Wednesday, October 16, 2013

Toshiba Regza TL868 firmware analysis

My TV has a quite complex set of features, none of which work particularly well. Except perhaps using it as a PC display.



Input latency is quite bad, ranging from over 200ms in normal mode to about 100ms in "gaming" mode.
The latency is easy to measure: open this link on both displays (the TV and a reference monitor) and photograph them at the same time, preferably with a flash to shorten the exposure time.



There's a half-assed [HBBTV] implementation that crashes once in a while, a horrible YouTube app that takes 1-2 seconds to react to keypresses, a barely-workable DLNA implementation and barely-acceptable USB media integration. Oh, it also does triple-tuner TV, but I don't watch TV.
Sometimes I wish they had stuck with a Linux, WinCE or Android implementation with freeware apps instead of reinventing the square wheel each time.

What's worse, each of these apps (TV, DLNA, HBBTV, YouTube, USB media) seems to be written by a different party.
As with most (all?) TVs you can kiss your updates goodbye once you've taken it out of the box.

Frustrated by this, and having stumbled upon this article, I've decided to try and break the firmware down into manageable pieces.



The assumption is that most of these "feature-rich" gadgets run some form of Linux and therefore ship GPL software (kernel, BusyBox, bootloader), all the more so once network connectivity is built in, which obliges the manufacturer to hand over the corresponding source on request. Let's make the best of copyleft licensing!

There are a few ways to attack this problem: get the update package and unpack it, dump logs from the TTL-level UART port, read out the on-board flash chips, or search for similar models whose sources have been published.

Initial investigation


There's one relatively big update package that can be used on several models, a zip file containing three files:
xxTL838_513312_INIT_CLEAR.bin 59871240 bytes
TL_MBOOT_480288.bin 2105352 bytes
TL_MFC_240226.bin 232144 bytes

The first step is to check whether the files are archives, which is easily done with TotalCommander's CTRL+PageDn shortcut or some other freeware utility.
Since they are not, a binwalk scan comes next. The MFC file shows nothing obvious, while the other two do:
MBOOT:
DECIMAL         HEX             DESCRIPTION
-------------------------------------------------------------------------------------------------------
950567          0xE8127         POSIX tar archive
1044321         0xFEF61         LZMA compressed data (sig 3), properties: 0x02, dictionary size: 8388608 bytes, uncompressed size: 1073741824 bytes

INIT:
DECIMAL         HEX             DESCRIPTION
-------------------------------------------------------------------------------------------------------
8192            0x2000          LZMA compressed data (sig 2), properties: 0x5D, dictionary size: 67108864 bytes, uncompressed size: 4341968 bytes
3878912         0x3B3000        LZMA compressed data (sig 2), properties: 0x5D, dictionary size: 67108864 bytes, uncompressed size: 6348800 bytes
7356416         0x704000        LZMA compressed data (sig 2), properties: 0x5D, dictionary size: 67108864 bytes, uncompressed size: 16777216 bytes
17711104        0x10E4000       LZMA compressed data (sig 2), properties: 0x5D, dictionary size: 67108864 bytes, uncompressed size: 16777216 bytes
29245440        0x1BE4000       LZMA compressed data (sig 2), properties: 0x5D, dictionary size: 67108864 bytes, uncompressed size: 2760704 bytes
30887936        0x1D75000       LZMA compressed data (sig 2), properties: 0x5D, dictionary size: 67108864 bytes, uncompressed size: 5713920 bytes
33906688        0x2056000       LZMA compressed data (sig 2), properties: 0x5D, dictionary size: 67108864 bytes, uncompressed size: 16777216 bytes
44982272        0x2AE6000       LZMA compressed data (sig 2), properties: 0x5D, dictionary size: 67108864 bytes, uncompressed size: 16777216 bytes
55468032        0x34E6000       LZMA compressed data (sig 2), properties: 0x5D, dictionary size: 67108864 bytes, uncompressed size: 5554176 bytes
59338752        0x3897000       LZMA compressed data (sig 2), properties: 0x5D, dictionary size: 67108864 bytes, uncompressed size: 1904640 bytes
59600896        0x38D7000       LZMA compressed data (sig 2), properties: 0x5D, dictionary size: 67108864 bytes, uncompressed size: 1650688 bytes
59666432        0x38E7000       LZMA compressed data (sig 2), properties: 0x5D, dictionary size: 67108864 bytes, uncompressed size: 1777664 bytes
59731968        0x38F7000       LZMA compressed data (sig 2), properties: 0x5D, dictionary size: 67108864 bytes, uncompressed size: 1650688 bytes
59797504        0x3907000       LZMA compressed data (sig 2), properties: 0x5D, dictionary size: 67108864 bytes, uncompressed size: 1650688 bytes

I proceed by running "dd if=xxTL838_513312_INIT_CLEAR.bin of=init1.lzma bs=1 skip=8192" for each section, taking the skip value from the DECIMAL column. A script would come in handy here, and bs=1 is painfully slow on a 60 MB file: since every offset in the table is a multiple of 0x1000, "bs=4096 skip=2" (the offset divided by 4096) does the same job in a fraction of the time, as does GNU dd's "iflag=skip_bytes". Each carved file runs from its offset to the end of the image; the header of every INIT section carries its uncompressed size, so the decoder knows where the stream ends, but if the decompressor complains about trailing data, add a "count=" of (next offset - this offset)/4096 blocks, e.g. "count=945" for the first section, so that the file stops at the next section. After running this on all 14 sections I can do "lzma -d init1.lzma" and so on.
The LZMA-decoded output of MBOOT yields a file 310 megabytes large, which is suspicious: its header claims a 1 GiB uncompressed size for a 2 MB bootloader image and an unusual properties byte (0x02, i.e. lc=2, lp=0, pb=0), so this is most likely a binwalk false positive or a stream with a bogus size field. The .lzma format carries no checksum, so garbage input can decode to garbage output for a long time before the decoder notices; check whether the output is mostly zeros before trusting it. It will be dealt with later.
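The script the dd loop asks for, as an added example in Python rather than code from the original post: it does what "dd ... skip=<offset>" plus "lzma -d" do per section, and first decodes the 13-byte .lzma header the way binwalk's table above presents it (properties byte, dictionary size, uncompressed size), rejecting hits whose header cannot be real. The names, the plausibility limits and the sample image (constructed inline to imitate the INIT layout, not real firmware) are my assumptions.

```python
import lzma
import struct
import sys
from dataclasses import dataclass
from typing import List, Optional, Tuple

HEADER_LEN = 13                    # props (1) + dict size (4, LE) + uncompressed size (8, LE)
SIZE_UNKNOWN = 0xFFFFFFFFFFFFFFFF  # size field meaning "ends with an end-of-payload marker"
MAX_PLAUSIBLE_SIZE = 256 << 20     # assumption: nothing in a 60 MB update unpacks past this

@dataclass
class LzmaHeader:
    lc: int                        # literal context bits
    lp: int                        # literal position bits
    pb: int                        # position bits
    dict_size: int
    uncompressed_size: Optional[int]   # None when the header says "unknown"

@dataclass
class CarvedStream:
    offset: int                    # where the 13-byte header starts in the image
    length: int                    # compressed bytes consumed, header included
    header: LzmaHeader
    payload: bytes                 # the decompressed section

def parse_header(blob: bytes, off: int) -> Optional[LzmaHeader]:
    """Decode the .lzma header at `off`, or None if it cannot be a real one. The
    properties byte is (pb * 5 + lp) * 9 + lc, so binwalk's 0x5D is lc=3, lp=0, pb=2."""
    if off + HEADER_LEN > len(blob):
        return None
    props, dict_size, usize = struct.unpack_from("<BIQ", blob, off)
    if props >= 9 * 5 * 5:         # invalid lc/lp/pb combination; 0xFF padding lands here
        return None
    lc, rest = props % 9, props // 9
    lp, pb = rest % 5, rest // 5
    # Encoders write dictionary sizes of 2^n or 2^n + 2^(n-1); zero padding
    # (0x00000000) and erased flash (0xFFFFFFFF) both fail this test.
    top = 1 << (dict_size.bit_length() - 1) if dict_size else 0
    if not 4096 <= dict_size <= (1 << 30) or dict_size not in (top, top + top // 2):
        return None
    if usize == SIZE_UNKNOWN:
        size = None
    elif usize > MAX_PLAUSIBLE_SIZE:  # the "1 GiB out of a 2 MB bootloader" kind of hit
        return None
    else:
        size = usize
    return LzmaHeader(lc, lp, pb, dict_size, size)

def try_decode(blob: bytes, off: int) -> Optional[CarvedStream]:
    """Decompress the stream at `off`, or None if nothing decodes there. Feeding the
    rest of the image is fine: the decoder stops after the first stream (unused_data)."""
    header = parse_header(blob, off)
    if header is None:
        return None
    dec = lzma.LZMADecompressor(format=lzma.FORMAT_ALONE)
    try:
        payload = dec.decompress(blob[off:])
    except lzma.LZMAError:
        return None
    if not dec.eof:                # input ran out before the stream ended
        return None
    consumed = len(blob) - off - len(dec.unused_data)
    return CarvedStream(off, consumed, header, payload)

def carve(blob: bytes, stride: int = 1) -> List[CarvedStream]:
    """Scan the image `stride` bytes at a time. Every INIT offset in the binwalk
    table is a multiple of 0x1000, so stride=4096 is a cheap first pass."""
    found, off = [], 0
    while off + HEADER_LEN <= len(blob):
        stream = try_decode(blob, off)
        if stream is None:
            off += stride
            continue
        found.append(stream)
        off = -(-(off + stream.length) // stride) * stride   # next candidate, rounded up
    return found

def build_sample_image() -> Tuple[bytes, List[int], List[bytes]]:
    """Constructed sample (not real firmware): two streams at 4 KiB-aligned
    offsets inside 0xFF erased-flash padding, imitating the INIT layout."""
    sections = [b"init1: " + bytes(range(256)) * 40,
                b"init2: /bin/busybox\n/usr/lib/libdbus-1.so\n" * 300]
    blob, offsets = bytearray(b"\xff" * 8192), []        # first real hit was at 0x2000
    for data in sections:
        offsets.append(len(blob))
        blob += lzma.compress(data, format=lzma.FORMAT_ALONE)
        blob += b"\xff" * (-len(blob) % 4096)             # pad to the next 4 KiB boundary
    return bytes(blob + b"\xff" * 4096), offsets, sections

if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()[0]
    for n, s in enumerate(carve(image, stride=4096), start=1):
        h = s.header                                      # size=None means "unknown"
        print(f"0x{s.offset:X}: lc={h.lc} lp={h.lp} pb={h.pb} dict={h.dict_size} "
              f"size={h.uncompressed_size} -> {len(s.payload)} bytes")
        if len(sys.argv) > 1:                             # real image: write init1, init2, ...
            with open(f"init{n}", "wb") as fh:
                fh.write(s.payload)
```

Pointed at the INIT file as its only argument it writes init1, init2, ... the way the dd loop does; without an argument it runs against the constructed sample. The header check throws out the MBOOT hit (1 GiB claimed size) before any decoding happens, but a hit that passes it can still decode to garbage, since LZMA alone has no checksum, so a huge or mostly-zero output still deserves suspicion.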

Running binwalk and strings -n 10 on the init1 through init14 files yields some interesting results, though the files are still not correctly unpacked:

  • init1 has nothing of interest
  • init2 has some GDB headers, busybox scripts, Red Hat references, MSTAR.com.tw DNS lookups, http://www.freedesktop.org/wiki/Software/dbus/, and some references to various core Linux libraries
    • Also interesting are some strings: 32_SAMSUNG_FHD_100_120+, D_BIN/Mstar_v1_3_1080p_2_0e, 32_SAMSUNG_FHD_50_60.ini
    • the [binwalk dump] shows a few LZMA sections and a lot of "ELF new 32-bit LSB" headers
  • init3 has some media decoding references, TV display options, "(VDLinux 1.1.x MIPS 2010-02-13) 4.3.3", [Cairo graphics], OpenSSL 0.9.8o (already an old 0.9.8 release at the time), cURL, inflate/deflate and WebKit
    • also interesting are a few strings referencing Android-related functions and build paths such as "/home/jusNFORCE/DAILEO/temp_branch/D*/CUS22T_SN_T12_DVBT_20110825_TL868/component_src/utopia/projV-/tQ", "/home/david.lin/PERFORCE/DAILEO/DVB-T/CUS22ent_src/utopia/project/tT" and "utopia driver libraries" (the build paths leak a developer's user name and the Perforce depot layout, which helps in guessing where the code came from)
    • the [binwalk dump] shows a lot of LZMA sections, a lot of "ELF new 32-bit LSB" and "MIPSEB MIPS-III ECOFF executable not stripped - version 43 ^H.189" headers
  • init4: GStreamer
    • strings such as "http://172.16.88.94/gstM" (an RFC 1918 address, probably a developer's test server), "ifconfig ath0/Customer/APsInfo.txt", "cp /usb/sda1/*.bin ./L", "/usb/sda1/HOTELOPT"

GPL


Thinking I had enough information, I wrote an email to the friendly people at http://gpl-violations.org/. I received an immediate reply directing me to look into the TV menu, which I did. I had somehow missed the big menu called software licenses:


At least the Linux kernel, u-boot and libstdc++ (the latter under the GPL with the runtime exception) are listed under GPL licenses, so I will send an email to linux [at] toshiba-dme.co.jp to request the source code.

Further actions


In preparation for the modification I have to do two things:

  • figure out the desired feature set
  • figure out what tools and languages are needed
The first part is probably the easiest:
  • enabling PVR/DVR/Timeshift capability on USB
  • getting custom WiFi sticks to work with the TV
  • improving the YouTube experience
  • replacing the custom Toshiba HbbTV menu with another site
  • having as little TV processing done in Game mode as possible, in order to reduce latency
  • enabling 3D file playback via DLNA (currently only possible via USB)
  • replacing the media player with something better (XBMC?)
For the second part I need to analyze the rest of the files. Without going into much detail:
  • binwalk from init6 to init10 shows a lot of small PNG files, pointing to an image-based menu
  • init4 suggests a .SWF decoder and init7 has string references to: yt_lbl.swf, leanback.swf, yt_font.swf, yt_lbl_ext.swf . This is most likely YouTube Leanback.
  • some HTML strings: rootApp.html, GWT (2.0.4) generated web apps
  • a link to Toshiba Places - the main menu for the online TV app
  • "http://idcp.iplaydev.extx bbc.co.uk/er/bigscreen?avdn=mstar.tv.2011&avui=tv\vp=ssl,no-auth" and http://www.bbc.co.uk/iplayer
  •  newproject.png ... Copyright (c) 2005-P   8, The Android Open Source Project
  • http://samantha.pleyo.org:8180/WidgetDock/
So a lot of the apps seem to be web-based, with a frontend written either in Adobe Flash (yuck!) or GWT. The nice thing about GWT is that it happens to be within my area of expertise. Who would have guessed?!

Part of the backend is probably a native Linux executable, my money being on GStreamer. There are no obvious Perl or Python scripts, so everything else is probably a native application as well.

Last update:

See also http://hackcorrelation.blogspot.de/2015/01/toshiba-32tl868-led-3d-tv-teardown.html for a quick teardown.
Unfortunately I've given up trying to make sense of the firmware. The sources provided by Toshiba are completely useless: there's absolutely no mention of Toshiba or Regza in them, just some generic MStar code. I have not seen any visible RS232 port inside the unit and at this point I don't care too much.
For people looking for a smart TV, one of the following will do:
- ChromeCast - ~25$ - for Youtube and Netflix
- EZCast M2 - ~25$ - desktop/mobile mirroring, AirPlay, DLNA renderer
- Raspberry PI  & Co. - 30-50$ - retro console, XBMC, netbook
- Android phone/tablet with HDMI out - 30-80$ - all from the above

Any of the above is likely to cost a lot less than what the TV manufacturers charge and provides a better experience, with updates. You also get the added benefit that the TV isn't sending your viewing habits anywhere without your consent.


10 comments:

  1. Any luck with that? I have a 32TL933G which is almost the same as the TL868...

  2. Hi there, any news regarding this "Hack"? It would be wonderful to have an XBMC client on my 55YL875 (should be similar to your type?)...

    Or do you know any other way to hack my TV into a real Smart TV?

    Replies
    1. The best way would be to hook up a Raspberry PI with XBMC, this is what I did as well, the 'smart' tv interface which my tv has is too dumb and slow to use.

      Even if the models look similar in specs I suspect the chipsets inside and the firmware images are very different. In my particular case I know that the TL/SL/VL models share very similar hardware and have interchangeable firmware updates in some cases.
      If you want to do something similar download your firmware update image and follow the steps I did above too see what it contains.

      Regarding the original 'hack', I just pressed Toshiba again yesterday and got a response, they will send me the source code via post very soon. Better late (~6 months) than never.

  3. Hi! any news about decrypting firmware for toshiba?

    Replies
    1. I have received the CD from Toshiba and had a quick look at it, but it's just source code for various OSS libraries; I was not able to trace anything specific to this TV. I've only spent 1h or so, so there might still be something.
      Will have to ask around some guys (girls?) that know how to further decrypt the firmware given the info above. Unfortunately Toshiba did not provide me with a complete environment that is able to build the firmware like Sony does, so it's a lot of hunting in the dark.

  4. I have a ZL1 and tried to get into the firmware file.
    I already uncompressed the file and had a look into it.
    Toshiba deactivated the telnet port and any other protocol.
    Furthermore, the firmware is digitally signed. The signature is checked when a firmware update is performed. I think this is because of CI+. I tried to change the program which checks this signature, without luck, and gave up.
    Maybe you have some other ideas how to get into the system. In my opinion this has to be the first step, otherwise no additional steps can be performed.
    Maybe your TV also uses a different chip and so the software is different.

    You can try the command "file" on a Linux system to get relevant information about the bin files.

    Replies
    1. Unfortunately you have to visually inspect the files and know what you are looking for, "file" will not give you reasonable results.
      I suspect a lot of the firmware development is outsourced to various companies so the TVs end up quite different except for some features. Judging by model number it's probably a different beast but send me the link to the firmware or try to follow the steps above.

  5. During your look at the software guts, did you take a look at the hardware of the TV? I would really like to know how fast the MIPS is running, which one it is, RAM size and version, Linux version, standard user(s), if SSH is able to be activated, if the network interfaces are hooked to a USB interface, or if they are actually onboard.

    Replies
    1. I did take it apart a couple of months ago to fix a broken plastic stand-off. Unfortunately I cannot find the pictures anymore but the panel was a generic Samsung one, the CPU/motherboard combo was Samsung-based and I think the CPU/MPU was potted black. If I'm able to find the pictures again I will make a new post and put the link here.
      I did want to check whether SSH was activated (I can guess within 99% that it's not), there were no unpopulated parts for RS232 connections

      Best bet if you find something similar: open wireshark/tcpdump on your master machine, check if the TV wants to connect to a specific address and set the PC to that address. They must have either this or tftp enabled for debugging purposes.
      If you get lucky and you manage to find some serial connections, press ENTER/SPACE/ESC while booting up to get into the firmware menu.

    2. found the pics: http://hackcorrelation.blogspot.de/2015/01/toshiba-32tl868-led-3d-tv-teardown.html
