The Pixel Magic – Magic TV MTV3600NZ
I really objected to two of the Freeview-approved restrictions on this device:
- Fixed skip time of 10 minutes, effectively making this feature useless.
- Inability to copy recorded shows to external media.
So I set about finding a way around these artificial restrictions (the same device marketed in Hong Kong has these features and more).
My guess was that the device was based on Linux (although the device makes no mention of this and probably violates the GNU GPL). I thought there were two avenues for investigation: the hardware and the software.
I looked at the hardware first. Upon opening the case I found a Western Digital Green 500GB (WDC WD5000AVVS-63M8B0) hard drive and two circuit boards, one a small display board to drive the VFD, the other containing pretty much everything else:
Here is a scan of the motherboard: http://2lostkiwis.com/magictv/magic_scan.jpg
Devices of note:
- Sigma Designs SMP8635LF
- Spansion S29GL128P10TF101
- 4x NANYA NT5DS16M16CS-5T
- JMicron JM20330
- Realtek RTL8201CP
In the bottom right-hand corner of the scan is an unpopulated 28-pin SSOP footprint and a 10-pin header. I thought this would be the serial console port with the RS-232 level converter left unpopulated. That turned out to be correct: pin 9 of the footprint is transmit from the MTV and pin 10 is receive into the MTV. These are 3.3 V signals at 115200 baud, so they need a level shifter (or a 3.3 V USB-to-serial adapter) between them and a PC; a PC's RS-232 port swings well outside 0 to 3.3 V and could damage the UART if wired in directly. I have connected an external level shifter board as I haven't found a level shifter with the correct pinout yet. Luckily the serial console has not been disabled, and when powered up I got the following boot log (I think with the hard drive unplugged): http://2lostkiwis.com/magictv/boot.txt
This certainly proved the device ran Linux, and I was pretty excited to get a login prompt. Unfortunately I had no idea what the root password was; I tried a few guesses but had no luck. I tried various ways to interrupt the boot process, but no luck there either. Time to find a new attack route.
The next investigation was looking at the upgrade firmware, downloadable from Pixel Magic:
If you unzip the archive, the file “mtv3600_3_12NZ.upg” contains (among other things) the root filesystem as a squashfs image. I found the image offset by opening mtv3600_3_12NZ.upg in a hex editor and searching for the squashfs magic number, which appears as the ASCII string “hsqs” (the 32-bit magic 0x73717368 stored little-endian; a big-endian image shows “sqsh” instead). In this case it was 1696882 bytes in. Next the squashfs filesystem was extracted with the command “dd if=mtv3600_3_12NZ.upg of=squash.bin bs=1 skip=1696882” (bs=1 copies a byte at a time and is slow on a large file; GNU dd's “bs=4096 skip=1696882 iflag=skip_bytes” does the same job much faster). The extracted image was then mounted with “mount -t squashfs ./squash.bin /mnt/tmp -o loop”, which gave the following filesystem:
root@slax:~# ls /mnt/tmp
bin/ etc/ init@ linuxrc@ opt/ root/ sys/ usr/ version
dev/ home/ lib/ mnt/ proc/ sbin/ tmp/ var/
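The hex-editor search and dd step above, automated as an added example (this is not Pixel Magic's tooling or the post's own code). The script scans a firmware blob for both byte orders of the squashfs magic, reads the version field that sits at the same superblock offset in the 3.x and 4.x layouts, and for a 4.x image uses its bytes_used field to carve exactly the image instead of everything to end of file. The “firmware” it runs on is constructed for the demo; the real mtv3600_3_12NZ.upg is not embedded.

```python
"""Find and carve a squashfs image inside a firmware update file.

Added example for this page, not Pixel Magic's tooling or the post's own code.
The update blob below is constructed for the demo.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

MAGIC_LE = b"hsqs"  # 0x73717368 stored little-endian, as seen in the post
MAGIC_BE = b"sqsh"  # the same magic on a big-endian image


@dataclass
class SquashfsHit:
    offset: int
    endian: str                # "<" little-endian or ">" big-endian
    major: int
    minor: int
    bytes_used: Optional[int]  # only decoded for version 4 superblocks


def find_squashfs(blob: bytes) -> List[SquashfsHit]:
    """Return every plausible squashfs superblock in blob, lowest offset first.

    In both the 3.x and 4.x superblock layouts the major/minor version is a
    pair of 16-bit fields at offset 28; a stray "hsqs" inside other data
    almost never carries a sane version there, which filters false hits.
    """
    hits: List[SquashfsHit] = []
    for magic, endian in ((MAGIC_LE, "<"), (MAGIC_BE, ">")):
        pos = blob.find(magic)
        while pos != -1:
            if pos + 48 <= len(blob):
                major, minor = struct.unpack_from(endian + "HH", blob, pos + 28)
                if 1 <= major <= 4:
                    bytes_used = None
                    if major == 4:  # v4 only: 64-bit bytes_used at offset 40
                        (bytes_used,) = struct.unpack_from(endian + "Q", blob, pos + 40)
                    hits.append(SquashfsHit(pos, endian, major, minor, bytes_used))
            pos = blob.find(magic, pos + 1)
    return sorted(hits, key=lambda h: h.offset)


def carve(blob: bytes, hit: SquashfsHit) -> bytes:
    """The dd step: copy from the superblock onwards.

    Without a known length this is blob[offset:] (what "dd skip=" gives you).
    For a v4 image we stop at bytes_used rounded up to the 4 KiB padding
    mksquashfs applies by default, so trailing sections of the update file
    are not dragged along.
    """
    if hit.bytes_used is None:
        return blob[hit.offset:]
    end = hit.offset + ((hit.bytes_used + 4095) // 4096) * 4096
    return blob[hit.offset:min(end, len(blob))]


def build_demo_firmware() -> bytes:
    """Constructed update file: junk containing a decoy "hsqs", then a
    synthetic v4 superblock at offset 1000 with bytes_used=5000, then a trailer."""
    junk = b"A" * 500 + b"hsqs" + b"B" * 496  # decoy magic with a bogus version field
    superblock = struct.pack(
        "<4sIIIIHHHHHHQQ",
        MAGIC_LE, 1, 0, 131072, 0,  # magic, inodes, mkfs_time, block_size, fragments
        1, 17, 0, 1, 4, 0,          # compressor (gzip), block_log, flags, id_count, major, minor
        0, 5000,                    # root_inode, bytes_used
    )
    image = superblock.ljust(8192, b"\0")  # padded out to a 4 KiB multiple
    return junk + image + b"T" * 100


def demo() -> SquashfsHit:
    blob = build_demo_firmware()
    hit = find_squashfs(blob)[0]
    carved = carve(blob, hit)
    print(f"squashfs {hit.major}.{hit.minor} at byte {hit.offset}, "
          f"carved {len(carved)} bytes (dd skip={hit.offset})")
    return hit


if __name__ == "__main__":
    demo()
```

One caveat when you get to the unpacking step: a 2009-era image like this one is very likely squashfs 3.x, and the current squashfs-tools and the mainline kernel driver only read 4.x. The mount in the post worked because the Slax live CD of the day still shipped the 3.x driver; on a modern box you need the legacy squashfs-tools build for 3.x images.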
I immediately looked at the “/etc/shadow” file to try and find the root password. It contained the line “root:$1$eG/OSotD$9oEArAGZ89ZTsUibWtl.q.:10933:0:99999:7:::”. The “$1$” prefix means the password is stored with md5crypt, the MD5-based crypt(3) scheme: the eight characters after it (“eG/OSotD”) are the salt and the 22 characters after the next “$” are the hash, so a precomputed table is no use and every guess has to be run through the salted hash. I downloaded John the Ripper to have a go at brute-forcing the password: http://www.openwall.com/john/. It took almost 4 days on a Core2 3GHz machine, but it finally cracked the password.
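What a cracker has to do for each guess against this hash type, as an added example (not the post's code and not John the Ripper's): an implementation of the md5crypt algorithm (Poul-Henning Kamp's MD5-based crypt(3): “$1$”, up to 8 salt characters, 1000 MD5 rounds, crypt's own base64 alphabet) driven by a small wordlist. The shadow line is the one quoted above; the real root password is not known here, so the wordlist is constructed and the hit is demonstrated on a hash generated for a made-up password.

```python
"""Test password guesses against an md5crypt ($1$) shadow entry.

Added example for this page, not the post's code and not John the Ripper's.
The wordlist is constructed; the shadow line is the one quoted in the post.
"""
import hashlib
from typing import Iterable, Optional, Tuple

SHADOW_LINE = "root:$1$eG/OSotD$9oEArAGZ89ZTsUibWtl.q.:10933:0:99999:7:::"
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
WORDLIST = ["password", "123456", "magic", "pixelmagic", "mtv3600"]  # constructed


def _to64(value: int, count: int) -> bytes:
    """crypt's base64 variant: 6 bits at a time, least significant first."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5crypt(password: bytes, salt: bytes) -> str:
    """Return the full "$1$<salt>$<hash>" string for password and salt."""
    magic = b"$1$"
    salt = salt[:8]
    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()
    remaining = len(password)
    while remaining > 0:  # mix in len(password) bytes of alt, 16 at a time
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bits = len(password)
    while bits:  # the reference code's "something really weird": a NUL or pw[0] per bit
        ctx.update(b"\0" if bits & 1 else password[:1])
        bits >>= 1
    final = ctx.digest()
    for rnd in range(1000):  # the stretching loop a cracker repeats for every guess
        c = hashlib.md5()
        c.update(password if rnd & 1 else final)
        if rnd % 3:
            c.update(salt)
        if rnd % 7:
            c.update(password)
        c.update(final if rnd & 1 else password)
        final = c.digest()
    encoded = b"".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
        for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    ) + _to64(final[11], 2)
    return (magic + salt + b"$" + encoded).decode()


def parse_shadow(line: str) -> Tuple[str, str, str]:
    """Return (user, salt, full hash field) from a $1$ shadow line."""
    user, field = line.split(":", 2)[:2]
    scheme, salt, _digest = field.lstrip("$").split("$", 2)
    if scheme != "1":
        raise ValueError(f"not an md5crypt hash: {field}")
    return user, salt, field


def crack(shadow_line: str, words: Iterable[str]) -> Optional[str]:
    """Hash each guess with the entry's own salt; return the first match or None."""
    _user, salt, target = parse_shadow(shadow_line)
    for word in words:
        if md5crypt(word.encode(), salt.encode()) == target:
            return word
    return None


def cross_check(password: str, salt: str) -> Optional[bool]:
    """Compare with the platform crypt(3) where Python still exposes it (the
    crypt module was removed in Python 3.13). None means no md5crypt to compare."""
    try:
        import crypt  # deprecated since 3.11, gone in 3.13
    except ImportError:
        return None
    system = crypt.crypt(password, "$1$" + salt)
    if not system or not system.startswith("$1$"):
        return None
    return system == md5crypt(password.encode(), salt.encode())


if __name__ == "__main__":
    print("real entry:", crack(SHADOW_LINE, WORDLIST))  # None unless the root password is in the list
    demo_line = "demo:" + md5crypt(b"mtv3600", b"eG/OSotD") + ":0:0:99999:7:::"
    print("demo entry:", crack(demo_line, WORDLIST))    # mtv3600
```

Every guess costs 1002 MD5 computations, which is why John needed days rather than seconds; the same loop in C with SIMD is what a real cracker runs, and the salt stops one table from serving every device that ships this image.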
I then went back to my serial console and made a successful root login.
BusyBox v1.00 (2009.11.23-02:24+0000) Built-in shell (ash)
Enter ‘help’ for a list of built-in commands.
# cat /proc/cpuinfo
system type : Sigma Designs TangoX
processor : 0
cpu model : MIPS 4KEc V6.9
Initial BogoMIPS : 291.84
wait instruction : yes
microsecond timers : yes
tlb_entries : 32
extra interrupt vector : yes
hardware watchpoint : yes
ASEs implemented : mips16
shadow register sets : 1
VCED exceptions : not available
VCEI exceptions : not available
System bus frequency : 198000000 Hz
CPU frequency : 297000000 Hz
DSP frequency : 297000000 Hz
# mount
/dev/mtdblock5 on / type squashfs (rw)
/proc on /proc type proc (rw)
tmpfs on /dev type tmpfs (rw)
sysfs on /sys type sysfs (rw)
tmpfs on /mnt type tmpfs (rw)
tmpfs on /tmp type tmpfs (rw)
devpts on /dev/pts type devpts (rw)
/dev/mtdblock6 on /mnt/mtd6 type jffs2 (rw,noatime)
/dev/hda1 on /mnt/hd0 type ext3 (rw,noatime,data=ordered)
/dev/hda2 on /mnt/hd0/1 type jfs (rw,noatime)
It turns out that most of the Magic TV application software lives on another filesystem, a read/write jffs2 image (/dev/mtdblock6) mounted under /mnt/mtd6, rather than on the squashfs root, which is read-only by nature. That matters because edits made there survive a reboot. It contains a startup script, “/mnt/mtd6/autorun.sh”, that is quite interesting. Some of its lines are copied below:
- #telnetd -p 8282
- #modprobe pl2303 debug=1
- insmod /lib/wifi/rt2870sta.ko
Line 1 runs a telnet server on port 8282. I have uncommented this line and can now telnet into my Magic TV over Ethernet while it is turned on. Telnet carries the login and password in clear text, so this is only sensible on a trusted LAN.
Line 2 loads the driver for a PL2303 USB-to-RS-232 serial converter with debugging enabled. I have not tested this, but maybe the Magic TV outputs some useful information over such an adapter.
Line 3 is already uncommented, and it looks as if the Magic TV might already support some wireless network adapters based on the Ralink RT2870 chipset.
Once I had enabled the telnet server, I reassembled the Magic TV and put it back in service. I can now copy recordings off over the network using the built-in ncftp client under /mnt/mtd6; it's not the most user-friendly, but it does work:
# /mnt/mtd6/ncftp/ncftp -u xxxxx -p xxxxx 10.0.0.11
NcFTP 3.2.3 (Jul 28, 2009) by Mike Gleason (http://www.NcFTP.com/contact/).
Copyright (c) 1992-2009 by Mike Gleason.
All rights reserved.
Connecting to 10.0.0.11…
10.0.0.11 FTP server (tnftpd 20080929) ready.
User ian logged in.
Logged in to 10.0.0.11.
ncftp /Users/ian > put 100613213005_002.ts
100613213005_002.ts: ETA: 1:11 29.69/277.25 MB 3.50 MB/s
Copying the files off at 3.5 MB/s did not appear to have any impact on watching live TV, which normally uses around 15% of the CPU.
That's where I'm currently up to. In future I would like to try the following things:
- Find out what the RS-232 level translator is and solder it onto the PCB to make a tidy console connection.
- Examine and compare the Hong Kong upgrade image to see the differences. Maybe one day get the variable program skip option added.
- Get a BitTorrent client running for convenient downloading (just kidding :-).
Any suggestions or help gladly accepted.