[TOOLS] Mstar Android TV firmware tools

[dipcore]

Mstar Android TV firmware tools​

Phython 3.4+ required.

Currently available tools:
unpack.py - unpack MStar bin firmware
pack.py - pack MStar bin firmware
extract_keys.py - extract AES and RSA-public keys from MBOOT binary
secure_partition.py - encrypt image and generate signature file

Unpack MStar bin firmware files

Usage: unpack.py <firmware> <output folder [default: ./unpacked/]>
        <firmware> - MStar bin firmware to unpack
        <output folder> - directory to store unpacked stuff. Default value: ./unpacked/

Pack MStar bin firmware
Usage: pack.py <config file>

Example: pack.py configs/letv-x355pro-full.ini
        <config file> - Configuration file. The config file structure will be described later.
                        For now you can take a look at configs/letv-x355pro-full.ini
                        and use it as an example

Extract keys from MBOOT
That tool is used to get AES and public RSA keys from the MBOOT. AES keys are needed to encrypt/decrypt boot.img and recovery.img images. aescrypt2 tool is used.

Usage: extract_keys.py <path to mboot> [<folder to store keys>] [<key bank offset>] [<key bank size>]
Defaults:
          <folder to store keys>        keys
          <key bank offset>             0x168e00
          <key bank size>               0x450
Example: extract_keys.py ./unpacked/MBOOT.img
Example: extract_keys.py ./unpacked/MBOOT.img ./keys 0x169e00 0x450

Encrypt partition and generate signature
All new MStar builds have SECURE_BOOT option enabled. In that case boot.img and recovery.img is encrypted (AES) and signed with RSA priv keys. That script is used to encrypt image and generate sign file.
To manually encrypt|decrypt image use aescrypt tool from bin folder. AES key can be extracted from MBOOT with extract_keys.py script.

Usage: secure_partition.py <file to encrypt> <AES key file> <RSA private key file> <RSA public key file> <output encrypted file> <output signature file>
Example: secure_partition.py ./pack/boot.img ./keys/AESbootKey ./keys/RSAboot_priv.txt ./keys/RSAboot_pub.txt ./pack/boot.img.aes ./pack/bootSign

Download tools:
https://github.com/dipcore/mstar-bin-tool

 

[dipcore]

reserved

 

[bamster89]

hi how to backup mstar tv partition including tee.img and sboot.bin?
is there any way to backup them?
i cant find my specific firmware for my mstar CV628H_B42 32SX250 (32EX250F) ctvupgrade.bin

 

[dipcore]

hi how to backup mstar tv partition including tee.img and sboot.bin?
is there any way to backup them?
i cant find my specific firmware for my mstar CV628H_B42 32SX250 (32EX250F) ctvupgrade.bin

You can use dd tool and create needed images. All what you need is here: /dev/block/platform/mstar_mci.0/by-name/ root is required.

Another way to do so is to create a back up of whole emmc device and then using any hex editor just slice it on required partitions (emmc header structure is pretty straightforward).
You can do it via mboot console (uart acces is required) or you can flash specially prepared firmware bin (look at https://github.com/dipcore/mstar-bin-tool/blob/master/configs/letv-emmc2usb.ini as an example). Basically that bin will just run couple mboot commands to start copying emmc to usb device.
PS You can access to debugging uart via VGA port on the TV. Use 12 and 15 pins (see attachment). 99% of mstar based TV have uart routed to those unused pins on VGA port. So no need to open TV and solder something.

Take a look on this:

 

[bamster89]

You can do it via mboot console (uart acces is required) or you can flash specially prepared firmware bin (look at https://github.com/dipcore/mstar-bin-tool/blob/master/configs/letv-emmc2usb.ini as an example). Basically that bin will just run couple mboot commands to start copying emmc to usb device.

i modify this 2 lines in configs/letv-emmc2usb.ini
FirmwareFileName=CtvUpgrade.bin
......
#emmcbin 0 to emmcbin 0
.......
setenv CtvUpgrade_complete 1

and pack after that ,,
i upgrade my mstar in factory menu Source +2580 ..,, and it reboot instantly and there is no partition save in USB.,

this is my MBOOT.img
https://mega.nz/#!LBgQjZbZ!ZirBzDOwbJrz6q-wD7gnikeNPGnVXfD8nGyKiaVkPls

 

[dipcore]

i upgrade my mstar in factory menu Source +2580 ..,, and it reboot instantly and there is no partition save in USB

Its two step process.

