Rooting MediaTek Based Linux Smart TV

[1337p]

I've also found this in /etc/login.sh

#!/bin/sh
stty -echo

while true
do
    read line
    # if [ $(echo -n "x${line}" | md5sum | awk '{print $1}') = "e6007a36a7bacfb32502f787431664df" ]; then
    if [ "$line" = "05328087" ]; then
        stty echo
        exit 0
    fi
done

no idea where it's used though there could be a shell hidden somewhere..

 

[Kirby54]

Hi

i'm not sure but maybe somebody can help, i need to know if it's possible to install any application on a 2020 Hisense TV (model is 43A7100F), that run the Vidaa 3 OS:

HISENSE 43A7100F 108 cm sur LCD Compare !

Voir la fiche technique LCD-Compare, les marchands, prix et avis utilisateurs sur le HISENSE 43A7100F - 108 cm

www.lcd-compare.com

I'm not sure if i need to use a ftp browser to browse the TV config files to install app that are not available on the TV app store ?

Thanks

 

[fellaw]

The user fellaw posted in neophob com/2010/01/root-my-tv-hack-philips-pfl9703/ about exploiting Busybox DHCP client to get higher access to the TVs, here is the full post (for backup)

fellaw here after a looooong time. Sorry to dig out this old thread but I have exciting news in regards to the QN141E 2014 Philip models. I have been just too busy with life to play with the firmware other than quite recently.

With that said: Further analysis showed that there is a simple, permanent entry point even in the latest QN141E_012.003.086.128 firmware.
In particular at boot time some lib looks for a certain script in two locations and executes it if found.
Both locations are in writable filesystems, and normally there is no script in either.

Search order:

1. /3rd_rw/sigma/mtksigma_start_wfd.sh
2. /mnt/usb/sda1/sigma/mtksigma_start_wfd.sh

No. 2 is only triggered if no. 1 is not found.
If no. 2 is not found then there will be an execute error on the console.
Successful execution is logged to the console for either.

/3rd_rw is a persistent filesystem, even over firmware upgrades. Also it does not depend on external devices.
Thus I preferred to drop a script there rather than use USB.

I dropped my script via my initial method.
I used firmware QN141E_012.003.030.128 to exploit CVE-2011-2716 and drop the script via BusyBox ftpd.

As far as I can tell QN141E_012.003.038.128 and beyond are not exploitable via CVE-2011-2716, although the udhcpc binary and it's calling script are identical. Not sure what is going on though, and frankly I lost patience to dig further.

The relevant lib is /basic/lib/libwfd.so. It's used by a core service, /basic/dtv_svc.
Thus I doubt that the entry point is easy to fix other than maybe with signatures.

 

[tarator.ru]

Hisense Vidaa TV, how to :

- make a backup of TV settings & apps
- install applications from a USB flash drive
- delete pre-installed apps

Sorry, Russian only. But the video is clear without words

 

[tarator.ru]

no idea where it's used though there could be a shell hidden somewhere..

from service manual:​

When questions appear , computer run SecureCRT input lowercase " getlog" ,if fails input

another"05328087".then rolls the lots of log print message

 

[a13x501]

And something interesting. I found AES key for Hisense and some Sharp and Philips TV's.

