Tag Archives: philips

Rooting MCI730/12 device

The promised post about getting root on the Philips MCI730/12 media center. As always – no warranty, anything could happen to your device, and you are doing this at your own risk.

  1. You will need a USB flash drive formatted as FAT or FAT32.
  2. Put the file firmware2010_102h.tgz in the root folder of the drive. This is not a real firmware and it will not modify your device. The only purpose of this package is to provide root access on boot.
  3. Unplug the AC cord to power off the device. Insert the USB flash drive into the device. Press and hold the EJECT key, then plug in the AC cord. After some time the device will start booting in “Rescue” mode.
  4. If everything is done right, you will see something like this: [image]
  5. To telnet to the device you need to connect to its Ethernet port. The device address is 192.168.101.211/255.255.255.0, and telnetd is running on the standard port (23). The login/password is root/root.
  6. If you want to start telnetd in normal (non-rescue) mode permanently, add the line
    /usr/sbin/telnetd -p 23 &
    to the /usr/local/etc/mnetwork.conf file using the command
    echo '/usr/sbin/telnetd -p 23 &' >> /usr/local/etc/mnetwork.conf
  7. Reboot the device. Telnet will be running on the device's standard (e.g. DHCP) address, on port 23, with the root/root login.

Some background information:

The file firmware2010_102h.tgz emulates a firmware update. When the device boots in “rescue” mode, it extracts the contents of this file to temporary directories and starts the ./install shell script. In a normal update tarball this script re-flashes the device, but in our case it just configures the network interface and starts telnetd. I am using /usr/local/etc/mnetwork.conf to start telnetd because it is the only file located on a r/w partition. This file is included by /etc/netinit.sh from the read-only (cramfs) rootfs. It is also used by the mediabolic server, but that seems to silently ignore this line, so this hack works fine.
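Because /usr/local/etc/mnetwork.conf is included by /etc/netinit.sh, any command line in it is executed at boot. As an added example (not part of the original post or of the device firmware), this shell function flags lines in such a file that are not plain settings; the NAME=value format of legitimate lines and the sample file contents are assumptions.

```shell
#!/bin/sh
# Added example: list lines in a config file sourced by an init script that
# are not plain NAME=value settings. Such lines are executed at every boot.
# Assumption: legitimate lines are blank, comments, or simple assignments.

# Prints "<lineno>:<text>" per suspicious line.
# Returns 0 if clean, 1 if anything was flagged, 2 if unreadable.
audit_sourced_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    hits=$(awk '
        BEGIN {
            name   = "^[ \t]*[A-Za-z_][A-Za-z0-9_]*="
            # Whitelist of value characters: no shell metacharacters.
            bare   = name "[A-Za-z0-9_.:,@%+/-]*[ \t]*$"
            quoted = name "\"[A-Za-z0-9_.:,@%+/ -]*\"[ \t]*$"
        }
        /^[ \t]*$/ || /^[ \t]*#/ { next }     # blank line or comment
        $0 ~ bare || $0 ~ quoted { next }     # harmless assignment
        { printf "%d:%s\n", NR, $0 }          # anything else is executed
    ' "$conf")
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Constructed sample (not taken from a real device): two settings plus the
# telnetd line from step 6 of the post.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# network settings (constructed)
IPADDR=192.168.1.50
HOSTNAME="mci730"
/usr/sbin/telnetd -p 23 &
EOF
audit_sourced_conf "$sample" || echo "review the flagged lines above"
rm -f "$sample"
```

Run against a copy of the real file, the function reports the appended telnetd line by number while leaving ordinary settings alone.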


MCI730 – status and plans

So far I have made big progress with this device, so I decided to write a summary post:

  • Source code and root access are obtained, hooray.
  • WIFI bug is kernel related.
  • It is possible to run non-vendor software, but before it becomes useful, a lot of R&D needs to be done. The CPU is powerful enough to play all popular audio formats.
  • Vendor software is a closed source blob without documentation, scripts or SDK. It is unlikely that it would be possible to improve it, e.g. by adding new formats. But it is possible to suspend it and do anything you want with the hardware.

It is not yet known how to control the FM, CD and sound mixer. The other hardware is pretty standard. I see several ways of improving knowledge about the hardware:

  1. It is possible to use strace (the kernel supports it), but the current strace code has no support for I2C and SPI ioctls. It should not be very hard to add this code to strace.
  2. It would be even easier to add more debug output in the kernel itself. The only problem is that we will need to write a new kernel to the flash – in case of problems we will get a dead device. It should be much safer if I am able to get serial data to control uboot. It should then also be possible to get the kernel from tftp to avoid any risks.
  3. To find specifications for the chips used. I don't think that it will help a lot without a full schematic, but it may help with 1. and 2.

For me the primary goal is to have some “magic” button sequence that switches to my software (and back). It would also be interesting to find some easy-to-program frame buffer interface (something like curses “dialog”) to simplify this task.

Currently I do not have a lot of time to continue these efforts, so if you are an owner of such a device and want to join the development – please drop me a note.


MCI730 Linux status update

After getting root access I was able to do a lot of interesting tricks with my sound system. Some of them:

  • I was able to compile and run mplayer and mpg123. Mplayer perfectly plays audio in all known formats. It is also able to play from remote streams and seems to be more reliable than the player software. The CPU seems to be too slow to play video (running at 150 MHz).
  • The sound interface is OSS, but the mixer is controlled not (or at least not only) with /dev/mixer, so it is not yet known how to control the volume.
  • I mounted my NAS music folder over NFS. It is also possible to browse it and play files from it (formats supported by the firmware only). With mplayer it is possible to play any format. Tried FLAC, MP3 and WAVPACK without any issues.
  • The player software keeps /dev/dsp open only while playing, so it is possible to use it without unloading the player.
  • The WIFI problem is caused by a buggy WIFI driver. After some time the device may hang completely. Currently I have completely disabled the internal WIFI by unloading the driver.
  • In “Sleep” mode (when the clock is displayed) the device is not really sleeping – Linux is functioning as usual.
  • It's possible to record from FM Radio (!) to a file by reading /dev/dsp. I tried with “cat /dev/dsp > /tmp/sda1/nfs/123/out.raw” and then played this file on the desktop with aplay -f dat /nfs/out.raw, and it works fine (Signed 16 bit Little Endian, Rate 48000 Hz, Stereo).

And a lot of other interesting findings. I will do a “rooting device” post a little later. Now, to consolidate all the knowledge and to share the Philips GPL code, I created a SourceForge project.


MCI 730 – got root access!

I was finally able to get root. It was done via a “fake” update from USB + some modifications on the configuration partition. I will post more details and the root package later. Now some output:

# uname -a
Linux (none) 2.6.10_dev-VT8610 #295 Wed Oct 13 11:48:35 CST 2010 armv5tejl unknow

# cat /proc/cpuinfo
Processor       : ARM926EJ-Sid(wb) rev 5 (v5l)
BogoMIPS        : 151.60
Features        : swp half thumb fastmult edsp java
CPU implementer : 0x41
CPU architecture: 5TEJ

# cat /proc/meminfo
MemTotal:       110868 kB
MemFree:         56164 kB

# cat /proc/mtd
dev: size erasesize name
mtd0: 00c50000 00010000 "filesystem"
mtd1: 00280000 00010000 "mini_filesystem"
mtd2: 00180000 00010000 "mini_kernel"
mtd3: 00400000 00010000 "font_lib"
mtd4: 00050000 00010000 "sysconf"
mtd5: 00170000 00010000 "kernel"
mtd6: 00180000 00010000 "wifi"
mtd7: 00010000 00010000 "ECD_key"
mtd8: 00030000 00010000 "uboot"
mtd9: 00010000 00010000 "uboot var1"
mtd10: 00010000 00010000 "uboot var2"
mtd11: 00010000 00010000 "vload"


Updates on Philips MCI 730

I was finally able to get the source code package from Philips. Initially my request (via support) was denied. Then I sent a message to open.source@philips.com and finally got the source tar. It contains a lot of interesting things, including user interface binaries and kernel source/tool-chain. Currently I am far from home, but I will return soon and will try to root this device. The package also contains some scripts to create a firmware update package and the uboot source code. The firmware is based on MontaVista Linux 4.0 with a 2.6.10 kernel. I think it should be possible to get root access without a serial console. Stay tuned 🙂


Philips MCI730 hacking – preparation

I am the owner of a Philips MCI730 device. It runs Linux inside and has WIFI and Ethernet ports. It supports MP3 and Internet Radio. The device also supports UPNP/DLNA, so I am able to listen to music directly from my NAS. The device works mostly fine, but there are some very annoying problems.

  • WIFI is VERY unstable. I tried with 2 different routers. Sometimes it just loses the AP. As a workaround I am using an Ethernet-connected access point in “Client” mode.
  • No compressed lossless formats are supported. To me it seems very stupid – there is MP3/WMA support, but no FLAC, WavPack or APE. As a workaround my NAS converts lossless files to LPCM on the fly.
  • No gapless playback from a UPNP device. I think it is a limitation of the firmware.
  • The control point is implemented with a lot of bugs.

Despite all these problems I like the device, because it works well with my favorite radio stations and the FM tuner is also very good. I had a much more expensive receiver before, but the quality of radio was poor (bad reception zone). I think that the WIFI problem should be easy to fix. The software is probably one big blob, so it would not be possible to add more formats. For the control point interface some telnet-based workaround could probably be found. The problem is the lack of root access. I tried several options to get root on the device, but no luck so far. Some findings:

  1. There is no web interface. NMAP shows that ports 111/tcp, 1024/tcp and 8888/tcp are open. On 8888 the Mediabolic UPNP/DLNA server is running. It is unclear what is on port 1024; a TCP connection can be established, but it is closed after a short time.
  2. According to NMAP the system is running Linux 2.6.X.
  3. I used tcpdump on my router to capture the protocol between the device and Philips servers. The protocol is HTTP (no TLS) with all data sent in the message body. The data is encrypted somehow.
  4. On USB only FAT formatted drives are detected.
  5. There is no GPL code or firmware sources/binaries on the vendor web site.

So I assume that the only way to hack this device is to physically open it. What could be done then:

  • There should be a serial interface somewhere, soldered or not.
  • JTAG (likely) or removable flash (unlikely).
  • If the CPU is not hidden there will be a better chance of finding out what is running on this box.

I am going to open the box in the near future. I found no stickers on the case, so the warranty should not be affected. If you have positive experience with hacking this type of device – please drop me a comment.