1. EMMC backup. Prepare and flash 1st bin file:

[Main]
FirmwareFileName=CtvUpgrade.bin
ProjectFolder=./pack
useHexValuesPrefix=false

SCRIPT_FIRMWARE_FILE_NAME=${FirmwareFileName}
DRAM_BUF_ADDR=20200000
MAGIC_FOOTER=12345678
HEADER_SIZE=16KB

[HeaderScript]
Prefix:
	mmc dd mmc2usb 0

Suffix:
	# Nothing here

It will take some time to copy it to usb drive (in my case it was like 25 minutes)

2. Restore normal boot process. Pack and flash 2-nd bin:

[Main]
FirmwareFileName=CtvUpgrade.bin
ProjectFolder=./pack
useHexValuesPrefix=false

SCRIPT_FIRMWARE_FILE_NAME=${FirmwareFileName}
DRAM_BUF_ADDR=20200000
MAGIC_FOOTER=12345678
HEADER_SIZE=16KB

[HeaderScript]
Prefix:
	setenv MstarUpgrade_complete 1
	setenv ForcePowerOn 0
	saveenv

Suffix:
	# Nothing here

After flasing it will restore normal boot process.

 

[dipcore]

One more thing, in the line
mmc dd mmc2usb 0
it uses usb port #0 in the TV. I do not know where is it located in your TV. You may try all usb ports. If that did not worked then just change it to
mmc dd mmc2usb 1 etc

 

[bamster89]

One more thing, in the line
mmc dd mmc2usb 0
it uses usb port #0 in the TV. I do not know where is it located in your TV. You may try all usb ports. If that did not worked then just change it to
mmc dd mmc2usb 1 etc

i already did changing 0-3 and try to put 3 usb on each port each usb have CtvUpgrade.bin same thing happens no partition created on usb ithink my MBOOT does not allow me to use mmc dd mmc2usb and emmcbin

all i did is to manually backup using dd in terminal
this is my fstab.madison

root@cv6a628h_caixun_international:/ # cat fstab.madison
# Android fstab file.
#<src>                                                  <mnt_point>         <type>    <mnt_flags>                                          <fs_mgr_flags>
# The filesystem that contains the filesystem checker binary (typically /system) cannot
# specify MF_CHECK, and must come before any filesystems that do specify MF_CHECK


/dev/block/platform/mstar_mci.0/by-name/system          /system             ext4      ro                                                    wait
/dev/block/platform/mstar_mci.0/by-name/cache           /cache              ext4      noatime,nosuid,nodev                                  wait,block_validity,nodiscard,data=ordered,journal_checksum
/dev/block/platform/mstar_mci.0/by-name/userdata        /data               ext4      noatime,nosuid,nodev                                  wait,block_validity,nodiscard,data=ordered,journal_checksum
/dev/block/platform/mstar_mci.0/by-name/tvservice       /tvservice          ext4      ro                                                    wait
/dev/block/platform/mstar_mci.0/by-name/tvconfig        /tvconfig           ext4      noatime,nosuid,nodev                                  wait,block_validity,nodiscard,data=ordered,journal_checksum
/dev/block/platform/mstar_mci.0/by-name/tvdatabase      /tvdatabase         ext4      noatime,nosuid,nodev                                  wait,block_validity,nodiscard,data=ordered,journal_checksum
/dev/block/platform/mstar_mci.0/by-name/tvcustomer      /tvcustomer         ext4      noatime,nosuid,nodev                                  wait,block_validity,nodiscard,data=ordered,journal_checksum
/dev/block/platform/mstar_mci.0/by-name/usersdcard      /usersdcard         vfat      noatime,nosuid,nodev                                      wait,block_validity,nodiscard,data=ordered,journal_checksum
/dev/block/platform/mstar_mci.0/by-name/factory        /factory                           ext4      noatime,nosuid,nodev                                        wait,block_validity,nodiscard,data=ordered,journal_checksum
/dev/block/zram0                                        none                swap      defaults                                              zramsize=104857600
/dev/block/mmcblk0boot0                                 /boot1              emmc      defaults                                              defaults
/dev/block/mmcblk0boot1                                 /boot2              emmc      defaults                                              defaults
/dev/block/platform/mstar_mci.0/by-name/MBOOT           /MBOOT              emmc      defaults                                              defaults
/dev/block/platform/mstar_mci.0/by-name/MPOOL           /MPOOL              emmc      defaults                                              defaults
/dev/block/platform/mstar_mci.0/by-name/misc            /misc               emmc      defaults                                              defaults
/dev/block/platform/mstar_mci.0/by-name/recovery        /recovery           emmc      defaults                                              defaults
/dev/block/platform/mstar_mci.0/by-name/boot            /boot               emmc      defaults                                              defaults
/dev/block/platform/mstar_mci.0/by-name/RTPM            /RTPM               ext4      defaults                                              defaults