dd if=upgrade_loader.pkg of=header.aes bs=16 count=10
openssl enc -aes-128-cbc -vi 0 -d -K 09291094092910940929109409291094 -in header.aes -out header
hexdump -C header
00000000  68 69 73 65 23 44 48 40 46 69 52 6D 49 44 54 56  |hise#[email protected]|
00000010  04 87 57 42 57 85 B2 F1 4D E0 AA 53 71 2E E6 DE  |.‡WBW…ІсMаЄSq.жЮ|
00000020  5E 3E E1 66 F8 31 4D 4C FE BB 27 CF 34 9A F5 CC  |^>бfш1MLю»'П4љхМ|
00000030  17 2B 9F A0 45 EB 66 BF 10 BA A0 BC 55 79 BF 27  |.+џ*Eлfї.є*јUyї'|
00000040  09 A6 98 A5 B0 02 42 1A A6 7A A2 64 C2 0B 36 5D  |.¦.Ґ°.B.¦zўdВ.6]|
00000050  7D 82 E9 F8 B7 E7 41 5F 64 CD EF B8 FA 69 C5 73  |}‚йш·зA_dНпёъiЕs|
00000060  A9 51 6D 87 B4 5C 17 99 80 FD 3A C5 50 75 37 3B  |©Qm‡ґ\.™Ђэ:ЕPu7;|
00000070  2C CC 0D FD 58 74 A2 38 4D 16 F6 4C F4 B4 1E A8  |,М.эXtў8M.цLфґ.Ё|
00000080  EA BB 1E C9 9F FF EC CE 4C F2 ED 74 E6 B1 E9 D4  |к».ЙџямОLтнtж±йФ|

Hm, first string of header and digest are good, but not other.

Header :
35 b3 67 73 08 b5 82 c3 7e d0 9c 0c 40 1c b9 ee    [email protected]
6e 0f be 55 cf 6e 7d 7c c9 e4 16 f6 00 9a f5 cc    n..U.n}|........
17 2b 9f a0 45 eb 66 bf 10 ba a0 bc 55 79 bf 27    .+..E.f.....Uy.'
09 a6 98 a5 b0 02 42 1a dd ac 39 21 c2 0b 36 5d    ......B...9!..6]
10 f6 dc c0 8e d7 1e 3a 11 92 83 d1 94 1c bd 73    .......:.......s
a9 51 6d 87 b4 5c 17 99 80 fd 3a c5 50 75 37 3b    .Qm..\....:.Pu7;
38 b9 d6 10 84 03 94 b2 c3 60 14 9b ed 0b 63 73    8........`....cs

Header :
68 69 73 65 23 44 48 40 46 69 52 6d 49 44 54 56    hise#[email protected]
31 34 30 31 5f 30 30 32 33 30 36 5f 31 32 5f 30    1401_002306_12_0
30 31 5f 33 37 5f 30 30 37 5f 31 39 34 00 00 00    01_37_007_194...
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
00 00 00 00 00 00 00 00 7b d6 9b 45 00 00 00 00    ........{..E....
6d 74 35 38 39 30 5f 65 75 5f 6c 69 6e 75 78 00    mt5890_eu_linux.
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................

Validate codefile HMAC
open File = /mnt/usb_0/upgrade_loader.pkg
Encrypted digest:
ea bb 1e c9 9f ff ec ce 4c f2 ed 74 e6 b1 e9 d4    ........L..t....
9c f4 dd 7b 1b cc d9 f3 7e 0e 00 2d 80 00 77 cb    ...{....~..-..w.

Download digest
2c cc 0d fd 58 74 a2 38 4d 16 f6 4c f4 b4 1e a8    ,...Xt.8M..L....
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................

But wait... second string of digest is look like first encrypted string! It's mean that after AES you need apply some operation with previous string. But which operation? Subtract? Maybe, but it does work for header. XOR is the answer!

Conclusion:
+we can sign selfmade firmware
-we can not sign part of firmware (mtk loader, uboot... ): it needed RSA key
-we don't have anything to sign

P.S.: Sharp Android TV based on mt5890 cpu and don't encrypt like Sony. Do you want Hisense Android TV?

