Hacking T-RBYDEUC Firmware - LE40A756 and A856

[erdem_ua]

Could you tell us that if this devices support NFS share, CIFS share and UPNP shares? ( for compatibility chart.)
CIFS would require kernel module. Is it available? Could you mount it? Whats about UPNP? THanks.

[erdem_ua]

No where. You needed to patch your firmware. Because redistributing of this software could arise legal problems.
There is help on Wiki pages.

[tom_van]

Hi all,

first let me thank to all brave hackers who are making big progress here.

I have a LE46A956 purchased in November 2008 upgraded to T-RBYDEUC 1013 firmware.
I tried johnd19's modification but all looks like my TV ignores it at all.
I flashed firmware with start.sh modified according to instructions in this forum, then I tried several own modifications to ensure calling usb.sh. Finally I flashed content of LE46A956.rar from wiktor_m's ftp. Doors stay closed.

1) I'm not able to get debug output on RS232.
I used INFO-MENU-MUTE-POWER, navigated to Advanced, entered 0-0-0-0, then selected ?Control? and change ?Service Select? from Normal to Sti. This change does not seem to make any change on serial line, also after TV reboot ?Service Select? is set back to Normal.
The only output from RS232 is

Code: Select all

Enter MBL..[0001]
_ShadowOS.

at 115200Bd when booting starts
and 3 times binary 00 A4 03 01 00 01 97 at 9600Bd in time when TV is shown.
No response to sending debug, ~ or whatever to line at different baud rates

2) telnet connection to tv's IP is refused (ping and dlna works)

3) usb.sh is probably not called at all. I entered commands

Code: Select all

sleep 30
/mtd_boot/MicomCtrl 18
killall -9 exeDSP

to usb.sh script and TV worked as normally.

What am I doing wrong? Is there a problem in flashing modified version 1013 over the same version number?
Can anybody with telnet access to LExxA956 send the output of mount command?

[erdem_ua]

AFAIK you can enable Telnet access with Telnetd Application.
I forget to put them download area. I wish I can put them tomorrow, you can find them in the forum.

[tom_van]

Is there a problem in flashing modified version 1013 over the same version number?

Yes! I sorted out the problem downgrading to modified version 1012.
So if you have flashed version 1013 in both actual and backup firmware,
extra updates to 1013 are not actually run by TV. They might be written
just as a backup.

AFAIK you can enable Telnet access with Telnetd Application.
I forget to put them download area. I wish I can put them tomorrow, you can find them in the forum.

Thanks for help. Do you really mean Telnetd Application for LE46A956 with SH4 CPU?

[erdem_ua]

Thanks for help. Do you really mean Telnetd Application for LE46A956 with SH4 CPU?

Yes, since A series have SH4 CPU

[tom_van]

since A series have SH4 CPU

Unfortunately wiki page Samsung_A_Series_(2008_Model)_Hacks talks mainly about T-SPHAUSC (Models LNxxA850 and LNxxA860), which AFAIK are ARM powered, or not? Anyways I'll be happy to add some info about LE46A956 to the wiki. Also it would be nice to extend "Table Of Compatibility" and enter info about CPU and kernel version if known.

[tom_van]

I recently bricked my LE46A956 after a modification of SWU_T-RBYDEU_001013_I02_EK000DK000_090417 firmware. Don't worry, I'm not asking for help. My TV is working again after a busy night of hacking. Some of my experience might be worth for others:

Usual warning: YOU CAN BRICK YOUR TV (if you haven't bricked it already)

U-Boot

I confirm that boot can be interrupted sending <space> character to the ExLink serial line @115200baud 8bits No parity. The right moment is just after OneBoot outputs

Code: Select all

Enter MBL..[0001]
_ShadowOS.

and uboot starts. As bootdelay is originally set to 0, best practice is hold space when TV switched on and let autorepeat do the job.
If you have configured UART Select to STi in service menu, uboot work normally. If not, don't expect a fancy prompt, uboot is crippled by setting GD_FLG_SILENT in gd->flags. Source from Samsung is not available, I believe
ftp://ftp.stlinux.com/pub/stlinux/2.0/S ... 14.src.rpm
is original they crippled. Fortunately silent mode doesn't stop putc() output, so if you see the command line editing working, you can type uboot command. Help an many other command are silent, however they work.
If you don't like the crippled silent mode and you don't have access to service menu, you can reset the flag directly in the RAM. Enter the command

Code: Select all

mw 86149a18 3

and enjoy uboot.

