[Report Back] about succesfuly restored bricked TV

[juusso]

Hello all,

i want to tell our experience of reanimation and restoring bricked le32b652T4W.
What was the problem: wrong commands were executed and by mistake tbml2 and tbml4 were erased and tbml5(kernel) partition was overwritten with dump image of u-boot. After TV restart TV went on directly to bootloader menu. There was another important option - Watchdog on service menu was ON
And TV was always restarting every 10 sec and no possibility to restore partitions from u-boot promt.

At first we have tried to boot kernel via u-boot from Fat32 formated USB using kernel made by SamyGO OpenEmbedded
(the process of making kernel was long, up to 12 hours...)
We discovered, that booting time from USB was quite long (uImage 17 sec and kernel 16 sec whole time was 33 sec), but the problem, we had just 10 sec at all to play with until TV resets. Then we tried to boot from tftp server and this way was quicker: uImage 3-4 sec and for kernel 14-15 sec. Full boot time until telnet starts and console shows request to login was 18 sec. To long too...

We needed to kill watchdog to have more time and finally it was done. Because there was no /mtd_boot/ mountig, MicomCtrl 23 command didn`t work at all. We copied MicomCtrl file from working system to rootfs on ext3 partition to /usr/sbin/ folder and modified /etc/init.d/busybox-telnetd script like:

Code: Select all

#!/bin/sh
 
DAEMON=/usr/sbin/telnetd
NAME=telnetd
DESC="Busybox Telnet Daemon"
ARGS=""
 
test -f $DAEMON || exit 0
 
set -e
 
case "$1" in
    start)
	echo -n "Killing watchdog "
	/usr/sbin/MicomCtrl 23
        echo "done."
        echo -n "Starting $DESC: $NAME... "
        start-stop-daemon -S -b -n $NAME -a $DAEMON -- $ARGS
        ;;
    stop)
        echo -n "Stopping $DESC: $NAME... "
        start-stop-daemon -K -n $NAME
        echo "done."
        ;;
    restart)
        echo "Restarting $DESC: $NAME... "
        $0 stop
        $0 start
        echo "done."
        ;;
    reload)
        echo -n "Reloading $DESC: $NAME... "
        killall -HUP $(basename ${DAEMON})
        echo "done."
        ;;
    *)
        echo "Usage: $0 {start|stop|restart|reload}"
        exit 1
        ;;
esac
 
exit 0

After this we were able to stop Watchdog and get to console by pressing Ctrl+c :

Code: Select all

...
Creating tmpfs at /dev
Populating /dev using mdev
Remounting root file system...
Configuring update-modules.
Configuring util-linux-ng.
update-alternatives: Linking //bin/dmesg to dmesg.util-linux-ng
update-alternatives: Linking //bin/kill to kill.util-linux-ng
Killing watchdog done.
Starting Busybox Telnet Daemon: telnetd...
SamyGO localhost ttyS1

localhost login:

Without pressing ctrl+c we didn`t stop Wachdog, not enought time.

Next task was more difficult as we thought before. The kernel from SamyGO OpenEmbedded was not fully working. There was no chance to restore or dump any partition, because on such compiled kernel were missing some modules for enabling NAND flash mode. (wiki).Copying these modules (coped from /mtd_boot/modules of working system - fsr.ko, rfs.ko and fsr_stl.ko) did not help: was unable to load them (there were a lot of errors about unknown symbols after insmod command). No NAND flash mode - no chance to recovery TV. Copying libraries from working Tvs /lib folder did not change anything. Some missing binaries were copied from /sbin and /bin. No success too.

Notice: we had full dumps of tbml1-tbml7 made earlier.

We have discovered, that after powered on, process of startup reads data from NAND flash and writes it to memory (DRAM) and from memory are partitions and all data further loading and starting TV. From partition table we got start addresses for kernel: 0x61000000 and for u-boot: 0x60200000.

Idea was to write needed partitions to right places of DRAM (not NAND) and boot TV. Because the OE kernel was not working for us, we needed another kernel. No knowledges about compilation of another kernel...

Then we used dump of tbml5 partition made with bml.dump before TV crush. Unchanged dump was not working and we got errors:

Code: Select all

## Booting image at 61000000 ...
Bad Magic Number

After few researches we used mkimage tool on linux computer and changed this tbml5 dump this way :

Code: Select all

mkimage -A arm -O linux -T kernel -a 0x60008000 -e 0x60008000 -C none -n "Original Samsung Kernel" -d ./tbml5 uImage

And swaped uImage from OE on tftp service directory with this tbml5 dump of original kernel.

From this moment all steps were made from u-boot promt:

1. bbm load kernel
2. cp 61000000 60200000 100000
3. go 60200000
4. setenv ipaddr 192.168.1.105;setenv gatewayip 192.168.1.1;setenv serverip 192.168.1.100
5. tftp
6. bootm

Finaly - after bootm command we got fully operating TV and we were able to connect via telnet and use tbml.restore commands to restore necessary deleted partitions.

