Samsung UN40H5003 boot loop every ~8 seconds

Digitek · 07-29-2025, 10:55 PM

Originally posted by eigma

Code:

#!/opt/homebrew/bin/python3.11
import sys, struct, zlib, hexdump, tqdm
import crcmod

CRC32 = crcmod.mkCrcFun(0x104C11DB7, 0, 0)

data = bytearray(open(sys.argv[1], 'rb').read())

print('At 0x20000:')
header = data[0x20000:0x20020]
hexdump.hexdump(header)
print()

u32ROM_START, u32RAM_START, u32RAM_END, u32ROM_END, _, u32CRC32_SW = \
struct.unpack('<6L', header[0:0x18])
print(f'u32ROM_START: 0x{u32ROM_START:08x}')
print(f'u32RAM_START: 0x{u32RAM_START:08x}')
print(f'u32RAM_END: 0x{u32RAM_END:08x} (len 0x{u32RAM_END-u32RAM_START:06x})')
print(f'u32ROM_END: 0x{u32ROM_END:08x} (len 0x{u32ROM_END-u32ROM_START:06x})')
print(f'u32CRC32_SW: 0x{u32CRC32_SW:08x}')
print()

for byte in tqdm.tqdm(range(u32ROM_START, u32ROM_END)):
for bit in range(8):
data[byte] ^= (1< crc = CRC32(data[u32ROM_START:u32ROM_END])
if crc == u32CRC32_SW:
print(f'byte 0x{byte:08x} bit {bit}: 0x{crc:08x} {"GOOD" if crc == u32CRC32_SW else "BAD!"}')
data[byte] ^= (1<

Thank you so much.
I finally understood the meaning of the 20 bytes at offset 0x20000

eigma · 07-28-2025, 07:38 PM

Code:

#!/opt/homebrew/bin/python3.11
import sys, struct, zlib, hexdump, tqdm
import crcmod

CRC32 = crcmod.mkCrcFun(0x104C11DB7, 0, 0)

data = bytearray(open(sys.argv[1], 'rb').read())

print('At 0x20000:')
header = data[0x20000:0x20020]
hexdump.hexdump(header)
print()

u32ROM_START, u32RAM_START, u32RAM_END, u32ROM_END, _, u32CRC32_SW = \
  struct.unpack('<6L', header[0:0x18])
print(f'u32ROM_START: 0x{u32ROM_START:08x}')
print(f'u32RAM_START: 0x{u32RAM_START:08x}')
print(f'u32RAM_END:   0x{u32RAM_END:08x}  (len 0x{u32RAM_END-u32RAM_START:06x})')
print(f'u32ROM_END:   0x{u32ROM_END:08x}  (len 0x{u32ROM_END-u32ROM_START:06x})')
print(f'u32CRC32_SW:  0x{u32CRC32_SW:08x}')
print()

for byte in tqdm.tqdm(range(u32ROM_START, u32ROM_END)):
  for bit in range(8):
    data[byte] ^= (1<<bit)
    crc = CRC32(data[u32ROM_START:u32ROM_END])
    if crc == u32CRC32_SW:
      print(f'byte 0x{byte:08x} bit {bit}: 0x{crc:08x}  {"GOOD" if crc == u32CRC32_SW else "BAD!"}')
    data[byte] ^= (1<<bit)

Digitek · 07-26-2025, 07:17 PM

Originally posted by eigma

So I wrote a script to brute-force every possible bit flip, and check CRC

Greetings.
Could you share the script you created for this purpose?
I've tried to do it in C# based on what you posted, but I can't get the result you show.

missyy · 05-18-2025, 05:57 AM

Trawling for info on "Eden" I was surprised to encounter a familiar name from my past life frequenting Foulab. It must be a small world for the handful of people interested in these chips.

Congratulations on the successful diagnosis and repair, and thanks for the writeup. I have a couple MSD3393 boards and--for a firmware reversing/hardware hacking novice like me, at least--this thread is an enormous help in figuring them out.

eigma · 11-24-2024, 05:23 PM

Some handwritten notes for main board power circuit.