DTV>u
[H-CheckUpgrade]Read flag u1fgAPForceUpdate = 2!
[H-CheckUpgrade]Set u1fgAPForceUpdate =1

Do USB upgrade
hs>>in-upgrade
[H]WakeupReason = 3
u1USBBlock = 0x01d0ab80
USB: Vbus turn up time = 11871 ms, Max =0 ms.
USB-0: insert.
Device High speed.
MGC_HostEnumerator:MGC_EnumStateGetMaxDevice
HubPort-0: Device reset.
Silent Reset: Root device = 0x01d0bb84, Reset.
MGC_HostEnumerator:MGC_EnumStateReset
HubPort-0: Device address = 1.
MGC_HostEnumerator:MGC_EnumStateSetAddress
MGC_HostEnumerator:MGC_EnumStateGetFullDevice
HubPort-0: idVendor = 0x0951.
HubPort-0: idProduct = 0x1613.
HubPort-0: bcdDevice = 0x0110.
MGC_HostEnumerator:MGC_EnumStateGetFullDevice
HubPort-0: Lang Id: 0x409.
MGC_HostEnumerator:MGC_EnumStateGetFullDevice
HubPort-0: Manufacturer: Kingston.
MGC_HostEnumerator:MGC_EnumStateGetFullDevice
HubPort-0: Product: DT 101 II.
MGC_HostEnumerator:MGC_EnumStateGetFullDevice
HubPort-0: SerialNum: 5B871400022A.
MGC_HostEnumerator:MGC_EnumStateSizeConfigs
MGC_HostEnumerator:MGC_EnumStateGetConfigs
MGC_HostEnumerator:MGC_EnumStateConnectDevice
USB Enumerator: find device driver
MGC_HostFindDriver:++
MUSB_TARGET_CLASS case 2:bMatch =1, 0x0,0x0
MUSB_TARGET_CLASS case1:bMatch =1,0x8,0x8
MUSB_TARGET_ACCEPT:bMatch = 1
HubPort-0: Driver support, class = 0x8.
USB Enumerator: Driver support
HubPort-0: Device is accepted.
HubPort-0: Device is accepted.
MGC_HostEnumerator:Connect device complete, bRet=1
MGC_HostEnumerator: break connect device
USB-0: ClassCode= 0x8, u4Diff=239 ms.
MUSB_GetInsert return 1

FIND_CLASS_MASS_STORAGE.
Wait USB medium to be mounted...
LUN = 0-1.
vid = 0x0951, pid = 0x1613, bMediumStatus = 0.
LUN = 0-1.
ID = KingstonDT 101 II PMAP. [RW].
Block size = 512 bytes, Total size = 7646 Mbytes.
MUSB_HfiMediumInserted().
USB Medium on Device, Time = 1742 ms.
USB block size = 512 bytes.
/dev is created.
/mnt is already existed. That is OK.
/dev/usb is created.
/mnt/usb_0 is created.
/dev/usb_0 is mounted as /mnt/usb_0.
[H]Serial product name:Id=27,str=SA5600H,Len=32
[H-ReadTVSerialModel]Tv Serial Model name pkg: usb_SA5600H.pkg
====
[H]Find PKG -> path name: /mnt/usb_0/usb_SA5600H.pkg
Use internal integrity check API
open File = /mnt/usb_0/usb_SA5600H.pkg
Header encrypt by AES
Header :
d7 d2 f5 90 ad 28 09 38 12 37 e5 ac fc f4 fa ba .....(.8.7......
35 8a c0 17 60 ee 85 33 6a 0c 63 9b 8c 64 f7 2d 5...`..3j.c..d.-
bf 86 d7 a5 62 5f e1 b3 aa 50 62 76 a5 f7 f7 5f ....b_...Pbv..._
85 01 fa 58 8b ee 01 89 45 2c ab 27 10 1c ca 79 ...X....E,.'...y
c9 ff 02 07 9e 4b a3 d4 a1 05 c9 67 11 46 e9 69 .....K.....g.F.i
fc 5d 6a b4 fb 9f ad d7 a3 db d0 b8 72 e5 5f 47 .]j.........r._G
c9 b5 ee df e6 1c 06 fd 6e 21 f4 78 85 b0 cd 04 ........n!.x....