Big hard work was made by Perforator from forum.ixbt.com with help of some forum users, and with advices from #samygo irc channel too. Thank you guys!

[juusso]

Hi, guys!

I have another story with happy end

The patient: UA32B6000VR with original firmware on it T-CHL5DEUC 2004.1. After dummy firmware upgrade was done, ve`ve got a problem.

Problem: TV was upgraded with firmware for model for European TV (T-CHL5DEUC 2009.0_step1 - this is actually the latest firmware with all restrictions - UDN, no u-boot, no TOP debug menu, no further upgrade except encrypted 2010.1_step2 firmware). The main problem - no working USB port left. Ex-Link cable was showing debug log w/o possibility to enter to console. I don`t know why TV accepted firmware from UE TVs...

Solution:
Needed to have a working USB an it was done. An idea was, that wrong firmware didn`t block USB port, but it plugged of this working USB and plugged on the second one, which was not soldered. It was enough to solder the missing USB connector (i will write later about soldering process) and USB became working. Fully functional - watching movies from USB (with trick on SM definitely) was w/o problems.

Next what was to make - restore tbml2,4 and 5 partitions to revert back the original firmware. We didn`t have dumps of exact version of our TV and
i asked for help in this forum and merv07 did help. Many thanks for him! He made dumps from partitions tbml1-7 from his TV UA32B6000VF T-CHL5DAUC v.2001.1. I compared by content those dumps with files from another full firmware version T-CHL5DCNC v.1010.0 (it has boot.img, onboot.bin, onw.bin, u-boot.bin, fnw.bin, Image, rootfs.img inside),that we found on Samsungs official download site. The result was:

T-CHL5DAUC______T-CHL5DCNC

tbml1 ------------->onboot.bin Identical, exept empty lines at the end
tbml2 ------------->u-boot Not equal, just few blocks of code are similar
tbml3 ------------->uboot_env.bin just first two or three bits are different, other code 100% identical
tbml4 ------------->onw.bin code nearly 100% identical
tbml5 ------------->Image code absolutely 100% identical
tbml6 ------------->rootfs.img code 50/50

The general conclusion we made, that those dumps should work on our TV.

The basis for hybrid firmware upgrade file was firmware T-CHL5DEUC 2010.1_step2 because TV didn`t accept any other firmware (for well known reasons). Some files were deleted and the USB disk structure was like:

Code: Select all

T-CHL5DEUC
----image
--------info.txt
--------major_version
--------minor_version
--------version_info.txt
--------u-boot.bin
--------fnw.bin
--------Image

After inserting this USB, TV noticed, that no firmware upgrade file was found. Then the full untouched firmware upgrade USB with firmware T-CHL5DEUC 2010.1_step2 was inserted and after this TV reported being ready for upgrade. Cancel was pressed, USB disk was disconnected, required images were added and other files were deleted... and the same USB was reinserted back to TV. TV reporded being ready for firmware upgrade and after OK was pressed, upgrade process started. It was done w/o errors and after few seconds TV rebooted.
After TV restart u-boot menu, TOP debug menu were available and the Ex-link console is still accepting commands.

Try to revert back firmware with help of erdem-ua script was unsuccessfull:

Code: Select all

# chmod 755 /dtv/usb/sda1/telnet.sh
# sh +x /dtv/usb/sda1/telnet.sh
/dtv/usb/sda1/telnet.sh: /dtv/usb/sda1/telnet.sh: 5: ./busybox: not found
.
.
.!!!!!!!!!!!!!!! Start script. Wait....for next message....!!!!!!!!!!!!!!!.
mount: Mounting /dev/tbml8 on /dtv/test failed: Invalid argument
egrep: /dtv/test/exeDSP: No such file or directory
/dtv/usb/sda1/telnet.sh: /dtv/usb/sda1/telnet.sh: 42: cannot create ./error.log: Read-only file system
.
.done!
.!!!!!!!!!!!!!!! Now go to firmware update menu !!!!!!!!!!!!!!!.

Alternative firmware (the actual native for this TV) was activated with command:

Code: Select all

touch /mtd_rwarea/PartitionSwitch_0_0

TV restarted to T-CHL5DEUC 2004.1 for UA32B6000VR TV. After this TV was upgraded twice with 2004 and 2005 firmwares.
Another additional test was made: u-boot.bin, found in T-CHL5DCNC firmware, was flashed to TV and the result was excellent - u-boot is fully working state too.


