
I'm a TV repair tech and I've found that corrupted firmware is responsible for the failure of a large portion of the TVs I work on. I came up with the idea that if I could reverse engineer the firmware, I could probably write a script which could analyze a fw image and determine if it's corrupted or not. The current method involves buying a preprogrammed eeprom, at a cost of $15, and at least half the time it ends up being a waste of money.

I've done some testing with UART and found that I get the same messages at boot whether the fw is corrupted or not, basically saying everything is OK. That leads me to believe that the problem is with the file system, and that's pretty much where I'm stuck. I've tried binwalk, and after some time I have been able to extract and decompress about 3 MB of LZMA compressed data and a JPG which is the splash screen, but I can't find the file system.

Running binwalk on the original binary, I get this:

101602        0x18CE2         MySQL MISAM index file Version 4
145536        0x23880         LZMA compressed data, properties: 0x5D, dictionary size: 67108864 bytes, uncompressed size: 3126792 bytes
2246688       0x224820        JPEG image data, JFIF standard 1.02

For whatever reason, I can't seem to extract the MISAM part.

Running binwalk on the decompressed LZMA part, I get this:

1484791       0x16A7F7        PARity archive data - file number 24064
1715704       0x1A2DF8        MySQL MISAM index file Version 4
1764734       0x1AED7E        Boot section Start 0x0 End 0x100

I've tried extracting the PARchive and boot sections with dd, but I can't open them. I think it's because of trailing garbage. I've used hexdump and searched for magic bytes, but can't find any. Any suggestions would be greatly appreciated. I can also provide a copy of the fw if anyone cares to take a stab at it.

• Could you go into more detail about what you mean by "corrupted firmware is responsible for the failure"? How did you reach that conclusion? Additionally, if there's a firmware issue, I assume a firmware update or a service restore will fix it. Have you tried that? – NirIzr Sep 24 '18 at 23:56
• When the fw is corrupted, the TV will usually boot and then either freeze at the splash screen, or at a blank screen. At that point, it's completely unresponsive and must be unplugged to reset. Reaching the conclusion that it's corrupted firmware comes from replacing the eeprom with a preprogrammed one and it solves the problem. In my experience, firmware updates don't seem to be available for the cheap brands. Maybe on the smart ones, but even that usually requires selecting that option in the menu. – Swappart Sep 25 '18 at 00:40
• Be aware that since binwalk scans for specific byte sequences (signatures), false positives can be an issue. A signature scan needs to be done in conjunction with other methods of analysis in order to be meaningful. – julian Sep 25 '18 at 04:03
• @SYS_V I agree. I've been trying to figure this out for about a week and through reading every post I could find on the subject, that is the conclusion I'd come up with. Plus, aside from the fact that I couldn't manually locate the signature for a parchive, it seems unusual that it would be used for a filesystem. How would I go about identifying the actual file system if it has a modified signature? I've spent hours combing through hex dumps looking for what could be the beginnings or ends of files, potential modified sigs, etc. – Swappart Sep 25 '18 at 04:56
• First do an entropy scan of the firmware binaries to make sure whether there are any compressed or encrypted areas or not. Then see if you can do a diff of the known good firmware binary with a suspected corrupted binary to find out how they differ on a byte-by-byte basis. Perhaps you could share the binaries with us as well. – julian Sep 25 '18 at 05:16
• Have you tried dumping the flash from a known good chip and flashing the image onto a broken one? Did it work? – Igor Skochinsky Sep 25 '18 at 07:51
• I had done a binwalk entropy scan in the beginning, as well as using ENT to get the chi-square distribution and Monte Carlo pi approximation. That revealed compression, as opposed to encryption. As far as a known corrupted fw, I don't have a sample for this particular image. It's always been my practice to save a copy of the original problematic fw, so I'm sure I do have a good and bad copy of something, but not on this HD. @Igor I've found that fw from almost any other board using the same SoC will work for basic testing, and they appear to be written by the same company even across brands. – Swappart Sep 25 '18 at 12:05
• Here's the firmware image. The SoC on the boards is made by MStar, and according to their website, they provide software drivers and an SDK to their clients for easy custom development. That's probably why I can find so many similarities in images from unrelated brands. Also, the boards appear to be designed by the same company. I'm hoping to be able to recreate the SDK from extracted samples. – Swappart Sep 25 '18 at 12:22
• Here are the entropy scans I did: entire image; extracted LZMA section. – Swappart Sep 26 '18 at 01:14
• What operating system is it booting? The download link no longer works, but it looks like it could be Linux. This would mean extracting the Linux kernel (often compressed), then searching inside that for the ramdisk, which is often used as the whole filesystem for these devices. It's a pain to extract, but I've done it a few times. This filesystem is read-only, however, so it wouldn't be possible to corrupt it unless the chip dies. If it's a common problem, maybe you could buy a TL866 USB programmer, extract the known good image and just reflash it onto the existing chips if a suspect TV comes in? – Malvineous Jan 25 '20 at 10:23
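The question asks for a script that can tell a corrupted dump from a good one, and julian's comment suggests the two checks that make that feasible without understanding the filesystem: a block-wise entropy scan (what binwalk -E plots) and a byte-by-byte diff against a known-good dump. The following is an added example, not code from the question or any commenter; the block size, the 7.0 bits/byte threshold and the toy "firmware" images are constructed assumptions, and real dumps would be read from files of identical size.

```python
import math
from collections import Counter

BLOCK = 512  # bytes per entropy window (assumed; tune to the flash part's sector size)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~0 for padding/constant data, close to 8 for compressed or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def entropy_profile(image: bytes, block: int = BLOCK):
    """Per-block entropy of the whole image as a list of (offset, entropy) pairs."""
    return [(off, shannon_entropy(image[off:off + block])) for off in range(0, len(image), block)]

def high_entropy_regions(image: bytes, threshold: float = 7.0, block: int = BLOCK):
    """Merge adjacent blocks above the threshold into (start, end) ranges.
    These are the candidate compressed/encrypted areas a signature hit should be checked against."""
    regions = []
    for off, ent in entropy_profile(image, block):
        if ent < threshold:
            continue
        if regions and regions[-1][1] == off:      # extends the previous range
            regions[-1] = (regions[-1][0], off + block)
        else:
            regions.append((off, off + block))
    return regions

def diff_regions(good: bytes, suspect: bytes):
    """Byte-by-byte comparison of a known-good dump with a suspect one; returns differing (start, end) ranges."""
    if len(good) != len(suspect):
        raise ValueError("dumps differ in size; compare full dumps of the same flash part")
    regions, start = [], None
    for i, (a, b) in enumerate(zip(good, suspect)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            regions.append((start, i))
            start = None
    if start is not None:
        regions.append((start, len(good)))
    return regions

# Constructed toy images: zero header, a uniform-byte payload standing in for compressed data, 0xFF padding.
GOOD = b"\x00" * 512 + bytes(range(256)) * 4 + b"\xff" * 512
_damaged = bytearray(GOOD)
_damaged[700:716] = b"\x00" * 16          # constructed 16-byte corruption inside the payload
SUSPECT = bytes(_damaged)

if __name__ == "__main__":
    print("high-entropy regions:", high_entropy_regions(GOOD))
    print("bytes differing from known-good dump:", diff_regions(GOOD, SUSPECT))
```

A diff region that lands inside a high-entropy (compressed) area, as in the toy case, is the pattern to look for: a single flipped byte there can break LZMA decompression even though the UART boot messages still report success.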