Header :
68 69 73 65 23 44 48 40 46 69 52 6d 53 41 35 36 hise#[email protected]
30 30 48 31 00 00 00 00 00 00 00 00 00 00 00 00 00H1............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 ed 1a 40 1f 00 00 00 00 [email protected]
6d 74 35 38 36 33 5f 73 61 5f 37 36 38 5f 6c 69 mt5863_sa_768_li
6e 75 78 00 00 00 00 00 00 00 00 00 00 00 00 00 nux.............

open File = /mnt/usb_0/usb_SA5600H.pkg
Encrypted header:
d7 d2 f5 90 ad 28 09 38 12 37 e5 ac fc f4 fa ba .....(.8.7......
35 8a c0 17 60 ee 85 33 6a 0c 63 9b 8c 64 f7 2d 5...`..3j.c..d.-
bf 86 d7 a5 62 5f e1 b3 aa 50 62 76 a5 f7 f7 5f ....b_...Pbv..._
85 01 fa 58 8b ee 01 89 45 2c ab 27 10 1c ca 79 ...X....E,.'...y
c9 ff 02 07 9e 4b a3 d4 a1 05 c9 67 11 46 e9 69 .....K.....g.F.i
fc 5d 6a b4 fb 9f ad d7 a3 db d0 b8 72 e5 5f 47 .]j.........r._G
c9 b5 ee df e6 1c 06 fd 6e 21 f4 78 85 b0 cd 04 ........n!.x....

Header:
68 69 73 65 23 44 48 40 46 69 52 6d 53 41 35 36 hise#[email protected]
30 30 48 31 00 00 00 00 00 00 00 00 00 00 00 00 00H1............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 ed 1a 40 1f 00 00 00 00 [email protected]
6d 74 35 38 36 33 5f 73 61 5f 37 36 38 5f 6c 69 mt5863_sa_768_li
6e 75 78 00 00 00 00 00 00 00 00 00 00 00 00 00 nux.............

Model_name=SA5600H1

[H]Get this PKG product name: usb_SA5600H1.pkg

[H-MorePkgDetect]The can not find available upgrade files
[H-UsbUpgrade] IsHaveUpgradeFile = 1

Error: No valid upgrade file found or found more than 2 avliable upgrade files, USB upgrade stop
hs>>upgrade-err-USB upgrade stop
[HI]Set Clean block empty status 0.

Apparently this serves only to identify that the file is adequate to be able to use it in the firmware update, it is a check who can make a decoder AND encoder with the AES key to verify that you can use another file by just changing the first lines
(hise # DH @ FiRmSA5600h1) by (hise # DH @ FiRmSA5600h)

 

[a13x501]

GitHub - opensource-hisense/SmartTV-Series9 at 82b65288a9a12b73674184d20c69b9e2adc4a1cc

Productions List: HS32A5600HWB HS43A5600FWB HS39A5600FWB HS32A5605HWB HS43A5605FWB HS49N2173FWB HS32N1800HWB HS43N1800FWB HS50N1800FWB HS32A5608HWB HE39A5600FWTS HE32A5600HWTS HE...

github.com

source code​

Productions List: HS32A5600HWB HS43A5600FWB HS39A5600FWB HS32A5605HWB HS43A5605FWB HS49N2173FWB HS32N1800HWB HS43N1800FWB HS50N1800FWB HS32A5608HWB HE39A5600FWTS HE32A5600HWTS HE43A5600FWTS HE39A5607FWTS HE43A5607FWTS HE32A5800HWTS HX32A5610HWTS HX49N2183FWTS HX43A5610FWTS HE39A5600FWTS(0001) HE43A5600FWTS(0001) HE32A5600HWTS(0001) 40E5600EE 32E…

 

[p0isk]

DTV>u
[H-CheckUpgrade]Read flag u1fgAPForceUpdate = 2!
[H-CheckUpgrade]Set u1fgAPForceUpdate =1