Code: Select all

STi710x> ?

?       - alias for 'help'
askenv  - get environment variables from stdin
autoscr - run script from memory
base    - print or set address offset
bbm   - BBM sub-system
bdinfo  - print Board Info structure
boot    - boot default, i.e., run 'bootcmd'
bootd   - boot default, i.e., run 'bootcmd'
bootm   - boot application image from memory
bootp	- boot image via network using BootP/TFTP protocol
cmp     - memory compare
coninfo - print console devices and information
cp      - memory copy
crc32   - checksum calculation
dhcp	- invoke DHCP client to obtain IP/boot params
diskboot- boot from IDE device
echo    - echo args to console
erase   - erase FLASH memory
exit    - exit script
ext2load- load binary file from a Ext2 filesystem
ext2ls- list files in a directory (default /)
fatinfo - print information about filesystem
fatload - load binary file from a dos filesystem
fatls   - list files in a directory (default /)
flinfo  - print FLASH memory information
fnw    - FlexoneNand Writer
go      - start application at address 'addr'
help    - print online help
ide     - IDE sub-system
iminfo  - print header information for application image
imls    - list all images found in flash
itest	- return true/false on integer compare
loadb   - load binary file over serial line (kermit mode)
loads   - load S-Record file over serial line
loop    - infinite loop on address range
md      - memory display
mm      - memory modify (auto-incrementing)
mtest   - simple RAM test
mw      - memory write (fill)
nfs	- boot image via network using NFS protocol
nm      - memory modify (constant address)
ping	- send ICMP ECHO_REQUEST to network host
printenv- print environment variables
protect - enable or disable FLASH write protection
rarpboot- boot image via network using RARP/TFTP protocol
reset   - Perform RESET of the CPU
run     - run commands in an environment variable
saveenv - save environment variables to persistent storage
setenv  - set environment variables
sleep   - delay execution for some time
test    - minimal test like /bin/sh
tftpboot- boot image via network using TFTP protocol
usb     - USB sub-system
usbboot - boot from USB device
version - print monitor version
STi710x> bdinfo

boot_params = 0x85D7FF88
memstart    = 0x84000000
memsize     = 0x08000000
flashstart  = 0xA0000000
flashsize   = 0x85DFFF88
flashoffset = 0x00037BC8
ethaddr     = 00:[i]removed[/i]
ip_addr     = 192.168.10.120
baudrate    = 115200 bps

STb7109 version 3.x
PLL0      = 531 MHz
PLL1      = 391 MHz
ST40  CPU = 265 MHz
ST40  BUS = 132 MHz
ST40  PER = 66 MHz
ST231 CPU = 391 MHz
ST BUS    = 195 MHz
EMI       = 97 MHz
LMI       = 195 MHz
STi710x> 

Crucial for debricking my TV was to run linux with rootfs mounted from USB.
I customized rootfs.img on my linux box by squashfs-tools 3.0 and copied to MS flash card (fast USB stick would be much better) - directly to device, not to any filesystem

Code: Select all

cp rootfs-cust.img /dev/sdx

(use appropriate device instead of sdx)
I attached flash card with USB reader to TV and run

Code: Select all

bbm load kernel; bbm close; setenv bootargs console=ttyAS0,115200 mem=84M root=/dev/sdb rootfstype=squashfs bigphysarea=2000,rxsize:512,watchdog=4000 rootdelay=4 yongsik ; bootm 0x84100000

It works but the boot time is critical. USB is slower (and old MS even more) than internal OneNand so you need adjust kernel parameter rootdelay to 3 or 5 seconds. When boot take longer, watchdog reset the TV. Unfortunately I haven't found how to switch off the watchdog (no item in service menu, MicomCtrl 23 doesn't seem to work, it might be possible in the debug menu, but can't access it).
Kernel and other debugging output on console stops suddenly when exeDSP application intitializes the serial line as motorized frame control @9600baud. And the slow down of boot makes the watchdog fire again. Full boot to operational TV is possible without serial console only.

Afterwards I also tested to load kernel image by tftp (dnsmasq 2.50 was tftpd server). No luck loading nfs method, but haven't tried too hard. There is also method of loading image from USB device, I did not test it.

So in the theory working oneboot and uboot is enough to repair rest of STi7103 firmware.

Happy hacking