This project is a collection of my experiences in repairing a TV from a hacker's perspective. A 40" with no obvious HW problem is not waste!
I think this problem could have been easily avoided by the manufacturer.
The PCB was mounted tightly by 4 screws to the flexible metal backplate of the TV's screen.
In my opinion this led to hairline cracks in the solder joint of this PCB.
Possible solution: use plastic PCB spacers which allow a little movement of the PCB.
Describing this project on HaD is also some kind of self-cleansing ritual. Repairing this TV was not easy and took me a lot of spare time.
It is really pissing me off: there is a 5 year old TV which is perfectly fine for my use-case (I want to remove the tuner anyway), but it broke down because of wear down issues. Still, the lack of information and possibility to modify devices nearly led to another ~5kg of e-waste. If the sources were available, disabling the tuner could be done in no time.
I find it funny that you can repair some of your gadgets with your kitchen oven. Maybe it was pure luck that this method worked 2 out of 2 times.
In the end, I am enjoying a bigger TV (upgraded from 32"), a friend of mine got the 32" TV.
I learned a lot, got a free TV and saved some resources by avoiding e-waste.
I did this procedure once with a graphics card (Radeon HD 7870 GHz Edition), which had the strange error of supporting only EFI/BIOS resolution, even the boot screens of Windows/Linux crashed the GPU.
It works until now without any problems (~6 months of heavy Corona-caused gaming usage).
I do not have a clear procedure for doing that, but it takes roughly these steps:
I had to do it twice for my TV's board, because on the first try, the remains of the antenna connectors were too high, so the plastic cover pressed down the PCB again.
According to the technical reference, there is an I2C bus for the ARM CPU & all tuner ICs:
I dug out my OpenBench Logic Sniffer, so let's see what's happening on the I2C bus.
Unfortunately, I didn't get any useful signals from the keypad connector. Either there are no I2C pins on this connector or the logic sniffer doesn't work as expected.
After some unsuccessful attempts to get I2C bus data, I discarded this approach for now.
Obviously, the firmware was not able to find/initialize the tuner IC and has no retry counter -> endless loop...
As I have the firmware binary, there must be some hint on the tuner initialization. Maybe there is the possibility to ignore the tuner at all?
Until now, I never used any disassembler to examine binaries (shame on me :-)).
The most commonly known disassembler is IDA. No freeware version to examine ARM binaries, so I needed an alternative (IDA would cost more than the TV :-)).
The NSA released their Ghidra toolchain, let's go with that.
This analysis software has a steep learning curve, but after some searching and random clicking, I got the analyzed binary with the assembler code & C routines.
By searching in the program memory for "6000", the following locations will show up:
If you click on the string, you will jump to its location in memory, where you can see all callers/references as well.
Most of the functions return 0 nevertheless. But at location 0x000531f0, there is a function where the return value depends on the success of the tuner setup. The return value loading is done at 0x00053294 by "cpy r0,r4".
Most of the developers use 0 as return value for success, so maybe we can modify the binary in a way that this function always returns 0?
Maybe it is possible to simply load 0 here (mov r0,#0x00)?
To be honest, I can use hex editors, but I have no idea if it is possible to simply replace a machine command in an ELF file (hashes, location in the binary file,...).
Still, very interesting to have a deep look into the firmware.
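On the question of replacing a single instruction in an ELF file: the format carries no checksum over its code, so a same-length replacement at the right file offset is enough as far as the ELF itself is concerned, and the offset follows from the program headers. The sketch below is an added example, not code from this project; it assumes 32-bit ARM-mode (not Thumb) encodings and runs on a constructed stand-in image rather than the real vestel.bin, and whether the TV verifies the file by other means is not covered.

```python
import struct

MOV_R0_R4 = bytes.fromhex("0400a0e1")  # ARM-mode "cpy r0,r4" (mov r0,r4), little-endian
MOV_R0_0 = bytes.fromhex("0000a0e3")   # ARM-mode "mov r0,#0x0", little-endian
PT_LOAD = 1

def vaddr_to_offset(elf: bytes, vaddr: int) -> int:
    """Map a virtual address to a file offset using the ELF32 program headers."""
    if elf[:4] != b"\x7fELF" or elf[4] != 1 or elf[5] != 1:
        raise ValueError("expected a little-endian ELF32 file")
    e_phoff, = struct.unpack_from("<I", elf, 0x1C)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x2A)
    for i in range(e_phnum):
        p_type, p_offset, p_vaddr, _paddr, p_filesz = struct.unpack_from(
            "<5I", elf, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD and p_vaddr <= vaddr < p_vaddr + p_filesz:
            return p_offset + (vaddr - p_vaddr)
    raise ValueError(f"0x{vaddr:08x} is not backed by file data")

def patch_instruction(elf: bytes, vaddr: int, old: bytes, new: bytes) -> bytes:
    """Replace one instruction; refuse if the bytes in the file are not the expected ones."""
    if len(old) != len(new):
        raise ValueError("replacement must have the same length as the original")
    off = vaddr_to_offset(elf, vaddr)
    if elf[off:off + len(old)] != old:
        raise ValueError(f"unexpected bytes at file offset 0x{off:x}")
    return elf[:off] + new + elf[off + len(new):]

def build_sample_elf() -> bytes:
    """Constructed ELF32/ARM image: one PT_LOAD segment, file 0x1000 -> vaddr 0x00050000."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", 2, 40, 1, 0x50000, 52, 0, 0,
                               52, 32, 1, 0, 0, 0)
    phdr = struct.pack("<8I", PT_LOAD, 0x1000, 0x50000, 0x50000,
                       0x4000, 0x4000, 5, 0x1000)
    code = bytearray(0x4000)
    code[0x3294:0x3298] = MOV_R0_R4    # stand-in for the instruction at 0x00053294
    return (ehdr + phdr).ljust(0x1000, b"\0") + bytes(code)

if __name__ == "__main__":
    image = build_sample_elf()
    patched = patch_instruction(image, 0x53294, MOV_R0_R4, MOV_R0_0)
    off = vaddr_to_offset(patched, 0x53294)
    print(f"patched file offset 0x{off:x}: {patched[off:off + 4].hex()}")
```

The check against the expected original bytes is what keeps a wrong address or a Thumb-mode function from being silently corrupted.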
Firmware upgrading is done by placing the upgrade_loader.pkg file on a USB flash drive, inserting it into the TV, pressing the OK button on the remote & switching on power.
The firmware files are encrypted in some way; a strings command on this file gives us just a few boot messages.
I am not sure what exactly is overwritten with the firmware upgrade, because even with a firmware from a different TV manufacturer, I still got the Medion logo on startup.
You will find some different upgrade files, but be warned: this PCB works with different screens, so some funny things might happen (picture upside down, bricked PCB,...)!
After connecting the FTDI cable, it was possible to watch the debug output.
You can interrupt the normal foreground code execution with CTRL+C, and voila: there is a Linux shell!
I immediately tried to dump all of the decrypted data to the external USB drive.
Frequently, the watchdog is hitting and the CPU is reset, so this is a hideous task.
A short summary of the boot process:
root=/dev/mtdblock2 rootwait lpj=1814528 console=ttyMT0,115200n1 quiet mtdparts=mt53xx-nor:192k(loader),1216k(kernel),8M(root),64k(ro),1664k(rw),960k(ro2) _2nd_4M
Call /basic/autorun.sh to start the device software. Normally, it simply mounts the USB drive & calls /basic/post_init.sh & /basic/vestel.bin. If MB82_DEVELOPER or MB82_AUTOTEST is set (wherever these are set usually), some stuff from the USB drive is loaded.
post_init.sh calls load_usb_modules.sh (which loads all kernel modules) & a binary ./dtv_svc (no idea what this is doing).
vestel.bin is the main TV service program
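The mtdparts= argument in the kernel command line above describes the whole NOR flash layout, which tells you where each region sits before you try to dump anything. The parser below is an added example, not part of the original project; it handles explicit sizes with an optional @offset for the first listed device only.

```python
import re

# Kernel command line copied from the boot log on this page.
CMDLINE = ("root=/dev/mtdblock2 rootwait lpj=1814528 console=ttyMT0,115200n1 quiet "
           "mtdparts=mt53xx-nor:192k(loader),1216k(kernel),8M(root),64k(ro),"
           "1664k(rw),960k(ro2) _2nd_4M")
UNITS = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}
PART_RE = re.compile(r"(\d+)([kKmMgG]?)(?:@(\d+)([kKmMgG]?))?\((\w+)\)(?:ro)?")

def parse_mtdparts(cmdline):
    """Return (device, [(index, name, offset, size), ...]) for the first mtdparts device."""
    arg = next(t for t in cmdline.split() if t.startswith("mtdparts="))
    device, _, parts = arg[len("mtdparts="):].split(";")[0].partition(":")
    layout, offset = [], 0
    for index, part in enumerate(parts.split(",")):
        m = PART_RE.fullmatch(part)
        if not m:
            raise ValueError(f"unsupported partition spec: {part!r}")
        size = int(m[1]) * UNITS[m[2].lower()]
        if m[3] is not None:               # explicit @offset overrides the running one
            offset = int(m[3]) * UNITS[(m[4] or "").lower()]
        layout.append((index, m[5], offset, size))
        offset += size                      # partitions are laid out back to back
    return device, layout

def root_partition(cmdline):
    """Resolve root=/dev/mtdblockN to the matching partition tuple."""
    n = int(re.search(r"root=/dev/mtdblock(\d+)", cmdline)[1])
    return parse_mtdparts(cmdline)[1][n]

if __name__ == "__main__":
    dev, layout = parse_mtdparts(CMDLINE)
    for index, name, offset, size in layout:
        print(f"{dev} mtd{index} {name:<7} 0x{offset:06x}-0x{offset + size:06x}")
    print("rootfs:", root_partition(CMDLINE))
```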
With my TV, there was clearly something wrong. I received repeating error messages:
[Montage RS6000 _mt_fe_tn_set_reg] RS6000 set repeater error!
Now what???
First of all: what is this RS6000 my TV is complaining about?
When searching the error message in the vestel.bin file, there are also different messages related to the tuner so I think this is related to the tuner IC:
#strings -n 20 vestel.bin | grep 6000
My version of the technical manual does not list this chip (I have to acknowledge: Vestel provides the full schematic, this is really fine!!!), so it seems I have a different board.
Nevertheless, I need to open the shielded tuners. Here we are, a M88RS6000 IC. This is the DVB-S tuner.
I didn't find any datasheet, but there is Linux support (but with firmware blobs).
Maybe there are some infos if we need to do something about it...
The TV is a 40" TV, brand Medion. This brand is sold in Europe by Aldi (Hofer in Austria) and is known for its "basic" quality. I guess the price was around 250-300€ (I found an offer of 299€ for a 55" TV).
On the Medion homepage, there is no useful information for this device. No firmware files, but a store for some spare parts.
If you open the TV, there are basically 3 PCBs:
After some research, I found the following details:
Time spent: 20h, mostly for finding infos on the internet
Love these kinds of postmortems -- not really a hack, but still really instructive. And reflowing in the oven is pretty smart. I'll have to keep an eye out for TVs that I can try this out on.
You are right, it's not a "classic" hack, but it's also no "classic" repair guide :-).
It would be really nice to change the firmware to disable the tuner, but there are so many projects going on and I lack the knowledge to do this fast....
THX for the feedback!
Well done for preventing another item going into e-waste. I guess it'll be a mystery where the hairline crack happened.