Close
0%
0%

Hacking MSD7831S based DVB-T tuner

Hacking and tinkering with Embedded Linux in Mstar's MSD7831S

Public Chat
Similar projects worth following
I will try to put here all info regarding DVB-T tuner distributed in Poland under brand: Skymaster TNT-5. Probably in other places it have different names. Same cpu can be found also in smart TVs. My model have 256MB nand flash and 256MB of RAM.

Goal of this project is to allow access to telnet/ssh and extend capabilities of the device.

ProcessorMSD7831S
Flash256MB
Ram256MB
Kernel versionLinux-3.1.10-mstar (MIPS)
U-Boot version
2011.06-svn (Feb 09 2017 - 14:19:35) MBOT-1106.0.10.1376750

uboot_help.txt

U-Boot "help" output

plain - 9.46 kB - 02/23/2019 at 23:15

Download

uboot_printenv.txt

U-Boot "printenv" output

plain - 3.34 kB - 02/23/2019 at 23:15

Download

  • Trying to get root

    A.Mnemonic02/23/2019 at 23:28 0 comments

    Default u-boot "bootargs" variable for kernel is following:

    bootargs=quiet console=ttyS0,115200 ubi.mtd=UBI root=ubi:RFS ubi.mtd=UBILD rootfstype=ubifs rw EMAC_MEM=0x100000 DRAM_LEN=0x10000000 mtdparts=edb64M-nand:2432k@0x180000(MBOOT),2432k(MBOOTBAK),2m(UBILD),4m(BFN),6m(KL),54m(MSLIB),18176k(APP),896k(RTPM),-(UBI) norandmaps BRICK_TERMINATOR_SPI_STATUS_OFFSET=0005D000 LX_MEM=0x7000000 LX_MEM2=0x50000000,0xF600000 PM51_ADDR=0x7100000 PM51_LEN=0x10000 BOOTLOGO_IN_MBOOT ENV_VAR_OFFSET=0xBA000 ENV_VAR_SIZE=0x10000 ENV=NAND SECURITY=OFF

     I tried:

    • removing quiet
    • adding single init=/bin/sh

    Without success. If you have any ideas how to modify kernel's boot arguments to gain root shell on uart please leave comment.

  • U-Boot

    A.Mnemonic02/23/2019 at 23:03 0 comments

    After connecting to serial console the below bootlog can be observed. When message "Starting kernel ..." is spit out then only message is "Hello UART". There is no shell access. Nothing.

    ROM
    
    UART_115200
    AC_ON
    
    [3456789ABC][23456789AB][456789ABCDE][3456789ABC]-7697
    
    
    BIST0-OK[AT][MB][start ub][432]
    
    U-Boot 2011.06-svn (Feb 09 2017 - 14:19:35)  MBOT-1106.0.10.1376750
    
    
    DRAM:  256 MiB
    
    
    Hello U-Boot
    Stack Pointer at: 8ff5dfc0
    mem initial, start 0x8e1d0180, len 0x1020000
    uboot held at [8f000000~90000000]
    Now running in RAM - U-Boot at: 8f1f0180
    NAND:  CIS is found @Blk0
    FCIE is set to 54MHz
    256 MiB
    *** Warning - set default for mtdparts, using default environment
    
    Creating 1 MTD partitions on "nand0":
    0x000000640000-0x000000840000 : "mtd=2"
    Bad block table found at page 131008, version 0x01
    Bad block table found at page 130944, version 0x01
    UBI: attaching mtd1 to ubi0
    UBI: physical eraseblock size:   131072 bytes (128 KiB)
    UBI: logical eraseblock size:    126976 bytes
    UBI: smallest flash I/O unit:    2048
    UBI: VID header offset:          2048 (aligned 2048)
    UBI: data offset:                4096
    Can't find "CTRL" partition
    restore UBI scan
    UBI: the backup volume was not found
    UBI: attached mtd1 to ubi0
    UBI: MTD device name:            "mtd=2"
    UBI: MTD device size:            2 MiB
    UBI: number of good PEBs:        16
    UBI: number of bad PEBs:         0
    UBI: max. allowed volumes:       128
    UBI: wear-leveling threshold:    250
    UBI: number of internal volumes: 2
    UBI: number of user volumes:     1
    UBI: available PEBs:             1
    UBI: total number of reserved PEBs: 15
    UBI: number of PEBs reserved for bad PEB handling: 2
    UBI: max/mean erase counter: 203/110
    Volume  not found!
    