Attached Files

Premium supporters get full download access and other benefits.

lotas · 11-24-2024, 02:45 PM

Well done! Here are two clean dumps, one for the programmer, the second, which is smaller for usb, you just need to rename it to T-MXL1AUSC.bin

Attached Files

Premium supporters get full download access and other benefits.

samsung-un40h5003af.rar (3.27 MB, 1 view)

eigma · 11-24-2024, 02:10 PM

Okay, wow, I think I got it. It was a single bit flip in the SPI flash. Details below:

After confirming I could compute the CRC correctly, I thought most of the flash dump looked valid, so there must be only some very small corruption. Maybe it was a single bit. (I have seen this before on a cheap WRT54G router) So I wrote a script to brute-force every possible bit flip, and check CRC, it took 18 hours, and found one:

Code:

$ venv/bin/python3 spi_crc_brute.py samsung-un40h5003af.bin | tee spi_crc_brute.log
At 0x20000:
00000000: 80 00 02 00 00 00 20 00  25 66 38 00 A5 66 1A 00  ...... .%f8..f..
00000010: 00 00 00 00 EB 54 7C 3A  00 00 00 00 00 00 00 00  .....T|:........

u32ROM_START: 0x00020080
u32RAM_START: 0x00200000
u32RAM_END:   0x00386625  (len 0x186625)
u32ROM_END:   0x001a66a5  (len 0x186625)
u32CRC32_SW:  0x3a7c54eb

  4%|████▍                       | 70265/1599013 [49:37<17:55:48, 23.68it/s]
byte 0x000a507f bit 4: 0x3a7c54eb  GOOD

then produced a new file samsung-un40h5003af.bin-flip, flashed it, and it worked!

Code:

$ diff -u <(hexdump -C samsung-un40h5003af.bin) <(hexdump -C samsung-un40h5003af.bin-flip)
--- /dev/fd/63 2024-11-24 13:54:35.598092212 -0500
+++ /dev/fd/62 2024-11-24 13:54:35.594092165 -0500
@@ -37170,7 +37170,7 @@
000a5040 d3 c6 71 31 00 1b c7 ac 12 96 cf ea 40 fe ea 1d |..q1........@...|
000a5050 56 b0 6a b6 df ce 2c 16 f0 d7 9e 61 05 ab aa 60 |V.j...,....a...`|
000a5060 90 68 e0 ff ae 60 51 ab 8e f2 7f ff c1 e8 57 6d |.h...`Q.......Wm|
-000a5070 67 90 a8 e1 ff de c3 e8 54 2d b0 51 f4 e5 2f b5 |g.......T-.Q../.|
+000a5070 67 90 a8 e1 ff de c3 e8 54 2d b0 51 f4 e5 2f a5 |g.......T-.Q../.|
000a5080 d9 28 8e 64 d0 1f f7 f8 4b d3 6c 14 bd f8 4b 11 |.(.d....K.l...K.|
000a5090 8c 4e 65 03 83 fe d8 cb 5f ea c1 e8 54 8a 0c fa |.Ne....._...T...|
000a50a0 63 19 ff 17 9b 75 33 93 57 ec 29 45 0d ff d7 cb |c....u3.W.)E....|

UART output on power up, into standby:

Code:

 Eden: BD_SECXL1_D01B_S
 SPI BOOT
 Console Initial OK

65
[123456789][123456789]
0055

BIST_0 PASS.

