The Pixel Magic – Magic TV MTV3600NZ
I really objected to two of the Freeview approved restrictions on this device:
- Fixed skip time of 10 minutes, effectively making this feature useless.
- Inability to copy recorded shows to external media.
So I set about finding a way around these artificial restrictions (the same device marketed in Hong Kong has these features and more).
My guess was the device was based on Linux (although the device makes no mention of this and probably violates the GNU license). I thought there were two avenues for investigation, the device hardware and software.
I looked at the hardware first. Upon opening the case I found a Western Digital Green 500GB (WDC WD5000AVVS-63M8B0) hard drive and two circuit boards, one a small display board to drive the VFD, the other containing pretty much everything else:
Here is a scan of the motherboard: http://2lostkiwis.com/magictv/magic_scan.jpg
Devices of note:
- Sigma Designs SMP8635LF
- Spansion S29GL128P10TF101
- 4x NANYA NT5DS16M16CS-5T
- JMicron JM20330
- Realtek RTL8201CP
In the bottom right hand side of the scan is an unpopulated 28pin SSOP device and a 10 pin header. I thought this would be the serial console port with missing RS232 level conversion. Turns out this was a correct assumption, pin 9 of this chip is transmit from the MTV and pin 10 is receive to the MTV. These are +3V3 level signals at 115200 baud. I have connected an external level shifter board as I haven’t found a level shifter device with the correct pinout yet. Luckily the serial console has not been disabled and when powered up I got the following boot log (I think with the hard drive unplugged): http://2lostkiwis.com/magictv/boot.txt
This certainly proved the device ran linux, and I was pretty excited at getting the login prompt. Unfortunately I had no idea what the root password was, I tried a few guesses but had no luck. I tried various ways to interrupt the boot process but no luck there either. Time to find a new attack route.
The next investigation was looking at the upgrade firmware, downloadable from Pixel Magic:
If you unzip the archive, the file “mtv3600_3_12NZ.upg” contains (among other things) the root filesystem in a squashfs image. I found the image offset in the file by opening mtv3600_3_12NZ.upg in a hex editor and searching for the squashfs magic number – ascii string “hsqs“. In this case it was at 1696882 bytes in. Next the squashfs filesystem was extracted with the command “dd if=mtv3600_3_12NZ.upg of=squash.bin bs=1 skip=1696882“. The extracted image was then mounted with “mount -t squashfs ./squash.bin /mnt/tmp -o loop” which gave the following filesystem:
root@slax:~# ls /mnt/tmp
bin/ etc/ init@ linuxrc@ opt/ root/ sys/ usr/ version
dev/ home/ lib/ mnt/ proc/ sbin/ tmp/ var/
I immediately looked at the “/etc/shadow” file to try and find the root password. It contained the string “root:$1$eG/OSotD$9oEArAGZ89ZTsUibWtl.q.:10933:0:99999:7:::” this meant the password was stored as an MD5 hash, salted to be more secure against a table attack. I downloaded John the Ripper to give a brute force attack on the password a go: http://www.openwall.com/john/. It took almost 4 days on a Core2 3GHz machine and it finally cracked the password.
I then went back to my serial console and made a successful root login.
BusyBox v1.00 (2009.11.23-02:24+0000) Built-in shell (ash)
Enter ‘help’ for a list of built-in commands.
# cat /proc/cpuinfo
system type : Sigma Designs TangoX
processor : 0
cpu model : MIPS 4KEc V6.9
Initial BogoMIPS : 291.84
wait instruction : yes
microsecond timers : yes
tlb_entries : 32
extra interrupt vector : yes
hardware watchpoint : yes
ASEs implemented : mips16
shadow register sets : 1
VCED exceptions : not available
VCEI exceptions : not available
System bus frequency : 198000000 Hz
CPU frequency : 297000000 Hz
DSP frequency : 297000000 Hz
/dev/mtdblock5 on / type squashfs (rw)
/proc on /proc type proc (rw)
tmpfs on /dev type tmpfs (rw)
sysfs on /sys type sysfs (rw)
tmpfs on /mnt type tmpfs (rw)
tmpfs on /tmp type tmpfs (rw)
devpts on /dev/pts type devpts (rw)
/dev/mtdblock6 on /mnt/mtd6 type jffs2 (rw,noatime)
/dev/hda1 on /mnt/hd0 type ext3 (rw,noatime,data=ordered)
/dev/hda2 on /mnt/hd0/1 type jfs (rw,noatime)
It turns out that most of the software related to the Magic TV is mounted on another filesystem mounted under /mnt/mtd6 and is a jffs2 read/write filesystem. This contains a startup script “/mnt/mtd6/autorun.sh” that is quite interesting. It has some lines copied below:
- #telnetd -p 8282
- #modprobe pl2303 debug=1
- insmod /lib/wifi/rt2870sta.ko
Line 1 is to run a telnet server, I have uncommented this line and can now telnet into my Magic TV over ethernet while it is turned on.