    NAND read: device 0 offset 0x180000, size 0xa8
     168 bytes read: OK
    Volume "MPOOL" found at volume id 0
    Volume "MPOOL" found at volume id 0
    u32EnvRescueOffset = 0x7c000
    In:    serial
    Out:   serial
    Err:   serial
    Net:   No ethernet found.
    MAC:  0x8: 0xf7: 0x28: 0x0:0x4f: 0xc6
    #######################################################################
    # [PROTECT WARNING], miu kernel protect is not enabled on second dram #
    #######################################################################
    Volume "MPOOL" found at volume id 0
    
    Changelist:	001101749
    ============= set bootargs ===============
    Hit any key to stop autoboot:  0 
    fore uup IRKey [0xff]
    AC on
    create Audio SHM data ...[[utopia]]      MApi_AUDIO_SetCommand() : Audio system is not ready yet, please try again later
    
     [Warning!!]No SRS TSXT license!! [[utopia]]      MApi_AUDIO_ReleaseDecodeSystem() : Audio system is not ready yet, please try again later
    [[utopia]]      MApi_AUDIO_ReleaseDecodeSystem() : Audio system is not ready yet, please try again later
    [[utopia]]      MApi_AUDIO_ReleaseDecodeSystem() : Audio system is not ready yet, please try again later
    [AT][MB][audio_preinit][918]
    MDrv_PNL_Init u32PnlRiuBaseAddr = bf200000
    MDrv_PNL_Init u32PMRiuBaseAddr = bf000000
    [_MDrv_PNL_Init_LPLL][305]pstPanelInitData->u16Width=1920, pstPanelInitData->u16Height=1080
    [_MDrv_PNL_Init_LPLL][307]u16HTotal=2199,u16VTotal=1124,pstPanelInitData->u16HTotal=2199,pstPanelInitData->u16VTotal=1124, u16DefaultVFreq=600
    [_MDrv_PNL_Init_Output_Dclk][350]pstPanelInitData->u16Width=1920, pstPanelInitData->u16Height=1080
    [_MDrv_PNL_Init_Output_Dclk][352]u16HTotal=2199,u16VTotal=1124,pstPanelInitData->u16HTotal=2199,pstPanelInitData->u16VTotal=1124, u16DefaultVFreq=600
    [AT][MB][panel_pre_init][972]
    
    NAND read: device 0 offset 0x5a00000, size 0x10000
     65536 bytes read: OK
    Wait for PM51 standby...........PM51 run ok...........msHdmitx_Disp_Init
    [XC,Version] 
     no need to patchEDID NOT READY! 
    EDID NOT READY! 
    EDID NOT READY! 
    EDID NOT READY! 
    EDID NOT READY! 
    Rx Support DVI mode only! 
    shift 0 pixels in NTSC mode 
    Create Dolby single part name task failed!![Hal_VE_EnableDI][1453] bEnable = 0, bIsDNR2VE = 0
    setHDMITxAnalogTuning: Error: MApi_HDMITx_GetRxDCInfoFromEDID EDID is not ready, at 271
    
    [AT][MB][bootlogo begin][1111]
    [AT][MB][JPD Decode][1141]
    
    [GOP3, PID 0, TID 0x-1][Driver Version]: 0089, BuildNum: 0002, ChangeList: 00524916
    [AT][MB][Show Logo][1175]
    [AT][MB][Play...
    Read more »

  • Accessing UART

    A.Mnemonic02/23/2019 at 22:44 0 comments

    UART header pinout, speed: 115200

View all 3 project logs

Enjoy this project?

Share

Discussions

Alexander wrote 02/26/2019 at 07:52 point

Nice start to the project, this would be super awesome to hack! I bet it could be modified to add a lot more SDR functionality. The fact it is running Uboot makes us think Linux, but it looks like it's probably running a proprietary OS (although it might be Linux with custom UART output, who knows?)

I will definitely be following this project! Good luck and I hope you find a way to get root!

  Are you sure? yes | no

A.Mnemonic wrote 02/26/2019 at 19:05 point

Hi Alexander. Thanks for comment. I didn't even thought about idea of SDR but hey! That would be even more interesting :) Onboard demodulator is MSB1241 but two USB ports are also available.

Regarding linux - using command 'nandbinall' I am able to dump all partitions to bin files. On one of them is root file system in ubifs which looks like that: https://i.imgur.com/yksQy0B.png :) So ultimately it is possible to dump filesystem, mount it under linux, modify initrd and add telnetd but for now I'm looking to do this using only serial console.

  Are you sure? yes | no

Similar Projects

Does this project spark your interest?

Become a member to follow this project and never miss any updates