 0/0] <8388608>...
(*) DirectFB/Input: MediaTek RC Input 0.1 (Denis Oliver Kropp)
(*) Direct/Thread: Started 'Hotplug with Linux Input' (-1) [INPUT OTHER/OTHER 0/0] <8388608>...
[DirectFB]: Wait to Init IR...!
(*) DirectFB/Input: Hot-plug detection enabled with Linux Input Driver 
(*) MediaTek/Driver: Mapped shared command queue control structure to 0x4324e000
(*) MediaTek/Driver: Mapped DMA region to 0x4326a000
(*) MediaTek/Driver: GFX_CmdQueInit( 0x4324e000, 0x38920 )
(*) DirectFB/Graphics: MediaTek 53xx 0.3 (Denis Oliver Kropp)
(*) DirectFB/Core/WM: SaWMan 0.2 (directfb.org)
(*) SaWMan/Config: Parsing config file '/etc/sawmanrc'.
(*) SaWMan: Initializing stack 0x20298a00 for tier 0x216b3000, 0x0, layer 0, context 0x20089000 [3]...
(*) SaWMan: Initializing stack 0x20298900 for tier 0x216b3800, 0x0, layer 1, context 0x20089a00 [6]...
(*) SaWMan/Init: Layer  0:  1280x720, ARGB, options: 0
(*) SaWMan/Init: Border 0:  426x240, LUT8, options: 8
(*) SaWMan/Init: Layer  1:  1280x720, ARGB, options: 0
(*) SaWMan/Init: Border 1:  426x240, LUT8, options: 8
[dtv_app_mtk]>drv_init as 0x0 model
[dtv_app_mtk]>drv_init as US model
[dtv_app_mtk]>HDMI fast booting init...
[   11.247113] NAND_SDM_Mount: Partid=13, offset=0x1f900000, size=0x700000

readahead: can't open '/basic/lib/libnet_info.so': No such file or directory
[dtv_app_mtk]>
[dtv_app_mtk]>TVD MsgCtrl:  NRL:60/40, PER:100/90
input thread pid is 451 tid is 458
original scheduler policy 0
scheduler nice 0
original child scheduler policy 0 prio 0
new child scheduler policy 2 prio 99
Start to wait IR event...
[dtv_app_mtk]>x_drv_init end!!
[dtv_app_mtk]>[ FakeDM ] Init...
[dtv_app_mtk]>
[FakeDM] Init FM...
[dtv_app_mtk]>
/dev is created./mnt is already existed.  That is OK.
[dtv_app_mtk]>
/mnt/usb is created.[FakeDM] FM inited...
[dtv_app_mtk]>
[FakeDM] Init DLNA...
[dtv_app_mtk]>
[FakeDM] DLNA inited...
[dtv_app_mtk]>
[FakeDM] Init SMB...
[dtv_app_mtk]>
[FakeDM] SMB inited...
[dtv_app_mtk]>
Init chip_spec_init!!!!!
[dtv_app_mtk]>
[DM] _dm_open_dev_thread: entered
[dtv_app_mtk]>
EEPROM size is 0xc0.
[dtv_app_mtk]>
[DM] _dm_nfy_req_thread enter
[dtv_app_mtk]>
[DM] _dm_nfy_req_thread get_nl_sock:18
[dtv_app_mtk]>
[DM] _dm_cb_msg_thread enter
[dtv_app_mtk]>
{CDB} Loading metadata (version 7)
[dtv_app_mtk]>
{CDB} Loading metadata (version 7)
[dtv_app_mtk]>
{CDB} Loading metadata (version 7)
[dtv_app_mtk]>
{CDB} Loading metadata (version 7)
[dtv_app_mtk]>
[dtv_app_mtk]>   ~~~~~~~~~~~~~~~~~~~~~~~~~~| DirectFB 1.5.3 |~~~~~~~~~~~~~~~~~~~~~~~~~~
[dtv_app_mtk]>        (c) 2001-2010  The world wide DirectFB Open Source Community
[dtv_app_mtk]>        (c) 2000-2004  Convergence (integrated media) GmbH
[dtv_app_mtk]>      ----------------------------------------------------------------
[dtv_app_mtk]>
[dtv_app_mtk]>(*) DirectFB/Core: Multi Application Core. (2014幎 12月 29日 星期䞀 13:24:02 CST) 
[dtv_app_mtk]>(*) Direct/Memcpy: Using libc memcpy()
[dtv_app_mtk]>(*) Fusion/SHM: Using MADV_REMOVE (3.0.13.0 >= 2.6.19.2)
[dtv_app_mtk]>(*) Direct/Thread: Started 'Fusion Dispatch' (-1) [MESSAGING OTHER/OTHER 0/0] <8388608>...
[dtv_app_mtk]>(*) Direct/Thread: Started 'Fusion Deferred' (-1) [MESSAGING OTHER/OTHER 0/0] <8388608>...
[dtv_app_mtk]>(*) MediaTek/Driver: Mapped shared command queue control structure to 0x4002b000
[dtv_app_mtk]>(*) MediaTek/Driver: Mapped DMA region to 0x43817000
[dtv_app_mtk]>(*) MediaTek/Driver: GFX_CmdQueInit( 0x4002b000, 0x39a040 )
[dtv_app_mtk]>(*) DirectFB/Graphics: MediaTek 53xx 0.3 (Denis Oliver Kropp)
[dtv_app_mtk]>(*) SaWMan/Config: Parsing config file '/etc/sawmanrc'.
stacking [0x0], layer_id [0] 
stacking [0x0], layer_id [0] 
[dtv_app_mtk]>
dtv_svc_main: fbm phy addr = 1674b000, share mem addr = 452c6000, vir addr = 0, size = 143347712 
[dtv_app_mtk]>SC_FCT_0: sched_getparam 441 error -1
[dtv_app_mtk]>SC_FCT_0: sched_getparam 442 error -1
[dtv_app_mtk]>[* GL DFB *] Create plane (ON layer) :10112a7 
stacking [0x0], layer_id [0] 
stacking [0x0], layer_id [0] 
[dtv_app_mtk]>
[dtv_app_mtk]>