Some Experience

Before making this, i made some experiments on my own TV.
1. tbml0/2 (u-boot) partition was erased and to confirm that, the dump after was made - here were only zeros. After TV reboot - no u-boot was found.
2. I remade tbml2 dump from working TV (empty bytes (ff ff) were removed from the end of the file with help of HEX editor)
3. The dump file was renamed to u-boot.bin and placed to USB/T-CHL7DEUC/image folder.
Basis for investigations was T-CHL7DEUC 2005.0 firmware upgrade file for LE40B653T5WXBT. I deleted exe.img, appdata.img and validinfo.txt from USB flash disk. The USB file structure was like:

Code: Select all

USB
--T-CHL7DEUC
----crc
----ddcmp
----MicomCtrl
----rc.local
----run.sh.enc
-----------image
---------------info.txt
---------------serial_temp
---------------u-boot.bin
---------------version_info.txt

4. USB was plugged in, TV asked for firmware upgrade. OK was pressed. Upgrade process was very short and without any errors.
5. After TV reboot i was able to enter to u-boot menu by pressing

Code: Select all

shift + "`"

I think this info can be helpful for safe restoring deleted partitions after reverting back from the latest firmware.

Added on Sat Oct 16, 2010 11:50 am:
Few days later made another tests with T-CHL7DEUC 3000.2 firmware upgrade file on my TV. I upgraded my TV with T-CHL7DEUC_3000.2_step1.exe firmware. As i`ve expected bml2, bml4 were deleted and bml5 was changed by install process of this firmware.

I tried to add u-boot.bin, fnw.bin and Image to step1 USB upgrade file, but after upgrade i got all these partitions changed (no success)

Then i attached 3001.1_step2 upgrade USB to TV and after TV noticed about new FW upgrade, i disconnected USB, deleted some files (i wrote before about), added theese three images (fnw.bin and Image) and after re-insertion of USB pressed OK. Upgrade process was broken on about 60-70% and nothing was restored.
On ExLink log i got:

Code: Select all

Source : 5120  Window Type : 0  Back End Decoder Type : 4
ICPCFlashDevice  read size error : return size(524288)
ICPCFlashDevice  read size error : m_size = 0
errno = 0
ICPCFlashDevice  read size error : return size(524288)
ICPCFlashDevice  read size error : m_size = 0
errno = 0
sd 5:0:0:0: rejecting I/O to device being removed
Buffer I/O error on device sda1, logical block 15514
[DEV_USB    ] [bool CUsbEventService::SendEvent(int, int, int)] In... sdndMessageType:1394000   param1:45782088   param2:0
 
MESSAGE_USB_DISCONNECTED
sda: assuming drive cache: write through
sda: assuming drive cache: write through
FAT: utf8 is not a recommended IO charset for FAT filesystems, filesystem will be case sensitive!
[DEV_USB    ] [bool CUsbEventService::SendEvent(int, int, int)] In... sdndMessageType:1394000   param1:47289288   param2:0
 
[ROSE_ERROR ] [BackupUsbInfo:458] No More Data...
MESSAGE_USB_CONNECTED
&&&&&&&&&&&&&&&&& USB node ID = 0
==> Add Partition (0, 0, USB Flash Drive)
>>>@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The Size of USB Device List (App) = 1
        Device Type = MSC Device
        Device ID = 0
        Device model = USB Flash Drive
        Device vendor = A-DATA
                Partition ID = 0
                Partition Path = /dtv/usb/sda1
                Partition FS = vfat
                Partition Serial = 8f619540c6063d
                Partition Devpath = 1
                Partition Lun = 0
                Capacity = [3935616/3936220]
                Storage ID = 0x0
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@<<<
 
 
fsrerase /dev/bml0/8
This program is operated over FSR based
The flash memory blocks have been erased successfully.

I deleted Image and repeated the test again. In this case upgrade process was successful, after reboot i got u-boot working and tbml4 was restored too. Few more tests were made but it didn`t not help to restore kernel (Image). I tried to delete files from USB directly via telnet (to avoid re-insertion of USB), but always i got the same - with Image (alone or with u-boot.bin and fnw.bin) TV upgrade process broke. In all cases the bml0/8 partition was deleted on the beginning of upgrade (i didn`t notice this on the same tests on 2005.0 firmware).
The log was the same:

Code: Select all

Source : 5120  Window Type : 0  Back End Decoder Type : 4
ICPCFlashDevice  read size error : return size(524288)
ICPCFlashDevice  read size error : m_size = 0
errno = 0
ICPCFlashDevice  read size error : return size(524288)
ICPCFlashDevice  read size error : m_size = 0
errno = 0
fsrerase /dev/bml0/8
This program is operated over FSR based
The flash memory blocks have been erased successfully.

Any ideas?


How about
It would be great to make some rescue firmware upgrade set,that restores deleted partitions and in the same time disables watchdog (if it is ON) and sets debug option on ServiceMenu to have access via Ex-Link cable. Any suggestions?

Added on 25.11.2010

Partialy i have done my idea - to restore bricked partitions or firmware by game. (or script if you run it from console). Read more.
Force firmware back

[juusso]

Have you soldered that missing USB port or not? If yes, have you access to that USB?
p.s. what is your exact TV model and original firmware? i guess T-CHL5DAUC?