 MIU Initial OK 0328
Can not find good RRT block!!
Error: Load RRT5 setting failed
MApp_DB_Factory_Init() at 70
MApp_DB_Factory_Init() end at 73

DATABASE_TOTAL_SIZE=1D952MApp_DB_CH_Init()
MApp_InitVChipRegion5!
Reload Period: 2 ms
TOTAL_USAGE_FLASH_BANK_NUMBER    size = 7
QUICK_DB_GENSETTING_BANK     start @ 0x3A, size = 131072
SYSTEM_BANK_DATABASE1       start @ 0x3C, size = 131072
SYSTEM_BANK_DATABASE0   start @ 0x3E, size = 131072
SYSTEM_RRT5_BANK0      start @ 0x37, size = 65536
SYSTEM_RRT5_BANK1      start @ 0x37, size = 65536
GENSETTING       start @ 0x00E7A000, size = 4828
MODE_SETTING     start @ 0x00E7E004, size = 1920
RF_CH_START_ADR     start @ 0x00E7E784, size = 2300
RF_CH_AIR_START_ADR     start @ 0x00E7E784, size = 2415919104
AIR_VIR_CH       start @ 0x00E7F080, size = 53053
AIR_CH_SETTING   start @ 0x00E8BFBD, size = 5420
CATV_CH_SETTING  start @ 0x00E9A426, size = 5420
DATABASE_TOTAL_SIZE  , size = 121170
RRT_DESCRIPTOR   start @ 0x00EAF93C, size = 47250
RRT_SETTING      start @ 0x00EBB1CE, size = 2520
Database Usage Status :
sizeof(MS_GENSETTING)                   = 4828
sizeof(ModeInputModeType)*MAX_MODE_NUM  = 1920
sizeof(MS_VIRTUAL_CHANNEL)              = 53
sizeof(MS_CHANNEL_SETTING)x2            = 10840
Total Database >> used = 55634 , free = 9902

Keypad Initialize OK
MDrv_PNL_Init u32PnlRiuBaseAddr = A0200000
MDrv_PNL_Init u32PMRiuBaseAddr = A0000000
[_MDrv_PNL_Init_LPLL][295]pstPanelInitData->u16Width=1920, pstPanelInitData->u16Height=1080
[_MDrv_PNL_Init_LPLL][297]u16HTotal=2200,u16VTotal=1125,pstPanelInitData->u16HTotal=2200,pstPanelInitData->u16VTotal=1125, u16DefaultVFreq=600
[_MDrv_PNL_Init_Output_Dclk][340]pstPanelInitData->u16Width=1920, pstPanelInitData->u16Height=1080
[_MDrv_PNL_Init_Output_Dclk][342]u16HTotal=2200,u16VTotal=1125,pstPanelInitData->u16HTotal=2200,pstPanelInitData->u16VTotal=1125, u16DefaultVFreq=600
[XC,Version] 00442327
 MApi_XC_Init, 537, pXC_InitData->stPanelInfo.eLPLL_Type=1
MDrv_WBLE_EnableBLE(): invoking Hal_WBLE_set_ble()
PACLK:0xF006
PACLK:0xF006
PACLK:0xF006

[GOP_ALL, PID 0][Driver Version]: 0880, BuildNum: 4880, ChangeList: 2147483647
====================
First GOP driver instance, flush GWIN HW
====================

[HAL_TSP_CPU_SetBase][2167] load firmware (address, size) = (0x0056CD00, 0x00002A28)
firmware 111 0x0056CD00 0x00000000 0x0000AD9A
 g_u8DCOnOff = 55
POWERON_MODE_SAVE >>
should go to standby!!!!!
Power down

MDrv_Power_ExecutePowerDown
=> StandBy

===DevNtp7414sByteWrite fail !!  Address 0x56CB9E===
===DevNtp7414sByteWrite fail !!  Address 0x56CBA2===

UART output for full power on (pressing TV remote 'Power' button):

Code:

Eden: BD_SECXL1_D01B_S
SPI BOOT
Console Initial OK

65
[123456789][123456789]
0055

BIST_0 PASS.