dd if=/dev/block/platform/mstar_mci.0/by-name/system of=/mnt/usb/sda1/DUMP/system.img
dd if=/dev/block/platform/mstar_mci.0/by-name/cache of=/mnt/usb/sda1/DUMP/cache.img
dd if=/dev/block/platform/mstar_mci.0/by-name/userdata of=/mnt/usb/sda1/DUMP/userdata.img
dd if=/dev/block/platform/mstar_mci.0/by-name/tvservice of=/mnt/usb/sda1/DUMP/tvservice.img
dd if=/dev/block/platform/mstar_mci.0/by-name/tvconfig of=/mnt/usb/sda1/DUMP/tvconfig.img
dd if=/dev/block/platform/mstar_mci.0/by-name/tvdatabase of=/mnt/usb/sda1/DUMP/tvdatabase.img
dd if=/dev/block/platform/mstar_mci.0/by-name/tvcustomer of=/mnt/usb/sda1/DUMP/tvcustomer.img
dd if=/dev/block/platform/mstar_mci.0/by-name/usersdcard of=/mnt/usb/sda1/DUMP/usersdcard.img
dd if=/dev/block/platform/mstar_mci.0/by-name/factory of=/mnt/usb/sda1/DUMP/factory.img
dd if=/dev/block/mmcblk0boot0 of=/mnt/usb/sda1/DUMP/boot1.bin
dd if=/dev/block/mmcblk0boot1 of=/mnt/usb/sda1/DUMP/boot2.bin
dd if=/dev/block/platform/mstar_mci.0/by-name/MBOOT of=/mnt/usb/sda1/DUMP/MBOOT.img
dd if=/dev/block/platform/mstar_mci.0/by-name/MPOOL of=/mnt/usb/sda1/DUMP/MPOOL.img
dd if=/dev/block/platform/mstar_mci.0/by-name/misc of=/mnt/usb/sda1/DUMP/misc.img
dd if=/dev/block/platform/mstar_mci.0/by-name/recovery of=/mnt/usb/sda1/DUMP/recovery.img
dd if=/dev/block/platform/mstar_mci.0/by-name/boot of=/mnt/usb/sda1/DUMP/boot.img
dd if=/dev/block/platform/mstar_mci.0/by-name/RTPM of=/mnt/usb/sda1/DUMP/RTPM.img

root@cv6a628h_caixun_international:/ # ls /dev/block/platform/mstar_mci.0/by-name/
MBOOT
MPOOL
RTPM
boot
cache
factory
misc
recovery
system
tvconfig
tvcustomer
tvdatabase
tvservice
userdata
usersdcard