Do USB upgrade
hs>>in-upgrade
[H]WakeupReason = 3
u1USBBlock = 0x01d0ab80
USB: Vbus turn up time = 11871 ms, Max =0 ms.
USB-0: insert.
Device High speed.
MGC_HostEnumerator:MGC_EnumStateGetMaxDevice
HubPort-0: Device reset.
Silent Reset: Root device = 0x01d0bb84, Reset.
MGC_HostEnumerator:MGC_EnumStateReset
HubPort-0: Device address = 1.
MGC_HostEnumerator:MGC_EnumStateSetAddress
MGC_HostEnumerator:MGC_EnumStateGetFullDevice
HubPort-0: idVendor = 0x0951.
HubPort-0: idProduct = 0x1613.
HubPort-0: bcdDevice = 0x0110.
MGC_HostEnumerator:MGC_EnumStateGetFullDevice
HubPort-0: Lang Id: 0x409.
MGC_HostEnumerator:MGC_EnumStateGetFullDevice
HubPort-0: Manufacturer: Kingston.
MGC_HostEnumerator:MGC_EnumStateGetFullDevice
HubPort-0: Product: DT 101 II.
MGC_HostEnumerator:MGC_EnumStateGetFullDevice
HubPort-0: SerialNum: 5B871400022A.
MGC_HostEnumerator:MGC_EnumStateSizeConfigs
MGC_HostEnumerator:MGC_EnumStateGetConfigs
MGC_HostEnumerator:MGC_EnumStateConnectDevice
USB Enumerator: find device driver
MGC_HostFindDriver:++
MUSB_TARGET_CLASS case 2:bMatch =1, 0x0,0x0
MUSB_TARGET_CLASS case1:bMatch =1,0x8,0x8
MUSB_TARGET_ACCEPT:bMatch = 1
HubPort-0: Driver support, class = 0x8.
USB Enumerator: Driver support
HubPort-0: Device is accepted.
HubPort-0: Device is accepted.
MGC_HostEnumerator:Connect device complete, bRet=1
MGC_HostEnumerator: break connect device
USB-0: ClassCode= 0x8, u4Diff=239 ms.
MUSB_GetInsert return 1

FIND_CLASS_MASS_STORAGE.
Wait USB medium to be mounted...
LUN = 0-1.
vid = 0x0951, pid = 0x1613, bMediumStatus = 0.
LUN = 0-1.
ID = KingstonDT 101 II PMAP. [RW].
Block size = 512 bytes, Total size = 7646 Mbytes.
MUSB_HfiMediumInserted().
USB Medium on Device, Time = 1742 ms.
USB block size = 512 bytes.
/dev is created.
/mnt is already existed. That is OK.
/dev/usb is created.
/mnt/usb_0 is created.
/dev/usb_0 is mounted as /mnt/usb_0.
[H]Serial product name:Id=27,str=SA5600H,Len=32
[H-ReadTVSerialModel]Tv Serial Model name pkg: usb_SA5600H.pkg
====
[H]Find PKG -> path name: /mnt/usb_0/usb_SA5600H.pkg
Use internal integrity check API
open File = /mnt/usb_0/usb_SA5600H.pkg
Header encrypt by AES
Header :
d7 d2 f5 90 ad 28 09 38 12 37 e5 ac fc f4 fa ba .....(.8.7......
35 8a c0 17 60 ee 85 33 6a 0c 63 9b 8c 64 f7 2d 5...`..3j.c..d.-
bf 86 d7 a5 62 5f e1 b3 aa 50 62 76 a5 f7 f7 5f ....b_...Pbv..._
85 01 fa 58 8b ee 01 89 45 2c ab 27 10 1c ca 79 ...X....E,.'...y
c9 ff 02 07 9e 4b a3 d4 a1 05 c9 67 11 46 e9 69 .....K.....g.F.i
fc 5d 6a b4 fb 9f ad d7 a3 db d0 b8 72 e5 5f 47 .]j.........r._G
c9 b5 ee df e6 1c 06 fd 6e 21 f4 78 85 b0 cd 04 ........n!.x....