MIU Initial OK 0328
Can not find good RRT block!!
Error: Load RRT5 setting failed
MApp_DB_Factory_Init() at 70
MApp_DB_Factory_Init() end at 73

DATABASE_TOTAL_SIZE=1D952MApp_DB_CH_Init()
MApp_InitVChipRegion5!
Reload Period: 2 ms
TOTAL_USAGE_FLASH_BANK_NUMBER size = 7
QUICK_DB_GENSETTING_BANK start @ 0x3A, size = 131072
SYSTEM_BANK_DATABASE1 start @ 0x3C, size = 131072
SYSTEM_BANK_DATABASE0 start @ 0x3E, size = 131072
SYSTEM_RRT5_BANK0 start @ 0x37, size = 65536
SYSTEM_RRT5_BANK1 start @ 0x37, size = 65536
GENSETTING start @ 0x00E7A000, size = 4828
MODE_SETTING start @ 0x00E7E004, size = 1920
RF_CH_START_ADR start @ 0x00E7E784, size = 2300
RF_CH_AIR_START_ADR start @ 0x00E7E784, size = 2415919104
AIR_VIR_CH start @ 0x00E7F080, size = 53053
AIR_CH_SETTING start @ 0x00E8BFBD, size = 5420
CATV_CH_SETTING start @ 0x00E9A426, size = 5420
DATABASE_TOTAL_SIZE , size = 121170
RRT_DESCRIPTOR start @ 0x00EAF93C, size = 47250
RRT_SETTING start @ 0x00EBB1CE, size = 2520
Database Usage Status :
sizeof(MS_GENSETTING) = 4828
sizeof(ModeInputModeType)*MAX_MODE_NUM = 1920
sizeof(MS_VIRTUAL_CHANNEL) = 53
sizeof(MS_CHANNEL_SETTING)x2 = 10840
Total Database >> used = 55634 , free = 9902

Keypad Initialize OK
MDrv_PNL_Init u32PnlRiuBaseAddr = A0200000
MDrv_PNL_Init u32PMRiuBaseAddr = A0000000
[_MDrv_PNL_Init_LPLL][295]pstPanelInitData->u16Width=1920, pstPanelInitData->u16Height=1080
[_MDrv_PNL_Init_LPLL][297]u16HTotal=2200,u16VTotal=1125,pstPanelInitData->u16HTotal=2200,pstPanelInitData->u16VTotal=1125, u16DefaultVFreq=600
[_MDrv_PNL_Init_Output_Dclk][340]pstPanelInitData->u16Width=1920, pstPanelInitData->u16Height=1080
[_MDrv_PNL_Init_Output_Dclk][342]u16HTotal=2200,u16VTotal=1125,pstPanelInitData->u16HTotal=2200,pstPanelInitData->u16VTotal=1125, u16DefaultVFreq=600
[XC,Version] 00442327
MApi_XC_Init, 537, pXC_InitData->stPanelInfo.eLPLL_Type=1
MDrv_WBLE_EnableBLE(): invoking Hal_WBLE_set_ble()
PACLK:0xF006
PACLK:0xF006
PACLK:0xF006

[GOP_ALL, PID 0][Driver Version]: 0880, BuildNum: 4880, ChangeList: 2147483647
====================
First GOP driver instance, flush GWIN HW
====================

[HAL_TSP_CPU_SetBase][2167] load firmware (address, size) = (0x0056CD00, 0x00002A28)
firmware 111 0x0056CD00 0x00000000 0x0000AD9A
DSP code loaded successfully

Auth OK

===== Check Audio Decoder Protection from hash-key IP =====
Hash-key Support DD.
Hash-key Support DD+.
Hash-key Support Generic HE-AAC !!
Hash Key Check DDCO Fail, No DDCO license!!
Hash-key Support DTS DMP.
Hash-key Support WMA.
Hash Key Check DRA Fail, No DRA license!!
Hash Key Check DTSLBR Fail, No DTSLBR license!!
===== Check Protection IP End =====

===HacI2cWrite fail !! Address 0x1===
===HacI2cWrite fail !! Address 0x2===
===HacI2cWrite fail !! Address 0x0===--AUDIO_SURROUND_SRS_TSHD--

