Root shell on a MStar based UMC TV (Sharp LC-24CFG6132EM)

Not being happy with a few things on my Sharp LC-24CFG6132EM smart TV, I decided to dig deeper, hoping to find ways to reconfigure some settings. While I have not achieved that goal yet, I at least managed to gain root access to the Linux system running on the TV. Since the TV set is based on an MStar product, I suspect that my procedure will work for any MStar based TV, at least those manufactured by UMC, which for Europe own the brands of Sharp and Blaupunkt. So here I document the procedure.

Disclaimer: The procedures given here potentially may render your TV useless! Follow the instructions at your own risk! There is no official support for this by MStar, UMC or Sharp, and the settings you gain access to, potentially may brick your device!

To skip my usual bla bla in the beginning, you may directly go to

Motivation

From my earlier blog post you may have learned that I was watching TV with a pretty old SD CRT TV. But two things “forced” me to upgrade: Many TV shows nowadays assume that you have a hi-res TV, and many text inserts are too tiny to read on an SD TV. This sometimes considerably spoils the pleasure. Second reason: The switch to DVB-T2 in Germany. My old set-top box stopped working, and instead of buying a new one, my thoughts went more in the direction of a DVB-T2 capable TV. So I went for a cheap Smart TV, the Sharp LC-24CFG6132EM, which sports Full HD resolution at 24″ screen size – not easy to find other models meeting these specs.

Short Review of the Sharp LC-24CFG6132EM

Here are the pros:

  • FullHD resolution
  • Smart TV: Works really well with HbbTV and IPTV
  • Good panel: Viewing angle OK, colour nice, brightness good, reasonably black when black.
  • Surprisingly good sound for its size. Not something to write home about, but well enough. Still, I mainly use my Stereo for better sound.
  • Radio based remote, not IR – works “around the corner”
  • Slender design, unobtrusive
  • Internet browser OK, Youtube works, Apps from Aquos
  • PVR and timeshift functionality
  • Good connectivity (2x HDMI and some other)
  • HDMI CEC works nicely with my Kodi Media Center
  • Offers Miracast and DLNA client – but not really… (see below)

Here are the cons:

  • The picture “improvement” ActiveMotion 100 creates in certain contrast situations red, black or blue blurs that are strongly visible. This is especially annoying in faces, where lips, nostrils and hair often create dominant red blurs. Actually, that’s the reason I started all the stuff this post is about.
  • Lousy, bug infested software – Miracast and DLNA are practically not usable
  • Slow to boot – needs about 1 minute to be fully up’n’runnin’
  • PVR function is “blocking”, i.e. you can’t start watching a recording while it is still recording. This is rather stupid, since timeshift works just fine – it’s just a bad implementation.
  • Menu functions are blocked when watching IPTV – no way to adjust the picture or the sound (Volume works, but not much more)
  • And some minor things about bad UI design and bugs.

Mainly the blurs are extremely annoying – all the rest is not too important, I can cope with it. I contacted Sharp support, and after quite some back and forth, they told me: The blurs, that’s a broken motherboard – just send it in for repair. Did so: problem persists – no surprise, since I am rather sure it’s purely software/firmware caused.

In the meantime a software update (v. 4.21) went online – which did not fix any bug, but added new ones! IPTV, which worked well before, became unstable like hell! Fortunately I had the old firmware (v. 4.05) at hand from my odyssey with Sharp support… Did a downgrade.

Contacted Sharp support again, and now they offer to switch off ActiveMotion completely (which – stupid as it is – is not possible from any user accessible menu!) – I need to send the device in again *sigh*. I will certainly do so, but first I was curious what I can do myself.

To summarize my review: Currently I’d not recommend to buy this TV. Hardware is decent, but software is really awful!

So, what can I do myself? Will I be able to switch off ActiveMotion myself? That’s the goal. But first, I was able to

Connect to the TV via Debug UART

The TV has a 2.5 mm jack (smaller than the standard headphone jack, which is 3.5 mm) labeled “Service”. Using my Oscilloscope and its serial decode function, I quickly figured out that this is the debug UART, running at 115200,8,N,1, with 3.3 V logic level. Here’s what goes where (please make sure that your TV has the same pin assignment before you follow me blindly!):

Figure: Debug jack pin assignment

So, using either a Raspberry Pi’s UART, or – as I did – a UART to USB converter with 3.3 V logic level, you can use the UART.

When you switch on the TV, you’ll see the U-Boot messages and some more. Still, more is possible, e.g.

Accessing the MStar Console

Right after the TV has been switched on, start hitting Enter on your serial terminal. The TV will stop booting (no picture will come up), and you’ll end up in the MStar command line console. Type help to see what’s possible – and it’s quite a lot! I could not find anything there to directly influence ActiveMotion, but there are many commands that allow modifying the firmware partitions. I did not yet dare to fiddle around there, but perhaps it’s worth a try later. Some commands strongly suggest that using them in a wrong way may brick the TV, so be careful!

Not finding what I was looking for, I aimed for

Accessing the root Shell

From my excessive exchange with Sharp support I learned that pressing

Menu – 1 – 1 – 4 – 7

on the remote brings you into the service menu, which again offers loads of functionality, not all clear to me. Among these there are very useful settings like the overscan, and others I’d say are even dangerous, like the LVDS panel parameters – I’m nearly sure you can render the screen unusable switching the wrong parameters! So: Handle with care!

But this Menu also brings you to the root shell. Do the following steps:

  • Attach UART as given above and open serial connection
  • Use Menu 1147 to access the service menu
  • Navigate to DEBUG
  • Navigate to MSTAR FAC MENU → A new menu opens
  • Navigate to WDT (WatchDogTimer) and switch it Off (otherwise, the TV will switch off after a few seconds after entering the root shell, because some TV functions cease to work when the root shell is entered and the WDT will interpret this as malfunction to be resolved by a reboot)
  • Navigate to “Other” (in German “Andere” – hope the translation is correct – it’s below “PIP/POP” in my case)
  • Turn UART BUS on
  • Hit Enter on your serial session/terminal

That’s it, you’re in! You’ll see a nice root hash prompt, and whoami will tell you you’re root! RC and TV will no longer be responsive, but who cares 🙂 Most volumes are mounted read-only, and so far I did not try to change anything about it. Needless to say that you are one wrong command away from bricking your TV here!

Last remark here: To restart the TV run command reboot, or to switch it off, run poweroff.

Modify Settings

I have not gotten very far with altering settings yet. Still, I figured out a few things: One interesting file seems to be /config/sys.ini. It contains several configurations, among them ActiveMotion. While it is a read-only file with a CRC checksum at its end, from my Sharp support communications I learned that there is a file named UMC_KMODE.txt, and its contents, when presented via USB memory stick, are digested directly into this sys.ini on boot. You’ll even notice that boot takes longer with such a stick/file attached, and the UART shows quite some activity during boot. So here’s the UMC_KMODE.txt I received for my model from Sharp support:

So, when I alter e.g. ADVANCEDCOLOR or ACEPRO from 1 to 0, it goes into sys.ini! And – lo and behold – there’s a line ACTIVEMOTIONID! But, looking into the comments in sys.ini, you’ll learn that it can take values from 1 to 5 – but not 0! And indeed, a zero is just ignored 🙁 So I’m stuck here at the moment… So,

Where to Go From Here?

I’ve only just started some internet research, and looking for “hacking MStar”, there is quite some stuff to be found:

  • These Mstar Android TV firmware tools look really promising (Download on Github)
  • Samsung also seems to use MStar, and there’s a Wiki about hacking it
  • A PDF telling how to hack LG, again using MStar
  • And Kogan (never heard of it before) seems also to do something with MStar, and here you’ll find some report on hacking it even via network.

I am not sure how far I’ll go, but what I certainly will do is send the TV to Sharp and see if they are really able to disable ActiveMotion. Before that, I’ll try to dump the whole firmware somewhere and do a before-after comparison.
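One way to do such a before-after comparison, as an added example that is not part of the original post: it assumes each dump is a directory of per-partition files (the kind of layout the nandbinall command in the comments below is said to write to a thumb drive). The file names OTHER.BIN and NEW.BIN and all file contents in demo() are constructed for illustration.

```python
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # compare in 1 MiB pieces; partition images can be large

def first_difference(a, b):
    """Byte offset where two files first differ, or None if identical."""
    offset = 0
    with open(a, "rb") as fa, open(b, "rb") as fb:
        while True:
            ba, bb = fa.read(CHUNK), fb.read(CHUNK)
            if ba != bb:
                for i, (x, y) in enumerate(zip(ba, bb)):
                    if x != y:
                        return offset + i
                return offset + min(len(ba), len(bb))  # one is a prefix of the other
            if not ba:
                return None  # both files ended without a mismatch
            offset += len(ba)

def compare_dumps(before_dir, after_dir):
    """Compare two dump directories file by file; FAT32 names are case-folded."""
    before = {p.name.upper(): p for p in Path(before_dir).iterdir() if p.is_file()}
    after = {p.name.upper(): p for p in Path(after_dir).iterdir() if p.is_file()}
    report = {"added": sorted(after.keys() - before.keys()),
              "removed": sorted(before.keys() - after.keys()),
              "changed": {}, "unchanged": []}
    for name in sorted(before.keys() & after.keys()):
        offset = first_difference(before[name], after[name])
        if offset is None:
            report["unchanged"].append(name)
        else:
            report["changed"][name] = offset  # where to start looking in a hex viewer
    return report

def demo():
    """Run the comparison on two small constructed dump directories."""
    files = {"before": {"UBI.BIN": b"A" * 4096 + b"\x01", "OTHER.BIN": b"same"},
             "after": {"UBI.BIN": b"A" * 4096 + b"\x02", "OTHER.BIN": b"same", "NEW.BIN": b"x"}}
    with tempfile.TemporaryDirectory() as tmp:
        for side, contents in files.items():
            Path(tmp, side).mkdir()
            for name, data in contents.items():
                Path(tmp, side, name).write_bytes(data)
        return compare_dumps(Path(tmp, "before"), Path(tmp, "after"))

if __name__ == "__main__":
    print(demo())
```

For real dumps, call compare_dumps() with the two directories copied off the thumb drive; the reported offset is only the first mismatch in each changed file, not a full list of differences.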

I’d be happy to learn from anyone who was able to advance further than me – please leave a comment!

 

4 thoughts on “Root shell on a MStar based UMC TV (Sharp LC-24CFG6132EM)”

  1. Hello Hauke,

    Good WEB page – I like it.

    Your findings are very interesting. Please could you preview that sys.ini file in original form? Or even better, send your sys.ini to my email? I want to help you with those variables for color “tuning”. Since I have both Sharp and Blaupunkt LCD TVs (both use the same mainboard but with slightly different FW & UMC_KMODE file) nearby to test, we will try to make some progress …

     

    1. Hi dbg,
      great, will do! May take a few days, since I am currently occupied with different things, but will let you know as soon as I found the time.
      Cheers
      Hauke

  2. Moin Hauke,

    I have a sharp tv which seems to run similar firmware. (LC-49CUF8472ES) You wrote that you like to backup the firmware. I did it on mine by interrupting the boot process by holding down enter while powering on, mboot says press “any” key but only enter worked for me. First important thing, type “printenv” to see environment variables. If “MstarUpgrade_complete” equals 0 you have to set it to 1 again, seems like it will be set to zero every time the autoboot is interrupted. Use “setenv MstarUpgrade_complete 1” and “saveenv” to store the change.

    You need a fat32 formatted thumbdrive, and you need to know the index of the USB port. In my case it was 4, but in case it is different on your model here is how to find it:

    Type “usb reset x” in mboot where x is the index of the USB port, start with 0 and repeat with 1,2,3… until it prints the name of your thumbdrive. If you know the index you can type “nandbinall x” and it will begin to create files for every flash partition on your thumbdrive. “UBI.BIN” is the filesystem.

    Maybe it would be nice to have a raw backup of the nand, that should be possible but I didn’t try it for now.

     

    You mentioned that you downgraded your firmware, I’m not able to find any firmware images on the Internet, did you get them from Sharp support? Can you please drop me an E-Mail with an official firmware image for research? That would be really nice, thanks!

    1. Moin gORDon_vdLg,
      thank you very much for these hints! That saves me a lot of research!
      With regard to firmware: Indeed I got one from my contact to Sharp support, which was quite some odyssey with firmware files sent that did not match my TV etc. – they don’t always seem to know what they are doing. I’ll mail you the versions 4.05 and 4.21 that I have – of course for my model, not yours. Any insights you gain I’m happy to learn about!
      Cheers
      Hauke