ifound this on my MBOOT

 sar sar Command: (0-base, SAR0~SAR5)
sar <ch#> : ex: sar 0       // read sar channel 0
 panel_pre_init  - init panel by panel.ini
 command: panel_pre_init [option]
 -s : static init : panel init para from uboot
 -d : dynamic init : panel init para from SN panel_init  - init panel by panel.ini
 command: panel_init [option]
 -s : static init : panel init para from uboot
 -d : dynamic init : panel init para from SN panel_post_init backligth on  - backlight on
 command: backlight_on
 mmcinfo display MMC info mmcreg mmcreg show ext-csd <dev num>
    - device number of the device to dislay info of
 bin2emmc bin2emmc - read bin file and restore it to emmc
 command: bin2emmc [usbportnum] [pad] [binname] [offset/partitionname]
 emmcbootbin emmcbootbin - dump emmc boot partition and write it to fat usb disk
 command: emmcbootbin [usbportnum] [partitionname]
 emmcbin emmcbin - dump emmc and restore it to fat usb disk
 command: emmcbin [usbportnum] [pad] [binname] [offset/partitionname] [dumpsize]
 mmcbininfo mmcbininfo - Valid block num in each partition
 command: mmcbininfo [usbportnum]
 read[.boot|.gp] [bootpart|gppart] addr blk# size
mmc write[.boot|.gp] [bootpart|gppart] addr blk# size [empty_skip:0-disable,1-enable]
mmc readall - read all blocks for device internal ecc check
mmc crcall - read all blocks and calculate crc32
mmc read.p addr partition_name size
mmc read.p.continue addr partition_name offset size
mmc write.p addr partition_name size [empty_skip:0-disable,1-enable]
mmc write.p.continue addr partition_name offset size [empty_skip:0-disable,1-enable]
mmc rescan
mmc part[.gp] - lists available [GP] partition on current mmc device
mmc look [name] - lists specific partition info on mmc
mmc dev [dev] [part] - show or set current mmc device [partition]
mmc list - lists available devices
mmc create [name] [size]- create/change mmc partition [name]
mmc create.gp part_no size enh_attr ext_attr relwr_attr - create/change eMMC GP partition No.[part_no(0~3)] with size and enhance/extended/reliable_write attribute
mmc create.enhusr start_addr size enha_attr relwr_atrr - create/change eMMC enhance user partition(slc mode) from start_addr with size and enhance/reliable_write attribute
mmc create.complete - complete eMMC gp, enhance user, reliable write partition setting

Note: enh_attr = 0: no slc mode 1: using slc mode, ext_attr = 0: no attr 1: system code 2: Non-persisent, relwr_attr = 0: disable 1: enable reliable write

mmc remove [name] - remove mmc partition [name]
mmc rmgpt - clean all mmc partition table
mmc slc size relwr - set slc in the front of user area,  0xffffffff means max slc size
mmc ecsd - print ecsd register of emmc
mmc setecsd num mask value - set value to num of ecsd according to mask
mmc size - print the mmc size info
mmc slcchk - check the slc/mlc mode of emmc
mmc relwrchk - check the reliable write configuration of emmc
mmc slcrelwrchk - check the slc/mlc mode and reliable write configuration of emmc
mmc unlzo Src_Address Src_Length Partition_Name [empty_skip:0-disable,1-enable]- decompress lzo file and write to mmc partition 
mmc erase[.boot] bootpart [blk#] [size]
mmc erase.p partition_name
mmc erase - erase all blocks in device
mmc dd mmc2usb/usb2mmc [portnum] [pad] - dump/restore emmc raw data
mmc alignsize - check the alignment size of slc partition
mmc trim_test [chunk_size] [loop_count] - test read/write performance after trim enabled
 eMMC sub system emmc info - lists CSD & ExtCSD on eMMC
emmc init count - reset & init eMMC for count loops
emmc test count - verify eMMC & board signals for count loops
emmc speed [mode]- show eMMC speed sdr or ddr mode @ driver layer
emmc t_table [hs200/ddr] build - build timing table
emmc mode - ddr or sdr 
emmc clk - set ClkRegVal 
emmc cis - check or erase 
emmc pwr_cut init [addr][start block] - eMMC Power Cut Init
emmc pwr_cut test [addr][start block] - eMMC Power Cut Test
emmc reset [0/1] - toggle eMMC reset pin

 

[bamster89]

Maybe this is heplful

MSTAR ROOT_BOOT volume production
https://mega.nz/#!jQIyQJKT!PAnuBXZOPuPvOkoWkhpvk_ZCiHR1UJqAu9IobbemuTU

 

[dipcore]

you do not need to play with bin files, if dd works for you.