Line 2 looks to be a module for a PL2303 chipset USB to RS232 serial converter. I have not tested this, but maybe the Magic TV outputs some useful information here.
Line 3 is already uncommented, and it looks as if the Magic TV might already support some wireless network adapters based on this chipset.
Once I enabled the telnet server, I reassembled the Magic TV and put the device back in service. I can now copy files off over the network using the built in ftp client, it’s not the most user friendly but it does work:
# /mnt/mtd6/ncftp/ncftp -u xxxxx -p xxxxx 10.0.0.11
NcFTP 3.2.3 (Jul 28, 2009) by Mike Gleason (http://www.NcFTP.com/contact/).
Copyright (c) 1992-2009 by Mike Gleason.
All rights reserved.
Connecting to 10.0.0.11…
10.0.0.11 FTP server (tnftpd 20080929) ready.
User ian logged in.
Logged in to 10.0.0.11.
ncftp /Users/ian > put 100613213005_002.ts
100613213005_002.ts: ETA: 1:11 29.69/277.25 MB 3.50 MB/s
Copying the files off at 3.5 MB/s did not appear to have any impact on watching live TV which normally uses around 15% of the CPU.
That’s where I can currently up to. In the future I would like to try the following things:
- Find out what the RS232 level translator is and solder it onto the PCB to make a tidy console connection.
- Examine and compare the Hong Kong upgrade image to see the differences. Maybe one day get the variable program skip option added.
- Get a bittorrent client running for convienient downloading (just kidding :-).
Any suggestions, help gladly accepted.
31 thoughts on “Hacking the Magic TV MTV3600”
Very good work.
Good to see this! More noob friendly details so more people can try the first step would be great.
#2 should be straight forward once you find where the configuration is stored (assuming its stored in a writeable area, just copy of the top with what you want).
#3. surely this can be done….
Hi, could the unpacked firmware be flashed back to the MTV, or is the CRC check still in place? I’m thinking there’s a few parameters one could tweak. e.g. The skip time periods shouldn’t be too hard to locate.
Again, great work – you can mount util.img in the firmware files with
mount -o loop util.img /mnt/tmp
stage2 seems to be a bz2 file, with 3 files inside.
No noticeable difference between the 2 NZ firmwares.
mentalinc said: “More noob friendly details so more people can try the first step would be great.”
Well, to get at the config files the same way you’d have to be willing to do the soldering of a line-driver chip the same way Ian has. Then there is the matter of just what is the root password … Ian has left that one up to each person that follows.
BTW, Impressive sleuthing Ian.
Ian, I gather it’s pins 9 and 10 of the 28 pin SSOP that is the data lines?
I note the rather telltale 10 pin header holes look remarkably like a PC motherboard USB header. If that is so then the obvious chip that would fit is the FT232RL. However it’s data lines are on pins 1 and 5.
Hey Evan, I hope you’re right because I have ordered mine from Digikey. Cheers, Ian.
Ok, bit the bullet and pulled mine apart to have a look – It ain’t a header for a USB connector! The 10 pin header power and Gnd aren’t right so the FT232 is no-go.
Assuming, instead, a generic PC DIL10DB9 adapter then pins 19 and 20 of the 28 pin SSOP would be the data pins for the line driver side going to the DB9. On this basis I get something that looks good at first with the MAX3238E but still no-go.
Bed time …
Got it! DS14C335
Datasheet – http://www.national.com/mpf/DS/DS14C335.html
RS has them stocked in UK, http://newzealand.rs-online.com/web/search/searchBrowseAction.html?method=searchProducts&searchTerm=DS14C335&x=0&y=0
Mate – why you selling?
Evan, I assume the files you were copying off were video content, if so what format are they in?
Wot news Ian ? I can see you head is split many ways but it looks like you are very close to a good solution for this project.
Belated reply …
Ross, I presume you are referring to my geekzone comments. They are .ts files which are some variety of streaming mpeg4+aac that VLC has no problems playing. Although I’ve struck a couple of these .ts files that VLC has decided is mpeg2 rather than mpeg4 which results in failed playback.
As I’ve learnt, the good news is they are not encrypted in NZ. So, once extracted from the MTV, these files can be played by any player.
Nice work so far. You seem to be heading in the right direction.