[dtv_app_mtk]>
x_wifi_cli_init~~~
[dtv_app_mtk]>

[dtv_app_mtk]>
=====================
[dtv_app_mtk]>
channel id:(262272), svl rec id:(1), channel id in rec:(262272), brdcst type:(1)
[dtv_app_mtk]>
=====================
[dtv_app_mtk]>

[dtv_app_mtk]>
 channel info: svl_id(262272), channel_id(262272) 
[dtv_app_mtk]>
{DT} Real Time Clock is available on this system.
[dtv_app_mtk]>
reason: 0x00000003 - 0x00000000
[dtv_app_mtk]><AM> wakeup reason = 3
[dtv_app_mtk]>

IDX_FAC_LVDS_SPREAD offset = 0x11f +0x460
[dtv_app_mtk]>
[zxf 222]  IDX_BBY_BUTTON_LOCK offset = 0x120 +0x460
[dtv_app_mtk]>
EEPROM size is 0xba0.
[dtv_app_mtk]>
EEPROM size is 0x1000.
[dtv_app_mtk]>
reason: 0x00000003 - 0x00000000
[dtv_app_mtk]>[OT][_acfg_ch_lst_load_p1][707]: e_wakeup_reason = 3.
[dtv_app_mtk]>
{CDB} Loading metadata (version 7)
[dtv_app_mtk]>
<MSCVT>Call function : a_msg_convert_register.
[dtv_app_mtk]>
<MSCVT>Call function _mc_app_init_fct.
[dtv_app_mtk]>
<MSCVT>msg_convert_custom_init 
[dtv_app_mtk]>
<MSCVT> msgconvert custom: do something before init
[dtv_app_mtk]>
----------------restore------------ui_tbl
[dtv_app_mtk]>:dtv_app_mtk,am,:started=agent_app
[dtv_app_mtk]>_id =0
[dtv_app_mtk]>
<MSCVT>language is eng
[dtv_app_mtk]>
<MSCVT>country is USA
[dtv_app_mtk]>
Get  APP_CFG_RECID_VID_LUMA
[dtv_app_mtk]>

