MSO9380AM

[kuba2k2]

Hi,
I have a set-top box (IPTV) with MSO9380AM. There seems to be totally no info about this chip, apart from it being used in some Roku streaming boxes, and a dead Kickstarter project.

The board I have has two 4-pin headers and a few test points, but so far none of them wanted to give me any UART output at all. They are not labeled, so maybe they're for something else, or the UART output was somehow completely disabled.

I found that Roku published the U-Boot and Linux sources:
https://m.box.com/shared_item/https%3A%2F%2Froku.app.box.com%2Fv%2FRokuOpenSourceSoftware/browse/162847473218
https://www.roku.com/ossfiles/v9.4.0/OSS-RokuPremiere_RokuUltra_2016/sources
(apparently Premiere and Ultra were the models with MSO9380)

U-Boot 2011.06, with some precompiled binaries for Roku players, in MSTARUPGRADEBIN format.

Linux 3.10.108 with grsecurity and something called "rt". mstar2 folder with configs, HALs, etc. In make menuconfig and in the configs there are a few "chip names":

• clippers, muji, kano, curry, kastor, monet, manhattan, maserati, monaco, maldives, macan, mustang, miami, madison, messi, einstein, napoli, kaiser, kris, kiwi
• also some names in Kconfig_OBAMA: titania, triton, titania2, oberon, euclid
  ..which doesn't really correlate to what's on linux-chenxing page.

There's also something on GitHub:
https://github.com/search?p=2&q=mso9380am&type=Code
that would hint the chip name is curry.

I'm totally new to that platform, and I'd like to evaluate if there's anything I can do with this box at all. In particular, I'm interested in dumping the firmware first (without desoldering the eMMC, of course).

I'm wondering if these MSTARUPGRADEBIN files can be used to do this (run Roku's U-Boot, which will possibly output something over UART). I read somewhere that these files can be put on an SD card to be read by MStar, but I don't want it to overwrite ("upgrade") anything just yet.

Thanks in advance
Kuba

[fifteenhex]

I think we could probably get it to boot mainline. Most of these chips are so similar it just works.
But a lot of the useful hardware wouldn't work.

A dump of the boot up output would be interesting if you can get it.

[kuba2k2]

Hi,
that's the problem - I don't see any output on any pin of the soldered headers. I thought you may know how to i.e. access the ISP, and if it's available on every MStar SoC or just on some... The ISP should be accessible on the VGA port, right? Mine doesn't even have VGA, only HDMI. There are also USB and microSD slots, I wonder if they could be used for something?

[fifteenhex]

Sorry, I missed that bit..
I think the ISP is generally over VGA but it should be on the board somewhere as it would have been used to write u-boot etc. Do you have picture of the board?

For what it's worth: The debug UART and ISP (i2c) are on the same pins. If you do find something that shows u-boot messages you've found both :)

[kuba2k2]

Sure:

This is a set-top IPTV box from a local TV provider. I think it's not running Android, at least it doesn't mention that anywhere in the UI. The OS has a "YouTube TV" app which looks to be based on Chromium (showed a familiar error screen when I messed around with DNS spoofing).

CPU markings:
MSO9380AMZ-M43-DC3
ATTBUF12B
2104E (date code?)
Flash:
MX30LF4G18AC-XKI (512 MiB)
RAM:
2x SEC 101 K4A8G16 5WB BCRC (2 GiB total)
No EEPROM chips that I'm aware of.

These are the pin headers I mentioned:

Each has GND and 3V3 pins, so there's only 4 possible "signal" pins, although I've seen no activity so far when probing each of them with an UART adapter. Maybe I should try harder, i.e. probe each pin and reboot the board (so maybe BootROM prints something)?

Can the SD card slot be used to boot something off-the-board? I.e. Allwinner CPUs prioritize reading from SD card, and boot from there if they find a valid image. I would like to run something (or get into the box at all) without overwriting the stock firmware, if that's possible at all.

[kuba2k2]

Hi @fifteenhex
I'm back to the topic after a long time. I decided it was pointless to try and hack the running firmware, so I took the NAND chip out (with a hot air gun), and put together a simple reader using a Pi Pico.

So now I have the entire 512 MiB (+OOB data) of the NAND contents. I can see the CIS at the beginning, as well as MBOOT, TEE, ARMFW/ATFW, splash image (ILDS), and user data in UbiFS.

There's also a "high level download" image, which seems to contain a copy of the mboot (perhaps for OTA flashing?). I've also acquired a firmware upgrade file, but it seems to be proprietary and encrypted; it's probably parsed in the userspace application.

I'm having trouble with recognizing the kernel. There are two (one is backup) "loader images", which are over 32 MiB in size, which may be the kernel (and ramdisk?). However, the format of these images is different than what I've seen in other MStar firmwares from the internet (i.e. extracted from MstarUpgrade.bin).

It seems that the kernel itself might be either encrypted or compressed somehow. Do you happen to know anything about the TEE on these chips and/or encryption schemes that may be used?

I've started disassembling MBOOT, and so far it seems to be pretty consistent with the sources that can be found online. However, I can't figure out what exactly is booted by it, as the "bootcmd" doesn't make sense (refers to a non-existent NAND partition), and the "readKL" and "bootKL" commands don't exist in this MBOOT (or I can't find them at least).

If you know anything that could help, I'd be grateful. I can provide binaries or more information that I've gathered if you want.

Thanks