 

[dipcore]

Maybe this is heplful

MSTAR ROOT_BOOT volume production
https://mega.nz/#!jQIyQJKT!PAnuBXZOPuPvOkoWkhpvk_ZCiHR1UJqAu9IobbemuTU

Yes I read it, I used it to create that bin file configs.
Here are more docs: https://github.com/dipcore/Madsion/tree/master/MBoot_Madison_TVOS/doc

 

[masifkalam]

My Mstar semi conductor tv stuck on boot animation

plz help

what i am doing now

---------- Post added at 03:33 PM ---------- Previous post was at 03:30 PM ----------

Plz Help my tv stuck on boot animation
I changed the boot animation after my tv is not booting plz help

how to tv in pc and any other solution plz help me someone

---------- Post added at 03:34 PM ---------- Previous post was at 03:33 PM ----------

MStar Semiconductor, Inc. MStar Android TV

MStar Android TV (full.cv6a628h_international)

---------- Post added at 03:37 PM ---------- Previous post was at 03:34 PM ----------

last i doing in tv permission in platform.xml

i thing going wrong in this

and other is boot animation change in media zip file

plz help what i am dong now .............any link of tv firmware to download in tv

thanks in advance

 

[dipcore]

plz help

1. If you have stock bin or zip firmware just flash it.
2. If you do not have a firmware file, just connect to debugging UART and revert all your changes using console.

 

[masifkalam]

1. If you have stock bin or zip firmware just flash it.
2. If you do not have a firmware file, just connect to debugging UART and revert all your changes using console.

dont have stock bin and how connect to pc plz some brief

---------- Post added at 04:58 PM ---------- Previous post was at 04:48 PM ----------

1. If you have stock bin or zip firmware just flash it.
2. If you do not have a firmware file, just connect to debugging UART and revert all your changes using console.

plz some brief for debugging UART i will do
thanks fro reply

 

[dipcore]

plz some brief for debugging UART i will do
thanks fro reply

look at my post #4 https://xdaforums.com/showpost.php?p=71294095&postcount=4
use VGA port

 

[masifkalam]

look at my post #4 https://xdaforums.com/showpost.php?p=71294095&postcount=4
use VGA port

and how console used for revert changes
some examples
thanks dear i will understand these things

---------- Post added at 05:49 PM ---------- Previous post was at 05:25 PM ----------

and how console used for revert changes
some examples
thanks dear i will understand these things

any other solution for revert changes through pc or recovery mode

 

[dipcore]

and how console used for revert changes
some examples
thanks dear i will understand these things

It's just shell console with root privileges. Use it as you would use any shell console. I.e. using the sell copy needed files to usb drive then do changes on the PC and copy them back to TV.

 

[masifkalam]

It's just shell console with root privileges. Use it as you would use any shell console. I.e. using the sell copy needed files to usb drive then do changes on the PC and copy them back to TV.

shell console with root privileges????? root???
and why copy files to usb first
just revert files from pc through deb uart

debugging uart this cable
http://www.96boards.org/wp-content/uploads/2015/06/uart-to-usb-cable.jpg

 

[dipcore]

shell console with root privileges????? root???
and why copy files to usb first
just revert files from pc through deb uart

debugging uart this cable
http://www.96boards.org/wp-content/uploads/2015/06/uart-to-usb-cable.jpg

1. Yes ROOT, ROOOT, ROOOOT. It's by default for mstar based TV. So you should get root shell via UART debugging port, of course If your TV vendor did not change that.
2. Yes, you can update it directly from PC. I just provided an example of how to do it. Having shell access you can do a lot of stuff in a many different ways.
3. You can use any cable with usb-uart converter, for instance on pl2303 chip. I'm using similar to this one: https://www.aliexpress.com/item/Fre...lgo_pvid=d98f45a8-1c26-4a5e-bac3-39fdef513502

 

[masifkalam]

1. Yes ROOT, ROOOT, ROOOOT. It's by default for mstar based TV. So you should get root shell via UART debugging port, of course If your TV vendor did not change that.
2. Yes, you can update it directly from PC. I just provided an example of how to do it. Having shell access you can do a lot of stuff in a many different ways.
3. You can use any cable with usb-uart converter, for instance on pl2303 chip. I'm using similar to this one: https://www.aliexpress.com/item/Fre...lgo_pvid=d98f45a8-1c26-4a5e-bac3-39fdef513502

thanks dear
i will purchased this and connect to later in this platform
thanks for your time

---------- Post added at 06:41 PM ---------- Previous post was at 06:30 PM ----------

thanks dear
i will purchased this and connect to later in this platform
thanks for your time

just one thing more
debugging uart connect to tv in stand by position just red light , uart working because my tv automatically restart and off in boot animation

thanks ..............thanks.,,,,,,,,,,,,,,,,,,,,,,thanks...........................dear for your time