[dtv_app_mtk]>
[dtv_app_mtk]> file=wifi_direct.c line = 599, func=a_wifi_direct_register reason = 0
[dtv_app_mtk]>

 file=wifi_direct.c line = 603, func=a_wifi_direct_register reason = 0
[dtv_app_mtk]>

 file=wifi_direct_view_main.c line = 730, func=wifi_direct_view_main_proc_fct reason = 268
[dtv_app_mtk]>

 file=wifi_direct_view_main.c line = 730, func=wifi_direct_view_main_proc_fct reason = 267
[dtv_app_mtk]>

 file=wifi_direct_view.c line = 616, func=_wifi_direct_view_init reason = 0
[dtv_app_mtk]>

 file=wifi_direct_view.c line = 624, func=_wifi_direct_view_init reason = 0
[dtv_app_mtk]>

[INET] 6.156, x_net_ni_reg_ev_notify.2009 >>> dev: wifi0->wifi0, event: 1, plugin
[dtv_app_mtk]>
[INET] 6.157, x_net_ni_reg_ev_notify.2009 >>> dev: wifi0->wifi0, event: 2, unplug
[dtv_app_mtk]>
 file=wifi_direct.c line = 180, func=_wifi_direct_init reason = 0
[dtv_app_mtk]>

_wifi_direct_init enable wifi direct
[dtv_app_mtk]>
[INET] 6.169, ni_mon_thread.1906 >>> wifi0 is unplug!
[dtv_app_mtk]>
<MENU> Because this is 2D panel, 3d item is hide.
[dtv_app_mtk]>mkdir: cannot create directory '/3rd_rw/tmp_upg': File exists
[dtv_app_mtk]>

[dtv_app_mtk]>
 creat  /tmp/keyboard_exist ,dev_type=1 
[dtv_app_mtk]>
 
[dtv_app_mtk]>
 creat  /tmp/mouse_exist ,dev_type=2 
[dtv_app_mtk]>
 [xuehongfeng] is acfg_video.c,acfg_video_update,7406
[dtv_app_mtk]>

[dtv_app_mtk]>[NAV]SVL_ID= 2, ui_tuner_type = 1, ui1_svl_lst_idx = 0 @Func = 
[dtv_app_mtk]>
[NAV]SVL_ID= 2, ui_tuner_type = 1, ui1_svl_lst_idx = 0 @Func = 
[dtv_app_mtk]>
Get  APP_CFG_RECID_VID_LUMA
[dtv_app_mtk]>
acfg_common.c, Get RRT2_idx=5
[dtv_app_mtk]>
{RRCTX}[L730] i4_ret = 0  len = 1
[dtv_app_mtk]>
{Rating_Info}[L276] set region id 5   0 
[dtv_app_mtk]>
========network.c,5816,[a_nw_init] init NMC/DMR stack ========
[dtv_app_mtk]>
========hs_nmc_dmr.c,2195,[hs_nmc_dmr_stack_init] init NMC/DMR lib add wanghaibin log ========
[dtv_app_mtk]>
========hs_nmc_dmr.c,2201,[hs_nmc_dmr_stack_init] call tm_dmscp_ioctl(TRUE) add wanghaibin log ========
[dtv_app_mtk]>
reason: 0x00000003 - 0x00000000
[dtv_app_mtk]>
[dtv_app_mtk]>
===ONE_TOUCH_PLAY wake up reason 3===
[dtv_app_mtk]>
reason: 0x00000003 - 0x00000000
[dtv_app_mtk]>reason: 0x00000003 - 0x00000000
[dtv_app_mtk]>[PosDemo] Demo mode selection is OFF
[dtv_app_mtk]>

[dtv_app_mtk]><wfd>: a_wfd_init is OK

[dtv_app_mtk]>
 file=wifi_direct.c line = 473, func=_wifi_direct_device_remove_nfy_handler reason = 2
[dtv_app_mtk]>

 file=wifi_direct.c line = 474, func=_wifi_direct_device_remove_nfy_handler reason = 1
[dtv_app_mtk]>

 file=wifi_direct.c line = 703, func=wifi_direct_app_get_p2p_sta reason = 1
[dtv_app_mtk]>

 file=wifi_direct.c line = 703, func=wifi_direct_app_get_p2p_sta reason = 1
[dtv_app_mtk]>


[dtv_app_mtk]>:dtv_app_mtk,am,:started=eas_app
[dtv_app_mtk]>
[dtv_app_mtk]>
 channel info: svl_id(262272), channel_id(262272) 
[dtv_app_mtk]>

