Samsung UN40H5003 boot loop every ~8 seconds


    Hi, I rescued a Samsung UN40H5003AF (H = 2014 FHD) from the curb. Symptoms are: standby (red) light comes on, stays on for 8 seconds, flickers off, then comes back on, and the cycle continues.

    Service manual: https://www.electronica-pt.com/esque...is-u8la-71272/

    SMPS board: checked voltages, all seem normal (A13V = 12.8V, UD = 3.3V, PWM_BLU = 0.77V, PS_OnOff = 5.5V). Remove 10p cable to main board -> backlight comes on. I think this means SMPS board and backlight are good.

    Main board: BN94-07592P / BN97-08922R / BN41-02263 - see attached photo.

    Multiple power supplies:
    • IC203 SMPS AOZ3015PI input 12.8V output 4.94V
    • IC204 LDO input 5.0V output 1.8V
    • IC205 LDO input 5.0V output 3.3V
    • IC201 LDO input 5.0V output 3.3V
    • IC501 LDO input 5.0V output 3.3V
    • IC206 SMPS input 12.8V output 1.17V

    CPU label: Samsung SEMS32 DNIe 1436BA7MLH88ZA, some obscure 32-bit RISC variant "AEON".

    RAM: I don't see any on the board. Service manual refers to "Check B1.8V of DDR IC" but I don't see any DDR IC. Back of board is empty.

    SPI flash IC601_4MB: Winbond 4 MB, can be read with a SOIC8 clip, strings like "BD_SECXL1_D01B_S", "MSIF0000S3", "MBOT020600622871000", "T-MXL1AUSC-1005.0", "Hello Eden standby mode", "Enter EDEN PM Standby". Boot loader source code: https://github.com/neuschaefer/mstar-mboot

    CN801_DB debug UART 3.3V shows this output on every boot cycle:

    Code:
     Eden: BD_SECXL1_D01B_S
     SPI BOOT
     Console Initial OK
    
    65
    [123456789][123456789]
    0055
    
    BIST_0 PASS.
    
     MIU Initial OK 0328

    According to another post (https://www.badcaps.net/forum/troubl...08#post1274408), it should print more messages (SBOOT:AC ON, Hello Eden standby mode, ...).

    Service manual "4-2. How to Check Fault Symptom" says "Check the Q206 base, voltage must be no larger than 0.5V". Mine is 0.57V. Is this a significant difference?

    Q206 collector does have pulses at the same time as the standby LED, so it seems involved in the power-up circuit. But I don't have a schematic, so I can't really understand the meaning. And my meter is a little too slow to capture them reliably. I think most rails are steady (no pulses).

    I have done some dumb basic checks like:
    - Check all capacitors for shorts, all look good.
    - Check all SMD fuses / chokes, all show continuity.

    Found some schematics here with similar main board part number (https://www.eserviceinfo.com/downloa...ain%20sch.html) but it's not exactly the same power rails, the schematic has DDR while mine doesn't, etc.

    Any idea what I could try next?
  • Answer selected by eigma at 11-24-2024, 02:14 PM.

    Okay, wow, I think I got it. It was a single bit flip in the SPI flash. Details below:

    After confirming I could compute the CRC correctly, I thought most of the flash dump looked valid, so there must be only some very small corruption. Maybe it was a single bit. (I have seen this before on a cheap WRT54G router.) So I wrote a script to brute-force every possible bit flip and check the CRC; it took 18 hours and found one:

    Code:
    $ venv/bin/python3 spi_crc_brute.py samsung-un40h5003af.bin | tee spi_crc_brute.log
    At 0x20000:
    00000000: 80 00 02 00 00 00 20 00  25 66 38 00 A5 66 1A 00  ...... .%f8..f..
    00000010: 00 00 00 00 EB 54 7C 3A  00 00 00 00 00 00 00 00  .....T|:........
    
    u32ROM_START: 0x00020080
    u32RAM_START: 0x00200000
    u32RAM_END:   0x00386625  (len 0x186625)
    u32ROM_END:   0x001a66a5  (len 0x186625)
    u32CRC32_SW:  0x3a7c54eb
    
      4%|████▍                       | 70265/1599013 [49:37<17:55:48, 23.68it/s]
    byte 0x000a507f bit 4: 0x3a7c54eb  GOOD

    then produced a new file samsung-un40h5003af.bin-flip, flashed it, and it worked!

    Code:
    $ diff -u <(hexdump -C samsung-un40h5003af.bin) <(hexdump -C samsung-un40h5003af.bin-flip)
    --- /dev/fd/63 2024-11-24 13:54:35.598092212 -0500
    +++ /dev/fd/62 2024-11-24 13:54:35.594092165 -0500
    @@ -37170,7 +37170,7 @@
    000a5040 d3 c6 71 31 00 1b c7 ac 12 96 cf ea 40 fe ea 1d |..q1........@...|
    000a5050 56 b0 6a b6 df ce 2c 16 f0 d7 9e 61 05 ab aa 60 |V.j...,....a...`|
    000a5060 90 68 e0 ff ae 60 51 ab 8e f2 7f ff c1 e8 57 6d |.h...`Q.......Wm|
    -000a5070 67 90 a8 e1 ff de c3 e8 54 2d b0 51 f4 e5 2f b5 |g.......T-.Q../.|
    +000a5070 67 90 a8 e1 ff de c3 e8 54 2d b0 51 f4 e5 2f a5 |g.......T-.Q../.|
    000a5080 d9 28 8e 64 d0 1f f7 f8 4b d3 6c 14 bd f8 4b 11 |.(.d....K.l...K.|
    000a5090 8c 4e 65 03 83 fe d8 cb 5f ea c1 e8 54 8a 0c fa |.Ne....._...T...|
    000a50a0 63 19 ff 17 9b 75 33 93 57 ec 29 45 0d ff d7 cb |c....u3.W.)E....|
    

    UART output on power up, into standby:

    Code:
     Eden: BD_SECXL1_D01B_S
     SPI BOOT
     Console Initial OK
    
    65
    [123456789][123456789]
    0055
    
    BIST_0 PASS.
    
     MIU Initial OK 0328
    Can not find good RRT block!!
    Error: Load RRT5 setting failed
    MApp_DB_Factory_Init() at 70
    MApp_DB_Factory_Init() end at 73
    
    DATABASE_TOTAL_SIZE=1D952MApp_DB_CH_Init()
    MApp_InitVChipRegion5!
    Reload Period: 2 ms
    TOTAL_USAGE_FLASH_BANK_NUMBER    size = 7
    QUICK_DB_GENSETTING_BANK     start @ 0x3A, size = 131072
    SYSTEM_BANK_DATABASE1       start @ 0x3C, size = 131072
    SYSTEM_BANK_DATABASE0   start @ 0x3E, size = 131072
    SYSTEM_RRT5_BANK0      start @ 0x37, size = 65536
    SYSTEM_RRT5_BANK1      start @ 0x37, size = 65536
    GENSETTING       start @ 0x00E7A000, size = 4828
    MODE_SETTING     start @ 0x00E7E004, size = 1920
    RF_CH_START_ADR     start @ 0x00E7E784, size = 2300
    RF_CH_AIR_START_ADR     start @ 0x00E7E784, size = 2415919104
    AIR_VIR_CH       start @ 0x00E7F080, size = 53053
    AIR_CH_SETTING   start @ 0x00E8BFBD, size = 5420
    CATV_CH_SETTING  start @ 0x00E9A426, size = 5420
    DATABASE_TOTAL_SIZE  , size = 121170
    RRT_DESCRIPTOR   start @ 0x00EAF93C, size = 47250
    RRT_SETTING      start @ 0x00EBB1CE, size = 2520
    Database Usage Status :
    sizeof(MS_GENSETTING)                   = 4828
    sizeof(ModeInputModeType)*MAX_MODE_NUM  = 1920
    sizeof(MS_VIRTUAL_CHANNEL)              = 53
    sizeof(MS_CHANNEL_SETTING)x2            = 10840
    Total Database >> used = 55634 , free = 9902
    
    Keypad Initialize OK
    MDrv_PNL_Init u32PnlRiuBaseAddr = A0200000
    MDrv_PNL_Init u32PMRiuBaseAddr = A0000000
    [_MDrv_PNL_Init_LPLL][295]pstPanelInitData->u16Width=1920, pstPanelInitData->u16Height=1080
    [_MDrv_PNL_Init_LPLL][297]u16HTotal=2200,u16VTotal=1125,pstPanelInitData->u16HTotal=2200,pstPanelInitData->u16VTotal=1125, u16DefaultVFreq=600
    [_MDrv_PNL_Init_Output_Dclk][340]pstPanelInitData->u16Width=1920, pstPanelInitData->u16Height=1080
    [_MDrv_PNL_Init_Output_Dclk][342]u16HTotal=2200,u16VTotal=1125,pstPanelInitData->u16HTotal=2200,pstPanelInitData->u16VTotal=1125, u16DefaultVFreq=600
    [XC,Version] 00442327
     MApi_XC_Init, 537, pXC_InitData->stPanelInfo.eLPLL_Type=1
    MDrv_WBLE_EnableBLE(): invoking Hal_WBLE_set_ble()
    PACLK:0xF006
    PACLK:0xF006
    PACLK:0xF006
    
    [GOP_ALL, PID 0][Driver Version]: 0880, BuildNum: 4880, ChangeList: 2147483647
    ====================
    First GOP driver instance, flush GWIN HW
    ====================
    
    [HAL_TSP_CPU_SetBase][2167] load firmware (address, size) = (0x0056CD00, 0x00002A28)
    firmware 111 0x0056CD00 0x00000000 0x0000AD9A
     g_u8DCOnOff = 55
    POWERON_MODE_SAVE >>
    should go to standby!!!!!
    Power down
    
    MDrv_Power_ExecutePowerDown
    => StandBy
    
    ===DevNtp7414sByteWrite fail !!  Address 0x56CB9E===
    ===DevNtp7414sByteWrite fail !!  Address 0x56CBA2===

    UART output for full power on (pressing TV remote 'Power' button):

    Code:
    Eden: BD_SECXL1_D01B_S
    SPI BOOT
    Console Initial OK
    
    65
    [123456789][123456789]
    0055
    
    BIST_0 PASS.
    
    MIU Initial OK 0328
    Can not find good RRT block!!
    Error: Load RRT5 setting failed
    MApp_DB_Factory_Init() at 70
    MApp_DB_Factory_Init() end at 73
    
    DATABASE_TOTAL_SIZE=1D952MApp_DB_CH_Init()
    MApp_InitVChipRegion5!
    Reload Period: 2 ms
    TOTAL_USAGE_FLASH_BANK_NUMBER size = 7
    QUICK_DB_GENSETTING_BANK start @ 0x3A, size = 131072
    SYSTEM_BANK_DATABASE1 start @ 0x3C, size = 131072
    SYSTEM_BANK_DATABASE0 start @ 0x3E, size = 131072
    SYSTEM_RRT5_BANK0 start @ 0x37, size = 65536
    SYSTEM_RRT5_BANK1 start @ 0x37, size = 65536
    GENSETTING start @ 0x00E7A000, size = 4828
    MODE_SETTING start @ 0x00E7E004, size = 1920
    RF_CH_START_ADR start @ 0x00E7E784, size = 2300
    RF_CH_AIR_START_ADR start @ 0x00E7E784, size = 2415919104
    AIR_VIR_CH start @ 0x00E7F080, size = 53053
    AIR_CH_SETTING start @ 0x00E8BFBD, size = 5420
    CATV_CH_SETTING start @ 0x00E9A426, size = 5420
    DATABASE_TOTAL_SIZE , size = 121170
    RRT_DESCRIPTOR start @ 0x00EAF93C, size = 47250
    RRT_SETTING start @ 0x00EBB1CE, size = 2520
    Database Usage Status :
    sizeof(MS_GENSETTING) = 4828
    sizeof(ModeInputModeType)*MAX_MODE_NUM = 1920
    sizeof(MS_VIRTUAL_CHANNEL) = 53
    sizeof(MS_CHANNEL_SETTING)x2 = 10840
    Total Database >> used = 55634 , free = 9902
    
    Keypad Initialize OK
    MDrv_PNL_Init u32PnlRiuBaseAddr = A0200000
    MDrv_PNL_Init u32PMRiuBaseAddr = A0000000
    [_MDrv_PNL_Init_LPLL][295]pstPanelInitData->u16Width=1920, pstPanelInitData->u16Height=1080
    [_MDrv_PNL_Init_LPLL][297]u16HTotal=2200,u16VTotal=1125,pstPanelInitData->u16HTotal=2200,pstPanelInitData->u16VTotal=1125, u16DefaultVFreq=600
    [_MDrv_PNL_Init_Output_Dclk][340]pstPanelInitData->u16Width=1920, pstPanelInitData->u16Height=1080
    [_MDrv_PNL_Init_Output_Dclk][342]u16HTotal=2200,u16VTotal=1125,pstPanelInitData->u16HTotal=2200,pstPanelInitData->u16VTotal=1125, u16DefaultVFreq=600
    [XC,Version] 00442327
    MApi_XC_Init, 537, pXC_InitData->stPanelInfo.eLPLL_Type=1
    MDrv_WBLE_EnableBLE(): invoking Hal_WBLE_set_ble()
    PACLK:0xF006
    PACLK:0xF006
    PACLK:0xF006
    
    [GOP_ALL, PID 0][Driver Version]: 0880, BuildNum: 4880, ChangeList: 2147483647
    ====================
    First GOP driver instance, flush GWIN HW
    ====================
    
    [HAL_TSP_CPU_SetBase][2167] load firmware (address, size) = (0x0056CD00, 0x00002A28)
    firmware 111 0x0056CD00 0x00000000 0x0000AD9A
    DSP code loaded successfully
    
    Auth OK
    
    ===== Check Audio Decoder Protection from hash-key IP =====
    Hash-key Support DD.
    Hash-key Support DD+.
    Hash-key Support Generic HE-AAC !!
    Hash Key Check DDCO Fail, No DDCO license!!
    Hash-key Support DTS DMP.
    Hash-key Support WMA.
    Hash Key Check DRA Fail, No DRA license!!
    Hash Key Check DTSLBR Fail, No DTSLBR license!!
    ===== Check Protection IP End =====
    
    ===HacI2cWrite fail !! Address 0x1===
    ===HacI2cWrite fail !! Address 0x2===
    ===HacI2cWrite fail !! Address 0x0===--AUDIO_SURROUND_SRS_TSHD--
    
    [GOP0, PID 0][Driver Version]: 0088, BuildNum: 0488, ChangeList: 2147483647
    gop_stretch: u16Pitch = 384, u16Width = 372, u16Height = 133
    >Load Code...
    >INTERN_ATSC Code...
    >Verify Code...
    >DSP Loadcode done.unsupport N51 FS compress
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    Reload BKSV: 0xAB
    Reload BKSV: 0x8
    Reload BKSV: 0x5C
    Reload BKSV: 0xDB
    Reload BKSV: 0x5C
    delay should be great than 20ms.
    
    RTC not init DB_CH: u8DataBaseBank=0
    DB_CH: Erase bank=0x3E
    
    msAPI_MIU_QuickDataBaseErase, dst=0x3E0000
    msAPI_MIU_QuickDataBaseErase, dst=0x3F0000
    HAL_SERFLASH_BlockErase (0x0000003F, 0x00000040, 0)
    DB_CH: s_DB_CH_u32WriteTime=0x1
    DB_CH: Write Done~ use 379ms
    
    Warning: Someone want enable WP, but another one is in use!(0x2)

    I have attached the recovered firmware file samsung-un40h5003af.bin-flip. I guess this should be pretty similar to the genuine T-MXL1AUSC.bin, but I don't know for sure, be careful if you decide to use it on your device!

    Comment
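
The single-bit search described in the selected answer, as an added example that is not the poster's spi_crc_brute.py: because a CRC is linear, the difference between the computed and the stored checksum identifies the flipped bit in one backward pass, without recomputing the CRC for every candidate. Assumptions: standard zlib CRC-32 stands in for the MStar variant (which the thread says is not zlib-compatible), the checksum is taken to cover u32ROM_START to u32ROM_END, and the sample image is constructed; the header offsets are read from the hex dump in the post.

```python
import struct
import zlib

HDR_OFF = 0x20000   # header offset printed in the thread ("At 0x20000:")
POLY = 0xEDB88320   # ASSUMPTION: standard CRC-32, stand-in for the MStar variant

# Byte-wise table for the linear part of the CRC (init 0, no final XOR).
TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ POLY if c & 1 else c >> 1
    TABLE.append(c)


def parse_header(img):
    """Decode the little-endian u32 fields as laid out in the thread's hex dump."""
    rom_start, ram_start, ram_end, rom_end = struct.unpack_from("<4I", img, HDR_OFF)
    (crc_sw,) = struct.unpack_from("<I", img, HDR_OFF + 0x14)
    if not HDR_OFF < rom_start < rom_end <= len(img):
        raise ValueError("header does not describe a range inside the image")
    return {"rom_start": rom_start, "ram_start": ram_start,
            "ram_end": ram_end, "rom_end": rom_end, "crc_sw": crc_sw}


def crc_ok(img):
    """ASSUMPTION: the stored CRC covers bytes rom_start..rom_end."""
    h = parse_header(img)
    return zlib.crc32(img[h["rom_start"]:h["rom_end"]]) == h["crc_sw"]


def locate_single_bit_flip(img):
    """Return (file_offset, bit) of the single flipped bit, or None.

    For equal-length messages crc(a) ^ crc(b) depends only on a ^ b, so
    computed ^ stored equals the linear CRC of a message that is all zero
    except for the flipped bit. That value depends only on the bit number
    and on how many bytes follow it: walk back from the end, extending the
    eight candidate syndromes by one zero byte per step.
    """
    h = parse_header(img)
    start, end = h["rom_start"], h["rom_end"]
    syndrome = zlib.crc32(img[start:end]) ^ h["crc_sw"]
    if syndrome == 0:
        return None                       # CRC already matches
    states = [TABLE[1 << bit] for bit in range(8)]
    for off in range(end - 1, start - 1, -1):
        if syndrome in states:
            return off, states.index(syndrome)
        states = [TABLE[s & 0xFF] ^ (s >> 8) for s in states]
    return None                           # not explainable by one flipped bit


def repair(img):
    """Return a copy with the located bit flipped back; raise if none is found."""
    hit = locate_single_bit_flip(img)
    if hit is None:
        raise ValueError("no single-bit repair found")
    off, bit = hit
    fixed = bytearray(img)
    fixed[off] ^= 1 << bit
    return bytes(fixed)


def build_sample(payload_len=4096):
    """Constructed test image with the same header layout (not a real dump)."""
    rom_start = HDR_OFF + 0x80
    payload = bytes((i * 37 + 11) & 0xFF for i in range(payload_len))
    img = bytearray(rom_start) + payload
    struct.pack_into("<4I", img, HDR_OFF, rom_start, 0x200000,
                     0x200000 + payload_len, rom_start + payload_len)
    struct.pack_into("<I", img, HDR_OFF + 0x14, zlib.crc32(payload))
    return bytes(img)


if __name__ == "__main__":
    good = build_sample()
    bad = bytearray(good)
    bad[HDR_OFF + 0x80 + 0x7F] ^= 1 << 4          # constructed fault
    off, bit = locate_single_bit_flip(bytes(bad))
    print(f"byte 0x{off:08x} bit {bit}")
    print("repaired CRC ok:", crc_ok(repair(bytes(bad))))
```

A matching CRC only shows that the image is consistent with its own header, not that it equals the vendor's original.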


      #2
      Post dump spi flash here.
      Check the resistance of the HDMI and USB signal lines relative to gnd.
      Last edited by lotas; 11-21-2024, 09:37 AM.

      Comment


        #3
        SPI flash dump attached.

        HDMI to ground - all values in ohms:

        Pin  Signal                              CN401_H1  CN404_H2
        1    TMDS data2+                         30M       33M
        2    TMDS data2 shield                   0         0
        3    TMDS data2−                         30M       33M
        4    TMDS data1+                         30M       33M
        5    TMDS data1 shield                   0         0
        6    TMDS data1−                         30M       33M
        7    TMDS data0+                         32M       33M
        8    TMDS data0 shield                   0         0
        9    TMDS data0−                         32M       35M
        10   TMDS clock+                         31M       35M
        11   TMDS clock shield                   0         0
        12   TMDS clock−                         32M       34M
        13   Consumer Electronics Control (CEC)  3M        3M
        14   Utility/HEAC+                       open      open
        15   SCL                                 340       340
        16   SDA                                 330       330
        17   Ground                              0         0
        18   +5 V                                12k       12k
        19   Hot plug detect                     13k       13k

        USB to ground:
        • Ground: 0
        • D+: open
        • D-: open
        • +5V: open

        Found another schematic, which seems a bit more similar to my device:
        https://www.eserviceinfo.com/downloa...ain%20sch.html
        Some things are more similar (Q207, 1.1V rail), other things are still different (input power, main IC, DDR).

        Comment


          #4
          Your CPU is MStar, dump is not working (broken core).

          Comment


            #5
            I'm sorry, can you explain more? MStar is broken or SPI chip is broken?

            I tried to erase SPI chip and write a firmware from Samsung website, for a very similar model (though not exactly the same). The firmwares have the same first 4 KB, many other similarities, maybe a chance to work.

            But I cannot erase the flash chip:

            Code:
            $ flashrom -p ft2232_spi:type=2232H,port=B,divisor=100 -w T-MXL1JAUSC-4mb.bin
            flashrom v1.3.0 on Darwin 23.6.0 (arm64)
            flashrom is free software, get the source code at https://flashrom.org
            
            Calibrating delay loop... OK.
            Found Winbond flash chip "W25Q32.V" (4096 kB, SPI) on ft2232_spi.
            ===
            This flash part has status UNTESTED for operations: WP
            The test status of this chip may have been updated in the latest development
            version of flashrom. If you are running the latest development version,
            please email a report to flashrom@flashrom.org if any of the above operations
            work correctly for you with this flash chip. Please include the flashrom log
            file for all operations you tested (see the man page for details), and mention
            which mainboard or programmer you tested in the subject line.
            Thanks for your help!
            Reading old flash chip contents... done.
            Erasing and writing flash chip... FAILED at 0x00010000! Expected=0xff, Found=0x00, failed byte count from 0x00010000-0x00010fff: 0xfff
            ERASE FAILED!
            Reading current flash chip contents... done. Looking for another erase function.
            FAILED at 0x00010000! Expected=0xff, Found=0x00, failed byte count from 0x00010000-0x00017fff: 0x7eeb
            ERASE FAILED!
            Reading current flash chip contents... done. Looking for another erase function.
            FAILED at 0x00010000! Expected=0xff, Found=0x00, failed byte count from 0x00010000-0x0001ffff: 0xfe9c
            ERASE FAILED!
            Reading current flash chip contents... done. Looking for another erase function.
            FAILED at 0x00000000! Expected=0xff, Found=0x00, failed byte count from 0x00000000-0x003fffff: 0x3b5256
            ERASE FAILED!
            Reading current flash chip contents... done. Looking for another erase function.
            FAILED at 0x00000000! Expected=0xff, Found=0x00, failed byte count from 0x00000000-0x003fffff: 0x3b5256
            ERASE FAILED!
            Reading current flash chip contents... done. Looking for another erase function.
            Looking for another erase function.
            Looking for another erase function.
            No usable erase functions left.
            FAILED!
            Uh oh. Erase/write failed. Checking if anything has changed.
            Reading current flash chip contents... done.
            Good, writing to the flash chip apparently didn't do anything.
            Please check the connections (especially those to write protection pins) between
            the programmer and the flash chip. If you think the error is caused by flashrom
            please report this to the mailing list at flashrom@flashrom.org or on IRC (see
            https://www.flashrom.org/Contact for details), thanks!

            I checked voltages, /WP pin was in the middle, around 1.8V, I thought maybe that was the problem. So added a 470 ohm resistor to VCC, now /WP at 3.1V, and tried again. But still, flashrom error "ERASE FAILED!".

            Comment


              #6
              The firmware is damaged, it is better to erase the chip on a programmer by desoldering it from the board; if it is not erased, some kind of status register may be written.

              Comment


                #7
                In a few days I will get access to SMD soldering equipment and try to remove the SPI chip.

                Until then, I spent some time understanding SPI flash dump file format, and comparing to the clean genuine firmware file downloaded from Samsung (T-MXL1JAUSC.bin). From sboot/src/MSDecompress.c we see there is a header at 0x20000 including a CRC32. The CRC32 algorithm seems unusual, not compatible with standard Python zlib.crc32. After more searching, I find Chakra3_017a0d6_20170731/scripts/BinIDPackFiles_Compress.py which gives the correct CRC32 algorithm and much more information about the file format.

                And indeed, the clean firmware from Samsung has good CRC:

                Code:
                $ ./spi_crc.py T-MXL1JAUSC.bin
                At 0x20000:
                00000000: 80 00 02 00 00 00 20 00  73 80 39 00 F3 80 1B 00  ...... .s.9.....
                00000010: 00 00 00 00 56 E2 50 B5  00 00 00 00 00 00 00 00  ....V.P.........
                
                u32ROM_START: 0x00020080
                u32RAM_START: 0x00200000
                u32RAM_END:   0x00398073  (len 0x198073)
                u32ROM_END:   0x001b80f3  (len 0x198073)
                u32CRC32_SW:  0xb550e256
                
                CRC:          0xb550e256  GOOD

                while my reading from SPI flash does not!

                Code:
                $ ./spi_crc.py samsung-un40h5003af.bin
                At 0x20000:
                00000000: 80 00 02 00 00 00 20 00  25 66 38 00 A5 66 1A 00  ...... .%f8..f..
                00000010: 00 00 00 00 EB 54 7C 3A  00 00 00 00 00 00 00 00  .....T|:........
                
                u32ROM_START: 0x00020080
                u32RAM_START: 0x00200000
                u32RAM_END:   0x00386625  (len 0x186625)
                u32ROM_END:   0x001a66a5  (len 0x186625)
                u32CRC32_SW:  0x3a7c54eb
                
                CRC:          0xe6632d3d  BAD!

                I am still hoping to find a clean T-MXL1AUSC.bin (version 1005) for my device. But until then, I might try flashing T-MXL1JAUSC and hope for the best.

                Comment


                  #8
                  Ha! I was using flashrom 1.4.0.. but seems there have been changes. I built flashrom from Git (~v1.5.0-rc1), I think this brings better support for WP (write protect) features of the chip, and was able to program the flash (despite the "Protection mode: hardware"...)!

                  Code:
                  $ ./builddir/flashrom -p ft2232_spi:type=2232H,port=B,divisor=100 -c W25Q32FV --wp-status
                  flashrom v1.5.0-rc1 (git:v1.5.0-rc1) on Darwin 23.6.0 (arm64)
                  ...
                  Protection range: start=0x00000000 length=0x00400000 (all)
                  Protection mode: hardware
                  
                  
                  $ ./builddir/flashrom -p ft2232_spi:type=2232H,port=B,divisor=100 -c W25Q32FV -w ../T-MXL1JAUSC-4mb.bin
                  flashrom v1.5.0-rc1 (git:v1.5.0-rc1) on Darwin 23.6.0 (arm64)
                  ...
                  Reading old flash chip contents... done.
                  Updating flash chip contents... Erase/write done from 0 to 3fffff
                  Verifying flash... VERIFIED.

                  This image, maybe due to model mismatch, maybe something else, behaves differently, more output!!

                  Code:
                   Eden: BD_SECXL1_D01B_S
                   SPI BOOT
                   Console Initial OK
                  
                  65
                  [123456789][123456789]
                  0055
                  
                  BIST_0 PASS.
                  
                   MIU Initial OK 0328
                  ASSERT: core/api/msAPI_Flash.c 388
                  ------ stack backtrace ------
                  5A5AA5A5
                  Exception: 6
                  r0 : 00000000  r1 : 00598AD4  r2 : FFFFFFFD  r3 : 00000009
                  r4 : 00598993  r5 : 90000000  r6 : 90000005  r7 : 0000000A
                  r8 : B0000F78  r9 : 003992BB  r10: 5A5AA5A5  r11: 003C0000
                  r12: 00543082  r13: 000000BB  r14: 00540000  r15: 00000000
                  r16: 000000B0  r17: 0019806D  r18: FFFFFFA7  r19: 8671011D
                  r20: 60291913  r21: FFFF015A  r22: 606C9C0A  r23: 0034E613
                  r24: 00560000  r25: 00000016  r26: 003DEF16  r27: 00000000
                  r28: A0200000  r29: 00540000  r30: 02100018  r31: 00000004
                  sr : 0000821F  pc : 003992AD  eear: 5A5AA5A1
                  ------ stack backtrace ------
                  398768
                  Exception: 6
                  r0 : 00000000  r1 : 005989A4  r2 : FFFFFFFD  r3 : 00000007
                  r4 : 00598863  r5 : 90000000  r6 : 90000005  r7 : 0000000A
                  ...

                  Chakra3 does contain core/api/msAPI_Flash.c but line 388 is wrong. Must be a different version. I may reverse engineer the AP code to see what's the ASSERT.

                  Call out, anyone who has T-MXL1AUSC.bin or knows how to obtain it, please help!

                  Comment


                    #9
                    Look at this firmware, it looks like it's for Korea... (T-MXL1JAKRC)

                    Comment


                      Hash-key Support DD.
                      Hash-key Support DD+.
                      Hash-key Support Generic HE-AAC !!
                      Hash Key Check DDCO Fail, No DDCO license!!
                      Hash-key Support DTS DMP.
                      Hash-key Support WMA.
                      Hash Key Check DRA Fail, No DRA license!!
                      Hash Key Check DTSLBR Fail, No DTSLBR license!!
                      ===== Check Protection IP End =====
                      
                      ===HacI2cWrite fail !! Address 0x1===
                      ===HacI2cWrite fail !! Address 0x2===
                      ===HacI2cWrite fail !! Address 0x0===--AUDIO_SURROUND_SRS_TSHD--
                      
                      [GOP0, PID 0][Driver Version]: 0088, BuildNum: 0488, ChangeList: 2147483647
                      gop_stretch: u16Pitch = 384, u16Width = 372, u16Height = 133
                      >Load Code...
                      >INTERN_ATSC Code...
                      >Verify Code...
                      >DSP Loadcode done.unsupport N51 FS compress
                      !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
                      Reload BKSV: 0xAB
                      Reload BKSV: 0x8
                      Reload BKSV: 0x5C
                      Reload BKSV: 0xDB
                      Reload BKSV: 0x5C
                      delay should be great than 20ms.
                      
                      RTC not init DB_CH: u8DataBaseBank=0
                      DB_CH: Erase bank=0x3E
                      
                      msAPI_MIU_QuickDataBaseErase, dst=0x3E0000
                      msAPI_MIU_QuickDataBaseErase, dst=0x3F0000
                      HAL_SERFLASH_BlockErase (0x0000003F, 0x00000040, 0)
                      DB_CH: s_DB_CH_u32WriteTime=0x1
                      DB_CH: Write Done~ use 379ms
                      
                      Warning: Someone want enable WP, but another one is in use!(0x2)

                      I have attached the recovered firmware file samsung-un40h5003af.bin-flip. I guess this should be pretty similar to the genuine T-MXL1AUSC.bin, but I don't know for sure. Be careful if you decide to use it on your device!



                        #11
                        Well done! Here are two clean dumps: one for the programmer, and a second, smaller one for USB. You just need to rename it to T-MXL1AUSC.bin.
                        Attached Files



                          #12
                          Some handwritten notes for the main board power circuit.
                          Attached Files
