
[TOOLS] Mstar Android TV firmware tools


dipcore

Senior Member
Jul 7, 2015
136
135
@dipcore Please find attached the boot.img and mboot.img.

The attached boot.img is an encrypted one; that's why I have attached Mboot.img, in case I failed to decrypt the boot.img.

Decrypted Boot.img is here

It's not well decrypted.
The easiest way to check whether it's decrypted well is to open the image in any text editor: you will get a lot of garbage, but close to the beginning of the file you should have the text "MStar-linux(recovery)" or "MStar-linux(boot)".

Here is your well decrypted boot: https://www.dropbox.com/s/l1qh61b7s85itph/boot.img.out?dl=0 Rename it to boot.img

To decrypt use:
Code:
bin\win32\aescrypt2.exe 1 project\boot.img project\boot.img.out hex:0007FF4154534D92FC55AA0FFF0110E0

To encrypt it back use:
Code:
bin\win32\aescrypt2.exe 0 project\boot.img.new project\boot.img.aes hex:0007FF4154534D92FC55AA0FFF0110E0

PS You have default MStar keys.
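
The marker check described in the post above can be scripted instead of done by eye in a text editor. The following Python is an added example, not part of the original post or of mstar-bin-tool; the function names and the 4 KiB search window are assumptions, and the sample bytes are constructed.

```python
"""Check whether a decrypted MStar boot/recovery image carries its marker."""
import sys

# Marker strings quoted in the post above.
MARKERS = {
    b"MStar-linux(boot)": "boot",
    b"MStar-linux(recovery)": "recovery",
}
# Assumption: "close to the beginning" is taken to mean the first 4 KiB.
HEAD_WINDOW = 4096


def find_marker(head: bytes):
    """Return (kind, offset) of the earliest marker in head, or None."""
    hits = []
    for marker, kind in MARKERS.items():
        pos = head.find(marker)
        if pos != -1:
            hits.append((pos, kind))
    if not hits:
        return None
    pos, kind = min(hits)
    return kind, pos


def check_image(path: str, window: int = HEAD_WINDOW):
    """Read only the head of the file and look for a marker there."""
    with open(path, "rb") as fh:
        return find_marker(fh.read(window))


# Constructed sample data (not taken from a real image).
SAMPLE_GOOD = bytes(32) + b"MStar-linux(boot)" + bytes(64)
SAMPLE_BAD = bytes(range(256)) * 4  # no marker: wrong key or still encrypted

if __name__ == "__main__":
    if len(sys.argv) > 1:
        result = check_image(sys.argv[1])
    else:
        result = find_marker(SAMPLE_GOOD)
    print(result if result else "no marker found: image is not decrypted correctly")
    sys.exit(0 if result else 1)
```

A marker that only appears deep inside the file does not count, which is why the read is limited to the head window.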
 

ankush82

Member
Feb 20, 2012
31
1
Ghaziabad
@goujibing please see the above message; it has the decrypted boot.img. Just use the uboot unpacker; the link is available in dipcore's posts above. If you know what changes are required to get root, please let me know; I will do it and repack it, which can help everyone.
 

L0neWarri0r

New member
Oct 2, 2017
3
1
Hi, where did you search for those p2us firmwares?

I have a problem with the game mode setting: newer versions, which came after 075, cancel it every time the TV is turned off, or even when I change the desktop resolution. Can somebody tell me what may be causing that glitch?
 

hexcoder

Member
Jan 24, 2015
27
3
@goujibing please see the above message; it has the decrypted boot.img. Just use the uboot unpacker; the link is available in dipcore's posts above. If you know what changes are required to get root, please let me know; I will do it and repack it, which can help everyone.

You can try this method to gain root.

---------- Post added at 08:32 AM ---------- Previous post was at 08:25 AM ----------

Hi, where did you search for those p2us firmwares?

I have a problem with the game mode setting: newer versions, which came after 075, cancel it every time the TV is turned off, or even when I change the desktop resolution. Can somebody tell me what may be causing that glitch?

From a Chinese forum.

---------- Post added at 08:33 AM ---------- Previous post was at 08:32 AM ----------
 

hexcoder

Member
Jan 24, 2015
27
3
Hi, where did you search for those p2us firmwares?

I have a problem with the game mode setting: newer versions, which came after 075, cancel it every time the TV is turned off, or even when I change the desktop resolution. Can somebody tell me what may be causing that glitch?

Are you facing the same issue on the newer version of the firmware that I shared?
 

ankush82

Member
Feb 20, 2012
31
1
Ghaziabad
Are you facing the same issue on the newer version of the firmware that I shared?
The new version came with its own problem. The settings button stopped working; now, to open the settings menu, we have to use the settings app only. I reverted back to v150.

---------- Post added at 02:31 PM ---------- Previous post was at 02:29 PM ----------

You can try this method to gain root.

---------- Post added at 08:32 AM ---------- Previous post was at 08:25 AM ----------



From a Chinese forum.

---------- Post added at 08:33 AM ---------- Previous post was at 08:32 AM ----------
This method doesn't work; I tried. Tclsu is a location-specific file; we can't replace it with any other file. I tried this method and lost adb root many times because it links with the su binary, which doesn't work.
 

hexcoder

Member
Jan 24, 2015
27
3
The new version came with its own problem. The settings button stopped working; now, to open the settings menu, we have to use the settings app only. I reverted back to v150.

---------- Post added at 02:31 PM ---------- Previous post was at 02:29 PM ----------


This method doesn't work; I tried. Tclsu is a location-specific file; we can't replace it with any other file. I tried this method and lost adb root many times because it links with the su binary, which doesn't work.

Well, then I guess it's better to get an Android box :mad:. Anyway, I'm returning my device to the manufacturer, as within a span of 4 days there are like 5 dead pixels which have developed on the screen. I will have to wait to experiment. Until then, I'll start working on the original firmware itself, unpacking the boot.img and system.img to explore any possible mod that we can do.
 

ankush82

Member
Feb 20, 2012
31
1
Ghaziabad
Here is my research to date.
1. To gain basic command-line adb root, the following needs to be changed in default.prop:
ro.secure=0
2. There is a line in file_context which renames the su file to tclsu. If we can remove this line, there is a possibility to put in our own su binary to gain root.
(Though I don't know much about how file_context works.)
3. There is an anti-root method which restores build.prop and puts all custom binaries into a block list. I forgot the name of that file; I will share it once I find it.
 

L0neWarri0r

New member
Oct 2, 2017
3
1
Are you facing the same issue on the newer version of the firmware that I shared?
Unfortunately, yes. Also, now I get a "starting smart system" message every time I turn the TV on. But what is most strange is that different people have different problems with different firmware versions on similar TVs, and the root of this problem is unclear.
 

ankush82

Member
Feb 20, 2012
31
1
Ghaziabad
Another finding: there is a blacklist file which includes all the Google apps, like Play Services and others; that's why Play Services is not updated on its own. I need more guidance on this so that I can make changes and replace it with an edited file.
 

ankush82

Member
Feb 20, 2012
31
1
Ghaziabad
I unpacked system.img and found the following content in install-recovery.sh:

/system/bin/sh
i=0
ret=-1
while ( [ $ret -ne 0 ] && [ $i -lt 200 ] )
do
/tvos/bin/tcli db.factory.watchdog
let "ret = $?"
let "i++"
log -t recovery "do tcli db.factory.watchdog."
log -t recovery $i
sleep 1
done
log -t recovery "finish tcli db.factory.watchdog."

file_context contains this line under the devices section: /dev/watchdog u:object_r:watchdog_device:s0

Here we can find "watchdog", which is an anti-root file. Now I am not able to find this watchdog file anywhere. I hope we can root; @dipcore can help on this.

---------- Post added at 04:46 PM ---------- Previous post was at 04:07 PM ----------

I have extracted recovery.img and found the watchdog file under the \sbin folder. Now shall I delete this file? Please help, @dipcore.
 

hexcoder

Member
Jan 24, 2015
27
3
I unpacked system.img and found the following content in install-recovery.sh:

/system/bin/sh
i=0
ret=-1
while ( [ $ret -ne 0 ] && [ $i -lt 200 ] )
do
/tvos/bin/tcli db.factory.watchdog
let "ret = $?"
let "i++"
log -t recovery "do tcli db.factory.watchdog."
log -t recovery $i
sleep 1
done
log -t recovery "finish tcli db.factory.watchdog."

file_context contains this line under the devices section: /dev/watchdog u:object_r:watchdog_device:s0

Here we can find "watchdog", which is an anti-root file. Now I am not able to find this watchdog file anywhere. I hope we can root; @dipcore can help on this.

---------- Post added at 04:46 PM ---------- Previous post was at 04:07 PM ----------

I have extracted recovery.img and found the watchdog file under the \sbin folder. Now shall I delete this file? Please help, @dipcore.


I don't think the watchdog is the culprit behind the anti-root mechanism.
 

Top Liked Posts

  • 9
    Mstar Android TV firmware tools​
    Python 3.4+ required.

    Currently available tools:
    unpack.py - unpack MStar bin firmware
    pack.py - pack MStar bin firmware
    extract_keys.py - extract AES and RSA-public keys from MBOOT binary
    secure_partition.py - encrypt image and generate signature file

    Unpack MStar bin firmware files
    Code:
    Usage: unpack.py <firmware> <output folder [default: ./unpacked/]>
            <firmware> - MStar bin firmware to unpack
            <output folder> - directory to store unpacked stuff. Default value: ./unpacked/

    Pack MStar bin firmware
    Code:
    Usage: pack.py <config file>
            <config file> - Configuration file. The config file structure will be described later.
                            For now you can take a look at configs/letv-x355pro-full.ini
                            and use it as an example
    Example: pack.py configs/letv-x355pro-full.ini

    Extract keys from MBOOT
    This tool is used to get the AES and public RSA keys from the MBOOT. The AES keys are needed to encrypt/decrypt the boot.img and recovery.img images; the aescrypt2 tool is used for that.
    Code:
    Usage: extract_keys.py <path to mboot> [<folder to store keys>] [<key bank offset>] [<key bank size>]
    Defaults:
              <folder to store keys>        keys
              <key bank offset>             0x168e00
              <key bank size>               0x450
    Example: extract_keys.py ./unpacked/MBOOT.img
    Example: extract_keys.py ./unpacked/MBOOT.img ./keys 0x169e00 0x450

    Encrypt partition and generate signature
    All new MStar builds have the SECURE_BOOT option enabled. In that case boot.img and recovery.img are encrypted (AES) and signed with RSA private keys. This script is used to encrypt an image and generate its signature file.
    To manually encrypt or decrypt an image, use the aescrypt tool from the bin folder. The AES key can be extracted from MBOOT with the extract_keys.py script.
    Code:
    Usage: secure_partition.py <file to encrypt> <AES key file> <RSA private key file> <RSA public key file> <output encrypted file> <output signature file>
    Example: secure_partition.py ./pack/boot.img ./keys/AESbootKey ./keys/RSAboot_priv.txt ./keys/RSAboot_pub.txt ./pack/boot.img.aes ./pack/bootSign

    Download tools:
    https://github.com/dipcore/mstar-bin-tool
    4
    If you want to enable HDR10 on HDMI ports of TCL TV P2US series/variants (based on MS6488 SoC).

    + Requirement:
    - Root your TV with SuperSU
    - Any file manager (I'm using ESFileExplorer and enabled Root)

    + Steps:
    1/ Download TCL_HDR_HDMI.zip in attachment file
    2/ Extract TCL-HDMI*-2.0-n3d-gb-hdr-420.bin file to /tclconfig/mstar/tvconfig/config/EDID_BIN/
    3/ Edit your ProjectID ini file /tclconfig/model/
    - On my TV, the project ID is 187 (you can see it by opening the service menu via the 9735 secret code), so I found EM_187_MS6488A.ini and edited it:
    Add these lines to enable HDR HDMI
    [M_HDR]
    # if true, enable VS buffer switch patch, means to open HDMI HDR; if false: close HDME HDR
    F_HDR_HDMI = 1;
    #if mm or hdmi need support HDR feature, the flag should be set, otherwise should be cleaned.
    F_HDR_SUPPORT = 1;
    Change these lines to use new EDID with support HDR10 signal.
    [HDMI_EDID_1]
    HDMI_EDID_File_2_0 = "/config/EDID_BIN/TCL-HDMI1-2.0-n3d-gb-hdr-420.bin";
    ...
    [HDMI_EDID_2]
    HDMI_EDID_File_2_0 = "/config/EDID_BIN/TCL-HDMI2-2.0-n3d-gb-hdr-420.bin";
    ...
    [HDMI_EDID_3]
    HDMI_EDID_File_2_0 = "/config/EDID_BIN/TCL-HDMI3-2.0-n3d-gb-hdr-420.bin";
    ...
    - Save and reboot your TV.

    + Test HDR10 signal:
    - I'm using Mi box 4k (firmware 6.0.1 build 1034), set screen resolution to 4k2k-60Hz, enable Deep Color, HDR set to auto, use HDMI3 port on TCL TV.
    - Use Kodi to play Samsung Wonderland Demo.ts (4k HDR10 demo), this will auto switch HDMI signal to HDR10, new option HDR10 will appear in Picture Preset.
    - The ADB log will spam "HDMI HDR metadata" instead of "GetHdrStatus: bHdrEnable=0"
    2
    Hello
    I haven't rooted my TV.

    These are instructions for updating Google services.

    Description:
    All necessary (missing and updated) components required for the Google Play Market to work on TCL LxxP1US, LxxP2US, LxxC1US, LxxC1CUS. Included in the archive of packages, libraries and binaries are taken from OpenGapps version of arm64, Android 5.1, tvstock. Works on all firmware, including V108 and V150.

    A responsibility:
    You are responsible for what you do with your device. If you are not sure of your abilities, do not do the described actions better. To avoid errors, it is recommended to copy-paste commands, rather than typing manually.

    Installation:
    1. It is assumed that you have the ADB utility installed on your computer.
    2. Download zip-archive and unpack it into the directory where ADB is located.
    3. Start the terminal ("cmd" for Windows) and go to the directory with ADB.
    4. Check that there is a connection to the TV:

    Code:
    adb devices

    Find the IP of your TV

    Code:
    adb connect <ip>:5555

    5. Copy the data to the device:

    Code:
    adb push tar-arm /sdcard
    adb push tcl-system-gapps.tar /sdcard

    6. Go to the remote system:

    Code:
    adb shell

    Then we take a root

    Code:
    tclsu

    7. Installing gapps

    Code:
    cd /system
    cp /sdcard/tar-arm xbin/tar
    chmod 0755 xbin/tar
    tar -xf /sdcard/tcl-system-gapps.tar
    rm /sdcard/tcl-system-gapps.tar /sdcard/tar-arm
    exit

    8. Done. If all commands are executed without errors, you can close the terminal and reboot the TV (it is better to disconnect from the socket).
    9. After the reboot, we check the work of the market play. Attention: Play Market application from TCL Appstore must be installed. Do not worry, this is not the market itself, but only a shortcut for launching the built-in application from the shell.

    Note #1: on MacOS / Linux before "adb" it is necessary to type "./"
    Note #2: the reboot after installation lasts a very long time (I had about 5 minutes). This is normal, the system should index new packages.
    Note #3: if something went wrong, and the TV is not loaded, you can return everything back, flashing through the flash drive with an alternative method from the cap.

    Download gapps from my google drive
    Or download it from
    @hexcoder well, I used the above method but replaced the file for Google Play Services in tcl-system-gapps.tar with the latest Google Play Services for Android TV, which I downloaded from APKMirror.

    What you have to do is download the latest Google Play Services for Android TV, rename it PrebuiltGmsCorePano.apk,
    and insert it into the priv-app folder in tcl-system-gapps.tar. Follow the above guide and it will be updated.

    And if you want, I can upload the updated files for you, but only when I get home.
    2
    Hello
    I haven't rooted my TV.

    These are instructions for updating Google services - 4pda.ru

    Description:
    All necessary (missing and updated) components required for the Google Play Market to work on TCL LxxP1US, LxxP2US, LxxC1US, LxxC1CUS. Included in the archive of packages, libraries and binaries are taken from OpenGapps version of arm64, Android 5.1, tvstock. Works on all firmware, including V108 and V150.

    A responsibility:
    You are responsible for what you do with your device. If you are not sure of your abilities, do not do the described actions better. To avoid errors, it is recommended to copy-paste commands, rather than typing manually.

    Installation:
    1. It is assumed that you have the ADB utility installed on your computer.
    2. Download zip-archive and unpack it into the directory where ADB is located.
    3. Start the terminal ("cmd" for Windows) and go to the directory with ADB.
    4. Check that there is a connection to the TV:

    Code:
    adb devices

    Find the IP of your TV

    Code:
    adb connect <ip>:5555

    5. Copy the data to the device:

    Code:
    adb push tar-arm /sdcard
    adb push tcl-system-gapps.tar /sdcard

    6. Go to the remote system:

    Code:
    adb shell

    Then we take a root

    Code:
    tclsu

    7. Installing gapps

    Code:
    cd /system
    cp /sdcard/tar-arm xbin/tar
    chmod 0755 xbin/tar
    tar -xf /sdcard/tcl-system-gapps.tar
    rm /sdcard/tcl-system-gapps.tar /sdcard/tar-arm
    exit

    8. Done. If all commands are executed without errors, you can close the terminal and reboot the TV (it is better to disconnect from the socket).
    9. After the reboot, we check the work of the market play. Attention: Play Market application from TCL Appstore must be installed. Do not worry, this is not the market itself, but only a shortcut for launching the built-in application from the shell.

    Note #1: on MacOS / Linux before "adb" it is necessary to type "./"
    Note #2: the reboot after installation lasts a very long time (I had about 5 minutes). This is normal, the system should index new packages.
    Note #3: if something went wrong, and the TV is not loaded, you can return everything back, flashing through the flash drive with an alternative method from the cap.

    Download gapps from my google drive - tvgapps
    Or download it from opengapps.org
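
The guide above unpacks tcl-system-gapps.tar as root from inside /system, and a reply describes repacking that archive with a replacement APK, so it is worth listing what an archive would write before extracting it. The following Python is an added example, not code from the thread or from OpenGApps; the EXPECTED_TOP directory set, the function names and the in-memory sample archive are assumptions constructed for illustration.

```python
"""List risky members of a tar archive before it is unpacked as root."""
import io
import stat
import tarfile

# Assumption: a gapps archive unpacked from /system should only touch these
# top-level directories; adjust the set to the archive being reviewed.
EXPECTED_TOP = {"app", "priv-app", "lib", "lib64", "etc", "framework"}


def audit_tar(fileobj):
    """Return a list of (member name, reason) findings."""
    findings = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for m in tar.getmembers():
            parts = [p for p in m.name.split("/") if p not in ("", ".")]
            if m.name.startswith("/") or ".." in parts:
                findings.append((m.name, "path escapes extraction directory"))
            elif parts and parts[0] not in EXPECTED_TOP:
                findings.append((m.name, "unexpected top-level directory"))
            if m.isfile() and m.mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append((m.name, "setuid/setgid bit set"))
            if m.issym() or m.islnk():
                target = m.linkname
                if target.startswith("/") or ".." in target.split("/"):
                    findings.append((m.name, "link points outside: " + target))
            if m.isdev():
                findings.append((m.name, "device node"))
    return findings


def _sample_archive():
    """Build a constructed in-memory archive (not a real gapps package)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, mode in [("priv-app/Example/Example.apk", 0o644),
                           ("xbin/su", 0o6755),
                           ("../data/evil", 0o644)]:
            info = tarfile.TarInfo(name)
            info.mode = mode
            tar.addfile(info, io.BytesIO(b""))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, reason in audit_tar(_sample_archive()):
        print(f"{name}: {reason}")
```

To review a downloaded archive, pass `open("tcl-system-gapps.tar", "rb")` to `audit_tar` on the computer before running `adb push`.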