[dtv_app_mtk]>
DIVX_DRM_51
[dtv_app_mtk]>
strMacRet -> 6C9D
[dtv_app_m[   14.062183] star: star_open(eth0)

tk]>
========GetModelMac -> 50K220GWUS6C9D==========
[dtv_app[   14.071014] star: request interrupt vector=40

_mtk]>
nmc_ldmr_init IN
[dtv_app_mtk]>
initDmcList ... 
[dtv[   14.081061] star: Internal PHY mode

_app_mtk]>
readList >> no file yet.
[dtv_app_mtk]>

[dtv_app_mtk]>
set g_bIsSeeking to FALSE
[dtv_app_mtk]>
nResult == CP_ERR_NO_ERROR
[dtv_app_mtk]>
[INET] 7.238, x_net_ip_v6_auto.4714 >>> (eth0->eth0, b_restart_if = 0
[dtv_app_mtk]>
[INET] 7.239, x_net_network_reg_nfy.4291 >>> 0x40f72bb0, 0x00000000
[dtv_app_mtk]>
[INET] 7.240, x_net_ni_enable.1444 >>> if enable eth0->eth0
[dtv_app_mtk]>


[dtv_app_mtk]>
 @@@@@@@@@@@@@@@t_g_menu_common_item_auto_upgrade added!
[dtv_app_mtk]>
menu_factory_hierarchy.c,2793,s_tmp_str=api.us.hismarttv.com
[dtv_app_mtk]>
,
[dtv_app_mtk]><factory> init is invoked
[dtv_app_mtk]>
AM_BRDCST_MSG_POWER_ON
[dtv_app_mtk]>
numb=0 t_fac_src_sw_av.numbs=0
[dtv_app_mtk]>

numb=0 t_fac_src_sw_av.numbs=0
[dtv_app_mtk]>

numb=1 t_fac_src_sw_av.numbs=1
[dtv_app_mtk]>


[dtv_app_mtk]>:dtv_app_mtk,am,:started=factory
[   14.186103] ADDRCONF(NETDEV_UP): eth0: link is not ready

[dtv_app[   14.190674] 5707 write 1 byte ok!

[   14.192911] 5711 write 1 byte fail=0x 6, 0x 0!

_mtk]>[INET] 7.367, x_net_network_reg_nfy.4295 >>> call eth0 enabled
[dtv_app_mtk]>
<ACFG> Open audio outport: 0 ms
[dtv_app_mtk]>
Enter next state by event 4
[dtv_a[   14.427972] 

[   14.427977]  <drv_cust_api>___GPIO(224),set to (1)  

[   14.427981]  pp_mtk]>acfg_common.c, Get RRT2_idx=5
[dtv_app_mtk]>
{RRCTX}[L730] i4_ret = 0  len = 1
[dtv_app_mtk]>
{Rating_Info}[L276] set region id 5   0 
[dtv_app_mtk]>

[dtv_app_mtk]>
 true NowTV=50K220GWUS-- SMART_DMR_MODEL=50K220GWUS--LEN=10--
[dtv_app_mtk]>
---Right_TV_Model---acfg_custom_update_all---7486--


[   14.541132]  111111 <api_pecustui>___GPIO(67),get status (0)  

[   14.541139]  

[   14.545754]  <api_pecustui>___GPIO(67),get status (0)  

[   14.545759]  >>setmatrixlvladj in_y_ofst=200 

[dtv_app_mtk]>

[dtv_app_mtk]>
!!!!!![SHL]FILE:acfg_custom.c,FUNC:a_cfg_get_hp_plug_in_gpio_polarity,LINE:10171,u4GpioVal:0!!!!!!
[dtv_app_mtk]>

[dtv_app_mtk]>
<SHL-power>a_cfg_get_hp_plug_in_gpio_polarity=0 
[dtv_app_mtk]>
[xuehongfeng] is acfg_video.c,acfg_video_update,7406
[dtv_app_mtk]>
Get  APP_CFG_RECID_VID_LUMA
[   14.826660] [NPTV]FlashPQ Gamma OK