Header :
68 69 73 65 23 44 48 40 46 69 52 6d 53 41 35 36 hise#[email protected]
30 30 48 31 00 00 00 00 00 00 00 00 00 00 00 00 00H1............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 ed 1a 40 1f 00 00 00 00 [email protected]
6d 74 35 38 36 33 5f 73 61 5f 37 36 38 5f 6c 69 mt5863_sa_768_li
6e 75 78 00 00 00 00 00 00 00 00 00 00 00 00 00 nux.............

open File = /mnt/usb_0/usb_SA5600H.pkg
Encrypted header:
d7 d2 f5 90 ad 28 09 38 12 37 e5 ac fc f4 fa ba .....(.8.7......
35 8a c0 17 60 ee 85 33 6a 0c 63 9b 8c 64 f7 2d 5...`..3j.c..d.-
bf 86 d7 a5 62 5f e1 b3 aa 50 62 76 a5 f7 f7 5f ....b_...Pbv..._
85 01 fa 58 8b ee 01 89 45 2c ab 27 10 1c ca 79 ...X....E,.'...y
c9 ff 02 07 9e 4b a3 d4 a1 05 c9 67 11 46 e9 69 .....K.....g.F.i
fc 5d 6a b4 fb 9f ad d7 a3 db d0 b8 72 e5 5f 47 .]j.........r._G
c9 b5 ee df e6 1c 06 fd 6e 21 f4 78 85 b0 cd 04 ........n!.x....

Header:
68 69 73 65 23 44 48 40 46 69 52 6d 53 41 35 36 hise#[email protected]
30 30 48 31 00 00 00 00 00 00 00 00 00 00 00 00 00H1............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 ed 1a 40 1f 00 00 00 00 [email protected]
6d 74 35 38 36 33 5f 73 61 5f 37 36 38 5f 6c 69 mt5863_sa_768_li
6e 75 78 00 00 00 00 00 00 00 00 00 00 00 00 00 nux.............

Model_name=SA5600H1

[H]Get this PKG product name: usb_SA5600H1.pkg

[H-MorePkgDetect]The can not find available upgrade files
[H-UsbUpgrade] IsHaveUpgradeFile = 1

Error: No valid upgrade file found or found more than 2 avliable upgrade files, USB upgrade stop
hs>>upgrade-err-USB upgrade stop
[HI]Set Clean block empty status 0.

Apparently this serves only to identify that the file is adequate to be able to use it in the firmware update, it is a check who can make a decoder AND encoder with the AES key to verify that you can use another file by just changing the first lines
(hise # DH @ FiRmSA5600h1) by (hise # DH @ FiRmSA5600h)