[GOP0, PID 0][Driver Version]: 0088, BuildNum: 0488, ChangeList: 2147483647
gop_stretch: u16Pitch = 384, u16Width = 372, u16Height = 133
>Load Code...
>INTERN_ATSC Code...
>Verify Code...
>DSP Loadcode done.unsupport N51 FS compress
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Reload BKSV: 0xAB
Reload BKSV: 0x8
Reload BKSV: 0x5C
Reload BKSV: 0xDB
Reload BKSV: 0x5C
delay should be great than 20ms.

RTC not init DB_CH: u8DataBaseBank=0
DB_CH: Erase bank=0x3E

msAPI_MIU_QuickDataBaseErase, dst=0x3E0000
msAPI_MIU_QuickDataBaseErase, dst=0x3F0000
HAL_SERFLASH_BlockErase (0x0000003F, 0x00000040, 0)
DB_CH: s_DB_CH_u32WriteTime=0x1
DB_CH: Write Done~ use 379ms

Warning: Someone want enable WP, but another one is in use!(0x2)

I have attached the recovered firmware file samsung-un40h5003af.bin-flip. I guess this should be pretty similar to the genuine T-MXL1AUSC.bin, but I don't know for sure, be careful if you decide to use it on your device!

lotas · 11-23-2024, 02:48 AM

Look at this firmware, it looks like it's for Korea... (T-MXL1JAKRC)

Attached Files

Premium supporters get full download access and other benefits.

T-MXL1JAKRC.zip (3.59 MB, 1 view)

eigma · 11-22-2024, 09:49 PM

Ha! I was using flashrom 1.4.0.. but seems there have been changes. I built flashrom from Git (~v1.5.0-rc1), I think this brings better support for WP (write protect) features of the chip, and was able to program the flash (despite the "Protection mode: hardware"...)!

Code:

$ ./builddir/flashrom -p ft2232_spi:type=2232H,port=B,divisor=100 -c W25Q32FV --wp-status
flashrom v1.5.0-rc1 (git:v1.5.0-rc1) on Darwin 23.6.0 (arm64)
...
Protection range: start=0x00000000 length=0x00400000 (all)
Protection mode: hardware


$ ./builddir/flashrom -p ft2232_spi:type=2232H,port=B,divisor=100 -c W25Q32FV -w ../T-MXL1JAUSC-4mb.bin
flashrom v1.5.0-rc1 (git:v1.5.0-rc1) on Darwin 23.6.0 (arm64)
...
Reading old flash chip contents... done.
Updating flash chip contents... Erase/write done from 0 to 3fffff
Verifying flash... VERIFIED.

This image, maybe due to model mismatch, maybe something else, behaves differently, more output!!

Code:

 Eden: BD_SECXL1_D01B_S
 SPI BOOT
 Console Initial OK

65
[123456789][123456789]
0055

BIST_0 PASS.

 MIU Initial OK 0328
ASSERT: core/api/msAPI_Flash.c 388
------ stack backtrace ------
5A5AA5A5
Exception: 6
r0 : 00000000  r1 : 00598AD4  r2 : FFFFFFFD  r3 : 00000009
r4 : 00598993  r5 : 90000000  r6 : 90000005  r7 : 0000000A
r8 : B0000F78  r9 : 003992BB  r10: 5A5AA5A5  r11: 003C0000
r12: 00543082  r13: 000000BB  r14: 00540000  r15: 00000000
r16: 000000B0  r17: 0019806D  r18: FFFFFFA7  r19: 8671011D
r20: 60291913  r21: FFFF015A  r22: 606C9C0A  r23: 0034E613
r24: 00560000  r25: 00000016  r26: 003DEF16  r27: 00000000
r28: A0200000  r29: 00540000  r30: 02100018  r31: 00000004
sr : 0000821F  pc : 003992AD  eear: 5A5AA5A1
------ stack backtrace ------
398768
Exception: 6
r0 : 00000000  r1 : 005989A4  r2 : FFFFFFFD  r3 : 00000007
r4 : 00598863  r5 : 90000000  r6 : 90000005  r7 : 0000000A
...