[   14.884775] >>setmatrixlvladj in_y_ofst=200 

[   14.886427] >>setmatrixlvladj in_y_ofst=200 

[   14.890741] Output Width or Height is 0

[dtv_app_mtk]>
[acfg_video_update]8722,  3D_Mode= 0,  s_n[   14.901742] Output Width or Height is 0

ame=dtv_app_mtk
[dtv_app_mtk]>
<ACFG> The min/max/pos of h-po[   14.911211] [NPTV]FlashPQ Gamma OK

s in driver is wrong.
[dtv_app_mtk]>
<ACFG> The min/max/pos of v-pos in driver is wrong.
[dtv_app_mtk]>
[xuehongfeng] is acfg_video.c,acfg_video_update,7406
[dtv_app_mtk]>
Get  APP_CFG_RECID_VID_LUMA
[dtv_app_mtk]>
# mount perm
[   15.877695] UBI: attaching mtd10 to ubi2

[   15.878876] UBI: save scan info advance:     1

[   15.883440] UBI: physical eraseblock size:   131072 bytes (128 KiB)

[   15.889806] UBI: logical eraseblock size:    126976 bytes

[   15.895072] UBI: smallest flash I/O unit:    2048

[   15.899664] UBI: VID header offset:          2048 (aligned 2048)

[   15.907285] UBI: data offset:                4096

[   15.919731] UBI: scan info block is a empty block

[   15.921791] UBI: ubi get sid err[-22]

[   15.936883] UBI: max. sequence number:       512

[   15.951517] UBI: attached mtd10 to ubi2

[   15.952597] UBI: MTD device name:            "perm"

[   15.961044] UBI: MTD device size:            5 MiB

[   15.965993] UBI: number of good PEBs:        39

[   15.967743] UBI: number of bad PEBs:         0

[   15.981071] UBI: number of corrupted PEBs:   0

[   15.982735] UBI: max. allowed volumes:       128

[   15.995991] UBI: wear-leveling threshold:    4096

[   15.997915] UBI: number of internal volumes: 1

[   16.006070] UBI: number of user volumes:     1

[   16.007732] UBI: available PEBs:             0

[   16.015979] UBI: total number of reserved PEBs: 39

[dtv_app_mtk]>[DM[   16.019534] UBI: number of PEBs reserved for bad PEB handling: 5

[   16.026127] UBI: max/mean erase counter: 20/13

[   16.029882] UBI: image sequence number:  1102700798

[   16.035079] UBI: background thread "ubi_bgt2d" started, PID 616

] usbfs mounted.
[dtv_app_mtk]>
UBI device number 2, total 39 LEBs (4952064 bytes, 4.7 MiB), available 0 LEBs (0 bytes), LEB size 126976 bytes (124.0 KiB)
[   16.067850] UBIFS: recovery needed

[   16.125078] UBIFS: recovery completed

[   16.126286] UBIFS: mounted UBI device 2, volume 0, name "perm"

[   16.131916] UBIFS: file system size:   2539520 bytes (2480 KiB, 2 MiB, 20 LEBs)

[   16.139294] UBIFS: journal size:       1142785 bytes (1116 KiB, 1 MiB, 8 LEBs)

[   16.146556] UBIFS: media format:       w4/r0 (latest is w4/r0)

[   16.152332] UBIFS: default compressor: lzo

[   16.156221] UBIFS: reserved for root:  0 bytes (0 KiB)

[dtv_app_mtk]>[INFO] playready  installation
[dtv_app_mtk]>/etc/scripts/ins_playready.sh: cd: line 9: can't cd to /3rd/playready/data
[dtv_app_mtk]>[ERROR] Please put bgroupcert.dat to this folder
[dtv_app_mtk]>[FM-Linux]Mount /dev/mtd10 to /perm successfully.
[dtv_app_mtk]>
[FM](/dev/mtd10) is mounted to (/perm) successfully(0)
[dtv_app_mtk]>
3rd partition is already attached!!!
[dtv_app_mtk]>3rd partition is already mounted!!!
[dtv_app_mtk]>[FM-Linux]Mount /dev/mtd9 to /3rd_rw successfully.
[dtv_app_mtk]>
[FM](/dev/mtd9) is mounted to (/3rd_rw) successfully(0)
[dtv_app_mtk]>
# mount 3rd DMVERITY(SquashFS read-only)
[dtv_app_mtk]>3rd_ro partition is already attached!!!
[dtv_app_mtk]>[FM-Linux]Mount /dev/mtd12 to /3rd successfully.
[dtv_app_mtk]>
[FM](/dev/mtd12) is mounted to (/3rd) successfully(0)
[   16.492210] rtusb init rtusbSTA --->

[   16.493309] usbcore: registered new interface driver rtusbSTA

[   16.564079] NTFS driver 2.1.30 [Flags: R/O MODULE].