Does Your usb_SA5600H.pkg file contain any partition?
Next step is reading all file's header in upgrade file:
open File = /mnt/usb_0/upgrade_loader.pkg Append file length = 223 Append file length = 52473995 Append file length = 10205 Append file length = 902576 Append file length = 30784 Append file length = 8196 Append file length = 4592 Append file length = 2803992 Append file length = 13396 Append file length = 196672 Append file length = 288271360 Append file length = 257196096 Append file length = 64553024 Append file length = 3213520 Append file length = 512 Process tag "usig" length = 512, 00.00.02.00 _LdrUsigUpgrade, verify key pass, command='1'(0x31) No version defined!! No CC_DISABLE_UART_UPGRADE defined!! download usig percentage = 100 free memory size = 4194304 UID hise open File = /mnt/usb_0/upgrade_loader.pkg Header encrypt by AES Header : 35 b3 67 73 08 b5 82 c3 7e d0 9c 0c 40 1c b9 ee [email protected] 6e 0f be 55 cf 6e 7d 7c c9 e4 16 f6 00 9a f5 cc n..U.n}|........ 17 2b 9f a0 45 eb 66 bf 10 ba a0 bc 55 79 bf 27 .+..E.f.....Uy.' 09 a6 98 a5 b0 02 42 1a dd ac 39 21 c2 0b 36 5d ......B...9!..6] 10 f6 dc c0 8e d7 1e 3a 11 92 83 d1 94 1c bd 73 .......:.......s a9 51 6d 87 b4 5c 17 99 80 fd 3a c5 50 75 37 3b .Qm..\....:.Pu7; 38 b9 d6 10 84 03 94 b2 c3 60 14 9b ed 0b 63 73 8........`....cs Header : 68 69 73 65 23 44 48 40 46 69 52 6d 49 44 54 56 hise#[email protected] 31 34 30 31 5f 30 30 32 33 30 36 5f 31 32 5f 30 1401_002306_12_0 30 31 5f 33 37 5f 30 30 37 5f 31 39 34 00 00 00 01_37_007_194... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 7b d6 9b 45 00 00 00 00 ........{..E.... 6d 74 35 38 39 30 5f 65 75 5f 6c 69 6e 75 78 00 mt5890_eu_linux. 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ open File = /mnt/usb_0/upgrade_loader.pkg Append file length = 223 .. Process tag "cfig" length = 223, 00.00.00.df download cfig percentage = 100 free memory size = 4194304 Dynamic Tag No: 0 TagName: load FlashType: 0 PartitionID: 0 Dynamic Tag No: 1 TagName: uenv FlashType: 0 PartitionID: 1 Dynamic Tag No: 2 TagName: kern FlashType: 0 PartitionID: 4 Dynamic Tag No: 3 TagName: kern FlashType: 0 PartitionID: 5 Dynamic Tag No: 4 TagName: rtfs FlashType: 0 PartitionID: 6 Dynamic Tag No: 5 TagName: rtfs FlashType: 0 PartitionID: 7 Dynamic Tag No: 6 TagName: perm FlashType: 0 PartitionID: 9 Dynamic Tag No: 7 TagName: 3rdp FlashType: 0 PartitionID: 10 Dynamic Tag No: 8 TagName: 3rdw FlashType: 0 PartitionID: 11 Dynamic Tag No: 9 TagName: pqda FlashType: 0 PartitionID: 15 Dynamic Tag No: 10 TagName: aqda FlashType: 0 PartitionID: 16 Dynamic Tag No: 11 TagName: logo FlashType: 0 PartitionID: 17 Dynamic Tag No: 12 TagName: adsp FlashType: 0 PartitionID: 20 Dynamic Tag No: 13 TagName: ddb FlashType: 0 PartitionID: 22 Dynamic Tag No: 14 TagName: hdcp FlashType: 0 PartitionID: 23 Dynamic Tag No: 15 TagName: facs FlashType: 0 PartitionID: 24

 

[xiaodeng]

太棒了，伙计们！感谢您提供有关此线程的所有

太棒了，伙计们！感谢您提供有关此线程的所有信息！


：笑：

can you tell me how to repack the pkg firmware? thanks
信息！


：笑：

 

[xiaodeng]

固件可以在这里找到，它是一个压缩的 *.pkg 文件http://hisense-usa.com/support/firmware/50H5G_V00.01.130a.F0113_us.zip

HELLO, epk2extract can unpack the pkg firmware and how to repack it?

 

[p0isk]

HELLO, epk2extract can unpack the pkg firmware and how to repack it?

There is no pack tool. But you can write it

 

[xiaodeng]

没有打包工具。但是你可以写

没有打包工具。但是你可以写

thanks,but I don't known how to do

 

[hackwerk]

Today I did a large comprehensive post about my Sony Bravia 4K Android TV in the topic Sony Android TV Users.

Parts are based on your great topic and work.

Maybe some of you are able to help me/us too, as the chipsets are the same/similar (MediaTek MT5890 (= MT5595 = ATV1))?

