Root shell on a MStar based UMC TV (Sharp LC-24CFG6132EM)
Not being happy with a few things on my Sharp LC-24CFG6132EM smart TV, I decided to dig deeper, hoping to find ways to reconfigure some settings. While I have not achieved that goal yet, I at least managed to gain root access to the Linux running on the TV. Since the TV set is based on a MStar product, I suspect that my procedure will work for any MStar based TV, at least those manufactured by UMC, which for Europe own the brands of Sharp and Blaupunkt. So here I document the procedure.
To skip my usual bla bla in the beginning, you may directly go to
- A short review of the Sharp LC-24CFG6132EM
- Interfacing the TV via UART
- Accessing the MStar Console
- Accessing the root shell
- Change settings using UMC_KMODE.txt
Motivation
From my earlier blog post you may have learned that I was watching TV with a pretty old SD CRT TV. But two things “forced” me to upgrade: Many TV shows nowadays assume that you have a hi-res TV, and many text inserts are too tiny to read on a SD TV. This sometimes considerably spoils the pleasure. Second reason: The switch to DVB-T2 in Germany. My old settop box stopped working, and instead of buying a new one, my thoughts more went into the direction of a DVB-T2 capable TV. So I went for a cheap Smart TV, the Sharp LC-24CFG6132EM, which sports Full HD resolution at 24″ screen size – not easy to find other models meeting this spec’s.
Short Review of the Sharp LC-24CFG6132EM
Here’s the Pro’s:
- FullHD resolution
- Smart TV: Works really well with HbbTV and IPTV
- Good panel: Viewing angle OK, colour nice, brightness good, reasonably black when black.
- Surprisingly good sound for its size. Not something to write home about, but well enough. Still, I mainly use my Stereo for better sound.
- Radio based remote, not IR – works “around the corner”
- Slender design, unobtrusive
- Internet browser OK, Youtube works, Apps from Aquos
- PVR and timeshift functionality
- Good connectivity (2x HDMI and some other)
- HDMI CEC works nicely with my Kodi Media Center
- Offers Miracast and DLNA client – but not really… (see below)
Here’s the Con’s:
- The picture “improvement” ActiveMotion 100 creates in certain contrast situations red, black or blue blurs that are strongly visible. This is especially annoying in faces, where lips, nostrils and hair often create dominant red blurs. Actually, that’s the reason I started all the stuff this post is about.
- Lousy, bug infested software – Miracast and DLNA are practically not usable
- Slow to boot – needs about 1 minute to be fully up’n’runnin’
- PVR function is “blocking”, i.e. you can’t already start to watch a recording while it still records. This is rather stupid, since timeshift works just well – it’s just a bad implementation.
- Menu functions are blocked when watching IPTV – no way to adjust the picture or the sound (Volume works, but not much more)
- And some minor things about bad UI design and bugs.
Mainly the blurs are extremely annoying – all the rest is not too important, I can cope with it. I contacted Sharp support, and after quite some back and forth, they told me: The blurs, that’s a broken motherboard – just send it in for repair. Did so: problem persists – no surprise, since I am rather sure it’s purely software/firmware caused.
In the meantime a software update (v. 4.21) went online – which was not helping with any bug, but added new ones! IPTV, which worked well before, became unstable like hell! Fortunately I had the old firmware (v. 4.05) at hand from my odyssey with Sharp support… Did a downgrade.
Contacted Sharp support again, and now they offer to switch off ActiveMotion completely (which – stupid as it is – is not possible from any user accessible menu!) – I need to send the device in again *sigh*. I will certainly do so, but first I was curious what I can do myself.
To summarize my review: Currently I’d not recommend to buy this TV. Hardware is decent, but software is really awful!
So, what can I do myself? Will I be able to switch off ActiveMotion myself? That’s the goal. But first, I was able to
Connect to the TV via Debug UART
The TV has a 2.5 mm jack (smaller than the standard headphone jack, which is 3.5 mm) labeled “Service”. Using my Oscilloscope and its serial decode function, I quickly figured out that this is the debug UART, running at 115200,8,N,1, with 3.3 V logic level. Here’s what goes where (please make sure that your TV has the same pin assignment before you follow me blindly!):
So, using either a Raspberry Pi’s UART, or – as I did – a UART to USB converter with 3.3 V logic level, you can use the UART.
When you switch on the TV, you’ll see the U-Boot messages and some more. Still, more is possible, e.g.
Accessing the MStar Console
When the TV just switched on, start hitting Enter on your serial terminal. The TV will stop booting (no picture will come up), and you’ll end up in the MStar command line console. Type help to see what’s possible – and it’s quite a lot! I could not find anything there to directly influence ActiveMotion, but there are many commands that allow to modify the firmware partitions. I did not yet dare to fiddle around there, but perhaps it’s worth a try later. Some commands strongly suggest that using them in a wrong way may brick the TV, so be careful!
Not finding what I was looking for, I aimed for
Accessing the root Shell
From my excessive exchange with Sharp support I learned that pressing
Menu – 1 – 1 – 4 – 7
on the remote brings you into the service menu, which again offers loads of functionality, not all clear to me. Among these there are very useful settings like the overscan, and others I’d say are even dangerous, like the LVDS panel parameters – I’m nearly sure you can render the screen unusable switching the wrong parameters! So: Handle with care!
But this Menu also brings you to the root shell. Do the following steps:
- Attach UART as given above and open serial connection
- Use Menu 1147 to access the service menu
- Navigate to DEBUG
- Navigate to MSTAR FAC MENU → A new menu opens
- Navigate to WDT (WatchDogTimer) and switch it Off (otherwise, the TV will switch off after a few seconds after entering the root shell, because some TV functions cease to work when the root shell is entered and the WDT will interpret this as malfunction to be resolved by a reboot)
- Navigate to “Other” (in German “Andere” – hope the translation is correct – it’s below “PIP/POP” in my case)
- Turn UART BUS on
- Hit Enter on your serial session/terminal
That’s it, you’re in! You’ll see a nice root hash prompt, and whoami will tell you you’re root! RC and TV will no longer be responsive, but who cares 🙂 Most volumes are mounted read-only, and so far I did not try to change anything about it. Needless to say that you are one wrong command away from bricking your TV here!
Last remark here: To restart the TV run command reboot, or to switch it off, run poweroff.
Modify Settings
I am not very far with regard to altering settings yet. Still, I figured out a few things: One interesting file seems to be /config/sys.ini. It contains several configurations, among them ActiveMotion. While it is a read-only file with a CRC checksum at its end, from my Sharp support communications I learned that there is a file named UMC_KMODE.txt, and its contents, when presented via USB memory stick, are directly digested into this sys.ini on boot. You’ll even notice that boot takes longer with such a stick/file attached, and the UART shows quite some activity during boot. So here’s the UMC_KMODE.txt I received for my model from Sharp support:
```
K0
MODELNAME:A24CF6132EB22H
PANELID:11
IRID:5
KEYPADTYPE:1
ACTIVEMOTIONID:1
SPEAKERID:7
DVBSENABLE:1
PVRENABLE:1
DVDENABLE:0
RESOLUTION:2
DVD:0
AQUOSLED:1
USBMEDIA:1
PVR:1
SDCARD:0
HEVC:1
ADVANCECOLOR:1
ACEPRO:1
DOLBY:1
DTS2:0
DTSTRU:1
DTSSTUDIO:0
DVBT2:0
DVBS2:1
SMART:1
MIRACAST:1
SSCONNECT:1
DLNA:1
HDMI:2
BLUETOOTH:0
RFRC:1
HKSOUND:0
VGA:0
```
So, when I alter e.g. ADVANCECOLOR or ACEPRO from 1 to 0, it goes into sys.ini! And – lo and behold – there’s a line ACTIVEMOTIONID! But, looking into the comments in sys.ini, you’ll learn that it can take values from 1 to 5 – but not 0! And indeed, a zero is just ignored 🙁 So I’m stuck here at the moment… So,
Where to Go From Here?
I’ve just only started some internet research, and looking for “hacking MStar”, there is quite some stuff to be found:
- These Mstar Android TV firmware tools look really promising (Download on Github)
- Samsung also seems to use MStar, and there’s a Wiki about hacking it
- A PDF telling how to hack LG, again using MStar
- And Kogan (never heard of it before) seems also to do something with MStar, and here you’ll find some report on hacking it even via network.
I am not sure how far I’ll go, but what I certainly will do is send the TV to Sharp and see if they are really able to disable ActiveMotion. Before that, I’ll try to dump the whole firmware somewhere and do a before-after comparison.
I’d be happy to learn from anyone who was able to advance further than me – please leave a comment!
Update March 21st 2019: Device *trashed*…
I finally took the time to send in the TV set to have the ActiveMotion feature removed. Result: PST, which is the repair service for Sharp UMC, just wrote me a lapidary mail, that the device is beyond repair and was – trashed! They did not even ask for consent! They just trashed my property! I am shocked and was rather mad with them on the phone. It’s a bit like having your garage call to say that the motor of your car was beyond repair, so they just put the car into the scrap press. They could not even understand my anger, they just said: What’s your problem? You get the money back, and it was broken anyhow… I do not believe a single word. They just decided they can’t do the change and that it’s cheaper to end the process here. That’s doubly annoying, since I cannot find a new 24″ Smart-TV with FullHD anywhere… Ba*tards!
UMC_KMODE.txt
So one thing is worth mentioning still, because before I sent the unit in I played around a bit, and I looked closer into sys.ini. The remarks there suggested that I could set ACTIVEMOTIONID to anything between 1 and 5 (see above), listing a number of features behind the numbers. I tried every number, and nice enough, when you go above one, in the picture menu a new sub-menu appears called “Expert settings”. In there is more picture control, like color control, backlight control etc. However, ActiveMotion was still missing 🙁 But ActiveMotion was less pronounced for any value above one, and the artifacts were more bearable. Another reason to be angry about the disaster…
I can only encourage you to put a modified UMC_KMODE.txt on a USB drive, let the TV digest it and enjoy the new menu. You can (and should) remove UMC_KMODE.txt after that, since the boot process is considerably slower with the file present. The new settings are kept by the TV after removal, so that’s fine. To revert to the old settings you’d need to present a suitable UMC_KMODE.txt again.
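A small helper for preparing such a modified UMC_KMODE.txt, as an added example that is not part of the original post or of any Sharp/UMC tooling. It assumes one KEY:VALUE entry per line after the K0 header (as in the listing above); `patch_kmode` and `RANGES` are hypothetical names, and the sample text is constructed from the first lines of that listing.

```python
import re

# Constructed sample: a few lines of the UMC_KMODE.txt quoted in the post.
SAMPLE = ("K0\nMODELNAME:A24CF6132EB22H\nPANELID:11\n"
          "ACTIVEMOTIONID:1\nADVANCECOLOR:1\nACEPRO:1\n")

# Only range the post documents (from the comments in sys.ini): 1 to 5.
# A value of 0 is silently ignored by the TV, so reject it before writing.
RANGES = {"ACTIVEMOTIONID": range(1, 6)}


def patch_kmode(text, changes):
    """Apply {key: value} to a UMC_KMODE.txt body.

    Returns (new_text, changed) where changed maps key -> (old, new).
    Line order, the K0 header and untouched lines are preserved.
    """
    lines = text.splitlines()
    index = {}
    for n, line in enumerate(lines):
        m = re.fullmatch(r"([A-Z0-9]+):(.*)", line.strip())
        if m:  # header lines such as "K0" have no colon and are kept as-is
            if m.group(1) in index:
                raise ValueError(f"duplicate key {m.group(1)}")
            index[m.group(1)] = (n, m.group(2))

    changed = {}
    for key, value in changes.items():
        # A misspelled key would just be one more line the TV ignores.
        if key not in index:
            raise KeyError(f"{key} is not present in the file")
        value = str(value)
        allowed = RANGES.get(key)
        if allowed is not None and (not value.isdigit()
                                    or int(value) not in allowed):
            raise ValueError(f"{key}={value} is outside the documented range")
        n, old = index[key]
        if old != value:
            lines[n] = f"{key}:{value}"
            changed[key] = (old, value)

    # Keep the line-ending style of the input (assumption: it matters).
    newline = "\r\n" if "\r\n" in text else "\n"
    return newline.join(lines) + newline, changed


if __name__ == "__main__":
    new_text, changed = patch_kmode(SAMPLE, {"ACTIVEMOTIONID": 3})
    print(changed)
    print(new_text, end="")
```

Keeping the unmodified file next to the patched one gives you the “suitable UMC_KMODE.txt” needed to revert.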
Hello Hauke,
Good WEB page – I like it.
Your findings are very interesting. Please could you preview that sys.ini file in original form? Or even better send me your sys.ini to my email? I want to help you with those variables for color “tuning”. Since I have both Sharp and Blaupunkt LCD TV (both use the same mainboard but with slightly different FW & UMC_KMODE file) near to test, we will try to make some progress …
Hi dbg,
great, will do! May take a few days, since I am currently occupied with different things, but will let you know as soon as I found the time.
Cheers
Hauke
Moin Hauke,
I have a sharp tv which seems to run similar firmware. (LC-49CUF8472ES) You wrote that you like to backup the firmware. I did it on mine by interrupting the boot process by holding down enter while powering on, mboot says press “any” key but only enter worked for me. First important thing, type “printenv” to see environment variables. If “MstarUpgrade_complete” equals 0 you have to set it to 1 again, seems like it will be set to zero every time the autoboot is interrupted. Use “setenv MstarUpgrade_complete 1” and “saveenv” to store the change.
You need a fat32 formatted thumbdrive, and you need to know the index of the USB port. In my case it was 4, but in case it is different on your model here is how to find it:
Type “usb reset x” in mboot where x is the index of the USB port, start with 0 and repeat with 1,2,3… until it prints the name of your thumbdrive. If you know the index you can type “nandbinall x” and it will begin to create files for every flash partition on your thumbdrive. “UBI.BIN” is the filesystem.
Maybe it would be nice to have a raw backup of the nand, that should be possible but I didn’t try it for now.
You mentioned that you downgraded your firmware, I’m not able to find any firmware images on the Internet, did you get them from Sharp support? Can you please drop me an E-Mail with an official firmware image for research? That would be really nice, thanks!
Moin gORDon_vdLg,
thank you very much for these hints! That saves me a lot of research!
With regard to firmware: Indeed I got one from my contact to Sharp support, which was quite some odyssey with firmware files sent that did not match my TV etc. – they don’t always seem to know what they are doing. I’ll mail you the versions 4.05 and 4.21 that I have – of course for my model, not yours. Any insights you gain I’m happy to learn about!
Cheers
Hauke
Ahoi,
I did some research last weekend and I think this information can save your and other peoples time so I decided to post some hints right here.
Firmware files are encrypted with AES; dipcore’s “mstar-bin-tools” repository on GitHub contains an AES tool as a win32 binary. Sources for another version of this tool can be found on the Internet, but they use 256 Bit key length, CBC and a checksum. The firmware images use 128 Bit without any headers. But since it makes sense to use Linux to fiddle around with Linux firmware images, I debugged that tool and found out that it is using AES in ECB mode and it is just decrypting the whole file. The default key found in that repository works for your files. I wrote a python script for that to be platform independent, it works but is not finished right now. I think I’ll do a pull request to dipcore’s repository when the script is ready.
Firmware images are starting with a script for the mboot bootloader. Most stuff is loaded from the binary file and will be decompressed with the “mscompress7” script command. This command uses LZMA compression and the classic LZMA file format (5 Bytes lzma properties, 8 Bytes decompressed file length, n Bytes compressed stream). This data can be decompressed with the “xz” command line tool, the important thing you should know is that this command line tool will interpret files with data after the compressed stream as corrupted and will refuse to extract them. This is important because in the firmware images every stream seems to end with 0xBEEF and some 0x00 padding. If you want to extract something, dump the data without 0xBEEF and save it as *.lzma, then the “xz” tool will extract it.
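The stream layout described in the comment above, worked through as an added example (not the commenter's script and not code from mstar-bin-tools). It decodes one classic-LZMA stream, reports what follows it, and returns the clean bytes that `xz` will accept as a *.lzma file; `split_stream` is a hypothetical name, the sample blob is constructed, and the byte order of the 0xBEEF marker is an assumption, so both orders are accepted.

```python
import lzma
import re
import struct

UNKNOWN_SIZE = 0xFFFFFFFFFFFFFFFF  # .lzma header value meaning "length not stored"

# Constructed sample: a classic-LZMA stream followed by the trailer the
# comment describes (0xBEEF, then 0x00 padding).
SAMPLE_PAYLOAD = b"constructed sample payload " * 40
SAMPLE_STREAM = lzma.compress(SAMPLE_PAYLOAD, format=lzma.FORMAT_ALONE)
SAMPLE_BLOB = SAMPLE_STREAM + b"\xbe\xef" + b"\x00" * 14


def split_stream(blob):
    """Decode one classic-LZMA stream that may carry a BEEF/zero trailer.

    Returns (data, clean_lzma, trailer):
      data       - the decompressed bytes
      clean_lzma - the stream without the trailer (what xz accepts)
      trailer    - the bytes found after the end of the stream
    """
    if len(blob) < 13:
        raise ValueError("shorter than the 13-byte .lzma header")
    # 5 property bytes (1 byte lc/lp/pb + 4 bytes dictionary size, little
    # endian), then the 8-byte decompressed length.
    _props, _dict_size, declared = struct.unpack("<BIQ", blob[:13])

    dec = lzma.LZMADecompressor(format=lzma.FORMAT_ALONE)
    data = dec.decompress(blob)
    if not dec.eof:
        raise ValueError("stream is truncated")
    if declared != UNKNOWN_SIZE and declared != len(data):
        raise ValueError("decompressed length does not match the header")

    # Everything the decoder did not consume is the trailer. Anything other
    # than the marker plus zero padding suggests a wrong offset or a wrong
    # AES key in the previous step.
    trailer = dec.unused_data
    if trailer and not re.fullmatch(rb"(\xbe\xef|\xef\xbe)\x00*", trailer):
        raise ValueError("unexpected bytes after the stream")

    clean_lzma = blob[:len(blob) - len(trailer)]
    return data, clean_lzma, trailer


if __name__ == "__main__":
    data, clean, trailer = split_stream(SAMPLE_BLOB)
    print(len(data), len(clean), trailer[:2].hex(), len(trailer))
```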
This is fascinating stuff!
I’ve just bought a Sharp LC-24DHG6131K, and after having some issues with Wifi dropping out and a bit of hacking about, I encountered the hidden menu.
Unfortunately I haven’t been able to sort out the wifi so I’ve contacted Sharp to see if there’s a firmware fix but I’m still waiting to hear from the factory.
Meanwhile I’ve been testing the picture settings, changing white balance settings to improve the picture.
I’m interested to see if I can enable more features by either upgrading firmware or changing the configuration through linux directly. I’d like to add extra catchup apps (ITV hub, All4, 5 on demand, UKTV Play) from here in the uk and also use the new Freeview Play tv guide as the EPG TV guide I’m using is slow and buggy.
Any information or advice is always appreciated!
Hi Matthew,
thanks for the feedback!
Honestly, I cannot give very much advice. This is just a side project, and I will not spend very much time on digging deeper. I must even admit that my busy last half year even kept me from sending in the TV set, contrary to what my original plans were.
Still, in the post there are a few links where I would expect you might find help.
And, if you are in for some serious hacking and programming, I guess it should be possible to achieve a lot! From some error messages my TV showed in the meantime I learned that the OS is actually some kind of Android. So I’d assume that you might even be able to install “real” Android on it, but certainly this would mean a lot of hard work.
If you learn more, please do not hesitate to report here! Would appreciate that!
Cheers and happy Christmas!
Hauke
I have a LC-40FI5242KF Sharp TV which has been very poor, it “had” Freeview play with all of the apps BBC, ITV, 4, 5 and Netflix but it was constantly crashing and rebooting, so after contacting support they have sent me some new firmware/software to install via USB, so I have installed this and the menus look pretty good and it seems faster scrolling through the EPG but I now have noticed that I don’t have Freeview Play anymore, when I press the freeview play button the TV reboots and then goes back to the initial setup screen meaning I have to select language and connect to WIFI again and rescan the channels, so there must be some way of enabling this, I am going to go back to support and raise it. I have had a look in the UMC_KMODE file that came with the 2 software files they sent but cannot see any obvious setting to enable this.
I will let you know how I get on!
Joe