[   16.597081] usbcore: registered new interface driver usbhid

[   16.599873] usbhid: USB HID core driver

[dtv_app_mtk]>mount: mounting none on /proc/bus/usb failed: Device or resource busy
[   16.633021] v4l2_common: Unknown symbol v4l2_ctrl_get_menu (err 0)

[   16.636693] v4l2_common: Unknown symbol v4l2_ctrl_fill (err 0)

[dtv_app_mtk]>insmod: can't insert '/basic/modules/v4l2-common.ko': unknown symbol in module or invalid parameter
[   16.655688] Linux video capture interface: v2.00

[   16.666183] usbcore: registered new interface driver uvcvideo

[   16.669363] USB Video Class driver (v1.1.0)

[   16.680733] [email protected]#[email protected]# @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ alsa_card_mtk_init 201202101600

[dtv_app_mtk]>
reason: 0x00000003 - 0x00000000
[dtv_app_mtk]>reason: 0x00000003[   16.734777] >>setmatrixlvladj in_y_ofst=200 

[   16.738925] >>setmatrixlvladj in_y_ofst=200 

[   16.743261] Output Width or Height is 0

 - 0x00000000
[dtv_app_mtk]>
[dtv_app_mtk]>
[dtv_app_mtk]>
 channel info: svl_id(262272), channel_id(262272) 
[dtv_app_mtk]>
[PosDemo] Demo mode selection is OFF
[   17.155913] MUC_Irq 3843: [USB]Connect interrupt  = 0x10.

[   17.175902] MUC_Irq 3843: [USB]Connect interrupt  = 0x10.

[dtv_app_mtk]>
[PosDemo] Demo mode selection is OFF
[   17.255909] usb_events_timer_func 529: [usb]USB_EVENTS_CHECK_CONNECT

[   17.275902] usb_events_timer_func 529: [usb]USB_EVENTS_CHECK_CONNECT

[   17.484747] >>setmatrixlvladj in_y_ofst=200 

[   17.541232] usb 1-1: new high speed USB device number 2 using MtkUsbHcd

[dtv_app_mtk]>
[xuehongfeng] is acfg_video.c,acfg_video_update,7406
[dtv_app_mtk]>
Get  APP_CFG_RECID_VID_LUMA
[   17.745795] [NPTV]FlashPQ Gamma OK

[   17.770172] 

[   17.770176] 

[   17.770179] === pAd = dfcc3000, size = 1603200 ===

[   17.770184] 

[   17.778766] <-- RTMPAllocTxRxRingMemory, Status=0

[   17.781841] <-- RTMPAllocAdapterBlock, Status=0

[   17.786215] Efuse Size=0x2d [2d0-2fc] 

[   17.789674] NVM is EFUSE

[dtv_app_mtk]>
[acfg_video_update]8722,  3D_Mode= 0,  s_name=dtv_app_mtk
[dtv_app_mtk]>
[xuehongfeng] is acfg_video.c,acfg_vi[   17.814219] [NPTV]FlashPQ Gamma OK

deo_update,7406
[dtv_app_mtk]>
Get  APP_CFG_RECID_VID_LUMA
[dtv_app_mtk]>
[INET] 11.229, ni_mon_thread.1850 >>> ra0 is plug!
[dtv_app_mtk]>
 file=wifi_direct.c line = 473, func=_wifi_direct_device_remove_nfy_handler reason = 1
[dtv_app_mtk]>

 file=wifi_direct.c line = 474, func=_wifi_direct_device_remove_nfy_handler reason = 1
[   18.075991] usb 2-1: new high speed USB device number 2 using MtkUsbHcd

[   18.287956] hub 2-1:1.0: USB hub found

[   18.289008] hub 2-1:1.0: 4 ports detected

[   18.391153] MGC_FindEnd 757: [USB] Port-1: New Dev=0xC93B3800, proto=I int, wPacketSize=8.

[   18.396643] MGC_FindEnd 760: [USB] Port-1: idVendor=0x1A40, idProduct=0x0101, bcdDevice=0x0100.

[   18.405323] MGC_FindEnd 850: [USB] Rx Ep 7 is free for use.