It would be HUGE to us if the tv could be rooted, if we could manage to unpack/pack firmwares (Sony) or if we would be able to upgrade the tv to international firmware (US/Asia 6.827 instead of EU 5.457)!

Thanks, and keep up your great work!

 

[Kalaskas]

I have a TV Hisense U7H 2022 version ASIA with Vidaa OS U , I can not install extra applications , it has no web browser , if I write in the search Hisense://debug only searches within YouTube. It seems to be capped everywhere. Any hope to install something ?

 

[chris1892006]

May you help me?

 

[fellaw]

Hey people, I successfully ran telnet server on my MT5880 tv using the following:



The problem is that I cannot add it to boot secuence and didn't found any file in 3rd_rw related to boot, any ideas of how could add it to boot?

You may want to try
/3rd_rw/sigma/mtksigma_start_wfd.sh
or
/mnt/usb/sda1/sigma/mtksigma_start_wfd.sh

Those are attempted to be executed on my MT53xx based philips TV.

I did mention this here a while ago:

Rooting MediaTek Based Linux Smart TV

Hi Guys, I am looking for methods to get root on my Linux smart tv. Anyone have any ideas? I ran metasploit against it and had no luck, it did find some open ports for upnp and something called twonkymedia but I was not able to get anywhere...

forum.xda-developers.com

 

[chris1892006]

Has anyone rooted the tv yet? I have my Hisense 43A6H boot.img but after patching and flashing in fastboot, still no root... On Android 11. I tried almost every version like 6 magisk versions and all same result. Whats the deal?

 

[chris1892006]

Can you help with that Hisense root file you uploaded? I had to use an updated adb to get it to work yet it still wouldn't work...

D:\HISENSE 43A6H GOOGLE TV\Root\root>root.bat
╥╗╝ⁿroot╣ñ╛▀ú¼▓╗╚╖╢¿╦∙╙╨╗·╨═─▄╙├ú¼by ╦º▓╗╖│í¡í¡
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
╟δ╩Σ╚δ╡τ╩╙(║╨╫╙)╡─IP╡╪╓╖ú║
┐¬╩╝┴¼╜╙í¡í¡
unable to connect to :5555
adbd cannot run as root in production builds
/system/bin/sh: /system/bin/remount: inaccessible or not found
failed to copy 'su' to '/system/bin/su': couldn't create file: Read-only file system
failed to copy 'Superuser.apk' to '/system/app/Superuser.apk': couldn't create file: Read-only file system
chmod: /system/bin/su: No such file or directory
╓╪╞⌠╡τ╩╙(║╨╫╙)ú¼╡╚╞⌠╢»═Ω╛═╛═╩╟root┴╦ú¼╒Γ╕÷┼·┤ª└φ┐╔╥╘╣╪┴╦í¡í¡

 

[chris1892006]

Today I did a large comprehensive post about my Sony Bravia 4K Android TV in the topic Sony Android TV Users.

Parts are based on your great topic and work.

Maybe some of you are able to help me/us too, as the chipsets are the same/similar (MediaTek MT5890 (= MT5595 = ATV1))?

It would be HUGE to us if the tv could be rooted, if we could manage to unpack/pack firmwares (Sony) or if we would be able to upgrade the tv to international firmware (US/Asia 6.827 instead of EU 5.457)!

Thanks, and keep up your great work!

Any update because I used Python Binwalk to extract my Hisense 43A6H firmware and no dice once i extracted the .pkg it had two .gz files in there that couldn't be extracted using gzip in Python. I plan on upgrading to a Sony google tv and want to root it, your thoughts?

 

[[email protected]]

Greetings.
Does anyone know how to extract encrypted MTK firmware for TV?
I saw that they mentioned something about MTK_RESERVED_MAGIC and I have some firmware that have that byte string:
9BF7ED4FDA262A8E58FC63CF38F6E8A9
I have been trying for a long time to find some script or program that can unpack them, but so far I have not been able to find it.
I appreciate any information about it.
Thank you.