Chakra3 does contain core/api/msAPI_Flash.c but line 388 is wrong. Must be a different version. I may reverse engineer the AP code to see what's the ASSERT.

Call out, anyone who has T-MXL1AUSC.bin or knows how to obtain it, please help!

eigma · 11-22-2024, 08:58 PM

In a few days I will get access to SMD soldering equipment and try to remove the SPI chip.

Until then, I spent some time understanding SPI flash dump file format, and comparing to the clean genuine firmware file downloaded from Samsung (T-MXL1JAUSC.bin). From sboot/src/MSDecompress.c we see there is a header at 0x20000 including a CRC32. The CRC32 algorithm seems unusual, not compatible with standard Python zlib.crc32. After more searching, I find Chakra3_017a0d6_20170731/scripts/BinIDPackFiles_Compress.py which gives the correct CRC32 algorithm and much more information about the file format.

And indeed, the clean firmware from Samsung has good CRC:

Code:

$ ./spi_crc.py T-MXL1JAUSC.bin
At 0x20000:
00000000: 80 00 02 00 00 00 20 00  73 80 39 00 F3 80 1B 00  ...... .s.9.....
00000010: 00 00 00 00 56 E2 50 B5  00 00 00 00 00 00 00 00  ....V.P.........

u32ROM_START: 0x00020080
u32RAM_START: 0x00200000
u32RAM_END:   0x00398073  (len 0x198073)
u32ROM_END:   0x001b80f3  (len 0x198073)
u32CRC32_SW:  0xb550e256

CRC:          0xb550e256  GOOD

while my reading from SPI flash does not!

Code:

$ ./spi_crc.py samsung-un40h5003af.bin
At 0x20000:
00000000: 80 00 02 00 00 00 20 00  25 66 38 00 A5 66 1A 00  ...... .%f8..f..
00000010: 00 00 00 00 EB 54 7C 3A  00 00 00 00 00 00 00 00  .....T|:........

u32ROM_START: 0x00020080
u32RAM_START: 0x00200000
u32RAM_END:   0x00386625  (len 0x186625)
u32ROM_END:   0x001a66a5  (len 0x186625)
u32CRC32_SW:  0x3a7c54eb

CRC:          0xe6632d3d  BAD!

I am still hoping to find a clean T-MXL1AUSC.bin (version 1005) for my device. But until then, I might try flashing T-MXL1JAUSC and hope for the best.

lotas · 11-22-2024, 03:12 AM

The firmware is damaged, it is better to erase the chip on a programmer by desoldering it from the board; if it is not erased, some kind of status register may be written.

eigma · 11-22-2024, 12:34 AM

I'm sorry, can you explain more? MStar is broken or SPI chip is broken?

I tried to erase SPI chip and write a firmware from Samsung website, for a very similar model (though not exactly the same). The firmwares have the same first 4 KB, many other similarities, maybe a chance to work.

But I cannot erase the flash chip:

Code:

$ flashrom -p ft2232_spi:type=2232H,port=B,divisor=100 -w T-MXL1JAUSC-4mb.bin
flashrom v1.3.0 on Darwin 23.6.0 (arm64)
flashrom is free software, get the source code at https://flashrom.org