[   18.410878] MGC_FindEnd 900: [USB] Rx Ep 7 prepare to use fifo at 64.

[dtv_app_mtk]>

[INET] 13.689, _net_network_ready_thread.4220 >>> start
[dtv_app_mtk]>
[INET] 13.690, x_net_network_init.285 >>> start
[dtv_app_mtk]>[WIFI MW]c_net_wlan_wpa_reg_cbk
[dtv_app_mtk]>[WIFI MW]c_net_wlan_task_create
[dtv_app_mtk]>
[INET] 13.744, x_net_ni_enable.1444 >>> if enable eth0->eth0
[dtv_app_mtk]>
[INET] 13.744, x_net_network_init.357 >>> call eth0 enabled
[dtv_app_mtk]>
[INET] 13.744, x_net_ni_reg_ev_notify.2009 >>> dev: wifi0->wifi0, event: 1, plugin
[dtv_app_mtk]>
[INET] 13.744, x_net_ni_reg_ev_notify.2009 >>> dev: wifi0->wifi0, event: 2, unplug
[dtv_app_mtk]>
[INET] 13.745, x_net_network_init.371 >>> wifi plug/unplug callback reg-ed
[dtv_app_mtk]>
[INET] 13.745, x_net_network_init.374 >>> inited
[dtv_app_mtk]>
[INET] 13.745, x_net_ni_reg_ev_notify.2009 >>> dev: eth0->eth0, event: 3, ipchg
[dtv_app_mtk]>
[INET] 13.745, x_net_ni_reg_ev_notify.2009 >>> dev: eth0->eth0, event: 4, ipexp
[dtv_app_mtk]>
[INET] 13.745, x_net_ni_reg_ev_notify.2009 >>> dev: eth0->eth0, event: 1, plugin
[dtv_app_mtk]>
[INET] 13.746, x_net_ni_reg_ev_notify.2009 >>> dev: eth0->eth0, event: 2, unplug
[dtv_app_mtk]>
[INET] 13.746, x_net_ni_reg_ev_notify.2009 >>> dev: wifi0->wifi0, event: 3, ipchg
[dtv_app_mtk]>
[INET] 13.746, x_net_ni_reg_ev_notify.2009 >>> dev: wifi0->wifi0, event: 4, ipexp
[dtv_app_mtk]>
[INET] 13.747, x_net_ni_reg_ev_notify.2009 >>> dev: wifi0->wifi0, event: 1, plugin
[dtv_app_mtk]>
[INET] 13.747, x_net_ni_reg_ev_notify.2009 >>> dev: wifi0->wifi0, event: 2, unplug
[dtv_app_mtk]>
eth0 is unplug!
[dtv_app_mtk]>
[INET] 13.748, x_net_ni_enable.1444 >>> if enable eth0->eth0
[dtv_app_mtk]>
[INET] 13.748, x_net_enable.3543 >>> call eth0 enabled
[dtv_app_mtk]>
[INET] 13.748, x_net_set_if_type.416 >>> type: 71, wifi?
[dtv_app_mtk]>
[INET] 13.749, x_net_ip_config.836 >>> (eth0->eth0, 0x00000000, 0xff000000, 0x00000000)
[dtv_app_mtk]>
[INET] 13.768, ni_mon_thread.1850 >>> ra0 is plug!
[dtv_app_mtk]>
[INET] 13.768, ni_mon_thread.1906 >>> eth0 is unplug!
[dtv_app_mtk]>
[/sbin/ifconfig.script] ifconfig interface ipaddr netmask maskaddr
[dtv_app_mtk]>[/sbin/ifconfig.script] ifconfig eth0 0.0.0.0
[dtv_app_mtk]>DHCP_FLAG=0
[dtv_app_mtk]>IP=0.0.0.0
[dtv_app_mtk]>Subnet=0.0.0.0
[dtv_app_mtk]>router=0.0.0.0
[dtv_app_mtk]>DNS1=0.0.0.0
[dtv_app_mtk]>DNS2=0.0.0.0
[dtv_app_mtk]>[INET] 13.823, x_net_ni_enable.1444 >>> if enable wifi0->ra0
[   20.870109] NICLoadFirmware: We need to load firmware

[   20.940822] RTMP_TimerListAdd: add timer obj dfde6418!

[   20.943572] RTMP_TimerListAdd: add timer obj dfde6430!