Though personally I would try and find where in the firmware the model / system id is stored. Then work out what’s required to change it(checksum, unpack/repack etc). The goal of this would be to simply try firmware from various other models and/or regions.
Of course before attempting any firmware swaps I’d dig a little deeper to ensure that the boot loader is NOT included in the firmware (otherwise you could end up with an expensive door stopper).
I believe that the PVRs for NZ, HK and AUS all use the same hardware (3200, 3700, 4000 and 7000). i.e. The Aussie 3700 freeview PVR and the new 4000 non-freeview PVR use the same hardware. The 4000 has +30 and -8 second ad skip, number buttons jump to # minutes (or % ?), export recordings and expand storage capacity via USB.
Last night I started working on reverse engineering the mtv3600_3_15NZ.
1. Extracted the romfs and squashfs filesystem.
2. Mounted the squashfs filesystem I retrieved the passwd/shadow files.
3. Downloaded Hashcat GPU cracker to recover the root password
This morning, I decided to check whether there was anyone else going down this path. I saw your post. Nice effort.
Any chance you can send me the recovered root password for v15? It will save me a few days, and allow me continue the reverse engineering effort.
Q: Have you had a go with rebuilding the firmware?
Ps. Send root pwd to jjsharpe aatt gmail ddoott com
Anyone had any luck in modifing a firmware update to enable the terminal server.
Ian said on Geekzone that he’d redone the telnet/ftp process with 3.14NZ using the same root password. Presumable 3.15NZ is still the same password also.
Personally, I’m pretty happy periodically swapping HDDs. Although, even this method needs some tools to handle the filesystem structures when plugged into a desktop computer.
Mmm. I havent seen the geekzone thing. Google does that to ya sometimes. Time to search again.
@Evanh: Found it. Lots to read but looks interesting.
Just finished cracking the root passwd so I’m going to tinker with the firmware I’ll probably unsquashfs and re-do it with faith that the checksums used are the internal file ones. not really bothered about corrupting it, as the guide tells you the firmware recovery process (section 10.3)
Ideally i’de like to uncomment the tftpd line in the autorun.sh script so that when the box comes on it starts up the telnet session for me to connect to.
time to start reading the squashfs docs.
@Sean sorry haven’t read here for a while. Are you interested in testing my patched firmware to change the skip times and enable the telnet daemon. If so email me ian at 2lostkiwis dot com. The patched firmware can be uploaded in the normal way using a USB flash drive, so no need to remove the cover.
Ian I have been following progress on GZ and here. I would be interested in testing. Have you tried on 3.16? Please send me links etc and I can patch my 3600.
I also have version 3.16NZ on my device. I would love to try your solution for file extraction. (FTP access).
I am sick to death of running out of disk space and having programs I wish to view later removed. Some stuff I really want to keep is labeled keep for ever but there is only so much you can keep.
Hi Ian working great!
Ross! Or maybe it is Tim’s computer. What a strange selection of spam all the same.
Your right Evenh.
I wonder what Ian is up to these days seems to have gone quiet in here and on Geekzone.
I’m still using his original patch for skip forward and back it works really well for me.
is there a way to hack the 7000D and 7000D mini from hong kong to scan DVB-T frequencies and also be in english as i am after one of these badly as well as be able to enable the unit to play avi files at all?
I’m mostly interested in reading the tv1.db file.
I tried opening it in sqlite3 but it said that the database is either corrupt or encrypted. The fact that (if I open the file in a plain ol’ text editor) I can see show descriptions etc in the file would suggest that it isn’t that encrypted. Therefore I was wondering if anyone else had any luck opening up the database file in something?
I’d be interested to write some code (perhaps something in Python) to compile a list of what is available on the drive. Then from there a script could be made to stream directly off using VLC or even stitch the files together to store onto an external storage device for backing up.
i followed your guide and tried to hack the MTV3700TD-NZ by referencing the MTV4000 Australia firmware.this is my hard work.
it enables +30/-8 seconds skips,and 1-9 minute jumps by pressing 1-9 buttons.
to do backward minute,rewind then press 1-9.
green left/right for 5 minute jumps are also restored.
MTV3700TD-NZ Firmware 6.06 Hack:
I have recently updated my hard drive to a 1TB drive, I am currently using your 3.17nz build 13 hack for 1 minute forward and 8 seconds back.
I would love to be able to use version 3.18nz with your modifications, do you have such a beast available??
Further to my previous message.
The reason I would like to use 3.18nz is that I hope it might help with or even fix a booking issue I have with CH40 (Canterbury Television) Kordia rf 36. But I don’t want to lose Ian’s mods.