Calibrating delay loop... OK.
Found Winbond flash chip "W25Q32.V" (4096 kB, SPI) on ft2232_spi.
===
This flash part has status UNTESTED for operations: WP
The test status of this chip may have been updated in the latest development
version of flashrom. If you are running the latest development version,
please email a report to flashrom@flashrom.org if any of the above operations
work correctly for you with this flash chip. Please include the flashrom log
file for all operations you tested (see the man page for details), and mention
which mainboard or programmer you tested in the subject line.
Thanks for your help!
Reading old flash chip contents... done.
Erasing and writing flash chip... FAILED at 0x00010000! Expected=0xff, Found=0x00, failed byte count from 0x00010000-0x00010fff: 0xfff
ERASE FAILED!
Reading current flash chip contents... done. Looking for another erase function.
FAILED at 0x00010000! Expected=0xff, Found=0x00, failed byte count from 0x00010000-0x00017fff: 0x7eeb
ERASE FAILED!
Reading current flash chip contents... done. Looking for another erase function.
FAILED at 0x00010000! Expected=0xff, Found=0x00, failed byte count from 0x00010000-0x0001ffff: 0xfe9c
ERASE FAILED!
Reading current flash chip contents... done. Looking for another erase function.
FAILED at 0x00000000! Expected=0xff, Found=0x00, failed byte count from 0x00000000-0x003fffff: 0x3b5256
ERASE FAILED!
Reading current flash chip contents... done. Looking for another erase function.
FAILED at 0x00000000! Expected=0xff, Found=0x00, failed byte count from 0x00000000-0x003fffff: 0x3b5256
ERASE FAILED!
Reading current flash chip contents... done. Looking for another erase function.
Looking for another erase function.
Looking for another erase function.
No usable erase functions left.
FAILED!
Uh oh. Erase/write failed. Checking if anything has changed.
Reading current flash chip contents... done.
Good, writing to the flash chip apparently didn't do anything.
Please check the connections (especially those to write protection pins) between
the programmer and the flash chip. If you think the error is caused by flashrom
please report this to the mailing list at flashrom@flashrom.org or on IRC (see
https://www.flashrom.org/Contact for details), thanks!

I checked voltages, /WP pin was in the middle, around 1.8V, I thought maybe that was the problem. So added a 470 ohm resistor to VCC, now /WP at 3.1V, and tried again. But still, flashrom error "ERASE FAILED!".

lotas · 11-21-2024, 04:58 PM

Your CPU is MStar, dump is not working (broken core).

eigma · 11-21-2024, 03:46 PM

SPI flash dump attached.

HDMI to ground - all values in ohms:

		CN401_H1	CN404_H2
1	TMDS data2+	30M	33M
2	TMDS data2 shield	0	0
3	TMDS data2−	30M	33M
4	TMDS data1+	30M	33M
5	TMDS data1 shield	0	0
6	TMDS data1−	30M	33M
7	TMDS data0+	32M	33M
8	TMDS data0 shield	0	0
9	TMDS data0−	32M	35M
10	TMDS clock+	31M	35M
11	TMDS clock shield	0	0
12	TMDS clock−	32M	34M
13	Consumer Electronics Control (CEC)	3M	3M
14	Utility/HEAC+	open	open
15	SCL	340	340
16	SDA	330	330
17	Ground	0	0
18	+5 V	12k	12k
19	Hot plug detect	13k	13k

USB to ground:

Ground: 0
D+: open
D-: open
+5V: open

Found another schematic, which seems a bit more similar to my device:
https://www.eserviceinfo.com/downloa...ain%20sch.html
Some things are more similar (Q207, 1.1V rail), other things are still different (input power, main IC, DDR).

Attached Files

Premium supporters get full download access and other benefits.

samsung-un40h5003af.zip (3.29 MB, 11 views)

lotas · 11-21-2024, 09:29 AM

Post dump spi flash here.
Check the resistance of the HDMI and USB signal lines relative to gnd.

Samsung UN40H5003 boot loop every ~8 seconds

Leave a comment:

Leave a comment:

Leave a comment:

Leave a comment:

Leave a comment:

Leave a comment:

Leave a comment:

Leave a comment:

Leave a comment:

Leave a comment:

Leave a comment:

Leave a comment:

Leave a comment:

Leave a comment:

Leave a comment:

Samsung UN40H5003 boot loop every ~8 seconds

Related Topics