[   20.950647] RTMP_TimerListAdd: add timer obj dfde6448!

[   20.953682] RTMP_TimerListAdd: add timer obj dfde6400!

[   20.958760] RTMP_TimerListAdd: add timer obj dfde63b8!

[   20.964109] RTMP_TimerListAdd: add timer obj dfde63d0!

[   20.969042] RTMP_TimerListAdd: add timer obj dfd7b64c!

[   20.973967] RTMP_TimerListAdd: add timer obj dfd67cdc!

[   20.979494] RTMP_TimerListAdd: add timer obj dfd67cf8!

[   20.984242] RTMP_TimerListAdd: add timer obj dfd7b6a8!

[   20.989556] RTMP_TimerListAdd: add timer obj dfd67d14!

[   20.994846] RTMP_TimerListAdd: add timer obj dfd6a644!

[   20.999641] RTMP_TimerListAdd: add timer obj dfd69eb4!

[   21.004932] RTMP_TimerListAdd: add timer obj dfd6a628!

[   21.010253] RTMP_TimerListAdd: add timer obj dfd6a8cc!

[   21.015043] RTMP_TimerListAdd: add timer obj dfd6a660!

[   21.020298] RTMP_TimerListAdd: add timer obj dfd6a67c!

[   21.025347] RTMP_TimerListAdd: add timer obj dfd6a698!

[   21.030640] RTMP_TimerListAdd: add timer obj dfcc77d0!

[   21.035616] RTMP_TimerListAdd: add timer obj dfcc7040!

[   21.040642] RTMP_TimerListAdd: add timer obj dfcc77b4!

[   21.046051] RTMP_TimerListAdd: add timer obj dfcc7a58!

[   21.050757] RTMP_TimerListAdd: add timer obj dfcc79d0!


....
Attached Files
File Type: txt hisense.txt - [Click for QR Code] (176.6 KB, 98 views)
The Following 2 Users Say Thank You to borillion_star For This Useful Post: [ View ] Gift borillion_star Ad-Free
23rd April 2016, 10:07 AM |#26  
vache's Avatar
Recognized Developer
Flag Paris
Thanks Meter: 3,577
 
Donate to Me
More
Just noticed that using Browser and going to file:// (we can use keyboard and mouse with it) we can browse entire file system.
The Following User Says Thank You to vache For This Useful Post: [ View ]
23rd April 2016, 12:07 PM |#27  
Member
Thanks Meter: 10
 
More
Nice find thx

Sent from my SM-N910F using Tapatalk
24th April 2016, 05:06 PM |#28  
vache's Avatar
Recognized Developer
Flag Paris
Thanks Meter: 3,577
 
Donate to Me
More
56789 and 56790 ports are used by something like this : https://gfiber.googlesource.com/vendor/opensource/dial/

Ex.: http://192.168.1.19:56790/dd.xml
http://192.168.1.19:56789/apps/YouTube
http://192.168.1.19:56789/apps/Netflix

It uses Mongoose as web server, didn't find exploit for it.
The Following User Says Thank You to vache For This Useful Post: [ View ]
25th April 2016, 06:43 AM |#29  
OP Member
Thanks Meter: 20
 
More
@vache

Code:
mount 3rd DMVERITY(SquashFS read-only,
I am concerned about this, this has a block level verification on the nand.

DM-Verity - validates the data blocks contained in a file system against a list of cryptographic hash values.

Now on Chrome OS devices, the systems have a developer mode switch. Nothing like this appears to be present on this board.
It could be software based, but it may not exist at all. Use Caution.
25th April 2016, 07:44 AM |#30  
vache's Avatar
Recognized Developer
Flag Paris
Thanks Meter: 3,577
 
Donate to Me
More
Yeah i saw that too. There is also a 4k blocks header in upgrade file before both squashfs file, containing md5 sum. I think it's use before flashing.

Repacking may be harder than i think.
2nd May 2016, 05:58 PM |#31  
vache's Avatar
Recognized Developer
Flag Paris
Thanks Meter: 3,577
 
Donate to Me
More
@borillion_star Could you try to capture logs while update running ?
Post Reply Subscribe to Thread

Tags
exploit, hisense, linux, root, smart tv

Guest Quick Reply (no urls or BBcode)
Message:
Previous Thread Next Thread
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes